Re: disable dnssec for particular domain
You break a chain of trust by proving there is an insecure delegation. NXDOMAIN is not a delegation. The point of OPTOUT is to allow the parent zone to add and remove insecure delegations without resigning.

Mark

> On 7 Feb 2018, at 11:26 pm, Tony Finch wrote:
>
> Pruned debug logs...
>
> validating testa.eu/DS: looking for closest encloser
> validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA indicates potential closest encloser: 'eu'
> validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA at super-domain eu
> validating testa.eu/DS: NSEC3 GLIBHU0LF7IH1TGCCS68E3R5508AKBFR proves name does not exist: 'testa.eu'
> validating testa.eu/DS: NSEC3 GLIBHU0LF7IH1TGCCS68E3R5508AKBFR indicates optout
> validating testa.eu/DS: NSEC3 4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC proves name does not exist: '*.eu'
> validating testa.eu/DS: in checkwildcard: *.eu
> validating testa.eu/DS: NEEDNODATA = 0
> validating testa.eu/DS: FOUNDNODATA = 0
> validating testa.eu/DS: FOUNDOPTOUT = 1
> validating testa.eu/DS: NEEDNOQNAME = 1
> validating testa.eu/DS: FOUNDNOQNAME = 1
> validating testa.eu/DS: NEEDNOWILDCARD = 1
> validating testa.eu/DS: FOUNDNOWILDCARD = 1
> validating testa.eu/DS: FOUNDCLOSEST = 1
> validating testa.eu/DS: nonexistence proof(s) found
>
> Looks OK so far...
>
> fctx 0x7f1a5bfc1a10(testa.eu/DS): nonexistence validation OK
> validating testa.eu/SOA: in dsfetched2: ncache nxdomain
> validating testa.eu/SOA: resuming proveunsecure
> validating testa.eu/SOA: insecurity proof failed
>
> Then it goes pear-shaped.
>
> Aha! I think what's happening here is that BIND is expecting a NODATA response, to indicate that there is a delegation without a DS record. (For an example, `dig +dnssec +multiline europa.eu ds`)
>
> However the validator gets an NXDOMAIN response claiming the domain doesn't exist at all. But this is an opt-out NXDOMAIN so it is not a proof. Nevertheless the validator believes it, and is convinced that it has not proved the NODATA that it was expecting to prove, so it tells itself it has not found an insecure delegation.
>
> This is a tricky case. You can argue convincingly either way whether it is a bug or not, I think. Even if it is a bug, fixing it is not going to solve your problem any time soon - you need a pragmatic operational solution.
>
> What you should do is add some nameservers to the registration (serving an empty zone or something), so that the .eu nameservers return a NODATA response instead of an NXDOMAIN response. Then your private zone will work.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/ - I xn--zr8h punycode
> Tyne, Dogger: Northwest 4 or 5, backing southwest 5 to 7. Slight or moderate. Wintry showers, then occasional rain. Good, occasionally poor.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Minimum TTL?
Is it possible to tell bind to ignore very short TTLs and enforce a...say... 5 second minimum TTL?

--
This is my signature. There are many like it, but this one is mine.
Re: disable dnssec for particular domain
On 08.02.18 19:12, Mark Andrews wrote:
> You break a chain of trust by proving there is an insecure delegation.

that should be expected :-) and in case of private/internal domain even logical - it's not useful to push DS records to parent, and even possible with 2 versions of the same zone.

> NXDOMAIN is not a delegation. The point of OPTOUT is to allow the parent zone to add and remove insecure delegations without resigning.

shouldn't that cause validation to stop? Or, if NXDOMAIN is processed before OPTOUT, should the TLD contain insecure validation so it could be ignored and internal zone would be used?

>> On 7 Feb 2018, at 11:26 pm, Tony Finch wrote:
>> Pruned debug logs...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Minimum TTL?
On 08.02.2018 at 09:52, LuKreme wrote:
> Is it possible to tell bind to ignore very short TTLs and enforce a...say... 5 second minimum TTL?

no, such a feature was refused because it violates RFCs (questionable justification for a local decision not enabled by default) and hence on an inbound mailserver use unbound which has it

cache-min-ttl: 90
cache-max-negative-ttl: 90
Re: Minimum TTL?
Hi,

On 2018-02-08, LuKreme hammered into the keys:
> Is it possible to tell bind to ignore very short TTLs and enforce
> a...say... 5 second minimum TTL?

VERY SHORT TTL?

5 sec minimum?

What do you mean with ignoring?
It is you, YOU, who has to configure Bind9 correctly to longer TTLs.

If the NS Entry is not a Dyn-DNS entry, it should have anyway at least 3600 seconds.
Re: Minimum TTL?
On 2018-02-08 10:10, Michelle Konzack wrote:
> Hi,
>
> On 2018-02-08, LuKreme hammered into the keys:
>> Is it possible to tell bind to ignore very short TTLs and enforce
>> a...say... 5 second minimum TTL?
>
> VERY SHORT TTL?
>
> 5 sec minimum?
>
> What do you mean with ignoring?
> It is you, YOU, who has to configure Bind9 correctly to longer TTLs.
>
> If the NS Entry is not a Dyn-DNS entry,
> it should have anyway at least 3600 seconds.
>

This situation is relevant if bind is acting as a recursive DNS server and upstream record has very short TTL. In that case the record is not kept cached for longer than 5 seconds and it might not be optimal if this record is looked up frequently. Some recursive servers have an option to set minimum TTL and thus overwrite upstream TTL for such records with some minimal value (like 90s for example).

It has nothing to do with the authoritative mode when you set up TTL for zones locally hosted.

k.

--
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
Re: Minimum TTL?
Thank you for the clarification...

On DATE, AUTHOR hammered into the keys:
Karol Augustin
> On 2018-02-08 10:10, Michelle Konzack wrote:
>> Hi,
>>
>> On 2018-02-08, LuKreme hammered into the keys:
>>> Is it possible to tell bind to ignore very short TTLs and enforce
>>> a...say... 5 second minimum TTL?
>>
>> VERY SHORT TTL?
>>
>> 5 sec minimum?
>>
>> What do you mean with ignoring?
>> It is you, YOU, who has to configure Bind9 correctly to longer TTLs.
>>
>> If the NS Entry is not a Dyn-DNS entry,
>> it should have anyway at least 3600 seconds.
>>
> This situation is relevant if bind is acting as a recursive DNS server and
> upstream record has very short TTL. In that case the record is not kept
> cached for longer than 5 seconds and it might not be optimal if this
> record is looked up frequently. Some recursive servers have an option to
> set minimum TTL and thus overwrite upstream TTL for such records with
> some minimal value (like 90s for example).
>
> It has nothing to do with the authoritative mode when you set up TTL for
> zones locally hosted.
>
>
> k.

--
Michelle Konzack  Miila ITSystems @ TDnet
GNU/Linux Developer  00372-54541400
Re: Minimum TTL?
On 08.02.2018 at 11:10, Michelle Konzack wrote:
> On 2018-02-08, LuKreme hammered into the keys:
>> Is it possible to tell bind to ignore very short TTLs and enforce
>> a...say... 5 second minimum TTL?
>
> VERY SHORT TTL?
>
> 5 sec minimum?
>
> What do you mean with ignoring?
> It is you, YOU, who has to configure Bind9 correctly to longer TTLs.
>
> If the NS Entry is not a Dyn-DNS entry,
> it should have anyway at least 3600 seconds

you miss the topic

many DNSBLs have a very short TTL and at the same time a limit of queries from a single IP until you need to pay for the service

so if you have an inbound MX and the RBL has 2 seconds TTL and a botnet is trying to deliver spam to you, overriding the 2 second TTL with 90 seconds or whatever makes sense reduces the total amount of DNS requests dramatically
Re: Minimum TTL?
Hello Harald,

On 2018-02-08, Reindl Harald hammered into the keys:
> you miss the topic
>
> many DNSBLs have a very short TTL and at the same time a limit of
> queries from a single IP until you need to pay for the service
>
> so if you have an inbound MX and the RBL has 2 seconds TTL and a botnet
> is trying to deliver spam to you, overriding the 2 second TTL with 90
> seconds or whatever makes sense reduces the total amount of DNS requests
> dramatically

Sounds logical.

And this feature was rejected by the Bind Developers?

--
Michelle Konzack  Miila ITSystems @ TDnet
GNU/Linux Developer  00372-54541400
Re: Minimum TTL?
On 08.02.2018 at 12:30, Michelle Konzack wrote:
> Hello Harald,
>
> On 2018-02-08, Reindl Harald hammered into the keys:
>> you miss the topic
>>
>> many DNSBLs have a very short TTL and at the same time a limit of
>> queries from a single IP until you need to pay for the service
>>
>> so if you have an inbound MX and the RBL has 2 seconds TTL and a botnet
>> is trying to deliver spam to you, overriding the 2 second TTL with 90
>> seconds or whatever makes sense reduces the total amount of DNS requests
>> dramatically
>
> Sounds logical.
>
> And this feature was rejected by the Bind Developers?

i remember a response pointing out it would violate RFCs
Re: disable dnssec for particular domain
Matus UHLAR - fantomas wrote:
>
> and in case of private/internal domain even logical - it's not useful to
> push DS records to parent, and even possible with 2 versions of the same
> zone.

You can have a secure delegation in the parent if you sign both versions of the zone with the same KSK. (There are lots of reasons that it might be difficult to do this in practice, though.)

> On 08.02.18 19:12, Mark Andrews wrote:
>> The point of OPTOUT is to allow the parent zone to add and remove
>> insecure delegations without resigning.
>
> shouldn't that cause validation to stop?

Well, that's what I expected :-) this is why I said it's arguable which is the right behaviour - it depends on your view of what opt-out does. Does it avoid re-signing work in zones with lots of insecure delegations (the authoritative point of view), or does it stop validation (the recursive point of view)? Mark's point is that the auth PoV is the original motivating purpose of opt-out.

But really this question is beside the point. We'll have a lot less fun exploring these corner cases in the protocol if people stop trying to play silly buggers with the DNS namespace and delegate things properly.

Tony.
--
f.anthony.n.finch  http://dotat.at/ - I xn--zr8h punycode
Irish Sea: Southwest 5 to 7 veering northwest 6 to gale 8, perhaps severe gale 9 later. Slight or moderate, becoming moderate or rough. Rain then wintry showers. Good, occasionally poor.
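The NXDOMAIN-versus-NODATA distinction Tony and Mark are arguing about, as an added example that is not code from the thread, from BIND or from ISC: it hashes names per RFC 5155 and walks the Opt-Out NSEC3 chain of a constructed parent zone, showing that the chain yields the same covering record for an unregistered name and for an insecure delegation, so only the parent's RCODE and NS data separate the two. The zone and its names are constructed; the salt and iteration count are the RFC 5155 Appendix A example values, not .eu's, and the verdict strings model the behaviour the thread describes rather than BIND's source.

```python
"""Added example, not code from the thread, from BIND or from ISC: a model of what an
NSEC3 chain with Opt-Out can and cannot prove about a DS query at a delegation point
(RFC 5155). The parent zone and its names are constructed; the salt and iteration count
are the RFC 5155 Appendix A example values, not those of .eu."""
import base64
import hashlib

# NSEC3 hashes are written in base32 with the "Extended Hex" alphabet (RFC 4648 section 7).
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label last."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX)


def hash_covers(owner: str, nxt: str, h: str) -> bool:
    """True when h lies strictly between owner and nxt on the hash ring (the last record wraps)."""
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)


class Nsec3Chain:
    """NSEC3 chain of a signed parent. With opt_out=True, insecure delegations (NS, no DS, not the
    apex) get no NSEC3 of their own; they fall into the gap of a covering record with Opt-Out set."""
    def __init__(self, salt_hex: str, iterations: int, opt_out: bool):
        self.salt_hex, self.iterations, self.opt_out = salt_hex, iterations, opt_out
        self.records = []  # (owner_hash, next_hash, flags, types), sorted by owner_hash

    def build(self, names_and_types):
        # Opt-Out: the parent does not sign across insecure delegations, so they are skipped.
        signed = sorted(
            (nsec3_hash(n, self.salt_hex, self.iterations), frozenset(t))
            for n, t in names_and_types
            if not (self.opt_out and "NS" in t and "DS" not in t and "SOA" not in t))
        flags = 1 if self.opt_out else 0  # bit 0 of the NSEC3 flags field is Opt-Out
        for i, (owner, types) in enumerate(signed):
            self.records.append((owner, signed[(i + 1) % len(signed)][0], flags, types))
        return self

    def lookup(self, qname: str):
        """('match', types) when an NSEC3 owns H(qname); ('covered', opt_out_flag) otherwise."""
        h = nsec3_hash(qname, self.salt_hex, self.iterations)
        for owner, nxt, flags, types in self.records:
            if owner == h:
                return ("match", types)
            if hash_covers(owner, nxt, h):
                return ("covered", bool(flags & 1))
        raise ValueError("NSEC3 chain does not cover the hash space")


def classify_ds_response(chain: Nsec3Chain, qname: str, rcode: str, has_ns: bool) -> str:
    """What a validator asking the parent for qname/DS can conclude. rcode is the parent's 'NOERROR'
    or 'NXDOMAIN'; has_ns says whether NS records (a referral) came back. Models the thread, not BIND."""
    kind, detail = chain.lookup(qname)
    if kind == "match":
        if "DS" in detail:
            return "secure delegation: DS present, chain of trust continues"
        if "NS" in detail:
            return "insecure delegation proven: matching NSEC3 has NS set and DS clear"
        return "name exists in the parent but is not a delegation"
    covering_has_opt_out = detail
    if rcode == "NXDOMAIN":
        if covering_has_opt_out:
            return "NXDOMAIN under Opt-Out: covering NSEC3 proves nothing, no insecure delegation found"
        return "NXDOMAIN proven: covering NSEC3 without Opt-Out, name provably does not exist"
    if rcode == "NOERROR" and has_ns:
        if covering_has_opt_out:
            return "insecure delegation under Opt-Out: referral without DS, covering NSEC3 has Opt-Out set"
        return "bogus: an existing delegation needs a matching NSEC3 when Opt-Out is not in use"
    return "unexpected response shape"


def demo() -> dict:
    """Same parent zone and NSEC3 chain; only the RCODE/NS data for testa.example changes."""
    chain = Nsec3Chain("aabbccdd", 12, opt_out=True).build([
        ("example.", {"SOA", "NS", "DNSKEY", "NSEC3PARAM"}),
        ("ns1.example.", {"A"}),
        ("signed-child.example.", {"NS", "DS"}),
        ("testa.example.", {"NS"}),  # insecure delegation: left out of the chain by Opt-Out
    ])
    return {
        # nxdomain: parent has no data for the name (the thread's case); referral: NS registered
        "nxdomain": classify_ds_response(chain, "testa.example.", "NXDOMAIN", has_ns=False),
        "referral": classify_ds_response(chain, "testa.example.", "NOERROR", has_ns=True),
        "secure": classify_ds_response(chain, "signed-child.example.", "NOERROR", has_ns=True),
    }
```

Running `demo()` returns the two verdicts for the same name side by side: with NXDOMAIN the insecurity proof fails, with a NODATA referral the name is accepted as an insecure delegation, which is exactly the effect of registering nameservers for it.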
Re: Minimum TTL?
In article you write:
> you miss the topic
>
> many DNSBLs have a very short TTL and at the same time a limit of
> queries from a single IP until you need to pay for the service

This doesn't sound like a technical problem. Is there some reason you shouldn't pay for the service you're using?
Re: Minimum TTL?
On 08.02.2018 at 16:16, John Levine wrote:
> In article you write:
>> you miss the topic
>>
>> many DNSBLs have a very short TTL and at the same time a limit of
>> queries from a single IP until you need to pay for the service
>
> This doesn't sound like a technical problem. Is there some reason you
> shouldn't pay for the service you're using?

braindead argumentation, because it was a technical problem until you stepped in: when i try to reduce the amount of dns-queries to the service to reduce their load, because i decide for me that instead of 5 seconds, 30 or 90 seconds are "realtime" (the R in RBL) enough

frankly, even *if* i pay for the service i would call it a good citizen to produce less load, and the "minimum-ttl" also reduces load from other RBLs without any restriction

additionally you can *not* control your inbound mailflow - so when the same IP is hammering on your server and you produce 20 times more DNS requests than the rest of the year, what options do you have - you did nothing wrong and exceeded limits
Re: Minimum TTL?
On Thu, Feb 08, 2018 at 01:30:04PM +0200, Michelle Konzack wrote:
> Hello Harald,
> On 2018-02-08, Reindl Harald hammered into the keys:
>> you miss the topic
>>
>> many DNSBLs have a very short TTL and at the same time a limit of
>> queries from a single IP until you need to pay for the service
>>
>> so if you have an inbound MX and the RBL has 2 seconds TTL and a botnet
>> is trying to deliver spam to you, overriding the 2 second TTL with 90
>> seconds or whatever makes sense reduces the total amount of DNS requests
>> dramatically
>
> Sounds logical.
>
> And this feature was rejected by the Bind Developers?

If the RRset wants a TTL of N seconds, then that is the authoritative instruction from the owner of the zone about how the data should be used. We have to follow that. The RFCs so far do not allow increasing TTL, though they allow decreasing it.

If a DNSBL zone has a TTL of 2 seconds, then talk to the zone owner about why it is so. There ought to be a reason from their perspective why it is set to 2s.

Mukund
Re: Minimum TTL?
On 08.02.2018 at 16:34, Mukund Sivaraman wrote:
> On Thu, Feb 08, 2018 at 01:30:04PM +0200, Michelle Konzack wrote:
>> Hello Harald,
>> On 2018-02-08, Reindl Harald hammered into the keys:
>>> you miss the topic
>>>
>>> many DNSBLs have a very short TTL and at the same time a limit of
>>> queries from a single IP until you need to pay for the service
>>>
>>> so if you have an inbound MX and the RBL has 2 seconds TTL and a botnet
>>> is trying to deliver spam to you, overriding the 2 second TTL with 90
>>> seconds or whatever makes sense reduces the total amount of DNS requests
>>> dramatically
>>
>> Sounds logical.
>>
>> And this feature was rejected by the Bind Developers?
>
> If the RRset wants a TTL of N seconds, then that is the authoritative
> instruction from the owner of the zone about how the data should be
> used. We have to follow that. The RFCs so far do not allow increasing
> TTL, though they allow decreasing it.
>
> If a DNSBL zone has a TTL of 2 seconds, then talk to the zone owner
> about why it is so. There ought to be a reason from their perspective
> why it is set to 2s

so what - nobody can force me to ask him the same question every 2 seconds, and as long as it's a local resolver for my own services, the one i have to ask about any why in doubt is the person i face in the mirror every morning

yes, you are free to decide that named doesn't need to support the user's wish for such a feature. but the result is that the user stops using named at all on an inbound mailserver and is done
Re: Minimum TTL?
On 08.02.2018 at 16:39, Reindl Harald wrote:
> On 08.02.2018 at 16:34, Mukund Sivaraman wrote:
>> On Thu, Feb 08, 2018 at 01:30:04PM +0200, Michelle Konzack wrote:
>>> Hello Harald,
>>> On 2018-02-08, Reindl Harald hammered into the keys:
>>>> you miss the topic
>>>>
>>>> many DNSBLs have a very short TTL and at the same time a limit of
>>>> queries from a single IP until you need to pay for the service
>>>>
>>>> so if you have an inbound MX and the RBL has 2 seconds TTL and a botnet
>>>> is trying to deliver spam to you, overriding the 2 second TTL with 90
>>>> seconds or whatever makes sense reduces the total amount of DNS requests
>>>> dramatically
>>>
>>> Sounds logical.
>>>
>>> And this feature was rejected by the Bind Developers?
>>
>> If the RRset wants a TTL of N seconds, then that is the authoritative
>> instruction from the owner of the zone about how the data should be
>> used. We have to follow that. The RFCs so far do not allow increasing
>> TTL, though they allow decreasing it.
>>
>> If a DNSBL zone has a TTL of 2 seconds, then talk to the zone owner
>> about why it is so. There ought to be a reason from their perspective
>> why it is set to 2s
>
> so what - nobody can force me to ask him the same question every 2 seconds,
> and as long as it's a local resolver for my own services, the one i have to ask
> about any why in doubt is the person i face in the mirror every morning
>
> yes, you are free to decide that named doesn't need to support the user's
> wish for such a feature. but the result is that the user stops using
> named at all on an inbound mailserver and is done

and BTW - i don't need to ask the zone owner because common sense has the answer already: to have answers as real-time as possible and let as few new listings as possible slip through

it's still my decision as mailadmin if i need that accuracy
Re: Minimum TTL?
On Thu, Feb 08, 2018 at 04:39:36PM +0100, Reindl Harald wrote:
>
>
> On 08.02.2018 at 16:34, Mukund Sivaraman wrote:
>> On Thu, Feb 08, 2018 at 01:30:04PM +0200, Michelle Konzack wrote:
>>> Hello Harald,
>>> On 2018-02-08, Reindl Harald hammered into the keys:
>>>> you miss the topic
>>>>
>>>> many DNSBLs have a very short TTL and at the same time a limit of
>>>> queries from a single IP until you need to pay for the service
>>>>
>>>> so if you have an inbound MX and the RBL has 2 seconds TTL and a botnet
>>>> is trying to deliver spam to you, overriding the 2 second TTL with 90
>>>> seconds or whatever makes sense reduces the total amount of DNS requests
>>>> dramatically
>>>
>>> Sounds logical.
>>>
>>> And this feature was rejected by the Bind Developers?
>>
>> If the RRset wants a TTL of N seconds, then that is the authoritative
>> instruction from the owner of the zone about how the data should be
>> used. We have to follow that. The RFCs so far do not allow increasing
>> TTL, though they allow decreasing it.
>>
>> If a DNSBL zone has a TTL of 2 seconds, then talk to the zone owner
>> about why it is so. There ought to be a reason from their perspective
>> why it is set to 2s
>
> so what - nobody can force me to ask him the same question every 2 seconds,
> and as long as it's a local resolver for my own services, the one i have to ask
> about any why in doubt is the person i face in the mirror every morning

I doubt the zone owner is forcing you to use their zone. You can nix fetches to it. If you want the zone data, then follow what the zone owner requires.

> yes, you are free to decide that named doesn't need to support the user's
> wish for such a feature. but the result is that the user stops using
> named at all on an inbound mailserver and is done

Also, just for argument's sake, one user wants to extend TTLs to 5s. Another wants 60s TTLs. What is OK and what is going too far?

It really is something for the zone owner to consider.

Mukund
Re: Minimum TTL?
In article , Reindl Harald wrote:
> frankly, even *if* i pay for the service i would call it a good citizen
> to produce less load and the "minimum-ttl" also reduces load from other
> RBLs without any restriction

If the service provider is worried about load, they should increase their TTL to reduce the frequency of queries. It's not your job to second-guess them.

There are some servers that will avoid expiring records if the auth servers stop responding, as a fail-safe mechanism. I think Google Public DNS does this. So they obey TTL when deciding when to try to refresh the cache, but will continue returning whatever they've cached if necessary.

--
Barry Margolin
Arlington, MA
Re: Minimum TTL?
On 08.02.2018 at 16:51, Mukund Sivaraman wrote:
> On Thu, Feb 08, 2018 at 04:39:36PM +0100, Reindl Harald wrote:
>> On 08.02.2018 at 16:34, Mukund Sivaraman wrote:
>>> If the RRset wants a TTL of N seconds, then that is the authoritative
>>> instruction from the owner of the zone about how the data should be
>>> used. We have to follow that. The RFCs so far do not allow increasing
>>> TTL, though they allow decreasing it.
>>>
>>> If a DNSBL zone has a TTL of 2 seconds, then talk to the zone owner
>>> about why it is so. There ought to be a reason from their perspective
>>> why it is set to 2s
>>
>> so what - nobody can force me to ask him the same question every 2 seconds,
>> and as long as it's a local resolver for my own services, the one i have to ask
>> about any why in doubt is the person i face in the mirror every morning
>
> I doubt the zone owner is forcing you to use their zone. You can nix
> fetches to it. If you want the zone data, then follow what the zone
> owner requires.

does not matter

>> yes, you are free to decide that named doesn't need to support the user's
>> wish for such a feature. but the result is that the user stops using
>> named at all on an inbound mailserver and is done
>
> Also, just for argument's sake, one user wants to extend TTLs to 5s.
> Another wants 60s TTLs. What is OK and what is going too far?

that's simply the user's decision - problem solved

> It really is something for the zone owner to consider

for sure not
Re: Minimum TTL?
Reindl Harald wrote:
>
> yes, you are free to decide that named doesn't need to support the user's wish for
> such a feature. but the result is that the user stops using named at all on an
> inbound mailserver and is done

Or you could use patched versions from FreeBSD or Debian ...

https://svnweb.freebsd.org/ports/head/dns/bind912/files/extrapatch-bind-min-override-ttl?view=markup
https://sources.debian.org/src/bind9/1:9.11.2.P1-1/debian/patches/10_min-cache-ttl.diff/

Tony.
--
f.anthony.n.finch  http://dotat.at/ - I xn--zr8h punycode
Lundy, Fastnet: Southwest 5 to 7 veering northwest 6 to gale 8. Rough or very rough. Rain then showers. Good, occasionally poor at first.
Re: Minimum TTL?
On 08.02.2018 at 17:03, Barry Margolin wrote:
> In article , Reindl Harald wrote:
>> frankly, even *if* i pay for the service i would call it a good citizen
>> to produce less load and the "minimum-ttl" also reduces load from other
>> RBLs without any restriction
>
> If the service provider is worried about load, they should increase their
> TTL to reduce the frequency of queries. It's not your job to second-guess
> them.

let my job be my own problem - seriously - my server - my rules - period

if named can't serve my needs then "dnf remove bind; dnf install unbound" is the solution, and was it on mailservers

named is great as authoritative server but not for RBLs, which also can be used on webservers (web-application firewall where you try to reduce latency as much as you can)
Re: Minimum TTL?
Barry Margolin wrote:
> There are some servers that will avoid expiring records if the auth
> servers stop responding, as a fail-safe mechanism.

For instance, BIND 9.12 - https://www.isc.org/blogs/bind-9-12-almost-ready/

Tony.
--
f.anthony.n.finch  http://dotat.at/ - I xn--zr8h punycode
Irish Sea: Southwest 5 to 7 veering northwest 6 to gale 8, perhaps severe gale 9 later. Slight or moderate, becoming moderate or rough. Rain then wintry showers. Good, occasionally poor.
Re: Minimum TTL?
Reindl Harald wrote:
> yes, you are free to decide that named doesn't need to support the user's
> wish for such a feature. but the result is that the user stops using
> named at all on an inbound mailserver and is done

On 08.02.18 16:07, Tony Finch wrote:
> Or you could use patched versions from FreeBSD or Debian ...
>
> https://svnweb.freebsd.org/ports/head/dns/bind912/files/extrapatch-bind-min-override-ttl?view=markup
> https://sources.debian.org/src/bind9/1:9.11.2.P1-1/debian/patches/10_min-cache-ttl.diff/

FYI, it's been there for years.

bind9 (1:9.6.0.dfsg.P1-1) experimental; urgency=low

  [Michael Milligan]
  * Add min-cache-ttl and min-ncache-ttl keywords

  [LaMont Jones]
  * Fix merge errors from 9.6.0.dfsg.P1-0

 -- LaMont Jones  Fri, 20 Mar 2009 15:50:50 -0600

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: Minimum TTL?
On Thu, Feb 08, 2018 at 05:05:51PM +0100, Reindl Harald wrote:
>> I doubt the zone owner is forcing you to use their zone. You can nix
>> fetches to it. If you want the zone data, then follow what the zone
>> owner requires.
>
> does not matter

It matters to us.

Mukund
Re: Minimum TTL?
On 08.02.2018 at 17:10, Mukund Sivaraman wrote:
> On Thu, Feb 08, 2018 at 05:05:51PM +0100, Reindl Harald wrote:
>>> I doubt the zone owner is forcing you to use their zone. You can nix
>>> fetches to it. If you want the zone data, then follow what the zone
>>> owner requires.
>>
>> does not matter
>
> It matters to us

it's not your business to make local decisions, your business is sane defaults and warning against using such override options outside specific workloads, but that's it

do what you want - i do too, and throw out software which doesn't give me options i want to have, when competitors provide them, because i have no time for political stuff when i need to configure a server which is in my responsibility
Re: Minimum TTL?
On 08.02.2018 at 17:07, Tony Finch wrote:
> Reindl Harald wrote:
>> yes, you are free to decide that named doesn't need to support the user's
>> wish for such a feature. but the result is that the user stops using
>> named at all on an inbound mailserver and is done
>
> Or you could use patched versions from FreeBSD or Debian ...
>
> https://svnweb.freebsd.org/ports/head/dns/bind912/files/extrapatch-bind-min-override-ttl?view=markup
> https://sources.debian.org/src/bind9/1:9.11.2.P1-1/debian/patches/10_min-cache-ttl.diff/

yeah, i will switch from Fedora to Debian or start to maintain named including patches on my own instead of just using a different package out of the distribution repos which can do the same and let me control *my* server as i want out-of-the-box - won't happen :-)
Re: Minimum TTL?
On 02/08/2018 08:51 AM, Mukund Sivaraman wrote:
> Also, just for argument's sake, one user wants to extend TTLs to 5s. Another wants 60s TTLs. What is OK and what is going too far?

I think what is "OK" is up to each administrator.

Obviously the zone administrators have decided that they want people to use the 2s TTL.

That being said, it is up to each individual recursive server operator if they want to honor what the zone administrators have published, or if the recursive administrators want to override published desires.

> It really is something for the zone owner to consider.

Yes and no. Yes, it's up to the zone owner to consider what intentions they want to publish. No, the zone owner has no influence on how I operate my servers. I choose how I operate my servers.

If I choose to operate my servers in a manner that ignores the zone owner's published desires, that's on me.

I feel like this discussion is really two issues: 1) Does the capability to override published values exist, and 2) should I use said capability. They really are two different questions. I personally would like to see BIND have the option to do #1, even if I never use it.

-- 
Grant. . . .
unix || die
Re: Minimum TTL?
On Thu, Feb 8, 2018 at 4:34 PM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 02/08/2018 08:51 AM, Mukund Sivaraman wrote:
> > Also, just for argument's sake, one user wants to extend TTLs to 5s.
> > Another wants 60s TTLs. What is OK and what is going too far?
>
> I think what is "OK" is up to each administrator.
>
> Obviously the zone administrators have decided that they want people to
> use the 2s TTL.
>
> That being said, it is up to each individual recursive server operator if
> they want to honor what the zone administrators have published, or if the
> recursive administrators want to override published desires.
>
> > It really is something for the zone owner to consider.
>
> Yes and no. Yes it's up to the zone owner to consider what intentions
> that they want to publish. No, the zone owner has no influence on how I
> operate my servers. I choose how I operate my servers.
>
> If I choose to operate my servers in a manner that ignores the zone
> owner's published desires, that's on me.
>
> I feel like this discussion is really two issues: 1) Does the capability
> to override published values and 2) should I use said capability. They
> really are two different questions. I personally would like to see BIND
> have the option to do #1, even if I never use it.

+1

> --
> Grant. . . .
> unix || die

-- 
Bob Harold
Re: Minimum TTL?
> I think what is "OK" is up to each administrator.
>
> Obviously the zone administrators have decided that they want people to
> use the 2s TTL.
>
> That being said, it is up to each individual recursive server operator
> if they want to honor what the zone administrators have published, or if
> the recursive administrators want to override published desires.
>
> > It really is something for the zone owner to consider.
>
> Yes and no. Yes it's up to the zone owner to consider what intentions
> that they want to publish. No, the zone owner has no influence on how I
> operate my servers. I choose how I operate my servers.

Yesterday I measured, on our busiest resolvers, the number of replies with TTL=0 the resolvers received (from the authoritative servers). Turns out we receive around 2.3 percent replies with TTL=0. This is a percentage I can live with, and I see no reason to artificially inflate the TTL.

That being said - if the percentage had been significantly higher, I would feel it was perfectly reasonable to set a minimum TTL of, for instance, 10s.

I agree that this is a decision for each operator.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Minimum TTL?
On 09.02.2018 at 07:02, sth...@nethelp.no wrote:
> > I think what is "OK" is up to each administrator.
> >
> > Obviously the zone administrators have decided that they want people to
> > use the 2s TTL.
> >
> > That being said, it is up to each individual recursive server operator
> > if they want to honor what the zone administrators have published, or if
> > the recursive administrators want to override published desires.
> >
> > > It really is something for the zone owner to consider.
> >
> > Yes and no. Yes it's up to the zone owner to consider what intentions
> > that they want to publish. No, the zone owner has no influence on how I
> > operate my servers. I choose how I operate my servers.
>
> Yesterday I measured, on our busiest resolvers, the amount of replies with
> TTL=0 the resolvers received (from the authoritative servers). Turns out we
> receive around 2.3 percent replies with TTL=0. This is a percentage I can
> live with, and I see no reason to artificially inflate the TTL.
>
> That being said - if the percentage had been significantly higher, I would
> feel it was perfectly reasonable to set a minimum TTL of for instance 10s.
>
> I agree that this is a decision for each operator.

And I can tell you where they are coming from: a Cisco router with "DNS-ALG" between primary and slave, writing an explicit TTL 0 in front of every CNAME - been there, and it takes a long time until you realize that your slave responds with different data than you configured.
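Steinar's TTL=0 measurement and the zero-TTL CNAME case Reindl describes, as an added example that is not part of this thread, of BIND, or of the Debian/FreeBSD patches linked above: a small Python script that takes constructed answer-section records, computes the share of replies carrying a TTL of 0, breaks the zero-TTL records down by record type (so a CNAME-only pattern like the DNS-ALG one stands out), and shows what a min-cache-ttl floor would do to those records before they are cached. The presentation-format input, the sample replies, the addresses, and the function names are all assumptions made for the example; the 2.3 percent figure in the thread is Steinar's, not reproduced here.

```python
# Added example, not from the bind-users thread or from BIND. Input format,
# sample data and function names are assumptions made for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RR:
    """One resource record in presentation format."""
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_rr(line: str) -> RR:
    """Parse one record line such as 'www.example.com. 0 IN A 192.0.2.10'.
    rdata may contain spaces (e.g. MX or TXT), so split at most four times."""
    owner, ttl, rclass, rtype, rdata = line.split(None, 4)
    return RR(owner, int(ttl), rclass, rtype, rdata)


# Constructed sample: each inner list is the answer section of one reply a
# resolver received from an authoritative server. Not real resolver output.
SAMPLE_REPLIES: List[List[str]] = [
    ["www.example.com. 300 IN A 192.0.2.10"],
    # A DNS-ALG-style device stamping TTL 0 in front of a CNAME, as in the thread
    ["mail.example.com. 0 IN CNAME mx.example.com.",
     "mx.example.com. 3600 IN A 192.0.2.25"],
    ["api.example.net. 2 IN A 198.51.100.7"],
    ["cdn.example.org. 0 IN A 203.0.113.4"],
    ["ns.example.org. 86400 IN AAAA 2001:db8::53"],
]


def parse_replies(raw: List[List[str]]) -> List[List[RR]]:
    return [[parse_rr(line) for line in reply] for reply in raw]


def ttl_zero_share(replies: List[List[RR]]) -> float:
    """Percentage of replies containing at least one TTL=0 record."""
    if not replies:
        return 0.0
    hits = sum(1 for reply in replies if any(rr.ttl == 0 for rr in reply))
    return 100.0 * hits / len(replies)


def ttl_zero_by_type(replies: List[List[RR]]) -> Dict[str, int]:
    """Count TTL=0 records per record type; useful for spotting a middlebox
    that only rewrites one type (e.g. CNAME) rather than a zone-wide policy."""
    counts: Counter = Counter()
    for reply in replies:
        for rr in reply:
            if rr.ttl == 0:
                counts[rr.rtype] += 1
    return dict(counts)


def apply_min_ttl(replies: List[List[RR]], floor: int) -> List[List[RR]]:
    """Raise every TTL below `floor` up to `floor`, which is what a resolver-side
    min-cache-ttl override does before caching. TTLs at or above the floor are
    left as published."""
    return [
        [RR(rr.owner, max(rr.ttl, floor), rr.rclass, rr.rtype, rr.rdata) for rr in reply]
        for reply in replies
    ]


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_REPLIES)
    print(f"replies with TTL=0: {ttl_zero_share(replies):.1f}%")
    print(f"TTL=0 records by type: {ttl_zero_by_type(replies)}")
    clamped = apply_min_ttl(replies, 10)
    print(f"after min-cache-ttl 10: {ttl_zero_share(clamped):.1f}% with TTL=0")
```

Run against a real resolver you would feed it the answer sections you actually received (from query logging or a packet capture) rather than the constructed list; the per-type breakdown is what tells you whether the zero TTLs are the zone owner's intent or, as in the DNS-ALG case, a device in the path rewriting one record type.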