Address match lists syntax, was Managing localhost
Hi,

I found a number of allow-query {localhost;}; and similar stuff in my .conf files. It doesn't seem to be allowed, since the manual says:

    The elements which constitute an address match list can be any of the following:
    * an IP address (IPv4 or IPv6)
    * an IP prefix (in `/' notation)
    * a key ID, as defined by the key statement
    * the name of an address match list defined with the acl statement
    * a nested address match list enclosed in braces

However, named-checkconf doesn't complain. I could fix that by defining an acl named localhost. But do I need to?

Best
Ale

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Address match lists syntax, was Managing localhost
Ooops, sorry. Please forget that.

On Fri 25/Jun/2021 12:50:55 +0200 Alessandro Vesely wrote:
> However, named-checkconf doesn't complain. I could fix that by defining an acl named localhost. But do I need to?

Now I tried to redefine and got:

    /etc/bind/named.conf.options:37: attempt to redefine builtin acl 'localhost'

Best
Ale
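The two messages above turn on how named evaluates an address match list: elements are tried in order, the first one that matches the client address decides (a negated element refuses), no match at all refuses, and `localhost`, `localnets`, `any` and `none` are builtin acl names that a user acl may reference but not redefine. The following evaluator is an added example written for this page, not code from BIND or from anyone in the thread. It implements the documented first-match rule for addresses, prefixes, acl names and nested lists (key IDs are not modelled), and it treats the builtin `localhost` as the loopback addresses only, which is an assumption of the example; in named the builtin matches every address configured on the server's interfaces.

```python
import ipaddress

# Builtin ACLs that named predefines, in (negated, item) element form.
# Modelling "localhost" as loopback only is an assumption of this example:
# in named it matches all addresses on the server's own interfaces.
BUILTIN_ACLS = {
    "any": [(False, "0.0.0.0/0"), (False, "::/0")],
    "none": [(True, "any")],
    "localhost": [(False, "127.0.0.0/8"), (False, "::1/128")],
}


def tokenize(text):
    """Split '{ !192.0.2.7; 192.0.2.0/24; }' into tokens, keeping braces and ';'."""
    for ch in "{};":
        text = text.replace(ch, f" {ch} ")
    return text.split()


def parse_list(tokens, pos=0):
    """Parse a braced address match list starting at tokens[pos].

    Returns (elements, next_pos). Each element is (negated, item), where item is
    an address / prefix / acl-name string or a nested element list.
    """
    if tokens[pos] != "{":
        raise ValueError("address match list must start with '{'")
    pos += 1
    elements = []
    while tokens[pos] != "}":
        negated = False
        if tokens[pos] == "!":                       # "! { ... }" or "! 10.0.0.0/8"
            negated, pos = True, pos + 1
        elif tokens[pos].startswith("!"):            # "!10.0.0.0/8"
            negated, tokens[pos] = True, tokens[pos][1:]
        if tokens[pos] == "{":
            item, pos = parse_list(tokens, pos)
        else:
            item, pos = tokens[pos], pos + 1
        elements.append((negated, item))
        if tokens[pos] == ";":
            pos += 1
    return elements, pos + 1


def _match(elements, addr, acls):
    """First-match evaluation: True = positive match, False = negated match,
    None = nothing matched (the caller decides what that means)."""
    for negated, item in elements:
        if _item_matches(item, addr, acls):
            return not negated
    return None


def _item_matches(item, addr, acls):
    if isinstance(item, list):                       # nested list
        return _match(item, addr, acls) is True      # a negated hit inside does not match
    if item in acls:                                 # builtin or user-defined acl name
        return _match(acls[item], addr, acls) is True
    try:
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        raise ValueError(f"unknown acl element {item!r}") from None
    return addr in net                               # False across IPv4/IPv6 families


def define_acl(name, text, acls):
    """acl "name" { ... };  -- named refuses to redefine a builtin acl."""
    if name in BUILTIN_ACLS:
        raise ValueError(f"attempt to redefine builtin acl '{name}'")
    acls[name], _ = parse_list(tokenize(text))


def is_allowed(list_text, client_ip, user_acls=None):
    """Evaluate e.g. allow-query { ... }; for one client address.
    No match at the top level means the request is refused."""
    acls = dict(BUILTIN_ACLS)
    acls.update(user_acls or {})
    elements, _ = parse_list(tokenize(list_text))
    return _match(elements, ipaddress.ip_address(client_ip), acls) is True


if __name__ == "__main__":
    my_acls = {}
    define_acl("trusted", "{ 192.0.2.0/24; }", my_acls)   # constructed acl
    print(is_allowed("{ trusted; localhost; }", "192.0.2.9", my_acls))
    print(is_allowed("{ trusted; localhost; }", "198.51.100.9", my_acls))
    try:
        define_acl("localhost", "{ 127.0.0.1; }", my_acls)
    except ValueError as err:
        print(err)
```

The ordering rule matters for any allow-query / allow-transfer / allow-recursion list: a negated element placed after the broader prefix it is meant to carve out never fires, because the broader element already matched. Running a candidate list through an evaluator like this with a handful of representative client addresses is a cheap way to catch that before the configuration goes live.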
Odd A record in our hosts zone file
I ran across these A records in one of our zone files:

    ;EXCHANGE STUFF
    mail  1m  IN  A  xxx.xxx.xxx.52  ; dhbex1
    mail  1m  IN  A  xxx.xxx.xxx.54  ; dhbex2

I can see that this is a cheap load-balancing for our exchange OWA servers, but what is the ‘1m’ notation? I haven’t been able to find that in my searching of the manual.

(We’re adding new servers and I need to make sure our DNS is properly set for them.)

--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs
RE: Odd A record in our hosts zone file
Hi Bruce,

Here you're specifying a distinct TTL for those records which overrides the default TTL for this zone (which you will have set towards the top of the file with the rest of the defaults). 1m = 60 seconds:

https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-bind-zone.html

So you're essentially telling DNS clients that the value provided for mail.{your-fqdn} is only valid for 60 seconds. As you say, a cheap load balancing attempt!

Best,
Richard.

-----Original Message-----
From: bind-users On Behalf Of Bruce Johnson
Sent: 25 June 2021 6:56 pm
To: bind-users@lists.isc.org
Subject: Odd A record in our hosts zone file

> I ran across these A records in one of our zone files:
>
>     ;EXCHANGE STUFF
>     mail  1m  IN  A  xxx.xxx.xxx.52  ; dhbex1
>     mail  1m  IN  A  xxx.xxx.xxx.54  ; dhbex2
>
> I can see that this is a cheap load-balancing for our exchange OWA servers, but what is the ‘1m’ notation? I haven’t been able to find that in my searching of the manual.
>
> (We’re adding new servers and I need to make sure our DNS is properly set for them.)
>
> --
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
>
> Institutions do not have opinions, merely customs
Re: Odd A record in our hosts zone file
Time to live in the cache. Short time to live is useful when you need to change the A record to swing one host to another.

> On Jun 25, 2021, at 12:56, Bruce Johnson wrote:
>
> I ran across these A records in one of our zone files:
>
>     ;EXCHANGE STUFF
>     mail  1m  IN  A  xxx.xxx.xxx.52  ; dhbex1
>     mail  1m  IN  A  xxx.xxx.xxx.54  ; dhbex2
>
> I can see that this is a cheap load-balancing for our exchange OWA servers,
> but what is the ‘1m’ notation? I haven’t been able to find that in my
> searching of the manual.
>
> (We’re adding new servers and I need to make sure our DNS is properly set for
> them.)
>
> --
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
>
> Institutions do not have opinions, merely customs
Re: Odd A record in our hosts zone file
Thank you…this is very useful information; I thought TTL could only be specified on a per-zone basis, not per-host.

On Jun 25, 2021, at 11:10 AM, Richard T.A. Neal wrote:

> Hi Bruce,
>
> Here you're specifying a distinct TTL for those records which overrides the default TTL for this zone (which you will have set towards the top of the file with the rest of the defaults). 1m = 60 seconds:
>
> https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-bind-zone.html
>
> So you're essentially telling DNS clients that the value provided for mail.{your-fqdn} is only valid for 60 seconds. As you say, a cheap load balancing attempt!
>
> Best,
> Richard.
>
> -----Original Message-----
> From: bind-users On Behalf Of Bruce Johnson
> Sent: 25 June 2021 6:56 pm
> To: bind-users@lists.isc.org
> Subject: Odd A record in our hosts zone file
>
> > I ran across these A records in one of our zone files:
> >
> >     ;EXCHANGE STUFF
> >     mail  1m  IN  A  xxx.xxx.xxx.52  ; dhbex1
> >     mail  1m  IN  A  xxx.xxx.xxx.54  ; dhbex2
> >
> > I can see that this is a cheap load-balancing for our exchange OWA servers, but what is the ‘1m’ notation? I haven’t been able to find that in my searching of the manual.
> >
> > (We’re adding new servers and I need to make sure our DNS is properly set for them.)

--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs
Re: Odd A record in our hosts zone file
On 25.06.21 18:29, Bruce Johnson wrote:
> Thank you…this is very useful information; I thought TTL could only be specified on a per-zone basis, not per-host.

Not even per-host. Different RR types for the same host can have different TTLs:

    mail  1m  IN  A    xxx.xxx.xxx.52  ; dhbex1
    mail  1m  IN  A    xxx.xxx.xxx.54  ; dhbex2
    mail  1d  IN  TXT  "v=spf1 a -all"
    mail  1h  IN  MX   0 mail

etc. Only RRs of the same type MUST have the same value, so e.g.:

    mail  1m  IN  A  xxx.xxx.xxx.52  ; dhbex1
    mail  2m  IN  A  xxx.xxx.xxx.54  ; dhbex2

would be incorrect, and the server will choose one of those to apply to all RRs (see rfc 2182 section 5.2).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux IS user friendly, it's just selective who its friends are...
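The three replies above cover two separate things: the `1m` / `1h` / `1d` TTL suffixes a zone file may carry on any record (overriding the zone's `$TTL`), and the rule that every record in one RRset (same owner name, same type) must carry the same TTL, otherwise the server silently picks one value for the whole set. The checker below is an added example written for this page, not code from BIND or from anyone in the thread: it parses a constructed zone fragment modelled on the records discussed (addresses replaced with RFC 5737 documentation space), converts TTL notation to seconds, and reports RRsets whose records disagree. Parenthesised multi-line records and `;` inside quoted rdata are outside what it handles.

```python
import re
from collections import defaultdict

# Constructed sample zone fragment in the style of the thread's examples.
SAMPLE_ZONE = """\
$TTL 1h
@           IN  SOA  ns1.example.com. hostmaster.example.com. 2021062501 1h 15m 1w 1h
@           IN  NS   ns1.example.com.
;EXCHANGE STUFF
mail    1m  IN  A    192.0.2.52    ; dhbex1
mail    1m  IN  A    192.0.2.54    ; dhbex2
mail    1d  IN  TXT  "v=spf1 a -all"
mail    1h  IN  MX   0 mail
www     5m  IN  A    192.0.2.10
www         IN  A    192.0.2.11    ; no TTL, so it inherits $TTL (1h): RRset is inconsistent
"""

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}


def parse_ttl(text):
    """Convert a BIND TTL ('300', '1m', '1h30m', '1w') to seconds; None if not a TTL."""
    text = text.lower()
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[smhdw])+", text):
        return None
    return sum(int(n) * TTL_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text))


def parse_zone(text):
    """Parse single-line records into (owner, ttl, type, rdata) tuples.

    Handles $TTL, an optional per-record TTL and class (in either order),
    a blank owner (repeats the previous owner) and ';' comments.
    """
    default_ttl = None
    owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop the comment
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if fields[0].startswith("$"):
            continue                              # $ORIGIN etc. do not affect this check
        if not line[0].isspace():                 # owner name present on this line
            owner = fields.pop(0)
        ttl = default_ttl
        for _ in range(2):                        # TTL and class may appear in either order
            if fields and parse_ttl(fields[0]) is not None:
                ttl = parse_ttl(fields.pop(0))
            elif fields and fields[0].upper() in CLASSES:
                fields.pop(0)
        rtype = fields.pop(0).upper()
        records.append((owner, ttl, rtype, " ".join(fields)))
    return records


def find_inconsistent_rrsets(records):
    """RFC 2181 section 5.2: all RRs of one RRset (same owner and type) must share
    a TTL. Returns {(owner, type): sorted list of the differing TTLs seen}."""
    seen = defaultdict(set)
    for owner, ttl, rtype, _ in records:
        seen[(owner, rtype)].add(ttl)
    return {rrset: sorted(ttls) for rrset, ttls in seen.items() if len(ttls) > 1}


if __name__ == "__main__":
    for (owner, rtype), ttls in find_inconsistent_rrsets(parse_zone(SAMPLE_ZONE)).items():
        print(f"{owner} {rtype}: mixed TTLs {ttls} (server will pick one)")
```

In the sample the two `mail A` records agree (both 60 s) and the `TXT` and `MX` records for `mail` legitimately carry their own TTLs, while the `www A` RRset mixes 300 s and the inherited 3600 s and is flagged. The inherited case is the one that bites in practice: the record without an explicit TTL looks harmless in the file, and the mismatch only shows up as a server-chosen value when the zone loads.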
Re: Managing localhost
Grant Taylor via bind-users wrote:
> On 6/21/21 11:00 AM, Tony Finch wrote:
> > That advice is out of date: nowadays you should not put any localhost
> > entries in the DNS, because it can cause problems for web browser security.
> > Modern software should suppress queries for localhost so they never reach
> > the DNS.
>
> If I'm understanding the problem correctly, it seems to come down to anything
> involving localhost /except/ fully qualified localhost.(implicit null).

Correct. As I mentioned in the blog post (link repeated below), I did some data collection to verify that dropping the localhost subdomains would be safe: answer, yes, there were basically no localhost queries.

I used to have a bunch of zones related to special-use domain names and IP addresses, but after BIND 9.12 added support for DNSSEC-based NXDOMAIN synthesis, I deleted them all. This means that (strictly speaking) my servers don't conform to RFC 6761's requirements for localhost, but (a) I can say that it is BIND's bug rather than mine, and (b) it doesn't matter anyway because the query traffic is negligible.

> > https://www.dns.cam.ac.uk/news/2017-09-01-localhost.html
> > https://datatracker.ietf.org/doc/html/rfc6761#section-6.3

Tony.
--
f.anthony.n.finch  https://dotat.at/
Faeroes: Variable 2 to 4, becoming southwest 5 to 7. Slight or moderate, becoming moderate or rough. Occasional rain later. Good, occasionally moderate later.
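The measurement Tony describes, checking the query log for localhost traffic before removing localhost entries from the DNS, is easy to reproduce. The script below is an added example written for this page, not code from the thread or from the linked blog post. It scans a constructed sample in the layout of BIND's `queries` log category (the regex assumes that layout, with the `@0x...` client pointer optional) and counts three kinds of name that Grant's summary lumps together: the bare special-use name `localhost`, names under `.localhost`, and a `localhost` label inside some other zone. A resolver that follows RFC 6761 section 6.3 answers the first two locally, so any volume of them reaching an authoritative server is itself worth a look.

```python
import re
from collections import Counter

# Constructed sample lines in BIND query-log layout (RFC 5737 / 3849 addresses).
SAMPLE_LOG = """\
client @0x7f3a4c0d1e00 192.0.2.10#41234 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.1)
client @0x7f3a4c0d1e00 192.0.2.11#53001 (localhost): query: localhost IN A + (198.51.100.1)
client @0x7f3a4c0d1e00 192.0.2.12#53002 (dev.localhost): query: dev.localhost IN AAAA + (198.51.100.1)
client @0x7f3a4c0d1e00 192.0.2.13#53003 (localhost.example.com): query: localhost.example.com IN A + (198.51.100.1)
client @0x7f3a4c0d1e00 192.0.2.14#53004 (mail.example.com): query: mail.example.com IN MX + (198.51.100.1)
client 192.0.2.15#53005 (example.com): query: example.com IN SOA - (198.51.100.1)
"""

# Assumed log layout: "client [@0x...] ADDR#PORT (QNAME): query: QNAME CLASS TYPE ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def classify(qname):
    """Return which kind of localhost-related name this is, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if labels == ["localhost"]:
        return "localhost"                          # the special-use name itself
    if labels[-1] == "localhost":
        return "under .localhost"                   # e.g. dev.localhost
    if "localhost" in labels:
        return "localhost label in another zone"    # e.g. localhost.example.com
    return None


def count_localhost_queries(log_text):
    """Return (number of parsed queries, Counter of localhost-related kinds)."""
    total = 0
    kinds = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue                                # not a query line; skip
        total += 1
        kind = classify(m.group("qname"))
        if kind:
            kinds[kind] += 1
    return total, kinds


if __name__ == "__main__":
    total, kinds = count_localhost_queries(SAMPLE_LOG)
    flagged = sum(kinds.values())
    print(f"{flagged} of {total} queries touch localhost ({100 * flagged / total:.1f}%)")
    for kind, n in kinds.most_common():
        print(f"  {n:6d}  {kind}")
```

Run over a real log, the percentage is the number that decides whether the localhost zones can go; the per-kind breakdown tells you which clients still need fixing, since a stream of `*.localhost` or `localhost.<yourzone>` lookups points at software that has not yet learned to answer those names locally.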