Re: Query Regarding NSEC RR in DNSSEC
Briefly, the answer is, the NXDOMAIN response could be replayed by a man-in-the-middle attacker. We need to have something to sign, something specific to that query. If we just return the zone's SOA record and its signature, we're still subject to a replay attack. So we need to prove the negative, and that happens by enumerating all the possible positive answers "near" the query.

Regards,
Chris Buxton
BlueCat Networks

On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:

> Dear Team,
>
> We have an authenticated response in DNSSEC through the trust chain.
> Now my question is why we ourselves need an NSEC when we get a response from a DNSSEC-enabled server authentically.
>
> Meaning, if a record exists in DNSSEC, then it replies with the answer along with the RRSIG of that RR.
> AND if the domain doesn't exist, then it can simply give NXDOMAIN and our job will be done, as we trust that nameserver through the trust chain.
> So what's the need of NSEC??
>
> Thanks n Regards,
> GAURAV KANSAL
> 9910118448
> VoIP - 6259
> Operation And Routing Unit
> NIC, NEW DELHI
>
> Please don't print this e-mail until & unless you really need to; it will save trees on Planet Earth.
> IPv4 is over,
> Are you ready for the new network?
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
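The "enumerate the possible positive answers near the query" idea above is what a validating resolver checks when it receives an NSEC record: the signed record names a gap (owner, next) in the zone's canonical order, and it only proves non-existence of names that fall inside that gap. The following is an added example, not code from the post or from BIND; the zone contents, the NSEC chain and the names under example.com are constructed sample data, and RRSIG verification is deliberately left out so the ordering and cover logic stand alone.

```python
"""Added example (not from the mailing-list post): the NSEC "cover" check that
lets a validator turn a signed NSEC record into a proof that a specific name
does not exist. Zone contents and NSEC chain below are constructed sample data."""


def canonical_key(name: str) -> tuple:
    """Key implementing RFC 4034 section 6.1 canonical DNS name order:
    labels are compared right to left, case-insensitively, as byte strings,
    and a name with fewer labels that is a prefix of another sorts first."""
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def canonical_lt(a: str, b: str) -> bool:
    return canonical_key(a) < canonical_key(b)


def in_zone(name: str, apex: str) -> bool:
    """True if name is the apex or lies below it; NSEC proofs only cover the zone."""
    k, a = canonical_key(name), canonical_key(apex)
    return k[: len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if the record 'owner NSEC next_name' proves that qname is absent.

    The record asserts that no name exists strictly between owner and
    next_name in canonical order. The last NSEC in the chain points back to
    the apex, so next_name <= owner means the gap runs to the end of the zone.
    A qname equal to owner is NOT covered: that name exists, and only the
    type bitmap (omitted here) could deny a particular type at it."""
    if not in_zone(qname, apex):
        return False
    ko, kn, kq = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if kq == ko:
        return False
    if kn <= ko:  # wraparound: last NSEC in the chain, gap runs to end of zone
        return ko < kq
    return ko < kq < kn


# Constructed zone with names example.com, a.example.com and c.example.com.
# Chain: example.com -> a -> c -> example.com
NSEC_CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "c.example.com."),
    ("c.example.com.", "example.com."),
]


def prove_nxdomain(chain, qname: str, apex: str):
    """Return the (owner, next) NSEC that covers qname, or None if none does.

    In a real validator each candidate NSEC's RRSIG must also verify. That
    signature is what defeats replay of a denial for a different name: the
    NSEC is bound to its own owner/next gap, so an NSEC captured for one
    query cannot be made to cover a name outside that gap."""
    for owner, nxt in chain:
        if nsec_covers(owner, nxt, qname, apex):
            return (owner, nxt)
    return None


if __name__ == "__main__":
    for q in ("b.example.com.", "z.example.com.", "a.example.com.", "example.org."):
        print(q, "->", prove_nxdomain(NSEC_CHAIN, q, "example.com."))
```

Running it shows b.example.com covered by the (a, c) record, z.example.com covered by the wraparound (c, apex) record, a.example.com not covered because it exists, and example.org rejected because it is outside the zone; the same (a, c) record does nothing for d.example.com, which is exactly why a replayed NSEC cannot stand in for an unsigned NXDOMAIN.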
Re: Efficacy of using short timeout values for an A record
Mac OS X imposes a 60 second minimum on TTLs, or at least it did at one time. I am unaware of any other client OS having such a restriction.

Client software does not always respect TTLs, though. It's entirely possible for a client application to completely ignore the TTL value and continue to connect (and reconnect as needed) to whatever address was first retrieved via the stub resolver.

Regards,
Chris Buxton
BlueCat Networks

On Feb 14, 2012, at 2:59 AM, goran kent wrote:

> Hi,
>
> I need to set up an A record for a machine whose IP might change unexpectedly, and I need to ensure PCs out there cache it for as short a time as possible:
>
>     host1    300    IN    A    10.10.10.10
>
> Does anyone know whether MS Windows PCs will in fact honour that 300s, then force a re-lookup? Can I use even shorter values? eg, 60?
>
> I know this will lead to extra DNS traffic, but this is only for this particular case.
>
> Thanks for any comments.
>
> Regards
> gk
Re: Efficacy of using short timeout values for an A record
On Feb 14, 2012, at 11:23 AM, Chuck Swiger wrote:

> On Feb 14, 2012, at 11:11 AM, Alan Clegg wrote:
>> On 2/14/2012 1:42 PM, Chuck Swiger wrote:
>>
>>> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. It's probably unreasonable to expect other platforms to refetch DNS records faster than that.
>>
>> Uh... no. BIND has always respected TTL when caching information.
>
> See http://www.ietf.org/rfc/rfc1035.txt
>
> "The MINIMUM value in the SOA should be used to set a floor on the TTL of data distributed from a zone.

The original question is from the standpoint of the recursive server, not the authoritative server. Yes, BIND 4 imposed a minimum value, but only on authoritative data. Not on cached data.

BIND has (or perhaps had) the ability to impose a minimum TTL on cached data, but most implementations do not enable this. As I recall, the value has to be set in the source code before compiling the binary.

Regards,
Chris Buxton
BlueCat Networks
Re: block ddns by name
On Feb 16, 2012, at 7:22 AM, Tom Schmitt wrote:

>> Von: Tony Finch
>
>>> Does anyone know if there is a way to prevent the creation of certain records - by name?
>>
>> update-policy {
>>     deny "*" name "internal.example.com";
>>     # ...
>> };
>
> Hi,
>
> I have a quite similar question but can't figure it out from the doc for update-policy:
>
> I have a few DHCP clients which are sending really stupid hostnames to the DHCP server, and via DHCP they get into my DNS zones.
>
> Example: A few IP phones are sending as their hostname eight times xFF. And this non-printable name is then in DNS, where I (and a few older nameservers) don't want it.
>
> So is there something possible like
>
>     update-policy { deny "*" name /^a-zA-Z0-9_\-/; };
>
> ?
>
> (For those who don't speak regex: deny all names with something in them that is not a letter or digit or underscore or dash.)

Does a check-names policy achieve this? I'm honestly not sure.

BTW: _ is not a valid hostname character. And your regex needs brackets: /[^a-zA-Z0-9_-]/

But no, update-policy doesn't support regular expressions.

Regards,
Chris Buxton
BlueCat Networks
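To make the bracket correction concrete: without the brackets the posted pattern is a literal string anchored at the start of the name, so it never matches the all-0xFF hostnames it was meant to catch, while the bracketed character class flags any byte outside the allowed set. The following added example (not from the post, and not something update-policy can evaluate, since it does not support regular expressions) runs both patterns over constructed sample hostnames, and adds the RFC 952/1123 hostname rule (letters, digits and hyphen only, no leading or trailing hyphen) that is the stricter test a filter on DHCP-supplied names would normally apply.

```python
r"""Added example (not from the mailing-list post): why the posted regex
/^a-zA-Z0-9_\-/ never matches the junk hostnames, what the bracketed
character class /[^a-zA-Z0-9_-]/ does, and a stricter hostname test based on
RFC 952/1123 (letters, digits, hyphen only). Sample hostnames are constructed."""
import re

# As posted: without brackets this is the literal text "a-zA-Z0-9_-" anchored at the start.
POSTED = re.compile(r"^a-zA-Z0-9_\-")
# Corrected: a character class, matching any single character outside the set.
CORRECTED = re.compile(r"[^a-zA-Z0-9_-]")
# Hostname label per RFC 952/1123: 1-63 chars, letters/digits/hyphen,
# not starting or ending with a hyphen. Underscore is not allowed.
HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def has_bad_chars(label: str, pattern=CORRECTED) -> bool:
    """True if the pattern finds anything in the label (a 'deny' hit)."""
    return pattern.search(label) is not None


def valid_host_label(label: str) -> bool:
    """True if the label is a syntactically valid hostname label."""
    return HOST_LABEL.fullmatch(label) is not None


def classify(labels):
    """Map each label to (posted regex hits, corrected regex hits, valid hostname)."""
    return {lbl: (has_bad_chars(lbl, POSTED), has_bad_chars(lbl), valid_host_label(lbl))
            for lbl in labels}


# Constructed samples: a sane phone name, the eight-times-0xFF name from the
# post, an underscore name, a leading-hyphen name, and a name that happens to
# start with the literal text the posted regex actually looks for.
SAMPLES = ["phone-01", "\xff" * 8, "my_host", "-bad", "a-zA-Z0-9_-junk"]

if __name__ == "__main__":
    for lbl, flags in classify(SAMPLES).items():
        print(repr(lbl), "posted=%s corrected=%s valid_hostname=%s" % flags)
```

The output makes the point: the eight-0xFF label is missed by the posted pattern and caught by the corrected one, and the only label the posted pattern ever flags is the one beginning with the literal text "a-zA-Z0-9_-".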
Re: named.conf splitting
Yes, it's quite possible to split named.conf into separate per-zone .conf files and then 'include' them back into named.conf. You can even put the list of include statements in a separate file, and then include that into named.conf.

named.conf:

    options {
        [...]
    };

    include "/path/to/etc/zones.conf";

zones.conf:

    include "/path/to/etc/zone1.conf";
    include "/path/to/etc/zone2.conf";
    [...]

I've seen this done with hundreds of thousands of zones. Performance does not seem to be significantly impacted by breaking up named.conf into included files. The loading time for named in this case will be dominated by the time to load the actual zones, which involves allocating memory and building a tree structure in memory. Use the latest versions of BIND for fastest loading of this number of zones. See Evan Hunt's blog posts on the topic:

http://www.isc.org/community/blog/201107/major-improvement-bind-9-startup-performance
http://www.isc.org/community/blog/201107/isc-bind-981b3-provides-startup-performance-improvements

Regards,
Chris Buxton
BlueCat Networks

On Feb 17, 2012, at 1:24 AM, Nick Edwards wrote:

> Hi,
> In a recent discussion on another list, it was discussed the pros and cons of splitting the main conf file to a per domain.
>
> In BIND's case it would be to /etc/named.d/*.conf
> So each zone would have a file in that directory containing only the relevant info
> eg:
>
>     zone "example.com" {
>         type master;
>         allow-transfer { slavesdns; };
>         file "example.com.signed";
>         allow-query { any; };
>         allow-update { none; };
>     };
>
> that's it, nothing more, rather than having 2000 entries in named.conf, we would have 2000 conf files to be read (yes, in addition to the 2000 actual zone files).
>
> with apache it takes only 2 or so more seconds to start and reload doing it this way, so I know that bind will take longer, it has to with all those open/read/close files, at present bind starts up in about 9 seconds due to 17K zones, so I'd imagine this would take even up to 15 seconds.
>
> My question is, has anyone done this with success or failure?
> Would a named developer know if it's safe or detrimental to do this?
> or would it simply make no difference apart from the extra time for starts/reloads?
>
>
> (This came about on another list, because we load all hosts on apache in one file (2000 per box); recently something went wrong with sshfs during a transaction, and in deleting a vhost block it took out about 100 of them :) so we are looking at making things a bit more failsafe, my opinion is, if it can happen once, it can happen again, it could have happened to a zone file, but luckily only the web conf file.
>
> Thoughts anyone?
>
> Thanks
> Niki
Re: bind public/private domain question
On Feb 21, 2012, at 9:51 AM, Marseglia, Michael wrote:

> Hello,
>
> I'm looking for advice on an issue. I have a publicly registered domain which we also use internally. I have bind configured as a caching DNS server. Bind is configured to use four other Windows DNS servers as forwarders for the domain. Bind should be using the root servers for anything not configured to forward.
>
> Bind replies with the correct name record when I perform a query using the fqdn for a machine. However, the authority and additional portion of the query returns the root servers.
>
> The Windows DNS servers are returned if I perform a query for the NS records of the internal domain.
>
> Subsequent DNS queries using the fqdn show the appropriate, internal Windows DNS servers.

This is harmless and normal.

> I don't understand why BIND is attempting to resolve the private, internal domain using the root servers when I have a forwarders statement in my configuration file specifying our internal DNS servers.

It's not.

> Is there an article that addresses this issue or can someone please point me to the correct resource so I can understand what is going on?

- BIND receives query for hostname in internal domain
- BIND forwards query to MS DNS server
- MS DNS server answers authoritatively, but does not include auth and add'l sections
- BIND evaluates answer and accepts it
- BIND sends answer back to client, along with the best auth and add'l data it has in cache, which might be from the root zone
- Client gets answer, but drops auth and add'l sections

Harmless. Normal. Nothing to be worried about.

Regards,
Chris Buxton
BlueCat Networks
Re: Configuring a domain slave to look up subdomain hosts
On Feb 28, 2012, at 10:04 AM, Mike Bernhardt wrote:

> Yes, you are confused :)
>
> I am simply trying to get the domain slave to make queries for hosts in the subdomain which is hosted on other servers, instead of forwarding the queries to the domain master. I thought a stub zone would facilitate this by giving my server the lookup information it needed to do this. Apparently this is not the case. Even though it receives a db file with the NS and SOA information for the subdomain, it is ignoring it. Forwarding works. Being a slave for the subdomain works. Stub zone doesn't work.
>
> If it's supposed to "ignore" the stub zone in my configuration, what is the value of a stub zone?

Disable forwarding in the parent zone or in the stub zones and it will work. Forwarding, which is often a poor design choice, overrides stub zones. Disable forwarding selectively or remove it from your architecture completely.

Regards,
Chris Buxton
BlueCat Networks
Re: Configuring a domain slave to look up subdomain hosts
Sorry, my mistake. Apparently, it needs to be overridden (disabled) in each affected zone, not just at the domain apex.

If you leave out the stub zones entirely and disable forwarding in the parent zones, it should work. That way, the server is simply following delegations, rather than relying on stub zones.

Regards,
Chris Buxton
BlueCat Networks

On Feb 28, 2012, at 3:11 PM, Mike Bernhardt wrote:

> So, it seems that the stub zone only works as I expected if I disable ALL forwarding- not just in the parent zone but also in global options. Is that the expected behavior for a stub zone? It's not consistent with what you said below.
>
> From: Mike Bernhardt [mailto:bernha...@bart.gov]
> Sent: Tuesday, February 28, 2012 2:47 PM
> To: 'Chris Buxton'
> Cc: bind-users@lists.isc.org
> Subject: RE: Configuring a domain slave to look up subdomain hosts
>
> Forwarding was disabled for the parent zone, but it still didn't work. That's why I asked the question. I was doing one or the other, and trying to get rid of forwarding to the domain master. I have it on in global options because we don't let internal name servers go to the root; they forward to our dmz name server for internet lookups.
>
> I can set up a forwarding zone on this server for the subdomain as someone else suggested. But if a stub zone is supposed to work, we're back to my original question. Given the information I provided in my initial question, why isn't it working when forwarding is disabled in the parent zone?
>
> From: Chris Buxton [mailto:chris.p.bux...@gmail.com]
> Sent: Tuesday, February 28, 2012 10:34 AM
> To: Mike Bernhardt
> Cc: 'Nex6'; bind-users@lists.isc.org; 'Mark Andrews'
> Subject: Re: Configuring a domain slave to look up subdomain hosts
>
> On Feb 28, 2012, at 10:04 AM, Mike Bernhardt wrote:
>
>> Yes, you are confused :)
>>
>> I am simply trying to get the domain slave to make queries for hosts in the subdomain which is hosted on other servers, instead of forwarding the queries to the domain master. I thought a stub zone would facilitate this by giving my server the lookup information it needed to do this. Apparently this is not the case. Even though it receives a db file with the NS and SOA information for the subdomain, it is ignoring it. Forwarding works. Being a slave for the subdomain works. Stub zone doesn't work.
>>
>> If it's supposed to "ignore" the stub zone in my configuration, what is the value of a stub zone?
>
> Disable forwarding in the parent zone or in the stub zones and it will work. Forwarding, which is often a poor design choice, overrides stub zones. Disable forwarding selectively or remove it from your architecture completely.
>
> Regards,
> Chris Buxton
> BlueCat Networks
Re: problem with bind manually installation on debian
On Mar 7, 2012, at 9:15 AM, mustafa alhussona wrote:

> hi
> i have a problem installing bind (i tried 9.7.4, 9.8.1, 9.9.0 versions) manually on debian squeeze. the problem is the service is installed but i can't find the configuration file and there are some error logs. please can you suggest a solution for this problem. the installation steps are
>
>     ./configure --prefix=/usr/local/bind9
>     make
>     make install

man 5 named.conf
Re: with subject: NS record for subzone definition
On Mar 13, 2012, at 6:23 AM, hugo hugoo wrote:

> I have zone "toto.be" with some records (not important)
>
> In the same name server, I want to create the subzone "titi.toto.be" with some records.
>
> ==> do I have to create in zone "toto.be" the following NS record:
>
>     titi.toto.be.    TTL    IN    NS    ns1.xxx.be
>
> I have found cases where this situation is present and others where it is not present... and both cases seem to work.
> What is the difference?

Yes, you should create the NS records. If you are using the exact same set of servers for the subzone as for the child, and are not using DNSSEC, you can get away without the NS records, but you shouldn't get into this bad habit.

Regards,
Chris Buxton
BlueCat Networks
Re: masters ordering in named.conf
On Mar 23, 2012, at 10:54 AM, Eric Chandler wrote:

> I have a question with regards to ordering of masters in slave zones. In the example below, will the slave zone try these in order each and every time?
> [...] or does it choose at random?

Masters are tried in the order listed.

Regards,
Chris Buxton
BlueCat Networks
Re: How to reset the serial number?
On Mar 26, 2012, at 11:30 AM, Carlos Ribas wrote:

> Hello all,
>
> I accidentally changed the serial number to one bigger than 32 bits and now I'm trying to reset the serial number. Following the manual of Bind9 I tried to add 2147483647 (2^31-1) to the number and reload the server, but my slave is not updating to the new zone serial number.
>
> Here is what I'm doing:
>
>     # dig @10.0.1.24 saturno.br SOA
>     ...
>     ;; ANSWER SECTION:
>     example.br.    86400    IN    SOA    ns1.example.br. hostmaster.example.br. 2694341036 7200 3600 604800 86400
>     ...
>
> 2694341036 + 2147483647 = 4841824683
>
> I put this number as serial, but it did not work. I also saw that when the number is over 4,294,967,295 I have to subtract 4,294,967,296. So 4841824683 - 4294967296 = 546857387. It did not work either. Does anybody know what I'm doing wrong? I'm using Bind 9.7.3.

You cannot reload a dynamic zone. Could that be the problem?

A serial number higher than 2^32 will not load. Instead of adding 2^31 - 1, subtract 2^31 + 1. Or try adding 2^30 (or subtracting 3 * 2^30). Make sure to reload the zone after each change, or if your zone is dynamic, use a dynamic update that adds the SOA record again and sets the new serial number.

Regards,
Chris Buxton
BlueCat Networks
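The arithmetic in this thread is RFC 1982 serial number arithmetic: a slave accepts a new serial only if it is "greater" by less than 2^31 modulo 2^32, so a serial that is too far ahead has to be walked to its target in steps. The following is an added example, not code from the post or from BIND, that implements the comparison and computes those steps; the starting serial 2694341036 is the one quoted above, while the target 2012032601 is a constructed value standing in for whatever date-based serial the operator wants to land on.

```python
"""Added example (not from the mailing-list post): RFC 1982 serial number
arithmetic, used to check whether a slave will treat a new SOA serial as
newer, and to compute the intermediate serial(s) needed to "reset" a serial
without the slave ignoring the change. The starting serial 2694341036 is the
one quoted in the thread; the target 2012032601 is a constructed value."""

MOD = 1 << 32        # serials are unsigned 32-bit
HALF = 1 << 31       # the largest well-defined increment is 2^31 - 1


def valid_serial(n: int) -> bool:
    """A serial outside 0..2^32-1 cannot be loaded from a zone file at all."""
    return 0 <= n < MOD


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is "greater than" b, i.e. a slave holding b will accept a."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(s: int, n: int) -> int:
    """RFC 1982 addition; increments of 2^31 or more are undefined, so refuse them."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in 0 .. 2^31-1")
    return (s + n) % MOD


def reset_steps(current: int, target: int) -> list:
    """Return the serials to publish, in order, so that each is greater than
    the previous one (RFC 1982) and the last equals target. Every step must
    be loaded by all slaves (reload, or a dynamic update on a dynamic zone)
    before the next one is published."""
    current, target = current % MOD, target % MOD
    steps = []
    while current != target:
        forward = (target - current) % MOD
        if forward < HALF:
            current = target                         # reachable in one valid increment
        else:
            current = serial_add(current, HALF - 1)  # biggest allowed jump
        steps.append(current)
    return steps


if __name__ == "__main__":
    cur, tgt = 2694341036, 2012032601
    print("loads?", valid_serial(2694341036 + 2147483647))   # 4841824683 does not
    print("steps:", reset_steps(cur, tgt))
```

For the thread's numbers the first step is 546857387, the same value the poster computed by hand (and the same as Chris's "subtract 2^31 + 1"), so the intermediate serial itself was right; a slave still holding 2694341036 will accept 546857387 but would ignore a direct jump to 2012032601, which is why the zone has to be reloaded (or dynamically updated) at each step rather than only at the end.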
Re: journal rollforward failed: journal out of sync with zone
On Apr 12, 2012, at 5:19 AM, Bryton wrote:

> Not at all. Everything is automated via cron. Zone is generated from one server, cron pushes to another, then cron reloads bind...

Figure out why you're getting a journal file. If you need to have a journal file (i.e. you need whatever mechanism caused it to be created), then you have to get rid of your cron job, or modify how it works. Arbitrarily replacing a zone file when there's a journal file can cause exactly the problem you're seeing.

Chris Buxton
BlueCat Networks

> On 04/12/2012 02:03 PM, Phil Mayers wrote:
>> On 12/04/12 11:50, Bryton wrote:
>>> Hi,
>>>
>>> I have observed a SERVFAIL error in one of my zones. On checking the logs I realized there is this error
>>>
>>>     journal rollforward failed: journal out of sync with zone
>>>
>>> I tried to learn more about it and I found out the solution is to delete the journal file and restart bind. I tried that and it works. Now I wonder what is the reason for such an error and what the permanent solution to mitigate it is.
>>
>> Did you or someone else edit the zone file by hand, without "freeze"/"thaw" on the zone first?
Re: Bind forwarding...
To the IP address of the DNS server? As in, recursive queries sent to the server asking for this name will be forwarded on to... the same DNS server? That would only work if you had views enabled.

However, if what you really want is that such queries are answered with an A record pointing to the name server (or some other host), rather than getting the real answer from Apple's name servers, what you want is an authoritative zone, not forwarding.

    zone "guzzoni.apple.com" {
        type master;
        file "short-circuit-queries.db";
    };

Chris Buxton
BlueCat Networks

On Apr 15, 2012, at 11:15 AM, Markus Braun wrote:

> Hello,
>
> how can i make a bind forwarding something like this:
>
> DNS server to forward Guzzoni.apple.com traffic to own IP?
>
> thank you
>
> marcus!
Re: Configuring CNAME for nosslsearch.google.com
On Apr 15, 2012, at 3:40 PM, Tobias Krais wrote:

> Hi Ben,
>
> hmm. How can I manage what google suggests:
>
> "Information for school network administrators about the No-SSL option
>
> To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com."
>
> Source: http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669. You can find this quite at the end of the document.
>
> How can I realize such a configuration in bind?

I believe you can use response policy (RPZ) to achieve this. Or you can use just about any non-BIND resolver (e.g. unbound) to achieve this.

Chris Buxton
BlueCat Networks
Re: VMware & Bind
On Jun 5, 2012, at 9:58 AM, Manson, John wrote:

> Will bind run on VMware?

Yes.

Chris Buxton
BlueCat Networks
Re: transfer the same zone from a split-view master
On Jun 5, 2012, at 1:50 PM, Carlos Raúl Laguna Mendoza wrote:

> Hi everyone, still stuck with this. Can anyone throw some light here? I need to transfer several identical zones from two views in my master server, but the slave server only has one IP, so I read something about using TSIG to get this done, but so far nothing. Can anyone explain to me how the config of the view and zone should look in the master and slave server? Regards and thanks

Check the FAQ. In short:

- Create two TSIG keys, one per view.
- Configure those keys on each server (master and slave).
- In each view on the master, use match-clients to match one key and not the other -- put the TSIG keys first, before any IP addresses.
- In each view on each server (master and slave), use a server statement referencing the other server and designating the key for that view.
- Remove the zone files from the slave server.
- 'rndc reload' on both servers.
- Check the logs and the slave's zone files.

Chris Buxton
BlueCat Networks
Re: Corrupted zone files on 9.9.1 slave, temp files with text contents...
Probably nothing. I believe the default format for slave zones is now compiled rather than text. Remove all the zone files on the slave and reload it.

Chris Buxton
BlueCat Networks

On Jun 8, 2012, at 12:26 PM, David L. Beem wrote:

> Just upgraded to 9.9.1 from 9.8.0, the end results seem to be reported correctly from both master and slave. Master (running on 2003 R2) is unaffected. Slave (2008 SP2) puts corrupted (text with additional special characters) zone files in the directory when the service is restarted, and creates additional files named "db-X000" each containing the original text of a zone file.
>
> What have I done wrong or not done correctly following the installation?
>
> TIA
Re: Journal File Question
On Jul 25, 2012, at 7:25 AM, wbr...@e1b.org wrote:

> Chris wrote on 07/25/2012 09:04:49 AM:
>
>> Is it possible to restore a zone file from its associated journal file?
>
> No. The journal file only records updates to the zone. At best you would only recover the changes since the last commit to the zone file.
>
>> The docs seem to indicate that a restart of bind will sync the two files, but in practice I get such as this:
>
> It doesn't sync the files to make two equal copies. It applies all of the outstanding transactions in the journal file to the zone file and then empties the journal.

I don't believe that is entirely correct. The journal file needs to be retained to support ixfrs. My understanding is that it will be automatically trimmed to max-journal-size, if that option is set.

Chris Buxton
BlueCat Networks
Re: Multi-master DNS with Bind
On Aug 5, 2012, at 11:26 PM, Evan Hunt wrote:

>> Looking to find information as to whether I can set up bind for multi-master DNS. I want to be able to update DNS records via any or more than one nameserver in the domain and have the records updated and propagated regardless if the "master" is available. Is this supported or are there ways to make this work with bind?
>
> Not at this time. We've discussed the subject at some length and it may appear in a future release, but it's not on the near-term roadmap.

Couldn't this be done with DLZ?
Re: Multi-master DNS with Bind
On Aug 6, 2012, at 7:37 PM, john.debe...@teradyne.com wrote:

> Don't know. I haven't used it. Do you have experience with it?

No, I don't have experience with DLZ. However, I believe multi-master DNS should be possible with DLZ and active-active database replication.

Regards,
Chris Buxton
BlueCat Networks
Re: cname and soa record in the same zone file -- problem?
It works because they're not using BIND. Whatever they're using doesn't enforce rules for CNAME records.

I would expect it to give inconsistent results, but I'm not 100% sure. Running some queries, I'm seeing where the query results aren't always being cached correctly, but I can't see how the bad effects would go any further than that. Perhaps someone else can explain how this misbehaves in this particular situation.

Chris Buxton
BlueCat Networks

On Sep 18, 2012, at 8:08 AM, M. Meadows wrote:

> Why / how does this work?
>
>     dig -t any www.careerone.com.au @ns2.tmpw.net.
>
>     ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.2 <<>> -t any www.careerone.com.au @ns2.tmpw.net.
>     ;; global options: printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15513
>     ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
>
>     ;; QUESTION SECTION:
>     ;www.careerone.com.au.          IN  ANY
>
>     ;; ANSWER SECTION:
>     www.careerone.com.au.  2560   IN  SOA    ns1.tmpw.net. hostmaster.tmpw.net. 1347892090 16384 2048 1048576 2560
>     www.careerone.com.au.  14400  IN  NS     ns1.tmpw.net.
>     www.careerone.com.au.  14400  IN  NS     ns2.tmpw.net.
>     www.careerone.com.au.  14400  IN  NS     ns3.tmpw.net.
>     www.careerone.com.au.  600    IN  CNAME  www.careerone.com.au.edgesuite.net.
>
>     ;; ADDITIONAL SECTION:
>     ns1.tmpw.net.          3600   IN  A      208.71.198.33
>     ns2.tmpw.net.          3600   IN  A      63.121.30.233
>     ns3.tmpw.net.          3600   IN  A      208.71.198.34
>
>     ;; Query time: 81 msec
>     ;; SERVER: 63.121.30.233#53(63.121.30.233)
>     ;; WHEN: Tue Sep 18 08:48:30 2012
>     ;; MSG SIZE  rcvd: 240
>
> I thought a cname record can't coexist with any other records in a zone file. How does this even get loaded this way? What results should the owners of this domain expect? I assume they'll be inconsistent and problematic. Right?
>
> Thanks!
Re: question about how a particular dig works ...
My guess is that MS DNS is failing to treat the authoritative CNAME result from the www.careerone.com.au servers (which shouldn't even be authoritative) as more trustworthy than the NS records it received in the referral from the parent zone. This then causes that CNAME record to be rejected, which then kills the whole process.

The BIND name server sees the CNAME record and, apparently, at least works with it long enough to build an answer to the query it received. It doesn't seem to want to cache it, and so ends up looking it up again more often than should be necessary. But at least it's able to answer queries.

Chris Buxton
BlueCat Networks

On Sep 18, 2012, at 9:59 AM, M. Meadows wrote:

> Thanks Kevin. I understand how the chained alias works. Sorry, I didn't explain my question very well.
>
> I can see that the 8.8.8.8 google public dns server gets an answer.
>
> I know that this domain has a cname coexisting with an SOA record and NS records ... both of which I have read are a bad thing. And I've seen the other reply that indicates that this combination of records in a zone file wouldn't even load in BIND ... so it's done with some other more forgiving DNS app.
>
> What I also see (but failed to explain) is that we have a local nameserver that can't find an answer to the dig www.careerone.com.au query. Gets no record back. Our local nameserver is an AD server that just throws up its imaginary hands in despair. So is this what we should expect from this problematic DNS setup in the www.careerone.com.au zone file? Erratic or somewhat erratic results? Just curious why google and some other public facing dns servers get an answer when our own local nameserver can't figure it out.
>
> Date: Tue, 18 Sep 2012 11:18:58 -0400
> From: k...@chrysler.com
> To: bind-users@lists.isc.org
> Subject: Re: question about how a particular dig works ...
>
> On 9/18/2012 9:45 AM, M. Meadows wrote:
>> dig www.careerone.com.au +short @8.8.8.8
>> www.careerone.com.au.edgesuite.net.
>> a903.g.akamai.net.
>> 208.44.23.99
>> 208.44.23.121
>>
>> Why does the above dig work when
>>
>> dig careerone.com.au +nssearch @8.8.8.8
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server usw1.akam.net in 106 ms.
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server usw4.akam.net in 136 ms.
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server usc4.akam.net in 124 ms.
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server usc1.akam.net in 40 ms.
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server usw5.akam.net in 190 ms.
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server ns1-24.akam.net in 171 ms.
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server asia1.akam.net in 161 ms.
>> SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200 from server ns1-50.akam.net in 161 ms.
>>
>> shows 8 auth nameservers for careerone.com.au
>>
>> and if you use
>>
>> dig www.careerone.com.au +short @
>>
>> you get no answer.
>>
>> How does that work? Where does the 8.8.8.8 google public dns server get its answer from?
>
> www.careerone.com.au is an alias (through chained aliasing) ultimately to a903.g.akamai.net. To get an authoritative answer for a903.g.akamai.net you'd need to ask one of the g.akamai.net nameservers. Which is presumably what Google's public resolver did to get the answers it returned to your query.
>
> - Kevin
Re: does a stub zone require an IXFR?
On Sep 20, 2012, at 4:39 AM, M. Meadows wrote:

> Attempting to determine if a stub zone requires any kind of zone transfer. Reading through online doc I find mixed opinions.

No zone transfer. Just an SOA query, an NS query, and (if necessary) A and record queries for name server names.

Chris Buxton
BlueCat Networks
Re: Moving from "type forward" to "type static-stub"
On Sep 20, 2012, at 5:49 PM, Oscar Ricardo Silva wrote:

> I have several recursive, caching BIND servers [...]
> The current servers are configured to forward any queries for our domain straight to our authoritative servers [...]
> I've been reading about the new zone type: static-stub and believe this may work better for us. [...]
> If I'm correct, it will send non-recursive queries to the listed servers and will honor delegations. I've tested this configuration in our lab and it all appears to be working.
>
> With our configuration, are there any downsides to changing from forward zones to static-stub?

Type static-stub should work great here. Type stub, which has been around since before I started managing DNS servers (a very long time now), would probably also have worked.

Chris Buxton
BlueCat Networks
Re: statistics-file and file rotation
On Sep 20, 2012, at 5:38 PM, Alex wrote:

> I have a bind-9.7.4 server running on fc15. I use the 'size' parameter with the query log file to automatically rotate them. How can I do this with the statistics-file file? It doesn't seem to be documented?

AFAIK, you can't.

Chris Buxton
BlueCat Networks
Re: Unintended Consequences; I shut down the wrong bind.
On Oct 3, 2012, at 8:35 AM, Martin McCormick wrote:

> Could shutdown have triggered rndc to give a stop command to bind?

Yes, depending on the scripts executed during system shutdown. Executing `rndc stop` during shutdown happens on, for example, Red Hat Enterprise Linux. For this reason, the default server in rndc.conf should always be some form of localhost.

Chris Buxton
BlueCat Networks
Re: query (cache) 'domain.com/AAAA/IN' denied
On Oct 10, 2012, at 7:22 PM, kalin wrote:

> if i add a zone record to the named.conf i'm editing and do a dig on it, locally i get it fine:
>
> $ dig @ns2. domain.com
>
> ; <<>> DiG 9.8.1-P1 <<>> @ns2. domain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

No you don't. You're getting it from the other computer. No 'aa' flag. Your zone is not loading for some reason.

The reason it works locally and not remotely is, the local query is in the default allow-recursion ACL, but the remote host is not. The recursion settings are a red herring. Solve the missing 'aa' flag.

Chris Buxton
BlueCat Networks
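The check Chris describes (look at the header flags, not at whether an answer came back) is easy to automate when you are comparing dig output from several hosts. The following is an added example, not code from the thread or from BIND: it parses the header lines of dig's text output and reports whether the answer was authoritative ('aa' set) or merely obtained through recursion ('ra' set, no 'aa'). The two captures are constructed; POSTED mirrors the header the poster showed, EXPECTED_FROM_AUTH is what the same query should look like once the zone actually loads on ns2 (the id value is invented).

```python
# Added example (not from the original thread): classify a dig response by
# its header flags. Captures below are constructed for the demonstration.
import re

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")

# Mirrors the header posted in the thread: qr rd ra, no aa.
POSTED = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""

# Constructed: what an answer from a server that really loaded the zone shows.
EXPECTED_FROM_AUTH = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""


def parse_dig_header(text):
    """Return opcode, status, id and the set of header flags from dig output."""
    info = {"opcode": None, "status": None, "id": None, "flags": set()}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            info["opcode"], info["status"] = m.group(1), m.group(2)
            info["id"] = int(m.group(3))
            continue
        m = FLAGS_RE.match(line)
        if m:
            info["flags"] = set(m.group(1).split())
    return info


def answer_source(text):
    """'authoritative' when aa is set; 'recursive' when the server only
    offered recursion (ra) and answered from cache or a forwarder; else 'other'."""
    flags = parse_dig_header(text)["flags"]
    if "aa" in flags:
        return "authoritative"
    if "ra" in flags:
        return "recursive"
    return "other"


if __name__ == "__main__":
    for label, capture in (("posted", POSTED), ("expected", EXPECTED_FROM_AUTH)):
        print(label, sorted(parse_dig_header(capture)["flags"]), answer_source(capture))
```

Feed it `dig @server name` output captured from each vantage point; if the server you believe is authoritative never produces 'aa', the zone is not loaded there, whatever the recursion ACLs say.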
Re: about the wild record
On Oct 15, 2012, at 6:16 AM, pa...@riseup.net wrote:

> no SOA for test.cloudns.tk IMO. see:

You have confused "domain" with "zone". You have a zone named 'cloudns.tk.'. A zone is also a domain. Within that domain, you have the following subdomains (that you have mentioned):

  test.cloudns.tk.
  s1.test.cloudns.tk.
  *.cloudns.tk.

All of these domain names are the apexes of domains. None of those domains are broken out (delegated) as zones (with SOA records).

What everyone so far has been trying to tell you is, even though you have no records named 'test.cloudns.tk.', its existence as a domain name is implied by the existence of the child, 's1.test.cloudns.tk.'. Therefore, the wildcard will not match queries for those two domain names. Nor will it match any other domain names within those two domains -- you would need A records for the following names to cover all of the names other than s1.test:

  test.cloudns.tk.
  *.test.cloudns.tk.
  *.s1.test.cloudns.tk.

Chris Buxton
BlueCat Networks
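The rule Chris is applying is the RFC 4592 "closest encloser" rule: a wildcard is only consulted at the nearest existing ancestor of the query name, and a name exists as soon as anything below it exists, even with no records of its own (an empty non-terminal). The following is an added example, not code from the thread or from any DNS server: a small lookup function over a constructed zone shaped like the one discussed (apex cloudns.tk., a host s1.test.cloudns.tk., and *.cloudns.tk.). The owner names are assumptions mirroring the post; the real zone may differ.

```python
# Added example (not from the original thread): RFC 4592 wildcard matching
# with empty non-terminals, over a constructed zone.

ORIGIN = "cloudns.tk."

# Names that own at least one record in the constructed zone.
OWNER_NAMES = {
    "cloudns.tk.",           # apex: SOA, NS
    "s1.test.cloudns.tk.",   # a host two labels below the apex
    "*.cloudns.tk.",         # the wildcard
}


def labels(name):
    """'A.b.c.' -> ['a', 'b', 'c'] (names compare case-insensitively)."""
    return name.lower().rstrip(".").split(".")


def is_in_domain(name, domain):
    n, d = labels(name), labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


def existing_names(owner_names, origin):
    """Every name that exists in the zone: the owners plus each empty
    non-terminal they imply (RFC 4592 section 2.2.2). s1.test.cloudns.tk.
    makes test.cloudns.tk. exist even though nothing is stored under it."""
    exists = set()
    depth = len(labels(origin))
    for owner in owner_names:
        parts = labels(owner)
        while len(parts) >= depth:
            exists.add(".".join(parts) + ".")
            parts = parts[1:]
    return exists


def closest_encloser(qname, exists):
    """Longest existing name that qname is at or below, or None."""
    parts = labels(qname)
    for i in range(len(parts)):
        candidate = ".".join(parts[i:]) + "."
        if candidate in exists:
            return candidate
    return None


def lookup(qname, owner_names=OWNER_NAMES, origin=ORIGIN):
    """Classify a query name:
      ('exact', name)      it owns records
      ('nodata', name)     empty non-terminal: NOERROR with an empty answer
      ('wildcard', '*.x')  synthesised from the wildcard at the closest encloser
      ('nxdomain', None)   nothing matches
    The wildcard is only consulted at the closest encloser, so *.cloudns.tk.
    never covers names under test.cloudns.tk. or s1.test.cloudns.tk."""
    qname = qname.lower()
    if not is_in_domain(qname, origin):
        return ("out-of-zone", None)
    exists = existing_names(owner_names, origin)
    if qname in owner_names:
        return ("exact", qname)
    if qname in exists:
        return ("nodata", qname)
    enc = closest_encloser(qname, exists)
    if enc is None:
        return ("nxdomain", None)
    wildcard = "*." + enc
    if wildcard in owner_names:
        return ("wildcard", wildcard)
    return ("nxdomain", None)


if __name__ == "__main__":
    for q in ("foo.cloudns.tk.", "test.cloudns.tk.", "foo.test.cloudns.tk.", "x.s1.test.cloudns.tk."):
        print(q, lookup(q))
```

Adding the three names Chris lists (test.cloudns.tk., *.test.cloudns.tk., *.s1.test.cloudns.tk.) to OWNER_NAMES and re-running the lookups shows why they are all needed: each one creates a wildcard at a different closest encloser.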
Re: Disable log message
On Oct 19, 2012, at 6:22 PM, Warren Kumari wrote:

> On Oct 19, 2012, at 9:17 PM, "Michael Hoskins (michoski)" wrote:
>> -Original Message-
>>> On Oct 19, 2012, at 6:13 PM, Alan Clegg wrote:
>>>
>>>> On Oct 18, 2012, at 1:13 PM, Chris Thompson wrote:
>>>>
>>>>> On Oct 18 2012, Jeremy C. Reed wrote:
>>>>>
>>>>>> On Thu, 18 Oct 2012, Jack Tavares wrote:
>>>>>>
>>>>>>> I am running bind9.8.x built from source and I see this message in the logs
>>>>>>> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool' etc etc etc
>>>>>>> I would prefer to not have that show up in the log.
>>>>>>> Short of modifying the source, is there an easy way to disable that?
>>>>>>
>>>>>> No way to disable just it. It is in the "general" catch-all category.
>>>>>
>>>>> Also, it is output before the configuration "logging" directives have been processed, so it comes out with the internal defaults for category and priority (daemon.notice). Any suppression would need to be done at the syslog level.
>>>>>
>>>>> But I have some difficulty understanding why anyone would want it suppressed. It's true that BIND is a bit noisier than it used to be at this stage, but can this really be a problem? Do you let the black hats see your system logs?
>>>>
>>>> This message was added by general recognition that being able to rebuild a "drop-in" binary for BIND when you didn't have access to the build directory (where the config.log contains the information) was a good thing.
>>>
>>> Yah, a very good thing… This has been really really useful to me on a number of occasions…
>>>
>>>> I, for one, see no reason to suppress this message (but I do have blind spots at times).
>>>
>>> Me neither, but I am interested why folk might want to…
>>
>> Maybe it's viewed as information disclosure?
>
> Ah, that's a good point, especially if BIND is being incorporated into an appliance / black box and there is no need for the users of the appliance to know what all goes on under the hood?

As an employee of the maker of an appliance solution, I can say that we gladly tell our customers what's going on under the hood. If we didn't, they wouldn't trust us.

Chris Buxton
BlueCat Networks
Re: BIND does not answer
On Oct 23, 2012, at 5:17 PM, Christian Tardif wrote:

> Hi,
>
> I have a strange BIND behaviour I don't know how to handle. As I don't exactly know how to describe it, I'll rather explain what I did and what happens. But not quite easy to follow.
>
> In my tests, I have two servers with BIND installed on them: SiteA (BIND 9.8.2rc1 on CentOS 6.3), and SiteB (BIND 9.5.0-P2, on Mandriva 2008.1). A third environment helps me for diagnostics.
>
> SiteA is a recursive name server. I've been able to prove that it does not behave correctly under certain circumstances by hitting it with a simple request: asking it to give me NS records for a certain subdomain for which it's primary for the base domain (dig @SiteA NS sub.domain.tld, SiteA being authoritative for domain.tld). It just times out. There are glue records on SiteA for the sub.domain.tld master BIND. In order to try to figure out what was going on, I try, directly from SiteA, to send a request, as a client, directly to the master of sub.domain.tld. Times out again. At this moment, I can't tell which server is faulty. But I get the same behaviour trying to get an answer from a completely different server (SiteB). In that case as well, no answer. But still starting from SiteA.
>
> I then tried to get a response for the request I made from SiteA to SiteB (as I control both), but this time, starting from my third environment. Then, SiteB answers to my request. So SiteB looks like it's working. But how come it does not answer my request from SiteA? From BIND logs on SiteB, there's no trace of SiteA-to-SiteB's request. In order to prove that my UDP packets actually reach their destination, and are not modified during transit, I opened a tcpdump session on SiteA and on SiteB. Packets come through in good shape, but didn't find their way to the BIND application, as it seems.
>
> In my opinion, SiteB is not part of the problem, as it answers normally to every other request it receives from anywhere else than SiteA. If I try again the SiteA-to-SiteB request, I can see with tcpdump that packets get out of SiteA, and enter SiteB. But BIND doesn't react. Even if I try to enable debugging on SiteB, I don't see anything.
>
> What could be wrong, and how do I solve it? What tools are available to help out? If I try to ask for a recursive request (let's say www.google.com) from anywhere, pointing at SiteA, I get a proper answer.

What happens if you use 'dig +norec' in your tests? That is, use iterative queries. Does that change the behavior you see?

Chris Buxton
BlueCat Networks
Re: ISC Bind in Active Directory
On Oct 24, 2012, at 6:50 AM, Nicholas F Miller wrote:

> Scavenging is a concern but we didn't have much choice. Our AD is only one of many subdomains and our DHCP spans all of them. If we used DHCP for DDNS records we wouldn't be guaranteed unique names. By limiting DDNS to just the AD we are guaranteed unique names. We only needed DDNS in our AD so it made the most sense to use GSS-TSIG.

So let the client specify the DDNS domain name, in the DHCP transaction. Or just hard-code a DDNS domain name into each subnet, possibly varying by subnet. Or do both -- use the client-supplied value if one is supplied, or else use the default.

Bear in mind, I'm not saying client updates are necessarily bad, only that you could have done it the other way.

Chris Buxton
BlueCat Networks
Re: Delegations
On Oct 31, 2012, at 4:02 PM, Doug Barton wrote:

> On 10/31/2012 03:56 PM, Mark Andrews wrote:
>> You are equating a practice that was technically wrong, and known to be wrong from the get go, with one that has never been technically wrong.
>
> Yes, I'm making exactly the same judgment that typical users make. "It works, so it must be Ok."
>
> The fact that we ("experts") can get away with something, whether it's technically right/wrong/indifferent notwithstanding, doesn't mean that it's good advice for the average user.

I must disagree with my learned colleague here. Introducing the extra subzone for the current subdomain also introduces extra work if DNSSEC is later introduced. It can also cause as many problems as it solves even in the absence of DNSSEC.

As for the possibility of administrator error in the future, and making things futureproof, I would assert that stumbling when bad assumptions cause problems is the quickest way to learn the proper rules of DNS. Designing a system to match the possible wrong-headed assumptions of future admins results in a system akin to Microsoft's DNS snap-in for MMC, whereby users then develop mistakes in their thinking about how DNS works and therefore are unable to properly troubleshoot and fix real problems when they occur. I would prefer to promote a correct understanding of the actual rules of DNS.

Chris Buxton
BlueCat Networks
Re: Delegations
On Oct 31, 2012, at 2:31 PM, Kevin Darcy wrote:

> I know of at least 2 commercially-available DNS maintenance systems that, by default, do not allow what they call "dotted hostnames", by which they mean a name which is at least 2 labels below a zone cut, e.g. "foo.bar" in the "example.com" zone. Their underlying assumption seems to be that *every* level of the hierarchy will, in the usual/typical/default case, be delegated.

As an employee of a company that makes a DNS management product, I can say that there is a strong temptation to think this way when designing such a product. We have mostly managed to avoid this type of stupidity, but I still get tripped up by it occasionally. When I find it, it gets logged as a bug report, of course, because we have plenty of customers who rely on "dotted records".

Chris Buxton
BlueCat Networks
Re: Logging no such name
On Nov 19, 2012, at 3:32 AM, Artemis Braja wrote:

> Hello,
>
> I've been using BIND 9.8 for some time but I can't find a way to log "no such name" or "noanswer" responses with bind logging clause.
>
> Actually I'm able to log by setting the debug level to 3, but yet it's too hard to parse it, especially when you try to push these logs to a DB.
>
> Is there any possibility to log only these type of response without going to such a high debug level.

To log the responses that named sends in response to queries, you are best off using a packet sniffer of some kind. There are even commercial offerings available from multiple vendors that will capture, collect, and analyze this data for you.

Chris Buxton
BlueCat Networks
Re:
On Nov 30, 2012, at 4:53 AM, Matus UHLAR - fantomas wrote:

>> 2012/11/29 Chuck Swiger
>>> You've got two nameservers for the domain per WHOIS as:
>>>
>>> Domain servers in listed order:
>>> NS1.VIDEOLINEDVD.COM
>>> NS2.VIDEOLINEDVD.COM
>>>
>>> ...but they don't have A records setup. Your nameservers must have A records:
>
> actually, they have glue A record in .com zone:
>
> ;; AUTHORITY SECTION:
> videolinedvd.com. 172800 IN NS ns1.videolinedvd.com.
> videolinedvd.com. 172800 IN NS ns2.videolinedvd.com.
>
> ;; ADDITIONAL SECTION:
> ns1.videolinedvd.com. 172800 IN A 72.167.164.36
> ns2.videolinedvd.com. 172800 IN A 72.167.164.36

Glue records without matching authoritative records are pretty useless. If there isn't a matching A record in the videolinedvd.com zone as served by those two servers, it just won't work.

Chris Buxton
BlueCat Networks
Re:
On Nov 30, 2012, at 10:33 AM, Matus UHLAR - fantomas wrote:

>>>> 2012/11/29 Chuck Swiger
>>>>> You've got two nameservers for the domain per WHOIS as:
>>>>>
>>>>> Domain servers in listed order:
>>>>> NS1.VIDEOLINEDVD.COM
>>>>> NS2.VIDEOLINEDVD.COM
>>>>>
>>>>> ...but they don't have A records setup. Your nameservers must have A records:
>
>> On Nov 30, 2012, at 4:53 AM, Matus UHLAR - fantomas wrote:
>>> actually, they have glue A record in .com zone:
>>>
>>> ;; AUTHORITY SECTION:
>>> videolinedvd.com. 172800 IN NS ns1.videolinedvd.com.
>>> videolinedvd.com. 172800 IN NS ns2.videolinedvd.com.
>>>
>>> ;; ADDITIONAL SECTION:
>>> ns1.videolinedvd.com. 172800 IN A 72.167.164.36
>>> ns2.videolinedvd.com. 172800 IN A 72.167.164.36
>
> On 30.11.12 09:46, Chris Buxton wrote:
>> Glue records without matching authoritative records are pretty useless. If there isn't a matching A record in the videolinedvd.com zone as served by those two servers, it just won't work.
>
> at the time I have checked, the server ad given were not responding. So I can not say if there are any records... did you get any?

Actually, no, I didn't get a response from that server either. Note that it's the same IP address for both names -- bad practice.

Chris Buxton
BlueCat Networks
Re: Expiration TTLs
On Dec 1, 2012, at 12:17 PM, Paul Romano wrote:

> What is a good compromise on zone expiration TTLs? Our DNS is authoritative for AD DNS and we want to make sure we force records to refresh but do not want to expose ourselves to the risk of zone failures.

The zone expiration timer is not a TTL timer. The two are different. Zone expiration should usually be at least a week. I've set mine to 6 weeks. This timer has nothing to do with the refresh interval, which is also defined in the SOA record.

Chris Buxton
BlueCat Networks
Re: Expiration TTLs
On Dec 2, 2012, at 6:10 PM, Paul Romano wrote:

> Chris.
> Thanks for the correction on the term TTL instead of timer. The engineer I inherited this environment from has the refresh set to 40 minutes and the zone expiration set to 2 hours. The explanation I got was that since we are authoritative for AD we want to ensure that some kind of scavenging is in place. Your explanation suggests that the refresh time is strictly survivability and will not force an update if the serial numbers do not increment enough to implement the refresh.
> Am I stating this correctly? Any suggestions?

No, that's not quite right. Here are some definitions:

- Refresh timer: Controls how often a slave or stub server will check in with its configured master(s) to see if the zone has been updated, in the absence of a notify message. This check is an SOA query. This is related to master/slave and master/stub zone replication. If the serial number in the retrieved SOA record is larger than the serial number the server currently has -- even by 1 -- it triggers either a zone transfer (slave) or further queries for NS and A records (stub).

- Retry timer: If a refresh check fails, the slave or stub server will start the retry timer instead of the refresh timer. When it runs out, the server tries again to refresh from its master(s). The purpose is to control how often a slave or stub server refreshes while the master is unavailable.

- Expire timer: At every successful refresh check, this timer is reset. If the zone has not been refreshed by the time this timer runs out, the zone is expired. The server will not respond authoritatively (for slave zones); I'm not sure exactly what happens with stub servers, or whether they use this timer at all.

Typically, the refresh timer is set to the longest amount of time the organization will permit a slave to be out of date compared to its master -- depending on the usage, usually somewhere between 1 hour and 1 day. The retry timer is often set to a smaller value -- often between 10 minutes and 2 hours -- but I've seen installations where it is set longer (and not due to misunderstanding). The expire timer is generally set to between 1 and 6 weeks, to allow time for a problem with a master to be noticed and corrected before a slave stops responding authoritatively.

The notify mechanism, whereby an authoritative server proactively notifies other authoritative servers (typically a primary master notifying its slaves) when a zone is updated, augments this system of timers. When a notify is received, it causes a refresh check to occur immediately; this resets the timers.

Note that there is no scavenging function in BIND (nothing similar to MS DNS' aging and scavenging feature set), and no way to really implement it purely in DNS. Any attempt to use the expire timer to achieve this is evidence of a profound misunderstanding of the use of these timers.

Regards,
Chris Buxton
BlueCat Networks
Re: Can't find named_dump.db
On Dec 3, 2012, at 7:41 AM, Daniele Imbrogino wrote:

> Using BIND 9.8.1 on Ubuntu 12.04, I try to save the server cache using the command "sudo rndc dumpdb -cache" (without quotes, obviously), but then I can't find the file "/etc/bind/named_dump.db" being "/etc/bind/" the working directory of the server.

Look in /var/cache/bind. That's the working directory for the bind9 package default configuration. (To see this, use 'grep directory /etc/bind/named.conf.options'.)

Chris Buxton
BlueCat Networks
Re: Requesting tips on setting TTLs so that expired RRSIG data doesn't stay in the zone
On Dec 14, 2012, at 2:48 AM, GS Bryan wrote:

> Reference: http://dnssec-debugger.verisignlabs.com/imouto.my
>
> How to configure named (version BIND 9.9.2-P1-RedHat-9.9.2-2.P1.el5) so that expired RRSIG data doesn't stay in the zone? I heard it has something to do with the TTL of the zone (the expiry timer in that zone's SOA).

In DNS, it's important to correctly understand the terminology and use it with precision. Failure to do so leads to misunderstandings like the one displayed above.

A zone doesn't have a TTL. It might have a default TTL expressed in the master copy of the zone, but this only has an effect on the way the zone is loaded by the primary master name server. As far as all other name servers are concerned, there is no default TTL, and every record has an explicit TTL.

The expire timer value in the zone's SOA record is not a TTL. Its only effect is on slave servers that fail to successfully refresh the zone from their master server(s) within that period.

The existence of records in an authoritative zone is not affected by TTLs. However, the caching of records by other name servers is affected by TTLs. Perhaps you were really trying to ask how to make sure stale RRSIG records are removed from the caches of other name servers in a timely manner; in that case, the TTLs of the specific records could come into play. However, expired RRSIGs are discarded by validating resolvers. The validating resolver, on encountering a stale RRSIG, would typically query one of the zone's authoritative servers directly (in the absence of forwarding configuration) to get a current RRSIG record. Therefore, the only problem these expired RRSIGs might cause is a little bit of wasted bandwidth.

Chris Buxton
BlueCat Networks
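The last paragraph is worth making concrete, because it is where the TTL and the signature validity window actually meet. The following is an added example, not code from the thread or from BIND: it evaluates an RRSIG's inception/expiration window the way a validator does (serial arithmetic on the 32-bit timestamps, as RFC 4034 section 3.1.5 requires, per RFC 4035 section 5.3.1) and caps how long a signed RRset may be cached so that it never outlives its signature (RFC 4035 section 5.3.3). The RRSIG timestamps and TTL below are constructed; no real signature data from imouto.my is used.

```python
# Added example (not from the original thread): RRSIG validity window and
# the cache-lifetime cap a validating resolver applies. Timestamps are
# constructed for the demonstration.
from datetime import datetime, timezone

MASK = 0xFFFFFFFF


def to_epoch32(ts):
    """RRSIG presentation time YYYYMMDDHHmmSS (UTC) -> 32-bit seconds."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & MASK


def serial_lt(a, b):
    """RFC 1982 serial arithmetic, which RFC 4034 mandates for these fields."""
    a, b = a & MASK, b & MASK
    return a != b and ((a < b and b - a < 2**31) or (a > b and a - b > 2**31))


def rrsig_status(inception, expiration, now):
    """'valid' iff inception <= now <= expiration in serial arithmetic."""
    if serial_lt(now, inception):
        return "not-yet-valid"
    if serial_lt(expiration, now):
        return "expired"
    return "valid"


def cacheable_ttl(rr_ttl, expiration, now):
    """A validator must not keep a signed RRset past the RRSIG's expiration,
    whatever the RRset's own TTL says (RFC 4035 section 5.3.3)."""
    if serial_lt(expiration, now):
        return 0
    return min(rr_ttl, (expiration - now) & MASK)


def validator_keeps(rrsig, now):
    """rrsig: dict with presentation-format 'inception'/'expiration' and the
    covered RRset's 'ttl'. Returns (status, seconds_to_cache). An expired
    RRSIG is discarded outright; the resolver then re-queries the zone's
    authoritative servers for a current one."""
    inc, exp = to_epoch32(rrsig["inception"]), to_epoch32(rrsig["expiration"])
    status = rrsig_status(inc, exp, now)
    return status, (cacheable_ttl(rrsig["ttl"], exp, now) if status == "valid" else 0)


# Constructed RRSIG: signed for December 2012, covering an RRset with a one-day TTL.
SIG = {"ttl": 86400, "inception": "20121201000000", "expiration": "20121231000000"}

if __name__ == "__main__":
    for when in ("20121214000000", "20121230230000", "20130105000000"):
        print(when, validator_keeps(SIG, to_epoch32(when)))
```

The second case in the usage loop is the one that matters operationally: one hour before expiration the RRset is cached for 3600 seconds, not its 86400-second TTL, so a validating cache never serves an RRSIG past its window regardless of how the authoritative zone's TTLs are set.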
Re: With the announcement that: “Advisory — D-root is changing its IPv4 address on the 3rd of January.”
On Dec 14, 2012, at 6:59 AM, Hayward, Bruce wrote:

> Hi
>
> With the announcement that: “Advisory — D-root is changing its IPv4 address on the 3rd of January.”
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2012-December/009428.html
>
> We are running 9.7.3-P3 on the Auths, and 9.8.1-P1 on the resolvers.
>
> We currently do not use a root hints file – If we put a hints file in named.conf, then will named use it, rather than the compiled in hints?

Yes.

Chris Buxton
BlueCat Networks
Re: Duplicate records?
On Dec 21, 2012, at 8:45 AM, Marek Kozlowski wrote:

> As I can see BIND allows duplicate A:
>
> pikus IN A 192.168.1.1
> pikus IN A 192.168.1.2

Those aren't duplicates. They are a record set of two records. If they had the same data, we would call them duplicates. A record set is a set of records that all have the same name, class, and type. Also called an rrset, short for "resource record set".

> and PTR:
>
> 192.168.1.1. IN PTR pikus.somedomain.com.
> 192.168.1.1. IN PTR filemon.somedomain.com.

Again, an rrset of PTR records.

> and disallows duplicate CNAMEs in the same way.

CNAME is a singleton type. Each rrset of type CNAME must have exactly one record, no more. Furthermore, a CNAME record cannot coexist with any other record type of the same name, except for a couple of DNSSEC record types (RRSIG and NSEC).

> For A and PTR both records are returned. My questions are:
>
> 1. Is using duplicate A and PTR a standard (RFC...?) supported by all named implementations?

Yes.

> 2. Is using this duplicate A / PTR a good practice?

That depends on the use case. Multiple PTR records in an rrset is typically a bad idea (won't achieve the desired effect), but that is not always the case. Putting multiple A records in an rrset is common.

> 3. If A can be duplicated and CNAME cannot -- what's the reason for using CNAMEs (A-s are better).

A CNAME record creates an alias. If the target of that alias changes (gets a new address, gets a new MX record, or whatever), the alias need not change to gain the same benefit. Deciding when to use a CNAME record in place of one or more other records is a matter of taste, management tools, and use cases.

Chris Buxton
BlueCat Networks
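The rules in this reply (records group into RRsets by name, class and type; a CNAME RRset holds exactly one record; a CNAME cannot share its owner name with anything except RRSIG and NSEC) are the same checks BIND performs at load time, and they are also what rejected the www.careerone.com.au zone discussed earlier, where a CNAME sat at a name that also had SOA and NS records. The following is an added example, not code from the thread or from BIND: a small checker that groups (owner, type, rdata) triples into RRsets and reports true duplicates, multi-record CNAME sets and CNAME coexistence. The sample records are constructed: PIKUS mirrors the records in this post (PTR owners written in in-addr.arpa form), APEX_CNAME is shaped like the careerone.com.au case using the SOA, NS and CNAME data visible in that thread.

```python
# Added example (not from the original thread): RRset grouping and the
# CNAME singleton / coexistence rules, over constructed sample records.
from collections import defaultdict

# RFC 4035 section 2.5: these may sit beside a CNAME in a signed zone.
CNAME_MAY_COEXIST_WITH = {"RRSIG", "NSEC"}

# Constructed sample mirroring the post: two-record A and PTR RRsets, no duplicates.
PIKUS = [
    ("pikus.somedomain.com.", "A", "192.168.1.1"),
    ("pikus.somedomain.com.", "A", "192.168.1.2"),
    ("1.1.168.192.in-addr.arpa.", "PTR", "pikus.somedomain.com."),
    ("1.1.168.192.in-addr.arpa.", "PTR", "filemon.somedomain.com."),
]

# Constructed sample shaped like the www.careerone.com.au case: SOA and NS
# at the same owner name as a CNAME. BIND refuses to load this.
APEX_CNAME = [
    ("www.careerone.com.au.", "SOA",
     "dns0.news.com.au. hostmaster.news.com.au. 2012082200 3600 1200 86400 1200"),
    ("www.careerone.com.au.", "NS", "usw1.akam.net."),
    ("www.careerone.com.au.", "CNAME", "www.careerone.com.au.edgesuite.net."),
]


def rrsets(records):
    """Group (owner, type, rdata) into {(owner, type): [rdata, ...]}.
    Owner names are case-insensitive; class IN is assumed throughout."""
    sets = defaultdict(list)
    for owner, rtype, rdata in records:
        sets[(owner.lower(), rtype.upper())].append(rdata)
    return sets


def check_zone(records):
    """Return a list of problems: exact duplicates within an RRset, CNAME
    RRsets with more than one record, and CNAMEs coexisting with other types."""
    problems = []
    sets = rrsets(records)
    for (owner, rtype), rdatas in sets.items():
        dups = {r for r in rdatas if rdatas.count(r) > 1}
        for d in sorted(dups):
            problems.append(f"duplicate {rtype} record at {owner}: {d}")
        if rtype == "CNAME" and len(rdatas) > 1:
            problems.append(f"{owner}: CNAME RRset has {len(rdatas)} records (singleton type)")
    for owner in sorted({o for (o, t) in sets if t == "CNAME"}):
        others = sorted(t for (o, t) in sets
                        if o == owner and t != "CNAME" and t not in CNAME_MAY_COEXIST_WITH)
        if others:
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
    return problems


if __name__ == "__main__":
    print("pikus:", check_zone(PIKUS) or "ok")
    print("apex cname:", check_zone(APEX_CNAME))
```

Run it over a zone file parsed into triples before handing the zone to a "more forgiving DNS app": the forgiving server will load it, but resolvers that follow the rules will treat the result inconsistently, as the careerone thread showed.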
Re: Transfers-out
On Jan 8, 2013, at 1:24 PM, Manson, John wrote:

> Can this option be used in a ‘slave’ config to prevent out-bound transfers?
> Transfers-out 0;
> The 9.9.2 ARM is ambiguous.

Wouldn't it be simpler to just write this instead, in your options statement?

  allow-transfer { none; };

Chris Buxton
BlueCat Networks
Re: MNAME not a listed NS record
On Jan 16, 2013, at 1:01 PM, Chuck Swiger wrote:

> On Jan 16, 2013, at 12:40 PM, Dave Warren wrote:
>> Is there anything technically wrong with having a SOA MNAME field that isn't listed as a NS record?
>
> Sure. The SOA MNAME is expected to be the "primary master" nameserver for the zone; it's where things like dhcpd and such send dynamic updates for the zone to.

No, not necessarily, not if there's no NS record for it. RFC 2136 says that the server "as given by the SOA MNAME field if matched by some NS NSDNAME" should be the preferred target of a dynamic update. That is, if the master server (as indicated by the SOA record) is not listed in an NS record as an authoritative name server, it need not be considered. However, the RFC is a bit vague on how a requestor determines (and orders) the list of authoritative name servers for a zone, and so...

- ISC DHCP sends DDNS updates to the SOA MNAME server if and only if that server is also listed in an NS record. Otherwise, it picks a name from the available NS records and sends the update there. This behavior can be overridden by a zone statement in dhcpd.conf.

- Microsoft clients send DDNS updates to various places, and will typically try multiple targets if the update is denied. I believe the order is the first configured caching resolver, the zone's MNAME field, and then any one of the servers listed in the NS RRSet. I believe the client will try three times, assuming these three cases are all different. (I'm not counting potential retries to the same target to attempt use of GSS-TSIG.)

I believe nsupdate behaves the same as dhcpd, but it's been a while since I last tested this.

Chris Buxton
BlueCat Networks
Re: private trust anchor
On Feb 10, 2013, at 3:26 PM, Evan Hunt wrote:
> Then configure the
> zones as "type forward", with "forwarders" pointing to the authoritative
> server(s) for your zones. The resolver will then forward queries for those
> names to the authoritative servers, and validate the responses.

Type forward? Really? I didn't expect that to come from someone at ISC.

Use 'type stub' instead, with a masters statement rather than a forwarders statement.

Chris Buxton
Re: Slaving from DNS masters behind LVS
On Feb 12, 2013, at 7:00 PM, Nick Urbanik wrote:
> We have a pair of DNS servers running BIND behind a direct routing LVS
> director pair running keepalived. Let's call these two DNS servers A
> and B, and the VIP V.
>
> They slave from a hidden master; let's call it M.
>
> I want to allow another machine S to slave from A and B, the pair of
> DNS servers that are behind LVS.
>
> Another machine F will forward to the DNS servers behind the load
> balancer, A and B.
>
> [There is another similar setup at another location, so there will
> be a V1 and V2, A1, A2, B1, B2; all of A1, A2, B1, B2 slave from M.]
>
> 1. Should the machine in the SOA be V, or A or B?
> 2. Should the NS records for the zones be A, B and V, or just V?
> 3. Should S slave from A and B, or should it slave from V?
> 4. Should F forward to V, or to both A and B?

Generally speaking, if you're going to use a load balancer, use it. Don't go around it. I assume your VIP will actually float between two load balancers, for redundancy.

Why is forwarding involved? Forwarding is a recursive server behavior, but your other questions relate to authoritative service. Mixing the two, especially in a high-traffic environment, is a recipe for disaster. (Not that I haven't implemented that for even very large customers -- the customer is always right unless you can convince them otherwise. Use of multiple views, with match-recursive-only enabled in one of them, can somewhat alleviate the problem.)

1. Your choice. Mine would be M. My second choice would be either V1 or V2, if there was some need to truly conceal the identity of M.
2. V1 and V2.
3. V1 and V2.
4. V1 and V2.

But as others have pointed out, unless you're getting huge numbers of queries, I wouldn't bother with load balancers for authoritative service. I would only start looking for this type of solution if 6 individual name servers were insufficient to handle the load. And in that case, my first choice would be anycast, because that also gives you geographic redundancy, routing redundancy, etc. That's how the root server clusters are set up, for the most part.

For recursive service, where clients can't be relied upon to effectively use any server beyond the first one they query, load balancers make good sense. But in that case, you (ideally) shouldn't have any zones configured on the name servers other than (possibly) RPZs, stub zones, and (if you really must) conditional forwarding zones.

Chris Buxton
BlueCat Networks
Re: SOA issue
On Feb 13, 2013, at 9:22 AM, Paul A wrote:
> Can anyone help me figure out why this SOA is not changing no matter
> what I do. The zone was edited and has a new SOA but no matter what I do bind
> doesn’t reload the zone with the new SOA. I tried rndc freeze/unfreeze and
> still nothing. Short of reloading bind what else can I do.
>
> TIA, Paul
>
> named-compilezone -o - sturdymemorial.org db.sturdymemorial
> zone sturdymemorial.org/IN: loaded serial 2013021307
> sturdymemorial.org. 86400 IN SOA
> reuben.meganet.net. postmaster.naisp.net. 2013021307 10800 3600 604800 600
> OK

Your zone only has an SOA record. A zone without NS records will not load.

If that's not really the issue, because you've edited the output above, a couple of hints:

- rndc reload is unnecessary if rndc freeze executes correctly. A dynamic zone (one that you would freeze and thaw) cannot be reloaded. Thawing the zone effectively reloads it.

- Do not edit a dynamic zone's zone file without first freezing it. Otherwise, when you freeze it, the data in memory will be written to disk, overwriting your changes.

- Are you sure you're editing the right file?

Chris Buxton
BlueCat Networks

> rndc reload sturdymemorial.org
> zone reload up-to-date
>
>
> dig @localhost sturdymemorial.org soa
>
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57470
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;sturdymemorial.org.            IN      SOA
>
> ;; ANSWER SECTION:
> sturdymemorial.org.     600     IN      SOA     reuben.meganet.net.
> postmaster.naisp.net. 2012011801 10800 3600 604800 600
>
> from the log file
>
> named[26675]: received control channel command 'reload sturdymemorial.org'
Re: Building a fresh named.root
On Feb 14, 2013, at 8:49 AM, Shawn Bakhtiar wrote:
>
> Running bind rooted on FC 16 using the standard package.
>
> The ca file is located in /var/named/chroot/var/named/named.ca
>
> The hints are not built in.
> [shawn@www ~]$ strings /usr/sbin/named | grep A.ROOT-SERVERS.NET
> returns nothing.

Yes they are. All versions of BIND since 9.3 or so have had the root hints built in. Even Red Hat's version. Unfortunately, Warren missed a trick of some sort -- I suspect that if you strip the binary, the 'strings' command won't find the values. But they're still there. Adam Tkac would not remove this from the Red Hat SRPM.

Root hints, as somebody pointed out, are just hints. There is no reason to focus on making sure they're 100% accurate. There's also no point in stripping the IPv6 addresses out of the root hints zone if you don't have IPv6 -- the real list will be fetched (by DNS query) from the servers in the hints file, including all of their IPv6 addresses.

If your DNS server doesn't have IPv6 connectivity, I have two comments for you:

- Why not? It's easy to get a tunnel, if nothing else is available.
- Start named with the -4 argument to prevent it from trying to contact IPv6 addresses.

Chris Buxton
BlueCat Networks
Re: Export / Import all zone data
On Feb 14, 2013, at 11:46 AM, Mailinglists wrote:
> I'm looking to migrate all of the zone data from one installation of Bind to
> another...hardware move. One machine is very old but running a pretty modern
> version of Bind 9.6-ESV-R8. The other server is running Bind 9.8.2 and is in
> use, so I'm merging existing zone data with new data, although none of the
> zones will overlap.
>
> The problem I see is that the actual zone files, the way they are structured,
> are in an old format. Bind 9.6 must still understand them, but I don't think
> they are structured the "proper" way. I was hopeful there was an export /
> import procedure whereby that process would sanitize the zone info and log
> any errors for manual fixing.
>
> Either this process is dead simple and so nobody documents it or it is all
> but impossible so nobody documents it...I'm not sure. But an hour of web
> searches hasn't turned up much, just lots of info about migrating to or from
> a Windows based DNS to BIND.

named-compilezone is your friend here. I use this 3 line script to sanitize inputs when I'm migrating customers from their old platform to our appliances:

#!/bin/bash
# usage: sanitize-zone ZONENAME ZONEFILE
# keep the original as ZONEFILE.orig, then write a canonical copy back to ZONEFILE
mv "$2"{,.orig}
named-compilezone -i none -k ignore -o "$2" "$1" "$2.orig"

Chris Buxton
BlueCat Networks
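The one-zone script above scales to a whole server with a small wrapper. This is an added example, not Chris Buxton's script or anything from ISC: it reads the master zones out of a named.conf (assumed layout: one "file" clause per zone statement, paths absolute or relative to the directory the script is run from), rewrites each with the same named-compilezone options, and records every zone that fails to load so it can be fixed by hand, which is the "log any errors for manual fixing" the question asked for.

```shell
#!/bin/sh
# Added example: bulk named-compilezone clean-up of every master zone in a
# named.conf before migrating the files to another BIND host.
# Assumed zone statement layout:
#   zone "example.com" { type master; file "db.example.com"; };
# "type slave" and "type hint" zones are skipped; they are re-fetched on the
# new server anyway.

# list_master_zones CONF: print "zone<TAB>file" for each master zone.
list_master_zones() {
    awk '
        # start of a zone statement: the first quoted string is the zone name
        /^[[:space:]]*zone[[:space:]]+"[^"]+"/ {
            match($0, /"[^"]+"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
            type = ""; file = ""; depth = 0
        }
        zone != "" {
            if ($0 ~ /type[[:space:]]+(master|primary)[[:space:]]*;/) type = "master"
            if (match($0, /file[[:space:]]+"[^"]+"/)) {
                file = substr($0, RSTART, RLENGTH)
                sub(/^file[[:space:]]+"/, "", file); sub(/"$/, "", file)
            }
            # count braces so a nested block (masters { ... }) does not end the zone early
            opened = gsub(/[{]/, "{"); closed = gsub(/[}]/, "}")
            depth += opened - closed
            if (depth <= 0 && opened + closed > 0) {
                if (type == "master" && file != "") printf "%s\t%s\n", zone, file
                zone = ""
            }
        }
    ' "$1"
}

# compile_zone ZONE FILE LOG: same options as the three-line script
# (-i none: no post-load checks, -k ignore: relaxed check-names).
# The canonical copy is written to FILE.new first, so a zone that fails
# to load leaves FILE untouched; on success FILE.orig keeps the original.
compile_zone() {
    zone=$1; file=$2; log=$3
    if named-compilezone -i none -k ignore -o "$file.new" "$zone" "$file" >>"$log" 2>&1; then
        cp -p "$file" "$file.orig" && mv "$file.new" "$file"
    else
        rm -f "$file.new"
        return 1
    fi
}

# sanitize_all CONF LOG: compile every master zone; print the failure count.
sanitize_all() {
    conf=$1; log=$2
    command -v named-compilezone >/dev/null 2>&1 || { echo "named-compilezone not found" >&2; return 2; }
    : >"$log"
    failures=0
    list_master_zones "$conf" >"$log.zones"
    while IFS="$(printf '\t')" read -r zone file; do
        if ! compile_zone "$zone" "$file" "$log"; then
            printf 'FAILED: zone %s file %s needs manual fixing\n' "$zone" "$file" >>"$log"
            failures=$((failures + 1))
        fi
    done <"$log.zones"
    rm -f "$log.zones"
    echo "$failures"
}

# Constructed named.conf fragment used to exercise the parser offline.
sample_named_conf() {
    cat <<'EOF'
options { directory "/var/named"; };
zone "example.com" {
    type master;
    file "db.example.com";
};
zone "example.net" { type master; file "db.example.net"; };
zone "sub.example.org" {
    type slave;
    masters { 192.0.2.1; };
    file "db.sub.example.org";
};
zone "." { type hint; file "named.ca"; };
EOF
}
```

Run it as `sanitize_all /etc/named.conf /tmp/sanitize.log` from the named working directory; the printed number is how many zones still need attention, and the log holds named-compilezone's own diagnostics for each.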
Re: Building a fresh named.root
On Feb 15, 2013, at 9:57 AM, Robert Moskowitz wrote:
> I will do some more testing with this to see if I can indeed remove the
> root.hint includes. But I have a question. I have tried to dig in my server
> for the root info like you can a root server, but obviously this is not the
> way to do it, as I get an empty list even though I know I can resolve names
> that I am not authoritative for.
>
> I tried
>
> dig +bufsize=4096 . ns @localhost
>
> (and without the bufsize) and it comes back with a warning that recursion
> requested but not available and an empty list. More interestingly is that in
> /var/log/messages it shows:
>
> named[2872]: client ::1#57049: view external: query (cache) './NS/IN' denied
>
> I would think this should go to my internal view? I even put 127.0.0.1 into
> my match-clients/destinations network list and it is still using the external
> view.

The hostname 'localhost' can mean different things to different computers. It probably means ::1 (IPv6 localhost) in this case. Try explicitly specifying the IP address rather than using the hostname.

Chris Buxton
BlueCat Networks
Re: Stop of logging of No Valid Signature Found
On Feb 25, 2013, at 8:25 PM, Robert Moskowitz wrote:
> So should I change this to an include and put dnssec-validation back to yes?

No. "dnssec-validation auto;" is correct for 90% of cases. An Internet validating resolver should almost certainly use this. Mark is simply being precise and complete in his explanation.

Chris Buxton
BlueCat Networks
Re: 3rd party CNAMEs and open recursion
On Mar 4, 2013, at 10:43 AM, Verne Britton wrote:
>
> I have been testing and testing and either just don't see what I'm doing
> wrong, or have a learning block :-)
>
> current thinking is that a open recursion DNS server is bad, so we want to
> implement an allow-recursion clause; perhaps even make some views so our
> local users still recurse while the general public cannot ...
>
> but I am running into a roadblock with our Google Apps cname:
>
> gmail.wvstateu.edu is a cname to ghs.google.com
>
> and bind wants recursion turned on in order to translate it.

Your client machines need recursive service. So give them a recursive server that can find both your internal data and Internet data. If you must do this on the same machine as hosts your authoritative data, you have a couple of choices:

1. Don't use views:

options {
    allow-recursion { your-nets-go-here; };
    [...]
};
zone "your.zone" {
    [...]
};

2. Or, use views:

options {
    [...]
};
view "recursion" {
    match-recursive-only yes;
    allow-recursion { your-nets-go-here; };
    [ ...other recursion settings... ]
};
view "authority" {
    recursion no;
    zone "your.zone" {
        [...]
    };
};

While it may seem more complex to use views, there are advantages in terms of flexibility. However, ultimately either way will probably work, at least until you start rolling out DNSSEC (at which point you will probably need to use either views or separate servers).

Chris Buxton
BlueCat Networks
Re: Blocking private addresses with a optionq
On Mar 14, 2013, at 3:29 AM, Tony Finch wrote:
> King, Harold Clyde (Hal) wrote:
>
>> Is there an option for bind like the allow-recursion { }
>> For blocking out going records of 10.0.0.0/8 and 192.168.0.0/16 so I could
>> do a view like:
>
> I'm not sure what you mean by "blocking out going records" but there are a
> couple of options that might do what you want:
>
> There is the "blackhole" acl which makes named ignore all requests and
> never send queries to a particular address range.
>
> There is the server ... { bogus yes; }; clause which stops named from
> sending queries to a particular address range.

No, I'm pretty sure the OP wants to strip records from responses if the records are A records referring to private address space (RFC 1918).

I've no idea how you would do this.

Chris Buxton
BlueCat Networks
Re: Blocking private addresses with a optionq
On Mar 14, 2013, at 9:07 AM, Niall O'Reilly wrote:
>
> On 14 Mar 2013, at 15:57, Chris Buxton wrote:
>
>> No, I'm pretty sure the OP wants to strip records from responses if the
>> records are A records referring to private address space (RFC 1918).
>>
>> I've no idea how you would do this.
>
> Other than separate views, with a "trimmed" zone in the external view?

Well, yes, if the server in question is authoritative for all the data in question. But if it's just a resolver, that may be more difficult.

Chris Buxton
BlueCat Networks
Re: Recursion issue
On Mar 28, 2013, at 7:56 AM, Manson, John wrote:
> My external authoritative dns does not allow recursion.
> We have vanity names like speaker.gov.
> When we add an entry like:
> www.speaker.gov CNAME www.house.gov
> it fails because of the recursion statement even though the external dns is
> authoritative for house.gov.
> Anyone know of a way to modify the recursion behavior since house.gov is
> already in the outhouse-view along with the vanity .gov names?
> Currently we have to use A records with the www.house.gov IP.
> Web staff and others would like to see the House server name displayed in the
> browser url bar and in dig results.

If you want the browser URL bar to change from what the user typed to "www.house.gov", you have to use an HTTP redirect. You cannot do that with DNS.

Other than that issue, what part of your current environment is not working? In your public data, I see:

www.speaker.gov.          300   IN CNAME wc.house.gov.edgekey.net.
wc.house.gov.edgekey.net. 17789 IN CNAME e4776.g.akamaiedge.net.
e4776.g.akamaiedge.net.   20    IN A     184.26.83.91

Chris Buxton
BlueCat Networks
Re: Recursion issue
On Mar 28, 2013, at 8:27 AM, Manson, John wrote:
> From the internet:
> Answer records
>
> name                class  type   data               time to live
> test.gopleader.gov  IN     CNAME  testwww.house.gov
>
> Testwww from the internet:
> Answer records
>
> name                class  type   data               time to live
> testwww.house.gov   IN     A      12.13.14.15        900s (00:15:00)
>
> So the first lookup does not fully resolve due to recursion.
> Does this help?

Yes it does. It just doesn't all get answered from the one zone. Both of your public servers, chyron and mercury, contain both zones. A non-recursive query to either of them gets both records in an authoritative answer.

$ dig test.gopleader.gov +norec @mercury.house.gov

; <<>> DiG 9.7.6-P1 <<>> test.gopleader.gov +norec @mercury.house.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26756
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.            IN      A

;; ANSWER SECTION:
test.gopleader.gov.     300     IN      CNAME   testwww.house.gov.
testwww.house.gov.      900     IN      A       12.13.14.15

;; Query time: 100 msec
;; SERVER: 143.231.1.67#53(143.231.1.67)
;; WHEN: Thu Mar 28 08:45:23 2013
;; MSG SIZE  rcvd: 80

There is no need to configure recursion on your external authoritative name servers. Other name servers will not query them recursively anyway.

I continue to fail to see the problem that you're trying to solve.

Chris Buxton
BlueCat Networks
Re: Recursion issue
On Mar 28, 2013, at 9:05 AM, Manson, John wrote:
> I disagree with your statement about recursion.
> What stops an authoritative server from doing recursion if you do not have
> the recursion statement?
> I guess the bind default is recursion yes.

OK, bad choice of words on my part. I did not mean to say that you should not set any configuration options to disable recursion, because as you said, it is on by default (but restricted, by default, to localnets and localhost).

What I meant was that there is no reason to permit recursive queries to your authoritative servers. Therefore, I would recommend turning it off using 'recursion no;' in your options or view statement.

Chris Buxton
BlueCat Networks
Re: Recursion Issue
On Mar 28, 2013, at 10:51 AM, Manson, John wrote:
> http://www.digwebinterface.com/ is one of the internet sites I use.
> http://www.digwebinterface.com/?hostnames=test.gopleader.gov&type=A&showcommand=on&colorize=on&stats=on&norecursive=on&useresolver=8.8.4.4&ns=auth&nameservers=
> __
> test.gopleader@chyron.house.gov.:
> dig A +norec test.gopleader.gov. @chyron.house.gov.
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.1 <<>> A +norec test.gopleader.gov. @chyron.house.gov.
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48126
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;test.gopleader.gov.            IN      A
>
> ;; ANSWER SECTION:
> test.gopleader.gov.     300     IN      CNAME   www.house.gov.
> www.house.gov.          900     IN      CNAME   house.gov.edgesuite.net.
>
> ;; Query time: 26 msec
> ;; SERVER: 143.228.129.38#53(143.228.129.38)
> ;; WHEN: Thu Mar 28 18:55:49 2013
> ;; MSG SIZE  rcvd: 97
>
> test.gopleader@mercury.house.gov.:
> dig A +norec test.gopleader.gov. @mercury.house.gov.
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.1 <<>> A +norec test.gopleader.gov. @mercury.house.gov.
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63565
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;test.gopleader.gov.            IN      A
>
> ;; ANSWER SECTION:
> test.gopleader.gov.     300     IN      CNAME   www.house.gov.
> www.house.gov.          900     IN      CNAME   house.gov.edgesuite.net.
>
> ;; Query time: 23 msec
> ;; SERVER: 143.231.1.67#53(143.231.1.67)
> ;; WHEN: Thu Mar 28 18:55:49 2013
> ;; MSG SIZE  rcvd: 97
> __

You've changed the record test.gopleader.gov since last I looked at it -- it's now going to Akamai.

The result shown here shows what's called a "dangling CNAME" -- your CNAME record, pointing to an outside resource. A resolving name server (one with recursion enabled) will then follow that to Akamai, giving this result:

test.gopleader.gov.      300    IN      CNAME   www.house.gov.
www.house.gov.           552    IN      CNAME   house.gov.edgesuite.net.
house.gov.edgesuite.net. 12640  IN      CNAME   a1164.g.akamai.net.
a1164.g.akamai.net.      19     IN      A       165.254.47.115
a1164.g.akamai.net.      19     IN      A       165.254.47.112

Everything is as it should be.

Chris Buxton
BlueCat Networks
Re: Forward First on Master Zone (bypass SOA)
On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
> I’ve spent hours researching a way to accomplish this without any luck. Is
> there any way to accomplish what I’m trying to do?

No, not unless you want to monkey around with static zones and $INCLUDE directives -- something like this:

Internal zone file:

$INCLUDE internal.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.internal.host    A    192.0.2.1
[...]

External zone file:

$INCLUDE external.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.external.host    A    192.0.2.254
[...]

where the *.zone.apex files look something like this:

$TTL 86400
@    SOA    [... 7 data fields ...]
     NS     ns1.example.com.
     NS     ns2.example.com.
     MX     10 mx1.example.com.

This way, you mostly maintain 3 files of DNS records for the zone -- external, internal, and common.

Note that this is not compatible with dynamic zones. If you need to support dynamic zones (and who doesn't, these days?), you're out of luck.

Chris Buxton
BlueCat Networks
Re: Dynamic Update Policy.....
On Mar 28, 2013, at 4:03 PM, Gary Greene wrote:
> I'm trying to get bind to use ddns updates for our environment, however I'm
> getting errors in the logs on the system that the host is being denied from
> making the changes.
>
> Currently, I'm only allowing certain hosts to update their records, as a test.
>
> The stanza for update-policy follows:
>
> zone "minervanetworks.com" {
>     type master;
>     notify yes;
>     update-policy {
>         grant ggreene-imac$@MINERVANETWORKS.COM ms-self * A;
>         grant cvallejo-w7-lt$@MINERVANETWORKS.COM ms-self * A;
>         grant cvallejo-test-w7-lt$@MINERVANETWORKS.COM ms-self * A;
>     };
>     file "/etc/named.d/minervanetworks.zone";
>     check-names ignore;
> };
>
> The error I see in the logs:
> Mar 28 15:57:29 ns1 named[11482]: client 10.5.1.11#52418: view internal:
> update 'minervanetworks.com/IN' denied

That log message is normal.

If you want to use GSS-TSIG, that's not going to work. I don't have a complete step-by-step of what's required, but at a minimum:

- Don't use ms-self.

- Do create a user account in AD with a service principal name that matches the hostname of the master name server as advertised in the SOA and NS records, prefixed by "DNS/". For example, "DNS/ns1.minervanetworks@minervanetworks.com". Without this, GSS-TSIG will not be attempted.

- Do not be concerned by the denied update. Every attempt to update will go something like this:

  1. SOA query for name to be updated, to recursion server.
  2. Address lookup for server listed in SOA record, to recursion server.
  3. Insecure DDNS update message to server listed in SOA record. [denied]
  4. TKEY query to server listed in SOA record, to establish a single-use shared key.
  5. Signed update message to server listed in SOA record. [approved or denied, according to policy]

> The reverse zones work, as they are setup to allow dhcpd to make the changes
> (and they work correctly), however the forward zone does not.

At a guess, you're not using GSS-TSIG for reverse record updates, correct? Is there a reason not to have DHCP update the host records as well as the reverse?

Chris Buxton
BlueCat Networks
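The five-step exchange above means one "denied" line per client is expected (step 3, the unsigned attempt) and is not by itself a problem. What does deserve a look is a client whose updates are only ever denied. The triage script below is an added example, not part of the original post: the "denied" line is the form quoted in the thread, while the success line, with "/key <signer>" after the client address, is assumed from named's update logging and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: sort named update-log lines into expected and suspicious cases.
# Per client:
#   accepted > 0                      -> ok (the signed update got through)
#   only unsigned denials             -> NO-TKEY: the client never moved on to
#                                        step 4, typically the DNS/ SPN is missing
#   a signed ("/key ...") denial      -> POLICY: a key was negotiated but the
#                                        update-policy rejects it (e.g. ms-self)

# Constructed log lines in the format quoted in the thread (denied) and the
# assumed success format (updating zone ... adding an RR).
sample_update_log() {
    cat <<'EOF'
Mar 28 15:57:29 ns1 named[11482]: client 10.5.1.11#52418: view internal: update 'minervanetworks.com/IN' denied
Mar 28 15:57:29 ns1 named[11482]: client 10.5.1.11#52419/key 1364-ms-7.49-1a2b3c.0abcd: view internal: updating zone 'minervanetworks.com/IN': adding an RR at 'ggreene-imac.minervanetworks.com' A
Mar 28 15:58:02 ns1 named[11482]: client 10.5.1.12#49801: view internal: update 'minervanetworks.com/IN' denied
Mar 28 15:58:02 ns1 named[11482]: client 10.5.1.12#49802: view internal: update 'minervanetworks.com/IN' denied
Mar 28 15:58:03 ns1 named[11482]: client 10.5.1.12#49803: view internal: update 'minervanetworks.com/IN' denied
Mar 28 15:59:10 ns1 named[11482]: client 10.5.1.13#40100/key dhcp-key: view internal: updating zone '1.5.10.in-addr.arpa/IN': adding an RR at '11.1.5.10.in-addr.arpa' PTR
Mar 28 16:01:40 ns1 named[11482]: client 10.5.1.14#40200: view internal: update 'minervanetworks.com/IN' denied
Mar 28 16:01:41 ns1 named[11482]: client 10.5.1.14#40201/key 1364-ms-7.49-5e6f7a.0abce: view internal: update 'minervanetworks.com/IN' denied
EOF
}

# update_triage [FILE...]: one line per client IP, sorted:
#   "<ip> denied=<n> signed_denied=<n> accepted=<n> <status>"
update_triage() {
    awk '
        function client_ip(line) {
            # "client 10.5.1.11#52418[/key ...]:" -> "10.5.1.11" (IPv6 works too)
            match(line, /client [^#]+#/)
            return substr(line, RSTART + 7, RLENGTH - 8)
        }
        /: update .* denied$/ {
            ip = client_ip($0); seen[ip] = 1; denied[ip]++
            # a "/key" suffix on the client field means the request was signed
            if ($0 ~ /#[0-9]+\/key /) signed_denied[ip]++
        }
        /: updating zone / {
            ip = client_ip($0); seen[ip] = 1; accepted[ip]++
        }
        END {
            for (ip in seen) {
                if (accepted[ip] > 0)           status = "ok"
                else if (signed_denied[ip] > 0) status = "POLICY"
                else if (denied[ip] > 0)        status = "NO-TKEY"
                else                            status = "ok"
                printf "%s denied=%d signed_denied=%d accepted=%d %s\n",
                       ip, denied[ip], signed_denied[ip], accepted[ip], status
            }
        }
    ' "$@" | sort
}
```

Feed it the real log with `update_triage /var/log/named/update.log` (or pipe `grep named` output into it); clients marked NO-TKEY are the ones to check for the missing DNS/ service principal, clients marked POLICY are the ones to check against the update-policy rules.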
Re: Disable logging for a view
On Mar 29, 2013, at 1:46 AM, Francesco wrote:
> Hello,
> i need to log queries into bind.log for all views except only one view (i
> call it the default view, where it logs all attacks, flood, etc.).
>
> But i noticed i can not insert logging clause into a view.
>
> Is there a way?

No.

Chris Buxton
BlueCat Networks
Re: Understanding rndc referral statistics
On Mar 29, 2013, at 8:13 AM, M. Meadows wrote:
> Thinking about this ... perhaps this is more to do with the behavior of BIND
> 9.3 versus BIND 9.7. Did the referral mechanism change? Here are my thoughts
> on the subject:
>
> Nameserver A is the authority for zone1.com and it is the authority for
> sub.zone1.com. Sub.zone1.com is delegated from zone1.com. If a query comes to
> nameserver A from a resolver asking for info about host.sub.zone1.com and the
> nameserver looks in zone1.com and sees the delegation of sub.zone1.com an
> inefficient method of handling the query would be to pass back a referral to
> sub.zone1.com (which just points back at itself). But that would work and
> would result in a referral. In a more efficient application ... the
> nameserver would recognize that the delegated authority for sub.zone1.com is
> ... itself. It would complete the query of host.sub.zone1.com and return an
> answer instead of a referral. Am I on the right track with this or just
> wasting my time with wild and inaccurate speculation?

Yeah, that's not it. I can't answer the original question, but the responses to queries in the scenario outlined are the same. BIND always returns the best answer it can. If it worked the way you were speculating (for 9.3), the BIND name server would not know that the second query was a follow up to the referral, and would process it in the same way.

Responses in this scenario would be the same (at least as far as the answer section of the response is concerned) coming from BIND 9.9, 9.3, 9.1, 8.2, or 4.9. (I can't speak for 4.8.)

Chris Buxton
BlueCat Networks
RPZ and negative answers
Can anyone explain this to me?

If a name exists in the response policy, and also exists in the real Internet namespace, the value from the policy is returned. But if it doesn't exist out on the Internet, then the value is not returned -- an NXDOMAIN (or SERVFAIL, or whatever) is returned instead.

I've known this for a while but haven't understood why it is thus. Today, it has become a problem for me. If I set a policy of "this name gets response X", I expect that policy to be used rather than "this name gets response X unless it doesn't exist out on the Internet or can't be resolved due to an error."

Chris Buxton
BlueCat Networks
Re: RPZ and negative answers
On Apr 3, 2013, at 4:13 PM, Vernon Schryver wrote:
>> From: Chris Buxton
>
>> If a name exists in the response policy, and also exists in the real
>> Internet namespace, the value from the policy is returned. But if it
>> doesn't exist out on the Internet, then the value is not returned --
>> an NXDOMAIN (or SERVFAIL, or whatever) is returned instead.
>>
>> I've known this for a while but haven't understood why it is thus.
>> Today, it has become a problem for me. If I set a policy of "this
>> name gets response X", I expect that policy to be used rather than
>> "this name gets response X unless it doesn't exist out on the
>> Internet or can't be resolved due to an error."
>
> RPZ stands for "response policy zone" and concerns rewriting responses
> instead of queries. The answer section of an NXDOMAIN or SERVFAIL
> response does not contain a domain name that could trigger rewriting.
>
> Rewriting queries instead of responses would fail to rewrite CNAME
> chains.

Thanks for the explanation. It seems to me this is a gap in coverage of RPZ -- the algorithm should be updated, in my opinion, to cover the case of a negative answer.

Chris Buxton
BlueCat Networks
Re: RPZ and negative answers
On Apr 4, 2013, at 1:42 AM, Phil Mayers wrote:
> On 04/04/2013 12:50 AM, Chris Buxton wrote:
>
>> Thanks for the explanation. It seems to me this is a gap in coverage
>> of RPZ -- the algorithm should be updated, in my opinion, to cover
>> the case of a negative answer.
>
> AIUI it's a deliberately limited mechanism aimed at preventing resolution of
> harmful domains; NODATA/NXDOMAIN rewriting has caused enough controversy in
> the recent past that I can understand there being reluctance to extend RPZ to
> do it.
>
> Can you comment on the use-case?

Sure. Here's an example.

A company wants to halt the spread of a piece of malware that uses DNS lookups to find its C&C. The malware is known to try computed domain names successively until one resolves, and then connect to the resolved address. The company has set up a honeypot server to control the malware and keep it quiescent.

The company has determined the first N domains of the sequence, but does not know how to calculate the complete set of domains. Therefore, the company wants to put the known domains into an RPZ. Normal, individual zones would also work, but this would require mixing them with other data in their management system. The customer wants to keep these domains separate from other managed data.

Unfortunately, because RPZ doesn't return a policy-based answer when there is no positive answer to be found out on the Internet, RPZ is not a suitable solution. Therefore, the customer is forced to create the individual zones normally, mixing them with other data in their management solution, rather than using RPZ to trap the malware into contacting the honeypot server.

Chris Buxton
BlueCat Networks
Re: BIND 9.4.x and check-names
On Apr 17, 2013, at 8:58 AM, Matus UHLAR - fantomas wrote:
> On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
>> default.log:12-Apr-2013 00:45:37.447 general: warning: zone
>> /IN: gc._msdcs./A: bad owner name (check-names)
>> default.log:12-Apr-2013 00:45:37.447 general: warning: zone
>> /IN: gc._msdcs./A: bad owner name (check-names)
>
> Hmm, aren't those supposed to be SRV records?

No, they are the addresses of the global catalog servers. If they were SRV records, check-names would not complain.

Chris Buxton
Re: Mirror Masters
On Apr 23, 2013, at 2:01 PM, Manson, John wrote:
> We have a second master at a different location and I was wondering if there
> is any way to have the first master send db file updates to it using file
> transfers like it does to the slaves.
> We currently do db file transfers between masters with sftp and would like to
> stop using OS processes and have it done within named, if possible.
> The second master is exactly like the first master including front-side IP,
> dns traffic router-separated from the first master, and the script we use for
> DB maintenance in a fail-over scenario.
> Both masters' file transfer IPs are different and are listed in all slaves so
> they get notifies from both.
> I’m guessing it has to do with being master for a zone and not acting on
> notifies it may receive.

Make it a slave, using text format instead of raw format. Then in the event of a disaster, change all the zone statements from slave to master. That way, you won't be dependent on OS processes for transferring and synchronizing the data between the two masters.

Your other choice is to use rsync to synchronize files between the two masters, perhaps as a cron job.

Chris Buxton
Re: Mirror Masters
On Apr 24, 2013, at 2:21 PM, Manson, John wrote:

> Works great. Got the conf file down to about 12 lines (only transferring 1
> zone file for test).
> Only problem is the file is in slave format.
> Is the master going to have a problem sending the db.x.bak to slaves?
> When a slave receives the transferred file, will it do the slave conversion
> to the file which is already in slave format?

Please explain what you mean by "slave format". Do you mean binary (raw) format, or just formatted differently as a text file? (Different versions of BIND behave differently.)

Please keep in mind that a zone transfer between DNS servers is not a file transfer. The master does not send a file to the slaves. It sends DNS records, in binary (DNS protocol) format.

Chris Buxton
Re: ISC Courses
On Apr 27, 2013, at 4:18 AM, Alan Clegg wrote:

> On Apr 27, 2013, at 11:36 AM, SUNDAY A. OLUTAYO wrote:
>
>> ISC should consider online training too, the same as the Linux Foundation has done.
>
> As one of the ISC instructors, I will say that our classes are highly
> interactive, both student-to-instructor and in the lab experience provided.
>
> I have yet to find any online training that comes close to what we provide in
> person.

Agreed. Having given training both live and online, I can say that the online version was highly inferior to the live class. When I taught DNS and BIND courses for Men & Mice, the live interaction was a key component of the value of the class. You just don't get that remotely.

Chris Buxton
Re: How does bind select what master to use?
On Apr 27, 2013, at 5:52 AM, Matus UHLAR - fantomas wrote:

> On 27.04.13 01:03, Kevin Morgan wrote:
>> Does it use an algorithm to determine the best server to use or does
>> it try the masters in the order they are listed? I am wondering if
>> listing the masters in a different order can optimize the performance
>> of bind.
>
> AFAIK:
> BIND keeps track of servers accessible and their RTT. It tends to prefer
> the one with shortest RTT but occasionally re-tries (RTT can change over
> time). If notice comes, BIND tends to prefer server that has sent it.

If you're talking masters, as in the BIND server is a slave refreshing from its masters, then I don't believe that's correct. I believe it compares the serial numbers retrieved from each and prefers the one with the highest value.

If you're talking about forwarding to forwarders, then yes, RTT is used.

If you're talking about recursion, then yes, RTT is used.

Chris Buxton
Re: NS geo-distribution
On Apr 29, 2013, at 9:01 PM, Dave Warren wrote:

> With the vast majority of our customers being in North America (probably 75%
> of users are in Canada), would it make sense to add a Europe based NS or
> would this tend to return slower results on average since a potential user
> would have a 1/3 chance of hitting a NS with a higher latency?

RTT means almost always hitting the fastest server.

Chris Buxton
Re: Mailing list "reply-to" setting
On May 9, 2013, at 4:02 PM, Carlos M. martinez wrote:

> My mail setup is as limited as my eyesight. As I mentioned, I have
> emails in my inbox and filter afterwards in order to keep mbox size at
> reasonable levels. In this way I don't forget to check this or that folder.

I'm sorry, but I have to ask. Does your mail client not download all your mail and show you which mailboxes have new messages? I can't conceive of using a mail client that doesn't do this -- without it, automated filtering is useless, because as you said you would have to check every folder to see if there are new messages in it.

My mail client shows the number of unread messages next to each mail folder, except for those that have no unread messages. I do not have to click on each folder to cause this to happen.

Regards,
Chris Buxton
Re: Negative zones; NXDOMAIN responses
On May 20, 2013, at 12:51 AM, Narcis Garcia wrote:

> - Yes, I thought about not using DNS from the same internet provider,
> but wanted to know if there is a way to patch only the .local response.
>
> - This is the configuration I use in one of the LANs:
>
> view "local-nets" {
>     match-clients { acl_local-nets; };
>     recursion yes;
>     forwarders {
>         62.151.2.8;
>     };
>     include "/etc/bind/named.conf.default-zones";
> }
>
> - These are the tests to be done from a client:
> $ host -t SOA local.
> $ host -t SOA local. 62.151.2.8
>
> - I've tried to create an empty zone, or lacking of A or SOA records,
> but then BIND9 doesn't load it:
> zone local/IN: has 0 SOA records
> zone local/IN: has no NS records
> zone local/IN: not loaded due to errors.
>
> - I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
> to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
> But I'm not sure if it's useful for SOA records.

For the time being, .local is not delegated from the root. So just not using your ISP's resolvers will do what you want -- recurse directly to the Internet.

There is no way to create an empty .local zone that won't have even an SOA record.

I'm not sure if you could do this via RPZ -- probably -- but why bother when you could just remove your ISP's servers from the equation?

Regards,
Chris
Re: any requests
If you have mail relays acting this way, you'd better give them a dedicated DNS server to use for recursive lookups, because otherwise that's going to periodically fail. If a host has both an MX record and an A record, and if the A record is in cache, the ANY lookup will just get the A record, not the MX record. And that represents a failure of the SMTP protocol implementation.

Chris Buxton

On Jun 3, 2013, at 3:42 PM, Leonard Mills wrote:

> If some of your clients are SMTP relays, then ANY is the default lookup
> for an MX and is perfectly normal.
>
> Much better from the point of view of the mail servers to do one lookup
> instead of several.
>
> Len
>
>
> From: hugo hugoo
> To: Vernon Schryver ; "bind-users@lists.isc.org"
> Sent: Monday, June 3, 2013 12:26 PM
> Subject: RE: any requests
>
> Hello,
>
> Thanks for your answer.
> I see ANY queries from my clients (we do not use open resolvers)
>
> I do not see why these kinds of queries are present.
> Moreover, the cache servers only answer with their cache content.
> Is this normal or must the cache query the authoritative server to fetch all
> the records?
>
> Hugo,
>
> > Date: Sun, 2 Jun 2013 22:13:33 +
> > From: v...@rhyolite.com
> > To: bind-users@lists.isc.org
> > Subject: Re: any requests
> >
> > > From: Matus UHLAR - fantomas
> >
> > > > On 02.06.13 20:28, hugo hugoo wrote:
> > > > > I plan to block these kind of requests on the dns cache servers in order
> > > > > to
> > > > > avoid any amplification attack.
> >
> > > hard to say, but as I stated before: don't do that.
> >
> > Instead, use RRL to mitigate many kinds of amplification attacks instead
> > of only those using ANY. See http://www.redbarn.org/dns/ratelimits
> >
> > Blocking DNS ANY requests is to DNS amplification DoS mitigation as
> > blocking SMTP envelope Mail_From values of <> is to spam filtering.
> > In early spam days, people who either knew far less than they pretended
> > or had special agendas prescribed blocking the <> sender as almost the
> > FUSSP, and never mind RFCs that require accepting mail from <>, the
> > value of mail from <>, and the vast floods of spam that don't and
> > never did involve the <> sender.
> >
> > Blocking DNS ANY or SMTP <> fit the old saying by H. L. Mencken:
> > For every complex problem there is an answer that is clear,
> > simple, and wrong.
> >
> >
> > Vernon Schryver v...@rhyolite.com
Re: any requests
On Jun 5, 2013, at 11:59 AM, Doug Barton wrote:

> On 06/05/2013 11:33 AM, Tony Finch wrote:
>> I believe the ANY hack on mail servers was a Sendmailism 20ish years ago.
>
> s/Send/q/

That makes even more sense. DJB always thinks he knows best.
Stub zones vs minimal responses
I'm seeing something I didn't expect in BIND's behavior, and I wanted to get confirmation from someone that this is expected, or at least a known limitation.

If an authoritative server is configured to send minimal responses, will a stub zone get all the necessary data from that server? What I'm seeing is, the recursive server sends an SOA query; the response contains only the SOA record, and no NS or A records. The recursive server doesn't follow up with an NS record query, and therefore the stub zone fails. Queries to the recursive server for data in that zone get a SERVFAIL response.

Am I understanding the evidence correctly?

Regards,
Chris Buxton
Re: Stub zones vs minimal responses
On Jun 12, 2013, at 5:23 AM, Tony Finch wrote:

> Chris Buxton wrote:
>>
>> If an authoritative server is configured to send minimal responses, will
>> a stub zone get all the necessary data from that server? What I'm seeing
>> is, the recursive server sends an SOA query; the response contains only
>> the SOA record, and no NS or A records. The recursive server doesn't
>> follow up with an NS record query, and therefore the stub zone fails.
>> Queries to the recursive server for data in that zone get a SERVFAIL
>> response.
>
> Does the authoritative server answer queries over TCP? After making the
> SOA query to refresh a stub zone, BIND calls ns_query() in lib/dns/zone.c
> which always uses TCP.

Interesting. I'll look into that. Thanks, Tony.

Regards,
Chris Buxton
Re: What happens when one out of three NSs are down?
On Jun 11, 2013, at 4:12 PM, Gary Wallis wrote:

> DNS experts:
>
> What really happens in the real world when 1 out of three authoritative NSs
> are down for 30 minutes due to a datacenter outage?
>
> For example, we have 3 NSs:
>
> ns1.someisp.net 12.23.34.45
> ns2.someisp.net 23.34.45.56
> ns3.someisp.net 34.45.56.67
>
> All in different datacenters.
> All are authoritative for a given zone.
> All have the same zone data and SOA serial number for the zone.
>
> Where the datacenter handling ns3 broke routing (mistake in new router
> configuration) for 34.45.56.0/24 and ns3 is no longer reachable.
>
> I think I have a grasp on the basic theory here, but in practice, the
> unreachable ns3 nameserver creates problems for a small group of customers
> trying to reach web sites with zones hosted by these three authoritative NSs.
>
> Will round robin glue NS records help?
>
> Can quick or automated changes at the registrar of the NS3 IP help? For
> example to change to a hot spare in some other datacenter? In this case would
> the running NSs have to have the changed NS A record also match?
>
> Any comments and best practice solution info very welcome.

You might consider using anycast to route around the problem.

In practice, though, your best bet is to find out why that small group of customers are having problems. Are they querying the servers directly?

Chris Buxton
Re: SPF record with include:
On Jun 20, 2013, at 7:30 PM, Julie Xu wrote:

> Hi Steven, Jason, Ged and Bind expert
>
> Thanks for the reply. It is great help.
>
> However, I need ask more.
>
> For this include clause to be added in, I have also need to add DKIM records.

SPF and DKIM are unrelated. There is no way to reference DKIM records inside your SPF records.

Chris
Re: bind 2.1a3 on centos 6.4
On Jun 22, 2013, at 12:50 PM, "Lawrence K. Chen, P.Eng." wrote:

> Or don't use nslint?

+1

Use 'named-checkconf -z' instead. Or run it without '-z', and then use 'named-checkzone' against each zone file, with suitable options to tweak the tests to meet your needs.

Chris
Re: bind 2.1a3 on centos 6.4
On Jun 24, 2013, at 10:09 AM, Brian Cuttler wrote:

> On Mon, Jun 24, 2013 at 09:40:36AM -0700, Chris Buxton wrote:
>> On Jun 22, 2013, at 12:50 PM, "Lawrence K. Chen, P.Eng." wrote:
>>
>>> Or don't use nslint?
>>
>> +1
>>
>> Use 'named-checkconf -z' instead. Or run it without '-z', and then use
>> 'named-checkzone' against each zone file, with suitable options to tweak the
>> tests to meet your needs.
>
> Used that a bit on one of my Solaris boxes, I recall it was very
> handy for pinning down a syntax issue I had and couldn't find, but
> I didn't discover a way to use it to check for A/PTR record pairs.

Ah, yes, that is an uncommon requirement and is not covered by the BIND tools. (Underscores in names are covered.) If you can't get nslint to work, it's pretty simple to write a perl script to check A/PTR (and /PTR) correlation and also run named-checkzone against each zone.

Chris
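An added example, not from the thread and not one of the BIND tools, covering both points raised in this thread and in the check-names exchange earlier on this page: a small zone lint that (a) emulates check-names, which applies the hostname rule (letters, digits, hyphen) to the owner names of A/AAAA records but not to SRV owners, so `gc._msdcs` is flagged only when it carries an A record; and (b) checks A/PTR correlation between a forward and a reverse zone, which named-checkzone does not do. It is written in Python rather than the Perl the reply mentions. The two zone files are constructed; `example.test` and the 192.0.2.0/24 addresses are placeholders.

```python
import ipaddress
import re

# Constructed forward zone: one underscore owner with an A record (flagged by
# check-names), one SRV owner with underscores (allowed), and one host with no PTR.
FORWARD_ZONE = """\
$ORIGIN example.test.
host1      IN A   192.0.2.10
host2      IN A   192.0.2.11
gc._msdcs  IN A   192.0.2.12
_ldap._tcp IN SRV 0 100 389 host1.example.test.
orphan     IN A   192.0.2.13
"""

# Constructed reverse zone: matches the first three hosts and carries one stale PTR.
REVERSE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
10 IN PTR host1.example.test.
11 IN PTR host2.example.test.
12 IN PTR gc._msdcs.example.test.
20 IN PTR ghost.example.test.
"""

HOSTNAME_LABEL = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$')
HOST_TYPES = {"A", "AAAA"}  # types whose owner name check-names treats as a hostname


def parse_zone(text):
    """Minimal parser for one-record-per-line zone data: (owner_fqdn, type, rdata)."""
    origin, records = ".", []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts = line.split()
        owner, rest = parts[0], [p for p in parts[1:] if p.upper() != "IN"]
        if rest and rest[0].isdigit():  # optional TTL field
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        records.append((fqdn, rtype, rdata))
    return records


def check_names(records):
    """Owners of hostname-bearing records whose labels break the hostname rule."""
    bad = []
    for fqdn, rtype, _ in records:
        if rtype in HOST_TYPES:
            labels = fqdn.rstrip(".").split(".")
            if not all(HOSTNAME_LABEL.match(label) for label in labels):
                bad.append(fqdn)
    return bad


def ptr_name(addr):
    """Reverse-mapping owner name for an IPv4 or IPv6 address, as a FQDN."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def check_ptr_correlation(forward, reverse):
    """(A/AAAA records with no matching PTR, PTR records with no matching A/AAAA)."""
    a_pairs = {(ptr_name(rdata), fqdn) for fqdn, rtype, rdata in forward if rtype in HOST_TYPES}
    ptr_pairs = {(fqdn, rdata) for fqdn, rtype, rdata in reverse if rtype == "PTR"}
    missing_ptr = sorted(fqdn for _, fqdn in a_pairs - ptr_pairs)
    stale_ptr = sorted(owner for owner, _ in ptr_pairs - a_pairs)
    return missing_ptr, stale_ptr


if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    print("check-names failures:", check_names(fwd))
    print("A without PTR / PTR without A:", check_ptr_correlation(fwd, rev))
```

The correlation check compares (reverse owner, target name) pairs, so a PTR that points at the wrong host shows up as both a missing PTR and a stale PTR, which is the case worth catching.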
Re: Answers from cache or authority section?
On Jun 25, 2013, at 7:32 AM, John Horne wrote:

> Hello,
>
> I am having a bit of trouble understanding what happens when, in this
> instance, a DNS reverse lookup occurs. Our site has the class-C
> 141.163.0.0 address range. If I perform reverse lookups from inside or
> outside our site, then they seem to work fine. However, we are currently
> investigating a problem an external site has with reverse lookups of our
> IP addresses.
>
> If I run (externally):
>
>     dig 141.in-addr.arpa ns
>
> then 6 NS records are returned. If I query any one of those using:
>
>     dig +norecurse 163.141.in-addr.arpa ns @tinnie.arin.net
>
> (using 'tinnie' in this example) then I get our 4 NS records relating to
> our local and remote name servers:
>
> ==
> ;; AUTHORITY SECTION:
> 163.141.in-addr.arpa. 172800 IN NS dns2.cis.strath.ac.uk.
> 163.141.in-addr.arpa. 172800 IN NS dns1.cis.strath.ac.uk.
> 163.141.in-addr.arpa. 172800 IN NS dns1.plymouth.ac.uk.
> 163.141.in-addr.arpa. 172800 IN NS dns0.plymouth.ac.uk.
> ==
>
> There is no ANSWER section, but a referral to the servers listed in the
> AUTHORITY section.
>
> So, I assume that at this point the name server used by a resolver will
> now cache those NS records. As such, any subsequent reverse lookup for a
> 141.163.x.x address should use one of the above cached name servers and
> get an answer.

Your assumption is incorrect. The delegation will only be cached until a more reliable rrset is found -- the NS records returned by your servers (more reliable because of the 'aa' flag).

You already know the solution. Don't publish internal-only name servers to the public.

You can do any of the following to fix this:

- Turn on minimal responses on all 4 name servers listed in the referral from ARIN (but this can have undesirable side effects)
- Use two views (but this can cause lots of extra work)
- Publish your external name servers internally (but this can require firewall changes)
- Make your internal name servers reachable from the Internet

Regards,
Chris Buxton
BLUECAT
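The cache behaviour the reply relies on, as an added example that is not part of the thread and not BIND's implementation: a toy resolver cache that ranks RRsets by where they came from, in the order RFC 2181 section 5.4.1 gives, so a referral NS set is overwritten by the NS set the zone's own servers return with the aa flag, and a later referral cannot downgrade it again. The referral NS names are the four from the dig output above; the extra internal-only server name `ns-internal.example.invalid.` is a constructed assumption standing in for whatever the zone itself publishes.

```python
# Trust levels in increasing order, following RFC 2181 section 5.4.1:
# additional section < referral (non-authoritative authority section)
# < authority section of an aa answer < answer section of an aa answer.
TRUST_RANK = {"additional": 1, "referral": 2, "auth_authority": 3, "auth_answer": 4}


class TrustRankedCache:
    """Keeps one RRset per (name, type); only equal-or-higher trust may replace it."""

    def __init__(self):
        self._rrsets = {}  # (name, type) -> (trust, tuple of rdata)

    def store(self, name, rtype, rdatas, trust):
        key = (name.lower(), rtype.upper())
        current = self._rrsets.get(key)
        if current is not None and TRUST_RANK[current[0]] > TRUST_RANK[trust]:
            return False  # lower-trust data never overwrites higher-trust data
        self._rrsets[key] = (trust, tuple(sorted(rdatas)))
        return True

    def lookup(self, name, rtype):
        entry = self._rrsets.get((name.lower(), rtype.upper()))
        return None if entry is None else entry[1]


ZONE = "163.141.in-addr.arpa."

# The NS set ARIN's server hands out in its referral (from the dig output above).
REFERRAL_NS = [
    "dns2.cis.strath.ac.uk.", "dns1.cis.strath.ac.uk.",
    "dns1.plymouth.ac.uk.", "dns0.plymouth.ac.uk.",
]
# Constructed assumption: the zone's own servers answer with aa set and publish
# one more, internal-only name server; the name is a placeholder.
AUTHORITATIVE_NS = REFERRAL_NS + ["ns-internal.example.invalid."]


def replay():
    """Store the referral, then the aa NS set, then a later referral; report the outcome."""
    cache = TrustRankedCache()
    cache.store(ZONE, "NS", REFERRAL_NS, "referral")               # from the delegation
    cache.store(ZONE, "NS", AUTHORITATIVE_NS, "auth_authority")    # from an aa answer
    downgraded = cache.store(ZONE, "NS", REFERRAL_NS, "referral")  # later referral: refused
    return cache.lookup(ZONE, "NS"), downgraded


if __name__ == "__main__":
    ns_set, downgraded = replay()
    print("cached NS set:", ns_set)
    print("later referral replaced it:", downgraded)
```

Once the internal-only server is in the cached NS set, a resolver outside the site will keep trying it for part of its queries, which is where the external site's failures come from.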
Re: BIND Service Hung
On Jul 2, 2013, at 7:33 PM, Arie Lendra Putra wrote:

> PS: sometimes this happens when our upstream is down, many unanswered DNS
> request sometimes trigger named not responding.

Stop forwarding. Do your own recursion.

Regards,
Chris Buxton
Re: BIND Performance with Huge RPZ
On Jul 12, 2013, at 3:11 AM, Arie L. Putra wrote:

> We are building a server for recursive DNS Server, this server will be acted
> as a cache for our network. (several user-side DNS Server will forward to
> this server)
> Using Ubuntu Server with latest BIND version, we are trying to have RPZ
> included in this BIND, with around 800k blacklisted sites.
>
> Does anyone have experience of how RPZ with a huge list will impact BIND
> performance? Will it reduce DNS response time? We have six DNS servers that
> will point to this server, each server is serving about 15Mbps of DNS Traffic
> on peak hour.
>
> This server is a Ubuntu box with 2 Xeon (total of 12 core, 24 if include HT),
> 16GB RAM.

I've seen well over 1 million entries in an RPZ. The performance impact with BIND 9.8 was noticeable but not horrible. The memory requirements were roughly 300 MB for this one zone, compared to over 3 GB for the equivalent in the form of somewhere north of 500 thousand individual zones (two A records each, for the zone apex and a wildcard, all loading from the same file).

I'm not used to considering DNS traffic in terms of Mb/s (nor MB/s). I'm more used to considering q/s. The servers with the aforementioned RPZ each handled a relatively large number of queries, possibly as high as 20Kq/s.

In my experience, it's impossible to know how a given server will perform without seeing all of the configuration, as lots of configuration settings can impact performance. One such example is query logging to file (instead of to syslog), which can completely gut performance.

Regards,
Chris Buxton
BLUECAT
Re: bind classless slave from microsoft dns classful SOA?
On Jul 12, 2013, at 9:09 AM, Michael Hare wrote:

> Bind-users;
>
> I have been asked to slave a /24 from a microsoft SOA, however, their
> authority for the /24 is false in that they really only have authority to
> 192/26.
>
> Am I correct in that there is no way to slave said zone [x.y.z.in-addr.arpa]
> but serve it as a different zone [192/26.x.y.z.in-addr.arpa] without relying
> on some outside scripts to do the translation?

Yes, that is correct. A zone is itself, not some other zone. A slave's job is to faithfully reproduce the zone as published by its master server.

Were I you, I would refuse to slave the /24 reverse zone.

Regards,
Chris Buxton
BLUECAT
Re: New warning message...
On Jul 22, 2013, at 1:24 PM, Barry S. Finkel wrote:

> On 7/22/2013 11:17 AM, bind-users-requ...@lists.isc.org wrote:
>> This was discussed here already, and imho this is anti-spf bullshit like
>> all those "spf breaks forwarding" FUD. The SPF RR is already here and is
>> preferred over TXT that is generic RR type, unlike SPF.
>>
>> On 22.07.13 08:50, Barry S. Finkel wrote:
>>> It is not Fear, Uncertainty, and Doubt that "SPF breaks forwarding".
>>> SPF *DOES* break forwarding.
>>
>> No, it does not. If a mail gets delivered to address, which is sending it
>> further ("forwarding it"), the envelope sender has to be changed, because
>> it's not the original sender who sends the another mail. Forwarding without
>> changing envelope address is already broken, it's just people don't care
>> without SPF.
>>
>>> I have a case I am researching right now
>>> where forwarded mail is undeliverable due to SPF checking at the
>>> new destination.
>>
>> Rewrite the sender's address. You have more choices, SRS is one of them.
>>
>> -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>
> I have no control over what my Mail User Agent does. And a quick reading
> of section 3.6.6 of RFC 5322 does not tell me what is the correct action
> on a forwarded message:
>
> 1) Change the "From:" address, or
>
> 2) Keep the "From:" address.
>
> My MUA, Thunderbird, does 1). And I do not see any configuration
> option. I am not sure which action is "correct".
>
> I do not know what implications for forwarding SMTP (RFC 5321) has.

Do not be confused by the From: address shown by your mail client. That is not the envelope sender.

Chris
Re: bind9 and logrotation
On Jul 29, 2013, at 3:09 PM, Christoph Anton Mitterer wrote:

> Is there a clean way to have bind9 reopening its logfiles, in order to
> allow clean log rotation?

No.

> If not, could that be implemented?

Send a feature request to ISC, or write it in yourself and maintain a patch.

Of course you know logrotate can truncate files rather than renaming them, after first copying their contents, but this leaves a small window for lost log messages.

You can also configure logrotate to work with the inactive log files created by BIND's own logging facility. That is, let BIND write and rotate log files, but then process them with logrotate afterward.

Another option is to send all log messages through syslog, which allows for:

- asynchronous (batched) file writing
- all kinds of other, more advanced features that BIND doesn't support natively

Regards,
Chris Buxton
Re: BIND 9.8.1-P1: 'make test' fails
On Aug 20, 2013, at 5:11 AM, Niall O'Reilly wrote:

> On 22 Nov 2011, at 11:24, Niall O'Reilly wrote:
>
>> For quite a few years, I have habitually run 'make test' after building BIND
>> from sources. I'm seeing a failure with 9.8.1-P1, and wonder whether
>> anyone else is also.
>
> [By way of putting this to bed, at last ...]
>
> Updating the Perl module Net::DNS to a recent version seems to be
> what is needed to make the test which was failing (labelled 'xfer')
> run successfully.
>
> I don't know the cut-off point between 'old' and 'recent' version
> of Net::DNS. I've had success with 0.65 and 0.66; current is 0.72.
> An 'old' version will cause the 'xfer' test to fail in BIND releases
> subsequent to 9.8.1-P1, including current releases.

There is a mailing list for Net::DNS.

List-Subscribe: <https://www.nlnetlabs.nl/mailman/listinfo/net-dns-users>,
<mailto:net-dns-users-requ...@nlnetlabs.nl?subject=subscribe>

That said, there was a discussion last December about what has changed since Net::DNS was taken over by a new maintainer, meaning post-0.68. A small number of quite disruptive changes were made in 0.69.

Regards,
Chris Buxton
Re: the location of dig and named
On Aug 28, 2013, at 2:35 PM, Nidal Shater wrote:

> when I typed dig or named ,,, what is the location of the executable program
> dig and named is ?

Your answer can be found with this command, available on many operating systems:

    which dig

or:

    which named

Regards,
Chris Buxton
Re: Problem with "authoritative answer"
On Sep 11, 2013, at 8:11 AM, Brian Cuttler wrote:

> We have remapped some of our DNS clients to point to another
> DNS resolver, one that we do not control, but that has "forwarder"
> records in place to point our domain's address resolution requests
> back to an authoritative server in our domain.
>
> Dig is showing authoritative answer when I query my domain's server
> for an address that I own.
>
> Dig is NOT showing authoritative when I query the other domain's server.
>
> I'd have thought that the forwarded request, coming from my server,
> would have resulted in an authoritative reply.

When you query a non-authoritative server, such as one configured to forward the query to another server, the result is supposed to be marked non-authoritative. That's the point of the 'aa' flag. Not all name servers behave this way, but they are supposed to. BIND 9 behaves correctly.

Regards,
Chris Buxton
Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)
On Sep 23, 2013, at 7:59 AM, Vernon Schryver wrote:

> From: Eliezer Croitoru
>
>> I was looking for something like that but I am sure a dynamic DB is
>> needed for the task right?
>
> Large DNSBLs are not very dynamic, because they have relatively few
> changes per day. From another perspective, with the popularity of
> dynamically updating forward and reverse DNS zones as end-user IP
> addresses changes, why isn't the machinery in any full featured
> DNS implementation a "dynamic DB"? The term "database" should not
> imply "sql" or even "relational."

Indeed, a DNS server is a type of database server. The DNS is a large distributed database.

Regards,
Chris
Re: 9.9.4 Bug Fixes - RT #34583
On Sep 21, 2013, at 8:35 AM, Steve Arntzen wrote:

> Good morning/day/evening.
>
> What exactly does "beneath" mean in the following line from the 9.9.4
> bug fixes?
>
> "Fix forwarding for forward only "zones" beneath automatic empty zones.
> [RT #34583]"

"Beneath" in this case refers to the namespace tree diagram. Think of an upside-down tree structure, with the root at the top. Then "10.in-addr.arpa" is beneath "in-addr.arpa", and (more importantly in this case, as Evan pointed out) "100.10.in-addr.arpa" is beneath "10.in-addr.arpa".

Regards,
Chris
Re: RPZ help on BIND
Babu Dheen,

The stanza you quoted will get you the zone. It appears to be correct syntax. If you’re using views, put this inside a view; otherwise, put it at the global level.

It will not create a response policy based on the zone. You have to do that yourself. Examples are in the BIND v9 Administrator Reference Manual, assuming your copy of the ARM is up to date and you’re using a relatively recent version of BIND.

The file 'dbx.rpz.spamhaus.org' will contain a copy of the response policy zone. Again, configuring named to use this as the basis for a response policy requires extra configuration. I don’t know the purpose of this RPZ, so I can’t give you the exact syntax. Perhaps someone from Spamhaus can help you with that.

I don’t have enough context to answer your question about a whitelist. Perhaps someone else can help you with that.

Regards,
Chris Buxton

On Dec 23, 2013, at 5:11 AM, babu dheen wrote:

> Dear All,
>
> My BIND DNS server is authorized to use spamhaus RPZ service and spamhaus
> official team requested me to paste below configuration line in
> /etc/named.conf file. Since I am new to RPZ and BIND, kindly help me to
> enable this feature.
>
>
> zone "rpz.spamhaus.org" {
>     type slave;
>     file "dbx.rpz.spamhaus.org";
>     masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
>     allow-transfer { none; };
>     allow-query { none; };
> };
>
> My question is:
>
> 1. If I paste the above line alone in the /etc/named.conf file, will it work?
>
> 2. What will be the content of dbx.rpz.spamhaus.org file ?
>
> 3. How to maintain the local whitelist policy?
>
>
> Regards
> Babudheen
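The gap the reply points out, as an added example that is not part of the thread and not BIND's or Spamhaus's own material: a small named.conf lint that finds zones declared the way RPZ feeds are (with `allow-query { none; }`) that no `response-policy` statement references, so they load but are never consulted. The first configuration is the stanza from the question, unchanged; the second adds the `response-policy` statement that wires it in, plus a local whitelist zone (`whitelist.rpz.local` and its file name are placeholders) listed first with `policy passthru`, which is one common way to handle local exceptions since policy zones are consulted in the order listed.

```python
import re

# The zone stanza as posted in the question above, unchanged.
CONF_AS_POSTED = """\
zone "rpz.spamhaus.org" {
    type slave;
    file "dbx.rpz.spamhaus.org";
    masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
    allow-transfer { none; };
    allow-query { none; };
};
"""

# Constructed: the same stanza plus a local whitelist zone (placeholder name and
# file) and the response-policy statement that turns both into active policy.
# Policy zones are consulted in the order listed, so the local zone goes first.
CONF_WIRED = CONF_AS_POSTED + """
zone "whitelist.rpz.local" {
    type master;
    file "db.whitelist.rpz.local";
    allow-query { none; };
};

options {
    response-policy {
        zone "whitelist.rpz.local" policy passthru;
        zone "rpz.spamhaus.org";
    };
};
"""

ZONE_STMT = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.DOTALL)
POLICY_BLOCK = re.compile(r'response-policy\s*\{(.*?)\};', re.DOTALL)
POLICY_ZONE = re.compile(r'zone\s+"([^"]+)"')


def declared_zones(conf):
    """Zone name -> statement body for every zone statement in the config."""
    return {m.group(1): m.group(2) for m in ZONE_STMT.finditer(conf)}


def policy_zones(conf):
    """Zone names listed in response-policy statements, in the order they apply."""
    names = []
    for block in POLICY_BLOCK.finditer(conf):
        names.extend(POLICY_ZONE.findall(block.group(1)))
    return names


def unwired_policy_zones(conf):
    """Zones that look like RPZ feeds (allow-query { none; }) but are referenced by
    no response-policy statement: loaded and transferred, never consulted."""
    wired = set(policy_zones(conf))
    return sorted(name for name, body in declared_zones(conf).items()
                  if re.search(r'allow-query\s*\{\s*none\s*;\s*\}', body) and name not in wired)


def undeclared_policy_zones(conf):
    """Names in response-policy with no matching zone statement (named will not load)."""
    declared = set(declared_zones(conf))
    return [name for name in policy_zones(conf) if name not in declared]


if __name__ == "__main__":
    print("as posted, unwired:", unwired_policy_zones(CONF_AS_POSTED))
    print("wired, unwired:", unwired_policy_zones(CONF_WIRED))
    print("policy order:", policy_zones(CONF_WIRED))
```

The `allow-query { none; }` heuristic is what marks a zone as a feed here: a zone nobody may query is useful only as policy input, so one that is not listed in `response-policy` is almost certainly a configuration mistake.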
Re: Error logs in bind resolving
On Dec 30, 2013, at 2:29 AM, Gaurav Kansal wrote: > Dear All, > > In my bind server logs, I am getting too much error logs of below mentioned > type. > Can anyone pl. explain me why I am getting these logs and how to get rid of > those. > > Although when I am doing dig for the domain (for which I am getting the > error), I am getting the valid output. > > Thanks. > > Dec 30 15:54:18 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving > 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53 I see an incorrect negative response. Could this be the problem? Here is the end of a dig trace: geoadnxs.com. 172800 IN NS 01.auth.nym1.appnexus.net. geoadnxs.com. 172800 IN NS 01.auth.nym2.appnexus.net. geoadnxs.com. 172800 IN NS 01.auth.lax1.appnexus.net. geoadnxs.com. 172800 IN NS 01.auth.ams1.appnexus.net. ;; Received 222 bytes from 192.33.14.30#53(192.33.14.30) in 123 ms sin1.geoadnxs.com. 86400 IN NS ns2.apac.gslb-ns.net. sin1.geoadnxs.com. 86400 IN NS ns1.apac.gslb-ns.net. ;; Received 122 bytes from 68.67.133.169#53(68.67.133.169) in 67 ms geoadnxs.com. 30 IN SOA ns1.gslb.com. support.appnexus.net. 1 86400 30 86400 30 ;; Received 103 bytes from 64.208.141.10#53(64.208.141.10) in 187 ms ___ My resolving name server complains as follows: Dec 30 10:19:45 ubuntu named[1299]: DNS format error from 64.208.141.10#53 resolving ib.sin1.geoadnxs.com/ for client ::1#60014: invalid response Dec 30 10:19:45 ubuntu named[1299]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.10#53 Dec 30 10:19:45 ubuntu named[1299]: DNS format error from 64.208.141.11#53 resolving ib.sin1.geoadnxs.com/ for client ::1#60014: invalid response Dec 30 10:19:45 ubuntu named[1299]: error (FORMERR) resolving 'ib.sin1.geoadnxs.com//IN': 64.208.141.11#53 ___ I believe the problem is that when asked for an record, the load balancer gives an otherwise-proper-looking negative response that claims to be from the wrong zone. 
Regards,
Chris Buxton
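The diagnosis above, as an added example that is not code from the thread or from BIND: a bailiwick check that a negative answer's SOA owner is the zone expected to hold the query name. The geoadnxs.com records are taken from the dig trace quoted above; the function names and the "fixed" SOA are my own constructed assumptions.

```python
"""Bailiwick check for a negative DNS answer, mirroring the sanity test a
resolver such as BIND applies before accepting a response.

Added example, not code from the thread or from BIND. The geoadnxs.com
records are the tail of the dig +trace quoted above; the SOA in FIXED is a
constructed placeholder for what the delegated server should have returned."""

# (owner, type, rdata), in the order dig printed them.
TRACE = [
    ("geoadnxs.com.", "NS", "01.auth.nym1.appnexus.net."),
    ("geoadnxs.com.", "NS", "01.auth.nym2.appnexus.net."),
    ("sin1.geoadnxs.com.", "NS", "ns2.apac.gslb-ns.net."),
    ("sin1.geoadnxs.com.", "NS", "ns1.apac.gslb-ns.net."),
    ("geoadnxs.com.", "SOA",
     "ns1.gslb.com. support.appnexus.net. 1 86400 30 86400 30"),
]
# Constructed: same delegations, but the SOA comes from the right zone.
FIXED = TRACE[:4] + [("sin1.geoadnxs.com.", "SOA",
                      "ns1.apac.gslb-ns.net. hostmaster.example. 1 3600 900 604800 300")]

def is_subdomain(name, zone):
    """True if name equals zone or lies below it (absolute names, trailing dot)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)

def zone_cuts(records):
    """Owners of the NS RRsets seen, i.e. the delegation points."""
    return {owner for owner, rtype, _ in records if rtype == "NS"}

def expected_zone(qname, cuts):
    """Closest enclosing delegation: the zone that must answer for qname."""
    ancestors = [z for z in cuts if is_subdomain(qname, z)]
    return max(ancestors, key=lambda z: z.count("."), default=".")

def check_negative_answer(qname, records):
    """Return (ok, reason). A negative answer must carry exactly one SOA,
    owned by the zone expected to contain qname; anything else is what the
    FORMERR / 'invalid response' log lines above are complaining about."""
    soas = [owner for owner, rtype, _ in records if rtype == "SOA"]
    if len(soas) != 1:
        return False, "expected one SOA in the authority section, got %d" % len(soas)
    want = expected_zone(qname, zone_cuts(records))
    if soas[0].lower() != want.lower():
        return False, "SOA owner %s but %s belongs to zone %s" % (soas[0], qname, want)
    return True, "SOA owner %s matches zone %s" % (soas[0], want)

if __name__ == "__main__":
    for resp in (TRACE, FIXED):
        print(check_negative_answer("ib.sin1.geoadnxs.com.", resp))
```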
Re: Error logs in bind resolving
On Dec 30, 2013, at 9:46 PM, Gaurav Kansal wrote:
> I am getting the error message for a lot of domains.
>
> Log of error entries are attached.

All the ones I checked were caused by broken implementations.

> Is it possible to configure bind so that error messages are not generated in the log file?

They’re logged as errors. I’m not sure I’d want to suppress these errors. Maybe your log service can be configured to filter them out more specifically than what can be done with named’s own logging capability.

Regards,
Chris Buxton
Re: Error logs in bind resolving
On Dec 31, 2013, at 11:25 PM, Gaurav Kansal wrote:
> Thanks Chris for your useful comments.
>
> On Dec 30, 2013, at 9:46 PM, Gaurav Kansal wrote:
>>> I am getting the error message for a lot of domains.
>>>
>>> Log of error entries are attached.
>>>
>> All the ones I checked were caused by broken implementations.
>
> Is this a broken implementation of IPv6 or something else? This DNS server is running IPv6 only.

Broken implementations of name servers. They’re probably mostly load balancers.

Regards,
Chris Buxton
Re: When Updates Fail
On Jan 7, 2014, at 2:05 PM, Martin McCormick wrote:
> Is there any way to tell what is actually being sent to bind when attempting a dynamic update?
>
> I have a perl script which is obviously broken because every forward update it tries to send fails.
>
> 07-Jan-2014 15:38:09.458 client 192.168.1.5#17352: request has invalid signature: TSIG ns: tsig verify failure (BADKEY)

Are you using Net::DNS to send your updates? If so, what version? There is a bug in 0.73 with regard to TSIG. One solution, for the time being, is to downgrade to 0.72. Or there’s a release candidate for 0.74 that apparently fixes it, but I haven’t tested it.

Regards,
Chris Buxton
Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9
On Jan 17, 2014, at 6:45 PM, Larry Stone wrote:
> Background: I have been using my Macintosh as a server… […]
>
> Problem: This morning, by happenstance, both were rebooted a few minutes apart and suddenly, nobody could access anything. Finally figured out that named on both was not responding (queries timed out). Killed named (which was immediately restarted by Apple’s launchd) and all was well. Rebooted the secondary to see if it was repeatable and same thing. Nothing of interest in the log - both the initial startup at boot time and restart log identically (and it does log the RFC 1918 empty zones warning so it gets that far). I’m guessing there’s some resource not available at boot time that’s causing named to hang but that’s really just a wild guess.

I remember fixing this problem way back when Apple first switched to launchd (10.4 or so). Basically, Apple patches (or used to patch) named to make it register with the system to be told when a network interface is added. Their patch allowed named to start up before the network is up, and then essentially get a SIGHUP or something like it every time a network interface comes up or goes down.

The problem is that launchd starts named before the network is up. The solution is to have it wait a few seconds before starting. The way we did it back then was to have launchd start a script instead of starting named directly. The script would simply sleep 3 seconds (or something like that) before starting named. It would then stay open.

I’d bet that the package from Men & Mice includes this script or an equivalent workaround. When I wrote the original script I wrote about above, I worked at Men & Mice.

Regards,
Chris Buxton
Re: additional section policy
On Jan 19, 2014, at 7:30 PM, houguanghua wrote:
> Would you please tell me which RFC depicts the policy of the 'additional section'? And how does the bind server deal with the 'additional section'?
>
> Sometimes the number of records in the 'additional section' is more than the number in the 'authority section'. I don't know what the local bind server will do when receiving these additional sections.
> The local Bind server may:
> -- pick one name server randomly
> -- or use sophisticated policies that "score" name servers and pick more often the ones that replied faster
>
> Which is right?

The additional section is filled in by the responding name server with whatever records it feels would help the querier in the near future. This could be, for example, the addresses of name servers listed in NS records. It appears you’re asking about specifically this case. This behavior is described in RFC 1034 or 1035, I believe.

As for responding to this data by following up on a referral and asking a listed name server, the BIND name server uses the RTT (round trip time) algorithm. Basically, it tries to guess which remote server would respond fastest and queries that server.

Regards,
Chris Buxton