RE: Time stamp in query log
Dear All,

We have been facing misbehaviour of the time stamp in the query log since January 2015. We are using RHEL 6.2 and BIND version 9.9.5-P1 for the DNS server. We are in the IST time zone. Our server time is showing the correct time, but the query log time stamp is showing a ten and a half hour delay. Can anybody help regarding...

With Regards
Divya
New Delhi.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Does BIND supports ANAME RR
Dear Admin,

Has anybody used the advanced BIND features DoT and DoH? Kindly help me to configure DoT and DoH in DNS with BIND 9.17.16 + CentOS 7.9.

With Regards
Divya

----- Original Message -----
From: "Ondřej Surý"
To: "klaus darilion"
Cc: bind-users@lists.isc.org
Sent: Monday, August 9, 2021 10:48:54 PM
Subject: Re: Does BIND supports ANAME RR

No, and there’s no strong use case for that. The ANAME was wrong on every level from the protocol perspective and I am glad it is gone.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 9. 8. 2021, at 17:23, Klaus Darilion via bind-users wrote:
>
> Does every application that uses gethostbyname have a benefit of HTTPS/SVCB? That is what I meant.
>
> regards
> Klaus
>
>> -----Original Message-----
>> From: Mark Andrews
>> Sent: Monday, 9 August 2021 15:55
>> To: Klaus Darilion
>> Cc: Evan Hunt; Gaurav Kansal; bind-us...@lists.isc.org
>> Subject: Re: Does BIND supports ANAME RR
>>
>> Every resolver on the planet already supports HTTPS and SVCB. Every authoritative server on the planet already supports HTTPS and SVCB via unknown record format. iOS is already making HTTPS queries for every webpage. I believe other browsers also make HTTPS queries today. Go look at your DNS traffic.
>>
>> The MR mentioned earlier allows named and the other tools to load and display the records in presentation format and to do the additional section processing. None of that is required to be able to return these records. It just makes it easier.
>>
>> Just about all the other DNS vendors also have code that can read and display presentation format.
>>
>> ANAME is dead.
>>
>> --
>> Mark Andrews
>>
>>> On 9 Aug 2021, at 21:53, Klaus Darilion via bind-users <bind-us...@lists.isc.org> wrote:
>>>
>>>> -----Original Message-----
>>>> From: bind-users on behalf of Evan Hunt
>>>> Sent: Saturday, 7 August 2021 20:21
>>>> To: Gaurav Kansal
>>>> Cc: bind-users@lists.isc.org
>>>> Subject: Re: Does BIND supports ANAME RR
>>>>
>>>>>> On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
>>>>>> I need the help in figuring out whether BIND supports ANAME ? If yes, then from which version onwards ?
>>>>>
>>>>> No, it doesn't. The effort to standardize ANAME stalled, and I doubt it'll be coming back.
>>>>>
>>>>> The new HTTPS and SVCB records look like a better approach anyway. BIND will have support for those pretty soon.
>>>
>>> But honestly SVCB will not solve the ANAME problem. It will take years until all resolvers/client would support SVCB whereas ANAME would be implemented in the authoritative name server and hence would work for every client/resolver as client/resolver never sees the ANAME but only the A/ record.
>>>
>>> regards
>>> Klaus

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
advance features of BIND DoT and DoH
Dear Admin,

Has anybody implemented the advanced BIND features DoT and DoH? Kindly help me to configure DoT and DoH in DNS with BIND 9.17.16 + CentOS 7.9.

With Regards
Divya
DNSSEC implementation on IPv6 PTR Zones
Dear Admin,

Has anybody implemented DNSSEC on IPv6 reverse zones? Kindly help us to configure DNSSEC on the reverse zones of an IPv6 segment with BIND 9.17.16 + CentOS 7.9.

With Thanks & Regards
Divya
Re: DNSSEC implementation on IPv6 PTR Zones
How to create DS for 2409::/28

With Regards
Divya Parashar

From: m...@posix.co.za
To: bind-users@lists.isc.org
Cc: "Divya"
Sent: Thursday, November 18, 2021 3:44:56 PM
Subject: Re: DNSSEC implementation on IPv6 PTR Zones

And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC.

One suggestion though. When one signs an IPv4 reverse - use NSEC - as everyone can guess what is there anyway. With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy work at guessing what is in the zone.

Also - if signing a brand new zone - try using Algo 13 (Elliptical curve) as it will generate shorter keys - so less chance of your zone being used in a DNS DDOS amplification attack - it doesn't amplify as much.

On 11/18/21 12:07 PM, Mark Andrews wrote:
> You do it exactly the same as any other zone. You create DNSKEYs. You sign the zone. You add DS records to the parent zone.
>
> --
> Mark Andrews
>
>> On 18 Nov 2021, at 20:28, Divya wrote:
>>
>> Dear Admin,
>>
>> Has anybody implemented DNSSEC on IPv6 reverse zones? Kindly help us to configure DNSSEC on reverse zones of IPV6 segment with BIND 9.17.16+CentOS 7.9.
>>
>> With Thanks & Regards
>> Divya

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
Re: DNSSEC implementation on IPv6 PTR Zones
Not able to sign the zone for 2409::/28

    dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.4.2.ip6.arpa. -t Zone

Pls help..

With Regards
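
Added example (not part of the thread and not any poster's code): a Python helper that maps an IPv6 prefix to the ip6.arpa zone origin(s) it needs and maps an origin back to the prefix it names, so the name given to `dnssec-signzone -o` can be checked against the prefix being signed. The function names and the 2001:db8::/30 sample are assumptions made for illustration; 2409::/28 and 2001:42a0::/32 are the prefixes mentioned in the thread.

```python
import ipaddress

HEX = set("0123456789abcdef")


def reverse_zones(prefix):
    """Return the ip6.arpa zone origin(s) needed to cover an IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    # ip6.arpa has one label per 4-bit nibble, so a prefix length that is not
    # a multiple of 4 is covered by several zones at the next nibble boundary.
    aligned = -(-net.prefixlen // 4) * 4
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        nibbles = sub.network_address.exploded.replace(":", "")[: aligned // 4]
        zones.append(".".join(list(reversed(nibbles)) + ["ip6", "arpa"]) + ".")
    return zones


def origin_to_prefix(origin):
    """Inverse check: which prefix does an ip6.arpa origin actually name?"""
    labels = origin.rstrip(".").lower().split(".")
    nibbles = labels[:-2][::-1]
    if labels[-2:] != ["ip6", "arpa"] or len(nibbles) > 32:
        raise ValueError("not an ip6.arpa name: %r" % origin)
    if any(len(n) != 1 or n not in HEX for n in nibbles):
        raise ValueError("labels must be single hex nibbles: %r" % origin)
    value = int("".join(nibbles).ljust(32, "0"), 16)
    return ipaddress.IPv6Network((value, 4 * len(nibbles)))


if __name__ == "__main__":
    # 2001:db8::/30 is a constructed sample of a non-nibble-aligned prefix.
    for p in ("2409::/28", "2001:42a0::/32", "2001:db8::/30"):
        print(p, "->", reverse_zones(p))
    # A full-length reverse name describes one address, not a delegated zone.
    full = ipaddress.IPv6Address("2409::").reverse_pointer
    print(full, "->", origin_to_prefix(full))
```

Each origin label stands for four bits, so counting the labels before `ip6.arpa.` gives the prefix length the name covers; the DS record for a signed zone is published at that same owner name in the parent zone.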