Bind99 and a slave named server

2013-08-16 Thread LuKreme

I've been running bind 9 on my FreeBSD servers for awhile. After putting a new 
machine in place I installed bind99 via ports on the new machine (the master) 
and updated bind to bind99 on the secondary DNS (the slave).

However, I could not get the slave to do anything other than post errors and 
refuse to start. Usually they were along the lines of not being able to bind to 
port 953 or of not being able to receive the zone updates.

To get it working, I converted the slave to a master so I have two instances 
that are both masters. If I need to make changes, I'll need to make them twice. 
Obviously, I'd prefer to have this working correctly.

Before I really dig into this, is there a general "before you upgrade" or "how 
to upgrade bind9 to bind99" that I didn't see because I updated via ports?

It can't be THAT broken, since converting to master went very smoothly.

-- 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind99 and a slave named server

2013-08-17 Thread LuKreme
On Aug 16, 2013, at 23:28, Noel Butler  wrote:
> I'm still trying to work out what the hell bind99 is
Sorry, that is how ports refers to bind 9.9



bind not getting out of my LAN?

2013-08-18 Thread LuKreme
If I try to check my dns from inside my LAN (on either ns1 or ns2), everything 
seems fine:

# dig webmail.covisp.net | grep -A1 ";; ANSWER" | tail -1
webmail.covisp.net. 86400   IN  CNAME   www.covisp.net.

# dig www.covisp.net | grep -A1 ";; ANSWER" | tail -1
www.covisp.net. 86400   IN  A   75.148.117.90

# dig @ns1.covisp.net mail.covisp.net | grep -A1 ";; ANSWER" | tail -1
mail.covisp.net.    86400   IN  A   75.148.117.91

But If I try to use an external server:

# dig @8.8.8.8 mail.covisp.net 

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 mail.covisp.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.covisp.net.   IN  A

;; Query time: 4085 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 18 08:36:34 2013
;; MSG SIZE  rcvd: 33

# dig @75.75.75.75 mail.covisp.net 

; <<>> DiG 9.8.3-P1 <<>> @75.75.75.75 mail.covisp.net
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Here's the top of my named.conf:

options {
   directory   "/etc/namedb";
   pid-file    "/var/run/named/pid";
   listen-on { 75.148.117.93; 75.148.117.91; 127.0.0.1; };
   statistics-file "/var/stats/named.stats";
   dnssec-enable yes;
   dnssec-validation yes;
};

key "rndc-key" { algorithm hmac-md5; secret "keykeykey="; };
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; }; };

managed-keys {
   "." initial-key 257 3 8
   "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
   FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
   bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
   X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
   W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
   Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
   QxA+Uk1ihz0=";
};

zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
zone "." { type hint; file "slave/root-nameservers"; };


-- 
The older you get the more you need the people you knew when you were
young.



Re: bind not getting out of my LAN?

2013-08-18 Thread LuKreme
On 18 Aug 2013, at 08:59 , Matus UHLAR - fantomas  wrote:
> no answers come from your nameservers, 75.148.117.92 nor 75.148.117.93.
> 
> no servers can resolve your domain if your nameservers do not respond.
> 
> they do not seem to be reachable from internet. Are they behind firewall
> that blocks DNS?

As it turned out, the NSP stopped routing for .92 and .93 (but not for .90 or 
.91). Had to go reset their hardware and then everything worked, so nothing to 
do with bind.


-- 
Growing up leads to growing old, and then to dying/And dying to me don't
sound like all that much fun.



Re: Bind99 and a slave named server

2013-08-18 Thread LuKreme
On 17 Aug 2013, at 09:02 , Alan Clegg  wrote:
> On Aug 17, 2013, at 5:12 AM, LuKreme  wrote:
>> On Aug 16, 2013, at 23:28, Noel Butler  wrote:
>>> I'm still trying to work out what the hell bind99 is
>> Sorry, that is how ports refers to bind 9.9
> 
> Thanks for that, but any word on the actual error messages?

Since I converted the slave to a second master I don't have any errors. What I 
was looking for was a writeup on setting a master and slave up specifically 
under bind 9.9, since it seems different.

Since it is all working, what I am looking for now is "how to convert your 
master bind server to a slave".

I am finding a few on going the other way (slave to master) but almost all of 
them are for older versions of bind9.

-- 
'You make us want what we can't have and what you give us is worth
nothing and what you take is everything and all there is left for us is
the cold hillside, and emptiness, and the laughter of the elves.'



Re: Bind99 and a slave named server

2013-08-18 Thread LuKreme
On 18 Aug 2013, at 14:06 , Dave Warren  wrote:

> Change the zones from master to slave in your named.conf? There really isn't 
> much more to it than that, assuming you have a new authoritative master is 
> already configured and serving the zones.

Oh, there's a bit more to it than that. There's allow transfer or something and 
notify and text or binary (I want text).

Keep in mind, the reason I am running two masters right now is that the slave 
was not working.

-- 
"There's nothin' wrong with bein' a son of a bitch." -- Gaspode the
Wonder Dog



Re: Bind99 and a slave named server

2013-08-20 Thread LuKreme

On 18 Aug 2013, at 19:20 , Noel Butler  wrote:

> As has been said already, there is really very little to it, and unless you 
> sent it to Alan off-list, you still have  _NOT_  provided the error logs 
> after being asked by more than one person.

Thanks, I thought I was clear.

I am *not* getting any errors, so there are no error logs. However, I am 
currently running each server as a master.

What I am looking for is something (docs, a writeup, a how-to, anything) on 
converting a master bind 9.9 server to a slave bind 9.9 server. I see a lot on 
converting a slave to a master.

Things that I know are issues I want to cover before I make changes.

1. RAW versus TEXT
2. allow transfer
3. notify
4. key files<1>
5. dnssec-enable
6. managed-keys

and any changes in how root servers are set up since I am pretty sure that has 
changed since I first set up bind 9.1 many eons ago (2002?).

<1> For example, right now, since server 2 is an exact copy of server 1 with 
IPs changed, the two machines have identical rndc-key files.

-- 
A clear conscience is usually the sign of a bad memory.



Re: Bind99 and a slave named server

2013-08-20 Thread LuKreme
On 20 Aug 2013, at 14:38 , Alan Clegg  wrote:
> To convert master to slave:

[snip]

> Bazinga!

OK. Not Bazinga.

$ grep covisp named.conf
zone "covisp.net" { type slave; file "slave/covisp.net"; masters { 75.148.117.92; }; };
$ rndc status
version: 9.9.3-P2
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 117
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 5
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
$ grep listen named.conf
listen-on { 75.148.117.93; 75.148.117.91; 127.0.0.1; };
$ dig @localhost covisp.net | grep -A2 ";; ANS" | tail -2
$ dig @75.148.117.91 covisp.net | grep -A2 ";; ANS" | tail -2
$ dig @ns1.covisp.net covisp.net |grep -A2 ";; ANS" |tail -2
covisp.net. 86400   IN  A   75.148.117.93
covisp.net. 86400   IN  A   75.148.117.90

in /var/log/messages:
Aug 20 20:40:23 mail named[81006]: the working directory is not writable<1>
Aug 20 20:40:23 mail named[81006]: all zones loaded
Aug 20 20:40:23 mail named[81006]: running

Oh, and slave/ is empty.

$ grep covisp named.conf-master 
zone "covisp.net" { type master; file "master/covisp.net";  };
$ diff /var/named/etc/namedb/master/covisp.net /var/named/etc/namedb/slave/covisp.net
$ cp /var/named/etc/namedb/named.conf-master /var/named/etc/namedb/named.conf
$ rndc reload
$ dig @75.148.117.91 covisp.net | grep -A2 ";; ANS" | tail -2
covisp.net. 86400   IN  A   75.148.117.93
covisp.net. 86400   IN  A   75.148.117.90

<1> (the working directory is not writeable comes up every time because 
/var/named/etc/namedb is owned by root and changing it causes bind to first 
change it back, and then log the error anyway).


-- 
LOOSE TEETH DON'T NEED MY HELP Bart chalkboard Ep. AABF16



Re: Update from 9.2.1 to 9.8.2 rc1

2013-09-03 Thread LuKreme

On 03 Sep 2013, at 08:17 , Mark Andrews  wrote:

> named-checkconf -z

Nifty. I was alerted to a couple of SPF issues.

-- 
You could save people. You could get there in the nick of time. And
something could snap its fingers and say, no , it has to be that way.
Let me tell you how it has to be. This is how the legend goes. --Soul
Music



dumping master file: tmp-xxx: open: permission denied

2014-01-13 Thread LuKreme
OK, I am getting this error "dumping master file: tmp-xxx: open: permission 
denied", occasionally, on both my slave DNS servers and I can't seem to fix it.

The dns slave files are being written into /var/named/etc/namedb/slave which is 
owned by bind

8 drwxr-xr-x  2 bind  wheel  1024 Jan 13 19:46 /var/named/etc/namedb/slave

DNS changes are getting propagated to both servers from the master, so I don't 
know where the permission denied is coming from. Where is this tmp file being 
(attempted to be) written?

And why are the slave servers "dumping master file" in the first place?

-- 
Carlin's Third Commandment: Thou shall keep thy religion to thyself.



Re: dumping master file: tmp-xxx: open: permission denied

2014-01-14 Thread LuKreme

On 13 Jan 2014, at 20:36 , Mark Andrews  wrote:

> 
> In message <8919443e-8f62-48cd-8da4-9c9632fc5...@kreme.com>, LuKreme writes:
>> OK, I am getting this error "dumping master file: tmp-xxx: open:
>> permission denied", occasionally, on both my slave DNS servers and I
>> can't seem to fix it.
>> 
>> The dns slave files are being written into /var/named/etc/namedb/slave
>> which is owned by bind
>> 
>> 8 drwxr-xr-x  2 bind  wheel  1024 Jan 13 19:46 /var/named/etc/namedb/slave
>> 
>> DNS changes are getting propagated to both servers from the master, so I
>> don't know where the permission denied is coming from. Where is this
>> tmp file being (attempted to be) written?
> 
> It's trying to write to the working directory which I doubt is
> /var/named/etc/namedb/slave.  I suspect you have a bad "file"
> directive.

Hmm. OK, there is a /var/named/etc/namedb/working/ which is also owned by bind.

Where might this bad file directive be? The only ‘file’ entries in named.conf are 
in the form “slave/example.com” and the pid-file setting.

>> And why are the slave servers "dumping master file" in the first place?
> 
> So the slave can start up and serve the zone content when the master
> server is down.

Oh? Coolness :)

-- 
I WILL STOP TALKING ABOUT THE TWELVE INCH PIANIST Bart chalkboard Ep.
3F07



Re: dumping master file: tmp-xxx: open: permission denied

2014-01-14 Thread LuKreme

On 14 Jan 2014, at 09:02 , David Forrest  wrote:

> On Tue, 14 Jan 2014, LuKreme wrote:
> 
>> 
>> On 13 Jan 2014, at 20:36 , Mark Andrews  wrote:
>> 
>>> 
>>> In message <8919443e-8f62-48cd-8da4-9c9632fc5...@kreme.com>, LuKreme writes:
>>>> OK, I am getting this error "dumping master file: tmp-xxx: open:
>>>> permission denied", occasionally, on both my slave DNS servers and I
>>>> can't seem to fix it.
>>>> 
>>>> The dns slave files are being written into /var/named/etc/namedb/slave
>>>> which is owned by bind
>>>> 
>>>> 8 drwxr-xr-x  2 bind  wheel  1024 Jan 13 19:46 /var/named/etc/namedb/slave
>>>> 
>>>> DNS changes are getting propagated to both servers from the master, so I
>>>> don't know where the permission denied is coming from. Where is this
>>>> tmp file being (attempted to be) written?
>>> 
>>> It's trying to write to the working directory which I doubt is
>>> /var/named/etc/namedb/slave.  I suspect you have a bad "file"
>>> directive.
>> 
>> Hmm. OK, there is a /var/named/etc/namedb/working/ which is also owned by 
>> bind.
>> 
>> Where might this bad file directive be? The only ‘file’ entries in named.conf 
>> are in the form “slave/example.com” and the pid-file setting.
>> 
>>> And why are the slave servers "dumping master file" in the first place?
>>> 
>>> So the slave can start up and serve the zone content when the master
>>> server is down.
>> 
>> Oh? Coolness :)
> 
> I've been tripped up on this before as there is a default directory and the 
> default can be overridden by a "directory" option statement.  Using a chroot 
> adds the current definition into the chrooted directory.  It can get quite 
> confusing and I have found that just using full paths on all zone files just 
> cuts out any question. Usually the slave server will get a new copy master 
> fairly quickly if you don't save it but it is cleaner if it has a fairly 
> recent copy locally.

so I should change

zone "kreme.com" { type slave; masters { 75.148.37.67; }; file "slave/kreme.com"; };

to

zone "kreme.com" { type slave; masters { 75.148.37.67; }; file "/var/named/etc/namedb/slave/kreme.com"; };

and that will eliminate the errors?

or are you saying that in options { … I should set 

directory "/var/named/etc/namedb/"

If I change the ownership of /var/named/etc/namedb to bind, it gets changed 
back to root when bind starts.

-- 
"Those people who think they know everything are a great annoyance to
those of us who do." - Isaac Asimov

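A check for the question this message raises, added here and not taken from the list: resolve each zone's `file` against the `directory` option the way named does, then test whether the directory that will receive the dump (and its tmp-xxx temporary file) is writable by the user you run the check as. The `named.conf` it parses is constructed for the example, loosely modelled on the stanzas quoted above.

```shell
#!/bin/sh
# zone_files NAMED_CONF: print "<zone>\t<type>\t<absolute zone file>" for every
# zone stanza. A relative "file" is joined to the options { directory } value
# (named's working directory); an absolute one is left alone. This is the
# resolution that using full paths everywhere sidesteps.
zone_files() {
    # Pad braces and semicolons so every keyword and value is its own token,
    # whether the stanza is on one line (as in the thread) or spread out.
    sed 's/[{};]/ & /g' "$1" | awk '
    function unquote(s) { gsub(/"/, "", s); return s }
    {
        for (i = 1; i < NF; i++) {
            if      ($i == "directory") dir = unquote($(i + 1))
            else if ($i == "zone")      { n++; zone[n] = unquote($(i + 1)); type[n] = "?"; file[n] = "" }
            else if ($i == "type" && n) type[n] = $(i + 1)
            else if ($i == "file" && n) file[n] = unquote($(i + 1))
        }
    }
    END {
        if (dir == "") dir = "."          # named default: its current directory
        for (k = 1; k <= n; k++) {
            f = file[k]
            if (f == "") f = "(none)"
            else if (f !~ /^\//) f = dir "/" f
            printf "%s\t%s\t%s\n", zone[k], type[k], f
        }
    }'
}

# unwritable_slave_dirs NAMED_CONF: directories of slave zone files that the
# current user cannot write to. Run it as the user named runs as (bind here);
# root passes every -w test, so running it as root proves nothing.
unwritable_slave_dirs() {
    zone_files "$1" | while IFS="$(printf '\t')" read -r zone ztype path; do
        [ "$ztype" = slave ] || continue
        d=$(dirname "$path")
        [ -w "$d" ] || printf '%s\t%s\n' "$zone" "$d"
    done
}

# write_sample_conf DIR: a constructed named.conf using DIR as the working
# directory, with one relative and one absolute slave file path.
write_sample_conf() {
    cat > "$1/named.conf" <<EOF
options {
    directory "$1";
    pid-file "/var/run/named/pid";
};
zone "kreme.com" { type slave; masters { 75.148.37.67; }; file "slave/kreme.com"; };
zone "example.net" {
    type slave;
    masters { 192.0.2.1; };
    file "$1/abs/example.net";
};
zone "covisp.net" { type master; file "master/covisp.net"; };
EOF
}
```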


"Recursive no;" implications?

2014-01-21 Thread LuKreme
If you set recursion no; in named.conf, you need to set the forwarders as well. 
Is there anything else that must be done so that DNS queries still work?

If you have master/slave servers you should specify allow-recursion for your 
subnet instead, right? If you do this, you don't need to set forwarders, yes?

And finally, can you specify a slave DNS against a CNAME or must it have a rDNS 
and an A record?

For example

  NS ns1.example.com.
  NS ns2.example.com.

Ns1.  A  12.34.56.789
Ns2   CNAME name.someothername.tld

Where the server at the CNAME doesn't have rDNS?




Re: "Recursive no;" implications?

2014-01-21 Thread LuKreme

On 21 Jan 2014, at 02:12 , Mark Andrews  wrote:

>> If you have master/slave servers you should specify allow-recursion for your 
>> subnet instead, right? If you do this, you don't need to set forwarders, 
>> yes?
> 
> Allow-recursion has no impact on master / slave zones.

OK, so in order to lock down your server against DDOS DNS attacks you need to 
restrict the access to the recursive lookup, yes? But if you set 'recursion 
no;' then your own servers will not lookup IP addresses for, for example, your 
mail server to check reject_unknown_reverse_client_hostname or related.



Looking at that, if I am reading it correctly, I should have

allow-recursion { "localnets"; }

in the options on the master and slave DNS servers (along with any other 
specific IPs that I want to/need to allow). Given the risks in allowing 
recursion for the wilds of the Internet, how are companies like Google able to 
allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDOS attacks?

>> And finally, can you specify a slave DNS against a CNAME or must it have a rDNS
>> and an A record?
> 
> No.  NS records need to refer to nodes with A and/or  records.  Reverse
> DNS is irrelevant to the delegation.

Thanks, I thought that was the case.

-- 
"A thousand years ago we thought the world was a bowl. Five hundred
years ago we knew it was a globe. Today we know it is flat and round
carried through space on the back of a turtle. Don't you wonder what
shape it will turn out to be tomorrow?" [Lord Vetinari]

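A way to verify the lock-down this message is asking about, added here and not from the list: query one of your own name servers from outside your network for a name you do not host and read the RA flag, which BIND sets only when it would recurse for the querying client. The three sample runs are constructed for the example, in the format dig printed above; `192.0.2.53` and `ns1.example.net` are placeholders.

```shell
#!/bin/sh
# classify_dig: read the output of one dig(1) run on stdin and report whether
# the server that answered offers recursion to the client that asked.
#   open         RA flag set: the server would recurse for this client,
#                i.e. the client matches allow-recursion
#   closed       a reply without RA (typically REFUSED, or an authoritative
#                answer for a zone the server hosts)
#   unreachable  no reply at all
# Output is "<verdict> <status>", status being dig's rcode or "-" if none.
classify_dig() {
    awk '
    /connection timed out/ || /no servers could be reached/ { down = 1 }
    /^;; ->>HEADER<<-/ {
        # ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1234"
        for (i = 1; i < NF; i++)
            if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
        # ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, ..." -> keep only the flag words
        line = $0
        sub(/^;; flags:[ \t]*/, "", line)
        sub(/;.*/, "", line)
        n = split(line, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
    }
    END {
        if (status == "") status = "-"
        if (down)    print "unreachable " status
        else if (ra) print "open " status
        else         print "closed " status
    }'
}

# Constructed samples. Live use, from a host OUTSIDE the allow-recursion
# networks (from the LAN or localhost "open" is expected and proves nothing):
#   dig @ns1.example.net example.org | classify_dig
SAMPLE_OPEN=$(cat <<'EOF'
; <<>> DiG 9.9.3-P2 <<>> @192.0.2.53 example.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10140
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.org.        3600    IN  A   192.0.2.80
EOF
)
SAMPLE_CLOSED=$(cat <<'EOF'
; <<>> DiG 9.9.3-P2 <<>> @192.0.2.53 example.org
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20321
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
)
SAMPLE_DOWN=$(cat <<'EOF'
; <<>> DiG 9.9.3-P2 <<>> @192.0.2.53 example.org
;; global options: +cmd
;; connection timed out; no servers could be reached
EOF
)
```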


Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-21 Thread LuKreme

On 18 Jan 2014, at 06:52 , Larry Stone  wrote:

> That is not the problem. 

In the launchd plist do you have something like


  NetworkState
  


or maybe

inetdCompatibility

  Wait
  


to tell the system not to start bind until after the network is up?

-- 
IT IS NOT YET MIDNIGHT?  'I shouldn't think it's more than a quarter
past eleven.' THEN WE HAVE THREE-QUARTERS OF AN HOUR 'How can you be
sure?' BECAUSE OF DRAMA, MISS FLITWORTH.. THE KIND OF DEATH WHO POSES
AGAINST THE SKYLINE AND GETS LIT UP BY LIGHTNING FLASHES, said Bill
Door, disapprovingly, DOESN'T TURN UP AT FIVE-AND-TWENTY PAST ELEVEN IF
HE CAN POSSIBLY TURN UP AT MIDNIGHT.



Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-22 Thread LuKreme

On 22 Jan 2014, at 05:37 , Larry Stone  wrote:

> 
> On Jan 21, 2014, at 11:38 PM, LuKreme  wrote:
> 
>> 
>> On 18 Jan 2014, at 06:52 , Larry Stone  wrote:
>> 
>>> That is not the problem. 
>> 
>> In the launchd plist do you have something like
>> 
>> 
>> NetworkState
>> 
>> 
>> 
>> or maybe
>> 
>> inetdCompatibility
>> 
>> Wait
>> 
>> 
>> 
>> to tell the system not to start bind until after the network is up?
> 
> No, but neither does Apple.

Right, but Apple did this by having their compile of bind start listening on 
127.0.0.1 and then prodding it once the network was up and the IP address was 
available. Since Apple doesn't take this extra step, you'd need to tell launchd 
to wait for the Network, or you'd have to duplicate Apple's solution (probably 
by sending a SIGHUP when the network is live).

> My launchd plist is the same as what Apple provided with OS X 10.8

Right, but bind was included with the base OS X client in 10.8.

> But another good area for experimentation when I have a chance (yesterday’s 
> surprise announcement that Logmein is discontinuing their Free product 
> effective immediately shuffled the priorities :-( ).

Yes, that rather pissed me off as well. It's one thing to discontinue a free 
service, it is something else entirely to cut it off with no warning. Oh well.

-- 
'Winners never talk about glorious victories. That's because they're the
ones who see what the battlefield looks like afterwards. It's only the
losers who have glorious victories.' --Small Gods



Re: "Recursive no;" implications?

2014-01-22 Thread LuKreme

On 22 Jan 2014, at 01:43 , Steven Carr  wrote:

> A better option (and better overall design) would be
> to split your DNS servers, leave the current DNS servers as
> authoritative only and install a second set of DNS servers as a
> caching layer allowing recursion and do not have any direct inbound
> access from the Internet. All internal clients point to the caching
> layer.

Ah, well, that's an idea. I could even run the caching dns on the mail server.

-- 
And I'm not insane, my mother had me tested.



Re: Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND

2014-03-08 Thread LuKreme

On 08 Mar 2014, at 12:52 , Kostas Zorbadelos  wrote:

> One mitigation approach is to blackhole the domains using local zones.

That’s not much of a mitigation. Not having open resolvers would be mitigation.

-- 
Eyes the shady night has shut/Cannot see the record cut And silence
sounds no worse than cheers/After earth has stopped the ears.



Two domains reporting errors

2014-09-09 Thread LuKreme
# named-checkconf -z | grep -v loaded
master/bt.tld:3: ignoring out-of-zone data (bt.tld)
master/bt.tld:15: ignoring out-of-zone data (webdav.bt.tld)
_default/dw.tld/IN: bad zone
master/bt.tld:16: ignoring out-of-zone data (www.bt.tld)
zone dw.tld/IN: has 0 SOA records
zone dw.tld/IN: has no NS records

So, line 3 in bt.tld is the SOA line which looks as far as I can tell, 
basically identical to every other file:

==> master/covisp.net <==
$ORIGIN .
$TTL 86400  ; 1 day
covisp.net  IN SOA  covisp.net. root.covisp.net. (

==> master/bt.tld <==
$ORIGIN .
$TTL 86400  ; 1 day
bt.tld      IN SOA  bt.tld. root.covisp.net. (

and line 15 and 16 do redirect to www.covisp.net (but then, so do all the other 
webdav.* and www.* domains in other files)

For the second domain, I don't understand the _default/dw.tld/IN error at all, 
and the file starts like all the others:

# head -3  master/dw.tld 
$ORIGIN .
$TTL 86400
@           IN  SOA dw.tld. root.covisp.net.  (

(all the files have same permissions and all are in /etc/named/master)

-- 
I DID NOT SEE ELVIS Bart chalkboard Ep. 7G07



Re: Two domains reporting errors

2014-09-09 Thread LuKreme
On 09 Sep 2014, at 19:42 , LuKreme  wrote:
> # named-checkconf -z | grep -v loaded

Never mind. I recreated the files from scratch and the errors went away.



-- 
I DID NOT SEE ELVIS Bart chalkboard Ep. 7G07



Re: Two domains reporting errors

2014-09-25 Thread LuKreme
On 10 Sep 2014, at 04:55 , /dev/rob0  wrote:
> "@" refers to the current $ORIGIN.  When a zone file is initially 
> loaded, $ORIGIN is implicitly set to the name of the zone.  But you 
> changed that, it's now the root!  So "@" here means ".", and no, a 
> zone file with "@" is not the same as a zone file with an explicit 
> owner name for the SOA.

...

> $TTL 1d
> @ IN  SOA ns hostmaster ( ...
> @ IN  NS  ns
> @ IN  NS  ns1
> @ IN  NS  ns2
> @ IN  MX  0 mail
> mail  IN  A   192.0.2.25
> ns    IN  A   192.0.2.53
> ns1   IN  A   192.0.2.35
> ns2   IN  A   192.0.2.36
> 
> Note that there are only relative names in my example.  This could 
> load as any zone name.  You might want to use some fully-qualified 
> names on the RHS, such as "root.covisp.net." as the SOA RNAME.

Wait a second, so the zone name comes from the named.conf?

I could have, for all my hosted domains, a single file named something like 
hosted.conf and then simply link to it with `ln hosted.conf dw.tld` or ln -s, 
perhaps?

Also, the SOA line contains ns?

-- 
'Yes, but humans are more important than animals,' said Brutha. 'This
is a point of view often expressed by humans,' said Om. (Small Gods)

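The origin rules /dev/rob0 describes, worked through as an added example that is not from the list: given a zone name and a zone file, print the owner name named attaches to each record and flag the ones that fall outside the zone, which is what turns a `$ORIGIN .` plus `@` file into "ignoring out-of-zone data" and "has 0 SOA records". The three zone files are constructed, modelled on the `dw.tld` and `bt.tld` files quoted earlier in the thread.

```shell
#!/bin/sh
# expand_owners ZONE FILE: print the owner name named will attach to each
# record when FILE is loaded as zone ZONE, following the master-file rules:
# the origin starts as the zone name, "@" is the current origin, a name with
# no trailing dot gets the origin appended, and $ORIGIN replaces the origin
# for every later line. Output: "<owner>\t<in-zone|OUT-OF-ZONE>".
expand_owners() {
    awk -v zonefq="$1." '
    function fqdn(n) {
        if (n == "@")      return origin
        if (n ~ /\.$/)     return n            # already absolute
        if (origin == ".") return n "."        # relative to the root
        return n "." origin
    }
    function inzone(n) {
        if (n == zonefq) return 1
        if (length(n) <= length(zonefq)) return 0
        return substr(n, length(n) - length(zonefq)) == ("." zonefq)
    }
    BEGIN { origin = zonefq }
    inparen { if ($0 ~ /\)/) inparen = 0; next }   # rest of a multi-line SOA
    /^\$ORIGIN/ { origin = fqdn($2); next }          # explicit origin change
    /^\$/ || /^[ \t]*$/ || /^[ \t]*;/ { next }       # $TTL, blank and comment lines
    /^[ \t]/ { owner = last }                        # blank owner: same as previous record
    !/^[ \t]/ { owner = fqdn($1); last = owner }
    {
        printf "%s\t%s\n", owner, (inzone(owner) ? "in-zone" : "OUT-OF-ZONE")
        if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1
    }' "$2"
}

# out_of_zone ZONE FILE: the distinct owners named would drop with
# "ignoring out-of-zone data"; if the SOA is among them the zone ends up
# with "has 0 SOA records".
out_of_zone() {
    expand_owners "$1" "$2" | awk '$2 == "OUT-OF-ZONE" { print $1 }' | LC_ALL=C sort -u
}

# write_samples DIR: constructed zone files. dw.tld.bad has the "$ORIGIN ."
# plus "@" combination from the thread; dw.tld.good is the same file without
# the $ORIGIN line; bt.tld names the apex explicitly but has one relative name.
write_samples() {
    cat > "$1/dw.tld.bad" <<'EOF'
$ORIGIN .
$TTL 86400
@       IN  SOA dw.tld. root.covisp.net. (
            2014090901 3600 900 604800 86400 )
@       IN  NS  ns1.covisp.net.
www     IN  A   192.0.2.10
EOF
    sed '/^\$ORIGIN/d' "$1/dw.tld.bad" > "$1/dw.tld.good"
    cat > "$1/bt.tld" <<'EOF'
$ORIGIN .
$TTL 86400
bt.tld      IN  SOA bt.tld. root.covisp.net. (
            2014090901 3600 900 604800 86400 )
bt.tld      IN  NS  ns1.covisp.net.
www.bt.tld  IN  CNAME www.covisp.net.
webdav      IN  CNAME www.covisp.net.
EOF
}
```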


Re: Two domains reporting errors

2014-09-28 Thread LuKreme

> On 27 Sep 2014, at 15:46 , Doug Barton  wrote:
> 
> On 9/25/14 4:49 PM, LuKreme wrote:
> 
>> Wait a second, so the zone name comes from the named.conf?
> 
> Not quite. When named loads the zone file it does it in the context of
> the zone stanza from named.conf. If the zone name in the SOA is listed
> literally then named will check to make sure that it matches, and
> generate an error if it does not.
> 
> However, if you use the @ sign in that spot in the SOA record then named
> will "fill in" the zone name for you.
> 
> The subsequent uses of the @ sign will inherit their labels from the context 
> of the previous label.
> 
>> I could have, for all my hosted domains, a single file named
>> something like hosted.conf and then simply link to it with `ln
>> hosted.conf dw.tld` or ln -s, perhaps?
> 
> Don't do that ... Just use the same file name in the zone stanzas in 
> named.conf.
> 
>> Also, the SOA line contains ns?
> 
> The MNAME field theoretically lists the master name server for the zone. In 
> practice however it isn't used for anything except occasionally for dynamic 
> DNS.
> 
> hope this helps,

This is all very interesting. To be honest, I first figured out how to generate 
named.con and the domain failed back in 1995 and have pretty much followed the 
following recipe ever since:

cp existingdomain.tld.cont newdomain.tld.conf
vi newdomain.tld.conf

vi named.con




-- 
Traveling through hyperspace ain't like dusting crops, boy.



Re: Two domains reporting errors

2014-09-28 Thread LuKreme
On 28 Sep 2014, at 08:37 , LuKreme  wrote:
> This is all very interesting. To be honest, I first figured out how to 
> generate named.con and the domain failed 

Sigh.

named.conf and the domain files. I swear, my typos and OS X autocorrect do 
*not* get along.

-- 
K is for KATE who was struck by an axe
L is for Leo who swallowed some tacks



Re: Digging to the final IP

2014-10-21 Thread LuKreme

> On 21 Oct 2014, at 19:20 , Dave Knight  wrote:
> 
> $ dig +noall +answer dave.knig.ht in a | egrep 'IN\tA\t' | cut -f6
> 216.235.14.46

Interesting. This works for me:

dig +noall +answer home.kreme.com in a | egrep '\tA' | cut -f5

but on your example, it requires -f6

And yet, the outputs appear to have the same number of fields.

 $ dig +noall +answer www.kreme.com in a 
www.kreme.com.  21139   IN  CNAME   cerebus.kreme.com.
cerebus.kreme.com.  21141   IN  A   23.24.150.141
 $ dig +noall +answer dave.knig.ht in a 
dave.knig.ht.   13916   IN  CNAME   sb.sanxion.org.
sb.sanxion.org. 222 IN  A   216.235.14.46

Very odd.

I use:

 $ dig +short $HOSTNAME | tail -1


-- 
"A synonym is a word you use when you can't spell the word you first
thought of." - Burt Bacharach



Re: Digging to the final IP

2014-10-22 Thread LuKreme

> On 21 Oct 2014, at 22:46 , Jim Young  wrote:
> 
> On 10/22/14 12:08 AM, "LuKreme"  wrote:
> 
>>> On 21 Oct 2014, at 19:20 , Dave Knight  wrote:
>>> 
>>> $ dig +noall +answer dave.knig.ht in a | egrep 'IN\tA\t' | cut -f6
>>> 216.235.14.46
>> 
>> Interesting. This works for me:
>> 
>> dig +noall +answer home.kreme.com in a | egrep '\tA' | cut -f5
>> 
>> but on your example, it requires -f6
>> 
>> And yet, the outputs appear to have the same number of fields.
>> 
>> $ dig +noall +answer www.kreme.com in a
>> www.kreme.com.   21139   IN  CNAME   cerebus.kreme.com.
>> cerebus.kreme.com.   21141   IN  A   23.24.150.141
>> $ dig +noall +answer dave.knig.ht in a
>> dave.knig.ht.13916   IN  CNAME   sb.sanxion.org.
>> sb.sanxion.org.  222 IN  A   216.235.14.46
>> 
>> Very odd.
> 
> Subtle formatting difference for human consumption.  There are a variable
> number of ASCII TABs inserted to visually align fields.

Yeah, I saw the extra space after 222, but did not check for a second tab 
following sb.sanxion.org.

> This is where output generated for human consumption can be tricky to
> parse.

That’s why I like dig +short


-- 
BART BUCKS ARE NOT LEGAL TENDER Bart chalkboard Ep. 8F06

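A filter that does not trip over the tab padding discussed above, added here as an example rather than anything posted to the list: it parses `dig +noall +answer` output with awk's default field splitting, which collapses any run of tabs and spaces, so the field numbers stay fixed however dig aligns the columns. The two sample answers are copies of the ones quoted in the thread, with the uneven tab padding restored; the third is a constructed dangling CNAME.

```shell
#!/bin/sh
# With awk's default splitting $1..$5 are always owner, TTL, class, type,
# rdata, which is why cut -f5 and cut -f6 disagreed between the two answers.

# final_address: the address at the end of the CNAME chain, or exit 1 if the
# answer section holds no A/AAAA record (dangling CNAME, NXDOMAIN, ...).
final_address() {
    awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { addr = $5 }
         END { if (addr == "") exit 1; print addr }'
}

# answer_chain: "<qname> -> <cname target> ... -> <address>", in answer order.
answer_chain() {
    awk '$3 == "IN" && ($4 == "CNAME" || $4 == "A" || $4 == "AAAA") {
             if (chain == "") chain = $1
             chain = chain " -> " $5
             if ($4 != "CNAME") addr = $5
         }
         END { if (addr == "") exit 1; print chain }'
}

# Samples: the two answers from the thread (one tab after the longer owner,
# two after the shorter one, as dig printed them) and a constructed
# dangling CNAME with no address behind it.
ANSWER_KREME=$(printf 'www.kreme.com.\t\t21139\tIN\tCNAME\tcerebus.kreme.com.\ncerebus.kreme.com.\t21141\tIN\tA\t23.24.150.141')
ANSWER_KNIGHT=$(printf 'dave.knig.ht.\t\t13916\tIN\tCNAME\tsb.sanxion.org.\nsb.sanxion.org.\t\t222\tIN\tA\t216.235.14.46')
ANSWER_DANGLING=$(printf 'old.example.\t\t300\tIN\tCNAME\tgone.example.')

# Live use:  dig +noall +answer www.kreme.com in a | final_address
```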

Bind in FreeBSD 10

2015-01-22 Thread LuKreme
I know FreeBSD requires you to install bind if you need it as of version 10, 
but what I can’t find is if the packages bind910 and bind-tools overlap 
completely or not. That is, do I install bind-tools if bind is installed?

Also, just quickly, is there a consensus on running 9.10 over 9.9?

-- 
Look, that's why there's rules, understand? So that you *think* before
you break 'em.


Re: Configuration

2015-02-02 Thread LuKreme
On Feb 2, 2015, at 4:02 AM, Tony Finch  wrote:
> wu shuangrong  wrote:
>> 
>> I'd like to configure BIND in such way that when it failed to get result for
>> the first time, it'll query for the second time.
> 
> Try adjusting resolver-query-timeout.

That will not help if the FIRST connection is hitting a tar-pit.

(not saying that is happening, but it’s certainly possible)

-- 
Gentlemen, you can't fight in here! This is the War Room.


Re: Batch updating all DNS records on my Bind server

2020-04-20 Thread LuKreme
On Apr 20, 2020, at 18:11, Mark Andrews  wrote:
> 
> Really all machines should be updating their own address records in the
> DNS.  Have each machine create a KEY record with its name.  Install the
> KEY record in the DNS.  Use SIG(0) signed UPDATE requests to update the
> address records.

This will be the third IP change in 26 years. Maybe the fourth.

Sent from my iPhone


Minimum TTL?

2018-02-08 Thread LuKreme
Is it possible to tell bind to ignore very short TTLs and enforce a, say, 5 
second minimum TTL?

-- 
This is my signature. There are many like it, but this one is mine.
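
As an added note and configuration example (not part of the thread): BIND 9.12 and later have a min-cache-ttl option for exactly this, together with min-ncache-ttl for negative answers. Both are capped at 90 seconds, so a 5 second floor is within range. The fragment below assumes a recursive resolver; the values are illustrative.

```
options {
    recursion yes;

    // Positive answers received with a TTL below 5 seconds are cached
    // for 5 seconds anyway.  BIND 9.12 or later; maximum permitted value
    // is 90 seconds.
    min-cache-ttl 5;

    // Same floor for negative (NXDOMAIN / NODATA) answers.
    min-ncache-ttl 5;
};
```

The caveat is that the resolver then knowingly serves data past the TTL the authoritative operator chose; zones that rely on very short TTLs for failover or traffic steering will see stale answers for up to the floor you set, which is why the option is capped at 90 seconds.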


DNS not resolving on google, but is on other services

2018-02-16 Thread LuKreme
I have a domain that I host for a friend that he is not able to access 
suddenly. We thought it was SSL related, but after getting more information 
his work computers are not getting an IP address (he can access it from home).  
I checked quadnines, openDNS, and google dns. The first two responded with the 
right IP and google timed out.

OpenDNS 208.67.222.222 and 9.9.9.9 both respond:
;; ANSWER SECTION:
www.david-dodge.com.    86400   IN  CNAME   www.covisp.net.
www.covisp.net.         86400   IN  A       65.121.55.45

But Google's 8.8.8.8 doesn't:

;; QUESTION SECTION:
;www.david-dodge.com.   IN  A

;; Query time: 5003 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 16 15:27:10 MST 2018
;; MSG SIZE  rcvd: 48

Is google just b0rked? (Seems unlikely) or is there something in the 
configuration for the dns that they don't like?

-- 
ADVANCE TO THE REAR!


-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.


Re: DNSSEC and secondary DNS servers

2018-09-09 Thread LuKreme
On Sep 8, 2018, at 10:21, Mark Elkins  wrote:
> Have you DNSSEC Signed your Domain - that is "covisp.net" because I
> don't see any DS records for it in the "net" zone.

I think I have everything set now and am hoping the two errors I have about 
validation are a matter of waiting for hover to propagate.

“None of the 2 DNSKEY records could be validated by any of the 2 DS records”

Thanks for all your help. We'll see if I still show this as broken tomorrow.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.

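
The quoted validator message means that no DS record in the parent (net) zone matched any DNSKEY at the child apex. Whether waiting helps depends on why: a DS that was computed from a previous key, or entered with a typo at the registrar, will never start validating. The check below recomputes the DS from the DNSKEY RRset the zone actually serves and compares it with what the parent publishes. It is an added example written for this page, not code from the thread or from BIND; the owner name is taken from the thread, but the key bytes are a constructed placeholder, not real key material, and the DS strings are built from that placeholder.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, 4509, 6605).  Digest type 3 (GOST) is left out.
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical (lower-case, uncompressed) wire form, RFC 4034 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire RDATA of a DNSKEY: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """DS fields (key tag, algorithm, digest type, upper-case hex digest) for one DNSKEY.

    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(text):
    """Parse 'tag alg dtype digest' presentation format; the digest may be split by spaces."""
    tag, alg, dtype, digest = text.split(None, 3)
    return (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())


def matching_ds(owner, dnskeys, ds_records):
    """Return (key tag, digest type) pairs of published DS records that validate a DNSKEY.

    dnskeys:    iterable of (flags, protocol, algorithm, base64 key) served at the apex.
    ds_records: iterable of DS presentation-format strings published by the parent.
    An empty result is what a validator reports as "None of the N DNSKEY records
    could be validated by any of the M DS records".
    """
    published = [parse_ds(d) for d in ds_records]
    found = []
    for key in dnskeys:
        for ds in published:
            if ds[2] not in DIGEST:
                continue                  # unsupported digest type: cannot be checked here
            if ds_from_dnskey(owner, *key, digest_type=ds[2]) == ds:
                found.append((ds[0], ds[2]))
    return found


if __name__ == "__main__":
    # Constructed placeholder key (base64 of four bytes), not real key material.
    OWNER = "covisp.net."
    KSK = (257, 3, 8, "AAEAAg==")
    fresh = ds_from_dnskey(OWNER, *KSK)
    print("DS the parent should publish: %s IN DS %d %d %d %s" % ((OWNER,) + fresh))
    stale = ["1036 8 2 " + "00" * 32]     # same tag, digest of some other key
    print("stale DS matches:", matching_ds(OWNER, [KSK], stale))
    print("fresh DS matches:", matching_ds(OWNER, [KSK], ["%d %d %d %s" % fresh]))
```

In practice the inputs come from `dig +norecurse @<child-ns> covisp.net DNSKEY` and `dig @<net-ns> covisp.net DS` (names assumed; query every listed nameserver, since a secondary still serving the old key set produces the same error intermittently). If the recomputed DS for the key the zone serves is not in the parent's set, the fix is at the registrar, not waiting.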


Re: BIND DNS problem (?)

2018-09-30 Thread LuKreme
On Sep 26, 2018, at 07:52, Jukka Pakkanen  wrote:
> Still Symantec "enterprise support technician" claims the problem is on our 
> DNS servers, and as a "proof" send the chapter 4.1.1 of the RFC1035, where it 
> is stated that "code 2 = server failure", and this should prove that our 
> servers are not working because they got "server failure" error ;-)

Somehow, this coming from someone at Symantec is not at all surprising.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.



Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

2019-04-03 Thread LuKreme
On Apr 2, 2019, at 03:03, Anand Buddhdev  wrote:
> 1. The simple one is to configure BIND with the "--disable-linux-caps"
> option. The notes say that this comes at the cost of some security, but
> it's not clear what the risks are.

I think it is just the cost of the added security caps provides.

-- 
Tuesday’s dead