Re: Can not query localhost

2023-01-13 Thread Marco
On 13.01.2023 David Carvalho via bind-users wrote:

> I get SERVFAIL when querying outside my domain.

Have you enabled an ACL that allows any IP address to query your
public zones?

You can only restrict recursive requests to your own IP addresses.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Resolving and caching illegal names

2023-01-24 Thread Marco
On 24.01.2023 at 12:15:58 John Thurston wrote:

> This comes up because my "resolvers" don't actually resolve. All they 
> are allowed to do is forward external queries to Akamai, and accept
> the response from Akamai. And Akamai (thank you very much), is happy
> to accept queries like "What is the A-record for 10.11.12.13?" and
> reply with "The answer is 10.11.12.13, and is good for 10 seconds."
> 
> Akamai's explanation for this behavior is, ..." the query was made in 
> error (likely/maybe meant to be type "PTR") and we are trying to save 
> the resolver from doing the work a query like this would entail."

Then Akamai is doing nasty things. Why don't they give the correct
answer

.   3600    IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2023012500 1800 900 604800 86400

and let applications fail that don't query PTR records in
in-addr.arpa/ip6.arpa?


Re: filter-a and dns64 in a ipv6-only network

2023-01-31 Thread Marco
On 31.01.2023 at 19:52:11 Thomas Schäfer wrote:

> On Monday, 30 January 2023, 23:12:53 CET Mark Andrews wrote:
> > Do you want a correctly operating DNS64 server or do you want to
> > filter all A records?  They are mutually exclusive requirements.
> > Please read RFC 6147 to understand why they are mutually exclusive.
> >  
> 
> That's simply not true. RFC 6147 is about synthesizing AAAA records
> based on A records. It says nothing about blocking A records
> afterwards.

Why would it make sense to block them?
 
> > You seem to have this strange notion that to run an IPv6-only node
> > or network that you need to filter out A records.   
> 
> It isn't more strange than filtering AAAA records in old IPv4-only
> networks. That filter is ironically implemented by the ISC - despite
> there being no serious RFC for that.

I don't see a reason for filtering at all. What is the benefit of that?

> The purpose of the A record filter is to correct the behavior of apps
> which don't respect IPv6 RFCs regarding the preference of IPv6 over
> IPv4.

Best would be to fix these "apps".
If the computer does not have an IPv4 address, the A records are
useless; it can't use them and needs to connect via IPv6.

> My experience until now: the A record filter doesn't break anything,
> but it makes some apps work without clat - at least some
> Windows and Linux apps.

Why don't they work if they can't connect using IPv4?
Which apps are affected?


Re: DNS DDoS protection

2023-02-24 Thread Marco
On 24.02.2023 at 13:25:40 Bob Harold wrote:

> Before answering this question, can you tell me the proper place
> where I should be asking this question?
> 
> "We are researching DDoS protection, including DNS.  What companies or
> products or methods should I be looking at?"

If it is about the proper BIND configuration to avoid DoS, it is the
right place. It isn't the right place to look for companies that
provide such a service.


Re: DNS DDoS protection

2023-02-24 Thread Marco
On 24.02.2023 at 20:09:15 King, Harold Clyde (Hal) wrote:

> I would like to hear the latest configurations for BIND to help with
> DDoS.

There are some basic configurations:
Allow recursion only for your own networks - not for the global
internet, to avoid amplification attacks and to avoid recursive queries
from everywhere.

What is the purpose of your installation?
Is your server authoritative to a public DNS zone like example.org?
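The two points made in the "Can not query localhost" reply at the top of the page and in the reply above (public zones must be queryable by any address, recursion only for your own networks) as an added Python check that is not from any list post: it parses two constructed named.conf fragments, an open resolver and its hardened counterpart, and reports the statements that would let the whole internet recurse through the server. The acl name own-nets and the address ranges in it are assumptions.

```python
from __future__ import annotations

import re

# Constructed named.conf fragments (not from any list post). The first is the
# open-resolver setup the reply warns about; the second restricts recursion to
# the operator's own networks while leaving public zones queryable by anyone.
OPEN_RESOLVER_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // anyone on the internet may recurse through us
};
"""

HARDENED_CONF = """
acl "own-nets" { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };  # assumed ranges
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };              # public zones must answer everyone
    allow-recursion { "own-nets"; };   # recursion only for our own networks
    allow-query-cache { "own-nets"; }; # and cached answers only to them
};
"""

# One statement: `recursion yes;` or `allow-xxx { item; item; };`
_STMT = re.compile(
    r"\b(recursion|allow-query-cache|allow-query|allow-recursion)\s+(\{[^}]*\}|[^;{}]+?)\s*;"
)


def _strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def _block(text: str, name: str) -> str:
    """Return the body of `name { ... };`, honouring nested braces."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return ""
    depth = 0
    for i in range(m.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return ""


def parse_options(conf: str) -> dict[str, list[str]]:
    """Collect the recursion-related statements of the options block.

    Address-match lists become lists of items with quotes stripped;
    `recursion yes|no` becomes a one-item list.
    """
    opts: dict[str, list[str]] = {}
    for m in _STMT.finditer(_block(_strip_comments(conf), "options")):
        name, value = m.group(1), m.group(2)
        if value.startswith("{"):
            opts[name] = re.findall(r'[^\s;"]+', value[1:-1])
        else:
            opts[name] = [value.strip().lower()]
    return opts


def audit(conf: str) -> list[str]:
    """Return findings that expose recursion or hide public zones."""
    opts = parse_options(conf)
    findings: list[str] = []
    # BIND's built-in defaults: recursion yes; allow-recursion { localnets; localhost; }
    if opts.get("recursion", ["yes"])[0] == "yes":
        recursion_acl = opts.get("allow-recursion")
        if recursion_acl is None:
            findings.append("allow-recursion not set: relying on the built-in default "
                            "(localnets; localhost); state your own networks explicitly")
        elif "any" in recursion_acl:
            findings.append("open resolver: allow-recursion { any; } lets the whole "
                            "internet recurse through this server (amplification risk)")
        if "any" in opts.get("allow-query-cache", []):
            findings.append("allow-query-cache { any; } hands cached answers to everyone")
    query_acl = opts.get("allow-query")
    if query_acl is not None and "any" not in query_acl:
        findings.append("allow-query excludes 'any': clients outside that ACL cannot "
                        "query the public zones this server is authoritative for")
    return findings


if __name__ == "__main__":
    for label, conf in (("open resolver", OPEN_RESOLVER_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or ["no findings"])
```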


Re: help with notify

2023-04-17 Thread Marco
On 17.04.2023 at 08:59:29 Matt Zagrabelny via bind-users wrote:

> I'm running a little older Debian bind:
> 
> bind9   1:9.9.5.dfsg-9

Then upgrade your OS; stretch already has 9.10 and that is very old.


Re: Permission issue ¿?

2023-06-22 Thread Marco
On 22.06.2023 at 11:47:50 Daniel Armando Rodriguez via bind-users wrote:

> drwxr-sr-x   4 root bind 4,0K jun 22 11:17 .

That means that the group bind is not allowed to write into that
directory.


Re: help me with the ipv6 PTR generation

2023-08-23 Thread Marco
On 23.08.2023 23:13 Cesar Augusto Camacho Sierra wrote:

> I am looking to generate IPv6 PTR records in a specific format for my
> BIND 9 server. The desired format is [insert format]. I've tried
> [describe any approach you've tried], but I'm having a hard time
> getting it done. Could anyone provide guidance on how to accomplish
> this?

IPv6 PTR records are simply reversed.
2001:db8::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
Create a zone file with your network like for IPv4.
You can there set your PTR records.


Re: help me with the ipv6 PTR generation

2023-08-24 Thread Marco
On 24.08.2023 Jan-Piet Mens wrote:

> easier said than done, for some of us. I use BIND's arpaname(1)
> utility which does the work for me:
> 
> $ arpaname 2001:db8::1
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA

Thanks for telling me. I used dig and extracted the question section.

Sadly, arpaname is in the bind9 package, so if I want to use it, I have to
install bind.


Re: Local network IPv6 addresses

2023-09-03 Thread Marco
On 03.09.2023 at 18:36:53 Alessandro Vesely wrote:

> DHCP server has options to insert leased addresses in a dynamic zone.
>  That works for IPv4.  PCs connected to the LAN somehow discover the
> gateway has a routable IPv6 address and self-assign an address in
> that range, besides the fe80:: thing, without talking to a DHCP
> server.
> 
> Is there a method to get those addresses into the DNS?

This is SLAAC - it doesn't use DHCPv6.
No domain name will be assigned by this method, so I see no reason for
DNS.

You can configure your router to advertise the prefix without the A
flag, so no SLAAC happens.
You then need to configure DHCPv6. Then it should be possible to pass
the lease information into a dynamic DNS zone.


Re: DNS NXDOMAIN flood

2023-11-01 Thread Marco
On 02.11.2023 10:58 Mosharaf Hossain wrote:

> The attack originates from an external network, and it periodically
> saturates our entire internet bandwidth.

Can you verify that the source IP is not spoofed (TCP ACK replies
instead of ACK RST, no ICMP port unreachable for UDP)?
If yes, contact the abuse desk, so they can shut that machine down.

If they refuse to do so, you can block their address ranges for some time
to see if they stop attacking your server.


Re: Adaptation response ton ANY queries

2023-11-03 Thread Marco
On 03.11.2023 avanpevenaeyge wrote:

> However, I know that BIND is designed to respond to ANY requests via
> TCP for security reasons. So my question is: how can I make my BIND9
> server respond to ANY queries via UDP and not TCP for the purposes of
> my thesis? Thank you in advance for your reply.

BIND replies to ANY in UDP too by default in Debian.
If the foreign client queries in UDP, the server can't reply in TCP.


Re: Adaptation response ton ANY queries

2023-11-03 Thread Marco
On 03.11.2023 avanpevenaeyge wrote:

> Ok but what about the response to ANY queries on ubuntu 22.04? I
> tried to do some ANY queries from my client but the server always
> responds with TCP. Is it a security measure to prevent DNS
> amplification attack?

Please tell us how you do the lookup.
Try

dig example.org +notcp

to force a UDP lookup.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco
On 04.11.2023 15:03 Nick Tait via bind-users wrote:

> I only included this because the idea had been put forward already.
> But even if the logistics of assigning public IPv6 addresses to your 
> internal hosts was palatable to you, you'd also want to think about 
> whether you are comfortable making that information (i.e. the IPv6 
> addresses used for internal servers) publicly available? I think most 
> organisations wouldn't want to do that?

Firewalls exist to block incoming traffic.
It is also possible to create an internal.example.org domain and only
allow queries from your own network, if you really want to hide DNS.

Security by obscurity isn't a good security concept.


forward first and fallback not working

2016-08-23 Thread marco
Hi,
bind 9.10.3_p4 with this global option:

forward first;

forwarders {
   8.8.8.8;
};

If I dig from localhost or any client and 8.8.8.8 answers, all is ok, but
if 8.8.8.8 is unreachable or it doesn't respond, bind doesn't fall back
on itself, asking the root servers etc.

This is not expected.
Anyone with this behavior?

best regards
Marco
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: forward first and fallback not working

2016-08-24 Thread marco
No errors in the logs, and if I remove
forward first;

forwarders {
   8.8.8.8;
};

all is working properly.

I don't know if I am missing something, but I think it is a bug.




On Tue, 23 Aug 2016 21:05:13 +
"Darcy Kevin (FCA)"  wrote:

> Look in your logs at the time of named startup to see if your
> root-server priming failed at that time.
> 
>   
> -
> kevin
> 
> 
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> Of ma...@nucleus.it Sent: Tuesday, August 23, 2016 6:42 AM
> To: bind-users@lists.isc.org
> Subject: forward first and fallback not working
> 
> Hi,
> bind 9.10.3_p4 with this global option:
> 
> forward first;
> 
> forwarders {
>8.8.8.8;
> };
> 
> If i dig from localhost or any client and 8.8.8.8 answers all is ok
> but if 8.8.8.8 is unreachable or it doesn't respond, bind doesn't
> fallback on himslef asking to root server etc .
> 
> This is not expected.
> Anyone with this behavior ?
> 
> best regards
> Marco



Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 07:23:01 JAHANZAIB SYED wrote:

> Edit the corresponding REVERSE zone & add following line in the end
> 
> $GENERATE 1-255 $ IN PTR 10-11-11-$.example.com.
> 
> Dont forget to Reload bind config & you are done.

Thanks.
How is the syntax for IPv6?
Is it possible to do it for an entire /64?


Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 10:58:18 Bjørn Mork wrote:

> Possible, but only for very small pools.  Note that $GENERATE only is
> a short form for easier hand editing of zone files on the primary
> server. The zone is expanded on load and zone transfers etc will
> contain the expanded data set. It doesn't save any resources.  Only
> editing.

Ok thanks.
Does it create any problems if you don't have reverse DNS for the IPv6
addresses for normal customer traffic?
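The nibble reversal explained in the "help me with the ipv6 PTR generation" thread above (2001:db8::1 becomes 1.0.0....8.b.d.0.1.0.0.2.ip6.arpa) and the question in this thread whether the $GENERATE trick can cover a whole /64, as an added Python example that is not from any list post. It computes the ip6.arpa name for an address and for a prefix, and emits PTR records for a small pool in the style of the IPv4 $GENERATE above; the domain example.com and the host-name convention (address with ':' replaced by '-') are constructed.

```python
from __future__ import annotations

import ipaddress


def ip6_arpa_name(addr: str) -> str:
    """Reverse name for one address: 32 hex nibbles, least significant first, under ip6.arpa."""
    nibbles = format(int(ipaddress.IPv6Address(addr)), "032x")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(prefix: str) -> str:
    """Name of the ip6.arpa zone covering a prefix (the prefix must end on a nibble boundary)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: ip6.arpa zones are cut at 4-bit boundaries")
    nibbles = format(int(net.network_address), "032x")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_records(prefix: str, count: int, domain: str) -> list[str]:
    """Zone-file lines with PTR records for the first `count` hosts of `prefix`.

    Owner names are relative to the zone's $ORIGIN; target names follow the
    '10-11-11-$' idea of the IPv4 $GENERATE above, with ':' replaced by '-'
    (a constructed convention, not one the thread prescribes).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if not 0 < count < net.num_addresses:
        raise ValueError("count must leave room inside the prefix")
    zone = reverse_zone_name(prefix)
    lines = [f"$ORIGIN {zone}"]
    for i in range(1, count + 1):
        host = net.network_address + i
        owner = ip6_arpa_name(str(host))[: -len(zone) - 1]  # drop the trailing ".<zone>"
        target = str(host).replace(":", "-") + "." + domain + "."
        lines.append(f"{owner} IN PTR {target}")
    return lines


if __name__ == "__main__":
    print(ip6_arpa_name("2001:db8::1"))  # the name quoted in the thread above
    print("\n".join(ptr_records("2001:db8::/64", 3, "example.com")))
    # A full /64 holds 2**64 hosts, which is why expanding it the way
    # $GENERATE does is impossible: such zones are served dynamically or left empty.
```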


Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 09:52:55 Grant Taylor via bind-users wrote:

> This is a singular IP (presumably link-net) for a customer.  So there
> would be exactly one forward AAAA and one reverse PTR record.

It isn't, because a customer gets a /48 or /56 in most cases. The
customer's router can use various methods to assign addresses, autoconfiguration
and DHCPv6. If the ISP wants to provide a reverse zone for
all possible addresses (the ISP doesn't know which of the assigned ones are
used by the customer), it must have all reverse zones in its zone
files or dynamically create them when a DNS server receives a request.

> I remember years ago that DHCP servers could be configured to 
> dynamically update the forward and / or reverse zone when providing a 
> lease to a client.


Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 13:08:40 Grant Taylor via bind-users wrote:

> Aside:  I do question what you would populate the /48 ~ /56 ip6.arpa 
> zone with.  What hypothetical data would you put in it?  If it's PD
> to an end user, what information would the ISP put in there that
> wouldn't be confidential or potentially reveal that any and all IPs
> in that prefix belong to a customer w/o also identifying the customer?

At least for IPv4, there are servers that reject connections from IPs
that don't have a reverse zone with PTR record.
That is the only reason that I see for that.
Most ISPs do it.


Re: 9.18 BIND not resolving .gov.bd site

2023-10-30 Thread Marco M.
On 30.10.2023 at 12:25:32 Mosharaf Hossain wrote:

> mofa.gov.bd.    86400   IN  NS  ns1.bcc.gov.bd.
> mofa.gov.bd.    86400   IN  NS  ns2.bcc.gov.bd.
> couldn't get address for 'ns1.bcc.gov.bd': not found
> couldn't get address for 'ns2.bcc.gov.bd': not found
> dig: couldn't get address for 'ns1.bcc.gov.bd': no more
> root@ns1:/etc/bind#

I can resolve them, but only A records exist.
Please try it again.

dig a ns2.bcc.gov.bd


Re: DNS NXDOMAIN flood

2023-11-01 Thread Marco M.
On 02.11.2023 at 12:02:00 Mosharaf Hossain wrote:

> We are receiving the traffic from random IP addresses to DNS servers.

Even when those IP addresses change, can you verify in any way that
those are not spoofed, so the traffic originates from those networks?


Re: Help about DNS documentation

2023-11-03 Thread Marco M.
On 03.11.2023 at 15:20:50 Amaury Van Pevenaeyge wrote:

> Hello everyone,
> 
> I'm currently a final year Master's student at the Free University of
> Brussels. As part of my Master's thesis, I have to implement a DNS
> amplification scenario within a Cyber Range. However, before
> achieving this final goal, I first need to make amplification rate
> measurements within a virtual machine system. I therefore have a few
> questions about the DNS protocol and DNS servers.
> 
> 
>   *   Why do some DNS servers respond via TCP to an ANY query made
> under UDP?

As I told you, they simply can't do that. But the client (e.g. dig or
any other DNS client) can use TCP to query ANY. You can use a sniffer
like Wireshark to see what is really transferred.

> I have read in RFC8482 that modern DNS servers try to
> limit responses to ANY queries in order to limit the impact of their
> use in DNS amplification attack but I would like to learn more about
> the security measures/best practices currently in place for this type
> of query and for big TXT responses. Does anyone have any sources or
> other RFCs that might be useful?

The ANY record is, according to the RFC, mostly used for debugging,
but not for production use. Maybe disable replies to it and
check which services refuse to run anymore.

>   *   Would you have any advice/recommendations or sources on the
> legal framework to be respected for my Master's thesis, so that I can
> carry out my various measures without being illegal or alerting
> certain entities?

Do the tests on your own network and spoof your own network's IP
addresses.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 15:51:32 Nick Howitt via bind-users wrote:

> As this site is externally accessible as well, we also have to put an
> identical entry in bind-external so we end up having many identical
> entries in bind-internal and bind-external.

It seems the people who set that up didn't understand the idea of a
master and slave server.
You have one master where changes are made and optionally many
slaves that get their zone information from that one master.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 17:48:32 Nick Howitt via bind-users wrote:

> My problem is the use of external IP's duplicated between the
> internal and external masters for some IPs/FQDNs which I want to get
> rid of.

Implement IPv6 and get rid of the old IPv4 technology for internal
communication.

It is a big task, but after it is done, a lot of nasty stuff is gone,
like NAT hairpinning or split DNS.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 17:58:51 Nick Howitt via bind-users wrote:

> On 03/11/2023 17:54, Marco M. wrote:
> > On 03.11.2023 at 17:48:32 Nick Howitt via bind-users wrote:
> >  
> >> My problem is the use of external IP's duplicated between the
> >> internal and external masters for some IPs/FQDNs which I want to
> >> get rid of.  
> > Implement IPv6 and get rid of the old IPv4 technology for internal
> > communication.
> >
> > It is a big task, but after it is being done, many nasty stuff is
> > gone like NAT hairpinning or split-DNS.  
> Not remotely on the cards with 200+ servers and so on, I'm afraid.

You have to start at some time; the rest is a matter of time.

> Some of the servers are too old, I think for IPv6 - SLES 11.

Already out of support. Such machines must not be connected to the
internet anymore because they are a security risk. Replace them with a
current operating system.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:15:45 Nick Howitt via bind-users wrote:

> You are preaching to the converted, but we have a huge mix of SLES
> 11, Ubuntu 16, 18, 20 and 22 machines + Windows Server 2016. Getting
> them all current is a long term project and it has to go through all
> sorts of customer authorisations. I am after a quick win with the
> Bind configs

Be aware that running EoL systems without security updates is a huge
security risk. Do you or your customers REALLY want that?

Second: Those operating systems support IPv6, so you can deploy it to
remove the necessity of internal and external IPv4 split addressing.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:18:49 Nick Howitt via bind-users wrote:

> Can the bind-internal not be made to caching only and not 
> authoritative? If so, how?

Of course it can, simply remove the zone configuration, but it will
then cache the records from the authoritative server (your
"external-bind").


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:54:32 Nick Howitt wrote:

> How do you mean remove the zone information?

In your /etc/bind there are configuration files.
Look for named.conf* and find those that include zones:

zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa";
};

Those lines make it authoritative for that zone. If it isn't
authoritative for that zone, it will ask the forwarder (if
configured) or look it up from the root servers and go down the
hierarchy to the authoritative server (your external).

> Which bits do I change and does this then leave me able to serve out
> internal IPs for the FQDN's that require them?

No, if you need to serve different information than your "external"
server, you need a source for that information.

That is why I advocate against using split DNS and for migrating to IPv6,
to only have one address for that server.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 20:12:59 Nick Howitt via bind-users wrote:

> I have those lines, but if I remove them, then presumably I cannot
> have internal overrides anywhere, like a hosts file would or like
> dnsmasq would?

BIND doesn't care about /etc/hosts.
If you make it authoritative for a zone, it will look up what is
exactly in that zone file.
If it isn't authoritative, it will ask another DNS server (forwarders
or hierarchy from root servers) and won't check files on your system.


Re: How should I configure internal and external DNS servers

2023-11-04 Thread Marco M.
On 04.11.2023 at 19:41:44 Nick Howitt via bind-users wrote:

> Thanks for the reply. Interesting.
> Option A - It works but I would like to stop maintaining two
> different servers with the same data.
> Option B - I have no chance of getting the company to agree to IPv6.

Then you are in a stonehenge company. Tell them about the problem and
that relying on IPv4 creates additional work.
My recommendation: Let the people who refuse IPv6 do the DNS work if
possible. :-)

> Option G - Yes it would be trivial with DNSMasq internally. I don't 
> think I have any chance of pushing this through. Also DNSMasq does
> not support replication (but it could be scripted).

Is it possible to use dnsmasq as the master (does it support zone
transfer?) and bind as a slave?


Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Marco Moock
On 11.12.2023 at 23:37:36 Blason R wrote:

> I require assistance in troubleshooting the resolution issue for
> specific domains that are not being resolved properly. The version of
> BIND I am currently using is BIND 9.18.20-1.

First, tell us if those queries are authoritative on that server or not.

Try using dig and post the output here.


Re: unable-resolve-bank=domain

2023-12-17 Thread Marco Moock
On 17.12.2023 at 10:21:05 MEjaz via bind-users wrote:

> One of the banking domains, www.services.online-banking.gslb.sabbnet.com,
> is unable to resolve with our primary nameserver 212.119.64.2, whereas my
> other server 212.119.64.3 is ok

Problem at their side:

gslb.sabbnet.com.   7200    IN  NS  ns3.sabb.com.
gslb.sabbnet.com.   7200    IN  NS  ns4.sabb.com.
;; Received 161 bytes from 108.59.173.0#53(ns21.hsbc.uk) in 67 ms

;; communications error to 37.76.254.149#53: timed out
;; communications error to 37.76.254.149#53: timed out
;; communications error to 37.76.254.149#53: timed out
www.services.online-banking.gslb.sabbnet.com. 900 IN A 193.27.7.78
;; Received 89 bytes from 193.27.7.38#53(ns3.sabb.com) in 119 ms

ns4.sabb.com. is unreachable and one of your resolvers picks that first.

Re: [Windows] [9.16.45] Missing IPv4 DNS prevents tools from working

2024-01-08 Thread Marco Moock
Am 09.01.2024 um 01:41:46 Uhr schrieb Gentry Deng via bind-users:

> Due to an accident my local network is missing IPv4 DNS but has IPv6
> DNS so it has little impact on accessing the internet.
> 
> But I found that neither `dig `nor `nslookup` worked, and reported an
> error:

Windows Linux subsystem?

Does it have an IPv6 address?

Run ip a or ifconfig inside it.

Re: BIND Upgrade

2024-02-15 Thread Marco Moock
Am 15.02.2024 schrieb Semra Türkkal Nazlımoğlu
:

> Our bind version seems below. How can we upgrade bind version?

It comes from the OS you are using.
Upgrade to the current RHEL release.
If you prefer bleeding-edge versions, use Fedora instead.

> And if we upgrade bind version, is there any problem?

Install the new OS in a virtual machine and try running BIND there with
your configuration/zones and check for any errors.
In most cases, the upgrade works without any problems.

Re: record PTR

2024-03-14 Thread Marco Moock
Am 14.03.2024 schrieb sami.ra...@sofrecom.com:

> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before
> creating a PTR record or not. In other words, if I want to create a
> PTR record on my authoritative server (ns1.mydomain.com) for
> mail.mydomain.com pointing to 41.226.22.50, should the range
> 41.226.22.0/24 be delegated to my authoritative DNS server
> ns1.mydomain.com?

The reverse zone for your net/IP needs to be delegated, nothing more.
That needs to be done by your ISP, not by your domain registrar.

If you only want to set some PTRs in your address range, the range will
be delegated and you only set the PTRs you need.

Re: DoH credentials

2024-03-25 Thread Marco Moock
Am 25.03.2024 um 17:09:43 Uhr schrieb Julien Salort:

> Because I am using an Apache proxy, bind9 sees the incoming requests
> as localhost, so allows all recursive requests from anybody.
> 
> Does it mean that credentials have to be implemented by the webserver
> ?

Yes, if you want to have a reverse proxy, this is a way to use auth.

If you don't want to have an open resolver, you have to control that at
the apache side.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1711382983mu...@cartoonies.org

Re: CNAME and IPv6

2024-05-28 Thread Marco Moock
Am 28.05.2024 um 12:00:09 Uhr schrieb Peter:

>   if I understand correctly, the use of CNAME is just a convenience
> and no technical feature, right?

It is technical because the query is redirected to the domain listed in
the CNAME.

> In lots of examples on the net, a zonefile for a domain might contain
> things similar to this:
> 
>   $ORIGIN example.com.
>   ..
>   myhost   A      1.2.3.4
>   www      CNAME  myhost.example.com.
>   www1     CNAME  myhost.example.com.
>   someapp  CNAME  myhost.example.com.
>   xyz      CNAME  myhost.example.com.
>   ...

That all points to this node, e.g. because multiple services are
running on the same machines, but it should be possible to separate
them when needed without changing domain names on other machines that
need to access them.
When the IP address changes, only the records of the machine listed in
CNAME need to be changed at one place.

> Often, the webserver and other applications are not actually
> running on node 1.2.3.4, but are internally portforwarded to
> some other node, for various reasons.

This is bad IPv4 stuff, you should get rid of that ASAP.
Use CNAMEs for each node that exists in reality and point to it with
CNAME.



> Now we add an IPv6 address for 'myhost'. But portforwarding
> doesn't work for IPv6. Instead we are required to use different
> addresses all over, like so:

Port forwarding would work, but is nasty here. Redirectors like rinetd
can handle that, but I recommend against it in this case.

> So, how would you do it? Is there a nice and elegant way?

www         CNAME   webserver1
ftp         CNAME   ftp2

webserver1  A       192.168.0.1
webserver1  AAAA    2001:db8::1
ftp2        A       172.16.0.1
ftp2        AAAA    2001:db8:::1

That makes it possible to redirect it to the actual machines that run
the service.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1716890409mu...@cartoonies.org

Re: CNAME and IPv6

2024-05-28 Thread Marco Moock
Am 28.05.2024 um 18:48:38 Uhr schrieb Peter:

> On Tue, May 28, 2024 at 12:25:03PM +0200, Marco Moock wrote:

> ! > Now we add an IPv6 address for 'myhost'. But portforwarding
> ! > doesn't work for IPv6. Instead we are required to use different
> ! > addresses all over, like so:
> ! 
> ! port forwarding would work, but is nasty here. Redirectors like
> rinetd ! can handle that, but I recommend against in this case.
> 
> I tried it, and didn't get around the Path MTU discovery: Forward SNMP
> to one host, HTTP to another - which one then gets the ICMPv6 2.0
> "message too big"? 

rinetd manages 2 separate connections and should work with PMTUD. Did
you use that or another way?

PS: I still recommend pointing to the machines that host the stuff
instead of having a middlebox that might create additional headache
like improper logging, performance issues. :-)


-- 
Gruß
Marco

Send unsolicited bulk mail to 1716914918mu...@cartoonies.org

Re: CNAME and IPv6

2024-05-29 Thread Marco Moock
Am 30.05.2024 um 00:47:56 Uhr schrieb Peter:

> On Wed, May 29, 2024 at 12:20:09PM +0200, Matus UHLAR - fantomas
> wrote: ! > On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock
> wrote: ! > > rinetd manages 2 separate connections and should work
> with PMTUD. ! 
> ! On 28.05.24 22:17, Peter wrote:
> ! > I'm wondering how it would. The connections are TCP, the PMTU
> works ! > via ICMP6.

Please stop using ! as a quoting character, it will break line wrapping
when replying and create a mess in the mailing list.

> ! No, Path MTU discovery works with TCPv4 using ICMPv4 as well.
> ! (although it was/is quite common to block ICMP packets which can
> make it not ! work properly)
> 
> That is a different matter, lots of people switch them off
> and things do still work, because we're in most cases allowed to
> defragment (firewalls do that) and refragment at any point on the
> way as needed.

That only applies if the router wants to fragment it and if the DF bit
is NOT set by the sender.

> Blocking ICMPv4 a practise that is certainly annoying, but what
> can we do?

Tell those who do it that it is a really bad idea, and don't
implement workarounds.

> ! > So I would assume, the ICMP "packet too big" message
> ! > reaches the host where rinetd runs, is swallowed by the kernel,
> and ! > the kernel sets the MTU in it's hostcache. Or something along
> that ! > line.
> ! 
> ! > The TCP traffic however gets forwarded by rinetd to the internal
> ! > appserver(s) - which never get the message that they should reduce
> ! > their MTU.
> ! 
> ! The data from one TCP connection are sent through another TCP
> connection, ! where both connections are separate with separate MTU
> and PMTUD.
> 
> A new quintuple, then. Hm. Not sure why I was unhappy with that...

Didn't you say you never tried rinetd?

> one reason was probably that a webserver would not be able to know the
> client address.

That is indeed the case and logging will be much more complicated,
including banning with fail2ban.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1717022876mu...@cartoonies.org

Re: MDLZ user activation

2024-06-07 Thread Marco Moock
Am 07.06.2024 um 10:58:27 Uhr schrieb G.W. Haywood:

> On the face of your description, this sounds like a spammer who has
> slightly more skill than usual.

The spammer simply used the name in From: after Nick posted to the
list (Nick Tait via bind-users) and the mail address
(bind-users@lists.isc.org) as the recipient.

I assume this was accidentally sent to the list and not Nick himself,
but this is just a guess.

> I'd like to see the headers, or better the entire mail.  Please feel
> free to send privately.

They are publicly posted on the list.

Message-ID:
<6661e181d6fce_20e3f8fc856fcec65140...@sidekiq-frequent-fd-poduseast1-free-blue-fc47b6fff-n44lb.mail>

If you need it, I can forward it to you.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1717750707mu...@cartoonies.org

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
Am 12.07.2024 um 14:13:03 Uhr schrieb Herman Brule via bind-users:

> bind to my proxy from IPv4 to IPv6 zone

Why don't you simply run multiple authoritative servers, some only
accessible by IPv6, some dual-stack?

They are independent of each other and only the zone transfer needs to
work.

I also see some strange things:

m@ryz:~$ host 811.vps.confiared.com.
811.vps.CONFIARED.com has address 45.225.75.8
811.vps.CONFIARED.com has IPv6 address 2803:1920::c:1963
m@ryz:~$ host 811b.vps.confiared.com.
811b.vps.CONFIARED.com is an alias for 811.vps.confiared.com.
811.vps.CONFIARED.com has address 45.225.75.8
811.vps.CONFIARED.com has IPv6 address 2803:1920::c:1963
m@ryz:~$ 

You should have redundant servers and not 2 NS records that point to
the same machine.

Please fix that first and update your glue records.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1720786383mu...@cartoonies.org
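
A check for the redundancy problem Marco points out, as an added example (not code from the thread or from BIND): it parses `host`-style output like the lines quoted above, follows aliases, and reports NS names that resolve to the same machine or that are CNAME aliases (RFC 2181 section 10.3 forbids an NS target that is a CNAME). The sample lines are the post's lookup results; the list of NS names fed to the check is an assumption.

```python
"""Check that a zone's NS names are really independent machines.

Added example, not code from the thread or from BIND: it parses output in
the format of the `host` command quoted in the post and reports NS names
that share one address set (one machine behind two NS records) or that
are CNAME aliases (not allowed as NS targets, RFC 2181 section 10.3).
"""
import re
from collections import defaultdict

# Constructed sample in `host` output format, copied from the post's lookups
# of 811.vps.confiared.com and 811b.vps.confiared.com.
HOST_OUTPUT = """\
811.vps.CONFIARED.com has address 45.225.75.8
811.vps.CONFIARED.com has IPv6 address 2803:1920::c:1963
811b.vps.CONFIARED.com is an alias for 811.vps.confiared.com.
811.vps.CONFIARED.com has address 45.225.75.8
811.vps.CONFIARED.com has IPv6 address 2803:1920::c:1963
"""

ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")


def norm(name):
    """Lower-case and drop the trailing dot so 811.vps.CONFIARED.com and
    811.vps.confiared.com. compare equal."""
    return name.lower().rstrip(".")


def parse_host_output(text):
    """Return (addresses, aliases): name -> set of IPs, alias -> target."""
    addresses = defaultdict(set)
    aliases = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addresses[norm(m.group(1))].add(m.group(2))
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[norm(m.group(1))] = norm(m.group(2))
    return addresses, aliases


def resolve(name, addresses, aliases, max_hops=8):
    """Follow CNAME aliases (bounded, so an alias loop cannot hang the check)
    and return the final address set; empty if nothing resolves."""
    name = norm(name)
    for _ in range(max_hops):
        if name not in aliases:
            return frozenset(addresses.get(name, ()))
        name = aliases[name]
    return frozenset()


def check_ns_redundancy(ns_names, addresses, aliases):
    """Report NS names that are aliases, do not resolve, or share a machine."""
    by_addrs = defaultdict(list)
    report = {"alias_ns": [], "unresolvable": [], "same_machine": []}
    for ns in ns_names:
        if norm(ns) in aliases:
            report["alias_ns"].append(norm(ns))
        addrs = resolve(ns, addresses, aliases)
        if not addrs:
            report["unresolvable"].append(norm(ns))
        else:
            by_addrs[addrs].append(norm(ns))
    for addrs, names in by_addrs.items():
        if len(names) > 1:   # two NS records, one set of addresses: no redundancy
            report["same_machine"].append((sorted(addrs), sorted(names)))
    return report


if __name__ == "__main__":
    addrs, al = parse_host_output(HOST_OUTPUT)
    # Assumed NS set: the two names from the post
    print(check_ns_redundancy(["811.vps.confiared.com", "811b.vps.confiared.com"], addrs, al))
```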


Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
Am 12.07.2024 um 14:38:58 Uhr schrieb Herman Brule:

> Because the customer are into IPv6 zone

So the master DNS is IPv6 only?
No problem for the zone transfer.

> And the EDGE router connecting IPv4 and IPv6 is internal to the data 
> center company, not accessible for the customer.

In which way is this router involved in DNS resolution?

-- 
Gruß
Marco

Send unsolicited bulk mail to 1720787938mu...@cartoonies.org

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
Am 12.07.2024 um 14:56:28 Uhr schrieb Herman Brule via bind-users:

> The edge router receive the query, should just forward to the IP into 
> the named.conf.rproxy (then IPv6 master)

So bind runs on this router?

What is the hostname of this router?
To which IP addresses does it point?

-- 
Gruß
Marco

Send unsolicited bulk mail to 1720788988mu...@cartoonies.org

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
Am Fri, 12 Jul 2024 15:51:32 -0400
schrieb Herman Brule :

>   Loop detected! We were referred back to '45.225.75.8'

That's why I say:
Have real NS records that point to unique systems.
If you forward, make sure the other machine is the master.

I operate DNS with 2 NS records, one dual-stack, the other only IPv6.
No forwards, simply zone transfer.

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
Am Fri, 12 Jul 2024 22:44:38 -0400
schrieb Herman Brule :

> For now your method fails, including what I try:
> 
> zone "ore.org.bo" {
>      type master;
>      file "/etc/bind/ore.org.bo.db";
> };

Only have one, exactly one master for a zone. Everything else will
create a big mess.

The other servers are slaves and will poll the zones from the master.

E.g.

ns1.example.org is IPv6 only and the master for example.org.
Glue records will only include the IPv6 address.
It will be listed as NS for example.org.

ns2.example.org is a slave and will poll the stuff from ns1, not
forward it to it.

!AAAA in statistics

2024-08-15 Thread Marco Moock
Hello!

named.stats includes that:

[...]
++ Cache DB RRsets ++
[View: default]
3184 A
1059 NS
 108 CNAME
   8 SOA
   6 PTR
   1 TXT
2739 AAAA
  75 DS
 378 RRSIG
   6 NSEC
  21 DNSKEY
   6 HTTPS
  12 !AAAA
  10 !DS
   4 !HTTPS
   6 NXDOMAIN
[View: _bind (Cache: _bind)]

What do the lines with the ! mean?

-- 
kind regards
Marco
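
An added example (not code from the post or from BIND) that parses the Cache DB RRsets section shown above. In BIND's statistics file a leading `!` marks negatively cached RRsets, i.e. names for which a lookup of that type returned NODATA, and the `NXDOMAIN` line counts negatively cached names. The sample is the post's output with the AAAA labels restored (the archive stripped them) and a following section header added to terminate it.

```python
"""Parse the "Cache DB RRsets" section of a BIND statistics file.

Added example, not code from the post or from BIND. A leading "!" on a
type marks negative cache entries for that type, so "12 !AAAA" means
twelve names are cached as having no AAAA record (NODATA). "NXDOMAIN"
counts names cached as non-existent.
"""
import re

# The post's output, AAAA labels restored; the last header line is
# constructed only to terminate the section.
SAMPLE_STATS = """\
++ Cache DB RRsets ++
[View: default]
3184 A
1059 NS
 108 CNAME
   8 SOA
   6 PTR
   1 TXT
2739 AAAA
  75 DS
 378 RRSIG
   6 NSEC
  21 DNSKEY
   6 HTTPS
  12 !AAAA
  10 !DS
   4 !HTTPS
   6 NXDOMAIN
[View: _bind (Cache: _bind)]
++ Cache Statistics ++
"""

SECTION_RE = re.compile(r"^\+\+ (.+?) \+\+$")
VIEW_RE = re.compile(r"^\[View: ([^\s\]]+)")
COUNT_RE = re.compile(r"^\s*(\d+) (\S+)$")


def parse_cache_rrsets(text):
    """Return {view: {"positive": {type: n}, "negative": {type: n}, "nxdomain": n}}."""
    views = {}
    current = None
    in_section = False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group(1) == "Cache DB RRsets"
            continue
        if not in_section:
            continue
        m = VIEW_RE.match(line)
        if m:
            current = views.setdefault(
                m.group(1), {"positive": {}, "negative": {}, "nxdomain": 0})
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:
            n, label = int(m.group(1)), m.group(2)
            if label == "NXDOMAIN":
                current["nxdomain"] += n
            elif label.startswith("!"):          # negative cache entry for this type
                current["negative"][label[1:]] = n
            else:
                current["positive"][label] = n
    return views


def negative_share(view_stats, rrtype):
    """Fraction of cached RRsets of rrtype that are negative; 0.0 if none cached.
    A sudden jump for one type is a cheap signal worth watching on a resolver."""
    pos = view_stats["positive"].get(rrtype, 0)
    neg = view_stats["negative"].get(rrtype, 0)
    return neg / (pos + neg) if pos + neg else 0.0
```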


v6-bias

2024-08-18 Thread Marco Moock
Hello!

I couldn't find anything else than https://kb.isc.org/docs/aa-01349
for v6-bias.

Is that still relevant for current versions?

Is there a reason that option isn't described in the normal
documentation?

I've set it to 200ms and I still see outgoing queries to IPv4
destinations that are reachable via IPv6 and have a latency under 20 ms.

-- 
kind regards
Marco

Re: v6-bias

2024-08-18 Thread Marco Moock
Am 18.08.2024 um 23:44:26 Uhr schrieb Mark Andrews:

> > On 18 Aug 2024, at 20:32, Marco Moock  wrote:

> It is.  Go to the product page.  Look at panel 3 “Configuration".
> Click on "Administrator Reference Manual (ARM)” then enter “v6-bias”
> in the search box.

https://bind9.readthedocs.io/en/v9.18.28/reference.html#namedconf-statement-v6-bias

As I searched on isc.org, I couldn't find it.

> > I've set it to 200ms and I still see outgoing queries to IPv4
> > destinations that are reachable via IPv6 and have a latency under
> > 20 ms.  
> 
> Named uses smooth measured RTT which means it still has to
> occasionally talk to servers over IPv4 to measure the RTT.

Can that be disabled, so IPv4 fallback will only be used when IPv6
query takes longer than the time set in v6-bias?

-- 
kind regards
Marco

Send unsolicited bulk mail to 1724017466mu...@cartoonies.org

Re: 9.18 horrendous

2024-08-23 Thread Marco Moock
Am 23.08.2024 um 21:57:47 Uhr schrieb Edwardo Garcia:

> I've just updated 9.18 again, as recent update, and ever since using
> this 9.18 mess the load has been horrendous never ever have I
> experience such a clusterfcsk of a release

I can understand your anger, but the first thing to notice is that not
everybody experienced that problem (I have used 9.18 for more than a year
without it).

You have to specify your operating system and bind versions (also the
build source, OS repos often have some patches applied), so somebody
can reproduce the problem. If the problem can be reproduced, it can be
fixed.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1724443067mu...@cartoonies.org

Re: 9.18 horrendous

2024-08-23 Thread Marco Moock
Am Fri, 23 Aug 2024 16:28:22 -0400
schrieb David Farje :

> The whole point of open source software is that you as a user get
> software for free

You get certain freedoms because of the license. This doesn't mean it
needs to be provided for free. ISC also sells BIND9 together with a
support contract.

> and if something goes wrong you are free to
> collaborate to fix it or stop using it.  That's it.  There is no room
> for anything else.
> 
> Complaining about the quality of software you did not pay for or even
> test before putting it in production seems illogical to me especially
> if you are given the tools to fix it.

Complaining is a normal process and part of the development. If people
are dissatisfied and don't complain, nobody will notice it. Although,
complaining should be done in a rational and non-aggressive way.

Re: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Marco Davids
Hello Gaurav,

You might want to have a look at our whitepaper on 'authenticated denial
of existence' to gain a better understanding of this somewhat complicated
aspect of the DNSSEC specification:

https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf

Regards,

--
Marco



On 02/14/2012 08:18 PM, Chris Buxton wrote:
> Briefly, the answer is, the NXDOMAIN response could be replayed by a
> man-in-the-middle attacker. We need to have something to sign, something
> specific to that query. If we just return the zone's SOA record and its
> signature, we're still subject to a replay attack. So we need to prove
> the negative, and that happens by enumerating all the possible positive
> answers "near" the query.
> 
> Regards,
> Chris Buxton
> BlueCat Networks
> 
> On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
> 
>> Dear Team,
>>  
>> We have an authenticated response in DNSSEC through the trust chain.
>> Now my question is why we itself need a NSEC when we get response from
>> DNSSEC enabled server authentically.
>>  
>> Means, if a Record exist in DNSSEC, then it replies the answer along
>> with RRSIG of that RR.
>> AND if domain doesn’t exist, then it can simply give NXDOMAIN and our
>> job will be done as we trust that nameserver through trust chain.
>> So what’s the need of NSEC??
>>  
>> Thanks n Regards, 
>> GAURAV KANSAL 
>> 9910118448 
>> VoIP - 6259 
>> Operation And Routing Unit 
>> NIC , NEW DELHI
>>  
>> Please don't print this e-mail until & unless you really need, it will
>> save Trees on Planet Earth. 
>> IPv4 is Over,
>> Are your ready for new Network.
>>  
> 
> 
> 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
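
The ordering and interval check behind Chris's explanation, as an added example (not code from the thread, from SIDN or from BIND): it builds the NSEC chain for a small constructed zone and classifies queries the way a validator does, which is why a replayed NSEC can only deny names inside the interval it was signed for. Wildcard (closest encloser) proofs are left out.

```python
"""Canonical ordering and NSEC "covers" checks for authenticated denial.

Added example, not code from the thread or from BIND: it builds the NSEC
chain of a constructed zone and shows what a validator checks when it
receives an NSEC instead of a bare NXDOMAIN. Wildcard proofs are omitted,
so a real NXDOMAIN response needs one more NSEC than shown here.
"""


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels from the root down,
    case-insensitively, with a missing label sorting before any label."""
    labels = name.rstrip(".").lower().encode("ascii").split(b".")
    return tuple(reversed(labels))


def build_nsec_chain(apex, rrsets):
    """rrsets: {owner name: set of types}. Returns a list of
    (owner, next owner, types); the last entry wraps around to the apex."""
    names = sorted(rrsets, key=canonical_key)
    if canonical_key(names[0]) != canonical_key(apex):
        raise ValueError("apex must be the first name in canonical order")
    chain = []
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        types = frozenset(rrsets[owner] | {"NSEC", "RRSIG"})
        chain.append((owner, nxt, types))
    return chain


def nsec_covers(owner, nxt, qname):
    """True if qname falls strictly between owner and next (wrapping at the apex)."""
    o, n, q = (canonical_key(x) for x in (owner, nxt, qname))
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC in the chain wraps around to the apex


def denial_proof(apex, chain, qname, qtype):
    """Classify a query against the chain: ('exists', None), ('nodata', nsec)
    or ('nxdomain', nsec), where nsec is the record the validator must verify."""
    qk, ak = canonical_key(qname), canonical_key(apex)
    if qk[:len(ak)] != ak:
        raise ValueError(f"{qname} is not inside zone {apex}")
    for owner, nxt, types in chain:
        if canonical_key(owner) == qk:       # name exists: real answer or NODATA
            return ("exists", None) if qtype in types else ("nodata", (owner, nxt, types))
    for owner, nxt, types in chain:
        if nsec_covers(owner, nxt, qname):   # name absent: the covering NSEC proves it
            return ("nxdomain", (owner, nxt, types))
    raise AssertionError("a complete chain always covers an in-zone name")


# Constructed zone: the names a signer enumerates "near" any possible query
ZONE = {
    "example.com": {"SOA", "NS", "A"},
    "a.example.com": {"A"},
    "c.example.com": {"A", "AAAA"},
    "mail.example.com": {"A", "MX"},
}
CHAIN = build_nsec_chain("example.com", ZONE)
```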


Bind and views

2015-10-07 Thread Marco Felettigh
Hi,
I have a server with an old BIND (bind-9.9.4P2) and it is configured with
multiple views.

ViewA has slave zones and accepts queries for match-destinations IpA.
ViewB has other slave zones and accepts queries for
match-destinations IpB.

ViewDefault is the default configuration for root zones etc. and
accepts queries for match-destinations IpDefault.

view "ViewA" {
match-destinations { IpA; };
transfer-source IpA;
allow-query { any; };
recursion no;

zone pippo.it .

};
 
view "ViewB" {
match-destinations { IpB; };
transfer-source IpB;
allow-query { any; };
recursion no;
zone.
};


When from the server I run for example:
dig hosta.pippo.it

dig contacts my resolv.conf nameserver (127.0.0.1) on port 53, but
BIND's resolver contacts the root servers and walks down the whole DNS
chain as if BIND did not have the pippo.it zone in ViewA.

Of course if I run
dig hosta.pippo.it @IpA
all is working properly.

Is it possible to force BIND's resolver to look up in all the views?
Important: I need the views bound to different IPs.

Thanks
Marco









Re: Bind and views

2015-10-07 Thread Marco Felettigh
Hi Mark,
yes of course if I put the zone in both views all is fine, but we
want to partition the DNS server without duplication.

Is it possible ?
Marco

On Wed, 07 Oct 2015 21:32:48 +1100
Mark Andrews  wrote:

> 
>   Just put the zone in both views.
> 
>   If you upgrade to 9.10 you can use in-view to cross link.
> 
>   Mark



Re: forward first and fallback not working

2016-08-24 Thread Marco Felettigh
The DNS resolution with 8.8.8.8 works fine with "forward first" if
8.8.8.8 is working, but for testing I blocked the DNS requests to the
forwarder with an intermediate firewall and two things happened (the
second one is bad).

1) If the firewall resets the connection to 8.8.8.8, bind falls back on
   its root servers and this is good.

2) If the firewall drops the connection to 8.8.8.8, bind does NOT
   fall back on its root servers and this is a bad thing because in
   this way I was testing a network outage for my forwarder.

Below my config:

/etc/resolv.conf
search domain.dom
nameserver 127.0.0.1

named.conf
acl "trusted" {
        127.0.0.0/8;
        192.168.1.0/24;
};

options {
        directory "/var/bind";
        pid-file "/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        session-keyfile "/var/bind/session.key";

        //listen-on-v6 { ::1; };
        //listen-on { 127.0.0.1; };

        masterfile-format text;

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };

        forward first;
        forwarders {
                8.8.8.8;
        };
};

zone "." in {
        type hint;
        file "/var/bind/named.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        notify no;
};

End of named.conf


On Wed, 24 Aug 2016 09:21:09 +0200
ma...@nucleus.it wrote:

> No errors on logs and if i remove
> forward first;
> 
> forwarders {
>8.8.8.8;
> };
> 
> all is working properly.
> 
> I don't know if I am missing something but I think it is a bug.
> 
> 
> 
> 
> On Tue, 23 Aug 2016 21:05:13 +
> "Darcy Kevin (FCA)"  wrote:
> 
> > Look in your logs at the time of named startup to see if your
> > root-server priming failed at that time.
> > 
> > 
> > -
> > kevin
> > 
> > 
> > -Original Message-
> > From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> > Of ma...@nucleus.it Sent: Tuesday, August 23, 2016 6:42 AM
> > To: bind-users@lists.isc.org
> > Subject: forward first and fallback not working
> > 
> > Hi,
> > bind 9.10.3_p4 with this global option:
> > 
> > forward first;
> > 
> > forwarders {
> >8.8.8.8;
> > };
> > 
> > If I dig from localhost or any client and 8.8.8.8 answers all is ok
> > but if 8.8.8.8 is unreachable or it doesn't respond, bind doesn't
> > fall back on itself asking the root servers etc.
> > 
> > This is not expected.
> > Anyone with this behavior ?
> > 
> > best regards
> > Marco


automatic reverse and forwarding zones

2022-10-27 Thread Marco Moock
Hello,

how do ISPs automatically create the reverse and forwarding zones for
their customers' IP pools?

For example one of their clients has the IP 2001:db::3.

Its reverse zone
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.d.0.0.1.0.0.2.ip6.arpa
includes a PTR pointing to
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.d.0.0.1.0.0.2.isp.example.org

This has an AAAA record of 2001:db::3.

Is it possible to let bind create that automatically for certain zones?

-- 
kind regards
Marco

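
An added example (not code from the post or from BIND) that generates the PTR/AAAA pair described above for every address in a pool, the way an ISP's provisioning script would before loading the zones into named. The forward zone isp.example.org comes from the post; the /126 demo prefix is an assumption.

```python
"""Generate matching PTR and AAAA records for an IPv6 customer pool.

Added example, not code from the post or from BIND: it produces the record
pair the post describes (for 2001:db::3, a PTR under ip6.arpa pointing at
the same nibble string under the ISP's forward zone, plus the AAAA back).
"""
import ipaddress


def reverse_name(addr):
    """Fully qualified nibble-reversed ip6.arpa owner name."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def forward_name(addr, forward_zone):
    """Customer hostname: the same nibble string under the forward zone."""
    nibbles = ipaddress.IPv6Address(addr).reverse_pointer[: -len(".ip6.arpa")]
    return f"{nibbles}.{forward_zone.rstrip('.')}."


def reverse_zone_apex(prefix):
    """ip6.arpa zone an ISP must hold for a nibble-aligned prefix,
    e.g. 2001:db::/32 -> b.d.0.0.1.0.0.2.ip6.arpa."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on nibble (4-bit) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def record_pair(addr, forward_zone, ttl=3600):
    """(PTR line, AAAA line) in master-file syntax for one address."""
    fwd = forward_name(addr, forward_zone)
    ptr = f"{reverse_name(addr)} {ttl} IN PTR {fwd}"
    aaaa = f"{fwd} {ttl} IN AAAA {ipaddress.IPv6Address(addr).compressed}"
    return ptr, aaaa


def generate_pool(prefix, forward_zone, ttl=3600):
    """Return (ptr_lines, aaaa_lines) for every address in a small prefix.
    A whole /64 is far too large for a flat file; real pools are served from
    a database or generated on demand, but the record format is the same."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    ptr_lines, aaaa_lines = [], []
    for ip in net:
        ptr, aaaa = record_pair(str(ip), forward_zone, ttl)
        ptr_lines.append(ptr)
        aaaa_lines.append(aaaa)
    return ptr_lines, aaaa_lines


if __name__ == "__main__":
    # Assumed demo pool: four addresses under the post's 2001:db:: prefix
    for line in generate_pool("2001:db::/126", "isp.example.org")[0]:
        print(line)
```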


Debugging recursive bind

2008-11-21 Thread Marco Michelino
Hi all,
I have a recursive dns server that sometimes returns errors on queries
even if the requested domain exists:


# dig @myserver agriturismolacapraccia.it mx

; <<>> DiG 9.3.4-P1.1 <<>> @myserver agriturismolacapraccia.it mx
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12554
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;agriturismolacapraccia.it. IN  MX

;; Query time: 34 msec
;; SERVER: XX.XX.XX.XX#53(XX.XX.XX.XX)
;; WHEN: Fri Nov 21 10:59:14 2008
;; MSG SIZE  rcvd: 43


My log file shows no error... how can I debug the query to understand
what's going wrong?


Need to use dnsperf with bind 9.5.0

2010-11-19 Thread Marco Bicca
Hi Guys,

I am trying to reproduce a crash issue with bind 9.5.0 when running rndc dumpdb 
-all

Do you guys know if there's any way to convert a cache_dump.db file to a 
suitable file to use with dnsperf?

If not I think I'll have to do some awk/sed work to extract the info I need to 
generate a file like that.

I basically need a very large query file to run lots of queries.

Thank you,
__
Marco Bicca


RE: DNS Bulk Query Tool

2011-11-02 Thread Marco Bicca
Hi Gaurav,

I would use dnsperf and the 1 million website list from Alexa:

DNSPerf:
Freebsd: http://www.freshports.org/dns/dnsperf

Depending on your OS there are available ports too.

Alexa's list:
http://s3.amazonaws.com/alexa-static/top-1m.csv.zip


Did that in the past and it worked pretty well.

Thanks,
___
Marco Bicca

-Original Message-
From: bind-users-bounces+marco_bicca=symantec@lists.isc.org
[mailto:bind-users-bounces+marco_bicca=symantec@lists.isc.org] On Behalf
Of Gaurav Kansal
Sent: Wednesday, November 02, 2011 10:49 AM
To: bind-users@lists.isc.org
Subject: DNS Bulk Query Tool

Dear All,

 

I set up a new DNS Server using Bind 9.7

For the meantime I have opened this server to the whole world. I wanna check how many
queries it can handle.

Is there any freeware available for checking this? Is there any tool
available by which I can come to know after how much load my DNS will be
down (or it will stop responding)?

 

Thanks and Regards,

Gaurav Kansal

8860785630

9910118448

 





RE: DNS Bulk Query Tool

2011-11-11 Thread Marco Bicca
Hi Gaurav,

Not sure, I used dnsperf just fine on a CentOS box.

Thanks,
Marco

-Original Message-
From: Gaurav Kansal [mailto:gaurav.kan...@nic.in] 
Sent: Friday, November 11, 2011 1:33 AM
To: Marco Bicca; bind-users@lists.isc.org
Subject: RE: DNS Bulk Query Tool

Hi Marco,
Thanks.
Dnsperf tool is not working on my machine. I don't understand why?

Is there any other tool available? 

Thanks and Regards,
Gaurav Kansal
9910118448





-Original Message-
From: Marco Bicca [mailto:marco_bi...@symantec.com]
Sent: Thursday, 03 November, 2011 12:03 AM
To: Gaurav Kansal; bind-users@lists.isc.org
Subject: RE: DNS Bulk Query Tool

Hi Gaurav,

I would use dnsperf and the 1 million website list from Alexa:

DNSPerf:
Freebsd: http://www.freshports.org/dns/dnsperf

Depending on your OS there are available ports too.

Alexa's list:
http://s3.amazonaws.com/alexa-static/top-1m.csv.zip


Did that in the past and it worked pretty well.

Thanks,
___
Marco Bicca

-Original Message-
From: bind-users-bounces+marco_bicca=symantec@lists.isc.org
[mailto:bind-users-bounces+marco_bicca=symantec@lists.isc.org] On Behalf
Of Gaurav Kansal
Sent: Wednesday, November 02, 2011 10:49 AM
To: bind-users@lists.isc.org
Subject: DNS Bulk Query Tool

Dear All,

 

I set up a new DNS Server using Bind 9.7

For the meantime I have opened this server to the whole world. I wanna check how many
queries it can handle.

Is there any freeware available for checking this? Is there any tool
available by which I can come to know after how much load my DNS will be
down (or it will stop responding)?

 

Thanks and Regards,

Gaurav Kansal

8860785630

9910118448

 






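Both dnsperf threads above come down to the same need: a query file of "name type" lines, either recovered from a `rndc dumpdb -all` cache dump (Marco Bicca's 2010 question) or built from the Alexa "rank,domain" CSV (the 2011 reply). The script below is an added example, not dnsperf or BIND code. The sample dump and CSV rows are constructed; the assumed dump line layout is "name TTL [IN] TYPE rdata" with negative-cache entries written as \-TYPE and multi-line records (RRSIG in parentheses) indented, which is how a named_dump.db is laid out in my experience. It drops RRSIG/NSEC-style entries and rows that do not look like a hostname, so the load test replays realistic client queries rather than garbage:

```python
"""Build a dnsperf query file ("name type" per line) from two common sources:
a BIND cache dump written by 'rndc dumpdb -all' and a rank,domain CSV such as
the Alexa top-1m list.  Added example; not dnsperf or BIND code."""
import re
import sys

# Types a client would realistically ask for.  RRSIG/NSEC/DNSKEY entries in a
# cache dump are by-products of validation, not queries worth replaying.
QUERY_TYPES = {"A", "AAAA", "MX", "NS", "PTR", "SOA", "TXT", "SRV", "CNAME"}
DOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")


def normalise(name):
    """Lower-case the owner name and drop the trailing dot (dnsperf does not need it)."""
    name = name.lower()
    return name[:-1] if name.endswith(".") and len(name) > 1 else name


def dedupe(items):
    """Remove duplicates while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def dump_to_queries(dump_text):
    """Parse cache-dump lines 'name TTL [IN] TYPE rdata' into dnsperf queries."""
    queries = []
    for line in dump_text.splitlines():
        # Skip comments, $DATE-style directives, blank lines and the indented
        # continuation lines of multi-line records (RRSIG in parentheses).
        if not line or line[0] in ";$" or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) < 3 or not fields[1].isdigit():
            continue
        name, rest = fields[0], fields[2:]
        if rest[0].upper() == "IN":        # the class is optional in the dump
            rest = rest[1:]
        if not rest:
            continue
        rtype = rest[0]
        # Negative-cache entries are dumped as \-TYPE; the type after the
        # marker is what a client asked for, so it is still a realistic query.
        if rtype.startswith("\\-"):
            rtype = rtype[2:]
        rtype = rtype.upper()
        if rtype in QUERY_TYPES:
            queries.append(f"{normalise(name)} {rtype}")
    return dedupe(queries)


def csv_to_queries(csv_text, qtypes=("A",)):
    """Turn 'rank,domain' rows into one query per requested type."""
    queries = []
    for line in csv_text.splitlines():
        parts = line.strip().split(",", 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        domain = parts[1].strip().lower().split("/", 1)[0]  # some rows carry a path
        if not DOMAIN_RE.match(domain):
            continue  # do not send garbage at the server under test
        queries.extend(f"{domain} {qtype}" for qtype in qtypes)
    return dedupe(queries)


# Constructed sample inputs (not real dump or list contents).
SAMPLE_DUMP = r"""; Start view _default
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20101119103000
; authanswer
example.com.        3600    IN A    192.0.2.1
; glue
ns1.example.com.    86400   A       192.0.2.53
www.example.com.    300     IN CNAME    example.com.
example.com.        3600    IN RRSIG    A 8 2 3600 (
                    20101201000000 20101101000000 12345 example.com.
                    AAAA== )
mail.example.com.   300     \-AAAA  ;-$NXRRSET
example.com.        3600    IN A    192.0.2.2
"""
SAMPLE_CSV = "1,google.com\n2,facebook.com\n3,Example.COM/some/path\nnot a row\n"

if __name__ == "__main__":
    # Usage: python3 make_queries.py dump|csv FILE > queries.txt
    kind, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    lines = dump_to_queries(text) if kind == "dump" else csv_to_queries(text, ("A", "AAAA"))
    sys.stdout.write("\n".join(lines) + "\n")
```

The resulting file is passed to dnsperf with `-d queries.txt`; for a cache dump the query mix mirrors what the resolver has actually been asked, which is a more honest load profile than a list of popular sites.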
Re: DNSSEC closed environment

2009-07-08 Thread Marco Davids
Eduardo Júnior wrote:

> Is it possible to configure DNSSEC only between 2 name servers, the first is
> the authoritative and the second is the recursive? The authoritative name
> server would have signed zones and the recursive will do queries and
> validation.

Sure, why not?

I personally prefer my setup whereby I have included the IANA testbed:
https://ns.iana.org/dnssec/status.html.

In other words, I use their root hints and zonefiles in my test-environment.

In fact, I even managed to get an apparently valid chain of trust all
the way up to my 'home.forfunsec.org' testdomain with it. Quite
instructive and fun to play with. :-)

> And using dig (properly compiled and configured) makes
> requests to the recursive and validation occurs correctly?

Yep, that sounds like it should work.

But you might like 'drill', from NlNetlabs:

http://www.nlnetlabs.nl/projects/ldns/

(sorry, for being a bit off-topic here)

Regards,

-- 
Marco Davids
SIDN



multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
Hi all,

It seems as if my 'dnssec-signzone' runs on one CPU-core only, whereas
I would have expected it to run on all four.

Specs:

- Ubuntu 8.04.3 LTS
- bind-9.7.0b1.f1.tar.gz
- Quad-core 'Intel(R) Xeon(R) CPU E5335  @ 2.00GHz' (according to
'/proc/cpuinfo')

I tried 'configure' with and without '--enable-threads', but there is no
notable difference.

I also tried 'dnssec-signzone' with and without the '-n' option. No
difference either.

Can anyone point me in the right direction please?

Thank you so much.

-- 
Marco Davids



Re: multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
Op 23-12-2009 15:14, schreef Paul Wouters:
> On Wed, 23 Dec 2009, Marco Davids wrote:
> 
>> It seems as if my 'dnssec-signzone' runs on one CPU-core only, whereas
>> I would have expected it to run on all four.
> 
> dnssec-signzone first does a lot of preprocessing on one core, before
> it finally starts signing with multiple cores. Are you sure it is not
> using multiple cores?

Not anymore... I guess I'd better be patient and wait for the entire
signing process to finish first :-)

Thanks.

-- 
Marco



Re: multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
On 12-23-2009 15:33, Marco Davids wrote:

>>> It seems as if my 'dnssec-signzone' runs on one CPU-core only, whereas
>>> I would have expected it to run on all four.
>>
>> dnssec-signzone first does a lot of preprocessing on one core, before
>> it finally starts signing with multiple cores. Are you sure it is not
>> using multiple cores?
> 
> Not anymore... I guess I'd better be patient and wait for the entire
> signing process to finish first :-)

Okay - it works now. Thank you all for your replies. The solution turned
out to be a bit foolish: don't forget to do a 'make clean' first before
trying something else. :-/

BTW: sorry for messing up an existing thread on this list. I was unaware
of that behaviour of my e-mail client.

Regards,

-- 
Marco



Re: SERVFAIL in BIND when resolving certain domains (.gov.co)

2024-11-01 Thread Marco Moock
Am 01.11.2024 um 16:30:55 Uhr schrieb Cesar Augusto Camacho Sierra:

> Could this issue be related to some additional configuration in BIND
> or is it possible that it is a bug in the cundinamarca.gov.co
> delegation chain? I appreciate any guidance or suggestions for
> additional testing.


Problem in their infrastructure:

cundinamarca.gov.co.43200   IN  NS  ns1-auth.etb.net.co.
cundinamarca.gov.co.43200   IN  NS  ns2-auth.etb.net.co.
[...]
;; Received 710 bytes from 156.154.105.25#53(ns6.cctld.co) in 15 ms

;; communications error to 2800:260::11::221#53: timed out
;; communications error to 2800:260::11::221#53: timed out
;; communications error to 2800:260::11::221#53: timed out
gevir.cundinamarca.gov.co. 28800 IN NS  hillstone.cundinamarca.gov.co.
;; Received 170 bytes from 201.244.1.170#53(ns2-auth.etb.net.co) in 179 ms

;; communications error to 119.26.56.250#53: timed out
;; expected opt record in response
;; Received 43 bytes from
190.26.56.250#53(hillstone.cundinamarca.gov.co) in 191 ms

Both servers are reachable, via IPv6 using ICMP echo req, but the DNS
server isn't listening on UDP or TCP.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1730475055mu...@cartoonies.org


Re: SERVFAIL in BIND when resolving certain domains (.gov.co)

2024-11-01 Thread Marco Moock
Am 01.11.2024 um 22:37:30 Uhr schrieb Marco Moock:

> Both servers are reachable, via IPv6 using ICMP echo req, but the DNS
> server isn't listening on UDP or TCP.

I have to catch that up:
I don't receive any answer when querying UDP or TCP, also on other
ports. Maybe it is also a firewall that simply drops the traffic.

I've now contacted their hostmaster on the address listed in SOA.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1730497050mu...@cartoonies.org


Re: secondary dns server question :)

2024-11-18 Thread Marco Moock
Am Mon, 18 Nov 2024 19:03:55 +0100
schrieb Jean-François Bachelet :

> just to be sure, in case we have two (internal) dns servers on the
> same network (for the case that one is unavailable), if I understand
> the docs well, the two servers should have the exact same
> configurations, apart from the secondary being stated as 'secondary'
> and the first 'master'.
> 
> that for both confs and zones and etc...

It depends on what you want.
A DNS server can do different tasks.
One is serving authoritative information.

For one zone (e.g. example.org), there exists a master and there can
exist slaves (also called secondary).

If you have multiple zones, a server can be master for one zone and
slave for another.

Other settings like recursive resolving for your clients can have
completely independent setting, depending on your needs.

You need to tell us more what you want to accomplish.


Re: notify IPv6

2024-11-24 Thread Marco Moock
Am 24.11.2024 um 12:10:42 Uhr schrieb James:

> If a name server has only an IPv6 address (no IPv4) I do not see the 
> transfer and the data are not updated on the secondary.  The 
> documentation says "NOTIFY messages are sent to the name servers
> defined in the NS records for the zone"

Try a zone transfer manually with

dig axfr example.org -6 @dns-server

Does that work?
How do the AAAA records of the server look?
Is the slave in the different zone?
If so, check the glue records of it too.

Generally, which version are you running?

-- 
Gruß
Marco

Send unsolicited bulk mail to 1732446642mu...@cartoonies.org


Re: Master/Slave

2025-01-31 Thread Marco Moock
Am 31.01.2025 um 21:03:06 Uhr schrieb Karol Nowicki via bind-users:

> With a design where one ISC Bind DNS server is a master for domain
> example1.com while at the same time acting as a slave for another one,
> let's say example2.com, do we break any ISC recommendations or good
> practice?

Such a config works perfectly fine.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1738353786mu...@cartoonies.org


Re: BIND DNS Server on Windows

2025-02-09 Thread Marco Moock
Am 09.02.2025 um 10:51:35 Uhr schrieb Turritopsis Dohrnii Teo En Ming
via bind-users:

> Can I install WinBIND on Windows 10 and Windows 11? The following
> guide mentioned installation of WinBIND on Windows Server only.

Should work, give it a try.

-- 
Gruß
Marco


Re: Authoritative and caching

2025-02-19 Thread Marco Moock
Am Wed, 19 Feb 2025 10:58:14 +0100
schrieb Danjel Jungersen via bind-users :

> But if I change /etc/resolv.conf to 127.0.0.1 something happens
> If I do a dig or ping from my postfixbox to something that the 2 main 
> bind-boxes are authoritative for, it doesn't work.

Please sniff the DNS traffic between the 2 machines and check if the
request goes out to the authoritative server and check what it replied.

You can trigger the request by

dig A/AAAA non-working domain @IP.

Try +recurse/+norecurse to check if the issue is related to those flags.


Re: IPv6 Geolocation per /64

2025-02-18 Thread Marco Moock
Am 18.02.2025 um 18:50:31 Uhr schrieb Peter 'PMc' Much:

> Consideration:
> Since every /64 in IPv6 carries its own distinct geolocation info,
> there must be somewhere a database of -quick average- 2^64 =
> 18446744073709551616 records.

Much less.
Only 2000::/3 is GUA and only a small amount of that is allocated to
LIRs (ISPs). They only use a portion of that for serving their
customers.

> I'm currently trying to figure out where that database is located.

I can't help you with that, although Maxmind has such a service.
https://www.maxmind.com/en/locate-my-ip-address

At least for my IP the geo information I get from there is simply junk.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1739901031mu...@cartoonies.org


Re: Upgrading the Bind Server issue

2025-03-19 Thread Marco Moock
Am 19.03.2025 um 13:23:09 Uhr schrieb Lowry-Schiller, Dell M CTR
(USA) via bind-users:

> Message: I am following the instructions provided in the knowledge
> base and I am having issues with the upgrade of my bind server to
> version 9.20.6. I am currently on version BIND 9.16.23-RH.

This indicates you are using RedHat?
If so, I recommend using the release that comes with your operating
system; this is much easier and tested.

> I run this command and it works fine: ./configure
> --prefix=/usr/local/bind-9.9.6 --sysconfdir=/etc --localstatedir=/var
> --enable-threads --with-openssl
> 
> Then I run the command make; this is where I get the error message.
> Error message: [root@rhel-nbind2 bind-9.20.6]#
> make make: *** No targets specified and no makefile found.  Stop
> I am using this URL: https://kb.isc.org/docs/aa-00648

Run ll in the folder and post it here if you really want to compile
yourself.


-- 
Gruß
Marco

Send unsolicited bulk mail to 1742386989mu...@cartoonies.org


Re: long FQDN resolution

2025-05-15 Thread Marco Moock
Am 15.05.2025 um 14:31:40 Uhr schrieb DEMBLANS Mathieu:

> It is problematic for DNSBL requests because it generates a lot of
> useless requests and this kind of service looks at the number of
> requests done (usage policy):

Disable qname minimization for that.


-- 
Gruß
Marco

Send unsolicited bulk mail to 1747312300mu...@cartoonies.org


Re: Dns tunnel detection/prevention

2025-05-22 Thread Marco Moock
Am 22.05.2025 um 14:23:05 Uhr schrieb Karol Nowicki via bind-users:

> Does ISC Bind software natively have any dns tunneling prevention
> embedded?

Please give more info what you want to accomplish.

> Wysłane z Yahoo Mail do iPhone

Please configure your mail software not to include such lines.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1747916585mu...@cartoonies.org


Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
Hi,

It is not possible to configure NSEC3 as a default in named.conf (on a
per zone basis), is it? I would welcome such a feature.

I also find it a bit strange that BIND decides to go for NSEC, even when
the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).

Thanks.

--
Marco


On 03/07/12 00:10, Wolfgang Nagele wrote:
> Hi,
> 
> Ok that is already a bit better - at least saves a full sign with NSEC first. 
> Wondering though, from a user perspective sending in NSEC3PARAM from the 
> unsigned end seems like the most natural thing to do. Why complicate matters 
> by having to use rndc here?
> 
> Cheers,
> 
> --
> Wolfgang Nagele
> Senior Systems and Network Administrator
> AusRegistry Pty Ltd
> Level 8, 10 Queens Road
> Melbourne, Victoria, Australia, 3004
> Phone +61 3 9090 1756
> Email: wolfgang.nag...@ausregistry.com.au
> Web: www.ausregistry.com.au
> 
> 
> The information contained in this communication is intended for the named 
> recipients only. It is subject to copyright and may contain legally 
> privileged and confidential information and if you are not an intended 
> recipient you must not use, copy, distribute or take any action in reliance 
> on it. If you have received this communication in error, please delete all 
> copies from your system and notify us immediately.
> 
> On Mar 6, 2012, at 6:55 PM, Evan Hunt wrote:
> 
>>> According to the docs it should be possible to set NSEC3PARAM on the
>>> unsigned version when using inline-signer mode. The signing BIND 9.9
>>> should then decide to use NSEC3, which salt, opt-out, etc. based on this.
>>> I have tried this and could not get it to work. The only way to use NSEC3
>>> with the inline signer atm is to run 'rndc -nsec3param' once the zone has
>>> been configured. Any hints?
>>
>> You should be able to use 'rndc signing -nsec3param' before the zone
>> is signed.  It's working for me:
>>
>>zone "example.nil" {
>>type master;
>>inline-signing yes;
>>auto-dnssec maintain;
>>file "example1.db";
>>};
>>
>>
>>$ rndc signing -nsec3param 1 0 10 BEEF example.nil
>>$ rndc signing -list example.nil
>>Pending NSEC3 chain 1 0 10 BEEF
>>$ dnssec-keygen -3 example.nil
>>Generating key pair.++
>>..++ 
>>Kexample.nil.+007+28952
>>$ dnssec-keygen -3fk example.nil
>>Generating key pair...+++
>>..+++ 
>>Kexample.nil.+007+04053
>>$ rndc loadkeys example.nil
>>$ sbin/rndc signing -list example.nil
>>Done signing with key 4053/NSEC3RSASHA1
>>Done signing with key 28952/NSEC3RSASHA1
>>$ dig @localhost +short nsec3param example.nil
>>1 0 10 BEEF
>>
>> --
>> Evan Hunt -- each@isc.org
>> Internet Systems Consortium, Inc.
> 



Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
Phil,

On 03/07/12 10:27, Phil Mayers wrote:
> On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote:
> 
>> I also find it a bit strange that BIND decides to go for NSEC, even when
>> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).
>>
> As I understand it, NSEC3 incurs overhead at validating resolvers. That 
> being the case, it is unfriendly to use it unless you really need it.

I don't have a problem with that. It's just that I find the current way
BIND works a bit tricky. I would feel more comfortable with an explicit
configuration-option in named.conf, rather than a separate action (being
'rndc signing -nsec3param').

(In the case I *really* want NSEC3 that is, naturally)

Regards,

--
Marco


Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
On 03-07-12 18:08, Evan Hunt wrote:

>> I also find it a bit strange that BIND decides to go for NSEC, even when
>> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).
>
> There's no difference between algorithm 7 and algorithm 5 (RSASHA1).
> The use of a new algorithm number for a previously-existing algorithm is
> sort of a signaling mechanism: it tells older resolvers that you're using
> a newer version of the DNSSEC specification than
> they're equipped to deal with .  But it doesn't mean NSEC3 is required, or
> even expected.

Interesting way of looking at it.

Algo 7 is mentioned in RFC5155. It tells older resolvers you are using
a newer version of DNSSEC. Sure it does, namely a version that supports
NSEC3, right? Now why would you want to do that? Because either you are
doing NSEC3, or you are planning to do so in the foreseeable future.

It's kind of a trade-off, I suppose:

- using algo 7 with NSEC allows you to move to NSEC3 without much hassle
(but older resolvers won't validate your replies meanwhile)

- use algo 5 with NSEC and you have to do an algorithm rollover first
when you want to move to NSEC3 (but meanwhile, older resolvers will
validate your replies).

Are there still any 'older' resolvers around? Maybe not...

Anyway, thanks for your insights!

--
Marco


Dig 9.9.1 AD-bit

2012-08-02 Thread Marco Davids (SIDN)
Hi,

Dig 9.9.1 is setting the AD-bit in queries by default.

Does anyone know why?

Took me a while to figure out, among other things because Wireshark has
a little bug that prevents the AD-bit being shown in queries.

(reported as bug 2472 and 7555 on https://bugs.wireshark.org/bugzilla/)

Thanks.

Regards,

-- 
Marco


allow-recursion slowing server to crawl

2013-02-27 Thread Marco C. Coelho


I discovered my bind 9 server was being used in a DDOS attack so I 
decided (late) to block outside networks from making recursive 
requests.  The problem is every time I enable this, the time for DNS 
queries goes from 0-1ms to 2000-6000ms or just times out completely.  
The options section is below. I've commented it out so as to enable my 
network to run.


There are thousands of my clients that need recursion from this server.  
It is also authoritative for many domains.


There is a semi busy mail server on this same box that uses DNS as well.

I googled this to death with no real suggestions.  I've tried it with 
ACL and without.


Any suggestions would be appreciated.

Marco

acl "internal" {
  24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
};

options {
  directory "/var/named";
  /*
   * If there is a firewall between you and nameservers you want
   * to talk to, you might need to uncomment the query-source
   * directive below.  Previous versions of BIND always asked
   * questions using port 53, but BIND 8.1 uses an unprivileged
   * port by default.
   */
  // query-source address * port 53;
  recursive-clients 1000;
  recursion yes;
  //allow-query { any; };
  //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; 
"localnets"; "localhost"; };

  //allow-recursion { "internal"; };
  //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; 
"localnets"; "localhost"; };

  listen-on-v6 { none; };
  listen-on { 24.202.224.2; };
  version "8.2.3-REL";
};

--
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax



Re: allow-recursion slowing server to crawl

2013-02-27 Thread Marco C. Coelho

Just so the list has the same answer,

Mark Andrews was right.
This server was being hammered so hard that logging the rejects was 
killing the performance.

adding:
logging {
  category default { null; };
  //category lame-servers { null; };
};

to named.conf fixed the performance issues.

mc

On 2/27/2013 5:18 PM, Mark Andrews wrote:

I suspect this is just logging. Send the security channel to null
for a while.  Once your server gets off the "I'm a recursive reflector"
lists you can turn it on again.

In message <512e7940.7060...@argontech.net>, "Marco C. Coelho" writes:

I discovered my bind 9 server was being used in a DDOS attack so I
decided (late) to block outside networks from making recursive
requests.  The problem is every time I enable this, the time for DNS
queries goes from 0-1ms to 2000-6000ms or just times out completely.
The options section is below. I've commented it out so as to enable my
network to run.

There are thousands of my clients that need recursion from this server.
It is also authoritative for many domains.

There is a semi busy mail server on this same box that uses DNS as well.

I googled this to death with no real suggestions.  I've tried it with
ACL and without.

Any suggestions would be appreciated.

Marco

acl "internal" {
24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
};

options {
directory "/var/named";
/*
 * If there is a firewall between you and nameservers you want
 * to talk to, you might need to uncomment the query-source
 * directive below.  Previous versions of BIND always asked
 * questions using port 53, but BIND 8.1 uses an unprivileged
 * port by default.
 */
// query-source address * port 53;
recursive-clients 1000;
recursion yes;
//allow-query { any; };
//allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8;
"localnets"; "localhost"; };
//allow-recursion { "internal"; };
//allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8;
"localnets"; "localhost"; };
    listen-on-v6 { none; };
listen-on { 24.202.224.2; };
version "8.2.3-REL";
};

--
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax



--
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax


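Two things in this thread are worth making explicit. First, an open recursive resolver is exactly what made the box a reflector, and the durable fix is to keep allow-query open for the authoritative zones while restricting allow-recursion and allow-query-cache to the internal ACL (those are the lines commented out in the posted options block). Second, the fix that "worked" nulls the whole default category, which discards the operational logs you want when investigating abuse; Mark Andrews's suggestion in the same thread, nulling only the security category for a while, is narrower. The script below is an added example, not BIND code: a small audit of the recursion-related statements, run against an abridged copy of the posted config, a constructed classic open-resolver config and a constructed hardened variant. The "built-in default" finding reflects BIND 9.4 and later, where allow-recursion defaults to localnets and localhost; the parser does not handle views or every named.conf construct.

```python
"""Audit a named.conf for open-recursion exposure.  Added example, not BIND code:
it parses only acl, recursion, allow-recursion and allow-query-cache."""
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
WORLD = {"any", "0.0.0.0/0", "::/0"}

def strip_comments(text):
    """Drop the /* */, // and # comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_body(text, header):
    """Body of the first 'header { ... }' block, honouring nested braces."""
    m = re.search(header + r"\s*\{", text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return None

def entries(body):
    return [t.strip().strip('"') for t in body.split(";") if t.strip()]

def address_list(body, stmt):
    """Entries of 'stmt { ... };' inside body, or None when the statement is absent."""
    inner = block_body(body, r"(?<![\w-])" + re.escape(stmt))
    return None if inner is None else entries(inner)

def named_acls(text):
    """Collect acl "name" { ... }; definitions so references can be expanded."""
    acls = {}
    for m in re.finditer(r'(?<![\w-])acl\s+"?([\w-]+)"?\s*\{', text):
        body = block_body(text[m.start():], r'acl\s+"?[\w-]+"?')
        if body is not None:
            acls[m.group(1)] = entries(body)
    return acls

def expand(items, acls, seen=()):
    """Flatten named-ACL references so an 'any' hidden behind a name is found."""
    out = []
    for item in items:
        if item in acls and item not in seen:
            out.extend(expand(acls[item], acls, seen + (item,)))
        else:
            out.append(item)
    return out

def audit(conf):
    """Return findings about recursion exposure; an empty list means none."""
    text = strip_comments(conf)
    acls = named_acls(text)
    options = block_body(text, r"(?<![\w-])options") or ""
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", options)
    if m and m.group(1) == "no":
        return []  # authoritative-only server: the recursion ACLs do not apply
    findings = []
    explicit = {s: address_list(options, s) for s in ("allow-recursion", "allow-query-cache")}
    if all(v is None for v in explicit.values()):
        findings.append("recursion is on but neither allow-recursion nor allow-query-cache is "
                        "set: relying on the built-in default (localnets; localhost; since BIND 9.4)")
    for stmt, items in explicit.items():
        if items is None:
            continue
        if WORLD & set(expand(items, acls)):
            findings.append(f"{stmt} admits the whole Internet: open resolver")
        for item in items:  # a typo in an ACL name silently becomes an empty list
            if (item not in acls and item not in BUILTIN_ACLS
                    and not re.fullmatch(r"!?[0-9a-fA-F:.]+(/\d+)?", item)):
                findings.append(f"{stmt} references undefined ACL {item!r}")
    return findings

ACL = '''
acl "internal" {
  24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
};
'''
# The options block as posted (abridged): every ACL statement is commented out.
POSTED = ACL + '''
options {
  /* firewall note, as in the posted file */
  recursion yes;
  //allow-query { any; };
  //allow-recursion { "internal"; };
  //allow-query-cache { "internal"; };
};
'''
OPEN = ACL + "options { recursion yes; allow-query { any; }; allow-recursion { any; }; };"  # constructed
# Constructed hardened variant: zones stay answerable by anyone, recursion and the
# cache are limited to the internal ACL, and only the noisy security category is
# nulled (Mark Andrews's suggestion) rather than the whole default category.
HARDENED = ACL + '''
options {
  recursion yes;
  allow-query { any; };
  allow-recursion { "internal"; };
  allow-query-cache { "internal"; };
};
logging { category security { null; }; };
'''
```

Running `audit` over a config before `rndc reload` catches the two mistakes that recur in threads like this one: an explicit `any` (possibly hidden inside a named ACL) and a misspelled ACL name that BIND would accept as an empty list.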

Re: Configuring DNSSEC for child domains

2013-05-06 Thread Marco Davids (SIDN)
Hi Jaap,

On 05/06/13 16:09, Jaap Winius wrote:

> 2.)  http://dnsviz.net/d/zuid.dapadam.nl/dnssec/
> 
> This shows two DS records in the parent zone, one not secure and one  
> bogus, and three DNSKEY records in the child zone, none of which are  
> secure.

Perhaps you could remove ns[12].transip.net from your NS-set and try
again? It seems as if these name servers are causing some problems.

(see attachment)

http://dnsviz.net/d/zuid.dapadam.nl/responses/

Regards,

--
Marco

 dig +dnssec DS zuid.dapadam.nl @ns2.transip.net.
;; Got bad packet: extra input data
424 bytes
07 95 84 00 00 01 00 03 00 00 00 01 04 7a 75 69  .zui
64 07 64 61 70 61 64 61 6d 02 6e 6c 00 00 2b 00  d.dapadam.nl..+.
01 04 7a 75 69 64 07 64 61 70 61 64 61 6d 02 6e  ..zuid.dapadam.n
6c 00 00 2b 00 01 00 01 51 80 00 3a 00 00 08 01  l..+Q..:
00 00 00 05 00 00 00 00 00 00 00 00 00 00 27 63  ..'c
32 65 31 38 37 63 30 62 64 31 33 32 37 62 37 65  2e187c0bd1327b7e
66 61 62 62 64 36 34 36 32 65 39 63 64 32 35 64  fabbd6462e9cd25d
35 34 31 35 39 37 04 7a 75 69 64 07 64 61 70 61  541597.zuid.dapa
64 61 6d 02 6e 6c 00 00 2b 00 01 00 01 51 80 00  dam.nl..+Q..
53 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00  S...
00 00 00 40 64 32 31 32 36 32 65 30 35 62 37 37  ...@d21262e05b77
66 66 33 61 30 39 39 38 33 65 38 37 30 30 37 32  ff3a09983e870072
61 64 63 66 34 63 65 31 61 30 64 66 38 63 33 36  adcf4ce1a0df8c36
36 38 36 36 33 30 31 64 65 66 63 34 61 65 34 33  6866301defc4ae43
35 32 64 33 04 7a 75 69 64 07 64 61 70 61 64 61  52d3.zuid.dapada
6d 02 6e 6c 00 00 2e 00 01 00 01 51 80 00 9e 00  m.nl...Q
2b 08 03 00 01 51 80 51 ab 44 ba 51 83 a9 aa da  +Q.Q.D.Q
55 07 64 61 70 61 64 61 6d 02 6e 6c 00 02 a3 b2  U.dapadam.nl
3a 2a 8c 4f 39 7e ff 54 75 ff 0c fb c6 3d ac 5e  :*.O9..Tu=.^
b3 a4 ec 0c 52 32 e7 f5 1c a6 89 fe 4a b4 a8 fb  R2..J...
98 17 7f b3 68 f1 c8 5c a0 af bc cc 7a 76 e4 26  h..\zv.&
d8 b5 e4 f7 9e 1b e9 0d b9 b5 14 91 ae 85 af cf  
35 c0 d3 4b a1 0f ec b4 cf 81 ad f9 7d 0e bc c3  5..K}...
68 77 6d ac 83 27 79 1b 97 8b 2d 2f 06 d6 1a dd  hwm..'y...-/
d2 72 be 4c 4e 87 61 60 68 8f 06 11 f4 c8 04 25  .r.LN.a`h..%
d1 38 63 c5 96 e6 4c 4d b4 f3 12 49 d5 00 00 29  .8c...LM...I...)
10 00 00 00 80 00 00 00  



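The hex dump above is the complete 424-byte answer, so it can be decoded offline. Below is an added example (not BIND, dig or dnsviz code) that parses the message and checks each DS record against the digest lengths fixed by RFC 4034 and RFC 4509: 20 bytes for SHA-1 (digest type 1) and 32 for SHA-256 (digest type 2). Both DS records in this answer carry algorithm 8, key tag 0 and a digest far longer than that (54 and 79 bytes). The thread itself only says the packet is bad; my reading, stated as an assumption, is that this mismatch is why dig reports "extra input data", since a parser that takes the fixed-length digest for the stated type is left with unconsumed rdata. The compression-pointer handling in `read_name` is general and is not exercised by this packet, which sends every name uncompressed.

```python
"""Decode the DS answer from ns2.transip.net quoted above and check each DS
digest against the length its digest type requires.  Added example, not BIND,
dig or dnsviz code; PACKET is the 424-byte hex dump from the post."""
import struct

TYPE_DS, TYPE_RRSIG, TYPE_OPT = 43, 46, 41
# Digest lengths fixed by RFC 4034 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}

PACKET = bytes.fromhex(
    "079584000001000300000001047a7569" "64076461706164616d026e6c00002b00"
    "01047a756964076461706164616d026e" "6c00002b000100015180003a00000801"
    "00000005000000000000000000002763" "32653138376330626431333237623765"
    "66616262643634363265396364323564" "353431353937047a7569640764617061"
    "64616d026e6c00002b00010001518000" "53000008020000000000000000000000"
    "00000040643231323632653035623737" "66663361303939383365383730303732"
    "61646366346365316130646638633336" "36383636333031646566633461653433"
    "35326433047a75696407646170616461" "6d026e6c00002e000100015180009e00"
    "2b08030001518051ab44ba5183a9aada" "55076461706164616d026e6c0002a3b2"
    "3a2a8c4f397eff5475ff0cfbc63dac5e" "b3a4ec0c5232e7f51ca689fe4ab4a8fb"
    "98177fb368f1c85ca0afbccc7a76e426" "d8b5e4f79e1be90db9b51491ae85afcf"
    "35c0d34ba10fecb4cf81adf97d0ebcc3" "68776dac8327791b978b2d2f06d61add"
    "d272be4c4e876160688f0611f4c80425" "d13863c596e64c4db4f31249d5000029"
    "1000000080000000"
)


def read_name(buf, pos):
    """Decode a possibly compressed name at pos; return (name, position after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:            # RFC 1035 compression pointer
            if end is None:
                end = pos + 2                # the pointer is the last thing on the wire
            pos = ((length & 0x3F) << 8) | buf[pos + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if end is not None else pos)


def parse_message(buf):
    """Parse header, question and every resource record; rdata stays raw bytes."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = read_name(buf, pos)
        qtype, qclass = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, pos = read_name(buf, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
            pos += 10
            if pos + rdlen > len(buf):
                raise ValueError("rdata runs past the end of the message")
            records.append({"section": section, "name": name, "type": rtype,
                            "ttl": ttl, "rdata": buf[pos:pos + rdlen]})
            pos += rdlen
    return {"id": msg_id, "flags": flags, "questions": questions,
            "records": records, "trailing": len(buf) - pos}


def check_ds(records):
    """Report DS records whose digest length does not match their digest type."""
    problems = []
    for rr in records:
        if rr["type"] != TYPE_DS:
            continue
        rdata = rr["rdata"]
        if len(rdata) < 4:
            problems.append({"name": rr["name"], "error": "DS rdata shorter than 4 bytes"})
            continue
        keytag, alg, dtype = struct.unpack("!HBB", rdata[:4])
        got, expected = len(rdata) - 4, DIGEST_LEN.get(d_type := dtype)
        if expected is None:
            problems.append({"name": rr["name"], "keytag": keytag, "algorithm": alg,
                             "digest_type": dtype, "error": "unknown digest type"})
        elif got != expected:
            problems.append({"name": rr["name"], "keytag": keytag, "algorithm": alg,
                             "digest_type": dtype, "got": got, "expected": expected})
    return problems


if __name__ == "__main__":
    msg = parse_message(PACKET)
    print(f"id={msg['id']:#06x} flags={msg['flags']:#06x} question={msg['questions']} "
          f"records={len(msg['records'])} trailing_bytes={msg['trailing']}")
    for p in check_ds(msg["records"]):
        print("malformed DS:", p)
```

Structurally the message is fine (one question, two DS, one RRSIG, one OPT, no trailing bytes), which is why the fault only shows up once the DS rdata is interpreted; a validator receiving this from the parent side cannot match either digest against any DNSKEY, which is consistent with the "bogus" verdict Jaap saw on dnsviz.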
Who is right?

2013-09-06 Thread Marco Davids (SIDN)
dig ANY example.org @..

Google Public DNS:
--
returns DS: no

BIND 9.9.3-P2:
--
returns DS: yes

Unbound 1.4.20:
---
returns DS: no

Personally I don't care much, but perhaps someone on this list has a
strong opinion about these differences that I should know about?

Thank you.

-- 
Marco




Re: Sporadic but noticable SERVFAILs in specific nodes of an anycast resolving farm running BIND

2014-03-05 Thread Marco Davids (SIDN)
On 05/03/14 15:15, Klaus Darilion wrote:
> Does it only happen for IPv6 DNS requests? Maybe it is related to this:
> https://open.nlnetlabs.nl/pipermail/nsd-users/2014-January/001783.html

Or, less likely, this:

http://marc.info/?l=linux-netdev&m=139352943109400&w=2

--
Marco




Re: localhoast A record?

2014-03-21 Thread Marco Davids (SIDN)


On 21-03-14 14:03, Casey Deccio wrote:

> I've adopted a number of zones and most of them contain "localhost in
> a 127.0.0.1" records. I'm curious what current RFC standards state and
> what the community considers best practice.

> I would take a look at the query logs for the zones in question.  You
> might be surprised at how many queries are being made by systems that
> are applying a suffix from the search list because of the lack of an
> entry for localhost in the hosts file or the mishandling thereof.

To me, an NXDOMAIN-reply seems better than an answer with an A-record to
127.0.0.1 (because that won't be an incentive to fix an apparently
broken situation).

My advice: forget about localhost entries in your zone files, unless it
concerns a special situation, such as domains that are part of your
search-list. You may want to consider adding it in such a case (although
I don't do so). But if you do, don't forget to add an AAAA-record for
::1 as well ;-)

Regards,


-- 
Marco




Re: DNS weirdness

2015-01-06 Thread Marco Davids (SIDN)
Darcy Kevin (FCA) schreef op 06-01-15 om 19:56:

> This nameserver is forwarding to 208.67.222.222 and 208.67.220.220. Are those 
> valid and working?

OpenDNS, right?

--
Marco





DNSSEC logging and parsing it

2015-03-05 Thread Marco Davids (SIDN)
Hi,

What would be a good way to configure BIND-logging, or rather to filter 
DNSSEC-validation errors from that logging?

Unbound logs stuff like this:

Mar  5 12:58:47 xs unbound: [16331:0] info: validation failure : No DNSKEY record from 203.0.113.5 for key example.nl.nl. while building chain of trust

That's great for parsing and finding domain names with DNSSEC issues.

BIND logs various, less unambiguous kinds of messages, like:

dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure

and, for the same request: 

lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed resolving 'example.nl/A/IN': 203.0.113.5#53

It even logs an informational message when the domain is signed, but there is 
no DS-record in the parent (which to me does not count as a DNSSEC-validation 
problem):

dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found

What would be the best, unambiguous string(s) to grep for, in order to find 
domain names that have validation-problems?

Please advise.

-- 
Marco



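As an added example (not from the post and not ISC's code), the classification below is run over constructed copies of the three BIND messages quoted above: the two that report data the parent says must be secure count as firm validation failures, while "no valid signature found" is kept apart because, as noted, it is also logged for signed zones that have no DS in the parent. The line format is assumed to be exactly the one quoted; newer BIND versions word some of these messages differently, so the patterns would need adjusting.

```python
import re
from collections import defaultdict

# One BIND log line, optionally prefixed with "file.log:" as grep prints it.
LINE_RE = re.compile(
    r"^(?:[\w.-]+:)?(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<cat>[\w-]+): (?P<level>\w+): (?P<msg>.*)$"
)

# Message shapes quoted in the post. "firm": the validator expected secure data
# and did not get it. "weak": also logged for zones that are signed but have no
# DS in the parent, so on its own it does not prove a validation problem.
PATTERNS = [
    ("insecure-response", "firm", re.compile(
        r"^validating (?P<name>\S+?)/\w+: got insecure response; "
        r"parent indicates it should be secure$")),
    ("insecurity-proof-failed", "firm", re.compile(
        r"^insecurity proof failed resolving '(?P<name>[^/']+)/\w+/IN'")),
    ("no-valid-signature", "weak", re.compile(
        r"^validating (?P<name>\S+?)/\w+: no valid signature found$")),
]

def parse_line(line):
    """Return (category, message) for a BIND log line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group("cat"), m.group("msg")) if m else None

def classify(msg):
    """Return (reason, strength, name) if msg reports a validation problem."""
    for reason, strength, pat in PATTERNS:
        m = pat.match(msg)
        if m:
            return reason, strength, m.group("name").rstrip(".").lower()
    return None

def failing_names(lines, include_weak=False):
    """Map each affected domain name to the set of reasons seen for it."""
    found = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        hit = classify(parsed[1]) if parsed else None
        if hit is None:
            continue
        reason, strength, name = hit
        if strength == "weak" and not include_weak:
            continue
        found[name].add(reason)
    return dict(found)

# Constructed sample, modelled on the lines quoted in the post (joined back onto
# single lines, grep-style file prefix kept); the last line is not BIND's format.
SAMPLE = [
    "dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A:"
    " got insecure response; parent indicates it should be secure",
    "lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity"
    " proof failed resolving 'example.nl/A/IN': 203.0.113.5#53",
    "dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating"
    " www.example.nl/A: no valid signature found",
    "Mar  5 12:58:47 xs unbound: [16331:0] info: validation failure: skipped",
]

if __name__ == "__main__":
    for name, reasons in sorted(failing_names(SAMPLE, include_weak=True).items()):
        print(name, sorted(reasons))
```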

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Marco Davids (SIDN)

On 07/08/15 02:03, Charles Swiger wrote:

>> So ISC: please fix your list servers, let them rewrite the From headers!
> 
> How would this help?  Changing the From header breaks your domain's DKIM
> signing; are you asking them to take ownership of your messages and then DKIM 
> sign
> them on behalf of isc.org 

That is what the IETF list servers do anyway. Unfortunately they don't
rewrite the From headers, thereby breaking the alignment. So in total it
doesn't help a whole lot, but it's one step closer to the solution.

Regards,

-- 
Marco




Re: Bind 9.8 with dlz and dnssec

2011-03-10 Thread Marco Davids (SIDN)
Op 10-03-11 18:26, Christian Laursen schreef:
> On 03/10/11 17:05, Evan Hunt wrote:

>> and hadn't even given any thought to the problem of supporting DNSSEC,
>> but we can add those features to the roadmap as well if there's user demand.
> 
> I just want to throw my vote for having DLZ support DNSSEC at some point.

Christian, Evan,

You might want to play around a little bit with PowerDNSSEC. Even though
DNSSEC development is still ongoing, it already looks very promising and
I am sure it will serve well as a great source of inspiration for future
DLZ developments.

http://powerdnssec.org/

--
Marco



Re: AW: ipv6 PTR in zone file

2011-04-12 Thread Marco Davids (SIDN)
On 04/12/11 10:50, walter.jontofs...@t-systems.com wrote:

> you could use ipv6calc (ftp://ftp.bieringer.de/pub/linux/ipv6/ipv6calc) to 
> calculate the reverse strings.

Yes.

Or do it 'the BIND way':

 dig  -x 2001:7b8:c05::80:1 | grep ip6.arpa | tail -1 | awk '{print $1}'

--
Marco

> Im Auftrag von Michel de Nostredame
>> Gesendet: Montag, 11. April 2011 20:44
>> An: bind-users
>> Betreff: ipv6 PTR in zone file
>>
>> Hi BIND Users,
>>
>> I am not sure if my post here is proper or not. If not please 
>> kindly guide me to a correct list.
>>
>> I have lot of "static" IPv6 address needs to add into DNS PTR record.
>> Most of them are server IP addresses and addresses on router 
>> interfaces.
>> Compose proper PTR records, without human errors, is highly 
>> difficult (compares to IPv4 PTR records), as we encode some 
>> customer information into the address.
>>
>> I tried to look into bit-string and soon realized it is 
>> already removed from recent BIND versions. Then tried to 
>> search "$REVERSE" and "$INVERSE" on Google but got no much 
>> luck; seems not much development / discussion recently.
>>
>> For example, today we probably do PTR list this,
>>
>> $ORIGIN 0.0.0.0.0.0.d.4.1.a.1.0.1.0.0.2.ip6.arpa.
>> 1.0.1.a.0.0.0.5.6.0.c.1.0.0.5.6 PTR
>> xe-3-0-3-101.ar.par1.fr.netname.net.
>>
>>
>> What I am think about is if there is any potential possibility 
>> to compose IPv6 PTR records in ZONE files in a little easier method?
>> something like
>>
>> $ORIGIN $REVERSE(2001:01a1:4d00:).ip6.arpa.
>> $REVERSE(6500:1c06:5000:a101)  PTR
>> xe-3-0-3-101.ar.par1.fr.netname.net.


Re: AW: ipv6 PTR in zone file

2011-04-12 Thread Marco Davids (SIDN)
On 04/12/11 11:49, Michel de Nostredame wrote:

>>> you could use ipv6calc (ftp://ftp.bieringer.de/pub/linux/ipv6/ipv6calc) to 
>>> calculate the reverse strings.
>> Yes.
>> Or do it 'the BIND way':
>>  dig  -x 2001:7b8:c05::80:1 | grep ip6.arpa | tail -1 | awk '{print $1}'

> Beside them, is any potential possibility to have something build-in
> in BIND config/zone file as kind of beautiful (my, and my team,
> personal point of view) solution?

I wonder if the $GENERATE directive could work for you.

Not sure...

http://www.zytrax.com/books/dns/ch8/generate.html

--
Marco
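An added example (not from either message, and not BIND's code) that computes these names in Python: the full ip6.arpa name that the quoted dig one-liner extracts, and the owner name relative to a reverse zone's $ORIGIN, which is what the proposed $REVERSE() directive would have produced. The /64 and the host address in the sample are constructed to match the zone snippet quoted above.

```python
import ipaddress

def reverse_name(addr):
    """Full ip6.arpa owner name, what `dig -x` shows in its QUESTION section."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def _nibbles(ip):
    # 32 hex digits, zero-padded, with the colons removed.
    return ip.exploded.replace(":", "")

def zone_origin(prefix):
    """$ORIGIN of the reverse zone covering `prefix` (CIDR notation)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 (nibble boundary)")
    head = _nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(head)) + ".ip6.arpa."

def relative_reverse(addr, prefix):
    """Owner name of `addr` relative to zone_origin(prefix), as in a zone file."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    ip = ipaddress.IPv6Address(addr)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 (nibble boundary)")
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    tail = _nibbles(ip)[net.prefixlen // 4:]   # nibbles beyond the prefix
    return ".".join(reversed(tail))

def ptr_zone_fragment(prefix, hosts):
    """Render a $ORIGIN line plus one PTR per (address, hostname) pair."""
    lines = [f"$ORIGIN {zone_origin(prefix)}"]
    for addr, target in hosts:
        lines.append(f"{relative_reverse(addr, prefix)} PTR {target}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed host inside the /64 used as $ORIGIN in the quoted zone snippet.
    print(ptr_zone_fragment("2001:1a1:4d00::/64", [
        ("2001:1a1:4d00:0:6500:1c06:5000:a101",
         "xe-3-0-3-101.ar.par1.fr.netname.net."),
    ]))
```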


Strange issue - please enlighten me

2010-02-19 Thread Marco Davids (SIDN)
Hi,

I ran into an unclear situation while trying to resolve certain domains.
It happened when I tried with 9.7.0rc1, 9.7.0b and also with 9.7.0. I
don't have a whole lot of other BIND versions at my disposal, but I
found an older one, 9.3.4-P1.2, and that one works fine.

One of the domains that suffers from this issue is www.airfrance.fr. It
gives a SERVFAIL:

; <<>> DiG 9.7.0rc1 <<>> www.airfrance.fr @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65377
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.airfrance.fr.  IN  A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 19 19:03:35 2010
;; MSG SIZE  rcvd: 34


Anyone any clue? I am trying to understand why some resolvers handle
this query well, while BIND 9.7.x returns a SERVFAIL.

dig +trace www.airfrance.fr works as expected.

logging says:

lame-servers: info: lame server resolving 'www.airfrance.fr' (in
'www.airfrance.fr'?): 193.57.219.253#53

Thank you.

Regards,

--
Marco Davids



Re: bind multi-threaded question

2010-04-28 Thread Marco Davids (SIDN)
max power wrote:
> i am running bind on chroot jail, every thing is working fine
> i only got one bind process ?
> multi-threaded is enabled when compile , but should i find 8 processes
> how can i be sure that bind is using 8 threads

Running Linux?

You may want to try adding a 'proc'-directory in your chroot jail.

Something like:

mkdir /chroot/bind/proc
mount --bind /proc /chroot/bind/proc

and then in your /etc/fstab add something like this:

/proc /chroot/bind/proc none bind,ro 0 0

Regards,

-- 
Marco Davids
Technical Advisor
SIDN


ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
Hi,

Can anyone explain to me why the 'ad'-flag is set for this query?

dig +dnssec -t RRSIG www.forfunsec.org

How does a validating resolver determine that such an answer is secure?

Thank you.

-- 
Marco Davids


Re: ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
On 07/13/10 23:58, Doug Barton wrote:

>> Can anyone explain to me why the 'ad'-flag is set for this query?
>>
>> dig +dnssec -t RRSIG www.forfunsec.org
> 
> I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
> version of BIND are you using?
> 

Hi Doug,

I use BIND 9.7.0rc1, configured to work with the IANA testbed.

dig +dnssec rrsig www.forfunsec.org @149.20.64.20

has the AD flag too, though. It runs BIND 9.6.1-P2 (DNS-OARC
validating resolvers).

The other one, 149.20.64.21, doesn't have it (Unbound).

Regards

--
Marco


Re: ad flag for RRSIG queries

2010-07-14 Thread Marco Davids (SIDN)
On 07/14/10 00:43, Doug Barton wrote:

>>>> Can anyone explain to me why the 'ad'-flag is set for this query?
>>>>
>>>> dig +dnssec -t RRSIG www.forfunsec.org
>>>
>> I use BIND 9.7.0rc1, configured to work with the IANA testbed.

> I'd be interested to see what happens if you upgrade to the latest
> versions in each branch (the 9.7.x server above
> What you're seeing sounds like a bug, hopefully one that's been fixed
> (as it seems to be in 9.7.1-P1).

I just upgraded one machine to 9.7.1-P1 (configured to use DLV).

Same result...

; <<>> DiG 9.7.1-P1 <<>> +dnssec rrsig www.iis.se @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48545
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.iis.se.IN  RRSIG

;; ANSWER SECTION:
www.iis.se. 6   IN  RRSIG   A 5 3 60 20100723102502 
20100713102502 3932
iis.se. MF5Qq5yBzQ+ZvDvcfGBoVn6ym3EzCOVVqQY2ghVxBoSCQ9Hrh1/0nOj9
39Mr5incAefjg0mXSSvDo9WqFUm1cqUcQ4UJuOoT7VzDiC2OilAxr2xe
fo6pivkNlHGIPzbXjSrq65292YIKgQnPXleTtH4HepUmn6bESQI/ioaB 9xk=

;; AUTHORITY SECTION:
iis.se. 3545IN  NS  ns2.nic.se.
iis.se. 3545IN  NS  ns.nic.se.
iis.se. 3545IN  NS  ns3.nic.se.
iis.se. 3545IN  RRSIG   NS 5 2 3600 20100723102502 
20100713102502 3932
iis.se. JRJ11qCnEFgVFY0ZDfevfd7Colywb7tlgFXWXOjq0ikqCX8lvcIBKbik
RQ+NqwBsHE4aa4E9QLVaruFTg+5tYIKWdonDjk8Kon+8f4oAf9cy9Yjs
Ldg0N6wa2HsTlHAq+EdlvXKgZvs8qCkY87iwkVLqn0bp704yacQhVKIQ yXA=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 14 04:46:41 2010
;; MSG SIZE  rcvd: 428


dig +short chaos txt version.bind @localhost
"9.7.1-P1"

--
Marco



DNAME + DNSSEC

2016-10-20 Thread Marco Davids (SIDN)
Hi,

I noticed some inconsistent behavior in a particular setup where a DNAME
is involved and I am trying to figure out who is right and who is wrong.

Players involved on the resolving side are:

Google Public DNS (resolves without an error)
BIND (often results in a timeout and a log-rule saying: "unrelated DNAME
in answer")
Unbound (results in a SERVFAIL)

On the authoritative side the players are:

PowerDNS
BIND
NSD

The query-type (A yields other results than ANY).

The query to test is for example:

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.bergzand.nl

I believe both bergzand.nl and bergzand.net are hosted on PowerDNS.

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.scintilla.nl

This domain is served from BIND.

For testing-purposes I tried to simulate the situation in sidnlabs.nl:

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.sidnlabs.nl

sidnlabs.nl is served from BIND, but example.nl (the DNAME) is served
from BIND and NSD.

I guess I have these questions for the reader:

- Is it ok for BIND to have a timeout?
- Why does Google resolve, why does Unbound result in a SERVFAIL, and who
is right?
- Is there an authoritative server (PowerDNS perhaps?) not doing the
right thing?

I've been looking at this matter for too long, so this is the time to ask for
your help. It didn't help that DNS-OARC's open BIND resolver
(184.105.193.73) broke down, having the same effect as a timeout.

Thanks.

--
Marco




Re: DNAME + DNSSEC

2016-10-20 Thread Marco Davids (SIDN)


On 20/10/2016 14:41, Marco Davids (SIDN) wrote:

> For testing-purposes I tried to simulate the situation in sidnlabs.nl:
> 
> dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.sidnlabs.nl

ERROR!

That should be:

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.dname.sidnlabs.nl

--
Marco





make AAAA type the default for dig

2017-06-14 Thread Marco Davids (SIDN)

Hi,

Not sure if this has been proposed before, but I am wondering:

Has ISC ever considered changing the default 'dig -t' option from A to
AAAA?


--
Marco




Re: Proper Way to Configure a Domain which never sends emails

2019-08-20 Thread Marco Davids via bind-users
A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful.

--
Marco

On 19/08/2019 23:31, Kevin Darcy wrote:
> [ Classification Level: PUBLIC ]
> 
> MXes are for *receiving* mail of course. The request is about *sending*
> mail.
> 
> Setting the SPF record to "-all" is probably about the best you can do,
> since AFAIK there is no universally-recognized way to signal "domain X
> never sends mail".
> 
> Ironically, in order to prevent anyone from accepting mail purportedly
> from your domain, you might want to make yourself look as much as
> possible like SPAM or malware.
> 
> Perhaps you could volunteer your domain to be added to one or more of
> the public SMTP blacklists? :-)
> 
> - Kevin
> 
> On Mon, Aug 19, 2019 at 10:34 AM Barry Margolin <bar...@alum.mit.edu> wrote:
> 
> In article <mailman.930.1566219505.711.bind-us...@lists.isc.org>,
>  Ignacio García <y...@ignasi.com> wrote:
> 
> > Hi there.
> >
> > Thanks for your support. First message to the list, sorry if already
> > posted a similar question, but I haven't found mention anywhere.
> >
> > I have to set up dns records for a domain just for a web site, for
> > which we will NEVER send emails (though we might receive some from old
> > customers), so I would like to announce somehow that emails sent from
> > this domain should always be disregarded. I was thinking of setting just
> > A and AAAA records for @ and www, NS records, MX records (for receiving)
> > and SPF with a record just consisting of v=spf1 -all, not declaring an
> > A and MX records at all. I'm not sure at all this is a proper way of
> > declaring this. In fact, what I would like is to EXPLICITLY mention
> > somehow that we will never send emails from that domain. Could anybody
> > help me with this?
> 
> A common practice is to point the MX record to ".".
> 
> -- 
> Barry Margolin
> Arlington, MA



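An added example, not from the thread, that lints a zone's records against what the replies converge on: an SPF record of exactly "v=spf1 -all", a DMARC policy of p=reject, and, as a separate question, the null MX that also refuses inbound mail. The records are constructed and example.org stands in for the domain.

```python
def parse_spf(txt):
    """Return the terms after 'v=spf1', or None if txt is not an SPF record."""
    terms = txt.strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]

def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if txt is not a DMARC record."""
    tags = {}
    for part in txt.strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def null_mx(zone, records):
    """True when the only MX is the null MX '0 .' (RFC 7505), which refuses
    inbound mail as well; the thread treats that as a separate decision."""
    mx = [r.split() for o, t, r in records if o == zone and t == "MX"]
    return mx == [["0", "."]]

def check_no_mail(zone, records):
    """Lint (owner, rtype, rdata) records of `zone` (FQDN with trailing dot).
    Returns (ok, findings); each finding names one deviation from the pattern."""
    findings = []
    spf = [r for o, t, r in records
           if o == zone and t == "TXT" and parse_spf(r) is not None]
    dmarc = [r for o, t, r in records
             if o == f"_dmarc.{zone}" and t == "TXT" and parse_dmarc(r) is not None]
    if len(spf) != 1:
        findings.append(f"expected one SPF record at {zone}, found {len(spf)}")
    elif parse_spf(spf[0]) != ["-all"]:
        # Any mechanism before "all", or a ~all/?all, still lets forged mail pass.
        findings.append(f"SPF should be exactly 'v=spf1 -all', got {spf[0]!r}")
    if len(dmarc) != 1:
        findings.append(f"expected one DMARC record at _dmarc.{zone}, found {len(dmarc)}")
    elif parse_dmarc(dmarc[0]).get("p", "").lower() != "reject":
        findings.append(f"DMARC policy should be p=reject, got {dmarc[0]!r}")
    return (not findings, findings)

# Constructed records: a domain set up as the thread suggests (it still
# receives mail), and one with the softer settings people often start with.
NEVER_SENDS = [
    ("example.org.", "TXT", "v=spf1 -all"),
    ("_dmarc.example.org.", "TXT", "v=DMARC1; p=reject"),
    ("example.org.", "MX", "10 mail.example.org."),
]
LEAKY = [
    ("example.org.", "TXT", "v=spf1 mx ~all"),
    ("_dmarc.example.org.", "TXT", "v=DMARC1; p=none"),
    ("example.org.", "MX", "0 ."),   # null MX: no inbound mail either
]

if __name__ == "__main__":
    for label, recs in (("never-sends", NEVER_SENDS), ("leaky", LEAKY)):
        print(label, check_no_mail("example.org.", recs), "null MX:", null_mx("example.org.", recs))
```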

