Windows 2008 R2 validating DNSSEC resolvers
I know this is a bind list, but does anyone know any public information about when/if Microsoft is going to release a SHA2 compatible DNS server so it can be used as a validating DNSSEC resolver without forwarders? Since the root trust anchor is published in SHA2, currently it can't be used (unless someone knows a workaround).

Thanks.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
Cisco ACE config for internal DNS load balancing
Anyone have any suggestions/best practices/config examples for DNS load balancing for internal use on CISCO ACE blades? I've got the standard example working, but wondered about keepalive frequency, timeouts, fragments, etc. Anyone got any examples they use that they could share?

----
Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
RE: Configuring CNAME for nosslsearch.google.com
Actually, this can be done.

Create a zone file for "www.google.com", not "google.com". The zone file should look like this (replace THIS_HOSTNAME with the name of your nameserver):

@ IN SOA localhost root@localhost. (
        2012041100
        7200
        1800
        1209600
        300 )

  IN NS THIS_HOSTNAME

  IN CNAME nosslsearch.google.com.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: bind-users-bounces+mhuff=ox@lists.isc.org [mailto:bind-users-bounces+mhuff=ox@lists.isc.org] On Behalf Of Lyle Giese
> Sent: Monday, April 16, 2012 8:50 AM
> To: bind-users@lists.isc.org
> Subject: Re: Configuring CNAME for nosslsearch.google.com
>
> On 4/16/2012 3:30 AM, Phil Mayers wrote:
> > On 04/15/2012 11:40 PM, Tobias Krais wrote:
> >> Hi Ben,
> >>
> >> hmm. How can I manage what google suggests:
> >> "Information for school network administrators about the No-SSL option
> >>
> >> To utilize the no SSL option for your network, configure the DNS
> >> entry for www.google.com to be a CNAME for nosslsearch.google.com."
> >> Source:
> >> http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669.
> >>
> >> You can find this quite at the end of the document.
> >>
> >> How can I realize such a configuration in bind?
> >
> > As you've been told, you can't. CNAMEs can't live at zone apex, so you
> > can't have a CNAME at the zone apex of "www.google.com". And if you create
> > "google.com" as a zone, all other hostnames will be blackholed,
> > including "nosslsearch.google.com".
> >
> > I don't know why Google have made that suggestion; it's a bad
> > suggestion, that's not supported by many nameservers.
> >
> > I personally think it's a bad idea to try and disable SSL search for
> > your users too, but that's your decision.
> >
> > "unbound" might be able to do this, with a transparent local-zone and
> > local-data override for "www.google.com".
>
> Or did they really mean, create a hosts file on the local machine that
> contains...
>
> Or in your proxy server redirect www.google.com to
> nosslsearch.google.com
>
> DNS server software is not very supportive of doing this for good
> reasons.
>
> Lyle Giese
> LCR Computer Services, Inc.
RE: Configuring CNAME for nosslsearch.google.com
I had forgotten that about CNAME. But you can hard-code an A record to the nosslsearch.google.com record.

We have to use this technique (we point the A record to a proxy) for regulatory reasons to block IM connections except through our IM proxy.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: bind-users-bounces+mhuff=ox@lists.isc.org [mailto:bind-users-bounces+mhuff=ox@lists.isc.org] On Behalf Of Alan Clegg
> Sent: Monday, April 16, 2012 9:53 AM
> To: bind-users@lists.isc.org
> Subject: Re: Configuring CNAME for nosslsearch.google.com
>
> On 4/16/2012 9:40 AM, Matthew Huff wrote:
> > Actually, this can be done.
> >
> > Create a zone file for "www.google.com", not "google.com". The zone
> > file should look like this (replace THIS_HOSTNAME with the name of your
> > nameserver):
> >
> > @ IN SOA localhost root@localhost. (
> >         2012041100
> >         7200
> >         1800
> >         1209600
> >         300 )
> >
> >   IN NS THIS_HOSTNAME
> >
> >   IN CNAME nosslsearch.google.com.
>
> Which isn't legal since you can't have a CNAME and another RR at the
> same label.
>
> AlanC
> --
> a...@clegg.com | acl...@infoblox.com
> 1.919.355.8851
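The objection raised in this thread (a CNAME cannot share its owner name with other records, and a zone apex always carries SOA and NS) can be checked mechanically. The following is an added example, not code from any of the posters: a simplified zone-file reader whose function names are hypothetical, run over the zone as posted and over a variant using an A record with a documentation address (192.0.2.10) as an assumed stand-in.

```python
import re

# Zone file as posted in the thread; THIS_HOSTNAME is the author's placeholder.
POSTED_ZONE = """\
@ IN SOA localhost root@localhost. (
        2012041100
        7200
        1800
        1209600
        300 )
  IN NS THIS_HOSTNAME
  IN CNAME nosslsearch.google.com.
"""

# Variant from the follow-up message: an address record instead of the CNAME.
# 192.0.2.10 is a documentation address used here as an assumption.
A_RECORD_ZONE = POSTED_ZONE.replace(
    "IN CNAME nosslsearch.google.com.", "IN A 192.0.2.10")

CLASSES = {"IN", "CH", "HS"}
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}  # DNSSEC records may accompany a CNAME


def logical_lines(text):
    """Yield records with ';' comments removed and ( ... ) continuations joined.

    Simplification: a ';' inside a quoted string is treated as a comment.
    """
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        # Keep leading whitespace of the first physical line: it signals
        # "same owner as the previous record".
        buf = line if not buf else buf + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield buf.replace("(", " ").replace(")", " ")
            buf, depth = "", 0


def rrtypes_by_owner(text, origin):
    """Map each owner name to the set of RR types defined for it."""
    owners, current = {}, None
    for rec in logical_lines(text):
        if rec.startswith("$"):
            continue  # $TTL / $ORIGIN directives are ignored in this sketch
        tokens = rec.split()
        if not rec[0].isspace():
            name = tokens.pop(0)
            if name == "@":
                current = origin
            elif name.endswith("."):
                current = name
            else:
                current = name + "." + origin
        # Skip the optional TTL and class, in either order.
        while tokens and (tokens[0].upper() in CLASSES
                          or re.fullmatch(r"\d+[smhdwSMHDW]?", tokens[0])):
            tokens.pop(0)
        if tokens and current:
            owners.setdefault(current.lower(), set()).add(tokens[0].upper())
    return owners


def cname_conflicts(text, origin):
    """Return {owner: [other types]} where a CNAME shares its owner name."""
    result = {}
    for owner, types in rrtypes_by_owner(text, origin).items():
        others = types - {"CNAME"} - ALLOWED_WITH_CNAME
        if "CNAME" in types and others:
            result[owner] = sorted(others)
    return result


if __name__ == "__main__":
    print(cname_conflicts(POSTED_ZONE, "www.google.com."))
    print(cname_conflicts(A_RECORD_ZONE, "www.google.com."))
```

BIND applies the same rule when it loads a zone and reports the violation as "CNAME and other data".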
Suggestions for primary DNS hosting
Within the last few years, we have drastically reduced our DNS footprint, as well as our datacenter size. We are looking to migrate our primary DNS to a provider, but I'm having trouble finding ones that meet our requirements:

1) Provide primary DNS without necessarily being the registrar for the domain
2) Provide primary DNS for both forward and reverse zones.
3) Support IPv4 and IPv6 records
4) Provide IPv6 nameservers (not required, but nice to have)
5) Allow arbitrary RR records such as SPF, TXT, etc...

Any suggestions?
RE: loads of Query denied... is it an attack or a misconfiguration ?
I've been aware of this problem since it first came up on this and nanog's list, but I'm having some configuration issues trying to make the upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS queries being answered in the log:

11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +

My config follows, any suggestion?

options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    dump-file "/var/adm/named.dump";
    zone-statistics yes;

    notify no;

    transfer-format many-answers;
    max-transfer-time-in 60;
    interface-interval 0;

    recursion no;

    allow-transfer { xfer; };
    allow-query { none; };
    allow-recursion { none; };

    additional-from-auth no;
    additional-from-cache no;
};

view "internal-in" in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    zone "." in {
        type hint;
        file "db.cache";
    };

    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "master/db.127.0.0";
        allow-query {
            any;
        };
        allow-transfer { none; };
    };

    zone "foo.com" in {
        type master;
        file "master/db.foo";
    };

    ...
    ...
    ...

};

view "external-in" in {
    match-clients { any; };
    recursion no;

    allow-transfer { xfer; };
    allow-query { none; };
    allow-recursion { none; };

    additional-from-auth no;
    additional-from-cache no;

    zone "." in {
        type hint;
        file "db.cache";
    };

    zone "foo.com" in {
        type master;
        file "master/db.foo";
        allow-query { any; };
    };

    ...
    ...
    ...
};

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
RE: loads of Query denied... is it an attack or a misconfiguration ?
Thanks to David Forrest, I realize now that the query IS being refused, however nothing in the bind log shows the refusal. Is there any way to see that in the log?

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: David Forrest [mailto:d...@maplepark.com]
> Sent: Wednesday, February 11, 2009 10:11 AM
> To: Matthew Huff
> Cc: 'bind-users@lists.isc.org'
> Subject: RE: loads of Query denied... is it an attack or a misconfiguration ?
>
> On Wed, 11 Feb 2009, Matthew Huff wrote:
>
> > I've been aware of this problem since it first came up on this and nanog's
> > list, but I'm having some configuration issues trying to make the upward
> > referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS
> > queries being answered in the log:
> >
> > 11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
> > 11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
> > 11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
> >
> > My config follows, any suggestion?
> >
> > options {
> >     directory "/var/named";
> >     pid-file "/var/named/named.pid";
> >     statistics-file "/var/named/named.stats";
> >     memstatistics-file "/var/named/named.memstats";
> >     dump-file "/var/adm/named.dump";
> >     zone-statistics yes;
> >
> >     notify no;
> >
> >     transfer-format many-answers;
> >     max-transfer-time-in 60;
> >     interface-interval 0;
> >
> >     recursion no;
> >
> >     allow-transfer { xfer; };
> >     allow-query { none; };
> >     allow-recursion { none; };
> >
> >     additional-from-auth no;
> >     additional-from-cache no;
> > };
> >
> > view "internal-in" in {
> >     match-clients { trusted; };
> >     recursion yes;
> >     additional-from-auth yes;
> >     additional-from-cache yes;
> >     allow-query { trusted; };
> >     allow-recursion { trusted; };
> >     allow-query-cache { trusted; };
> >
> >     zone "." in {
> >         type hint;
> >         file "db.cache";
> >     };
> >
> >     zone "0.0.127.in-addr.arpa" in {
> >         type master;
> >         file "master/db.127.0.0";
> >         allow-query {
> >             any;
> >         };
> >         allow-transfer { none; };
> >     };
> >
> >     zone "foo.com" in {
> >         type master;
> >         file "master/db.foo";
> >     };
> >
> >     ...
> >     ...
> >     ...
> >
> > };
> >
> > view "external-in" in {
> >     match-clients { any; };
> >     recursion no;
> >
> >     allow-transfer { xfer; };
> >     allow-query { none; };
> >     allow-recursion { none; };
> >
> >     additional-from-auth no;
> >     additional-from-cache no;
> >
> >     zone "." in {
> >         type hint;
> >         file "db.cache";
> >     };
> >
> >     zone "foo.com" in {
> >         type master;
> >         file "master/db.foo";
> >         allow-query { any; };
> >     };
> >
> >     ...
> >     ...
> >     ...
> > };
>
> Matthew, the querylog shows what was queried. To see what is answered try
> digging your external interface.
>
> Here is my external view:
>
> view "external" { // Primary nameserver for maplepark.com.
>     match-clients { any; };
>     recursion no;
>     additional-from-cache no;
>     // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
>
>     zone "maplepark.com"{
>         type master;
>         notify yes;
>         allow-transfer { slave-name-servers; };
>         file "/var/named/drf/external/maplepark.com.external.";
>     };
>
>     zone &quo
client query logging (refused message)
In my logging global section I have:

logging {
    channel audit_log {
        file "/var/log/named_audit.log" versions 128 size 4m;
        severity debug;
        print-time yes;
        print-category yes;
    };
    ...
    category client { audit_log; };
    ...
};

and I get:

...
17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view external-in: query: . IN NS +
...

logged, and I have verified that the query is refused, but nothing in the log shows that it was refused. Is there any way to log the success/failure of the queries?

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
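The query-log entries quoted in this thread record only the question each client asked, so the repeated `. IN NS` lookups have to be picked out by pattern. The following is an added example, not code from the posters: it parses the log format shown above, decodes the flag field, and summarises clients that keep asking for the root NS set. The sample lines are constructed with documentation addresses, and the function names and the `min_count` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the query-log format quoted in the thread
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
11-Feb-2009 09:34:25.489 queries: client 192.0.2.4#53715: view external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 198.51.100.15#58313: view external-in: query: example.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 192.0.2.4#48472: view external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 198.51.100.11#59164: view external-in: query: example.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 192.0.2.4#39942: view external-in: query: . IN NS +
11-Feb-2009 09:37:33.388 queries: client 192.0.2.4#11158: view external-in: query: . IN NS +
this line is not a query log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: )?client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-][A-Z]*)"
)

# Letters that may follow the +/- marker: '+' means the client set
# Recursion Desired, '-' means it did not.
FLAG_NAMES = {"S": "TSIG-signed", "E": "EDNS", "T": "TCP", "D": "DO", "C": "CD"}


def parse_line(line):
    """Parse one query-log entry; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec["rd"] = rec["flags"][0] == "+"
    rec["flags"] = [FLAG_NAMES.get(c, c) for c in rec["flags"][1:]]
    return rec


def root_ns_summary(lines, min_count=3):
    """Group '. IN NS' queries by (client, view) and report repeat askers."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qname"] == "." and rec["qtype"].upper() == "NS":
            seen[(rec["ip"], rec["view"])].append(rec["ts"])
    report = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        report[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            # Guard against a single-entry group when min_count is 1.
            "mean_interval_s": round(span / max(len(stamps) - 1, 1), 1),
        }
    return report


if __name__ == "__main__":
    for (ip, view), info in root_ns_summary(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} view={view}: {info['count']} root NS queries, "
              f"about every {info['mean_interval_s']}s")
```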
RE: rndc stats - 9.5.0-p2
There may be more than one "named" binary in your path. You may want to do an explicit reference to check the version (./named -V) or do a "which named".

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Cihan Subasi (Garanti Teknoloji)
> Sent: Tuesday, February 17, 2009 7:51 AM
> To: bind-users@lists.isc.org
> Cc: c...@hermes.cam.ac.uk
> Subject: RE: rndc stats - 9.5.0-p2
>
> I think you're right, when I check the file sizes they are not same but
> versions are matching...
>
> short
>
> --
> #ls -la
> total 48166
> drwxr-xr-x 2 root other 512 Aug 15 2008 .
> drwxr-xr-x 13 root other 512 Nov 21 14:02 ..
> -rwxr-xr-x 1 root other 1199932 Aug 15 2008 dnssec-keygen
> -rwxr-xr-x 1 root other 3675504 Aug 15 2008 dnssec-signzone
> -rwxr-xr-x 2 root other 5134128 Aug 15 2008 lwresd
> -rwxr-xr-x 2 root other 5134128 Aug 15 2008 named
> -rwxr-xr-x 1 root other 3816336 Aug 15 2008 named-checkconf
> -rwxr-xr-x 1 root other 3624412 Aug 15 2008 named-checkzone
> lrwxrwxrwx 1 root other 15 Aug 15 2008 named-compilezone -> named-checkzone
> -rwxr-xr-x 1 root other 847676 Aug 15 2008 rndc
> -rwxr-xr-x 1 root other 1136800 Aug 15 2008 rndc-confgen
> /usr/local/sbin
> #named -v
> BIND 9.5.0-P2
> /usr/local/sbin
>
> long--
> [garanti2]ls -la
> total 158646
> drwxr-xr-x 2 bin bin 512 Nov 26 17:10 .
> drwxr-xr-x 15 root other 512 Nov 26 17:01 ..
> -rwxr-xr-x 1 root other 3318808 Nov 26 17:10 dnssec-keygen
> -rwxr-xr-x 1 bin bin 5182984 Mar 25 2004 dnssec-makekeyset
> -rwxr-xr-x 1 bin bin 5184180 Mar 25 2004 dnssec-signkey
> -rwxr-xr-x 1 root other 9997148 Nov 26 17:10 dnssec-signzone
> -rwxr-xr-x 2 root other 15535428 Nov 26 17:10 lwresd
> -rwxr-xr-x 2 root other 15535428 Nov 26 17:10 named
> -rwxr-xr-x 1 root other 10443912 Nov 26 17:10 named-checkconf
> -rwxr-xr-x 1 root other 9923952 Nov 26 17:10 named-checkzone
> lrwxrwxrwx 1 root other 15 Nov 26 17:10 named-compilezone -> named-checkzone
> -rwxr-xr-x 1 root other 2917848 Nov 26 17:10 rndc
> -rwxr-xr-x 1 root other 3061584 Nov 26 17:10 rndc-confgen
> [garanti2]named -v
> BIND 9.5.0-P2
>
> -----Original Message-----
> From: Chris Thompson [mailto:c...@hermes.cam.ac.uk] On Behalf Of Chris Thompson
> Sent: Tuesday, February 17, 2009 2:40 PM
> To: Cihan Subasi (Garanti Teknoloji)
> Cc: Bind Users Mailing List
> Subject: Re: rndc stats - 9.5.0-p2
>
> On Feb 17 2009, Cihan Subasi (Garanti Teknoloji) wrote:
>
> >When I run "rndc stats" on two different servers with 9.5.0-p2, I am
> >getting two different dumps of stats, one of them dumps the stats in
> >very short format
> >(7 lines), the other dumps it in very long format (50-60lines per
> >dump)..What could be the difference on both? thank you
>
> Are you *sure* they are both running BIND 9.5.0-P2 ? Much the most
> likely explanation is that the one producing short statistics is a pre
> 9.5 version.
> I don't believe that BIND 9.5.x even includes any code to generate the
> old format.
>
> --
> Chris Thompson
> Email: c...@cam.ac.uk
RE: Adding records to a domain I don't control for anyone who uses my nameserver
Try creating a zone file _xmpp_client._tcp.example.com and put the SRV record in there. Treat the host as an entire domain.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Brandon Dimcheff
> Sent: Thursday, February 26, 2009 2:10 PM
> To: bind-users@lists.isc.org
> Subject: Adding records to a domain I don't control for anyone who uses my nameserver
>
> Hello,
>
> I'm trying to configure BIND to add some records to a domain that I
> don't control, so that anybody who uses my nameserver will have the
> additional records. Specifically, I'm trying to add xmpp SRV records
> so our jabber infrastructure that uses our nameserver can contact a
> handful of domains properly. All other records for the domain should
> work as defined by their authoritative server.
>
> Example:
>
> dig @127.0.0.1 SRV _xmpp_client._tcp.example.com. should return my SRV
> record hosted by my server
> dig @127.0.0.1 A example.com should return example.com's A record by
> recursive lookup
>
> Does anybody have any suggestions? I've tried a few different things,
> but none of them seem to have worked.
>
> Thanks,
> Brandon
RE: Adding records to a domain I don't control for anyone who uses my nameserver
Unfortunately this is common in the financial services realm. Compliance requires us to archive all IM messages from google, aol, msn, and yahoo. Blocking it with acls doesn't work since the IM clients will resort to http and are pretty clever about hiding it. Blocking IP addresses doesn't work since they change frequently. Spoofing the dns zones is the only solution. The IM archive server companies usually provide email updates when some of the zones change.

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sam Wilson
Sent: Monday, March 02, 2009 12:56 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Adding records to a domain I don't control for anyone who uses my nameserver

In article , Barry Margolin wrote:

> In article ,
> Brandon Dimcheff wrote:
>
> > Hello,
> >
> > I'm trying to configure BIND to add some records to a domain that I
> > don't control, so that anybody who uses my nameserver will have the
> > additional records. Specifically, I'm trying to add xmpp SRV records
> > so our jabber infrastructure that uses our nameserver can contact a
> > handful of domains properly. All other records for the domain should
> > work as defined by their authoritative server.
> >
> > Example:
> >
> > dig @127.0.0.1 SRV _xmpp_client._tcp.example.com. should return my SRV
> > record hosted by my server
> > dig @127.0.0.1 A example.com should return example.com's A record by
> > recursive lookup
> >
> > Does anybody have any suggestions? I've tried a few different things,
> > but none of them seem to have worked.
>
> I don't think you can do this with BIND. Its database is organized by
> names, not types. If a server is authoritative for a name, it will
> never recurse for that name.

He could create a local zone for the domain _xmpp_client._tcp.example.com containing only the SRV record (plus the necessary SOA and NS records). That way any lookups for *.example.com and *._tcp.example.com would get directed to the real example.com servers.

It's a horrible thing to do, though, to claim authority for someone else's address space. What happens when example.com sets up its own _xmpp_client._tcp.example.com with different data in it? Who debugs that?

Sam
RE: 2GB Memory Limits on Solaris 10
enable-largefile support turns on 64 bit filesystem, but not 64 bit memory. Normally under Solaris even a 32 bit process should be able to use the full 4GB address space (or at least 3.5-3.8GB). Try checking your ulimits in the script that starts the process.

BTW, by default the named process even on a 64 bit system is compiled in 32 bit mode. The main reason is that any other libraries it might use (openssl, etc) will also need to have 64 bit versions.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Raymond Popowich
Sent: Monday, June 08, 2009 3:35 PM
To: bind-users@lists.isc.org
Subject: 2GB Memory Limits on Solaris 10

Hello,

I am running several Bind 9.6.0-P1 DNS resolvers on Solaris 10. The largest does around 2500 queries/second at peak times. They are configured with --enable-largefile support. About once a month I am having a problem with the largest resolvers breaking when the named process hits 2GB. I've logged a few different errors including file descriptor limits which I increased when that happened, to increasing the option for max-cache-size, to my current errors such as ns_client_replace() failed: out of memory. The servers have 8GB of physical memory. I am OK with telling bind to use an unlimited amount of resources or specifying a double in the current maximum up to 4GB.

Would it be possible for someone to provide a full list of all of the named.conf options that I need to specify in named.conf and increase from the default settings? I've been fixing these errors one at a time for a while now and I really can't afford to keep troubleshooting this problem by waiting for new errors to happen.

Thank you for your time,
-Raymond
RE: A simple question, please help
You don't need the zone entry. In your options configuration add:

...
forwarders { 208.67.222.222; 208.67.220.220; };
forward only;
...

And restart. This will make your named server a forward only name server.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ken Lai
Sent: Sunday, July 19, 2009 2:52 AM
To: bind-us...@isc.org
Subject: A simple question, please help

my bind server have a default option

forwarders { 208.67.222.222; 208.67.220.220; };

to send all query to OpenDNS. but some answer could not access, while a answer can which solved by another server

i put these in the config:

zone "x.com" {
    type forward;
    forwarders { x.x.x.x; };
};

but this not work. how can i make this happen. THANKS.
Disable automatic empty IPv6 zones (with -4 already specified)
Is there any way to disable BIND from loading the automatic empty zones (D.F.IP6.ARPA, etc...)? They are being generated even with the -4 command line.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
RE: Disable automatic empty IPv6 zones (with -4 already specified)
No, I guess not :)

Thanks. I looked for something like that, but my google-fu was lacking.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
> Sent: Thursday, July 30, 2009 10:44 AM
> To: bind-users@lists.isc.org
> Subject: Re: Disable automatic empty IPv6 zones (with -4 already specified)
>
> On 30.07.09 10:35, Matthew Huff wrote:
> > Is there any way to disable BIND from loading the automatic empty zones
> > (D.F.IP6.ARPA, etc...)? They are being generated even with the -4 command
> > line.
>
> have you looked at the disable-empty-zone configuration directive?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Linux IS user friendly, it's just selective who its friends are...
RE: linux chroot reqs changed?
I would assume it's using udp/tcp socket to the loopback interface instead of the file.

-----Original Message-----
From: bind-users-bounces+mhuff=ox@lists.isc.org [mailto:bind-users-bounces+mhuff=ox@lists.isc.org] On Behalf Of Rick Dicaire
Sent: Thursday, February 18, 2010 4:17 PM
To: Bind Users Mailing List
Subject: linux chroot reqs changed?

Hi folks...after a little experimentation today I've discovered certain files are no longer used in a linux chroot. Linux kernel versions 2.6.2x. Bind versions tested were 9.6.1-P3 and 9.7.0, both compiled from src (not distro pkgs), and started with:

/usr/sbin/named -t /var/named -u username

Used to be you needed to have (r)syslogd add a listening socket to $CHROOT/dev, have $CHROOT/dev/null, and $CHROOT/dev/random.

I removed $CHROOT/dev/null, disabled the extra syslogd socket for $CHROOT/dev/log. Using lsof, it now seems only $CHROOT/dev/random is opened by named, /dev/null is opened. named still logs to syslog, and I can't figure out how syslog is accessed, is it via /dev/log (I don't see it opened by named)?

Thanks

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u