named.conf splitting

2012-02-17 Thread Nick Edwards
Hi,
In a recent discussion on another list, the pros and cons of splitting
the main conf file into per-domain files were discussed.

In bind's case it would be to /etc/named.d/*.conf
So each zone would have a file in that directory containing only the
relevant info, e.g.:

zone "example.com" {
type master;
allow-transfer { slavesdns; };
file "example.com.signed";
allow-query { any; };
allow-update { none; };
};

That's it, nothing more; rather than having 2000 entries in named.conf,
we would have 2000 conf files to be read (yes, in addition to the 2000
actual zone files).

With apache it takes only 2 or so more seconds to start and reload
doing it this way, so I know that bind will take longer, it has to
with all those open/read/close files. At present bind starts up in
about 9 seconds due to 17K zones, so I'd imagine this would take even up
to 15 seconds.

My question is, has anyone done this with success or failure?
Would a named developer know if it's safe or detrimental to do this?
Or would it simply make no difference apart from the extra time for
starts/reloads?


(This came about on another list, because we load all hosts on apache
in one file (2000 per box); recently something went wrong with sshfs
during a transaction, and in deleting a vhost block it took out about
100 of them :) so we are looking at making things a bit more
failsafe. My opinion is, if it can happen once, it can happen again;
it could have happened to a zone file, but luckily only the web conf
file.)

Thoughts anyone?

Thanks
Niki
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
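One way to get the per-zone layout described in this post with writes that cannot leave a half-edited file behind, as an added example (not code from the thread or from BIND): each stanza is written to a temporary file and renamed into place. The output directory, the zones.include file name, the helper names and the assumption that named.conf pulls in the generated list through a single include statement are all hypothetical.

```python
import os
import re
import tempfile

# Constructed sample input, modelled on the zone stanza in the post.
SAMPLE_CONF = '''\
options { directory "/var/named"; };

zone "example.com" {
    type master;
    allow-transfer { slavesdns; };
    file "example.com.signed";
    allow-query { any; };
    allow-update { none; };
};

zone "0/25.2.0.192.in-addr.arpa" {
    type master;
    file "0-25.rev";
};
'''

# A zone statement at the start of a line: zone "name" [class] {
ZONE_START = re.compile(r'^[ \t]*zone\s+"([^"]+)"[^{;]*\{', re.MULTILINE)


def extract_zone_blocks(conf_text):
    """Map zone name to its full stanza text, found by brace matching.

    Limitation: braces inside comments or quoted strings are not handled.
    """
    blocks, pos = {}, 0
    while (m := ZONE_START.search(conf_text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(conf_text):
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        end = conf_text.find(";", i)
        # A truncated file (the failure described in the post) ends up here.
        if depth or end == -1 or conf_text[i:end].strip():
            raise ValueError(f"unterminated zone block: {m.group(1)}")
        blocks[m.group(1)] = conf_text[m.start():end + 1].strip() + "\n"
        pos = end + 1
    return blocks


def safe_filename(zone):
    """Zone names may contain '/' (RFC 2317) or be '.', so never use them raw."""
    if zone == ".":
        return "root.conf"
    name = re.sub(r"[^A-Za-z0-9._-]", "_", zone).lstrip(".")
    return (name or "unnamed") + ".conf"


def atomic_write(path, text):
    """Write to a temp file in the same directory, fsync, then rename over path."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o640)
        os.replace(tmp, path)  # readers see the old file or the new one, never half
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def split_conf(conf_text, out_dir, include_path):
    """Write one file per zone plus a generated include list; return {zone: path}."""
    written = {}
    for zone, text in sorted(extract_zone_blocks(conf_text).items()):
        path = os.path.join(out_dir, safe_filename(zone))
        if path in written.values():
            raise ValueError(f"filename collision for zone {zone}")
        atomic_write(path, text)
        written[zone] = path
    atomic_write(include_path,
                 "".join(f'include "{p}";\n' for p in written.values()))
    return written
```

Running named-checkconf on the result before reloading catches a stanza that parsed here but is still invalid to named.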


DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
I am an old hand at bind, but -  DNSSEC Newbie alert :->

I am after clarification on how slaves handle DNSSEC.

I have two slaves, both were stale, like since Feb 9 ! One I directly
control, the second, I do not, so I can not provide details on how
that one is configured, but given it is a reputable provider, I assume
setup is as good or better than mine.

The zone was re-signed 3 weeks ago as 30 days, but one week ago I
re-signed it again as about 3 months using:

dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

After all this time, still no change on slaves; I had to edit the zone
(inserted a dummy TXT entry), then re-sign the zone, and then they
both picked up changes.

Shouldn't they detect the change from the increment and update? I
checked my controlled slave and it had stale RRSIGs until I altered
the actual zone, then the RRSIG updated.

my controlled servers:
Linux Slackware (x2)
Bind 9.9.0

uncontrolled server Bind 9.9.0,  RedHat (release unknown)

/options master
dnssec-enable yes;
dnssec-validation yes;

zone
type master;
allow-transfer { lan; slavedns; };
file "xx.org.signed";
allow-query { any; };
allow-update { none; };

/options slave
dnssec-enable yes;

zone
  type slave;
  masters { x.x.x.x; };
  file "xx.org";
  allow-query { any; };


Am I doing something wrong?

thanks
Nik


Re: DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
On 3/7/12, Mark Andrews  wrote:

>> resigned it again as about 3 months using:dnssec-signzone -a -e
>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>
> You should have fed dnssec-signzone the old signed zone not the unsigned
> zone.
>
> dnssec-signzone -f guilty_domain.here.signed  -N INCREMENT
> guilty_domain.here.signed
>

Thank you Mark, in all of the so-called "howto's" I've read, I recall
none of them mentioning re-signing the "signed file".
I've changed my cheat sheet to reflect that the above is only useful for
initial signing, and your example for all subsequent signings.
Thanks again.


Re: DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
On 3/8/12, Nick Edwards  wrote:
> On 3/7/12, Mark Andrews  wrote:
>
>>> resigned it again as about 3 months using:dnssec-signzone -a -e
>>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>>
>> You should have fed dnssec-signzone the old signed zone not the unsigned
>> zone.
>>
>> dnssec-signzone -f guilty_domain.here.signed  -N INCREMENT
>> guilty_domain.here.signed
>>
>
> Thank you Mark, in all of the so called "howto's" I've read, I recall
> none of them mentioning resigning the "signed file".
> I've changed my cheat sheet to reflect above is only useful for
> initial signing, and your example as all subsequent signings
>
> Thanks again.
>

Hrmm, is that really the correct command?

dnssec-signzone  -f xx.org.signed -a -e +15724800 -K keys/ -N
INCREMENT xx.org.signed

fatal: failed loading zone from 'xxx.org.signed': not at top of zone


Re: DNSSEC and slaves error

2012-03-08 Thread Nick Edwards
Thanks, that did the trick!


On 3/8/12, Mark Andrews  wrote:
>
> In message
> 
> , Nick Edwards writes:
>> On 3/8/12, Nick Edwards  wrote:
>> > On 3/7/12, Mark Andrews  wrote:
>> >
>> >>> resigned it again as about 3 months using:dnssec-signzone -a -e
>> >>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>> >>
>> >> You should have fed dnssec-signzone the old signed zone not the
>> >> unsigned
>> >> zone.
>> >>
>> >> dnssec-signzone -f guilty_domain.here.signed  -N INCREMENT
>> >> guilty_domain.here.signed
>> >>
>> >
>> > Thank you Mark, in all of the so called "howto's" I've read, I recall
>> > none of them mentioning resigning the "signed file".
>> > I've changed my cheat sheet to reflect above is only useful for
>> > initial signing, and your example as all subsequent signings
>> >
>> > Thanks again.
>> >
>>
>> Hrmm, is thatreally the correct command?
>>
>> dnssec-signzone  -f xx.org.signed -a -e +15724800 -K keys/ -N
>> INCREMENT xx.org.signed
>>
>> fatal: failed loading zone from 'xxx.org.signed': not at top of zone
>
> -o xxx.org
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
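An added check for the symptom in this thread (not code from the posts or from BIND): a secondary only transfers a zone when the SOA serial on the primary is higher, so a copy with the same serial but older RRSIG expirations means the re-sign did not bump the serial. The zone text is constructed in dnssec-signzone's output style, the function names are hypothetical, and the SOA names are assumed to be fully qualified.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone as held by the primary.
PRIMARY_COPY = """\
xx.example.      3600 IN SOA ns1.xx.example. hostmaster.xx.example. (
                     2012020901 ; serial
                     7200       ; refresh
                     900 604800 3600 )
                 3600 RRSIG SOA 5 2 3600 (
                     20120905120000 20120307120000 4242 xx.example.
                     Q09OU1RSVUNURUQ= )
www.xx.example.  3600 IN RRSIG A 5 3 3600 20120905120000 20120307120000 4242 xx.example. Q09O
"""
# Constructed secondary copy: same serial, signatures from the earlier signing.
SECONDARY_COPY = PRIMARY_COPY.replace("20120905120000 20120307120000",
                                      "20120310120000 20120209120000")

# RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\(?\s*(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)")
# Requiring dotted mname/rname keeps "RRSIG SOA 5 2 ..." from matching as an SOA.
SOA_RE = re.compile(r"\sSOA\s+\S+\.\s+\S+\.\s+\(?\s*(\d+)")


def _ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def soa_serial(zone_text):
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def rrsigs(zone_text):
    """Every RRSIG in the text, single-line or parenthesised multi-line."""
    return [{"covers": m[1], "expires": _ts(m[2]), "inception": _ts(m[3]),
             "keytag": int(m[4]), "signer": m[5]}
            for m in RRSIG_RE.finditer(zone_text)]


def expiring(zone_text, now, warn=timedelta(days=7)):
    """Record types whose signatures expire within `warn` of `now` (or already have)."""
    return sorted({s["covers"] for s in rrsigs(zone_text)
                   if s["expires"] <= now + warn})


def compare_copies(primary_text, secondary_text):
    """Classify a secondary's copy against the primary's signed zone."""
    if soa_serial(primary_text) != soa_serial(secondary_text):
        return "transfer-pending"      # serial differs: a refresh will pick it up
    p_exp = min(s["expires"] for s in rrsigs(primary_text))
    s_exp = min(s["expires"] for s in rrsigs(secondary_text))
    if p_exp != s_exp:
        return "serial-not-bumped"     # re-signed, but nothing tells the secondary
    return "in-sync"
```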


Re: DNS Blackholing

2012-12-04 Thread Nick Edwards
Hi All,

Is there a way for an RPZ zone file to act on a domain AND its subdomains
without using two separate entries?

At present I can only get them to match on one or the other unless I do
example.com    blah
*.example.com  blah

I'm sure I've missed the obvious, but thought I'd ask


nxdomain

2013-08-28 Thread Nick Edwards
Hi,
In just testing a few things with our authoritative server, I made a
typo and, much to my surprise, the server responds NXDOMAIN to
requests from unauthed requesters. This used to return REFUSED; when
did this error change?

(bind 9.9.3-P2)


Re: nxdomain

2013-08-28 Thread Nick Edwards
The typo was more how I came about my request; forget the typo as
such, it's the actual answer. To use a more common, well-known name, if
I type

~$ host www.undernet.org ns1
Using domain server:
Name: ns1

Host www.undernet.org not found: 3(NXDOMAIN)

Above should be, and I'm darn sure used to be, REFUSED - not NXDOMAIN

Perhaps I should also have included my options in my original post; that
was remiss of me.

acl trust contains localhost and the servers' actual IP addresses;
nowhere does it permit the IP range I tried from.

options {
directory "/var/named";
allow-query { trust; };
allow-transfer { localhost; };
blackhole { bogon; };
recursive-clients 2000;
clients-per-query 40;
tcp-clients 100;
recursion no;
additional-from-cache no;
transfer-format many-answers;
masterfile-format text;
interface-interval 0;
dnssec-enable yes;
dnssec-validation yes;
};




On 8/28/13, Matus UHLAR - fantomas  wrote:
> On 28.08.13 23:13, Nick Edwards wrote:
>>In just testing a few things with our authoritative server, I made a
>>typo, and, much to my surprise the server responds NXDOMAIN to
>>requests from unauthed requesters, this used to return  REFUSED, when
>>did this error change?
>>
>>(bind 9.9.3-P2)
>
> what typo?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I wish NOT to receive any advertising mail at this address.
> I'm not interested in your website anymore.
> If you need cookies, bake them yourself.


Re: nxdomain

2013-08-28 Thread Nick Edwards
Mark,

On 8/29/13, Mark Andrews  wrote:
>
> In message
> 
> , Nick Edwards writes:
>> The typos was more of how I came about my request, forget the typo as
>> such, it the actual answer,  to use a more common well known name, if
>> I type
>>
>> ~$ host www.undernet.org ns1
>> Using domain server:
>> Name: ns1
>>
>> Host www.undernet.org not found: 3(NXDOMAIN)
>>
>> Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
>>
>> perhaps I should also include my options in my original post, that was
>> remiss of me
>>
>> acl trust contains localhost and the servers actual IP addresses,
>> nowhere does it permit the IP range I tried from
>>
>> options {
>> directory "/var/named";
>> allow-query { trust; };
>> allow-transfer { localhost; };
>> blackhole { bogon; };
>> recursive-clients 2000;
>> clients-per-query 40;
>> tcp-clients 100;
>> recursion no;
>> additional-from-cache no;
>> transfer-format many-answers;
>> masterfile-format text;
>> interface-interval 0;
>> dnssec-enable yes;
>> dnssec-validation yes;
>> };
>
> Given www.undernet.org exists on the Internet (so you wouldn't be
> getting NXDOMAIN if it was recursing to the Internet) and you haven't
> shown the entire configuration we can't tell if it is a lack of
> understanding about your configuration or a bug.
>

The only other components of our pure authoritative-only server
configuration are:

The bogon acl from team cymru

include "/var/named/root_trusted_key";

logging {
category lame-servers { null; };
category edns-disabled { null; };
category client { null; };
};

zone "." {
type hint;
file "root.hints";
};


zone "127.in-addr.arpa" {
type master;
file "localhost.rev";
notify no;
};

zone "localhost" {
type master;
file "localhost.zone";
notify no;
};

zone "somedomain.org" {
type master;
allow-transfer { slave.ip; };
file "somedomain.org.signed";
allow-query { any; };
allow-update { none; };
};


zone ".in-addr.arpa" {
type master;
allow-transfer { sec.IP; };
file "00v4.zone";
allow-query { any; };
allow-update { none; };
};

zone "xxx.ip6.arpa" {
type master;
allow-transfer { sec.IP; };
file "00v6.zone";
allow-query { any; };
allow-update { none; };
};

zone "" {
type slave;
masters { x.x.x.x; };
file "xx.signed";
allow-query { any; };
};


There are 27 more master/slave zones, but they are all in identical
format as above, and we certainly do not host undernet :-)

With no customer IP ranges included in any ACL (since these are
not caching servers), and having friends try from different ISPs,
we get NXDOMAIN, be it undernet, or google (Host www.google.com not
found: 3(NXDOMAIN)), or whatever else it is not configured for. Yes, it
does respond correctly to domains it is supposed to.

In the end, because of this config, I expect to see REFUSED here, like
we have in the past; not sure when this changed.

Both our ns1 and ns2 respond the same.


Re: nxdomain

2013-08-29 Thread Nick Edwards
Good Morning,
Wow, all these messages. As other posters have pointed out to me, dig
shows what I wanted to see, REFUSED; only host shows NXDOMAIN, and from
other posts I see why I am getting that result. So in the end it's all
just a false alarm; my servers are doing the right thing, so I can
rest easy.

On 8/29/13, Mark Andrews  wrote:
>
> In message
> 
> , Nick Edwards writes:
>> Mark,
>>
>> On 8/29/13, Mark Andrews  wrote:
>> >
>> > In message
>> > 
>> > , Nick Edwards writes:
>> >> The typos was more of how I came about my request, forget the typo as
>> >> such, it the actual answer,  to use a more common well known name, if
>> >> I type
>> >>
>> >> ~$ host www.undernet.org ns1
>> >> Using domain server:
>> >> Name: ns1
>> >>
>> >> Host www.undernet.org not found: 3(NXDOMAIN)
>> >>
>> >> Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
>> >>
>> >> perhaps I should also include my options in my original post, that was
>> >> remiss of me
>> >>
>> >> acl trust contains localhost and the servers actual IP addresses,
>> >> nowhere does it permit the IP range I tried from
>> >>
>> >> options {
>> >> directory "/var/named";
>> >> allow-query { trust; };
>> >> allow-transfer { localhost; };
>> >> blackhole { bogon; };
>> >> recursive-clients 2000;
>> >> clients-per-query 40;
>> >> tcp-clients 100;
>> >> recursion no;
>> >> additional-from-cache no;
>> >> transfer-format many-answers;
>> >> masterfile-format text;
>> >> interface-interval 0;
>> >> dnssec-enable yes;
>> >> dnssec-validation yes;
>> >> };
>> >
>> > Given www.undernet.org exists on the Internet (so you wouldn't be
>> > getting NXDOMAIN if it was recursing to the Internet) and you havn't
>> > shown the entire configuration we can't tell if it is a lack of
>> > understanding about your configuration or a bug.
>> >
>>
>> The only other components to our pure authoratitive only server
>> configuration  are
>>
>> The bogon acl from team cymru
>>
>> include "/var/named/root_trusted_key";
>>
>> logging {
>> category lame-servers { null; };
>> category edns-disabled { null; };
>> category client { null; };
>> };
>>
>> zone "." {
>> type hint;
>> file "root.hints";
>> };
>>
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "localhost.rev";
>> notify no;
>> };
>>
>> zone "localhost" {
>> type master;
>> file "localhost.zone";
>> notify no;
>> };
>>
>> zone "somedomain.org" {
>> type master;
>> allow-transfer { slave.ip; };
>> file "somedomain.org.signed";
>> allow-query { any; };
>> allow-update { none; };
>> };
>>
>>
>> zone ".in-addr.arpa" {
>> type master;
>> allow-transfer { sec.IP; };
>> file "00v4.zone";
>> allow-query { any; };
>> allow-update { none; };
>> }
>>
>> zone "xxx.ip6.arpa" {
>> type master;
>> allow-transfer { sec.IP; };
>> file "00v6.zone";
>> allow-query { any; };
>> allow-update { none; };
>> };
>>
>> zone "" {
>> type slave;
>> masters { x.x.x.x; };
>> file "xx.signed";
>> allow-query { any; };
>> };
>>
>>
>> there are 27 more master/slave zones, but they all are in identical
>> format as above and
>> we certainly do not host undernet :-)
>>
>> and with no customer IP ranges  included in any ACL since these are
>> not caching servers), and, having friends trying from different ISP's,
>> we get NXDOMAIN, be it undernet, or google  Host www.google.com not
>> found: 3(NXDOMAIN) or whateve else it is not configured for, yes, it
>> does respond correctly to domains it is supposed too
>>
>> in the end because of this config, I expect to see REFUSED here, like
>> we have in the past, not sure when this changed.
>>
>> Both our ns1 ans ns2 respond in same
>
> You still haven't provided enough information to work out whether
> there is a bug or not.
>
> Why don't you post the complete response to the dig request unaltered.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
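The thread ends with dig showing REFUSED while host printed NXDOMAIN; this added example (not from the posts or from BIND) reads the RCODE straight from the response header, so no client tool's interpretation is involved. The helper names and the constructed reply bytes are hypothetical; ask() sends one non-recursive UDP query to a server you operate.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, qid=0x1234):
    """Wire-format query for name/IN/qtype with RD=0 (no recursion requested)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)


def parse_header(msg):
    """Decode the fixed 12-octet DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid,
            "qr": bool(flags & 0x8000),   # response bit
            "aa": bool(flags & 0x0400),   # authoritative answer
            "ra": bool(flags & 0x0080),   # recursion available
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ancount": an}


def check_out_of_zone(hdr):
    """Findings for a reply to a name the server is NOT authoritative for."""
    findings = []
    if not hdr["qr"]:
        findings.append("not a response")
    if hdr["rcode"] != "REFUSED":
        findings.append(f"rcode is {hdr['rcode']}, expected REFUSED")
    if hdr["ra"]:
        findings.append("RA set: server advertises recursion")
    if hdr["ancount"]:
        findings.append("answer records returned")
    return findings


def ask(server, name, timeout=3.0):
    """Send one UDP query and return the parsed header of the matching reply."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid=qid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    hdr = parse_header(reply)
    if hdr["id"] != qid:
        raise ValueError("reply ID does not match query")
    return hdr


# Constructed replies for offline use: header flags plus the echoed question.
_QUESTION = build_query("www.undernet.org")[12:]
REFUSED_REPLY = struct.pack("!6H", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
NXDOMAIN_REPLY = struct.pack("!6H", 0x1234, 0x8483, 1, 0, 0, 0) + _QUESTION
```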


Re: Logs problem with Bind 9.9.4

2014-08-08 Thread Nick Edwards
bugger off with your dictatorship
do not bring it here like you take it every list you go to, well,
those that you have not been kicked off of that is


On 8/2/14, Reindl Harald  wrote:
> why do you reply off-list, in HTML and top-posting?
>


Re: Logs problem with Bind 9.9.4

2014-08-08 Thread Nick Edwards
maybe he will, when you learn to stop being so offensive and abusive
on every list you decide to join, and to think a certain blacklist
operator on this list a few days ago said you were well behaved, hrmmm
are you paying him off so he won't list you again in his rbl


On 8/3/14, Reindl Harald  wrote:
> jesus christ learn to use mailing-lists, stop replying
> in private and strip your quotes
>
> On 02.08.2014 at 10:29, ahmed salim wrote:
>> On Sat, Aug 2, 2014 at 10:24 AM, Reindl Harald wrote:
>>
>> why do you reply off-list, in HTML and top-posting?
>>
>> On 02.08.2014 at 08:09, ahmed salim wrote:
>> > the logging is (syslog)
>>
>> so you can filter in rsyslog.conf
>> https://www.google.at/search?q=rsyslog+filter+messages
>>
>> > now your configuration block is working
>>
>> fine
>>
>> > I'm just wondering how to disable IPv6 logs???
>>
>> what about show us what you are talking about?
>> nobody but you knows what you see on your screen
>>
>> http://www.catb.org/esr/faqs/smart-questions.html#beprecise
>>
>> > I tried is to disable it by editing "/etc/sysconfig/named" and make
>> (OPTIONS="-4")
>> > but I still getting them in my logs
>> >
>> > thank you for your help
>
> stripped full quote
>
>> OK, sorry for not being precise
>>
>> the IPv6 logs are something like this:
>>   error (network unreachable) resolving 'videolan.org/DS/IN': 2001:500:b::1#53
>>   error (network unreachable) resolving 'px.owneriq.net/A/IN': 2600:1401:2::1#53
>>
>> is there any solution to stop these logs ???
>
> if you don't have working ipv6 just disable the stack
>
> /etc/sysctl.conf:
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
>
> after reboot you should no longer have ipv6 link local addresses
> and so BIND realizes at startup that ipv6 is not supported
>
>


shutting up logs

2015-05-14 Thread Nick Edwards
 skipping nameserver 'ns5.concord.org' because it is a CNAME, while
resolving '210.128-25.119.138.63.in-addr.arpa/PTR'

I have logs growing by about 30 megs a day with pretty much only this in
them (of course not always the same remote server); how do I shut this up?

My logging statements are

logging {
    category lame-servers { null; };
    category edns-disabled { null; };
    category client { null; };
    category dnssec { null; };
//  channel log_queries { file "/tmp/debug_query.log"; print-category yes; };
//  category queries { log_queries; };
};

TIA


lookout timesouts

2016-09-19 Thread Nick Edwards
Hi,

We have a customer who has their own cache server, but in the afternoons
before they close up for the day, they commit off-site backups, this
process takes them about 90 mins, anyone trying to use the internet in this
time fails 99.9% of the time due to DNS lookup errors, but if they use an
external DNS server, such as ours, it works - albeit slow but it does get a
response. The local DNS cache server operates fine and instant for their
private LAN, and pinging around their LAN is sub 1ms so the problem exists
when bind tries to go out to get answers for real hostnames. When their
internet link is not fully utilized there are no problems.

The problem arose again today before the off-site backups when just one PC
got its message from Microsoft to grab the anniversary update, at 11
o'clock in the morning, strangely it did not fill their link, but the pps
must have been rampant because the DNS errors again failed when using their
local cache resolver server.

Is there a named.conf setting we can suggest they use on their cache server
that perseveres and waits a little longer for answers to send to their
client machines?
They are using bind 9.10.4-p2 with default settings from source package
along with options of -

directory "/opt/named";
allow-query { x; };
allow-query-cache { x; };
allow-transfer { xx; };


Thanks for any advice.
Nik

Re: lookout timesouts

2016-09-21 Thread Nick Edwards
Thanks Mark, it's the likely reason; they are using a microtek or such junk if
my memory serves me correctly, we will drop in a juniper and see if that
resolves it.


On Tue, Sep 20, 2016 at 7:51 AM, Mark Andrews  wrote:

>
> In message  qozh...@mail.gmail.com>, Nick Edwards writes:
> >
> > Hi,
> >
> > We have a customer who has their own cache server, but in the afternoons
> > before they close up for the day, they commit off-site backups, this
> > process takes them about 90 mins, anyone trying to use the internet in
> this
> > time fails 99.9% of the time due to DNS lookup errors, but if they use an
> > external DNS server, such as ours, it works - albeit slow but it does
> get a
> > response. The local DNS cache server operates fine and instant for their
> > private LAN, and pinging around their LAN is sub 1ms so the problem
> exists
> > when bind tries to go out to get answers for real hostnames. When  their
> > internet link is not fully utilized there is no problems.
> >
> > The problem arose again today before the off-site backups when just one
> PC
> > got its message from Microsoft to grab the anniversary update, at 11
> > o'clock in the morning, strangely it did not fill their link, but the pps
> > must have been rampant because the DNS errors again failed when using
> their
> > local cache resolver server.
> >
> > Is there a named.conf setting we can suggest they use on their cache
> server
> > that perseveres and waits a little longer for answers to send to their
> > client machines?
> > They are using bind 9.10.4-p2 with default settings from source package
> > along with options of -
> >
> > directory "/opt/named";
> > allow-query { x; };
> > allow-query-cache { x; };
> > allow-transfer { xx; };
> >
> >
> > Thanks for any advice.
> > Nik
>
> There is one word for this.  Bufferbloat.  This is where a
> router has massive buffers for the link and rather than dropping
> packets when it cannot send a packet, thereby throttling TCP straight
> away, it queues up traffic creating a very long delay path and
> eventually throttles TCP to the link speed when the buffer finally
> fills.  I've seen this create multi-second delays in the path.
> Really bad buffer bloat can create delays that are minutes long.
>
> Go talk to your router vendor. This is either a bug in their product
> or a bug in an upstream router.  It is possible to examine the traffic
> flows in a router and mitigate bufferbloat in another router by
> restricting the traffic through the first router to slightly less
> than what the second router will allow.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 12:11 AM, Reindl Harald 
wrote:


> identical like the first one
>
> Which IP should be use?
>>
>
> i don't understand your question
>
>
Since you have NOTHING to do with ISC or even remotely with bind, if you
don't understand, LEAVE IT TO SOMEONE WHO DOES

but you just can't help yourself can you, damn troll

Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 12:42 AM, Reindl Harald 
wrote:


>
>
>
>>
> don't get me wrong but that question shows that you are not ready to run a
> public dns server - there is no "local" or
>

when you make statements like that to be sure you include the fact you have
NOTHING to do with ISC or bind.

Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 7:11 AM, Reindl Harald 
wrote:

>
> i don't understand your question
>>
>>
>> Since you have NOTHING to do with ISC or even remotely with bind, if you
>> dont understand , LEAVE IT TO SOMEONE WHO DOES
>>
>
> and YOU have something to do with ISC?
> i doubt!
>
> since i maintain hundreds of domains and wrote admin-backends for BIND i
> pretend to have more than remotely to do with bind for many many years
>
>


PRETEND is the key operative word here, you have  ZERO to do with ISC Bind,
you are not a member of the consortium, yes, that I know!

I'll leave it for a list moderator to cane your arse for trying to imply
you are associated with bind project.

Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 7:14 AM, Reindl Harald 
wrote:

>
>
>
> this is a public mailing list - so what!
>
> when someone doesn't yet get the connection between nameservers, webserver
> and ip-addresses he is not ready to connect public servers and that's
> completely independent of the fact you ra elike a statement or not - so get
> out of my sight and keep your personal attacks for yourself, especially when
> you are *that* slow with your poisoning responses
>
>

That's right, when someone calls you out for what you really are, you try
to turn it around. Truth hurts, Reindl.

You obviously did not know or understand the question; this does not mean
nobody else does, so you should shut your trolling trap and ignore the
post, and let someone who does know what they mean answer it. It's why you've
been kicked off just about every other technical/ASP list on this planet.

And as for slow responses? I have a life, I enjoy weekends, I do not sit on
the internet 20 hours a day like you try to because no one in their sane mind
could put up with you.

Re: BIND 9.11.6-P1 build fails on Solaris

2019-04-30 Thread Nick Edwards
Lots of things failing in recent times, even with CentOS, mostly because of
openssl min version changes, and most recently even latest releases won't
build now because of a change in min python versions *sigh*. I'm just going
to leave it as is, that's all we can do.


On Fri, Apr 26, 2019 at 5:05 AM  wrote:

> BIND 9.11.5-P4 built fine on this Solaris 10 environment with same
> configure settings:
>
> --enable-ipv6 \
> --enable-filter- \
> --enable-largefile \
> --enable-fixed-rrset \
> --enable-threads \
> --disable-shared \
> --with-dlopen=no \
> --with-openssl=/opt/bind911/openssl \
> --with-geoip=/opt/bind911/geoip \
> --without-gssapi --without-python \
> --prefix=/opt/bind911
>
> However, now the build fails for BIND 9.11.6-P1 with the following:
>
> Undefined                       first referenced
>  symbol                             in file
> isc_atomic_xadd                     client.o
> ld: fatal: symbol referencing errors. No output written to namedtmp0
> *** Error code 1
> make: Fatal error: Command failed for target `named'
>
> Thanks,
> Greg