Re: query issue
At 08:45 29-03-2012, Anand Buddhdev wrote:
> I also note that kingstonmass.org has delegation to 2 name servers in the ORG zone, but 3 name servers at its apex. The additional name server, mns01.domaincontrol.com, gives a REFUSED response to a query for the domain.

From mns01.domaincontrol.com:

;; ANSWER SECTION:
kingstonmass.org. 3600 IN NS mns02.domaincontrol.com.
kingstonmass.org. 3600 IN NS mns01.domaincontrol.com.

ns1.gis.net and ns2.gis.net return a different answer.

Regards,
-sm
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: query issue
At 15:05 29-03-2012, Mark Andrews wrote:
> The queries are sent to that address because named has learnt that mns01.domaincontrol.com has a IPv6 address. mns01.domaincontrol.com isn't responding to me over IPv6 either.

I see a response from 2607:f208:206::22.

Regards,
-sm

Re: Clarification on wildcard falls into glue records
At 07:08 15-05-2012, Alexander Gurvitz wrote:
> From wikipedia: To quote RFC 1912, "A common mistake is thinking that a wildcard

Using Wikipedia to quote RFC 1912 is odd ...

Regards,
-sm

Re: VMware & Bind
Hi John,

At 09:58 05-06-2012, Manson, John wrote:
> Will bind run on VMware?

Yes, if the guest operating system supports it.

Regards,
-sm

Re: Operation Cancelled Error
Hi Ben,

At 05:37 11-07-2012, Ben wrote:
> Actually, I am doing load testing with my CACHING DNS SERVER, and for that I set up one client machine which sent queries to CACHING DNS SERVER, and while doing this, I got below given errors in log. So is point to any network problem or any fine tuning / configuration required to bind? I am using google public dns ips as forwarder in named.conf

Are you doing load testing on Google's DNS server?

Regards,
-sm

Re: Operation Cancelled Error
Hi Ben,

At 16:49 11-07-2012, Ben wrote:
> I am doing load testing on our local caching dns. But while doing it, I added google dns and some other dns ips as forwarder to test QPS.

It seems to me that it is not a good idea to do load testing on some third-party server.

> I am confusing that those errors are due to bind misconfiguration or something else?

An error condition can trigger such an error. It isn't related to the BIND configuration file.

> If someone share his experience with it, What are the maximum QPS handled by bind? that is good to understand more.

There is a long thread at https://lists.isc.org/pipermail/bind-users/2011-June/084405.html

The question might be what is the maximum QPS handled on hardware similar to the one you used for the test.

Regards,
-sm

Re: Weird stuff with one host... :-S
At 06:31 16-07-2012, Michelle Konzack wrote:
> Can "views" be configured by Host/IP?

"A client matches a view if its source IP address matches the address_match_list of the view's match-clients clause and its destination IP address matches the address_match_list of the view's match-destinations clause".

See example at http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2590162

Regards,
-sm

Re: dns_query_createvia: failed address not available
Hi Merton,

At 16:02 19-08-2012, Merton Campbell Crockett wrote:
> Hopefully someone on this list can identify what is triggering the "dns_query_createvia" error. I haven't encountered this particular error in the last 25 years of mucking with named.
>
> The error results in named to fail to load slave zones when it is first loaded if the zone files are not present. When the slave zone files are present, they are loaded but zone transfers are not performed to refresh the zone data.
>
> The following named.log excerpt was created by using a "rndc refresh ad.gd-ais.com" command to force a refresh of the zone data.
>
> 19-Aug-2012 18:28:48.575 general: info: received control channel command 'refresh ad.gd-ais.com'
> 19-Aug-2012 18:28:48.575 general: debug 1: queue_soa_query: zone AD.GD-AIS.COM/IN: enter
> 19-Aug-2012 18:28:48.575 general: debug 1: soa_query: zone AD.GD-AIS.COM/IN: enter
> 19-Aug-2012 18:28:48.575 general: debug 3: dns_request_createvia
> 19-Aug-2012 18:28:48.575 general: debug 3: req_destroy: request 0x3b7e18
> 19-Aug-2012 18:28:48.575 general: debug 3: dns_request_createvia: failed address not available

Is an IP address specified for pulling the zone in the configuration file? Is the IP address bound to one of the available interfaces?

Regards,
-sm

Re: Question about connections to BIND and tcp 443
At 07:38 22-08-2012, Moore, Mark A. wrote:
> from connecting to 443 since these servers are only DNS. Is there any reason for clients to connect to tcp 443 for any type of DNS resolution? Just want to confirm before I dig deeper into this issue.

No.

Regards,
-sm

Re: cache does truely in local and doesn't work in remote
At 11:29 02-09-2012, Mohsen Pahlevanzadeh wrote:
> second nmap is from my machine, not server. Then I run telnet from my machine and then I get:
>
> root@debian:/home/mohsen# telnet 184.22.226.205:53
> telnet: could not resolve 184.22.226.205:53/telnet: Name or service not known

dig example.com @184.22.226.205 gives the following:

;; QUESTION SECTION:
;example.com. IN A

;; Query time: 13 msec
;; SERVER: 184.22.226.205#53(184.22.226.205)
;; MSG SIZE rcvd: 29

The nameserver is listening on 184.22.226.205 for DNS queries and it is responding. In a previous message, you did the following:

root@debian:/home/mohsen# dig yahoo.com @184.22.226.206

Verify the IP address you should be using for DNS.

Regards,
-sm

Re: Question related to domain names and less to bind straight.
At 22:04 04-09-2012, Eliezer Croitoru wrote:
> I am working on a blacklist and in order to filter the list and to do some Error checks I first want to identify the TLD part of the domain to make the search prefix at least of the domain and not the tld.
>
> the basic list exists at: http://data.iana.org/TLD/tlds-alpha-by-domain.txt
>
> But in a case of a regional tld such as "il" I want to filter the domain in the second 3rd level. is there an rfc that talks about regional tld?

No.

> is there any known restriction for regional tlds sub-domains naming?

It's ccTLD policy. See the public suffix list for an informal lower level break-down.

Regards,
-sm

Re: How to Setup DNSSEC
At 21:10 16-10-2012, pangj wrote:
> IMO, a resolver will have the ability to get the public key of a ZSK for validating the signed RR. How will it get this public key? And, is the usage of a KSK similar to the CA certificate?

See http://www.nlnetlabs.nl/publications/dnssec_howto/

Regards,
-sm

Re: User wanting to use a .local domain to host DNS
At 07:15 14-11-2012, John Miller wrote:
> It doesn't look like .local is officially reserved (http://tools.ietf.org/html/rfc2606), but .localdomain definitely is.

.localdomain is not reserved.

Regards,
-sm

Re: Can we load balance traf[f]ic for CNAME records?
At 01:14 14-12-2012, Manish Rane wrote:
> I understand that Mail Delivery load balance can be achieved by using MX priorities. My concern is not that, rather I am more worried about users who will be using A record to configure their mail clients like IMAP or POP. I am thinking on load balancing there since I want users to access the both the ISPs to connect. I can have A/CNAME? record

See RFC 6186. Verify whether the mail clients support that specification.

Regards,
-sm

Re: spf ent txt records.
At 04:40 AM 3/13/2013, Jan-Piet Mens wrote:
> BIND has supported SPF records since 9.4 I think, so yes. Their functionality is identical (i.e. define both if you want/need both)
>
> name ttl class TXT text
> name ttl class SPF text

The DNS query will likely be for TXT RRs only in future (see RFC 6686).

Regards,
-sm

Re: spf ent txt records.
At 08:35 18-03-2013, Vernon Schryver wrote:
> Also, those who are not lazy, who think RFC 4408bis is wrong, and want to use type 99 without violating RFC 4408bis will go to the IEFF.

I suggest reading the messages with a subject line of "#9: RFC 4408 SPF RR type" in the mail archive at http://www.ietf.org/mail-archive/web/spfbis/current/

Regards,
-sm

Re: Confused about a basic concept
Hi Bryan,

At 09:52 05-06-2013, Bryan Harris wrote:
> Regarding if we need a hidden master in the first place, I wish I could remember. :-) It's been that way since I came here and I suspect it's a requirement we will simply have to keep using.

Sometimes it is better to ask or else you can end up with problematic requirements.

Regards,
-sm

Re: This list's prefix
Hi Elmar,

At 12:27 05-06-2013, Elmar K. Bins wrote:
> And the 100-dollar-question is: How do you remove them on outgoing mails? ;-)

The answer is to edit the subject line after hitting the reply button. :-)

Regards,
-sm

Re: PTR files
Hi Norman,

If I recall correctly the initial message you posted mentioned a network connectivity problem. I suggest verifying whether one end can ping the other end. See whether you can ping by IP address and by host name.

Regards,
-sm

Re: New warning message...
Hi Dan,

At 03:07 24-07-2013, McDonald, Dan wrote:
> SPF RR types are already standards track - see RFC 6652. An informational rfc warning that the standard is not being adopted should be seen as a call to fix the admins, not discard the standard.

The SPF specification is not on the Standards Track. RFC 6652 is about ARF.

Regards,
-sm

Re: internal network PTR records, necessary?
Hi James,

At 19:06 13-08-2013, James Chase wrote:
> I noticed if I do a reverse lookup on an internal IP it seems to reference an iana server. Do we have a misconfiguration to be going out there for an answer? Could it be that this iana server was not responding monday morning?

See RFC 6303 and RFC 6305.

Regards,
-sm

Re: localhoast A record?
Hi Chris,

At 11:18 21-03-2014, Chris Thompson wrote:
> We used to create lots of localhost.[subdomain].cam.ac.uk records, even to the extent of adding an AAAA record just for those institutions that had IPv6 enabled on their networks. But we have pretty much given up doing that for new subdomains.
>
> It still seems to me potentially useful to keep localhost.cam.ac.uk itself, to terminate the probable iteration described above before it goes any further.

It can be used to exploit web application vulnerabilities.

Regards,
-sm

Re: SPF RR type
Hi Nicholas,

At 07:25 05-06-2014, Nicholas F Miller wrote:
> Are SPF RR types finally dead or not? I've read through rfc7208 it appears that they are:
>
> "SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only. The character content of the record is encoded as [US-ASCII]. Use of alternative DNS RR types was supported in SPF's experimental phase but has been discontinued."
>
> ...but to confuse the issue rfc7208 goes on to say:
>
> "If a future update to SPF were developed that did not reuse existing SPF records, it could use the SPF RR type. SPF's use of the TXT RR type for structured data should in no way be taken as precedent for future protocol designers."
>
> Bind-9.10.0-P1 still reports errors if you don't have SPF RRs defined with the SPF TXT records or are not using 'check-spf ignore'. Should one keep existing SPF RRs or remove

The SPF RR is no longer used for SPF verification (re. RFC 7208). The second part of the quoted text is there so that the usage of the TXT RR in that RFC is not used as a precedent.

Regards,
-sm

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
At 22:11 24-01-2009, Al Stu wrote:
> Some people seem to think RFC 974 creates a standard which prohibits the use of CNAME/alias in MX records. But very much to the contrary RFC 974 demonstrates that CNAME/alias is permitted in MX records.

RFC 974 is obsoleted by RFC 2821; the latter is obsoleted by RFC 5321. Quoting Section 5 of that RFC:

"When a domain name associated with an MX RR is looked up and the associated data field obtained, the data field of that response MUST contain a domain name. That domain name, when queried, MUST return at least one address record (e.g., A or AAAA RR) that gives the IP address of the SMTP server to which the message should be directed. Any other response, specifically including a value that will return a CNAME record when queried, lies outside the scope of this Standard. The prohibition on labels in the data that resolve to CNAMEs is discussed in more detail in RFC 2181, Section 10.3."

> ISC's message that a CNAME/alias in an MX record is illegal is incorrect and just an attempt by ISC to get people to go along with what is only a perceived rather than actual standard/requirement, and should be removed so as not to further the fallacy of this perceived perception of a standard/requirement, as it is neither a standard nor a requirement, and certainly not illegal.

Pointing to a CNAME on the right-hand side of an MX record is incorrect and may affect mail delivery. This is not about perceived perception of a requirement (see the MUST return at least one address record in the quoted text).

Regards,
-sm

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
At 00:44 25-01-2009, Al Stu wrote:
> "When a domain name associated with an MX RR is looked up and the associated data field obtained, the data field of that response MUST contain a domain name. That domain name, when queried, MUST return at least one address record (e.g., A or AAAA RR) that gives the IP address of the SMTP server to which the message should be directed."
>
> Correct. And when that domain name is a CNAME pointing to an A RR the query returns not only the alias but also the real name and the IP address from the A RR. Thus meeting the requirements to "return at least one address record (e.g., A or AAAA RR)".
>
> But yet ISC seems to find it necessary to throw a message that it is "illegal", when it clearly is not.

That's a liberal interpretation of the specifications and it's the opposite of the intent of the quoted paragraph. Implementors are expected to query for an address record only. Any other behavior such as the one described in your second paragraph is undefined.

Further reading of that section elaborates on what to do if a CNAME is returned and there is a reference to RFC 2181 for a discussion of the prohibition of CNAMEs on the right-hand side.

RFC 974 specifies the algorithm to build the list of RRs and discusses possible issues. It's the same algorithm in RFC 2821 and RFC 5321. The confusion about CNAMEs in MX records stems from the interpretation of the text about how CNAMEs on the left-hand side are handled and that was clarified in the latest revision of the specifications.

Regards,
-sm

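An added example, not part of the original messages or of BIND: a small lint over zone data that flags MX exchange names which are CNAMEs, the condition the two replies above argue about. The zone lines, names and status labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed zone lines (owner TTL class type rdata); not from any real zone.
SAMPLE_ZONE = """\
example.com.            3600 IN MX    10 mail.example.com.
example.com.            3600 IN MX    20 mx-alias.example.com.
example.com.            3600 IN MX    30 gone.example.com.
mail.example.com.       3600 IN A     192.0.2.25
mail.example.com.       3600 IN AAAA  2001:db8::25
mx-alias.example.com.   3600 IN CNAME host1.example.net.
host1.example.net.      3600 IN A     198.51.100.7
"""


def normalise(name):
    """Lower-case a domain name and make sure it ends with a single dot."""
    return name.rstrip(".").lower() + "."


def parse_zone(text):
    """Index 'owner ttl class type rdata' lines as {owner: {type: [rdata]}}."""
    index = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        index[normalise(owner)][rtype.upper()].append(rdata.strip())
    return index


def check_mx_targets(text):
    """Return (owner, preference, exchange, status) for every MX record.

    status is "ok" when the exchange name owns an A or AAAA record,
    "cname" when it is an alias (the case RFC 5321 places out of scope),
    and "no-address" when the supplied data holds no address for it
    (which may simply mean the name lives in another zone).
    """
    index = parse_zone(text)
    findings = []
    for owner in sorted(index):
        for rdata in index[owner].get("MX", []):
            preference, exchange = rdata.split()
            target = normalise(exchange)
            rrsets = index.get(target, {})
            if "CNAME" in rrsets:
                status = "cname"
            elif "A" in rrsets or "AAAA" in rrsets:
                status = "ok"
            else:
                status = "no-address"
            findings.append((owner, int(preference), target, status))
    return findings


if __name__ == "__main__":
    for owner, pref, target, status in check_mx_targets(SAMPLE_ZONE):
        print(f"{owner} MX {pref} {target} -> {status}")
```

The alias is reported even though it ultimately leads to an address record, because the check looks only at the name on the right-hand side of the MX record.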
Re: single-character host names
At 13:46 25-02-2009, Mike Bernhardt wrote:
> I've been looking into the RFCs regarding whether or not single-character (alpha) host names are allowed or not. RFC 952 says no, but 2181 says that host names must be between 1 and 63 octets in length, which would appear to say "yes."

Section 2.1 of RFC 1123 discusses the syntax for host names and clarifies RFC 952. Host names can be up to 63 octets and the FQDNs up to 255 octets (RFC 2181). You can have a single-character host name as long as it follows the syntax.

Regards,
-sm

Re: RRSIG Expired
At 17:23 03-04-2011, Paul Ooi Cong Jen wrote:
> Yea, this was default via FreeBSD :)

Some versions of FreeBSD have commented out directives to slave the root zone, the arpa zone and the in-addr.arpa zone from f.root-servers.net.

Regards,
-sm

Re: continous DNS query to ROOT DNS server
At 11:33 25-04-2011, babu dheen wrote:
> Dears, I have DHCP server running in Windows Operating System (Windows 2003), I have configured forwarder towards gateway DNS server (running in redhat). When I check the firewall hits for DHCP server I can see, my DHCP server is sending too many DNS query towards ROOT DNS servers (192.175.48.1, 192.175.48.6, 192.175.48.42 and etc)

See http://tools.ietf.org/html/draft-ietf-dnsop-as112-under-attack-help-help

Regards,
-sm

Re: Bug in bind 9.7.3?
Hi Frank,

At 11:33 26-05-2011, Frank Kloeker wrote:
> I am using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If I try
>
> # host -t TXT _adsp._domainkey.federalreserve.gov

This occurs with BIND 9.8.0:

buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed, back trace
#0 0x1c012a92 in assertion_failed()+0x42
#1 0x1c186957 in isc_assertion_failed()+0x27
#2 0x1c187e6d in isc__buffer_putuint8()+0x7d
#3 0x1c09f3e5 in dns_ncache_addoptout()+0x2e5
#4 0x1c10fce9 in ncache_adderesult()+0x69
#5 0x1c1102e5 in validated()+0x3a5
#6 0x1c1a2af0 in isc__taskmgr_dispatch()+0x1c0
#7 0x1c1a5f23 in evloop()+0x73
#8 0x1c1a619a in isc__app_ctxrun()+0x13a
#9 0x1c1a6242 in isc__app_run()+0x12
#10 0x1c013add in main()+0xbbd
#11 0x1c003917 in ___start()+0x77
#12 0x1c003897 in __start()+0x17
#13 0xcfbde8bc in __fini()+0xb3a2874c
exiting (due to assertion failure)

Regards,
-sm

Re: about AUTHORITY SECTION
At 00:04 08-07-2011, Chris Buxton wrote:
> As for Kevin's assertion that the SOA record in the authority section is required for a negative response, this is also incorrect. RFC 2308 is a proposed standard, not a standard. Further, section 8 of this RFC does not say explicitly that an SOA must be

RFC 2308 replaces Section 4.3.4 of RFC 1034. Irrespective of whether it is only at Proposed Standard, it is implemented by BIND 9.

Regards,
-sm

Re: [UNsolved] was: what does dig +trace do?
Hi Tom,

At 23:42 01-09-2011, Tom Schmitt wrote:
> But seriously: I don't see in the RFC that it is forbidden to have a hostname directly in the root-zone (without a internal dot).

From RFC 921:

"The names are being changed from simple names, or globally unique strings, to structured names, where each component name is unique only with respect to the superior component name."

"Because of the growth of the Internet, structured names (or domain style names) have been introduced. Each element of the structured name will be a character string (with the same constraints that previously applied to the simple names). The elements (or components) of the structured names are separated with periods, and the elements are written from the most specific on the left to the most general on the right."

The above discusses hierarchical names. It is about how the system was designed to work and not about what is forbidden. The syntax of a legal Internet host name was specified in RFC-952, updated by RFC 1123.

Regards,
-sm

Re: Bug in Bind 9.8 or am I doing something wrong?
Hi Jaap,

At 15:42 06-09-2011, Jaap Akkerhuis wrote:
> Make me wonder who reserved .local and specifically earmarked it to be used for mDNS. Iana <http://www.iana.org/domains/root/db/> doesn't seem to know about this. Can you give some references?

See draft-cheshire-dnsext-multicastdns-14 which you may have read. :-)

There is also a proposal for a "Special-Use Domain Name" (draft-cheshire-dnsext-special-names-01).

Regards,
-sm

Re: Weird IPv6 issue?
At 11:01 11-09-2011, Sten Carlsen wrote:
> If I do: dig d6.s-carlsen.dk (d6 is the host in question, it has one IPv6 address, nothing else), I get no answer, but it gives me the SOA. This is the case even if looking from the server itself. The following from my normal workstation.
>
> silver4:~ carlsen$ dig d6.s-carlsen.dk
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> d6.s-carlsen.dk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45921
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;d6.s-carlsen.dk. IN A
>
> ;; AUTHORITY SECTION:
> s-carlsen.dk. 86400 IN SOA ns2.s-carlsen.dk. hostmaster.s-carlsen.dk. 2010123191 10800 900 604800 86400

If the type argument is not supplied, dig will perform a lookup for an A record.

dig d6.s-carlsen.dk

Regards,
-sm

Re: NXDOMAIN redirection in BIND 9.9
At 14:52 29-09-2011, Michael Graff wrote:
> We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to. The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intrusively -- than BIND 9.9 will.

http://queue.acm.org/detail.cfm?id=1647302

Regards,
-sm

Re: Suspecious DNS queries dropped by Firewall
At 04:46 13-12-2011, babu dheen wrote:
> In what situation, DNS packet size can exceed more than 512 bytes. In fact, my gateway DNS

TXT records used for DKIM, for example.

Regards,
-sm

Re: Suspecious DNS queries dropped by Firewall
At 03:51 14-12-2011, babu dheen wrote:
> In this case, do you think that internal users trying to send emails directly to internet?

No.

> Email delivery is taken care by Email Gateway device, obviously, DKIM verification (if enabled) can only be done by Email gateway of my company... How does internal client make DKIM query which uses the TXT record in DNS ?

The "internal client" (MUA) does not make such queries.

> Can you tell me list of URL which size exceed 514 bytes to verify whether my internal server truncate/return failure code when query such URL using UDP query?

See http://netalyzr.icsi.berkeley.edu/

Regards,
-sm

Re: DLZ provider other than a database?
At 17:53 20-12-2011, Doug Barton wrote:
> I've been given an interesting challenge that I doubt I'm the first one to face, so I thought I'd ask. :) I have an internal project for which I have a large'ish number of hostnames that I want to return a fairly standard set of RRs for, but (for a variety of reasons) I'd rather not create any sort of static data set for (e.g., zone file, actual db entries, etc.).

https://github.com/jpmens/dlz_lua

Regards,
-sm

Re: Wildcards and the include directive?
At 00:29 24-01-2012, Alfie John wrote:
> I've looked hard but can't find any reference to using wildcards inside an include directive. Does this feature exist in 9?

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2575504

Regards,
-sm

Re: dig printout doesn't appear to match reality
At 08:53 16-05-2009, Frank Bulk wrote:
> It appears that dig is printing results that it attributes to the wrong server. While troubleshooting an inconsistent NS issue (upstream from us), a trace

[snip]

> sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
> sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.

This is unrelated to your original question. dns.mtcnet.net does not resolve.

Regards,
-sm

Re: A question from RFC 3403
At 07:22 26-05-2009, sandoche BALAKRICHENAN wrote:
> An example from RFC 3403
>
> The URN might look like this:
>
> urn:cid:199606121851.1@bar.example.com
>
> This Application's First Well Known Rule is to extract the characters between the first and second colon. For this URN that would be 'cid'. The Application also specifies that, in order to build a Database-valid Key, the string 'urn.arpa' should be appended to the result of the First Well Known Rule. The result is 'cid.urn.arpa'. Next, the client queries the DNS for NAPTR records for the domain-name 'cid.urn.arpa'. The result is a single record:
>
> cid.urn.arpa. IN NAPTR 100 10 "" "" "!^urn:cid:.+@([^\.]+\.)(.*)$!\2!i"
>
> My question is when the application has already converted "urn:cid:199606121851.1@bar.example.com" -> cid.urn.arpa.
>
> ==> why does the regexp string again searches for "urn:cid:" ?

Because it's not a terminal lookup.

> REGEXP - A <character-string> containing a substitution expression that is applied to the original string
>
> ==> Anyone have an idea why it always should be applied to the original string?

The answer is in the paragraph that follows the one you quoted.

Regards,
-sm

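An added example, not part of the original exchange: the NAPTR REGEXP field quoted above, parsed and applied both to the original URN and to the lookup key `cid.urn.arpa`, showing why only the original string yields the next name to query. Python's `re` stands in for POSIX extended regular expressions, and the function names are made up for this sketch.

```python
import re

# Values quoted in the message above (taken from the RFC 3403 example).
URN = "urn:cid:199606121851.1@bar.example.com"
NAPTR_REGEXP = r"!^urn:cid:.+@([^\.]+\.)(.*)$!\2!i"


def first_well_known_rule(urn):
    """Build the first lookup key: text between the first and second colon
    with 'urn.arpa' appended, as described in the quoted example."""
    parts = urn.split(":", 2)
    if len(parts) < 3 or parts[0].lower() != "urn":
        raise ValueError("not a URN: %r" % urn)
    return parts[1].lower() + ".urn.arpa"


def parse_subst_expr(field):
    """Split '<delim>ere<delim>repl<delim>flags' into (compiled regex, repl).

    Assumption: the delimiter does not occur inside the expression or the
    replacement, which holds for the record quoted on this page.
    """
    if len(field) < 4:
        raise ValueError("substitution expression too short")
    delim = field[0]
    pieces = field[1:].split(delim)
    if len(pieces) != 3:
        raise ValueError("expected exactly three delimiters")
    ere, repl, flags = pieces
    if set(flags) - {"i"}:
        raise ValueError("unsupported flag in %r" % flags)
    return re.compile(ere, re.IGNORECASE if "i" in flags else 0), repl


def apply_subst_expr(field, original):
    """Apply the expression sed-style; return None when it does not match."""
    pattern, repl = parse_subst_expr(field)
    match = pattern.search(original)
    if match is None:
        return None
    # Expand \1..\9 back-references in the replacement from the match groups.
    expanded = re.sub(r"\\([1-9])",
                      lambda ref: match.group(int(ref.group(1))) or "",
                      repl)
    return original[:match.start()] + expanded + original[match.end():]


if __name__ == "__main__":
    key = first_well_known_rule(URN)
    print("first key       :", key)
    print("regexp on URN   :", apply_subst_expr(NAPTR_REGEXP, URN))
    print("regexp on key   :", apply_subst_expr(NAPTR_REGEXP, key))
```

The key `cid.urn.arpa` only selects which NAPTR record to fetch; the rewrite needs the host part, which survives only in the original URN, so the expression has to start with `urn:cid:`.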
Re: Slave DNS disconnect...
At 21:33 12-06-2009, Jeff Lasman wrote:
> We recently received a /24 from a provider who said they'd delegate rDNS authority to our servers:
>
> ns1.ns-one.net (85.17.204.1) and ns2.ns-one.net (69.26.172.2)
>
> But looking at the dig trace (I won't copy it in here) for one of the IP#s (chosen at random):
>
> $ dig -x 74.124.205.95 +trace

NS1.TERSUM.COM and NS2.TERSUM.COM did not delegate the /24.

> But the provider assures me that they've got others set up exactly this way and that they can do rDNS.

Ask the provider from which nameservers and to which nameservers the delegation was done.

Regards,
-sm

Re: CNAME for MX Record?
At 09:35 19-08-2009, Bradley Caricofe wrote:
> I have the following issue. A customer hosts a domain with me, facplus.com. Her primary email account is on that domain, we'll call it h...@facplus.com. She has also registered another name through Dotster, meetingtoolsandjewels.com. Dotster provides her with URL redirection and email forwarding for that domain. She has setup an email address, we'll call it h...@meetingtoolsandjewels.com, which should forward to h...@facplus.com. We've been having a problem where not all senders are being received when mail is sent to the h...@meetingtoolsandjewels.com account. I've sent her test emails from gmail, yahoo and my own server (sendmail) and all were received. When I send emails from systems using exchange, I eventually get a bounce that the message has been delayed...it's never received.

;; QUESTION SECTION:
;meetingtoolsandjewels.com. IN MX

;; ANSWER SECTION:
meetingtoolsandjewels.com. 1800 IN MX 0 m1.dnsix.com.
meetingtoolsandjewels.com. 3600 IN CNAME meetingsmaven.typepad.com.

Regards,
-sm

Re: Deny MX queries for dynamic IP pools
At 05:25 31-01-10, Wael Shaheen wrote:
> As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much.

Mail submission is done over port 587 and not port 25.

> Luckily we have two set of DNS server farms; one that is serving static IP users and one that is dedicated only for dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries. So instead of blocking port 25 we can redirect the DNS port to the DNS farm that is dedicated for dynamic users, that will guarantee that no standard DNS port forwarded queries are going to external servers. Then we will block the MX and root queries for those dynamic clients. That will prevent them from using a locally installed DNS service on their machines or query MX records for targets they want to send spam to.

That can be bypassed as you explained below.

> Of course there will still be some challenges like if some spammers know the A record of the mail server they want to connect to or if they used the IP address of the targeted mail server also if they used open dns that works on non-standard ports, but then again I believe these users will stand out and will be identified more easily.

The idea is another variation of the walled garden. You could look into doing traffic flow analysis and using feedback reports to identify the source of the abuse.

Regards,
-sm

Re: designing the DNS from the scratch
Hi Abdulhadi,

At 00:31 09-07-2017, Abdulhadi Ettwejiri wrote:
> we are ISP company, we are providing Internet to our customer, Recently one of our VIP customer ask for DNS service, and need the response time 3msec, we don't have enough knowledge of DNS,

I suggest discussing with your customer about the requirement as it is not clear what they are looking for.

Regards,
-sm