Re: How can I set the interface used to transfer zones?
Try transfer-source in the slave zone options:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar

On Thu, 5 Jul 2012, Carlos Ribas wrote:

> Hi,
>
> Yes. That's the problem. I have this statement defined, but it still tries to connect using the wrong IP. Any ideas?
>
> Regards,
> - Carlos Eduardo Ribas
>
> 2012/7/5 Jan-Piet Mens
>
> > > Is it possible to configure my slave to receive zones using a specific interface from master?
> >
> > Your slave's zone stanza looks like this:
> >
> >     zone "example.net" {
> >         type slave;
> >         file "...";
> >         masters { 10.1.1.1; };
> >     };
> >
> > The `masters' statement defines the address of the master server, so you specify the private IP address of your master here.
> >
> > -JP

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: ISO or virtual appliance
On Thu, 22 Aug 2013, Manish Rane wrote:

> Hi Guys,
>
> Is there any ISO or virtual appliance available for BIND, which eases the deployment and configuration task?

Free, or commercial? I know Infoblox has this, though I have no direct experience with that side.
http://www.infoblox.com/products/infoblox-appliances
Re: whois expiration limit?
On Wed, 19 Feb 2014, Lightner, Jeff wrote:

> Hi,
>
> I know this is the BIND list but I'm thinking folks who deal with DNS probably may be able to answer this question about whois.
>
> We recently transferred and renewed a domain by 2 years which pushed its expiration to 01/25/2025. The order confirmation shows that expiration, and looking at the domain at the Registrar's web site under our account it shows that expiration as well.
>
> However, when running whois both here and at the Registrar's site it shows expiration 01/25/2024.
>
> It makes me wonder if there is a 10 year limit in whois, since 2024 would be within 10 years but 2025 would be outside of it. I didn't see anything in RFC 3912 describing whois that even suggests a limit for expiration dates.
>
> Not a big deal as I may be dead by then either way - just wondering if anyone knows of a reason this would occur.
>
> Please don't suggest I contact the Registrar. I already did and they seemed as clueless as I am.

Just anecdotally, but I have seen a 10 year limit on registration/renewal before. I believe CIRA only allows that, generally.

Not sure of a more appropriate list, either, so figured I'd respond here.
Re: TTL is varying across nameservers
Hi Robert,

On Sun, 25 Sep 2022, Robert M. Stockmann wrote:

> There is something strange going on with the TTL of my domain across nameservers on the internet. This is how it's configured on ns1.stokkie.net and ns2.stokkie.net:
>
>     $ dig +norecurse +ttlid stokkie.net @84.87.53.162
>
>     ; <<>> DiG 9.8.1 <<>> +norecurse +ttlid stokkie.net @84.87.53.162
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54209
>     ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
>     ;; QUESTION SECTION:
>     ;stokkie.net.                   IN      A
>
>     ;; ANSWER SECTION:
>     stokkie.net.            86400   IN      A       84.87.53.162
>     <- snip ->
>
> Here the nameserver of my ADSL ISP, resolver1.kpn.net:
>
>     $ dig +ttlid stokkie.net @194.151.228.18
>
>     ; <<>> DiG 9.8.1 <<>> +ttlid stokkie.net @194.151.228.18
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47231
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;stokkie.net.                   IN      A
>
>     ;; ANSWER SECTION:
>     stokkie.net.            79291   IN      A       84.87.53.162
>     <- snip ->
>
> Here the public DNS server of Google:
>
>     $ dig +ttlid stokkie.net @8.8.8.8
>
>     ; <<>> DiG 9.8.1 <<>> +ttlid stokkie.net @8.8.8.8
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29668
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;stokkie.net.                   IN      A
>
>     ;; ANSWER SECTION:
>     stokkie.net.            21599   IN      A       84.87.53.162
>     <- snip ->
>
> Here's the second time Google:
>
>     $ dig +ttlid stokkie.net @8.8.8.8
>
>     ; <<>> DiG 9.8.1 <<>> +ttlid stokkie.net @8.8.8.8
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3080
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;stokkie.net.                   IN      A
>
>     ;; ANSWER SECTION:
>     stokkie.net.            21600   IN      A       84.87.53.162
>     <- snip ->
>
> Is this proper behavior?

Yes, it is. The queried DNS servers are caching servers and answer from the cache.

The first time, they get the result from the authoritative server with a TTL of 86400. When they serve the answer from the cache, they will reduce the TTL by the number of seconds since they got it from the authoritative server - i.e. the TTL would be 0 after one day and the caching server (or any server downstream) *must* get a new record from the authoritative server.

Though, I find it interesting that the TTL of the Google DNS server *increases* between the queries - are you sure the order is right?

regards,
Erich
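The cache behaviour Erich describes, as an added example that is not code from the thread: it computes the TTL a cache must report at a given moment and classifies two successive observations from one resolver, flagging the case where the TTL goes up (21599 then 21600), which a single decaying cache entry cannot produce. The answer lines and timestamps are constructed from the values quoted above.

```python
"""Model how a caching resolver decrements the TTL of a cached answer and
flag a TTL that *increases* between two queries to the same resolver."""
import re
from typing import List, Optional, Tuple

# One line of a dig ANSWER SECTION: "<name> <ttl> IN <type> <rdata>"
ANSWER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)

Answer = Tuple[str, int, str, str]   # (owner name, ttl, type, rdata)
Observation = Tuple[int, int]        # (seconds when observed, ttl seen)


def parse_answer(line: str) -> Optional[Answer]:
    """Parse one answer-section line; None for comment, header or blank lines."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        return None
    return (m.group("name"), int(m.group("ttl")), m.group("rtype"), m.group("rdata"))


def remaining_ttl(original_ttl: int, fetched_at: int, now: int) -> int:
    """TTL a cache must report at `now` for a record it fetched at
    `fetched_at` with `original_ttl`. It never goes negative; 0 means the
    entry has expired and must be re-fetched from the authoritative server."""
    if now < fetched_at:
        raise ValueError("observation precedes the fetch")
    return max(0, original_ttl - (now - fetched_at))


def classify_ttl_step(prev: Observation, cur: Observation, slack: int = 1) -> str:
    """Compare two observations of the same record from the same resolver.
    'same-entry': cur's TTL is what prev's entry would have decayed to
                  (within `slack` seconds of clock jitter).
    'refreshed':  cur's TTL is higher than any decay of prev allows, so the
                  answer came from a new fetch or from a different cache
                  behind the same address (the 21599 -> 21600 case above).
    'lower-than-expected': it decayed faster than the wall clock, so the
                  entry was replaced by one with a shorter TTL or evicted."""
    (t0, ttl0), (t1, ttl1) = prev, cur
    expected = remaining_ttl(ttl0, t0, t1)
    if ttl1 > expected + slack:
        return "refreshed"
    if ttl1 < expected - slack:
        return "lower-than-expected"
    return "same-entry"


def analyze_resolver(dig_outputs: List[Tuple[int, str]]) -> List[str]:
    """Given (observed_at, dig output text) pairs for one resolver, return
    the classification of every consecutive pair of answers."""
    observations: List[Observation] = []
    for observed_at, text in dig_outputs:
        answers = [a for a in map(parse_answer, text.splitlines()) if a]
        if answers:
            observations.append((observed_at, answers[0][1]))
    return [classify_ttl_step(observations[i], observations[i + 1])
            for i in range(len(observations) - 1)]


# Constructed from the thread's two queries against 8.8.8.8, assumed to be
# five seconds apart; header and question lines are skipped by the parser.
GOOGLE_FIRST = """;; ANSWER SECTION:
stokkie.net.            21599   IN      A       84.87.53.162
"""
GOOGLE_SECOND = """;; ANSWER SECTION:
stokkie.net.            21600   IN      A       84.87.53.162
"""

if __name__ == "__main__":
    print(analyze_resolver([(0, GOOGLE_FIRST), (5, GOOGLE_SECOND)]))  # ['refreshed']
```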
Bind9.5.1 Multithreading
I have worked with BIND 9 in single-thread mode, but I want to upgrade my server to Solaris 10 and BIND 9.5.1-P1 (my machine has 4 GB RAM and 2 CPUs (900 MHz)).

Based on practical experience: is enabling multithreading for BIND 9.5.1 good or not? (considering stability and simple management)

Regards
Iman
Open Ports in BIND
Dear Admins

I installed BIND v9.5.1 and it works properly, but I have some questions about these parameters:

    # netstat -an |grep 53 |wc
    3911223 20656

Is the first number the total number of queries asked from my server on port 53, or the number of sessions that were established? What are the second and third numbers?

    # netstat -an |grep 953 |wc
    1 7 75

What are the above numbers (first, second, third)?

    # rndc status
    xxx...
    soa queries in progress: 1
    query logging is OFF
    recursive clients: 365/32668/32768
    tcp clients: 3/1
    server is up and running

What is the meaning of recursive clients 365/32668? Is 365 the number of queries asked from my server, or the number of sessions from other clients to me? What is the meaning of tcp clients: 3?

Any guide would be appreciated.

Regards
Open ports in Bind
Dear Admins

Maybe my first question was phrased wrongly, sorry for the terrible wording! My question is: when I run netstat -an, why does my server have some established connections from its own IP address, through different source ports, to one client address? Example:

    192.168.1.1.51121  74.222.11.71.53  Connected
    192.168.1.1.58967  74.222.11.71.53  Connected
    192.168.1.1.46691  74.222.11.71.53  Connected

Does it mean that client 74.222.11.71, at the time of the snapshot, requested 3 DNS queries from my server, or something else?

Can we say the number of recursive clients after running "rndc status" and the output of "netstat -an |grep 53 | wc" point to the same thing (regardless of the difference in running time)?

Regards
"Fragment Flags Invalid"
I installed a fresh installation of Solaris 10 on a SPARC machine with the latest BIND v9. This server is behind a hardware firewall (the policy from out to in is udp 53, and from in to out is any). But my Cisco IDS always announces this alarm from my server to other external clients or servers: "Fragment Flags Invalid"

    Src Address   Dst Address   Signature Name
    192.168.1.1   x.x.x.x       Fragment Flags Invalid

Here is my named.conf:

    options {
        version "version not currently available";
        pid-file ".../run/named.pid";
        directory ".../named/namedb";
        dump-file ".../named.dump";
        recursive-clients 1;
        statistics-file "/namedb/statistics";
        tcp-clients 1000;
        allow-recursion { any; };
    };
    logging {
        channel simple_log {
            file "/var/adm/named/bind.log" versions 3 size 50m;
            print-category yes;
            print-severity yes;
            print-time yes;
            severity warning;
        };
        category default { simple_log; };
    };
    key "rndc-key" {
        algorithm ,;
        secret "";
    };
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    };

Does anybody have an idea about this alarm? Can I fix this error by tuning BIND?

Regards
Difference between netstat & rndc status
Hello Admins

When I run:

    #netstat -an |grep udp |wc

it returns a number which is lower than the output of rndc status recursive clients. What is the difference between netstat -an |grep udp |wc (open udp ports to the DNS server) and the amount of recursive clients in the rndc status command? I thought they should present the same value, shouldn't they? Does the difference point to the cache hints?

Here are my values:

    ns1# netstat -an | grep udp | wc
    6303150 42210
    ns1# netstat -an | grep tcp | wc
    22 1321669
    ns1# rndc status
    version: 9.7.3-P1 (version not currently available)
    CPUs found: 4
    worker threads: 4
    number of zones: 18
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 1497/9900/1
    tcp clients: 3/1000
    server is up and running

Regards
Iman
Fwd: Re: Difference between netstat & rndc status
-----Original Message-----
From: "Bind"
To: "Feng He"
Date: Mon, 04 Jul 2011 18:13:19 +0430
Subject: Re: Difference between netstat & rndc status

How long does rndc take for calculating its output value (recursive clients value)? i.e. over which duration does it calculate its value, one second?!

Regards

-----Original Message-----
From: Feng He
To: Bind
Cc: bind-users@lists.isc.org
Date: Sun, 3 Jul 2011 19:04:47 +0800
Subject: Re: Difference between netstat & rndc status

2011/7/3 Bind :
> Hello Admins
> When i run :
> #netstat -an |grep udp |wc
> it returns a number which is lower than the output of rndc status recursive
> clients.
> what is the difference between netstat -an |grep udp |wc(open udp ports to
> dns server) and amount of recursive clients in the rndc status command?

Not the same stuff at all. netstat -an|grep udp shows the UDP concurrent connections currently.

> recursive clients: 1497/9900/1

This shows the history count of DNS replying.

Regards.
Fwd: Re: Fwd: Re: Difference between netstat & rndc status
-----Original Message-----
From: "Bind"
To: "Mark Andrews"
Date: Tue, 05 Jul 2011 09:55:03 +0430
Subject: Re: Fwd: Re: Difference between netstat & rndc status

Thanks for your best support and answers all the time.
Could you explain more about this list? How is it built and when is it refreshed?

Regards

-----Original Message-----
From: Mark Andrews
To: "Bind"
Cc: "bind-users@lists.isc.org"
Date: Tue, 05 Jul 2011 09:07:07 +1000
Subject: Re: Fwd: Re: Difference between netstat & rndc status

In message , "Bind" writes:
>
> How much does rndc take for calculating its output value(recursive clients
> value)?
> ie (in which duration it calculates its value,one seconds?!)
> Regards

It's the current count of the number of clients in the list. The number of UDP sockets is unrelated to the number of clients.

* Multiple clients ask the same question.
* A client can result in multiple simultaneous queries being made.
* named makes its own queries.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
nslookup problem
Hi

I have an authoritative DNS server which handles my domains. Also, my DNS server is recursive, so I set it in my hosts. When I run nslookup on a Windows machine and do a query about domains which my DNS server isn't authoritative for, like yahoo.com, it returns:

    Non-authoritative answer:
    Name:      yahoo.com
    Addresses: 72.30.2.43
               98.137.149.56
               209.191.122.70
               67.195.160.76
               69.147.125.65

OK, my server isn't authoritative for yahoo.com and everything is correct. But when I ask about domains which my DNS server is authoritative for, it returns the same structure (Non-authoritative answer:):

    > www.report.dci.ir
    Server:   [217.218.127.105]
    Address:  217.218.127.105

    Non-authoritative answer:
    Name:     www.report.dci.ir
    Address:  217.218.127.123

Why? Since my DNS server is authoritative for dci.ir, I think it should show "authoritative answer"! What is the reason?

thx
Re: All Bind servers crashed
On Wed, 16 Nov 2011, Bill Owens wrote:

> On Wed, Nov 16, 2011 at 09:57:18AM +0100, Stephane Bortzmeyer wrote:
> > On Wed, Nov 16, 2011 at 09:47:48AM +0100, Magnus Schmidt wrote a message of 49 lines which said:
> > >
> > >     Nov 16 05:30:41 xxx named[1326]: critical: query.c:1781: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed, back trace
> >
> > This behavior makes me bet that the trigger is a name in an incoming email message, being resolved by an anti-spam filter.
>
> That appeared to trigger a site-wide resolver crash back in May, when the oversigned .gov zone was mentioned on a list (this particular list, I think). That suggests looking in the inbound mail spool to see what might have been received at the time of the crash might be productive.
>
> Regardless of how the query was started, if this theory of propagation is correct I'd suggest that posting the triggering name unobscured in an email message would be A Bad Thing, even if one is emailing it to ISC as they've suggested. Perhaps *especially* in that case, unless they've taken care to have one production recursor running Unbound ;)
>
> Bill (who is downloading Unbound right now)

We had the same thing happen, across multiple, geographically-diverse servers overnight, around the exact same time as the OP. That seems a little odd to be an email, as it would have to cover a myriad of destinations all at once. While that's possible, I'm just finding it lacking as the sole reason for the conclusion.

Using 9.7.3-P3 from ISC sources, here, too.
Bind-9.6 and Heavy Cpu Load
Hello

I have a SunFire V880 (2 CPUs + 4 GB RAM) and installed BIND 9.6.1-P1 on Solaris 10. But my CPU load is very high! (above 90% during the peak time)

    bash-3.00# prstat -a
       PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
       562 root     2517M 2498M cpu0     0    0 1503:30:2  95% named/5
      2394 root     3808K 3168K cpu2    59    0   0:00:00 0.9% prstat/1

Here is some related information:

    rndc status
    recursive clients: 841/9900/1

My input traffic as shown by MRTG is about "2.5" Mbps of received requests (udp 53), and is normal in our network behavior during the peak time.

My question is: does this high CPU load relate to the input requests and is it normal, or does it relate to something else? Also, I disabled DNSSEC (dnssec-enable no; dnssec-validation no;) and the logging feature in BIND, but the CPU load didn't decrease!

Does anybody have an idea about it?
Bind-9.7.1 multi thread question (FreeBSD)
Hello

I compiled BIND 9.7.1 on FreeBSD 8 (amd64):

    ./configure --prefix=/opt/ --enable-threads --sysconfdir=/opt/config --localstatedir=/opt/ --sbindir=/opt/named --datarootdir=/opt/ --enable-shared=no --with-openssl

Everything is OK and it works. But when I run the top command, FreeBSD returns many named processes which are running. Is it OK? (On my previously installed BIND 9.6 on Solaris it didn't show these in prstat -a.)

      PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
      396 root        7  49    0 3207M  2575M kqread  3 725:01 19.97% named
    71422 root        1  44    0 28652K  8768K select  1   0:46  0.00% snmpd
      882 root        1  44    0  5864K  1512K select  0   0:00  0.00% syslogd
     1117 root        1  44    0  6920K  1588K nanslp  2   0:00  0.00% cron
      543 root        7  44    0 20640K 11844K kqread  0   0:00  0.00% named
      637 root        7  44    0 20640K 11888K kqread  2   0:00  0.00% named
      531 root        7  44    0 20640K 11844K kqread  0   0:00  0.00% named
      725 root        7  44    0 20640K 11888K kqread  2   0:00  0.00% named
      602 root        7  44    0 20640K 11888K kqread  2   0:00  0.00% named
      679 root        7  44    0 20640K 11844K kqread  2   0:00  0.00% named
      597 root        7  44    0 20640K 11888K kqread  0   0:00  0.00% named
      695 root        7  44    0 20640K 11844K kqread  2   0:00  0.00% named
      684 root        7  44    0 20640K 11888K kqread  1   0:00  0.00% named
      613 root        7  44    0 19616K 11800K kqread  1   0:00  0.00% named
      555 root        7  44    0 20640K 11844K kqread  1   0:00  0.00% named
      625 root        7  44    0 20640K 11888K kqread  0   0:00  0.00% named
      846 root        7  44    0 20640K 11888K kqread  1   0:00  0.00% named
      707 root        7  44    0 20640K 11888K kqread  3   0:00  0.00% named
     1128 root        7  44    0 20640K 11856K kqread  0   0:00  0.00% named
     1360 root        7  44    0 20640K 11924K kqread  1   0:00  0.00% named
    70665 root        7  44    0 20640K 11924K kqread  0   0:00  0.00% named
     1376 operator    7  44    0 20640K 11904K kqread  0   0:00  0.00% named
     1337 operator    7  44    0 20640K 11948K kqread  0   0:00  0.00% named
     1252 operator    7  44    0 20640K 11948K kqread  3   0:00  0.00% named
     1276 operator    7  44    0 20640K 11904K kqread  3   0:00  0.00% named
     1232 operator    7  44    0 20640K 11948K kqread  1   0:00  0.00% named
     1298 root        7  44    0 20640K 11880K kqread  0   0:00  0.00% named
     1319 operator    7  44    0 20640K 11948K kqread  3   0:00  0.00% named
    71374 operator    7  44    0 19616K 11856K kqread  1   0:00  0.00% named
    70559 operator    7  44    0 20640K 11904K kqread  3   0:00  0.00% named
    70630 root        7  44    0 20640K 11880K kqread  0   0:00  0.00% named
    70443 operator    7  44    0 20640K 11948K kqread  2   0:00  0.00% named
    70612 root        7  44    0 20640K 11924K kqread  3   0:00  0.00% named
    70590 operator    7  44    0 20640K 11904K kqread  1   0:00  0.00% named
    70464 operator    7  44    0 20640K 11904K kqread  0   0:00  0.00% named
    71884 root        1  44    0 10352K  3800K CPU0    0   0:00  0.00% top
     1304 root        7  44    0 20640K 11876K kqread  1   0:00  0.00% named
    70618 root        7  44    0 20640K 11880K kqread  0   0:00  0.00% named
    70519 root        7  44    0 20640K 11880K kqread  1   0:00  0.00% named

Why does top show these, and is it normal operation or did I make a mistake?

Regards
Iman
"spare hosts" as personal DNS nameservers for 'mynew.org'
Assume I register domain 'mynew.org' with registrar namecheap; and as an exercise, I plan to set up my own two authoritative DNS nameservers for 'mynew.org'.

I have several linux VMs that are under-used, so I want to use them for the nameservers for 'mynew.org'. **Neither are in 'mynew.org'; is that going to work?**

namecheap support seems to suggest that the personal DNS authoritative nameservers for 'mynew.org' must be in 'mynew.org', as in

    ns1.mynew.org
    ns2.mynew.org

This is not what I want, since I do not want to spin up 2 new servers. **Pls confirm that I do not need to do this, and that I could use 2 existing linux hosts outside of mynew.org as personal DNS authoritative nameservers.**

Any additional related tips appreciated.

--
thanks!, Tom

--
Related (Child NS records): <http://zq3q.org/pz/#cispa_DNS_Nameserver_NS_records_for_mynew.org>
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On Tue 7/11/17 15:23 +0100 Tony Finch wrote:
> b...@zq3q.org wrote:
> >
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. Neither are in 'mynew.org';
> > is that going to work?
>
> Yes, that is perfectly normal. For example,
>
> $ dig +noall +answer ns dotat.at
> dotat.at.      3559   IN  NS  ns1.gratisdns.dk.
> dotat.at.      3559   IN  NS  ns3.gratisdns.dk.
> dotat.at.      3559   IN  NS  grey.dotat.at.
> dotat.at.      3559   IN  NS  puck.nether.net.
>
> $ dig +noall +answer ns ac.uk
> ac.uk.         20993  IN  NS  ns0.ja.net.
> ac.uk.         20993  IN  NS  ns1.surfnet.nl.
> ac.uk.         20993  IN  NS  ns2.ja.net.
> ac.uk.         20993  IN  NS  ns3.ja.net.
> ac.uk.         20993  IN  NS  ns4.ja.net.
> ac.uk.         20993  IN  NS  auth03.ns.uu.net.
> ac.uk.         20993  IN  NS  ws-fra1.win-ip.dfn.de.

Thanks for the good examples Tony. Nice to learn your "+noall +answer" dig syntax also.

--
What is a domain registrar with good support that can guide me through getting this to work under linux (fedora 24 and bind 9.x)? I can buy a new domain if need be.

My current registrar may respond with a different person for each mail for a given single issue, and I'm getting inconsistent answers. They will not tell me any of their log error info; not sure if they even look? They ignore several of my questions. In fairness they are sincere and trying.

--
thanks, Tom
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
Hi Niall:

On Tue 7/11/17 15:24 +0100 "Niall O'Reilly" wrote:
> On 11 Jul 2017, at 14:57, b...@zq3q.org wrote:
> >
> > Assume I register domain 'mynew.org' with registrar namecheap; and as
> > an exercise,
> > I plan to set up my own two authoritative DNS nameservers for
> > 'mynew.org'.
> >
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> > is that going to work?**
>
> Unless you misconfigure things, it should just work.

**I think I have one thing wrong, pls confirm:**

Assume my 'spare nameservers' are these fictitious ones:

    pup.asdf.org
    zap.xen.prgmr.com

I did **not** register:

    pup as a nameserver for mynew.org in asdf.org
    zap as a nameserver for mynew.org in xen.prgmr.com

One of my real hosts *is below xen.prgmr.com*, like the fake 'zap' above, so I would have to email prgmr.com support to get them to add

    mynew.org.  IN  NS  zap.xen.prgmr.com.
                ^^^ << Is this valid?

to the xen.prgmr.com zone. Is this correct?

--
I tried to get the terminology roughly right. In my fictitious example, I had to pick a registrar (not namecheap) to help me create the 'asdf.org'. Then to get a NS record for pup.asdf.org to be authoritative for "mynew.org." in the zone for 'asdf.org', I have to deal with the registrar's web GUI, and "register" pup.asdf.org as this NS. Of course there is also a SOA, and NS record in the "mynew.org." zone.

Sorry if I'm getting pedantic, but I would appreciate anyone correcting me so I understand.

> > namecheap support seems to suggest that the personal DNS authoritative
> > nameservers
> > for 'mynew.org', must be in 'mynew.org', as in
> >
> > ns1.mynew.org
> > ns2.mynew.org
>
> Nonsense.

Thanks. In fairness, different support emails led me in conflicting directions. They do have a 'custom DNS servers' option that seems to support name servers that are "non vanity" / "outside-the-domain-they-are-authoritative-for" nameservers. That option silently failed for me (see "I think I have one thing wrong" above). It's frustrating that my registrar does not share any error logs that could pinpoint the problem.

> OTOH, if your registrar is obdurate, you may need to find
> a creative work-around.
>
> > This is not what I want, since I do not want to spin up 2 new servers.
>
> You can work around the obduracy without spinning up any new server.
> Simply use the addresses of each of your existing servers in the AAAA
> (you are using IPv6, I hope?) and A records for the new names.

I prefer not to use a work-around. I'm willing to go with another registrar, if someone could suggest one.

--
In any case, see if I understand you: So, at the registrar level for mynew.org, I specify the vanity name servers ns1.mynew.org and ns2.mynew.org with the IP addresses of pup and zap. I also add (sorry, IPv4) 'A' records for ns1.mynew.org and ns2.mynew.org in the mynew.org zone for nameservers pup and zap.

> Of course, this can only work if your servers have public, reachable
> addresses.

They are public.

--snip

THANKS Niall for the help and good words!

--
regards, Tom
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
Hi Matthew:

On Tue 7/11/17 15:24 +0100 Matthew Seaman wrote:
> On 2017/07/11 14:57, b...@zq3q.org wrote:
> >
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> > is that going to work?**
>
> Yes, that will work. There is no requirement for any of the NSes for
> a zone to be part of that zone or, conversely, not part of that zone.

This seems imp:

> Although if any of the NSes are in the zone, there should be glue
> records added at the level above.

As I wrote to Niall (msg dated 11 Jul 2017 15:04:32 -0500), I **do not** have a NS record for each of my two nameservers in the domain zone that the respective nameserver itself is in. That is a mistake I need to fix, right?

> > namecheap support seems to suggest that the personal DNS authoritative
> > nameservers for 'mynew.org', must be in 'mynew.org', as in
> >
> > ns1.mynew.org ns2.mynew.org
>
> This is not a requirement from the DNS side. It's normal for
> providers to offer this -- vanity name servers are usually a selling
> point.

OK. Thanks for that term "vanity name servers".

> Even so, if you can make ns1.mynew.org and ns2.mynew.org resolve to
> the A or AAAA addresses of your VMs, you should be good to go. named
> is going to work the same irrespective of whatever it thinks the
> hostname of your VM is, and that can be different to the name users
> look up in the DNS.
>
> Failing that, there are any number of other providers that will let
> you register a domain, and the vast majority of those certainly will
> let you specify your own nameservers.

If you have a specific registrar in mind with good support pls let me know.

--
thanks/regards, Tom
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
Hi Reindl:

On Tue 7/11/17 18:05 +0200 Reindl Harald wrote:
>
> On 11.07.2017 at 15:57 b...@zq3q.org wrote:
> > Assume I register domain 'mynew.org' with registrar namecheap; and as an
> > exercise,
> > I plan to set up my own two authoritative DNS nameservers for 'mynew.org'.
> >
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> > is that going to work?**
> >
> > namecheap support seems to suggest that the personal DNS authoritative
> > nameservers
> > for 'mynew.org', must be in 'mynew.org', as in
> >
> > ns1.mynew.org
> > ns2.mynew.org
>
> for sure not
> and i am responsible for both zones and some hundred others
> on that nameservers over 15 years

Thanks for confirming.

> https://intodns.com/rhsoft.net confirms that all is fine

Thanks for this tool!

> and when your
> registrar really has such crazy requirements switch to a sane one -
> frankly it's even not helpful in case you need to switch nameservers
> because in the case above they become GLUE records with a TTL of 172800
> independent from the zone TTL

OK, I'm ready to consider other registrars; any suggestions would be appreciated. https://www.gandi.net/ has been suggested by Matthew Seaman. Looks good to me.

related rant: http://zq3q.org/pz/#zycbu_Choosing_a_DNS_registrar

> i had to switch a server which hosted websites and one of the
> nameservers (i know don't mix it) to a different machine some years ago
> and it was not funny that it took ages until webclients used the new IP
> address while DNS would not have been a problem by just keeping the old one
> as additional slave until shutting it down
>
> ns1.thelounge.net. ['85.124.176.242'] [TTL=172800]
> ns2.thelounge.net. ['91.118.73.16'] [TTL=172800]
>
> [harry@rh:~]$ whois rhsoft.net
> ...
> Name Server: ns1.thelounge.net
> Name Server: ns2.thelounge.net
> DNSSEC: Unsigned
>
> [harry@rh:~]$ dig NS rhsoft.net @ns1.thelounge.net
> ; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> NS rhsoft.net
> @ns1.thelounge.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27172
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;rhsoft.net.                    IN      NS
>
> ;; ANSWER SECTION:
> rhsoft.net.             86400   IN      NS      ns2.thelounge.net.
> rhsoft.net.             86400   IN      NS      ns1.thelounge.net.

--snip

On Tue 7/11/17 21:33 +0200 Reindl Harald wrote:
--snip
> > What is a domain registrar with good support, that can guide me through
> > getting this to work under linux (fedora 24 and bind 9.x)? I can buy a new
> > domain
> > if need be.
>
> no need - you can transfer your domains at any point in time

Thanks. I may as well learn that process.

--snip
>
> in case of .at we are directly registrar and our infrastructure talks
> directly via
> https://en.wikipedia.org/wiki/Extensible_Provisioning_Protocol to

Thx for the above link.

> nic.at, for other TLD's we use https://www.epag.de/ which belongs in the
> meantime to GoDaddy

Thx, I looked at https://www.epag.de/en/

> it should not be that hard to find a service which lets you define the
> nameservers of your domain - if it's a registrar on its own or a
> reseller doesn't matter that much because the only point is whatever
> interface lets you define "these hosts are the nameservers for
> example.com"

--
regards, Tom
Re: delegation NS records
Hi Niall:

On Tue 7/11/17 22:56 +0100 "Niall O'Reilly" wrote:
> On 11 Jul 2017, at 22:01, b...@zq3q.org wrote:
> >
> > As I wrote to Niall (msg dated 11 Jul 2017 15:04:32 -0500),
>
> That hasn't reached me yet.
>
> > I **do not** have a NS record for each of my two
> > nameservers, in the domain zone that the respective nameserver itself is
> > in.
> > That is a mistake, I need to fix, right?
>
> Short answer: just no.
>
> Long answer: not unless either of your servers is providing name service for
> the zone that the nameserver itself is in. As I understand from your
> original message, this is not the case, so just no.

Thanks much!

--
Check my comprehension: So, **delegation** NS records are only needed in the zone which has an $ORIGIN which is 1 level up from the $ORIGIN in the zone that contains the nameserver SOA and authority NS records. If this zone with delegation NS records is a subdomain of a TLD, then one adds these delegation NS records by using the registrar's interface to the TLD registry.

--
regards, Tom
Re: delegation NS records
Hi Bob:

These examples help! Thank you.

On Thu 7/13/17 15:53 -0400 Bob Harold wrote:
> Let's illustrate one NS record, for each of the cases:
> (I think your case is #2)
>
> 1. Name server name inside the domain itself
>
> example.com zone:
>     example.com        IN NS  ns.example.com
>     ns.example.com     IN A   x.x.x.x
>
> the TLD com would have (entered by the registrar)
>     example.com        IN NS  ns.example.com
>     ns.example.com     IN A   x.x.x.x    (this is a "glue" record)

OK. This example is the most commonly seen in web searches.

> 2. Name server name in another domain:
>
> example.com zone:
>     example.com        IN NS  ns.otherdomain.com
>
> TLD com zone:
>     example.com        IN NS  ns.otherdomain.com
>     (no glue record)

Exactly one delegation NS record. Several have made that clear; i.e. I now clearly understand there is *not* another NS delegation record needed in the zone with the $ORIGIN that is part of the ("non vanity") nameserver's FQDN.

> otherdomain.com zone:
>     ns.otherdomain.com IN A   x.x.x.x

Almost goes without saying that the above A record is needed.

> 3. Sibling domains with name servers for each other: (should be avoided?)
>
> example.com zone:
>     example.com        IN NS  ns.otherdomain.com
>     ns.example.com     IN A   x.x.x.x
>
> otherdomain.com zone:
>     otherdomain.com    IN NS  ns.example.com
>     ns.otherdomain.com IN A   x.x.x.x
>
> TLD com zone:
>     example.com        IN NS  ns.otherdomain.com
>     ns.example.com     IN A   x.x.x.x    (glue record?)
>     ns.otherdomain.com IN A   x.x.x.x    (glue record?)

Interesting. I think the glue records make sense. I'm not planning to do this. :->

I do not see any delegation NS record for otherdomain.com above. Is this right?:

TLD com zone:
    example.com        IN NS  ns.otherdomain.com
    ns.example.com     IN A   x.x.x.x    (glue record?)
    otherdomain.com    IN NS  ns.example.com
    ns.otherdomain.com IN A   x.x.x.x    (glue record?)

--
thanks, Tom
Re: delegation NS records
Yesterday, Niall corrected me off list. Hopefully what I write below is now correct:

Assume our nameserver SOA and related authoritative NS record are in the zone w/$ORIGIN "example.com.". Regardless of what the FQDN for the nameserver itself is, only a single **delegation** NS record is needed, and it belongs in the ".com." TLD.

In general the delegation NS record belongs in the zone w/an $ORIGIN which is one level up from the $ORIGIN of the zone that contains the nameserver SOA and authority NS record. When this zone where the delegation NS record belongs is a TLD, one adds the delegation NS record using the registrar's tool that interfaces w/the TLD registry.

--
Tom
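The rule Bob's three cases illustrate and Tom's summary restates (one delegation NS set in the parent, matching the child's apex NS set, with glue only when the nameserver's name lies inside the child zone) can be checked mechanically. The following is an added example written for this page; it is not code from the thread or from BIND. Records are constructed in-line as (owner, type, rdata) tuples, and the 192.0.2.x documentation addresses stand in for Bob's x.x.x.x.

```python
"""Consistency check for a zone delegation (added example, not from the list).

Models Bob's cases 1 and 2 and Tom's summary: the parent zone carries the
delegation NS set for the child, it matches the child's apex NS set, and glue
(A/AAAA in the parent) is needed only when a nameserver's name lies inside the
child zone.  Sample records below are constructed.
"""
from collections import defaultdict


def _norm(name):
    """Canonical form of an owner name or NS target: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def index(records):
    """Map (owner, type) -> set of rdata so lookups are cheap and order-insensitive."""
    idx = defaultdict(set)
    for owner, rtype, rdata in records:
        rtype = rtype.upper()
        idx[(_norm(owner), rtype)].add(_norm(rdata) if rtype == "NS" else rdata)
    return idx


def in_bailiwick(name, zone):
    """True when name is the zone apex or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def check_delegation(child_zone, parent_records, child_records):
    """Return a list of problems; an empty list means the delegation is consistent."""
    problems = []
    parent, child = index(parent_records), index(child_records)
    zone = _norm(child_zone)
    parent_ns = parent.get((zone, "NS"), set())
    child_ns = child.get((zone, "NS"), set())

    if not parent_ns:
        problems.append(f"no delegation NS records for {zone} in parent zone")
    if not child_ns:
        problems.append(f"no apex NS records for {zone} in child zone")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append(f"NS set mismatch: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")

    for ns in sorted(parent_ns):
        if not in_bailiwick(ns, zone):
            # Bob's case 2: the other zone serves the nameserver's address, no glue needed.
            continue
        if not (parent.get((ns, "A")) or parent.get((ns, "AAAA"))):
            problems.append(f"in-bailiwick nameserver {ns} has no glue address in parent zone")
        if not (child.get((ns, "A")) or child.get((ns, "AAAA"))):
            problems.append(f"in-bailiwick nameserver {ns} has no address record in child zone")
    return problems


# Constructed sample data following Bob's cases 1 and 2.
CASE1_PARENT = [("example.com", "NS", "ns.example.com."), ("ns.example.com", "A", "192.0.2.1")]
CASE1_CHILD = [("example.com", "NS", "ns.example.com."), ("ns.example.com", "A", "192.0.2.1")]
CASE2_PARENT = [("example.com", "NS", "ns.otherdomain.com.")]
CASE2_CHILD = [("example.com", "NS", "ns.otherdomain.com.")]

if __name__ == "__main__":
    cases = [("case 1", CASE1_PARENT, CASE1_CHILD),
             ("case 2", CASE2_PARENT, CASE2_CHILD),
             ("case 1 without glue", [CASE1_PARENT[0]], CASE1_CHILD)]
    for label, p, c in cases:
        print(label, "->", check_delegation("example.com", p, c) or "consistent")
```

The third sample run shows the failure mode glue exists to prevent: an in-bailiwick nameserver whose address is only published inside the zone it serves cannot be reached without an address in the parent.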
Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2))
On Fri, Dec 30, 2022 at 12:39:30PM +0100, Peter wrote:
> On Thu, Dec 29, 2022 at 03:43:35PM -0500, Timothe Litt wrote:
>
> ! So much like DNSSEC itself, the technology is there, but the will to use it
> ! everywhere it's needed is not.
>
> Timothy, thank You for the update. I agree to Your viewpoints, and we
> have seen mostly the same with IPv6. Apparently it needs serious pain to
> move something in technology that is mostly invisible to the common
> user. (OTOH we can see new collaboration tools or javascript
> frameworks every day.)
>
> PMc

The only hope is for the customers of domain registrars to request that they implement this, and to cite it as a problem when publicly reviewing registrars. For example, my registrar has their own API, but that's all. When asked to add support for RFC7344, they say they'll consider it. The more customers who ask for it, the better (I hope). And now that DNSSEC is so much easier to use than in the past, maybe more people will start asking for RFC7344.

cheers,
raf

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind forgets my changes with nsupdate
> My solution is not to mix dynamic update with other access.
> Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone)
> where I do exclusive dynamic update. This isn't perfect, but it works
> well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
> certificates.

Not perfect? What issues did you see?

Thanks!
use bind 9.8 as caching server and authoritative nameserver
Hi all,

I installed a new bind caching server called nameserver.hiddendomain.be by using Ubuntu server 12.04.3 LTS with the included bind version 9.8.1.dfsg.P1-4 for testing. We are a tiny ISP for some regional customers so we don't use forwarders; we host the caching servers for them.

Recently our government obligated all ISPs to block access to child-porn, illegal betting sites, illegal file share sites etc... I have been asked now to implement this on our caching DNS servers (serve a custom zone to all of our customers that points to an IP from the government that hosts a block-page). It's the first time I try to use this mixed bind setup (still act as caching server for our customers, but be authoritative for all domains we need to block).

When I query a to-be-blocked zone with, for example, dig @localhost stop.com, I get the response I want from within our local zone file (see zone file below; /etc/bind/stop.com.zone). If I use another Ubuntu host in the same network and query with dig @nameserver stop.com, I get the response from the Internet and not from the master zone file located on our 'nameserver'. (Our test caching server seems to ignore its master for the zone stop.com.)

Below you will find our config files. I don't see the problem; thanks for your help!

Regards,
Olivier

(The name of my test server and the name of the zone we need to block have been replaced by fake ones for privacy reasons. Except for those names and its IP, all other info is from my test server setup.)

---cat /etc/hosts -->

    127.0.0.1       localhost
    IP.IP.IP.IP     nameserver.hiddendomain.be nameserver

    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

---cat /etc/bind/named.conf -->

    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";

---cat /etc/bind/named.conf.options -->

    options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //
        dnssec-enable yes;
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    };

---cat /etc/bind/named.conf.local -->

    //
    // Do any local configuration here
    //

    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";

    zone "stop.com" {
        type master;
        file "/etc/bind/stop.com.zone";
    };

---cat /etc/bind/stop.com.zone -->

    $TTL 86400
    $ORIGIN stop.com.
    @   IN SOA nameserver.hiddendomain.be. hostmaster.hiddendomain.be. (
            2013101601  ; serial number YYYYMMDDNN
            28800       ; Refresh
            7200        ; Retry
            864000      ; Expire
            86400       ; Min TTL
            )
        NS  ns3.hiddendomain.be.
        NS  ns4.hiddendomain.be.
        IN  A   193.191.245.56
    www IN  A   193.191.245.56
RE: socket error on ipv6 link local
I'm getting the same errors with bind-9.10.0b2. Just a guess but I think it's related to using a HE IPv6 Tunnel and the updated root servers.

On Tue, 1 Apr 2014, Paul A wrote:

    Date: Tue, 1 Apr 2014 16:25:43 -0400
    From: Paul A
    To: 'Kevin Darcy', bind-users@lists.isc.org
    Subject: RE: socket error on ipv6 link local

    So Kevin, what you're saying is someone using my dns created a record with fe80::? I was under the impression that bind was trying to listen on that subnet.

    Thanks Paul

    From: bind-users-bounces+razor=meganet@lists.isc.org [mailto:bind-users-bounces+razor=meganet@lists.isc.org] On Behalf Of Kevin Darcy
    Sent: Tuesday, April 01, 2014 4:02 PM
    To: bind-users@lists.isc.org
    Subject: Re: socket error on ipv6 link local

    My guess would be that some miscreant out there created a glue record with an RDATA of "fe80::" and your network stack balks at connecting to such an abomination.

    - Kevin

    On 4/1/2014 2:31 PM, Paul A wrote:

        Hi, I have been using bind 9.9.4 for a while; suddenly, looking at the logs, I see lots of socket.c errors. Looking at this it seems that bind is complaining about the link local ipv6 address. I enabled ipv6 a while back and I just noticed this.

        Apr 1 13:05:32 ns1 named[18769]: connect(fe80::#53) 22/Invalid argument
        Apr 1 13:05:32 ns1 named[18769]: socket.c:5351: unexpected error:
        Apr 1 13:05:32 ns1 named[18769]: connect(fe80::#53) 22/Invalid argument
        Apr 1 13:05:32 ns1 named[18769]: socket.c:5351: unexpected error:
        Apr 1 13:05:32 ns1 named[18769]: connect(fe80::#53) 22/Invalid argument
        Apr 1 13:05:32 ns1 named[18769]: socket.c:5351: unexpected error:
        Apr 1 13:05:32 ns1 named[18769]: connect(fe80::#53) 22/Invalid argument

        Aside from having my global ipv6 addresses, here is the link local on that box:

        inet6 addr: fe80::206:5bff:fe8e:/64 Scope:Link

        Has anyone run into this issue? I do have listen-on-v6 { any; }; and I'm assuming if I was to just add the global ipv6 ips this would go away, but I guess I'm wondering: does bind not bind itself to the link local ip as well? What is the recommended way to go about fixing this?

        BIND 9.9.4 (Extended Support Version) built with '--enable-rrl'

        Thanks, Paul
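Kevin's guess is that the resolver learned fe80:: as a nameserver address from a glue record and the OS refused the connect() because a link-local address is meaningless without an interface scope. The following is an added example (not BIND code and not from the thread) showing the two checks a defender would want: pull the failing address out of the socket.c log line, and classify nameserver addresses by whether a resolver should ever send a query to them. The address list is constructed; fe80:: comes from Paul's log, the rest are made up.

```python
"""Flag nameserver addresses a resolver should never try to connect to.

Added example for the fe80:: discussion above; not BIND code.  The address
list is constructed: fe80:: is the value from Paul's log, the rest are made up.
"""
import ipaddress
import re

# Matches the "connect(addr#port)" part of the socket.c error lines in Paul's post.
CONNECT_ERROR_RE = re.compile(r"connect\(([0-9A-Fa-f:.]+)#(\d+)\)")


def address_from_connect_error(line):
    """Pull (address, port) out of a BIND 'connect(addr#port) ...' log line, or None."""
    m = CONNECT_ERROR_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def address_problem(text):
    """Reason this address is unusable as a remote nameserver, or None if it looks fine."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "not a valid IP address"
    if addr.is_unspecified:
        return "unspecified address"
    if addr.is_loopback:
        return "loopback address"
    if addr.is_link_local:
        return "link-local address (only meaningful with an interface scope)"
    if addr.is_multicast:
        return "multicast address"
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return "IPv4-mapped IPv6 address"
    return None


def audit(ns_addresses):
    """Split a name -> [address] map into usable addresses and flagged (name, addr, reason) triples."""
    usable, flagged = {}, []
    for name, addrs in ns_addresses.items():
        usable[name] = []
        for a in addrs:
            reason = address_problem(a)
            if reason:
                flagged.append((name, a, reason))
            else:
                usable[name].append(a)
    return usable, flagged


# The line Paul posted, and a constructed set of nameserver addresses.
SAMPLE_LOG_LINE = "Apr 1 13:05:32 ns1 named[18769]: connect(fe80::#53) 22/Invalid argument"
SAMPLE_NS_ADDRESSES = {
    "ns.example.net": ["192.0.2.53", "2001:db8::53"],
    "ns-bad.example.net": ["fe80::", "::", "127.0.0.1", "::ffff:192.0.2.5"],
}

if __name__ == "__main__":
    print("failing target from log:", address_from_connect_error(SAMPLE_LOG_LINE))
    usable, flagged = audit(SAMPLE_NS_ADDRESSES)
    for name, addr, reason in flagged:
        print(f"{name}: {addr}: {reason}")
    print("usable:", usable)
```

Running the audit over addresses harvested from your own zone data (or from a cache dump) tells you whether the bad address is something you publish or something learned from elsewhere, which is the distinction Paul and Kevin are trying to make.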
dnssec-keymgr: Plans and usage?
Hi,

Lately I've discovered the new python tool dnssec-keymgr included in the BIND 9.11 alpha release. I'm seeking simple tools to handle key rollovers unattended, and the lightweight dnssec-keymgr could be the right one. Are there any future plans or milestones out there (except for 'remaining work' from the manual)?

I would like to handle KSK updates of second level domains using that tool (option -k applies policy only on KSKs). And especially I'm looking for an interface to trigger updates of DS records. The call on dnssec-settime could be wrapped using the -s option of dnssec-keymgr to send a DS update via the registrar to the parent on publications or removals of DNSKEYs from the zone. But are there any other concepts or thoughts like supporting hooks for different phases in key rollovers?

Thanks,
Armin
Can we provide recursion for forward zones in response to iterative queries?
Hi,

In summary, my question is whether there is a way to configure a bind caching server to provide recursion in response to iterative queries for records in a forward type zone.

The background is that we have:

- AD domain controllers that are authoritative for all of 10.in-addr.arpa. in our data centers - most clients point to these for DNS resolution.
- Linux bind caching resolvers in our data centers - domain controllers forward to these for anything they don’t own.
- Some AWS VPCs which have been allocated subdomains of 10.in-addr.arpa. and are routable from our data centers. These have Route53 inbound endpoints which answer queries for those subdomains.
- The bind caching resolvers have forwarding rules for those subdomains to the AWS inbound endpoints.

The subdomains in our AWS VPCs have NS records, but the servers those point to refuse queries for records in the subdomains. The zone resolution is taken care of by the Route53 resolver service. The Route53 inbound endpoints successfully resolve queries from our data centers for those subdomains as long as the recursion desired flag is set to 1 in the query. If recursion desired is set to 0 they do not send any reply at all.

We want to be able to resolve PTR records in the subdomains in the AWS VPCs from our data centers where, as I said above, the clients point to the domain controllers for DNS resolution.

Because the AD domain controllers already own 10.in-addr.arpa, they refuse to allow us to configure conditional forwarding for its subdomains. So we delegated the subdomains to the inbound endpoints. Because they are delegations, the domain controllers set the recursion desired flag to 0 on the queries they send to the endpoints, and we are not getting replies from the endpoints.

As a workaround we tried delegating to our linux bind caching resolvers but we ran into the same issue, that the domain controllers set recursion desired to 0. As a result, when our linux caching servers have the result in cache, the lookup is successful, but when it would require a fresh lookup it gets a reply with no answers. Hence my question, is there a way to tell our bind caching resolvers to ignore the recursion desired flag and provide recursion anyway?

Thanks,
Maria
Re: Can we provide recursion for forward zones in response to iterative queries?
Currently our linux caching resolvers have a forwarding rule for 10.in-addr.arpa back to a small subset of our approximately 200 AD domain controllers. We made it a stub zone at one point in the past, but ran into intermittent resolution problems, although I don’t recall the details. We’ve never tried making it a slave zone as you recommend. If it would be better to change that to a slave zone then we want to do that, but there is a concern. Not all subdomains are delegated under 10.in-addr.arpa over on the AD side, and it is used as a catch-all for those that aren’t. Hundreds of thousands of desktops, laptops, devices and servers are constantly renewing and updating their IP addresses, and that domain is constantly changing. This would lead to our caching resolvers constantly pulling zone transfers from the AD servers. What would you recommend we do on the linux side to mitigate that, and is it still best to make it a slave zone in that case? We can make recommendations for changes on the AD side, but changes there take longer and are more complex to put in place. It’s easier if we can work around it on the linux side.

Thanks!
Maria

> On Apr 6, 2020, at 8:30 PM, Mark Andrews wrote:
>
> As 10.in-addr.arpa is private namespace *all* of your recursive servers should
> be configured to serve it. This is similar to how all of your recursive
> nameservers know where the root servers are except you are using a slave zone
> instead of a hint zone.
>
> i.e.
>
> zone "10.in-addr.arpa" {
>     type slave;
>     masters { ; };
>     file "slave/10.in-addr.arpa";   // adjust to match your local conventions.
>     request-ixfr no;                // only use AXFR for 10.in-addr.arpa as it
>                                     // is coming from AD as IXFR does not work well.
>     forwarders { /* empty */ };     // use iterative resolution for the
>                                     // children of 10.in-addr.arpa.
> };
>
> Forwarding should NEVER be needed if servers are reachable at the IP level.
> If the solution says “configure a forward zone” it is almost always wrong.
>
> Do the similar for the top of all other private namespaces you are using.
>
> Mark
>
>> On 4 Apr 2020, at 03:06, bind-li...@iano.org wrote:
>> [...]
Re: Can we provide recursion for forward zones in response to iterative queries?
I had been told they tried that twice and in both cases the domain controller would not let them add the conditional forwarder. On the strength of your having said it worked in your situation, they tried again and now it is working. Thank you!

Maria

> On Apr 6, 2020, at 11:37 AM, Chris Buxton wrote:
>
> On Apr 3, 2020, at 9:06 AM, bind-li...@iano.org wrote:
>> Because the AD domain controllers already own 10.in-addr.arpa, they refuse
>> to allow us to configure conditional forwarding for its subdomains. So we
>> delegated the subdomains to the inbound endpoints. Because they are
>> delegations, the domain controllers set the recursion desired flag to 0 on
>> the queries they send to the endpoints, and we are not getting replies from
>> the endpoints.
>>
>> As a workaround we tried delegating to our linux bind caching resolvers but
>> we ran into the same issue, that the domain controllers set recursion
>> desired to 0. As a result, when our linux caching servers have the result in
>> cache, the lookup is successful, but when it would require a fresh lookup it
>> gets a reply with no answers. Hence my question, is there a way to tell our
>> bind caching resolvers to ignore the recursion desired flag and provide
>> recursion anyway?
>
> I've solved this before. You've tried two solutions, and neither worked
> alone. You need to do both.
>
> - Delegate the subzones in question to the forwarders (or anywhere, really).
> - Add conditional forwarding for the subzones also, pointing to the
> forwarders.
>
> Without the delegation, the conditional forwarding won't work -- the MS DNS
> servers will respond authoritatively. But without the conditional forwarding,
> the MS DNS servers will send iterative queries, not recursive queries.
>
> Regards,
> Chris Buxton
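The whole thread turns on one header bit: a query sent by a forwarder carries RD=1, a query sent while chasing a delegation carries RD=0, and Maria's Route53 inbound endpoints only answer the first kind. The following is an added example (not BIND code and not from the thread) that builds a minimal DNS query with the RD bit either set or clear and decodes the header back, so the difference Chris describes between "iterative" and "recursive" queries can be seen on the wire. The PTR name is constructed; `endpoint_would_answer` is a model of the endpoint behaviour Maria reports, not Route53 code.

```python
"""Build and decode a minimal DNS query to show the RD (recursion desired) bit.

Added example for the thread above; not BIND code.  It shows why the endpoint
Maria describes sees two different kinds of query: one sent by a forwarder
(RD=1) and one sent while following a delegation (RD=0).  The PTR name is
constructed.
"""
import struct

# Header flag bits, RFC 1035 section 4.1.1.
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
QTYPE_PTR = 12


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, recursion_desired, txid=0x1234):
    """12-byte header followed by one question; RD is the only flag a plain query sets."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet):
    """Decode the fixed header into a dict of the fields that matter for this discussion."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question(packet):
    """Decode the first question as (name, qtype); a query's question section is never compressed."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def endpoint_would_answer(packet):
    """Model of the behaviour Maria reports: the inbound endpoint replies only when RD is set."""
    return parse_header(packet)["rd"]


if __name__ == "__main__":
    name = "1.2.0.10.in-addr.arpa"  # constructed: the PTR name for 10.0.2.1
    for rd in (True, False):
        q = build_query(name, QTYPE_PTR, recursion_desired=rd)
        print(f"RD={int(rd)} header={q[:12].hex()} question={parse_question(q)} "
              f"answered={endpoint_would_answer(q)}")
```

The second byte pair of the header is the flags word, so a forwarded query starts `.. .. 01 00` and a delegation-chasing query starts `.. .. 00 00`; that is the only byte that differs between the two packets, and it is what `dig +norecurse` clears when you want to reproduce the failing case by hand.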
Re: Can we provide recursion for forward zones in response to iterative queries?
Thanks. I have opened a ticket with AWS support asking them to allow us to pull slave copies of our VPC-internal zones. If they don’t do that, then making the zones slaves will not fix our problem, because the AWS endpoints refuse to answer iterative queries.

Thanks,
Maria

> On Apr 7, 2020, at 4:09 PM, Mark Andrews wrote:
>
> Add delegations if they are missing. This is how DNS is designed to be
> managed.
>
> This should have been done as part of allocating the address space
> initially.
> --
> Mark Andrews
>
>> On 8 Apr 2020, at 02:43, bind-li...@iano.org wrote:
>> [...]
Re: [Non-DoD Source] BIND Masters and slaves
I have been teaching informal DNS classes at work for decades, and I used to be very careful to use “master” and “slave” and would include a section where I pointed out that using “primary” and “secondary” instead was not correct. Then about 10 years ago one person in class pointed out to me that for some people when they hear that terminology it really bothers them because of what slavery means. When she said that a few other people nodded and agreed. I hadn’t thought about that aspect of it, and so someone had to explain to me how jarring and distracting from the subject matter that could be for some people.

I’ve used “primary” and “secondary” in all my classes and documentation since then. Not because of twitter and social media or because I have an image to uphold, but in order to be considerate of other people’s feelings and not dismiss them because they’re so different from mine. I would like to see the terms replaced by something that doesn’t hearken back to tragedy and torture.

Maria

> On Jun 15, 2020, at 2:15 PM, Michael De Roover wrote:
>
> Of course I could, but I do not feel like the effort to change nomenclature
> is either beneficial or worth taking for granted the requests of some people
> on Twitter - as the slave to peer authority I am - given how much it affects
> documentation, code, comments, general environment of the projects
> themselves. I enjoy being surrounded by people much smarter than I am when it
> comes to the mailing list here. Let's keep it that way and not derange
> ourselves into meaningless blabber from social media.
>
> What I did notice over time however is that most of the projects affected are
> also those who do have to maintain a good public image, usually corporations.
> Meanwhile projects such as Opal <https://github.com/opal/opal/issues/941> and
> recently Rubocop <https://github.com/rubocop-hq/rubocop/issues/8091> as well
> were not. The latter one I'd like to draw attention to. The maintainer
> clearly didn't ask for this and asked everyone who shamed him, why are you
> doing this? None of the complainers were affiliated to the project at all.
> Chances are that they weren't even using it and just searched for projects
> with the name "cop" in it instead. These are not the people I want to support
> in my effort to end racism, which I do support, and quite heavily so.
>
> On 6/15/20 8:00 PM, DeCaro, James John (Jim) CIV DISA FE (USA) wrote:
>> Or you can call the slave servers 'secondary' servers.
> --
> Met vriendelijke groet / Best regards,
> Michael De Roover
query-source and listened interfaces
Hi Xinyu,

What matters is the kernel routing table for the addresses of the remote servers. The query source address can be specified by config, but the kernel will choose which interface to use. Maybe you can put each interface into its own routing table? How to do this is OS dependent, though.

Patrick
editing rc.d/named?
Hi All:

I installed 9.6.0 alongside FreeBSD7's default 9.4.2, and it's working fine when I start it manually, but I'm having trouble getting it to start automatically. I edited etc/rc.d/named to:

    command="/usr/local/sbin/named -c /etc/namedb/named.conf"

but when I restart the server, the default 9.4.2 install in /usr/sbin/named starts instead of the path to 9.6 above?

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: editing rc.d/named?
> bind user wrote:
>> Hi All:
>>
>> I installed 9.6.0 alongside FreeBSD7's default 9.4.2, and it's working fine
>> when I start it manually, but I'm having trouble getting it to start
>> automatically. I edited etc/rc.d/named
>
> Don't do that. :) The rc.d system is designed to be configured with rc.conf.
> You probably want to do this:
>
>     grep named /etc/defaults/rc.conf >> /etc/rc.conf
>
> Make sure that you only have one set of entries for named in /etc/rc.conf
> and then make your changes there. You probably want to uncomment the
> named_flags example for the -c option to named.
>
>> to:
>>
>>     command="/usr/local/sbin/named -c /etc/namedb/named.conf"
>>
>> but when I restart the server, the default 9.4.2 install in /usr/sbin/named
>> starts instead of the path to 9.6 above?
>
> It's being overridden by rc.conf, which is how it's supposed to work.

Thanks for that detailed explanation, Doug...after years of running Unix/Bind blind (because it just worked), I'm finally understanding why things are the way they are.

-AK
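Doug's `grep named /etc/defaults/rc.conf >> /etc/rc.conf` step comes with the warning to make sure rc.conf ends up with only one set of named entries, because rc.conf is sourced as shell and the last assignment silently wins. The following is an added example (not from the thread, not FreeBSD's rc.d code) with two small checks for that: list the named_* variables assigned more than once, and show the value the rc system will actually use. The sample rc.conf is constructed, and the variable names named_enable, named_program and named_flags are the ones I recall from FreeBSD's /etc/defaults/rc.conf of that era; treat them as an assumption and use whatever your own defaults file contains.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for rc.conf after a
# "grep named /etc/defaults/rc.conf >> /etc/rc.conf" style edit.
# Variable names are assumed to match FreeBSD's rc.d/named script.

# Print each named_* variable that is assigned more than once in FILE, one per line.
duplicate_named_keys() {
    sed -n 's/^[[:space:]]*\(named_[A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort | uniq -d
}

# Print the effective value of KEY in FILE: the last assignment, quotes stripped.
# This is what sh itself would leave in the variable after sourcing the file.
effective_named_value() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "=") {
            sub("^[ \t]*" key "=", "")
            gsub(/^"|"$/, "")
            val = $0
        }
        END { print val }' "$1"
}

# Write a constructed rc.conf modelling the state after an over-eager append
# followed by a manual edit of the second copy only.
make_sample_rcconf() {
    cat > "$1" <<'EOF'
hostname="ns.example.org"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-c /etc/namedb/named.conf"
# appended a second time by a repeated grep >>
named_enable="YES"
named_program="/usr/local/sbin/named"
EOF
}

# Demonstration on the constructed file.
tmp=$(mktemp) && make_sample_rcconf "$tmp"
echo "named_* keys assigned more than once:"
duplicate_named_keys "$tmp"
echo "effective named_program: $(effective_named_value "$tmp" named_program)"
echo "effective named_flags:   $(effective_named_value "$tmp" named_flags)"
rm -f "$tmp"
```

In the constructed file the second named_program wins, which is the behaviour AK was fighting from the wrong side by editing the rc.d script instead of rc.conf; the duplicate list is what to clean up before relying on the file.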
DDNS fails. record already exists
Hi List,

I have not yet found a solution for my problem. So I came here:

I use DDNS. Every night my server (in my local network) is shutting down. On the next day I have the problem that DDNS is no longer working, because on update I get the error that the DNS record already exists. What is the solution?

I use BIND version 9.7.2_p3-r1.

regards
Daniel
Re: DDNS fails. record already exists
Hi,

I forgot something: I use DDNS with DHCP. Thus DDNS fails the next time the client is getting a new lease.

regards
Daniel

On Monday, 20 December 2010, 21:34:32 you wrote:
> Hi List,
> I have not yet found a solution for my problem. So I came here:
>
> I use DDNS. Every night my server (in my local network) is shutting down.
> On the next day I have the problem that DDNS is no longer working, because
> on update I get the error that the DNS record already exists. What is the
> solution?
>
> I use BIND version 9.7.2_p3-r1.
>
> regards
> Daniel
Re: DDNS fails. record allready exists
Hi,

keep calm ;-) I do not await a solution in 5 minutes ;-)

On Tuesday, 21 December 2010, 23:38:13 Bill Larson wrote:
> On Mon, Dec 20, 2010 at 1:34 PM, wrote:
>
> Well, there have been two questions asked but no more information given. That doesn't make it easy for anyone to help you.
>
> Some questions:
>
> 1. What is your DHCP server? H/W and S/W. Are you talking about a Linux box running "dhcpd" or a NetGear router running their DHCP server. This may make just a little difference.

I use the DHCPD from http://www.isc.org/products/DHCP. I run Gentoo Linux on that server. This server is the router, dhcp server and dns server in my LAN. It is standard x86 hardware.

> 2. Why is your server shutting down? Is this shutdown expected? Also, which server are you referring to? Is this the DNS server or the DHCP server (or both)? You may have problems well outside the issue of DHCP and DNS.

It is shutting down every night, because I sleep at night ;-) DHCP and Bind both are running on this server. It is just an idea of mine that bind is dumping the journal to the zonefile on shutdown. In the primary zone file I have:

    coffee A 192.168.11.35

But I never wrote it there myself. This must be a result of DDNS.

> 3. Who is trying to perform the DDNS updates? Is this the client machines or the DHCP server?

The DHCP tries to perform a DDNS update if the client sends its hostname (what it normally should do). The client itself just performs a DHCP request. The DDNS update is done via rndc-key.

> 4. What do you see in your logs? This may answer your question without any more work on anybody's part.

    22-Dec-2010 20:35:44.451 update: info: client 192.168.11.1#58646: updating zone 'sugarland.local/IN': update unsuccessful: coffee.sugarland.local/A: 'rrset does not exist' prerequisite not satisfied (YXRRSET)

I was reading that this means that the name/ip already exists. I was confused by the message but I found a page which explained why it says "not exist". As I get the error message "coffee" had a record for 192.168.11.35. But coffee was getting 192.168.11.42.

BTW: coffee is a notebook in dual boot between windows and linux. Maybe this is part of the problem?!

> 5. What is your DNS server configuration? Who is allowed to perform DDNS updates?

    include "/etc/bind/rndc.key";

    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
    };

    zone "sugarland.local" IN {
        type master;
        file "pri/sugarland.zone";
        allow-update { key rndc-key; };
    };

    zone "11.168.192.in-addr.arpa" IN {
        type master;
        file "pri/11.168.192.zone";
        allow-update { key rndc-key; };
    };

> 6. When you say that "the DNS record already exists", have you confirmed this? Just query your DNS server for that record and see if it is really there. If it is not, this message, which I am assuming is from your DHCP server or from your client machine, isn't true. Then again, if it really does exist, why would you think that it magically disappears? If you add a record to a zone, why would you think that it shouldn't still be there?

It is true. See above.

> 7. You say you are running "BIND version 9.7.2_p3-r1". Sorry, I can understand the 9.7.2-P3 part, but what is the "r1" you are referring to? (I'll bet you are running Gentoo Linux, but this is just an assumption.) Is this built from the BIND sources from ISC or is this some package that you got from someone else?

You have won :-) This is a version extension from Gentoo. The package uses the sources from ftp://ftp.isc.org/isc/bind9. No patches are applied.
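The log line above is an RFC 2136 prerequisite failure, not a failed write. The following is an added example (not from the posts and not BIND or dhcpd code) that models the five prerequisite kinds from RFC 2136 section 2.4 against a constructed in-memory zone and replays the thread's situation: a stale A record for coffee.sugarland.local left in the zone file makes an add guarded by "RRset does not exist" fail with YXRRSET, and deleting the stale RRset first lets the same update through. Names and addresses are the ones from the thread; the update sequence is constructed.

```python
from collections import defaultdict


def make_zone(records):
    """Build an in-memory zone: name -> rtype -> set of rdata strings."""
    zone = defaultdict(lambda: defaultdict(set))
    for name, rtype, rdata in records:
        zone[name.lower()][rtype].add(rdata)
    return zone


def check_prereq(zone, prereq):
    """Evaluate one RFC 2136 section 2.4 prerequisite.

    prereq = (kind, name, rtype, rdata); rdata is only used by the value-dependent kind.
    Returns 'NOERROR' when satisfied, otherwise the RCODE the server answers with.
    """
    kind, name, rtype, rdata = prereq
    rrsets = zone.get(name.lower(), {})
    if kind == "rrset_exists":              # 2.4.1 RRset exists (value independent)
        return "NOERROR" if rrsets.get(rtype) else "NXRRSET"
    if kind == "rrset_exists_value":        # 2.4.2 RRset exists (value dependent)
        return "NOERROR" if rrsets.get(rtype) == set(rdata) else "NXRRSET"
    if kind == "rrset_not_exists":          # 2.4.3 RRset does not exist -> YXRRSET if it does
        return "YXRRSET" if rrsets.get(rtype) else "NOERROR"
    if kind == "name_in_use":               # 2.4.4 Name is in use
        return "NOERROR" if any(rrsets.values()) else "NXDOMAIN"
    if kind == "name_not_in_use":           # 2.4.5 Name is not in use
        return "YXDOMAIN" if any(rrsets.values()) else "NOERROR"
    raise ValueError("unknown prerequisite kind: %s" % kind)


def apply_update(zone, prereqs, updates):
    """Check every prerequisite first (section 3.2); only then apply the update section (3.4).

    updates = list of (op, name, rtype, rdata) with op in {'add', 'delete_rrset', 'delete_rr'}.
    On a prerequisite failure the zone is left untouched and the failing RCODE is returned.
    """
    for prereq in prereqs:
        rcode = check_prereq(zone, prereq)
        if rcode != "NOERROR":
            return rcode
    for op, name, rtype, rdata in updates:
        rrsets = zone[name.lower()]
        if op == "add":
            rrsets[rtype].add(rdata)
        elif op == "delete_rrset":
            rrsets.pop(rtype, None)
        elif op == "delete_rr":
            rrsets[rtype].discard(rdata)
            if not rrsets[rtype]:
                del rrsets[rtype]
        else:
            raise ValueError("unknown update op: %s" % op)
    return "NOERROR"


def replay_thread_scenario():
    """Constructed replay of the thread: a stale A record for coffee.sugarland.local
    survives in the zone, so an add guarded by 'RRset does not exist' fails with
    YXRRSET; deleting the stale RRset first lets the same update go through."""
    zone = make_zone([("coffee.sugarland.local", "A", "192.168.11.35")])
    prereq = [("rrset_not_exists", "coffee.sugarland.local", "A", None)]
    add_new = [("add", "coffee.sugarland.local", "A", "192.168.11.42")]
    first = apply_update(zone, prereq, add_new)                      # 'YXRRSET'
    apply_update(zone, [], [("delete_rrset", "coffee.sugarland.local", "A", None)])
    second = apply_update(zone, prereq, add_new)                     # 'NOERROR'
    return first, second, sorted(zone["coffee.sugarland.local"]["A"])
```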
Re: DNSSEC submit of DLV vs DNSKEY records?
"missed it by THAT much ...". thx! relocating to bind-users.

On Thu, 05 May 2011 14:37 -0500, "/dev/rob0" wrote:
> FWIW I think you hit the wrong list. Did you mean bind-users@isc?
> On Thu, May 05, 2011 at 12:25:27PM -0700, dchilton+b...@bestmail.us wrote:
>> after signing my zones with 'dnssec-signzone', i've got both
>>
>> dsset-domain.com
>> dlvset-domain.com
>>
>> containing DS- and DLV-records, respectively.
>>
>> i know i *can* submit the records to my registrar (DS records) and dlv.isc.org (DLV records), but should I do both?
>>
>> i'm not clear if these are redundant mechs for getting to a 'valid' DNSSEC state, or complementary.
>>
>> can anyone clarify -- both or just one? and if just one, which one?
>
> [I hope someone will correct me if I'm wrong.]
>
> My understanding: if the parent is signed, that is the only way a child zone can be validated, unless of course using trusted-keys. DLV is only done when the parent is unsigned.
>
> Off to the registrar you go!
> --
> Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?
Hi. My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing as DNSSEC-valid. I've both internal and external views:

-- internal is authoritative and provides recursion for LAN clients
-- external serves only as an authoritative hidden-primary feeding slaves via AXFR.

all good.

if i enable DNSSEC validation in the internal view, having imported the trusted key for the root, for known-good domains, a 'dig domain.com' returns DATA as expected, e.g.,

    dig pir.org | egrep "IN.*A|;; flags"
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
    ;pir.org. IN A
    pir.org. 75 IN A 173.201.238.128

    dig pir.org +dnssec | egrep "IN.*A|;; flags"
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
    ;pir.org. IN A
    pir.org. 95 IN A 173.201.238.128
    pir.org. 95 IN RRSIG A 5 2 300 20110523085011 20110509085011 38939 pir.org. LLK3y1HXm3/F3Tvq/b/cW4jnQC6gxtYlalPhM28w3tUzo2wS482vaWQr RF1DBvGTUD4uADNidjaftjkch7b2H1b+e5V4o0xQml/WpqCW/VqgLgxI g/yIg9WhP1Ec8uvWG2Ojy0ZIM0JKBBfFFlIxZVYqCyrY8WittyUOFlwo O48=
    pir.org. 95 IN RRSIG NS 5 2 300 20110523085011 20110509085011 38939 pir.org. yUKJARGNwBWKFTi1V1nU5x38vcQrYPSn86G5MzjyMBjUWwZ3zZ4E+OMz P8svjTEdwKd6ibQGAp7aVEcqE3ruCnioqaXCZJsjT6YCaTpIjUMmRvpj tZUByl11+aqfcJuvfTNOo2PFtzRDv46vAlbZFf74fAK4AwNQa42OZlZC WVc=

for known-bad domains 'dig domain.com' hesitates for a bit, then returns SERVFAIL -- no DATA.

    dig www.adobe.com
    ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26024
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.adobe.com. IN A
    ;; Query time: 2948 msec
    ;; SERVER: 10.10.10.100#53(10.10.10.100)
    ;; WHEN: Mon May 9 12:21:28 2011
    ;; MSG SIZE rcvd: 31

my understanding was that a 'dig domain.com +dnssec' on a known-bad domain would return DATA without the SERVFAIL, but it returns the same. e.g.,

    dig www.adobe.com +dnssec
    ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +dnssec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4667
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.adobe.com. IN A
    ;; Query time: 69 msec
    ;; SERVER: 10.10.10.100#53(10.10.10.100)
    ;; WHEN: Mon May 9 12:21:32 2011
    ;; MSG SIZE rcvd: 42

Shouldn't the "+dnssec" case for known-bad be returning DATA?

Also, I'm unclear about the proper use for validation. I *want* to validate, but have the DATA nonetheless returned, with appropriate FLAGS so that, e.g., Firefox + DNSSEC-extension can (1) resolve the domain, and (2) 'report' the DNSSEC state in-browser. The way things are working now, with validation enabled and NO DATA returned, domains simply don't resolve at all -- and, of course, the browser displays a failure.

Is my expected usage _not_ appropriate?

Thanks,
DCh
No A Record for NS
Hi All,

I'm trying to query for an A record, like this:

    # dig @a.gtld-servers.net ns1.ats-com.com +short
    203.130.232.235

    # dig @203.130.232.235 ns1.ats-com.com +short
    (No A Record)

What happens if that NS is used as authoritative for some domain(s)?

Thanks
Fulan
--
Bind DNS
Re: No A Record for NS
On Fri, 20 Mar 2009 15:57:03 +1100 Mark Andrews wrote:
>> What happens if that NS is used as authoritative for some domain(s)?
>
> Things break once the nameservers learn that the authoritative servers for the zone don't have address records.

Could you explain the query results, below: (Two Cache DNS, with different results)

    # dig www.ats-com.com @222.124.204.34
    ; <<>> DiG 9.4.1-P1 <<>> www.ats-com.com @222.124.204.34
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2091
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.ats-com.com. IN A
    ;; Query time: 6 msec
    ;; SERVER: 222.124.204.34#53(222.124.204.34)
    ;; WHEN: Fri Mar 20 15:14:45 2009
    ;; MSG SIZE rcvd: 33

    # dig www.ats-com.com @202.134.1.10
    ; <<>> DiG 9.4.1-P1 <<>> www.ats-com.com @202.134.1.10
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45331
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
    ;; QUESTION SECTION:
    ;www.ats-com.com. IN A
    ;; ANSWER SECTION:
    www.ats-com.com. 3108 IN CNAME ats-com.com.
    ats-com.com. 745 IN A 203.130.232.235
    ;; AUTHORITY SECTION:
    ats-com.com. 745 IN NS ns2.ats-com.com.
    ats-com.com. 745 IN NS ns1.ats-com.com.
    ;; ADDITIONAL SECTION:
    ns2.ats-com.com. 2337 IN A 203.130.232.235
    ;; Query time: 11 msec
    ;; SERVER: 202.134.1.10#53(202.134.1.10)
    ;; WHEN: Fri Mar 20 15:22:36 2009
    ;; MSG SIZE rcvd: 115

Is it possible that the A record information for ns1.ats-com.com was obtained from the parent NS? Which is the problem? (the cache DNS or the domain)

Thank You.
--
Senmi
Dynamic update response
Hello,

My question is about the fields in the dynamic update response. As RFC 2136 describes there are 2 possible dynamic update responses:

I. The ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT fields and associated sections are copied in the response packet
II. Placing zeros (0) in these "count" fields and not including any part of the original update

Bind seems to follow the second rule. Is it possible to configure Bind server to copy the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields and associated sections in the response packet?

RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE)

3.8 - Response

At the end of UPDATE processing, a response code will be known. A response message is generated by copying the ID and Opcode fields from the request, and either copying the ZOCOUNT, PRCOUNT, UPCOUNT, and ADCOUNT fields and associated sections, or placing zeros (0) in the these "count" fields and not including any part of the original update. The QR bit is set to one (1), and the response is sent back to the requestor. If the requestor used UDP, then the response will be sent to the requestor's source UDP port. If the requestor used TCP, then the response will be sent back on the requestor's open TCP connection.

Thanks in advance.

Best Regards,
Jack
Re: Re: Dynamic update response
Hello Mark,

Thank you for your response.

Best Regards,
Arpad

Mark Andrews wrote:
> In message , bind jack writes:
>> Is it possible to configure Bind server to copy the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields and associated sections in the response packet?
>
> No.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
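To make the two response forms of RFC 2136 section 3.8 concrete, here is an added example (not from the thread and not BIND code) that packs the DNS header, then builds both permitted responses from an UPDATE request: one echoing the ZOCOUNT/PRCOUNT/UPCOUNT/ADCOUNT fields and the sections behind them, and the header-only form with zeroed counts that Mark says BIND uses. The sample request and its section payload are constructed.

```python
import struct

OPCODE_UPDATE = 5
RCODES = {"NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, "NOTIMP": 4,
          "REFUSED": 5, "YXDOMAIN": 6, "YXRRSET": 7, "NXRRSET": 8, "NOTAUTH": 9,
          "NOTZONE": 10}


def pack_header(msg_id, opcode, qr, rcode, counts):
    """Pack the 12-byte DNS header. counts = (ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT); in an
    UPDATE message these occupy the QDCOUNT/ANCOUNT/NSCOUNT/ARCOUNT slots of RFC 1035."""
    flags = (qr << 15) | (opcode << 11) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, *counts)


def unpack_header(data):
    """Inverse of pack_header for the fields this example cares about."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", data[:12])
    return {"id": msg_id, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "counts": (zo, pr, up, ad)}


def update_response(request, rcode_name, copy_sections):
    """Build the response for an UPDATE request (header + section bytes).

    ID and Opcode are copied from the request and QR is set to 1 (RFC 2136 3.8). With
    copy_sections=True the count fields and the sections following the header are echoed
    back; with False the counts are zero and nothing of the original update is included.
    """
    hdr = unpack_header(request)
    if hdr["opcode"] != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    rcode = RCODES[rcode_name]
    if copy_sections:
        return pack_header(hdr["id"], OPCODE_UPDATE, 1, rcode, hdr["counts"]) + request[12:]
    return pack_header(hdr["id"], OPCODE_UPDATE, 1, rcode, (0, 0, 0, 0))


# Constructed request: ID 0x1234, one zone, one prerequisite, one update, one additional
# record. The section bytes are a placeholder payload, not real wire-format RRs.
SAMPLE_REQUEST = pack_header(0x1234, OPCODE_UPDATE, 0, 0, (1, 1, 1, 1)) + b"<sections>"


def demo():
    """Both response forms for the same failed update (YXRRSET)."""
    short = update_response(SAMPLE_REQUEST, "YXRRSET", copy_sections=False)
    full = update_response(SAMPLE_REQUEST, "YXRRSET", copy_sections=True)
    return unpack_header(short), len(short), unpack_header(full), len(full)
```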
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 05:47 PM, Reindl Harald wrote:
> arrakis.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
> prometheus.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>
> otherwise only @example.com *itself* is protected from forging, our homegrown DNS backend automatically publishes SPF records for every hostname in every domain

This might be a case to use the include so that each host can include (read: pull in) the SPF record for the parent domain. Obviously it depends on how your infrastructure is configured.

> also avoid "v=spf1 mx" - why? because it's a useless DNS lookup on the receiver
>
> publish ip-addresses whenever possible - the connecting IP is known for free, the MX is not relevant on the destination server when receiving email as long as you force the lookup by careless SPF records

I think that it may be possible for someone to publish a PTR record in their IP space that reverse resolves to a name of one of your MX servers. Thereby allowing their bogus server to send email as you.

--
Grant. . . . unix || die
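The lookup-cost argument in numbers: an added example (not from the thread) that evaluates the SPF mechanisms used above (ip4, a, mx, include, all) against a constructed in-memory DNS table and counts the queries the receiving MTA has to send. The two thelounge.net SPF strings are the ones quoted in the thread; every other name, address and record in the table is made up.

```python
import ipaddress

# Constructed in-memory DNS table: name -> {rtype: [values]}.
DNS = {
    "example.com": {"TXT": ["v=spf1 mx a:mail.example.com -all"],
                    "MX": ["mx1.example.com", "mx2.example.com"]},
    "mx1.example.com": {"A": ["198.51.100.10"]},
    "mx2.example.com": {"A": ["198.51.100.11"]},
    "mail.example.com": {"A": ["198.51.100.12"]},
    "host.example.net": {"TXT": ["v=spf1 include:example.com -all"]},
    # SPF strings quoted in the thread; the A addresses are constructed.
    "arrakis.thelounge.net": {"TXT": ["v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"],
                              "A": ["91.118.73.10"]},
    "prometheus.thelounge.net": {"TXT": ["v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"],
                                 "A": ["91.118.73.11"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, counter):
    """Answer from the table and count the query, as the receiving MTA would have to send it."""
    counter[0] += 1
    return DNS.get(name.lower(), {}).get(rtype, [])


def check_spf(domain, client_ip, counter=None):
    """Return (result, dns_lookups) for the connecting IP against the domain's SPF record.

    Mechanisms handled: all, ip4, a, mx, include; anything else is skipped. A teaching
    subset of RFC 7208, not a complete evaluator.
    """
    counter = counter if counter is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT", counter) if t.startswith("v=spf1")]
    if not records:
        return "none", counter[0]
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":                    # decided locally, no lookup
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                      # one A lookup
            matched = str(ip) in lookup(arg or domain, "A", counter)
        elif mech == "mx":                     # one MX lookup plus one A lookup per MX host
            matched = any(str(ip) in lookup(mx, "A", counter)
                          for mx in lookup(arg or domain, "MX", counter))
        elif mech == "include":                # recursive evaluation, shares the counter
            matched = check_spf(arg, client_ip, counter)[0] == "pass"
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier], counter[0]
    return "neutral", counter[0]


def compare_lookup_cost():
    """An mx-based record costs several lookups on the receiver; a record listing ip4:
    networks is decided from the TXT lookup alone (plus one A lookup here, because the
    thelounge.net records also carry an 'a' mechanism ahead of the ip4: terms)."""
    return {
        "mx": check_spf("example.com", "198.51.100.11"),               # ('pass', 4)
        "include+mx": check_spf("host.example.net", "198.51.100.12"),  # ('pass', 6)
        "ip4": check_spf("arrakis.thelounge.net", "95.129.202.170"),   # ('pass', 2)
        "forged": check_spf("arrakis.thelounge.net", "203.0.113.9"),   # ('fail', 2)
    }
```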
bind 9.11.3 - resolving troubles running as a caching server
Hello list

I'm glad there is such an active list. Hope there is anybody out there who can help me with my little problem. :-)

We are running six bind servers (all Ubuntu LTS 18.04 with bind 9.11.3), so they are pretty up to date. Three of them have authoritative zones, one is for testing and two are just caching servers. And there starts my problem.

1. It only appears on my caching servers and only if I use my other servers as forwarders.
2. At the moment the problem appears on my caching servers I'm still able to let it resolve through my forwarders.
3. Only one organisation with several newspapers is affected. There may be others but I don't know at the moment.

Ok, all these newspapers are hosted on oraclecloud with short timers around 30s.

    # dig www.20min.ch
    ;; ANSWER SECTION:
    www.20min.ch. 39 IN CNAME tamedia.a.inregion.waas.oci.oraclecloud.net.
    tamedia.a.inregion.waas.oci.oraclecloud.net. 16 IN CNAME tm.inregion.waas.oci.oraclecloud.net.
    tm.inregion.waas.oci.oraclecloud.net. 16 IN CNAME eu-london.inregion.waas.oci.oraclecloud.net.
    eu-london.inregion.waas.oci.oraclecloud.net. 28 IN A 138.1.82.213
    eu-london.inregion.waas.oci.oraclecloud.net. 28 IN A 147.154.234.67
    eu-london.inregion.waas.oci.oraclecloud.net. 28 IN A 147.154.228.138

    # dig www.tagesanzeiger.ch
    ;; ANSWER SECTION:
    www.tagesanzeiger.ch. 113 IN CNAME cnp-a-cre-p.newsnetz.ch.
    cnp-a-cre-p.newsnetz.ch. 113 IN CNAME tamedia.a.inregion.waas.oci.oraclecloud.net.
    tamedia.a.inregion.waas.oci.oraclecloud.net. 11 IN CNAME tm.inregion.waas.oci.oraclecloud.net.
    tm.inregion.waas.oci.oraclecloud.net. 12 IN CNAME eu-switzerland.inregion.waas.oci.oraclecloud.net.
    eu-switzerland.inregion.waas.oci.oraclecloud.net. 12 IN A 192.29.59.121
    eu-switzerland.inregion.waas.oci.oraclecloud.net. 12 IN A 192.29.58.46
    eu-switzerland.inregion.waas.oci.oraclecloud.net. 12 IN A 192.29.58.42

Now if I use my caching servers with forwarders enabled I run quite often into cases where resolving stops working for these two domains at the same time. When I take a dump I see the following line:

    ; answer
    tm.inregion.waas.oci.oraclecloud.net. 893 \- ;-$NXRRSET

I have to clear this host from cache to make it working again, for a few minutes. The stupid thing, this NXRRSET cache entry has a much higher lifetime. And so resolving stops working on my caching servers for more than 15min.

Any idea how I could find out why this happens? There must be something between my DNS servers. They are in the same network, so there is no firewall between.

Many thanks and regards
Florian
Re: bind 9.11.3 - resolving troubles running as a caching server
Hello Ondřej

Many thanks for your answer. Hope debugging can help me without server overloading. They have around 1500 queries/s peak load during evening hours. It will need some time to log exactly this effect.

At the moment I have the following lines disabled:

    // forwarders {
    //     213.160.41.2;
    //     213.160.40.34;
    // };

About the answer. Does it matter if I query A or if there is only a CNAME as an answer? My last test shows me the following cache entry. This has happened around 20min after restarting bind with my forwarders enabled.

    ; answer
    tm.inregion.waas.oci.oraclecloud.net. 1697 \-A ;-$NXRRSET

Could a server timeout end up in such a cache entry? Or does it need a valid answer from the forwarders? What do you think. I tried to force forwarding by adding "forwarding only" but the result was the same.

Regards
Florian

On 20.11.2019 at 11:58, Ondřej Surý wrote:
> Hi,
>
> you mentioned "forwarders" - what are these and how does answer look like on the upstream forwarders?
>
> I would recommend enabling higher debug level (start with -d 1) and look into logs what was the answer from the forwarders preceding the failure.
>
> Ondrej
> --
> Ondřej Surý — ISC
Re: bind 9.11.3 - resolving troubles running as a caching server
On 21.11.2019 at 11:47, Bind Mailinglist wrote:
> Hello Ondřej
> Interesting case and not so easy to detect. But I was able to get a few steps further.
> As I always have to clear the cache for host tm.inregion.waas.oci.oraclecloud.net I focused monitoring on that.
>
> 1.
> On my caching servers I was tracing this host with wireshark. In most cases my other servers replied to the queries (most A, some CNAME) with another CNAME.
> When the problem appears, the last reply was a SOA from my DNS server. So why does my DNS server send such a SOA reply to the cache server?
>
> 2.
> So I was trying to do the same on my DNS servers.
> And there all A queries for tm.inregion.waas.oci.oraclecloud.net were replied from authoritative servers with a CNAME and a very dynamic host. Maybe quite normal for this oracle cloud.
> But there were a few CNAME queries for the same host. And for CNAME queries I always got an SOA answer.
> About 1.5s my server queries again for an A record which has been answered.
>
> What happens when my cache queries my DNS server for the same host at the time between SOA reply and next A reply from the authoritative server?
>
> I can reproduce it like this:
>
> The CNAME query:
>
> $ dig @ns1.p17.dynect.net tm.inregion.waas.oci.oraclecloud.net CNAME
>
> ; <<>> DiG 9.9.5-3ubuntu0.19-Ubuntu <<>> @ns1.p17.dynect.net tm.inregion.waas.oci.oraclecloud.net CNAME
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24630
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;tm.inregion.waas.oci.oraclecloud.net. IN CNAME
>
> ;; AUTHORITY SECTION:
> inregion.waas.oci.oraclecloud.net. 1800 IN SOA ns1.p17.dynect.net. hostmaster.inregion.waas.oci.oraclecloud.net. 1574248545 3600 600 604800 1800
>
> ;; Query time: 15 msec
> ;; SERVER: 2001:500:90:1::17#53(2001:500:90:1::17)
> ;; WHEN: Thu Nov 21 11:44:41 CET 2019
> ;; MSG SIZE rcvd: 127
>
>
> The A query:
>
> $ dig @ns1.p17.dynect.net tm.inregion.waas.oci.oraclecloud.net A
>
> ; <<>> DiG 9.9.5-3ubuntu0.19-Ubuntu <<>> @ns1.p17.dynect.net tm.inregion.waas.oci.oraclecloud.net A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55743
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;tm.inregion.waas.oci.oraclecloud.net. IN A
>
> ;; ANSWER SECTION:
> tm.inregion.waas.oci.oraclecloud.net. 30 IN CNAME eu-switzerland.inregion.waas.oci.oraclecloud.net.
>
> ;; AUTHORITY SECTION:
> inregion.waas.oci.oraclecloud.net. 86400 IN NS ns4.p17.dynect.net.
> inregion.waas.oci.oraclecloud.net. 86400 IN NS ns3.p17.dynect.net.
> inregion.waas.oci.oraclecloud.net. 86400 IN NS ns1.p17.dynect.net.
> inregion.waas.oci.oraclecloud.net. 86400 IN NS ns2.p17.dynect.net.
>
> ;; Query time: 14 msec
> ;; SERVER: 2001:500:90:1::17#53(2001:500:90:1::17)
> ;; WHEN: Thu Nov 21 11:45:38 CET 2019
> ;; MSG SIZE rcvd: 255
>
> But I'm still if that is my problem.
> Regard Florian
>
> On 20.11.2019 at 18:16, Ondřej Surý wrote:
>> The cache shows you that the forwarder reported that there's no such record returned from the upstream resolvers.
>>
>> The NXRRSET means - Non-eXistant Resource Record Set, e.g. your resolvers cached the non-existence of the name returned from the upstream resolvers.
>>
>> The other option would be running the affected query against the upstream resolvers in a semi-tight loop and log the results.
>>
>> while true; do echo "$(date -R): $(dig +short IN A @)"; sleep 1; done
>>
>> Ondrej
>> --
>> Ondřej Surý
>> ond...@isc.org
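The two authoritative answers above have very different cache lifetimes, which is what the thread is circling around. The following added example (not from the thread and not BIND code) parses a dig-style response and applies RFC 2308 section 3 to it: a NODATA answer (NOERROR with an empty answer section) or an NXDOMAIN is cacheable for the lesser of the SOA record's own TTL and its MINIMUM field, while a positive answer is not a negative entry at all. The first two samples are condensed copies of the responses quoted above (the SOA joined onto one line); the third is constructed.

```python
import re

STATUS_RE = re.compile(r"status: (\w+)")
ANSWER_RE = re.compile(r"ANSWER: (\d+)")
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)",
    re.M,
)


def negative_cache_ttl(dig_output):
    """Classify a dig-style response and return (kind, ttl).

    kind is 'NXDOMAIN', 'NODATA' (NOERROR with an empty answer section) or None for a
    positive answer. ttl follows RFC 2308 section 3: the lesser of the SOA record's own
    TTL and its MINIMUM field; a negative answer without an SOA cannot be cached (ttl 0).
    """
    status = STATUS_RE.search(dig_output)
    answers = ANSWER_RE.search(dig_output)
    if not (status and answers):
        raise ValueError("not a dig-style response")
    rcode, n_answers = status.group(1), int(answers.group(1))
    if rcode == "NXDOMAIN":
        kind = "NXDOMAIN"
    elif rcode == "NOERROR" and n_answers == 0:
        kind = "NODATA"
    else:
        return None, None
    soa = SOA_RE.search(dig_output)
    if soa is None:
        return kind, 0
    return kind, min(int(soa["ttl"]), int(soa["minimum"]))


# Condensed from the CNAME query in the thread (SOA joined onto one line).
NODATA_CNAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24630
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;tm.inregion.waas.oci.oraclecloud.net. IN CNAME
;; AUTHORITY SECTION:
inregion.waas.oci.oraclecloud.net. 1800 IN SOA ns1.p17.dynect.net. hostmaster.inregion.waas.oci.oraclecloud.net. 1574248545 3600 600 604800 1800
"""

# Condensed from the A query in the thread: a positive answer with a 30 s TTL.
POSITIVE_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55743
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; ANSWER SECTION:
tm.inregion.waas.oci.oraclecloud.net. 30 IN CNAME eu-switzerland.inregion.waas.oci.oraclecloud.net.
"""

# Constructed: an NXDOMAIN whose SOA TTL is shorter than its MINIMUM field.
NXDOMAIN_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.invalid. 300 IN SOA ns.example.invalid. hostmaster.example.invalid. 1 3600 600 604800 86400
"""


def compare_lifetimes():
    """How long each response may live in a resolver's cache: the NODATA answer to the
    CNAME query is good for 1800 s, the positive A-query answer for only 30 s."""
    return {
        "cname_query": negative_cache_ttl(NODATA_CNAME),   # ('NODATA', 1800)
        "a_query": negative_cache_ttl(POSITIVE_A),         # (None, None)
        "nxdomain": negative_cache_ttl(NXDOMAIN_SAMPLE),   # ('NXDOMAIN', 300)
    }
```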
mysterious wedges in bind9
Hello,

My primary bind9 name server which does double-duty as a server and recursive lookup is becoming "wedged" where it does not respond to queries or stop events from rndc. Sending SIGTERM does not work; I have to SIGKILL (kill -9) it.

Package info:

    ii bind9 1:9.5.0.dfsg.P2-1ubun Internet Domain Name Server

OS: Ubuntu 8.10

Needless to say, this is causing me a headache. When it's down, SSH operations take over a minute. Strangely, I have an identical server which slaves all the same domains but does not ever exhibit this behavior.

What can/should I do to troubleshoot this?

Thanks in advance!
--
Obama Nation | My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
Debugging Information Lacking?
I have some other issues that I'm trying to work through, but I wanted to ask about a specific issue.

I'm trying to see what BIND currently thinks all of the zones are, so I issue the "rndc dumpdb -zones" command. I get the following output:

    Nov 27 07:36:26 DNA-DNS1 named[20035]: received control channel command 'trace 99'
    Nov 27 07:36:26 DNA-DNS1 named[20035]: debug level is now 99
    Nov 27 07:36:28 DNA-DNS1 named[20035]: received control channel command 'dumpdb -zones'
    Nov 27 07:36:28 DNA-DNS1 named[20035]: dumpdb started: -zones
    Nov 27 07:36:28 DNA-DNS1 named[20035]: dumpdb complete

However, it appears no file is generated. "find / -name cache_dump.db" doesn't return anything. The log says that dumpdb is complete, but it doesn't say what it wrote. I would expect the log file to say something like:

    Nov 27 07:36:28 DNA-DNS1 named[20035]: dumpdb output to: /var/lib/bind/cache_dump.db

It doesn't. Could we get that added to the logging information?

    root@DNA-DNS1:/var/lib/bind# named -v
    BIND 9.10.3-P4-Debian
    root@DNA-DNS1:/var/lib/bind# cat /etc/debian_version
    9.11

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
Re: Debugging Information Lacking?
Frak, so I was looking for the wrong file name the whole time. I must have latched on to the wrong one and then ran with it. If the logging captured the path and name of the file it was writing, I probably would have noticed my error the first time around.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: "Lee"
To: isc-bind-us...@ics-il.net
Cc: bind-users@lists.isc.org
Sent: Wednesday, November 27, 2019 8:59:51 AM
Subject: Re: Debugging Information Lacking?

On 11/27/19, isc-bind-us...@ics-il.net wrote:
> I have some other issues that I'm trying to work through, but I wanted to ask about a specific issue.
>
> I'm trying to see what BIND currently thinks all of the zones are, so I issue the "rndc dumpdb -zones" command.
<.. snip ..>
> However, it appears no file is generated. "find / -name cache_dump.db" doesn't return anything.

the default file name is named_dump.db

If your named.conf has this bit

    options {
        directory "/var/cache/bind"; # working directory

then "rndc dumpdb -zones" creates the file /var/cache/bind/named_dump.db

If your named.conf has this bit

    options {
        dump-file "/tmp/cache_dump.db";

then "rndc dumpdb -zones" creates the file /tmp/cache_dump.db

> The log says that dumpdb is complete, but it doesn't say what it wrote. I would expect the log file to say something like:
>
> Nov 27 07:36:28 DNA-DNS1 named[20035]: dumpdb output to: /var/lib/bind/cache_dump.db
>
> It doesn't. Could we get that added to the logging information?

Yes, it would be nice if that was added

Lee
Re: Primary/Secondary (Was: Master/Slave)
Terminology, Power, and Exclusionary Language in Internet-Drafts and RFCs

Abstract

This document argues for more inclusive language conventions sometimes used by RFC authors and the RFC Production Centre in Internet-Drafts that are work in progress, and in new RFCs that may be published in any of the RFC series, in order to foster greater knowledge transfer and improve diversity of participation in the IETF. This document represents the opinion of the authors and does not have IETF consensus.

https://www.ietf.org/archive/id/draft-knodel-terminology-09.html

--
-Barry Shein
Software Tool & Die | b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
Re: Intermittent issues resolving "labor.upload.akamai.com"
On Fri, Feb 3, 2023 at 4:32 AM Greg Choules via bind-users wrote:
>> From a quick look in Wireshark at what my own server (9.18.8) is doing, this
>> looks like Akamai not responding correctly to a BIND QNAME minimisation
>> query. Here's one response, from 95.101.36.192 for example, of many similar
>> ones showing an issue. The response code shouldn't be REFUSED:

Definitely protocol issues going on with akamai.net.

A query for the target in the OP, at an akamai.net auth, indicates that there's a zone cut at e.stor:

  dig +noall +auth r33674-33729.neards.1.cftp.e.stor.lb.akamai.net @zc.akamaitech.net
  e.stor.lb.akamai.net.   4000  IN  NS  n4e.stor.lb.akamai.net.
  e.stor.lb.akamai.net.   4000  IN  NS  n0e.stor.lb.akamai.net.
  e.stor.lb.akamai.net.   4000  IN  NS  n3e.stor.lb.akamai.net.
  e.stor.lb.akamai.net.   4000  IN  NS  n2e.stor.lb.akamai.net.
  e.stor.lb.akamai.net.   4000  IN  NS  n1e.stor.lb.akamai.net.

but it returns that the stor label is a lame delegation:

  dig stor.lb.akamai.net @zc.akamaitech.net | awk '/status/ {print $6}'
  REFUSED,

Even if lb were itself delegated, REFUSED is still the wrong answer for stor; in that case it should get the delegation for lb. But lb isn't delegated either, so refused is even more wrongerer.

I'll forward this over to Akamai.

--
tale
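The label-by-label walk Greg and tale describe, as an added example that is not from the thread or from ISC: given the target name and the zone the server is authoritative for, it generates the shortened names a QNAME-minimising resolver (RFC 9156) sends one label at a time and flags every intermediate name that gets REFUSED, SERVFAIL or NXDOMAIN before a referral is reached. The in-memory server `AKAMAI_LIKE` is constructed to behave like the zc.akamaitech.net answers quoted above; `dig_query` wraps a real dig for use against a live server and is not exercised here.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# A probe result: (rcode, owner of the NS RRset in the AUTHORITY section when
# the answer is a referral, else None).
Response = Tuple[str, Optional[str]]
QueryFn = Callable[[str], Response]

# An authoritative server must never answer these for a name inside a zone it
# serves; a minimising resolver treats them as a broken/lame server.
BROKEN_RCODES = {"REFUSED", "SERVFAIL", "NOTIMP", "FORMERR"}


def minimised_names(target: str, zone: str) -> List[str]:
    """Shortened names a QNAME-minimising resolver sends to this zone's servers:
    one more label per step, from just below the zone apex up to the full target."""
    t = target.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    if len(t) <= len(z) or t[-len(z):] != z:
        raise ValueError(f"{target} is not below {zone}")
    return [".".join(t[i:]) + "." for i in range(len(t) - len(z) - 1, -1, -1)]


def probe(target: str, zone: str, query: QueryFn) -> List[Tuple[str, str]]:
    """Walk the minimised names and record every one the server mishandles.
    Stops at the first referral: later queries go to the child's servers."""
    findings: List[Tuple[str, str]] = []
    for name in minimised_names(target, zone):
        rcode, cut = query(name)
        if rcode in BROKEN_RCODES:
            findings.append((name, f"{rcode} for a name under the served zone"))
        elif rcode == "NXDOMAIN":
            # RFC 8020: NXDOMAIN for an ancestor means nothing below exists
            findings.append((name, "NXDOMAIN for an ancestor of the target"))
            break
        elif cut is not None:
            findings.append((name, f"referral: zone cut at {cut}"))
            break
    return findings


# Constructed stand-in for zc.akamaitech.net, shaped like the dig output above.
AKAMAI_LIKE: Dict[str, Response] = {
    "lb.akamai.net.": ("REFUSED", None),
    "stor.lb.akamai.net.": ("REFUSED", None),
    "e.stor.lb.akamai.net.": ("NOERROR", "e.stor.lb.akamai.net."),
}


def fake_query(name: str) -> Response:
    return AKAMAI_LIKE.get(name, ("NOERROR", None))


def dig_query(server: str) -> QueryFn:
    """Live probe through dig: rcode from the header comment, NS owner from AUTHORITY."""
    def q(name: str) -> Response:
        out = subprocess.run(
            ["dig", "+norecurse", "+noall", "+comments", "+authority", name, f"@{server}"],
            capture_output=True, text=True, check=False).stdout
        m = re.search(r"status: (\w+)", out)
        rcode = m.group(1) if m else "TIMEOUT"
        ns = re.search(r"^(\S+)\s+\d+\s+IN\s+NS\s", out, re.M)
        return rcode, (ns.group(1) if ns else None)
    return q


if __name__ == "__main__":
    target = "r33674-33729.neards.1.cftp.e.stor.lb.akamai.net."
    for name, why in probe(target, "akamai.net.", fake_query):
        print(f"{name:45} {why}")
```

Against a live server, `probe(target, "akamai.net.", dig_query("zc.akamaitech.net"))` performs the same walk; a clean server produces a single "referral" finding or none at all.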
Is there an incompatibility between 9.16.37/9.18.11 and 9.9 when doing HMAC-MD5 AXFR?
Hi all

Due to circumstances beyond my control a remote partner needs to use a 9.9.9 version of bind and we are required to use HMAC-MD5 for zone transfers. There is no (big) security concern since the networks are isolated and not exposed to the larger Internet.

When the secondary requests an AXFR I see:

  client @0x nnn.nnn.nnn.nnn#xx: request has invalid signature: TSIG : tsig verify failure (BADSIG)

Doing a dig directly (with the same key) I get the zone:

  client @0x nnn.nnn.nnn.nnn#xx /key (zone.tld): transfer of 'zone.tld/IN': AXFR started: TSIG (serial )

Are there any known incompatibilities - preferably with workarounds :) - that anyone knows about?

I apologize in advance if the info is lacking but here are, what I consider, the relevant parts from named.conf:

  key "." {
    algorithm hmac-md5;
    secret "XX";
  };

  acl servers {
    nnn.nnn.nnn.nnn;
    nnn.nnn.nnn.nnn;
    nnn.nnn.nnn.nnn;
  };

  acl transfer {
    !servers;
    !localhost;
    !nnn.nnn.nnn.nnn;
    any;
  };

  zone "zone.tld." IN {
    type master;
    file "/etc/bind/zones/zone.file";
    allow-transfer { !transfer; key .; };
  };

Again - sorry if this is insufficient information. It could be as simple as the remote not having everything in order but they swear up and down that they have checked, double-checked and enlisted multiple persons in doing the checks.

I would appreciate any and all hints even if they are far-fetched.

Best Regards
Patrik Graeser
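What the BADSIG on the primary means mechanically: the MAC the secondary put on its AXFR request did not reproduce when the primary recomputed it. The helper below is an added example, not from the thread or from ISC; it computes the RFC 8945 request MAC for HMAC-MD5 over a minimal AXFR query using only Python's standard library and then plays the primary's check. Every input to the HMAC has to agree on both sides: the secret (the base64-decoded `secret` string), the key name (canonicalised to lowercase, so case differs harmlessly while a different label count does not), the algorithm name, and the time-signed and fudge fields. The key name `transfer-key.` and its secret are constructed for the example; they are not the thread's.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict

HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."  # RFC 8945 algorithm name for HMAC-MD5


def wire_name(name: str) -> bytes:
    """Canonical wire form (lowercase, uncompressed) as used inside the digest."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def secret_from_conf(b64: str) -> bytes:
    """The HMAC key is the base64-decoded 'secret' value from named.conf."""
    return base64.b64decode(b64.strip())


def axfr_request(msg_id: int, zone: str) -> bytes:
    """Minimal unsigned AXFR query: 12-byte header plus one question
    (type AXFR=252, class IN=1), i.e. the message before the TSIG RR is appended."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def tsig_mac(secret: bytes, key_name: str, message: bytes,
             time_signed: int, fudge: int = 300) -> bytes:
    """Request MAC (RFC 8945 4.3.3): HMAC over the unsigned message followed by
    the TSIG variables: key name, class ANY, TTL 0, algorithm name,
    48-bit time signed, fudge, error 0, other-len 0."""
    tsig_vars = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)
        + wire_name(HMAC_MD5_ALG)
        + time_signed.to_bytes(6, "big")
        + struct.pack("!HHH", fudge, 0, 0)
    )
    return hmac.new(secret, message + tsig_vars, hashlib.md5).digest()


def verify(keys: Dict[str, bytes], key_name: str, message: bytes, time_signed: int,
           mac: bytes, now: int, fudge: int = 300) -> str:
    """The primary's side: returns the TSIG error name it would log."""
    name = key_name.rstrip(".").lower() + "."
    if name not in keys:
        return "BADKEY"      # no key with that name configured on this side
    expected = tsig_mac(keys[name], name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"      # secret, message bytes or TSIG variables differ
    if abs(now - time_signed) > fudge:
        return "BADTIME"     # clocks more than fudge seconds apart
    return "NOERROR"


# Constructed key, as it would appear in named.conf:
#   key "transfer-key." { algorithm hmac-md5; secret "dGVzdC1zZWNyZXQ="; };
SECRET = secret_from_conf("dGVzdC1zZWNyZXQ=")
KEYS = {"transfer-key.": SECRET}

if __name__ == "__main__":
    msg = axfr_request(0x1234, "zone.tld.")
    t = 1700000000
    mac = tsig_mac(SECRET, "transfer-key.", msg, t)
    print(verify(KEYS, "transfer-key.", msg, t, mac, now=t + 5))
```

Because named looks the key up by name before computing anything, a name that is unknown on the receiving side is reported as BADKEY, not BADSIG; a BADSIG with a known key therefore points at the secret bytes or at the message itself differing between the two ends.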
Bind listener to an IPv6 from AnyIP subnet
Hello,

I am trying to bind the named listener to an IPv6 address from a prefix which is assigned to a system via the AnyIP kernel feature - basically, it is done by the following command:

  sudo ip -6 route add local 2001:db8::/32 dev lo

To be able to use an IPv6 address from the AnyIP prefix the following sysctl must be applied:

  net.ipv6.ip_nonlocal_bind = 1

Having the above, I am able to use any IP from the AnyIP prefix in all software, but named refuses to create a socket which listens on that kind of IP address.

As an alternative approach I have tried to run with the configuration "listen-on-v6 { any; };", but it does behave in a way I need - it binds a separate socket for each discovered IP address rather than the wildcard address [::].

Had anyone faced the same or similar issue?
Re: Bind listener to an IPv6 from AnyIP subnet
I have reloaded the configuration as well as restarted bind9. The simplest workaround I see - bind the IPv6 address explicitly to the interface using the command "ip address add 2001:db8::1 dev eth0" and then I am able to use 2001:db8::1 for named. But I would like to take advantage of using AnyIP.

On 3/12/23 19:03, Darren Ankney wrote:
> Just a quick question because I ran into this problem before... is it possible that named was started before the ip was added?
>
> On Sun, Mar 12, 2023 at 12:55 PM Serg via bind-users wrote:
Re: Bind listener to an IPv6 from AnyIP subnet
The problem is I have lots of IPv6 addresses where I need to listen for DNS requests (an IPv6 prefix of /64) and I could not just explicitly add each to the interface, thus I use the AnyIP feature to be able to use the entire prefix locally by such software as nginx, curl, etc.

Regarding the usage of [::] - due to the usage of a firewall I am able to block connections to 53/udp and 53/tcp which are not coming to specific IP addresses or ranges; I do not need such filtering functionality within bind itself.

Anyway, the better option is to allow binding to so-called "non-local" IP addresses. Currently if I try to bind named to an IP address within the AnyIP prefix which is not explicitly added to an interface, it just does not bind the socket.

Read this blog post for more details on the AnyIP feature: https://blog.widodh.nl/2016/04/anyip-bind-a-whole-subnet-to-your-linux-machine/

2023-03-13T08:55:16Z Michael Richardson :
>
> Serg via bind-users wrote:
> > As an alternative approach I have tried to run with a configuration
> > "listen-on-v6 { any; }", but it does behave in a way I need - it binds
> > separate socket for each discovered IP address rather wildcard address
> > of [::].
>
> Bind needs to bind a new socket for each address so that it can easily know
> which address is being communicated with. While there are newer ways to do
> this, they aren't that portable.
>
> What is the problem with binding to all the addresses, if you then filter
> which addresses will actually respond?
>
> Many large authoritative resolvers put the anycast address on the lo, and
> then use BGP to announce connectivity, and AFAIK, they all just listen on all
> addresses, because sometimes you want to ask a specific server a question.
Re: Bind dns amplification attack
Are you an open recursor? If the answer is no, you should not face any amplification attacks. If you are an open recursor, the best solution is to restrict which IP addresses are allowed to access your recursor.
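The two halves of that advice as a named.conf fragment. This is an added example, not from the thread or from ISC: recursion and cache reads are limited to a client ACL, and response rate limiting is enabled as well, because any zone the server is authoritative for can still be used as a reflector even with recursion closed. The networks in the ACL are documentation ranges and the rate-limit values are placeholders to tune.

```conf
// Clients allowed to use this server as a resolver (assumed ranges).
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    recursion yes;

    // Only trusted clients may recurse or read the cache; everyone else
    // receives REFUSED, so the server is not an open reflector.
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Authoritative answers stay public, so limit identical responses per
    // client /24 (v4) or /56 (v6); "slip 2" answers every second dropped
    // query with a truncated reply, which legitimate clients retry over TCP
    // and spoofed sources never see.
    allow-query { any; };
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
    };

    // Smaller answers mean a smaller amplification factor.
    minimal-responses yes;
};
```

Check the result from an untrusted address with `dig @server www.example.com +norecurse` (expect NOERROR only for zones the server hosts) and `dig @server www.example.com` (expect REFUSED).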
BIND | Cname chain resolution using forward ( CNAME&A returned but no use A) (#3995)
hi bind admin,

when i use bind-9.11 for my interdns, device ip is 10.1.1.1, i config

  zone "bd.baidubce.com." in {
    type forward;
    forward only;
    forwarders { 10.10.10.10; };
  };

1. when i dig @10.1.1.1 x.bd.bcebos.com.
2. 10.10.10.10 returns the records "CNAME bd.bcebos.com., A 100.67.96.26, A 100.67.96.27" to device 10.1.1.1
3. but device 10.1.1.1 does not return A 100.67.96.26, A 100.67.96.27 to me
4. device 10.1.1.1 goes to query bd.bcebos.com. recursively itself, and gets another record 110.242.70.8

i have a question:

1. why, when the config is forward only, and bind gets CNAME & A, does bind not return the A to me, and query the cname again itself?

thanks
BIND | Cname chain resolution using forward ( CNAME&A returned but no use A) (#3995)
i am very very sorry, the zone info of the first mail -> zone "bd.baidubce.com." i wrote wrong; the right info is zone "x.bd.bcebos.com." please just see this mail.

when i use bind-9.11 for my interdns, device ip is 10.1.1.1, i config

  zone "x.bd.bcebos.com." in {
    type forward;
    forward only;
    forwarders { 10.10.10.10; };
  };

1. when i dig @10.1.1.1 x.bd.bcebos.com.
2. 10.10.10.10 returns the records "CNAME bd.bcebos.com., bd.bcebos.com. A 100.67.96.26, A 100.67.96.27" to device 10.1.1.1
3. but device 10.1.1.1 does not return A 100.67.96.26, A 100.67.96.27 to me
4. device 10.1.1.1 goes to query bd.bcebos.com. recursively itself, and gets another record 110.242.70.8

i have a question:

1. why, when the config is forward only and bind gets CNAME & A records from the forwarders, does bind not return the A record to me, and query the cname domain recursively again itself?

thanks
Re: DNSSEC regulatory requirements?
On Wed, Apr 05, 2023 at 11:04:10AM +0200, Klaus Malorny wrote:
> On 04.04.23 15:11, Josh Kuo wrote:
> > Hi all,
> >
> > [...]
> >
> > The only one I know of is the very dated US OMB memo from 2008. I see
> > several European domains have better DNSSEC deployment rates (such as
> > .de). Are there any regulations or friendly recommendations from some
> > kind of governing body at work here?
> >
> > Thank you.
> >
> > -Josh
>
> Hi Josh,
>
> at least not in Germany/.de. There may be rules for governmental domain
> names, but not for the general public/commercial domains. Other European
> ccTLD registries have/had promotions for DNSSEC, so this might be the reason
> for higher deployment rates.
>
> Greetings,
> Klaus

I think at least one Scandinavian country had a tax incentive to encourage DNSSEC adoption, but no regulatory requirement.

cheers,
raf
Re: Delegation NS-records when zones share an authority server
It'll matter when you decide to add DNSSEC to the zone, and it's also good hygiene in the absence of DNSSEC so that any future maintainer can be reminded that there is a subdomain at that name when looking at the parent.
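A check for exactly that situation, as an added example that is not from the thread or from ISC: given the parent's and the child's records, it confirms the parent carries an NS RRset at the cut that matches the child's apex NS, that a signed child has a DS in the parent, and that nothing else lingers below the cut in the parent (such data is occluded by the delegation and never served). The zone contents are constructed; `ns1.example.com.` serving both zones models the shared-server case the thread is about, and the DS and DNSKEY rdata are abbreviated placeholders.

```python
from typing import Iterable, List, Set, Tuple

# (owner, type, rdata); owner names absolute and lowercase, as in a zone dump.
Record = Tuple[str, str, str]


def rrset(records: Iterable[Record], owner: str, rtype: str) -> Set[str]:
    return {rdata for o, t, rdata in records if o == owner and t == rtype}


def below(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def check_delegation(parent: List[Record], child: List[Record], cut: str) -> List[str]:
    """Compare the parent's view of the delegation point with the child's apex.
    Returns a list of problems; empty means the delegation is consistent."""
    problems: List[str] = []
    parent_ns = rrset(parent, cut, "NS")
    child_ns = rrset(child, cut, "NS")

    if not parent_ns:
        problems.append(f"no NS RRset for {cut} in the parent: the child is not delegated")
    elif parent_ns != child_ns:
        problems.append(f"NS RRset for {cut} differs: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")

    # The chain of trust crosses the cut only through a DS in the parent.
    if rrset(child, cut, "DNSKEY") and not rrset(parent, cut, "DS"):
        problems.append(f"{cut} is signed but the parent has no DS record at the cut")

    # With a delegation in place, only NS and DS at the cut and glue (A/AAAA for
    # NS targets inside the child) belong at or below the cut in the parent.
    if parent_ns:
        glue_owners = {ns for ns in parent_ns if below(ns, cut)}
        for owner, rtype, _ in parent:
            if not below(owner, cut):
                continue
            if owner == cut and rtype in ("NS", "DS"):
                continue
            if rtype in ("A", "AAAA") and owner in glue_owners:
                continue
            problems.append(f"{owner} {rtype} in the parent is occluded by the delegation")
    return problems


# Constructed zone contents (rdata abbreviated where it does not matter).
PARENT: List[Record] = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.53"),
    ("www.example.com.", "A", "192.0.2.10"),
    # the delegation: same server as the parent, so it looks redundant but is not
    ("sub.example.com.", "NS", "ns1.example.com."),
    ("sub.example.com.", "DS", "12345 13 2 <digest>"),
    # a stale record someone left in the parent under the cut
    ("old.sub.example.com.", "A", "192.0.2.99"),
]
CHILD: List[Record] = [
    ("sub.example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300"),
    ("sub.example.com.", "NS", "ns1.example.com."),
    ("sub.example.com.", "DNSKEY", "257 3 13 <public key>"),
    ("app.sub.example.com.", "A", "192.0.2.20"),
]

if __name__ == "__main__":
    for problem in check_delegation(PARENT, CHILD, "sub.example.com."):
        print(problem)
```

To run this against real zones, feed it the output of `dig AXFR` or `named-compilezone -o -` split into (owner, type, rdata) triples.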
What is the equivalent of this dnsmasq configuration
I need to hijack certain domains and not their subdomains, so I use dnsmasq to achieve it:

```
host-record=example.com,1.2.3.4
```

In bind I have to create a zone and copy everything there; is there a simple way for domains I have no authority for?
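The BIND counterpart for a name you are not authoritative for is a response policy zone (RPZ) rather than a copy of the real zone. This is an added example, not from the thread or from ISC: a QNAME trigger in an RPZ matches only the exact owner name, so `example.com` is rewritten while `www.example.com` and every other subdomain still resolve normally; a separate `*.example.com` entry would be needed to cover them. File names and SOA values are assumptions; the server must be recursing for its clients, since RPZ rewrites recursive answers.

```conf
// --- named.conf (added example) ---
options {
    recursion yes;
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;            // newer releases also accept "primary"
    file "/etc/bind/rpz.local.db";
    allow-query { none; };  // policy data is never served directly
    allow-transfer { none; };
};

// --- /etc/bind/rpz.local.db (added example) ---
// $TTL 300
// @               IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
//                 IN NS   localhost.
// ; exact QNAME trigger: only "example.com" itself is answered with 1.2.3.4
// example.com     IN A    1.2.3.4
// ; uncomment to cover subdomains as well (what the dnsmasq line deliberately does not do)
// ;*.example.com  IN A    1.2.3.4
```

After `rndc reload`, `dig @127.0.0.1 example.com` returns 1.2.3.4 and `dig @127.0.0.1 www.example.com` returns the real record; rewritten answers are logged by the `rpz` logging category if you enable it.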
Problem with recursion for windows bind for Teamviewer
I don't know if this will be fixed before EOL for windows bind, but here is the problem. Teamviewer (and maybe other sites too): when you do the recursion, when there is no answer under 1000ms it tries again, which is triggered by the client Windows (not the one running bind), which also tries again for an answer. This seems to cause the bind server not to give an answer, but it tries and tries, then Teamviewer works. So Teamviewer DNS is doing a delayed reply which seems to be causing a problem for bind for windows, because I tested bind on Ubuntu having DNS forward for teamviewer.com to it and Teamviewer loads faster. So it would be nice if this could be fixed but I will not hold my breath. Thanks for any insight on this
Re: Problem with recursion for windows bind for Teamviewer
I'm by no means an expert in DNS or how it fully works, so I can't be of any more help about this problem than I already have. But it seems Teamviewer have rebooted their DNS servers and now windows bind allows Teamviewer to load faster.
Re: Problem with recursion for windows bind for Teamviewer
So, more tests, and the problem has come back, but I think I know why. Thinking internet sharing was the problem, I found a way to disable it, because it bound shared access for port 53 on 0.0.0.0; so that's the problem, I think, now after testing with it on. For anyone interested, MS has made it really hard to disable ICS on Windows 11. I have tried many ways to disable it from all over the web; none worked, but what did work was to delete the Start key for:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Re: Problem with recursion for windows bind for Teamviewer
Now it's not working fast again! I don't know now; it must be Teamviewer DNS delaying replies causing windows bind to fail in some way.
Re: Problem with recursion for windows bind for Teamviewer
I'm just using bind to do my DNS lookups with no forwarders, that's all. The Teamviewer app uses DNS to find its servers; from what I can tell it can take over 4000ms to get an answer. The following seems to help in bind:

  resolver-retry-interval 5000;

I think if I can then find a setting in windows to do the same thing that might help even more. Here is what I see from Wireshark: https://ufile.io/q0kxqltc
Re: Problem with recursion for windows bind for Teamviewer
On starting Teamviewer it can say no connection; when bind does the lookup with this delay it causes bind to not reply LAN side sometimes, which causes the app to fail, yet with bind on Ubuntu there is no problem.
Re: Problem with recursion for windows bind for Teamviewer
This might show the problem even more: on two interfaces, WAN side and LAN, you can see 192.168.53.19 ask for routerpool8 (#60), then bind goes out (#62), gets an answer (#75), and no reply back to 192.168.53.19. https://ufile.io/v8oob3jg
Re: Problem with recursion for windows bind for Teamviewer
This is the thing: the setup works fast for many sites, just this Teamviewer and their DNS servers are a problem, and bind does reply to 192.168.53.19, albeit 26 seconds later! But Teamviewer tries over and over, then it connects, yet the WAN side took under 4 seconds to get the answer. https://ufile.io/6ofm19ng
Re: Problem with recursion for windows bind for Teamviewer
And this from dig; maybe a routing issue is why it takes so long for me?

  C:\Program Files\ISC BIND 9\bin>dig @213.227.191.1 router14.teamviewer.com +norecurs

  ; <<>> DiG 9.16.45 <<>> @213.227.191.1 router14.teamviewer.com +norecurs
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36405
  ;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;router14.teamviewer.com.               IN      A

  ;; ANSWER SECTION:
  router14.teamviewer.com.         3600   IN      CNAME   routerpool14.rlb.teamviewer.com.
  routerpool14.rlb.teamviewer.com. 120    IN      A       188.172.235.146
  routerpool14.rlb.teamviewer.com. 120    IN      A       217.146.13.137
  routerpool14.rlb.teamviewer.com. 120    IN      A       34.17.240.4
  routerpool14.rlb.teamviewer.com. 120    IN      A       217.146.21.139
  routerpool14.rlb.teamviewer.com. 120    IN      A       37.252.234.165

  ;; Query time: 3106 msec
  ;; SERVER: 213.227.191.1#53(213.227.191.1)
  ;; WHEN: Mon Nov 20 18:49:09 GMT Standard Time 2023
  ;; MSG SIZE  rcvd: 177
Re: Problem with recursion for windows bind for Teamviewer
So here is a theory: if a client asks a query and bind goes out for that query and the reply is delayed but you get the answer, then for whatever reason the reply to the client from bind is delayed even more! So the quicker the answer, the quicker the answer to the client. Why? I have no idea.
Queries/day
Hello all,

<https://serverfault.com/questions/106920/how-to-get-dns-server-statistics-total-queries-per-day-windows-server-2003>

How to get DNS server statistics? Total queries per day and month. The rndc statistics file is quite difficult to read. Is there a simpler method?

Nevertheless, I've attached my stats file, which I ran manually. After examining this file, is there anyone who can tell how many queries there were each day and month?

Thanks a lot in advance for your response.

Ejaz
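The counters in the file `rndc stats` writes are cumulative since named started, and each `rndc stats` appends another dump, so a per-day figure comes from the difference between two dumps divided by the time between them. The parser below is an added example, not from the thread or from ISC; it reads the `++ Incoming Requests ++` QUERY counter from every dump in the file, turns consecutive dumps into a queries-per-day rate, and sums the deltas into UTC calendar days. `SAMPLE` is constructed to look like a statistics file with three dumps, the last one after a restart.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Tuple

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
DUMP_END = re.compile(r"^--- Statistics Dump --- \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
COUNTER = re.compile(r"^\s*(\d+) (.+)$")


def parse_dumps(text: str) -> List[Tuple[int, int]]:
    """(timestamp, cumulative QUERY count) for each complete dump in the file."""
    dumps: List[Tuple[int, int]] = []
    ts, section, queries = None, None, None
    for line in text.splitlines():
        m = DUMP_START.match(line)
        if m:
            ts, section, queries = int(m.group(1)), None, None
            continue
        if DUMP_END.match(line):
            if ts is not None and queries is not None:
                dumps.append((ts, queries))
            ts = None
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = COUNTER.match(line)
        if m and section == "Incoming Requests" and m.group(2) == "QUERY":
            queries = int(m.group(1))
    return dumps


def _deltas(dumps: List[Tuple[int, int]]) -> Iterator[Tuple[int, int, int]]:
    """(start, end, queries in between). A counter that went down means named
    restarted; the later value is then the count since the restart."""
    for (t0, q0), (t1, q1) in zip(dumps, dumps[1:]):
        if t1 <= t0:
            continue
        yield t0, t1, (q1 - q0 if q1 >= q0 else q1)


def query_rates(dumps: List[Tuple[int, int]]) -> List[Tuple[int, int, float]]:
    """Queries per day, extrapolated from each interval between dumps."""
    return [(t0, t1, delta * 86400 / (t1 - t0)) for t0, t1, delta in _deltas(dumps)]


def queries_per_day(dumps: List[Tuple[int, int]]) -> Dict[str, int]:
    """Actual query counts bucketed by the UTC date each interval ended on."""
    per_day: Dict[str, int] = {}
    for _t0, t1, delta in _deltas(dumps):
        day = datetime.fromtimestamp(t1, tz=timezone.utc).date().isoformat()
        per_day[day] = per_day.get(day, 0) + delta
    return per_day


# Constructed statistics file: dumps six hours apart, the third one after a restart.
SAMPLE = """+++ Statistics Dump +++ (1700000000)
++ Incoming Requests ++
               1000 QUERY
                  2 NOTIFY
++ Incoming Queries ++
                700 A
                300 AAAA
--- Statistics Dump --- (1700000000)
+++ Statistics Dump +++ (1700021600)
++ Incoming Requests ++
              55000 QUERY
                  2 NOTIFY
--- Statistics Dump --- (1700021600)
+++ Statistics Dump +++ (1700043200)
++ Incoming Requests ++
                400 QUERY
--- Statistics Dump --- (1700043200)
"""

if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE)
    for t0, t1, rate in query_rates(dumps):
        print(f"{t0}-{t1}: {rate:.0f} queries/day")
    print(queries_per_day(dumps))
```

Run `rndc stats` from cron (hourly or daily) and point `parse_dumps` at the statistics file; monthly totals are the sum of the daily buckets. The `statistics-channels` JSON or XML interface gives the same counters without parsing this text format.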
unable-resolve-bank=domain
8OpyIcR7GmK1NhQtYQZXqPMmcFS6We G0c3ohwJSMSN8L2LpCx44Z1crr9CvA==
;; Received 650 bytes from 192.55.83.30#53(m.gtld-servers.net) in 63 ms

gslb.sabbnet.com.       7200    IN      NS      ns3.sabb.com.
gslb.sabbnet.com.       7200    IN      NS      ns4.sabb.com.
;; Received 161 bytes from 108.59.171.0#53(ns21.hsbc.net) in 16 ms

www.services.online-banking.gslb.sabbnet.com. 900 IN A 193.27.7.78
;; Received 89 bytes from 193.27.7.38#53(ns3.sabb.com) in 3 ms

When we dig without +trace, no response

[root@ns10 ~]# dig www.services.online-banking.gslb.sabbnet.com
;; communications error to 212.119.64.2#53: timed out
;; communications error to 212.119.64.2#53: timed out

; <<>> DiG 9.18.11 <<>> www.services.online-banking.gslb.sabbnet.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17592
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 14886f221081fc8e0100657e9abb46c04b22e6da4f29 (good)
;; QUESTION SECTION:
;www.services.online-banking.gslb.sabbnet.com. IN A

;; Query time: 1990 msec
;; SERVER: 212.119.64.2#53(212.119.64.2) (UDP)
;; WHEN: Sun Dec 17 09:52:43 +03 2023
;; MSG SIZE  rcvd: 101
RE: unable-resolve-bank=domain
My query logs show the below,

[root@ns10 ~]# tail -f /var/log/querylog | grep www.services.online-banking.gslb.sabbnet.com.
17-Dec-2023 11:06:03.438 queries: info: client @0x7f29940013a8 167.86.165.83#64231 (www.services.online-banking.gslb.sabbnet.com): query: www.services.online-banking.gslb.sabbnet.com IN +E(0)D (212.119.64.2)
17-Dec-2023 11:10:20.186 queries: info: client @0x7f294c64f3c8 213.210.238.28#30304 (www.services.online-banking.gslb.sabbnet.com): query: www.services.online-banking.gslb.sabbnet.com IN HTTPS +E(0)D (212.119.64.2)
17-Dec-2023 11:13:55.798 queries: info: client @0x7f2970c9fe18 212.119.64.2#53159 (www.services.online-banking.gslb.sabbnet.com): query: www.services.online-banking.gslb.sabbnet.com IN A +E(0)K (212.119.64.2)
17-Dec-2023 11:13:57.480 queries: info: client @0x7f295411def8 46.152.39.165#15007 (www.services.online-banking.gslb.sabbnet.com): query: www.services.online-banking.gslb.sabbnet.com IN A +E(0)D (212.119.64.2)
17-Dec-2023 11:13:57.505 queries: info: client @0x7f2a0060db68 46.152.39.165#25046 (www.services.online-banking.gslb.sabbnet.com): query: www.services.online-banking.gslb.sabbnet.com IN +E(0)D (212.119.64.2)
17-Dec-2023 11:13:57.513 queries: info: client @0x7f29c419e0b8 46.152.39.165#42489 (www.services.online-banking.gslb.sabbnet.com): query: www.services.online-banking.gslb.sabbnet.com IN A + (212.119.64.2)

Ejaz

-----Original Message-----
From: Ondřej Surý [mailto:ond...@isc.org]
Sent: Sunday, December 17, 2023 11:01 AM
To: MEjaz
Cc: bind-users@lists.isc.org
Subject: Re: unable-resolve-bank=domain

> On 17. 12. 2023, at 8:20, MEjaz via bind-users wrote:
>
> Any hint would be highly appreciated..

Paraphrasing: Logs or it didn't happen...

Always start with logs. The dig output is useless as we can't possibly know what is happening inside named on that server.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
RE: unable-resolve-bank=domain
Some additional information

17-Dec-2023 11:14:20.737 queries: debug 3: client @0x7f2a1027d6f8 88.213.90.92#64617 (www.services.online-banking.gslb.sabbnet.com): looking for relevant NSEC
17-Dec-2023 11:14:20.737 queries: debug 3: client @0x7f2a1027d6f8 88.213.90.92#64617 (www.services.online-banking.gslb.sabbnet.com): ignoring nsec because name is past end of range

Ejaz

-----Original Message-----
From: MEjaz [mailto:me...@cyberia.net.sa]
Sent: Sunday, December 17, 2023 11:16 AM
To: 'Ondřej Surý'
Cc: 'bind-users@lists.isc.org'
Subject: RE: unable-resolve-bank=domain
Unable to Query DoH with `tls none` and Plain HTTP
Hello,

Hope you are having a great day.

I am trying to set up a BIND9 DNS over HTTP (DoH but in plain HTTP) server with the ubuntu/bind9:latest docker image behind an HTTPS load balancer; however, I am unable to perform any DNS query with the newly installed BIND9 server (not through the load balancer). I am getting the following when I try to perform the query:

  ➜ curl -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'
  *   Trying 172.23.0.2:80...
  * Connected to 172.23.0.2 (172.23.0.2) port 80
  GET /dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
  Host: 172.23.0.2
  User-Agent: curl/8.5.0
  accept: application/dns-message

  * Received HTTP/0.9 when not allowed
  * Closing connection
  curl: (1) Received HTTP/0.9 when not allowed

and here is my named.conf.options

  options {
      directory "/var/cache/bind";

      // If there is a firewall between you and nameservers you want
      // to talk to, you may need to fix the firewall to allow multiple
      // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

      // If your ISP provided one or more IP addresses for stable
      // nameservers, you probably want to use them as forwarders.
      // Uncomment the following block, and insert the addresses replacing
      // the all-0's placeholder.

      // forwarders {
      //     0.0.0.0;
      // };

      //
      // If BIND logs error messages about the root key being expired,
      // you will need to update your keys.  See https://www.isc.org/bind-keys
      //
      dnssec-validation auto;

      listen-on-v6 { any; };

      // Custom Options From Here
      allow-query { any; };
      allow-transfer { none; };
      listen-on port 53 { any; };
      listen-on port 80 tls none http default { any; };
  };

Am I doing something wrong?

Thank you very much and I am looking forward to a solution.
Re: Unable to Query DoH with `tls none` and Plain HTTP
Hello,

Thank you very much. I was unaware of the HTTP/2 requirement and was assuming it was a bug. Is there any reason for omitting the HTTP/1.1 upgrade part of the protocol?

On 2024/01/01 22:30, Ondřej Surý wrote:
> Hi,
>
> BIND 9 DoH implementation always uses HTTP/2, so you can't talk to it via HTTP/0.9, so your proxy balancer needs to talk HTTP/2.
>
>     curl --http2-prior-knowledge -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'
>
> should work if I am reading the curl man page correctly (I don't have bind with doh no-tls here)
>
>     dig +http-plain @172.23.0.2
>
> will definitely work.
>
> Ondřej
> --
> Ondřej Surý (He/Him) ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users wrote:
>>
>> Hello,
>>
>> Hope you are having a great day. I am trying to set up a BIND9 DNS over HTTP (DoH, but in plain HTTP) server with the ubuntu/bind9:latest docker image behind an HTTPS load balancer; however, I am unable to perform any DNS query against the newly installed BIND9 server (not through the load balancer). I am getting the following when I try to perform the query:
>>
>> [...]
>>
>> Am I doing something wrong? Thank you very much, and I am looking forward to a solution.
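Ondřej's answer settles the transport question (BIND's DoH listener speaks HTTP/2 only), but the `dns=` parameter in the curl command deserves a look of its own. RFC 8484 section 6 defines the GET form as the DNS wire-format query, base64url-encoded without padding, and the value copied into the command above decodes to only 27 bytes, which cannot hold the 12-byte DNS header plus a complete question. The following Python is an added example, written for this page and not taken from the thread or from BIND: it builds the correct parameter for a name and type, and validates an incoming parameter the way a DoH front end should before handing the message to a resolver. `THREAD_PARAM` is the value from the post above; everything else is constructed here.

```python
import base64
import struct

# The dns= value from the curl command quoted in this thread.
THREAD_PARAM = "AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB"

RD_FLAG = 0x0100  # Recursion Desired bit of the DNS header flags word


def encode_qname(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=1, rd=True):
    """Minimal DNS query: 12-byte header plus one question.
    RFC 8484 section 4.1 recommends ID 0 so that identical questions give
    identical URLs, which lets HTTP caches and proxies do their job."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", 0, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_param(name, qtype=1):
    """base64url without '=' padding, as RFC 8484 section 6 requires for GET."""
    return base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")


def decode_doh_get_param(param):
    """Decode and validate a dns= parameter; raise ValueError when it is malformed."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    if len(raw) < 12:
        raise ValueError(f"message is {len(raw)} bytes, shorter than the DNS header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    pos, labels = 12, []
    while True:
        if pos >= len(raw):
            raise ValueError("question name runs past the end of the message")
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # 0x40..0xFF: reserved or a compression pointer, neither valid here
            raise ValueError(f"invalid label length byte 0x{length:02x} at offset {pos - 1}")
        if pos + length > len(raw):
            raise ValueError("label runs past the end of the message")
        labels.append(raw[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(raw):
        raise ValueError("question is missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", raw[pos:pos + 4])
    return {"id": ident, "rd": bool(flags & RD_FLAG),
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def validate_doh_get_param(param):
    """Return None for a well-formed query, otherwise the reason it was rejected."""
    try:
        decode_doh_get_param(param)
    except ValueError as exc:  # binascii.Error from bad base64 is a ValueError too
        return str(exc)
    return None


if __name__ == "__main__":
    good = doh_get_param("www.example.com")
    print("dns= for www.example.com/A:", good)
    print("decoded:", decode_doh_get_param(good))
    print("parameter from the thread:", validate_doh_get_param(THREAD_PARAM))
```

Running it prints the 44-character parameter for www.example.com/A and the reason the thread's 36-character value is rejected (after the first six bytes the header bytes are already the start of the `www` label). Note that rejecting before parsing anything past the declared lengths is the whole point: a front end that trusts a length byte it has not bounds-checked is the classic way a malformed query turns into an out-of-bounds read.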
Re: Unable to Query DoH with `tls none` and Plain HTTP
On Tue, Jan 2, 2024 at 4:38 AM Jakob Bohm via bind-users wrote:
> Having the DoH server as a standalone process talking to DNS/TCP would
> be a solid implementation given the constant flow of changes made to
> HTTP(S) by the Big 5.

Perhaps, but for reference here is the relevant section of the DoH spec:

https://datatracker.ietf.org/doc/html/rfc8484#section-5.2

    HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH.

    The messages in classic UDP-based DNS [RFC1035] are inherently unordered and have low overhead. A competitive HTTP transport needs to support reordering, parallelism, priority, and header compression to achieve similar performance. Those features were introduced to HTTP in HTTP/2 [RFC7540]. Earlier versions of HTTP are capable of conveying the semantic requirements of DoH but may result in very poor performance.

That ISC has chosen to follow the minimum HTTP version as recommended by the RFC is solid ground on which to be standing.

-- 
tale
dnssec-key 'unknown algorithm RSASHA512'
Hello,

I'm using an Ubuntu 22.04 server on which the bind 9.18.8 service is running. I'm trying to generate a dnssec-key by using the command

    dnssec-keygen -a RSASHA512 -b 2048 -n zone example.com

After doing this, it is generating both a public key and a private key. When I generate a file with a private key in the /etc/bind directory, it is throwing the error 'unknown algorithm 'RSASHA512''. The same error is thrown when tried with other algorithms like ECDSAP256SHA256, RSASHA1, RSASHA256, etc.

Any help is greatly appreciated.

-- 
Regards,

पं. विष्णु शंकर P. Vishnu Sankar
टीम लीडर Team Leader-Network Operations
सी-डॉट C-DOT
इलैक्ट्रॉनिक्स सिटी फेज़ I Electronics City Phase I
होसूर रोड बेंगलूरु Hosur Road Bengaluru – 560100
फोन Ph 91 80 25119466

--
Disclaimer :
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. The sender does not accept liability for any errors or omissions in the contents of this message, which arise as a result.
Re: dnssec-key 'unknown algorithm RSASHA512'
Hello,

Bind version - 9.18.12

--> This is the command I used for generating dnssec-keygen keys -

    root@dhcpt:/etc/bind# dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
    Kexample.com.+013+43215.key
    Kexample.com.+013+43215.private
    root@dhcpt:/etc/bind# cat Kexample.com.+013+43215.private
    Private-key-format: v1.3
    Algorithm: 13 (ECDSAP256SHA256)
    PrivateKey: ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=
    Created: 20240111045202
    Publish: 20240111045202
    Activate: 20240111045202

--> With the help of the private key I generated one file with the name "named.conf.tsigkeys" at /etc/bind -

    root@dhcpt:/etc/bind# cat named.conf.tsigkeys
    key "my-tsig" {
        algorithm "ECDSAP256SHA256";
        secret "ESkrVALONh7Rj4UZVsOy54Y2SIJiY5HYhoQdxJLuWPk=";
    };

--> Below is the error received when I restart the named service

    root@dhcpt:/etc/bind# named-checkconf
    /etc/bind/named.conf.tsigkeys:2: unknown algorithm 'ECDSAP256SHA256'

Any help is greatly appreciated.

Regards,
Mounika

On Thu, 11 Jan 2024 15:49:18 +1100, Mark Andrews wrote
> Firstly show what you are actually doing. Is it too much for you to actually
> cut-and-paste what you are doing?
>
> Secondly BIND 9.18 is at 9.18.22. Version 9.18.8 is seriously out of date.
>
>> On 11 Jan 2024, at 15:21, pvs via bind-users wrote:
>>
>> Hello,
>>
>> I'm using an Ubuntu 22.04 server on which the bind 9.18.8 service is running.
>> I'm trying to generate a dnssec-key by using the command "dnssec-keygen -a
>> RSASHA512 -b 2048 -n zone example.com"
>>
>> [...]
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

### Please consider the environment and print this email only if necessary. Go Green ###

--
Open WebMail Project (http://openwebmail.org)
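The stanza Mounika posted puts a DNSSEC signing key (algorithm 13, what dnssec-keygen writes to a `.private` file) into a named.conf `key` statement, and that is exactly what named-checkconf's 'unknown algorithm' is complaining about: `key` statements hold TSIG secrets, which are HMAC keys, so the algorithm has to be one of the `hmac-*` names. The Python below is an added example, written for this page and not taken from the thread or from BIND: a small lint for `key` statements that reports the mismatch, plus a generator for a correct statement with a properly sized random secret. The stanza text and the secret in it are constructed here (the secret is base64 of 32 zero bytes, not the one from the post), and the key-length rule comes from RFC 2104 section 3.

```python
import base64
import binascii
import re
import secrets

# HMAC algorithms a named.conf ``key`` statement accepts, with the hash output length in bytes.
TSIG_HASH_LEN = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                 "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}

# DNSSEC signing algorithm mnemonics as dnssec-keygen prints them; none is valid for TSIG.
DNSSEC_ALGORITHMS = {"RSASHA1", "RSASHA256", "RSASHA512", "ECDSAP256SHA256",
                     "ECDSAP384SHA384", "ED25519", "ED448"}

# key "<name>" { algorithm <alg>; secret "<base64>"; };  (quotes around name/alg optional)
KEY_STATEMENT = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+"?(?P<alg>[^";\s]+)"?\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;')

# Constructed stand-in for the stanza in the post: same shape, same mistake, placeholder secret.
THREAD_STANZA = 'key "my-tsig" {\n    algorithm "ECDSAP256SHA256";\n    secret "%s";\n};' % (
    base64.b64encode(bytes(32)).decode())


def check_key_statement(text):
    """Return a list of problems with a ``key`` statement; an empty list means it looks sane."""
    m = KEY_STATEMENT.search(text)
    if not m:
        return ["could not parse a key statement"]
    problems = []
    alg_as_written = m.group("alg")
    alg = alg_as_written.lower()
    if alg not in TSIG_HASH_LEN:
        msg = f"unknown algorithm '{alg_as_written}'"
        if alg_as_written.upper() in DNSSEC_ALGORITHMS:
            msg += ": that is a DNSSEC signing algorithm, but key statements hold TSIG (HMAC) secrets"
        problems.append(msg)
    try:
        raw = base64.b64decode(m.group("secret"), validate=True)
    except binascii.Error:
        problems.append("secret is not valid base64")
        return problems
    if alg in TSIG_HASH_LEN and len(raw) < TSIG_HASH_LEN[alg]:
        problems.append(f"secret is {len(raw)} bytes; RFC 2104 discourages HMAC keys shorter "
                        f"than the {TSIG_HASH_LEN[alg]}-byte hash output")
    return problems


def new_key_statement(name, algorithm="hmac-sha256"):
    """Render a fresh ``key`` statement whose secret is random and as long as the hash output."""
    if algorithm not in TSIG_HASH_LEN:
        raise ValueError(f"unsupported TSIG algorithm {algorithm!r}")
    secret = base64.b64encode(secrets.token_bytes(TSIG_HASH_LEN[algorithm])).decode()
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


if __name__ == "__main__":
    for problem in check_key_statement(THREAD_STANZA):
        print("thread stanza:", problem)
    fresh = new_key_statement("ddns-key")
    print(fresh)
    print("fresh stanza problems:", check_key_statement(fresh))
```

The generator mirrors what `tsig-keygen` does for you on a BIND host; the lint is the part worth keeping around, since named-checkconf tells you the algorithm is unknown but not that a signing key was pasted in by mistake, and it says nothing at all about a secret that is too short.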
DiG DoH TLS Error
Hello,

I am trying to resolve a DNS record with DNS over HTTPS with DiG on our DNS server. However, DiG is returning a TLS error. See the following anonymized result:

    ➜ dig +trace +https @dns.example.com www.example.com
    ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error.
    ;; no servers could be reached
    ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error.
    ;; no servers could be reached
    ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error.
    ;; no servers could be reached

I can confirm that the server can be reached, and with openssl s_client -connect the certificate returned an OK result:

    Connecting to 192.168.132.5
    CONNECTED(0003)
    depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
    verify return:1
    depth=1 C=US, O=Let's Encrypt, CN=R3
    verify return:1
    depth=0 CN=*.example.com
    verify return:1
    ---
    Certificate chain
     0 s:CN=*.example.com
       i:C=US, O=Let's Encrypt, CN=R3
       a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
       v:NotBefore: Jan 2024 GMT; NotAfter: Apr 2024 GMT
     1 s:C=US, O=Let's Encrypt, CN=R3
       i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
       v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    subject=CN=*.example.com
    issuer=C=US, O=Let's Encrypt, CN=R3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA384
    Peer signature type: ECDSA
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2816 bytes and written 392 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    Server public key is 384 bit
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_128_GCM_SHA256
        Session-ID:
        Session-ID-ctx:
        Resumption PSK:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 604800 (seconds)
        TLS session ticket: .
        Start Time: 1705398062
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK

Any idea what is causing the TLS error?
How to use different views on DNS-over-HTTPS vs normal DNS on port 53
Hello,

How can I configure BIND9 to reply to requests from DNS-over-HTTPS with view A, and, if the request is from normal DNS on port 53, reply with view B?

Example:

    client 192.168.1.5 requests A record test.example.com with DNS over HTTPS, BIND should reply with view A
    client 192.168.1.5 requests A record test.example.com with DNS on port 53, BIND should reply with view B
error: 'allow-update' is not allowed in 'slave' zone
Hello,

I configured Bind 9.18.12 as a slave DDNS with dynamic updates from DHCP (ISC DHCP 4.4) running on the same server (Ubuntu 22.04 server).

When I run "named-checkconf named.conf", I get the following error:

    named.conf:2018: option 'allow-update' is not allowed in 'slave' zone 'zonename.com'

Following is the named.conf file (part):

    zone "zonename.com" {
        type slave;
        file "com/zonename/sec.zonename.com";
        masters { IP address; };
        allow-update { key rndc-key; };
        allow-transfer { IP address; };
    };

I am clueless about what is going wrong. Any help is greatly appreciated.

Thanks in advance,
Mounika
Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace
Hmm, I wonder if qname-minimisation is at issue here. My trace dies with:

    85.191.131.in-addr.arpa. 1800 IN NS fs838.click-network.com.
    85.191.131.in-addr.arpa. 1800 IN NS ns102.click-network.com.
    couldn't get address for 'fs838.click-network.com': not found
    couldn't get address for 'ns102.click-network.com': not found
[help]how to configure ecs subnet for bind-9.18-21
Dear admin:

Now I use bind-9.18-21, and I want to use the ECS (client subnet) function, but I don't know how to configure it, and I couldn't find a method on Google. Please give me some example, document, or Google links to learn about it; thanks!

Yang
395096...@qq.com
To the last windows Bind
Eagle-Eye Cherry - Save Tonight (youtube.com) <https://www.youtube.com/watch?v=Nntd2fgMUYw>
Re: qname minimization: me too :(
On Tue, Jun 25, 2024 at 10:42 AM Stephane Bortzmeyer wrote:
>> Jun 25 16:18:31 conr named[4725]: lame-servers:
>> info: success resolving 'bar.foo.isc.org/A' after disabling
>> qname minimization due to 'ncache nxdomain'
>
> I do not see how this is possible ("success resolving") since the name
> does not exist and all ISC name servers reply it does not exist.
>
> And all the resolvers I tried (through RIPE Atlas) say the same. No
> "success resolving".

Admittedly "success" can be ambiguous, and in this case it means successfully got an answer for the question that was originally being pursued. In this context, a negative answer is still a successful resolution, unlike timeout or servfail from auths or various other failures.

-- 
tale
Re: Advice on balancing web traffic using geoip ACls
On 23 Feb 2020, at 07:57, @lbutlr wrote:
> (9.11.6 should be coming really soon)

9.11.16, and I appear to be behind a touch, it is already released.
delv 9.16.0, failed to add trusted key '.': ran out of space
Hi,

The 9.16.0 version of delv seems to have trouble reading the root trust anchor from the bind.keys file. I'm seeing this in multiple environments, CentOS 6.10 and FreeBSD 11.3:

    [user@host ~]$ delv -v
    delv 9.16.0
    [user@host ~]$ delv isc.org
    ;; /etc/bind.keys:31: failed to add trusted key '.': ran out of space
    ;; setup_dnsseckeys: failure

Attempting to rule out a problem with my local bind.keys, I grabbed a fresh copy, but delv produces the same output:

    [user@host ~]$ wget -qO /tmp/bind.keys.916 https://gitlab.isc.org/isc-projects/bind9/raw/v9_16/bind.keys
    [user@host ~]$ delv -a /tmp/bind.keys.916 isc.org
    ;; /tmp/bind.keys.916:31: failed to add trusted key '.': ran out of space
    ;; setup_dnsseckeys: failure

The above output is from CentOS but the behavior is identical on FreeBSD. Has anyone observed delv 9.16.0 to work in these environments? Before opening a bug I want to make sure I didn't goof something on my end.

Thanks,
Shaun
Re: delv 9.16.0, failed to add trusted key '.': ran out of space
On Fri, 28 Feb 2020 20:07:47 + Tony Finch wrote:
> Shaun via bind-users wrote:
>>
>> The 9.16.0 version of delv seems to have trouble reading the root trust
>> anchor from the bind.keys file.
>
> I see this too. The bug is that dns_client_addtrustedkey() has a buffer
> for parsing DNSKEY or DS records, but it's only big enough for DS.

Thanks for tracking this down! I've opened an issue in GitLab and included your patch there.

Shaun
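Tony Finch's diagnosis is a size mismatch: a DS record's RDATA is a key tag, two one-byte fields and a digest, while a DNSKEY's RDATA carries the whole public key, so a buffer that comfortably holds any DS cannot hold an RSA DNSKEY. The Python below is an added illustration, written for this page and not BIND's code: it parses both anchor forms of the `trust-anchors` syntax used in bind.keys (`initial-key` for DNSKEY, `initial-ds` for DS), builds the RFC 4034 RDATA for each, and shows what a bounded copy does when the buffer was sized for DS only. `DS_ONLY_CAPACITY` is an assumed value chosen for the illustration, the DNSKEY's 2048-bit modulus is random bytes, and the DS digest is a made-up hex string, so neither entry is a real anchor.

```python
import base64
import re
import secrets

# Capacity a parser might choose if it only expected DS anchors: the four fixed bytes plus a
# 48-byte SHA-384 digest.  Assumed here for illustration; not BIND's actual constant.
DS_ONLY_CAPACITY = 4 + 48

# One trust-anchors entry in bind.keys syntax:  <name> <kind> <n> <n> <n> "<data>";
ENTRY = re.compile(
    r'(?P<name>\S+)\s+(?P<kind>initial-key|static-key|initial-ds|static-ds)\s+'
    r'(?P<f1>\d+)\s+(?P<f2>\d+)\s+(?P<f3>\d+)\s+"(?P<data>[^"]*)"\s*;')


def rsa_public_key_field(modulus, exponent=65537):
    """RFC 3110 section 2: exponent length (one byte when < 256), exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(e) > 255:
        raise ValueError("exponent too long for the one-byte length form")
    return bytes([len(e)]) + e + modulus


def anchor_rdata(entry):
    """Return (rrtype, rdata) for one trust-anchors entry."""
    m = ENTRY.search(entry)
    if not m:
        raise ValueError("not a trust-anchors entry")
    f1, f2, f3 = (int(m.group(g)) for g in ("f1", "f2", "f3"))
    data = re.sub(r"\s+", "", m.group("data"))
    if m.group("kind").endswith("-key"):
        # DNSKEY RDATA, RFC 4034 section 2.1: flags(2) protocol(1) algorithm(1) public key
        return "DNSKEY", f1.to_bytes(2, "big") + bytes([f2, f3]) + base64.b64decode(data, validate=True)
    # DS RDATA, RFC 4034 section 5.1: key tag(2) algorithm(1) digest type(1) digest
    return "DS", f1.to_bytes(2, "big") + bytes([f2, f3]) + bytes.fromhex(data)


def load_anchor(entry, capacity=DS_ONLY_CAPACITY):
    """Copy an anchor's RDATA into a fixed-size buffer, refusing (rather than overflowing)
    when it does not fit.  Returns (rrtype, copied bytes or None, status)."""
    rrtype, rdata = anchor_rdata(entry)
    if len(rdata) > capacity:
        return rrtype, None, f"failed to add trusted key: ran out of space ({len(rdata)} > {capacity} bytes)"
    buf = bytearray(capacity)
    buf[:len(rdata)] = rdata
    return rrtype, bytes(buf[:len(rdata)]), "ok"


# Constructed samples: a random 2048-bit modulus (not a real key) and a made-up digest.
CONSTRUCTED_DNSKEY_ENTRY = '. initial-key 257 3 8 "%s";' % base64.b64encode(
    rsa_public_key_field(secrets.token_bytes(256))).decode()
CONSTRUCTED_DS_ENTRY = '. initial-ds 20326 8 2 "%s";' % ("0123456789abcdef" * 4)


if __name__ == "__main__":
    for entry in (CONSTRUCTED_DS_ENTRY, CONSTRUCTED_DNSKEY_ENTRY):
        rrtype, _, status = load_anchor(entry)
        print(f"{rrtype}: {len(anchor_rdata(entry)[1])}-byte RDATA -> {status}")
```

The DS anchor comes out at 36 bytes and fits; the DNSKEY anchor is 264 bytes (4 fixed bytes, a 1-byte exponent length, the 3-byte exponent 65537 and a 256-byte modulus) and is refused with the same "ran out of space" wording delv printed. The defensive point is the explicit length check before the copy: the failure mode Shaun hit is annoying, but a buffer that silently accepted the oversized record would be far worse.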
Re: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X
Hi Sandeep,

I encountered this on RHEL 6 and got past it by tweaking an environment variable:

    export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib/pkgconfig

libuv places a meta file into that directory, and the configure script needed a little hint to find it.

Shaun

On Tue, 24 Mar 2020 19:44:20 + "Bhangui, Sandeep - BLS CTR via bind-users" wrote:
> Hello
>
> Trying to compile Bind 9.16.1 on RHEL 7.X and RHEL 6.X and getting compile
> errors; hopefully someone can point me in the right direction.
>
> The download for the source code from the ISC site was done sometime late
> last week.
>
> Configuration.
>
> RHEL 7.X and RHEL 6.X running on HP-BLADE physical server.
>
> RHEL 7.X Kernel
>
> Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Thu Dec 12 06:44:49 EST 2019 x86_64
> x86_64 x86_64 GNU/Linux
>
> As far as I can tell the libuv library package is installed on this
> RHEL 7.X machine.
>
> sh-4.2# rpm -qa | grep -i libuv
> libuv-1.34.0-1.el7.x86_64
>
> This is the configure error I get when I try to compile on the RHEL 7.X
> machine.
>
> checking for sched_setaffinity... yes
> checking for pthread_setname_np... yes
> checking for pthread_set_name_np... no
> checking for pthread_np.h... no
> checking for libuv... checking for libuv >= 1.0.0... no
> configure: error: libuv not found
> + exit 0
>
> I am getting a similar error on the RHEL 6.X machine, but on that machine I do not
> have the libuv package, so that could explain that.
>
> Please advise.
>
> Thanks in advance.
>
> Sandeep
"lame-servers: info: no valid RRSIG resolving ..."
hi-

i'm seeing what i'm wondering if is a lot of "lame-servers: info: no valid RRSIG resolving ..." messages in the logs [on average ~500 messages per day]. a small snippet:

    15-Apr-2020 18:11:46.057 lame-servers: info: no valid RRSIG resolving 'jwplayer.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:11:46.150 lame-servers: info: no valid RRSIG resolving 'tranet.net/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:11:47.559 lame-servers: info: no valid RRSIG resolving 'inboxsdk.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:11:49.146 lame-servers: info: no valid RRSIG resolving 'basis.net/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:11:58.474 lame-servers: info: no valid RRSIG resolving 'starfinancial.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:11:59.665 lame-servers: info: no valid RRSIG resolving 'vice.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:09.501 lame-servers: info: no valid RRSIG resolving 'lithium.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:09.756 lame-servers: info: no valid RRSIG resolving 'sc-static.net/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:10.004 lame-servers: info: no valid RRSIG resolving 'snapchat.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:12.638 lame-servers: info: no valid RRSIG resolving 'yimg.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:16.823 lame-servers: info: no valid RRSIG resolving 'transamerica.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:16.932 lame-servers: info: no valid RRSIG resolving 'quantummetric.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:17.129 lame-servers: info: no valid RRSIG resolving 'tealiumiq.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:17.171 lame-servers: info: no valid RRSIG resolving 'bounceexchange.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:22.971 lame-servers: info: no valid RRSIG resolving 'mwefinancial.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:23.248 lame-servers: info: no valid RRSIG resolving 'redditmedia.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:23.869 lame-servers: info: no valid RRSIG resolving 'imtwjwoasak.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:25.189 lame-servers: info: no valid RRSIG resolving 'b.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:25.313 lame-servers: info: no valid RRSIG resolving 'jquery.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:26.555 lame-servers: info: no valid RRSIG resolving 'forter.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:29.008 lame-servers: info: no valid RRSIG resolving 'quovadisoffshore.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:29.029 lame-servers: info: no valid RRSIG resolving 'quovadisglobal.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:29.974 lame-servers: info: no valid RRSIG resolving 'mixpanel.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:35.786 lame-servers: info: no valid RRSIG resolving 'spotify.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:36.982 lame-servers: info: no valid RRSIG resolving 'freeform.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:38.295 lame-servers: info: no valid RRSIG resolving 'edgedatg.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:12:58.190 lame-servers: info: no valid RRSIG resolving 'footprintdns.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:13:01.282 lame-servers: info: no valid RRSIG resolving 'qualifiedaddress.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:13:01.744 lame-servers: info: no valid RRSIG resolving 'dc-msedge.net/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:14:54.009 lame-servers: info: no valid RRSIG resolving 'facebook.com/DS/IN': 192.5.6.30#53
    15-Apr-2020 18:16:20.039 lame-servers: info: no valid RRSIG resolving 'pphosted.com/DS/IN': 192.5.6.30#53

a number of these [most?] are zones that are signed, and some don't even exist, so i'm curious about seeing these messages. what am i not understanding, and/or what can i do to troubleshoot further?

thanks!
Re: "lame-servers: info: no valid RRSIG resolving ..."
thanks- we're running 9.14.8, courtesy of the isc ubuntu ppa [https://launchpad.net/~isc]:

    >named -v
    BIND 9.14.8-Ubuntu (Stable Release)

    >dpkg -s bind9
    Package: bind9
    Status: install ok installed
    Priority: optional
    Section: net
    Installed-Size: 872
    Maintainer: Debian DNS Team
    Architecture: amd64
    Version: 1:9.14.8-1+ubuntu19.10.1+isc+1
    Replaces: bind (<< 1:9.13.6~)
    [...]
    Homepage: https://www.isc.org/downloads/bind/

does that mean in theory the version we're running would be new enough we shouldn't be seeing that particular symptom?

thanks

> On Apr 17, 2020, at 19.01, Mark Andrews wrote:
>
> They are almost certainly the result of running an older version of named and packet loss
> causing named to fallback to plain DNS which doesn’t return DNSSEC records. Newer versions
> of named don’t fallback to plain DNS on packet loss.
>
> 5029.   [func]          Workarounds for servers that misbehave when queried
>                         with EDNS have been removed, because these broken
>                         servers and the workarounds for their noncompliance
>                         cause unnecessary delays, increase code complexity,
>                         and prevent deployment of new DNS features. See
>                         https://dnsflagday.net for further details. [GL #150]
>
> BIND 9.14.0 is the first non development version with this behaviour.
>
> Mark
>
>> On 18 Apr 2020, at 01:24, btb via bind-users wrote:
>>
>> hi-
>>
>> i'm seeing what i'm wondering if is a lot of "lame-servers: info: no valid
>> RRSIG resolving ..." messages in the logs [on average ~500 messages per
>> day]. a small snippet:
>>
>> [...]
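Mark's explanation gives these messages a shape worth watching for: a burst of DS lookups that all fail against the same upstream server, which is what a resolver retrying without EDNS looks like in the log. The Python below is an added example, written for this page and not taken from the thread or from BIND: a parser for the `no valid RRSIG resolving` line format, an aggregation by upstream server, record type and minute, and a helper that names the servers accounting for most of the failures so they can be checked by hand. `SAMPLE_LOG` is constructed from six lines of the snippet above plus one unrelated `general` line made up here to show that non-matching lines are skipped; the `min_events` threshold is an arbitrary starting point.

```python
import re
from collections import Counter

# One 'lame-servers' line of the form shown in the post above.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"(?P<category>[\w-]+): (?P<level>\w+): no valid RRSIG resolving "
    r"'(?P<name>[^/']+)/(?P<rrtype>[A-Z0-9]+)/(?P<rrclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$")

# Constructed sample: six lines from the post plus one unrelated line (made up here).
SAMPLE_LOG = """\
15-Apr-2020 18:11:46.057 lame-servers: info: no valid RRSIG resolving 'jwplayer.com/DS/IN': 192.5.6.30#53
15-Apr-2020 18:11:46.150 lame-servers: info: no valid RRSIG resolving 'tranet.net/DS/IN': 192.5.6.30#53
15-Apr-2020 18:11:47.559 lame-servers: info: no valid RRSIG resolving 'inboxsdk.com/DS/IN': 192.5.6.30#53
15-Apr-2020 18:12:09.501 lame-servers: info: no valid RRSIG resolving 'lithium.com/DS/IN': 192.5.6.30#53
15-Apr-2020 18:12:10.004 lame-servers: info: no valid RRSIG resolving 'snapchat.com/DS/IN': 192.5.6.30#53
15-Apr-2020 18:12:12.638 general: info: zone example.com/IN: loaded serial 2020041501
15-Apr-2020 18:14:54.009 lame-servers: info: no valid RRSIG resolving 'facebook.com/DS/IN': 192.5.6.30#53
"""


def parse_rrsig_failures(text):
    """Return one dict per 'no valid RRSIG' line; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            e["minute"] = e["ts"][:-3]  # "15-Apr-2020 18:11": drop the seconds
            events.append(e)
    return events


def summarize(events):
    """Aggregate failures by upstream server, by record type and by minute."""
    by_server = Counter(f"{e['server']}#{e['port']}" for e in events)
    by_type = Counter(e["rrtype"] for e in events)
    per_minute = Counter(e["minute"] for e in events)
    top_server, top_count = by_server.most_common(1)[0] if by_server else (None, 0)
    return {
        "total": len(events),
        "distinct_names": len({e["name"] for e in events}),
        "by_server": dict(by_server),
        "by_type": dict(by_type),
        "peak_per_minute": max(per_minute.values(), default=0),
        "top_server": top_server,
        "top_server_share": top_count / len(events) if events else 0.0,
    }


def suspect_servers(events, min_events=5):
    """Servers with at least min_events failures, busiest first.  Many DS failures
    concentrated on a few servers is the pattern Mark Andrews describes, so these
    are the addresses to query by hand with dig +dnssec and to compare against the
    resolver's version (9.14.0 and later no longer fall back to plain DNS)."""
    counts = Counter(f"{e['server']}#{e['port']}" for e in events)
    return [server for server, n in counts.most_common() if n >= min_events]


if __name__ == "__main__":
    events = parse_rrsig_failures(SAMPLE_LOG)
    for key, value in summarize(events).items():
        print(f"{key}: {value}")
    print("suspect servers:", suspect_servers(events))
```

On a real log, feed the file contents to `parse_rrsig_failures` and look at `by_type` first: if nearly everything is DS and one or two servers dominate, the log is telling you about the resolver's own retry behaviour (and its version), not about the zones named in the messages.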
Nsupdate and TTL
What is the proper syntax for changing the TTL on a zone with nsupdate? Does the existence of $TTL 86400 in the domain.conf file override nsupdate's attempts to change the TTL?

    # nsupdate -k /path/to/key
    > zone example.com
    > ttl 3600
    > send
    > ^d

No errors, but no change in the TTL.

-- 
"I know she's in there," said Verence, holding his crown in his hands in the famous Ai-Se-or-Mexican-Bandits-Have-Raided-Our-Village position
unknown option 'trust-anchors'
In named.conf I have

    dnssec-enable yes;
    dnssec-validation auto;

    # rndc managed-keys status
    view: _default
    next scheduled event: Sun, 05 Jul 2020 20:43:00 GMT

     name: .
     keyid: 20326
        algorithm: RSASHA256
        flags: SEP
        next refresh: Sun, 05 Jul 2020 20:43:00 GMT
        trusted since: Mon, 21 Jan 2019 14:53:55 GMT

    mail # rndc reload
    rndc: 'reload' failed: failure
    mail # tail /var/log/messages
    Jul  5 07:41:24 mail.covisp.net named[53940] /usr/local/etc/namedb/bind.keys:29: unknown option 'trust-anchors'
    Jul  5 07:41:24 mail.covisp.net named[53940] reloading configuration failed: failure

Bind is currently running just fine and has been since 8 June.

The bind.keys file has:

    # See https://data.iana.org/root-anchors/root-anchors.xml for current trust
    # anchor information for the root zone.

But that URL does not load and gives an XML error.

-- 
-=> <http://xkcd.com/241/> <http://xkcd.com/304/> <http://xkcd.com/635/> <=-
Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?
On Sun, Jul 19, 2020 at 7:06 AM @lbutlr wrote:
> On 17 Jul 2020, at 11:56, Ted Mittelstaedt wrote:
>> In fact, the ONLY reason that the name "bind9" was ever even coined
>> at all was because the changes from bind8 both in the syntax of the
>> config file and how the program operated they wanted to boot admins
>> in the behind to get them to change their config files.
>
> This. Exactly this.

Well, one minor bit of clarification is important. While highlighting the significant change in software might have been the motivation for why some installers chose to go with the name bind9 in place of named in some contexts, it was also a major design goal of BIND9 that it could run as a drop-in replacement for BIND8 on most configurations. It achieved this goal. The basic syntax was unchanged and configuration behavior was largely the same but for a little bit around the edges.

And for what it's worth, not all systems moved away from "named" to "bind9". I've been running FreeBSD for decades, and I can't remember ever calling the service "bind9".