about the file command
Hi list,

Can BIND's "file" command refer to more than one zone file? For example,

    zone "test.nsbeta.info" {
        type master;
        file "a.db";
        file "b.db";
    };

When a record doesn't exist in a.db, BIND will continue to look for it in b.db.

Thanks.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: multi-master with mysql backend
2011/2/8 fddi :
> I have considered dlz, but it does much more than simply a mysql backend and
> seems way too complicated for my purpose.
> At the end I am considering using this mysql-bind:
>
> http://mysql-bind.sourceforge.net/
>

You may read this one from the mailing list archive:

https://lists.isc.org/pipermail/bind-users/2008-April/069884.html

Terry.
Re: about the file command
2011/2/8 Matus UHLAR - fantomas :
> On 08.02.11 17:40, Terry. wrote:
>> Can BIND's "file" command refer to more than one zone file?
>> For example,
>>
>> zone "test.nsbeta.info" {
>>     type master;
>>     file "a.db";
>>     file "b.db";
>> };
>>
>> When a record doesn't exist in a.db, BIND will continue to look for it in
>> b.db.
>
> Afaik, no. Why would you want that?

For a views catch-all. For example, named.conf has three views enabled by default; some users have three views set up, but some have only two views set up, so I want a catch-all solution for the lack of a view.

Any suggestion?

Regards,
Terry.
Re: multi-master with mysql backend
2011/2/9 Torinthiel :
> Or, if you need to be able to modify records from both servers then maybe
> multi-master with rsync'ing to the other server will work?

MySQL active-active replication could do that easily. AFAIK, the MySQL-backend BIND doesn't have the "notify" feature, so database replication is the primary way of syncing zones.

Regards.
Re: bind 9.6.3 crashing on Freebsd 7.3
2011/2/11 Joshua Frugé :
> running bind 9.6.3 installed from ports on Freebsd 7.3 (amd64)
>
> Getting this error in my local log
>
> 10-Feb-2011 21:12:13.711 general: rbtdb.c:1506: INSIST(((unsigned
> int)((&(node)->references)->refs)) == 0 && node->data == ((void *)0)) failed
>

Could you try to compile BIND from source rather than the ports installation?

Regards.
Re: additional empty zones
2011/2/12 Matus UHLAR - fantomas :
> Hello,
>
> Is it possible to add additional zones as empty?

Depends on what "empty" is.
Re: bind on vps
2011/2/13 Walter Alejandro Iglesias :
> Hello,
>
> I read the bind howto, several tutorials, mailing lists. After
> two months trying to get this working without success I must
> bother you.
>
> I am running Slackware in a vps server; it provides me two
> IPs (I can ask for more if needed).
>
> I have the domains registered at go daddy.
>
> It will be a web hosting server. I wrote my own web client
> panel and my own bash scripts to automate the upload of new
> clients' virtual domains. That's why I want to run my own dns
> server; I want to be able to update the registers in my own
> machine.
>
> I am running my name server in the same machine I run my
> domains. I've read a post in this mailing list where a newbie
> like me explains the same problem. But the last answer
> only mentions "glue" records and I think I've included
> them correctly(?). nslookup returns me the expected when I
> run from inside the vps but not when I run it from the
> outside.
>

I have also been running named on my VPS, with two IPs too. The site is under development; after it is done it will also provide SmartDNS hosting to my customers. :)

--
Free SmartDNS Hosting:
http://DNSbed.com/
help with views design
Hello gurus,

Thanks firstly, since I have got much help from the list before.

Now I'm designing an open DNS service. Say I have three views as below:

    view "uni" {
        match-clients { key "unikey"; UNI; };
        allow-update { key "unikey"; };
        zone "test.nsbeta.info" {
            type master;
            file "test.nsbeta.info.uni.db";
        };
    };

    view "edu" {
        match-clients { key "edukey"; EDU; };
        allow-update { key "edukey"; };
        zone "test.nsbeta.info" {
            type master;
            file "test.nsbeta.info.edu.db";
        };
    };

    view "any" {
        match-clients { key "defaultkey"; any; };
        allow-update { key "defaultkey"; };
        zone "test.nsbeta.info" {
            type master;
            file "test.nsbeta.info.any.db";
        };
    };

Some customers' domain names have all three views, so I define the zones in each view, and they work fine. But some customers have only two views, say view uni and view any. Thus I set up zones in view uni and view any, but view edu will be lost: if clients from the edu network query for the zones, they will get an NXDOMAIN result.

For my DNS service, the customers submit their records from a web interface, and the records are inserted into a database. Then a daemon loads the newly updated records from the database and calls nsupdate to update them in BIND.

I know I can use complicated SQL to resolve it. For example, if the customer doesn't have the edu view, I could copy all the records from the any view to the edu view in the database with an SQL statement. If the customer later adds a record to the edu view, before inserting it into the database I have to drop all the records copied earlier from the any view, etc.

But rather than doing it with SQL, is there a good BIND way of handling this case?

Thanks in advance.

Regards.

--
Free SmartDNS Hosting:
http://DNSbed.com/
Re: process of updating slave servers
Check your configuration, especially for:

* notify / also-notify / allow-notify
* allow-transfer
* does the slave named have permission to write to the data dir?

Regards.

2011/2/15 donovan jeffrey j :
> Greetings
>
> I have a new slave server. I edited my master, incremented the serial number
> and reloaded named. The master is fine, and contains the new entry but the
> slaves are still running the previous entries.
>
> what is the basic operation of updating a slave ?
>
> I reloaded the zone with rndc and the slave pulled the zone. The serial
> number was incremented on the slave, but the old entries were still there.
> I checked the forward and reverse records, and nothing had changed except the
> serial number. So I deleted the slave files, and pulled the zone again, and
> kick started named, everything works fine.
> I highly doubt my procedure was the correct way to do it.
>
> can someone explain to me the proper work flow for updating records on slaves
> ?
>
> TIA
>
> -j

--
Free SmartDNS Hosting:
http://DNSbed.com/
Re: BIND 9.7.3 is now available.
2011/2/15 Mark Andrews :
>
> 9.7.3
>
> * BIND now builds with threads disabled in versions of NetBSD earlier
> than 5.0 and with pthreads enabled by default in NetBSD versions
> 5.0 and higher. Also removes support for unproven-pthreads,
> mit-pthreads and ptl2. [RT #19203]

Looks like a great release. BTW, do bind-9.7's threads work well on the Linux x86 platform?

Regards.
Re: process of updating slave servers
2011/2/15 donovan jeffrey j :
>
> On Feb 14, 2011, at 8:31 PM, Terry. wrote:
>
>> check your configuration, especially for:
>>
>> * notify / also-notify / allow-notify
>> * allow-transfer
>> * does the slave named have permission to write to the data dir?
>
> yes , slave can write.
>
> slave options;
> allow-transfer { 10.1.1.2; };

In practice, the slave doesn't have the allow-transfer option.

> allow-notify {10.1.1.2};

If the slave is listed distinctly in the NS records of the zone (i.e., it's not a hidden slave) then this allow-notify is also not needed.

> transfer-format many-answers;
>
> master options;
> allow-transfer { 10.135.1.3; };
>

If the slave is a hidden name server, then on the master both allow-transfer and also-notify are needed; otherwise neither of them is needed.

Regards.
about a query
Hello,

Please see the dig info below. ns1.dns-diy.com is the auth-server of the duowan.com domain.

My question is, when ns1.dns-diy.com answers with a CNAME for "udb.duowan.com", and the answer also includes an A RR for that alias, how will the public DNS cache servers handle this answer? Will the DNS caches use this A RR as the result directly, or will they make a new request for the alias domain name udb.duowan.blogchina.org and find the result?

Thanks!

$ dig udb.duowan.com +trace

; <<>> DiG 9.4.2-P2 <<>> udb.duowan.com +trace
;; global options: printcmd
. 108212 IN NS d.root-servers.net.
. 108212 IN NS e.root-servers.net.
. 108212 IN NS m.root-servers.net.
. 108212 IN NS b.root-servers.net.
. 108212 IN NS g.root-servers.net.
. 108212 IN NS l.root-servers.net.
. 108212 IN NS c.root-servers.net.
. 108212 IN NS i.root-servers.net.
. 108212 IN NS k.root-servers.net.
. 108212 IN NS a.root-servers.net.
. 108212 IN NS j.root-servers.net.
. 108212 IN NS h.root-servers.net.
. 108212 IN NS f.root-servers.net.
;; Received 512 bytes from 202.96.128.86#53(202.96.128.86) in 4 ms

com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
;; Received 492 bytes from 128.8.10.90#53(d.root-servers.net) in 340 ms

duowan.com. 172800 IN NS ns1.dns-diy.com.
duowan.com. 172800 IN NS ns2.dns-diy.com.
;; Received 204 bytes from 192.35.51.30#53(f.gtld-servers.net) in 300 ms

udb.duowan.com. 9 IN CNAME udb.duowan.blogchina.org.
udb.duowan.blogchina.org. 5 IN A 64.38.63.4
;; Received 86 bytes from 218.85.139.33#53(ns1.dns-diy.com) in 19 ms

--
Free SmartDNS Hosting:
http://DNSbed.com/
Re: about a query
Thanks a lot Chris.

2011/2/21 Chris Buxton :
> That depends on the implementation. Really old versions of BIND would
> have accepted the A record. However, it's not in-bailiwick, so any
> name server that would accept it is very likely vulnerable to cache
> poisoning.
>
> Current versions of BIND (probably stretching back to somewhere in the
> 8.2 series) will disregard it and resolve it separately.
>
> Chris Buxton
> BlueCat Networks
>
>
> On 2/21/11, Terry. wrote:
>> Hello,
>>
>> Please see the dig info below. ns1.dns-diy.com is the auth-server of
>> duowan.com domain.
>> My question is, when ns1.dns-diy.com answer with a CNAME for
>> "udb.duowan.com", and the answer also include an A RR for that alias,
>> how will the public DNS cache servers handle this answer?
>> Will the DNS cache use this A RR as result directly, or they make a
>> new request for the alias domain name udb.duowan.blogchina.org and
>> find the result?
>>
>> Thanks!
>>
>> $ dig udb.duowan.com +trace
>>
>> ; <<>> DiG 9.4.2-P2 <<>> udb.duowan.com +trace
>> ;; global options: printcmd
>> . 108212 IN NS d.root-servers.net.
>> . 108212 IN NS e.root-servers.net.
>> . 108212 IN NS m.root-servers.net.
>> . 108212 IN NS b.root-servers.net.
>> . 108212 IN NS g.root-servers.net.
>> . 108212 IN NS l.root-servers.net.
>> . 108212 IN NS c.root-servers.net.
>> . 108212 IN NS i.root-servers.net.
>> . 108212 IN NS k.root-servers.net.
>> . 108212 IN NS a.root-servers.net.
>> . 108212 IN NS j.root-servers.net.
>> . 108212 IN NS h.root-servers.net.
>> . 108212 IN NS f.root-servers.net.
>> ;; Received 512 bytes from 202.96.128.86#53(202.96.128.86) in 4 ms
>>
>> com. 172800 IN NS h.gtld-servers.net.
>> com. 172800 IN NS g.gtld-servers.net.
>> com. 172800 IN NS e.gtld-servers.net.
>> com. 172800 IN NS c.gtld-servers.net.
>> com. 172800 IN NS d.gtld-servers.net.
>> com. 172800 IN NS a.gtld-servers.net.
>> com. 172800 IN NS l.gtld-servers.net.
>> com. 172800 IN NS f.gtld-servers.net.
>> com. 172800 IN NS k.gtld-servers.net.
>> com. 172800 IN NS b.gtld-servers.net.
>> com. 172800 IN NS i.gtld-servers.net.
>> com. 172800 IN NS m.gtld-servers.net.
>> com. 172800 IN NS j.gtld-servers.net.
>> ;; Received 492 bytes from 128.8.10.90#53(d.root-servers.net) in 340 ms
>>
>> duowan.com. 172800 IN NS ns1.dns-diy.com.
>> duowan.com. 172800 IN NS ns2.dns-diy.com.
>> ;; Received 204 bytes from 192.35.51.30#53(f.gtld-servers.net) in 300 ms
>>
>> udb.duowan.com. 9 IN CNAME udb.duowan.blogchina.org.
>> udb.duowan.blogchina.org. 5 IN A 64.38.63.4
>> ;; Received 86 bytes from 218.85.139.33#53(ns1.dns-diy.com) in 19 ms
>>
>> --
>> Free SmartDNS Hosting:
>> http://DNSbed.com/
>
> --
> Sent from my mobile device

--
Free SmartDNS Hosting:
http://DNSbed.com/
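The rule Chris Buxton describes, a resolver refusing to cache data the answering server is not authoritative for, is easy to express as a bailiwick check. The block below is an added example for this thread, not code from BIND or from either poster: it takes the records ns1.dns-diy.com returned in the trace above (reconstructed here as tuples), keeps only those under the zone that server is authoritative for, and reports which CNAME targets a resolver must then look up on its own. The zone name passed in ("duowan.com") is taken from the delegation shown in the trace.

```python
"""Bailiwick filter for records in an authoritative response.

Added example (not code from the bind-users thread): a minimal
resolver-side sanity check in the spirit of the rule Chris Buxton
describes, where a CNAME target's A record that lies outside the
answering server's zone is not cached but resolved separately.
The response below is constructed from the dig trace in the thread.
"""


def canonical(name: str) -> str:
    """Lower-case, fully qualified form used for all comparisons."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a descendant of it."""
    owner, zone = canonical(owner), canonical(zone)
    return owner == zone or owner.endswith("." + zone)


def filter_response(records, authoritative_zone):
    """Split a response into cacheable records and names needing their own lookup.

    records: list of (owner, ttl, rtype, rdata) tuples.
    Returns (accepted, rejected, follow_up); follow_up lists the CNAME
    targets the resolver has to query separately because the data for
    them cannot be trusted from this server.
    """
    accepted, rejected, follow_up = [], [], []
    for rr in records:
        owner, _ttl, rtype, rdata = rr
        if in_bailiwick(owner, authoritative_zone):
            accepted.append(rr)
            if rtype == "CNAME" and not in_bailiwick(rdata, authoritative_zone):
                follow_up.append(canonical(rdata))
        else:
            # Out-of-bailiwick data from this server is unverifiable: drop it
            # rather than let it into the cache.
            rejected.append(rr)
    return accepted, rejected, follow_up


# Constructed from the trace in the thread: ns1.dns-diy.com is
# authoritative for duowan.com and returns both the CNAME and the
# target's A record in the same response.
RESPONSE_FROM_NS1 = [
    ("udb.duowan.com.", 9, "CNAME", "udb.duowan.blogchina.org."),
    ("udb.duowan.blogchina.org.", 5, "A", "64.38.63.4"),
]

if __name__ == "__main__":
    acc, rej, follow = filter_response(RESPONSE_FROM_NS1, "duowan.com")
    print("cached:", acc)
    print("discarded:", rej)
    print("resolve separately:", follow)
```

Running it keeps the CNAME, drops the A record for udb.duowan.blogchina.org, and leaves that name on the follow-up list, which is the behaviour Chris attributes to current BIND.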
mx selection order
Hello,

Given I have these MX records:

    example.com. 3600 IN MX 10 m1.example.com.
    example.com. 3600 IN MX 10 m2.example.com.
    example.com. 3600 IN MX 20 m3.example.com.

My question is, when m1.example.com fails to communicate, will the remote MTA continue to talk to m2 or m3?

Thanks.

--
Free SmartDNS Hosting:
http://DNSbed.com/
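As an added illustration of the question above (not part of the original post), the block below models what RFC 5321 section 5.1 tells a sending MTA to do with those three records: sort by preference, randomise among equal preferences, and move on to the next host when a connection fails. The MX records are the ones from the question; which hosts are reachable is a constructed assumption.

```python
"""MX selection order (RFC 5321 section 5.1).

Added example, not part of the original post: the sending MTA sorts MX
records by preference (lowest first), randomises the order among equal
preferences, and moves on to the next host when a connection attempt
fails. The records are the ones from the question; which hosts are
reachable is a constructed assumption.
"""
import random


def mx_delivery_order(mx_records, rng=None):
    """Return hosts in the order an MTA should try them.

    mx_records: iterable of (preference, host). Equal preferences are
    shuffled so load spreads across the m1/m2 pair, then the groups are
    concatenated in ascending preference.
    """
    rng = rng or random.Random()
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        order.extend(group)
    return order


def deliver(mx_records, connect, rng=None):
    """Try each MX in order; return (host, attempts) for the first that accepts.

    connect(host) -> bool models an SMTP connection attempt. Returns
    (None, attempts) when every MX fails, i.e. the message stays queued
    for a later retry.
    """
    attempts = []
    for host in mx_delivery_order(mx_records, rng):
        attempts.append(host)
        if connect(host):
            return host, attempts
    return None, attempts


# Records from the question.
EXAMPLE_MX = [
    (10, "m1.example.com."),
    (10, "m2.example.com."),
    (20, "m3.example.com."),
]


def reachable(host):
    """Constructed assumption: m1 is down, the other hosts answer."""
    return host != "m1.example.com."


if __name__ == "__main__":
    host, tried = deliver(EXAMPLE_MX, reachable, random.Random(1))
    print("delivered to", host, "after trying", tried)
```

With m1 down the message lands on m2 whichever of the two preference-10 hosts is tried first; m3 is only reached when both of them fail.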
Re: How to allow set Host file dns query priorities in BIND
I was thinking this is most likely a network problem, so you'd better set up a good network with redundancy and high availability.

2011/2/23 babu dheen
>
> is there any option in BIND to give priority to HOST file before connecting
> it to internet ISP or local zone?
>

--
Free SmartDNS Hosting:
http://DNSbed.com/
why dig +short for NS doesn't get the result
server1:/var/cache/bind# dig ox.test.nsbeta.info ns @localhost +short
# got nothing here

server1:/var/cache/bind# dig ox.test.nsbeta.info ns @localhost

; <<>> DiG 9.6-ESV-R3 <<>> ox.test.nsbeta.info ns @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53460
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ox.test.nsbeta.info. IN NS

;; AUTHORITY SECTION:
ox.test.nsbeta.info. 20222 IN NS dwdns1.nsbeta.info.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 1 11:51:21 2011
;; MSG SIZE rcvd: 58

I have set up the NS for the ox.test.nsbeta.info zone. Why does dig +short get nothing, but dig does get the result?

Thanks.
Re: why dig +short for NS doesn't get the result
>
> +short instructs dig to only write an extract of the ANSWER section. Your reply
> is in the authority section.
> Torinthiel
>

Thanks. That's right.
about AUTHORITY SECTION
Hello,

When I delegate a subdomain in a zone example.com, the config in named.conf is like:

    test.example.com. 3600 IN NS ns1.another.com.
    test.example.com. 3600 IN NS ns2.another.com.

Then I dig to the auth-server of the example zone:

    dig test.example.com ns @ns1.example.com

I found some servers return the ANSWER SECTION, but some servers return the AUTHORITY SECTION. For example:

    ;; ANSWER SECTION:
    test.example.com. 3600 IN NS ns2.another.com.
    test.example.com. 3600 IN NS ns1.another.com.

And:

    ;; AUTHORITY SECTION:
    test.example.com. 3600 IN NS ns2.another.com.
    test.example.com. 3600 IN NS ns1.another.com.

I'm confused: shall the name server answer with ANSWER or AUTHORITY for this case?

Thanks in advance.
Re: about AUTHORITY SECTION
2011/3/4 Mark Andrews :
>
> In message , terry writes:
>> Hello,
>>
>> When I delegate a subdomain in a zone example.com, the config in
>> named.conf is like:
>>
>> test.example.com. 3600 IN NS ns1.another.com.
>> test.example.com. 3600 IN NS ns2.another.com.
>>
>> Then I dig to the auth-server of the example zone:
>>
>> dig test.example.com ns @ns1.example.com
>>
>> I found some servers return the ANSWER SECTION, but some servers
>> return the AUTHORITY SECTION.
>>
>> For example:
>>
>> ;; ANSWER SECTION:
>> test.example.com. 3600 IN NS ns2.another.com.
>> test.example.com. 3600 IN NS ns1.another.com.
>>
>> And:
>>
>> ;; AUTHORITY SECTION:
>> test.example.com. 3600 IN NS ns2.another.com.
>> test.example.com. 3600 IN NS ns1.another.com.
>>
>>
>> I'm confused, shall name server answer with ANSWER or AUTHORITY for this case
>> ?
>
> Look at RA and RD. If the server recurses, you will get an answer.
> If the server does not recurse, you will get a referral. Then there
> are the really old broken servers which get this wrong.
>

Hi Mark,

Please see this for details:

$ dig nsbeta.info ns @ns34.domaincontrol.com

; <<>> DiG 9.4.2-P2.1 <<>> nsbeta.info ns @ns34.domaincontrol.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41454
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;nsbeta.info. IN NS

;; ANSWER SECTION:
nsbeta.info. 3600 IN NS ns34.domaincontrol.com.
nsbeta.info. 3600 IN NS ns33.domaincontrol.com.

;; Query time: 183 msec
;; SERVER: 208.109.255.17#53(208.109.255.17)
;; WHEN: Fri Mar 4 22:59:39 2011
;; MSG SIZE rcvd: 123

There isn't an "ra" flag in the response, so why has the nameserver also been answering with the "ANSWER SECTION"? I think it should answer with the "AUTHORITY SECTION".

Thanks again.
Re: about AUTHORITY SECTION
>
> But in this case, you're asking the authoritative server. The authoritative server
> answers in the answer section, as it knows the answer. The authority section is
> for 'I don't know, ask ...'
> The rule above goes for servers which are not authoritative for a given zone.
> Torinthiel
>

I'm very sorry, that was just a typo. I do mean this case:

$ dig test.nsbeta.info ns @ns33.domaincontrol.com

; <<>> DiG 9.4.2-P2.1 <<>> test.nsbeta.info ns @ns33.domaincontrol.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13538
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test.nsbeta.info. IN NS

;; ANSWER SECTION:
test.nsbeta.info. 3600 IN NS ns2.dnsbed.com.
test.nsbeta.info. 3600 IN NS ns1.dnsbed.com.

;; Query time: 186 msec
;; SERVER: 216.69.185.17#53(216.69.185.17)
;; WHEN: Sat Mar 5 09:36:58 2011
;; MSG SIZE rcvd: 122

So why does ns33.domaincontrol.com answer with the ANSWER SECTION rather than the AUTHORITY SECTION?

Thanks.
Re: Slaves and views
2011/3/5 Chris Buxton :
>
> On Mar 4, 2011, at 8:46 AM, John Wobus wrote:
>
>> Hi,
>>
>> Can a zone file be a slave in one view and the same zone file
>> be served by another view?
>
> You can do this for static master zones, but it's not a good idea for slaves.
>
> Depending on the use case for your internal view, you may be able to solve
> this better using forwarding, stub zones, or (BIND 9.8 only) static-stub
> zones.

Chris,

What's the difference between a stub zone and a static-stub zone? I have been thinking they are the same.

Thanks.
Re: about AUTHORITY SECTION
2011/3/5 Mark Andrews :
>> So why does ns33.domaincontrol.com answer with ANSWER SECTION rather
>> than AUTHORITY SECTION?
>
> If you ask with rd=0 (+norec), which is what nameservers do, you
> get the referral. Presumably ns33.domaincontrol.com is running
> BIND 8 which didn't fully comply with RFC 1034. One of the reasons
> for writing BIND 9 was to sort out these corner cases.
>
> If rd=1 BIND 8 assumed that there was a stub resolver talking to
> it so it put the response in the answer section despite it not being
> authoritative for the child zone. If rd=0 it did what RFC 1034
> said to do, put the response in the authority section.
>
> BIND 9 will actually recurse if rd=1 and the client is in the
> allow-recursion acl and fetch the answer from the child zone and
> return it. If not it will return a referral.
>

That's a great answer. You have cleared up a confusion that has existed in my head for a long time.

Thanks a lot Mark.
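The three dig outputs quoted in this thread and in the "dig +short" thread above differ only in the header flags and in which section carries the NS records. The block below is an added example, not code from the thread or from ISC: it parses dig's text output, applies the rule Mark Andrews gives (aa set means an authoritative answer; no answer plus NS in AUTHORITY is a referral; an ANSWER section without aa from a non-recursing server is the BIND 8 behaviour he describes), and shows why `+short` prints nothing for a referral, since it only lists ANSWER rdata. The three samples are reconstructed from the dig output quoted in the two threads.

```python
"""Classify a dig response as an answer or a referral, and emulate +short.

Added example, not from the bind-users threads or from ISC: it parses
dig's text output, reads the header flags and sections, and applies the
rule Mark Andrews gives. The samples are reconstructed from the dig
output quoted in the threads.
"""
import re

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def parse_dig(text):
    """Return {'flags': set, 'sections': {name: [(owner, ttl, cls, type, rdata)]}}."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # Skip blanks, comment lines (the QUESTION entry starts with ';')
        # and anything outside a section.
        if not line or line.startswith(";") or current is None:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        sections[current].append((owner, int(ttl), cls, rtype, rdata))
    return {"flags": flags, "sections": sections}


def short(text):
    """What `dig +short` prints: the rdata of ANSWER records, nothing else."""
    return [rr[4] for rr in parse_dig(text)["sections"].get("ANSWER", [])]


def classify(text):
    """Apply the answer-vs-referral rule from the thread to one response."""
    r = parse_dig(text)
    answer = r["sections"].get("ANSWER", [])
    auth_ns = [rr for rr in r["sections"].get("AUTHORITY", []) if rr[3] == "NS"]
    if "aa" in r["flags"] and answer:
        return "authoritative answer"
    if not answer and auth_ns:
        return "referral"
    if answer and "ra" in r["flags"]:
        return "recursive answer"
    if answer:
        return "non-authoritative answer without recursion (BIND 8-style)"
    return "empty"


# Reconstructed from the dig output quoted in the threads.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53460
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ox.test.nsbeta.info. IN NS

;; AUTHORITY SECTION:
ox.test.nsbeta.info. 20222 IN NS dwdns1.nsbeta.info.
"""

AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41454
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nsbeta.info. IN NS

;; ANSWER SECTION:
nsbeta.info. 3600 IN NS ns34.domaincontrol.com.
nsbeta.info. 3600 IN NS ns33.domaincontrol.com.
"""

BIND8_STYLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13538
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.nsbeta.info. IN NS

;; ANSWER SECTION:
test.nsbeta.info. 3600 IN NS ns2.dnsbed.com.
test.nsbeta.info. 3600 IN NS ns1.dnsbed.com.
"""

if __name__ == "__main__":
    for label, sample in (("ox", REFERRAL), ("nsbeta", AUTHORITATIVE), ("test", BIND8_STYLE)):
        print(label, "->", classify(sample), short(sample))
```

Feeding it the raw output of a real `dig` run works the same way, since only the header flags line and the section headers are interpreted.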
About name servers registration
Hello,

How do I know that my name servers, ns1.dnsbed.com and ns2.dnsbed.com, have been registered in ICANN?

Thanks.

--
www.DNSbed.com
force to flush from jnl to zone files
Hello,

My BIND has been using dynamic updates for zone updates. My question is, how do I force a flush of the updated data from the *.jnl files to the zone files? I know restarting bind can do that, but is there another, better way?

Thanks.

Regards.
Re: force to flush from jnl to zone files
2011/3/20 Evan Hunt :
>> My BIND has been using dynamic updates for zone update.
>> My question is, how to force to flush updated data from the *.jnl
>> files to zone files?
>> I know restarting bind can do that, but is there another better way?
>
> "rndc freeze " will do that. Run "rndc thaw" afterward to
> re-enable DDNS.
>
> Rather coincidentally, yesterday afternoon I wrote the code for an "rndc
> sync" command that would dump the zone without freezing updates. That'll
> be in BIND 9.9.
>

Thank you all for the kind help. I love BIND as well as the list people. :)

--
www.DNSbed.com
Re: Need help on DNS reporter
How will "rndc status" take something good for you?

2011/3/20 babu dheen
> Hi,
>
> Can anyone let me know is there any open source software available to
> generate report for DNS service based on DNS BIND query logs.
>
> We have BIND DNS running RHEL 5.0. Would like to generate report based on
> its logs so that we can identify list of clients querying external domains
> and its query count.
>
> Many clients in our company infected with malware which thus send
> unnecessary query to remote external domain (non available domain). So if we
> have any software which can generate the report from DNS BIND logs, will be
> very helpful.
>
>
> Regards
> Babu
>

--
www.DNSbed.com
can I set the second nameserver to a public dns cache?
Hello,

I have only one nameserver for a domain. Can I set the second nameserver for this domain to a public dns cache? For example:

    abc.com. IN NS ns1.abc.com.
    abc.com. IN NS ns2.abc.com.
    ns2.abc.com. IN A 8.8.8.8 ; 8.8.8.8 is google's public dns server

Since a DNS cache does recursive resolving, will it also answer with the correct result?

Thanks.
is notify message going with UDP or TCP?
Does the BIND master send the notify message with the TCP or the UDP protocol?

Thanks.
Re: dns record delegation
On 2011-4-12 11:55, Parashar Singh wrote:
> * IN NS ns1.GLB.com
>
> but it's not working. Can anyone suggest, how to configure this in bind?

I was thinking you need a forward zone rather than the wildcard.

--
terry - te...@geekmail.de
Re: NS record, nameserver down.
On 2011-4-12 16:34, fddi wrote:
> if a remote host does a query for www.domain.com will the query always be
> successful even if ns1 is down ? or the NS records are just round-robin so
> that if the query arrives to the one which is down, the query will fail ?

The clients will always try the second, alive nameserver, so your domain names will be resolved without much problem.

--
terry - te...@geekmail.de
service provider frontend delegation options
Hello,

I am trying to get bind in to replace a simpledns implementation due to the "viewing" capability with bind. However, we also have a need to be able to give our customers access to modify zones that they own. I only see one product that comes close to allowing this, named "DNS Control" or "RocketControl DNS". It appears to be a good idea but I want to see what everyone else is doing. Certainly I'm not the first one to want this type of functionality.

Any ideas?

Thanks!
tsig and servers help
Hello,

I am a bit confused about what exactly applying a key to the servers part of the config does:

    server 10.25.1.11 {
        keys { omajelns01.omajelns02; };
    };

    key omajelns01.omajelns02 {
        algorithm hmac-md5;
        secret "asdfasdfasdfasdfasdf";
    };

    zone "narf.com" {
        type master;
        file "/var/named/narf.com.hosts";
        also-notify { 10.25.1.11; };
        notify yes;
    };

In this config, what does the key in the server section actually do for me? I really only want zone transfers to be secured between my master and slaves, but I don't really want each zone to have its own key. There's also a very high chance that I will have to exchange zones with non-bind servers too, which I don't think is an issue if I apply keys at the server level. Thoughts?

Thanks!
Re: tsig and servers help
On Fri, Apr 24, 2009 at 12:11 PM, Jeremy C. Reed wrote:
> On Fri, 24 Apr 2009, Terry wrote:
>
>> I am a bit confused about what exactly applying a key to the servers
>> part of the config does:
>>
>> server 10.25.1.11 {
>>     keys {
>>         omajelns01.omajelns02;
>>     };
>> };
>> key omajelns01.omajelns02 {
>>     algorithm hmac-md5;
>>     secret "asdfasdfasdfasdfasdf";
>> };
>> zone "narf.com" {
>>     type master;
>>     file "/var/named/narf.com.hosts";
>>     also-notify {
>>         10.25.1.11;
>>     };
>>     notify yes;
>> };
>>
>> In this config, what does the key in the server section actually do
>> for me? I really only want zone transfers to be secured between my
>> master and slaves but I don't really want each zone to have its own
>> key. There's also a very high chance that I will have to exchange
>> zones with non-bind servers too. Which I don't think is an issue if I
>> apply keys at the server level. Thoughts?
>
> Hello Terry,
>
> The keys in the server statement are used to cause requests sent to that
> server to be signed using that key. In this case, it may be more than just
> zone transfers. It needs to be configured on both sides (so also on the
> slave at 10.25.1.11).
>
> Jeremy C. Reed
> ISC Sales & Support Engineer
>

Thanks for your reply. On my slave, I have this:

    server 10.25.1.10 {
        keys {
            omajelns01.omajelns02;
        };
    };

It will sign all requests between these hosts. If requests come across that appear to be from these hosts and they are not signed, the server at either end will reject the requests (I am pretty sure that's the whole idea, but just clarifying)? If that's the case, I like this architecture: it's simple and provides a level of security without a great deal of configuration overhead.
domain keys
Hi

I have set up exim to sign my emails as per the documentation here
http://wiki.exim.org/DomainKeys

The mails are getting domainkeys=pass (ok); from=bluelight.org.uk; from yahoo, so that bit is ok.

But I am failing the policy test here
http://domainkeys.sourceforge.net/policycheck.html

I have this in my zone file. Any advice or pointers welcome

    _domainkey.bluelight.org.uk. IN TXT "k=rsa; t=y; o=-;"
    myselector._domainkey.bluelight.org.uk. IN TXT "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAw

Thanks
Terry
Re: domain keys
swilting wrote:
> On Saturday 20 June 2009 at 14:45 +0100, Terry wrote:
>> Hi
>>
>> I have set up exim to sign my emails as per the documentation here
>> http://wiki.exim.org/DomainKeys
>>
>> The mails are getting domainkeys=pass (ok); from=bluelight.org.uk; from
>> yahoo, so that bit is ok.
>>
>> But I am failing the policy test here
>> http://domainkeys.sourceforge.net/policycheck.html
>>
>> I have this in my zone file. Any advice or pointers welcome
>>
>> _domainkey.bluelight.org.uk. IN TXT "k=rsa; t=y; o=-;"
>
> must inform the selector

Not sure what you mean by that? Searching now for the documentation.

>> myselector._domainkey.bluelight.org.uk. IN TXT "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAw
>
> and write the line without newline, and do not forget the (") final

Yes I have that bit ok

Thanks
Terry
Re: domain keys
swilting wrote:
> my record txt is like this
>
> ; DomainKeys
> _domainkey.fakessh.eu. IN TXT "t=y; o=-;"
> fakessh._domainkey.fakessh.eu. IN TXT "k=rsa;t=s;p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANzPkPCFCJwwhcYtThxfSA1LVWtBUlB7Z5G1rVRByvJxldnmfsD9BkrKmU2xqGCHr41Hys3tMWYktahv+pksDZ0CAwEAAQ=="
>
> a dkimproxy works fine in my box centos 5.3
>
> On Saturday 20 June 2009 at 15:12 +0100, Terry wrote:

Thanks for your assistance. I now have what you have:

    _domainkey.bluelight.org.uk. IN TXT "t=y; o=-;"
    bluelight._domainkey.bluelight.org.uk. IN TXT "k=rsa; t=y; p=long key"

Your domain tests fine here http://domainkeys.sourceforge.net/policycheck.html but mine does not, and locally it's the same too. I must be missing something silly. The emails are being signed fine though, so that side of things is ok.

The selector also tests fine:

dig @192.168.2.199 bluelight._domain.bluelight.org.uk TXT

; <<>> DiG 9.4.2 <<>> @192.168.2.199 bluelight._domain.bluelight.org.uk TXT
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60488
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bluelight._domain.bluelight.org.uk. IN TXT

;; AUTHORITY SECTION:
bluelight.org.uk. 3600 IN SOA ns1.bluelight.org.uk. terry.bluelight.org.uk. 2009062012 10800 3600 604800 3600

cf# dig @192.168.2.199 _domain.bluelight.org.uk TXT

; <<>> DiG 9.4.2 <<>> @192.168.2.199 _domain.bluelight.org.uk TXT
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18576
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_domain.bluelight.org.uk. IN TXT

;; AUTHORITY SECTION:
bluelight.org.uk. 3600 IN SOA ns1.bluelight.org.uk. terry.bluelight.org.uk. 2009062012 10800 3600 604800 3600
Re: domain keys
Byung-Hee HWANG wrote:
> Terry writes:
>> Hi
>>
>> I have set up exim to sign my emails as per documentation here http://wiki.exim.org/DomainKeys
>>
>> The mails are getting domainkeys=pass (ok); from=bluelight.org.uk; from yahoo so that bit is ok.
>>
>> But I am failing the policy test here http://domainkeys.sourceforge.net/policycheck.html
>>
>> I have this in my zone file. Any advice or (...)
>
> As far as I know, DK (RFC 4870) was obsoleted by DKIM (RFC 4871). So I think it's better starting with DKIM than DK. Here is good guidance for Exim: http://wiki.exim.org/DKIM
>
> ;; Sincerely,

Ok thank you, that's next then.

The keys are working and it is passing the check this morning: http://domainkeys.sourceforge.net/cgi-bin/check_policy?domain=bluelight.org.uk&Submit=Submit

Thanks for your help
Terry
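A worked example added here, not part of the thread and not code from Exim, BIND or dkimproxy: a small Python checker for the two record shapes the thread settles on, the _domainkey policy record ("t=y; o=-;") and the selector record ("k=rsa; t=y; p=..."), plus a helper that renders a long TXT value as several quoted 255-byte strings in zone-file syntax, which is how a p= value longer than one character-string is carried on a single record rather than being wrapped onto a new line. The p= value in the sample is a constructed placeholder (base64 of a short string), not a real RSA key, and the owner names are assumed.

```python
"""Sanity checks for DomainKeys/DKIM TXT records before they go into a zone.

Added example (not from the thread). The records below are constructed; the
p= value is base64 of a placeholder string, not a real RSA public key.
"""
import base64
import binascii
from typing import Dict, List

# Constructed sample records, shaped like the ones discussed in the thread.
FAKE_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()
POLICY_RECORD = "t=y; o=-;"                          # _domainkey.<domain>
SELECTOR_RECORD = f"k=rsa; t=y; p={FAKE_KEY_B64}"    # <selector>._domainkey.<domain>


def parse_tags(txt: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' list into a dict (DK and DKIM share this syntax)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def check_policy_record(txt: str) -> List[str]:
    """Problems with a _domainkey policy record. o=- means all mail is signed, o=~ some."""
    try:
        tags = parse_tags(txt)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if "o" not in tags:
        problems.append("missing o= policy tag")
    elif tags["o"] not in ("-", "~"):
        problems.append(f"unknown o= value {tags['o']!r}")
    return problems


def check_selector_record(txt: str) -> List[str]:
    """Problems with a selector record: k= must be rsa, p= present and contiguous base64."""
    try:
        tags = parse_tags(txt)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']!r}")
    if "p" not in tags:
        problems.append("missing p= public key tag")
        return problems
    key = tags["p"]
    if key == "":
        problems.append("empty p= (record marks the key as revoked)")
        return problems
    if any(ch.isspace() for ch in key):
        # The classic zone-file mistake: the key wrapped onto a second line.
        problems.append("whitespace inside p= (key split across lines?)")
    try:
        base64.b64decode(key, validate=True)
    except binascii.Error:
        problems.append("p= is not valid base64")
    return problems


def zone_txt(owner: str, value: str, chunk: int = 255) -> str:
    """Render a TXT RR in zone-file syntax, splitting values longer than one
    255-byte character-string into several quoted strings. Tag lists are
    plain ASCII without quotes or backslashes, so no escaping is attempted."""
    if '"' in value or "\\" in value:
        raise ValueError("quotes/backslashes in TXT values are not handled here")
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    quoted = " ".join(f'"{p}"' for p in parts)
    if len(parts) == 1:
        return f"{owner} IN TXT {quoted}"
    return f"{owner} IN TXT ( {quoted} )"


if __name__ == "__main__":
    print(check_policy_record(POLICY_RECORD))
    print(check_selector_record(SELECTOR_RECORD))
    print(zone_txt("sel._domainkey.example.com.", SELECTOR_RECORD))
```

A resolver joins the quoted strings of a multi-string TXT record back together before the tag list is parsed, so the split is invisible to verifiers; a literal newline inside the zone-file string, by contrast, either fails to load or ends up inside the p= value, which is what the whitespace check is for.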
BUG? Wildcard lookup masked by more specific record of alternative type
Hi,

Is the following expected or is it a bug?

All the best,

Terry

; This wildcard allows the lookup of "test.domain A":
;
*.domain IN A 1.2.3.4
;
; This TLSA record breaks the lookup of "test.domain A":
;
_443._tcp.test.domain IN TLSA 1 0 1 83cfeec8dbe315e9f93e9ec87beda3619033876f1f96729c9939964961f6aa9c
;
; Workaround: Adding a specific record restores the lookup of "test.domain A":
;
;test.domain IN A 1.2.3.4
Re: BUG? Wildcard lookup masked by more specific record of alternative type
On 14 February 2014 12:01, Tony Finch wrote:
> Terry Burton wrote:
>> Is the following expected or is it a bug?
>
> It is correct. See RFC 4592 for the full explanation of how wildcards work.

For the sake of Google...

RFC 4592 3.3.1 defines "The closest encloser is the node in the zone's tree of existing domain names that has the most labels matching the query name ... The source of synthesis is defined in the context of a query process as that wildcard domain name immediately descending from the closest encloser."

Adding the TLSA record for _443._tcp.test.domain amended the closest encloser for the query from "domain" to the "test.domain" empty non-terminal, hence no synthesis.
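To make the RFC 4592 rule concrete, here is an added example (mine, not from the thread and not BIND's code) in Python that models the three zone states from the report: wildcard only, wildcard plus the TLSA record, and the explicit-record workaround. It computes the set of existing names including empty non-terminals, finds the closest encloser, and synthesises from the wildcard only when the query name does not exist at all. The zone apex is taken to be domain. as in the report and the SOA rdata is constructed.

```python
"""RFC 4592 wildcard lookup over a tiny in-memory zone.

Added example, not from the thread. Zone data is built from the records in
the bug report; owner names are fully qualified and lower-case.
"""
from typing import Dict, List, Optional, Set, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner -> rrtype -> rdata list
APEX = "domain."

TLSA_RDATA = "1 0 1 83cfeec8dbe315e9f93e9ec87beda3619033876f1f96729c9939964961f6aa9c"

# Only the wildcard: "test.domain A" is synthesised.
ZONE_WILDCARD: Zone = {
    APEX: {"SOA": ["ns1.domain. hostmaster.domain. 1 3600 900 604800 3600"]},  # constructed
    "*.domain.": {"A": ["1.2.3.4"]},
}
# Wildcard plus the TLSA record: test.domain. now exists as an empty non-terminal.
ZONE_WITH_TLSA: Zone = {**ZONE_WILDCARD, "_443._tcp.test.domain.": {"TLSA": [TLSA_RDATA]}}
# The workaround: an explicit A record at test.domain.
ZONE_WORKAROUND: Zone = {**ZONE_WITH_TLSA, "test.domain.": {"A": ["1.2.3.4"]}}


def parent(name: str) -> Optional[str]:
    """Drop the leftmost label; None at (or above) the zone apex."""
    if name == APEX or "." not in name.rstrip("."):
        return None
    return name.split(".", 1)[1]


def existing_names(zone: Zone) -> Set[str]:
    """Every owner name plus every ancestor up to the apex. The ancestors that
    own no RRsets are the empty non-terminals (ENTs): they still exist."""
    names: Set[str] = set()
    for owner in zone:
        node: Optional[str] = owner
        while node is not None:
            names.add(node)
            node = parent(node)
    return names


def closest_encloser(zone: Zone, qname: str) -> str:
    """RFC 4592 3.3.1: the existing name sharing the most labels with qname
    (qname itself when it exists)."""
    names = existing_names(zone)
    node: Optional[str] = qname.lower()
    while node is not None and node not in names:
        node = parent(node)
    if node is None:
        raise ValueError(f"{qname} is not within {APEX}")
    return node


def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Return (rcode, rdata) the way an authoritative server would; wildcard
    synthesis applies only when qname does not exist in any form."""
    qname = qname.lower()
    ce = closest_encloser(zone, qname)
    if ce == qname:
        # Name exists, possibly only as an ENT: answer from its own RRsets,
        # which for an ENT is NOERROR with an empty answer (NODATA).
        return "NOERROR", list(zone.get(qname, {}).get(qtype, []))
    source = "*." + ce                    # source of synthesis
    if source not in existing_names(zone):
        return "NXDOMAIN", []
    return "NOERROR", list(zone.get(source, {}).get(qtype, []))


if __name__ == "__main__":
    for label, zone in (("wildcard", ZONE_WILDCARD), ("+TLSA", ZONE_WITH_TLSA),
                        ("workaround", ZONE_WORKAROUND)):
        print(label, closest_encloser(zone, "test.domain."), lookup(zone, "test.domain.", "A"))
```

The NOERROR with an empty answer that the middle zone returns for "test.domain A" is exactly the NODATA that makes the report look like a bug: the name is found, so the wildcard is never consulted. Note also that a query for foo.test.domain now yields NXDOMAIN rather than a synthesised answer, because its closest encloser is test.domain and *.test.domain does not exist.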
Inline-signing feature request: Directly set the signed zone's serial number
Hi,

After reinitialising the inline-signing process (for example by removing the journal files or redeploying the master server) the freshly signed zone's serial number will usually be behind the authoritative version on the slaves causing transfers to fail — possibly leading to expired signatures, zone expiry, etc.

Currently, bumping the serial number of the unsigned zones to exceed that of the slaves is required, however it would be /convenient/ to have a one-shot method (perhaps via rndc) for specifying the signed zone serial number such that this doesn't require edits to the unsigned zone files.

This is especially useful in bootstrapping scenarios where the zone data is held under strict revision control or generated by some provisioning system that "owns" the serial number.

Am I on my own with this or would others find this useful?

Thanks,

Terry
Re: Inline-signing feature request: Directly set the signed zone's serial number
On 7 Oct 2014 18:42, "Alan Clegg" wrote:
>
> On 10/7/2014 9:49 AM, Terry Burton wrote:
> > This is especially useful in bootstrapping scenarios where the zone
> > data is held under strict revision control or generated by some
> > provisioning system that "owns" the serial number.
>
> By setting the number backwards, you are breaking all of your slave servers and causing no-end of problems getting all of THEM corrected.

You've misunderstood. I'm not attempting to decrease the serial number.

With inline signing you have a hidden serial number in the unsigned zone and an exposed serial number in the signed versions which your slaves track. After redeployment (following DR, emergency relocation, elastic capacity expansion, etc.) I want to be able to bump the exposed serial number (once) back to an appropriate value without having to modify the unsigned zones.

(For context, the unsigned zone serial number matches the revision number in a VCS to which the DNS infrastructure hosts and administrators have read-only access, i.e. mandatory separation of infrastructure and data access rights.)
Re: Inline-signing feature request: Directly set the signed zone's serial number
On 7 Oct 2014 21:44, "Doug Barton" wrote:
>
> On 10/7/14 11:03 AM, Terry Burton wrote:
>
>> With inline signing you have a hidden serial number in the unsigned zone
>> and an exposed serial number in the signed versions which your slaves
>> track. After redeployment (following DR, emergency relocation, elastic
>> capacity expansion, etc.) I want to be able to bump the exposed serial
>> number (once) back to an appropriate value without having to modify the
>> unsigned zones.
>>
>> (For context, the unsigned zone serial number matches the revision
>> number in a VCS to which the DNS infrastructure hosts and administrators
>> have read-only access, i.e. mandatory separation of infrastructure and
>> data access rights.)
>
>
> * Check out the unmodified version of the unsigned zone
> * Increase the serial number in the checked out copy to be past the one in the signed zone
> * rndc reload
> * Delete the modified version of the zone file, and revert to the master copy
>
> ... all of which is not to say that your request is not reasonable, just letting you know that a solution exists.

Sure, this is the approach that is currently taken. As stressed in my request, this is purely for convenience... and a little bit of obsessive data purity - load what you're given without additional processing, etc.

Thanks all the same!
Re: Inline-signing feature request: Directly set the signed zone's serial number
On 7 Oct 2014 22:35, "Alan Clegg" wrote:
>
> On 10/7/2014 2:03 PM, Terry Burton wrote:
>>
>> On 7 Oct 2014 18:42, "Alan Clegg" <a...@clegg.com> wrote:
>> >
>> > On 10/7/2014 9:49 AM, Terry Burton wrote:
>> > > This is especially useful in bootstrapping scenarios where the zone
>> > > data is held under strict revision control or generated by some
>> > > provisioning system that "owns" the serial number.
>> >
>> > By setting the number backwards, you are breaking all of your slave
>> > servers and causing no-end of problems getting all of THEM corrected.
>>
>> You've misunderstood. I'm not attempting to decrease the serial number.
>>
>> With inline signing you have a hidden serial number in the unsigned zone
>> and an exposed serial number in the signed versions which your slaves
>> track. After redeployment (following DR, emergency relocation, elastic
>> capacity expansion, etc.) I want to be able to bump the exposed serial
>> number (once) back to an appropriate value without having to modify the
>> unsigned zones.
>
>
> Ok, I'm aware of the difference between unsigned and signed zones in an in-line signing configuration and am more and more curious about your terminology of "appropriate value" for the signed zones.

Currently advertised serial +1.

> If the data hasn't changed, the serial is appropriate. If the data has changed, the signed data serial number is going to be incremented the next time you transfer (bump in the wire) or reload (on box) the data.

BIND on a reinitialised signing master doesn't know about the external serial number until you tell it, either by updating the unsigned zone data (fine when you control this) or by updating the signing state by some other method, as I propose.

> As Doug said, edit the data and when you reload it's going to "do the right thing" but you should never get into this predicament to begin with from my limited understanding of DNS.

Separate the data provider and DNS infrastructure provider and this predicament ensues.

> Now, the problem with his added step is that the next time you edit the file that you have in your version control system, the serial number is now going to match (if you treat it as "just a number") the one that you edited OUTSIDE OF THE PROCEDURE and you won't get correct zone transfers.
>
> I'd recommend adding one step to the DR/whatever procedure: "bump serial number in version control in to complete process".

That sounds ideal, however in this case it's not possible to redefine access to the VCS in this fashion due to the integrity constraints of the current procedures.
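Whether the slaves transfer from the reinitialised master is decided by RFC 1982 serial-number arithmetic, so here is an added example (mine, not from the thread and not BIND's code) that implements that comparison and the "currently advertised serial +1" target discussed above, including the 32-bit wrap-around. All serial values are constructed; the VCS-revision case mirrors the situation described in the thread but the numbers are made up.

```python
"""RFC 1982 serial-number arithmetic for the inline-signing situation.

Added example, not from the thread. Serial values used in the demo are
constructed.
"""

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS          # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)       # 2^31: the comparison window


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 addition: n must be below 2^31; the result wraps at 2^32."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (serial + n) % MODULUS


def serial_gt(a: int, b: int) -> bool:
    """True when a is 'greater' than b in serial-number space (RFC 1982 3.2).
    Two serials exactly 2^31 apart are incomparable: False in both directions."""
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slaves_will_transfer(master_serial: int, slave_serial: int) -> bool:
    """A slave only pulls a new copy when the master's SOA serial is greater."""
    return serial_gt(master_serial, slave_serial)


def minimum_master_serial(slave_serial: int) -> int:
    """The 'currently advertised serial +1' from the thread: the smallest serial
    the reinitialised master must advertise for the slaves to transfer."""
    return serial_add(slave_serial, 1)


def bump_needed(master_serial: int, slave_serial: int) -> int:
    """How far the master's advertised serial must be raised (0 when the
    slaves already transfer). Measured as the forward distance in serial
    space; a result of 2^31 or more cannot be applied in one RFC 1982 step."""
    if slaves_will_transfer(master_serial, slave_serial):
        return 0
    return (minimum_master_serial(slave_serial) - master_serial) % MODULUS


if __name__ == "__main__":
    # Constructed: freshly signed master restarted from an unsigned zone whose
    # serial is a VCS revision number, while the slaves hold a date-style serial.
    master, slave = 1234, 2014100701
    print(slaves_will_transfer(master, slave), bump_needed(master, slave))
    # Wrap-around: a master at 2^32-1 still needs to get past a slave at 3.
    print(slaves_will_transfer(4294967295, 3), bump_needed(4294967295, 3))
```

The first case is the one the request is about: the signed zone restarts from a small serial, the slaves keep the larger one they already hold, and nothing moves until the master's serial has been pushed past it. The wrap-around case shows why a plain integer comparison is not enough.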
NOTIFY from masters when slave provides several views
This question is related to the prior "Internal and External view on same slave server? - RESOLVED" thread, but seems to be a different situation in which the previous answer doesn't apply.

I have 3 nameservers, which we'll call ns1, ns2, and ns3. These servers are primarily slave servers for stealth master servers (that last part shouldn't really matter).

ns1, ns2, and ns3 operate with three views each - internal, customer, and external. Internal is for the ISP's infrastructure systems, customer is for customers (and allows recursion), and external is for the rest of the net (no recursion, just authoritative answers for the zones it serves).

The master servers can be in address ranges covered by any of those views as well - the ISP's own zones come from a server in the internal view, most customer zones come from servers in the customer view, with a few coming from servers in the external view. Importantly, neither the masters nor ns1/2/3 have different zone data in different views - the answers are always the same.

As an example, if ns1 gets a NOTIFY for a slave zone from a master in an address covered by the customer view, it will do an xfer of the zone, but only for ns1's customer view. The internal and external views won't transfer until the expiry/refresh time for the zone fires.

Also important is that there are a *lot* of zones, and they all live in an external include file (which, itself, is a collection of smaller include files), which are all auto-generated from an external database. So it would be very difficult to change that. Also, most of the masters are on customer systems with a variety of nameserver versions, and asking them to add additional IP addresses (or indeed, make any changes at all) would also be very difficult.

What I'd like is some way to tell BIND that if it gets a NOTIFY for a zone, it should transfer that zone for all views, not just the matching view.

The BIND versions in use are 9.6.0-P1 and 9.6.1b1.
Here's a censored example of the relevant parts of the named.conf file:

// The internal view allows everything
view "internal" in {
    match-clients { internal; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    // Root hints
    //
    zone "." {
        type hint;
        file "named.root";
    };

    // snip... (internal-only zones removed from example)

    // Customer zones
    //
    include "includes.conf";
};

// The customer view allows everything too, but has a different name for
// statistics gathering purposes, and might have restrictions added later
view "customer" in {
    match-clients { customer; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    // Root hints
    //
    zone "." {
        type hint;
        file "named.root";
    };

    // Customer zones
    //
    include "includes.conf";
};

// The external view allows queries of zones we serve, but not recursion
view "external" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    // Root hints
    //
    zone "." {
        type hint;
        file "named.root";
    };

    // Customer zones
    //
    include "includes.conf";
};

Terry Kennedy
http://www.tmk.com
te...@tmk.com  New York, NY USA
Re: NOTIFY from masters when slave provides several views
niall.orei...@ucd.ie wrote:
> On Thu, 2009-03-26 at 19:46 -0400, terry+bindus...@tmk.com wrote:
> > Importantly, neither the masters nor ns1/2/3 have different zone data in
> > different views - the answers are always the same.
>
> If you don't have different zone data per view, I don't
> understand what purpose the views serve, that could not
> be met using other configuration options. From what you
> describe, they seem to be getting in the way.

Let me clarify - for a zone in more than one of the views, that zone's data doesn't vary by zone. The "internal" view has some zones not found in the "customer" or "external" views.

Also, the external view doesn't provide recursion, while the customer and internal ones do.

If you can describe how to handle the recursion issue without using views or multiple DNS servers, I'd be very interested.

Terry Kennedy
http://www.tmk.com
te...@tmk.com  New York, NY USA
Re: NOTIFY from masters when slave provides several views
> > Let me clarify - for a zone in more than one of the views, that zone's
> > data doesn't vary by zone. The "internal" view has some zones not found
> > in the "customer" or "external" views.
>
> This sounds like a job for the allow-query option in the zone statements.

I should have mentioned that I tried that, but got:

    "option 'allow-query' is not allowed in 'forward' zone 'xxx.yyy.com'"

In fact, that's what forced me into views in the first place.

> > Also, the external view doesn't provide recursion, while the customer
> > and internal ones do.
>
> And this is a job for allow-query and allow-query-cache.

What's the deal with "allow-query"? I did some lookups from a host on an outside net (not in either the internal or customer views) and the server answered queries for the zones it hosted regardless of whether it was set to "allow-query { internal; customer; };" or "allow-query { any; };".

Terry Kennedy
http://www.tmk.com
te...@tmk.com  New York, NY USA