Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Mark Andrews
Wikipedia have been told multiple times that their nameservers are broken, that they fail to add the CNAME records, as required by RFC 1034, which results in garbage answers being returned. Those garbage answers result in the FORMERR log messages. Both of the answers below should have CNAME chai

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Michael Sinatra
Users are experiencing this problem now in the field, and more users will be experiencing it as BIND is upgraded in more and more places. Every single user relying on a Fedora 15 DNS server, for example, is going to see occasional unnecessary DNS timeouts when trying to resolve host names.

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Doug Barton
On 07/11/2011 11:11, Jonathan Kamens wrote: > The number of DNS queries required for each address lookup requested by > a client has gone up considerably because of IPV6. The problem is being > exacerbated by the fact that many DNS servers on the net don't yet > support IPV6 queries. I have to dis

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Mark Andrews
In message <4e1b5c57.8090...@kamens.us>, Jonathan Kamens writes: > On 7/11/2011 4:06 PM, Bill Owens wrote: > > https://lists.isc.org/pipermail/bind-users/2011-March/083109.html > > in which the first sentence says it all: "The nameservers for wikipedia.org are broken." > It's not just wikipe

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Mark Andrews
In message <4e1b562b.2070...@kamens.us>, Jonathan Kamens writes: > > On 7/11/2011 3:26 PM, Eivind Olsen wrote: > > I think the main issue here is - why is your nameserver thinking it has > > IPv6 connectivity? > No, this isn't the issue. > > I see the FORMERR errors in syslog and the timeout

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Bill Owens
On Mon, Jul 11, 2011 at 04:25:59PM -0400, Jonathan Kamens wrote: > On 7/11/2011 4:06 PM, Bill Owens wrote: > >https://lists.isc.org/pipermail/bind-users/2011-March/083109.html > > in which the first sentence says it all: "The nameservers for > > wikipedia.org are broken." > It's not just wikiped

Re: "Key : Delaying activation to match the DNSKEY TTL."

2011-07-11 Thread Paul B. Henson
On 7/7/2011 12:37 PM, Evan Hunt wrote: less than $dnskey_ttl seconds in the future. If the activation time were further away, it would not warn you. If it were in the past, it would use the key to sign the zone, and again it would not warn you. There's only a window of $dnskey_ttl seconds in w

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Chuck Swiger
On Jul 11, 2011, at 1:25 PM, Jonathan Kamens wrote: > Even if PowerDNS is the only source of this issue, and even if the new > version of PowerDNS is released tomorrow, I'm sure there will still be sites > running the old version a year from now. So just relying on a PowerDNS > release to fix th

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Tim Maestas
I'm unclear how BIND could be modified to fix this. The querying client machines are asking BIND for records. BIND goes out to the authoritative nameservers to attempt to resolve said records. The broken nameservers (PowerDNS <3.0 etc) timeout or otherwise hand out bad responses (FORME

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Kevin Darcy
On 7/11/2011 2:11 PM, Jonathan Kamens wrote: The number of DNS queries required for each address lookup requested by a client has gone up considerably because of IPV6. The problem is being exacerbated by the fact that many DNS servers on the net don't yet support IPV6 queries. The result is tha

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Jonathan Kamens
On 7/11/2011 4:06 PM, Bill Owens wrote: https://lists.isc.org/pipermail/bind-users/2011-March/083109.html in which the first sentence says it all: "The nameservers for wikipedia.org are broken." It's not just wikipedia.org that's broken, obviously. I see this error in my logs for 19 domains s

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Phil Mayers
On 07/11/2011 07:11 PM, Jonathan Kamens wrote: The number of DNS queries required for each address lookup requested by a client has gone up considerably because of IPV6. The problem is being exacerbated by the fact that many DNS servers on the net don't yet support IPV6 queries. The result is t

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Bill Owens
On Mon, Jul 11, 2011 at 02:11:57PM -0400, Jonathan Kamens wrote: > The number of DNS queries required for each address lookup requested by > a client has gone up considerably because of IPV6. The problem is being > exacerbated by the fact that many DNS servers on the net don't yet > support IPV6

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Jonathan Kamens
On 7/11/2011 3:26 PM, Eivind Olsen wrote: I think the main issue here is - why is your nameserver thinking it has IPv6 connectivity? No, this isn't the issue. I see the FORMERR errors in syslog and the timeouts resolving host names even when I start named with -4. Named is querying for

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Jonathan Kamens
On 7/11/2011 3:10 PM, Tony Finch wrote: Jonathan Kamens wrote: I said above that the problem is exacerbated by the fact that many DNS servers don't yet support IPV6 queries. This is because the queries don't get NXDOMAIN responses, which would be cached, but rather FORMERR responses, which

Re: Allowing resolution of off-server CNAMEs

2011-07-11 Thread Kevin Darcy
On 7/8/2011 12:11 PM, Joseph S D Yao wrote: It should be possible to set up an authoritative-only name server so that it does not recurse for anyone [except perhaps itself], but still allow someone to get a full resolution of a name whose canonical name is elsewhere. IMHBUCO. I started with thi

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Eivind Olsen
Jonathan Kamens wrote: > I said above that the problem is exacerbated by the fact that many DNS > servers don't yet support IPV6 queries. This is because the queries > don't get NXDOMAIN responses, which would be cached, but rather FORMERR > responses, which are not cached. As a result, the s

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Tony Finch
Jonathan Kamens wrote: > > I said above that the problem is exacerbated by the fact that many DNS servers > don't yet support IPV6 queries. This is because the queries don't get > NXDOMAIN responses, which would be cached, but rather FORMERR responses, which > are not cached. As a result, the

Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Jonathan Kamens
The number of DNS queries required for each address lookup requested by a client has gone up considerably because of IPV6. The problem is being exacerbated by the fact that many DNS servers on the net don't yet support IPV6 queries. The result is that address lookups are frequently taking so lo

Re: Disabling DNSSEC validation per zone?

2011-07-11 Thread Daniel McDonald
On 7/11/11 12:15 PM, "Tony Finch" wrote: > Daniel McDonald wrote: >> >> ; <<>> DiG 9.8.0-P4 <<>> @localhost ips.backscatterer.local ds >> ; (1 server found) >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26308 >> ;; flags: qr aa rd ra; QU

Re: Disabling DNSSEC validation per zone?

2011-07-11 Thread Tony Finch
Daniel McDonald wrote: > > ; <<>> DiG 9.8.0-P4 <<>> @localhost ips.backscatterer.local ds > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26308 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 Are you

Re: session.key and managed-keys

2011-07-11 Thread Chris Thompson
On Jul 10 2011, Emil Natan wrote: Hi, I have few boxes running BIND 9.7.3-P3. I do not use DNSSEC (for now) and dynamic updates (at all) and I have them explicitly disabled in named.conf (dnssec-enable no; dnssec-validation no; allow-update{ none; };) but I see named still searching for m

Re: SPF implementation schedule.

2011-07-11 Thread Eivind Olsen
kalpesh varyani wrote: > Does ISC implement SPF for server or client side currently? > If yes, then where to get the libraries; if not then what is the > scheduled date/release for implementation? I'm not ISC, and anything I say may be completely wrong. Ok, that's the disclaimer done with... BIN

SPF implementation schedule.

2011-07-11 Thread kalpesh varyani
Hi, As per the ARM document for bind9.7, ISC has provided support for new RR(resource record) types including SPF. Comparison of code of Bind9.3 and Bind9.7 suggests that new libraries (at src\lib\dns) have been provided for SPF identification. However, either the function definitions are absent o