Re: zone update to slave

2012-01-11 Thread Barry Margolin
In article , Dan Letkeman wrote: > Yes, I have already done this for the forward zones: > > eg domain.com is the static one and workstations.domain.com is the dynamic > one > > But this is my reverse zone that is shared between the two. I don't > know how you would split that up..

Re: zone update to slave

2012-01-11 Thread Dan Letkeman
Yes, I have already done this for the forward zones: eg domain.com is the static one and workstations.domain.com is the dynamic one But this is my reverse zone that is shared between the two. I don't know how you would split that up.. Dan. On Wed, Jan 11, 2012 at 7:25 PM, Barry Margol

Re: zone update to slave

2012-01-11 Thread Barry Margolin
In article , Dan Letkeman wrote: > Ah, I did not know that. So then my scenario must be somewhat common. > Yes I update this reverse zone dynamically via dhcp, but I also have > some static devices in the same range that I want to manually enter, > hence the manual entry on the master. So wha

Re: zone update to slave

2012-01-11 Thread Ben Croswell
You can freeze/thaw or use nsupdate to dynamically add the static entries. rndc freeze Edit zone rndc thaw You will lose any ddns updates during the freeze. -Ben Croswell On Jan 11, 2012 3:52 PM, "Dan Letkeman" wrote: > Ah, I did not know that. So then my scenario must be somewhat common. >

Re: zone update to slave

2012-01-11 Thread Dan Letkeman
Ah, I did not know that. So then my scenario must be somewhat common. Yes, I update this reverse zone dynamically via dhcp, but I also have some static devices in the same range that I want to manually enter, hence the manual entry on the master. So what is the best practice for adding a static e

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Jan-Piet Mens
> > Now if FreeBSD would just add 9.9 to the ports collection > > I generally don't add new versions until they are released, ISC said today in the inline-signing Webinar, that 9.9 would probably be released on February 7th. Maybe wait for that? -JP

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread michoski
On 1/11/12 10:57 AM, "Doug Barton" wrote: > Apples and oranges. The things listed below are actual bogons. Compare > http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf?rev=1.36 When tracking bogons, it's certainly good to stay up to date. Another related data point: http://www.team

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Mark Elkins
On Wed, 2012-01-11 at 19:26 +0100, Jan-Piet Mens wrote: > > Next great thing would be for ISC to support the Soft-HSM that > > OpenDNSSEC uses. I believe that this would make the step of moving to a > > real hardware HSM a lot easier (if necessary). > > BIND has supported the PKCS#11 interface (./

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread Doug Barton
Apples and oranges. The things listed below are actual bogons. Compare http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf?rev=1.36 Doug On 1/11/2012 9:15 AM, Sten Carlsen wrote: > Hi > > Good news is that you should simplify your bogon list, lots of those > addresses are now actua

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread Sten Carlsen
Hi Good news is that you should simplify your bogon list, lots of those addresses are now actually in use; e.g. I have regular visits on my pages by 2.x.x.x as they are now mostly handed out (local ISP here) and in legitimate use. On 11/01/12 16:05, Tony Finch wrote: > Matus UHLAR - fantomas wro

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Jan-Piet Mens
> Next great thing would be for ISC to support the Soft-HSM that > OpenDNSSEC uses. I believe that this would make the step of moving to a > real hardware HSM a lot easier (if necessary). BIND has supported the PKCS#11 interface (./configure --with-pkcs11) since 9.6 IIRC, so it ought to be possibl

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Evan Hunt
> Next great thing would be for ISC to support the Soft-HSM that > OpenDNSSEC uses. I believe that this would make the step of moving to a > real hardware HSM a lot easier (if necessary). softhsm works with BIND 9. It's cumbersome--you need special configure options and a patched version of o

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Tony Finch
Phil Mayers wrote: > > Something like Tony's "nsdiff" script (see his post) makes it relatively easy, > but it's still "another step". It's more like a replacement step: run nsdiff | nsupdate instead of rndc reload. Tony. -- f.anthony.n.finch http://dotat.at/ Tyne, Dogger, Fisher, German Big

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Doug Barton
On 1/11/2012 9:27 AM, Howard Leadmon wrote: > As always thanks for all the support for things like this on the FreeBSD > side. My pleasure. > That said, I'd love to see that happen, even as a -devel type port, > since in general when ISC considers something an RC, it's pretty darn stable > by

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread Howard Leadmon
Hello Doug, As always thanks for all the support for things like this on the FreeBSD side. That said, I'd love to see that happen, even as a -devel type port, since in general when ISC considers something an RC, it's pretty darn stable by the point. At the moment I use the 9.8.1 port, an

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread Mark Elkins
On Wed, 2012-01-11 at 11:50 -0500, Howard Leadmon wrote: > Thanks, I will head on over and take a look, sounds like something I should > be interested in. Now if FreeBSD would just add 9.9 to the ports > collection, it would save me from having to build it by hand.. I think BIND 9.9 is defini

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Doug Barton
On 1/11/2012 8:50 AM, Howard Leadmon wrote: > Now if FreeBSD would just add 9.9 to the ports collection I generally don't add new versions until they are released, but if there is sufficient interest I can take a look at adding this as a -devel version sooner rather than later. Doug --

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Phil Mayers
On 11/01/12 17:04, Ryan Novosielski wrote: Not that this is honestly so hard, however. I have played with it at home some and the ns-update command means that you can still at least do this manually fairly easily from the command line. Is my read on that correct? Performing a dynamic DNS updat

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread WBrown
I took the ISC 2 day Intro to DNS and BIND class. The instructor made a good point that building from source frees you from the dependence on the distro's package maintainer. As part of the class, we had to compile bind from scratch. It was very straightforward ./configure, make, make insta

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Ryan Novosielski
On 01/11/2012 10:47 AM, Phil Mayers wrote: > On 11/01/12 15:31, Howard Leadmon wrote: > >> Then I go to make a change to my DNS file, whoa was I in for a >> shock, as >> apparently BIND took my nice text file for DNS I have edited for ages, >> and >

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread Howard Leadmon
Thanks, I will head on over and take a look, sounds like something I should be interested in. Now if FreeBSD would just add 9.9 to the ports collection, it would save me from having to build it by hand.. --- Howard Leadmon > -Original Message- > From: Michael Graff [mailto:mgr...@

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Tony Finch
Howard Leadmon wrote: > > So I guess my million dollar question is, I want to use DNSSEC (it's > actually working now), but I want to be able to edit my zone files the way I > always have for many years, and just have BIND sign the zones with the keys > and update as needed to keep DNS running sm

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Michael Graff
ISC is also, by pure luck, offering a web seminar on inline signing in BIND 9.9 today. While the first one starts in 15 minutes as I write this message, there are a total of three sessions today. Head on over to http://www.isc.org/webinar to find out the times and information on how to join.

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Phil Mayers
On 11/01/12 15:31, Howard Leadmon wrote: Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and As you found out, you cannot do that. "auto-dnssec maintain" requires that updates to the zone be via

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Michael Graff
You want BIND 9.9 (currently 9.9.0rc1) with inline signing. This will do exactly what you want, I think. --Michael On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote: > > OK, in an attempt to start using DNSSEC over here, I suppose I bit myself > in the backside, and even spending some time us

DNSSEC made simple, is this possible?

2012-01-11 Thread Howard Leadmon
OK, in an attempt to start using DNSSEC over here, I suppose I bit myself in the backside, and even spending some time using googlefu I still haven't quite figured this all out. I am currently running the current BIND 9.8.1, and setup to support DNSSEC. After reading around a bit, I saw that se

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > I prefer defining 127.in-addr.arpa and inside: > > 1.0.0 PTR localhost. I used to do that, but I need fewer zone files if I use the same reverse zone for v6 and v4 :-) I have fairly extensive setup for bogons, and I have set up empty zones to cover the same range

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread Chris Thompson
On Jan 10 2012, Tony Finch wrote: Irwin Tillman wrote: What's the recommended approach? My empty zone is: @ SOA localhost. root.localhost. 1 1h 1000 1w 1h NS localhost. I also have a "localhost." zone (RFC 2606) which is: @ SOA localhost. root.localhost. 1 1h 1000 1w 1h NS

Re: huge count of DNS deny hits

2012-01-11 Thread babu dheen
Thanks Fajar. I will handle it further. Regards Babu --- On Wed, 11/1/12, Fajar A. Nugraha wrote: From: Fajar A. Nugraha Subject: Re: huge count of DNS deny hits To: "babu dheen" Cc: bind-users@lists.isc.org Date: Wednesday, 11 January, 2012, 1:59 PM On Wed, Jan 11, 2012 at 1:27 PM, babu

RE: DNSSEC authentication and ad parameter

2012-01-11 Thread Gaurav kansal
Thanks Anand. I have one more question. Is there any option in bind which facilitates me to answer my clients for that zone only which has DNSSEC enabled? For all other queries, it should not answer. Please don't print this e-mail until & unless you really need, it will save Trees on Planet Ear

RE: DNSSEC authentication and ad parameter

2012-01-11 Thread Gaurav kansal
Ya. It also appears the same to me. -Original Message- From: Jan-Piet Mens [mailto:jpm...@gmail.com] On Behalf Of Jan-Piet Mens Sent: Wednesday, January 11, 2012 5:00 PM To: bind-users@lists.isc.org Cc: Gaurav kansal Subject: Re: DNSSEC authentication and ad parameter > DNS OARC runs

Re: DNSSEC authentication and ad parameter

2012-01-11 Thread Jan-Piet Mens
> DNS OARC runs a pair of validating servers, open to the public. It appears their BIND server has DLV anchor configured, but their Unbound instance doesn't. -JP

Re: DNSSEC authentication and ad parameter

2012-01-11 Thread Jan-Piet Mens
> I tried from google dns (8.8.8.8) also but didn’t get “AD” bit set. This may > be because 8.8.8.8 might not be configured for DLV validation. Google's DNS servers don't do proper DNSSEC validation. > Is there any open dns available from which I can check my domain for “AD” > flag set??

Re: DNSSEC authentication and ad parameter

2012-01-11 Thread Anand Buddhdev
On 11/01/2012 11:13, Gaurav kansal wrote: Hi Gaurav, > Now, I understand why I was not getting my “AD” flag set in query response. > > I tried from google dns (8.8.8.8) also but didn’t get “AD” bit set. This may > be because 8.8.8.8 might not be configured for DLV validation. > > Is there any o

RE: DNSSEC authentication and ad parameter

2012-01-11 Thread Gaurav kansal
Dear Marc, Thanks for detailed explanation. Now, I understand why I was not getting my “AD” flag set in query response. I tried from google dns (8.8.8.8) also but didn’t get “AD” bit set. This may be because 8.8.8.8 might not be configured for DLV validation. Is there any open dns avai

Re: zone update to slave

2012-01-11 Thread Jan-Piet Mens
> $ORIGIN 184.16.172.in-addr.arpa. > $TTL 14400 ; 4 hours > 105 PTR GVC-E237-A01.wks-gvc.domain.com. > 88 PTR GVC-LIB-C07.wks-gvc.domain.com. > 9 PTR gvc-busdrivers.wks-gvc.domain.com. > 90 PTR nb-csiler.

Re: zone update to slave

2012-01-11 Thread Matus UHLAR - fantomas
On 10.01.12 15:06, Dan Letkeman wrote: It seems as if these types of records get transferred: 9 PTR gvc-busdrivers.wks-gvc.domain.com. But these do not: 24.184.16.172.in-addr.arpa. IN PTR str-r7500.gvc.domain.com. If I delete the journal file on the on th

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread Matus UHLAR - fantomas
On 10.01.12 18:13, Tony Finch wrote: In the reverse direction I have 1.0.0.172.in-addr.arpa and 1.0.0.ip6.arpa zones with the predictable contents: @ SOA localhost. root.localhost. 1 1h 1000 1w 1h NS localhost. PTR localhost. I prefer defining 127.in-addr.arpa and inside: 1.0.0

Re: huge count of DNS deny hits

2012-01-11 Thread Fajar A. Nugraha
On Wed, Jan 11, 2012 at 1:27 PM, babu dheen wrote: > > Dear Fajar, > >  Below logs taken from Internal DNS server running in Microsoft DNS. Then why did you ask this list instead of contacting MS support? > I checked with client AV status, everything is fine( system is up to date > with DAT fro