Hello list,
I was wondering if anybody could advise please, on the line below that I always
seem to get in my Bind 9.8.4 logs:
error (unexpected RCODE SERVFAIL) resolving
'dul.dnsbl.sorbs.net/A/IN':174.36.198.232#53
I know what it generally stands for, that is the name server was unable to
pr
Hi all,
I have a question about the OpenSSL code in bind9.11.3.
Target file: openssl_link.c
I read the source code,
and it looks like the "lock_callback" function may be defined in
case of OpenSSL version more than 1.0 or less than 1.1. *1
However, it looks like the code line number 206 (in openss
Thank you Mark. Your insight and detail is
always helpful and immensely appreciated. For
what it's worth, I will make it a point to reach
out to the relevant parties to grouse to the
extent possible about the damage done by
DNS servers authoritative for DNSSEC signed
zones that aren't properly su
Archives.org is served by the following servers.
archives.gov. 300 IN NS sauthns1.qwest.net.
archives.gov. 300 IN NS sauthns2.qwest.net.
Those servers return BADVERS to EDNS(0) queries with an EDNS option
present. BADVERS is NEVER a valid rcode to
Firstly, you can tell nslookup to make queries “nslookup -query=”.
nslookup is a really old tool which is why it makes A queries by default.
It predates even the concept of IPv6 (which dates from ~1995). The same
also applies to dig which is slightly younger than nslookup.
Secondly, I wo
On Apr 11, 2018, at 4:26 PM, Mark Boolootian wrote:
>>> As far as I know, a host with only an IPv6 address is only ever
>>> going to perform AAAA lookups. I'd be very interested to know
>>> if there are cases where that isn't true.
>>
>> Well, if you run nslookup or dig -t a, you're asking for A r
>> As far as I know, a host with only an IPv6 address is only ever
>> going to perform AAAA lookups. I'd be very interested to know
>> if there are cases where that isn't true.
>
> Well, if you run nslookup or dig -t a, you're asking for A records
> explicitly.
Ah, true that. Does nslookup do that
On Apr 11, 2018, at 3:49 PM, Mark Boolootian wrote:
>
>>> I'll give those tools a try, but I don't understand how my client is
>>> requesting
>> an A record. It only has IPv6 networking. DNS64 should be requesting an
>> A record, but what the client should see is the converted record. Is
>
DNS64 server takes an AAAA lookup and if there are NOT AAAA records at the name
it then performs an A lookup for the same name and maps the results into
AAAA records and returns them. There are additional caveats but that is the basic
process.
It does NOT take an A lookup and return an AAAA record.
A
According to what I've read, that's exactly what DNS64 does. It converts A
records to AAAA records. (For mixed networks, it just passes through AAAA
records, but that's not in my configuration):
"DNS64 is a mechanism for synthesizing AAAA resource records (RRs) from A
RRs." - https://tools.ietf.or
>> I'll give those tools a try, but I don't understand how my client is
>> requesting
> an A record. It only has IPv6 networking. DNS64 should be requesting an
> A record, but what the client should see is the converted record. Is that
> not right?
>
> Nope-- DNS requests aren't going to conv
On Apr 11, 2018, at 3:32 PM, Rick Tillery wrote:
> I'll give those tools a try, but I don't understand how my client is
> requesting an A record. It only has IPv6 networking. DNS64 should be
> requesting an A record, but what the client should see is the converted
> record. Is that not rig
Because nslookup and dig are specialised DNS testing tools. They
don’t use getaddrinfo to perform test lookups. getaddrinfo is the
function that most applications use as part of the connection process.
> On 12 Apr 2018, at 8:33 am, Rick Tillery wrote:
>
> I'll give those tools a try, but I don
I'll give those tools a try, but I don't understand how my client is
requesting an A record. It only has IPv6 networking. DNS64 should be
requesting an A record, but what the client should see is the converted
record. Is that not right?
Rick
On Wed, Apr 11, 2018, 5:27 PM Chuck Swiger wrote:
RFC 1034
The domain system provides such a feature using the canonical name
(CNAME) RR. A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR. If a CNAME RR is present at a node, no other data should be
present; this ensur
On Apr 11, 2018, at 3:09 PM, Rick Tillery wrote:
> I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured correctly, as
> I can access IPv4 only Internet sites, e.g. from my browser. But some tools
> don't seem to work the way I think they should.
>
> One example is nslookup. If I do ns
I am seeing the below error when a zone is signed without an A record for zone.
However there is a CNAME record for the same top-level domain (zone), could
this be causing the below error and why?
dnssec-signzone: error: dns_master_load: :33: zonename: CNAME and other data
dnssec-signzone: fa
I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured correctly,
as I can access IPv4 only Internet sites, e.g. from my browser. But some
tools don't seem to work the way I think they should.
One example is nslookup. If I do nslookup ipv4.google.com, I get:
$ nslookup ipv4.google.com
Ser
On Wed, 2018-04-11 at 21:06 +, praveen via bind-users wrote:
> Is an "A" record mandatory entry for top-level domain (zone) when
> using DNSSEC, DKIM, SPF and DMARC configuration?
No. I have zones with all of that, with no A record at the apex,
Hi All,
Sometime ago I posted about capturing DNS activity (queries and responses)
for both BIND and Windows DNS, and my colleague had a tool which he ported
to Windows for me. This tool is called dns-logger.
His company NoSpaceships, has just released the dns-logger product,
available free for
Hi there,
On Wed, 11 Apr 2018, speijnik wrote:
I'd need a way of returning a random pick of a limited number of
records from a given rrset ...
Something like this?
8<--
#!/usr/bin/perl -w
use strict;
use Net::DNS;
use List::
All,
Operating BIND version "BIND 9.9.10-P1 (Extended Support Version)" DNSSEC
signing in place. DKIM, SPF and DMARC records are also in place for top-level
domain (zone).
Is an "A" record mandatory entry for top-level domain (zone) when using DNSSEC,
DKIM, SPF and DMARC configuration?
Thanks
Ah, you are awesome Carl! Thank
you!! And doh, stupid me. I was
emailing the wrong people.
On Wed, Apr 11, 2018 at 11:45 AM, Carl Byington wrote:
> On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:
>
>
>> I'm wondering if anyone fr
On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:
> I'm wondering if anyone from this august group
> can clue me in to how I might config around this
> issue for the archives.gov servers (assuming that
> is possible).
// 9-11commission.gov
Hi folks,
I upgraded out of 9.10 and into 9.12
last week. Subsequent to that, I received
complaints about hosts in archives.gov
failing to resolve.
We run validating recursive servers, and
archives.gov is signed.
I've poked at this but concluded I lack
enough DNS foo to understand the specifics
Dear bind users,
I'm currently looking for a way of making bind9 respond with a subset of an
rrset. I'd need a way of returning a random pick of a limited number of
records from a given rrset.
ie. from an existing rrset containing 100 records I'd like to return 5
random records.
From what I've
I should have pointed out that BOTH servers have recursion turned on.
Yeah, I know about having DNSSEC-enable=yes to not break downstream
validation. (I inherited this setup...)
BOTH are internal DNS servers with access to the internet to query the
internet roots (no default forwarding active).
On a case-by-case basis, one can use stub zones, conditional forwarding, etc.
but if you're looking for a "break Internet standards" switch, I think you're
going to be disappointed. Vix has stopped calling BIND a "reference"
implementation of DNS, but it still tries to set a good example.
Quoting Anand Buddhdev
The delegation of 131.161.213.in-addr.arpa points to dns.est.com.tr and
dns2.est.com.tr. But these two names are aliased to dns3.est.com.tr and
dns4.est.com.tr.
However, one cannot use alias names as targets of NS records. This is
forbidden by RFC 2181, section 10.3.
Th
Bob McDonald wrote:
>
> Server A
> DNSSEC=yes
> DNSSEC-validation=yes
> Valid trust anchor for the root zone
> DNSSEC validation seems to work correctly
> Zone one.com. is setup as a forward zone to server B
>
> Server B
> DNSSEC=no
> DNSSEC-validation=N/A
> authoritative and the master for one.co
Aras Yorgancı wrote:
>
> Our BIND 9.9 DNS servers cannot resolve the PTR record of an MX server. So we
> cannot establish e-mail communication.
This is because the delegation NS records point at CNAMEs, which is not
allowed - if a resolver tries to chase CNAMEs in this situation it can get
into a co
The delegation of 131.161.213.in-addr.arpa points to dns.est.com.tr and
dns2.est.com.tr. But these two names are aliased to dns3.est.com.tr and
dns4.est.com.tr.
However, one cannot use alias names as targets of NS records. This is
forbidden by RFC 2181, section 10.3.
The operator of this reverse
Consider the following example:
Server A
DNSSEC=yes
DNSSEC-validation=yes
Valid trust anchor for the root zone
DNSSEC validation seems to work correctly
Zone one.com. is setup as a forward zone to server B
Server B
DNSSEC=no
DNSSEC-validation=N/A
authoritative and the master for one.com.
When ser
Hi,
Our BIND 9.9 DNS servers cannot resolve the PTR record of an MX server. So
we cannot establish e-mail communication.
[root@localhost ~]# dig @127.0.0.1 -x 213.161.131.25
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @127.0.0.1 -x 213.161.131.25
; (1 server found)
;; global options: +cmd
;;
34 matches