Hello,
In line with ISC's deprecation policy, I am notifying the mailing list
of our intent to remove support for Response-Policy Server support.
Back in 2018, Farsight Security[1] contributed a patch to BIND that was
an optional replacement to our native RPZ implementation. At that time,
our RPZ
Hi John.
Let me add that NOT restricting what the resolver accepts from the
forwarder would be a security hole. In fact it _was_ a security hole in
BIND, see
[CVE-2021-25220] DNS Cache Poisoning Vulnerability
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950
In your example 'baz.local'
Hi John.
The reason is step 4c here:
https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3
The A record in the response is for a name that BIND wasn't asked for
(otherwise why a CNAME at all?), so in the interests of not just believing
random answers that might potentially poison the cache,
We are asked to forward queries for foo.example.com to a set of private
resolvers. So we have something like this in our .conf
zone "foo.example.com" {
    type forward;
    forward only;
    forwarders { 10.1.2.3; 10.1.4.5; };
};
And when queried for an A-record for bar.foo.example.com (and the
Allow me to quote from BIND documentation here:
https://bind9.readthedocs.io/en/latest/reference.html#bind-9-statistics
Cache DB RRsets
Statistics counters related to cache contents, maintained per view.
The “NXDOMAIN” counter is the number of names that have been cached as
nonexiste
Hi,
Your network configuration as per
https://gitlab.isc.org/isc-projects/bind9/-/issues/4866 is a class C
private IPv4. For a class C IPv4 private range you don't need cluster at
server level to support queries from hardly less than 256 hosts. It can be
achieved at the physical single server confi
Hi Nagesh,
it's unclear what exactly is the log about. Is that first start of the
server? (I guess so.) Or the client's attempt?
You have mentioned that you have two systems, one working and other one
failing. I suggest you gather logs from both and compare them line by
line to find the diff
Hi,
We have checked all the files related to krb and keytab, all files and
their permissions are good. But still updates are getting denied. I am
attaching the Krb5 Trace output also, please check and let me know.
tkey-gssapi-credential option also specified in the named.conf, but still
updates are
Hello everyone,
I am currently working on a solution using BIND 9 with two servers in a
cluster, managed by Pacemaker, with a floating IP to ensure service
continuity in case of failover. My main goal is to dynamically load DNS
zones from a database.
I have already tried using the DLZ modules, bu
9 matches