implement the DNS
protocol. NS queries for intermediate names are not getting the expected
answer.
-- Mark Andrews
On 1 Dec 2023, at 21:10, Alessandro Vesely wrote:
Hi all,
I have this in BIND 9.18.19-1~deb12u1-Debian' logs:
north:log$ grep '148.19.188.64.list.dnswl.org' na
Hi all,
I have this in BIND 9.18.19-1~deb12u1-Debian' logs:
north:log$ grep '148.19.188.64.list.dnswl.org' named-qu.log.0
30-Nov-2023 15:58:23.901 queries: info: client @0x7f281e72ff68 127.0.0.1#54827
(148.19.188.64.list.dnswl.org): view internal: query:
148.19.188.64.list.dnswl.org IN A + (12
Hi,
DHCP server has options to insert leased addresses in a dynamic zone. That
works for IPv4. PCs connected to the LAN somehow discover the gateway has a
routable IPv6 address and self-assign an address in that range, besides the
fe80:: thing, without talking to a DHCP server.
Is there a
On Sat 10/Jun/2023 19:32:31 +0200 Ondřej Surý wrote:
The other approach might be the up/down scripts on your ppp connection that
will reconfigure the query-source(-v6) address as the connection is established
or torn down.
Cute! Thank you.
Best
Ale
On Fri 09/Jun/2023 18:32:25 +0200 Anand Buddhdev wrote:
On 09/06/2023 17:26, Alessandro Vesely wrote:
Having two WANs, it would be reasonable, in case one doesn't work, to try the
other one. However, it's always useless to try the LAN. Is there any way to
configure which interfa
Hi,
I have two WANs. As a leftover from the times when I had no IPv6 address, I
was running named with -4 option. I just removed it a couple of minutes ago.
However, I still have IPv4 precedence in gai.conf:
precedence ::1/128 50 0
precedence ::/0 40
Hi,
I forked libopendkim, an abandonware library implementing DKIM signatures for
email messages. It has a QUERY_CACHE compile-time option which enables usage
of a Berkeley DB to store DKIM keys. If the option is enabled, the local cache
is looked up before querying the DNS, and keys are cac
On Wed 23/Nov/2022 16:54:56 +0100 Niall O'Reilly wrote:
With "APT-Sources: http://ppa.launchpad.net/isc/bind/ubuntu focal/main amd64
Packages",
the file /usr/share/doc/bind9/README.Debian recommends:
Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be
stored in /v
Hi Dan,
On Sat 24/Sep/2022 01:10:12 +0200 Dan Mahoney wrote:
On Aug 23, 2022, at 07:39, G.W. Haywood via bind-users
wrote:
On Tue, 23 Aug 2022, Alessandro Vesely wrote:
I see the list operates both From: munging and ARC sealing. While I'm clear
about the former, I'm curious abo
time mail comes.
On 25.08.22 18:10, Alessandro Vesely wrote:
Please tell us.
On Fri 02/Sep/2022 14:27:55 +0200 Matus UHLAR - fantomas wrote:
so far, not ex
- opendmarc only uses header that's inserted by openarc milter
- openarc milter for bind-users inserts arc.chain="isc.org:isc.or
On Sun 04/Sep/2022 14:17:25 +0200 Benny Pedersen wrote:
ARC-Authentication-Results: i=1; mx.pao1.isc.org;
dmarc=pass (p=none dis=none) header.from=tana.it;
spf=pass smtp.mailfrom=tana.it;
dkim=permerror (0-bit key) header.d=tana.it header.i=@tana.it
That stanza is faulty. The key at eps
On Fri 02/Sep/2022 14:27:55 +0200 Matus UHLAR - fantomas wrote:
On 25.08.22 18:10, Alessandro Vesely wrote:
I see the list operates both From: munging and ARC sealing. While I'm
clear about the former, I'm curious about how ARC works:
Do any subscribers trust the seal by isc.org?
On Mon 29/Aug/2022 12:09:10 +0200 Matus UHLAR - fantomas wrote:
On 25.08.22 18:10, Alessandro Vesely wrote:
The lack of interest by others proves that From: munging is not so much of a
nuisance as they say...
This will come sooner or later, however:
earlier this year I've done small
Thanks Ged for all the feedback.
The lack of interest by others proves that From: munging is not so much of
a nuisance as they say...
Best
Ale
On Tue 23/Aug/2022 16:39:33 +0200 Bind Users wrote:
Hi there,
On Tue, 23 Aug 2022, Alessandro Vesely wrote:
I see the list operates both From
Hi all and list admins,
I see the list operates both From: munging and ARC sealing. While I'm
clear about the former, I'm curious about how ARC works:
Do any subscribers trust the seal by isc.org?
In that case, do they get non-munged messages?
Are there other advantages that ARC brings abou
On Thu 28/Oct/2021 09:34:42 +0200 Matthijs Mekking wrote:
On 27-10-2021 18:48, Alessandro Vesely wrote:
3. The server produces new .signed and .signed.jnl files every day, which
is inconvenient as the zone files directory is checked by tripwire. Is
that timing determined by the dnskey-ttl
Hi Matthijs,
thanks for clarifications.
On Wed 27/Oct/2021 17:53:46 +0200 Matthijs Mekking wrote:
On 27-10-2021 12:54, Alessandro Vesely wrote:
I also switched to dnssec-policy. Somewhere I read that I should have
defined a policy with keys matching the existing keys. I also defined a
Hi all,
I recently installed version 9.16, and have a number of doubts. During the
upgrade, named didn't want to load signed zones because of CDS/CDNSKEY
inconsistency. There were CDS records in the zone files, which I removed.
I also switched to dnssec-policy. Somewhere I read that I shou
Ooops, sorry. Please forget that.
On Fri 25/Jun/2021 12:50:55 +0200 Alessandro Vesely wrote:
However, named-checkconf doesn't complain. I could fix that by defining an
acl named localhost. But do I need to?
Now I tried to redefine and got:
/etc/bind/named.conf.options:37: attem
Hi,
I found a number of allow-query {localhost;}; and similar stuff in my .conf
files. It doesn't seem to be allowed, since the manual says:
The elements which constitute an address match list can be any of the
following:
* an IP address (IPv4 or IPv6)
* an IP prefix (i
On Fri 04/Jun/2021 22:51:01 +0200 Ondřej Surý wrote:
And if I had to answer the question whether I and my team should
spend time improving BIND 9 just for everybody or invest the precious
time into fixing yet another incompatibility between POSIX/SUSv2 and
Windows world, I think the answer would
On Wed 14/Apr/2021 00:37:22 +0200 Richard T.A. Neal wrote:
Julien Salort wrote:
Reading this thread, I considered simply enabling the fail2ban named-refused
jail, but they advise against it because it would end up blocking the victim
rather than the attacker.
I'm happy to be corrected by mo
On Thu 11/Feb/2021 17:44:20 +0100 Havard Eidnes wrote:
Yeah, by the time it lands on Debian's glibc we'll have grown a long
long beard. I'm still missing RES_TRUSTAD...
Oh, this set me off on a tangent. I hadn't heard of RES_TRUSTAD
before, so I found
https://man7.org/linux/man-pages/man5
On Thu 11/Feb/2021 14:47:13 +0100 Ondřej Surý wrote:
Mark is right. The internet isn’t always on and it isn’t only composed of big
tech companies with lots of resources.
The internet consists of lots of small systems made by people like you and me and
we don’t have infinite resources to keep every
On Wed 10/Feb/2021 22:38:05 +0100 J Doe wrote:
Out of curiosity, what servers have you encountered that no longer use the five
day cutoff ?
I didn't take note, but I read discussions on the topic. Users expect mail to be
delivered almost instantly. The "warning, still trying" messages sho
On Thu 11/Feb/2021 10:44:58 +0100 Havard Eidnes wrote:
Still, being able to differentiate a local network congestion from a
remote bad configuration would help.
That's true. There's
https://tools.ietf.org/html/draft-ietf-dnsop-extended-error-16
which looks promising, trying to make it poss
Hi Havard,
thanks for your reply.
On Tue 09/Feb/2021 18:15:43 +0100 Havard Eidnes wrote:
is there a way to know that a query has already been tried a few
minutes ago, and failed?
From whose perspective?
A well-behaved application could remember it asked the same query
a short while ago, of
Hi,
is there a way to know that a query has already been tried a few minutes ago,
and failed?
It seldom happens, but sometimes the DKIM mail filter gets a SERVFAIL when it
tries to authenticate an incoming message. SERVFAIL occurs when DNSSEC check
fails. Trying again is useless, it has
On Wed 13/Jan/2021 14:31:58 +0100 John Kristoff wrote:
Some may be sourced from a security/research survey project, but some
sources performing this may be for more nefarious purposes - building a
list of open resolvers that will answer for the purposes of maintaining
an amplification/reflection hi
On Wed 13/Jan/2021 11:03:01 +0100 Matus UHLAR - fantomas wrote:
On 13.01.21 10:21, Alessandro Vesely wrote:
Are the queries refused because of the dot (.)? In the query log, I also
found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which
probably got away with a NXDOMAIN.
no
Hi,
I'm getting lots of log lines like the following:
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048
(.): view external: query failed (REFUSED) for ./IN/ANY at
../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74
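The log lines quoted above, as an added example that is not part of the original thread: a small Python tally of REFUSED ANY queries per client address, of the kind used to spot open-resolver probing (". IN ANY" is the classic amplification test). The sample log below is constructed with documentation-range addresses, patterned on the quoted format; the regex is an assumption about that format derived only from the quoted lines, and the threshold is a tunable assumption, not a value from the thread.

```python
import re
from collections import Counter

# Regex modelled only on the log shape quoted in the message; it is an
# assumption about BIND's format, not taken from BIND's source.  It captures
# the client address, the view, the RCODE and the qname/class/type of the
# failed query.
FAILED_QUERY_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<shown>[^)]*)\): view (?P<view>\w+): "
    r"query failed \((?P<rcode>\w+)\) for (?P<qname>\S+)/(?P<qclass>\w+)/(?P<qtype>\w+) at "
)

# Constructed sample log (documentation-range addresses), patterned on the
# lines quoted above; not real traffic.
SAMPLE_LOG = """\
Jan 12 04:35:18 north named[22233]: client @0x7fe0fc2a3b80 192.0.2.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 north named[22233]: client @0x7fe0fc2784d0 192.0.2.8#24049 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:19 north named[22233]: client @0x7fe0fc2784d0 198.51.100.7#53000 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:20 north named[22233]: client @0x7fe0fc2a3b80 203.0.113.5#40001 (www.example.net): view external: query failed (REFUSED) for www.example.net/IN/A at ../../../bin/named/query.c:7144
Jan 12 04:35:21 north named[22233]: client @0x7fe0fc2a3b80 127.0.0.1#54827 (example.net): view internal: query: example.net IN A + (127.0.0.1)
"""


def parse_failed_queries(log_text):
    """Return one dict per 'query failed' line; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_QUERY_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def refused_any_by_client(log_text):
    """Count REFUSED ANY queries per source address.  '. IN ANY' is the usual
    open-resolver probe: a recursive answer would be large, so the sender is
    testing whether this server can be used as an amplifier."""
    counts = Counter()
    for q in parse_failed_queries(log_text):
        if q["rcode"] == "REFUSED" and q["qtype"] == "ANY":
            counts[q["ip"]] += 1
    return counts


def probing_clients(log_text, threshold=2):
    """Addresses that sent at least `threshold` refused ANY probes, sorted.
    The threshold is a tunable assumption, not a value from the thread."""
    return sorted(ip for ip, n in refused_any_by_client(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for ip, n in refused_any_by_client(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} refused ANY")
    print("probing:", probing_clients(SAMPLE_LOG))
```

Only lines that named already refused are counted, so the tally says nothing about what the server leaked; it only ranks who is knocking, which is the input a rate-limit or a firewall rule would want.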
On Thu 05/Nov/2020 12:59:37 +0100 Michael De Roover wrote:
On Thu, 2020-11-05 at 11:31 +0100, Alessandro Vesely wrote:
A good secondary offloads your server
noticeably, and
keeps the domain alive in case of temporary failures.
AFAIK, authoritative slave servers are only used when the master
On Thu 15/Oct/2020 18:57:16 +0200 Jason Long via bind-users wrote:
Excuse me, I just have one server for DNS and that tutorial is about secondary
DNS server too.
Just skip the chapter about the secondary. You're better off buying secondary
DNS services externally. A good secondary offload
On Thu 15/Oct/2020 20:59:32 +0200 Stephane Bortzmeyer wrote:
On Thu, Oct 15, 2020 at 11:16:05AM -0700,
Fred Morris wrote
a message of 50 lines which said:
2) If you want to run your own DNS nameservers, you will need to buy a
book, read the (BIND) Administrator's Reference Manual, and/o
On 2020-06-05 9:29 p.m., Paul Kosinski via bind-users wrote:
> A very interesting article on how China uses DNS (among other things)
> to "control" Internet usage.
>
> https://blog.thousandeyes.com/deconstructing-great-firewall-china/
The term "DNSSEC" appears just once in that article, after th
Great!
Thank you Ondrej
Ale
On 29/04/2020 12:26, Ondřej Surý wrote:
> Hi,
>
> to create an empty non-terminal (ENT) you should do:
>
> non-empty.an-empty-name.example.com. IN TXT
>
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
>
>> On 29 Apr 2
Hi all,
the doc says each node has a set of resource information, which may be empty.
But how do I create such a node? If I just write, say:
an-empty-name.example.com.
named-checkzone complains about unexpected end of input.
NULL is not usable in master files. For the time being, I try:
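The point behind the question above and the reply to it, as an added example that is not part of the original thread: an empty non-terminal owns no records but has names beneath it, so it exists only by implication and cannot be written as a bare owner line in a master file; the way to make the node exist is to put a record at a name below it. The Python below computes the ENTs of a zone given as (owner, type, rdata) tuples and classifies a query name as data, ENT (answered NODATA) or NXDOMAIN. The sample zone and the hostmaster/ns1 names are constructed for the example.

```python
# Added example, not from the thread: which names in a zone are empty
# non-terminals (ENTs).  An ENT owns no records itself but has names below it.
# It exists only by implication, which is why a bare owner line such as
#   an-empty-name.example.com.
# is rejected by named-checkzone: the node comes into existence through a
# record at a name beneath it.


def canon(name):
    """Lower-case, fully qualified form of a domain name."""
    return name.lower().rstrip(".") + "."


def _labels(name):
    return canon(name).rstrip(".").split(".")


def ancestors_below_origin(name, origin):
    """Proper ancestors of `name` that lie strictly below `origin` (apex excluded)."""
    labels, olabels = _labels(name), _labels(origin)
    if labels[-len(olabels):] != olabels:
        return []  # out-of-zone name, nothing to report
    rel = labels[:len(labels) - len(olabels)]
    return [".".join(rel[i:] + olabels) + "." for i in range(1, len(rel))]


def empty_non_terminals(records, origin):
    """records: iterable of (owner, rrtype, rdata).  Returns sorted ENT names."""
    owners = {canon(owner) for owner, _rrtype, _rdata in records}
    ents = set()
    for owner in owners:
        for anc in ancestors_below_origin(owner, origin):
            if anc not in owners:
                ents.add(anc)
    return sorted(ents)


def name_status(records, origin, qname):
    """How an authoritative server sees qname: 'data' (owns RRs), 'ent'
    (exists, answers NOERROR with an empty answer section), or 'nxdomain'."""
    q = canon(qname)
    if q in {canon(o) for o, _, _ in records}:
        return "data"
    if q in empty_non_terminals(records, origin):
        return "ent"
    return "nxdomain"


# Constructed sample zone (hypothetical data, not from the thread).
ORIGIN = "example.com."
SAMPLE_ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    # the record that brings an-empty-name.example.com. into existence as an ENT
    ("non-empty.an-empty-name.example.com.", "TXT", '""'),
]

if __name__ == "__main__":
    print("ENTs:", empty_non_terminals(SAMPLE_ZONE, ORIGIN))
    for q in ("an-empty-name.example.com", "nope.example.com", "NS1.example.com."):
        print(f"{q:30} -> {name_status(SAMPLE_ZONE, ORIGIN, q)}")
```

Names are compared case-insensitively and always in fully qualified form, which is also why the status of "NS1.example.com." comes back as data.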
On Wed 15/Apr/2020 10:15:09 +0200 Ondřej Surý wrote:
> The renaming was done as it was a logical choice, the service is starting a
> daemon,
> and not a package, and daemon name is `named`. Also it is the name used by RPM
> based systems and Arch Linux and Gentoo, so it was also made to make BIND
Hi
On Sat 08/Feb/2020 12:05:23 +0100 Ondřej Surý wrote:
> If `dig +dnssec +cd emeraldonion.org mx` will give you answers and `dig
> +dnssec emeraldonion.org mx` does not, then it’s most probably validation
> failure.
Aha, +cd is what I wanted to learn. Thanks a lot!
>
> Then of course base
Hi,
thank you for your prompt reply!
On Sat 08/Feb/2020 11:39:05 +0100 Ondřej Surý wrote:
>> How do I fix this issue?
>
>
> You don’t, their DNSSEC is broken:
>
> https://dnsviz.net/d/emeraldonion.org/dnssec/
I see. Is there a command to diagnose that locally?
> They have to either start
Hi!
I find I'm unable to send mail to a domain. I get an NDR saying DNS lookup
failed. Indeed, when I try manually, I get:
906-north:src$ dig emeraldonion.org mx
; <<>> DiG 9.10.3-P4-Debian <<>> emeraldonion.org mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status:
Same here
See also
https://serverfault.com/questions/897894/bind-is-not-resigning-dnssec-zone-after-zone-update-and-service-restart
Ale
On Thu 23/Jan/2020 09:57:02 +0100 Jukka Pakkanen wrote:
> Yes, that worked. Also had to delete the .jnl, to prevent the "not exact"
> error..
>
> Jukka
>
>
On Tue 12/Nov/2019 18:18:52 +0100 Tony Finch wrote:
> Alessandro Vesely wrote:
>>
>> It doesn't seem to happen every day, but can happen again on the next day.
>> Can
>> the period be controlled?
>
> It depends on the size of the zone (bigger zone
On Tue 12/Nov/2019 13:39:30 +0100 Jim Popovitch via bind-users wrote:
> On 11/12/19 4:42 AM, Alessandro Vesely wrote:
>> Hi,
>>
>> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
>>
>> Although the domain is static, the .signed and .signed
On Tue 12/Nov/2019 12:09:06 +0100 Mark Andrews wrote:
> The RRSIGs need to be regenerated periodically. These are the changes you are
> seeing.
>
It doesn't seem to happen every day, but can happen again on the next day. Can
the period be controlled?
Best
Ale
Hi,
I have a signed domain, with inline-signing yes and auto-dnssec maintain.
Although the domain is static, the .signed and .signed.jnl files are being
rewritten without apparent reason. They are about a month newer than the
corresponding .jbk and base files.
I notice that because of tripwire
Hi all,
reading about the various ways to sign zones, inline-signing seems to be the
simplest one. However, a 2014 Swiss howto I found has this obscure warning:
Update Nov 2017: DNSSEC zone signing as described here is outdated.
We strongly recommend against the method described in this