Re: Primary/Secondary

2025-02-09 Thread Carsten Strotmann via bind-users
me personally, and I do not want to go back using the old terms. (for context: I'm from Germany) Greetings Carsten Strotmann -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscription

Re: Snapshot versions of BIND 9.18 and 9.20 for testing

2025-01-30 Thread Carsten Strotmann via bind-users
Hi Ondřej, On 31 Jan 2025, at 8:16, Ondřej Surý wrote: > We would appreciate if you can give the following git snapshots a test run > if you have a capacity to do so. I can report that 9.18.34-dev compiles and works fine on OpenBSD 7.6, and 9.20.6-dev compiles and works on NetBSD 10.1. My syst

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Ondřej, > On 27. Feb 2024, at 16:43, Ondřej Surý wrote: > > Carsten, could you please fill a feature request in the GitLab? Done, #4606. Greetings Carsten

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Jim, > On 27. Feb 2024, at 16:39, Jim P. via bind-users > wrote: > > There should also be an option to display the current configuration in > specific detail to easily create a new KASP (side question: why does DNS > need a new acronym?) The term “KASP” for “Key-and-signing-policy” has been

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Matthijs, On 27 Feb 2024, at 15:54, Matthijs Mekking wrote: > - When migrating to dnssec-policy, make sure the configuration matches your > existing keys. the most problems I've seen so far have to do with this step: admins "think" they have created a configuration that matches the current

Old ZSK refuses to retire

2023-04-26 Thread Carsten Strotmann via bind-users
Hi, I have a situation where in a BIND 9 zone with dnssec-policy and inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire. Although the timing metadata shows the retire and deletion dates in the past, the ZSK is still in the zone and is signing the records (along with the n

KASP: sharing policy and keys between views

2023-03-17 Thread Carsten Strotmann via bind-users
operate a DNSSEC signed split horizon setup? Greetings Carsten Strotmann

Re: DNSTAP overload condition logging

2021-11-19 Thread Carsten Strotmann
Hi Chris, Chris Buxton writes: Hi Carsten, From our reading of the code, it appears that when the buffer fills up, it refuses to accept new entries. Older events are not overwritten, but newer events are refused. The fstrm_iothr_submit() function can return su

DNSTAP overload condition logging

2021-11-18 Thread Carsten Strotmann
Hi, how can a BIND 9 operator detect a DNSTAP overload condition? My understanding is that BIND 9 worker threads write DNSTAP information into a circular buffer in memory, which is then read by a different thread to write out the data (to file or socket). Is there any indication to the user

Re: How to measure use of forwarders?

2021-11-18 Thread Carsten Strotmann
Hello Richard, "Parkin, Richard (R.)" writes: Hello! We recently re-addressed some of our external-facing cache servers into a new network and discovered that our IPs appear to be blackholed going to certain third-party auth servers, either intentionally or unintentionally. Our workarou

Status of zytrax.com "DNS for Rocket Scientists" website

2021-04-19 Thread Carsten Strotmann
Hi, does anyone know about the status of the zytrax.com website and the excellent "DNS for Rocket Scientists" guide? The webpage first had an x509 certificate error (expired) in December 2020 and now the web server is unreachable. I (and colleagues) have tried to reach Ron Aitchison by mail

Re: Wildcard DNS records

2018-03-15 Thread Carsten Strotmann
Hello Stefano, Chiesa, Stefano writes: > Hello all. > I manage several BIND 9.10.4-P8 servers with more or less 600 DNS zones. > Anyway I never used wildcard DNS record and I hope you can help me to > understand. > > The need is: > * I have a dns zone i.e. example.com > * this zone will have an

Re: TLD Registries supporting RFC 7344/8078

2018-03-14 Thread Carsten Strotmann
Hello Stephane, Stephane Bortzmeyer writes: > On Tue, Mar 13, 2018 at 10:52:50AM +0100, > Carsten Strotmann wrote > a message of 19 lines which said: > >> is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) >> already supported at the TLD level somewhere?

TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Carsten Strotmann
Hi, is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) already supported at the TLD level somewhere? I know it is implemented in BIND 9.11+ and Knot, but can it be used in the real Internet :) I searched the usual places but cannot find any information indicating support at TLD level.

Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Carsten Strotmann
Hi Daniel, Daniel Stirnimann writes: > Hello Carsten, > >> RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of >> negative responses". > > Negative caching TTL is not defined as the last field of the SOA RR: > > "When the authoritative server creates this record its TTL > i

Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Carsten Strotmann
Hi, here is a question I've got during a DNS training, and I still do not have a good answer: RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of negative responses". ; << DiG 9.10.3-P4-Ubuntu << +noall +answer +multi +cmd soa example.com ;; global options: +c

BIND 9.10 IPv6 performance

2015-03-08 Thread Carsten Strotmann
Hi, I'm doing some performance tests on some modern Haswell CPU machines (20 cores) using Ubuntu Linux 14.04 (Kernel 3.13.0-46-generic) using BIND 9.10.1-P2 compiled with "--with-tuning=large". With using 8 worker threads I get near 400K QPS via IPv4 UDP (from a hot cache without resolving), whic

Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Hello Shumon, Shumon Huque writes: > On Sat, Feb 21, 2015 at 7:35 AM, Carsten Strotmann > wrote: > > Hi, > > I'm trying to build an automated update system for OPENPGPKEY records > with BIND 9 9.9.6-P2 and "nsupdate". > > I've verified

Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
PKEY RR Type (not the generic RR representation). -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Addition: this is how the nsupdate line for the record looks like add f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. IN TYPE61 \# 3340 99020d[] The RDATA size after "\#" seems to be correct. -- Carsten Strotmann Email: c...@strotmann.de Blog: st

size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
or in the "generic RR" syntax (generated by hash-slinger)? Might this be a buffer issue? -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-25 Thread Carsten Strotmann
Hi Tony, Tony Finch writes: > Carsten Strotmann wrote: >> >> I do not understand how the NSEC3 hash can be defeated by an >> attacker. Could you give a link to additional information or could you >> explain the issue with NSEC3 salt in other words? > > http://

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-25 Thread Carsten Strotmann
d how the NSEC3 hash can be defeated by an attacker. Could you give a link to additional information or could you explain the issue with NSEC3 salt in other words? Best regards Carsten -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

Re: DNS slave not synced after successfully zone transfer

2014-07-24 Thread Carsten Strotmann
m ISC --> ftp://ftp.isc.org/isc/bi…-P2/BIND9.10.0-P2.x64.zip -- Carsten Strotmann Email: c...@strotmann.de Blog: dnsworkshop.org

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-24 Thread Carsten Strotmann
zone is not too big (e.g. re-generating all RRSIGs is not a problem), I would recommend to roll the salt in the same intervals, but independent from the ZSK rollover. -- Carsten Strotmann Email: c...@strotmann.de Blog: dnsworkshop.org

Re: Can someone please translate entries from query.log file?

2014-07-16 Thread Carsten Strotmann
/bind/solaris/9/sparc/9.9.3-P2/> Best regards Carsten -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Carsten Strotmann
Hello Jeronimo, "Jeronimo L. Cabral" writes: > Dear, we have several hosts in our LAN that ask our BIND DNS: Debian, > Windows 7, Red Hat and CentOS. > > If we implement DNSSEC validation support in our BIND9 server...how > can I know if our hosts' resolvers are compatible with DNSSEC queries >

Re: What means -EDC in bind9 logs ?

2014-04-24 Thread Carsten Strotmann
Jean-François Leroux writes: > Hi, > must be a stupid question but I hadn't noticed before that some > queries in my server are labelled like that > > query IN A -ED (or EDC, or EC) > > What does this mean ? you'll find the documentation for query-log entries in the BIND Administra

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-21 Thread Carsten Strotmann
Hello Evan, Evan Hunt writes: > On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote: >> there could be a hard-link from a name like "tsig-keygen" to >> "dnssec-keygen" which changes the type of key created to "-n HOST". That >

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Carsten Strotmann
Hello Evan, Evan Hunt writes: >> there could be a hard-link from a name like "tsig-keygen" to >> "dnssec-keygen" which changes the type of key created to "-n HOST". That >> would not require any change to the existing interface. Just an idea. > > Thanks, Carsten. I had actually had the same thou

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Carsten Strotmann
Hi Evan, Evan Hunt writes: > On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote: >> I agree that it might be nice to change "dnssec-keygen" to make the tool >> more userfriendly. The current state-of-things is because of historic >> developme

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-05 Thread Carsten Strotmann
Gaurav Kansal writes: > I was wondering if HMAC* keys are not used for zone then why the same > is displayed when we use "dnssec-keygen -h". the tool "dnssec-keygen" can be used to create both "zone" keys (with "-n ZONE") for DNSSEC zone signing, and "host" keys (with "-n HOST") for TSIG signin

Re: Monitoring Zonefiletransfer

2014-02-27 Thread Carsten Strotmann
Hi Markus, "Markus Weber" writes: >> >> Choose sane SOA values. refresh and retry << expire > > I will check these values, i thought they were kind of standard values > the default SOA values on a MS DNS Server are well and good for dynamic, internal, AD integrated DNS zones. For use in

Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-21 Thread Carsten Strotmann
Hi Chris, Chris Buxton writes: > I’d bet that the package from Men & Mice includes this script or an > equivalent workaround. When I wrote the original script I wrote about > above, I worked at Men & Mice. Your script or the sleep timer is not in the package anymore, but maybe it should be. I d

Re: Allow recursion for esternal resources in a authoritative zone on a "not open" dns server

2013-11-19 Thread Carsten Strotmann
thing special to configure in BIND, only you need a BIND DNS Server acting as a cache server. A client should never directly talk to an authoritative (only) DNS Server. It should always go through an intermediate caching. Best regards Carsten Strotmann "Chiesa Stefano" writes: > He

Re: MAcOS X 10.9 upgrade removes BIND

2013-10-30 Thread Carsten Strotmann
Hi Sean, Sean Channel writes: > > Thanks for the M&M package, this is fantastic! On the critical side, > the package BOM only lists an extinct tarball instead of the actual > files and directories in the package. Just a nit pick, apologies: yes, that is a historical artifact from the time where

Re: MAcOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
let me know. Please report any issues with these installers to me. Best regards Carsten Strotmann Eduardo Bonsi writes: > I want to confirm what Carsten said here; > > I just performed an upgrade from Snow Leopard, 10.6.8 one day before > Yesterday. The upgrade itself went fine exc

MAcOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
nd there are reports coming in from other users, but I need to confirm this on a lab environment. The Men & Mice BIND MacOS X installers at currently fail on MacOS X 10.9, because /var/named is not there. I'm working on updating the Men & Mice packages to work on Mac

Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
Eduardo Bonsi writes: > Menandmice have some pre-compiled packages updates for these systems. > > http://support.menandmice.com/download/bind/ > > GNU-kfreebsd/ > illumian/ > kGNUfreebsd/ > linux/ > macosx/ > solaris/ > (as the one compiling the BIND packages @ Men & Mice): unfortunately we do

Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
piled BIND binaries over to the DNS servers. "named -V" gives you the compile switches used to compile your current BIND. If you use the very same switches during compiling 9.8.6, you should get a new BIND that matches your existing setup and is a "

Re: Performance Tuning RHEL 5 and Bind

2013-10-24 Thread Carsten Strotmann
Hi, Kevin Darcy writes: > Are these queries mostly for names in an Active Directory domain? The > default for Active Directory is for *every* Domain Controller to > register NS records at the apex of the AD domain. Pretty soon, for any > reasonably-sized AD infrastructure, all of those NSes cau

Re: chroot /var/run permissions

2013-08-28 Thread Carsten Strotmann
Hello John, jo...@primebuchholz.com writes: > > What I am I missing here? /var/named/var/run and > /var/named/var/run/named > have group write permissions, so it seems it *shouldn't* be > complaining, > and the resulting files should've been owned by named, shouldn't they? > If you are runni

Re: [users@httpd] webservers not responding properly after hardware change

2013-06-14 Thread Carsten Strotmann
Hello Norman, Norman Fournier writes: > > I posted this to httpd.apache.org but have not had any response, so I > think it may be more related to BIND than DNS. Apologies for the > cross-post. the information you give is not enough to debug the problem or even to have a sense if it is a DNS pro

Re: [users@httpd] webservers not responding properly after hardware change

2013-06-14 Thread Carsten Strotmann
Hi Norman, Norman Fournier writes: > > ns2:~ norman$ apachectl -t > Syntax OK > ns2:~ norman$ apachectl restart > launchctl: CFURLWriteDataAndPropertiesToResource > (/System/Library/LaunchDaemons/org.apache.httpd.plist) failed: -10 > ns2:~ norman$ apachectl start > launchctl: CFURLWriteDataAndP

Re: [Architecture discussion] IPv6 and best practices for DNS naming and the MX/SMTP problem

2013-05-26 Thread Carsten Strotmann
IN 2001:db8:0:2::14 > > but this violates the RFCs saying that A/ entries should have a > corresponding PTR entry. > I don't see this violating an RFC. Both address entries for mailmx can (and should) have a proper PTR record (one in in-addr.arpa, and

Re: zone files in bind-9.9

2013-01-06 Thread Carsten Strotmann
Hello Feng, Feng He writes: > I upgraded my BIND from 9.7 to 9.9. > For BIND 9.7 all zone files under /var/cache/bind are clear textes. > But under BIND 9.9 it seems the zone files are binary format. > So how can we check the content of zone files now? you can use "named-compilezone" to conver

Re: Ubuntu 12.04 & BIND 9.9.2-P1

2013-01-06 Thread Carsten Strotmann
x-gnu/openssl-1.0.0/engines/libgost.so Be prepared that you need to copy multiple files. Fix one error and then look for the next. Best regards Carsten Strotmann

Re: RSA warnings & errors in 9.8.4

2013-01-06 Thread Carsten Strotmann
Hello Jay, Jay Ford writes: > I just upgraded BIND on a Linux-based server from 9.8.3-P3 to 9.8.4. > > I started getting a bunch of "RSA_verify" errors, as has been > discussed on this list. Is there a 9.8 release which quells those > messages, or is hacking > the source post-download still th

Re: rndc reconfig does not work

2012-12-29 Thread Carsten Strotmann
Hello Ben, benjamin fernandis writes: > Hi, > > As per my understanding, if we change anything in named.conf and then > if we require to enable changes without service restart, we go with > rndc reconfig. > > So i tried it but it does not work. > "rndc reconfig" does only very specific tasks a

Re: difference between default views in named_statistics.txt

2012-12-29 Thread Carsten Strotmann
" (authors.bind, version.bind, hostname.bind). try: dig @ ch tx hostname.bind So the statistics output give you information how many queries are received for "normal" DNS zones (view _default) and the special build in zone (view _bind). Best regards Carsten Strotmann

Re: Query regarding 'UPDATE' field in log entries

2012-12-26 Thread Carsten Strotmann
llow clients to automatically update the zone, you need to configure the zone as a dynamic zone (using update-policy or allow-update statements). If the client is not in your own networks, someone in the remote network has (mis-)configured the client to be inside t

Re: nsupdate for default TTL

2012-12-26 Thread Carsten Strotmann
change the dedicated TTLs on each individual resource record using the "nsupdate" tool. Best regards and a good new year! Carsten Strotmann

Re: Upstart job for BIND9

2012-11-29 Thread Carsten Strotmann
Hello Alexander, Alexander Gurvitz writes: > Carsten, > > The script in my original question (it's in the P.S. at the bottom of > my first mail) seem to work for me. Ahh, thanks, my Emacs was hiding that :) > (I can't decide which one is better: bind.conf, bind9.conf or > named.conf :) I w

Re: Upstart job for BIND9

2012-11-29 Thread Carsten Strotmann
Hello Alexander, Alexander Gurvitz writes: > Hello. > > I'm trying to run a bind9 from an upstart job instead of an init.d > script. > I'm a bit confused if I should "expect fork" or "expect daemon". It > seems > to work with "expect fork", though somehow I don't feel convinced. > > (Upstart mu

Re: Performance tuning

2012-11-28 Thread Carsten Strotmann
n is usually not the issue. Best regards Carsten Strotmann

Re: Forcing DNSSEC queries

2012-11-16 Thread Carsten Strotmann
Hello Russell, russell aspinwall writes: > > Could libresolv be modified so that it would permit the following > directives in /etc/resolv.conf. > > dnssec enable - perform only DNSSEC queries (default > mode of operation if no directive supplied) > > dnssec disable

Re: Change in statistics format

2012-11-15 Thread Carsten Strotmann
Hello John, John Miller writes: > Hello everyone, > > When did BIND 9 switch over from the older > > +++ Statistics Dump +++ (timestamp) > success # > referral # > nxrrset # > nxdomain # > recursion # > failure # > --- Statistics Dump --- (timestamp) > > to the newer > > +++ Statistics Dump +++

Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Carsten Strotmann
Phil Mayers writes: > On 14/11/12 15:02, King, Harold Clyde (Hal) wrote: >> I'm a bit confused by a user request. I think he is trying to keep some >> hosts on the private side of DNS, but he wants to use a DNS name like >> host.sub.local. I do not know of the use of the .local TLD except in >> b

Re: ISC Bind in Active Directory

2012-11-02 Thread Carsten Strotmann
Hello Phil, Phil Mayers writes: > On 10/24/2012 10:17 PM, Carsten Strotmann wrote: > >> my experience is that it is safe to place clients in either a DNS domain >> with the same name as the AD domain, or in a subdomain of the AD >> domain. > > What does "p

Re: Spotty Lookups on One of Our Networks

2012-10-31 Thread Carsten Strotmann
Hello Martin, Martin McCormick writes: > I described a case where one of our remote campuses can't > resolve a number of remote domains. One example is noaa.gov. It > also successfully resolves random remote domains without > seemingly any rhyme or reason. > > Here is a bad dig trace for n

Re: ISC Bind in Active Directory

2012-10-24 Thread Carsten Strotmann
amespace. A general observation: I find a high number of DNS admins in AD networks that have the perception that the earth, pardon DNS, is flat. It is not, it is a hierarchy :). And every attempt to make it appear flat creates problems. -- Carsten Strotmann

Re: ISC Bind in Active Directory

2012-10-24 Thread Carsten Strotmann
Hello Aaron, Aaron Thompson writes: > I have little experience in the AD arena for DNS/DHCP. Without being > a too loaded question, with your experience is it possible or common > to have a very knowledgeable understanding of the performance and > health of an AD system similar to a BIND syst

Re: ISC Bind in Active Directory

2012-10-20 Thread Carsten Strotmann
ans). But running BIND and ISC DHCP gives more flexibility and control. Pick your choice -- easy life vs. understanding and fun :) Carsten Strotmann Men & Mice

Re: rndc protocol

2012-10-05 Thread Carsten Strotmann
Hello Matthew, "Matthew Horsfall (alh)" writes: > I was curious if the underlying protocol used by the rndc command was > well documented and if writing clients against it (rather than using > the rndc utility) was advisable or not. I'm not aware of extra documentation, but I know developers t

Re: Error Resolving / EDNS

2012-09-19 Thread Carsten Strotmann
Hello James, "James Tingler" writes: > Thanks for the reply Carsten.  This didn't make a difference but > potentially I'm using the parameter incorrectly (no errors though). >   > /etc/rc.d/init.d/named start -4 >   no, it does not work that way. /etc/rc.d/init.d/named is a startscript, and th

Re: Error Resolving / EDNS

2012-09-19 Thread Carsten Strotmann
Hello James, "James Tingler" writes: >   > E.g. >   > Sep 17 15:32:01 PROD55-DNS2 named[27503]: error (network unreachable) > resolving 'www.amazon.com/A/IN': 2610:a1:1017::1#53 > Sep 17 15:32:08 PROD55-DNS2 named[27503]: error (network unreachable) > resolving 'www.amazon.com/A/IN': 2001:502:

Re: BIND 9.6-ESV-R7-P3 is now available

2012-09-13 Thread Carsten Strotmann
"Ayca Taskin (Garanti Teknoloji)" writes: > Hi, > > Im using BIND 9.6.1-P3 and want to upgrade BIND 9.9.1-P3 on Solaris. What are > your advices about upgrade and migration, to 9.9.1-P3, is there any guide for > this? Whenever you upgrade to a new version of BIND (esp. when it is a new major

Re: install BIND on Mac OS X

2012-09-08 Thread Carsten Strotmann
pangj writes: > Thanks. > > bogon:~ pro$ named -v > BIND 9.7.3-P3 > > This does have been installed. For a more recent version of BIND (9.8.x or 9.9.x), there are MacOS X installers of new versions at -- Carsten

Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-06 Thread Carsten Strotmann
Ryan Novosielski writes: > FWIW, 9.6 ships with Solaris 10. current BIND release installer packages for Solaris 10 (Sparc and i86pc) can be found at http://support.menandmice.com/download/bind/solaris/ I'm also willing to build current BIND 9 packages for Solaris 8 or 9, but only if a good cas

Re: Version statement...

2012-08-17 Thread Carsten Strotmann
Jeff Justice writes: Hi Jeff, > I am trying to mask our DNS servers version output to a custom string, > but it doesn't seem to be working for me. In a nutshell, I have added > this to my options block of my named.conf: > >version "[DNS Server]"; > > But when I do a query, it still shows th

Re: security BIND

2012-08-04 Thread Carsten Strotmann
Hello Alberto, On Sat, 4 Aug 2012, Alberto Rasillo wrote: Hi what are recommendations regarding security and DNS service? Thanks it is difficult (impossible?) to answer such a generic question. Generic security advice for a DNS service: * read your DNS server's documentation carefully * understa

Re: Problem with DNSSEC signing zone

2012-07-20 Thread Carsten Strotmann
C validated, but that is another issue). Best regards Carsten Strotmann

Re: Operation Cancelled Error

2012-07-12 Thread Carsten Strotmann (private)
Hello Ben, On 7/12/12 10:32 AM, Ben wrote: > Still, my question is open.. I'm not from ISC, but I have an idea what causes this (but I'm not an authoritative source). You can look up the BIND source code. Every caching DNS Server (BIND or other pro

Re: BIND, DNSSEC & AD

2012-06-30 Thread Carsten Strotmann (private)
Hello John, On 6/29/12 4:52 PM, John Williams wrote: > The purpose behind this is not to protect the internal AD DNS from > hijacking. But rather to allow internal clients to run DNSSEC > related queries without having to reference external resolver

BIND, DNSSEC & AD

2012-06-29 Thread Carsten Strotmann
too late). -- Carsten Strotmann

Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)
Hello, On 6/24/12 10:07 AM, Carsten Strotmann (private) wrote: > It might even be a new Windows 2012 DNS server, and it might be an > issue with this new version. This is just speculation, but if it is > an issue with Windows 2012 DNS, it

Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)
tocol violation, and that might be the cause of FORMERR. Best regards Carsten Strotmann

Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)
set, which should normally not appear in an error type of response, but might be caused by a mangled DNS packet: ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 30679 ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 I have no explanation of this issue at the mome

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)
3(2a01:111:2005::1:1) ;; WHEN: Sat Jun 23 10:47:33 2012 ;; MSG SIZE rcvd: 60 If some other members of this mailing list also see the same FORMERR (I'm seeing it over IPv4+IPv6), that is very likely a firewall or middlebox on the Microsoft side. Best regards Carsten Strotmann

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)
94.245.124.49; 207.46.55.10; 65.55.31.17; }; }; We've also informed Microsoft about the issue. Best regards Carsten Strotmann

Re: MS AD 2008R2 and bind

2012-01-03 Thread Carsten Strotmann (private)
e. The old IP addresses might be leftovers from a test, and have not been properly removed when the IP addresses of the domain controller have been changed. Best regards Carsten Strotmann

Re: rndc addzone|delzone

2012-01-01 Thread Carsten Strotmann (private)
On 1/1/12 1:18 PM, DNSbed.com wrote: > On Sun, 1 Jan 2012 13:05:41 +0100, Jan-Piet Mens > wrote: >>> Has anyone tried the new features of rndc addzone|delzone with >>> BIND-9.7? Will the zone added|deleted get transferred between >>> master and slaves

Take your DNSSEC with a grain of salt ...

2011-12-31 Thread Carsten Strotmann (private)
Hi, because it was a recurring question in the ISC/Men & Mice DNSSEC trainings this year, I've taken some time to write down my knowledge on NSEC3 use of the "salt" and "iteration" parameters:

Re: rndc reload has no effect?

2011-12-31 Thread Carsten Strotmann (private)
On 12/31/11 8:09 AM, Ken Peng wrote: > Today I setup a new name system, BIND 9.7.3 with multi-views, zone > transfer are going based on different TSIG-Keys. I have found a > strange problem that when I edited the zone file, added a record, > increased