Re: Query failed (timed out)

2019-11-07 Thread Chris Thompson
/bind-users/2019-June/101930.html -- Chris Thompson Email: c...@cam.ac.uk ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/lis

Re: Strange DNS problem

2019-06-10 Thread Chris Thompson
3.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk

When to use the "invalid" TLD

2019-04-09 Thread Chris Thompson
this was a reasonable use of "invalid", and consistent with the remarks in section 6.4 of RFC 6761 (also dating from 2013, incidentally). -- Chris Thompson Email: c...@cam.ac.uk

Re: Cached negative responses

2018-12-21 Thread Chris Thompson
for these negative responses in Cache, or could there really be that many objects in the cache ? Assuming these were output as uint64_t but then reinterpreting them as int64_t, they are very *small* negative numbers, -57 and -9 respectively. I suspect something other than overflow is responsible.

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread Chris Thompson
e.g. for the www.[zonename] RRs in different zones), because the full owner name is included in the hashing input. (Use a different Key) Yes. Because there are no advantages whatsoever in doing otherwise! -- Chris Thompson Email: c...@cam.ac.uk

Re: NTP through DNS?

2018-09-26 Thread Chris Thompson
.yourdomain CNAME externalntp.otherdomain CNAME externalntp.someotherdomain Assuming that you are running name server software that actually allows you to have several CNAMEs with the same label, of course. BIND8 with "multiple-cnames yes", perhaps? :-)

Re: tool for finding undelegated children in your DNS

2018-07-27 Thread Chris Thompson
approach is to do a dig axfr to get the actual zone... If you do need to work from the zone files, I would strongly recommend normalising them with "name-checkzone -o outfile zonename infile" or an equivalent, before trying to unpick them with "Perl, awk, etc". -- Chr

Re: Administrivia.

2018-04-23 Thread Chris Thompson
rpa/dnssec/ Thanks for the heads up - I'll make sure our Ops team is aware. To further increase our Schadenfreude, please do let the list know just how ISC managed to let that happen! Or will you be able to blame ARIN? -- Chris Thompson Email:

Re: Slow zone signing with ECDSA

2017-04-20 Thread Chris Thompson
g forward to the time when BIND, inter alia, supports them... -- Chris Thompson Email: c...@cam.ac.uk

Reply to digests [was: RE: bind-users Digest, Vol 1727, Issue 1]

2016-07-05 Thread Chris Thompson
"Re: [the subject format for the list's digest messages]". Maybe a scan of the message content for a copy of the digest prologue would be a good idea as well. -- Chris Thompson Email: c...@cam.ac.uk

Re: g.root-servers.net not reachable anymore

2016-04-18 Thread Chris Thompson
/pipermail/dns-operations/2016-April/014765.html which is fairly tight-lipped! -- Chris Thompson Email: c...@cam.ac.uk

Re: response case in-sensitivity?

2015-07-30 Thread Chris Thompson
copy exactly from the query, and the owner field used in the answer section, which recent versions of BIND make the same as that loaded from zone file (when authoritative), or as received from an authoritative nameserver (when from the cache). -- Chris Thompson Email: c...@cam.

Re: Future of BIND's built-in empty zone list

2015-05-17 Thread Chris Thompson
ne is described. Would this actually break a validating resolver with a locally defined (unsigned) empty zone 2.0.192.IN-ADDR.ARPA ? The parent zone can produce a proof that there is no signed delegation, but only by revealing the signed DNAME. -- Chris Thompson Email: c...@cam.

Re: Future of BIND's built-in empty zone list

2015-05-17 Thread Chris Thompson
Ls so that they will remain cached. -- Chris Thompson Email: c...@cam.ac.uk

Re: Future of BIND's built-in empty zone list

2015-05-14 Thread Chris Thompson
On May 14 2015, I wrote: Now that RFCs 7434 & 7435 have been published, how do ISC see the future ... That should be 7_5_34 & 7_5_35 of course. Curses. -- Chris Thompson Email: c...@cam.ac.uk

Future of BIND's built-in empty zone list

2015-05-14 Thread Chris Thompson
the public DNS acquire DNAMEs pointing to that (hopefully ones with large TTLs). -- Chris Thompson Email: c...@cam.ac.uk

Re: Automatic flushing of the jnl files

2015-01-21 Thread Chris Thompson
ter file has been updated. (Of course, as Phil Mayers points out, this would cause downstream IXFRs to become AXFRs,) -- Chris Thompson Email: c...@cam.ac.uk

RE: Inline-signing feature request: Directly set the signed zone's serial number

2014-10-18 Thread Chris Thompson
(Almost) no-one uses HINFO for its original purpose anywhere in the DNS. and I think I might get away with it. -- Chris Thompson Email: c...@cam.ac.uk

Re: Inline-signing feature request: Directly set the signed zone's serial number

2014-10-17 Thread Chris Thompson
l, it served me right when we later had to put an A record (sorts before HINFO) at the apex of cam.ac.uk and I had to modify our normalised-zone-file-comparison program to allow for that! -- Chris Thompson Email: c...@cam.ac.uk

To DLV or not to DLV [was Re: recursive lookups for UNSECURE names ...]

2014-08-28 Thread Chris Thompson
something is in the public DNS at all, it ought to be signed. But our tribulations summarised above (and believe me, I could go on about it at *much* greater length! you should be grateful) have occasionally made me regret that. -- Chris Thompson Email: c...@cam.ac.uk

Re: Why the heck my NS are not working

2014-07-20 Thread Chris Thompson
know about lbtest.isnlab.in, You are always going to get inconsistent results until you fix the delegation. -- Chris Thompson Email: c...@cam.ac.uk

Re: bind 9.10..0-P1 rndc: 'retransfer' failed: not found; other rndc commands are ok

2014-05-23 Thread Chris Thompson
xpedites what would normally happen when the refresh interval expires. That is, it will do an SOA query against the master(s), and if the serial has increased attempt an (if possible incremental) zone transfer. -- Chris Thompson Email: c...@cam.ac.uk

Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-27 Thread Chris Thompson
would vote for 'dq' (as in, DNS query) which has the virtue of not matching anything in the Ubuntu "did you mean?" database. Oh please, not another two-letter command for the benefit only of the digit-ally challenged... Not to mention what http://en.wikipedia.org/wiki/DQ has t

Re: Windows dig & resolv.conf

2014-04-11 Thread Chris Thompson
solv.conf (if any). The search list is not used by default. -- Chris Thompson Email: c...@cam.ac.uk

Re: What do you do when the Root records are wrong?

2014-04-03 Thread Chris Thompson
e sure your old nameservers stop serving the zone, or at least serve a version with the new NS records in" situation. but the (highly anti-social, by the way) behaviour of these nameservers makes that impossible to arrange. -- Chris Thompson Email: c...@cam.ac.uk

Re: What do you do when the Root records are wrong?

2014-04-03 Thread Chris Thompson
for .net? No, they are authoritative for udrtld.net, self-consistently claiming themselves as the only NS records for it. This looks like a simple case of a change of nameservers for a zone not propagating too well, because the old ones haven't stopped serving it. -- Chris

Re: nsec3 opt-out confusion (bug report)

2014-04-01 Thread Chris Thompson
not a bug. It is mandated by RFC 5155 - see section 4.1.2. This was really nic.at (and not example.com), wasn't it? Your domain obfuscation was half-hearted! I tried looking at it, but things were changing too fast for me to get consistent results... -- Chris Thompson Email: c...@cam.

Re: localhoast A record?

2014-03-24 Thread Chris Thompson
On Mar 21 2014, SM wrote: Hi Chris, At 11:18 21-03-2014, Chris Thompson wrote: We used to create lots of localhost.[subdomain].cam.ac.uk records, even to the extent of adding an record just for those institutions that had IPv6 enabled on their networks. But we have pretty much given up

Re: localhoast A record?

2014-03-21 Thread Chris Thompson
alhost.cam.ac.uk itself, to terminate the probable iteration described above before it goes any further. -- Chris Thompson Email: c...@cam.ac.uk

Re: Converting an inline-signed zone to unsigned

2014-03-06 Thread Chris Thompson
therwise. I think I am going to have to retreat hurt from this attempt to use inline signing, and find some other way of achieving what I want. -- Chris Thompson Email: c...@cam.ac.uk

Re: Converting an inline-signed zone to unsigned

2014-03-06 Thread Chris Thompson
On Feb 19 2014, Alan Clegg wrote: On 2/19/14, 8:59 PM, Chris Thompson wrote: What is the right way ... or maybe I should be asking IS there a right way ... to change a zone that has been signed by inline signing (i.e. with "inline-signing yes; auto-dnssec maintain;" in it zone sta

Converting an inline-signed zone to unsigned

2014-02-19 Thread Chris Thompson
error: zone playground.test/IN: not loaded due to errors. and the zone goes into SERVFAIL state. The only way I found out of this was to remove the [zone-file].signed and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig". Surely there must be something bette

Re: changing NSEC3 salt

2014-02-12 Thread Chris Thompson
It's not often mentioned, incidentally, that using more iterations increases the probability of a collision. Of course, it's pretty damn small to begin with, so that doesn't really matter. But the algorithm, described in RFC 5155 section 5, could have been better designed

Re: changing NSEC3 salt

2014-02-11 Thread Chris Thompson
1 150 ---1--1-- 2 Total 1076 156 5 2 27 21 216 [*] A lot more than there used to be, due to the influx of new gTLDs. -- Chris Thompson Email: c...@cam.ac.uk

Re: Case-Insensitive Response Compression May Cause Problems With Mixed-Case Data and Non-Conforming Clients

2014-02-06 Thread Chris Thompson
So even when they use the new (case-sensitive) compression rules themselves, they will only respond to clients with different casing in the question and answer sections if they have themselves been queried for the same name with different casings (possibly by different clients, of course). -

Re: Insecurity proof failed resolving newsletter.postbank.de - but why?

2014-01-20 Thread Chris Thompson
tter.postbank.de (despite the fact that the NS records are included in the referral). Note the absence of opt-out in the NSEC3. -- Chris Thompson Email: c...@cam.ac.uk

Re: Sites that points their A Record to localhost

2014-01-14 Thread Chris Thompson as IP Register
On Jan 14 2014, Joseph S D Yao wrote: On 2014-01-12 10:04, Chris Thompson wrote: [...] That would be more plausible if www.p3net.net actually resolved to something, rather than giving NXDOMAIN ... How interesting. From here I see (and saw before I posted): ;; ANSWER SECTION

Re: Sites that points their A Record to localhost

2014-01-12 Thread Chris Thompson
le of typing in www.p3net.net to get to his or her Web site. That would be more plausible if www.p3net.net actually resolved to something, rather than giving NXDOMAIN ... -- Chris Thompson Email: c...@cam.ac.uk

Re: Serial numbers for inline signing

2013-12-18 Thread Chris Thompson
rnalprint to the .signed.jnl file, unless the journal has been pruned as a result of exceeding the max-journal-size setting. But this won't tell you *when* each increment happened. -- Chris Thompson Email: c...@cam.ac.uk

Re: rndc refresh fails for signed zones

2013-12-12 Thread Chris Thompson
strange to have signing done in more than one place, yes. The sort of scenario when you want to do signing on a slave is that in "Example 2" in https://kb.isc.org/article/AA-00626/ -- Chris Thompson Email: c...@cam.ac.uk

Re: dig ignores +notcp when doing IXFR (DiG 9.5.0-P2)

2013-12-06 Thread Chris Thompson
transfer is possible and if so whether it would fit into the UDP payload. Of course, if the client's supplied SOA serial is the same, this response indicates that no zone transfer is needed. -- Chris Thompson Email: c...@cam.ac.uk

Non-recursive nameserver response to DS request

2013-11-14 Thread Chris Thompson
oves there is no DS record for cam.ac.uk in the zone cam.ac.uk, which of course is true.] -- Chris Thompson Email: c...@cam.ac.uk

Re: TXT Record Format with multiple records?

2013-10-13 Thread Chris Thompson
TXT "order!" message.example. TXT "A paragraph of text that" -- Chris Thompson Email: c...@cam.ac.uk

Re: Occasional SERVFAILs from "dig NS iq."

2013-09-25 Thread Chris Thompson
I have reported this problem to bind9-bugs [ISC bug #34839]. -- Chris Thompson Email: c...@cam.ac.uk

Re: Occasional SERVFAILs from "dig NS iq."

2013-09-24 Thread Chris Thompson
On Sep 24 2013, Tony Finch wrote: Chris Thompson wrote: I have noticed that I get occasional (fast) SERVFAIL responses from "dig NS iq.", e.g. "iq" is partially signed, in the sense that some of its nameservers deliver a signed version, and some an unsigned one, but

Occasional SERVFAILs from "dig NS iq."

2013-09-24 Thread Chris Thompson
ned version, and some an unsigned one, but I don't see how that leads to the effect observed. -- Chris Thompson Email: c...@cam.ac.uk

Re: nxdomain

2013-08-29 Thread Chris Thompson
) an NXDOMAIN for, rather than the unqualified one. The OP would probably have been a lot less mystified if the message had been Host www.undernet.org.my-domain.example not found: 3(NXDOMAIN) rather than Host www.undernet.org not found: 3(NXDOMAIN) -- Chris Thompson Email: c...@cam.ac.uk

Re: internal network PTR records, necessary?

2013-08-14 Thread Chris Thompson
nclude the option "empty-zones-enable yes;" explicitly. -- Chris Thompson Email: c...@cam.ac.uk

Re: writing .jnl files to another path possible?

2013-07-29 Thread Chris Thompson
the "journal" option in the "zone" statement. -- Chris Thompson Email: c...@cam.ac.uk

Re: Rate-Limit Question

2013-06-14 Thread Chris Thompson
of the ESV status of the BIND 9.9 series. -- Chris Thompson Email: c...@cam.ac.uk

Re: New Versions of BIND Are Now Available

2013-05-29 Thread Chris Thompson
everse zones to built in empty zones list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336] That doesn't apply if you have automatic empty zones disabled, e.g. by "recursion no" in options, of course. -- Chris

Re: Bind 9.9.3b2

2013-05-10 Thread Chris Thompson
e yet. -- Chris Thompson Email: c...@cam.ac.uk

Re: resolver, search command....

2013-05-08 Thread Chris Thompson
tart all over again with the search path(s) added after a "negative" result, but it doesn't. -- Chris Thompson Email: c...@cam.ac.uk

Re: Simple question about zone and CNAME

2013-04-05 Thread Chris Thompson
, "all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around". -- Chris Thompson Email: c...@cam.ac.uk

Re: queries aborted due to quota

2013-03-19 Thread Chris Thompson
re are all sorts of possible misconfigurations using forwarders that might provoke problems of this sort. -- Chris Thompson Email: c...@cam.ac.uk

Re: a lot of transfer when slave start

2013-03-05 Thread Chris Thompson
specifying a "file" value for the zones on the slave server? -- Chris Thompson Email: c...@cam.ac.uk

Re: lame-servers: error (FORMERR) resolving [something]

2013-01-15 Thread Chris Thompson
dig +trace +nodnssec www.isc.org -- Chris Thompson Email: c...@cam.ac.uk

Noisy messages from BIND about root hints change

2013-01-07 Thread Chris Thompson
cords for "." and the address records for the *.root-servers.net names so referenced. But why did it keep going on and on about it? And what made it stop? Has anyone else seen anything similar? -- Chris Thompson Email: c...@cam.ac.uk

Re: set directory for "auto" key files

2013-01-07 Thread Chris Thompson
}; zone "232.128.in-addr.arpa" { type slave; file "slave/232.128.in-addr.arpa"; journal "slave-jnl/232.128.in-addr.arpa"; ... }; ... One slight niggling disadvantage is that you can't tell named-checkzone / named-compilezone with the -j option where to find the journ

Re: BIND and DNSSEC

2012-11-01 Thread Chris Thompson
On Nov 1 2012, Jan-Piet Mens wrote: I do as well, and this will be documented in the next version of this document. I believe you've mentioned that here before. Several times. Today. ;-) "What I tell you three times is true." The Bellman, pp Lewis Carroll -- Chris Thompso

Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-10-31 Thread Chris Thompson
e unsigned version provided by a DLZ interface? -- Chris Thompson Email: c...@cam.ac.uk

Re: Delegations

2012-10-31 Thread Chris Thompson
ames on the basis of a "domain part" taken to be all but the first label. It was hard work to change it to allow the "domain part" for authorisation purposes to be any trailing set of labels, but by ${DEITY?} it was necessary! -- Chris Thompson Email: c...@cam.ac.uk

Re: Delegations

2012-10-31 Thread Chris Thompson
providing records for the number of labels between cuts. I don't see how "safer" would apply, either. -- Chris Thompson Email: c...@cam.ac.uk

Re: Disable log message

2012-10-21 Thread Chris Thompson
, the more that the actually executing named says about itself, the better. -- Chris Thompson Email: c...@cam.ac.uk

Re: Disable log message

2012-10-18 Thread Chris Thompson
out with the internal defaults for category and priority (daemon.notice). Any suppression would need to be done at the syslog level. But I have some difficulty understanding why anyone would want it suppressed. It's true that BIND is a bit noisier t

Re: about the wild record

2012-10-15 Thread Chris Thompson
say the least. But you should notice that the above response - rcode NOERROR with an empty data section - is what RFC 2308 calls "NODATA", and not an NXDOMAIN. This is because test.cloudns.tk is an "empty non-terminal" in the name tree within the zone, and it is that which p

Re: error (unexpected RCODE REFUSED) resolving

2012-10-12 Thread Chris Thompson
", which does seem to happen when the nameservers for a zone behave abnormally. This time I have got around to reporting it to bind9-bugs. -- Chris Thompson Email: c...@cam.ac.uk

Re: Improved SSL Error Logging [RT #29932]

2012-10-10 Thread Chris Thompson
AILURE)); Presumably we need to change this code return (dst__openssl_toresult2( "RSA_public_decrypt", DST_R_VERIFYFAILURE)); similarly? -- Chris Thompson Email: c...@cam.ac.uk

Re: Listen-on per view?

2012-08-11 Thread Chris Thompson
, i.e. on which of the nameserver's own addresses it arrived on.) Thinking in terms of "listen-on" was a category error. Views don't have separate listening apparatus. Instead the queries that come in are farmed out to the views on the basis of their matching conditions

Re: Journal File Question

2012-07-25 Thread Chris Thompson
named-journalprint utility distributed with BIND. Although I have to say I would hate to be dependent on this way of recovering a lost zone file: you should probably be rethinking your whole backup and recovery strategy. -- Chris Thompson Email: c...@cam.ac.uk

Re: rndc stats command

2012-07-18 Thread Chris Thompson
ics channel, but not in the file written by "rndc stats".] -- Chris Thompson Email: c...@cam.ac.uk

Re: check-names via command line

2012-07-11 Thread Chris Thompson
't check CNAME labels) ... :-( Apologies for the FUD. -- Chris Thompson Email: c...@cam.ac.uk

Re: check-names via command line

2012-07-10 Thread Chris Thompson
". Well, I have to take that back. As far as I can see the -k option of named-checkzone has no effect at all, despite the man page, at least with BIND 9.8.3-P1. -- Chris Thompson Email: c...@cam.ac.uk

Re: check-names via command line

2012-07-10 Thread Chris Thompson
"warn" anyway, but you may want to use "fail". -- Chris Thompson Email: c...@cam.ac.uk

Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Chris Thompson
ts to 16M. got into BIND 9.5.0, but 2457. [tuning]max-cache-size is reverted to 0, the previous default. It should be safe because expired cache entries are also purged. [RT #18684] was there before 9.5.1, and AFAICS it has been like that e

Re: Checking for zone expiration?

2012-05-21 Thread Chris Thompson
". This works better if the files for "type slave" zones are kept in a separate directory (or directories) from the "type master" ones, if any. -- Chris Thompson Email: c...@cam.ac.uk

Re: Interaction of -S and recursive-clients?

2012-05-18 Thread Chris Thompson
On May 17 2012, Daniel Deighton wrote: On 05/17/2012 12:20 PM, Chris Thompson wrote: [... snip ...] named: general: error: socket: file descriptor exceeds limit (4096/4096) last message repeated 1194 times named: general: error: socket: file descriptor exceeds limit (4096/4096) last message

Interaction of -S and recursive-clients?

2012-05-17 Thread Chris Thompson
numbers are reached only when the network has gone pear-shaped anyway.) -- Chris Thompson Email: c...@cam.ac.uk

Re: records via GENERATE

2012-05-14 Thread Chris Thompson
ration occurs while the zone file is being read, at startup or after e.g. an "rndc reload [zone]". -- Chris Thompson Email: c...@cam.ac.uk

Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Chris Thompson
L directive than rely on it defaulting to the SOA.MINTTL value (or specify all TTLs explicitly). You probably meant "root.localhost." for the SOA.rname. -- Chris Thompson Email: c...@cam.ac.uk

Re: Secondary Zone 'Raw' File format

2012-05-04 Thread Chris Thompson
ee if you ran a sniffer during a zone transfer. You can convert it to text format to see what's in the file with: named-checkzone -D -f raw The other things that changed in BIND 9.9 is that there is a new version of the "raw" format (as in "-F raw=1" versus "-F

Re: dynamic update to SOA records

2012-05-01 Thread Chris Thompson
re-signing activity, but we assume it hasn't been doing so as often as once a second... -- Chris Thompson Email: c...@cam.ac.uk

Re: Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

2012-04-30 Thread Chris Thompson
anchors, which maybe does not bode well for them ever appearing in BIND. -- Chris Thompson Email: c...@cam.ac.uk

Re: Exercising RFC 5011 rollovers

2012-04-21 Thread Chris Thompson
managed-keys.bind file to remove the noxious entry, and then restarting it. -- Chris Thompson Email: c...@cam.ac.uk

Re: www.glb.hud.gov

2012-04-19 Thread Chris Thompson
idation is off, I am not sure why it would be bothering to (try to) fetch the DNSKEY records. -- Chris Thompson Email: c...@cam.ac.uk

Re: How to reset the serial number?

2012-03-27 Thread Chris Thompson
uld work, but "rndc retransfer [zone]" is a lot simpler! -- Chris Thompson Email: c...@cam.ac.uk

Re: How to reset the serial number?

2012-03-27 Thread Chris Thompson
of wrapping our serials round from MMDDNN style to seconds-since-1970, the stealth-slaving Windows DNS servers of that time (even the 2008 ilk) just could not cope, and went into a tizzy continuously trying to fetch the zones and then rejecting them for their "smaller" serials.

Re: "rndc reconfig" vs. "rndc reload"

2012-03-22 Thread Chris Thompson
different process: instead of "rndc reload" after updating some of the zone files, I loop through the list of updated zone files and run "rndc reload " for each one. This is better, of course, if you can do it. -- Chris Thompson Email: c...@cam.ac.uk

Re: NS record for subzone definition

2012-03-13 Thread Chris Thompson
ted as deep as you like[*] without you needing to make a zone cut. [*] subject to the overall limit of 253 characters on the fully qualified name -- Chris Thompson Email: c...@cam.ac.uk

Re: Exercising RFC 5011 rollovers

2012-03-08 Thread Chris Thompson
the SERVFAILs no longer occur. I think this may indicate that the data structure in managed-keys.bind cannot quite capture all the complexities of RFC 5011. The BIND version used in the later part of this experiment was (early-access) 9.8.2rc2 but I doubt that is particularly sign

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
6+1 except for the following: com, net & edu use 3 for all DNSKEYs gov uses 3 for its KSK and active ZSKs, 2^32+1 for an idle ZSK cz uses 2^16+1 for its KSK, 2^32+1 for its ZSK la my & us use 2^32+1 for all DNSKEYs -- Chris Thompso

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
On Mar 7 2012, Bill Owens wrote: On Wed, Mar 07, 2012 at 12:13:35PM +, Chris Thompson wrote: This is wrong (although I have seen the same thing stated in a number of other places). When the default public exponent was changed from 3 to 2^16+1 (change 2088) the one selected by -e was

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
worrying about people using buggy pre-2006 versions of OpenSSL and go back to using RSA public exponents of 3 again most of the time. I notice that this is what VeriSign do for the DNSKEY records in "com", "net" & "edu". -- Chris Thompson Email: c...@cam.ac.uk

RE: RFC 6303 and bind 9.9.0

2012-03-01 Thread Chris Thompson
it up to date in most of my own nameserver configurations.] -- Chris Thompson Email: c...@cam.ac.uk

Re: Logging issue with bind

2012-02-16 Thread Chris Thompson
> The default_debug channel has the special property that it only ARM> produces output when the server's debug level is nonzero. It's actually quite a pain that one can't define one's own channels with that "special property". -- Chris Thompson Email: c...@cam.a

Re: Query Regarding NSEC RR in DNSSEC

2012-02-15 Thread Chris Thompson
ameserver". The security functions end-to-end, between the zone administrator (she who generates its contents and signs it) and the validator, not point-to-point. -- Chris Thompson Email: c...@cam.ac.uk

Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread Chris Thompson
correct? AFAIK 'rndc flush' will do the same. If you know the domain name in question, "rndc flushname ghost.example" should be enough. (BIND 9.9 has "rndc flushtree" as well, but I think clobbering the cached NS records for the ghost domain should be enough

Re: PLEASE READ: An Important Security Announcement from ISC

2012-02-08 Thread Chris Thompson
that these are "common in practice". Well yes, in spades! It would also be quite inconsistent with the existing credibility rules, and with the fact that in signed zones the delegation NS RRset is unsigned, on the basis that it is a hint, not authoritative. -- C

RE: Unknown RR in .in domain

2012-02-06 Thread Chris Thompson
ecific iterative stage it was working through at the time - in your example, the response of the authoritative "in" servers. -- Chris Thompson Email: c...@cam.ac.uk

Re: 9.9 query log change

2012-01-16 Thread Chris Thompson
pears, not just the query log ones. But it does look mighty strange in that case. And maybe people will want the class and type (and even flags) of the query added in the general case, which would sort of reduce the query log specific info to just "it happened". -- Chris Thompson E
