Re: Bind > 9.12 Will Not Start On FreeBSD

2019-04-27 Thread Doug Barton
On 4/27/19 9:22 PM, Tim Daneliuk wrote: On 4/27/19 5:33 PM, @lbutlr wrote: On 27 Apr 2019, at 16:21, Tim Daneliuk wrote: Why is 9.12+ now suddenly so grumpy about who owns the files? Is this a recent fix to reduce the attack surface on files owned by root? Pretty sure. I thought it was men

Re: SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2019-01-01 Thread Doug Barton
I've had LE fail after a certbot upgrade because it grew a dependency that didn't automatically get installed with the upgrade. So yes, automation good, but not perfect. On 2018-12-31 6:54 PM, John W. Blue wrote: nuff said, eh? I thought that Let's Encrypt wanted to roll / revalidate SSL cert

Re: about the effect of installing with "--without-openssl"

2018-08-26 Thread Doug Barton
On 08/26/2018 07:30 PM, takahiro wrote: That's why I want to know the effect of installing with "without-openssl". What specifically are you trying to accomplish by compiling without openssl? ___ Please visit https://lists.isc.org/mailman/listinfo/bin

Re: Local Slave copy of root zone

2018-08-21 Thread Doug Barton
On 08/21/2018 08:53 AM, Grant Taylor via bind-users wrote: On 08/20/2018 11:06 PM, Doug Barton wrote: But that doesn't mean that slaving a zone, any zone, including the root, is "dangerous." If slaving zones is dangerous, the DNS is way more fragile than it already is. Sorry

Re: nslookup oddities (Was: SRV record not working)

2018-08-20 Thread Doug Barton
On 08/20/2018 10:14 AM, Lee wrote: On 8/19/18, Mark Andrews wrote: nslookup applies the search list by default and doesn’t stop on a NODATA response. Some versions of nslookup have been modified by OS vendors to use /etc/hosts for address lookups. nslookup doesn’t display the entire response

Re: Local Slave copy of root zone

2018-08-20 Thread Doug Barton
On 08/20/2018 09:00 AM, Grant Taylor via bind-users wrote: On 08/20/2018 05:23 AM, Tony Finch wrote: If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream. The normal resolver / val

Re: nslookup oddities (Was: SRV record not working)

2018-08-19 Thread Doug Barton
fied by OS vendors to use /etc/hosts for address lookups. nslookup doesn’t display the entire response by default. On 20 Aug 2018, at 12:28 pm, Lee wrote: On 8/19/18, Doug Barton wrote: On 08/19/2018 12:11 PM, Lee wrote: On 8/18/18, Doug Barton wrote: nslookup uses the local resolver stub. T

Re: nslookup oddities (Was: SRV record not working)

2018-08-19 Thread Doug Barton
On 08/19/2018 12:11 PM, Lee wrote: On 8/18/18, Doug Barton wrote: nslookup uses the local resolver stub. That's fine, if that's what you want/need to test. If you want to test specific servers, or what is visible from the Internet, etc. dig is the right tool, as the answers yo

Re: SRV record not working

2018-08-18 Thread Doug Barton
On 08/18/2018 04:53 PM, Barry Margolin wrote: In article , Grant Taylor wrote: On 08/18/2018 07:25 AM, Bob McDonald wrote: I don't think anyone hates nslookup (well maybe a few do ) I suppose the immense dislike stems from the fact that it's the default utility under Windows. Folks who use

Re: Local Slave copy of root zone

2018-08-18 Thread Doug Barton
On 2018-08-15 10:43, Tony Finch wrote: Doug Barton wrote: Slaving the root and ARPA zones is a small benefit to performance for a busy resolver, [...] This technique is particularly useful for folks in bad/expensive network conditions. While the current anycast networks of root servers

Re: Local Slave copy of root zone

2018-08-15 Thread Doug Barton
On 08/15/2018 09:11 AM, Bob McDonald wrote: I've recently been investigating having a local slave copy of the root zone on a caching/forwarder type server. I've even put the local slave copy of the root zone into a separate view accessed via a different loopback address. (An limited example of

Re: Modification in dhcpd.conf does not update ddns

2016-01-28 Thread Doug Barton
On 01/28/2016 10:23 AM, Bernard Fay wrote: Hi, I have DDNS and DHCPD setup and it works ok so far. But, while testing the integration of dhcpd and dns, I found that if I change the IP address in dhcpd.conf for a previously configured client the change is not reflected in DNS once the client rec

Re: RPZ in dns views

2016-01-22 Thread Doug Barton
On 01/22/2016 05:30 PM, Rama Krishna Prasad Chunduru wrote: Hi All, I am trying to use RPZ ( Response Policy Zone) in DNS views (BIND 9.8.2) but i am getting the below error service named restart Stopping named:[ OK ] Starting named: Error in n

Re: Bind9 on VMWare

2016-01-15 Thread Doug Barton
On 01/13/2016 04:34 AM, Philippe Maechler wrote: My idea for the new setup is: --- caching servers - Setup new caching servers - Configure the ipv4 addresses of both (old) servers on the new servers as a /32 and setup an anycast network. This way the stupid client

Re: GSS-TSIG updates with multiple KSPs on the same BIND server?

2015-06-05 Thread Doug Barton
On 6/4/15 5:14 PM, John Marshall wrote: On Thu, 04 Jun 2015, 23:04 +, Vinícius Ferrão wrote: I always make my own krb5.conf file. Which krb bits on DNS you're talking about? $ORIGIN example.com. _kerberos TXT "EXAMPLE.REALM" _kerberos._udp SRV 0 0 88 kdc1

GSS-TSIG updates with multiple KSPs on the same BIND server?

2015-06-03 Thread Doug Barton
Folks, Reading through manuals, HOWTOs, etc. on line it SEEMS possible that BIND 9.8+ could be configured to use multiple KSPs. The traditional way of configuring GSS-TSIG is the following in options{}: tkey-domain "FOO.BAR"; tkey-gssapi-credential "DNS/dns1.foo.bar"; However that co

Re: Digging to the final IP

2014-10-24 Thread Doug Barton
On 10/21/14 8:31 PM, Frank Bulk wrote: Dave, Thanks for the input, but what I was looking for was a dig command that returns the IP(s) or a fail. It looks like the host command is the right solution in this case, not dig. Yep. :) You can check the return value of the call to get your fail as

Re: DLV verify issue

2014-10-24 Thread Doug Barton
On 10/23/14 4:34 AM, Péter-Zoltán Keresztes wrote: Hello, I am trying to add a dnssec signed domain to DLV isc. Is there a DNSSEC path from this domain up to the root zone? (It would be helpful to list what domain it is.) If so, why are you adding it to DLV? Doug

Re: Digging to the final IP

2014-10-24 Thread Doug Barton
It's interesting to see the discussion about trying to turn dig into something it isn't. :) It's a really good DNS diagnostic tool, but if you just want to get the answer for a query, host does the job quite well, with a lot less fuss. Doug

Re: BIND resource requirements

2014-10-20 Thread Doug Barton
On 10/20/14 11:50 AM, Mike Bernhardt wrote: Anyone have some input on this? No one has commented so far. -Original Message- From: Mike Bernhardt [mailto:bernha...@bart.gov] Sent: Tuesday, October 14, 2014 11:59 AM To: bind-users@lists.isc.org Subject: BIND resource requirements We are c

Re: Inline-signing feature request: Directly set the signed zone's serial number

2014-10-07 Thread Doug Barton
On 10/7/14 11:03 AM, Terry Burton wrote: With inline signing you have a hidden serial number in the unsigned zone and an exposed serial number in the signed versions which your slaves track. After redeployment (following DR, emergency relocation, elastic capacity expansion, etc.) I want to be ab

Re: Diagnostic help part 2

2014-10-01 Thread Doug Barton
On 10/1/14 8:17 AM, Barry Margolin wrote: In article , Eli Heady wrote: With response sizes growing (dnssec, ipv6), answers are more likely to be too large for UDP. That's unlikely. That's why EDNS was created, so that these large answers wouldn't require TCP. ... and more than a decade

Re: Diagnostic help part 2

2014-09-30 Thread Doug Barton
On 9/30/14 12:18 PM, Bill Christensen wrote: Ok, since I theoretically have the allow-query correct I need to move on to what else may be wrong. When I test with http://www.intodns.com/ or other online tools, I'm getting " ERROR: One or more of your nameservers did not respond" (the IP is the s

Re: Two domains reporting errors

2014-09-27 Thread Doug Barton
On 9/25/14 4:49 PM, LuKreme wrote: Wait a second, so the zone name comes from the named.conf? Not quite. When named loads the zone file it does it in the context of the zone stanza from named.conf. If the zone name in the SOA is listed literally then named will check to make sure that it match

Re: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Doug Barton
On 9/15/14 7:04 AM, Lightner, Jeff wrote: While the final dot has been required within zone files to prevent unwanted appendages to records it has NOT been required by tools such as host and nslookup on either Windows or Linux/UNIX which routinely use "search" domains. On Windows the behavio
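The nslookup/dig disagreements in the "nslookup oddities" thread and the ndots/searchlist discussion here both come down to what the stub resolver does with a short name before any query leaves the host. The following simulation is an added example and not code from either thread: it reproduces the classic res_search ordering (trailing dot means absolute only; at least ndots dots means "try as-is first, then the search list"; fewer dots means "search list first, bare name last") and walks it against a constructed in-memory answer table. The domains corp.example / example, the hosts, and the addresses are all made up for the example; nothing here talks to real DNS.

```python
"""
Added example (not from the thread): a stand-alone simulation of how a stub
resolver applies ndots and the search list. The ordering is the classic
res_search behaviour (BIND's libresolv / glibc); the answers come from a
constructed in-memory table, not from real DNS.
"""
from typing import Dict, List, Optional, Tuple


def search_candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Fully qualified names in the order the stub tries them.

    A trailing dot marks the name absolute and disables the search list.
    Otherwise, if the name contains at least `ndots` dots it is tried as-is
    first and the search domains are appended afterwards; with fewer dots
    the search domains are tried first and the bare name last.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


# Constructed zone data for the simulation, keyed by (owner, rrtype).
# An owner missing from the table entirely is NXDOMAIN; an owner present
# without the requested type is NODATA (NOERROR with an empty answer).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("srv.corp.example.", "A"): ["10.0.0.5"],
    ("_ldap._tcp.corp.example.", "SRV"): ["0 0 389 srv.corp.example."],
    ("www.example.", "A"): ["192.0.2.10"],
    ("srv.example.", "TXT"): ["exists, but has no A record"],
}
_OWNERS = {owner for owner, _ in FAKE_DNS}


def lookup(qname: str, qtype: str) -> Tuple[str, List[str]]:
    """One query against the constructed table: returns (rcode, rdata)."""
    if qname not in _OWNERS:
        return "NXDOMAIN", []
    rdata = FAKE_DNS.get((qname, qtype), [])
    return ("NOERROR", rdata) if rdata else ("NODATA", [])


def resolve(name: str, qtype: str, search: List[str], ndots: int = 1,
            stop_on_nodata: bool = False
            ) -> Tuple[Optional[str], str, List[str], List[Tuple[str, str]]]:
    """Walk the candidate list like a stub resolver and return
    (name that answered, final rcode, rdata, trail of (qname, rcode)).

    With stop_on_nodata=False the walk continues past a NODATA answer,
    which is the behaviour the thread attributes to nslookup; True shows
    what a caller that treats NODATA as a final answer would see instead.
    """
    trail: List[Tuple[str, str]] = []
    for candidate in search_candidates(name, search, ndots):
        rcode, rdata = lookup(candidate, qtype)
        trail.append((candidate, rcode))
        if rcode == "NOERROR" or (rcode == "NODATA" and stop_on_nodata):
            return candidate, rcode, rdata, trail
    return None, trail[-1][1], [], trail


if __name__ == "__main__":
    for args in (("srv", "A", ["example", "corp.example"]),
                 ("_ldap._tcp", "SRV", ["corp.example"]),
                 ("www.example", "A", ["corp.example"])):
        answered, rcode, rdata, trail = resolve(*args)
        print(f"{args[0]:12} -> {answered} {rcode} {rdata}  via {trail}")
```

The "srv" case is the one worth staring at: with search "example corp.example" the first candidate, srv.example., exists but has no A record, so a resolver that keeps going past NODATA answers 10.0.0.5 from srv.corp.example., while one that treats NODATA as final reports no address at all. Same name, same data, two different answers, which is exactly why dig against a specific server (no search list applied) is the tool for diagnosing what is actually in the DNS.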

Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Doug Barton
On 9/12/14 11:07 AM, Mike Hoskins (michoski) wrote: I do have a lot of interest in the community getting to the bottom of this, as we are just planning a large upgrade in one of our environments which will move caching clusters serving 6-8k clients over to 9.10.1. Given all of the problems that

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-28 Thread Doug Barton
On 8/28/14 10:55 AM, Timothe Litt wrote: Aside from the use of the word 'absurdity', I'm not offended. I am trying to educate. And while I recognize that I'm arguing pragmatism with a market purist, It's nice to be called "pure," in some context anyway. :) However as I pointed out I'm not

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-27 Thread Doug Barton
On 8/27/14 3:03 PM, Timothe Litt wrote: So you really meant that validating resolvers should only consult DLV if their administrator knows that users are looking-up names that are in the DLV? That's how I read your advice. You're correct. I don't see how that can work; hence we'll disagree.

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-27 Thread Doug Barton
On 8/26/14 10:35 AM, Timothe Litt wrote: I think this is misleading, or at least poorly worded and subject to misinterpretation. I chose my words carefully, and I stand by them. I did not say that the DLV has no value, and I specifically mentioned that there are circumstances when it is valua

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Doug Barton
On 8/26/14 5:50 AM, Tomas Hozza wrote: | On 08/26/2014 02:27 PM, Mark Andrews wrote: |>> Why would you expect them to succeed? | | Because validation using root servers and authoritative servers | proved that the domain is intentionally unsecure. T

Re: Bind RPZ dnsfirewall howto's version 2 are here

2014-08-22 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show "under" the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the l

Re: Metazones or Something Else?

2014-08-04 Thread Doug Barton
On 08/04/2014 09:33 AM, John Anderson wrote: I've recently inherited a project that is going to require some method of automatically disseminating zone information to slave DNS servers running BIND. The traditional solution to this problem is rsync, although I realize that's not very sexy. :)

Re: OT: Authoritative Server returning RR's with decrementing TTL's?

2014-07-31 Thread Doug Barton
Almost certainly not running BIND. Almost certainly is running a "creative" load balancing solution. hth, Doug On 07/31/2014 12:56 PM, Ray Van Dolson wrote: Not BIND-related specifically... (though the server below could be running BIND I suppose). This seems weird. Why is this authoritati

Re: Public facing authoritative NS all masters

2014-07-12 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show "under" the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the l

Re: Using a DynDNS hostname in master-statement for a bind slave?

2014-06-27 Thread Doug Barton
On 06/27/2014 08:27 AM, Johannes Kastl wrote: The slave server (HOST B) is reachable from the internet via a dynDNS hostname. Now I want to setup another bind as slave on a server hosted at my provider. It should use HOST B as its master, to transfer the zone and act as a slave. BUT I found not

Re: tsig-key

2014-06-10 Thread Doug Barton
On 06/10/2014 08:56 AM, Mohammed Ejaz wrote: Any help would be highly appreciated. Switch to BlueCat which does all communication with TSIG by default? :) Sorry, couldn't resist ... Doug

Re: SPF RR type

2014-06-06 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show "under" the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the l

Re: Problem dlz_mysql_driver

2014-06-03 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show "under" the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the l

Re: Book recommendations?

2014-06-01 Thread Doug Barton
On 05/27/2014 03:51 PM, Baird, Josh wrote: Hi, Can someone recommend a modern/new-ish book on DNS (specifically BIND)? I know there have been several O'Reilly books throughout the years, but haven't kept up on anything in the past few years. I'm looking for architecture design, best practice

Re: Architecture Questions

2014-06-01 Thread Doug Barton
On 05/28/2014 07:39 AM, Mark Andrews wrote: In message , "Baird, Josh" writes: Hi, I have historically hosted authoritative slave zones on my internal caching/recursive servers to override recursion for internal zones. These servers are not directly reachable from the internet. Generally

Re: bind 9.10.0-P1 rndc: 'retransfer' failed: not found; other rndc commands are ok

2014-05-22 Thread Doug Barton
On 05/22/2014 09:33 PM, Teerapatr Kittiratanachai wrote: Sorry for jumping in, so from your information I understand that when I have updated zone file at the master I should use `rndc reload ` instead of `rndc retransfer ` to transfer the new zone file to other slaves, is it right ? Yes, you relo

Re: Slave zone intermittently not refreshing

2014-05-11 Thread Doug Barton
On 05/08/2014 05:53 AM, Mart van de Wege wrote: I have a couple, all of them 'retry limit for master $foo exceeded'. Only 2 hits for the master that's giving trouble though, and none of those around the time we had trouble. If you're seeing any of these errors the problem is worse than you t

Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-30 Thread Doug Barton
Evan, I mulled over your response and considered not pursuing this further, but apparently I can't help myself. :) On 04/27/2014 12:00 PM, Evan Hunt wrote: On Sun, Apr 27, 2014 at 07:36:22PM +0100, Chris Thompson wrote: I rather liked "delve", but the truncation to "delv" does indeed seem su

Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-25 Thread Doug Barton
On 04/25/2014 02:25 PM, Evan Hunt wrote: So, after consultation with the bottoms of one or two bottles, and consideration of several alternative names (including "dredge", "bore", "shovel" and -- taking it in a slightly different direction -- "groove") we decided to simply send the second 'e' in

Re: Zone transfer doesn't work when I set allow-update statement

2014-04-25 Thread Doug Barton
On 04/25/2014 02:04 PM, Evan Hunt wrote: On Fri, Apr 25, 2014 at 05:29:30PM -0300, Jeronimo L. Cabral wrote: But the master zone is not refreshed until I execute "service bind9 restart" ("service bind9 reload" doesn't refresh the master zone). The zone has been updated, but the changes are sto

Re: Clients Matching Multiple Views

2014-04-11 Thread Doug Barton
On 04/11/2014 10:59 AM, John Wobus wrote: My understanding has been that two views that are masters for a zone can safely share a zone file if the zone isn't dynamic (e.g. dnsupdate, dnssec auto signing, etc), but that two views of a slave zone shouldn't do that: you could have two different vie

Re: Example of classless reverse-lookup zone

2014-04-07 Thread Doug Barton
On 04/07/2014 08:14 PM, Dimitar Georgievski wrote: Hi Doug, Thanks, your article really cleared my confusion with the naming and delegation of zones. I did read initially RFC 2317 when I started working on this task, but I was lost with the use of the / char

Re: Example of classless reverse-lookup zone

2014-04-07 Thread Doug Barton
On 04/07/2014 02:46 PM, Dimitar Georgievski wrote: Hi, I am trying to configure a subnet (example: 10.1.16.32/27 ) zone files for internal domains, and have hard times with setting up the reverse lookup zone file. The couple examples I found on the internet didn't help muc

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Doug Barton
On 03/17/2014 01:06 PM, Evan Hunt wrote: On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote: Yes, it was my understanding of how HSM worked. That's why I was trying to build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one side, and PKCS11 interface for zone sign

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Doug Barton
On 03/17/2014 12:29 PM, Mathieu Arnold wrote: Hum, so, it will also use pkcs11 for dnssec validation too ? (Sorry if this seems a silly question.) HSMs are typically an auth-only tool, although I suppose that in a super-high-security environment that they could be justified for validation ...

Re: Sporadic but noticable SERVFAILs in specific nodes of an anycast resolving farm running BIND

2014-03-09 Thread Doug Barton
On 3/8/2014 1:30 PM, sth...@nethelp.no wrote: One mitigation approach is to blackhole the domains using local zones. That's not much of a mitigation. Not having open resolvers would be mitigation. Not having open resolvers is good - but unfortunately doesn't help against misbehaving clients (

Re: bind-9.9.5 regression test error

2014-02-23 Thread Doug Barton
On 02/12/2014 10:16 PM, Christoph Moench-Tegeder wrote: ## Doug Barton (do...@dougbarton.us): If you don't have enough random bits on your system to run these simple tests, your /dev/random is seriously underpopulated, and likely a security risk. You should definitely not put BI

Re: Monitoring Zonefiletransfer

2014-02-18 Thread Doug Barton
On 02/18/2014 04:39 PM, Mark Andrews wrote: Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server. Also try to determine what the "primary" master i

Re: how to modify the cache

2014-02-17 Thread Doug Barton
On 02/17/2014 11:37 AM, Kevin Darcy wrote: Ugh, that mixes apples (recursive resolution) and oranges (iterative resolution). Out of curiosity, what bad thing do you think will happen if you mix these two functions? Doug

Re: changing NSEC3 salt

2014-02-12 Thread Doug Barton
On 02/12/2014 05:17 AM, Chris Thompson wrote: On Feb 11 2014, David Newman wrote: [...] That's interesting. It seems to contradict Lucas' advice to "always use '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more aren't any more secure." It's difficult to see how that can

Re: bind-9.9.5 regression test error

2014-02-12 Thread Doug Barton
On 02/12/2014 11:16 AM, Christoph Moench-Tegeder wrote: ## Bruce Dubbs (bruce.du...@gmail.com): I've been trying to run the regression tests for bind-9.9.5 and keep getting lots of timeouts and errors in the system/inline test. I saw the same symptoms when packaging/testing bind-9.9.5. I trac

Re: missing NOTIFY after rndc signing -clear all zone

2014-02-06 Thread Doug Barton
On 02/06/2014 04:27 AM, Klaus Darilion wrote: Hi! I just noticed that on "rndc signing -clear all zone", Bind removes the private RRs, updates the NSEC3 RR, and increases the serial, but it does not send NOTIFYs. I guess this is a bug. I tested bind 9.9.5, with inline-signing of a zone. Does

Re: Disabling RPZ for a few clients / views sharing zones

2014-02-06 Thread Doug Barton
On 02/06/2014 06:27 AM, Chuck Anderson wrote: I was kinda hoping that newer versions of BIND could share zones (with identical zone contents) between views without requiring the messy multiple IP alias setup. You have always been able to do this with include files. hth, Doug

Re: classless ptr setup

2014-01-20 Thread Doug Barton
On 01/20/2014 11:21 AM, Jim Pazarena wrote: Thank you for this. I am familiar with the setup; I suppose that my question was unclear. Can the SAME named.conf handle BOTH the /24 cname assignments AND the /25 in-addr.arpa records. Which sounds like a dumb question, but I thought named may not li
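Both this question (can one named.conf carry the /24 CNAMEs and the /25 PTR records) and the earlier "Example of classless reverse-lookup zone" thread about 10.1.16.32/27 come down to the same RFC 2317 mechanics: the owner of the /24 in-addr.arpa zone delegates a child zone whose label encodes the subnet (32/27), and aliases each classful PTR name into it with a CNAME; the subnet holder is master for the child zone and puts the real PTRs there. The generator below is an added example, not something posted in either thread. The name servers (ns1.example.), the host names (gw.corp.example.) and the serial are placeholders. It produces both sides for any /25 to /32, so the /24 parent records and a /25 child from this question are just two more calls; since they are two distinct zones, a single named can be master for both (two zone stanzas in the same named.conf), and nothing stops the parent zone from also holding ordinary PTRs for the addresses it did not delegate.

```python
"""
Added example, not from the thread: generate the parent-side and child-side
records RFC 2317 classless in-addr.arpa delegation needs for an IPv4 block
smaller than a /24. Name servers, host names and the SOA serial are made up.
"""
import ipaddress
from typing import Dict, List, Tuple


def _parent_and_child(net: ipaddress.IPv4Network, sep: str) -> Tuple[str, str]:
    """Classful /24 reverse zone name and the RFC 2317 child zone name.

    RFC 2317 suggests '/' in the label; that is legal in in-addr.arpa
    (hostname syntax rules do not apply there) but some tools reject it,
    so '-' is a common substitute. `sep` selects either convention.
    """
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("RFC 2317 applies to IPv4 blocks longer than a /24")
    o = net.network_address.packed
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    child = f"{o[3]}{sep}{net.prefixlen}.{parent}"
    return parent, child


def rfc2317_parent_records(cidr: str, child_ns: List[str],
                           sep: str = "/") -> Tuple[str, str, List[str]]:
    """Records the /24 holder (typically the ISP) adds to its reverse zone:
    NS records delegating the child zone, plus one CNAME per address that
    points the classful PTR name into the delegated zone."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects a host address
    parent, child = _parent_and_child(net, sep)
    recs = [f"{child} IN NS {ns}" for ns in child_ns]
    for addr in net:
        last = addr.packed[3]
        recs.append(f"{last}.{parent} IN CNAME {last}.{child}")
    return parent, child, recs


def rfc2317_child_zone(cidr: str, ptrs: Dict[str, str], primary_ns: str,
                       sep: str = "/") -> List[str]:
    """Minimal zone file for the delegated child, which the subnet holder
    serves as master. PTR owners are the last octet, relative to $ORIGIN."""
    net = ipaddress.ip_network(cidr, strict=True)
    _, child = _parent_and_child(net, sep)
    lines = [f"$ORIGIN {child}", "$TTL 3600",
             f"@ IN SOA {primary_ns} hostmaster.{primary_ns} "
             "2024010101 3600 900 1209600 3600",  # placeholder serial/timers
             f"@ IN NS {primary_ns}"]
    for ip, host in sorted(ptrs.items(), key=lambda kv: int(ipaddress.IPv4Address(kv[0]))):
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {net}")
        if not host.endswith("."):
            raise ValueError(f"PTR target {host!r} must be fully qualified")
        lines.append(f"{addr.packed[3]} IN PTR {host}")
    return lines


if __name__ == "__main__":
    parent, child, recs = rfc2317_parent_records("10.1.16.32/27", ["ns1.example."])
    print(f"; parent zone {parent} gets:")
    print("\n".join(recs))
    print(f"; child zone {child}:")
    print("\n".join(rfc2317_child_zone("10.1.16.32/27",
                                      {"10.1.16.33": "gw.corp.example."},
                                      "ns1.example.")))
```

Run it and compare the CNAME targets with the child $ORIGIN: a resolver that looks up 33.16.1.10.in-addr.arpa follows the CNAME to 33.32/27.16.1.10.in-addr.arpa and gets the PTR from the child zone, which is the whole trick. If the parent is run by someone else (the "slave from Microsoft" and "SimpleDNS" threads further down), the only thing you need from them is the NS and CNAME output; the child zone is entirely yours.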

Re: How to deny update of statically assgined a/ptr records?

2014-01-16 Thread Doug Barton
On 01/16/2014 06:01 AM, Mark Andrews wrote: In message , Oleg Gvozdev writes: Hello. I have dynamic zone. And A record in it: Example(pseudo-code): *zone myzone.* * a 10.0.0.1 domain xxx* Then I made DHCP update for host "host.myzone." and it receives address from dynamic range (10.0.0.1

Re: dumping master file: tmp-xxx: open: permission denied

2014-01-14 Thread Doug Barton
On 01/14/2014 08:14 AM, LuKreme wrote: so I should change zone "kreme.com" { type slave; masters { 75.148.37.67; }; file "slave/kreme.com"; }; to zone "kreme.com" { type slave; masters { 75.148.37.67; }; file "/var/named/etc/namedb/slave/kreme.com"; }; and that will eliminate the errors?

Re: Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
On 01/12/2014 07:30 PM, Barry Margolin wrote: In article , Doug Barton wrote: Thanks for the response, but you're answering a different question than I asked. :) The question I'm interested in is, "Why is the recursive server not pegging the CPU?" I'm aware that t

Re: Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
Thanks for the response, but you're answering a different question than I asked. :) The question I'm interested in is, "Why is the recursive server not pegging the CPU?" I'm aware that there will be a difference in qps between auth-only and recursive, but the recursive server seems to be worki

Re: Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
Thanks for the response, but that's not it. The auth-only responses are generating a lot more traffic than the recursive. Doug On 01/12/2014 05:21 PM, Sten Carlsen wrote: Wild guess: network bandwidth runs out before CPU? Why the difference, I have no clue. On 13/01/14 02.16, Doug B

Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Doug Barton
Howdy, Without going into too much detail, doing some performance testing and am seeing a weird result. On the same systems authoritative queries will happily peg the CPU. However when running recursive queries (with a small zone, all data cached before testing) the CPU never gets above 80%.

Re: Updated to bind 9.9.3-P2

2013-07-30 Thread Doug Barton
On 07/30/2013 02:49 PM, Lawrence K. Chen, P.Eng. wrote: From 9.9.2-P2...I had built 9.9.3, but just as I was about to deploy came the announcement to either go to 9.9.3-P1 or stay with 9.9.2-P2. All the picky messages of this version You had a lot of issues in your message. IMO they make

Re: permissions for DNSSEC zone signing

2013-07-23 Thread Doug Barton
On 07/23/2013 04:48 PM, David Newman wrote: On 7/23/13 3:44 PM, Mark Andrews wrote: In message <51ef00af.4090...@networktest.com>, David Newman writes: FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports [...] zone "example.org" { type master; file "master/exa

Re: bind classless slave from microsoft dns classful SOA?

2013-07-14 Thread Doug Barton
On 07/12/2013 09:09 AM, Michael Hare wrote: Bind-users; I have been asked to slave a /24 from a microsoft SOA, however, their authority for the /24 is false in that they really only have authority to 192/26. Am I correct in that there is no way to slave said zone [x.y.z.in-addr.arpa] but serve

Re: Reverse Lookups with Forwarders

2013-07-09 Thread Doug Barton
forwarders {8.8.8.8;}; forward only; }; }; On Tue, Jul 9, 2013 at 12:23 PM, Doug Barton wrote: It's not at all clear from your description what you

Re: Reverse Lookups with Forwarders

2013-07-08 Thread Doug Barton
It's not at all clear from your description what you're trying to accomplish. Particularly it's not clear what you seem to be trying to accomplish with the 2317 delegation for a /24 zone. Can you describe what you're trying to do, and why? It may be easier to help you that way. Please use the

Re: Reverse address entries

2013-07-03 Thread Doug Barton
On 07/03/2013 07:52 PM, Novosielski, Ryan wrote: | On 07/03/2013 04:39 AM, Matus UHLAR - fantomas wrote: |> On 02.07.13 08:53, Daniel McDonald wrote: |>> I've had trouble with OSI-Soft PI historian without reverse |>> entries. If there is no revers

Re: configure syslog prefix

2013-07-02 Thread Doug Barton
On 07/02/2013 06:34 AM, Sam Wilson wrote: In article , Tony Finch wrote: Klaus Darilion wrote: Some software allows configuring the syslog prefix, but I couldn't find that for bind. Rename the named executable. Assuming a Unix-like OS, would having multiple links (hard or soft) have t

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
Box. Jeff On Jun 26, 2013, at 11:53 PM, Doug Barton wrote: Yes, seems fine now. Can you share more information about what it was you turned off? Sounds odd, but the results speak for themselves. Doug On 06/26/2013 09:39 PM, SH Development wrote: Sure could use some direction about where t

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
Yes, seems fine now. Can you share more information about what it was you turned off? Sounds odd, but the results speak for themselves. Doug On 06/26/2013 09:39 PM, SH Development wrote: Sure could use some direction about where to start looking. I "thought" I had everything working for the

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
On 06/26/2013 06:50 PM, SH Development wrote: Okay, so I got to it sooner than I thought. So, could you take a look at: starionhost.net stariontech.com starionline.com Any one of those, but they should all be identical now and on some new secondary DNS. The delegations are now identical, an

Re: Secondary DNS question...

2013-06-26 Thread Doug Barton
On 06/26/2013 07:54 AM, Matus UHLAR - fantomas wrote: All very interesting, but I'm afraid at my level of expertise on DNS, I'm not following. If I'm broken, how do I attempt to fix? Someone mentioned that our ns1.starionhost.net was not authoritative. How does one even decide that? As far as

Re: PTR files

2013-06-17 Thread Doug Barton
Norman, It's virtually certain that the error you're seeing is not related to BIND. You would almost certainly get your problem solved faster by posting on a list related to the web server software that you are using and walking through your complete configuration with them. Good luck, Doug

Re: Thank you Warren!!! - WAS::Re: This list's prefix

2013-06-16 Thread Doug Barton
Great! Now step 2 is to remove the tag from the subject line before sending mail back to the list. :) On 06/16/2013 02:50 PM, Jerry K wrote: Hello Warren, Thank you so much for this post. Long time procmail user here. I'm only sad I didn't think of this myself first. Its been working great

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Doug Barton
On 06/14/2013 05:13 PM, Vernon Schryver wrote: From: Doug Barton is that (like RRL) your proposal relies on people updating their software. RRL needs only authority and open recursive servers to be updated. The vast majority of DNS installations are closed recursive and stubb

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Doug Barton
ld F. Guilmette wrote: In message <51baa714.9020...@dougbarton.us>, Doug Barton wrote: It's obvious you're frustrated (understandable), and enthusiastic (commendable), but you might want to consider dialing down your "rhetoric" a bit. Great idea! I have only one

Re: Rate-Limit Question

2013-06-14 Thread Doug Barton
On 06/14/2013 09:08 AM, Evan Hunt wrote: (Our usual policy is not to add substantial new features in maintenance releases like 9.9.4; making it a compile-time option that defaults to off is our way of tiptoeing around the rule.) Quite reasonable, and much appreciated. :)

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Doug Barton
Ronald F. Guilmette wrote: In message <51ba355b.10...@dougbarton.us>, Doug Barton wrote: No. You can still get pretty good amplification with 512 byte responses. That is an interesting contention. Is there any evidence of, or even any reasonably reliable report of any DDoS actually being p

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Doug Barton
On 06/13/2013 02:01 PM, Ronald F. Guilmette wrote: The entire problem is fundamentally a result of the introduction of EDNS0. Wouldn't you agree? No. You can still get pretty good amplification with 512 byte responses. There are 2 causes of this problem, lack of BCP 38, and improperly secure

Re: Serving up two domains

2013-06-11 Thread Doug Barton
Jason, What you're saying here doesn't make sense, so some more details are needed. On 06/11/2013 08:54 PM, Jason Hellenthal wrote: I have a domain or two that I'm serving up and have traffic from some mobile devices and a few pieces of software that also try to resolve to the hostname.tld i

Re: any requests

2013-06-05 Thread Doug Barton
On 06/05/2013 11:33 AM, Tony Finch wrote: I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. s/Send/q/

Re: focusfeatures.com issue

2013-05-31 Thread Doug Barton
Looks like it is in transition. The COM delegation has this: ns1.netbcp.com ns2.netbcp.net pdns1.ultradns.net pdns2.ultradns.net pdns3.ultradns.org pdns4.ultradns.org pdns5.ultradns.info

Re: Negative zones; NXDOMAIN responses

2013-05-21 Thread Doug Barton
On 05/21/2013 12:39 AM, Phil Mayers wrote: On 05/21/2013 08:23 AM, Matus UHLAR - fantomas wrote: On 21.05.13 11:03, Mark Andrews wrote: The simplest solution is to slave the root zone and turn off notify so you don't spam the official root servers. 192.5.5.241 is f.root-servers.

Re: Problem query (SERVFAIL)

2013-05-17 Thread Doug Barton
No problem here from 2 different sites. Seems to be a problem between your resolving name server and their authorities: ;; AUTHORITY SECTION: pointhq.com. 3190 IN NS dns6.pointhq.com. pointhq.com. 3190 IN NS dns7.pointhq.com. ;; ADDITIONAL SECTION

Re: Mailing list "reply-to" setting

2013-05-09 Thread Doug Barton
Seriously, can we stop discussing this now? If you need subject line tags, or your mail client doesn't properly know how to respond only to the list, or whatever -- please go work that out on your own. The majority of users on the list don't want or need these things, and many of us find thi

Re: Classless PTR query issue

2013-05-07 Thread Doug Barton
On 05/07/2013 01:50 PM, Matus UHLAR - fantomas wrote: On 07.05.13 11:06, Michael Varre wrote: So interestingly they did give me their setup and this is their response, and my warm and fuzzy feeling continues to go out the window: They use SimpleDNS Record Name: 65.246.59.108.in-addr.arpa DNS Se

Re: DDOS attack Bind 9.9 - P2

2013-05-03 Thread Doug Barton
On 05/03/2013 11:44 AM, rohan.he...@cwjamaica.com wrote: What if both authoritative and recursive are running on the same server That's a simple answer, don't do that. Doug (ever)

Re: ISC Courses

2013-04-26 Thread Doug Barton
Ted made some really good points. It's also worth pointing out that overhead, like renting the facility to teach the classes in, food, travel expenses for the trainers to get to the site, course materials, insurance, etc. often run into the 'many hundreds' of dollars per student before the firs

Re: ANNOUNCEMENT: New BIND versions are available.

2013-04-12 Thread Doug Barton
Michael, Thanks for this announcement, and a welcome change. Given the following: 1. bind-announce is very low volume, and carries only critical information that the community needs to know 2. Currently all posts to bind-announce are duplicated to the other lists Wouldn't it make sense to 's

Re: Simple question about zone and CNAME

2013-04-08 Thread Doug Barton
On 04/08/2013 06:42 AM, Sam Wilson wrote: In article , wbr...@e1b.org wrote: Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, "all the publicity material sent out by the nominator [for an award for the web site] gave the UR

Re: Simple question about zone and CNAME

2013-04-08 Thread Doug Barton
On 04/08/2013 06:54 AM, Sam Wilson wrote: In article , Doug Barton wrote: On 04/05/2013 11:53 PM, Novosielski, Ryan wrote: | It is funny you should mention that... my questions about using views | to create a situation where one single record is different happens to | be exactly for this

Re: Simple question about zone and CNAME

2013-04-06 Thread Doug Barton
On 04/05/2013 11:53 PM, Novosielski, Ryan wrote: | It is funny you should mention that... my questions about using views | to create a situation where one single record is different happens to | be exactly for this reason. The Active Directory admi

Re: Forward First on Master Zone (bypass SOA)

2013-04-03 Thread Doug Barton
On 04/03/2013 05:30 PM, Kevin Darcy wrote: It's still not clear to me what you think is the "right" way to do it. I'm not saying that there is only one right way. I'm saying you first have to answer the question, "What might we want to achieve by having different answers internally vs. extern

Re: is NS record pointing to "some other name server" needed in case of classless IN-ADDR.ARPA delegations?

2013-04-03 Thread Doug Barton
On 04/02/2013 12:47 AM, Martin T wrote: Is NS record pointing to "some other name server" needed in case of classless IN-ADDR.ARPA delegations? What happens if one does not specify this? It's very common for the parent name server(s) to slave the 2317 zone so that it can answer directly. It's

Re: Forward First on Master Zone (bypass SOA)

2013-04-03 Thread Doug Barton
On 04/01/2013 11:46 AM, Kevin Darcy wrote: On 3/29/2013 12:09 AM, Doug Barton wrote: On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote: My organization is evaluating the use of split-view DNS in our environment. Simple ... don't do it. It's almost never the right answer, and

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Doug Barton
On 03/29/2013 05:39 AM, Mark Elkins wrote: Try using a more simple MD5, short key. Seem to remember that DHCP doesn't like non-MD5 keys (eg SHA) There was also some sort of length bug? - try 128 bit length. The ARM explains this correctly. It has to be HMAC-MD5, but the 512 length is just fin
