On 2024-09-19 19:17, Mark Andrews wrote:
I think the reason for the REFUSED is pretty obvious
% dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt
; <<>> DiG 9.21.0-dev <<>> +norec google._domainkey.socialinnovation.ca
@173.245.59.231 txt
;; global options: +cmd
;; Got answer
Hi list,
I have BIND 9.18.29 validating recursive resolver running on OpenBSD
7.5. This resolver performs resolution for a mail server.
Sometimes in my logs I will see the following:
17-Sep-2024 16:21:41.562 lame-servers: info: REFUSED unexpected
RCODE resolving 'google._domainkey.so
On 2024-08-02 04:30, Petr Špaček wrote:
On 02. 08. 24 0:52, Tim Daneliuk wrote:
On 8/1/24 17:14, John Thurston wrote:
After reading the CVE description, it isn't clear to me how the
degraded performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-r
Hi,
I run my own validating recursive resolver with BIND 9.18.28.
In the resolver logs I noticed:
01-Aug-2024 10:30:22.294 query-errors: info: client @0xec879280280
127.0.0.1#14435 (bf10x.hubspotemail.net): query failed (too many
records) for bf10x.hubspotemail.net/IN/A at
Hi list,
I run a BIND 9.18.27 resolver on a small mail server.
Sometimes in the logs I will see entries similar to the following:
04-Jul-2024 12:20:48.048 query-errors: info: client @0x3777f6412b0
127.0.0.1#48123 (bras-base-toroon0964w-
grc-41-142-198-14-9.dsl.bell.ca): quer
On 2024-05-17 19:37, Nick Tait via bind-users wrote:
On 18/05/2024 09:11, J Doe wrote:
Hello,
When using RPZ with BIND 9.18.27 and rpz-ip, can any CIDR prefix be used
or must they be either: /8, /16, /24, /32 for IPv4 ?
For example, if I want to block records with an A address of
Hi list,
I run a validating recursive resolver with BIND 9.18.27. Over the
course of many days, I have noted the following warning about a missing
cookie from a particular server:
09-May-2024 20:09:22.277 resolver: info: missing expected cookie
from 192.5.5.241#53
This server runs
Hello,
When using RPZ with BIND 9.18.27 and rpz-ip, can any CIDR prefix be used
or must they be either: /8, /16, /24, /32 for IPv4 ?
For example, if I want to block records with an A address of
192.168.10.1, I know I can write:
32.1.10.168.192.rpz-ip IN CNAME .
... and records li
On 2024-05-05 20:47, Mark Andrews wrote:
On 6 May 2024, at 07:38, J Doe wrote:
Hello,
I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I
noticed the following:
01-May-2024 00:52:49.689 lame-servers: info: truncated TCP response
resolving 'www.ipfire.
Hello,
I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I
noticed the following:
01-May-2024 00:52:49.689 lame-servers: info: truncated TCP response
resolving 'www.ipfire.org/A/IN': 74.113.60.134#53
I am aware that there are issues with DNS UDP traffic being trun
On 2024-04-26 16:45, Josh Kuo wrote:
In this particular case, isn't the resolver attempting to do a reverse
lookup of the IP address that's listed ?
You are right, I missed that this is a reverse-mapping zone. In that
case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and
On 2024-04-26 16:28, Mark Andrews wrote:
DS records live in the parent zone and the RFC 1034 rules for serving zone
break down when a grandparent zone and child zone are served by the same
server. This is corrected by the client by looking for intermediate NS records
to find the hidden deleg
On 2024-04-25 08:55, Josh Kuo wrote:
DS = Delegation Signer, it is the record type that a signed child uploads
to the parent zone. It's difficult to say for sure without more
information such as which domain name you are trying to resolve, but
looks like it is probably due to a mis-matching DS re
Hello,
I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I
noticed the following:
22-Apr-2024 19:25:59.614 lame-servers: info: chase DS servers
resolving '180.96.34.in-addr.arpa/DS/IN': 216.239.34.102#53
What does "chase DS servers" mean ?
Thanks,
- J
--
Visit https
Hello,
On a Bind 9.18.19 server configured as a recursive resolver, I sometimes
see URLs being noted in the log files.
One such example is:
02-Nov-2023 23:32:19.435 lame-servers: info: success resolving
'https://app-measurement.com/sdk-exp/A' after disabling qname
minimization due to 'ncac
Hello,
I have a basic recursive resolver configuration with Bind 9.18.19 that
acts as the resolver for some VPN roadwarrior clients (a mix of Apple
iOS and macOS clients).
Periodically I will see the following in my logs:
02-Nov-2023 15:06:27.658 resolver: info: loop detected resolving
'ns1
On 2022-08-25 18:04, Greg Choules wrote:
Hi again J.
If I understand correctly, you want to enable querylog on a busy
recursive server permanently, rotate the files once a day and don't care
if you lose some logs because the number of queries on a busy day
generates more data than the specifie
On 2022-08-25 16:46, Richard T.A. Neal wrote:
Hi J,
I'm coming a little late to the party on this one and I think you might
struggle to do rotation based on both date/time *and* file size, but I use
logrotate to rotate all of my BIND logs daily, keeping 31 days of logs. And
you'll see that o
On 2022-08-25 04:52, Anand Buddhdev wrote:
On 25/08/2022 05:23, J Doe wrote:
Hello J Doe,
I was wondering if anyone could provide feedback on whether the
following: newsyslog.conf file is correct to allow for daily log
rotation for my Bind 9.16.30 logs ?
My current logging settings in
On 2022-08-25 03:05, Greg Choules wrote:
Hello J
What is it you're actually trying to achieve here?
Cheers, Greg
Hi Greg,
I'm looking to have my: queries.log (which logs all the queries my Bind
9.16.30 recursive resolver resolves), rotated at the end of the day and
I'd like to keep 7 days
Hello,
I was wondering if anyone could provide feedback on whether the
following: newsyslog.conf file is correct to allow for daily log
rotation for my Bind 9.16.30 logs ?
My current logging settings in: named.conf are:
...
logging {
channel chn_file_queries {
b
nssec clientnon dnssec
client
You don’t want the second recursive server to spend all its time re-asking
queries that will fail validation
On 29 Apr 2022, at 11:24, J Doe wrote:
Hi,
I am configuring an RPZ for a validating resolver. I read in the BIND 9.18.2
ARM that there is a boolean op
Hi,
I am configuring an RPZ for a validating resolver. I read in the BIND
9.18.2 ARM that there is a boolean option for RPZ zones called:
break-dnssec.
The ARM states:
...In that case, RPZ actions are applied regardless of DNSSEC.
The name of the clause option reflects the fact that
On 2022-03-30 02:23, Evan Hunt wrote:
On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:
I have a question about the bind.keys file and what happens when it is
not available.
[...]
** If I don't have bind.keys in my BIND directory but have:
dnssec-validation auto in my named.con
Hello,
I have a question about the bind.keys file and what happens when it is
not available.
According to the ARM:
dnssec-validation This option enables DNSSEC validation in named.
. . .
(To prevent problems if bind.keys is not found, the current trust
anchor is also co
On 2021-02-10 3:05 a.m., Alessandro Vesely wrote:
Hi Havard,
That's what I've been doing. For an incoming message, a temporary
failure means replying a 4xx code. The sender keeps the message in its
queue, and eventually gives up. Once upon a time, MTAs used to retry
sending for five
NS is...
>
> On Sun, 25 Aug 2019, m3047 wrote:
>> On Sat, 24 Aug 2019, J Doe wrote:
>>> [...] Is it possible to re-write a response on a reverse lookup ? For
>>> instance, if I considered example.com a “bad domain”, can I write a RPZ
>>>
Hello,
I have a basic question regarding RPZ on Bind 9.11.x.
Is it possible to re-write a response on a reverse lookup ? For instance, if I
considered example.com a “bad domain”, can I write a RPZ policy so that a
reverse lookup of IPs that map to example.com fails or is blocked ?
I know I c
28 matches