Re: cname for apex record

2024-12-24 Thread John W. Blue via bind-users
I feel your pain. You do have to pick your battles and if you don't have anyone to back you up it becomes much, much harder. The over-arching issue here is that devs want everything to be easy for them at the expense of infrastructure. My favorite phrase to devs especially web devs is "this i

Re: cname for apex record

2024-12-24 Thread John W. Blue via bind-users
Because of the world we live in today, it has become too hard or uncool for people to type "www". Then to make matters worse most enterprise environments with an external Internet facing need to sit behind some type of CDN like Cloudfront, Akamai, etc. *just* to blunt the nonstop DoS traffic. John Se

Re: cname for apex record

2024-12-24 Thread John W. Blue via bind-users
Short answer: no. Longer answer: set the apex to an IP address of an external-facing webserver that you control so it can do an HTTP 302 redirection to your cloudfront name. John Sent from Nine From: "Cuttler, Brian R (HEALTH) via bin

RE: Logging with Unencrypted DNS, DoT and DoH

2024-09-17 Thread John W. Blue via bind-users
Ralph, You already may be aware of the BIND webinars put on by ISC and presented by Carsten: https://www.isc.org/docs/BIND_9webinar2.pdf https://www.youtube.com/watch?v=7Uu6XvY68SM If not, spend some time watching the video, and I would like to point out that slide 12 lists several COTS vendors

RE: Problem with a certain domain

2024-05-31 Thread John W. Blue via bind-users
Sorry, I did not spend too much time thinking about this, but if you are checking DKIM should that be a TXT query instead of an A record? John -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas Barth via bind-users Sent: Friday, May 31, 2024 12

RE: Facing issues while resolving only one record

2023-08-30 Thread John W. Blue via bind-users
Recommend you turn off DNSSEC validation and see if it starts working. If it does, then you know the issue is with how DNSSEC is configured on your server. John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R Sent: Wednesday, August 30, 2023 8:20 AM To: bind-use

RE: host restriction

2023-05-15 Thread John W. Blue via bind-users
Zoltan, There may be another way to make this work but this is what comes to my mind: ACLs in a view. https://kb.isc.org/docs/aa-00851 # named.conf acl google-is-good { 192.168.7.0/24; localhost; }; acl google-is-evil { 192.168.8.0/24; }; view google-good { match-clients { google-is-good;

RE: DNSSEC error resolving gpo.gov ?

2023-03-24 Thread John W. Blue via bind-users
Subject: Re: DNSSEC error resolving gpo.gov ? That is done also by bind 9.11, not only infoblox. It creates both digests on common operations. On 3/14/23 16:23, John W. Blue via bind-users wrote: > Keep in mind that SHA1 may not have been included by choice. > > If gpo.gov is using Infob

RE: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread John W. Blue via bind-users
Keep in mind that SHA1 may not have been included by choice. If gpo.gov is using Infoblox there is a, what I like to call, Infoblox-ism in play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it will create a SHA1. John -Original Message- From: bind-users [mailto

Re: Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-05 Thread John W. Blue via bind-users
Recommend you run tcpdump on the affected server: tcpdump -n -i ethxxx port 53 This should give you a better lay of the land instead of observational troubleshooting. If you do not see packets leaving then there is something on your side. If you see port 53 packets leaving and not returning c

RE: named out of swap on NetBSD/amd64

2023-02-11 Thread John W. Blue via bind-users
At the risk of stating the obvious .. have you tried 9.16.37 or 9.18.11? While I am usually down for an off-in-the-weeds hardcore root cause analysis of a problem, it is nice to get a quick win with a different version. John -Original Message- From: bind-users [mailto:bind-users-boun...@lists

RE: Email migration and MX records

2023-01-03 Thread John W. Blue via bind-users
Hi Bruce, It would be better to have an SMTP server return 421 "4.3.0" or 421 "4.7.0" while the migration is under way instead of bouncing the connection. 421 will tell all SMTP servers everywhere to "try again later". The 421 error is a proven greylisting configuration. Not knowing what is

RE: Add TXT records for SPF when CNAME exists in same sub-domain

2022-11-28 Thread John W. Blue via bind-users
RFC 1034 3.6.2 second paragraph: “If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for oth

Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread John W. Blue via bind-users
Sandeep, Are you all using CISA's Protective DNS? If so, there might be a ruleset that is causing problems. If not, and I have not checked, but is DNSSEC for SSA working correctly? John Sent from Nine From: "Bhangui, Sandeep - BLS CT

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
Also John .. how can SSHA and TLSA be used if the internal zone fails validation? John -Original Message- From: John Franklin [mailto:frank...@sentaidigital.com] Sent: Monday, August 1, 2022 12:45 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: DNSSEC signing of an internal

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
ecursive mode at the same time - should be two separate instances of BIND. On 8/1/22 7:51 PM, John W. Blue via bind-users wrote: Also do not disagree. However, the intent of the thread is to talk about the lack of an AD flag from a non-public internal authoritative server. Based upon what I am

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
: Monday, August 1, 2022 12:45 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) On Aug 1, 2022, at 12:15, John W. Blue via bind-users wrote: > > As some enterprise networks begin to engineer towards the conce

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: > While that extra overhead is true, it is more accurate to say that if > internal clients are talking directly to an authoritative server the > AD

DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC signing of an internal zone. Granted, it has long been considered unwise by DNS pros with a commonly stated reason that it increases the size of the zone ya

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
mail On 16.01.22 at 04:47 John W. Blue via bind-users wrote: > Lol. I am not going to do that either. Lol. can you do us all a favor and stop writing useless mails to lists at saturday night? that footer is for morons which send messages with "unsubscribe" to mailing lists

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
Lol. I am not going to do that either. Lol. -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald Sent: Saturday, January 15, 2022 9:44 PM To: bind-users@lists.isc.org Subject: Re: your mail Please visit https://lists.isc.org/mailman/l

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
/diverging tangent I don't want to diminish any contribution to the good of the cause that anyone is willing to make but ... I am not going to stop top posting. Personally, commentary about top posting is so 1997. Perhaps it is also because I have reached an age where I just don't care anymore

RE: your mail

2022-01-15 Thread John W. Blue via bind-users
Not to be ornery, but honestly, for me, globs of text that are pasted into an email are TLDR because I cannot *do* anything with it. So I skip it out of hand. A real tcpdump packet capture is a file that can be loaded by wireshark and analyzed. tcpdump -n -i port 53 -w One from the client and one

Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2021-08-22 Thread John W. Blue via bind-users
You're using the wrong tools to troubleshoot or investigate this error. Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net: https://dnsviz.net/d/pms.psc.gov/dnssec/ psc.gov is giving the world ID 5089 when they need to be handing out

RE: Sorry

2021-07-22 Thread John W. Blue via bind-users
I’m not judging but it sounds like to me what you are really describing is PTSD from installing Windows 7 and “upgrading” it to Windows 10. :D I too use Microsoft products but for infrastructure services facing the open Internet (like DNS) I only use BIND running on FreeBSD. Not knowing exactl

Re: Best DNSSEC documentation for current version?

2021-06-21 Thread John W. Blue via bind-users
Hello Brett, Have you seen the webinar videos on ISC's youtube channel? https://www.youtube.com/user/ISCdotorg/search?query=DNSSEC I would encourage you to attend them as they are presented. One even had VMs for the attendees to practice the information presented and ask questions. John __

Re: Inline signing fails dnsviz test.

2021-05-10 Thread John W. Blue via bind-users
Hello Dan. Does your registrar have the ability via a UI to place a DS record in the .name zone? And if so, have you done that already? John Sent from Nine From: Dan Egli Sent: Monday, May 10, 2021 12:20 AM To: bind-users@lists.isc.or

RE: Update DNSSEC Zone

2021-05-09 Thread John W. Blue via bind-users
Hi Peter .. How do you know your DNSSEC is working to begin with? Here is a URL that I prefer to use that will help answer that question: https://dnsviz.net/ What you are looking for is your zone to be “secure”. Since you are an experienced BIND admin .. any clues to be found in the logs?

Re: Name server delegation

2021-04-26 Thread John W. Blue via bind-users
Since "" is a subzone inside of the example.com zone the answer is yes, it can be delegated. John Sent from Nine From: Karol Nowicki via bind-users Sent: Monday, April 26, 2021 10:24 AM To: bind-users@lists.isc.org Subject: Name ser

RE: Testing KASP, CDS, and .ch

2021-04-09 Thread John W. Blue via bind-users
:12 PM To: bind-users@lists.isc.org Subject: Re: Testing KASP, CDS, and .ch On Fri, 2021-04-09 at 19:05 +0000, John W. Blue via bind-users wrote: > So the issue here is that the DS record that sits in .ch has an ID of 22048 > but the domainmail.ch servers are telling the world that the c

RE: Testing KASP, CDS, and .ch

2021-04-09 Thread John W. Blue via bind-users
+, John W. Blue via bind-users wrote: > So the issue here is that the DS record that sits in .ch has an ID of 22048 > but the domainmail.ch servers are telling the world that the correct ID is > 17870. > > Thus the DNSSEC breakage. Of course, however there is no 22048 id in Gandi

RE: Testing KASP, CDS, and .ch

2021-04-09 Thread John W. Blue via bind-users
So the issue here is that the DS record that sits in .ch has an ID of 22048 but the domainmail.ch servers are telling the world that the correct ID is 17870. Thus the DNSSEC breakage. John -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jim Pop

RE: underscores in A queries

2021-04-09 Thread John W. Blue via bind-users
It would seem that underscores are one of those characters in DNS that lead a double life. RFCs say that underscores are disallowed for use in hostnames but SRV records use them to indicate service type et al. And then you have the acm-validations.aws geniuses who use it in their hostnames to vali

RE: Timeout setting

2021-03-25 Thread John W. Blue via bind-users
When I queried the authoritative server directly it worked: ;; QUESTION SECTION: ;111.250.179.17.in-addr.arpa. IN PTR ;; ANSWER SECTION: 111.250.179.17.in-addr.arpa. 86400 IN PTR rn2-msbadger07105.apple.com. ;; Query time: 62 msec ;; SERVER: 17.47.176.10#53(17.47.176.10) I would re

RE: Bind 9.11 serving up false answers for a single domain.

2021-02-11 Thread John W. Blue via bind-users
..@lists.isc.org] On Behalf Of @lbutlr Sent: Thursday, February 11, 2021 6:18 PM To: bind-users Subject: Re: Bind 9.11 serving up false answers for a single domain. On 11 Feb 2021, at 16:38, John W. Blue via bind-users wrote: > I have found to tshark to be useful as well but the failing

RE: Bind 9.11 serving up false answers for a single domain.

2021-02-11 Thread John W. Blue via bind-users
0, 2021 10:37 PM To: bind-users@lists.isc.org Cc: John W. Blue Subject: Re: Bind 9.11 serving up false answers for a single domain. I rather prefer tshark to tcpdump: it's essentially the command line version of wireshark, and thus has wireshark's protocol "dissecting" abilities.

RE: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread John W. Blue via bind-users
So out of curiosity why does the us tld have a SHA1 DS in root? Should be an easy thing to tidy up, eh? John -Original Message- From: Stuart@registry.godaddy [mailto:Stuart@registry.godaddy] Sent: Wednesday, February 10, 2021 7:20 PM To: John W. Blue; bind-users Subject: Re: Bind 9.11

RE: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread John W. Blue via bind-users
DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 -Original Message- From: Stuart@registry.godaddy [mailto:Stuart@registry.godaddy] Sent: Wednesday, February 10, 2021 5:24 PM To: John W. Blue; bind-users Subject: Re: Bind 9.11 serving up false answers

RE: Bind 9.11 serving up false answers for a single domain.

2021-02-10 Thread John W. Blue via bind-users
Three words: tcpdump and wireshark It is like peanut and jelly .. hall and oates .. salt and pepper .. ebb and flow .. pen and paper .. I could go on but … Know them. Love them. They are your newest best friends. Using tcpdump IMHO should be the first tool anyone uses when troubleshooting

RE: Testing a new master server...

2020-11-18 Thread John W. Blue via bind-users
Hello Bruce! For opening comments .. I have nothing but empathy for you and the firefight you are in. "Intuitional inertia" is never enjoyable especially when you are the one tasked with change. So you indicated "upstream network management" is sending DNS/DHCP traffic but then you say that i

Re: DNSSEC migration sanity check

2020-09-04 Thread John W. Blue via bind-users
Howdy bind-users list. TLDR: we were able to move zones between DNS servers with different KSK/ZSK while keeping the zones secure. First I want to say a BIG thank you for the replies received since it helped in documenting our workflow for these migrations. Off list, Paul E. mentioned that a

DNSSEC migration sanity check

2020-08-19 Thread John W. Blue via bind-users
We are in the process of moving from one IPAM vendor to another. All of our zones are DNSSEC signed and the TTLs have been lowered to 300 seconds. At a high level, the playbook is to update the registrar with names/IP addresses of the new servers and update the DSKEY. Depending on the time of

RE: broken trust chain

2020-07-28 Thread John W. Blue via bind-users
What version of BIND are you using? John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of youssef.fassifi...@inwi.ma Sent: Tuesday, July 28, 2020 6:10 PM To: bind-users@lists.isc.org Subject: broken trust chain Hi All, I am using Bind as resolver for end users . A

RE: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-17 Thread John W. Blue
Speaking about things to be annoyed over .. I am still ticked that FreeBSD dropped BIND from the distribution for something called unwinding or whatever it is. John -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ted Mittelstaedt Sent: Friday

RE: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread John W. Blue
From a BIND point of view "in-addr.arpa" is a unique zone with no dependencies. John -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of DeCaro, James John (Jim) CIV DISA FE (USA) via bind-users Sent: Thursday, July 09, 2020 8:16 AM To: Mark Andrew

Re: Bind9 shared cache

2020-04-19 Thread John W. Blue
In BIND views can be configured to share a cache on the same server but I do not think that it can be done between servers. That said, time for a sanity check. Does this configuration resolve a specific technical problem? If so, then I would recommend you keep running your unbound system. If

RE: Bind 9 not responding to queries

2020-04-12 Thread John W. Blue
Sir Izake, Any network troubleshooting starts with finding out what is being placed on the wire. In your particular example it sounds like you need to validate if this Cent box is seeing a SYN flood. You do this by using tcpdump. Assuming you only have one ethernet adapter (which by extension

Re: securing bind in todays hostile environment

2020-01-19 Thread John W. Blue
Since it sounds like you have not had much experience with, I urge you to check it out should you have anything in your environment that could benefit from automation. Simply telling someone to chunk it and not have any experience with it is a little misguided IMO. We pay multiple different t

Re: securing bind in todays hostile environment

2020-01-18 Thread John W. Blue
Some things to think about .. 1. What is your/team's plan B to fix this type of ansible environment should it get horked up? There is a ton of stuff that is being configured for you all under the hood and by your own admission you're a novice. The laws of unintended consequences apply. 2. Why

Re: Obfuscating SOA information in RPZ

2019-11-29 Thread John W. Blue
What does the complaint look like? Is it preventing this industrial machine from doing its job? John Sent from Nine From: Ict Security Sent: Nov 29, 2019 7:18 AM To: bind-users@lists.isc.org Subject: Obfuscating SOA information in RPZ

RE: Inquiry re: DNS over HTTPS

2019-11-04 Thread John W. Blue
Additionally, Tony Finch back on July 11th of this year suggested: To give DoH access to clients you need a proxy such as dnsdist or doh101. https://dotat.at/cgi/git/doh101.git https://dnsprivacy.org/wiki/display/DP/Using+dnsdist+for+DoT+and+DoH John From: bind-users [mailto:bind-users-boun...@

RE: Bind-Efficientip

2019-10-20 Thread John W. Blue
There is a ton of fluff on the EfficientIP website about carrier grade this and carrier grade that. So it feels like to me that you are getting trapped in the marketing goo when you really should be asking if an IPAM solution is what your organization needs. That said, IPAM software (Infoblo

RE: DNSSEC basic information

2019-09-24 Thread John W. Blue
esday, September 24, 2019 2:01 PM To: John W. Blue Cc: bind-us...@isc.org Subject: RE: DNSSEC basic information John W. Blue wrote: > > Nothing prevents anyone from using DNSSEC internally but, as I > understand it, that was not the intent. I'm a relative newcomer having only done DNSSEC for

RE: DNSSEC basic information

2019-09-24 Thread John W. Blue
example, if you have an > internal network using a fake TLD and you want to prevent it from showing up > as bogus. ... and in a separate message, John W. Blue wrote: > 1. DNSSEC was designed for external zones I have a case where I recently had to use "validate-except" bec

RE: DNSSEC basic information

2019-09-23 Thread John W. Blue
Jukka, Some odds n ends in no particular order: 1. DNSSEC was designed for external zones 2. Use delv instead of dig when troubleshooting DNSSEC and play around with these options: +rtrace (resolver) +vtrace (validation) You want to see “fully validated”. 3. Commit these values to memory so

Re: BIND setup for GSLB (Global Service Load Balancing)

2019-09-12 Thread John W. Blue
Roberto, I don’t think an F5 type open source solution exists that will give you active updates to DNS. If you do not need to update DNS based upon outages and are just looking for DNS to work in general then anycast comes to mind. John > On Sep 12, 2019, at 11:40 AM, Roberto Carna wrote: > > Hi

Re: rndc - sync before reload?

2019-07-14 Thread John W. Blue
Please elaborate on the technical reason why instead of being terse. Thanks! John Sent from Nine From: Anand Buddhdev Sent: Saturday, July 13, 2019 4:48 PM To: John Thurston; bind-users@lists.isc.org Subject: Re: rndc - sync before relo

Re: rndc - sync before reload?

2019-07-11 Thread John W. Blue
I have zero experience with dynamic zones on BIND because all of ours are static. That said, and since nobody else has commented, it seems like it would make sense to sync before reload. The man says that sync writes out to the journal which shouldn't ever be a bad thing. John Sent from Nine

Re: Bind9 stops responding for some clients

2019-05-30 Thread John W. Blue
Good job on the amount of troubleshooting work done so far. Next steps should be to run tcpdump on the interface for port 53 to see what is happening when an outage is in progress. What you will be looking for specifically is the query packet in and the response packet out. Use the following c

RE: rndc and nsupdate failing to work for me

2019-03-13 Thread John W. Blue
Marc, Regarding your rndc problem, I think you might be confusing rndc. If rndc is invoked with no options, specifically “k”, then rndc assumes the key it needs is in the rndc.conf file. If rndc.conf is not present, rndc will use the default rndc.key file. That said, since rndc knows there is

RE: BIND DNS Enable audit logs - Authoritative

2019-01-11 Thread John W. Blue
> We edit our zones manually .. *cringe* No wonder you are looking for audit logging! Yikes. Outside of DDI specific solutions like Infoblox or Bluecat, you might want to check out Webmin. It logs all changes made via its interface: https://doxfer.webmin.com/Webmin/Webmin_Actions_Log John

RE: SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2019-01-01 Thread John W. Blue
“It looks like you are using a System V-style OS. BSD is waiting for you. Would you like some help?” Kidding aside, Slackware is old school awesome. ;) From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Noel Butler Sent: Tuesday, January 01, 2019 5:32 PM To: bind-users@l

SSL cert for lists.isc.org expired on Saturday, December 29, 2018

2018-12-31 Thread John W. Blue
nuff said, eh? I thought that Let's Encrypt wanted to roll / revalidate SSL certs every 90 days. IIRC they have automation for apache and DNS tools when it comes to revalidation. Good hunting! ___ Please visit https://lists.isc.org/mailman/listinfo/b

RE: Question about visibility

2018-10-24 Thread John W. Blue
I agree on using non-standard ports as well. Moving SSH to a non-standard port is a perfect example of how to actually ID bad actors. It follows that any host connecting to 22 is clearly traffic that needs to be dropped and blocked. And if that host is blocked then any other connections it wo

RE: Zone transfer failure

2018-10-17 Thread John W. Blue
And make sure that all of your servers are sync’d to the same NTP. That has burned me in the past. John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bob Harold Sent: Wednesday, October 17, 2018 9:16 AM To: ampra...@gmail.com Cc: bind-users@lists.isc.org Subject: Re:

RE: Question about forwarder zones

2018-10-15 Thread John W. Blue
Based upon everything that I am reading it is name specific. To wit: ".. forwarding rules apply to queries for all domain names that end in the domain name of the zone." So it would follow that "example.com" would not get queries for "reallycool.example.com" if zone forwarding is configured co

RE: BIND DNS problem (?)

2018-09-26 Thread John W. Blue via bind-users
I could not zoom in to see anything. Please post a better screenshot or better yet post the .pcap itself for download and review. John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jukka Pakkanen Sent: Wednesday, September 26, 2018 2:46 AM To: bind-users@lists.isc.org

RE: How to create an SRV record for the CSTA service

2018-09-13 Thread John W. Blue
Meh. Don’t sweat it .. everyone has goofed in some manner at sometime or another. Besides, we are team BIND! We won't tell a-n-y-o-n-e. ;) -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of King, Harold Clyde (Hal) Sent: Thursday, September 13,

RE: Frequent timeout

2018-09-11 Thread John W. Blue
l suggestions. Good hunting! John -Original Message- From: Alex [mailto:mysqlstud...@gmail.com] Sent: Tuesday, September 11, 2018 1:57 PM To: John W. Blue; bind-users@lists.isc.org Subject: Re: Frequent timeout Hi, On Tue, Sep 11, 2018 at 2:47 PM John W. Blue wrote: > > If you use

RE: Frequent timeout

2018-09-11 Thread John W. Blue
does not look like a bandwidth issue at this particular point in time. John -Original Message- From: Alex [mailto:mysqlstud...@gmail.com] Sent: Tuesday, September 11, 2018 1:19 PM To: bind-users@lists.isc.org; John W. Blue Subject: Re: Frequent timeout Hi, Here is a much more reason

RE: Frequent timeout

2018-09-06 Thread John W. Blue
:bind-users-boun...@lists.isc.org] On Behalf Of Alex Sent: Thursday, September 06, 2018 2:54 PM To: bind-users@lists.isc.org Subject: Re: Frequent timeout On Thu, Sep 6, 2018 at 3:05 PM John W. Blue wrote: > > Alex, > > Have you uploaded this pcap with the SERVFAIL's? I didn

RE: Frequent timeout

2018-09-06 Thread John W. Blue
Alex, Have you uploaded this pcap with the SERVFAIL's? I didn't have time to look at your first upload but can review this one. John -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alex Sent: Thursday, September 06, 2018 1:49 PM To: c...@bying

Re: KSK Rollover

2018-09-06 Thread John W. Blue
As I personally understand it you can ignore this notice if: a) you are not enforcing DNSSEC validation b) if you are running a version of BIND that supports automatic KSK updates. John Sent from Nine From: Brent Swingle Sent: Thursday,

Re: Frequent timeout

2018-08-31 Thread John W. Blue via bind-users
tcpdump is your newest best friend to troubleshoot network issues. You need to see what (if anything) is being placed on the wire and the responses (if any). My goto syntax is: tcpdump -n -i eth0 port domain I like -n because it prevents a PTR lookup from happening. Why add extra noise? As w

Re: Stopping name server abuse

2018-06-24 Thread John W. Blue
I disagree. Put up classy default page that is smart but funny while pointing out that owners of the domains are morons. So many options here! John Sent from Nine From: Warren Kumari Sent: Jun 24, 2018 3:36 PM To: Alex Cc: bind-users@

RE: Issue with AT&T IPs?

2017-12-05 Thread John W. Blue
DNS, by design, is generally speaking agnostic when it comes to providing answers to DNS questions. It would have to be a very deliberate edit to the "allow-query" option in the conf file to enable your construct of a "DNS blacklist". In an enterprise environment this type of defensive action

RE: command line ID vs Wireshark transaction ID (dns.id)

2017-08-11 Thread John W. Blue
> What nameserver addresses are listed in /etc/resolv.conf? So. resolv.conf has the non-RFC1918 ip addresses commented out *and* loopback is the only one enabled. Lovely. I decided to leave it as is and retested with: # tcpdump -n -i lo0 -s0 port domain tcpdump: verbose output suppressed

RE: command line ID vs Wireshark transaction ID (dns.id)

2017-08-10 Thread John W. Blue
Forgot to add a screenshot: http://www.rfmapping.com/transactionid.png Thanks! John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John W. Blue Sent: Thursday, August 10, 2017 6:07 PM To: bind-users@lists.isc.org Subject: command line ID vs Wireshark transaction ID

command line ID vs Wireshark transaction ID (dns.id)

2017-08-10 Thread John W. Blue
I have been trying to correlate the ID value returned via a command line query here: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796 to a "transaction ID" found in wireshark when it dissects the packet found here: Transaction ID: 0x1aa6 without any success because 0x1aa6 does not hex

RE: designing the DNS from the scratch

2017-07-09 Thread John W. Blue
Abdulhadi, Honestly, I think that a design spec of getting DNS responses in 3ms across the board is unrealistic. My initial MX query for litc.ly took 367ms: ;; ADDITIONAL SECTION: exmail.litc.ly. 14400 IN A 197.215.159.227 dns2.lttnet.net.21600 IN A 62.

RE: Delegation not found at parent

2017-06-11 Thread John W. Blue
Patrik, The issue here is that you are using pingdom.com to check to see if there is a subzone called “ns1” to which there is not. So the answer that you got is correct. Take “ns1” off and rerun the test. John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Patrik La

Re: Weird issue with bind & router

2017-05-25 Thread John W. Blue
Chris, First, what a strange problem to have. You really need to spend some time capturing the traffic placed on the wire via tcpdump and then slicing it up for clues with wireshark. If you set a continuous ping to the router that would be a good timestamp that you can use to correlate as a ma

RE: Providing GeoIP information for servers

2017-05-10 Thread John W. Blue
From the it-could-be-worse department: https://arstechnica.com/tech-policy/2016/08/kansas-couple-sues-ip-mapping-firm-for-turning-their-life-into-a-digital-hell/ I am more a fan of continental geolocation accuracy when it comes to IP addresses. John Fro

Re: RDRAND, etc [ wasRe: Slow zone signing with ECDSA

2017-04-20 Thread John W. Blue
TL;DR Sent from Nine From: Timothe Litt Sent: Apr 20, 2017 7:34 AM To: bind-users@lists.isc.org Subject: Re: RDRAND, etc [ wasRe: Slow zone signing with ECDSA On 20-Apr-17 01:26, Paul Kosinski wrote: "The tinfoil hat brigade in some distributions has resisted using t

Re: bind-dyndb-ldap integration

2017-03-24 Thread John W. Blue
The "alternative facts" are that it never happened. Even if did we wouldn't tell anyone. ;) John Sent from Nine From: Hika van den Hoven Sent: Mar 24, 2017 11:10 PM To: bind userlist Subject: Re: bind-dyndb-ldap integration Hoi Hika, Sorry for my initial double po

Re: Graphing BIND 9.11/9.10 Queries

2017-01-19 Thread John W. Blue
Daniel, Thanks for sharing. I like the HTTP statistics channel but trying slice up the XML has been challenging. Going to be checking this combo out. John Sent from Nine From: Daniel Stirnimann Sent: Jan 19, 2017 8:19 AM To: bind-users@lists.isc.org Subject: Re: Gr

Re: Test, please ignore

2016-11-20 Thread John W. Blue
Ignoring level currently at 100% of its original rated performance, beginning to throttle up to 104% but doing so under computer control. Sent from Nine From: John Anderson Sent: Nov 20, 2016 11:43 PM To: Dan Mahoney ;bind-us...@isc.org Subject: RE: Test, please ignore

RE: BIND/Control Panel/FreeBSD

2016-11-14 Thread John W. Blue
JCSL, Personally, my default choice for an OS is always FreeBSD first but let's be pragmatic. BSD 10.x changed drastically in many ways under the hood and control panel authors found the cost to benefit ratio too high to keep supporting FreeBSD. Assuming there is a really good reason why the

RE: ThreatSTOP BIND DNS Firewall Available

2016-10-06 Thread John W. Blue
So an item of note that I noticed is that the "quick start" guide: http://www.threatstop.com/sites/default/files/threatstop_quickstart_guide.pdf is more about getting the ThreatSTOP interface configured than an actual BIND DNS server. It might be the day that I am having but it sure was a slog

Re: forwarder (YES/NO)

2016-09-21 Thread John W. Blue
Pol, You can "audit" your traffic by getting a pcap via tcpdump and then analyzing it in wireshark. Packets don't lie. John Sent from Nine From: Pol Hallen Sent: Sep 21, 2016 2:35 PM To: bind-users@lists.isc.org Subject: Re: forwarder (YES/NO) hello again! > try r

Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread John W. Blue
From: Vinícius Ferrão Sent: Aug 30, 2016 11:36 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1 Unnecessary hate. OS X is a pretty standard Unix and it's POSIX certified instead of Linux for example.

Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread John W. Blue
I personally avoid all Apple products like the plague. Sadly, an iPhone 6s was foisted upon me by my place of employment. Piece of junk. Hate it. Ahem. Surely you can find some normal hardware to install unix on and then BIND, right? Or. How about throwing up a VM on the Mac and using that

RE: OPenssl 1.1 and Bind

2016-08-17 Thread John W. Blue
Doctor, I enjoyed how http://www.gizoogle.net/textilizer.php adjusted your sig: Member - Liberal International God, Queen n' ghetto dag! Never Satan Prezzy Republic! Beware AntiChrist rising! Look at Psalms 14 n' 53 on Atheism Time fo' tha USA ta hold a referendum on its rehood n' vote ta di

Re: Questions on how to setup Reverse DNS in bind 9

2016-07-17 Thread John W. Blue
Ken, You typically will not be delegated reverse DNS. Honestly, I would contact godaddy support directly and see if they can adjust it for you. As in, not on your server directly but either tell you how to do it in a control panel on your side of the fence or they just do it from their side.

Re: Testing

2016-06-24 Thread John W. Blue
Marco Sent from Nine From: Dan Mahoney Sent: Jun 24, 2016 6:28 PM To: bind-us...@isc.org Subject: Testing testing ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users m

RE: UDP Packet Hack

2016-06-21 Thread John W. Blue
(1) Does "dig" get its UDP packets from "named" server? Yes. tcpdump -n -i lo0 port domain $ dig www.allpowerlabs.com 20:36:28.073280 IP 127.0.0.1.10588 > 127.0.0.1.53: 18890+ A? www.allpowerlabs.com. (38) 20:36:28.210557 IP 127.0.0.1.53 > 127.0.0.1.10588: 18890 1/3/3 A 75.119.212.1

RE: Issues resolving outlook.office365.com

2016-06-16 Thread John W. Blue
>These were being blamed on "the network". Nothing can be blamed on the network without a client pcap. Otherwise it is just a bunch of hand waving and hot air. Show me the money. ;) John ___ Please visit https://lists.isc.org/mailman/listinfo/bind-u

RE: ISC considering a change to the BIND open source license

2016-06-14 Thread John W. Blue
>This change will not automatically ensure that commercial vendors modifying >BIND will support ISC, but it will at least communicate that this would be >appropriate. This. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread John W. Blue
Apologies. The intent is to drop inbound queries from the internet. Sent from Nine<http://www.9folders.com/> From: Mark Andrews Sent: May 16, 2016 3:41 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: New type of DDoS? Anyone saw it? In message , "John W. Bl

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread John W. Blue
Hello Marek, Do you have an IPv6 assignment? If not, there is really no need to even be resolving records. An overly simplistic description of a potential solution could be to just drop the incoming request via its hex value in much the same way rate limiting is done for the "any" q
