re Negative responses usually cached?
>>
>
> by TTL while in case of a SERVFAIL i am not sure if it get cached
>
Only authoritative negative responses are cached. SERVFAILs are never
authoritative, by definition.
--
Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail
ke "forward first".
Since I am retired, I no longer manage a BIND server, so I have no logs to
check on the behavior of "my" server. It would be interesting to see any
documentation on the algorithm used to detect the "closest" root server as
well as the log of someone e
that are used in the absence
of a hints file. You really only need a hints file if you are using a
non-standard (usually internal) root.
Once named "finds" a responsive root from either its internal list or from
the hints file, the hints are i
ve failures or more than M of the last K queries. I no longer have
access to the trivial script since I retired.
It's really harder than it looks to do right and I don't think my code was
adequately rigorous, but was capable of responding to most issues. I'm sure
more heuristics rea
https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
Note that chroot has just been re-enabled in the FreeBSD BIND ports. It's
not default,
uirement, it worked well in testing, so we
> considered it useful and happily supported it. :-)
>
SRV records are almost essential for some applications. I can't imagine not
supporting them.
HINFO is getting pretty rare. The security issues are pretty obvious and
its advantages are rathe
management up. Last post I saw said
mid-January. That should mean about now.
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
via
> HTTP, as the named process grows. See the "statistics-channels"
> documentation in the manual. You can use curl or wget to dump them to a
> file.
>
The standard tool for this on FreeBSD is fetch(1). E.g. fetch -o FILE "URL"
In a script I usually also use
>
> Really thanks,
>
> JeLo
>
>
Did you add the new zone to the slave's configuration (usually named.conf)?
I assume so, or it would never load. But named.conf is only read when named
is started or a 'reload' command is sent to it (rndc reload). Until then,
h
the wrong address which probably will result in a
failure, but may result in getting old data from a system that is no
longer updating.
Also beware of using too great an ncache TTL. This is the time to wait to
retry querying after an authoritative failure (NXDOMAIN). It is to prevent
flooding a serv
alidation
>> 14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.milA:
>> in fetch_callback_validator
>> 14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.milA:
>> fetch_callback_validator: got failure
>> 14-Nov-2013 12:58:13.233 d
to do so, just simple tcpdump will work well.
--
R. Kevin Oberman, Network Engineer
E-mail: rkober...@gmail.com
even running DNS? Is a firewall blocking the query?
The response? Is the server yours or someone else's? Is routing allowing
bi-directional communication? Is there an outage that is blocking
communication? The list of possibilities just goes on and on.
If you want help, you have to tell us something mo
hatever data they have unless that data is
delegated to your server.
--
R. Kevin Oberman, Network Engineer
E-mail: rkober...@gmail.com
short... A few
minutes.
The TTL on most stable RRs should be hours or even days. You shorten the
TTL when you plan some change in a "permanent" record.
--
R. Kevin Oberman, Network Engineer
E-mail: rkober...@gmail.com
ation in a Bind server.
>> >
>> > Measuring SERVFAILs seems to be a good proxy to measure DNSSEC's
>> > impact.
>> >
>> > Thanks for the reply.
>>
>> SERVFAILS are not rare and come from many things. Looking at the
>> delta
>
> Thanks for the reply.
SERVFAILS are not rare and come from many things. Looking at the delta
after enabling validation might be interesting, but in my experience
you are unlikely to see any difference beyond the jitter that will
always be there. Except for a couple of major goofs e
med start
This looks like FreeBSD. If so, just use 'service named restart' for
newer versions of FreeBSD. If the service command is not available,
you can use '/etc/rc.d/named restart'. It will properly stop named and
then restart it.
--
R. Kevin Oberman, Network Engineer
E-mai
recursion for
local system, I think it would be much simpler and more easily
maintained to use an ACL with the 'allow-recursion' option. Views
provide a lot of benefits for more complex cases, but to just control
recursion strikes me as overkill.
--
R. Kevin Oberman, Network Engineer
On Mon, Sep 3, 2012 at 5:24 PM, Mohsen Pahlevanzadeh
wrote:
> On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote:
>> On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh
>> wrote:
>> > Dear all,
>> >
>> > I installed bind in Debian/lenny, and
ce?
2. Does a firewall allow access to port 53/UDP?
There are other possibilities, depending on things like your network
configuration. Make sure that you can ping the server from the remote
system. And, please do not run an open recursive server. (Don't know
that you are trying to, but it look
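The two posts above (the allow-recursion ACL vs. views one, and the "do not run an open recursive server" one) both turn on how named evaluates an address_match_list. The following is an added example, not code from the posts or from BIND: a small model of that evaluation in Python, so the first-match and "!" negation rules can be exercised against a candidate allow-recursion list before it goes into named.conf. The ACL name "trusted" and all addresses are constructed for the example (RFC 5737 / RFC 3849 documentation ranges); "localhost" is approximated here as the loopback addresses, whereas named expands it to every address on the host's own interfaces, and TSIG key elements are not modelled.

```python
"""Model of BIND address_match_list evaluation (added example, not BIND code).

named walks the list in order and stops at the first element that matches;
a leading "!" negates that element, so "!192.0.2.66; trusted;" refuses one
host and then admits the rest of the named ACL.  A nested ACL counts as a
match for the outer list only when it matches positively; a negated match
inside it just means "keep going".  Nothing matching means denied.
"""
import ipaddress

def _element_matches(element, src, named_acls):
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return src.is_loopback          # approximation, see lead-in
    if element in named_acls:
        return match_acl(named_acls[element], src, named_acls)
    # plain address or prefix; a bare address becomes a /32 or /128
    return src in ipaddress.ip_network(element, strict=False)

def match_acl(acl, source, named_acls=None):
    """First-match evaluation.  True means `source` is permitted."""
    src = ipaddress.ip_address(source) if isinstance(source, str) else source
    for raw in acl:
        element = raw.strip().rstrip(";").strip()
        negated = element.startswith("!")
        if negated:
            element = element[1:].strip()
        if _element_matches(element, src, named_acls or {}):
            return not negated
    return False

def is_open_resolver(allow_recursion, named_acls=None, probe="198.51.100.1"):
    """If an arbitrary public address (TEST-NET-2 here) gets recursion, the
    server is an open recursive resolver."""
    return match_acl(allow_recursion, probe, named_acls)

if __name__ == "__main__":
    named = {"trusted": ["192.0.2.0/24", "2001:db8::/32"]}
    allow_recursion = ["!192.0.2.66", "trusted", "localhost"]
    for ip in ("192.0.2.5", "192.0.2.66", "2001:db8::1", "127.0.0.1", "198.51.100.1"):
        print(ip, "recursion" if match_acl(allow_recursion, ip, named) else "refused")
    print("open resolver:", is_open_resolver(allow_recursion, named))
```

The same list in named.conf would read `acl trusted { 192.0.2.0/24; 2001:db8::/32; }; options { allow-recursion { !192.0.2.66; trusted; localhost; }; };`; the point of the model is that order matters, which is easy to get wrong once a list mixes negations and nested ACLs.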
proprietary service is quite unlikely to register it or want
to do so. After all, it would serve no purpose at all, even if the SRV
records were used between enterprise facilities over the wider
Internet.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6..
SRV records [RFC2782]." Not even "should".
It appears to me that you are reading things into RFCs that are simply
not there. That said, the example you provide is silly, but I believe
it is valid.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
the
counter/logs of any firewall should confirm this or let you move on to
other options.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
hat you need to use rndc to
freeze the zone, edit the zone file, and thaw the zone. You really
can't edit a zone that is subject to any operation that makes use of
journal files (dynamic updates, in-line signing) while the zone may be
changing during the edit.
--
R. Kevin Oberman, Network Engineer
but will return the case of the authoritative record.
See RFC1034 3.1 for a general description or RFC1035, section 2.3.3 for detail.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
be tractable.
Once you have captured the data, you can use a tool like wireshark to
look at it.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
solete. I
suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC
software that does not support SHA256 at this time, but I suspect
someone, somewhere is running it.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
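For the SHA-1 versus SHA256 point in the post above, here is an added example (not code from the post or from any DNSSEC tool) of what actually differs between the two DS digest types: the DS digest is the hash of the canonical wire-format owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag is the 16-bit checksum from RFC 4034 Appendix B. RFC 8624 later made SHA-1 DS records a MUST NOT for new delegations while validators must still accept them. The DNSKEY below is a constructed stand-in with four bytes of "public key", not a real key, and the owner name is example.com.

```python
"""DS generation from a DNSKEY (added example, not from the posts)."""
import base64
import hashlib
import struct

# digest type -> (name, hash constructor); 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256),
               4: ("SHA-384", hashlib.sha384)}

def name_to_canonical_wire(name):
    """Canonical form (RFC 4034 s.6.2): lowercased labels, length-prefixed, root terminator."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire RDATA of a DNSKEY: flags(2) protocol(1) algorithm(1) key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B checksum (the RSA/MD5 special case is not handled)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Return (key_tag, algorithm, digest_type, uppercase hex digest)."""
    _, hasher = DIGEST_ALGS[digest_type]
    digest = hasher(name_to_canonical_wire(owner) + rdata).digest()
    algorithm = rdata[3]
    return key_tag(rdata), algorithm, digest_type, digest.hex().upper()

def ds_presentation(owner, rdata, digest_type=2):
    tag, alg, dtype, hexdigest = make_ds(owner, rdata, digest_type)
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, hexdigest)

def ds_is_acceptable_for_new_delegation(digest_type):
    """RFC 8624: SHA-256 MUST, SHA-384 MAY, SHA-1 MUST NOT for new DS records."""
    return digest_type in (2, 4)

if __name__ == "__main__":
    # constructed KSK-flagged (257) DNSKEY, algorithm 8, fake 4-byte key
    rdata = dnskey_rdata(257, 3, 8, "AQIDBA==")
    for dtype in (1, 2):
        print(ds_presentation("example.com.", rdata, dtype),
              "" if ds_is_acceptable_for_new_delegation(dtype) else "  <- do not publish")
```

Because the owner name is part of the digest input, a DS computed for "Example.COM." and for "example.com" must come out identical; that is why the name is lowercased before hashing, and it is a cheap sanity check when comparing a DS you generated with one the registry shows.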
ures
for handling these in place and, ironically, that is what complicated
things.
On my semi-retirement, I passed support for our DNS on to other, very
capable hands who are very knowledgeable on DNSSEC, but I suspect that
a KSK roll will prove 'interesting'.
--
R. Kevin Oberman, Netwo
aily and rolling ZSKs every 2 weeks for
over a year with no glitches at all, though we are using a non-BIND
solution (Secure64) to do the signing. Still, it tells me that it is
possible and I suspect that BIND 10 will move closer to that point.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6..
s about how careful people have to be about handling
details when DNSSEC is added. It simply can't be the "set and forget"
DNS of the past, at least not until and unless tools become far more
bullet-proof.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
hat things were working when the registry was not yet
ready to accept DS keys in any standard way.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
ery might return over 512 bytes of data.
The removal of the 512 byte limit on DNS packets is well over a decade old
and dancing around it is a losing proposition. You must either fix your
firewall (the right solution) or set your servers to NOT set the EDNS flag
(a work-around that will probabl
n the other side of the tunnel must talk IPv6.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
kets. Without edns0, UDP packet size is limited to 512 bytes. With
edns0, packets may typically run up to 4K bytes.
If you are seeing issues with edns0, look for firewall issues. Make
sure that it is not limiting DNS UDP to 512 and that it is allowing
fragments. These are two of the most cause
band-aid that will just keep breaking
things.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
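The posts above about the 512-byte limit, EDNS0 and firewalls that drop large UDP or fragments are easier to reason about with the bytes in front of you. The following is an added example, not code from the posts or from BIND: it builds the same query with and without the OPT pseudo-RR of RFC 6891 (so the only difference a firewall could object to is visible), walks a message to read back the advertised UDP payload size and DO bit, and classifies a reply header. The query name example.com, the query ID and the reply bytes in the usage are constructed, not captured.

```python
"""EDNS0 on the wire and what to do with the reply (added example)."""
import struct

TYPE_OPT = 41
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
DO_BIT = 0x8000                      # high bit of the OPT RR's "TTL" field

def encode_name(name):
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def build_query(qname, qtype=1, qid=0x1234, edns=True, udp_payload=4096, dnssec_ok=True):
    """Standard query; with edns=True an OPT RR advertising udp_payload is appended."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        ttl_field = DO_BIT if dnssec_ok else 0
        # OPT: root owner name, type 41, the CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl_field, 0)
    return msg

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length

def find_opt(msg):
    """(udp_payload, dnssec_ok) from the OPT RR, or None if the message has none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return None

def classify_reply(reply):
    """'truncated' means retry over TCP.  A 'timeout' on an EDNS query that
    succeeds when the same query is sent without EDNS (512-byte limit) is the
    usual signature of a firewall dropping large UDP or fragments; fix the
    firewall rather than turning EDNS off."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "malformed"
    flags = struct.unpack("!H", reply[2:4])[0]
    if not (flags & FLAG_QR):
        return "not-a-response"
    if flags & FLAG_TC:
        return "truncated"
    rcode = flags & 0x000F
    return "answer" if rcode == 0 else "rcode-%d" % rcode

if __name__ == "__main__":
    plain, edns = build_query("example.com.", edns=False), build_query("example.com.")
    print(len(plain), "bytes without EDNS,", len(edns), "bytes with OPT", find_opt(edns))
    # constructed reply header: QR|TC|RD|RA set, one question, no records
    truncated = b"\x12\x34\x83\x80\x00\x01\x00\x00\x00\x00\x00\x00" + plain[12:]
    print(classify_reply(truncated))
```

Sending `build_query(..., edns=False)` after an EDNS timeout is only a diagnostic step; if the second query answers, the firewall in the path is the thing to fix, as the posts say.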
the files as stated. named should be able to read
the named.conf file, but should not own it or have write access to it.
named must have read access to all zone files as well as both read and
write to the directory where they are located.
--
R. Kevin Oberma
ending on exactly what you are trying to accomplish, you might get there by:
1. A DNAME in the parent. This aliases the entire domain, so this
might or might not do what you want.
2. Use an A (and other records as needed) instead of a CNAME.
--
R. Kevin Oberman, Network Engineer
On Wed, Sep 21, 2011 at 2:25 AM, Niall O'Reilly wrote:
>
> On 21 Sep 2011, at 02:08, Kevin Oberman wrote:
>
>> dig confirms that .com had the glue for water.com.
>
> As does dnscheck.iis.se.
> Indeed, none of the test history (5 tests, today and yas
m.
>
> Lyle Giese
The problem is that .com has the records. In the real world you provide glue
to your registrar and they provide the glue to the delegating zone.
dig confirms that .com had the glue for water.com.
R. Kevin Oberman, Network Engineer
Retired
kob6...@gmail.com> LCR Compu
A 12.44.84.214
>
> ;; Query time: 22 msec
> ;; SERVER: 192.42.93.30#53(192.42.93.30)
> ;; WHEN: Tue Sep 20 13:21:28 2011
> ;; MSG SIZE rcvd: 105
>
> Regards,
> Chris Buxton
> BlueCat Networks
I just did some checks and I think dnscheck is broken. I get
on of DNS is to have multiple
servers, all answering and all having identical data for queries from
any particular
source.
Kevin Oberman
Network Engineer -- Retired
kob6...@gmail.com
onse from that system and people at the
branch office will usually get responses from that server. But, if the
servers are configured properly, they will always be in sync within
seconds of any change.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
On Tue, Aug 30, 2011 at 11:33 AM, mfla wrote:
> Dears,
> I use ProBIND to administrate my BIND servers.
> I would like to know which other possibilities are available for DNS central
> management ?
At my former employer, we used Nixu Namesurfer.
--
R. Kevin Oberman, Network Engineer
see two NS records in the gtld servers for com and the
dig returns SOA records for both when I query 8.8.8.8.
dig spinsix.com. +nssearch @8.8.8.8
SOA ns63.domaincontrol.com. dns.jomax.net. 2011080600 28800 7200
604800 86400 from server 216.69.185.42 in 75 ms.
SOA ns63.domaincontrol.com. dn
commercial tools are available, but I am not sure of
open source tools that support IPv6 well.
Finally, you really need to move to at LEAST 9.7. It has decent DNSSEC
support and many other important capabilities.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
Group who also developed BSD Unix from which all BSD flavors
developed. The primary authors of BIND v4.3(?) were four grad students
at UC.
See BIND on Wikipedia
(https://secure.wikimedia.org/wikipedia/en/wiki/BIND) for more
details.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@g
oo much.
>
> Is this abuse? If so, is it likely intentional?
There are many apps that can generate the volume of queries you are seeing.
The query rate is really not that high.
My first guess is some sort of logging tool, but there are a great many
other possibilities.
R. Kevin Oberman,
ded data that must be
moved for 64-bit operations. It also means the 64-bit binaries are
larger, often by a significant amount.
I recommend sticking with 32-bit systems unless you have a specific
need for 64-bit capacity.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
n't reproduce it myself
> (probably, I'm doing something wrong).
You can't trigger it any longer. The .gov people imposed a work-around
that prevented the bug from being triggered. This was done quite a few
hours ago.
--
R. Kevin Oberman, Network Engineer
Energy Scienc
will actually be
checked again. This is a fail-safe mechanism to control load on servers,
but checking every 10 or 15 minutes is not a serious load.
Fortunately, BIND has a sanity check that limits min TTL to 3 hours, so
yours is not as bad as it seems, but I'd really suggest changing it.
nit.d/
> directory.
>
> I know that if bind is installed via apt-get install (I am using
> debian linux version), there is automatically a bind9 startup script
> in /etc/init.d/ directory.
It would help a bit if you gave us a hint as to what OS and OS version
as well as the vers
ons are supported for 9.4 and 9.6
Yes, it has, but FreeBSD-7.2 is rather old and not supported. FreeBSD is
now at 8.2 and includes 9.6-ESV-R4. 7.4 is also fully supported and has
9.4-ESV.
Of course, as you mention, the ports are more current. It has several
versions including 9.7.3 and 9.8.0
It may get updated in just a few seconds, but
the server will continue to respond that it does not exist until the
negative cache TTL expires.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.ne
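Three of the posts above turn on the same number: the one saying only authoritative negative responses (not SERVFAILs) are cached, the warning about setting too large an ncache TTL for NXDOMAIN, and the note that BIND caps the negative TTL at 3 hours (the max-ncache-ttl default, 10800 seconds) and keeps answering "does not exist" until that TTL runs out. The following is an added example, not code from the posts or from BIND, showing how that value is derived: RFC 2308 section 5 takes the smaller of the SOA MINIMUM field and the TTL of the SOA RR itself, and the resolver then applies its own ceiling. The SOA records are constructed for the example; example.net and example.org are stand-ins.

```python
"""Negative-cache TTL derivation per RFC 2308 (added example, not BIND code)."""
import re

BIND_DEFAULT_MAX_NCACHE_TTL = 10800          # BIND 9 default for max-ncache-ttl

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)"
    r"\s+(?P<minimum>\d+)\s*$"
)

def parse_soa(text):
    """Parse a one-line presentation-format SOA record into a dict."""
    m = _SOA_RE.match(text.strip())
    if not m:
        raise ValueError("not a single-line SOA record: %r" % text)
    fields = m.groupdict()
    for key in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        fields[key] = int(fields[key])
    return fields

def negative_ttl(soa, max_ncache_ttl=BIND_DEFAULT_MAX_NCACHE_TTL):
    """Seconds a resolver keeps an NXDOMAIN/NODATA answer for this zone.
    RFC 2308 s.5: min(SOA MINIMUM, SOA RR TTL); then the resolver's own cap."""
    rfc2308_ttl = min(soa["minimum"], soa["ttl"])
    if max_ncache_ttl is None:
        return rfc2308_ttl
    return min(rfc2308_ttl, max_ncache_ttl)

def is_negatively_cacheable(rcode, answer_count, soa_in_authority):
    """Negative caching applies to NXDOMAIN and NODATA answers that carry the
    zone's SOA.  SERVFAIL is not a negative answer; RFC 2308 s.7.1 treats
    server failure separately and the SOA-derived TTL does not apply to it."""
    if not soa_in_authority:
        return False
    return rcode == RCODE_NXDOMAIN or (rcode == RCODE_NOERROR and answer_count == 0)

def seconds_until_new_record_is_seen(soa, cached_at, now):
    """A resolver that cached NXDOMAIN at `cached_at` keeps saying the name
    does not exist until the negative TTL expires, however fast the zone
    itself was updated."""
    return max(0, cached_at + negative_ttl(soa) - now)

if __name__ == "__main__":
    soa = parse_soa("example.net. 86400 IN SOA ns1.example.net. hostmaster.example.net. "
                    "2013111401 7200 900 1209600 86400")
    print("RFC 2308 value:", negative_ttl(soa, max_ncache_ttl=None),
          "  as seen through BIND's default cap:", negative_ttl(soa))
    print("SERVFAIL cacheable as negative answer:", is_negatively_cacheable(RCODE_SERVFAIL, 0, False))
```

Note the two knobs: MINIMUM is set by the zone owner, but a large value only reaches other people's resolvers up to whatever cap they run; the hundreds-of-queries-per-second problem the posts describe is what a few minutes of negative caching is for.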
bove is an empty set. I can
imagine some reasons some might want to do it, but I can't come up with
a GOOD reason for it. Most people move their trust anchors out of the
DLV when they are confident that the keys are properly located in the
parent zone.
In other words, I think that this should be
t a sign
> they are actually doing it.
Yes, they are. As of the last report I have received, something over 50%
of all .gov zones are now signed with the DS records installed in the
.gov zone. Still quite a ways to go but substantial progress has been
made and people with broken firewall are s
On Sat, 2011-01-29 at 14:49 +0800, p...@mail.nsbeta.info wrote:
> The book "Pro DNS and BIND" says:
>
> If the caching server obtains its data directly from an authoritative DNS,
> then it too will respond as authoritative. Otherwise, if the data is
> supplied from its cache, the response is no
sue". I see a description of the
set-up and a statement that bind 8 works, but nothing about what is
failing on BIND 9.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
t; the next day or so so all the testing is being done on another
> box for now.
>
> Thanks for all the help from this list. I think we are more
> there than not, but we aren't home yet.
Go ahead and start signing your master data and making the signed data
available so you can
sends out notifies to the
slaves which publicly serve the data. No need for two instances.
I believe the real claim to fame of Secure64 is the security of the
private keys. The system is FIPS140-2 level 2 certified and that is hard
to come by, especially without an HSM. This is very nice of dynam
> From: Mark Andrews
> Date: Thu, 09 Dec 2010 09:07:53 +1100
>
>
> In message <20101208214221.566771c...@ptavv.es.net>, "Kevin Oberman" writes:
> > I just ran into an odd issue with a TSIG signed zone transfer.
> >
> > On occasion I was lo
ere more appropriate
language that might indicate that it could also be an effective time-out
because the transfer took too long? Maybe "failed while receiving
responses: clocks are unsynchronized or maximum transfer time exceeded"?
--
R. Kevin Oberman, Network Engineer
Energy Sciences Netw
as not mentioned in arm9.7, so
> I'm asking here.
>
--
R. Kevin Oberman, Network Engineer
Energy Sciences N
> Date: Fri, 03 Dec 2010 13:08:23 -0800
> From: "Kevin Oberman"
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> I would really like to get the huge number of rejected recursive
> queries out of my logs, but I have failed, so far. I am referring to:
Or am I missing something else?
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3
pires. I think
the heading in the RFC is "TTL Considerations", but I am working from
memory.
I don't use BIND to sign my data, so I am not sure how "smart" BIND is
about these numbers.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Networ
inname
> >
> Date: Tue, 23 Nov 2010 16:18:17 -0600
> From: "Wilbert J. Rojas O."
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> Jonathan Thanks for responding, but I don't understand your idea.
>
>
> Ing. Wilbert J. Rojas O. |Equ
ntion that I use bind-9.7.2-P2.
> > Removing the journal (as a workaround for now) helps although it's no
> > solution.
> > The nsupdate commands are:
> > server ns.zone.tld
> > zone my.zone.tld
> > update delete my.zone.tld A
> > update add my.zone
ping the DNS server?
It almost sounds like something has a bad subnet mask, but that is less
likely if the host is in the same /24 as the server.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Lab
of BIND is included in your Fedora? Last I looked, the
version was ancient. 9.3 or something similar.
You really need to update to 9.7.2-P2 as 9.7 is the first (and only) version
to support managed-keys. 9.3 does not really support dnssec at all, if
that is what you have. Useful DNSSEC showed up somewhere i
newsyslog.conf? Are you starting it properly so that the PID file is in
the right place, usually /var/run?
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net P
s are returned.
I think that this is unfortunate, but there is too much software out
there (including many standard libraries) that make the same silly
assumption to think it can be changed. There is even an RFC saying
approximately this. Sorry, but I don't recall which one.
--
R. Kevi
asy.
Yes, I am sure that some script somewhere depends on some "wrong"
response from nslookup, but I can't see keeping nslookup(1) alive as is
for that amazingly unlikely case.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
E
> Date: Thu, 07 Oct 2010 01:53:29 +1100
> From: Ben McGinnes
>
> On 7/10/10 1:47 AM, Kevin Oberman wrote:
> >
> > I keep hoping for a BIND distro that upgrades nslookup(1) to:
> > print STDERR "nslookup(1) has been replaced by host(1)\n"; exit 0;
>
S. And dig/host is to be greatly preferred for that purpose over
> nslookup, which sucks in more ways than I care to list here.
I keep hoping for a BIND distro that upgrades nslookup(1) to:
print STDERR "nslookup(1) has been replaced by host(1)\n"; exit 0;
I've been wishi
e com zone.
I know that netsol (and the other registrars) do not update glue based
on what is returned from an NS query to the current authoritative
server. Doing so would create a huge security issue and an easy way to
hijack DNS. Once DNSSEC is in place, it will become feasible to do
this, but I w
etting DO. I suspect WIN7 would.
This last section is largely an educated guess. I don't have time now to
read up on those details in the RFCs.
Again, get the @#$% firewall fixed! As time goes on, more and more
queries will be blocked by it as DNSSEC moves to the mainstream.
--
R. Kevin Oberm
or a zone if you are on Solaris, or a Solaris based
> distro.
While both are pretty simple to do on BSD, jail is far more secure, but
I certainly find setting up jails more complex than chrooting. (Besides,
the FreeBSD BIND is chrooted by default, so there is nothing to set up.)
--
R. Kevin Oberm
ven for government sites, though ONLY in cases
where dynamic DNS is used or the back-end DNS management system requires
it. Government sites may not keep the KSK on-line. See SP800-81r1
Section 9.4 for details.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence
it.
ICANN is the obvious place to go, but I don't believe the format ICANN
publishes in is compatible with anchors2keys. The XML schema is
different from that of the ITAR. Not that it is all that hard to figure
out. I will confirm that the ISC published key matches the one ICANN
has, but I wo
MINUTES.
The purpose of the negative cache is to keep servers from being
continually beaten on and reducing queries from some broken piece of
software from hundreds of queries/second to 4 or 5 per minute. (And
there were and probably are things still making hundreds of
queries/second because some reso
pport of
BIND on our public servers mostly unrelated to the IPAM and DNSSEC stuff
has really not been hard.
In the time it took me to send my reply, I could have updated BIND on
all of our public servers and I don't have to upgrade all that often. I
think running 9.3 is false economy. DNS is j
n't know of any highly regarded security expert
who recommends them and most object to them rather strongly.
I will admit to once having stateful firewalls in front of my DNS
servers, but after an unfortunate case of a badly written application
DOSing ourselves, stateful firewalls have been remo
that will not
mean that they will be accepting them immediately.
Until then, dlv.isc.org is the best (only?) option.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Ph
problems on a smaller scale
until the firewall is fixed.
Sent from my Treo:
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
E. O. Lawrence Berkeley National Laboratory (LBNL)
ober...@es.net +1 510-486-8634
-Original Message-
From: Paul Wouters
n explain what I overlooked and why this really IS a bad
idea. Or, maybe I got it right.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprin
example.com, it will start there. Obviously,
there should not be many queries to the root. I'll leave why there are as
an exercise for network researchers and those who write really stupid,
often broken software, that uses DNS.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (
://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/etc/namedb/named.conf?rev=1.31;content-type=text%2Fplain
You can add the unassigned space to those fairly easily, but make sure
that you update it as space is assigned.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (
e that includes tests of
DNSSEC. You can install the tests on a local system or run them on the
web site.
I also urge you to get a copy of NIST SP800-81r1, an excellent overview
and how-to on DNS security that goes well beyond DNSSEC. It is at:
http://csrc.nist.gov/publications/drafts/800-81-rev1/nis
12
bytes. (Well, it didn't have a "problem", it just blocked them. I'm not
sure what, if any code version fixes this. (I don't have any these days.)
If this has not been fixed, that might explain it.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Er
doesn't encrypt payload because it doesn't need to.
More specifically, I don't WANT to encrypt the data for either DNS or
NTP. In both cases I want the data to always be signed clear-text and
that is what DNSSEC does.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet
raft when
I printed it out, but I suspect that the final draft will match these
recommendations.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key
dicating it is on a server in a NATed
address space. The second is loopback.
The configuration is intended for a local server answering
authoritatively for internal, NATed addresses and forwarding all other
queries to servers in public space.
--
R. Kevin Oberman, Network Engineer
Energy Science
to act as a
stateless device and just pass traffic that was not blocked by the ACL.
A real-time black hole server in combination with ACLs is the only good
way to protect a server.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkel
> Date: Mon, 28 Dec 2009 18:02:29 -0800 (PST)
> From: Pamela Rock
>
>
>
> --- On Mon, 12/28/09, Mark Andrews wrote:
>
> > From: Mark Andrews
> > Subject: Re: IPv6 TCP
> > To: "Pamela Rock"
> > Cc: "Kevin Oberman" , "Chuc
var'
'--disable-linux-caps' '--with-randomdev=/dev/random' '--with-openssl=/usr'
'--with-libxml2=/usr/local' '--without-idn' 'STD_CDEFINES=-DDIG_SIGCHASE=1'
'--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=
validation. If you sign your data without enabling validation, it does
nothing, as far as I can tell.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Ke