ld
and the output will show you if all the right things are in place and
that there is (or is not) a chain of trust from your trusted anchor
(DNSKEY) to your domain, and if not, where the chain is broken.
Regards,
Mike
--
Michael Milligan
ce with DNSSEC.
BIND 9.6 has support for automatically re-signing the zone (incremental
signing) as dynamic updates are processed.
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
(they check and add any
missing records). Watch syslog to make sure this happens. You can also
use GSS-TSIG in the latest versions of BIND to allow clients and domain
controllers to do dynamic updates of their DNS records too, but that's
another can of wor
.g.,
MX). All these (mis)behaviors regularly cause problems for
troubleshooters. And I can just imagine how they will deal with DNSSEC...
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
t's supposed to buy. I
wouldn't worry about implementing it... microsoft.com isn't even using
it and they invented it. ;-)
>
> http://www.openspf.org/SPF_vs_Sender_ID
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
and relaying insensitive.
See openspf.org and dkim.org for more details.
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
ME record is also included in the answer as
well as the synthesized CNAME record(s). I say records since DNAME
chains are possible here too (though not recommended of course).
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
do that
(insert vendor name here). Or a BIND patch, e.g., to enhance rrset-order
{} functionality (I don't know of a public one). Or use SRV records
instead if this is for an application you are developing.
Regards,
Mike
--
Michael Milligan
efix, then you may or may not be able to get it delegated
to you in DNS ala RFC 2317 depending on the competence or desire/will of
your co-lo provider to do it.
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
(listen-on,
query-source, transfer-source, notify-source, and friends.)
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
> and Michael Milligan replied:
>> And don't forget to set a group policy on all DCs to not update the A
>> records in the apex zone. Otherwise the DCs will complain in the Event
>> logs forever... this assumes the BIND servers are authoritative for
>> example
in the zone, which becomes problematic when there
are more than about 10 DCs. I had one customer with 100s of DCs, and
each one put in an NS record in the zone for itself... ugh. With a
little magic, dropped that back to a handful of DCs at big data centers.)
Regards,
Mike
--
Michael
also doesn't interfere much when you do DR failover tests as the
secondaries will be resilient to connectivity loss to the primary.
About the only thing you have to worry about is dynamic updates during
those times, but those are usually re-tried later (typically from DHCP
servers or Microsoft
"include:" lookups and associated records. A
Permanent Error will be returned if you exceed the 10 lookup limit.
See http://www.openspf.org/, there are tools, tips and tricks to help you.
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
_
Very curious...
That server (cpns01.secureserver.net) is claiming authority for the root
zone, so it's just plain a bad actor. Into my blackhole list it goes,
along with its friends...
$ dig @216.69.185.38 +norec any .
; <<>> DiG 9.6.0-P1 <<>> @216.69.185.38 +norec any .
; (1 server found)
;;
to keep away underscores, right? ;-)
(Don't answer that, unless you want to take the bait.)
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
Danny Mayer wrote:
> Michael Milligan wrote:
>> Just being more general. A URL is a HTTP URI... Google has plenty of
>> explanations.
>
> That's nonsense. A URL was never just an HTTP URI. It's one example of
> one but there have always been more than one type
want to override (like as the
target of an MX record), then the view from your perspective will look
different and may have unintended consequences. Just think it through
and test if you're not sure.
And don't forget about what you've done when it comes time to
troubleshoot a prob
ly in regards to underscores. Until they
change, we all are stuck with the mess.
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
nal server changes, you
have to track that and periodically update your name. Unless you take a
proxy approach.
Regards,
Mike
--
Michael Milligan -> mi...@acmeps.com
___
URI if you expect to
see the same expected results.
Regards,
Mike
PS: There are other maintenance problems with your approach too, but
you avoid those by just not even trying to do what you asked.
--
Michael Milligan -> mi...@acmeps.com
___
David Sparks wrote:
>
> There are plenty of ways to get a mail loop that don't involve DNS
> mis-configuration. As such pretty much every major MTA detects and stops mail
> loops.
Not if you (accidentally) fat-finger the MTA configuration. It is
completely possible to still mis-configure an MTA
You just don't get it. You are off wandering around in the weeds.
Read the tail end of Chapter 5 in the book "DNS and BIND" describing the
MX selection algorithm in layman's terms to (perhaps) understand why
having MX records referencing CNAMEs is bad.
It may work right now for you, but referenc
zone?
zone "example.fr" {
type slave;
masters { x.x.x.x; };
};
If you really are trying to get around a firewall, then this server is a
resolving server anyway (serving end systems) and thus you would need
recursion turned on...
Regards,
Mike
--
Michael Milligan
t these add hostnames which are queried for!
> These are all systematically returning queries. And these come from
> multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that may
> be doing this? Are these strange hostname queries part