FWIW,
I ran into this issue with www.elevationsbanking.com as well. The setup was
very similar, the record resolved to a CNAME which in turn resolved to another
CNAME. When the TTL expired on the CNAME the record would revert to NXDOMAIN.
It wasn’t until the TTL expired for the SOA that things
ins (michoski) wrote:
>> -Original Message-
>> From: Nicholas F Miller
>> Date: Thursday, June 5, 2014 at 10:25 AM
>> To: "bind-users@lists.isc.org"
>> Subject: SPF RR type
>>
>>> Are SPF RR types finally dead or not? I've read thr
) wrote:
> -Original Message-
> From: Nicholas F Miller
> Date: Thursday, June 5, 2014 at 10:25 AM
> To: "bind-users@lists.isc.org"
> Subject: SPF RR type
>
>> Are SPF RR types finally dead or not? I've read through rfc7208 it
>> appears that they are:
Are SPF RR types finally dead or not? I’ve read through rfc7208 it appears that
they are:
"SPF records MUST be published as a DNS TXT (type 16) Resource Record
(RR) [RFC1035] only. The character content of the record is encoded
as [US-ASCII]. Use of alternative DNS RR types was support
k if you have the latest 9.10
> version. I wasn't running 9.10-p1.
>
> Sent from my iPhone
>
>> On 28/05/2014, at 10:30, "Nicholas F Miller"
>> wrote:
>>
>> Not that they are related but we had a crash of bind about seven hours after
>>
Not that they are related but we had a crash of bind about seven hours after
installing 9.10:
named[20831]: name.c:534: REQUIREname) != ((void *)0)) && (((const
isc__magic_t *)(name))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 |
('n')) failed, back trace
Back to 9.9.5 for now.
You might try changing your update-policy from:
grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant * zonesub ANY;
to
grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant LAB.BRANDEIS.EDU zonesub ANY;
I’m not positive this is the proper syntax since we don’t use the zonesub
option
- fantomas wrote:
> On 10.09.13 08:15, Nicholas F Miller wrote:
>> I am at a loss. When doing digs using our name servers for 'ANY' records of
>> a domain we are getting TTLs of five seconds. The TTLs will be correct if
>> we query for the records individually jus
We have a winner! I disabled RPZ on a test DNS server and the problem went
away. We do not have a whitelist zone so the issue must be with RPZ zones in
general (or the format of the RPZ zone file).
_
Nicholas Miller, OIT, University of Color
wrote:
> Nicholas F Miller wrote:
>
>> The problem is the reply will ALWAYS be five seconds when doing an 'ANY'
>> query. It is not a matter of the TTL counting down.
>
> Is there a middlebox of some kind between you and the name server?
>
> Tony.
>
There aren't any options set to reduce the TTLs. When you dig using a public
DNS server the replies are correct. It is only when using our DNS servers.
_
Nicholas Miller, OIT, University of Colorado at Boulder
On Sep 10, 2013, at 10:04 A
I am at a loss. When doing digs using our name servers for 'ANY' records of a
domain we are getting TTLs of five seconds. The TTLs will be correct if we
query for the records individually just not when using 'ANY'. Ideas?
> dig google.com any
; <<>> DiG 9.8.3-P1 <<>> google.com any
;; global op
sing AD or Bind for DNS/DHCP? I'm assuming you're using AD for
>>> authentication.
>
>>> On Oct 19, 2012, at 10:46 AM, Nicholas F Miller
>>> wrote:
>>>> DDNS record scavenging is the only feature I'm aware of that MS DNS has
>>>> that
ETT
> Boston, MA 02215-3693
>
> www.berklee.edu
> 617.747.8656
> Twitter: @thomp318
>
> On Oct 19, 2012, at 10:46 AM, Nicholas F Miller
> wrote:
>
>> DDNS record scavenging is the only feature I'm aware of that MS DNS has that
>> Bind doesn't. On
DDNS record scavenging is the only feature I'm aware of that MS DNS has that
Bind doesn't. On the flip side, ISC Bind can ACL who can add certain record
types to a dynamic zone using GSS-TSIG as well as supports views and ACLs for
recursion. Everything else should be standard DNS.
You need to be running Bind 9.7.2-P2 or higher for GSS-TSIG to work.
Create a user account in your AD. Then run:
ktpass -out .keytab -princ DNS/@
-pass * -mapuser @
_
Nicholas Miller, OIT, University of Colorado at Boulder
On Dec 9, 201
Try:
grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY;
_
Nicholas Miller, ITS, University of Colorado at Boulder
On May 11, 2011, at 7:08 AM, Juergen Dietl wrote:
> Hello,
>
> and thanx for all your answers.
>
> I want to ask the question
I recently went through this and have it working. Look through the archives for
'GSS-TSIG and Active Directory'.
https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearch&restrict=&exclude=&method=and&format=short&sort=score&words=GSS-TSIG+and+Active+Directory
Things to check:
cannot deny '' and allow 'A'. Any time I set a
deny for '' it also blocks 'A' records.
Are these bugs or by design?
>
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Oct 5, 20
AAA' and allow 'A'. Any time I set a
deny for '' it also blocks 'A' records.
Are these bugs or by design?
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Oct 1, 2010, at 1:27 PM, Nic
YES Brilliant Thanks Rob.
I think it is working now. I have the update-policy setup as follows:
grant d...@realm wildcard * ANY;
grant d...@realm wildcard * ANY;
grant dns_serv...@realm wildcard * ANY;
deny REALM ms-self * SR
, University of Colorado at Boulder
On Oct 1, 2010, at 7:00 AM, Nicholas F Miller wrote:
> Thanks, I'll give it a try and see if things begin to work.
> _
> Nicholas Miller, ITS, University of Colorado at Boulder
>
>
>
.
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2010, at 4:00 PM, Rob Austein wrote:
> Sorry, I spent most of the last two weeks locked in a conference room
> and mostly off net, still catching up.
>
> At Mon, 27 Sep 2010 07:54:54 -0600
Thanks, I'll give it a try and see if things begin to work.
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2010, at 10:15 AM, Tony Finch wrote:
> On Thu, 30 Sep 2010, Nicholas F Miller wrote:
>
>
3:24 PM, Dave Knight wrote:
>
> On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:
>
>> Does anyone actually have GSS-TSIG working with an Active Directory? I see
>> plenty of posts from people trying to get it to work. I have yet to see
>> anyone who claims to
Does anyone actually have GSS-TSIG working with an Active Directory? I see
plenty of posts from people trying to get it to work. I have yet to see anyone
who claims to actually have it working. Did MS change something in 2008r2 since
GSS-TSIG was implemented in bind to make it inoperable?
__
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 27, 2010, at 10:23 AM, Nicholas F Miller wrote:
> A small correction:
>
> The packets captured below were between one of the DCs and the DNS server not
> a client.
>
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 27, 2010, at 7:54 AM, Nicholas F Miller wrote:
> Are you sure? ;-P
>
> I can't seem to get things working. It looks like the Windows machines are
> not happy with the TKEY the DCs are giving them. I can kinit a use
Sep 17, 2010, at 11:08 PM, Rob Austein wrote:
> At Fri, 17 Sep 2010 13:18:42 -0600, Nicholas F Miller wrote:
>>
>> Does anyone have instructions on how to setup a Linux bind server to
>> use GSS-TSIG against an AD? I have found many articles from people
>> having issues
rsity of Colorado at Boulder
On Sep 17, 2010, at 12:54 PM, Rob Austein wrote:
> At Fri, 17 Sep 2010 09:17:09 -0600, Nicholas F Miller wrote:
>>
>> I was wondering if it is possible to use the tkey-gssapi-credential
>> and update-policy on a Windows install of bind. It strik
I was wondering if it is possible to use the tkey-gssapi-credential and
update-policy on a Windows install of bind. It strikes me that running bind on
a Windows server, snapped into the AD it will serve DNS to, should be the
easiest way of getting DDNS with update-policy control working.
Am I n
Can you set more than one Active Directory to use tkey-gssapi-credential
and tkey-domain in bind?
ie.
Two keytabs:
DNS/foo.example.org at AD1.EXAMPLE.ORG
DNS/foo.example.org at AD2.EXAMPLE.ORG
-- named.conf
--
I take it this is not possible using update-policy?
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2009, at 11:29 AM, Nicholas F Miller wrote:
Is it possible to restrict user machines to only be able to update
Is it possible to restrict user machines to only be able to update
their 'A' records on a specific subnet? We would like to allow DDNS
but restrict it to specific subnets and only allow the machines to
update their 'A' records. Allow-updates will not get us the record
restrictions we would
All good suggestions. We have given them both some thought. I was just
wondering if there was a problem with the way we were doing things.
Nicholas Miller, ITS, University of Colorado at Boulder
On Jan 7, 2009, at 11:34 AM, Mike Eggleston
We have a few dynamic zones that are provisioned using Addhost. When
addhost adds records to the zone every night it will run "nsupdate <
update.file". The update.file will contain records like these:
prereq yxrrset machine.colorado.edu. in a
update delete machine.colorado.edu. in a
prereq
Barry & Jonathan,
Thanks for the quick replies. Your responses go along with my findings
as well. I am trying to clean up some of our configs. The DDNS zones
just didn't look right to me and I wanted to confirm what I was
thinking.
Jonathan, I tested things on a test DC by pointing it at
I have a couple of questions regarding how a Microsoft domain
controller updates a dynamic zone.
1) When a domain controller tries to update the zone does it try the
DNS servers it has listed in its network settings or does it follow
the SOA for the zone?
2) In the configs below does the
38 matches