Re: dnssec/obsolete dns keys removal - how to?

2025-06-20 Thread Nick Tait via bind-users
On 21/06/2025 05:16, Florian Piekert via bind-users wrote: Hello, wow, that did the trick. I didn't think of this at all. It -after all- appeared to be VERY obvious. I don't know why I overlooked this possibility. THANK YOU! Am 20.06.2025 um 19:03 schrieb Crist Clark: Do you have a .signed f

Re: QNAME minimisation question

2025-06-05 Thread Nick Tait via bind-users
root trust anchor)                  -b address[#port]   (bind to source address/port) etc... The rest I don't know, yet. Hope that helps, Greg Thanks Greg. On Wed, 4 Jun 2025 at 07:46, Nick Tait via bind-users wrote: I've done a bit more testing on this, and it seems like if you u

Re: QNAME minimisation question

2025-06-03 Thread Nick Tait via bind-users
";; WARNING: using internal name server mode: '@8.8.8.8' will be ignored" On 03/06/2025 22:36, Stacey Marshall wrote: On 3 Jun 2025, at 10:29, Nick Tait via bind-users wrote: But I also noticed that delv only makes A queries (not AAAA), and even if I specify "-6" on t

Re: QNAME minimisation question

2025-06-03 Thread Nick Tait via bind-users
On 03/06/2025 22:06, Petr Špaček wrote: I've created https://gitlab.isc.org/isc-projects/bind9/-/issues/5351 so we can improve logging. Your input on what sort of information is useful would be much appreciated. Thanks very much for that. I've added a comment. :-) -- Visit https://lists.isc.or

Re: QNAME minimisation question

2025-06-03 Thread Nick Tait via bind-users
On 02/06/2025 23:30, Petr Špaček wrote: In short, with an empty cache, BIND will exceed pre-configured limit on number of queries it can do. This is protection from various attacks which misuse DNS to attack itself. Thanks for the explanation! This particular recursive query doesn't seem espe

QNAME minimisation question

2025-06-02 Thread Nick Tait via bind-users
Hi list. I've been investigating a failure that I noticed in my DNS logs. I know the issue is related to QNAME minimisation, but rather than just turning it off (to make the problem go away), I'm trying understand whether BIND is doing exactly what it is expected to do? I can reproduce the i

Re: My Introduction and current issues -

2025-05-10 Thread Nick Tait via bind-users
Sorry let me try again. I missed your other questions... On 11/05/2025 17:17, Fred Morris wrote: BIND insists on addresses bound to interfaces (at least, that's my contention, based on experience yesterday, which may or may not reflect some reality which has been manufactured today). resolved

Re: My Introduction and current issues -

2025-05-10 Thread Nick Tait via bind-users
On 11/05/2025 17:17, Fred Morris wrote: BIND insists on addresses bound to interfaces (at least, that's my contention, based on experience yesterday, which may or may not reflect some reality which has been manufactured today). resolved uses a loopback address which is not bound to an interfac

Re: My Introduction and current issues -

2025-05-10 Thread Nick Tait via bind-users
On 11/05/2025 07:28, Fred Morris wrote: Stop! Squirrel wearing a systemd tshirt! Kill / maim / destroy / drive off systemd resolved. Then make sure that resolv.conf is not being hijacked. Now try again. Contrary to popular opinion -- on this list at least -- systemd-resolved is /not/ evil.

Re: Multiple views (more than 2)

2025-04-18 Thread Nick Tait via bind-users
On 19/04/2025 02:06, Marek Kozlowski wrote: view pub {     match-clients { any; }; Hi Marek. What you have created looks great, and looks like it will work fine. I have one minor suggestion though: For consistency with your other views, and to eliminate the possibility of accidentally transf

Re: Executive Order 14144 - encrypted DNS

2025-01-29 Thread Nick Tait via bind-users
Now I've also come across this draft from the IETF's Network WG, might be relevant? But it seems like it's been published in 2021 and is still a draft. Not sure how "standard" that is in IETF lingo, but it does seem interesting. https://www.ietf.org/archive/id/draft-dickson-dprive-adot-auth-06.html I

Re: localhost name lookup

2025-01-14 Thread Nick Tait via bind-users
On 15/01/2025 10:47, Emmanuel Fusté wrote: If so, does the ISC ship a db.local with a wildcard - eg. --- cut here --- @ IN NS localhost. @ IN A 127.0.0.1 @ IN AAAA ::1 * IN A 127.0.0.1 IN AAAA ::1 --- cut here

Re: localhost name lookup

2025-01-14 Thread Nick Tait via bind-users
On 15/01/2025 4:56 am, Lee wrote: Should bind answer when asked for an A record for random.name.localhost? If so, does the ISC ship a db.local with a wildcard - eg. --- cut here --- @ IN NS localhost. @ IN A 127.0.0.1 @ IN AAAA ::1 * IN

Re: RFC compliance: MUST v SHOULD or MAY

2025-01-14 Thread Nick Tait via bind-users
On 15/01/2025 6:09 am, Lee wrote: I don't have a whole lot of options there. The clients are a mixture of Windows and Apple products.. about all I can do (or at least all I know how to do) is use DHCP to give them a domain name and point them to a resolver. My understanding is: * Apple device

Re: RFC compliance: MUST v SHOULD or MAY

2025-01-12 Thread Nick Tait via bind-users
On 13/01/2025 12:44, Lee wrote: As long as I'm asking ignorant questions.. is there some reason why bind (at least as it came configured on my Debian machine) looks up .local names? I added this bit to named.conf to do what seemed reasonable. But again - it seems reasonable _to me_ I dunno if a

Re: Undelegating a Signed Subdomain

2024-12-10 Thread Nick Tait via bind-users
Just an idea, but what if you copy the current ZSK key files from the example.com zone and rename the files (i.e. add “bar” into the filenames) so it will be picked up by the bar.example.com zone? In theory that should populate bar.example.com with the correct RRSIG records prior to removing the

Re: forwarding non-domain queries

2024-12-09 Thread Nick Tait via bind-users
On 10/12/2024 12:25, Greg Choules via bind-users wrote: Actually you don't need it anyway, even if you are doing recursion, as Internet root hints have been built into BIND for many years. The only reason you would need a hint zone is to define custom roots for a private network that is *comple

Re: secondary dns server question :)

2024-11-18 Thread Nick Tait via bind-users
Hi Jeff. This is a good starting point for setting up primary and secondary servers: https://bind9.readthedocs.io/en/stable/chapter3.html#authoritative-name-servers Nick. > On 19 Nov 2024, at 7:44 AM, Marco Moock wrote: > Am Mon, 18 Nov 2024 19:03:55 +0100 > schrieb Jean-François Bachelet : >

Re: Strictly separate directories for admin-provided and named-generated files?

2024-11-15 Thread Nick Tait via bind-users
On 16/11/2024 04:47, Charles Eckman via bind-users wrote: I'm also down for other workarounds, if you have suggestions! Hi Charles. As a simple workaround, you can create the zone file in /var/lib, and then create a hard-link (using "ln") to the same file in /etc/bind. That way you can confi

Re: BIND RPZ is not blocking A record

2024-11-14 Thread Nick Tait via bind-users
IN SOA ns1.custom.block. ns1.custom.block. > ( 2006060301 21600 3600 604800 3600 ) > IN NS ns1.custom.block. > ns1.custom.block. IN A 172.1.254.243 > wg.custom.block. IN A 172.1.254.243 > app.hubspot.com CNAME . > >> On

Re: BIND RPZ is not blocking A record

2024-11-14 Thread Nick Tait via bind-users
On 14/11/2024 7:48 pm, Blason R wrote: And here is zone file $TTL 180 @ IN SOA ns1.custom.block. ns1.custom.block. ( 2006060301 21600 3600 604800 3600 ) IN NS ns1.custom.block. ns1.custom.block. IN A 172.1.xx.xx wg.custom.block. IN A 172

Re: different serial number in SOA on different interfaces

2024-11-05 Thread Nick Tait via bind-users
On 06/11/2024 03:16, Hans Mayer via bind-users wrote: I have 3 views: view badcountry: based on geoip ( the name is self-explanatory ) view internal: all local area networks but not the loopback interfaces for IPv4 and IPv6 it has only two response policy zones for drop and passthru , nothing

Re: different serial number in SOA on different interfaces

2024-11-03 Thread Nick Tait via bind-users
Hi Hans. Based on what you described, it sounds like DNS queries you issue to your server (using dig) are processed by one view for loopback addresses and a different view for eno1 addresses? If that is the case it would be interesting to see how the (same) zone is defined in those two views?

Re: DNSSEC with views and shared zone files

2024-10-18 Thread Nick Tait via bind-users
On 19/10/2024 05:50, Bowie Bailey via bind-users wrote: On 10/18/2024 12:07 PM, Bob Harold wrote: On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users wrote: I am finally getting around to setting up DNSSEC on my server (Bind 9.16).  I found some instructions online and was ab

Re: MDLZ user activation

2024-06-07 Thread Nick Tait via bind-users
On 07/06/2024 22:10, Marco Moock wrote: Am 07.06.2024 um 10:58:27 Uhr schrieb G.W. Haywood: On the face of your description, this sounds like a spammer who has slightly more skill than usual. The spammer simply used the name in From: after the Nick posted to the list) (Nick Tait via bind-user

Re: MDLZ user activation

2024-06-06 Thread Nick Tait via bind-users
e link), or the email below is bogus and they have exploited the list MTA to distribute spam? Can anyone shed any light on this? Happy to share all the mail headers if that helps? Thanks, Nick. On 07/06/2024 04:19, gustavojavi...@gmail.com wrote: Hi Nick Tait via bind-users, A new MDLZ a

Re: Problem with a certain domain

2024-06-04 Thread Nick Tait via bind-users
On 4/06/2024 12:44 am, Thomas Barth via bind-users wrote: unfortunately, today I had to restart bind9 for the third time in an attempt to send a newsletter to get rid the communication error, although with a query response of 1800 msecs. Is it possible to configure bind9 so that a public DNS se

Re: CIDR notation for RPZ rpz-ip ?

2024-05-17 Thread Nick Tait via bind-users
On 18/05/2024 09:11, J Doe wrote: Hello, When using RPZ with BIND 9.18.27 and rpz-ip, can any CIDR prefix be used or must they be either: /8, /16, /24, /32 for IPv4 ? For example, if I want to block records with an A address of 192.168.10.1, I know I can write:     32.1.10.168.192.rpz-ip  

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

2024-04-17 Thread Nick Tait via bind-users
On 17/04/2024 11:41, John Thurston wrote: I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . until it doesn't. Af

Re: opendnssec -> inline-signing

2024-03-07 Thread Nick Tait via bind-users
On 08/03/2024 12:54, Randy Bush wrote: but WHY NOT? same key sets with opendnssec and inline-signing, we think. The most obvious possibility is that this is referring to a different directory to where you put the keys that you wanted to use: key-directory "/usr/home/dns/dkeys" I couldn't

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users
On 02/03/2024 11:36, Greg Choules wrote: Please don't encourage using "search" in resolv.conf or the Windows equivalent. Search domains make queries take longer, impose unnecessary load on resolvers and make diagnosis of issues harder because, when users say "it doesn't work" you have no idea w

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users
On 02/03/2024 03:42, Mike Mitchell via bind-users wrote: Our networking team is in the habit of entering the IP address of every network interface on a router under one name. The very first address entry is their out-of-band management interface. "rrset-order fixed" is used on their domain fo

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-26 Thread Nick Tait via bind-users
On 27/02/2024 13:22, Michael Sinatra wrote: On 2/26/24 13:41, Al Whaley wrote: Originally (under the above command) RR records for DNSSEC were maintained by bind, but the ZSK and KSK keys were maintained by me.  This command is being discarded.  I understand that bind "sort of" supports this f

NOTIFY and TSIG

2024-01-08 Thread Nick Tait via bind-users
Hi list. I've been trying to understand whether it is necessary for the NOTIFY request (i.e. sent from primary to secondary server) to use TSIG, in the case where the secondary server specifies a key in its zone's "primaries" option? For example, assume the following set-up: The primary ser

Re: migration from auto-dnssec to dnssec-policy deletes keys immediately

2023-12-27 Thread Nick Tait via bind-users
> On 28 Dec 2023, at 1:05 PM, Adrian Zaugg > wrote: > > 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 > (KSK) > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 > (Z

Re: Zone file got updated via named process unexpected

2023-12-17 Thread Nick Tait via bind-users
On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote: I found this zone file got updated in about 15 minutes when I made changes or restarted named, and this behavior seems to match the docs bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm I DO NOT configure allow-updat

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 9:05 am, Nick Tait via bind-users wrote: I could be wrong, but based on the output above it looks like the current TTL is 0, which means that doing this should provide immediate relief. Sorry it looks like the DNS server on the Wi-Fi network I'm connected to has done some

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 1:53 am, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hi It seems the DNSSEC delegation is broken from “.gov” to bls.gov domain and due to which the records for bls.gov are considered as bogus and we are having issues at our site. It looks like we were in the process of KSK

mirror zone and hint zone?

2023-11-24 Thread Nick Tait via bind-users
Hi list. I've just implemented a mirror zone for ".", and I noticed that it works even though I haven't removed the hint zone (also for "."). What is the recommendation here? Is it OK to have both mirror and hint zones? Or should I remove the hint zone from my configuration, to avoid potenti

Re: Stub zones, but secondary?

2023-11-19 Thread Nick Tait via bind-users
On 20/11/2023 1:00 pm, Peter wrote: It's tricky. One problem is these are slave zones, they are authoritative and do not work well with DNSSEC. I'm curious... What issues did you have with these zones and DNSSEC? I would have expected that the signed zones should just work? Nick. -- Visit h

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-11-13 Thread Nick Tait via bind-users
On 03/10/2023 09:59, Eddie Rowe wrote: I appreciate the feedback.  I did make sure the ZSK is omnipresent and the issue still happens so it might be that my attempt to take the default policy and bring it down to 1 day to hurry along testing.  I will see if I can find any test policies in the l

Re: Question about URL being logged by resolver

2023-11-03 Thread Nick Tait via bind-users
Hi J. I'm not sure what the cause of the URLs is, but I can confirm I'm seeing the same URLs in my own logs. The queries originate from multiple devices on my internal network - all Apple devices I think. My advice: I wouldn't waste too much effort trying to solve this one, as it is almost c

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Tait via bind-users
Hi Nick. Your current set-up sounds like a fairly common configuration. And depending on your requirements there are a number of options that you might consider. But let's start with requirements: I've made some assumptions - please advise if I've got any of this wrong?: * You have two di

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
't stick around. I can only assume that the reason you have rumoured state is because you are trying to roll your ZSK too soon after the previous ZSK rollover? Have you checked the various timing settings in the KASP definition? Nick. On 30/09/23 11:32, Nick Tait via bind-users wrote: On 2

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
On 29/09/23 12:05, Eddie Rowe wrote: When I perform a ZSK key rollover the existing ZSK disappears *immediately* so not sure what I am missing when using the KASP to manage key rollover.  The state for the keys looks good and for this test I have TTL set to 1 hour..  But why does dig not show m

Re: KASP - How to manually rollover keys documentation?

2023-09-29 Thread Nick Tait via bind-users
On 28/09/23 10:02, Eddie Rowe wrote: I am using the nifty feature of the KASP in 9.16.23, but I cannot seem to locate documentation on how to manually rollover keys in case this is needed in the future. The documentation is excellent as far as discussing the steps involved for the manual or sem

Re: Should I set parental-agents to localhost?

2023-09-22 Thread Nick Tait via bind-users
Hi Björn. Not sure if my (late) reply is any use to you, but yes my understanding is that you could use localhost as the parental agent in the cases where (a) the local machine also hosts the parent zone, or (b) it is a recursive resolver. In the latter case the DNSSEC responses would be vali

Re: Zone Transfers Being Refused

2023-07-31 Thread Nick Tait via bind-users
Hi Dulux-Oz. It looks like the router between the primary and secondary DNS servers is performing NAT on the packets it is forwarding between those subnets? It would make your life much simpler if you can turn that off? I.e only NAT packets going out to the Internet/your ISP? Nick. Origina

RE: How to update zone with dnssec-policy

2023-07-03 Thread Nick Tait via bind-users
Hi Matthias. It looks like nobody solved your /original/ problem? If you are still looking for an answer it might help if you posted some logs? The people on this list are good at interpreting any errors you're seeing. :-) Nick. Original message From: Matthias Fechner Date: 2/07/

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-01 Thread Nick Tait via bind-users
On 2/06/23 15:02, Jesus Cea wrote: What I get from your reply is that BIND is not expected to do anything about this. It is a bit disappointing but I agree that BIND is doing the right thing. Too bad big players don't care. But I need to "solve" this, so dropping BIND (nooo!) or patching softwar

Re: Problem with subdomain delegation - NS RR ignored?

2023-05-10 Thread Nick Tait via bind-users
Hi TG. I just wanted to check: 1. Your "hub" zone contains the NS delegation for "fish.hub." to "ns1.fish.hub." with glue record "4.4.4.4". Is 4.4.4.4 the correct IP address of the server you are delegating to? 2. You haven't included the sub zone configuration (i.e. from 4.4.4.4) below

Re: help with notify

2023-04-17 Thread Nick Tait via bind-users
On 18/04/2023 2:16 am, Matt Zagrabelny via bind-users wrote: On Mon, Apr 17, 2023 at 9:04 AM Marco wrote: Am 17.04.2023 um 08:59:29 Uhr schrieb Matt Zagrabelny via bind-users: > I'm running a little older Debian bind: > > bind9               1:9.9.5.dfsg-9 The upgrade your

Re: Best practice MultiView

2023-04-17 Thread Nick Tait via bind-users
On 18/04/2023 2:43 am, Greg Choules via bind-users wrote: Why do you need it? Do you have some secondaries that are not listed as NS in zones? The goal was to have the primary use a particular TSIG key when it sends out the NOTIFY messages to the secondaries, which is achieved by turning off

Re: Best practice MultiView

2023-04-17 Thread Nick Tait via bind-users
On 18/04/2023 1:40 am, Jiaming Zhang wrote: However, I got a question on the syntax of also-notify, what I can see from bind9's user manual, the target of also-notify can be | | [ port ] | [ port ]|, does this means that I can use domain names of the server instead of IP? Both name

Re: Best practice MultiView

2023-04-17 Thread Nick Tait via bind-users
Hi Jiaming. You'll also need "match-clients" in the first view (at least), so that the correct view handles the zone transfer request. As well as specifying 'the right key' in match-clients, you'll probably also want to specify 'not the wrong key', otherwise you won't be able to query the vie

Re: Piggybacking on a zone’s dnssec-policy using auto-dnssec: How can one do this after Bind 9.19?

2023-04-17 Thread Nick Tait via bind-users
On 17/04/23 09:08, Andrej Podzimek via bind-users wrote: The easiest (?) way to make DNSSEC work in all views has been to keep a dnssec-policy for zones in *one* of the views (to generate and maintain keys) and then passively refer to the keys from the zones’ counterparts in other views using a

Re: RPZ zone response delay time ?

2023-04-12 Thread Nick Tait via bind-users
On 8/04/2023 4:27 am, Jason Vas Dias wrote: I have converted the excellent hosts file at https://someonewhocares.org/hosts/ to a Response Policy Zone (RPZ) file served by my local named that ends: *.google-analytics.com A 0.0.0.0 *.clarity.ms A 0.0.0.0 *.adtelligent.com A 0.0.0.0

Re: BIND operating in Parental Agent role (according to RFC 7344)?

2023-04-12 Thread Nick Tait via bind-users
On 12/04/2023 7:51 pm, Petr Špaček wrote: There is a philosophical question whether this is something a DNS server should do. You make a very good point. There are external tools which can automate zone scan, e.g. https://github.com/CZ-NIC/fred-cdnskey-scanner It hadn't occurred to me to lo

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Nick Tait via bind-users
On 13/04/2023 5:58 am, Havard Eidnes via bind-users wrote: I suspect you don't need the NS records in challenge.state.ak.us and if you remove them then the records in challenge.state.ak.us are simply part of the state.ak.us zone since they're served off of the same server. Unfortunately "not qui

BIND operating in Parental Agent role (according to RFC 7344)?

2023-04-11 Thread Nick Tait via bind-users
Hi list. I'm currently running a few DNSSEC zones in BIND using dnssec-policy option, albeit with an unlimited lifetime on the KSK, so that I can control KSK roll-overs (which is necessary because my Registrar doesn't support RFC 7344)... Anyway I know that BIND supports RFC 7344 via parenta

Re: KASP: sharing policy and keys between views

2023-03-17 Thread Nick Tait via bind-users
Hi Carsten. I've been running split views with a DNSSEC zone using dnssec-policy for at least a couple of years. I'm using a CSK (i.e. combined KSK+ZSK) and haven't yet worked out the best way to automate key rollover wrt DS in parent zone, so my key rollovers are manual currently. Consequently I'

Re: [KASP] Key rollover

2023-02-15 Thread Nick Tait via bind-users
On 14/02/23 05:39, adrien sipasseuth wrote: "You configure parental agents and named will check which DS’s are published.  Named won’t complete the roll until it knows the new DS is published." => what is parental agent ? i don't find this term in Bind documentation. From what I understand, you

Re: [KASP] Key rollover

2023-02-09 Thread Nick Tait via bind-users
On 9/02/23 05:17, adrien sipasseuth wrote: so it works BUT I need to know more than 48h in advance that the rollover is starting to submit the new KSK to my registrar. How can I set this up if it's not with "public-safety"? If it was me, I'd set the KSK to not roll-over automatically, and inste

Re: Resolve some hosts that are dnssec signed differently

2023-02-06 Thread Nick Tait via bind-users
cient. My idea was to hook into the DNS and make sure to not return the IPv4 address 195.30.95.36, but 192.168.0.1 (as all my devices at home are using my local bind here for lookup). I hope that explains better what I would like to solve. Matthias Am 07.02.2023 um 07:48 schrieb Nick Tait

Re: Resolve some hosts that are dnssec signed differently

2023-02-06 Thread Nick Tait via bind-users
Hi Matthias. It isn't clear whether the issue you're trying to solve is (a) avoiding DNS resolution going out then in to get to your authoritative servers, or (b) with resolved addresses of your servers being the public address which means that data packets sent to/from those servers are going

Re: Providing AD flag for authoritative domains

2022-12-24 Thread Nick Tait via bind-users
On 23/12/2022 2:30 am, Jesus Cea wrote: Is there any way to configure bind to verify DNSSEC integrity and signal the AD flag for authoritative domains? Views (it would lose the AA flag, then)? What would be the best practice for dnssec verification? To use a fully validating local resolver?

Re: parental-agents clause - IP address only ?

2022-12-04 Thread Nick Tait via bind-users
On 5/12/22 15:34, vom513 wrote: Hello all, So I set up parental-agents lists for my zones, and actually got to see it work (awesome !). bind detected the parent DS records and acted accordingly. However, I currently have these lists configured using the IP (v4 only at the moment) addresses o

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-28 Thread Nick Tait via bind-users
Hi Veronique. I'm not an expert, but to me the 9.16 behaviour is what I would expect to happen, based on: * When you issue the non-recursive query for "spectrum.cern.ch", it is answered from the "cern.ch" zone, which only knows the CNAME (returned in the ANSWER section) and the NS recor

Secondary zone is only using the first listed primary

2022-10-19 Thread Nick Tait via bind-users
Hi list. I have a BIND server that is acting as a secondary to replicate a zone from SpamHaus/Deteque, which is then used internally as a Response Policy Zone. This had been working fine for several years, but recently I noticed that BIND was reporting that the zone had expired. When I looked

Re: Sparklight and DNSSEC

2022-09-26 Thread Nick Tait via bind-users
On 27/09/2022 3:58 am, Benny Pedersen wrote: imho dnssec-validation auto; have a bug as it validates domains without DS set hope bind developers can confirm or deny it Hi Benny. Until DS records are published in the parent zone, the (signed) zone is considered 'insecure', and validation

RE: Dnssec issues

2022-09-22 Thread Nick Tait via bind-users
Hi Salma. While I haven't experienced your problem before, I do recall having 'issues' with DNSSEC when my router was acting as a caching DNS resolver. My suggestion is to check if you have an appliance 'helping' with DNS (e.g. between these servers and the Internet?) and if so try turning that fu

Re: Issue with dns resolution for www.ssa.gov

2022-09-03 Thread Nick Tait via bind-users
On 2/09/22 08:09, Bhangui, Sandeep - BLS CTR via bind-users wrote: # nslookup _www.ssa.gov_ ;; Got SERVFAIL reply from 127.0.0.1, trying next server Server: 198.6.1.1 Address:    198.6.1.1#53 Non-authoritative answer: Hi Sandeep. This looks like when you use ns

Re: Primary zone not fully maintained by BIND

2022-05-27 Thread Nick Tait via bind-users
On 26/05/22 20:34, Matthijs Mekking wrote: What version are you using? We had a bug with dnssec-policy and views (#2463), but that has been fixed. Since 9.16.18 you should not be able to set the same key-directory for the same zone in different views. Hi Matthijs. You got me worried just t

Re: why did it take 26 hours for DSState to change to omnipresent?

2022-05-16 Thread Nick Tait via bind-users
On 16/05/22 21:34, Matthijs Mekking wrote: Hi Nik, On 16-05-2022 07:49, Nick Tait via bind-users wrote: Hi there. Ever since I updated my BIND configuration to use the new dnssec-policy feature (a year or so ago) my KSK/CSK rollovers have been a complete shambles. My problems stem from the

Re: per record responses based on originating IP

2022-05-16 Thread Nick Tait via bind-users
On 16/05/22 20:05, Angus Clarke wrote: As mentioned in a separate reply to Grant, the goal is to have (amongst other things) local recursors "find" the locally deployed authoritative servers through NS records. What hasn't been mentioned is that I am also looking to simplify configuration manag

why did it take 26 hours for DSState to change to omnipresent?

2022-05-15 Thread Nick Tait via bind-users
Hi there. Ever since I updated my BIND configuration to use the new dnssec-policy feature (a year or so ago) my KSK/CSK rollovers have been a complete shambles. My problems stem from the inference (based on documentation and examples) that running "rndc dnssec -checkds published" tells BIND that

Re: per record responses based on originating IP

2022-05-13 Thread Nick Tait via bind-users
On 13/05/22 09:02, Grant Taylor via bind-users wrote: On 5/12/22 2:41 PM, Nick Tait via bind-users wrote: This sounds like exactly the sort of use case for Response Policy Zones: How are you going to have RPZ return different addresses for different clients?  Are you suggesting use different

Re: per record responses based on originating IP

2022-05-12 Thread Nick Tait via bind-users
On 13/05/2022 12:30 am, Angus Clarke wrote: Does bind have some simple way to respond differently based on source address but on a per record basis? Or perhaps include a baseline zone in a view and separately include differences for that view - something like this perhaps? Hi Angus. This sou

Re: Bind9 Server conflicts with docker0 interface

2022-05-06 Thread Nick Tait via bind-users
On 7/05/2022 1:38 am, Maurício Penteado via bind-users wrote: I added the A-record "ns1 IN A 172.17.0.1" to my zone-file as suggested and it seems that the order fixed the issue. Now my Bind9 clients are getting ip 192.168.0.10 favorably. Hi Mauricio. I don't think anyone suggested that y

Re: Bind9 Server conflicts with docker0 interface

2022-05-05 Thread Nick Tait via bind-users
On 6/05/2022 7:51 am, Grant Taylor via bind-users wrote: On my Bind9 server, I have the following zone-files: forward.example.lan.db: ns1 IN A 192.168.0.10 ns1 IN AAAA fe80::f21f:afff:fe5d:be90 I don't see the 2nd, Docker (?), address; 172.17.0.1, in the zone. S

Re: Bind and systemd-resolved

2022-05-02 Thread Nick Tait via bind-users
On 2/05/2022 8:13 pm, Reindl Harald wrote: you want 127.0.0.1 act as your resolver no matter what Well, not always... If your local BIND service isn't a recursive resolver irrelevant in context of this topic and worth exactly the same as saying "if you don't use bind at all" and honestly i

Re: Bind and systemd-resolved

2022-05-01 Thread Nick Tait via bind-users
On 1/05/2022 9:13 pm, Reindl Harald wrote: Am 01.05.22 um 06:38 schrieb Nick Tait via bind-users: I'm not 100% sure, but I wonder if disabling systemd-resolved may create issues if, for example, you are using netplan with systemd-networkd as the renderer? E.g. Will it still be possib

Confused by parental-source documentation

2022-04-30 Thread Nick Tait via bind-users
Hi list. I've been reading the latest BIND9 documentation on the new DNSSEC features, and section 4.2.28.1 got me horribly confused: "The following options apply to DS queries sent to parental-agents: parental-source: parental-source determines which local sourc

Re: Bind and systemd-resolved

2022-04-30 Thread Nick Tait via bind-users
Hi list. I'm not 100% sure, but I wonder if disabling systemd-resolved may create issues if, for example, you are using netplan with systemd-networkd as the renderer? E.g. Will it still be possible to pick up DNS servers from IPv6 router advertisements? A lower impact (and IMHO more future-p