Re: Multi-master (HA)

2014-05-07 Thread Peter Andreev
Well, we use two masters in different locations, w/o DLZ. Files for signed zones are being generated from databases and uploaded to servers. What we need here - is propagating of DDNS plus periodical synchronizing of zones, journals etc. Regarding zone templates - I'm using it with NSD4 and I'm to

Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Peter Andreev
2014-04-24 13:46 GMT+04:00 Carsten Strotmann : > Hello Jeronimo, > > "Jeronimo L. Cabral" writes: > >> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian, >> Windows 7, Red Hat and CentOS. >> >> If we implement DNSSEC validation support in our BIND9 server...how >> can I know if

Re: Bind vs flood

2014-02-28 Thread Peter Andreev
However, if you choose the second action, then your tech support should be ready. 2014-02-28 13:36 GMT+04:00 Peter Andreev : > Well, at first glance it looks like malicious activity, so the best action > is to call all users, suspected in sending such requests, and warn them. > The

Re: Bind vs flood

2014-02-28 Thread Peter Andreev
Well, at first glance it looks like malicious activity, so the best action is to call all users, suspected in sending such requests, and warn them. The fast and very (very-very-very) dirty solution is to set up zone 84822258.com on your resolver. This should suppress

Re: Bind vs flood

2014-02-26 Thread Peter Andreev
Hi Dmitry, If your problem is a lot of strange queries, then there are two ways: 1. You operate an open resolver. If you can - restrict it to a limited scope of clients, otherwise the only way you can lower number of incoming queries is DPI; 2. You operate a non-open resolver. Then you can find wh

Re: listen-to clusterIP address

2013-06-05 Thread Peter Andreev
2013/6/5 Phil Mayers > On 06/05/2013 07:37 PM, paul wrote: > >> Hi. I have a two node active passive cluster serving webpages. When a >> failover occurs, I have to restart named on the now active node because >> > > You don't have to restart it. "rndc reconfig" will re-check the IPs on the > mach

Re: reverse zone of type forward when /28 subnet

2012-12-29 Thread Peter Andreev
Actually, Mark's advice is much better. 2012/12/29 Dmitri Tarkhov : > Hi, > this finally works: > > view "reverse1" IN { > recursion yes; > > zone "z.y.x.in-addr.arpa" IN { type forward; forward only; > forwarders { A; B; }; }; > > > zone "localhost" IN { type maste

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
r now the best defence against cache poisoning is DNSSec and since we have signed all russian TLDs you could implement it. > > > Peter Andreev wrote: > >> 2012/12/27 Dmitri Tarkhov : >> >>> Hi, >>> thanks a lot for the information. >>> Contains

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
ody but zone owner. >But I don't want to indulge into such remote circumventions. > 4. That's possible to not bother about the issue but for now >I am not ready to fold hands. I just meant that fencing your resolver without really good reasons is a bad idea. If you do it "

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
ne to work. > May be some other unknown by me approach exists. > Again, there is no problem with reverse resolving in general but > I cannot achieve this directly at my dns, that is to receive a response > from it no matter wherever it forwards the request or from where it > gets the P

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
Please correct me if I'm wrong: you'd like to edit PTR records for your part of the /24 zone? If so, what does your ISP say about RFC 2317? 2012/12/27 Dmitri Tarkhov : > Hi, > I've searched the list archives and Google and don't see anything > to answer my question subj. > we have let's say x.y.z.240/28

Re: Strange issue with signed zone

2012-11-09 Thread Peter Andreev
2012/11/9 Peter Andreev : > 2012/11/9 Tony Finch : >> Peter Andreev wrote: >>> >>> We signed another zone and met the same problem again. The only >>> difference is algorithm - now it is RSASHA256. >>> >>> > We have ~30 servers running BIND

Re: Strange issue with signed zone

2012-11-09 Thread Peter Andreev
2012/11/9 Tony Finch : > Peter Andreev wrote: >> >> We signed another zone and met the same problem again. The only >> difference is algorithm - now it is RSASHA256. >> >> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we >> > signed f

Re: Strange issue with signed zone

2012-11-08 Thread Peter Andreev
Hi everybody! We signed another zone and met the same problem again. The only difference is algorithm - now it is RSASHA256. > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. > Recently we realised that our servers don't

Re: Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-11-01 Thread Peter Andreev
2012/11/1 Chris Thompson : > On Oct 29 2012, Feng He wrote: > >> On 2012-10-29 9:58, kavin wrote: >>> >>> Now,I want transfer the zone data from the master dns server to slave >>> dns server ,the master dns use bind-dlz+mysql and the slave dns server >>> use bind+file. >> >> >> AFAIK, BIND DLZ doesn't s

Re: TTL for name servers

2012-06-06 Thread Peter Andreev
2012/6/6 Mark Andrews > > In message c...@mail.gmail.com> > , Alexander Gurvitz writes: > > Hi. > > > > TTL returned by YOUR zone authoritative server will (at least should) be > > preferred by caches. > > > > Matt Larson from verisign explained on these: > > > > http://www.merit.edu/mail.archiv

Re: TTL for name servers

2012-06-05 Thread Peter Andreev
Just to clarify, let's assume that you maintain zone example.be. Let's also say that in .be zone TTL for your NS'es is 86400 and TTL for NS'es in your zone is 345600. In such scenario the latter will be cached by resolver because it is the authoritative data. For some resolver implementations this

Re: Can I build a new DNS/BIND system parallel to our existing DNS production system?

2012-05-03 Thread Peter Andreev
Hello, Samad, Another way to estimate your query rate is using system's udp counters. Not as precise as query logging, but doesn't cause performance drop in case of high query rates and accurate enough for estimation. 2012/5/4 Samad Agha > Thanks Daniel, I really appreciate your help. > > SA > >

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
2012/4/19 Ellad G. Yatsko > Nope. FreeBSD is not the master for sokol.msk.united-networks.ru. It > delegates zone sokol.msk only. > Not more.Master for sokol.msk.united-networks.ru is > srvgate.sokol.msk.united-networks.ru (Ubuntu > server). > > Indeed, now when I try nslookup sokol.msk.united-n

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
2012/4/19 Ellad G. Yatsko > Hello! > Here is output: > /etc/namedb> dig @172.16.0.1 sokol.msk.united-networks.ru. NS +norec > > ; <<>> DiG 9.4.3-P2 <<>> @172.16.0.1 sokol.msk.united-networks.ru. NS > +norec > ; (1 server found) > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- op

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
Hi, First of all, nslookup isn't a good tool for debugging DNS problems. Use dig instead. Could you show the output of "dig @freebsdbox sokol.msk.united-networks.ru. NS +norec" run from freebsd box itself? 2012/4/19 Ellad G. Yatsko > > Hello! >> >>I have FreeBSD 7.2 x64 installed. And Bin

Re: slave not updating or creating ofd zone files

2012-03-28 Thread Peter Andreev
2012/3/29 Peter Andreev > > > 2012/3/29 RYAN M. vAN GINNEKEN > >> Hello all i have what is to me a very strange bind 9 master slave >> transfer issue. >> >> When i update a zone file on the master the file updates correctly the >> notifies are sent and

Re: slave not updating or creating ofd zone files

2012-03-28 Thread Peter Andreev
2012/3/29 RYAN M. vAN GINNEKEN > Hello all i have what is to me a very strange bind 9 master slave transfer > issue. > > When i update a zone file on the master the file updates correctly the > notifies are sent and every thing seems to work perfectly except it > transfers 0 bytes to the slave.

Re: reverse dns for IPV6 ranges

2012-03-20 Thread Peter Andreev
2012/3/20 michoski > On 3/19/12 11:58 AM, "Peter Andreev" wrote: > > 2012/3/19 hugo hugoo > >> Jay, > >> > >> - Can you give me an example of such configuration? > >> > >> As anyone else some examples of IPV6 reverse configu

Re: reverse dns for IPV6 ranges

2012-03-19 Thread Peter Andreev
2012/3/19 hugo hugoo > Jay, > > - Can you give me an example of such configuration? > > > > As anyone else some examples of IPV6 reverse configuration used in > production environment? > > Thanks for sharing your experience... > > Hugo, > We use IPv6 in production environment. It was a real hea

Re: "rndc reconfig" vs. "rndc reload"

2012-03-16 Thread Peter Andreev
2012/3/16 Mark Pettit > I've read carefully through the BIND ARM and am still not sure of the > answer to this, so I figured I'd ask on here. > > "rndc reconfig" causes BIND to re-load its config file, but unlike "rndc > reload", BIND will not scan the zone files it's mastering to see if there >

Re: Anycast DNS

2012-02-29 Thread Peter Andreev
2012/3/1 Beavis > Just want to piggy back on this topic is there any documentation > available online that shows a deployment guideline for Anycast? > > -beavis > What about RFC 4786? > On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari wrote: > > > > On Feb 29, 2012, at 11:00 AM, Todd Snyder wr

Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread Peter Andreev
2012/2/9 John Hascall > > > Questions: > > (1) It looks to me like if the ghost name is in our >DNS RPZ zone, then that 'fixes' the problem for >that name. Is this correct? > Ghost domain could be redelegated to a new owner and become absolutely legal. > > (2) It also looks like resta

Re: Detailed Log Analysis based on rndc stats!!

2012-01-30 Thread Peter Andreev
Sorry, Shiva I have confused you. Mark is absolutely right and I was wrong. Another way is to capture responses with tcpdump or dnscap. 2012/1/30 Mark Andrews > > In message < > canbtt6nxwb4fqygev4x8_jl+m5ho7wfenirxzg3pgvc-kzc...@mail.gmail.com> > , Shiva Raman writes: > > Hi Peter > > > > Thank

Re: Detailed Log Analysis based on rndc stats!!

2012-01-17 Thread Peter Andreev
2012/1/17 Shiva Raman > Hi All > > i am running Bind version 9.8.1 as an Authoritative Name server. From > the rndc.stats , i observe that there are some query failures happening > in the server. I am trying to get a detailed information of this query > failures, but the current logging option

Re: Defense against a client?

2012-01-16 Thread Peter Andreev
2012/1/16 Tom Schmitt > Hi, > > I have a problem with the load on my Bind. Normally it's fine, but from > time to time there are clients which causes through a misconfiguration or a > failed local service (not intentionally) a very high amount of queries. > After finding and informing the respons

Re: which NS record will be cached?

2012-01-12 Thread Peter Andreev
2012/1/12 MontyRee > > Hi, all. > > > I have one question about NS cache ttl. > for example, I can get two different NS TTL like below. > > $ dig google.com ns +trace > > google.com. 172800 IN NS ns2.google.com. > google.com. 172800 IN NS ns1.google.

Re: Is bind support conditionally resolution?

2012-01-10 Thread Peter Andreev
2012/1/10 Drunkard Zhang > I am designing a big deploy system, which will implement via DNS. The > demond is misc, one of them is conditionally resolve, which means that > if one CDN node near unavailable, or latency increased significantly, > no matter why, I want bind to give another second bes

Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/4 Mark Andrews : > > If you want named to be authoritative only set "recursion no;" or > "allow-recursion { none; }" or "allow-query-cache { none; };" and > no data will be returned from the cache.  allow-recursion and > allow-query-cache cross inherit from each other. > > If you only want m

Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/3 Chuck Swiger : > On Jan 3, 2012, at 11:13 AM, Peter Andreev wrote: >> Unfortunately as I learning BIND more, I understand that it is not >> very suitable for my requirements. > > Which are?  I've been trying to understand what the actual problem you are > t

Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/3 Lyle Giese : > On 01/03/12 07:53, Peter Andreev wrote: >> >> 2012/1/2 Matus UHLAR - fantomas: >>>>>>> >>>>>>> On 21.12.11 19:21, Peter Andreev wrote: >>>>>> >>>>>> >>>>>> I thi

Re: About root zones

2012-01-03 Thread Peter Andreev
>>> them, >>> you can only prevent it by configuring BIND (so it will not need them) or >>> firewall such packets so they will not get outside (which may break its >>> functionality). > > > On 03.01.12 16:53, Peter Andreev wrote: >> >> My p

Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/2 Matus UHLAR - fantomas : >>>>> On 21.12.11 19:21, Peter Andreev wrote: >>>> >>>> I think that if server is authoritative - and - slave-only it should >>>> use system resolver rather than querying by itself. > > >> 2012/1/2 Mat

Re: About root zones

2012-01-02 Thread Peter Andreev
2012/1/2 Matus UHLAR - fantomas : >>> On 21.12.11 19:21, Peter Andreev wrote: >>>> >>>> All these servers are slaves. They don't send notifies. > > >> 2011/12/21 Matus UHLAR - fantomas : >>> >>> they do, unless you have turned it

Re: About root zones

2011-12-21 Thread Peter Andreev
David, thank you, I checked and all seems good :). 2011/12/21 Matus UHLAR - fantomas : >> 2011/12/21 Matus UHLAR - fantomas : >>> >>> Disabling recursion should do the same afaik. However, disabling >>> >>> additional-from-cache is OK and afaik disabled

Re: About root zones

2011-12-21 Thread Peter Andreev
2011/12/21 Matus UHLAR - fantomas : >>>>> On 20.12.11 17:37, Peter Andreev wrote: >>>>>> >>>>>> Whether it means that without hint zone named still can perform >>>>>> iterative lookups for its internal purposes? > &

Re: About root zones

2011-12-21 Thread Peter Andreev
2011/12/21 Matus UHLAR - fantomas : >>>> 2011/12/20 Mark Andrews : >>>>> >>>>>        Named has a compiled in set of root hints.  It is used if >>>>>        a root zone is not defined in named.conf. > > >>> On 20.12.11 17:37

Re: About root zones

2011-12-21 Thread Peter Andreev
2011/12/20 Matus UHLAR - fantomas : >> 2011/12/20 Mark Andrews : >>> >>>        Named has a compiled in set of root hints.  It is used if >>>        a root zone is not defined in named.conf. > > > On 20.12.11 17:37, Peter Andreev wrote: >> >> W

Re: About root zones

2011-12-20 Thread Peter Andreev
2011/12/20 Mark Andrews : > >        Named has a compiled in set of root hints.  It is used if >        a root zone is not defined in named.conf. > >        Mark Whether it means that without hint zone named still can perform iterative lookups for its internal purposes? > > -- > Mark Andrews, ISC

Strange issue with signed zone

2011-10-26 Thread Peter Andreev
Hello! We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we have signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. Recently we realised that our servers don't generate NSEC3 for signed zone. Problem has gone after we restarted BIND instances. Is described behaviour normal for

Re: updating Bind made it slower

2011-09-27 Thread Peter Andreev
2011/9/27 Tom Schmitt : > > >> It is not clear in your question, are you use "rndc reload" or "rndc >> reload zone.name"? Latter will be faster in case if you change one or >> few zones in one pass of your updating-script. > > I generate from my database the complete named.conf, especially includin

Re: updating Bind made it slower

2011-09-27 Thread Peter Andreev
2011/9/27 Tom Schmitt : > >> > I just updated a couple of my DNS-servers from the rather old version >> > 9.4.1 to a newer version 9.8.0-P4. >> > >> > After this I have problem with outages. Looking into it, I found that >> > the time for a "rndc reload" has nearly doubled! >> >> This has been poin

Re: DNSSEC and MS AD

2011-08-10 Thread Peter Andreev
2011/8/9 Chris Buxton : > On Aug 9, 2011, at 10:07 AM, John Williams wrote: > >> --- On Tue, 8/9/11, Chris Buxton wrote: >> >>> With a private version of a domain, you should not need to >>> worry about a DS record in the parent. Just make sure your >>> internal caching servers not only can find t

Re: Forward only zones.

2011-07-26 Thread Peter Andreev
2011/7/25 Vbvbrj : > On 25.07.2011 10:15, Matus UHLAR - fantomas wrote: This is how BIND is supposed to work. If you _need_ such setup, why don't you setup your AD servers as recursive point clients directly to them? you can theoretically configure maximum cache time in BIN

Re: link-local glue AAAA

2011-06-05 Thread Peter Andreev
Thank you, Matus, that's all i wanted to know. 2011/6/5 Matus UHLAR - fantomas : > On 05.06.11 17:07, Peter Andreev wrote: >> I'm puzzled a little - i see in my zone glue records with >> link-local addresses. I think it is not good, but no rfc mentions >> abo

link-local glue AAAA

2011-06-05 Thread Peter Andreev
Hi I'm puzzled a little - I see in my zone glue records with link-local addresses. I think it is not good, but no RFC mentions link-local in glue. Could someone tell me best practices for link-local in glue? Thanks in advance. -- -- AP ___

Re: Bind 9.8 with dlz and dnssec

2011-03-10 Thread Peter Andreev
2011/3/10 Evan Hunt > > > Now DLZ supports dynamic updates and theoretically it is possible to make > > such tricks: > > > > rndc freeze example.com > > put some new records in database > > rndc thaw example.com > > rndc sign example.com > > rndc freeze example.com > > > > That is zone isn't reall

Bind 9.8 with dlz and dnssec

2011-03-10 Thread Peter Andreev
Hello, List Now DLZ supports dynamic updates and theoretically it is possible to make such tricks: rndc freeze example.com put some new records in database rndc thaw example.com rndc sign example.com rndc freeze example.com That is zone isn't really dynamic, but it is dynamically loadable and si

Re: rndc addzone and file name

2011-01-14 Thread Peter Andreev
Now I see, I really was mistaken about addzone. Kalman, Alan, thank you very much for explanation. I think, I won't break working things and continue with includes and scripts :) 2011/1/14 Alan Clegg : > >> You haven't understood. I have several includes within one default >> view and I need to ad

Re: rndc addzone and file name

2011-01-14 Thread Peter Andreev
2011/1/14 Kalman Feher : > > > > On 14/01/11 9:57 AM, "Peter Andreev" wrote: > >> 2011/1/13 Alan Clegg : >>> On 1/13/2011 11:08 AM, Peter Andreev wrote: >>> >>>> I've executed >>>> rndc addzone test.test '{ type

Re: rndc addzone and file name

2011-01-14 Thread Peter Andreev
2011/1/13 Alan Clegg : > On 1/13/2011 11:08 AM, Peter Andreev wrote: > >> I've executed >> rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; };' >> >> and have got the file /etc/namedb/3bf305731dd26307.nzf: >>

Re: rndc addzone and file name

2011-01-13 Thread Peter Andreev
I see that my first post wasn't clear, please, excuse me. I'll try to explain the situation. I have: named.conf: ... include "includes/file1"; include "includes/file2"; etc ... eof I've executed rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; };' and have got the file /

rndc addzone and file name

2011-01-13 Thread Peter Andreev
Hello, All! I have several includes which are edited via hand-written script and now I'm trying to simplify it by using add/delzone options of rndc. So, the question is: how can I specify files where rndc addzone puts new zones' descriptions? Thanks in advance. -- -- AP

Re: Split view - differing SOA serial number

2010-07-08 Thread Peter Andreev
2010/7/8 John Horne > [..] > Both views use the same zone file (which currently contains 3330257 as > the serial number), and the zone is configured to use a single master. > If I use rndc to reload the zone in both views, then nothing changes. If > I stop and restart the whole named service, the

Re: FW: BIND 9 errors

2010-06-30 Thread Peter Andreev
2010/7/1 Y z > > (bind version 9.7.0-P1) > > A DNS slave server has two IPs: an internal RFC1918 number to talk to > the internal net, and an external one to talk to the rest of the world. > > If I *don't* put the external IP in a master: > > zone "example.com" { > type slave; > file "example"; >

Re: Using bind to provide a dns redirector

2010-03-05 Thread Peter Andreev
Have you tried to add to your "." zone something like this: microsoft.com NS ns1.msft.net NS ns3.msft.net NS ns5.msft.net etc? Just an assumption - RFC 4592 describes processing of asterisk as "any non-existent in parti

Re: Modifying a response

2010-02-24 Thread Peter Andreev
2010/2/24 Alan Clegg > Peter Andreev wrote: > > > > For example: if user asks for non-existent domain, caching server > > > replies with some address and no-error rcode. > > > > _Extremely_ bad idea. > > > > > > Yes, I know, b

Re: Modifying a response

2010-02-24 Thread Peter Andreev
2010/2/24 Stephane Bortzmeyer > On Wed, Feb 24, 2010 at 01:28:09PM +0300, > Peter Andreev wrote > a message of 31 lines which said: > > > Is it possible to modify responses on caching server side? > > Not with BIND (short of modifying the source code). Other name ser

Modifying a response

2010-02-24 Thread Peter Andreev
Hello, everybody. Is it possible to modify responses on caching server side? For example: if user asks for non-existent domain, caching server replies with some address and no-error rcode. ___ bind-users mailing list bind-users@lists.isc.org https://lis

Re: Delegation question!

2010-01-25 Thread Peter Andreev
> Regards, > > Alans > > > > *From:* bind-users-bounces+batpower83=yahoo.co...@lists.isc.org [mailto: > bind-users-bounces+batpower83 = > yahoo.co...@lists.isc.org] *On Behalf Of *Peter Andreev > *Sent:* Monday, January 25, 2010 12:15 PM > *To:* BIND Users Mailing List

Re: Delegation question!

2010-01-25 Thread Peter Andreev
Have you requested delegation? 2010/1/25 Alans > Hello, > > When I check our dns ip from external server for ptr records it shows > nothing but > 93.in-addr.arpa.6562IN SOA ns-pri.ripe.net. > dns-help.ripe.net. 2010012534 3600 7200 1209600 7200 > We bought 93.x.x.0/x from RI

Re: master server selection / notify

2010-01-20 Thread Peter Andreev
When I tested the multiple masters configuration, I noticed, that slave chooses master which sends notifies. I used bind-9.4.3-p2. 2010/1/20 Matus UHLAR - fantomas > Hello, > > I wasn't able to find answer, if this is documented anywhere, please point > me there. I like reading docs ;-) > > when

Re: Disable Refused answer

2009-12-03 Thread Peter Andreev
Do you want to disable refused answers for recursion and allow any answers for authoritative information at the same time? 2009/12/3 Dmitry Rybin > Give me parabellum :) > > This is not an answer. I want to disable Refused answers for not allowed > client in recursion. > > P

Re: Disable Refused answer

2009-12-03 Thread Peter Andreev
Search in arm by keyword "blackhole" will save father of russian democracy :-) 2009/12/3 Dmitry Rybin > Barry Margolin wrote: > >> In article , >> Dmitry Rybin wrote: >> >> Hello! >>> >>> I can't find in docs how disable answer (Refused), if recursion for IP is >>> not allowed? >>> >> >> What

Re: about alt-transfer-source

2009-07-09 Thread Peter Andreev
-address. 2009/7/9 Stacey Jonathan Marshall > On 09/07/2009 10:22, Peter Andreev wrote: > >> Can somebody explain how many retries must pass, before IP-address from >

about alt-transfer-source

2009-07-09 Thread Peter Andreev
Can somebody explain how many retries must pass, before IP-address from alt-transfer-source option will be used? Thank you. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: queries with no RD bit set are truncating

2009-06-16 Thread Peter Andreev
Kevin, this server is totally non-recursive. Neither recurse option is enabled and packet size does not exceed 512 bytes. Maybe it was some temporary bugs due to mysterious causes. Below I post full sniffer's output for both queries: No. Time Source Destination

Re: queries with no RD bit set are truncating

2009-06-15 Thread Peter Andreev
Because there is nothing in server's logs. While client sees following: (query with no RD bit) - Flags: Query, Opcode - QUERY (Standard query), Rcode - Success QR:(0...) Query Opcode:(....) QUERY (Standard query) 0 AA:

Re: queries with no RD bit set are truncating

2009-06-11 Thread Peter Andreev
Thank you for answer, Kevin. Yes, recursion completely *off* by "recursion no;" option. And only my servers are authoritative for client's zone. So I'm in confusion, because as you said, for servers should not have a difference between RD=0 and RD=1. I'm afraid that there are reasons for such str

queries with no RD bit set are truncating

2009-06-10 Thread Peter Andreev
Good day I have met a trouble with non-recursive BIND 9.3.3, running on FreeBSD 6.2-R. Sometimes if one of our clients sends query with no RD bit set, he receives a truncated answer. If RD bit is set then all well. Where I should look to localise a problem? Thank you. ___