ur zone off-line and upload it to bind, did
you remember to change SOA and reload master?
Regards,
Torinthiel
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users
ng
dnssec-signzone, or is it possible only with careful manual inclusion?
Regards,
Torinthiel
On 09/01/11 17:56, Tom Schmitt wrote:
>
> I found the cause of my problem (and a solution):
>
> dig +trace actually has another behaviour than doing the trace manually step
> by step with dig.
>
>
> For a trace, dig is asking for the NS-records, then for the IP-address of the
> nameserver fou
t; 1 million views sounds to me like a recipe for disaster. The time to run
> through all of the match-clients statements would probably be excessive,
> and the memory requirements would likely be huge.
And one question remains: Why would anyone need such a setup.
Torinthiel
he paths are different, and that's why it
fails. Also, does 'very liberal' mean a+rwX, or something else? Bind
might be trying to write as a user you are not expecting.
Regards,
Torinthiel
itative server cannot cache answer from itself. Cache is for
answers a server has received from somewhere, while authoritative
answers come directly from zone data.
Torinthiel
false-positives.
d) you can't have normal master-slave setup, which leads to zone
maintenance problems.
Regards,
Torinthiel
> Date: Thu, 14 Jul 2011 17:42:56 +0800
> Subject: Re: master slave different site different resolution
> From: short...@gmail.com
> To: d_gabr
to be configured correctly (But I haven't dug any
deeper).
Note, I've not tested it deeply, so it might be wrong.
Regards,
Torinthiel
remains is *mailserver's* side to query for
said SPF records and act accordingly. And this does not belong to ISC,
but to your mailserver's provider. Postfix can do this by external
plugins, some others probably as well but I haven't tested it.
Regards,
Torinthiel
On Mon, Jul 11, 2011
not available
>
> ;; QUESTION SECTION:
> ;www.mydots.net. IN A
>
> ;; ANSWER SECTION:
> www.mydots.net. 900 IN A 61.144.56.101
>
> ;; AUTHORITY SECTION:
> mydots.net. 3600 IN NS ns7.dnsbed.com.
> mydots.net. 3600 IN NS ns8.dnsbed.com.
And this one ha
it. Probably the best method would be to try it out.
Torinthiel
reating some VPN tunnel. It's not however too bad,
unless you're either using TSIG and have locally configured keys, or
trying to debug some specific DNS problem. Answers go out and are
returned, that's most of what's expected from DNS.
Torinthiel
>
> 1) ns1.google.com i
en worms
disguising themselves as same name only different folder, or as "named
.exe" with space appended to base name. Looks great if you have hidden
extensions, as it seems you have two files with name "named".
Torinthiel
is makes your zone unvalidatable to anyone
that doesn't trust that island. Now, if you have a DLV record, then
anyone trusting it can also validate your zone. If, OTOH, one trusts
parent, then why should he bother checking DLV?
Having a signed parent won't stop anyone from looking at DLV (si
On 05/02/11 14:20, Jeff Pang wrote:
> 2011/5/2 Jeff Pang :
>> 2011/5/2 Torinthiel :
>>
>>> Authority named never sends queries on its own, only responds to
>>> submitted queries.
>> Doesn't it execute iterative query from the root server?
>>
n, only responds to
submitted queries. So it will work correctly, although you won't be able
to resolve anything from that box.
Torinthiel
nsfering correctly, at least nothing you've written says otherwise),
but you don't have these in reverse zones.
Torinthiel
>
> master 192.168.1.2
>
> //
> // mydomain.com
>
> zone "mydomain.com" {
> type maste
dnssec-keygen inserts space for
readability purposes only. If you still have original *.key and
*.private files, you can check it yourself, that the Key field in
*private contains exactly the same as *.key, minus the space.
Torinthiel
(this implies that first you
trust DLV's key) it behaves just as if it got example.com's DS record
from .com. You still have to maintain key, but only one.
3) RFC 5011 specifies how keys can authenticate themselves, thus
simplifying KSK rollover.
Torinthiel
ta using the same presentation encoding as domain
>> names.
>>
>
>
> Thanks mark.
> But I meant what text string is permitted or not permitted in a TXT record.
There are no specific constraints on TXT record. It's free form text, so
you can specify 'bla
use the
IP
>address of the new DNS. Effectively the old DNS becomes an alias of the new
>DNS.
Possible problem: glue records. With internal NS and no access to registrar
you have no way to update glue records, so domain will still be delegated to
old servers.
Regards,
Torinthiel
D FRAGMENT
of course stage and foo can have different IP addresses, and you
probably want to add MX and other records as well.
Torinthiel
BIND as
>configured in my named.conf. However, if I try to add a forward
It might be, but it also might be because you have no IPv6 connectivity.
Regards,
Torinthiel
s one here doesn't seem to add anything , and
it does seem strange.
You specify here, that clients from your local IP subnet, that ask for names
in your local IP subnet can ask recursive queries, and have some pretty
standard zones.
My guess would be that it won't require re
network: host mydns.example.com =
>10.140.27.10
The only way would be to create 3 different zone files, with those addresses,
and 3 different views on this server, each having a different zone file and
configured for different networks
I don't have bind ARM on-hand, bu
o change the default query type for any of the tools.
Torinthiel
? How you test if resolution works?
Having bind run multiple zones is absolutely normal, and there are no
reasons to require more than one IP address with that.
Torinthiel
>
> root:/var/named# cat named.conf
> options {
> listen-on-v6 { none; };
> listen-on { 192.16
not have IPv6 connectivity from the DNS server to
> {C,I,B,L}.root-servers.net.
And is it possible to make BIND stop trying to use IPv6 at all? I'm in a
similar situation, I know I have connection issues and I simply want
bind to either not use IPv6 or at least prefer IPv4.
li
On 03/31/11 04:54, Mike Diggins wrote:
> The A records for the two nameservers exist in the sub.Domain.CA zone
> file. I can fix the error by adding the two nameserver A records to the
> Domain.CA zone file but I'm wondering why this is an error with 9.7, and
> not 9.2.1, and is this the correct wa
On 03/27/11 20:45, fakessh @ wrote:
> That would be the key with id 47103 in your case. The one that has SEP
> flag, the one that only signs DNSKEY records and not others.
> Regards,
> Torinthiel
> http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html
>
> Th
tency dnssec
debuguers response and writing conseil for new areas zone)
Torinthiel
On 03/27/11 09:07, Mark Andrews wrote:
> Could you please send it to bind9-bugs. That way it will be tracked.
Thanks for the pointer, did that.
Torinthiel
s
minimum/negative TTL is usually much lower than SOA's TTL.
Using bind version 9.7.2-P3.
Torinthiel
0 modified
Guessing by this, I'd do ls -ld /dev /dev/{log,null,random,urandom,zero}
Torinthiel
have missing RRSIGS from some
nameservers.
Either convince admins to deploy DNSSec or drop those nameservers.
Then it should work.
Torinthiel
do after you create zone.
> and what is this other publication of another DS
I have no idea what do you mean by this sentence.
Torinthiel
>
>
> On Monday, 21 March 2011 at 08:25 +1100, Mark Andrews wrote:
>> In message <1300650238.6651.15.camel@localhost.localdomain>, "
d also need notify no
at ns1 (so it won't send notifies at all), and notify-to-soa yes at ns0
(so it will send notify to ns1).
Oh, and I really hope ns0.mydomain.net has static IP address even though
it has ADSL. If no, you can either use ip/length or (even better) use
TSIG keys as authenticat
nsbed.com @b.gtld-servers.net
which right now returns dns[1-4].registrar-servers.com, so not the ones
you've typed.
And, as your servers don't answer for
dig ns dnsbed.com @ns1.dnsbed.com
then I guess my original assumption of your domain has been wrong. But the
procedur
ITY SECTION".
But in this case, you're asking the authoritative server. Authoritative server
answers in answer section, as it knows the answer. Authority section is
for 'I don't know, ask ...'
The rule above goes for servers which are not authoritative for a given zone.
Torinthiel
;
>logging {
>channel query.log {
>file "/var/log/query.log" version; 3 size 5m;
that would be file "/var/log/query.log" version 3 size 5m;
You want 3 versions, so why separate keyword from its parameter?
Torinthiel
On 03/01/11 21:52, fakessh @ wrote:
> as I now know what key DS uses.
That would be the key with id 47103 in your case. The one that has SEP
flag, the one that only signs DNSKEY records and not others.
Regards,
Torinthiel
red me they will probably be ready. This might, or might
not be related to providing DNSSEC by other OVH branches and for other
registries.
Torinthiel
G SIZE rcvd: 58
>
>
> I have setup the NS for ox.test.nsbeta.info zone, why dig +short gets
> nothing but dig does get the result?
+short instructs dig to only write extract of ANSWER section. Your reply
is in authority section.
Torinthiel
en the default
named.conf has related config (and/or comments).
Regards,
Torinthiel
On 2011-02-22 13:29 Eivind Olsen wrote:
>On Tue, 22 Feb 2011 08:59:51 +0100, "Torinthiel"
>wrote:
>> Hmm, looks to me as the box listed as client sends some strange notify
>> messages. Notify normally should contain SOA, so that receiving NS can
>>
ongst ones with lowest precedence, discarding those
failed.
Torinthiel
.
>>
>> - Can anybody give some feedback on the IPV6 compliancy?
>>IS bind-9.6-ESV-R3 totally compliant with IPV6?
>
>Yes.
But a different issue might be whether your system (the box Bind runs on, network,
routers, firewalls) is IPv6 compliant.
Torinthiel
obably.
Now, the more important part - why would you be running a slave of root?
AFAIK the root servers don't a) allow transfer b) send you notifies, so
you'll be in trouble as soon as anything changes, which means every week
right now, that root is signed. Why is
zone "." in { type hint; }
not enough for you?
Regards,
Torinthiel
named.conf and network topology)
Try (from both servers)
a) dig @127.0.0.1
b) ping 198.41.0.4 (which is a.root-servers.net's IP address)
Torinthiel
e config, so if it reboots you don't have two master servers.
And you could cook up a more complicated script, that tries to ping the
other server and runs master config generation, freeze, soa change, thaw,
reload and send you an email - and you have fully automated HA.
Torinthiel
On 02/13/11 17:16, Walter Alejandro Iglesias wrote:
> On Sun, Feb 13, 2011 at 02:13:48PM +0100, Torinthiel wrote:
>
>> On 02/13/11 12:52, Walter Alejandro Iglesias wrote:
>>> It will be a web hosting sever. I wrote my own web client
>>> panel and my own bash scripts
;d advice dig ns mydomain.com @a.gtld-servers.net (or any
other name server for your TLD)
> At go daddy I added ns1.mydomain.com and ns2.mydomain.com
> records and associate them to the two ips in its web
> interface.
>
> At my vps panel I have an option to reverse address domain
> names, could it confuse dns? Must I use this registers or
> must I leave it blank? I case it is convenient setup a domain
> name at VPS dns, what can I put there?
Those are the PTR records. For DNS you probably don't need them. For
email you definitely do, for WWW probably not.
Regards,
Torinthiel
med.conf)
dig axfr @master your.zone > your.zone.dump
maybe add +noall +answer to get rid of (most) comments and useless stuff.
And you will get double SOA record, at start and end of file.
Torinthiel
ORIGIN example.com
www a 1.2.3.4
and
www.example.com. a 1.2.3.4
are completely equivalent.
Now, why would you want to look into slave files, except for verifying
that the zone transfer succeeded?
Torinthiel
On 2011-02-08 16:47 fddi wrote:
>I need really something very simple:
>
>
>I have 2 domain name servers, I need them to be multi-master so I will
>put a mysql instance on each one,
>the two mysql servers in sync whith each other.
>
>when one of the servers goes down, the other continue to
On 2011-02-08 17:40 Terry. wrote:
>Hi list,
>
>Can BIND's "file" command referer to more than one zone file?
>For example,
>
> zone "test.nsbeta.info" {
> type master;
> file "a.db";
> file "b.db";
> };
>
>When a record doesn't exist in a.db, BIND wi
ss ad.domain.com (as it has
private IP address, and these are public - that's one part of guess), they
end up not resolving the name.
Can you verify that 203.59.24.3; 203.0.178.191; 203.134.24.70; can call
192.168.0.3, on that address?
Also, keep in mind that normally you should not use only one NS per
delegation, but a minimum of two. Here, for a testing environment (I guess)
it'll work, but don't do it on production environment.
Torinthiel
On 02/01/11 22:13, Jay Ford wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>> Third is about -N option:
>> a well established practice (although I don't know what was the
>> origin) is
>> to set SOA serial number to eg 2011020101, which is current day and
>>
On 02/01/11 19:44, Paul Wouters wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>
>>
>> To clarify things, I'm using BIND 9.7.2-P2.
>>
>> First is about input file: you can specify on the command line either
>> the
>> signed version of the zone, or t
signzone -N, using a
fourth format specifier?
Regards,
Torinthiel
It's quite possible that one of those I've already
pointed to contains this information, but also that a different one states
this information. But it was RFC for certain.
Regards,
Torinthiel
not the bd. ones. But com.bd ones don't provide an answer, so
you have timeout.
Looks like the com.bd zone is broken somewhat. Either the delegation should
be removed from bd, or the server needs fixing and adding other servers is
necessary.
Torinthiel
till this
is only the default, if an entry contains its own TTL it will take
precedence.
Other than sed'ing/awk'ing the zone files I see no other options.
Torinthiel
names, aliases, virtual hosts or virtual servers.
The name that is sent to the web server is the one typed in browser, and has
nothing to do with any CNAME records on the way. The web server must be
configured to handle it.
Torinthiel
rmation - e.g. SPF record , which didn't
show up on results. And they don't support third-level domains as well -
asking for mail.nsbeta.info returns information about nsbeta.info
Torinthiel
ion? You still
have to setup views, but then it will be easier when you change something.
Torinthiel
>
>Ty.
>
>
>-Original Message-
>From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
>Sent: Monday, 17 January 2011 15:46
>To: someone
>Cc: bind-users@list
On 2011-01-14 03:11 fakessh @ wrote:
>hello bind network and hello dnssec network admin.
>
>
>thank you for answered,
>I think I found a solution to my problem.
>$INCLUDE directive is that I have to handle
>
>
>example:
> $INCLUDE /var/named/keys/dsset-fakessh.eu. fakessh.eu
YOU
one file only when needed. That way if ZSK gets compromised you
just scrap those signatures, generate new ZSK and new signatures.
Just don't put those signatures with ZSK. If it gets compromised so do
the signatures, and you're screwed.
Torinthiel
on NSEC
need NSEC, so indirectly need sorting too.
For NSEC3 (which you are using) sorting makes no sense. Signing only
needs to sort hashed names to generate NSEC3 records. No need to sort
actual records in zone.
Torinthiel
files download the zone from master.
rndc can only tell BIND (either master or slave) to initiate that
connection, it can't change zones by itself.
You could of course copy zone files to slaves by some means (rsync?
scp?) and then rndc reload the slave, but
a) why?
sponse:
What version of bind are you using? My wild guess is that it's not
recent enough to recognize NSEC3 signatures. Bind 9.4.3 was not, and I
got exactly the same symptoms.
Torinthiel
;ve asked for abyss.tamay-dogan.net the NS could present
you with this RR and it's signature and prove that abyss.tamay-dogan.net
(which falls between tamay-dogan.net and admin.tamay-dogan.net) does not
exist.
As a side effect, it's now possible to enumerate ever
zone transfers because it's automatic.
No, you don't have to.
If you know which zone has changed, then you can do "rndc reload zonename".
If you don't, then "rndc reload" reloads all zones.
You could also try "rndc reconfig", but I think it will only load
On 2010-12-30 11:45 Torinthiel wrote:
>On 2010-12-30 18:03 p...@mail.nsbeta.info wrote:
>
>>Sunil Shetye writes:
>>
>>>
>>> Case 2: Lame Server Reply
>>>
>>> ==
e, but the query was sent with 'rd' -
'recursion desired' flag, as if you haven't given +norec. And with recursion
giving answer is perfectly legal. If not for that flag, then yes, I'd
consider it a lame response, although probably someone more knowledgeable
than m
o sum up:
Question: Does the server have authoritative data?
Answer 1: Server returns data when asked without recursion -> YES
Answer 2: Server is not listed in authority section -> NO
Real answer: Lame server.
Regards,
Torinthiel
rrectly nonetheless.
>
>AND what do the RFC say about those CNAME chains? CNAME points to a CNAME?
It's not incorrect, but discouraged.
See http://tools.ietf.org/html/rfc1034, last two paragraphs of section 3.6.2
Torinthiel
nd expert myself (but having read and hopefully understood the
RFC's) I have to agree with it. And, having other issues with Microsoft DNS
server myself (although this could be the lameness of its admins as well), I
don't have a hard time belie
gt; reading private key file fakessh.eu/DSA/47103: file not found
>
First, where are the key files, related to bind directory (the one in
options { directory })?
Are the names correctly given to bind?
it looks like bind cannot find them.
Second, you need to give the user running bi
d be the lameness of its admins as well), I
don't have a hard time believing this.
Although, if it works when VM is duplicated but has no traffic, it looks
like something else to me (maybe two completely different errors, but with
similar appearance)
Torinthiel
Second, you issue
gpg --verify bind-9.7.2-P3.tar.gz.asc bind-9.7.2-P3.tar.gz
might work with only the signed name (gpg --verify
bind-9.7.2-P3.tar.gz.asc), I'm not sure how about this case.
Torinthiel
On 12/20/10 01:32, Mark Andrews wrote:
> In message <4d0e8340.9060...@data.pl>, Torinthiel writes:
>
>> Hello everyone,
>>
>> I've recently updated bind to version 9.7.2_p3.
>>
> Upgraded from what?
>
>From 9.4.3_p5
>
>
>
auto, so I have no choice but to use
built-in DLV. But, e.g. secspider.cs.ucla.edu looks interesting.
Can anyone shed some light if this is my mistake, not having something
in configuration, or a general bind error?
Regards,
Torinthiel