Re: 9.18 horrendous

I agree. Banning them because you disagree with what they say ? You have shares in facebook ? TikTok ? Federal Govt ? On 2024-08-23 7:19 AM, Marcus Kool wrote: The user was angry and ranted about named 9.18.x.  He did not rant about any developer or any member of your team.  Removing a user fr

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

> On 1 Mar 2024, at 10:37, Greg Choules via bind-users > wrote: > > In summary, Do the hard work of traffic steering somewhere else and let your > DNS resolvers deliver the chosen answer. Don't make the resolvers themselves > try to do this on the basis of incomplete information. Well said

Re: Problem upgrading to 9.18 - important feature being removed

ants to have bind9 used by the 42 people who are experts of bind9. -Jim P. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more

one authoritative name server and each domain requires ns1.thisdomain.com

domain.TLD and ns2.anotherdomain.TLD" are only seen as the name servers for zones in TLD? Maybe a view for zones in TLD ... or possibly a separate view for each zone from TLD that needs this treatment of name servers? Thanks, Jim Peters jpet...@dovetailinternet.com -- Visit https://lists.

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

Thank you. That makes sense, I appreciate the feedback. V/R Jim DeCaro DISA Systems Administrator Windows and Unix/Linux Server Operations FE222/DoDNet Service Section Defense Enclave Services Directorate Defense Information Systems Agency ☎ 301-225-8180 ☎ 301-375-8180 james.j.decaro3

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

I tried this utility and got the following message: gnutls-cli: command not found... Thank you V/R Jim DeCaro -Original Message- From: Ondřej Surý Sent: Thursday, April 28, 2022 5:15 PM Cc: DeCaro, James John (Jim) CIV DISA FE (USA) ; bind-users@lists.isc.org; Mcallister, Reginald

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

from rhel-7-server-extras-rpms: [Errno 256] No more mirrors to try. https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/extras/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden I don't have access to the red hat repos yet. Is this helpful? V/R Jim DeCaro -O

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

art to the locally created repo file for testing. All variations resulted in the same error. Thank you so much for your input, I will hopefully test it sometime today. V/R Jim DeCaro -Original Message- From: Michał Kępień Sent: Thursday, April 28, 2022 4:55 PM To: DeCaro, James John

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

gpgcheck=1 gpgkey=https://download.copr.fedorainfracloud.org/results/isc/bind/pubkey.gpg repo_gpgcheck=0 enabled=1 enabled_metadata=1 --same result V/R Jim DeCaro DISA Systems Administrator Windows and Unix/Linux Server Operations FE222/DoDNet Service Section Defense Enclave Services Directorate Defense

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

] name=Corp repo for bind owned by isc baseurl=https://download.copr.fedorainfracloud.org/results/isc/bind/epel-7-x86_64/ skip_if_unavailable=True gpgcheck=0 enabled=1 enabled_metadata=1 type=rpm-md ---same result. V/R Jim DeCaro DISA Systems Administrator Windows and Unix/Linux Server Operations

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

stall isc-bind Partial output: failure: repodata/repomd.xml from download.copr.fedorainfracloud.org_results_isc_bind_epel-7-_: [Errno 256] No more mirrors to try. https://download.copr.fedorainfracloud.org/results/isc/bind/epel-7-/repodata/repomd.xml: [Errno 14] HTTPS Error 503 - Service Unavailable (repeats

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

OK I tried that and got the same results but I will try again. Thank you V/R Jim DeCaro DISA Systems Administrator Windows and Unix/Linux Server Operations FE222/DoDNet Service Section Defense Enclave Services Directorate Defense Information Systems Agency ☎ 301-225-8180 ☎ 301-375-8180

Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

t search indicates a possible issue with the target site (which I doubt) I am relatively new to repository configuration, so I am assuming I am missing something. Thanks in advance for any input V/R Jim DeCaro -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this

Re: 'managed-keys' is deprecated ??

On Tue, 2021-06-15 at 14:27 +1000, Mark Andrews wrote: > https://downloads.isc.org/isc/bind9/9.16.16/doc/arm/Bv9ARM.pdf The modern-day RTFM :-) -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this l

RE: [Non-DoD Source] Re: Installing BIND 9.16.15

I can review which has more specific solutions? Many Thanks for your time. -Original Message- From: Ondřej Surý Sent: Thursday, May 6, 2021 12:57 PM To: DeCaro, James John (Jim) CIV DISA FE (USA) Cc: bind-users@lists.isc.org Subject: [Non-DoD Source] Re: Installing BIND 9.16.15 All active

Installing BIND 9.16.15

t figure it out yet. Any help would be appreciated. Jim ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https:/

Re: Using RNDC to control remote access to my BIND server

t the runner docker/js/etc environment can talk to the staging named. There's 10,000 ways to do things in CI/CD, the 1 way that doesn't exist is the only one you will recall in the middle of a weekend while you are on vacation. :) -Jim P. __

Re: FW: Preventing a particular type of nameserver abuse

e reserved IPs and quickly transfer them from server to server using the OVH API. This is great for database resiliency/failover, etc. -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds

Re: Testing KASP, CDS, and .ch

On Sat, 2021-04-10 at 13:18 +0200, Oli Schacher wrote: > Hi Jim > let me give you a bit more info > > > On April 9, 2021 8:23:48 PM UTC, Hugo Salgado wrote: > > > Switch has a website to test the CDS processing for .ch: > > > https://www.nic.ch/security/cds/

RE: Testing KASP, CDS, and .ch

ink you're missing the point of this thread. I'm not asking about how to configure DNSSEC the traditional way. Btw, one *can* manually setup a DS RR at Gandi, but they take and decode the actual key data not the DS. -Jim P ___ Please visi

Re: Testing KASP, CDS, and .ch

NS query returned: "Server failed to complete the DNS request". >" > >You should check the requirements. You'd need to answer for three >consecutive days, be consistent in all NS IP addresses, etc. > >Hugo > >On 15:11 09/04, Jim Popovitch via bind-users wr

Re: Testing KASP, CDS, and .ch

the whole purpose of CDS/CDNSKEY is to not have to do that, no? -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions.

Testing KASP, CDS, and .ch

04:06:33 2021) ; Delete: 20210303051133 (Wed Mar 3 05:11:33 2021) ; SyncPublish: 20210221023255 (Sun Feb 21 02:32:55 2021) -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of th

Re: Two copies of recent posts

il. > I just received 2 copies of your post, with 2 different ESMTP IDs... because you sent it to 2 different recipients. That same thing would happen if you sent it to bind-users@lists.isc.org and bind-users@lists.isc.org. -Jim P. ___ Please visit

Re: Two copies of recent posts

On Mon, 2020-11-23 at 08:13 +0100, Reindl Harald wrote: > > Am 23.11.20 um 04:58 schrieb Jim Popovitch via bind-users: > > On Sun, 2020-11-22 at 21:56 -0500, Paul Kosinski via bind-users wrote: > > > I've been getting two identical copies of recent posts to this list...

Re: Two copies of recent posts

rify who they are replying to, it's easy to see from the "Servfail on Bind -9.16.1" thread where the problem(s) exist. Note Paul, I only received one copy of your post, and you should be only receiving one copy of my reply. -Jim P. __

Re: getting a later-version of BIND on various linux OS's

ou are looking for is Debian Backports: https://backports.debian.org/ Stable (Buster) Backports has v9.16.6 https://packages.debian.org/buster-backports/bind9 It's built and maininted by: https://tracker.debian.org/pkg/bind9 -Jim P.___ Plea

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

On Thu, 2020-09-10 at 13:50 -0400, Jim Popovitch via bind-users wrote: > On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote: > > I manage an anti-spam DNSBL and I've been running into an issue in recent > > years - that I'm FINALLY getting around to asking about. I just

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

efined as a trust anchor, for instance in a trust-anchors statement, or dnssec- validation auto must be active. You might want to try adding "dnssec-validation auto" to the zone stanza. zone "invaluement.local" in { type forward; forward only; forwarders { 1

RE: [Non-DoD Source] Re: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?

We have an application that queries reverse lookups on clients trying to access it in order to verify the client and its IP are legit and a part of the correct domain/acl.. So if the pointer record does not match, the client is rejected. I don't know if that is relevant in this case, but it prov

RE: [Non-DoD Source] Re: Dumb Question is an A or AAAA record required?

Would the lack of A records affect pointer records? Seems like it would. Jim "If you always do what you always did you will always get what you always got." -Original Message- From: bind-users On Behalf Of Mark Andrews Sent: Thursday, July 9, 2020 8:56 AM To: @lbutlr Cc:

RE: [Non-DoD Source] BIND 9.16 incoming TCP connection errors

When I got that message I had to unblock tcp port 53 on my firewall. Jim -Original Message- From: bind-users On Behalf Of Anand Buddhdev Sent: Tuesday, June 16, 2020 11:28 AM To: bind-users Subject: [Non-DoD Source] BIND 9.16 incoming TCP connection errors All active links

RE: [Non-DoD Source] Re: BIND Masters and slaves

Or you can call the slave servers 'secondary' servers. V/R Jim DeCaro DISA Systems Administrator Windows and Unix Server Operations FE222/DoDNet Service Section Defense Enclave Services Directorate ☎ 301-225-8180 ☎ 301-375-8180 james.j.decaro3@mail.mil james.j.decaro3@mai

RE: [Non-DoD Source] Re: BIND installed on a Solaris 11.4 x 86 virtual server

, now the default directories are correct but the service still goes into maintenance with the same error as produced by named -c /etc/named.conf -g. I apologize that my inexperience makes this confusing. V/R Jim DeCaro DISA Systems Administrator Windows and Unix Server Operations FE222/DoDNet

RE: [Non-DoD Source] Re: BIND installed on a Solaris 11.4 x 86 virtual server

--->>default paths: these are not what I was shooting for --should be: named configuration: /etc/named.conf rndc configuration: /etc/rndc.conf DNSSEC root key: /etc/bind.keys nsupdate session key: /usr/var/run/named/session.key named PID file: /usr/v

BIND installed on a Solaris 11.4 x 86 virtual server

nf 01-Jun-2020 13:59:55.663 loading configuration: file not found 01-Jun-2020 13:59:55.663 exiting (due to fatal error) Thanks V/R Jim DeCaro DISA Systems Administrator Windows and Unix Server Operations FE222/DoDNet Service Section Defense Enclave Services Directorate ☎ 301-225-8180 ☎ 301-375-8

RE: [Non-DoD Source] Re: Upgrading from BIND 9.14.9 to 9.16.3

Thank you. amd64 does not exist in the /usr/local/lib/ directory. This is a Solaris 11.4 x86 64 bit system so that may be why. I will keep looking. Thanks again V/R Jim DeCaro DISA Systems Administrator Windows and Unix Server Operations FE222/DoDNet Service Section Defense Enclave Services

RE: [Non-DoD Source] Re: Upgrading from BIND 9.14.9 to 9.16.3

exit 1; \ fi; \ done make: Fatal error: Command failed for target `subdirs' I am not sure why it will not create or find the directories from that code. libuv.so.1 is located in /usr/local/lib/libuv.so.1 --not sure why it will not find this since I added the path using the

RE: Upgrading from BIND 9.14.9 to 9.16.3

command needs an option to discover libuv but I am not sure. Any help would be appreciated. Jim ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

On Wed, 2020-04-15 at 14:21 +0200, Reindl Harald wrote: > > Am 15.04.20 um 14:17 schrieb Jim Popovitch via bind-users: > > On Wed, 2020-04-15 at 10:35 +0200, Klaus Darilion wrote: > > > Thanks for answer! > > > > > > So actually it is just a cosmet

Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

On Wed, 2020-04-15 at 10:35 +0200, Klaus Darilion wrote: > Thanks for answer! > > So actually it is just a cosmetic change not addressing a real problem. > > I will miss the bind9 service :-( Wait until you find out about Predicatable Network Interface Names and iptables ru

Re: update-policy wildcard grant

On Thu, 2020-04-02 at 09:27 +1100, Mark Andrews wrote: > > On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users < > > bind-users@lists.isc.org> wrote: > > > > Hello! > > > > I started on #bind, moved on to the ARM, and now I am here. > > > >

update-policy wildcard grant

am I doing wrong? tia! -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

OT: Reminder: DNSSEC series starts in 1 day

First, I love it that ISC does these informative sessions. However, why send out iCal/Calendar instructions AND then send me emails 1 day and 1 hour before each session? I don't want to cancel my registration, but I do want to cancel the constant email reminders. Help! -

Re: NSEC3 salt change - temporary performance decline

> On 21 Jan 2020, at 15:59, Daniel Stirnimann > wrote: > > I agree that re-salting is kind of pointless So, just like NSEC3 then? :-) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mai

Re: The signed domain file rewritten

Why does bind rewrite that file? Because someone forgot to put dynamic files in /var ? :P https://en.wikipedia.org/wiki/Unix_filesystem -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bi

Re: Would/Could/Should

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, 2019-10-10 at 10:39 -0400, Jim Popovitch via bind-users wrote: > Hello! > > Is this a language/translation issue, or is named telling me that it > would but didn't limit? > > > Oct 10 00:57:21 ns2 named[623]:

Would/Could/Should

iting error responses to 2404:6800:4003:c00::/56 - -Jim P. -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEE3RmV4WutJ2KyCS2zPcxbabkKGJ8FAl2fQp8ACgkQPcxbabkK GJ+E/hAAt8LBEUukrfFTCY1BT4dUq4NVnT3uM2Z4TwXOgT9BzTHO1J6G/BaT7HrR KGnUm055Fa0GtwKQnCMCXjmMRdPNUno9Mr9DXbHq4EmIp9Cpgi1GrTC+fqD

Re: Auth server reports: resolver priming query complete

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, 2019-07-28 at 02:14 +1000, Mark Andrews wrote: > > On 28 Jul 2019, at 2:03 am, Jim Popovitch via bind-users > > wrote: > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA256 > > > > On Su

Re: Auth server reports: resolver priming query complete

BTW, this is with v9.14.4. Follow-up question: I only see ns1 (master) logging the priming, ns2 doesn't. ns2 is a slave to ns1, but also a master to a 3rd party (e.g. also-notify, notify-explict). Shouldn't ns2 also be priming addresses of the non- auth 3rd party? - -Jim P. -

Re: Auth server reports: resolver priming query complete

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, 2019-07-27 at 11:04 -0400, Jim Popovitch via bind-users wrote: > Hello! > > Why would an auto-only server (in this case the master) report this: > > Jul 27 13:07:58 ns1 named[624]: resolver priming query complete &

Auth server reports: resolver priming query complete

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello! Why would an auto-only server (in this case the master) report this: Jul 27 13:07:58 ns1 named[624]: resolver priming query complete tia, - -Jim P. -BEGIN PGP SIGNATURE

Re: DMARC test

Kosinski You can read more about how Mailman handles DMARC here:  https://wiki.list.org/DEV/DMARC hth, - -Jim P. -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEE3RmV4WutJ2KyCS2zPcxbabkKGJ8FAl0rw7cACgkQPcxbabkK GJ9JChAAhNPPmoLbUR0UGsPjEfYSSPe1fSoO5q+larj9mXaO9rCOuVpSucf5FqO

Re: A policy for removing named.conf options.

> On 13 Jun 2019, at 14:18, Warren Kumari wrote: > >> A configuration option that is candidate for removal will be deprecated >> first. During this phase the option will still work, but we will be >> communicating to users that the option is going to be removed soon. A >> user that has depreca

Re: Should we remove the DLV code?

> On 21 May 2019, at 16:00, Hugo Salgado-Hernández wrote: > > One important thing is that the "islands of security" concept > may be necessary in different places (companies? communities?) > and the DLV technique is not limited to the root. For the same > reason I consider that Bind's support i

Re: Fwd: SSHFP observation

On Thu, 2019-01-31 at 21:12 +0530, Mukund Sivaraman wrote: > On Thu, Jan 31, 2019 at 10:30:30AM -0500, Jim Popovitch via bind- > users wrote: > > On Thu, 2019-01-31 at 19:14 +0530, rams wrote: > > > Hi, > > > I have setup sshfp records as follows in bind zone f

Re: Fwd: SSHFP observation

g wrong in a zone file, and we can't see what it is because the domain you specified is invalid. So, until you show us some data my best guess is that you have a formatting error in a zone file(s). Help us help you by specifying the actual domain. -Jim P. ___

Definitive guide for purging old DNSSEC key files

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 What is the definitive steps for purging (rm -f) old DNSSEC key files that expired months ago? tia, - -Jim P. -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEPxwe8uYBnqxkbORSJxVetMRaJwUFAlvHefsACgkQJxVetMRa JwX3HxAAhze9yaypBQdqkz9r0qOUeB6OmU

Re: [BIND] Re: Is it possible to...

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, 2018-08-10 at 09:47 +1000, Mark Andrews wrote: > > On 10 Aug 2018, at 5:46 am, Jim Popovitch via bind-users > s...@lists.isc.org> wrote: > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > >

Is it possible to...

that possible with a(ny)? recent version of Bind9? tia, - -Jim P. -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEPxwe8uYBnqxkbORSJxVetMRaJwUFAltsmgYACgkQJxVetMRa JwUWaw/9FU02HPacQQtH6AVhp3IFDlbvCcMgodcxzeYvIrFLiJU0pGUlkg31XqBd T4UZkZViaydmDBpZY2igPvBInF8ZzwrgWdLlpJIFNurdLe67nvptF0qcll+2ExHy

Re: v9.12.1-P2 changed files

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sat, 2018-05-19 at 01:03 +, Evan Hunt wrote: > On Fri, May 18, 2018 at 04:28:24PM -0400, Jim Popovitch via bind- > users wrote: > > Honest question Why are there so many sourcecode > > modifications/additions/deletions b

v9.12.1-P2 changed files

/plainh/470058dd - -Jim P. -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEPxwe8uYBnqxkbORSJxVetMRaJwUFAlr/N2gACgkQJxVetMRa JwU02w//bWw5TAoVjmTsMlUJndA7Yd3DM14fsWBMTBGGxKYZjG9JskBOOoGYFrbZ gR+ljJAGEOTRBGYStG6f+M7ocPK9brXVpFiqhGB/cG0ntM9vgczKWC0HjWHvQuZf 3vdqu6hs77fQyxy82mkOeVB/dRCJdbAQWt7I7ezstWhvlYqs

Roadmap for DNSSEC signing/automation?

d9 fully manage this, perpetually. Thx, - -Jim P. -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEPxwe8uYBnqxkbORSJxVetMRaJwUFAlqn/MAACgkQJxVetMRa JwUIRhAAmB7SewSVkChuKRMqnZdPAvjA30vXOqQFUUiMD91waGhhzlWIesuL5PfH uU9UrBLp6O2V+tZTAPvnogJeIBa7zm1QB9LXK4wWqhyU+ywu4ADS6Fzt6OFgWL08 y5xXuZK+Nxcxjg

Re: RPZ zone name label length limit

Hi Mukund, Yes, I will send the report with a sample RPZ zone that contains the name to bind-b...@isc.org. Thanks, Jim On 6/29/17, 2:40 PM, "Mukund Sivaraman" wrote: Hi Jim On Thu, Jun 29, 2017 at 01:57:16PM +, Jim Yang wrote: > Hi, > > W

RPZ zone name label length limit

name label that is longer than 63 characters)? When I dig these DNS records using 8.8.8.8, which reports them as ‘NXDOMAIN’. Thanks, Jim ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users

Re: RPZ zone load failure ran out of space

Hi Bob, Thank you for the explanation. It makes sense to me now. Best, Jim From: Bob Harold Sent: Wednesday, June 28, 2017 4:38 PM To: Jim Yang Cc: bind-users@lists.isc.org Subject: Re: RPZ zone load failure ran out of space On Wed, Jun 28, 2017 at 3:44 PM

RPZ zone load failure ran out of space

policy records. ; Note: There are no periods (.) after the (relativised) owner names. bad.domain.com A 10.0.0.1 ; redirect to walled garden 2001:2::1 Thanks, Jim ___ Please visit https

bind 9.8.2 "no valid signature found"

xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fs

Re: bind does not resolved all domains (SERVFAIL)

Hi, For me, today's problem is philasd.org, getting SERVFAIL # dig +trace philasd.org couldn't get address for 'dns1.philasd.org': not found couldn't get address for 'dns2.philasd.org': not found dig: couldn't get address for 'dns1.philasd.org': no more / Missin

Re: Question on prod.msocdn.com

Just fyi, Found my problem here, our Tipping Point IPS was misbehaving for msocdn.com, all well now. The contributors on the ISC lists are a wealth of information and appreciated. best! jim On 11/9/2016 2:50 PM, Jim Glassford wrote: On 11/9/2016 2:42 PM, Jim Glassford wrote: On 11/9/2016

Re: Question on prod.msocdn.com

On 11/9/2016 2:42 PM, Jim Glassford wrote: On 11/9/2016 4:55 AM, Tony Finch wrote: Jim Glassford wrote: Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd either timeout or SERVFAIL depending on version of bind. It works for me with BIND 9.11 and 9.10.4-P4. There are some

Re: [Ext] Re: Question on prod.msocdn.com

On 11/9/2016 4:55 AM, Tony Finch wrote: Jim Glassford wrote: Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd either timeout or SERVFAIL depending on version of bind. It works for me with BIND 9.11 and 9.10.4-P4. There are some EDNS-related changes in 9.10 which might be

Question on prod.msocdn.com

n1dspg.akamaiedge.net. 3966IN A 209.48.71.60 n6dspg.akamaiedge.net. 3966IN A 165.254.211.13 ;; Query time: 25 msec ;; WHEN: Tue Nov 8 19:18:06 2016 ;; MSG SIZE rcvd: 475 thanks! jim ___ Please visit https://lists.isc.

Re: The DDOS attack on DYN & RRL ?

On Mon, Oct 31, 2016 at 12:21 PM, Tony Finch wrote: > Jim Popovitch wrote: >> >> It seems to me that anycast is probably much worse in the Mirai botnet >> scenario unless each node is pretty much as robust as a traditional >> unicast node. > > This blog post is a

Re: The DDOS attack on DYN & RRL ?

On Mon, Oct 31, 2016 at 11:27 AM, Matthew Seaman wrote: > On 2016/10/31 14:53, Jim Popovitch wrote: >> On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman >> wrote: >>> This despite the fact that Dyn has a global anycast network with >>> plenty of bandwidth, point

Re: The DDOS attack on DYN & RRL ?

uch worse in the Mirai botnet scenario unless each node is pretty much as robust as a traditional unicast node. -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list b

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

ks cooler than the later. -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: minimal-any on master

On Mon, Sep 05, 2016 at 05:12:47PM +0100, Tony Finch wrote: > Jim Popovitch via bind-users wrote: > > > > Thanks. Now I'm seeing something slighly different. I have 3 NS > > servers, ns{1-3}.domainmail.org. > > > > When I first asked 3 days ago I was seein

Re: minimal-any on master

On Mon, Sep 05, 2016 at 09:51:25AM +0100, Tony Finch wrote: > Jim Popovitch via bind-users wrote: > > > > Should minimal-all (v9.11.0-rc1) work on a master? My testing shows > > that it only works on the slave DNS servers. > > Works for me :-) minimal-any is implement

Re: minimal-all on master

On Fri, Sep 02, 2016 at 06:59:35PM +, Jim Popovitch via bind-users wrote: > Hello, > > Should minimal-all (v9.11.0-rc1) work on a master? My testing shows that it > only works on the slave DNS servers. > And by minimal-all I mean minimal-any (i keep typo'ing that fo

minimal-all on master

Hello, Should minimal-all (v9.11.0-rc1) work on a master? My testing shows that it only works on the slave DNS servers. relevant named.conf: http://paste.debian.net/plainh/62ee2440 -Jim P. signature.asc Description: Digital signature ___ Please

Re: SPF and domain keys

t selector name and d=foxtrot.com in the signatures of the email it sends as foxtrot.com. This is a very common arrangement used by domains that use email sending providers. -Jim On 8/28/16 4:13 PM, project722 wrote: > Lets say my domain is foxtrot.com <http://foxtrot.com> and we have SP

Spurious DNSKEY records on slave

o longer a .jnl file there. I'm not sure where it came from in the first place. Master is running 9.9.5-9+deb8u6-Debian Slave is running 9.8.4-rpz2+rl005.12-P1 (both obtained from Debian distribution) Is this a known problem? -Jim ___ Please vi

auto-dnssec sanity check (please)

. That concerns me. Is it as simple as cached responses? -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo

Re: Bind v9.9.7-P2 inline-signing hourly?

;s a check to see if the zone keys have been changed (e.g., a new key > added, an existing key scheduled for deletion, a standby key activated, > etc). Thanks! -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubsc

Bind v9.9.7-P2 inline-signing hourly?

red to the alternative. :-) -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: [Ext] RRL settings that work for you

Hi Mike, In production since July 2013 without complaints and believe it has helped here. rate-limit { responses-per-second 10; window 5; }; best! jim On 5/26/2015 5:00 PM, Mike Hoskins (michoski) wrote: Hi folks, I've read about RRL with interest since its inception, but jus

Re: Digging to the final IP

g.^I^I299^IIN^IA^I216.235.14.46 There is only one ASCII TAB (represented as ^I with cat -t) between "cerebus.kreme.com." and "21409." but two ASCII TABs between "sb.sanxion.org." and "299". I'm guessing a very short name might result in three

logging via named.conf

Is there an easy way in the named.conf logging to have ALL logging go to local2 ? I've created: logging { channel syslog-local2 { syslog local2; print-category yes; print-severity yes; }; category default { syslog-local2; }; category general {

Re: Master to Slave initial zone transfer question

specified with each *also-notify* address to send the notify messages to a port other than the default of 53. *also-notify* is not meaningful for stub zones. The default is the empty list. best! jim ___ Please visit https://lists.isc.org/mailm

Re: classless ptr setup

t;0/25.z.y.x.in-addr.arpa" { ... ... } ...and in the zone file: 1 PTR some.host. ... as normal. HTH, -John From: Jim Pazarena To: bind-users@lists.isc.org Date: 01/20/2014 01:43 PM Subject:classless ptr setup Sent by:bind-users-bounces+johnh=primebuchholz...

classless ptr setup

I have a full /24, which I would like to separate into two /25's, and assign each half to two of my customers. The snag is that *I* maintain the DNS for each of these customers. Is it possible to create the classless setup within my system so that it starts with the /24 but can assign the two cla

DNS format error

I see in my logs "DNS format error from 205.178.190.53#53 resolving excelwetsuits.com/MX for client 207.34.147.83#54521: invalid response" The client is *my* mail server IP. I am wondering is this error on MY side or their's ? It doesn't sound like it. If it's on their end.. how far should someo

authoritative rDNS

I set up a subnet on my server, complete with rdns, and ARIN has been adjusted for my two dns servers (ns.qcislands.net & ns2.qcislands.net) the subnet: 23.235.75.0/24 if you do a lookup of, for instance: 23.235.75.10 and bounce that nslookup off of other dns servers, SOME say: Authoritative an

ARIN IP assignments

I have a client who has been assigned a /20 from ARIN. They asked me to help them with their DNS. The DNS for me is the easy part. except... ARIN has told them that you use the DNS to set up the routing so that the traffic for this /20 gets routed to the correct up-stream provider. Is this cor

Re: reverse resolution failing

Jim Pazarena wrote, On 2013-02-07 9:31 AM: my named is 9.9.0 while it can resolve "webmail.acrodex.com" ( 139.142.184.10 ) it cannot reverse resolve 139.142.184.10 (example follows). However, if I do a simply nslookup using goodle DNS. nslookup 139.142.184.10 8.8.8.8 IT WORKS!

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

On Fri, Mar 29, 2013 at 10:02 AM, Steven Carr wrote: > On 29 March 2013 14:57, Jim Bucks wrote: > > I just noticed (has been there all along), that the subdomain is not > showing > > up in the "automated" unable to line. > > I want it to add dhcp-172-

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

On Fri, Mar 29, 2013 at 6:39 AM, Mark Elkins wrote: > Try using a more simple MD5, short key. > > Seem to remember that DHCP doesn't like non-MD5 keys (eg SHA) > There was also some sort of length bug? - try 128 bit length. > > On Fri, 2013-03-29 at 06:19 -0600, Jim

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

lete" URL provided by ?Alex?"). The only difference I can see is that I used a 512 bit key vs the examples 128bit key. And, I'm using a slaves/ directory vs internal/ directory for the "zones" files. Jim INTERACTIVE WORKS [root@dns04 ch

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

Hi Jim, Shouldn't there be quotes around the key string in the named .conf file? I have quotes around mine in named.conf. I do not have quotes around the key string in the dhcpd.conf. If this is correct, I've made sure they match (I was trying to "genericize" the key str

  1   2   >