Re: Question about post-quantum X25519Kyber768

2025-01-02 Thread Carlos Horowicz via bind-users
rsday, January 2, 2025 7:32 AM *To:* bind-users@lists.isc.org *Subject:* Question about post-quantum X25519Kyber768 Hi there, does anyone know of the

Re: Question about post-quantum X25519Kyber768

2025-01-02 Thread Robert Wagner
-users Sent: Thursday, January 2, 2025 7:32 AM To: bind-users@lists.isc.org Subject: Question about post-quantum X25519Kyber768 Hi there, does a

Question about post-quantum X25519Kyber768

2025-01-02 Thread Carlos Horowicz via bind-users
Hi there, does anyone know of the bind developers thinking of incorporating post-quantum cryptography into bind9 , like Cloudflare with X25519Kyber768 on BoringSSL ? I'm just curious about if there are thoughts or ongoing work, or if this is in the near roadmap at all. Thank you, Carlos H

RE: Simple question - trailing "." in zone file

2024-11-22 Thread David Carvalho via bind-users
Thank you so much for the detailed explanation! Wish you all a great weekend. Kind regards David Carvalho -Original Message- From: Mark Andrews Sent: 21 November 2024 22:23 To: David Carvalho Cc: bind-users Subject: Re: Simple question - trailing "." in zone file The final

Re: Simple question - trailing "." in zone file

2024-11-21 Thread Mark Andrews
22 Nov 2024, at 04:44, David Carvalho via bind-users > wrote: > > Hi! > Sorry for this “beginner” question. If I knew this before, then I completely > forgot. > I know a “.” inside a zone file can be used to define top level entry. If a > record entry doesn’t have it, it

Re: Simple question - trailing "." in zone file

2024-11-21 Thread Rick Dicaire
On Thu, Nov 21, 2024 at 12:45 PM David Carvalho via bind-users < bind-users@lists.isc.org> wrote: > Hi! > > Sorry for this “beginner” question. If I knew this before, then I > completely forgot. > > I know a “.” inside a zone file can be used to define top level en

Simple question - trailing "." in zone file

2024-11-21 Thread David Carvalho via bind-users
Hi! Sorry for this "beginner" question. If I knew this before, then I completely forgot. I know a "." inside a zone file can be used to define top level entry. If a record entry doesn't have it, it gets itself along with the domain name. Today I was comparing my master

Re: secondary dns server question :)

2024-11-18 Thread Ondřej Surý
> On 19. 11. 2024, at 1:42, Jean-François Bachelet wrote: > […] > I am just curious, as the correct config for the secondary DNS, as if the > main one is down and the secondary have not the complete config itself how > can it take on the job of the primary one for the time of its repair ? Tha

Re: secondary dns server question :)

2024-11-18 Thread Jean-François Bachelet
Regards, Jeff On 18/11/2024 at 20:06, Ondřej Surý wrote: I think the good starting point is exactly the question that Marco asked - we have no idea what Jean-François is trying to achieve. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Ple

Re: secondary dns server question :)

2024-11-18 Thread Ondřej Surý
I think the good starting point is exactly the question that Marco asked - we have no idea what Jean-François is trying to achieve. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working

Re: secondary dns server question :)

2024-11-18 Thread Nick Tait via bind-users
Hi Jeff. This is a good starting point for setting up primary and secondary servers: https://bind9.readthedocs.io/en/stable/chapter3.html#authoritative-name-servers Nick. > On 19 Nov 2024, at 7:44 AM, Marco Moock wrote: > On Mon, 18 Nov 2024 19:03:55 +0100 > Jean-François Bachelet wrote: >

Re: secondary dns server question :)

2024-11-18 Thread Scott Bradner
see RFC 2182 for info on secondary dns servers https://www.rfc-editor.org/rfc/rfc2182 e.g. not so good to have the on the same subnet Scott > On Nov 18, 2024, at 1:03 PM, Jean-François Bachelet > wrote: > > Hello folks :) > > just to be sure, in case we have two (internals) dns servers on t

Re: secondary dns server question :)

2024-11-18 Thread Marco Moock
On Mon, 18 Nov 2024 19:03:55 +0100 Jean-François Bachelet wrote: > just to be sure, in case we have two (internals) dns servers on the > same network (for the case of one is unavailable), if I understand > well the docs, the two servers should have the exact same > configurations, apart that

secondary dns server question :)

2024-11-18 Thread Jean-François Bachelet
Hello folks :) just to be sure, in case we have two (internals) dns servers on the same network (for the case of one is unavailable), if I understand well the docs, the two servers should have the exact same configurations, apart that the secondary is stated as 'secondary' and the first 'mas

Re: Question about recursive client max quota

2024-11-08 Thread Nicki Křížek
On 08/11/2024 11.20, Pedro García Segura wrote: I'm having a hard time understanding the default recursive max quota being set at 100 by default, since most modern servers now have RAM to spare, and it's a bit scary to think that another Internet outage may happen again and internal critical s

Re: Question about recursive client max quota

2024-11-08 Thread Pedro García Segura
Hi Greg, Thanks so much, your last paragraph makes sense. I guess what I would expect, and excuse me if this reasoning is flawed, is that BIND could use different queues/priorities for external/internal domains. E.g. if after parsing the necessary query fields I see that I'm authoritative for the

Re: Question about recursive client max quota

2024-11-08 Thread Greg Choules
Hello Pedro. Firstly, which version of BIND are you running? Generally, though, increasing `recursive-clients` on a box with a decent amount of power and RAM is not an issue: 50k, or even bigger, should be fine. But please test it first. We have discussed raising the default but we’re not quite

Question about recursive client max quota

2024-11-08 Thread Pedro García Segura
Hello, Recently we had an Internet outage that lasted for a few hours and quickly filled the recursive clients quota (set at 1000) since most internet-bound recursive queries timed out, and our network is huge. This also affected recursive queries to internal authoritative domains, thus interrupti

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
. 2024, at 16:21, Bob McDonald wrote: > > > The host is www.irs.gov. > > A further question. > > DIG sets the DO flag even though the second and third entries in the CNAME > chain are not signed. There's basically no indication that there's really > any issue.

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
Sorry, I get the DO and AD flags confused. I see now that DIG is telling me that somewhere in the chain there is an entry that is not validated. I was doing everything manually. And yes, I saw that DELV runs the chain. Thanks again, Bob -- Visit https://lists.isc.org/mailman/listinfo/bind-user

Re: Question about DNSSEC

2024-11-01 Thread Evan McKinney
ted to reply outside your normal working hours. On 1. 11. 2024, at 16:21, Bob McDonald wrote: The host is www.irs.gov <http://www.irs.gov>. A further question. DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indica

Re: Question about DNSSEC

2024-11-01 Thread Ondřej Surý
<>> DiG 9.20.2 <<>> www.irs.gov. +dnssec;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10;; OPT PSEUDOSECTION:; EDNS: version: 0, flags: do; udp: 1232; C

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
The host is www.irs.gov. A further question. DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indication that there's really any issue. DELV indicates the host as "fully validated" then flags the secon

Re: Question about DNSSEC

2024-10-31 Thread G.W. Haywood
Hi there, On Thu, 31 Oct 2024, Crist Clark wrote: Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) ww

Re: Question about DNSSEC

2024-10-31 Thread Crist Clark
n are > not, does that mean that the entry really isn't DNSSEC protected? > > Correct. Every element of the chain needs to be DNSSEC signed (and > validated as secure) for it to be protected. > > > I can list an example dig for the host in question but I'm relucta

Re: Question about DNSSEC

2024-10-31 Thread Mark Andrews
t. Every element of the chain needs to be DNSSEC signed (and validated as secure) for it to be protected. > I can list an example dig for the host in question but I'm reluctant to do so > as it's a US gov host. > > Please advise. > > Regards, > > Bob > --

Question about DNSSEC

2024-10-31 Thread Bob McDonald
If a host is defined as a CNAME chain where the domain of the host is DNSSEC signed but the domain(S) of the target(s) in the CNAME chain are not, does that mean that the entry really isn't DNSSEC protected? I can list an example dig for the host in question but I'm reluctant to do so

[KASP] Question about pre-publication interval

2024-09-20 Thread adrien sipasseuth
Hello, In KASP policy, how to determine the pre-publication time, I found these parameters : - publish-safety - retire-safety - purge-keys In my understanding, the next key is pre-publish at publish-safety + retire-safety ? Regards

Re: Question about parameter settings query-source-v6 address { none; };

2024-09-05 Thread Ondřej Surý
Hi Klaus, this exact configuration is described in the KB: https://kb.isc.org/v1/docs/en/aa-00206 But my recommendation is actually to use a dual-stack proxy in front of `named -4` and use the PROXYv2 protocol to interact with named. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and y

Question about parameter settings query-source-v6 address { none; };

2024-09-05 Thread Klaus Tachtler via bind-users
Hi, is it possible to set    query-source-v6 address { none; }; I would like to make DNS requests via ipv4 and ipv6 to isc bind (incoming) from my Internal network. However, outgoing requests should only be made via ipv4. This is e.g. necessary in a scenario where a 6in4 tunnel is used for an

Re: Question about "too many records"

2024-08-02 Thread J Doe
On 2024-08-02 04:30, Petr Špaček wrote: On 02. 08. 24 0:52, Tim Daneliuk wrote: On 8/1/24 17:14, John Thurston wrote: After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect:  1. queries for A-r

Re: Question about "too many records"

2024-08-02 Thread Petr Špaček
On 02. 08. 24 0:52, Tim Daneliuk wrote: On 8/1/24 17:14, John Thurston wrote: After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect:  1. queries for A-records for 'foo' will be slower than expe

Re: Question about "too many records"

2024-08-01 Thread Tim Daneliuk
On 8/1/24 17:14, John Thurston wrote: After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect: 1. queries for A-records for 'foo' will be slower than expected 2. all queries for 'foo' will be sl

Re: Question about "too many records"

2024-08-01 Thread John Thurston
After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect: 1. queries for A-records for 'foo' will be slower than expected 2. all queries for 'foo' will be slower than expected 3. every query to the

Re: Question about "too many records"

2024-08-01 Thread James Stegemeyer
J, This issue has been covered by earlier threads, and is mentioned on the BIND 9.18.28 release notes. Starting with BIND 9.18.28 changes were made to mitigate performance impact CVE-2024-1737 BIND database will be slow if a very large number of RRs exist at the same name. If you find you

Question about "too many records"

2024-08-01 Thread J Doe
Hi, I run my own validating recursive resolver with BIND 9.18.28. In the resolver logs I noticed: 01-Aug-2024 10:30:22.294 query-errors: info: client @0xec879280280 127.0.0.1#14435 (bf10x.hubspotemail.net): query failed (too many records) for bf10x.hubspotemail.net/IN/A at

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-26 Thread Michał Kępień
We have just upgraded the "bind-esv" repository from BIND 9.16.50 to BIND 9.18.27, i.e. the same version as in the "bind" repository. We will try to keep everyone informed about further major version upgrades in our package repositories in the coming months. -- Best regards, Michał Kępień

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-18 Thread Ondřej Surý
Actually, now that we are polishing the last bits of 9.20.0 would be a good time to start 9.16->9.18 transition. The current plan is that on next Wednesday (next week), the bind-esv repositories will be bumped from 9.16 to 9.18, the 'bind' repository will stay on 9.18 until 9.20 is released, an

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-18 Thread Michał Kępień
> Have you considered scheduling the change in version published in each COPR > repository so it does /not/ coincide with the release of a new version of > BIND? > > I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I > hit a stumbling block during the last "roll over" event,

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Ondřej Surý
lf of John Thurston Sent: Monday, June 17, 2024 11:19 AM To: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Robert Wagner
1:19 AM To: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition Have you considered sc

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread John Thurston
Have you considered scheduling the change in version published in each COPR repository so it does /not/ coincide with the release of a new version of BIND? I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I hit a stumbling block during the last "roll over" event, and it t

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Michał Kępień
Hi Brian, > We’ve been using the ISC BIND 9 COPR repositories at > https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a > question – is there a planned date to update the “bind-esv” channel to > provide BIND 9.18 rather than BIND 9.16? Since 9.16 is n

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Darren Ankney
y provided before executing `dnf upgrade` in the coming weeks. Thank you, Darren Ankney On Fri, Jun 14, 2024 at 10:58 AM Sebby, Brian A. via bind-users wrote: > > No, I haven’t run BIND on Solaris in years – this question is regarding the > EPEL repos that ISC provides that can be used

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-14 Thread Sebby, Brian A. via bind-users
No, I haven’t run BIND on Solaris in years – this question is regarding the EPEL repos that ISC provides that can be used by CentOS and RHEL. I just mentioned Solaris because there were no binary releases back then, and to thank ISC since it’s a lot easier to install BIND from the EPEL

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-14 Thread Stacey Marshall
On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote: > I spent years having to compile BIND myself on Solaris Curious, Solaris 11.4 provides a recent 9.18 ESV release. Though not the monthly drops that ISC have been providing for a while, is that what you wanted? Mr. Stacey Marshall

Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-13 Thread Sebby, Brian A. via bind-users
We’ve been using the ISC BIND 9 COPR repositories at https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a question – is there a planned date to update the “bind-esv” channel to provide BIND 9.18 rather than BIND 9.16? Since 9.16 is now EOL we’ve switched to using the

Re: Debugging TSIG signed nsupdate problems - Specifically a logging question

2024-05-28 Thread Erik Edwards via bind-users
In the dnssec.log file I only found references to normal key rotation. Adding the section for update_security and running at trace 99 didn't provide _any_  update_security log output, nor did it provide any extra output to the update log. even when running in single combined log format I coul

Re: Debugging TSIG signed nsupdate problems - Specifically a logging question

2024-05-27 Thread Erik Edwards via bind-users
Please allow me to refocus this thread to the original question. I'm asking about the logging facility with respect to the "update" section of code in ISC's bind9 product. Yes, I understand update-policy choices/errors will generate the REFUSED response. _I'm only

Re: Question about resolver

2024-04-28 Thread Mark Andrews
s: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ; COOKIE: 7b100d5f1abe6a330100662eea5988229ff2514536e1 (good) ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 274739 IN NS a.root-servers.net. . 274739 IN NS g.roo

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:45, Josh Kuo wrote: In this particular case, isn't the resolver attempting to do a reverse lookup of the IP address that's listed ? You are right, I missed that this is a reverse-mapping zone. In that case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:28, Mark Andrews wrote: DS records live in the parent zone and the RFC 1034 rules for serving zone break down when a grandparent zone and child zone are served by the same server. This is corrected by the client by looking for intermediate NS records to find the hidden deleg

Re: Question about resolver

2024-04-26 Thread Josh Kuo
> > In this particular case, isn't the resolver attempting to do a reverse > lookup of the IP address that's listed ? > > You are right, I missed that this is a reverse-mapping zone. In that case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and you'll see the problem. Reverse-mapping

Re: Question about resolver

2024-04-26 Thread Mark Andrews
DS records live in the parent zone and the RFC 1034 rules for serving zone break down when a grandparent zone and child zone are served by the same server. This is corrected by the client by looking for intermediate NS records to find the hidden delegations then resuming the DS lookup. Named

Re: Question about resolver

2024-04-26 Thread J Doe
On 2024-04-25 08:55, Josh Kuo wrote: DS = Delegation Signer, it is the record type that a signed child upload to the parent zone. It's difficult to say for sure without more information such as which domain name you are trying to resolve, but looks like it is probably due to a mis-matching DS re

Re: Question about resolver

2024-04-25 Thread Josh Kuo
DS = Delegation Signer, it is the record type that a signed child upload to the parent zone. It's difficult to say for sure without more information such as which domain name you are trying to resolve, but looks like it is probably due to a mis-matching DS record between the child and the parent (s

Question about resolver

2024-04-24 Thread J Doe
Hello, I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I noticed the following: 22-Apr-2024 19:25:59.614 lame-servers: info: chase DS servers resolving '180.96.34.in-addr.arpa/DS/IN': 216.239.34.102#53 What does "chase DS servers" mean ? Thanks, - J

AW: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On behalf of Jan > Schaumann via bind-users > Sent: Tuesday, 26 March 2024 14:44 > To: bind-users@lists.isc.org > Subject: Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records > > Karl Auer

Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Jan Schaumann via bind-users
tps://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html Simplified, the authoritative performs the "CNAME" chain resolution (because it controls the zones in question) and returns the final result so the client doesn't have to

Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Karl Auer
On Tue, 2024-03-26 at 08:00 -0400, Victoria Risk wrote: > We have a knowledgebase article on the topic of ‘alias’ records: > https://kb.isc.org/docs/aa-01640. The article is a bit out of date, > but still basically valid. It is not specific to the implementation > you mention however. Thanks! T

Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Victoria Risk
Karl, We have a knowledgebase article on the topic of ‘alias’ records: https://kb.isc.org/docs/aa-01640. The article is a bit out of date, but still basically valid. It is not specific to the implementation you mention however. Vicky > On Mar 26, 2024, at 7:49 AM, Karl Auer wrote: > > I'm

[OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Karl Auer
I'm puzzled by the ClouDNS "ALIAS" record. I was wondering if anyone knows how it is handled "under the hood"? It seems to be a non-standard extension that some DNS providers support. It seems to work similarly to, but not quite the same way as, a CNAME. Its big advantage over a CNAME is that it c

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
-users@lists.isc.org Sent: Wednesday 17 January 2024 16:00 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi again. Please start a packet capture on the auth server. This should do it: sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53 Then from pc1, please do

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Björn Persson
Michel Diemer via bind-users wrote: > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 This response message has the QR flag, the AA flag and the RD flag turned on. The message contains 1 copy of the query, 0 answers to the query, 1 reference to an authoritative nameserver (pro

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
est various network settings (dynamic dns, fixed ip > address, dhcp provided ip address, ...). > > For this specific question about authoritative server, pc1 has a fixed ip > address. Ubuntu's networkd-resolved local dns caching and stub is disabled, > (Cache=no, DNSStubListe

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
address, ...).  For this specific question about authoritative server, pc1 has a fixed ip address. Ubuntu's networkd-resolved local dns caching and stub is disabled, (Cache=no, DNSStubListener=no). For this specific question, I have only two computers, one authoritative non-recursive dns server and

Re: Question about authoritative server and AA Authoritative Answer

2024-01-16 Thread Mark Andrews
tive answers ? The ones where the answer count was zero (look for "ANSWER: 0,”). > From: "Mark Andrews" > To: pub.dieme...@laposte.net,"bind users" > Sent: Sunday 14 January 2024 23:54 > Subject: Re: Question about authoritative server and AA Authorita

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
e netplan and networkd. > > > Kind Regards, > > Michel Diemer. > > > > From: "Greg Choules" > To: pub.dieme...@laposte.net,bind-users@lists.isc.org > Sent: Sunday 14 January 2024 23:28 > Subject: Re: Question about authoritative server and AA Authoritative

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Michel Diemer via bind-users
hel Diemer. From: "Greg Choules" To: pub.dieme...@laposte.net,bind-users@lists.isc.org Sent: Sunday 14 January 2024 23:28 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi Michel. Please can you send the following information: - name and IP address of the

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Petr Menšík
it answers just A type queries itself, but forwards SOA and NS queries. Cheers, Petr On 14. 01. 24 23:04, Michel Diemer via bind-users wrote: Dear bind users, I have already asked a similar question which was more about DNS in general, this one is very specific about the AA bit. Today

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Mark Andrews
> On 15 Jan 2024, at 09:04, Michel Diemer via bind-users > wrote: > > Dear bind users, > > I have already asked a similar question which was more about DNS in general, > this one is very specific about the AA bit. > > Today's question is : « "dig pc1.

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
org> wrote: > Dear bind users, > > I have already asked a similar question which was more about DNS in > general, this one is very specific about the AA bit. > > Today's question is : *« "dig pc1.reseau1.lan ns"** show AUTHORITY: 1 and > "dig pc1.reseau1.l

Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Michel Diemer via bind-users
Dear bind users, I have already asked a similar question which was more about DNS in general, this one is very specific about the AA bit. Today's question is : « "dig pc1.reseau1.lan ns" show AUTHORITY: 1 and "dig pc1.reseau1.lan" shows AUTHORITY: 0. Which setting

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread G.W. Haywood
Hi there, On Wed, 13 Dec 2023, Greg Choules wrote: If your server can reach the Internet it can recurse all on its own. And for extra information, I recommend you give the '+trace' option to dig. I hope that helps. Ditto. :) -- 73, Ged.

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel. You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config: zone "reseau1.lan" { type master; ... }; If

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Stephane Bortzmeyer
On Wed, Dec 13, 2023 at 05:29:02PM +0100, Michel Diemer via bind-users wrote a message of 1723 lines which said: > another virtual machine that uses the first one as ics dhcp and dns > server. An important thing about DNS: there are two types of DNS servers, very different. Resolvers and auth

Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Michel Diemer via bind-users
  ‌ Dear Bind user,   I am a teacher and trying to understand how dns works. I am spending hours reading various sources without finding satisfying information. For teaching purposes I have created a virtual machine with isc dhcp server and bind9 and another virtual machine that uses the fir

Re: Question on ISC BIND DNS Server

2023-11-22 Thread Turritopsis Dohrnii Teo En Ming
an. > > > >Can I upgrade BIND DNS Server manually? Will it cause problems with > >Virtualmin / Webmin? > > > I think this is question for webmin/virtualmin, but from what I know about > webmin it tends to edit local configuration, so I guess it will edit primary >

Re: Question on ISC BIND DNS Server

2023-11-22 Thread Matus UHLAR - fantomas
think this is question for webmin/virtualmin, but from what I know about webmin it tends to edit local configuration, so I guess it will edit primary zone file. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this

Question on ISC BIND DNS Server

2023-11-22 Thread Turritopsis Dohrnii Teo En Ming
Subject: Question on ISC BIND DNS Server Good day from Singapore, I have Virtualmin / Webmin web hosting server control panel. I have 2 Virtual Private Servers in Germany and 1 Virtual Private Server in Japan. Can I upgrade BIND DNS Server manually? Will it cause problems with Virtualmin

Re: Question about URL being logged by resolver

2023-11-04 Thread Ondřej Surý
It means something in your network sent a query containing the literal URL below. The message is just misleading - the resolver tries to do QNAME minimization on it, it fails, switches to full name which ends with NXDOMAIN from root. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and yo

Re: Question about URL being logged by resolver

2023-11-04 Thread Mark Andrews
People accidentally enter urls as domain names into tools. https://app-measurement.com/sdk-exp/A is a legal, but unusual, domain name consisting of 3 labels 'https://app-measurement’, 'com/sdk-exp/A’ and ‘.’. Mark > On 4 Nov 2023, at 13:29, Nick Tait via bind-users > wrote: > > Hi J. > > I

Re: Question about URL being logged by resolver

2023-11-03 Thread Nick Tait via bind-users
Hi J. I'm not sure what the cause of the URLs is, but I can confirm I'm seeing the same URLs in my own logs. The queries originate from multiple devices on my internal network - all Apple devices I think. My advice: I wouldn't waste too much effort trying to solve this one, as it is almost c

Question about URL being logged by resolver

2023-11-03 Thread J Doe
Hello, On a Bind 9.18.19 server configured as a recursive resolver, I sometimes see URL's being noted in the log files. One such example is: 02-Nov-2023 23:32:19.435 lame-servers: info: success resolving 'https://app-measurement.com/sdk-exp/A' after disabling qname minimization due to 'ncac

Question about Google domain with recursive resolver

2023-11-03 Thread J Doe
Hello, I have a basic recursive resolver configuration with Bind 9.18.19 that acts as the resolver for some VPN roadwarrior clients (a mix of Apple iOS and macOS clients). Periodically I will see the following in my logs: 02-Nov-2023 15:06:27.658 resolver: info: loop detected resolving 'ns1

Re: question about DNSSEC with PKCS11

2023-08-15 Thread Jan-Piet Mens
1. since I use HSM(now is softhsm) to store the DNSSEC key, does it more insecure to convert the key(s) from HSM to .private file with dnssec-keyfromlabel ? keys are not actually 'converted' with this utility; instead the .private file links to the corresponding private (and typically unexportab

Re: question about DNSSEC with PKCS11

2023-08-08 Thread Matthijs Mekking
Hi, The KB article was written before dnssec-policy. Unfortunately, OpenSSL with engine_pkcs11 does not support creating keys. So if you want to use an HSM with dnssec-policy, you will need to create the keys yourself and you can then import them in the key-directory with dnssec-keyfromlabel.

question about DNSSEC with PKCS11

2023-08-04 Thread sun guonian
hi, I have tried the DNSSEC sign testing according to the document, https://kb.isc.org/docs/bind-9-pkcs11 (and section 5.5 of the Bv9ARM of version 9.18.16) I have two questions about it, 1. since I use an HSM (now softhsm) to store the DNSSEC key, is it more insecure to convert the key(s) from HS

Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
On Thu, Jun 08, 2023 at 07:57:12PM +, Evan Hunt wrote: > So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option. > This needs to be reported as a bug to the systemd maintainers. And, maybe > delv should have a +nocookie option. Hmm, on further inspection, I was wrong about this

Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
;; sending packet to 127.0.0.53#53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7870 ;; flags: rd cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ; COOKIE: 8e31ae17213

Question regarding delv and custom local trust anchor

2023-06-08 Thread Josh Kuo
Hello, I am trying to use delv (version 19.8.2 on Ubuntu 0.22.04) to troubleshoot using a custom trust anchor. However, I am getting very strange results from delv. The short of it is, I must point delv at another validating resolver (such as @8.8.8.8) for the custom trust anchors (-a) to work. Fi

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Pirawat WATANAPONGSE via bind-users
Pirawat. > -- Forwarded message -- > From: E R > To: bind-users@lists.isc.org > Cc: > Bcc: > Date: Tue, 17 Jan 2023 17:28:57 -0600 > Subject: DNSSEC With Primary Hidden - Clarifying Question from > Documentation > I am planning on implementing the

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Peter
On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote: ! I am planning on implementing the current version of BIND to replace the ! aging, undocumented authoritative servers I inherited. I want to hide the ! primary server on our internal network and have two secondary servers be ! publicly availabl

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Mark Andrews
> On 18 Jan 2023, at 10:55, Grant Taylor via bind-users > wrote: > > On 1/17/23 4:45 PM, Michael Richardson wrote: >> Many people do exactly that. > > Sorry, I don't see that as an answer to -- my understanding of -- the OP's > question of "Does

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Grant Taylor via bind-users
On 1/17/23 4:45 PM, Michael Richardson wrote: Many people do exactly that. Sorry, I don't see that as an answer to -- my understanding of -- the OP's question of "Does the primary server that handles the DNSSEC duties need to be not hidden / publicly accessible?" Sp

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Michael Richardson
E R wrote: > I am planning on implementing the current version of BIND to replace the > aging, undocumented authoritative servers I inherited. I want to hide the > primary server on our internal network and have two secondary servers be > publicly available. While reading the DN

DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread E R
I am planning on implementing the current version of BIND to replace the aging, undocumented authoritative servers I inherited. I want to hide the primary server on our internal network and have two secondary servers be publicly available. While reading the DNSSEC Guide

Re: General DNS / SPF question

2023-01-09 Thread G.W. Haywood via bind-users
Hi there, On Mon, 9 Jan 2023, Michael Muller wrote: Thanks for responding to my question. Again, if there's a better place to ask this question, I can go there. ... Taking this off list. -- 73, Ged. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this

Re: General DNS / SPF question

2023-01-09 Thread Michael Muller via bind-users
Hi G, Thanks for responding to my question. Again, if there's a better place to ask this question, I can go there. I did not see an SPF list on the community list sign-up page <https://www.isc.org/mailinglists/>. I updated the SPF to include:_spf.google.com instead of includ

Re: General DNS / SPF question

2023-01-08 Thread G.W. Haywood via bind-users
Hi there, On Sun, 8 Jan 2023, Mark Andrews wrote: Please don't hijack an existing thread by replying to an existing message for an unrelated subject. It is bad form. Just create a new message and send it to bind-us...@isc.org. Oh, blast, I missed that, sorry. -- 73, Ged. -- Visit https://l
