Another operational impact of these broken servers, broken DNS64. BIND
wants to verify no records exist for a QNAME before synthesizing
records, but since it can’t get a valid denial of existence, it won’t
return synthesized AAAAs.
On Sat, Jul 5, 2025 at 6:44 AM Bagas Sanjaya wrote:
> On 7
On 7/5/25 19:17, Jeff Sumner wrote:
Apologies for the lack of clarity.
We performed a major F5 upgrade recently – for which we were delegating
some zones from our ISC BIND servers (just Plain Old NS record
delegation) and ever since then, clients using nslookup and host, which
query the BIND
in the sniffer – so the BIND servers are acting correctly – the F5s are
not. We’re working that through.
J
From: Bagas Sanjaya
Date: Saturday, July 5, 2025 at 8:12 AM
To: Jeff Sumner , bind-users@lists.isc.org
Subject: Re: question about resolving of amazoses.com
On 7/5/25 18:55, Jeff
On 7/5/25 18:55, Jeff Sumner wrote:
Doing battle with the exact same problem – from an over-the-weekend F5
upgrade.
So funny this is coming up now. We’re not considering a code upgrade
yet, but users are complaining about the Real ISC-BIND servers returning
SERVFAIL for queries (not subz
“Not considering a code reversion on the F5’s yet” (not upgrade)
J
From: Jeff Sumner
Date: Saturday, July 5, 2025 at 7:55 AM
To: bind-users@lists.isc.org
Subject: Re: question about resolving of amazoses.com
Doing battle with the exact same problem – from an over-the-weekend F5 upgrade
servers.
J
From: bind-users on behalf of Ondřej Surý
Date: Saturday, July 5, 2025 at 12:03 AM
To: Florian Piekert
Cc: bind-users@lists.isc.org
Subject: Re: question about resolving of amazoses.com
Specifically in this case the incorrect chain starts here:
> $ dig IN feedback-smtp
m @ns-265.awsdns-33.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11817
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOS
Hello and many thanks for the quick all-answering response!
Thanks for Greg as well, I leave it to Petr's answer then :-)
On 04.07.2025 at 10:13, Petr Špaček wrote:
On 04. 07. 25 9:56, Florian Piekert via bind-users wrote:
Hello all,
I frequently have this in my logs
May 4 14:29:16 sonne
On 04. 07. 25 9:56, Florian Piekert via bind-users wrote:
Hello all,
I frequently have this in my logs
May 4 14:29:16 sonne named[4035767]: DNS format error from
2600:9000:5303:c800::1#53 resolving feedback-smtp.us-
east-1.amazonses.com/ for 127.0.0.1#44099: Name us-
east-1.amazonses.co
Hi Florian.
Well since you mention it, may we see your BIND configuration? Also "named
-V", please and, if you can, a packet capture (preferably binary pcap, not
just a few lines of tcpdump output) showing what your server is doing at
the time you see these messages in the logs.
Cheers, Greg
On F
Hello all,
I frequently have this in my logs
May 4 14:29:16 sonne named[4035767]: DNS format error from
2600:9000:5303:c800::1#53 resolving feedback-smtp.us-east-1.amazonses.com/
for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone
feedback-smtp.us-east-1.amazons
On 04/06/2025 18:50, Greg Choules wrote:
The help text for delv says you can specify a source using -b, the
same as you can with dig:
Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] [q-class]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [defaul
[#port] (bind to source address/port)
etc...
The rest I don't know, yet.
Hope that helps, Greg
On Wed, 4 Jun 2025 at 07:46, Nick Tait via bind-users <
bind-users@lists.isc.org> wrote:
> Hi Stace.
>
> The transport protocol used to ask the question is (or should be)
> inde
Hi Stace.
The transport protocol used to ask the question is (or should be)
independent of the question being asked. So in this case asking for a
PTR record for an IPv6 address wouldn't change whether IPv4 or IPv6 is
used to make the recursive queries.
I've done a bit more testi
On 03/06/2025 22:06, Petr Špaček wrote:
I've created
https://gitlab.isc.org/isc-projects/bind9/-/issues/5351
so we can improve logging. Your input on what sort of information is
useful would be much appreciated.
Thanks very much for that. I've added a comment. :-)
--
Visit https://lists.isc.or
count = 0; } /^;; sending packet to / { while
($0 != "") { getline; if ($0 == ";; QUESTION SECTION:") { getline; sub(/^;/, ""); print; count++;
if (/\tIN\tA$/) acount++; break; } } } END { print "NUMBER OF QUERIES = " count; print "
On 6/3/25 12:06, Petr Špaček wrote:
On 6/3/25 11:29, Nick Tait wrote:
On 02/06/2025 23:30, Petr Špaček wrote:
In short, with an empty cache, BIND will exceed pre-configured limit
on number of queries it can do. This is protection from various
attacks which misuse DNS to attack itself.
Thanks
On 3 Jun 2025, at 10:29, Nick Tait via bind-users wrote:
> But I also noticed that delv only makes A queries (not AAAA), and even if I
> specify "-6" on the command-line it makes no difference?
Have you tried using an IPv6 address with the -x option?
delv -x :::45.90.5.195 +ns +qmin +maxque
/ { while
($0 != "") { getline; if ($0 == ";; QUESTION SECTION:") { getline; sub(/^;/, ""); print; count++;
if (/\tIN\tA$/) acount++; break; } } } END { print "NUMBER OF QUERIES = " count; print "DOUBLE-COUNTING A QUERIES
TO COMPENSATE FOR MISSING A
On 6/2/25 12:01, Nick Tait via bind-users wrote:
I can reproduce the issue by clearing the BIND cache, and then running the
following DIG command, to attempt a reverse DNS lookup of 45.90.5.195
On 6/2/25 12:54, Carlos Horowicz via bind-users wrote:
The problem seems related to "No zone cut at
d
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 47e896cf6ccfda110100683d80f19d2be46647905c35 (good)
;; QUESTION S
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2467e98a489c44ce0100683d16c87c1c3adbd38053d7 (good)
;; QUESTION SECTION:
;195.5.90.45.in-addr.arpa. IN PTR
;; Query time: 1979 msec
;; SERVER: 2001:db8::3#53(2001:db8::3) (UDP)
;; WHEN: Mon Jun 02 15:13:12 NZST 2025
rsday, January 2, 2025 7:32 AM
*To:* bind-users@lists.isc.org
*Subject:* Question about post-quantum X25519Kyber768
Hi there,
does anyone know of the
-users
Sent: Thursday, January 2, 2025 7:32 AM
To: bind-users@lists.isc.org
Subject: Question about post-quantum X25519Kyber768
Hi there,
does a
Hi there,
does anyone know of the bind developers thinking of incorporating
post-quantum cryptography into bind9 , like Cloudflare with
X25519Kyber768 on BoringSSL ?
I'm just curious about if there are thoughts or ongoing work, or if this
is in the near roadmap at all.
Thank you,
Carlos H
Thank you so much for the detailed explanation!
Wish you all a great weekend.
Kind regards
David Carvalho
-Original Message-
From: Mark Andrews
Sent: 21 November 2024 22:23
To: David Carvalho
Cc: bind-users
Subject: Re: Simple question - trailing "." in zone file
The final
22 Nov 2024, at 04:44, David Carvalho via bind-users
> wrote:
>
> Hi!
> Sorry for this “beginner” question. If I knew this before, then I completely
> forgot.
> I know a “.” inside a zone file can be used to define top level entry. If a
> record entry doesn’t have it, it
On Thu, Nov 21, 2024 at 12:45 PM David Carvalho via bind-users <
bind-users@lists.isc.org> wrote:
> Hi!
>
> Sorry for this “beginner” question. If I knew this before, then I
> completely forgot.
>
> I know a “.” inside a zone file can be used to define top level en
Hi!
Sorry for this "beginner" question. If I knew this before, then I completely
forgot.
I know a "." inside a zone file can be used to define top level entry. If a
record entry doesn't have it, it gets itself along with the domain name.
Today I was comparing my master
> On 19. 11. 2024, at 1:42, Jean-François Bachelet wrote:
>
[…]
> I am just curious, as the correct config for the secondary DNS, as if the
> main one is down and the secondary have not the complete config itself how
> can it take on the job of the primary one for the time of its repair ?
Tha
Regards,
Jeff
On 18/11/2024 at 20:06, Ondřej Surý wrote:
I think the good starting point is exactly the question that Marco asked
- we have no idea what Jean-François is trying to achieve.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Ple
I think the good starting point is exactly the question that Marco asked - we
have no idea what Jean-François is trying to achieve.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working
Hi Jeff.
This is a good starting point for setting up primary and secondary servers:
https://bind9.readthedocs.io/en/stable/chapter3.html#authoritative-name-servers
Nick.
> On 19 Nov 2024, at 7:44 AM, Marco Moock wrote:
> On Mon, 18 Nov 2024 19:03:55 +0100,
> Jean-François Bachelet wrote:
>
see RFC 2182 for info on secondary dns servers
https://www.rfc-editor.org/rfc/rfc2182
e.g. not so good to have them on the same subnet
Scott
> On Nov 18, 2024, at 1:03 PM, Jean-François Bachelet
> wrote:
>
> Hello folks :)
>
> just to be sure, in case we have two (internals) dns servers on t
On Mon, 18 Nov 2024 19:03:55 +0100,
Jean-François Bachelet wrote:
> just to be sure, in case we have two (internals) dns servers on the
> same network (for the case of one is unavailable), if I understand
> well the docs, the two servers should have the exact same
> configurations, apart that
Hello folks :)
just to be sure, in case we have two (internals) dns servers on the same
network (for the case of one is unavailable), if I understand well the
docs, the two servers should have the exact same configurations, apart
that the secondary is stated as 'secondary' and the first 'mas
On 08/11/2024 11.20, Pedro García Segura wrote:
I'm having a hard time understanding the default recursive max quota being set
at 100 by default, since most modern servers now have RAM to spare, and it's a
bit scary to think that another Internet outage may happen again and internal
critical s
Hi Greg,
Thanks so much, your last paragraph makes sense.
I guess what I would expect, and excuse me if this reasoning is flawed, is
that BIND could use different queues/priorities for external/internal
domains. E.g. if after parsing the necessary query fields I see that I'm
authoritative for the
Hello Pedro.
Firstly, which version of BIND are you running?
Generally, though, increasing `recursive-clients` on a box with a decent amount
of power and RAM is not an issue: 50k, or even bigger, should be fine. But
please test it first. We have discussed raising the default but we’re not quite
Hello,
Recently we had an Internet outage that lasted for a few hours and quickly
filled the recursive clients quota (set at 1000) since most internet-bound
recursive queries timed out, and our network is huge.
This also affected recursive queries to internal authoritative domains,
thus interrupti
. 2024, at 16:21, Bob McDonald wrote:
>
>
> The host is www.irs.gov.
>
> A further question.
>
> DIG sets the DO flag even though the second and third entries in the CNAME
> chain are not signed. There's basically no indication that there's really
> any issue.
Sorry, I get the DO and AD flags confused. I see now that DIG is telling me
that somewhere in the chain there is an entry that is not validated. I was
doing everything manually. And yes, I saw that DELV runs the chain.
Thanks again,
Bob
ted to reply outside your normal working hours.
On 1. 11. 2024, at 16:21, Bob McDonald wrote:
The host is www.irs.gov.
A further question.
DIG sets the DO flag even though the second and third entries in the CNAME
chain are not signed. There's basically no indica
<>> DiG 9.20.2 <<>> www.irs.gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; C
The host is www.irs.gov.
A further question.
DIG sets the DO flag even though the second and third entries in the CNAME
chain are not signed. There's basically no indication that there's really
any issue.
DELV indicates the host as "fully validated" then flags the secon
Hi there,
On Thu, 31 Oct 2024, Crist Clark wrote:
Name names. DNS is out there in public.
There are a LOT of US .gov sites where the .gov is all signed, but it ends
up in $BIGCLOUDPROVIDER that is not.
www.gsa.gov
www.state.gov
www.house.gov
www.senate.gov
www.cia.gov
www.cisa.gov (*ehem*)
ww
n are
> not, does that mean that the entry really isn't DNSSEC protected?
>
> Correct. Every element of the chain needs to be DNSSEC signed (and
> validated as secure) for it to be protected.
>
> > I can list an example dig for the host in question but I'm relucta
t. Every element of the chain needs to be DNSSEC signed (and validated
as secure) for it to be protected.
> I can list an example dig for the host in question but I'm reluctant to do so
> as it's a US gov host.
>
> Please advise.
>
> Regards,
>
> Bob
> --
If a host is defined as a CNAME chain where the domain of the host is
DNSSEC signed but the domain(S) of the target(s) in the CNAME chain are
not, does that mean that the entry really isn't DNSSEC protected?
I can list an example dig for the host in question but I'm reluctant to do
so
Hello,
In KASP policy, how to determine the pre-publication time? I found these
parameters:
- publish-safety
- retire-safety
- purge-keys
In my understanding, the next key is pre-published at publish-safety +
retire-safety?
Regards
Hi Klaus,
this exact configuration is described in the KB:
https://kb.isc.org/v1/docs/en/aa-00206
But my recommendation is actually to use a dual-stack proxy in front of `named
-4` and use the PROXYv2 protocol to interact with named.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and y
Hi,
is it possible to set
query-source-v6 address { none; };
I would like to make DNS requests via ipv4 and ipv6 to isc bind (incoming) from
my Internal network.
However, outgoing requests should only be made via ipv4.
This is e.g. necessary in a scenario where a 6in4 tunnel is used for an
On 2024-08-02 04:30, Petr Špaček wrote:
On 02. 08. 24 0:52, Tim Daneliuk wrote:
On 8/1/24 17:14, John Thurston wrote:
After reading the CVE description, it isn't clear to me how the
degraded performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-r
On 02. 08. 24 0:52, Tim Daneliuk wrote:
On 8/1/24 17:14, John Thurston wrote:
After reading the CVE description, it isn't clear to me how the
degraded performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-records for 'foo' will be slower than expe
On 8/1/24 17:14, John Thurston wrote:
After reading the CVE description, it isn't clear to me how the degraded
performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-records for 'foo' will be slower than expected
2. all queries for 'foo' will be sl
After reading the CVE description, it isn't clear to me how the degraded
performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-records for 'foo' will be slower than expected
2. all queries for 'foo' will be slower than expected
3. every query to the
J,
This issue has been covered by earlier threads, and is mentioned on the
BIND 9.18.28 release notes.
Starting with BIND 9.18.28 changes were made to mitigate performance
impact CVE-2024-1737 BIND database will be slow if a very large
number of RRs exist at the same name.
If you find you
Hi,
I run my own validating recursive resolver with BIND 9.18.28.
In the resolver logs I noticed:
01-Aug-2024 10:30:22.294 query-errors: info: client @0xec879280280
127.0.0.1#14435 (bf10x.hubspotemail.net): query failed (too many
records) for bf10x.hubspotemail.net/IN/A at
We have just upgraded the "bind-esv" repository from BIND 9.16.50 to
BIND 9.18.27, i.e. the same version as in the "bind" repository.
We will try to keep everyone informed about further major version
upgrades in our package repositories in the coming months.
--
Best regards,
Michał Kępień
Actually, now that we are polishing the last bits of 9.20.0 would be a good
time to start
9.16->9.18 transition.
The current plan is that on next Wednesday (next week), the bind-esv
repositories will
be bumped from 9.16 to 9.18, the 'bind' repository will stay on 9.18 until 9.20
is released,
an
> Have you considered scheduling the change in version published in each COPR
> repository so it does /not/ coincide with the release of a new version of
> BIND?
>
> I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I
> hit a stumbling block during the last "roll over" event,
lf of John Thurston
Sent: Monday, June 17, 2024 11:19 AM
To: bind-users@lists.isc.org
Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition
1:19 AM
To: bind-users@lists.isc.org
Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV
transition
Have you considered sc
Have you considered scheduling the change in version published in each
COPR repository so it does /not/ coincide with the release of a new
version of BIND?
I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND.
I hit a stumbling block during the last "roll over" event, and it t
Hi Brian,
> We’ve been using the ISC BIND 9 COPR repositories at
> https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a
> question – is there a planned date to update the “bind-esv” channel to
> provide BIND 9.18 rather than BIND 9.16? Since 9.16 is n
y
provided before executing `dnf upgrade` in the coming weeks.
Thank you,
Darren Ankney
On Fri, Jun 14, 2024 at 10:58 AM Sebby, Brian A. via bind-users
wrote:
>
> No, I haven’t run BIND on Solaris in years – this question is regarding the
> EPEL repos that ISC provides that can be used
No, I haven’t run BIND on Solaris in years – this question is regarding the
EPEL repos that ISC provides that can be used by CentOS and RHEL. I just
mentioned Solaris because there were no binary releases back then, and to thank
ISC since it’s a lot easier to install BIND from the EPEL
On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote:
> I spent years having to compile BIND myself on Solaris
Curious, Solaris 11.4 provides a recent 9.18 ESV release.
Though not the monthly drops that ISC have been providing for a while,
is that what you wanted?
Mr. Stacey Marshall
We’ve been using the ISC BIND 9 COPR repositories at
https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a
question – is there a planned date to update the “bind-esv” channel to provide
BIND 9.18 rather than BIND 9.16? Since 9.16 is now EOL we’ve switched to using
the
In the dnssec.log file I only found references to normal key rotation.
Adding the section for update_security and running at trace 99 didn't
provide _any_ update_security log output, nor did it provide any extra
output to the update log.
even when running in single combined log format I coul
Please allow me to refocus this thread to the original question.
I'm asking about the logging facility with respect to the "update"
section of code in ISC's bind9 product.
Yes, I understand update-policy choices/errors will generate the REFUSED
response.
_I'm only
s: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 7b100d5f1abe6a330100662eea5988229ff2514536e1 (good)
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 274739 IN NS a.root-servers.net.
. 274739 IN NS g.roo
On 2024-04-26 16:45, Josh Kuo wrote:
In this particular case, isn't the resolver attempting to do a reverse
lookup of the IP address that's listed ?
You are right, I missed that this is a reverse-mapping zone. In that
case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and
On 2024-04-26 16:28, Mark Andrews wrote:
DS records live in the parent zone and the RFC 1034 rules for serving zone
break down when a grandparent zone and child zone are served by the same
server. This is corrected by the client by looking for intermediate NS records
to find the hidden deleg
>
> In this particular case, isn't the resolver attempting to do a reverse
> lookup of the IP address that's listed ?
>
>
You are right, I missed that this is a reverse-mapping zone. In that case,
run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and you'll see
the problem. Reverse-mapping
DS records live in the parent zone and the RFC 1034 rules for serving zone
break down when a grandparent zone and child zone are served by the same
server. This is corrected by the client by looking for intermediate NS records
to find the hidden delegations then resuming the DS lookup.
Named
On 2024-04-25 08:55, Josh Kuo wrote:
DS = Delegation Signer, it is the record type that a signed child uploads
to the parent zone. It's difficult to say for sure without more
information such as which domain name you are trying to resolve, but
looks like it is probably due to a mis-matching DS re
DS = Delegation Signer, it is the record type that a signed child uploads to
the parent zone. It's difficult to say for sure without more information
such as which domain name you are trying to resolve, but looks like it is
probably due to a mis-matching DS record between the child and the parent
(s
Hello,
I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I
noticed the following:
22-Apr-2024 19:25:59.614 lame-servers: info: chase DS servers
resolving '180.96.34.in-addr.arpa/DS/IN': 216.239.34.102#53
What does "chase DS servers" mean ?
Thanks,
- J
> -Original Message-
> From: bind-users On Behalf Of Jan
> Schaumann via bind-users
> Sent: Tuesday, 26 March 2024 14:44
> To: bind-users@lists.isc.org
> Subject: Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records
>
> Karl Auer
tps://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
Simplified, the authoritative performs the "CNAME"
chain resolution (because it controls the zones in
question) and returns the final result so the client
doesn't have to
On Tue, 2024-03-26 at 08:00 -0400, Victoria Risk wrote:
> We have a knowledgebase article on the topic of ‘alias’ records:
> https://kb.isc.org/docs/aa-01640. The article is a bit out of date,
> but still basically valid. It is not specific to the implementation
> you mention however.
Thanks! T
Karl,
We have a knowledgebase article on the topic of ‘alias’ records:
https://kb.isc.org/docs/aa-01640. The article is a bit out of date, but still
basically valid. It is not specific to the implementation you mention however.
Vicky
> On Mar 26, 2024, at 7:49 AM, Karl Auer wrote:
>
> I'm
I'm puzzled by the ClouDNS "ALIAS" record. I was wondering if anyone
knows how it is handled "under the hood"?
It seems to be a non-standard extension that some DNS providers
support. It seems to work similarly to, but not quite the same way as,
a CNAME. Its big advantage over a CNAME is that it c
-users@lists.isc.org
Sent: Wednesday, 17 January 2024 16:00
Subject: Re: Question about authoritative server and AA Authoritative Answer
Hi again.
Please start a packet capture on the auth server. This should do it:
sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53
Then from pc1, please do
Michel Diemer via bind-users wrote:
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
This response message has the QR flag, the AA flag and the RD flag
turned on. The message contains 1 copy of the query, 0 answers to the
query, 1 reference to an authoritative nameserver (pro
est various network settings (dynamic dns, fixed ip
> address, dhcp provided ip address, ...).
>
> For this specific question about authoritative server, pc1 has a fixed ip
> address. Ubuntu's networkd-resolved local dns caching and stub is disabled,
> (Cache=no, DNSStubListe
address, ...).
For this specific question about authoritative server, pc1 has a fixed ip
address. Ubuntu's networkd-resolved local dns caching and stub is disabled,
(Cache=no, DNSStubListener=no). For this specific question, I have only two
computers, one authoritative non-recursive dns server and
tive answers ?
The ones where the answer count was zero (look for "ANSWER: 0,”).
> From: "Mark Andrews"
> To: pub.dieme...@laposte.net,"bind users"
> Sent: Sunday, 14 January 2024 23:54
> Subject: Re: Question about authoritative server and AA Authorita
e netplan and networkd.
>
>
> Kind Regards,
>
> Michel Diemer.
>
>
>
> From: "Greg Choules"
> To: pub.dieme...@laposte.net,bind-users@lists.isc.org
> Sent: Sunday, 14 January 2024 23:28
> Subject: Re: Question about authoritative server and AA Authoritative
hel Diemer.
From: "Greg Choules"
To: pub.dieme...@laposte.net,bind-users@lists.isc.org
Sent: Sunday, 14 January 2024 23:28
Subject: Re: Question about authoritative server and AA Authoritative Answer
Hi Michel.
Please can you send the following information:
- name and IP address of the
it answers
just A type queries itself, but forwards SOA and NS queries.
Cheers,
Petr
On 14. 01. 24 23:04, Michel Diemer via bind-users wrote:
Dear bind users,
I have already asked a similar question which was more about DNS in
general , this one is very specific about the AA bit.
Today
> On 15 Jan 2024, at 09:04, Michel Diemer via bind-users
> wrote:
>
> Dear bind users,
>
> I have already asked a similar question which was more about DNS in general ,
> this one is very specific about the AA bit.
>
> Today's question is : « "dig pc1.
org> wrote:
> Dear bind users,
>
> I have already asked a similar question which was more about DNS in
> general , this one is very specific about the AA bit.
>
> Today's question is : *« "dig pc1.reseau1.lan ns"** show AUTHORITY: 1 and
> "dig pc1.reseau1.l
Dear bind users,
I have already asked a similar question which was more about DNS in general ,
this one is very specific about the AA bit.
Today's question is : « "dig pc1.reseau1.lan ns" show AUTHORITY: 1 and "dig
pc1.reseau1.lan" shows AUTHORITY: 0. Which setting
Hi there,
On Wed, 13 Dec 2023, Greg Choules wrote:
If your server can reach the Internet it can recurse all on its own.
And for extra information, I recommend you give the '+trace' option to dig.
I hope that helps.
Ditto. :)
--
73,
Ged.
Hi Michel.
You will get an authoritative answer (AA bit = 1) if the server is either
primary (master) or secondary (slave) for the QNAME (query name); in this
case "reseau1.lan". From the config snip you provided this is because you
have the config:
zone "reseau1.lan" {
type master;
...
};
If
On Wed, Dec 13, 2023 at 05:29:02PM +0100,
Michel Diemer via bind-users wrote
a message of 1723 lines which said:
> another virtual machine that uses the first one as isc dhcp and dns
> server.
An important thing about DNS: there are two types of DNS servers, very
different. Resolvers and auth
Dear Bind user,
I am a teacher and trying to understand how dns works. I am spending hours
reading various sources without finding satisfying information. For teaching
purposes I have created a virtual machine with isc dhcp server and bind9 and
another virtual machine that uses the fir
an.
> >
> >Can I upgrade BIND DNS Server manually? Will it cause problems with
> >Virtualmin / Webmin?
>
>
> I think this is question for webmin/virtualmin, but from what I know about
> webmin it tends to edit local configuration, so I guess it will edit primary
>