Re: Question about post-quantum X25519Kyber768

2025-01-02 Thread Carlos Horowicz via bind-users
Yes, when any changes concerning DS records would drag willing of support by registries, it sounds reasonable that there should be an RFC for it. Thanks, Carlos On 02/01/2025 13:45, Robert Wagner wrote: From my poke a few months back - stuff like PQC and NSA's Commercial Solutions for C

Re: Question about post-quantum X25519Kyber768

2025-01-02 Thread Robert Wagner
From my poke a few months back - stuff like PQC and NSA's Commercial Solutions for Classified settings need to go through the RFC process. Since both the DNS server and DNS client need to be on the same page as to which cipher suites they agree on. Around 10/16: Robert, if you'd like to p

Re: Question about recursive client max quota

2024-11-08 Thread Nicki Křížek
On 08/11/2024 11.20, Pedro García Segura wrote: I'm having a hard time understanding the default recursive max quota being set at 100 by default, since most modern servers now have RAM to spare, and it's a bit scary to think that another Internet outage may happen again and internal critical s

Re: Question about recursive client max quota

2024-11-08 Thread Pedro García Segura
Hi Greg, Thanks so much, your last paragraph makes sense. I guess what I would expect, and excuse me if this reasoning is flawed, is that BIND could use different queues/priorities for external/internal domains. E.g. if after parsing the necessary query fields I see that I'm authoritative for the

Re: Question about recursive client max quota

2024-11-08 Thread Greg Choules
Hello Pedro. Firstly, which version of BIND are you running? Generally, though, increasing `recursive-clients` on a box with a decent amount of power and RAM is not an issue: 50k, or even bigger, should be fine. But please test it first. We have discussed raising the default but we’re not quite

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
Thanks guys! As usual, you've taught me an invaluable lesson. Regards, Bob On Fri, Nov 1, 2024 at 11:42 AM Evan McKinney wrote: > Even with a CNAME record, the delv command will validate each step of the resolution. You can use the +vtrace option to see each validation and +mtrace to see

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
Sorry, I get the DO and AD flags confused. I see now that DIG is telling me that somewhere in the chain there is an entry that is not validated. I was doing everything manually. And yes, I saw that DELV runs the chain. Thanks again, Bob

Re: Question about DNSSEC

2024-11-01 Thread Evan McKinney
Even with a CNAME record, the delv command will validate each step of the resolution. You can use the +vtrace option to see each validation and +mtrace to see each individual message. -Evan Get BlueMail for Desktop Ondřej Surý wrote: DO flag is indication to “do DNSSEC”, it

Re: Question about DNSSEC

2024-11-01 Thread Ondřej Surý
DO flag is indication to “do DNSSEC”, it has no other meaning. You should be looking for AD flag. As for delv output - it prints out which names are validated and those that are not. I don’t see anything wrong here. -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different.

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
The host is www.irs.gov. A further question. DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indication that there's really any issue. DELV indicates the host as "fully validated" then flags the second entry in the CNAME chain

Re: Question about DNSSEC

2024-10-31 Thread G.W. Haywood
Hi there, On Thu, 31 Oct 2024, Crist Clark wrote: Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) ww

Re: Question about DNSSEC

2024-10-31 Thread Crist Clark
Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) www.get.gov (not even .gov is signed?!) Same thing for

Re: Question about DNSSEC

2024-10-31 Thread Mark Andrews
> On 1 Nov 2024, at 09:15, Bob McDonald wrote: > If a host is defined as a CNAME chain where the domain of the host is DNSSEC signed but the domain(S) of the target(s) in the CNAME chain are not, does that mean that the entry really isn't DNSSEC protected? Correct. Every element of t

Re: Question about parameter settings query-source-v6 address { none; };

2024-09-05 Thread Ondřej Surý
Hi Klaus, this exact configuration is described in the KB: https://kb.isc.org/v1/docs/en/aa-00206 But my recommendation is actually to use a dual-stack proxy in front of `named -4` and use the PROXYv2 protocol to interact with named. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and y

Re: Question about "too many records"

2024-08-02 Thread J Doe
On 2024-08-02 04:30, Petr Špaček wrote: On 02. 08. 24 0:52, Tim Daneliuk wrote: On 8/1/24 17:14, John Thurston wrote: After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect: 1. queries for A-r

Re: Question about "too many records"

2024-08-02 Thread Petr Špaček
On 02. 08. 24 0:52, Tim Daneliuk wrote: On 8/1/24 17:14, John Thurston wrote: After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect: 1. queries for A-records for 'foo' will be slower than expe

Re: Question about "too many records"

2024-08-01 Thread Tim Daneliuk
On 8/1/24 17:14, John Thurston wrote: After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect: 1. queries for A-records for 'foo' will be slower than expected 2. all queries for 'foo' will be sl

Re: Question about "too many records"

2024-08-01 Thread John Thurston
After reading the CVE description, it isn't clear to me how the degraded performance is manifest. If 300 A-records exist for the name 'foo', do we expect: 1. queries for A-records for 'foo' will be slower than expected 2. all queries for 'foo' will be slower than expected 3. every query to the

Re: Question about "too many records"

2024-08-01 Thread James Stegemeyer
J, This issue has been covered by earlier threads, and is mentioned on the BIND 9.18.28 release notes. Starting with BIND 9.18.28 changes were made to mitigate performance impact CVE-2024-1737 BIND database will be slow if a very large number of RRs exist at the same name. If you find you

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-26 Thread Michał Kępień
We have just upgraded the "bind-esv" repository from BIND 9.16.50 to BIND 9.18.27, i.e. the same version as in the "bind" repository. We will try to keep everyone informed about further major version upgrades in our package repositories in the coming months. -- Best regards, Michał Kępień

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-18 Thread Ondřej Surý
Actually, now that we are polishing the last bits of 9.20.0 would be a good time to start 9.16->9.18 transition. The current plan is that on next Wednesday (next week), the bind-esv repositories will be bumped from 9.16 to 9.18, the 'bind' repository will stay on 9.18 until 9.20 is released, an

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-18 Thread Michał Kępień
> Have you considered scheduling the change in version published in each COPR repository so it does /not/ coincide with the release of a new version of BIND? > I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I hit a stumbling block during the last "roll over" event,

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Ondřej Surý
lf of John Thurston Sent: Monday, June 17, 2024 11:19 AM To: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Robert Wagner
1:19 AM To: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition Have you considered sc

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread John Thurston
Have you considered scheduling the change in version published in each COPR repository so it does /not/ coincide with the release of a new version of BIND? I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I hit a stumbling block during the last "roll over" event, and it t

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Michał Kępień
Hi Brian, > We’ve been using the ISC BIND 9 COPR repositories at https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a question – is there a planned date to update the “bind-esv” channel to provide BIND 9.18 rather than BIND 9.16? Since 9.16 is now EOL we’ve sw

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Darren Ankney
m: Stacey Marshall > Date: Friday, June 14, 2024 at 4:09 AM > To: Sebby, Brian A. > Cc: bind-users@lists.isc.org > Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition > On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote: >

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-14 Thread Sebby, Brian A. via bind-users
1.4305| Argonne National Laboratory From: Stacey Marshall Date: Friday, June 14, 2024 at 4:09 AM To: Sebby, Brian A. Cc: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote:

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-14 Thread Stacey Marshall
On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote: > I spent years having to compile BIND myself on Solaris Curious, Solaris 11.4 provides a recent 9.18 ESV release. Though not the monthly drops that ISC have been providing for a while, is that what you wanted? Mr. Stacey Marshall

Re: Question about resolver

2024-04-28 Thread Mark Andrews
This looks like Google has forgotten to create the zone 96.34.in-addr.arpa but have created 180.96.34.in-addr.arpa resulting in answers that should come from 96.34.in-addr.arpa getting REFUSED returned. DNSSEC validation and QNAME minimisation find these sorts of configuration errors. Intermed

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:45, Josh Kuo wrote: In this particular case, isn't the resolver attempting to do a reverse lookup of the IP address that's listed ? You are right, I missed that this is a reverse-mapping zone. In that case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:28, Mark Andrews wrote: DS records live in the parent zone and the RFC 1034 rules for serving zone break down when a grandparent zone and child zone are served by the same server. This is corrected by the client by looking for intermediate NS records to find the hidden deleg

Re: Question about resolver

2024-04-26 Thread Josh Kuo
> In this particular case, isn't the resolver attempting to do a reverse lookup of the IP address that's listed? You are right, I missed that this is a reverse-mapping zone. In that case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and you'll see the problem. Reverse-mapping

Re: Question about resolver

2024-04-26 Thread Mark Andrews
DS records live in the parent zone and the RFC 1034 rules for serving zone break down when a grandparent zone and child zone are served by the same server. This is corrected by the client by looking for intermediate NS records to find the hidden delegations then resuming the DS lookup. Named

Re: Question about resolver

2024-04-26 Thread J Doe
On 2024-04-25 08:55, Josh Kuo wrote: DS = Delegation Signer, it is the record type that a signed child uploads to the parent zone. It's difficult to say for sure without more information such as which domain name you are trying to resolve, but looks like it is probably due to a mis-matching DS re

Re: Question about resolver

2024-04-25 Thread Josh Kuo
DS = Delegation Signer, it is the record type that a signed child uploads to the parent zone. It's difficult to say for sure without more information such as which domain name you are trying to resolve, but looks like it is probably due to a mis-matching DS record between the child and the parent (s

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
-users@lists.isc.org Sent: Wednesday 17 January 2024 16:00 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi again. Please start a packet capture on the auth server. This should do it: sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53 Then from pc1, please do

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Björn Persson
Michel Diemer via bind-users wrote: > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 This response message has the QR flag, the AA flag and the RD flag turned on. The message contains 1 copy of the query, 0 answers to the query, 1 reference to an authoritative nameserver (pro

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
ROR, id: 57670 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > *Why AUTHORITY: 0 and not AUTHORITY: 1 ???* > From: "Greg Choules" > To: pub.dieme...@laposte.net,bind-users@lists.isc.org > Sent: Monday 15 January 2024 18:27 > Subject: Re: Q

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
poste.net,bind-users@lists.isc.org Sent: Monday 15 January 2024 18:27 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi again and thanks for that. I'm still not exactly clear on the setup. I think the auth server is 172.16.0.254 (I don't know what pc1 is)

Re: Question about authoritative server and AA Authoritative Answer

2024-01-16 Thread Mark Andrews
tive answers? The ones where the answer count was zero (look for "ANSWER: 0,”). > From: "Mark Andrews" > To: pub.dieme...@laposte.net,"bind users" > Sent: Sunday 14 January 2024 23:54 > Subject: Re: Question about authoritative server and AA Authorita

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
e netplan and networkd. > Kind Regards, > Michel Diemer. > From: "Greg Choules" > To: pub.dieme...@laposte.net,bind-users@lists.isc.org > Sent: Sunday 14 January 2024 23:28 > Subject: Re: Question about authoritative server and AA Authoritative

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Michel Diemer via bind-users
hel Diemer. From: "Greg Choules" To: pub.dieme...@laposte.net,bind-users@lists.isc.org Sent: Sunday 14 January 2024 23:28 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi Michel. Please can you send the following information: - name and IP address of the

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Petr Menšík
Please use home.arpa, as defined by RFC 8375. Or better use an existing and registered domain of yours or your organization. What kind of resolver is running on the DNS server? Which version? I would guess dnsmasq or similar. That is willing and able to forward just queries of selected types, while ans

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Mark Andrews
> On 15 Jan 2024, at 09:04, Michel Diemer via bind-users wrote: > Dear bind users, > I have already asked a similar question which was more about DNS in general, this one is very specific about the AA bit. > Today's question is: « "dig pc1.reseau1.lan ns" show AUTHORITY: 1 and

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
Hi Michel. Please can you send the following information: - name and IP address of the authoritative server - the full contents of the zone file for "reseau1.lan" - name and IP address of the other server - what does this server do? - What is the machine "pc1", on which you are running the digs? -

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread G.W. Haywood
Hi there, On Wed, 13 Dec 2023, Greg Choules wrote: If your server can reach the Internet it can recurse all on its own. And for extra information, I recommend you give the '+trace' option to dig. I hope that helps. Ditto. :) -- 73, Ged.

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel. You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config: zone "reseau1.lan" { type master; ... }; If

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Stephane Bortzmeyer
On Wed, Dec 13, 2023 at 05:29:02PM +0100, Michel Diemer via bind-users wrote a message of 1723 lines which said: > another virtual machine that uses the first one as ics dhcp and dns > server. An important thing about DNS: there are two types of DNS servers, very different. Resolvers and auth

Re: Question on ISC BIND DNS Server

2023-11-22 Thread Turritopsis Dohrnii Teo En Ming
On Thu, 23 Nov 2023 at 00:07, Matus UHLAR - fantomas wrote: > On 22.11.23 23:44, Turritopsis Dohrnii Teo En Ming wrote: > > I have Virtualmin / Webmin web hosting server control panel. I have 2 Virtual Private Servers in Germany and 1 Virtual Private Server in Japan. > > Can I upgrade BI

Re: Question on ISC BIND DNS Server

2023-11-22 Thread Matus UHLAR - fantomas
On 22.11.23 23:44, Turritopsis Dohrnii Teo En Ming wrote: I have Virtualmin / Webmin web hosting server control panel. I have 2 Virtual Private Servers in Germany and 1 Virtual Private Server in Japan. Can I upgrade BIND DNS Server manually? Will it cause problems with Virtualmin / Webmin? I

Re: Question about URL being logged by resolver

2023-11-04 Thread Ondřej Surý
It means something in your network sent a query containing the literal URL below. The message is just misleading - the resolver tries to do QNAME minimization on it, it fails, switches to full name which ends with NXDOMAIN from root. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and yo

Re: Question about URL being logged by resolver

2023-11-04 Thread Mark Andrews
People accidentally enter urls as domain names into tools. https://app-measurement.com/sdk-exp/A is a legal, but unusual, domain name consisting of 3 labels 'https://app-measurement’, 'com/sdk-exp/A’ and ‘.’. Mark > On 4 Nov 2023, at 13:29, Nick Tait via bind-users > wrote: > > Hi J. > > I

Re: Question about URL being logged by resolver

2023-11-03 Thread Nick Tait via bind-users
Hi J. I'm not sure what the cause of the URLs is, but I can confirm I'm seeing the same URLs in my own logs. The queries originate from multiple devices on my internal network - all Apple devices I think. My advice: I wouldn't waste too much effort trying to solve this one, as it is almost c

Re: question about DNSSEC with PKCS11

2023-08-15 Thread Jan-Piet Mens
1. since I use HSM (now is softhsm) to store the DNSSEC key, is it more insecure to convert the key(s) from HSM to .private file with dnssec-keyfromlabel? keys are not actually 'converted' with this utility; instead the .private file links to the corresponding private (and typically unexportab

Re: question about DNSSEC with PKCS11

2023-08-08 Thread Matthijs Mekking
Hi, The KB article was written before dnssec-policy. Unfortunately, OpenSSL with engine_pkcs11 does not support creating keys. So if you want to use an HSM with dnssec-policy, you will need to create the keys yourself and you can then import them in the key-directory with dnssec-keyfromlabel.

Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
On Thu, Jun 08, 2023 at 07:57:12PM +, Evan Hunt wrote: > So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option. This needs to be reported as a bug to the systemd maintainers. And, maybe delv should have a +nocookie option. Hmm, on further inspection, I was wrong about this

Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
On Thu, Jun 08, 2023 at 09:54:15AM -0400, Josh Kuo wrote: > *$ delv -a right.key www.example.com . A* ;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53 ;; resolution failed: broken trust chain The address 127.0.0.53 was the clue I needed to figure thi

Re: Question About Internal Recursive Resolvers

2022-10-19 Thread Matus UHLAR - fantomas
On 18.10.22 09:23, Bob McDonald wrote: There are no outside clients. In this example, I'm only discussing inside clients on inside DNS. The recursive resolvers that ALL inside clients connect to will seek responses from the DNS root servers AFTER determining that the response can not be determine

Re: Question About Internal Recursive Resolvers

2022-10-18 Thread Bob McDonald
Let's not overthink this. I fear that I've activated a lot of creative circuitry in individuals and provided flimsy details around my example. There are no outside clients. In this example, I'm only discussing inside clients on inside DNS. The recursive resolvers that ALL inside clients connect to

Re: Question About Internal Recursive Resolvers

2022-10-18 Thread Petr Špaček
On 14. 10. 22 18:08, Bob McDonald wrote: I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. That said, all clients would connect to recursive resolvers. The question is this; do I use an internal root with

Re: Question About Internal Recursive Resolvers

2022-10-17 Thread Matus UHLAR - fantomas
On 15.10.22 16:03, Bob McDonald wrote: OK, if a known client accesses DNS on the internal network, that client is pointed at a recursive resolver (e.g by DHCP). That resolver either provides access to the internal DNS zones (e.g. via stub zones) or sends the client query to the root servers on th

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 1:51 PM, Greg Choules via bind-users wrote: Hi Grant. Hi Greg, I'm quickly replying to your message. I'll reply to Matus & Fred later when I have more time for a proper reply. My understanding is this, which is almost identical to what I did in a former life: client ---recur

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Bob McDonald
OK, if a known client accesses DNS on the internal network, that client is pointed at a recursive resolver (e.g by DHCP). That resolver either provides access to the internal DNS zones (e.g. via stub zones) or sends the client query to the root servers on the internet. An unknown client (e.g. guest

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Greg Choules via bind-users
Hi Grant. My understanding is this, which is almost identical to what I did in a former life: client ---recursive_query---> recursive_DNS_server ---non_recursive_query---> internal_auth/Internet where: client == laptop/phone/server running stub resolver code recursive_DNS_server == what Bob is as

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Fred Morris
People do the funniest things with DNS. It's a pretty good key-value store, especially for read-heavy workloads. Maybe you update counters for "what clients in this OT environment are posting telemetry to this web server"? DNS wouldn't be a good choice for that, but Redis is. But maybe you wan

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Matus UHLAR - fantomas
If you are an ISP/registry/DNS provider, it makes sense to separate authoritative zones for your clients' domains, for all those cases your client move their domains somewhere else without notifying you (hell, they do that too often), or to be able to prepare moving domains to your servers. #

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 10:34 AM, Matus UHLAR - fantomas wrote: If you are an ISP/registry/DNS provider, it makes sense to separate authoritative zones for your clients' domains, for all those cases your client move their domains somewhere else without notifying you (hell, they do that too often), or to be

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 10:03 AM, Bob McDonald wrote: My understanding has always been that the recommendation is/was to separate recursive and non-recursive servers. I too (had) long shared -- what I'm going to retroactively call -- that over simplification. Now I understand I'm talking about an INTERN

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Matus UHLAR - fantomas
I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. why? On 15.10.22 12:03, Bob McDonald wrote: My understanding has always been that the recommendation is/was to separate recursive and non-recursive se

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Bob McDonald
> > I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. > why? My understanding has always been that the recommendation is/was to separate recursive and non-recursive servers. Now I understand I'm talking a

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Matus UHLAR - fantomas
On 14.10.22 12:08, Bob McDonald wrote: I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. why? That said, all clients would connect to recursive resolvers. don't they now? The question is this; do I

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread JW λ John Woodworth
Hi Greg, Great points! I must have forgotten how messy this got :) ./John Original message From: Greg Choules Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get ans

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get answers. But forwarding keeps the RD bit set, meaning that the server being forwarded to should a) have recursion enabled (though it

RE: Question About Internal Recursive Resolvers

2022-10-14 Thread JW λ John Woodworth
Hi Bob, I've been able to do this with 'forward' zones. The config would go in the resolver but the files would not. /John Original message From: Bob McDonald I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recu

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi Bob. In a previous life I did just this. Large resolvers for customers and internal users, defaulting to the Internet but with specific configuration to internal auth-only servers for private zones (I used stub but static-stub and mirror are alternatives - they each behave slightly differently).

Re: Question about dnstap

2022-09-13 Thread Borja Marcos
> On 13 Sep 2022, at 14:34, Peter wrote: > Apparently, the first connect() happens (after chroot but) before dropping privileges. (The FreeBSD integration script does set -u to UID "bind", by default.) > So, apparently, fstrm_capture should also run as UID "bind" (and would then n

Re: Question about dnstap

2022-09-13 Thread Peter
On Tue, Sep 13, 2022 at 12:24:15PM +0200, Petr Špaček wrote: ! On 12. 09. 22 15:49, Peter wrote: ! > On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! > ! My testing did not uncover anything problematic. ! > ! ! > ! Versions: ! > ! fstrm 0.6.1-1 ! > ! protobuf 21.5-1 ! > ! protobuf-c 1

Re: Question about dnstap

2022-09-13 Thread Petr Špaček
On 12. 09. 22 15:49, Peter wrote: On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! My testing did not uncover anything problematic. ! ! Versions: ! fstrm 0.6.1-1 ! protobuf 21.5-1 ! protobuf-c 1.4.1-1 ! ! ! A procedure which works: ! - start BIND configured with ! options { !

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! My testing did not uncover anything problematic. ! ! Versions: ! fstrm 0.6.1-1 ! protobuf 21.5-1 ! protobuf-c 1.4.1-1 ! ! ! A procedure which works: ! - start BIND configured with ! options { ! dnstap { all; }; ! dnstap-o

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 12:27:25PM +0200, Borja Marcos wrote: ! I am not sure this is intended behavior, or maybe I should file a bug. ! ! I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using ! dnstap-go. ! ! I have configured

Re: Question about dnstap

2022-09-12 Thread Petr Špaček
On 12. 09. 22 12:27, Borja Marcos wrote: Hi, I am not sure this is intended behavior, or maybe I should file a bug. I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using dnstap-go. I have configured bind to use dnstap with no

Re: Question about additional section in BIND-responses

2022-08-29 Thread Matus UHLAR - fantomas
On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason that BIND answers with the additional section for the following query where for example Knot resolver and also PowerDNS resolver don't add the additional section for the same que

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 18:04, Greg Choules wrote: Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the specifie

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the specified log file is allowed to contain. My question

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 16:46, Richard T.A. Neal wrote: Hi J, I'm coming a little late to the party on this one and I think you might struggle to do rotation based on both date/time *and* file size, but I use logrotate to rotate all of my BIND logs daily, keeping 31 days of logs. And you'll see that o

RE: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Richard T.A. Neal
J wrote: > I'm looking to have my: queries.log (which logs all the queries my Bind > 9.16.30 recursive resolver resolves), rotated at the end of the day and I'd > like to keep 7 days worth of those logs. {snip} > I still want any daily log *before* it's being rotated to be a maximum size > of

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 04:52, Anand Buddhdev wrote: On 25/08/2022 05:23, J Doe wrote: Hello J Doe, I was wondering if anyone could provide feedback on whether the following: newsyslog.conf file is correct to allow for daily log rotation for my Bind 9.16.30 logs? My current logging settings in: n

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 03:05, Greg Choules wrote: Hello J What is it you're actually trying to achieve here? Cheers, Greg Hi Greg, I'm looking to have my: queries.log (which logs all the queries my Bind 9.16.30 recursive resolver resolves), rotated at the end of the day and I'd like to keep 7 days

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Anand Buddhdev
On 25/08/2022 05:23, J Doe wrote: Hello J Doe, I was wondering if anyone could provide feedback on whether the following: newsyslog.conf file is correct to allow for daily log rotation for my Bind 9.16.30 logs? My current logging settings in: named.conf are: ... logging {

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hello J What is it you're actually trying to achieve here? Cheers, Greg On Thu, 25 Aug 2022 at 04:24, J Doe wrote: > Hello, > > I was wondering if anyone could provide feedback on whether the > following: newsyslog.conf file is correct to allow for daily log > rotation for my Bind 9.16.30 logs

Re: Question about additional section in BIND-responses

2022-08-22 Thread Tom
On 8/17/22 06:45, Tom wrote: On 8/17/22 02:27, Evan Hunt wrote: On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason that BIND answers with the additional section for the following query, where for example Knot resolver and also

Re: Question about additional section in BIND-responses

2022-08-16 Thread Tom
On 8/17/22 02:27, Evan Hunt wrote: On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason that BIND answers with the additional section for the following query, where for example Knot resolver and also PowerDNS resolver don't add

Re: Question about additional section in BIND-responses

2022-08-16 Thread Evan Hunt
On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: > Using BIND-9.18.5 as a recursive server: > What's the reason that BIND answers with the additional section for > the following query, where for example Knot resolver and also PowerDNS > resolver don't add the additional section for the

Re: Question about linking jemalloc with Bind 9.18.x when doing the compile.

2022-08-03 Thread Michal Nowak
On 02/08/2022 18:46, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hello all We are getting ready to test Bind 9.18.x. Currently we are running the latest version of 9.16.x branch. We have downloaded and successfully installed the jemalloc module on the Server ( RHEL 7.9 OS) and getting r

Re: Question about missing bind.keys

2022-04-13 Thread Evan Hunt
On Tue, Apr 12, 2022 at 09:37:22PM -0400, J Doe wrote: > Apologies for my late reply. Thank you so much for the detailed > explanation of: dnssec-validation auto and what happens when: bind.keys > doesn't exist. > > With this setting in place in my: named.conf I then restarted BIND, gave > it

Re: Question about missing bind.keys

2022-04-12 Thread J Doe
On 2022-03-30 02:23, Evan Hunt wrote: On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote: I have a question about the bind.keys file and what happens when it is not available. [...] ** If I don't have bind.keys in my BIND directory but have: dnssec-validation auto in my named.conf, is BIND

Re: Question about missing bind.keys

2022-03-29 Thread Evan Hunt
On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote: > I have a question about the bind.keys file and what happens when it is > not available. [...] > ** If I don't have bind.keys in my BIND directory but have: > dnssec-validation auto in my named.conf, is BIND automatically getting > the trus

Re: Question about "max-zone-ttl" in dnssec-policy

2021-09-21 Thread Evan Hunt
On Tue, Sep 21, 2021 at 03:11:30PM +0200, Tom wrote: > The documentation says that "any record encountered with a TTL higher > than max-zone-ttl is capped at the maximum permissible TTL value". > > Is the documentation wrong here? It does appear to be wrong, yes. It also differs from the behav

Re: Question about "max-zone-ttl" in dnssec-policy

2021-09-21 Thread Tom
Hi Matthijs Thank you for your explanation. The documentation says that "any record encountered with a TTL higher than max-zone-ttl is capped at the maximum permissible TTL value". Is the documentation wrong here? Thank you. Kind regards, Tom On 21.09.21 09:47, Matthijs Mekking wrote: H
