Re: rndc showzone?

2025-09-22 Thread Doug Freed
On 9/22/25 06:55, Havard Eidnes via bind-users wrote: Hi, I'm trying to extend my personal "rndc subcommand" repertoire, and for this particular problem we're seeing, "rndc showzone" would have been useful. However, in our cases, both with BIND 9.18.39 and BIND 9.20.13 that command just complet

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-22 Thread Havard Eidnes via bind-users
>> # meson install -C build-dir >> errors out when I have BIND 9.20 already installed in /usr/local >> with >> ERROR: Destination '/usr/local/bin/named-compilezone' already exists >> and is not a symlink > > I noticed this when replacing pre-meson 9.21 installation with a > post-meson one. Remove t

Silence is Tactical Re: Finer control over REFUSED, e.g. root referrals

2025-09-21 Thread Fred Morris
I've read the _Silence Is Not Golden_ paper (https://dl.acm.org/doi/pdf/10.1145/3576915.3616647) and I've written a response to it, and to Ondrej, and to this thread generally. It's as long as an RFC so based on early feedback I've posted it to my "blog": http://consulting.m3047.net/dubai-letters/s

Re: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

2025-09-18 Thread Ondřej Surý
Hi, I snipped the whole message as it seems like in a phase “how do I debug the CA”. Your email didn’t contain any information about the rest of the DNS configuration in your network, so it is kind of hard to help you. We don’t know whether you configured the CA machine to use any custom DNS to

Re: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

2025-09-18 Thread Mark Andrews
level domain limitation on Bind9 (if any) with regards to this issue. > Did I misinterpret your reply? > > Warm regards > > > -Original Message- > From: Mark Andrews > Sent: Thursday, 18 September 2025 14:28 > To: P van Dijk > CC: bind-

RE: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

2025-09-18 Thread P van Dijk
: Re: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution? .HOME does not exist so you will NEVER get a CERT for a .HOME name. Use registered names. Mark > On 18 Sep 2025, at 13:15, P van Dijk wrote: > > Dear

Re: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

2025-09-18 Thread Mark Andrews
.HOME does not exist so you will NEVER get a CERT for a .HOME name. Use registered names. Mark > On 18 Sep 2025, at 13:15, P van Dijk wrote: > > Dear All, > Has anyone encountered the error message ‘There was a problem with a DNS > query during identifier validation’ while trying the complete

Re: DiG: Path set via SSLKEYLOGFILE is ignored

2025-09-17 Thread Ilya Kulakov
I use dig to debug a dns server (CoreDNS) and ability to extract key log is very useful. Fwiw, it’s more useful to have it on the client side than server side (named). Best Regards, Ilya Kulakov > On Sep 10, 2025, at 1:15 AM, Michał Kępień wrote: > > I created https://gitlab.isc.org/isc-pro

RE: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-16 Thread Marc
Why don't you chat a bit with AI. My impression is that AI is good at teaching you what you want to know. Quite often it messes up, but for broader knowledge acquirement it should do fine. https://copilot.microsoft.com/ > > Good day from Singapore, > > I have received another email from the

Re: FreeBSD Port: dns/bind920 steadily increasing memory usage

2025-09-15 Thread Ondřej Surý
Hi Felix, thanks for willing to debug the issue. Here's a primer: https://www.isc.org/blogs/2023-BIND-memory-management-explained/ The basics are: 1. configure stats channel 2. look at the memory distribution (internal) to see where the memory goes 3. if there's a really runaway memory, we can

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-15 Thread Michael De Roover
On Sunday, 14 September 2025 10:13:30 Central European Summer Time Marc wrote: > Why don't you chat a bit with AI. My impression is that AI is good at > teaching you what you want to know. Quite often it messes up, but for > broader knowledge acquirement it should do fine. > https://copilot.micro

Re: Finer control over REFUSED, e.g. root referrals

2025-09-14 Thread Michael Richardson
Fred Morris wrote: > It needs to recurse to gather the data which it is intended to deliver. > It also runs RPZ configured as a WAF ("web application firewall". I > know, this is DNS. deal with the cognitive dissonance, starting with the > fact that RPZ is referred to as a "DNS fi

Re: BIND 9.20.12 - dnstap - RPZ - DNS-collector - Elasticsearch

2025-09-14 Thread Wolfgang Riedel via bind-users
Hi Mark, Yes, that’s what I see in the default log but when looking into rpz.log I see the query and RPZ rewrites rpz: info: client @0x7f033dd7f000 MyHiddenMaster#56341 (ads.pubmatic.com): rpz QNAME NODATA rewrite ads.pubmatic.com/HTTPS/IN via ads.pubmatic.com.rpz.f1-online.net

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Turritopsis Dohrnii Teo En Ming via bind-users
On Sunday, September 14th, 2025 at 4:36 PM, Benny Pedersen via bind-users wrote: > Marc wrote on 2025-09-14 10:13: > > > Why don't you chat a bit with AI. My impression is that AI is good at > > teaching you what you want to know. Quite often it messes up, but for > > broader knowledge acquire

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Ondřej Surý
Folks, discussing AI is offtopic for this list. Please keep the discussion related to BIND 9. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 14. 9. 2025, at 15:54, Turr

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Stephane Bortzmeyer via bind-users
On Sun, Sep 14, 2025 at 10:42:45AM +0200, Benny Pedersen via bind-users wrote a message of 23 lines which said: > mx.junc.eu (amavis); dkim=neutral reason="invalid (public key: not > available)" header.d=i header.b="YUOrfkQZ"; dkim=fail (2048-bit key) > reason="fail (message has been altered)"

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Stephane Bortzmeyer via bind-users
On Sun, Sep 14, 2025 at 08:13:30AM +, Marc wrote a message of 75 lines which said: > Why don't you chat a bit with AI. My impression is that AI is good at > teaching you what you want to know. Quite often it messes up, but for broader > knowledge acquirement it should do fine. > > https

RE: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Turritopsis Dohrnii Teo En Ming via bind-users
On Sunday, September 14th, 2025 at 4:13 PM, Marc wrote: > Why don't you chat a bit with AI. My impression is that AI is good at > teaching you what you want to know. Quite often it messes up, but for broader > knowledge acquirement it should do fine. > > https://copilot.microsoft.com/ I have

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Benny Pedersen via bind-users
Benny Pedersen via bind-users wrote on 2025-09-14 10:35: Marc wrote on 2025-09-14 10:13: Why don't you chat a bit with AI. My impression is that AI is good at teaching you what you want to know. Quite often it messes up, but for broader knowledge acquirement it should do fine. https://copil

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Benny Pedersen via bind-users
Marc wrote on 2025-09-14 10:13: Why don't you chat a bit with AI. My impression is that AI is good at teaching you what you want to know. Quite often it messes up, but for broader knowledge acquirement it should do fine. https://copilot.microsoft.com/ real life is many times better than AI,

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-14 Thread Turritopsis Dohrnii Teo En Ming via bind-users
Good day from Singapore, I have received another email from the interviewing cybersecurity company in Singapore on 12 Sep 2025 at 1543 hours. [QUOTE] Good Day! Thank you for booking an interview with us. We will be assessing your thought process in solving complex questions and your ability

Re: Specifying "max-cache-size default;" causes core-dump

2025-09-13 Thread Doug Freed
default UDP/IPv4 port range: [32768, 60999] 14-Sep-2025 13:33:24.317 using default UDP/IPv6 port range: [32768, 60999] 14-Sep-2025 13:33:24.318 listening on IPv4 interface lo, 127.0.0.1#8053 14-Sep-2025 13:33:24.318 listening on IPv6 interface lo, ::1#8053 14-Sep-2025 13:33:24.318 Disabling perio

Re: NXDomain reply after LAN IP response from forwarder for zone

2025-09-13 Thread Jarrod Farrell
BIND 9.20.12 And adding `validate-except` to my configuration seems to be what I need, so thanks Greg. ``` IP 10.0.10.1.33184 > 10.0.10.100.53: 43821+ [1au] A? firewall.my-home.net.lan. (62) IP 10.0.10.100.59360 > 10.0.10.101.53: 45885+% [1au] A? firewall.my-home.net.lan. (62) IP 10.0.10.101.

Re: NXDomain reply after LAN IP response from forwarder for zone

2025-09-13 Thread Greg Choules via bind-users
Hello. What version of BIND are you running? By default, BIND will attempt to perform DNSSEC validation, which is probably why you're seeing the DS query. See here for more information on validation and DNSSEC in general: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#dnssec-validation-e

Re: NXDomain reply after LAN IP response from forwarder for zone

2025-09-13 Thread Jarrod Spencer Farrell
That changes the response to ServFail, but probably appropriate on what I'm doing when reading into the option. (https://serverfault.com/a/1001622) And watching `tcpdump` with me asking via `dig` without the extra clutter I was getting from my phone, I am noticing I missed another query being m

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-13 Thread Greg Choules via bind-users
And you want to do this by Monday? Well good luck. Here are some resources you might start with: https://bind9.readthedocs.io/en/stable/index.html https://kb.isc.org/v1/en https://www.oreilly.com/library/view/dns-and-bind/0596100574/ The book is getting a bit old now, but makes handy reading any

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-13 Thread Turritopsis Dohrnii Teo En Ming via bind-users
On Saturday, September 13th, 2025 at 10:28 PM, Danjel Jungersen via bind-users wrote: > On 12-09-2025 08:32, Turritopsis Dohrnii Teo En Ming via bind-users wrote: > >> I am 47 years old as of 12 Sep 2025. I hope I am not getting too old to >> learn! I understand the ability to learn deteriorate

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-13 Thread Danjel Jungersen via bind-users
On 12-09-2025 08:32, Turritopsis Dohrnii Teo En Ming via bind-users wrote: I am 47 years old as of 12 Sep 2025. I hope I am not getting too old to learn! I understand the ability to learn deteriorates with age / aging. Congratulations! I hope the same, I'm 2 years older ;-) And the ability

Re: BIND 9.20.12 - dnstap - RPZ - DNS-collector - Elasticsearch

2025-09-12 Thread Mark Andrews
NODATA is a concept not a record type. It indicates that the name is correct but there are no records of the requested type. -- Mark Andrews > On 12 Sep 2025, at 0:34, Wolfgang Riedel via bind-users > wrote: > > Hi Folks, > > I just wonder if I am missing something ;-) > > I am c

Re: NXDomain reply after LAN IP response from forwarder for zone

2025-09-12 Thread Mark Andrews
Use “forward only:” for your local zones. -- Mark Andrews > On 13 Sep 2025, at 4:58, Jarrod Spencer Farrell > wrote: > > I'm setting up a private VPN containing mobile devices and the home's LAN > through a firewall part of the VPN network, and I'd like to use the FQDN of a > LAN de

Re: Debug Level Logs in BIND 9.18.16 Despite Debug Level Set to 0

2025-09-12 Thread Ondřej Surý
> On 12. 9. 2025, at 15:07, Nagesh Thati wrote: > > I am using --enable-singletrace option while compiling the BIND, Why? What do you expect this does? > will it cause any extra debug lines during query resolution, even if the rndc > trace level is set to 0? This is a debugging feature, so

Re: Debug Level Logs in BIND 9.18.16 Despite Debug Level Set to 0

2025-09-12 Thread Nagesh Thati
Hi, I am using *--enable-singletrace * option while compiling the BIND, will it cause any extra debug lines during query resolution, even if the rndc trace level is set to 0? Thanks On Mon, Feb 10, 2025 at 1:02 PM Ondřej Surý wrote: > I can't reproduce the issue. > > $ cat named.conf > logging

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-12 Thread Michal Nowak
On 11/09/2025 23:18, Havard Eidnes via bind-users wrote: # meson install -C build-dir errors out when I have BIND 9.20 already installed in /usr/local with ERROR: Destination '/usr/local/bin/named-compilezone' already exists and is not a symlink I noticed this when replacing pre-meson 9.21 i

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-11 Thread Turritopsis Dohrnii Teo En Ming via bind-users
On Friday, September 12th, 2025 at 2:06 AM, Benjamin Smith wrote: > This is a dream response, and it seems that you got this off you're just > honest with them about where you are and what you're doing! > > I note that they don't ask about bind, but DNS and DHCP. So what I think: > > I would st

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-11 Thread Turritopsis Dohrnii Teo En Ming via bind-users
entication come to mind. > > You may find resources such as Zytrax useful, I find them complementary to > ISC’s own documentation and have commented them in from time to time into my > config files. That being said, my path was full of just trial and error. See > what works,

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-11 Thread Turritopsis Dohrnii Teo En Ming via bind-users
On Thursday, September 11th, 2025 at 11:22 PM, Greg Choules wrote: > And you want to do this by Monday? Well good luck. > > Here are some resources you might start with: > > https://bind9.readthedocs.io/en/stable/index.html > https://kb.isc.org/v1/en > https://www.oreilly.com/library/view/dns-an

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-11 Thread Benjamin Smith
This is a dream response, and it seems that you got this off you're just honest with them about where you are and what you're doing! I note that they don't ask about bind, but DNS and DHCP. So what I think: I would study hard on how DNS works and DHCP. I wouldn't bother with bind at all. Right about

Re: Finer control over REFUSED, e.g. root referrals

2025-09-11 Thread Petr Špaček
On 08. 09. 25 16:27, Michael Richardson wrote: Ondřej Surý wrote: > I can definitely say this is not going to be implemented and nobody should. > Not returning answer is a protocol violation that can lead to DNS > spoofing window being much larger. Surely I'm allowed to *not*

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-11 Thread Havard Eidnes via bind-users
So... I got some hints elsewhere. In my case I need $ meson setup build-dir -Dtracing=disabled $ meson compile -C build-dir However, install still errors out: # meson install -C build-dir errors out when I have BIND 9.20 already installed in /usr/local with ERROR: Destination '/usr/local/bin

Re: I need to learn more about BIND DNS server to pass my job interview next Monday

2025-09-11 Thread Michael De Roover
them in from time to time into my config files. That being said, my path was full of just trial and error. See what works, use it for a while, re-evaluate. If ingenuity rather than memorization is what this company is after, this is the angle I’d want to approach it from. Kind regards

Re: DiG: Path set via SSLKEYLOGFILE is ignored

2025-09-10 Thread Michał Kępień
I created https://gitlab.isc.org/isc-projects/bind9/-/issues/5515 since OP mentioned having issues with using gitlab.isc.org. -- Best regards, Michał Kępień -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.

Re: DiG: Path set via SSLKEYLOGFILE is ignored

2025-09-10 Thread Ondřej Surý
Yes. dig doesn't really set up any other logging than stderr and SSLKEYLOGFILE uses the logging facility for the output. Using SSLKEYLOGFILE with anything other than named is currently undocumented, and we probably should fix that. Please file an issue for this, so it doesn't fade away in the ti

Re: Finer control over REFUSED, e.g. root referrals

2025-09-08 Thread Fred Morris
"Our society has ordered itself to be responsible, but also so that no one person is responsible." Ondřej you're not going to like my reply, but I'd like it to be adequately reasoned. It will be debatable. I'm not even sure this is the best venue, maybe dns-operati...@dns-oarc.net would be a bette

Re: Finer control over REFUSED, e.g. root referrals

2025-09-08 Thread Fred Morris
Hello, I appreciated your earlier comment regarding some shared utopian internet citizen responsibility to have a port 53 listener on every address... or not. On 9/8/25 7:42 AM, Michael Richardson wrote: > Fred Morris wrote: > > It needs to recurse to gather the data which it is intended to d

Re: Finer control over REFUSED, e.g. root referrals

2025-09-08 Thread Michael Richardson
Ondřej Surý wrote: > I can definitely say this is not going to be implemented and nobody should. > Not returning answer is a protocol violation that can lead to DNS > spoofing window being much larger. Surely I'm allowed to *not* run a DNS server on an IP address, and dropping repl

Re: Finer control over REFUSED, e.g. root referrals

2025-09-08 Thread Ondřej Surý
> On 8. 9. 2025, at 16:27, Michael Richardson wrote: > > Surely I'm allowed You are absolutely free to do whatever you want. I am just saying, this is not going to be implemented in BIND 9 and should not be implemented in any other DNS software. Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My

Re: Finer control over REFUSED, e.g. root referrals

2025-09-07 Thread Ondřej Surý
doesn't delete its copy of the domain from its > records until the expiration time after the primary stops using that > secondary. > > Andrew Pavlin > administrator of ka2ddo.org and ka2ddo.radio domains > > > From: bind-use

Re: Finer control over REFUSED, e.g. root referrals

2025-09-07 Thread Fred Morris
Andrew, you've given me an intriguing idea! On Sun, 7 Sep 2025, Andrew Pavlin wrote: Personally, I would like an even finer control than what the allow-query option allows. I too run an authoritative server, and it too is being routinely used for DNS amplification attacks. Rather than returni

Re: Finer control over REFUSED, e.g. root referrals

2025-09-07 Thread Andrew Pavlin
ntil the expiration time after the primary stops using that secondary. Andrew Pavlin administrator of ka2ddo.org and ka2ddo.radio domains From: bind-users on behalf of Darren Ankney Sent: Sunday, September 7, 2025 6:21 AM To: bind-users@lists.isc.org Subje

Re: Finer control over REFUSED, e.g. root referrals

2025-09-07 Thread Dan Mahoney
Fred, I think I’ve rendered all the help I’m capable of. Best of luck. -Dan > On Sep 7, 2025, at 14:58, Fred Morris wrote: > > I thought I gave enough context, but let me give some more. The instance of > BIND which is publicly exposed is sitting in front of a fleet of these: > https://gith

Re: Finer control over REFUSED, e.g. root referrals

2025-09-07 Thread Fred Morris
I thought I gave enough context, but let me give some more. The instance of BIND which is publicly exposed is sitting in front of a fleet of these: https://github.com/m3047/rkvdns which are delegated subdomains of the one and only zone which the BIND instance knows about (not counting administrativ

Re: Finer control over REFUSED, e.g. root referrals

2025-09-07 Thread Darren Ankney
Hi again Fred, > As for if you are missing something else that would allow you to > achieve your goal, I'll let others answer. This was bugging me this morning so I ran a quick second test. It turns out that allow-query { }; limited to just those IP(s) that should be able to query the server wil

Re: Re: Finer control over REFUSED, e.g. root referrals

2025-09-07 Thread Robert McDonald
th subject or body 'help' to > bind-users-requ...@lists.isc.org > > You can reach the person managing the list at > bind-users-ow...@lists.isc.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of bin

Re: Finer control over REFUSED, e.g. root referrals

2025-09-06 Thread Dan Mahoney
> On Sep 6, 2025, at 11:27, Fred Morris wrote: > > So I have a BIND server which is publicly exposed, but which is not > referenced from the canonical tree we call "The DNS". It serves as a firewall > / DNS "WAF" for resources which it recurses to obtain. Hey Fred, If you have a service on

Re: Finer control over REFUSED, e.g. root referrals

2025-09-06 Thread Darren Ankney
Hi Fred, > It seems as though somehow that behavior is implicit in allowing / > disallowing recursion by the server. I think this is right. I think isc.org ns servers return "REFUSED" because they have recursion disabled and are not authoritative for what you have asked for ('.' TXT) (and you us

Re: Forward first showing odd behavior BIND 9.11.36-RedHat-9.11.36-16.el8_10.4 (Extended Support Version)

2025-09-05 Thread Ondřej Surý
> And since we don’t want these following the full recursion out to the > internet, root hints are intentionally disabled (we’re hoping for at least > some data hygiene by using these specific forwarders). That's forward only. > Setting it to ‘forward only’ resolved the issue. See above. > Do

Re: Forward first showing odd behavior BIND 9.11.36-RedHat-9.11.36-16.el8_10.4 (Extended Support Version)

2025-09-05 Thread Greg Choules via bind-users
Hi David. I find your configuration a bit bizarre because you say you don't want recursion, yet you have both "recursion yes;" and "forward first;" (which is the default anyway, so this statement is redundant). "recursion yes;" says to attempt recursion unless something else (like forwarding) say

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-03 Thread Havard Eidnes via bind-users
of make install ? An attempt with (as root, as I'm expecting root-only-writable destination directories to be touched): # meson install -C build-dir is not entirely successful. For some reason the build system decides to re-do parts of the build, and parts of it now complains, and it s

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-03 Thread Petr Špaček
On 03. 09. 25 14:53, Havard Eidnes wrote: Does https://bind9.readthedocs.io/en/latest/chapter10.html#building-bind-9 help? Yes, it gets me a bit further. The current stumbling block is that the configury system can't find liburcu-common (despite finding the other rcu libs), seemingly that's be

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-03 Thread Ondřej Surý
Uh oh, I wrote this before I checked the meson.build: We actually should have the workaround in meson too: ## userspace-rcu urcu_dep = [dependency('liburcu-cds', version: '>=0.10.0')] if rcu_flavor == 'membarrier' config.set('RCU_MEMBARRIER', true) urcu_dep += dependency('liburcu', versio

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-03 Thread Ondřej Surý
Well, we had this workaround for urcu << 0.13 in configure.ac, but I would suggest that you should rather use the latest urcu release instead of adding the workaround back to meson.build. Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Pleas

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-03 Thread Havard Eidnes via bind-users
> Does > https://bind9.readthedocs.io/en/latest/chapter10.html#building-bind-9 > help? Yes, it gets me a bit further. The current stumbling block is that the configury system can't find liburcu-common (despite finding the other rcu libs), seemingly that's because the pkg-config file for that libr

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-03 Thread Petr Špaček
On 03. 09. 25 12:31, Havard Eidnes via bind-users wrote: as previously announced, the BIND 9.21 (development branch) has changed the build system from venerable autotools to meson build system. If you build BIND 9 from sources now would be a good time to try building the development version from

Re: Development version of BIND 9 - 9.21.10 with meson build system

2025-09-03 Thread Havard Eidnes via bind-users
> as previously announced, the BIND 9.21 (development branch) has > changed the build system from venerable autotools to meson > build system. If you build BIND 9 from sources now would be a > good time to try building the development version from sources > and report any issues you find to our Git

Re: Bind forwards DNS requests even though forwarding is disabled.

2025-09-03 Thread Ondřej Surý
No, the forwarding is disabled if the forwarding list is empty. What you can probably do is to create a sinkhole address on the localhost (with DROP firewall rule) and forward to that. However, why not just disable recursion or properly forward to the AdGuard DNS server instead? Both are perfect

Re: Bind forwards DNS requests even though forwarding is disabled.

2025-09-03 Thread Sten Carlsen
You still have the "forward only;" and "forwarders" statements. Would commenting those out make a difference? -- Best regards Sten Carlsen Don't be impressed with unintelligible stuff said condescendingly . -- Radia Perlman. > On 2 Sep 2025, at 20.12, Ondřej Surý wrote: > > https://bind

Re: Bind forwards DNS requests even though forwarding is disabled.

2025-09-03 Thread Greg Choules via bind-users
Hi Sascha. I have a few questions. 1) Are you sure BIND is forwarding? Is that the term you mean to use? Please can you take a binary packet capture (pcap, not copy/paste of terminal output) that shows what the BIND server is doing and send that, You may have disabled global forwarding but recursio

Re: Bind forwards DNS requests even though forwarding is disabled.

2025-09-03 Thread Ondřej Surý
https://bind9.readthedocs.io/en/v9.20.12/reference.html#namedconf-statement-forwarders > The default is the empty list (no forwarding). ^^^ you've effectively disabled forwarding. You haven't described precisely what are you trying to achieve, but you probably want to disable recursion? https:

Re: Bind forwards DNS requests even though forwarding is disabled.

2025-09-03 Thread Greg Choules via bind-users
Hello again and thank you for the background. Firstly, tcpdump. I would recommend a command like this, run in a separate terminal window just before you make some test queries in another window: sudo tcpdump -v -i any -c 1 -w port 53 The -c is a safety net to make sure it stops, should you

Re: Bind forwards DNS requests even though forwarding is disabled.

2025-09-02 Thread Sascha Marcel Hacker via bind-users
First of all, thank you for your quick response. In this case, “forwarding” may be somewhat of a misplaced term. What I want to achieve, and what has been working for over 5 years, is for BIND DNS to act as the primary DNS for DNS queries relating to intranet name resolution (Samba AD), and for A

Re: BIND9.18.33 after upgrade to this version, same BIND configuration no longer accepts dynamic DNS updates with SIG0 keypairs

2025-09-02 Thread Petr Špaček
On 01. 09. 25 21:37, Adam Burns wrote: I'm trying to debug some dynamic update zones (using SIG0 keys) after a BIND version upgrade, and I'm hoping someone on this list can give advice on potential root cause or at least suggestions on how to debug ... FTR info on root cause is in the Release No

Re: BIND9.18.33 after upgrade to this version, same BIND configuration no longer accepts dynamic DNS updates with SIG0 keypairs

2025-09-01 Thread Mark Andrews
Upgrade to 9.20. Some computational denial of service fixes involving SIG(0) were not backported to 9.18 but rather the path was just disabled. > On 2 Sep 2025, at 05:37, Adam Burns wrote: > > Hi all, > > I'm trying to debug some dynamic update zones (using SIG0 keys) after a BIND > versio

RE: Trying simple NS delegation for a subdomain * I cannot get it to load/work.

2025-08-28 Thread Steve Gladden
could see them. -Steve -Original Message- From: Mark Andrews Sent: Wednesday, August 27, 2025 8:19 PM To: Steve Gladden Cc: bind-users@lists.isc.org Subject: Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work. > On 28 Aug 2025, at 10:01, Steve

RE: Trying simple NS delegation for a subdomain * I cannot get it to load/work

2025-08-27 Thread Steve Gladden
, 2025 9:30 PM To: bind-users@lists.isc.org Subject: Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work Read the post from Mark Andrews again. To check whether or not the “local” zone has the delegation loading correctly, recursion MUST be turned off when submitting

RE: Trying simple NS delegation for a subdomain * I cannot get it to load/work

2025-08-27 Thread Steve Gladden
All good! I'm up & running now. And learned some stuff. -Steve -Original Message- From: bind-users On Behalf Of Steve Gladden Sent: Wednesday, August 27, 2025 9:51 PM To: Robert McDonald (Bob) ; bind-users@lists.isc.org Subject: RE: Trying simple NS delegation for a subd

RE: Trying simple NS delegation for a subdomain * I cannot get it to load/work

2025-08-27 Thread Steve Gladden
Oh sweet, I'll try that! -sg -Original Message- From: bind-users On Behalf Of Robert McDonald (Bob) Sent: Wednesday, August 27, 2025 9:30 PM To: bind-users@lists.isc.org Subject: Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work Read the post from

RE: Trying simple NS delegation for a subdomain * I cannot get it to load/work.

2025-08-27 Thread Steve Gladden
fix it. From: Al Sent: Wednesday, August 27, 2025 9:14 PM To: Steve Gladden Subject: Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work. chatgpt was pretty coherent for once: That message comes from BIND (named) when it tries to resolve a domain and gets a

Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work

2025-08-27 Thread Robert McDonald (Bob)
Read the post from Mark Andrews again. To check whether or not the “local” zone has the delegation loading correctly, recursion MUST be turned off when submitting the query. In the dig command add the switch +norecurse (or just +norec). That will get rid of the SERVFAIL response. Start there.

RE: Trying simple NS delegation for a subdomain * I cannot get it to load/work.

2025-08-27 Thread Steve Gladden
add the record. This has me stuck as I can’t add the zone on the remote system, AND I can’t simply add the NS record on my local system. Thanks. -Steve From: Al Sent: Wednesday, August 27, 2025 8:13 PM To: Steve Gladden Subject: Re: Trying simple NS delegation for a subdomain * I cannot g

Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work.

2025-08-27 Thread Mark Andrews
> On 28 Aug 2025, at 10:01, Steve Gladden wrote: > > Hi this is my first post ever. > I’m stuck on a very simple task that I have not been able to get it to work. > I have done this in the past with older versions of BIND but it has been > quite a while. > > I’m trying to delegate to a

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-26 Thread Ondřej Surý
Well, this: https://mailman.mit.edu/pipermail/kerberos-announce/2025q3/thread.html#208 Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 26. 8. 2025, at 14:51, Pe

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-26 Thread Peter 'PMc' Much
On Tue, Aug 26, 2025 at 02:02:46PM +0200, Petr Špaček wrote: ! On 26. 08. 25 13:24, Petr Špaček wrote: ! > On 26. 08. 25 12:31, Peter 'PMc' Much wrote: ! > > Out of recvsoa ! > > recvgss() ! > > recvgss creating rcvmsg ! > > show_message() ! > > recvmsg reply from GSS-TSIG query ! > > ;; ->>HEADER<

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-26 Thread Peter 'PMc' Much
On Tue, Aug 26, 2025 at 02:34:34PM +0200, Ondřej Surý wrote: ! Hmm, given the recent f^Hhiccup in mit krb5, I would suggest to try less recent version and/or report this to upstream. Ondrej, I am not familiar with these. Do You have a link or two? As one might have noticed I am not yet familiar

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-26 Thread Ondřej Surý
Hmm, given the recent f^Hhiccup in mit krb5, I would suggest to try less recent version and/or report this to upstream. -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 25. 8. 20

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-26 Thread Petr Špaček
On 26. 08. 25 13:24, Petr Špaček wrote: On 26. 08. 25 12:31, Peter 'PMc' Much wrote: Out of recvsoa recvgss() recvgss creating rcvmsg show_message() recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  41256 ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0,

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-26 Thread Petr Špaček
On 26. 08. 25 12:31, Peter 'PMc' Much wrote: Out of recvsoa recvgss() recvgss creating rcvmsg show_message() recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41256 ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;5466

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-26 Thread Peter 'PMc' Much
Hi Michal, glad to read You! On Tue, Aug 26, 2025 at 08:50:51AM +0200, Michał Kępień wrote: ! So it looks like krb5 is unable to process the initial GSS-API token ! sent by nsupdate - something inside krb5 returns the ! KRB5_CRYPTO_INTERNAL error code. ! ! Could you perhaps start named with th

Re: bind9.20.11-4deb and Windows Server 2015 DNS Problem

2025-08-26 Thread Petr Špaček
On 26. 08. 25 9:25, Daniel Marquez-Klaka wrote: I recently upgraded from Deb12 to Deb 13 and thereby from bind 9.18.33-1deb to 9.20.11-4deb. While in former version everything was running as expected I observed a (to me) strange behavior between bind9.20.11-4-deb and Windows Server 2016, Versio

Re: Windows versions of bind tools

2025-08-26 Thread Arsen STASIC
Hi Robert, You could install Windows Subsystem for Linux (WSL) and a Linux distribution of your choice and you should be able to run bind-tools. cheers arsen * Ondřej Surý [2025-08-25 20:19 (+0200)]: > Nope, no plans for Windows release. Or rather, there is a plan to not release > anything on

Re: FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

2025-08-25 Thread Michał Kępień
Hi Peter, > This is the error: > - > recvmsg reply from GSS-TSIG query > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4885 > ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > ;; QUESTION SECTION: > ;3478577972.sig-conr-e.int

Re: Windows versions of bind tools

2025-08-25 Thread Ondřej Surý
Nope, no plans for Windows release. Or rather, there is a plan to not release anything on Windows in the future. FTR new releases work fine on Mac and are available from homebrew or macports. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please d

RE: forwarders order

2025-08-25 Thread DEMBLANS Mathieu
forwarders? I don't find a way to do this -Original Message- From: Mark Andrews Sent: Saturday, 23 August 2025 22:55 To: DEMBLANS Mathieu Cc: bind-users@lists.isc.org Subject: Re: forwarders order It is smoothed RTT. Forwarders however have highly variable RTT as the records usu

Re: DNSSEC policy using wrong directory?

2025-08-24 Thread Mike
Mark Andrews wrote: > Just put the zone file somewhere named can do that. OK, thanks, that works. I see you answer this every few years. For secured environments, it'd be better if BIND copied the file over to the working directory itself. In a typical OCI/Docker image, the configuration will b

Re: DNSSEC policy using wrong directory?

2025-08-24 Thread Mark Andrews
When you use dnssec-policy named updates the zone content. It then wants to write the updated zone content back out. It does this by writing a temporary file and when that is complete atomically switching that file with the old zone file. Just put the zone file somewhere named can do that. --

Re: DNSSEC policy using wrong directory?

2025-08-24 Thread Mike
I should have mentioned that `managed-keys.bind{,.jnl}` are written (correctly) to /var/cache/bind. So the `directory` option is doing its job, just not for the `dnssec-policy` journals. But `Kgood-with-numbers.com.*` *are* going into /var/cache/bind, so `dnssec-policy` is getting that part corr

Re: DNSSEC policy using wrong directory?

2025-08-24 Thread Ondřej Surý
And the corresponding option: https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-journal -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 24. 8. 2025, at

Re: DNSSEC policy using wrong directory?

2025-08-24 Thread Ondřej Surý
https://bind9.readthedocs.io/en/stable/chapter6.html#the-journal-file -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 24. 8. 2025, at 3:54, Mike wrote: > > I just set up `dnss

Re: DNSSEC policy using wrong directory?

2025-08-24 Thread Benny Pedersen via bind-users
Mike wrote on 2025-08-24 03:50: I just set up `dnssec-policy default;` in my zones. Now I'm seeing error messages like: general: error: /etc/bind/good-with-numbers.com.signed.jnl: create: permission denied Well, yeah, that's a read-only file system. options { directory "/var/cache

Re: forwarders order

2025-08-23 Thread Mark Andrews
It is smoothed RTT. Forwarders however have highly variable RTT as the records usually need to be looked up from the authoritative servers so what you end up measuring is RTT + resolution time. RRsets expire at the same time on both the local caching server and the forwarders. > On 21 Aug 2

Re: meson - rpath and chroot

2025-08-21 Thread Ondřej Surý
he bind build. Now I know why my binaries could not > find their libraries (I edited meson.build to re-add rpath). Am I the only > end-user who still uses --prefix ? > > I also noticed that the new bind is missing chroot support; I cannot find any > mention of this change in
