Hi Ondřej,
On 31 Jan 2025, at 8:16, Ondřej Surý wrote:
> We would appreciate if you can give the following git snapshots a test run
> if you have a capacity to do so.
I can report that 9.18.34-dev compiles and works fine on OpenBSD 7.6, and
9.20.6-dev compiles and works on NetBSD 10.1.
My syst
Hi,
the BIND 9 team merged an improvement to BIND 9.18.34-dev and 9.20.6-dev
releases that should help with the memory usage in the resolver scenarios and in
the case of BIND 9.18.34-dev there's even improved performance for the
cold cache. The improvements for 9.18.34-dev are significant, for 9.20
ow the kind of rubbish HTTPS RRs
> below.
A related issue: does anyone know a software / service which tests
HTTPS records and actually connects to the HTTPS server to see if it
indeed supports what it claims to support. (Testing all ALPNs, all IP
hints, etc.)
"Error, HTTP record says alpn=h3 b
Hiya,
On 20/06/2024 14:34, Ondřej Surý wrote:
Stephen,
you actually gave me an idea - you should use BIND version without HTTPS record
support and just convert the records to TYPExxx form. That way, there will be no
parser standing in your way and you can put all kind of rubbish to the zone.
Stephen,
you actually gave me an idea - you should use BIND version without HTTPS record
support and just convert the records to TYPExxx form. That way, there will be
no parser standing in your way and you can put all kind of rubbish to the zone.
P.S.: Why am I even helping you when the eduroam
Hi again,
Actually, it may well be that bind allows me sufficient
leeway to do most of the tests I want, so this is just
to check that there's no imminent plan to have bind
disallow the kind of rubbish HTTPS RRs below. If that's
not likely to change in the next few months, then I'd
say I'm fine.
Hiya,
Thanks all for the info/suggestions. I guess I'll have
to try what Ondřej suggests or something similar, and
that's ok.
Cheers,
S.
> On 20 Jun 2024, at 15:29, Michael Richardson wrote:
>
>
> Mark Andrews wrote:
>> Named and nsupdate validate input for types they know about (both text
>> and wire). You would have to use versions that are not HTTPS aware and
>> use unknown type format.
>
> So, he could code it in Perl or
Mark Andrews wrote:
> Named and nsupdate validate input for types they know about (both text
> and wire). You would have to use versions that are not HTTPS aware and
> use unknown type format.
So, he could code it in Perl or Python or something which had a dynamic DNS
library. Bind
Stephen,
I would suggest to write a specialized DNS server using dnspython rather than
trying to cram the crap into existing DNS servers.
Then it should be possible to use something like this:
https://hypothesis.readthedocs.io/en/latest/ to generate the test cases
automatically.
Cheers,
--
On
Named and nsupdate validate input for types they know about (both text
and wire). You would have to use versions that are not HTTPS aware and
use unknown type format.
Mark
> On 20 Jun 2024, at 11:39, Stephen Farrell wrote:
>
>
> Hiya,
>
> Apologies if this is a repeat, I spent a bit of time l
Hiya,
Apologies if this is a repeat, I spent a bit of time looking
but didn't find stuff...
I'd like to publish various HTTPS RRs with dodgy encodings
in order to test which clients handle things well or badly.
Were it possible to use nsupdate for that, that'd make my
life simpler, but I've no
On 29. 05. 24 11:31, adrien sipasseuth wrote:
Only if KSK has DSState: rumoured. If the DSState is hidden it means
that it is not expected to be in the parent (for example because the
DNSKEY has not yet been fully propagated).
> Do you need to withdraw the old key too immediately ? anything els
14:02, adrien sipasseuth wrote:
> > Hello,
> >
> > I try to set up a testing environment in order to create some scripts
> > for automated the roll over KSK.
> >
> > # question 1 #
> > this is my policy :
> >
> > dns
Hi,
On 5/16/24 14:02, adrien sipasseuth wrote:
Hello,
I try to set up a testing environment in order to create some scripts
for automated the roll over KSK.
# question 1 #
this is my policy :
dnssec-policy "test" {
keys {
ksk lifetime P3D
Hello,
I try to set up a testing environment in order to create some scripts for
automated the roll over KSK.
# question 1 #
this is my policy :
dnssec-policy "test" {
keys {
ksk lifetime P3D algorithm ecdsa256 2048;
zsk lifetime P1D
>> I recently made an upgrade of BIND to version 9.18.11 on our
>> resolver cluster, following the recent announcement. Shortly
>> thereafter I received reports that the validation that lookups of
>> "known entries" in our quite small RPZ feed (it's around 1MB
>> on-disk) no longer succeeds as exp
On Thu, Jan 26, 2023 at 07:03:37PM +0100, Havard Eidnes via bind-users wrote:
> Hi,
>
> I recently made an upgrade of BIND to version 9.18.11 on our
> resolver cluster, following the recent announcement. Shortly
> thereafter I received reports that the validation that lookups of
> "known entries"
Hi,
I recently made an upgrade of BIND to version 9.18.11 on our
resolver cluster, following the recent announcement. Shortly
thereafter I received reports that the validation that lookups of
"known entries" in our quite small RPZ feed (it's around 1MB
on-disk) no longer succeeds as expected, but
Testing, please ignore.
-Dan
--
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
Sorry for the noise
testing, please ignore
king into all the
>>> Makefiles just to get it to build. You install without doing testing?
>>
>> That's a very strange definition of "hacking". Setting makefile preferences
>> and options is not in any way "hacking".
>>
files just to get it to build. You install without doing testing?
>
> That's a very strange definition of "hacking". Setting makefile preferences
> and options is not in any way "hacking".
>
On 5/10/21 01:55, @lbutlr wrote:
> On 06 May 2021, at 09:57, Dennis Clarke via bind-users
> wrote:
>> I do NOT trust a build result where I had to go hacking into all the
>> Makefiles just to get it to build. You install without doing testing?
>
> That's a very s
On 06 May 2021, at 09:57, Dennis Clarke via bind-users
wrote:
> I do NOT trust a build result where I had to go hacking into all the
> Makefiles just to get it to build. You install without doing testing?
That's a very strange definition of "hacking". Setting makefile [pre
On 5/8/21 14:13, Evan Hunt wrote:
> On Thu, May 06, 2021 at 11:57:58AM -0400, Dennis Clarke via bind-users wrote:
>> I do NOT trust a build result where I had to go hacking into all the
>> Makefiles just to get it to build. You install without doing testing?
>
> I think Ondr
On Thu, May 06, 2021 at 11:57:58AM -0400, Dennis Clarke via bind-users wrote:
> I do NOT trust a build result where I had to go hacking into all the
> Makefiles just to get it to build. You install without doing testing?
I think Ondrej just meant that we haven't put much emphasis on
d running `make check` is enough.
>
I do NOT trust a build result where I had to go hacking into all the
Makefiles just to get it to build. You install without doing testing?
Dennis
bind-users wrote:
>>>
>>> Hey there. I looked in the README and I don't see an INSTALL file at all
>>> so I have to assume that the testing docs exist somewhere.
>>
>> Have a look at
>>
>> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/bin/tests/
On 5/6/21 10:50, Tony Finch wrote:
> Dennis Clarke via bind-users wrote:
>>
>> Hey there. I looked in the README and I don't see an INSTALL file at all
>> so I have to assume that the testing docs exist somewhere.
>
> Have a look at
>
> https://gitlab.isc.org/i
Dennis Clarke via bind-users wrote:
>
> Hey there. I looked in the README and I don't see an INSTALL file at all
> so I have to assume that the testing docs exist somewhere.
Have a look at
https://gitlab.isc.org/isc-projects/bind9/-/tree/main/bin/tests/system
There are some more
Hey there. I looked in the README and I don't see an INSTALL file at all
so I have to assume that the testing docs exist somewhere.
I build 9.11.31 after wrangling the Makefile(s) everywhere and now I
have built a separate machine to run the tests. I needed that because
there are a bucket of
also applied to Rollovers and Deletes, but we have
> meanwhile lifted this restriction as it did not provide a security
> benefit and caused operational issues(for example, changing Nameserver
> operators)
> Some other restrictions however apply in all cases, for example, the CDS
>
Hi Jim
let me give you a bit more info
On April 9, 2021 8:23:48 PM UTC, Hugo Salgado wrote:
Switch has a website to test the CDS processing for .ch:
https://www.nic.ch/security/cds/
for domainmail.ch it says "The CDS configuration of the domain name
domainmail.ch will not be processed.
[ ..
On April 9, 2021 8:21:33 PM UTC, "John W. Blue via bind-users"
wrote:
>Sorry .. clicked send too soon.
>
>Found this via google:
>
>https://docs.gandi.net/en/domain_names/advanced_users/dnssec.html
>
>"You can not add DS keys as we compute it for you with the KSK or ZSK, then we
>send it to the
On April 9, 2021 8:23:48 PM UTC, Hugo Salgado wrote:
>Switch has a website to test the CDS processing for .ch:
> https://www.nic.ch/security/cds/
>
>for domainmail.ch it says "The CDS configuration of the domain name
>domainmail.ch will not be processed.
>[ ... ]
>The DNS query returned: "Server
Switch has a website to test the CDS processing for .ch:
https://www.nic.ch/security/cds/
for domainmail.ch it says "The CDS configuration of the domain name
domainmail.ch will not be processed.
[ ... ]
The DNS query returned: "Server failed to complete the DNS request".
"
You should check the
:12 PM
To: bind-users@lists.isc.org
Subject: Re: Testing KASP, CDS, and .ch
On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
> So the issue here is that the DS record that sit in .ch has an ID of 22048
> but the domainmail.ch servers are telling the world that the c
DNSSEC will be validated.
John
-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jim
Popovitch via bind-users
Sent: Friday, April 09, 2021 2:12 PM
To: bind-users@lists.isc.org
Subject: Re: Testing KASP, CDS, and .ch
On Fri, 2021-04-09 at 19:05
On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
> So the issue here is that the DS record that sit in .ch has an ID of 22048
> but the domainmail.ch servers are telling the world that the correct ID is
> 17870.
>
> Thus the DNSSEC breakage.
Of course, however there is no 2
Popovitch via bind-users
Sent: Friday, April 09, 2021 1:58 PM
To: bind-users@lists.isc.org
Subject: Testing KASP, CDS, and .ch
Hello!
I've read the "Schacher 20200622 Support for and adoption of CDS in .ch and
.li", and studied https://kb.isc.org/docs/dnssec-key-and-signing-policy
Hello!
I've read the "Schacher 20200622 Support for and adoption of CDS in .ch
and .li", and studied
https://kb.isc.org/docs/dnssec-key-and-signing-policy, however I've hit a brick
wall:
https://dnsviz.net/d/domainmail.ch/dnssec/
What am I missing?
I'm using the following policy and zone conf
s for these tips, this makes me feel a lot more confident that I'm on the
right track.
Regardless, I do hope your migration goes smooth!
John
-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bruce
Johnson
Sent: Wednesday, November 18, 2020 1
allow-transfer" and "allow-update" I don’t
think those are as important as disabling "also-notify".
Regardless, I do hope your migration goes smooth!
John
-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bruce
Johnson
Se
orches and pitchforks at my door for breaking
everything...
I've made some changes to the configuration (mostly removing zones and address
assignments that are no longer valid) and I'd like to bring it up for testing
so I know it’s working before we do the cutover to production.
If I
Working
Nuno
Sent from my Verizon 4G LTE Droid
On Feb 14, 2018 1:48 AM, Dan Mahoney wrote:
>
> Please ignore -- just testing post mailman upgrade.
>
> Best,
>
> -Dan Mahoney
> ISC Operations Group
Please ignore -- just testing post mailman upgrade.
Best,
-Dan Mahoney
ISC Operations Group
Hoi Tony,
Wednesday, August 30, 2017, 6:44:32 PM, you wrote:
> Grant Taylor wrote:
>>
>> There is additional footer content (as well as headers) in messages from the
>> mailing list.
>>
>> Does Gmail detect that and ignore it? Or is the message simply folded into
>> the conversation in Gmail?
On 8/30/17 12:44 PM, Tony Finch wrote:
> There are reasons I am no longer a postmaster...
And they all said Ramen...
AlanC
Grant Taylor wrote:
>
> There is additional footer content (as well as headers) in messages from the
> mailing list.
>
> Does Gmail detect that and ignore it? Or is the message simply folded into
> the conversation in Gmail?
No, I believe deduplication is based purely on the message-ID, but as f
On 08/30/2017 09:49 AM, Tony Finch wrote:
You seem to be using Gmail which does de-duplication across all messages
in your account, so your messages received from the list are deleted since
they are duplicates of the copies in your sent-mail folder.
There is additional footer content (as well a
Alan Clegg wrote:
>
> It appears that I just don't see my own posts for whatever reason. 8-)
You seem to be using Gmail which does de-duplication across all messages
in your account, so your messages received from the list are deleted since
they are duplicates of the copies in your sent-mail fol
On 8/30/17 11:25 AM, Adamiec, Lawrence wrote:
> I see your email on the list.
Thanks to those that have responded both on- and off-list.
It appears that I just don't see my own posts for whatever reason. 8-)
[You know how long it's been since I debugged a mailing list issue??!]
No additional r
... yes, yes you are.
I'm explicitly responding in case you have the mailman "Don't send me
my own posts" (not metoo) option.
W
On Wed, Aug 30, 2017 at 11:20 AM, Alan Clegg wrote:
> I don't think I can post to this list for some reason.
>
> I'd like to be able to respond to questions, but my re
I see your email on the list.
Thank you.
Larry
__
Lawrence Adamiec
Web Developer/UNIX Admin
Information Technology Services (ITS)
Chicago-Kent College of Law
Illinois Institute of Technology
565 W. Adams St.
Chicago, IL
60661
On Wed, Aug 30, 2017 at 10:2
I don't think I can post to this list for some reason.
I'd like to be able to respond to questions, but my responses never seem
to show up...
this is just a test to see if I am visible on the list.
Thanks!
AlanC
performance, there are multiple tools that could
generate/replay queries at high volume, just search the list, the topic was
discussed multiple times.
Emil
Original Message
Subject: Testing DNS security
Local Time: February 21, 2017 2:05 PM
UTC Time: February 21, 2017 12
Hi,
I have created a DNS server by using BIND and I have established security
policies
Now I want to test its performance before hosting it
Can you recommend me network simulators that allow to check its security ??
Thank you in advance.
Helpdesk 24/7 : 974-9900
On 6/22/16, 08:58, "Warren Kumari" wrote:
Kinda depends on what you are testing, but there is also Nominum's
dnsperf: http://nominum.com/measurement-tools/
This is easy to install, simple to use, and comes with a sample query file.
W
On Wed, Jun 22, 2016 at 8:48
Polo
On 6/24/16 6:29 PM, John W. Blue wrote:
Marco
Sent from Nine <http://www.9folders.com/>
*From:* Dan Mahoney
*Sent:* Jun 24, 2016 6:28 PM
*To:* bind-us...@isc.org
*Subject:* Testing
testing
Sorry for the noise, please ignore.
-Dan Mahoney
ISC Ops team
Marco
Sent from Nine<http://www.9folders.com/>
From: Dan Mahoney
Sent: Jun 24, 2016 6:28 PM
To: bind-us...@isc.org
Subject: Testing
testing
testing
Kinda depends on what you are testing, but there is also Nominum's
dnsperf: http://nominum.com/measurement-tools/
This is easy to install, simple to use, and comes with a sample query file.
W
On Wed, Jun 22, 2016 at 8:48 AM, Emil Natan wrote:
> queryperf, supplied with BIND, found under
queryperf, supplied with BIND, found under contrib.
What we usually do is "record" some real traffic, then run queryperf on
multiple machines against a server. If I'm not mistaken similar topic was
discussed here recently so you can search the archives.
Emil
On Wed, Jun 22, 2016 at 3:34 PM, King,
I have a new DNS BIND setup that I need to stress test. There are many test for
hitting a web server to simulate traffic, but I can’t find a one for doing the
same thing to a DNS server. Does anyone have any recommendations?
--
Hal King - h...@utk.edu
Systems Administrator
Office of Informati
Hello,
Is it possible to test DNS delegation using 2 Linux devices running RHEL
Version 6.1 and bind-9.8.2
What changes would be required in named.conf or Zone Files in order to test this
P.S: This is just for my learning purpose, as I am unable to understand how the
Tiered architecture wor
> My lesson is - besides just working out the configuration - testing
> RFC5011 takes more patience than just about any other feature of
> DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have.
Yup. I learned that as well.
As a side note: can you imagine my surprise wh
> By default it dumps its output to a file; you can use `rndc secroots -`
> to get output on stdout.
Using "-" to get it to dump the secroots output to stdout is a new
feature added for 9.11. That hasn't been published yet, but if you build
from the source tree at source.isc.org (like Tony does),
On 4/21/15, 10:15, "Warren Kumari" wrote:
>
>From the ARM:
Sigh, RTFM...(My, BIND's gotten a lot more complicated/feature-rich since
I last read the docs.)
Hey, it's there.
On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis wrote:
> On 4/21/15, 9:45, "Tony Finch" wrote:
>>rndc secroots
>>
>>You can also look in the .mkeys file.
>
> I tried secroots with my set up, I got nothing despite the mkeys file.
> (Kind of asking - does that work?):
>
> (I had my rndc port bumped o
Edward Lewis wrote:
>
> I tried secroots with my set up, I got nothing despite the mkeys file.
> (Kind of asking - does that work?):
By default it dumps its output to a file; you can use `rndc secroots -`
to get output on stdout.
Tony.
--
f.anthony.n.finch http://dotat.at/
Hebrides, Bailey:
On 4/21/15, 9:45, "Tony Finch" wrote:
>rndc secroots
>
>You can also look in the .mkeys file.
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
(I had my rndc port bumped out of sudo-land, so it's overridden:)
$ rndc -p 1953 -c rndc.conf
Edward Lewis wrote:
>
> I have a suggestion - is there a way to query a BIND server for its trust
> anchor key set?
rndc secroots
(though this only provides the key tags not the public key data)
> I say perhaps unnecessary because the information may be available on
> disk (which an administra
sn't keeping up with the rolls - I had neglected to
speed up its clock. Once I did that, it worked.
My lesson is - besides just working out the configuration - testing
RFC5011 takes more patience than just about any other feature of
DNS/DNSSEC. RFC5011 is the most wall-clock drive
On Mon, Apr 20, 2015 at 4:33 PM, Evan Hunt wrote:
> On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
>> That page says (for BIND):
>> "Note: When using this config file you will probably need to delete
>> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mke
On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
> That page says (for BIND):
> "Note: When using this config file you will probably need to delete
> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys*
> every time you restart BIND after missing a keyrol
On Mon, Apr 20, 2015 at 3:41 PM, Edward Lewis wrote:
> Thanks. rm'd the file and added the timers. (I did that also after
> sending, so it is the deleting the old file that did the trick.) The
> start-up lines look good.
>
> Got an AD bit again too.
>
> (I may have a few more issues as I move t
Thanks. rm'd the file and added the timers. (I did that also after
sending, so it is the deleting the old file that did the trick.) The
start-up lines look good.
Got an AD bit again too.
(I may have a few more issues as I move this off a laptop on to a regular
machine. Right now it helps know
On Mon, Apr 20, 2015 at 06:42:42PM +, Edward Lewis wrote:
> Being that I'm working on a laptop (hence on on over the weekend) I've had
> to recreate the environment today. I'm a bit more puzzled now.
There's a separate file that named creates to keep the current
managed keys state information
Thanks to Evan for the last look and thanks to Jan-Piet for the suggestion
to go to 9.10.2.
Being that I'm working on a laptop (hence on on over the weekend) I've had
to recreate the environment today. I'm a bit more puzzled now.
I've built and installed BIND 9.10.2. Using http://keyroll.system
Edward,
the subject of this message piqued my interest ;-)
> 17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf
Very ouch. Much pain. Lots frustration. Many hairpulls. Mucho crash. ;)
Upgrade to 9.10.2 [1] in which Evan fixes the CVE we discovered on
RFC5011 rolls and, thankfully,
Thanks. Now have 'ad' bits via both BIND and unbound.
Will let you know when I've shot myself in the foot.
On 4/17/15, 12:45, "Evan Hunt" wrote:
...
>instead of waiting a full 30 days. (This is, I hope obviously, *not*
>something you want to run in production. :) )
that you can't
trust a new key until it's been in the DNSKEY rrset for at least a month.
To enable testing in a reasonable time, there's an undocumented
option to named that redefines time units for RFC 5011 purposes:
$ named -T mkeytimers=2/5/60
The numbers between the slas
I am building named and unbound recursive servers to follow a test of RFC
5011 trust anchor updates, the experiment is documented at
http://keyroll.systems. One reason why I'm asking here is in
http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/
which mentions some issues with RFC 5
z-passthru.
*.205.132.in-addr.arpa CNAME rpz-passthru.
16.0.0.205.132.rpz-ip CNAME rpz-passthru.
... and for a patch site:
12.0.0.0.23.rpz-ip CNAME rpz-passthru. ; Akamai
(Note that I added the in-addr.arpa lines just lately, and
haven't re-run the tests with
On 06/01/15 22:52, Anne Bennett wrote:
I don't know what to make of this; it looks as though the
technology is several years old, and my experience with ISC
bind is usually excellent. Has anyone else encountered this
type of flakiness?
No, but we're not using client-ip RPZ, just qname-based b
hose RPZs, and *do* use them for policy.
>
> My set-up works, but sporadically - it's as though the RPZs wink
> in and out of use for no apparent reason, even when I'm not
> changing the data. At one point while testing last December,
> my by-client-IP test quarantine ru
e for no apparent reason, even when I'm not
changing the data. At one point while testing last December,
my by-client-IP test quarantine rule just stopped matching
(based on no logged hits, and no redirection of my queries
from the quarantined host). Only a restart of named on the
resolver br
Sorry for the noise.
-Dan
Sorry for the noise.
-Dan Mahoney
ISC
Hi,
First post here!
At my current occupation we rely heavily on our internal DNS operating
correctly.
And I got involved on how we would do change management, or specifically
unit test our existing configuration.
I got interested and started a personal project of mine, currently named
"bsa" for
interesting output
tests.sh: line 130: 31718 Aborted (core dumped)
$NSUPDATE -l -p 5300 -k ns1/session.key > nsupdate.out 2>&1 <
> From: dan.lut...@level3.com
> To: bind-us...@isc.org
> Subject: Compiling and testing on Fedora
> Date: Wed, 20 Jun 2012
On 21/06/12 15:21, Lightner, Jeff wrote:
Turning off SELinux also requires a reboot after changing mode.
"setenforce 0" does not require a reboot.
: Compiling and testing on Fedora
Did you turn OFF SELinux?
prompt>setenforce 0
Then run the test,
> From: dan.lut...@level3.com<mailto:dan.lut...@level3.com>
> To: bind-us...@isc.org<mailto:bind-us...@isc.org>
> Subject: Compiling and testing on Fedora
> Date: Wed, 20 Jun
Did you turn OFF SELinux?
prompt>setenforce 0
Then run the test,
> From: dan.lut...@level3.com
> To: bind-us...@isc.org
> Subject: Compiling and testing on Fedora
> Date: Wed, 20 Jun 2012 23:33:08 +
>
> Hi all,
>
> I've had a major problem with
I don't immediately recognize the issue. But hopefully the detailed
named debugging output is saved. Look for the "*.run" (maybe named.run)
files.
Hi all,
I've had a major problem with using Fedora Core (10 through 15), when compiling
and running "make test":
A:System test acl
I:Couldn't start server ns2 (pid=17344)
R:FAIL
S:allow_query:Wed Jun 20 23:21:47 GMT 2012
T:allow_query:1:A
A:System test allow_query
I:Couldn't start server ns2 (p