Re: Magic for NSEC3

2009-01-07 Thread B C
On Mon, Jan 5, 2009 at 5:57 PM, Jim wrote: > While testing our DNSSEC signing product, I found that the expense of > signing with NSEC3 versus NSEC was very data dependent. In TLD type > zones with a sparse number of records that needed to be signed, > signing time could be reduced from hours to

Bind9 Kerberos authentication

2009-01-07 Thread Da Rock
I'm trying to find some more clarification on how to use kerberos for dnssec. I thought it may have been possible a while ago, was told there was only tsig, then found a reference to it in the Administrators guide. I've been trying to find a tutorial or howto (or at least something) on google but

named's "/dev/random" error on AIX

2009-01-07 Thread 蚂蚁蚂蚁
System info: AIX 5.3. BIND info: 9.6.0. When I start up named, I get several errors about "/dev/random": #./named -g -d 99 07-Jan-2009 14:10:14.716 starting BIND 9.6.0 -g -d 99 07-Jan-2009 14:10:14.716 built with '--prefix=/data/aibind' '--enable- threads' '--with-randomdev=/dev/urandom' '--with-

Special property of default_debug logging channel

2009-01-07 Thread Chris Thompson
To quote from the ARM: | The default_debug channel has the special property that it only | produces output when the server's debug level is nonzero. Is it possible to define one's own logging channels that behave similarly? Just specifying "severity dynamic" is not enough: one gets info level

Re: named's "/dev/random" error on AIX

2009-01-07 Thread Chris Buxton
On Jan 6, 2009, at 11:11 PM, 蚂蚁蚂蚁 wrote: System info: AIX 5.3. BIND info: 9.6.0. When I start up named, I get several errors about "/dev/random": #./named -g -d 99 07-Jan-2009 14:10:14.716 starting BIND 9.6.0 -g -d 99 07-Jan-2009 14:10:14.716 built with '--prefix=/data/aibind' '--enable- threads

RE: named's "/dev/random" error on AIX

2009-01-07 Thread Hajducko, Steven
If your AIX system doesn't have a /dev/random or /dev/urandom, try the following - Get the correct major number from the system ( 56 in this case ) r...@dimqswlv2:/ ==> # odmget CuDvDr | grep -p random CuDvDr: resource = "ddins" value1 = "random" value2 = "56" val

Re: Bind9 Kerberos authentication

2009-01-07 Thread Rob Austein
At Wed, 07 Jan 2009 09:51:07 +1000, Da Rock wrote: > > I'm trying to find some more clarification on how to use kerberos for > dnssec. I thought it may have been possible a while ago, was told there > was only tsig, then found a reference to it in the Administrators guide. > > I've been trying to

Ever growing jnl files

2009-01-07 Thread Nicholas F Miller
We have a few dynamic zones that are provisioned using Addhost. When addhost adds records to the zone every night it will run "nsupdate < update.file". The update.file will contain records like these: prereq yxrrset machine.colorado.edu. in a update delete machine.colorado.edu. in a prereq

Re: Ever growing jnl files

2009-01-07 Thread Scott Baker
Nicholas F Miller wrote: > We have a few dynamic zones that are provisioned using Addhost. When > addhost adds records to the zone every night it will run "nsupdate < > update.file". The update.file will contain records like these: > > prereq yxrrset machine.colorado.edu. in a > update delete mac

Re: Ever growing jnl files

2009-01-07 Thread Mike Eggleston
On Wed, 07 Jan 2009, Nicholas F Miller might have said: > We have a few dynamic zones that are provisioned using Addhost. When > addhost adds records to the zone every night it will run "nsupdate < > update.file". The update.file will contain records like these: > > prereq yxrrset machine.col

Named goes deaf

2009-01-07 Thread Scott Haneda
Hello, running BIND 9.4.2-P2 on OS X 10.5, this is just what comes with OS X out of the box. Today, my secondary NS provider could not zone transfer. I looked into it and could not telnet to port 53, connection refused. This happens quite often on my friend's machine, but he runs OS X 10.3

Re: Ever growing jnl files

2009-01-07 Thread Jonathan Petersson
I've seen similar behaviors in earlier versions of BIND as well. Since it doesn't seem to impact performance etc. I haven't really bothered with it. What you can do is to run an rndc freeze/thaw, this will check out the journal file. /Jonathan On Wed, Jan 7, 2009 at 10:30 AM, Nicholas F Miller wr

Re: Ever growing jnl files

2009-01-07 Thread Nicholas F Miller
All good suggestions. We have given them both some thought. I was just wondering if there was a problem with the way we were doing things. Nicholas Miller, ITS, University of Colorado at Boulder On Jan 7, 2009, at 11:34 AM, Mike Eggleston

BIND 9.6.0-P1 is now available

2009-01-07 Thread Rob_Austein
BIND 9.6.0-P1 is now available. BIND 9.6.0-P1 is a SECURITY patch for BIND 9.6.0. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones. Bugs should be reported

BIND 9.5.1-P1 is now available

2009-01-07 Thread Rob_Austein
BIND 9.5.1-P1 is now available. BIND 9.5.1-P1 is a SECURITY patch for BIND 9.5.1. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones. Bugs should be reported t

BIND 9.4.3-P1 is now available

2009-01-07 Thread Rob_Austein
BIND 9.4.3-P1 is now available. BIND 9.4.3-P1 is a SECURITY patch for BIND 9.4.3. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones. Bugs should be reported t

BIND 9.3.6-P1 is now available

2009-01-07 Thread Rob_Austein
BIND 9.3.6-P1 is now available. BIND 9.3.6-P1 is a SECURITY patch for BIND 9.3.6. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones. Bugs should be reported t

BIND Security Advisory (CVE-2009-0025; Severity: Low)

2009-01-07 Thread Rob_Austein
Internet Systems Consortium Security Advisory. BIND: EVP_VerifyFinal() and DSA_do_verify() return checks. 7 January 2009 Versions affected: BIND 9.0 (all versions) BIND 9.1 (all versions) BIND 9.2 (all versions)

Problem resolving "www.lmsintl.com"

2009-01-07 Thread Apisa, Kathy (US - MABS)
I am running bind 9,4.2-P2 on windows and can resolve all external domain names with the exception of www.lmsintl.com Doing a "dig www.lmsintl.com +trace" returns the proper address If I do a ping or nslookup on www.lmsintl.com

Re: Ever growing jnl files

2009-01-07 Thread Jeremy C. Reed
On Wed, 7 Jan 2009, Mike Eggleston wrote: > On Wed, 07 Jan 2009, Nicholas F Miller might have said: > > > We have a few dynamic zones that are provisioned using Addhost. When > > addhost adds records to the zone every night it will run "nsupdate < > > update.file". The update.file will contai

Re: Problem resolving "www.lmsintl.com"

2009-01-07 Thread Josh Kuo
Make sure your Windows client is not appending any additional suffix to your domain name by adding a . to the end of your domain name. So for example, your nslookup command should look something similar to this: nslookup www.lmsintl.com. What happens when you do "dig www.lmsintl.com. a"? Does it

Re: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

2009-01-07 Thread bsfinkel
Echoing a complaint made recently -- I saw the announcements of the -P1 patch for the various supported versions of BIND via the bind-users digest. I used to get them also via some -announce list at ISC, I do not remember the name, maybe bind-annou...@isc.org . And I noticed that the list archive

RE: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

2009-01-07 Thread Jason Mitchell
Hi Barry, https://lists.isc.org/pipermail/bind-users/ Cheers, Jason -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of bsfin...@anl.gov Sent: Thursday, 8 January 2009 9:15 AM To: bind-users@lists.isc.org Subject: Re: BIND 9.6

Re: BIND 9.6.0-P1 is now available (rob_aust...@isc.org)

2009-01-07 Thread Andy Shellam
Also https://lists.isc.org/pipermail/bind-announce/ carries the announcements archive. Regards, Andy Jason Mitchell wrote: Hi Barry, https://lists.isc.org/pipermail/bind-users/ Cheers, Jason -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.

Re: Ever growing jnl files

2009-01-07 Thread Mark Andrews
see max-journal-size ; In message , Nicholas F Mill er writes: > We have a few dynamic zones that are provisioned using Addhost. When > addhost adds records to the zone every night it will run "nsupdate < > update.file". The update.file will contain records like these: > > prereq yxr

problem with nsupdate

2009-01-07 Thread Oliver Block
Hello everybody, I was trying to get nsupdate creating an A Record for a subdomain. I was following one of the tutorials out there in the web. After I finished everything I received the following (manually obscured) output from nsupdate -d: Creating key... Outgoing update query: ;; ->>HEADER<<

Conflicting glue records?

2009-01-07 Thread Milo Hyson
If different registrars contain different host records for the same name server, what glue records are established in the root servers? Suppose two domains at different registrars both list ns1.mydomain.com as a nameserver but each gives a different IP. Are the results undefined? Is there s

Re: Conflicting glue records?

2009-01-07 Thread Dawn Connelly
Each registrar pushes the information that they have. So if you have apples.com with an NS record of ns1.dns.com==137.161.0.1 and oranges.com with a NS record of ns1.dns.com=137.161.0.2, when people query for apples, they will get the .1 address and when they query for oranges.com they will get the

Re: Conflicting glue records?

2009-01-07 Thread Barry Margolin
In article , "Dawn Connelly" wrote: > Each registrar pushes the information that they have. So if you have > apples.com with an NS record of ns1.dns.com==137.161.0.1 and > oranges.com with a NS record of ns1.dns.com=137.161.0.2, when people > query for apples, they will get the .1 address and whe

Re: problem with nsupdate

2009-01-07 Thread Doug Barton
Oliver Block wrote: > I CAN SEE NO ERROR MESSAGE. The server log is usually informative in these situations. hth, Doug ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: Conflicting glue records?

2009-01-07 Thread Doug Barton
Milo Hyson wrote: > If different registrars contain different host records for the same name > server, what glue records are established in the root servers? Suppose > two domains at different registrars both list ns1.mydomain.com as a > nameserver but each gives a different IP. Are the results und