Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 06:06:16AM +, Evan Hunt wrote a message of 22 lines which said: > Is there a requirement that Dr. Bernstein must personally do the dancing? > Let someone else write the RFC, if it needs writing. Also, there are not only RFCs. Standards can be described by other mea

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 07:28:48PM -0800, Michael Sinatra wrote a message of 34 lines which said: > While I think the OpenDNS people (especially David U., their > founder) have a huge amount of clue, I think they're barking up the > wrong tree here. On the other hand, they are crystal-clear:

Re: Blacklisting private address range

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:56:55PM -0500, Diosney Sarmiento Herrera wrote a message of 20 lines which said: > Have any sense to blacklist the private address ranges on a server > that is facing Internet? I am not sure I parse your sentence correctly but maybe you refer to the "Rebinding prev

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 11:32:35AM +1100, Mark Andrews wrote a message of 35 lines which said: > Turn the debugging up to 3. With 'severity debug 30', all I get is: 24-Feb-2010 10:17:01.047 update: debug 8: client ::1#45986: updating zone 'toto.fr/IN': prerequisites are OK 24-Feb-2010 10:1

Re: Blacklisting private address range

2010-02-24 Thread Bill Larson
On Feb 23, 2010, at 7:56 PM, Diosney Sarmiento Herrera wrote: Hi! Have any sense to blacklist the private address ranges on a server that is facing Internet? I mean, this address ranges is not even routed on the Internet. There is a trick about this? No trick, it is commonly done.

Re: Differences between 9.3 and later versions

2010-02-24 Thread Matus UHLAR - fantomas
> On Feb 23 2010, Matus UHLAR - fantomas wrote: >> since 9.5, the default for allow-recursion is { localhost; localnets; >> }; previous versions used iirc { all; }; On 23.02.10 16:48, Chris Thompson wrote: > Actually, that change was made in 9.4. (Some of the cross-inheritance of > the different

Re: hosts or subnet number in delegation?

2010-02-24 Thread Matus UHLAR - fantomas
On 23.02.10 23:01, sasa sasa wrote: > for a 192.168.199.64/26 in zone file to delegate to a customer; > should i put subnet number: > > 64/26 IN NS ns1.example.com. > 64/26 IN NS ns2.example.com. > > or host ranges: > > 64-126 IN NS ns1.example.com. > 64-126 IN NS ns2.example.com. > > . > . > $

Modifying a response

2010-02-24 Thread Peter Andreev
Hello, everybody. Is it possible to modify responses on caching server side? For example: if user asks for non-existent domain, caching server replies with some address and no-error rcode. ___ bind-users mailing list bind-users@lists.isc.org https://lis

Re: Modifying a response

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 01:28:09PM +0300, Peter Andreev wrote a message of 31 lines which said: > Is it possible to modify responses on caching server side? Not with BIND (short of modifying the source code). Other name servers may do it

Re: Fwd: IPv6 client and negative cache - some doubts

2010-02-24 Thread Sam Wilson
In article , Michal Wesolowski wrote: > My server is caching only, I don't administer ns*.az.pl servers. I'm just > trying to understand if bind copes well with such an external error. As you > pointed out both servers fail in some (different) way but second one does > this only when queried f

Re: Fwd: IPv6 client and negative cache - some doubts

2010-02-24 Thread Sam Wilson
In article , Mark Andrews wrote: > In message , > Michal Wesolowski writes: > > > > After some reading my present understanding is that correct response to > > > > query when there is such record in the zone and there exists another record > > of different type for the same name - is

Re: Modifying a response

2010-02-24 Thread Peter Andreev
2010/2/24 Stephane Bortzmeyer > On Wed, Feb 24, 2010 at 01:28:09PM +0300, > Peter Andreev wrote > a message of 31 lines which said: > > > Is it possible to modify responses on caching server side? > > Not with BIND (short of modifying the source code). Other name servers > may do it >

Re: Modifying a response

2010-02-24 Thread Alan Clegg
Peter Andreev wrote: > > For example: if user asks for non-existent domain, caching server > > replies with some address and no-error rcode. > > _Extremely_ bad idea. > > > Yes, I know, but boss is boss and task is task :). > > Thank you very much for your answer. You might want t

Re: Modifying a response

2010-02-24 Thread Peter Andreev
2010/2/24 Alan Clegg > Peter Andreev wrote: > > > > For example: if user asks for non-existent domain, caching server > > > replies with some address and no-error rcode. > > > > _Extremely_ bad idea. > > > > > > Yes, I know, but boss is boss and task is task :). > > > > Thank you very

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer wrote a message of 39 lines which said: > With 'severity debug 30', all I get is: And, for a successful dynamic update (it works with A records): 24-Feb-2010 14:31:44.803 update: debug 8: client ::1#13202: updating zone 'toto.fr/

RE: Query denied errors on PTR records for delegated zone

2010-02-24 Thread Lightner, Jeff
Nice write up. It explains WHY we had the weird delegation on switching carriers a few years back and also explains why I had to put my kluge in. However, I wonder how easy it is in practice to get a company the size of AT&T to do individual delegations for dozens or hundreds of IPs? You mention

Re: BIND 9.6.2rc1 make test question

2010-02-24 Thread Stacey Jonathan Marshall
On 02/15/10 20:25, John Center wrote: Hi, I just built BIND 9.6.2rc1 & make test passes except for the following: A:the dst module provides the capability to verify data signed with the RSA and DSA algorithms I:testing t2_data_1, t2_dsasig, test., 23616, DST_ALG_DSA, ISC_R_SUCCESS I:testing t

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer wrote a message of 39 lines which said: > 24-Feb-2010 10:17:01.057 update: error: client ::1#45986: updating zone > 'toto.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space Adding a fair amount of debugging traces, I can get

Re: Modifying a response

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 11:37:29AM +0100, Stephane Bortzmeyer wrote a message of 18 lines which said: > Other name servers may do it http://www.unbound.net/documentation/pythonmod/index.html http://www.unbound.net/documentation/pythonmod/examples/example3.html

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
reply below On Wed, Feb 24, 2010 at 1:06 AM, Evan Hunt wrote: > > > I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is > > full of wackos. So it is unlikely he will ever be bothered to dance the > > IETF RFC jig. > > Is there a requirement that Dr. Bernstein must personally

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 1:13 AM, Michael Sinatra < mich...@rancid.berkeley.edu> wrote: > As someone who both signs his production zones and does DNSSEC validation, > I can assure you that DNSSEC works. But you've done as good a job as I can > imagine in making the case for DNScurve. > Done. regar

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Michael Sinatra
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote: DNScurve advocates, on the other hand, point out that DNS isn't encrypted. Well, neither is the phone book. So what? So the protocol is vulnerable to both local and remote forgery attacks, just like other unencrypted protocols

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > That's not the case with DNScurve. Again I stress - over 20 billion > requests per day at OpenDNS are DNScurve compatible. The traffic in > DNSSEC is chicken feed compared to DNScurve. Joe, The fact that queries hit servers that are DNScurve capable does not mean that they ar

Re: Query denied errors on PTR records for delegated zone

2010-02-24 Thread Matus UHLAR - fantomas
On 24.02.10 08:31, Lightner, Jeff wrote: > From: "Lightner, Jeff" > Date: Wed, 24 Feb 2010 08:31:44 -0500 > Subject: RE: Query denied errors on PTR records for delegated zone > To: Jonathan de Boyne Pollard , > BIND users mailing list > > Nice write up. It explains WHY we had the weird de

Re: Query denied errors on PTR records for delegated zone

2010-02-24 Thread Matus UHLAR - fantomas
sorry for the first post, accidentally hit send instead of drop... On 24.02.10 08:31, Lightner, Jeff wrote: > Nice write up. It explains WHY we had the weird delegation on switching > carriers a few years back and also explains why I had to put my kluge > in. > > However, I wonder how easy it is

Re: Blacklisting private address range

2010-02-24 Thread Tony Finch
On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote: > On Tue, Feb 23, 2010 at 09:56:55PM -0500, > Diosney Sarmiento Herrera wrote: > > > Have any sense to blacklist the private address ranges on a server > > that is facing Internet? > > I am not sure I parse your sentence correctly but maybe you ref

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Tony Finch
On Tue, 23 Feb 2010, Joe Baptista wrote: > > Let's not forget the IETF has had 15 years to secure the DNS. The result is > the DNSSEC abortion. It has failed. It looks pretty lively to me. DNSSEC has multiple interoperable implementations, and it will be deployed in the most important zones this ye

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Evan Hunt
> That's not the case with DNScurve. Again I stress - over 20 billion > requests per day at OpenDNS are DNScurve compatible. The traffic in > DNSSEC is chicken feed compared to DNScurve. ORG and GOV and quite a lot of the ccTLDs are "DNSSEC compatible", so I don't actually think it'd be much of a

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Paul Wouters
On Wed, 24 Feb 2010, Tony Finch wrote: On Tue, 23 Feb 2010, Joe Baptista wrote: Let's not forget the IETF has had 15 years to secure the DNS. The result is the DNSSEC abortion. It has failed. It looks pretty lively to me. DNSSEC has multiple interoperable implementations, and it will be deplo

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Chris Thompson
On Feb 24 2010, Evan Hunt wrote: That's not the case with DNScurve. Again I stress - over 20 billion requests per day at OpenDNS are DNScurve compatible. The traffic in DNSSEC is chicken feed compared to DNScurve. ORG and GOV and quite a lot of the ccTLDs are "DNSSEC compatible", so I don't ac

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Sam Wilson
In article , Chris Thompson wrote: > On Feb 24 2010, Evan Hunt wrote: > > >> That's not the case with DNScurve. Again I stress - over 20 billion > >> requests per day at OpenDNS are DNScurve compatible. The traffic in > >> DNSSEC is chicken feed compared to DNScurve. > > > >ORG and GOV and quite

Re: Blacklisting private address range

2010-02-24 Thread Warren Kumari
On Feb 24, 2010, at 11:23 AM, Tony Finch wrote: On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote: On Tue, Feb 23, 2010 at 09:56:55PM -0500, Diosney Sarmiento Herrera wrote: Have any sense to blacklist the private address ranges on a server that is facing Internet? I am not sure I parse your

Random slow queries

2010-02-24 Thread Mike Chesney
Running Bind 9.6.1-P3 We run authoritative DNS for 60k+ zones. On one network we have two dns servers both running the same hardware on Centos 5.4 We see slow dns responses : example for i in {1..250}; do dig example.com @localhost | grep "Query time:"; done; Sometimes they'll all come back w/

Zone transfers from slaves to slaves?

2010-02-24 Thread Dan Letkeman
Hello, I think I have a configuration issue somewhere. It looks like from the logs that my master server is notifying the slaves correctly, but then the other slaves are also notifying the slaves as well. 172.16.0.100 is the master 172.16.0.101 is 1st slave 172.16.0.102 is 2nd slave Here is a l

Re: Zone transfers from slaves to slaves?

2010-02-24 Thread Alan Clegg
Dan Letkeman wrote: > I think I have a configuration issue somewhere. It looks like from > the logs that my master server is notifying the slaves correctly, but > then the other slaves are also notifying the slaves as well. > > 172.16.0.100 is the master > 172.16.0.101 is 1st slave > 172.16.0.10

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread bsfinkel
Joe Baptista wrote: >Someone else has written the RFC draft - which see http://bit.ly/b5mFkV That draft has this text, "Expires: February 27, 2010" [3 days from today]. I am not sure what an expiration date means officially on a draft RFC.

RE: BIND 9.6.2rc1 make test question

2010-02-24 Thread John Center
Hi Stace, Sorry, I didn't think this was necessarily a Solaris problem. I'm running this on Solaris 10 (SPARC 64bit), built with Sun Studio 12.1. Why did it occur on OpenSolaris? Thanks. -John From: stacey.marsh...@sun.com [stacey.marsh...@sun.co

RE: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Lightner, Jeff
From the BCP79 referenced at top of the draft: " d. "Internet-Draft": temporary documents used in the IETF and RFC Editor processes. Internet-Drafts are posted on the IETF web site by the IETF Secretariat and have a nominal maximum lifetime in the Secretariat's public directory

Re: Fwd: IPv6 client and negative cache - some doubts

2010-02-24 Thread Mark Andrews
In message , Sam Wilson writes: > In article , > Mark Andrews wrote: > > > In message , > > Michal Wesolowski writes: > > > > > > After some reading my present understanding is that correct response to > > > > > > query when there is such record in the zone and there exists anothe

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Mark Andrews
In message <20100224091831.ga3...@nic.fr>, Stephane Bortzmeyer writes: > On Wed, Feb 24, 2010 at 11:32:35AM +1100, > Mark Andrews wrote > a message of 35 lines which said: > > > Turn the debugging up to 3. > > With 'severity debug 30', all I get is: > > 24-Feb-2010 10:17:01.047 update: deb

Re: Zone transfers from slaves to slaves?

2010-02-24 Thread Mark Andrews
In message <4b8586a0.2030...@isc.org>, Alan Clegg writes: > Dan Letkeman wrote: > > > I think I have a configuration issue somewhere. It looks like from > > the logs that my master server is notifying the slaves correctly, but > > then the other slaves are also notifying the slaves as well. > >

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 11:33 AM, Evan Hunt wrote: > > That's not the case with DNScurve. Again I stress - over 20 billion > > requests per day at OpenDNS are DNScurve compatible. The traffic in > > DNSSEC is chicken feed compared to DNScurve. > > ORG and GOV and quite a lot of the ccTLDs are "DN

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > [] I guess that depends on if DNSSEC > is turned on by default in BIND. Incidentally - is it? dnssec-enable yes; and dnssec-validation yes; are the defaults since BIND 9.5 Serving signed zones requires signed zone data to serve. Validation requir

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:08 PM, Alan Clegg wrote: > > dnssec-enable yes; > and > dnssec-validation yes; > > are the defaults since BIND 9.5 > > How do I turn it off. Thanks joe

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > dnssec-enable yes; > and > dnssec-validation yes; > > are the defaults since BIND 9.5 > > > How do I turn it off. Since you edited out the most important part of my post, I'll repeat it here before I answer your question: Serving signed zones requ

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Evan Hunt
> It's going to be interesting to watch. I guess that depends on if DNSSEC is > turned on by default in BIND. Incidentally - is it? That depends on what you mean by "turned on". The DNSSEC protocol is enabled, and the DO bit is set in queries, so authoritative servers with signed data will send i

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Paul Wouters
On Thu, 25 Feb 2010, Evan Hunt wrote: It's going to be interesting to watch. I guess that depends on if DNSSEC is turned on by default in BIND. Incidentally - is it? That depends on what you mean by "turned on". The DNSSEC protocol is enabled, and the DO bit is set in queries, so authoritativ