On 02/08/2022 18:46, Bhangui, Sandeep - BLS CTR via bind-users wrote:
Hello all
We are getting ready to test Bind 9.18.x. Currently we are running the
latest version of 9.16.x branch.
We have downloaded and successfully installed the jemalloc module on the
Server (RHEL 7.9 OS) and getting r
On Tue, Aug 02, 2022 at 02:04:22PM -0400, Timothe Litt wrote:
! On 02-Aug-22 13:18, Peter wrote:
! > On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:
! > !
On Wed, Aug 03, 2022 at 04:49:35PM +1000, Mark Andrews wrote:
! Additionally authoritative servers for a zone are supposed to answer queries
with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED
is the wrong answer if the query name involves zones you serve. Only if you a
Hey,
I just want to add that there is a better way to do this in iptables
with hashlimit. The normal rate limit in iptables is too crude.
Below is an example from the rate-limit-chain, to which you simply send
all port 53 traffic from the INPUT chain (make sure to exclude
127.0.0.1/127.0.0.5
I think the best way to soften the effect, and make DNSSEC much less
brittle, without losing any of the security, is to reduce the TTL of the DS
record in the parent zone (usually TLDs) drastically - from 2 days to like
30 minutes. That allows quick recovery from a failure. I realize that
will c
Part of my problem is that caching does not seem to be working in my
internal view.
Something is happening such that my internal systems AND the server
itself cannot resolve names and loses it even 5 min later, indicating
not caching.
I read https://kb.isc.org/docs/aa-00851
In my include f
Thanks. I will look into this.
On 8/3/22 07:47, Victor Johansson via bind-users wrote:
Hey,
I just want to add that there is a better way to do this in iptables
with hashlimit. The normal rate limit in iptables is too crude.
Below is an example from the rate-limit-chain, to which you simpl
Hi Robert.
May we see the file /etc/resolv.conf and your BIND configuration? It's
difficult to guess what might be going on with only a small snippet of
information.
If you "ping somewhere" (or "ssh a-server", or whatever) the OS will
consult resolv.conf to determine where to send DNS queries. If t
On 03-Aug-22 09:27, Bob Harold wrote:
I think the best way to soften the effect, and make DNSSEC much less
brittle, without losing any of the security, is to reduce the TTL of
the DS record in the parent zone (usually TLDs) drastically - from 2
days to like 30 minutes. That allows quick reco
Am 2022-08-03 15:27, schrieb Bob Harold:
I think the best way to soften the effect, and make DNSSEC much less
brittle, without losing any of the security, is to reduce the TTL of
the DS record in the parent zone (usually TLDs) drastically - from 2
days to like 30 minutes. That allows quick reco
> One more thing should *in theory* not matter much. Personally, I'm not too
> happy about short TTLs. This trend is likely significantly undermining the
> stability and redundancy of the internet as a whole already.
In the days of limited, expensive hardware and slow links, long TTLs made
sens
thanks Greg. Yes I need to figure out how to troubleshoot this. But
here is some stuff:
# cat resolv.conf
# Generated by NetworkManager
search attlocal.net htt-consult.com
nameserver 23.123.122.146
nameserver 2600:1700:9120:4330::1
My server is 23.123.122.146. That IPv6 addr is my ATT router.
On 03-Aug-22 10:53, bind-users-requ...@lists.isc.org wrote:
# cat resolv.conf
My server is 23.123.122.146. That IPv6 addr is my ATT router.
You don't want to do that. The ATT router will not know how to resolve
internal names. There is no guarantee that your client resolver will
try name
On 8/2/22 3:29 PM, Robert Moskowitz wrote:
My clients use my internal view. My external view has:
match-clients { any; };
match-destinations { any; };
allow-query { any; };
allow-query-cache { localhost; };
recursion no;
it's been a while but I do
I see a two-fold issue with DNSSEC:
1. The widespread tutorials seem to explain a key rollover as an
exceptional activity, a *change* that is infrequently done. And
changes, specifically the infrequent ones, bring along the
possibility of failure, mostly due to human error.
I don't s
On 8/2/22 3:15 PM, Grant Taylor via bind-users wrote:
It looks like you're dealing with A queries for the root domain. I've
blocked this, and similar queries, via iptables firewall in the past.
I've seen a number of responses to Robert's "Stopping ddos" thread
discussing using firewalls (ipta
On 8/3/22 11:35, Timothe Litt wrote:
On 03-Aug-22 10:53, bind-users-requ...@lists.isc.org wrote:
# cat resolv.conf
My server is 23.123.122.146. That IPv6 addr is my ATT router.
You don't want to do that. The ATT router will not know how to
resolve internal names. There is no guarantee
I generally agree with you - comments in line
On 8/3/22 5:56 PM, Peter wrote:
I see a two-fold issue with DNSSEC:
1. The widespread tutorials seem to explain a key rollover as an
exceptional activity, a *change* that is infrequently done. And
changes, specifically the infrequent ones,
Try
echo -e "[main]\ndns=none" > /etc/NetworkManager/conf.d/no-dns.conf
systemctl restart NetworkManager.service
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
On 03-Aug-22
On 03/08/2022 18:36, Robert Moskowitz wrote:
Hi Robert,
[snip]
ARGH!
I want the IPv6 addr from my firewall/gateway. But I don't want that
IPv6 nameserver!
Calm down. Just add "PEERDNS=no" in your ifcfg-eth0 file. This way, the
resolv.conf file will only contain your specified DNS servers
On 8/3/22 13:10, Anand Buddhdev wrote:
On 03/08/2022 18:36, Robert Moskowitz wrote:
Hi Robert,
[snip]
ARGH!
I want the IPv6 addr from my firewall/gateway. But I don't want that
IPv6 nameserver!
Calm down. Just add "PEERDNS=no" in your ifcfg-eth0 file. This way,
the resolv.conf file wi
On 8/3/22 12:59, Timothe Litt wrote:
Try
echo -e "[main]\ndns=none" > /etc/NetworkManager/conf.d/no-dns.conf
systemctl restart NetworkManager.service
Same content in resolv.conf. BTW this is on CentOS 7.
Timothe Litt
ACM Distinguished Engineer
--
This communicatio
Perhaps this is only caching the zones in the Internal View, not all
public stuff looked up by internal clients?
I say this because I get fast responses to internal servers, but slow if
at all to external ones.
Grasping here because my search foo is weak and I can't find where it is
defined
Hmm. Your resolv.conf says that it's written by NetworkManager.
What I suggested should have stopped it from updating resolv.conf.
See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/manually-configuring-the-etc-resolv-conf-file
Not really. Using ECDSA (or EdDSA) CSK is pretty lightweight even during
rollover.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 3. 8. 2022, at 19:10, Peter wrote:
>
This is borderline not thinking on my part.
OF COURSE those FQDNs resolve fast; they are in local zone files. No
lookup needed.
Sheesh.
"Slow down, you move too fast. Got to make the Mornin' last!" :)
On 8/3/22 14:43, Robert Moskowitz wrote:
Perhaps this is only caching the zones in the In
Hi Robert.
Turn on query logging by doing "rndc querylog". You should see a message
saying that has been done in "named.log", to where each query will now be
logged. If you have views, part of the query log will contain which view
was matched. So this will tell you two things:
1. If the queries
On 8/3/22, Robert Moskowitz via bind-users wrote:
> thanks Greg. Yes I need to figure out how to troubleshoot this. But
> here is some stuff:
>
> # cat resolv.conf
> # Generated by NetworkManager
> search attlocal.net htt-consult.com
> nameserver 23.123.122.146
> nameserver 2600:1700:9120:4330::1
On Wed, 3 Aug 2022 13:47:41 +0200
Victor Johansson via bind-users wrote:
> Hey,
>
> I just want to add that there is a better way to do this in iptables
> with hashlimit. The normal rate limit in iptables is too crude.
>
> Below is an example from the rate-limit-chain, to which you simply send