On Mar 30, 2015, at 2:30 AM, Matthew Seaman
wrote:
> On 03/30/15 00:35, @lbutlr wrote:
>> Downloaded and compiled bind-9.9.7 (FreeBSD 8.4-RELEASE) and it built fine
>> (./configure && make && make install).
>
> On FreeBSD, building software out of the p
> On Mar 31, 2015, at 02:46, Mathieu Arnold wrote:
>
> +--On 30 Mar 2015 19:32:09 -0600 "@lbutlr" wrote:
> |> # /usr/local/sbin/named -u bind -c /etc/namedb/named.conf \
> |>-t /var/named
> |
> | Yes, that works without reporting any errors, so the is
On 22 Feb 2020, at 18:25, Scott A. Wozny wrote:
> I’m setting up hot-hot webserver clusters hosted on the west and east coasts
> of the US and would like to use Bind 9.11.4
I’d consider changing that version. While Bind 9.11 *is* still supported, it is
EOL at the end of this year. If you really
With my install of bind 9.14 bindtools 9.16.0 was also installed.
This version is missing some (legacy) algorithms that I am still using on my
system, specifically hmac-sha256
dnssec-keygen [options] name
Version: 9.16.0
name: owner of the key
Options:
-a :
RSASHA1 | NSEC3RS
We are making some changes to our NSP account and the NSP is threatening to
change our IP block. This means I will have to update all the domains on the
system (all using DNSSEC). We are still arguing with them since there is no
technical reason for forcing this change on us, but chances are the
On 18 Apr 2020, at 09:34, Reindl Harald wrote:
> Am 18.04.20 um 17:23 schrieb @lbutlr:
>> Is it possible to batch update all the domains? Looking at nsupdate it looks
>> like I have to step through and do every domain individually.
> well, where is the issue iterate all your
On 29 Apr 2020, at 14:19, Tony Finch wrote:
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:
DOH is better because it cannot be blocked without blocking all https traffic.
(FSVO of better, of course. I am sure there is a vi/emacs spa
On 05 Jun 2020, at 04:10, Jukka Pakkanen wrote:
> Thx for the info, had missed this one and actually we have that minor
> misconfiguration too. Have had since 1995 when started our nameservers and
> never noticed…
If it makes you feel better, it wasn't an error in 1995.
I remember removing the
When a domain configuration file contains an include line for the key, where is
that include looking for the key file?
I'm in a situation where the keys seems to work fine for updating DNSSEC, but
nsdiff complains the key file is not found.
Obviously something in named.conf or the domain file i
On 05 Jul 2020, at 10:12, Tony Finch wrote:
> @lbutlr wrote:
>
>> When a domain configuration file contains an include line for the key,
>> where is that include looking for the key file?
>
> ... good question, I have avoided having to find that out ...
Heh.
> So
On 05 Jul 2020, at 07:51, @lbutlr via bind-users
wrote:
> mail # rndc reload
> rndc: 'reload' failed: failure
> mail # tail /var/log/messages
> Jul 5 07:41:24 mail.covisp.net named[53940]
> /usr/local/etc/namedb/bind.keys:29: unknown option 'trust-anchors'
When setting up a secondary zone, what do I replace # with in the following (the
old syntax was masters instead of master, so I am guessing it needs a new
keyword)?
zone "example.com" {
type secondary;
# { 192.168.10.1; };
file "/var/lib/bind/db.example.com";
};
in https://bind9.readthe
Trying to verify that I can make changes with nsupdate and running into
something I don’t understand.
mail # nsupdate -k admin.key
> zone name covisp.net
> update delete ns1.covisp.net. IN A 65.121.55.42
> update add ns1.covisp.net. 3601 IN A 65.121.55.42
> send
; Co
On 06 Jul 2020, at 16:47, Kevin Darcy wrote:
> You didn't dot-terminate covisp.net in the "zone" statement
Ow!
Sigh.
--
The whole thing that makes a mathematician's life worthwhile is that
he gets the grudging admiration of three or four colleagues
On 06 Jul 2020, at 22:00, ShubhamGoyal wrote:
> I am installing bind latest version with additional feature, it gave me
> "configure: error librpz.so and dlopen needed for dnsrps" error.
> I am searching for that error but I did not find the solution.
You have configured bind for dnsrps and
On 06 Jul 2020, at 17:59, Mark Andrews wrote:
> Nsupdate can normally determine the name of the zone that has to be updated
> so most of the time you don’t need to specify the zone. There are a few
> cases, like when adding delegating NS records or glue to the parent zone you
> have to overrid
On 07 Jul 2020, at 08:06, Tony Finch wrote:
Excellent post, and a nice summary of some best practices.
I have a couple of questions.
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you ca
On 07 Jul 2020, at 12:06, Michael De Roover wrote:
> On 7/7/20 4:06 PM, Tony Finch wrote:
>
>> max-udp-size 1420;
>> https://dnsflagday.net/2020/
> Interesting, I wasn't aware of this campaign. I don't know if I'm
> knowledgeable enough on UDP to be able to make educated decisions on
On 08 Jul 2020, at 05:03, Adrian van Bloois wrote:
> When I try to start bind 9.16.x from systemd it fails not being able to
> find something.
…
> What could be the problem???
Not really possible to guess without the error message.
--
"Are you pondering what I'm pondering?"
"I think so, Bra
Given a domain that is hosted and used for email and web, is an A record for
that domain actually required?
That is, if bob.tld is hosted by example.com can you simply have
NS ns1.example.com
NS ns2.example.com
MX mx.example.com
www CNAME www.example.com
Without spe
On 12 Jul 2020, at 06:28, Matus UHLAR - fantomas wrote:
>> On 7/12/20 6:23 AM, ShubhamGoyal wrote:
>>> I am thinking to stop or drop ANY type queries from our DNS Recursive
>>> resolver, so please tell me how can we drop or stop ANY type queries from
>>> bind.
Don't do this.
> On 12.07.20 12:
On 28 Jun 2020, at 09:13, Matus UHLAR - fantomas wrote:
>> zone "abc.com" {
>> type forward;
>> forwarders {1.1.1.1;};
>
> if 1.1.1.1 is the IP of the nameserver for abc.com, you had better configure it
> as "type stub" or "type static-stub".
1.1.1.1 is a DNS resolver for Cloudflare and r
On 14 Jul 2020, at 00:31, MEjaz wrote:
>
Please do not post images. Copy and paste the text.
(Over 100 lines of quoted lines with no content deleted)
--
I WILL NOT BARF UNLESS I'M SICK Bart chalkboard Ep. 8F15
___
Please visit https://lists.isc.o
On 17 Jul 2020, at 11:56, Ted Mittelstaedt wrote:
> In fact, the ONLY reason that the name "bind9" was ever even coined
> at all was because the changes from bind8 both in the syntax of the
> config file and how the program operated they wanted to boot admins
> in the behind to get them to change
On 20 Jul 2020, at 10:09, tale wrote:
> And for what it's worth, not all systems moved away from "named" to
> "bind9". I've been running FreeBSD for decades, and I can't remember
> ever calling the service "bind9".
The service is always named, the package is bind. I stopped adding the 9 many
ye
On 21 Jul 2020, at 06:37, Mark Andrews wrote:
> On 21 Jul 2020, at 18:23, @lbutlr wrote:
>>
>> Bind is a poor choice for desktop use. Packages like unbound are much better
>> for that sort of use, and it is far less critical if those packages have
>> security issue
Getting these in the logs:
named[652] malformed transaction: managed-keys.bind.jnl last serial 1204 !=
transaction first serial 1159
named[652] managed-keys-zone: keyfetch_done:dns_journal_write_transaction ->
unexpected error
named[652] managed-keys-zone: error during managed-keys processing (u
On 23 Sep 2020, at 19:19, @lbutlr wrote:
> named[652] malformed transaction: managed-keys.bind.jnl last serial 1204 !=
> transaction first serial 1159
> named[652] managed-keys-zone: keyfetch_done:dns_journal_write_transaction ->
> unexpected error
> named[652] managed-keys-
I am getting the following error on one specific domain and I am unsure how to
fix it. Searching for the error led to suggestions about not running multiple
copies of bind on the same machine, but that is not the case here (and it is
only affecting one domain).
named[652] malformed transaction:
On 16 Oct 2020, at 08:36, Bob Harold wrote:
> That is certainly not obvious. How do I request improving the manual?
>
> "in turn" would seem to imply "in order", and the order would logically be
> the order I listed them.]
I disagree. In turn means one is tried, then if that fails the next is
On 19 Oct 2020, at 00:54, Matus UHLAR - fantomas wrote:
> On 18.10.20 11:00, @lbutlr wrote:
>> I am getting the following error on one specific domain and I am unsure how
>> to fix it. Searching for the error led to suggestions about not running
>> multiple copies of bin
On 19 Oct 2020, at 08:57, Bob McDonald wrote:
> When you talk about "putting the .jnl file aside" what are you doing?
> Stopping named THEN deleting the .jnl file?
I did not delete the file. I stopped named and moved the file, then restarted
named. After everything seemed to be working, then I
On 27 Nov 2020, at 00:00, Onur GURSOY wrote:
> Hello Everyone,
Oh, come on!
--
"Are you pondering what I'm pondering?"
"Wuh, I think so, Brain, but if we didn't have ears, we'd look like
weasels."
On 18 Dec 2020, at 10:56, Nicolas Bock wrote:
> ;; ANSWER SECTION:
> com. 63779 IN DS 30909 8 2
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> In other words, the forwarder returns a Delegation Signer
> record but not an RRset Signature record. Presumably that
> means that
Given that I have an authoritative bind9 server for example.com and given that I
have a home connection that is (technically) dynamic home.example.com, what is
the easiest way for me to automatically update the DNS on the rare occasions
that it changes?
The example.com domain is setup with DNSSEC
On 23 Dec 2020, at 21:23, Grant Taylor via bind-users
wrote:
> On 12/23/20 6:53 PM, @lbutlr wrote:
>> Given that I have an authoritative bind9 server for example.com and given that
>> I have a home connection that is (technically) dynamic home.example.com what
>> is the
I've been using alg-7 for DNS, but that is no longer recommended. How difficult
is it to change the signing algorithm and what is the process (Bind 9.16.11)?
--
"He raised his hammer defiantly and opened his mouth to say, "Oh,
yeah?" but stopped, because just by his ear he heard a growl
On 01 Feb 2021, at 07:14, Matthijs Mekking wrote:
> Depends on what your DNSSEC configuration is. Are you using
> dnssec-signzone/named? auto-dnssec maintain? inline-signing? dnssec-policy?
> dnssec-keymgr?
These are all good questions, and when I set this up I could have answered with
some de
On 02 Feb 2021, at 02:23, Matthijs Mekking wrote:
> 1. Create a dnssec-policy that matches your current keys (so in your case
> algorithm 7, also make sure you use the same length).
>
> So I guess something like:
>
> dnssec-policy alg13-ksk-unlimited-zsk-60day {
> keys {
>
On 02 Feb 2021, at 07:36, Matthijs Mekking wrote:
> If the PDF is not working for you, perhaps https://bind9.readthedocs.io/
> suits you better?
The PDF works fine, and I can search for "dnssec" and "policy" but it is using
some emdash or similar character for the - in between which makes searc
Is the mechanism of using $INCLUDE in the zone file still used?
If so, do I need to update the when moving to a new alg method or
are they only used when initially creating a signed zone file or are they no
longer needed at all?
--
'I'll tell you this!' shouted Rincewind. 'I'd rather trust
So, with my test domain that is using dnssec-policy default, dnsviz reports
"DNSKEY: No response was received from the server over UDP"
But:
dig +norec +dnssec +bufsize=512 +ignore dnskey
Shows a DNSKEY record.
(There is no DNSKEY record shown on the domains still using auto-dnssec
maintain;
On 06 Feb 2021, at 17:45, Paul Kosinski via bind-users
wrote:
> It sounds to me like dnssec-verify is sending the output in question to
> STDERR instead of STDOUT.
Dnssec-verify sends errors (like missing /Bad/Expected lines) to stderr; it
sends status warnings like "The zone is not fully sign
I feel I am getting close. I got the digest generated for hover.com and updated
the DNS on the test zone, but I am getting errors on verify that I don't
understand.
#v+
# dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
Loading zone 'example.com' from file '/etc/namedb
> On 08 Feb 2021, at 07:24, Matthijs Mekking wrote:
>
> Hi,
>
> On 08-02-2021 12:20, @lbutlr wrote:
>> I feel I am getting close. I got the digest generated for hover.com and
>> updated the DNS on the test zone, but I am getting errors on verify that I
On 09 Feb 2021, at 16:19, Mal via bind-users wrote:
> On 09/02/2021 10:47 pm, @ wrote:
>> Well, I have finally gotten the test zone to the point where dnssec-verify is
>> happy and everything that I can check also seems happy except dnsviz which
>> is very very VERY angry and basically says the z
On 11 Feb 2021, at 16:38, John W. Blue via bind-users
wrote:
> I have found to tshark to be useful as well but the failing it has is that it
> is generally not included in a unix OS distribution.
Is bind? I mean, I have to install a bunch of stuff right off on a new distro
just to get a useabl
On 23 Feb 2021, at 23:02, Evan Hunt wrote:
> DoH is supported in named in 9.17.10 (server side only). Client-side
> support will be added to dig in 9.17.11.
There's 9.17.10? I have 9.16.12 and see no sign of 9.17.x in FreeBSD ports. Is
it "bind9-devel"?
I seem to recall something about the odd
On 24 Feb 2021, at 03:38, Ondřej Surý wrote:
>> On 24. 2. 2021, at 11:36, @lbutlr wrote:
>> I also see this note from last year:
>>
>> <https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9.17-Plan>
>> "September 2020 DoH backported to Extended Sup
On 26 Mar 2021, at 14:32, alcol alcol wrote:
> seriously? is like linux/unix FAQ 😄
Oh, I would say learning how to post to mailing lists in linux/unix 101.
Perhaps you could review that yourself and not send bloated messages full of
HTML garbage?
--
"Are you pondering what I'm pondering?"
"We
If I do:
cd /etc/named/working/main/
for i in *; do dig $i +dnssec | grep "A 13 2" | awk '{print $1}';done
I see a list of all the domains on the system, so that's good, everything has an
ALG-13 signature.
If I do
for i in *; do dig $i +dnssec | grep "A 7 2" | awk '{print $1}';done
I see a lis
On 06 Apr 2021, at 01:13, Matthijs Mekking wrote:
> In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By
> default the keys are retained for 90 days after their latest usage. So in
> that case keys will be cleaned up automatically.
Excellent. Does that go in the zone record
> On 12 Apr 2021, at 01:12, Matthijs Mekking wrote:
>
>
>
> On 11-04-2021 01:22, @lbutlr wrote:
>> On 06 Apr 2021, at 01:13, Matthijs Mekking wrote:
>>> In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By
>>
I restored a backup of my named.conf after a little bit of an oops. The file is
the same exact file as it was yesterday, but on starting bind I get:
named[24161]
named[24161] BIND 9 is maintained by Internet Systems Consortium,
named[24161] Inc.
On 12 Apr 2021, at 07:04, Matthijs Mekking wrote:
> Perhaps inspect the zone file?
Ah, since it is named localhost-reverse.db I assumed it was not plain text but
some db format.
>>>FILE
$ORIGIN .
$TTL 3600 ; 1 hour
0.ip6.arpa IN SOA localhost. nobody.localhost. (
On 13 Apr 2021, at 04:02, Anand Buddhdev wrote:
> A legitimate client, following a normal chain of referrals, has *no*
> reason to query a server for zones it is not authoritative for.
Well, that's not really true. A mobile user might have their device configured
to always check their corporate
On 29 Apr 2021, at 05:35, Ondřej Surý wrote:
> * Windows now has WSL2
> (https://docs.microsoft.com/en-us/windows/wsl/install-win10) that can be used
> to run BIND 9 natively
I'd suggest this be the first listed reason as it pretty much makes all the
other reasons irrelevant. OTOH, I don't hav
On 30 Apr 2021, at 08:21, Jordan Tinsley wrote:
> Is BIND 9.11.6 (Extended Support Version) vulnerable?
>
> Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
> vulnerable?
The CVE description indicates both of those versions are vulnerable.
"In BIND 9.5.0 -> 9.11.29 … c
On 30 Apr 2021, at 12:15, Tony Finch wrote:
>
> dig +ttlunits example.com ds @$(dig +short com ns | head -1)
I updated the last of my zones over a month ago and they are still showing
alg-7. The longest TTL in the zone files is 2w, but we're 29 days in.
The signed file has
I've been getting a few errors along these lines (bind 9.16.18), the IPs
change, but I don't know what "non-improving referral" means or if I should be
concerned.
DNS format error from 64.70.78.82#53 resolving ok.contact/NS for
127.0.0.1#16749: non-improving referra
This IP is owned by Cent
On 2021 Jul 05, at 18:20, Mark Andrews wrote:
> On 6 Jul 2021, at 06:40, @lbutlr wrote:
>> DNS format error from 64.70.78.82#53 resolving ok.contact/NS for
>> 127.0.0.1#16749: non-improving referra
>
> This is an error with the delegation of ok.contact. The NS records
I am invoking nsupdate with
nsupdate -k /etc/namedb/admin.key
When I make the changes to a domain and `send` I get,
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
/etc/namedb is an alias to /usr/local/etc/namedb/ and admin.key contains:
# cat admin.key
key "rndc-k
On 2022 Feb 24, at 14:19, @lbutlr wrote:
> I am invoking nsupdate with
Oh, never mind. Major Brain Fart.
--
"Everyone has a photographic Memory, some just don't have film."
~Steven Wright
Is this a result of the propagation of DNS still occurring and dnsviz still
seeing the old DNS servers? The DNS pointers have been changed with the
registrar, but dnsviz is throwing quite a few errors, including this one.
"DNSKEY: The Authoritative Answer (AA) flag was not set in the response."
On 2022 Feb 22, at 04:31, Julien Salort wrote:
> For information, bind 9.18.0 compiles fine under Macports on a variety of
> systems, including Catalina.
And with homebrew as well, though I don't know what versions of macOS it does
back to (Everything here is now on M1s with Monterey).
--
Al
On 2022 Feb 27, at 05:46, Bob McDonald wrote:
> I'm guessing that the zone files hosted on the new DNS servers still contain
> NS records pointing to the old DNS servers.
After propagation everything seems to have settled out properly, no errors on
dnsviz now.
Thanks though.
--
Advance and
I have several domains set up in bind, all with DNSSEC implemented, and am
trying to add a new domain, and seem to have missed a step.
# dnssec-keygen -a 13 example.com
# dnssec-keygen -f KSK -a 13 example.com
Add $INCLUDE to the zone file for each of these 4 keys.
# dnssec-signzone -3 $(
On 2022 Apr 10, at 05:37, Bjørn Mork wrote:
> "@lbutlr" writes:
>
>> # dnssec-keygen -a 13 example.com
>> # dnssec-keygen -f KSK -a 13 example.com
>>
>> Add $INCLUDE to the zone file for each of these 4 keys.
>
> 4? You've generated 2 key p
My secondary DNS server (bind916-9-16-27) is reporting:
managed-keys-zone: Failed to create fetch for DNSKEY update
At this point it only responds SERVFAIL to all queries.
The secondary DNS is a spare machine that is not used for anything else but
DNS, so no one has touched it other than to upda
On 2022 Apr 12, at 18:25, @lbutlr wrote:
>
> My secondary DNS server (bind916-9-16-27) is reporting:
>
> managed-keys-zone: Failed to create fetch for DNSKEY update
Named.conf relevant settings (I think) are:
recursion yes;
allow-query { any; };
all
Using nsupdate when I try to delete an MX record for a domain, I get REFUSED.
When I try to add an MX record with the same priority (or not), it leaves the
old record as well.
How do I remove and replace the MX record for a domain with nsupdate?
--
A woman stays up all night with two men
On a domain all the subdomain names resolve to an IP address (mail, ns1, www, etc
etc) but the base domain name does not.
The config file looks like:
$ORIGIN .
$TTL 86400 ; 1 day
covisp.net. IN SOA ns1.covisp.net. root.covisp.net. (
2016103100 ; ser
On Nov 2, 2016, at 3:24 AM, Alberto wrote:
> @INAip.ip.ip.ip
Ah, of course!
Thanks!
It looks like there are three versions of Bind currently supported, 9.9.9, 9.10,
and 9.11.
Are there specific reasons to move from 9.9 to 9.10 or 9.11 other than the
usual "it's newer and you're going to have to move at some point anyway"?
Any gotchas?
--
Apple broke AppleScripting signatures i
On 2017-01-18 (09:07 MST), Mukund Sivaraman wrote:
>
> On Wed, Jan 18, 2017 at 08:02:04AM -0700, lbutlr wrote:
>> It looks like there are three versions of Bind currently supported,
>> 9.9.9, 9.10, and 9.11.
>>
>> Are there specific reasons to move from 9.9 to 9.10 o
Running bind 9.9.9 and am interested in setting up dnscrypt to go with it.
Is dnscrypt-proxy the right way to go, or encrypt-wrapper? (it looks like
wrapper is a client tool and that -proxy is what actually talks to the clients).
If anyone has done this is it reasonably simple to setup and maint
I am looking at a config file and seeing:
2017112100 ; serial
1H ; refresh
15 ; retry
1w ; expire
1H ; minimum
Is that 15, 15 seconds?
I'm guessing it should be 15m?
--
ADVANCE TO THE REAR!
On 2 Feb 2018, at 12:57, Warren Kumari wrote:
>
> ) yes, that is 15 seconds, and is almost definitely not what
> you want.
That's what I figured. I suspect, based on the spacing in the file, someone
inadvertently deleted the 'm'.
Thanks all (and yes, that was /PART/ of an
On 2018-02-08 (03:10 MST), Michelle Konzack
wrote:
>
> Hi,
>
> Am 2018-02-08 hackte LuKreme in die Tasten:
>> Is it possible to tell bind to ignore very short TTLs and enforce
>> a...say... 5 second minimum TTL?
>
> VERY SHORT TTL?
Yes.
> 5 sec minimum?
Yes.
> What Du you mean with ignorin
On 2018-02-08 (08:51 MST), Mukund Sivaraman wrote:
>
> Also, just for argument's sake, one user wants to extend TTLs to
> 5s. Another wants 60s TTLs. What is OK and what is going too far?
For the record, the issue is not RBLs or legitimate domains, it is spammer scum
that set super-low DNS bec
On 2018-02-09 (21:11 MST), John Levine wrote:
>
> In article you write:
>> For the record, the issue is not RBLs or legitimate domains, it is =
>> spammer scum that set super-low DNS because they are shotgunning spam =
>> from a a vast botnet and they want to have maximal impact, so you get a =
On 2018-02-10 (12:15 MST), Barry Margolin wrote:
>
> Just because you have the right to do something doesn't mean it's a
> reasonable thing to do.
No one has made an argument that would imply this is not reasonable.
> And if you're offering a service, you have responsibilities to your customer
On 2018-02-17 (02:48 MST), Niall O'Reilly wrote:
>
> In my not-very-extensive experience, Google's 8.8.8.8 service seems to have
> limited tolerance of badly-behaving authority servers; in such a case, it
> seems to give up early and report SERVFAIL.
>
> As it happens, there seem to be problem
On Feb 17, 2018, at 06:04, Reindl Harald wrote:
> "Is google just b0rked?" is mostly wrong to start with
As I said, that seems unlikely. But the different behavior from multiple large
DNS services was odd.
> Delegation
>
> Failed to find name servers of david-dodge.com/IN.
I may have been muc
If I set
allow-query { 127.0.0.1; [myipblock]; }
Then my DNS doesn't respond to any other servers, right? This would be bad for
being authoritative. So, should I set that and then set allow-query { any; };
in each zone?
Is that better than simply setting the IPs that are allowed recursion?
On Feb 28, 2018, at 09:57, G.W. Haywood via bind-users
wrote:
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
> Waste of time. The attacks are automated, and will be mounted
On 2018-03-22 (08:13 MDT), John Miller wrote:
>
> Is this normal or am I missing something.
It is normal. It is confusing, but it is normal.
--
Traveling through hyperspace ain't like dusting crops, boy.
On 2018-03-29 (11:58 MDT), Kim Culhan wrote:
>
> Made a change to an ip address in an A record and bind is still showing the
> old
> address.
> Updated the serial and it doesn't show the new serial either.
>
> How can I get bind to update from the data in the zone file?
>
> I 've restarted nam
So, I set up DNSSEC on my authoritative bind 9.12 server, which was very
straightforward and works fine:
dig covisp.net +dnssec +short @8.8.8.8
65.121.55.42
A 7 2 86400 20181008122535 20180908122535 17363 covisp.net.
pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE
i9itA3Si91/pImofmPn
On 08 Sep 2018, at 09:59, Niall O'Reilly wrote:
> On 8 Sep 2018, at 14:58, @lbutlr wrote:
>
>> so I think there must be something else.
>
> You might need to so some other housekeeping:
>
> https://zonemaster.net/domain_check
> http://dnsviz.net/d/covis
On 08 Sep 2018, at 11:46, @lbutlr wrote:
> I need to check that I am supposed to generate the digest.
to check *HOW* I am supposed to generate the digest.
--
Ille Qui Nos Omnes Servabit
On 08 Sep 2018, at 10:21, Mark Elkins wrote:
> Have you DNSSEC Signed your Domain - that is "covisp.net" because I
> don't see any DS records for it in the "net" zone.
Not yet, I want to have everything working on my side before I go upstream.
Hover is pretty simple to setup the DNSSEC but I nee
On 9 Sep 2018, at 14:58, Mark Elkins wrote:
> Umm... this initially looks great but something is seriously strange. The
> first numerical value after DS should be the Key ID (or Key Tag). I really
> doubt that you would (randomly) create two different DNSKEY records with
> sequential Key-ID's (
On 30 Sep 2018, at 09:59, Alex wrote:
> It also tends to happen in bulk - there may be 25 SERVFAILs within the
> same second, then nothing for another few minutes.
That really makes it seem like either your modem or your ISP is interfering
somehow, or is simply not able to keep up.
--
'Who's th
A couple of questions
First, guides on setting up DNSSEC say to add dnssec-lookaside auto; in the
options, but bind reports an error:
/usr/local/etc/namedb/named.conf:35: dnssec-lookaside 'auto' is no longer
supported
Does this mean the entire declaration is not supported, or that auto should
On 21 Jan 2019, at 13:49, Mark Andrews wrote:
Thanks for the info on the first two questions.
>> Third, what does “not at top of zone” mean in dnssec-verify?
>
> Some record that should have been at the zone’s apex (name) wasn’t. Either
> you passed the wrong
> zone name to dnssec-verify or y
On 26 Jan 2019, at 12:20, @lbutlr wrote:
> I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone
> record in name.conf and now everything is behaving as expected when I query
> localhost for the DNSSEC info.
I should have said, I have upd
On 26 Jan 2019, at 12:55, Alan Clegg wrote:
> With the appropriate trust anchors in place, data in the zone validates.
Everything appears to be working locally at this point, including with
"auto-dnssec maintain;" which I swear was not working a few hours ago. Perhaps
I typoed.
> Does this hel
On 21 Jan 2019, at 12:32, @lbutlr wrote:
> A couple of questions
I’d like to thank everyone who helped out on this, got it all sorted, added to
the registrar, and it is all working. Now to do it for all the other domains. :)
--
The most perfidious way of harming a cause consists of defend
> On 29 Jan 2019, at 00:25, ObNox wrote:
>
> On 24/01/2019 10:26, Sam Wilson wrote:
>
Note: I'm assuming a zone expiry of a week to a month. I think that
would accommodate most outages.
>>>
>>> I thought of that too :-) A week would be far enough in my case.
>> Be careful of what