On Wed Sep 07 2011 at 12:54:31 CEST, Chris Thompson wrote:
> >Named doesn't yet have the ability to disable DNSSEC validation
> >for specified namespaces.
>
> "Yet"? Is there a hint of a future change there?
*Please* say yes.
-JP
___
Please v
> But just for the sake of convenience, is there a way to rename
> TYPE<#> to something that I want?
If you dig (pun not necessarily intended) into the source of BIND you
can actually change the source so that `named' can read your type from a
zone master file and `dig' displays it however you wis
> Well, I'm going to run the modified bind on a local testbed
> disconnected of internet.
You won't be causing harm, even if connected. :)
> Thanks on the hint, now I have to find out where to dig first.
> Any knowledge?
I'm no specialist, but this might get you started:
lib/dns/code.h
On Tue Sep 27 2011 at 17:32:22 CEST, Issam Harrathi wrote:
> and you say here it's cached for 30 seconds?!
Evan said:
> and we've discussed implementing it in BIND9, but haven't had time yet.
In other words, they are *not* cached in BIND9.
-JP
__
> > '_' is an illegal character in hostnames in the DNS...
>
> Yeah, I got hosed by that one by a consultant.
MCSE per chance? [Sorry; couldn't resist.]
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
fro
On Wed Sep 28 2011 at 16:43:17 CEST, 风河 wrote:
> this is the stuff what should be done by webserver rather than by DNS. i,e,
> Apache rewrite will do that.
That is incorrect. DNS is needed to "find" the Web server. Web server
rewriting/configuration is needed to "find" the site.
-JP
> *except that perhaps those who enable this feature will use it as an
> excuse to avoid enabling validation, which would be a very bad result
+1 +1
A *very* bad result.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
On Fri Sep 30 2011 at 11:50:51 CEST, Hauke Lampe wrote:
> > *except that perhaps those who enable this feature will use it as an excuse
> > to avoid enabling validation, which would be a very bad result, IMO. . .
>
> My reading of the docs says that BIND's NXDOMAIN redirections won't
> break DNS
[ pardon the possible duplicate ]
I'm a fan of RFC 2136 Dynamic DNS and, if I think it appropriate for a
particular use case, sometimes suggest DDNS to customers. I often have
a hard time convincing people to use DDNS and am doubted regarding its
stability and/or performance.
I'm looking for
> 4. Perceived second-class status of DLZ
Ack.
> 6. Too-tight coupling between the SQL DB and DNS
It'll be interesting to see how BIND 10 [1] handles this coupling [2]. I
haven't (yet) had the inclination to experiment, mainly because (and now
back on topic :-) DDNS is apparently not yet ready
> >What have you tried so far?
> @ IN CNAME linuxsystems.it.
No CNAME and other data [1]. You have an SOA and NS at the apex, so a
CNAME isn't allowed.
-JP
[1] Until you start with DNSSEC :)
___
Please visit https://lists.isc.org/ma
> host is four characters shorter.
Use `dig' and save 25% ;-)
`nslookup' must die. (Until a few years ago, it printed a deprecation
notice which, unfortunately, has since been removed.)
-JP
___
Please visit https://lists.isc.org/mailman/listinf
> I'm looking for success (or failure) stories to back up my statement :)
Thank you all for replies, on and off-list. If you are interested in a
summary, I've posted it at [1].
Regards,
-JP
[1] http://dnssexy.net/538
___
Please visit
> I don't mind, but how can I create a CNAME in the parent?
Why don't you describe what you are trying to accomplish and what you
need that an additional A/ record won't solve? You've been told how
to solve the problem, and the members on this list are helping you avoid
shooting yourself in th
> Is there an IETF/ICANN reserved TLD for internal use? I've seen plenty of
> .loc and .local, but I haven't seen an RFC reserving it. RFC 2606
> reserves .example, .invalid, .localhost and .test but these don't seem
> approriate.
Not IETF/ICANN reserved, but ISO 3166 [1] reserves the follow
> Note, the new .XXX TLD is included in that list.
Does that mean it is or isn't safe for work? ;-)
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.i
> Bind version is: 9.7.4
Upgrade; 9.8.1 is current. (In addition, you're reading a book called
BIND 10 -- even though the book doesn't once mention that software!)
> Maybe this is a stupid question but what is ARM?
BIND 9 Administrator Reference Manual. It is provided in multiple
formats within
> I have one more question - how can I block every update for every zone
> in options section using update-policy?
Are you actually *reading* the documentation: the ARM actually defines
`allow-update':
"Specifies which hosts are allowed to submit Dynamic DNS updates
for master zon
> So the error being logged isn't really an error, it just looks like
> one; we should probably see about silencing it.
The error is indeed confusing, maybe it should say "not yet signed" ?
11-Nov-2011 12:32:35.838 zone inline.aa/IN/internal (unsigned): loaded serial 2
11-Nov-2011 12:32:35.838 zo
> I have found that www.thisisgame.com does not resolve on our DNS servers
You haven't done anything wrong. thisisgame.com has a single name
server, and that is currently not open to business, at least not from
my part of the world, maybe due to some firewall rule. (Google's NS do
indeed have acce
It seems as though you haven't followed some of the advice given you on
this list -- you'll have to do a bit more reading. Nevertheless:
> 1. How frequently DNS server will download the malware domain database
That depends on how frequently the RPZ provider publishes updates to the
zone. RPZ zone
Hello,
I'm looking at a BIND installation with a largish number of views, each
of which allow recursion and contain a couple of RPZ zones. Each view
has a `match-clients{}' option limiting access to the view to a very
small number of addresses. (Typically the single address of a client
with a dyna
> afaik your client can identify itself by TSIG instead of IP address.
> of course, this requires tyour client to support TSIG ...
Unfortunately the clients are dumb stub resolvers (Linux, Mac, Windows),
so TSIG is not an option.
-JP
___
Please
> 22-Nov-2011 11:25:28.320 general: notice: all zones loaded
> 22-Nov-2011 11:25:28.320 general: notice: running
This looks to me as though you've cycled the server, which isn't
currently allowed. Evan pointed out recently here that it can actually
corrupt the zone...
My experience is that, after
On Tue Nov 22 2011 at 20:34:46 CET, Spain, Dr. Jeffry A. wrote:
> I did something similar, using nsupdate to modify the unsigned zone
> instead of a manual edit. [...] "rndc reload" is not necessary.
`rndc reload' never is necessary if you use DDNS to update master zones.
-JP
_
> I have 1 domain name, and 1 reverse in-addr.arpa
> citires.ca and0-127.254.194.207.in-addr.arpa
>
> which my two slaves log that the master is "not authoritative" for
Seen from here (.DE) the NS for citires.ca both refuse to answer
queries, so they are indeed not authoritative:
On Wed Nov 23 2011 at 20:21:00 CET, Evan Hunt wrote:
> Correct, but... let me start by explaining the situation in releases prior
> to 9.9, without the inline-signing feature.
And would you now kindly do all of us and all future readers a favor and
copy/paste that text *verbatim* into the ARM? Th
On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
> I use `dig axfr dotat.at | grep -v RRSIG`
... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
hoping, of course, that no owner name is called 'RRSIG' et. al. ;-)
-JP
__
Jeffry,
> I have had a tendency to dig axfr from my Windows workstation
+1 to you for using `dig' on Windows; most don't even know it exists
and suffer the `nslookup' pain. ;-)
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-us
> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?
You have to use views so that the server can decide which clients get
which responses. This you specify in a match-clients {} stanza within
the view.
-JP
__
> given that their respective administrators have
> declared an intention to follow RFC 5011 if they ever roll over their
> KSKs.
As you say "if they ever roll"; I'm not placing any money on that. ;-)
> I could of course set up such a test zone and try to perform an RFC 5011
> rollover on it, usi
> The documentation for `match-clients' isn't comprehensive enough... Can
> I add all host from, for example 172.16/16 except a single host? Does:
>
> match-clients { 172.16.0.0/16;!172.16.1.1; }
BIND checks the ACL in the order you specify. In your example,
172.16.1.1 will be allowed by the firs
> May I transfer *views* rather than zone description files?
No. That's why it is called "zone" transfer. :)
> May I transfer two zone description files for a single zone to a
> single server?
Again no. (See previous thread on your request to serve two zone files
for the same zone in the one vi
> Judicious use of views with ACLs
I haven't actually tested this, but there's a recent thread [1] which
describes what I mean. Pay particular attention to the issue of getting
master notification into the slaves.
-JP
[1] https://lists.isc.org/pipermail/bind-users/2011-May/083664.html
_
> Feature suggestion: some sort of synthetic clock option to named for
> use in the test suite ("--test-unixtime-offset") or something?
>
> Obviously non-trivial.
Indeed.
I think Chris' & Evan's suggestion of a public zone that revokes and
replaces trust anchors periodically (every few hours?) i
On Wed Nov 30 2011 at 20:45:30 CET, Michael Graff wrote:
> For my VM environment, I bought a USB random source, and share it
> across the VMs with a little daemon I wrote.
Would you be willing to give us a few more details, such as the name of
the USB random source generator (is it an Entropy Ke
Thanks Michael, and Hauke.
I've had relatively good prior experience with Haveged [1], but I've
always wanted to experiment with a USB random generator.
Both the Araneus Alea [2] and the Entropy Key [3] look very interesting.
I'd heard of the latter previously, and I've ordered that because the
A
> I'd recommend checking the next four octets as well; they'll be "00 00 00 00"
> or "00 00 00 01".
I've hacked up a magic(5) file which seems to work for me:
$ file *
inline.aa:BIND raw format zone file < v9.9
inline.aa.jnl:BIND journal file v9
> I don't know what you mean by that. Apex of what exactly - my zone
> file? Can you tell me exactly what the zone file should look like
> with the CNAME record at the "apex"?
Determine the address(es) for the target domain name
shop4water.hostedbywebtstore.com (I'm using 127.0.0.1 as an example
During a bout of excessive boredom I created a Lua back-end for DLZ's
dlopen() driver. If anybody is interested, I've put up a short
description [1] and the source code [2]. Patches are welcome. :)
-JP
[1] http://jpmens.net/2011/12/01/lua-back-end-for-bind/
[2] https://github.com/jpmens/d
> Has anyone tried the new features of rndc addzone|delzone with
> BIND-9.7?
> Will the zone added|deleted get transfered between master and slaves?
No, the newly added (or deleted) zone will not be automatcially added to
(deleted from) slave servers. (Slaves require a different zone
definition co
> $ORIGIN 184.16.172.in-addr.arpa.
> $TTL 14400; 4 hours
> 105 PTR GVC-E237-A01.wks-gvc.domain.com.
> 88PTR GVC-LIB-C07.wks-gvc.domain.com.
> 9 PTR gvc-busdrivers.wks-gvc.domain.com.
> 90PTR nb-csiler.
> I tried from google dns (8.8.8.8) also but didnt get AD bit set. This may
> be because 8.8.8.8 might not be configured for DLV validation.
Google's DNS servers don't do proper DNSSEC validation.
> Is there any open dns available from which I can check my domain for AD
> flag set??
> DNS OARC runs a pair of validating servers, open to the public.
It appears their BIND server has DLV anchor configured, but their
Unbound instance doesn't.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> Next great thing would be for ISC to support the Soft-HSM that
> OpenDNSSEC uses. I believe that this would make the step of moving to a
> real hardware HSM a lot easier (if necessary).
BIND has supported the PKCS#11 interface (./configure --with-pkcs11)
since 9.6 IIRC, so it ought to be possibl
> > Now if FreeBSD would just add 9.9 to the ports collection
>
> I generally don't add new versions until they are released,
ISC said today in the inline-signing Webinar, that 9.9 would probably be
released on February 7th. Maybe wait for that?
-JP
__
> include "/etc/bind/sites-enabled/*"
That won't work.
What you could do though is to create the content of the file you're
including, which ought to solve your problem.
cd /var/path
ls > /etc/bind/sites-enabled.include
And then in named.conf [ include "/etc/bind/sites-enabled
> the online documentation it says
> that addzone will add it to the config files. But after running a test,
> all this does is add it to the cache. So does this would mean that every
> time the cache is purged, I would have to run addzone again?
No. Zones are added to / removed from a .nzf "cache
Hello,
FWIW and for the record, I received an EntropyKey and have shortly described my
experience with it so far at http://dnssexy.net/903
Regards,
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this
> After setting up a zone with DNSSEC using inline-signing, I have run into
> the issue where if I do anything that updates the unsigned file that is
> input into BIND, that it never seems to update the signed data it generated.
I've previously [1] received "the Gold Star" for suggesting ;-)
> That said, instead of using 'rndc reload leadmon.org', I actually have to
> use 'rndc reload leadmon.org IN external', or internal as the case may be to
> separate the zone I am reloading.
Not here, in spite of multiple views; BIND 9.9.0rc1
-JP
_
> I consider it a feature, though opinions may vary.
I consider it a bug, and it's going to bite hard.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
htt
give or take some kludgery in the scripts that manage the config files
as Warren pointed out, configuration management can go a long way in
helping to get that set up; judicious use of templating, for instance,
can actually produce configs for NSD, BIND, and Knot. :)
-JP
10 ; include "/etc/bind/named.conf.local";
It is at this point, IMNSHO, that anybody attempting to configure a software of
the complexity of a BIND name server should begin to ask themselves what the
'include' directive might actually be. It is then, that said person would
probably begin looking
Are you leveraging your existing configuration management tools (e.g.
Puppet, Ansible, Chef)?
Ansible (my choice of poison) works well for this type of situation I find,
particularly because a lot of work can be done via Jinja templating. This
trivial example hopefully illustrates what I mean:
Where is the documentation for how to interpret log file content?
You might want to begin your journey at [1], followed by [2].
At least for querylogs you should find what you're looking for, many (most?)
other logs will require a bit of experience to interpret.
-JP
[1] https://kb.i
Ansible's template module is what you'd probably use for #1, the service
module (with handlers) for #2, and #3 comes out of the box when you use
Ansible.
While you might find existing roles and playbooks on the internets, I
would strongly recommend to vet them carefully in a test environment
Fun is a sufficient reason.
Definitely.
IATA airport codes to LOC:
% dig +short CDG.air.jpmens.net LOC
49 0 46.073 N 2 33 0.000 E 119.00m 1m 1m 10m
and more fun with an associated TXT:
% dig +short CDG.air.jpmens.net TXT
"cc:FR; m:Paris; t:large, n:Charles de Gaulle International Airport
Is there a guide on transitioning the DNSSEC signing algorithm,
One of the best concise instructions on doing this was written by Tony Finch
while at Cambridge, and I have used this [1] successfully a few times.
My recommendation: print it out, and use a red pen to tick off the individual
point
The values in the file dsset-example.com generated by signing the zone are not
good.
If they are 'not good' then it's possible you are using an outdated dsset
file. (And you are hiding domain names; I doubt example.com has been delegated
to you.)
dnssec-signzone creates dsset- files when sig
Suppose I was working on a problem for Barclays Bank
In that case I would think Barclays Bank's Platinum Enterprise BIND Support
contract would cover answering such questions.
-JP
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the de
I am ridiculed by an ISC member for using a reserved domain according to
For the record, assuming you mean me, I am not affiliated with the gold folk at
ISC.
-JP
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this
Does anyone know whether it's possible to generate with Bind these
kind of A records automatically on the authoritative side
BIND has DLZ, Dynamically Loadable Zones, which is an extension which allows
zone data to be retrieved from basically anywhere. DLZ are loadable modules
written in the C l
DLZ are loadable modules
I should have pointed to the documentation [1] and some example modules [2].
-JP
[1] https://github.com/isc-projects/bind9/tree/main/contrib/dlz/example
[2] https://github.com/isc-projects/bind9/tree/main/contrib/dlz/modules
--
Visit https://lists.isc.org/mailm
Does the $GENERATE directive in BIND zone files do what you need?
The $GENERATE statement is executed when loading the zone file results in an
expanded in-memory version of the zone being used. That can get quite large.
-JP
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to u
dnssec-policy default;
Slightly off-topic, but I believe ISC reccomend using a custom policy instead
of `default' in case the default changes in future.
view "internal" {
zone "penguinpee.nl" {
typeprimary;
file"dynamic/penguinpee.nl.internal.zone";
};
};
view "
(I've tried to reformat some of this; it was illegible to me and I'm probably
misreading some of it)
www IN CNAME www.baidu.com.
[root@centos7 ~]# dig www.kaixinduole.com# it should be cname to
You've not specified an address for dig to use so it's using you
the domain name is kaixinduole.com
Querying the SOA record for kaixinduole.com shows the SOA serial number
is less than what you showed in the screenshot:
;; ANSWER SECTION:
kaixinduole.com.21600 IN SOA ns1.kaixinduole.com.
shawn.kaixinduole.com. (
20220
All queries are from the same client whose ip is 192.168.100.126, but why the
port which each query from is so different?
The source port is random and it should be different.
I disabled the recursion of bind 9 ,but all the Recursion Desired flag was set
'+', this confused me. >
If you add
I just modified the serial number
this is not currently a problem, but please note that you've changed the first
four digits which are likely to 2023.
Also if the zone is reloaded there's no need to restart named.
Actually nothing changed ,
Indeed. Are you doing these changes on the
2. [image: image.png]
In this screenshot you've shown the result of `cat named.conf', but where's the
zone definition for kaixinduole.com? What we are seeing here is a recursive
server.
-JP
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC f
(putting this back on list)
thank you for the feedback,now I have already start the slave server
[root@bind-master-centos7 ~]# dig kaixinduole.com +nssearch
SOA ns1.kaixinduole.com. shawn.kaixinduole.com. 2022041566 3600 900 604800
86400 from server 52.130.145.30 in 0 ms.
SOA ns1.kaixinduole.com
26-May-2022 10:06:14.458 debug 3: zone penguinpee.nl/IN/external:
zone_rekey failure: unexpected error (retry in 600 seconds)
One of the first things BIND does, if I'm reading lib/dns/zone.c correctly, is
to attempt to lock the keys, and if it fails it emits that diagnostic.
Assuming the signin
20220317-a4qe._domainkeyTXT (
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAA
^ begin comment
OCAQ8AMIIBCgKCAQEAmEsWuQCj+OenaSQ3dM6WItExor
The bit from the first semicolon to the end of the line was missing.
Is that expected behavior?
A semicolon begins a comm
Using nsupdate when I try to delete an MX record for a domain, I get REFSUED.
REFUSED is also reported when attempting to update a non-dynamic zone. Are you
sure the zone you're trying to update is actually dynamic?
How do I remove and replace the MX record for a domain with nsupdate?
del o
Maybe in the future dnssec-signzone won't generate the deprecated entry to
begin with.
BIND 9.16.0 stopped generating SHA1 digests [1] :
"DS and CDS records are now generated with SHA-256 digests only, instead of
both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromk
A Beginner's Guide to DNSSEC with BIND 9.
Well done! A few comments, if I may:
1. in your zone stanzas you use the term "master" (type: master, ... masters
{}). BIND has been updated already a while ago to support the term primary, e.g. `type
primary;' and `primaries {};' (likewise for 'secon
The inline-signing feature will not go away.
Thanks, Matthijs, I stand corrected. I believe I had seen that in ISC
documentation and/or issues, but I will now stop saying that. :)
-JP
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds t
the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to
_not_ overwrite original zone files/data on signing.
I cannot confirm that (9.17.22):
% ls -1
example.aa
named.conf
% cat named.conf
options {
directory ".";
listen-on port 5301 { 127.0.0.2; };
The change is that with 9.16, if the requested name is a CNAME, only the
CNAME value is returned by dig, while with 9.11 dig would return both the CNAME
value and the IP of the CNAME.
as others have said, this needs more details, but I wonder whether you might
now be querying a server which has
Retried my named.conf with BIND 9.19.7-dev (Development Release)
which reports:
26-Oct-2022 21:31:42.021 /private/tmp/b/named.conf:11: 'inline-signing
yes;' must also be configured explicitly for zones using dnssec-policy without
a configured 'allow-update' or 'update-policy'. See
ht
101 - 181 of 181 matches
Mail list logo
