e statement.
My personal recommendation: get over the idea of looking at zone
files; use "dig axfr example.com. | less". Let named manage and
serve the DNS data as it will. Comments can be included as TXT
records if you like.
--
the "rndc stats" output, in real time as needed, and
designed to be easily parsed by automated tools.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
also the ISC KB article on best practices for resolvers.
I probably missed something, but that's a good start.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
e.
>
> Does anyone have any insights or suggestions?
A query will only be forwarded if RD is set and recursion is
permitted for that client, as you have already discovered.
Perhaps a zone of type "stub" or "static-stub"
tually run that /16 zone ... 168.192.in-addr.arpa.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
t. :/
Or start eating bugs? ;)
/me stares at a lightning bug going by the window (a light meal)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
e distributor if we don't know
the distro & version.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
r 19 years ago!)
Various commercial DNS appliance vendors have implemented GUI
frontends, but those are now within reach of mere mortals.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
this fallback isn't a very good idea
anyway; you'll probably be better off just doing the recursion
without forwarders in the picture.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
your IP address is and we
might be able to tell you who to contact.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>> match-clients {
> >> // this list must match 127.0.0.1
> >> any;
> >> };
> >> zone "itd.umich.edu" {// this zone is different in the two views
> >> type master;
> >> file "
about 500 or even more.
>
> Does anyone have ideas how reduce server loads because bind is
> problem...
If that is so, how did you determine that? How could we know?
> Thank you for answers or ideas.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob
essages is nsupdate."
So if I wanted my home server to be able to nsupdate with a SIG(0)
key, that works, but I can't have my named use that key to AXFR or
IXFR my zones?
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject
ates, and TSIG for restricting AXFR.
Good enough. Makes sense, anyway, not to expect too much from a
single key. I'll do this as well.
Thanks for taking the time to reply.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subj
nt.
How/where do you get these DS records with dynamic signing? My
dsset-nodns4.us. was generated by dnssec-signzone(8). I see no
mention in the ARM about this.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
have answered
most of the "how", but the replies covered the "why". Thanks again.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
On Tue, Apr 26, 2011 at 10:15:18AM +0100, Phil Mayers wrote:
> On 04/26/2011 02:13 AM, /dev/rob0 wrote:
> > Is there any
> >reason why I can't use the parent zone's KSK for the dynamic
> >zone? Better yet, is there a reason why I shouldn't?
>
> Better
zones/ directory, and symlinked back. But any given zone
in general should not need more than one key-directory. What is the
real problem and goal here?
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
with a plain "make".
(The script falls back to plain "make" if the "make -j7" fails, of
course. I don't know if mine did or not, because I didn't watch it,
and now the evidence is gone.)
--
Offlist mail to this
name server servername.
When no server statement is provided, nsupdate will send updates
to the master server of the correct zone. The MNAME field of
that zone's SOA record will identify the master server for that
zone."
--
Offlist mail to this address is discarded unle
http://www.spinics.net/lists/netfilter/msg49676.html
The approach for DNS, at least on the UDP side, will have to be
similar, because this whole attack would be in conntrack --ctstate
ESTABLISHED (after the initial refused query.)
--
Offlist mail to this addr
is is typical for many or most busy
domains: they do a rudimentary form of load balancing through DNS
results. Nothing interesting here.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
On Wed, Jun 01, 2011 at 09:54:04AM +0200, Jan-Piet Mens wrote:
> > Does anyone else find the bind-users list to be very slow?
>
> Yes, very. [Pressing 's'end at 09:54 CET]
I think it's moderated. Sending at 11:16 UTC.
--
Offlist mail to this address is discarde
isn't part of the BIND distribution, so questions about its use are
offtopic here.
Mark threw you a fish for the other domain. I'm giving you a fishing
net. Jump in there now and catch some fish!
--
Offlist mail to this address is discarded unless
"/dev/rob
ike to gain a greater understanding of what is going on.
And now, as July 1 has passed and July 9 approaches, can you share a
summary of what you found? Thanks.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
> - If I do a reverse zone resolution I suppose that the more
> specific zone (for 10.10.10.10 zone 10.10.10.in-addr.arpa) would
> be the chosen by Bind to respond (instead of 10.in-addr.arpa). Is
> that true?
I have no idea. You could try it and see? Or, just do it as I
suggested, which
56.dhcp-bl.indiana.edu. IN A 10.100.60.256
First one is valid, second one is not.
That said, I wouldn't have thought that a $GENERATE range could go
"over the top" like that, so to speak. I could see calling that a
possible bug.
--
Offlist mail to this addres
w .XXX TLD is included in that list.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
is "0.0.0.0 port 53". You will probably also want
different directory settings. See listen-on and directory in ARM
chapter 6.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
t,alert} message in
syslog.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
o compile
and install, which is fine for me, but what should I do if I needed
DLZ support?
> In general, issues like this are best sent to the
> bind9-b...@isc.com alias, which opens a ticket in our bug
> database. I'll do so now.
--
Offlist mail to this address is discarded
What I should perhaps do: separate the authoritative named instance
from the recursive one on the mail server. I suppose BIND 10 does
this, by design?
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
ean, are you blocking APNIC space?
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
I:testing that incorrectly signed transfers will fail...
> I:initial correctly-signed transfer should succeed
> I:ns4 server reload successful
> I:failed
> I:unsigned transfer
> I:bad keydata
> I:partially-signed transfer
> I:unknown key
> I:incorrect key
> I:exit statu
nk this is what you are asking), IXFR is not
possible without the journal, and the journal is created by dynamic
update. Both master and slave should then fall back to AXFR.
--
Offlist mail to this address is discarded unless
"/dev/rob0"
e, quoting from the OP:
> > > > We upgraded our DNS server from bind 8.2.3 to bind 9.2.1.
> > > > "named" worked without any problem about 1 day. ...
When upgrading, it makes no sense at all to choose an ancient,
unmaintained version as replacement software.
--
tstore is not the same as hostedbywebstore;
we're sticklers for precise spelling.
Also note that other workarounds will solve the same problem in a
better way.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
at a minimum has NS records for
shop4water.com, and your zone *must* contain SOA and NS records for
shop4water.com.
Those SOA and NS violate the rule that a CNAME cannot coexist with a
record of the same name and any other RRtype.
--
Offlist mail to this address i
ou are asking regarding "risk" and other
implementations.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
nding. Perhaps you can
elaborate on what you want to do and why?
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
y people who
have a poor understanding of DNS.)
This was my reply in a thread last month; refer to the entire thread
for more:
https://lists.isc.org/pipermail/bind-users/2011-December/085918.html
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen o
file "named.root";
};
"
Each project is well-documented; refer to the manual pages as
indicated and to the BIND 9 ARM for more information.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in
umed, perhaps wrongly, that the dnsmasq configuration
wasn't mangled to the point of not listening on port 53. When that
assumption is valid, this does indeed work fine.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0"
"FAIL" in xfer
> . The same story with bind-9.8.1-P1: compilation OK but 'make test'
> failed. We are stuck since we cannot go ahead with installing any
> new version when the test fails.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlis
d it won't
handle modern CDN systems properly.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
es into detail.[1] My
personal recommendation, however, is that if you wish to learn more
about how DNS works, consult a book such as the Cricket book.
[1] Sorry, I am too lazy this morning to look it up for you.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "
r of my config if it would be of use.
>
> zone "stc.corp" IN {
> type forward;
> forwarders { 10.21.0.100; 10.21.0.101; };
> forward only;
> };
Oh, another thing you can try; offhand I don't know if it will work,
but try a zone of type "
ct 127.0.0.1:53 (both TCP
and UDP) to :1035 (or other such non-privileged port as needed.)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
On Fri, Sep 30, 2016 at 01:32:29PM -0400, jratl...@bluemarble.net wrote:
> On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote:
> >>
> >> This seems to indicate that the servers at 10.21.0.100 and 101
> >> are telling me that stc.corp domain is DNSSEC enabled.
isy, very quickly.
Coincidentally, I happen to be working on this very issue, with a
different approach: shortened TTL for conntrack entries for UDP DNS.
It came up on the Netfilter mailing list recently. I'll be sure to
post here when that (a documentation patch) is completed.
--
http
.html
(Users of BIND 9.8 and earlier versions would need to contact their
distributor for support.)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
it might not be worth it.
You might also want to look at dnstap. NOTE: I have not tried
either, so I don't know if they'll report what you want to see.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
e-key; 192.168.1.0/24; };
This way, any query ("query" being a generic term including
nsupdates) signed by the update-key is not routed to your
"internal" view.
> };
> };
> };
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only i
> > 86400 ; minimum (1 day)
> > )
> > NS local.atlanta.com.
> > NS kabulvm8.atlanta.com.
and these, likewise.
NS local
NS kabulvm8
> > ;A Records
> > local
use this format (missing owner names) you should
keep all the same names together.
I suggest always using an owner name on every line. It might not
look as pretty, but it is definitely more grep-friendly.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in
ou implement your "courteous" NXDOMAIN abuse?
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
ular rabid
> weasels and that pair of pants.
>---maf
LOL, perfect, thanks for that one. I've seen you use it before, but
it's especially fitting in this thread. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
n carrying the
President (or for any USMC aircraft which might happen to
transport the President, for that matter.)
[2] Similarly, this would be the designation of a USMC aircraft
transporting the Vice President.[3]
[3] And all this is terribly o
't be resolved through the regular authority for example.com
(or whatever subzone might be delegated.)
This is, however, a feature of dnsmasq. Simply list the name and
address in /etc/hosts and that name [only] is served out via DNS to
your local resolver clients.
--
http://rob0.nod
";"
inside the catalog-zones option. I spoke to Witold, who told me the
syntax was modeled after response-policy. Fine, but note that
another multi-setting option, rate-limit, terminates subordinate
options with semicolons. So I still think there is some inconsistency.
--
h
ke to log everything else but not the reverse
> resolution queries.
Why (and why not?) What's the actual problem? And what do you plan
to do with all those query logs? Query logging has a substantial
impact on server performance.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen
is still there, and your wildcard
A record in the zone would not be used for that name.
> Has anyone else come across this?
That's the best guess I can come up with without seeing the query and
the zone data. If you need more help you will have to share that
information.
--
htt
On Tue, Jun 20, 2017 at 09:29:59AM -0500, /dev/rob0 wrote:
> On Tue, Jun 20, 2017 at 09:17:58AM -0400, Maria Iano wrote:
> > Thanks for your answer. There are no other records with that name
> > in the zone, and an ANY query comes back empty but still with
> > status of NOER
thing will use it.
> Does zbc.com (for example) need DS, or is just passed by the TLD?
Zbc.com. is not a zone, it is a CNAME in the com. TLD. There would
be no NS to delegate to, therefore no DS.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/r
nger listening on 127.0.0.1#53 Aug
> 8 16:00:19 FedoraServer named[10120]: no longer listening on
> 50.124.80.106#53 Aug 8 16:00:19 FedoraServer named[10120]: exiting
And named obediently did a clean shutdown.
Your issue might more effectively be dealt with in a Fedo
r search configuration in /etc/resolv.conf
>
> man resolv.conf
Note that this still work for dig(1) and host(1) as per the OP's
examples. But things like ping(1) and browsers will work with a
search domain.
--
http://rob0.nodns4.us/
Offlist GMX mail is s
rding to both DNSViz and Verisign's dnssec-debugger this has put
me back in business for the time being. For some reason I am not
successful in wrestling with Godaddy over the new DS, but that's not
a matter for this list.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only i
s
nice mailing list. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
u would
need to share it with us: "named-checkconf -px" (leave off "x" if
you're using RHEL who like to stay back from useful "new" features
added to software they distribute.)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0"
n article on compiling BIND for
Windows. But again, I doubt that could be the problem.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
(1)? Or are you talking about a slave receiving a
notify and pulling a zone transfer? "Zone update fails" is an
ambiguous phrase.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
n "rndc reconfig". When testing
is completed, remove that and "rndc reload".
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
dns, why not just use those forwarders for
all queries? What benefit could there be in querying the ISP
nameservers first?
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
t's
very easy to run your own caching resolver.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
The certificate for lists.isc.org expired today, and because of STS
my browser does not allow a security exception.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
this, so you need Windows help. I'm unable to provide
that. Good luck.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
aware of the feature, so they distribute
named.conf with kludges.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
1 cannot be routed to on the Internet, so this is not
really an urgent matter.
> but what is a quick way for me to change/recreate the key/secret?
See the rndc-confgen manual.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0
rsion, because it hyperlinks to
relevant syntax documentation in chapter 6. And again, see the KB.
TSIG can be used for any form of query, including the notify sent
from master to slave[s]. See the section in ARM chapter 6, on
"server Statement Grammar".
--
http://rob0.nodns4.us/
Offl
under /etc.
> However, PowerDNS seems a good server I am willing to explore the
> option.
Indeed, and I know some PDNS developers; they're good folks and
highly competent.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: