Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-02 Thread Cathy Almond
On 01/06/2023 15:58, Jesus Cea wrote: I am getting errors "Name huawei.com (SOA) not subdomain of zone cloud.huawei.com". The problem raises when requesting on oauth-login.cloud.huawei.com . The problem was described in the mailing list: https://lists.isc.org/pipermail/bind-users/2021-Ja

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-06 Thread Cathy Almond
On 02/06/2023 13:59, Jesus Cea wrote: > On 2/6/23 10:38, Cathy Almond wrote: >> Has this just started - as in, it worked before ... when? > > No idea. We have been bitten by this because a new client. The issue > could be for ages, no idea.> That may be so. For the clien

Re: Stub zones, but secndary?

2023-11-20 Thread Cathy Almond
Have you looked at mirror zones for root? Zone type "mirror" = it's appropriate for "." but not for other zones. (Oh - and don't forget to disable ixfr for this zone when you do that - it's more efficient for the validation step) Details in the BIND ARM. Cathy On 19/11/2023 21:10, Elmar K.

Re: Can I set TTL served to users in bind?

2012-03-09 Thread Cathy Almond
On 09/03/12 08:22, Jeff Peng wrote: > On 2012-3-9 16:11, Drunkard Zhang wrote: >> I got some bind servers doing iteration resolution, and return the >> results to users. But I found that some names got too big TTLs, whose >> RRs can not be replaced correctly by new RRs in time. This leads to >> user's

Re:

2012-03-14 Thread Cathy Almond
On 13/03/12 20:46, Mark Andrews wrote: > > In message , Daniel McDonald > writ > es: >> >> On 3/13/12 8:20 AM, "hugo hugoo" wrote: >> >>> ==> do I have to create in zone "toto.be" the following NS record: >>> >>> titi.toto.be. TTL IN NSns1.xxx.be >>> >>> >>> I ha

Re: BIND 9.9.0 assertion failure

2012-03-14 Thread Cathy Almond
On 14/03/12 10:11, Eivind Olsen wrote: >> In BIND 9.9.0(CentOS 4.6) >> >> Mar 9 06:58:51 X named[17533]: general: critical: client.c:318: >> INSIST(client->newstate <= 3) failed, back trace

Re: journal rollforward failed: journal out of sync with zone

2012-04-13 Thread Cathy Almond
Is the journal file on the master (the source of the zone files that are transferred via cron jobs) or on the slave (the recipient of the zone files)? Why are you using ixfr-from-differences - what operational purpose does it serve for you? The other thing to consider also is your operational pro

Re: ADB messages

2012-06-15 Thread Cathy Almond
On 17/11/11 19:28, Binu B Nair wrote: > Hello, > > I am getting the following informational messages on starting named after > installing bind 9.8.1-P1 on a set of resolvers. Please advise. > > 18-Nov-2011 03:35:14.872 database: info: adb: grow_entries to 1531 starting > 18-Nov-2011 03:35:14.874

Re: Moving DNS out of non-cooperative provider

2012-06-21 Thread Cathy Almond
On 19/06/12 11:18, Alexander Gurvitz wrote: >> >> 3282. [bug] Restrict the TTL of NS RRset to no more than that >> >>of the old NS RRset when replacing it. >>[RT #27792] [RT #27884] >> > > Just to clarify - does this rule applies also whi

Re: Bind 9.8.1-P1 is crashing again and again

2012-07-03 Thread Cathy Almond
On 02/07/12 14:32, Gaurav Kansal wrote: > Dear Team, > > > > My BIND DNS Server is crashing again and again. > > > > I am getting these logs: > > > > Jul 2 12:03:33 gaurav named[30523]: query.c:5379: INSIST(!is_zone) failed, > back trace > > Jul 2 12:03:33 gaurav named[30523]: #0 0x8

Re: getting edns disabling message in logs

2012-07-04 Thread Cathy Almond
On 04/07/12 07:12, Ben wrote: > Hi Tony, > > Thanks for your kind response. Disabling EDNS due to firewall > misconfiguration, raise any problem to DNS activity.? I mean my users > face any name resolution problems or ...? https://kb.isc.org/article/AA-00708/55/Why-does-BIND-log-messages-about-d

Re: getting edns disabling message in logs

2012-07-05 Thread Cathy Almond
On 04/07/12 20:14, Michael Hoskins (michoski) wrote: > -Original Message- > > From: Tony Finch > Date: Wednesday, July 4, 2012 7:54 AM > To: Cathy Almond > Cc: "bind-users@lists.isc.org" > Subject: Re: getting edns disabling message in

Re: BIND CPU load problems

2012-07-11 Thread Cathy Almond
On 10/07/12 13:08, Phil Mayers wrote: > On 10/07/12 12:56, Shon Stephens wrote: >> Dear Mike, >> >> I am not being hit with a Denial of Service attack and the query >> logging doesn't appear to be any different from other hosts in the DNS >> complex. There are no errors in logs or messages fil

Re: BIND 9.9.1-P1 reload bug

2012-07-11 Thread Cathy Almond
> This just happened on our nameserver: > > 11-Jul-2012 13:54:01.711 general: info: received control channel command > 'reload' > 11-Jul-2012 13:54:01.712 general: info: loading configuration from > '/etc/named.conf' > 11-Jul-2012 13:54:01.891 general: critical: server.c:4436: fatal error: > 11-J

Re: BIND 9.9.1-P1 reload bug

2012-07-12 Thread Cathy Almond
On 12/07/12 08:20, Michael Hoskins (michoski) wrote: > stupid question: i spent all of five minutes looking around isc.org -- but > i did click all the top-level bind-related links, and couldn't find a > pointer to rt to search for this ticket. does it require a support > contract, is it internal-

ISC Security Advisory: High TCP Query Load Can Trigger a Memory Leak in BIND 9

2012-07-24 Thread Cathy Almond
ISC Security Advisory: Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00730 please use this URL for the most up to date advisory information. Title: High TCP Query Load Can Trigger a Memory Leak

ISC Security Advisory: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9

2012-07-24 Thread Cathy Almond
Note: This email advisory is provided for your information. The most up to date advisory information will always be at: https://kb.isc.org/article/AA-00729 please use this URL for the most up to date advisory information. Title: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failur

BIND 9.7.6-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.7.6-P2 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can al

BIND 9.6-ESV-R7-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.6-ESV-R7-P2 is the latest production release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P2. Please see the CHANGES file in the source code release for a complete

BIND 9.8.3-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.8.3-P2 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can al

BIND 9.9.1-P2 is now available

2012-07-24 Thread Cathy Almond
Introduction BIND 9.9.1-P2 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P2. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can al

Re: BIND 9.8.3-P2 is now available

2012-07-30 Thread Cathy Almond
On 30/07/12 06:50, John Marshall wrote: > On 25/07/2012 04:04, Cathy Almond wrote: >> Introduction >> >> BIND 9.8.3-P2 is the latest production release of BIND 9.8. >> > > Would whoever is responsible for release announcements please note that > this wasn&

Re: What does "deleted from unreachable cache" mean?

2012-08-02 Thread Cathy Almond
On 19/07/12 00:49, Peter Olsson wrote: > Hello! > > After my latest bind upgrade our slave server started > occasionally writing these messages to the log: > > master 2a02:::::2#53 (source ::#0) deleted from unreachable cache > > master 62.xxx.xxx.2#53 (source 0.0.0.0#0) deleted from

Re: What does "deleted from unreachable cache" mean?

2012-08-03 Thread Cathy Almond
On 02/08/12 19:00, Michael Hoskins (michoski) wrote: > -Original Message- > > From: Peter Olsson > Date: Thursday, August 2, 2012 10:25 AM > To: Cathy Almond > Cc: "bind-users@lists.isc.org" > Subject: Re: What does "deleted from unreachable cach

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond
On 30/08/12 03:19, GS Bryan wrote: > My BIND version, as shown by 'named -v' is BIND > 9.9.1-P1-RedHat-9.9.1-2.P1.el6. > > 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever. > -- > Bryan S.G. > You're correct - named-checkconf doesn't see the problem, but named error

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond
On 30/08/12 03:17, GS Bryan wrote: > hmm... that explains it. > > Damn, DNSMadeEasy needs to have notify notices sent to a different IP > set than their nameserver service. This means that I have to hardcode > this myself. > > Another question then, if zone 'example.net' has the NS records of > '

Re: about the wild record

2012-10-15 Thread Cathy Almond
On 15/10/12 05:23, pangj wrote: > Hello, > > I have setup a wild record for cloudns.tk, the record: > > *.cloudns.tk. 300 IN A 209.141.54.207 > > And I added another A record as this: > > s1.test.cloudns.tk. 300 IN A 8.8.8.8 > > After adding this record, the

Re: Bind 9.9.2 ADB Question Update

2012-11-15 Thread Cathy Almond
On 15/11/12 15:49, Manson, John wrote: > The adb grow-names process? does not appear to be related to recursive cache > as I cleared cache while monitoring syslog and the counter kept increasing. > However a reload did start the adb grow-names process anew. > Both shown below > > . > . > . > Nov

Re: Bind 9.9.2 ADB Question Update

2012-11-15 Thread Cathy Almond
On 15/11/12 16:17, Cathy Almond wrote: > On 15/11/12 15:49, Manson, John wrote: >> The adb grow-names process? does not appear to be related to recursive cache >> as I cleared cache while monitoring syslog and the counter kept increasing. >> However a reload did start the a

Re: "rndc sign", "auto-dnssec maintain" and TYPE65534 record "stickyness"?

2012-11-27 Thread Cathy Almond
On 26/11/12 14:47, Phil Mayers wrote: > All, > > Up front, I should note that this was on a hidden master server which > was running 9.7.0 (since updated). So it may not work this way on > current versions of bind. > > We (well, I) had a little accident recently when rolling a ZSK. We use > "auto

Re: Preference of Master Name Servers

2012-12-07 Thread Cathy Almond
On 06/12/12 14:12, Matus UHLAR - fantomas wrote: > On 05.12.12 17:28, David Hall wrote: >> Question 1: >> In our secondary / slave name servers we specify the master name >> servers in >> the normal manner: >> zone mysample.me.uk { type slave; file "m/y/db.mysample.me.uk"; masters { >> 10.10.100.12

Re: Named stopped loging?

2013-01-02 Thread Cathy Almond
On 28/12/12 15:54, Manson, John wrote: > Good Day > > Running 9.9.2 for about a month now with no worries. > Today I noticed only the reload message in the namedlog and not the zone > messages that are usually there after stopping and restarting the named > process. > > Worked fine on the 26th

Re: Noisy messages from BIND about root hints change

2013-01-11 Thread Cathy Almond
On 07/01/13 17:14, Chris Thompson wrote: > One (but only one) of our recursive nameservers, running BIND 9.8.3-P4 > we got a whole lot of messages in the log as a result of last week's change > of address for d.root-servers.net: > > Jan 4 06:24:08 recdns1.csx.cam.ac.uk named[9496]: general: warni

Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Cathy Almond
On 17/01/13 15:16, wbr...@e1b.org wrote: > Alberto wrote on 01/17/2013 10:09:00 AM: >> - I want to define in my dns server a zone "external_partner.com", >> which is the domain of our partner who manages it with his dns >> public server "dns.external_partner.com". >> - I need to define into this

Re: disabling lame server logging

2013-02-27 Thread Cathy Almond
On 26/02/13 21:34, Bryan Harris wrote: > Hi Robert, > > On Feb 26, 2013, at 2:23 PM, Robert Moskowitz wrote: > >> >> On 02/26/2013 01:57 PM, Doug Barton wrote: >>> On 02/26/2013 10:38 AM, Robert Moskowitz wrote: I would like a scalpel for lame logging, but probably would not discover a

Re: Stalling slave transfers

2013-05-08 Thread Cathy Almond
On 08/05/13 08:26, Tom Sommer wrote: > Hi, > > I have a problem with one of 3 slave servers, all set up the exact same > way, with the exact same bind version and configuration. > > One slave has a problem transferring zones from the master. > > The logfiles are flooded with "received notify for

Re: Stalling slave transfers

2013-05-09 Thread Cathy Almond
On 08/05/13 19:15, Tom Sommer wrote: > > On 5/8/13 12:25 PM, Cathy Almond wrote: >> On 08/05/13 08:26, Tom Sommer wrote: >>> Hi, >>> >>> I have a problem with one of 3 slave servers, all set up the exact same >>> way, with the exact same bind ve

Re: Stalling slave transfers

2013-05-17 Thread Cathy Almond
On 15/05/13 15:58, Tony Finch wrote: > Tom Sommer wrote: >> >> That works fine, but I think I figured out the problem, it was due to >> the server having acquired a 2nd (autodiscovered) IPv6 address, and it >> was using that as transfer source. It would be very helpful if the >> logfile said the a

Re: redirecting root hints to fake internal root server

2013-08-28 Thread Cathy Almond
On 27/08/13 21:28, Kevin Darcy wrote: > On 8/27/2013 1:07 PM, Colin Harvey wrote: >> My environment is firewalled from the real world. For queries on >> zones to which I'm not master, I want to recurse to a corporate >> server. nslookup some.internal.hostname.com internal.corporate.server >> work

Re: Slave displaying all domain info when using $INCLUDE on master

2013-09-05 Thread Cathy Almond
On 05/09/13 09:54, Jobst Schmalenbach wrote: > Hi. > > I have a master/slave combo, the master is ok, displays the correct info when > queried, but the slave displays too much info, including the internal stuff. > > The master uses two zone files (*internal and *external) that each include > di

Re: caps compiling error

2013-11-26 Thread Cathy Almond
On 26/11/2013 16:56, Paul A wrote: > Yeah I have compline Bind on that machine many times currently I'm on BIND > 9.8.4-P2. > > Not sure what header file is missing. > > -Original Message- > From: bind-users-bounces+razor=meganet@lists.isc.org > [mailto:bind-users-bounces+razor=megane

Re: Unable to transfer IPv4 reverse zone

2013-12-20 Thread Cathy Almond
On 19/12/2013 23:32, Daniel Lintott wrote: > I have now tried recreating the zone file on the master, removed and > re-added the configuration for the zone on both master and slave, yet > still I am unable to transfer the zone. > > I have also added the following logging to the master server: > >

Re: Unable to transfer IPv4 reverse zone

2013-12-20 Thread Cathy Almond
It might be a silly question - but have you checked how many instances of named you have running on the master (thinking that you might not be 'talking to' the one you think you are)? Cathy

Re: changing NSEC3 salt

2014-02-06 Thread Cathy Almond
On 05/02/2014 18:54, David Newman wrote: > The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every > time a zone's ZSK changes. > > Is this just a matter of a new 'rndc signing' command, or is some action > needed to remove the old salt? > > thanks > > dn rndc signing -nsec3param

Re: changing NSEC3 salt

2014-02-06 Thread Cathy Almond
On 06/02/2014 12:58, Timothe Litt wrote: > On 06-Feb-14 05:56, Cathy Almond wrote: >> On 05/02/2014 18:54, David Newman wrote: >>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every >>> time a zone's ZSK changes. >>> >>> Is this

Re: how to modify the cache

2014-02-17 Thread Cathy Almond
> Use a "stub" zone if you want to "override" published NSes _without_ > crossing the very-important boundary between iterative and recursive > resolution. Actually no - use static-stub (newer versions of BIND) - otherwise the NS records received from the zone may override the NS that you want to

Re: Bind vs flood

2014-02-28 Thread Cathy Almond
On 28/02/2014 17:57, Chris Buxton wrote: > On Feb 28, 2014, at 2:12 AM, Jason Brown > wrote: > >> But, it will respond with a valid response (your choice) and therefore >> not create a servfail due to trying.. that’s my point. >> >> ** >> > > Nope. RPZ only alters re

Re: High recursive client counts

2014-03-25 Thread Cathy Almond
On 25/03/2014 16:14, Jason Brandt wrote: > Mike, > > I appreciate your insight here. We are indeed on virtual systems, > using enterprise grade hardware as well. I will be doing more > investigation today, to see if I can duplicate the behavior, which I > have been able to do recently. > > Yo

Re: Problem dlz_mysql_driver

2014-06-06 Thread Cathy Almond
On 04/06/2014 08:25, Claudia Koch wrote: > Hello, > > I've a installation of bind 9.4.0 with dlz_mysql_driver and I have a > zone test.de. In this zone I have a record > > *.dev IN A 1.2.3.4 > > With dig a.dev.test.de I've get the answer 1.2.3.4. > > Now I like to do a update to debian 7.0 and

Re: stub zones

2014-06-06 Thread Cathy Almond
On 02/06/2014 23:38, John Miller wrote: > So... without stub zones, you know the drill: your local resolver > follows delegation, starting from the root nameservers. Delegation > happens, and life is good. If you're running views, then things work > fine as well: your view just needs to be config

Re: unable to obtain neither an IPv4 nor an IPv6 dispatch

2014-07-18 Thread Cathy Almond
It might have something to do with the number of CPUs that named detects when it starts, which (by default) drives how many listening tasks it starts per listening interface. BIND 9.10 changed the defaults slightly, but you can also control how many listening tasks per interface using the -U optio

Re: Bind 9.9.5 high CPU and when will Bind9.8 EOL?

2014-07-29 Thread Cathy Almond
Have a look at reducing -n to the number of physical cores (which might be 4 or 8) and then also have a look at -U (number of listening tasks per interface). Multiple listeners defaults to -n (number of worker threads). It's worth trying some tuning experiments from n/2 to n-1. What works best

Re: unable to obtain neither an IPv4 nor an IPv6 dispatch

2014-07-31 Thread Cathy Almond
On 24/07/2014 01:35, Matthew Calder wrote: > At the moment I'm limited to using 2 UDP listeners per interface. When > stress testing I can see that only 2 out of 4 CPUs are being used, I'm > guessing because I'm limited to 2 listeners. Any suggestions for what > could be limiting BIND from using a

Re: bind-9.10.0-P2 memory leak?

2014-09-15 Thread Cathy Almond
... > Heh thanks, yeah...initially I was erring on the side of caution and using > 9.9.x because it's served us well (~20k recursive clients without any > significant problems). Meanwhile we've been keeping a close eye on > community comments, and to be honest opinions wax and wane. Just as I > t

Re: something about rrl

2014-09-24 Thread Cathy Almond
On 22/09/2014 11:55, 陈超 wrote: > Dear developers, > > I've recently encountered a problem with the response rate limit of > bind-9.9.5. > > That is,after I configured RRL and started named,I noticed for those > queries,BIND9 would do recursion first,and check the rate limit to decide > whether

Re: BIND listen backlog too small

2014-10-17 Thread Cathy Almond
On 16/10/2014 23:52, Shawn Zhou wrote: > Thanks Mark. That's what I was looking for! > > > On Thursday, October 16, 2014 3:36 PM, Mark Andrews wrote: > > > > 2fd63cf5 (Mark Andrews 2003-04-10 02:16:11 + 279) > tcp-listen-queue ; > More info here too: https://kb.isc.org/artic

Re: named assertion failure

2015-01-07 Thread Cathy Almond
On 06/01/2015 04:11, James Brown wrote: > Running BIND 9.10.1-P1 on Mac OS X 10.10.1. It’s been running fine - no > problems until this morning, when I got: > > > 06-Jan-2015 01:33:33.356 transfer of 'rpz.spamhaus.org/IN/external' > from 199.168.90.51#53: T

Re: Different answer when querying @server from different clients

2015-03-09 Thread Cathy Almond
On 08/03/2015 16:00, Steven Carr wrote: > On 8 March 2015 at 13:50, Barry S. Finkel wrote: >> Using "+trace" with "@8.8.8.8" ignores the "@8.8.8.8", as >> that server is never queried when the query starts at the root >> and moves down the DNS tree to authorized servers. > > Incorrect, specifying

Re: Issue in calling same zone in more than one VIEW

2015-05-29 Thread Cathy Almond
On 29/05/2015 10:39, Gaurav Kansal wrote: > Thanks for information. > Is there any other way by which I can define the zone (which are same for > all views) outside the view or anything else by which I don't need to > replicate the file for all the views. > > Regards, > Gaurav Kansal > > -Ori

Re: delay between nsupdate and NOTIFY

2015-06-05 Thread Cathy Almond
On 05/06/2015 07:39, Charles Musser wrote: >> >> Adjust serial-query-rate. This also controls the notify rate in BIND 9.9. >> A separate control "notify-rate" is coming in BIND 9.11. >> > Today we tried increasing serial-query-rate from our original value of 1000 > up to 5000 for a while, and the

Re: Automatic . NS queries from BIND

2015-06-17 Thread Cathy Almond
On 16/06/2015 01:51, Kevin Oberman wrote: > On Mon, Jun 15, 2015 at 1:29 PM, Darcy Kevin (FCA) > mailto:kevin.da...@fcagroup.com>> wrote: > > Right, we know how hints files are used, but I think you guys may be > missing the underlying conundrum: why is named querying the NS > records

Re: file descriptor exceeds limit

2015-06-18 Thread Cathy Almond
On 18/06/2015 12:00, Matus UHLAR - fantomas wrote: > On 17.06.15 22:39, Shawn Zhou wrote: >> BIND on my resolvers reaches the max open file limit and I am getting >> lots >> of SERVFAILs >> http://pastebin.com/SxRsHLff > >> After I increased the max-socks (-s 8192) to 8192, I no longer saw the >>

Re: BIND slave server ignoring responses to all UDP-based SOA queries (zone refresh) for hours at a time

2015-07-07 Thread Cathy Almond
What can happen (and this is really really subtle) is that if there are some source ports that named could randomly select, but where intermediate firewalls or filters are just dropping, either the SOA refresh queries, or the responses, then named can 'get stuck' on using and re-using the same refr

Re: rndc status field meaning please

2015-07-21 Thread Cathy Almond
Hi, I don't think we do document the output from "rndc status" explicitly line by line in the BIND Administrator Manual, so I'll respond to your questions below, and I'll see about getting the documentation updated. For anything else you need to know, please refer to the manuals https://kb.isc.or

Re: Negation in view match-clients ACL doesn't work?

2015-08-06 Thread Cathy Almond
On 04/08/2015 21:29, Darcy Kevin (FCA) wrote: > The short answer is that that is how address-match-lists work: a non-negated > match allows access, a negated match denies access, and if there is *no* > match, access is denied. The only real reason to use a negated match, > therefore, is when wha

Re: root hints operation

2015-11-17 Thread Cathy Almond
On 17/11/2015 02:31, Grant Taylor wrote: ... > The idea that a (maliciously) blank root.hints file would prevent BIND > from using the compiled in version is new to me. If someone *could* maliciously replace a file on your DNS server with a blank one, you have more problems than just a blank root

Re: Bind bind high recv-q

2015-12-04 Thread Cathy Almond
On 04/12/2015 12:34, Tony Finch wrote: > Søren Andersen wrote: >> >> I'm experiencing some strange problems with my bind installation. - I >> notice my bind recv-q is quite high sometimes.. therefore my DNS clients >> can experience DNS lookup to take 1-4 secs. My bind is running on a 4 >> core vm

Notice: scheduled maintenance on lists.isc.org commencing 0200 UTC Thursday June 23 2016

2016-06-22 Thread Cathy Almond
ISC's Operations Team will be performing software upgrades on lists.isc.org commencing on Thursday June 23 2016 at 0200 UTC. Our online mailing list information and list archives will be unavailable during this period, and any postings to the lists will be held and distributed once the maintenance

Re: named and use of resolv.conf? - how to "learn" this

2016-08-09 Thread Cathy Almond
On 03/08/2016 14:59, Matthew Pounsett wrote: > > > On 2 August 2016 at 19:50, Evan Hunt > wrote: > > On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote: > > Yes it will. But, as far as I understand, it uses the recursive code > paths > > to do th

Re: rndc on local host: need named running?

2016-08-29 Thread Cathy Almond
On 28/08/2016 02:48, Lyle wrote: > Use any in the allow stanza. You'll be using a shared key for this to work anyway, but I'd suggest being slightly more paranoid than 'any' in the allow stanza - perhaps the address range in which your local machine is to be allocated its address?

Re: NSEC3 salt change - temporary performance decline

2020-06-09 Thread Cathy Almond
On 29/01/2020 11:50, Klaus Darilion wrote: > Hello Niels! > > Thanks for bringing this to attention. I have reported it before [1][2] > without response. > > We see this regularly. AFAIS it happens actually always, but if the IXFR > is small, the performance decline is so short that you usually wo

Re: A And Cname-record

2020-06-22 Thread Cathy Almond
On 17/06/2020 22:44, Ejaz Ahmed wrote: > when i am trying to add A and CNAME record together for the same > subdomain, getting an error as below, you all kind assistance would be > highly appreciated thanks in advance > > my records are as follows in zone > > auotdiscover IN A 1.1.1.1 > autod

Re: 9.16 needs more RAM then 9.11

2021-04-21 Thread Cathy Almond
On 19/04/2021 20:11, Klaus Darilion wrote: > Hello! > > On our servers where we use Bind 9.16, named needs approx. 29G RAM. On the > servers with Bind 9.11 named needs approx. 25G RAM. > > Is this a known issue? Are there some config options to tune memory > consumption? Are these resolvers, a

Re: Forward map update unsuccessful from windows - IPv6

2010-08-19 Thread Cathy Almond
The named log shows two attempts to add records. The first succeeds the second fails due to the prerequisite check. Looking at the reverse address request that succeeds we have an address of: fd80:1010::de74 While the dhcpd log message has an address of: fd80:1010::f274 Are you perhaps look

Re: discrepancy with rndc dumpdb -zones

2010-09-01 Thread Cathy Almond
Hi Gordon, We've not seen this before (and it doesn't sound like anyone else has either). What version of BIND is it? Has it reappeared since? Is this a particularly heavily loaded/busy server? Does it have recursive cache as well as authoritative zones? Kind regards, Cathy Gordon A. Lang w

Re: DNSSEC, views & trusted keys...

2010-09-10 Thread Cathy Almond
Phil Mayers wrote: > On 09/10/2010 03:05 AM, Mark Andrews wrote: >> >> In message<4c891404.3000...@imperial.ac.uk>, Phil Mayers writes: >>> On 09/09/2010 03:45 PM, Timothe Litt wrote: >>> There is other advice in the ARM that says to put 'your organization's public keys in the truste

Re: bind 9.6-esv-r1 segfault

2010-09-25 Thread Cathy Almond
Hi Sergey, At the moment this doesn't sound like anything we've seen before. Please could you report it to bind9-b...@isc.org: https://www.isc.org/software/bind/news We'll need the core dump, the binary that generated it and the libs associated with the binary (ldd named should capture the list w

Re: BIND 9.7.2-P2 is now available.

2010-10-06 Thread Cathy Almond
Hi Florian, It's this one which is also in 9.6-ESV-R2: 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877] Regards, Cathy On 03/10/10 11:06, Florian Weimer wrote: * Mark Andrews: * If BIND, acting as a DNSSEC validating server, has two or more trust

Re: RNDC for 9.7.1 p2

2010-10-08 Thread Cathy Almond
Hi Anand. It sounds like when you did the upgrade, either you didn't install the new rndc utility, or it installed somewhere else rather than replacing the old one that you encounter first from your path variable? If you did a make install, did you give configure the same parameters that you

Re: BIND 9.8.0b1 Released Today

2011-01-24 Thread Cathy Almond
On 24/01/11 10:56, Matus UHLAR - fantomas wrote: > On 21.01.11 10:45, Sue Graves wrote: >> * BIND now supports a new zone type, static-stub. This allows the >> administrator of a recursive nameserver to force queries for a >> particular zone to go to IP addresses of the administrator's choosing

Re: BIND 9.8.0b1 Released Today

2011-01-24 Thread Cathy Almond
> so, iiuc, the difference is that "type forward" sends queries with RD bit > set, while "type static-stub" sends them with RD cleared... and > the "forward first" option appears to be applicable only in forward zones. > > did I get it right? Yes > > I use forward zones for blacklists - while I

Re: Public Advisory on DNSSEC Failures with New DS Records

2011-02-07 Thread Cathy Almond
Stephane, It looks like something went awry on the website. We've fixed it. Thanks for the heads-up. Cathy On 07/02/11 08:49, Stephane Bortzmeyer wrote: > On Fri, Feb 04, 2011 at 04:11:03PM -0800, > Larissa Shapiro wrote > a message of 37 lines which said: > >> The full advisory is located

Re: bind makes RRSIG disappear?

2011-02-07 Thread Cathy Almond
Hi Gilles, You've identified a corner-case bug - the logic is incorrect in the case where the ACL holds "none" instead of being empty. There's no compile-time option - but we are treating what you've reported to us as a bug (RT #23120). It is currently under investigation/discussion. Many thank

Re: Q on clients-per-query, max-clients-per-query

2011-03-24 Thread Cathy Almond
> > So, does BIND behave the same whether it is a single PC making 100 queries > for > the same record compared to 555 PCs making queries for the same record? > That is, how does BIND treat "clients-per-query, max-clients-per-query" > differently based upon the query requesters' IP address(es)

Re: Resolver issue - drop in qps and memory leak

2011-04-08 Thread Cathy Almond
Hi Dennis, There are some fixes for cache management issues on recursive servers that have been released recently. This sounds like it might have been one of those problems. If you want to stay on 9.6, then I'd recommend 9.6-ESV-R4 to you. Otherwise you might like to take a look at 9.7.3. Cathy

Re: EDNS request problem on TTL=0 data

2011-06-28 Thread Cathy Almond
On 27/06/11 16:39, Paul Wouters wrote: > On Mon, 27 Jun 2011, Florian Weimer wrote: > >>> 1 Is this problem happening because EDNS failure is not remembered for >>> forwarders? >> >> There is no realiable way to detect EDNS support in forwarders, so there >> isn't anything to remember, really. Sa

Re: Fwd: Re: Fwd: Re: Difference between netstat & rndc status

2011-07-05 Thread Cathy Almond
On 05/07/11 06:25, Bind wrote: > -Original Message- > From: "Bind" > To: "Mark Andrews" > Date: Tue, 05 Jul 2011 09:55:03 +0430 > Subject: Re: Fwd: Re: Difference between netstat & rndc status > > > Thanks for your best support and answers all the time. > Could u explain more about

Re: BIND 9.6.1-P3 Vulnerabilities

2011-07-14 Thread Cathy Almond
On 07/06/11 16:21, Borgia, Joe A CTR USAF AFMC AFRL/RIOS wrote: > BIND 9.6.1-P3 seems to be a somewhat old release of BIND, and yet, I can > find no vulnerabilities listed on the ISC Security Advisories pages. Am > I missing something? Yes. :-( https://www.isc.org/software/bind/security/matrix CV

Re: stub zone

2011-07-26 Thread Cathy Almond
On 25/07/11 20:55, ju wusuo wrote: > Would like to use the BIND stub zone function, however, heard that ISC > considers stopping support to stub zone in the future, is that true? I think we may have confused some people in the past about support for this because of what's written in the ARM abou

Re: CVE-2011-1910 vs bind 9.6-ESV-R4-P3

2011-08-03 Thread Cathy Almond
On 03/08/11 10:25, Issam Harrathi wrote: > Hi all, > when i see this about the affected version by the CVE-2011-1910: 9.6: 9.6.3, > 9.6-ESV-R2, -R3, -R4, -R5b1 > does this mean that the 9.6-ESV-R4-P1 is affected? I know it's a bit unwieldy and large at the moment (we have thoughts on how to remedy

Re: what does dig +trace do?

2011-09-02 Thread Cathy Almond
On 31/08/11 16:36, Tom Schmitt wrote: > What strikes me as odd is that the first query does return 4 (internal) root servers, but no glue records ? >>> >>> I have no idea why this is this way. >> >> Because +trace only displays the answer section of the responses by >> default. >> Try "d

Re: R: Bind DLZ and Postgres 8.4.8

2011-10-05 Thread Cathy Almond
On 04/10/11 21:38, Job wrote: > Hello, > > everything is fine, I patched the source tree! > > Thank you, regards! > > Francesco Whose source tree? Is the patch something that would be useful/appropriate to share here? Regards, Cathy

Re: host versus nslookup

2011-10-15 Thread Cathy Almond
On 12/10/11 23:09, Kevin Darcy wrote: > As far as I know, only HP-UX has hacked nslookup to look at /etc/hosts. > And I don't think it even looks at the "switch" file or other naming > sources (e.g. Yellow Plague). HP-UX's nslookup "enhancement" is a > one-off, I believe. For the record, on HP-UX i

Re: maximum number of FD events

2011-10-26 Thread Cathy Almond
On 25/10/11 21:09, Fr34k wrote: > > > Hello, > > Environment: Solaris10 SPARC and x86, BIND 9.7.3-P3 and 9.8.1 > > Anomaly: In our logs, we have been noticing "maximum number of FD events" > entries. For example, > named[8592]: [ID 873579 daemon.info] sockmgr 288760: maximum number of FD

Re: (Non existing domain) query lookup logs in a seperate log file

2011-11-13 Thread Cathy Almond
On 13/11/11 07:59, babu dheen wrote: > Dear Support, > > Can anyone help me how to enable a separate log file for NXDOMAIN(Non > existence) DNS query lookup in BIND? > > Regards > Papdheen M BIND doesn't log query responses - only queries received. There are statistics available on how m

Re: Can't compile bind 9.8.1-P1 on Solaris

2011-11-17 Thread Cathy Almond
On 17/11/11 05:33, King, Harold Clyde (Hal) wrote: > With great help I got Bind 9.8.1 to compile on solaris but I can not get > Bind to start up. I am getting: > > 17-Nov-2011 00:31:23.609 initializing DST: openssl failure > 17-Nov-2011 00:31:23.609 exiting (due to fatal error) > > Is anyone else

Re: Question About max-clients-per-query

2011-11-21 Thread Cathy Almond
There's a bit more information about how clients-per-query works in this article here too - and importantly, make sure you're on a current version of BIND to avoid a bug with it (but you'd be updating anyway for CVE-2011-4313?): https://www.isc.org/software/bind/advisories/cve-2011-4313 https://d

Re: query-source to all

2009-08-10 Thread Cathy Almond
Nelson Serafica wrote: > Is it possible to set query-source to all? I'm using AMAZON EC2 and I > want to setup a DNS Server. I just notice it was bind to private ip > address. Since the public ip address was not on the OS ( probably a NAT > define by AMAZON), I cannot connect to it even just a teln

Re: Recursive Query.

2009-08-11 Thread Cathy Almond
I would recommend tracing or similar to find out why your named daemon is not able to send to the IP address being logged. You may find that there are network connectivity issues or that the remote IP is sending back an ICMP response. The reason this particular logged error is seen on HP-UX is se

Re: Bind9.6 & Pkcs#11

2009-08-14 Thread Cathy Almond
徐东 wrote: > Hi all, > I installed the BIND 9.6 and saw the new features in Bind > 9.6. > I noticed that the Bind 9.6 gave a support for pkcs #11, but in the > file *README.pkcs11*, I found this feature was tested with the SUN Solaris, so i
