named[1095]: error (unexpected RCODE REFUSED)

2015-05-04 Thread Chris
8.247.135#53 Do I have something in my setup incorrect? Thanks for any advice Chris -- Chris KeyID 0xE372A7DA98E6705C 31.11°N 97.89°W (Elev. 1092 ft) 08:26:07 up 1 day, 11:08, 1 user, load average: 0.22, 0.24, 0.25 Ubuntu 14.04.2 LTS, kernel 4.0.0-997

named[10663]: network unreachable resolving

2016-08-11 Thread Chris
I use Bind as a local caching nameserver at my house mainly to speed up spamassassin queries. Until I upgraded my Ubuntu 14.04 to 16.04 last week all was working great. After the upgrade bind has been filling up my syslog with the above error. Running 'named -V' outputs: chris@localhos

Re: Syncing DNS zones with different names

2011-11-15 Thread Chris
Thanks for the advice guys. The DNAME record is something I'd never heard of, and is quite interesting. Unfortunately it does not quite fulfill my needs due to, as Chris pointed out, the inability to alias the records on the name itself. I think Barry's suggestion of a common zo

starting namd

2009-03-11 Thread Chris
p and udp allowed in my firewall. I'm sure whatever I'm doing wrong is stupid and simple but I can't seem to find it. Any help would be appreciated. Thanks Chris -- KeyID 0xE372A7DA98E6705C signature.asc Description: This is a digitally signed message part ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: starting namd

2009-03-11 Thread Chris
On Wed, 2009-03-11 at 21:29 -0500, Chris wrote: > I've just recently upgraded from Mandrake 10.1 to Mandriva 2009. I had > it running great before the upgrade. Tonight I installed BIND 9.5.0-P2 > via rpm and can't get it to start for some reason. named-checkconf gives > me

local caching nameserver

2009-03-19 Thread Chris
This is just a local box not connected to any others. Thank you for any advice Chris -- KeyID 0xE372A7DA98E6705C

Re: local caching nameserver

2009-03-19 Thread Chris
"; }; zone "168.192.IN-ADDR.ARPA" { type master; file "/var/lib/named/var/lib/named/master/empty"; }; My hosts file in /var/lib/named/etc and /var/lib/named/var/lib/named/etc is: 127.0.0.1 localhost.localdomain cpollock.localdomain cpollock l

the working directory is not writable

2009-07-30 Thread Chris
ignored? Thanks Chris Note - I'm only using bind as a local caching name server on my stand alone, single user box to speed up spam processing. -- KeyID 0xE372A7DA98E6705C

RE: Unknown RR in .in domain

2012-02-06 Thread Chris Thompson
ecific iterative stage it was working through at the time - in your example, the response of the authoritative "in" servers. -- Chris Thompson Email: c...@cam.ac.uk ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users t

Re: PLEASE READ: An Important Security Announcement from ISC

2012-02-08 Thread Chris Thompson
that these are "common in practice". Well yes, in spades! It would also be quite inconsistent with the existing credibility rules, and with the fact that in signed zones the delegation NS RRset is unsigned, on the basis that it is a hint, not authoritative. -- C

Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread Chris Thompson
correct? AFAIK 'rndc flush' will do the same. If you know the domain name in question, "rndc flushname ghost.example" should be enough. (BIND 9.9 has "rndc flushtree" as well, but I think clobbering the cached NS records for the ghost domain should be enough

Re: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Chris Buxton
prove the negative, and that happens by enumerating all the possible positive answers "near" the query. Regards, Chris Buxton BlueCat Networks On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote: > Dear Team, > > We have a Authenticated Response in DNSSEC through trust chain. >

Re: Efficacy of using short timeout values for an A record

2012-02-14 Thread Chris Buxton
ue to connect (and reconnect as needed) to whatever address was first retrieved via the stub resolver. Regards, Chris Buxton BlueCat Networks On Feb 14, 2012, at 2:59 AM, goran kent wrote: > Hi, > > I need to setup an A record for a machine who's IP might change > unexpectedly

Re: Efficacy of using short timeout values for an A record

2012-02-14 Thread Chris Buxton
data, but most implementations do not enable this. As I recall, the value has to be set in the source code before compiling the binary. Regards, Chris Buxton BlueCat Networks

Re: Query Regarding NSEC RR in DNSSEC

2012-02-15 Thread Chris Thompson
ameserver". The security functions end-to-end, between the zone administrator (she who generates its contents and signs it) and the validator, not point-to-point. -- Chris Thompson Email: c...@cam.ac.uk

Looking for speakers on DNS-related topics

2012-02-15 Thread Chris Westin
've put some suggested topics there on the meetup page, but I'm open to anything in this area. If you're going to be in the Bay Area on that date, and could give a talk, please contact me through that meetup, or at cwestin (at) yahoo (dot) com. Thanks! Chris Westin

Re: Logging issue with bind

2012-02-16 Thread Chris Thompson
> The default_debug channel has the special property that it only ARM> produces output when the server's debug level is nonzero. It's actually quite a pain that one can't define one's own channels with that "special property". -- Chris Thompson Email: c...@cam.a

Re: block ddns by name

2012-02-17 Thread Chris Buxton
t;*" name /^a-zA-Z0-9_\-/; }; > ? > > (For those who don't speak regex: deny all names with something in it what is > no letter or digit or underscore or dash. Does a check-names policy achieve this? I'm honestly not sure. BTW: _ is not a valid host

Re: named.conf splitting

2012-02-17 Thread Chris Buxton
topic: http://www.isc.org/community/blog/201107/major-improvement-bind-9-startup-performance http://www.isc.org/community/blog/201107/isc-bind-981b3-provides-startup-performance-improvements Regards, Chris Buxton BlueCat Networks On Feb 17, 2012, at 1:24 AM, Nick Edwards wrote: > Hi, > In a

Re: bind public/private domain question

2012-02-21 Thread Chris Buxton
accepts it - BIND sends answer back to client, along with the best auth and add'l data it has in cache, which might be from the root zone - Client gets answer, but drops auth and add'l sections Harmless. Normal. Nothing to be worried about. Regards, Chris Buxton BlueCat Networks

Re: Configuring a domain slave to look up subdomain hosts

2012-02-28 Thread Chris Buxton
. Disable forwarding selectively or remove it from your architecture completely. Regards, Chris Buxton BlueCat Networks

Re: Configuring a domain slave to look up subdomain hosts

2012-02-28 Thread Chris Buxton
on stub zones. Regards, Chris Buxton BlueCat Networks On Feb 28, 2012, at 3:11 PM, Mike Bernhardt wrote: > So, it seems that the stub zone only works as I expected if I disable ALL > forwarding- not just in the parent zone but also in global options. Is that > the expected behavior f

RE: RFC 6303 and bind 9.9.0

2012-03-01 Thread Chris Thompson
it up to date in most of my own nameserver configurations.] -- Chris Thompson Email: c...@cam.ac.uk

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
worrying about people using buggy pre-2006 versions of OpenSSL and go back to using RSA public exponents of 3 again most of the time. I notice that this is what VeriSign do for the DNSKEY records in "com", "net" & "edu". -- Chris Thompson Email: c...@cam.ac.uk

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
On Mar 7 2012, Bill Owens wrote: On Wed, Mar 07, 2012 at 12:13:35PM +, Chris Thompson wrote: This is wrong (although I have seen the same thing stated in a number of other places). When the default public exponent was changed from 3 to 2^16+1 (change 2088) the one selected by -e was

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Chris Thompson
6+1 except for the following: com, net & edu use 3 for all DNSKEYs gov uses 3 for its KSK and active ZSKs, 2^32+1 for an idle ZSK cz uses 2^16+1 for its KSK, 2^32+1 for its ZSK la my & us use 2^32+1 for all DNSKEYs -- Chris Thompso

Re: problem with bind manually installation on debian

2012-03-07 Thread Chris Buxton
On Mar 7, 2012, at 9:15 AM, mustafa alhussona wrote: > hi > i have problem with installing bind (i tried 9.7.4,9.8.1,9.9.0 versions) > service manually on debian squeeze, the problem is the service is installed > but i cant find the configuration file and there is some error logs, please > can

Re: Exercising RFC 5011 rollovers

2012-03-08 Thread Chris Thompson
the SERVFAILs no longer occur. I think this may indicate that the data structure in managed-keys.bind cannot quite capture all the complexities of RFC 5011. The BIND version used in the later part of this experiment was (early-access) 9.8.2rc2 but I doubt that is particularly sign

Re: NS record for subzone definition

2012-03-13 Thread Chris Thompson
ted as deep as you like[*] without you needing to make a zone cut. [*] subject to the overall limit of 253 characters on the fully qualified name -- Chris Thompson Email: c...@cam.ac.uk

Re: with subject: NS record for subzone definition

2012-03-13 Thread Chris Buxton
ate the NS records. If you are using the exact same set of servers for the subzone as for the child, and are not using DNSSEC, you can get away without the NS records, but you shouldn't get into this bad habit. Regards, Chris Buxton BlueCat Networks

Re: "rndc reconfig" vs. "rndc reload"

2012-03-22 Thread Chris Thompson
different process: instead of "rndc reload" after updating some of the zone files, I loop through the list of updated zone files and run "rndc reload " for each one. This is better, of course, if you can do it. -- Chris Thompson Email: c...@cam.ac.uk

Re: masters ordering in named.conf

2012-03-26 Thread Chris Buxton
Regards, Chris Buxton BlueCat Networks

Re: How to reset the serial number?

2012-03-26 Thread Chris Buxton
sure to reload the zone after each change, or if your zone is dynamic, use a dynamic update that adds the SOA record again and sets the new serial number. Regards, Chris Buxton BlueCat Networks

Re: How to reset the serial number?

2012-03-27 Thread Chris Thompson
of wrapping our serials round from MMDDNN style to seconds-since-1970, the stealth-slaving Windows DNS servers of that time (even the 2008 ilk) just could not cope, and went into a tizzy continuously trying to fetch the zones and then rejecting them for their "smaller" serials.

Re: How to reset the serial number?

2012-03-27 Thread Chris Thompson
uld work, but "rndc retransfer [zone]" is a lot simpler! -- Chris Thompson Email: c...@cam.ac.uk

Re: journal rollforward failed: journal out of sync with zone

2012-04-12 Thread Chris Buxton
ever mechanism caused it to be created), then you have to get rid of your cron job, or modify how it works. Arbitrarily replacing a zone file when there's a journal file can cause exactly the problem you're seeing. Chris Buxton BlueCat Networks > On 04/12/2012 02:03 PM, Phil Mayers

Re: Bind forwarding...

2012-04-15 Thread Chris Buxton
the name server (or some other host), rather than getting the real answer from Apple's name servers, what you want is an authoritative zone, not forwarding. zone "guzzoni.apple.com" { type master; file "short-circuit-queries.db"; }; Chris Buxton BlueCat

Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Chris Buxton
response policy (RPZ) to achieve this. Or you can use just about any non-BIND resolver (e.g. unbound) to achieve this. Chris Buxton BlueCat Networks

Re: www.glb.hud.gov

2012-04-19 Thread Chris Thompson
idation is off, I am not sure why it would be bothering to (try to) fetch the DNSKEY records. -- Chris Thompson Email: c...@cam.ac.uk

Re: Exercising RFC 5011 rollovers

2012-04-21 Thread Chris Thompson
managed-keys.bind file to remove the noxious entry, and then restarting it. -- Chris Thompson Email: c...@cam.ac.uk

Re: Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

2012-04-30 Thread Chris Thompson
anchors, which maybe does not bode well for them ever appearing in BIND. -- Chris Thompson Email: c...@cam.ac.uk

Re: dynamic update to SOA records

2012-05-01 Thread Chris Thompson
re-signing activity, but we assume it hasn't been doing so as often as once a second... -- Chris Thompson Email: c...@cam.ac.uk

Re: Secondary Zone 'Raw' File format

2012-05-04 Thread Chris Thompson
ee if you ran a sniffer during a zone transfer. You can convert it to text format to see what's in the file with: named-checkzone -D -f raw The other things that changed in BIND 9.9 is that there is a new version of the "raw" format (as in "-F raw=1" versus "-F

Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Chris Thompson
L directive than rely on it defaulting to the SOA.MINTTL value (or specify all TTLs explicitly). You probably meant "root.localhost." for the SOA.rname. -- Chris Thompson Email: c...@cam.ac.uk

Re: records via GENERATE

2012-05-14 Thread Chris Thompson
ration occurs while the zone file is being read, at startup or after e.g. an "rndc reload [zone]". -- Chris Thompson Email: c...@cam.ac.uk

Interaction of -S and recursive-clients?

2012-05-17 Thread Chris Thompson
numbers are reached only when the network has gone pear-shaped anyway.) -- Chris Thompson Email: c...@cam.ac.uk

Re: Interaction of -S and recursive-clients?

2012-05-18 Thread Chris Thompson
On May 17 2012, Daniel Deighton wrote: On 05/17/2012 12:20 PM, Chris Thompson wrote: [... snip ...] named: general: error: socket: file descriptor exceeds limit (4096/4096) last message repeated 1194 times named: general: error: socket: file descriptor exceeds limit (4096/4096) last message

Re: Checking for zone expiration?

2012-05-21 Thread Chris Thompson
". This works better if the files for "type slave" zones are kept in a separate directory (or directories) from the "type master" ones, if any. -- Chris Thompson Email: c...@cam.ac.uk

Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Chris Thompson
ts to 16M. got into BIND 9.5.0, but 2457. [tuning]max-cache-size is reverted to 0, the previous default. It should be safe because expired cache entries are also purged. [RT #18684] was there before 9.5.1, and AFAICS it has been like that e

Re: VMware & Bind

2012-06-05 Thread Chris Buxton
On Jun 5, 2012, at 9:58 AM, Manson, John wrote: > Will bind run on VMware? Yes. Chris Buxton BlueCat Networks

Re: transfer the same zone from a split-view master

2012-06-05 Thread Chris Buxton
from the slave server. - 'rndc reload' on both servers. - Check the logs and the slave's zone files. Chris Buxton BlueCat Networks

Re: Corrupted zone files on 9.9.1 slave, temp files with text contents...

2012-06-08 Thread Chris Buxton
Probably nothing. I believe the default format for slave zones is now compiled rather than text. Remove all the zone files on the slave and reload it. Chris Buxton BlueCat Networks On Jun 8, 2012, at 12:26 PM, David L. Beem wrote: > Just upgraded to 9.9.1 from 9.8.0, the end results seem to

Re: check-names via command line

2012-07-10 Thread Chris Thompson
"warn" anyway, but you may want to use "fail". -- Chris Thompson Email: c...@cam.ac.uk

Re: check-names via command line

2012-07-10 Thread Chris Thompson
". Well, I have to take that back. As far as I can see the -k option of named-checkzone has no effect at all, despite the man page, at least with BIND 9.8.3-P1. -- Chris Thompson Email: c...@cam.ac.uk

Re: check-names via command line

2012-07-11 Thread Chris Thompson
't check CNAME labels) ... :-( Apologies for the FUD. -- Chris Thompson Email: c...@cam.ac.uk

Re: rndc stats command

2012-07-18 Thread Chris Thompson
ics channel, but not in the file written by "rndc stats".] -- Chris Thompson Email: c...@cam.ac.uk

Journal File Question

2012-07-25 Thread Chris Nighswonger
portion of the zone file was "accidentally" deleted. I'm running BIND 9.7.0-P1 Kind Regards, Chris

Re: Journal File Question

2012-07-25 Thread Chris Buxton
On Jul 25, 2012, at 7:25 AM, wbr...@e1b.org wrote: > Chris wrote on 07/25/2012 09:04:49 AM: > >> Is it possible to restore a zone file from its associated journal file? > > No. The journal file only records updates to the zone. At best you would > only recover the chan

Re: Journal File Question

2012-07-25 Thread Chris Thompson
On Jul 25 2012, wbr...@e1b.org wrote: Chris Buxton wrote on 07/25/2012 12:07:22 PM: > It doesn't sync the files to make two equal copies. It applies all of the > outstanding transactions in the journal file to the zone file and then > empties the journal. I don

Re: Journal File Question

2012-07-26 Thread Chris Nighswonger
peat of this problem. Kind Regards, Chris

Re: Multi-master DNS with Bind

2012-08-06 Thread Chris Buxton
On Aug 5, 2012, at 11:26 PM, Evan Hunt wrote: >> Looking to find information as to whether I can set up bind for >> multi-master DNS. I want to be able to update DNS records via any or more >> than one nameserver in the domain and have the records updated and >> propagated regardless if the "master

Re: Multi-master DNS with Bind

2012-08-06 Thread Chris Buxton
On Aug 6, 2012, at 7:37 PM, john.debe...@teradyne.com wrote: > Don't know. I haven't used it. Do you have experience with it? > No, I don't have experience with DLZ. However, I believe multi-master DNS should be possible with DLZ and active-active database replication.

Re: Listen-on per view?

2012-08-11 Thread Chris Thompson
, i.e. on which of the nameservers's own addresses it arrived on.) Thinking in terms of "listen-on" was a category error. Views don't have separate listening apparatus. Instead the queries that come in are farmed out to the views on the basis of their matching conditions

Re: cname and soa record in the same zone file -- problem?

2012-09-19 Thread Chris Buxton
ectly, but I can't see how the bad effects would go any further than that. Perhaps someone else can explain how this misbehaves in this particular situation. Chris Buxton BlueCat Networks On Sep 18, 2012, at 8:08 AM, M. Meadows wrote: > > Why / how does this work? > >

Re: question about how a particular dig works ...

2012-09-19 Thread Chris Buxton
ry. But at least it's able to answer queries. Chris Buxton BlueCat Networks On Sep 18, 2012, at 9:59 AM, M. Meadows wrote: > > Thanks Kevin. I understand how the chained alias works. Sorry, I didn't > explain my question very well. > > I can see that the 8.8.8.8 goog

Re: does a stub zone require an IXFR?

2012-09-20 Thread Chris Buxton
names. Chris Buxton BlueCat Networks

Re: Moving from "type forward" to "type static-stub"

2012-09-20 Thread Chris Buxton
guration, are there any downsides to changing from forward > zones to static-stub? Type static-stub should work great here. Type stub, which has been around since before I started managing DNS servers (a very long time now), would probably also have worked. Chris Buxton BlueCat Networks

Re: statistics-file and file rotation

2012-09-20 Thread Chris Buxton
On Sep 20, 2012, at 5:38 PM, Alex wrote: > I have a bind-9.7.4 server running on fc15. I use the 'size' parameter > with the query log file to automatically rotate them. How can I do > this with the statistics-file file? It doesn't seem to be documented? AFAIK, you can&

Re: Unintended Consequences; I shut down the wrong bind.

2012-10-03 Thread Chris Buxton
r this reason, the default server in rndc.conf should always be some form of localhost. Chris Buxton BlueCat Networks

Re: Improved SSL Error Logging [RT #29932]

2012-10-10 Thread Chris Thompson
AILURE)); Presumably we need to change this code return (dst__openssl_toresult2( "RSA_public_decrypt", DST_R_VERIFYFAILURE)); similarly? -- Chris Thompson Email: c...@cam.ac.uk

Re: query (cache) 'domain.com/AAAA/IN' denied

2012-10-10 Thread Chris Buxton
ne is not loading for some reason. The reason it works locally and not remotely is, the local query is in the default allow-recursion ACL, but the remote host is not. The recursion settings are a red herring. Solve the missing 'aa' flag. Chris Buxton BlueCat Networks

Re: error (unexpected RCODE REFUSED) resolving

2012-10-12 Thread Chris Thompson
", which does seem to happen when the nameservers for a zone behave abnormally. This time I have got around to reporting it to bind9-bugs. -- Chris Thompson Email: c...@cam.ac.uk

Re: about the wild record

2012-10-15 Thread Chris Thompson
say the least. But you should notice that the above response - rcode NOERROR with an empty data section - is what RFC 2308 calls "NODATA", and not an NXDOMAIN. This is because test.cloudns.tk is an "empty non-terminal" in the name tree within the zone, and it is that which p

Re: about the wild record

2012-10-15 Thread Chris Buxton
the following names to cover all of the names other than s1.test: test.cloudns.tk. *.test.cloudns.tk. *.s1.test.cloudns.tk. Chris Buxton BlueCat Networks

Re: Disable log message

2012-10-18 Thread Chris Thompson
out with the internal defaults for category and priority (daemon.notice). Any suppression would need to be done at the syslog level. But I have some difficulty understanding why anyone would want it suppressed. It's true that BIND is a bit noisier t

Re: Disable log message

2012-10-19 Thread Chris Buxton
On Oct 19, 2012, at 6:22 PM, Warren Kumari wrote: > On Oct 19, 2012, at 9:17 PM, "Michael Hoskins (michoski)" > wrote: >> -Original Message- >>> On Oct 19, 2012, at 6:13 PM, Alan Clegg wrote: >>> >>>> >>>> On Oct 18, 201

Re: Disable log message

2012-10-21 Thread Chris Thompson
, the more that the actually executing named says about itself, the better. -- Chris Thompson Email: c...@cam.ac.uk

Re: BIND does not answer

2012-10-24 Thread Chris Buxton
eB, I don't see anything. > > What could be wrong, and how do I solve it? What tools are available to help > out? If I try to ask for recursive request (let's say www.google.com) from > anywhere, pointing at SiteA, I get a proper answer. What happens if you use 'dig +nore

Re: ISC Bind in Active Directory

2012-10-24 Thread Chris Buxton
do both -- use the client-supplied value if one is supplied, or else use the default. Bear in mind, I'm not saying client updates are necessarily bad, only that you could have done it the other way. Chris Buxton BlueCat Networks

Re: Delegations

2012-10-31 Thread Chris Thompson
providing records for the number of labels between cuts. I don't see how "safer" would apply, either. -- Chris Thompson Email: c...@cam.ac.uk

Re: Delegations

2012-10-31 Thread Chris Thompson
ames on the basis of a "domain part" taken to be all but the first label. It was hard work to change it to allow the "domain part" for authorisation purposes to be any trailing set of labels, but by ${DEITY?} it was necessary! -- Chris Thompson Email: c...@cam.ac.uk

Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-10-31 Thread Chris Thompson
e unsigned version provided by a DLZ interface? -- Chris Thompson Email: c...@cam.ac.uk

Re: BIND and DNSSEC

2012-11-01 Thread Chris Thompson
On Nov 1 2012, Jan-Piet Mens wrote: I do as well, and this will be documented in the next version of this document. I believe you've mentioned that here before. Several times. Today. ;-)  "What I tell you three times is true.” The Bellman, pp Lewis Carroll -- Chris Thompso

Re: Delegations

2012-11-01 Thread Chris Buxton
to Microsoft's DNS snap-in for MMC, whereby users then develop mistakes in their thinking about how DNS works and therefore are unable to properly troubleshoot and fix real problems when they occur. I would prefer to promote a correct understanding of the actual rules of DNS. Chris Bux

Re: Delegations

2012-11-01 Thread Chris Buxton
think this way when designing such a product. We have mostly managed to avoid this type of stupidity, but I still get tripped up by it occasionally. When I find it, it gets logged as a bug report, of course, because we have plenty of customers who rely on &qu

Re: Logging no such name

2012-11-20 Thread Chris Buxton
you are best off using a packet sniffer of some kind. There are even commercial offerings available from multiple vendors that will capture, collect, and analyze this data for you. Chris Buxton BlueCat Networks

Re:

2012-11-30 Thread Chris Buxton
e pretty useless. If there isn't a matching A record in the videolinedvd.com zone as served by those two servers, it just won't work. Chris Buxton BlueCat Networks

Re:

2012-11-30 Thread Chris Buxton
>> actually, they have glue A record in .com zone: >>> >>> ;; AUTHORITY SECTION: >>> videolinedvd.com. 172800 IN NS ns1.videolinedvd.com. >>> videolinedvd.com. 172800 IN NS ns2.videolinedvd.com. >>> >>> ;; ADDITION

Re: Expiration TTLs

2012-12-02 Thread Chris Buxton
er is not a TTL timer. The two are different. Zone expiration should usually be at least a week. I've set mine to 6 weeks. This timer has nothing to do with the refresh interval, which is also defined in the SOA record. Chris Buxton BlueCat Networks

Re: Expiration TTLs

2012-12-03 Thread Chris Buxton
On Dec 2, 2012, at 6:10 PM, Paul Romano wrote: > Chris. > Thanks for the correction on the term TTL instead of timer. The engineer I > inherited this environment from has the refresh set to 40 minutes and the > zone expiration set to 2 hours. The explanation I got was that

Re: Can't find named_dump.db

2012-12-03 Thread Chris Buxton
" being "/etc/bind/" the working > directory of the server. Look in /var/cache/bind. That's the working directory for the bind9 package default configuration. (To see this, use 'grep directory /etc/bind/named.conf.options'.) Chris Buxton BlueCat Networks

Re: Requesting tips on setting TTLs so that expired RRSIG data doesn't stay in the zone

2012-12-14 Thread Chris Buxton
olver, on encountering a stale RRSIG, would typically query one of the zone's authoritative servers directly (in the absence of forwarding configuration) to get a current RRSIG record. Therefore, the only problem these expired RRSIGs might cause is a little bit of

Re: With the announcement that: “Advisory — D-root is changing its IPv4 address on the 3rd of January.”

2012-12-14 Thread Chris Buxton
7.3-P3 on the Auths, and 9.8.1-P1 on the resolvers. > > We currently do not use a root hints file – If we put a hints file in > named.conf, then will named will use it, rather than the compiled in hints? Yes. Chris Buxton BlueCat Networks

Re: Duplicate records?

2012-12-21 Thread Chris Buxton
ias. If the target of that alias changes (gets a new address, gets a new MX record, or whatever), the alias need not change to gain the same benefit. Deciding when to use a CNAME record in place of one or more other records is a matter of taste, management tools, and use cases. Chris Buxton BlueCat

Re: set directory for "auto" key files

2013-01-07 Thread Chris Thompson
}; zone "232.128.in-addr.arpa" { type slave; file "slave/232.128.in-addr.arpa"; journal "slave-jnl/232.128.in-addr.arpa"; ... }; ... One slight niggling disadvantage is that you can't tell named-checkzone / named-compilezone with the -j option where to find the journ

Noisy messages from BIND about root hints change

2013-01-07 Thread Chris Thompson
cords for "." and the address records for the *.root-servers.net names so referenced. But why did it keep going on and on about it? And what made it stop? Has anyone else seen anything similar? -- Chris Thompson Email: c...@cam.ac.uk

Re: Transfers-out

2013-01-08 Thread Chris Buxton
On Jan 8, 2013, at 1:24 PM, Manson, John wrote: > Can this option be used in a ‘slave’ config to prevent out-bound transfers? > Transfers-out 0; > The 9.9.2 ARM is ambiguous. Wouldn't it be simpler to just write this instead, in your options statement? allow-transfer { none; };

Re: lame-servers: error (FORMERR) resolving [something]

2013-01-15 Thread Chris Thompson
dig +trace +nodnssec www.isc.org -- Chris Thompson Email: c...@cam.ac.uk

Re: MNAME not a listed NS record

2013-01-18 Thread Chris Buxton
he client will try three times, assuming these three cases are all different. (I'm not counting potential retries to the same target to attempt use of GSS-TSIG.) I believe nsupdate behaves the same as dhcpd, but it's been a while since I last tested this. Chris Buxton BlueCa

Re: private trust anchor

2013-02-11 Thread Chris Buxton
nd validate the responses. Type forward? Really? I didn't expect that to come from someone at ISC. Use 'type stub' instead, with a masters statement rather than a forwarders statement. Chris Buxton
