Re: how to reduce unnecessary lots of AAAA queries?

2012-03-04 Thread Chuck Anderson
On Sat, Mar 03, 2012 at 09:24:25AM +, MontyRee wrote: > surely, I don't use ipv6 and "NETWORKING_IPV6=no" was configured at > /etc/sysconfig/network file. That doesn't prevent IPv6 from being autoconfigured on an interface, it just tells the initscripts to ignore IPv6/pretend it doesn't exist

Re: ISC Bind in Active Directory

2012-10-27 Thread Chuck Anderson
> I don't disagree that broadcast netbios probably should be disabled > (though it's not at our site, for historical reasons, and I'm not > sure I'm willing to take on the monumental task of disabling it). > > WINS is slightly different, and the main reason to disable it is > that it hides misconf

Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-18 Thread Chuck Anderson
On Mon, Feb 18, 2013 at 03:32:53PM -0500, Robert Moskowitz wrote: > My registration is up for renewal; it expires 4/6/13 so this is a > good time to move. But of course my domain is locked and I can't > see on NS account page how to change that. Dyn can probably help you with how to get NetSol to

Disabling RPZ for a few clients / views sharing zones

2014-02-06 Thread Chuck Anderson
What is the best way to disable RPZ for a few clients (without forcing those clients to use different DNS server IPs)? I think I could create a new view that has all the same zones and zone contents except for the RPZ one. If I go this route, is it still required to set up per-view IP aliases on

Re: Disabling RPZ for a few clients / views sharing zones

2014-02-06 Thread Chuck Anderson
On Thu, Feb 06, 2014 at 09:50:26AM -0800, Doug Barton wrote: > On 02/06/2014 06:27 AM, Chuck Anderson wrote: > >I was kinda hoping that newer > >versions of BIND could share zones (with identical zone contents) > >between views without requiring the messy multiple IP alias

Re: Disabling RPZ for a few clients / views sharing zones

2014-02-06 Thread Chuck Anderson
On Thu, Feb 06, 2014 at 02:49:03PM -0600, Jay Ford wrote: > I like the "trick" of having view A pull the zone from the real master & > notify view B, while view B pulls the zone locally from view A, using TSIG > keys to indicate the "other" view for the notify & transfer. > > Adapting your config,

disabling stateful firewalls for DNS traffic

2014-03-01 Thread Chuck Anderson
In the following two Best Practices documents, it is recommended to disable stateful firewalls for DNS traffic (outbound on recursive servers, and inbound on authoritative servers). Can people share their Linux iptables configurations for how they have accomplished this? https://deepthought.isc.o

Re: disabling stateful firewalls for DNS traffic

2014-03-01 Thread Chuck Anderson
On Sat, Mar 01, 2014 at 03:35:25PM +, Phil Mayers wrote: > The DNS-QUERY chain allows all traffic inbound to port 53 and > fragments, and denies all other TCP/UDP. It permits all others, > which is relatively open but you could lock this down to allowing > ICMP etc. if you wanted. > > The DNS-

Re: .prod issues

2014-09-05 Thread Chuck Anderson
On Fri, Sep 05, 2014 at 08:04:05AM -0500, Reade Taylor wrote: > I have a subdomain prod.mydomain.com today all of our internal resources > that use this prod subdomain stopped being able to reach each other. I > believe the issue is related to the release of .prod as a TLD. Is there a > way I can

differing TTLs in RRSet, same label/class/type

2014-09-24 Thread Chuck Anderson
RFC 2181 section 5.2 says that differing TTLs in RRSet with the same label/class/type should be deprecated with the behavior that an authoritative server should reply with all the TTLs set to the lowest TTL in the RRSet: "Should an authoritative source send such a malformed RRSet, the client shoul

Re: Reverse resolution ambiguities

2014-09-25 Thread Chuck Anderson
On Thu, Sep 25, 2014 at 11:39:37AM +0200, Lars Hanke wrote: > Now we decided to move our authentication to a samba4 based AD. This > means that the AD runs yet another domain .ad.my.official.tld, which > introduces a third name for those systems, which joined the domain. > But not all systems are

rndc stop hangs, named stuck at FUTEX WAIT

2014-12-13 Thread Chuck Anderson
For the second time (at least), an automatic BIND update on Scientific Linux 6 (RHEL 6 clone) failed to restart the named process. The RPM package runs this to restart: postuninstall scriptlet (using /bin/sh): /sbin/ldconfig if [ "$1" -ge 1 ]; then /sbin/service named try-restart >/dev/null 2>&

Re: rndc stop hangs, named stuck at FUTEX WAIT

2014-12-13 Thread Chuck Anderson
On Sat, Dec 13, 2014 at 11:05:52AM -0500, Chuck Anderson wrote: > For the second time (at least), an automatic BIND update on Scientific > Linux 6 (RHEL 6 clone) failed to restart the named process. The RPM > package runs this to restart: ... > Now I believe what is happening is

Re: Looking new RPMs for CentOS 6.

2015-02-09 Thread Chuck Anderson
On Mon, Feb 09, 2015 at 01:03:51PM +, Phil Mayers wrote: > On 09/02/15 13:00, Reindl Harald wrote: > > > >Am 09.02.2015 um 13:33 schrieb Phil Mayers: > >>On 09/02/15 01:29, Carl Byington wrote: > >>>On Sun, 2015-02-08 at 16:10 +0200, Eliezer Croitoru wrote: > I had some issues in some old v

Re: Getting Error || unable to convert errno to isc_result

2015-02-12 Thread Chuck Anderson
Perhaps you should update the OS to RHEL 6.5 or 6.6 which may have a newer BIND? Or at least grab the latest RHEL or CentOS package from 6.5 or 6.6 and install it on RHEL 6.0. Or if you don't want to use the Red Hat patched version and want the absolute latest version, get the RPM from here: htt

Re: Request to provide procedure for bind upgrade

2015-02-16 Thread Chuck Anderson
Fedora Core 6 is no longer supported. It went End-Of-Life in 2007: http://en.wikipedia.org/wiki/Fedora_%28operating_system%29#Releases On Mon, Feb 16, 2015 at 10:16:37AM -0500, Sundram Bharti wrote: > Hi Team, > > My DNS current version is "BIND 9.8.4-P1" and OS is "Fedora Core > release 6 (Zod

on TTL expiry BIND sends 'ANY' query, gets back 'NOANSWER'

2015-04-08 Thread Chuck Anderson
I have load balancers (I know, run away now) acting as authoritative servers for a GSLB zone. The sub-zone is delegated properly from my main zone which runs BIND. All my clients are using the BIND server as their caching resolver. Every once in a while, my mail server gets back a 'NOANSWER' for

Re: on TTL expiry BIND sends 'ANY' query, gets back 'NOANSWER'

2015-04-08 Thread Chuck Anderson
I forgot to mention, this is on RHEL 6.6's package of bind, named -V returned "BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2", so I don't think 9.10's prefetch feature is involved. On Wed, Apr 08, 2015 at 03:25:16PM -0400, Chuck Anderson wrote: > I have load balancers (

Re: on TTL expiry BIND sends 'ANY' query, gets back 'NOANSWER'

2015-04-08 Thread Chuck Anderson
On Wed, Apr 08, 2015 at 03:58:00PM -0400, Barry Margolin wrote: > In article , > Chuck Anderson wrote: > > 1. On TTL expiry, BIND sends an 'ANY' query for the RR in question to > >the authoritative servers for the zone (load balancers). This > >h

Re: on TTL expiry BIND sends 'ANY' query, gets back 'NOANSWER'

2015-04-11 Thread Chuck Anderson
On Thu, Apr 09, 2015 at 12:31:14PM +0100, Phil Mayers wrote: > On 08/04/15 22:00, Chuck Anderson wrote: > > >No, you are right. My filtered view of the packet capture was missing > >the fact that another unrelated client did an 'ANY' query. I found it > >in th

Re: "sinkhole" DNS with external hosts

2015-09-19 Thread Chuck Anderson
I'm not sure keeping "dnssec-enable yes" is a good idea, because you are creating a fake root zone and you won't have the real root keys to sign answers with. The best way I've found to allow some DNS queries to resolve to their regular answers is to create a forward-only zone. That way you don't

Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Chuck Anderson
On Wed, Mar 23, 2016 at 01:51:58PM +, Tony Finch wrote: > Lightner, Jeff wrote: > > > > With systemd the methodology isn't that BIND notifies other things that > > it is up. It is that other things, if dependent upon BIND, have in > > their systemd files a requirement that BIND be up before t

stale cache in alternate views?

2011-01-10 Thread Chuck Anderson
I'm using bind-9.5.1-P3 (yes, I know it's old). I have a zone in multiple views. When I update the zone and reload, the "match-clients { any }" view sees new DNS records right away, but another view doesn't see them for "a while". Given this configuration: view "global" { match-clien

Re: stale cache in alternate views?

2011-01-10 Thread Chuck Anderson
It was pointed out to me that order of views matters, and indeed I do have the correct order in my config--I just pasted it out of order in my original email. Here is the corrected version where I still have this problem. On Mon, Jan 10, 2011 at 03:09:40PM -0500, Chuck Anderson wrote: >

Re: Defense against a client?

2012-01-16 Thread Chuck Anderson
On Mon, Jan 16, 2012 at 01:13:44PM +0100, Tom Schmitt wrote: > > Original message > > Date: Mon, 16 Jan 2012 11:49:46 +0100 > > From: Roel Wagenaar > > Subject: Re: Defense against a client? > > > > > In this case iptables is your friend. > > > > One of my solutions is part

Re: Defense against a client?

2012-01-16 Thread Chuck Anderson
On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote: > * Chuck Anderson: > > > Unfortunately, these sorts of per-IP limiting are going to become more > > and more inappropriate with the likes of Carrier Grade NATs, since > > there will be many subscribers sh

Re: IPv6 TCP

2009-12-28 Thread Chuck Anderson
On Mon, Dec 28, 2009 at 07:56:56AM -0800, Pamela Rock wrote: > I posted this query a while ago but have not yet been able to resolve the > issue... > > I have a DNS server and client that can ping each other using ping6. The > following query works: > > dig -6 test.com +notcp > > When I quer

Re: DNS format error

2010-04-27 Thread Chuck Anderson
On Tue, Apr 27, 2010 at 07:40:20PM -0600, ic.nssip wrote: > I hope somebody can tell me why I'm getting so many "DNS format > error" on a DNS Server running BIND 9.7.0 on a Solaris 10 machine. > The server is resolving queries fine for normal traffic. It's just > syslog that gets tons of messages

Re: IPv6 validation

2010-06-16 Thread Chuck Anderson
On Wed, Jun 16, 2010 at 02:18:21PM +0530, rams wrote: > Is there any tool available to check whether IPv6 addresses are correct or not? > Are the following IPv6 addresses valid or not? Short answer: use inet_pton() Longer answers: http://forums.dartware.com/viewtopic.php?t=452 http://www.perlmonks.org/?node_id=2

Re: Enforce EDNS

2017-02-07 Thread Chuck Anderson
On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote: > I really don't want to add new automatic work arounds for broken > servers but it requires people being willing to accepting that > lookups will fail. That manual work arounds will now have to > be done. e.g. "server ... { send-cookie