On Sat, Mar 03, 2012 at 09:24:25AM +, MontyRee wrote:
> surely, I don't use ipv6 and "NETWORKING_IPV6=no" was configured at
> /etc/sysconfig/network file.
That doesn't prevent IPv6 from being autoconfigured on an interface,
it just tells the initscripts to ignore IPv6/pretend it doesn't exist
> I don't disagree that broadcast netbios probably should be disabled
> (though it's not at our site, for historical reasons, and I'm not
> sure I'm willing to take on the monumental task of disabling it).
>
> WINS is slightly different, and the main reason to disable it is
> that it hides misconf
On Mon, Feb 18, 2013 at 03:32:53PM -0500, Robert Moskowitz wrote:
> My registration is up for renewal; it expires 4/6/13 so this is a
> good time to move. But of course my domain is locked and I can't
> see on NS account page how to change that.
Dyn can probably help you with how to get NetSol to
What is the best way to disable RPZ for a few clients (without forcing
those clients to use different DNS server IPs)? I think I could
create a new view that has all the same zones and zone contents except
for the RPZ one. If I go this route, is it still required to set up
per-view IP aliases on
On Thu, Feb 06, 2014 at 09:50:26AM -0800, Doug Barton wrote:
> On 02/06/2014 06:27 AM, Chuck Anderson wrote:
> >I was kinda hoping that newer
> >versions of BIND could share zones (with identical zone contents)
> >between views without requiring the messy multiple IP alias
On Thu, Feb 06, 2014 at 02:49:03PM -0600, Jay Ford wrote:
> I like the "trick" of having view A pull the zone from the real master &
> notify view B, while view B pulls the zone locally from view A, using TSIG
> keys to indicate the "other" view for the notify & transfer.
>
> Adapting your config,
In the following two Best Practices documents, it is recommended to
disable stateful firewalls for DNS traffic (outbound on recursive
servers, and inbound on authoritative servers). Can people share
their Linux iptables configurations for how they have accomplished
this?
https://deepthought.isc.o
On Sat, Mar 01, 2014 at 03:35:25PM +, Phil Mayers wrote:
> The DNS-QUERY chain allows all traffic inbound to port 53 and
> fragments, and denies all other TCP/UDP. It permits all others,
> which is relatively open but you could lock this down to allowing
> ICMP etc. if you wanted.
>
> The DNS-
On Fri, Sep 05, 2014 at 08:04:05AM -0500, Reade Taylor wrote:
> I have a subdomain prod.mydomain.com today all of our internal resources
> that use this prod subdomain stopped being able to reach each other. I
> believe the issue is related to the release of .prod as a TLD. Is there a
> way I can
RFC 2181 section 5.2 says that differing TTLs in RRSet with the same
label/class/type should be deprecated with the behavior that an
authoritative server should reply with all the TTLs set to the lowest
TTL in the RRSet:
"Should an authoritative source send such a malformed RRSet, the client
shoul
On Thu, Sep 25, 2014 at 11:39:37AM +0200, Lars Hanke wrote:
> Now we decided to move our authentication to a samba4 based AD. This
> means that the AD runs yet another domain .ad.my.official.tld, which
> introduces a third name for those systems, which joined the domain.
> But not all systems are
For the second time (at least), an automatic BIND update on Scientific
Linux 6 (RHEL 6 clone) failed to restart the named process. The RPM
package runs this to restart:
postuninstall scriptlet (using /bin/sh):
/sbin/ldconfig
if [ "$1" -ge 1 ]; then
/sbin/service named try-restart >/dev/null 2>&
On Sat, Dec 13, 2014 at 11:05:52AM -0500, Chuck Anderson wrote:
> For the second time (at least), an automatic BIND update on Scientific
> Linux 6 (RHEL 6 clone) failed to restart the named process. The RPM
> package runs this to restart:
...
> Now I believe what is happening is &q
On Mon, Feb 09, 2015 at 01:03:51PM +, Phil Mayers wrote:
> On 09/02/15 13:00, Reindl Harald wrote:
> >
> >On 09.02.2015 at 13:33, Phil Mayers wrote:
> >>On 09/02/15 01:29, Carl Byington wrote:
> >>>On Sun, 2015-02-08 at 16:10 +0200, Eliezer Croitoru wrote:
> I had some issues in some old v
Perhaps you should update the OS to RHEL 6.5 or 6.6 which may have a
newer BIND? Or at least grab the latest RHEL or CentOS package from
6.5 or 6.6 and install it on RHEL 6.0. Or if you don't want to use
the Red Hat patched version and want the absolute latest version, get
the RPM from here:
htt
Fedora Core 6 is no longer supported. It went End-Of-Life in 2007:
http://en.wikipedia.org/wiki/Fedora_%28operating_system%29#Releases
On Mon, Feb 16, 2015 at 10:16:37AM -0500, Sundram Bharti wrote:
> Hi Team,
>
> My DNS current version is "BIND 9.8.4-P1" and OS is "Fedora Core
> release 6 (Zod
I have load balancers (I know, run away now) acting as authoritative
servers for a GSLB zone. The sub-zone is delegated properly from my
main zone which runs BIND. All my clients are using the BIND server
as their caching resolver.
Every once in a while, my mail server gets back a 'NOANSWER' for
I forgot to mention, this is on RHEL 6.6's package of bind, named -V
returned "BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2", so I don't
think 9.10's prefetch feature is involved.
On Wed, Apr 08, 2015 at 03:25:16PM -0400, Chuck Anderson wrote:
> I have load balancers (
On Wed, Apr 08, 2015 at 03:58:00PM -0400, Barry Margolin wrote:
> In article ,
> Chuck Anderson wrote:
> > 1. On TTL expiry, BIND sends an 'ANY' query for the RR in question to
> >the authoritative servers for the zone (load balancers). This
> >h
On Thu, Apr 09, 2015 at 12:31:14PM +0100, Phil Mayers wrote:
> On 08/04/15 22:00, Chuck Anderson wrote:
>
> >No, you are right. My filtered view of the packet capture was missing
> >the fact that another unrelated client did an 'ANY' query. I found it
> >in th
I'm not sure keeping "dnssec-enable yes" is a good idea, because you
are creating a fake root zone and you won't have the real root keys to
sign answers with.
The best way I've found to allow some DNS queries to resolve to their
regular answers is to create a forward-only zone. That way you don't
On Wed, Mar 23, 2016 at 01:51:58PM +, Tony Finch wrote:
> Lightner, Jeff wrote:
> >
> > With systemd the methodology isn't that BIND notifies other things that
> > it is up. It is that other things, if dependent upon BIND, have in
> > their systemd files a requirement that BIND be up before t
I'm using bind-9.5.1-P3 (yes, I know it's old). I have a zone in
multiple views. When I update the zone and reload, the "match-clients
{ any }" view sees new DNS records right away, but another view
doesn't see them for "a while".
Given this configuration:
view "global" {
match-clien
It was pointed out to me that order of views matters, and indeed I do
have the correct order in my config--I just pasted it out of order in
my original email. Here is the corrected version where I still have
this problem.
On Mon, Jan 10, 2011 at 03:09:40PM -0500, Chuck Anderson wrote:
>
On Mon, Jan 16, 2012 at 01:13:44PM +0100, Tom Schmitt wrote:
>
> Original Message
> > Date: Mon, 16 Jan 2012 11:49:46 +0100
> > From: Roel Wagenaar
> > Subject: Re: Defense against a client?
>
> >
> > In this case iptables is your friend.
> >
> > One of my solutions is part
On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote:
> * Chuck Anderson:
>
> > Unfortunately, these sorts of per-IP limiting are going to become more
> > and more inappropriate with the likes of Carrier Grade NATs, since
> > there will be many subscribers sh
On Mon, Dec 28, 2009 at 07:56:56AM -0800, Pamela Rock wrote:
> I posted this query a while ago but have not yet been able to resolve the
> issue...
>
> I have a DNS server and client that can ping each other using ping6. The
> following query works:
>
> dig -6 test.com +notcp
>
> When I quer
On Tue, Apr 27, 2010 at 07:40:20PM -0600, ic.nssip wrote:
> I hope somebody can tell me why I'm getting so many "DNS format
> error" on a DNS Server running BIND 9.7.0 on a Solaris 10 machine.
> The server is resolving fine queries for normal traffic. Is just
> syslog that gets tons of messages
On Wed, Jun 16, 2010 at 02:18:21PM +0530, rams wrote:
> Is there any tool available for IPv6 addresses correct or not.
> The following IPv6 addresses is valid or not?
Short answer: use inet_pton()
Longer answers:
http://forums.dartware.com/viewtopic.php?t=452
http://www.perlmonks.org/?node_id=2
On Tue, Feb 07, 2017 at 11:59:39AM +1100, Mark Andrews wrote:
> I really don't want to add new automatic work arounds for broken
> servers but it requires people being willing to accept that
> lookups will fail. That manual work arounds will now have to
> be done. e.g. "server ... { send-cookie