new here

2012-05-02 Thread David
Hello All, I am new here but have been watching the list for a while. I run a small WISP and we have just moved to a new carrier. They have provided us with a CIDR IPv4 block of /22 and a /23. I am trying to get my reverse DNS working correctly but they will not point their servers to my authorit

RE: Should Root Servers Always be Queried First? bind9.7.7

2012-11-07 Thread david
The +trace option ignores the resolver that you specify after the "@" sign, and begins at the root. -DTK -Original Message- From: bind-users-bounces+root=nachtmaus...@lists.isc.org [mailto:bind-users-bounces+root=nachtmaus...@lists.isc.org] On Behalf Of Martin McCormick Sent: Wednesda

Re: Make dig and nslookup DNSSEC aware?

2024-05-22 Thread David Farje
like libdns, ldns, or getdns. Cheers, David On Wed, May 22, 2024 at 7:47 AM Robert Wagner wrote: > Sorry if this has already been hashed through, but I cannot find anything > in the archive. Is there any chance someone can make dig and nslookup > DNSSEC aware and force it to use DoT or

Re: Counters for DNS transports?

2024-05-22 Thread David Farje
I frontend DoH and DoT traffic with nginx and use that for analytics/statistics. Cheers, David On Wed, May 22, 2024 at 11:08 AM Havard Eidnes via bind-users < bind-users@lists.isc.org> wrote: > Hi, > > I recently had reason to enable BIND 9.18.27 to do DoT and DoH > (done v

Re: rolling my own hints file

2024-06-26 Thread David Farje
to use my custom TLD server for the .net domain. Best Regards, David Farje On Wed, Jun 26, 2024 at 10:58 AM Cuttler, Brian R (HEALTH) via bind-users < bind-users@lists.isc.org> wrote: > Running Bind 9.18.18 on Ubuntu 22.04 > > > > We would like to use root servers within our o

Re: 9.18 horrendous

2024-08-23 Thread David Farje
Software problems make some people angry but they make me very happy. Some people are underpaid and work under tremendous pressure leading to anger. It's understandable. That being said, it's preposterous to complain about free software. On Fri, Aug 23, 2024 at 1:52 PM Tim Daneliuk wrote: > O

Re: 9.18 horrendous

2024-08-23 Thread David Farje
My kid would know better than to take free candy. And if he did he would know there is a risk involved for which only he would be responsible. On Fri, Aug 23, 2024 at 3:12 PM Marc wrote: > > > > That being said, it's preposterous to complain about free software. > > > > > > So if some store own

Re: 9.18 horrendous

2024-08-23 Thread David Farje
I get the point you're trying to make. I just don't think a volunteer crosswalk and a car accident is an appropriate analogy for open source software. The whole point of open source software is that you as a user get software for free and if something goes wrong you are free to collaborate to fix

Re: 9.18 horrendous

2024-08-23 Thread David Farje
Why not? It clearly shows that arguing this 'free' argument is a bit narrow. Because the scenarios are completely different. By using open source software you enter a legal contract. No that is not the point of open source software. The point of open source software is that the code is available

Re: Getting a formerr 'invalid response' for winqual.microsoft.com. but dig +trace works.

2012-02-08 Thread David Miller
On 2/8/2012 10:32 PM, Matt Doughty wrote: I have spent the afternoon trying to figure this out. The response I get back from their nameserver looks fine to me, and dig +trace works fine, but a regular dig returns a servfail. I have looked at the code for invalid response, but I don't quite follow

Gandi.net now supports DNSSEC

2012-02-27 Thread David Forrest
Today registrar gandi.net opened up a DNSSEC management page to allow user management of their respective tld DS records (.com anyway).. Kudos. Dave -- David Forrest e-mail drf @ maplepark.com Maple Park Development Corporation http://xen.maplepark.com St. Louis

BIND 9.9.0 Inline-Signing Out of Control

2012-03-02 Thread David Kreindler
When BIND 9.9.0 was released, we started converting our DNSSEC-signed zones to inline signing. Everything went smoothly with all but one of our zones ("pesky.zone", below). With that zone, after named signed it and completed an AXFR-style IXFR to each of four slaves, it proceeded to start repea

Re: BIND 9.9.0 Inline-Signing Out of Control

2012-03-05 Thread David Kreindler
he servers notifying each other? On 2 Mar 2012, at 5:13 PM, David Kreindler wrote: > When BIND 9.9.0 was released, we started converting our DNSSEC-signed zones > to inline signing. > > Everything went smoothly with all but one of our zones ("pesky.zone", below). > With t

Re: BIND 9.9.0 Inline-Signing Out of Control

2012-03-05 Thread David Kreindler
Thanks for the suggestion. After 48 sets of IXFRs and more than 1200 SOA serial increments, the system finished signing the zone. Manually incrementing the (unsigned) SOA serial now results in just one more set of IXFRs. It would have been helpful if somewhere in the documentation we were warn

Re: lame-servers and network unreachable errors

2012-03-05 Thread David Forrest
d by adding a category lame-servers { null; }; statement. -- David Forrest St. Louis, Missouri ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.or

Re: Anycast DNS

2012-03-07 Thread David Klein
> detect a named is down)? -- david t. klei

Re: Anycast DNS - LB/LTM

2012-03-10 Thread David Klein
> issue, stop the advertising? > > ------ > *From:* David Klein > *To:* ju wusuo > *Cc:* "bind-users@lists.isc.org" > *Sent:* Wednesday, March 7, 2012 11:18 PM > *Subject:* Re: Anycast DNS > > > You would need to create a custom scr

Re: ISC BIND 9.8.2 followup announcement

2012-04-10 Thread David Ford
fyi, DLZ external has been broken post 9.8.1p1. fails to compile with an undefined reference to main. both for 9.8.2 and 9.9.0 -david make[4]: Entering directory `/usr/vport/portage/net-dns/bind-9.9.0/work/bind-9.9.0/bin/tests/system/dlzexternal' /bin/sh /usr/vport/portage/net-dns

new here

2012-04-22 Thread David Milholen
; file "/var/named/localdomain.hosts"; }; zone "localhost" { type master; file "/var/named/localhost.hosts"; }; key rndc-key { algorithm hmac-md5; secret "wh6DFiuNGJHzHwvNTy8JEA=="; }; Here is my resolv.conf : nameser

gss-tsig updates where realm != zone

2012-05-29 Thread David Monro
erably also host/machine.krb5.realm@KRB5.REALM able to update machine.dns.domain, although the latter isn't vital. (I'm assuming host/machine.dns.domain@KRB5.REALM would work, but I'm not sure that is actually useful, and certainly won't work for

Re: logging to syslog on another host?

2012-05-30 Thread David Monro
functions. Cheers David On 30/05/12 19:46, Sten Carlsen wrote: > Hi > > I was considering to use the syslog on a different host for logging > from bind. The purpose was to collect logs from various places into > one repository. > > This is not a busy installation so perfor

Re: gss-tsig updates where realm != zone

2012-05-30 Thread David Monro
lly - my Vista test box appears to try and register records first, and if I deny the types, it never actually bothers trying to register A records. Is this behaviour other people have seen before? Cheers David On 29/05/12 23:38, Mark Andrews wrote: > If you need a different ma

Intermittent Zone Signing Failures

2012-06-02 Thread David Kreindler
Running BIND 9.9.1, 9.9.0 or 9.7.6 on AIX 5.2, we are experiencing intermittent failures signing zones, both with named and with dnssec-signzone. We first noticed the problem when BIND 9.9.1's inline signing resulted in zones with missing RRSIGs. When we turned off "auto-dnssec maintain" & "inl

Re: Intermittent Zone Signing Failures

2012-06-02 Thread David Kreindler
Switching from openssl-1.0.1 to openssl-0.9.8 seems to have fixed the problem. On 2 Jun 2012, at 9:57 AM, David Kreindler wrote: > Running BIND 9.9.1, 9.9.0 or 9.7.6 on AIX 5.2, we are experiencing > intermittent failures signing zones, both with named and with dnssec-signzone. > &

[ANNOUNCE] Netmagis 2.1.0 is released

2012-06-22 Thread Pierre DAVID
is available on http://netmagis.org/ FreeBSD ports and Debian/Ubuntu packages are also available on http://netmagis.org. See installation instructions. Pierre David & Jean Benoit & Sébastien Boggia

Re: Reverse zones best practices

2012-06-25 Thread David Dowdle
I strongly recommend splitting on /8 /16 and /24 boundaries. With the number of zones you are talking about, doing anything else will get very confusing very quickly. If a netblock is larger than a /24, put at the top and bottom of each /24 a comment like explaining what size it is For examp

Re: Duplicates in newsgroup gateway

2012-06-25 Thread David Ford
it's posted 2x, slightly different. To: comp.protocols.dns.b...@googlegroups.com To: comp-protocols-dns-b...@isc.org both cc the newsgroup -david On 06/25/2012 06:11 PM, Barry Margolin wrote: I read bind-users through the comp.protocols.dns.bind newsgroup. I'm seeing lots of dupli

Re: Loaded zone files query

2012-07-10 Thread David Dowdle
Actually, that gives the number of zones it's supposed to be serving. If, say, a zone hasn't been transferred yet, it'll still show in status (and will authoritatively answer nosuch* for it). As best as I can tell number of zones: X x=number of zones listed in named.conf + any automatically added zon

Re: Version statement...

2012-08-16 Thread David Miller
On 8/17/2012 1:13 AM, Jeff Justice wrote: > I am trying to mask our DNS servers version output to a custom string, but it > doesn't seem to be working for me. In a nutshell, I have added this to my > options block of my named.conf: > >version "[DNS Server]"; options { version "str

Improved SSL Error Logging [RT #29932]

2012-10-10 Thread David Kreindler
BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging. Unfortunately, our logs are now filling up with "RSA_verify failed" messages. How does one go about tracking down the source of these failures and correcting them? (We are running OpenSSL 1.0.1c.) __

DNS accept filter

2012-10-17 Thread David Malone
there is a full DNS request in the buffer. Named already tries to use FreeBSD's data-ready accept filter, but I've been using the patch below to make it use the DNS filter, if it is available. Would there be interest in taking this into the BIND tree? David. (Note, to use the filter, yo

squash 'client query (cache) denied' syslog entries

2012-10-18 Thread David Dowdle
Some of my external facing nameservers are under attack, and the biggest fallout is the machines going into iowait from logging all the client query denied syslog messages. Note: yes, recursion is turned off on these machines. The current logging is a very vanilla logging { catego
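An added example (not from the post above, and not BIND's own code) that does the triage a practitioner wants before deciding what to suppress: it parses the "query (cache) denied" lines named logs under the security category and counts them by source address and by query name/type, so a reflection flood (a handful of names, mostly ANY, from a few spoofed sources) stands out from ordinary misdirected clients. The log lines are constructed for the example; the pattern accepts both the older "client ip#port:" shape and the shape with the query name in parentheses after the client address.

```python
"""Triage of 'query (cache) denied' log lines from named.

Added example, not taken from the post or from BIND. The log lines are
constructed; the pattern accepts the two shapes named has used, with
and without the "(qname)" after the client address.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \((?P<name>[^)]*)\))?: query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied"
)

# Constructed sample: one flood source, one bystander, one unrelated line.
SAMPLE_LOG: List[str] = [
    "18-Oct-2012 09:12:01.101 security: info: client 198.51.100.7#53124 (example.org): query (cache) 'example.org/ANY/IN' denied",
    "18-Oct-2012 09:12:01.102 security: info: client 198.51.100.7#53125 (example.org): query (cache) 'example.org/ANY/IN' denied",
    "18-Oct-2012 09:12:01.103 security: info: client 203.0.113.9#40001 (example.org): query (cache) 'example.org/ANY/IN' denied",
    "18-Oct-2012 09:12:01.150 security: info: client 192.0.2.44#3323: query (cache) 'www.example.net/A/IN' denied",
    "18-Oct-2012 09:12:02.001 security: info: client 198.51.100.7#53126 (example.com): query (cache) 'example.com/ANY/IN' denied",
    "18-Oct-2012 09:12:02.002 notify: info: zone example.com/IN: sending notifies (serial 2012101801)",
]


def parse_denied(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per denied query; unrelated lines are skipped."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.groupdict()


def summarize_denied(lines: Iterable[str]) -> Dict[str, object]:
    """Count denials by source IP and by (qname, qtype); report the ANY share."""
    events = list(parse_denied(lines))
    by_ip = Counter(e["ip"] for e in events)
    by_query = Counter((e["qname"].lower(), e["qtype"].upper()) for e in events)
    any_count = sum(1 for e in events if e["qtype"].upper() == "ANY")
    return {
        "total": len(events),
        "by_ip": by_ip,
        "by_query": by_query,
        "any_share": any_count / len(events) if events else 0.0,
    }


if __name__ == "__main__":
    s = summarize_denied(SAMPLE_LOG)
    print(s["total"], "denied; top sources:", s["by_ip"].most_common(3))
    print("ANY share:", round(s["any_share"], 2), "top queries:", s["by_query"].most_common(3))
```

A high ANY share concentrated on a few names and a few source addresses is the reflection signature; the per-source counts are what you would hand to a firewall or rate limiter, rather than turning the category off blind.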

Re: Disable log message

2012-10-19 Thread David Miller
On 10/19/2012 11:57 PM, Chris Buxton wrote: > On Oct 19, 2012, at 6:22 PM, Warren Kumari wrote: >> On Oct 19, 2012, at 9:17 PM, "Michael Hoskins (michoski)" >> wrote: >>> -Original Message- On Oct 19, 2012, at 6:13 PM, Alan Clegg wrote: > > On Oct 18, 2012, at 1:13 PM

Re: Need to improve named performance

2012-11-12 Thread David Forrest
o have a logging statement of my choices. Dave -- David Forrest St. Louis, Missouri

Preference of Master Name Servers

2012-12-05 Thread David Hall
I have some questions and would really appreciate if someone would be able to assist. I just started a new job at a hosting company and am in a little bit over my head. Question 1: In our secondary / slave name servers we specify the master name servers in the normal manner: zone mysample.me.uk {

NSEC3/NSEC transition

2013-02-14 Thread David Sherman
Hi, If dynamic signing is used with BIND 9.8, what is the recommended procedure to switch from NSEC3-signed zone to NSEC-signed without changing existing DNSKEYs (currently RSA/SHA-512 algorithms are used for both ZSK and KSK)? Any specific options for dnssec-signzone? Thanks, David

RE: NSEC3/NSEC transition

2013-02-14 Thread David Sherman
Thank you, Mark. Is it safe to keep the -u option for dnssec-signzone in all cases, regardless of the current actual NSEC/NSEC3 chains? Thanks, David -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: February-14-13 3:23 PM To: David Sherman Cc: bind-us...@isc.org Subject: Re

RE: NSEC3/NSEC transition

2013-02-14 Thread David Sherman
Thank you Mark Regards, David -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: February-14-13 5:39 PM To: David Sherman Cc: bind-us...@isc.org Subject: Re: NSEC3/NSEC transition In message , David Sherman writes: > Thank you, Mark > > Is it safe to keep

Re: Free secondary servers supporting DNSSEC?

2013-02-17 Thread David Forrest
On Sun, 17 Feb 2013, Vernon Schryver wrote: In any case, some naming and shaming seems appropriate. Basic Naming and shaming seems excessive for a "free" service. Dave -- David Forrest St. Louis, Missouri

Re: broken ISP in china

2013-02-18 Thread David Forrest
stebin.com/S9LM6a59 Does your customer have an SPF record with old info (you show no TXT or SPF RRs)? Dave -- David Forrest St. Louis, Missouri

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread David Miller
On 06/13/2013 05:33 AM, Phil Mayers wrote: > On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote: > >> 1) If everyone on the planet were to somehow magically and >> immediately be >> converted over to DNSSEC tomorrow, then would DNS amplification attacks >> become a thing of the past, starting tomor

Re: long SPF txt record

2013-06-20 Thread David Miller
On 6/20/2013 1:13 PM, Koehler, Charles wrote: > Our email group wants to change the current SPF txt record and replace it > with one that is 274 characters. > > How can I put it in so that it works correctly? > > Thanks > --cwk From RFC 4408 ( http://www.ietf.org/rfc/rfc4408.txt ) 3.1.3. M
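As an added example (not from the reply above), the string handling RFC 4408 3.1.3 describes, in Python: a TXT record's rdata is a sequence of character-strings of at most 255 octets each, and a receiver concatenates them with no separators, so a 274-character policy is carried as two strings and is read back as one. The SPF policy below is constructed for the example and is longer than 255 characters on purpose; the functions split it, quote it for a master file, parse the quoted form back and rejoin it.

```python
"""Long TXT records: split into <=255-octet character-strings, quote,
parse and rejoin. Added example, not from the post; SPF_EXAMPLE is a
constructed policy."""
from typing import List

MAX_CHARACTER_STRING = 255   # wire form: 1 length byte + up to 255 octets

# Constructed SPF policy, deliberately longer than 255 characters.
SPF_EXAMPLE = (
    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 "
    "include:_spf.example.net include:_spf.mail.example.org "
    "include:spf.protection.example.com include:relay.example.net "
    "include:mailgun.example.org include:_spf.bulkmail.example.com "
    "include:servers.lists.example.net a mx ~all"
)


def split_txt(data: str, limit: int = MAX_CHARACTER_STRING) -> List[str]:
    """Cut the rdata into character-strings of at most `limit` octets."""
    raw = data.encode("ascii")   # SPF is ASCII; TXT rdata is octets
    if not raw:
        raise ValueError("TXT rdata needs at least one character-string")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def join_txt(chunks: List[str]) -> str:
    """RFC 4408 3.1.3 / RFC 7208 3.3: concatenate with no separators."""
    return "".join(chunks)


def quote_txt_rdata(chunks: List[str]) -> str:
    """Master-file presentation: each string double-quoted, \\ and \" escaped."""
    def quote(s: str) -> str:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return " ".join(quote(c) for c in chunks)


def parse_txt_rdata(rdata: str) -> List[str]:
    """Inverse of quote_txt_rdata (handles \\ and \" escapes, not \\DDD)."""
    chunks: List[str] = []
    i, n = 0, len(rdata)
    while i < n:
        if rdata[i].isspace():
            i += 1
            continue
        if rdata[i] != '"':
            raise ValueError("expected opening quote at offset %d" % i)
        i += 1
        buf: List[str] = []
        while True:
            if i >= n:
                raise ValueError("unterminated character-string")
            ch = rdata[i]
            if ch == "\\":
                if i + 1 >= n:
                    raise ValueError("dangling backslash")
                buf.append(rdata[i + 1])
                i += 2
            elif ch == '"':
                i += 1
                break
            else:
                buf.append(ch)
                i += 1
        chunks.append("".join(buf))
    return chunks


def rdata_wire_length(chunks: List[str]) -> int:
    """Octets on the wire: one length byte per string plus the data."""
    return sum(1 + len(c.encode("ascii")) for c in chunks)


if __name__ == "__main__":
    parts = split_txt(SPF_EXAMPLE)
    print("example.com. 3600 IN TXT " + quote_txt_rdata(parts))
```

The split point may fall inside a token; that is harmless because the receiver inserts nothing between strings. What breaks SPF is adding a space at the boundary by hand, which the quote/parse round trip above never does.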

[ANNOUNCE] Netmagis 2.2.0 is available

2013-06-26 Thread Pierre DAVID
thanks to all contributors and especially Schplurtz who has helped a lot to fix the last bugs ;-) Pierre David, Jean Benoit & Sébastien Boggia -- Netmagis is a complete application, which allows a network administr

BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

2013-07-06 Thread David Lam
set-order {order fixed;}; I have also tried upgrading the local BIND version to 9.9.3-P1 from 9.9.2-P1, but the behavior did not seem to have changed. Lastly, I could theoretically disable EDNS support in Windows 2008 R2 as a workaround and have these queries work (since disabling EDNS will al

Re: BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

2013-07-07 Thread David Lam
no; (setting dnssec-validation no; has no effect) Does anyone here have any thoughts? Thanks! David -- David Lam Security Administrator Information Educational Technology dav...@ucdavis.edu (530) 752-6971

Re: BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

2013-07-07 Thread David Lam
k our DNS servers would be to blame for this issue (which I half agree, due to the tampering of the order of the RRs by BIND9 returned). Now just hoping that there is a directive that we can use to maintain the authority section RRs' order. -- David Lam Security Administrator Information

Re: IPv4 not working reverse on > /24 cidr

2013-07-22 Thread David Forrest
ock. This was on the list a few days ago: https://dougbarton.us/DNS/2317.html Dave -- David Forrest St. Louis, Missouri
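An added example (not from any post on this page) that turns two pieces of advice in this index into code: split an allocation of /24 or shorter on octet boundaries, as the "Reverse zones best practices" post recommends (a /22 and a /23 like the ones in the "new here" question become four and two /24 zones), and delegate anything longer than /24 in the RFC 2317 style the link above describes. The nameserver name passed to `rfc2317_parent_records` is a placeholder.

```python
"""Reverse-zone planning for an IPv4 allocation.

Added example, not from any post on this page. Octet-aligned zones for
/24 and shorter; RFC 2317 classless delegation for longer prefixes."""
import ipaddress
from typing import List


def reverse_zones(prefix: str) -> List[str]:
    """in-addr.arpa zone names an operator would create for `prefix`."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    plen = net.prefixlen
    if plen < 8:
        raise ValueError("in-addr.arpa is delegated no shorter than /8")
    o = str(net.network_address).split(".")
    if plen > 24:
        # No whole octet to own: RFC 2317 sub-zone under the enclosing /24,
        # conventionally named <first address>/<prefix length>.
        return [f"{o[3]}/{plen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"]
    # Largest octet boundary that fits: /8, /16 or /24.
    boundary = 8 if plen == 8 else 16 if plen <= 16 else 24
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def rfc2317_parent_records(prefix: str, sub_zone_ns: List[str]) -> List[str]:
    """Records the /24 holder adds to its own zone for a sub-/24 customer:
    an NS set delegating the sub-zone, then one CNAME per address into it.
    Names are relative to the /24 zone. `sub_zone_ns` is the customer's
    nameserver list (placeholder names in the usage below)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation applies to /25 .. /31")
    (sub_zone,) = reverse_zones(prefix)
    label = sub_zone.split(".")[0]          # e.g. "64/26"
    records = [f"{label} IN NS {ns}" for ns in sub_zone_ns]
    for addr in net:                        # every address, network and broadcast included
        last = str(addr).split(".")[3]
        records.append(f"{last} IN CNAME {last}.{sub_zone}.")
    return records


if __name__ == "__main__":
    print(reverse_zones("203.0.112.0/22"))
    print(reverse_zones("203.0.116.0/23"))
    for line in rfc2317_parent_records("192.0.2.64/26", ["ns1.customer.example."])[:3]:
        print(line)
```

The customer then serves the sub-zone (`64/26.2.0.192.in-addr.arpa` in the usage above) with ordinary PTR records; a resolver following the CNAME from the /24 owner's zone lands on them.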

permissions for DNSSEC zone signing

2013-07-23 Thread David Newman
FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports What are the correct directory and file permissions for DNSSEC static zone signing with bind? By default, everything in /var/named/etc/namedb is owned by bind except for the master directory. For example: drwxr-xr-x bind wheel dynami

Re: permissions for DNSSEC zone signing

2013-07-23 Thread David Newman
On 7/23/13 3:44 PM, Mark Andrews wrote: > In message <51ef00af.4090...@networktest.com>, David Newman writes: >> FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports >> >> What are the correct directory and file permissions for DNSSEC static >> zone si

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-24 Thread David Newman
On 7/24/13 2:29 AM, Stephane Bortzmeyer wrote: > I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My > configuration is: > > options { > directory "/tmp/bind"; > key-directory "/tmp/bind"; Not sure if this is the problem, but have you tried with "managed-keys-directory" i

Re: How to get AD flag

2013-08-02 Thread David Newman
On 8/1/13 10:48 PM, rams wrote: > Thanks david, > This the response i get > dig +short rs.dns-oarc.net <http://rs.dns-oarc.net> txt @ > rst.x3827.rs.dns-oarc.net <http://rst.x3827.rs.dns-oarc.net>. > rst.x3837.x3827.rs.dns-oarc.net <http://rst.x3837.x3827.rs.dns-oarc

how-to configure BIND or any DNS implementation for cloud infrastructure

2013-08-30 Thread Odimegwu David
ul if my intentions are possible? Although, the domain name and zone administration recourses to me. With these constraints, is it possible for cloud DNS to be possible? I have this site in mind: polarhome.com, where i intend paying for server space. thanks odimegwu

Re: how-to configure BIND or any DNS implementation for cloud infrastructure

2013-08-30 Thread Odimegwu David
thanks. does cloudns use BIND or what do they use? Just found the site minutes after posting this question. thanks De : SUNDAY A. OLUTAYO À : Odimegwu David Envoyé le : Vendredi 30 août 2013 14h58 Objet : Re: how-to configure BIND or any DNS implementation

Registrars supporting DNSSEC + DS Records

2013-09-06 Thread David White
ld have an incentive. For now, my guess is there isn't much incentive (or they would already have done it). So, as a second question, why isn't there a demand? How can systems administrators raise awareness of DNSSEC and help create a demand? -- David White Founder & CEO * * *De

Can anyone help me resolve this named failure report

2013-09-17 Thread Odimegwu David
named error report named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled) Active: failed (Result: exit-code) since Wed, 11 Sep 2013 20:17:05 +0100; 13min ago Process: 1660 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, sta

Re: bind/sendmail resolving.. (NXDOMAIN)

2013-09-20 Thread David Miller
On 9/20/2013 7:28 PM, Mark Andrews wrote: > > In message <021501ceb653$ede37250$c9aa56f0$@leadmon.net>, "Howard Leadmon" > writ > es: >> This is probably easier than I am making it, but my googlefu seems to be >> failing me at the moment when I look around. I handle a batch of FreeBSD >> s

moving DNSSEC to a hidden master

2013-10-01 Thread David Newman
Is there a recommended order of operations when moving DNSSEC-enabled nameservers to a hidden-master setup? I'm hoping it's just as simple as moving all these files into place on the hidden master: *.key *.private managed-keys.bind *.jbk *.jnl *.signed *.signed.jnl If not, what do I need to do?

Re: moving DNSSEC to a hidden master

2013-10-01 Thread David Newman
On 10/1/13 2:16 PM, David Newman wrote: > Is there a recommended order of operations when moving DNSSEC-enabled > nameservers to a hidden-master setup? Actually, this is really a more general question: Is there a recommended order of operations when migrating zones between any two DNSSEC-e

Re: moving DNSSEC to a hidden master

2013-10-03 Thread David Newman
Thanks all for your responses. On 10/1/13 6:42 PM, Mark Andrews wrote: > As Alan said copy the .key and .private files over. > > Disable updating on the old master. > > Transfer the zone contents by setting up as a slave > using "masterfile-format text"; or using by using dig. > This will give y

Re: moving DNSSEC to a hidden master

2013-10-04 Thread David Newman
resume. > > On 04/10/13 02.12, David Newman wrote: >> Thanks all for your responses. >> >> On 10/1/13 6:42 PM, Mark Andrews wrote: >>> As Alan said copy the .key and .private files over. >>> >>> Disable updating on the old master. >>> >&

inactivating and deleting DNSSEC keys

2013-10-08 Thread David Newman
bind 9.9.4 How to troubleshoot issues when keys are supposed to be invalidated or deleted on specific dates, but aren't? In this case, a KSK was supposed to be inactivated on 29 September 2013 and deleted on 9 October 2013. From the .key file: ; This is a key-signing key, keyid 56989, for netw

Re: inactivating and deleting DNSSEC keys

2013-10-08 Thread David Newman
On 10/8/13 3:51 PM, Alan Clegg wrote: > > On Oct 8, 2013, at 6:42 PM, David Newman > wrote: > >> bind 9.9.4 >> >> How to troubleshoot issues when keys are supposed to be >> invalidated or deleted on specific dates, but aren't? >> >> In

Re: inactivating and deleting DNSSEC keys

2013-10-09 Thread David Newman
On 10/8/13 5:54 PM, Mark Andrews wrote: > In message <52548a5d.3070...@networktest.com>, David Newman writes: >> bind 9.9.4 >> >> How to troubleshoot issues when keys are supposed to be invalidated or >> deleted on specific dates, but aren't? >&g

Re: inactivating and deleting DNSSEC keys

2013-10-09 Thread David Newman
On 10/9/13 1:24 PM, Mark Andrews wrote: >> In UTC terms, we've already passed the key's deletion date. Can I >> retroactively extend the key's deletion date? > > Yes. The files are not removed. You will need to tell named to re-read > the .private file using "rndc signzone" after setting the ti
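An added example, not from the thread, for the troubleshooting step asked about in the "inactivating and deleting DNSSEC keys" posts above: named records key timing as YYYYMMDDHHMMSS in UTC in the ";" comment lines of each K*.key file, and a key's state at a given instant follows from comparing those timestamps with the current time. The key file below is constructed (the keyid and key material are not real). `state_at` takes a wall-clock reading plus a UTC offset, which reproduces the local-time versus UTC misreading discussed above: the same clock reading is "inactive" if taken as UTC and "deleted" if the operator was four hours behind UTC.

```python
"""Key timing metadata from a BIND K*.key file and the key's state at a
given instant. Added example, not from the thread; the key file below is
constructed (keyid and key material are not real)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict

SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 12345, for example.com.
; Created: 20130601000000 (Sat Jun  1 00:00:00 2013)
; Publish: 20130601000000 (Sat Jun  1 00:00:00 2013)
; Activate: 20130615000000 (Sat Jun 15 00:00:00 2013)
; Inactive: 20130929000000 (Sun Sep 29 00:00:00 2013)
; Delete: 20131009000000 (Wed Oct  9 00:00:00 2013)
example.com. IN DNSKEY 257 3 8 AwEAAbConstructedKeyMaterialNotARealKey==
"""

TIMING_RE = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s+(\d{14})")


def parse_timestamp(stamp: str, utc_offset_hours: int = 0) -> datetime:
    """YYYYMMDDHHMMSS as an aware datetime. named writes these in UTC (offset 0)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=tz)


def parse_key_timing(text: str) -> Dict[str, datetime]:
    """Event name -> UTC datetime, read from the comment header of a .key file."""
    timing: Dict[str, datetime] = {}
    for line in text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            timing[m.group(1)] = parse_timestamp(m.group(2))
    return timing


def key_state(timing: Dict[str, datetime], now: datetime) -> str:
    """The latest lifecycle event that has already happened decides the state."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime; naive local times are the usual confusion")
    for event, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                         ("Activate", "active"), ("Publish", "published")):
        when = timing.get(event)
        if when is not None and now >= when:
            return state
    return "unpublished"


def state_at(key_text: str, wall_clock: str, utc_offset_hours: int = 0) -> str:
    """State of the key when the operator's clock reads wall_clock in the given offset."""
    return key_state(parse_key_timing(key_text), parse_timestamp(wall_clock, utc_offset_hours))


if __name__ == "__main__":
    print({k: v.isoformat() for k, v in parse_key_timing(SAMPLE_KEY_FILE).items()})
    print("20:00 on 8 Oct read as UTC:  ", state_at(SAMPLE_KEY_FILE, "20131008200000"))
    print("20:00 on 8 Oct read as UTC-4:", state_at(SAMPLE_KEY_FILE, "20131008200000", -4))
```

The rule of thumb this encodes: convert the operator's clock to UTC before comparing it with anything in a .key or .private file, since named never consults the local zone.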

Re: Install DNS Server

2013-10-10 Thread David Newman
On 10/10/13 4:26 AM, Lightner, Jeff wrote: > CentOS does put > bug and security fixes in (or RedHat does and CentOS gets them because > they build from RHEL source) but you still end up with something very > old (BIND 9.3.x) that most folks on this list don’t want to talk about > because it is lon

Re: Need guidance on configuring DNSSEC

2013-10-11 Thread David Newman
On 10/11/13 7:32 AM, Vishal Gandhi wrote: > We are planning to sign local zone (fdu.local). Is it required to sign > the parent zone (fdu.edu ) as well or we can live with > it unsigned? > What are pros and cons of signing parent zone (fdu.edu )? DNSSEC is based o

Re: moving DNSSEC to a hidden master

2013-10-11 Thread David Newman
On 10/4/13 10:23 AM, David Newman wrote: > On 10/3/13 5:27 PM, Sten Carlsen wrote: >> This works for me and is the standard method: >> >> rndc freeze >> update serial >> rndc thaw > > Bingo. Thanks! Sorry, spoke too soon. I followed your instructions and

Re: moving DNSSEC to a hidden master

2013-10-13 Thread David Newman
On 10/13/13 1:34 AM, Alan Clegg wrote: > > On Oct 12, 2013, at 7:59 PM, Alan Clegg wrote: > >> >> On Oct 11, 2013, at 10:54 PM, David Newman >> wrote: >> >>> 4. "Check that the new server is w

Re: moving DNSSEC to a hidden master [SOLVED]

2013-10-14 Thread David Newman
Hi Alan, Thanks very much for your responses. Per my comments inline below, this actually wasn't broken to begin with, but I just wasn't seeing it. On 10/14/13 10:43 AM, Alan Clegg wrote: > > On Oct 13, 2013, at 9:03 PM, David

Re: moving DNSSEC to a hidden master [SOLVED]

2013-10-14 Thread David Newman
On 10/14/13 12:39 PM, Alan Clegg wrote: >> In this case, I started with a serial of 2013092700, incremented >> it to 2013092701, and reloaded. 'dig soa' would still return >> 2013092700. >> >> Problem is, bind logged the current serial number as 2013

DNSSEC and split DNS

2013-10-23 Thread David Newman
What is the recommended practice for adding DNSSEC to an environment that currently uses split DNS? Apologies as I'm sure this has come up before, but most discussion I found on bind-users was from 1999, and this isn't covered in the ARM. I did find this draft (not RFC) from 2007, but even the au

Re: DNSSEC and split DNS

2013-10-23 Thread David Newman
f trust, with no delegation from parent domains. True? Thanks again dn > > Mark > > In message <526857a2.8050...@networktest.com>, David Newman writes: >> What is the recommended practice for adding DNSSEC to an environment >> that currently uses split DNS? >>

Re: DNSSEC and split DNS

2013-10-25 Thread David Newman
On 10/23/13 5:20 PM, Mark Andrews wrote: > In message <5268626c.8040...@networktest.com>, David Newman writes: >> On 10/23/13 4:28 PM, Mark Andrews wrote: >>> You sign all versions of the zone. >>> >>> As for key management you can: >>

Re: DNSSEC and split DNS

2013-10-28 Thread David Newman
On 10/25/13 6:11 PM, David Newman wrote: > > > On 10/23/13 5:20 PM, Mark Andrews wrote: >> In message <5268626c.8040...@networktest.com>, David Newman writes: >>> On 10/23/13 4:28 PM, Mark Andrews wrote: >>>>You sign all versions of the zone.

Re: DNSSEC and split DNS

2013-10-28 Thread David Newman
On 10/28/13 1:46 PM, Mark Andrews wrote: > In message <526eba87.7040...@networktest.com>, David Newman writes: >> >>> 3. Another internal nameserver gets intermittent dig +dnssec errors on >>> queries for internal resources. Sometimes after a restart, the result is

Re: Help on DNSSEC

2013-11-06 Thread David Newman
On 11/6/13 1:06 AM, Steven Carr wrote: > Start with chapter 11.4 "The DNS Security Extensions" in DNS & BIND > http://www.amazon.com/DNS-BIND-5th-Edition-Cricket/dp/0596100574 Lucas' "DNSSEC Mastery" is also a useful resource, not only about DNSSEC concepts but also about required prep work and tr

Re: Does anyone have DNSSEC problem with uscg.mil

2013-11-14 Thread David Newman
On 11/14/13 1:29 PM, Kevin Oberman wrote: > Don't forget that Google will white-list domains with known (by them) > broken DNSSEC and reply even though validation is broken, so using > 8.8.8.8 for checking on whether validation is broken is not the best idea. Really? Google sets the ad flag for k

Re: Unable to transfer IPv4 reverse zone

2013-12-19 Thread David Forrest
ve root as you appear to do and serve your own 5.168.192.in-addr.arpa. as I do. I don't expect it to transfer out as it only has meaning in an internal view. Dave -- David Forrest e-mail: drf at maplepark dot com St. Louis, Missouri

Re: Adding DS records

2013-12-20 Thread David Forrest
2+gbpewo646pneaDVnaqnYrx2C4fiwedfiJMIhcx9 xAxgH0fG7TZ7zEJOUwCITlWkj1lrU4rH0xVNQaQKYez2pcF+CnGJzy7C A4SYBRdVXAU/slxu56ahvi7GNS7PHkGJiUVUJh65iEpS2HY3qOdv3CUn jRA= (...) -- David Forrest St. Louis, Missouri

Re: rndc addzone gets permission denied

2014-01-12 Thread David Forrest
I slaved the root zone without a file statement in my named.conf for the slaved file and it worked. I added the file statement later to my named.conf as I wanted a local copy for quicker startup. I think I may have touched the file to get it started though. When I finally looked at it, I foun

Re: rndc addzone gets permission denied

2014-01-12 Thread David Forrest
outines and not named itself. Dave -- David Forrest St. Louis, Missouri

Re: dumping master file: tmp-xxx: open: permission denied

2014-01-14 Thread David Forrest
It can get quite confusing and I have found that just using full paths on all zone files just cuts out any question. Usually the slave server will get a new copy master fairly quickly if you don't save it but it is cleaner if it has a fairly recent copy locally.

Re: dumping master file: tmp-xxx: open: permission denied

2014-01-14 Thread David Forrest
On Tue, 14 Jan 2014, LuKreme wrote: On 14 Jan 2014, at 09:02 , David Forrest wrote: On Tue, 14 Jan 2014, LuKreme wrote: On 13 Jan 2014, at 20:36 , Mark Andrews wrote: In message <8919443e-8f62-48cd-8da4-9c9632fc5...@kreme.com>, LuKreme writes: OK, I am getting this error &q

DNSSEC and upgrading/restoring

2014-01-23 Thread David Newman
Are there any recommended practices/config changes needed when upgrading or restoring a bind 9.9.4 server using DNSSEC inline signing and auto maintain? Asking specifically about upgrading a server running on NanoBSD, but this question is really about upgrading or restoring any DNSSEC server with

Re: DNSSEC and upgrading/restoring

2014-01-27 Thread David Newman
for multiple domains. I'm concerned about keeping keys, serial numbers, and any other dynamic info in sync. Thanks! dn On 1/23/14 10:16 AM, David Newman wrote: > Are there any recommended practices/config changes needed when upgrading > or restoring a bind 9.9.4 server using DN

Re: DNSSEC and upgrading/restoring

2014-01-30 Thread David Newman
On 1/28/14 3:49 AM, Alan Clegg wrote: > > On Jan 27, 2014, at 7:32 PM, David Newman > wrote: > >> Asking again, in a different and more generic form: When >> rebuilding a bind 9.9.4 server running DNSSEC with auto maintain,

Re: DNSSEC and upgrading/restoring

2014-01-31 Thread David Newman
On 1/31/14 3:10 AM, Tony Finch wrote: >> 2. For five domains, the log contains signature-has-expired warnings. >> >> In all five cases, these are for NSEC3PARAM records. >> >> Is any action needed on my part, for example manually doing NSEC3 >> signing of these zones? > > See if named has already

Re: DNSSEC and upgrading/restoring

2014-01-31 Thread David Newman
On 1/31/14 10:35 AM, Tony Finch wrote: > David Newman wrote: >> >> What action, if any, is needed? > > Does rndc sign make it wake up? Alas, no. There are a bunch of successful IXFR messages to slave servers but the dates in that NSEC3PARAM RRSIG did not change. >
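For the signature-has-expired warnings discussed in the "DNSSEC and upgrading/restoring" thread above, an added example (not from the thread and not from BIND) that audits RRSIG validity windows in a signed zone's text form: it coalesces parenthesised multi-line records, reads the expiration and inception fields (YYYYMMDDHHMMSS, UTC) and flags each signature as expired, expiring within a warning window, not yet valid, or ok. The zone text is constructed and the signature data is not real; the parser assumes owner, TTL and class are all present on each record, as dnssec-signzone writes them.

```python
"""Audit RRSIG validity windows in a signed zone's text form.

Added example, not from the thread or from BIND. The zone text is
constructed and its signature data is not real. Assumes owner, TTL and
class are present on every record, as dnssec-signzone writes them."""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

SAMPLE_SIGNED_ZONE = """\
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. 2014013001 7200 3600 1209600 3600
example.com.     3600 IN RRSIG SOA 8 2 3600 20140228000000 20140129000000 12345 example.com. (
                               Y29uc3RydWN0ZWQgc2lnbmF0dXJlIGJ5dGVz )
example.com.        0 IN NSEC3PARAM 1 0 10 AABBCCDD
example.com.        0 IN RRSIG NSEC3PARAM 8 2 0 20140115000000 20131216000000 12345 example.com. (
                               Y29uc3RydWN0ZWQgc2lnbmF0dXJlIGJ5dGVz )
www.example.com. 3600 IN A     192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20140203000000 20140104000000 12345 example.com. Y29uc3RydWN0ZWQ= ; constructed
"""


def coalesce_records(zone_text: str) -> List[str]:
    """Join parenthesised multi-line records into one line each; drop ';' comments."""
    records: List[str] = []
    buf: List[str] = []
    depth = 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]      # safe here: RRSIG lines carry no quoted strings
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            fields = " ".join(buf).split()
            if fields:
                records.append(" ".join(fields))
            buf, depth = [], 0
    return records


def parse_time(stamp: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_rrsigs(zone_text: str, now_stamp: str, warn_days: int = 7) -> List[Tuple[str, str, str, str]]:
    """Return (owner, covered type, expiration, status) for every RRSIG in the zone."""
    now = parse_time(now_stamp)
    result = []
    for rec in coalesce_records(zone_text):
        f = rec.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception keytag signer sig...
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        expiration, inception = parse_time(f[8]), parse_time(f[9])
        if now < inception:
            status = "not-yet-valid"
        elif now >= expiration:
            status = "expired"
        elif expiration - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        result.append((f[0], f[4], f[8], status))
    return result


if __name__ == "__main__":
    for row in audit_rrsigs(SAMPLE_SIGNED_ZONE, "20140131000000"):
        print(*row)
```

Run against the output of `dig axfr` or the `.signed` file on disk, the "expired" rows tell you which RRsets named has not re-signed; in the constructed zone it is the NSEC3PARAM signature, which is the case the thread describes.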

Re: DNSSEC and upgrading/restoring

2014-02-04 Thread David Newman
On 2/2/14 5:39 AM, Tony Finch wrote: > David Newman wrote: >> On 1/31/14 10:35 AM, Tony Finch wrote: >>> David Newman wrote: >>>> >>>> What action, if any, is needed? >>> >>> Does rndc sign make it wake up? >> >> Alas, n

changing NSEC3 salt

2014-02-05 Thread David Newman
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes. Is this just a matter of a new 'rndc signing' command, or is some action needed to remove the old salt? thanks dn

Re: changing NSEC3 salt

2014-02-11 Thread David Newman
On 2/11/14 7:38 AM, Chris Thompson wrote: > On Feb 10 2014, Mark Andrews wrote: > >> In message <52f94ee2.7080...@ksu.edu>, "Lawrence K. Chen, P.Eng." writes: > [... snip ...] >>> On 02/06/14 15:07, Timothe Litt wrote: > [... snip ...] >>> > Note also the RFC 5155 recommendation: >>> >> The salt S
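An added example (not from the thread, and not BIND's code) of the RFC 5155 hashing that makes the salt matter in the two "changing NSEC3 salt" posts above: every NSEC3 owner name is the iterated SHA-1 of the canonical wire-form name with the salt appended, so a new salt changes every hashed owner and the whole chain has to be rebuilt, which is why a salt change is tied to a re-signing event rather than to a single record edit. The apex hash for `example` with salt `aabbccdd` and 12 iterations matches the RFC 5155 Appendix A example zone; the other names passed to `nsec3_chain` are constructed.

```python
"""NSEC3 owner-name hashing and chain construction (RFC 5155 section 5).

Added example, not from the thread or from BIND. Only SHA-1 (hash
algorithm 1) is defined for NSEC3, so that is all this implements."""
import hashlib
from typing import List, Tuple

B32HEX_ALPHABET = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 base32hex, lowercase


def base32hex(data: bytes) -> str:
    """Unpadded base32hex; SHA-1's 160 bits are 32 symbols exactly."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 6.2): lowercase labels, length-prefixed, root byte."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # `iterations` extra rounds beyond the first
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names: List[str], salt_hex: str, iterations: int) -> List[Tuple[str, str, str]]:
    """(hashed owner, next hashed owner, original name), sorted, last wrapping to first.
    base32hex preserves byte order, so sorting the strings sorts the hashes."""
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)
    nxt = hashed[1:] + hashed[:1]
    return [(h, n_h, name) for (h, name), (n_h, _) in zip(hashed, nxt)]


if __name__ == "__main__":
    names = ["example", "a.example", "ns1.example", "x.y.w.example"]
    for salt in ("aabbccdd", "00112233"):
        print("salt", salt)
        for h, n_h, name in nsec3_chain(names, salt, 12):
            print(f"  {h} -> {n_h}  ({name})")
```

Printing the chain for two salts shows every hashed owner, and therefore every NSEC3 record and its RRSIG, changing; that is the work `rndc signing -nsec3param` with a new salt schedules, and why the old chain is replaced rather than patched.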

Re: BIND 9.10.0b1 has been released.

2014-02-26 Thread David Ford
e, 2017. DHCP 4.1-ESV is the oldest supported ESV, which will become unsupported in December of this year. 4.3 will be the next ESV version. 3.1-ESV and 4.0 were deprecated in 2010. -david

Controls statement BIND 9.10.0b2 CentOS6.5

2014-03-20 Thread David Forrest
dress in the /etc/rndc.key file, just the key. Dave -- David Forrest e-mail: drf at maplepark dot com Maple Park Development http://www.maplepark.com St. Louis, Missouri

Re: Controls statement BIND 9.10.0b2 CentOS6.5

2014-03-22 Thread David Forrest
Solved: Including the key was incorrect. This works fine: controls { inet ::1 allow { "localhost"; } ; Dave -- David Forrest St. Louis, Missouri

Re: Digging to the final IP

2014-10-21 Thread David Ford
# dig +noall +answer dave.knig.ht a|awk '/IN\tA\t/ {print $NF}' 216.235.14.46

Sometimes DNS does not resolv domains

2015-02-08 Thread David Woodfall
Hi I am running bind on slackware 14.1 x86_64 for my own websites, but also as a standard DNS for my other systems to use. I have my /etc/resolv on my laptop pointing at it. It's always worked flawlessly until a few months ago, when sometimes a domain would fail to resolve. Just occasionally. T

Re: Sometimes DNS does not resolv domains

2015-02-09 Thread David Woodfall
Tel.:+420.226204627 daniel.rysl...@dialtelecom.cz --- www.dialtelecom.cz Dial Telecom, a.s. Jednoduše se připojte --- On 02/08/2015 10:06 PM, Eliezer Croitoru wrote: Hey David, Do you have any logs enabled in you

nsupdate and views

2015-03-17 Thread David Covey
Hello all, I don't quite see how to dynamically manage multiple views of a zone. Specifically I have a zone name with both 'internal' and 'external' views that I'd like to manage with the nsupdate command. Is there a way to specify the zone+view using nsupdate?

Re: nsupdate and views

2015-03-17 Thread David Covey
Mark, Thanks. I found where this was discussed here previously (Jan. 2003); apologies for not being thorough. - David Covey Geophysical Institute, University of Alaska Fairbanks > To: David Covey > Cc: bind-us...@isc.org > From: Mark Andrews > Subject: Re: nsupda

do not stupidly delete ZSK files

2015-07-29 Thread David Newman
I created then loaded then deleted a ZSK, all within an hour, so there's no backup. Yes, that was a dumb thing to do. Now when reloading that zone, named.log complains about the missing ZSK: 29-Jul-2015 17:18:19.439 general: warning: dns_dnssec_keylistfromrdataset: error reading private key file
