Re: Value of a DNSSEC validating resolver

2023-12-02 Thread G.W. Haywood
Hi there, On Sat, 2 Dec 2023, Mark Andrews wrote: On Fri, 1 Dec 2023, John Thurston wrote: > Can someone make a good case to me for continuing to perform DNSSEC > validation on my central resolvers? Think of a recursive server as a town water treatment plant. You could filter and treat at ever

Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-08 Thread G.W. Haywood
Hi there, On Fri, 8 Dec 2023, Fred Morris wrote: I welcome birds of a feather. Need to define / refine the problem statement first. ... ... Er, tweet! Up to my @$$ in alligators and can't afford the time to more than chime in here, but this is all absolutely fascinating. Fwiw I'd love to see

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread G.W. Haywood
Hi there, On Wed, 13 Dec 2023, Greg Choules wrote: If your server can reach the Internet it can recurse all on its own. And for extra information, I recommend you give the '+trace' option to dig. I hope that helps. Ditto. :) -- 73, Ged. -- Visit https://lists.isc.org/mailman/listinfo/bi

Re: BIND Upgrade

2024-02-16 Thread G.W. Haywood
Hi there, On Fri, 16 Feb 2024, Semra T?rkkal Nazl?mo?lu wrote: Our bind version seems below. How can we upgrade bind version? And if we upgrade bind version, is there any problem? Recently I upgraded from 9.11.26 (not 9.11.36) to 9.18.24 using the source from the ISC Website. It's a very sma

Re: Deprecated DSCP support

2024-02-29 Thread G.W. Haywood
Hi there, On Thu, 29 Feb 2024, Wolfgang Riedel wrote: In my case it's dscp 24 in named.conf ... If you don't set it, ... ns9:~# >>> man named.conf | grep dscp dscp ; // obsolete -- 73, Ged. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread G.W. Haywood
Hi there, On Fri, 1 Mar 2024, Matus UHLAR wrote: On 01.03.24 08:24, Ondřej Surý wrote: > The "sortlist" option allows to define a complicated rules when and > how to reorder the resource records in the responses. The same > caveats as with the "rrset-order" apply - relying on any specific > orde

Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread G.W. Haywood
Hi there, On Fri, 1 Mar 2024, Ondřej Surý wrote: On 26. 2. 2024, at 22:41, Al Whaley wrote: > A lot of pain and suffering in this world comes from people being > sure they have a 'better idea' and everybody needs to do whatever. > This feels a bit like that. ... ... ultimately, the developers

Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread G.W. Haywood
Hi there, On Fri, 1 Mar 2024, Petr Špaček wrote: On 01. 03. 24 12:23, G.W. Haywood wrote: ... Maybe the lesson here is that if you're using BIND other than because it happened to come with your distro, then it's probably a good idea to keep an eye on this list to monitor the

Re: MDLZ user activation

2024-06-07 Thread G.W. Haywood
Hi there, On Fri, 7 Jun 2024, Nick Tait wrote: ... Happy to share all the mail headers ... On the face of your description, this sounds like a spammer who has slightly more skill than usual. Another explanation is that you might have been targeted specifically, which could be more worrying.

Re: MDLZ user activation

2024-06-07 Thread G.W. Haywood
Hi there, On Fri, 7 Jun 2024, Marco Moock wrote: On 07.06.2024 at 10:58:27, G.W. Haywood wrote: > On the face of your description, this sounds like a spammer who has > slightly more skill than usual. The spammer simply used the name in From: after the Nick posted to the list) (Nic

Re: views-based RPZ

2024-08-24 Thread G.W. Haywood
Hi there, On Sat, 24 Aug 2024, Carlos Horowicz wrote: ... ... is there an algorithm in bind9 or out there that quickly maps a client IP address to a CIDR, e.g. a something like a binary tree quicksearch ? or balanced red-black tree ? I don't know if this is going to help, but we use IP to CID

Re: BIND statistics

2024-08-26 Thread G.W. Haywood
Hi there, On Mon, 26 Aug 2024, Greg Choules wrote: On Sun, 25 Aug 2024 at 21:06, Havard Eidnes via bind-users < I've started testing 9.20.x. ... firefox ... version 120.0... informs me ... This XML file does not appear to have any style information associated with it. The document tree i

RE: fermat primes and dnssec-keygen bug?

2012-03-08 Thread G.W. Haywood
Hi there, On Thu, 8 Mar 2012, Spain, Dr. Jeffry A. wrote: Other posts have alluded to the Debian openssl flaw reported in May 2008 (http://www.debian.org/security/2008/dsa-1571). This led to predictable random primes being used to generate RSA moduli ... Just in case anyone thinks that this i

Re: Recursive queries fail after bind has been running for a few hours

2012-03-13 Thread G.W. Haywood
Hi there, On Mon, Mar 12, 2012 at 12:05 PM, Mr X wrote: I'm having a bizarre issue with 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 - recursive queries stop functioning after bind has been running for a few hours. It's a very low volume system (dev), maybe a few queries per hour ... I saw so

Re: nslookup fails if missing PTR record for IPv6 DNS server.

2012-03-16 Thread G.W. Haywood
Hi there, On Fri, 16 Mar 2012, Matus UHLAR - fantomas wrote: the main problem is nslookup itself, and this is just one of reasons nslookup is not recommended for use. You didn't tell the OP what to use instead of nslookup! It's 'dig'. -- 73, Ged. ___

Re: Test

2012-03-18 Thread G.W. Haywood
Hi there, On Sun, 18 Mar 2012, Rob Leslie wrote: As the owner of the address forged by the sender, I am particularly annoyed. http://www.openspf.org/ -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe fr

Re: random-device purpose in DNSSEC

2012-05-10 Thread G.W. Haywood
Hi there, On Thu, 10 May 2012, Alexander Gurvitz wrote: What random device used for ? Cryptographic operations, loading libraries in random locations to avoid insidious attacks, that kind of thing. This bothers me as I'm implementing DNSSEC now, and I know that my systems are low at entropy

Re: limiting number of requests of a single hosts

2012-06-15 Thread G.W. Haywood
Hi there, On Fri, 15 Jun 2012, Holemans Wim wrote: ... Once or twice a day a DNS burst (20K requests/15sec) kills all connections on the firewall. Have you disabled firewall connection tracking for DNS requests? We have 6 dns servers (bind) on our campus, that are all authoritative for our

Re: Possible DDoS?

2012-10-18 Thread G.W. Haywood
Hi there, On Wed, 17 Oct 2012, Manson, John wrote: Does this rise to the level of a DDoS attack? 82 queries in a second is modest, but you're in US government and that IP is in China. Given the recent publicity, IMO that's probable cause. I blackhole IPs that behave like this. I

Re: ISC Bind in Active Directory

2012-10-18 Thread G.W. Haywood
Hi there, On Thu, 18 Oct 2012, bind-users-requ...@lists.isc.org wrote: ISC Bind in Active Directory (Aaron Thompson) I'm hopping Sometimes AD has that effect. :) to get some feedback from people who use ISC Bind and DHCPD in Active Directory environments. I've been working on a client's

Re: Need to improve named performance

2012-11-11 Thread G.W. Haywood
Hi there, On Sun, 11 Nov 2012, Ed LaFrance wrote: Running BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5 ... Somebody already said upgrade. Generally that's the first thing to do in a case like this (before asking on mailing lists:). The issue is that named is not keeping up with rdns requests. The

Re: Need to improve named performance

2012-11-12 Thread G.W. Haywood
Hi there, On Mon, 12 Nov 2012, Ed LaFrance wrote: ... No idea on ip_conntrack. How do I check and if so, what setting should I try and how do I do it? Look for something like /proc/sys/net/netfilter/ip_conntrack_tcp_timeout_established and cat it to the terminal. It will just be a number (

Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread G.W. Haywood
Hi there, On Wed, 14 Nov 2012, Phil Mayers wrote: On 14/11/12 15:39, Kevin Darcy wrote: > I stopped reading as soon as I saw the requirement to add a NetBIOS > name, being overpowered by the stench of obsolescence. Does anyone As per our recent thread, there's load of (recent, modern) stuff th

Re: broken ISP in china

2013-02-19 Thread G.W. Haywood
Hi there, On Mon, 18 Feb 2013, Vernon Schryver wrote: ... Recently I moved this domain(lcrcomputer.net) to a registrar that suports DNSSEC and inserted the DS record for this domain. I checked DNSSEC via http://dnsviz.net and http://dnssec-debugger.verisignlabs.com. Both show DNSSEC is

Re: spf ent txt records.

2013-03-13 Thread G.W. Haywood
Hi there, On Wed, 13 Mar 2013, hugo hugoo wrote: I received the following question and I am not able to answer as spf records are still mysterious to me. We are using BIND 9.7. Does our DNS-server support SPF-type records? Or do we put SPF-info in a TXT-record? My answers would be "Yes" an

Re: FW: CVE-2013-2266 Question

2013-03-28 Thread G.W. Haywood
Hi there, On Wed, 27 Mar 2013, Manson, John wrote: Does 'make clear' affect the running named No. The 'configure' step and the 'make' steps are respectively configuring the software source files for your environment before the build (more or less compile and link) process, and then the build

Re: listen-to clusterIP address

2013-06-05 Thread G.W. Haywood
Hi there, On Wed, 5 Jun 2013, paul wrote: I need to automatically listen to the new ip address without manual intervention. Listen on a virtual/alias whatever interface and forward ports from the real one(s)? -- 73, Ged. ___ Please visit https://

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-15 Thread G.W. Haywood
Hi there, On Fri, 14 Jun 2013, rfg wrote: [Quite a lot of off-topic stuff, which I've snipped.] For the avoidance of doubt, this is absolutely not a reply to any of Mr. Guilmette's posts, and I neither expect nor even want to see any reply from him. But I am on the digest list, so f

Re: SPF record with include:

2013-06-18 Thread G.W. Haywood
Hi there, On Tue, 18 Jun 2013, Julie Xu wrote: I be asked to add: include:otheremailsrv.otherdomain so the TXT records will be looked like: TXT "v=spf1 mx include:otheremailsrv.otherdomain ~all" Question, from my limited re

Re: bind 2.1a3 on centos 6.4

2013-06-21 Thread G.W. Haywood
Hi there, On Fri, 21 Jun 2013, Brian Cuttler wrote: # /usr/bin/nslint -ddd -c /etc/dns-source/named.conf-test nslint: doconf: opened /etc/dns-source/named.conf-test nslint: doconf: opened nslint.conf nslint: 0/131072 items used, 0 errors Problem - I know there are errors. It's late and I hav

Re: BIND Performance with Huge RPZ

2013-07-12 Thread G.W. Haywood
Hi there, On Fri, 12 Jul 2013, Arie L. Putra wrote: We are building a server for recursive DNS Server, this server will be acted as a cache for our network. (several user-side DNS Server will forward to this server) Using Ubuntu Server with latest BIND version, we are trying to have RPZ included

Re: New warning message...

2013-07-22 Thread G.W. Haywood
Hi there, On Mon, 22 Jul 2013, Jason Hellenthal wrote: It's exactly as it says... Instead of ... TXT "SPF ..." You now do ... SPF "SPF ..." Caution! The SPF record type is near enough dead. See in particular RFC6686 paragraph 5.6; paragraph 6.2; and Appendix A point 4. -- 73, Ged. __

Re: BIND 9.10.0b1 has been released.

2014-02-26 Thread G.W. Haywood
Hi there, On Wed, 26 Feb 2014, Michael McNally wrote: At ISC we are quite excited about the long list of new features and ... I don't want to rain on your parade, and I know that this is likely to be contentious, but I would just like to ask all at ISC (and I know it isn't necessary, but I'll

Re: dns firewall, proof of concept howto published, rpz. request for feedback

2014-05-11 Thread G.W. Haywood
Hi there, On Sun, 11 May 2014, Hans-Cees Speel wrote: Feedback is welcome! ... pdf at: https://app.younited.com/... Put it somewhere else? -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this lis

Re: Checking proper SPF record

2014-07-08 Thread G.W. Haywood
Hi there, On Tue, 8 Jul 2014, Alex wrote: ... Does this look correct? ... No, it's terrible. Drop a line over at the SPF-users mailing list, they'll sort you out. Use real names and addresses, then it's more than just a conjecture. This will all be published for the world to see anyway, so

Re: Checking proper SPF record

2014-07-09 Thread G.W. Haywood
Hi there, On Wed, 9 Jul 2014, Alex wrote: Thought I'd try this again. ... You'll get much better help on the right list. spf-h...@listbox.com -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this

Re: Log Monitoring

2014-08-07 Thread G.W. Haywood
Hi there, On Thu, 7 Aug 2014, Davis, Donald W wrote: I am looking for scripts that can be used to parse and monitor the DNS logs for suspicious activity. If Nagios didn't exist, I'd have to invent it: http://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS http://www.nagios.com/so

RE: sporatic, noaa.gov SERVFAIL

2015-01-30 Thread G.W. Haywood
Hi there, On Thu, 29 Jan 2015, Brad Bendily wrote: Any way for me to pinpoint the specific firewall? ping -s packetsize host or traceroute host packetsize ? -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsub

RE: unable-resolving (Mohammed Ejaz)

2015-03-09 Thread G.W. Haywood
Hi there, ... we have been receiving complain from our customer that they are unable to open the websites when they use our DNS server ... Does your server allow your customer to make recursive queries? ~$ dig @ns1.cyberia.net.sa www.jubileegroup.co.uk ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>>

Re: bind-users Digest, Vol 2085, Issue 1

2015-04-07 Thread G.W. Haywood
Hi there, On Tue, 7 Apr 2015, bind-users-requ...@lists.isc.org wrote: Message: 1 [Snip 51 lines] Message: 2 [Snip 75 lines] > Message: 1 [Snip 37 lines] > Message: 1 [Snip 45 lines] > Message: 2 [Snip 49 lines] > Message: 2 [Snip 16 lines] >> Message: 1 [Snip 49 lines] > Message:

Re: shutting up logs

2015-05-14 Thread G.W. Haywood
Hi there, On Fri, 15 May 2015, Reindl Harald wrote: On 15.05.2015 at 02:01, Nick Edwards wrote: > skipping nameserver 'ns5.concord.org' because it is a CNAME, while > resolving '210.128-25.119.138.63.in-addr.arpa/PTR' > > I have logs grow by about 30 megs a day with pretty much only this in >

Re: Again Crashed Bind

2015-12-03 Thread G.W. Haywood
Hi there, On Thu, 3 Dec 2015, Re: Again manasa.jamuna wrote: Bind version used is 9.6.2-P2. Named crashed ... No big surprise. I did a google search ... Did you look at the ISC Website? https://www.isc.org/downloads/ 9.6.x has been End Of Life for nearly two years. Upgrade. -- 73, Ge

Re: bind-users Digest, Vol 2277, Issue 1

2015-12-27 Thread G.W. Haywood
Hi there, On Sun, 27 Dec 2015, kev wrote: I am using bind9 with ubuntu 14.04. I was wondering how to log by individual IP. I've googled it but didn't find what I was looking for. Thanks, I find p0f is a very useful tool, and can be used for more than just OS fingerprinting. http://lcamtuf.core

Re: Allow-Query=any

2016-01-07 Thread G.W. Haywood
Hi there, On Thu, 7 Jan 2016, Reindl Harald wrote: ... when somebody wants a information which exists in the DNS he can ask for that information - unconditionally laptop3:~$ >>> dig -t any lloyds.co.uk ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk ;; global options: +cmd ;; Got a

Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow

2016-02-17 Thread G.W. Haywood
Hi there, On Wed, 17 Feb 2016, Dominique Jullier wrote: Are they any thoughts around, how to handle yesterday's glibc vulnerability[1][2] from the side bind? This is a glibc issue, not a bind issue. It makes no sense to attempt to fix the problem by modifying bind. Firstly, bind is not the

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread G.W. Haywood
Hi there, On Thu, 17 Mar 2016, Ron wrote: ... in this case it's a supplier who is unable to keeps his DNS servers working, and we just want to keep the connectivity. I'd just put something in /etc/hosts and send myself an email every month or so to remind me I'd done that. -- 73, Ged. ___

Re: *Reminder of the* L-Root IPv6 address renumbering

2016-03-22 Thread G.W. Haywood
Hi there, On Tue, 22 Mar 2016, Bob Harold wrote: I appreciate the announcement of the change ahead of time, but I don't feel like it is safe to update my root hints file based on an email ... Hint: the 'hints' file contains hints. :) https://deepthought.isc.org/article/AA-01309/0/Root-hints-

Re: installation issues

2016-05-08 Thread G.W. Haywood
Hi there, On Sun, 8 May 2016, Rajesh M wrote: i am getting error this is not a valid win32 application. I suspect that you've downloaded the wrong archive. Does the .zip file that you downloaded say 'x86' somewhere in its name? Try https://www.isc.org/downloads/file/bind-9-10-4/?version=wi

Re: Append a Hard-coded Text Tuple into Additional Section of "dig" Feature

2016-06-15 Thread G.W. Haywood
Hi there, On Wed, 15 Jun 2016, Jun Xiang X Tee wrote: ... I wish to append a hard-coded text tuple into end of the section. ... I think what you want to do sounds strange, but if I wanted to do something like that I would not modify an existing perfectly good utility. I would create a new o

RE: bind-users Digest, Vol 1727, Issue 1

2016-07-04 Thread G.W. Haywood
Hi there, On Mon, 4 Jul 2016, Amit Kumar Gupta wrote: [An entire digest message, which I've snipped] It would be extremely helpful to those of us on the digest list, and generally more polite, if you would NOT include in your posts to the list, simply in order to save yourself the time and ef

Re: Sending extra info in bind dns query packet

2016-07-14 Thread G.W. Haywood
Hi there, On Thu, 14 Jul 2016, Sachin Patil wrote: I am just looking into bind and want to send extra information while querying dns bind server. ... Is there an echo in here? -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bin

Re: outgoing-traffic

2016-07-26 Thread G.W. Haywood
Hi there, On Tue, 26 Jul 2016, Ejaz wrote: There is huge traffic coming out from my DNS server since yesterday and flooding the IP 212.107.121.110 ... Are you able to let us see your bind configuration? This might be IP spoofing, an attempted DOS attack on the IP. Is there any reason why

Re: error (broken trust chain) resolving

2010-12-18 Thread G.W. Haywood
Hi there, On Thu, 25 Nov 2010 Brian J. Murrell wrote: > I am going to bug report with said distro also as I hate varying from the > "working set" because it just causes possible future problems trying to bug > report with them. "you are not using the version we support, bla, bla, bla". > > So in

Re: auto update signatures dnssec

2010-12-29 Thread G.W. Haywood
Hi there, On Wed, 29 Dec 2010 Alan Clegg wrote: > In your named.conf, you should have "key-directory <...>;" defined. The > keys should be there (and readable by the named process). > > If you don't have a "key-directory" statement, then named will look in > the working directory from which the

Re: Dynamic zone...

2010-12-31 Thread G.W. Haywood
Hi there, On Fri, 31 Dec 2010 Jeff Justice wrote: > ... > I have a computer on a remote network that gets its IP dynamically > from the ISP. I need to always know where that computer is. > ... > if my main domain for our company were: > > abc.com > > then it would be nice to have: > > remote.abc

Re: I can't resolve one domain: nhs.uk

2011-06-17 Thread G.W. Haywood
Hi there, On Fri, 17 Jun 2011 Andrew Benton wrote: > I can't resolve one domain: nhs.uk laptop:~$ >>> whois nhs.uk Error for "nhs.uk". This domain cannot be registered because it contravenes the Nominet UK naming rules. The reason is: the domain name contains too few parts.

Re: SPF implementation schedule.

2011-07-12 Thread G.W. Haywood
Hi there, On Tue, 12 Jul 2011 kalpesh varyani wrote: > Looking at zytrix and spf2 sites, it seems that SPF is yet to be > implemented at functional level. If my understanding of that sentence is correct, then the sentence is not correct. SPF is implemented by (1) Publication of TXT or SPF reco

Re: about the dig

2011-07-19 Thread G.W. Haywood
Hi there, On Tue, 19 Jul 2011 wrote: > When I deleted all the entries in /etc/resolv.conf (I am using > Linux), dig can't work. > > I was thinking since dig is a standard resolver... man resolv.conf " If this file doesn't exist the only name server to be queried will be on the local machine

Re: MX choosing

2011-07-22 Thread G.W. Haywood
Hi there, On Fri, 22 Jul 2011 Tony Finch quoted the RFCs thus: > The question of whether a sender should attempt retries using the > different addresses of a multihomed host has been controversial. ... I know of at least one substantial organization which uses this kind of thing as part of its

Re: DNS Sinkhole in BIND

2011-10-27 Thread G.W. Haywood
Hi there, On Thu, 27 Oct 2011 Michelle Konzack wrote: > On 2011-10-17 13:28:43, you hacked down the following: > > > ... I found that setting up iptables to do drops for known bad > > IPs/ranges was slightly better as the traffic never gets to BIND > > ... > > Example rules for various IPs that

Re: nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed)

2011-11-18 Thread G.W. Haywood
Hi there, On Thu, 17 Nov 2011 Jeremy C. Reed wrote: > On Wed, 16 Nov 2011, Phil Mayers wrote: > > > > It might be good if bind were able to re-start itself, rather than dying > > outright (e.g. re-exec the process) but that is dangerous too; it's better > > done by an unrelated supervising process

Re: Exercising RFC 5011 rollovers

2011-11-26 Thread G.W. Haywood
Hi there, On Sat, 26 Nov 2011 Phil Mayers wrote: > Feature suggestion: some sort of synthetic clock option ... They say there's a thin line between genius and insanity. Did you just cross it? -- 73, Ged. ___ Please visit https://lists.isc.org/mailma

Re: Suspecious DNS queries dropped by Firewall

2011-12-14 Thread G.W. Haywood
Hi there, On Wed, 14 Dec 2011 babu dheen wrote: > Can you tell me list of URL which size exceed 514 bytes to verify > whether my internal server truncate/return failure code when query > such URL using UDP query? You really ought to be able to do this for yourself. Find any domain using DNSSEC

Re: bind-users Digest, Vol 1081, Issue 2

2012-01-04 Thread G.W. Haywood
Hi there, On Wed, 4 Jan 2012, With No Name wrote: Where can I find a HOWTO which tell me how to setup my Name Server correctly including DNSEC3 For learning things, HOWTOs are mostly useless. This book might be a good start, but it is some years old now: http://shop.oreilly.com/product/9780

Re: Old record audit/cleanup

2010-03-27 Thread G.W. Haywood
Hi there, On Fri, 26 Mar 2010 laura.l.ling wrote: > Other than enabling query logging and parsing the results, is there > a way to find out which records are not being 'used'? It depends on which records you're talking about. Presumably you mean those which could conceivably affect people on th

Re: what is a SPF (type 99) record and who do I implement?

2010-03-27 Thread G.W. Haywood
Hi there, On Wed, 24 Mar 2010 Security Admin (NetSec) wrote: > Struggled to find anything explicit on this subject via google The subject line should probably read "how..." not "who...". :) It seems that your first language is not English, and unfortunately that is a disadvantage, but you proba

Re: lookout timesouts

2016-09-19 Thread G.W. Haywood
Hi there, On Mon, 19 Sep 2016, bind-users-requ...@lists.isc.org wrote: We have a customer who has their own cache server, but in the afternoons before they close up for the day, they commit off-site backups, this process takes them about 90 mins, anyone trying to use the internet in this time f

Re: Multiple A Records - Followup Question

2016-10-02 Thread G.W. Haywood
Hi there, On Sun, 2 Oct 2016, Tim Daneliuk wrote: ... can a given *IP* appear in more than one A record? ... http://serverfault.com/questions/56539/dns-multiple-a-records-or-1-a-record-and-lots-of-cnames -- 73, Ged. ___ Please visit https://lists.

Re: BIND 9.11.0 RPZ performance issue

2016-10-17 Thread G.W. Haywood
Hi there, On Mon, 17 Oct 2016, Daniel Stirnimann wrote: I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND 9.11.0 and I notice timeouts for 3 - 5 seconds about every 1 to 5 hour. Something to do with dlv.isc.org? -- 73, Ged. ___

Re: Slow recursion with ipv6 enabled?

2016-11-19 Thread G.W. Haywood
Hi there, On Sat, 19 Nov 2016, Job wrote: on Bind 9.10 (latest version of this stable branch), i notice in some cases a relevant slowdown when resolving (for the first time) hostname, when named is launched with both ipv4 and ipv6. It use recursion to fetch for the first time the information a

Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

2017-01-12 Thread G.W. Haywood
Hi there, On Thu, 12 Jan 2017, Michael McNally wrote: ISC has issued new security releases of BIND today [..snip..] These are available via the http://www.isc.org/downloads web page: BIND 9.9.9-P5 BIND 9.10.4-P5 BIND 9.11.0-P2 ... I'm trying to get BIND 9.9.9-P5 from the downloads pag

Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

2017-01-12 Thread G.W. Haywood
Hello again, On Thu, 12 Jan 2017, Andrey Fanin wrote: On Thu, 12 Jan 2017, G.W. Haywood wrote: > On Thu, 12 Jan 2017, Michael McNally wrote: > > > ISC has issued new security releases of BIND today [..snip..] > > I'm trying to get BIND 9.9.9-P5 from the downloads pag

RE: Bind Queries log file format

2017-02-03 Thread G.W. Haywood
Hi there, For the avoidance of doubt, It seems to me that the stability of BIND has been improving over the last couple of years. Thank you. Keep it up. If I were hunting some rarely-seen fault condition, I think I'd write any output which is more useful for debugging than anything else to a s

Re: Enforce EDNS

2017-02-07 Thread G.W. Haywood
Hi there, On Tue, 7 Feb 2017, Mark Andrews wrote: I really don't want to add new automatic work arounds for broken servers but it requires people being willing to accepting that lookups will fail. That manual work arounds will now have to be done. e.g. "server ... { send-cookie no; };" +2 -

Re: Recognizing remote IP in shared connections

2017-02-28 Thread G.W. Haywood
Hi there, On Tue, 28 Feb 2017, Job wrote: for policies purpose, we need to know which remote site is resolving a Bind 9.x public DNS Server. The problem occurs when some carriers "share" the same IP address between more customers and they surf behind a shared NAT. Sounds like a trial. Is

Re: BIND 9 windows XP builds

2017-04-18 Thread G.W. Haywood
Hi there, On Tue, 18 Apr 2017, Evan Hunt wrote: ... I wanted to find out whether there's a reason for so many people to still be doing this -- even if it wasn't a very good reason -- before I cut them off. Personally I'm more than a bit surprised, and even a little offended that ISC still pro

Re: bind unexpectedly quit, how to debug

2017-05-09 Thread G.W. Haywood
Hi there, On Tue, 9 May 2017, Paul Seward wrote: ... I'm not so much asking for a fix as asking how I can find more information. ... grep '\(released\|security\)' bind-9.10.5/CHANGES | head -n 90 -- 73, Ged. ___ Please visit https://lists.isc.org/

Re: are you using lwres?

2017-05-19 Thread G.W. Haywood
Hi there, On Fri, 19 May 2017, Evan Hunt wrote: Do you run lwresd or named-with-lwres? Do you have code that links with liblwres? If so, please let me know. 8<-- mail6:~# >>> cat /etc/debian_version 8.7 mail6:~# >>> apt-get

Re: designing the DNS from the scratch

2017-07-09 Thread G.W. Haywood
Hi there, On Sun, 9 Jul 2017, Abdulhadi Ettwejiri wrote: Re: designing the DNS from the scratch we are ISP company , we are providing Internet to our customer, Recently one of our VIP customer ask for DNS service, and need the response time 3msec, we don't have enough knowledge of DNS ... Bu

Re: Question about DNSSEC

2024-10-31 Thread G.W. Haywood
Hi there, On Thu, 31 Oct 2024, Crist Clark wrote: Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) ww

Re: Zones list mask or wildcard

2024-11-27 Thread G.W. Haywood
Hi there, On Wed, 27 Nov 2024, Dimitry Bansikov wrote: ... I need to simplify adding and removing a domain so that it is enough to just add the zone file itself without editing the big list. Is this possible? I'm sure it's possible. If it were my "big list", and I could see no alternative bu

Re: cname for apex record

2024-12-24 Thread G.W. Haywood
Hi there, On Tue, 24 Dec 2024, Cuttler, Brian R (HEALTH) wrote: ... We are running bind 9.14.28 ... Just to point out that if this version number is correct, it's more than four years past its EOL. https://kb.isc.org/docs/bind-9-end-of-life-dates -- 73, Ged. -- Visit https://lists.isc.org

RE: cname for apex record

2024-12-24 Thread G.W. Haywood
Hello again, On Tue, 24 Dec 2024, Cuttler, Brian R (HEALTH) wrote: ... I think its to avoid re-writing the links in the web pages ... You can do that sort of thing on the fly. I'd probably be thinking along the lines of Apache and mod_rewrite (and showing my age:) https://httpd.apache.org/d

RE: cname for apex record

2024-12-24 Thread G.W. Haywood
Hello again, On Tue, 24 Dec 2024, Cuttler, Brian R (HEALTH) wrote: ... web developer wants to tell me they don't have any html ... Er, right. :) I'll look at those links, are you saying that they re-write them between the server reading the page source and sending the page/with anchors to t

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

2022-12-30 Thread G.W. Haywood via bind-users
Hi there, On Fri, 30 Dec 2022, Timothe Litt wrote: The problem is politics, not technology. Well there might be a little more to it than that. People just don't know. When my wife asked about the security of her bank's Website they told her, "Don't worry, if there's a little padlock in the

Re: General DNS / SPF question

2023-01-07 Thread G.W. Haywood via bind-users
Hi there, On Sat, 7 Jan 2023, Michael Muller wrote: This is my first time posting here, and I'm not sure if it's the right place or not to ask my question. This is a general DNS question, specifically, I think, SPF. Probably not really the right place but the SPF users' list has been a bit de

Re: General DNS / SPF question

2023-01-08 Thread G.W. Haywood via bind-users
Hi there, On Sun, 8 Jan 2023, Mark Andrews wrote: Please don't hijack an existing thread by replying to an existing message for a unrelated subject. It is bad form. Just create a new message and send it to bind-us...@isc.org. Oh, blast, I missed that, sorry. -- 73, Ged. -- Visit https://l

Re: General DNS / SPF question

2023-01-09 Thread G.W. Haywood via bind-users
Hi there, On Mon, 9 Jan 2023, Michael Muller wrote: Thanks for responding to my question. Again, if there's a better place to ask this question, I can go there. ... Taking this off list. -- 73, Ged. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list I

Re: consolidating in-addr.arpa data

2023-09-16 Thread G.W. Haywood via bind-users
Hi there, On Sat, 16 Sep 2023, John Thurston wrote: A host which auto-registers in MS DNS, creates an A in foo.alaska.gov and PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those. But the DNS system running on BIND also has a whatever.10.in-addr.arpa zone. So if I want to find

Re: consolidating in-addr.arpa data

2023-09-16 Thread G.W. Haywood via bind-users
Hi there, On Sat, 16 Sep 2023, Greg Choules wrote: On Sat, 16 Sep 2023, G.W. Haywood wrote: ... > Is there a reason not to split the /8 into two /9s or something like that? ... Although it is technically possible to do reverses on non-octet boundaries (for example, see https://www.ietf.org/

Re: Advice on balancing web traffic using geoip ACls

2020-02-23 Thread G.W. Haywood via bind-users
Hi there, On Sun, 23 Feb 2020, Scott A. Wozny wrote: Greetings BIND gurus, Sorry, I can't make any claim to be a BIND guru. ... webserver clusters hosted on the west and east coasts of the US and would like to use Bind 9.11.4 Hmmm. You might want to look e.g. at all the fixes since 9.11.

Re: recursive resolver

2020-03-12 Thread G.W. Haywood via bind-users
Hi there, On Thu, 12 Mar 2020, ShubhamGoyal wrote: we made a recursive resolver (Cent OS 7, 8GB RAM ,250 GB Hard disk and network speed is also good ) . It reply in 1200 msec and 1800 msec (which is very slow). if it gave Reply by Cache (80 msec or 76 msec). so i want to know about, How can i

Re: recursive resolver

2020-03-14 Thread G.W. Haywood via bind-users
Hi there, On Thu, 12 Mar 2020, G.W. Haywood wrote: On Thu, 12 Mar 2020, ShubhamGoyal wrote: How can i improve my recursive resolver speed. I wonder if you have some kind of networking misconfiguration which results in timeouts while BIND is waiting for responses. Perhaps you will learn

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread G.W. Haywood via bind-users
Hi there, On Wed, 1 Apr 2020, Petr Bena wrote: ... Is there any alternative to nsupdate, something that can work with XML or JSON payloads or provide output in such machine parseable format? ... If it's any help DNS::ZoneParse claims to be able to output XML - but I don't have any experience

Re: Does 'make uninstall' work?

2020-05-28 Thread G.W. Haywood via bind-users
Hi there, On Thu, 28 May 2020, Nyamkhand Buluukhuu wrote: ... Does 'make uninstall' command work? I have a source folder remained. Or do I need to compile a newer version with a different prefix and make a link? Which one is the safest way? If make uninstall doesn't work, how do you guys upgr

Re: BIND Masters and slaves

2020-06-15 Thread G.W. Haywood via bind-users
Hi there, On Mon, 15 Jun 2020, bind-users-requ...@lists.isc.org wrote - and wrote, and wrote: ... [all snipped] ... Please guys[1], stop it. -- 73, Ged. [1] The masculine embraces the feminine where the context permits. ___ Please visit https://li

Re: Steps to reload zone files automatically?

2020-07-01 Thread G.W. Haywood via bind-users
Hi there, On Wed, 1 Jul 2020, Harshith Mulky wrote: Is there an automatic way we could use reloading the zone files rather than using rndc reload or named restart? It should be trivial to implement this, but I'm not sure that I'd want to do it on a server of mine. We are running bind with v

Re: Bind 9.16.x won't start from systemd

2020-07-08 Thread G.W. Haywood via bind-users
Hi there, On Wed, 8 Jul 2020, Adrian van Bloois wrote: When I try to start bind 9.16.x from systemd it fails not being able to find something. When I start it straight from the CMD-line like: sudo /usr/local/sbin/named There is no problem and it works fine. What could be the problem??? syste

Re: NXDOMAIN problems

2020-11-17 Thread G.W. Haywood via bind-users
Hi there, On Tue, 17 Nov 2020, Boylan, Ross wrote: I have been experiencing NXDOMAIN errors ... ... There are a lot of complications. ... The remote machine is only accessible though VPN ... the nameserver ... is also accessible only through VPN ... The VPN connection has always been a bit to

Re: BIND through COPR after CentOS

2020-12-18 Thread G.W. Haywood via bind-users
Hi there, On Fri, 18 Dec 2020, Leroy Tennison wrote: ... switching from an rpm world to a deb world ... Not an enormous change but significant. Indeed. I'd suggest that if it's just about BIND, it's easier to grab the source and build it. That way you don't ever have to wait for the package
