On 05.12.2012 10:23, Daniele Imbrogino wrote:
I restarted BIND9 and then I tried, for example, 'dig www.apple.com'
obtaining "connection timed out; no servers could be reached".
But if I try 'dig @10.0.2.3 www.apple.com' it works correctly and I obtain
the correct answer.
Why? How can I resolve
On 05.12.2012 14:59, Daniele Imbrogino wrote:
resolv.conf contains only 127.0.0.1 as nameserver.
The syslog contains a lot of errors such as "insecurity proof failed", "no valid
RRSIG", "got insecure response" that I don't understand.
Your forwarder probably doesn't handle DNSSEC responses well. T
On 21.02.2013 19:20, Nikita Koshikov wrote:
I haven't tested this in detail but here's what I would try:
I'm trying to "cut" /24 network from the scope of /8 network, here is
example:
zone "11.2.10.in-addr.arpa" {
type forward;
forwarders { 192.168.1.
On 26.06.2014 22:53, Matthew Washington wrote:
> May 20 16:32:15 fortress named[6034]: error:260B6084:engine
> routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
> May 20 16:32:15 fortress named[6034]: error:2606A074:engine
> routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
> May 20 1
On 22.10.2014 12:30, IDS Submit wrote:
> with www.acer.it I have the same problem as swupdl.adobe.com
Indeed, I see the same on a BIND 9.10.1 resolver with SIT requests enabled:
> $ dig swupdl.wip4.adobe.com
[...]
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2510
[...]
> wip4.adobe.com.
On 30.07.2015 03:02, Mathew Ian Eis wrote:
> My reading of that article suggests the RFC compliant behavior is to preserve
> the case in the response, is this correct?
> https://deepthought.isc.org/article/AA-01113/0/Case-Insensitive-Response-Compression-May-Cause-Problems-With-Mixed-Case-Data-a
On 14.09.2010 19:32, cybers...@comcast.net wrote:
> Today I was given access to a Linux box on the Verizon network that is using
> their DNS server 71.252.0.12, which is affected by this problem.
Your nameserver software is case-sensitive where it s
> Were there "... more information on these developments early next week"?
I was just about to ask the same question. ;)
I noticed the absence of 9.7.2 on ftp.isc.org, read the announcement here a day
later and rolled back my 9.7.2rc1 servers to 9.7.1-P2.
It would be good to know the nature o
On 05.10.2010 20:35, Dotan Cohen wrote:
I think the problem is that your two servers return different
answers to the same question:
dig +norec sharingcenter.de ns @178.63.65.171:
> ;; ANSWER SECTION:
> sharingcenter.de. 86400 IN NS ns
Hi Stewart.
> SLAVE (10.5.0.6)
> transfer-source 10.5.0.5;
>
> zone "bard.edu" {
> masters { 10.5.0.5; };
> transfer-source 10.5.0.5;
transfer-source should probably be 10.5.0.6, not .5
> Jan 13 12:37:37 nsi1 named[21007]: zone bard.edu/IN
On 19.01.2011 15:59, Zbigniew Jasiński wrote:
> like i wrote in my previous email I've checked the journal file and
> there are updates with RRSIG records but still named is returning
> answers without signatures
Another thing you might check:
With
On 19.01.2011 22:13, Barry Finkel wrote:
> Is there a
> way on the master to run rndc and tell rndc which IP address to use?
rndc -h doesn't show it. The option is apparently only documented in the
man page:
-b source-address
Use source-address
On 24.01.2011 15:54, Paul Wouters wrote:
> I meant, if you have a zone example.tld. And tld. is not signed, but
> you have a testbed for a signed tld. at IP 1.2.3.4, if static-stub
> would allow you to configure a resolving bind to perform DNSSEC on
> 1.2.3.4 with a loaded trusted-key. So yes, the
On 18.03.2011 10:17, Marc Haber wrote:
> Which it doesn't in the "forward" setup, it just immediately returns NXDOMAIN.
Do you include zones.rfc1918 in your configuration? What SOA RR does the
NXDOMAIN return?
| zone "0.10.in-addr.arpa" {
| type forward;
| forwarders { 10.0.0.2; };
| };
I can't get my 9.8.0-P1 resolvers to crash. The response from the
federalreserve.gov servers looks strange, though:
dig +dnssec +ignore +norec federalreserve.gov soa @ns5.frb.gov
;; Warning: Message parser reports malformed message packet.
;; WARNING: Messages has 57 extra bytes at end
Hauke.
On 30.09.2011 03:32, 刘明星:) wrote:
> How does ISP use a proxy to filters answers and returns whatever they want to
> the customer?
BIND can do that for you with Response Policy Zones (DNS RPZ).
See
http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zone
On 29.09.2011 23:06, Bill Owens wrote:
> *except that perhaps those who enable this feature will use it as an excuse
> to avoid enabling validation, which would be a very bad result, IMO. . .
My reading of the docs says that BIND's NXDOMAIN redirections won't
break DNSSEC-signed results:
"If th
On 01.10.2011 00:09, Michelle Konzack wrote:
> I run my three NS with DNSSEC and now I have encountered that it has
> stopped maintaining the zone since September and has not changed to
> October.
Do you mean expired signatures or no signatures at all?
In the latter case, have you checke
On 01.10.2011 02:48, Jeff Reasoner wrote:
> Hmm, I see an A record using the same query:
> [foo@dns1 ~]$ dig +dnssec extended.nau.edu a
I get a SERVFAIL response for the first query and NXDOMAIN for
subsequent request:
named: client 127.0.0.1#54707: query: extended.nau.edu IN A +ED (127.0.0.1)
na
On 05.10.2011 12:58, Roberto Bosticardo wrote:
> If you ask a resolver/cache server running named the resolution of name
> "www.myspace.fr" it returns (SERVFAIL), if you ask the same to a
> dnscache server it correctly resolves to the ip address.
BIND doesn't like NS records resolving to CNAMEs:
On 10.11.2011 02:57, 风河 wrote:
> I have two server IPs, the A records for them are:
>
> mail.dnsbed.com.300 IN A 74.117.233.4
> mail.dnsbed.com.300 IN A 74.117.232.204
>
> The corresponding PTR records are:
>
> 4.233.117.74.in-addr.arpa. 36466 IN
Jan-Piet Mens wrote:
- Original message -
> Would you be willing to give us a few more details, such as the name of
> the USB random source generator (is it an Entropy Key) ?
>
> Of course, if you do tell us what hardware you're using, the next thing
> will be we'll want a copy of your
Hello.
I run a NSEC3-signed zone with many dynamic updates per day where
mailservers add RBL records and an hourly cronjob removes old entries.
Several times a day I see queries for nonexistent names in the zone fail.
A typical query might start like this:
| resolver: debug 1: createfetch: 17.2
Erik Lotspeich wrote:
> I have registered with the ISC's DLV registry. I am
> having trouble finding the best way for me to validate that my setup is
> working and that my zone validates.
dlv.isc.org doesn't list your keys yet. It can take a day or
On Fri, Jun 12, 2009 at 04:29:11 +0200, Hauke Lampe wrote:
> Future reference: Once .org completes their testing phase *and* your
> registrar allows you to register DS records for your domain, queries
> should also return AD when validated against the ITAR trust anchor
> reposito
Erik Lotspeich wrote:
> I now get the AD flag when querying external validating resolvers such
> as the ones you mention.
That's good.
May your signatures never expire and your keys always be valid.
> I believe that my BIND is configured properly to be a validating
> resolver as well:
>
> # dig
> --- 9.6.1 released ---
>
> 2607. [bug] named could incorrectly delete NSEC3 records for
> empty nodes when processing a update request.
> [RT #19749]
I installed 9.6.1 with a cleaned zone and the problem has not recurred.
Thank you
Scott Haneda wrote:
> $dig sugardimplesdesigns.com SOA @ns1.hostwizard.com +short
Do you block 53/tcp anywhere on the path to your nameserver?
It rejects TCP queries:
| dig +tcp sugardimplesdesigns.com SOA @ns1.hostwizard.com +short
| ;; Connection to 64.84.37.14#53(64.84.37.14) for
sugardimples
bsfin...@anl.gov wrote:
> There are problems accessing this domain from the Internet, and I cannot
> determine what the problem is. I have no trouble from Argonne, as the
> domain is slaved on all of my servers. I do not see any problem with
> the delegations, but I may be missing something. Wh
Hello John.
Cherney John-CJC030 wrote:
[rndc freeze ]
> Thanks! I hadn't tried that. I have a problem with that, though. I don't
> know which of my ~600 zones will or won't have dynamic updates.
Well, if there is a .jnl file for a zone, it needs to be flushed. A bit
of shell scripting can genera
Tech W. wrote:
> Can I ask how to call nsupdate in Perl language?
> I know some Perl but not good at it.
The documentation for Net::DNS::Update should get you started. Here's
one example:
use Net::DNS;
my $zone = "ixhash.bl.openchaos.org";
my $master = "nsig3.hauke-lampe.de.";
my $key_name =
Todd wrote:
> Yesterday I needed to flush the cache on a number of my servers, and I
> saw a big spike in queries recorded by the server in the "success"
> category. The spike was about 40% more than the usual traffic.
After a cache flush, the server has to re-fetch glue and nameserver
records fr
Joseph S D Yao wrote:
> It turned out that this latter file was needed, but for some
> inexplicable reason perhaps having to do with library routines [I have
> not gone chasing down the code], it ALSO wants the "mynet.private" file!
The nsupdate manpage mentions this behaviour in the "BUGS" sect
I am looking for way to disable DNSSEC lookaside validation for a given
zone. Would this be possible with BIND already or do I need to file a
feature request (and where)?
My reason is that we use a zone "example.net" for internal hosts, served
by an internal nameserver and configured as a "forwa
Mark Andrews wrote:
> In message <4a99abeb.7080...@hauke-lampe.de>, Hauke Lampe writes:
>> I am looking for way to disable DNSSEC lookaside validation for a given
>> zone.
>>
>> For any query to this zone, BIND tries to look up
>> example.net.dlv.isc.or
I currently explore the new DNSKEY metadata and dnssec-signzone -S with
BIND 9.7.0a3. This feature definitely helps making key management easier
and will motivate more operators to sign their zones. Thank you for that.
For this test, I created a zone with one manually timed KSK, one active
ZSK
Martin McCormick wrote:
> Is there a way using nsupdate to change a $origin directive in a
> zone file?
$origin is a preprocessor statement. It's not an attribute of a zone, so
you cannot change it directly.
When BIND writes zone files, it uses $origin to group records that share
a common base n
Gregory Hicks wrote:
> First, create a 'pipe' in the /var/log directory with the name of the
> logging file. (You probably want to do this in the named startup
> script.) Log absolutely EVERYTHING to the log file.
Your method reminds me that I wanted to take a look at rsyslog filters
for a whil
Niobos wrote:
> When requesting a lookup of "removed", I get a SERVFAIL as well. However,
> every subsequent request for "removed" gets an NXDOMAIN. (dig outputs below)
> Flushing the caches on the RR with "rndc flush" causes the first request to
> be a SERVFAIL again.
I cannot reproduce this b
Niobos wrote:
> As soon as I activate DLV (besides the manual SEP I entered), the "removed"
> behaviour changes:
> * First lookup still returns SERVFAIL
> * Subsequent lookups now return NXDOMAIN with the AD flag *set*! (log
> confirms that my domain is not in the DLV and hence is insecure)
Tha
[I finally gave up on trying to get Thunderbird *not* to wrap long
lines. Prefixing them with ">" seems to be the only way, even if confusing]
Niobos wrote:
>>> dig +dnssec removed.dnssec.dest-unreach.be
>> Even though I have added your DNSKEY as trusted key, I get SERVFAIL on
>> the first query
Autuori Gianluigi wrote:
> I'm using Bind9 and Ubuntu 8.04 kernel 2.6.24.
> Named runs as bind user and in my named.conf.local I wrote:
Ubuntu uses AppArmor (http://en.wikipedia.org/wiki/AppArmor)
You need to edit the profile for usr.sbin.named in /etc/apparmor.d/ if
you want named to write file
Michelle Konzack wrote:
> Jan 19 18:56:42 samba3 named[18333]: 19-Jan-2010 18:56:42.920 general: error:
> dns_master_load: /etc/bind/net.tamay-dogan.debian:18:
> lists.debian.tamay-dogan.net: CNAME and other data
> This give an error?
Yes. Look at line 18. lists is duplicate.
>> [ '/et
Stephane Bortzmeyer wrote:
> Sam Wilson wrote
>
>> Has anyone found any uz5* servers out there yet?
>
> Zero for opendns.com, dnscurve.org, etc.
One:
> dempsky.org. 259200 IN NS
> uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org.
> dempsky.org.
Stephane Bortzmeyer wrote:
> And strace (Debian/Linux box) shows that key files were opened only in
> read-only and no file was opened for writing:
>
> % strace dnssec-settime -f -v 3 Ktoto.fr.+008+42555 |& grep open
>
> Did anyone manage to use dnssec-settime -f ?
Yes. The key file format is
Stephane Bortzmeyer wrote:
> I cannot get the NSEC3 records through a BIND resolver if it is
> version <= 9.5:
>
> % dig +dnssec jhfgTCFGD564564.org
>
> If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was
> added in 9.6 but, for older BINDs, TYPE50 (NSEC3) shoul
Kevin Darcy wrote:
> But I believe the QTYPE was
> _originally_ intended to be a robust mechanism for fetching multiple
> RRsets at a time. It just didn't work out that way...
PowerDNS Recursor uses ANY to retrieve both A and records in one query:
http://lwn.net/Articles/275823/
| * Full IP
Mark Watts wrote:
> Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta:
> sync_keyzone:dns_journal_open -> unexpected error
Does named have permission to create files in the directory specified by
"directory" in the options block?
BIND uses an internal dynamic zone for RFC5011-u
On 05/09/2010 05:24 PM, Peter Janssen wrote:
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9
> The issue I have with this is, dig announces 9 additional section entries,
> while 3 A, 1 and 4 RRSIG, in my book sums up to 8.
The additional section also contains the EDNS
On 05/20/2010 09:10 PM, itservices88 wrote:
> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC
You seem to have a record for "." somewhere in your zone file.
Did you load the unsigned zone into BIND before? It should have logged a
warning about t
Ricardo Oliveira wrote:
> Did anyone configure/hack bind to reflect the IP address of the
> querying resolver as whoami.ultradns.net is doing?
I'd use scapy[1] and its AnsweringMachine module. It's probably easiest to use
and adapt, although quite slow.
BIND could possibly serve the fea
- Original message -
> example.com. IN SOA
[...]
> IN NS ns.example.com.
> IN MX 10 ns.example.com.
The A record for ns.example.com is missing from your zone.
> Will my proposed set up work on the "old
Greetings, everyone.
Now that the signed root is finally in production, how do I initialize BIND's
RFC5011 key management from the XML file published by IANA?
I downloaded the files and checked the PGP signature:
http://data.iana.org/root-anchors/root-anchors.xml
http://data.iana.org/root-anch
On 07/18/2010 12:01 AM, Stephane Bortzmeyer wrote:
>> you should add the -o option to wget, otherwise you may have a security risk
That should be "-O". In older versions of wget (1.10.2/Debian Etch),
this option does not work together with "-nc". The empty output file is
created first, therefor
- Original message -
> At present, I
> use the algorithm RSASHA-1 for DNSKEY, but I want to migrate RSASHA-1 to
> RSASHA-256; when I re-signed the zone, it failed. So I wonder whether DNSSEC
> supports migrating RSASHA-1 to RSASHA-256 smoothly?
Yes, it does. Smoothness depends on the tim
Dwayne Hottinger wrote:
> I made the entry for the new website's ip (174.143.193.47). But when
> I do a dig, it still comes back with 204.111.40.10.
From what I can see here, your ns1 returns SERVFAIL, while your ns2 still
serves an old zone with SOA serial 2009111201.
I'd suggest you look
Joachim Tingvold wrote:
> During initial startup of NS3, most zones get «tsig verify failure»,
> but some zones are successfully transferred. All zones use the same
> transfer-key.
> Could this be an issue with different BIND-versions, or are there
> other matters that could cause
On 18.08.2010 14:31, Phil Mayers wrote:
> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3