Re: Can not query localhost

2023-01-13 Thread Marco
On 13.01.2023, David Carvalho via bind-users wrote: > I get SERVFAIL when querying outside my domain. Have you enabled an ACL that allows any IP address to query your public zones? You can only restrict recursive requests to your own IP addresses. -- Visit https://lists.isc.org/mailman/listin

Re: Resolving and caching illegal names

2023-01-24 Thread Marco
On 24.01.2023 at 12:15:58, John Thurston wrote: > This comes up because my "resolvers" don't actually resolve. All they > are allowed to do is forward external queries to Akamai, and accept > the response from Akamai. And Akamai (thank you very much), is happy > to accept queries like "What

Re: filter-a and dns64 in a ipv6-only network

2023-01-31 Thread Marco
On 31.01.2023 at 19:52:11, Thomas Schäfer wrote: > On Monday, 30 January 2023, 23:12:53 CET, Mark Andrews wrote: > > Do you want a correctly operating DNS64 server or do you want to > > filter all A records? They are mutually exclusive requirements. > > Please read RFC 6147 to understand wh

Re: DNS DDoS protection

2023-02-24 Thread Marco
On 24.02.2023 at 13:25:40, Bob Harold wrote: > Before answering this question, can you tell me the proper place > where I should be asking this question? > > "We are researching DDoS protection, including DNS. What companies or > products or methods should I be looking at?" If it is about

Re: DNS DDoS protection

2023-02-24 Thread Marco
On 24.02.2023 at 20:09:15, King, Harold Clyde (Hal) wrote: > I would like to hear the latest configurations for BIND to help with > DDoS. There are some basic configurations: Allow recursion only for your own networks - not for the global internet, to avoid amplification attacks and to avoid recurs

Re: help with notify

2023-04-17 Thread Marco
On 17.04.2023 at 08:59:29, Matt Zagrabelny via bind-users wrote: > I'm running a little older Debian bind: > > bind9 1:9.9.5.dfsg-9 Then upgrade your OS, stretch already has 9.10 and that is very old.

Re: Permission issue ¿?

2023-06-22 Thread Marco
On 22.06.2023 at 11:47:50, Daniel Armando Rodriguez via bind-users wrote: > drwxr-sr-x   4 root bind 4,0K jun 22 11:17 . That means that the group bind is not allowed to write into that directory.

Re: help me with the ipv6 PTR generation

2023-08-23 Thread Marco
On 23.08.2023 23:13, Cesar Augusto Camacho Sierra wrote: > I am looking to generate IPv6 PTR records in a specific format for my > BIND 9 server. The desired format is [insert format]. I've tried > [describe any approach you've tried], but I'm having a hard time > getting it done. Could anyone pr

Re: help me with the ipv6 PTR generation

2023-08-24 Thread Marco
On 24.08.2023, Jan-Piet Mens wrote: > easier said than done, for some of us. I use BIND's arpaname(1) > utility which does the work for me: > > $ arpaname 2001:db8::1 > 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA Thanks for telling me. I used dig and extracted the

Re: Local network IPv6 addresses

2023-09-03 Thread Marco
On 03.09.2023 at 18:36:53, Alessandro Vesely wrote: > DHCP server has options to insert leased addresses in a dynamic zone. > That works for IPv4. PCs connected to the LAN somehow discover the > gateway has a routable IPv6 address and self-assign an address in > that range, besides the fe80

Re: DNS NXDOMAIN flood

2023-11-01 Thread Marco
On 02.11.2023 10:58, Mosharaf Hossain wrote: > The attack originates from an external network, and it periodically > saturates our entire internet bandwidth. Can you verify that the source IP is not spoofed (TCP ACK replies instead of ACK RST, no ICMP port unreachable for UDP)? If yes, contact t

Re: Adaptation response ton ANY queries

2023-11-03 Thread Marco
On 03.11.2023, avanpevenaeyge wrote: > However, I know that BIND is designed to respond to ANY requests via > TCP for security reasons. So my question is: how can I make my BIND9 > server respond to ANY queries via UDP and not TCP for the purposes of > my thesis? Thank you in advance for your re

Re: Adaptation response ton ANY queries

2023-11-03 Thread Marco
On 03.11.2023, avanpevenaeyge wrote: > Ok but what about the response to ANY queries on ubuntu 22.04? I > tried to do some ANY queries from my client but the server always > responds with TCP. Is it a security measure to prevent DNS > amplification attack? Please tell us how you do the lookup.

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco
On 04.11.2023 15:03, Nick Tait via bind-users wrote: > I only included this because the idea had been put forward already. > But even if the logistics of assigning public IPv6 addresses to your > internal hosts was palatable to you, you'd also want to think about > whether you are comfortable m

forward first and fallback not working

2016-08-23 Thread marco
t expected. Anyone with this behavior ? best regards Marco ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: forward first and fallback not working

2016-08-24 Thread marco
> }; > > If i dig from localhost or any client and 8.8.8.8 answers all is ok > but if 8.8.8.8 is unreachable or it doesn't respond, bind doesn't > fallback on himself asking to root server etc . > > This is not expected. > Anyone with this behavior ? > > best r

Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 07:23:01, JAHANZAIB SYED wrote: > Edit the corresponding REVERSE zone & add following line in the end > > $GENERATE 1-255 $ IN PTR 10-11-11-$.example.com. > > Don't forget to Reload bind config & you are done. Thanks. How is the syntax for IPv6? Is it possible to do it for

Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 10:58:18, Bjørn Mork wrote: > Possible, but only for very small pools. Note that $GENERATE only is > a short form for easier hand editing of zone files on the primary > server. The zone is expanded on load and zone transfers etc will > contain the expanded data set. It doesn

Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 09:52:55, Grant Taylor via bind-users wrote: > This is a singular IP (presumably link-net) for a customer. So there > would be exactly one forward and one reverse PTR record. It isn't, because a customer gets /48 or /56 in most cases. The customer's router can use var

Re: automatic reverse and forwarding zones

2022-10-27 Thread Marco
On 27.10.2022 at 13:08:40, Grant Taylor via bind-users wrote: > Aside: I do question what you would populate the /48 ~ /56 ip6.arpa > zone with. What hypothetical data would you put in it? If it's PD > to an end user, what information would the ISP put in there that > wouldn't be confiden

Re: 9.18 BIND not resolving .gov.bd site

2023-10-30 Thread Marco M.
On 30.10.2023 at 12:25:32, Mosharaf Hossain wrote: > mofa.gov.bd.86400 IN NS ns1.bcc.gov.bd. > mofa.gov.bd.86400 IN NS ns2.bcc.gov.bd. > couldn't get address for 'ns1.bcc.gov.bd': not found > couldn't get address for 'ns2.bcc.gov.bd': not found

Re: DNS NXDOMAIN flood

2023-11-01 Thread Marco M.
On 02.11.2023 at 12:02:00, Mosharaf Hossain wrote: > We are receiving the traffic form random IP addresses to DNS servers. Even when those IP addresses change, can you verify in any way that those are not spoofed, so the traffic originates from that networks?

Re: Help about DNS documentation

2023-11-03 Thread Marco M.
On 03.11.2023 at 15:20:50, Amaury Van Pevenaeyge wrote: > Hello everyone, > > I'm currently a final year Master's student at the Free University of > Brussels. As part of my Master's thesis, I have to implement a DNS > amplification scenario within a Cyber Range. However, before > achieving

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 15:51:32, Nick Howitt via bind-users wrote: > As this site is externally accessible as well, we also have to put an > identical entry in bind-external so we end up having many identical > entries in bind-internal and bind-external. It seems the people who set that up didn't

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote: > My problem is the use of external IP's duplicated between the > internal and external masters for some IPs/FQDNs which I want to get > rid of. Implement IPv6 and get rid of the old IPv4 technology for internal communication. It

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 17:58:51, Nick Howitt via bind-users wrote: > On 03/11/2023 17:54, Marco M. wrote: > > On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote: > > > >> My problem is the use of external IP's duplicated between the > >> inte

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:15:45, Nick Howitt via bind-users wrote: > You are preaching to the converted, but we have a huge mix of SLES > 11, Ubuntu 16, 18, 20 and 22 machines + Windows Server 2016. Getting > them all current is a long term project and it has to go through all > sorts of customer a

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:18:49, Nick Howitt via bind-users wrote: > Can the bind-internal not be made to caching only and not > authoritative? If so, how? Of course it can, simply remove the zone configuration, but it will then cache the records from the authoritative server (your "external-bind

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:54:32, Nick Howitt wrote: > How do you mean remove the zone information? In your /etc/bind are configuration files. Look for named.conf* and find those that include zones: zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" { type master; file "/etc/bind/db.f.8.1.1.0.7.1.0.1.0.a.2.i

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 20:12:59, Nick Howitt via bind-users wrote: > I have those lines, but if I remove them, then presumably I cannot > have internal overrides anywhere, like a hosts file would or like > dnsmasq would? BIND doesn't care about /etc/hosts. If you make it authoritative for a zone,

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Marco M.
On 04.11.2023 at 19:41:44, Nick Howitt via bind-users wrote: > Thanks for the reply. Interesting. > Option A - It works but I would like to stop maintaining two > different servers with the same data. > Option B - I have no chance of getting the company to agree to IPv6. Then you are in a st

Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Marco Moock
On 11.12.2023 at 23:37:36, Blason R wrote: > I require assistance in troubleshooting the resolution issue for > specific domains that are not being resolved properly. The version of > BIND I am currently using is BIND 9.18.20-1. First, tell us if those queries are authoritative on that serve

Re: unable-resolve-bank=domain

2023-12-17 Thread Marco Moock
On 17.12.2023 at 10:21:05, MEjaz via bind-users wrote: > One of the banking domain www.services.online-banking.gslb.sabbnet.com > unable to > resolve with our primary nameservers 212.119.64.2 whereas my > another server 212.119.64.3 is

Re: [Windows] [9.16.45] Missing IPv4 DNS prevents tools from working

2024-01-08 Thread Marco Moock
On 09.01.2024 at 01:41:46, Gentry Deng via bind-users wrote: > Due to an accident my local network is missing IPv4 DNS but has IPv6 > DNS so it has little impact on accessing the internet. > > But I found that neither `dig` nor `nslookup` worked, and reported an > error: Windows Linux subsy

Re: BIND Upgrade

2024-02-15 Thread Marco Moock
On 15.02.2024, Semra Türkkal Nazlımoğlu wrote: > Our bind version seems below. How can we upgrade bind version? It comes from the OS you are using. Upgrade to the current RHEL release. If you prefer bleeding-edge versions, use Fedora instead. > And if we upgrade bind version, is there any prob

Re: record PTR

2024-03-14 Thread Marco Moock
On 14.03.2024, sami.ra...@sofrecom.com wrote: > Hello, please, I want to know if I need to delegate a range of IP > addresses to my authoritative DNS server with my registrar before > creating a PTR record or not. In other words, if I want to create a > PTR record on my authoritative server (ns1.

Re: DoH credentials

2024-03-25 Thread Marco Moock
want to have a reverse proxy, this is a way to use auth. If you don't want to have an open resolver, you have to control that at the apache side. -- Regards, Marco Send unsolicited bulk mail to 1711382983mu...@cartoonies.org

Re: CNAME and IPv6

2024-05-28 Thread Marco Moock
2001:db8::1 ftp2A 172.16.0.1 ftp22001:db8:::1 That makes it possible to redirect it to the actual machines that run the service. -- Regards, Marco Send unsolicited bulk mail to 1716890409mu...@cartoonies.org

Re: CNAME and IPv6

2024-05-28 Thread Marco Moock
On 28.05.2024 at 18:48:38, Peter wrote: > On Tue, May 28, 2024 at 12:25:03PM +0200, Marco Moock wrote: > ! > Now we add an IPv6 address for 'myhost'. But portforwarding > ! > doesn't work for IPv6. Instead we are required to use different > ! > addres

Re: CNAME and IPv6

2024-05-29 Thread Marco Moock
On 30.05.2024 at 00:47:56, Peter wrote: > On Wed, May 29, 2024 at 12:20:09PM +0200, Matus UHLAR - fantomas > wrote: ! > On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock > wrote: ! > > rinetd manages 2 separate connections and should work > with PMTUD. ! > !

Re: MDLZ user activation

2024-06-07 Thread Marco Moock
list. Message-ID: <6661e181d6fce_20e3f8fc856fcec65140...@sidekiq-frequent-fd-poduseast1-free-blue-fc47b6fff-n44lb.mail> If you need it, I can forward it to you. -- Regards, Marco Send unsolicited bulk mail to 1717750707mu...@cartoonies.org

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
.com has address 45.225.75.8 811.vps.CONFIARED.com has IPv6 address 2803:1920::c:1963 m@ryz:~$ You should have redundant servers and not 2 NS records that point to the same machine. Please fix that first and update your glue records. -- Regards, Marco Send unsolicited bulk mail to 1720786383mu...@cartoo

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
In which way is this router involved in DNS resolution? -- Regards, Marco Send unsolicited bulk mail to 1720787938mu...@cartoonies.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions.

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
Regards, Marco Send unsolicited bulk mail to 1720788988mu...@cartoonies.org

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
On Fri, 12 Jul 2024 15:51:32 -0400, Herman Brule wrote: > Loop detected! We were referred back to '45.225.75.8' That's why I say: Have real NS records that point to unique systems. If you forward, make sure the other machine is the master. I operate DNS with 2 NS records, one dual-stack,

Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
On Fri, 12 Jul 2024 22:44:38 -0400, Herman Brule wrote: > For now your method fail, include I try: > > zone "ore.org.bo" { > type master; > file "/etc/bind/ore.org.bo.db"; > }; Only have one, exactly one master for a zone. Everything else will create a big mess. The other servers ar

!AAAA in statistics

2024-08-15 Thread Marco Moock
378 RRSIG 6 NSEC 21 DNSKEY 6 HTTPS 12 ! 10 !DS 4 !HTTPS 6 NXDOMAIN [View: _bind (Cache: _bind)] What do the lines with the ! mean? -- kind regards Marco

v6-bias

2024-08-18 Thread Marco Moock
ations that are reachable via IPv6 and have a latency under 20 ms. -- kind regards Marco

Re: v6-bias

2024-08-18 Thread Marco Moock
On 18.08.2024 at 23:44:26, Mark Andrews wrote: > > On 18 Aug 2024, at 20:32, Marco Moock wrote: > It is. Go to the product page. Look at panel 3 “Configuration". > Click on "Administrator Reference Manual (ARM)” then enter “v6-bias” > in the search box. https:

Re: 9.18 horrendous

2024-08-23 Thread Marco Moock
oduced, it can be fixed. -- Regards, Marco Send unsolicited bulk mail to 1724443067mu...@cartoonies.org

Re: 9.18 horrendous

2024-08-23 Thread Marco Moock
On Fri, 23 Aug 2024 16:28:22 -0400, David Farje wrote: > The whole point of open source software is that you as a user get > software for free You get certain freedoms because of the license. This doesn't mean it needs to be provided for free. ISC also sells BIND9 together with a support contra

Re: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Marco Davids
Hello Gaurav, You might want to have a look at our whitepaper on 'authenticated denial of existence' to gain better understanding of this somewhat complicated aspect of the DNSSEC specification: https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf Regards, -- Marco

Bind and views

2015-10-07 Thread Marco Felettigh
ns chain like Bind do not has the pippo.it zone in the ViewA. Of course if i run dig hosta.pippo.it @IpA all is working properly. Is it possible to force the Bind's resolver to lookup in all the views ? Important: i need the views binded to

Re: Bind and views

2015-10-07 Thread Marco Felettigh
Hi Mark, yes of course if i put the zone in both views all is fine but we want to partition the dns server without duplication. Is it possible ? Marco On Wed, 07 Oct 2015 21:32:48 +1100 Mark Andrews wrote: > > Just put the zone in both views. > > If you upgrade to 9.10

Re: forward first and fallback not working

2016-08-24 Thread Marco Felettigh
ind-users@lists.isc.org > > Subject: forward first and fallback not working > > > > Hi, > > bind 9.10.3_p4 with this global option: > > > > forward first; > > > > forwarders { > >8.8.8.8; > > }; > > > > If i dig from loc

automatic reverse and forwarding zones

2022-10-27 Thread Marco Moock
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.d.0.0.1.0.0.2.isp.example.org This has an AAAA record of 2001:db::3. Is it possible to let bind create that automatically for certain zones? -- kind regards Marco

Debugging recursive bind

2008-11-21 Thread Marco Michelino
Hi all, I have a recursive dns server that sometimes returns errors on queries even if the requested domain exists: # dig @myserver agriturismolacapraccia.it mx ; <<>> DiG 9.3.4-P1.1 <<>> @myserver agriturismolacapraccia.it mx ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>

Need to use dnsperf with bind 9.5.0

2010-11-19 Thread Marco Bicca
generate a file like that. I basically need a very large query file to run lots of queries. Thank you, __ Marco Bicca

RE: DNS Bulk Query Tool

2011-11-02 Thread Marco Bicca
retty well. Thanks, ___ Marco Bicca -Original Message- From: bind-users-bounces+marco_bicca=symantec@lists.isc.org [mailto:bind-users-bounces+marco_bicca=symantec@lists.isc.org] On Behalf Of Gaurav Kansal Sent: Wednesday, November 02, 2011 10:49 AM To: bind-users@lists.isc.org Subject

RE: DNS Bulk Query Tool

2011-11-11 Thread Marco Bicca
Hi Gaurav, Not sure, I used dnsperf just fine on a centos box. Thanks, Marco -Original Message- From: Gaurav Kansal [mailto:gaurav.kan...@nic.in] Sent: Friday, November 11, 2011 1:33 AM To: Marco Bicca; bind-users@lists.isc.org Subject: RE: DNS Bulk Query Tool Hi Marco, Thanks

Re: DNSSEC closed environment

2009-07-08 Thread Marco Davids
projects/ldns/ (sorry, for being a bit off-topic here) Regards, -- Marco Davids SIDN

multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
I tried 'configure' with and without '--enable-threads', but there is no notable difference. I also tried 'dnssec-signzone' with and without the '-n' option. No difference either. Can anyone point me in the right direction please? Thank you so much. -- Ma

Re: multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
On 23-12-2009 15:14, Paul Wouters wrote: > On Wed, 23 Dec 2009, Marco Davids wrote: > >> It seems as if my 'dnssec-signzone' runs on one CPU-core only, where as >> I would have expected it to run on all four. > > dnssec-signzone first does a lot of prep

Re: multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
On 12-23-2009 15:33, Marco Davids wrote: >>> It seems as if my 'dnssec-signzone' runs on one CPU-core only, where as >>> I would have expected it to run on all four. >> >> dnssec-signzone first does a lot of preprocessing on one core, before >> it f

Re: SERVFAIL in BIND when resolving certain domains (.gov.co)

2024-11-01 Thread Marco Moock
o) in 179 ms ;; communications error to 119.26.56.250#53: timed out ;; expected opt record in response ;; Received 43 bytes from 190.26.56.250#53(hillstone.cundinamarca.gov.co) in 191 ms Both servers are reachable, via IPv6 using ICMP echo req, but the DNS server isn't listening on UDP nor TCP. --

Re: SERVFAIL in BIND when resolving certain domains (.gov.co)

2024-11-01 Thread Marco Moock
On 01.11.2024 at 22:37:30, Marco Moock wrote: > Both servers are reachable, via IPv6 using ICMP echo req, but the DNS > server isn't listening on UDP nor TCP. I have to catch that up: I don't receive any answer when querying UDP or TCP, also on other ports. Maybe it is also

Re: secondary dns server question :)

2024-11-18 Thread Marco Moock
On Mon, 18 Nov 2024 19:03:55 +0100, Jean-François Bachelet wrote: > just to be sure, in case we have two (internals) dns servers on the > same network (for the case of one is unavailable), if I understand > well the docs, the two servers should have the exact same > configurations, apart that

Re: notify IPv6

2024-11-24 Thread Marco Moock
the zone" Try a zone transfer manually with dig axfr example.org -6 @dns-server Does that work? How do the records of the server look? Is the slave in the different zone? If so, check the glue records of it too. Generally, which version are you running? -- Regards, Marco Send un

Re: Master/Slave

2025-01-31 Thread Marco Moock
e ? Such a config works perfectly fine. -- Regards, Marco Send unsolicited bulk mail to 1738353786mu...@cartoonies.org

Re: BIND DNS Server on Windows

2025-02-09 Thread Marco Moock
On 09.02.2025 at 10:51:35, Turritopsis Dohrnii Teo En Ming via bind-users wrote: > Can I install WinBIND on Windows 10 and Windows 11? The following > guide mentioned installation of WinBIND on Windows Server only. Should work, give it a try. -- Regards, Marco

Re: Authoritative and caching

2025-02-19 Thread Marco Moock
On Wed, 19 Feb 2025 10:58:14 +0100, Danjel Jungersen via bind-users wrote: > But if I change /etc/resolv.conf to 127.0.0.1 something happens > If I do a dig or ping from my postfixbox to something that the 2 main > bind-boxes are authoritative for, it doesn't work. Please sniff the DNS traffic

Re: IPv6 Geolocation per /64

2025-02-18 Thread Marco Moock
nd.com/en/locate-my-ip-address At least for my IP the geo information I get from there is simply junk. -- Regards, Marco Send unsolicited bulk mail to 1739901031mu...@cartoonies.org

Re: Upgrading the Bind Server issue

2025-03-19 Thread Marco Moock
Run ll and in the folder and post it here if you really want to compile yourself. -- Regards, Marco Send unsolicited bulk mail to 1742386989mu...@cartoonies.org

Re: long FQDN resolution

2025-05-15 Thread Marco Moock
On 15.05.2025 at 14:31:40, DEMBLANS Mathieu wrote: > It is problematic for DNSBL requests because it generate a lot of > useless requests and this kind of service look at the number of > requests done (usage policy): Disable qname minimization for that. -- Regards, Marco Send un

Re: Dns tunnel detection/prevention

2025-05-22 Thread Marco Moock
uch lines. -- Regards, Marco Send unsolicited bulk mail to 1747916585mu...@cartoonies.org

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
Hi, It is not possible to configure NSEC3 as a default in named.conf (on a per zone basis), is it? I would welcome such a feature. I also find it a bit strange that BIND decides to go for NSEC, even when the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1). Thanks. -- Marco On 03

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
Phil, On 03/07/12 10:27, Phil Mayers wrote: > On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote: > >> I also find it a bit strange that BIND decides to go for NSEC, even when >> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1). >> > AS I understand i

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
ove to NSEC3 (but meanwhile, older resolvers will validate your replies). Are there still any 'older' resolvers around? Maybe not... Anyway, thanks for your insights! -- Marco

Dig 9.9.1 AD-bit

2012-08-02 Thread Marco Davids (SIDN)
. Regards, -- Marco

allow-recursion slowing server to crawl

2013-02-27 Thread Marco C. Coelho
real suggestions. I've tried it with ACL and without. Any suggestions would be appreciated. Marco acl "internal" { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; }; options { directory "/var/named"; /* * If there is a fir

Re: allow-recursion slowing server to crawl

2013-02-27 Thread Marco C. Coelho
On 2/27/2013 5:18 PM, Mark Andrews wrote: I suspect this is just logging. send the security channel to null; for a while. Once your server gets off the I'm a recursive reflector lists you can turn it on again. In message <512e7940.7060...@argontech.net>, "Marco C. Coelho" wri

Re: Configuring DNSSEC for child domains

2013-05-06 Thread Marco Davids (SIDN)
ld remove ns[12].transip.net from your NS-set and try again? It seems as if these name servers are causing some problems. (see attachment) http://dnsviz.net/d/zuid.dapadam.nl/responses/ Regards, -- Marco dig +dnssec DS zuid.dapadam.nl @ns2.transip.net. ;; Got bad packet: extra input data 424 bytes 07

Who is right?

2013-09-06 Thread Marco Davids (SIDN)
hat I should know about? Thank you. -- Marco

Re: Sporadic but noticable SERVFAILs in specific nodes of an anycast resolving farm running BIND

2014-03-05 Thread Marco Davids (SIDN)
On 05/03/14 15:15, Klaus Darilion wrote: > Does it only happen for IPv6 DNS requests? Maybe it is related to this: > https://open.nlnetlabs.nl/pipermail/nsd-users/2014-January/001783.html Or, less likely, this: http://marc.info/?l=linux-netdev&m=139352943109400&

Re: localhoast A record?

2014-03-21 Thread Marco Davids (SIDN)
may want to consider adding it in such a case (although I don't do so). But if you do, don't forget to add an AAAA-record for ::1 as well ;-) Regards, -- Marco

Re: DNS weirdness

2015-01-06 Thread Marco Davids (SIDN)
Darcy Kevin (FCA) wrote on 06-01-15 at 19:56: > This nameserver is forwarding to 208.67.222.222 and 208.67.220.220. Are those > valid and working? OpenDNS, right? -- Marco

DNSSE logging and parsing it

2015-03-05 Thread Marco Davids (SIDN)
SSEC-validation problem): dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found What would be the best, unambiguous string(s) to grep for, in order to find domain names that have validation-problems? Please advise. -- Marco

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Marco Davids (SIDN)
IM > sign > them on behalf of isc.org That is what the IETF list servers do anyway. Unfortunately they don't rewrite the From headers, thereby breaking the alignment. So in total it doesn't help a whole lot, but it's one step closer to the solution. Regards, -- Marco

Re: Bind 9.8 with dlz and dnssec

2011-03-10 Thread Marco Davids (SIDN)
future DLZ developments. http://powerdnssec.org/ -- Marco

Re: AW: ipv6 PTR in zone file

2011-04-12 Thread Marco Davids (SIDN)
On 04/12/11 10:50, walter.jontofs...@t-systems.com wrote: > you could use ipv6calc (ftp://ftp.bieringer.de/pub/linux/ipv6/ipv6calc) to > calculate the reverse strings. Yes. Or do it 'the BIND way': dig -x 2001:7b8:c05::80:1 | grep ip6.arpa | tail -1 | awk '{print

Re: AW: ipv6 PTR in zone file

2011-04-12 Thread Marco Davids (SIDN)
l -1 | awk '{print $1}' > Beside them, is any potential possibility to have something build-in > in BIND config/zone file as kind of beautiful (my, and my team, > personal point of view) solution? I wonder if the $GENERATE directive could work for you. Not sur

Strange issue - please enlighten me

2010-02-19 Thread Marco Davids (SIDN)
while BIND 9.7.x returns a SERVFAIL. dig +trace www.airfrance.fr works as expected. logging says: lame-servers: info: lame server resolving 'www.airfrance.fr' (in 'www.airfrance.fr'?): 193.57.219.253#53 Thank you. Regards, -- Marco Davids

Re: bind multi-threaded question

2010-04-28 Thread Marco Davids (SIDN)
'proc'-directory in your chroot jail. Something like: mkdir /chroot/bind/proc mount --bind /proc /chroot/bind/proc and then in your /etc/fstab add something like this: /proc /chroot/bind/proc none bind,ro 0 0 Regards, -- Marco Davids Technical Advisor SIDN

ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
Hi, Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org How does a validating resolver determine that such an answer is secure? Thank you. -- Marco Davids

Re: ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
re you using? > Hi Doug, I use BIND 9.7.0rc1, configured to work with the IANA testbed. dig +dnssec rrsig www.forfunsec.org @149.20.64.20 has the AD flag too, though. It runs BIND 9.6.1-P2. (DNS-OARC validating resolvers), The other one, 149

Re: ad flag for RRSIG queries

2010-07-14 Thread Marco Davids (SIDN)
VKIQ yXA= ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Jul 14 04:46:41 2010 ;; MSG SIZE rcvd: 428 dig +short chaos txt version.bind @localhost "9.7.1-P1" -- Marco

DNAME + DNSSEC

2016-10-20 Thread Marco Davids (SIDN)
NS perhaps?) not doing the right thing? I've been looking too long to this matter so this is the time to ask for your help. It didn't help that DNS-OARCs open BIND-resolver (184.105.193.73) broke down, having the same effect as a timeout). Thanks. -- Marco

Re: DNAME + DNSSEC

2016-10-20 Thread Marco Davids (SIDN)
On 20/10/2016 14:41, Marco Davids (SIDN) wrote: > For testing-purposes I tried to simulate the situation in sidnlabs.nl: > > dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.sidnlabs.nl ERROR! That should be: dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.dname.si

make AAAA type the default for dig

2017-06-14 Thread Marco Davids (SIDN)
Hi, Not sure if this has been proposed before, but I am wondering: Has ISC ever considered to change the default 'dig -t' option from A to AAAA? -- Marco

Re: Proper Way to Configure a Domain which never sends emails

2019-08-20 Thread Marco Davids via bind-users
A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful. -- Marco On 19/08/2019 23:31, Kevin Darcy wrote: > [ Classification Level: PUBLIC ] > > MXes are for *receiving* mail of course. The request is about *sending* > mail. > > Setting the SPF record to
