in a network.
In the new system, we would have a dynamic zone that was
always current so no need to do a zone transfer. Additions and
deletions would just be there a fraction of a second later and
the file would always be current.
Thanks for any useful ideas.
Martin McCormick
IP address of that A record
also show up in the log?
Thank you.
Martin McCormick
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/m
Kevin Darcy writes:
> Don't think that's a logging option, but if the Dynamic Update is still in
> the zone's journal file, you could use "journalprint" (or
> "named-journalprint" as it's called in later versions) to see the gory
> details...
Thank you. That should do the job.
Martin
keep whatever value we originally
had.
Many thanks.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
Phil Mayers writes:
> If you want TTL, you will need to use DNS-specific functions like the
> res_*
> API. You need to be sure you are querying the master, otherwise the TTL
> will be the one from cache, not the "real" value.
I appreciate this information as it sounds like I am
using the
e
none.
Thanks for any light you can shed on why host still thinks there
is something there.
Martin McCormick
Kevin Darcy writes:
> I don't use "host" very much, but I would assume it returns a "successful"
> exit code as long as the RCODE of the response is NOERROR. This would
> explain the behavior you are seeing, since by creating a name
> "www.physicscourses.okstate.edu", if its parent
> "physicscourse
today.
Had I not changed the server address in
/usr/local/etc/rndc.conf, it would have sent the stop command to
the correct instance of bind.
Thank you.
Martin McCormick
are not having any
problems like this.
There seems to be no reason why some remote domains
work and others don't. I am asking on this list in hopes that
somebody has seen something like this somewhere else and found
the cause.
Thank you.
Martin McCormick WB5AGZ Stillwater, OK
John Miller writes:
> Just to clarify, how many domain names are doing this for you? Are they
> all
> remote domains, or are some of them okstate.edu domains?
They are all remote as far as I can tell.
I will have some answers for Barry Margolin's questions a bit
later. It seems like the tear of
I described a case where one of our remote campuses can't
resolve a number of remote domains. One example is noaa.gov. It
also successfully resolves random remote domains without
seemingly any rhyme or reason.
Here is a bad dig trace for noaa.gov
; <<>> DiG 9.7.7 <<>> @localhost +trace no
plaints about a week ago so the
hurricane is not to blame.
I will let the group know what happened as soon as we
find out, ourselves.
Martin McCormick
If I do:
dig @localhost +short +trace somehost.okstate.edu
on a server authoritative for the okstate.edu domain, I would
expect resolution via that authoritative system. I do get it but
the query takes the scenic route and I get all the root name
servers just as if the query was for some host out
Thanks to all who reminded me how dig resolves lookups.
I have since learned that we are apparently having
intermittent network issues that are causing a lot of systems to
behave oddly and our DNS's are only reflecting those conditions.
We were taking anywhere from 0 milliseconds
short of internal and external-facing
DNS's that we can do to be sure that local resolution stays up?
Thank you very much.
Martin McCormick Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
fixed itself
by downloading all its zones again. What should we expect from a
master DNS?
Martin McCormick
eaven only knows what is actually being received by
bind. Is there any way to narrow down what part of the request is
broken/missing?
Thank you.
Martin McCormick
what a few of the
flags are capable of. If it can read named.conf, it should get
the zone file name from that.
Thank you.
Martin McCormick
ms to work.
My thanks to a member of this list for helping me better use the
available tools.
I had been using named-checkzone and named-checkconf for
years to check syntax but these do so much more. Many thanks to
the ISC community for designing such good applications.
M
ed-compilezone -oDOMAIN.ZONE -j -k ignore okstate.edu
/var/named/db/zonefilename
This compiles a usable zone, ignores name warnings and prints
all the dodgy MX records and other possible issues you may have
with this zone.
Martin McCormick
For the sake of thoroughness, the -j flag causes
named-compilezone to also look at the .jnl files so that the
zone you get is as up to date as possible.
Martin
ideas.
Martin McCormick
is is my week for asking novice questions, but I don't
get to see what happens when the master goes away all that often
and what I saw wasn't pretty.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications
l over ate that
message and since there was no more input to be read, one could
never see it. I expect the file descriptor gets lost in the
rollover.
I built another system and used the same script to set
things up and it had the same problem but it was logging so
that's how I found ou
site lookups.
Any ideas are appreciated. Most of the error messages in
bind9.7.1 are fairly self-explanatory but this one has me
scratching my head.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
se they are mostly
udp.
To be truthful, the firewall was low on the trouble-shooting
list because it had worked for so long.
Thanks very much.
Martin McCormick
called and can I put something
in named.conf similar to
category lame-servers { null; };
directive that will make these messages stop logging without
affecting other possibly important types of messages?
Thank you.
Martin McCormick WB5AGZ Stillwater, OK
Systems E
Paul Ebersman writes:
> category edns-disabled { null; };
>
> should make you happier.
I must get a newer edition of DNS and Bind, but thanks
to you and the list for your patience.
Actually, I am not sure whether it is mentioned in the
4TH edition but searching for something
all at all.
Martin McCormick
d the problem.
Thank you.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
holder. So, what should I have in that particular
command to make it generate the ZSK?
Thank you.
Martin McCormick
Alan Clegg writes:
> dnssec-keygen -K /var/named/etc/namedb/dynamic/okstate.edu okstate.edu
>
> Nothing else needed since you are using the defaults...
Thank you. I was trying to make things difficult, I guess.
After setting up a private zone which should have delegated
queries to some Microsoft DNS's, I received a report that an
additional host in that domain did not resolve. They were right.
I had to put an A record in my delegated zone for that system to
make it resolve so I think I have something set
Barry Margolin writes:
> Do you have recursion enabled on your server?
A good question. I have never explicitly disabled it and
it appears to be on.
We have an allow-query list based on ACL's so that
callers from inside our networks get both recursive and
nonrecursive lookups. Sp
Thanks to two list members, I immediately realized what
I needed to do to make this work correctly.
After setting up an authoritative zone for ds, I put in
the NS and A records for the master server and then put in the A
and NS records for r as a delegated zone. It all works fine,
a "make it good" script where it
just chown's everything to the proper directories? That would be
very helpful.
Martin McCormick
I wrote:
> Who is supposed to own /var/named?
I received a response from a kind soul from this list
who reminded me of a directive new to bind9.7.1 that lets you
determine where the managed-keys.bind file lives. I set up
managed-keys-directory "/etc/namedb/working";
and all is now well w
On my test box, I am not seeing any errors so I think we are
signing the test zone. The dnssec part of named.conf options
looks like:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
managed-keys-directory "/etc/namedb/working";
In the actual zone, I have:
zone
any suggestions. this totally breaks nsupdate unless
you force the server and zone information.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
Is there a recommended set of firewall rules that insure that all
necessary DNS traffic can enter and leave, even the larger
packets that result from dns-sec?
We want port 53 traffic from anywhere, in this case and
can send it anywhere, and want to be sure that no port 53
traffic is being
anything that might somehow leak out of
this experiment is treated as junk and ignored.
Many thanks.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
John Wobus writes:
> I think you want a *.com entry as well as the * entry.
I have now put in an entry like:
*.com. IN A 139.78.6.193
I still have the same behavior as before. The allowed
domain succeeds and all others get a SERVFAIL where they should
resolve to 139.78.2.193 whic
Stacey Marshall writes:
>The master NS would only need to load the
> root.zone file,
> Other name servers within the private network would load the hint file.
That was it! The bogus DNS now does its special
resolution like it should. Many thanks.
Ma
at will blow up dhcpd?
I guess I was lucky before that there were no spaces in the
previous key.
Thanks for any help.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
Torinthiel writes:
> Try deleting the space. Just this. dnssec-keygen inserts space for
> readability purposes only. If you still have original *.key and
> *.private files, you can check it yourself, that the Key field in
> *private contains exactly the same as *.key, minus the space.
It actually
thanks.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
to reverse the lookup back to a name, but
getnameinfo just takes res->ai_addr as an argument and works
great, but one doesn't see how it extracted the IP address.
Thanks for all good suggestions.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology
When are tcp dns queries necessary?
It was my understanding that clients could use tcp or
udp.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
for TCP, but it can be required for
> normal queries, although that is far from normal.
My thanks to you and to 2 other list members who replied
off list. This confirms what I thought I remembered reading some
time before.
Martin McCormick
conf.local:32: unknown option 'sortlist'
/etc/bind/named.conf.local:38: unknown option 'allow-transfer'
/etc/bind/named.conf.local:42: unknown option 'check-names'
/etc/bind/named.conf.local:43: unknown option 'check-names'
Martin McCormick WB5AGZ Stil
:
Operation not supported
How serious is this? What likely isn't working as things
look quite normal on this test system?
rndc works and the status shows exactly the same output
I used to see in 9.3.6.
Thanks.
Martin McCormick WB5AGZ Stillwater, OK
Systems Enginee
s before hand. One was wrong and, well,
that's another war story. The main thing is that each slave is a
perfect backup for your whole operation. It takes very little
effort to set them up and almost no maintenance afterwards. They
just run thems
nce it is so closely tied to everything else.
Here is an actual example of the message we look for:
08-Jul-2009 08:38:20.296 client 139.78.102.224#53631:
no more recursive clients: quota reached
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Departmen
d put a .TXT record in as this is a suggested
procedure to handle resolvers that don't do SPF yet.
Thanks for any help.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
y from the same date.
Both have been completely removed so they are not an issue but
nothing has changed. The host and nsupdate utilities were built
along with bind95.1P2 on July 10 so they are fresh.
Any other ideas as to what to look at?
Thank you.
Martin
g the same thing again and
again and expecting different results. Actually appearing to get
them is also crazy.:-)
Thanks for all the helpful suggestions. I am truly
baffled.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunication
preserve their case, but the names,
themselves, ignore case so let's have them all lower case.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
s and the mixed
> case $origin disappears.
Excellent. That is kind of what I thought about doing
but I wasn't completely sure if I was not missing something so
that is what I will do. Thank you.
Martin McCormick
Hauke Lampe writes:
> When BIND writes zone files, it uses $origin to group records that share
> a common base name. Just "update delete/add" all records and the mixed
> case $origin disappears.
It did. Many thanks.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engin
s and the
rest just keeps working.
Thanks for any and all suggestions.
Martin McCormick
ecords for now.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
pposed to be garbage collected if left untouched
> after 7 days IIRC)
plus much more great information. Thanks for an excellent
answer.
Martin McCormick
break our legs as we climb up.
Many thanks.
Martin McCormick
Niobos writes:
> Definitely consider the 9.7 series! You can enable auto-dnssec which
> will maintain your signatures for you out-of-the-box. It also supports
> key rollover, but IIRC doesn't generate new keys at this moment.
That's not much of a problem. Thanks for reminding