Hello,
I'm looking at setting up RRL. The BIND versions that we are running on our
servers are 9.9.x and 9.10.x. Is there a way to set up RRL to rate limit by source
IP or by certain net blocks?
Thanks,
Nick
___
Please visit https://lists.isc.org/ma
Hi,
In a recent discussion on another list, the pros and cons of splitting
the main conf file into per-domain files were discussed.
In BIND's case it would be /etc/named.d/*.conf.
So each zone would have a file in that directory containing only the
relevant info
eg:
zone "example.com" {
ty
I am an old hand at bind, but - DNSSEC Newbie alert :->
I am after clarification on how slaves handle DNSSEC.
I have two slaves, both were stale, like since Feb 9! One I directly
control, the second I do not, so I cannot provide details on how
that one is configured, but given it is a reputab
On 3/7/12, Mark Andrews wrote:
>> resigned it again as about 3 months using:dnssec-signzone -a -e
>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>
> You should have fed dnssec-signzone the old signed zone not the unsigned
> zone.
>
> dnssec-signzone -f guilty_domain.here.signed -N
On 3/8/12, Nick Edwards wrote:
> On 3/7/12, Mark Andrews wrote:
>
>>> resigned it again as about 3 months using:dnssec-signzone -a -e
>>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>>
>> You should have fed dnssec-signzone the old signed zone no
Thanks, that did the trick!
On 3/8/12, Mark Andrews wrote:
>
> In message
>
> , Nick Edwards writes:
>> On 3/8/12, Nick Edwards wrote:
>> > On 3/7/12, Mark Andrews wrote:
>> >
>> >>> resigned it again as about 3 months using:dnssec-si
Hi All,
Is there a way for RPZ zone file to act on domain AND subdomains
without using two separate entries?
At present I can only get them to match on one or the other unless I do
example.com blah
*.example.com blah
I'm sure I've missed the obvious, but thought I'd ask
be V, or A or B?
2. Should the NS records for the zones be A, B and V, or just V?
3, Should S slave from A and B, or should it slave from V?
4. Should F forward to V, or to both A and B?
--
Nick Urbanik http://nicku.org 808-71011 nick.urba...@optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF
Dear WBrown,
Thank you for your helpful reply.
On 13/02/13 08:11 -0500, wbr...@e1b.org wrote:
Nick wrote on 02/12/2013 10:00:27 PM:
We have a pair of DNS servers running BIND behind a direct routing LVS
director pair running keepalived. Let's call these two DNS servers A
and B, and th
Hi,
In just testing a few things with our authoritative server, I made a
typo, and, much to my surprise, the server responds NXDOMAIN to
requests from unauthed requesters; this used to return REFUSED. When
did this error change?
(bind 9.9.3-P2)
ile-format text;
interface-interval 0;
dnssec-enable yes;
dnssec-validation yes;
};
On 8/28/13, Matus UHLAR - fantomas wrote:
> On 28.08.13 23:13, Nick Edwards wrote:
>>In just testing a few things with our authoritative server, I made a
>>typo, and, much to my surprise t
Mark,
On 8/29/13, Mark Andrews wrote:
>
> In message
>
> , Nick Edwards writes:
>> The typo was more of how I came about my request; forget the typo as
>> such, it's the actual answer. To use a more common well-known name, if
>> I type
>>
>> ~$ host w
easy.
On 8/29/13, Mark Andrews wrote:
>
> In message
>
> , Nick Edwards writes:
>> Mark,
>>
>> On 8/29/13, Mark Andrews wrote:
>> >
>> > In message
>> >
>> > , Nick Edwards writes:
>> >> The typos was more of how I c
bugger off with your dictatorship
do not bring it here like you take it to every list you go to, well,
those that you have not been kicked off of, that is
On 8/2/14, Reindl Harald wrote:
> why do you reply off-list, in HTML and top-posting?
>
maybe he will, when you learn to stop being so offensive and abusive
on every list you decide to join, and to think a certain blacklist
operator on this list a few days ago said you were well behaved, hrmmm
are you paying him off so he won't list you again in his RBL
On 8/3/14, Reindl Harald
skipping nameserver 'ns5.concord.org' because it is a CNAME, while
resolving '210.128-25.119.138.63.in-addr.arpa/PTR'
I have logs growing by about 30 megs a day with pretty much only this in
them (of course not always the same remote server), how do I shut this up?
My logging statements are
logging {
Dear Folks,
It's easy enough to flush an A or PTR record with rndc flushname
name. But how do you flush a TXT or SPF record? (I don't want to
flush the whole zone).
--
Nick Urbanik http://nicku.org ni...@nicku.org
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB
On 23/11/10 06:55 +1100, Nick Urbanik wrote:
Dear Folks,
It's easy enough to flush an A or PTR record with rndc flushname
name. But how do you flush a TXT or SPF record? (I don't want to
flush the whole zone).
Simple! Just rndc flushname domainname works.
--
Nick Urbanik
.991 fetch 0xa0ddd60 (fctx
0xaf24578(www.andra.com.au/A)): destroyfetch
26-Jun-2009 09:30:29.991 fctx 0xaf24578(www.andra.com.au/A'): shutdown
Is this issue caused by bind caching the glue result from the root
servers, then ignoring the authoritative result or something like that?
Th
On Wed, 2010-01-06 at 19:47 -0800, Mike wrote:
> Can someone help me understand? Here is a snippet from the strace output:
>
>
> 19120 <... futex resumed> ) = 1
> 19120 epoll_ctl(8, EPOLL_CTL_DEL, 517, {EPOLLIN, {u32=517, u64=517}}) = 0
For EPOLL_CTL_DEL, the last argument, the epoll_
Hi,
We have a customer who has their own cache server, but in the afternoons
before they close up for the day, they commit off-site backups, this
process takes them about 90 mins, anyone trying to use the internet in this
time fails 99.9% of the time due to DNS lookup errors, but if they use an
ex
Thanks Mark, it's a likely reason, they are using a microtek or such junk if
my memory serves me correctly, we will drop in a Juniper and see if that
resolves it.
On Tue, Sep 20, 2016 at 7:51 AM, Mark Andrews wrote:
>
> In message qozh...@mail.gmail.com>, Nick Edwards writ
On Tue, Oct 25, 2016 at 12:11 AM, Reindl Harald
wrote:
> identical like the first one
>
> Which IP should be use?
>>
>
> i don't understand your question
>
>
Since you have NOTHING to do with ISC or even remotely with bind, if you
don't understand, LEAVE IT TO SOMEONE WHO DOES
but you just can't
On Tue, Oct 25, 2016 at 12:42 AM, Reindl Harald
wrote:
>
>
>
>>
> don't get me wrong but that question shows that you are not ready to run a
> public dns server - there is no "local" or
>
when you make statements like that, be sure you include the fact you have
NOTHING to do with ISC or bind.
On Tue, Oct 25, 2016 at 7:11 AM, Reindl Harald
wrote:
>
> i don't understand your question
>>
>>
>> Since you have NOTHING to do with ISC or even remotely with bind, if you
>> dont understand , LEAVE IT TO SOMEONE WHO DOES
>>
>
> and YOU have something to do with ISC?
> i doubt!
>
> since i m
On Tue, Oct 25, 2016 at 7:14 AM, Reindl Harald
wrote:
>
>
>
> this is a public mailing list - so what!
>
> when someone doesn't yet get the connection between nameservers, webserver
> and ip-addresses he is not ready to connect public servers and that's
> completely independent of the fact you ra el
lots of things failing in recent times, even with CentOS, mostly because of
OpenSSL min version changes, and most recently even the latest releases won't
build now because of a change in min Python versions *sigh*, I'm just going
to leave it as is, that's all we can do.
On Fri, Apr 26, 2019 at 5:05 AM
've glossed over the details of replicating
the two different copies of the zone to your secondary DNS servers, but
the general idea is to have the secondaries use different TSIG
signatures for transferring each copy, and have the "match-clients" use
the TSIG key to figure out which
the internal machines continue to use the public address, but the
packets don't actually get routed out to the Internet.
Nick.
On 7/02/23 19:45, Matthias Fechner wrote:
Hi Darren, Hi Nick,
at first thanks a lot for your answer.
I see that I have not explained my use-case detailed
On 9/02/23 05:17, adrien sipasseuth wrote:
so it works BUT I need to know more than 48h in advance that the
rollover is starting, to submit the new KSK to my registrar.
How can I set this up if it's not with "public-safety"?
If it was me, I'd set the KSK to not roll-over automatically, and
inste
On 14/02/23 05:39, adrien sipasseuth wrote:
"You configure parental agents and named will check which DS’s are
published. Named won’t complete the
roll until it knows the new DS is published."
=> What is a parental agent? I don't find this term in the BIND
documentation. From what I understand, you
Hi Carsten.
I've been running split views with a DNSSEC zone using dnssec-policy
for at least a couple of years. I'm using a CSK (i.e. combined KSK+ZSK) and
haven't yet worked out the best way to automate key rollover wrt DS in parent
zone, so my key rollovers are manual currently. Consequently I'
, can BIND be configured to poll a child zone for
CDS/CDNSKEY records, and automatically add corresponding DS records into
a zone that it controls?
If this isn't on the radar already, I'll be happy to submit an
enhancement request?
Thanks,
Nick.
ound the bottom of the zone
(where they are not authoritative), but never in between.
The terminology is a bit confusing, but it boils down to this: The NS
records for the zone must be included in the zone itself, and also in
the parent zone.
Nick.
something that would
work within the inline-signing framework. But perhaps I was being overly
optimistic?
I've decided I'll stick with manual KSK roll-overs for now... :-)
Thanks again.
Nick.
DOMAIN (i.e. same as suggested by Evan Hunt) rather than returning a
bogus IP address.
FWIW I haven't experienced any issues with youtube, so I wonder whether
one of these differences could be the cause of your CPU usage issue?
Nick.
chive.com/bind-users@lists.isc.org/msg28526.html
Just make sure you aren't using an ancient version of BIND! :-)
Nick.
192.0.2.1 key "external.example.com"; };
};
};
The secondary server would need a similar match-clients set-up so that
it associated the notify with the correct view (based on key). And as
I'm sure you know it would also need a "primaries" (or "masters"
th/to/file";
allow-query { any; };
notify no;
};
NB: In all my examples "192.0.2.2" is the primary (master) and
"192.0.2.1" is the secondary (slave).
Nick.
recall that
without these, if the parent zone is DNSSEC-signed and doesn't use the
OPT-OUT feature, then a DNSSEC-validating resolver (e.g. running "delv"
tool) would complain when querying names in the internal zone.)
Nick.
ameter in the SOA record, so that the
secondaries poll the primary more frequently?
Nick.
the sub zone configuration (i.e. from 4.4.4.4)
below. What do the zone stanza in the config file, and the zone file
itself look like?
3. What answer do you get if you try: dig @4.4.4.4 fish.hub soa +norecurse
Nick.
On 10/05/23 16:07, bindu...@thegeezer.net wrote:
Howdy
I'm strug
f working it out for itself?
Nick.
Hi Matthias.
It looks like nobody solved your /original/ problem? If you are
still looking for an answer it might help if you posted some logs? The people
on this list are good at interpreting any errors you're seeing. :-)
Nick.
Original message From: Matthias Fechner
Date:
Hi Dulux-Oz.
It looks like the router between the primary and secondary DNS
servers is performing NAT on the packets it is forwarding between those
subnets? It would make your life much simpler if you can turn that off? I.e. only
NAT packets going out to the Internet/your ISP?
Nick
t specific DS records
are published and/or withdrawn.
Nick.
On 11/09/23 23:52, Björn Persson wrote:
Hello, I'm trying to configure automatic KSK (or CSK) rollover. I'm
confused about how to poll securely for DS records.
Section 5.1.2.1 of the BIND 9 Administrator Reference Manual sa
g-dnssec>/./
Nick.
<https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec>/.
where 12345 and 54321 are the key tags of the successor and
predecessor key, respectively./
Nick.
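An added worked example in Python for the DS-polling discussion above (the editor's code, not from the thread, from ISC or from BIND): given the DNSKEY RDATA of the predecessor and successor KSK, it computes each key's tag and SHA-256 DS the way RFC 4034 specifies and compares them with the DS RRset the parent serves. That is the check to make before telling named with "rndc dnssec -checkds" that a DS is published or withdrawn. The key bytes are constructed filler rather than real keys, and the owner name example.com. is an assumption.

```python
"""Compute the key tag and DS for a DNSKEY and check it against the DS
RRset a parent zone publishes.

Added example, not code from the thread or from BIND.  The key tag is the
RFC 4034 Appendix B checksum (valid for every algorithm except the
obsolete RSAMD5); the DS digest is hash(owner-name-wire || DNSKEY RDATA).
The public-key bytes below are constructed filler, not real keys.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Lower-case hex DS digest. Type 2 = SHA-256 (what named publishes as
    CDS by default), type 4 = SHA-384."""
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """(key tag, algorithm, digest type, digest): the fields a DS RR carries."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def parent_has_ds(parent_ds_rrset, owner: str, rdata: bytes) -> bool:
    """True if any DS in the parent's RRset was derived from this DNSKEY.
    Each DS is a (tag, alg, digest_type, hexdigest) tuple as from ds_record()."""
    tag, alg = key_tag(rdata), rdata[3]
    for ptag, palg, pdtype, pdigest in parent_ds_rrset:
        if ptag != tag or palg != alg or pdtype not in (2, 4):
            continue  # cheap fields first; skip digest types we cannot compute
        if pdigest.lower() == ds_digest(owner, rdata, pdtype):
            return True
    return False


def rollover_status(parent_ds_rrset, owner: str, predecessor: bytes, successor: bytes) -> dict:
    """Where a KSK roll stands from the parent's point of view: the successor
    DS must be visible before 'checkds published', and the predecessor DS
    must be gone before 'checkds withdrawn'."""
    return {
        "successor_published": parent_has_ds(parent_ds_rrset, owner, successor),
        "predecessor_withdrawn": not parent_has_ds(parent_ds_rrset, owner, predecessor),
    }


# Constructed filler keys (assumption): flags 257 = KSK/SEP, protocol 3,
# algorithm 13 = ECDSAP256SHA256.  Real P-256 keys are 64 bytes.
OWNER = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 13, b"\x01\x01\x01\x01")
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    parent = [ds_record(OWNER, OLD_KSK)]           # what the parent serves now
    print(rollover_status(parent, OWNER, OLD_KSK, NEW_KSK))
    parent.append(ds_record(OWNER, NEW_KSK))       # after the registrar adds the new DS
    print(rollover_status(parent, OWNER, OLD_KSK, NEW_KSK))
```

If you fetch the parent's DS set yourself (e.g. with dig +dnssec through a validating resolver, or with delv), pass each record to parent_has_ds() as (tag, algorithm, digest type, hex digest); a digest type the code does not know is skipped rather than trusted.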
't stick around.
I can only assume that the reason you have rumoured state is because you
are trying to roll your ZSK too soon after the previous ZSK rollover?
Have you checked the various timing settings in the KASP definition?
Nick.
On 30/09/23 11:32, Nick Tait via bind-users wrote:
On 2
hen go out to either bind-external or the domain
host's DNS to get the answer from the authoritative servers and then
there is no need to maintain external IPs in bind internal.
TIA,
Nick
their resolver. I was hoping I could set something like
recursion=true in bind-internal and recursion=false on bind-external,
only in my configs for BIND 9.9.6-P1, it is not set at all so I am not
sure how it is configured as authoritative.
Nick
On 2023-11-03 16:01, Andrew Latham wrote:
* T
On 03/11/2023 17:17, Marco M. wrote:
Am 03.11.2023 um 15:51:32 Uhr schrieb Nick Howitt via bind-users:
As this site is externally accessible as well, we also have to put an
identical entry in bind-external so we end up having many identical
entries in bind-internal and bind-external.
It seems
On 03/11/2023 17:54, Marco M. wrote:
Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:
My problem is the use of external IP's duplicated between the
internal and external masters for some IPs/FQDNs which I want to get
rid of.
Implement IPv6 and get rid of the old
On 03/11/2023 18:06, Marco M. wrote:
Am 03.11.2023 um 17:58:51 Uhr schrieb Nick Howitt via bind-users:
On 03/11/2023 17:54, Marco M. wrote:
Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:
My problem is the use of external IP's duplicated between the
internal and ext
tlook for Android <https://aka.ms/AAb9ysg>
From: bind-users on behalf of Nick
Howitt via bind-users
Sent: Friday, November 3, 2023 1:58:51 PM
To: bind-users@lists.isc.org
Subject: Re: How should I configure i
On 03/11/2023 19:30, Marco M. wrote:
Am 03.11.2023 um 19:18:49 Uhr schrieb Nick Howitt via bind-users:
Can the bind-internal not be made to caching only and not
authoritative? If so, how?
Of course it can, simply remove the zone configuration, but it will
then cache the records from the
On 03/11/2023 20:07, Marco M. wrote:
Am 03.11.2023 um 19:54:32 Uhr schrieb Nick Howitt:
How do you mean remove the zone information?
In your /etc/bind are configuration files.
Look for named.conf* and find those that include zones:
zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" {
t
Hi Nick.
Your current set-up sounds like a fairly common configuration. And
depending on your requirements there are a number of options that you
might consider.
But let's start with requirements: I've made some assumptions - please
advise if I've got any of this wrong?:
s
it is almost certainly something that you will have no control over.
E.g. It could be something bogus on a web page that these devices have
all accessed?
Nick.
On 4/11/23 11:30, J Doe wrote:
Hello,
On a Bind 9.18.19 server configured as a recursive resolver, I
sometimes see URL's be
ink I have any chance of pushing this through. Also DNSMasq does not
support replication (but it could be scripted). I could look for other
solutions but I doubt I would get anywhere in the company.
I'll spend some time investigating option F, thanks.
Nick
On 04/11/2023 02:03, Nick Tait
As on other replies, a different internal zone is a huge project for the
company, not a quick win, unfortunately.
On 04/11/2023 08:55, Michael Richardson wrote:
Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
configurations. They were great ideas in 1993, when all
Unfortunately, redesigning the internal zone is way beyond the scope of
what I can do, but thanks for the info.
On 04/11/2023 13:40, Greg Choules wrote:
Hi Nick.
First question, does the internal zone *have* to keep the same name?
As has been said already, this is a fairly common setup done
e?
Anyway, I remembered seeing "ZRRSIGState: rumoured" in your ZSK state
file before you initiated your ZSK roll-over, and so I suspect that all
your issues stem from the fact that not everything was omnipresent
before you initiated the roll-over?
Nick.
On 20/11/2023 1:00 pm, Peter wrote:
It's tricky. One problem is these are slave zones, they are
authoritative and do not work well with DNSSEC.
I'm curious... What issues did you have with these zones and DNSSEC? I
would have expected that the signed zones should just work?
Nick.
rom my configuration, to avoid
potential issues in future versions of BIND?
Thanks,
Nick.
: Thu Dec 07 09:01:33 NZDT 2023
;; MSG SIZE rcvd: 80
I could be wrong, but based on the output above it looks like the
current TTL is 0, which means that doing this should provide immediate
relief.
Add a new DS record once you've fixed your KSK issues.
Nick.
On 7/12/2023 9:05 am, Nick Tait via bind-users wrote:
I could be wrong, but based on the output above it looks like the
current TTL is 0, which means that doing this should provide immediate
relief.
Sorry it looks like the DNS server on the Wi-Fi network I'm connected to
has done some
have been many improvements in BIND's support for DNSSEC
over the last few years, so if this is a server that you've inherited,
it is probably worth reviewing the DNSSEC configuration options to see
if it can be improved?
Nick.
ng dnssec-policy you
should be able to change the algorithm and Bind should do a graceful roll-over?
Just make sure everything is “omnipresent” in your state files (in the keys
directory) first.
Nick.
understand (and agree) that this behaviour makes the most sense,
given my confusion based on the documentation, I wonder if the
documentation could be made clearer? E.g. Add the sentence: "In the case
where the primaries option specifies a TSIG key, it is not necessary for
the received NOTI
ll-overs,
you may need to run rndc commands to tell BIND when DS records are
added/removed -- but that is possibly what you already do with auto-dnssec?
Of course in life there are no absolute guarantees, so you should back
up your configuration and make a plan to mitigate the impacts in the
rts of the network to resolve the unqualified name
"firewall1" differently. E.g. If you "ssh firewall1" from a management
host it could expand that to firewall1./management/.example.com?
Nick.
On 02/03/2024 11:36, Greg Choules wrote:
Please don't encourage using "search" in resolv.conf or the Windows
equivalent. Search domains make queries take longer, impose
unnecessary load on resolvers and make diagnosis of issues harder
because, when users say "it doesn't work" you have no idea w
"|
I couldn't help noticing that when you ran dnssec-dsfromkey you
referenced this directory: /usr/home/dns/Fixed
Nick.
ce(s) and then rerun your test?
If you have just a single process listening on port 53, then I'd suggest
using "tail -f" to watch your BIND logs (or syslog?) while you are
running your test, to see what is going on from the recursive resolver's
point of view? Hopefully you'
:
22.1.10.168.192.rpz-ip IN CNAME .
Thanks,
- J
Hi J.
Yes, you can specify a CIDR network length that isn't on an 8-bit boundary.
In your example the /22 network address for 192.168.10.1 is actually
192.168.8.0, so you'd specify:
22.0.8.168.192.rpz-ip IN CNAME .
Nick.
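An added worked example in Python for the rpz-ip question above (the editor's code, not from the reply or from BIND): it builds the owner names BIND's RPZ uses to match addresses by CIDR prefix, normalising the address to the network address as the reply explains, and it parses them back so that an owner with host bits set (the form in the question) is flagged instead of silently never matching. IPv4 only; the zone-file lines it prints use the standard RPZ CNAME targets.

```python
"""Build and check the rpz-ip owner names used by BIND Response Policy
Zones to match addresses by CIDR prefix (IPv4 only here).

Added example for this thread, not code from the reply or from BIND.
It encodes the rule given above: the trigger must carry the network
address, so 192.168.10.1/22 is written 22.0.8.168.192.rpz-ip, not
22.1.10.168.192.rpz-ip (which never matches anything).
"""
import ipaddress

# Owner suffixes BIND's RPZ understands (answer IP, client IP, nameserver IP)
# and the CNAME targets for the common actions.
SUFFIXES = ("rpz-ip", "rpz-client-ip", "rpz-nsip")
ACTIONS = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru.",
           "drop": "rpz-drop.", "tcp-only": "rpz-tcp-only."}


def rpz_ip_owner(cidr: str, suffix: str = "rpz-ip") -> str:
    """<prefixlen>.<o4>.<o3>.<o2>.<o1>.<suffix> for an IPv4 CIDR.

    strict=False accepts a host address with a prefix (the form in the
    question) and clears the host bits, which is what the trigger needs.
    """
    if suffix not in SUFFIXES:
        raise ValueError(f"unknown RPZ suffix {suffix!r}")
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + f".{suffix}"


def parse_rpz_ip_owner(owner: str) -> ipaddress.IPv4Network:
    """Inverse of rpz_ip_owner; accepts a relative owner or one with the
    policy zone name appended.  strict=True on purpose: an encoded address
    with host bits set (22.1.10.168.192.rpz-ip) is the mistake from the
    question, and it raises ValueError instead of returning a network."""
    labels = owner.rstrip(".").split(".")
    if len(labels) < 6 or labels[5] not in SUFFIXES:
        raise ValueError(f"not an IPv4 rpz-ip owner: {owner!r}")
    prefixlen = int(labels[0])
    address = ".".join(reversed(labels[1:5]))
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=True)


def rpz_record(cidr: str, action: str = "nxdomain", suffix: str = "rpz-ip") -> str:
    """One policy-zone line, e.g. '22.0.8.168.192.rpz-ip IN CNAME .'."""
    return f"{rpz_ip_owner(cidr, suffix)} IN CNAME {ACTIONS[action]}"


if __name__ == "__main__":
    print(rpz_record("192.168.10.1/22"))                       # NXDOMAIN for answers in 192.168.8.0/22
    print(rpz_record("10.0.0.0/8", "passthru", "rpz-client-ip"))  # exempt internal clients
    print(parse_rpz_ip_owner("22.0.8.168.192.rpz-ip"))
```

Running parse_rpz_ip_owner() over the owners in an existing policy zone is a quick way to find triggers that were written with a host address and therefore never fire.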
specific recursive resolver. See:
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-type%20forward
Nick.
e link), or the email below is bogus
and they have exploited the list MTA to distribute spam?
Can anyone shed any light on this? Happy to share all the mail headers
if that helps?
Thanks,
Nick.
On 07/06/2024 04:19, gustavojavi...@gmail.com wrote:
Hi Nick Tait via bind-users,
A new MDLZ a
the mailing list archive:
https://www.mail-archive.com/bind-users@lists.isc.org/msg34359.html
Ged, I'll forward the email headers to you privately, but I trust you'll
find that they support the explanation offered below.
Thanks again everyone who took the time to respond. :-)
Nick.
"resolvectl status" to see current settings.
Thanks,
Nick.
On 23/04/22 03:50, Ondřej Surý wrote:
I think you also might want to mask the service:
https://fedoramagazine.org/systemd-masking-units/
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be differen
an anybody please give an example to explain what
this is trying to say?
Thanks,
Nick.
On 1/05/2022 9:13 pm, Reindl Harald wrote:
Am 01.05.22 um 06:38 schrieb Nick Tait via bind-users:
I'm not 100% sure, but I wonder if disabling systemd-resolved may
create issues if, for example, you are using netplan with
systemd-networkd as the renderer? E.g. Will it still be possib
oid statements like "no matter what" because it
makes an assumption that everyone has the same goal.
Nick.
've done that, run "sudo rndc reload" on the primary DNS
server for the zone (or alternatively restart BIND), and see if that
makes a difference?
Nick.
suggested that you add that address to your zone file?
My suggestion was to simply update the SOA serial number.
Nick.
sounds like exactly the sort of use case for Response Policy Zones:
https://bind9.readthedocs.io/en/v9_18_2/reference.html#response-policy-zone-rpz-rewriting
Nick.
On 13/05/22 09:02, Grant Taylor via bind-users wrote:
On 5/12/22 2:41 PM, Nick Tait via bind-users wrote:
This sounds like exactly the sort of use case for Response Policy Zones:
How are you going to have RPZ return different addresses for different
clients? Are you suggesting use different
his: Is it expected that the DSState won't change
until 26 hours after the "rndc dnssec -checkds published" command is
run? And if so why does it take so long?
Thanks,
Nick.
y configuration management by
means of a single set of data which can be deployed to all
authoritative servers - I don't think the RPZ solution proposed by
Nick achieves that.
That being said, can RPZ-CLIENT-IP be a subnet? I don't think it can.
Hi Angus.
Thanks for clarifying. Based on
On 16/05/22 21:34, Matthijs Mekking wrote:
Hi Nik,
On 16-05-2022 07:49, Nick Tait via bind-users wrote:
Hi there.
Ever since I updated my BIND configuration to use the new
dnssec-policy feature (a year or so ago) my KSK/CSK rollovers have
been a complete shambles. My problems stem from the
've got that wrong?
Thanks,
Nick.
DNSSEC=yes
DNSStubListener=no
After editing the configuration run "sudo systemctl restart
systemd-resolved".
Nick.
nd if so try turning that function
off to see if the problem goes away?
Nick.
Original message
From: salma smaoui
Date: 22/09/22 11:18 PM (GMT+12:00)
To: bind-users@lists.isc.org
Subject: Dnssec issues
Hello All,
We are facing some resolution problems on a CENTOS resolver t
validation doesn't occur. i.e. The behaviour
you described above is how it is supposed to work.
Nick.
file "db.drop.ip.dtq";
primaries { deteque-primary; };
notify explicit;
also-notify { nick-secondary-deteque; };
allow-transfer { nick-nameservers-private; };
allow-query { nick-nameservers-private; loopback-net
16
aren't the same, what is the actual problem you are trying to solve?
i.e. Why does it matter if the A record is or isn't returned in a
/non-recursive/ query for "spectrum.cern.ch"?
Nick.
On 28/10/22 01:28, Veronique Lefebure wrote:
Well,
So here a bit more details.
Sorry,
wever the obvious drawback of this approach would seem to be that the
resolver will only check one of the parent NSs for the DS record,
whereas if you explicitly specify all the NSs in parental-agents, then
they all get checked?
Nick.
ecursive query includes the AD flag (but
not the AA flag).
It could actually work without the static-stub zone, but I prefer to
keep this to stop the /resolver/ view from sending the queries to a
different (authoritative) server.
Nick.
type master;
file "db.test.com";
};
I would like to have DNSSEC active on both domains, but since they are
sharing a file, Bind complains about it.
If you are using Linux, I'd suggest looking at using filesystem links so
that you can have separate files that share the same c
or all records, and/or the negative response caching TTL (5th
parameter in the SOA record)?
Nick.
On 3/11/2024 11:28 pm, Hans Mayer via bind-users wrote:
Dear All,
I am running BIND 9.18.32-dev (Extended Support Version)
running on Linux x86_64 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Deb
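An added worked example in Python serving two of the SOA questions in this thread (the editor's code, not from the thread or from BIND): the one about secondaries polling the primary via the SOA refresh parameter, and the one above about the negative response caching TTL in the SOA's fifth parameter. It parses an SOA line as dig prints it, reports the secondary-side timers, and computes the negative-cache lifetime per RFC 2308 section 5 (min of the SOA TTL and SOA MINIMUM), capped by BIND's max-ncache-ttl, which is assumed to be at its documented default of 10800 s. The sample SOA line is constructed and the sanity checks are common rules of thumb, not BIND requirements.

```python
"""Parse an SOA record as dig prints it and derive the timers behind two
questions in this thread: how often secondaries poll the primary
(REFRESH/RETRY/EXPIRE) and how long resolvers cache a negative answer.

Added example, not code from the thread or from BIND.  Negative caching
follows RFC 2308 section 5: NXDOMAIN/NODATA are cached for
min(SOA TTL, SOA MINIMUM); a BIND resolver additionally caps that at
max-ncache-ttl (assumed default 10800 s; pass your own if named.conf
sets it).  The sanity checks are rules of thumb, not protocol rules.
"""
from dataclasses import dataclass

MAX_NCACHE_TTL_DEFAULT = 10800  # assumption: BIND's default max-ncache-ttl (3 h)


@dataclass(frozen=True)
class SOA:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(line: str) -> SOA:
    """Accept 'owner ttl [IN] SOA mname rname serial refresh retry expire minimum',
    i.e. the dig presentation format with or without the class field."""
    f = line.split()
    if "SOA" not in f:
        raise ValueError("not an SOA presentation line")
    i = f.index("SOA")
    if i < 2 or len(f) < i + 8:
        raise ValueError("SOA needs owner, ttl, mname, rname and five timers")
    owner, ttl = f[0], int(f[1])
    mname, rname = f[i + 1], f[i + 2]
    serial, refresh, retry, expire, minimum = (int(x) for x in f[i + 3:i + 8])
    return SOA(owner, ttl, mname, rname, serial, refresh, retry, expire, minimum)


def negative_cache_ttl(soa: SOA, max_ncache_ttl: int = MAX_NCACHE_TTL_DEFAULT) -> int:
    """Seconds a BIND resolver keeps an NXDOMAIN/NODATA for names in this zone."""
    return min(soa.ttl, soa.minimum, max_ncache_ttl)


def secondary_timers(soa: SOA) -> dict:
    """What a secondary does with the SOA: poll every REFRESH s (sooner if a
    NOTIFY arrives), retry a failed poll every RETRY s, and stop serving the
    zone EXPIRE s after the last successful check."""
    return {"poll_every": soa.refresh, "retry_after": soa.retry,
            "serve_stale_for": soa.expire}


def soa_sanity(soa: SOA) -> list:
    """Rules of thumb that explain most 'my secondaries are stale' reports."""
    warnings = []
    if soa.retry >= soa.refresh:
        warnings.append("RETRY should be shorter than REFRESH")
    if soa.expire <= soa.refresh + soa.retry:
        warnings.append("EXPIRE should comfortably exceed REFRESH + RETRY")
    if soa.minimum > 86400:
        warnings.append("MINIMUM above one day makes NXDOMAIN linger in caches")
    return warnings


# Constructed sample, in the form `dig example.com soa` prints it.
SAMPLE = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
          "2024110301 7200 900 1209600 300")

if __name__ == "__main__":
    soa = parse_soa(SAMPLE)
    print(secondary_timers(soa))
    print("negative answers cached for", negative_cache_ttl(soa), "s")
    print(soa_sanity(soa) or "SOA timers look sane")
```

Note that lowering MINIMUM alone does not help if the SOA record's own TTL is the larger value, and that a resolver's max-ncache-ttl can silently shorten whatever the zone asks for; the function takes both into account.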