RFC7344 (was: Funky Key Tag in AWS Route53 (2))

2022-12-29 Thread Peter
On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote: ! (Manual processes ! are error-prone.  That getting registrars to adopt CDS/CDNSKEY - RFC7344 - ! has been so slow is unfortunate.) Seconded. Do You have information about this moving at all? Because to me it looks very much like dead

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2))

2022-12-30 Thread Peter
On Thu, Dec 29, 2022 at 03:43:35PM -0500, Timothe Litt wrote: ! So much like DNSSEC itself, the technology is there, but the will to use it ! everywhere it's needed is not. Timothy, thank You for the update. I agree to Your viewpoints, and we have seen mostly the same with IPv6. Apparently it nee

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Peter
On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote: ! I am planning on implementing the current version of BIND to replace the ! aging, undocumented authoritative servers I inherited. I want to hide the ! primary server on our internal network and have two secondary servers be ! publicly availabl

Re: dnstab-read with detailed information

2023-03-15 Thread Peter
On Wed, Mar 15, 2023 at 09:34:40PM +, MAYER Hans wrote: ! ! ! Dear All, ! ! dnstab is a great feature to analyse the details what’s going on. But I think there is room for improvement. ! ! I write the data to a file and once a day I do a log rotate. ! With "dnstab-read FILE | grep IP“ I ge

Re: How to make SRV records work with caching resolvers?

2023-06-07 Thread Peter
Hi, In July last year I asked about a problem with an IP telephone mis-handling the DNS responses (and got the clear answer that the telephone is to blame). I quote my original message here: On Wed, Jul 13, 2022 at 01:06:13PM +0200, Peter wrote: ! My Telco has removed the A record for their

Re: Stub zones, but secondary?

2023-11-19 Thread Peter
ke this. ! ! I'm wondering whether there's a more elegant way. Like "secondary-hint" zones. ! Have I overlooked something? Maybe. As You can see, it can be done, but it's a bit weird - I got the fancy that I want to have all six-way in one running image. ;) (Originally I just

Re: Stub zones, but secondary?

2023-11-20 Thread Peter
On Mon, Nov 20, 2023 at 03:30:13PM +1300, Nick Tait via bind-users wrote: ! On 20/11/2023 1:00 pm, Peter wrote: ! > It's tricky. One problem is these are slave zones, they are ! > authoritative and do not work well with DNSSEC. ! ! I'm curious... What issues did you have with

XFR killed by security

2024-03-04 Thread Peter
Hi folks, a few days ago I apparently lost the beneficence of my zone feeds, and XFR started to get into timeout. Looking at the usual culprits I then found this: DNS Response containing multiple DNSSEC RRSIG Entries (Algorithm 14) - Possible CVE-2023-50387 Activity [Classification: De

Re: XFR killed by security

2024-03-04 Thread Peter
On Mon, Mar 04, 2024 at 03:43:48PM +0100, Ondřej Surý wrote: ! > On 4. 3. 2024, at 14:55, Peter wrote: ! > ! > I don't find it really surprising that XFR would contain "multiple ! > RRSIG entries". ! ! Unfortunately, this is obviously surprising to the vendor of the s

Re: Switching from rhel base 9.16 to 9.18 copr

2024-05-05 Thread Peter
On Sun, May 05, 2024 at 06:15:13PM +0200, Luca vom Bruch via bind-users wrote: ! Hello, ! ! I use bind (stock from alma 9.3) as a nameserver for a webhosting server ! with webmin/virtualmin. ! ! If I install BIND via copr (RHEL9 and derivatives only offer 9.16 instead of ! 9.18 - I want to experi

CNAME and IPv6

2024-05-28 Thread Peter
Hello, if I understand correctly, the use of CNAME is just a convenience and no technical feature, right? In lots of examples on the net, a zonefile for a domain might contain things similar to this: @ORIGIN example.com. .. myhost A1.2.3.4 www CNA

Re: CNAME and IPv6

2024-05-28 Thread Peter
On Tue, May 28, 2024 at 12:25:03PM +0200, Marco Moock wrote: ! Am 28.05.2024 um 12:00:09 Uhr schrieb Peter: ! ! > if I understand correctly, the use of CNAME is just a convenience ! > and no technical feature, right? ! ! It is technical because the query is redirected to the domain lis

Re: CNAME and IPv6

2024-05-28 Thread Peter
On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock wrote: > Am 28.05.2024 um 18:48:38 Uhr schrieb Peter: > > > On Tue, May 28, 2024 at 12:25:03PM +0200, Marco Moock wrote: > > > > > Now we add an IPv6 address for 'myhost'. But portforwarding > >

Re: CNAME and IPv6

2024-05-29 Thread Peter
On Wed, May 29, 2024 at 12:20:09PM +0200, Matus UHLAR - fantomas wrote: ! > On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock wrote: ! > > rinetd manages 2 separate connections and should work with PMTUD. ! ! On 28.05.24 22:17, Peter wrote: ! > I'm wondering how it would. Th

qname minimization: me too :(

2024-06-19 Thread Peter
rvers" happen to be some of my own? What do I do then? Because I've seen through the proceedings, and I do not yet see the error. cheerio, Peter

Re: qname minimization: me too :(

2024-06-19 Thread Peter
On Wed, Jun 19, 2024 at 10:33:41PM +0200, Stephane Bortzmeyer wrote: ! On Wed, Jun 19, 2024 at 10:15:48PM +0200, ! Peter wrote ! a message of 32 lines which said: ! ! > today I happened to look into a named.log, and found it full of ! > qname minimization messages. ! ! Which message?

Re: qname minimization: me too :(

2024-06-21 Thread Peter
, different view), and> ! > that one basically says, this is bogus. ! > ! > Case 3: ! > --- ! > Jun 19 18:28:48 conr named[24481]: lame-servers: ! >info: success resolving ! > '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.1.0.0.3.2.f.1.0.7.4.0.1.0.0

Re: qname minimization: me too :(

2024-06-24 Thread Peter
On Fri, Jun 21, 2024 at 04:58:55PM +0200, Stephane Bortzmeyer wrote: ! On Fri, Jun 21, 2024 at 07:03:14AM +, ! Michael Batchelder wrote ! a message of 59 lines which said: ! ! > You'll need to fix these zones so that the response is NOERROR rather than NXDOMAIN. ! ! Yes and, if

Re: qname minimization: me too :(

2024-06-25 Thread Peter
On Tue, Jun 25, 2024 at 07:00:51AM +1000, Mark Andrews wrote: ! It’s just a false positive when the result is NXDOMAIN. Because > people forget to put delegating NS records in parent zones when both > are served by the same server the lookups continue on NXDOMAIN. There > is an issue to address thi

Re: qname minimization: me too :(

2024-06-25 Thread Peter
On Tue, Jun 25, 2024 at 04:41:54PM +0200, Stephane Bortzmeyer wrote: ! On Tue, Jun 25, 2024 at 04:22:40PM +0200, ! Peter wrote ! a message of 16 lines which said: ! ! > Jun 25 16:18:31 conr named[4725]: lame-servers: ! >info: success resolving 'bar.foo.isc.org/A'

bind918 malfunction?

2024-09-05 Thread Peter
I have complaints about network malfunction. From the logs I can see that a device which always regained network access within ~40 seconds, now takes 1-2 hours to recover, and this happening almost daily. There is a possible alignment between the start of the malfunction and an upgrade from 9.16 t

Re: bind918 malfunction?

2024-09-05 Thread Peter
On Thu, Sep 05, 2024 at 07:05:29PM +0200, Ondřej Surý wrote: ! It’s impossible to answer your question as you haven’t provided ! absolutely no information about your problem. Perhaps if you provide ! detailed information about nature of the problem, your DNS ! configuration, and your network config

Re: bind918 malfunction?

2024-09-06 Thread Peter
This one was accidentally not sent to the list, sorry! On Thu, Sep 05, 2024 at 08:04:37PM +0200, Ondřej Surý wrote: ! I’m on my phone, so this is a long shot, but you can try disabling the qname minimization. Thank You for the suggestion, I can try this occasionally. Rather I'd prefer to figure

Re: bind918 malfunction?

2024-09-06 Thread Peter
On Fri, Sep 06, 2024 at 12:55:20PM -0400, Bob Harold wrote: ! Recently (2024/9/21) I ran into an issue that might be similar. Due to ! DDoS attacks that use complicated lookups to make DNS servers do extra ! work, to slow them down, some recent DNS server software has tightened the ! amount of 'wo

Re: bind918 malfunction?

2024-09-06 Thread Peter
On Fri, Sep 06, 2024 at 08:05:18PM +0200, Ondřej Surý wrote: ! Try using running `named -d 9 (plus other existing args)` to see why there are 31+ queries. There must be something wonky going on. ! Alright. "-d 9" does nothing. Changing the named.conf does something: channel named_log {

Re: bind918 malfunction?

2024-09-06 Thread Peter
On Fri, Sep 06, 2024 at 09:12:51PM +0200, Ondřej Surý wrote: ! Now the question remains - why? I don’t really see a reason for this ! behavior from where I tested it, so what is the traffic between your ! recursor and the Internet during the time this happens? Well, I can see why - but I don't kno

How to create a fake root server?

2014-03-12 Thread Peter
e "xxx.loc, yyy.loc, zzz.loc". 1 server for the .loc root 3 servers for xxx.loc (server1), yyy.loc (server2), zzz.loc (server3) Running BIND 9 at every server. Any suggestions or good links are highly appreciated. Best regards, Peter __

Re: How to create a fake root server?

2014-03-13 Thread Peter
ver with Bind. I haven't found any useful examples at the web yet. It's for a school project. Regards, Peter On 12/03/14 19:56, Kevin Darcy wrote: First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and fo

Re: How to create a fake root server?

2014-03-13 Thread Peter
hey will use their own internal DNS server for lookups. All servers are on the same 172.16.0.x network. What am I doing wrong here? Sincerely, Peter On 13/03/14 11:10, Mark Andrews wrote: In message <53216b43.8040...@gmail.com>, Peter writes: Hi Kevin, Thanks for your reply. It

Without IPv6 half of the queries yield SERVFAIL

2021-08-05 Thread Peter
Hi all, first off: I do not have IPv6 physical connectivity yet, but I would like to run a nameserver nevertheless. Sadly, it seems that without IPv6 connectivity, half of the queries fail, in a random fashion. There is no clue in the logfile about any reason for this behaviour, only so much

Re: Without IPv6 half of the queries yield SERVFAIL

2021-08-05 Thread Peter
On Thu, Aug 05, 2021 at 11:53:35PM +0200, Peter wrote: ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206, ! marking all IPv6 addrs as bogus, but it does not make a difference in ! behaviour. Update: Actually there is a difference if this recommended configuration is present

Re: Without IPv6 half of the queries yield SERVFAIL

2021-08-06 Thread Peter
On Fri, Aug 06, 2021 at 07:22:32AM +0200, sth...@nethelp.no wrote: ! > ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206, ! > ! marking all IPv6 addrs as bogus, but it does not make a difference in ! > ! behaviour. ! > ! > Update: Actually there is a difference if this recomme

Failure from rate-limit

2021-08-11 Thread Peter
Hi, my servers fail to query the upstream servers with these errors: rate-limit: debug 99: rrl=0x0, HAVECOOKIE=0, result=DNS_R_SERVFAIL, fname=0x8027a5450(0), is_zone=0, RECURSIONOK=1, query.rpz_st=0x0(0), RRL_CHECKED=0 The operator of the upstream servers says it is due to a configuration mis

ERROR: Failed to create fetch for DNSKEY update

2021-11-14 Thread Peter
Hi all, I continuously happen to see this message: > local0.warn named[2291]: > dnssec: warning: managed-keys-zone: Failed to create fetch for DNSKEY update I see it on different nameservers, at different sites, with and without views, with and without IPv6, and I see it every time when named

Re: ERROR: Failed to create fetch for DNSKEY update

2021-11-15 Thread Peter
On Mon, Nov 15, 2021 at 09:14:19AM +0100, Ondřej Surý wrote: ! > On 15. 11. 2021, at 3:41, Peter wrote: ! > ! >

Found the bug (was: ERROR: Failed to create fetch for DNSKEY update)

2021-11-19 Thread Peter
Hija, I finally found the cause of the error! As soon as I stop slaving the root-zones and instead use the (configured or compiled-in) hint-file, the error stops. The actual error-condition (zone is not loaded) then becomes obvious, because this RFC-5011 action happens very early, before any

Re: Found the bug (was: ERROR: Failed to create fetch for DNSKEY update)

2021-11-21 Thread Peter
On Sun, Nov 21, 2021 at 06:51:13PM +0100, Sten Carlsen wrote: ! As far as I am aware - and what I have always done - the normal | thing to do is to use a hints file. Lately the hints are built-in, | so nothing is really needed. Ah. Well, I have here a named.conf.sample file that comes with the dis

Bugfix: missing line in message.c

2022-06-01 Thread Peter
Hi, this is broken in 916 (and apparently 918 also). Consequentially, output from dnstap gets unreadable (invalid YAML) when using dynamic zone updates. PATCH --- lib/dns/message.c.orig 2022-05-10 11:02:21.0 +0200 +++ lib/dns/message.c 2022-

Re: Bugfix: missing line in message.c

2022-06-05 Thread Peter
On Thu, Jun 02, 2022 at 08:23:27AM +1000, Mark Andrews wrote: ! Thanks. ! ! INDENT is being addressed. ! ! Can you add an issue on https://gitlab.isc.org/ for the view name in dnstap? Bad luck for me, my login does actually work there - so I probably have to... ;) Done, it says #3391. -- PMc

IPv6 scoped address disambiguation

2022-06-16 Thread Peter
Hi @all, the reference manual says something about scoped ipv6 addresses, so I might assume they are understood and usable. But maybe either I did misunderstand something, or something is wrong here: My configuration: listen-on-v6 port 53{ fe80::2%lo0;

How to make SRV records work with caching resolvers?

2022-07-13 Thread Peter
My Telco has removed the A record for their VoIP server, and now has only SRV data there - which seems not to work properly. The SRV data contains various services (SIP via UDP, TCP, secure TCP, whatever), and these get individual expiry counters in the caching resolver. So when a telephone send

Re: How to make SRV records work with caching resolvers?

2022-07-13 Thread Peter
On Wed, Jul 13, 2022 at 09:22:17PM +1000, Mark Andrews wrote: ! The client is supposed to lookup missing address records. Now that's clear and short. Thank You very much, Mark! ! Complain to the supplier of the phone that they have a defective product. I still have to see a linux plastic box wit

Re: How to make SRV records work with caching resolvers?

2022-07-25 Thread Peter
again. (Obviously there can be many other reasons for a temporary outage.) The plan is now to put this on hold until it appears at annoying daytimes again, and ideally obtain a kind of VoIP-proxy or PBX to put in between. -- PMc ! > On 13. 7. 2022, at 13:18, Peter wrote: ! > ! >  ! > My Telc

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote: ! You can get the AD flag set, with a bit of extra work.  I've done this for ! years. Thanks for Your message, Timothe. After investigating the matter, I had figured out a similar approach - but didn't know if this is a recommended or

Re: bind-users Digest, Vol 4031, Issue 3

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote: ! ! On 02-Aug-22 11:09, bind-users-requ...@lists.isc.org wrote: ! ! > | Before your authoritative view, define a recursive view with the internal ! > ! zones defined as static-stub, match-recursive-only "yes",  and a ! > ! server-addre

Re: Stopping ddos

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 11:16:15PM +0200, Michael De Roover wrote: ! For my servers I'm using iptables rules to achieve ratelimiting. They ! look as follows: ! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent -- ! update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.2

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-03 Thread Peter
On Tue, Aug 02, 2022 at 02:04:22PM -0400, Timothe Litt wrote: ! On 02-Aug-22 13:18, Peter wrote: ! > On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wr

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-03 Thread Peter
On Wed, Aug 03, 2022 at 04:49:35PM +1000, Mark Andrews wrote: ! Additionally authoritative servers for a zone are supposed to answer queries with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED is the wrong answer of the query name involves zones you serve. Only if you a

Re: DNSSEC adoption

2022-08-03 Thread Peter
I see a two-fold issue with DNSSEC: 1. The wide-spread tutorials seem to explain a key rollover as an exceptional activity, a *change* that is infrequently done. And changes, specifically the infrequent ones, bring along the possibility of failure, mostly due to human error. I don't s

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 12:27:25PM +0200, Borja Marcos wrote: ! I am not sure this is intended behavior, or maybe I should file a bug. ! ! I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using ! dnstap-go. ! ! I have configured

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! My testing did not uncover anything problematic. ! ! Versions: ! fstrm 0.6.1-1 ! protobuf 21.5-1 ! protobuf-c 1.4.1-1 ! ! ! A procedure which works: ! - start BIND configured with ! options { ! dnstap { all; }; ! dnstap-o

Re: Question about dnstap

2022-09-13 Thread Peter
On Tue, Sep 13, 2022 at 12:24:15PM +0200, Petr Špaček wrote: ! On 12. 09. 22 15:49, Peter wrote: ! > On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! > ! My testing did not uncover anything problematic. ! > ! ! > ! Versions: ! > ! fstrm 0.6.1-1 ! > ! protobuf 21.5-

named 9.14.6 memory leak, cannot start

2019-10-15 Thread Peter
When starting named 9.14.6, before doing any activity it immediately grows infinitely, hits the system limits and crashes with: > mem.c:710: fatal error: > malloc failed: Cannot allocate memory > exiting (due to fatal error in library) Version 9.14.3 does not have this memory leak and runs flaw

Re: named 9.14.6 memory leak, cannot start

2019-10-16 Thread Peter
On Wed, Oct 16, 2019 at 12:27:39PM +0200, Ondřej Surý wrote: ! Hi Peter, ! ! we had a similar report in the past, Ah, that's a good message! ! so maybe you can chime in and add ! the information to the issue here https://gitlab.isc.org/isc-projects/bind9/issues/1179 ? Okay, done. Fu

Re: FYI: FreeBSD: upgrade to protobuf-c 1.4.1_6 breaks dig

2024-10-14 Thread Peter
On Mon, Oct 14, 2024 at 06:10:20AM -0700, Steve Rikli wrote: ! On Mon, Oct 14, 2024 at 07:19:06AM +0200, Peter wrote: ! > On Sun, Oct 13, 2024 at 10:55:52PM +0100, Niall O'Reilly wrote: ! > ! FYI only. I've submitted a [bug report][] to the FreeBSD Bugzilla. ! > ! > ! Afte

Re: FYI: FreeBSD: upgrade to protobuf-c 1.4.1_6 breaks dig

2024-10-13 Thread Peter
On Sun, Oct 13, 2024 at 10:55:52PM +0100, Niall O'Reilly wrote: ! FYI only. I've submitted a [bug report][] to the FreeBSD Bugzilla. ! After upgrading to 1.4.1_6, I see: ! ! ``` ! grab(maint)$ uname -a ! FreeBSD grab.no8.be 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64 ! grab(maint)$ pkg

Re: FYI: FreeBSD: upgrade to protobuf-c 1.4.1_6 breaks dig

2024-10-14 Thread Peter
On Mon, Oct 14, 2024 at 11:26:58AM +0100, Niall O'Reilly wrote: ! On 14 Oct 2024, at 6:19, Peter wrote: ! ! > I cannot reproduce: ! ! Thanks. I've been made aware, off list, of people who can. Interesting. I for my part do normally not link dig against protobuf at all: $ pkg in

BIND Process failed during logrotate

2023-03-22 Thread White, Peter
I had the named process fail this past weekend on two secondaries running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13. It seems that logrotate.d is calling the following script at the time of the failure. /var/named/data/named.run { missingok su named named create 0644 named named

Re: Unable to upgrade BIND v9.19.11 on Ubuntu without error

2023-07-11 Thread Peter Davies
Hi Richard, FYI: The BIND 9.19.12 Release Notes contain the following: Removed Features ... Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been removed. Using them is a configuration error. ... Kind Regards Peter

Re: occasional SERVFAIL error

2024-02-29 Thread Peter Davies
7200 3600 604800 86400 Nameserver 2001:67c:1bd4:8080::10: jiscd.sk has SOA record ns1.gov.sk. gov.sk. 2024022800 7200 3600 604800 86400 Nameserver 195.49.191.162: jiscd.sk has SOA record ns1.gov.sk. gov.sk. 2024022800 7200 3600 604800 86400 Kind Regards Peter On 29/02/2024 15.20

named 100% utilization

2024-04-30 Thread Peter Carlson
}; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; include "/var/lib/samba/bind-dns/named.conf"; }; view vpn { match-clients { vpn; };

bind_dlz and views and samba

2024-05-15 Thread Peter Carlson
ther DNS and setup views there, but that doesnt work either as all requests now come from IP of the DC and so the ACLs wont match. Any ideas how I can accomplish this? Peter

Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread Peter Andreev
2012/2/9 John Hascall > > > Questions: > > (1) It looks to me like if the ghost name is in our >DNS RPZ zone, then that 'fixes' the problem for >that name. Is this correct? > Ghost domain could be redelegated to a new owner and become absolutely legal. > > (2) It also looks like resta

Re: Anycast DNS

2012-02-29 Thread Peter Andreev
2012/3/1 Beavis > Just want to piggy back on this topic is there any documentation > available online that shows a deployment guideline for Anycast? > > -beavis > What about RFC 4786? > On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari wrote: > > > > On Feb 29, 2012, at 11:00 AM, Todd Snyder wr

Re: "rndc reconfig" vs. "rndc reload"

2012-03-16 Thread Peter Andreev
2012/3/16 Mark Pettit > I've read carefully through the BIND ARM and am still not sure of the > answer to this, so I figured I'd ask on here. > > "rndc reconfig" causes BIND to re-load its config file, but unlike "rndc > reload", BIND will not scan the zone files it's mastering to see if there >

Re: reverse dns for IPV6 ranges

2012-03-19 Thread Peter Andreev
2012/3/19 hugo hugoo > Jay, > > - Can you give me an example of such configuration? > > > > As anyone else some examples of IPV6 reverse configuration used in > production environment? > > Thanks for sharing your experience... > > Hugo, > We use IPv6 in production environment. It was a real hea

Re: reverse dns for IPV6 ranges

2012-03-20 Thread Peter Andreev
2012/3/20 michoski > On 3/19/12 11:58 AM, "Peter Andreev" wrote: > > 2012/3/19 hugo hugoo > >> Jay, > >> > >> - Can you give me an example of such configuration? > >> > >> As anyone else some examples of IPV6 reverse configu

Re: slave not updating or creating ofd zone files

2012-03-28 Thread Peter Andreev
2012/3/29 RYAN M. vAN GINNEKEN > Hello all i have what is to me a very strange bind 9 master slave transfer > issue. > > When i update a zone file on the master the file updates correctly the > notifies are sent and every thing seems to work perfectly except it > transfers 0 bytes to the slave.

Re: slave not updating or creating ofd zone files

2012-03-28 Thread Peter Andreev
2012/3/29 Peter Andreev > > > 2012/3/29 RYAN M. vAN GINNEKEN > >> Hello all i have what is to me a very strange bind 9 master slave >> transfer issue. >> >> When i update a zone file on the master the file updates correctly the >> notifies are sent and

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
Hi, First of all, nslookup isn't a good tool for debugging DNS problems. Use dig instead. Could you show the output of "dig @freebsdbox sokol.msk.united-networks.ru. NS +norec" run from freebsd box itself? 2012/4/19 Ellad G. Yatsko > > Hello! >> >>I have FreeBSD 7.2 x64 installed. And Bin

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
2012/4/19 Ellad G. Yatsko > Hello! > Here is output: > /etc/namedb> dig @172.16.0.1 sokol.msk.united-networks.ru. NS +norec > > ; <<>> DiG 9.4.3-P2 <<>> @172.16.0.1 sokol.msk.united-networks.ru. NS > +norec > ; (1 server found) > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- op

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
2012/4/19 Ellad G. Yatsko > Nope. FreeBSD is not the master for sokol.msk.united-networks.ru. It > delegates zone sokol.msk only. > Not more.Master for sokol.msk.united-networks.ru is > srvgate.sokol.msk.united-networks.ru (Ubuntu > server). > > Indeed, now when I try nslookup sokol.msk.united-n

Re: Can I build a new DNS/BIND system parallel to our existing DNS production system?

2012-05-03 Thread Peter Andreev
Hello, Samad, Another way to estimate your query rate is using the system's UDP counters. Not as precise as query logging, but doesn't cause a performance drop in case of high query rates and accurate enough for estimation. 2012/5/4 Samad Agha > Thanks Daniel, I really appreciate your help. > > SA > >

Re: TTL for name servers

2012-06-05 Thread Peter Andreev
Just to clarify, let's assume that you maintain zone example.be. Let's also say that in .be zone TTL for your NS'es is 86400 and TTL for NS'es in your zone is 345600. In such scenario the latter will be cached by resolver because it is the authoritative data. For some resolver implementations this

Re: TTL for name servers

2012-06-06 Thread Peter Andreev
2012/6/6 Mark Andrews > > In message c...@mail.gmail.com> > , Alexander Gurvitz writes: > > Hi. > > > > TTL returned by YOUR zone authoritative server will (at least should) be > > preferred by caches. > > > > Matt Larson from verisign explained on these: > > > > http://www.merit.edu/mail.archiv

What does "deleted from unreachable cache" mean?

2012-07-18 Thread Peter Olsson
eeBSD, running port bind97-9.7.6.1. Thanks! -- Peter Olsson p...@leissner.se

Re: What does "deleted from unreachable cache" mean?

2012-08-02 Thread Peter Olsson
On Thu, Aug 02, 2012 at 03:26:08PM +0100, Cathy Almond wrote: > On 19/07/12 00:49, Peter Olsson wrote: > > Hello! > > > > After my latest bind upgrade our slave server started > > occasionally writing these messages to the log: > > > > master 2a02::xxx

Re: What does "deleted from unreachable cache" mean?

2012-08-03 Thread Peter Olsson
On Fri, Aug 03, 2012 at 09:13:50AM +0100, Cathy Almond wrote: > On 02/08/12 19:00, Michael Hoskins (michoski) wrote: > > -Original Message- > > > > From: Peter Olsson > > Date: Thursday, August 2, 2012 10:25 AM > > To: Cathy Almond > > Cc: &quo

Re: Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-11-01 Thread Peter Andreev
2012/11/1 Chris Thompson : > On Oct 29 2012, Feng He wrote: > >> 于 2012-10-29 9:58, kavin 写道: >>> >>> Now,I want transfer the zone data from the master dns serverto slave >>> dns server ,the master dns use bind-dlz+mysql and the slave dns server >>> use bind+file. >> >> >> AFAIK, BIND DLZ doesn't s

Lots of "RSA_verify failed" after upgrade to 9.7.7

2012-11-05 Thread Peter Olsson
/crypto/rsa/rsa_sign.c:263: I have never seen these before. I tried Google but got no recent results. Anyone know what this means and how to get rid of these errors? Thanks! Peter Olsson

Re: Strange issue with signed zone

2012-11-08 Thread Peter Andreev
Hi everybody! We signed another zone and met the same problem again. The only difference is algorithm - now it is RSASHA256. > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. > Recently we realised that our servers don't

Re: Strange issue with signed zone

2012-11-09 Thread Peter Andreev
2012/11/9 Tony Finch : > Peter Andreev wrote: >> >> We signed another zone and met the same problem again. The only >> difference is algorithm - now it is RSASHA256. >> >> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we >> > signed f

Re: Strange issue with signed zone

2012-11-09 Thread Peter Andreev
2012/11/9 Peter Andreev : > 2012/11/9 Tony Finch : >> Peter Andreev wrote: >>> >>> We signed another zone and met the same problem again. The only >>> difference is algorithm - now it is RSASHA256. >>> >>> > We have ~30 servers running BIND

Re: Change in statistics format

2012-11-15 Thread Peter Yardley
e to parse our XML, >> they might want to know there'll be a few different schema versions in >> the field soon.) >> >>> Is this a tunable parameter? >> >> No.

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
Please correct me if I'm wrong: you'd like to edit PTR records for your part of the /24 zone? If so, what does your ISP say about rfc2317? 2012/12/27 Dmitri Tarkhov : > Hi, > I've searched the list archives and Google and don't see anything > to answer my question subj. > we have let's say x.y.z.240/28

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
ne to work. > May be some other unknown by me approach exists. > Again, there is no problem with reverse resolving in general but > I cannot achieve this directly at my dns, that is to receive a response > from it no matter wherever it forwards the request or from where it > gets the P

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
ody but zone owner. >But I don't want to indulge into such remote circumventions. > 4. That's possible to not bother about the issue but for now >I am not ready to fold hands. I just meant that fencing your resolver without really good reasons is a bad idea. If you do it &qu

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
r now the best defence against cache poisoning is DNSSec and since we have signed all russian TLDs you could implement it. > > > Peter Andreev wrote: > >> 2012/12/27 Dmitri Tarkhov : >> >>> Hi, >>> thanks a lot for the information. >>> Contains

Re: reverse zone of type forward when /28 subnet

2012-12-29 Thread Peter Andreev
Actually, Mark's advice is much better. 2012/12/29 Dmitri Tarkhov : > Hi, > this finally works: > > view "reverse1" IN { > recursion yes; > > zone "z.y.x.in-addr.arpa" IN { type forward; forward only; > forwarders { A; B; }; }; > > > zone "localhost" IN { type maste

Re: Wildcard CNAME record?

2013-01-16 Thread Oliver Peter
uld be SOA and NS records for somewhere.com, the CNAME would conflict with them. This should be OK: * IN CNAMEsub.somewhere.com. Cheers ~ollie -- Oliver PETER oli...@opdns.de 0x456D688F "You need healthy, natural sleep. Chew some Valeri

Re: Wildcard CNAME record?

2013-01-16 Thread Oliver Peter
On Wed, Jan 16, 2013 at 10:33:03AM -0500, Barry Margolin wrote: > In article , > Oliver Peter wrote: > > > On Wed, Jan 16, 2013 at 02:57:48PM +, Baird, Josh wrote: > > > Is it acceptable to have a wildcard CNAME? Example: > > > >

Re: high volume from outside our networks question

2013-01-31 Thread Peter, Oliver
/filter.html#antispoof -- Oliver PETER oli...@peter.de.com 0x456D688F

Re: listen-to clusterIP address

2013-06-05 Thread Peter Andreev
2013/6/5 Phil Mayers > On 06/05/2013 07:37 PM, paul wrote: > >> Hi. I have a two node active passive cluster serving webpages. When a >> failover occurs, I have to restart named on the now active node because >> > > You don't have to restart it. "rndc reconfig" will re-check the IPs on the > mach

Forwarding requests when DNS name doesn't exist?

2013-10-10 Thread Peter Olsson
to external DNS. Thanks! Peter Olsson

Re: Bind vs flood

2014-02-26 Thread Peter Andreev
Hi Dmitry, If your problem is a lot of strange queries, then there are two ways: 1. You operate an open resolver. If you can - restrict it to a limited scope of clients, otherwise the only way you can lower the number of incoming queries is DPI; 2. You operate a non-open resolver. Then you can find wh

Re: Bind vs flood

2014-02-28 Thread Peter Andreev
Well, at first glance it looks like malicious activity, so the best action is to call all users suspected of sending such requests, and warn them. The fast and very (very-very-very) dirty solution is to set up zone 84822258.com on your resolver. This should suppress

Re: Bind vs flood

2014-02-28 Thread Peter Andreev
However, if you choose the second action, then your tech support should be ready. 2014-02-28 13:36 GMT+04:00 Peter Andreev : > Well, at first glance it looks like malicious activity, so the best action > is to call all users, suspected in sending such requests, and warn them. > The

Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Peter Andreev
2014-04-24 13:46 GMT+04:00 Carsten Strotmann : > Hello Jeronimo, > > "Jeronimo L. Cabral" writes: > >> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian, >> Windows 7, Red Hat and CentOS. >> >> If we implement DNSSEV validation support in our BIND9 server...how >> can I know if

Re: Multi-master (HA)

2014-05-07 Thread Peter Andreev
Well, we use two masters in different locations, w/o DLZ. Files for signed zones are being generated from databases and uploaded to servers. What we need here - is propagating of DDNS plus periodical synchronizing of zones, journals etc. Regarding zone templates - I'm using it with NSD4 and I'm to

Is it possible to have separate query logs for different views?

2015-03-09 Thread Peter Olsson
ide.log" versions 30 size 5M; print-time yes; severity debug; }; }; Thanks! -- Peter Olsson
