Re: dig -- only RRSIG present.

2012-02-13 Thread Phil Mayers
On 13/02/12 12:28, dE . wrote: On 02/13/12 11:00, Spain, Dr. Jeffry A. wrote: Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC capable domain; in fact this server has issues - dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net. I'd be really happy if I could get some domain

Re: DNS RPZ and different answers for IPv6 vs IPv4

2012-02-13 Thread Phil Mayers
On 13/02/12 12:42, John Hascall wrote: What I would like to have happen is for the IPv6 () query for "evil-domain.com" to return "no data", but for the IPv4 (A) query for "evil-domain.com" to return "CNAME". Is this possible? If so, how? Maybe alias the name to a local name, then insert

Re: dig -- only RRSIG present.

2012-02-13 Thread Phil Mayers
On 13/02/12 13:03, dE . wrote: Ok, thanks a lot. I thought it was a client process. Now I can query for the DS, DNSKEY records from isc.org. Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind have such a caching program? Do we have a DNSSEC capable resolver in BIND? Bind *is*

Re: Logging issue with bind

2012-02-16 Thread Phil Mayers
On 02/16/2012 09:48 AM, Raven wrote: Hi guys. I am currently trying to set up query logging with bind on a debian server, but I seem unable to. I have the exact same setup on another debian box and it works flawlessly. I've been scratching my head all morning.. My configuration: /etc/bind/named.c

Re: Logging issue with bind

2012-02-16 Thread Phil Mayers
On 02/16/2012 06:02 PM, Chris Thompson wrote: "severity dynamic" starts at 0 i.e. off. No 0 is equivalent to "info", except in one case: Ah, my mistake. I took a quick look at the posters config and saw this as the only difference from our standard one, hence called it out. Sorry for the

Re: A few conceptual question about dnssec.

2012-02-18 Thread Phil Mayers
On 02/18/2012 04:35 PM, dE . wrote: On 02/18/12 00:36, Gaurav kansal wrote: Firstly, where do we get the public key for the DS records? Can you clarify your question??? The DS record is a signature right? Wrong. You're asking a lot of basic questions here. Maybe you could go off and

Re: Anycast DNS

2012-03-01 Thread Phil Mayers
On 01/03/12 03:40, Beavis wrote: Just want to piggy back on this topic is there any documentation available online that shows a deployment guideline for Anycast? There's not much to it: 1. Create the anycast IP on your servers 2. Route the anycast IP to your servers 3. Make bind listen on t

Re: Anycast DNS

2012-03-01 Thread Phil Mayers
On 29/02/12 03:55, ju wusuo wrote: Have seen some anycast DNS implementations using more than one address, some times even on the same subnet, any considerations or reasons for doing that? We do that. We use two different, independent methods to route traffic to the IPs. We feel this provides

Re: BIND 9.9.0 is now available

2012-03-02 Thread Phil Mayers
On 02/03/12 10:13, Matus UHLAR - fantomas wrote: On 29.02.12 17:53, Michael McNally wrote: NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of "no such domain". This allows

Re: BIND 9.9.0 Inline-Signing Out of Control

2012-03-05 Thread Phil Mayers
On 05/03/12 17:46, David Kreindler wrote: Are there guidelines or suggestions for setting the values of sig-signing-nodes and sig-signing-signatures? For what it's worth, we do "auto-dnssec maintain" with dynamic zones, and have left them at their default. It's a big zone, and the constant t

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Phil Mayers
On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote: I also find it a bit strange that BIND decides to go for NSEC, even when the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1). As I understand it, NSEC3 incurs overhead at validating resolvers. That being the case, it is unfriendl

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Phil Mayers
On 03/07/2012 09:38 AM, Marco Davids (SIDN) wrote: As I understand it, NSEC3 incurs overhead at validating resolvers. That being the case, it is unfriendly to use it unless you really need it I don't have a problem with that. It's just that I find the current way BIND works a bit tricky. I wou

Re: Master/slave configuration

2012-03-09 Thread Phil Mayers
On 03/08/2012 06:26 PM, michoski wrote: Meant to add one thing... In our configuration, we actually have two recursive VIPs per site, and even considered three (internal IPs are cheap). We do this. We also make the two different VIPs use different underlying tech - one is an anycast route a

Re: Cisco ACE config for internal DNS load balancing

2012-03-09 Thread Phil Mayers
On 09/03/12 16:23, Matthew Huff wrote: Anyone have any suggestions/best practices/config examples for DNS load balancing for internal use on CISCO ACE blades? I’ve got the standard example working, but wondered about keepalive frequency, timeouts, fragments, etc… Anyone got any examples they us

Re: journal rollforward failed: journal out of sync with zone

2012-04-12 Thread Phil Mayers
On 12/04/12 11:50, Bryton wrote: Hi, I have observed a SERVFAIL error in one of my zones. On checking the logs I realized there is this error /journal rollforward failed: journal out of sync with zone/ I tried to learn more about it and I found out the solution is to delete the journal file and

Re: re-bind named to all interfaces

2012-04-12 Thread Phil Mayers
On 12/04/12 15:32, Mihai Moldovan wrote: Is there any way to tell bind9 to re-evaluate the network situation and bind to all new interfaces (if allowed, see listen-on)? I have tried firing up rndc reload and rndc reconfig via the pppd if-up/if-down scripts, but neither try was successful. "rn

Re: re-bind named to all interfaces

2012-04-12 Thread Phil Mayers
On 12/04/12 16:44, Mihai Moldovan wrote: Hmm, permission denied while binding to ppp0? Maybe that's because my named is running as the non-privileged system user "named" and binding to the privileged port 53? Makes sense... but... hm. I guess in this case there's no other way but running named a

Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Phil Mayers
On 04/15/2012 11:40 PM, Tobias Krais wrote: Hi Ben, hmm. How can I manage what google suggests: "Information for school network administrators about the No-SSL option To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.c

Re: How to stop ANY zone transfer

2012-04-16 Thread Phil Mayers
On 16/04/12 10:35, Chiesa Stefano wrote: Hello all. I'm developing a web application to apply massive dns changes automatically. I have a master dns server and three slaves. To test the application I'm going to create an identical copy of the master server (in the same network too). What is scari

Re: Split DNS and zone transfers

2012-04-16 Thread Phil Mayers
On 16/04/12 16:36, Eric Chandler wrote: Now, what I would like to have are slave servers that would zone-xfer both the internal and external-flavored files for example.com and serve You need to use TSIG keys, and match on key rather than IP address. This comes up on the list from time to time

Re: Configuring CNAME for nosslsearch.google.com

2012-04-17 Thread Phil Mayers
On 17/04/12 13:24, Tobias Krais wrote: Hi all together, very interesting this discussion. As I am a newbie I understood only half. Thus I detected 2 ways to continue: I believe you can use response policy (RPZ) to achieve this. Or you can use just about any non-BIND resolver (e.g. unbound) t

Re: Question about KSK

2012-04-27 Thread Phil Mayers
On 27/04/12 13:40, wbr...@e1b.org wrote: We are authoritative for a few dozen small zones. Is it possible to use the same KSK for all of them? I can see where if it gets compromised we would need to resign all zones using the KSK at once. How much effort would I be saving sharing the KSK? Th

Re: dynamic update to SOA records

2012-05-01 Thread Phil Mayers
On 04/27/2012 02:37 AM, cloud cache wrote: Hello, How to use nsupdate to dynamically update the SOA records? For example, I want to update the zone's contact email and main NS As others have pointed out, you just need to use "nsupdate" and send a valid SOA. NOTE: "valid" means "must have a seri

Re: Convince Bind to listen on IP alias with a range of IPs.

2012-05-01 Thread Phil Mayers
On 04/30/2012 10:56 PM, Augie Schwer wrote: I must be doing something wrong, because what I want to do doesn't seem that difficult. I have a range of IPs bound to a local interface: lo:1 Link encap:Local Loopback inet addr:10.0.0.1 Mask:255.255.255.224 And I want to convince B

Re: Convince Bind to listen on IP alias with a range of IPs.

2012-05-01 Thread Phil Mayers
On 05/01/2012 10:00 AM, Phil Mayers wrote: So you might be being a bit too clever, and foxing the named socket code I'm afraid. That should of course be "the named socket code is foxing you". Sigh. ___ Please visit https://lists.

Re: dynamic update to SOA records

2012-05-01 Thread Phil Mayers
On 01/05/12 11:20, cloud cache wrote: But, how will I know the current serial number of the zone, if the zone has been changing frequently? In the past, I've used a script that queries the SOA just before doing the update (which is safe, because in a race condition you'll be "too low" and fa

Re: errors in logs

2012-05-10 Thread Phil Mayers
On 10/05/12 09:47, Ben wrote: Hi, I just enabled bind as a caching name server and when watching logs I got the errors below. It looks like you have broken IPv6 connectivity - your machine believes it has an IPv6 address and possibly a default route, but it doesn't work. Check your networking confi

Re: named validating @0x...: ... SOA: no valid signature found

2012-05-15 Thread Phil Mayers
On 15/05/12 13:22, Brian J. Murrell wrote: On 12-05-02 09:29 AM, Mark Andrews wrote: * a firewall blocking EDNS queries. * using a non DNSSEC enabled forwarder so you don't get signatures. * a firewall blocking fragmented UDP and named falling back to plain DNS. * other packet loss causing n

Re: DNS64 - multiple mapping

2012-05-24 Thread Phil Mayers
On 05/24/2012 07:36 AM, Rock July wrote: Hi All, Is it possible for me to add multiple dns64 in options? I want to have Yes. different IPv6 prefix for each IPv4 network address. I don't know what that means, but the dns64 option takes a quite comprehensive set of ACLs to match client and or

Re: Partial forwarding.

2012-05-30 Thread Phil Mayers
On 30/05/12 12:03, Stephen James wrote: We have a lab setup where we are testing a customer configuration but do not have all of the same equipment. Is it possible to have a bind server that resolves certain FQDNs in a zone, while forwarding the remaining to another DNS? Not easily. You could c

Re: How to handle zones that need to be the same in all views?

2012-06-12 Thread Phil Mayers
On 06/12/2012 01:03 AM, Max Bowsher wrote: That won't help me for slave zones: * the zones get needlessly re-transferred once for each view If you actually want a copy of each zone in each view, you can't avoid this. * the files on disk will be repeatedly overwritten as bind tries to save t

Re: How to handle zones that need to be the same in all views?

2012-06-12 Thread Phil Mayers
On 12/06/12 15:31, Barry Margolin wrote: In article, Phil Mayers wrote: Have you considered a single view containing all the common zones, then a view per "different" zone that forwards to 127.0.0.1? Provided you arrange your "match-clients" correctly this should wor

Delegation bit-rot detection?

2012-06-14 Thread Phil Mayers
All, Over the years, we have offered DNS secondary services to various organisations. Some of those organisations are (ahem) fairly small, and lots of the delegations and zone transfers have suffered bit-rot - there are zones delegated to us that I have no records on, and certainly can't AXFR

Re: Moving DNS out of non-cooperative provider

2012-06-18 Thread Phil Mayers
On 18/06/12 16:49, Alexander Gurvitz wrote: with each query gets new NS record, and... refreshes the NS TTL ? No, that's not how TTLs work. They always count down. Will ns.isp.com EVER query ns.NEWprovider.net ? Yes, when the TTL has expired

Re: Moving DNS out of non-cooperative provider

2012-06-19 Thread Phil Mayers
On 06/19/2012 04:18 AM, Barry Margolin wrote: Didn't this used to be a problem? When the caching server queries the cached nameservers, the response would include the old NS records in the Authority section. The caching server would then replace the cached NS records with these records, reset

Re: Compiling and testing on Fedora

2012-06-21 Thread Phil Mayers
On 21/06/12 15:21, Lightner, Jeff wrote: Turning off SELinux also requires a reboot after changing mode. "setenforce 0" does not require a reboot.

Re: Reverse zones best practices

2012-06-26 Thread Phil Mayers
On 26/06/12 16:42, nex6 wrote: * Brad Bendily [2012-06-25 16:35:28 -0500]: wouldn't it be more confusing, in a big IP space with servers, desktops etc all mashed together into one zone? If you have enough hosts for this to be confusing, you have enough hosts to store the data in some master

Re: Reverse zones best practices

2012-06-27 Thread Phil Mayers
On 26/06/12 17:25, nex6 wrote: * Phil Mayers [2012-06-26 16:54:55 +0100]: I am not going to be editing files by hand, we actually have a tool. I am more concerned about best practices, and how to fix the mess. eg, say we have about 500 vlans (/24s) and say only 350 have reverse zones. from

Re: Reverse zones best practices

2012-06-27 Thread Phil Mayers
On 27/06/12 15:30, nex6 wrote: so, you *should* have a larger 10.x.x.x zone? *and* smaller 10.x.x.0/24 zones? so i am assuming the workflow would be in this case, records go in the smaller zones, and the larger zone is the catchall to prevent leakage? It is good practice, and polite, to preven

Re: prevent DNS attack

2012-06-28 Thread Phil Mayers
On 06/28/2012 02:36 AM, pangj wrote: There is also a patch for BIND which can help: http://www.redbarn.org/dns/ratelimits Thank you. The traffic is incoming, and the incoming IPs are fake, how will the patch work to stop them? Read the archives that Tony pointed you at. There is much disc

Re: CNAME+A record in response

2012-06-29 Thread Phil Mayers
On 06/29/2012 07:50 AM, Srinivas Krishnan wrote: A lot of times we get responses that look like: FOO.BAR CNAME EXAMPLE.BAR EXAMPLE.BAR A 1.1.1.1 BIND currently (at least with the default settings) when it encounters a CNAME stops processing and checks if EXAMPLE.BAR is in cache or else sends ou

Re: bind dies with assertion failure

2012-07-03 Thread Phil Mayers
On 07/03/2012 01:16 AM, Oscar Ricardo Silva wrote: I *THINK* I found the reason for why we're exposed to this bug ... It would appear that Redhat based their BIND package on 9.8.2rc1. Guess where the patch for this bug was applied? 9.8.2rc2. Are you sure about this? From what I can see in ou

Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Phil Mayers
On 05/07/12 15:34, Carlos Ribas wrote: I tried transfer-source before, but this is what happened: You still need to set "masters { 10.x.x.x; };" on the zone. Transfer source controls the source IP. Masters controls the destination IP.

Re: Resolve only authoritative domain for internet/public addresses

2012-07-08 Thread Phil Mayers
On 07/08/2012 07:15 AM, Mr BeEye wrote: Hello all. Let's have a finite list of IPv4 (private and public) addresses, e.g. {A, B, C, ... N}. Is it possible to configure BIND in this way: 1) BIND resolves EVERYTHING for {A, B, C, ... N}. 2) BIND resolves ONLY its authoritative domain for internet e

Re: Resolve only authoritative domain for internet/public addresses

2012-07-08 Thread Phil Mayers
On 07/08/2012 09:32 AM, Jukka Pakkanen wrote: Why not just: acl "X" { A; B; C; ...; }; options { ... allow-query { "any"; }; allow-recursion { "X"; }; ...}; Doh, of course. This is a better idea, thanks.

Re: BIND CPU load problems

2012-07-10 Thread Phil Mayers
On 10/07/12 12:56, Shon Stephens wrote: Dear Mike, I am not being hit with a Denial of Service attack and the query logging doesn't appear to be any different from other hosts in the DNS complex. There are no errors in logs or messages files either. I have not installed a previous version f

Re: disabling "Any" requests

2012-07-12 Thread Phil Mayers
On 12/07/12 14:38, Chuck Swiger wrote: On Jul 12, 2012, at 2:27 AM, Dns Administrator wrote: Hi bind-users, please excuse my ignorance being a novice to dns, but is there some way of disabling or choking "Any" type requests? This has been discussed on the list recently - see the archives

Re: disabling "Any" requests

2012-07-12 Thread Phil Mayers
On 12/07/12 15:16, Lightner, Jeff wrote: Personally I don't know why "dig -t any" would be a problem. It's not exactly the same as doing an axfr transfer of the zone - it still only gets limited information. They're the current query type du jour for DDoS amplification attacks, which I assu

Re: disabling "Any" requests

2012-07-12 Thread Phil Mayers
On 12/07/12 16:48, sth...@nethelp.no wrote: Personally I don't know why "dig -t any" would be a problem. It's not exactly the same as doing an axfr transfer of the zone - it still only gets limited information. They're the current query type du jour for DDoS amplification attacks, which I ass

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Phil Mayers
On 20/07/12 14:03, Brian J. Murrell wrote: # dig +dnssec @localhost 119.in-addr.arpa SOA ; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713 ;; flags: qr rd ra; QUERY

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Phil Mayers
On 20/07/12 15:33, Brian J. Murrell wrote: On 12-07-20 09:11 AM, Phil Mayers wrote: Or, what happens if you start bind up in debug mode and run the query? There will be a lot of output, but I've found most problems to be fairly obvious if you read through it. Yeah, there is a lot of o

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Phil Mayers
On 20/07/12 16:21, Mark Andrews wrote: In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes: Just for good measure, since I think I have posted this before, but here are the options I have set in my bind configuration with regard to dnssec= : dnssec-enable yes;

Re: lot of 'ripe.net IN ANY +ED' queries

2012-07-23 Thread Phil Mayers
On 23/07/12 13:07, Marek Salwerowicz wrote: Hi all, I am a new subscriber of your list. I browsed the archive but didn't find an answer/hint for my problem. I am running (at FreeBSD 9.1-PRERELEASE) a public caching DNS server. Since about 2 months I've been receiving a lot of (DNS flood attack?) queries

Re: "Nintendo"('s NSes) are asking my IP for its rdns

2012-07-24 Thread Phil Mayers
On 24/07/12 12:05, Brian J. Murrell wrote: Is this just broken NS software or are they (Nintendo, FWIW) doing Looks broken to me. I note that IP doesn't have a reverse. This suggests to me it's not any kind of nameserver, but rather part of their general pool - perhaps a random desktop.

Re: "Nintendo"('s NSes) are asking my IP for its rdns

2012-07-25 Thread Phil Mayers
On 24/07/12 14:30, Brian J. Murrell wrote: Why? I mean other than a knee-jerk reaction to that behavior not (yet) being documented in an RFC somewhere? I mean for practical purposes why is what they are (or rather, could be, assuming my suggestion about what they could be doing is correct) doi

Re: getaddrinfo and TTL

2012-08-04 Thread Phil Mayers
On 08/03/2012 05:48 PM, Martin McCormick wrote: Can one read the TTL for a given lookup in getaddrinfo? I don't believe so. Better yet, is there a listing of the entire range of values one can read from all the structures? The getaddrinfo() interface is specified in RFC 349

Re: Delayed Zone Transfers?

2012-08-06 Thread Phil Mayers
On 06/08/12 17:03, Jiann-Ming Su wrote: Here's an example of the zone file being updated, but BIND not serving out the new data. Running dig locally: # dig @localhost myhost.uts-sa.mydomain.ddns I note from your other email that you are using views. Are you sure you are querying the right v

Re: Delayed Zone Transfers?

2012-08-06 Thread Phil Mayers
On 08/06/2012 05:33 PM, Jiann-Ming Su wrote: Yeah, I've wondered about views. We went to views to work around a MTA config issue. The weird zone transfer performance seem to have coincided with our transition to views. Here's my named.conf, FWIW: view hc { include "/etc/named.zones"; view a

Re: SRV query with no domain?

2012-08-15 Thread Phil Mayers
On 15/08/12 15:42, Thomas Secula wrote: Hello, I hope this is the right list.. I am using bind 9.8.2 on CentOS 6 with a system called openims. I am trying to get my bind server to respond to an SRV query of _sip._udp where the query has no domain. Yuck. That's horrible. Are you *sure* that's wh

Re: Zone Transfer issue on BIND9

2012-08-24 Thread Phil Mayers
On 24/08/12 12:09, sn...@email.it wrote: Hi there, I have an issue related to zone transfer which I couldn't fix. I've found a "presumable" fix googling a lot but it doesn't seem to work. You haven't said *how* it isn't working. Be specific. Note that the FAQ link you reference puts the "serve

Re: Question related to domain names and less to bind straight.

2012-09-04 Thread Phil Mayers
On 09/05/2012 07:31 AM, Doron Shikmoni wrote: Hello Eliezer, Not an RFC, but you may find this list helpful: http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1 See also: http://publicsuffix.org/ http://www.dkim-reputation.org/regdom-libs/ ...which are mor

Re: RHEL, Centos, Fedora rpm 9.9.1-P3

2012-09-13 Thread Phil Mayers
On 13/09/12 17:21, Carl Byington wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 http://www.five-ten-sg.com/util/bind-9.9.1-0.1.P3.fc18.src.rpm Are you sure the "useradd" command in %pre is valid on RHEL4/5? Specifically the "-N" argument? We had to change that in our local .spec file

Re: Moving from "type forward" to "type static-stub"

2012-09-21 Thread Phil Mayers
> It's time to back in again (front in?). Now that Comcast is validating, any mistakes that people make will get fixed right quick. 1.7 million people doing validation is good incentive to get things right and fix them quickly. At UC Berkeley, validation has been turned on for four years

Re: about DNS RRL

2012-10-17 Thread Phil Mayers
On 10/17/2012 09:17 AM, pangj wrote: I have read the document of redbarn RRL for BIND and this NSD RRL: https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ I have a question that, since the DDoS to DNS are coming from spoofed IPs. But RRL is working based on source IP. So how can it stop the

Re: Possible DDoS?

2012-10-17 Thread Phil Mayers
On 10/17/2012 07:39 PM, Dennis Clarke wrote: I have the exact same problem with an ip inside State of Colorado General Government Computer subnet : http://whois.arin.net/rest/org/SCGGC That's not exactly a fly-by-night organisation; have you contacted them? Some server there has been pound

Re: 答复: Re: Possible DDoS?

2012-10-17 Thread Phil Mayers
On 10/18/2012 12:12 AM, Tony Xue wrote: I am pretty sure the sources were hacked because one of my another What makes you think the source IPs were real?

Re: ISC Bind in Active Directory

2012-10-19 Thread Phil Mayers
Nicholas F Miller wrote: > DDNS record scavenging is the only feature I'm aware of that MS DNS has that Bind doesn't. On the flip side, ISC Bind can ACL who can add certain record types to a dynamic zone using GSS-TSIG as well as supports views and ACLs for recursion. Everything else should be

Re: ISC Bind in Active Directory

2012-10-20 Thread Phil Mayers
b...@bitrate.net wrote: eful. > to be honest, this doesn't seem to me to be something that would fall within bind's purview. comparing bind to "microsoft dns" isn't really apples to apples. microsoft dns is more than just a dns server. it's also a dns management system [whereas bind is no

Re: ISC Bind in Active Directory

2012-10-24 Thread Phil Mayers
On 24/10/12 16:54, Kevin Darcy wrote: Why do you feel the need to register clients in your AD domain at all? We register our clients outside of the AD domain via the DHCP server; Our experience is that this can cause (minor) problems. The basic issue is that, if you have an AD realm: EXAMPLE

Re: ISC Bind in Active Directory

2012-10-24 Thread Phil Mayers
On 10/24/2012 10:17 PM, Carsten Strotmann wrote: my experience is that it is safe to place clients in either a DNS domain with the same name as the AD domain, or in a subdomain of the AD domain. What does "place" mean, exactly? Bear in mind that, unfortunately, Microsoft chose to embed DNS na

Re: transparent DNS load-balancing with a Cisco ACE

2012-10-24 Thread Phil Mayers
On 10/19/2012 07:25 PM, John Miller wrote: Here's a question, however: how does one get probes working for a transparent LB setup? If an rserver listens for connections on all interfaces, then probes work fine, but return traffic from the uses the machine's default IP (not the VIP that was orig

Re: ISC Bind in Active Directory

2012-10-26 Thread Phil Mayers
On 10/25/2012 08:44 PM, Kevin Darcy wrote: On 10/24/2012 6:02 PM, Phil Mayers wrote: Hell, if you've got WINS running and broadcast netbios, I think it's still possible to log in with *no* working DNS at all. At the risk of getting *totally* off-topic, no-one who cares about s

Re: ISC Bind in Active Directory

2012-10-27 Thread Phil Mayers
On 10/27/2012 04:28 PM, Chuck Anderson wrote: I don't disagree that broadcast netbios probably should be disabled (though it's not at our site, for historical reasons, and I'm not sure I'm willing to take on the monumental task of disabling it). WINS is slightly different, and the main reason to

Re: Delegations

2012-10-31 Thread Phil Mayers
On 31/10/12 17:12, wbr...@e1b.org wrote: I have a zone file for example.org that has entries for a subdomain l2.example.org like this: vpn.l2 IN A 10.1.2.3 Now they want to add a subdomain below l2, i.e. ad.l2.eboces.org with hosts such as dc.ad.l2.eboces.org Your terminology is

Re: Delegations

2012-10-31 Thread Phil Mayers
On 10/31/2012 06:51 PM, Doug Barton wrote: It may or may not be strictly necessary to do this depending on everything else you have in the zone, but it's safer in the long term to do it this way. Are you suggesting it's best if the OP creates "l2.example.com" as a sub-zone? Why is this nece

Re: Need to improve named performance

2012-11-12 Thread Phil Mayers
On 12/11/12 15:23, Ed LaFrance wrote: I really don't need this kind of logging in the messages log. I can turn on query logging in the named.conf if I need more detail on named. I think the simplest thing would just be to have an exclusion in the syslog config for named. I confess some general i

Re: User wanting to use a .local domain to host DNS

2012-11-14 Thread Phil Mayers
On 14/11/12 15:39, Kevin Darcy wrote: I stopped reading as soon as I saw the requirement to add a NetBIOS name, being overpowered by the stench of obsolescence. Does anyone As per our recent thread, there's loads of (recent, modern) stuff that still uses NetBIOS. Sadly. actually run "2000"

Re: User wanting to use a .local domain to host DNS

2012-11-14 Thread Phil Mayers
On 14/11/12 15:02, King, Harold Clyde (Hal) wrote: I'm a bit confused by a user request. I think he is trying to keep some hosts on the private side of DNS, but he wants to use a DNS name like host.sub.local. I do not know of the use of the .local TLD except in Bonjour. Can anyone shed some light

Re: rsa_sign.c:263

2012-11-14 Thread Phil Mayers
On 14/11/12 16:19, Daniel Ryšlink wrote: Hello, I started to see a flood of these errors after upgrading to the latest BIND 9.9.2: 14-Nov-2012 17:14:15.304 general: warning: RSA_verify failed 14-Nov-2012 17:14:15.304 general: info: error:04077068:rsa routines:RSA_verify:bad signature:/usr/src/s

Re: Change in statistics format

2012-11-15 Thread Phil Mayers
On 15/11/12 16:44, John Miller wrote: Hello everyone, When did BIND 9 switch over from the older I think that was *years* ago? I'm getting ready to file a bug for our monitoring software (Hyperic HQ), because it only reads the older format, and wanted to be sure I had my ducks in a row. Y

Re: First usage of BIND9

2012-11-25 Thread Phil Mayers
On 11/25/2012 04:12 PM, Daniele Imbrogino wrote: Using Wireshark I can see that there are queries from my IP to a root-server and replies in the reverse way, but then dig always fails with a SERVFAIL. Why? iptables?

Re: First usage of BIND9

2012-11-25 Thread Phil Mayers
On 11/25/2012 04:38 PM, Daniele Imbrogino wrote: There are no rules in iptables, and they accept everything by default. To debug this further you may need to look in the bind logs and/or run it under debug mode. Ensure the packet is actually being received by the bind process. You should a

Re: First usage of BIND9

2012-11-25 Thread Phil Mayers
On 11/25/2012 04:33 PM, Phil Mayers wrote: On 11/25/2012 04:12 PM, Daniele Imbrogino wrote: Using Wireshark I can see that there are queries from my IP to a root-server and replies in the reverse way, but then dig always fails with a SERVFAIL. Why? iptables? It has been pointed out to me

"rndc sign", "auto-dnssec maintain" and TYPE65534 record "stickyness"?

2012-11-26 Thread Phil Mayers
All, Up front, I should note that this was on a hidden master server which was running 9.7.0 (since updated). So it may not work this way on current versions of bind. We (well, I) had a little accident recently when rolling a ZSK. We use "auto-dnssec maintain" like so: zone "blah" { file

Re: "rndc sign", "auto-dnssec maintain" and TYPE65534 record "stickyness"?

2012-11-27 Thread Phil Mayers
On 27/11/12 09:13, Cathy Almond wrote: It's tricky to answer your questions since this was on BIND 9.7.0 which has been substantially updated between 9.7.0 and 9.7.7 (the CHANGES log of 9.7.7 might give you some clues). But also of particular relevance to this would be the change in how automat

Re: Can't find named_dump.db

2012-12-03 Thread Phil Mayers
On 03/12/12 15:41, Daniele Imbrogino wrote: Using BIND 9.8.1 on Ubuntu 12.04, I try to save the server cache using the command "sudo rndc dumpdb -cache" (without quotes, obviously), but then I can't find the file "/etc/bind/named_dump.db" being "/etc/bind/" the working directory of the server.

Re: DNS Blackholing

2012-12-04 Thread Phil Mayers
On 12/04/2012 02:44 AM, John Hascall wrote: We have found that RPZ works quite well for us. We have 366825 names in our RPZ zone at present and scaling thus far has been a non-issue. Likewise. We have 675k entries in an RPZ zone, and performance is fine. It's genuinely surprising how many

Re: DNS Blackholing

2012-12-05 Thread Phil Mayers
On 12/05/2012 06:10 AM, Nick Edwards wrote: Hi All, Is there a way for RPZ zone file to act on domain AND subdomains without using two separate entries? At present I can only get them to match on one or the other unless I do example.com blah *.example.com blah I'm sure I've missed

Re: DNS Blackholing

2012-12-05 Thread Phil Mayers
On 12/04/2012 06:35 PM, Barry S. Finkel wrote: A question from the OP that has not yet been answered - Make the zones masters on all servers. Surely not for RPZ? The whole point with RPZ is that you have one zone containing all the blacklists, master in one place, and slave it in all the oth

Re: DNS Blackholing

2012-12-05 Thread Phil Mayers
On 12/05/2012 11:45 AM, Noel Butler wrote: RPZ: dig bobi.at ;; Query time: 996 msec You're correct that blackhole zones and RPZ have different performance characteristics. For others reading, this is because with RPZ, the real name is queried first, then RPZ applies to the answers, so if the

Re: how to restrict nsupdate to a single A or PTR record ?

2012-12-05 Thread Phil Mayers
On 12/05/2012 07:29 PM, fddi wrote: Hello, I have a domain called mydomain.org I would need a way to allow access with nsupdate not to the entire domain mydomain.org but only to specific hosts and specific IP Address to be modified using nsupdate. here is my config zone "mydomain.org" IN {

Re: RHEL, Centos, Fedora rpm 9.9.2-p1

2012-12-05 Thread Phil Mayers
On 12/05/2012 04:46 AM, Carl Byington wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 http://www.five-ten-sg.com/util/bind-9.9.2-0.2.P1.fc18.src.rpm Carl, Thanks for this. One minor thing - the -P1 is missing from the embedded tarball. I think there might be something going on with the

Re: Getting RPZ statistics

2012-12-08 Thread Phil Mayers
We do much the same. If you have a pointer to the technique you're using to distinguish images and serve up replies, i'd be interested to see it. John Hascall wrote: > We point our DNS-RPZ records at a server ("here-be-dragons") that records connections at that point. Also the webserver li

Re: Requesting tips on setting TTLs so that expired RRSIG data doesn't stay in the zone

2012-12-14 Thread Phil Mayers
On 12/14/2012 10:48 AM, GS Bryan wrote: Reference: http://dnssec-debugger.verisignlabs.com/imouto.my How to configure named (version BIND 9.9.2-P1-RedHat-9.9.2-2.P1.el5) so that expired RRSIG data doesn't stay in the zone? I heard it has something to do with the TTL of the zone (the expiry timer

Re: Disabling A records for IPv6?

2012-12-28 Thread Phil Mayers
Robin Lee Powell wrote: > So I've got some IPv6-only VMs set up that need to talk to the general internet for things like downloading packages. As you can imagine, this requires that they have NAT64 and DNS64, because lots and lots of things are IPv4 only. The problem is that many things

Re: Disabling A records for IPv6?

2012-12-28 Thread Phil Mayers
> On Fri, Dec 28, 2012 at 07:57:24PM +, Phil Mayers wrote: >> Robin Lee Powell wrote: >>> So I've got some IPv6-only VMs set up that need to talk to the general internet for things like downloading packages. As you can imag

Re: Disabling A records for IPv6?

2012-12-28 Thread Phil Mayers
I'm still a bit dubious - node is pretty new and it seems crazy such a new framework would spoon up getaddrinfo() - are you sure it isn't an os or stack config issue? Phil Mayers wrote: > Not hard - rpz zone with a single record will do it. I'm not typing on an ideal device to g

Re: rndc reconfig does not work

2012-12-29 Thread Phil Mayers
On 12/29/2012 11:09 AM, Carsten Strotmann wrote: For some configuration changes (for example change of IP addresses to listen on, change of fundamental operations, new log-file entries) the BIND nameserver requires a full restart, esp. if BIND is running as a non-privileged user (not "root"), a

Re: query about EDNS UDP Packet

2012-12-31 Thread Phil Mayers
On 12/31/2012 10:54 AM, Gaurav Kansal wrote: I just want to test whether this limit is within my organization. Is any method available by which I can check this? https://www.dns-oarc.net/oarc/services/replysizetest

Re: Distribute named.conf

2013-01-03 Thread Phil Mayers
On 03/01/13 11:06, Joerg Stephan wrote: Hi all, we are currently using PowerDNS on our 12 Nameservers. Now we are thinking about a migration to bind. So we are seeking a way to distribute the named.conf.x for the several zone files. Currently this is solved by powerdns via mysql replication. Is
