Re: Distribute named.conf

2013-01-03 Thread Phil Mayers
On 03/01/13 14:36, Warren Kumari wrote: Yup, have a look at Puppet. For the first while it will seem like way way more work than it is worth (and the whole declarative language bit makes my head hurt) but after investing a few hours getting things setup you'll wonder how you ever managed withou

Re: set directory for "auto" key files

2013-01-07 Thread Phil Mayers
On 07/01/13 14:31, Michael W. Lucas wrote: Hi, Running BIND 9.9 on FreeBSD. named wants to write managed-keys.bind & the journal file in named's root directory. I can change that with the "directory" option, but then I have to move all the other directories. Company security policy is that name

Re: lame-servers: error (FORMERR) resolving [something]

2013-01-09 Thread Phil Mayers
On 09/01/13 13:53, Daniele wrote: This is the scenario. I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04, virtualized on VirtualBox. The network works properly because if I indicate a different server from my own BIND9 (the first line of '/etc/resolv.conf' is, for example, `name

Re: injecting a temp entry into dns cache

2013-02-04 Thread Phil Mayers
On 02/02/2013 09:41 PM, Veaceslav Revutchi wrote: There is a credit union website that our users access from work and their dns has been broken for the past few days where the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call the

Re: Selective resolution in a corporate environment

2013-02-05 Thread Phil Mayers
On 05/02/13 15:16, funky monkey wrote: But to get back to what I'm often asked for, more as a tactical solution, is there any way of being able to subvert specific DNS names with alternate responses, whilst leaving the rest of the resolution to be obtained in the normal way - I know that doesn't

Re: Selective resolution in a corporate environment

2013-02-05 Thread Phil Mayers
On 05/02/13 15:36, funky monkey wrote: Could you sandwich that in a forwarding chain - say have a bind 9. in between your normal forwarders to internet, and does it just look for the entries you've specified as either alternate data or does not exist, but otherwise, carries on to forward to an a
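One way to do what funky monkey is asking for (override specific names, leave everything else to normal resolution) is a BIND response policy zone. The following is an added example, not code from the thread or from BIND: it builds an RPZ zone file from a small policy table and simulates how the QNAME trigger picks a policy. The action encodings are those of ISC's RPZ zone format (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. for an exemption, ordinary records for alternate data); the zone name rpz.example.com and the policy entries are constructed.

```python
"""Build an RPZ policy zone from a small policy table and simulate its QNAME matching.
Standard library only; zone name and policy entries are constructed for the example."""

# RPZ action encodings (ISC RPZ zone format): the CNAME target selects the action.
NXDOMAIN = "."               # CNAME .              -> client is told NXDOMAIN
NODATA = "*."                # CNAME *.             -> client gets NOERROR with no records
PASSTHRU = "rpz-passthru."   # CNAME rpz-passthru.  -> resolve normally (exempt a name)
# Anything else is "local data": a list of (type, rdata) pairs answered instead of the real records.

def policy_records(qname, action, subdomains=True):
    """RRs for one QNAME trigger as (relative owner, type, rdata). With subdomains=True a
    wildcard owner is added too, which is how a whole subtree is covered."""
    owners = [qname.rstrip(".").lower()]
    if subdomains:
        owners.append("*." + owners[0])
    if isinstance(action, str):
        return [(o, "CNAME", action) for o in owners]
    return [(o, rtype, rdata) for o in owners for rtype, rdata in action]

def build_rpz_zone(origin, policies, serial, contact="hostmaster.example.com."):
    """Zone-file text for the policy zone. policies: [(qname, action, subdomains)].
    The apex still needs SOA and NS like any zone; NS localhost. is the usual placeholder."""
    lines = [
        "$TTL 60",
        "$ORIGIN %s" % origin,
        "@ IN SOA localhost. %s %d 3600 900 604800 60" % (contact, serial),
        "@ IN NS localhost.",
    ]
    for qname, action, subdomains in policies:
        for owner, rtype, rdata in policy_records(qname, action, subdomains):
            lines.append("%s IN %s %s" % (owner, rtype, rdata))
    return "\n".join(lines) + "\n"

def rpz_match(policies, qname):
    """Approximate the QNAME trigger: an exact owner wins, otherwise the most specific
    wildcard owner that covers the name. Returns the action or None (resolve normally)."""
    owners = {}
    for pol_qname, action, subdomains in policies:
        for owner, _rtype, _rdata in policy_records(pol_qname, action, subdomains):
            owners.setdefault(owner, action)
    name = qname.rstrip(".").lower()
    if name in owners:
        return owners[name]
    labels = name.split(".")
    for i in range(1, len(labels)):           # *.b.c.d, then *.c.d, then *.d
        wild = "*." + ".".join(labels[i:])
        if wild in owners:
            return owners[wild]
    return None

# Constructed policy table.
POLICIES = [
    ("bad.example.net.", NXDOMAIN, True),                     # name and everything under it
    ("ok.bad.example.net.", PASSTHRU, False),                 # carve one host out of the block
    ("intranet.example.com.", [("A", "192.0.2.10")], False),  # answer with alternate data
    ("tracker.example.org.", NODATA, True),                   # exists, but has no records
]

if __name__ == "__main__":
    print(build_rpz_zone("rpz.example.com.", POLICIES, 2013020501))
    for q in ("www.bad.example.net.", "ok.bad.example.net.", "intranet.example.com.", "www.example.com."):
        print(q, "->", rpz_match(POLICIES, q))
```

Load the generated file as an ordinary master zone on the recursive server and name it in the options block with `response-policy { zone "rpz.example.com"; };`. Names not in the table are untouched, which is the "leave the rest alone" requirement; the passthru entry is also how you exempt one host from a broader block.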

Re: adding DS record via nsupdate

2013-02-06 Thread Phil Mayers
On 02/06/2013 12:56 AM, Doug Barton wrote: I do the following as an example: nsupdate -d server zone test.net update add subzone.test.net IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F I don't think this makes sense. Shouldn't you have a proper zone for subzone.test.net? What

Re: libbind 6.0

2013-02-08 Thread Phil Mayers
On 08/02/13 18:07, Jack Tavares wrote: I have been using libbind(6.0) to do dynamic updates via res_mkupdate() Out of curiosity, is there any reason not to port the code to something running in a higher-level language (or wrapper/script "nsupdate"?) FWIW we use dns-python for this.

Re: Slaving from DNS masters behind LVS

2013-02-13 Thread Phil Mayers
On 13/02/13 14:30, Nick Urbanik wrote: I think that it is not necessarily always true that you should avoid a load balancer. Every day, our DNS caches are answering about 140,000 queries per second. I think that it is rather hard to configure resolvers to query only three machines yet still m

Re: Slaving from DNS masters behind LVS

2013-02-13 Thread Phil Mayers
On 13/02/13 15:34, Tony Finch wrote: Nick Urbanik wrote: I think that it is not necessarily always true that you should avoid a load balancer. Every day, our DNS caches are answering about 140,000 queries per second. I think that it is rather hard to configure resolvers to query only three m

Re: Unwanted resolver usage of /etc/host.conf

2013-02-25 Thread Phil Mayers
I don't believe it is correct to say "unused". Host.conf is still parsed and various directives obeyed. An absent / empty file may well be a sane default, but glibc still reads the file - just "strace" any process doing a name lookup. Fwiw fedora 18 has: multi on ...in the file. > >the host

Re: disabling lame server logging

2013-02-26 Thread Phil Mayers
On 26/02/13 13:54, Robert Moskowitz wrote: I would be interested in which client is requesting these lookups that end up going to lame servers. I am assuming the IP address in the log is the address of the lame server, not the requesting client. Look at the query logs?

Re: disabling lame server logging

2013-02-26 Thread Phil Mayers
On 26/02/13 14:31, Robert Moskowitz wrote: On 02/26/2013 09:25 AM, Robert Moskowitz wrote: On 02/26/2013 09:13 AM, Phil Mayers wrote: On 26/02/13 13:54, Robert Moskowitz wrote: I would be interested in which client is requesting these lookups that end up going to lame servers. I am

Re: disabling lame server logging

2013-02-26 Thread Phil Mayers
On 26/02/13 14:50, Robert Moskowitz wrote: Yes. Note that you can enable this by default in the "options" statement. This is all pretty well documented and easy to find in the ARM... This is traffic I only want occasionally! I am trying to reduce the logging size to find new problems. Fair

Re: name caching and forwarding

2013-02-26 Thread Phil Mayers
On 26/02/13 16:07, Robert Moskowitz wrote: And I am having challenges with the forward option. It reads that 'forward only' will always ask the forwarder about the query and seems to defeat caching? And 'forward first' only looks in cache after a forward fails? This does not sound right and I

Re: Problems with resolving a local tld

2013-02-28 Thread Phil Mayers
Our experience has been they break, unexpectedly and in hard to troubleshoot ways. FQDN for the win! Vernon Schryver wrote: > >With "search" lists in /etc/resolv.conf (and the Windows equivalent) >or checking /etc/hosts (and the Windows equivalent) before DNS (while >ignoring the DNS ubber all

Re: a lot of transfer when slave start

2013-03-05 Thread Phil Mayers
On 05/03/13 11:39, Felix New wrote: Hi all, we have one master server and several slave servers with Bind 9.9.2-P1, and service for about 50K zones. I shut down one slave, start it, then a lot of transfer between the slave and server: log segment(rand zone for test): *** 05-Mar-2013 18:36:18.675

100% CPU / wedge with 9.8.3-P4 & RPZ?

2013-03-16 Thread Phil Mayers
All, In the last 12 hours, we've had repeated instances of named getting wedged. The symptoms are: * named consuming nearly 100% CPU, all in user-time * lots of queries apparently not processed, and based on query logging, a sharp drop in the rate of queries that are * a very sharp drop (a

Re: 100% CPU / wedge with 9.8.3-P4 & RPZ?

2013-03-16 Thread Phil Mayers
On 03/16/2013 12:43 PM, Matus UHLAR - fantomas wrote: On 16.03.13 11:39, Phil Mayers wrote: In the last 12 hours, we've had repeated instances of named getting wedged. The symptoms are: * named consuming nearly 100% CPU, all in user-time * lots of queries apparently not processed, and bas

Re: 100% CPU / wedge with 9.8.3-P4 & RPZ?

2013-03-16 Thread Phil Mayers
On 03/16/2013 02:21 PM, Vernon Schryver wrote: From: Phil Mayers In the last 12 hours, we've had repeated instances of named getting wedged. The symptoms are: * named consuming nearly 100% CPU, all in user-time * lots of queries apparently not processed, and based on query logging, a

Re: 100% CPU / wedge with 9.8.3-P4 & RPZ?

2013-03-16 Thread Phil Mayers
On 03/16/2013 03:31 PM, Vernon Schryver wrote: To debug and so have the least hope of eventually fixing this or any similar problem, I would build BIND with -g and capture a core file and associated libraries for a hung example. Whether your guess blaming RPZ is right or wrong, no progress is l

Re: 100% CPU / wedge with 9.8.3-P4 & RPZ?

2013-03-16 Thread Phil Mayers
On 03/16/2013 06:46 PM, Vernon Schryver wrote: From: Phil Mayers It's unfortunate I wasn't able to obtain one; gdb wasn't installed on the box, and I couldn't get the package installed because DNS was down. Depending on the flavor of the system and its configuration,

Re: OT: UK Routing issue

2013-03-16 Thread Phil Mayers
On 03/16/2013 06:52 PM, waynemerricks wrote: Any help of where to go next would be appreciated, apologies in advance if this is not suitable for the Bind lists. Nanog? UKNof? Any other routing/ops-related list?

Re: Dig for link-local

2013-03-25 Thread Phil Mayers
On 25/03/13 09:19, Alok Raj wrote: Hi Guys, Basically I am trying to do the following: 1) If I use link-local ipv6 address (of domain controller) in my resolv.conf, my resolver routines (glibc 2.13) is not able to resolve a domain name to an ip address, though I am able to ping that l

Re: Dig for link-local

2013-03-25 Thread Phil Mayers
On 25/03/13 16:20, Kevin Darcy wrote: Works fine for me on RedHat 5.7 without a scope-identifier in /etc/resolv.conf. I notice, however, that the stock dig (9.3.6-P1-RedHat-9.3.6-16.P1.el5, yeah, I know I should upgrade) shows the scope identifier in its output: ;; SERVER: fe80::250:56bf:fe8d:47

Re: Dig for link-local

2013-03-25 Thread Phil Mayers
On 25/03/13 17:13, Phil Mayers wrote: On 25/03/13 16:20, Kevin Darcy wrote: Works fine for me on RedHat 5.7 without a scope-identifier in /etc/resolv.conf. I notice, however, that the stock dig (9.3.6-P1-RedHat-9.3.6-16.P1.el5, yeah, I know I should upgrade) shows the scope identifier in its

Re: Hack Attempt?

2013-03-27 Thread Phil Mayers
On 27/03/13 15:57, Manson, John wrote: Found this entry in external named log: Mar 26 20:07:18 local@mercury named[4043]: [ID 873579 daemon.notice] client *72.13.58.93*#39043: view outhouse: notify question section contains no SOA This IP is not one of mine. Does the word ‘notify’ related to z

Re: Auto-dnssec maintain and 'continuous' resigning

2013-04-03 Thread Phil Mayers
On 04/01/2013 07:36 PM, Carlos M. Martinez wrote: Reframing the question in more general terms... Which events trigger a zone re-sign and reload when using "auto-dnssec maintain" ? As someone else has already said, zone updates, signature expiration and key events. In particular, it's normal

Re: RPZ and negative answers

2013-04-04 Thread Phil Mayers
On 04/04/2013 12:50 AM, Chris Buxton wrote: Thanks for the explanation. It seems to me this is a gap in coverage of RPZ -- the algorithm should be updated, in my opinion, to cover the case of a negative answer. AIUI it's a deliberately limited mechanism aimed at preventing resolution of harmf

Re: Auto-dnssec maintain and 'continuous' resigning

2013-04-04 Thread Phil Mayers
On 04/04/13 16:55, Carlos M. Martinez wrote: Thank you very much for all the bits, certainly very helpful. My problem is that this cycle of zone signing triggers zone number increases and generates dozens of NOTIFY messages and the corresponding zone transfers to all slaves within a short period

Re: Simple question about zone and CNAME

2013-04-05 Thread Phil Mayers
On 04/05/2013 10:13 AM, Thomas Manson wrote: @ IN CNAME somehost.com Correct. CNAMEs are mutually exclusive with other records (DNSSEC signatures excepted) and zone apex requires SOA and NS. How can I achieve this configuration ? You will have to use an A record.

Re: Simple question about zone and CNAME

2013-04-05 Thread Phil Mayers
On 05/04/13 14:16, Warren Kumari wrote: DNAME? DNAME doesn't do it, because it directs a sub-tree, not the name itself. You'd need the DNAME in the parent zone, and if you can do that, you can just put two CNAMES (zone and *.zone).

Re: Simple question about zone and CNAME

2013-04-05 Thread Phil Mayers
Sam Wilson wrote: >In article , > Chris Thompson wrote: > >> On Apr 5 2013, John Wobus wrote: >> >> >> DNAME? >> > >> >Or SRV records. Surely browsers are adding support >> >in the next day or two? >> >> Come on, April 1 has been over for too long for this. >> >> Incidentally, we have just

Re: Simple question about zone and CNAME

2013-04-08 Thread Phil Mayers
On 08/04/13 14:46, Sam Wilson wrote: In article , Phil Mayers wrote: Sam Wilson wrote: [adding an A record for ed.ac.uk.] If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things. Which is exactly the opposite of what our AD guys said, but not

Re: Simple question about zone and CNAME

2013-04-09 Thread Phil Mayers
On 04/08/2013 06:59 PM, Novosielski, Ryan wrote: Someone can correct me if I'm wrong, but I think they'd be right if and only if the webserver they're adding the A record for happens to also be the AD server. In principle that's correct. In practice, running a publicly accessible webserver on

Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Phil Mayers
On 16/04/13 12:41, Kebba Foon wrote: my server is not an open recursive server its only open to my clients and these are not even from my country. You're right, it's probably a spoofed-source DNS amplification attack. If your DNS server isn't open (good to hear) you could consider just ACLi

Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Phil Mayers
On 16/04/13 14:04, Denis Laventure wrote: These seem like some attack going on, after reading the mails I also checked my recursive server and found a lot of these in my logs: my server is not an open recursive server it's only open to my clients and these are not even from my country. Same her

Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Phil Mayers
On 16/04/13 14:28, Denis Laventure wrote: Instead of blocking the source (which aren't even real - they're spoofed) why not just block access to your recursive resolver on port 53. I need my DNS server to resolve for my authoritative domain, I have 30+ domains here I can't block access to port
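The point made in this thread is that the "sources" in the log are spoofed victims, so a block list keyed on source address is the wrong tool; what the log does tell you is which query is being reflected. The following is an added example, not from the thread or from BIND: it parses query-log lines in the BIND 9.8/9.9 `queries` category format and reports repeated identical large-answer UDP queries per source. The log lines are constructed for the example (the victims here are in documentation address space), as is the threshold.

```python
"""Pick out a spoofed-source amplification pattern from BIND query-log lines.
Standard library only; the log lines below are constructed in the BIND 9.8/9.9
'queries' category format, not taken from the thread."""
import re
from collections import Counter, defaultdict

# client <src>#<port>: query: <qname> <class> <type> <flags> (<server address>)
# flags: '+' or '-' (recursion desired or not), then E (EDNS), T (TCP), D (DO), C (CD) as set.
LOG_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: (?P<qname>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[0-9A-Fa-f.:]+)\)")

def parse_query_line(line):
    """Fields of one query-log line, or None if it is not a query line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def amplification_report(lines, min_queries=3, big_types=("ANY", "TXT", "DNSKEY", "RRSIG")):
    """Repeated identical large-answer queries over UDP from one 'source' are the
    amplification signature. The source is the victim, not the attacker, so the report
    is keyed on what is being asked rather than on who to block."""
    counts = Counter()
    ports = defaultdict(set)
    for line in lines:
        q = parse_query_line(line)
        if q is None or "T" in q["flags"] or q["qtype"].upper() not in big_types:
            continue          # TCP cannot be usefully spoofed; small answer types do not amplify
        key = (q["src"], q["qname"].lower(), q["qtype"].upper())
        counts[key] += 1
        ports[key].add(q["port"])
    return [{"src": src, "qname": qname, "qtype": qtype, "count": n,
             "distinct_ports": len(ports[(src, qname, qtype)])}
            for (src, qname, qtype), n in counts.most_common() if n >= min_queries]

# Constructed sample: two spoofed victims hammered with isc.org/ANY (note the fixed source
# port 53, a common reflection pattern), plus ordinary traffic that must not be reported.
SAMPLE_LOG = """\
16-Apr-2013 12:41:03.101 client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.53)
16-Apr-2013 12:41:03.104 client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.53)
16-Apr-2013 12:41:03.110 client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.53)
16-Apr-2013 12:41:03.115 client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.53)
16-Apr-2013 12:41:03.120 client 198.51.100.4#53: query: isc.org IN ANY +E (192.0.2.53)
16-Apr-2013 12:41:03.122 client 198.51.100.4#53: query: isc.org IN ANY +E (192.0.2.53)
16-Apr-2013 12:41:03.130 client 198.51.100.4#53: query: isc.org IN ANY +E (192.0.2.53)
16-Apr-2013 12:41:03.140 client 192.0.2.77#49211: query: www.example.com IN A + (192.0.2.53)
16-Apr-2013 12:41:03.150 client 192.0.2.78#51000: query: example.com IN ANY +ET (192.0.2.53)
16-Apr-2013 12:41:03.160 client 192.0.2.78#51001: query: mail.example.com IN MX + (192.0.2.53)
"""

if __name__ == "__main__":
    for row in amplification_report(SAMPLE_LOG.splitlines()):
        print(row)
```

On a resolver that is meant to be closed, the answer the report points at is to make sure `allow-recursion` only lists your own clients, so that the reflected answer to everyone else is a small REFUSED rather than the full ANY response; for the authoritative zones you must keep serving on port 53, response rate limiting (discussed later on this page) is the matching control.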

Re: Response Rate Limiting Patch

2013-05-10 Thread Phil Mayers
On 10/05/13 17:41, Wilson, Lesley-Anne wrote: Hello, Has anyone here implemented Response Rate Limiting? If so have you Yes, recently. experienced any bugs with the RRL Patch for BIND 9.9.2? Can the feature No bugs. I'm not a huge fan of the logging categories, but that's a personal thing

Re: Negative zones; NXDOMAIN responses

2013-05-21 Thread Phil Mayers
On 05/21/2013 08:23 AM, Matus UHLAR - fantomas wrote: On 21.05.13 11:03, Mark Andrews wrote: The simplest solution is to slave the root zone and turn off notify to so you don't spam the official root servers. 192.5.5.241 is f.root-servers.net. zone "." IN { type slave;

Re: Negative zones; NXDOMAIN responses

2013-05-21 Thread Phil Mayers
On 05/21/2013 08:39 AM, Phil Mayers wrote: ICANN run a specific AXFR service for various infrastructure zones: http://dns.icann.org/services/axfr/ ...which IIRC some configs for root-slaving (FreeBSD?) use by default. I should probably add that, AFAICT, opinion about the value of slaving

Re: Negative zones; NXDOMAIN responses

2013-05-21 Thread Phil Mayers
On 05/21/2013 09:28 AM, Doug Barton wrote: ...which IIRC some configs for root-slaving (FreeBSD?) use by default. It's not used by default, but it is in the config, commented out. Ah, faulty RAM on my part ;o)

Re: any requests

2013-06-03 Thread Phil Mayers
Leonard Mills wrote: >If your some of your clients are SMTP relays, then ANY is the default >lookup for an MX and is perfectly normal. > Not correct. This is only done by some brokenware. The vast majority of mtas do correct MX and a/ lookups. And as has been pointed out elsewhere in the t

Re: listen-to clusterIP address

2013-06-05 Thread Phil Mayers
On 06/05/2013 07:37 PM, paul wrote: Hi. I have a two node active passive cluster serving webpages. When a failover occurs, I have to restart named on the now active node because You don't have to restart it. "rndc reconfig" will re-check the IPs on the machine and re-listen. the cluster Ip

Re: listen-to clusterIP address

2013-06-05 Thread Phil Mayers
Peter Andreev wrote: >2013/6/5 Phil Mayers > >> On 06/05/2013 07:37 PM, paul wrote: >> >>> Hi. I have a two node active passive cluster serving webpages. When >a >>> failover occurs, I have to restart named on the now active node >because >>>

Re: listen-to clusterIP address

2013-06-05 Thread Phil Mayers
On 05/06/13 20:06, paul wrote: Thanks for the quick reply. rndc reconfig has the same problem as a restart. I need to automatically listen to the new ip address without manual intervention. "rndc reconfig" need not be manual - surely your cluster software can execute a script on IP failover?

Re: listen-to clusterIP address

2013-06-05 Thread Phil Mayers
On 05/06/13 12:42, Mark Andrews wrote: Use IPv6 and listen-on-v6 { any; };. The IPv4 socket api doesn't have the hooks to force the UDP replies from the correct address. The IPv6 socket api has more functionality. For what it's worth, there is code to do this in other projects: https://gith

Re: This list's prefix

2013-06-05 Thread Phil Mayers
On 05/06/13 17:43, Narcis Garcia wrote: It's not the only mailing list where I'm subscribed. Could please the administrator setup a prefix for messages' subject? This is getting to be an FAQ. Please read this entire (recent) thread: https://lists.isc.org/pipermail/bind-users/2013-May/090574.ht

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Phil Mayers
On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote: 1) If everyone on the planet were to somehow magically and immediately be converted over to DNSSEC tomorrow, then would DNS amplification attacks become a thing of the past, starting tomorrow? Does DNSSEC "solve" the DNS amplification attack p

Re: Rate-Limit Question

2013-06-14 Thread Phil Mayers
On 14/06/13 15:27, Manson, John wrote: We are running Bind 9.9.2 and would like to invoke the rate-limit option but named says ‘unknown option’. Do we need to upgrade bind to get this option? You need to apply the patches here: http://ss.vix.su/~vjs/rrlrpz.html It's not built into bind (yet)

Re: Answers from cache or authority section?

2013-06-25 Thread Phil Mayers
On 25/06/13 16:53, John Horne wrote: servers. However, there is a whole load of muttering that Microsoft and AD won't like that; it's all integrated with each other; running the DNS zone on Linux servers will be a problem with the MS servers etc etc. I'm sure you know this, but just in case -

Re: How to suppress ADDITIONAL SECTION per zone

2013-07-01 Thread Phil Mayers
On 01/07/13 12:02, blrmaani wrote: We are noticing that a handful of our domains are being used for amplification attacks and we would like to reduce outgoing (DNS response) packet size. One solution is to reduce the additional sections in the response for these handful zones and I would like to

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Phil Mayers
On 12/07/13 11:11, Arie L. Putra wrote: Does anyone have experience of how RPZ with a huge list will impact BIND performance, will it reduce DNS response time? we have six DNS server that will point to this server, each server is serving about 15Mbps of DNS Traffic on peak hour. We don't have that

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-18 Thread Phil Mayers
On 18/07/13 14:35, Barry S. Finkel wrote: The SOA RNAME should work: fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200 In my years as a DNS administrator, about 50% of the time I tried to send e-mail to the SOA RNAME, that mail was returned

Re: DNSSEC troubleshooting on a recursive server.

2013-08-07 Thread Phil Mayers
On 08/07/2013 12:09 AM, Grant Keller wrote: Hello, We have 7 recursive DNS servers running Bind 9.9.2, and we are seeing some strange behavior validating DNSSEC. We have seen this happen a few times, and in the past the problem has gone away when the server is rebooted, so my first guess is that

Re: DNSSEC troubleshooting on a recursive server.

2013-08-08 Thread Phil Mayers
On 08/08/13 17:22, Grant Keller wrote: Its strange, I get the records when querying one of my other DNS servers: As per my original email - firewall? middlebox? crazy ISP transparent caching DNS server? I would break out tcpdump; clear the cache on the affected server, re-do the dig, then

Re: RPM SPEC file for el6

2013-08-16 Thread Phil Mayers
On 16/08/2013 16:58, Samuel Lentz wrote: I am trying to build 9.9.3-P2 RPM for CentOS 6. Is there a spec file that I can use? I have been searching the mail list and google and can't find anything official for 9.9.x Carl Byington does a nice one: http://www.five-ten-sg.com/mapper/bind ...whi

Re: RPM SPEC file for el6

2013-08-17 Thread Phil Mayers
Samuel Lentz wrote: >So will this be able to be a drop in replacement for bind in CentOS 6? > Yes. We use it for exactly that. Why not just try it? -- Sent from my phone with, please excuse brevity and typos

Re: ISO or virtual appliance

2013-08-22 Thread Phil Mayers
On 22/08/13 10:05, Manish Rane wrote: Well, I was thinking on the same line. Use nagios plugins check_tcp and monitor the status. The only challenge I am seeing here is updating zone and nsupdate I believe can only work with Dynamic zones and not with static entries. Either: * Make the zone d

Re: ISO or virtual appliance

2013-08-22 Thread Phil Mayers
On 22/08/13 11:10, Manish Rane wrote: Hmm...can you please elaborate more. I mean in that case how the IP addresses or A records will be removed as the one CNAME entry is pointed to 2 hostnames. Or would you want to monitor www.lb.example.com instead of www.examp

Re: ISO or virtual appliance

2013-08-22 Thread Phil Mayers
On 22/08/13 11:09, Niall O'Reilly wrote: On 22 Aug 2013, at 10:49, Phil Mayers wrote: * Make the service name a CNAME into another small dynamic (sub-)zone. This is what most DNS-based LB do e.g. www.example.com CNAME www.lb.example.com, then make "lb.example.com" a small, dyna

Re: after Install

2013-08-22 Thread Phil Mayers
On 22/08/13 11:05, Nidal Shater wrote: Hi After I installed bind9, by using configuration,make and make install, I typed "/etc/init.d/named restart" to test Bind, but linux(centos6.3) return this : "/etc/init.d/named: No such file or directory" "make install" does not install a SysV init script

Re: Who is right?

2013-09-06 Thread Phil Mayers
On 09/06/2013 08:27 AM, Marco Davids (SIDN) wrote: dig ANY example.org @.. ANY is a tricky record to send to a recursive server. Some DNS servers (e.g. bind) just return anything in-cache. Others (e.g. unbound) do things differently. In short: ANY is a debugging tool and can't be relie

Re: ZSK rollover weirdness

2013-09-06 Thread Phil Mayers
On 06/09/13 17:39, Tony Finch wrote: It is the same key as 14565 but the addition of the revoke bit has changed the tag. Oops yes, not crazy flags - revoke bit.

Re: ZSK rollover weirdness

2013-09-06 Thread Phil Mayers
On 06/09/13 17:28, Lawrence K. Chen, P.Eng. wrote: And, the prior ZSK was 14565 ; This is a zone-signing key, keyid 14565, for ksu.edu. ; Created: 2013060109 (Sat Jun 1 04:00:00 2013) ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013) ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)

Re: Problem with forward zone in view

2013-09-08 Thread Phil Mayers
On 09/08/2013 11:38 AM, Carol Overes wrote: Hi Steve, Thanks for your response. On Sun, Sep 08, 2013 at 10:57:15AM +0100, Steven Carr wrote: You will need to perform a packet capture on the DNS server itself, from a client they query for records in domain2.com and then analyse the packet captur

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Phil Mayers
On 10/09/13 17:22, Nicholas F Miller wrote: We have a winner! I disabled RPZ on a test DNS server and the problem went away. We do not have a whitelist zone so the issue must be with RPZ zones in general (or the format of the RPZ zone file). We see the same behaviour, and likewise don't have a

Re: How can I determine if 9.9.4 bind named executable was built with --enable-rrl?

2013-09-24 Thread Phil Mayers
On 24/09/13 18:06, Red Cricket wrote: Hi, I understand to be able to use rate-limiting with BIND 9.9.4 it needed to have been built with this "./configure --enable-rrl" configure command. But what if I am not the person that builds named? How can I determine if it was built with rate-limiting?

Re: One zone in 2 views

2013-09-26 Thread Phil Mayers
On 26/09/13 16:02, Evan Hunt wrote: BIND 9.10 is going to include the ability to reference the same zone from more than one view, sparing the need to keep two copies in memory and deal with intra-server zone transfers. Interesting; static zones only, or dynamic ones too?

Re: Recursive server forwarding dynamic updates

2013-10-01 Thread Phil Mayers
On 10/02/2013 07:51 AM, Bojan Tomic wrote: Hi, I'm looking for a way to setup a recursive/forwarding named server to forward dynamic updates See "allow-update-forwarding" in the ARM. Obviously you will lose source IP / TSIG key info, so will need to perform access checks at the forwarding se

Re: Recursive server forwarding dynamic updates

2013-10-02 Thread Phil Mayers
On 02/10/13 11:31, Mark Andrews wrote: Also TSIG signatures are preserved when UPDATE requests are forwarded. TSIG was designed to allow signed messages to be forwarded. The ID field is not covered by the the TSIG to allow the message to be forwarded. The slave does NOT have to know the shared
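The forwarding case Mark Andrews describes above (the forwarder relabels the UPDATE with its own transaction ID, and the TSIG still verifies at the master because the TSIG RR carries the original ID) is easy to see on the wire. The following is an added example, not code from the thread or from BIND: it builds an RFC 2136 UPDATE, signs it with an RFC 2845 TSIG (hmac-sha256), relabels the header ID as a forwarder would, and verifies it both the right way and the naive way. The key name, secret, zone and record data are constructed; a real key comes from tsig-keygen or dnssec-keygen.

```python
"""RFC 2136 UPDATE with an RFC 2845 TSIG (hmac-sha256), and the check a master does on an
UPDATE that a forwarder has relabelled with its own transaction ID. Standard library only;
key name, secret and zone data are constructed for the example."""
import hashlib
import hmac
import struct
import time

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALG = "hmac-sha256."

def encode_name(name):
    """Uncompressed, lower-cased wire-format name (RFC 1035 s3.1)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, off):
    """Read an uncompressed name; return (text, offset after it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_update(zone, rrs, msg_id):
    """UPDATE (RFC 2136): one zone entry, no prerequisites, the given RRs to add.
    rrs: list of (owner, type, class, ttl, rdata bytes)."""
    hdr = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(rrs), 0)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for owner, rtype, rclass, ttl, rdata in rrs:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return hdr + body

def _tsig_vars(keyname, signed_at, fudge, error=0, other=b""):
    """The TSIG variables covered by the MAC (RFC 2845 s3.4.2)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
            + signed_at.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, keyname, secret, signed_at=None, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message (original ID, ARCOUNT without
    the TSIG) plus the TSIG variables. The original ID is stored in the TSIG rdata."""
    signed_at = int(time.time()) if signed_at is None else signed_at
    mac = hmac.new(secret, msg + _tsig_vars(keyname, signed_at, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALG) + signed_at.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def _split_tsig(signed):
    """Separate the trailing TSIG RR from the message it signs (names are uncompressed here)."""
    _, _, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(zo):                   # zone section entry: name, type, class
        _, off = read_name(signed, off)
        off += 4
    for _ in range(pr + up + ad - 1):     # every RR but the TSIG: name, 10-byte fixed part, rdata
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = read_name(signed, off)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10
    if rtype != TYPE_TSIG:
        raise ValueError("last RR is not a TSIG")
    alg, off = read_name(signed, off)
    signed_at = int.from_bytes(signed[off:off + 6], "big")
    fudge, maclen = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + maclen]
    off += 10 + maclen
    original_id, error, otherlen = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + otherlen]
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    return unsigned, keyname, alg, signed_at, fudge, mac, original_id, error, other

def tsig_verify(signed, secret, now=None, restore_original_id=True):
    """Recompute the MAC as the master does. The header ID is replaced by the TSIG's
    original ID, which is what lets a forwarded (relabelled) UPDATE still verify."""
    unsigned, keyname, alg, signed_at, fudge, mac, original_id, error, other = _split_tsig(signed)
    now = int(time.time()) if now is None else now
    if alg != ALG or abs(now - signed_at) > fudge:
        return False
    if restore_original_id:
        unsigned = struct.pack("!H", original_id) + unsigned[2:]
    expected = hmac.new(secret, unsigned + _tsig_vars(keyname, signed_at, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def forward(signed, new_id):
    """What a forwarding server does to the header: its own transaction ID, TSIG untouched."""
    return struct.pack("!H", new_id) + signed[2:]

SECRET = b"constructed-example-secret-do-not-reuse"   # constructed for the example
T0 = 1380700000                                       # fixed clock so the run is deterministic

def demo():
    """(signed verifies, forwarded verifies, forwarded fails without original-ID handling, wrong key fails)"""
    msg = build_update("example.net.", [("host1.example.net.", TYPE_A, CLASS_IN, 300, bytes([192, 0, 2, 10]))], 0x1234)
    signed = tsig_sign(msg, "update-key.", SECRET, signed_at=T0)
    relabelled = forward(signed, 0xBEEF)
    return (tsig_verify(signed, SECRET, now=T0),
            tsig_verify(relabelled, SECRET, now=T0),
            tsig_verify(relabelled, SECRET, now=T0, restore_original_id=False),
            tsig_verify(relabelled, b"wrong-key", now=T0))

if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The practical consequence for an allow-update-forwarding setup is the one Mark states: the forwarder needs no copy of the key, and the master's update-policy or allow-update ACL keyed on the TSIG name still applies to the forwarded request exactly as it would to a direct one.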

Distinguishing between parent and DLV sigs

2013-10-07 Thread Phil Mayers
I know DLV probably won't live forever, but lookaside zones might for some time. It doesn't look as if bind distinguishes between a signature in the parent, or a signature in DLV (with "dnssec-lookaside auto"). Am I missing something? If I'm not, could the log message: validating X: ZONE RR

Re: ARIN IP assignments

2013-10-08 Thread Phil Mayers
On 10/08/2013 12:54 AM, Jim Pazarena wrote: I have a client who has been assigned a /20 from ARIN. They asked me to help them with their DNS. The DNS for me is the easy part. except... ARIN has told them that you use the DNS to set up the routing so that the traffic for this /20 gets routed to

Re: Terrible trouble with DNSSEC and GoDaddy

2013-10-14 Thread Phil Mayers
On 10/13/2013 10:34 PM, John Oliver wrote: Venting aside, does anyone have a contact at GoDaddy that doesn't suffer from a terminal case of rectal-cranial inversion? I'm mainly experimenting with DNSSEC, and don't want to move all of my domains over this one issue. But then, if this is the lev

Re: [External] Re: intermittent resolution

2013-11-02 Thread Phil Mayers
On 02/11/2013 15:34, Con Wieland wrote: I added edns-udp-size 512; which solved the issue but after more reading it seems like a better option would be to disable EDNS for the specific hosts since we have had no luck working with them. Looking at the ARM I thought I could add a server statemen

Re: RPZ Errors

2013-11-11 Thread Phil Mayers
On 08/11/13 23:52, Crist Clark wrote: I've just set up an RPZ using a third party feed. I am getting lots and lots of "info" and "warning" messages in the logs. However, I am not sure whether they actually are indicative of a problem that may be impacting operations or just a "nice to know" abo

Re: Can I have Inbound load balancing achieved with below settings

2013-11-14 Thread Phil Mayers
On 13/11/13 22:21, Carl Byington wrote: On Wed, 2013-11-13 at 16:49 -0500, Barry Margolin wrote: It means that users will have to wait for an arbitrary number of timeouts before the browser can give them an error message. Well, the browser *could*

Re: any news/info re: RPZ2+RRL patches for bind 9.9.4-P1?

2013-11-21 Thread Phil Mayers
On 21/11/2013 18:38, /dev/rob0 wrote: On Thu, Nov 21, 2013 at 10:33:18AM -0800, jen...@promessage.com wrote: Seems the question pops up with every bind release; this time I waited for at least a couple of weeks since the bind release. Anyone know what's happening with the RPZ2+RRL patches f

Re: RHEL 6 CPU load

2013-11-21 Thread Phil Mayers
On 21/11/13 14:57, - wrote: Are others seeing the named process run at 130-180% on RHEL 6? We've No. Our RHEL6 boxes run fine.

Re: RHEL 6 CPU load

2013-11-21 Thread Phil Mayers
On 21/11/13 17:30, Sean Channel wrote: What version of BIND did you have on RHEL5? Does your RHEL6 named get any better if you try ‘-U #’ (where # is half or less your cpu count)? We moved from RHEL5 9.8.3 to RHEL6 9.8.3, and saw no performance change. We then upgraded through various versions

Re: Recursive BIND server doesn't execute recursion for IPv6 fd00::/8 reverse zone

2013-11-25 Thread Phil Mayers
On 25/11/13 16:16, Listas wrote: Hi, I'm enabling IPv6 dual stack in my network and my Bind authoritative servers are working perfectly with the ip6.arpa zones. But my Recursive DNS server cannot resolve the reverse zone records from my private network. I tried to make a setup similar to what I

Re: Recursive BIND server doesn't execute recursion for IPv6 fd00::/8 reverse zone

2013-11-25 Thread Phil Mayers
On 25/11/13 17:31, Listas wrote: On 25-11-2013 14:22, Phil Mayers wrote: No, because you told your recursive it was authoritative and gave it an empty zone file. Thank you Phil. But it is a private network zone. The query cannot go to the DNS root servers, must be forwarded to the

Re: Recursive BIND server doesn't execute recursion for IPv6 fd00::/8 reverse zone

2013-11-26 Thread Phil Mayers
On 25/11/13 22:46, Listas wrote: On 25-11-2013 15:42, Phil Mayers wrote: 2. Put a proper zone cut (delegation) into your local master, pointing at your authoritative server Thanks Phil. Your help has been valuable. I think this is exactly what I'm doing here: As Barry pointed ou

Re: bad owner name - Unable to add forward map from Nintendo Wii U ... REFUSED

2013-12-27 Thread Phil Mayers
On 27/12/13 11:16, Matus UHLAR - fantomas wrote: I would ask nintendo to produce a release... Ha ha ;o) No, the only realistic option here is to override the client DDNS hostname option with something sanitised. Since the client-supplied hostname isn't even unique, let alone sane, I would j

Re: Slowing down bind answers ?

2014-01-05 Thread Phil Mayers
On 05/01/2014 13:25, Timothe Litt wrote: To get people's attention, NXDOMAIN to www.* queries is often reasonably Interesting idea; implemented how? It may be better to simply alias (if necessary, route) the old IP Piece of advice for anyone not already doing this; when you deploy recursi

Re: rndc addzone gets permission denied

2014-01-12 Thread Phil Mayers
On 12/01/14 12:17, Georgy Goshin wrote: Selinux disabled, /var/named/slave is 770 and owned by named. Is there a It should go without saying that wholesale disabling of SELinux, if your distro enables it by default, is unwise. If you must, set the specific daemon to disabled. We run with SE

Re: Generic reasons for recursive performance not to peg CPU?

2014-01-13 Thread Phil Mayers
On 13/01/14 01:16, Doug Barton wrote: Howdy, Without going into too much detail, doing some performance testing and am seeing a weird result. On the same systems authoritative queries will happily peg the CPU. However when running recursive queries (with a small zone, all data cached before test

Re: specifics of downgrading from rpz2 (3rd party patch) -> rpz1 (in Bind release) ?

2014-01-13 Thread Phil Mayers
On 13/01/2014 17:27, pgndev wrote: Can anyone clarify specifically the *diff* between rpz1, as in the Bind9 release, and rpz2? Particularly, which specific features/capabilities I need to unwind to get back to 'just' rpz1? IIRC there's no syntax/feature difference. Rather, RPZ2 is a set of (

Re: "Recursive no;" implications?

2014-01-22 Thread Phil Mayers
Alan Clegg wrote: > >In addition to being rate-limited, blocking, etc., I'm sure the Google >servers are instrumented as data collection devices and are providing >data back to someone regarding what DNS is actually doing and being >used for. > >Why else would they do it? 8-) > >AlanC Google ha

Re: retransfer zone from stealth master

2014-02-26 Thread Phil Mayers
On 26/02/14 14:57, Lawrence K. Chen, P.Eng. wrote: How can I get an initial transfer of the zone from a stealth master? Or do I have to wait to get the administrator of the master to give it another kick? rndc retransfer?

RE: Bind vs flood

2014-02-28 Thread Phil Mayers
I think Chris is right here. IIRC even qname policies perform an upstream query - we've seen this reflected in response times. I don't know what it does for servfail but it would certainly be reasonable to pass them unchanged. Remember rpz is deliberately limited. -- Sent from my phone with, pl

Re: Bind vs flood

2014-02-28 Thread Phil Mayers
> >As Cathy mentioned, it's possible to bypass the recursion in RPZ now. >The feature is in the rpz2 patches, which are included with BIND 9.10 >and are also built into some packaged versions of BIND. So I just saw. I hadn't spotted that this was in the rpz2 patches; potentially quite useful. --

Re: disabling stateful firewalls for DNS traffic

2014-03-01 Thread Phil Mayers
On 01/03/2014 14:30, Chuck Anderson wrote: How should these rules be changed to adhere to the Best Practices while not breaking anything and still allowing the servers to do their own DNS lookups? I know theoretically how I would do this, but I'm looking for others' experiences. There are pro

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Phil Mayers
On 06/03/14 08:53, Tony Finch wrote: Jason Hellenthal wrote: I recall spending a LOT of time with DNSSEC figuring out all the nonsense but like anything else stability and friendliness has to start somewhere. And development should not be impeded by adoption of bad practices. Fix the root caus

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Phil Mayers
On 14/03/14 12:28, Maren S. Leizaola wrote: Hello, What do you guys recommend to audit every resource record in a zone file against all the records in all the DNS servers that host the zone file. I want something that I feed the master zone file and then goes to each NS s

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Phil Mayers
Quite right I should have noted the need to canonicalise. -- Sent from my phone with, please excuse brevity and typos

Re: Audit the consistency of zone files on DNS servers

2014-03-15 Thread Phil Mayers
On 15/03/2014 10:09, Maren S. Leizaola wrote: Can someone provide an answer that does not refer to zone transfers? Your original email said: What I want to be able to detect are serial number errors, where a zone has been updated but the serial number has not changed Then you said: I am
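The three messages above (the request to audit every record on every server, the note that records must be canonicalised before comparison, and the distinction between content drift and an un-bumped serial) describe one procedure. The following is an added example written for this page, not code from the thread: it takes the master zone and each server's copy as zone-file text, canonicalises names and whitespace, and reports per server whether the SOA serial matches and which records are missing or extra. The input is constructed; in practice the per-server text would come from `dig @server zone AXFR` where transfers are permitted, or from per-name queries where they are not. The set of record types whose RDATA is treated as case-insensitive is an assumption (the common name-bearing types) and should be extended for other types in your zone.

```python
"""Audit zone consistency across the nameservers that host it.

Added example, not from the thread. Records are handled in presentation form
("owner ttl class type rdata") so the check runs offline on constructed data.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, int, str, str, str]

# Types whose RDATA is, or starts with, a domain name: compare case-insensitively.
# Assumption: the common set; add others (e.g. RRSIG signer) as your zone needs.
_NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "MX", "SRV", "DNAME", "SOA"}


def canon_name(name: str) -> str:
    """DNS names compare case-insensitively; normalise to lower case with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def canon_record(line: str) -> Record:
    """Parse one 'owner ttl class type rdata...' line into a canonical tuple."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"malformed record: {line!r}")
    owner, ttl, rclass, rtype, *rest = fields
    rtype = rtype.upper()
    rdata = " ".join(rest)            # collapse whitespace differences
    if rtype in _NAME_RDATA_TYPES:
        rdata = rdata.lower()
    return (canon_name(owner), int(ttl), rclass.upper(), rtype, rdata)


def parse_zone(text: str) -> Set[Record]:
    recs: Set[Record] = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if line:
            recs.add(canon_record(line))
    return recs


def soa_serial(recs: Set[Record]) -> int:
    for rec in recs:
        if rec[3] == "SOA":
            return int(rec[4].split()[2])      # mname rname SERIAL refresh retry expire minimum
    raise ValueError("zone has no SOA record")


def audit(master_text: str, servers: Dict[str, str]) -> Dict[str, dict]:
    """Compare each server's copy against the master.

    Result per server: serial_ok (SOA serial equals the master's), missing
    (records the master has and the server lacks), extra (the reverse).
    The SOA itself is excluded from the content diff because its serial is
    reported separately.
    """
    master = parse_zone(master_text)
    master_serial = soa_serial(master)
    master_data = {r for r in master if r[3] != "SOA"}
    report: Dict[str, dict] = {}
    for name, text in servers.items():
        served = parse_zone(text)
        served_data = {r for r in served if r[3] != "SOA"}
        report[name] = {
            "serial_ok": soa_serial(served) == master_serial,
            "missing": sorted(master_data - served_data),
            "extra": sorted(served_data - master_data),
        }
    return report


def silent_drift(report: Dict[str, dict]) -> List[str]:
    """Servers whose serial matches the master but whose data does not: the
    'updated but serial not bumped' failure, invisible to serial-only checks."""
    return sorted(s for s, r in report.items()
                  if r["serial_ok"] and (r["missing"] or r["extra"]))


# Constructed sample zones (not real data). ns1 differs only in case,
# ns2 has drifted without a serial bump, ns3 is a stale secondary.
MASTER = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031401 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
ns2.example.test. 3600 IN A 192.0.2.2
www.example.test. 300 IN A 192.0.2.10
mail.example.test. 3600 IN A 192.0.2.20
example.test. 3600 IN MX 10 mail.example.test.
"""
NS1 = MASTER.replace("www.example.test.", "WWW.Example.TEST.").replace("10 mail.", "10 MAIL.")
NS2 = MASTER.replace("192.0.2.10", "192.0.2.11")
NS3 = MASTER.replace("2014031401", "2014031400").replace(
    "mail.example.test. 3600 IN A 192.0.2.20\n", "").replace(
    "example.test. 3600 IN MX 10 mail.example.test.\n", "")

if __name__ == "__main__":
    result = audit(MASTER, {"ns1": NS1, "ns2": NS2, "ns3": NS3})
    for server, r in result.items():
        print(server, "serial_ok=%s missing=%d extra=%d" % (r["serial_ok"], len(r["missing"]), len(r["extra"])))
    print("silent drift on:", silent_drift(result))
```

A serial-only check would pass ns2 here; only the canonicalised record diff catches it.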

Re: Multi-master (HA)

2014-05-06 Thread Phil Mayers
On 06/05/2014 19:39, Evan Hunt wrote: I don't want to influence the conversation here by saying too much about the ideas we've had so far, but I wanted to say: if anyone has specific thoughts on how to make this sort of thing easier in BIND -- even just at the level of "boy, it irritates me that

Re: RPZ and www.rackspace.com

2014-05-07 Thread Phil Mayers
On 07/05/14 15:05, David A. Evans wrote: Can anyone else verify this behavior? What is going on with www.rackspace.com? If this is a misconfiguration on Rackspace's DNS servers how are they not getting hit with support calls like crazy? We don't have any NSDNAME RPZ entries, an

Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Phil Mayers
On 09/05/2014 18:47, Jon Fullmer wrote: (Sorry, let's try that again WITHOUT "smart quotes":) Yeaaahhh that did not work out so well: Content-Type: text/plain; charset="big5" Your apostrophes ended up being a chinese character, CJK UNIFIED IDEOGRAPH-6613 according to Python's unicodedata
