On 16/05/14 05:38, Yossi Eskenazi wrote:
but there are many domains which cannot get through. The problem
appeared rather recently, so I suspect that an update in a firewall
brand, or a dns server update is causing this.
Almost certainly not. It's very likely your network provider or one of
t
On 18/05/14 09:26, Hongyi Zhao wrote:
Yes, I want to let bind/named prefetch records that are being queried
regularly. In this way, I'll have a set of up-to-date cached records
that I've been queried. Can the prefetch function plus caching mode of
bind/named do this for me?
Re-read Marks rep
On 21 May 2014 10:24:23 BST, Klaus Darilion
wrote:
>> Further, I see that sometimes there are no private records at all. When
>> does this happen? (I never called "rndc signing -clear")
>
>It seems that this happens when Bind is restarted.
>
>So, what is the suggested (and reliable) way for ext
On 06/06/14 12:35, Reindl Harald wrote:
Am 06.06.2014 13:28, schrieb Matus UHLAR - fantomas:
On 06.06.14 13:13, Reindl Harald wrote:
why does in case of asking the slave always come a
"WARNING: recursion requested but not available"
even if you dig a A-record he is authoritative?
because you
On 09/07/14 14:16, Reindl Harald wrote:
however, i wonder what takes 90 seconds to load 5000 zones
Depends how big they are.
the records-sql table has 3000 entries for all zones (backend
That is not very big. We've got zones with nearly 1M records in them,
including NSEC/RRSIG.
On 11/07/14 16:45, Steffen Sledz wrote:
We have a local DNS server providing local IPv6 zones (fd44:...).
The server itself is reachable via IPv4 and IPv6 but has no IPv6 uplink.
With our current configuration everything works well, but we've a lot of errors
in the logfile:
"Jul 11 17:39:48 z
On 01/08/14 15:46, Reindl Harald wrote:
if listen-on {0.0.0.0;}; would work a lot of problems
could go away - keep in mind that on modern systemd
systems a service can bind to 0.0.0.0 even before
the network is started
Most people just use "rndc reconfig". In bind 9.10 the routing socket,
on
On 19/08/14 13:12, Bazy V wrote:
$ORIGIN 20.172.IN-ADDR.ARPA.
0.220/24 NS ns2.sub.test.com
You don't need to do this. You just need:
$ORIGIN 20.172.IN-ADDR.ARPA.
220 NS ns2.sub.test.com.
RFC 2317 is only needed for /25 and longer.
On 20/10/14 14:22, Frank Bulk (iname.com) wrote:
We’re using this in a bash shell script. I don’t think there’s a native
shell command to get the IP, so I’ll use a mixture of host and dig as
necessary.
If your system has it, try "getent" e.g.
getent ahosts hostname
On 24/12/14 17:08, Frank Bulk wrote:
Except queries from 96.31.0.5 and 199.120.69.24 reliably return the
while queries from 96.31.0.20 do not. And we're all the same ISP, and in
the one case, from the same /24. I don't think Google is that granular. And
we do have good IPv6 connectivity.
On 06/01/15 22:52, Anne Bennett wrote:
I don't know what to make of this; it looks as though the
technology is several years old, and my experience with ISC
bind is usually excellent. Has anyone else encountered this
type of flakiness?
No, but we're not using client-ip RPZ, just qname-based b
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
# dig +norec +dnssec +nsid @193.104.215.247 ardownload.wip4.adobe.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50062
...versu
On 13/01/15 12:27, Phil Mayers wrote:
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
...and in fact "sit", which is the actual problem option we're hitting
(our 9
On 13/01/15 12:37, Anand Buddhdev wrote:
On 13/01/15 13:27, Phil Mayers wrote:
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
It's not just NSID. They're responding with
On 13/01/15 12:39, Phil Mayers wrote:
On 13/01/15 12:37, Anand Buddhdev wrote:
On 13/01/15 13:27, Phil Mayers wrote:
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
It's no
On 16/01/2015 13:00, John wrote:
But for this to work I would need to enable recursion on the
authoritative server for masters
Why?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing
On 16/01/2015 15:07, John wrote:
On 1/16/2015 8:59 AM, Phil Mayers wrote:
On 16/01/2015 13:00, John wrote:
But for this to work I would need to enable recursion on the
authoritative server for masters
Why?
Because the last time I tried it, it did not work!
Authoritative servers don
On 21/01/15 15:46, eric.berthiaume.exter...@banque-france.fr wrote:
So it does seem to be rolling the changes but jnl files still
persist. It’s not terribly bothering but I would like to know if this
is the normal behavior.
It's normal. The .jnl files contain the data required to perform
On 03/02/15 05:51, Ray Van Dolson wrote:
We have a Lync 2013 environment with all of its DNS records living
within our primary domain (esri.com). I have a need to override all of
the Lync related DNS records so that they resolve differently for a set
of client IP's (clients which connect via VPN
On 09/02/15 01:29, Carl Byington wrote:
On Sun, 2015-02-08 at 16:10 +0200, Eliezer Croitoru wrote:
I had some issues in some old versions of CentOS 6 for a caching
server so I have compiled bind from sources.
You might try the building the source
On 09/02/15 13:00, Reindl Harald wrote:
Am 09.02.2015 um 13:33 schrieb Phil Mayers:
On 09/02/15 01:29, Carl Byington wrote:
On Sun, 2015-02-08 at 16:10 +0200, Eliezer Croitoru wrote:
I had some issues in some old versions of CentOS 6 for a caching
server so I have compiled bind from sources
On 09/02/15 13:29, Chuck Anderson wrote:
He could build a nosrc.rpm by using NoSource: tags instead of Source:
tags in the spec file.
Just to clarify I don't want this to come across as criticism - this is
a suggestion that might save the person providing the download some
bandwidth. If it's
On 08/03/15 16:09, Carsten Strotmann wrote:
Hi,
I'm doing some performance tests on some modern Haswell CPU machines (20
cores) using Ubuntu Linux 14.04 (Kernel 3.13.0-46-generic) using BIND
9.10.1-P2 compiled with "--with-tuning=large".
With using 8 worker threads I get near 400K QPS via IPv4
On 08/04/15 20:25, Chuck Anderson wrote:
My questions are, what is at fault here? Is it a BIND bug to expect
It all sounds really odd. In particular, if there is no recursive client
triggering them, and no prefetch, where are these ANY/A queries on TTL
expiry coming from?
Are you certain
On 08/04/15 22:00, Chuck Anderson wrote:
No, you are right. My filtered view of the packet capture was missing
the fact that another unrelated client did an 'ANY' query. I found it
in the query log. BIND 9.10 implements prefresh, but I'm on 9.8.2.
Oops just saw this, disregard my other ema
On 11/04/15 14:03, Chuck Anderson wrote:
I can't stop clients from making certain kinds of queries (unless BIND
has a feature to refuse such queries or not recurse for them?).
Whenever a client makes the 'ANY' query, it effectively causes a DoS
on that name. Luckily the MinTTL is only 30 second
On 13/04/15 13:48, Tony Finch wrote:
Phil Mayers wrote:
TBH I wonder if bind mightn't be better caching ANY as a separate
pseudo-type, if I'm understanding the problem correctly.
Actually I think you are asking for BIND not to treat ANY specially :-)
Maybe. I don't have ANY
On 13/04/15 14:12, Tony Finch wrote:
Phil Mayers wrote:
Ah ha. This is interesting.
If you like that you'll loathe this:
http://www.ietf.org/mail-archive/web/dnsop/current/msg13667.html
Yowza! The threads surrounding that one... I see djb chimed in.
ANY is useful. It would be a mar
On 13/04/15 14:28, Tony Finch wrote:
Phil Mayers wrote:
Be interesting to see what happens. I like the NSEC/TYPExxx idea for
simplicity.
The best suggestion so far is
http://www.ietf.org/mail-archive/web/dnsop/current/msg13945.html
Nice, didn't spot tha
On 14/04/15 00:44, Mark Andrews wrote:
No. Named caches NXDOMAIN and NOERROR NODATA to ANY queries
independently of qtype (with the exception of DS/NXDOMAIN).
Shrug. As I've said a couple of times, I'm not experiencing this
problem, so it makes no difference to me. I'm really just wondering al
On 26/05/15 22:00, Mike Hoskins (michoski) wrote:
However, as we've mostly just been turning knobs in an attempt to minimize
log entries... insight from operators is appreciated.
We run with:
rate-limit { responses-per-second 20; };
3x internet-facing resolvers answering about 5-25k qps a
On 02/09/15 21:57, Carl Byington wrote:
http://www.five-ten-sg.com/mapper/bind contains links to the source
Sigh. FYI, Chrome popped this error up for me:
"""
Google Safe Browsing recently found harmful programs on www.five-ten-sg.com.
"""
Silly
Minor cosmetic bug, but we're seeing logs like:
03-Sep-2015 12:18:50.751 (re)loading policy zone 'rpz.' changed
from 0 to 77406 qname, 0 to 0 nsdname, 769 to 771 IP, 0 to 0 NSIP, 0 to
0 CLIENTIP entries
03-Sep-2015 12:18:58.029 (re)loading policy zone 'rpz.'
changed from 77406 to 1213943 qna
On 03/09/15 15:14, Mukund Sivaraman wrote:
The numbers are overall counts for that view, after the contents of that
policy zone have been loaded. Cumulatively, they should match the number
of records in your policy zones (named starts with empty RPZ state).
In that case, those counts are absol
On 20/10/15 07:26, Harshith Mulky wrote:
Hi All,
How can a Client verify if the DNS Server is Running(named service is
Running) or Down?
By the presence or absence of a reply to a query.
Does it periodically send any messages to the server.
No. It just sends a query when it has one, and wa
On 22/10/15 16:30, Steve Arntzen wrote:
As a test, I tried forwarding (and forward only) google.com to Google's
public DNS server. Although the packets did go directly to 8.8.8.8 as
expected, my Bind server still (for safe verification) performed the
second look up. Note, the requesting client
On 22/10/15 16:37, Reindl Harald wrote:
since in a normal environment that don't matter consider in case of a
caching-only nameserver in such an environment using unbound instead of
named because it supports "cache-min-ttl" which is also strongly
recommended on a inbound mailserver using RBL's
All,
This isn't strictly a "bind" question, but it kind-of, sort-of is.
We've got an Office 365 tenancy, along with offsite voicemail. We send
our SIP connections to a hostname:
$GUID.um.outlook.com
This hostname is resolvable using "dig" & "host", but on Linux (glibc
2.20) the "ping", "tel
On 18/11/15 21:26, Stephane Bortzmeyer wrote:
On Wed, Nov 18, 2015 at 12:19:57PM +,
Phil Mayers wrote
a message of 44 lines which said:
I suspect getaddrinfo isn't parsing the DNS response for some reason.
...
Obviously the *.thing on the RHS of the first CNAME is weird, but
On 09/12/15 23:32, blrmaani wrote:
Hi, I would like to put 4 DNS masters behind a vip and have several
slaves doing the zone transfer from the VIP-IP. Is this normal?
In my experience no, this is not normal.
You might consider putting a "virtual" or "service" IP on your master(s)
that you can
On 04/01/16 13:54, MAYER Hans wrote:
As you can see “named” is using 842 MB physical and 982 MB virtual
memory. Much more than configured.
Well, bind will use memory for things other than cache.
Try accessing the statistics XML channel over HTTP with a browser; it'll
render to HTML via style
On 13/01/2016 19:38, blrmaani wrote:
Here is the issue:
I am sending approx 200 'A' queries to the DNS server and my above calculation
is showing a value of 2 queries-per-second.
Does the XML value you're looking at measure outbound or inbound
queries, and are the queries you're sending bein
On 21/01/2016 18:41, Darcy Kevin (FCA) wrote:
If the answer to both of those questions is “yes”, then I think you’re
in for a bit of a challenge, since I don’t know that the DHCP server
Agreed, this is hard.
Personally I think views are almost always a mistake, but if OP has to
do this, the
We've run into our first minor weirdness with an application that gets
tripped over by a mixed-case response.
Just so I can communicate accurately to the relevant parties in our
discussions - what is the anticipated lifetime of the "no-case-compress"
config option? Does ISC think it might get
On 13/03/16 18:07, David Li wrote:
We are implementing an enterprise distributed system with many Centos
7 servers. Each server or a group of servers may run a different app
or provide a difference service to others. These service may come and
go. The challenge is how to use DNS-SD to let them
On 15/03/16 23:06, Mike Bernhardt wrote:
So, I'm hoping that either
1) There is a way to tell BIND to use an IP address that is not on an
interface, or
I don't think there is.
I can think of all kinds of horrible workarounds - iptables SNAT, shell
script doing a config-change & rndc reconfig
On 16/03/16 12:48, Lightner, Jeff wrote:
You might want to try "ip a" vs ifconfig. RHEL7 uses Network
Manager and in the past I've found some things don't show up in
ifconfig output when doing alias/virtual interfaces.
Usually even when other products (e.g. Oracle RAC/GRID) create
virtual inte
On 18/03/16 14:52, /dev/rob0 wrote:
On Fri, Mar 18, 2016 at 10:04:05AM -0400, Thomas Schulz wrote:
It turns out that it is harder than I thought to allow incoming
connections from both providers at the same time, so I may not do
that after all.
Multiple route tables (and rules to choose the ap
On 30/03/16 10:50, Tony Finch wrote:
Yes, we encountered that problem recently :-) You can revert to the old
behaviour using
no-case-compress { any; };
+1 super confusing when we first ran into it (Exim dnslookup.c, by any
chance? ;o)
In detail, since I spent ages figuring this ou
On 30/03/16 01:19, Mark Andrews wrote:
Your monitoring probe is broken.
STD 13 says that the DNS is case preserving. The problem is
that lots of servers aren't case preserving instead they echo back
the query case in the owner names of records returned which named
then records.
Can I be
On 30/03/2016 12:25, Mark Andrews wrote:
The recent change was to record and return the learnt case of
ownernames (to the RRset level) rather than use whatever was used
to build the red-black tree names.
What is considered the source of the ownername for, say, "com."? One
thing I saw when I w
On 30/03/2016 13:23, Tony Finch wrote:
Phil Mayers wrote:
What is considered the source of the ownername for, say, "com."?
It should be the root zone master file.
Doh, of course - brainfade, it should be the root.
I am mildly surprised that the root and TLD/2LD servers aren
On 30/03/2016 13:32, Mark Andrews wrote:
That said anything matching ownernames should be doing this case
insensitively.
Absolutely. In our case it was something a little more subtle - the app
(Exim) was actually looking for case-changed replies and altering its
input to match, which under c
On 30/03/2016 13:15, Tony Finch wrote:
Phil Mayers wrote:
On 30/03/16 10:50, Tony Finch wrote:
Yes, we encountered that problem recently :-) You can revert to the old
behaviour using
no-case-compress { any; };
+1 super confusing when we first ran into it (Exim dnslookup.c, by any
On 01/04/16 11:52, Niall O'Reilly wrote:
If you are going to pick a single authority for a particular label, it
should be the zone that determines whether that label exists or not.
That seems no less arbitrary a rule of thumb than one which would
give priority to the zone which contains
On 27/04/16 20:44, Barry Margolin wrote:
I've long since stopped getting bothered by sloppy language like this,
ever since people started using "IP" as short for "IP address", or using
"class A, B, C" to refer to /8, /6, and /24 prefixes, rather than the
original address ranges.
The context alw
On 30/04/16 04:49, jaso...@mail-central.com wrote:
Hi
On Fri, Apr 29, 2016, at 08:42 PM, Mark Andrews wrote:
Just give it time. The zone contents are the masterfile + journal.
The masterfile only gets written periodically as it can be an expensive
operation.
Sure, under normal operation, as I
On 01/05/16 19:05, Phil Mayers wrote:
On 30/04/16 04:49, jaso...@mail-central.com wrote:
Hi
On Fri, Apr 29, 2016, at 08:42 PM, Mark Andrews wrote:
Just give it time. The zone contents are the masterfile + journal.
The masterfile only gets written periodically as it can be an expensive
On 01/05/16 19:15, jaso...@mail-central.com wrote:
On Sun, May 1, 2016, at 11:05 AM, Phil Mayers wrote:
IIUC, though, a nameserver restart is supposed to force the
write-to-journal immediately, right?
No, I don't think so.
Perhaps the behaviour in flush-zones-on-shutdown (which defaul
On 18/05/16 22:10, Con Wieland wrote:
I am having an issue resolving www.cloudsat.cira.colostate.edu
"rndc dumpdb" can be helpful in this case, IME. Dump the cache then
inspect the records and parent delegations, see what bind thinks is
in-cache when it's broken.
On 16/06/16 12:15, Tony Finch wrote:
Thomas Sturm wrote:
We are experiencing strange intermittent issues when resolving
outlook.office365.com, but also with other domains like e.g.
amazonaws.com or snort.org.
Based on recent discussions on the mailop list
For what it's worth, I've been agg
On 16/06/16 12:58, Reindl Harald wrote:
hence you can't compare it with normal usecases since bind 9.10 does
prefetch which mask any upstream problem, especially TTL when you query
it all the time
If you're running bind 9.10, then bind 9.10 doing prefetch is a normal
use-case.
You make a go
On 16/06/16 13:01, Daniel Stirnimann wrote:
(This was as part of "proving" that various O365 issues were client
side, not network-triggered)
If a resolver cannot resolve outlook.office365.com why should this be a
client side issue? Or do you mean the resolver is the client for
upstream queries?
On 16/06/16 13:09, Thomas Sturm wrote:
- with "prefetch 0” I am able to reproduce it every single time the TTL
expires, even on quiet dev hosts
- with “prefetch 2” I am able to reproduce it on loaded hosts only
- with “prefetch 10” I am NOT able to reproduce it at all
Hmm.
I thought prefetch
On 16/06/16 13:01, Tony Finch wrote:
Phil Mayers wrote:
For what it's worth, I've been aggressively monitoring DNS resolution of
outlook.office365.com from all four of our recursives, both A & , once a
minute for the past 3 months.
I wonder if you would notice more pr
On 22/06/16 11:59, Leonardo Oliveira Ortiz wrote:
Hello.
Someone had success to build it? I got make test errors...
I had no problems, but we build w/o tests to save time.
It's a quick edit to the .spec file to disable the tests.
%{?!test: %define test 0}
I think someone else repo
On 12/07/16 15:13, Daniel Dawalibi wrote:
#dig @localhost soa domainname
Don't hide the domain. It makes it impossible for people to help you.
On 19/07/16 00:38, Ian Veach wrote:
Negative Ghostrider...:
[root@foo:~]# iptables -t raw -nvL
Might want to check "-t nat" as well.
Yep, that's it. The MASQ entry will nat all outbound traffic to the primary IP
of the interface. If you want to be playing with secondary IPs this is almost
certainly not right.
--
Sent from my mobile device, please excuse brevity and typos
On 26/07/16 01:40, /dev/rob0 wrote:
Features which would work well behind a GUI frontend exist, and more
are coming in BIND 9.11. See the rndc(8) manual and the various
commands it has.
To expand on this - the catalog zones in bind 9.11 should permit in-band
provisioning of new DNS zones. On
On 22/08/16 13:07, Tony Finch wrote:
Alternatively, maybe you could add something to the ExecStartPre in the
unit file to poll `ip addr show` until all the expected interface
addresses are present, so that named doesn't start until the rest of the
system has untangled its legs.
I've run into s
On 02/09/16 15:22, Daniel Stirnimann wrote:
Hi all
We maintain a block list with RPZ on our BIND resolvers. I noticed that
the RPZ policy action does not apply for domain names which SERVFAIL
(i.e. cannot be resolved by the resolver because of a timeout, lame
delegation etc.).
RPZ applies to r
On 14/09/16 20:41, Matthew Pounsett wrote:
Your best option is something that can do the job statelessly. As
Warren says, anything that keeps state (firewall, load balancer, etc.)
becomes a DoS target... or, at best, becomes the thing that runs out of
resources before your network or your DNS s
On 15/09/16 15:49, bert hubert wrote:
Sorry for running advertisement here. But please know dnsdist is software
neutral, it is not "powerdnsdist".
I've never come across dnsdist before. Would you describe it as
production-ready?
On 16/09/16 14:16, bert hubert wrote:
Your question is justified of course. The history of dnsdist goes back to
2013. We spent most of 2015 ramping it up, and even as we were doing so it
was already being deployed, pre-1.0.0.
I was mainly wondering about the comment:
"""
dnsdist is still ver
On 08/18/2010 06:55 PM, Dave Sparro wrote:
On 8/18/2010 1:12 PM, Casey Deccio wrote:
On Wed, Aug 18, 2010 at 9:48 AM, Dave Sparro wrote:
On 8/18/2010 8:30 AM, Phil Mayers wrote:
...since the "ncbi" zone is an unsigned child zone, there needs to be an
NSEC/NSEC3 record to prove t
On 19/08/10 15:52, Steve Arntzen wrote:
I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.
CNAMEs are singleton; this:
dns.ourdomain.com. IN CNAME nsdev1.ourdomain.com.
dns.ourdomain.com. IN CNAME nsdev2.ourdomain.com.
...is illegal.
On 19/08/10 16:18, Phil Mayers wrote:
On 19/08/10 15:52, Steve Arntzen wrote:
I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.
CNAMEs are singleton; this:
dns.ourdomain.com. IN CNAME nsdev1.ourdomain.com.
dns.ourdomain.com. IN CNAME nsdev2
On 09/09/2010 03:45 PM, Timothe Litt wrote:
There is other advice in the ARM that says to put 'your organization's
public keys in the trusted-keys list'. That doesn't help - and in fact,
confuses me even more since example.net has TWO different public keys - one
for each view. And trusted-key
On 09/10/2010 03:05 AM, Mark Andrews wrote:
In message<4c891404.3000...@imperial.ac.uk>, Phil Mayers writes:
On 09/09/2010 03:45 PM, Timothe Litt wrote:
There is other advice in the ARM that says to put 'your organization's
public keys in the trusted-keys list'. That
On 09/10/2010 11:12 PM, Timothe Litt wrote:
So it looks like the new (r-internal) view is starting at the root when it
resolves -- ignoring what it has data for locally. It sorta works for
You'll need a:
zone "name" {
type forward;
forward only;
forwarders {
ips;
};
};
It won't
On 09/12/2010 03:41 AM, Chris Buxton wrote:
Use a stub zone instead of a forward zone, so that the query will
actually reach the authoritative view. With a forward zone, the query
is recursive, so will be picked up by the recursive view - the view
will query itself and not receive an answer.
O
On 21/09/10 14:43, Niobos wrote:
On 2010-09-21 15:32, Kalman Feher wrote:
On 21/09/10 8:43 AM, "Niobos" wrote:
I personally find protection against zone enumeration to be a false sense of
security. If it's public people will find it. Ask yourself what it is that
you want publicly accessible
On 21/09/10 16:40, Lightner, Jeff wrote:
I always liken arguments such as this to a leaky boat. While one
certainly does more to eliminate the boat filling with water by plugging
the big holes that does NOT mean there is no value in caulking the small
ones. Over time enough of the small ones m
On 24/09/10 17:22, Lars Hecking wrote:
Stewart Dean writes:
More questions...(CentOS 5.5, bind-9.7.1-P2)
The arguably easiest way to deal with this, if you prefer a recent version
of bind on CentOS, is to grab the most recent srpm from the updates/testing
directory of your nearest Fedo
On 09/26/2010 09:25 PM, David S. wrote:
Dear All,
I had problem when trying to use "view" class on my named.conf, please
see attached file and below my query log:
You've set "additional-from-cache" but not "allow-query-cache" ACL. The
default has everyone denied.
Do you need to set "additio
On 09/26/2010 10:57 PM, David S. wrote:
I've removed "additional-from-cache" and restart bind, below part of
named.conf
Ok, bad guess on my part :o(
Not sure I'm afraid. I don't really understand your config; do you mean
to have recursion off in both views?
What is sending the queries? They
On 09/27/2010 09:25 AM, David S. wrote:
I want to build name server for ISP:
Please don't email me directly; replying to the list is the correct
thing to do.
view "mynetwork" allow "trusted" to lookup domain / host in internet.
In that case, don't you want "recursion on" in view "mynetwo
On 27/09/10 09:45, David S. wrote:
Hi Phil,
"In that case, don't you want "recursion on" in view "mynetwork"?"
I won't recursion in my network, so recursion is no.
Sorry, I don't understand. Perhaps someone else can help you.
On 10/01/2010 09:59 PM, Tony Finch wrote:
I haven't seen any answers to Timothe's questions below, though I
have been keeping an eye out for them. The documentation in this area
is a bit thin...
A few comments based on what I've observed.
Consider this configuration snippet:
View "internal"
On 10/02/2010 10:01 AM, lst_ho...@kwsoft.de wrote:
So the problem are not resolvers unaware of DNSSEC but resolvers with
inappropriate defaults or configured wrong by accident. Additionally
this problem is not easy detectable as it can occur far downstream. So
i would say it is a valid concern f
On 13/10/10 15:16, Eivind Olsen wrote:
Has anyone here made use of the XML statistics interface in BIND9, to get
some numbers into Cacti (or another similar tool)? If so, how, and which
numbers did you feel were worth turning into graphs?
Yes.
We have a system where local scripts on our machin
On 13/10/10 15:50, Phil Mayers wrote:
On 13/10/10 15:16, Eivind Olsen wrote:
Has anyone here made use of the XML statistics interface in BIND9, to get
some numbers into Cacti (or another similar tool)? If so, how, and which
numbers did you feel were worth turning into graphs?
Yes.
We have a
On 21/10/10 12:50, Stephane Bortzmeyer wrote:
Unlike the failure of an authoritative name server, the failure of a
resolver is not really transparent for the Unix stub resolver, as you
have discovered. You may consider solutions using a redundancy at
layer 3 such as VRRP or CARP.
Yeah, we've o
On 10/27/2010 06:46 PM, Mark Elkins wrote:
I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
do this in PHP as this is inside some existing PHP (Web) scripts but I
guess calling a C program would not be too inconvenient.
I use some Python code to do this in our debugging/
On 28/10/10 11:56, Tony Finch wrote:
On Thu, 28 Oct 2010, Gregory Machin wrote:
My question is why would "INMX10mcvpemr01" and "INMX
10mcvpemr02" be repeated trough the zone file surely this is
redundant ?
Some hostmasters like to ensure that mail is not directed to host
On 12/11/10 12:49, David Forrest wrote:
and, on checking named.conf, I found the entry for br. as:
trusted-keys {
"br." 257 3 5
"AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCm
On 12/11/10 14:51, Alan Clegg wrote:
On 11/12/2010 7:49 AM, David Forrest wrote:
While running BIND 9.7.2-P2 built with defaults on F11
[..]
and, on checking named.conf, I found the entry for br. as:
trusted-keys {
"br." 257 3 5
"AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMN
On 12/11/10 15:45, Lightner, Jeff wrote:
For Production (RPM based system) you should use RHEL or CentOS which
has a much longer life cycle. (Speaking of which, RHEL6 was just put in
I don't agree with your line of reasoning. RHEL may have longer update
cycles, but there's no guarantee a par
On 17/11/10 13:48, Martin McCormick wrote:
We are chasing down some problems in which clients are trying to
resolve lookups to a domain related to Microsoft Active
Directory zones. We were able to determine that clients were
querying this AD zone when it was thought they weren't needing
to do so.