Re: Problems with Bind-Kerberos-Windows-Linux

2010-12-06 Thread Phil Mayers
On 12/06/2010 02:20 PM, Jürgen Dietl wrote: I have read that there is a special mode called User-To-User Mode. This mode enables the client to ask for a service direct without asking for a That's not quite how u2u works. TGT before. I found out that my client uses this special user-to-user mod

Re: Problems with Bind-Kerberos-Windows-Linux

2010-12-06 Thread Phil Mayers
On 12/06/2010 03:18 PM, Jürgen Dietl wrote: The Log-File from the DNS-SUSE-Server tells me "wrong principal". Is there a way to find out what principal it expects? You can configure it: tkey-domain "YOUR.DOMAIN"; tkey-gssapi-credential "DNS/hostname.your.domain"; (I've never

Re: Problems with Bind-Kerberos-Windows-Linux

2010-12-06 Thread Phil Mayers
On 12/06/2010 04:01 PM, Jürgen Dietl wrote: Hello Phil thanks again for your answer. So I read between the lines that even if there were bugfixes for GSSTSIG in Bind V. 9.7.2 - it doesn't work. So we have to wait until MS follows the standards? :-) That's not what I said. Forgive me but what is a

Re: Fwd: Problems with Bind-Kerberos-Windows-Linux

2010-12-07 Thread Phil Mayers
On 12/07/2010 07:53 AM, Jürgen Dietl wrote: Hello Sergiu, I tried to put in 2 credential Entries in the named.conf: tkey-gssapi-credential "DNS/test.loc"; (that was in before) tkey-gssapi-credential "USER/test.loc", (new entry) tkey-domain "TEST.LOC"; This is all wrong. There are two principa

Re: Silently drop queries for AAAA records

2010-12-08 Thread Phil Mayers
On 12/08/2010 07:40 AM, Niobos wrote: On 2010-12-07 23:31, David A. Evans wrote: I'm in the mood to prove a point. I have a very poorly written application that is generating a few hundred queries per second of completely bogus records before attempting a lookup of the correct A

Re: OT: checking subnet delegation?

2011-01-04 Thread Phil Mayers
On 04/01/11 15:32, online-reg wrote: Hi All: I have a /28 that was supposed to be delegated to my NS by my ISP. How can I check that it is correctly delegated? I have the in-addr.arpa zone configured in my NS and it resolves properly when I test it locally, but if I test using a remote service n

Re: enable a dynamic zone

2011-01-05 Thread Phil Mayers
On 01/05/2011 03:32 AM, Paul Ooi Cong Jen wrote: Hi, Nope. Dynamic zones require key exchange for zone transfer. This is not correct. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: enable a dynamic zone

2011-01-05 Thread Phil Mayers
On 01/05/2011 03:01 AM, p...@mail.nsbeta.info wrote: Hello, When adding a statement of something like: allow-update { 127.0.0.1; }; to the zone configuration, this zone will become a dynamic zone, is it? Yes. You can also do: allow-update { key NAME; }; ...and in newer versions of bind I

Re: nsupdate problem after DNSSEC

2011-01-05 Thread Phil Mayers
On 01/05/2011 08:09 AM, Michelle Konzack wrote: I have updated my to DNSSEC and now I have two problems... Do you mean you have signed your zone? If so, you are aware that bind requires the zone-signing key to be available in order to perform updates - like this: zone "$name" { type master

Re: enable a dynamic zone

2011-01-05 Thread Phil Mayers
On 01/05/2011 11:45 AM, Sten Carlsen wrote: Maybe just a detail without much significance. Will the zone become dynamic when you enable updates OR when you have actually done the first update - i.e. created the .jnl file? A dynamic zone is a zone that allows dynamic updates, so the former. Yo

Re: Confused about /24 in-addr.arpa NS delegation debug problem

2011-01-06 Thread Phil Mayers
On 01/06/2011 11:30 PM, Gary Wallis wrote: (Some dig output lines deleted to keep short) Why does this not work (but below next dig with +trace seems to imply that it should?): The delegation looks invalid: 147.95.81.in-addr.arpa. 172800 IN NS ns1.theplanet.com. 147.95.81.in-addr

Re: Dns doctoring/dnsmasq -V on bind?

2011-01-17 Thread Phil Mayers
On 17/01/11 00:23, someone wrote: If you have any ideas how to do dns doctoring with bind9 (or netfilter) please give me some hints ;) Have you considered that this will break DNSSEC, and as time goes by, may not work at all (if clients become full validating DNSSEC resolvers)? I'm a little

Re: AW: Dns doctoring/dnsmasq -V on bind?

2011-01-17 Thread Phil Mayers
On 17/01/11 14:30, someone wrote: Running internal stuff over nat and the firewall is bad practice and should be avoided as it uselessly loads the firewall, increases the complexity of the rules and creates bottlenecks on a fast network backbone. Ah, I see. I misunderstood what you were trying

Rejected queries for mx???.emailfiltering.com

2011-01-19 Thread Phil Mayers
On the subject of rejected queries - although this isn't a bind question per se, I'm curious if anyone else here sees a lot of these: client 178.123.92.141#23861: view main: query (cache) 'mx242.emailfiltering.com/A/IN' denied We get *loads* of them to our authoritative resolvers. I am assumi

Re: why queries rejected?

2011-01-19 Thread Phil Mayers
On 19/01/11 02:03, p...@mail.nsbeta.info wrote: My zone is game.yy.com, and there are so many "auth queries rejected" in named.stats which was generated by "rndc stats". Could you show me some way to debug it? Thanks. You can log rejected queries: logging { channel "security_logfile" { file
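The two posts above (the flood of rejected queries for mx???.emailfiltering.com, and the security_logfile channel for logging rejections) both come down to reading BIND's "query ... denied" lines once they are on disk. The following is an added example, not code from the list, from Phil Mayers or from ISC: a small Python aggregator that parses lines of the shape quoted above, counts them per client and per name, and separates names under zones this server is authoritative for (a plain allow-query rejection) from names outside them (a client using an authoritative server as if it were its recursive resolver). The log lines and the OUR_ZONES list are constructed for the example.

```python
"""Aggregate BIND 'query ... denied' log lines (added example, constructed data)."""
import re
from collections import Counter

# One line of the shape quoted on the list:
#   client 178.123.92.141#23861: view main: query (cache) 'mx242.emailfiltering.com/A/IN' denied
# The 'view NAME:' part and the '(cache)' marker are optional.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query(?: \((?P<kind>\w+)\))? "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)

# Zones this server is authoritative for; constructed for the example.
OUR_ZONES = ("example.net.", "10.in-addr.arpa.")

# Constructed sample of a security log (syslog-style prefix, then the named message).
SAMPLE_LOG = """\
19-Jan-2011 10:02:11.120 security: info: client 178.123.92.141#23861: view main: query (cache) 'mx242.emailfiltering.com/A/IN' denied
19-Jan-2011 10:02:11.341 security: info: client 178.123.92.141#23862: view main: query (cache) 'mx117.emailfiltering.com/A/IN' denied
19-Jan-2011 10:02:12.007 security: info: client 203.0.113.9#53812: query 'www.example.net/AAAA/IN' denied
19-Jan-2011 10:02:12.500 security: info: client 203.0.113.9#53813: view main: query (cache) 'Mx242.EmailFiltering.com/A/IN' denied
19-Jan-2011 10:02:13.000 security: info: client 198.51.100.7#40001: zone transfer 'example.net/AXFR/IN' denied
"""


def parse_denied(line):
    """Return the fields of a denied-query line, or None for any other line."""
    m = DENIED_RE.search(line.rstrip())
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise the name: DNS is case-insensitive and the log omits the trailing dot.
    rec["qname"] = rec["qname"].rstrip(".").lower() + "."
    return rec


def in_our_zones(qname, zones=OUR_ZONES):
    """True if qname is at or below one of the zones we serve authoritatively."""
    q = qname.lower()
    return any(q == z or q.endswith("." + z) for z in zones)


def summarize(lines, zones=OUR_ZONES):
    """Count denied queries per client and per name, and count the 'misdirected'
    ones: names outside our zones that the client expected us to recurse for."""
    by_client, by_qname = Counter(), Counter()
    misdirected = 0
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        by_client[rec["ip"]] += 1
        by_qname[rec["qname"]] += 1
        if not in_our_zones(rec["qname"], zones):
            misdirected += 1
    return by_client, by_qname, misdirected


if __name__ == "__main__":
    clients, names, misdirected = summarize(SAMPLE_LOG.splitlines())
    print("top clients:", clients.most_common(3))
    print("top names:  ", names.most_common(3))
    print("queries for names we do not serve:", misdirected)
```

A high misdirected count from a handful of sources is the pattern to look for before deciding whether the sender is a misconfigured resolver worth contacting or traffic worth dropping upstream of named; the zone-transfer line in the sample is deliberately left unmatched so that the counters only ever describe query rejections.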

Re: Telling rndc Which IP Address to Use

2011-01-21 Thread Phil Mayers
On 01/20/2011 09:28 PM, Mark Andrews wrote: Or one can not worry about the IP address being used. The addresses are still there for backwards compatibility with BIND 8 where only the IP address is used. TSIG is really so much stronger than any IP based authentication. It's like putting a scree
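Mark's point above about TSIG versus address-based authentication (and the allow-update { key NAME; } form in the "enable a dynamic zone" reply further up) rests on how a TSIG MAC is computed. The following is an added example, not code from the list, from ISC or from BIND: it builds a minimal DNS query in wire form, computes the request MAC the way RFC 2845 section 3.4 describes it (an HMAC over the unsigned message followed by the TSIG variables, with the key and algorithm names in canonical lowercase wire form) and verifies it, returning BADSIG for a tampered message or wrong key and BADTIME for a timestamp outside the fudge window. The key name, secret and timestamps are constructed; appending the TSIG resource record itself to the packet is omitted, since the MAC is the part that matters here.

```python
"""TSIG request MAC (RFC 2845) over a minimal DNS query; added example with constructed data."""
import hashlib
import hmac
import struct

ALG_HMAC_SHA256 = "hmac-sha256."


def wire_name(name):
    """Encode a domain name in uncompressed, lowercase (canonical) wire form."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(msg_id, qname, qtype, qclass=1):
    """Header (RD set, one question, nothing else) followed by the question section."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, qclass)


def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields covered by the MAC: NAME, CLASS=ANY, TTL=0, algorithm
    name, 48-bit time signed, fudge, error, other-len and other-data."""
    return (
        wire_name(keyname)
        + struct.pack("!HI", 255, 0)
        + wire_name(algorithm)
        + time_signed.to_bytes(6, "big")
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def tsig_mac(secret, message, keyname, time_signed, fudge, algorithm=ALG_HMAC_SHA256):
    """Request MAC: HMAC over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(keyname, algorithm, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_request(secret, message, keyname, time_signed, fudge, mac, now,
                   algorithm=ALG_HMAC_SHA256):
    """Server-side check: recompute the MAC and compare in constant time, then
    check the signer's clock against ours within +/- fudge seconds."""
    expected = tsig_mac(secret, message, keyname, time_signed, fudge, algorithm)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"         # base64 in named.conf / rndc.conf
    query = build_query(0x1234, "example.net", 6)   # constructed SOA query
    mac = tsig_mac(secret, query, "rndc-key", 1295600000, 300)
    print(verify_request(secret, query, "rndc-key", 1295600000, 300, mac, 1295600100))
```

The order of the two checks matters: the MAC is verified before the time, so a forged packet with a bogus timestamp is rejected as BADSIG and learns nothing about the server's clock, and a replayed genuine packet is still caught by the fudge window. Nothing in the computation involves the source address, which is why an rndc or nsupdate client can sit behind NAT without weakening the authentication.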

Re: get a domain's dns records

2011-01-21 Thread Phil Mayers
On 21/01/11 13:50, Barry Margolin wrote: In article, Joseph S D Yao wrote: On Fri, Jan 21, 2011 at 02:19:45PM +0800, p...@mail.nsbeta.info wrote: I'm just curious, how does "who.is" know the dns records in my domain (nsbeta.info)? The page shows some of my RRs exactly: http://who.is/dns/

Re: get a domain's dns records

2011-01-21 Thread Phil Mayers
On 21/01/11 14:18, Phil Mayers wrote: On 21/01/11 13:50, Barry Margolin wrote: In article, Joseph S D Yao wrote: On Fri, Jan 21, 2011 at 02:19:45PM +0800, p...@mail.nsbeta.info wrote: I'm just curious, how does "who.is" know the dns records in my domain (nsbeta.info)?

Re: get a domain's dns records

2011-01-21 Thread Phil Mayers
On 21/01/11 14:21, p...@mail.nsbeta.info wrote: Dave Knight writes: I guess the tool just always assumes that there's probably a www worth asking about But how does the site know I have a sub domain test.nsbeta.info and its name servers? I didn't think that I have got this sub domain be

Re: lost records in a view

2011-01-24 Thread Phil Mayers
On 01/24/2011 12:23 PM, p...@mail.nsbeta.info wrote: I want the result that, when clients matching vb query for s2.example.com, they will get the answer from default view vc, since s2.example.com doesn't exist in vb. How to setup bind for this purpose? Copy the records from vc to vb. You cann

Re: Bind 9.7 - sanity check or a bug

2011-01-28 Thread Phil Mayers
On 28/01/11 10:50, Din Jo wrote: case 1: # nsupdate > server 127.0.0.1 > update delete server2.test.com A > update add server2.test.com A 10.0.0.2 > send > quit case 2: # nsupdate > server 127.0.0.1 > update delete server2.test.c

Re: Bind 9.7 - sanity check or a bug

2011-01-28 Thread Phil Mayers
In case two, you are sending the delete as one transaction and the add as a 2nd transaction. I'm surprised the 2nd case fails at the 2nd transaction, not the first. Known bug. The version information was not passed down to the checking routines. Interesting; can you be more specific - what

Re: bind8 and bind9 installed on the same server: possible?

2011-02-01 Thread Phil Mayers
On 01/02/11 16:33, hugo hugoo wrote: Dear all, I plan to upgrade my nameservers from bind8 to bind9. I guess I will encounter some compatibility problems notably in the layout of the zone files - can anybody give me the point of attention for this upgrade? Your experience will be appreciated.

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 10:07 AM, Stephane Bortzmeyer wrote: Note the TYPE65534, which I cannot explain. Greping bind-users archives, or googling, reveal that other persons saw them but I did not find a final explanation. This is documented in the Bind ARM (at least, the one that comes with the 9.8 bet

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 10:40 AM, Stephane Bortzmeyer wrote: On Sun, Feb 13, 2011 at 11:07:31AM +0100, Stephane Bortzmeyer wrote a message of 35 lines which said: Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and the AEP keyper HSM), with DNSSEC enabled, dynamically signing records

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 11:30 AM, Stephane Bortzmeyer wrote: On Sun, Feb 13, 2011 at 11:01:48AM +, Phil Mayers wrote a message of 23 lines which said: The zone at the moment seems to be signed with NSEC; Hmmm, no, .FR has been signed by NSEC3 from the beginning. Could you post this strange

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers
On 02/13/2011 11:35 AM, Stephane Bortzmeyer wrote: On Sun, Feb 13, 2011 at 10:51:30AM +, Phil Mayers wrote a message of 31 lines which said: This is documented in the Bind ARM OK, thanks, I missed this section. i.e. the *presence* of the record is normal. I'm not convinced

"external" update policy (was: BIND 9.8.0rc1 is now available.)

2011-02-15 Thread Phil Mayers
On 15/02/11 01:15, Mark Andrews wrote: * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] This is

Re: Bind9 Log data consistency

2011-03-08 Thread Phil Mayers
On 03/08/2011 09:46 PM, Stefan Certic wrote: Hi Sebastian, Thanks for response. Problem with another log file is that solution is doubling number of I/O transactions. At some point, data needs to be parsed into database and written to disk. I'm afraid doubling operations will cause bottlenecks

Re: dots in hostnames problem

2011-03-09 Thread Phil Mayers
On 03/09/2011 06:09 PM, Matt Rae wrote: Hi, I'm working on setting up a slave dns server. Dots have historically been used in the hostnames here. The dots cause the resulting zone file from a zone transfer to have $ORIGIN automatically set assuming the dots are indicating a subdomain. Oh god, n

Re: Bind 9.8 with dlz and dnssec

2011-03-10 Thread Phil Mayers
On 10/03/11 17:26, Christian Laursen wrote: On 03/10/11 17:05, Evan Hunt wrote: Incidentally, we've been expanding DLZ support further. In 9.8.1, the dlopen driver will be part of the default build on unix/linux platforms, no longer requiring a configure option, so you can use the Samba module

Re: dots in hostnames problem

2011-03-11 Thread Phil Mayers
On 11/03/11 15:53, John Wobus wrote: On Mar 10, 2011, at 4:24 PM, Matt Rae wrote: Thanks guys, sounds like a solution would be to transfer the zone files outside of bind. I'll give some of the suggestions a try. Matt I can't help but be curious. What problem would be solved by transferring th

Re: dynamically updating the forwarders with bind/rndc

2011-03-29 Thread Phil Mayers
On 29/03/11 12:25, Paul Wouters wrote: Hi, Is there a way for bind9 (or planned for bind10) to dynamically update the forwarders via rndc? I believe currently the only way to do this is to rewrite the config file and then call rndc reload. I believe there's a DBUS interface that NetworkManager

Re: children whose zones do not reflect the delegation from the parent

2011-03-30 Thread Phil Mayers
On 03/30/2011 04:45 AM, ben thielsen wrote: both fail to do so. so - it would seem to me that at least somehow, in some sense, the delegation is broken. however, if queried further It does seem a bit broken - there's no SOA for 33.50.in-addr.arpa i.e. no zone there. for a /24 within that

Re: BIND 9.4.3-P2 doesn't delegate zone!

2011-04-02 Thread Phil Mayers
On 04/02/2011 11:44 AM, Яцко Эллад Геннадьевич wrote: $ORIGIN domain.united-networks.ru. IN NS srvmain IN A 172.16.77.2 srvmain IN A 172.16.77.2 Huh, delegation looks ok. Are you sure you've reloaded the zone? I tried to nslookup from 172.16.77.11: Try a "dig" on the DNS

Re: shared KSK for static zone and dynamic subzone?

2011-04-26 Thread Phil Mayers
On 04/26/2011 02:13 AM, /dev/rob0 wrote: I feel like I am understanding the "how" of this DNSSEC stuff, but I'm not so sure about some of the "whys". This post is asking a bit of both. I've got a static zone, nodns4.us., which is now signed. It's the parent zone to dynamic.nodns4.us., a dynamic

Re: shared KSK for static zone and dynamic subzone?

2011-04-26 Thread Phil Mayers
On 04/27/2011 04:40 AM, /dev/rob0 wrote: With one KSK and one ZSK per zone, we're looking at *12* keys to go in the connected sites' trusted-keys. Errr, no, I guess I only need the KSKs, but still, that's 6. I'd prefer that it be fewer than that. One sounds simpler, in fact. But the trusted-ke

Re: AXFR/IN' denied

2011-04-28 Thread Phil Mayers
On 04/28/2011 04:10 AM, jeffrey j donovan wrote: master 192.168.1.2 zone "mydomain.com" { type master; file "domain.db"; allow-transfer { 192.168.96.3; }; Ok, you have an allow-transfer so this is working. allow-update {none;}; }; zone "96.168.192.in-addr.ar

Re: IPv6 prefix length error

2011-04-29 Thread Phil Mayers
On 04/29/2011 02:17 PM, Khuu, Linh Contractor wrote: Thanks Mark for your recommendation!!! However, in the ifconfig -a output, I have: lo0: flags=e08084b inet 127.0.0.1 netmask 0xff00 broadcast 127.255.255.255 inet6 ::1/128 So? As Mark said, the problem is that: """n

Re: IPv6 prefix length error

2011-04-29 Thread Phil Mayers
On 04/29/2011 03:24 PM, Mark Andrews wrote: The fix is likely to be a couple of lines of code to retrieve the value but without access to the correct documentation or kernel source code its hard to work out how to fix it. This code apparently works for AIX 5.3: http://lists.samba.org/archive/

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-10 Thread Phil Mayers
On 05/10/2011 07:58 AM, Mark Andrews wrote: "date -u" may now be correct but is plain "date"? If it isn't you should correct timezone for the server so that both "date" and "date -u" are correct. Otherwise you leave the server open to the accidental misconfiguration that probably caused this

Re: no free leases

2011-05-10 Thread Phil Mayers
On 05/10/2011 05:20 PM, Steven Stromer wrote: Hi. I see that there was some discussion in distant past of the "no free leases" reply when defining a range within a pool, especially I think you've posted to the wrong list... this is the BIND (DNS server) list, not the dhcpd list.

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Phil Mayers
On 11/05/11 12:17, Mark Andrews wrote: {ms,krb5}-subdomain allows updates of *.machinename One note - this isn't so handy if you have a disjoint namespace, where: machinename.*.example.com ...is what you want. We are in this boat, and can't use the built in ACLs for this very reason.

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Phil Mayers
On 11/05/11 14:55, Mark Andrews wrote: In message<4dca7893.5060...@imperial.ac.uk>, Phil Mayers writes: On 11/05/11 12:17, Mark Andrews wrote: {ms,krb5}-subdomain allows updates of *.machinename One note - this isn't so handy if you have a disjoint namespace, where:

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Phil Mayers
On 12/05/11 09:33, Juergen Dietl wrote: Hello Mark I am not that professional in bind. Normally I am a CISCO expert but now I also do the bind for 6 months. I cannot imagine why this post should help me. It doesn't really. You should only need this: grant EXAMPLE.COM ms-self * any; What

Re: Bind 9.8 DNS recursion dont work from the client side - Bug?

2011-05-16 Thread Phil Mayers
On 16/05/11 11:00, Juergen Dietl wrote: Hello, I try to make an nslookup from the client. The server doesn't know the zone and for this it should do recursion to another DNS-Server options { dump-file "/var/log/named_dump.db"; notify-source xx.x.xxx.xxx port 53; notify yes; listen-on port 53 { xx.

Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

2011-05-20 Thread Phil Mayers
On 05/20/2011 05:56 AM, Matthew Pounsett wrote: If, for some reason, you can't wait for your TTLs to expire, then forwarding the relevant zones to your authoritative servers is a better solution than slaving the zones. How? The whole point of stealth slaving is timely (NOTIFY/IXFR) updates of

Re: norecursion on external zone, but how do I allow CNAMEs to be fully resolved?

2011-05-20 Thread Phil Mayers
On 05/20/2011 07:16 AM, Tory M Blue wrote: This causes all types of failures if just using dig, or Linux built in lookup mechanism, or heck Perl or PHP methods as well. None of the stated methods, know that they should now query cdn.domain.net.edgesuite.net, so they provide the CNAME and SERVFAI

Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-05-31 Thread Phil Mayers
On 31/05/11 09:28, Matus UHLAR - fantomas wrote: This problem could be avoided by providing the same data, but differently sorted, correct? Not really. Client side sorting may take place (e.g. to comply with RFC 3484 policies in calls to getaddrinfo) and destroy any server-side sorting.

Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-06-01 Thread Phil Mayers
On 01/06/11 08:11, Matus UHLAR - fantomas wrote: On 31/05/11 09:28, Matus UHLAR - fantomas wrote: This problem could be avoided by providing the same data, but differently sorted, correct? On 31.05.11 12:27, Phil Mayers wrote: Not really. Client side sorting may take place (e.g. to comply

Re: BIND 9.7 Serial Number Decrease Problem

2011-06-04 Thread Phil Mayers
On 06/03/2011 04:57 PM, Barry Finkel wrote: I have a problem with BIND 9.7.x on Ubuntu. I have two servers that are running 9.7.3. They slave 332 zones, and they also master 213,750 malware/spyware zones that we have defined to reroute these domains to a local machine. That's a hell of a lot of

Re: BIND 9.7 Serial Number Decrease Problem

2011-06-07 Thread Phil Mayers
On 06/06/2011 08:01 PM, Barry Finkel wrote: Phil Mayers suggested a corrupt .jnl file; I am not sure. How do I debug this? Given what Mark has said, I think it's unlikely; I didn't realise bind wrote a new journal and did a rename() which is atomic on every POSIX system that you

Re: BIND 9.7 Serial Number Decrease Problem

2011-06-07 Thread Phil Mayers
On 07/06/11 13:51, Barry Finkel wrote: In my last posting I was confused as to the .jnl file. I have about 44 AD slave files on my BIND servers, and 40 .jnl files. The two zones in question do not have .jnl files. As I do not look at .jnl files much, I had forgotten about the tool to list them.

Re: MX record IP address instead of hostnames

2011-06-07 Thread Phil Mayers
On 06/07/2011 08:31 PM, Lear, Karen (Evolver) wrote: Can anyone tell me why my MX record for the coop-uspto.gov domain are IP addresses instead of hostnames? [klear@dns1 conf]$ nslookup As of right now, that's not what I see: ;; ANSWER SECTION: coop-uspto.gov. 7200IN MX

Re: Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Phil Mayers
On 10/06/11 15:50, Per-Olof Axelsson wrote: When I run the following dig command below I sometimes get different answers, generally 20-30 minutes after restarting BIND. It doesn't This might be the problem resolving CNAMEs that was discussed on the list recently: https://lists.isc.org/piperm

Re: ksk in a volume

2011-06-15 Thread Phil Mayers
On Wed, Jun 15, 2011 at 10:51:38AM -0300, Noel Rocha wrote: Thanks. In this situation: - KSK signed ZSK(DNSKEY RR). - ZSK signing others RR of zone. I don't see reason for the KSK be present in operations unless add/delete RR DNSKEY. Signature expiration.

Re: I can't resolve one domain: nhs.uk

2011-06-17 Thread Phil Mayers
On 17/06/11 12:10, Andrew Benton wrote: And it works well for every domain on the internet. Except for www.nhs.uk - I can't resolve nhs.uk www.nhs.uk is, currently, a CNAME to www.prod.nhs.uk.akadns.net You might be suffering from the bind 9.8 CNAME issue. See the recent, repeated discussion

Re: I can't resolve one domain: nhs.uk

2011-06-17 Thread Phil Mayers
On 17/06/11 14:33, Andrew Benton wrote: Do you mean this patch? Yep. http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/dns/bind98/files/patch-bin__named__query.c?rev=1.1 I've just tried it and it made no difference. I'm not convinced of this CNAME hypothesis. Could you point me toward

Re: I can't resolve one domain: nhs.uk

2011-06-17 Thread Phil Mayers
On 17/06/11 14:40, G.W. Haywood wrote: Hi there, On Fri, 17 Jun 2011 Andrew Benton wrote: I can't resolve one domain: nhs.uk laptop:~$>>> whois nhs.uk Error for "nhs.uk". This domain cannot be registered because it contravenes the Nominet UK naming rules. The reason is:

Re: DNSSEC key rollover failure

2011-06-17 Thread Phil Mayers
On 17/06/11 15:13, Spain, Dr. Jeffry A. wrote: As of today (6/17/2011), RRSIG records for key 2750 are present for every RRset in the zone. The only RRSIG record for key 33722 is for the SOA RRset. See http://dnsviz.net/d/countryday.net/dnssec/. As I understand the process, based on the dates in

Re: DNSSEC key rollover failure

2011-06-17 Thread Phil Mayers
On 06/17/2011 09:25 PM, Spain, Dr. Jeffry A. wrote: Our zone has 115 records, not counting DNSSEC-related records. I originally signed it by specifying the zone file and key directory along with "auto-dnssec maintain" in the configuration file. Looking at all the RRSIGs, they expire for the most

Re: Resign a signed zone

2011-06-17 Thread Phil Mayers
On 06/17/2011 04:51 PM, rams wrote: Hi , Can we resign a signed zone without key files? Please clarify me. No. Keys are required for signing. Have you lost the key files? If so you may need to transition to unsigned, then re-sign from scratch.

Re: DNSSEC key rollover failure

2011-06-17 Thread Phil Mayers
On 06/17/2011 09:35 PM, Phil Mayers wrote: In which case you're going to have serious problems I think. You can't delete a DNSKEY which has any extant RRSIGs until $MAX_TTL *after* those RRSIGs finally disappear. There's an RFC describing the key rotation schedules you must
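The rule in the reply above (an old DNSKEY cannot go until no cache can still hold an RRSIG it made) and the symptom in the earlier post in this thread (key 33722 signing only the SOA while 2750 still signs everything else, because auto-dnssec maintain re-signs an RRset only as its existing signature approaches expiry) can be worked through as a small schedule. The following is an added example, not code from the list or from ISC: given a constructed inventory of RRSIGs, it estimates when the last signature by the old key will have been replaced and the earliest moment the old DNSKEY may be removed. The key tags, timestamps, TTL and propagation delay are made up; the assumption that named regenerates a signature one quarter of the validity interval before it expires is the documented default for the second value of sig-validity-interval and is stated as an assumption in the code.

```python
"""Earliest safe removal of a retired ZSK, from an inventory of RRSIGs (added example)."""
from datetime import datetime, timedelta, timezone


def parse_rrsig_time(text):
    """RRSIG inception/expiration as printed in zone files: YYYYMMDDHHMMSS, UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


# Constructed inventory: (owner, rrtype, key tag, expiration). It mirrors the shape of
# the situation reported on the list: most RRsets still carry the old key's signatures.
RRSIGS = [
    ("example.test.", "SOA", 33722, parse_rrsig_time("20110717090000")),
    ("example.test.", "NS", 2750, parse_rrsig_time("20110710120000")),
    ("example.test.", "DNSKEY", 19033, parse_rrsig_time("20110712000000")),  # the KSK
    ("www.example.test.", "A", 2750, parse_rrsig_time("20110715090000")),
    ("mail.example.test.", "A", 2750, parse_rrsig_time("20110714030000")),
]

# Constructed operating parameters for the example zone.
VALIDITY = timedelta(days=30)       # sig-validity-interval
MAX_ZONE_TTL = timedelta(days=1)    # largest TTL in the zone
PROPAGATION = timedelta(hours=1)    # master to slaves (NOTIFY/IXFR)


def rrsets_signed_by(rrsigs, keytag):
    """RRsets whose current signature was made by the given key."""
    return [(owner, rtype) for owner, rtype, tag, _ in rrsigs if tag == keytag]


def last_signature_replaced(rrsigs, old_keytag, validity=VALIDITY, resign_fraction=0.25):
    """Estimate when the last RRSIG by old_keytag leaves the zone, assuming named
    regenerates each signature resign_fraction*validity before it expires (assumed
    to be the default for the second value of sig-validity-interval). None if the
    key no longer signs anything in the inventory."""
    expirations = [exp for _, _, tag, exp in rrsigs if tag == old_keytag]
    if not expirations:
        return None
    return max(expirations) - validity * resign_fraction


def earliest_dnskey_removal(last_replaced, max_zone_ttl=MAX_ZONE_TTL, propagation=PROPAGATION):
    """No cache may still hold an old-key RRSIG: wait for the slaves to pick up the
    re-signed data, then for the largest TTL in the zone to run out."""
    return last_replaced + propagation + max_zone_ttl


def removal_is_safe(proposed_delete, rrsigs, old_keytag, validity=VALIDITY,
                    max_zone_ttl=MAX_ZONE_TTL, propagation=PROPAGATION):
    """True if deleting the DNSKEY at proposed_delete cannot strand a cached RRSIG."""
    last = last_signature_replaced(rrsigs, old_keytag, validity)
    if last is None:
        raise ValueError("key %d signs nothing in the inventory; pass the time its last "
                         "RRSIG was replaced to earliest_dnskey_removal instead" % old_keytag)
    return proposed_delete >= earliest_dnskey_removal(last, max_zone_ttl, propagation)


if __name__ == "__main__":
    print("still signed by 2750:", rrsets_signed_by(RRSIGS, 2750))
    last = last_signature_replaced(RRSIGS, 2750)
    print("last old signature replaced around:", last)
    print("earliest DNSKEY removal:", earliest_dnskey_removal(last))
```

The estimate is deliberately conservative: it takes the latest-expiring old signature, so a zone where the new key has only reached the SOA will report a removal date most of a validity interval away, which is exactly the wait the rollover in the earlier post was going to need.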

Re: DNSSEC Key Rollover Questions

2011-06-20 Thread Phil Mayers
On 06/18/2011 03:48 PM, Spain, Dr. Jeffry A. wrote: Assume that bind 9.8.0 is in operation. A zone is configured with auto-dnssec maintain, and the zone signing keys K and its successor K’ are published. Further assume that the activation time for K has passed and the zone is properly signed with

Re: I can't resolve one domain: nhs.uk

2011-06-21 Thread Phil Mayers
On 06/21/2011 12:59 AM, Kevin Darcy wrote: On 6/17/2011 8:01 AM, Phil Mayers wrote: On 17/06/11 12:10, Andrew Benton wrote: And it works well for every domain on the internet. Except for www.nhs.uk - I can't resolve nhs.uk www.nhs.uk is, currently, a CNAME to www.prod.nhs.uk.akadns.net

Re: Logging Response Results

2011-06-23 Thread Phil Mayers
On 06/23/2011 09:27 PM, Stefan Certic wrote: Thanks Chuck Yes, that would be a solution, but i need logs processed through syslog and stored into database (matching the initial query from query log). Parsing tcpdump is not going to be suitable for highly loaded system. I was more looking for a

Re: bind restart needed to reflect changes to dynamic zone in multiple views

2011-06-24 Thread Phil Mayers
On 24/06/11 14:22, Brian J. Murrell wrote: I am using BIND 9.7.2-P2. I have two views, one "internal" and one for "external" queries. In both of those views I have some zones which are common so I put them into their own file "zones.common" and include that file in both of the views. The probl

Re: Better solution than making a recursive nameserver authoritative?

2011-06-24 Thread Phil Mayers
On 06/24/2011 06:39 PM, David Coulthart wrote: configure the zone as forward first, the recursive nameserver gets back the NS delegation & then uses that to perform an iterative query against the authoritative nameserver for the subdomain. This actually seems like it might solve my issues. Are

Re: bind restart needed to reflect changes to dynamic zone in multiple views

2011-06-24 Thread Phil Mayers
On 06/24/2011 10:47 PM, Brian J. Murrell wrote: On 11-06-24 03:19 PM, David Sparro wrote: Do you have control of the update process. Sure. You could potentially send an update to both views (in other words, send two updates). How do I, with nsupdate, specify which view's zone I want to u

Re: BIND Statistics is required

2011-06-27 Thread Phil Mayers
On 06/27/2011 10:29 AM, Parashar Singh wrote: Hello, I need to collect zone statistics for zones defined within BIND name server. Due to some server performance issues, the logging facility has not been enabled within BIND. We want to have statistics of which zone has been queried how many time

Re: Named.conf logical blocks

2011-06-28 Thread Phil Mayers
On 06/28/2011 05:53 PM, Stefan Certic wrote: Hi Guys, Does anyone have a sample grammar for parsing named.conf into a data structure? Perl or PHP are preferred, but anything would be fine just to get a clear picture about grammar and logical blocks. The only thing I ever wrote was a quick pyt

Re: Named.conf logical blocks

2011-06-29 Thread Phil Mayers
On 06/28/2011 09:54 PM, Stefan Certic wrote: I am more looking for a solution to read data with perl and convert to some native data structure, like hash reference, or multidimensional array, so I can access and change data in form of: $named_conf_file->{view1}->{zoneblah} = 'somedata' and then du

Re: Named.conf logical blocks

2011-06-29 Thread Phil Mayers
On 06/29/2011 02:37 PM, Chris Buxton wrote: Not entirely. There is at least one construct that looks like this (using your terms): thing+ block thing block semicolon For example, within the controls statement: inet * allow { trusted; } keys { some.key; }; Good point.
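The three "Named.conf logical blocks" posts above ask for a grammar for named.conf, and the last reply gives the awkward case: a statement whose plain items and braced blocks interleave, as in inet * allow { trusted; } keys { some.key; };. The following is an added example, not the quick Python script mentioned in the earlier reply and not ISC code: a tokenizer and recursive-descent parser for the grammar "statement := item+ ';'" with "item := word | quoted-string | '{' statement* '}'", which handles that controls line without any special case, skips all three comment styles named.conf allows, and turns the file into nested Python lists. The sample configuration is constructed; quoted strings lose their quotes in the output, which is enough for reading a config but not for rewriting it byte for byte.

```python
"""Tokenizer and parser for named.conf's statement/block grammar (added example)."""
import re

# Whitespace and the three comment styles match first and produce no token.
TOKEN_RE = re.compile(
    r"""
    \s+ | //[^\n]* | \#[^\n]* | /\*.*?\*/
    | (?P<str>"(?:[^"\\]|\\.)*")
    | (?P<punct>[{};])
    | (?P<word>[^\s{};"]+)
    """,
    re.VERBOSE | re.DOTALL,
)

# Constructed named.conf fragment, including the interleaved form from the list.
SAMPLE_CONF = r'''
options {
    directory "/var/named";   # trailing comment
    allow-query { any; };
};
controls {
    inet * allow { trusted; } keys { some.key; };
};
acl trusted { 127.0.0.1; 192.0.2.0/24; };
view "internal" {
    match-clients { 192.0.2.0/24; };
    zone "example.net" {
        type master;
        file "example.net.db";
        allow-update { key ddns-key; };
    };
};
zone "." { type hint; file "named.ca"; };
'''


def tokenize(text):
    """Return (kind, text) tokens; raise SyntaxError on anything untokenizable."""
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError("cannot tokenize near offset %d: %r" % (pos, text[pos:pos + 20]))
        pos = m.end()
        if m.lastgroup:                       # None for whitespace and comments
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


def _parse_statements(tokens, pos, closing):
    """statement* up to end of input (closing=None) or a closing brace."""
    stmts = []
    while True:
        if pos >= len(tokens):
            if closing is None:
                return stmts, pos
            raise SyntaxError("unexpected end of input: missing '}'")
        kind, text = tokens[pos]
        if kind == "punct" and text == "}":
            if closing is None:
                raise SyntaxError("unexpected '}' at top level")
            return stmts, pos + 1
        stmt, pos = _parse_statement(tokens, pos)
        stmts.append(stmt)


def _parse_statement(tokens, pos):
    """item+ ';' where an item is a word, a string, or a nested block (a list)."""
    items = []
    while pos < len(tokens):
        kind, text = tokens[pos]
        if kind == "punct" and text == ";":
            if not items:
                raise SyntaxError("empty statement")
            return items, pos + 1
        if kind == "punct" and text == "{":
            block, pos = _parse_statements(tokens, pos + 1, "}")
            items.append(block)
            continue
        if kind == "punct":                   # a '}' before the ';' ending this statement
            raise SyntaxError("missing ';' before '}'")
        items.append(text[1:-1] if kind == "str" else text)
        pos += 1
    raise SyntaxError("missing ';' at end of input")


def parse_named_conf(text):
    """Parse a whole file into a list of statements (each a list of items)."""
    return _parse_statements(tokenize(text), 0, None)[0]


def statements(stmts, keyword):
    """All statements in a block that start with keyword."""
    return [s for s in stmts if s and s[0] == keyword]


def zones(conf):
    """(view or None, zone name, zone block) for every zone, inside or outside views."""
    found = [(None, z[1], z[-1]) for z in statements(conf, "zone")]
    for v in statements(conf, "view"):
        found += [(v[1], z[1], z[-1]) for z in statements(v[-1], "zone")]
    return found


def as_dict(block):
    """Map the first word of each statement in a block to its remaining items."""
    return {s[0]: s[1:] for s in block}


if __name__ == "__main__":
    conf = parse_named_conf(SAMPLE_CONF)
    print(statements(conf, "controls")[0][1][0])
    for view, name, block in zones(conf):
        print(view, name, as_dict(block).get("allow-update"))
```

Because a block is just another item, the controls line parses to ["inet", "*", "allow", [["trusted"]], "keys", [["some.key"]]] with no grammar rule knowing anything about inet or keys; the same shape covers zone statements with or without a class, options, views and acls, and the zones() helper is where a script auditing allow-update or allow-transfer across every view would start.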

Re: Disabling DNSSEC validation per zone?

2011-07-08 Thread Phil Mayers
On 08/07/11 15:13, Daniel McDonald wrote: I have a number of zones being served by rbldnsd, with bind as a front-end. The zones are defined as forward only in named.conf. When I enable dnssec validation, these zones report that they are insecure. 08-Jul-2011 08:55:58.700 dnssec: info: validati

Re: Allowing resolution of off-server CNAMEs

2011-07-09 Thread Phil Mayers
On 07/08/2011 05:11 PM, Joseph S D Yao wrote: It should be possible to set up an authoritative-only name server so that it does not recurse for anyone [except perhaps itself], but still allow someone to get a full resolution of a name whose canonical name is elsewhere. IMHBUCO. Why? The recu

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Phil Mayers
On 07/11/2011 07:11 PM, Jonathan Kamens wrote: The number of DNS queries required for each address lookup requested by a client has gone up considerably because of IPV6. The problem is being exacerbated by the fact that many DNS servers on the net don't yet support IPV6 queries. The result is t

Re: monitoring BIND

2011-07-13 Thread Phil Mayers
On 07/13/2011 03:43 PM, Karl Auer wrote: So I was wondering if there is a better solution out there? People I know speak highly of DSC: http://dns.measurement-factory.com/tools/dsc/index.html

Re: about the dig

2011-07-19 Thread Phil Mayers
On 07/19/2011 06:32 AM, Feng He wrote: Hi list, When I deleted all the entries in /etc/resolv.conf (I am using Linux), dig can't work. I was thinking since dig is a standard resolver, it should have the capability to follow the referral from root, thus it will work fine even if there is no system d

Re: MX choosing

2011-07-22 Thread Phil Mayers
On 07/22/2011 09:50 AM, Feng He wrote: Given the MX hosts for sympatico.ca domain: $ dig sympatico.ca mx +short 5 mxmta.sympatico.ca. $ dig mxmta.sympatico.ca +short 67.69.240.17 67.69.240.24 67.69.240.22 67.69.240.23 67.69.240.21 67.69.240.20 67.69.240.19 67.69.240.18 when the peer MTA fail

Re: MX choosing

2011-07-22 Thread Phil Mayers
On 22/07/11 14:01, Feng He wrote: On Fri, Jul 22, 2011 at 5:58 PM, Tony Finch wrote: The question of whether a sender should attempt retries using the different addresses of a multihomed host has been controversial. The main argument for using the multiple addresses is that it maximizes

Re: Bind time up.

2011-07-23 Thread Phil Mayers
On 07/23/2011 09:22 AM, Vbvbrj wrote: Hello. I have a server at home, that runs Bind 9 dns and routes internal traffic to internet. Its working fine. When I'm out of home, I disconnect my home switch. In bind log appears "no longer listening on 192.168.0.1#53". After a return to home and connect

bind 9.7.0 auto-dnssec doesn't remove final RRSIG on key inactivation?

2011-08-25 Thread Phil Mayers
We have a hidden master doing DNSSEC on our zones, and I've observed the following problem when doing a ZSK rollover. Zones are updated from our database using DDNS, and bind of course is (re)generating the signatures at the standard intervals. I first create and publish a new ZSK with no acti

Re: Upgrading From 9.7.2 to 9.8.1 startup failed (due to fatal error)

2011-09-16 Thread Phil Mayers
On 16/09/11 15:45, Ken Schweigert wrote: logging { ... channel "dev_null_log" { file "/dev/null"; }; … category lame-servers { dev_null_log; }; Why not just: category lame-servers { null; }; ...which is built-in?

Re: updating Bind made it slower

2011-09-26 Thread Phil Mayers
On 26/09/11 08:48, Tom Schmitt wrote: Hi, I just updated a couple of my DNS-servers from the rather old version 9.4.1 to a newer version 9.8.0-P4. After this I have problem with outages. Looking into it, I found that the time for a "rndc reload" has nearly doubled! This has been pointed out t

Re: Experience with DDNS (RFC 2136)

2011-10-06 Thread Phil Mayers
On 10/06/2011 09:44 AM, Jan-Piet Mens wrote: [ pardon the possible duplicate ] I'm a fan of RFC 2136 Dynamic DNS and, if I think it appropriate for a particular use case, sometimes suggest DDNS to customers. I often have a hard time convincing people to use DDNS and am doubted regarding its stab

Re: Experience with DDNS (RFC 2136)

2011-10-07 Thread Phil Mayers
On 10/07/2011 06:43 PM, JINMEI Tatuya / 神明達哉 wrote: Maybe an off topic in this thread, but out of curiosity, is there any specific reason you don't use the database as the direct source of the zone with BIND 9's dlz or PowerDNS? In general it will be slower, and I can't speak for Chris but he

Re: host versus nslookup

2011-10-13 Thread Phil Mayers
On 10/13/2011 07:05 AM, listmail wrote: On Thu, 13 Oct 2011 03:33:30 +0700, Fajar A. Nugraha wrote If you're concern about what address programs gets when they resolve host names, then getent is a better choice as it also respects nsswitch.conf and hosts file. According to the (almost useless)

Re: Mixing Algorithms for DNSSEC

2011-10-16 Thread Phil Mayers
On 10/15/2011 08:32 PM, Mark Elkins wrote: So what you are saying in practical terms is in order to migrate from RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which cycle once a year) and then at exactly the same time start using RSASHA256 on the KSK's (which cycle every mont

Re: CNAME record for the root of the domain

2011-10-17 Thread Phil Mayers
On 17/10/11 13:00, Niccolò Belli wrote: Il 17/10/2011 13:40, Chris Thompson ha scritto: A *CNAME* in the parent would, but only as long as you didn't mind losing all the rest of the zone. I don't mind, but how can I create a CNAME in the parent? Can you please make an example? *You* can't. O

Re: DNS Sinkhole in BIND

2011-10-17 Thread Phil Mayers
On 10/17/2011 06:38 PM, babu dheen wrote: You are absolutely correct Chris. I want to block/redirect all malware domain requests initiated by clients by setting up a DNS SINKHOLE in a Redhat BIND server. In older versions of bind, you needed to create a local zone per malware domain (or hostname).

Re: DNS Sinkhole in BIND

2011-10-17 Thread Phil Mayers
On 10/17/2011 09:05 PM, Lightner, Jeff wrote: I’m confused – does the OP want to block or does he want to redirect. “block/redirect” are two different things. What I wrote will block. If It'll block IPs, and whole IPs at that. If the server is shared, you block all traffic to it, not just the

Re: Blocking malware URL lookup using BIND

2011-10-25 Thread Phil Mayers
On 10/25/2011 10:03 AM, babu dheen wrote: Dear All, We are seeing a huge number of malware requests going to malware domains, performed by some malware-infected clients. This was discussed on the list just the other day; you have two options: 1. Create a dummy zone with no content for each hostna

Re: DNSSEC and forward zones

2011-11-01 Thread Phil Mayers
On 01/11/11 16:14, vinny_abe...@dell.com wrote: resolution fail since NXDOMAIN is the valid answer... done, end of story. I thought the forwarder type would bypass this but apparently I am wrong. Is there some other way to handle this for non-existent domains just for testing purposes? Don't d

Re: DNSSEC and forward zones

2011-11-01 Thread Phil Mayers
On 11/01/2011 06:24 PM, Lyle Giese wrote: A work-around (and it has some side effects and could be undesirable, just be aware of the side effects of doing this) is to declare .internal as a master zone in your DNS servers and then delegate policydomain.internal to your Windows AD servers in your

Re: DNSSEC and forward zones

2011-11-01 Thread Phil Mayers
On 11/01/2011 06:34 PM, Scott Morizot wrote: Alternatively, you can sign 'policydomain.internal' and configure its key as one of the trust anchors on the validating name servers. The order of validation is, if I recall correctly, locally configured trust anchors, then chain of trust from root, a

Re: DNS requests with Rd flag cleared

2011-11-04 Thread Phil Mayers
On 04/11/11 16:21, patrice.wacren...@orange.com wrote: Suppose that my organization has one authoritative DNS server (let’s call it DNS1) for the zone “myzone.fr” configured in such way that the subzone “subzone1.myzone.fr” is delegated to another authoritative DNS server (let’s say DNS2). Supp

Re: several master ip's for a slave zone

2011-11-05 Thread Phil Mayers
On 11/05/2011 08:21 AM, kalpesh varyani wrote: How does this feature address the risk that data provided by one master might get overwritten by another? The zone serial number is checked, and a transfer is only done if the serial is higher than the local one. It is assumed the zone admin won't

Re: several master ip's for a slave zone

2011-11-06 Thread Phil Mayers
On 11/05/2011 01:32 PM, Felix New wrote: If I have several master servers, must I ensure that all the master servers' serials are the same? I think this is a little complex, in particular when a zone is updated by dynamic update (in such a scenario, the serial number is controlled by every single b

Re: Securing zone transfer and DDNS

2011-11-07 Thread Phil Mayers
On 07/11/11 14:31, Aleksander Kurczyk wrote: Maybe this is a stupid question but what is ARM? Google for "bind ARM". 1st hit.

Re: how to split TXT record for IpSEC?

2011-11-09 Thread Phil Mayers
On 09/11/11 13:59, Matus UHLAR - fantomas wrote: On 09.11.11 14:35, Matus UHLAR - fantomas wrote: I have a domain with a TXT record that does not fit into 255 characters, some kind of IPsec record: sofia.dashofer.sk. 3600 IN TXT "X-IPsec-Server(10)=@sofia.dashofer.sk" " AQNqdEjqL33Pf4MFgJYs5v4xRh