Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed

2011-11-16 Thread Phil Mayers
On 16/11/11 13:07, Warren Kumari wrote: It was (very convincingly!) explained to me that INSISTS() are only used for the "this should not happen" cases, and if the INSISTS() were not there, many of the recent attacks may have led to much worse things like buffer overflows / more worrying securit

Re: Modify BIND ACLs on-the-fly?

2011-11-22 Thread Phil Mayers
On 22/11/11 12:42, Jan-Piet Mens wrote: Maybe I'm dreaming along the lines of a BIND zone updatable via DDNS, that I can use to configure ACL content ... ;-) I've wondered about that before. Seems it would be useful for a bunch of things.

Re: Exercising RFC 5011 rollovers

2011-11-26 Thread Phil Mayers
On 11/25/2011 08:49 PM, Evan Hunt wrote: Timing considerations make it difficult to have an automatic test for this in the standard BIND test suite; the RFC requires certain things to take a very long time. Unless you modify named to speed Feature suggestion: some sort of synthetic clock opti

Re: Exercising RFC 5011 rollovers

2011-11-26 Thread Phil Mayers
On 11/26/2011 12:21 PM, Jan-Piet Mens wrote: Feature suggestion: some sort of synthetic clock option to named for use in the test suite ("--test-unixtime-offset") or something? Obviously non-trivial. Indeed. I think Chris'& Evan's suggestion of a public zone that revokes and replaces trust a

Re: Exercising RFC 5011 rollovers

2011-11-26 Thread Phil Mayers
On 11/26/2011 01:13 PM, G.W. Haywood wrote: Hi there, On Sat, 26 Nov 2011 Phil Mayers wrote: Feature suggestion: some sort of synthetic clock option ... They say there's a thin line between genius and insanity. Did you just cross it? Thanks for the compliment! But I can't take

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 11/29/2011 11:53 PM, Doug Barton wrote: On 11/29/2011 15:33, Chris Thompson wrote: With a mixture of small and large zones, signed and unsigned, choosing sensible values for max-journal-size can become rather tedious (unless one is prepared to say "disc space is cheap, make them all"). I

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 11/29/2011 11:33 PM, Chris Thompson wrote: With a mixture of small and large zones, signed and unsigned, choosing sensible values for max-journal-size can become rather tedious (unless one is prepared to say "disc space is cheap, make them all"). We sort of did this accidentally. "max-jo

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 30/11/11 10:09, Matus UHLAR - fantomas wrote: Well, that's way too much. The main point of journal is imho to provide I think this is a decision for each operator to make themselves.

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 30/11/11 12:10, Matus UHLAR - fantomas wrote: On 30/11/11 10:09, Matus UHLAR - fantomas wrote: Well, that's way too much. The main point of journal is imho to provide On 30.11.11 11:51, Phil Mayers wrote: I think this is a decision for each operator to make themselves. I was tryi

Re: Zone Transfer Query

2011-12-05 Thread Phil Mayers
On 05/12/11 12:32, Gaurav Kansal wrote: Dear All, I have a master DNS on IPv4 AND slave DNS on IPv6. I also have a IPv4 address on slave (But only IPv6 address is entered in NS). Now I am trying to transfer my zone from master to slave through the IPv4 address. But it is giving me a error “fai

Re: Zone Transfer Query

2011-12-05 Thread Phil Mayers
On 05/12/11 12:43, Gaurav Kansal wrote: I have already check this too. I have done an entry in "allow-transfer" ACL. Show the relevant config - the zone & ACL from the master, and the zone statement from the slave. Are you sure the allow-transfer ACL includes the correct IP family i.e. if y

Re: CNAME only zone?

2011-12-09 Thread Phil Mayers
On 09/12/11 16:25, Lightner, Jeff wrote: Is it possible to create a zone file that only contains a CNAME? This comes up a lot, it seems. No. CNAME conflicts with any other record - including the SOA and NS records required at the apex. You will have to put an A record at the apex.

Re: CNAME only zone?

2011-12-09 Thread Phil Mayers
On 09/12/11 16:55, Lightner, Jeff wrote: I don't know what you mean by that. Apex of what exactly - my zone file? The zone is a tree. The records at the apex of the zone are those with the same name as the zone - normally the SOA, NS, MX, and other records. Since all zones must have a SOA a

Re: CNAME only zone?

2011-12-09 Thread Phil Mayers
On 09/12/11 17:08, Phil Mayers wrote: i.e. put an "A" record at the zone apex, with the IP of the "other" server. It does mean you need a script / process in place to update the A record if the name ...blast. "if the IP of

Re: Suspecious DNS queries dropped by Firewall

2011-12-13 Thread Phil Mayers
On 13/12/11 12:46, babu dheen wrote: Dear Anand, In what situation, DNS packet size can exceed more than 512 bytes. In This has been discussed many times in the list and elsewhere. There's no need to re-iterate it again. DNS packets >512 bytes are legal. You should permit them. In this cas

segfaults with bind RPZ?

2011-12-16 Thread Phil Mayers
All, I had a use-case for bind RPZ today, so enabled it on our internal testing DNS servers (running 9.8.1-P1). I had already created and deployed the "rpz" zone, as a sub-zone of our (DNSSEC-signed) main zone. As soon as the cfengine job ran, which basically added: response-policy { zon

Re: recursive clients quota maxes out when dnssec-validate and dlv-lookaside set to auto

2011-12-20 Thread Phil Mayers
On 12/19/2011 11:14 PM, Mark Jeftovic wrote: And it sorta almost works. Except what happens when we restart or reconfigure bind is that the number of recursive clients skyrockets to the maximum (currently the default 1000) in under a minute and then everything starts failing or timing out with a

Re: How can someone know Sub-Domains?

2011-12-25 Thread Phil Mayers
If you are being DOSed at a rate higher than you can handle then you need to liaise with your provider to get them to drop the traffic before it reaches you. Google "srtbh". There are 4 ways attackers might have extracted a list of target hosts. 1. Axfr I.e. Zone transfer - have you locked this

Re: IPv4 & IPv6 Queries

2012-01-06 Thread Phil Mayers
On 06/01/12 13:05, Brian Hamacher wrote: I would like to configure my DNS Server to respond with A and AAAA records when someone queries for a specific site. I don't know if this functionality is even available but if it is would someone mind pointing me in the right direction to get this configu

Re: ddns and views

2012-01-09 Thread Phil Mayers
On 01/09/2012 07:42 AM, Psychobyte wrote: Sorry, I didn't mean rndc I meant DDNS updates. in particular using the Perl Net::DNS module. DDNS works the same way as every other DNS packet with views; the "view" "match" statement determines which view you are talking to. The match statement ca

Re: Bind to INADDR_ANY

2012-01-10 Thread Phil Mayers
On 01/10/2012 01:12 AM, Bostjan Skufca wrote: Hi everyone, is binding to all interfaces at once already supported in bind9? I know named binds to each at-the-moment-available IP address but in HA environment with virtual interfaces a "rndc reload" is necessary for named to pick up a new interfac

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Phil Mayers
On 11/01/12 15:31, Howard Leadmon wrote: Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and As you found out, you cannot do that. "auto-dnssec maintain" requires that updates to the zone be via

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Phil Mayers
On 11/01/12 17:04, Ryan Novosielski wrote: Not that this is honestly so hard, however. I have played with it at home some and the ns-update command means that you can still at least do this manually fairly easily from the command line. Is my read on that correct? Performing a dynamic DNS updat

Re: recursion and forwarding

2012-01-12 Thread Phil Mayers
On 01/12/2012 06:15 PM, Adamiec, Lawrence wrote: So when does recursion occur, before the query is forwarded or never? I thought recursion was supposed to go looking for the answers. If recursion does not return an answer then does the query get forwarded? "forwarders" IIRC works as follows:

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 01/15/2012 08:11 PM, Evan Hunt wrote: Looking at some query log output from BIND 9.9.0rc1, e.g. 15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): ^ query: www.playground.test IN A +E (131.111.9.11

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 16/01/12 14:13, Chris Thompson wrote: I'm confused. The name being queried is already in the line. Why is it now in there twice? Obviously I'm not understanding something... I think Evan is saying that the change applies to all messages in which the client info appears, not just the query

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 16/01/12 15:19, Bostjan Skufca wrote: IP in parenthesis: It is the destination IP to which the client has sent his query. No, not that item. That's not new, and is obvious & known. The *first* item in parenthesis, right after client#port.

Re: Defense against a client?

2012-01-17 Thread Phil Mayers
On 01/17/2012 05:13 AM, Mark Andrews wrote: If one sets up a infrastructure such that a large number of end users "share the same fate" through having the same source address... then one should not be surprised when these end users actually do share the same fate... -DMM Assuming that there i

Re: Permissions change after running dnssec-settime bind 9.9.0rc2

2012-02-01 Thread Phil Mayers
On 02/01/2012 04:56 AM, Evan Hunt wrote: Now the private key is inaccessible to the named process, which is running as user bind. User bind is a member of group bind. Any time a private key file is rewritten, the mode is changed to 600. This kind of keyfile nannying annoys me, with other prod

GSS-TSIG / nsupdate -g problems

2010-04-23 Thread Phil Mayers
All, We have an Active Directory environment here, but use bind9 as our DNS servers. We have for years delegated out the zones: _tcp.ic.ac.uk _udp.ic.ac.uk ...and so forth, and used "allow-update" from the IPs of the AD servers. We're moving to DNSSEC-sign our zones shortly and I thought I mi

Re: one record to be redirected to a specific IP

2010-04-25 Thread Phil Mayers
On Sun, Apr 25, 2010 at 09:19:18PM +0100, hugo hugoo wrote: Yes I need more help on this item. Your answer seems to indicate that there is no way to only redirect www.abcd.com to IP 1.2.3.4 toto.www.abcd.com will either be redirected to the same IP (zone file with * A 1.2.

Re: one record to be redirected to a specific IP

2010-04-26 Thread Phil Mayers
On 26/04/10 12:44, Torsten wrote: Am Mon, 26 Apr 2010 11:30:26 +0200 schrieb Sten Carlsen: I wonder if the following could be done: - make the zone for www.abcd.com, which would also redirect the "anything else" part. - delegate the "anything else" back to its original owner. like: www.abcd.

Splitting off a sub-zone "atomically"

2010-05-10 Thread Phil Mayers
We're doing some DNSSEC testing with sub-zones of our main zone, and I had a little accident largely due to my own incompetence today where I basically did this: 1. Existing zone "example.com"; create new zone "sub.example.com" 2. Run a SQL->DNS update; *.sub.example.com RRs are removed from

Re: Splitting off a sub-zone "atomically"

2010-05-11 Thread Phil Mayers
On 05/11/2010 09:12 AM, Matus UHLAR - fantomas wrote: On 10.05.10 16:20, Phil Mayers wrote: We're doing some DNSSEC testing with sub-zones of our main zone, and I had a little accident largely due to my own incompetence today where I basically did this: 1. Existing zone "example.co

Out-of-zone data mistaken for glue?

2010-05-11 Thread Phil Mayers
Following on from yesterday's query; if I have this zone: test.com. 86400 IN SOA ... test.com. 86400 IN NS ... foo.test.com. 86400 IN NS ns.foo.test.com. ns.foo.test.com. 86400 IN A 192.168.254.254 www.foo

Re: Out-of-zone data mistaken for glue?

2010-05-11 Thread Phil Mayers
On 11/05/10 12:20, Barry Margolin wrote: In article, Phil Mayers wrote: Following on from yesterday's query; if I have this zone: test.com. 86400 IN SOA ... test.com. 86400 IN NS ... foo.test.com. 86400 IN NS

Re: Multi-mastering with dynamic updates

2010-05-17 Thread Phil Mayers
On 17/05/10 16:02, arcan...@free.fr wrote: Hi all, Like a lot of people over the web, I am looking for a clean multi-master (multi-primary) solution that allow dynamic updates. Interesting. What's the use-case for this? And like a lot of people over the web, I haven't found anything intere

Re: Multi-mastering with dynamic updates

2010-05-17 Thread Phil Mayers
On 17/05/10 16:59, Arcan_- wrote: Thanks for the reply. Interesting. What's the use-case for this? I have a few hundreds of dhcp clients and a two nodes pseudo cluster (for the VIP). I need a solution that enable high availability on the same level of service. That way, if one node fails, t

Re: How to resign a signed zone

2010-05-27 Thread Phil Mayers
On 05/27/2010 06:43 AM, rams wrote: Hi, How do we resign the signed zone? What is the command to do the RESIGNING ? Resign with a new ZSK, or resign with the existing ZSK to a avoid signature expiry? Which version of bind are you running? What's the zone statement look like?

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Phil Mayers
On 04/06/10 11:11, Tim Verhoeven wrote: Hi, I'm currently testing the automatic signing for DNSSEC present in Bind 9.7. I'm currently using Bind 9.7.0 and I have 2 questions. The first one, can I configure multiple key directories? The reasoning for this is that I would like to separate the KSK

Re: bind-users Digest, Vol 538, Issue 1

2010-06-07 Thread Phil Mayers
On 07/06/10 14:21, rams wrote: Hi, When we resign using "dnssec-signzone -o -f " , we don't get SOA incremented . In general AXFR looks for SOA comparison to reload zone file. In this case how will AXFR happen? Thanks & Regards, Ramesh You've forgotten the: -N increment ...argument.

Re: Running both a cache-only and an authoritative server on the same server

2010-06-17 Thread Phil Mayers
On 17/06/10 13:35, Phil Mayers wrote: On 17/06/10 12:39, Jørn Skjerven wrote: Hi! I've tried to search the archive for this, but could not find anything relevant. We currently run a server with an authoritative set for domains. We want to use the same server as a cache-only DNS for

Re: Running both a cache-only and an authoritative server on the same server

2010-06-17 Thread Phil Mayers
On 17/06/10 12:39, Jørn Skjerven wrote: Hi! I've tried to search the archive for this, but could not find anything relevant. We currently run a server with an authoritative set for domains. We want to use the same server as a cache-only DNS for other customers as well on a secondary IP. Is

Re: Running both a cache-only and an authoritative server on the same server

2010-06-17 Thread Phil Mayers
On 17/06/10 14:36, Torsten wrote: The important part seems to be "on a secondary IP" and afaik listen-on statements don't work inside of view statements. That leaves you with running two separate instances of Bind on the same server. Eh?. You simply do: options { listen-on { ip-primary; ip

Re: What does the following entry mean, in particular, what is SOA -E?

2010-06-25 Thread Phil Mayers
On 25/06/10 16:22, Regid Ichira wrote: What does the following entry mean: 25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1) http://www.isc.org/files/arm96.html#the_category_phrase

Re: What does the following entry mean, in particular, what is SOA -E?

2010-06-25 Thread Phil Mayers
On 25/06/10 16:28, Phil Mayers wrote: On 25/06/10 16:22, Regid Ichira wrote: What does the following entry mean: 25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1) http://www.isc.org/files/arm96.html

Re: rndc: 'sign' failed: permission denied

2010-07-08 Thread Phil Mayers
On 07/07/2010 08:24 PM, L. Gabriel Somlo wrote: view "global" { zone "example.org" { type master; file "example.org.signed"; allow-update { key foo; }; }; The problem is that, when I attempt

Re: Does bind send email?

2010-07-09 Thread Phil Mayers
On 09/07/10 12:18, tomasz dereszynski wrote: check below link apparently viruses (some) hide themselves behind that name/process. http://www.file.net/process/named.exe.html mind you, it might be something else ... Maybe McAfee is triggering on MX lookups?

Re: odbc.ucas.com lookup problem

2010-07-20 Thread Phil Mayers
On 20/07/10 15:10, Chris Thompson wrote: We're having some local reports about delays resolving odbc.ucas.com. The problem is undoubtedly the response of "ns-lp.ucas.com", which seems to be some sort of load balancer, to queries. I get log entries from BIND like Jul 20 14:35:12 koala.csi.ca

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Phil Mayers
On 07/21/2010 10:10 PM, Martin McCormick wrote: This is admittedly not a bind question, but it has become a major nag factor and I am not sure what to recommend. We delegate our Microsoft Active Directory zone to Microsoft domain controllers and they have stuffed their zone with

Re: connect call failing with EINPROGRESS error code.

2010-07-22 Thread Phil Mayers
On 07/22/2010 07:52 AM, R Juneja wrote: Hi, I am new to socket programming. Please help me with a situation. This is the wrong place to ask. This mailing list is for discussing the Bind DNS server, not socket programming. The function call connect (non -blocking) is failing with setting

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Phil Mayers
On 22/07/10 12:19, Rock July wrote: Windows Vista and 7 clients will query both type A and AAAA query even The OS might make the query, but the application will (should) be using getaddrinfo, and this will return the IPv4 addresses first, so it doesn't matter. only IPv4 interface is enable

Re: IPv6 Records on an IPv4 Network

2010-07-22 Thread Phil Mayers
On 22/07/10 16:45, Alan Clegg wrote: On 7/22/2010 8:33 AM, Phil Mayers wrote: only IPv4 interface is enabled. If I put the option "filter-aaaa-on-v4 {yes;};", will my DNS reject the queries? This option breaks DNSSEC. Actually, it doesn't. If the DO bit is set in

Re: Multiple masters expected behavior?

2010-07-22 Thread Phil Mayers
On 07/22/2010 10:59 PM, Peter Laws wrote: I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I

Re: IPv6 Records on an IPv4 Network

2010-07-23 Thread Phil Mayers
On 23/07/10 13:23, Danny Mayer wrote: On 7/22/2010 11:33 AM, Phil Mayers wrote: On 22/07/10 12:19, Rock July wrote: Windows Vista and 7 clients will query both type A and AAAA query even The OS might make the query, but the application will (should) be using getaddrinfo, and this will return

Re: IPv6 Records on an IPv4 Network

2010-07-24 Thread Phil Mayers
On 07/24/2010 03:57 AM, Danny Mayer wrote: Applications that depend on specific behaviors are broken. You should I think we're going to have to agree to disagree here.

Re: DNS update from Linux to Windows DNS Server

2010-07-26 Thread Phil Mayers
On 26/07/10 16:32, Cory Coager wrote: I'm not sure if this is the right place to ask this but I am trying to execute a DNS update using the nsupdate utility to update an A record from a Linux server to a Windows 2008 R2 DNS server. Sending the request using 'nsupdate -o' responds with 'response

Re: DNS update from Linux to Windows DNS Server

2010-07-26 Thread Phil Mayers
On 26/07/10 16:56, Cory Coager wrote: 'nsupdate -g' responds with 'dns_request_getresponse: FORMERR' Sorry then. I don't know. Personally I can't make nsupdate work at all with GSSAPI; I get: dns_tkey_buildgssquery failed: ran out of space ...before it even tries to talk to the network. I h

Re: BIND integration with windows DNS

2010-07-27 Thread Phil Mayers
On 07/27/2010 07:10 AM, Arnoud Tijssen wrote: I`m facing kind of a challenge. At the moment we have BIND and windows DNS within our corporate network. I would like to get rid of windows DNS and switch completely over to BIND, but since DNS is so intertwined with AD this is not an option since it

Re: BIND integration with windows DNS

2010-07-27 Thread Phil Mayers
On 07/27/2010 08:17 AM, Kalman Feher wrote: Since I don`t want all dynamic updates from windows clients polluting my main zone file, but still want one primary DNS serving the main domain instead of two, BIND and windows, what it is the best option if there is one. Create a subdomain for your

Re: BIND integration with windows DNS

2010-07-27 Thread Phil Mayers
On 07/27/2010 08:31 AM, Arnoud Tijssen wrote: From previous mail; Since I don`t want all dynamic updates from windows clients polluting my main zone file, but still want one primary DNS serving the main domain instead of two, BIND and windows, what it is the best option if there is one. Sor

Re: Subnet reverse delegation, RFC 2317

2010-07-29 Thread Phil Mayers
On 07/29/2010 08:58 AM, Jukka Pakkanen wrote: Doing first time the RFC 2317 style subnet reverse DNS, and have a problem with recursion. When doing a query like "dig @ns1.qnet.fi -x 62.142.217.200" is succeeds from the local network, but outside I get "recursion requested but not available". Ou

Re: Subnet reverse delegation, RFC 2317

2010-07-29 Thread Phil Mayers
On 29/07/10 10:00, Jukka Pakkanen wrote: 29.7.2010 11:29, Phil Mayers kirjoitti: On 07/29/2010 08:58 AM, Jukka Pakkanen wrote: Doing first time the RFC 2317 style subnet reverse DNS, and have a problem with recursion. When doing a query like "dig @ns1.qnet.fi -x 62.142.217.200" i

Re: Subnet reverse delegation, RFC 2317

2010-07-29 Thread Phil Mayers
On 29/07/10 12:34, Jukka Pakkanen wrote: 29.7.2010 14:23, Mark Andrews kirjoitti: In message<4c5134af.2080...@qnet.fi>, Jukka Pakkanen writes: Doing first time the RFC 2317 style subnet reverse DNS, and have a problem with recursion. When doing a query like "dig @ns1.qnet.fi -x 62.142.217.200

Re: list zones

2010-08-03 Thread Phil Mayers
On 03/08/10 10:39, Mihamina Rakotomandimby wrote: Manao ahoana, Hello, Bonjour, Without grepping the configuration files from the system shell, is it possible to lists all the master zones on a running bind9? What tool with? How about this: # add this to named.conf statistics-channels { inet

Re: dns-sec and Maintaining Human Sanity

2010-08-06 Thread Phil Mayers
On 06/08/10 12:24, Martin McCormick wrote: The one thing that impresses me about dns-sec is that it appears to be one of those things that will probably work fine after installation but getting there may be an adventure to put it mildly. My advice is to investigate upgrading to Bind 9.

Can an NS point to a CNAME

2010-08-12 Thread Phil Mayers
All, We've had a report this morning that a user can't resolve: 71.225.219.134.in-addr.arpa PTR ...I think this is because the parent zone NS records point to CNAMEs. I can see references to (much) older versions of bind not following such delegations, but I'm not getting anything logged at t

Re: Can an NS point to a CNAME

2010-08-12 Thread Phil Mayers
On 12/08/10 16:34, Yohann Lepage wrote: 2010/8/12 Phil Mayers: Is this still the case (that NS->CNAME is invalid)? http://www.rfc-editor.org/rfc/rfc2181.txt 10.3. MX and NS records The domain name used as the value of a NS resource record, or part of the value of a MX resou

Re: Can an NS point to a CNAME

2010-08-13 Thread Phil Mayers
On 13/08/10 08:49, Matus UHLAR - fantomas wrote: On 12.08.10 17:07, Phil Mayers wrote: Thanks, but perhaps I should be more specific about what I'm asking: Is it still the case that *Bind* will not follow a delegation where an NS record points at a CNAME? In any event, as has been pointe

Re: Can an NS point to a CNAME

2010-08-13 Thread Phil Mayers
On 13/08/10 14:14, Dave Sparro wrote: On 8/13/2010 6:08 AM, Phil Mayers wrote: Still puzzled that bind didn't seem to log anything. I will have a trawl through the source I think; I'm sure it must be my logging config. I don't know if I'm on the right path, but w

Re: DNS Rebinding Prevention for the Weak Host Model Attacks

2010-08-17 Thread Phil Mayers
On 08/17/2010 04:31 PM, Florian Weimer wrote: * Bradley Falzon: Craig Heffner's version of the DNS Rebinding attack, similar to all DNS Rebinding attacks, requires the DNS Servers to respond with an Attackers IP Address as well as the Victims IP Address, in a typical Round Robin fashion. Previo

www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Phil Mayers
All, It seems this zone is broken as of a couple of days ago. Is anyone else seeing it? Is there an appropriate bind workaround?

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Phil Mayers
On 18/08/10 13:30, Phil Mayers wrote: On 18/08/10 13:15, Lightner, Jeff wrote: It comes right up in Firefox but prompts for a username and password. Do you have DNSSEC validation enabled? Because as per my email, it's a DNSSEC problem. Damn - in fact sorry, scratch that. I reali

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-18 Thread Phil Mayers
On 18/08/10 13:15, Lightner, Jeff wrote: It comes right up in Firefox but prompts for a username and password. Do you have DNSSEC validation enabled? Because as per my email, it's a DNSSEC problem. After a bit of investigation, it seems that the problem is a missing NSEC/NSEC3 record in the

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Phil Mayers
On 18/10/16 08:26, Mukund Sivaraman wrote: We know that IXFR with RPZ policy zones (esp. this DBL zone) causes some trouble due to a less than desirable design / implementation of RPZ in BIND. We have a plan to refactor the RPZ implementation for 9.12 to remove these inefficiencies. Can you sh

Re: refused rcode is not working RPZ?

2016-11-17 Thread Phil Mayers
On 17/11/16 02:29, LEE SUKMOON wrote: This domain causes many recursive query. And client received late SERVFAIL response. I want to quickly response "*.jifr.net". I want to solve this problem using RPZ. See "qname-wait-recurse" in the bind ARM. This will apply policy to the query for QNAME

Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

2017-01-12 Thread Phil Mayers
On 12/01/17 15:37, G.W. Haywood wrote: Maybe it makes a difference that I'm in England, and using IPv6? FWIW I see the same thing - also UK-based on IPv6 but traceroute shows I'm hitting a server in the US so I doubt that's relevant. Download of: https://www.isc.org/downloads/file/bind-9-9-

Re: Graphing BIND 9.11/9.10 Queries

2017-01-19 Thread Phil Mayers
On 19/01/17 15:12, John W. Blue wrote: Daniel, Thanks for sharing. I like the HTTP statistics channel but trying to slice up the XML has been challenging. Going to be checking this combo out. We moved to the JSON stats recently to get around a memory leak in our XML based script. Far nicer IMO

Re: Graphing BIND 9.11/9.10 Queries

2017-01-19 Thread Phil Mayers
On 19/01/17 15:18, Matthew Pounsett wrote: Yeah, I find processing the JSON stats much easier.. the tools for importing JSON into tend to be pretty straightforward to use. Plug here for excellent CLI tools like httpie and jq for the development/exploration phase of dealing with the stats (al

Re: Bind Queries log file format

2017-02-04 Thread Phil Mayers
On 03/02/17 16:53, Alan Clegg wrote: The "rndc" option allows those that KNOW that they may need the data begin the collection where everyone else isn't impacted. If you know that this customer is at risk, tell them "run this command, it's going FWIW, I would tend to agree with this approach;

Re: Bind Queries log file format

2017-02-04 Thread Phil Mayers
On 03/02/17 16:45, Mukund Sivaraman wrote: The query log is getting more fields at the end of it such as CLIENT-SUBNET logging. Although it would be super-disruptive, has any thought been given to moving to an entirely new log format, for example k/v or JSON? They're a lot more extendable go

Re: Bind Queries log file format

2017-02-04 Thread Phil Mayers
On 04/02/2017 09:18, Phil Mayers wrote: On 03/02/17 16:53, Alan Clegg wrote: The "rndc" option allows those that KNOW that they may need the data begin the collection where everyone else isn't impacted. If you know that this customer is at risk, tell them "run this comman

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Phil Mayers
On 09/02/17 14:51, Reindl Harald wrote: just take the "ExecStart" line, look in the environment file which defines $OPTIONS, add them and finally -g and press enter On RH-based systems, the SELinux transition behaviour is different running something from the CLI versus init scripts/systemd, s

Re: Configuration advice for a post-8020 world

2017-02-12 Thread Phil Mayers
On 12/02/2017 11:09, Woodworth, John R wrote: SAMPLE ZONES: 101{redacted}.com. (REAL ZONE FILE) jwjw.sales.101{redacted}.com. (REAL ZONE FILE) You are missing the glue NS records in the parent zone (just verified by local test of the before/after case). You need: jwjw.sales.1

Re: Concatenating more RPZ zones?

2017-02-23 Thread Phil Mayers
On 23/02/17 13:05, Job wrote: Hi guys, i have this situation with RPZ zones (and can grow up with more RPZ zones): This is the third time you've posted this query. It's not necessary or polite to continually re-post the same message to the list. If no-one has replied, it's possible no-one

Re: switching entire DNS system to new servers and IP addresses

2017-02-24 Thread Phil Mayers
On 23/02/17 20:21, Mitchell Kuch wrote: In practice, we have encountered caching resolvers that provide non-decrementing TTL values to downstream resolvers and clients. Even That is a depressingly common residential ISP trick :o(

Re: global server load balancing with the domain name

2017-04-15 Thread Phil Mayers
On 14/04/17 22:40, McDonald, Daniel (Dan) wrote: That works fine for test.example.com. But when I go to production, I need to do it for example.com As others have noted, you can't delegate a single record from the apex. tl;dr - vendor specific, as your GSLB vendor. There are multiple soluti

Re: Tuning suggestions for high-core-count Linux servers

2017-06-02 Thread Phil Mayers
On 02/06/17 08:12, Browne, Stuart wrote: Just some interesting investigation results. One of the URL's Matthew Ian Eis linked to talked about using a tool called 'perf'. For the hell of it, I gave it a shot. perf is super-powerful. On a sufficiently recent kernel you can also do interesting th

Re: BIND and Windows DNS logging and archiving

2017-07-23 Thread Phil Mayers
On 22/07/2017 07:33, Mick Lee wrote: Hi Guys, Can anyone offer any advice based on their experience? Well, if I understand correctly, your main problem is the windows boxes running windows DNS, so this is not a bind problem. You might be better asking elsewhere. However, honestly I would c

Re: BIND and Windows DNS logging and archiving

2017-07-23 Thread Phil Mayers
On 23/07/2017 15:16, Mick Lee wrote: I have a colleague who has said he has a parts of a PCAP to BIND query log agent that runs on UNIX platforms, and he is happy to port that to Windows for me - he's actually working on it now (for a few beers :) ). dnscap basically does the same thing. No i

Re: botched KSK rollover

2017-08-21 Thread Phil Mayers
On 18/08/17 16:25, Carl Byington wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Sigh, it sure would be nice if I had a registrar with a means to automate DS submission. You might want to look at gkg.net Gandi are another excellent registrar that I can recommend. They have a compre

Re: botched KSK rollover

2017-08-21 Thread Phil Mayers
On 21/08/2017 14:23, Matthew Pounsett wrote: On 21 August 2017 at 07:18, Phil Mayers <p.may...@imperial.ac.uk> wrote: Gandi are another excellent registrar that I can recommend. They have a comprehensive API for all their features, including uploading DNSSEC pu
