Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 09:44:43AM +0200, Stephane Bortzmeyer wrote a message of 34 lines which said: > I'm not aware of a tool (free software or not) which does it. Some > programming will be required. Attached is an example program. Free software licence, whatever you prefe

Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 12:40:14PM -0700, Ronald F. Guilmette wrote a message of 36 lines which said: > >I'm not aware of a tool (free software or not) which does it. Some > >programming will be required. > > I was afraid of that, but thank you for confirming. Don't despair, see the other me

Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 10:48:57AM -0400, Matthew Pounsett wrote a message of 32 lines which said: > Yeah, you can pretty reliably get the answer in one or two steps by > requesting the NS set for the FQDN. You'll either get your answer, or > get an SOA with the name of the enclosing zone. S

Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Thu, Sep 09, 2021 at 03:20:14AM -0700, Ronald F. Guilmette wrote a message of 48 lines which said: > I don't want and don't need SOA records. I want and need only the > relevant NS records. The algorithm proposed by Matt Pounsett uses the SOA but only to find the NS (through the name of t

Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Thu, Sep 09, 2021 at 12:33:22PM +0200, Matus UHLAR - fantomas wrote a message of 59 lines which said: > Note that some domains can be horribly broken and different > nameservers can send different NS, or no NS at all but SOA. Doing this sort of survey on the wild (and wide) Internet leads

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 03:34:37PM +, Jason Vas Dias wrote a message of 146 lines which said: >"Book An Appointment": https://covid19booster.healthservice.ie/ > >to make an appointment, Firefox and Chrome both return >"Server Not Found" errors. This domain name seems OK for

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 04:55:24PM +0100, Stephane Bortzmeyer wrote a message of 52 lines which said: > This domain name seems OK for me but I notice that a fair number of > RIPE Atlas probes in Ireland return a fake NXDOMAIN for this name: On Twitter, an Irish DNS expert said t

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 06:10:26PM +, Jason Vas Dias wrote a message of 72 lines which said: > What are "RIPE Atlas Probes" ? Small boxes that volunteers from all over the world install in various networks to run active measurements (DNS, ping, traceroute, etc). Very handy to see the Inte

Re: Supporting LOC RR's

2022-05-02 Thread Stephane Bortzmeyer
On Wed, Apr 13, 2022 at 03:39:33PM +0200, Bjørn Mork wrote a message of 14 lines which said: > Which problems do LOC solve? > > I remember adding LOC records for fun?() in the previous millennium when > RFC 1876 was fresh out of the press. But even back then paranoia > finally took over, and

Re: Setting Up An Running Your Own Dmarc using Bind DNS

2022-06-27 Thread Stephane Bortzmeyer
On Mon, Jun 27, 2022 at 02:16:26PM -0400, daniel jay foran wrote a message of 370 lines which said: > I cant be the only one that has racked his brains and written > hundreds of lines of code trying to get ISC BIND 9 to authenticate > Dmarc records correctly. I'm not sure I understand you sin

Re: Slave Servers Return SERVFAIL

2008-11-18 Thread Stephane Bortzmeyer
On Mon, Nov 17, 2008 at 08:25:13PM -0800, Merton Campbell Crockett <[EMAIL PROTECTED]> wrote a message of 51 lines which said: > My colleagues decided to do away with the delegations and separate > zone files and placed all the PTR records in a single zone file. This is mostly a matter of tast

Re: bind9 no longer detect my ipv6 interface after having upgrade from ubuntu server 8.04 to 8.10

2008-11-19 Thread Stephane Bortzmeyer
On Tue, Nov 18, 2008 at 02:17:46PM +0100, Manson Thomas <[EMAIL PROTECTED]> wrote a message of 150 lines which said: > Yesterday I configured a new '.fr' domain which requires a > successful zonecheck That's a good example of why it is a good thing... > f: Server doesn't listen/answer on por

Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Wed, Nov 19, 2008 at 09:55:52PM +0100, Adam Tkac <[EMAIL PROTECTED]> wrote a message of 17 lines which said: > If I understand correctly what RFC 4034, section 2.1.1 says "... If > bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and > the DNSKEY RR's owner name MUST be the na

Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 20, 2008 at 11:55:17AM +, Chris Thompson <[EMAIL PROTECTED]> wrote a message of 33 lines which said: >> The text you quote is for DNS publication. But you typically do not >> put KSK in the DNS, no? > > Sure you do. How could a validator use it if you didn't? Because it is pub

Re: check Availability before sending response

2008-12-03 Thread Stephane Bortzmeyer
On Wed, Dec 03, 2008 at 10:53:43PM +0800, Ken DBA <[EMAIL PROTECTED]> wrote a message of 21 lines which said: > ie, given the domain name www.site.com was pointed to 1.1.1.1 and > 2.2.2.2 in Bind. When a client query for www.site.com, Bind will > check the health status for these two servers.

Re: GTLD servers still promoting glue to answer :-(

2008-12-14 Thread Stephane Bortzmeyer
On Wed, Dec 10, 2008 at 12:26:51PM +, Chris Thompson wrote a message of 28 lines which said: > As the recent thread ("can't see nameserver externally") reminds us > -- for edu rather than com/net, but there can't really be a > difference, can there? the nameservers are just a subset -- > g

Re: 50 million records under one domain using Bind

2008-12-14 Thread Stephane Bortzmeyer
On Sat, Dec 13, 2008 at 05:09:57PM +0530, Vinay Y S wrote a message of 23 lines which said: > Also, is there any known deployments of bind of this scale out there? Half of the ".de" name servers are BIND and ".de" has 12 millions of domains, which probably means close to 50 millions of record

Re: Testing my configuration

2008-12-18 Thread Stephane Bortzmeyer
On Wed, Dec 17, 2008 at 12:36:44PM +0100, Holger Honert wrote a message of 113 lines which said: > check out dig with the zone-transfer option (man dig): He asked for information about a DOMAIN NAME, which may or may not be also a ZONE. If it is not a zone, zone transfer won't work. Using:

Re: General performance

2008-12-24 Thread Stephane Bortzmeyer
On Tue, Dec 23, 2008 at 08:36:36PM -0800, Scott Haneda wrote a message of 35 lines which said: > First, if I learn it is in fact true that all 50K zones will be > identical, is there any reason to make 50K zone files? No. > Is it ok to point different domains to the same zone file? Yes. h

Re: Domains ignored on named start

2008-12-24 Thread Stephane Bortzmeyer
On Wed, Dec 24, 2008 at 08:47:10AM -0500, Robert G. Brown wrote a message of 58 lines which said: > What are the next steps YOU would take to diagnose or isolate the problem? 1) Triple-check that the loaded named.conf is the one you write. A good trick is to make a big syntax error in it to

Re: Bind open to query from anyone

2009-01-06 Thread Stephane Bortzmeyer
On Mon, Jan 05, 2009 at 03:15:36AM -0800, Chris Henderson wrote a message of 12 lines which said: > That is, any one can use my name server to query any host name, > eg. www.google.com, www.yahoo.com etc. Is this a bad idea? Yes, very bad. See RFC 5358

Re: DNS lookups getting blocked , cant trace where is the block

2009-01-16 Thread Stephane Bortzmeyer
On Fri, Jan 16, 2009 at 11:44:06AM +0530, ram wrote a message of 44 lines which said: > [r...@smtpout1 ~]# dig @localhost bsnl.in > ; <<>> DiG 9.3.3rc2 <<>> @localhost bsnl.in > ; (1 server found) > ;; global options: printcmd > ;; connection timed out; no servers could be reached Since you

Re: Reverse DNS with delegation

2009-01-16 Thread Stephane Bortzmeyer
On Fri, Jan 16, 2009 at 12:27:54PM +0100, Jérémie Grauer wrote a message of 282 lines which said: > I'm encountering a very strange behavior with our dns server No, it is dig behavior. You never indicate the Resource Record type so dig picks "A" (IPv4 address). If you indicate "ANY" or "PTR

Re: Conflicting glue records?

2009-01-19 Thread Stephane Bortzmeyer
On Thu, Jan 08, 2009 at 02:46:44AM -0800, Milo Hyson wrote a message of 127 lines which said: > stale glue records for our name-servers that appear to be coming > from a domain we host that is owned by someone else. I don't really like to work on hypothetical situations. Either you post the r

Re: ACL ?

2009-01-20 Thread Stephane Bortzmeyer
On Tue, Jan 20, 2009 at 12:24:37PM +0100, GanGan wrote a message of 20 lines which said: > how to make a bind that responds to DNS fields for which it is the > master ? List the zones for which it is a master in named.conf. > and it doesn't meet the request of the domain from which there is no ma

Re: in-addr.arpa delegation failure

2009-01-20 Thread Stephane Bortzmeyer
On Tue, Jan 20, 2009 at 04:14:01PM +, Lars Hecking wrote a message of 87 lines which said: > This host is set up as a master for 172.30/16. It delegates 172.30 > to a subdomain (A record for ns1.sub.domain.com is present > elsewhere). Hold on! There is already a contradiction. It is su

Re: 512 byte limit

2009-01-22 Thread Stephane Bortzmeyer
On Wed, Jan 21, 2009 at 11:47:01AM -0500, Todd Snyder wrote a message of 38 lines which said: > I am sure there is much in the RTFM category, and I will continue to > RTFM, The FM here is RFC 2671, published nine years ago (a lot of time in Internet terms). > We are seeing some firewall mess

Re: dig for domain registration

2009-01-23 Thread Stephane Bortzmeyer
On Thu, Jan 22, 2009 at 01:16:00PM -0800, Scott Haneda wrote a message of 18 lines which said: > If I do `dig NS example.com` and grep out my NS, does that suffice > for making sure my primary and secondary are listed? It depends on the TLD policy. For ".com", as far as I know, there is no re

Re: 512 byte limit

2009-01-23 Thread Stephane Bortzmeyer
On Thu, Jan 22, 2009 at 11:06:38AM +, Chris Thompson wrote a message of 28 lines which said: >> As mentioned by Anton Korotin, the root name servers send answers > 512. > > Well not unless the EDNS flag and buffer size are set in the query, of > course. Which BIND does by default. > a,

[DNSSEC] Validating resolver which is also authoritative: no AD bit set

2009-01-23 Thread Stephane Bortzmeyer
I configure a BIND 9.5.0 P2 which is both a DNSSEC-validating resolver and an authoritative server. With proper trust anchors, it DNSSEC-validates domains like iis.se or sources.org and sets the AD bit in the answers to 'dig +dnssec XXX iis.se'. Except for one domain, generic-nic.net, for which t

Re: Manual for Bind-9.5 or 9.6

2009-01-23 Thread Stephane Bortzmeyer
On Fri, Jan 23, 2009 at 11:06:16AM -0500, Peter Fraser wrote a message of 12 lines which said: > Can someone please tell me where the manuals are, better yet PDF > versions of it. It seems ISC does not put them online but they are included with BIND. To quote the ISC Web site: DOCUMENTATION

Re: What are these entries in the log file - " query: . IN NS +"?

2009-01-27 Thread Stephane Bortzmeyer
On Tue, Jan 27, 2009 at 11:50:51AM +0100, Jan Buchholz <96de...@googlemail.com> wrote a message of 38 lines which said: > i think disable queries at the root-zone for not internal networks > is another answer for this problem . Good practices about this attack (with specific BIND advice) is al

Re: How many nameservers?

2009-02-02 Thread Stephane Bortzmeyer
On Sun, Feb 01, 2009 at 04:51:52PM -0800, shulkae wrote a message of 17 lines which said: > How may NS entries typically is allowed per zone? The protocol has no limit. But you may run into problems with old software which still limits the DNS packets to 512 bytes. See all the gory details in

Re: How many nameservers?

2009-02-02 Thread Stephane Bortzmeyer
On Mon, Feb 02, 2009 at 02:25:35PM -0600, bsfin...@anl.gov wrote a message of 41 lines which said: > One downside - if you have many NS records, then they might not all > fit in one UDP packet Let me demonstrate a bit of pedantism: the correct sentence is rather "they might not all fit in a t

Re: NS validation?

2009-02-09 Thread Stephane Bortzmeyer
On Mon, Feb 09, 2009 at 07:32:03AM -0600, Frank Bulk wrote a message of 54 lines which said: > Please forgive me for my naivety, but since when did a host name > have a WHOIS record? In the registry of .net/.com, many, many years. % whois -h whois.verisign-grs.com ns4.generic-nic.net Whois

Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-11 Thread Stephane Bortzmeyer
On Wed, Feb 11, 2009 at 01:21:35AM +0100, Thomas Manson wrote a message of 88 lines which said: > I believed I was on bind mailing list, a mailing list is where you > usually get some help... isn't it ? You're right, it's a shame. Ask immediately for a refund, both for your registration to th

Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-11 Thread Stephane Bortzmeyer
On Wed, Feb 11, 2009 at 01:35:31AM +0100, Thomas Manson wrote a message of 80 lines which said: > I'll temporray block the ip on my firewall Very bad idea, since it is forged. You do exactly what the attacker wanted you to do. The proper thing to do is: https://www.dns-oarc.net/oarc/article

Re: Multiple SOA

2009-02-12 Thread Stephane Bortzmeyer
On Wed, Feb 11, 2009 at 12:19:20PM -0800, Prabhat Rana wrote a message of 16 lines which said: > Is it possible to have more than one hosts assigned as SOA in a > given zone file? There is no reason to do so. > Currently I have host1 as master and host2 configured as slave for > x.host.com.

Re: Multiple SOA

2009-02-12 Thread Stephane Bortzmeyer
On Thu, Feb 12, 2009 at 06:44:30AM -0800, Prabhat Rana wrote a message of 68 lines which said: > So as long as named.conf host2 states it as master after the change > even if SOA in the zonefile lists host1 as SOA. The file transfer > will resume even when host1 is down? May I give an advice?

Re: empty DoS queries

2009-02-23 Thread Stephane Bortzmeyer
On Mon, Feb 23, 2009 at 02:20:03PM +0100, Frank Kirschner <147...@celebrate.de> wrote a message of 65 lines which said: > 23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: > \(none\) IN A + I have no idea. But capturing such queries with something like: tcpdump -w dos-o

Re: More than four name server for whois record

2009-03-01 Thread Stephane Bortzmeyer
On Sun, Mar 01, 2009 at 11:41:22AM -0800, Chris Henderson wrote a message of 8 lines which said: > I cannot put more than four name servers in the domain management > web interface Bad "domain management Web interface", use another one (four is a very low limit). What software is it (BIND h

Re: how to create a private "test." zone?

2009-03-01 Thread Stephane Bortzmeyer
On Sun, Mar 01, 2009 at 08:46:11PM +, Rui Lopes wrote a message of 168 lines which said: > I did the delegation by > adding the following RR in the "test." zone (in the Sun host): > > example IN NS plesk Maybe an error prevented the loading of the zone? Check the S

Re: Adding records to a domain I don't control for anyone who uses my nameserver

2009-03-03 Thread Stephane Bortzmeyer
On Mon, Mar 02, 2009 at 01:07:36PM -0500, Matthew Huff wrote a message of 62 lines which said: > Spoofing the dns zones is the only solution. It won't work when (if) DNSSEC is deployed (and I assume the banking sector will be one of the first to adopt it)... Why not use your own XMP

Re: Unable to resolve visitriverside.com

2009-03-03 Thread Stephane Bortzmeyer
On Tue, Mar 03, 2009 at 08:58:28AM -0800, Scott Baker wrote a message of 18 lines which said: > I am unable to resolve visitriverside.com with my Bind 9 server. I > don't have any problems resolving other domains, it just appears to > be this host. visitriverside.com is highly broken: it has

Re: Bind not starting

2010-10-01 Thread Stephane Bortzmeyer
On Fri, Oct 01, 2010 at 09:44:42AM +0530, rams wrote a message of 300 lines which said: > But bind is started successfully when commented below ns domains > which are marked as RED. Some people are color-blind and some do not use a Web browser to read email. Using colors on a technical list i

Re: nsupdate

2010-10-01 Thread Stephane Bortzmeyer
On Fri, Oct 01, 2010 at 02:58:28PM +0530, rams wrote a message of 240 lines which said: > Suppose we have two A records as , These two records have the same {name, class, type} and therefore belong to the same RRset (Resource Record Set). > When we update TTL value as below for one of the re

Re: Bind not starting

2010-10-04 Thread Stephane Bortzmeyer
On Fri, Oct 01, 2010 at 12:13:33PM -0400, John Wingenbach wrote a message of 440 lines which said: > NS records must point to an A record. Or a record. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo

Re: DNS Propagation

2010-10-14 Thread Stephane Bortzmeyer
On Thu, Oct 14, 2010 at 11:54:27AM -0300, João Alberto Kuchnier wrote a message of 23 lines which said: > Can someone help me? Without the actual domain name? Unlikely.

Re: DNS Propagation

2010-10-14 Thread Stephane Bortzmeyer
On Thu, Oct 14, 2010 at 01:51:25PM -0500, Lyle Giese wrote a message of 416 lines which said: > That's how glue records get inserted into the root servers. Small fix: unless the OP manages a TLD, "his" glue won't be inserted in the root servers but in the servers of the TLD he uses (.COM in y

Re: DNS Propagation

2010-10-14 Thread Stephane Bortzmeyer
On Thu, Oct 14, 2010 at 04:04:20PM -0300, João Alberto Kuchnier wrote a message of 148 lines which said: > Oct 14 16:00:42 ns1 named[4602]: error (connection refused) resolving > 'guide.opendns.com/A/IN': 200.198.101.4#53 > > 200.198.101.3 -> Master > 200.198.101.4 -> Slave Master and Slave

Re: Multiple zones pointing to same zone file

2010-10-20 Thread Stephane Bortzmeyer
On Tue, Oct 19, 2010 at 05:29:01PM -0400, John Wingenbach wrote a message of 18 lines which said: > What about for a master server? Are there any issues with named > supporting that? Not at all. It works fine . (Didn't try DNSSEC y

Re: DNS Redundancy

2010-10-21 Thread Stephane Bortzmeyer
On Thu, Oct 21, 2010 at 06:32:09AM -0500, Martin McCormick wrote a message of 39 lines which said: > Example: > > nameserver139.78.100.1 > nameserver139.78.200.1 I always add: timeout:1 because the default timeout is 5 seconds, much too important to allow for a smooth fallback. Ot

Re: DNS Redundancy

2010-10-21 Thread Stephane Bortzmeyer
On Thu, Oct 21, 2010 at 02:27:52PM +0100, lheck...@users.sourceforge.net wrote a message of 35 lines which said: > > Other options could be interesting, such as "rotate". See > > resolv.conf(5). > > Nearly off-topic, but how does one specify such options via dhcp? It depends on the DHCP cl

Re: Clarification

2010-10-22 Thread Stephane Bortzmeyer
On Fri, Oct 22, 2010 at 05:05:06PM +0530, rams wrote a message of 38 lines which said: > What is the bind response when queried MX record. % dig @ns3.nic.fr MX nic.fr ; <<>> DiG 9.7.1-P2 <<>> @ns3.nic.fr MX nic.fr ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- op

Loading MX record with illegal preference (Lame subject replaced: clarification

2010-10-22 Thread Stephane Bortzmeyer
On Fri, Oct 22, 2010 at 06:01:22PM +0530, rams wrote a message of 42 lines which said: > I have a record in BIND as follows: > > mxdomain.com. 86400 IN MX 65536 gmail.com. I don't think you tell us the truth. Because BIND refuses to load it: % named-checkzone example large-mx.zone dns_rdat

Re: Loading MX record with illegal preference (Lame subject replaced: clarification

2010-10-22 Thread Stephane Bortzmeyer
On Fri, Oct 22, 2010 at 09:02:49AM -0500, Jeremy C. Reed wrote a message of 8 lines which said: > Because the subject was replaced I didn't find it before my response :) You should really use a threaded mail client (which understands the In-Reply-To: header) :-)

Re: error (broken trust chain) resolving

2010-11-03 Thread Stephane Bortzmeyer
On Wed, Nov 03, 2010 at 11:44:18AM +, Brian J. Murrell wrote a message of 46 lines which said: > named error (broken trust chain) resolving '133.168.163.66.sa- > trusted.bondedsender.org/TXT/IN': 173.45.100.146#53 > > Where/why does it break? Who's is breaking it? I can see that > org.

Re: DNSSEC and Bind 9.3.6

2010-11-03 Thread Stephane Bortzmeyer
On Wed, Nov 03, 2010 at 11:24:03AM -0200, alexan...@nautae.eti.br wrote a message of 31 lines which said: > So, is that possible in any way to use DNSSEC with Bind 9.3.6? Yes. DNSSEC appeared in BIND 9.0. > Is there any documentation to follow? The ARM. > What are the general important DNS

Re: error (broken trust chain) resolving

2010-11-03 Thread Stephane Bortzmeyer
On Wed, Nov 03, 2010 at 04:00:48PM +, Brian J. Murrell wrote a message of 19 lines which said: > > Another possibility: sa-trusted.bondedsender.org is badly lame (none > > of the name servers reply), so it may trigger a bad error message from > > BIND. > > Both s0.rpdns.net. and s1.rpdns.

Re: How does Yahoo/Google find unknown domains?

2010-11-08 Thread Stephane Bortzmeyer
On Mon, Nov 08, 2010 at 02:02:52AM +0100, Michelle Konzack wrote a message of 94 lines which said: > If I read the conditions of Networksolutions and Co, spidering of > WHOIS records is prohibited also the commercial use of the data. The list of domains in .COM (and other ICANN TLDs) can be o

Re: How does Yahoo/Google find unknown domains?

2010-11-09 Thread Stephane Bortzmeyer
On Wed, Nov 10, 2010 at 01:47:44AM +0100, Michelle Konzack wrote a message of 115 lines which said: > Even my simple squirrelmail login page from > is spidered daily with more than 800 hits and I have already counted > more than 80 different searchbots. HTTP spidering issues are clearly off-t

Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Stephane Bortzmeyer
On Wed, Nov 17, 2010 at 07:48:55AM -0600, Martin McCormick wrote a message of 22 lines which said: > It would be nice to log each nxdomain for a while so we can verify > that the new delegated zone we are about to install fixed the > problem. Maybe with dnscap

Re: query with TSIG key

2011-01-18 Thread Stephane Bortzmeyer
On Tue, Jan 18, 2011 at 02:18:53PM +0800, p...@mail.nsbeta.info wrote a message of 11 lines which said: > How to query for an A or CNAME record with a TSIG key? [A records are quite outdated in 2011. I'll use ] dig -y hmac-sha1:name-of-the-key:iGSDB9st...Ra9JQ @the.name.server exampl

Re: Delegation question

2011-02-04 Thread Stephane Bortzmeyer
On Fri, Feb 04, 2011 at 09:55:07PM +1100, Jean-Yves Avenard wrote a message of 112 lines which said: > Now if I uncomment the NS ad.domain.com. mel.domain.com will not > resolve anymore: General rule with Unix daemons: always read the log. You'll find the error message. BIND-specific rule: t

Re: Public Advisory on DNSSEC Failures with New DS Records

2011-02-07 Thread Stephane Bortzmeyer
On Fri, Feb 04, 2011 at 04:11:03PM -0800, Larissa Shapiro wrote a message of 37 lines which said: > The full advisory is located at: > > https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record It is no longer a _public_ advisory. The above URL redirects to

Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and the AEP keyper HSM), with DNSSEC enabled, dynamically signing records. Most of the time, the typical NSEC3 looks like ('dig +dnssec @a.nic.fr A www.toto.fr' if you want to see it): meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 11:07:31AM +0100, Stephane Bortzmeyer wrote a message of 35 lines which said: > Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and > the AEP keyper HSM), with DNSSEC enabled, dynamically signing > records. ... > at least in the second

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 11:01:48AM +, Phil Mayers wrote a message of 23 lines which said: > The zone at the moment seems to be signed with NSEC; Hmmm, no, .FR has been signed by NSEC3 from the beginning. Could you post this strange dig output? > are you trying to perform an online trans

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 10:51:30AM +, Phil Mayers wrote a message of 31 lines which said: > This is documented in the Bind ARM OK, thanks, I missed this section. > i.e. the *presence* of the record is normal. I'm not convinced (and the ARM is far from clear about it). Most of the time

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 11:07:31AM +0100, Stephane Bortzmeyer wrote a message of 35 lines which said: > is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr > NSEC3: no valid signature found') or an Unbound resolver ('debug: > verify: signature mism

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-14 Thread Stephane Bortzmeyer
On Mon, Feb 14, 2011 at 01:50:49PM +1100, Mark Andrews wrote a message of 40 lines which said: > I could reproduce it in 9.7.1-P1 by just adding a DNSKEY record at > the apex I cannot reproduce it. Any more detailed instructions? It will be more difficult to convince the people in charge of t

Re: Spurious "TYPE65534" at the end of a NSEC3, why?

2011-02-14 Thread Stephane Bortzmeyer
On Mon, Feb 14, 2011 at 10:37:57AM +0100, Stephane Bortzmeyer wrote a message of 10 lines which said: > I cannot reproduce it. Now, it works. Bug report sent to ISC [ISC-Bugs #23232] No, it is not fixed in recent BINDs.

Re: Multi script support in BIND

2011-02-23 Thread Stephane Bortzmeyer
[I changed the subject, which seemed wrong to me.] On Wed, Feb 23, 2011 at 02:33:56PM +0530, babu dheen wrote a message of 56 lines which said: > Can anyone tell me how to enable Arabic domain name query in BIND > running Redhat RHEL 5. You have absolutely nothing to do. Read

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Stephane Bortzmeyer
On Wed, Feb 23, 2011 at 02:38:19PM +0530, babu dheen wrote a message of 61 lines which said: > if the Internet connection is down, our internal DNS servers are not able > to get the DNS query from the ISP DNS server. Because of this, all users > are not able to access many critical applications hosted i

Re: mx selection order

2011-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 22, 2011 at 04:37:03PM -0500, David Sparro wrote a message of 24 lines which said: > it is up to the application how it will use the data. MX records are only used by MTA and, no, it is NOT up to the MTA to decide how to handle MX records, there is a standard for that, RFC 5321, s

Re: Help on recursive set up

2011-02-23 Thread Stephane Bortzmeyer
On Wed, Feb 23, 2011 at 05:59:06PM +0530, rams wrote a message of 33 lines which said: > Could you please tell me how to set up a recursive server for NS > delegation records. > > It would be great if you give named.conf It would be great if you rewrite your requirements because I simply ca

Re: Help on recursive set up

2011-02-23 Thread Stephane Bortzmeyer
On Wed, Feb 23, 2011 at 06:45:11PM +0530, rams wrote a message of 104 lines which said: > I have configured recursion yes in named.conf and I queried for NS > delegated records against bind. Actually that domain does not exist in > my system. Here how bind will work. To tell the truth, I do no

Re: dots in hostnames problem

2011-03-11 Thread Stephane Bortzmeyer
On Thu, Mar 10, 2011 at 01:24:01PM -0800, Matt Rae wrote a message of 54 lines which said: > sounds like a solution would be to transfer the zone files outside > of bind. The solution to what? There is no problem at all, the files are absolutely identical after the transfer. The only issue is

Re: RRSIG Expired

2011-03-29 Thread Stephane Bortzmeyer
[Stealing email threads is a bad idea: ] On Tue, Mar 29, 2011 at 03:25:29PM +0800, Paul Ooi Cong Jen wrote a message of 28 lines which said: > Anyone has issue with RRSIG expired on in-addr.arpa on b.root > server? You probably mean

Re: Help to solve ROOT DNS query

2011-03-30 Thread Stephane Bortzmeyer
On Wed, Mar 30, 2011 at 01:04:24PM +0530, babu dheen wrote a message of 43 lines which said: > We are using Microsoft AD server as DNS server This is a BIND list so if you use another software, you are in the wrong place. > firewall logs shows that internal AD servers is contacting root DN

Re: RRSIG Expired

2011-04-01 Thread Stephane Bortzmeyer
On Fri, Apr 01, 2011 at 05:24:57PM +0800, Paul Ooi Cong Jen wrote a message of 266 lines which said: > This file came with default bind installation There is a zone file of in-addr.arpa with BIND? I strongly doubt it. Anyway, check your named.conf: you must not declare in-addr.arpa in a zone

[DNSSEC] Resolver behavior with broken DS records

2011-05-06 Thread Stephane Bortzmeyer
In an (involuntary) experiment under .FR, I discovered that the rule "at least one DS must match for a child zone to be authenticated" is wrong if a broken DS is present. In our case, the field Algorithm in the DS did not match the one in the DNSKEY. While there was another correct DS for the child

Re: DNSSEC submit of DLV vs DNSKEY records?

2011-05-09 Thread Stephane Bortzmeyer
On Fri, May 06, 2011 at 12:45:17PM +1000, Mark Andrews wrote a message of 52 lines which said: > Once the parent zone is signed and is accepting DS/DNSKEY records "is accepting" is not sufficient. Many TLD are managed in a strict registry/registrar fashion which means that it is not enough f

Re: which port for nsupdate?

2011-05-09 Thread Stephane Bortzmeyer
On Mon, May 09, 2011 at 02:37:04PM +0800, Jeff Pang wrote a message of 14 lines which said: > which port is used by BIND for nsupdate? 53 by default, the standard port. nsupdate is for Dynamic Update, which uses the regular DNS protocol (unlike rndc which uses a BIND proprietary protocol).

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 01:41:08PM +0200, Marc Lampo wrote a message of 28 lines which said: > So the "error" of the mismatched must be in the SHA-2 DS records ? Yes. > And *not* in the SHA-1's ? Or in both ? RFC 4509 section 3 gives a strong priority to SHA-2. So, there is no symmetry: th

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 01:00:03PM +0200, Marc Lampo wrote a message of 47 lines which said: > 1 correct DS record, > 1 DS record, correct in everything but the algorithm And one DS record hashed with SHA-1 and one hashed with SHA-2? This was necessary to trigger the problem, because of RFC

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 03:33:21PM +0200, Marc Lampo wrote a message of 38 lines which said: > 4 DS's in total, > for each KSK 1 DS with SHA-1, one with SHA-2 > for one KSK, the algorithm used was changed from 5 to 8. If I understand well, you have two KSK. In that case, yes, it should work (

Re: Hosting my company DNS server in Internet

2011-05-30 Thread Stephane Bortzmeyer
On Mon, May 30, 2011 at 10:31:28AM +0530, babu dheen wrote a message of 44 lines which said: > Can anyone have any idea as to how we can host our own authoritative > DNS server for my company. There is not much difference between the hosting of a DNS server and the hosting of any other Internet

Re: Hosting my company DNS server in Internet

2011-05-30 Thread Stephane Bortzmeyer
On Mon, May 30, 2011 at 04:51:18PM +0530, babu dheen wrote a message of 227 lines which said: > I am not sure why I do need to pay money to my ISP for hosting my > website on my company DNS server. This sentence seems to indicate that you know very little about Internet services (hosting a W

Re: Hosting my company DNS server in Internet

2011-05-31 Thread Stephane Bortzmeyer
On Mon, May 30, 2011 at 06:14:25PM +0530, babu dheen wrote a message of 83 lines which said: > please note that i am not going to host my website in DNS server You said the opposite before: > I am not sure why I do need to pay money to my ISP for hosting my > website on my company DNS serve

Re: Compromised BIND?

2011-05-31 Thread Stephane Bortzmeyer
On Tue, May 31, 2011 at 02:38:13PM -0400, Supersonic wrote a message of 38 lines which said: > My firewall is showing repeated attempts by named.exe to connect to > IP addresses in foreign countries on ports , 6667 and 6669 Not enough information to decide. For instance, what was the sour

Re: Compromised BIND?

2011-06-01 Thread Stephane Bortzmeyer
On Tue, May 31, 2011 at 05:59:08PM -0400, Warren Kumari wrote a message of 52 lines which said: > Does anyone else find the bind-users list to be very slow? Same problem for me. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.

Re: Bind9 Random Whois and Dig Fails

2011-06-07 Thread Stephane Bortzmeyer
On Fri, Jun 03, 2011 at 03:09:13PM -0700, Sri Harsha Yalamanchili wrote a message of 145 lines which said: > o query-source address X.X.X.X port 53; That's typically a very bad idea because it makes the source port predictable and therefore makes you much more vulnerable to the Kamin
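The "query-source ... port 53" line quoted above is the kind of setting people pin to get past a stateless firewall, and it throws away the source-port randomisation that is the main defence against cache poisoning: the off-path attacker is left guessing only the 16-bit transaction ID. Below is an added example, not code from the thread or from ISC: a small linter that reads a named.conf and reports every query-source or query-source-v6 statement pinned to a fixed port, run over two constructed configurations, the weak one from the message beside a corrected one (addresses are documentation prefixes; the named.conf syntax is BIND's, the linter is mine).

```python
"""Lint a BIND named.conf for query-source statements pinned to a fixed port.

Added example, not from the thread or from ISC. Both configurations below are
constructed; the named.conf syntax is BIND's, the linter is mine.
"""
import re

# query-source / query-source-v6 statements, e.g. "query-source address 192.0.2.53 port 53;"
_QUERY_SOURCE = re.compile(r"\b(query-source(?:-v6)?)\s+([^;]*);", re.IGNORECASE)
_PORT = re.compile(r"\bport\s+(\*|\d+)", re.IGNORECASE)


def _strip_comments(text):
    """Drop /* */, // and # comments so a commented-out statement is not flagged."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def fixed_query_source_ports(named_conf):
    """Return [(statement, port)] for every query-source statement with a fixed port.

    A fixed source port leaves only the 16-bit transaction ID for an off-path
    attacker to guess; letting named pick a random port per query adds roughly
    16 more bits. "port *" is explicit randomisation and is not reported."""
    findings = []
    for stmt, body in _QUERY_SOURCE.findall(_strip_comments(named_conf)):
        m = _PORT.search(body)
        if m and m.group(1) != "*":
            findings.append((stmt.lower(), int(m.group(1))))
    return findings


WEAK = """options {
    directory "/var/cache/bind";
    recursion yes;
    query-source address 192.0.2.53 port 53;        // every query leaves from port 53
    query-source-v6 address 2001:db8::53 port 53;
};"""

HARDENED = """options {
    directory "/var/cache/bind";
    recursion yes;
    query-source address 192.0.2.53;                 // no "port": named picks a random one
    query-source-v6 address 2001:db8::53;
    use-v4-udp-ports { range 1024 65535; };          // keep the pool of source ports wide
    use-v6-udp-ports { range 1024 65535; };
};"""

if __name__ == "__main__":
    print("weak:", fixed_query_source_ports(WEAK))
    print("hardened:", fixed_query_source_ports(HARDENED))
```

The weak configuration yields both statements with port 53, the hardened one yields nothing. If the firewall was the reason for pinning the port, the fix is to allow the reply traffic for the resolver's ephemeral port range (the use-v4-udp-ports / use-v6-udp-ports range above), not to make every query leave from port 53.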

Re: Does the CVE-2011-1910 vulnerability affect the BIND 9.7.0-P2?

2011-06-10 Thread Stephane Bortzmeyer
On Fri, Jun 10, 2011 at 04:09:31PM +0900, YABUKI Youichi wrote a message of 7 lines which said: > The BIND security advisory for CVE-2011-1910 does not mention about > versions 9.7.0, 9.7.0-P1 and 9.7.0-P2. 9.7.0* is not supported, I believe. If you use the 9.7 branch, you should be in a late

Re: How to Setup a Name Servers visible on Internet?

2011-06-14 Thread Stephane Bortzmeyer
On Tue, Jun 14, 2011 at 08:11:53AM +0200, eric...@kom.za.net wrote a message of 86 lines which said: > root@ns1:~# named-checkzone metropolitanbuntu.co.za > /var/cache/bind/metropolitanbntu.co.za.inv > /var/cache/bind/metropolitanbntu.co.za.inv:3: ignoring out-of-zone data > (0.0.10.in-addr.ar

Re: Need some help

2011-06-14 Thread Stephane Bortzmeyer
On Tue, Jun 14, 2011 at 12:17:48PM +0530, Vignesh Gadiyar wrote a message of 41 lines which said: > i mean in which function do we get the IP addresses looked up from > the Domain names inputted I'm afraid there is no simple answer to this question. > so as to perform the required functions

Re: How to Setup a Name Servers visible on Internet?

2011-06-14 Thread Stephane Bortzmeyer
On Tue, Jun 14, 2011 at 09:58:36AM +0200, eric...@kom.za.net wrote a message of 80 lines which said: > sorry for that, please see below the content for my reverse file data: > > File: /var/cache/bind/metropolitanbntu.co.za.inv: ... > 41.134.194.90. IN PTR ns1.metropolitanbuntu.co.za

Re: Help needed

2011-06-14 Thread Stephane Bortzmeyer
On Tue, Jun 14, 2011 at 04:38:06PM +0700, Fajar A. Nugraha wrote a message of 29 lines which said: > most programming languages have gethostbyname() and gethostbyaddr() These routines have been deprecated for a long time (the main reason being that they are specific to an old version of IP) and you should
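The "old version of IP" point above is concrete: gethostbyname() can only hand back IPv4 addresses, whereas getaddrinfo() and getnameinfo() are address-family agnostic. The following is an added example, not code from the thread, showing the replacement pair in Python's socket module. The addresses are documentation prefixes (RFC 5737 and RFC 3849) and the lookups are done with AI_NUMERICHOST, so nothing is sent on the wire and the demo runs offline; drop numeric_only for real names.

```python
"""Address-family-agnostic resolution with getaddrinfo()/getnameinfo().

Added example, not from the thread. Addresses are documentation prefixes
(RFC 5737 / RFC 3849); with numeric_only=True no DNS query is sent.
"""
import socket


def resolve_endpoints(host, port, numeric_only=False):
    """Return sorted (family, address, port) tuples for host:port, IPv4 and IPv6 alike.

    numeric_only=True sets AI_NUMERICHOST: literals are parsed, names are rejected
    with socket.gaierror, and nothing goes on the wire. One entry per address
    (SOCK_DGRAM only, so no duplicate rows for TCP/UDP/raw)."""
    flags = socket.AI_NUMERICHOST if numeric_only else 0
    seen = set()
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_DGRAM, flags=flags):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        seen.add((label, sockaddr[0], sockaddr[1]))
    return sorted(seen)


def sockaddr_to_text(sockaddr):
    """Reverse direction: a sockaddr tuple back to printable address and port, without DNS."""
    host, serv = socket.getnameinfo(sockaddr, socket.NI_NUMERICHOST | socket.NI_NUMERICSERV)
    return host, int(serv)


def legacy_gethostbyname_accepts(host):
    """True if the IPv4-only gethostbyname() accepts this literal; it can never return IPv6."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:          # socket.gaierror is an OSError subclass
        return False


if __name__ == "__main__":
    for h in ("192.0.2.10", "2001:db8::10"):
        print(h, resolve_endpoints(h, 53, numeric_only=True),
              "gethostbyname accepts it:", legacy_gethostbyname_accepts(h))
    print(sockaddr_to_text(("2001:db8::10", 53, 0, 0)))
```

The IPv6 literal resolves through getaddrinfo() but is refused by gethostbyname(), which is the behaviour the message warns about; code built on the legacy call silently cannot reach IPv6-only hosts.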

Re: How to Setup a Name Servers visible on Internet?

2011-06-14 Thread Stephane Bortzmeyer
On Tue, Jun 14, 2011 at 02:25:12PM +0200, eric...@kom.za.net wrote a message of 307 lines which said: > root@ns1:/var/cache/bind# named-checkzone metropolitanbuntu.co.za > 0.0.10.metropolitanbuntu.co.za.inv Wrong zone name. The file 0.0.10.metropolitanbuntu.co.za.inv contains data about 0.0.
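The three "Name Servers visible on Internet" messages above show the two classic reverse-zone mistakes at once: the PTR owner written as a forward address ("41.134.194.90.") rather than as a name under in-addr.arpa, and named-checkzone invoked with the forward zone name for a file that holds 0.0.10.in-addr.arpa data, which is why it reports "ignoring out-of-zone data". Below is an added example, not code from the thread or from BIND: it builds the correct reverse names with the ipaddress module and reproduces the out-of-zone check on a constructed zone file. The zone, records and hostnames are constructed; the address 41.134.194.90 is the one from the thread.

```python
"""Reverse-zone name hygiene: build in-addr.arpa / ip6.arpa names, spot out-of-zone owners.

Added example, not from the thread or from BIND. Zone, records and hostnames
are constructed to mirror the mistake in the thread.
"""
import ipaddress


def reverse_name(address):
    """PTR owner name for one address, absolute (trailing dot)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def reverse_zone_name(network):
    """Apex of the reverse zone for a network on an octet (IPv4) or nibble (IPv6) boundary."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("prefix not on an octet boundary; needs an RFC 2317 style delegation")
        parts = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(parts)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("prefix not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def absolute_owner(owner, zone):
    """Zone-file owner to an absolute name: '@' is the apex, relative names get the zone appended."""
    if owner == "@":
        return zone
    return owner if owner.endswith(".") else f"{owner}.{zone}"


def in_zone(owner, zone):
    o, z = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return o == z or o.endswith("." + z)


def out_of_zone_owners(zone, records):
    """Owners named-checkzone would reject as 'out-of-zone data' for this zone.
    records: (owner, rrtype, rdata) triples as they appear in the zone file."""
    return [owner for owner, _rrtype, _rdata in records
            if not in_zone(absolute_owner(owner, zone), zone)]


# Constructed zone file for 10.0.0.0/24; the third record is the thread's mistake.
ZONE = "0.0.10.in-addr.arpa."
RECORDS = [
    ("@", "SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 3600"),
    ("5", "PTR", "host5.example."),
    ("41.134.194.90.", "PTR", "ns1.example."),   # written forwards, and not in 10.0.0.0/24 at all
]

if __name__ == "__main__":
    print("zone to pass to named-checkzone for 10.0.0.0/24:", reverse_zone_name("10.0.0.0/24"))
    print("out-of-zone owners:", out_of_zone_owners(ZONE, RECORDS))
    print("correct PTR owner for 41.134.194.90:", reverse_name("41.134.194.90"))
```

Run against the constructed file, the check flags "41.134.194.90."; the PTR for that address belongs at 90.194.134.41.in-addr.arpa., in whatever reverse zone the address holder has been delegated, and the file for 10.0.0.0/24 must be checked as "named-checkzone 0.0.10.in-addr.arpa <file>", not with the forward zone name.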

Re: tell BIND the nameservers have been changed

2011-06-15 Thread Stephane Bortzmeyer
On Tue, Jun 14, 2011 at 08:41:50PM -0800, Jeff Peng wrote a message of 18 lines which said: > I changed ns[1-2].myzone.com to new IPs in myzone.com's DNS, then > how to let BIND for example.com to know the NS has been changed? Waiting for the TTL to expire seems the most reasonable course of act
