Re: Non English Domain names

2009-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2009 at 04:38:22PM +0300, Alans wrote a message of 141 lines which said: > I know this is a little bit off topic but I would like to know how > BIND will handle non English domain names? Non-English domain names? What's that? Is coca-cola.com an english domain name? I do not f

Re: Non English Domain names

2009-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2009 at 03:36:56PM +0100, Stephane Bortzmeyer wrote a message of 25 lines which said: > If you are talking about IDN (Internationalized Domain Names), domain > names in Unicode, the way they are specified, they don't require a > change in the name servers, so B

Re: Non English Domain names

2009-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2009 at 04:14:14PM +0200, Sener ATAS wrote a message of 106 lines which said: > www.xn--b-eha.edu.tr But you could fix a few name servers: % check_soa xn--b-eha.edu.tr asiyan.cc.boun.edu.tr has serial number 1219834947 There was no response from simurg.cc.boun.edu.tr There wa

BIND does not listen at all when the interface is temporarily down (only with IPv6)

2009-11-18 Thread Stephane Bortzmeyer
When I listen on one specific address: listen-on-v6 { 2001:db8::53;}; If the interface is not UP at the time BIND starts, and therefore this IP address not local, BIND does not listen: 18-Nov-2009 17:31:24.588 not listening on any interfaces and does not resume if the interface becomes UP late

Re: Insecure response BIND 9.7.0b2

2009-11-20 Thread Stephane Bortzmeyer
On Fri, Nov 20, 2009 at 09:27:35AM +1100, Mark Andrews wrote a message of 34 lines which said: > There are also firewalls that block DNS/UDP responses bigger 512 > bytes or block EDNS queries/responses 10 years after the > introduction of EDNS. There are also middleware that blocks/drops > DN

Re: manage large dns record

2009-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 19, 2009 at 03:40:32PM +0700, Sokvantha YOUK wrote a message of 44 lines which said: > Could you advice me what is the good way to manage large dns record > in zone file? You mean a large number of records, not a large single record? > I'm using bind v9, currently I need to add a

Re: CLASS support

2009-11-30 Thread Stephane Bortzmeyer
On Mon, Nov 30, 2009 at 10:43:08PM +0100, JFC Morfin wrote a message of 15 lines which said: > I guessed the format from the code. But it fails. named-checkconf > says that "CLASS999 does not match view\default class"? People who read the code can certainly read the man page: -c clas

Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

2009-12-15 Thread Stephane Bortzmeyer
On Mon, Dec 14, 2009 at 08:05:40PM -0800, Doug Barton wrote a message of 44 lines which said: > While this reminder is timely and helpful, more welcome would be the > news that BIND 9.6.2 is going to have actual support for > RSASHA{256|512}. No, it won't. Migrating to >= 9.6.1 is necessary t

Re: Host/nslookup/dig queries wrong server

2010-02-03 Thread Stephane Bortzmeyer
On Wed, Feb 03, 2010 at 11:42:19AM -, Duncan Berriman wrote a message of 75 lines which said: > How do I check which one it is? I can't see any option to tell me. which host rpm -q -f `which host` ___ bind-users mailing list bind-users@lists.isc

Update returns FORMERR: ran out of space

2010-02-23 Thread Stephane Bortzmeyer
Trying to add/delete DNSSEC keys with dynamic update (first time I try that), the nsupdate client gets a FORMERR and BIND logs: Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzmeyer.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space I checked the disk space (ple

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Stephane Bortzmeyer
On Mon, Feb 22, 2010 at 11:40:49AM +0300, Eugene Crosser wrote a message of 49 lines which said: > Reviewed version placed here: http://www.average.org/dnssec/ There is nothing about key rollover, it seems? How do you handle it?

Re: nsec3 in bind 9.7

2010-02-23 Thread Stephane Bortzmeyer
On Sat, Feb 20, 2010 at 12:31:38AM +, Evan Hunt wrote a message of 36 lines which said: > To answer the question, those values are the NSEC3PARAM data for the > zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0 > means no opt-out; It is not exactly what the RFC says:

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Stephane Bortzmeyer
On Sat, Feb 20, 2010 at 09:15:23PM +, Evan Hunt wrote a message of 22 lines which said: > We have plans to improve this in 9.7.x (where x probably equals 1) > in a couple of ways: first, by making it possible to assign each key > an explicit successor key and warn the user if a key is set

Re: no hostname become unresolvable.

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 10:41:37PM +0800, Cefull Lo wrote a message of 89 lines which said: > But when I try to ping the server without hostname, [Technicality: there *is* a hostname, superease.net *is* a hostname.] > Here the zone file There is no A or record for @ (superease.net).

Re: no hostname become unresolvable.

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:50:29AM -0500, Lightner, Jeff wrote a message of 66 lines which said: > superease.net. IN A 202.68.195.36 ... > The dot is important Using @ would be simpler and would allow the zone file to be used for other zones as well. http://www.bortzmeyer.org/id

Re: Differences between 9.3 and later versions

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:53:37AM -0500, jcarrol...@cfl.rr.com wrote a message of 9 lines which said: > However, whenever someone tries to nslookup (or dig) an external > site (i.e. cnn.com) they get REFUSED. If I back down to the 9.3 > version all is well. allow-query and allow-query-cache

Cannot use dnssec-settime with old keys

2010-02-23 Thread Stephane Bortzmeyer
I try to play with the new toy, DNSSEC timing meta-data in key files. % dnssec-settime -v 3 Ktoto.fr.+008+42555 dnssec-settime: fatal: Key toto.fr/RSASHA256/42555 has incompatible format version 1.2, use -f to force upgrade to new version. OK, I upgrade: % dnssec-settime -v 3 -f Ktoto.fr.+008

Re: Update returns FORMERR: ran out of space

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 02:56:15PM +0100, Stephane Bortzmeyer wrote a message of 17 lines which said: > Trying to add/delete DNSSEC keys with dynamic update (first time I try > that), the nsupdate client gets a FORMERR and BIND logs: Some details: * I use NSEC3 with opt-out * I checke

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 06:06:16AM +, Evan Hunt wrote a message of 22 lines which said: > Is there a requirement that Dr. Bernstein must personally do the dancing? > Let someone else write the RFC, if it needs writing. Also, there are not only RFCs. Standards can be described by other mea

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 07:28:48PM -0800, Michael Sinatra wrote a message of 34 lines which said: > While I think the OpenDNS people (especially David U., their > founder) have a huge amount of clue, I think they're barking up the > wrong tree here. On the other hand, they are crystal-clear:

Re: Blacklisting private address range

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:56:55PM -0500, Diosney Sarmiento Herrera wrote a message of 20 lines which said: > Have any sense to blacklist the private address ranges on a server > that is facing Internet? I am not sure I parse your sentence correctly but maybe you refer to the "Rebinding prev

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 11:32:35AM +1100, Mark Andrews wrote a message of 35 lines which said: > Turn the debugging up to 3. With 'severity debug 30', all I get is: 24-Feb-2010 10:17:01.047 update: debug 8: client ::1#45986: updating zone 'toto.fr/IN': prerequisites are OK 24-Feb-2010 10:1

Re: Modifying a response

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 01:28:09PM +0300, Peter Andreev wrote a message of 31 lines which said: > Is it possible to modify responses on caching server side? Not with BIND (short of modifying the source code). Other name servers may do it

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer wrote a message of 39 lines which said: > With 'severity debug 30', all I get is: And, for a successful dynamic update (it works with A records): 24-Feb-2010 14:31:44.803 update: debug 8: client ::1#13202: updating z

Re: Update returns FORMERR: ran out of space

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer wrote a message of 39 lines which said: > 24-Feb-2010 10:17:01.057 update: error: client ::1#45986: updating zone > 'toto.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space Adding a fair amount of debuggi

Re: Modifying a response

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 11:37:29AM +0100, Stephane Bortzmeyer wrote a message of 18 lines which said: > Other name servers may do it http://www.unbound.net/documentation/pythonmod/index.html http://www.unbound.net/documentation/pythonmod/examples/example3.h

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 05:42:06PM +, Sam Wilson wrote a message of 28 lines which said: > Has anyone found any uz5* servers out there yet? Zero (0) among the 40301 name servers listed in .FR, for instance (1.6 million domains). Zero for opendns.com, dnscurve.org, etc.

Re: Update returns FORMERR: ran out of space

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:02:45AM +1100, Mark Andrews wrote a message of 68 lines which said: > Try this patch. It resets the scratch space 'data' used by > dns_dnssec_sign(). It works fine. Many thanks. Sending update to ::1#8053 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, stat

Re: Cannot use dnssec-settime with old keys

2010-02-25 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 05:54:01PM +0100, Stephane Bortzmeyer wrote a message of 18 lines which said: > OK, I upgrade: > > % dnssec-settime -v 3 -f Ktoto.fr.+008+42555 > dnssec-settime: toto.fr/RSASHA256/42555 > > But it changed nothing, ls -l shows that the file di

Re: Cannot use dnssec-settime with old keys

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:47:58AM +0100, Hauke Lampe wrote a message of 55 lines which said: > For example, try: > > dnssec-settime -P+0 -A+0 -f -v 3 Ktoto.fr.+008+42555 OK, it works, thanks.

Re: Question about dig command

2010-02-25 Thread Stephane Bortzmeyer
On Thu, Feb 25, 2010 at 10:58:49AM -0500, Khuu, Linh MicroTech wrote a message of 54 lines which said: > client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied > > Then I switched to use the 'dig' command from 9.4.1-P1 to query the same > record, I got result nicely

Re: SERVFAIL for some domains on some servers

2010-03-01 Thread Stephane Bortzmeyer
On Sat, Feb 27, 2010 at 06:51:44PM +0100, Oliver Henriot wrote a message of 104 lines which said: > but my computing skills are scarce and I still have a lot to learn. For instance, that you should always use real names > - servers "2

NSEC3 records not available through a BIND resolver <= 9.5?

2010-03-17 Thread Stephane Bortzmeyer
I cannot get the NSEC3 records through a BIND resolver if it is version <= 9.5: % dig +dnssec jhfgTCFGD564564.org ; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode:

Re: no more recursive clients: quota reached

2010-03-26 Thread Stephane Bortzmeyer
On Wed, Mar 24, 2010 at 05:08:01PM +, Chris Thompson wrote a message of 46 lines which said: > It is the length of the queue of all outstanding recursive queries. > This depends not just on the RATE of queries coming in, but also the > time it takes to resolve them. (If the queue fills up,

Re: Bind Clustering

2010-04-08 Thread Stephane Bortzmeyer
On Thu, Apr 08, 2010 at 01:18:33PM +0200, Arnoud Tijssen wrote a message of 14 lines which said: > Since everything nowadays is dependant on DNS I would like to > cluster my primary server in case of a hardware failure or error. Why? I really do not see your point. You have three authoritativ

Re: Bind Clustering

2010-04-08 Thread Stephane Bortzmeyer
On Thu, Apr 08, 2010 at 09:46:04AM -0500, Michael Hare wrote a message of 29 lines which said: > Doesn't DDNS rely on a single SOA? If so, is there a best practice > on how to deal with this? Are you sure the OP uses dynamic updates? It is not obvious from his message. In that case, yes, he

Re: Switching to TCP in BIND.

2010-04-30 Thread Stephane Bortzmeyer
On Wed, Apr 28, 2010 at 11:59:11AM -0400, Kevin Darcy wrote a message of 21 lines which said: > I know of no such feature. What do you mean by "spoofed" anyway? How > would you expect named to detect "spoofing", and is that its job? It seems (not tested by me) that Nominum CNS does that: when

Re: DNSSEC

2010-05-04 Thread Stephane Bortzmeyer
On Tue, May 04, 2010 at 10:27:25AM -0400, Linux Addict wrote a message of 89 lines which said: > lacks EDNS, defaults to 512" > DNS reply size limit is at least 490" > "Tested at 2010-05-04 14:21:02 UTC" You edited the responses (which includes an IP address). Is it the IP address of your res

Re: DNSSEC

2010-05-04 Thread Stephane Bortzmeyer
On Tue, May 04, 2010 at 11:01:24AM -0400, Linux Addict wrote a message of 94 lines which said: > One information I neglected to mention is bind forwards to a tinydns > appliance > > So what are my options now? 1) Drop this piece of crap 2) Do nothing > Will the internet work for me tomorr

Re: Create DS and DLV records

2010-05-05 Thread Stephane Bortzmeyer
On Wed, May 05, 2010 at 11:59:23AM +0530, rams wrote a message of 36 lines which said: > could you please explain me, how to create DS and DLV records into my zone. If you want to add DS or DLV records in _your_ zone, you typically never create them. Managers of child zones do it and they sen

Re: Switching to TCP in BIND.

2010-05-05 Thread Stephane Bortzmeyer
On Wed, May 05, 2010 at 09:35:38AM +0100, Sam Wilson wrote a message of 22 lines which said: > > It seems (not tested by me) that Nominum CNS does that: when many > > responses arrive which do not match (src IP address, query ID, etc) > > any pending answer, it switches to TCP, assuming someon

Re: help on NESC3PARAM

2010-05-06 Thread Stephane Bortzmeyer
On Thu, May 06, 2010 at 02:25:45PM +0530, rams wrote a message of 36 lines which said: > How to sign a zone for getting NSEC3, NSEC3PARAM RR's in a signed zone. Regarding this question and your previous one, it may be a good idea to start reading the documentation: -3 salt Ge

Re: KAMINSKY vulnerability !!

2010-05-10 Thread Stephane Bortzmeyer
On Mon, May 10, 2010 at 10:19:33AM -0400, P.A wrote a message of 314 lines which said: > I think I see what the issue is, No. Completely unrelated. > http://www.kb.cert.org/vuls/id/725188 In that case, the error was: Jul 29 09:10:57 lilith named[2428]: db.c:619: \ REQUIRE(type

Re: KAMINSKY vulnerability !!

2010-05-10 Thread Stephane Bortzmeyer
On Mon, May 10, 2010 at 10:05:47AM -0400, P.A wrote a message of 242 lines which said: > My question is did I just get rid by the kaminsky vulnerability? Not at all. The Kaminsky attack poisons the server, it does not crash it. > Primary server: BIND 9.4.3b2 Why do you run a beta version (a

Re: Dnssec zone signing problem

2010-05-20 Thread Stephane Bortzmeyer
On Thu, May 20, 2010 at 12:10:53PM -0700, itservices88 wrote a message of 92 lines which said: > # dnssec-signzone -N INCREMENT mydomain.org > Verifying the zone using the following algorithms: RSASHA1. > Missing RSASHA1 signature for . NSEC > The zone is not fully signed for the following alg

Re: DNSSEC for recursive server

2010-05-21 Thread Stephane Bortzmeyer
On Fri, May 21, 2010 at 09:54:01AM +0300, Techi wrote a message of 46 lines which said: > I have a Centos 5.x with Bind 9.3.6-4. That's an extremely old version. Even Debian :-) has a more recent one. For instance, you won't be able to validate the root (which uses SHA256) or .ORG (which use

Re: Web forwarding in BIND

2010-05-21 Thread Stephane Bortzmeyer
On Thu, May 20, 2010 at 05:18:10PM -0700, Hoover Chan wrote a message of 15 lines which said: > A pointer please to information on how to use BIND to "translate" a > domain name to a target URL. For example, www.domain -> > http://www.someother.domain/folder1/folder2/index.html. Unlike what m

Re: Web forwarding in BIND

2010-05-21 Thread Stephane Bortzmeyer
On Fri, May 21, 2010 at 08:30:47AM -0400, Chris Buxton wrote a message of 26 lines which said: > Another such solution (and simpler) would be SRV records, It maps a domain name to a set of {domain name, port}, not to a URL (with the path and so on) :-) So, no, you still need NAPTR if you want

Re: DNSSEC Status...

2010-06-01 Thread Stephane Bortzmeyer
On Tue, Jun 01, 2010 at 06:55:14AM -0700, Heavy Man wrote a message of 61 lines which said: > I understand the root zones are currently getting signed There is only one root zone... > Just for sanity sake, should I be able to DIG +dnssec > a.gtld-servers.net and be able to see a RRSIG record

Re: IPv6 validation

2010-06-16 Thread Stephane Bortzmeyer
On Wed, Jun 16, 2010 at 02:18:21PM +0530, rams wrote a message of 86 lines which said: > Is there any tool available for IPv6 addresses correct or not. > > The following IPv6 addresses is valid or not? Define "correct" and "valid". Karl Auer proposed a definition (valid == pingable) which is

Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 06:16:13PM +0900, Kazunori Fujiwara wrote a message of 25 lines which said: > You can check root DNSKEY RR and root-anchors.xml > using dig and dnssec-dsfromkey. Good idea and here is a Makefile and a XSLT script which automates the whole thing. Bug reports welcome. K

Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 03:00:11PM +0200, Kalman Feher wrote a message of 85 lines which said: > anchors2keys worked fine so long as the format was correct so... I didn't know this tool. Where can we find it? Google does not know.

Re: root-anchor.xml & anchors.xml in Bind

2010-07-17 Thread Stephane Bortzmeyer
On Sat, Jul 17, 2010 at 08:49:04AM -0500, Lyle Giese wrote a message of 30 lines which said: > What is the difference between managed-keys and trusted-keys? managed-keys are automatically updated *if* the zone manager follows RFC 5011 (which, as far as I know, the root does not use yet). tru

Re: root-anchor.xml & anchors.xml in Bind

2010-07-17 Thread Stephane Bortzmeyer
On Sat, Jul 17, 2010 at 01:36:05PM -0700, Doug Barton wrote a message of 24 lines which said: >> *if* the zone manager follows >> RFC 5011 (which, as far as I know, the root does not use >> yet). > > How could it, when this is the first key deployed? :) OK, let's rephrase it: as far as I know

Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-17 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 01:57:05PM +, ALAIN AINA wrote a message of 20 lines which said: > https://itar.iana.org/instructions/ It does not work, it was only for ITAR and the published Trust Anchor uses a different format: % ./anchors2keys -v root-anchors.xml No DNSKEYs found, quitting T

Re: manage managed-keys?

2010-07-17 Thread Stephane Bortzmeyer
On Sat, Jul 17, 2010 at 10:36:39PM +0200, Gilles Massen wrote a message of 21 lines which said: > I there a way to ask bind which key (for a given zone) is actually > in use? In the log? 23-Oct-2009 10:55:10.169 zone managed-keys.bind/IN/_meta: Initializing automatic trust anchor management

Re: dnssec validation issue

2017-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote a message of 677 lines which said: > # dig @localhost www.icann.org A +dnssec When you suspect a DNSSEC issue, always retry dig with +cd (Checking Disabled). And post the result.

Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-09 Thread Stephane Bortzmeyer
On Thu, Mar 08, 2018 at 12:52:57PM +, Tony Finch wrote a message of 49 lines which said: > Best way to achieve this is with anycast, which can be pretty > time-consuming to set up - try searching for Nat Morris's > presentation "anycast on a shoestring" which he gave at several NOG > meeti

Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 12:32:41PM +0300, Diarmuid O Briain wrote a message of 122 lines which said: > Mar 09 08:11:43 as112 named[3787]: internal_send: 2620:4f:8000::42#53: > Invalid argument > Mar 09 08:11:43 as112 named[3787]: internal_send: 192.175.48.42#53: Invalid > argument I suspect t

Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 03:28:18PM +0300, Diarmuid O Briain wrote a message of 427 lines which said: > However quite frankly I do not get how the AS112 service is accessed via > anycast. Did you configure your routing as mentioned in section 3.4 of RFC 7534? > Another thing that is confusing

Re: TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Stephane Bortzmeyer
On Tue, Mar 13, 2018 at 10:52:50AM +0100, Carsten Strotmann wrote a message of 19 lines which said: > is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) > already support at the TLD level somewhere? I know it is implemented > in BIND 9.11+ and Knot, but can it be used in the real

Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 11:44:58AM -0500, Thomas Strike wrote a message of 269 lines which said: > they say that the problem is with my server. They were right. > I am here asking for fresh sets of eyes to look at my setup file and the > domain zone record that is at issue. My domain is slee

Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 12:57:26PM -0400, Rick Dicaire wrote a message of 276 lines which said: > Hi Thomas, obfuscating IP addresses doesn't help in the least. No problem, the IP address is known by the TLD name servers. % dig @a.gtld-servers.net ns1.sleepyvalley.net ; <<>> DiG 9.10.3-P4-U

Re: cyberia.net.sa

2018-06-26 Thread Stephane Bortzmeyer
On Tue, Jun 26, 2018 at 03:36:25PM +0200, Matus UHLAR - fantomas wrote a message of 19 lines which said: > Some web DNS checkers do great job. And some are really bad and/or broken. Let's mention the right ones: https://dnsviz.net/ https://zonemaster.net/

Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 02:28:46PM +, Jukka Pakkanen wrote a message of 382 lines which said: > An example, the client domain is raimoasikainenoy.fi. dig clearly says it's a cookie issue: % dig @193.184.54.212 NS raimoasikainenoy.fi ;; Warning: Client COOKIE mismatch And DNSviz confirms

Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE mis

Re: Unable to completely transfer root zone

2020-02-11 Thread Stephane Bortzmeyer
On Mon, Feb 10, 2020 at 02:32:55PM -0500, Warren Kumari wrote a message of 70 lines which said: > Also, can you try: > dig +tcp . axfr @192.0.32.132 > dig +tcp . axfr @192.0.47.132 > dig +tcp . axfr @b.root-servers.net > > (no, I'm not really sure why trying with the first 2 IPs instead of >

Re: cname for apex record

2024-12-24 Thread Stephane Bortzmeyer via bind-users
On Tue, Dec 24, 2024 at 03:22:44PM +, Cuttler, Brian R (HEALTH) via bind-users wrote a message of 593 lines which said: > Stefane - thank you for your input as well, I'll recheck my > delegation and see where we've lost proper delegation. I used check-soa and a bit of

Re: cname for apex record

2024-12-24 Thread Stephane Bortzmeyer via bind-users
On Tue, Dec 24, 2024 at 03:27:06PM +, Cuttler, Brian R (HEALTH) via bind-users wrote a message of 646 lines which said: > Apologies, meant to write Stephane and not Stefane. No problem, US-based people often miswrite it Stephanie :-) -- Visit https://lists.isc.org/mailman/listinfo/bind-

Re: cname for apex record

2024-12-24 Thread Stephane Bortzmeyer via bind-users
On Tue, Dec 24, 2024 at 02:38:51PM +, Cuttler, Brian R (HEALTH) via bind-users wrote a message of 163 lines which said: > The cname we create for our webserver > www.wadsworth.org is working well. > However, I've been asked if we can point the apex record at the >

Re: Executive Order 14144 - encrypted DNS

2025-01-27 Thread Stephane Bortzmeyer via bind-users
On Mon, Jan 27, 2025 at 12:55:08PM +, Marc wrote a message of 36 lines which said: > What is this referring to DNSSEC? The way I understand it, it is referring to DoH and DoT. > What is the point of encrypting data with the current implementation > of certificates. I fail to see the rel
