Re: high volume from outside our networks question

2013-01-30 Thread Steven Carr
So the response you received wasn't recursed ";; WARNING: recursion requested but not available", so at least that ACL is holding up, but it could be that the response you got is still being served from your DNS server's cache. Can you share the exact configuration statements you have implemented f

Re: high volume from outside our networks question

2013-01-30 Thread Steven Carr
I'm not entirely sure about the "allow-query { any; };" option you have configured in the main options section, by default bind allows queries from all anyway, try removing this and see if that fixes the issue, it could be having that set is somehow overriding some of the other statements. Steve _

Re: high volume from outside our networks question

2013-02-01 Thread Steven Carr
You should be complying with BCP 38 [http://tools.ietf.org/html/bcp38] for Inbound Network Filtering which will reduce a lot of unwanted packets getting into your network. Our inbound (Cisco) ACL looks like the following and I check up on the bogon addresses [http://www.team-cymru.org/Services/Bog

Re: high volume from outside our networks question

2013-02-01 Thread Steven Carr
As we've already pointed out it is something in the way your system is configured (you're doing everything in global options instead of using views to separate the different "classes" of users) and that you are running both authoritative and caching functions on the same server. You can create 2 v

Re: high volume from outside our networks question

2013-02-01 Thread Steven Carr
On 1 February 2013 18:42, John Wobus wrote: > On a secondary, the zone files in different views, even if identical, need > to be > distinct. > > Also, if you're allowing dynamic updating and the views need to serve > identical > versions of the zone, then you need to arrange things so the zone i

Re: Building a fresh named.root

2013-02-14 Thread Steven Carr
On 14 February 2013 13:35, Robert Moskowitz wrote: > What went wrong here? > > Which do I use? Not sure what is up with your dig response (can you post the contents) but it works for me and if your dig still isn't working use the one from FTP. sjcarr@elmo:~ $ dig . ns @198.41.0.4 ; <<>> DiG 9.8

Re: Export / Import all zone data

2013-02-14 Thread Steven Carr
On 14 February 2013 19:46, Mailinglists wrote: > I'm looking to migrate all of the zone data from one installation of Bind to > another...hardware move. One machine is very old but running a pretty modern > version of Bind 9.6-ESV-R8. The other server is running Bind 9.8.2 and is in > use, so I

Re: Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?

2013-03-07 Thread Steven Carr
On 8 March 2013 00:49, Vernon Schryver wrote: > The RPZ log captures only information about response policy zone > rewriting. A response policy zone is the same as every other local > zone, so most problems with the zone itself are logged elsewhere. > > Depending on your ACLs, you can probe a res

Re: Multiple masters for slave zone

2013-03-18 Thread Steven Carr
On 18 March 2013 23:08, Dave Warren wrote: > Does it actually check each master for a serial number, or does it stop at > the first one queried if it has a higher-than-current serial number? It would have to otherwise how would it know who has the highest and when to stop checking. Steve ___

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Steven Carr
On 29 March 2013 12:19, Jim Bucks wrote: > Any ideas (and yes, I did do over the "semicomplete" URL provided by > ?Alex?"). The only difference I can see is that I used a 512 bit key vs the > examples 128bit key. And, I'm using a slaves/ directory vs internal/ > directory for the "zones" files.

Re: DDOS attack Bind 9.9 - P2

2013-04-30 Thread Steven Carr
You asked this question a few weeks ago. Patch BIND to include the RRL (Response Rate Limiting) patches (http://www.redbarn.org/dns/ratelimits), blackhole/ignore those clients requesting. On 30 April 2013 21:49, Jose Manuel Delgado G. wrote: > I have isc.org attack." isc.org internet *?". It com

Re: architecture question

2013-05-08 Thread Steven Carr
Enable recursion on your .local TLD server and point the domain1.local server to that server for DNS. Recursion will handle any internet queries and as .local is authoritative it will provide responses when queried. On 8 May 2013 15:56, Jeremy P wrote: > I am building a lab environment where ther

Mailing list "reply-to" setting

2013-05-08 Thread Steven Carr
Any chance someone can correct the settings on this mailing list to reply to the list by default instead of the user posting the message? Thanks Steve ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bin

Re: architecture question

2013-05-08 Thread Steven Carr
On 8 May 2013 18:09, wrote: > This just came up with a site I support. Thanks to this list and the > DNS-OARC list, I know better. Hopefully, I can redirect them to use > something below their real domain for Active Directory such as > ad.example.org. FWIW: MS now advises not to use .local for

Re: architecture question

2013-05-08 Thread Steven Carr
to go out and register a .com for the semester. It would be a waste > of money as their systems never leave the local network, except through a > NAT connection. So in those types of instances, I'm assuming .lan or .test > are safest? > > > On Wed, May 8, 2013 at 11:20 AM

Re: BIND Configuration

2013-05-08 Thread Steven Carr
You will need to have some form of automation in place to update the DNS zone to change the IP address which should now be accessed when one of the links goes down. You will also need to ensure you have a low TTL value on the records you want to update on link change so that the records are refresh

Re: Negative zones; NXDOMAIN responses

2013-05-19 Thread Steven Carr
Why are you forwarding queries to the ISP? Implement your own caching layer, I for one would never use/trust an ISPs caching servers. If I want to resolve a domain I go direct to the source, not via a 3rd party. On 19 May 2013 20:51, Narcis Garcia wrote: > Hello, > > I'm trying to solve this pro

Re: Negative zones; NXDOMAIN responses

2013-05-19 Thread Steven Carr
local http://www.isc.org/software/rpz http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/ On 19 May 2013 21:22, Steven Carr wrote: > Why are you forwarding queries to the ISP? Implement your own caching > layer, I for one would never u

Re: Negative zones; NXDOMAIN responses

2013-05-19 Thread Steven Carr
On 19 May 2013 23:14, Sten Carlsen wrote: > .local actually has meaning for most modern systems, so I would question the > wisdom of what you want to do. > > You may find some functions of systems not working any more. Obviously it is > up to you in the end. Looking at the bug link that would see

Re: Help on NXDOMAIN to try next forwarder in the list

2013-05-30 Thread Steven Carr
It's not possible. NXDOMAIN is NXDOMAIN, it doesn't exist, it doesn't mean try another server to see if you get lucky next time. Steve On 30 May 2013 08:26, sumsum 2000 wrote: > Hi, > I have the following change to be available from BIND9. > > I have zone forwarders as follows with BIND9 setup

Re: Help on NXDOMAIN to try next forwarder in the list

2013-05-30 Thread Steven Carr
So your administrator is breaking DNS if all 3 servers have been added as NS records but the zone is not available on all 3 servers. Get him/her to fix your DNS hierarchy first, then you won't need to check which server is hosting the subdomain. Steve On 30 May 2013 10:30, sumsum 2000 wrote: > Hi

Re: Queries using forwarders

2013-06-03 Thread Steven Carr
If the records which are being requested are in the DNS server's cache then it may return the records directly from cache (depends on your configuration). If the record isn't in the cache it will attempt to fetch it and return it to the client, it will then be placed in the cache so subsequent quer

Re: SPF record with include:

2013-06-17 Thread Steven Carr
Remove the part... "", whatever mailer agent you use has screwed with the information that you were sent, it is not required. So your finished TXT record will be... TXT "v=spf1 mx include:otheremailsrv.otherdomain ~all" Steve On 18 June 2013 06:56, Julie Xu wr

Re: Secondary DNS question...

2013-06-21 Thread Steven Carr
Sounds more like your mailserver is misconfigured and not resolving DNS correctly or not failing over (what is your mail server?). Without seriously in-depth configuration/logs being posted there isn't much we can help with. Steve On 21 June 2013 14:30, SH Development wrote: > No, there is de

Re: How to suppress ADDITIONAL SECTION per zone

2013-06-24 Thread Steven Carr
On 24 June 2013 08:14, Matus UHLAR - fantomas wrote: > You still have not answered my question, so I repeat it: > >>> > What is the point of your question? > I think what Matus wants to know is your reasoning/problem/issue about not returning records from the cache for those zones? The answer is

Re: Answers from cache or authority section?

2013-06-25 Thread Steven Carr
On 25 June 2013 16:53, John Horne wrote: > So what I now do not understand is why (at home) I can do several > reverse lookups for different IP addresses, and they all give me an > answer. Likewise if I do something like: > >dig -x 141.163.99.16 @8.8.8.8 > > I get a non-authoritative answer. I

Re: How to suppress ADDITIONAL SECTION per zone

2013-07-01 Thread Steven Carr
d achieve what I want. > > > On Monday, June 24, 2013 1:13:24 AM UTC-7, Steven Carr wrote: >> On 24 June 2013 08:14, Matus UHLAR - fantomas wrote: >> >> > You still have not answered my question, so I repeat it: >> >> > >> >> >>> &

Re: Reverse address entries

2013-07-02 Thread Steven Carr
On 2 July 2013 14:42, Sam Wilson wrote: > Can anyone here give examples of the types of various software that will > not operate without a PTR record? There have already been numerous listings of software that require reverse lookups. SMTP being the main one. Other services like IRC and some data

Re: Bind unable to get MX record from Parent name server

2013-07-05 Thread Steven Carr
Your glue is broken. You need to update the glue NS records in the parent to reflect the actual nameservers that are authoritative for the zone. It also looks like you could have some data mismatch between zones hosted on (ns1.yithosting.co.za + ns2.yithosting.co.za) and (demeter.is.co.za + babylo

Re: Bind unable to get MX record from Parent name server

2013-07-05 Thread Steven Carr
s,google .. (Despite they have issue with their dns > setup for that domain (as you said) ) then why we cant ?? > > Thanks for looking into it . > > On Fri, Jul 5, 2013 at 12:45 PM, Steven Carr wrote: >> Your glue is broken. You need to update the glue NS records in the >

Re: DNS and Remote Host over VPN

2013-07-10 Thread Steven Carr
On 10 July 2013 17:34, IT Support wrote: > I already added an address record on my internal view for that remote host, if > I ping this host by IP address I get an answer, but if I ping the same host by > name I get this message: > ping: unknown host In future please copy/paste the commands you have r

Re: DNS and Remote Host over VPN

2013-07-10 Thread Steven Carr
On 10 July 2013 17:54, IT Support wrote: > ** server can't findpc12.mydomain.com: NXDOMAIN So according to BIND the record doesn't exist. Did you reload BIND after adding the record? check the entry you have added into the zone and check the log files to make sure BIND loads the zone properly. C

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Steven Carr
On 12 July 2013 11:11, Arie L. Putra wrote: > > Has anyone have experience, how RPZ with huge list will impact BIND performance, will it reduce DNS response time? we have six DNS server that will point to this server, each server is serving about 15Mbps of DNS Traffic on peak hour. > > this server

Re: Which Forwarder Does Bind Pick?

2013-07-12 Thread Steven Carr
On 12 July 2013 18:44, Jiann-Ming Su wrote: > How does the named process determine when to use one forwarder or both > forwarders? I'm sniffing the traffic and on some queries, it goes for the > first one. On other queries, it goes for both. Thanks for any > clarification. > BIND will query b

Re: resolving-problem

2013-07-21 Thread Steven Carr
Can you post the full output of the following dig commands run on one of your nameservers: dig www.franisplus.com dig +trace www.franisplus.com Steve On 21 July 2013 10:55, Ejaz wrote: > ** ** ** > > Hello, All, > > ** ** > > Lately we have been receiving complaints from our customer th

Re: resolving-problem

2013-07-21 Thread Steven Carr
oops, typo... dig www.fransiplus.com dig +trace www.fransiplus.com On 21 July 2013 11:09, Steven Carr wrote: > Can you post full output of the following dig commands ran on one of your > nameservers: > > dig www.franisplus.com > dig +trace www.franisplus.com > > Steve &g

Re: resolving-problem

2013-07-21 Thread Steven Carr
172800 IN NS ns2.alfransi.com.sa. > > ;; Received 87 bytes from 192.5.6.30#53(192.5.6.30) in 202 ms > > > > ** ** > > *From My pc. Where I can’t resolve.* > > ** ** > > > fransiplus.com.sa > > Server: ns1.nesm

Re: resolving-problem

2013-07-21 Thread Steven Carr
So the logs would seem to indicate that the server responded to your PC, the only way you can see exactly what happened with that response is with traffic captures on the name server and your PC. Steve On 21 Jul 2013, at 12:52, "Ejaz" wrote: I can resolve yahoo and here the snippet of lo

Re: resolving-problem

2013-07-21 Thread Steven Carr
On 21 July 2013 13:42, Teerapatr Kittiratanachai wrote: > In my opinion your 'listen-on' options should be changed from > "212.71.32.19" to "any". > Actually I would disagree with that. There may be a very good reason that BIND is configured to listen on a specific IP address, the server may be m

Re: resolving-problem

2013-07-21 Thread Steven Carr
On 21 July 2013 14:24, Teerapatr Kittiratanachai wrote: > As I had resolve the IP address, the "212.71.32.19" which has configured > is point to "ns1.nesma.net.sa". > That seem that the DNS Server will listen only on itself, i think that the > configuration file also came from the `ns1` too. I'm n

Re: NAMED LOGS

2013-07-22 Thread Steven Carr
It looks like those clients are trying to query your DNS server for www.minghui.org.s210.ip4.verteiltesysteme.net and are being denied. Steve On 22 July 2013 13:21, Grace Ingabire wrote: > Dear Team, > > ** ** > > Does anyone know what is going on here? As I can’t understand why we do > re

Re: bind9 and logrotation

2013-07-29 Thread Steven Carr
On 30 July 2013 00:08, Christoph Anton Mitterer wrote: > > You can also configure logrotate to work with the inactive log files > > created by BIND's own logging facility. That is, let BIND write and > > rotate log files, but then process them with logrotate afterward. > Yeah... I thought about th

Re: BIND slave stops updating from master after 1-3 days

2013-07-30 Thread Steven Carr
On 30 July 2013 20:31, Brandon Whaley wrote: > Sorry for the bump here, but through extensive troubleshooting I've > identified a trend in this. It appears that zones hosted on the > lower-numbered masters are still updating without issue. This leads me to > believe that something is causing BI

Re: BIND slave stops updating from master after 1-3 days

2013-07-30 Thread Steven Carr
On 30 July 2013 21:38, Brandon Whaley wrote: > zone "example.com" { > type slave; > file "/var/named/slaves/example.com.db"; > masters { 10.0.1.1; 10.0.2.1; 10.0.3.1; 10.0.4.1; 10.0.5.1; }; > }; > So given what I mentioned before I would envisage BIND contacting 10.0.1.1

Re: BIND slave stops updating from master after 1-3 days

2013-07-30 Thread Steven Carr
On 30 July 2013 22:52, Brandon Whaley wrote: > Once every few minutes the reload occurs on the master, which sends the > notify to our slave servers, who should check serials on all the masters > and transfer from the latest. > I think this is your problem. From what I understand BIND does not d

Re: BIND slave stops updating from master after 1-3 days

2013-07-30 Thread Steven Carr
On 30 July 2013 23:19, Brandon Whaley wrote: > That's certainly disconcerting (and diverges from the behavior we continue > to see with BIND 9.3). Is there any reason these updates would work > without issue immediately after a restart but stop working at some point > later? As you can see in t

Re: Internal view is answering to external ping

2013-07-31 Thread Steven Carr
On 1 August 2013 00:59, IT Support wrote: > Thanks in advance. Where is your view/zone configuration? (possibly in one of the included files) you will need to post that configuration as well. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-

Re: Internal view is answering to external ping

2013-08-01 Thread Steven Carr
On 1 August 2013 18:58, Lawrence K. Chen, P.Eng. wrote: > Did I miss something... what does ICMP ping have anything to do with bind? Yes, you missed the actual question. The use of the word 'ping' is a misnomer, what he really meant to say that from a host on the internet he is receiving an inter

Re: Reverse Records on a leash?

2013-08-10 Thread Steven Carr
On 10 August 2013 01:44, Eduardo Bonsi wrote: > I would like to know why we are treat like a dog on a leash when the > question is to reverse our DNS ip address to a FQDN of our choices since our > account is already assigned to us by our ISP? I would guess that for the most part ISPs provide a p

Re: Reverse Records on a leash?

2013-08-10 Thread Steven Carr
On 10 August 2013 18:26, Eduardo Bonsi wrote: > Why should we be subjected to the ISP for reverse when we already have a > static ip and are paying for the internet account, that by the way it is not > cheap or catered to small business? Simple answer... the ISP is the owner of the IP address spa

Re: Can't directly query NS type from DNS server.

2013-08-13 Thread Steven Carr
On 13 August 2013 08:20, Sury Bu wrote: > When I use host -a support.ourfirst.org 192.168.122.92, the result contains > following: > > ;; AUTHORITY SECTION: > support.ourfirst.org.86400INNSns.ourfirst.org. > > ;; ADDITIONAL SECTION: > ns.ourfirst.org.86400INA192.168

Re: ISO or virtual appliance

2013-08-21 Thread Steven Carr
On 22 August 2013 05:39, Manish Rane wrote: > So, DNS will monitor the host on port 80 and as soon as it detects that > either of the host/link is down it would remove the associated entry and > re-populate the entries > > Is any one aware of such solution readily available? I believe I already >

Re: /etc/named.conf won't be installed !!

2013-08-27 Thread Steven Carr
This was answered in the other thread, you need to create your own config file when installing from source. Steve On 27 August 2013 17:02, Nidal Shater wrote: > hi > when I install BIND,,,BIND won't install the /etc/named.conf file why ??? I > think bind has problems with centos6.3 > > could an

Re: FW: subscribe in bind-developer

2013-08-28 Thread Steven Carr
The only public developer list that I'm aware of is for the upcoming rewrite of BIND, BIND 10... https://lists.isc.org/mailman/listinfo/bind10-dev Steve On 28 August 2013 19:07, Nidal Shater wrote: > > > > From: ngiw2...@hotmail.com > To: bind-users@lists.isc.or

Re: nxdomain

2013-08-28 Thread Steven Carr
I think the short answer is don't use the host command, always use dig. Not sure how to find the version of host (none of the usual -V -v -h flags seem to work with it) but on my system (OS X 10.8) host returns refused for the same query... sjcarr@elmo:~ $ host www.undernet.org. ns1.ausics.net Us

Re: SERVFAIL when two SOA in the domain

2013-08-29 Thread Steven Carr
On 29 August 2013 19:22, Stephane Bortzmeyer wrote: > I'm not sure of what the RFC says about that... While RFC 1035 doesn't seem to explicitly say that multiple are forbidden, or how to handle the case of multiple records, it does state under section 5.2. (Use of master files to define zones):

Re: Change Monitoring IP address

2013-09-05 Thread Steven Carr
On 5 September 2013 07:50, Bal Krishna Adhikari wrote: > As BIND server periodically query root servers to check it's availability to > Internet. > When Internet is down, I can't fetch the domains of my local exchange too. > We got one of the root servers in local exchange but I don't know if it's

Re: Problem with forward zone in view

2013-09-08 Thread Steven Carr
Using +trace will give you the exact response you are seeing. +trace uses the values returned by the parent for the next part of the query (it will bypass your internal DNS server and go straight to the Internet root and work down the hierarchy, so any forwarding rules in BIND are ignored). You wi

Re: Problem with forward zone in view

2013-09-08 Thread Steven Carr
On 8 September 2013 12:06, Carol Overes wrote: > Apologies if my approach was not clear, after Steve's mail. But I tested > by using dig without the +trace option. I have tested the following from > an IP, which is accepted via the trusted ACL: > > dig @10.10.10.1 www.domain2.com A > dig @10.10.10

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Steven Carr
On 10 September 2013 16:58, Nicholas F Miller wrote: > The only thing between us and the world are Junos FWs. The behavior happens > if you dig a hosted zone on the master DNS server as well. Is there any configuration on the DNS server which is reducing the TTL unnecessarily? (e.g. max-cache-tt

Re: What is proper fault-tolerant behavior?

2013-09-16 Thread Steven Carr
On 17 September 2013 02:54, Dan McDaniel wrote: > My question is shouldn't our nameservers try another fedora NS in order > to resolve the name? If not what good is it for fedora to have multiple > nameservers? Or am I misunderstanding how this should work? So this would really depend on the resp

Re: Dig gives ;; connection timed out; no servers could be reached

2013-10-03 Thread Steven Carr
As others have already commented, it could mean either, there isn't enough information provided to try to identify where the fault lies. Are these systems accessible from the Internet? if so then please provide the correct names so we can also run tests from our locations to see if we get the same

Re: view

2013-10-03 Thread Steven Carr
Please post your full named.conf config file (you can obfuscate any sensitive information). Steve On 3 October 2013 18:53, Paweł Ch. wrote: > Hi list > > I have problem with views in bind9 on debian 6. I configured server like > here https://wiki.debian.org/Bind9 and it works. When i add entry:

Re: view

2013-10-03 Thread Steven Carr
f.default-zones > // prime the server with knowledge of the root servers > zone "." { > type hint; > file "/etc/bind/db.root"; > }; > > // be authoritative for the localhost forward and reverse zones, and for > // broadcast zones as per RFC 1

Re: empty zones and higher zone count after upgrading

2013-10-08 Thread Steven Carr
So a "dig 10.IN-ADDR-ARPA" hasn't queried the root at all, if it had you would have a response with an SOA of prisoner.iana.org and you wouldn't have got an NXDOMAIN. sjcarr@elmo:~ $ dig 10.in-addr.arpa ; <<>> DiG 9.8.5-P1 <<>> 10.in-addr.arpa ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<

Re: empty zones and higher zone count after upgrading

2013-10-08 Thread Steven Carr
+trace ALWAYS goes to the root servers. It will bypass your DNS server completely. Steve On 8 October 2013 22:37, Con Wieland wrote: > > On Oct 8, 2013, at 2:13 PM, Mark Andrews wrote: > >> >> In message <93fdc4db-8835-482d-8b7d-7b58d09d5...@uci.edu>, Con Wieland >> writes: >>> I am still tryi

Re: empty zones and higher zone count after upgrading

2013-10-08 Thread Steven Carr
On 8 October 2013 23:27, Alan Clegg wrote: > Except for using your servers to find the root servers to begin with. I stand corrected, I thought it might have done something clever for the first hop and had the root hints compiled in. Steve ___ Please v

Re: DNSSEC resolution

2013-10-09 Thread Steven Carr
Can you be more specific as to what exactly you want to know? What specific dig commands are you using? Do you actually know how DNSSEC works? Have you read chapter 11.4 in "DNS and BIND" (ISBN:0596100574)? A quick Google query brought back quite a few resources on using dig with DNSSEC https://www

Re: Refreshing cache in other DNS servers

2013-10-15 Thread Steven Carr
On 15 October 2013 15:53, babu dheen wrote: > If I change the TTL value on the particular zone after modifying a record > in Redhat Linux BIND Caching DNS server, My Redhat bind Caching DNS server > cache would be refreshed after 300 seconds but what if my backend windows > DNS server is still r

Re: Performance Tuning RHEL 5 and Bind

2013-10-19 Thread Steven Carr
On 20 October 2013 02:34, brett smith wrote: > When all the Windows PCs are switched to our resolver, bind stops responding. > rndc querylog shows queries coming thru, I changed tcp-clients from > 1000 to 1 but DNS seems lagging, so we switched back to the > original Windows Domain resolver.

Re: use bind 9.8 as caching server and authoritative nameserver

2013-10-28 Thread Steven Carr
You're seriously over-complicating the admin for yourselves by creating dummy zones. Look at RPZ as this will achieve what you want in a much simpler and easier to manage way. Steve On 28 October 2013 13:10, wrote: > Hi all , > > I installed a new bind caching server called nameserver.hiddendo

Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Steven Carr
This is all explained clearly on their website... http://www.spamhaus.org/organization/dnsblusage/ On 6 November 2013 08:52, babu dheen wrote: > Dear All, > > I would like to integrate BIND DNS with Spamhaus Malware DB feed. But i > need clarity whether Spamhaus offers this feed for free or >

Re: Help on DNSSEC

2013-11-06 Thread Steven Carr
Start with chapter 11.4 "The DNS Security Extensions" in DNS & BIND http://www.amazon.com/DNS-BIND-5th-Edition-Cricket/dp/0596100574 Steve On 6 November 2013 08:54, babu dheen wrote: > Dear All, > > I would like to understand DNSSEC on BIND Recursive DNS server running in > RHEL 5.0. Can you ple

Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Steven Carr
On 6 November 2013 11:19, Dave Warren wrote: > Perhaps you can point out where on that page RPZ is mentioned? The Spamhaus news article announcing the "beta" RPZ service (http://www.spamhaus.org/news/article/669/) indicates that the Spamhaus DBL is being repurposed as an RPZ data feed. There is n

Re: Host spans Multi-Domains

2013-11-21 Thread Steven Carr
On 21 November 2013 02:55, Davis, Donald W wrote: > A correction. There is only a single IP address for this server. You can either put an A record in each zone pointing to the IP address of the server "red" or you can put an A record in the primary zone which the server is a member of and a CNAM

Re: forwarder not working

2013-11-29 Thread Steven Carr
On 29 November 2013 10:27, rams wrote: > Hi I have configured my bind as a forwarder but when I query it is not > forwarding and looking into local only. What are you trying to achieve, what are you forwarding? why are you forwarding? >recursion yes; > zone "com." { > type forward;

Re: missing ‘additional section’

2013-12-18 Thread Steven Carr
On 18 December 2013 15:19, houguanghua wrote: > > When I do a DIG, ‘additional section’ isn’t in the response. My bind > environment is: bind 9.8.6P1 + mysql (OS: Centos). > > Is there any way to enable the Additional Section? Thanks. > What are you expecting to see in the additional section? Yo

Re: missing ‘additional section’

2013-12-18 Thread Steven Carr
On 19 December 2013 00:48, houguanghua wrote: > If DLG isn't enabled (bind9+view + zone file , no DB is used), the > additional section is right. Maybe it's a bug of Bind DLG. What is DLG? > What I wanted is as follows : > $ dig @10.3.103.177 www.ctyun.cn > ; <<>> DiG 9.6-ESV-R10-P1 <<>> @10.3.

Re: FW: missing ‘additional section’

2013-12-20 Thread Steven Carr
On 20 December 2013 14:18, houguanghua wrote: > This topic was discussed in 2009. But I don't know the final decision. > Please refer to the following site: > http://t4605.network-dns-bind9-dlz.dnstalk.us/missing-additional-section-t4605.html Looks like it is potentially a "bug" if you want to call it t

Re: Adding DS records

2013-12-20 Thread Steven Carr
On 20 December 2013 18:10, pgndev wrote: > Gandi.net > Great support, including DNSSEC: Gandi only support DNSSEC if you host the DNS elsewhere, their DNS servers do not support DNSSEC. Steve ___ Please visit https://lists.isc.org/mailman/listinfo/bind

Re: Adding DS records

2013-12-20 Thread Steven Carr
On 20 December 2013 18:37, David Forrest wrote: > gandi.net +1 > > I transferred from NS to Gandhi in December 1998. I don't know about their > hosting of primary DNS but they do host a secondary of mine and it seems to > resolve there with an aa flag: Yep, secondary works, but they can't be a DN

Re: RPZ help on BIND

2014-01-02 Thread Steven Carr
On 2 January 2014 10:47, babu dheen wrote: > Kindly help me on my requirement. What exactly are you wanting to do? There is lots of information on the Internet already about implementing RPZ (Google is your friend) and configuration examples in the BIND9.9 ARM (chapter 6.2.16.20). If you can sh

Re: RPZ help on BIND

2014-01-04 Thread Steven Carr
On 4 January 2014 15:13, babu dheen wrote: > Since I am not well familiar with BIND, I am expecting help > from the BIND forum. First of all please do not expect help, this mailing list is a community, not guaranteed support, we will help if we can. If you need dedicated help then ISC (and any number

Re: "Recursive no;" implications?

2014-01-21 Thread Steven Carr
On 21 January 2014 09:03, LuKreme wrote: > If you set recursion no; in named.conf, you need to set the forwarders as > well. Is there anything else that must be done so that DNS queries still work? Forwarding will not work if you don't have recursion enabled. With recursion disabled you are a pu

Re: db- files on secondary dns server

2014-01-21 Thread Steven Carr
On 21 January 2014 13:41, Ayca Taskin (Garanti Teknoloji) < ayc...@garanti.com.tr> wrote: > We’re using Bind DNS server with version BIND 9.9.2 as a secondary > (slave) dns server. We saw there is a lot of files starting with “db-“ > under /var/named directory and updating continuously. does an

Re: "Recursive no;" implications?

2014-01-22 Thread Steven Carr
On 22 January 2014 05:29, LuKreme wrote: > OK, so in order to lock down your server against DDOS DNS attacks you need to > restrict the access to the recursive lookup, yes? But if you set 'recursion > no;' then your own servers will not lookup IP addresses for, for example, your > mail server to

Re: SERVFAIL @google

2014-02-10 Thread Steven Carr
On 10 February 2014 09:01, Lucio Crusca wrote: > Sorry, I thought I might be making some obvious mistake so that you wouldn't > need the actual zone to spot it. > > ; > ; BIND data file for softwareliberopinerolo.org > ; That zone file must be out of date. The record being returned now is an A re

Re: SERVFAIL @google

2014-02-10 Thread Steven Carr
On 10 February 2014 11:10, Lucio Crusca wrote: > How did you find that NS servers are ns1.customer.seflow.it and > ns2.customer.seflow.it? They should be ns0.virtual-bit.com and > ns1.virtual-bit.com (see zone file) and here dig says exactly that: Trace it from the root, your glue records aren't

Re: SERVFAIL @google

2014-02-10 Thread Steven Carr
On 10 February 2014 11:20, Lucio Crusca wrote: > Ok, so what should I do now? I want the NS records to point to > ns0|1.virtual-bit.com. Should I change anything in my zone file or should I > open a new ticket at my domain provider? Contact the domain provider and ask them to either update the re

Re: how to modify the cache

2014-02-14 Thread Steven Carr
On 14 February 2014 13:52, houguanghua wrote: > Who can tell me how to do?Thanks. You can't and shouldn't need to edit the cache. All you can do is clear it. If you want to change the response back to the client then look into RPZ, however by doing so you may break DNSSEC validation and end up n

Re: how to modify the cache

2014-02-17 Thread Steven Carr
On 17 February 2014 01:17, houguanghua wrote: > I want to override the IP address of NS, for I want to use other authority > DNS which isn't registered. For that you use forwarding. Create a zone statement for the zone in question and forward the queries to a different name server. You don't need

Re: how to modify the cache

2014-02-19 Thread Steven Carr
On 19 February 2014 09:51, houguanghua wrote: > But if the specified name server is enabled only when the normal dns query > process is down. How to configure the local DNS server? The detailed > scenario is described in the figure below: I'm not sure if that is possible, you either forward or you allow

Re: FreeBSD ports 9.8.7 problem with transfer to slave

2014-03-27 Thread Steven Carr
On 27 March 2014 12:31, BONNET, Frank wrote: > Since I upgraded to 9.8.7 on my two DNS the automated zone transfers from > master to slave > do not occur automatically, I haven't changed configuration files, > serials are well incremented > by a script that has worked for years > > BIND is install

Re: Clients Matching Multiple Views

2014-04-09 Thread Steven Carr
On 9 April 2014 08:37, Mike Meredith wrote: > Am I missing something obvious? Such as it should work, but I've > somehow messed up? Or perhaps there's some option I've missed? Or am I > out of luck? That's not how views work. When you match a view then that's it, you don't continue to check other

Re: Clients Matching Multiple Views

2014-04-09 Thread Steven Carr
On 9 April 2014 10:05, Sotiris Tsimbonis wrote: > But when the zone is dynamic, this file "sharing" cannot be done between > views. > > Updates only match one zone, and are kept in memory (or .jnl). > So how would we make this work in dynamic zones? > Maybe we should have one view axfr from the ot

Re: Clients Matching Multiple Views

2014-04-09 Thread Steven Carr
On 9 April 2014 13:09, Mike Meredith wrote: > What I did in testing (and not very much at that) was to define the > zones twice with different file names. Seemed to work fine ... at least > the zone files and the journal files were created for both file names. BIND will allow you to configure it

Re: Help with DKIM record

2014-04-14 Thread Steven Carr
On 14 April 2014 14:21, Felix Rubio Dalmau wrote: > yes, it is the server I've set up in my local LAN. How can I set it > to have these TXT records? Post your current config and zone files (use pastebin if they are larger than a few lines). Then copy/paste the full host command and its

Re: Help with DKIM record

2014-04-14 Thread Steven Carr
On 14 April 2014 15:59, Felix Rubio Dalmau wrote: > What files, exactly? Named.conf.local and named.conf.options is enough? Yep, and the zone files that you have created that contain the TXT records you want to query for. Steve ___ Please visit https:/

Re: Help with DKIM record

2014-04-14 Thread Steven Carr
On 14 April 2014 17:02, Felix Rubio Dalmau wrote: > Maybe this is my problem: I have not created any zone file :s. The only files > I've created/modified are: > I thought that when requesting fields that are not available in the local dns > server, such requests would be forwarded to the forward

Re: Help with DKIM record

2014-04-14 Thread Steven Carr
On 14 April 2014 18:53, Felix Rubio Dalmau wrote: > it is not actually a pure caching server (at least I didn't want it > to be :S). I have a server at home, and the DNS is properly configured on the > internet. The problem is that my router is not capable of redirecting my > requests to m
