Re: Anycast DNS

2012-02-29 Thread Warren Kumari
On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote: > The reason I’ve heard a few times is that users are uncomfortable using only > 1 address. In the past I’ve done 2 or 3 addresses just so that we can give > out 3 addresses that all point to the same pool of servers. > > Silly, I know, but so

Re: Clarification on question and the answer section uppercase lower case mis match

2012-04-10 Thread Warren Kumari
http://www.ietf.org/rfc/rfc4343.txt Some resolvers use 0x20 tricks to encode additional entropy into queries. This works by randomly adding 0x20 to characters in the qname and then making sure they are the same when they come back (e.g: example.com -> eXAmpLe.coM)... W On Apr 10, 2012, at 5:5

Re: Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

2012-04-29 Thread Warren Kumari
On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote: > Augie, > >> Is there a way to exclude a domain from DNSSEC validation, like >> Unbound's "domain-insecure"? > > That is regrettably not possible at the moment, at least not in BIND > 9.9.0. > > The only (quite impracticable) workaround would

Re: DNSSEC

2012-05-10 Thread Warren Kumari
On May 10, 2012, at 11:20 AM, Daniel Ryšlink wrote: > > On 05/10/2012 04:33 PM, Barry Margolin wrote: >> In article, >> Tony Finch wrote: >> >>> Barry Margolin wrote: [Validation is] only untroublesome until someone screws things up on their auth server. When one of your users can

Re: DNSSEC

2012-05-10 Thread Warren Kumari
On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote: > Warren wrote on 05/10/2012 11:50:30 AM: > >> Nope -- Comcast does a large amount of checking before turning off >> validation for a failing domain. >> This is (IMO) more secure than the alternative, which is to simply >> leave it failing,

Re: random-device purpose in DNSSEC

2012-05-10 Thread Warren Kumari
On May 10, 2012, at 3:41 PM, Alexander Gurvitz wrote: > Hello all. > > What is the random device used for? > ARM says "Entropy is primarily needed for DNSSEC operations, > such as ... dynamic update of signed zones". I don't get why signing a zone > requires any randomness. > > This bothers me as I'm

Re: bind caching dns

2012-05-15 Thread Warren Kumari
On May 15, 2012, at 4:05 AM, Ben wrote: > Hi, > > Any clue to resolve this. Let's see... You posted a question on May 8th asking for some assistance. You worded your initial question poorly, but within 2 hours you got a complete and well written response from Matthew (and less than 24 hours a

Re: Checking for zone expiration?

2012-05-21 Thread Warren Kumari
On May 21, 2012, at 3:16 PM, Alan Batie wrote: > We had a rather key zone mysteriously expire on a slave this morning - > the log files show a transfer a couple weeks ago, but it hadn't been > updated so there was no reason for one since and there were no log > entries about failed connection att

Re: Monitoring of "blackholed" DNS servers

2012-06-08 Thread Warren Kumari
If it were me I'd just block access with iptables (and maybe blackhole as well if I were sufficiently concerned) and combine that with the iptables log action… W On Jun 8, 2012, at 1:44 PM, wrote: > All, > > We have a list of DNS servers that we do not want our BIND DNS server > interacting

Re: limiting number of requests of a single hosts

2012-06-15 Thread Warren Kumari
On Jun 15, 2012, at 4:25 AM, Holemans Wim wrote: > We have a problem with one of our firewalls caused by DNS peaks. Yes. W > Once or twice a day a DNS burst (20K requests/15sec) kills all connections on > the firewall. > The firewall is due for replacement but in the meantime we would like

Re: RPM [was: Re: bind dies with assertion failure]

2012-07-03 Thread Warren Kumari
On Jul 3, 2012, at 10:58 AM, wbr...@e1b.org wrote: > Jan-Piet wrote on 07/03/2012 10:41:20 AM: > >> Building BIND is easy; turning it into an installable RPM not so. >> I highly recommend fpm [1] which makes building an RPM trivial. :) > > Any advice or tricks for making a DEB for Ubuntu? > >

Re: Can I disable caching without disabling recursion?

2012-07-10 Thread Warren Kumari
On Jul 10, 2012, at 2:37 AM, rams wrote: > Hi, > > Can I disable cache without disabling recursion? For many of your questions it would be really helpful if you explained *why* you want to do X / what you are trying to accomplish… For example, forwarding may be what you want here, but wi

Re: Operation Cancelled Error

2012-07-10 Thread Warren Kumari
On Jul 10, 2012, at 2:25 AM, Ben wrote: > Hi, > > We deploy BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 and trying to do load test > while doing it we got so many error logs in named.run. I must admit to being a little confused… It *looks* to me like you are forwarding all queries to 8.8.8.8? (If

Re: What is the deal on missing "Authority Section" and "additional section" from google's DNS servers?

2012-07-11 Thread Warren Kumari
On Jul 11, 2012, at 6:30 AM, Ted Mittelstaedt wrote: > On 7/10/2012 6:37 PM, Michael Hoskins (michoski) wrote: >> -Original Message- >> >> From: Ted Mittelstaedt >> Date: Tuesday, July 10, 2012 6:24 PM >> To: "bind-users@lists.isc.org" >> Subject: What is the deal on missing "Authority

Re: How to filter hundreds of domains?

2012-08-31 Thread Warren Kumari
On Aug 31, 2012, at 10:42 AM, Oscar Ricardo Silva wrote: > On 08/31/2012 08:22 AM, Kevin Darcy wrote: >> On 8/31/2012 2:50 AM, sth...@nethelp.no wrote: Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance en

Re: cache does truly in local and doesn't work in remote

2012-09-02 Thread Warren Kumari
On Sep 2, 2012, at 2:29 PM, Mohsen Pahlevanzadeh wrote: > On Sun, 2012-09-02 at 13:59 -0400, Barry Margolin wrote: >> In article , >> Mohsen Pahlevanzadeh wrote: >> >>> According to result, my bind works truly, but when I run the same command on >>> my machine, I get the following result: >>> /

Re: about the wild record

2012-10-15 Thread Warren Kumari
On Oct 15, 2012, at 3:45 AM, pangj wrote: > On 2012-10-15 15:38, Cathy Almond wrote: >> On 15/10/12 05:23, pangj wrote: >>> Hello, >>> >>> I have setup a wild record for cloudns.tk, the record: >>> >>> *.cloudns.tk. 300 IN A 209.141.54.207 >>> >>> And I added another A record as t

Re: about the wild record

2012-10-15 Thread Warren Kumari
On Oct 15, 2012, at 12:25 PM, Chris Thompson wrote: > On Oct 15 2012, pa...@riseup.net wrote: > >> no SOA for test.cloudns.tk IMO. see: >> >> PromatoMacBook-Pro:~ pro$ dig test.cloudns.tk soa >> >> ; <<>> DiG 9.7.6-P1 <<>> test.cloudns.tk soa >> ;; global options: +cmd >> ;; Got answer: >> ;;

Re: Disable log message

2012-10-18 Thread Warren Kumari
On Oct 18, 2012, at 1:13 PM, Jack Tavares wrote: > I am running bind9.8.x built from source and I see this message in the logs > built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' > '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' > '--mandir=/usr/share/man' '--

Re: Disable log message

2012-10-19 Thread Warren Kumari
On Oct 19, 2012, at 6:13 PM, Alan Clegg wrote: > > On Oct 18, 2012, at 1:13 PM, Chris Thompson wrote: > >> On Oct 18 2012, Jeremy C. Reed wrote: >> >>> On Thu, 18 Oct 2012, Jack Tavares wrote: >>> I am running bind9.8.x built from source and I see this message in the logs b

Re: Disable log message

2012-10-19 Thread Warren Kumari
On Oct 19, 2012, at 9:17 PM, "Michael Hoskins (michoski)" wrote: > -Original Message- > > From: Warren Kumari > Date: Friday, October 19, 2012 8:56 PM > To: Alan Clegg > Cc: "bind-us...@isc.org" > Subject: Re: Disable log message > &g

Re: Disable log message

2012-10-20 Thread Warren Kumari
On Oct 20, 2012, at 12:34 AM, David Miller wrote: > > > On 10/19/2012 11:57 PM, Chris Buxton wrote: >> On Oct 19, 2012, at 6:22 PM, Warren Kumari wrote: >>> On Oct 19, 2012, at 9:17 PM, "Michael Hoskins (michoski)" >>> wrote: >>>> -

Re: [DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Warren Kumari
On Oct 23, 2012, at 4:08 AM, Stephane Bortzmeyer wrote: > It may be a bug in BIND and it is certainly a bug in the zone > pcextreme.nl. > > BIND validating resolvers are unable to get the IP address of > v1.pcextreme.nl. > > I believe this is because of the strange NSEC: > > tools-newerst.pce

Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?

2012-12-12 Thread Warren Kumari
On Dec 12, 2012, at 10:28 AM, Manish Rane wrote: > I understand BIND by default cannot work like GLB but wondering if there are > any patches available or any other Open source software community is aware of > who can perform such thing. This isn't really something that BIND does well nativ

Re: With the announcement that: “Advisory — D-root is changing its IPv4 address on the 3rd of January.”

2012-12-14 Thread Warren Kumari
On Dec 14, 2012, at 12:19 PM, Chris Buxton wrote: > > On Dec 14, 2012, at 6:59 AM, Hayward, Bruce wrote: > >> Hi >> >> With the announcement that: “Advisory — D-root is changing its IPv4 address >> on the 3rd of January.” >> >> https://lists.dns-oarc.net/pipermail/dns-operations/2012-Dece

Re: Distribute named.conf

2013-01-03 Thread Warren Kumari
On Jan 3, 2013, at 6:06 AM, Joerg Stephan wrote: > Hi all, > > > we are currently using PowerDNS on our 12 Nameservers. Now we are thinking > about a migration to bind. > > So we are seeking a way to distribute the named.conf.x for the several > zonefiles. Currently this is solved by powerd

Re: Distribute named.conf

2013-01-03 Thread Warren Kumari
On Jan 3, 2013, at 9:44 AM, Phil Mayers wrote: > On 03/01/13 14:36, Warren Kumari wrote: > >> Yup, have a look at Puppet. >> >> For the first while it will seem like way way more work than it is >> worth (and the whole declarative language bit makes my head hurt

Re: lame-servers: error (FORMERR) resolving [something]

2013-01-17 Thread Warren Kumari
On Jan 17, 2013, at 9:04 AM, Daniele wrote: > I'm going crazy. > > This is my named.conf > > logging { > > channel default_logfile { > file "/var/cache/bind/logs/default.log"; > severity info; > print-category yes; > prin

Re: lame-servers: error (FORMERR) resolving [something]

2013-01-18 Thread Warren Kumari
On Jan 18, 2013, at 9:44 AM, Daniele wrote: > These are the outputs. I also attach the file containing them. > > [ SNIP ] Weird…. Do things work well enough for: dig +short rs.dns-oarc.net txt ? Can you also do: the following queries starting with the slightly less plain DNS query

Re: lame-servers: error (FORMERR) resolving [something]

2013-01-22 Thread Warren Kumari
On Jan 22, 2013, at 5:18 AM, Daniele wrote: > Ok! Thank you all! > > My router doesn't maintain a DNS cache, And what are you basing this upon? W > so it must be my ISP's fault. > > The last questions, if it's possible: what happens when my 'named' starts an > iterative query? Does it arri

Re: reverse resolution failing

2013-02-07 Thread Warren Kumari
On Feb 7, 2013, at 12:51 PM, Tony Finch wrote: > Jim Pazarena wrote: >> >> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 ) >> it cannot reverse resolve 139.142.184.10 > > They are using classless reverse DNS, which is fine except that the > nameservers for the target zone are ve

Re: Building a fresh named.root

2013-02-14 Thread Warren Kumari
BIND now comes with a baked in roots file (in the imaginatively named lib/dns/rootns.c ) There is no need for a named.root file, and is just another thing to go wrong… W On Feb 14, 2013, at 8:35 AM, Robert Moskowitz wrote: > The Centos 6.3 bind and bind-chroot do not seem to come with a named.

Re: Building a fresh named.root

2013-02-14 Thread Warren Kumari
On Feb 14, 2013, at 9:28 AM, Robert Moskowitz wrote: > > On 02/14/2013 09:05 AM, Warren Kumari wrote: >> BIND now comes with a baked in roots file (in the imaginatively named >> lib/dns/rootns.c ) > > Not (at least by that name) in the Redhat/Centos 6.3 bind 9.8.2.

Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-20 Thread Warren Kumari
On Feb 20, 2013, at 1:14 AM, Chuck Peters wrote: > Robert Moskowitz said: >> Delving further into my challenges. >> >> But they don't seem to support DNSSEC protected domains, and even >> IPv6 glue records are special requests, it seems. > > I would like to know how can I handle DNSSEC key rol

Re: Cannot create A record issue

2013-02-20 Thread Warren Kumari
Are you sure BIND is loading the zone file? Are you remembering to update the SOA / serial? Are you restarting BIND after making changes? If you make a change (and update the SOA), if you do: dig soa example.com do you see the new serial #? W On Feb 20, 2013, at 12:40 PM, Jsilliman wrote: > I

Re: Cannot create A record issue

2013-02-20 Thread Warren Kumari
On Feb 20, 2013, at 2:17 PM, Jsilliman wrote: > I just changed the domain name in output. If I do a dig on > > dig example.com > > ** Returns nothing. I have to actually dig on ns1.example.com, > www..., or mail... > > I am trying to add an A record (remote.example.com), and have it work...

Re: Suspicious DNS traffic

2013-03-26 Thread Warren Kumari
On Mar 26, 2013, at 3:09 PM, "Novosielski, Ryan" wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > It sounds like exactly the reverse of what Niall described in his > other e-mail (brackets mine): > > "The reply to such a query originates from port 53 on the remote > server [in this

Re: Simple question about zone and CNAME

2013-04-05 Thread Warren Kumari
On Apr 5, 2013, at 5:23 AM, Phil Mayers wrote: > On 04/05/2013 10:13 AM, Thomas Manson wrote: > >> @ IN CNAME somehost.com > > Correct. CNAMEs are mutually exclusive with other records (DNSSEC signatures > excepted) and zone apex requires SOA and NS. > > >> >> How can

Re: Simple question about zone and CNAME

2013-04-05 Thread Warren Kumari
On Apr 5, 2013, at 3:48 PM, wbr...@e1b.org wrote: >>> Incidentally, we have just been asked for an A record for cam.ac.uk to >>> duplicate www.cam.ac.uk because, and I quote, "all the publicity > material >>> sent out by the nominator [for an award for the web site] gave the URL >>> as http://ca

Re: BIND Configuration

2013-05-10 Thread Warren Kumari
On May 9, 2013, at 8:44 AM, Carlos Martinez wrote: > DNS is not the place to solve that problem, it's the routing layer. Yes, but *sometimes* DNS is the right layer for this… For example, if you have 2 sites (so you can remain up when a meteor / flood / avalanche hits one), if you need better

Re: Queries using forwarders

2013-06-03 Thread Warren Kumari
On Jun 3, 2013, at 4:31 PM, John Miller wrote: > Hi Mike, > > To keep my answer simple, if BIND is set up to allow recursion, and gets a > recursive query for a zone it's not authoritative for, it'll: > > 1) Answer from cache > 2) pass the query off to the configured forwarders > 3) If the fo

Re: CVE-2013-3919 [was Re: resolver.c:4858: fatal error]

2013-06-04 Thread Warren Kumari
Can you / ISC confirm that authoritative only (recursion no) are not affected? The implication from the advisory is that they are not, but explicit confirmation would be nice... Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On Jun 4, 2013

Re: Confused about a basic concept

2013-06-05 Thread Warren Kumari
On Jun 5, 2013, at 9:02 AM, Bryan Harris wrote: > Hi all, > > I think I may be confused about a very basic DNS concept. Many people are, but most don't a: know or B: admit it :-P > Sorry if this has been asked before. > > 1. I have a master and two slaves. > 2. The master server is the SOA

Re: This list's prefix

2013-06-05 Thread Warren Kumari
On Jun 5, 2013, at 11:43 AM, Narcis Garcia wrote: > It's not the only mailing list where I'm subscribed. > Could please the administrator setup a prefix for messages' subject? You have unwittingly walked into a religious argument. If, like me, you really like list prefixes, *and* you use proc

Re: This list's prefix

2013-06-05 Thread Warren Kumari
Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On Jun 5, 2013, at 2:27 PM, "Elmar K. Bins" wrote: > war...@kumari.net (Warren Kumari) wrote: > >> If, like me, you really like list prefixes, *and* you use procmial

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Warren Kumari
On Jun 14, 2013, at 6:28 AM, "Ronald F. Guilmette" wrote: > > In message <201306140321.r5e3l7py017...@calcite.rhyolite.com>, > Vernon Schryver wrote: > >>> From: "Ronald F. Guilmette" >> >> } That is an interesting contention. Is there any evidence of, or even any >> } reasonably reliabl

Re: Rate-Limit Question

2013-06-14 Thread Warren Kumari
On Jun 14, 2013, at 10:37 AM, Stephane Bortzmeyer wrote: > On Fri, Jun 14, 2013 at 02:27:50PM +, > Manson, John wrote > a message of 138 lines which said: > >> We are running Bind 9.9.2 and would like to invoke the rate-limit >> option but named says 'unknown option'. > > RRL (Response R

Re: Rate-Limit Question

2013-06-14 Thread Warren Kumari
On Jun 14, 2013, at 12:08 PM, Evan Hunt wrote: > On Fri, Jun 14, 2013 at 03:36:19PM +0100, Phil Mayers wrote: >> It's not built into bind (yet). > > Correct. For the record, it'll be in 9.10.0 by default and 9.9.4 as a > compile-time option (--enable-rrl). Thank you for the clarification. Loo

Re: d root server

2013-08-21 Thread Warren Kumari
On Aug 20, 2013, at 6:34 PM, Lyle Giese wrote: > Have you read the source code for these versions of BIND and examined the set > of HINTS that are internal to the code inside BIND? These are loaded before > any external HINTS file is loaded up. Hint[0] -- look in /lib/dns/rootns.c W [0]: P

Re: The Path of source code

2013-08-21 Thread Warren Kumari
On Aug 21, 2013, at 4:27 PM, Nidal Shater wrote: > I have installed BIND by using the command " yum install bind" in > "centos6.3", what is the location (path) of the source code and especially the > ".c" files on my filesystem Yeah, if you did 'yum install bind' then you probably don't have t

Re: ISO or virtual appliance

2013-08-22 Thread Warren Kumari
On Aug 22, 2013, at 4:06 PM, Mike wrote: > On 13-08-22 01:39 AM, Manish Rane wrote: >> Well the main idea behind and have been struggling to configure for >> almost last one year is to have a open source alternative to DNS Based >> failover/System monitoring thus have inbound loadbalancer. > >

Re: statistics file and views

2013-09-24 Thread Warren Kumari
Probably a stupid question, but are you sure that any queries are matching / hitting your external view? W On Sep 24, 2013, at 9:06 AM, Sébastien WENSKE wrote: > Hi List, > > I have the feeling that something is wrong with my stats, external view is > empty. > > Do I set something other in a

Re: Dig gives ;; connection timed out; no servers could be reached

2013-10-03 Thread Warren Kumari
On Oct 3, 2013, at 12:47 AM, Kevin Oberman wrote: > On Wed, Oct 2, 2013 at 9:18 PM, Balanagaraju Munukutla <9ba...@sg.ibm.com> > wrote: > > Hi > > Any one could help on the error below. > > > [andrew@oc8163211842 ~] $ dig @.com abcd.com.sg mx > > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16

Re: Adding DS records

2013-12-20 Thread Warren Kumari
On Dec 20, 2013, at 10:38 AM, /dev/rob0 wrote: > On Fri, Dec 20, 2013 at 10:04:59AM -0500, Thomas Schulz wrote: >> Has anyone been able to get Network Solutions to add DS records >> for their domain? I am trying to get DS records added for my >> domain and so far it looks like Network Solutions

Re: Named process suddenly down

2014-01-15 Thread Warren Kumari
BIND 9.9.3-P2 is vulnerable to CVE 2014-0591 ("A Crafted Query Against an NSEC3-signed Zone Can Crash BIND") and CVE 2013-6320 ("A Winsock API Bug can cause a side-effect affecting BIND ACLs") While it doesn't look (after a very quick glance) like CVE 2014-0591 ( https://kb.isc.org/article/AA-010

Re: Can we do a sub-domain delegation with godaddy?

2014-01-15 Thread Warren Kumari
On Tue, Jan 14, 2014 at 12:39 PM, Blason R wrote: > Hi Folks, > > I am not sure if this is an appropriate forum to answer since more or less > it is pertaining to Go Daddy support but since it's a huge community out > there and I am sure many of them are already using Go Daddy wondering if > su-dom

Re: Monitoring Zonefiletransfer

2014-02-19 Thread Warren Kumari
On Tue, Feb 18, 2014 at 10:34 PM, /dev/rob0 wrote: > On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote: >> I am new to administering a Bind server and after a few problems I ran >> into I need to monitor the zonefile transfers of my slave server. > > I think the terminology you use shows a

Re: which Name sever is selected?

2014-02-28 Thread Warren Kumari
On Fri, Feb 28, 2014 at 2:55 PM, Georg Kahest wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 02/28/2014 04:14 PM, houguanghua wrote: >> If there is a list of NS records, the local name server uses the >> RTT (round trip time) algorithm to find the fastest, and queries >> that serve

Re: Book recommendations?

2014-05-27 Thread Warren Kumari
On Tue, May 27, 2014 at 6:51 PM, Baird, Josh wrote: > Hi, > > Can someone recommend a modern/new-ish book on DNS (specifically BIND)? I > know there have been several O'Reilly books throughout the years, but haven't > kept up on anything in the past few years. I'm looking for architecture > de

Re: Book recommendations?

2014-05-27 Thread Warren Kumari
a good solid grasp of the fundamentals is still the most important thing -- and that's what the D&B books provide. W > > Josh > > -----Original Message- > From: Warren Kumari [mailto:war...@kumari.net] > Sent: Tuesday, May 27, 2014 7:24 PM > To: Baird, Josh > Cc: b

Re: Logs problem with Bind 9.9.4

2014-08-08 Thread Warren Kumari
[Intentional top post] Moderator to the white courtesy phone please... Folk come to this list for discussions and advice on using BIND, not for A: discussions of mailing list etiquette or B: pissing matches. W On Fri, Aug 8, 2014 at 6:33 AM, Reindl Harald wrote: > who do you think you are that

Re: dns topology and zone transfer over wan links

2014-10-15 Thread Warren Kumari
On Wednesday, October 15, 2014, Darcy Kevin (FCA) wrote: > I’m sorry to disappoint you, but I actually think, based on the info > you’ve shared thus far, you’re probably on the wrong side of this argument. > > > > Zone transfer has been incremental, by default, for some time now, so I > wouldn’t

Re: Digging to the final IP

2014-10-21 Thread Warren Kumari
On Mon, Oct 20, 2014 at 1:19 PM, Mark Andrews wrote: > > Why do we need to have a option to dig to massage the results into > every possible different form? > > dig A $name | awk '$0 ~ /status/ && $0 !~ /status: NOERROR,/ { > sub(",", "", $6 ); print $6; x=1 >

Re: Sudden large increase in process size, machine hang

2014-12-03 Thread Warren Kumari
On Wed, Dec 3, 2014 at 1:39 PM, Thomas Schulz wrote: > This last week we had a sudden large increase in the size of the named > process resulting in the machine running out of memory and hanging. > This is with bind 9.9.6 on a Solaris 10 Sparc machine. This is probably going to be an annoying sug

Re: Problem with resolution

2014-12-17 Thread Warren Kumari
On Wed, Dec 17, 2014 at 9:41 AM, Baird, Josh wrote: > Hi, > > Does anyone see anything strange about the two hosts? > > www.ca.greattextbookgiveaway.com > www.sorteodelibrospucmm.com.do > > My BIND 9.9.4 servers are unable to resolve these hosts, but I have older > servers that can. I noticed th

Re: can't-resolve

2014-12-26 Thread Warren Kumari
What OS is this machine running? Interestingly enough, it is unpingable, and a quick nmap fingerprints it as: Running: Sun Solaris 8 OS CPE: cpe:/o:sun:sunos:5.8 OS details: Sun Solaris 8 (SPARC) nmap could only find one open port (TCP 53 :-)) and so its fingerprinting is unreliable, but it *does

Re: can't-resolve

2014-12-26 Thread Warren Kumari
This really looks like a firewall -- perhaps there is some firewall software on the box itself? W On Fri, Dec 26, 2014 at 6:17 PM, Warren Kumari wrote: > What OS is this machine running? > > Interestingly enough, it is unpingable, and a quick nmap fingerprints it as: > Running: Sun Sol

Re: can't-resolve

2015-01-04 Thread Warren Kumari
you'd been mistaken... W > > > > -Original Message- > From: bind-users-boun...@lists.isc.org > [mailto:bind-users-boun...@lists.isc.org ] On Behalf Of Ejaz > Sent: Sunday, December 28, 2014 11:10 AM > To: 'Warren Kumari'; 'Barry Margolin' > Cc: co

Re: Odd response from upstream DNS servers

2015-01-06 Thread Warren Kumari
On Tue, Jan 6, 2015 at 2:48 PM, Evan Hunt wrote: > On Tue, Jan 06, 2015 at 01:03:10PM -0600, Levi Pederson wrote: >> However I can see the request come back to my server only to be rejected as >> FORMERR and DNS format error badresp:1 > > It looks like the upstream server sent a badly formatted r

Re: reject invalid dns queries

2015-01-14 Thread Warren Kumari
Perhaps if you explained a little more clearly what you are trying to accomplish you might get more replies... What are "invalid DNS queries"? What are they in the configuration? On Wed, Jan 14, 2015 at 5:53 AM, Daniel Dawalibi wrote: > Hello, > > > > > > Is there any solution to drop the inval

Re: AW: Disable DNSSEC Validation for selected Domains

2015-01-14 Thread Warren Kumari
NSEC. W On Wed, Jan 14, 2015 at 5:12 PM, Stuart Browne wrote: >> Unfortunately we can't sign the fictional TLD, since we are neither master >> nor slave of the zone. >> We are just forwarding our queries to a foreign authoritative Server. >> >> Regards, >> Stefan > > If the zone isn't signed, it shou

Re: Observed named crash crit named[4294]: mem.c:1094: INSIST(ctx-stats[i].gets == 0U) failed

2015-02-17 Thread Warren Kumari
You are running a really old version of BIND - 9.7.x, deprecated in ~2012. It has numerous remotely exploitable, high severity security issues, see: https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html There seem to be a number of bugs that could have caused that crash,

Re: Testing RFC 5011 key roll

2015-04-20 Thread Warren Kumari
On Mon, Apr 20, 2015 at 3:41 PM, Edward Lewis wrote: > Thanks. rm'd the file and added the timers. (I did that also after > sending, so it is the deleting the old file that did the trick.) The > start-up lines look good. > > Got an AD bit again too. > > (I may have a few more issues as I move t

Re: Testing RFC 5011 key roll

2015-04-20 Thread Warren Kumari
On Mon, Apr 20, 2015 at 4:33 PM, Evan Hunt wrote: > On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote: >> That page says (for BIND): >> "Note: When using this config file you will probably need to delete >> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3ce

Re: Testing RFC 5011 key roll

2015-04-21 Thread Warren Kumari
On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis wrote: > On 4/21/15, 9:45, "Tony Finch" wrote: >>rndc secroots >> >>You can also look in the .mkeys file. > > I tried secroots with my set up, I got nothing despite the mkeys file. > (Kind of asking - does that work?): > > (I had my rndc port bumped o

Future of BIND's built-in empty zone list

2015-05-15 Thread Warren Kumari
On Thursday, May 14, 2015, Rob Foehl > wrote: > On Thu, 14 May 2015, Chris Thompson wrote: > > Now that RFCs 7[5]34 & 7[5]35 have been published, how do ISC see the >> future >> of the seemingly ever-expanding built-in empty zone list in BIND? >> >> One possibility that seems plausible to me is t

Re: different answers for different users - are views my only option?

2015-06-11 Thread Warren Kumari
On Thu, Jun 11, 2015 at 10:11 AM, Tony Finch wrote: > McDonald, Dan wrote: > >> Is there a way to use RPZ to return different answers depending on the >> ip address of the querying box? > > Yes in 9.10 but not in 9.9. However I think rpz-client-ip triggers rewrite > all queries from matching clie

Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA

2015-06-15 Thread Warren Kumari
On Mon, Jun 15, 2015 at 8:41 AM, Gaurav Kansal wrote: > Dear All, > > > > I am not able to query over IPv6 from F.ROOT-SERVERS.NET over IPv6 from > India. > > The F Root server instance is hosted in NIXI in India. I just wanted to confirm - you are trying to ping 2001:4f8:0:2::69, yes? What IP /

Re: Automatic . NS queries from BIND

2015-06-15 Thread Warren Kumari
On Mon, Jun 15, 2015 at 3:06 PM, Kevin Oberman wrote: > On Mon, Jun 15, 2015 at 5:56 AM, Gaurav Kansal wrote: >> >> Dear Team, >> >> >> >> My caching DNS server is generating log of . NS queries to ROOT Servers. >> >> I have a hint file in my bind configuration and the same is up to date. >> >> >

Re: Automatic . NS queries from BIND

2015-06-17 Thread Warren Kumari
On Wed, Jun 17, 2015 at 9:59 AM, Anand Buddhdev wrote: > On 17/06/15 15:00, Matus UHLAR - fantomas wrote: > > Hi Matus, > >> well, the hard-coded hints file changes whenever new BIND release gets out, >> while the bungled hints file may be updated by packagers or manually. >> >> I'd say that the b

Re: Can I run two name servers on one host with two IP addresses?

2015-08-20 Thread Warren Kumari
On Thu, Aug 20, 2015 at 12:14 PM, Tony Finch wrote: > /dev/rob0 wrote: >> >> This is good news! I knew there were several good choices for free >> DNS hosting, but this is the first I heard of them supporting signed >> zones. > > https://web.gratisdns.dk/ > https://puck.nether.net/dns/ > I have

Re: monitoring/graphing/tracking named queries

2015-11-13 Thread Warren Kumari
See: DSC - http://dns.measurement-factory.com/tools/dsc/ Hedgehog - https://github.com/dns-stats/hedgehog/wiki ("demo": http://stats.dns.icann.org/hedgehog/hedgehog.html ) W On Fri, Nov 13, 2015 at 5:45 PM, Frank Even wrote: > What does everyone do for monitoring their DNS traffic, if anything?

Re: Panic due to insist assertion error in BIND 9.6.2-P2

2015-12-03 Thread Warren Kumari
BIND 9.6.2-P2 was EOL February 2014. It has many security issues: https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html Why wouldn't you just install a "current" from https://www.isc.org/downloads/ ? (e.g: 9.10.3 or 9.9.8) W On Thu, Dec 3, 2015 at 5:30 AM manasa gowd

Re: Allow-Query=any

2016-01-07 Thread Warren Kumari
On Thu, Jan 7, 2016 at 3:25 PM Reindl Harald wrote: > > > Am 07.01.2016 um 21:18 schrieb G.W. Haywood: > > Hi there, > > > > On Thu, 7 Jan 2016, Reindl Harald wrote: > > > >> ... when somebody wants information which exists in > >> the DNS he can ask for that information - unconditionally > > y

Re: Allow-Query=any

2016-01-07 Thread Warren Kumari
From: bind-users-boun...@lists.isc.org [mailto: > bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald > Sent: Thursday, January 07, 2016 4:41 PM > To: bind-users@lists.isc.org > Subject: Re: Allow-Query=any > > > Am 07.01.2016 um 22:31 schrieb Warren Kumari: > > Reind

Re: DNS BIND traffic capture ICMP/UDP

2016-01-15 Thread Warren Kumari
On Fri, Jan 15, 2016 at 8:49 AM Daniel Dawalibi wrote: > Hello > > > > We observed an unusual traffic combining ICMP and UDP packets while > running the tcpdump command on the DNS caching server > > Kindly note that only UDP DNS traffic is allowed on this server (ICMP is > not allowed from outsid

Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
The standard, compatible way to do this is simply to do a lookup for the SOA record and make sure that the serial number matches what you expect it to be / what is on the master. I'm not sure what monitoring tool you are using (or if you are writing your own), but most standard monitoring tools hav

Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
There are also transfer logs -- you could watch those and see if you are getting any failures, but this seems, um, more brittle.. W On Mon, Feb 8, 2016 at 6:22 AM Klaus Darilion wrote: > > > Am 08.02.2016 um 14:59 schrieb Warren Kumari: > > The standard, compatible way to do this

Re: Interesting behavior with wildcard domains

2016-02-24 Thread Warren Kumari
On Wed, Feb 24, 2016 at 12:30 PM Mark Andrews wrote: > > In message , Mathew Ian Eis > write > s: > Illegal character '-' in input file. > > Hi BIND, > > > > Ive encountered (quite by accident) an interesting behavior in BIND with > > wildcard domains: > > > > The relevant configuration is a zone

Re: Ns records rfc

2016-03-05 Thread Warren Kumari
... also, you mention TLD zone - if this is for a gTLD, ICANN has some additional requirements, including more than one AS number. W On Sun, Mar 6, 2016 at 5:11 AM S Carr wrote: > On 6 March 2016 at 04:08, rams wrote: > > Is there any rfc that a tld zone should have at least two ns records when

Re: DNS Service Discovery

2016-03-13 Thread Warren Kumari
On Sun, Mar 13, 2016 at 2:34 AM David Li wrote: > Hi Everyone, > > Is this the right place to ask general DNS-SD questions? If not, can > someone point me to the right list? I can't seem to find one. > It almost definitely is not the right place, but what is the question? Perhaps someone can poi

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-25 Thread Warren Kumari
On Fri, Mar 25, 2016 at 12:49 PM John Wobus wrote: > On Mar 18, 2016, at 6:28 AM, Barry Margolin wrote: > > In article , > > Mark Andrews wrote: > > > >> How do you actually expect this to ever work in real life? > > > > I'm pretty sure Google DNS does this. Other resolver operators often get >

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-26 Thread Warren Kumari
On Mon, Apr 25, 2016 at 2:34 PM Matthew Pounsett wrote: > > > On Monday, 25 April 2016, wrote: > >> >> >> On Mon, Apr 25, 2016, at 10:58 AM, Matthew Pounsett wrote: >> > It's not clear to me why one would want to destroy/rebuild the chroot >> every >> > time you restart the process. >> >> Well,

Re: Monitor DNS queries toward Root severs

2016-05-05 Thread Warren Kumari
On Wed, May 4, 2016 at 4:37 AM, Daniel Dawalibi wrote: > Hello > > > > Is there any tool or configuration that allows us to monitor/graph the > number of outbound DNS queries toward the Root servers? > Others have provided information on how to capture the traffic. > As you can see in the below

Re: UDP Packet Hack

2016-06-21 Thread Warren Kumari
Sorry, but isn't this almost exactly the same question which you asked in: https://lists.isc.org/pipermail/bind-users/2016-June/097012.html ("Append a Hard-coded Text Tuple into Additional Section of "dig" Feature") ? And "Query "resolver" and "lwresd" via "dig"" ? Perhaps if you explained what yo

Re: disable ipv6 source query

2016-06-21 Thread Warren Kumari
On Tuesday, June 21, 2016, Mark Andrews wrote: > > server ::/0 { bogus yes; }; Eeeeww! That's gross, but in a bizarrely satisfying way. W > > In message < > cajs9+yby3vl3kehtjmt58ekqrf6qazfvt3khvy05q26lmpt...@mail.gmail.com > >, Hillary Nelson writes: > > We are moving our v6 DN

Re: Can anyone tell me a good DNS server testing program

2016-06-22 Thread Warren Kumari
Kinda depends on what you are testing, but there is also Nominum's dnsperf: http://nominum.com/measurement-tools/ This is easy to install, simple to use, and comes with a sample query file. W On Wed, Jun 22, 2016 at 8:48 AM, Emil Natan wrote: > queryperf, supplied with BIND, found under contrib.

Re: Additional Section - TXT Format?

2016-07-11 Thread Warren Kumari
On Sat, Jul 9, 2016 at 12:56 AM, Ian Manners wrote: > Hi Jun Xiang X Tee, > >> I have a simple question here. Is it possible to have >> a TXT format tuple appearing at the additional section? > > Are you meaning to ask what switches dig requires to > return txt records that include a term such as

Re: Breaking trusted chain in dnssec

2016-07-13 Thread Warren Kumari
Or nsec3 with opt-out? The question is unclear... W On Wednesday, July 13, 2016, Tony Finch wrote: > rams > wrote: > > > Can anyone explain how to break the trusted chain in dnssec, with an example of how > to > > create a zone or data with a trusted chain break. > > Create a delegation without a DS record.

Re: rndc on local host: need named running?

2016-08-27 Thread Warren Kumari
On Saturday, August 27, 2016, Tom Browder wrote: > My plan is to have two remote, authoritative name servers (master and > slave) for my owned domains. I would like to use rndc to control them from > my local host. > > A couple of questions: > > 1. Does named need to be running on the local host
