Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Havard Eidnes via bind-users
rds. Regards, - Håvard -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.o

Re: Best practice MultiView

2023-04-21 Thread Greg Choules via bind-users
ent from the sender. Yixi Meta is registered with the Dutch Chamber of > Commerce trade register with number 85744115.* > -- > *From:* Greg Choules > *Sent:* Wednesday, April 19, 2023 11:01:00 PM > *To:* Jiaming Zhang > *CC:* bind-users@lists.isc.org > *Subject:* R

Old ZSK refuses to retire

2023-04-26 Thread Carsten Strotmann via bind-users
Hi, I have a situation where in a BIND 9 zone with dnssec-policy and inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire. Although the timing metadata shows the retire and deletion dates in the past, the ZSK is still in the zone and is signing the records (along with the

Catalog zone failure

2023-04-29 Thread Gregory Shapiro via bind-users
.ext IN TXT "ns-gshapiro-net-xfer" allow-query.ext IN APL 1:0.0.0.0/0 ;; Zones (% printf '\7example\3org\0' | openssl sha1) 8477e81e5c5997a573ae2f33b5863c403c5d45fc.zones IN PTR gshapiro.net.

Re: Catalog zone failure

2023-04-30 Thread Gregory Shapiro via bind-users
hy the zone entries would use that tsig labeled one instead of the globals since they were not referencing the tsig custom properties. Thanks for the pointer, I'm up and running.

gss-tsig for zone transfers

2023-05-02 Thread Richard Feltstykket via bind-users
Hello, I have gss-tsig running for authenticating dynamic DNS update requests for a small MIT Kerberos realm, which is working fine. Is it possible to further use gss-tsig for zone transfers instead of shared keys? Thanks, Richard

rpz_rewrite(): failure

2023-05-09 Thread Wilfred Sarmiento via bind-users
Hi Bind Users, Any one familiar with the error we encountered on DNS BIND 9.18.2 Ubuntu for DNS Caching, below; We are using RPZ for redirecting domains (porn sites) where we already have 20k+ entries. The domain (globem2m.com.ph) from below logs is not in the RPZ list but was processed for RPZ

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
Hello. By far the simplest way to install BIND natively on Mac is to use the Homebrew package manager. I have 9.18.14 installed on mine and it works fine. The other alternative is to run it from the Docker image. See here for details: https://hub.docker.com/r/internetsystemsconsortium/bind9 Hope

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
The named binary *could* exist in many places; it depends on the OS. For example, with a Homebrew install on my Mac it's here: /usr/local/Cellar/bind/9.18.14/sbin/named because of this build parameter: --prefix=/usr/local/Cellar/bind/9.18.14 It's linked to from /usr/local/opt/bind/sbin/

Re: Problem with subdomain delegation - NS RR ignored?

2023-05-10 Thread Nick Tait via bind-users
S record # host -t a ns1.fish.hub localhost > Host ns1.fish.hub not found: 3(NXDOMAIN) # host -t NS fish.hub localhost > Host fish.hub not found: 3(NXDOMAIN) Any suggestions gratefully received.  Pertinent parts of named.conf and zone file are shown below, if you need more info plea

Re: rpz_rewrite(): failure

2023-05-15 Thread Wilfred Sarmiento via bind-users
Hi Darren, Sorry for late response, see below scrubbed config; We updated the bind to 9.18.14 but still experienced the same issue. controls { inet 127.0.0.1 port 953 allow { 127.0.0.1/32; } keys { "rndc-key"; }; }; logging { channel "default_syslog" { fil

Re: host restriction

2023-05-16 Thread Grant Taylor via bind-users
hings out of cache that 192.168.1.10 & 192.168.1.11 queried from ${UPSTREAM_DNS_PROVIDER}. Grant. . . .

Re: resolver: DNS format error from

2023-05-17 Thread Greg Choules via bind-users
Hi Alex. TL;DR 9.18 is stricter than 9.16 at handling junk responses from authoritative servers. Looking at a packet capture for this from my own BIND server (9.18.14) the response from 195.178.56.17 is FORMERR, which tends to mean that it objects to something in the query. The correct response

RHEL, Centos, Rocky, Fedora rpm 9.16.41

2023-05-17 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source rpm, and build instructions. This .src.rpm contains a .tar.gz file with the ARM documentation, so the rpm rebuild process does not need sphinx-build and associated dependencies

Re: thank you - Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-30 Thread Greg Choules via bind-users
You are most welcome, I'm glad you got it running. Now the fun starts! :D Greg On Tue, 30 May 2023 at 21:02, Pacific wrote: > Thank you and to everyone who took the time to respond. Your collective > input did the trick and I now have bind running successfully through a brew >

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-01 Thread Nick Tait via bind-users
On 2/06/23 15:02, Jesus Cea wrote: What I get from your reply is that BIND is not expected to do anything about this. It is a bit disappointing but I agree that BIND is doing the right thing. Too bad big players don't care. But I need to "solve" this, so dropping BIND (noo

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-06 Thread Havard Eidnes via bind-users
v5.com. cloud.huawei.com. 600 IN NS ns4.dnsv5.com. So... Neither of those three appear to even implement the concept of "zone", and the observed behaviour ensues, as the SOA when asked for or NS records for that name results in an upwards referral, and that now t

Re: Controlling which interface named uses

2023-06-11 Thread Paul Kosinski via bind-users
nt named to use, but might want other outgoing traffic to use, you would need some "policy based routing", which can get complicated. In Linux, this is controlled by "ip rule" (not "ip route").

dnssec not automatically updating on 1 server

2023-06-15 Thread Michael Martinell via bind-users
"rndc reconfig && rndc reload && systemctl restart bind" on both servers. They are both Centos 7 running Bind 9.16.40. When it fails, I get this message: [root@ns2 ~]# delv itctel.com @ns2.itctel.com ;; validating itctel.com/A: verify failed due to bad signature (

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
t! for that does not work for a domain name that > already has the return code "SERVFAIL" and we want to change this code by > "NXDDOMAIN" like this domain name "antlauncher.com" > regards Rahal > > -Original Message- > From: bind-users

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
s why I wanted to change the return code for this > domain name to "NXDOMAIN" so as not to distort the monitoring result . > > Regards > > *From:* Greg Choules > *Sent:* Monday, 19 June 2023 10:03 > *To:* RAHAL Sami SOFRECOM > *Cc:* bind-users@lists.isc.org >

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami. That's not what I said. Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but it's not something I would do. Cheers, Greg On Mon, 19 Jun 2023 at 12:40, wrote: > Thank you Greg > > So if I understand correctly if we receive a servfail

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
;antlauncher.com" doesn't is down > to BIND needing to perform recursion and get an answer before RPZ kicks in > and overwrites it (unless you specify `qname-wait-recurse no;`). " > example.com" actually gets an answer (from IANA) but "antlauncher.com" > get

AW: Tools to mesure performance and benchmarking of a DNS

2023-06-21 Thread Klaus Darilion via bind-users
There are several tools with different features and behavior. I would take a look at dnsperf, kxdpgun and flamethrower regards > -Original Message- > From: bind-users On behalf of > sami.ra...@sofrecom.com > Sent: Wednesday, 21 June 2023 17:59 > To: bind-user

RHEL, Centos, Rocky, Fedora rpm 9.16.42

2023-06-22 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source rpm, and build instructions. This .src.rpm contains a .tar.gz file with the ARM documentation, so the rpm rebuild process does not need sphinx-build and associated dependencies

Re: Controlling which interface named uses

2023-06-27 Thread Grant Taylor via bind-users
ic to match LAN to LAN configuration in the VPN. (LAN A)---[.1 R1 .83]---(Internet)---[.77 R2 .1]---(LAN B) Something like / from memory: r1# ip route add $LANB via $GW from $LANA.1 Grant. . . .

Re: latency and response time

2023-06-27 Thread Greg Choules via bind-users
nce between the two values? > > > > Regards, Sami

Re: Master file permission denied

2023-06-28 Thread Danilo Godec via bind-users
Hello, I think chmod ug+x /etc/bind/zonas/ should solve the issue by giving the owner (bind) and the group (bind) permissions to enter the directory.   Danilo On

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-28 Thread Greg Choules via bind-users
4]. > > I have a system that has two network cards on both the 192.168.10.X > network and 10.32.10.X network. > > I have a remote system that is also configured to on both networks, with > hostnames on both domains/networks. > > I have a hostname entry in my primary mast

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
Hi Ubence. That is starting to get complex! Firstly, yes BIND parses views top down, so order matters. Secondly, most specific domain wins (like more specific routes). I now see that you have created three levels of zones: domain.com lab.domain.com system.lab.domain.com This config looks like

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Grant Taylor via bind-users
On 6/29/23 6:44 AM, Matus UHLAR - fantomas wrote: bind has "sortlist" statement that could do what you want. It will provide all IPs but sorted differently. +1 to "sortlist". I couldn't remember the exact nomenclature nor how it was used. Otherwise, you can s

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
elow is the config from the lab DNS server at 10.32.1.6/192.168.10.183: > include "/etc/bind/rndc.key"; > include "/etc/bind/ddns-key.key"; > > zone "lab.domain.com" { > type master; > forwarders {}; > file "/var/lib/bind/db.lab.domain.com"; >

RE: How to update zone with dnssec-policy

2023-07-03 Thread Nick Tait via bind-users
2/07/23 11:29 PM (GMT+12:00) To: bind-users@lists.isc.org Subject: How to update zone with dnssec-policy Dear all,I have the following problem that changes in a zone file do not get active, no matter if I reload the zone using rndc or restarting bind 9.16.42 on FreeBSD.If I update a zone I edi

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-07-07 Thread Jakob Bohm via bind-users
misconfiguration works fine for 99.9% of their users, clients of more "lax" DNS resolvers. What I get from your reply is that BIND is not expected to do anything about this. It is a bit disappointing but I agree that BIND is doing the right thing. Too bad big players don't care. But I

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-07-07 Thread Jakob Bohm via bind-users
On 2023-07-07 12:17, Emmanuel Fusté wrote: On 07/07/2023 at 11:57, Jakob Bohm via bind-users wrote: On 2023-06-02 05:02, Jesus Cea wrote: On 2/6/23 4:25, Mark Andrews wrote: Yep, some people just don’t take care with delegations.  Complain to Huawei. Complain to the other companies you

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-07-10 Thread Havard Eidnes via bind-users
180 IN SOA ns3.dnsv5.com. enterprise3dnsadmin.dnspod.com. 1688974445 3600 180 1209600 180 ... Again, "Additional" count is wrong, and the SOA owner name is wrong -- it should have been cloud.huawei.com, since the copy of the NS RRset from the huawei.com zone indicates tha

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-07-10 Thread Havard Eidnes via bind-users

Re: extended dns error

2023-07-12 Thread Greg Choules via bind-users
c:8042 > 11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at > resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain: > cadyst.com > ,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0] > > Regard

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-16 Thread Greg Choules via bind-users
Real data please: - example queries (genuine, not invented for illustration) - real domains - real IP addresses - packet captures - both BIND server configs - zone file contents - startup logs There are so many things it *could* be, the more information the better. Cheers, Greg On Sun, 16 Jul

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-17 Thread Greg Choules via bind-users
or may not give the result > you were expecting. > - I did a dig for "specific.wildcard-test.dynx.me" against my own BIND > server and it resolved to 1.1.1.1. So the issue is with your resolver. This > is not new, just confirming that this must be the problem end, not the auth > e

Why are XFRs to Secondaries equally fast?

2023-07-27 Thread Klaus Darilion via bind-users
2361 seconds 2361 seconds 2362 seconds For example, there are 8 secondaries (Mumbai, LosAngeles, Melbourne, Atlante, SaoPaulo...) to which the XFR took 2361 seconds. Are there some mechanisms in Bind that put multiple XFRs together into a common stream? Or do you have any other ideas how it come that

AW: Why are XFRs to Secondaries equally fast?

2023-07-27 Thread Klaus Darilion via bind-users
Hi Petr! > > For example, there are 8 secondaries (Mumbai, LosAngeles, Melbourne, > > Atlante, SaoPaulo...) to which the XFR took 2361 seconds. > > > > Are there some mechanisms in Bind that put multiple XFRs together into > a > > common stream? Or do you have

Re: Zone Transfers Being Refused

2023-07-31 Thread Nick Tait via bind-users
. Original message From: Ondřej Surý Date: 31/07/23 8:10 PM (GMT+12:00) To: matt...@peregrineit.net Cc: bind-users@lists.isc.org Subject: Re: Zone Transfers Being Refused Well, for starters your primaries list 192.168.2.10, but your logs show connection from 192.168.1.1…--Ondřej Surý — ISC

Re: TLS Statistics

2023-08-02 Thread Mark Elkins via bind-users
ure doesn’t yet exist but is tentatively planned for the 9.19.x timeframe. You can see more about it here: https://gitlab.isc.org/isc-projects/bind9/-/issues/2748 <https://gitlab.isc.org/isc-projects/bind9/-/issues/2748> Best, Richard. *From:*bind-users *On Behalf Of *Ritterhoff, Flori

Zone stats

2023-08-21 Thread Mark Elkins via bind-users
ost Internet in ZA: https://ftth.posix.co.za <https://ftth.posix.co.za> Posix SystemsVCARD for MJ Elkins

Re: Zone stats

2023-08-21 Thread Grant Taylor via bind-users
On 8/21/23 10:11 AM, Mark Elkins via bind-users wrote: Hi, Hi, 1) Count how many delegated domains there are (Names with NS records) Mind your $ORIGIN and check the number of NS record owners. 2) Extract the above Names - so I can look for changes (Added/Deleted names) I suspect that

Re: help me with the ipv6 PTR generation

2023-08-24 Thread Greg Choules via bind-users
You may already have BIND installed; most distros do. If not, it's easy. You don't *have* to run named, but tools like this (and dig, particularly) are very useful to have. Do "which arpaname" to see if you have it already. Cheers, Greg On Thu, 24 Aug 2023 at 08:00,

Re: Zone stats

2023-08-27 Thread Mark Elkins via bind-users
t Internet in ZA: https://ftth.posix.co.za <https://ftth.posix.co.za>

Re: Facing issues while resolving only one record

2023-08-30 Thread Greg Choules via bind-users
Hi Blason. "incometax.gov.in" is a domain known to cause problems. Take a binary packet capture and look at it in Wireshark. Also see this https://dnsviz.net/d/incometax.gov.in/dnssec/ A workaround in BIND is to disable DNSSEC validation for just that domain whilst leaving it on gene

Re: Facing issues while resolving only one record

2023-08-30 Thread Mark Elkins via bind-users
ELKINS  -  Posix Systems - (South) Africa m...@posix.co.za   Tel: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za <https://ftth.posix.co.za>

Re: Recursive client query rate-limiting

2023-08-30 Thread Greg Choules via bind-users
ime. This is so that, for popular domains, BIND only has to get an answer once, for all clients who want it. There is no such thing though as per-client query rate limiting. However, there is response rate limiting, configured with "rate-limit", which (as the name implies) limits the rate a

Multiple master servers for the same zones

2023-09-04 Thread Leroy Tennison via bind-users
check for those issues?  Thanks for any insight.

Re: Multiple master servers for the same zones

2023-09-06 Thread Leroy Tennison via bind-users
Thanks for your reply, I certainly appreciate it. On Tuesday, September 5, 2023 at 12:24:30 PM CDT, Fred Morris wrote: On Tue, 5 Sep 2023, Leroy Tennison via bind-users wrote: > > After some recent upgrading it was discovered that both DNS servers were > configured as mas

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Greg Choules via bind-users
primary because it already has the zone file stored locally. Just change the "type", leave the "file" statement alone and delete (or comment) the "primaries". Does that help? Greg On Thu, 7 Sept 2023 at 19:31, Fred Morris wrote: > Re-reading the KB article refe

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Leroy Tennison via bind-users
ready has the zone file stored locally. Just change the "type", leave the > "file" statement alone and delete (or comment) the "primaries". Agreed. > Does that help? No. I have personally set up and administered a corosync / pacemaker cluster to do a st

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-08 Thread Leroy Tennison via bind-users
th, as examples. Not the whole config.- "rndc zonestatus ". Use the same zones you chose from above. Let’s see what we see.Cheers, Greg On 8 Sep 2023, at 01:24, Leroy Tennison via bind-users wrote: Just to clarify, the configuration I was referring to was supposed to have a master and slav

Re: consolidating in-addr.arpa data

2023-09-15 Thread Greg Choules via bind-users
Hi John. Can you tell me a bit more please? - What zones exist in both BIND and MS DNS for something.10.in-addr.arpa? - Where are hosts auto registering to? I'd guess MS, but it would be good to confirm. - What does fragmentation look like? A few real examples would be useful. I'm

Re: consolidating in-addr.arpa data

2023-09-15 Thread Greg Choules via bind-users
DNS of the list of zones. Screenshots? In a mailing list?? Try it anyway. You can redact hostnames if you like, though they won't mean anything out of context. Secondly, why do you have ...10 in BIND at all? What's its purpose? Next, I would keep it simple. Don't try and replica

Re: consolidating in-addr.arpa data

2023-09-16 Thread G.W. Haywood via bind-users
Hi there, On Sat, 16 Sep 2023, John Thurston wrote: A host which auto-registers in MS DNS, creates an A in foo.alaska.gov and PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those. But the DNS system running on BIND also has a whatever.10.in-addr.arpa zone. So if I want to

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
. Haywood via bind-users < bind-users@lists.isc.org> wrote: > Hi there, > > On Sat, 16 Sep 2023, John Thurston wrote: > > > A host which auto-registers in MS DNS, creates an A in foo.alaska.gov > > and PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those. >

Re: consolidating in-addr.arpa data

2023-09-16 Thread G.W. Haywood via bind-users
ard, I'd really like to know in case I ever come up against this myself. (And it's the thirtieth anniversary of RFC1517. What did we miss? :) -- 73, Ged.

Re: consolidating in-addr.arpa data

2023-09-16 Thread Paul Kosinski via bind-users
On Sat, 16 Sep 2023 10:22:26 +0100 (BST) "G.W. Haywood via bind-users" wrote: > Hi there, > ... >I'd be surprised if the OP couldn't manage with 2^20 IPs in a segment - > but then I guess he does work in the .gov domain. ^^^

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
g different > technologies both want a piece of the 10 pie. So it doesn't make sense that > both of them have the whole /8. He needs to make a decision about which DNS > is higher in the pecking order. Personally I would make it BIND. > For instance, if you use 10.1 in MS land but

Re: Forwarders working differently on bind9.8 & bind9.11

2023-09-19 Thread Greg Choules via bind-users
> > zone "example.com" IN { > type forward; > forwarders { 127.0.0.1 port xxx; a.b.c.d port xxx; }; > forward only; > }; > > > Please share any other possible solutions.

RHEL, Centos, Rocky, Fedora rpm 9.16.44

2023-09-20 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source rpm, and build instructions. This .src.rpm contains a .tar.gz file with the ARM documentation, so the rpm rebuild process does not need sphinx-build and associated dependencies

Re: Should I set parental-agents to localhost?

2023-09-22 Thread Nick Tait via bind-users
that server is publishing the new DS record. I suppose the theoretical risk with #1 is that because the responses from the authoritative servers aren't validated, it would be possible for a MITM to trick BIND into thinking that the new DS records had been published before they actually

Re: KSAP - How to manually rollover keys documentation?

2023-09-29 Thread Nick Tait via bind-users
g-dnssec>/./ Nick.

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
me both DNSKEY records for the ZSK after I initiate the rollover when there should be overlap as described in Automatic DNSSEC Zone Signing Key rollover explained (isc.org) <https://kb.isc.org/docs/aa-00822>? Bind 9.16.23 which seems to be the newest release provided by my distributi

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
't stick around. I can only assume that the reason you have rumoured state is because you are trying to roll your ZSK too soon after the previous ZSK rollover? Have you checked the various timing settings in the KASP definition? Nick. On 30/09/23 11:32, Nick Tait via bind-users wrote: On 2

9.18 BIND not iterated over all authoritative nameservers

2023-10-27 Thread Michael Martinell via bind-users
Hello, At this point I am hoping that somebody might have a workaround so that we can exclude domains from this behavior if they are broken on the far end. Does anybody have a workaround for this? We are a small ISP and run BIND compiled from source. We currently run 9.16.x Every time we try

Re: 9.18 BIND not resolving .gov.bd site

2023-10-30 Thread Lefteris Tsintjelis via bind-users
mofa.gov.bd.86400 IN NS ns1.bcc.gov.bd. mofa.gov.bd.86400 IN NS ns2.bcc.gov.bd. couldn't get address for 'ns1.bcc.gov.bd': not found couldn't get address for 'ns2.bcc.gov.bd': not found dig: couldn't get address for

RE: 9.18 BIND not iterated over all authoritative nameservers

2023-10-30 Thread Michael Martinell via bind-users
, but it will take a large company to push them to do so. Michael Martinell Network/Broadband Technician Interstate Telecommunications Coop., Inc. From: bind-users On Behalf Of Paul Stead Sent: Saturday, October 28, 2023 11:35 AM Cc: bind-users@lists.isc.org Subject: Re: 9.18 BIND not iterated

How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
Hi, I am fairly new to bind but I am thinking my company's use of it is sub-optimal. We have two bind masters (and a few slaves), one for internal use so all our internal servers point to it or its slaves as their DNS resolvers. I will call the internal one bind-internal and the externa

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
Hmm, I'll admit to only skim reading it but is seems quite complicated for what I was hoping for. It would be trivial if I could change the bind-internal machine to using dnsmasq (ugh!). Then the bind-internal machine would serve up anything it explicitly knew about to the internal cl

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
On 03/11/2023 17:17, Marco M. wrote: On 03.11.2023 at 15:51:32, Nick Howitt via bind-users wrote: As this site is externally accessible as well, we also have to put an identical entry in bind-external so we end up having many identical entries in bind-internal and bind-external. It seems

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
On 03/11/2023 17:54, Marco M. wrote: On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote: My problem is the use of external IP's duplicated between the internal and external masters for some IPs/FQDNs which I want to get rid of. Implement IPv6 and get rid of the old

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
On 03/11/2023 18:06, Marco M. wrote: On 03.11.2023 at 17:58:51, Nick Howitt via bind-users wrote: On 03/11/2023 17:54, Marco M. wrote: On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote: My problem is the use of external IP's duplicated between the internal and ext

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
Unfortunately they are not separate subdomains. They are all part of the same domain. Can the bind-internal not be made to caching only and not authoritative? If so, how? On 03/11/2023 19:01, Andrew Pavlin wrote: Have you considered making your internal DNS servers unpublished secondaries for

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
On 03/11/2023 19:30, Marco M. wrote: On 03.11.2023 at 19:18:49, Nick Howitt via bind-users wrote: Can the bind-internal not be made to caching only and not authoritative? If so, how? Of course it can, simply remove the zone configuration, but it will then cache the records from the

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
On 03/11/2023 20:07, Marco M. wrote: On 03.11.2023 at 19:54:32, Nick Howitt wrote: How do you mean remove the zone information? In your /etc/bind are configuration files. Look for named.conf* and find those that include zones: zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" { t

Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Tait via bind-users
* You have two distinct sets of authoritative servers, which don't overlap in any way currently. E.g. Servers A (primary/master), B & C (secondaries/slaves) are authoritative for internal zone ("Bind-internal"); Servers C (primary), D & E (secondaries) are authorita

Re: Question about URL being logged by resolver

2023-11-03 Thread Nick Tait via bind-users
s it is almost certainly something that you will have no control over. E.g. It could be something bogus on a web page that these devices have all accessed? Nick. On 4/11/23 11:30, J Doe wrote: Hello, On a Bind 9.18.19 server configured as a recursive resolver, I sometimes see URL's be

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Nick Howitt via bind-users
ink I have any chance of pushing this through. Also DNSMasq does not support replication (but it could be scripted). I could look for other solutions but I doubt I would get anywhere in the company. I'll spend some time investigating option F, thanks. Nick On 04/11/2023 02:03, Nick Tait

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Nick Howitt via bind-users
do: https://www.ietf.org/archive/id/draft-ietf-add-split-horizon-authority-06.html#name-internal-only-subdomains It's just so much easier, particularly if you are starting from scratch.

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Nick Howitt via bind-users
ally because that will obscure the external version completely. Zones like "internal-www.example.com", "internal-mail.example.com" and what have you are fine because they are more specific than the g

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Greg Choules via bind-users
ely. Zones like "internal-www.example.com", "internal-mail.example.com" and what have you are fine because they are more specific than the general "example.com", queries for which will just fall through to the outside world along with any other name. That was a bit of

Catalog zone Notifies for child zones

2023-11-08 Thread G H via bind-users
nts of the child domain zone is to delete the /var/cache/bind contents and restart the slave daemon. What is the correct method of letting slave servers know that the child domain zones are changed? I really want to avoid putting an "also-notify" in the definition for child zone on the mas

Re: BIND-9.10.2-P4: Cannot use in-view to refer to RPZ zone definitions: "'$RPZ_ZONE' is not a master or slave zone"

2023-11-10 Thread Lannar Dean via bind-users
oal is still not achievable, unless I'm missing something. Is there some other mechanism to achieve this end result (sharing zones between different user populations without loading multiple copies of the zone into memory)? I am currently running BIND 9.16.44 by the way. Thanks for any advice!

in-view RPZ definitions

2023-11-10 Thread Lannar Dean via bind-users
If I add "type master;" to the cf1 zone in view B, I get zone 'cf1': 'in-view' used with incompatible zone options So it appears my goal is still not achievable, unless I'm missing something. Is there some other mechanism to achieve this end result (shar

Re: in-view RPZ definitions

2023-11-11 Thread Lannar Dean via bind-users
not sure if this approach will work, but at this point I'm grasping at straws. Thanks for your help PS - sorry for the double post to the mailing list, I wasn't sure if my last message in this thread went through. On Sat, Nov 11, 2023 at 11:31 AM Evan Hunt wrote: > On Fri, Nov 10, 202

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-11-13 Thread Nick Tait via bind-users
" (respectively). This was in spite of the fact that all RRSIG records were replaced with the new ZSK more than a week prior. I can only assume that the 9 days somehow relates to how long BIND wanted to allow itself to generate RRSIGs for all the records in a really, really large zone fil

Re: Stub zones, but secndary?

2023-11-19 Thread Nick Tait via bind-users

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Hi there. Can you send some information, for those unfamiliar with what you're trying to do? - Full BIND config - IP addresses of relevant things, like interfaces of the servers on which you are running BIND and of Teamviewer. - What does Teamviewer need from DNS? What kinds of queries

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
ee where key packets are going, whether you receive ICMP unreachables or retries etc. Also do some tests. If you have BIND you should also have dig. If you don't have dig, use Windows nslookup in interactive mode and send queries to the teamviewer NSs. Right now I would prove that the network is clean

mirror zone and hint zone?

2023-11-24 Thread Nick Tait via bind-users
rom my configuration, to avoid potential issues in future versions of BIND? Thanks, Nick.

license for config files

2023-11-27 Thread PJ Fanning via bind-users
Hi everyone, I'm a developer on the Apache Pekko project, an open source fork of Akka. One of our mentors has queried if we have a licensing issue for the files in this directory. https://github.com/apache/incubator-pekko/tree/main/actor-tests/src/test/bind/etc The configs there are

dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
Hi, I used this tutorial as reference to setup DNSSEC with SoftHSM2: https://kb.isc.org/docs/bind-9-pkcs11 I installed the Debian package instead of building libp11: libengine-pkcs11-openssl:amd64 0.4.12-0.1 It works until reaching this command: $ dnssec-keyfromlabel \ -E pkcs11 \ -a

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
Please do not feel obligated to reply outside your normal working hours. On 3. 12. 2023, at 18:41, Gérard Parat via bind-users wrote: Hi, I used this tutorial as reference to setup DNSSEC with SoftHSM2: https://kb.isc.org/docs/bind-9-pkcs11 I installed the Debian package instead of build

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
. Gérard On 03/12/2023 at 18:40, Gérard Parat via bind-users wrote: Hi, I used this tutorial as reference to setup DNSSEC with SoftHSM2: https://kb.isc.org/docs/bind-9-pkcs11 I installed the Debian package instead of building libp11: libengine-pkcs11-openssl:amd64 0.4.12-0.1 It works until

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-04 Thread Gérard Parat via bind-users
, but unless you have a specific reason to use PKCS#11 I would suggest to simply avoid it until the dust settles. Adding SoftHSM2 on top of BIND 9 doesn't really increase security as the user under named runs has to have access to the private key data anyway. Ondrej -- Ondřej Surý (He/Him)
