ction. At the domain register
I'll either point to this dns server or host the dns at the domain
register and point the A record to the IP.*
*Brian*
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bin
on't get any output
If I run
named-checkzone tst.com /var/named/tst.com.zone
I get:
zone tst.com/IN: loaded serial 1
OK
I checked the apache error log and it is empty.
Brian
On 07/03/2014 10:39 AM, Jeremy C. Reed wrote:
On Thu, 3 Jul 2014, brian wrote:
I'm new to bind. I want to be ab
Introduction
BIND 9.7.5 is the most recent production release of BIND 9.7.
This document summarizes changes from BIND 9.7.4 to BIND 9.7.5.
Please see the CHANGES file in the source code release for a
complete list of all changes.
Download
The latest versions of BIND 9 software can alw
Introduction
BIND 9.6-ESV-R6 is the most recent release of BIND 9.6-ESV.
BIND 9.6-ESV is an Extended Support Version of BIND 9.
This document summarizes changes from BIND 9.6-ESV-R5 to BIND
9.6-ESV-R6. Please see the CHANGES file in the source code
release for a complete list of all c
Introduction
BIND 9.8.2 is the latest production release of BIND 9.8.
This document summarizes changes from BIND 9.8.1 to BIND 9.8.2.
Please see the CHANGES file in the source code release for a complete
list of all changes.
Download
The latest versions of BIND 9 software can always b
Brian Paul Kroth 2013-01-15 23:19:
Hello All,
First, I'm not currently on the list, so please CC me if you could.
Let's try this again now that I'm on the list.
Next, I've been working on some scripts to get KSK rotation
semi-automated or at least alerting in our
Tony Finch 2013-01-17 12:02:
Brian Kroth wrote:
RFC 4035 sec 2.2 says
There MUST be an RRSIG for each RRset using at least one DNSKEY of
each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
itself MUST be signed by each algorithm appearing in the DS RRset
located at the
's caused us a few
problems, mostly in pointing out a few of our mistakes (eg: lazy zone
delegation [1]). Still, better to wade in than to jump in. On the
whole DNSSEC has been largely uneventful.
Key rollover is a non-trivial task though, one that I'm still working
through automating an
eliminated from the report).
I know nslint but work, so it has got to be something I'm doing, but
I just don't see it.
Any suggestions would be appreciated.
thank you,
Brian
---
Brian R C
missing?
On Fri, Jun 21, 2013 at 11:24:54AM -0700, Leonard Mills wrote:
> Hi Brian,
>
> I don't understand why you would expect to see errors, when nslint says:
>
> nslint: 0/131072 items used, 0 errors
>
> Zero items used/checked strongly i
newer nslint versions. Or what the
work-around is.
Do you?
thank you,
Brian
On Fri, Jun 21, 2013 at 11:24:54AM -0700, Leonard Mills wrote:
> Hi Brian,
>
> I don't understand why you
Thank you, that explains a lot.
Had assumed that the one nslint # yum found would be at least
somewhat current.
Will see if I can't find a newer one to install.
thank you,
Brian
On Sat, J
ferences. But this also
does not check A/PTR pairs, check for illegal characters "_" etc.
Oh - the purpose of having a test server for the database is because
we've accidentally dropped zones by causing syntax errors, by the time
we've run our checks we know we are passing val
Chris,
Looks like 3.0a2-1 understands views statement.
Not sure if there is a newer version, but this will
do the deed.
thank you,
Brian
On Mon, Jun 24, 2013 at 10:21:17AM -0700, Chris Buxton
thanks in advance,
Brian
---
Brian R Cuttler brian.cutt...@wadsworth.org
Computer Systems Support(v) 518 486-1697
Wadsworth Center(f) 518 473-6384
NYS Department of Health
new mount name, remains
to be seen...
Thank you,
Brian
On Fri, Sep 13, 2013 at 12:02:13PM -0700, Chris Buxton wrote:
> On Sep 11, 2013, at 8:11 AM, Brian Cuttler wrote:
> > We have remapped some of our DNS clients to point to another
> > DNS resolver, one that we do not co
ame syntax.
Thanks,
Brian Conry
ISC Support
ory in our knowledge base...
I can confirm that those patches do include several minor functionality
differences in addition to potentially significant performance improvements.
I apologize for the confusion.
Thanks,
Brian
---
Brian R Cuttler brian.cutt...@wadsworth.org
Com
records or explicitly allowing
recursive queries on our internal and private network.
On Wed, Sep 25, 2013 at 04:23:57PM -0400, Alan Clegg wrote:
>
> On Sep 25, 2013, at 3:23 PM, Brian Cuttler wrote:
>
> > In our switch from BIND 8.3.3 to 9.8.2 we failed to add the now
> >
---
Brian R Cuttler brian.cutt...@wadsworth.org
Computer Systems Support(v) 518 486-1697
---
Brian R Cuttler brian.cutt...@wadsworth.org
Computer Systems Support(v) 518 486-1697
Wadsworth Center
; fi
> sleep 60
> done
>
>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
ostmaster, Security, and Timelord!
>
---
Brian R Cuttler brian.cutt...@wadsworth.org
Computer Systems Support(v) 518 486-1697
Wadsworth Center
On Tue, Aug 05, 2014 at 09:21:07AM -0400, Brian Cuttler wrote:
>
> rndc addzone sounds like a very interesting tool, but
> if you want an automated sync, will require something to
> read the source config of the master and then write the
> requisite slave zone information for the d
On Tue, Aug 05, 2014 at 09:41:14AM -0500, /dev/rob0 wrote:
> On Tue, Aug 05, 2014 at 09:31:31AM -0400, Brian Cuttler wrote:
> > On Tue, Aug 05, 2014 at 09:21:07AM -0400, Brian Cuttler wrote:
> > > rndc addzone sounds like a very interesting tool, but
> > > if you w
er [default any; if
> missing]
> allow-update is a EDNS acl option of subtype update [default none; if missing]
> conf is a EDNS which contains other configuration data for a zone
>
> Mark
>
> In message <20140805164053.ga11...@fantomas.sk>, Matus UHLAR - fantomas
>
sounds good. thanks
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of
bind-users-requ...@lists.isc.org
Sent: Wednesday, April 08, 2015 10:39 AM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 2086, Issue 1
Send
I am running bind 9.8.2 on a pair of RHEL 6 DNS servers.. One server is the
master, one is the slave. My goal is to setup 2 views so that our internal
folks can resolve hostnames to internal IP's while still allowing our
external customers to resolve from the outside. Both of these servers are
exte
Hello:
I am a hobbyist and am using BIND 9.5 on my Linux system. I run my own
DNS server as a master server for my own domains and as a slave for my
friend's domains (we are each other's backup). I would like to start
using views so that I can have a different zone definition within and
outsi
I transfer the master external
view into the slave's internal view?
Am I making this harder than it needs to be?
Thanks again.
--
Brian Schang
Hello:
On 9/6/2010 9:45 AM, Brian Schang wrote:
On 9/5/2010 10:17 PM, Mark Andrews wrote:
Is it possible to:
(1) Allow the master external view to be transferred into the slave's
internal and external views?
More specifically, it seems simple to transfer the master external view
int
;
file "slaves/B/example";
masters { 127.0.0.1 key transfer-key; };
};
};
This all makes sense. Thank you very much for the help.
--
Brian Schang
This issue was initially reported to me by a customer running CentOS 5.5
x86_64. I was able to duplicate it on CentOS 5.5 i386 with dig version:
DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
When doing a dig +trace to a DNSBL for a TXT record they're getting a segfault
after making the final query (pr
On Dec 9, 2010, at 1:16 PM, Brian Keefer wrote:
> This issue was initially reported to me by a customer running CentOS 5.5
> x86_64. I was able to duplicate it on CentOS 5.5 i386 with dig version:
> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
>
> When doing a dig +trace to a DNSBL f
On Dec 9, 2010, at 4:20 PM, Mark Andrews wrote:
>
> In message , Brian Keefer
> write
> s:
>> Downloading the tarball for bind-9.7.2-P1 from ftp.isc.org and building it fr
>> om source fixed the segfault issue.
>>
>> I'm still seeing a (possibly related
to have the IP addresses, why not just use the standard
port on multiple IPs on one machine, then use the 'listen-on' for each
instance to point at the individual IPs? If you don't have the IP
addresses available to do that, the
I would like to configure my DNS Server to respond with A and
records when someone queries for a specific site. I don't know if this
functionality is even available but if it is would someone mind pointing
me in the right direction to get this configured.
Been looking at this for hours and can't figure it out. Views without recursion
don't return a response. I don't know what I'm doing wrong. Setting
"recursion yes" allows the zone to respond.
Sorry if this format is ugly.
Ideas?
Thanks!
>>named.conf
view "internal"
{
match
to a non-existent IP in the
top level, which makes unauthorised queries time out - clearly not ideal.
Anyone have any better suggestions?
Many thanks,
Brian.
to give a similar level of control for DNS lookups too;
otherwise, in the event of a virus infection, the virus could use the DNS as
a covert channel.
Regards,
Brian.
> Or else set up secure proxies and disallow all DNS resolution (an
> empty root zone).
I'm not sure what you mean by "secure proxies". Do you mean some non-BIND
software capable of forwarding and filtering DNS queries/responses? If so,
do you have anything particular in
attention of the larger security community.
We believe that in the long run this increased scrutiny will help us
further increase the security and stability of BIND, but in the near
term it does increase the risk of operating an unpatched server.
Thanks,
Brian Conry
ISC Support
ing in the query log (or is there?) that
indicates that a query was rewritten.
Is there any way to get the ECS information in the RPZ log? Failing that,
suggestions on how to accomplish this would be greatly appreciated.
Thanks!
-Brian
You could setup a DNSMASQ / Unbound service as a front end, which then queried
bind. Both of those allow the setting of a minimum TTL (max of 3600 seconds in
DNSMASQ). It cannot be done with bind by itself.
> On Oct 26, 2018, at 11:41, Grant Taylor via bind-users
> wrote:
>
> On 10/26/2018 01
On Fri, 2023-05-26 at 16:51 +0530, Shailendra Gautam wrote:
> Does bind provide any way to manage(add,update,delete) resource
> records
> with HTTP API, like powerdns?
Not TTBOMK. It does have an API for managing RRs but that is using RFC
2136 and not HTTP.
> I currently use zonefiles to store D
Not having dipped my toe into DNSSEC yet (yes, I know, but time is
always so scarce)...
So I am seeing a bunch of this sort of thing in my BIND logs now:
04:02:18 named validating @0xb0f58988: 124.in-addr.arpa SOA: no valid signature
found
04:02:18 named validating @0xb0f58988: 124.in-addr.arpa
On 12-05-02 09:29 AM, Mark Andrews wrote:
>
>
> The zones are signed. Possible reason are:
>
> * a firewall blocking EDNS queries.
This shouldn't be the case. Outgoing traffic from the bind9 server
being used here should be completely unfettered.
> * using a non DNSSEC enabled forwarder so y
On 12-05-02 09:29 AM, Mark Andrews wrote:
>
> * a firewall blocking EDNS queries.
> * using a non DNSSEC enabled forwarder so you don't get signatures.
> * a firewall blocking fragmented UDP and named falling back to
> plain DNS.
> * other packet loss causing named to fallback to plain DNS.
Gi
On 12-05-15 09:01 AM, Phil Mayers wrote:
>
Sorry about the way delayed response. There seems to be some confusion
about which list/group gmane is following.
> Isn't it more likely it's a local problem?
Indeed. But what, is the question (and I do have the answer, now --
see below).
> Which v
On 12-07-20 08:34 AM, Brian J. Murrell wrote:
>
> The problem here seems to be fragmented UDP.
I seem to have misdiagnosed this due to tcpdump peculiarities. I only
initially saw/suspected the problem since my capture for port 53
packets was including (only the first) ipv4 fragments.
On 12-07-20 09:11 AM, Phil Mayers wrote:
>
> Or, what happens if you start bind up in debug mode and run the query?
> There will be a lot of output, but I've found most problems to be fairly
> obvious if you read through it.
Yeah, there is a lot of output. Too big of a haystack for me to find
th
On 12-07-20 10:42 AM, Mark Andrews wrote:
>
> The NS RRset is the delegation records and as such has no RRSIGs.
> If you turn on minimal-responses the NS rrset won't be added and
> AD won't be cleared. AD is only set to 1 if all the records in the
> answer and authority sections are marked as se
On 12-07-20 11:40 AM, Mark Andrews wrote:
>
> In message <500978a5.4070...@imperial.ac.uk>, Phil Mayers writes:
>> On 20/07/12 16:21, Mark Andrews wrote:
>>>
>>> In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
>>
On 12-07-20 07:16 PM, Mark Andrews wrote:
>
> "dnssec-validation auto;"
Well, this seems to have done the trick. Changing it from yes to auto
has eliminated most (almost all in fact) of the validation
warnings/errors I was getting in my logs.
> tells named to use the compiled
>
I've come across something interesting in my named logs:
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache)
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache)
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:
On 12-07-24 07:05 AM, Brian J. Murrell wrote:
> I've come across something interesting in my named logs:
>
> 00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache)
> '5.37.58.216.in-addr.arpa/PTR/IN' denied
> 00:14:37 named client 205.166.7
On 12-07-24 07:53 AM, Phil Mayers wrote:
> On 24/07/12 12:05, Brian J. Murrell wrote:
>
> Change ISP?
A. You must be one of those people who live in that part of the
world where internet service providing is not a monopoly, duopoly or at
best a price-fixing oligopoly. :-) Unfo
ther people are
successfully doing this for it to be a bug (right??).
thank you,
Brian Cuttler
Wadsworth Center
Albany, NY
# uname -a
Linux znix.wadsworth.org 3.10.0-123.6.3.el7.x86_64 #1 SMP Wed Aug 6
21:12:36 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Installed Packages
Name: bind
Arch
t not resolved.
Will talk with my manager about the query-source address issue, don't recall if
he'd mandated this, or it's a holdover from an earlier config. It is not a
setting in the example config that installed with the package.
Thank you,
Brian
-Original Message-
F
[mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Thursday, January 29, 2015 11:57 AM
To: Cuttler, Brian (HEALTH)
Cc: Alan Clegg; bind-users@lists.isc.org
Subject: RE: problem loading dynamic zone
Cuttler, Brian (HEALTH) wrote:
> Error: db.dynamic.jnl: create: permission denied
Tony,
Thank you, I had no idea... I also had no luck moving to the more common
directory structure. The security switch named_write_master_zones proved
ineffective until I set security to "permissive".
Thank you, the link contained the key I needed.
Now it's DHCP time.
Many tha
Trying to follow an example I found of manually verifying a name's
DNSSEC records I did the following:
# dig . DNSKEY | grep -Ev '^($|;)' > root.keys
# dig +sigchase +trusted-key=./root.keys www.eurid.eu. A
That resulted in some errors but more importantly the following in my
syslog:
Mar 23 08:1
pull the tables, even after the table expiration date.
The work-around, which is really not supportable, has been to remove the tables
from the slave servers and restart named on them.
I am aware that I'm the cause of the problem, just not sure of the solution.
Thanks in
Of Simon Hobson
Sent: Thursday, April 02, 2015 11:27 AM
To: Users of ISC DHCP; bind-users@lists.isc.org
Subject: Re: problem with static range in dynamic table
"Cuttler, Brian (HEALTH)" wrote:
> Except-I set my available address range to 10.57.36.10 - 10.57.39.150, as I
> have so
the
named.conf, though I could have overlooked it, certainly I did nothing to
enable such a switch.
It's a mystery to me.
Thanks,
Brian
-Original Message-
From: dhcp-users-boun...@lists.isc.org
[mailto:dhcp-users-boun...@lists.isc.org] On Behalf Of dave c
Sent: Tuesday, June 09, 20
I have a BIND9 server configured as a resolver for the local network to
forward all requests to 1.1.1.1. Given that 1.1.1.1 includes
(RFC8914) EDE EDNS options in its responses, can I configure the BIND
resolver to forward those EDNS options in its response to the client?
While I know BIND
On Sat, 2022-02-19 at 19:02 +0100, Matus UHLAR - fantomas wrote:
>
> what's the point of this setup?
> BIND can resolve by itself perfectly and you wouldn't rely on 3rd
> party
> service
Except that it cannot do EDE, as I already said in my original message.
Cheers,
b.
On Sun, 2022-02-20 at 08:16 +1100, Mark Andrews wrote:
>
> EDNS is hop by hop. There is no copying by any compliant server.
Fair enough. I thought it was a long shot.
Cheers,
b.
I am trying to do some testing of an IPv6-only network here using some
nat64 to reach the "legacy" :-) IPv4 Internet. My network is currently
dual-stack.
I have dns64 query mapping working, but I am still seeing some clients
that I am trying to test with (that still have IPv4 addresses until the
Since enabling DNSSEC on my resolving server I have been seeing various
instances of the following sort of messages:
named error (broken trust chain) resolving '133.168.163.66.sa-
trusted.bondedsender.org/TXT/IN': 173.45.100.146#53
named error (broken trust chain) resolving
'173.65.147.69.bb.bar
Alan Clegg isc.org> writes:
>
Hi Alan,
> There isn't a chain of signed DS records that lead from a trust anchor
> to the thing that you are trying to resolve.
I guess I'm going to have to learn a bit more about DNSSEC in order to parse
that. :-)
Are there any good tutorials on the mechanics
Alan Clegg isc.org> writes:
>
> On 11/2/2010 8:11 AM, Brian J. Murrell wrote:
> >
> > named error (broken trust chain) resolving '133.168.163.66.sa-
> > trusted.bondedsender.org/TXT/IN': 173.45.100.146#53
> There isn't a chain of signed DS records
Casey Deccio deccio.net> writes:
>
> There is a difference between a "broken" trust chain and a trust chain
> that securely "ends" before reaching the name being queried.
Ahhh. That makes sense.
> However, a broken chain means that the validating resolver expects a
> chain to exist, but the c
Stephane Bortzmeyer nic.fr> writes:
>
> Indeed. Your analysis seems right. May be you have somewhere another
> trust anchor (for DLV ISC or directly for bondedsender.org?)
Hrm. I'm not sure TBH. I know I didn't install any trust anchor specifically
for bondedsender.org, but I do have "dnsse
Stephane Bortzmeyer nic.fr> writes:
>
> They are not name servers of sa-trusted.bondedsender.org:
Damn. Yes, you are correct. I forgot it was sa-trusted.bondedsender.org. in
our example and stopped at bondedsender.org. However going that one more sub-domain
deeper and testing its NSes, the
Casey Deccio deccio.net> writes:
>
> This can happen in a number of different ways: If any RRSIGs in the
> chain of trust are bogus, expired, or missing. If NSEC/NSEC3 records
> are not provided or are insufficient to prove that no DS records exist
> for an insecure delegation. If DS RRs do e
Casey Deccio deccio.net> writes:
>
> Reproducing these errors and analyzing the debug-level log messages
> would be helpful since everything looks consistent from a DNSSEC
> perspective, as far as I can see.
Well, I have attempted this. I reproduced my existing bind configuration and
added the
Casey Deccio deccio.net> writes:
>
> On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell interlinx.bc.ca>
wrote:
> > $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt
Doh! I forgot the +dnssec.
> What happens when you run the following queries:
>
>
Brian J. Murrell interlinx.bc.ca> writes:
>
> Casey Deccio deccio.net> writes:
> >
> > Do you get a NOERROR response with the AD bit set?
>
> Yup:
> ...
Was any of that information I posted in the previous message useful? If not,
Casey Deccio deccio.net> writes:
>
> After a review of NSEC3 showed that this particular behavior is
> expected because org has been signed using NSEC3 with the opt-out bit
> set.
I'm afraid I'm getting a bit lost due to my real lack of understanding of the
details of DNSSEC. I wish I had the
Casey Deccio deccio.net> writes:
>
> I still don't have the answer to this.
Fair enough. I was just looking for clarification on your previous statements.
> Perhaps a BIND developer may
> have better insight into the log messages and what may be going on.
Yeah, I was hoping to have caught th
Jeremy C. Reed isc.org> writes:
>
> I was reading it all along, but could never reproduce.
Given the new information I have, I'll hazard to guess that you were trying to
reproduce with something newer than 9.7.0-P2.
> I thought it was
> a temporary issue.
>
> I see your new bug report. Some
I am using BIND 9.7.2-P2.
I have two views, one "internal" and one for "external" queries. In
both of those views I have some zones which are common so I put them
into their own file "zones.common" and include that file in both of the
views.
The problem I am having is that when I make a dynamic
On 11-06-24 09:57 AM, Lyle Giese wrote:
>
> It's expected behavior in a way.
Given your explanation, indeed. :-)
> You are probably making this change in
> the internal view and the internal named process knows about the change
> and reloads the zone.
>
> The external view's process is unaware
On 11-06-24 12:39 PM, Evan Hunt wrote:
>
> You can specify the view in the reload command:
>
> $ rndc reload example.com in external
But reload doesn't work for dynamic zones:
# rndc reload rbl.interlinx.bc.ca in greatunwashed
rndc: 'reload' failed: dynamic zone
and since I want the sa
On 11-06-24 01:47 PM, Evan Hunt wrote:
>
> Do the internal and external versions *both* need to be dynamic?
No, only the internal in fact.
> I'd expect it to work okay if you had only one of them dynamic, and
> sent periodic reload commands to the other one.
Yeah. I got the master/slave appro
On 11-06-24 03:19 PM, David Sparro wrote:
>
> Do you have control of the update process.
Sure.
> You could potentially send
> an update to both views (in other words, send two updates).
How do I, with nsupdate, specify which view's zone I want to update?
> I think
> you'd need separate zone f
I have a BIND (9.9.4)[1] server that runs well most of the time, but
periodically it will start returning SERVFAIL for very high-level
domains such as *.google.com, *.gstatic.com, *.github.com, etc. It
seems to happen most frequently with Google domains, but I wonder if
that is just a reflection o
On Thu, 2018-01-18 at 15:41 +, Tony Finch wrote:
>
> Does the time to recovery correspond to the lame-ttl setting?
I am not sure. I'm not always aware of when it starts. I guess if I
am running a trace level permanently the log would tell me though.
> The default
> is 10 minutes - try redu
On Thu, 2018-01-18 at 17:46 +, Tony Finch wrote:
> Brian J. Murrell wrote:
> > On Thu, 2018-01-18 at 15:41 +, Tony Finch wrote:
> > >
> > > The default is 10 minutes - try reducing it and see if the outage
> > > becomes shorter.
> >
> &
On Fri, 2018-01-19 at 14:54 +, Tony Finch wrote:
>
> Those responses look like referrals from the root servers to the .com
> servers;
Ahhh. Right. That makes sense.
> I would expect you to see `named` repeating the queries as it
> follows the iterative resolution algorithm.
Indeed. I wil
On Fri, 2018-01-19 at 15:22 +, Tony Finch wrote:
>
> You don't have any weird middleboxes between your resolver and the
> Internet, do you?
I don't believe so. Not entirely sure what "weird middleboxes" refers
to in this context though. And by resolver are you referring to my
BIND9 server o
OK. I now have named trace logging
http://brian.interlinx.bc.ca/named.run.log
and a packet dump:
http://brian.interlinx.bc.ca/dns-packets.txt
that demonstrates how BIND is getting .com referrals from the root
servers when doing a query for www.google.com and then doing nothing
with those refer
On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote:
>
> That indicates that it has already marked the servers as lame, so the
> packet trace isn't going to tell you what caused the lameness.
OK.
> The thing to look out for is the minutes before the outage starts -
> see
> what kind of failures
On Mon, 2018-01-22 at 12:45 +, Tony Finch wrote:
>
> They'll have a log category of edns-disabled.
But if the problem were EDNS, would it be so intermittent and always
fixable by rndc reload?
> But, looking through the
> code, if this is leading to lameness you will also get lame-servers
> l
On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote:
>
> The thing to look out for is the minutes before the outage starts -
> see
> what kind of failures you get.
So, taking this approach, looking for the first occurrence of just any
one of the names ns[1-4].google.com prior to the A/ querie
On Mon, 2018-01-22 at 16:10 +, Tony Finch wrote:
>
> You should make sure it is enabled, because there are vital clues in
> those
> log lines :-)
But they will only occur if there is some lameness with the ns[1-
4].google.com records and that will already be reported with lame:n in
the "fetch
1 - 100 of 166 matches