Re: Magic for NSEC3

2009-01-05 Thread Jim
nutes by specifying NSEC3. The resultant data files were much smaller than those signed with NSEC. On the other hand zones that predominately needed to be signed by NSEC3 are as expensive or even more expensive than NSEC signing. The other advantage of NSEC3 is “increased” privacy over NSEC by preventing zone walking. As results are data dependent you should evaluate both signing types and use the one that meets your needs for both speed of signing and data size as well as privacy. Jim Jackson Senior Test Engineer Secure64 Software Corp. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

named-checkzone error "NSEC node already exists"

2010-12-06 Thread jim
Hi, Running BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6 New setup/install and attempting to setup DNSSEC and clean any dirty data. Got the zone signed and ran named-checkzone against it and got the following (11) times: addnode: NSEC node already exists The .signed loads but want to have clean befor

dnssec subzone not signed question

2010-12-22 Thread jim
? example.edu is signed subzone.example.edu is not signed thanks! jim

Re: dnssec subzone not signed question

2010-12-22 Thread jim
Hi Alan, Sorry, still needing spoon fed. When you say DS record in the parent, would this be .example.edu or my parent .edu The end result is get example.edu as a dnssec secured zone by getting a DS record in .edu So it sounds like when I do upload the example.edu DS record to .edu, my subdomain

rcode 5, refused since upgrade

2011-01-06 Thread jim
wish to perform a particular operation (e.g., zone transfer) for particular data. thanks! jim

Re: rcode 5, refused since upgrade

2011-01-06 Thread jim
FUSED " and even in CAPs :-) thanks! jim On Thu, Jan 6, 2011 at 2:55 PM, Jeremy C. Reed wrote: > On Thu, 6 Jan 2011, jim wrote: > > > Upgraded today from BIND 9.2.4 to BIND > 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1. > > Pretty much copied the named.conf file from one to the

one authoritative name server and each domain requires ns1.thisdomain.com

2023-05-04 Thread Jim Peters
domain.TLD and ns2.anotherdomain.TLD" are only seen as the name servers for zones in TLD? Maybe a view for zones in TLD ... or possibly a separate view for each zone from TLD that needs this treatment of name servers? Thanks, Jim Peters jpet...@dovetailinternet.com

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread Jim Reid
> On 1 Mar 2024, at 10:37, Greg Choules via bind-users > wrote: > > In summary, Do the hard work of traffic steering somewhere else and let your > DNS resolvers deliver the chosen answer. Don't make the resolvers themselves > try to do this on the basis of incomplete information. Well said

Re: 9.18 horrendous

2024-08-23 Thread Jim Pazarena
I agree. Banning them because you disagree with what they say ? You have shares in facebook ? TikTok ? Federal Govt ? On 2024-08-23 7:19 AM, Marcus Kool wrote: The user was angry and ranted about named 9.18.x.  He did not rant about any developer or any member of your team.  Removing a user fr

Re: dhcpd

2012-10-18 Thread Jim Glassford
and ignore them. Five doing it so far today out of 4200. dhcpd: BOOTREQUEST from 14:5a:05:eb:dc:f3 via 144.80.36.19: bootp disallowed jim On 10/18/2012 8:42 AM, Dwayne Hottinger wrote: I recently setup a new dhcp server. In my logfiles yesterday I noticed the following message: BOOTP from

Re: User wanting to use a .local domain to host DNS

2012-11-14 Thread Jim Glassford
Just fyi, some talk about Extensions of the Bonjour Protocol Suite few days ago; Date: Tuesday, November 6, 2012 9:11 AM The mdnsext BoF is today at 15:20 US Eastern Time. The agenda is below. Slides are available here: https://datatracker.ietf.org/meeting/85/materials.html. Remote participat

reverse resolution failing

2013-02-07 Thread Jim Pazarena
with this? my "dig" response follows. Many thanks! Jim mail# dig -x 139.142.184.10 ; <<>> DiG 9.9.0 <<>> -x 139.142.184.10 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49017 ;; flags: qr rd ra;

odd compile error in a lib

2013-02-14 Thread Jim Pazarena
suggestions. Thanks, Jim export MAKE_SYMTABLE="yes"; export BASEOBJS="builtin.o client.o config.o control.o controlconf.o interfacemgr.o listenlist.o log.o logconf.o main.o notify.o query.o server.o sortlist.o statschannel.o tkeyconf.o tsigconf.o update.o xfrout.o zonec

Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-26 Thread Jim Bucks
"keys" to tell / let dhcpd update the DNS "zones" file, but I'll be 'derned if I can figure out what's breaking. Any pointers on what to look for in order to get this working would be appreciated. Thanks, Jim I've attached the current configs in the hopes th

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-26 Thread Jim Bucks
Thanks Graham, I appreciate the hints. However, I'm still having problems (after finding a few more "how-to's"). Any other pointers / tips on what to look for? Jim Mar 26 14:18:24 dns04 dhcpd: DHCPRELEASE of 172.10.20.51 from 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (fo

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
the bare minimum config into it. Attached are my configs. Any ideas on what I've hosed up? Thanks, Jim -- Jim Bucks - IT Director Colorado Studios <http://www.coloradostudios.com>, Mobile TV Group<http://www.mobiletvgroup.com>, HDNet <http://www.hd.net>, AXS.tv

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
it did see the request or it will have an explanation why it won't > do it. > > On 28/03/13 18:18, Jim Bucks wrote: > > Hi Mark, Graham, & others. > > I've spent the last day trying all sorts of things to get this working (to > no avail). I'm still at t

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Glassford
Hi Jim, Lost track but have you tried using the IP address of the server for the primary, 172.10.20.101 instead of 127.0.0.1? zone dhcp.coloradostudios.com. { primary 172.10.20.101; <- change from 127.0.0.1 key DHCP_UPDATER; } best! jim On 3/28/201

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
710]: error (network unreachable) resolving 'dns04.den.coloradostudios.com/A/IN': 2001:503:ba3e::2:30#53 Mar 28 11:38:30 dns04 named-sdb[3710]: error (network unreachable) resolving './NS/IN': 2001:500:2d::d#53 Mar 28 11:38:30 dns04 named-sdb[3710]: error (network unrea

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
No I have not tried that, but .101 is a leased IP address for a Windows workstation. I'm willing to try it, but it seems like that would mean I would need a zone like this for all of my leased addresses??? Jim On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford wrote: > Hi Jim, > &

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Glassford
Hi Jim, No, sorry, wrong IP address, the real IP address of the dns server, not the client. zone dhcp.coloradostudios.com. { primary your_dns_server_IP_address; <- change from 127.0.0.1 key DHCP_UPDATER; } Also do you have a /var/log/named

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Thanks Leonard, I thought I had all the IP6 stuff turned off! I'll scour through the configurations & make sure that whatever straggler is left has been commented out / de-activated. Jim On Thu, Mar 28, 2013 at 12:08 PM, Leonard Mills wrote: > Hi Jim, > > Based on

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi All (sorry for the top-posting) Alan - thanks for the link. I'll be checking it out / looking it over. Jim, Based on the nsupdate output (below), it looks like I've hosed up something in my "key". I used the key string from the .private key file (I've found som

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi All, Alan, I looked that doc over and the only thing I found different than what I used the key string from the .private key file. Jim, thanks for the nsupdate pointer. I've never had to delve into that level of debugging. When using nsupdate, I was able to update the forward and re

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Glassford
Hi Jim, Looking at your config files, believe the keys do not match in named.conf and dhcpd.conf but maybe they were adjusted for the posting to the list. Alan Clegg's link shows creating the key and adding it to the files and also some nsupdate examples. Would want like the foll

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi Jim, Shouldn't there be quotes around the key string in the named .conf file? I have quotes around mine in named.conf. I do not have quotes around the key string in the dhcpd.conf. If this is correct, I've made sure they match (I was trying to "genericize" the key str

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Jim Bucks
lete" URL provided by ?Alex?"). The only difference I can see is that I used a 512 bit key vs the examples 128bit key. And, I'm using a slaves/ directory vs internal/ directory for the "zones" files. Jim INTERACTIVE WORKS [root@dns04 ch

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Jim Bucks
On Fri, Mar 29, 2013 at 6:39 AM, Mark Elkins wrote: > Try using a more simple MD5, short key. > > Seem to remember that DHCP doesn't like non-MD5 keys (eg SHA) > There was also some sort of length bug? - try 128 bit length. > > On Fri, 2013-03-29 at 06:19 -0600, Jim

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Jim Bucks
On Fri, Mar 29, 2013 at 10:02 AM, Steven Carr wrote: > On 29 March 2013 14:57, Jim Bucks wrote: > > I just noticed (has been there all along), that the subdomain is not > showing > > up in the "automated" unable to line. > > I want it to add dhcp-172-

Re: reverse resolution failing

2013-04-10 Thread Jim Pazarena
Jim Pazarena wrote, On 2013-02-07 9:31 AM: my named is 9.9.0 while it can resolve "webmail.acrodex.com" ( 139.142.184.10 ) it cannot reverse resolve 139.142.184.10 (example follows). However, if I do a simple nslookup using Google DNS. nslookup 139.142.184.10 8.8.8.8 IT WORKS!

ARIN IP assignments

2013-10-07 Thread Jim Pazarena
I have a client who has been assigned a /20 from ARIN. They asked me to help them with their DNS. The DNS for me is the easy part. except... ARIN has told them that you use the DNS to set up the routing so that the traffic for this /20 gets routed to the correct up-stream provider. Is this cor

authoritative rDNS

2013-10-09 Thread Jim Pazarena
I set up a subnet on my server, complete with rdns, and ARIN has been adjusted for my two dns servers (ns.qcislands.net & ns2.qcislands.net) the subnet: 23.235.75.0/24 if you do a lookup of, for instance: 23.235.75.10 and bounce that nslookup off of other dns servers, SOME say: Authoritative an

DNS format error

2013-11-11 Thread Jim Pazarena
I see in my logs "DNS format error from 205.178.190.53#53 resolving excelwetsuits.com/MX for client 207.34.147.83#54521: invalid response" The client is *my* mail server IP. I am wondering is this error on MY side or theirs ? It doesn't sound like it. If it's on their end.. how far should someo

classless ptr setup

2014-01-20 Thread Jim Pazarena
I have a full /24, which I would like to separate into two /25's, and assign each half to two of my customers. The snag is that *I* maintain the DNS for each of these customers. Is it possible to create the classless setup within my system so that it starts with the /24 but can assign the two cla

Re: classless ptr setup

2014-01-20 Thread Jim Pazarena
"0/25.z.y.x.in-addr.arpa" { ... ... } ...and in the zone file: 1 PTR some.host. ... as normal. HTH, -John From: Jim Pazarena To: bind-users@lists.isc.org Date: 01/20/2014 01:43 PM Subject: classless ptr setup Sent by: bind-users-bounces+johnh=primebuchholz...

Re: Master to Slave initial zone transfer question

2014-04-16 Thread Jim Glassford
specified with each *also-notify* address to send the notify messages to a port other than the default of 53. *also-notify* is not meaningful for stub zones. The default is the empty list. best! jim

logging via named.conf

2014-05-28 Thread Jim Pazarena
Is there an easy way in the named.conf logging to have ALL logging go to local2 ? I've created: logging { channel syslog-local2 { syslog local2; print-category yes; print-severity yes; }; category default { syslog-local2; }; category general {

Re: Digging to the final IP

2014-10-21 Thread Jim Young
g.^I^I299^IIN^IA^I216.235.14.46 There is only one ASCII TAB (represented as ^I with cat -t) between "cerebus.kreme.com." and "21409." but two ASCII TABs between "sb.sanxion.org." and "299". I'm guessing a very short name might result in three

Re: [Ext] RRL settings that work for you

2015-05-27 Thread Jim Glassford
Hi Mike, In production since July 2013 without complaints and believe it has helped here. rate-limit { responses-per-second 10; window 5; }; best! jim On 5/26/2015 5:00 PM, Mike Hoskins (michoski) wrote: Hi folks, I've read about RRL with interest since its inception, but jus

Bind v9.9.7-P2 inline-signing hourly?

2015-08-22 Thread Jim Popovitch
red to the alternative. :-) -Jim P. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind v9.9.7-P2 inline-signing hourly?

2015-08-22 Thread Jim Popovitch
's a check to see if the zone keys have been changed (e.g., a new key > added, an existing key scheduled for deletion, a standby key activated, > etc). Thanks! -Jim P.

auto-dnssec sanity check (please)

2015-10-01 Thread Jim Popovitch
. That concerns me. Is it as simple as cached responses? -Jim P.

Spurious DNSKEY records on slave

2016-08-18 Thread Jim Fenton
o longer a .jnl file there. I'm not sure where it came from in the first place. Master is running 9.9.5-9+deb8u6-Debian Slave is running 9.8.4-rpz2+rl005.12-P1 (both obtained from Debian distribution) Is this a known problem? -Jim

Re: SPF and domain keys

2016-08-29 Thread Jim Fenton
t selector name and d=foxtrot.com in the signatures of the email it sends as foxtrot.com. This is a very common arrangement used by domains that use email sending providers. -Jim On 8/28/16 4:13 PM, project722 wrote: > Lets say my domain is foxtrot.com and we have SP

ipv6 implementation in an ipv4 camp

2010-09-10 Thread Jim Pazarena
I am curious if anyone can point out articles or deeper instructions regarding an implementation and launch of ipv6 in a fully ipv4 camp? If the upstream ISP still provides the end user an ipv4 number as a gateway, and the end user still has a /24 or /23 assigned by the ISP, need they be concerne

? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Jim Glassford
NS eduftcdnsp02.ed.gov. ed.gov. 2777IN NS eduftcdnsp01.ed.gov. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri May 27 15:07:01 2011 ;; MSG SIZE rcvd: 148 thanks! jim

(fixed) bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-28 Thread Jim Glassford
Thanks to everyone who replied on and off list, my first dnssec related problem and no self confidence. :-) They got it fixed yesterday evening and working OK again. have a great weekend! jim On Fri, 27 May 2011 15:09:39 -0400  Jim Glassford wrote: Hi, Running BIND 9.7.0-P2 Is this

Re: Slaves do not more update

2011-06-22 Thread Jim Glassford
Hi, May have already been covered by another but just to verify, "beating a dead horse" Do you update the serial number before you sign the zone? If automated at all with scripts, make sure you update the SOA serial number then sign. jim On 6/22/2011 1:42 PM, Michelle Kon

reverse delegation from Telco

2011-11-03 Thread Jim Pazarena
I've got a fractional subnet 207.34.147.80/28 (.240) To which my reverse always responds, but claims to be non-authoritative. Then it points AT MY DNS to be authoritative. I am unsure, but think it has something to do with the way I have described my in-addr.arpa file. Would someone please offer sugge

Re: reverse delegation from Telco

2011-11-03 Thread Jim Pazarena
rds, Chris Buxton BlueCat Networks yup, they're all mine. but that non-auth kinda bugs me, because for my 'full' /24 subnets, that never happens. And it's delegated from the same Telco (Telus) look at ns2.qcislands.net which cleanly resolves back and forth to 209.53.238.4 O

slave nags that master is not authoritative

2011-11-23 Thread Jim Pazarena
I have 1 domain name, and 1 reverse in-addr.arpa citires.ca and 0-127.254.194.207.in-addr.arpa which my two slaves log that the master is "not authoritative" for I have plenty of rdns subnets, and 3 fractional subnets in that group so my copy & paste of this new /25 looks 100%. y

Re: slave nags that master is not authoritative

2011-11-23 Thread Jim Pazarena
Jan-Piet Mens wrote, On 2011-11-23 12:21 AM: I have 1 domain name citires.ca which my two slaves log that the master is "not authoritative" for Seen from here (.DE) the NS for citires.ca both refuse to answer queries, so they are indeed not authoritative: $ dig @ns.qcislands.net

Re: slave nags that master is not authoritative

2011-11-23 Thread Jim Pazarena
Jan-Piet Mens wrote, On 2011-11-23 12:21 AM: I have 1 domain name, and 1 reverse in-addr.arpa citires.ca and 0-127.254.194.207.in-addr.arpa which my two slaves log that the master is "not authoritative" for I found the issue! I had TWO named.conf files for my slaves, one not

Zone File Permission Question

2009-09-30 Thread Jim Williams
Hello, I have what seems to be a very basic question that I have been unable to find an answer for. What determines the settings of the file permissions (and how can I change those default settings) on zone files created during a zone transfer, BIND or the OS (Solaris)? thanks - jw

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Jim Popovitch
ks cooler than the later. -Jim P.

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Jim Popovitch
uch worse in the Mirai botnet scenario unless each node is pretty much as robust as a traditional unicast node. -Jim P.

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Jim Popovitch
On Mon, Oct 31, 2016 at 11:27 AM, Matthew Seaman wrote: > On 2016/10/31 14:53, Jim Popovitch wrote: >> On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman >> wrote: >>> This despite the fact that Dyn has a global anycast network with >>> plenty of bandwidth, point

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Jim Popovitch
On Mon, Oct 31, 2016 at 12:21 PM, Tony Finch wrote: > Jim Popovitch wrote: >> >> It seems to me that anycast is probably much worse in the Mirai botnet >> scenario unless each node is pretty much as robust as a traditional >> unicast node. > > This blog post is a

Question on prod.msocdn.com

2016-11-08 Thread Jim Glassford
n1dspg.akamaiedge.net. 3966IN A 209.48.71.60 n6dspg.akamaiedge.net. 3966IN A 165.254.211.13 ;; Query time: 25 msec ;; WHEN: Tue Nov 8 19:18:06 2016 ;; MSG SIZE rcvd: 475 thanks! jim

Re: [Ext] Re: Question on prod.msocdn.com

2016-11-09 Thread Jim Glassford
On 11/9/2016 4:55 AM, Tony Finch wrote: Jim Glassford wrote: Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd either timeout or SERVFAIL depending on version of bind. It works for me with BIND 9.11 and 9.10.4-P4. There are some EDNS-related changes in 9.10 which might be

Re: Question on prod.msocdn.com

2016-11-09 Thread Jim Glassford
On 11/9/2016 2:42 PM, Jim Glassford wrote: On 11/9/2016 4:55 AM, Tony Finch wrote: Jim Glassford wrote: Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd either timeout or SERVFAIL depending on version of bind. It works for me with BIND 9.11 and 9.10.4-P4. There are some

Re: Question on prod.msocdn.com

2016-11-11 Thread Jim Glassford
Just fyi, Found my problem here, our Tipping Point IPS was misbehaving for msocdn.com, all well now. The contributors on the ISC lists are a wealth of information and appreciated. best! jim On 11/9/2016 2:50 PM, Jim Glassford wrote: On 11/9/2016 2:42 PM, Jim Glassford wrote: On 11/9/2016

Re: bind does not resolved all domains (SERVFAIL)

2017-01-13 Thread Jim Glassford
Hi, For me, today's problem is philasd.org, getting SERVFAIL # dig +trace philasd.org couldn't get address for 'dns1.philasd.org': not found couldn't get address for 'dns2.philasd.org': not found dig: couldn't get address for 'dns1.philasd.org': no more / Missin

RPZ zone load failure ran out of space

2017-06-28 Thread Jim Yang
policy records. ; Note: There are no periods (.) after the (relativised) owner names. bad.domain.com A 10.0.0.1 ; redirect to walled garden 2001:2::1 Thanks, Jim

Re: RPZ zone load failure ran out of space

2017-06-28 Thread Jim Yang
Hi Bob, Thank you for the explanation. It makes sense to me now. Best, Jim From: Bob Harold Sent: Wednesday, June 28, 2017 4:38 PM To: Jim Yang Cc: bind-users@lists.isc.org Subject: Re: RPZ zone load failure ran out of space On Wed, Jun 28, 2017 at 3:44 PM

RPZ zone name label length limit

2017-06-29 Thread Jim Yang
name label that is longer than 63 characters)? When I dig these DNS records using 8.8.8.8, which reports them as ‘NXDOMAIN’. Thanks, Jim

Re: RPZ zone name label length limit

2017-06-29 Thread Jim Yang
Hi Mukund, Yes, I will send the report with a sample RPZ zone that contains the name to bind-b...@isc.org. Thanks, Jim On 6/29/17, 2:40 PM, "Mukund Sivaraman" wrote: Hi Jim On Thu, Jun 29, 2017 at 01:57:16PM +, Jim Yang wrote: > Hi, > > W

Re: Should we remove the DLV code?

2019-05-22 Thread Jim Reid
> On 21 May 2019, at 16:00, Hugo Salgado-Hernández wrote: > > One important thing is that the "islands of security" concept > may be necessary in different places (companies? communities?) > and the DLV technique is not limited to the root. For the same > reason I consider that Bind's support i

Re: A policy for removing named.conf options.

2019-06-13 Thread Jim Reid
> On 13 Jun 2019, at 14:18, Warren Kumari wrote: > >> A configuration option that is candidate for removal will be deprecated >> first. During this phase the option will still work, but we will be >> communicating to users that the option is going to be removed soon. A >> user that has depreca

Re: NSEC3 salt change - temporary performance decline

2020-01-21 Thread Jim Reid
> On 21 Jan 2020, at 15:59, Daniel Stirnimann > wrote: > > I agree that re-salting is kind of pointless So, just like NSEC3 then? :-)

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Jim P. via bind-users
ants to have bind9 used by the 42 people who are experts of bind9. -Jim P. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more

minimal-all on master

2016-09-02 Thread Jim Popovitch via bind-users
Hello, Should minimal-all (v9.11.0-rc1) work on a master? My testing shows that it only works on the slave DNS servers. relevant named.conf: http://paste.debian.net/plainh/62ee2440 -Jim P.

Re: minimal-all on master

2016-09-02 Thread Jim Popovitch via bind-users
On Fri, Sep 02, 2016 at 06:59:35PM +, Jim Popovitch via bind-users wrote: > Hello, > > Should minimal-all (v9.11.0-rc1) work on a master? My testing shows that it > only works on the slave DNS servers. > And by minimal-all I mean minimal-any (i keep typo'ing that fo

Re: minimal-any on master

2016-09-05 Thread Jim Popovitch via bind-users
On Mon, Sep 05, 2016 at 09:51:25AM +0100, Tony Finch wrote: > Jim Popovitch via bind-users wrote: > > > > Should minimal-all (v9.11.0-rc1) work on a master? My testing shows > > that it only works on the slave DNS servers. > > Works for me :-) minimal-any is implement

Re: minimal-any on master

2016-09-05 Thread Jim Popovitch via bind-users
On Mon, Sep 05, 2016 at 05:12:47PM +0100, Tony Finch wrote: > Jim Popovitch via bind-users wrote: > > > > Thanks. Now I'm seeing something slightly different. I have 3 NS > > servers, ns{1-3}.domainmail.org. > > > > When I first asked 3 days ago I was seein

update-policy wildcard grant

2020-04-01 Thread Jim Popovitch via bind-users
am I doing wrong? tia! -Jim P.

Re: update-policy wildcard grant

2020-04-01 Thread Jim Popovitch via bind-users
On Thu, 2020-04-02 at 09:27 +1100, Mark Andrews wrote: > > On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users < > > bind-users@lists.isc.org> wrote: > > > > Hello! > > > > I started on #bind, moved on to the ARM, and now I am here. > > > >

Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-04-15 Thread Jim Popovitch via bind-users
On Wed, 2020-04-15 at 10:35 +0200, Klaus Darilion wrote: > Thanks for answer! > > So actually it is just a cosmetic change not addressing a real problem. > > I will miss the bind9 service :-( Wait until you find out about Predictable Network Interface Names and iptables ru

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-04-15 Thread Jim Popovitch via bind-users
On Wed, 2020-04-15 at 14:21 +0200, Reindl Harald wrote: > > On 15.04.20 at 14:17, Jim Popovitch via bind-users wrote: > > On Wed, 2020-04-15 at 10:35 +0200, Klaus Darilion wrote: > > > Thanks for answer! > > > > > > So actually it is just a cosmet

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-10 Thread Jim Popovitch via bind-users
efined as a trust anchor, for instance in a trust-anchors statement, or dnssec- validation auto must be active. You might want to try adding "dnssec-validation auto" to the zone stanza. zone "invaluement.local" in { type forward; forward only; forwarders { 1

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-10 Thread Jim Popovitch via bind-users
On Thu, 2020-09-10 at 13:50 -0400, Jim Popovitch via bind-users wrote: > On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote: > > I manage an anti-spam DNSBL and I've been running into an issue in recent > > years - that I'm FINALLY getting around to asking about. I just

Re: getting a later-version of BIND on various linux OS's

2020-11-09 Thread Jim Popovitch via bind-users
ou are looking for is Debian Backports: https://backports.debian.org/ Stable (Buster) Backports has v9.16.6 https://packages.debian.org/buster-backports/bind9 It's built and maintained by: https://tracker.debian.org/pkg/bind9 -Jim P.

Re: Two copies of recent posts

2020-11-22 Thread Jim Popovitch via bind-users
rify who they are replying to, it's easy to see from the "Servfail on Bind -9.16.1" thread where the problem(s) exist. Note Paul, I only received one copy of your post, and you should be only receiving one copy of my reply. -Jim P.

Re: Two copies of recent posts

2020-11-23 Thread Jim Popovitch via bind-users
On Mon, 2020-11-23 at 08:13 +0100, Reindl Harald wrote: > > On 23.11.20 at 04:58, Jim Popovitch via bind-users wrote: > > On Sun, 2020-11-22 at 21:56 -0500, Paul Kosinski via bind-users wrote: > > > I've been getting two identical copies of recent posts to this list...

Re: Two copies of recent posts

2020-11-24 Thread Jim Popovitch via bind-users
il. > I just received 2 copies of your post, with 2 different ESMTP IDs... because you sent it to 2 different recipients. That same thing would happen if you sent it to bind-users@lists.isc.org and bind-users@lists.isc.org. -Jim P.

Testing KASP, CDS, and .ch

2021-04-09 Thread Jim Popovitch via bind-users
04:06:33 2021) ; Delete: 20210303051133 (Wed Mar 3 05:11:33 2021) ; SyncPublish: 20210221023255 (Sun Feb 21 02:32:55 2021) -Jim P.

Re: Testing KASP, CDS, and .ch

2021-04-09 Thread Jim Popovitch via bind-users
the whole purpose of CDS/CDNSKEY is to not have to do that, no? -Jim P.

Re: Testing KASP, CDS, and .ch

2021-04-09 Thread Jim Popovitch via bind-users
NS query returned: "Server failed to complete the DNS request". >" > >You should check the requirements. You'd need to answer for three >consecutive days, be consistent in all NS IP addresses, etc. > >Hugo > >On 15:11 09/04, Jim Popovitch via bind-users wr

RE: Testing KASP, CDS, and .ch

2021-04-09 Thread Jim Popovitch via bind-users
ink you're missing the point of this thread. I'm not asking about how to configure DNSSEC the traditional way. Btw, one *can* manually setup a DS RR at Gandi, but they take and decode the actual key data not the DS. -Jim P

Re: Testing KASP, CDS, and .ch

2021-04-10 Thread Jim Popovitch via bind-users
On Sat, 2021-04-10 at 13:18 +0200, Oli Schacher wrote: > Hi Jim > let me give you a bit more info > > > On April 9, 2021 8:23:48 PM UTC, Hugo Salgado wrote: > > > Switch has a website to test the CDS processing for .ch: > > > https://www.nic.ch/security/cds/

Re: FW: Preventing a particular type of nameserver abuse

2021-04-14 Thread Jim Popovitch via bind-users
e reserved IPs and quickly transfer them from server to server using the OVH API. This is great for database resiliency/failover, etc. -Jim P.

Re: Using RNDC to control remote access to my BIND server

2021-04-22 Thread Jim Popovitch via bind-users
t the runner docker/js/etc environment can talk to the staging named. There's 10,000 ways to do things in CI/CD, the 1 way that doesn't exist is the only one you will recall in the middle of a weekend while you are on vacation. :) -Jim P.

Re: 'managed-keys' is deprecated ??

2021-06-14 Thread Jim Popovitch via bind-users
On Tue, 2021-06-15 at 14:27 +1000, Mark Andrews wrote: > https://downloads.isc.org/isc/bind9/9.16.16/doc/arm/Bv9ARM.pdf The modern-day RTFM :-) -Jim P.

bind 9.8.2 "no valid signature found"

2017-01-25 Thread Jim Garrison via bind-users
xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fs

Roadmap for DNSSEC signing/automation?

2018-03-13 Thread Jim Popovitch via bind-users
d9 fully manage this, perpetually. Thx, -Jim P.

v9.12.1-P2 changed files

2018-05-18 Thread Jim Popovitch via bind-users
/plainh/470058dd -Jim P.

Re: v9.12.1-P2 changed files

2018-05-18 Thread Jim Popovitch via bind-users
On Sat, 2018-05-19 at 01:03 +, Evan Hunt wrote: > On Fri, May 18, 2018 at 04:28:24PM -0400, Jim Popovitch via bind- > users wrote: > > Honest question Why are there so many sourcecode > > modifications/additions/deletions b

Is it possible to...

2018-08-09 Thread Jim Popovitch via bind-users
that possible with a(ny)? recent version of Bind9? tia, -Jim P.

Re: [BIND] Re: Is it possible to...

2018-08-09 Thread Jim Popovitch via bind-users
On Fri, 2018-08-10 at 09:47 +1000, Mark Andrews wrote: > > On 10 Aug 2018, at 5:46 am, Jim Popovitch via bind-users > s...@lists.isc.org> wrote: > >

Definitive guide for purging old DNSSEC key files

2018-10-17 Thread Jim Popovitch via bind-users
What are the definitive steps for purging (rm -f) old DNSSEC key files that expired months ago? tia, -Jim P.
