Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread michoski
On 2/9/12 9:43 AM, "Lyle Giese" wrote: > This is just my opinion, but this is not a bug. It's the side effect of > a desirable feature called caching. > > Yea, we can brainstorm how to mitigate the effect, but in order to > mitigate a problem, we have to know that there is a problem(revoked or >

Re: Query Regarding AKAMAI Working Model

2012-02-17 Thread michoski
On 2/17/12 11:35 AM, "Anand Buddhdev" wrote: > Gaurav, >> I want to know how AKAMAI works > First of all, don't use so many question marks; one is enough. And use > it only if you're actually asking a question, not when stating something. No one reads RFC 1855 anymore. ;-) >> May be this is

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread michoski
On 2/23/12 8:48 PM, "vinny_abe...@dell.com" wrote: > I kind of had the same thought... If ISC had a DNS outage due to expired > signatures of a zone, what chance do I have in successfully deploying and > maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think it > speaks volum

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-28 Thread michoski
On 2/28/12 9:26 AM, "/dev/rob0" wrote: > On Tue, Feb 28, 2012 at 01:16:16PM +0100, Marc Lampo wrote: >> First of all : I do not deny DNSSEC adds a challenge for administrators. >> They must understand that adding this additional SECurity aspect, >> will generate extra work (keygeneration/re-genera

Re: Master/slave configuration

2012-03-07 Thread michoski
On 3/7/12 9:15 AM, "Barry Margolin" wrote: > In article , > ro...@free.fr wrote: >> I use bind on my network as DNS Server. Running bind >> 1:9.6.ESV.R4+dfsg-0+lenny4 >> on Debian Lenny. >> >> The setup is quite usual : one master server with one slave server. >> >> The slave sync the zone from

Re: Master/slave configuration

2012-03-08 Thread michoski
On 3/8/12 8:15 AM, "Romgo" wrote: > I can use a VIP for DNS server, but I thought that master/slave > configuration was made in order to avoid to use a VIP. Master/slave was to avoid SPOF -- if the master dies, who cares with a reasonable expire time. :-) So go ahead, setup a VIP...even using fr

Re: Master/slave configuration

2012-03-08 Thread michoski
On 3/8/12 10:20 AM, "Mike Hoskins" wrote: > On 3/8/12 8:15 AM, "Romgo" wrote: >> I can use a VIP for DNS server, but I thought that master/slave >> configuration was made in order to avoid to use a VIP. > > Master/slave was to avoid SPOF -- if the master dies, who cares with a > reasonable expir

Re: Cisco ACE config for internal DNS load balancing

2012-03-09 Thread michoski
On 3/9/12 8:39 AM, "Phil Mayers" wrote: > On 09/03/12 16:23, Matthew Huff wrote: >> Anyone have any suggestions/best practices/config examples for DNS load >> balancing for internal use on CISCO ACE blades? >> >> I've got the standard example working, but wondered about keepalive >> frequency, t

Re: Master/slave configuration

2012-03-09 Thread michoski
On 3/9/12 7:58 AM, "Romgo" wrote: > Even if I use a VIP I can reproduce the issue : > If the first VIP (so the nameserver 1) is down, I'll have the same > drawbacks. As the resolver will timeout before falling back to the second > nameserver. Sure, we don't live in a perfect world. You can estab

Re: zone transfer with DIG: SOA duplicate

2012-03-19 Thread michoski
On 3/19/12 10:49 AM, "hugo hugoo" wrote: > thanks for this quick answer. > I am a little bit lost... > > What is the starting and ending SOA record? > > In the original zone, there is only one SOA record... FWIW, When transferring it is normal to get the SOA as first and last record. Use +on

Re: reverse dns for IPV6 ranges

2012-03-19 Thread michoski
On 3/19/12 11:58 AM, "Peter Andreev" wrote: > 2012/3/19 hugo hugoo >> Jay, >> >> - Can you give me an example of such configuration? >> >> As anyone else some examples of IPV6 reverse configuration used in >> production environment? >> >> Thanks for sharing your experience... > > We use IPv6

Re: Convice Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread michoski
On 4/30/12 2:56 PM, "Augie Schwer" wrote: > I must be doing something wrong, because what I want to do doesn't > seem that difficult. > > I have a range of IPs bound to a local interface: > > lo:1 Link encap:Local Loopback > inet addr:10.0.0.1 Mask:255.255.255.224 This isn't a /

Re: Convice Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread michoski
On 4/30/12 4:14 PM, "Augie Schwer" wrote: > I think you've all missed the netmask there, 10.0.0.2 is in that range. > > augie@augnix:~$ sudo ifconfig lo:1 10.0.0.1 netmask 255.255.255.224 > > augie@augnix:~$ ifconfig lo:1 > lo:1 Link encap:Local Loopback > inet addr:10.0.0.1 Mask

Re: Convice Bind to listen on IP alias with a range of IPs.

2012-04-30 Thread michoski
On 4/30/12 10:17 PM, "Mark Andrews" wrote: > The fact that you can ping them just means that you have a kernel > bug. Yeah, the bug is using Linux. ;-) -- Don't worry about avoiding temptation -- as you grow older, it starts avoiding you. -- The Old Farmer's Almanac _

Re: dynamic update to SOA records

2012-05-01 Thread michoski
On 5/1/12 8:10 AM, "Anand Buddhdev" wrote: > On 01/05/2012 16:36, Chris Thompson wrote: > >> Our regular DNS changes (via [scripted] nsupdate) always add the SOA >> explicitly (it's going to change anyway, after all), setting the serial >> to the Unix time(2) value. BIND may have been incrementin

Re: Convice Bind to listen on IP alias with a range of IPs.

2012-05-01 Thread michoski
On 5/1/12 2:32 PM, "Augie Schwer" wrote: >> Contrary to what a lot of other people have suggested, it is in fact >> possible using the socket API to bind() to IPs which aren't explicitly >> created, due to special handling on the loopback interface. This can >> certainly be done under Linux, for e

Re: New to BIND - Setting up slaveserver

2012-05-07 Thread michoski
On 5/7/12 1:02 PM, "James Sheffer" wrote: > We have been running name servers using QDNS (Mac) for eons but now I want to > change that. welcome to bind. > I still have "NS1" (Master) set up and running with QDNS. It is also set to > be the master for "NS2" so that shouldn't need changing (I ho

Re: New to BIND - Setting up slaveserver

2012-05-07 Thread michoski
note: keeping replies on-list, so others can also chime in and help... On 5/7/12 2:41 PM, "James Sheffer" wrote: > On May 7, 2012, at 3:56 PM, michoski wrote: >> On 5/7/12 1:02 PM, "James Sheffer" wrote: >>> My first question is about my options. For

Re: New to BIND - Setting up slaveserver

2012-05-07 Thread michoski
On 5/7/12 5:57 PM, "Barry Margolin" wrote: > In article , > michoski wrote: >> note: keeping replies on-list, so others can also chime in and help... >> On 5/7/12 2:41 PM, "James Sheffer" wrote: >>> My mistake - I thought "allow-notify"

Re: I use ProBind and you ?

2011-08-30 Thread michoski
On 8/30/11 12:08 PM, "Kevin Oberman" wrote: > On Tue, Aug 30, 2011 at 11:33 AM, mfla wrote: >> I use ProBIND to administrate my BIND servers. >> I would like to know which other possibities be available for DNS central >> management ? > At my former employer, we used Nixu Namesurfer. While we're

Re: couldn't add command channel 127.0.0.1#54 error

2011-09-07 Thread michoski
On 9/7/11 10:02 AM, "michoski" wrote: > I'm guessing the BIND upgrade caused your startup script, named.conf location, > or something critical to change location... > > Cliché I know, but there are good pointers on Google: > > http://is.gd/create.php Apologies

Re: couldn't add command channel 127.0.0.1#54 error

2011-09-07 Thread michoski
On 9/7/11 9:39 AM, "Norman Fournier" wrote: > I was running BIND successfully on OS X 10.4 Tiger. That webserver crashed and > I replaced it with a new cpu and installed OS X 10.5 Leopard and have > encountered a number of errors in my configuration. This is the latest error > from the old config

Re: SERVFAIL

2011-09-15 Thread michoski
On 9/15/11 4:14 AM, "kshitij mali" wrote: > I repeated see domain lookup issue for the certain domain give an error > :SERVFAIL . my server is configured for simple caching nameserver for the  > email delivery > > please find the error example below > = > > > dig com

Re: Compelling Reason for Deploying DNSSEC

2011-09-15 Thread michoski
On 9/15/11 12:19 PM, "Paul Romano" wrote: > Does the lack of response indicate a lack of compelling reason or just lack of > interest in this topic?  Not at all, folks are just busy I bet... > Is there a way to tie an ROI into a DNSSEC deployment?  It's basically a risk analysis game. You shou

Re: Upgrading From 9.7.2 to 9.8.1 startup failed (due to fatal error)

2011-09-16 Thread michoski
On 9/16/11 7:45 AM, "Ken Schweigert" wrote: > Thinking maybe something happened to these devices, I listed them out > and didn't see anything obviously wrong: > > [root@ns1 dev]# ls -l /dev/null > crw-rw-rw- 1 root root 1, 3 Apr 8 14:46 /dev/null > [root@ns1 dev]# ls -l /chroot/named/dev/null >

Re: how to add NS record in Windows DNS?

2011-09-19 Thread michoski
On 9/17/11 2:56 AM, "babu dheen" wrote: > I know that this forum is not meant for windows DNS environment. but if you > can let me know some website or guide to add customer NS record in windows DNS > environment, will be much helpful. It's been many years since I administered AD, but I recall

Re: updating Bind made it slower

2011-09-26 Thread michoski
On 9/26/11 12:48 AM, "Tom Schmitt" wrote: > I just updated a couple of my DNS-servers from the rather old version 9.4.1 to > a newer version 9.8.0-P4. You want to get another cup of coffee, and plan an upgrade to 9.8.1 -- isn't adminspotting fun? :-) > After this I have problem with outages. Lo

Re: updating Bind made it slower

2011-09-27 Thread michoski
On 9/27/11 1:15 PM, "Warren Kumari" wrote: > On Sep 27, 2011, at 3:52 PM, Tom Schmitt wrote: >> I tested "rndc reload" against "rndc reconfig" on five different servers, >> Solaris and Linux, 9.8.0 and 9.4.1. On all servers the same result: >> Both commands take roughly the same amount of time! S

Re: dnssec question. confused.

2011-09-28 Thread michoski
On 9/28/11 5:32 AM, "Steve Arntzen" wrote: > Is your firewall Cisco based? > > There is a known "default" setting in Cisco with respect to packet size > for DNS. Our network guys run into this anytime they do an upgrade, > etc. and have to go in and update the setting. This bit me the first tim

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread michoski
On 9/30/11 10:12 AM, "John Wobus" wrote: > I'm a BIND user who is clamoring to keep such a feature out of BIND. In reality, there are plenty of you (us)... However, as usual (and particularly for anything ruled by committee), a few (often with the most capital) will ruin it for the many. For be

Re: dnssec config sanity check

2011-10-05 Thread michoski
On 10/4/11 3:49 PM, "Paul B. Henson" wrote: > dnssec is fairly complicated, and the issue of timing can be complex, > but once the variables are determined then the actual procedures of > implementation are pretty simple. Generate keys with appropriate > publication, activation, inactivation, and

Re: BIND/named on VM

2011-10-14 Thread michoski
On 10/14/11 10:49 AM, "Walter Smith" wrote: > I would like to setup latest BIND/named [slaves] within VMware environment - > is there any implications I should be aware of? > Since I saw some issues running NTPd on VMware - thinking may be 'named' might > have similar issues... No issues to date

Re: Turning log on bind for troubleshooting

2011-11-15 Thread michoski
Grab the BIND ARM for your version: http://www.isc.org/software/bind/documentation There it indirectly calls out that logging is its own section (e.g. It doesn't say "this is valid in options or views" like it does for many other things)... It is its own stanza: options { }; controls { }; a

Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset))failed

2011-11-16 Thread michoski
On 11/16/11 5:14 AM, "Phil Mayers" wrote: > On 16/11/11 13:07, Warren Kumari wrote: >> It was (very convincingly!) explained to me that INSISTS() are only >> used for the "this should not happen" cases, and if the INSISTS() >> were not there, many of the recent attacks may have led to much worse >

Re: trigger point for new bug

2011-11-16 Thread michoski
On 11/16/11 10:55 AM, "Chris Brookes" wrote: > Any info on whether the newly announced bug can be triggered before > the query ACL is applied on a recursive only server? An authoritative > only server ought to be safe? Hmm, good question. Then folks with IDS/IPS hooks could potentially catch who

Re: trigger point for new bug

2011-11-16 Thread michoski
On 11/16/11 1:20 PM, "Michael McNally" wrote: > According to our best current understanding of the issue: > > + Authoritative-only nameservers should be safe and only > recursing servers at risk. > > + From the security advisory we have posted on our website: > ( http://www.isc.org/sof

Re: trigger point for new bug

2011-11-16 Thread michoski
On 11/16/11 2:35 PM, "Michael McNally" wrote: > On 11/16/11 1:22 PM, michoski wrote: >> Short time ago I grabbed the latest tarball from your download site, and >> generated internal packages. I could have sworn that was 9.8.1-P4 (our >> internal packages still hav

Re: Query zone expiration time

2011-11-16 Thread michoski
On 11/16/11 10:20 PM, "Hajducko, Steven" wrote: > We're actually going to move the zones to our Infoblox system, which is why we > wanted to determine if we had enough time or if we had to bother with the > recovery, hence the question. Perhaps you want `dig @ soa +multiline`. -- By nature, me

Re: trigger point for new bug

2011-11-17 Thread michoski
On 11/17/11 3:58 AM, "Gaurav Kansal" wrote: > Can you please explain What is the meaning of "INVALID RECORD"? I think doing so in overly verbose terms just helps script kiddies while parts of the community schedule upgrades... It can be best not to rush this type of detail. Granted, "determ

Re: nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed)

2011-11-17 Thread michoski
On 11/17/11 1:45 PM, "/dev/rob0" wrote: > What I should perhaps do: separate the authoritative named instance > from the recursive one on the mail server. I suppose BIND 10 does > this, by design? Yes, that is best practice (I keep reading it in docs from people I trust, like Cricket Liu). I've

Re: About root zones

2012-01-03 Thread michoski
On 1/3/12 12:46 PM, "Kevin Darcy" wrote: > Those server folks have strange ideas about name resolution. Strange > enough that sometimes I don't even understand what the hell they are > trying to accomplish. In all fairness, lots of folks have strange ideas. We should start with standards -- soft

Re: Bind to INADDR_ANY

2012-01-10 Thread michoski
On 1/9/12 5:12 PM, "Bostjan Skufca" wrote: > is binding to all interfaces at once already supported in bind9? I know named > binds to each at-the-moment-available IP address but in HA environment with > virtual interfaces a "rndc reload" is necessary for named to pick up a new > interface, which l

Re: Help to identify Microsoft DNS version

2012-01-10 Thread michoski
On 1/9/12 11:38 PM, "babu dheen" wrote: > Can anyone help me how to find bind & microsoft DNS software version using > dig or nslookup command remotely? There are various fingerprinting methods you can use, with widely varying degrees of accuracy, but the most polite way is to use the SOA: $ di

Re: RFC 6303 vs. BIND: NS ... has no address records (A or AAAA)

2012-01-11 Thread michoski
On 1/11/12 10:57 AM, "Doug Barton" wrote: > Apples and oranges. The things listed below are actual bogons. Compare > http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf?rev=1.36 When tracking bogons, it's certainly good to stay up to date. Another related data point: http://www.team

Re: prevent DNS attack

2012-06-27 Thread Michael Hoskins (michoski)
define "fake" -- if you mean rfc1918, you can block the ranges at ingress, or with iptables or similar to avoid letting it hit bind at all. -Original Message- From: pangj Date: Wednesday, June 27, 2012 6:36 PM To: Tony Finch Cc: "bind-users@lists.isc.org" Subject: Re: prevent DNS attac

Re: getting edns disabling message in logs

2012-07-04 Thread Michael Hoskins (michoski)
-Original Message- From: Tony Finch Date: Wednesday, July 4, 2012 7:54 AM To: Cathy Almond Cc: "bind-users@lists.isc.org" Subject: Re: getting edns disabling message in logs >Cathy Almond wrote: >> >> >>https://kb.isc.org/article/AA-00708/55/Why-does-BIND-log-messages-about-d >>isabl

Re: What is the deal on missing "Authority Section" and "additional section" from google's DNS servers?

2012-07-10 Thread Michael Hoskins (michoski)
-Original Message- From: Ted Mittelstaedt Date: Tuesday, July 10, 2012 6:24 PM To: "bind-users@lists.isc.org" Subject: What is the deal on missing "Authority Section" and "additional section" from google's DNS servers? > I can't seem to find an option to turn off additional data.

Re: Survey - how many people running ISP nameservers define "minimal-responses" - was Re: What is the deal on missing "Authority Section" and "additional section" from google's DNS servers?

2012-07-11 Thread Michael Hoskins (michoski)
-Original Message- From: Ted Mittelstaedt Date: Wednesday, July 11, 2012 11:26 AM To: "bind-users@lists.isc.org" Subject: Survey - how many people running ISP nameservers define "minimal-responses" - was Re: What is the deal on missing "Authority Section" and "additional section" fr

Re: BIND 9.9.1-P1 reload bug

2012-07-12 Thread Michael Hoskins (michoski)
stupid question: i spent all of five minutes looking around isc.org -- but i did click all the top-level bind-related links, and couldn't find a pointer to rt to search for this ticket. does it require a support contract, is it internal-only, or am i just looking in the wrong place? i wanted to

Re: RHEL, Centos, Fedora rpm vs ISC bind versions

2012-07-16 Thread Michael Hoskins (michoski)
-Original Message- From: Drunkard Zhang Date: Sunday, July 15, 2012 5:29 PM To: Eivind Olsen Cc: "" Subject: Re: RHEL, Centos, Fedora rpm vs ISC bind versions >2012/7/16 Eivind Olsen : >> Den 15. juli 2012 kl. 16:57 skrev Benny Pedersen : >> >>> change to gentoo/funtoo ? >> >> Some mig

redhat package versions [ was Re: 9.8.2 Assertion Failures ]

2012-07-17 Thread Michael Hoskins (michoski)
turning a dead horse into a wet spot on the ground (in-line)... -Original Message- From: Oscar Ricardo Silva Date: Tuesday, July 17, 2012 7:13 AM To: "'bind-users@lists.isc.org'" Subject: Re: 9.8.2 Assertion Failures >Bailey, Morgan [BT] wrote: >> Hi all >> >> >> >> We have recentl

Re: Filtering IPv6 AAAA records?

2012-07-24 Thread Michael Hoskins (michoski)
-Original Message- From: Paul Reilly Date: Tuesday, July 24, 2012 11:06 AM To: "bind-users@lists.isc.org" Subject: Filtering IPv6 records? >Is it possible using the BIND resolver to filter out record replies >to end clients? > >Since Google added an IPv6 record, I'm havin

Re: Block some users with Bind9

2012-07-24 Thread Michael Hoskins (michoski)
I would try using RPZ with a combination of views and match-clients. http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/ -Original Message- From: Emiliano Vazquez Organization: PcCentro Informatica & CCTV Date: Tuesday, July 24, 201

Re: Block some users with Bind9

2012-07-27 Thread Michael Hoskins (michoski)
-Original Message- From: Emiliano Vazquez Organization: PcCentro Informatica & CCTV Date: Thursday, July 26, 2012 7:28 PM Cc: "bind-users@lists.isc.org" Subject: Re: Block some users with Bind9 >I was reading about rpz zones but i understand what i need to do. >I follow instructions but

Re: What does "deleted from unreachable cache" mean?

2012-08-02 Thread Michael Hoskins (michoski)
-Original Message- From: Peter Olsson Date: Thursday, August 2, 2012 10:25 AM To: Cathy Almond Cc: "bind-users@lists.isc.org" Subject: Re: What does "deleted from unreachable cache" mean? >Excellent information, thanks! Agreed. I really appreciate the effort ISC has put into the KB.

Re: security BIND

2012-08-05 Thread Michael Hoskins (michoski)
-Original Message- From: Carsten Strotmann Date: Saturday, August 4, 2012 8:37 AM To: Alberto Rasillo Cc: "bind-users@lists.isc.org" Subject: Re: security BIND >On Sat, 4 Aug 2012, Alberto Rasillo wrote: > >> Hi what are recommendations regarding security and DNS service? Thanks > >it is

Re: new bind 9.9 and root NS

2012-08-05 Thread Michael Hoskins (michoski)
-Original Message- From: "dkole...@olearycomputers.com" Organization: http://groups.google.com Date: Tuesday, July 31, 2012 2:16 PM To: "comp-protocols-dns-b...@isc.org" Subject: new bind 9.9 and root NS >I have a client who's migrating from an old bind 9.3 installation to a >new bind 9

Re: new bind 9.9 and root NS

2012-08-06 Thread Michael Hoskins (michoski)
-Original Message- From: Doug O'Leary Date: Monday, August 6, 2012 9:58 AM To: 'Doug Barton' , Mike Hoskins Cc: "comp-protocols-dns-b...@isc.org" Subject: RE: new bind 9.9 and root NS >After the network admin verified there was no firewall rule differences, >we >powered off the old sec

Re: Version statement...

2012-08-16 Thread Michael Hoskins (michoski)
You can specifically set version, authors, etc. but why not just block all "CHAOS" queries? Do you really need it? view "chaos" chaos { match-clients { any; }; allow-transfer { none; }; allow-query { none; }; allow-recursion { none; }; recursion no;

Re: Version statement...

2012-08-17 Thread Michael Hoskins (michoski)
-Original Message- From: Jeff Justice Date: Friday, August 17, 2012 6:10 PM To: "bind-users@lists.isc.org" Subject: Re: Version statement... >Okay, here's what I know: > >named-checkconf says there are no errors. >There is only one named process running. >When I apply my edited named.co

Re: Mangled secondary records...

2012-08-18 Thread Michael Hoskins (michoski)
-Original Message- From: Jeff Justice Date: Saturday, August 18, 2012 12:24 AM To: "bind-users@lists.isc.org" Subject: Mangled secondary records... >I made a change in all of the master records and wanted to force the >slave to update. > >I deleted all the host files on the secondary an

Re: 2 dns records for same server

2012-08-18 Thread Michael Hoskins (michoski)
-Original Message- From: Dwayne Hottinger Date: Saturday, August 18, 2012 5:49 AM To: "bind-users@lists.isc.org" Subject: 2 dns records for same server >I need to have 2 separate dns records for the same servername. >Essentially when inside my network (10.) I need it to resolve to a 10

Re: Static-stub zones and forwarding

2012-08-24 Thread Michael Hoskins (michoski)
-Original Message- From: Mark Picone Date: Thursday, August 23, 2012 10:45 PM To: "bind-users@lists.isc.org" Subject: Static-stub zones and forwarding >Hi All, > >I am in the process of migrating all of our client facing resolver hosts >back to BIND (from unbound) and have hit a roadblo

Re: transparent DNS load-balancing with a Cisco ACE

2012-10-19 Thread Michael Hoskins (michoski)
-Original Message- From: Chuck Swiger Date: Friday, October 19, 2012 5:09 PM To: John Miller Cc: DNS BIND Subject: Re: transparent DNS load-balancing with a Cisco ACE >> >> We're on a /16, so we have plenty of public IPs (though not as many as >>you!) to play with, too. The choice to

Re: Disable log message

2012-10-19 Thread Michael Hoskins (michoski)
-Original Message- From: Warren Kumari Date: Friday, October 19, 2012 8:56 PM To: Alan Clegg Cc: "bind-us...@isc.org" Subject: Re: Disable log message > >On Oct 19, 2012, at 6:13 PM, Alan Clegg wrote: > >> >> On Oct 18, 2012, at 1:13 PM, Chris Thompson wrote: >> >>> On Oct 18 2012,

Re: transparent DNS load-balancing with a Cisco ACE

2012-10-25 Thread Michael Hoskins (michoski)
-Original Message- From: jagan padhi Date: Thursday, October 25, 2012 1:21 PM To: DNS BIND Subject: Re: transparent DNS load-balancing with a Cisco ACE >Hi, > >Is it possible to configure BIND for IPV4 and IPV6 in the same server? > >Regards, >Jagan Yes, we've been doing that since w

Re: Should Root Servers Always be Queried First? bind9.7.7

2012-11-07 Thread Michael Hoskins (michoski)
-Original Message- From: Martin McCormick Date: Wednesday, November 7, 2012 1:12 PM To: "bind-users@lists.isc.org" Subject: Should Root Servers Always be Queried First? bind9.7.7 >If I do: > >dig @localhost +short +trace somehost.okstate.edu > >on a server authoritative for the okstate.

Re: truncated responses vs. minimal-responses?

2012-11-27 Thread Mike Hoskins (michoski)
-Original Message- From: Matus UHLAR - fantomas Date: Tuesday, November 27, 2012 12:28 PM To: "bind-users@lists.isc.org" Subject: truncated responses vs. minimal-responses? >Hello, > >last few weeks I have seen many discussions over UDP truncating and using >"minimal-responses yes;" to

Re: another performance tuning question

2012-12-02 Thread Mike Hoskins (michoski)
-Original Message- From: "Jeremy C. Reed" Date: Friday, November 30, 2012 4:18 PM To: "Adamiec, Lawrence" Cc: "bind-users@lists.isc.org" Subject: Re: another performance tuning question >On Fri, 30 Nov 2012, Adamiec, Lawrence wrote: > >> I got similar results when running against the m

Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message- From: Phil Mayers Date: Thursday, January 3, 2013 9:44 AM To: "bind-users@lists.isc.org" Subject: Re: Distribute named.conf >On 03/01/13 14:36, Warren Kumari wrote: > >> Yup, have a look at Puppet. >> >> For the first while it will seem like way way more work than it

Re: open-source tool for filter out stats from dns logs

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message- From: Jeff Wright Date: Thursday, January 3, 2013 8:41 AM To: "bind-users@lists.isc.org" Subject: Re: open-source tool for filter out stats from dns logs >There might be some tools already out there (like Splunk) that do this >for you. I think you can get a free Splu

Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message- From: "wbr...@e1b.org" Date: Thursday, January 3, 2013 2:29 PM To: "bind-users@lists.isc.org" Subject: Re: Distribute named.conf >How does Puppet compare to Ansible? http://ansible.cc/ Thanks for sharing, first I'd heard of it... From a quick glance (in a rush atm

Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message- From: "wbr...@e1b.org" Date: Thursday, January 3, 2013 3:15 PM To: Mike Hoskins Cc: "bind-users@lists.isc.org" , "bind-users-bounces+wbrown=e1b@lists.isc.org" Subject: Re: Distribute named.conf >Mike wrote on 01/03/2013 02:45:29 PM: > >> Thanks for sharing, first

Re: gitnamed, a project to manage name server by git

2013-01-08 Thread Mike Hoskins (michoski)
-Original Message- From: Jan-Piet Mens Date: Tuesday, January 8, 2013 4:35 PM To: "bind-users@lists.isc.org" Subject: Re: gitnamed, a project to manage name server by git >> GitNamed is a project that manage name server by git. you can clone >> the git repo to any workstation, edit zone

Re: Name resolution fails if not forwarding

2013-01-09 Thread Mike Hoskins (michoski)
-Original Message- From: Daniele Date: Wednesday, January 9, 2013 9:17 AM To: "bind-users@lists.isc.org" Subject: Re: Name resolution fails if not forwarding >This is the scenario. > >I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04, >virtualized on VirtualBox. >The net

Re: query about EDNS UDP Packet

2013-01-09 Thread Mike Hoskins (michoski)
-Original Message- From: Gaurav Kansal Date: Wednesday, January 9, 2013 12:34 AM To: Sten Carlsen , "bind-users@lists.isc.org" Subject: Re: query about EDNS UDP Packet >Thanks for help. >My Firewall was dropping packet size larger than 512 bytes. >Cisco 5580 having ASA 8.3. It is by def

Re: MNAME not a listed NS record

2013-01-16 Thread Mike Hoskins (michoski)
-Original Message- From: Vernon Schryver Date: Wednesday, January 16, 2013 5:05 PM To: "bind-users@lists.isc.org" Subject: Re: MNAME not a listed NS record >> From: Dave Warren > >> Various online DNS diagnostic tools throw warnings, > >Speaking of so called DNS diagnostic tools, one c

Re: what do you use for logging?

2013-01-17 Thread Mike Hoskins (michoski)
-Original Message- From: Alan Batie Date: Thursday, January 17, 2013 1:52 PM To: "bind-users@lists.isc.org" Subject: Re: what do you use for logging? >On 1/17/13 10:48 AM, Jan-Piet Mens wrote: > >>> By the way, all of the BIND10 logging >>> messages are unique and we provide a paragraph

Re: BIND 9.9.3b1 is now available

2013-01-25 Thread Mike Hoskins (michoski)
-Original Message- From: Timothe Litt Date: Friday, January 25, 2013 6:13 PM To: "bind-users@lists.isc.org" Subject: Re: BIND 9.9.3b1 is now available >On 25-Jan-13 17:32, Michael McNally wrote: >> BIND 9.9.3b1 is the first beta release of BIND 9.9.3. >> >> Makes available a new X

Re: Slaving from DNS masters behind LVS

2013-02-12 Thread Mike Hoskins (michoski)
Note: Removing cross-post, but feel free to forward. -Original Message- From: Nick Urbanik Date: Tuesday, February 12, 2013 10:00 PM To: "keepalived-de...@lists.sourceforge.net" , "bind-users@lists.isc.org" Subject: Slaving from DNS masters behind LVS >Dear Folks, > >We have a pair of

Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message- From: Robert Moskowitz Date: Wednesday, February 13, 2013 10:53 AM To: "bind-users@lists.isc.org" Subject: chroot/etc/named/ directory? >I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in >Centos 6.3. > >I have and will run bind chrooted and on my tes

Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message- From: Robert Moskowitz Date: Wednesday, February 13, 2013 2:15 PM To: Mike Hoskins Cc: "bind-users@lists.isc.org" Subject: Re: chroot/etc/named/ directory? >>Having said all that, you might search the archives (SRPMS have been >> provided by community members) or oth

Re: BIND9 statistics-server: JSON?

2013-02-15 Thread Mike Hoskins (michoski)
-Original Message- From: Jan-Piet Mens Date: Friday, February 15, 2013 12:57 AM To: "bind-users@lists.isc.org" Subject: BIND9 statistics-server: JSON? >As a fan of BIND's statistics-server I was tempted to see if I could >reduce the size of the data (XML) named produces by adding an opt

Re: Randoming ports and firewall rules

2013-02-15 Thread Mike Hoskins (michoski)
-Original Message- From: Robert Moskowitz Date: Friday, February 15, 2013 1:33 PM To: "bind-users@lists.isc.org" Subject: Randoming ports and firewall rules >So it is past time for me to only use port 53 and support port >randomization. But I do run iptables (and ip6tables) and the ser

Re: Cannot create A record issue

2013-02-20 Thread Mike Hoskins (michoski)
-Original Message- From: Jsilliman Date: Wednesday, February 20, 2013 1:57 PM To: Alan Clegg Cc: "bind-users@lists.isc.org" Subject: Re: Cannot create A record issue >Ubuntu does not use that: > >root@:/etc/bind# cat /etc/resolv.conf ># Dynamic resolv.conf(5) file for glibc res

Re: allow-query and views

2013-02-21 Thread Mike Hoskins (michoski)
-Original Message- From: Robert Moskowitz Date: Thursday, February 21, 2013 12:53 PM To: Vernon Schryver Cc: "bind-users@lists.isc.org" Subject: Re: allow-query and views >Whow... This is news. A hidden view? Where is this documented. I >have no restrictions in my general options s

Re: BIND master , Windows 2008 stub zone not transferring

2013-02-21 Thread Mike Hoskins (michoski)
-Original Message- From: Sowmya Manjanatha Date: Thursday, February 21, 2013 1:11 PM To: "bind-users@lists.isc.org" Subject: Re: BIND master , Windows 2008 stub zone not transferring >Well, I have a stub zone on Windows 2008 server set-up to use two >different BIND server as its list of

Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-22 Thread Mike Hoskins (michoski)
-Original Message- From: Shawn Bakhtiar Date: Friday, February 22, 2013 12:06 AM To: "bind-users@lists.isc.org" Subject: RE: Registrar that supports self-run domains and provides DNSSEC support >2) We don't buy or maintain street addresses from a for profit company, >why should domain

Re: Forward First on Master Zone (bypass SOA)

2013-04-01 Thread Mike Hoskins (michoski)
-Original Message- From: Kevin Darcy Date: Monday, April 1, 2013 2:46 PM To: "bind-users@lists.isc.org" Subject: Re: Forward First on Master Zone (bypass SOA) >On 3/29/2013 12:09 AM, Doug Barton wrote: >> On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote: >>> My organization is evalu

Re: Simple question about zone and CNAME

2013-04-05 Thread Mike Hoskins (michoski)
-Original Message- From: Chris Thompson Date: Friday, April 5, 2013 3:10 PM To: Bind Users Mailing List Subject: Re: Simple question about zone and CNAME >On Apr 5 2013, John Wobus wrote: > >>> DNAME? >> >>Or SRV records. Surely browsers are adding support >>in the next day or two? >

Re: ANNOUNCEMENT: New BIND versions are available.

2013-04-13 Thread Mike Hoskins (michoski)
-Original Message- From: Doug Barton Date: Saturday, April 13, 2013 12:34 AM To: "bind-users@lists.isc.org" Subject: Re: ANNOUNCEMENT: New BIND versions are available. >Michael, > >Thanks for this announcement, and a welcome change. > >Given the following: > >1. bind-announce is very l

Re: Caching server - named process is limit at 500MB

2013-04-16 Thread Mike Hoskins (michoski)
-Original Message- From: Chu Ha Khanh Date: Tuesday, April 16, 2013 10:25 PM To: 'Jaco Lesch' Cc: "bind-users@lists.isc.org" Subject: RE: Caching server - named process is limit at 500MB >Hi, > >How to check 64 bit version of bind? > >I often download source code from isc.org and com

Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message- From: Jeremy P Date: Wednesday, May 8, 2013 1:33 PM To: Steven Carr Cc: bind-users Subject: Re: architecture question >I understand letter of the law, spirit of the law and playing it safe to >avoid headaches. > >However, there are times where registering a real doma

Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message- From: Jonathan Reed Date: Wednesday, May 8, 2013 4:38 PM To: Jeremy P Cc: bind-users Subject: Re: architecture question >It would be a waste of money as their systems never leave the local >network, except through a NAT connection. > >Godaddy is selling .coms for $0.

Re: architecture question

2013-05-09 Thread Mike Hoskins (michoski)
-Original Message- From: Tony Finch Date: Thursday, May 9, 2013 11:01 AM To: Matus UHLAR - fantomas Cc: "bind-users@lists.isc.org" Subject: Re: architecture question >Matus UHLAR - fantomas wrote: >> On 09.05.13 10:21, Tony Finch wrote: >> > Right. Give each student a subdomain of som

Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message- From: Narcis Garcia Date: Wednesday, June 5, 2013 12:43 PM To: "bind-users@lists.isc.org" Subject: This list's prefix >It's not the only mailing list where I'm subscribed. >Could please the administrator setup a prefix for messages' subject? > >For example: >[bind-u]

Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message- From: Narcis Garcia Date: Wednesday, June 5, 2013 1:02 PM To: "bind-users@lists.isc.org" Subject: Re: This list's prefix >Somebody has answered me privately and didn't realize until I've >checked all details of each message. I've been near to respond to the >list abo

Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message- From: Warren Kumari Date: Wednesday, June 5, 2013 1:46 PM To: Narcis Garcia Cc: "bind-users@lists.isc.org" Subject: Re: This list's prefix >-- >Curse the dark, or light a match. You decide, it's your dark. >-- Valdis Kletnieks Very appropriate!

Re: This list's prefix

2013-06-06 Thread Mike Hoskins (michoski)
-Original Message- From: "Elmar K. Bins" Organization: unorganized since 1789 Date: Thursday, June 6, 2013 6:18 AM To: "bind-users@lists.isc.org" Subject: Re: This list's prefix >s...@resistor.net (SM) wrote: > >> >And the 100-dollar-question is: How do you remove them on outgoing >>mai

Re: Health Check feature in BIND ?

2013-06-17 Thread Mike Hoskins (michoski)
-Original Message- From: Gaurav Kansal Date: Monday, June 17, 2013 3:27 AM To: "bind-users@lists.isc.org" Subject: Health Check feature in BIND ? >Dear All, > >I was just thinking whether it is possible to have a some type of health >checking of servers through BIND DNS Server and DNS
