Re: [dns-operations] DNSSEC problem with 174.in-addr.arpa

2013-11-18 Thread Anand Buddhdev
ecord, so it patiently kept waiting and logging this fact. We informed ICANN, and they fixed the operational issue in their provisioning system that was blocking the update. We expect to update the DS records of all zones this week. Regards, Anand Buddhdev RIPE NCC

[dns-operations] BIND, Knot and NSD behaviour on zone expiry

2014-02-10 Thread Anand Buddhdev
resumably because they couldn't synchronise the zone with the master. Knot seems to think that it's okay to serve the zone as long as it can query the master, even if the master's serial number is different. Is Knot's behaviour acceptable? Regards, Anand Buddhdev

Re: [dns-operations] DNS load-balancing/failover using an ASR 9xxx (few questions)

2014-08-15 Thread Anand Buddhdev
On 15/08/2014 00:00, Nat Morris wrote: > BGP sessions between the ASR 9 and each DNS server in the cluster, > ExaBGP running on them announcing their loopback/service /32 + /128 > address(es). > > Health check scripts on each service to probe for service ability, > retract the announcement up

[dns-operations] DNSSEC validation failures for .KE

2015-03-31 Thread Anand Buddhdev
/ Their current DS record points to a key that has the revoke bit set, but it is no longer signing the DNSKEY rrset. Regards, Anand Buddhdev RIPE NCC

Re: [dns-operations] DNSSEC validation failures for .KE

2015-03-31 Thread Anand Buddhdev
On 31/03/15 13:53, Stephane Bortzmeyer wrote: > There are other problems: > > * 10 (!) DNSKEY which seems too many I saw 9 when I looked. This seems to be getting worse. > * lame delegations to mzizi.kenic.or.ke mzizi.kenic.or.ke was answering earlier, but is now giving SERVFAIL as well. Anan

Re: [dns-operations] [Security] Glue or not glue?

2015-05-04 Thread Anand Buddhdev
On 04/05/15 09:11, Stephane Bortzmeyer wrote: Bonjour Stéphane, > A new edition of the DNS security guide by ANSSI (French cybersecurity > agency) recommends to prefer delegations with glue because glueless > delegations "may carry additional risks since they create a > dependency". Is there any

Re: [dns-operations] com. Glue

2015-05-19 Thread Anand Buddhdev
On 19/05/15 23:12, Jim Popovitch wrote: Hi Jim, > Hello, > > I'm stuck in the middle with $registrar saying glue exists, and > intodns, et.al., saying no glue exists. I would appreciate any > insight into why there is no glue appearing for speedyiguana.com (a > mailman dev/test system that i u

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Anand Buddhdev
ach .MW's masters: 23-Jun-2015 19:05:26.224 general: zone mw/IN/main: refresh: retry limit for master 196.45.188.5#53 exceeded (source 0.0.0.0#0) 23-Jun-2015 19:05:56.225 general: zone mw/IN/main: refresh: retry limit for master 41.221.99.135#53 exceeded (source 0.0.0.0#0) Re

Re: [dns-operations] Verifying that a recursor is performing DNSSec validation

2015-07-17 Thread Anand Buddhdev
On 17/07/15 07:51, Frank Bulk wrote: > I've completed writing the first iteration of a NAGIOS-oriented Perl script > that does the checks I've described. It was actually more painful to get > the Net:DNS:DNSsec Perl module installed than anything else. I haven't seen your script, of course, so I

Re: [dns-operations] IPv6 only for nameservers

2019-12-30 Thread Anand Buddhdev
On 30/12/2019 10:38, Yonah Peng wrote: Hi Yonah Peng, > As IPv4 addresses were exhausted today, if we have deployed the > nameservers with IPv6 addresses only, can they be resolvable by world wide? If your domain's authoritative name servers have only IPv6 addresses, then your domain will not be

Re: [dns-operations] Surprising behaviour by certain authoritative name servers

2020-01-07 Thread Anand Buddhdev
8af1379 specify that www.heaven.af.mil will have address 1.2.3.4 until time 400038af1379 (2000-02-19 22:04:31 UTC) and will then switch to IP address 1.2.3.7." Regards, Anand Buddhdev ___ dns-operations mailing list dns-operations@lists.dns

Re: [dns-operations] Outages last night?

2020-04-03 Thread Anand Buddhdev
On 03/04/2020 11:43, Greg Choules via dns-operations wrote: > Good morning all. > Did anyone else experience service outages around 22:20 to 22:30 (UTC) > yesterday? Yes. No. Maybe. If you ask a more specific question about which service you're talking about, it might be easier to answer. > Just

[dns-operations] DNSSEC Validation Failures for RIPE NCC Zones

2020-05-22 Thread Anand Buddhdev
experienced some failures if they had cached signatures made by the old ZSKs. We apologise for any operational problems this may have caused. We are looking at the issue with the developers of our Knot DNS signer to prevent such an occurrence in the future. Regards, Anand Buddhdev RIPE NCC

[dns-operations] NXDOMAIN for a-dns.pl and e-dns.pl

2020-06-01 Thread Anand Buddhdev
Hi, Anyone from the Polish ccTLD around? The .PL delegation contains a-dns.pl and e-dns.pl, but when the name server addresses of .PL are queried for A and records for these names, I get NXDOMAIN responses. ; <<>> DiG 9.16.3 <<>> +trace +nodnssec a-dns.pl a ;; global options: +cmd .

Re: [dns-operations] Possibly-incorrect NSEC responses from many RSOs

2021-03-01 Thread Anand Buddhdev
On 01/03/2021 18:55, Viktor Dukhovni wrote: Hi Viktor, > Cool, but at first blush the feature appears to have a bug in BIND 9.16.12: > > # dig +noall +ans +nocl +nottl +nosplit +norecur -t rrsig .org > @ | awk '{print $2}' | uniq -c >1 RRSIG > > # dig +noall +ans +nocl +nottl +

Re: [dns-operations] validating zones before distribution to secondaries

2021-05-04 Thread Anand Buddhdev
ustom commands when changes are detected. It can also listen for NOTIFY messages and act immediately on zone changes. You could use it to run your custom checks before distributing your zones. https://github.com/fanf2/nsnotifyd Regards, Anand Buddhdev

Re: [dns-operations] K-root in CN leaking outside of CN

2021-11-08 Thread Anand Buddhdev
already said this, but I'd like to make it clear that the K-root server was NOT emitting false responses for Facebook and WhatsApp. The responses were being modified by something between the server and its clients. Regards, Anand Buddhdev RIPE NCC On 08/11/2021 08:45, Davey Song wrote:

[dns-operations] Changes to Time-to-Live (TTL) values in reverse DNS zones

2022-04-11 Thread Anand Buddhdev
records will be imported with the TTLs as published by the origin RIR. Regards, Anand Buddhdev RIPE NCC

Re: [dns-operations] Stale .GN and .LR zone data in some instances of "ns-{gn, lr}.afrinic.net"

2022-08-30 Thread Anand Buddhdev
On 30/08/2022 18:42, Randy Bush wrote: Hi Randy, Viktor, another day of no response from afrinic, and i guess i should ask the iana to remove them from the NS RRset for GN and LR. anyone have a way to get afrinic dns folk's attention? Try the address dns-mast...@afrinic.net. This is the addr

Re: [dns-operations] New addresses for b.root-servers.net

2023-06-03 Thread Anand Buddhdev
On 03/06/2023 23:09, Doug Barton wrote: Hi Doug, [snip] Since the host records are the interesting bit, we do absolutely need to make sure that we can sanity check them somehow. I'm not sure Chris' suggestion to essentially "vote" on which host records are the right ones based on the results

Re: [dns-operations] in-addr.arpa. "A" server "loopback network" misconfiguration

2023-06-22 Thread Anand Buddhdev
On 22/06/2023 16:48, Matthew Pounsett wrote: Hi Matt, Which of the below would you suggest? SOA rname:ns...@iana.org WHOIS Administrative: i...@iab.org WHOIS Technical: tld-cont...@iana.org I would have started with the IANA addresses, since they publish the z

Re: [dns-operations] Old version of dig on macOS

2023-12-18 Thread Anand Buddhdev
On 18/12/2023 19:48, Weinberg, Matt via dns-operations wrote: Hi Matt, The latest patched versions of macOS Ventura (13.6.3) and Sonoma (14.1.2) both include an old version of the dig client: % dig -v DiG 9.10.6 I only noticed the issue when I attempted to retrieve the ZONEMD record of the ro

[dns-operations] Minimalistic DNS server for SOA and AXFR

2012-07-16 Thread Anand Buddhdev
Hello DNS gurus, I'm writing a minimalistic DNS server (in python, using the dnspython module), whose purpose will simply be to provide AXFR for a fixed set of zones. The clients will be BIND and/or NSD. It will send NOTIFY messages to the clients, and provide (some) responses. As far as I c

Re: [dns-operations] Minimalistic DNS server for SOA and AXFR

2012-07-17 Thread Anand Buddhdev
e XFR). So I can get away with implementing just AXFR over TCP, and nothing else (including returning AXFR in response to IXFR). Regards, Anand On 16/07/2012 16:49, Anand Buddhdev wrote: > Hello DNS gurus, > > I'm writing a minimalistic DNS server (in python, using the dnspython > module

Re: [dns-operations] Minimalistic DNS server for SOA and AXFR

2012-07-17 Thread Anand Buddhdev
On 17/07/2012 15:33, Mark Andrews wrote: > Actually named does do SOA queries over TCP before AXFR. Hi Mark, On my MacOS X laptop (which comes with BIND 9.7.3-P3), I didn't see SOA queries over TCP. I saw a SOA query over UDP, followed by an AXFR request over TCP. Besides TC in a UDP response, w

Re: [dns-operations] Minimalistic DNS server for SOA and AXFR

2012-07-17 Thread Anand Buddhdev
On 17/07/2012 21:38, Jaap Akkerhuis wrote: Hi Bert, > Anand, > > Sorry to be obtuse, and of course, nothing on the internet needs a reason. > > But inquiring minds want to know. WHY are you inventing yet another > nameserver when we have so many fine ones available alrea

Re: [dns-operations] Reverse DNSSEC--delegating to a child

2012-07-24 Thread Anand Buddhdev
gistration. Karen should be able to use the ARIN web interface to upload DS records. ARIN will then publish the NS+DS records in the 151.in-addr.arpa zonelet on its FTP server, and the RIPE NCC will pick it up and insert the delegation information into 151.in-addr.arpa. Regards, Anand Buddhdev RIPE

Re: [dns-operations] Name server turning off RD bit in response - just curious

2012-08-07 Thread Anand Buddhdev
On 07/08/2012 13:40, Faasen, Craig wrote: > RD is set to 1 in the query, but is 0 in the response. > Which is not compliant with RFC 1035: "RD Recursion Desired - this > bit may be set in a query and is copied into the response." > > Out of curiosity, any idea why a name server would want to chan

Re: [dns-operations] Anycast and views match-destination

2012-08-18 Thread Anand Buddhdev
On 18/08/2012 12:00, sasa sasa wrote: Hello sasa sasa (please use your real name; it's polite), > So I use match-destination in BIND views on a server with multiple interfaces. > > If I want to configure one of these interfaces to be part of an > anycast network, should I change match-destinatio

[dns-operations] Comparing TCP and UDP response times of root name servers

2012-10-17 Thread Anand Buddhdev
welcome. Regards, Anand Buddhdev RIPE NCC

[dns-operations] Multi-master setups

2013-05-17 Thread Anand Buddhdev
any of you do this? Aside from this idea, are there any other clever ideas people have implemented? Regards, Anand Buddhdev

[dns-operations] Discarding bad records from an AXFR

2013-07-30 Thread Anand Buddhdev
ou all think is the correct behaviour? Or are both correct? PS. I realise that Knot's behaviour could break a DNSSEC-signed zone, but then, no sane signer will sign a zone with out-of-zone records, so that the process of signing a zone would force the operator to clean up their zone. Regards,

[dns-operations] Registrars with a "registry lock" service

2025-01-08 Thread Anand Buddhdev
hibited", "serverRenewProhibited", "serverTransferProhibited" and "serverUpdateProhibited" lines. These ensure that the domain cannot be deleted, transferred, or modified without a manual check by the registry. Is anyone aware of registrars that provide this service? Regards,

Re: [dns-operations] Potentially blacklisted on h.root-servers.net, e.in-addr-servers.arpa

2025-04-09 Thread Anand Buddhdev
Roy Arends has already provided a contact for H-root. For e.in-addr-servers.arpa, contact APNIC . Regards, Anand Buddhdev RIPE NCC On Wed, 9 Apr 2025 at 11:22, Thomas Mieslinger via dns-operations < dns-operati...@dns-oarc.net> wrote: > > > > -- Forwarded message