On 11.12.2013 11:09, Dnsbed Ops wrote:
Does the slave verify the notify IP?
When the master sends a notify to slaves, does the slave make sure it is
from the correct master IP?
yes
dns-operations mailing list
dns-operations@lists.dns-oarc.net
On 13.12.2013 15:21, Emmanuel Thierry wrote:
Hello
(First time posting on this ML)
After several months of waiting, I'm testing DNSSEC deployment with some of my
domains, using opendnssec software.
However, some principles still are hard to envision for dummies, especially
time schedules.
As
On 13.12.2013 16:10, Emmanuel Thierry wrote:
Hello,
On 13 Dec. 2013 at 15:43, Klaus Darilion wrote:
On 13.12.2013 15:21, Emmanuel Thierry wrote:
Does material exist to explain graphically (in an ideal way) each specific
key and DNSSEC record life cycle, in the same manner of
Hi!
I have some questions about the IANA checks for name servers, especially
this one:
>
>> - GlueCoherencyCheck
>>
>> - The A and records [] returned from the authoritative name server
>> [B.DNS.NIC.WIEN] are not the same as the supplied glue records
>> [193.170.61.4, 2001:62A:A:2000:0:0
I agree with the bad behavior of the stub resolver.
On 22.04.2014 21:04, Chuck Anderson wrote:
2. Use a local DNS daemon on every server with forwarders configured
to the network's nameservers, and fix resolv.conf to 127.0.0.1.
The problem here is that you add another single point of failu
On 06.06.2014 12:48, Tony Finch wrote:
> The web page says something about them using BGP anycast for speed, but
> they don't have any nodes near me. But they do not appear to be aiming
> their service at Europeans :-)
AFAIS both name servers are located in China.
regards
Klaus
On 11.07.2014 23:40, Chris Adams wrote:
> Once upon a time, Edward Peschko said:
>> I'm trying to create a /etc/resolv.conf where one dns server is used
>> in the case of one domain, and a different dns server is used for
>> another.
>
> Basically, you can't with just /etc/resolv.conf (aka via
On 02.04.2020 at 05:51, Tessa Plum wrote:
Hello Paul
We were under some attack like a UDP flood to the authority servers; there
were a lot of UDP requests flooding the servers. The traffic size was
about 20Gbps last time, as I said in my last message. The clients seem
to be using spoofed IP addr
On 02.04.2020 at 09:15, Frank Louwers wrote:
dnsdist allows you to do general ratelimiting/blocking
Ratelimiting is often not the correct choice.
If the source IP is random (which is usually the case with spoofed
source IP addresses), a rate limiting based on source IP is not useful.
If th
switched to high performance backends for the zones which
are under constant attack.
regards
Klaus
On 02.04.2020 at 13:22, Frank Louwers wrote:
That's very selective cutting of my sentence Klaus
On 2 Apr 2020, at 13:09, Klaus Darilion <klaus.mailingli...@pernau.at>
Hello!
In my setup I receive zones from various hidden primaries to my
"incoming" nameserver. Before my "distribution" nameserver fetches the
zone from the "incoming" nameserver (and hence sends NOTIFYs to the
public secondaries) I want to perform various checks on the zone
loaded on the in
Hi Anand!
On 04.05.2021 at 16:30, Anand Buddhdev wrote:
You might want to look at Tony Finch's nsnotifyd, which is a custom
program that can monitor zones for changes, and run custom commands when
changes are detected. It can also listen for NOTIFY messages and act
immediately on zone changes.
Hi all!
In my DNSSEC key rollover processes, before deleting a key and when
activating a key, I check if the signed zone contains signatures from
the respective key. Up to now this was more or less:
dig ... axfr | grep RRSIG | grep $KEYID
This worked fine for a long time, but when having key
On 07.05.2021 at 00:57, Benno Overeinder wrote:
Hi Klaus,
On 04/05/2021 15:59, Klaus Darilion wrote:
In my setup I receive zones from various hidden primaries to my
"incoming" nameserver. Before my "distribution" nameserver fetches the
zone from the "incoming
Hi Tony!
On 06.07.2021 at 18:00, Tony Finch wrote:
Klaus Darilion wrote:
dig ... axfr | grep RRSIG | grep $KEYID
This worked fine for a long time, but when having keys with the same keyid this
obviously does not work anymore.
If it is one of your zones then your key management software
On 22.07.2012 18:19, Mark Jeftovic wrote:
Am I right in thinking that Google public DNS simply does not cycle the
multiple records on a round-robin host? There have been a few threads on
this (i.e. google "round robin 8.8.8.8").
At first I thought this was just impacting a specific customer doma
Hi!
Lately, there has been much discussion and many examples on how to block the DNS
requests of DNS amplification attacks. Such filters prevent the name
server from seeing the request, thus of course massively reducing the
outgoing traffic. But such filters cannot reduce the incoming traffic -
the attacke
Hi Paul!
On 10.09.2012 19:48, Paul Vixie wrote:
please don't do, or promulgate, this. ddos filtering in order to do more
good than harm has to be based on the attack's answer, not on its query.
see also the three flaws identified above, which also apply here. (so,
your approach has four, adding
On 11.09.2012 17:09, Robert Schwartz wrote:
The other interesting thing I noticed about the attack packets is that
the source port and transaction ID are transposed. This could be used to
fingerprint the abusive packets. Here are a few lines from our TinyDNS
log (domain names removed and time-c
On 11.09.2012 18:38, Vernon Schryver wrote:
The tuple is used to select a
>state blob. In the amplification attacks on our authoritative servers we
>Thus, it may take some time until the attacker starts with domain1.com
>again. If I understand the Responder Behavior correct, this would mean
>t
On 12.09.2012 11:06, Simon Munton wrote:
We've been seeing 1000's of ANY queries/sec for many months, but use RRL
to filter them, so haven't been too bothered - mostly hitting our Tokyo
node.
http://stats.cdns.net/public/0.0.0.1/D4AE52-BBA337.html
But I can confirm we ARE getting the same pat
On 25.10.2012 22:16, David Miller wrote:
On 10/25/2012 1:48 PM, paul vixie wrote:
On 10/25/2012 5:08 PM, Michael Hoskins (michoski) wrote:
...
Seems to show clever hacks can be useful (looks good for roots), but don't
generally work against real hackers who typically read lists (and source
On 29.10.2012 11:13, Dobbins, Roland wrote:
On Oct 29, 2012, at 4:28 PM, Klaus Darilion wrote:
We apply iptables based rate-limiting on ANY queries with RD bit set.
The problem with fronting your DNS servers with a stateful firewall is that it
makes it susceptible to trivial state
On 31.10.2012 02:52, Dobbins, Roland wrote:
On Oct 31, 2012, at 4:37 AM, Florian Weimer wrote:
Reflection attacks do not use totally random source addresses, so the typical
state exhaustion vector does not necessarily apply.
There are many more types of attacks other than reflection/amp
Hi!
I'm looking for sample zone files for name server testing after software
upgrades. The zone files should contain "normal" stuff but also complex
stuff like CNAME/DNAME, wildcard records ...
Is anyone aware of such existing zone files (and even better: existing
test clients)?
Thanks
Kla
Nice.
Feature Request:
- Set NSID flag while querying and report the NSID in the JSON response.
- Specify IP address of the authoritative server that should be queried
Further, what are the requirements when sponsoring resolvers? Do you use
some dedicated software on the lg-nodes, or just simpl
On 11.07.2013 16:38, Frederic Cambus wrote:
Hi Klaus,
On Mon, Jul 8, 2013 at 1:04 PM, Klaus Darilion wrote:
Feature Request:
- Set NSID flag while querying and report the NSID in the JSON response.
Added to the WishList, thanks. For the next iteration, I'm also pondering
addin