[help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Yang via bind-users
Dear admin:
  I now use bind-9.18-21 and want to use the ECS client subnet function, but I 
don't know how to configure it, and I couldn't find a method on Google.
  Please give me some examples, documents, or Google links to learn about 
it.
  Thanks!

Yang
395096...@qq.com
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules
Hello.
Do you mean 9.18-S1?


> On 28 Apr 2024, at 08:06, Yang via bind-users  
> wrote:
> 
> 
> dear admin:
>   now, i use bind-9.18-21, i want to use ecs client subnet function; but i 
> don't know how to configure it, and i don't get method from google
>   please give me some example,or document , or google links to learn about it 
> ;
>   thanks!
>   
> Yang
> 395096...@qq.com
>  



Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules
OK.

Firstly, the bad news. ECS is only available in the subscription version of 
BIND. That is, versions ending with -S. To get this version you need a (paid) 
support contract with ISC. If you are interested, let me know.

Secondly, 9.18.21 is not current. I would recommend that you use the latest 
version, which is 9.18.26 (you can see in your screenshot).

I hope that helps.
Greg

> On 28 Apr 2024, at 08:42, Yang <395096...@qq.com> wrote:
> 
> 
> 
> is v.9.18.21 below this reference
> 

> 
> 
>   
> Yang
> 395096...@qq.com
>  
> 
>  
> 
> 
> -- Original --
> From: "Greg Choules" ;
> Date: Sun, Apr 28, 2024 03:39 PM
> To: "Yang"<395096...@qq.com>;
> Cc: "bind-users";
> Subject: Re: [help]how to configure ecs subnet for bind-9.18-21
> 
> Hello.
> Do you mean 9.18-S1?
> 
> 
>> On 28 Apr 2024, at 08:06, Yang via bind-users  
>> wrote:
>> 
>> 
>> dear admin:
>>   now, i use bind-9.18-21, i want to use ecs client subnet function; but i 
>> don't know how to configure it, and i don't get method from google
>>   please give me some example,or document , or google links to learn about 
>> it ;
>>   thanks!
>>  
>> Yang
>> 395096...@qq.com
>>  
> 



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-28 Thread Walter H. via bind-users

Try these four

fail01.dnssec.works
fail02.dnssec.works
fail03.dnssec.works
fail04.dnssec.works

and then with +cd and note the difference;

On 28.04.2024 08:17, Walter H. via bind-users wrote:

On 27.04.2024 16:54, Lee wrote:

On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users
 wrote:

# host dnssec-analyzer.verisignlabs.com
dnssec-analyzer.verisignlabs.com is an alias for
dnssec-analyzer-gslb.verisignlabs.com.
dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42

Right, the IPv4 address lookup works.  Now try looking up the IPv6 
address.


if there was one it would be presented there

see here for full answer

# host one.one.one.one
one.one.one.one has address 1.1.1.1
one.one.one.one has address 1.0.0.1
one.one.one.one has IPv6 address 2606:4700:4700::1001
one.one.one.one has IPv6 address 2606:4700:4700::



I get a status: SERVFAIL instead of a status: NOERROR

$ dig dnssec-analyzer.verisignlabs.com AAAA

; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer.verisignlabs.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Lee


this can't be a matter of DNSSEC, as there are only signed whole zones 
and not just single DNS-records ...


would it be a problem with just this DNS zone, why are only problems 
getting the IPv6?










Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-28 Thread Mark Andrews
It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it 
serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually 
delegated to it.

% dig dnssec-analyzer-gslb.verisignlabs.com AAAA +trace +all
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com AAAA +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: c5e52f94b77c61ce0100662edf9c4fed996a259c1d43 (good)
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 277488 IN NS f.root-servers.net.
. 277488 IN NS d.root-servers.net.
. 277488 IN NS l.root-servers.net.
. 277488 IN NS k.root-servers.net.
. 277488 IN NS a.root-servers.net.
. 277488 IN NS e.root-servers.net.
. 277488 IN NS j.root-servers.net.
. 277488 IN NS h.root-servers.net.
. 277488 IN NS g.root-servers.net.
. 277488 IN NS m.root-servers.net.
. 277488 IN NS c.root-servers.net.
. 277488 IN NS i.root-servers.net.
. 277488 IN NS b.root-servers.net.
. 277488 IN RRSIG NS 8 0 518400 2024050821 2024042520 5613 . 
YeVEKbhLW5fUll0QPjIjDWfKbmrnJ/paeh/H86oG17GPeoFRWkecq+iM 
8kjxy28AHg7cElZ3w8Lq0GND+DJUCYItS6cOHdQ07XdEFCPAoXMnVQe2 
sBwd5nRu8tjH/I6NOn43DtfGkNMxzoHZf/64UeWeMFF8tjlD3y9Y+TQ1 
UjBU0kzpsYXkl+QYHsNJ1nABDH3gdlTqpCmtrVA1UUgDjC/12KLSIiQH 
ykSABJZbHnOsDc7OaRH25QLZadE6zrUwP1xiEZuDfe4xuoz2z5WSBQbv 
6JjCGVpm1WDILRra64v4BpO0kVUYE5fvJgAOV2cJwJwhM4gpcBNlMvG7 e3+WFA==

;; ADDITIONAL SECTION:
i.root-servers.net. 172568 IN AAAA 2001:7fe::53
d.root-servers.net. 172568 IN AAAA 2001:500:2d::d
h.root-servers.net. 172568 IN AAAA 2001:500:1::53
j.root-servers.net. 172568 IN AAAA 2001:503:c27::2:30
c.root-servers.net. 172568 IN AAAA 2001:500:2::c
e.root-servers.net. 172568 IN AAAA 2001:500:a8::e
g.root-servers.net. 172568 IN AAAA 2001:500:12::d0d
l.root-servers.net. 172568 IN AAAA 2001:500:9f::42
m.root-servers.net. 172568 IN AAAA 2001:dc3::35
k.root-servers.net. 172568 IN AAAA 2001:7fd::1
a.root-servers.net. 172568 IN AAAA 2001:503:ba3e::2:30
f.root-servers.net. 172568 IN AAAA 2001:500:2f::f
b.root-servers.net. 172568 IN AAAA 2801:1b8:10::b
i.root-servers.net. 172568 IN A 192.36.148.17
d.root-servers.net. 172568 IN A 199.7.91.13
h.root-servers.net. 172568 IN A 198.97.190.53
j.root-servers.net. 172568 IN A 192.58.128.30
c.root-servers.net. 172568 IN A 192.33.4.12
e.root-servers.net. 172568 IN A 192.203.230.10
g.root-servers.net. 172568 IN A 192.112.36.4
l.root-servers.net. 172568 IN A 199.7.83.42
m.root-servers.net. 172568 IN A 202.12.27.33
k.root-servers.net. 172568 IN A 193.0.14.129
a.root-servers.net. 172568 IN A 198.41.0.4
f.root-servers.net. 172568 IN A 192.5.5.241
b.root-servers.net. 172568 IN A 170.247.170.2

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon Apr 29 09:45:32 AEST 2024
;; MSG SIZE  rcvd: 1125

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65435
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssec-analyzer-gslb.verisignlabs.com. IN AAAA

;; AUTHORITY SECTION:
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 86400 IN DS 19718 13 2 
8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 2024051117 2024042816 5613 . 
LVYx+2et07A9D8yQEvJfEZuAwwa8jIkmPueaMjyyO4lw0IHMYuQMGTMi 
FGReNSmz9AjHkr6w6c+Xk/mIBM7busd6QppQvtHCwTuVywVZQA1FZUAw 
nKpmp85aFsQyFQRKAIbbdRT1r1MTf7AOzRoi7d1mRsuKbAvzTAMfaXzB 
sfI9dL6Hsl7vdGBYrkAWJ1XawlVaJJ+DPPqISBaI5dTboKH3FGV5Kdyd 
5Pxf/6JGMm4JF4ojARGutPotyz9cE2GrDDHQEg2nsH0WE5WM6SpsRz4B 
gyoDolcj2Kg+AA/1xDeh8vspAe0mmf1RPHQ0XJ7Z1TkiSQOINWdgK2J0 f0SrYA==

;; ADDITIONAL SECTION:
m.gtld-servers.net. 172800 IN A 192.55.83.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
a.gtld-servers.net. 172800 IN A 192.5.6.30
m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30
l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30
k.gtld-servers

Re: Question about resolver

2024-04-28 Thread Mark Andrews
This looks like Google  has forgotten to create the zone 96.34.in-addr.arpa but 
have created
180.96.34.in-addr.arpa resulting in answers that should come from 
96.34.in-addr.arpa getting
REFUSED returned.  DNSSEC validation and QNAME minimisation find these sorts of 
configuration errors.
Intermediate zones can’t be missed.

% dig ns 96.34.in-addr.arpa +trace +all
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.24-dev <<>> ns 96.34.in-addr.arpa +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23007
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 7b100d5f1abe6a330100662eea5988229ff2514536e1 (good)
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 274739 IN NS a.root-servers.net.
. 274739 IN NS g.root-servers.net.
. 274739 IN NS h.root-servers.net.
. 274739 IN NS b.root-servers.net.
. 274739 IN NS j.root-servers.net.
. 274739 IN NS i.root-servers.net.
. 274739 IN NS c.root-servers.net.
. 274739 IN NS d.root-servers.net.
. 274739 IN NS l.root-servers.net.
. 274739 IN NS e.root-servers.net.
. 274739 IN NS m.root-servers.net.
. 274739 IN NS k.root-servers.net.
. 274739 IN NS f.root-servers.net.
. 274739 IN RRSIG NS 8 0 518400 2024050821 2024042520 5613 . 
YeVEKbhLW5fUll0QPjIjDWfKbmrnJ/paeh/H86oG17GPeoFRWkecq+iM 
8kjxy28AHg7cElZ3w8Lq0GND+DJUCYItS6cOHdQ07XdEFCPAoXMnVQe2 
sBwd5nRu8tjH/I6NOn43DtfGkNMxzoHZf/64UeWeMFF8tjlD3y9Y+TQ1 
UjBU0kzpsYXkl+QYHsNJ1nABDH3gdlTqpCmtrVA1UUgDjC/12KLSIiQH 
ykSABJZbHnOsDc7OaRH25QLZadE6zrUwP1xiEZuDfe4xuoz2z5WSBQbv 
6JjCGVpm1WDILRra64v4BpO0kVUYE5fvJgAOV2cJwJwhM4gpcBNlMvG7 e3+WFA==

;; ADDITIONAL SECTION:
i.root-servers.net. 169819 IN AAAA 2001:7fe::53
d.root-servers.net. 169819 IN AAAA 2001:500:2d::d
h.root-servers.net. 169819 IN AAAA 2001:500:1::53
j.root-servers.net. 169819 IN AAAA 2001:503:c27::2:30
c.root-servers.net. 169819 IN AAAA 2001:500:2::c
e.root-servers.net. 169819 IN AAAA 2001:500:a8::e
g.root-servers.net. 169819 IN AAAA 2001:500:12::d0d
l.root-servers.net. 169819 IN AAAA 2001:500:9f::42
m.root-servers.net. 169819 IN AAAA 2001:dc3::35
k.root-servers.net. 169819 IN AAAA 2001:7fd::1
a.root-servers.net. 169819 IN AAAA 2001:503:ba3e::2:30
f.root-servers.net. 169819 IN AAAA 2001:500:2f::f
b.root-servers.net. 169819 IN AAAA 2801:1b8:10::b
i.root-servers.net. 169819 IN A 192.36.148.17
d.root-servers.net. 169819 IN A 199.7.91.13
h.root-servers.net. 169819 IN A 198.97.190.53
j.root-servers.net. 169819 IN A 192.58.128.30
c.root-servers.net. 169819 IN A 192.33.4.12
e.root-servers.net. 169819 IN A 192.203.230.10
g.root-servers.net. 169819 IN A 192.112.36.4
l.root-servers.net. 169819 IN A 199.7.83.42
m.root-servers.net. 169819 IN A 202.12.27.33
k.root-servers.net. 169819 IN A 193.0.14.129
a.root-servers.net. 169819 IN A 198.41.0.4
f.root-servers.net. 169819 IN A 192.5.5.241
b.root-servers.net. 169819 IN A 170.247.170.2

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon Apr 29 10:31:21 AEST 2024
;; MSG SIZE  rcvd: 1125

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39695
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 11, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;96.34.in-addr.arpa. IN NS

;; AUTHORITY SECTION:
in-addr.arpa. 172800 IN NS c.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS f.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS a.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS b.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS e.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS d.in-addr-servers.arpa.
in-addr.arpa. 86400 IN DS 53696 8 2 
13E5501C56B20394DA921B51412D48B7089C5EB6957A7C58553C4D4D 424F04DF
in-addr.arpa. 86400 IN DS 47054 8 2 
5CAFCCEC201D1933B4C9F6A9C8F51E51F3B39979058AC21B8DF1B1F2 81CBC6F2
in-addr.arpa. 86400 IN DS 63982 8 2 
AAF4FB5D213EF25AE44679032EBE3514C487D7ABD99D7F5FEC3383D0 30733C73
in-addr.arpa. 86400 IN DS 54956 8 2 
E0E2BF5CFBD66572CA05EC18267D91509BA6A9405AF05C3FD4141DFA 45200C08
in-addr.arpa. 86400 IN RRSIG DS 8 2 86400 2024051118 2024042817 43060 
arpa. BBFF1T9b8+woUukDfJj8wBKwDyk2CGVfceNAX5S1LvANDal0g3gf0hFD 
7OhTWZR1yaMoMaLVDgh8b9rDe5gMpOABbCHI/OBByz/rpUgau+XZ5aTJ 
NSJbmBcQRkzelreqm/B+4bjYtn48cK5Lp/iZm7hDHqJ1L/asdF7SRpRc 
BxFQeSf3eOy5BKL/XjlrsGZ510v2bnIlhLZPvjBPinbK10QeXzWOUW3J 
QtsY8MyTl0NE3prBU7bA20bkm+yBn4KMEzWeBz7rYfr6WJoGAw+I2ijM 
J6oC3ims4b1bF7eaPJ4DW6QZJu04a4C/JeluU/RMzWJC11MS2M1RRUf8 /XcxmQ==

;; ADDITIONAL SECTION:
f.in-addr-servers.arpa. 172800 IN A 193.0.9.1
e.in-addr-servers.arpa. 172800 IN A 203.119.86.101
d.in-addr-servers.arpa. 172800 IN A 200.10.60.53
c.in-addr-servers.arpa. 172800 IN A 196.216.169.10
b.in-addr-servers.arpa. 172800 IN A 199.253.183.183
a.in-addr-servers.arpa. 172800 IN A 199.180.182.53
f.in-addr-servers.arpa. 172800 IN AAAA 2001:67c:e0::1
e.in-addr-servers.arpa. 172800 IN AAAA 2001:dd8:6::101
d.in-addr-servers.arpa. 172800 IN AAAA 2001:13c7:7010::53
c.in-addr-
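
Both diagnoses in Mark Andrews' two posts above (a server answering for .com instead of the zone delegated to it, and the missing 96.34.in-addr.arpa zone) come down to servers not serving the zone they were delegated. The Python below is an added example, not part of either post: it models both checks offline. The PTR name 1.180.96.34.in-addr.arpa, the assumption that 96.34.in-addr.arpa is delegated to the servers in question, and all function names are constructed for illustration.

```python
# Added illustration, not from the thread. Names other than those quoted in
# the posts are constructed; responses are modelled, nothing is queried.

def labels(name):
    """'A.Example.' -> ['a', 'example']; the root zone is the empty list."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_zone(name, zone):
    """True when name is at or below zone."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z

def soa_in_bailiwick(delegated_zone, soa_owner):
    """A negative answer from servers delegated `delegated_zone` must carry an
    SOA owned at or below that zone. An owner above it (the server 'claiming
    that it serves .com') is unusable to a resolver."""
    return in_zone(soa_owner, delegated_zone)

def rcode(qname, served_zones):
    """Modelled authoritative-only server: REFUSED outside every served zone."""
    return "NOERROR" if any(in_zone(qname, z) for z in served_zones) else "REFUSED"

def audit_delegation(qname, delegated_zone, served_zones):
    """Walk from the delegation point down to qname one label at a time and
    record the modelled rcode the delegated servers give for each name."""
    q, z = labels(qname), labels(delegated_zone)
    if not in_zone(qname, delegated_zone):
        raise ValueError("qname is not below the delegated zone")
    names = [".".join(q[len(q) - k:]) + "." for k in range(len(z), len(q) + 1)]
    return [(n, rcode(n, served_zones)) for n in names]

if __name__ == "__main__":
    # First post: delegated zone vs. the zone the server claims.
    print(soa_in_bailiwick("dnssec-analyzer-gslb.verisignlabs.com.", "com."))
    # Second post: only the deeper zone exists on the delegated servers.
    # Constructed PTR name; delegation of 96.34.in-addr.arpa is assumed.
    for row in audit_delegation("1.180.96.34.in-addr.arpa.",
                                "96.34.in-addr.arpa.",
                                ["180.96.34.in-addr.arpa."]):
        print(*row)
```

Adding 96.34.in-addr.arpa. to the served zones in the last call turns every row into NOERROR, which is the fix the post implies.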