Re: gitnamed, a project to manage name server by git

2013-01-08 Thread Dave Warren

On 1/8/2013 13:48, Mike Hoskins (michoski) wrote:

Thanks for sharing both.

Like the built-in sanity checks...Wonder why the fedora folks don't
automate the serial number update, since in my experience that seems to be
one of the top silly mistakes with BIND updates?

Our push process sets that to the mtime of the zone for non-dynamic zones,
which seems to work well except for the occasional DNS validation tool
baulking that we're not using MMDDNN format.  :-)


When I built my DNS zone creator, I got tired of users complaining that 
their zones had "errors" and so I re-coded my serials to start with  
followed by six digits based on the current date/time.


Oddly, that seems to fool most (although not all) of the DNS validation 
tools out there, despite the fact that I generate things like 2012804572 
which doesn't exactly have a "valid" MM or dd.


I've given up contacting so-called validation tools and asking them to 
remove warnings about valid serials, they seem happier reporting 
non-errors, and at best they'll return a "Not standard, but I guess it's 
okay". It's a shame too, as these tools can provide a sanity check.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
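The serial schemes traded in this message (a serial taken from the zone file's mtime, a date-shaped YYYYMMDDNN serial, and validators that want the latter) come down to one rule: secondaries only need the serial to increase under RFC 1982 serial arithmetic. The following is an added example, not code from the post or from BIND; the helper names, the strict date-shape regex and the "bump by one if the proposed serial is not newer" fallback are this example's own choices.

```python
"""Added example (not from the thread, not BIND code): SOA serial schemes and
the comparison a secondary uses to decide that a primary's copy is newer."""
import os
import re
from datetime import datetime, timezone

SERIAL_MODULUS = 2 ** 32   # the SOA serial is a 32-bit unsigned integer
HALF_RANGE = 2 ** 31


def serial_is_newer(candidate, current):
    """RFC 1982 serial arithmetic: 'candidate' is newer than 'current' when the
    forward distance, modulo 2^32, is non-zero and below 2^31.  A secondary
    evaluates exactly this after a refresh query; a plain integer comparison
    gives the wrong answer across the 32-bit wrap-around."""
    distance = (candidate - current) % SERIAL_MODULUS
    return 0 < distance < HALF_RANGE


def next_serial(published, proposed):
    """What a push process should do before writing a zone: use the proposed
    serial (mtime- or date-based) only if secondaries will see it as newer
    than the serial already published; otherwise bump the published one.
    This keeps a restored-from-backup file or a clock jump from publishing a
    serial that secondaries ignore."""
    if serial_is_newer(proposed, published):
        return proposed
    return (published + 1) % SERIAL_MODULUS


def serial_from_mtime(mtime):
    """Serial taken from the zone file's modification time (the scheme the
    push process in the thread uses for static zones): a Unix timestamp fits
    in 32 bits and increases with every edit."""
    return int(mtime) % SERIAL_MODULUS


def mtime_serial(path):
    """Convenience wrapper: serial for the zone file at 'path'."""
    return serial_from_mtime(os.stat(path).st_mtime)


def date_serial(previous, today=None):
    """YYYYMMDDNN: today's date followed by a two-digit edit counter.  When
    today's base value would not read as newer (several edits in one day, a
    clock that went backwards, a previous serial from another scheme),
    next_serial() falls back to previous + 1, so the serial keeps increasing
    even when it stops looking like a date."""
    if today is None:
        today = int(datetime.now(timezone.utc).strftime("%Y%m%d"))
    return next_serial(previous, today * 100)


# Strict form of the style check online validators apply: YYYYMMDDNN with a
# plausible month and day.  Failing it is cosmetic; RFC 1035 only requires
# that the serial increase.
DATE_SHAPED = re.compile(r"^(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}$")


def looks_like_date_serial(serial):
    return DATE_SHAPED.match(f"{serial:010d}") is not None


if __name__ == "__main__":
    for s in (2013010801, 2012804572, 1357689600):
        print(s, "date-shaped" if looks_like_date_serial(s) else "not date-shaped")
    print("after 2013010801 on 2013-01-08:", date_serial(2013010801, today=20130108))
```

The two serial values the post mentions behave as described: a timestamp-style serial and 2012804572 both fail the date-shape check, yet both are perfectly valid serials as long as each new value is newer under serial_is_newer.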


MNAME not a listed NS record

2013-01-16 Thread Dave Warren
Is there anything technically wrong with having a SOA MNAME field that 
isn't listed as a NS record?


The server listed as MNAME will host the zone and is authoritative for 
the zone, but out of latency concerns it isn't ideal to have other 
resolvers querying this server.


Various online DNS diagnostic tools throw warnings, but as far as I can 
tell from the RFCs, this is a valid configuration. Is it valid? Are 
there any operational gotchas to be aware of or can I ignore the "warnings"?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: MNAME not a listed NS record

2013-01-16 Thread Dave Warren

On 1/16/2013 22:17, Jan-Piet Mens wrote:

Is there anything technically wrong with having a SOA MNAME field
that isn't listed as a NS record?

Not at all; that works fine.


Thanks. That's what I thought, but I wanted to confirm that this 
particular "warning" didn't have any backing in reality.




Are there any operational gotchas to be aware of or can I ignore the
"warnings"?

You should be aware of DNS Updates which will, by default, be directed
at the server listed in SOA MNAME. If you don't do DHCP, say, then it's
fine to ignore that.


At this point I don't do any dynamic DNS through BIND at all right now, 
the only dynamic zones we currently host are internal-only on Microsoft 
DNS and update via AD, so I think we'll be safe in this regard.


Thanks!

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: MNAME not a listed NS record

2013-01-16 Thread Dave Warren

On 1/16/2013 13:53, Chuck Swiger wrote:

True, but I don't see much utility from a nameserver which can be dynamically
updated but not queried.


It *can* be queried, it's just not ideal as the machine has a fair 
amount of load and has fairly high latency. Since I have secondaries in 
colocation facilities with available resources, it makes more sense for 
them to handle external queries.


I'm also not sure where you're getting dynamic updates from, but we 
don't do any dynamic updates through BIND at this time.



Sure.  In which case, why publish an internal-only machine into the public
DNS via your SOA record?


Because it is actually the master, and from what I can tell, the slaves 
will check against the MNAME to confirm whether they're up to date or not.


(Yes, notifies will usually take care of this. Usually.)


Someone else made mention of a "stealth master",
but my definition of that is an internal machine which is not visible in
any publicly published records.


Strictly speaking, it's not internal-only, it's just on a slower, 
occasionally overloaded connection which will result in some percentage 
of requests taking significantly longer to answer. It's also on a 
somewhat overloaded server, so it just makes more sense to push external 
traffic to more ideal services.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: broken ISP in china

2013-02-19 Thread Dave Warren

On 2/18/2013 23:20, Matus UHLAR - fantomas wrote:

On 19.02.13 10:25, Noel Butler wrote:

One thing I need to point out, your SOA timings seem extreme...

refresh 86400  drop that to 3h
retry 3600, drop to 900


I don't see the reason for doing these, unless NOTIFY does not work, 
but in such case it's the NOTIFY that should be fixed...


I agree in principle. However, the costs of having a low refresh 
probably aren't that significant, whereas all it takes for a NOTIFY to 
get missed is a packet or three getting dropped, and having zones out of 
sync might be more significant.


Or, put another way, dropping REFRESH from 24 hours to 3 hours is what, 
an additional 8 DNS queries per zone, per secondary, per day? Unless 
your zones normally receive only a few hundred queries a day, these 
numbers are so trivial that they probably don't matter, whereas having 
your secondaries return out of date responses is potentially more annoying.


Retry too seems like a good candidate to keep very low since it only 
applies when there is a problem.


But in an ideal world, we've probably just spent more time talking about 
it than will result in any savings from tweaking these numbers.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

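The trade-off argued above (a shorter REFRESH costs a handful of SOA queries per zone per day and bounds how long a lost NOTIFY leaves a secondary stale; RETRY only matters after a failed check) is the secondary's timer state machine from RFC 1035. The following is an added example, not code from the post or from BIND: a small model of that state machine that puts numbers on the query-count estimate and on the time-to-sync with and without a delivered NOTIFY. The scenarios, the primary outage window and the helper names are constructed.

```python
"""Added example (not from the thread, not BIND code): how a secondary's
REFRESH, RETRY and EXPIRE timers behave when a NOTIFY is lost or the primary
is unreachable.  All times are seconds from the moment the zone was loaded."""
DAY = 86400


def checks_per_day(refresh):
    """SOA refresh queries one secondary sends per zone per day when the
    primary answers every time."""
    return DAY // refresh


def extra_queries_per_day(old_refresh, new_refresh, zones, secondaries):
    """Additional SOA queries per day across all zones and secondaries when
    REFRESH is lowered from old_refresh to new_refresh."""
    return (checks_per_day(new_refresh) - checks_per_day(old_refresh)) * zones * secondaries


def simulate_secondary(refresh, retry, expire, change_at, notify_lost, horizon,
                       primary_up=lambda t: True):
    """Walk the timer state machine from t=0 (zone freshly loaded) to
    t=horizon.  The primary's serial changes at change_at and sends a NOTIFY
    then; a delivered NOTIFY triggers an immediate refresh check, a lost one
    leaves the secondary waiting for its next scheduled check.  A failed check
    (primary_up(t) is False) reschedules after RETRY instead of REFRESH.
    Returns the successful-check times, the number of SOA queries sent, and
    when the change was picked up (None if never within the horizon)."""
    successes = [0]          # the initial load counts as a successful check
    queries = 0
    synced_at = None
    next_check = refresh
    if not notify_lost:
        next_check = min(next_check, change_at)
    while next_check <= horizon:
        t = next_check
        queries += 1
        if primary_up(t):
            successes.append(t)
            if synced_at is None and t >= change_at:
                synced_at = t
            next_check = t + refresh
        else:
            next_check = t + retry
    return {"successes": successes, "queries": queries,
            "synced_at": synced_at, "expire": expire}


def still_serving(result, t):
    """A secondary keeps answering authoritatively until EXPIRE seconds have
    passed since its last successful check; until then an unreachable
    primary only makes the data stale, not unavailable."""
    last_good = max(s for s in result["successes"] if s <= t)
    return t - last_good < result["expire"]


if __name__ == "__main__":
    week = 7 * DAY
    for refresh, retry in ((86400, 3600), (10800, 900)):
        r = simulate_secondary(refresh, retry, 604800, change_at=1000,
                               notify_lost=True, horizon=week)
        print(f"refresh={refresh} retry={retry}: synced after {r['synced_at']}s, "
              f"{r['queries']} SOA queries in a week")
    print("extra queries/day for 300 zones x 2 secondaries:",
          extra_queries_per_day(86400, 10800, 300, 2))
```

With the values from the thread the model gives 1 versus 8 checks per zone per secondary per day, and a lost NOTIFY leaves the 24-hour REFRESH secondary stale for a day while the 3-hour one catches up at its first check.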


Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Dave Warren

On 2/19/2013 16:30, Vernon Schryver wrote:

My experience wrestling the domains of relatives from GoDaddy was
not as bad as some of the stories, but it took more time, effort,
and sophistication than some people would care or be able to muster.


They still use deceptive tricks to keep domains hostage. For example, 
when you change contact information they display a "Click here if you 
agree with our domain locking policy", which is actually optional, but 
if you enable it, the new owner of the domain is blocked from 
transferring it to any other provider for many weeks.


Such a joy when you're buying domains on behalf of a customer and can't 
actually finish the job for 2-3 months because the seller automatically 
clicked the "Yes, I agree" option.



GoDaddy also likes to "up sell" many "protection" and other services
whose value I don't understand.


GoDaddy wants your money. What more do you need to understand?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: spf ent txt records.

2013-03-13 Thread Dave Warren

On 3/13/2013 05:09, G.W. Haywood wrote:


Ref. : Early implementations used TXT records for implementation before the 
new record type was commonly available in DNS software. Use of TXT records 
for SPF was intended as a transitional mechanism. However, according to the 
current RFC, RFC 4408, section 3.1.1, "An SPF-compliant domain name SHOULD 
have SPF records of both RR types. A compliant domain name MUST have a 
record of at least one type," and as such, TXT record use is not deprecated.[2]


The SPF type RR seems to me to be dying.  Hardly anyone uses it.


This is very true. I updated my management interface to encourage "SPF" 
records, and to automatically create matching TXT records, but only 
because it's easier to sanity check when I know the intent is SPF.


I almost wouldn't bother with SPF records these days though, except that 
the code was already written.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

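The pairing the post describes (encourage an SPF-type record, create the matching TXT record automatically, and sanity-check the policy because the intent is known) is easy to get subtly wrong: two policies of the same type are a PermError under RFC 4408, and a policy without an "all" term silently ends in neutral. The following is an added example, not the poster's management-interface code: a checker for one owner name's SPF/TXT pair, the automatic TXT twin, and a tally of how strict a set of policies is. The record data is constructed.

```python
"""Added example (not from the thread, not the poster's management code):
keep SPF-type and TXT-type SPF records in step and sanity-check the policy."""
import re

ALL_TERM = re.compile(r"^([-~?+]?)all$", re.IGNORECASE)


def is_spf_policy(text):
    """True for a TXT string that carries an SPF policy (RFC 4408 version tag)."""
    return text.split(" ", 1)[0].lower() == "v=spf1"


def final_qualifier(policy):
    """Qualifier on the policy's 'all' term: '-' fail, '~' softfail,
    '?' neutral, '+' pass.  None when there is no 'all' term at all."""
    for term in policy.split()[1:]:
        m = ALL_TERM.match(term)
        if m:
            return m.group(1) or "+"
    return None


def check_spf_pair(records):
    """records: list of (rtype, text) published at one owner name.
    Returns the problems a receiver or a validator would hit."""
    spf = [t for rt, t in records if rt == "SPF"]
    txt = [t for rt, t in records if rt == "TXT" and is_spf_policy(t)]
    problems = []
    if not spf and not txt:
        return ["no SPF policy published"]
    if len(spf) > 1 or len(txt) > 1:
        # RFC 4408 section 4.5: more than one record of the queried type -> PermError
        problems.append("more than one policy of the same type: RFC 4408 makes that a PermError")
    if spf and not txt:
        problems.append("SPF RR without a TXT twin: most receivers only query TXT")
    if spf and txt and set(spf) != set(txt):
        problems.append("SPF and TXT policies differ: receivers see different policies "
                        "depending on which type they query")
    for policy in spf + txt:
        if final_qualifier(policy) is None and "redirect=" not in policy.lower():
            problems.append("policy lacks an 'all' term, so unmatched senders get neutral")
    return problems


def add_txt_twins(records):
    """Return the records plus a TXT copy of every SPF RR that has none: the
    automatic pairing the post describes."""
    txt_policies = {t for rt, t in records if rt == "TXT" and is_spf_policy(t)}
    result = list(records)
    for rt, t in records:
        if rt == "SPF" and t not in txt_policies:
            result.append(("TXT", t))
    return result


def tally_qualifiers(policies):
    """Count policies by the strictness of their 'all' term (what the maillog
    grep in the follow-up message measures on the receiving side)."""
    names = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", None: "none"}
    counts = {}
    for policy in policies:
        key = names[final_qualifier(policy)]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # constructed records for one owner name
    published = [("SPF", "v=spf1 ip4:192.0.2.0/24 -all")]
    print("before:", check_spf_pair(published))
    print("after: ", check_spf_pair(add_txt_twins(published)))
    print(tally_qualifiers(["v=spf1 -all", "v=spf1 ~all", "v=spf1 ~all"]))
```

Run as-is the checker flags the lone SPF RR, the twin removes the finding, and the tally reports one fail and two softfail policies.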


Re: spf ent txt records.

2013-03-13 Thread Dave Warren

On 3/13/2013 17:11, Noel Butler wrote:

On Wed, 2013-03-13 at 14:43 -0700, Dave Warren wrote:

I almost wouldn't bother with SPF records these days though, except that
the code was already written.


# grep SPF maillog |grep -c '\-all'
2438

# grep SPF maillog |grep -c '\~all'
7509


Can you compare that against queries to TXT style SPF records?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: How to minimize the downtime in my case

2013-03-15 Thread Dave Warren

On 3/14/2013 12:04, Manish Rane wrote:

Hey Folks,

I right now have NS server hosted with ISP and I am planning to set up 
my own BIND servers. Now I would like to understand that I need to ask 
my Registrar to populate the entry of my new NS server which would 
take 4-6 hours to propagate over the internet.


To reduce the downtime, can I not add those two new NS servers along 
with my old DNS server with the exact zone? Once all the NS 
entries populate over the internet I can have my ISP's DNS removed and 
have one of my DNS servers as Master?



Current Scenario

ns1.example.com 1.2.3.4
ns2.example.com 5.6.7.8

I am thinking of the scenario below

ns1.example.com 1.2.3.4
ns2.example.com 5.6.7.8
mynewns1.example.com 20.20.20.20
mynewns2.example.com 30.30.30.30

Then after a few days

mynewns1.example.com 20.20.20.20
mynewns2.example.com 30.30.30.30

Which eventually should have all the records.




Maybe I'm over-complicating or under-complicating something here, but 
why bother? If you just switched directly from the old servers to the 
new servers, with the zones being identical outside of any NS related 
changes, wouldn't things "just work" throughout the transition?


Sure, depending on TTLs involved, some clients might hit the old NS and 
some would hit the new NS until the records aged out of caches, but as 
long as the other records are identical, users will hit the same web 
servers, the same MX, etc.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

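Two of the questions in these threads reduce to checks on zone data: whether the SOA MNAME is one of the apex NS names (the "MNAME not a listed NS record" thread, where the answer is that it need not be, with the caveat that RFC 2136 update clients send UPDATE to MNAME by default), and whether the zone the old and new nameservers serve is "identical outside of any NS related changes" during a nameserver move (the thread just above). The following is an added example, not code from either post or from BIND: a parser for a simplified zone presentation format plus both checks. The zones are constructed; the nameserver names and addresses in the migration zone are the ones used in the thread.

```python
"""Added example (not from the threads, not BIND code): two checks on zone
data in a simplified presentation format (fully qualified owner names,
every field present on every line)."""


def parse_zone(text):
    """Return (owner, type, rdata) triples; ';' comments are stripped and
    names are lower-cased so comparisons are case-insensitive as in DNS."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), tuple(f.lower() for f in rdata)))
    return records


def check_mname(text):
    """Is the SOA MNAME one of the apex NS names?  Not being listed is valid
    (RFC 1035 does not require it), so it is reported as information with
    the one operational consequence raised in the thread."""
    records = parse_zone(text)
    soas = [r for r in records if r[1] == "SOA"]
    if len(soas) != 1:
        return {"status": "error", "notes": ["a zone needs exactly one SOA"]}
    apex, _, rdata = soas[0]
    mname = rdata[0]
    ns_names = {r[2][0] for r in records if r[1] == "NS" and r[0] == apex}
    notes = []
    if mname not in ns_names:
        notes.append("MNAME %s is not an apex NS: allowed by RFC 1035, but RFC 2136 "
                     "update clients (DHCP servers, for instance) send UPDATE there "
                     "by default" % mname)
    return {"status": "ok" if mname in ns_names else "info",
            "mname": mname, "ns": sorted(ns_names), "notes": notes}


def migration_diff(old_text, new_text):
    """Records that differ between the old and the new servers' copies,
    ignoring the SOA and the apex NS set (expected to differ during a
    nameserver move).  An empty result means clients that hit either set of
    servers during the TTL overlap get the same answers."""
    def content(text):
        recs = parse_zone(text)
        apex = next(r[0] for r in recs if r[1] == "SOA")
        return {r for r in recs if r[1] != "SOA" and not (r[1] == "NS" and r[0] == apex)}
    old, new = content(old_text), content(new_text)
    return {"only_old": sorted(old - new), "only_new": sorted(new - old)}


# Constructed zones.  OLD_ZONE is what the ISP's servers publish, NEW_ZONE the
# copy on the new servers after the delegation change.
OLD_ZONE = """\
example.com.          3600 IN SOA ns1.example.com. hostmaster.example.com. 2013031401 10800 900 604800 3600
example.com.          3600 IN NS  ns1.example.com.
example.com.          3600 IN NS  ns2.example.com.
example.com.          3600 IN MX  10 mail.example.com.
www.example.com.      3600 IN A   198.51.100.10
mail.example.com.     3600 IN A   198.51.100.25
ns1.example.com.      3600 IN A   1.2.3.4
ns2.example.com.      3600 IN A   5.6.7.8
mynewns1.example.com. 3600 IN A   20.20.20.20
mynewns2.example.com. 3600 IN A   30.30.30.30
"""
NEW_ZONE = OLD_ZONE.replace(
    "SOA ns1.example.com. hostmaster.example.com. 2013031401",
    "SOA mynewns1.example.com. hostmaster.example.com. 2013031402",
).replace("NS  ns1.example.com.", "NS  mynewns1.example.com.") \
 .replace("NS  ns2.example.com.", "NS  mynewns2.example.com.")
CHANGED_ZONE = NEW_ZONE.replace("198.51.100.10", "198.51.100.11")  # a real content change
MNAME_ZONE = """\
example.net. 3600 IN SOA master.example.net. hostmaster.example.net. 2013011601 10800 900 604800 3600
example.net. 3600 IN NS  ns1.example.net.
example.net. 3600 IN NS  ns2.example.net.
"""

if __name__ == "__main__":
    print(check_mname(MNAME_ZONE))
    print(migration_diff(OLD_ZONE, NEW_ZONE))
    print(migration_diff(OLD_ZONE, CHANGED_ZONE))
```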

Re: spf ent txt records.

2013-03-18 Thread Dave Warren

On 2013-03-17 22:35, Doug Barton wrote:

On 3/17/2013 5:59 PM, Mark Andrews wrote:

The rational course would be to set a sunset date on TXT style spf
records.  April 2016 looks like a good date.  10 years after RFC
4408 was published.


+1


Unfortunately there's really no need to change behaviour even if we have 
a sunset date. As a server operator, I'd still check both (because it 
doesn't cost anything) and I'd still publish both because it simply 
doesn't matter.


Sure, some might eventually move away from TXT records, and this would 
(IMO) be a good thing, but still...


Perhaps DK/DKIM got it right here, _spf.example.com. TXT records would 
be a lot more flexible, wouldn't overload a zone/host's TXT records and 
wouldn't require everyone to upgrade DNS infrastructure to add support. 
But water under the bridge, it's not like inventing another standard for 
the majority to ignore would help at this point.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Multiple masters for slave zone

2013-03-18 Thread Dave Warren

On 2013-03-18 15:50, Mark Andrews wrote:

Named will transfer from the master with the highest serial.  Notify
just triggers early refresh checks.


Does it actually check each master for a serial number, or does it stop 
at the first one queried if it has a higher-than-current serial number?


I've been meaning to test this in the real world, but if anyone can tell 
me, it would save a bit of time :)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Multiple masters for slave zone

2013-03-18 Thread Dave Warren

On 2013-03-18 23:12, Steven Carr wrote:

On 18 March 2013 23:08, Dave Warren  wrote:

Does it actually check each master for a serial number, or does it stop at
the first one queried if it has a higher-than-current serial number?

It would have to otherwise how would it know who has the highest and
when to stop checking.


Well, I guess that's part of my question. Does it? Or if the first 
master it queries has a higher serial number, does it grab the zone 
without checking the rest? Does the order of the masters matter?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Simple question about zone and CNAME

2013-04-05 Thread Dave Warren

On 2013-04-05 12:18, Sam Wilson wrote:

We're currently prevaricating over putting in an A record for ed.ac.uk.
Whilst my colleagues who manage active directory assure me that having
an A record there - pointing at the content-managed web server that has
difficulty handling arbitrary URLs - won't break anything I'm not going
to try it except under very controlled conditions and after I've spoken
to a lot of other people who do it already.


Is ed.ac.uk your Active Directory root as well? If so, my experience is 
that pointing it at anything but domain controllers will eventually lead 
you to issues.


It's not to say that this is totally forbidden, but there are (were?) 
Microsoft best practices documents suggesting avoiding this 
configuration entirely when possible, although there were ways to 
mitigate most of the negative side effects.


Obviously if you can run a split DNS environment this is less of a factor.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Simple question about zone and CNAME

2013-04-08 Thread Dave Warren

On 2013-04-08 11:10, Novosielski, Ryan wrote:

It would seem to me there is some other way around this, either by
redirecting traffic to the AD servers or some careful combination of
local host names or something else. In our case, the domain itself has
barely any activity (and no client activity) and we can just lie to
the AD servers and use them as the bare domain name.


It's not just the servers though, it's any client that needs to access 
Active Directory resources that might potentially hit the web server 
when it's looking for your AD environment.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



NS geo-distribution

2013-04-29 Thread Dave Warren
Thoughts about how to best distribute NS servers hosting authoritative 
data for our zones? We currently host only about 300 zones so all zones 
live on all 3 servers but we're looking at replacing 1-2 of our NS 
servers due to reliability of the current servers.


My thinking is to just pick three sites in Canada/US with good 
connectivity and host there, but I'm getting some pressure to pick a 
location in EU as well.


With the vast majority of our customers being in North America (probably 
75% of users are in Canada), would it make sense to add a Europe based 
NS or would this tend to return slower results on average since a 
potential user would have a 1/3 chance of hitting a NS with a higher 
latency?


I realize that the difference isn't very significant in the grand scheme 
of things, but it's always nice to shave a few ms off of initial page 
load times.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: NS geo-distribution

2013-04-29 Thread Dave Warren

On 2013-04-29 21:35, Gary L. Burnore wrote:

I would contend that fast initial page load times are achieved through
blazing web servers and a wide data path.


It sure doesn't hurt, but introducing ~200ms of DNS lookups sure won't 
make things any faster.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: NS geo-distribution

2013-04-30 Thread Dave Warren

On 2013-04-30 00:49, Sten Carlsen wrote:
Don't forget that most users will get the address out of "some" cache, 
not directly from the authoritative servers.


Absolutely. This is even more true in our case as many of our clients 
serve very local areas and 2-3 ISPs and 3-4 mobile providers 
probably cover 90%+ of their clients.



On 2013-04-29 21:48, Chris Buxton wrote:

RTT means almost always hitting the fastest server.


My concern with relying on RTT is that since most of our sites are very 
low volume, will it be effective or does it work better when a host has 
higher traffic? How long do resolvers remember a particular NS's RTT?


We have a handful of Europe based clients, but their number is quite 
small, so I'm not sure if we'd be significantly hurting the majority by 
introducing a high-latency server into the mix or not, or even how to 
evaluate the results.


I realize I've probably spent more time thinking about it than I'll 
possibly save anyone else anyway, so perhaps that's my answer.


I appreciate all the input.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: architecture question

2013-05-08 Thread Dave Warren

On 2013-05-08 13:50, Mike Hoskins (michoski) wrote:

The spirit of education is often saving money based on a former life as a
lab tech.  While cheap, the proposal to "just go register a real one!"
seems good for $registrar, but potentially bad for the Internet (will we
end up with a bunch of garbage domains that are never used again, and
might actually want to be used by someone else, but will then be squatted
when they expire? yada yada), and better suited for business vs school
networks.

Also, I had a digital entity long before entering a college setting.  I
suspect kids these days are even more likely to have similar.  If real is
the answer, maybe most students wouldn't have to do anything at all.

I really think a lab experiment would be fine using local TLDs, but I
guess it's impossible to really know how valid some of the concerns are
unless we sit through the class or see the course material.  :-)




A reasonable compromise might be a single domain purchased for use in 
course, with students using subdomains. This would cover a 
best-of-all-worlds, including internal and external considerations.


It would also let the students' environments talk to each other, if this 
is desirable (and if the teacher adds appropriate DNS records, and the 
students configure properly)


This is the approach my girlfriend used with a WordPress course she 
taught since one of the goals was to allow students to experiment and 
play from home and it worked well, but it would work just as well with NS 
delegations.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: architecture question

2013-05-08 Thread Dave Warren

On 2013-05-08 20:58, Michael McNally wrote:

The flip side of this is that whatever you teach them they are going
to take out into the wider world with them.  If you teach them to use
.local or .lan, some of them (at least) are going to continue using
.local or .lan long after your class is over, at least until they run
into enough problems to frustrate them into something more compatible
with current practice. 


I made the same mistake many moons ago and I'm still stuck with it. I 
wish I'd known better.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: architecture question

2013-05-09 Thread Dave Warren

On 2013-05-09 11:27, Jeremy P wrote:
I certainly didn't intend to spark off such a firestorm with my 
original question.  I have learned a lot from the debate though.


On the question of what to use with students, it is a fine thing to 
say "we should only do things the way they are done in real life so 
students don't learn bad habits", but I'm guessing that comes from 
people who have spent very little time in a classroom that has fiscal 
and technical limitations.  If I followed that mantra I would never be 
able to do anything with students other than read out of a book and 
lecture.  We strive to get them as close to real life as financial and 
technical restraints allow. Some have recommended I get a sub domain 
on the school's domain.  Maybe at your company/school that's easy to 
accomplish, but here that would be quite an amount of effort to earn a 
rejection letter.  I'll probably just purchase somedomain.com 
and hand out subdomains, but I won't have 
resources to set up a public facing server that can properly do delegation.


It doesn't necessarily need to be public-facing. Your students will all 
be setting up DNS servers too (or at least I don't see how a MS AD 
course could get by without your students running their own DNS), you 
can have them use your DNS server for resolution, or via a stub zone, 
and delegate from your server.


This also means that students can optionally set up trusts between their 
domains, and their domains can otherwise interact with each other, if 
this is desirable :)


Assuming your student environments don't get public IPs, there's 
probably little advantage in having it fully resolve up from the public 
roots anyway.


However, owning the domain you use as a root will help them to 
understand that making up a .local or .lan isn't a good idea, whereas if 
you do it in class with a "We wouldn't do this in the real world", 
they'll do it in the real world with a "We shouldn't do this in an ideal 
world, but it's good enough for our little clas^H^H^Hompany"


(Or at least that's what I blame for some of the dumb decisions I made 
that I'm still stuck with, like my poor internal naming choice)




Re: architecture question

2013-05-09 Thread Dave Warren

On 2013-05-08 11:13, btb wrote:
it's also mildly humorous that they used to quite religiously endorse 
.local, in some documents even categorizing use of the same domain 
name on an internal and external network as a "security risk". 


Keep in mind that this was before ubiquitous, always-on TCP/IP was the 
norm. It was coming, but we weren't there yet and Microsoft was still 
catching up.


I still think that a reserved-for-local-LAN-TLD use might not be a bad 
idea, similar to how we have private network IP addresses for cases 
where there is internal resistance to using a real domain.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: architecture question

2013-05-10 Thread Dave Warren

On 2013-05-10 16:39, b...@bitrate.net wrote:

On May 10, 2013, at 01.18, Dave Warren  wrote:


On 2013-05-08 11:13, btb wrote:

it's also mildly humorous that they used to quite religiously endorse .local, in some 
documents even categorizing use of the same domain name on an internal and external 
network as a "security risk".

Keep in mind that this was before ubiquitous, always-on TCP/IP was the norm. It 
was coming, but we weren't there yet and Microsoft was still catching up.

i disagree.  in 1999, when .local was first referenced [and only in id form], 
short of perhaps the residential environment, always-on tcp/ip was commonplace 
- and i'm doubtful you'd even find microsoft references that early to it 
anyway, since microsoft was still catching up [this i heartily agree with, as 
they always are] :)


In those days, I was in the ISP world and we had a huge number of 
customers who were just starting to get IP connectivity to their 
networks, and very few hosted anything themselves, most used us as a web 
host and had no interest in their internal resources being involved with 
that internet thing at all.


I'm not talking IT companies, I'm talking their clients who were just 
discovering the internet and still hadn't really figured out its value, 
many of which were just starting to consider connecting their computers 
to the internet in any real way.


In this context, a .local type domain isn't actually the worst idea in 
the world.


As far as Microsoft and their documentation and recommendations go, 
Active Directory development started what, 4-5 years before that? So 
best practices pre-dated the W2K release when this stuff went live and 
after that, it was no doubt a fight against inertia to change best 
practices. I know the courses I took in those days were definitely 
recommending some sort of internal-only TLD, just as internal-only IPs 
were recommended.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: does zone trump forward?

2013-06-05 Thread Dave Warren

On 2013-06-04 06:42, Alan Shackelford wrote:
We have 2843 authoritative zones. We run a split brain DNS. The new 
hospitals and other entities need to see our internal zone view once 
they have "joined". So I have them forward queries during the early 
stages of the merger, until I can get control of their DNS and make 
appropriate changes. There are fatherhood issues and all manner of ego 
problems involved in absorbing someone else's DNS. This step provides 
a workable solution in the very first stages. Then I make them slaves, 
with a reasonable expire time, to give them a copy of the data locally.


To me, it sounds like changing these steps by moving directly to using 
slave zones would fix the issue, no? Is there any particular need to 
start with forwarding rather than slaving right from the start?


I realize there are egos, but "Connect our network to yours" includes 
things like routing and DNS. You're not taking over their territory just 
yet, just adding yours to theirs.


Politics aside, it solves the technical issues without butchering DNS or 
adding excessive unreliability.


But then I just hate forwards. Burned 1000x times, lesson learned :)

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: does zone trump forward?

2013-06-05 Thread Dave Warren

On 2013-06-05 14:27, Jonathan Reed wrote:


But then I just hate forwards. Burned 1000x times, lesson learned :)


What are you referring to? Why are forwards such a bad idea?



They're not automatically a bad idea, but I always prefer having a local 
copy of a zone unless that's not practical.


A couple of real-world examples that I bang my head against daily/weekly:

1) I do some contract work out of a satellite office where we have a 
full time site-to-site VPN to HQ, and as a result, I've forwarded their 
domains to their internal NS over the VPN. Works great, except that when 
the VPN is down, I can't reach their externally hosted resources (which 
don't need the VPN, but do need DNS to work)


2) Even when it works, their office is 200-400ms (or about 16 hours 
door-to-door, including flight times) away from me. The internal DNS 
uses very short TTLs. This means I've got a 200-400ms wait time to 
access their public website (which is CDN hosted and otherwise very 
responsive) to hit the homepage, then a few more 200-400ms waits for 
other resources to start to load, and I do it every $small-TTL seconds 
while I browse their site looking for something because the cache 
expires quickly.


I've never seen a case where slaves are less reliable than forwards, but 
forwards are often less reliable than slaves. When a slave is not 
realistic or practical, forwards get the job done.


Keeping this thread in mind, the situation is a remote office where the 
pipe is neither fat nor reliable. See #1 and #2 above.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: any requests

2013-06-05 Thread Dave Warren

On 2013-06-05 12:28, Vernon Schryver wrote:

I thought Google Public DNS re-fetched RRsets as they were expiring in
order to keep the cache populated, which would explain what you see,

I don't understand how they could pre-fetch the gazillions of RRsets
that are rarely requested.



As far as I recall from some documents they published when they first 
came out, they do so for some percentage of the top domains by number of 
queries, not necessarily every domain that exists.


If you figure that keeping 10% of the data that passes through their 
caches each day current probably covers 80%-90% of DNS queries, and they 
only pre-fetch when the current TTL is getting close to expiry, it 
probably does get their average latency between query and response time 
down.


I'm not convinced they really bother with any of that, though; I wonder 
if they don't just have giant shared caches on powerful, well connected 
boxes.


Either way, when you're playing with a single test domain, 
experimentally, they'll absolutely expire just the way anybody else does.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



RRL and avoiding contributing to DDoS (Was: How to suppress ADDITIONAL SECTION per zone)

2013-07-05 Thread Dave Warren

On 2013-07-05 07:21, John Wobus wrote:

I endorse this suggestion: we were faced with such attacks and were
naturally leery about issues we might run into running a patched bind
and the additional tuning it could require.  Our experience is: the RRL
patch, used with its default parameters, simply does the job.



I haven't been following the RRL discussions too closely; is this patch 
scheduled to be included in BIND9 proper, or will it remain a patch?


We generally prefer to avoid "unsupported" (third party) patches, 
although I am working on getting an exception through for this 
particular situation, but if it's scheduled for inclusion in the nearish 
future, we may wait.


In the meantime, would it make sense to set "minimal-responses yes" 
proactively, or only if a spike of activity is detected (noting that it 
will take us 1-3 days to notice a spike unless it's disruptive to 
performance)?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

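The two knobs the post is weighing, as an added named.conf example (not from the thread or from ISC's documentation): `minimal-responses` trims the authority and additional sections, which shrinks every answer and therefore the amplification an abuser gets out of the server, and `rate-limit` is the RRL feature, which shipped as a built-in part of BIND from 9.10 onward. The numeric values are assumptions to tune for the zone in question, and `log-only` is set so the effect can be measured before any answer is actually dropped.

```conf
options {
    // Answer with only what was asked for: no authority/additional
    // records the client did not request. Smaller answers mean a
    // smaller amplification factor for reflected traffic.
    minimal-responses yes;

    // Response Rate Limiting (built into BIND 9.10+; a patch before that).
    // Limits identical responses per client prefix (/24 IPv4, /56 IPv6
    // by default) rather than per query, which is what makes it useful
    // against spoofed-source reflection.
    rate-limit {
        responses-per-second 5;   // assumption: tune after watching logs
        window 5;                 // seconds of history used for the limit
        slip 2;                   // every 2nd dropped reply becomes a small
                                  // truncated one so real clients retry on TCP
        log-only yes;             // assumption: measure first, enforce later
    };
};
```

Once the `rate limit` log lines show only the abusive flows being caught, switch `log-only` to `no`; `minimal-responses` is safe to turn on proactively, since it only removes data a compliant resolver would fetch on its own when needed.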


Re: Bind99 and a slave named server

2013-08-18 Thread Dave Warren

On 2013-08-18 10:39, LuKreme wrote:

Since it is all working, what I am looking for now is "how to convert your master 
bind server to a slave".


Change the zones from master to slave in your named.conf? There really 
isn't much more to it than that, assuming your new authoritative 
master is already configured and serving the zones.


Watch the logs for any errors indicating that your 
former-master-now-slave has newer versions of zones than the new-master, 
as this might indicate errors, but outside of that, the fact that a 
server used to be a master makes very little difference.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Bind99 and a slave named server

2013-08-18 Thread Dave Warren

On 2013-08-18 16:36, LuKreme wrote:

On 18 Aug 2013, at 14:06 , Dave Warren  wrote:


Change the zones from master to slave in your named.conf? There really isn't 
much more to it than that, assuming you have a new authoritative master is 
already configured and serving the zones.

Oh, there's a bit more to it than that. There's allow transfer or something and 
notify and text or binary (I want text).



Sure, I'm presuming you're already technically capable of running a 
master/slave configuration. These aren't special steps for moving from a 
master to a slave configuration, just part of "setting up a slave" like 
any other slave server.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Refreshing cache in other DNS Servers

2013-10-16 Thread Dave Warren

On 2013-10-16 09:47, Manson, John wrote:

I would add that Windows PC OSs by default have the dns client cache set to 
'enable'.


Yes. And like Windows Server's DNS cache, these honour TTLs too, so as 
long as TTLs are set properly, it's not an issue.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Dave Warren

On 2013-11-06 01:04, Steven Carr wrote:

This is all explained clearly on their website...

http://www.spamhaus.org/organization/dnsblusage/



Perhaps you can point out where on that page RPZ is mentioned?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Is SpamHaus Feed for RPZ is free or subscription based?

2013-11-06 Thread Dave Warren

On 2013-11-06 06:08, Steven Carr wrote:

On 6 November 2013 11:19, Dave Warren  wrote:

Perhaps you can point out where on that page RPZ is mentioned?

The Spamhaus news article announcing the "beta" RPZ service
(http://www.spamhaus.org/news/article/669/) indicates that the
Spamhaus DBL is being repurposed as an RPZ data feed. There is nothing
else on the Spamhaus website regarding RPZ, and since it's using the
DBL as it's basis the logical assumption is the same "licensing"
applies (unless anyone from Spamhaus wants to correct matters).



You're right: if you want to make assumptions based on years-old reports 
of a new service entering beta, and assume that it might be licensed 
similarly to other services which are designed and distributed totally 
differently, then it's "explained clearly on their website".


In the real world though, while I suspect you're correct, it's far from 
"explained" "clearly" or "on their website".


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Forward zone giving SERVFAIL

2013-11-28 Thread Dave Warren

On 2013-11-27 19:27, Neil Aggarwal wrote:

Anyone have any ideas?


This is a shot in the dark, but is your server carrying a root zone or 
using hints? I vaguely recall running into something similar a few weeks 
back when rolling out a new mail server; it turned out that the server 
was configured as a root server (with a copy of the root zone) and this 
broke forwards to a local rbldnsd on :54.


Since no one could remember why our mail servers had root zones and it 
didn't seem to make any practical difference, we switched over to using 
hints and suddenly forwards started working too.


Or so my memory recalls; there were so many minor disasters during 
testing on that roll-out that I might have some details off in my brain, 
but if this doesn't help, I'll ask around and see.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Query regardign CNAME

2014-01-01 Thread Dave Warren

On 2013-12-31 23:30, Gaurav Kansal wrote:


I have 2 domains and I want both to have exactly the same entries.

What I tried is to have entries in one zone file and in the other I 
tried something as mentioned below:


*.xyz.gov.in   CNAME *.xyz.in

where xyz.gov.in and xyz.in are my two domains.

But this doesn't help.

I want to ask whether it is possible to have a CNAME configuration by which I 
can divert all queries for my xyz.gov.in domain to the xyz.in domain.




That sounds roughly like a possible use for a DNAME record, I believe.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a pig

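What a DNAME at the apex of xyz.gov.in would look like, as an added zone-file example (it is not from the thread; the SOA values, the 192.0.2.10 placeholder address and the ns1.xyz.in name are assumptions). Two properties matter in practice: DNAME rewrites only names *below* its owner, so the apex needs its own A/MX records, and no other names may exist under a DNAME owner, so the zone's NS names must live outside xyz.gov.in.

```zone
$ORIGIN xyz.gov.in.
$TTL 3600
; serial/refresh/retry/expire/negative-TTL are placeholder values
@   IN SOA   ns1.xyz.in. hostmaster.xyz.in. ( 2014010101 3600 900 1209600 300 )

; NS names must NOT be under xyz.gov.in: anything below a DNAME owner
; is occluded by the DNAME, so ns1.xyz.gov.in could never be served.
@   IN NS    ns1.xyz.in.

; Every name below the apex is synthesised into xyz.in:
;   www.xyz.gov.in  -> www.xyz.in
;   mail.xyz.gov.in -> mail.xyz.in
; The resolver receives the DNAME plus a synthesised CNAME per query.
@   IN DNAME xyz.in.

; The apex itself is not covered by the DNAME, so records wanted at
; xyz.gov.in (as opposed to *.xyz.gov.in) still have to be listed here.
@   IN A     192.0.2.10
@   IN MX 10 mail.xyz.in.
```

`named-checkzone xyz.gov.in <file>` is the quick sanity check; it will refuse a zone that declares a name under the DNAME owner, which is the mistake most often made when converting a wildcard-CNAME attempt like the one above.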

Re: Sites that points their A Record to localhost

2014-01-10 Thread Dave Warren

On 2014-01-10 12:25, Alan Clegg wrote:

On Jan 10, 2014, at 3:01 PM, Eduardo Bonsi  wrote:


I have an issue happening here. I actually do have a vague idea what it is but 
I am not really sure how it is happening and how to avoid it. I was doing some research 
the other day and landed on this domain;

p3net.net

Yes, it seems that they have an A record for that label that provides the IP 
address 127.0.0.1.

You probably want to ask the owner of the zone about this, as I’m not sure what 
the community can do about it.


unbound, for example, has an option to discard replies that include 
non-routable IP addresses outside of expected/predictable locations.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


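The unbound option the post alludes to is `private-address` together with `private-domain`; this is an added unbound.conf example, not from the thread or from unbound's own documentation. Answers for any name outside the listed `private-domain` zones that carry one of the listed addresses are discarded, so a public name resolving to 127.0.0.1 (or to an RFC 1918 address, the classic DNS-rebinding vector) never reaches clients. The `corp.example` and `bl.example` zone names are assumptions.

```conf
server:
    # Addresses that must never appear in answers for public names.
    # Unbound drops such answers (the lookup fails) instead of caching them.
    private-address: 127.0.0.0/8
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: ::1/128
    private-address: fd00::/8

    # Zones that legitimately hand out those addresses.
    private-domain: "corp.example"    # assumption: the site's internal zone

    # Caveat: DNSBLs answer with 127.0.0.x on a *listed* address, so any
    # blocklist zone this resolver serves mail software must be exempted
    # too, or every listing lookup will fail and the filter goes blind.
    private-domain: "bl.example"      # assumption: a DNSBL the MTA queries
```

Check the effect with `unbound-host -v p3net.net` after reloading; a stripped answer shows up as a failed lookup rather than as 127.0.0.1, and unbound logs it when `verbosity` is 2 or higher.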


Re: Sites that points their A Record to localhost

2014-01-10 Thread Dave Warren

On 2014-01-10 12:36, wbr...@e1b.org wrote:

From: Alan Clegg 

Yes, it seems that they have an A record for that label that
provides the IP address 127.0.0.1.

You probably want to ask the owner of the zone about this, as I'm
not sure what the community can do about it.

They have an MX record, so perhaps the domain is only intended for email.

# host p3net.net
p3net.net has address 127.0.0.1
p3net.net mail is handled by 10 aspmx.l.google.com.

Although, they should have more MX records if using google.


And fewer A records if they don't intend to do anything but email. But 
it's an imperfect world.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: "Recursive no;" implications?

2014-01-22 Thread Dave Warren

On 2014-01-22 00:43, Steven Carr wrote:

Well they probably are being subjected to DDoS all the time, but
Google uses their own DNS implementation so more than likely they have
written in functionality to rate-limit and block specific
clients/requests. They also have a lot of bandwidth and they have a
lot of servers, using Anycast for distribution.
http://en.wikipedia.org/wiki/Google_Public_DNS


The fact that they're using anycast possibly helps their code detect 
DDoS attempts too; if their anycast farm in India receives a request 
"from" an IP in the US with half a dozen closer anycast farms/points, it 
can potentially assume that that query is part of an attack and rate 
limit much more drastically than is normally done.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

The cigarette does the smoking, you're just the sucker.




Re: Variable SOAs in negative responses

2014-01-28 Thread Dave Warren

On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:

On 27.01.14 18:23, John Levine wrote:

A friend (really) asks this question: they have some DNSBLs, which get
a lot of queries.  Sometimes the answer has A or TXT records, meaning
the corresponding address is listed in the DNSBL, sometimes it's
NXDOMAIN which means the address isn't.

For addresses that aren't listed, some of the NXDOMAINs are a lot less
likely to change than others, e.g, the address of an outbound mail
server at a large mail provider is unlikely ever to be listed, but a
random host at a hosting provider in India, who knows.  So he'd like
to have the TTLs on some of those NXDOMAINs be longer than others, by
putting a different TTL in the SOA in the authority section.


If you know those IPs, why do you check them for being listed at all?


John's question was from the point of view of the DNSBL operator. How 
would a DNSBL operator stop users of that DNSBL from performing lookups 
on certain IPs, and why would they bother?



If any IP starts spamming, why give it a longer time to appear in the
blacklists? I don't think this makes sense at all...


Because a lot of IPs simply are not candidates for listing at certain 
types of DNSBL sites. "Too big to block" is a thing.


A more straightforward example: If your DNSBL is designed to only list 
IPs that are running vulnerable web scripts *and* are not also 
legitimate mail servers, then Google's outbound MX will *never* be 
candidates for listing (regardless of how much they spew) and therefore 
a very large TTL'd NXDOMAIN would be appropriate. Frankly, any 
legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN 
for this type of list, not just big players like Google.


If a DNSBL operator knows that certain IPs are not candidates for 
listing (or at least not candidates for automated listing), why not let 
DNS caches keep that information for as long as possible?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of shit when you least expect it.




Re: Variable SOAs in negative responses

2014-01-28 Thread Dave Warren

On 2014-01-28 14:20, Mark Andrews wrote:

In message <52e8258e.3060...@hireahit.com>, Dave Warren writes:

On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:

On 27.01.14 18:23, John Levine wrote:

A friend (really) asks this question: they have some DNSBLs, which get
a lot of queries.  Sometimes the answer has A or TXT records, meaning
the corresponding address is listed in the DNSBL, sometimes it's
NXDOMAIN which means the address isn't.

For addresses that aren't listed, some of the NXDOMAINs are a lot less
likely to change than others, e.g, the address of an outbound mail
server at a large mail provider is unlikely ever to be listed, but a
random host at a hosting provider in India, who knows.  So he'd like
to have the TTLs on some of those NXDOMAINs be longer than others, by
putting a different TTL in the SOA in the authority section.

If you know those IPs, why do you check them for being listed at all?

John's question was from the point of view of the DNSBL operator. How
would a DNSBL operator stop users of that DNSBL from performing lookups
on certain IPs, and why would they bother?


If any IP starts spamming, why to give it longer time to appear in the
blacklists? I don't think this makes sense at all...

Because a lot of IPs simply are not candidates for listing at certain
types of DNSBL sites. "Too big to block" is a thing.

A more straightforward example: If your DNSBL is designed to only list
IPs that are running vulnerable web scripts *and* are not also
legitimate mail servers, then Google's outbound MX will *never* be
candidates for listing (regardless of how much they spew) and therefore
a very large TTL'd NXDOMAIN would be appropriate. Frankly, any
legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN
for this type of list, not just big players like Google.

Which if the recursive servers are following RFC 2308 will be truncated to
~3 hours.


Which is quite reasonable, given that many DNSBLs (especially those that 
aim to list zombies and other malware infections) update multiple times 
per minute (or are simply maintained dynamically, without a defined 
"refresh"), and therefore want to use NXDOMAIN TTLs that are quite 
short, perhaps in the range of minutes, so that freshly discovered 
zombies are listed absolutely as soon as possible.


These are exactly the type of DNSBLs that will benefit from low NXDOMAIN 
TTLs on most IPs and higher TTLs on definitely-won't-be-listed IPs like 
major mail servers.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of shit when you least expect it.


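The negative-TTL arithmetic behind both halves of this exchange (John's per-IP SOA TTL on the list side, Mark's ~3 hour clamp on the resolver side), as an added Python example that is not from the thread. Per RFC 2308 section 3 a resolver caches an NXDOMAIN for the smaller of the SOA record's TTL and the SOA MINIMUM field, and BIND additionally clamps that to `max-ncache-ttl`, whose default is 10800 seconds. The zone name `bl.example`, the 203.0.113.0/24 "never listed" prefix and the TTL values are constructed for the example.

```python
import ipaddress

# Constructed policy for a hypothetical DNSBL zone "bl.example" (not a real list).
# Prefixes the operator has decided are never candidates for automated listing,
# e.g. a large provider's outbound MX farm (TEST-NET-3 used as a stand-in).
NEVER_LISTED = [ipaddress.ip_network("203.0.113.0/24")]

# The SOA MINIMUM field must itself be large; if it were 300, RFC 2308's
# min(SOA TTL, MINIMUM) would cap every negative answer at 300 regardless
# of the per-answer SOA TTL the list server emits.
SOA_MINIMUM = 7 * 86400
SHORT_NEG_TTL = 300            # 5 min: a newly listed zombie should appear quickly
LONG_NEG_TTL = 7 * 86400       # 7 d: the operator's intent for never-listed hosts
BIND_MAX_NCACHE_TTL = 10800    # BIND default max-ncache-ttl (3 h)


def dnsbl_name(ip, zone="bl.example"):
    """Owner name a client queries: reversed IPv4 octets under the list zone."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone + "."


def authority_soa_ttl(ip):
    """TTL the list server puts on the SOA in the authority section of an NXDOMAIN."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_LISTED):
        return LONG_NEG_TTL
    return SHORT_NEG_TTL


def cached_negative_ttl(soa_ttl, soa_minimum=SOA_MINIMUM,
                        resolver_cap=BIND_MAX_NCACHE_TTL):
    """RFC 2308 s.3: negative TTL = min(SOA TTL, SOA MINIMUM), then the resolver's cap."""
    return min(soa_ttl, soa_minimum, resolver_cap)


def negative_answer(ip):
    """Both sides of one lookup: what the list server sends, what a BIND resolver keeps."""
    soa_ttl = authority_soa_ttl(ip)
    return {
        "qname": dnsbl_name(ip),
        "rcode": "NXDOMAIN",
        "authority_soa_ttl": soa_ttl,          # what the wire carries
        "cached_for": cached_negative_ttl(soa_ttl),  # what the cache actually holds
    }


if __name__ == "__main__":
    for sample in ("203.0.113.25", "198.51.100.7"):
        print(negative_answer(sample))
```

Running it shows the point Mark made: the "never listed" host is offered a week but a default BIND cache keeps it for 10800 s, while the ordinary host keeps its 300 s; the operator still wins a 36x reduction in repeat queries for the stable hosts, just not the 2000x the SOA TTL suggests.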


Re: Monitoring Zonefiletransfer

2014-02-19 Thread Dave Warren

On 2014-02-19 16:06, Barry S. Finkel wrote:


See MS KB article 282826, where MS documents the handling of zone
serial numbers in an AD environment.



My experience is that it tends to work pretty well if BIND only points 
to one particular MS DNS server at a time, with a failover script that 
detects when that DNS server goes down and flips to another master (if 
you're worried about such things).


That being said, even without that script and with multiple MS DNS 
masters configured in BIND at once, any issues generally work themselves 
out within 15 minutes or so, once the Active Directory serial number 
update propagates through the MS DNS infrastructure. As described in the 
article, the servers self-increment properly when a slave is detected, 
and occasionally sync up the serial numbers between MS DNS servers 
(again, only moving update).


The only inconsistencies are in those recently added/modified records, 
so if you just plan for 15 minute update times for non-MS secondaries to 
sync up and ignore the periodic "serial is lower than expected" 
warnings, multi-mastering works fine in practice.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: whois expiration limit?

2014-02-19 Thread Dave Warren

On 2014-02-19 20:44, Lightner, Jeff wrote:


Hi,  I know this is the BIND list but I'm thinking folks who deal with 
DNS may be able to answer this question about whois.


We recently transferred and renewed a domain by 2 years which pushed 
its expiration to 01/25/2025. The order confirmation shows that 
expiration and looking at the domain at the Registrar’s web site under 
our account it shows that expiration as well.   However, when running 
whois both here and at the Registrar’s site it shows expiration 
01/25/2024.  It makes me wonder if there is a 10 year limit in whois 
since 2024 would be within 10 years but 2025 would be outside of it.


I didn’t see anything in RFC 3912 describing whois that even suggests 
a limit for expirations dates.


Not a big deal as I may be dead by then either way – just wondering if 
anyone knows of a reason this would occur.


Please don’t suggest I contact the Registrar.  I already did and they 
seemed as clueless as I am.




http://www.icann.org/en/resources/compliance/faqs#7

"Each registrar has the flexibility to offer initial and renewal 
registrations in one-year increments, provided that the maximum 
remaining unexpired term shall not exceed ten years."


In reality, they'll probably issue the renewal automagically once you're 
under the 9-year mark and the domain is renewal-eligible.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: whois expiration limit?

2014-02-19 Thread Dave Warren

On 2014-02-19 23:29, Lightner, Jeff wrote:


Thanks.  My thinking was the limit was on the whois database since the 
Registrar was telling me it was registered for more than 10 years.


It appears based on this Registration FAQ regarding “compliance” that 
the registrar may simply be showing it as 2024 because they can’t 
really report 2025 and be in compliance.





Just to be clear, it's not about showing something different for 
compliance, the domain is only registered for 9.something years, full stop.


ICANN/Internic is the ultimate authority within their gTLD roots; 
everyone else is just a reseller, so at this point you've been sold 
something they're unable to deliver. But since they can deliver it 
over time, it should work itself out.


In other words, what you have is a domain for 9 years, and the promise 
of one more. That's fair; most service contracts are based on one party 
or the other doing something and the other promising to do something later.


Luckily registrars don't have much of an incentive to jerk people 
around, saving themselves $9 isn't worth the lawsuit and potential loss 
of accreditation.




--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?

2014-03-10 Thread Dave Warren

On 2014-03-10 15:05, Andreas Ntaflos wrote:

On 2014-03-10 22:23, Kevin Darcy wrote:

Options:


First, thanks a lot for the reply! So it seems what I described is 
indeed the expected behaviour for the type of DNS we operate?


To put it another way, why wouldn't it? How would your local BIND know 
whether or not a query for "myhostname." or "museum." is valid? 
One of those has records (although just NS records, no A records).






1) Change nameservice-switch order (e.g. /etc/nsswitch.conf) on your
hosts to prefer another source of name resolution (e.g. /etc/hosts)
which can resolve the shortname. Thus DNS is never used for these 
lookups


This might be a solution but I find that our DNS setup is just complex 
enough that relying on /etc/hosts would probably introduce more 
problems. Then there's managing /etc/hosts on hundreds of machines, 
which we could of course do with Puppet, but I find that highly 
unappealing. Currently we use Puppet to ensure /etc/hosts contains 
just "127.0.0.1 localhost" and nothing else.


Can you configure your environment to also write the machine's own 
hostname into the hosts file? We're generally not talking about storing 
every single host in every single HOSTS file, just having each machine 
know that its own hostname matches 127.0.0.1.


This should happen automatically and transparently in the Windows world 
(without appearing in the HOSTS file explicitly), but not in the *nix world.


Beyond that, in the Windows world, a machine will append the local 
domain's search suffix before doing a bare "hostname" lookup, so these 
queries typically won't leak as long as your local search suffix points 
to a zone that resolves local hosts and gives a valid answer. I suspect 
the same is true in *nix environments, but it's been a while since I 
mucked around, so I don't know what modern *nix does.






2) Simply :-) change your DNS architecture fundamentally, from one which
forwards requests to the Internet by default (aka "the Microsoft way"),
to one with an internal root zone and conditionally forwarding only
those parts of the namespace that your internal clients actually need to
see.


I confess that I didn't think there was any feasible way other than 
what you call "the Microsoft way" to operate this kind of internal 
DNS. I also don't think I've ever consciously heard of the setup you 
describe. Can you point me to some reading material on what this 
entails and how to get there?


In general there isn't much to it: if you don't set up a forwarder then 
BIND will use its hints file to locate the root servers, and from 
there it will resolve whatever it needs to resolve recursively, taking 
over the role of your upstream forwarder.


I'm sure someone can post a link to proper documentation, if you need it.

Incidentally, in the Windows world, you do the same, just leave the 
forwarders list blank and Microsoft DNS does full recursion. The old DNS 
setup wizards encouraged forwarders since they made a lot more sense in 
the high-latency, well maintained DNS server worlds of yester-year, but 
today, you'll probably do a better job of doing your own recursion if 
only because most ISPs do a terrible job of their own DNS servers.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Bind 9.9.1 forward zone "local"

2014-03-25 Thread Dave Warren

On 2014-03-25 16:16, Mark Andrews wrote:

".local" is reserved for mDNS.  I would say stop trying to use ".local" in
the DNS.


While true, I don't think it will help this particular issue. As I 
understand it, BIND knows, by knowledge of being a root server, that 
local. can't possibly exist, and so that knowledge overrides the 
configuration of the forwarder.


I ran into something similar setting up a fake/virtual TLD for rbldnsd, which I 
was able to resolve by moving it downstream to dnsbl.hireahit.net. 
instead of just dnsbl. Nearly. Until I hit one broken application that 
wouldn't work with this configuration.


Switching BIND to use hints instead of acting as a root seems to work 
around this (broken) local configuration.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: How to setup a backup NameServer?

2014-04-29 Thread Dave Warren

On 2014-04-29 18:50, houguanghua wrote:

A lot of zones will be supported. All popular zones in the ISP.
Maybe the best solution is to hire some custom programming to develop a 
private system.


How will you obtain copies of "all popular zones"? Are you just talking 
about zones you host, or things like Google?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: How to setup a backup NameServer?

2014-05-03 Thread Dave Warren

On 2014-05-03 18:15, houguanghua wrote:

These zones are not owned by ISP, such as: yahoo.com, facebook.com...
If such backup dns server is ready, ISP will talk to these WEB sites 
to keep synchronization with their authority NSs.

It's maybe a huge project.


Do you actually expect to get a zone transfer from all of them? I'd be 
amazed if any is willing.


And if any were willing, why bother setting up a "backup" at all? Just 
serve the zone(s) authoritatively all the time and don't waste time 
doing queries for data you already have on-network. But again, I doubt 
they have any incentive to cooperate since there's no advantage to them 
(or you, or your customers for that matter).


While we're on the topic, what's the point? If you have connectivity, 
you can make a reliable DNS infrastructure with normal resolvers and 
caches via a number of different methods. Anycasting within your network 
might be a good choice in a large environment. If your connectivity is 
so badly interrupted that you can't pull off DNS queries against 
authoritative servers, there's little value to keeping DNS up since 
everything else is basically down at this point.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: Multi-master (HA)

2014-05-08 Thread Dave Warren

On 2014-05-07 15:06, Lawrence K. Chen, P.Eng. wrote:

OTOH, the idea of multi-master is intriguing... the only down side I see is 
that I have one really powerful server for my current master (Sun Fire 
X4170) and my other servers are weak leftovers... just passed EOL last year. 
 And, having all the servers doing full DNSSEC signing could be interesting.

It also raises the question of how does the outside world cope with all the 
servers having identical zones... signed at slightly different times, etc. 
(especially since I'm using unix timestamp for zone serial... avoids issues of 
multiple admins incrementing serial without noticing others and/or collisions 
with DNSSEC's incrementing of serials.)


I wouldn't expect any real issues here, Windows DNS has done multimaster 
DNS since Windows 2000. In the case of Windows, dynamic updates (via 
client or GUI) can be done at any location, the serial numbers are 
incremented automatically, but the zones and servers may vary from each 
other for a brief period of time.


So for example, DC1 and DC2 may start with serial 100, DC1 will receive 
2 changes and be up to 102, DC2 will give 5 different changes and be up 
to 105. When Active Directory synchronization happens outside of DNS, 
the two sides merge changes together, and set the serial to the higher 
of the two plus one, so the serial would be 106. To the outside world, 
records can appear/disappear for a brief period while the servers drift 
out of sync, similar to what could happen in a BIND configuration 
without notifies as resolvers hit the two DNS servers round-robin.


The only thing that causes issues is if you use DNS to create a 
non-Active Directory slave. BIND will throw errors because it will see 
serial 100, 101, 102, then get a notify from the second server about 
101. However, the slave will still sync up once the AD servers sync to 
106. The fix here is to configure BIND to only slave off of one master 
or the other, not both.


While there might be other factors involved in turning BIND into a true 
multi-master solution, I wouldn't expect zones drifting out of sync or 
having minor differences to be a big factor since it happens in the wild 
already.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


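The serial drift just described (DC1 at 102, DC2 at 105, merged to 106, and a non-AD secondary seeing a lower serial in between), played through RFC 1982 serial-number arithmetic as an added Python example; it is not from the thread and the simulated secondary is a stand-in for BIND's refresh/notify decision, not BIND's code. The same comparison is what makes the "unix timestamp as serial" scheme safe: a 32-bit serial compares correctly as long as consecutive values stay within 2^31 of each other.

```python
SERIAL_MASK = 0xFFFFFFFF
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: is serial a 'newer' than b under 32-bit wrap-around arithmetic?"""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


class Secondary:
    """Minimal model of a slave deciding whether to transfer a zone from a master."""

    def __init__(self, serial):
        self.serial = serial
        self.log = []          # constructed stand-in for named's log output

    def on_notify_or_refresh(self, master, master_serial):
        """Returns True when a transfer would be performed."""
        if serial_gt(master_serial, self.serial):
            self.log.append(
                f"transfer from {master}: serial {self.serial} -> {master_serial}")
            self.serial = master_serial
            return True
        if master_serial != self.serial:
            # Not an error in itself: with two AD masters it simply means the
            # other master has not replicated yet. Persistent repeats are the signal.
            self.log.append(
                f"warning: {master} offers serial {master_serial}, "
                f"lower than ours {self.serial}")
        return False


def ad_merge(serial_a, serial_b):
    """Merge rule the post describes: higher of the two, plus one."""
    return max(serial_a, serial_b) + 1


def simulate():
    """Replay the DC1/DC2 scenario from the post against one BIND-style secondary."""
    sec = Secondary(100)
    # DC1 takes two dynamic updates and notifies after each one.
    for dc1_serial in (101, 102):
        sec.on_notify_or_refresh("DC1", dc1_serial)
    dc1, dc2 = 102, 105    # DC2 took five updates of its own in the meantime
    # A notify from DC2 arrives carrying one of its intermediate serials.
    sec.on_notify_or_refresh("DC2", 101)
    # AD replication merges both change sets and bumps the serial past both.
    merged = ad_merge(dc1, dc2)
    sec.on_notify_or_refresh("DC2", merged)
    return sec.serial, merged, sec.log


if __name__ == "__main__":
    final_serial, merged_serial, log = simulate()
    print(f"secondary ends at {final_serial} (AD merged to {merged_serial})")
    print("\n".join(log))
```

The one warning line in the replay is exactly the noise the post says to expect; configuring the secondary with a single `masters` entry removes it, because a single master only ever moves forward. The `serial_gt` checks on 0 and 0xFFFFFFFF show why a timestamp serial must never jump backwards by more than 2^31: that is the only case where "newer" and "larger" disagree.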


Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Dave Warren

On 2014-05-07 15:54, Lawrence K. Chen, P.Eng. wrote:

Yeah...I currently just look up the name and enter A records.  But, I've 
wondered if there was another record type that allowed it to detect address 
changes of the requested 'CNAME'so I wouldn't have to.  Especially, if the 
requested 'CNAME' is a name that is known to change its IP...

Either that...or come up with a way to script it.


DNSMadeEasy calls this an "ANAME" record, internally they just lookup 
the destination's IP and cache it, updating it as needed.


It works, but it would be nice if this could be done in DNS. Sadly, it 
can't, and probably won't in our lifetimes.


A better solution might be to push the world into using SRV records so 
that a HTTP client could get the correct IP and port, while another 
protocol would get its correct IP and port for the apex of the same 
zone, but again, in another world...



Though it was just a minor delay for them to revert back to the old site, 
until they migrated their email accounts to the CNAME site as well


You still can't CNAME the APEX of a zone even if you do migrate your 
email accounts to the CNAME site as you can't have a CNAME and SOA/NS 
records at the same level.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Dave Warren

On 2014-05-08 07:45, Barry Margolin wrote:

In article ,
  Tony Finch  wrote:


Dave Warren  wrote:

DNSMadeEasy calls this an "ANAME" record, internally they just lookup the
destination's IP and cache it, updating it as needed.

It works, but it would be nice if this could be done in DNS. Sadly, it
can't,
and probably won't in our lifetimes.

Never say never :-)

You can implement something ANAME-alike with a script that polls the
A and AAAA records at the target name and does a DNS UPDATE on the owner
as necessary, but that might not scale too well.

There are a couple of difficulties with implementing ANAME inside the
server.

Firstly it implies a weird authoritative/recursive hybrid. A bit ugly but
not unreasonable.

Secondly, and more importantly, is the question of how this works with
zone transfers and secondaries. How do you ensure they support ANAME
records? Do you include a backwards compatibility hack by adding the A and
AAAA records to the zone?

It also has adverse implications for DNS-based CDN routing, e.g. Akamai.
Everyone will be routed to the servers close to the auth servers of the
domain containing the ANAME, instead of routing each end user to their
closest servers.


Indeed. Were such a thing implemented, I'd think it would be smart to 
have the authoritative server return both the ANAME and A records, 
allowing a compliant resolver to do its own A record lookup to find an 
appropriate CDN endpoint, while older resolvers with no concept of ANAME 
would simply ignore it and use the (possibly-less-than-optimal) A record.


Arguably adjusting CNAME to allow it to coexist with other record types 
might be a better long-term solution, perhaps allowing CNAME to coexist 
with SOA, NS and DNAME records? Although allowing a CNAME to coexist 
with NS could have some interesting side effects. There might be 
backward compatibility issues that make this impossible, but I would 
hazard a guess that since DNAMEs already return a matching CNAME and 
nothing explodes, the problems would be minor and limited in scope.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Point domain name of my zone to name in somebody else's zone?

2014-05-08 Thread Dave Warren

On 2014-05-08 15:09, Mark Andrews wrote:

In message <536bcced.8060...@hireahit.com>, Dave Warren writes:

On 2014-05-08 07:45, Barry Margolin wrote:

In article ,
   Tony Finch  wrote:


Dave Warren  wrote:

DNSMadeEasy calls this an "ANAME" record, internally they just lookup the
destination's IP and cache it, updating it as needed.

It works, but it would be nice if this could be done in DNS. Sadly, it
can't,
and probably won't in our lifetimes.

Never say never :-)

You can implement something ANAME-alike with a script that polls the
A and AAAA records at the target name and does a DNS UPDATE on the owner
as necessary, but that might not scale too well.

There are a couple of difficulties with implementing ANAME inside the
server.

Firstly it implies a weird authoritative/recursive hybrid. A bit ugly but
not unreasonable.

Secondly, and more importantly, is the question of how this works with
zone transfers and secondaries. How do you ensure they support ANAME
records? Do you include a backwards compatibility hack by adding the A and
AAAA records to the zone?

It also has adverse implications for DNS-based CDN routing, e.g. Akamai.
Everyone will be routed to the servers close to the auth servers of the
domain containing the ANAME, instead of routing each end user to their
closest servers.

Indeed. Were such a thing implemented, I'd think it would be smart to
have the authoritative server return both the ANAME and A records,
allowing a compliant resolver to do it's own A record lookup to find an
appropriate CDN endpoint, while older resolvers with no concept of ANAME
would simply ignore it and use the (possibly-less-than-optimal) A record.

Arguably adjusting CNAME to allow it to coexist with other record types
might be a better long-term solution, perhaps allowing CNAME to coexist
with SOA, NS and DNAME records?

But that does not help when you want a MX record at the apex or
some other record at the apex.


I'd argue that it does -- Since the record is now CNAME'd, the MX record 
is now under the control of the destination of the CNAME record and MX 
records can still be set. This is no different than if I CNAME'd 
dog.example.com to cat.example.com, email to @dog.example.com will flow 
to the MX records of cat.example.com.


Not ideal? Well no, it's not. Don't use a CNAME if you don't want to 
delegate everything, instead use a HTTP/HTTPS level redirect to www. 
which is properly distributed.


ANAME records might be more flexible, but since they require 
authoritative servers to gain resolver-like capabilities to provide 
backward compatible A-records, I believe that the concept will be a 
non-starter outside of proprietary solutions that just update A records 
dynamically.




SRV or a HTTP specific record like MX is the correct solution.
However it requires browser vendors to be on board to change the initial
lookup and then fallback to A/AAAA if the record does not exist.


Agreed, and I touched upon this in one of my earlier replies. I wish you 
the best of luck pushing the world toward using SRV records; it would 
solve a lot of problems, but they seem to scare too many people.


I actually think that MX records were a boneheaded thing to do, had 
email started using SRV records in the first place we might be in a 
position now where using SRV records is the de facto standard if not the 
actual standard for all services. (No offense to the folks that made MX 
records happen, I realize that in historical context it was the correct 
decision and it solved the very immediate problem -- I'm just saying 
that in an ideal world, SRV records instead of MX records would have solved 
the same problem in a more generic fashion, and would have pushed us to 
a better place for other protocols)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


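Added example, not code from the thread and not any vendor's "ANAME" implementation: the poll-and-UPDATE approach Tony Finch sketches above, as a small Python module. It resolves the target's A and AAAA RRsets, compares them with what the owner (here the zone apex) currently serves, and emits an nsupdate script only when they differ. It never writes a CNAME, so the apex keeps its SOA, NS and MX and the "CNAME and other data" rule is never hit. The lookup function is injected so the module runs offline; example.com, cdn.example.net, the addresses and the 300 second TTL are assumptions.

```python
"""ANAME-alike apex flattening: poll a target's A/AAAA and emit the nsupdate
script that makes the owner match.  Added example, not the poster's code and
not any vendor's implementation.  Only A and AAAA are ever touched, so the
owner may be the zone apex.  The lookup function is injected so this runs
offline; names, addresses and the 300 s TTL below are assumptions."""
import ipaddress
from typing import Callable, Dict, Iterable, Set

# (absolute name, "A" | "AAAA") -> set of address strings, empty if none
Lookup = Callable[[str, str], Set[str]]


def classify(addresses: Iterable[str]) -> Dict[str, Set[str]]:
    """Bucket address strings into A and AAAA rdata sets; reject non-addresses."""
    out: Dict[str, Set[str]] = {"A": set(), "AAAA": set()}
    for text in addresses:
        ip = ipaddress.ip_address(text)   # ValueError on anything that is not an IP
        out["A" if ip.version == 4 else "AAAA"].add(str(ip))
    return out


def plan_update(owner: str, target: str, lookup: Lookup, ttl: int = 300) -> str:
    """Return an nsupdate script making owner's A/AAAA equal target's, or '' if no change.

    A target that resolves to nothing leaves the owner alone: a failed poll
    must not blank the apex.  A short TTL bounds how stale the copy can get.
    """
    owner = owner.rstrip(".") + "."
    target = target.rstrip(".") + "."
    current = classify(lookup(owner, "A") | lookup(owner, "AAAA"))
    wanted = classify(lookup(target, "A") | lookup(target, "AAAA"))
    if not (wanted["A"] or wanted["AAAA"]) or current == wanted:
        return ""
    lines = []
    for rrtype in ("A", "AAAA"):
        if current[rrtype] != wanted[rrtype]:
            lines.append(f"update delete {owner} {rrtype}")
            lines.extend(f"update add {owner} {ttl} {rrtype} {addr}"
                         for addr in sorted(wanted[rrtype]))
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE_DATA = {
    ("example.com.", "A"): {"192.0.2.10"},
    ("cdn.example.net.", "A"): {"198.51.100.7", "198.51.100.8"},
    ("cdn.example.net.", "AAAA"): {"2001:db8::7"},
}


def fake_lookup(name: str, rrtype: str) -> Set[str]:
    return set(FAKE_ZONE_DATA.get((name, rrtype), set()))


if __name__ == "__main__":
    # In production: pipe plan_update(...) into nsupdate -k <tsig key file>, from cron.
    print(plan_update("example.com", "cdn.example.net", fake_lookup), end="")
```

Feed the output to nsupdate with a TSIG key against a zone that accepts dynamic updates; if the zone is DNSSEC-signed, let named maintain the signatures rather than re-running a batch signer after every poll. The caveat raised in the thread still applies: the addresses are chosen from the authoritative server's vantage point, so a CDN target hands back servers close to your name server, not to the end user.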


Re: Multi-master (HA)

2014-05-08 Thread Dave Warren

On 2014-05-08 07:13, Barry S. Finkel wrote:

On 2014-05-07 15:06, Lawrence K. Chen, P.Eng. wrote:
OTOH, the idea of multi-master is intriguing...the only down side I see, is that I
have one really powerful server for my current master (Sun Fire X4170) and my
other servers are weak leftovers...just passed EOL last year.
And, have all the servers doing full DNSSEC signing could be interesting.

It also raises the question of how does the outside world cope with all the servers
having identical zones...signed on slightly different times, etc.
(especially since I'm using unix timestamp for zone serial...avoids
issues of multiple admins incrementing serial without
noticing others and/or collisions with DNSSEC's
incrementing of serials.)

Dave Warren replied:


I wouldn't expect any real issues here, Windows DNS has done multimaster
DNS since Windows 2000. In the case of Windows, dynamic updates (via
client or GUI) can be done at any location, the serial numbers are
incremented automatically, but the zones and servers may vary from each
other for a brief period of time.

So for example, DC1 and DC2 may start with serial 100, DC1 will receive
2 changes and be up to 102, DC2 will give 5 different changes and be up
to 105. When Active Directory synchronization happens outside of DNS,
the two sides merge changes together, and set the serial to the higher
of the two plus one, so the serial would be 106. To the outside world,
records can appear/disappear for a brief period while the servers drift
out of sync, similar to what could happen in a BIND configuration
without notifies as resolvers hit the two DNS servers round-robin.

The only thing that causes issues is if you use DNS to create a
non-Active Directory slave. BIND will throw errors because it will see
serial 100, 101, 102, then get a notify from the second server about
101. However, the slave will still sync up once the AD servers sync to
106. The fix here is to configure BIND to only slave off of one master
or the other, not both.

While there might be other factors involved in turning BIND into a true
multi-master solution, I wouldn't expect zones drifting out of sync or
having minor differences to be a big factor since it happens in the wild
already.



As I have written before, see MS article 282826.  If one is going
to slave an MS AD DNS server, one has to choose ONLY ONE AD DNS
Server as a master.  As I see it, there is no way that AD can
choose a zone serial number from among all of the AD DNS Servers.
Assuming that a zone has the same contents and same serial number,
say n, on all Domain Controllers.  Then, one Windows machine sends
a DDNS update for the zone to DC1 at the same time that another Windows
machine sends a different DDNS update for that zone to DC2.  Now,
each DC has serial number n+1 and different contents.  When AD
synchronizes the zone contents and serial number under the covers,
what serial number can it choose?  It can't choose n+1, as that
serial number has already been used.  It can't choose n+2, as it
does not know if another DDNS for the same zone has arrived before
the synchronization has taken place.


n+2 works fine, the situation is no worse off than it was with two 
servers each at n+1 and being slightly out of sync. At the n+2 step, the 
zones are closer to being in sync than they were. The logic that MS DNS 
uses is to always set the serial number to the highest seen anywhere +1 
and it works very well internally.


Even if you don't follow the advice in 282826, it actually works 
surprisingly well; as AD syncs up (which tends to happen very quickly 
for DNS servers in the same site, slower with intra-site replication), 
the changes merge together, the serial increments and BIND gets the 
latest zone. You obviously have to use AXFR rather than IXFR, and you 
have to accept that newly added records will appear and disappear from 
the BIND zone when/if BIND flips between AD masters, but the effects are 
understandable and manageable.


(I'm not advocating slaving off of multiple AD masters, I agree 
completely with 282826 -- it's a dumb idea. But I've seen it done and if 
you ignore BIND's logs and understand that newly added records need to 
propagate before they will exist reliably, it works well in production)


But again, the point of this isn't "how to integrate MS DNS and BIND", 
it's "What happens, in the real world, if multi-master authoritative 
servers were to serve ever-so-slightly-different-versions of the same 
zone with the same serial", and the answer is that this is already 
battle-tested in the real world and it works very well, outside of 
slaves which aren't aware of this design or aren't part of the 
multi-master configuration.




IIRC, 282826 says that if a
DC is not used as a master for a BIND slave, then its zon

Re: Point domain name of my zone to name in somebody else's zone?

2014-05-12 Thread Dave Warren

On 2014-05-12 12:29, Lawrence K. Chen, P.Eng. wrote:

Heh...it's definitely Monday, today.


Could we please have the following DNS updates made?
  
CNAME: .ksu.edu -> web..ksu.edu

CNAME: www..ksu.edu -> web..ksu.edu
  
We have migrated our public web site to a new server. Thanks!
  
- ..
  
Chief Technology Officer

Sure...

dnssec-signzone: error: dns_master_load: oeie.ksu.edu:16: oeie.ksu.edu: CNAME
and other data
dnssec-signzone: fatal: failed loading zone from 'ksu.edu': CNAME and other data
*** Error code 1

heh


IT is basically figuring out how to phrase your three wishes to an evil 
genie. "CNAME the apex? As you wish, master... mwahahaha!"


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: DMARC Record issue

2015-01-05 Thread Dave Warren

On 2015-01-04 19:30, Chris Vaughan wrote:

I have been given the task of implementing DMARC in our BIND servers due the 
recommendation of a security audit on our systems.

Whenever I create the record in the forward server, and refresh the zone, it 
comes out in the slave zone with escape characters inserted in the TXT record.

This occurs in every version of BIND that I have tried, from 9.7 up to 9.10.

Primary test zone record:

_dmarc.. IN TXT "v=DMARC1; p=reject; rua=root@dns-test-1.; aspf=s; 
rf=afrf; sp=reject"

Slave test zone record:

_dmarc  TXT "v=DMARC1\; p=reject\; 
rua=root@dns-test-1.\; aspf=s\; rf=afrf\; sp=reject"



http://www.dmarc.org/faq.html#s_12 has some information on what is 
happening here.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


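Added example, not BIND's code or the poster's: a decoder for the master-file presentation of TXT rdata, showing why the secondary's "\;" spelling is the same record as the primary's. BIND escapes ";" when it writes text out because ";" starts a comment in master-file syntax; on the wire the bytes are identical. The code splits the quoted strings, decodes the RFC 1035 section 5.1 escapes ("\X" and "\DDD"), joins them and parses the DMARC tag list. The two records below are constructed for example.com, not the poster's zone.

```python
"""Master-file TXT decoding and DMARC tag parsing.  Added example, not BIND's
or the poster's code.  PRIMARY and SECONDARY are constructed spellings of
the same _dmarc record: the secondary's '\\;' is an output escape, not data."""
from typing import Dict, List


def split_strings(rdata: str) -> List[str]:
    """Split TXT rdata like  "abc" "d\\"ef"  into its quoted strings, escapes kept."""
    strings, i, n = [], 0, len(rdata)
    while i < n:
        if rdata[i].isspace():
            i += 1
            continue
        if rdata[i] != '"':
            raise ValueError(f"expected opening quote at offset {i}")
        j, buf = i + 1, []
        while j < n and rdata[j] != '"':
            if rdata[j] == "\\" and j + 1 < n:   # keep backslash and escaped char together
                buf.append(rdata[j:j + 2])
                j += 2
            else:
                buf.append(rdata[j])
                j += 1
        if j >= n:
            raise ValueError("unterminated character-string")
        strings.append("".join(buf))
        i = j + 1
    return strings


def unescape(s: str) -> str:
    """Decode one character-string: \\DDD is a decimal octet, \\X is the literal X."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i])
            i += 1
            continue
        digits = s[i + 1:i + 4]
        if len(digits) == 3 and digits.isdigit():
            out.append(chr(int(digits)))
            i += 4
        elif i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            raise ValueError("dangling backslash")
    text = "".join(out)
    if len(text) > 255:                        # one character per octet in this model
        raise ValueError("character-string longer than 255 octets")
    return text


def txt_value(rdata: str) -> str:
    """The record's logical text: every string decoded and concatenated."""
    return "".join(unescape(part) for part in split_strings(rdata))


def parse_dmarc(rdata: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tag=value pairs; v=DMARC1 must come first."""
    tags: Dict[str, str] = {}
    for field in txt_value(rdata).split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag {field!r}")
        key, _, value = field.partition("=")
        tags[key.strip()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC1 record (v=DMARC1 must be the first tag)")
    return tags


# Constructed: the record as the primary's zone file has it, and as the
# secondary dumps it after a transfer.  Same wire bytes, two spellings.
PRIMARY = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=s; rf=afrf; sp=reject"'
SECONDARY = r'"v=DMARC1\; p=reject\; rua=mailto:dmarc@example.com\; aspf=s\; rf=afrf\; sp=reject"'

if __name__ == "__main__":
    print(txt_value(PRIMARY) == txt_value(SECONDARY))   # True
    print(parse_dmarc(SECONDARY))
```

Compare records at this decoded level, or with dig, rather than by diffing zone-file text; a checker that string-compares presentation formats will report a mismatch that does not exist.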


Re: do not stupidly delete ZSK files

2015-08-06 Thread Dave Warren

On 2015-08-06 17:26, Heiko Richter wrote:

Root is signed with RSASHA256 at the moment. There is no sense in
having a more secure algorithm because anybody who can't crack that
algorithm may just attack the weakest link in the chain above you.


This only holds while assuming similar key rotation schemes, I believe? 
If the roots are signed with RSASHA256 and rotate every 3 months, while 
you sign, set it and forget it, you're vulnerable to anyone that can 
crack RSASHA256 over any period of time.


Probably a theoretical difference, if it becomes feasible for someone to 
crack RSASHA256 in any reasonable level of time, it would be equally 
feasible to invest in 2x-8x the hardware and start breaking roots in 
under 3 months.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Version Number

2015-08-24 Thread Dave Warren

On 2015-08-24 12:45, Reindl Harald wrote:


Am 24.08.2015 um 21:41 schrieb HARRIS, RAYMOND D:

When I query the server for version I get back “version: 9.9.7S5”

The isc.org website lists the most current version as “9.9.7-P2”

How do I interpret these numbers to ensure I have implemented the most
current version?


besides that a securely configured server would never respond to such 
a query (options { version "."; }), distributions typically have patches, 
and in case of self-built software use packaging to query the rpm / 
deb database


DNS servers under my control return some variation on "4.9.4-P1", with a 
possible reference to Win98SE for some roles (depending on which system 
manages their configuration), just in case anyone looks. Nobody seems to 
care.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Help DNS

2015-08-24 Thread Dave Warren

On 2015-08-24 03:57, Daniel Ryslink wrote:
As for the SERIAL in SOA, it's just a good practice, it gives you the 
information about when the zone was published, and creates less 
problems when you transfer hosting of the domain to another 
nameserver. Basically yes, it's just a number, but there is no real 
good reason not to use the recommended format. 


For me, the reason is that I don't track the serial number when 
generating zones. I don't have any need to track revision counts or 
dates for any other purpose, so I don't; I just generate a number which 
is guaranteed to be higher than any previous number based on the current 
time.


As a nod to poorly written DNS validation tools that tossed errors 
rather than warnings, I do start my numbers with YYYY.


Currently this limits me to around 2 updates a minute with the serial 
creation algorithm I'm using, but that's good enough for our typical 
customer, and we can offer dynamic zones to customers that need it. I 
don't think we have any of those left anymore.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


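Added example, not the poster's generator: a Python sketch of the time-derived serial described in this message (YYYY followed by six digits), together with the RFC 1982 comparison a secondary applies before it accepts a NOTIFY or transfers, and a replay of the DC1/DC2 serial sequence from the Multi-master messages above. The exact formula is an assumption chosen to reproduce the stated properties: non-decreasing, date-prefixed, and at most about two distinct values a minute (six digits over one year is one tick every 31.6 seconds). next_serial() is a small addition that keeps the serial moving when two pushes land in the same tick.

```python
"""SOA serials: a time-derived YYYY+six-digit scheme and RFC 1982 comparison.
Added example, not the poster's code; the formula in time_serial() is an
assumption that reproduces the properties described in the thread."""
from datetime import datetime, timezone
from typing import List, Optional

SERIAL_MOD = 2 ** 32
HALF_RANGE = 2 ** 31


def time_serial(now: datetime) -> int:
    """YYYY followed by the elapsed fraction of the year scaled to 000000..999999.

    One tick is a year / 1e6, about 31.6 seconds: hence 'about two updates a
    minute'.  Assumed formula, not necessarily the poster's exact one."""
    now = now.astimezone(timezone.utc)
    start = datetime(now.year, 1, 1, tzinfo=timezone.utc)
    end = datetime(now.year + 1, 1, 1, tzinfo=timezone.utc)
    fraction = (now - start) / (end - start)
    return now.year * 1_000_000 + int(fraction * 1_000_000)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a newer than serial b?  Correct across the 2**32 wrap."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a > b and a - b < HALF_RANGE) or (a < b and b - a > HALF_RANGE)


def next_serial(previous: Optional[int], now: datetime) -> int:
    """Time-derived serial that still increments when two pushes share one tick."""
    candidate = time_serial(now)
    if previous is not None and not serial_gt(candidate, previous):
        candidate = (previous + 1) % SERIAL_MOD
    return candidate


def secondary_replay(local: int, announced: List[int]) -> List[str]:
    """What a secondary does with a sequence of serials seen via NOTIFY/SOA checks."""
    log = []
    for remote in announced:
        if serial_gt(remote, local):
            log.append(f"serial {remote} > {local}: transfer")
            local = remote
        else:
            log.append(f"serial {remote} <= {local}: ignore (logged as a warning)")
    return log


if __name__ == "__main__":
    print(time_serial(datetime(2012, 1, 1, tzinfo=timezone.utc)))   # 2012000000
    # DC1 went 100 -> 102, DC2 went 100 -> 105, AD merged to 106; a BIND
    # secondary pointed at both masters sees the serial go backwards once.
    for line in secondary_replay(100, [101, 102, 101, 106]):
        print(line)
```

The replay shows why slaving off two AD masters only produces log noise rather than a broken zone: the out-of-order 101 is simply ignored, and the merged 106 is picked up as soon as one master announces it.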


Re: DNS Negative Caching

2015-08-28 Thread Dave Warren

On 2015-08-28 14:15, Darcy Kevin (FCA) wrote:

As you pointed out (correctly), this isn't an issue which affects anything that goes "on the 
wire", e.g. master-slave replication via AXFR/IXFR, since, "on the wire" the TTL is 
always included with the RR. It's only an issue for how the zone files are managed on the master.

My opinion: named on the master should reject illegal zone files.


Agreed. Could you please cite where in RFC 2308 $TTL is a MUST, or even 
a SHOULD? Or was this made mandatory elsewhere?


RFC 2308 is clear on what should happen after a $TTL directive, but 
seems silent on how to handle resource records prior to, or in the 
absence of a $TTL directive, but it does note that the "minimum TTL" 
field has traditionally had three uses:


First: as a minimum. Result? "is hereby deprecated"

Second: Result? No change in status.

Third: "The remaining of the current meanings, of being the TTL to be 
used for negative responses, is the new defined meaning of the SOA 
minimum field." -- This almost goes far enough to deprecate the second, 
but given the explicit language deprecating the first, I would think 
that the author would have used similar language had they intended to 
deprecate the second.


The closest we get is section 4, "Where a server does not require RRs to 
include the TTL value explicitly, it should provide a mechanism, not 
being the value of the MINIMUM field of the SOA record, from which the 
missing TTL values are obtained."


That's a "should" (not even a "SHOULD"), but in the absence of this 
specified minimum (either by lack of implementation, or lack of 
configuration), the SOA MINIMUM field would seem to be better than 
failing outright.




It's perhaps only an issue for some homebrew zonefile-creation scripts that were written 
a long time ago, and where the administrators have been systematically ignoring the 
"no TTL specified; using SOA MINTTL instead" errors in their logs, every time 
named loads or reloads the zones.


I'm not suggesting I'm going to start writing or recommending zone files 
without a $TTL directive, or that this is even a big deal in the real 
world, but I'm struggling to find a case where the absence of a $TTL 
directive would result in a zone file being illegal, and so falling back 
on the SOA's "minimum" field would seem to be a more sane choice than 
making one up or refusing the zone, if only as a nod to the legacy use 
of this field.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


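Added example, not BIND's loader: a minimal master-file parser that resolves TTLs the way the exchange above lays out. An explicit TTL on the record wins; otherwise the current $TTL directive applies (RFC 2308 section 4); otherwise the SOA MINIMUM is used with a warning, which is the legacy behaviour BIND logs as "no TTL specified; using SOA MINTTL instead", or the zone is rejected when strict mode is on, which is the position Kevin argues for. It handles single-line records and the $TTL and $ORIGIN directives only; the sample zone is constructed.

```python
"""TTL resolution for a master file: explicit TTL, else $TTL, else SOA MINIMUM
with a warning (or rejection in strict mode).  Added example, not BIND's
code: single-line records, $TTL and $ORIGIN only; the sample is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RR:
    owner: str
    ttl: int
    rrtype: str
    rdata: str


class ZoneError(Exception):
    pass


def _qualify(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def load_zone(text: str, origin: str, strict: bool = False) -> Tuple[List[RR], List[str]]:
    """Parse a master file; return (records, warnings) or raise ZoneError."""
    origin = origin.rstrip(".") + "."
    default_ttl: Optional[int] = None      # set by $TTL, applies to later records
    soa_minimum: Optional[int] = None
    last_owner: Optional[str] = None
    pending: List[Tuple[str, Optional[int], str, str, int]] = []
    warnings: List[str] = []

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if line[0].isspace():                  # leading blank: previous owner repeats
            if last_owner is None:
                raise ZoneError(f"line {lineno}: record without owner")
            owner = last_owner
        else:
            owner = _qualify(tokens.pop(0), origin)
            last_owner = owner
        ttl = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        if not tokens:
            raise ZoneError(f"line {lineno}: missing RR type")
        rrtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rrtype == "SOA":
            soa_minimum = int(tokens[-1])      # MINIMUM is the last SOA field
        # None here means: no TTL on the record and no $TTL seen yet.
        pending.append((owner, ttl if ttl is not None else default_ttl, rrtype, rdata, lineno))

    records: List[RR] = []
    for owner, ttl, rrtype, rdata, lineno in pending:
        if ttl is None:
            if strict:
                raise ZoneError(f"line {lineno}: no TTL and no $TTL directive")
            if soa_minimum is None:
                raise ZoneError(f"line {lineno}: no TTL, no $TTL and no SOA to fall back on")
            warnings.append(f"line {lineno}: no TTL specified; using SOA MINIMUM {soa_minimum}")
            ttl = soa_minimum
        records.append(RR(owner, ttl, rrtype, rdata))
    return records, warnings


# Constructed sample: deliberately has no $TTL directive.
SAMPLE_ZONE = """\
@       IN SOA ns1 hostmaster 2015082801 7200 900 1209600 3600
        IN NS  ns1
ns1     IN A   192.0.2.1
www 600 IN A   192.0.2.80
"""

if __name__ == "__main__":
    for text in (SAMPLE_ZONE, "$TTL 86400\n" + SAMPLE_ZONE):
        recs, warns = load_zone(text, "example.com")
        print([(r.owner, r.ttl, r.rrtype) for r in recs], warns)
```

Run against the sample, the lenient path gives the SOA, NS and ns1 records a 3600 TTL from the SOA MINIMUM and warns three times, while www keeps its explicit 600; prepend "$TTL 86400" and the warnings vanish. Treating the warnings as a build failure in whatever generates your zones is the cheap way to get Kevin's outcome without waiting for named to change.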


Re: How are DNS Records added dynamically in DNS Servers?

2015-09-08 Thread Dave Warren

On 2015-09-08 11:53, Robert Edmonds wrote:

Mark Andrews wrote:

Because outlook.com's nameservers are not EDNS compliant which
breaks anyone attempting to use EDNS extensions unless they hack
around this.

Some of their nameservers are not even compliant with RFC 2181 §5.2.

;; QUESTION SECTION:
;outlook.com.   IN  NS

;; ANSWER SECTION:
outlook.com.172800  IN  NS  ns1a.o365filtering.com.
outlook.com.300 IN  NS  ns4a.o365filtering.com.
outlook.com.300 IN  NS  ns2a.o365filtering.com.
outlook.com.172800  IN  NS  ns2.msft.net.
outlook.com.172800  IN  NS  ns4.msft.net.
outlook.com.172800  IN  NS  ns1.msft.net.
outlook.com.172800  IN  NS  ns3.msft.net.


Also interesting, although not necessarily relevant, but there are at 
least three different serial numbers being returned by those various 
servers, with different TTLs on the NS records depending on which server 
you query.


I wonder if they're in the process of updating and the records only 
partially updated? Odd that it was served at all though.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Adding DNS ALG support to Bind?

2015-11-02 Thread Dave Warren

On 2015-11-02 15:03, Carl Byington wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:

>What I would like to do to have the ability to query a DNS server
>located behind a NAT, and have it return the IP of the NAT, and setup
>connection tracking in the NAT to pass traffic thru to the host behind
>the NAT.

I think that is a bad idea, even if you can get it implemented and
working.

If I know the names of your hosts (they will eventually be found via
google or other searches), then I can remotely reconfigure your NAT
device to allow my attack traffic thru - and all it takes is a simple
UDP query to your dns server.


And? NAT != firewall. Your firewall would still need to be configured to 
permit such a connection, and presumably your NAT environment would need 
to be configured to allow it as well.


If that's not desired, one would probably not enable this functionality.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: root hints operation

2015-11-17 Thread Dave Warren

On 2015-11-16 18:09, Grant Taylor wrote:
It's my understanding that ALL of the root servers would have to 
change all of their addresses at the same time for DNS to be impacted. 


Or, the IP formerly used as a root server could turn malicious and start 
offering an alternate response. This would only impact resolvers that 
had outdated root hints, and also happened to try that particular IP 
first, but it's at least a theoretical risk.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: root hints operation

2015-11-17 Thread Dave Warren

On 2015-11-17 14:13, Mark Andrews wrote:

In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:

On 2015-11-16 18:09, Grant Taylor wrote:

It's my understanding that ALL of the root servers would have to
change all of their addresses at the same time for DNS to be impacted.

Or, the IP formerly used as a root server could turn malicious and start
offering an alternate response. This would only impact resolvers that
had outdated root hints, and also happened to try that particular IP
first, but it's at least a theoretical risk.

Which is why those addresses get held back from reassignment.  It is a
known risk that is mitigated.


Understood and agreed, there's little real-world risk, but it's 
important to understand that this risk is mitigated by policy, not by 
technology.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Overriding a single record with dynamic-dns

2016-01-29 Thread Dave Warren

On 2016-01-21 08:27, gnafou wrote:

Hello

I have a zone myzone.com where dynamic dns is active ( dhcp updates 
continuously the dns )


I need to respond differently for MX requests  such as :

MX for "internal"   queries  ismxinternal.myzone.com
MX for "internet"  queries   is   mxexternal.myzone.com



I cannot find out how to setup bind to achieve this  while keeping the 
dynamic dns in operation




Maybe I'm missing something, but for this specific example, wouldn't it 
be simpler to use an MX of "magicmx.myzone.com.", and have 
magicmx.myzone.com. in a separate zone entirely, allowing you to use 
views for that one zone?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Re: frequent queries to root servers

2016-01-29 Thread Dave Warren

On 2016-01-29 18:45, Grant Taylor wrote:

On 01/26/2016 04:46 PM, Reindl Harald wrote:

violating what?


Chaining CNAMEs is a violation according to RFCs.

It works, but it is unsupported, and you can only blame yourself when 
it doesn't.


Maybe I'm misremembering RFC 1034, but a CNAME chain only violates a 
"should", and later in that RFC it says that software "should not" fail 
to handle chains, so even if you take a "should" as gospel, the "should 
not" should be equally gospel, making CNAME chains supported (although 
not advised.)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Tuning for lots of SERVFAIL responses

2016-02-18 Thread Dave Warren

On 2016-02-18 14:06, Mark Andrews wrote:

For some reason people are afraid to slave internal zones.  Back
when I was working for CSIRO I used to slave all the internal zones
for all of the sites the division had.  Each site administered its
own zones but all sites slaved all of them.  That way local and
inter site lookups always succeeded even when the external links
were down.


While I avidly prefer slaving internal zones, it becomes one more thing 
to maintain, monitor and support, and for every failure point they 
eliminate, the zone transfers themselves become a failure point and 
maintenance task.


I've had issues with Microsoft DNS in particular (when fully integrated 
with Active Directory) periodically losing the list of IPs allowed to 
request zone transfers, although I think it was Server 2008 (pre R2) 
when this last happened. Similarly, if you frequently add and remove 
zones, you've now created an extra task to add the zone to all internal 
resolvers, rather than just using NS records and letting DNS do what it 
does best and recursively resolve. This too can be automated, obviously.


The tipping point for me is that by slaving my internal zones, I can 
effectively do instant DNS updates during normal operations rather than 
having internal resolvers maintain their own cache -- This alone makes 
it worthwhile to slave all of my zones everywhere possible.


Still, if you're not big enough to automate everything, I can see the 
advantage in having your resolvers be as ignorant about internal 
infrastructure as possible.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Tuning for lots of SERVFAIL responses

2016-02-19 Thread Dave Warren

On 2016-02-18 18:19, John Miller wrote:

Something I just thought of: how did you manage your NS records in
this situation?  To get NOTIFY/IXFR to work properly, either you have
to list every one of your recursive servers in your local NS records
or you have to do an also-notify block on the master.  Or you just
skip the NOTIFY/IXFR altogether and set very low refresh values on
your zones!  How did you handle standing up/taking down servers
quickly?


At one site we had a script that builds the list of IPs for the 
also-notify block and allow-transfer block dynamically, and for 
deploying a new recursive server we run a script that downloads an 
appropriate named.conf and registers with the aforementioned script to 
subscribe to notifications.


It also re-downloads the named.conf (and re-registers for notifies) via 
cron, so the master script refreshes the list of slaves. At least at the 
start, we didn't actually track timestamps or anything fancy, we should, 
but it never got implemented, instead we just dumped the whole list once 
in a while and recursive/slave servers got to wait an hour until their 
cron ran before they got notifies, in the mean time, the short refresh 
value took care of it.


It's not perfect, it could be better, but it worked with a minimum of 
hassle.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-18 Thread Dave Warren

On 2016-03-18 01:46, Ron wrote:


On Fri, Mar 18, 2016 at 12:12 AM, G.W. Haywood wrote:


Hi there,

On Thu, 17 Mar 2016, Ron wrote:

... in this case it's a supplier who is unable to keep his
DNS servers
working, and we just want to keep the connectivity.


I'd just put something in /etc/hosts and send myself an email every
month or so to remind me I'd done that.



This is what we're currently using, but it has the downside of not 
picking up ip address changes.


If you want to reinvent caching, why not go a step further, periodically 
query the records and build a local /etc/hosts


I've done this in a couple places where I need certain records to work 
even if DNS is broken. For example, it's just not worth having a NFS or 
Gluster filesystem mount fail because DNS happens to be down. If DNS is 
down, I'm probably already mid-panic, I don't need to worry about 
whether or not remote file systems will come back up if I need to reboot a 
thing.


My current logic is that I do a SOA query and check the serial number, 
if it has changed, I query every needed hostname into a temp file, and 
if every single query was successful, check the SOA again, and if it 
still matches, update the /etc/hosts. If anything goes wrong (including 
a mismatch between the SOA), dump the temp file and try again.


Slaving the zones would be better, but some machines have a resolver 
already, sometimes with unique configuration that I couldn't bulldoze 
(and I'm too lazy to manually review the configuration of every machine) 
and sometimes the local resolver was Unbound, and also the master DNS 
server doesn't have a list of every machine that needs a NOTIFY, or a 
way to keep that list up to date. It was just faster to code up a sloppy 
/etc/hosts script to update a handful of critical records. Lame reasons, 
but it works well enough and hasn't blown up in my face yet.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

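The SOA / all-names / SOA-again dance described above, written out as an added example (it is not Dave Warren's script). The two DNS lookups are injected as callables so the code runs offline here; in production they would wrap dnspython's dns.resolver or parse dig output. The zone name, hostnames, addresses and the "dns-pin" marker comments are all constructed for illustration.

```python
"""Pin critical hostnames into an /etc/hosts-style file only when a
consistent snapshot of the zone is obtained (SOA, all names, SOA again).

Added example for this thread; it is not Dave Warren's script. The two
lookups are injected as callables so it runs offline here; in production
they would wrap dnspython's dns.resolver or parse dig output. The zone,
names and addresses below are constructed.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

SoaLookup = Callable[[str], Optional[int]]         # zone -> serial, None on failure
AddrLookup = Callable[[str], Optional[List[str]]]  # name -> addresses, None/[] on failure

BEGIN = "# BEGIN dns-pin"
END = "# END dns-pin"

Snapshot = Tuple[Optional[int], Optional[Dict[str, List[str]]]]


def snapshot_zone(zone: str, names: Iterable[str], last_serial: Optional[int],
                  soa: SoaLookup, addr: AddrLookup) -> Snapshot:
    """Return (serial, {name: addrs}); the dict is None when nothing should change.

    Any failure, or a serial that differs between the two SOA checks,
    discards the whole batch so a half-updated zone is never pinned.
    """
    serial_before = soa(zone)
    if serial_before is None:
        return last_serial, None          # zone unreachable: keep the old pins
    if serial_before == last_serial:
        return last_serial, None          # unchanged since the last run
    batch: Dict[str, List[str]] = {}
    for name in names:
        addrs = addr(name)
        if not addrs:                     # one miss poisons the batch
            return last_serial, None
        batch[name] = sorted(addrs)
    if soa(zone) != serial_before:        # zone changed mid-snapshot: try again later
        return last_serial, None
    return serial_before, batch


def render_hosts(existing: str, batch: Dict[str, List[str]]) -> str:
    """Replace only the managed block of an /etc/hosts text; leave the rest untouched."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    block = [f"{ip} {name}" for name, ips in sorted(batch.items()) for ip in ips]
    return "\n".join(lines + [BEGIN] + block + [END]) + "\n"


# Constructed offline stand-in for the real zone.
FAKE_SERIAL = 2016031801
FAKE_ADDRS = {
    "nfs.example.test": ["192.0.2.10"],
    "gluster1.example.test": ["192.0.2.22", "192.0.2.21"],
}


def fake_soa(zone: str) -> Optional[int]:
    return FAKE_SERIAL if zone == "example.test" else None


def fake_addr(name: str) -> Optional[List[str]]:
    return FAKE_ADDRS.get(name)


def flapping_soa_factory(start: int) -> SoaLookup:
    """Constructed failure case: the serial bumps on every call, as if the
    zone were being edited while we take the snapshot."""
    counter = {"serial": start}

    def soa(zone: str) -> Optional[int]:
        counter["serial"] += 1
        return counter["serial"]

    return soa


if __name__ == "__main__":
    serial, batch = snapshot_zone("example.test", FAKE_ADDRS, None, fake_soa, fake_addr)
    if batch:
        print(f"serial {serial}\n" + render_hosts("127.0.0.1 localhost\n", batch))
```

Run it from cron with the previous serial persisted to a state file; the managed block keeps hand-edited entries in /etc/hosts intact, and the double SOA check is what keeps a zone edit that lands between two lookups from being pinned as a mixed snapshot.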

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-21 Thread Dave Warren

On 2016-03-19 19:03, Barry Margolin wrote:

Dave Warren wrote:


My current logic is that I do a SOA query and check the serial number,
if it has changed, I query every needed hostname into a temp file, and
if every single query was successful, check the SOA again, and if it
still matches, update the /etc/hosts. If anything goes wrong (including
a mismatch between the SOA), dump the temp file and try again.

That's feasible if you can reconfigure all the client machines to do
this. It's not very scalable if you have a network of machines running
different operating systems, and you'd like to have your central
resolver take care of all the caching.


True enough. I only do this on mission critical systems that cannot go 
down (or more likely, cannot be in a situation where they will fail to 
restart) because DNS happens to be down. Ultimately DNS scales very well 
and its own scaling and caching mechanisms are the best solution most 
of the time, but there are cases where this isn't true, or where you 
need something more persistent than a cache.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Dave Warren

On 2016-03-24 09:46, Ray Bellis wrote:

On 24/03/2016 16:41, Tony Finch wrote:


> When I changed our TTLs from 24h to 1h last year, it didn't have a visible
> effect on authoritative server query load, much to my surprise.

I'm not that surprised - there's definitely not a linear correlation
between the TTL of an RRset and how frequently it's queried.

Unless your TTL is very short, forced expulsion from cache (due to
cache-size limits) would cause many clients to re-query for a record far
more frequently than once-per-TTL.


Has anyone ever done any evaluation on this? For average resolvers, what 
is the longest TTL that has any utility?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Dave Warren

On 2016-03-24 09:50, Barry Margolin wrote:

The problem with this is that when the Office 365 records expire and are
removed from the cache, but the other records have not, the server will
not know that it should re-query for the O365 records. It still has TXT
records in its cache, and it will return them in response to a query.

It won't go back to the authoritative server until ALL the TXT records
expire. During the period between the short TTL and the longest TTL, it
will be as if the short-TTL records don't exist at all.


Or if a caching resolver did make a "note to self" that there are 
missing records that need to be replaced, what would be the point of 
keeping any records with a longer TTL? A resolver would still be sending 
the same queries to refresh the entry with the shortest TTL anyway, so 
it wouldn't reduce the query volume.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


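To make Barry's point concrete, here is an added example (not BIND code, not from the original post) of a toy cache run in two modes: "naive", which expires each record on its own TTL and so produces the window in which only the long-lived records are visible, and "rfc2181", which does what RFC 2181 section 5.2 asks for and stores the whole RRset with the lowest TTL, so the set is either complete or gone. The TXT records and TTLs are constructed.

```python
"""Two ways a cache can treat an RRset whose records carry different TTLs.

Added example for this thread, not BIND code. "naive" expires records one by
one; "rfc2181" follows RFC 2181 section 5.2 and gives the whole RRset the
lowest TTL in the set. Names, rdata and TTLs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    rdata: str
    ttl: int


class RRsetCache:
    def __init__(self, mode: str = "rfc2181") -> None:
        if mode not in ("naive", "rfc2181"):
            raise ValueError(mode)
        self.mode = mode
        # (name, type) -> list of (rdata, absolute expiry time)
        self._store: Dict[Tuple[str, str], List[Tuple[str, int]]] = {}

    def insert(self, name: str, rtype: str, rrset: List[RR], now: int) -> None:
        if self.mode == "rfc2181":
            ttl = min(rr.ttl for rr in rrset)              # one TTL for the whole set
            entries = [(rr.rdata, now + ttl) for rr in rrset]
        else:
            entries = [(rr.rdata, now + rr.ttl) for rr in rrset]
        self._store[(name.lower(), rtype)] = entries

    def lookup(self, name: str, rtype: str, now: int) -> Optional[List[str]]:
        """Return the rdata still valid at `now`, or None on a miss.

        A miss is the only event that sends the resolver back to the
        authoritative server, so it is the only way a short-TTL record can
        reappear once it has expired.
        """
        key = (name.lower(), rtype)
        entries = self._store.get(key)
        if not entries:
            return None
        live = [rdata for rdata, expiry in entries if expiry > now]
        if not live:
            del self._store[key]
            return None
        return live


def visible_over_time(mode: str) -> Dict[int, Optional[List[str]]]:
    """Insert a mixed-TTL TXT RRset at t=0 and sample what a client would see."""
    rrset = [
        RR('"v=spf1 include:_spf.mail.example.test -all"', 300),   # short TTL
        RR('"site-verification=constructed-token"', 3600),          # long TTL
    ]
    cache = RRsetCache(mode)
    cache.insert("example.test", "TXT", rrset, now=0)
    return {t: cache.lookup("example.test", "TXT", t) for t in (0, 299, 301, 3601)}


if __name__ == "__main__":
    for mode in ("naive", "rfc2181"):
        print(mode, visible_over_time(mode))
```

In naive mode the SPF record is simply absent between t=300 and t=3600 while the cache keeps answering from the verification record; in the RFC 2181 mode both records drop out at t=300 and the next query refetches the set. Either way, publishing different TTLs inside one RRset buys nothing.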


Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Dave Warren

On 2016-03-24 15:20, Tony Finch wrote:

Dave Warren  wrote:

On 2016-03-24 09:46, Ray Bellis wrote:

On 24/03/2016 16:41, Tony Finch wrote:


When I changed our TTLs from 24h to 1h last year, it didn't have a visible
effect on authoritative server query load, much to my surprise.

I'm not that surprised - there's definitely not a linear correlation
between the TTL of an RRset and how frequently it's queried.

Unless your TTL is very short, forced expulsion from cache (due to
cache-size limits) would cause many clients to re-query for a record far
more frequently than once-per-TTL.

Has anyone ever done any evaluation on this? For average resolvers, what
is the longest TTL that has any utility?

There was a great paper published 15 years ago describing a study of DNS
cache effectiveness at MIT. http://nms.csail.mit.edu/projects/dns/

It concluded (amongst other things) that NS records (and associated
address records) are really important, but leaf records that users ask for
don't matter so much. (Based on cache hits before TTL expiry, IIRC.)

I don't know of a similar study performed more recently.


The internet was a very different place 15 years ago, in particular, 
this was before every Windows client machine had its own DNS cache 
service and largely before today's connected mobile devices were a thing.


I'm not sure how mobile devices cache, in particular, whether they clear 
their cache when moving between connections or not (although I suspect 
yes, otherwise there would be more issues with split DNS environments).


My gut feeling is that the findings wouldn't be all that different in 
the end anyway.




https://00f.net/2012/05/10/distribution-of-dns-ttls/ is also interesting.


Definitely an interesting read, thanks!

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-25 Thread Dave Warren

On 2016-03-24 18:28, Barry Margolin wrote:

Dave Warren wrote:


On 2016-03-24 15:20, Tony Finch wrote:

Dave Warren  wrote:

On 2016-03-24 09:46, Ray Bellis wrote:

On 24/03/2016 16:41, Tony Finch wrote:


When I changed our TTLs from 24h to 1h last year, it didn't have a
visible
effect on authoritative server query load, much to my surprise.

I'm not that surprised - there's definitely not a linear correlation
between the TTL of an RRset and how frequently it's queried.

Unless your TTL is very short, forced expulsion from cache (due to
cache-size limits) would cause many clients to re-query for a record far
more frequently than once-per-TTL.

Has anyone ever done any evaluation on this? For average resolvers, what
is the longest TTL that has any utility?

There was a great paper published 15 years ago describing a study of DNS
cache effectiveness at MIT. http://nms.csail.mit.edu/projects/dns/

It concluded (amongst other things) that NS records (and associated
address records) are really important, but leaf records that users ask for
don't matter so much. (Based on cache hits before TTL expiry, IIRC.)

I don't know of a similar study performed more recently.

The internet was a very different place 15 years ago, in particular,
this was before every Windows client machine had its own DNS cache
service and largely before today's connected mobile devices were a thing.

But it was also before the widespread use of CDNs (Akamai was founded
only 3 years earlier). These days, the most heavily used web sites use
CDNs, which make heavy use of short TTLs for the leaf CNAME and A
records.



Yeah, that's a factor too.

I'm more interested in the impact from the perspective of an 
authoritative server operator and in some respects sites that use short 
TTLs will increase the odds of my longer-TTL's records staying in the 
cache longer before it gets hit by a cache-size limit, but none of my 
zones are really large enough to do A/B testing.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-25 Thread Dave Warren

On 2016-03-25 07:21, Barry Margolin wrote:

Dave Warren wrote:


I'm more interested in the impact from the perspective of an
authoritative server operator and in some respects sites that use short
TTLs will increase the odds of my longer-TTL's records staying in the
cache longer before it gets hit by a cache-size limit, but none of my
zones are really large enough to do A/B testing.

IMHO, memory is so cheap these days that any server that has to eject
cache entries because of memory limits means the server operator isn't
really trying to do their job well.


If you're running a dedicated public/ISP/massive-corporation resolver, 
sure, this is true. But if your resolver is some random DNS server on a 
small corporate Active Directory and one of dozens of services on a 
$1000 server with 1-50 users, who cares if your DNS cache only carries 5 
minutes, 30 minutes, or 6 hours of cache?


In fact, if your resolver just forwards queries to your ISP, and your 
ISP has dedicated caches, there would be very little measurable 
difference at all. I'm not a fan of forwarding, but many admins set it 
up because it's there without considering whether it's needed or not.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: g.root-servers.net not reachable anymore

2016-04-17 Thread Dave Warren

On 2016-04-14 03:02, 'Stephane Bortzmeyer' wrote:

On Thu, Apr 14, 2016 at 11:55:04AM +0300,
  Daniel Dawalibi  wrote
  a message of 22 lines which said:


Do you think it is better to remove it from named.root?

Certainly not, your resolver removes it automatically from the list of
authoritative servers for the zone.


Also, named will add it right back to the in-memory cache (the one that 
matters) since it will reach out to one of the hints servers to find the 
up to date list of root servers.


The hints file is just a hint of how to find the roots, not an absolute 
list of root servers.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Guidelines for role separations forwarding vs authoritative

2016-07-08 Thread Dave Warren

On 2016-07-07 23:46, Mik J wrote:
I have a bind DNS that is authoritative for many zones and that same 
system is also forwarding.

I plan to split these two functions on two different systems.

Have some of you done this task ? Do you have any guidelines or advice ?

I'm thinking about migrating the forwarding functionality to a new 
system with a new IP.
This will avoid changing the IP of the authoritative server on the DNS 
at a higher level.


Huh. Oddly, I find changing authoritative servers to be quite trivial in 
a well managed network.


1) Bring up the new servers.

2) Update ACLs, firewall rules and scripts/automation as needed, if needed.

3) Update the zonefiles and upstream zone files. If the primary master 
moved, make the old primary master a temporary slave, such that you can 
update slaves at your convenience.


4) Update any remaining monitoring systems, or client-facing resolvers 
that forward, stub, or anything else. Consider why you forward, and 
whether it's useful or you're just doing configuration for the sake of 
configuration.


5) Wait 2-4x the length of the TTL, and/or monitor traffic levels.

6) Pull down the old servers, clean up after them.

Conversely, changing client facing resolver is a constant pain as there 
are always "things" that are hardcoded and not using DHCP, depending on 
the complexity of your environment, possibly thousands of things. Plus 
there are all the terrible DHCP implementations that renew properly, but 
fail to update their local configuration until they're restarted. And 
the users? Some of them hardcode their resolver settings (see #3 above, 
it's a thing they can configure, therefore some do).


But maybe that's just me -- Plus, my authoritative servers are 
relatively simple, other than the master, but renumbering the master 
without any other changes is also moderately trivial as updating the 
slaves can (and is) scripted.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Additional Section - TXT Format?

2016-07-08 Thread Dave Warren

On 2016-07-08 18:34, Jun Xiang X Tee wrote:


Dear all,


  I have a simple question here. Is it possible to have a TXT format 
tuple appearing at the additional section?



  For instance, the original dig query shows:

;; ADDITIONAL SECTION:

ns1.google.com. 271647  IN  A 216.239.32.10
ns2.google.com. 259462  IN  A 216.239.34.10
ns3.google.com. 295152  IN  A 216.239.36.10
ns4.google.com. 254408  IN  A 216.239.38.10


  Is it possible to have something like this:


;; ADDITIONAL SECTION:
ns1.google.com. 271647  IN  TXT "v=spf1 arbitrary info that I wish to add"
ns2.google.com. 259462  IN  TXT "v=spf1 arbitrary info that I wish to add"
ns3.google.com. 295152  IN  TXT "v=spf1 arbitrary info that I wish to add"
ns4.google.com. 254408  IN  TXT "v=spf1 arbitrary info that I wish to add"




Haven't you asked what is essentially the same question over and over 
before? At least, the answer is ultimately the same as you were given 
before:


That's not really consistent with the DNS standards, and will break if 
you have intermediate caching servers. Why? Because of this clause 
from RFC 2181:


Unauthenticated RRs received and cached from the least trustworthy of 
those groupings, that is data from the additional data section, and 
data from the authority section of a non-authoritative answer, should 
not be cached in such a way that they would ever be returned as 
answers to a received query.


It'll also, irrespective of caching, break DNSSEC.


Whatever you're trying to do, this is not the right way to do it; you 
cannot arbitrarily add data to zones that are not under your control.


What are you trying to do? And why?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

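The RFC 2181 clause quoted above is what a resolver's cache enforces, and the following added example (not BIND's cache code, not from the original post) shows the mechanism: response data is ranked by which section it came from and whether the AA bit was set, data from the additional section is never handed out as an answer, and an authoritative answer is never overwritten by lower-ranked data arriving later. The responses are constructed fixtures; a real resolver also applies a bailiwick check, which is omitted here.

```python
"""Rank response data by trustworthiness before it can be served as an answer.

Added example for this thread; it is not BIND's cache code. It condenses the
ordering in RFC 2181 section 5.4.1: additional-section data, and authority
data from a non-authoritative answer, rank lowest and may only steer
resolution; an authoritative answer ranks highest and is never replaced by
lower-ranked data. Responses below are constructed fixtures.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Higher value = more trustworthy (RFC 2181 5.4.1, condensed).
RANK_ADDITIONAL = 1         # additional section of any response
RANK_NONAUTH_AUTHORITY = 1  # authority section, AA bit clear
RANK_NONAUTH_ANSWER = 2     # answer section, AA bit clear
RANK_AUTH_AUTHORITY = 3     # authority section, AA bit set
RANK_AUTH_ANSWER = 4        # answer section, AA bit set
ANSWERABLE_MIN_RANK = RANK_NONAUTH_ANSWER


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    aa: bool                                   # AA bit of the reply
    answer: List[Record] = field(default_factory=list)
    authority: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


class TrustRankedCache:
    def __init__(self) -> None:
        # (name, type) -> (rank, rdata list)
        self._data: Dict[Tuple[str, str], Tuple[int, List[str]]] = {}

    def _offer(self, rec: Record, rank: int) -> None:
        key = (rec.name.lower(), rec.rtype)
        current = self._data.get(key)
        if current is None or rank > current[0]:
            self._data[key] = (rank, [rec.rdata])      # better data replaces worse
        elif rank == current[0] and rec.rdata not in current[1]:
            current[1].append(rec.rdata)               # same rank: merge
        # lower rank than what is already held: silently ignored

    def ingest(self, resp: Response) -> None:
        answer_rank = RANK_AUTH_ANSWER if resp.aa else RANK_NONAUTH_ANSWER
        authority_rank = RANK_AUTH_AUTHORITY if resp.aa else RANK_NONAUTH_AUTHORITY
        for rec in resp.answer:
            self._offer(rec, answer_rank)
        for rec in resp.authority:
            self._offer(rec, authority_rank)
        for rec in resp.additional:
            self._offer(rec, RANK_ADDITIONAL)

    def answer(self, name: str, rtype: str) -> Optional[List[str]]:
        """Data good enough to hand to a client; None forces a real lookup."""
        entry = self._data.get((name.lower(), rtype))
        if entry is None or entry[0] < ANSWERABLE_MIN_RANK:
            return None
        return list(entry[1])

    def hint(self, name: str, rtype: str) -> Optional[List[str]]:
        """Any cached data, usable only to decide which server to ask next."""
        entry = self._data.get((name.lower(), rtype))
        return list(entry[1]) if entry else None


if __name__ == "__main__":
    cache = TrustRankedCache()
    cache.ingest(Response(aa=False,
                          answer=[Record("example.test", "NS", "ns1.example.test.")],
                          additional=[Record("ns1.example.test", "TXT", '"smuggled"')]))
    print("answerable:", cache.answer("ns1.example.test", "TXT"))   # None
    print("hint only :", cache.hint("ns1.example.test", "TXT"))     # ['"smuggled"']
```

This is exactly why a TXT record stuffed into the additional section of someone else's referral goes nowhere: the cache will at most use it internally and will drop it the moment the real owner's authoritative answer arrives.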

Re: getting not authoritative with some notifies - Solved

2016-07-30 Thread Dave Warren

On 2016-07-29 08:21, Matus UHLAR - fantomas wrote:

On 28.07.16 12:13, Paul A wrote:
Now what is everyone using to make sure the zones in named.conf are 
still

pointing to your NS servers? I have a lot of stale DNS zones I want to
remove.


separate authoritative and recursive servers.
bill for having zones in DNS.
or simply wait till customers complain and tell them they should tell you
when they migrated their zones off. 


At what point will a customer complain when they switch authoritative 
servers if the old ones are still online, whether serving current data, 
out of date data, or the zone eventually expires?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: getting not authoritative with some notifies - Solved

2016-07-31 Thread Dave Warren

On 2016-07-31 18:00, Carl Byington wrote:

Which customers will complain?

Consider the case where you have customer A and ex-customer B, and you
still have ex-customer B zones loaded in your master dns servers. The
rest of the world properly sees the (new) zone content for ex-customer
B.

But when your existing customer A tries to send mail to ex-customer B,
it may go to the wrong place or bounce. And that will only happen for
your *other* customers. B thinks everything is ok, since they can
receive mail from gmail, etc.

To properly serve your customers like A, you need to purge B's zones
soon after they move, whether they notify you or not.



Or, separate your resolver and authoritative roles, in which case this 
won't be an issue. One should still monitor for zones for customers who 
have departed, obviously, but it's not likely to cause any operational 
issues.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Need of caching on bind server

2016-08-24 Thread Dave Warren
> I am trying to understand why caching is required on the bind server,
> when the client receiving the responses would be caching based on TTL
> values. 
> 
> So,
> Is caching required on the server, if the client is not able to
> cache such responses? Isn't it an overhead on both the client and server
> systems to cache the same responses at respective ends
> What are the possible Use cases of caching the responses at the Server?
> What if there is a dynamic updates of Records on Server and
> Server still sends the cached Responses? 

Ubiquitous client-side DNS caching on workstations is relatively new in
the grand scheme of things, and shouldn't be assumed to exist. Also,
client side caches may be limited in size, may expire data far sooner
than the TTL, and with mobile devices, may dump their entire cache
frequently (perhaps every time the device jumps between networks).

Beyond that, think about the number of queries a resolver must perform
to visit a website, we first need the roots (hints or cached), then the
authoritative NS for the gTLD, then the NS for the domain, and oops it's
in another gTLD so we look that up, from the root again, etc, all just
to get a CNAME for a CDN in yet another TLD, and now a single call to a
single website has taken 10-15 separate queries just to get the final A
record.

I haven't done actual statistics, but I've yet to see any time when my
resolvers don't have the authoritative servers for COM, NET, INFO, ORG,
CA, and various other TLDs in the cache.

Plus, even if you do assume that clients cache effectively, AND you
ignore the resolver's internal needs, most DNS resolvers serve more than
one user and as such, in a company of a few hundred employees (or an ISP
with a tens or hundreds of thousands), at any one time at least half are
watching cat videos from YouTube, so the cache will help the next 'x'
number of users who all need to know www.youtube.com and it's CDN
services. Most of the internet uses Google Analytics, AdWords,
DoubleClick, has Facebook or Twitter links, Disqus, etc, all of those
are in cache approximately 100% of the time if you have more than a
handful of users.

Or maybe I am completely missing your point?



Re: Forwarding via different external networks

2016-08-27 Thread Dave Warren
On Sat, Aug 27, 2016, at 11:32, Paul Kosinski wrote:
> So my question is, is it possible to configure my forwarding BIND to
> have a primary and *secondary* path for sending out DNS queries? As far
> as I can tell, the "query-source address" option in named.conf only
> allows one outbound interface to be (implicitly) specified, and I don't
> want to leave the outbound interface unspecified as that would defeat
> monitoring and logging on the specific interface. The "forwarders"
> option *does* allow multiple DNS servers to be specified, but that
> doesn't help if the network path is down.
> 
> P.S. I suppose I might try something with policy routing, but that was
> already a nightmare to set up, since I use DSL vs cable based on the
> source and type (e.g. HTTP, SSH) of the traffic rather than the more
> common destination.

Since you're forwarding anyway, why not forward to a pair of public
servers, 8.8.8.8 and 8.8.4.4, or 4.2.2.1 and 4.2.2.2, and then use your
routing table or other technique to route traffic for each destination
IP?

However, since you run BIND, why bother with forwarding queries at all,
I would recommend just resolving without forwarders, in which case BIND
doesn't need any particular connection and whatever else you use to
failover from the primary to the secondary would automatically ensure
BIND resolves too.





Re: Forwarding via different external networks

2016-08-28 Thread Dave Warren
On Sun, Aug 28, 2016, at 19:22, Paul Kosinski wrote:
> "... whatever else you use to failover from the primary to the
> secondary would automatically ensure BIND resolves too."
> 
> That's the root of the problem: there is no automatic failover, and
> providing one is a lot of work. I was hoping there was a simple BIND
> config option so that BIND itself could fail-over the DNS lookups and
> solve the immediate problem.

What is the point of having reliable DNS if your other connectivity
doesn't failover? And/or, can't you just switch your DNS over when you
do the other failover manually?

I run exactly the same configuration here and have been through the ups
and downs of the various methods. They're all terrible. :)







Re: SPF and domain keys

2016-08-28 Thread Dave Warren
The easiest answer is: Whatever you want. Strictly speaking,
alphazulu.com can send mail on behalf of foxtrot.com using a
alphazulu.com DKIM selector, and that's perfectly valid under DKIM.
However, it won't have DMARC alignment, which is becoming more and more
important, so if alignment is relevant, you'll need to use a
foxtrot.com selector.

tl;dr: Use a foxtrot.com selector unless you simply can't.

As for who generates it, it's irrelevant. The sending server will need
the private key, your DNS records will contain the public key, but it
makes no difference if foxtrot.com creates the keys and delivers them to
the appropriate parties, or if alphazulu.com generates a
private key and provides the alphazulu._domainkey.foxtrot.com record to
foxtrot.com.

Remember that you can have as many selectors as you want, don't reuse
them across trust boundaries (in other words, consider that in the
future, foxtrot.com and alphazulu.com may part ways; when that happens,
it's ideal if you can remove the selector from your DNS (after a period
of time, at least a week), such that alphazulu.com cannot continue to
sign mail). It's also ideal if you don't have to update DKIM records
elsewhere in your infrastructure.

I hope at least some of this makes sense, but if not, ask. DKIM and
DMARC are fiddly, and a lot of the DKIM advice out there isn't
entirely complete now that DMARC is on the scene and DMARC builds on
top of DKIM and SPF.


On Sun, Aug 28, 2016, at 16:13, project722 wrote:
> Lets say my domain is foxtrot.com and we have SPF records for the SMTP
> servers on foxtrot.com. Now lets say I have decided I want to allow
> alphazulu.com to send mail as foxtrot.I know how to add alphazulu.com
> to the SPF but If I wanted to also use DomainKeys or DKIM to
> authenticate alphazulu.com would the keys need to be in foxtrots name
> or alphazulu? For example,
> Would I use:
>
> _domainkey.foxtrot.com.  IN TXT  "t=y\; o=~\;"
> xxx._domainkey.foxtrot.com.   IN TXT  "k=rsa\;
> p=xxx
>
> or
>
> _domainkey.alphazulu.com.  IN TXT
> "t=y\; o=~\;"
> xxx._domainkey.alphazulu.com.   IN TXT  "k=rsa\;
> p=xxx
>
> Also,
> 1) Who generates the keys? Foxtrot or Alphazulu?
> 2) Would I need both SPF and keys or would keys alone be enough to
>authenticate the other domain? ( I am in a position where I would
>like to use only keys)
> 3) Which one is better to use in terms of provider checking? For
>example, are providers even checking keys as much as they are SPF?
>
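The alignment point above is easy to get wrong, so here is an added example (not part of the original post) that evaluates the foxtrot.com / alphazulu.com case the way a DMARC verifier would under RFC 7489 section 3.1: the From domain must match the DKIM d= domain, or the SPF-authenticated MAIL FROM domain, exactly in strict mode or at the organizational domain in relaxed mode. The organizational-domain rule is simplified to "last two labels", which is an assumption (real verifiers consult the Public Suffix List), and the DKIM-Signature headers are constructed.

```python
"""DMARC identifier alignment for mail sent by alphazulu.com as foxtrot.com.

Added example for this thread. Implements the alignment rules of RFC 7489
section 3.1 over already-verified DKIM/SPF results; it does not verify
signatures itself. organizational_domain() uses a two-label assumption
instead of the Public Suffix List. Header values are constructed.
"""
from typing import Dict, List, Optional


def organizational_domain(domain: str) -> str:
    """Assumption: last two labels. A PSL lookup belongs here in production."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """mode is 's' (strict, exact match) or 'r' (relaxed, same org domain)."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_result(from_domain: str, dkim_passes: List[str], spf_pass_domain: Optional[str],
                 adkim: str = "r", aspf: str = "r") -> Dict[str, object]:
    """dkim_passes: d= domains of signatures that verified.
    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    DMARC passes when at least one authenticated identifier aligns."""
    dkim_aligned = [d for d in dkim_passes if aligned(from_domain, d, adkim)]
    spf_aligned = aligned(from_domain, spf_pass_domain, aspf)
    return {"pass": bool(dkim_aligned) or spf_aligned,
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned}


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Minimal tag=value parser for a DKIM-Signature header (RFC 6376 3.2)."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())   # drop folding whitespace
    return tags


# Constructed signatures: same signer, two choices of d=/selector.
SIG_ALPHAZULU_DOMAIN = "v=1; a=rsa-sha256; d=alphazulu.com; s=mail2016; h=from:to:subject; bh=c0n; b=str"
SIG_FOXTROT_DOMAIN = "v=1; a=rsa-sha256; d=foxtrot.com; s=alphazulu; h=from:to:subject; bh=c0n; b=str"


if __name__ == "__main__":
    for sig in (SIG_ALPHAZULU_DOMAIN, SIG_FOXTROT_DOMAIN):
        d = parse_dkim_tags(sig)["d"]
        print(d, dmarc_result("foxtrot.com", [d], None))
```

With d=alphazulu.com the signature verifies but does nothing for DMARC; with a selector published under foxtrot.com (alphazulu._domainkey.foxtrot.com, d=foxtrot.com) the same signer produces an aligned pass. SPF can rescue the first case only if the bounce address is also in foxtrot.com.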

Re: Request reverse dns mapping advice

2016-09-05 Thread Dave Warren
On Mon, Sep 5, 2016, at 09:46, John Levine wrote:
> >1.  pick a primary domain from the list of virtual hosts (example2.com)
> >2.  use the "real" host name of the server (juvat.example1.com)
> >3.  the mail server name (mail.example1.com)
> >4.  the dns server name (ns2.example1.com)
> >5.  another domain from the virtual hosts list (example 3.com)
> 
> Publish a PTR with the mail server name, forget about the rest of
> them.  
> 
> On today's Internet, you want your mail server to EHLO with a name
> that has matching forward and reverse DNS with the server's IP.  If
> you don't, you look unnecessarily like a spambot.
> 
> Everyone knows that web servers and DNS servers have multiple names,
> and neither should be sending unsolicited traffic, so matching rDNS
> doesn't matter.

Perhaps I'm old fashioned, but I like to see things done "correctly",
and rDNS is one of those things that shows a competent host who worries
about getting the details right, vs a host who has no technical skills
or knowledge and does the bare minimum. Does it make for an operational
difference? Not really. But it does make it obvious what entity is
responsible for a machine and I feel that that's important.

Personally, I set valid and correct names that identify me (the host) on
machines under my control, whether or not they're intended to make
outbound connections (and web servers do). If an IP is dedicated to a
specific client then I'll consider what makes the most sense, but
generally I do assign the client's rDNS to a dedicated IP.

With that being said, I'd do something like ns2.example.com, or
web.juvat.example.com, or whatever is appropriate within your normal
naming scheme.

> Opinions vary on how well it works to return multiple PTRs.  My
> advice is don't borrow trouble you don't need.

I agree on this point. Even if it works with only a few PTRs (and it
mostly will, as long as each PTR has a matching and valid A/
record), what will happen when you have dozens of domains?

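The "matching forward and reverse DNS" test John Levine describes is forward-confirmed reverse DNS, and the following added example (not from the original post) implements it: resolve the PTR names for the address, resolve each of them forward, and keep only the names that point back. The PTR and address lookups are injected so it runs offline; the two zones below are constructed, including one stale PTR that no longer forward-confirms.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for a mail server address.

Added example for this thread. Lookups are injected callables so the code
runs offline against constructed zones; in production they would wrap
dnspython's dns.resolver (PTR, then A/AAAA). All names and addresses are
constructed.
"""
import ipaddress
from typing import Callable, Dict, List

PtrLookup = Callable[[str], List[str]]     # reverse owner name -> PTR targets ([] if none)
AddrLookup = Callable[[str], List[str]]    # hostname -> A/AAAA addresses ([] if none)


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str, ptr: PtrLookup, addr: AddrLookup) -> Dict[str, object]:
    """Report which PTR names for `ip` resolve forward back to `ip`."""
    canonical = str(ipaddress.ip_address(ip))
    ptr_names = [n.rstrip(".").lower() for n in ptr(reverse_name(canonical))]
    confirmed = []
    for name in ptr_names:
        forward = {str(ipaddress.ip_address(a)) for a in addr(name)}
        if canonical in forward:
            confirmed.append(name)
    return {
        "ptr_names": ptr_names,
        "confirmed": confirmed,
        "ok": bool(confirmed),
        "multiple_ptr": len(ptr_names) > 1,   # works, but invites trouble
    }


def ehlo_matches(ehlo_name: str, ip: str, ptr: PtrLookup, addr: AddrLookup) -> bool:
    """The receiver-side test: EHLO name must be one of the confirmed PTR names."""
    return ehlo_name.rstrip(".").lower() in fcrdns(ip, ptr, addr)["confirmed"]


# Constructed zones standing in for real DNS.
PTR_ZONE = {
    "5.2.0.192.in-addr.arpa": ["mail.example1.test."],
    "6.2.0.192.in-addr.arpa": ["juvat.example1.test.", "www.example2.test."],
}
FWD_ZONE = {
    "mail.example1.test": ["192.0.2.5"],
    "juvat.example1.test": ["192.0.2.6"],
    "www.example2.test": ["192.0.2.7"],      # stale PTR: forward no longer matches
}


def fake_ptr(owner: str) -> List[str]:
    return PTR_ZONE.get(owner, [])


def fake_addr(name: str) -> List[str]:
    return FWD_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.6", "192.0.2.9"):
        print(ip, fcrdns(ip, fake_ptr, fake_addr))
```

The 192.0.2.6 case shows why multiple PTRs are "borrowed trouble": the moment one of the web names moves to another address, that PTR silently stops forward-confirming, and which name a receiver happens to pick first decides whether the mail looks legitimate.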


Re: Request reverse dns mapping advice

2016-09-07 Thread Dave Warren

On 2016-09-06 08:01, Bob Harold wrote:

I agree with one PTR per IP.  But since you have 5 IP's, you can have
one PTR record on each, just be sure there is a matching forward "A"
record.  Your list of 5 names looks good, but only if each service uses
the corresponding IP for its outgoing connections, which could be
difficult or not the most efficient.  (What is missing here is why 5
IP's - parallel for more traffic, connections to different Internet
providers, ...?)


It sounds to me like the provider assigned a /29, and speaking as a 
small host, distributing the traffic to different IPs often makes life 
easier in the short and long term.


It could be a matter of separating outbound traffic (separating email 
streams is wise, for example), for firewalling efficiency, they might 
have separate virtual machines answering each IP, HTTP optimization is a 
factor too in a pre-HTTP/2 world.


Tons of other possible reasons, none of which are really relevant to the 
best practices involved with PTR record naming.





Re: srv lookup in record

2020-08-21 Thread Dave Warren

On 2020-08-21 16:26, Marc Roos wrote:

Is it possible to use srv lookups, like eg cname. I do not want to
create SRV record, I just want to 'get' the ip addresses, that I would
get vai srv lookup.


I don't think so, nor does it seem to make sense to me that you would 
want such a thing (in the general case, you may have a use-case).


SRV records are more than just pointers to a specific server, there is 
also the priority and weight that need to be considered at the 
application level.


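Since the reply above says priority and weight have to be handled at the application level, here is an added example (not from the original post, not BIND code) of what that handling looks like under RFC 2782: try the lowest priority first, choose within a priority by weighted random selection with zero-weight records given only a minimal chance, and fall through to the next priority only when every target in the current one has failed. The SRV records are constructed and the random source is injected so the behaviour is reproducible.

```python
"""RFC 2782 SRV target selection with priority fall-through.

Added example for this thread, not BIND code. SRV records below are
constructed; the random generator is injected for reproducibility.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def make_rng(seed: int) -> random.Random:
    return random.Random(seed)


def pick_weighted(group: List[SRV], rng: random.Random) -> SRV:
    """Pick one record from a single-priority group, proportional to weight.

    RFC 2782: order the group with weight-0 records first, draw a number in
    [0, total weight], and take the first record whose running sum is >= it.
    A weight-0 record therefore only wins when the draw is exactly 0.
    """
    ordered = sorted(group, key=lambda s: s.weight != 0)   # zero weights first, stable
    total = sum(s.weight for s in ordered)
    draw = rng.randint(0, total)
    running = 0
    for rec in ordered:
        running += rec.weight
        if running >= draw:
            return rec
    return ordered[-1]                                     # unreachable, keeps types honest


def srv_order(records: List[SRV], rng: Optional[random.Random] = None) -> Iterator[Tuple[str, int]]:
    """Yield (target, port) in the order a client should attempt them."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SRV]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    for prio in sorted(by_priority):                       # lowest priority value first
        group = list(by_priority[prio])
        while group:                                       # exhaust a priority before moving on
            chosen = pick_weighted(group, rng)
            group.remove(chosen)
            yield chosen.target, chosen.port


def connect_with_failover(records: List[SRV], try_connect: Callable[[str, int], bool],
                          rng: Optional[random.Random] = None) -> Optional[Tuple[str, int]]:
    """Walk the SRV order until a target accepts; None if all fail."""
    for target, port in srv_order(records, rng):
        if try_connect(target, port):
            return target, port
    return None


# Constructed SRV set: two weighted primaries, one zero-weight primary, one backup.
RECORDS = [
    SRV(10, 60, 5060, "big.example.test"),
    SRV(10, 20, 5060, "small.example.test"),
    SRV(10, 0, 5060, "last-resort.example.test"),
    SRV(20, 0, 5060, "backup.example.test"),
]


if __name__ == "__main__":
    print(list(srv_order(RECORDS, make_rng(1))))
    print(connect_with_failover(RECORDS, lambda host, port: host == "backup.example.test", make_rng(2)))
```

A CNAME-style "just give me the addresses" lookup would throw all of this away, which is the point of the reply above: the record only means something once the client applies the ordering.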


Re: getting answers from DNS queries

2022-05-03 Thread Dave Warren

On 2022-05-03 06:31, Gaurav Kansal wrote:

Yup. But if the DNS infra is under my control, then definitely the keys (which 
i have used for encryption) will also be with me. Am i missing something here ? 
🧐


I'll see your privacy keys and raise you Perfect Forward Secrecy. 
Although I'm not really sure if PFS is implemented anywhere in the DNS 
world at this point, except possibly DoH.



Re: Supporting LOC RR's

2022-05-03 Thread Dave Warren

On 2022-05-02 18:01, Timothe Litt wrote:
> Still, overall DNS seems to generate more problems than fun, so if LOC
> provides amusement, it's a good thing.


I know one of my users found them quite amusing. I can't recall what 
location they picked or why, but it had some sort of personal 
significance (and wasn't privacy invasive).


I've always wondered if there was a real-world use case.



Re: The DDOS attack on DYN & RRL ?

2016-11-03 Thread Dave Warren
On Tue, Nov 1, 2016, at 07:45, Ben Croswell wrote:
> The other option being having a master owned by your company and then
> setting both external providers to secondary from your master. You get to
> maintain control over data and have diversity.



I use this approach here, it's proven to be very robust. Not only is the
internal master well hidden to all but the secondaries, but if it does
get directly targeted by a DDoS it won't impact your slaves at all.
Obviously if your company is the target there probably isn't much you
can do unless you have a very substantial anti-DDoS budget, but in the
case of a DNS neighbour being the target, diversifying your DNS across
2-3 larger providers will ensure that you stay up.

Re: Unable to slave root zones

2017-04-07 Thread Dave Warren
On Fri, Apr 7, 2017, at 08:22, Thomas Leuxner wrote:
> * Mark Knight  2017.04.07 16:36:
> 
> > masters {
> > 192.5.5.241;// F.ROOT-SERVERS.NET.
> > };
> 
> Hi Mark,
> 
> I had the same issue basically. Tracing the zone transfers with dig it
> turned out they worked for IPv6, but no longer work for IPv4.
> So I ended up with this:
> 
> masters { 2001:500:2f::f; }; // @f.root-servers.net

Why wouldn't you just use the ICANN's authorized zone transfer servers?

http://www.dns.icann.org/services/axfr/



Re: Email & PTR Issues [Solved]

2017-11-09 Thread Dave Warren

On 2017-11-07 13:09, John Levine wrote:

> In article  you write:
>
> > I have issues emailing to certain domains. I use my own mail
> > server to deliver mail. It is currently not sending through SMTP
> > Relay. The failure says that I have a missing PTR record. For example:
>
> I'm amazed that it works at all.  Like most ISPs, AT&T usually blocks
> port 25 on their consumer broadband.
>
> If you want to run your own mail server, get a VPS somewhere.  They're cheap,
> like $5/mo or less if you pay by the year.  If you just want your mail to work,
> get it hosted somewhere.


Or purchase smarthost service and relay outbound mail through said 
service. This gives you the advantages of hosting locally without the 
deliverability issues of doing the same.






Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Dave Warren

On 2018-02-28 10:57, G.W. Haywood via bind-users wrote:

> Hi there,
>
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>
> > Good morning, I'm trying to make it more difficult for an attacker to
> > get my DNS server version.
>
> Waste of time.  The attacks are automated, and will be mounted anyway.



Indeed. At least one of my legacy servers returns "4.9.4-P1-Would you 
believe Win98SE?", which was an in-joke at the time but I like it well 
enough that it is still here 10+ years later.


I've still seen modern attacks. As you say, the attacks are automated 
and there is no real advantage in checking versions first, it is easier 
to just throw everything at everyone.




Re: Odd behavior on a secondary server

2018-03-22 Thread Dave Warren
On Thu, Mar 22, 2018, at 11:01, @lbutlr wrote:
> On 2018-03-22 (08:13 MDT), John Miller  wrote:
> > 
> > Is this normal or am I missing something.
> 
> It is normal. It is confusing, but it is normal.

Think of it as a "freshness" date rather than a "modified" date and it becomes 
intuitive.



Re: Stopping name server abuse

2018-06-25 Thread Dave Warren
On Sun, Jun 24, 2018, at 15:48, Mukund Sivaraman wrote:
> On Sun, Jun 24, 2018 at 04:30:08PM -0400, Alex wrote:
> > Hi,
> > We had a former customer who parked about 300 domains with his
> > registry on our server but is no longer a customer and hasn't moved
> > his domains. There aren't any hosts behind the domains.
> > 
> > Is there anything more I can do to block/prevent them from continually
> > querying my system outside of just redirecting them to localhost or
> > something?
> > 
> > It's not a terrible amount of traffic, but it's pretty substantial.
> > 
> > Unfortunately asking him nicely didn't work.
> 
> Serve the customer an invoice. They're his domains after all, and he's
> using up your resources. You can identify him and show that your
> resources are being used because he has not moved the delegations.

Absent a situation where the customer has agreed to purchase this service, the 
only result sending an invoice would have is that you have increased your loss 
by adding wasted time, toner, paper, an envelope and the cost of postage.

You might flag the customer's attention, but since "Unfortunately asking him 
nicely didn't work." it seems unlikely that repeatedly annoying the individual 
will be productive.


Re: Stopping name server abuse

2018-06-26 Thread Dave Warren
On Tue, Jun 26, 2018, at 01:28, Matus UHLAR - fantomas wrote:
> On 25.06.18 09:06, Dave Warren wrote:
> >Absent a situation where the customer has agreed to purchase this service,
> > the only result sending an invoice would have is that you have increased
> > your loss by adding wasted time, toner, paper, an envelope and the cost of
> > postage.
> >
> >You might flag the customer's attention, but since "Unfortunately asking
> > him nicely didn't work." it seems unlikely that repeatedly annoying the
> > individual will be productive.
> 
> I believe this can be the same situation as putting images owned by getty to
> your website. They will send you invoice with higher price than if you had a
> contract...

Assuming the user ignores the invoice (from you or Getty), your remedy would be 
the same as Getty: Take the user to court.

But Getty has copyright law behind them and therefore has a relatively easy win 
with well understood penalties. A DNS server operator could try small claims 
court, but would probably need to show actual damages to get a judgement. 

Getty also has lawyers on payroll who do this stuff all day, every day, and 
therefore have minimal overhead due to the copy/paste nature of their filings. 
A random DNS server operator likely does not have a lawyer who can copy/paste 
this type of claim, the cost of research and filing would probably exceed the 
(mostly non-existent) cost of just ignoring the unwanted traffic. My money says 
that win or lose, you've already lost by using the legal system even assuming 
you manage to collect on a judgement.

At the end of the day, I doubt there is much you can do legally, the only real 
solutions are technical by returning answers that will discourage resolvers 
from asking as frequently (probably meaning responses carrying a high TTL).



Re: Stopping name server abuse

2018-06-26 Thread Dave Warren
On Tue, Jun 26, 2018, at 11:27, Reindl Harald wrote:
> 
> 
> Am 26.06.2018 um 20:18 schrieb Dave Warren:
> > At the end of the day, I doubt there is much you can do legally, the only 
> > real solutions are technical by returning answers that will discourage 
> > resolvers from asking as frequently (probably meaning responses carrying a 
> > high TTL)
> 
> nonsense - the only real solution is non-technical by get the registry
> to remove your nameservers - it's that easy

Have you had success in accomplishing such? I've tried in the past and 
universally been ignored or had the request rejected by registrars and 
registries. 


Re: Stopping name server abuse

2018-06-26 Thread Dave Warren



On Tue, Jun 26, 2018, at 11:47, Reindl Harald wrote:
> 
> Am 26.06.2018 um 20:36 schrieb Dave Warren:
> > On Tue, Jun 26, 2018, at 11:27, Reindl Harald wrote:
> >>
> >>
> >> Am 26.06.2018 um 20:18 schrieb Dave Warren:
> >>> At the end of the day, I doubt there is much you can do legally, the only 
> >>> real solutions are technical by returning answers that will discourage 
> >>> resolvers from asking as frequently (probably meaning responses carrying 
> >>> a high TTL)
> >>
> >> nonsense - the only real solution is non-technical by get the registry
> >> to remove your nameservers - it's that easy
> > 
> > Have you had success in accomplishing such? I've tried in the past and 
> > universally been ignored or had the request rejected by registrars and 
> > registries
> 
> yes
> 
> if i can prove that i am the zone-owner of the nameservers and that i
> don't have any contract with the domain owner where should be the problem?
> 
> just use the abuse-contacts instead support monkeys

Where have you had success? With a registrar (which one?) or a registry (which 
one?)? 



Re: Stopping name server abuse

2018-06-26 Thread Dave Warren
On Tue, Jun 26, 2018, at 11:54, Reindl Harald wrote:
> 
> 
> Am 26.06.2018 um 20:50 schrieb Dave Warren:
> > On Tue, Jun 26, 2018, at 11:47, Reindl Harald wrote:
> >>
> >> Am 26.06.2018 um 20:36 schrieb Dave Warren:
> >>> On Tue, Jun 26, 2018, at 11:27, Reindl Harald wrote:
> >>>>
> >>>>
> >>>> Am 26.06.2018 um 20:18 schrieb Dave Warren:
> >>>>> At the end of the day, I doubt there is much you can do legally, the 
> >>>>> only real solutions are technical by returning answers that will 
> >>>>> discourage resolvers from asking as frequently (probably meaning 
> >>>>> responses carrying a high TTL)
> >>>>
> >>>> nonsense - the only real solution is non-technical by get the registry
> >>>> to remove your nameservers - it's that easy
> >>>
> >>> Have you had success in accomplishing such? I've tried in the past and 
> >>> universally been ignored or had the request rejected by registrars and 
> >>> registries
> >>
> >> yes
> >>
> >> if i can prove that i am the zone-owner of the nameservers and that i
> >> don't have any contract with the domain owner where should be the problem?
> >>
> >> just use the abuse-contacts instead support monkeys
> > 
> > Where have you had success? With a registrar (which one?) or a registry 
> > (which one?)? 
> 
> where did you *not* have success?

The last time I tried was some years ago, at Network Solutions, with a .COM. 
The owner of the domain was a company that had ceased operations and contact 
information was at the domain itself (therefore they were unreachable by 
email). 

The load wasn't enormous but I was curious if they would be responsive, the 
only answers I received were to contact the owner of the domain, silence, or a 
ticket-closed type response.

Mark Jeftovic from easyDNS has commented on similar situations back in 2015: 
"It's not that rare. It's happened to us (more than once) and it happened to 
DNSimple not too long ago. In those cases we've had problems getting the 
registrar to yank the delegation. In cases like that the registry often won't 
even talk to us."

Maybe the situation has improved over the last few years?


Re: how two dns bind master sync?

2018-08-24 Thread Dave Warren

On 2018-08-23 14:15, Grant Taylor via bind-users wrote:

> On 08/23/2018 01:20 PM, Barry S. Finkel wrote:
> > Somehow, under the covers, AD synchronizes the zones so that they have
> > the same content.
>
> It's my understanding that MS-DNS servers hosting AD Integrated zones
> are actually functioning as application layer gateways between DNS and
> data that's stored in LDAP.
>
> So the case of synchronizing records with different FQDNs is actually
> trivial in that different records are being updated in the back end LDAP
> and the ALG is simply reading the data and replying to clients.
>
> I don't know how to account for the serial number.  I think I've seen
> something like an encoded form of the date / time be used.  ¯\_(ツ)_/¯


tl;dr: The Active Directory logic for the serial number is simple: Each 
update to the zone increments the serial as you expect locally. When DCs 
sync they use the highest serial number of either, +1.


Imagine you have 3 (or more) servers, updates happening everywhere. There 
is an unknown period of latency between updates, not all DCs receive 
updates at the same time, and not all DCs receive updates in the same 
order or use the same schedule.


Start off with serial 100.
Server1 updates, increments to serial 101.
Server1 updates, increments to serial 102.
Server1 updates, increments to serial 103.
Server2 updates, increments to serial 102.
Server1 updates, increments to serial 104.
Server3 updates, increments to serial 102.

At this point all three have different views of the zone, with serials 
104, 102, 102 respectively.


Server2 and Server3 now sync, highest serial is 102 so both are set to 
103. Server1 and Server2 now sync, highest serial is 104 but there are 
other changes, so both increment to 105. Eventually Server1 and Server3 
sync, highest serial is 105, but no other records have changed so both 
agree to 105 and now everything is in sync once again.


Neither Active Directory nor Microsoft DNS care what is in the SOA 
record in terms of the refresh, retry and expire intervals, DNS records 
will instead synchronize around Active Directory along with every other 
type of change.


If you set BIND slaves to master off of just server1 there are no 
problems at all as the serial increases in a predictable and normal way. 
If your BIND slaves off of multiple AD DCs then it will 1) Periodically 
see and complain about (log) older serial numbers, and 2) Periodically 
flip between the zone as reported by the different servers.


However, a lot of this happens if the DCs are sending notifies to BIND 
and BIND is then changing its mind about which master to use. If you 
only have one DC send notifies then (I believe) BIND will tend to just 
pull updates from that one DC and everybody is happy. If that DC goes 
down then BIND will eventually hit the refresh interval and (if 
configured) try other masters.


Happy weekend all!
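The serial-merge rule the post describes, replayed as a constructed Python model (added here; it is not Microsoft's or BIND's code). The server names, record names and the starting serial of 100 are assumptions, and the second function shows what a BIND secondary refreshing from whichever DC notified last would observe.

```python
"""Constructed model of the Active Directory serial-number behaviour described
above. Not Microsoft's or BIND's code; server names, record names and the
starting serial of 100 are assumptions made for the illustration.

Rule being modelled:
  * a local update bumps that DC's serial by one;
  * when two DCs sync, both take the higher of the two serials, plus one
    only if the DC holding that higher serial gains records from the merge.
"""
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    serial: int = 100
    # Toy zone content: owner name -> RDATA. Real AD replicates LDAP objects.
    records: dict[str, str] = field(default_factory=dict)

    def update(self, owner: str, rdata: str) -> int:
        """A local dynamic update: change the data, bump the serial."""
        self.records[owner] = rdata
        self.serial += 1
        return self.serial


def sync(a: DC, b: DC) -> int:
    """Replicate between two DCs and return the serial both end up with."""
    leader = a if a.serial >= b.serial else b
    merged = {**a.records, **b.records}
    # Bump only when the leader learns something; a pure catch-up of the
    # other side leaves the serial alone ("no other records have changed").
    new_serial = leader.serial + (1 if merged != leader.records else 0)
    for dc in (a, b):
        dc.records = dict(merged)
        dc.serial = new_serial
    return new_serial


def run_scenario() -> list[tuple[str, int]]:
    """Replay the post's sequence of events; return (who, serial) per step."""
    s1, s2, s3 = DC("Server1"), DC("Server2"), DC("Server3")
    log = []
    log.append(("Server1", s1.update("a", "1")))
    log.append(("Server1", s1.update("b", "1")))
    log.append(("Server1", s1.update("c", "1")))
    log.append(("Server2", s2.update("d", "1")))
    log.append(("Server1", s1.update("e", "1")))
    log.append(("Server3", s3.update("f", "1")))
    log.append(("Server2+Server3", sync(s2, s3)))
    log.append(("Server1+Server2", sync(s1, s2)))
    log.append(("Server1+Server3", sync(s1, s3)))
    assert s1.serial == s2.serial == s3.serial == 105  # converged
    return log


def serial_regressions(polled: list[tuple[str, int]]) -> list[tuple[str, int, int]]:
    """What a BIND secondary sees when it refreshes from whichever DC notified
    last: each (dc, serial_held, lower_serial_offered) is a case named would
    log as an older serial and refuse, keeping the zone copy it already has."""
    found, held = [], None
    for dc, serial in polled:
        if held is not None and serial < held:
            found.append((dc, held, serial))
            continue  # secondary keeps its current copy
        held = serial
    return found


if __name__ == "__main__":
    for who, serial in run_scenario():
        print(f"{who:16} -> serial {serial}")
    # Constructed poll order: Server1 notified first, then the lagging DCs.
    print(serial_regressions([("Server1", 104), ("Server2", 102),
                              ("Server3", 102), ("Server1", 105)]))
```

Because every DC here starts at 100, the intermediate serials run one lower than in the narration above; the outcome at each sync and the final convergence at 105 are the same.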


Re: ISC Bind stops answering queries

2018-09-17 Thread Dave Warren
On Mon, Sep 17, 2018, at 06:07, Ian Collins wrote:
> I have been running various versions of ISC Bind for a number of years
> without any issues.
>
> My current server is a Windows 2012 R2 running 9.3.0
>
> <...> Does anyone have any idea what could be causing the server to
> stop answering queries or suggest any specific logging settings that
> might help identify it please.

I recall a couple of hangs in that era on my Windows Server based Bind
servers. It was due to malformed queries, although I don't recall the
details anymore. Upgrading to a supported version would be the obvious
first step.




Re: NTP through DNS?

2018-09-23 Thread Dave Warren
On Sun, Sep 23, 2018, at 03:24, Ray Bellis wrote:
> On 22/09/2018 02:39, Danny Mayer wrote:
> 
> > No, that's not true. Consider what you are doing. You are substituting
> > SRV records for CNAME records. There is nothing magical here. NTP can
> > use the CNAME records. Either way the records have to be configured.
> > What do you think you are discovering? SRV records aren't magic.
> 
> SRV records aren't magic, but they are an "approved" way of discovering
> services.

If you have a domain, yes. But it doesn't help with network based autodiscovery 
in a meaningful way. I would argue DHCP is the correct answer (even if it 
points to DNS and uses SRV records, the process starts with DHCP). But we also 
know that many clients don't use DHCP provided NTP servers, so split view DNS 
records are the only real practical solution that is client-independent, noting 
that it still needs some initial client configuration.


> We've all seen what happened with the convention of "www." to "discover"
> the HTTP service on a domain and how the (marketing folks) desire to
> drop that has caused no end of CNAME related issues...

Doesn't this predate SRV records?


Re: Question about visibility

2018-10-24 Thread Dave Warren

On 2018-10-24 07:24, Timothy Metzinger wrote:
> There's no security in obscurity.  Automated port scanners will sweep
> your system in a couple of seconds.


There is *limited* security in obscurity but it's a valid layer. 
Obviously insufficient as an only layer...


As a trivial example, I get orders of magnitude more ESMTP 
authentication attempts against well known/standardized ports 25 and 587 
than non-standard ports that speak the exact same protocol. Last I 
looked, 25 receives substantially more traffic than 587 despite 587 
being the better choice to attack these days.



Re: BIND DNS Enable audit logs - Authoritative

2019-01-11 Thread Dave Warren

On 2019-01-11 11:55, Kevin Darcy wrote:
> I don't believe there is any logging category for this, even when zones
> are enabled for Dynamic Update, in which case the versioning is done
> automatically. There used to be a "journalprint" utility that one could
> run against the .jnl files to show the update history. But, even if the
> journaling mechanism and the "journalprint" utility still exist as I
> remember it, it would most likely only work for Dynamic-Update-enabled
> zones. I don't believe .jnl files are created for
> non-Dynamic-Update-enabled zones, although I could be wrong on that --
> maybe named synthesizes .jnl files for purposes of IXFR (???).


Interestingly enough, it does, but with some limitations/quirks that 
occasionally require you to manually delete your jnl file (and of course 
force an AXFR-style IXFR transfer in these situations).


I don't recall the exact trigger, I think it related to when a zone is 
updated when BIND is offline (or at least, my notes say that it happens 
when the billing system removes a zone from named.conf and later re-adds 
the same zone). I do have something monitoring the log to detect the 
situation and clear the appropriate jnl files, such that if there are 
other situations where this occurs, I wouldn't notice.



