Re: migration to new isp - now private addresses showing up publicly?

2023-05-23 Thread Sten Carlsen


> 
> On 23 May 2023, at 19.00, Kaya Saman wrote:
> 
> 
>> On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
>>> On 23.05.23 12:22, Kaya Saman wrote:
>>> I've got a very strange problem that has emerged somehow after migrating my 
>>> isp.
>>> 
>>> 
>>> My setup previously used 2x servers in master/slave configuration for my 
>>> public "view" and then had 3x servers for the "internal" view. This was 
>>> working fine for years and I have been regularly testing using online dns 
>>> healthcheck sites such as mxtoolbox etc...
>>> 
>>> 
>>> Now when I try to run any type of check from mxtoolbox or other site eg. 
>>> https://dnschecker.org/ I am getting my private IP's showing instead of the 
>>> public ones?
>>> 
>>> 
>>> Initially it started off by my external zone files not transferring which I 
>>> managed to see that the information was trying to traverse my NAT (I know, 
>>> not the best practice to have all dns servers on the same network).
>>> 
>>> 
>>> As a result external emails from my mail server are not working too well 
>>> with a hit and miss type thing going on right now.
>>> 
>>> 
>>> Just to go over, my zone files are fine as the 'external' ones only have 
>>> public ip addresses in them and do not include any type of internal 
>>> addressing whatsoever.
>>> 
>>> 
>>> Here's an example of the config in named.conf for the master:
>> 
>>> view "external" {
>>> match-clients { !internals; any; };
>> [...]
>>> view "external" {
>>> match-clients { !internals; any; };
>> 
>> I don't see your definition of "internals".
>> Also, I don't see your definition of internal view.
>> If internal IP addresses are visible on the internet, obviously the internet 
>> sources fall into your internal view, not into this one.
>> 
>> 
> 
> Finally, I understand what is going on and things get stranger
> 
> 
> The internal IP addressing is being served up by the slave servers. They seem 
> to have pulled the file domain.db and renamed it to domain-external.db???
> 
> 
> Of course the 'master' machine is already serving up domain-external.db to 
> the public domain. This has the correct IP addressing with everything else 
> such as dkim and dmarc.
> 
> 
> So, currently I think the whole problem is stemming from the fact that the 
> zone transfers are not working correctly for my external view between 
> 'master' and 'slave' servers.
> 
> 
> How can I do that without needing to traverse my NAT?
> 
When migrating ISP, are you sure that there is not another NAT in the ISP 
router?
That would explain this. The internet would present itself as 192.168.xx.xx and 
match your internals.
> 
> Currently I tried putting this into my master config:
> 
> 
> zone "domain.com" {
>     type master;
>     file "/var/named/var/named/domain-external.db";
>     notify explicit;
>     also-notify { int_dns2; int_dns3; };
>     allow-transfer { ext_dns2; ext_dns3; };
>     allow-query { ext_dns2; ext_dns3; !internals; any; };
> };
> 
> 
> 
> And this into my slave config:
> 
> 
> 
> zone "domain.com" {
>     type slave;
>     file "/var/named/var/named/domain-external.db";
>     masters { ext_dns1; };
>     // allow-notify { ext_dns1; };
>     allow-query { int_dns1; !internals; any; };
> };
> 
> 
> But it doesn't seem to mesh up?
> 
> 
> The general.log file is telling me this:
> 
> zone domain.com/IN/external: refresh: retry limit for master ext_dns1#53 
> exceeded (source 0.0.0.0#0)
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



Re: migration to new isp - now private addresses showing up publicly?

2023-05-23 Thread Sten Carlsen


> On 23 May 2023, at 19.46, Kaya Saman wrote:
> 
> 
> 
> On 5/23/23 18:07, Sten Carlsen wrote:
>> 
>>> On 23 May 2023, at 19.00, Kaya Saman wrote:
>>> 
>>> 
>>>> On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
>>>>> On 23.05.23 12:22, Kaya Saman wrote:
>>>>> I've got a very strange problem that has emerged somehow after migrating 
>>>>> my isp.
>>>>> 
>>>>> 
>>>>> My setup previously used 2x servers in master/slave configuration for my 
>>>>> public "view" and then had 3x servers for the "internal" view. This was 
>>>>> working fine for years and I have been regularly testing using online dns 
>>>>> healthcheck sites such as mxtoolbox etc...
>>>>> 
>>>>> 
>>>>> Now when I try to run any type of check from mxtoolbox or other site eg. 
>>>>> https://dnschecker.org/ I am getting my private IP's showing instead of 
>>>>> the public ones?
>>>>> 
>>>>> 
>>>>> Initially it started off by my external zone files not transferring which 
>>>>> I managed to see that the information was trying to traverse my NAT (I 
>>>>> know, not the best practice to have all dns servers on the same network).
>>>>> 
>>>>> 
>>>>> As a result external emails from my mail server are not working too well 
>>>>> with a hit and miss type thing going on right now.
>>>>> 
>>>>> 
>>>>> Just to go over, my zone files are fine as the 'external' ones only have 
>>>>> public ip addresses in them and do not include any type of internal 
>>>>> addressing whatsoever.
>>>>> 
>>>>> 
>>>>> Here's an example of the config in named.conf for the master:
>>>>> view "external" {
>>>>> match-clients { !internals; any; };
>>>> [...]
>>>>> view "external" {
>>>>> match-clients { !internals; any; };
>>>> I don't see your definition of "internals".
>>>> Also, I don't see your definition of internal view.
>>>> If internal IP addresses are visible on the internet, obviously the 
>>>> internet sources fall into your internal view, not into this one.
>>>> 
>>>> 
>>> Finally, I understand what is going on and things get stranger
>>> 
>>> 
>>> The internal IP addressing is being served up by the slave servers. They 
>>> seem to have pulled the file domain.db and renamed it to 
>>> domain-external.db???
>>> 
>>> 
>>> Of course the 'master' machine is already serving up domain-external.db to 
>>> the public domain. This has the correct IP addressing with everything else 
>>> such as dkim and dmarc.
>>> 
>>> 
>>> So, currently I think the whole problem is stemming from the fact that the 
>>> zone transfers are not working correctly for my external view between 
>>> 'master' and 'slave' servers.
>>> 
>>> 
>>> How can I do that without needing to traverse my NAT?
>>> 
>> When migrating ISP, are you sure that there is not another NAT in the ISP 
>> router?
>> That would explain this. The internet would present itself as 192.168.xx.xx 
>> and match your internals.
> 
> I can certainly ask. Though I am on a business package with multiple static 
> public IPv4 addresses. I think I have a /28 block if memory serves me well
> 
> 
> 
You might find that it has some kind of address translation built in "to 
protect your business" or whatever. To me it still smells that way.
You might look at the IP address for the port you think is the internet: if 
that has a 192.168.x.x, 172.16.x.x or 10.x.x.x address, it would be clear that 
that is your problem. It can still be solved, but other setup details will be 
needed.
> The crazy thing is that I am using the DNS check tool from mxtoolbox. So far 
> it's telling me:
> 
> 
> 
> Bad Glue Detected
> Parent server gave glue for ns2.domain.com to be int_dns2 but we resolve that 
> hostname to ext_dns2
> 
> 
> 
> Another weird issue is that it's reading the serial from the zone file to be:
> 
> 
> Serial numbers match
> 2022022801
> 
> That's my 'internal' zone! Not the 'external'

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Sten Carlsen


> On 29 Jun 2023, at 15.59, Ubence Quevedo wrote:
> 
> Hi Greg,
> 
> Here's the most recent config that I tried that seemed to work, but 
> ultimately broke resolution for the main zone domain.com, even though I set 
> it to match-clients { any; }.

Please remember that ONLY ONE view is matched. Your main view is only used if 
none of the other views match.

> 
> What I didn't mention in my original post was that I have other subnets 
> configured for this remote host through vlans with different IP addresses.  
> That's why there are so many other views.  I was hoping the match-clients per 
> each view would return the appropriate IP address per subnet making the 
> request.
> 
> include "/etc/bind/rndc.key";
> include "/etc/bind/ddns-key.key";
> 
> view "192.168.10-net" {
>   match-clients { 192.168.10.0/24; };
>   zone "system.lab.domain.com" {
>     type master;
>     file "/var/lib/bind/db.system.lab.domain.com.192.168.10";
>   };
> };
> 
> view "10.32.1-net" {
>   match-clients { 10.32.1.0/24; };
>   zone "system.lab.domain.com" {
>     type master;
>     file "/var/lib/bind/db.system.lab.domain.com.10.32.1";
>   };
> };
> 
> view "10.32.10-net" {
>   match-clients { 10.32.10.0/24; };
>   zone "system.lab.domain.com" {
>     type master;
>     file "/var/lib/bind/db.system.lab.domain.com.10.32.10";
>   };
> };
> 
> view "10.32.20-net" {
>   match-clients { 10.32.20.0/24; };
>   zone "system.lab.domain.com" {
>     type master;
>     file "/var/lib/bind/db.system.lab.domain.com.10.32.20";
>   };
> };
> 
> view "10.32.30-net" {
>   match-clients { 10.32.30.0/24; };
>   zone "system.lab.domain.com" {
>     type master;
>     file "/var/lib/bind/db.system.lab.domain.com.10.32.30";
>   };
> };
> 
> view "main" {
>   match-clients { any; };
>   zone "domain.com" {
>     type master;
>     forwarders {};
>     file "/var/lib/bind/db.domain.com";
>     update-policy {
>       grant ddns-key wildcard *.domain.com A DHCID;
>     };
>     notify yes;
>     allow-transfer { 192.168.10.183; };
>   };
>   zone "lab.domain.com" {
>     type secondary;
>     masterfile-format text;
>     file "/var/lib/bind/db.lab.domain.com";
>     primaries { 192.168.10.183; };
>   };
>   zone "10.168.192.in-addr.arpa" {
>     type master;
>     forwarders {};
>     file "/var/lib/bind/db.10.168.192.in-addr.arpa";
>     update-policy {
>       grant ddns-key wildcard *.10.168.192.in-addr.arpa PTR;
>     };
>   };
> };
> 
> The contents of /var/lib/bind/db.system.lab.domain.com.192.168.10:
> $ORIGIN .
> $TTL 604800 ; 1 week
> system.lab.domain.com   IN SOA  ns1.domain.com. thatrat.gmail.com. (
>                                 2023062800 ; serial
>                                 604800     ; refresh (1 week)
>                                 86400      ; retry (1 day)
>                                 2419200    ; expire (4 weeks)
>                                 604800     ; minimum (1 week)
>                                 )
>                         NS      ns1.domain.com.
> $ORIGIN system.lab.domain.com.
>                         A       192.168.10.170
> 
> The other /var/lib/bind/db.system.lab.domain.com.10.32.X.X follow a similar 
> format with the domain name pointing to a different IP address for each 
> "version" of the domain matching a view for a different entry subnet.
> 
> Again, the domain.com zone currently has an entry for system.lab.domain.com 
> for 192.168.10.170 and the secondary lab.domain.com has an entry for 
> system.lab.domain.com with 10.32.10.1.
> 
> This was all working perfectly until I added the secondary domain to my 
> config [essentially just the contents of the main view above], after which it 
> started only returning 10.32.10.1 for system.lab.domain.com, which again I 
> think had some type of precedence on the "fuller" FQDN being served, and the 
> system.lab from the domain.com zone taking lesser precedence.
> 
> It also seems that the bind configuration file is read from top down in 
> processing order?  I had the main view on top first, but then moved it below 
> the other views, and then the 192.168.10-net view worked...but the main view 
> did not work.
> 
> I know this is an overly complicated setup and probably the simplest answer 
> is just to remove the secondary zone from config so that there is only the 
> one entry that resolves for the system.lab.domain.com 
> 
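The three threads above all come down to the same rule: named walks the views in named.conf order and the first view whose match-clients accepts the query's source address wins; no later view is consulted. That is why a catch-all `{ any; }` view listed first swallows everything, and why a source that arrives looking like an RFC 1918 address (for example from a NAT in the ISP router) lands in the internal view. The Python below is an added illustration, not code from the threads or from BIND; it models match-clients evaluation (in-order, first match decides, `!` negates, a nested ACL name is evaluated recursively) and view selection. The ACL contents, the client addresses and the view lists are constructed; `internals` stands in for the ACL Matus asked about, and `MAIN_FIRST` mirrors the ordering Ubence described.

```python
import ipaddress

# Constructed named ACLs, standing in for "acl internals { ... };" in named.conf.
ACLS = {
    "internals": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
}


def acl_match(client, elements, acls=ACLS):
    """Evaluate a BIND address match list for one client address.

    Elements are tested in order and the first one that matches decides: a
    plain element is a positive match, a '!'-prefixed element a negative
    match (deny). A nested ACL name is evaluated recursively; a negative
    match inside the nested ACL is treated as "no match" by the outer list,
    which is how BIND handles nested ACLs.
    """
    ip = ipaddress.ip_address(client)
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = acl_match(client, acls[name], acls)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def select_view(client, views):
    """Name of the first view whose match-clients accepts the client, or None
    (named would refuse the query). Only one view is ever selected."""
    for name, match_clients in views:
        if acl_match(client, match_clients):
            return name
    return None


def shadowed_views(views):
    """Views that can never be selected because an earlier view's
    match-clients starts with a positive 'any' (a catch-all listed first)."""
    shadowed, catch_all_seen = [], False
    for name, match_clients in views:
        if catch_all_seen:
            shadowed.append(name)
        elif match_clients and match_clients[0].strip() == "any":
            catch_all_seen = True
    return shadowed


# The split-horizon layout from the first thread (constructed view lists).
SPLIT_HORIZON = [
    ("internal", ["internals"]),
    ("external", ["!internals", "any"]),
]

# The ordering Ubence described: the catch-all "main" view ahead of the
# per-subnet views, which therefore never match.
MAIN_FIRST = [
    ("main", ["any"]),
    ("192.168.10-net", ["192.168.10.0/24"]),
    ("10.32.1-net", ["10.32.1.0/24"]),
]

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an internet client;
    # 192.168.1.1 is what that client looks like behind a NAT in the ISP router.
    for client in ("203.0.113.7", "192.168.1.1"):
        print(client, "->", select_view(client, SPLIT_HORIZON))
    print("never selected:", shadowed_views(MAIN_FIRST))
    print("fixed order:", shadowed_views(list(reversed(MAIN_FIRST))))
```

Run against the split-horizon list, the internet client selects "external" and the NAT'd one "internal", which is exactly the symptom in the first thread; run against `MAIN_FIRST`, both per-subnet views are reported as unreachable, and moving "main" to the end makes them reachable again.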

Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-26 Thread Sten Carlsen
Trace from my location dies even earlier:

;; Received 915 bytes from 2001:503:c27::2:30#53(j.root-servers.net) in 17 ms

;; connection timed out; no servers could be reached

Again just a data point.


> On 24 Apr 2024, at 22.03, tale via bind-users wrote:
> 
> Hmm, I wonder if qname-minimisation is at issue here.   My trace dies with:
> 
> 85.191.131.in-addr.arpa. 1800   IN  NS  fs838.click-network.com.
> 85.191.131.in-addr.arpa. 1800   IN  NS  ns102.click-network.com.
> couldn't get address for 'fs838.click-network.com': not found
> couldn't get address for 'ns102.click-network.com': not found





Re: MDLZ user activation

2024-06-07 Thread Sten Carlsen
I got one of those mails too, your explanation is correct. Nothing sophisticated 
here.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

  "MALE BOVINE MANURE!!!"

> On 7 Jun 2024, at 12.11, Marco Moock wrote:
> 
> Am 07.06.2024 um 10:58:27 Uhr schrieb G.W. Haywood:
> 
>> On the face of your description, this sounds like a spammer who has
>> slightly more skill than usual.
> 
> The spammer simply used the name in From: after Nick posted to the
> list (Nick Tait via bind-users) and the mail address
> (bind-users@lists.isc.org) as the recipient.
> 
> I assume this was accidentally sent to the list and not Nick himself,
> but this is just a guess.
> 
>> I'd like to see the headers, or better the entire mail.  Please feel
>> free to send privately.
> 
> They are publicly posted on the list.
> 
> Message-ID:
> <6661e181d6fce_20e3f8fc856fcec65140...@sidekiq-frequent-fd-poduseast1-free-blue-fc47b6fff-n44lb.mail>
> 
> If you need it, I can forward it to you.
> 
> --
> Gruß
> Marco
> 
> Send unsolicited bulk mail to 1717750707mu...@cartoonies.org


Re: Assistance with SPF Records for BIND

2012-02-18 Thread Sten Carlsen
Hi

I suggest to use the wizards or look in the RFC:
http://www.ietf.org/rfc/rfc4408.txt



On 18/02/12 17:51, Jonathan Vomacka wrote:
> BIND Community Support,
>
> I am inquiring about how to set up a proper SPF record? I know there
> are SPF wizards/generators available but each seems to have a different
> "opinion" of what should be included and what should not be included.
>
> Let me give you a scenario of my setup, and hopefully someone can help
> me out.
>
> My domain is: test.com
> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
> record
> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
> to mail.host.com
>
> This is a STANDALONE mail server without any VIP's or load balancing.
> There is however one additional host that will send out mail from the
> domain but it won't be receiving mail, it will only be used as an SMTP
> server attached to a website automailer... It only generates error
> reports and sends them out... so technically it isn't a full mail
> server but it will be sending (outbound only) mail on behalf of the
> domain.
>
> The additional host is: mail2.test.com which resolves to 50.2.2.2 and
> there is a Matching PTR.
>
> These are the ONLY mail servers and IP addresses that will be sending
> out mail from the test.com domain. Some websites say I should use -all
> and others say -all will cause some MTA's to reject and ~all is better
> to use even if those are the only two hosts sending out mail.
>
> Would you be able to assist with a solid SPF record?

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Assistance with SPF Records for BIND

2012-02-18 Thread Sten Carlsen
Well, there are two parts of this:

1 - make a decision which servers are allowed to send mail on your
behalf - this is entirely up to you. This is expressed in terms of
server names, IP addresses etc.
You may decide that ONLY  servers may send mail or that other
servers are allowed to also send mail. One example is a portable
computer, may that use a local server to send mail or should that be
considered bogus?

2 - express these decisions in an spf statement - this is where the RFC
comes into play, explaining how to interpret the statements.


You need to make decision #1 yourself.

On 18/02/12 18:34, Jonathan Vomacka wrote:
> If someone uses a mobile device to send e-mail? Would ~all be better?
> I also generated the following SPF using a wizard. Let me know if this
> looks correct:
>
> teamwarfare.com. IN TXT "v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com ip4:66.90.73.80 ip4:216.250.250.148 ~all"
>
> I wouldn't need an "include:" or "ptr" statement in this, right? I
> was told "include:" was to include OTHER domains that are allowed to
> send e-mail, but then again I see some people writing the domain again
> as an include. Also, is PTR good to use or not?
>
> Sten,
> I read over the link but am still a bit confused.
>
> On 2/18/2012 11:55 AM, Sten Carlsen wrote:
>> Hi
>>
>> I suggest to use the wizards or look in the RFC:
>> http://www.ietf.org/rfc/rfc4408.txt
>>
>>
>>
>> On 18/02/12 17:51, Jonathan Vomacka wrote:
>>> BIND Community Support,
>>>
>>> I am inquiring about how to set up a proper SPF record? I know there
>>> are SPF wizards/generators available but each seems to have a different
>>> "opinion" of what should be included and what should not be included.
>>>
>>> Let me give you a scenario of my setup, and hopefully someone can help
>>> me out.
>>>
>>> My domain is: test.com
>>> My mailserver hostname is: mail.host.com which also has a MATCHING PTR
>>> record
>>> mail.host.com (for example) resolves to 50.1.1.1 and 50.1.1.1 resolves
>>> to mail.host.com
>>>
>>> This is a STANDALONE mail server without any VIP's or load balancing.
>>> There is however one additional host that will send out mail from the
>>> domain but it won't be receiving mail, it will only be used as an SMTP
>>> server attached to a website automailer... It only generates error
>>> reports and sends them out... so technically it isn't a full mail
>>> server but it will be sending (outbound only) mail on behalf of the
>>> domain.
>>>
>>> The additional host is: mail2.test.com which resolves to 50.2.2.2 and
>>> there is a Matching PTR.
>>>
>>> These are the ONLY mail servers and IP addresses that will be sending
>>> out mail from the test.com domain. Some websites say I should use -all
>>> and others say -all will cause some MTA's to reject and ~all is better
>>> to use even if those are the only two hosts sending out mail.
>>>
>>> Would you be able to assist with a solid SPF record?
>>
>> -- 
>> Best regards
>>
>> Sten Carlsen
>>
>> No improvements come from shouting:
>> "MALE BOVINE MANURE!!!"
>>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Assistance with SPF Records for BIND

2012-02-20 Thread Sten Carlsen


On 20/02/12 3:00, Noel Butler wrote:
> On Sun, 2012-02-19 at 17:00 +0100, ml wrote:
>
>> fakessh.eu descriptive text "spf2.0/pra ip4:46.105.34.177 
>> ip4:91.121.7.86 ?all"
>
>
>> fakessh.eu descriptive text "v=spf1  ip4:46.105.34.177 ip4:91.121.7.86  
>> ?all"
>>
>
> Why did you bother with the record at all?
> "Question mark" indicates you don't care and the remote should
> basically ignore it.
> Waste of time, please do some homework before making such foolish
> recommendations
>
>
Just my point. SPF is a "message" from the sender of mail to the
receiver of mail, describing which senders(hosts, networks) are allowed
to expedite mail for the sender. The message is delivered via DNS.

It is up to the sender to make the rules and nobody can do that for you,
of course it may be good to get inspiration from others. E.g. if you
know that ALL valid mail will be sent from ONE server, you can describe
that, if valid mail can be sent from ANY host, that can be described as
well. This information is meant to be used to evaluate whether a mail
from you is valid or more likely spam. Only you know what the contents
should be.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

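Sten's point in this thread and the previous one is that an SPF record is a policy statement from the sending domain, delivered over DNS, that the receiver evaluates against the connecting IP address; the qualifier on the final `all` (`-`, `~` or `?`) is what tells the receiver how much to trust a non-match, which is what Jonathan's -all/~all question and Noel's objection to `?all` are about. The evaluator below is an added example, not code from the thread and not from any SPF library; it implements the core of the RFC 4408 check_host() algorithm (`a`, `mx`, `ip4`, `ip6`, `include`, `all`, the four qualifiers) over an inline DNS table so it runs offline. The teamwarfare.com TXT record and the fakessh.eu record are the ones posted in the thread; the A and MX values behind them, the sender addresses, and the strict.example and outsourced.example zones are constructed here.

```python
import ipaddress

# Constructed stand-in for DNS (no network access): name -> {rrtype: [values]}.
# The two TXT records come from the thread; everything else is made up here.
DNS = {
    "teamwarfare.com": {
        "TXT": ["v=spf1 a mx a:mail.teamwarfare.com a:mail2.teamwarfare.com "
                "ip4:66.90.73.80 ip4:216.250.250.148 ~all"],
        "A": ["66.90.73.80"],
        "MX": ["mail.teamwarfare.com"],
    },
    "mail.teamwarfare.com": {"A": ["66.90.73.80"]},
    "mail2.teamwarfare.com": {"A": ["216.250.250.148"]},
    "fakessh.eu": {"TXT": ["v=spf1 ip4:46.105.34.177 ip4:91.121.7.86 ?all"]},
    "strict.example": {"TXT": ["v=spf1 ip4:192.0.2.10 -all"]},
    "outsourced.example": {"TXT": ["v=spf1 include:fakessh.eu -all"]},
}

# Qualifier prefix -> check_host() result (RFC 4408 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rrtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is usable; zero or several means no policy."""
    records = [t for t in lookup(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def mechanism_matches(mech, value, sender_ip, domain, depth):
    ip = ipaddress.ip_address(sender_ip)
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(value, strict=False)
    if mech == "a":
        return any(ipaddress.ip_address(a) == ip for a in lookup(value or domain, "A"))
    if mech == "mx":
        return any(ipaddress.ip_address(a) == ip
                   for mx in lookup(value or domain, "MX") for a in lookup(mx, "A"))
    if mech == "include":
        # Only a "pass" from the included domain's policy counts as a match;
        # its fail/softfail/neutral just means "keep evaluating this record".
        return check_host(sender_ip, value, depth + 1) == "pass"
    # ptr, exists and the a/mx CIDR forms are outside this example.
    raise ValueError(f"mechanism {mech!r} not supported here")


def check_host(sender_ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for one sender IP."""
    if depth > 10:                  # include recursion guard
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:             # modifiers (redirect=, exp=) are not handled
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        try:
            if mechanism_matches(mech.lower(), value, sender_ip, domain, depth):
                return QUALIFIERS[qualifier]
        except ValueError:
            return "permerror"
    return "neutral"                # nothing matched and no "all" (RFC 4408 section 4.7)


if __name__ == "__main__":
    for ip, dom in [("66.90.73.80", "teamwarfare.com"), ("198.51.100.9", "teamwarfare.com"),
                    ("198.51.100.9", "fakessh.eu"), ("198.51.100.9", "strict.example")]:
        print(f"{ip:>15} from {dom:<18} -> {check_host(ip, dom)}")
```

The same unknown sender (198.51.100.9) gets "softfail" from Jonathan's `~all` record, "fail" from a `-all` record and "neutral" from the `?all` record, and "neutral" is also what a receiver gets when the domain publishes no SPF at all, which is why Noel calls the `?all` record a waste of time.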

Re: slave not updating or creating ofd zone files

2012-03-29 Thread Sten Carlsen
It has sometimes been seen that the files that are updated are not the
files actually loaded, this could be such a case?

On 29/03/12 10:58, RYAN M. vAN GINNEKEN wrote:
>
> Hello all, I have what is to me a very strange bind 9 master slave
> transfer issue.
>
> When I update a zone file on the master the file updates correctly,
> the notifies are sent and everything seems to work perfectly
> except it transfers 0 bytes to the slave.  Checking the slave
> confirms that indeed there was no transfer and that the slave is
> still serving the old zone; I have gone as far as to completely
> delete the zone files from the slave and restart bind, and to my
> surprise it puts back all the old files.  What is going on?  Below
> is an example of one of the files that is not updating correctly;
> there are many, and some of the files I have updated more recently are
> not even showing up in the logs of the server.
>
> On the server Ubuntu 8.04 LTS running BIND 9.4.2-P2.1 chrooted
> 29-Mar-2012 06:03:39.461 general: info: zone jodygamracy.com/IN/external:
> loaded serial 2012031501
> 29-Mar-2012 06:03:39.614 notify: info: zone jodygamracy.com/IN/external:
> sending notifies (serial 2012031501)
> 29-Mar-2012 06:03:41.761 xfer-out: info: client 96.51.192.233#33074:
> view external: transfer of 'jodygamracy.com/IN': IXFR ended
>
> On the slave Ubuntu 10.04 LTS  BIND 9.7.0-P1
> 29-Mar-2012 00:03:41.666 general: info: zone jodygamracy.com/IN/external:
> Transfer started.
> 29-Mar-2012 00:03:41.706 xfer-in: info: transfer of 'jodygamracy.com/IN/external'
> from 204.244.122.132#53: connected using 96.51.192.233#33074
> 29-Mar-2012 00:03:41.782 xfer-in: info: transfer of 'jodygamracy.com/IN/external'
> from 204.244.122.132#53: Transfer completed: 0 messages, 1 records, 0 bytes,
> 0.076 secs (0 bytes/sec)
>
> As a side note, I have both machines firewalled, but have port 53
> open on both machines, and have ports set using these
> lines in the named.conf file
>   query-source address * port 53;
>   transfer-source * port 53;
>   notify-source * port 53;
>
> and see this in the daemon logs
> /etc/named.conf:9: using specific query-source port suppresses
> port randomization and can be insecure.
>
> Computer King   CaN-Mail  
>  Surveillance King
> http://computerking.ca http://canmail.org
>  http://surveillanceking.net
>
> Surveillance - Sales Service - Hosting Backup
> Internet Based Surveillance Systems
> Custom Service Packages
> Secure IMAP Email - Automated Remote Backups - Photo Blogs -
> Online ERP and Accounting Packages
>
>
>
>
> Enlarge your serial!
>
> -- 
> AP
>
> I've tried that. I've had this problem for a while, that is why the serial was
> not dated today; I just picked a random zone file. Anyway, I updated the
> serial with today's date and still get the same behaviour.  Strange, but
> the times are messed up; I checked the time/date on both machines and they
> are very similar, so what is with the weird log times?
> .
> 29-Mar-2012 08:44:06.883 notify: info: zone
> jodygamracy.com/IN/external: sending notifies (serial 2012032901)
> 29-Mar-2012 08:44:09.093 xfer-out: info: client 96.51.192.233#43819:
> view external: transfer of 'jodygamracy.com/IN': IXFR ended
>
>
>
> 29-Mar-2012 02:41:45.829 xfer-in: info: transfer of
> 'jodygamracy.com/IN/external' from 204.244.122.132#53: Transfer
> completed: 0 messages, 1 records, 0 bytes, 0.072 secs (0 bytes/sec)
>
> I get lots of these 0 bytes transfers every time I try to edit a zone
> file now; they keep popping up and zones never get updated on the slave,
> it just keeps trying and getting 0 bytes
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: slave not updating or creating ofd zone files

2012-03-29 Thread Sten Carlsen
First find out if that IS the case: on master, is SOA serial updated
when FILE serial is (after reload)? If so, no problem.

If not, chroot is one of the usual culprits: you update the file in
/var/named/..., but bind loads the file in /var/named/chroot/var/named/data/...

So in your filesystem, find ALL "zone" files, check which are used by
bind and which you update.

This is not rocket science, just normal file management. Usually the
file in /var/named/... is a link to the file in
/var/named/chroot/var/named/... - maybe you managed to break that link
by editing the wrong file; go searching your own file structure.



On 29/03/12 20:39, Computer King wrote:
> OK but how do I correct the issue 
> Sent from my Nexus 1
>
> Sten Carlsen wrote:
>
> It has sometimes been seen that the files that are updated are not the
> files actually loaded, this could be such a case?
>
> On 29/03/12 10:58, RYAN M. vAN GINNEKEN wrote:
>> Hello all, I have what is to me a very strange bind 9 master slave
>> transfer issue.
>>
>> When I update a zone file on the master the file updates correctly,
>> the notifies are sent and everything seems to work perfectly
>> except it transfers 0 bytes to the slave.  Checking the slave
>> confirms that indeed there was no transfer and that the slave is
>> still serving the old zone; I have gone as far as to completely
>> delete the zone files from the slave and restart bind, and to my
>> surprise it puts back all the old files.  What is going on?  Below
>> is an example of one of the files that is not updating correctly;
>> there are many, and some of the files I have updated more recently are
>> not even showing up in the logs of the server.
>>
>> On the server Ubuntu 8.04 LTS running BIND 9.4.2-P2.1 chrooted
>> 29-Mar-2012 06:03:39.461 general: info: zone jodygamracy.com/IN/external:
>> loaded serial 2012031501
>> 29-Mar-2012 06:03:39.614 notify: info: zone jodygamracy.com/IN/external:
>> sending notifies (serial 2012031501)
>> 29-Mar-2012 06:03:41.761 xfer-out: info: client 96.51.192.233#33074:
>> view external: transfer of 'jodygamracy.com/IN': IXFR ended
>>
>> On the slave Ubuntu 10.04 LTS  BIND 9.7.0-P1
>> 29-Mar-2012 00:03:41.666 general: info: zone jodygamracy.com/IN/external:
>> Transfer started.
>> 29-Mar-2012 00:03:41.706 xfer-in: info: transfer of 'jodygamracy.com/IN/external'
>> from 204.244.122.132#53: connected using 96.51.192.233#33074
>> 29-Mar-2012 00:03:41.782 xfer-in: info: transfer of 'jodygamracy.com/IN/external'
>> from 204.244.122.132#53: Transfer completed: 0 messages, 1 records, 0 bytes,
>> 0.076 secs (0 bytes/sec)
>>
>> As a side note, I have both machines firewalled, but have port 53
>> open on both machines, and have ports set using these
>> lines in the named.conf file
>>   query-source address * port 53;
>>   transfer-source * port 53;
>>   notify-source * port 53;
>>
>> and see this in the daemon logs
>> /etc/named.conf:9: using specific query-source port suppresses
>> port randomization and can be insecure.
>>
>> Computer King   CaN-Mail  
>>  Surveillance King
>> http://computerking.ca http://canmail.org
>>  http://surveillanceking.net
>>
>> Surveillance - Sales Service - Hosting Backup
>> Internet Based Surveillance Systems
>> Custom Service Packages
>> Secure IMAP Email - Automated Remote Backups - Photo Blogs -
>> Online ERP and Accounting Packages
>>
>>
>>
>>
>> Enlarge your serial!
>>
>> -- 
>> AP
>>
>> I've tried that. I've had this problem for a while, that is why the serial was
>> not dated today; I just picked a random zone file. Anyway, I updated the
>> serial with today's date and still get the same behavi
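Sten's check comes down to three serial numbers: the one in the file you edit, the one the master actually serves (which is the only one the slave ever sees), and the one the slave has. If the first two differ, named is loading a different file or has not reloaded; if the master's serial is not newer than the slave's under RFC 1982 serial arithmetic, no transfer will ever start no matter how often notifies are sent. The Python below is an added example, not from the thread, that pulls the serial out of either a zone file or a pasted `dig SOA` answer and applies that comparison; the sample inputs are constructed, reusing the serial values seen in the thread (2012032901 in the edited file, 2012031501 still being served).

```python
SERIAL_MODULUS = 2 ** 32


def soa_serial(rr_text):
    """Return the SOA serial from zone-file text or from a dig SOA answer line.

    Comments after ';' are stripped and parentheses removed, so both the
    multi-line zone-file form and the one-line dig form are handled. The
    serial is the third field after the SOA type: MNAME RNAME SERIAL.
    (Inputs with ';' inside quoted TXT strings are not handled here.)
    """
    tokens = []
    for line in rr_text.splitlines():
        line = line.split(";", 1)[0]
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    for i, tok in enumerate(tokens):
        if tok.upper() == "SOA":
            return int(tokens[i + 3])
    raise ValueError("no SOA record in input")


def serial_is_newer(candidate, current):
    """RFC 1982 comparison on 32-bit serials: True when 'candidate' is greater
    than 'current', allowing for wrap-around at 2^32. Equal serials are never
    newer, which is why a slave ignores a zone whose content changed but whose
    serial did not."""
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_MODULUS < 2 ** 31


def diagnose(zone_file_text, master_answer, slave_answer):
    """Classify a 'slave does not update' situation from the three serials."""
    on_disk = soa_serial(zone_file_text)
    master = soa_serial(master_answer)
    slave = soa_serial(slave_answer)
    if on_disk != master:
        # named serves something other than the file you edit: wrong path
        # (chroot copy vs. link), or the zone was never reloaded.
        return "wrong-file-or-not-reloaded"
    if not serial_is_newer(master, slave):
        # The slave has nothing newer to fetch; bump the serial.
        return "serial-not-increased"
    return "transfer-expected"


# Constructed sample inputs modelled on the serials in the thread.
EDITED_ZONE_FILE = """\
$TTL 3600
@   IN  SOA ns1.example.net. hostmaster.example.net. (
        2012032901 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN  NS  ns1.example.net.
"""
# What "dig SOA example.net @master" and "@slave" might print (constructed).
MASTER_SOA_ANSWER = ("example.net. 3600 IN SOA ns1.example.net. "
                     "hostmaster.example.net. 2012031501 3600 900 604800 86400")
SLAVE_SOA_ANSWER = ("example.net. 3600 IN SOA ns1.example.net. "
                    "hostmaster.example.net. 2012031501 3600 900 604800 86400")

if __name__ == "__main__":
    print("file:", soa_serial(EDITED_ZONE_FILE),
          "master:", soa_serial(MASTER_SOA_ANSWER),
          "slave:", soa_serial(SLAVE_SOA_ANSWER))
    print(diagnose(EDITED_ZONE_FILE, MASTER_SOA_ANSWER, SLAVE_SOA_ANSWER))
```

In practice the three inputs are the file at the path named.conf references inside the chroot, and the answer sections of `dig SOA <zone> @<master>` and `dig SOA <zone> @<slave>`; the first mismatch in that order tells you which of Sten's two possibilities you are looking at.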

logging to syslog on another host?

2012-05-30 Thread Sten Carlsen
Hi

I was considering using the syslog on a different host for logging from
bind. The purpose was to collect logs from various places into one
repository.

This is not a busy installation so performance is not expected to be a
problem.

I looked in the ARM but could not see where I could put the IP/hostname
of the host to receive the syslog.

Question:
Can bind send its logging output to an external syslog?
If it can, what is needed in terms of version etc.? How to put this into
log statement?

Thanks in advance.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: logging to syslog on another host?

2012-05-30 Thread Sten Carlsen
Hi

Thanks for good answers, I now know what to do and how to proceed.

Thanks.


On 30/05/12 13:17, Matus UHLAR - fantomas wrote:
> On 30.05.12 12:16, Sten Carlsen wrote:
>> I was considering to use the syslog on a different host for logging from
>> bind. The purpose was to collect logs from various places into one
>> repository.
> [...]
>> Can bind send its logging output to an external syslog?
>
> Not directly. However, that is what syslog daemon is for, simply
> configure it to forward logs to another machine.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Verify raw data within slaves on 9.9.x

2012-06-11 Thread Sten Carlsen
Would an option be to do a dig axfr on the zone?

On 12/06/12 1:44, Spain, Dr. Jeffry A. wrote:
>> What tools/commands I can run to get plain ascii/text data out of modern 
>> raw/binary on BIND 9.9.x slaves?
>> I just want to verify that changes are correct down to the slaves. So - I 
>> can check-in these changes into svn etc.
> See the ARM under named-checkzone. 
> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/man.named-checkzone.html.
> For example "named-checkzone -f raw -F text -s relative -j -o 
> example.com.dumped.db example.com /var/lib/named/example.com.db"
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

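Once named-checkzone has turned the slave's raw file into text, the remaining step is to compare it with the master's zone file record by record. The following is an added Python example, not a BIND tool or code from the thread: it parses both files (handling $ORIGIN, $TTL, relative names and multi-line SOA records), compares the record sets and the SOA serials, and reports what has not reached the slave. The sample master file and slave dump are constructed; TTLs are assumed to be plain seconds and TXT data is assumed to contain no ';' or parentheses.

```python
from collections import Counter

DEFAULT_TTL = 3600                       # used when a zone sets no $TTL (assumption)
CLASSES = {"IN", "CH", "HS"}
# rdata positions holding domain names, which may be written relative to $ORIGIN
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def qualify(name, origin):
    """Return name as a lowercase fully qualified domain name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records such as SOA."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]      # assumption: no ';' inside quoted TXT data
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf)
            buf, depth = [], 0
            if joined.strip():
                yield joined             # leading whitespace means "same owner as before"


def parse_zone(text, origin):
    """Parse zone text into a Counter of (owner, ttl, class, type, rdata) tuples."""
    origin = origin.lower().rstrip(".") + "."
    ttl, owner, records = DEFAULT_TTL, origin, Counter()
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            ttl = int(tokens[1])         # assumption: TTLs written in plain seconds
            continue
        if not line[0].isspace():
            owner = qualify(tokens.pop(0), origin)
        rttl, rclass = ttl, "IN"
        if tokens[0].isdigit():
            rttl = int(tokens.pop(0))
        if tokens[0].upper() in CLASSES:
            rclass = tokens.pop(0).upper()
        if tokens[0].isdigit():          # "IN 600 A ..." ordering is also legal
            rttl = int(tokens.pop(0))
        rtype = tokens.pop(0).upper()
        for i in NAME_FIELDS.get(rtype, ()):
            tokens[i] = qualify(tokens[i], origin)
        records[(owner, rttl, rclass, rtype, " ".join(tokens))] += 1
    return records


def serial(records):
    """SOA serial of a parsed zone, or None when there is no SOA."""
    for owner, rttl, rclass, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    return None


def diff_zones(master, slave):
    """(records missing on the slave, records only on the slave), both sorted."""
    return sorted((master - slave).elements()), sorted((slave - master).elements())


def transfer_ok(master, slave):
    """True when the serials agree and the record sets are identical."""
    return serial(master) == serial(slave) and diff_zones(master, slave) == ([], [])


# Constructed sample data: the master file as an admin writes it, and a slave dump
# that still carries the previous serial and lacks the newly added mail host.
MASTER_FILE = """\
$ORIGIN example.com.
$TTL 3600
@   IN  SOA ns1 hostmaster (
        2012061101  ; serial
        7200 3600 1209600 300 )
@       NS  ns1
@       MX  10 mail
ns1     A   192.0.2.1
www 600 IN  A   192.0.2.10
mail    A   192.0.2.25
"""
SLAVE_DUMP = """\
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2012061100 7200 3600 1209600 300
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN MX  10 mail.example.com.
ns1.example.com.  3600 IN A   192.0.2.1
www.example.com.  600  IN A   192.0.2.10
"""

if __name__ == "__main__":
    m, s = parse_zone(MASTER_FILE, "example.com"), parse_zone(SLAVE_DUMP, "example.com")
    print(f"master serial {serial(m)}, slave serial {serial(s)}, in sync: {transfer_ok(m, s)}")
    for rec in diff_zones(m, s)[0]:
        print("missing on slave:", *rec)
```

Feed it the master's file and the text produced by `named-checkzone -f raw -F text` on the slave; an empty diff and equal serials mean the change is safe to check in.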

Re: limiting number of requests of a single hosts

2012-06-15 Thread Sten Carlsen


On 15/06/12 16:37, Holemans Wim wrote:
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
> Network Services University of Antwerp
>
>
> One of the problems is that these firewalls are going to be replaced soon and 
> we don't want to spend too much effort in trying to fix what seems an annoying 
> side-effect of something caused by a DNS system. 
> We actually captured dns traffic around our AD server and where we see an 
> average of 500 dns packets/5s in/out in normal conditions, this drops to 
> about 100 for 20 seconds and then rises to 2000 dns packets/5sec causing our 
> resolving servers to send a multiple amount of requests to the outside world 
> killing the firewall.
One thing that comes to mind is: have you traced outside the firewall
with e.g. wireshark and looked at what precedes the burst? I am thinking
maybe the firewall makes a stop in the packet flow that will then
trigger the flood? Possibly caused by some table in the firewall being
overflowed, maybe even with unrelated traffic.

In this case, only one solution is possible.
> We now changed the settings on the AD server to only use 2 of the resolving 
> servers (which have a max recursive clients implemented) and checked the box, 
> saying that the AD server could do its own lookups if the forwarders are not 
> available.  
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"
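The pattern Wim describes (a steady rate, a 20 second lull, then a burst several times the normal rate, all traceable to one host) is easy to spot automatically from the resolver's own query log before the firewall does. The script below is an added Python example, not code from the thread: it parses BIND query-log lines, buckets them into the same 5 second windows, flags a window whose total exceeds a multiple of the recent median, notes whether a dip preceded it, and names the client that dominates the burst. The log lines are constructed to mirror the profile in the thread, with the AD server at the constructed address 10.0.0.50.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# BIND query-log line, e.g. "15-Jun-2012 16:00:00.000 client 10.0.0.1#40000: query: host0.example.com IN A + (192.0.2.53)"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} client "
    r"(?P<ip>[\d.]+)#\d+: query: (?P<name>\S+)")
EPOCH = datetime(1970, 1, 1)
WINDOW = 5          # seconds: the bucket size the thread's measurements use


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname) from BIND query-log lines; skip others."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"), m["ip"], m["name"]


def window_counts(events, window=WINDOW):
    """Map window index -> Counter of queries per client address."""
    buckets = defaultdict(Counter)
    for ts, ip, _ in events:
        buckets[int((ts - EPOCH).total_seconds()) // window][ip] += 1
    return buckets


def find_bursts(buckets, history=12, burst_factor=3.0, dip_factor=0.5, window=WINDOW):
    """Flag a window whose total exceeds burst_factor x the median of the preceding
    `history` windows, record whether a dip preceded it, and name the top client."""
    keys = sorted(buckets)
    totals = {k: sum(buckets[k].values()) for k in keys}
    alerts = []
    for i, k in enumerate(keys):
        past = [totals[h] for h in keys[max(0, i - history):i]]
        if len(past) < 3:
            continue                      # not enough history for a baseline yet
        baseline = sorted(past)[len(past) // 2]
        if totals[k] > burst_factor * baseline:
            ip, n = buckets[k].most_common(1)[0]
            alerts.append({
                "window_start": EPOCH + timedelta(seconds=k * window),
                "total": totals[k],
                "baseline": baseline,
                "dip_before": any(t < dip_factor * baseline for t in past[-4:]),
                "top_client": (ip, n),
            })
    return alerts


def constructed_log(start=datetime(2012, 6, 15, 16, 0, 0)):
    """Synthetic query log (constructed, not captured): 12 windows of 500 queries,
    4 windows of 100, then one window of 2000 dominated by the AD server."""
    lan = [f"10.0.0.{i}" for i in range(1, 11)]
    ad_server = "10.0.0.50"
    plan = [500] * 12 + [100] * 4 + [2000]
    lines = []
    for w, count in enumerate(plan):
        for n in range(count):
            ip = ad_server if (w == len(plan) - 1 and n % 10) else lan[n % len(lan)]
            ts = start + timedelta(seconds=w * WINDOW + (n * WINDOW) // count)
            lines.append(f"{ts:%d-%b-%Y %H:%M:%S}.{n % 1000:03d} client {ip}#{40000 + n}: "
                         f"query: host{n % 50}.example.com IN A + (192.0.2.53)")
    return lines


if __name__ == "__main__":
    for alert in find_bursts(window_counts(parse_query_log(constructed_log()))):
        print(alert)
```

With a real query log, replace constructed_log() with the file's lines; the top client of the burst window is the host to rate-limit or investigate, and dip_before tells you whether the lull Wim saw preceded it.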

Re: Slave DNS

2012-07-21 Thread Sten Carlsen

On 21/07/12 20:03, Jan-Piet Mens wrote:
>> I find it really annoying, if I have to ask every time the owner of the Slave,
>> to add a new zone.
> Assuming your version of BIND is new enough, look at `rndc addzone' with
> which you can add and remove zones at run-time w/out having to edit
> `named.conf'.
>
>
>
> -JP
>
IIRC that will add the zone to the master; the question, as I heard it, 
was how to add it to the slave server, to avoid disturbing the owner of 
the slave to manually edit the slave config.



I don't recall any possibility to do this; a new zone on the master may 
have its own set of slaves, unlike any previous, so there is no way to 
automagically stuff a new zone into "some" slaves.



-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: dns blacklist?

2012-07-26 Thread Sten Carlsen
3.51
> it-1.ns.nsatc.net.  172800  IN  A   8.12.209.47
> e.ns.nsatc.net. 172800  IN  A   212.187.162.134
>
> ;; Query time: 36 msec
> ;; SERVER: 194.120.12.245#53(194.120.12.245)
> ;; WHEN: Thu Jul 26 11:19:36 2012
> ;; MSG SIZE  rcvd: 233
>
> My guess is that ISP for thomascook.de tried to fool...err, fix the
> problem for his customer by adding some extra zones to his resolvers.
> My questions are - 'how is this supposed to work?' and 'it this kind
> of dns blacklisting common?'
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: 2 dns records for same server

2012-08-18 Thread Sten Carlsen
I have solved the same issue with views, one internal and one external in my 
case. I have the same names both internal and external and different IPs.

Views may become too complex in your case. ymmv


On 18/08/2012, at 14:49, Dwayne Hottinger wrote:

> I need to have 2 separate dns records for the same servername.  Essentially 
> when inside my network (10.)  I need it to resolve to a 10. ip address.  When 
> outside it needs to resolve to my public ip.   Everything I've done so far 
> with my dns records has returned 2 ip's.  In other words when doing a host 
> servername or nslookup servername I get both the external and internal ip's 
> of the server.  This seems to be causing issues with the applications on the 
> server.  Some computers inside my network are trying to connect to the public 
> ip (which is being natted from my firewall), those that are connecting are 
> extremely slow.  The slowness leads me to believe that they are first trying 
> the public ip before hitting the private.  
> 
> My dns is setup with a dns server inside my network (serving the 10) and 2 
> dns servers for my public ip's. My lan is setup so that each of my sites 
> (schools) is in a different dns zone.  What I want to happen is the url or 
> name of the server to be the same regardless of where the user is, either 
> inside or outside my network.   
> 
> So far I have tried setting up a separate zone file for my internal dns and 
> adding the entry to my external like I normally do.  This is what resolves 
> with 2 ip's.   Is there any way to get my dns servers to do this?   
> 
> thanks,
> 
> ddh
> 
> 
> -- 
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
> 

-- 
Best regards 
Sten Carlsen 


No improvements come from shouting: 
"MALE BOVINE MANURE!!!" 


Re: repeated several times request

2012-08-20 Thread Sten Carlsen

If I understand what your question is:
/etc/resolv.conf -> search / domain

Nothing to do with bind; the local resolver appends the search domain to check 
if that gives an answer, i.e. if you use short-form names.



On 20/08/12 16:03, Jose Manuel Delgado G. wrote:
> Bind 9.9.1-P2 I have installed on a server with Solaris 10, when a 
> client makes a query, this is repeated several times and it comes with 
> the domain installed in the client machine.
>
>  172.25.3.5 -> 172.25.3.11  DNS C samsungvuieventlog.vlingo.com. Internet  ?
>  172.25.3.11 -> 172.25.3.5   DNS R  Error: 3(Name Error)
>  172.25.3.5 -> 172.25.3.11  DNS C samsungvuieventlog.vlingo.com.cwpanama.com. Internet  ?
>  172.25.3.11 -> 172.25.3.5   DNS R  Error: 3(Name Error)
>  172.25.3.5 -> 172.25.3.11  DNS C samsungvuieventlog.vlingo.com. Internet Addr ?
>  172.25.3.11 -> 172.25.3.5   DNS R  Error: 3(Name Error)
>  172.25.3.5 -> 172.25.3.11  DNS C samsungvuieventlog.vlingo.com.cwpanama.com. Internet Addr ?
>  172.25.3.11 -> 172.25.3.5   DNS R  Error: 3(Name Error)
>
> also happened with earlier versions of Bind
> Thanks a lot!
> JM



--
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"


Re: ho to filter hundeds of domains ?

2012-08-31 Thread Sten Carlsen
Well, I believe the ideal answer is:
This will prevent the policy makers from accessing the "bad" pages, so this
is what we do to make them content.

If they cannot themselves work out a way around the wall we erect, they are
happy, and that essentially is the target of this whole exercise. (As I
see it.)

On 31/08/12 23:20, Kevin Darcy wrote:
> On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote:
>> On 08/31/2012 08:22 AM, Kevin Darcy wrote:
>>> On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
>>>>> Again, it's not about how effective the block is or can be. Unless
>>>>> Italy
>>>>> becomes like China or even worse (but the US had the chance end up
>>>>> almost in the same situation very recently, so this is NOT an
>>>>> Italian-only problem), there is no way to inhibit users from
>>>>> reaching a
>>>>> given resource on the Internet: if the user is motivated enough
>>>>> he/she
>>>>> will circumvent whatever you do, eventually assisted by the
>>>>> counterpart
>>>>> he/she is trying to reach...
>>>> We are in much the same situation in Norway. All the biggest ISPs use
>>>> a list of child porn domains to be blocked, specified by the central
>>>> police authorities. *In principle* implementing this is voluntary for
>>>> the ISPs. In practice there is significant pressure to do so.
>>>>
>>>> Both the police and the ISPs are fully aware that blocking this at the
>>>> DNS level (the ISP recursive resolvers) won't prevent somebody who is
>>>> determined. But the police (and the government) still want this done.
>>>>
>>>> I sometimes suspect their view is of the type "We must do something.
>>>> This is something, therefore we must do it."
>>>>
>>> Nothing is better than paradise.
>>> A ham sandwich is better than nothing.
>>> Therefore, a ham sandwich is better than paradise.
>>
>>
>> And you won't be able to afford that ham sandwich if you've been
>> terminated from your job because you didn't follow the law.  We all
>> have things in our jobs that we don't want to do but we do them
>> anyway.  All the ridiculous suggestions and snarky comments aren't
>> helping the original poster who mentioned these sites were considered
>> illegal and is looking for other ways to do this.
> Doesn't the Eurozone have bigger problems right now, than worrying
> about a few people looking at dirty pictures?
>
> In any case, what does the OP expect us to say here? "Yeah, here's a
> nifty way to violate the spirit of the whole DNS protocol"? It's one
> thing to acknowledge casually that DNS software can be abused by
> unscrupulous administrators as form of social control, it's quite
> another to ask technical experts to actually give details on how that
> abuse can be carried out; giving aid and comfort to the enemy, as it
> were. The OP should report to his boss that the technical community
> provides absolutely *NO*HELP* in this travesty, and therefore any
> "modifications" to the DNS to try and implement this "blocking" will
> be incredibly time-consuming and prone to breakage in unforeseen ways.
>
> - Kevin

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Host sometimes Succeeds with Empty Output

2012-09-14 Thread Sten Carlsen

Timeouts along the chain?

On 14/09/12 16:48, Martin McCormick wrote:
>
> I needed to delete the CNAME record of
> physicscourses.okstate.edu. After the deletion, the host command
> would silently exit successfully as if this alias was still
> there. I have seen this behavior a few times before but am not
> sure what triggers it as one normally gets the usual "host
> whatever.com not found" and host exits non zero.
>
> If I specifically command
>
> host -tCNAME physicscourses.okstate.edu
>
> I receive that there is no CNAME record named
> physicscourses.okstate.edu but host still exits as if successful
> in finding it.
>
> There is a www.physicscourses.okstate.edu CNAME record
> and this maybe has something to do with the unusual reply.
>
> I had a script that was using the return status of host
> and it works great guns unless you run in to this situation in
> which it thinks the alias still exists. This causes an infinite
> loop because it is waiting for the lookup to fail which it
> normally does as soon as the nsupdate command's results
> propagate out in a very short time.
>
> I did check our zone for any other records for
> physicscourses.okstate.edu which, of course, would be an error
> after having had a CNAME record of that name, but there were
> none.
>
> Thanks for any light you can shed on why host still thinks there
> is something there.
>
> Martin McCormick


--
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"


Re: Error Resolving / EDNS

2012-09-19 Thread Sten Carlsen


On 19/09/12 17:26, James Tingler wrote:
> Thanks for the reply Carsten.  This didn't make a difference but 
> potentially I'm using the parameter incorrectly (no errors though).
>
> same problems..
>
> Sep 19 15:25:22 PROD55-DNS2 named[3676]: success resolving 'cnn.com/A' 
> (in 'cnn.com'?) after disabling EDNS
> Sep 19 15:25:24 PROD55-DNS2 named[3676]: success resolving 
> 'ns3.timewarner.net/' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:24 PROD55-DNS2 named[3676]: success resolving 
> 'ns5.timewarner.net/A' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:24 PROD55-DNS2 named[3676]: success resolving 
> 'ns3.timewarner.net/A' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:24 PROD55-DNS2 named[3676]: success resolving 
> 'ns1.timewarner.net/' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:24 PROD55-DNS2 named[3676]: success resolving 
> 'ns1.timewarner.net/A' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:24 PROD55-DNS2 named[3676]: success resolving 
> 'ns5.timewarner.net/' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:26 PROD55-DNS2 named[3676]: success resolving 
> 'ns1.timewarner.net/' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:27 PROD55-DNS2 named[3676]: success resolving 
> 'ns5.timewarner.net/' (in 'timewarner.net'?) after disabling EDNS
> Sep 19 15:25:27 PROD55-DNS2 named[3676]: success resolving 
> 'ns3.timewarner.net/' (in 'timewarner.net'?) after disabling EDNS

So the other possibility is that "some" firewall/router on the path is 
being helpful and thinks it knows that DNS can only be 512 bytes, so 
this weird thing must be illegal and throws it away. This could be 
anywhere in the path, maybe outside your network, maybe only being used 
some of the time.




--
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"


Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Sten Carlsen

On 27/09/12 21:08, Spumonti Spumonti wrote:
> I just installed BIND 9.9.1-P3 from source and while looking through the 
> query log files I noticed that IP addresses were being resolved:
>
>
> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): query: 
> www.ibm.com ...
>
>
>
>
> In my other servers which are running the redhat packaged version of BIND 
> (9.8.2), my query logs look like:
>
> 27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...
To me this looks like a question about what IP is valid for
www.amazon.com, and the question was asked from 192.168.5.30. So
www.amazon.com IS the original question; so what you ask is to have the
answer in the log?
>
>
> The logging section of the configuration looks like:
>
>
> channel query_log {
>file "/var/log/queries/query-log" versions 100 size 1m;
>print-time yes;
> };
>
>
> category queries {
>query_log;
> };
>
>
> I'm sure there's something completely obvious that I've missed.  How do I 
> stop BIND from resolving these addresses and just including the IP address in 
> the log file?
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Exceptions for zones with DNS views

2012-10-22 Thread Sten Carlsen

On 22/10/12 9:32, Stefan Midjich wrote:
> I want to have an exception for certain zones that also exist in my
> main "wan" view.
>
> So I created an acl for the network that needs the exception.
>
> acl OtherNetwork {
>  10.0.2.192/28 <http://10.0.2.192/28>;
> };
>
> Then I made this block.
>
> view "OtherNetwork" {
>  match-clients { OtherNetworkClients; };
>  allow-recursion { OtherNetworkClients; };
>  include "/etc/bind/views/othernetwork.zones";
> };
>
> This worked for the othernetwork.zones, but if I request any zones
> outside of this view I get no response.
>
> I want requests for other zones to be forwarded to the "wan" view
> where the rest of the zones are. How can I accomplish this with Bind?
> The only solution I can see now is to copy and maintain hundreds of
> zones for each view, there must be an easier way.
You should look at each view as a separate server without any connection
to the other servers.

Your "OtherNetwork" server has no other information than what you show
here; your other networks will be resolved by normal recursion from the
root up.

The traditional solution here is to include a copy of the other zones
here, as separate files, not a reference to the same files, especially if
any kind of dynamic DNS is valid.
>
> -- 
> Hälsningar / Greetings
>
> Stefan Midjich
> [De omnibus dubitandum]
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Exceptions for zones with DNS views

2012-10-22 Thread Sten Carlsen

From the BIND ARM:

6.2.24 view Statement Definition and Usage

The view statement is a powerful feature of BIND 9 that lets a name
server answer a DNS query differently depending on who is asking. It
is particularly useful for implementing split DNS setups without having
to run multiple servers.

Each view statement defines a view of the DNS namespace that will be
seen by a subset of clients. A client matches a view if its source IP
address matches the address match list of the view's match-clients
clause and its destination IP address matches the address match list of
the view's match-destinations clause. If not specified, both
match-clients and match-destinations default to matching all addresses.
In addition to checking IP addresses match-clients and
match-destinations can also take keys which provide a mechanism for the
client to select the view. A view can also be specified as
match-recursive-only, which means that only recursive requests from
matching clients will match that view. The order of the view statements
is significant --- *a client request will be resolved in the context
of the first view that it matches.*

Your intranet view is recursive, hence it will resolve your "master
zones" from the root since they don't exist in the view.

My guess is that your DNS server is a hidden master and the recursion
will point to your slaves, which are not in the same machine and will
therefore give you the answer, possibly you will have the benefit from a
side effect of NAT, that in asking the external address, it will look
like you come from !localnets but from your external address.

Wireshark or similar could tell you exactly how the resolution happens,
I suggest you trace queries very carefully, noting both addresses of
every packet involved.

On 22/10/12 10:48, Stefan Midjich wrote:
> This seems very cumbersome to have copies of every single zone for
> every single view. That would quickly reach thousands of zones, all
> have to be maintained for every single change in a zone.
>
> I'm asking, are you sure? My first venture into views was my private
> router at home. It has very few zones but it has two views, one
> intranet and one wan (internet).
>
> Just to show an example, my wan view has domain1.se
> <http://domain1.se> and domain2.se <http://domain2.se>. My intranet
> view has domain1.se <http://domain1.se> and nothing else.
>
> domain1.se <http://domain1.se> in intranet and wan point to different
> IP-addresses, in intranet they're internal and in wan they're external.
>
> domain2.se <http://domain2.se> exists only in wan view and points to
> external IP-addresses.
>
> If I do a query from may LAN for server.domain1.se
> <http://server.domain1.se> I get an internal IP, if I do a query from
> my LAN for domain2.se <http://domain2.se> I get an external IP.
>
> That means I don't have a copy of domain2.se <http://domain2.se> in
> both views, but I can still get a response from BIND for domain2.se
> <http://domain2.se> from the lan and wan views.
>
> This is my configuration at home.
>
> acl lanClients {
>  192.168.22.0/24 <http://192.168.22.0/24>;
>  127.0.0.1;
> };
>
> view "intranet" {
>  match-clients { lanClients; };
>  recursion yes;
>  notify no;
>
>  // Standard zones
>  //
>  zone "." {
>   type hint;
>   file "etc/root.hint";
>  };
>
>  zone "domain1.se <http://domain1.se>" {
>   type master;
>   file "intranet/domain1.se <http://domain1.se>";
>  };
> };
>
> view "internet" {
>  match-clients { !localnets; any; };
>  recursion no;
>  allow-transfer { slaveDNS; };
>
>  include "master.zones";
> };
>
> The above configuration is just a snippet but it works the way I want.
> One zone exists in two views, it responds differently in intranet as
> opposed to wan. Another zone exists only in wan yet it responds
> correctly both from LAN and wan.
>
> I am unable to copy this configuration to two other name servers with
> hundreds of zones. This is my goal.
>
> 2012/10/22 Sten Carlsen <st...@s-carlsen.dk>
>
>
> On 22/10/12 9:32, Stefan Midjich wrote:
>> I want to have an exception for certain zones that also exist in
>> my main "wan" view.
>>
>> So I created an acl for the network that needs the exception.
>>
>> acl OtherNetwork {
>>  10.0.2.192/28 <http://10.0.2.192/28>;
>> };
>>
>> Then I made this block.
>>
>> view "OtherNetwork" {
>>  match-clients { OtherNetworkClients; };
>>  allow-recursion { OtherNetworkClie
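The view semantics explained above (the first view whose match-clients list matches wins, a negated entry such as !localnets rejects, and a zone absent from the selected view is recursed from the root rather than looked up in another view), together with the internal/external split Sten uses for the "2 dns records for same server" question, as an added Python model; this is not BIND code. It assumes the views and zones from the configuration quoted in this thread, models localnets as the 192.168.22.0/24 ACL (BIND derives it from the server's interfaces), and uses constructed addresses 192.168.22.5, 203.0.113.x and 198.51.100.20 for the records and the NAT router.

```python
import ipaddress

# ACLs as in the quoted configuration; 'localnets' is an assumption for this model
ACLS = {
    "lanClients": ["192.168.22.0/24", "127.0.0.1"],
    "localnets": ["192.168.22.0/24"],
}


def match(amlist, addr, acls=ACLS):
    """Evaluate a BIND address match list: elements are tested in order and the
    first one that matches decides; a matching '!' element means "does not match"."""
    ip = ipaddress.ip_address(addr)
    for element in amlist:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = match(acls[name], addr, acls)   # nested ACL
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


# Views in named.conf order, with the same zone carrying different data per view
# (record addresses are constructed)
VIEWS = [
    {"name": "intranet", "match-clients": ["lanClients"], "recursion": True,
     "zones": {"domain1.se": {"server.domain1.se": "192.168.22.5"}}},
    {"name": "internet", "match-clients": ["!localnets", "any"], "recursion": False,
     "zones": {"domain1.se": {"server.domain1.se": "203.0.113.10"},
               "domain2.se": {"www.domain2.se": "198.51.100.20"}}},
]


def select_view(client_addr, views=VIEWS):
    """A request is resolved in the context of the first view it matches."""
    for view in views:
        if match(view["match-clients"], client_addr):
            return view
    return None                       # no view matches: BIND refuses the query


def resolve(client_addr, qname, views=VIEWS):
    """Where the answer for qname comes from for a query arriving from client_addr:
    (source, view name, address or None)."""
    view = select_view(client_addr, views)
    if view is None:
        return ("refused", None, None)
    for zone, records in view["zones"].items():
        if qname == zone or qname.endswith("." + zone):
            return ("authoritative", view["name"], records.get(qname))
    if view["recursion"]:
        # Not a zone of this view: recursion starts from the root hints and never
        # consults the other view, even though it lives in the same named process
        return ("recursion-from-root", view["name"], None)
    return ("refused", view["name"], None)


if __name__ == "__main__":
    for client, name in [("192.168.22.10", "server.domain1.se"),
                         ("192.168.22.10", "www.domain2.se"),
                         ("203.0.113.5", "server.domain1.se"),
                         ("203.0.113.1", "www.domain2.se")]:   # LAN client seen via NAT
        print(client, name, "->", resolve(client, name))
```

The last case is the NAT side effect Sten guesses at: a LAN query that leaves through the router arrives from the public address, so it lands in the internet view and gets the external data.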

Re: forwarder is ignored when authoritative zone is added

2012-10-26 Thread Sten Carlsen

On 26/10/12 12:56, Ben Croswell wrote:
>
> The one thing I can think of off the top of my head is to ensure the
> child subdomain is properly delegated in the parent. If you try to
> zone level forward a child domain on a server that loads the parent it
> will ignore the forward if  it can see the child doesn't exist as a
> true delegation.
> I assume the logic is, why would I forward a subdomain I know doesn't
> exist.
>
I should think that internal.org... is properly delegated, so the
forward will not be concerned about a subdomain, only about the domain
that is actually forwarded. internal.org... will then be looked up in
the normal recursive way, so another forward statement might solve this
issue.
>
> -Ben Croswell
>
> On Oct 26, 2012 2:17 AM, "Frank Even" <lists+isc@elitists.org> wrote:
>
> I've recently had an issue that I'm having some issues finding
> information on solving.
>
> I have internal DNS resolvers...they act as recursive name servers for
> general internet queries, but we have forwarders explicitly defined
> for specific internal zones being served by other name servers.
>
> My configuration has one particular zone configured as such:
>
> zone "internal.organization.com
> <http://internal.organization.com>" IN { type forward; forward only;
> forwarders {172.x.x.x; 172.x.x.x; }; };
>
> I have our main zone, organization.com <http://organization.com>,
> hosted in an external area
> outside of a firewall with a wildcard record contained in it for
> anything that is not explicitly defined.  I have some services that I
> need to reach using names that are in this external zone internally.
> What I'm trying to do is to slave the organization.com
> <http://organization.com> zone to my
> internal recursive resolver to mitigate any possible network issues.
>
> So I setup the internal resolver as a slave for the
> "organization.com <http://organization.com>"
> zone and found that queries against "internal.organization.com
> <http://internal.organization.com>" were
> getting answered with the wildcard for the external
> "organization.com <http://organization.com>"
> zone.  I can't seem to figure out why the forwarders are getting
> ignored.  Is it an order of precedence, say authoritative zones are
> respected over forwarders...or something else??
>
> Thanks for any assistance anyone can provide, or point me to some
> documentation I'm missing,
> Frank
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: BIND and DNSSEC

2012-11-01 Thread Sten Carlsen


On 01/11/12 12:26, Alan Clegg wrote:
> On Nov 1, 2012, at 7:14 AM, Kobus Bensch wrote:
>
>> Is that because split horizon doubles admin or because it's bad altogether?
>>
>> I have been using split horizon for many years now and found it very useful. 
>> Any thoughts from any on the list would be most welcomed.
>
> Crafted for a private reply, but being re-used here:
>
> There are places that views/split-horizon fit the model that has been put into place.  It 
> does, however, break the "one-question, one-answer" concept that was 
> foundational for DNS.
>
> My recommendation is that for "internal" addressing, a separate zone be created that serves that 
> address space.  You gain a number of things from this, including easier debugging and better data security 
> (no-longer are you concerned about exactly what clients are seeing at "www.internal.example.com" 
> since you know that the only people able to resolve/route "internal.example.com" are the ones that 
> should be able to).
I believe that thinking is no longer valid with laptops moving around. I 
assume you don't have enough public addresses to give everything its own 
address; I don't, my servers work through a NAT. They are behind NAT 
partly for lack of IPs and partly because I want to keep their other 
ports away from accidental exposure to script kiddies; I know more 
concerted efforts will do more harm.


The typical server setup (for own servers) is that one name is used for 
setting up e.g. the mail server, the ideal situation for everybody is 
that whether I am in house or visiting you, if I have any internet 
access, I can read and send mail.


Now if there is an internal zone with a different name, how will you set 
up the mail client? The internal name is not accessible from outside and 
the external name is not present in the internal name space. -> two mail 
clients? Changing setups when moving between networks?


My solution is to have the exactly same names internally and externally, 
any client SW will just ask for the same server but the IP will differ 
with the network segment.


IPv6 will change all that of course.

> The problem lies in that over the years, people (usually the higher-ups) have been 
> trained (by us, the in-the-trench guys) that "www.example.com" can be one thing 
> internally and something else externally, or that their printer really _should_ be named 
> myprinter.example.com and not myprinter.internal.example.com.
>
> All the best,
> AlanC


--
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND and DNSSEC

2012-11-01 Thread Sten Carlsen

On 02/11/12 2:08, Barry S. Finkel wrote:
> On 11/1/2012 3:31 PM, Sten Carlsen  wrote:
>> The typical server setup (for own servers) is that one name is used for
>> setting up e.g. the mail server, the ideal situation for everybody is
>> that whether I am in house or visiting you, if I have any internet
>> access, I can read and send mail.
>>
>> Now if there is an internal zone with a different name, how will you set
>> up the mail client? internal name is not accessible from outside and
>> external name is not present in internal name space. -> two mail
>> clients? changing setups when moving between networks?
> In this case, either 1) you have one mail server at the external border
> and one mail server internal, or 2) the same MX record in the external
> and internal view. You can have a common records file that you
> $INCLUDE in both views.
> --Barry Finkel

This will work for smtp service, I see a host of interesting issues with
IMAP service. Two mail servers that must be synchronized within a
minute, I don't think that is standard.

The simple solution (small scale) is to have one server, sitting
internally or in the DMZ; the internal address record points to the
192.168.x.x address and the external address record points to the public
address of the router, which then has a virtual server set up for it.
This works flawlessly; I never consider if I am in or out of the house.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

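The single-server-behind-NAT setup Sten describes, combined with Barry's $INCLUDE trick for the records that are identical in both views, written out as an added named.conf example. This is not from the thread or from ISC; every name, address, path and the acl "internals" are made up, and the three files are shown in one listing:

```conf
// Added example, not from the thread: split-horizon views for example.com
// sharing one $INCLUDE'd records file. All names, addresses and paths are
// made up.

acl "internals" { 127.0.0.0/8; 192.168.1.0/24; };

// Views are tried in the order written; the first match-clients that matches
// the query's source address wins, so the narrow internal view comes first.
view "internal" {
    match-clients { internals; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.internal";
        allow-transfer { internals; };          // internal secondaries only
    };
};

view "external" {
    match-clients { any; };                     // everything not matched above
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.external";
        allow-transfer { 203.0.113.3; };        // the public secondary only
    };
};

// ---- /etc/bind/zones/example.com.common  (shared by both views) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2012110101      ; serial: bumped in one place for both views
                7200 900 1209600 3600 )
@       IN NS   ns1.example.com.
@       IN MX   10 mail.example.com.

; ---- /etc/bind/zones/example.com.internal ----
$INCLUDE /etc/bind/zones/example.com.common
ns1     IN A    192.168.1.2
mail    IN A    192.168.1.10        ; the one IMAP/SMTP box, on the LAN

; ---- /etc/bind/zones/example.com.external ----
$INCLUDE /etc/bind/zones/example.com.common
ns1     IN A    203.0.113.2
mail    IN A    203.0.113.10        ; router's public address, port-forwarded to 192.168.1.10
```

Two things to keep in mind with this shape. Keeping the SOA in the shared file means one serial bump reaches both views, so the secondaries of both views notice the change. And a secondary that pulls "example.com" receives whichever view its transfer source address matches, which is exactly how a public secondary ends up serving 192.168.x.x records: keep its address out of the "internals" acl, or select views by TSIG key (match-clients { key some-key; ... };) so a transfer can never land in the wrong view.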

Re: User wanting to use a .local domain to host DNS

2012-11-14 Thread Sten Carlsen

On 14/11/12 17:50, btb wrote:
> On 2012.11.14 10.02, King, Harold Clyde (Hal) wrote:
>> I'm a bit confused by a user request. I think he is trying to keep some
>> hosts on the private side of DNS, but he wants to use a DNS name like
>> host.sub.local. I do not know of the use of the .local TLD except in
>> bonjure. Can anyone shed some light on the use of the .local TLD?
>
> this is a bad idea, plain and simple.  don't do it.  .local is
> reserved [as others have mentioned] for mdns/zeroconf, and while there
> may still be some undulation in the various documents which
> standardize it, it is in active, relatively prevalent use today.
>
> i repeatedly see demonstrable, reproducible problems which manifest in
> "mysterious" symptoms to those who do not understand the difference
> between dns and name resolution.  while dns itself does not care in
> the slightest what string a person might choose to use in a label
> [given of course the constraints of character sets in general], the
> various name resolution mechanisms used by a system's stub
> resolver/libraries risk being short circuited [dependent on the
> specifics of the configuration] by the mdns resolution mechanism if
> there is a .local reference.
I did this one time long ago, with the result that all Macs in the
network stopped working properly; they actually use that tld for their
own purposes. Once I switched to .home, everything started to work again
as expected.

So as others said: Don't Do This!  -  at least if you value your sleep.
>
> while there are no formally established "private" tlds, the closest
> thing to a consensus is to user either .site or .internal for this
> sort of thing.  that being said - i question the "necessity" of a
> special "internal" domain.  not only is it likely to generate
> confusion for users, rarely is this truly necessary, with the trivial
> expense of domain names [not to mention the probability of existing
> ownership anyway] and mechanisms like split horizon/views.
>
> -ben

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Sten Carlsen

On 15/11/12 15:39, Carsten Strotmann wrote:
> Phil Mayers  writes:
>
>> On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:
>>> I'm a bit confused by a user request. I think he is trying to keep some
>>> hosts on the private side of DNS, but he wants to use a DNS name like
>>> host.sub.local. I do not know of the use of the .local TLD except in
>>> bonjure. Can anyone shed some light on the use of the .local TLD?
>> Pick a private sub-domain of a *real* domain that *you* own e.g. if
>> you are "example.com", pick:
>>
>> sub.private.example.com
> From my experience I recommend the solution Phil is describing. While
> using a private top level domain is technically possible, I have seen too
> many DNS admins that do not understand the implications and end up with
> a system that is a burden for the local network and as well a burden for
> the root-server system in the Internet.
>
>
> A private subdomain of a delegated DNS domain owned by the company
> (organization, individual) is much safer, and simpler to set up, and
> serves the same purpose.
I will certainly agree, my story about changing .local to .home to make
things work again has a continuation that I eventually use the same
domain inside the nat and outside, with a split DNS. It gives a bit more
work for DNS administration but makes life very easy for clients, they
see no difference because the names are the same but resolve to
different IPs. I believe the load on the roots is not influenced by this.

If having different internal and external domains gives problems this is
a possibility, if the purpose is to isolate internal vs. external hosts,
use different subdomains.

Just my 0.02$
>
> -- Carsten

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Performance tuning

2012-11-26 Thread Sten Carlsen

On 26/11/12 19:12, Adamiec, Lawrence wrote:
> To the best of my knowledge, there are no problems with our DNS.  We
> only host 25 domains.
>
> The report must also address these two specific questions:
>
>  1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in any browser?
>  2. What happens if we remove the forwarders option from named.conf?
>
> I can't duplicate the issue in Q1 and I'm trying to determine a way of
> testing Q2.
In my browser the speeds are opposite, in both cases the key time is
spent waiting for the web server.

Case 2: if your DNS server has access to the internet, you will likely
see an increase in speed. There are some test suites to test the general
lookup speeds of servers; try with and without forwarders. I guess your
numbers are better without, but nobody will notice any difference in real
life. In some cases there is some blocking of specific sites in place;
that you will lose with no forwarder.
>
> Larry
>
>
> On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton  <mailto:do...@dougbarton.us>> wrote:
>
> What a delightfully vague requirement. :)
>
> I would push back a bit on exactly what problems are attempted to be
> solved here. The BIND defaults are about as efficient as they can be,
> especially so in later versions.
>
> Doug
>
>
> On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
> > Hi,
> >
> > I have been tasked with authoring a DNS report "to achieve optimal
> > performance."  The report must include:
> >
> > CPU usage
> > memory usage
> > bandwidth usage
> > throughput
> > latency
> >
> > I have found some information regarding the number of queries
> processed
> > per minute but nothing of value for the above areas.
> >
> > Is there some documentation that discusses the above areas?
> >
> > We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server.  My
> > report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1
> >
> > Thank you in advance.
> >
> > Larry
> >
> > Lawrence Adamiec
> > UNIX Mgr
> > IIT Chicago-Kent College of Law
>
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Performance tuning

2012-11-26 Thread Sten Carlsen

On 26/11/12 19:23, Lightner, Jeff wrote:
>
> For question 1:
>
> "Loading" is a function of the web site not DNS.  Your first question
> could have to do what the default site is in your web configuration
> and what kind of rewrite rules are getting you to the other.
>
>  
>
> If it were me I'd probably do some timed "host" or "dig" commands for
> the two records to verify name resolution itself wasn't a problem.  
>
>  
>
> I guess it MIGHT be a minutely slower to resolve www if it is a CNAME
> to the other as opposed to both being A records.   However, since this
> is a fairly common practice I doubt it is likely to be of major
> importance in overall timing.
>
I checked with Firebug: DNS is in ms, and loading the first file was 1.53s
and 3.07s in the two cases (the file is 9.7kB), so external access does
not depend on fast DNS; you need to focus on the web server.
>
>  
>
> *From:*bind-users-bounces+jlightner=water@lists.isc.org
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] *On
> Behalf Of *Adamiec, Lawrence
> *Sent:* Monday, November 26, 2012 1:13 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: Performance tuning
>
>  
>
> To the best of my knowledge, there are no problems with our DNS.  We
> only host 25 domains.
>
>  
>
> The report must also address these two specific questions:
>
>  
>
>  1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in any browser?
>  2. What happens if we remove the forwarders option from named.conf?
>
> I can't duplicate the issue in Q1 and I'm trying to determine a way of
> testing Q2.
>
>  
>
> Larry
>
>  
>
> On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton  <mailto:do...@dougbarton.us>> wrote:
>
> What a delightfully vague requirement. :)
>
> I would push back a bit on exactly what problems are attempted to be
> solved here. The BIND defaults are about as efficient as they can be,
> especially so in later versions.
>
> Doug
>
>
> On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
> > Hi,
> >
> > I have been tasked with authoring a DNS report "to achieve optimal
> > performance."  The report must include:
> >
> > CPU usage
> > memory usage
> > bandwidth usage
> > throughput
> > latency
> >
> > I have found some information regarding the number of queries processed
> > per minute but nothing of value for the above areas.
> >
> > Is there some documentation that discusses the above areas?
> >
> > We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server.  My
> > report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1
> >
> > Thank you in advance.
> >
> > Larry
> >
> > Lawrence Adamiec
> > UNIX Mgr
> > IIT Chicago-Kent College of Law
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Querying directly a nameserver works, while forwarding not

2012-12-05 Thread Sten Carlsen


On 05/12/12 18:29, Hauke Lampe wrote:
> On 05.12.2012 14:59, Daniele Imbrogino wrote:
>
>> resolv.conf contains only 127.0.0.1 as nameserver.
>>
>> The syslog contains a lot of errors as "insecurity proof failed", "no valid
>> RRSIG", "got insecure response" that I don't understand.
>
> Your forwarder probably doesn't handle DNSSEC responses well.
> Therefore your BIND cannot validate the answers and returns a failure
> code.
>
> Either update the forwarder/enable DNSSEC (older versions of BIND 9
> require "dnssec-enable yes;" in the options clause), or disable DNSSEC
> validation in your local BIND (set "dnssec-validation no;").
Or consider not doing forwarding, that usually gives fewer problems if
possible.
>
> Hauke



--
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"

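Hauke's two options and Sten's "no forwarding" alternative as named.conf fragments, added here as an example that is not from the thread or from ISC. 192.0.2.53 stands for the ISP's forwarder and 192.168.0.0/16 for the local clients; both are made up:

```conf
// Added example, not from the thread. Shape 1: forward everything but keep
// validating. This only works when the forwarder itself speaks EDNS0 and
// passes RRSIG/DS records through unchanged; a forwarder that strips them
// produces exactly the "insecurity proof failed" / "no valid RRSIG" lines
// from the syslog, because the validator never sees the proof it needs.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 127.0.0.0/8; 192.168.0.0/16; };   // local clients only
    forwarders { 192.0.2.53; };        // placeholder for the ISP resolver
    forward only;                      // never fall back to iterating ourselves
    dnssec-validation auto;            // BIND 9.8+: built-in root trust anchor
                                       // (older releases also needed
                                       //  "dnssec-enable yes;")
};

// Shape 2 (Sten's preference): drop the forwarders and iterate from the root
// hints. Validation then depends only on the authoritative servers, which is
// what DNSSEC was designed around. Same options block without the two
// forward lines, plus the hint zone:
//
// options {
//     directory "/var/cache/bind";
//     recursion yes;
//     allow-recursion { 127.0.0.0/8; 192.168.0.0/16; };
//     dnssec-validation auto;
// };
// zone "." { type hint; file "/etc/bind/db.root"; };
//
// Hauke's third option, "dnssec-validation no;", also makes the symptom go
// away, at the price of accepting unsigned or forged answers for everything;
// it is a useful one-minute diagnostic to confirm the forwarder is the cause,
// not the configuration to leave in place.
```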

Re: Querying directly a nameserver works, while forwarding not

2012-12-06 Thread Sten Carlsen
My next move would be to look for issues in the network, I would look at
what wireshark can sniff out. I would look for packets with errors. The
purpose is to find out if the network is mangling packets.


On 06/12/12 16:46, Daniele Imbrogino wrote:
> I'm testing new configuration on VirtualBox following the advice of
> not forwarding.
> Furthermore, I exclude any reference to DNSSEC.
>
> So, in these conditions and assuming an empty cache, if I query for a
> remote domain name, my server should query a root-server and then
> iterate, right?
> Well, Wireshark shows me outcoming queries and incoming responses
> to/from root-servers, but "dig www.apple.com" (for example) fails with a timeout.
>
> "syslog" has a lot of "DNS format error ... non-improving referral"
> and "error (FORMERR) resolving" entries.
>
> This is my very vary basic "named.conf" file
>
> options {
> directory "/var/cache/bind";
> };
>
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> I've also updated "db.root" from ftp.internic.net/domain/db.cache
>
>
> 2012/12/5 Sten Carlsen mailto:st...@s-carlsen.dk>>
>
>
> On 05/12/12 18:29, Hauke Lampe wrote:
>> On 05.12.2012 14:59, Daniele Imbrogino wrote:
>>
>>> resolv.conf contains only 127.0.0.1 as nameserver.
>>>
>>> The syslog contains a lot of errors as "insecurity proof
>>> failed", "no valid
>>> RRSIG", "got insecure response" that I don't understand.
>>
>> Your forwarder probably doesn't handle DNSSEC responses well.
>> Therefore your BIND cannot validate the answers and returns a
>> failure code.
>>
>> Either update the forwarder/enable DNSSEC (older versions of BIND
>> 9 require "dnssec-enable yes;" in the options clause), or disable
>> DNSSEC validation in your local BIND (set "dnssec-validation no;").
> Or consider not doing forwarding, that usually gives fewer
> problems if possible.
>
>>
>>
>>
>> Hauke
>>
>
> -- 
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>"MALE BOVINE MANURE!!!" 
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: is there a also-allow-transfer

2012-12-13 Thread Sten Carlsen

On 13/12/12 9:46, Feng He wrote:
> Hello Mark,
>
> My named.conf looks as:
>
> acl "NAMESVR" { 74.81.81.82; };
NAMESVR is an acl, it could look like {74.81.0.0/16} or {any}

Essentially it is a kind of bitmask, not a list of IPs.
>
> options {
>   directory "/var/cache/bind";
>   recursion no;
>   version "unknown";
>   allow-transfer { NAMESVR; };
>   also-notify { NAMESVR; };
All notifies must have a list of IPs; if the acl was any, you would have
to notify the full internet. The mechanism is designed to accept only a
list of IPs. It can not accept an acl.
>   allow-update { 127.0.0.1; };
> };
>
>
> # zone begins
> zone "test.com" {
>   type master;
>   file "/var/cache/bind/test.com.db";
>   allow-transfer { NAMESVR; 74.81.81.81; };
>   also-notify { NAMESVR; 74.81.81.81; };
> };
>
>
> When I run named-checkconf I got the error:
>
> # named-checkconf
> /etc/bind/named.conf:8: expected IP address near 'NAMESVR'
>
> Please help. Thanks.
>
>
>
>
> 于 2012-12-13 15:23, Mark Andrews 写道:
>> In message <50c9818e.2060...@nsbeta.info>, Feng He writes:
>>> Hello,
>>>
>>> I have the allow-transfer{} section in the global options{} block.
>>>
>>> But for a special zone, I want to include another IP to allow transfer
>>> besides the global IPs.
>>>
>>> Is there a also-allow-transfer option in BIND?
>>> If not how to control this?
>> acl xxx { };
>>
>> options {
>>  allow-transfer { xxx; };
>> };
>>
>> zone "yyy" {
>>  allow-transfer { xxx; extra; };
>> };
>>
>>> Thanks.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: is there a also-allow-transfer

2012-12-13 Thread Sten Carlsen

On 13/12/12 10:09, Feng He wrote:
> Thanks.
>
> So how to handle the case described as below?
>
> We already have the also-notify{} section in the global options{} block.
>
> But for a special zone, just want to include another IP to also-notify
> besides the global IPs.
>
>
>
>
> 于 2012-12-13 17:00, Sten Carlsen 写道:
>> On 13/12/12 9:46, Feng He wrote:
>>> Hello Mark,
>>>
>>> My named.conf looks as:
>>>
>>> acl "NAMESVR" { 74.81.81.82; };
>> NAMESVR is an acl, it could look like {74.81.0.0/16} or {any}
>>
>> Essentially it is a kind of bitmask, not a list of IPs.
>>> options {
>>>directory "/var/cache/bind";
>>>recursion no;
>>>version "unknown";
>>>allow-transfer { NAMESVR; };
>>>also-notify { NAMESVR; };
>> All notifys must have a list of IPs, if the acl was any, you would have 
>> to notify the full internet. The mechanism is designed to accept only a 
>> list of IPs. It can not accept an acl.
also-notify{ 74.81.81.82;}
>>>allow-update { 127.0.0.1; };
>>> };
>>>
>>>
>>> # zone begins
>>> zone "test.com" {
>>>type master;
>>>file "/var/cache/bind/test.com.db";
>>>allow-transfer { NAMESVR; 74.81.81.81; };
also-notify { 74.81.81.82; 74.81.81.81; };
>>> };
>>>
>>>
>>> When I run named-checkconf I got the error:
>>>
>>> # named-checkconf
>>> /etc/bind/named.conf:8: expected IP address near 'NAMESVR'
>>>
>>> Please help. Thanks.
>>>
>>>
>>>
>>>
>>> 于 2012-12-13 15:23, Mark Andrews 写道:
>>>> In message<50c9818e.2060...@nsbeta.info>, Feng He writes:
>>>>> Hello,
>>>>>
>>>>> I have the allow-transfer{} section in the global options{} block.
>>>>>
>>>>> But for a special zone, I want to include another IP to allow transfer
>>>>> besides the global IPs.
>>>>>
>>>>> Is there a also-allow-transfer option in BIND?
>>>>> If not how to control this?
>>>> acl xxx { };
>>>>
>>>> options {
>>>>allow-transfer { xxx; };
>>>> };
>>>>
>>>> zone "yyy" {
>>>>allow-transfer { xxx; extra; };
>>>> };
>>>>
>>>>> Thanks.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: is there a also-allow-transfer

2012-12-13 Thread Sten Carlsen
Well, you can NOT use an ACL in any form of notify.

This topic has been discussed a number of times, look in the archives.

BTW: I would think programming a solution from e.g. a database would be
easy.

On 13/12/12 10:43, Feng He wrote:
> This would be easy by hand, but not by programming, since I have lots of
> zones for updates :)
>
> 于 2012-12-13 17:35, Sten Carlsen 写道:
>> also-notify { 74.81.81.82; 74.81.81.81; };

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

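Feng's named.conf with the two kinds of list told apart, as an added example that is not from the thread or from ISC; it serves both Sten's first reply (acl versus address list) and this one (the zone-level override). The acl name "NAMESVR" and the 74.81.81.x addresses are Feng's; "secondaries" and the second zone are made up:

```conf
// Added example, not from the thread. An acl is an address match list: it may
// hold prefixes, "any"/"none", TSIG key names and other acls, and is only
// meaningful where BIND matches a peer against it (allow-transfer,
// allow-query, match-clients...). also-notify is an address list: it names
// the hosts to send NOTIFY to, so it takes literal addresses, not an acl.
acl "NAMESVR" { 74.81.81.82; };

options {
    directory "/var/cache/bind";
    recursion no;
    version "unknown";
    allow-transfer { NAMESVR; };        // match-list context: acl name is fine
    also-notify { 74.81.81.82; };       // address-list context: literal address
    notify explicit;                    // optional: notify only the listed
                                        // addresses, not every NS in the zone
    allow-update { 127.0.0.1; };
};

zone "test.com" {
    type master;
    file "/var/cache/bind/test.com.db";
    // Zone-level statements replace the global ones, they do not append, so
    // the global entries must be repeated alongside the extra address.
    allow-transfer { NAMESVR; 74.81.81.81; };
    also-notify { 74.81.81.82; 74.81.81.81; };
};

// Newer BIND (9.9 and later) lets also-notify reference a named masters list,
// which gives the reusable list Feng wanted; it is still not an acl:
// masters "secondaries" { 74.81.81.82; 74.81.81.81; };
// zone "test2.com" {
//     type master;
//     file "/var/cache/bind/test2.com.db";
//     also-notify { secondaries; };
// };
```

The practical difference matters for the error Feng saw: named-checkconf rejects "NAMESVR" inside also-notify precisely because it is resolving an address list and finds a name where an address belongs. Generating the per-zone stanzas from a database, as Sten suggests, is straightforward once the template repeats the global addresses in each zone's list.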

Re: How can I migrate my Domain from ISP hosted to my own BIND server?

2012-12-14 Thread Sten Carlsen
You can find an external DNS provider (I use one that is free) and have
them slave your zones. Just make your TTLs suitable, so even if your own
server dies, the zones will be served from the provider for weeks.

Changes will propagate fast.


On 14/12/12 11:40, Mark Andrews wrote:
> In message 
> 
> , Manish Rane writes:
>> Hi Team,
>>
>> I need to migrate my domain which is hosted at my ISP on to my own
>> internal BIND server and have my own NS record. Does anyone steps I
>> need to take care of or complete procedure?
> 1. take a copy of the zone and make your server a master for it.
> 2. set up new slaves from the new master.
> 3. make the old master a slave from this new master.
> 4. add the new NS records and associated addresses records.
> 5. wait for the old NS RRset to clear the caches as well as any negative
>cache entries for the address records for the new servers.
> 6. update the parent NS RRset to be the final state.  Add glue as necessary.
>remove old glue records that are no longer necessary.
> 7. remove the old NS records from the zone. 
> 8. wait for the combined NS RRset to clear caches.
> 9. decommision old nameservers.
>
>
>> --
>> Thanks and Regards,
>> Manish R

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

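The named.conf side of steps 1 to 3 of Mark's list, added here as an example that is not from the thread or from ISC. 203.0.113.10 is the new master, 203.0.113.20 the new secondary and 198.51.100.53 the ISP's old master; all three and the key are made up placeholders:

```conf
// Added example, not from the thread. Fragments for three servers, shown in
// one listing; addresses and the key secret are placeholders (generate a real
// secret with tsig-keygen and install the same key stanza on every server).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// --- Step 1, on 203.0.113.10: become master from a copy of the ISP's zone ---
zone "example.com" {
    type master;
    file "/var/cache/bind/example.com.db";      // the copied zone data
    allow-transfer { key xfer-key; };           // only signed AXFR/IXFR requests
    also-notify { 203.0.113.20; 198.51.100.53; }; // step 2 and step 3 servers
    notify explicit;
};

// --- Step 2, on 203.0.113.20: new secondary of the new master ---
zone "example.com" {
    type slave;
    file "/var/cache/bind/example.com.db";
    masters { 203.0.113.10 key xfer-key; };     // sign transfer requests
    allow-transfer { none; };                   // nobody pulls from a secondary
};

// --- Step 3, on the old ISP server 198.51.100.53: demote it to secondary ---
// Identical to the step 2 stanza. From here on steps 4 to 8 are edits to the
// NS RRset in the zone file and at the parent, not to named.conf, and step 9
// is removing the stanza above from the old server once caches have aged out.
```

Binding transfers to a TSIG key rather than to source addresses is what keeps step 3 safe: the ISP's server keeps answering from a copy it can no longer edit, and nothing else on the internet can pull or push the zone while the NS set is in flux.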

Re: "Short" domains...

2012-12-17 Thread Sten Carlsen

On 17/12/12 17:14, Ray Van Dolson wrote:
> On Mon, Dec 17, 2012 at 11:09:57AM -0500, wbr...@e1b.org wrote:
>> Ray wrote on 12/17/2012 11:04:19 AM:
>>
>>> zone "selfservice" {
>>> type forward;
Forward only; ??
>>> forwarders { adserver; };
>>> };
>> Does this work?
>>
>> zone "selfservice." {
>>
> Nope -- had tried that as well with no luck.  Same symptoms.
>
> Ray

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: query about EDNS UDP Packet

2012-12-31 Thread Sten Carlsen
It means that something in your path limits packet size. That could
likely be a firewall or router with a "helpful" function to pass DNS
packets on; only it thinks that a DNS packet can only be 512 bytes long.

On 31/12/12 10:49, Gaurav Kansal wrote:
>
> Hello Team,
>
>  
>
> I am getting too many entries for reducing the EDNS Packet size to 512
> bytes in my log file.
>
> For Eg:
>
>  
>
> Dec 31 03:07:20 IPv6-DNS named[3769]: success resolving
> 'dns1.vps.net/A' (in 'vps.net'?) after reducing the advertised EDNS
> UDP packet size to 512 octets
>
> Dec 31 03:07:21 IPv6-DNS named[3769]: success resolving
> 'ad.metanetwork.com/A' (in 'metanetwork.com'?) after reducing the
> advertised EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:25 IPv6-DNS named[3769]: success resolving
> 'geo.admetanetwork.com/A' (in 'admetanetwork.com'?) after reducing the
> advertised EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving
> 'tomcat.apache.org/A' (in 'apache.org'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving
> 'www.apache.org/A' (in 'apache.org'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving
> 'issues.apache.org/A' (in 'apache.org'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving
> 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving
> 'ns2.surfnet.nl/' (in 'surfnet.nl'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving
> 'ns2.surfnet.nl/A' (in 'surfnet.nl'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving
> 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the
> advertised EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving './NS' (in
> '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving
> 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
>
> Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving
> 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the
> advertised EDNS UDP packet size to 512 octets
>
>  
>
> On googling for this, I got to know that this come when remote DNS
> Server doesn't support EDNS0 (i.e., packet size upto 4096 bytes).
>
>  
>
> Now I want to know whether my DNS Server supports EDNS0 for incoming
> request or not.
>
> I use the '*OARC's DNS Reply Size Test Server' *for the same and I got
> the below mentioned O/P:
>
>  
>
> #dig +short rs.dns-oarc.net txt
>
> rst.x476.rs.dns-oarc.net.
>
> rst.x450.x476.rs.dns-oarc.net.
>
> rst.x490.x450.x476.rs.dns-oarc.net.
>
> "Tested at 2012-12-31 09:40:11 UTC"
>
> "164.100.1.206 sent EDNS buffer size 4096"
>
> "164.100.1.206 DNS reply size limit is at least 490"
>
>  
>
> Does this mean that my server is not supporting EDNS0 ???
>
>  
>
>  
>
> Thanks and Regards,
>
> Gaurav Kansal
>
> Mob -- 9910118448
>
>  
>
> Happy New Year 2013.
>
> IPv4 is Over,
>
> Are your ready for new Network.
>
>  
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: query about EDNS UDP Packet

2012-12-31 Thread Sten Carlsen
With the replies you have shown, the limitation is very likely within
your own walls.

While it is possible that some router on the path between you and the
test server limits the packet size, I would say it is very likely not
the case, much less than 1% probability - according to my experience.

I would use a sniffer along the path between each
switch/router/firewall/xx until you either don't see the longer edns0
packets or some other evidence (could be some ICMP message) shows you
that this is the place.

I would also search for keywords like: DNS EDNS0 truncate.

Good hunting.

On 31/12/12 15:07, Phil Mayers wrote:
> On 12/31/2012 10:54 AM, Gaurav Kansal wrote:
>> I just want to test whether this limit is within my organization.
>>
>> Is any method available by which I can check this?
>>
>
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

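A way to do the hop-by-hop check Sten describes without a sniffer is to send the same EDNS0 query from each vantage point (the host, inside the firewall, outside it) and look at what comes back. The Python below is an added example, not code from this thread or from dns-oarc: it builds a query with an OPT record advertising a chosen UDP payload size, and inspects a reply for the TC bit, the responder's advertised EDNS size and the raw reply length. `make_sample_reply` constructs a fake reply for offline use; the server address in `probe()` is an assumption.

```python
"""Probe EDNS0 reply-size handling from a given vantage point (added example)."""
import socket
import struct

TYPE_TXT, TYPE_OPT = 16, 41


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_edns_query(qname: str, qtype: int = TYPE_TXT, udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """DNS query with an EDNS0 OPT pseudo-RR in the additional section.

    In an OPT record the CLASS field carries the sender's UDP payload size;
    that is the "sent EDNS buffer size 4096" the OARC test reports back.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # root name, type OPT, class = payload size, ttl = ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) wire-format name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def analyze_reply(msg: bytes) -> dict:
    """Extract the fields that matter when chasing a reply-size limit."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            edns_size = rclass
        off += 10 + rdlen
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "truncated": bool(flags & 0x0200),  # TC set: responder could not fit the answer
        "edns_udp_size": edns_size,          # None: the reply carried no OPT record at all
        "reply_bytes": len(msg),
    }


def probe(server: str, qname: str, udp_size: int = 4096, timeout: float = 3.0) -> dict:
    """Send the query over UDP and analyze the reply. Repeat from each network
    segment; the first segment where large replies vanish or arrive with TC
    set is where the limiting device sits."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_edns_query(qname, udp_size=udp_size), (server, 53))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    return analyze_reply(data)


def make_sample_reply(txid: int = 0x1234, truncated: bool = False,
                      with_opt: bool = True, udp_size: int = 1232) -> bytes:
    """Constructed reply for offline use; not captured from a real server."""
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name("rst.x476.rs.dns-oarc.net") + struct.pack("!HH", TYPE_TXT, 1)
    txt = b"192.0.2.1 DNS reply size limit is at least 490"  # constructed text
    rdata = bytes([len(txt)]) + txt
    # owner name is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)) if with_opt else b""
    return header + question + answer + opt


if __name__ == "__main__":
    print(analyze_reply(make_sample_reply()))
    # Live use (assumed resolver address): probe("127.0.0.1", "rst.x476.rs.dns-oarc.net")
```

Compare `reply_bytes` and `truncated` across vantage points: a reply that is large and untruncated on the server but small or truncated one hop out means the box between them is rewriting or dropping EDNS; a reply with `edns_udp_size` of None means something stripped the OPT record entirely.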

Re: Logging

2013-01-08 Thread Sten Carlsen

On 08/01/13 14:19, Timothe Litt wrote:
>> 1. Should ISC change the default logging for lame servers to disabled?
>
> Well, since you asked:  the lame server logging goes back to when the
> internet was a small, collegial place and one wrote a quick note to a
> friend to fix these issues.  And people who accidentally had a lame
> server were embarrassed.  Those days, sadly, are gone.
>
> The current logging only tells the victim why a query failed; it's
> pretty much useless unless troubleshooting a persistent, impactful
> problem.  And at that point, it's easy enough to turn on for the
> duration. So I'd vote for disabled - and the ability to enable for
> resolution of queries to specific domains/nameservers via rndc for
> troubleshooting.
>
> What I think would be more useful is if named actually reported the
> issues to where they'd do some good.  Perhaps a DNS extension "I got
> an invalid message from you" - so it shows up in the log of the server
> (and administrator) with the problem.  (I'd worry about denial of
> service, though if the server is in fact lame, it's not providing
> service - at least to that zone .  Abuse of the reporting mechanism is
> the main risk, and avoiding it would take some careful engineering.)
If you have a lame server my guess is that the logs of that server are
never looked at, rather the server is neglected completely, forgotten.
The place to talk to is the next level up, they should probably stop
referring to the lame server and might be the people caring about
whether their web site is reachable.
It has been seen a number of times that, say 5 servers have been
delegated to and only 3 of those actually answer, the other 2 were there
for "historical reasons" (nobody knew why, so better not change).
>
> Or, perhaps logged to a 'troubled' list of nameservers like the email
> RBL blacklists.  People don't like being on 'bad citizen' lists, so if
> that list sent the whois registered technical contact for the domain
> an e-mail once a week in addition to making the list public... maybe
> some shame would work.   But it's probably a dream. And there'd be a
> lot of fingers pointed at client firewalls...
>
> Since choice 2 is out-of-band, it would be a lot easier to put in
> place - if someone (ISC?) volunteered to host the list...
>
> In general, logging is most useful when the data goes to someone who
> can do something about it.  Logging at the victim is useful for
> isolating a problem - but if no-one is actually troubleshooting (and
> won't), it's largely wasted.
>
> DNSSEC is another area where issues need to be forwarded to the
> source, not the victim.
>
> That's my 3 cents.
Up to a Dime.
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Sharing zones between views to conserve memory

2013-01-09 Thread Sten Carlsen
IIRC provided you do NOT update the common zones dynamically, you can
share the files. This is a dirty solution, the risk is that one view
may change a file and the other views using it will be out of sync.


On 10/01/13 0:34, Kevin Darcy wrote:
> On 1/9/2013 10:57 AM, Carl Byington wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On Wed, 2013-01-09 at 14:37 +0200, Jan Gutter wrote:
>>> So, here's my question: is there a way to share zones between views to
>>> conserve memory?
>> One way is to put the master copy of those large zones in one view, then
>> define those zones in the other views as type 'forward', forwarding to
>> localhost.
> Yeah, I've done that before, but it has some undesirable caching
> behavior, i.e. entries get cached in the view which forwards, so
> clients can get responses from data that is not as "fresh" as they
> might get if the data were authoritative (assuming NOTIFY is in place,
> or some sort of fast replication mechanism). Also, some things care
> whether the AA flag is set in responses.
>
> I've also been told that at least one BIND-based DNS management
> system, to which I'm planning to migrate, will divide up the available
> memory for named equally, among all of the views defined in the
> config. So, if that's true -- and I haven't been able to independently
> confirm it -- then there would be a limit to how much memory a given
> view can have, regardless of what tricks and/or stratagems one uses.
> (I'm hoping it isn't true, since I have some environments where my
> named.conf has 5 views defined in it, 2 of which are non-recursive,
> and another 1 of which sees an extremely small volume and diversity of
> queries, therefore it would be quite painful for the 2 remaining
> "real" recursive views to be limited to only 1/5th of the total memory
> space apiece).
>
> - Kevin

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: reverse resolution failing

2013-02-07 Thread Sten Carlsen
It does not resolve from my IP, probably there is no reverse entry.


On 07/02/13 18:31, Jim Pazarena wrote:
> my named is 9.9.0
>
> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )
>
> it cannot reverse resolve 139.142.184.10
>
> (example follows).
> However, if I do a simply nslookup using goodle DNS.
> nslookup 139.142.184.10 8.8.8.8
> IT WORKS!
>
> Can anyone suggest where I may be going wrong with this?
> my "dig" response follows.
> Many thanks!
>
> Jim
>
> mail# dig -x 139.142.184.10
>
> ; <<>> DiG 9.9.0 <<>> -x 139.142.184.10
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49017
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;10.184.142.139.in-addr.arpa.   IN  PTR
>
> ;; Query time: 125 msec
> ;; SERVER: 207.34.147.93#53(207.34.147.93)
> ;; WHEN: Thu Feb  7 09:30:12 2013
> ;; MSG SIZE  rcvd: 56
>
> mail#

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Free secondary servers supporting DNSSEC?

2013-02-17 Thread Sten Carlsen
I have used Gratisdns.dk for years with no issue. If you buy the domains
through them, they will even remind you in good time to renew ;-)

And you can't beat the price for DNS - I have never been bothered with
advertisements from them.

On 17/02/13 19:10, Tony Finch wrote:
> Robert Moskowitz  wrote:
>> One of my secondaries, though, does not support DNSSEC and it is the one that
>> gives me a bit of geographical diversity.  So I am looking for someplace that
>> will accept my smallish domains.
> Have a look at https://web.gratisdns.dk - Danish only, but that's not too
> much of a problem with automatic translation...
>
> Tony.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: broken ISP in china

2013-02-19 Thread Sten Carlsen
Just be sure that WHEN your master dies, the slaves will stay
authoritative for long enough that you can get the master up without
working night shift.

On 19/02/13 21:17, Dave Warren wrote:
> On 2/18/2013 23:20, Matus UHLAR - fantomas wrote:
>> On 19.02.13 10:25, Noel Butler wrote:
>>> One thing I need to point out, your SOA timings seem extreme...
>>>
>>> refresh 86400  drop that to 3h
>>> retry 3600, drop to 900
>>
>> I don't see the reason for doing these, unless NOTIFY does not work,
>> but in
>> such case it's the NOTIFY that should be fixed...
>
> I agree in principle. However, the costs of having a low refresh
> probably aren't that significant, whereas all it takes for a NOTIFY to
> get missed is a packet or three getting dropped, and having zones out
> of sync might be more significant.
>
> Or, put another way, dropping REFRESH from 24 hours to 3 hours is
> what, an additional 8 DNS queries per zone, per secondary, per day?
> Unless your zones normally receive only a few hundred queries a day,
> these numbers are so trivial that they probably don't matter, whereas
> having your secondaries return out of date responses is potentially
> more annoying.
>
> Retry too seems like a good candidate to keep very low since it only
> applies when there is a problem.
>
> But in an ideal world, we've probably just spent more time talking
> about it than will result in any savings from tweaking these numbers.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Not - Re: New DNS server up and running

2013-02-20 Thread Sten Carlsen
What about allow-query?

At some point the default changed to allow only localhost.

On 21/02/13 2:59, Robert Moskowitz wrote:
>
> On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
>> It looks like no system, internal or external could access the DNS on
>> my new server.  IPTABLES was set for 53 both UDP and TCP. Firewall
>> was OK.  In fact a local system on the same subnet, thus NOT going
>> through my firewall was denied access to the internal domain.
>> Localhost of course works.
> Oh, here is what I have for options in my internal view:
>
> match-clients{ httnets; };
> match-destinations{ httnets; };
> recursion yes;
> empty-zones-enable yes;
>
> and httnets contains:
>
> acl "httnets" {
> 127.0.0.1;
> 208.83.67.128/26;
> 192.168.32.0/24;
> 192.168.64.0/24;
> 192.168.96.0/24;
> 192.168.128.0/24;
> 192.168.192.0/24;
> ::1;
> 2607:f4b8:3:0::/64;
> 2607:f4b8:3:1::/64;
> 2607:f4b8:3:2::/64;
> 2607:f4b8:3:3::/64;
> 2607:f4b8:3:4::/64;
> 2607:f4b8:3:5::/64;
> 2607:f4b8:3:8::/64;
> 2607:f4b8:3:9::/64;
> 2607:f4b8:3:10::/64;
> 2607:f4b8:3:11::/64;
> 2607:f4b8:3:12::/64;
> 2607:f4b8:3:13::/64;
> };
>
> But I used my Verizon cellular wifi to connect a system from outside,
> and when I did a DIG to my ip address, it was denied by named (as seen
> in /var/log/messages), so the problem is broader than just my internal
> view and why i think it is either the randomized port and firewall
> interaction of selinux.
>
>
>>
>> So it is either the Linux firewall and bind port randomization, or it
>> is SELINUX.  How do I test to find out which?
>>
>> Since the new server is on the same IP address as the old, it is
>> unplugged from the switch.  I can switch back and forth between to
>> two boxes, only taking the time for ARP table updates.
>>
>> So I hope someone can point me to what I have missed.
>>
>>
>> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>>> Phase I is hopefully complete.  A new onlo.htt-consult.com is up in
>>> place of the old one.
>>>
>>> This is a faster box with current software.  I will 'leave it alone'
>>> for a week, unless someone tells me something is wrong with it.
>>>
>>> Next I unlock my domain from NetSol and choose my new registrar and
>>> move.  Thank you on all the recommendations.  Now to choose.
>>>
>>> I study up on DNSSEC, maybe read a book or two.
>>>
>>> Then after Passover, start the signing!
>>>
>>> So I will be, ahem, quite here for awhile.  Yeah sure.  Well I DO
>>> have other systems and services to migrate.
>>>
>>>
>>>
>>
>>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

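For the situation above, an added named.conf skeleton (not the poster's actual config) that makes the access decisions explicit instead of inheriting whatever the packaged named.conf carries, which on several distributions is `allow-query { localhost; }`. It assumes the `httnets` ACL defined in the message above; zone name and file paths are placeholders. A client that matches no view is answered REFUSED, which is what shows up as a denied query in the log.

```conf
// Added example: explicit access control per view. Assumes acl "httnets"
// from the post above is defined earlier in the file.
options {
    directory "/var/named";
    listen-on    { any; };
    listen-on-v6 { any; };
    // Deny by default at the options level; each view grants what it needs.
    allow-query     { none; };
    allow-recursion { none; };
    allow-transfer  { none; };
};

view "internal" {
    match-clients      { httnets; };
    match-destinations { httnets; };
    recursion yes;
    allow-query       { httnets; };
    allow-recursion   { httnets; };
    allow-query-cache { httnets; };
    zone "example.com" { type master; file "internal/example.com.db"; };
};

view "external" {
    match-clients { any; };   // everything that did not match "internal"
    recursion no;             // authoritative only towards the Internet
    allow-query { any; };
    zone "example.com" { type master; file "external/example.com.db"; };
};
```

Check it with `named-checkconf` before restarting, then from an outside host `dig @<server> example.com SOA` should answer and `dig @<server> www.example.org` should come back REFUSED, while from an `httnets` address both should resolve. Denials are logged in the `security` category, so give that category a channel while debugging; if the denials persist with the views above, the remaining suspects are the ones the poster named, iptables and SELinux, not named's ACLs.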

Re: disabling lame server logging

2013-02-26 Thread Sten Carlsen

On 26/02/13 15:50, Robert Moskowitz wrote:
>
> I would expect that a namecaching server on the mailserver would
> reduce traffic and resources all the way around.
>
> I don't need my mailserver to constantly be asking my name server
> about, say, zen.spamhaus.org.
This is one reason my mailserver has a DNS server. No forward, that only
slows down things.
The question here is whether there is a good reason that this instance
must not go directly to the roots?
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: disabling lame server logging

2013-02-26 Thread Sten Carlsen

On 26/02/13 18:06, Robert Moskowitz wrote:
>
> On 02/26/2013 11:43 AM, Sten Carlsen wrote:
>>
>> On 26/02/13 15:50, Robert Moskowitz wrote:
>>>
>>> I would expect that a namecaching server on the mailserver would
>>> reduce traffic and resources all the way around.
>>>
>>> I don't need my mailserver to constantly be asking my name server
>>> about, say, zen.spamhaus.org.
>> This is one reason my mailserver has a DNS server. No forward, that
>> only slows down things.
>> The question here is whether there is a good reason that this
>> instance must not go directly to the roots?
>
> To support systems only visable to your internal view?
I have in my internal view mostly systems that are not visible from the
outside but my internal view has direct access to the world with regards
to DNS. I don't see any risk in that, except the predictability of
RBL-lookups as mentioned elsewhere.
Speed is much improved, even with a standard ADSL line I have better
performance than by forwarding to the ISP DNS server.
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: disabling lame server logging

2013-02-26 Thread Sten Carlsen

On 26/02/13 19:09, Robert Moskowitz wrote:
>
> On 02/26/2013 12:58 PM, Sten Carlsen wrote:
>>
>> On 26/02/13 18:06, Robert Moskowitz wrote:
>>>
>>> On 02/26/2013 11:43 AM, Sten Carlsen wrote:
>>>>
>>>> On 26/02/13 15:50, Robert Moskowitz wrote:
>>>>>
>>>>> I would expect that a namecaching server on the mailserver would
>>>>> reduce traffic and resources all the way around.
>>>>>
>>>>> I don't need my mailserver to constantly be asking my name server
>>>>> about, say, zen.spamhaus.org.
>>>> This is one reason my mailserver has a DNS server. No forward, that
>>>> only slows down things.
>>>> The question here is whether there is a good reason that this
>>>> instance must not go directly to the roots?
>>>
>>> To support systems only visable to your internal view?
>> I have in my internal view mostly systems that are not visible from
>> the outside but my internal view has direct access to the world with
>> regards to DNS. I don't see any risk in that , except the
>> predictability of RBL-lookups as mentioned elsewhere.
>> Speed is much improved, even with a standard ADSL line I have better
>> performance than by forwarding to the ISP DNS server.
>
> What I meant here, rather poorly stated, is that my mail server would
> have to look up clients that only resolve within my internal view. 
> For example foo.bar which resolves to 192.168.178.5.  That query would
> fail if all the caching server had was public DNS data.
>
> I DO run a hidden TLD here for some testing and those devices
> currently do send mail from one to another through my current mail server.
Almost my setup. I don't have a hidden TLD, that was too painful and did
not provide what I wanted.
I use the same domain and the same names inside and outside, except
inside there are many more names.
E.g. my mail server is called mail2, both outside and inside,
outside it has a public IP and inside it has an IP in the 192.168.x.x range.
I also have servers that have the same IP both inside and outside.
>
>>>
>>>
>>
>> -- 
>> Best regards
>>
>> Sten Carlsen
>>
>> No improvements come from shouting:
>>
>>"MALE BOVINE MANURE!!!" 
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"

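An added named.conf for the arrangement Sten describes (not his actual configuration): a recursive named on the mail host that listens only on loopback, iterates from the root instead of forwarding, and still answers for the internal-only names Robert is concerned about by slaving that zone from the internal master. Zone name, master address and key are placeholders.

```conf
// Added example: caching resolver on the mail host, no forwarding.
options {
    directory "/var/named";
    listen-on    { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query     { localhost; };
    allow-recursion { localhost; };
    recursion yes;
    // No "forwarders" statement: resolve from the roots directly.
    dnssec-validation auto;   // validate what the MTA acts on (MX, DNSBL answers)
    max-cache-size 64m;       // keep the cache bounded on a small box
};

// Root hints are needed because nothing is forwarded.
zone "." { type hint; file "named.root"; };

// Internal-only names: pull the internal view's copy of the zone so
// the mail server resolves 192.168.x.x hosts while still recursing to
// the Internet for everything else. 192.0.2.10 stands for the internal master.
key "mail-xfer" { algorithm hmac-sha256; secret "<tsig-keygen output>"; };
zone "example.com" {
    type slave;
    masters { 192.0.2.10 key mail-xfer; };
    file "slaves/example.com.db";
};
```

The slaved zone answers authoritatively, so internal names never go to the Internet and never time out the way a forward-only view can. The DNSBL point Sten raises works in this setup's favour too: the lookups for zen.spamhaus.org and similar leave from the mail host's own address rather than from a shared resolver, which some list operators rate-limit or refuse.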

Re: transfer from multiple views to single view

2013-03-05 Thread Sten Carlsen
Hi

You can not really share a zone(=file) between views. Both views will
believe they have full rights to the file and one view will see this as
someone (the other view) will change the file behind its back.

What might work is to use a key to allow you to access the views needed.
You should include a masters statement in each zone on the slave,
including which master to transfer from and the key needed.

A view may be accessed by IPs and/or by keys.

See the ARM for details.


On 05/03/13 17:07, ?? wrote:
> Hi,all
>
> I want to transfer multiple views from master to slave. The zones are
> in different views in master, and in single view in slave.
>
> Ex:
>
> MASTER:
>
> view "v1"{
> zone "z11" {...} //need transfer
> zone "z12" {...}
> zone "z13" {...}
> }
>
> view "v2" {
> zone "z21" {...} //need transfer
> zone "z22" {...}
> zone "z23" {...}
> }
>
> SLAVE:
> view "sv" {
> zone "z11" {...}   // from v1 z11
> zone "z21" {...}  //  from v2 z21
> }
>
> What should I do?
>
> Maybe I can share a dynamic zone between multiple views, but the
> MASTER's named.conf will be very complex.
>
> -- 
> Best Regards!
> =
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 

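The key-based view selection Sten points at, written out as an added example (not either poster's configuration) that serves both this question and the earlier "Sharing zones between views" thread. View, zone and key names follow the question; addresses and secrets are placeholders. Each master view is selected by the TSIG key the slave signs with, so the slave reaches two views on the same master address with a single slave view.

```conf
// === master named.conf (added example) ===
key "v1-xfer" { algorithm hmac-sha256; secret "<tsig-keygen -a hmac-sha256 v1-xfer>"; };
key "v2-xfer" { algorithm hmac-sha256; secret "<a different secret>"; };

view "v1" {
    // Order matters: first reject requests signed with the other view's key,
    // otherwise the slave's address alone would drop them into this view.
    match-clients { !key v2-xfer; key v1-xfer; 10.1.0.0/16; };
    zone "z11" { type master; file "v1/z11.db"; allow-transfer { key v1-xfer; }; };
    zone "z12" { type master; file "v1/z12.db"; allow-transfer { none; }; };
};

view "v2" {
    match-clients { !key v1-xfer; key v2-xfer; any; };
    zone "z21" { type master; file "v2/z21.db"; allow-transfer { key v2-xfer; }; };
    zone "z22" { type master; file "v2/z22.db"; allow-transfer { none; }; };
};

// === slave named.conf (added example) ===
key "v1-xfer" { algorithm hmac-sha256; secret "<same as master>"; };
key "v2-xfer" { algorithm hmac-sha256; secret "<same as master>"; };

view "sv" {
    match-clients { any; };
    // The key named in "masters" signs the SOA refresh and AXFR/IXFR for
    // that zone only; do not add a "server 192.0.2.10 { keys ... }" block,
    // which would sign every zone with one key and break the selection.
    zone "z11" { type slave; masters { 192.0.2.10 key v1-xfer; }; file "slaves/z11.db"; };
    zone "z21" { type slave; masters { 192.0.2.10 key v2-xfer; }; file "slaves/z21.db"; };
};
```

Force a pull per view with `rndc retransfer z11 IN sv` and watch the xfer-in category on the slave and the xfer-out category on the master; a transfer that lands in the wrong view on the master shows up there as "not authoritative" for the zone. For the memory question in the earlier thread, BIND releases from 9.10 onward also offer `in-view`, which lets a second view reference the first view's in-memory copy of a zone instead of sharing a file on disk.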

Re: spf ent txt records.

2013-03-13 Thread Sten Carlsen
I used both types with Bind 9.2.1, so both types should work for you.
As I recall the only difference was txt -> spf as RR type.


hugo hugoo  wrote:

>Dear all,
> 
>I received the following question and I am not able to aswer as spf
>records are still mysterious to me.
>We are using BIND 9.7.
> 
>Thanks in advance for your answers,
> 
>Hugo,
> 
> 
> 
>Does our DNS-server support SPF-type records? Or do we put SPF-info in
>a TXT-record?
> 
>Ref. : 
>Early implementations used TXT records for implementation before the
>new record type was commonly available in DNS software. Use of TXT
>records for SPF was intended as a transitional mechanism. However,
>according to the current RFC, RFC 4408, section 3.1.1, "An
>SPF-compliant domain name SHOULD have SPF records of both RR types. A
>compliant domain name MUST have a record of at least one type," and as
>such, TXT record use is not deprecated.[2]
> 
>
>
>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: Dig for link-local

2013-03-25 Thread Sten Carlsen
One question is whether the server will listen and reply on all
addresses or only on the global address?

I suggest you look into the log file from the server, often there are
good clues there.


On 25/03/13 10:19, Alok Raj wrote:
> Hi Guys,
>
> Basically I am trying to do the following:
>
>   1) If I use link-local ipv6 address (of domain controller) in my resolv.conf, my resolver routines (glibc 2.13) are not able to resolve a domain name to an ip address, though I am able to ping that link-local ipv6 address.
>   2) If I use global ipv6 address (of domain controller) in my resolv.conf, it works fine!
>   3) So I wondered, how dig/nslookup/host commands are able to get a name resolved when there is only one entry @ /etc/resolv.conf and that entry is an ipv6 link-local address of domain controller.
>   4) I have downloaded the BIND9 code and am looking into it.
>   5) Similarly if I ping using ping6, my domain name gets resolved if global ipv6 address in resolv.conf; not resolved if link-local ipv6 address.
>
> If my doubts sound trivial, I am sorry, I am very new to the above concepts.
>
> Thanks,
> Alok
>
>
>
> -Original Message-
> From: bind-users-bounces+alok.raj=spanservices@lists.isc.org 
> [mailto:bind-users-bounces+alok.raj=spanservices@lists.isc.org] On Behalf 
> Of Carlos M. Martinez
> Sent: Friday, March 22, 2013 9:57 PM
> To: Bryan Harris
> Cc: bind-users@lists.isc.org
> Subject: Re: Dig for link-local
>
> Transport has nothing to do with content in DNS. If your client asks for an 
>  record it will get the appropriate answer according to the zone's 
> records (a value or an error condition) regardless on whether the query was 
> made over IPv6 or IPv4.
>
> That said, you can 'hack' around this expected behavior (see 'no  on
> ipv4') in order to help hosts with broken IPv6 connectivity, but you have to 
> enable it.
>
> regards,
>
> ~Carlos
>
> On 3/22/13 1:19 PM, Bryan Harris wrote:
>> Hello,
>>
>> On Mar 22, 2013, at 12:13 PM, Kevin Darcy  wrote:
>>
>>> I'm not sure what you're asking, exactly. Are you surprised that named 
>>> would respond on an IPv6 link-local address if configured with 
>>> "listen-on-v6 { any; };"? 
>> Can an ipv4-only server give an ipv6 address as part of an overall 
>> answer to a dig?  E.g. Our servers recurse to get outside addresses, 
>> and when I query for www.google.com one of the addresses is ip6
>>
>> Bryan
>>
> DISCLAIMER: This email message and all attachments are confidential and may 
> contain information that is Privileged, Confidential or exempt from 
> disclosure under applicable law. If you are not the intended recipient, you 
> are notified that any dissemination, distribution or copying of this email is 
> strictly prohibited.  If you have received this email in error, please notify 
> us immediately by return email to mailad...@spanservices.com and destroy the 
> original message.  Opinions, conclusions and other information in this 
> message that do not relate to the official of SPAN, shall be understood to be 
> nether given nor endorsed by SPAN.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Sten Carlsen
Apparently the DHCP server tries to put the change into BIND but times
out. What does the named log tell about this?

Either it did see the request or it will have an explanation why it
won't do it.

On 28/03/13 18:18, Jim Bucks wrote:
> Hi Mark, Graham, & others.
>
> I've spent the last day trying all sorts of things to get this working
> (to no avail).  I'm still at the stage of DHCP offering the lease IP
> address, but the DNS is not automatically updating the two "zones"
> files with the newly leased addresses.
>
> Here is a brief summary of what I tried/changed.
>- Added the group named to the dhcpd user
>- moved the two zones files into
> /var/named/chroot/var/named/slaves/  (was internal/)
>- added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
>- grabbed a current version named.conf file and added the bare
> minimum config into into it.
>
> Attached are my configs.
>
> Any ideas on what I've hosed up?
>
> Thanks,
>
> Jim
>
>
>
> -- 
> Jim Bucks - IT Director 
> Colorado Studios <http://www.coloradostudios.com>, Mobile TV Group
> <http://www.mobiletvgroup.com>, HDNet <http://www.hd.net>, AXS.tv
> <http://www.axs.tv/>
> 8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500
> jbu...@coloradostudios.com <mailto:jbu...@coloradostudios.com>
>Direct 303-542-5520
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 

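An added example (not the poster's attachments) of the pieces that have to agree for dhcpd to update named, plus the logging that answers Sten's question about what named saw. Key name, zone names, network and secret are placeholders; the update grant is by TSIG key rather than by source address, so a host on the LAN cannot rewrite records just by spoofing the DHCP server's IP.

```conf
// === named.conf (added example) ===
key "dhcp-update" { algorithm hmac-sha256; secret "<shared with dhcpd>"; };

logging {
    channel update_log {
        file "/var/log/named/update.log" versions 3 size 2m;
        severity info; print-time yes; print-category yes;
    };
    // "update" records applied updates; "update-security" records why one
    // was refused (wrong key, no grant for that name/type, name outside the zone).
    category update          { update_log; };
    category update-security { update_log; };
};

zone "lab.example" {
    type master;
    file "dynamic/lab.example.db";   // named must be able to write here and its .jnl (mind the chroot path)
    // interim-style dhcpd writes A and TXT; standard style uses DHCID instead of TXT
    update-policy { grant dhcp-update subdomain lab.example. A TXT; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "dynamic/1.168.192.in-addr.arpa.db";
    update-policy { grant dhcp-update subdomain 1.168.192.in-addr.arpa. PTR TXT; };
};

// === dhcpd.conf (added example) ===
ddns-update-style interim;
ddns-updates on;
update-static-leases on;
key dhcp-update {
    algorithm hmac-sha256;
    secret <same secret as in named.conf>;
};
zone lab.example. { primary 127.0.0.1; key dhcp-update; }
zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-update; }
```

A timeout on the dhcpd side with nothing at all in update.log means the packet never reached named (wrong `primary` address, chroot listening elsewhere, firewall); a REFUSED with an `update-security` line means the key or the grant is wrong. Once named accepts the update it still has to write the journal, so the zone file's directory must be writable by the named user and, on RHEL-style systems with SELinux enforcing, the `named_write_master_zones` boolean must be on.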

Re: NS geo-distribution

2013-04-30 Thread Sten Carlsen
Don't forget that most users will get the address out of "some" cache,
not directly from the authoritative servers.


On 30/04/13 6:48, Chris Buxton wrote:
> On Apr 29, 2013, at 9:01 PM, Dave Warren wrote:
>> With the vast majority of our customers being in North America (probably 75% 
>> of users are in Canada), would it make sense to add a Europe based NS or 
>> would this tend to return slower results on average since a potential user 
>> would have a 1/3 chance of hitting a NS with a higher latency?
> RTT means almost always hitting the fastest server.
>
> Chris Buxton

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: NS geo-distribution

2013-04-30 Thread Sten Carlsen

On 30/04/13 10:30, Dave Warren wrote:
> On 2013-04-30 00:49, Sten Carlsen wrote:
>> Don't forget that most users will get the address out of "some"
>> cache, not directly from the authoritative servers.
>
> Absolutely. This is even more true in our case as many of our clients
> serve very local areas and 2-3 ISPs and 3-4 mobile providers
> probably cover 90%+ of their clients.
Which essentially means that the time to get data from the authoritative
servers is irrelevant in almost all cases. Availability vs. network
problems would be more important in my book.
>
>
> On 2013-04-29 21:48, Chris Buxton wrote:
>> RTT means almost always hitting the fastest server.
>
> My concern with relying on RTT is that since most of our sites are
> very low volume, will it be effective or does it work better when a
> host has higher traffic? How long do resolvers remember a particular
> NS's RTT?
>
> We have a handful of Europe based clients, but their number is quite
> small, so I'm not sure if we'd be significantly hurting the majority
> by introducing a high-latency server into the mix or not, or even how
> to evaluate the results.
>
> I realize I've probably spent more time thinking about it than I'll
> possibly save anyone else anyway, so perhaps that's my answer.
>
> I appreciate all the input.
>
> -- 
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: resolver, search command....

2013-05-08 Thread Sten Carlsen
You probably want to use host myhost, that does use the resolv.conf as
the system normally would. And it works better than nslookup.

On 08/05/13 16:56, Evan Hunt wrote:
>> dig myhost
> By default dig only uses fully qualified domain names. "dig +search"
> does what you want.
>
>> It would search for that host in path1 or path2 listed above.? It does
>> not, a +trace shows the resolver querying the root servers for myhost.?
>> So it appears the search command does not work in environment.
>>
>> [root@server1 # dig myhost +trace
> ...but "dig +trace" behaves completely differently, searching for the
> name from the root zone down and never touching the local resolver at
> all, so this would have queried the root server even if you'd used a
> FQDN.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: architecture question

2013-05-08 Thread Sten Carlsen
Don't forget that Bonjour actually uses .local and will be very sour if
it is used for other purposes, I have tried.


On 08/05/13 16:56, Jeremy P wrote:
> I am building a lab environment where there are several separate
> domains, all of them ending in .local
>  
> I've setup a server for the .local TLD, but I'm undecided (or perhaps
> ignorant) as to the best way to have the individual domains
> (domain1.local, domain2.local, etc) refer to the local zone on my TLD
> server.  Currently I've also created a root server and set the root
> hints on domain1.local's dns server to refer to it.  This works for
> local resolution, but this means that domain1.local can't perform
> Internet lookups.
>  
> Thanks for any help,
> Jeremy
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: architecture question

2013-05-08 Thread Sten Carlsen
You could also make a subdomain of your main domain and use that for
all students, unless of course the purpose is to teach how to set this up.

I have used .home myself; now I would take something that
nobody would ever think of using in the "real" world. In the old days I did
consider .xxx, but that is now a whole other thing than just something odd.
Generally you may want to consider the new options for people to make
actual TLDs out of their company name.

At the start of the course, you could make a draw among the students and
use the selected person's first name; that any coming thing like mdsn
would use that is not very likely. It also draws attention to the
significance of those letters.



On 08/05/13 19:33, Jeremy P wrote:
> I understand letter of the law, spirit of the law and playing it safe
> to avoid headaches.
>
> However, there are times where registering a real domain just isn't
> practical.  For example, I'm not going to ask all of the students in
> my courses to go out and register a .com for the semester.  It would
> be a waste of money as their systems never leave the local network,
> except through a NAT connection.  So in those types of instances, I'm
> assuming .lan or .test are safest?
>
>
> On Wed, May 8, 2013 at 11:20 AM, Steven Carr wrote:
>
> On 8 May 2013 18:09, wbr...@e1b.org wrote:
> > This just came up with a site I support.  Thanks to this list
> and the
> > DNS-OARC list, I know better. Hopefully, I can redirect them to use
> > something below their real domain for Active Directory such as
> > ad.example.org.
>
> FWIW: MS now advises not to use .local for internal AD anymore. They
> suggest you use your owned/registered namespace to prevent domain
> collisions.
>
> http://support.microsoft.com/kb/909264
> Generally, we recommend that you register DNS names for internal and
> external namespaces with an Internet registrar... Registering your DNS
> name with an Internet registrar may help prevent a name collision.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: BIND Configuration

2013-05-08 Thread Sten Carlsen
I believe your major point is the routing tables because they determine
how the response is trying to get out.


On 08/05/13 22:22, Steven Carr wrote:
> You will need to have some form of automation in place to update the
> DNS zone to change the IP address which should now be accessed when
> one of the links goes down. You will also need to ensure you have a
> low TTL value on the records you want to update on link change so that
> the records are refreshed quickly.
>
>
>
> On 8 May 2013 20:40, Ward, Mike S  wrote:
>> Hello all, I was wondering if someone could help me out.
>>
>> I am using Bind 9.2 on a Redhat Linux server. We have two ISPs on separate 
>> networks. Let's call them A and B. My Linux Server can listen on A's Network 
>> as well as B's network.
>> I'm using fictitious IPs and names
>>
>> A 111.111.111.1  B 555.555.555.1 
>>Secondary A 111.111.222.1
>>
>>   Redhat & Bind
>>
>> Bind is listening on both IP addresses and we have a secondary server at 
>> 111.111.222.1
>>
>>
>> If ISP A has a backbone router problem, how can I get people trying to 
>> get to our web servers to use B's network? I have been thinking of different 
>> ways to do this, but have come up empty.
>>
>> Our network is really simple. I just want to be able to use diverse ISPs in 
>> case we lose one, so we still have the other. Can anyone help me out? Any help 
>> appreciated.
>>
>> Thanks.
>>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Mailing list "reply-to" setting

2013-05-09 Thread Sten Carlsen
This is also the way I use mail, so +1.


On 09/05/13 23:02, Carlos M. martinez wrote:
> My mail setup is as limited as my eyesight. As I mentioned, I have
> emails in my inbox and filter afterwards in order to keep mbox size at
> reasonable levels. In this way I don't forget to check this or that folder.
>
> While on inbox I filter by looking at the tags. Works really well and I
> know quite a few people who do the same. I counted and I'm subscribed to
> over 50 mailing lists and this is the only one which does not tag the
> subject.
>
> Probably you've discussed this in the past (I'm a rather new
> subscriber), so I apologize for bringing up a dead horse.
>
> regards,
>
> Carlos
>
> On 5/8/13 10:53 PM, Michael McNally wrote:
>> On 5/8/13 9:43 AM, Carlos M. martinez wrote:
>>> Agreed, but, subject tagging is very useful for those who prefer to have
>>> things hit your inbox first, before archiving. And there seems to be a
>>> lot more agreement on the tagging issue than on the reply to.
>> Unless your mail setup is extremely restricted in what it can filter
>> on, you have several choices of header which can be used by an
>> automated filter to detect and classify appropriately according to list.
>>
>> Personally I have procmail file bind-users traffic based on the
>> "List-Id:" header, but I realize you may be in a different environment
>> with different tools available.
>>
>>List-Id: BIND Users Mailing List 
>>
>> Michael McNally
>> ISC Support

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Negative zones; NXDOMAIN responses

2013-05-19 Thread Sten Carlsen

>> These LANs have a BIND9 service to provide name resolution and caching for
>> internet access, and I want to intercept the .local domain to give an
>> NXDOMAIN response. The internet ISP returns positive values for .local
>> queries, and I need LAN clients to receive NXDOMAIN instead.
.local actually has meaning for most modern systems, so I would question
the wisdom of what you want to do.

You may find some functions of systems not working any more. Obviously
it is up to you in the end.
>>>
>>> Can I create a zone file for the .local domain and specify there NXDOMAIN
>>> values for SOA and A RRs? What should the content of the zone sheet be?
>>>
>>>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Help on NXDOMAIN to try next forwarder in the list

2013-05-30 Thread Sten Carlsen
Well you can do that.

It does not change the fact that NXDOMAIN is a DEFINITIVE answer - it
does not exist, there is no reason to look further.


On 30/05/13 9:56, Ashok Agarwal wrote:
> Sorry, it's not the /etc/hosts file, rather it's /etc/resolv.conf.
>
>
> On Thu, May 30, 2013 at 1:25 PM, Ashok Agarwal wrote:
>
> One possible way can also be to set the number of nameservers to
> be looked upon in the /etc/hosts file.
>
> nameserver 8.8.8.8
> nameserver 4.4.2.2
> nameserver 4.1.2.2
>
> Regards,
> Ashok
>
>
> On Thu, May 30, 2013 at 1:05 PM, Steven Carr wrote:
>
> It's not possible. NXDOMAIN is NXDOMAIN, it doesn't exist, it
> doesn't
> mean try another server to see if you get lucky next time.
>
> Steve
>
>
> On 30 May 2013 08:26, sumsum 2000 wrote:
> > Hi,
> > I would like the following change to be available in BIND9.
> >
> > I have zone forwarders as follows, with BIND9 set up with the
> > forward only option on a non-authoritative DNS server
> >
> > zone "mytestdomain101.com" IN {
> > type forward;
> > forwarders { 8.8.8.8; 4.2.2.1; 8.8.4.4; };
> > forward only;
> > };
> >
> >
> > If I am doing a dig on mytestdomain101.com, the first DNS server gives
> > NXDOMAIN. In this example, say it tries 8.8.8.8 and returns.
> > I would want the other servers 4.2.2.1 and 8.8.4.4 to be tried and then
> > finally return NXDOMAIN, to have the same functionality as that of SERVFAIL.
> >
> > This is not currently possible and I have tried it on BIND 9.8.2.
> > Could you please suggest if there is a way to do it.
> >
> > Thanks
> > Sum2hike
> >
> >
> >

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Sten Carlsen
Just a thought, below:
On 14/06/13 2:41, Ronald F. Guilmette wrote:
> In message <51b9fb6a.1090...@tiggee.com>,
> David Miller  wrote:
>
>> This could lead to wrong headed statements like, "Yes, we sent X GB of
>> traffic at your network.
> Yes.
>
> Last night I reconsidered at some length the scheme I put forward yesterday.
> (Please note that I am very deliberately calling it merely a "scheme"
> rather than a "proposal", because I do not think that it rises to the
> level of that honorable title yet.)
>
> Basically, please ignore everything I put forward yesterday and substitute
> instead the following in place of all that...
>
> 1)  A new DNS/UDP packet/message type is defined.  This new message
>   when sent from machine A to machine B informs B that A would
>   really really appreciate it if B would cease and desist from sending
>   anything other than HIGHLY ABBREVIATED (12 byte) UDP DNS response
>   packets to the IP address of A for a period of 30 seconds.  (Said
>   highly abbreviated DNS/UDP response packets would all have the TC
>   bit set.)
>
>   In a hypothetical revised future DNS RFC it would be said that all
>   DNS servers attached to the public internet MUST be capable of
>   properly receiving, decoding and obeying any and all such client
>   requests.
>
I wonder how DNS servers running older versions of the software will respond
to that. If they silently discard the packet, no problem. If however
they respond with REFUSED or anything else, you create your own storm.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: PTR files

2013-06-17 Thread Sten Carlsen
For what it's worth, I run a web server behind a D-Link router (DIR-825). I
have done that for about 6 years, on the same box. I have not seen that
type of message.

It does not need a PTR record; it can run without any DNS, except that it is
not practical.

What it does need is to be included in the virtual servers list in the
D-link router.

I guess you will have to be more specific about exactly which situation
creates the message and if possible which SW-module is responsible
before it is possible to help.



On 18/06/13 1:04, Norman Fournier wrote:
> On 2013-06-17, at 4:11 PM, Charles Swiger wrote:
>
>> On Jun 17, 2013, at 3:00 PM, Norman Fournier  
>> wrote:
>>> [ ... ]
>>> (...Members of the httpd-users list say the same thing - it's not an httpd 
>>> problem.
>> From what you've said below, they're quite right.
>>
>>> I am just trying to take possibilities off my list of potential errors, 
>>> sorry if I am annoying you, it's unintentional and symptomatic of my 
>>> ignorance, so I'm asking questions. I think that is a legitimate use of my 
>>> subscription to this list, and the list's raison d'être. Surely the list is 
>>> not exclusively for individuals who know what they're talking about?..)
>> This list is for discussion of ISC's BIND.
> For me, the list is called bind-users, not bind-discussion. BIND discussion 
> would be a higher echelon than a user list. I'm a bind user and I have a 
> Domain Name Server problem, somewhere, that I have been trying to solve for a 
> long time and am going over my steps once again. I need to get my webserver 
> online and there is a problem with the name or lookup or the router. I have 
> not found any errors in httpd, bind or the router configuration that have 
> solved it. The latest hint I got was an ostensible missing in-addr.arpa PTR 
> record, which, to me, made it relevant to BIND.
>
>> Let's assume that you've got a D-Link router which has a single public IP 
>> from your provider, and provides NAT translation for a private RFC-1918 
>> subnet, and you've placed your webserver on a VM which lives behind that 
>> D-Link router.  If so, you will need to enable static port forwarding for 
>> 80/tcp to the VM running the webserver, or perhaps place that IP in the 
>> router's "Enable DMZ Host" section of the firewall config.
>>
>> This is basic networking; it doesn't have any close relationship to either 
>> DNS or webservers.
> The ports forwarded to the 192.168.0.101 webserver are unchanged since 2005; 
> dns, http and ssh to appropriate ports. The router did change, the static ips 
> changed, as well as the physical location of the network and servers. I don't 
> know what the issue is, that's why I asked about including explicit PTR files 
> to the domain name, as well as the localhost in-addr.arpa, which is the 
> latest in a list of "possible irregularities" I have turned up so far that I 
> need to confirm one way or the other.
>
> I do appreciate you taking valuable time to answer. I have to wade into it 
> all again. I hope I am still welcome to ask questions here as I have seen 
> others do, since I subscribed to this list in an effort to learn about BIND 
> and DNS, a number of years ago.
>
> Norman

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Discover Unreferenced Zones/Records

2013-07-01 Thread Sten Carlsen
There might be some zones that are rarely used; you may see those as
dead using that method.

I was thinking of a script that would take your list of zones
(essentially the .conf file) and for each zone do something like a "dig
+trace" and look for whether your servers are listed as name servers for
that zone.

Those you are no longer listed in can be removed immediately; those
where you are listed but have no or very little traffic, you can make
inquiries about and act accordingly.

Just my 0.02EUR

On 01/07/13 13:04, Bryan Harris wrote:
> Hi all,
>
> I have discovered that we have an excessive amount of old zones not
> being used.  Is there a trick, or a simple way to determine which
> zones have not been referenced in a long time?
>
> My best guess is to simply log queries and read the log files.  Would
> that be the recommended way?
>
> Our intent is to delete everything we don't need.
> Bryan
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: Reverse address entries

2013-07-02 Thread Sten Carlsen

On 02/07/13 21:02, Eduardo Bonsi wrote:
> I have been reading all your concerns about reverse FQDNS. In my
> example, we are a very small firm and I am the IT network admin
> responsible for configuring our server. One of the reasons I
> configured our server was because we deal with Photography, graphic
> design and occasionally presentations of Movies. These are fat files
> that are not viable to send thru emails. Our setup is far from being
> perfect and does not follow the ISC BIND advised rules of how I would
> like to follow to run a proper server. Like two different networks,
> one ip address for every ns.mydomain.com and web services and so
> forth. Believe me, I would love to do that if I had the budget for it.
> Therefore, that is not really my decision but it falls under the way
> my ISP charges $$$ for each ip address and reverse setup. 
Well, that means your setup is ok, lookups will go like this:
1 - your.mail.server -> some IP
2 - some IP -> a name in your ISP's DNS, typically very generic like
2-45-231-6-isp-dynamic-pool.xx
3 - 2-45-231-6-isp-dynamic-pool.xx -> back to "some IP".

The fact that numbers 2) and 3) match and could be done more times if
needed, is what SMTP is looking for. Hence you are not deemed to be a
spammer on that account.
> So, I decided to work with what I have and be happy with the
> limitations and at the same time try to work around them. I put a lot
> of thought in the beginning about the issue of: -Should I reverse my
> main NS or Should I just leave it alone since I do not do any transfer
> or run any email server from my server. I thought in the beginning;
> "Well, no spammer will attempt to relay through my server since this
> will be one more reason they will not get things to work properly."
> However, this is not really a concern. Like I said, my set up is not
> perfect but everything works fine from my end so far with limitations!
> …and Yes, I do occasionally have a very short delay between the main
> "www.mydomain" and "mydomain" but the same delay never happened with
> the other domains/websites I am running under the same ip address. I
> guess I could reverse my main domain to my one and only static ip
> address and my question would be: - Would that affect the other
> websites I am serving using the same ip address? Thanks everyone for
> this wealth of discussion!
>
> Eduardo

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Sten Carlsen
From here I see a fast response using the local server:
~
$ dig ic.fbi.gov

; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2421
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ic.fbi.gov.                    IN      A

;; AUTHORITY SECTION:
fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200

;; Query time: 158 msec
~
No error, but no address.

Using Google I get a servfail:
~
$ dig ic.fbi.gov @8.8.8.8

; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ic.fbi.gov.                    IN      A

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 17 18:54:41 2013
;; MSG SIZE  rcvd: 28
~
SERVFAIL, so something is unclear.


On 17/07/13 18:49, Ray Van Dolson wrote:
> Hello;
>
> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> ic.fbi.gov that seems to be DNSSEC related.
>
> Am fairly certain of this because if I set dnssec-enable and
> dnssec-validation to no (have them at 'yes' normally), resolution
> succeeds.
>
> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> hangs for a bit then eventually times out.  dig @nameserver fbi.gov
> works fine.
>
> On my BIND server, I see the following in a packet capture:
>
>   0.00 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
>   0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
>   0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS 
> 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
>   0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
>   0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 
> 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
>   0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
>   0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 
> 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
>   0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
>  30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS 
> GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
>  30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name
>
> So it seems like the issue is related to the DS records queried not
> existing, but I've checked a few DNSSEC validation tools out there by
> plugging ic.fbi.gov in and things appear to check out.  This could be
> firewall related on my side (we have Checkpoint firewalls), but other
> DNSSEC queries appear to be working OK.
>
> A dig @8.8.8.8 +dnssec ic.fbi.gov works OK as well, also making me think
> the issue is somehow on my side.
>
> Am reading up on additional troubleshooting steps for DNSSEC, but still
> wrapping my head around concepts.
>
> Anyone have any tips as to where to start "digging" next based on what
> I'm seeing above?
>
> Thanks,
> Ray

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Bind99 and a slave named server

2013-08-18 Thread Sten Carlsen

On 18/08/13 22:06, Dave Warren wrote:
> On 2013-08-18 10:39, LuKreme wrote:
>> Since it is all working, what I am looking for now is "how to convert
>> your master bind server to a slave".
>
> Change the zones from master to slave in your named.conf? There really
> isn't much more to it than that, assuming a new authoritative
> master is already configured and serving the zones.
>
> Watch the logs for any errors indicating that your
> former-master-now-slave has newer versions of zones than the
> new-master, as this might indicate errors, but outside of that, the
> fact that a server used to be a master makes very little difference.
Also look at permissions etc. The new master needs to be told that the
master-turned-to-slave is allowed to axfr and the new slave must know
who to look for as the master.

You need to consider whether you will be happy with the new binary file
format at the slave or you need to specify the text format.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Who is right?

2013-09-06 Thread Sten Carlsen
AFAIK dig any will return whatever might be in the cache at the
time of the question.

On 06/09/13 9:27, Marco Davids (SIDN) wrote:
> dig ANY example.org @..
>
> Google Public DNS:
> --
> returns DS: no
>
> BIND 9.9.3-P2:
> --
> returns DS: yes
>
> Unbound 1.4.20:
> ---
> returns DS: no
>
> Personally I don't care much, but perhaps someone on this list has a
> strong opinion about these differences that I should know about?
>
> Thank you.
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: moving DNSSEC to a hidden master

2013-10-01 Thread Sten Carlsen

On 02/10/13 02.47, Alan Clegg wrote:
> On Oct 1, 2013, at 8:27 PM, David Newman  wrote:
>
>> On 10/1/13 2:16 PM, David Newman wrote:
>>> Is there a recommended order of operations when moving DNSSEC-enabled
>>> nameservers to a hidden-master setup?
>> Actually, this is really a more general question: Is there a recommended
>> order of operations when migrating zones between any two DNSSEC-enabled
>> nameservers, assuming the same version of bind on each?
> Eh... I'm not sure what the complexity here is.
>
> Set the "new" machine up as a slave, use the standard axfr mechanism to 
> replicate the zones, move the keying material and then convert the new system 
> from slave to master while taking the existing master off-line.
>
> What am I missing?
I believe that was the question: what is missing here, if anything.
Seems too easy, there has to be a catch.
Anything to do to catch up on internal states? How to be sure the new
master will continue exactly as the old one had done? Maybe it is that
simple, that would be great, but if you are not sure, it is a good
question to ask.
>
> AlanC
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: moving DNSSEC to a hidden master

2013-10-03 Thread Sten Carlsen
This works for me and is the standard method:

rndc freeze
update serial
rndc thaw

Rndc freeze merges the .jnl files into the zone files and stops dynamic
updates. Thaw allows dynamic updates to resume.

On 04/10/13 02.12, David Newman wrote:
> Thanks all for your responses.
>
> On 10/1/13 6:42 PM, Mark Andrews wrote:
>> As Alan said copy the .key and .private files over.
>>
>> Disable updating on the old master.
>>
>> Transfer the zone contents by setting up as a slave
>> using "masterfile-format text"; or using by using dig.
>> This will give you the most up to date version of the
>> zone.
>>
>>  dig axfr zone +onesoa @oldmaster
>>
>> Check that the new server is working 
> Converting the new secondary to a new master worked. But incrementing
> the zone's serial number did not, producing an error after 'rndc reload'
> like this:
>
> Oct  3 16:00:29 host named[35249]: malformed transaction:
> dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 !=
> transaction first serial 2013092700
>
>> and you can update
>> the zone by using nsupdate.
> Although the zone file lives under dynamic/mydomain.com so DNSSEC
> updates can happen, I don't have dynamic updates configured, so nsupdate
> won't work. This arrangement -- with static zone files under the dynamic
> directory -- worked OK on the old master. Permissions are the same on both.
>
> This thread suggested the journal issue was separate views pointing to
> the same zone file:
>
> https://lists.isc.org/pipermail/bind-users/2008-June/070807.html
>
> Indeed I had pointers to the same zone file in separate views, but
> removing them and restarting named did not clear the issue. Now I have
> the zone in just one view, and still can't manually increment the serial
> number without that journal complaint.
>
> Thanks in advance for clues on resolving the journal version issue.
>
> dn
>
>> Convert the old master server into a slave.
>>
>> Update the other slaves to talk to a new master.
>>

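The freeze / bump serial / thaw sequence from the post as a script, added here as an example and not code from the thread. It assumes the serial sits on a zone-file line ending in "; serial", that serials follow the YYYYMMDDnn scheme seen in the journal error, and that rndc and named-checkzone are on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: the freeze / bump serial / thaw
# sequence as a script. Assumptions: the serial is on a zone-file line that
# ends in "; serial" (a common convention), rndc and named-checkzone are on
# PATH, and serials follow the YYYYMMDDnn scheme seen in the journal error.

# next_serial CURRENT TODAY -> the serial to use next.
# Keeps the date scheme when it fits and never goes backwards: an older
# date jumps to TODAY00, today's date increments nn, and a future date,
# nn=99, or a non-date serial just adds one (the journal compares numbers).
next_serial() {
    cur=$1; today=$2
    if [ ${#cur} -ne 10 ]; then
        echo $((cur + 1)); return 0
    fi
    cur_date=${cur%??}             # first eight digits
    cur_seq=${cur#"$cur_date"}     # last two digits
    cur_seq=${cur_seq#0}           # "08" -> "8" so $(( )) does not read octal
    if [ "$cur_date" -lt "$today" ]; then
        echo "${today}00"
    elif [ "$cur_date" -eq "$today" ] && [ "$cur_seq" -lt 99 ]; then
        printf '%s%02d\n' "$cur_date" $((cur_seq + 1))
    else
        echo $((cur + 1))
    fi
}

# bump_zone_serial ZONEFILE TODAY -> rewrites the serial in place, prints it.
bump_zone_serial() {
    zone_file=$1; today=$2
    cur=$(awk '/; *serial/ { print $1; exit }' "$zone_file")
    if [ -z "$cur" ]; then
        echo "no '; serial' line found in $zone_file" >&2; return 1
    fi
    new=$(next_serial "$cur" "$today")
    awk -v old="$cur" -v new="$new" '
        !done && /; *serial/ { sub(old, new); done = 1 }
        { print }' "$zone_file" > "$zone_file.tmp" && mv "$zone_file.tmp" "$zone_file"
    echo "$new"
}

# freeze_bump_thaw ZONE ZONEFILE: the procedure from the post, with a check
# between the edit and the thaw so a typo never gets loaded.
freeze_bump_thaw() {
    zone=$1; zone_file=$2
    rndc freeze "$zone" || return 1          # flush .jnl into the file, stop updates
    new=$(bump_zone_serial "$zone_file" "$(date +%Y%m%d)") || { rndc thaw "$zone"; return 1; }
    if named-checkzone "$zone" "$zone_file" >/dev/null; then
        rndc thaw "$zone"                    # reload the edited file, resume updates
        echo "$zone now at serial $new"
    else
        echo "$zone_file fails named-checkzone; zone left frozen for repair" >&2
        return 1
    fi
}

# Usage: sh serial-bump.sh bump ZONE ZONEFILE  (nothing runs without "bump")
if [ "${1:-}" = "bump" ] && [ $# -eq 3 ]; then
    freeze_bump_thaw "$2" "$3"
fi
```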

Re: Install DNS Server

2013-10-10 Thread Sten Carlsen
Hi

I do that and more on an ATOM machine with 2GB RAM. I use Postfix
instead of qmail but see no reason qmail would not work.

I installed all the relevant RPMs, configured them and it works.

One thing to remember is that you need two or more DNS servers; I do
that by being a stealth master with several slaves at my 3rd party provider.


On 10/10/13 12.27, Chandran Manikandan wrote:
> Hi All,
> I am running Centos 5.7 32 bit server machine.
> I have installed and successfully run qmail,web,ftp with the same machine.
> Now am DNS hosting with third party. I would like to install and keep
> DNS hosting myself. 
> How to do that , How to install Dns server with the same machine or
> different machine as well what is the complete procedure and steps.
>
> Any one help me.
>
> -- 
> *Thanks,*
> *Manikandan.C*
> *System Administrator*
>
>


Re: stealth with views?

2013-11-07 Thread Sten Carlsen
This is pretty much what I do.

I have one server behind a NAT with two views: internal, resolving, has
all internal names - external, not resolving, has the master for my zones.

My DNS provider slaves my zones off the master on my LAN, I have not put
my master's IP in the zone data, what is in the file is not important.
Slaves transfer the zone data, not the file. I just checked and can not
find any trace of my IP in the output from the public servers.

I can check in my log when the slaves transfer the data, I have not had
any case where data ran out, set TTLs high enough.

I see a major panic when my ISP gives me a new IP (happens rarely, but
has happened), then I need to tell the slaves that a new master is in
place, can be done, but must be done right for this provider.


On 07/11/13 19.52, Jonathan Reed wrote:
> I'd like my global BIND server to slave a copy of my zone from the
> master being hosted on my LAN. It appears that this is called a
> stealth setup. I figured I'd achieve this by having the secondary on
> the internet slave a view, but I've read that this is not ideal from a
> security standpoint. The argument being that the zone file contains an
> IP address of it's master. So whats the best way to do this?
>
> A stealth scenario also seems susceptible to a higher chance where the
> connection is lost between master and slave (complicated by a LAN
> firewall/ISP in between) and the expire exceeding. We're hosting our
> global DNS through a provider, so there doesnt seem like an easy way
> to monitor and confirm a zone transfer from our master alone. Any
> recommendations?
>
>


Re: script - automatic change A record

2013-11-25 Thread Sten Carlsen

On 25/11/13 15.00, Alan Clegg wrote:
> On Nov 25, 2013, at 7:55 AM, Pawe? Ch.  wrote:
>
>> Hi list,
>>
>> I would like to write script that change two entry in my zone file: SOA and 
>> A record.
>>
>> I have 2 web site: mail site site1.tld and backup site site2.tld. Script 
>> should monitor site1.tld and when site is unavailable it should change A 
>> record in zone file to indicate to site2.tld. If site1.tld is available 
>> again then A record should indicate to it.
>> Script should change SOA serial number.
If this really is mail only as I read from your mail, SMTP already takes
care to use the backup server, just put correct priority in DNS.
>>
>> Please help with writing a script.
> make the zone dynamic, read man page on nsupdate.
>
> AlanC
>
>


Re: Forward zone giving SERVFAIL

2013-11-28 Thread Sten Carlsen
IIRC "forward" means ask the forwarder to do a recursive lookup. If the
server you forward to does not do recursion, there is a problem here.

I think the advice is to look at stub zones, they might be useful here.

On 28/11/13 16.50, Neil Aggarwal wrote:
> Dave:
>
>> This is a shot in the dark, but is your server carrying a root zone or 
>> using hints? I vaguely recall running into similar a few weeks back when
> Bind complained about the pre-defined zones not being in a view when
> I added my views so I removed them.
>
> I added the following to my /var/named/named.zones file:
>
> zone "." in{
>   type hint;
>   file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
> I restarted named and I am still getting the SERVFAIL error.
>
> It looks like having those zones is not making a difference.
>
> Thanks,
>   Neil
>
> --
> Neil Aggarwal, (972)834-1565, http://UnmeteredVPS.net/centos
> Virtual private server with CentOS 6 preinstalled
> Unmetered bandwidth = no overage charges
>


Re: DNS with several ip adessess

2013-12-30 Thread Sten Carlsen
I do this with views, the internal view has recursion the external does not.

I would be interested to hear other ways to do this.


On 30/12/13 10.27, Måns Hagström wrote:
> Hi,
>
> I'm running the same DNS for both my local and global adress-spaces. That is, 
> when I'm on my local net, I want the DNS to reply with my
> local 192.168.0.1-address, and when users from the 'outside' global net 
> queries my DNS, it shall return the global xxx.xxx.xxx.xxx ip-address.
>
> My problem is that I have to allocate both the local and the global address 
> to the same domain-name, giving the result that both my local and global
> ip-address are exposed for the users. Is it possible to isolate the query so 
> that the local users get the local ip-address and the global gets the global 
> ip-address for the same domain-name?
>
> I'm running BIND 9.9.2
>
> BR
> Mons


Re: Slowing down bind answers ?

2014-01-05 Thread Sten Carlsen
You might also make a list of those who use the old server, send a
message (assuming the management system allows identification) that the
service goes down at a specific date in e.g. a month from that date. And
then remove it. Threats are not worth much if they are not followed through.

The point here is that no one can say they were not warned.

You might offer help to reconfigure to the people.


On 05/01/14 15:13, Phil Mayers wrote:
> On 05/01/2014 13:25, Timothe Litt wrote:
> 
>> To get people's attention, NXDOMAIN to www.* queries is often reasonably
> 
> Interesting idea; implemented how?
> 
>> It may be better to simply alias (if necessary, route) the old IP
> 
> Piece of advice for anyone not already doing this; when you deploy
> recursive resolvers, do them on "portable" IPs, not IPs from the subnet
> they live on, and direct the DNS traffic to them with static /32 or /128
> routes. You'll be glad you did later.
> 
>> instructions on how to reconfigure.  If you have the ownership data,
> 
> If you don't, you've got big(ish) problems ;o)



Re: Slowing down bind answers ?

2014-01-05 Thread Sten Carlsen

On 05/01/14 21.55, Nicolas C. wrote:
>
>
> As I said in my original request : I did the query logging / warning
> but it had no effect.
>
> I could hold them at gunpoint until they change their configuration
> but we have strict gun laws in France :)
>
Personally I would cut off access for all that is not a life support
system - that is also a kind of gun point?


Re: Slowing down bind answers

2014-01-07 Thread Sten Carlsen

On 07/01/14 14.16, Bob McDonald wrote:
> > Unless the goal is to move all DNS services off that subnet.  Our
> network
> > staff would love to reclaim the /24 our DNS servers are tying up
> with very
> > little else on it wasting 250 addresses.
>
> I'm not sure I'm describing a properly configured anycast environment
> well.  Since in anycast the client never see the "physical" address of
> a DNS server, it matters not where they (the DNS server(s))
> "physically" are (only if they are in the anycast cloud or not).  You
> can move them around (insert/delete servers to/from the cloud) to your
> heart's content and the client doesn't know.  The requirement here (to
> avoid having clients left on legacy devices) is that all the affected
> servers be in the anycast cloud and all of your client devices point
> to the "logical" anycast address for DNS resolution NOT the "physical"
> address(es) of the DNS server(s).  You add the new server(s) to the
> cloud and delete the legacy server(s) from the cloud.  Easy peasey. 
> Obviously, this takes some up front planning and having a group of
> servers on the same subnet is probably not a good idea (although it
> could be interesting from a load sharing perspective...).  YMMV, it's
> just a thought.
If I understood the problem correctly, the address the anycast would
take is the address the clients actually use and the new servers can be
set anywhere. In this case they want to free that address for other
purposes.
Again if I understand this correctly anycast might be fine for future
but a bit too late in this case.
>
>


Re: Generic reasons for recursive performance not to peg CPU?

2014-01-12 Thread Sten Carlsen
Wild guess: network bandwidth runs out before CPU? Why the difference, I
have no clue.

On 13/01/14 02.16, Doug Barton wrote:
> Howdy,
>
> Without going into too much detail, doing some performance testing and
> am seeing a weird result. On the same systems authoritative queries
> will happily peg the CPU. However when running recursive queries (with
> a small zone, all data cached before testing) the CPU never gets above
> 80%. The disk is nearly inactive on both systems, and there is no
> swapping. Using BIND 9.9.4.
>
> Is there perhaps something obvious I'm overlooking here? Any
> suggestions are welcome.
>
> Doug


Re: DNS passthrough on no explicit result?

2014-01-31 Thread Sten Carlsen
>> a hard time searching for it because of that. (So I apologize if this
>> is then a dumb question).
>>
>> Any help you can offer is much appreciated. Thanks!
>> Steve
>>



Re: SERVFAIL @google

2014-02-10 Thread Sten Carlsen
Did you check the serial? And double-check. I mean the serial of your uploaded 
new data.

I have once missed that to the effect that no updates happened.

On February 10, 2014 12:29:41 PM CET, Lucio Crusca  wrote:
>In data lunedì 10 febbraio 2014 11:25:59, Steven Carr ha scritto:
>> On 10 February 2014 11:20, Lucio Crusca  wrote:
>> > Ok, so what should I do now? I want the NS records to point to
>> > ns0|1.virtual-bit.com. Should I change anything in my zone file or
>should
>> > I
>> > open a new ticket at my domain provider?
>> 
>> Contact the domain provider and ask them to either update the records
>> for you, or they will probably tell you to login to their portal and
>> update them yourself.
>
>I've already updated them myself through their portal a few days ago,
>so now I 
>suspect there's something wrong with their portal.
>
>Thanks for the help.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: using views, normal to see non-authoritative for the views?

2014-02-21 Thread Sten Carlsen

On 21/02/14 19.11, Linda W wrote:
> I just started using views in bind-9.9.9-P2
>
> Where before I had my internal+external addrs listed, I offered
> responses/services via
> ACL to internalnets,
>
> Recently, I decided to use a split view config between external and
> internal
> (internal addrs being 192.168...).
I wonder why the external view does not have a "match-clients"
statement? When it is listed first, I would assume the internal view
never will be asked?
>
> I now get messages upon startup about my bind server being
> non-authoritative for
> both internal and external addrs (for each subnet I am a master for).
>
> I never used to get that message when they were all in a root config.
>
> Do I need to somehow "delegate" from the root to each zone, or why would
> I be getting non-authoritative for the same data that is now split
> into views?
>
> Any insights/hints would be appreciated -- since it's my first time
> using them, I've no clue if the messages indicate I did something
> wrong...
>
> Am attaching the basic named.conf setup.. with, what I hope,
> are the irrelevant parts deleted...
>

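A small lint for the two view pitfalls raised in this thread and in the earlier "stealth with views" and "DNS with several ip adessess" replies (an external view listed first without match-clients shadowing the internal one, and a view reachable from anywhere that still recurses), added here as an example and not code from the thread. It assumes a single named.conf with plain view blocks and // or # comments; /* */ comments and include files are not handled.

```shell
#!/bin/sh
# Added example, not code from the thread: lint named.conf views for the
# mistakes discussed above. Views are tried in file order, so a view with no
# match-clients (or a plain "any") shadows every view after it, and a view
# reachable from any client should not be a recursive resolver.
# Assumption: one file, plain "view" blocks, // or # comments only.

# lint_views FILE -> prints one finding per line; exit status = findings
lint_views() {
    awk '
    {
        line = $0
        sub(/\/\/.*/, "", line); sub(/#.*/, "", line)            # drop comments
        if (depth == 0 && line ~ /^[ \t]*view[ \t]+"[^"]+"/) {    # new top-level view
            match(line, /"[^"]+"/)
            cur = substr(line, RSTART + 1, RLENGTH - 2)
            order[++n] = cur
        }
        if (cur == "" && line ~ /recursion[ \t]+no/) global_no = 1  # options { recursion no; }
        if (cur != "") {
            if (line ~ /match-clients/) { capturing = 1; buf = "" }
            if (capturing) {                                      # may span lines
                buf = buf line
                if (line ~ /\}/) {
                    capturing = 0
                    sub(/.*match-clients[ \t]*\{/, "", buf); sub(/\}.*/, "", buf)
                    gsub(/[ \t]/, "", buf); mc[cur] = buf         # e.g. "!internals;any;"
                }
            }
            if (line ~ /recursion[ \t]+yes/) rec[cur] = "yes"
            if (line ~ /recursion[ \t]+no/)  rec[cur] = "no"
        }
        depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
        if (depth == 0) cur = ""
    }
    END {
        for (i = 1; i <= n; i++) {
            v = order[i]
            from_any = !(v in mc) || mc[v] ~ /(^|;)any(;|$)/
            if (i < n && !(v in mc)) {
                printf("view \"%s\" has no match-clients, so view \"%s\" after it is unreachable\n", v, order[i + 1]); bad++
            } else if (i < n && mc[v] ~ /(^|;)any(;|$)/ && mc[v] !~ /!/) {
                printf("view \"%s\" matches any, so view \"%s\" after it is unreachable\n", v, order[i + 1]); bad++
            }
            # BIND defaults to recursion yes unless options or the view says no
            recursive = (rec[v] == "yes") || (rec[v] == "" && !global_no)
            if (from_any && recursive) {
                printf("view \"%s\" is reachable from any client and recurses (open resolver)\n", v); bad++
            }
        }
        exit bad
    }' "$1"
}

# Usage: sh lint-views.sh check /etc/named.conf  (nothing runs without "check")
if [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
    lint_views "$2"
fi
```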

Re: Bind vs flood

2014-02-27 Thread Sten Carlsen
Doesn't this look like a DDOS attack on the spoofed origin of the queries?


On 27/02/14 16:18, Ben Croswell wrote:
> I guess I am missing why anyone on the internet should be able to open
> queries against your caching resolver. 
> 
> Why would in bound queries be allowed to servers that are for your
> people to get out?
> 
> On Feb 27, 2014 10:13 AM, "Ivo" <i...@nic.lv> wrote:
> 
> Hi Dmitry,
> 
> We observed that similar requests are landing on our cache resolver
> mostly from various home routers running dns server as open resolver
> and that also masquerades the original request source.
> We have a collection of ~60 domains involved and most of them are
> related to China. The problem is that attacker selects few domains
> and generates queries with random hostnames which therefore are not
> in the cache and server has to perform recursion for each query. So
> each query will consume one udp or tcp socket for at least 10
> seconds because remote DNS server is responding slowly or is down
> and based on a query volume it can effectively overload the cache
> server.
> 
> Initially we thought we could fix it with " resolver-query-timeout",
> but after bind code analysis it seems that everything less that 10
> seconds would be ignored, it would be great to mention this in the
> documentation.
> So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and
> recompile named, but  it would be nice to understand why 10 seconds
> as minimum value were selected in the first place, see
> /lib/dns/resolver.c
> 
> #define MAX_SINGLE_QUERY_TIMEOUT 9U
> #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U) 
> 
> snip
> 
> void
> dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int
> seconds) {
> REQUIRE(VALID_RESOLVER(resolver));
> if (seconds == 0)
> seconds = DEFAULT_QUERY_TIMEOUT;
> if (seconds > MAXIMUM_QUERY_TIMEOUT)
> seconds = MAXIMUM_QUERY_TIMEOUT;
> if (seconds < MINIMUM_QUERY_TIMEOUT)
> seconds =  MINIMUM_QUERY_TIMEOUT;
> resolver->query_timeout = seconds;
> }
> 
> We also tried to create local dummy zones for all these domains but
> since domains change frequently we started to block most active open
> resolvers and coordinate with local CERT.
> 
> It would be nice to have some kind of rate limits for query volume
> of different hosts inside a single zone.
> 
> Best regards,
> 
> Ivo
> 
> 
> On 2/27/14 7:59 AM, Dmitry Rybin wrote:
>> Over 2 weeks ago begins flood. A lot of queries:
>>
>> niqcs.www.84822258.com
>> vbhea.www.84822258.com
>> abpqeftuijklm.www.84822258.com
>> adcbefmzidmx.www.84822258.com
>> and many others.
>>
>> Bind answers with "Server failure". On high load (4 qps) all
>> normal client can get Servfail on good query. Or query can execute
>> more 2-3 second.
>>
>> Recursion clients via "rndc status" 300-500.
>>
>> I can try to use rate limit:
>> rate-limit {
>> nxdomains-per-second 10;
>> errors-per-second 10;
>> nodata-per-second 10;
>> };
>> I do not see an any improvement.
>>
>> Found one exit in this situation, add flood zones local.
>>
>> What can we do in this situation?

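A detector for the random-subdomain pattern Ivo and Dmitry describe, run over BIND query-log lines, added here as an example and not code from the thread. The attack signature is a domain that receives many queries for names that are almost all distinct (each one a cache miss that ties up a recursion slot); the sample log lines are constructed, the source addresses are documentation ranges, and grouping by the last two labels is a simplification that ignores the public suffix list.

```shell
#!/bin/sh
# Added example, not code from the thread: find domains being hit with
# random-label queries in a BIND query log, and the sources sending them
# (the open resolvers or spoofed clients to block or report to the CERT).
# Log format assumed: "client IP#port (name): query: NAME IN TYPE ...".

# find_flood LOG MIN_DISTINCT MIN_PERCENT
#   Prints every domain (last two labels, an approximation) with at least
#   MIN_DISTINCT distinct query names where distinct names are at least
#   MIN_PERCENT of its queries, followed by the per-source distinct counts.
find_flood() {
    awk -v min="$2" -v pct="$3" '
    / query: / {
        qname = ""; client = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "query:") qname = $(i + 1)
            if ($i == "client") { client = $(i + 1); sub(/#.*/, "", client) }  # drop port
        }
        n = split(qname, lab, ".")
        if (n < 2 || client == "") next
        dom = lab[n - 1] "." lab[n]
        total[dom]++
        if (!((dom, qname) in seen)) { seen[dom, qname] = 1; distinct[dom]++ }
        if (!((dom, client, qname) in cseen)) {
            cseen[dom, client, qname] = 1; per_client[dom, client]++
        }
    }
    END {
        for (dom in total) {
            if (distinct[dom] < min || distinct[dom] * 100 < total[dom] * pct) continue
            printf("%s total=%d distinct=%d\n", dom, total[dom], distinct[dom])
            for (key in per_client) {
                split(key, p, SUBSEP)
                if (p[1] == dom) printf("  source %s distinct=%d\n", p[2], per_client[key])
            }
        }
    }' "$1"
}

# Constructed sample log: twelve random labels under www.84822258.com (the
# domain quoted in the thread) from two sources, plus ordinary repeated
# queries for www.example.com that a cache answers without recursing.
write_sample_log() {
    out=$1; : > "$out"; t=0
    for src_lab in 203.0.113.5:niqcs 203.0.113.5:vbhea 203.0.113.5:abpqeftuijklm \
                   203.0.113.5:adcbefmzidmx 203.0.113.5:qzlmw 203.0.113.5:hgtrx \
                   203.0.113.5:plkduy 198.51.100.7:mznqvc 198.51.100.7:rtyuio \
                   198.51.100.7:xswedc 198.51.100.7:bnmvkl 198.51.100.7:cfghjt; do
        src=${src_lab%%:*}; lab=${src_lab#*:}
        t=$((t + 1))
        printf '27-Feb-2014 10:13:%02d.000 client %s#4231 (%s.www.84822258.com): query: %s.www.84822258.com IN A + (192.0.2.53)\n' \
            "$t" "$src" "$lab" "$lab" >> "$out"
    done
    for i in 1 2 3 4 5 6; do
        printf '27-Feb-2014 10:14:%02d.000 client 192.0.2.10#5300 (www.example.com): query: www.example.com IN A + (192.0.2.53)\n' \
            "$i" >> "$out"
    done
}

# Usage: sh flood-scan.sh scan QUERYLOG [MIN_DISTINCT] [MIN_PERCENT]
if [ "${1:-}" = "scan" ] && [ -n "${2:-}" ]; then
    find_flood "$2" "${3:-50}" "${4:-80}"
fi
```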


Re: Zone transfer doesn't work when I set allow-update statement

2014-04-29 Thread Sten Carlsen

On 29/04/14 14.50, Jeronimo L. Cabral wrote:
> Dear, thanks for your help.
>
> Please, the last question: can I dynamically update a zone and, when
> necessary, make a freeze, manually add/delete records, and after that
> make a thaw to continue with the dynamic update? In other words, a
> mix between dynamic and manual update.
>
I do this, not often, works as expected. Do be careful not to interfere
with the DHCP administered entries.
> Thanks again,
>
> JeLo
>
>
> On Fri, Apr 25, 2014 at 6:04 PM, Evan Hunt <e...@isc.org> wrote:
>
> On Fri, Apr 25, 2014 at 05:29:30PM -0300, Jeronimo L. Cabral wrote:
> > But the master zone is not refreshed until I execute "service bind9
> > restart" ("service bind9 reload" doesn't refresh the master zone).
>
> The zone has been updated, but the changes are stored in a journal
> file
> ("zonefile.jnl").  You can look at the contents of the journal file
> with "named-journalprint ".
>
> If you want to dump the current version of the zone to disk so you
> can look at the whole thing, use "rndc sync ".
>
> (That's assuming this is a fairly recent BIND.  If it doesn't support
> sync, use "rndc freeze ; rndc thaw ".)
>
> --
> Evan Hunt -- e...@isc.org <mailto:e...@isc.org>
> Internet Systems Consortium, Inc.
>


Re: Promoting a slave to master gives syntax error

2014-04-29 Thread Sten Carlsen
>>>
>>> Apparently the systems expects to see a zone file in text format but
>>> because it's in binary it fails. I also tested it with:
>>>
>>> # named-checkzone 24.3.10.in-addr.arpa
>>> /var/cache/bind/db.24.3.10.in-addr.arp
>>> ... Output omitted ...
>>> dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax
>>> error
>>> dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax
>>> error
>>> dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax
>>> error
>>> dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax
>>> error
>>> dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax
>>> error
>>> dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:16: syntax
>>> error
>>> dns_master_load: /var/cache/bind/db.24.3.10.in-addr.arpa:17: syntax
>>> error
>>> /var/cache/bind/db.24.3.10.in-addr.arpa: file does not end with newline
>>> zone 24.3.10.in-addr.arpa/IN: loading from master file
>>> /var/cache/bind/db.24.3
>>> .10.in-addr.arpa failed: syntax error
>>> zone 24.3.10.in-addr.arpa/IN: not loaded due to errors.
>>>
>>> I know I must be doing something fundamentally wrong here but I
>>> couldn't
>>> find a guide how to do this properly. Any ideas?
>>>
>>> I am using bind version 9.9.5-3-Ubuntu ( the stock binary that comes
>>> with Ubuntu 14.04 64 bit) and the compiled parameters are:
>>> named[7817]: built with '--prefix=/usr' '--mandir=/usr/share/man'
>>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
>>> '--localstatedir=/var' '--enable-threads' '--enable-largefile'
>>> '--with-libtool' '--enable-shared' '--enable-static'
>>> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
>>> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
>>> '--enable-filter-' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>>


Re: test bind before moving to production

2014-07-03 Thread Sten Carlsen


On 03/07/14 16:39, Jeremy C. Reed wrote:
> On Thu, 3 Jul 2014, brian wrote:
> 
>> I'm new to bind. I want to be able to test the dns server on my local
>> machine before launching it by putting the domain names (ie example.com) in
>> my browser and browsing the site.
>>
>>
>> Both the dev and production machines are CentOS. I assume I'll need to edit
>> the host file to redirect to the local dns. But with this method I'm not
>> sure how it will resolve multiple domains (i.e. example.com and
>> example2.com).
> 
> The host file (/etc/hosts I assume) won't help. You can use 
> /etc/resolv.conf and have nameserver line point to your localhost for 
> testing.
> 
> Or use dig with the @ argument to set the address of the nameserver to 
> use. For example, "dig @127.0.0.1 www.example.com". Then also try that 
> from outside systems to using the @ with the network interface's 
> address.
And note that the name server will not be publicly used until it is
published through the whole DNS chain. That means there is no reason you
could not put everything in place, even public-facing servers; nobody
will use them until they are referenced properly.




Re: Digging to the final IP

2014-10-19 Thread Sten Carlsen
Would "host" be closer to what you want?



> On 19 Oct 2014, at 08:05, Karl Auer  wrote:
> 
>> On Sun, 2014-10-19 at 00:26 -0500, Frank Bulk wrote:
>> Is there a dig option that will list out the final (IPs) or query result??
>> By default, even with +short, it can list intermediate CNAME(s) and not what
>> IP(s) that CNAME may have.
> 
> Not great, but might be enough to be helpful:
> 
>   dig +nonssearch $1 | egrep -i "STATUS|^$1"
> 
> Regards, K.
> 
> -- 
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
> 
> GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
> Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A


Re: can't-resolve

2014-12-28 Thread Sten Carlsen
If there is no firewall, then what about fixed routing that allows one IP 
access but not the other?

Your focus should be to find the difference between the two IPs in the network. 
If the same configuration works on one IP but not on the other, then the 
configuration should not be the main point of interest.

My 0.02$


> On 28 Dec 2014, at 09:09, Ejaz  wrote:
> 
> Thanks for the suggestion 
> 
> I am sure there is no firewall at all. Also, see: I have now reassigned my
> previous IP, which is 212.119.64.12, and after that everything is fine. It
> wouldn't have worked with this IP if there were a firewall on the box??
> 
> Regards,
> Mohammed Ejaz
> CYBERIAR SAUDI ARABIA
> P.O.Box 301079, Riyadh 11372, Saudi Arabia
> Tel: +966 11 464 7114 Ext. 140
> Fax: +966 11 465 4735
> 
> -Original Message-
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Warren Kumari
> Sent: Saturday, December 27, 2014 2:27 AM
> To: Barry Margolin
> Cc: comp-protocols-dns-b...@isc.org
> Subject: Re: can't-resolve
> 
> Also, from querying from the outside (with TCP):
> 
> ~# dig +tcp www.auth-servers.net @212.119.64.228
> ; <<>> DiG 9.10.1-P1 <<>> +tcp www.auth-servers.net @212.119.64.228
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20716
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.auth-servers.net.  IN  A
> 
> ;; Query time: 8260 msec
> ;; SERVER: 212.119.64.228#53(212.119.64.228)
> ;; WHEN: Fri Dec 26 18:18:30 EST 2014
> ;; MSG SIZE  rcvd: 49
> 
> Then trying the same query a few seconds later:
> dig +tcp www.auth-servers.net @212.119.64.228
> 
> ; <<>> DiG 9.10.1-P1 <<>> +tcp www.auth-servers.net @212.119.64.228
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> This really looks like a firewall -- perhaps there is some firewall software
> on the box itself?
> 
> W
> 
> 
>> On Fri, Dec 26, 2014 at 6:17 PM, Warren Kumari  wrote:
>> What OS is this machine running?
>> 
>> Interestingly enough, it is unpingable, and a quick nmap fingerprints it
>> as:
>> Running: Sun Solaris 8
>> OS CPE: cpe:/o:sun:sunos:5.8
>> OS details: Sun Solaris 8 (SPARC)
>> 
>> nmap could only find one open port (TCP 53 :-)) and so its
>> fingerprinting is unreliable, but it *does* look like you are behind a
>> firewall-type device.
>> It is unusual for machines themselves to not respond to pings.
>> 
>> fpdns says:
>> fingerprint (212.119.64.228, 212.119.64.228): ISC BIND 9.2.3rc1 --
>> 9.6.1-P1 [recursion enabled]
>> 
>> 
>> 
>> On Fri, Dec 26, 2014 at 5:55 PM, Barry Margolin wrote:
>>> In article ,
>>> "Ejaz"  wrote:
>>> 
>>>> I am sure sir there is no firewall on  in the server you can make 
>>>> sure by telnet to the port 53 of this IP 212.119.64.228
>>> 
>>> That doesn't mean anything. The firewall may be blocking OUTGOING 
>>> packets to port 53, or they're blocking the returning replies (which 
>>> go to an ephemeral port).
>>> 
>>>> 
>>>> 
>>>> Regards,
>>>> Mohammed Ejaz
>>>> CYBERIAR SAUDI ARABIA
>>>> P.O.Box 301079, Riyadh 11372, Saudi Arabia
>>>> Tel: +966 11 464 7114 Ext. 140
>>>> Fax: +966 11 465 4735
>>>> 
>>>> -Original Message-
>>>> From: bind-users-boun...@lists.isc.org 
>>>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - 
>>>> fantomas
>>>> Sent: Friday, December 26, 2014 7:35 PM
>>>> To: bind-users@lists.isc.org
>>>> Subject: Re: can't-resolve
>>>> 
>>>>> On 26.12.14 19:21, Ejaz wrote:
>>>>> When I run "dig a yahoo.com @212.119.64.228", below is the output.
>>>>> 
>>>>> yahoo.com. (38)
>>>>> 17:39:41.363532 IP 212.119.64.228.37891 > 212.119.64.228.domain: 34168+
>>>>> [1au] A? yahoo.com. (38)
>>>>> 17:39:42.246993 IP 212.119.64.228.53702 > 192.5.5.241.domain: 58238
>>>>> [1au] A? yahoo.com. (38)
>>>>> 17:39:42.247012 IP 212.119.64.228.

Re: Setup our OWN DNS Server

2015-01-30 Thread Sten Carlsen

You might be interested in my setup:

I have 2 views, one accessible from inside my network and one from the
outside.

- Inside view is recursive as well as authoritative for my internal
hosts. Everything is in the 192.168.x.x range. This view is dynamically
updated by the DHCP server.

- Outside view is only authoritative for my public names. This view has
fewer entries and serves public IPs. It functions as a stealth master
for 5 public servers.


This setup provides full flexibility and allows me to use the same names
for the internal and the external IPs of my servers.

It is also faster in normal use in terms of resolution speed.


-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!"
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
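The two-view layout described in the post above, written out as an added example named.conf (not Sten's own configuration): the "internal" ACL, the TSIG key name, the zone names, the file paths and the five secondary addresses are all assumptions.

```conf
// Added example, not the poster's configuration. The ACL, key name, zone
// names, file paths and the five secondary addresses are assumptions.

acl "internal" { 127.0.0.0/8; 192.168.0.0/16; };

// The five public servers that carry the outside zone. They are the only
// NS records in outside/example.org.db; this host is never listed there,
// which is what makes it a stealth master.
acl "public-secondaries" {
    192.0.2.1; 192.0.2.2; 198.51.100.1; 198.51.100.2; 203.0.113.1;
};

// TSIG key shared with the DHCP server. Placeholder secret: generate a
// real one with tsig-keygen and configure the same key in dhcpd.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT";
};

view "inside" {
    match-clients { "internal"; };
    recursion yes;                         // resolver for the LAN only
    allow-transfer { none; };

    zone "example.org" {
        type master;
        file "inside/example.org.db";      // 192.168.x.x answers
        // Only the DHCP key may change host records, and only these types
        update-policy { grant dhcp-update zonesub A AAAA TXT; };
    };
    zone "168.192.in-addr.arpa" {
        type master;
        file "inside/168.192.in-addr.arpa.db";
        update-policy { grant dhcp-update zonesub PTR; };
    };
};

view "outside" {
    match-clients { any; };                // everyone not matched above
    recursion no;                          // authoritative only: no open resolver
    allow-transfer { "public-secondaries"; };
    // Stealth master: no NS record points at this host, so NOTIFY has to be
    // sent explicitly to the secondaries instead of being derived from NS
    notify explicit;
    also-notify {
        192.0.2.1; 192.0.2.2; 198.51.100.1; 198.51.100.2; 203.0.113.1;
    };

    zone "example.org" {
        type master;
        file "outside/example.org.db";     // public IPs only, fewer records
    };
};
```

Because the views are matched in order, a client inside the 192.168.0.0/16 range never reaches the "outside" view, and an outside client gets no recursion and no internal addresses.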


Re: A tale of two nameservers - resolution problems

2015-09-01 Thread Sten Carlsen


On 01/09/15 17:46, Robert Moskowitz wrote:
>
> There will be a lot of arm IoT boxes in the next few years needing
> their time on boot.  Of course booting will not be that frequent, but
> it will interesting to see how it plays out.   And check devices like
> the esp8266, as $6 IoT device.  It also gets its time once connected.
This will be very interesting when all those boxes have fixed addresses
in IPv4 and the environment goes to IPv6. Or those addresses disappear
for whatever reason.
Obsolete devices?
>
>> so you just need to make sure the correct order
>>
>> * ntpdate xx.xx.xx.xx
>> * start ntpd
>> * start named
>
> I will be looking more into this.  Obvious when you get one's nose
> dragged into time wrong on boot.  This is actually a broader problem
> on arm SoC booting.  Your logs all have the wrong time for the boot
> messages until there is a network to get time.  I have some ideas for
> a process that will set time at boot to the time of the last poweroff.
> At least that is 'close enough' for starters.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Questions about .ro domain

2016-02-15 Thread Sten Carlsen
> sec-dns-b.rotld.ro.
> ro. 172800  IN  NS  primary.rotld.ro.
> ro. 172800  IN  NS  sns-pb.isc.org.
> ro. 86400   IN  NSEC    rocher. NS RRSIG NSEC
> ro. 86400   IN  RRSIG   NSEC 8 1 86400
> 2016022505 2016021504 54549 .
> LKnWJRnQdMQ67X7PVrChhY0CuT+A0hpLv1Yh2zOrdglKGGYFQGP+sO24
> A31Uj9g8SAKroH1XlJD000bhm+jTkd9Suf1uefDC8y3hV1HlmwkAzoIE
> cPQ1rKj66R0kVrEfsSYoXK7pau/mq583n7Hw24H6SSuWivQNbHUD+FLt 9rQ=
> ;; Received 624 bytes from 192.33.4.12#53(c.root-servers.net) in 7 ms
>
> ebsromania.ro.  86400   IN  NS  ns02.ebsromania.ro.
> ebsromania.ro.  86400   IN  NS  ns01.ebsromania.ro.
> ;; Received 112 bytes from 193.230.31.230#53(sec-dns-b.rotld.ro) in 20151 ms
>
> ;; connection timed out; no servers could be reached
>
> The server running the dig is in the US while a server in NL produces
> this:
>
> ; <<>> DiG 9.9.5-P1 <<>> @127.0.0.1 ns01.ebsromania.ro. +trace
> ; (1 server found)
> ;; global options: +cmd
> .   92407   IN  NS  m.root-servers.net.
> .   92407   IN  NS  b.root-servers.net.
> .   92407   IN  NS  c.root-servers.net.
> .   92407   IN  NS  g.root-servers.net.
> .   92407   IN  NS  h.root-servers.net.
> .   92407   IN  NS  j.root-servers.net.
> .   92407   IN  NS  l.root-servers.net.
> .   92407   IN  NS  a.root-servers.net.
> .   92407   IN  NS  d.root-servers.net.
> .   92407   IN  NS  e.root-servers.net.
> .   92407   IN  NS  i.root-servers.net.
> .   92407   IN  NS  f.root-servers.net.
> .   92407   IN  NS  k.root-servers.net.
> .   518398  IN  RRSIG   NS 8 0 518400
> 2016022505 2016021504 54549 .
> Sh3DsQaxrP1CC31ZxY3fzM2QHKGdZ0sKb3DxI1G974dvdxLubBK7vG5N
> 4A+Cshd8ci/zQmJw6ASWeYL5uUFrS4szqr05FMS8oNLLntbVVWoQTPld
> X+vfmAZo8wQPrVqBHwxJyFucJrWFZN4rWUdhvxrbkoMbYpeqDHGCDioR oow=
> ;; Received 397 bytes from 127.0.0.1#53(127.0.0.1) in 1124 ms
>
> ro. 172800  IN  NS  dns-at.rotld.ro.
> ro. 172800  IN  NS  dns-ro.denic.de.
> ro. 172800  IN  NS  sns-pb.isc.org.
> ro. 172800  IN  NS  primary.rotld.ro.
> ro. 172800  IN  NS  sec-dns-a.rotld.ro.
> ro. 172800  IN  NS  sec-dns-b.rotld.ro.
> ro. 86400   IN  NSEC    rocher. NS RRSIG NSEC
> ro. 86400   IN  RRSIG   NSEC 8 1 86400
> 2016022505 2016021504 54549 .
> LKnWJRnQdMQ67X7PVrChhY0CuT+A0hpLv1Yh2zOrdglKGGYFQGP+sO24
> A31Uj9g8SAKroH1XlJD000bhm+jTkd9Suf1uefDC8y3hV1HlmwkAzoIE
> cPQ1rKj66R0kVrEfsSYoXK7pau/mq583n7Hw24H6SSuWivQNbHUD+FLt 9rQ=
> ;; Received 624 bytes from 198.97.190.53#53(h.root-servers.net) in 436 ms
>
> ebsromania.ro.  86400   IN  NS  ns02.ebsromania.ro.
> ebsromania.ro.  86400   IN  NS  ns01.ebsromania.ro.
> ;; Received 112 bytes from 192.162.16.18#53(primary.rotld.ro) in 147 ms
>
> ns01.ebsromania.ro. 864

Re: writeable file 'domain.com': already in use

2016-06-16 Thread Sten Carlsen


On 16/06/2016 15:57, Alan Clegg wrote:
> Change where it says:  file "foo"; so that you don't have two zones with
> "foo".
You might keep the names but put them in different folders. That would
eventually be different filenames.
>
> AlanC
>
> On 6/16/16, 4:16 AM, "Daniel Dawalibi"  on behalf of daniel.dawal...@idm.net.lb> wrote:
>
>> Do you have the correct syntax to be adjusted on both views?
>>
>> -Original Message-
>> From: bind-users-boun...@lists.isc.org
>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ray Bellis
>> Sent: 16 June, 2016 11:04 AM
>> To: bind-users@lists.isc.org
>> Subject: Re: writeable file 'domain.com': already in use
>>
>> On 16/06/2016 07:53, Daniel Dawalibi wrote:
>>
>>> We are upgrading our DNS authoritative BIND version 9.10.4-P1 but we
>>> are facing "writing errors" on the slave zone files that are
>>> transferred from other Master DNS servers.
>>>
>>> Our configuration consists of two views  (local and inter) and the
>>> domain is configured in both views sections.
>>>
>>> The problem was solved after removing the zone from one VIEW but is
>>> there any workaround for this issue without removing the zone from the
>>> view section (either Local or Inter)?
>> BIND 9.10.4 doesn't allow you to use the same filename for the same zone
>> in
>> different views (since the content should be different).
>>
>> Simply change the "file" directive in one of the views and you should be
>> fine.
>>
>> Ray
>>
>>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: "lame-servers: info: no valid RRSIG resolving ..."

2020-04-17 Thread Sten Carlsen
I see lots of lines like this. They all come from people trying to break into 
my SSH.

-- 
Best regards 
Sten Carlsen 


For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken


> On 17 Apr 2020, at 17.24, btb via bind-users  wrote:
> 
> hi-
> 
> i'm seeing what i'm wondering if is a lot of "lame-servers: info: no valid 
> RRSIG resolving ..." messages in the logs [on average ~500 messages per day]. 
>  a small snippet:
> 
> 15-Apr-2020 18:11:46.057 lame-servers: info: no valid RRSIG resolving 
> 'jwplayer.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:11:46.150 lame-servers: info: no valid RRSIG resolving 
> 'tranet.net/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:11:47.559 lame-servers: info: no valid RRSIG resolving 
> 'inboxsdk.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:11:49.146 lame-servers: info: no valid RRSIG resolving 
> 'basis.net/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:11:58.474 lame-servers: info: no valid RRSIG resolving 
> 'starfinancial.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:11:59.665 lame-servers: info: no valid RRSIG resolving 
> 'vice.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:09.501 lame-servers: info: no valid RRSIG resolving 
> 'lithium.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:09.756 lame-servers: info: no valid RRSIG resolving 
> 'sc-static.net/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:10.004 lame-servers: info: no valid RRSIG resolving 
> 'snapchat.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:12.638 lame-servers: info: no valid RRSIG resolving 
> 'yimg.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:16.823 lame-servers: info: no valid RRSIG resolving 
> 'transamerica.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:16.932 lame-servers: info: no valid RRSIG resolving 
> 'quantummetric.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:17.129 lame-servers: info: no valid RRSIG resolving 
> 'tealiumiq.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:17.171 lame-servers: info: no valid RRSIG resolving 
> 'bounceexchange.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:22.971 lame-servers: info: no valid RRSIG resolving 
> 'mwefinancial.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:23.248 lame-servers: info: no valid RRSIG resolving 
> 'redditmedia.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:23.869 lame-servers: info: no valid RRSIG resolving 
> 'imtwjwoasak.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:25.189 lame-servers: info: no valid RRSIG resolving 
> 'b.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:25.313 lame-servers: info: no valid RRSIG resolving 
> 'jquery.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:26.555 lame-servers: info: no valid RRSIG resolving 
> 'forter.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:29.008 lame-servers: info: no valid RRSIG resolving 
> 'quovadisoffshore.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:29.029 lame-servers: info: no valid RRSIG resolving 
> 'quovadisglobal.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:29.974 lame-servers: info: no valid RRSIG resolving 
> 'mixpanel.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:35.786 lame-servers: info: no valid RRSIG resolving 
> 'spotify.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:36.982 lame-servers: info: no valid RRSIG resolving 
> 'freeform.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:38.295 lame-servers: info: no valid RRSIG resolving 
> 'edgedatg.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:12:58.190 lame-servers: info: no valid RRSIG resolving 
> 'footprintdns.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:13:01.282 lame-servers: info: no valid RRSIG resolving 
> 'qualifiedaddress.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:13:01.744 lame-servers: info: no valid RRSIG resolving 
> 'dc-msedge.net/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:14:54.009 lame-servers: info: no valid RRSIG resolving 
> 'facebook.com/DS/IN': 192.5.6.30#53
> 15-Apr-2020 18:16:20.039 lame-servers: info: no valid RRSIG resolving 
> 'pphosted.com/DS/IN': 192.5.6.30#53
> 
> a number of these [most?] are zones that are signed, and some don't even 
> exist, so i'm curious about seeing these messages.  what am i not 
> understanding, and/or what can i do to troubleshoot further?
> 
> thanks!



Re: DoH plugin for BIND

2020-05-02 Thread Sten Carlsen
About mail servers from residential IPs. I have done that for a number of 
years, very rarely any issue.

The major problem was that at one time MS required a reverse lookup for the 
actual mail server name. That was then fixed by the ISP and all works again.
In my part of the world it is very bad taste for an ISP to block anything; it's 
not their business.

-- 
Best regards 
Sten Carlsen 


For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken


> On 2 May 2020, at 17.11, Michael De Roover  wrote:
> 
> I'm sure that most of the list members here are aware of how net neutrality 
> and the internet in general works - we're internet operators after all. What 
> we're here for is ports and protocols, not policy or internet culture. On 
> that subject, we are not policy makers. Let's leave that to politicians who 
> studied for it. Vote some technical people in government while we're at it, 
> but I digress.
> 
> The DoT/DoH argument or what a mail server could be operated from is not one 
> of policy.. well maybe mail servers are, to some extent. Perhaps there's some 
> ISP employees here too. Those are in power to allow or disallow things on 
> their network. But DoT/DoH certainly isn't. What are we supposed to worry 
> about? How do we implement this new encrypted DNS. Do we piggyback off an 
> existing port and rely on its ubiquitous allowance on the internet or do we 
> create a new port for it, where we can make a dedicated new protocol suite?
> 
> On 5/2/20 5:03 PM, Reindl Harald wrote:
>> 
>> Am 02.05.20 um 16:39 schrieb Paul Kosinski via bind-users:
>>> I wasn't complaining about port 25, I was just citing it as a
>>> counterexample to the claim that ISPs "must" pass all traffic.
>> https://en.wikipedia.org/wiki/Net_neutrality
>> 
>>> I think that most ISPs tell customers how to set up their email clients
>>> (NUAs) including what port to use. Of course it seems that now most
>>> people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
>>> so they never see port numbers.
>>> 
>>> 
>>> On Sat, 2 May 2020 15:51:58 +0200
>>> Reindl Harald  wrote:
>>> 
>>>> Am 02.05.20 um 15:41 schrieb Michael De Roover:
>>>>> In my experience and from what I've heard, very few.
>>>> if that would be true how comes that most mail clients still default to
>>>> 25 for submission and years after closing port 25 on our mailserver i
>>>> still struggle with customers smartphones still not using 587?
>>>> 
>>>> in fact 10 years ago some ISP's *tried* to kill outbound port 25 because
>>>> there is no point in using it from a homemachine and at that time we
>>>> struggled also to explain to our customers that 25 is plain wrong
>>>> 
>>>> finally they gave up because the damage of open port 25 is killed with
>>>> dnsbl but the customer support went crazy with "why can't i send email
>>>> with my internet connection"
>>>> 
>>>>> Even if your ISP allows it, chances are that other mail servers will 
>>>>> reject it
>>>> that's a completely different story
>>>> 
>>>>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>>>>> How many ISPs allow traffic on port 25? My impression is that even many
>>>>>> (non-enterprise) business customers can't use port 25
> -- 
> Met vriendelijke groet / Best regards,
> Michael De Roover



Re: DoH plugin for BIND

2020-05-02 Thread Sten Carlsen

On 03-05-2020 01.59, Noel Butler wrote:
>
> On 03/05/2020 02:17, Sten Carlsen wrote:
>
>> About mail servers from residential IPs. I have done that for a
>> number of years, very rarely any issue.
>>  
>  
> Most SP's do this
>  
>  
>> The major problem was that at one time MS required a reverse lookup
>> for the actual mail server name.
>  
> Many SP's still do this, some take it the extra mile and block
> anything with things like  cpe/dsl/cable/hfc/dyn/ppp... etc
> in the hostname, we still do it, have done for over 20 years and seen
> no collateral damage.
>  
>> .
>> In my part of the world it is very bad taste for an ISP to block
>> anything, its not their business.
>>  
>>  
>  
> Ordinarily, I agree, but the overall security and protection of the
> network must come first, the protection of the majority must come
> first.  Then there's the law, in Australia we are required as part of
> the outcome of the iinet V hollywood, to block pirate sites, 99% do
> this by DNS, the Federal court accepts this method, the Federal court
> knows it can be avoided by most 8yos in under 10 seconds, it's the
> sweet spot everybody agreed to so they approved it.
>
> There are also other laws that require its use as well.  That said we
> don't block any ports and have no intention of.
>
> That said, DoH is fairly pointless here because there is no
> requirement to log DNS queries, most of us have far better things to
> do than to know who's going where, none that I know do it, though
> there is a question of Telstra mobile
>
> let's face it, if we really want to know who's going where, netflow
> tells us a whole lot more anyway
>
I agree, if you really want to be anonymous the only way I know is TOR.
Maybe there should be a way to get DNS through TOR?
>
>
>
> -- 
>
> Kind Regards,
>
> Noel Butler
>
> This Email, including attachments, may contain legally privileged
> information, therefore remains confidential and subject to copyright
> protected under international law. You may not disseminate any part of
> this message without the authors express written authority to do so.
> If you are not the intended recipient, please notify the sender then
> delete all copies of this message including attachments immediately.
> Confidentiality, copyright, and legal privilege are not waived or lost
> by reason of the mistaken delivery of this message.
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!" 



Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Sten Carlsen
I have been doing that for quite some time without knowing it should be 
difficult.

I have a domain (in the mail address) which is properly delegated to servers 
and signed. Internally, in house, I have a number of other internal hosts and 
one subdomain.

The internal versions have RFC1812 IPs and the outside ones have public IPs.

Both sides are signed by the same key.

The way this is organised is that I use two views, one internal and one 
external, I set both to be signed using:

options {
    directory "/var/named/data";
    auth-nxdomain no;
    dnssec-enable yes;
    dnssec-validation auto;
    allow-query { any; };
    allow-transfer { any; };          // any host may pull a full zone (AXFR)
    listen-on-v6 { any; };
    sig-validity-interval 30 20;      // signatures valid 30 days, re-signed after 20
    dnssec-loadkeys-interval 60;      // re-read the key directory every 60 minutes
};

Never caused any problems. The downside is that I use views and have to manage 
both sides.
--
Best regards
Sten Carlsen


For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken


> On 6 May 2020, at 19.01, Grant Taylor via bind-users 
>  wrote:
> 
> Hi,
> 
> What is the proper way to delegate to a private / hidden sub-domain?
> 
> I have a globally registered domain, call it example.net for this thread, 
> that has multiple sub-domains that I'd like to be properly delegated to 
> internal labs; lab#.example.net.
> 
> Example.net itself is following all the industry standards and best practices 
> that I'm aware of; registered (read: rented), delegated from roots to 
> multiple public DNS servers which respond to the world.
> 
> I would like to delegate lab1.example.net in such a way that the outside 
> world sees a delegation to what is effectively an empty zone (save for SOA / 
> NS / etc.) on a public server.  However I'd like the internal lab systems see 
> a delegation to a private zone that has all the necessary records in the lab.
> 
> One hack that comes to mind is to have the example.net parent zone delegate 
> to a separate name server with a separate IP and then to anycast that IP & 
> name server inside the lab.  But that would require an additional globally 
> routed IP on the external public Internet.
> 
> I'm not currently worried about supporting DNSSEC, but it would be nice if 
> the solution would allow DNSSEC signing both the public and private zones.  
> With the obvious assumption being the DNS servers would have shared keys to 
> be able to sign their copies of the zone correctly.
> 
> Does anybody have any ProTip(s) on how to go about doing this?  What about 
> gotchas to avoid?
> 
> Thank you and have a nice day.
> 
> 
> 
> --
> Grant. . . .
> unix || die
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
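An added configuration example (not Sten's or Grant's own named.conf) that applies the two-view, same-key arrangement Sten describes to Grant's lab1.example.net case on a single server. The "lab" ACL, the file paths, the key directory, the delegation targets in the comments and the public secondary address are assumptions; the option names are the BIND 9.11-9.16 ones current when the thread was written. Each view gets its own zone file, which is also the rule behind the "writeable file ... already in use" thread above.

```conf
// Added example, not the posters' configuration. The lab ACL, file paths,
// key directory, delegation targets and the secondary address are assumptions.

acl "lab" { 10.0.0.0/8; };

options {
    directory "/var/named/data";
    dnssec-validation auto;
    recursion no;
};

view "internal" {
    match-clients { "lab"; };
    recursion yes;

    zone "example.net" {
        type master;
        file "internal/example.net.db";   // one file per view, never shared
        // internal/example.net.db delegates lab1 to the lab's own server:
        //   lab1    IN NS  ns.lab1.example.net.
        //   ns.lab1 IN A   10.1.0.53
        key-directory "/var/named/keys";  // same key files as the external view
        inline-signing yes;
        auto-dnssec maintain;
        allow-transfer { none; };
    };

    // Full lab copy, served here rather than merely delegated
    zone "lab1.example.net" {
        type master;
        file "internal/lab1.example.net.db";
        key-directory "/var/named/keys";
        inline-signing yes;
        auto-dnssec maintain;
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };

    zone "example.net" {
        type master;
        file "external/example.net.db";   // same zone name, different file
        // external/example.net.db delegates lab1 to this host's public name:
        //   lab1    IN NS  ns1.example.net.
        // A single DS record for lab1 serves both views, because both lab1
        // copies are signed with the same KSK from /var/named/keys.
        key-directory "/var/named/keys";
        inline-signing yes;
        auto-dnssec maintain;
        allow-transfer { 192.0.2.53; };   // assumed public secondary
    };

    // Empty public copy: SOA and NS only, so the delegation resolves for
    // the outside world without exposing any lab records
    zone "lab1.example.net" {
        type master;
        file "external/lab1.example.net.db";
        key-directory "/var/named/keys";
        inline-signing yes;
        auto-dnssec maintain;
        allow-transfer { 192.0.2.53; };
    };
};
```

inline-signing writes a separate .signed file and journal next to each unsigned file, so reusing one `file` path in both views would fail to load for the reason Ray Bellis gives in the thread above.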





Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Sten Carlsen

-- 
Best regards 
Sten Carlsen 


For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken


> On 6 May 2020, at 22.10, Grant Taylor via bind-users 
>  wrote:
> 
> On 5/6/20 1:44 PM, Bob Harold wrote:
>> Good questions.
> 
> :-)
> 
>> I think one possibility (to avoid anycast) is to have an internal and
>> external view for the "example.net" zone, so it can delegate the lab
>> zones to different servers internally and externally.
> 
> But how do you do that if the internal and external views are on different 
> servers with completely different IPs?

I believe the answer must lie in the lookup of a named DNS server, which will 
be resolved to different IPs depending on your location. Then it can point to 
different servers.

> 
> I ask because now you're back to the same issue, just at the parent domain:  
> How does the net zone delegate to different example zones depending on if the 
> client is internal or external.
> 
> I don't see any options that avoid anycast.
> 
>> But that can make the "example.net" zone harder to manage. It would
>> be easier to have a split view for "split.example.net" and lab zones 
>> "lab#.split.example.net", if the extra level was acceptable.
> Please elaborate on what you mean by "split view" here.  I'm used to "split 
> view DNS" being tantamount to what I would use views for.  Which, as 
> previously stated, won't work in this case because the different views are 
> hosted on different servers.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 



Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Sten Carlsen

Thanks

Sten

> On 6 May 2020, at 22.28, Grant Taylor via bind-users 
>  wrote:
> 
> On 5/6/20 2:18 PM, Sten Carlsen wrote:
>> I believe the answer must lie in the lookup of a named DNS server, which 
>> will be resolved to different IPs depending on your location. Then it can 
>> point to different servers.
> 
> If I understand correctly, that would rely on the DNS server's FQDNs being 
> outside of the zone's scope, thus not (potentially) included in the 
> additional information section, which could massively mess with that.

Yes, or being answered from your own servers with data depending on your location.

> 
> 
> 
> --
> Grant. . . .
> unix || die
> 





Re: Hints for forwarding a subdomain on a authoritative server

2020-07-06 Thread Sten Carlsen

Thanks

Sten

> On 6 Jul 2020, at 16.03, Tom  wrote:
> 
> Hi list
> 
> Our BIND (9.16.4) is authoritative for zone "example.com". Now I need to 
> forward a subzone "sub.example.com" to another nameserver instance on the 
> same server, running for example under port 5353:
> 
> A few years ago, this topic was already discussed:
> https://lists.isc.org/pipermail/bind-users/2009-April/076156.html
> 
> My BIND config looks like this:
> == SCHNIPP ==
> zone "example.com" {
>type master;
>file "master/example.com.hosts";
>};
> zone "sub.example.com" {
>type forward;
>forwarders { 127.0.0.1 port 5353; };
>forward only;
>};
> == SCHNAPP ==
> 
> In the zonefile for "example.com" I have a delegation like this (as described 
> in the post above):
> 
> sub.example.com.IN  NS  subns.example.com.
> 
> So, the authoritative server understands not to be responsible for this zone 
> and forwards the request to the other nameserver.
> 
> But: The zone-forwarding is only working when I enable "recursion" on the 
> authoritative server. Does this mean that zone-forwarding really requires 
> recursion?
Yes.
> Is there a better way with not enabling recursion (perhaps with views) to 
> accomplish this?
Stub zones are normally recommended instead.
> 
> Many thanks for any hints.
> 
> Kind regards,
> Tom

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

