CSTA? Are you talking about the Unify Openscape Voice stuff? If so, then
that's a VoIP platform, the SRV records are used for SIP stuff. So the
service name is "sip" or "sips". You can't just make up service names, out
of thin air, for "dumb" devices that have service names baked into their
code --
I'll second the use of tcpdump, and also add that DNS query traffic, using
UDP by default, tends to be hypersensitive to packet loss. TCP will retry
and folks may not even notice a slight drop in performance, but DNS
queries, under the same conditions, can fail completely. Thus, DNS is often
the "c
As someone who has had to deal with the interaction between BIND and
AD-integrated DNS for most of my DNS career, I think it's important, from a
BIND perspective, to understand how a given AD-integrated DNS zone is used.
If clients are registering themselves in the AD zone, then there is going
to b
So, the short answer is that check-names is pretty granular, doing
"check-names response fail" is just asking for trouble, for a resolver at
the Internet edge, since there's too much squirrely stuff out there. Most
folks just limit check-names "fail" to authoritative data (master or slave).
The lo
I'm no expert in DNSTAP, but I see this in the output:
opcode: UPDATE
along with proper reinterpretations of the sections:
ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
How is that "not record[ing} the DNS update"? Are you looking for something
prettier? More detailed?
- Kevin
On Fri,
RFC 1918 forbade the publishing of private addresses outside of the enterprise:
"Indirect references to [private] addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In pa
half Of Grant Taylor
via bind-users
Sent: Wednesday, June 27, 2018 11:04 PM
Cc: bind-users@lists.isc.org
Subject: Re: Domain name based multihome routing?
On Jun 27, 2018, at 12:27 PM, Darcy Kevin (FCA)
wrote:
> I’m not convinced DNS has any valuable role to play here.
I can see the value
IANAL, but even if one considers this scenario to constitute a DDoS attack, and
there is plenty of case law supporting prosecution under CFAA (Computer Fraud
and Abuse Act) for DDoS attacks, CFAA generally requires *intent*, and this
appears to be simple negligence.
"Trespass to chattel" might
Domain Controllers certainly need to have their hostnames registered in the AD
domain, but regular domain-joined members do *not*. We've been running AD for
decades, without registering members in the AD domain. Works fine. Instead, we
get our (non-Microsoft) DHCP servers to register dynamic cli
, 2018 2:18 PM
To: Darcy Kevin (FCA)
Cc: bind-users@lists.isc.org
Subject: Re: Domain name based multihome routing?
On Wed, Jun 27, 2018 at 12:27 PM, Darcy Kevin (FCA)
mailto:kevin.da...@fcagroup.com>> wrote:
I’m not convinced DNS has any valuable role to play here. Seems like this is a
t
I’m not convinced DNS has any valuable role to play here. Seems like this is a
traffic-shaping challenge; maybe one of the open source traffic shaping tools
would fit the bill.
“We are aware that we should not mix the plain text configuration with these
dynamic records (and use a subdomain instead)”
So, why don’t you do that? As far as I know, Domain Controllers still only
maintain SRV records, so the “underscore zones” approach should still work.
Make _tcp.example.co
Sorry, but the "that's what they're there for" argument is often misapplied to
justify reckless, irresponsible or just plain unauthorized use of resources,
and I think this is an example of that.
The AS112 project (https://www.as112.net/), who collectively run those
"blackhole" servers, set the
On a case-by-case basis, one can use stub zones, conditional forwarding, etc.
but if you're looking for a "break Internet standards" switch, I think you're
going to be disappointed. Vix has stopped calling BIND a "reference"
implementation of DNS, but it still tries to set a good example.
"Stealth" implies something that isn't seen in the normal course of activity,
so it's really the *wrong* word to use here, since the apex NS records are seen
during normal iterative resolution, and in fact the apex NS records take
precedence over the delegated NS records in the sense of RFC 2181
Why are you letting the clients register their own addresses in DNS in the
first place? If you want a higher level of control, move the DDNS
responsibility to the DHCP server.
We're getting a little afar of DNS and BIND here, since this is OS networking
configuration stuff, made slightly more complicated by the fact that (as far as
I can see) you didn't specific what OS and/or distro you're running.
So let's get generic.
Google'ing "pppd override resolvers". First hi
Call me a contrarian, but I've never really signed onto the conventional wisdom
that recursive and authoritative roles should never be mixed, even as I've
transitioned into the InfoSec realm, where, generally speaking, we are quite
wary of mixing roles within a single service (more software comp
You mean, don't slave 100.10.in-addr.arpa at all, and just maintain
10.in-addr.arpa locally?
The problem the original poster may run into, however, is that there may be
other records in 100.10.in-addr.arpa that change dynamically, and those changes
may not be reflected if only 10.in-addr.arpa i
Are you asking about the search algorithm in *DNS* (hierarchical, labelwise
exact match, with aliasing and wildcarding special cases), or the algorithm by
which *BIND* -- as one *implementation* of DNS -- accesses data in its internal
structures (modified red-black tree, IIRC)?
You can certainly configure the subdomains that way, but the same resolver
which followed the subdomain.example.com delegation in the first place, to your
BIND instance, will presumably follow the delegation of
sub.subdomain.example.com (as it is published via NS records in the parent
zone) to
But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.
The assumption I made in my post was that the delegation was pointed to the
forwarding BIND instance, which is a non-starter.
- Kevin
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ben
Croswell
S
It doesn't work to delegate to a forwarder; you have to delegate to something
that's authoritative for the zone (master or slave). Delegated nameservers are
expected to have a full copy of the zone, either as the source (master) or
through replication (slave).
Now, if you have restrictions/limi
For this reason, "stub" resolvers typically set RD=1, and only "full-service
resolvers", such as the one integrated into named (although there are
standalone ones, like Knot, Unbound, [1]), generate RD=0 queries. Full-service
resolvers are capable of taking the referrals, and using them to follo
Well, it's not *obvious* how Dynamic Update works in the case of an SOA RR, but
RFC 2136 does say:
3.4.2.2. Any Update RR whose CLASS is the same as ZCLASS is added to
the zone. In case of duplicate RDATAs (which for SOA RRs is always
the case, and for WKS RRs is the case if the ADDRESS an
Just as a general piece of advice, if you're trying to troubleshoot a zonefile
parsing issue, sometimes it's useful to just do a zone transfer of the loaded
zone and eyeball it. This is obviously more practical with a smaller zone (such
as the one you showed) than a huge one, but even if the zon
Appending suffixes to short names to make them legal DNS names, is considered
the responsibility of the *client*, not the *server*.
Look up “resolver search list” (more Unix-ish/Linux-ish) or “suffix search
list” (more Windows-ish), and you should find some useful information.
- Kevin
bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl
Harald
Sent: Wednesday, August 09, 2017 6:48 PM
To: bind-users@lists.isc.org
Subject: Re: bind-chroot, runs, works, dies
Am 10.08.2017 um 00:35 schrieb Darcy Kevin (FCA):
> I’m not very familiar with Fedora, but on Redhat,
I’m not very familiar with Fedora, but on Redhat, at least, there is no /run
directory. Which makes me think that “/var/named/chroot/run/named/named.pid” is
a misconfiguration. That would be seen as “/run/named/named.pid” from *within*
the chroot. Following usual conventions, I think you probabl
The bottom line is that a *zone* is the basic administrative unit of
AXFR/IXFR-based replication. If you create a new zone and you want a replica to
serve it, you need to configure the replica to replicate it. There is no
"automatic" mechanism within BIND to tell replicas to start slaving new zo
You have a trailing dot in the zone definition. It makes a difference.
Personally, I wouldn't use forwarding at all, and I'd build this for
scalability. Define a master zone for, say, 168.136.dnssd.presto, and then
delegate from that to whatever address ranges you deploy Presto to in the
future
BIND has no way of differentiating these queries, since reverse-lookup queries
aren't "special".
But certainly, if you syslog rather than writing directly to a file, there are
syslog daemons that can filter, based on regex'es and the like.
In the grand tradition of _ceci_n'est_pas_une_pipe_, how dig *represents* a
piece of TXT contents isn't necessarily how it *is*.
I just verified (via tcpdump) that a TXT record label that shows up as "blah\\"
in dig's (and host's) output, actually only contains a single backslash (hex
code 5C),
As far as I know, the only "special" thing that BIND does consistently on a
restart, that it doesn't do on a regular basis in normal operation, is a
"priming" query to whatever is configured as root nameservers. I suppose it's
_possible_ that there is something about priming queries, particularl
As others have commented, more information about your config and your setup
need to be provided, before a proper troubleshooting can occur. I would add,
you should be more specific than just “resolution error”. Is it a timeout? An
NXDOMAIN? A SERVFAIL? A so-called “NODATA” response or a referral
om the Internet, even under
transitive closure of the internal network? It's surely a proper subset of all
instances of BIND, but I doubt if it's other than a quite small subset.
On Tue, 18 Apr 2017 17:22:24 +
"Darcy Kevin (FCA)" wrote:
> Unspoken and false assumpti
Unspoken and false assumption: that every machine running BIND is connected to
the Internet.
I'm no fan of old, broken Microsoft OSes (or even the newer ones, for that
matter), but let's be clear here: BIND is for anyone who doesn't want to
maintain a "hosts" file. "Connected to the Internet" i
Honestly, this is like asking for a closet that automatically throws out the
items you pitch into it, once the items are deemed obsolete or junk.
The DNS database is a repository of information, like a closet, but it has no
inherent way of knowing the value or currency of the information that is
I think the ISP may have done something untoward with
87.233.202.162.in-addr.arpa, since I'm getting a NODATA response for that name,
from the 233.202.162.in-addr.arpa zone, most probably because it's an empty
non-terminal. But what would be under that, and why?
Seems like your requirements call for the classic, old-school "internal root"
setup. Define your own root zone that *only* has delegations for example.com
and whatever parts of the in-addr.arpa namespace you want to resolve. That way,
everything outside the example.com namespace and the in-addr.
Well, I suppose it's a little silly that the informational message would count
"none" as an "IP address", but on the other hand, why specify "allow-update {
none; };" when that's the default? It probably never occurred to the
creator/author of the informational message that someone would "superf
Same here. Slave the AD zones, all end-user machines use BIND-based (Infoblox)
servers for resolution, on Anycast addresses. DHCP servers (also Infoblox)
update DNS for the clients, with the client names being registered in non-AD
zones (some of which are defined by geography, with a generic "ca
Correct, wildcards don't work that way; in fact, it would be more accurate to
say that _vlmcs._tcp.*.foo. isn't a wildcard at all (it's just a DNS name that
happens to have an asterisk as one of its labels). See RFC 4592.
- Kevin
-Orig
Ideally, whatever frontend you use to maintain the "forward" records for these
zones, should be smart enough to, in parallel, populate the corresponding
entries in the common reverse zone.
But, failing that, it shouldn't be that hard to write a script that
periodically pulls zone transfers of t
ssage-
From: Darcy Kevin (FCA)
Sent: Monday, October 17, 2016 3:11 PM
To: bind-users@lists.isc.org
Subject: RE: defines ip to acl
Well, things are messy, because you haven't carved up your subnet on
bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or
some comb
Well, things are messy, because you haven't carved up your subnet on
bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or
some combination of these. It can be done:
192.168.1.1 through 192.168.1.99 = !192.168.1.0; 192.168.1.0/26;
192.168.1.64/27; 192.168.1.96/30;
192
To be clear, the zone is defined in named.conf -- otherwise the original poster
would have never said that "allow-update" was configured for the zone -- but
there is something wrong with the configuration, or in the zone file itself,
that is preventing it from being properly loaded and served.
There's nothing particularly unusual about the "retrying in TCP mode" message -
as Mark explained, that happens whenever the packet size is big and EDNS0 is
not being used.
I looked up this name from an internal Windows 7 box through a BIND-based
forwarder (in North America), and it resolves fi
Yeah, sure, just run it with your own special config file (with -c); in that
config file, set the listen-on to an unprivileged port, and make sure all of
the pathnames (including implicit pathnames like the pid-file) are to
files/directories to which the unprivileged user has read and (where nec
Are you sure that's what you want? In a different thread, you said you had a
second LAN besides 192.168.1.0/24; you called it "LAN2", and further described
it as being "DHCP only". That second LAN was identified by you as
192.168.10.0/24.
I'm thinking you meant to define the second zone as 10.1
delay.
- Kevin
-Original Message-
From: Pol Hallen [mailto:bin...@fuckaround.org]
Sent: Monday, September 19, 2016 6:14 PM
To: Darcy Kevin (FCA); bind-users@lists.isc.org
Subject: Re:
In the first case, your resolver probably had to resolve all levels of the
hierarchy from the root all of the way down to the leaf node (root, .it,
yahoo.it and then the leaf records). 96 msec.
In the second case, the answer was cached and so your resolver didn't have to
talk to anything on the
That's not a valid IPv6 address representation. You probably mistyped a double
colon as a single colon in the middle of the address.
(RFC 4291)
2.2. Text Representation of Addresses
There are three conventional forms for representing IPv6 addresses as
text strings:
1. The preferred f
AXFR over UDP is explicitly undefined. See RFC 5936 Section 4.2. Given this, I
would have expected either a FORMERR response (interpreting the request itself
as "illegal"), or a NOTIMPL response (interpreting "undefined" as "might have
been defined by an RFC subsequent to 5936, but I don't happe
>From an InfoSec standpoint, of course one would prefer to use cryptographic
>methods of securing DNS data, but, in the absence of that, slaving could,
>arguably, be considered more secure than forwarding, in the sense that
>forwarding usually generates more network transactions, over time, for
Look in your logs at the time of named startup to see if your root-server
priming failed at that time.
- kevin
-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.is
Or just check the RFCs.
https://www.ietf.org/rfc/rfc5452.txt
- Kevin
-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund
Sivaraman
Sent: Friday, August 19, 2016 2:27 AM
To: pm8...@t-online.de
Cc: bind
Well, the cost/benefits/risks of separating authoritative and recursive on
different *servers* (as opposed to different NICs, views, or whatever) is
actually a hotly-debated topic among experts. I know some non-DNS-expert
opinions, from the InfoSec side of the house, consider hardware-level
sep
>
> - Kevin
>
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> Of Barry Margolin
> Sent: Wednesday, August 17, 2016 4:34 PM
> To: comp-protocols
Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry
Margolin
Sent: Wednesday, August 17, 2016 4:34 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Selective forwarding from an internal only name server
In article ,
"Darcy Kevin (FCA)" wrot
Well, sharepoint.com is a CNAME to sharepoint.microsoft.com, so you might need
to make arrangements for that to be resolvable as well.
Forwarding is a different beast from "stub" (recursive rather than iterative
resolution).
I'd look at "static-stub", if your NS list is overgrown with
useless/unreachable stuff. It's configured basically the same way as
forwarding, but without making the paradigm shift (and possible unforeseen
True, strictly from a per-hop latency standpoint, there shouldn't be much
difference between forwarding a packet or forwarding a DNS query.
Having said that -- and I'm sure the BIND developers could elaborate further on
this -- I know that there's big difference between processing *packets*, fro
environment.
In any case, multi-hop forwarding is always the least-preferred option.
- Kevin
From: Darcy Kevin (FCA)
Sent: Thursday
No, you would never get rid of a valid delegation of a child zone; why *reduce*
the resolvability of that zone? Whatever you do to get around this connectivity
issue would be *in*addition*to* the delegation, not as a replacement for it.
That having been said, I outlined your options in a previou
The bottom line is: any resolver which is using iterative resolution (as
opposed to just forwarding) to resolve names in a zone, needs to be able to
talk to at least *some* of the published nameservers for the zone, or to
“override” the regular referral-chain using something like a “stub” zone.
As already noted, allow-query will cause you to send back a REFUSED response.
That’s sort of the whole point of the REFUSED RCODE.
If you want to not send back any response *whatsoever*, then take a look at the
“blackhole” statement, but, honestly, this kind of “drop” function may,
depending on
mpensate, eventually we
reach a point of equilibrium.
- Kevin
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Thursday, August 04, 2016 7:47 PM
To: Da
016 2:32 PM
To: Darcy Kevin (FCA); bind-users@lists.isc.org
Subject: Re: change response cache ttl (--enable-cache-ttl)
Am 04.08.2016 um 20:27 schrieb Darcy Kevin (FCA):
> "many client have caused a burst DNS traffic" is not much of a problem
> statement, honestly.
>
> W
"many client have caused a burst DNS traffic" is not much of a problem
statement, honestly.
What does this patch add, of value, that isn't already covered by
"max-cache-ttl"?
If you're trying to allow the operators of intermediate resolvers to override
the intentions of the data owner, by enfo
Most likely, it has to do with recursion settings, yes, but indirectly. When
recursion is not honored for a client, the next thing that named does is check
whether the answer, or anything relevant to the answer, is in cache. But access
to the cache, these days, defaults to being as restrictive a
nslookup sucks.
What’s most likely happening is:
· On your initial query, some sort of transient error is occurring
while trying to resolve centos.mirror.iweb.ca, e.g. a timeout, a misconfigured
server returning SERVFAIL, a delegated server not being authoritative, etc.
· nsloo
Is it really necessary to document everything that *isn't* true? That could
fill volumes...
named is the thing that resolves stuff; /etc/resolv.conf tells processes whom
to talk to if they want to resolve stuff. Put those things together, why would
named need /etc/resolv.conf? To talk to *itsel
Darcy
NAFTA Information Security Projects
FCA US LLC
1075 W Entrance Dr,
Auburn Hills, MI 48326
USA
Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.da...@fcagroup.com
From: Vinícius Ferrão [mailto:fer...@if.ufrj.br]
Sent: Thursday, July 28, 2016 10:03 AM
To: Darcy Kevin (FCA
, July 28, 2016 12:52 PM
To: Darcy Kevin (FCA)
Cc: bind-users@lists.isc.org
Subject: Re: Multiple AD domains
The OP's question was about setting up BIND, not MS DNS, related to using
Samba, not Windows, as the domain controller.
Regards,
Chris
Sent from my iPhone
On Jul 27, 2016, at 12:36 PM,
My preference? Have all your clients use BIND to resolve DNS (this gives access
to more advanced features like sortlisting, good query logging,
blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up the
BIND instances as slaves for the AD zones, and have the AD folks add the
Sachin,
I strongly suggest that you consider other methods to
accomplish what you’re trying to achieve. You seem to have latched onto one
particular method to reach your goal – modifying the contents of the DNS
request and/or response packets – but this amounts to changing the DN
I think what the kids would say is "client PCAP or it didn't happen".
Now, get off my lawn... :-)
- Kevin
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John W. Blue
Sent: Thursday, June 16, 2016
brid" responses like that?
- Kevin
-Original Message-
From: Tony Finch [mailto:d...@dotat.at]
Sent: Thursday, June 16, 2016 7:09 AM
To: Darcy Kevin (FCA)
Cc: bind-users@lists.isc.org
Subject: RE: Append a Hard-coded Text Tuple into Additional Section of "dig"
Feature
That's not really consistent with the DNS standards, and will break if you have
intermediate caching servers. Why? Because of this clause from RFC 2181:
Unauthenticated RRs received and cached from the least trustworthy of
those groupings, that is data from the additional data section, and
data f
Margolin
Sent: Monday, May 02, 2016 5:08 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: also-notify and nsupdate doesnt work
In article ,
"Darcy Kevin (FCA)" wrote:
> Apologies if this has already been asked, but are you sending these
> NOTIFYs from a master which is _not_
Apologies if this has already been asked, but are you sending these NOTIFYs
from a master which is _not_ in the "masters" clause of the nameserver which is
receiving it? That's precisely the use case for "allow-notify"...
-
just now , i found some error info about
( ipv6)
In article ,
"Darcy Kevin (FCA)" wrote:
> Really, there's no excuse, in this day and age, for a DNS-serving
> device -- even a load-balancer pretending to be a nameserver -- to
> botch its responses to queries.
To be clear, "turning off" IPv6 in named (via the -4 flag or other means),
doesn't mean named won't try to resolve any records, especially if one of
your (presumably IPv6-enabled) clients requests them. So, even with IPv6
"turned off", if there are nameservers on the Internet that -- for wh
This is deliberately forbidden by standard. See RFC 2181, Section 5.2 ("TTLs of
RRs in an RRSet")
Why would you want to do this?
- Kevin
From: bind-users-boun...@lists.isc.org
[mai
Would they be receptive to letting you slave the zone? At least then you’d have
the whole EXPIRE time before the names stopped resolving.
If they’re concerned about security, then the transfers could be locked down by
source IP address, or, if their software supports it, TSIG key.
One of the do
By “upstream” I assume you’re talking about forwarders. If your forwarders are
flakey, have you ever considered simply *not*forwarding*? That would seem to be
a better, structural solution to your problem, than holding DNS data beyond its
cache-expiration time (a really BAD idea).
.
- Kevin
From: Ron [mailto:ron.a...@gmail.com]
Sent: Thursday, March 17, 2016 11:46 AM
To: Darcy Kevin (FCA)
Cc: bind-users@lists.isc.org
18, 2016 4:41 PM
To: bind-users@lists.isc.org
Subject: Re: Can bind be configured to not drop RR's from the cache when the
upstream DNS server is unresponsive
Slave the zone? Oh, run secondary. Fat chance.
Ron
On Fri, Mar 18, 2016 at 5:03 PM, Darcy Kevin (FCA)
mailto:kevin.da...@fcagrou
Don't turn your DNS and/or network infrastructures into pretzels trying to get
this "forwarding" or "(reverse) proxying" to work. Ultimately, I expect you'll
end up maintaining the records of interest in both an internal and an external
version of the subzone. Then the only question becomes to w
I wouldn't be so quick to assume that.
Nota bene this part of the ARM:
"Integers may take values 0 <= value <= 18446744073709551615, though certain
parameters (such as max-journal-size) may use a more limited range within these
extremes. In most cases, setting a value to 0 does not literally me
As the Perl folks say: TMTOWTDI (There's More Than One Way To Do It)
Those who are familiar and/or conversant with structured-database technologies
tend to gravitate towards a structured-database-centric approach.
Those who, conversely, think structured databases are overkill, or for whatever
r
See “empty non-terminal” in https://www.rfc-editor.org/rfc/rfc4592.txt.
- Kevin
[FCA_Pantone_email]
--
Kevin Darcy
NAFTA Information
Let's be transparent here: reverse lookups are not a formal requirement, and,
if I'm not mistaken, not even officially published as a Best Practice. Many
folks don't bother with them.
Having said that, they are *very* useful, and I insist on them wherever
possible.
If an organization decides t
The Internet roots publish both A (IPv4) and (IPv6) address records.
The log noise you show is what happens when you enable IPv6 but don't have the
necessary routing in place to the IPv6 Internet, either natively or through
some sort of tunnel mechanism.
You could certainly turn IPv6 *off*
Look at your "allow-query". It appears your master isn't letting your slave
query it. Query access is a prerequisite for zone-refresh transactions.
- Kevin
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.
As pointed out previously, however, with a 1-minute REFRESH, NOTIFY is pretty
much a non-issue.
- Kevin
-Original Message-
From: Darcy Kevin (FCA)
Sent: Friday, February 19, 2016 4:25 PM
To: BIND Users
Subject: RE: A Zone Transfer Question
How
How do you suppose named knows where to send the NOTIFY messages? It's only
"automatic" to the nameservers listed in the NS records of the zone. But you
didn't list your slave, did you? I seem to recall there was only 1 NS record,
and that's presumably the master...
Guys,
REFRESH is set to 1 minute. That's not a long time to wait. Just do
a packet capture and see if the slave is issuing zone-refresh queries regularly
in the 30-second-to-1-minute range (it's randomized, of course, between
REFRESH/2 and full REFRESH).
If the slave isn't issuing r
Ah, so "recursive-clients" is the quota of queries that require named to
recurse to get the answer, right? I was going to respond with the same advice
-- slave your internal zones -- but then I somehow convinced myself that
"recursive-clients" was merely the quota of concurrent RD=1 queries that
1 - 100 of 158 matches
Mail list logo
