Re: BIND doesn't listen to other loopback addresses

2025-07-05 Thread Greg Choules via bind-users
https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-automatic-interface-scan Note the phrase "...and supported by the operating system...". Linux capabilities must also be enabled (i.e. not *disabled* at build time) for BIND to be able to keep scanning as addresses come and g

Re: question about resolving of AAAA amazoses.com

2025-07-04 Thread Greg Choules via bind-users
Hi Florian. Well since you mention it, may we see your BIND configuration? Also "named -V", please and, if you can, a packet capture (preferably binary pcap, not just a few lines of tcpdump output) showing what your server is doing at the time you see these messages in the logs. Cheers, Greg On F

Re: Is there any method/config to pass through rcode refused

2025-07-01 Thread Greg Choules via bind-users
Hi Neil. Think about what a resolver is doing. A client asks it a question, usually with the RD bit set, meaning essentially, do whatever you have to do to get me my answer. So the resolver attempts to find that answer, somehow. If it already has it in cache, great. If it doesn't it may recurse,

Re: QNAME minimisation question

2025-06-03 Thread Greg Choules via bind-users
The help text for delv says you can specify a source using -b, the same as you can with dig: Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] [q-class] Where: domain is in the Domain Name System q-class is one of (in,hs,ch,...) [default: in] q-type is one of (a,any,mx,

Re: 3Rd Follow Up - Re: My Introduction and current issues

2025-05-22 Thread Greg Choules via bind-users
n Bind9 and install Unbound in its place. There seem to be a > lot more configuration options that might help me with the problems I am > having. Problems I never had with Windows Server 2003. > > > Thanks anyway and take care of yourselves. I'm outta here. > > On 2025-05-1

Re: 3Rd Follow Up - Re: My Introduction and current issues

2025-05-19 Thread Greg Choules via bind-users
From the correct alias this time! On Mon, 19 May 2025 at 22:46, Greg Choules wrote: > Your router (or your ISP behind it) is losing a lot of traffic. Here is a > timeline of frames with explanations of each, which would have been so much > simpler if you hadn't tried to

Re: long FQDN resolution

2025-05-15 Thread Greg Choules via bind-users
I was beaten to it! It's called QNAME minimisation and is specified here: https://datatracker.ietf.org/doc/html/rfc9156 In BIND it can be disabled with this statement: https://bind9.readthedocs.io/en/v9.20.8/reference.html#namedconf-statement-qname-minimization Hope that helps, Greg On Thu, 15 M

Re: My Introduction and current issues -

2025-05-10 Thread Greg Choules via bind-users
others on this list would disagree with me, but that's just my 2p. Cheers, Greg. On Sat, 10 May 2025, 13:43 , wrote: > On 2025-05-10 02:03, Greg Choules wrote: > > @Danilo you are correct, the contents of /etc/resolv.conf are not set by > BIND and BIND itself does not use them. B

Re: My Introduction and current issues -

2025-05-10 Thread Greg Choules via bind-users
@Danilo you are correct, the contents of /etc/resolv.conf are not set by BIND and BIND itself does not use them. But all applications running on that machine (including dig, unless you specify @) that want some kind of name resolution will make OS system calls and then the OS *will* use what's in r

Re: My Introduction and current issues -

2025-05-09 Thread Greg Choules via bind-users
Hi. I also suspect it's not BIND, but how the OS is going about resolving names. Test your running BIND by using dig (please, not nslookup) @127.0.0.1 for domains you think you are having a problem with. Also check /etc/resolv.conf and see what address(es) is/are listed as nameservers. Third, use

Re: Multiple views (more than 2)

2025-04-14 Thread Greg Choules via bind-users
and NOT to external secondaries. > > AFAIK such a configuration of view transfers requires TSIGs for avoiding > zone transfer overwriting. > > Best regards, > Marek > > On 4/14/25 5:27 PM, Greg Choules wrote: > > Hi Marek. > > Please can you show the config that

Re: Multiple views (more than 2)

2025-04-14 Thread Greg Choules via bind-users
Hi Marek. Please can you show the config that used to work? Please can you also explain why it is desired to create more views? Maybe give an example of what you're trying to achieve. In general, matching views is done top down - test clients against the criteria in the first view. If they don't m

Re: Custom DNS Filtering Plugin in BIND 9

2025-04-05 Thread Greg Choules via bind-users
My take on this is that DNS resolver code is written to (try and) be as fast and efficient as possible and work pretty much entirely in RAM because that's the quickest storage available. Anything that interrupts that and tries to access some external database, however it's done, is bound to slow d

Re: Why do I get underscore DNS queries when my host is running a recursive server?

2025-04-01 Thread Greg Choules via bind-users
arting > with an underscore > > Greg Choules wrote on Mon, 31 Mar 2025 at 18:01: > >> Hello. >> The underscore character was an old method for performing QNAME >> minimisation. Look in the CHANGES file for a note about it and the ARM for >> more detailed information. >

Re: Why do I get underscore DNS queries when my host is running a recursive server?

2025-03-31 Thread Greg Choules via bind-users
Hello. The underscore character was an old method for performing QNAME minimisation. Look in the CHANGES file for a note about it and the ARM for more detailed information. BIND 9.14 is five years old and has been unsupported for a long time. Please update to 9.18 or 9.20, which contain many impro

Re: Bind internal name space geo-proximity

2025-03-21 Thread Greg Choules
Hi Karol. The DNS model is that if a zone contains multiple records of the same type with the same owner name - e.g. google.com/NS - then all answers are returned in a response to a query: this is known as an RRSET. In the case of NS records, all RRSETs from anywhere must

Re: Authoritative and caching

2025-03-16 Thread Greg Choules via bind-users
Sending from the correct alias this time! On Sun, 16 Mar 2025 at 09:03, Greg Choules wrote: > Thank you. > The problem is that named is running as user "bind" but that user > doesn't have file system permissions to create and write to files (the .jnl > and .jbk files

Re: Authoritative and caching

2025-03-15 Thread Greg Choules via bind-users
Hi Danjel. Please send "ls -al" of both "/etc/bind" and "/etc/bind/zones" Thanks, Greg On Sat, 15 Mar 2025 at 16:32, Danjel Jungersen via bind-users < bind-users@lists.isc.org> wrote: > I'm so sorry, but I have to trouble you guys again. > > The help below helped, I have no errors from checkconf

Re: rndc: 'reload' failed: unexpected error

2025-03-13 Thread Greg Choules
Hi Duan. Firstly, please upgrade to the latest BIND as 9.11 is very old now and has many security flaws that will not be fixed because it is obsolete. Secondly, after you have upgraded try it again and if the problem still exists, come back here. Cheers, Greg > On 13 Mar 2025, at 09:23, Duan D

Re: Is there any config to disable bind9 retry for rcode refused

2025-03-03 Thread Greg Choules via bind-users
Hi Neil. I don't think there is. Perhaps you should suggest it in a Gitlab issue? Just to be clear, though, please can you give an example of what you mean? A real life one would be best. Either a binary pcap or +vvv to screen of the query BIND makes and the REFUSED it receives followed by it retr

Re: Anycast DNS VIPs network IPv4

2025-02-25 Thread Greg Choules via bind-users
Hi Karol. If I understand you correctly, the choice of address to use is up to you and how it works best in your network. The DNS service addresses only need to be relevant to the network they sit in and the clients that need to reach them. In a private network, any 10 etc. address would work, as l

Re: Using CNAME for _domainkey (DKIM)

2025-02-24 Thread Greg Choules via bind-users
My 2p is... You *shouldn't* do a lot of things, but people do anyway, because they can. If you maintain your own DKIM records then deliberately adding a CNAME upfront seems unnecessarily complicated. KISS. If someone else hosts them and CNAME is a pragmatic way to achieve that "ask them" behaviou

Re: Access Control Lists error

2025-02-20 Thread Greg Choules via bind-users
Hi. An ACL can match other ACLs, meaning that you can include the name of one ACL in the definition of another. Your config is being interpreted as: acl "tsg_acl" { Start the definition of an ACL called "tsg_acl", which will be followed by a list of things to match, each of which must end with a s

Re: Authoritative and caching

2025-02-19 Thread Greg Choules via bind-users
Hi Danjel. To obtain a packet capture use tcpdump, which is probably installed already. If not, add it using your preferred package manager. You can dump to the screen, but I find it more useful to dump to a file, which can then be analysed offline in Wireshark. A typical capture command might be:

Re: ECS subnet

2025-02-14 Thread Greg Choules via bind-users
Hi. Is this a question about BIND, or Unbound? Note the name of the list. On Fri, 14 Feb 2025 at 16:36, Rainer Duffner wrote: > Hi, > > I have a setup where I have a BIND resolver behind an unbound resolver. > > The reason is that when I originally set this up, there was no way to > integrate an

Re: forwarding non-domain queries

2025-02-06 Thread Greg Choules via bind-users
own and > restart, not just a reload. > Get the messages about the extra NS “.” And unable to find root files, > restored the stanza, same error. > > > > Thanks, > > Brian > > > > *From:* Greg Choules > *Sent:* Thursday, February 6, 2025 3:18 AM > *To:* Cutt

Re: Primary/Secondary (Was: Master/Slave)

2025-02-06 Thread Greg Choules via bind-users
Hi Paul. What's a "primary master" as opposed to (presumably?) a "secondary master"? Maybe there are just too many combinations and permutations of type of box for a single word to convey all meanings, though I haven't encountered any yet. Even in an environment like Active Directory, where all se

Re: forwarding non-domain queries

2025-02-06 Thread Greg Choules via bind-users
e forward records, pointing to the two primary NYS > internal servers so we should be using that rather than the root servers or > the domain servers. > I do still have in place some more specific forwarding files for some NYS > specific zones. > > > > I have yet to tackle

Re: map as record

2025-01-29 Thread Greg Choules via bind-users
Hi Michal. Please share your configuration and the zone file so that we can see what you are trying to do. Thanks, Greg On Wed, 29 Jan 2025 at 08:28, Michal Bednář wrote: > Hello, > I try to make domain record map.domain.tld . I cannot make this in bind9. > Map is probably keyword > in zone fi

Re: localhost name lookup

2025-01-24 Thread Greg Choules
> On 24 Jan 2025, at 21:32, Lee wrote: > > On Fri, Jan 24, 2025 at 3:27 PM Greg Choules wrote: >> >> >>> On 24 Jan 2025, at 19:07, Lee wrote: >>> >>> On Mon, Jan 20, 2025 at 4:55 AM Petr Špaček wrote: >>>> >>>> On 15

Re: localhost name lookup

2025-01-24 Thread Greg Choules
> On 24 Jan 2025, at 19:07, Lee wrote: > > On Mon, Jan 20, 2025 at 4:55 AM Petr Špaček wrote: >> >> On 15. 01. 25 19:55, Lee wrote: >>> On Wed, Jan 15, 2025 at 11:55 AM Ondřej Surý wrote: On 14. 1. 2025, at 16:56, Lee wrote: In other words, should I submit a bug report to the D

Re: localhost name lookup

2025-01-14 Thread Greg Choules via bind-users
Hi Robert. Having localhost in /etc/hosts works if both of these conditions are satisfied, I think: 1) The client asking the question is on the same box. 2) /etc/nsswitch.conf has been configured to look in hosts first, DNS second If the client is local but nsswitch says to do DNS first then names

Re: Bind and DHCP

2025-01-08 Thread Greg Choules via bind-users
Hi Karol. You can run them both together, if you like. I think it comes down to a personal choice between economics, simplicity, cleanliness of design and performance. If you want your DNS server to handle many 1,000 QPS it might be better dedicating resource to that and put Kea (I assume Kea?) on

Re: Hyperlocal recursive servers questions

2024-12-27 Thread Greg Choules via bind-users
Hi Roberto. Instead of defining "." as type "static-stub" you should define it as type "mirror". This shows you how: https://bind9.readthedocs.io/en/v9.18.32/reference.html#namedconf-statement-type%20mirror Cheers, Greg On Fri, 27 Dec 2024 at 21:41, Roberto Braga wrote: > Hello, if you could he

Re: cname for apex record

2024-12-24 Thread Greg Choules via bind-users
Hi Brian. You can't redirect your entire zone from inside the zone itself. CNAME absolutely will not do it, by design (also DNAME). The reason is, the way that DNS works. wadsworth.org has been delegated to a bunch of DNS servers (see below), which are presumably run by you and associated entities

Re: forwarding non-domain queries

2024-12-18 Thread Greg Choules via bind-users
ouldn't get address for 'd.edu-servers.net': failure > > couldn't get address for 'e.edu-servers.net': failure > > couldn't get address for 'f.edu-servers.net': failure > > couldn't get address for 'g.edu-servers.net': failure

Re: forwarding non-domain queries

2024-12-10 Thread Greg Choules via bind-users
e changes on before I roll them out > to my primary and secondary servers. > The test server is where we make all tests and updates to zone files. > > > > As I configure the forwarders stanza, I will remove the zone for db.cache > and test it out. > > > > Thanks, >

Re: forwarding non-domain queries

2024-12-10 Thread Greg Choules via bind-users
c zones in the internal corp > network. > > > > brian@cedar:/etc/dns-root$ more db.cache > > > > @ IN A 10.108.43.7 > > @ IN A 10.108.43.8 > > > > @ IN NS @ > > > > *From:* Greg Choules > *Sent:* Tuesday, December 10, 2024 9:38 AM >

Re: forwarding non-domain queries

2024-12-10 Thread Greg Choules via bind-users
continue to work when I add a forwarders statement for the > servers that ny.gov servers for all more generic queries. > > > > Many thanks, > > Brian > > > > *From:* Greg Choules > *Sent:* Monday, December 9, 2024 6:26 PM > *To:* Cuttler, Brian R (HEALTH) > *

Re: forwarding non-domain queries

2024-12-09 Thread Greg Choules via bind-users
2024 at 07:26, Nick Tait via bind-users < bind-users@lists.isc.org> wrote: > On 10/12/2024 12:25, Greg Choules via bind-users wrote: > > Actually you don't need it anyway, even if you are doing recursion, as > > Internet root hints have been built into BIND for many year

Re: forwarding non-domain queries

2024-12-09 Thread Greg Choules via bind-users
Hi Brian. If that's what you want to do; answer authoritatively from local zones you own and forward everything else to Corporate, then you have it correct. "forwarders {...etc" and "forward only;" go in the "options" block. Since you are forwarding everything that's not local *and* disabling recu

Re: {Disarmed} Re: Getting BIND to forward a zone to other name servers

2024-12-08 Thread Greg Choules via bind-users
I > didn't do a great deal of troubleshooting at the time, as the priority > was digging out a new PSU and getting my ADSL router working again. > > Upon further inspection, when I do dig +trace @10.0.2.10 > server.dmz.example.com, I can see a trace starting at the root and > wo

Re: Getting BIND to forward a zone to other name servers

2024-12-08 Thread Greg Choules via bind-users
Hi Mike. What version of BIND are you running? Firstly, please clarify your question and example configuration. You talk about "example.com" and subdomains of "exmaple.com", but your config shows "example.net". It's not easy to understand exactly what you're trying to achieve a) when your problem

Re: How to print details of dns_name_t* when hitting a gdb breakpoint in dns_name_equal

2024-12-03 Thread Greg Choules
Hi Kees. I would upgrade to 9.18 and not spend time trying to diagnose 9.16, which is not supported anymore. If the same problem occurs on 9.18 (latest), please let us know. I hope that helps. Greg > On 3 Dec 2024, at 10:36, Kees Bakker via bind-users > wrote: > > Hi, > > Background > I hav

Re: Geo DNS for 1 domain in view impossible?

2024-12-01 Thread Greg Choules via bind-users
Hi Dimitry. Views are selected by any/all of "match-clients" and "match-destinations". Once a view has been selected it is then completely responsible for handling the query, so there is no automatic fall through to the next view. However, in the "DE" view you could configure global forwarding/for

Re: Accidentally ran rndc-confgen on a working BIND box

2024-11-28 Thread Greg Choules via bind-users
My bad. I spotted that afterwards. On Thu, 28 Nov 2024 at 13:48, Anand Buddhdev wrote: > On Tue, 26 Nov 2024 at 09:40, Greg Choules via bind-users < > bind-users@lists.isc.org> wrote: > > Hi Greg, > > Running "named-checkconf -p" will print your entire nam

Re: Accidentally ran rndc-confgen on a working BIND box

2024-11-26 Thread Greg Choules via bind-users
but the > basics. This weekend I was just looking to make relatively minor tweaks > when I copy-n-pasted a command in this server’s window like an idiot. 😊 > > > > Best regards, > > Luis > > > > *From:* Greg Choules > > From the ARM, when "rndc-confg

Re: Accidentally ran rndc-confgen on a working BIND box

2024-11-24 Thread Greg Choules via bind-users
From the ARM, when "rndc-confgen -a" is run: > This option sets automatic rndc configuration, which creates a file rndc.key in /etc (or a different sysconfdir specified when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and auth

Re: How do I make my bind recursively support edns

2024-11-24 Thread Greg Choules via bind-users
> > > > -- Original Message -- > *From:* "Mark Andrews"; > *Sent:* Sunday, 24 November 2024, 4:57 AM > *To:* "Greg Choules"; &

Re: How do I make my bind recursively support edns

2024-11-23 Thread Greg Choules via bind-users
Hi. Please can you clarify what you mean and what you're trying to achieve? EDNS support generally has existed in all versions of BIND for many years. Cheers, Greg On Sat, 23 Nov 2024 at 15:43, 从今以后 via bind-users wrote: > Hey, guys > > How do I make my bind recursively support edns ? > > The o

Re: Question about recursive client max quota

2024-11-08 Thread Greg Choules
Hello Pedro. Firstly, which version of BIND are you running? Generally, though, increasing `recursive-clients` on a box with a decent amount of power and RAM is not an issue: 50k, or even bigger, should be fine. But please test it first. We have discussed raising the default but we’re not quite

Re: DNSSEC, OpenDNS and www.cdc.gov

2024-10-16 Thread Greg Choules
Hi Bob. See if this article helps any first, before we get into configs: https://kb.isc.org/docs/the-umbrella-feature-in-detail Cheers, Greg > On 16 Oct 2024, at 14:55, Robert Mankowski > wrote: > > I recently implemented a forward only BIND server for home. I was forwarding > to OpenDNS Fam

Re: CDNSKEY / CDS for key is now published - but why?

2024-10-02 Thread Greg Choules via bind-users
Hi Danilo. The CDS and CDNSKEY are published in your own zone, not anywhere else. You can confirm this by doing a dig for them directly, or AXFR if you permit transfers on your server. They are intended for use with registrars that *do* support automatic DS creation using one of them. If yours doe

Re: Lookup failures

2024-09-13 Thread Greg Choules via bind-users
Hi Steven. As you said, `listen-on {...;};` tells BIND which addresses to register for incoming traffic. This can be a list, not just one address. Any query received on (say) 10.0.0.1 will be responded to from the same address. It is possible to choose which address to use for outgoing queries/fet

Re: BIND statistics

2024-08-26 Thread Greg Choules via bind-users
Latest Chrome/Safari/Firefox on MacOS as well and it looks good for me. I haven't needed to clear cookies or browsing data or anything, it just worked. My 9.20.0 is running locally on the Mac, installed via homebrew. Maybe try that and see what you get? Perhaps it's something to do with the enviro

Re: BIND statistics

2024-08-25 Thread Greg Choules via bind-users
Hi Håvard. Have you tried a different browser? Having said that, I just started 9.20.0 with this config: statistics-channels { inet 127.0.1.0 port 8080 ; }; Then pointed three different browsers at that address/port and it looks fine to me in all of them. Browsers tried were Chrome, Safari and Fir

Re: views-based RPZ

2024-08-25 Thread Greg Choules via bind-users
Hi Grant. That doesn't work for zones that then get used in a `response-policy` block. In this case you *must* define a zone each time; so one (or up to 64) per view/instance of `response-policy`. Test it on your laptop/in a VM. What this does mean is that (if you are using views) you *could* have

Re: views-based RPZ

2024-08-23 Thread Greg Choules via bind-users
Hi Carlos. If you have enough RAM it should be possible to create multiple views, each with a zone (primary or secondary, up to you) that contains the RPZ data for that view and a response-policy that uses that zone. The limit on number of zones is per response-policy block. But if you're using se

Re: Behavior of 'forward only' zone

2024-08-20 Thread Greg Choules via bind-users
Hi John. The reason is step 4c here: https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3 The A record in the response is for a name that BIND wasn't asked for (otherwise why a CNAME at all?), so in the interests of not just believing random answers that might potentially poison the cache,

Re: I want to know why I suddenly can't resolve names.

2024-08-19 Thread Greg Choules via bind-users
Hi. Please, please, please upgrade your OS and BIND. CentOS 6 went EoS 3 years ago, from what I can tell. BIND 9.8 is 12 years old and there have been far too many changes and security fixes in that time to list in a mail. If you want to see for yourself, explore https://downloads.isc.org/isc/bind

Re: 9.16.27 - Cache Prefetch

2024-07-23 Thread Greg Choules via bind-users
Hi Gabe. Prefetch still exists; reference here: https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-prefetch Hope that helps. Greg On Tue, 23 Jul 2024 at 17:36, Gabe Loyer wrote: > In searching for documentation I can only find something for prefetch in > 9.10, which appar

Re: netstat showing multiple lines for each listening socket

2024-07-10 Thread Greg Choules
I’m afraid we’re a little out of sync between the documentation and the code, depending on which code you’re running. -U was changed some time ago to mean the number of dispatchers to use for outgoing queries, not listeners to use for incoming queries. Post 9.18 it won’t do anything at all, so

Re: zone_journal_compact: could not get zone size: not found

2024-07-08 Thread Greg Choules via bind-users
Hi Kees. A few questions: - What version of BIND are you running? - How large (number of RRs) are your zones? - What is the peak rate of dynamic updates? - Do you have "max-journal-size" configured to anything? - Are you perhaps getting short on disc storage in the place where BIND keeps its files?

Re: rolling my own hints file

2024-07-01 Thread Greg Choules via bind-users
y detrimental? > If it is, its “dot” rather than “at”? > > @ 518400 IN A xx.yy.zz..7 > > @ 518400 IN A xx.yy.zz..8 > > . 518400 IN NS @ > > > > Thank you. > > Brian > > > > *From:* bind-users * On Behalf Of *Cuttler, > Brian R (HEALTH)

Re: forward option in dns server

2024-06-28 Thread Greg Choules via bind-users
; > Thanks again > > On Fri, 28 Jun 2024 at 13:10 Greg Choules < > gregchoules+bindus...@googlemail.com> wrote: > >> Hi again Renzo. >> >> In general, BIND (and other resolvers) make non-recursives (aka >> iterative) queries to authoritative

Re: forward option in dns server

2024-06-28 Thread Greg Choules via bind-users
lain you what servers I inserted into this > list. > > > I have another doubt, /etc/resolv.conf in bind server is used only from > client services ? E.g. ping tool > I think bind9 dns service doesn't contact any /etc/resolv.conf, right? > > > > > > Il giorno v

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
e "forwarders" ? > 3-- This bind version has root server built-in? If I removed 'named.ca' > reference, Bind would use root server built-in? > > thanks > > On Fri, 28 Jun 2024 at 07:51 Greg Choules < > gregchoules+bindus...@googlemail.com> wrote

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
2001:dc3::35 > > > I didn't know some Bind versions had the Internet root hints built-in. > About my configuration I understand that bind makes always queries to root > servers ? Right? > I'd like to re-check configuration of bind > > > Il giorno

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
on is set on every domain > controller) > > Only AD DNS make queries to A.B.C.D server and it’s necessary only to > solve external domains. > > A.B.C.D. server never makes queries to AD server. A.B.C.D. is next dns > server which participates when it’s necessary to

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
Hi Renzo. Firstly, please can we see your BIND configuration and have the actual AD domain name. Secondly, BIND, or any other recursive DNS server, does not 'forward' to the root servers, unless you have configured it explicitly to do so, which would be a bad idea and not work anyway. It will recu

Re: rolling my own hints file

2024-06-26 Thread Greg Choules via bind-users
ot seeing queries to any of the normal root > servers, so that is in fact a good sign. > > > > New root servers are managed by my parent organization and my manager > asked me to send these queries through them. Wouldn’t be performing this > exercise otherwise. > > > &g

Re: rolling my own hints file

2024-06-26 Thread Greg Choules via bind-users
Hi Brian. Yes, you can define your own hint zone and tell BIND to use it. The contents (I called the file "db.root" but the name is your choice) could be as simple as: @ 300 IN A 127.0.0.3 @ 300 IN NS @ which says for this zone (which will be called ".", coming next) the NS is the same name and i

Re: SERVFAIL error during the evening

2024-06-26 Thread Greg Choules via bind-users
Hi Sami. If you can, I would set up a new BIND (test) server running the current code - 9.18.27 - next to your current production system and compare how they behave: current code uses NS queries for qmin rather than _... A queries. There may still be failures, but this would allow you to pinpoint b

Re: Problem with a certain domain

2024-06-04 Thread Greg Choules via bind-users
Hi Thomas. Firstly, I doubt you actually need to kill and restart `named`. Flushing the cache would probably work, either all of it or just selected names. Secondly, take a packet capture of this happening and analyse what BIND is really doing, in Wireshark. - If it shows up that certain NS are ca

Re: issue with forwarder zones

2024-05-29 Thread Greg Choules via bind-users
Hi Brian. We're going to need some details please, like for starters: - What's the domain being queried? - A network diagram showing where your BIND server is and what it's forwarding to. - IP addresses of everything. - A packet capture (binary pcap format, not a snippet or a screenshot) from your

Re: Make dig and nslookup DNSSEC aware?

2024-05-22 Thread Greg Choules
Odd numbers (9.17, 9.19…) are the development versions. Even numbers (9.18, 9.20 - soon…) are the production versions, based on the odd-numbered version before. So 9.18.27 (currently) would be the one to go for. Cheers, Greg > On 22 May 2024, at 16:53, Robert Wagner wrote: > > https://www.isc

Re: SRV on multiple subdomains

2024-05-16 Thread Greg Choules via bind-users
Adding my 2p, I would take that principle a step further. Create a generic, unique SRV record that represents what you want to happen. Then create specific CNAME records for each server. The reasons for the extra, generic record are that it represents the service you want to offer and all "server..

Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules

Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules
Hello. Do you mean 9.18-S1? > On 28 Apr 2024, at 08:06, Yang via bind-users > wrote: > > > dear admin: > now, i use bind-9.18-21, i want to use ecs client subnet function; but i > don't know how to configure it, and i don't get method from google > please give me some example,or document

Re: RFC8482: Implementation

2024-04-22 Thread Greg Choules via bind-users
Hi. In BIND, since 9.11, there is an option/view statement called "minimal-any", which defaults to "no". That might be what you're after. Cheers, Greg On Sat, 20 Apr 2024 at 17:29, Amaury Van Pevenaeyge < avanpevenae...@outlook.fr> wrote: > Hello everyone, > > I've been looking for days and days

Re: Some Authoritative-Only BCPs

2024-04-02 Thread Greg Choules via bind-users
> deal > with getting security exceptions or adverse findings. It's > (unfortunately) > a _really_ good reason to enable it even if it is technically > unnecessary. > > > On 2024-03-28 01:04, Greg Choules wrote: > > Hi cjc. > > My answers would be: > &

Re: Some Authoritative-Only BCPs

2024-03-28 Thread Greg Choules via bind-users
Hi cjc. My answers would be: - Leave `dnssec-validation` alone (auto) and ensure your server has a path to the Internet to make queries. - Don't mess with root hints. The only time anyone should need to do this is when running a completely captive server living in a custom namespace that is NOT t

Re: transfert master slave

2024-03-25 Thread Greg Choules via bind-users
Hi Sami. "allow-..." statements are to restrict from which sources *this* server will accept messages, of whichever type. On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it to process NOTIFY messages sent to it from the primary (master), but ignore any others. Actually, this

Re: DNSSEC deployement in an isolated virtual environment

2024-03-16 Thread Greg Choules via bind-users
Hi Amaury. You should be able to do this by defining your own trust anchors. This should explain what you need: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#trusted-keys-and-managed-keys Have fun. Greg On Sat, 16 Mar 2024 at 13:38, Amaury Van Pevenaeyge < avanpevenae...@outlook.fr> wr

Re: Bind9 "split zones"

2024-03-04 Thread Greg Choules via bind-users
Hi. If I understand you correctly, you are trying to get your resolver to go to two different places (main_hidden_dns_server and other_dns_server) for answers to the same question, and then want it combine those answers into a single response to the client, which contains PTR records for both names

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Greg Choules via bind-users
Please don't encourage using "search" in resolv.conf or the Windows equivalent. Search domains make queries take longer, impose unnecessary load on resolvers and make diagnosis of issues harder because, when users say "it doesn't work" you have no idea what it was that didn't work. I tried using s

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread Greg Choules via bind-users
2nd $beverage consumed. I have never liked sortlist since I inherited it 16 years ago in my previous job. For me it suffers from at least one fundamental problem: - If a client, say at location "1", is given a bunch of sorted A records with the server at location "1" first, what does the client do

Re: Deprecated DSCP support

2024-02-29 Thread Greg Choules via bind-users
Hi Wolfgang. Firstly let me say that I have never been a fan of QoS. So I'm slightly biased against the whole thing in the first place. But regarding your comment "It’s not easy for the network to guess the requirements of an application," I would disagree. Traffic classification and setting of DS

Re: acl in also-notify

2024-02-08 Thread Greg Choules via bind-users
Hi both. You can't do it using ACLs. But you can do it using primaries. This is hinted at in the section about the primaries statement, but not clearly expanded on. For example: # define a primaries list called "also-notifed" (or anything you like). Define as many lists as you need. primaries also

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > > *AUTHORITY: 1 : this is ok.* > > > Command dig pc1.reseau1.lan > ;; ->>HEADER<<- opcode: QUERY, status: NOER

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
> Dear Greg, > > Thank you for your reply. > > > Please find attached the markdown file with all the commands and text > from the terminal. > > In /etc/resolv.conf I had "127.0.0.53" so I disabled the DNSStubListener > from systemd-resolved. I hav

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
Hi Michel. Please can you send the following information: - name and IP address of the authoritative server - the full contents of the zone file for "reseau1.lan" - name and IP address of the other server - what does this server do? - What is the machine "pc1", on which you are running the digs? -

Re: Re: zone not loaded in one of view

2023-12-19 Thread Greg Choules via bind-users
Hi. The existence of a `.jnl` file for the zone means that, at some point in the past anyway, you *did* allow dynamic updates to this zone and some updates were made, which were stored in the journal file. I would like to ask a couple of questions: 1) What is the timeline of your investigation? Ma

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel. You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config: zone "reseau1.lan" { type master; ... }; If

Re: How do I debug if the queries are not getting resolved?

2023-12-12 Thread Greg Choules via bind-users
Greg On Tue, 12 Dec 2023 at 17:42, Blason R wrote: > Thanks folks > > I just disabled DNSSEC validation from bind config file (globally) and > those domains started resolving fine. > > > On Tue, Dec 12, 2023, 13:25 Greg Choules < > gregchoules+bindus...@googlemail.com&

Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Greg Choules via bind-users
Hello. There are well known and documented issues with the zone "gov.in" and there were some recent problems with "gov" as well. Please search this mailing list archive for those domains and you may find some useful hints, tips and information that explain and help you with your own problem. Cheer

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Have you checked the routeing table on this server? Without any other evidence, this looks to me like packets are going places you aren't expecting. In the first screenshot the query goes to 213.227.191.1 and apparently a response doesn't come back until 4s later. When I try it using dig I get an

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Hi there. Can you send some information, for those unfamiliar with what you're trying to do? - Full BIND config - IP addresses of relevant things, like interfaces of the servers on which you are running BIND and of Teamviewer. - What does Teamviewer need from DNS? What kinds of queries is it making

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Greg Choules via bind-users
Hi Nick. First question, does the internal zone *have* to keep the same name? As has been said already, this is a fairly common setup done by people a long time ago who usually didn't think through the consequences of their actions. What follows assumes you could change the name of the internal zon

Re: Unhelpful startup message re: RPZ

2023-09-21 Thread Greg Choules
Hi John. From the ARM: response-policy … Blocks: options, view Tags: server, security, query, zone Specifies response policy zones for the view or among global options. Blocks: says where this statement can be used; i.e. in global options or within a view. The description is reasonably clear (I t
