Eventually, if you have done the parent delegations (through where you register
your zone) and have updated the new NS records to point only to the new spot,
the old zone will only be used by that provider, and nowhere else. So, if com
points to the new set of name servers, and example.com has
On Jun 13, 2012, at 5:02 PM, Dan Letkeman wrote:
> I understand the concept, as I have read many documents like that. I
> am more interested in a real world example of how much free memory for
> caching is recommended for an average server.
>
> Dan.
It depends on many things, but what I'd do t
s ?
>
> The default value is 32MB. We have 8GB RAM. I don't know if it's better to
> start with 1GB (1/8th of RAM)?
>
> thanks
> blr
>
>
> On Thu, May 31, 2012 at 8:17 PM, Michael Graff wrote:
> Hmm, I don't quite think this is a good idea. BIND 9 (s
Hmm, I don't quite think this is a good idea. BIND 9 (since 9.5) manages
memory quite well, but it will happily consume all you have and go into swap.
I'd set it high enough (on a dedicated machine) to use plenty of RAM, but low
enough to not cause other OS components to swap out or BIND itself
Some signature methods require this, some do not. RSA should not (in general)
but RSA encryption in practice may. Signing is different, in that you know
both halves (encrypted and cleartext) so it should not require padding.
I think DSA does require randomness in signing.
--Michael
On May 10
"v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_16419 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
> spf_16420 900 IN TXT "v=spf1 ip4:XX.XX.XXX.XX/28 ip4:XX.XX.XXX.XX ?all"
>
> I hope this information can help you to help me :)
>
>
more than 4k will exceed the default settings for EDNS0 UDP responses.
If you dig @ your server, with +tcp, do you get a reply? If not, perhaps you
are not allowing TCP connections to port 53?
What error you are getting may be of help.
--Michael
On Feb 29, 2012, at 1:20 PM, Darvin Denmian wro
It is a known issue, and is indeed a bug. We're working on it already, so stay
tuned.
--Michael
On Feb 14, 2012, at 12:44 PM, Alex wrote:
> Hi,
>
> I have a fedora16 x86_64 box and named keeps dying with an assertion failure:
>
> 14-Feb-2012 13:24:41.137 general: critical: rbtdb.c:1619:
> IN
Key management (and how BIND 9 in the form of named handles issues like this)
is likely too large a topic to address before 9.9.0 is out. I don't think the
management has gotten worse from 9.8 to 9.9 though.
We're hoping to make key management the next major focus area in bind 9, now
that we h
Do you happen to have some sort of web proxy (perhaps transparent) that is
sitting between your windows machine and our server?
In any case, I'll open a ticket with our ops people to investigate from our end.
--Michael
On Feb 1, 2012, at 10:06 AM, TAN BUI wrote:
> I have filed a bug report to
As Evan mentioned earlier, we are coming close to releasing a final BIND 9.9.0.
It's scheduled to go to our Forum members on the 7th of February and as a
public release about a week later.
Some inline signing defects were resolved earlier this week, and we've released
9.9.0RC2. This release c
This is one of the reasons we are doing things differently in BIND 10. BIND 9
had some early stuff (under doc directory) but it was never fully fleshed out.
--Michael
On Jan 26, 2012, at 10:58 AM, Cong Guo wrote:
> Hello,
>
> How can I get the design documents of Bind9, like the ones for Bin
ISC is also, by pure luck, offering a web seminar on inline signing in BIND 9.9
today. While the first one starts in 15 minutes as I write this message, there
are a total of three sessions today.
Head on over to http://www.isc.org/webinar to find out the times and
information on how to join.
You want BIND 9.9 (currently 9.9.0rc1) with inline signing. This will do
exactly what you want, I think.
--Michael
On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:
>
> OK, in an attempt to start using DNSSEC over here, I suppose I bit myself
> in the backside, and even spending some time us
On Nov 18, 2011, at 4:44 AM, G.W. Haywood wrote:
> Never in several machine decades have I had to do anything like that
> for BIND. The fact that people are even talking about it is of some
> concern to me. Twice in approximately the last month I have had one
> particular server go down for no
I see many valid IP addresses in your list. But that said, are the responses
going back "large" individually, or is it the number of them that is "large"?
If you think this is attempting to crash the server with a single large answer,
that's different than if your server is getting a lot of que
k, it won't do so for very long. I believe the daemon
checks once every 100ms or so.
--Michael
On Dec 1, 2011, at 5:17 AM, Jan-Piet Mens wrote:
> On Wed Nov 30 2011 at 20:45:30 CET, Michael Graff wrote:
>
>> For my VM environment, I bought a USB random source, and sha
Hello 张海阔,
I've opened a bug ticket for this one. I don't know that bind-users is a good
place to continue discussions, but consider perhaps bind-workers (which is more
for coders).
I'll send you a link to the bug in separate message.
--Michael
On Nov 30, 2011, at 6:09 AM, 张海阔 wrote:
> hell
On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote:
> In RHEL there is an RPM package called unuran.
> It's a random number generator daemon using either a piece of hardware or
> /dev/urandom as source. Running this will provide enough entropy to create
> lots of keys.
I'd be rather wary of keys
On Nov 30, 2011, at 4:09 AM, Matus UHLAR - fantomas wrote:
>> On 11/29/2011 11:33 PM, Chris Thompson wrote:
>> I wonder if an external tool to "trim" the journal would be an option? You'd
>> need a timestamp on records (relying on the RRSIGs mean it only works for
>> signed). Not sure about the
Do you see that each time named starts or just on the first load of the zone?
What happens if you send a query to the server with dig +dnssec?
On Nov 10, 2011, at 14:23, "McConville, Kevin" wrote:
> I know that this isn’t the forum for betas, which is why I put off-topic on
> the subject li
NXDOMAIN means the name does not exist. NODATA means the name exists but the
type does not. NXDOMAIN will never be returned for either name as they both
exist.
On Nov 9, 2011, at 3:34, "Beisiegel, Sven" wrote:
> Hi everyone,
> I tried to find a solution to this using Google, but I failed… I
Are you saying you cannot compile from source, or that you must use the vendor
supplied version of bind?
On Nov 7, 2011, at 10:04, Aleksander Kurczyk wrote:
> I'm using Mac OS X 10.4.11 Tiger on G4 400 MHz PPC Mac and BIND 9.7.4 is the
> last version that I'm able to use.
_
Is there something else running on those UDP ports?
On Oct 26, 2011, at 12:49 AM, Benzi Mizrahi wrote:
> Hi,
>
> I've recently upgraded our nameservers from version 9.6.2.-p3 to 9.7.4 , and
> the following
> messages started to appear on all nameservers logs:
>
>
> 22-Oct-2011 16:58:41.54
I opened a ticket on Tony's behalf so we can track the crash problem and the
other defects he mentioned. As I told him there, the master functionality is
still a work in progress, and the code's not there yet. "Soon."
Thank you Tony for giving this a try as an alpha! Your time is appreciated.
On Sep 29, 2011, at 4:06 PM, Bill Owens wrote:
> I've obviously been asleep and not following along with the announcements of
> new features in BIND 9.9 until today
I'm happy you read it, and hope to see you at the forum/customer webinar next
week! I'll be speaking, and will bring my fireproof
On 2011-09-28 9:36 AM, feralert wrote:
> Thanks Jeff,
>
> But I really only wrote that as an example :) . The real question
> is what is best or what is recommended, two A RR (one for domain,
> one for www) or a single A RR for domain and a CNAME RR f
On 2011-08-30 12:06 PM, Klaus Darilion wrote:
> Unfortunately I fail to find the options where I can configure the
> number of retransmissions, timeouts and number of transactions -
> please give me some hints.
I don't believe there are external kno
Yes. It is correct behavior.
There is no revoke method for a publisher. I don't think adding one would be
wise.
--Michael (from an iPhone)
On Aug 17, 2011, at 7:18, "Marc Lampo" wrote:
> Hello,
>
> Experimenting with key roll-over timing conditions,
> with a Bind 9.7.3 setup, I noticed, t
While calling them sounds fun, I wonder if we need a Soft Failure mode sooner
rather than later during dnssec deployment.
Or a way to have bind 9 report broken dnssec to a central site where we or a
group of ISC-blessed volunteers call them after X reports of brokenness.
--Michael (from an iP
I am very interested in hearing what you are looking for. I have some
thoughts about "performance" measurements, mostly to answer the age-old
question, "Are my servers working well?"
Would you release the patches, and if so, would you be willing to w
On 2011-07-14 2:28 PM, Chris Thompson wrote:
> So is there anything that could go wrong if the style sheet reference *was*
> relative rather than absolute?
Not that I can see. It's probably that we never considered that use case.
Send in a bug repo
On 6/29/11 4:28 PM, Sven Eschenberg wrote:
> P.S.: If all parts of bind were optimized towards multicore processing and
> the pattern of queries fits, yes, then the 8 core machine could probably
> outrun the 4 core machine, even when having a slower cl
On 6/29/11 3:00 PM, Sven Eschenberg wrote:
> One thing that just popped up my mind:
> Does it increase performance, when you, let's say, bind multiple IPs to
> the same NIC and make bind listen to all of those IPs, while of course
> taking care to fix
On 6/29/11 9:16 AM, iharrathi@orange-ftgroup.com wrote:
> Do I have to use bind compiled and running on 32 bit server to have
> better performance rather than bind compiled and running on 64 bit server?
No matter what, what gets you the best perfo
On 6/29/11 9:08 AM, Sven Eschenberg wrote:
> Maybe some bind developer can shed a light on this:
> Does bind use epoll()?
> AIO (as in Posix RT extensions)
BIND 9 uses epoll() I believe, but AFAIK does not touch AIO. I've not
touched that code recen
We've been working on the start-up time of BIND 9, when many many zones
are configured.
By many, I mean in the 10k to 1m range.
If you are someone who has a large number of zones loaded into BIND 9,
and would like to try out some test code to see if
On 6/29/11 8:19 AM, Eivind Olsen wrote:
> Really? I thought you said the 64 bit server had a CPU with 1.6GHz cores,
> and the 32 bit server had 2.33GHz cores?
Benchmarking on different machine types, even if they are identical
speed, can be affected b
38 matches