Re: Survey on the impact of software regulation on DNS systems

2025-04-08 Thread Peter 'PMc' Much
Michael, thank You very much for this message! It came at the right time and it is truly inspiring! I missed that. On Fri, Mar 28, 2025 at 01:59:02AM +0100, Michael De Roover wrote: ! > So, while I am not strictly against regulation, the bottomline question ! > appears to be: how do we manage

Re: Survey on the impact of software regulation on DNS systems

2025-03-27 Thread Peter 'PMc' Much
On Sun, Feb 02, 2025 at 02:45:08PM -0500, Paul Kosinski via bind-users wrote: ! On Sat, 1 Feb 2025 14:47:35 + ! Marc wrote: ! ! "You have to get the bigger picture. Everything requires regulation otherwise big tech is going to fuck you. There are enough examples out there." ! ! The even big

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-25 Thread Peter 'PMc' Much
Thanks a lot, folks! The problem is solved - I put a "checksum" module between the firewall and the "nat" module (I have netgraph[1] modules), and that works now as expected. Apparently, when NAT-rewriting the address of a /locally created/ packet, at the time of rewriting the checksum has not

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-24 Thread Peter 'PMc' Much
On Mon, Feb 24, 2025 at 10:01:49PM +0100, Peter 'PMc' Much wrote: ! Packets do arrive, but are ignored. ! The local firewall is switched to pass-thru. ! ! I don't know what else could selectively swallow packets without ! notice. Okay, I figured it out. tcpdump was friendly enou

xfer-in: Transfer status: timed out (selective failures)

2025-02-24 Thread Peter 'PMc' Much
Hi, I started to get these messages, when some secondary tries to fetch a zonefile from a primary. So I looked into it - The primary is running: # ps ax | grep named 13667 - IsJ 0:00.39 /usr/local/sbin/named -n 1 -u bind -c /usr/local/etc/namedb/named.conf It has ports configured:

Re: IPv6 Geolocation per /64

2025-02-19 Thread Peter 'PMc' Much
On Tue, Feb 18, 2025 at 07:20:26PM -0500, Michael Richardson wrote: ! There is also https://www.rfc-editor.org/info/rfc9632. ! ! This document specifies how to augment the Routing Policy Specification ! Language (RPSL) inetnum: class to refer specifically to geofeed ! comma-separated values

Re: IPv6 Geolocation per /64

2025-02-18 Thread Peter 'PMc' Much
On Tue, Feb 18, 2025 at 09:48:02PM +, Andrew Pavlin wrote: ! Think about it. Who _has_ to know your physical/geographical address and its associated Internet address block to provide you with Internet service? Your ISP! Question: is an ISP legally obliged to divulge their customer's locations

Re: IPv6 Geolocation per /64

2025-02-18 Thread Peter 'PMc' Much
On Tue, Feb 18, 2025 at 08:48:15PM +0100, Michael De Roover wrote: ! Hi all, ! ! > It may be inside DNS, or it may be elsewhere, I do not know. There ! > is a DNS "LOC" record, but that doesn't seem to be used anymore. It ! > seems to be something else. But what, and where? ! I find it a shame tha

Re: IPv6 Geolocation per /64

2025-02-18 Thread Peter 'PMc' Much
On Tue, Feb 18, 2025 at 09:51:51PM +0100, Michael De Roover wrote: ! On Tuesday, February 18, 2025 9:38:58 PM CET Peter 'PMc' Much wrote: ! > Then they make a business of selling my own information back to me - ! > and I would like to know how they do that. ! ! Hehe.. about that.

Re: IPv6 Geolocation per /64

2025-02-18 Thread Peter 'PMc' Much
On Tue, Feb 18, 2025 at 08:04:28PM +0100, Marco Moock wrote: ! Am 18.02.2025 um 18:50:31 Uhr schrieb Peter 'PMc' Much: ! ! > Consideration: ! >Since every /64 in IPv6 carries its own distinct geolocation info, ! >there must be somewhere a database

IPv6 Geolocation per /64

2025-02-18 Thread Peter 'PMc' Much
Consideration: Since every /64 in IPv6 carries its own distinct geolocation info, there must be somewhere a database of -quick average- 2^64 = 18446744073709551616 records. I'm currently trying to figure out where that database is located. It may be inside DNS, or it may be elsewhere, I

Re: Survey on the impact of software regulation on DNS systems

2025-02-01 Thread Peter 'PMc' Much
On Wed, Jan 29, 2025 at 03:43:23PM +, Marcus Kool wrote: ! I participated in the survey and think it is good to also have a ! public discussion. I tried to, but got the impression that the target audience is rather commercial providers of infrastructure services, like domain registrars and dns

Re: localhost name lookup

2025-01-15 Thread Peter 'PMc' Much
On Tue, Jan 14, 2025 at 10:47:35PM +0100, Emmanuel Fusté wrote: ! localhost is defined as a (local) hostname of the loopback interface, not a ! domain name. Where would that be defined? Because, what You state is a contradiction in itself: a hostname is a designation of the metal (or virtual, now

Re: SVCB/HTTPS vs. getaddrinfo: how to merge?

2024-12-26 Thread Peter 'PMc' Much
On Thu, Dec 26, 2024 at 04:53:51AM -0500, Darren Ankney wrote: ! Hi, ! ! It seems to me that the HTTPS/SVCB records describe where and how a ! service is available (could be several IPv4 and IPv6 addresses as well ! as several ports). It does nothing to select how a client might ! connect to the

SVCB/HTTPS vs. getaddrinfo: how to merge?

2024-12-25 Thread Peter 'PMc' Much
Folks, recent messages here mentioned some HTTPS and SVCB RRs. This is completely news to me, so I gave it some read. Then I found that these new tools are supposed to provide (IPv4 and IPv6) addresses, which seems to me as rather strange from a logical viewpoint. Normally, the addresses to be

Re: Recently started invalid signings

2024-11-29 Thread Peter 'PMc' Much
maintained manually (I didn't find anybody listening to CDNSKEY yet) and I have two KSK for high-availability, and the third is currently introduced or retiring (the rollover scheme works for RFC 5011 also). cheerio, PMc ! ! > On 29 Nov 2024, at 13:54, Peter 'PMc' Much

Recently started invalid signings

2024-11-28 Thread Peter 'PMc' Much
Hi, I just noticed my dns-signer recently started to create some invalid signings - the two red arrows in here: https://dnsviz.net/d/daemon.contact/Z0ka0A/dnssec/ There is a history, one can go back and see these weren't present in March '24 and earlier. The problem is, I didn't change an

Re: BIND RPZ is not blocking A record

2024-11-14 Thread Peter Davies
Hi Blason, Your configuration looks correct, though BIND will try to resolve the "wg.custom.block" through your forwarders. What reply do you get from: dig @172.1.254.243 custom.block soa /Peter -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from

Re: FYI: FreeBSD: upgrade to protobuf-c 1.4.1_6 breaks dig

2024-10-14 Thread Peter
On Mon, Oct 14, 2024 at 06:10:20AM -0700, Steve Rikli wrote: ! On Mon, Oct 14, 2024 at 07:19:06AM +0200, Peter wrote: ! > On Sun, Oct 13, 2024 at 10:55:52PM +0100, Niall O'Reilly wrote: ! > ! FYI only. I've submitted a [bug report][] to the FreeBSD Bugzilla. ! > ! > ! Afte

Re: FYI: FreeBSD: upgrade to protobuf-c 1.4.1_6 breaks dig

2024-10-14 Thread Peter
On Mon, Oct 14, 2024 at 11:26:58AM +0100, Niall O'Reilly wrote: ! On 14 Oct 2024, at 6:19, Peter wrote: ! ! > I cannot reproduce: ! ! Thanks. I've been made aware, off list, of people who can. Interesting. I for my part do normally not link dig against protobuf at all: $ pkg in

Re: FYI: FreeBSD: upgrade to protobuf-c 1.4.1_6 breaks dig

2024-10-13 Thread Peter
On Sun, Oct 13, 2024 at 10:55:52PM +0100, Niall O'Reilly wrote: ! FYI only. I've submitted a [bug report][] to the FreeBSD Bugzilla. ! After upgrading to 1.4.1_6, I see: ! ! ``` ! grab(maint)$ uname -a ! FreeBSD grab.no8.be 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64 ! grab(maint)$ pkg

Re: Date not updated in serial number

2024-09-25 Thread Peter Davies
me". The default setting is "serial-update-method increment;" For more details, see: https://bind9.readthedocs.io/en/v9.18.30/reference.html#namedconf-statement-serial-update-method /Peter From: "Burn Zero" To: "bind-users" Sent: Thursday, 26 September

Re: Assistance Needed: "Too Many Records" Error When Reloading Zone `example.com`, BIND: 9.18.29

2024-09-22 Thread Peter Davies
e" default setting is 100. https://downloads.isc.org/isc/bind9/9.18.30/doc/arm/html/reference.html#namedconf-statement-max-records-per-type The "max-types-per-name" default setting is 100. https://downloads.isc.org/isc/bind9/9.18.30/doc/arm/html/reference.html#namedconf-statement-max-t

Re: bind918 malfunction?

2024-09-06 Thread Peter
On Fri, Sep 06, 2024 at 09:12:51PM +0200, Ondřej Surý wrote: ! Now the question remains - why? I don’t really see a reason for this ! behavior from where I tested it, so what is the traffic between your ! recursor and the Internet during the time this happens? Well, I can see why - but I don't kno

Re: bind918 malfunction?

2024-09-06 Thread Peter
On Fri, Sep 06, 2024 at 08:05:18PM +0200, Ondřej Surý wrote: ! Try using running `named -d 9 (plus other existing args)` to see why there are 31+ queries. There must be something wonky going on. ! Alright. "-d 9" does nothing. Changing the named.conf does something: channel named_log {

Re: bind918 malfunction?

2024-09-06 Thread Peter
On Fri, Sep 06, 2024 at 12:55:20PM -0400, Bob Harold wrote: ! Recently (2024/9/21) I ran into an issue that might be similar. Due to ! DDoS attacks that use complicated lookups to make DNS servers do extra ! work, to slow them down, some recent DNS server software has tightened the ! amount of 'wo

Re: bind918 malfunction?

2024-09-06 Thread Peter
This one was accidentally not sent to the list, sorry! On Thu, Sep 05, 2024 at 08:04:37PM +0200, Ondřej Surý wrote: ! I’m on my phone, so this is a long shot, but you can try disabling the qname minimization. Thank You for the suggestion, I can try this occasionally. Rather I'd prefer to figure

Re: bind918 malfunction?

2024-09-05 Thread Peter
On Thu, Sep 05, 2024 at 07:05:29PM +0200, Ondřej Surý wrote: ! It’s impossible to answer your question as you haven’t provided ! absolutely no information about your problem. Perhaps if you provide ! detailed information about nature of the problem, your DNS ! configuration, and your network config

bind918 malfunction?

2024-09-05 Thread Peter
I have complaints about network malfunction. From the logs I can see that a device which always regained network access within ~40 seconds, now takes 1-2 hours to recover, and this happening almost daily. There is a possible alignment between the start of the malfunction and an upgrade from 9.16 t

Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-28 Thread Peter DeVries via bind-users
a significant effort to do what we are doing and happy to contribute but just to note we have no objections to how ISC is doing it and appreciate that these are being produced. I use them anytime my custom ones are not available. Peter > > Alpine is popular for small images, but is it good

Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Peter DeVries via bind-users
For what it's worth this is how we build our dockers, with a builder and then the runner. IMO it's cleaner that way and not much more complicated. We'll continue to roll our own though so no real dog in this fight. Peter On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý wrote: >

Re: Deleting a key

2024-08-07 Thread Peter DeVries via bind-users
The DS for the new key is only rumored. I believe you want a `rndc dnssec -checkds -key 48266 published` and maybe another to withdraw the 50277 key. Peter

Re: qname minimization: me too :(

2024-06-25 Thread Peter
On Tue, Jun 25, 2024 at 04:41:54PM +0200, Stephane Bortzmeyer wrote: ! On Tue, Jun 25, 2024 at 04:22:40PM +0200, ! Peter wrote ! a message of 16 lines which said: ! ! > Jun 25 16:18:31 conr named[4725]: lame-servers: ! >info: success resolving 'bar.foo.isc.org/A'

Re: qname minimization: me too :(

2024-06-25 Thread Peter
On Tue, Jun 25, 2024 at 07:00:51AM +1000, Mark Andrews wrote: ! It’s just a false positive when the result is NXDOMAIN. Because > people forget to put delegating NS records in parent zones when both > are served by the same server the lookups continue on NXDOMAIN. There > is an issue to address thi

Re: qname minimization: me too :(

2024-06-24 Thread Peter
On Fri, Jun 21, 2024 at 04:58:55PM +0200, Stephane Bortzmeyer wrote: ! On Fri, Jun 21, 2024 at 07:03:14AM +, ! Michael Batchelder wrote ! a message of 59 lines which said: ! ! > You'll need to fix these zones so that the response is NOERROR rather than NXDOMAIN. ! ! Yes and, if

Re: qname minimization: me too :(

2024-06-21 Thread Peter
, different view), and> ! > that one basically says, this is bogus. ! > ! > Case 3: ! > --- ! > Jun 19 18:28:48 conr named[24481]: lame-servers: ! >info: success resolving ! > '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.1.0.0.3.2.f.1.0.7.4.0.1.0.0

Re: qname minimization: me too :(

2024-06-19 Thread Peter
On Wed, Jun 19, 2024 at 10:33:41PM +0200, Stephane Bortzmeyer wrote: ! On Wed, Jun 19, 2024 at 10:15:48PM +0200, ! Peter wrote ! a message of 32 lines which said: ! ! > today I happened to look into a named.log, and found it full of ! > qname minimization messages. ! ! Which message?

qname minimization: me too :(

2024-06-19 Thread Peter
rvers" happen to be some of my own? What do I do then? Because I've seen through the proceedings, and I do not yet see the error. cheerio, Peter

Re: CNAME and IPv6

2024-05-29 Thread Peter
On Wed, May 29, 2024 at 12:20:09PM +0200, Matus UHLAR - fantomas wrote: ! > On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock wrote: ! > > rinetd manages 2 separate connections and should work with PMTUD. ! ! On 28.05.24 22:17, Peter wrote: ! > I'm wondering how it would. Th

Re: CNAME and IPv6

2024-05-28 Thread Peter
On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock wrote: > Am 28.05.2024 um 18:48:38 Uhr schrieb Peter: > > > On Tue, May 28, 2024 at 12:25:03PM +0200, Marco Moock wrote: > > > > > Now we add an IPv6 address for 'myhost'. But portforwarding > >

Re: CNAME and IPv6

2024-05-28 Thread Peter
On Tue, May 28, 2024 at 12:25:03PM +0200, Marco Moock wrote: ! Am 28.05.2024 um 12:00:09 Uhr schrieb Peter: ! ! > if I understand correctly, the use of CNAME is just a convenience ! > and no technical feature, right? ! ! It is technical because the query is redirected to the domain lis

CNAME and IPv6

2024-05-28 Thread Peter
Hello, if I understand correctly, the use of CNAME is just a convenience and no technical feature, right? In lots of examples on the net, a zonefile for a domain might contain things similar to this: @ORIGIN example.com. .. myhost A1.2.3.4 www CNA

bind_dlz and views and samba

2024-05-15 Thread Peter Carlson
ther DNS and setup views there, but that doesn't work either as all requests now come from IP of the DC and so the ACLs won't match. Any ideas how I can accomplish this? Peter

Re: Switching from rhel base 9.16 to 9.18 copr

2024-05-05 Thread Peter
On Sun, May 05, 2024 at 06:15:13PM +0200, Luca vom Bruch via bind-users wrote: ! Hello, ! ! I use bind (stock from alma 9.3) as a nameserver for a webhosting server ! with webmin/virtualmin. ! ! If I install BIND via copr (RHEL9 and derivatives only offer 9.16 instead of ! 9.18 - I want to experi

named 100% utilization

2024-04-30 Thread Peter Carlson
};     zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };     zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; include "/var/lib/samba/bind-dns/named.conf"; }; view vpn {     match-clients { vpn; };

Re: XFR killed by security

2024-03-04 Thread Peter
On Mon, Mar 04, 2024 at 03:43:48PM +0100, Ondřej Surý wrote: ! > On 4. 3. 2024, at 14:55, Peter wrote: ! > ! > I don't find it really surprising that XFR would contain "multiple ! > RRSIG entries". ! ! Unfortunately, this is obviously surprising to the vendor of the s

XFR killed by security

2024-03-04 Thread Peter
Hi folks, a few days ago I apparently lost the beneficence of my zone feeds, and XFR started to get into timeout. Looking at the usual culprits I then found this: DNS Response containing multiple DNSSEC RRSIG Entries (Algorithm 14) - Possible CVE-2023-50387 Activity [Classification: De

Re: occasional SERVFAIL error

2024-02-29 Thread Peter Davies
7200 3600 604800 86400 Nameserver 2001:67c:1bd4:8080::10:     jiscd.sk has SOA record ns1.gov.sk. gov.sk. 2024022800 7200 3600 604800 86400 Nameserver 195.49.191.162:     jiscd.sk has SOA record ns1.gov.sk. gov.sk. 2024022800 7200 3600 604800 86400 Kind Regards Peter On 29/02/2024 15.20

Re: Stub zones, but secndary?

2023-11-20 Thread Peter
On Mon, Nov 20, 2023 at 03:30:13PM +1300, Nick Tait via bind-users wrote: ! On 20/11/2023 1:00 pm, Peter wrote: ! > It's tricky. One problem is these are slave zones, they are ! > authoritative and do not work well with DNSSEC. ! ! I'm curious... What issues did you have with

Re: Stub zones, but secndary?

2023-11-19 Thread Peter
ke this. ! ! I'm wondering whether there's a more elegant way. Like "secondary-hint" zones. ! Have I overlooked something? Maybe. As You can see, it can be done, but it's a bit weird - I got the fancy that I want to have all six-way in one running image. ;) (Originally I just

DNS DevRoom at FOSDEM2024 - Call for Participation

2023-11-16 Thread Peter van Dijk
Hello DNS enthusiasts and other developers, After four earlier successful and packed DNS devrooms, we are happy to announce a half-day DNS devroom at FOSDEM 2024. As with the previous events, we hope to host talks anywhere from hardcore protocol stuff, to practical sessions for programmers that a

Re: Unable to upgrade BIND v9.19.11 on Ubuntu without error

2023-07-11 Thread Peter Davies
Hi Richard, FYI: The BIND 9.19.12 Release Notes contain the following: Removed Features ... Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been removed. Using them is a configuration error. ... Kind Regards Peter

Re: How to make SRV records work with caching resolvers?

2023-06-07 Thread Peter
Hi, In July last year I asked about a problem with an IP telephone mis-handling the DNS responses (and got the clear answer that the telephone is to blame). I quote my original message here: On Wed, Jul 13, 2022 at 01:06:13PM +0200, Peter wrote: ! My Telco has removed the A record for their

Re: RPZ zone response delay time ?

2023-04-13 Thread Peter van Dijk
` on Linux) that goes to your local system. 0.0.0.0 is not the right DNS response here, or almost anywhere. NXDOMAIN likely fits better. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/

BIND Process failed during logrotate

2023-03-22 Thread White, Peter
I had the named process fail this past weekend on two secondaries running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13. It seems that logrotate.d is calling the following script at the time of the failure. /var/named/data/named.run { missingok su named named create 0644 named named

Re: dnstab-read with detailed information

2023-03-15 Thread Peter
On Wed, Mar 15, 2023 at 09:34:40PM +, MAYER Hans wrote: ! ! ! Dear All, ! ! dnstab is a great feature to analyse the details what’s going on. But I think there is room for improvement. ! ! I write the data to a file and once a day I do a log rotate. ! With "dnstab-read FILE | grep IP“ I ge

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Peter
On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote: ! I am planning on implementing the current version of BIND to replace the ! aging, undocumented authoritative servers I inherited. I want to hide the ! primary server on our internal network and have two secondary servers be ! publicly availabl

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2))

2022-12-30 Thread Peter
On Thu, Dec 29, 2022 at 03:43:35PM -0500, Timothe Litt wrote: ! So much like DNSSEC itself, the technology is there, but the will to use it ! everywhere it's needed is not. Timothy, thank You for the update. I agree to Your viewpoints, and we have seen mostly the same with IPv6. Apparently it nee

RFC7344 (was: Funky Key Tag in AWS Route53 (2))

2022-12-29 Thread Peter
On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote: ! (Manual processes ! are error-prone.  That getting registrars to adopt CDS/CDNSKEY - RFC7344 - ! has been so slow is unfortunate.) Seconded. Do You have information about this moving at all? Because to me it looks very much like dead

Containerizing BIND with Kubernetes

2022-12-06 Thread White, Peter
Is there any good source of documentation on containerizing an authoritative BIND instance in a Kubernetes cluster? The main part I’m trying to grasp is how to dynamically horizontally scale the cluster and keep the BIND notify process working between the containers. Thanks, Peter

New BIND Releases are available: 9.16.35, 9.18.9, and 9.19.7

2022-11-16 Thread Peter Davies
from the EOL BIND 9.11 branch to the BIND 9.16 branch read the following document: https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916 -- Peter Davies ISC Support

Re: Question about dnstap

2022-09-13 Thread Peter
On Tue, Sep 13, 2022 at 12:24:15PM +0200, Petr Špaček wrote: ! On 12. 09. 22 15:49, Peter wrote: ! > On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! > ! My testing did not uncover anything problematic. ! > ! ! > ! Versions: ! > ! fstrm 0.6.1-1 ! > ! protobuf 21.5-

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! My testing did not uncover anything problematic. ! ! Versions: ! fstrm 0.6.1-1 ! protobuf 21.5-1 ! protobuf-c 1.4.1-1 ! ! ! A procedure which works: ! - start BIND configured with ! options { ! dnstap { all; }; ! dnstap-o

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 12:27:25PM +0200, Borja Marcos wrote: ! I am not sure this is intended behavior, or maybe I should file a bug. ! ! I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using ! dnstap-go. ! ! I have configured

Re: isc python module

2022-08-16 Thread White, Peter
I don’t mean to hijack the thread, but I think this is related. I also use the BIND python modules. In particular, I'm using it to update my catalog zones as described here: https://kb.isc.org/docs/aa-01401 This document has several references to BIND 9.18 without any mention of the BIND python

Re: DNSSEC adoption

2022-08-03 Thread Peter
I see a two-fold issue with DNSSEC: 1. The wide-spread tutorials seem to explain a key rollover as an exceptional activity, a *change* that is infrequently done. And changes, specifically the infrequent ones, bring along the possibility of failure, mostly due to human error. I don't s

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-03 Thread Peter
On Wed, Aug 03, 2022 at 04:49:35PM +1000, Mark Andrews wrote: ! Additionally authoritative servers for a zone are supposed to answer queries with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED is the wrong answer of the query name involves zones you serve. Only if you a

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-03 Thread Peter
On Tue, Aug 02, 2022 at 02:04:22PM -0400, Timothe Litt wrote: ! On 02-Aug-22 13:18, Peter wrote: ! > On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wr

Re: Stopping ddos

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 11:16:15PM +0200, Michael De Roover wrote: ! For my servers I'm using iptables rules to achieve ratelimiting. They ! look as follows: ! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent -- ! update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.2

Re: bind-users Digest, Vol 4031, Issue 3

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote: ! ! On 02-Aug-22 11:09, bind-users-requ...@lists.isc.org wrote: ! ! > | Before your authoritative view, define a recursive view with the internal ! > ! zones defined as static-stub, match-recursive-only "yes",  and a ! > ! server-addre

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote: ! You can get the AD flag set, with a bit of extra work.  I've done this for ! years. Thanks for Your message, Timothe. After investigating the matter, I had figured out a similar approach - but didn't know if this is a recommended or

Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

2022-08-01 Thread White, Peter
problem continues. Thanks so much for your help! From: Greg Choules Date: Monday, August 1, 2022 at 6:21 PM To: White, Peter Cc: bind-users@lists.isc.org Subject: Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE CAUTION: This email originated from outside of Penguin Random House. Please be

Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

2022-08-01 Thread White, Peter
I’m running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 (Extended Support Version) on RHEL 7 in a chroot jail. As of late, at times running some rndc commands are causing my server to lock up. It’s usually an “rndc addzone” that triggers the issue. I’ll also mention that I have recently started

Re: How to make SRV records work with caching resolvers?

2022-07-25 Thread Peter
again. (Obviously there can be many other reasons for a temporary outage.) The plan is now to put this on hold until it appears at annoying daytimes again, and ideally obtain a kind of VoIP-proxy or PBX to put in between. -- PMc ! > On 13. 7. 2022, at 13:18, Peter wrote: ! > ! >  ! > My Telc

Re: How to make SRV records work with caching resolvers?

2022-07-13 Thread Peter
On Wed, Jul 13, 2022 at 09:22:17PM +1000, Mark Andrews wrote: ! The client is supposed to lookup missing address records. Now that's clear and short. Thank You very much, Mark! ! Complain to the supplier of the phone that they have a defective product. I still have to see a linux plastic box wit

How to make SRV records work with caching resolvers?

2022-07-13 Thread Peter
My Telco has removed the A record for their VoIP server, and now has only SRV data there - which seems not to work properly. The SRV data contains various services (SIP via UDP, TCP, secure TCP, whatever), and these get individual expiry counters in the caching resolver. So when a telephone send

IPv6 scoped address disambiguation

2022-06-16 Thread Peter
Hi @all, the reference manual says something about scoped ipv6 addresses, so I might assume they are understood and useable. But maybe either I did misunderstand something, or something is wrong here: My configuration: listen-on-v6 port 53{ fe80::2%lo0;

Re: Bugfix: missing line in message.c

2022-06-05 Thread Peter
On Thu, Jun 02, 2022 at 08:23:27AM +1000, Mark Andrews wrote: ! Thanks. ! ! INDENT is being addressed. ! ! Can you add an issue on https://gitlab.isc.org/ for the view name in dnstap? Bad luck for me, my login does actually work there - so I probably have to... ;) Done, it says #3391. -- PMc

Bugfix: missing line in message.c

2022-06-01 Thread Peter
Hi, this is broken in 916 (and apparently 918 also). Consequentially, output from dnstap gets unreadable (invalid YAML) when using dynamic zone updates. PATCH --- lib/dns/message.c.orig 2022-05-10 11:02:21.0 +0200 +++ lib/dns/message.c 2022-

Re: DNS traffic tracking

2022-05-09 Thread Peter Coghlan
he traffic is and getting a better idea of who is responsible for generating it and why. In my opinion, in the absence of knowing what the problem is, experimenting with stuff like rate limiting or blocking is unlikely to solve the problem. Regards, Peter Coghlan.

Re: getting answers from DNS queries

2022-04-25 Thread Peter Coghlan
here in dealing with the subject of malicious, bogus queries etc. Regards, Peter Coghlan. > > -- > > Hal King - h...@utk.edu > Systems Administrator > Office of Information Technology > Shared Services > > The University of Tennessee > 103c5 Kingston Pike Buildin

9.18.0 now available

2022-01-26 Thread Peter Davies
For those of you that may not be on the -announce list, I would like to make you aware of the following: https://lists.isc.org/pipermail/bind-announce/2022-January/001205.html -- Peter Davies Support Engineer Internet Systems Corporation pet...@isc.org 001 650-423-1460

Re: Found the bug (was: ERROR: Failed to create fetch for DNSKEY update)

2021-11-21 Thread Peter
On Sun, Nov 21, 2021 at 06:51:13PM +0100, Sten Carlsen wrote: ! As far as I am aware - and what I have always done - the normal | thing to do is to use a hints file. Lately the hints are built-in, | so nothing is really needed. Ah. Well, I have here a named.conf.sample file that comes with the dis

Found the bug (was: ERROR: Failed to create fetch for DNSKEY update)

2021-11-19 Thread Peter
Hija, I finally found the cause of the error! As soon as I stop slaving the root-zones and instead use the (configured or compiled-in) hint-file, the error stops. The actual error-condition (zone is not loaded) then becomes obvious, because this RFC-5011 action happens very early, before any

Re: ERROR: Failed to create fetch for DNSKEY update

2021-11-15 Thread Peter
On Mon, Nov 15, 2021 at 09:14:19AM +0100, Ondřej Surý wrote: ! > On 15. 11. 2021, at 3:41, Peter wrote: ! > ! >

ERROR: Failed to create fetch for DNSKEY update

2021-11-14 Thread Peter
Hi all, I continuously happen to see this message: > local0.warn named[2291]: > dnssec: warning: managed-keys-zone: Failed to create fetch for DNSKEY update I see it on different nameservers, at different sites, with and without views, with and without IPv6, and I see it every time when named

Re: BIND caching of nxdomain responses

2021-11-08 Thread Peter van Dijk
tps://lists.dns-oarc.net/pipermail/dns-operations/2021-September/021362.html Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/

Re: Preventing a particular type of nameserver abuse

2021-09-21 Thread Peter Coghlan
ld be interested to know what the experts think bind might have made of this traffic had it not been filtered out. I have included some of the more usual probes before and after the more interesting traffic for context. Regards, Peter Coghlan. 09:50:12.36 207.244.251.243.41020 > 192.168.80.24.53:

Failure from rate-limit

2021-08-11 Thread Peter
Hi, my servers fail to query the upstream servers with these errors: rate-limit: debug 99: rrl=0x0, HAVECOOKIE=0, result=DNS_R_SERVFAIL, fname=0x8027a5450(0), is_zone=0, RECURSIONOK=1, query.rpz_st=0x0(0), RRL_CHECKED=0 The operator of the upstream servers says it is due to a configuration mis

Re: Without IPv6 half of the queries yield SERVFAIL

2021-08-06 Thread Peter
On Fri, Aug 06, 2021 at 07:22:32AM +0200, sth...@nethelp.no wrote: ! > ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206, ! > ! marking all IPv6 addrs as bogus, but it does not make a difference in ! > ! behaviour. ! > ! > Update: Actually there is a difference if this recomme

Re: Without IPv6 half of the queries yield SERVFAIL

2021-08-05 Thread Peter
On Thu, Aug 05, 2021 at 11:53:35PM +0200, Peter wrote: ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206, ! marking all IPv6 addrs as bogus, but it does not make a difference in ! behaviour. Update: Actually there is a difference if this recommended configuration is present

Without IPv6 half of the queries yield SERVFAIL

2021-08-05 Thread Peter
Hi all, first off: I do not have IPv6 physical connectivity yet, but I would like to run a nameserver nevertheless. Sadly, it seems that without IPv6 connectivity, half of the queries fail, in a random fashion. There is no clue in the logfile about any reason for this behaviour, only so much

Re: ITS THE NUMBER OF CORES/THREADS

2021-07-23 Thread Peter via bind-users
update on how to get bind to run with parameters for windows make folder in C:\ named make file called named.bat in the bat file add: sc start named -n 7 in services > ISC BIND recovery tab first failure select run a program check enable actions for stops with errors in run program browse

Re: ITS THE NUMBER OF CORES/THREADS

2021-07-23 Thread Peter via bind-users
reproducer is helpful. Can you try if adding `-n 8` vs `-n 7` have the same effect? Ondřej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 23. 7. 2021, at 20:31, Peter via bind-users

Re: ITS THE NUMBER OF CORES/THREADS

2021-07-23 Thread Peter via bind-users
Well I reported it and we see what happens my main bind is not in a virtual machine I guess I could disable Hyper-Threading as a workaround...

ITS THE NUMBER OF CORES/THREADS

2021-07-23 Thread Peter via bind-users
So after ALL that it was down to the number of cores/threads, anything more than 7 cores/threads and 9.16.19 WILL NOT RUN tested in a virtual PC. Man what A BUG

Sorry

2021-07-22 Thread Peter via bind-users
I have come to the conclusion that I am being punished! I have moved heaven and earth to get 9.16.19 to work and only seem to work on another old system Core™2 Duo that I installed win 7 activated it then upgrade to win10 only that system work with 9.16.19 on another system I remove NICs unins

New BIND 9.16.19 I think don't run with Intel VLANs

2021-07-21 Thread Peter via bind-users
I have three PC's tested that all work fine on 9.16.15 or 9.17.12 with my Intel VLANs but 9.16.19 simply will not start. Is this a new limitation for BIND on windows now? or a change that causes it not to run if it detects VLANs with the intel APP?

Re: cmdns.dev.dns-oarc.net oddness with windows 10 and bind

2021-06-20 Thread Peter via bind-users
Seems fine now they must have fixed the testing.

Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

2021-06-19 Thread Peter via bind-users
Well for the time being I give up I think something like this happened before many years ago, I'm sure someone will post having this issue.
