Re: Help with ISC-BIND 9.20.7 COPR package DOH support

2025-03-22 Thread Robert Paolucci via bind-users
Hey Everyone, Need help with the COPR packages for BIND, they don’t seem to have DOH enabled / working sudo yum-config-manager --add-repo https://copr.fedorainfracloud.org/coprs/isc/bind/repo/epel-9/isc-bind-epel-9.repo sudo yum --enablerepo="copr:copr.fedorainfracloud.org:isc:bind" install is

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Robert Wagner
I see this note and some examples on this page that include the DNS: option: http://wiki.cacert.org/FAQ/subjectAltName FAQ/subjectAltName (SAN) What is subjectAltName ? subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName) :

Re: XoT Testing: TLS peer certificate verification failed

2025-02-27 Thread Robert Wagner
When validating a certificate, be sure to use the context of the DNS service... So, if your service runs under user BIND, you may need to su to BIND to test. This may help flush out issues where the ca.crt file was set so BIND could not read it. I don't know what happens when you set TLS to str

Re: Just a suspicion for now: Memory leak in 9.20.4?

2025-02-13 Thread Robert Wagner
tools are particularly useful for quickly checking if a process is consuming too much memory over time. We’ll focus on htop for now, which can be installed using apt: www.baeldung.com Robert Wagner From: bind-users on behalf of Ondřej Surý Sent: Thursday, Feb

Re: Survey on the impact of software regulation on DNS systems

2025-01-29 Thread Robert Wagner
This is not a good survey... 1. The 2025 US Executive orders point to dead links. Use the Federal Registrar link as it should be there long-term. 2025-01470.pdf CISA Federal Register :: Improving the Nation's Cybersecurity

Executive Order 14144 - encrypted DNS

2025-01-27 Thread Robert Wagner
FYI - EO 14144 has the following provision related to encrypting DNS: (c) Encrypting Domain Name System (DNS) traffic in transit is a critical step to protecting both the confidentiality of the information being transmitted to, and the integrity of the communication with, the DNS resolver. (i

Re: localhost name lookup

2025-01-14 Thread Robert Wagner
ry 14, 2025 10:48 AM To: Robert Wagner Cc: bind-users@lists.isc.org Subject: Re: localhost name lookup This email originated from outside of TESLA Do not click links or open attachments unless you recognize the sender and know the content is safe. On Tue, Jan 14, 2025 at 6:56 AM Robert Wagner

Re: localhost name lookup

2025-01-14 Thread Robert Wagner
All, I wanted to better understand the use-case of having a DNS server provide localhost lookup. I think every OS has a hosts file with localhost set for 127.0.0.1. This is an instantaneous resolution for localhost, rather than going through the process of setting of a network connection or wors

Re: Bind and DHCP

2025-01-09 Thread Robert Wagner
I am not sure this was clear, but are you talking about DNS/DHCP for internal computers or trying to DNS for both internal and external, DHCP for internal. As mentioned below, your load (QPS) will probably determine may determine if you can support a single server. A small network supplying in

Re: Question about post-quantum X25519Kyber768

2025-01-02 Thread Robert Wagner
>From my poke a few months back - stuff like PQC and NSA's Commercial Solutions >for Classified settings need to go through the RFC process. Since both the DNS >server and DNS client need to be on the same page as to which cipher suites >they agree on. Around 10/16: Robert,

Re: SIG(0) "request has invalid signature: not verified yet (NOERROR)"

2024-11-05 Thread Robert Wagner
Crypto question - You mention using RSASHA512, but the record shows ed25519 (elliptic curve) crypto. Any chance you can standardize on one or the other (RSA or ECC)? This may not be an issue, but it seems odd. Robert Wagner From: bind-users on behalf of

Re: DNSSEC, OpenDNS and www.cdc.gov - DNS Compliance checker?

2024-11-04 Thread Robert Wagner
it working/functional and nothing needs to be done. Having a tool that reviews your configuration and points out issues would help us advocate for proper configuration. Kind of a SSL checker for DNS... Thanks in advance for any thoughts you can provide. Robert Wagner

Re: DNSSEC, OpenDNS and www.cdc.gov

2024-11-01 Thread Robert Edmonds
e have been reported to DNS-OARC's dns-operations mailing list over the years (as well as other forums). The most recent thread is archived here: https://lists.dns-oarc.net/pipermail/dns-operations/2024-July/022642.html Robert Mankowski wrote: > I recently implemented a forward only BIND ser

RE: DNSSEC, OpenDNS and www.cdc.gov

2024-10-16 Thread Robert Mankowski
Thanks Greg. That is very helpful. Sorry I didn't find that article on my own. Bob From: Greg Choules Sent: Wednesday, October 16, 2024 10:10 AM To: Robert Mankowski Cc: bind-users@lists.isc.org Subject: Re: DNSSEC, OpenDNS and www.cdc.gov Hi Bob. See if this article helps any first, b

DNSSEC, OpenDNS and www.cdc.gov

2024-10-16 Thread Robert Mankowski
I recently implemented a forward only BIND server for home. I was forwarding to OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a noticeable amount of SERVFAIL responses. I believe it is related to DNSSEC (see delv tests below), but I don't believe it is my configuration be

Re: DS digest type(s)

2024-10-16 Thread Robert Wagner
ng DNSSEC algorithms? Danilo On 16. 10. 24 14:15, Robert Wagner wrote: Our preference would be to at least allow SHA-384 and SHA-512 per the CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov)<https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF

Re: DNSSEC algo rollover fails to delete old keys

2024-10-16 Thread Robert Wagner
Can do to provide instructions on how to follow the upcoming post quantum cryptography requirements? CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov) It would be extremely helpful. If the crypto is not ready yet,

Re: DS digest type(s)

2024-10-16 Thread Robert Wagner
Our preference would be to at least allow SHA-384 and SHA-512 per the CNSA 2.0 requirements: CSA_CNSA_2.0_ALGORITHMS_.PDF (defense.gov) My understanding is this will be the base requirement for all US Governm

Re: 9.18 horrendous

2024-08-24 Thread Robert M. Stockmann
istaken, I know of other local admin who > moved to unbound because of this, I hope we are not next, but I suspect we > will be. > > vent over. > -- Robert M. Stockmann - RHCE Network Engineer - UNIX/Linux Specialist crashrecovery.org st...@stokkie.net -- Visit https://lists.isc

Adding Extra Text to EDNS EDE Responses in BIND 9.19.24

2024-08-12 Thread Robert Paolucci via bind-users
Hello All, I’m currently working with BIND 9.19.24 and have successfully implemented EDNS EDE (Extended DNS Error) with the following configuration: response-policy { zone "rpz.example.com" ede blocked; } add-soa false This correctly returns the OPT code 15 for a

Re: netstat showing multiple lines for each listening socket

2024-07-08 Thread Robert Wagner
instances. Looking at the process ID, you may be able to track back to the root process and determine if these are just service threads. Robert Wagner From: bind-users on behalf of Thomas Hungenberg via bind-users Sent: Monday, July 8, 2024 4:52 AM To: bind

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Robert Wagner
n the pipeline. The rollover plan and the graphic ISC's Software Support Policy and Version Numbering<https://kb.isc.org/v1/docs/aa-00896> do not seem to match. Robert Wagner From: bind-users on behalf of John Thurston Sent: Monday, June 17, 2024 1

Re: Make dig and nslookup DNSSEC aware?

2024-05-22 Thread Robert Wagner
https://www.isc.org/blogs/bind-doh-update-2021/ BIND DoH Update Status of DNS-over-HTTPS support in BIND 9 as of March, 2021 The latest development release of BIND 9 contains a significant number of improvements to DNS-over-HTTP (DoH). www.isc.org

Make dig and nslookup DNSSEC aware?

2024-05-22 Thread Robert Wagner
Sorry if this has already been hashed through, but I cannot find anything in the archive. Is there any chance someone can make dig and nslookup DNSSEC aware and force it to use DoT or DoH ports - TCP 443 or 853 only? RW -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe

Re: Deprecated DSCP support

2024-02-29 Thread Robert Franklin
ms to have fallen out of favour as it's easier to solve most problems with more bandwidth, and it's not clear what's important anyway (and you can often only tell at layer 7), but there are still cases where it's necessary. - Bob -- Robert Franklin / (+44 1223 7) 48479 U

Re: Deprecation notice for BIND 9.18: Differentiated Services Code Point (DSCP) support

2023-01-05 Thread Robert M. Stockmann via bind-users
On Thu, 5 Jan 2023, [utf-8] Ondřej Surý wrote: > Date: Thu, 5 Jan 2023 14:51:52 +0100 > From: "[utf-8] Ondřej Surý" > To: Robert M. Stockmann > Cc: BIND users > Subject: Re: Deprecation notice for BIND 9.18: Differentiated Services > Code Point (DSCP) supp

Re: Deprecation notice for BIND 9.18: Differentiated Services Code Point (DSCP) support

2023-01-05 Thread Robert M. Stockmann
20 because it's already non-operational. > This is like Mercedes Benz announcing they will only sell the Baby Benz model, which is a Volkswagen EV barebonez with the VW logo replaced with a plastic Mercedes Benz star. -- Robert M. Stockmann - RHCE Network Engineer - UNIX/Linux Speciali

TTL is varying across nameservers

2022-09-24 Thread Robert M. Stockmann
;; ANSWER SECTION: stokkie.net.21600 IN A 84.87.53.162 ;; Query time: 23 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Sep 25 07:46:18 2022 ;; MSG SIZE rcvd: 45 $ Is this proper behavior ? -- Robert M. Stockmann - RHCE Network Engineer - UNIX/Linux Specialist crash

Re: caching does not seem to be working for internal view

2022-08-03 Thread Robert Moskowitz
This is borderline not thinking on my part. OF COURSE those FQDNs resolve fast; they are in local zone files. No lookup needed. Sheesh. "Slow down, you move too fast. Got to make the Mornin' last!" :) On 8/3/22 14:43, Robert Moskowitz wrote: Perhaps this is only caching t

Re: caching does not seem to be working for internal view

2022-08-03 Thread Robert Moskowitz
fined exactly what IS cached. On 8/3/22 10:52, Robert Moskowitz via bind-users wrote: thanks Greg.  Yes I need to figure out how to troubleshoot this. But here is some stuff: # cat resolv.conf # Generated by NetworkManager search attlocal.net htt-consult.com nameserver 23.123.122.146 nameserver

Re: ,Re: caching does not seem to be working for internal view

2022-08-03 Thread Robert Moskowitz
This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 03-Aug-22 12:36, Robert Moskowitz wrote: On 8/3/22 11:35, Timothe Litt wrote: On 03-Aug-22 10:53, bind-users-requ...@lists.isc.org wrote: # cat resolv.conf My server is 23.123.122.146. 

Re: ,Re: caching does not seem to be working for internal view

2022-08-03 Thread Robert Moskowitz
On 8/3/22 13:10, Anand Buddhdev wrote: On 03/08/2022 18:36, Robert Moskowitz wrote: Hi Robert, [snip] ARGH! I want the IPv6 addr from my firewall/gateway.  But I don't want that IPv6 nameserver! Calm down. Just add "PEERDNS=no" in your ifcfg-eth0 file. This way, the r

Re: ,Re: caching does not seem to be working for internal view

2022-08-03 Thread Robert Moskowitz
On 8/3/22 11:35, Timothe Litt wrote: On 03-Aug-22 10:53, bind-users-requ...@lists.isc.org wrote: # cat resolv.conf My server is 23.123.122.146.  That IPv6 addr is my ATT router. You don't want to do that.  The ATT router will not know how to resolve internal names.  There is no guarantee

Re: caching does not seem to be working for internal view

2022-08-03 Thread Robert Moskowitz via bind-users
.htt-consult.com" {    type master;    file "test.httin-consult.com.hosts";    };     zone "128.168.192.in-addr.arpa" {     type master;     file "128.168.192.in-addr.arpa.zone";  };     zone "0-24.128.168.192.in-addr.arpa" {

Re: Stopping ddos

2022-08-03 Thread Robert Moskowitz
low their IP addresses to send traffic either unrestricted, or using a more relaxed version of the above. HTH, Michael On Tue, 2022-08-02 at 16:02 -0400, Robert Moskowitz wrote: Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues,

caching does not seem to be working for internal view

2022-08-03 Thread Robert Moskowitz
Part of my problem is that caching does not seem to be working in my internal view. Something is happening such that my internal systems AND the server itself cannot resolve names and loses it even 5 min later, indicating not caching. I read https://kb.isc.org/docs/aa-00851 In my include f

Re: Stopping ddos

2022-08-02 Thread Robert Moskowitz via bind-users
On 8/2/22 17:30, Nathan Ollerenshaw via bind-users wrote: On 8/2/22 1:02 PM, Robert Moskowitz wrote: Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally looked at the logs and: You're being used

Stopping ddos

2022-08-02 Thread Robert Moskowitz
Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally looked at the logs and: Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied Aug  2 15:47

Re: resolving www.ecb.europa.eu tages ages

2022-06-20 Thread Robert M. Stockmann
ns1lux.europa.eu) in 18 ms www.ecb.europa.eu. 300 IN CNAME www-ecb-europa-eu.ax4z.com. ;; Received 86 bytes from 156.154.64.109#53(pdns109.ultradns.com) in 25 ms 0.00user 0.00system 0:00.56elapsed 0%CPU (0avgtext+0avgdata 17072maxresident)k 0inputs+0outputs (15major+1204minor)pagefaults

Re: resolving www.ecb.europa.eu tages ages

2022-06-20 Thread Robert M. Stockmann
.net. . 5812IN NS g.root-servers.net. --//-- ;; Received 891 bytes from 147.67.12.3#53(ns2lux.europa.eu) in 16 ms www.ecb.europa.eu. 300 IN CNAME www-ecb-europa-eu.ax4z.com. ;; Received 86 bytes from 2001:502:4612::91#53(pdns109.ultradns.org) in 4 m

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-04-30 Thread Robert M. Stockmann
article "C11 atomic variables and the kernel" By Jonathan Corbet, February 18, 2014 https://lwn.net/Articles/586838/ Best Regards, Robert -- Robert M. Stockmann - RHCE Network Engineer - UNIX/Linux Specialist crashrecovery.org st...@stokkie.net _

Confused about query_source(-v6) address statement

2019-10-18 Thread Robert Senger via bind-users
queries always use a random unprivileged port." Which one is true? I only need the source address to be set (both udp and tcp, for source based routing of dns queries), not the port. Thanks for clarification, Robert -- Robert Senger _

Re: BIND 9.11.6-P1 build fails on Solaris

2019-05-25 Thread Robert M. Stockmann
d in recursive mode, i.e. your workstation uses bind-9.11.7 as a caching nameserver to browse the internet, my laptop suddenly started to make a lot more noise and was heating up substantially. After going back to 9.11.6-P1 the heating of my laptop also went away. -- Robert M. Stockmann - RH

Re: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread Robert Edmonds
greg.ra...@bt.com wrote: > Thanks Robert. I've added a few lines of code to BIND's client.c source > module to call dns_dt_send for updates with a type of AUTH_QUERY, and it > works as expected. > > Is there any reason that you can think that it should not be par

Re: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread Robert Edmonds
ing something that hooks into the > network IO layer. > > If you want to record other kinds of messages (UPDATE, NOTIFY, etc.) it > would probably be best to extend the dnstap `Type` enum, and add > corresponding dns_dt_send() calls to BIND's code. But you should check > with R

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Robert Edmonds
Ronald F. Guilmette wrote: > In message <20180320205558.23ld7b2orcfky...@mycre.ws>, > Robert Edmonds wrote: > > >Rick Dicaire wrote: > >> For libbind9, https://packages.ubuntu.com/trusty/libbind9-90 > > > >You would also need the ".so" symlin

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Robert Edmonds
also shipped a copy of the old BIND4/8 "libbind" resolver (configure --enable-libbind). At which point it was split out into a separate tarball distribution (https://ftp.isc.org/isc/libbind/) and given the arbitrary version number 6.0. -- Robert Edmonds

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Robert Edmonds
bly have been named libbind9-dev. It's unrelated to the original "libbind" (https://www.isc.org/downloads/libbind/). However, note that there's also a proposal to get rid of the public BIND9 libraries and turn these into private APIs: https://gitlab.isc.org/isc-projects/bi

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Robert Edmonds
Ronald F. Guilmette wrote: > In message <20180320193041.d2bwvgkgyvqem...@mycre.ws>, > Robert Edmonds wrote: > > >For glibc versions that are less than about ten years old, these should > >be available in libresolv, which is part of glibc. > > Thanks Robert!

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Robert Edmonds
unctions from from libresolv in version GLIBC_2.9. [...] See the resolver(3) manpage, which is probably in the manpages-dev package on Ubuntu 14. This is unrelated to libbind9, which is a different API. -- Robert Edmonds ___ Please visit https://list

Re: Enable systemd hardening options for named

2018-01-15 Thread Robert Edmonds
bility to perform privileged binds at runtime. Or you could eliminate CAP_SYS_CHROOT and use other systemd functionality to make parts of the filesystem inaccessible, etc.) This pattern might be a bit hard to retrofit into BIND at this point, though, other than by adding more knobs. -- Robert Edmond

Re: Providing GeoIP information for servers

2017-05-12 Thread Robert Moskowitz
On 05/11/2017 10:46 AM, Timothe Litt wrote: On 10-May-17 17:50, John W. Blue wrote: >From the it-could-be-worse department: https://arstechnica.com/tech-policy/2016/08/kansas-couple-sues-ip-mapping-firm-for-turning-their-life-into-a-digital-hell/ I am more a fan of continental geolocation ac

Re: Providing GeoIP information for servers

2017-05-10 Thread Robert Moskowitz
On 05/10/2017 05:41 PM, Mark Andrews wrote: In message , Robert Mosko witz writes: I am kind of tired in my systems being reported as being in Plymouth MI instead of Oak Park MI. That is the best Comcast seems to be willing to do for where my IP addresses (which are static) reside. Is there

Providing GeoIP information for servers

2017-05-10 Thread Robert Moskowitz
I am kind of tired in my systems being reported as being in Plymouth MI instead of Oak Park MI. That is the best Comcast seems to be willing to do for where my IP addresses (which are static) reside. Is there anyway to provide location information for a server via DNS that would feed into Geo

SOLVED - Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Robert Moskowitz
File permission problems. On 02/09/2017 10:38 AM, Ray Bellis wrote: On 09/02/2017 15:32, Robert Moskowitz wrote: Now doing it 'right' and seeing: 09-Feb-2017 09:59:52.191 could not open file '/run/named/named.pid': Permission denied 09-Feb-2017 09:59:52.192 generating ses

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Robert Moskowitz
Strange.. On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Robert Moskowitz
On 02/09/2017 09:55 AM, Alan Clegg wrote: On 2/9/17 8:53 AM, Robert Moskowitz wrote: On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Robert Moskowitz
On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration work. I

Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Robert Moskowitz
On 02/09/2017 09:31 AM, Ray Bellis wrote: On 09/02/2017 14:28, Robert Moskowitz wrote: I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration work. I

Bind failing to start on new 9.9.4 server

2017-02-09 Thread Robert Moskowitz
I am migrating to Centos7 from Centos6. Going from Bind 9.8.2 to 9.9.4, I am building this on a new server. I currently do not have DNSSEC enabled, and not enabling it for the initial migration work. I have looked over changes in named.conf and believe I have made the necessary changes. My

Re: 9.11/dnstap on centos: fstrm

2016-12-02 Thread Robert Edmonds
is maintained by Farsight Security (https://www.farsightsecurity.com/) and the source code is available on GitHub: https://github.com/farsightsec/fstrm -- Robert Edmonds ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe

Re: semicolons in dig output

2016-11-04 Thread Robert Edmonds
is here: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=9a36fb86f5019f25705d25ea729d03fcf8ecaa95 -- Robert Edmonds

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Robert Edmonds
ations that use NAPTR. For DNS servers, NAPTR is > just a record it handles the way it does any other normal record, like > A or HINFO. Or the URI RR, which requires authoritative nameservers to know absolutely nothing about the encoding of URIs. -- Robert Edmonds _

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Robert Edmonds
re). But I don't see how you get from those marginal benefits to: DNS should have had regex-driven template engines (!) in authoritative nameservers from the beginning. -- Robert Edmonds ___ Please visit https://lists.isc.org/mailman/list

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Robert Edmonds
n templates in your nameserver. Knot DNS's "minimal viable product" implementation is ~300 SLOC and uses a hardcoded template. -- Robert Edmonds ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from th

Re: Question about dynamic IPv6-PTR-Generation

2016-08-26 Thread Robert Edmonds
s or making static PTR-entries? How does other > companies handle this issue? A very popular option is to only create or delegate IPv6 PTR entries for hosts with static address assignments, and to return NXDOMAIN for address space used for dynamic address assignm

RE: Delegation questions

2016-08-12 Thread Willmann, Robert
th" Have you ever seen a significant issue with this in real life? Some companies I forward queries to, even give back their answers with a TTL of zero - so there is not even a theoretical difference in the TTL between forwarding and other means of resolution in these cases. Mit fr

RE: Delegation questions

2016-08-11 Thread Willmann, Robert
t exactly went wrong. Do you see other downsides to forwarding? Kind regards, Robert Willmann -- Commerzbank AG Group Information Technology GS-IT 8.2.3 Core Services Postal address: 60261 Frankfurt am Main Office address: Mainzer Landstr. 151, 60327 Frankfurt am Main Tel.: +49 69

Re: ISC considering a change to the BIND open source license

2016-06-28 Thread Robert Edmonds
Victoria Risk wrote: > Hi Robert, > > > I don't think the MPL-2.0 has a "pay for an exception" clause, so this > > would seem to imply that you plan to dual license BIND, or license BIND > > under a modified license based on the MPL-2.0. Is that correct? &g

Re: ISC considering a change to the BIND open source license

2016-06-27 Thread Robert Edmonds
e, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ How does ISC then both a) Merge this contribution into the BIND mainline, and b) Sell a "pay for exception" version of BIND containing this contribution? -- Rob

Re: BIND started replying to queries for .com with .COM

2016-03-31 Thread Robert Edmonds
Tony Finch wrote: > Phil Mayers wrote: > > > > What is considered the source of the ownername for, say, "com."? > > It should be the root zone master file. Why not the com zone master file? -- Robert Edmonds ___ Ple

Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Robert Edmonds
fy(0, "READY=1");' once the daemon is ready to accept requests. -- Robert Edmonds

Re: ISC Responds to Customer Questions About CVE-2015-5745 (glibc buffer overflow vulnerability.)

2016-02-19 Thread Robert Edmonds
vice Switch (NSS). Static linking of glibc is not supported on Red Hat Enterprise Linux, but the potential breakage is nevertheless a reason to minimize changes in this area. [...] -- Robert Edmonds ___ Please visit https://lists.isc.o

Re: pre heat cache

2016-02-18 Thread Robert Edmonds
in DNS tree order, or could it be convinced to follow the LRU order? -- Robert Edmonds

Re: frequent queries to root servers

2016-01-26 Thread Robert Edmonds
ting output for messages having a 'query_zone' field set to the root label, which is a little less awkward and more future-proof than enumerating all of the root server addresses. -- Robert Edmonds ___ Please visit https://lists.isc.org/mailman/l

Re: Allow-Query=any

2016-01-07 Thread Robert Edmonds
mmunity. +1 -- Robert Edmonds

Re: How are DNS Records added dynamically in DNS Servers?

2015-09-08 Thread Robert Edmonds
ns2.msft.net. outlook.com.172800 IN NS ns4.msft.net. outlook.com.172800 IN NS ns1.msft.net. outlook.com.172800 IN NS ns3.msft.net. -- Robert Edmonds ___ Please visit https://lists.i

SOLVED - Re: Secondarying DLZ zones

2015-09-07 Thread Robert Moskowitz
At least the 'right' way with turning down the SOA TTL for the zone. This is one of the set it and forget it items (at least for me), and once I started reading finding enough articles on secondaries it was an oh yeah moment. On 09/07/2015 04:09 PM, Robert Moskowitz wrote: On the

Re: Secondarying DLZ zones

2015-09-07 Thread Robert Moskowitz
inful, especially for longer TTL values." Is there some way to get the secondary to check frequently, like once an hour? On 09/07/2015 03:12 PM, Robert Moskowitz wrote: It seems I have this working, but... I have a regular Centos7 Bind 9.9 server that I want to secondary a Samba AD (Also Centos7

Re: DNSSEC ZSK key rollover, why is my zone double signed?

2015-09-07 Thread Robert Senger
week ;) Thanks again, Robert On Monday, 07.09.2015 at 12:48 +0200, Holger Zuleger wrote: > On 05.09.2015 11:53, Robert Senger wrote: > > Hi all, > > > > I am having trouble with the DNSSEC ZSK rollover for one of my zones. > > Key rollover for all zones was sched

Secondarying DLZ zones

2015-09-07 Thread Robert Moskowitz
It seems I have this working, but... I have a regular Centos7 Bind 9.9 server that I want to secondary a Samba AD (Also Centos7) DLZ zone. On the DNS server (192.168.192.5) I have: zone "home.htt" { type slave; file "slaves/bak.home.htt";

DNSSEC ZSK key rollover, why is my zone double signed?

2015-09-05 Thread Robert Senger
any zone. Any hints what might have happened here? If you need more information, let me know (the logs only show not very helpful information). Cheers, Robert -- Robert Senger

Re: Installing bind is not very clear for me

2015-09-03 Thread Robert Moskowitz
On 09/03/2015 05:02 PM, Reindl Harald wrote: On 03.09.2015 at 22:59, Robert Moskowitz wrote: On 09/03/2015 04:35 PM, Leandro wrote: Ok ... I got BIND 9.10.2-P3 working. I compiled with ./configure --with-openssl --enable-threads --with-libxml2 --with-libjson make make install Json

Re: Installing bind is not very clear for me

2015-09-03 Thread Robert Moskowitz
2:40 PM, "bind-users-boun...@lists.isc.org on behalf of Robert Moskowitz" wrote: Ok On 09/03/2015 01:45 PM, Leandro wrote: Dear All: While installing bind still have not clear some issues: Im using Centos 6.6 since Im not very comfortable with Centos7 yet. My final goal is to

Re: Installing bind is not very clear for me

2015-09-03 Thread Robert Moskowitz
On 09/03/2015 01:45 PM, Leandro wrote: Dear All: While installing bind still have not clear some issues: Im using Centos 6.6 since Im not very comfortable with Centos7 yet. My final goal is to get an updated and stable version and also use json format for the statistics channel. 1) Some bin

Re: Solved - Re: A tale of two nameservers - resolution problems

2015-09-03 Thread Robert Moskowitz
On 09/03/2015 04:09 AM, Matus UHLAR - fantomas wrote: On 01.09.15 13:36, Robert Moskowitz wrote: On the Fedora-arm list I was told about systemd-timesyncd. Much better for these systems than chronyd which is suppose to be the replacement for ntpdate... chrony is replacement for ntpd (not

Final on - Re: A tale of two nameservers - resolution problems

2015-09-02 Thread Robert Moskowitz
is also systemd-timesync, but Fedora/redhat went the chrony route, and I got more help figuring it out. On to the next fun challenge. On 09/01/2015 12:16 PM, Sam Wilson wrote: In article , Robert Moskowitz wrote: I will be looking more into this. Obvious when you get ones nose dragged int

Solved - Re: A tale of two nameservers - resolution problems

2015-09-01 Thread Robert Moskowitz
On 09/01/2015 12:16 PM, Sam Wilson wrote: In article , Robert Moskowitz wrote: I will be looking more into this. Obvious when you get ones nose dragged into time wrong on boot. This is actually a broader problem on arm SoC booting. Your logs all have the wrong time for the boot

Re: A tale of two nameservers - resolution problems

2015-09-01 Thread Robert Moskowitz
On 09/01/2015 10:38 AM, Reindl Harald wrote: On 01.09.2015 at 16:28, John Miller wrote: On Tue, Sep 1, 2015 at 9:31 AM, Robert Moskowitz wrote: On 09/01/2015 09:20 AM, John Miller wrote: If you check pcap, logs, etc., is the server's following delegation for 0.centos.pool.nt

Re: A tale of two nameservers - resolution problems

2015-09-01 Thread Robert Moskowitz
On 09/01/2015 10:28 AM, John Miller wrote: On Tue, Sep 1, 2015 at 9:31 AM, Robert Moskowitz wrote: On 09/01/2015 09:20 AM, John Miller wrote: If you check pcap, logs, etc., is the server's following delegation for 0.centos.pool.ntp.org? Where do outbound packets stop? I don'

Re: A tale of two nameservers - resolution problems

2015-09-01 Thread Robert Moskowitz
On 09/01/2015 09:36 AM, Reindl Harald wrote: On 01.09.2015 at 15:31, Robert Moskowitz wrote: On 09/01/2015 09:20 AM, John Miller wrote: If you check pcap, logs, etc., is the server's following delegation for 0.centos.pool.ntp.org? Where do outbound packets stop? I don't believ

Re: A tale of two nameservers - resolution problems

2015-09-01 Thread Robert Moskowitz
esolving 0.centos.pool.ntp.org. So there is something about that resolution that does not like the early date. So I am caught in a time bind here! Is there anyway to get bind not to be particular about system time at first? John On Tue, Sep 1, 2015 at 9:09 AM, Robert Moskowitz wrote: I ha

A tale of two nameservers - resolution problems

2015-09-01 Thread Robert Moskowitz
I have one nameserver running bind 9.8.2 and a new one running 9.9.4. Both can resolve www.ietf.org Only the 9.8.2 can resolve 0.centos.pool.ntp.org I literally rsynced all the of the conf and zone files from the old to the new, then changed all of the server name references. I have done thi

Re: DNSSEC ZSK rollover

2015-08-29 Thread Robert Senger
Thanks, that's what I wanted to know. I'll leave it like it is now. Robert On Friday, 28.08.2015 at 21:24 +, Evan Hunt wrote: > On Fri, Aug 28, 2015 at 07:24:23PM +0200, Robert Senger wrote: > > Is that the intended behaviour, or do I miss a point to get the zones

DNSSEC ZSK rollover

2015-08-28 Thread Robert Senger
IXFR zone transfer to the secondary nameservers every time a RR is resigned. Is that the intended behaviour, or do I miss a point to get the zones resigned in one single action (and transfered with one single IXFR) rather than getting each RR resigned separately? C

Re: Identify source of "rndc reconfig" command?

2015-08-28 Thread Robert Senger
, Robert On Monday, 24.08.2015 at 23:01 +0200, Robert Senger wrote: > Hi all, > > after upgrading from Debian Wheezy to Jessie, bind9 receives "rndc > reconfig" commands every 30 minutes. I've never seen this before. Some > of my own scripts run "rndc restart/

Identify source of "rndc reconfig" command?

2015-08-24 Thread Robert Senger
nop,TS val 196636465 ecr 196636465], length 0 Is there a way to identify the source of these reconfig commands? It's really annoying as it messes up the log with 350 useless lines every 30 minutes. Thanks! Robert -- Robert Senger ___ Please

Re: Can I run two name servers on one host with two IP addresses?

2015-08-20 Thread Robert Senger
> > Best regards, > > -Tom

Re: dynamic update of split view acl

2015-02-28 Thread Robert Senger
you want to move a client's ip from one view to the other? Cheers, Robert On Saturday, 28.02.2015 at 04:27 -0800, Matt Calder wrote: > .57.0.0/24 is still matched > by view1. Is there any way to accomplish this? -- Robert Senger PGP/GPG Public Key ID: 24E78B5E

DNSSEC: validation with "dnssec-must-be-secure" AND "dnssec-lookaside" fails

2015-02-26 Thread Robert Senger
sec-must-be-secure" statements? I am running bind 9.8.4 on Debian. Cheers, Robert -- Robert Senger PGP/GPG Public Key ID: 24E78B5E
