On Monday, July 7, 2025 1:54:41 AM CEST Bagas Sanjaya wrote:
> That override won't persist across reboots, though, in my case (I'm using
> NetworkManager).
>
> Thanks.
...--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this
e proven wrong, but this sure seems like just PEBKAC. If not
there, sure maybe here. Prove it.
--
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
Activisme is pas nuttig, wanneer het kan bereiken wat het wenst te bereiken,
binnen de limieten van het huidige systeem. De res
On Sunday, July 6, 2025 4:40:37 AM CEST Michael De Roover wrote:
> Omit 127.0.0.53, like so:
>
> options {
> listen-on {
> 192.168.0.155;
> };
> };
>
> Works fine for me using IP addresses 192.168.10.{4-6}, on Alpine edge. You
> can keep
#x27;s move on.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
Activisme is pas nuttig, wanneer het kan bereiken wat het wenst te bereiken,
binnen de limieten van het huidige systeem. De rest is geschiedenis.
-- v...@workstation.vm.ideapad.la
};
};
Works fine for me using IP addresses 192.168.10.(4-6}, on Alpine edge. You can
keep v6 none. One of the more basic options that's expected to be stable
across all distributions regardless.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.e
der "chaos engineering".
>
> Dnstap offers application-level logging (DNS is an application protocol
> along with a wire protocol) and you can combine that with e.g. fail2ban
> and/or RPZ, or other things if it keeps you up at night and you like
> picking the legs of
hat software in the first place. Which in itself is a multifaceted
policy question.
(Apologies if this is to be sent twice, I was working on my mail servers as I
wrote this message.)
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visi
hat software in the first place. Which in itself is a multifaceted
policy question.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the develop
Crist Clark wrote:
> Tired of looking at the log messages warning me that inline-signing
> will be the default in 9.20. I want to convert my 9.18 to using
> inline-signing. Right now all of the zones use dnssec-policy and are
> dynamic.
My experience was that it was best to do bu
Preposterous. PREPOSTEROUS!!!
Expect no meaningful response other than that, not from here. Such a high horse
mentality, utterly diabolical!
Michael De Roover
> On 16 May 2025, at 03:53, akritrim® Intelligence™
> wrote:
>
> i didn’t receive your reply but saw this on list
On Saturday, 10 May 2025 01:35:28 CEST Greg Choules via bind-users wrote:
> Third, use tcpdump to capture port 53. Do this to a file, then look at it
> offline in Wireshark. (Michael just beat me to that tip). Check how queries
> are arriving into BIND and what it does with them. Particul
On Saturday, 10 May 2025 01:18:17 CEST Michael De Roover wrote:
[...]
I do remember writing a reply that got lost while drafting my previous email,
but I don't remember what exactly it is. I do, however, remember its contents,
somewhat. I'll just rewrite it in reply to.. this, I gues
e .default-zones file is
> commented out.
>
> If you need other info about my configuration and setup, please feel
> free to ask and I'll do my best to provide it.
>
> Thank you all so much and I look forward to learning from you.
>
> Regards,
> Arnold
--
Met vr
Ondřej Surý wrote:
>> dig +short +nsid version.bind. txt ch @dns4.p08.nsone.net
> This needs to be this: ^^^
p> You missed @ and thus you asked your local resolver.
Yes, you are right. Bad on me
I actually have a script that does this, but I transcribed it for posting.
I get:
obiwan-
Rob McEwen via bind-users wrote:
> I strongly suspect that this was caused (even if indirectly?) by the
MASSIVE
> and many-hours-long power outages in Europe, mainly in Spain and
> Portugal. That started on April 28, 2025, at approximately 6:33 a.m.
Eastern
> Time (ET) - and the
_.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
> Vincent S. Cojot, Computer Engineering. STEP project.
_.,-*~'`^`'~*-,._.,-*~
> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
_.,-*~'`^`'~*-,.
Bonjour!
Elbows Up.
--
Michael Richardson. o O ( IPv6 IøT c
x27;t going to like
customers who act like that. Those are paid to help you and to be nice to you,
yes, but don't be surprised if it diminishes the quality of the help you are
to receive.
Do consider it, in any case.
N.B.: A trademark office allowed you to get a trademark o
Same here, A returns 147.75.40.150 while returns nothing. MX has records
to Microsoft, as
addressed by Sten.
My chain is recursive to Cloudflare from vantage points at Hetzner, and from
there follows the
usual public chain.
*v...@ideapad.lan* [*~*]
$ dig vodafone.com
; <<>> DiG 9
xmagic.com (fallback)
168.119.103.78 (/32)
AS24940 (Hetzner)
Falkenstein, Germany
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org--- Begin Message ---
This is the mail system at host nixmagic.com.
I'm sorry to have to inform you that your messa
Hi Peter, I really appreciate this discourse too. With what's happening in the
world now
and with this particular executive order affecting even something as niche as
DNS, I like
how it offers a vessel to have this public discussion.
On Tuesday, April 8, 2025 7:40:44 PM CEST Peter 'PMc' Much w
somewhat inaccurate in retrospect, but.. oh well.
Benefit of hindsight I guess. It worked at the time, so back then it should've
been good enough. Either way, I'm glad that such Expert Groups exist. If they
can offer advisory to the politicians themselves and bicker among each other t
On Wednesday, March 19, 2025 4:05:29 PM CET you wrote:
> Michael,
>
> you can hardly create a static list from all of the domains that can
> possibly exists.
>
> I do understand the usefulness of dynamic classification.
>
> There’s just not a straightforward interface f
in general, the gateway or
a forward proxy server may be able to give better results (but encrypted
traffic
would be a pain to deal with).
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-
Negative cache TTL 1 minute
IN NS LOCALHOST.
; Examples
example.net IN CNAME localhost.
Note that the public domain name records to be redirected via RPZ cannot have a
trailing
dot.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
o the operator of this network has decided to add a second DNS
server."
Your work on the ARM is amazing Suzanne, and indeed we/they are :)
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
[1] https://www.ietf.org/rfc/rfc9103
Brett Delmage via bind-users wrote:
> Specifically for me now that's the query log including the flags. But it
> could be other log files too at times. I am running DNSSEC and primary,
> secondary, and internal resolving servers so many logs are of interest at
> different times.
I
ant here, but it's about as much
head-scratching as I can partake in right now. Pretty much just shooting in
the dark I suppose.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-user
There is also https://www.rfc-editor.org/info/rfc9632.
This document specifies how to augment the Routing Policy Specification
Language (RPSL) inetnum: class to refer specifically to geofeed
comma-separated values (CSV) data files and describes an optional scheme that
uses the Resource Pub
deo about that.
https://www.youtube.com/watch?v=vh6zanS_epw[1]
(Long story short, it's MaxMind's secret sauce and therefore a trade secret)
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
[1] https://www.youtube.com/watch?v=vh
regardless, which uh... I don't want to even entertain the idea of for
my business, thank you very much!
Business here, personal there. Overlap yes, but only up to a point.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https
On Tuesday, February 18, 2025 10:06:35 PM CET Peter 'PMc' Much wrote:
> On Tue, Feb 18, 2025 at 09:51:51PM +0100, Michael De Roover wrote:
> ! On Tuesday, February 18, 2025 9:38:58 PM CET Peter 'PMc' Much wrote:
> ! > Then they make a business of selling my own info
On Tuesday, February 18, 2025 8:48:15 PM CET Michael De Roover wrote:
> I find it a shame that this record is no longer in use. GeoIP is anything
> but accurate, and GPS data is not reasonable to request from servers. Not
> like you can just hook up a GPS receiver to a VPS. Even from i
eir API is. ipinfo.io has
been good for a long time, but their commercialization efforts made me look
elsewhere. That's how iplist.cc came to be in this guy's operations.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://list
in your
environment and why. Then progressively address them as they happen. Helps to
establish rationale for what you build and why.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-users t
heart).
As with everything engineering, I suppose it's a variety of compromises.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
[1] https://www.youtube.com/watch?v=6bicunweBAQ
--
Visit https://lists.isc.org/mailman/listinfo/
r option you choose in the end, I wish you good luck :)
Best regards,
Michael
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/
be a physical
limit. Perhaps it's possible to mitigate this with hostapd voodoo, but I have
yet to master that myself.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubs
On Sunday, February 9, 2025 12:54:53 PM CET Michael De Roover wrote:
> Perhaps this would be as good of an email as any to express that I once
> walked the corridors with this teacher-
Not sure to which extent this will be necessary, but by this I meant my own
teacher Gitte. I should
any
peers leave after the first month because they thought it was little more than
LAN parties. That is _not_ what this field is about! It's about network
engineering first, entertainment four-hundred-and-fifteenth!
Anyway, (forwarded) rants aside.. that's what it&#x
lding, alongside burnt libraries),
perhaps we
are now in an ideal position to come back to this issue with the benefit of
hindsight. I for
one look forward to seeing what people from various parts of the world have to
say about
it.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagi
ondary. How ironic that this is probably the
most suitable term here.
Long story short, context matters. Paul Vixie made the context pretty clear,
as an authoritative figure. Perhaps we were mistaken to tie slavery into this
discussion in the first place. Or perhaps the designers at the time were
mist
ve seen a lot
in both tablets and laptops, and that kind of hostile engineering is something
I strongly object to. Heh, maybe I should just go ahead and do that myself
too. Electronics, sysadmin, development... shit never ends, does it.
--
Met vriendelijke groet,
Michael De Roover
Mail: i..
.##;
192.168.##.##;
};
// Masters
// Source: https://www.zytrax.com/books/dns/ch7/masters.html
masters satellite {
192.168.##.#;
};
Hope this helps.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://lists.isc.org/mailman/li
r everything else. Additionally,
this is separated into 3 servers for the network I'm thinking of.. with 1
master and 2 slaves. It's really just a matter of slicing. Your given server
can certainly be a master for one slice, and a slave for another.
--
Met vriendelijke gr
f that is an undesirable status quo, then perhaps the matter of
actual collaboration is what deserves foreground attention.
For a long time, I've considered the IETF's standards in particular, to be the
"laws of the internet". Perhaps it wouldn't be a bad idea to
On Wednesday, 29 January 2025 11:40:50 CET Michael De Roover wrote:
> Granted, for my own domains, doing zone transfers in plain TLS over a VPN
> connection like WireGuard has never failed me either.
TCP, I meant TCP! Goodness gracious, doing an all-nighter was not a good idea.
-
On Wednesday, 29 January 2025 11:07:51 CET Stephen Farrell wrote:
> Hiya,
>
> On 29/01/2025 02:58, Michael De Roover wrote:
>
> > I appreciate the confirmation of this being about DoT/DoH
>
>
> Do we have any opinions as to whether the document (which
> I've
the Council) too, but they tend to separate
that into their press releases. It's interesting to be able to peek behind the
curtains at how each of these world-leading governments approaches this PR
matter.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: micha
to make? If
so, to what extent? And if authenticity is to be enforced from those with
authoritative servers, to circumvent that problem if identified as such,
wouldn't that just move the ball for ISP's to employ more intrusive methods to
comply with the law?
--
Met vriendelijke
If it doesn't work without docker, then it probably won't work with Docker.
Probably all the clue you need is in the log files. Did you read them?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works
1. I assume example.com is signed.
2. I don't understand why you can't just remove the NS records and fold the
foo.bar.example.com data in.
3. After some interval of TTL, you can delete the DS records.
If bar.example.com is served by the same server (I assume not: because if it
was, why would
Thanks!
This did the trick for me, once I built the missing zone and got the DS records
in the correct spots everything is now reporting green.
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.-Original Message-
From: Mark Andrews
Sent: Wednesday
file "reverse/2607.d600.9000.300.rev";
dnssec-policy itc-no-rotate;
inline-signing yes;
};
Any idea on what I need to do to resolve this issue?
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
P
Bowie Bailey via bind-users wrote:
> The first issue is that my server uses a few views to give different IPs
> based on which network the request comes from. I found that if I point
the
> zones in the different views to the same key directory, there are no
errors
> and all vie
On Tuesday, August 27th, 2024 at 4:21 AM, Ondřej Surý wrote:
> the Docker images have been updated to use Alpine Linux as the base image
> and the bind9 binaries are now compiled from the source while building the
> Docker images. This is more in-line with the expected Docker (Podman)
> workfl
ng that you should upgrade).
> How can we ensure that this is a network-level issue?
Through standard network troubleshooting techniques, such as packet captures
and firewall log inspection. Beyond that, you'll need to inquire elsewhere, as
I indicated at the top of this message, as this is a list abo
>> Hello Michael
>> Thank you for your response. Here is a pcap file and some logs.
>
> Hello Sami,
>
> Your pcap shows your resolver making thousands of queries that get
> no responses (or at least the pcap does not contain them). There's
> not much I can say,
> Hello Michael
> Thank you for your response. Here is a pcap file and some logs.
Hello Sami,
Your pcap shows your resolver making thousands of queries that get no responses
(or at least the pcap does not contain them). There's not much I can say,
beyond that this does not app
> Yes, sure. I grabbed three typical cases to analyze further, and
> currently trying to understand the proceedings - unsuccessfully, up
> to now. :(
>
> Case 1:
> ---
> Jun 19 17:42:12 conr named[24481]: lame-servers:
>info: success resolving '26.191.165.185.in-addr.arpa/PTR'
>
Mark Andrews wrote:
> Named and nsupdate validate input for types they know about (both text
> and wire). You would have to use versions that are not HTTPS aware and
> use unknown type format.
So, he could code it in Perl or Python or something which had a dynamic DNS
library. Bind
along with the BIND log segment which contains the
failed queries.
Michael Batchelder
ISC Support
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.
ation to reflect that:
> https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9092/diffs
>
> Petr Špaček
> Internet Systems Consortium
>
> On 06. 06. 24 21:01, Michael Paoli via bind-users wrote:
> > Ah, thanks!
> >
> > Yeah, that's what I
isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf
>
> On Thu, Jun 6, 2024 at 8:19 AM Michael Paoli via bind-users
> wrote:
>>
>> dnssec-policy default - where/how to determine what all its settings are?
>> Documentation
>> doc/bind9-do
dnssec-policy default - where/how to determine what all its settings are?
Documentation
doc/bind9-doc/arm/reference.html#dnssec-policy-default
https://bind9.readthedocs.io/en/v9.18.27/reference.html#dnssec-policy-default
says:
A verbose copy of this policy may be found in the source tree, in the
fi
Thomas,
I just incorrectly wrote:
> So at minimum add "icmp and arp" to your filter expression.
I did not mean to use the logical "and". Your minimum filter should be
something like:
"src port 53 or icmp or arp"
Sorry for the confusion,
Michael
limit the amount of
information you provide to those who are trying to help you or make them infer
information. It's fine to mention only certain packets in an email, but put the
full packet capture on a public resource somewhere accessible.
Michael Batchelder
ISC Support
--
Visit https:
(or some level of
failure in between all queries and the ones for that one domain)? And at that
time, can you successfully query from the same system using a public resolver
(e.g. "dig @9.9.9.9 s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es TXT")?
And do you have BIND's
Matthijs Mekking wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick are correct.
Cool.
> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.
Is there a way
actices. (It also provides
some level of job security :-D.)
But in this case, I think the BIND developers did a good job ensuring
there was a way to create policies that integrate well with
key-management regimes external to BIND.
michael
--
Visit https://lists.isc.org/mailman/listinfo/b
https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors). As it
is, I was too focused on finding a problem with defining a key at all.
Maybe pointing out this would be an acceptable issue...
Thanks again!
- Michael
Am 17.01.24 um 18:26 schrieb Anand Buddhdev:
On 17/01/2024 18:18, Michael
6.42/reference.html#key-statement-definition-and-usage>.
It is defined globally and should be available in all views (and the
output from tsig-list confirms this).
As this has been rejected as an error within minutes
(https://gitlab.isc.org/isc-projects/bind9/-/issues/4539) it must be a
user error.
Greg Choules via bind-users wrote:
> What would be better (IMHO) is for you to keep "example.com" as your
> external zone in an external (hopefully in a DMZ) primary server,
> serving the world with public addresses they need to reach, and
> internally create a new zone - "interna
Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
configurations. They were great ideas in 1993, when all sites were concave,
but that's just not the case anymore.
Instead, I recommend having a sub-zone, "internal.example.com", or some other
convenient name. Put a zo
, but it will take a large company to push them to do so.
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
From: bind-users On Behalf Of Paul Stead
Sent: Saturday, October 28, 2023 11:35 AM
Cc: bind-users@lists.isc.org
Subject: Re: 9.18 BIND not iterated
7#53(2607:d600:9000:330:75:102:160:227)
;; WHEN: Fri Oct 27 09:56:31 CDT 2023
;; MSG SIZE rcvd: 125
[root@brkr-dns2 bind-9.18.12]#
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael
lves the problem if interactive. Cron running a week
later usually works)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works| network architect [
] m...@sandelman.ca http://www.sandelman.ca/
In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand. I see that you are doing manual DNSSEC signing in your
cron job.
Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
in bind9.
b) do your DNSSEC signing
Silva Carlos wrote:
> On server A I configured HyperLocal. On Server B I did NOT configure
> HyperLocal.
> I ran the command "dig @localhost EXAMPLES" on both servers.
> EXAMPLES: blabla.sdf.dd or teste.com.eroterrter or world.nanana
> Problem: Both Servers report that "Quer
e Question section empty."
There are some older implementations out there that don't do this
correctly. I have a vendor supported IPAM implementation, where I have
gone back to the vendor and quoted the above, and they have fixed the
implementation.
michael
On 8/31/23 17:34, Ian Bobb
Mark Andrews wrote:
> where wrong and wouldn’t normally be that way. Something or someone
> changed them. It may have happened again. We can’t see what you see
And, AppArmor can turn things into permission denied, which are rather
mysterious. So, I'd ask for dmesg output too.
sign
itctel.com.zone.jbk /var/named/forward/itctel.com.zone.new
/var/named/forward/itctel.com.zone.signed.jnl
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martin...@itccoop.com
www.itc-w
};
};
My apologies for not double-checking earlier, but I think this should be
everything.
--
Met vriendelijke groet / Best regards,
Michael De Roover
signature.asc
Description: This is a digitally signed message part.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
e, not
the actual
domain on the internet. The only major issue I've been facing with this so far,
is that AXFR
to secondary and tertiary name servers has some issues, and at least Windows 10
Home
will query those when the primary name server does not give a satisfactory
answer.
--
Met v
m...@at.encryp.ch wrote:
> Regarding the usage of [::] - due to usage of firewall I am able to
> block connections to the 53/udp and 53/tcp which are not coming to
> specific IP addresses or ranges, I do not need such filtering
> functionality within bind itself.
Bind doesn't list
Serg via bind-users wrote:
> As an alternative approach I have tried to run with a configuration
> "listen-on-v6 { any; }", but it does behave in a way I need - it binds
> separate socket for each discovered IP address rather wildcard address
> of [::].
Bind needs to bind a new s
Mike Lieberman wrote:
> The newer router blocks my local BIND servers (ONLY not clients using
> downstream servers) from receiving anything from the Internet. OUR BIND
> servers still have the local networks, but nothing else.
Your explanation is rather obtuse, but I think you mean t
Can you share a bit about why you want to get out of using
opendnssec/openhsm?
I would regard this as an opportunity to test key rollover with your parent
zone :-)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works
John Thurston wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;" When I look
in
> the resulting log file, I'm guessing that lines like this:
> validating com/SOA: got insecure respon
E R wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited. I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available. While reading the DN
r, president
Montague WebWorks
20 River Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION
On 1/7/2023 6:24 PM, G.W. Haywood via bind-users wrote:
Hi there,
On Sat, 7 Jan 2023, Michael Muller wrote:
This is my first time posting here, and I'm not sure if i
Hello everyone,
This is my first time posting here, and I'm not sure if it's the right
place or not to ask my question. This is a general DNS question,
specifically, I think, SPF.
(Btw, I do use Bind in my system, so that's why I'm here.)
I host email using SmarterMail, and all 400+ customer
On Thu, 2022-12-22 at 05:19 +, Michael De Roover wrote:
> Hello,
>
> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I
>
ed information disclosure, hence
my curiosity. If it is at all possible to mitigate, I would of course
also appreciate discourse on this matter. Thank you!
[1] https://subdomainfinder.c99.nl
[2] https://criminalip.io/domain
Best regards,
Michael
--
Visit https://lists.isc.org/mailman/listinfo/bind-users
Havard Eidnes via bind-users wrote:
>To "fill" an ip6.arpa zone for a /64 requires 18446744073709551616
> records (yes, that's about 18 x 10^18 if my math isn't off). I predict
> you do not posess a machine capable of running BIND with that many
> records loaded -- I know we
ts are set according to
algorithm and usage (ZSK or KSK)
[1] https://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/
Thanks again for your time to read this email, and for your insights.
--
Met vriendelijke groet / Best regards,
Michael De Roover
--
Visit https://lis
s/ch7/xfer.html
Thank you so much for taking your time to read this, and thanks in advance for
any insights.
--
Met vriendelijke groet / Best regards,
Michael De Roover
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this
ore complicated.
Regarding the legitimate queries, it would be prudent to allow common
recursors (Google, Cloudflare, Quad9 etc) to have exceptions to this
rule. Just allow their IP addresses to send traffic either
unrestricted, or using a more relaxed version of the above.
HTH,
Michael
On Tue, 2
Philip Prindeville wrote:
> What do I need to do on both ends (remote DHCP server and central DNS
> server) to push updates over?
Your list is pretty accurate.
One thing that bites me regularly is that names of the TSIG keys matters, and
that if you have a trailing . in the key name, it
I found this message:
May 8 16:41:18 tilapia named[1268]: zone ox.org/IN:
zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
It would be great if it could tell me the file name that failed to write, and
ideally what the error was (EPERM is my guess, but there could also be
and I don't have a CDS published.
So what happened? I shall troll my logs and see what else I can find out,
but there sure is a lot of stuff going on. Maybe lots of flotsam from my
previous situation that needs to expunged.
--
] Never tell me the odds!
1 - 100 of 505 matches
Mail list logo
