I don't think tcpdump was installed by default with various versions of Debian
that I set up in the last few years for networking. I didn't bother to install
it, as its output is different enough (old fashioned?) from the sharks to be
annoying. It *was* installed with OpenSuSE 15.2 though. (Ope
..@lists.isc.org] On Behalf Of @lbutlr
Sent: Thursday, February 11, 2021 6:18 PM
To: bind-users
Subject: Re: Bind 9.11 serving up false answers for a single domain.
On 11 Feb 2021, at 16:38, John W. Blue via bind-users
wrote:
> I have found tshark to be useful as well but the failing it has is that it
> is generally not included in a unix OS distribution.
Is bind? I mean, I have to install a bunch of stuff right off on a new distro
just to get a useabl
0, 2021 10:37 PM
To: bind-users@lists.isc.org
Cc: John W. Blue
Subject: Re: Bind 9.11 serving up false answers for a single domain.
I rather prefer tshark to tcpdump: it's essentially the command line version of
wireshark, and thus has wireshark's protocol "dissecting" abilities.
Thanks! That was the response I was looking for. Much appreciated!
--
Ondřej Surý (He/Him)
ond...@isc.org
> On 11. 2. 2021, at 9:03, stuart@registry.godaddy wrote:
>
> Good to know.
>
> Will attach a task to our next KSK roll process. Should halve the
> number of SHA1 DS's in the root
Good to know.
Will attach a task to our next KSK roll process. Should halve the
number of SHA1 DS's in the root.
Will also tweak some of our other DNSSEC process documentation to stop
providing them.
Stuart
On 11/2/21, 6:49 pm, "bind-users on behalf of Ondřej Surý"
wrote:
Not
Original Message-
From: mailto:Stuart@registry.godaddy [mailto:Stuart@registry.godaddy]
Sent: Wednesday, February 10, 2021 7:20 PM
To: John W. Blue; bind-users
Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT)
Ah, SHA1 DS record or an RSASHA256 DNSKEY, yes.
Stu
> On 11. 2. 2021, at 7:01, Stuart@registry.godaddy wrote:
>
> It's one of those old compatibility things.
Also called *downgrade attack vector*.
Stuart, there’s absolutely no reason to keep any SHA1 in the DNS at the time I
am writing this message.
Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ond...
gistry.godaddy]
Sent: Wednesday, February 10, 2021 5:24 PM
To: John W. Blue; bind-users
Subject: Re: Bind 9.11 serving up false answers for a single domain.
(OT)
If you look closer, you’ll see that ‘us.’ is RSASHA256. ‘state.ma.us.’
however, is deleg
ddy [mailto:Stuart@registry.godaddy]
Sent: Wednesday, February 10, 2021 7:20 PM
To: John W. Blue; bind-users
Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT)
Ah, SHA1 DS record or an RSASHA256 DNSKEY, yes.
Stuart
On 11/2/21, 11:42 am, "bind-
I rather prefer tshark to tcpdump: it's essentially the command line version of
wireshark, and thus has wireshark's protocol "dissecting" abilities.
On Wed, 10 Feb 2021 22:20:08 +
"John W. Blue via bind-users" wrote:
> Three words: tcpdump and wireshark
>
> It is like peanut and jelly ..
SSEC for US TLD.
From: bind-users on behalf of "John W.
Blue via bind-users" Reply to: "John W. Blue"
Date: Thursday, 11 February 2021 at 9:21 am
To: bind-users
Subject: RE: Bind 9.11 serving up false answers for a single domain.
Notice: This email is
30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
-Original Message-
From: Stuart@registry.godaddy [mailto:Stuart@registry.godaddy]
Sent: Wednesday, February 10, 2021 5:24 PM
To: John W. Blue; bind-users
Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT
via bind-users"
Reply to: "John W. Blue"
Date: Thursday, 11 February 2021 at 9:21 am
To: bind-users
Subject: RE: Bind 9.11 serving up false answers for a single domain.
Notice: This email is from an external sender.
Three words: tcpdump and wireshark
It is like peanut a
...@lists.isc.org] On Behalf Of sami's
strat
Sent: Wednesday, February 10, 2021 11:54 AM
To: Mark Andrews
Cc: bind-users
Subject: Re: Bind 9.11 serving up false answers for a single domain.
Thank you all for responding. One final query about this. I'm seeing this
issue on my production servers at
Because they are connected at different points in the network and as such see
different network faults. The servers can all be working fine, it's the
connections between them that are not working.
--
Mark Andrews
> On 11 Feb 2021, at 04:54, sami's strat wrote:
>
>
> Thank you all for respo
Thank you all for responding. One final query about this. I'm seeing this
issue on my production servers at work. Yet, when I run the same queries
at home, I don't see those failed queries. I actually flushed DNS cache,
cleared Linux O/S cache, and even bounced my personal DNS server trying to
r
Run ‘dig +trace +all internet-dns1.state.ma.us’ which will show you the glue
records then try ‘dig +dnssec +norec internet-dns1.state.ma.us @’ for
all the addresses in the glue records.
e.g.
dig +dnssec +norec internet-dns1.state.ma.us @146.243.122.17
Mark
> On 10 Feb 2021, at 14:50, sam
Do you know about mxtoolbox.com? It (and other similar sites) does a good job
of diagnosing DNS-related problems. I use it now and then to check out my own
sites, as it gives a "second opinion".
In particular its "DNS Lookup" function reported the following for
"internet-dns1.state.ma.us"
Ty
Thanks Mark.
However, the traceroute to the hostname failed for the same reason.
Please note:
[root@myhost data]# dig internet-dns1.state.ma.us
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, s
Well you could try tracing the addresses of the nameservers for which
there were errors reported. It could be as simple as a routing issue
between you and these servers.
> On 10 Feb 2021, at 13:25, sami's strat wrote:
>
> couldn't get address for 'internet-dns1.state.ma.us': not found
> couldn
I'm running BIND 9.11 on a CentOS 7 VM. BIND is giving me the wrong answer
for a single domain. I've cleared cache, restarted BIND, restarted the
server, and ensured that I don't have the referenced domain anywhere in my
configuration hardcoded.
Please note the following query:
[root@myhost ~]