With the deprecation of "max-zone-ttl" coming soon, noting comments about it
being moved to the dnssec-policy statements, how can we stop an upstream zone
from accepting a dynamic update with a TTL out of range?
Basic situation:
- Primary zone server, no DNSSEC policies
- Prima
Hello Evan and Petr!
Thanks for the details.
Klaus
> -Original Message-
> From: Evan Hunt
> Sent: Thursday, January 9, 2025 7:32 PM
> To: Klaus Darilion
> Cc: Greg Choules via bind-users
> Subject: Re: Binary zone file and journal compatibility between Bind9 version
On Thu, Jan 09, 2025 at 11:40:33AM +, Klaus Darilion via bind-users wrote:
> For testing I often up- and downgrade Bind versions, i.e. between 9.18,
> 9.20 and 9.21. I wonder how stable the binary zone file format and
> journal file format is, and if there are changes in the binary f
On 09. 01. 25 12:40, Klaus Darilion via bind-users wrote:
Hello!
For testing I often up- and downgrade Bind versions, i.e. between 9.18,
9.20 and 9.21. I wonder how stable the binary zone file format and
journal file format is, and if there are changes in the binary format,
if Bind would
Hello!
For testing I often up- and downgrade Bind versions, i.e. between 9.18, 9.20 and
9.21. I wonder how stable the binary zone file format and journal file format
is, and if there are changes in the binary format, if Bind would detect that
and behave properly.
I am concerned about zones
A quick follow-up for posterity, this was resolved by manually editing
the bind 9.18 zone files and removing all DNSSEC records.
On 2024-10-22 9:57 p.m., Paul Galbraith wrote:
I am getting this error with bind 9.20.2, when trying to delete an
record with nsupdate on the same host. Using
.2.11 to
serve internal.exmaple.com ...".
According to the config shown (changing "example.net" to "example.com" and
assuming you meant "example" instead of "exmaple") I think there are four
actions that could happen, depending on the QNAME. Firstly I
. Let's say the DMZ is 10.0.1.0/24 and for a laugh,
> let's imagine it's routable via the Interwebs. Let's say the internal
> zone is 10.0.2.0/24 and it is not Internet routable.
>
> Let's say that .com has NS recording point example.com to 10.0.1.10 and
Folks,
I have a domain "exmaple.com" and two subdomains, tied to two subnets
behind an ADSL line. Let's say dmz.exmaple.com and
internal.exmaple.com. Let's say the DMZ is 10.0.1.0/24 and for a laugh,
let's imagine it's routable via the Interwebs. Let's say th
On 25. 11. 24 10:24, Klaus Darilion via bind-users wrote:
Hi!
Sometimes it is hard to grep the logs for a certain zone, as sometimes
the zone name is within single quotation marks, sometimes not. For example:
zone at/IN: Transfer started.
transfer of 'at/IN' from ...
Hi!
Sometimes it is hard to grep the logs for a certain zone, as sometimes the zone
name is within single quotation marks, sometimes not. For example:
zone at/IN: Transfer started.
transfer of 'at/IN' from ...
zone at/IN: transferred ...
transfer of 'at/IN' from ...
tran
Thank you so much for the detailed explanation!
Wish you all a great weekend.
Kind regards
David Carvalho
-Original Message-
From: Mark Andrews
Sent: 21 November 2024 22:23
To: David Carvalho
Cc: bind-users
Subject: Re: Simple question - trailing "." in zone file
The final
The final period is a way of differentiating relative and absolute domain names.
In zone files there is the $ORIGIN value (defaults to the zone name) that names
are
relative to. This is there to reduce the amount of typing people have to do
when
entering records. To enter a name that doesn’t
On Thu, Nov 21, 2024 at 12:45 PM David Carvalho via bind-users <
bind-users@lists.isc.org> wrote:
> Hi!
>
> Sorry for this “beginner” question. If I knew this before, then I
> completely forgot.
>
> I know a “.” inside a zone file can be used to define top level en
Hi!
Sorry for this "beginner" question. If I knew this before, then I completely
forgot.
I know a "." inside a zone file can be used to define top level entry. If a
record entry doesn't have it, it gets itself along with the domain name.
Today I was comparing my master
>view inside {
>
> match-clients {
>key local-ddns;
>inside-nets; # includes localhost
> };
> allow-query {
>... includes localhost
> };
> allow-transfer {
>... includes localhost
> };
> also-notify {
>notify-hosts;
first
view inside {
match-clients {
key local-ddns;
inside-nets; # includes localhost
};
allow-query {
... includes localhost
};
allow-transfer {
... includes localhost
};
also-notify {
notify-hosts;
};
notify explicit;
...
zone "example.com" in
Thanks!
This did the trick for me, once I built the missing zone and got the DS records
in the correct spots everything is now reporting green.
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
-Original Message-
From: Mark Andrews
Sent: Wednesday
Create the zone 0.0.6.d.7.0.6.2.ip6.arpa and delegate
3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa from it.
The ARIN servers delegate 0.0.6.d.7.0.6.2.ip6.arpa to ns1.itctel.com and
ns2.itctel.com which are
not configured to serve it or they have an overly restrictive ACL (it should be
open to the world
working fine and without error. This is our
first reverse zone. I am currently using the same policy as the forward zone,
but if necessary can create a separate policy for the reverse zone.
When I query
https://dnssec-debugger.verisignlabs.com/3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa
it looks like
I am getting this error with bind 9.20.2, when trying to delete an
record with nsupdate on the same host. Using rndc on the host to sign
the zone seems to work fine, so I'm quite confused. Is there any way to
get more detail about these "zone keys" that named "could n
second issue is that I have multiple zones that all point
to the
same file since those domains all go to the same set of
servers. Right
now, I am using the same zone file for all of them. This works
fine
currently, but when I try to enable DNSSEC for those domains, I
get an
that might come up with
this setup?
I think this will work because the key files include the zone name,
so they will be unique.
I've been doing the same for years and never had any issues.
Good to know.
The second issue is that I have multiple zones that all point to
the
> and all views return the same keys when I test with dig. So this appears
to
> work. Are there any gotchas that might come up with this setup?
I'm not sure how you are doing these tailored replies if they all have the
same zone file. But, maybe a good idea would be to mak
You can’t do this. The signatures are unique per zone and thus the files need
to be unique as well. Just write a small provisioning on your side that
duplicates the files.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
th dig.
So this
appears to work. Are there any gotchas that might come up with
this setup?
I think this will work because the key files include the zone name,
so they will be unique.
I've been doing the same for years and never had any issues.
The second issue is that I have mult
the request comes from. I found that if I point
>> the zones in the different views to the same key directory, there are no
>> errors and all views return the same keys when I test with dig. So this
>> appears to work. Are there any gotchas that might come up with this setup?
>
ver uses a few views to give different IPs
>>> based on which network the request comes from. I found that if I point
>>> the zones in the different views to the same key directory, there are no
>>> errors and all views return the same keys when I test with dig. So
t might come up with
this setup?
I think this will work because the key files include the zone name, so
they will be unique.
The second issue is that I have multiple zones that all point to the
same file since those domains all go to the same set of servers.
Right
now, I am usin
with this setup?
>
I think this will work because the key files include the zone name, so they
will be unique.
>
> The second issue is that I have multiple zones that all point to the
> same file since those domains all go to the same set of servers. Right
> now, I am using the
ght
now, I am using the same zone file for all of them. This works fine
currently, but when I try to enable DNSSEC for those domains, I get an
error "writable file ... already in use". The simple answer would be to
make a unique file for each zone, however I would rather keep a s
> On 4 Oct 2024, at 10:43, 大浦 義 wrote:
>
> Are searches from one authoritative zone to another authoritative zone using
> cname no longer allowed?
It is pointless to follow CNAMEs when returning non recursive (RA=0) responses
as recursive servers throw the rest of the resp
If you want it to chase down the CNAME target data from another zone,
you're asking for recursion, not authoritative-only, so those results make
perfect sense.
Think of it this way. The fact both zones happen to be served by the same
name server is irrelevant. You should get the
Are searches from one authoritative zone to another authoritative zone using
cname no longer allowed?
/etc/named.conf
acl "local" {
xxx.xxx.xxx.xxx; 127.0.0.1;
};
・
・
・
allow-recursion { local; };
--
Client xxx.xxx.xxx.xxx→9.9.4:OK 9.9.18:OK
Client yyy.yyy.yyy.yyy(not i
MSG SIZE rcvd: 89
-Original Message-
From: bind-users On Behalf Of Matus UHLAR -
fantomas
Sent: Thursday, October 3, 2024 6:50 PM
To: bind-users@lists.isc.org
Subject: Re: Referencing by cname from one authoritative zone to another
authoritative zone
On 03.10.24 09:21, 大浦 義 wrote:
These are authoritative servers and the other domain is out of bailiwick, see
minimal-responses:
https://bind9.readthedocs.io/en/v9.18.30/reference.html#namedconf-statement-minimal-responses
Anyway any extra records are going to be thrown away by any DNS resolver
following the protocol,
so ther
. 3600IN CNAME ns2.bbb.co.jp.
Now do:
dig @ns1-2024.bbb.co.jp ns2.bbb.co.jp.
what records does ns2.bbb.co.jp. have on ns1-2024.bbb.co.jp ?
On 03.10.24 08:40, 大浦 義 wrote:
Referencing by cname from one authoritative zone to another authoritative zone
may not work properly
Oct 03 18:16:36 JST 2024
;; MSG SIZE rcvd: 103
-Original Message-
From: bind-users On Behalf Of Matus UHLAR -
fantomas
Sent: Thursday, October 3, 2024 5:58 PM
To: bind-users@lists.isc.org
Subject: Re: Referencing by cname from one authoritative zone to another
authoritative zone
On 03.10
On 03.10.24 08:40, 大浦 義 wrote:
Referencing by cname from one authoritative zone to another authoritative zone
may not work properly depending on the version.
Is this due to a specification change? Is there a way to handle this?
I am running nslookup from a client that is not included in acl
Dear All
Referencing by cname from one authoritative zone to another authoritative zone
may not work properly depending on the version.
Is this due to a specification change? Is there a way to handle this?
I am running nslookup from a client that is not included in acl respectively.
I would
This is probably overblown:
On Mon, 23 Sep 2024, Lars Kollstedt wrote:
[...]
since the discovery of the real name of text.example.com (if this is
requestable from unvalidated source IP addresses - almost any source IP
address in
the "internet" has to be considered unvalidated - since there is
On 23.09.24 10:23, I wrote:
The attacker just needs to send requests for text.example.com IN TXT with the
forged IP of the victim, and the victim will get your hundreds of TXT records
under this name from your server for each of them.
s/forged/faked/g
;-)
--
Lars Kollstedt
Telefon: +49 61
d-users"
Sent: Monday, 23 September, 2024 07:48:32
Subject: Assistance Needed: "Too Many Records" Error When Reloading Zone
`example.com`, BIND: 9.18.29
Hi BIND Community,
[...]
*`general.log` Output:*
23-Sep-2024 10:33:48.625 general: info: received control channel comm
On 23. 09. 24 8:07, Peter Davies wrote:
*Additional Information:*
- Zone File Structure: The zone file contains a high number of TXT
records, particularly for infrastructure asset IDs.
*Request for Assistance:*
1. _Understanding the Limit:_ Is there a configurable limit in BIND that
ypes-per-name
/Peter
From: "Nagesh Thati"
To: "bind-users"
Sent: Monday, 23 September, 2024 07:48:32
Subject: Assistance Needed: "Too Many Records" Error When Reloading Zone
`example.com`, BIND: 9.18.29
Hi BIND Community,
I hope this message fin
Hi BIND Community,
I hope this message finds you well.
We are encountering an issue with our DNS zone `example.com`, which
contains approximately 10,000 resource records of various types, including
A, CNAME, TXT, and MX records. When attempting to perform an `rndc reload`
for this zone, we
the answer for it?
Hope that helps.
Cheers, Greg
On Tue, 20 Aug 2024 at 21:28, John Thurston <john.thurs...@alaska.gov> wrote:
We are asked to forward queries for foo.example.com
to a set of private resolvers. So we have
so
nt of that domain to
another resolver that can get the answer for it?
Hope that helps.
Cheers, Greg
On Tue, 20 Aug 2024 at 21:28, John Thurston
wrote:
> We are asked to forward queries for foo.example.com to a set of private
> resolvers. So we have something like this in ou
We are asked to forward queries for foo.example.com to a set of private
resolvers. So we have something like this in our .conf
zone "foo.example.com" {type forward; forward only;
forwarders { 10.1.2.3; 10.1.4.5; };
};
And when queried for an A-record for bar.foo.example.co
Hi Irwin,
BIND 9.16 is end-of-life, and we also don't provide support for commercial
appliances
based on BIND 9.
Since you didn't provide any actionable details (like the contents of the
zone), I would
suggest you try to reproduce the issue you have with supported version of BIND
I'm encountering the max-records-per-type limit when loading an authoritative
zone, so named won't load the zone.
But an audit of the zone (count the records returned by AXFR) finds no records
exceeding the limit.
Is anyone else encountering this?
--
Details:
I'm using In
age to appear in our logs (note that I have
> modified all of the following log entries to replace our domain with
> example.org):
> 25-Jul-2024 10:12:32.202 general: error: zone example.org/IN/internal
> (signed): receive_secure_serial: not exact
> The solution I’ve always
signed versions of the domain get out of sync, which
causes this message to appear in our logs (note that I have modified all of the
following log entries to replace our domain with example.org):
25-Jul-2024 10:12:32.202 general: error: zone example.org/IN/internal (signed
{
>>> REQUIRE(DNS_DB_VALID(db));
>>> REQUIRE(dns_db_iszone(db));
>>> if (db->methods->getsize != NULL) {
>>> return ((db->methods->getsize)(db, version, records, bytes));
>>> }
>>> return (ISC_R_NOTFOUND);
>>> } That db->methods-g
TFOUND);
} That db->methods-getsize is NULL. Here is a piece of the gdb
session 08-Jul-2024 16:39:29.587 dump_done: zone
29.16.172.in-addr.arpa/IN: enter Thread 2 "isc-net-" hit
Breakpoint 2, zone_journal_compact (zone=0x7062ffd0,
db=0x76151268, serial=1720448567)
08-Jul-2024 16:39:29.587 dump_done: zone 29.16.172.in-addr.arpa/IN: enter
Thread 2 "isc-net-" hit Breakpoint 2, zone_journal_compact (zone=0x7062ffd0, db=0x76151268, serial=1720448567) at ../../../lib/dns/zone.c:11654
11654 dns_db_currentversion(db, &ver);
(gdb) n
11655
ethods->getsize)(db, version, records, bytes));
}
return(ISC_R_NOTFOUND);
} That db->methods-getsize is NULL. Here is a piece of the gdb session
08-Jul-2024 16:39:29.587 dump_done: zone 29.16.172.in-addr.arpa/IN:
enter Thread 2 "isc-net-" hit Breakpoint 2, zone_journa
On 08-07-2024 13:42, Greg Choules wrote:
Hi Kees.
Hi Greg, thanks for the quick reply.
A few questions:
- What version of BIND are you running?
9.16.23 (in centos that is 32:9.16.23-15.el9)
- How large (number of RRs) are your zones?
My main zone (renamed to example.com) is about 800 RRs
; wrote:
> Hi,
>
> At the moment I have three FreeIPA systems (replicas), recently
> installed with CentOS 9-Stream.
> All three of these show this message at irregular intervals.
>
> Jul 03 07:50:44 iparep5.example.com named[541]: zone example.com/IN:
> zone_journal_compact:
Hi,
At the moment I have three FreeIPA systems (replicas), recently
installed with CentOS 9-Stream.
All three of these show this message at irregular intervals.
Jul 03 07:50:44 iparep5.example.com named[541]: zone example.com/IN:
zone_journal_compact: could not get zone size: not found
Jul
Hi Mounika
If you connect to a secondary nameserver to accept dynamic zone updates you
have to configure on the secondary inside the slave zone section a statement:
allow-update-forwarding { dhcp-updates; };
...where "dhcp-updates" is an ACL (that could be na
n 'allow-update' is not allowed in 'slave' zone
'zonename.com'"
Following is the named.conf file (part)
zone "zonename.com" {
type slave;
file "com/zonename/sec.zonename.com";
masters {
IP address;
};
allow-update {
key rndc-key;
};
allow-transf
Hello,
I configured Bind 9.18.12 as slave DDNS with dynamic updates from DHCP (ISC
DHCP 4.4)
running on the same server (Ubuntu 22.04 server)
When I run "named-checkconf named.conf", I get the following error
"named.conf:2018: option 'allow-update' is no
the past. When I was using the older named,
/etc/named.data/db.ynu.edu.cn.intranet always got updated unexpectedly, detailed
information is on Zone file got updated via named process unexpected (isc.org),
so I update the named, but this problem still exists. After I make some changes
to named.conf like
Hi.
The existence of a `.jnl` file for the zone means that, at some point in
the past anyway, you *did* allow dynamic updates to this zone and some
updates were made, which were stored in the journal file.
I would like to ask a couple of questions:
1) What is the timeline of your investigation
I found there was a db.ynu.edu.cn.intranet.jnl beside db.ynu.edu.cn.intranet, I
tried to remove it, then restarted and checked the new cache_dump.db, no `zone
not loaded` anymore.
For the original problem, because I modified serial of SOA and updated bind9 to
the latest version, it could not
DNSSEC via `dnssec-checkds`.
[root@pridns ~]# dnssec-checkds -f /etc/named.data/db.ynu.edu.cn.intranet
ynu.edu.cn
dnssec-dsfromkey: fatal: no DNSKEY RR for ynu.edu.cn in
/etc/named.data/db.ynu.edu.cn.intranet
No DNSKEY records found in zone apex
[root@pridns ~]# echo $?
1
[root@pridns ~]#
And not
On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote:
I found this zone file got updated in about 15 minutes when I made
changes or restarted named, and this behavior seems to match the docs
bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can
confirm I DO NOT configure allow
Read your logs and/or use named-checkzone and/or tell named-checkconf to load
the zones.
--
Mark Andrews
> On 17 Dec 2023, at 15:22, liudong...@ynu.edu.cn wrote:
>
>
> Hi, I have a bind9 authoritative name server running, but I found a strange
> problem. One of the zones in a sp
Sorry for the mixed format. I updated the post here.
Hi, I have a bind9 service running on the server, and some views configured,
but I found a zone file got updated unexpectedly when I made some resolve changes.
Here are parts of the original contents of the updated zone file.
$TTL 86400
Hi, I have a bind9 authoritative name server running, but I found a strange
problem. One of the zones in a specific view is not loaded when I view the
cache_dump.db after I execute `rndc dumpdb -all`.
The zone data file is almost the same for different views except for a few
domain resolution
Hi, I have a bind9 service running on the server, and some views configured,
but I found a zone file got updated unexpectedly when I made some resolve changes.
Here are parts of the original contents of the updated zone file.
$TTL 86400 ; 1 day
@ IN SOA pridns.ynu.edu.cn
Hi list.
I've just implemented a mirror zone for ".", and I noticed that it works
even though I haven't removed the hint zone (also for ".").
What is the recommendation here? Is it OK to have both mirror and hint
zones? Or should I remove the hint zone f
Matthijs Mekking wrote:
> Please file a bug report:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4453
Björn Persson
This should be possible.
Please file a bug report:
https://gitlab.isc.org/isc-projects/bind9/-/issues/new
Mention the version used and describe the steps how to reproduce.
Best regards,
Matthijs
On 11/22/23 13:20, Björn Persson wrote:
My zone was previously signed with a KSK and a ZSK with
My zone was previously signed with a KSK and a ZSK with unlimited
lifetime. I switched the zone over to a dnssec-policy using CSKs and
automatic key rotation. After the DS record was updated, most of the
RRSIG records were removed, leaving the zone broken to validating
resolvers.
Am I not
multiple named processes running on different ports, with PF redirecting port
53 to the appropriate port based on the user's source IP.
Some of my RPZ zones are quite large, and if the same zone records exist for
multiple configurations, this means loading a lot of the same data into
mul
> On 9 Nov 2023, at 01:25, G H via bind-users wrote:
>
> I have a master and a slave server setup with functional catalog zone
> transfers. Upon initial daemon start, the slave will pull the catalog zone,
> and then pull the domain zones contained within said catalog zone (le
I have a master and a slave server setup with functional catalog zone
transfers. Upon initial daemon start, the slave will pull the catalog zone, and
then pull the domain zones contained within said catalog zone (let's refer to
these domains as child domains).
If I modify the serial o
Hi,
Disabling inline-signing is a good workaround. The issue is that BIND
with inline-signing maintains a signed file separately and needs to bump
the SOA SERIAL.
The serial queried is for the DNSSEC signed zone, but the dynamic update
is done against the unsigned version of the zone. Hence
er.net-beta.fechner.net: signer
"idefix.fechner.net-beta.fechner.net" approved
08-Jul-2023 07:40:22.962 update: info: client @0x848ac0760
93.182.104.69#18475/key idefix.fechner.net-beta.fechner.net: updating
zone 'fechner.net/IN': update unsuccessful: fechner.net/SOA: '
Hi,
Have a look at nsupdate
(https://bind9.readthedocs.io/en/v9.18.19/manpages.html#nsupdate-dynamic-dns-update-utility)
as well. This can be used to update the zone without direct editing
and thus no need for freezing and thawing.
Thank you,
Darren Ankney
On Fri, Sep 22, 2023 at 3:43 PM Jan
After the first automated
name change, my zone file was unformatted. I lost the comments and more
than 500 occurrences of the ORIGIN parameter were inserted.
Configuring dynamic DNS updates on a zone means that named takes control over
how the zone file is (periodically) rewritten to disk
Hello!
I'm using Bind 9.11.
I'm automating my dns server with ansible (nsupdate module). To do this I
enabled the configuration directive allow-update. After the first automated
name change, my zone file was unformatted. I lost the comments and more
than 500 occurrences of the ORIGIN parameter
itt wrote:
That gets me more information, and I think puts the problem onto
axfrdns. Thanks.
xfer-in: info: zone example.net/IN: Transfer started.
xfer-in: debug 1: zone example.net/IN: forced reload, requesting AXFR of
initial version from 198.51.100.1#53
xfer-in: info: transfer of '
That gets me more information, and I think puts the problem onto
axfrdns. Thanks.
xfer-in: info: zone example.net/IN: Transfer started.
xfer-in: debug 1: zone example.net/IN: forced reload, requesting AXFR of
initial version from 198.51.100.1#53
xfer-in: info: transfer of 'example.net/IN'
023, at 09:23, Ian Bobbitt wrote:
>
> I have a system running BIND 9.18.17 that needs to transfer a zone from
> djbdns/axfrdns. I receive FORMERRs, and haven't been able to get any log
> messages indicating the problem.
>
> xfer-in: info: zone example.net/IN: Transfe
I have a system running BIND 9.18.17 that needs to transfer a zone from
djbdns/axfrdns. I receive FORMERRs, and haven't been able to get any log
messages indicating the problem.
xfer-in: info: zone example.net/IN: Transfer started.
xfer-in: info: transfer of 'example.net/IN' fr
Thank you Timothe for this. I tested this on some of my domains and
found AXFR worked the best
dig @::1 $zone axfr | grep -v '^;' | grep -v '^$zone' | grep 'NS
' | cut -f1 | cut -f1 -d' ' | sed 's/\.$//' |sort -u > axfr.$zon
(Sorry for the duplicate/reply without context). See below.
On 21-Aug-23 11:11, Mark Elkins wrote:
Hi,
I'm writing some software to be able to read information from a Zone
file. I am a legally authorised Secondary Authoritative Nameserver for
a number of domains or rather zone file
deltas; add / change / delete, will likely be outside of
the scope of what bind will provide unless you crank up logging and
parse it or behave as an incremental zone transfer client.
3) find out how many unique names have DS records (I can DIG I suppose)
Mind your $ORIGIN and check the number
Hi,
I'm writing some software to be able to read information from a Zone
file. I am a legally authorised Secondary Authoritative Nameserver for a
number of domains or rather zone files, eg. EDU.ZA (and others). Is
there an easy way to:-
1) Count how many delegated domains there are (
Hi,
I'm fairly certain that the content of string is a valid DNS zone.
So, whatever is allowed by RFC 1034 is allowed there. I'm not sure
BIND will emit an error, however, as I don't think it enforces any
domain label rules. The zone may not work, however, if it is
incorrectly na
I didn't find the format specification of in the documentation here
https://bind9.readthedocs.io/en/latest/reference.html#zone-block-grammar
Can it contain wildcard characters? Will it cause problems if I define
hundreds of zones in the config file?
I'm setting up a forwarding reso
.
Original message
From: Ondřej Surý
Date: 31/07/23 8:10 PM (GMT+12:00)
To: matt...@peregrineit.net
Cc: bind-users@lists.isc.org
Subject: Re: Zone Transfers Being Refused
Well, for starters your primaries list 192.168.2.10, but your logs show connection from 192.168.1.1…
--
Ondřej Surý — ISC
";
};
};
options {
blackhole {
"bogusnets";
};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
flush-zones-on-shutdown yes;
managed-keys-directory "/var/named/dynamic";
mem
> "auth_servers_log";
> "default_debug";
> };
> category "security" {
> "client_security_log";
> "default_debug";
> };
> category "update" {
> "
"zone_transfers_log";
"default_debug";
};
};
options {
blackhole {
"bogusnets";
};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
flush-zones-on-shutdown yes;
managed-keys-directory &
ork (192.168.1.10/24). The gateway for each (ie the router) is
> 192.168.x.1.
>
> The external domain is dynamic, with dnssec set up, and everything *seems* to
> be working correctly.
>
> So I did a rndc to update a record in the external zone on the primary. The
> prima
c set up, and everything
*seems* to be working correctly.
So I did a rndc to update a record in the external zone on the primary.
The primary's logs show that the update went through and that a zone
transfer notification was sent out to the external secondary. I can also
see the updated rec