BIND9 is 25 today!

2023-08-17 Thread Greg Choules
Please raise a beverage of choice and celebrate the 25th birthday of BIND9: commit 7ee52cc7d195433bb8f55972e2a8ab29668f7bce Date: Mon Aug 17 22:05:58 1998 + -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software wi

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-08 Thread Greg Choules
infrastructure (good question!). All they say is that after an > upgrade all servers were masters. > > The amount of direct relevance of the article is questionable. > Nonetheless, paragraph two seems factually incorrect on its face: changing > type master; to type slave; does not swi

Re: Unhelpful startup message re: RPZ

2023-09-21 Thread Greg Choules
Hi John. From the ARM: response-policy … Blocks: options, view Tags: server, security, query, zone Specifies response policy zones for the view or among global options. Blocks: says where this statement can be used; i.e. in global options or within a view. The description is reasonably clear (I t

Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules
Hello. Do you mean 9.18-S1? > On 28 Apr 2024, at 08:06, Yang via bind-users > wrote: > > > dear admin: > now, i use bind-9.18-21, i want to use ecs client subnet function; but i > don't know how to configure it, and i don't get method from google > please give me some example,or document

Re: [help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Greg Choules

Re: Make dig and nslookup DNSSEC aware?

2024-05-22 Thread Greg Choules
Odd numbers (9.17, 9.19…) are the development versions. Even numbers (9.18, 9.20 - soon…) are the production versions, based on the odd-numbered version before. So 9.18.27 (currently) would be the one to go for. Cheers, Greg > On 22 May 2024, at 16:53, Robert Wagner wrote: > > https://www.isc

Re: netstat showing multiple lines for each listening socket

2024-07-10 Thread Greg Choules
I’m afraid we’re a little out of sync between the documentation and the code, depending on which code you’re running. -U was changed some time ago to mean the number of dispatchers to use for outgoing queries, not listeners to use for incoming queries. Post 9.18 it won’t do anything at all, so

test - ignore

2022-01-25 Thread Greg Choules
Hello.

Re: DNSSEC, OpenDNS and www.cdc.gov

2024-10-16 Thread Greg Choules
Hi Bob. See if this article helps any first, before we get into configs: https://kb.isc.org/docs/the-umbrella-feature-in-detail Cheers, Greg > On 16 Oct 2024, at 14:55, Robert Mankowski > wrote: > > I recently implemented a forward only BIND server for home. I was forwarding > to OpenDNS Fam

Re: Question about recursive client max quota

2024-11-08 Thread Greg Choules
Hello Pedro. Firstly, which version of BIND are you running? Generally, though, increasing `recursive-clients` on a box with a decent amount of power and RAM is not an issue: 50k, or even bigger, should be fine. But please test it first. We have discussed raising the default but we’re not quite

Re: How to print details of dns_name_t* when hitting a gdb breakpoint in dns_name_equal

2024-12-03 Thread Greg Choules
Hi Kees. I would upgrade to 9.18 and not spend time trying to diagnose 9.16, which is not supported anymore. If the same problem occurs on 9.18 (latest), please let us know. I hope that helps. Greg > On 3 Dec 2024, at 10:36, Kees Bakker via bind-users > wrote: > > Hi, > > Background > I hav

Re: localhost name lookup

2025-01-24 Thread Greg Choules
> On 24 Jan 2025, at 19:07, Lee wrote: > > On Mon, Jan 20, 2025 at 4:55 AM Petr Špaček wrote: >> >> On 15. 01. 25 19:55, Lee wrote: >>> On Wed, Jan 15, 2025 at 11:55 AM Ondřej Surý wrote: On 14. 1. 2025, at 16:56, Lee wrote: In other words, should I submit a bug report to the D

Re: localhost name lookup

2025-01-24 Thread Greg Choules
> On 24 Jan 2025, at 21:32, Lee wrote: > > On Fri, Jan 24, 2025 at 3:27 PM Greg Choules wrote: >> >> >>> On 24 Jan 2025, at 19:07, Lee wrote: >>> >>> On Mon, Jan 20, 2025 at 4:55 AM Petr Špaček wrote: >>>> >>>> On 15

Re: Bind internal name space geo-proximity

2025-03-21 Thread Greg Choules
Hi Karol. The DNS model is that if a zone contains multiple records of the same type with the same owner name - e.g. google.com/NS - then all answers are returned in a response to a query: this is known as an RRSET. In the case of NS records, all RRSETs from anywhere must

Re: rndc: 'reload' failed: unexpected error

2025-03-13 Thread Greg Choules
Hi Duan. Firstly, please upgrade to the latest BIND as 9.11 is very old now and has many security flaws that will not be fixed because it is obsolete. Secondly, after you have upgraded try it again and if the problem still exists, come back here. Cheers, Greg > On 13 Mar 2025, at 09:23, Duan D

Re: Views vs Separate Authoritative & Recursive DNS

2023-01-04 Thread Greg Choules via bind-users
Hi E R. My short answer would be, don't configure views unless you have a good use case for them. For example you are running resolvers that have two different kinds of clients that need to be handled differently - one client set needs RPZ, the other doesn't. Or something like that. BIND has views

Re: I need to find statistics on a running server.

2023-01-12 Thread Greg Choules via bind-users
Hi Jeff. Query logging is quite an overhead and very heavy on writing to storage, so use it sparingly as it can have a detrimental impact on performance. For any moderately loaded server I would not have it enabled by default. Cheers, Greg On Thu, 12 Jan 2023 at 18:22, Jeff Sumner wrote: > I’ve

Re: Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Greg Choules via bind-users
Hi Jesus. No. Zone Transfer always uses TCP. Is it really that much of an overhead for you? Cheers, Greg On Fri, 13 Jan 2023 at 05:56, Jesus Cea wrote: > I have a dns zone with many dns updates per minute. The updates are > tiny, like 2-3 records, <500 bytes in total. > > Currently my secondari

Re: Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Greg Choules via bind-users
's not worth worrying about. Cheers, Greg On Fri, 13 Jan 2023 at 06:19, Jesus Cea wrote: > On 13/1/23 7:12, Greg Choules via bind-users wrote: > > Hi Jesus. > > No. Zone Transfer always uses TCP. Is it really that much of an overhead > > for you? > > Not now

Re: SERVFAIL IPv6 debugging

2023-01-19 Thread Greg Choules via bind-users
Hi Bruce. There's potentially a bunch of things to note here. DNS conversations are independent of each other. The dig to your own server (dig -6 ec.europa.eu) may be over v4 or v6. But the subsequent queries that server makes (if any) may be over v4, or v6, or both. It depends how your server is c

Re: recursion yes/no?

2023-01-24 Thread Greg Choules via bind-users
Hi David. "recursion yes;" tells named that it can (if it has to) make queries to other places if it needs more information in order to answer a client query. Pure authoritative servers shouldn't need it and should have "recursion no;". So the first question is, do your servers make queries out to

Re: Resolving and caching illegal names

2023-01-24 Thread Greg Choules via bind-users
Hi John. A few questions, if I may. - Why *must* you forward everything to Akamai? - Was that a real example of a daft query: 10.11.12.13 type A? If not, do you have some real examples of queries being made to your servers please? - Notwithstanding the nature of these illegal queries, if they *are*

Re: recursion yes/no?

2023-01-25 Thread Greg Choules via bind-users
after setting > minimal-responses to no, now I get the usual output when querying. > > For what I understand, there is no downside in maintaining this setting, > right? > > Thank you! > > > > Kind regards. > > David > > > > > > *From:* Greg Choules

Re: Gratuitous AXFRs of RPZ after 9.18.11

2023-01-27 Thread Greg Choules via bind-users
Hi John. Personally, I would start by drawing a picture (I like pictures) of all the players in the game and gathering data, leaving nothing out, including: - All servers, with all IP addresses. - SOA and NS records of working zones and the troublesome RPZ zone. - Which servers are author

Re: Converting between zone file formats

2023-01-30 Thread Greg Choules via bind-users
Hi Håvard. I currently have 9.18.8 installed; the version of named-compilezone is the same. As a test I just converted a text format zone file to raw and then that raw file back to text and it looks fine to me: - named-compilezone -f text -F raw -o junk.raw junk db.junk - named-compilezone -f raw -

Re: Intermittent issues resolving "labor.upload.akamai.com"

2023-02-03 Thread Greg Choules via bind-users
Hi Sandeep. >From a quick look in Wireshark at what my own server (9.18.8) is doing, this looks like Akamai not responding correctly to a BIND QNAME minimisation query. Here's one response, from 95.101.36.192 for example, of many similar ones showing an issue. The response code shouldn't be REFUSED

Re: named out of swap on NetBSD/amd64

2023-02-12 Thread Greg Choules via bind-users
Hi Jan. There could be SO many things going on here. I have a few questions: - Do you mean 200 QPS or 200,000 QPS? I was wondering if a "k" had missed the print. If it's really 200, this box (not necessarily just BIND) sounds very ill. 200 QPS is background noise and (depending what's going on) sho

Re: named out of swap on NetBSD/amd64

2023-02-15 Thread Greg Choules via bind-users
lt) called "named_dump.db" in named's working directory. Grep for NXDOMAIN in that file. Cheers, Greg On Tue, 14 Feb 2023 at 15:29, Jan Schaumann via bind-users < bind-users@lists.isc.org> wrote: > Jan Schaumann via bind-users wrote: > > Greg Choules wrote: > >

Re: named out of swap on NetBSD/amd64

2023-02-15 Thread Greg Choules via bind-users
much RAM as you can afford. That way you minimise the frequency of cache cleaning, which is an overhead. Greg On Wed, 15 Feb 2023 at 19:45, Jan Schaumann via bind-users < bind-users@lists.isc.org> wrote: > Greg Choules wrote: > > > Since the queries are unique the responses

Re: Is there an incompatibility between 9.16.37/9.18.11 and 9.9 when doing HMAC-MD5 AXFR?

2023-02-21 Thread Greg Choules via bind-users
Hi Patrik. 9.9? Classic! :D I don't believe there should be any incompatibilities. Are you perhaps falling foul of this? From Cricket's book, chapter 11 It’s important that the name of the key—not just the binary data the key points to— be identical on both ends of the transaction. If it’s not, th

Re: Bind listener to an IPv6 from AnyIP subnet

2023-03-13 Thread Greg Choules via bind-users
Hi Serg. Can you post the output of "named -V" please? You're looking for "--disable-linux-caps", which you don't want. I'm not sure how (if) BIND interacts with AnyIP, but it should pick up new interfaces as they are added, *if* it is built with the necessary capabilities enabled. 'named' starts

Re: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread Greg Choules via bind-users
Hi Nath. What have you got on SrvB for biopyrenees.net, or net? On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the actual address rather than "localhost") and paste the full result here. I am interested in flags and the query time right now. Cheers, Greg On Wed, 22 Mar 2023 a

Re: bind with qname min. fails to continue recursing on one specific query

2023-03-27 Thread Greg Choules via bind-users
Hi Jason. I just tried this on my server (9.18.11) and it does indeed appear to be qname minimisation. The following servers (NS for tn.gov) just don't respond to the query "_.edison.tn.gov": dns4.tn.gov: type A, class IN, addr 170.141.167.222 dns5.tn.gov: type A, class IN, addr 170.141.168.22 QM

Re: Best practice MultiView

2023-04-17 Thread Greg Choules via bind-users
Hi Jiaming. The arguments to "also-notify {...};" are explicit IP addresses. Why do you need it? Do you have some secondaries that are not listed as NS in zones? Regarding views. Why would you have the same zone in an internal and external view? A few years ago, having to maintain multiple zones

Re: Best practice MultiView

2023-04-18 Thread Greg Choules via bind-users
tended recipient, we kindly request you to delete the > message and inform the sender. It is strictly prohibited to disclose, copy > or distribute this email or the information inside it, without a written > consent from the sender. Yixi Meta is registered with the Dutch Chamber of > Com

Re: Best practice MultiView

2023-04-18 Thread Greg Choules via bind-users
quest you to delete the > message and inform the sender. It is strictly prohibited to disclose, copy > or distribute this email or the information inside it, without a written > consent from the sender. Yixi Meta is registered with the Dutch Chamber of > Commerce trade register with number

Re: Fully automated DNSSEC with BIND 9.16

2023-04-19 Thread Greg Choules via bind-users
Hi Håvard Odd, it works for me. Try a literal copy/paste of the link below. Or go to https://kb.isc.org and search for packages: https://kb.isc.org/docs/isc-packages-for-bind-9 Cheers, Greg On Wed, 19 Apr 2023 at 12:03, Havard Eidnes via bind-users < bind-users@lists.isc.org> wrote: > >>and

Re: Best practice MultiView

2023-04-19 Thread Greg Choules via bind-users
or the information inside it, without a written > consent from the sender. Yixi Meta is registered with the Dutch Chamber of > Commerce trade register with number 85744115.* > -- > *Van:* Greg Choules > *Verzonden:* Tuesday, April 18, 2023 2:51:05 PM >

Re: Best practice MultiView

2023-04-21 Thread Greg Choules via bind-users
ent from the sender. Yixi Meta is registered with the Dutch Chamber of > Commerce trade register with number 85744115.* > -- > *Van:* Greg Choules > *Verzonden:* Wednesday, April 19, 2023 11:01:00 PM > *Aan:* Jiaming Zhang > *CC:* bind-users@lists.isc.org > *Onderwerp:* R

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
Hello. By far the simplest way to install BIND natively on Mac is to use the Homebrew package manager. I have 9.18.14 installed on mine and it works fine. The other alternative is to run it from the Docker image. See here for details: https://hub.docker.com/r/internetsystemsconsortium/bind9 Hope t

Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-09 Thread Greg Choules via bind-users
The named binary *could* exist in many places; it depends on the OS. For example, with a Homebrew install on my Mac it's here: /usr/local/Cellar/bind/9.18.14/sbin/named because of this build parameter: --prefix=/usr/local/Cellar/bind/9.18.14 It's linked to from /usr/local/opt/bind/sbin/named, for c

Re: resolver: DNS format error from

2023-05-17 Thread Greg Choules via bind-users
Hi Alex. TL;DR 9.18 is stricter than 9.16 at handling junk responses from authoritative servers. Looking at a packet capture for this from my own BIND server (9.18.14) the response from 195.178.56.17 is FORMERR, which tends to mean that it objects to something in the query. The correct response to

Re: thank you - Re: bind9 (9.18.14) build / install on macOS Ventura (13.3.1) fails to create dirs or files as expected

2023-05-30 Thread Greg Choules via bind-users
install. > > I got pulled into another project and wanted to reply with thanks sooner. > Your time is valuable and I sincerely appreciate everyone who took the time > to make suggestions. > > On May 10, 2023, at 1:39 AM, Greg Choules < > gregchoules+bindus...@googlemail.c

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami. Firstly, a couple of definitions: NXDOMAIN is a response from an authoritative server (or a resolver because it cached it). It is a positive confirmation that "this name does not exist". It means that the QNAME in the query cannot be found, for any record type. SERVFAIL is a response from

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
s why I wanted to change the return code for this > domain name to "NXDOMAIN" so as not to distort the monitoring result . > > Regards > > *De :* Greg Choules > *Envoyé :* lundi 19 juin 2023 10:03 > *À :* RAHAL Sami SOFRECOM > *Cc :* bind-users@lists.isc.org &g

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
return code we can > not modify this code by nxdomain with the rpz configuration? > > Regards > > > > *De :* Greg Choules > *Envoyé :* lundi 19 juin 2023 12:02 > *À :* RAHAL Sami SOFRECOM > *Cc :* bind-users@lists.isc.org > *Objet :* Re: replace "SERVFAIL"

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
From the correct email alias this time! On Mon, 19 Jun 2023 at 16:50, Greg Choules wrote: > Hi Lee/Sami. > `break-dnssec yes;` *may* also be needed in some cases. But not here as > the zone isn't signed anyway. > > The reason that "example.com" works but "

Re: latency and response time

2023-06-27 Thread Greg Choules via bind-users
Hi Sami. Let me ask you a question. How would you define the terms "latency" and "response time"? Greg On Tue, 27 Jun 2023 at 17:23, wrote: > Hello In DNS benchmarking which is more important latency or response > time? for a DNS server what is the difference between the two values? > > > > R

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-28 Thread Greg Choules via bind-users
Hi Ubence. Firstly, may we see your configs please. It's impossible to say exactly what's going on from a human description. Secondly, views and different answers. Yes it *is* entirely possible to use views to provide answers based on client IP - `match-clients. I would start with the most specifi

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
the system.lab from the domain.com zone taking lesser > precedence. > > It also seems that the bind configuration file is read from top down in > processing order? I had the main view on top first, but then moved it > below the other views, and then the 192.168.10-net view work

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Greg Choules via bind-users
different hostname being resolved > and still keep the lab.domain.com domain name. > > Ultimately, views won't work, which is very clear now, but having distinct > hostnames for each instance on a different subnet *should* work and could > be put on the lab.domain.com system so tha

Re: extended dns error

2023-07-12 Thread Greg Choules via bind-users
Hi Sami. In the "response-policy" block in your config, what (if anything) is the value of the statement "qname-wait-recurse"? If you do not have that set explicitly, please do "named -C" to list the defaults and see what it is; probably "yes". This parameter controls whether RPZ waits until succe

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-16 Thread Greg Choules via bind-users
Real data please: - example queries (genuine, not invented for illustration) - real domains - real IP addresses - packet captures - both BIND server configs - zone file contents - startup logs There are so many things it *could* be, the more information the better. Cheers, Greg On Sun, 16 Jul 20

Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record

2023-07-17 Thread Greg Choules via bind-users
This time from the correct email alias! On Mon, 17 Jul 2023 at 22:58, Greg Choules wrote: > Hi. > Some observations: > - Please don't use nslookup. Please use dig, it is much more versatile and > gives much more information with which to try and interpret what might be > goi

Re: help me with the ipv6 PTR generation

2023-08-24 Thread Greg Choules via bind-users
You may already have BIND installed; most distros do. If not, it's easy. You don't *have* to run named, but tools like this (and dig, particularly) are very useful to have. Do "which arpaname" to see if you have it already. Cheers, Greg On Thu, 24 Aug 2023 at 08:00, Marco wrote: > Am 24.08.202

Re: Facing issues while resolving only one record

2023-08-30 Thread Greg Choules via bind-users
Hi Blason. "incometax.gov.in" is a domain known to cause problems. Take a binary packet capture and look at it in Wireshark. Also see this https://dnsviz.net/d/incometax.gov.in/dnssec/ A workaround in BIND is to disable DNSSEC validation for just that domain whilst leaving it on generally: see bel

Re: Recursive client query rate-limiting

2023-08-30 Thread Greg Choules via bind-users
Hi Ben. In short, kinda. "recursive-clients" limits the overall number of concurrent recursive queries the server will handle. For each of those queries there is also "clients-per-query", which limits the number of different sources all asking the same question at the same time. This is so that, fo

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Greg Choules via bind-users
Hi Fred. No, the sense is correct. Imagine you have a server with a secondary zone of (say) "example.com", which transfers data for that zone from a primary somewhere. The secondary loads data received during a zone transfer straight into memory and uses it. It is optional for the secondary to also

Re: consolidating in-addr.arpa data

2023-09-15 Thread Greg Choules via bind-users
Hi John. Can you tell me a bit more please? - What zones exist in both BIND and MS DNS for something.10.in-addr.arpa? - Where are hosts auto registering to? I'd guess MS, but it would be good to confirm. - What does fragmentation look like? A few real examples would be useful. I'm trying to underst

Re: consolidating in-addr.arpa data

2023-09-15 Thread Greg Choules via bind-users
NXDOMAIN with confidence. > > And since writing my earlier note, I have re-located the code I think I > stumbled across earlier > > Tony Finch's "nsdiff" > > > https://dotat.at/prog/nsdiff/ > > > -- > Do things because you should, not just because

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
Hi. Although it is technically possible to do reverses on non-octet boundaries (for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a complete pita, in my experience. Personally I would not head down that path. Stick to /8, /16 or /24. Cheers, Greg On Sat, 16 Sept 2023 at 09:20, G.W. Hay

Re: consolidating in-addr.arpa data

2023-09-16 Thread Greg Choules via bind-users
From the correct mail alias! On Sat, 16 Sept 2023 at 21:50, Greg Choules wrote: > Hi Ged. > 172.16/12 is not a special case. The whole problem (IMHO) stems from how > humans have chosen to represent both IP addresses (v4; v6 are different and > actually a little easier) AND D
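An added example, written for the PTR-generation and in-addr.arpa threads above rather than taken from them or from BIND, that does what `arpaname` does for single addresses and then computes the reverse zone a prefix belongs in, so the octet-boundary point is visible in code: /8, /16 and /24 give a plain in-addr.arpa zone, anything else (172.16/12, a /26) falls into the RFC 2317 "<first-octet>/<len>" naming convention and still needs CNAME delegation from the parent. Addresses, prefixes and host names are made up for illustration.

```python
import ipaddress


def reverse_name(ip):
    """PTR owner name for one address, as `arpaname` prints it (octets for v4, nibbles for v6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(prefix):
    """Name of the reverse zone that covers `prefix`.

    IPv4 prefixes on octet boundaries (/8, /16, /24) map to a plain in-addr.arpa zone.
    Any other IPv4 length uses the RFC 2317 '<first-octet>/<len>' label convention;
    that is only a naming convention, the parent zone must still delegate it with CNAMEs.
    IPv6 prefixes must be nibble-aligned (multiples of 4 bits) to have a zone at all.
    """
    net = ipaddress.ip_network(prefix, strict=True)      # rejects host bits set, e.g. 10.1.0.0/8
    if net.version == 4:
        octets = str(net.network_address).split(".")
        full, rem = divmod(net.prefixlen, 8)
        parent = ".".join(reversed(octets[:full])) + ".in-addr.arpa." if full else "in-addr.arpa."
        if rem == 0:
            return parent
        return f"{octets[full]}/{net.prefixlen}.{parent}"
    nibbles = net.network_address.exploded.replace(":", "")
    full, rem = divmod(net.prefixlen, 4)
    if rem:
        raise ValueError(f"{prefix}: IPv6 reverse zones must be nibble-aligned")
    return ".".join(reversed(nibbles[:full])) + ".ip6.arpa." if full else "ip6.arpa."


def is_octet_aligned(prefix):
    """True for the IPv4 lengths (/8, /16, /24) that need no RFC 2317 tricks."""
    net = ipaddress.ip_network(prefix, strict=True)
    return net.version == 4 and net.prefixlen % 8 == 0


def ptr_record(ip, zone, target):
    """Zone-file line for `ip` relative to `zone` (owner name with the zone suffix stripped)."""
    owner = reverse_name(ip)
    if not owner.endswith("." + zone):
        raise ValueError(f"{ip} is not inside {zone}")
    return f"{owner[:-len(zone) - 1]} IN PTR {target}"


if __name__ == "__main__":
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24", "192.0.2.0/26", "2001:db8::/32"):
        print(f"{p:16} octet-aligned={is_octet_aligned(p)!s:5} -> {reverse_zone(p)}")
    zone = reverse_zone("2001:db8::/32")     # made-up prefix; hosts below are invented too
    for host, addr in (("host1.example.", "2001:db8::1"), ("host2.example.", "2001:db8:0:1::2")):
        print(ptr_record(addr, zone, host))
```

The strict network check is deliberate: a prefix written with host bits set (10.1.0.0/8) is almost always a typo, and silently masking it would put records in the wrong zone.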

Re: Forwarders working differently on bind9.8 & bind9.11

2023-09-19 Thread Greg Choules via bind-users
Hi Prashasti. I'm on my phone, so I'll keep it brief. - ditch both 9.8 and 9.11; install 9.18 - why are you forwarding to yourself? 127.0.0.1 - get binary packet captures and look at them in Wireshark to see what's actually going on. - real IPs please. - why use "port xxx"? Cheers, Greg On Tue, 1

Re: How should I configure internal and external DNS servers

2023-11-04 Thread Greg Choules via bind-users
Hi Nick. First question, does the internal zone *have* to keep the same name? As has been said already, this is a fairly common setup done by people a long time ago who usually didn't think through the consequences of their actions. What follows assumes you could change the name of the internal zon

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Hi there. Can you send some information, for those unfamiliar with what you're trying to do? - Full BIND config - IP addresses of relevant things, like interfaces of the servers on which you are running BIND and of Teamviewer. - What does Teamviewer need from DNS? What kinds of queries is it making

Re: Problem with recursion for windows bind for Teamviewer

2023-11-20 Thread Greg Choules via bind-users
Have you checked the routeing table on this server? Without any other evidence, this looks to me like packets are going places you aren't expecting. In the first screenshot the query goes to 213.227.191.1 and apparently a response doesn't come back until 4s later. When I try it using dig I get an

Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Greg Choules via bind-users
Hello. There are well known and documented issues with the zone "gov.in" and there were some recent problems with "gov" as well. Please search this mailing list archive for those domains and you may find some useful hints, tips and information that explain and help you with your own problem. Cheer

Re: How do I debug if the queries are not getting resolved?

2023-12-12 Thread Greg Choules via bind-users
Greg On Tue, 12 Dec 2023 at 17:42, Blason R wrote: > Thanks folks > > I just disabled DNSSEC validation from bind config file (globally) and > those domains started resolving fine. > > > On Tue, Dec 12, 2023, 13:25 Greg Choules < > gregchoules+bindus...@googlemail.com&

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel. You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config: zone "reseau1.lan" { type master; ... }; If
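An added worked example (not from this thread, and not BIND's code) that builds small DNS responses in wire format and parses the header flags and section counts, so the distinctions made in this thread and in the SERVFAIL/NXDOMAIN RPZ thread above become mechanical: AA bit set or not, RCODE NXDOMAIN versus NOERROR with an empty answer section and an SOA in AUTHORITY (NODATA), versus SERVFAIL, which says nothing about the name at all. The names reseau1.lan and pc1.reseau1.lan are the ones from the thread; the addresses, SOA contents and message ID are constructed.

```python
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA = 1, 2, 6, 28
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at `off`, following compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(qname, qtype, rcode, aa, answers=(), authority=()):
    """Build a minimal response: header, one question, then (name, type, rdata) records."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0400 if aa else 0) | (rcode & 0xF)   # QR RD RA [AA] RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return the header flags plus the (name, type) pairs found in each section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[section].append((name, rtype))
    return {"aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), **sections}


def classify(parsed):
    """Name the outcome the way the thread distinguishes them."""
    if parsed["rcode"] == "NXDOMAIN":
        return "NXDOMAIN"            # the name does not exist, for any record type
    if parsed["rcode"] == "SERVFAIL":
        return "SERVFAIL"            # the server could not answer; says nothing about the name
    if parsed["rcode"] == "NOERROR" and not parsed["answer"]:
        if any(t == TYPE_SOA for _, t in parsed["authority"]):
            return "NODATA"          # name exists, but has no records of the queried type
        if any(t == TYPE_NS for _, t in parsed["authority"]) and not parsed["aa"]:
            return "REFERRAL"        # non-authoritative pointer to the next zone's servers
        return "EMPTY"
    return parsed["rcode"]


# Constructed samples for the zone named in the thread (record contents are invented).
SOA_RDATA = encode_name("ns1.reseau1.lan.") + encode_name("hostmaster.reseau1.lan.") \
    + struct.pack("!IIIII", 2024011501, 3600, 900, 604800, 300)
SAMPLE_ANSWER = build_response("pc1.reseau1.lan.", TYPE_A, 0, aa=True,
                               answers=[("pc1.reseau1.lan.", TYPE_A, bytes([192, 168, 1, 10]))])
SAMPLE_NODATA = build_response("pc1.reseau1.lan.", TYPE_AAAA, 0, aa=True,
                               authority=[("reseau1.lan.", TYPE_SOA, SOA_RDATA)])
SAMPLE_NXDOMAIN = build_response("nope.reseau1.lan.", TYPE_A, 3, aa=True,
                                 authority=[("reseau1.lan.", TYPE_SOA, SOA_RDATA)])
SAMPLE_SERVFAIL = build_response("pc1.reseau1.lan.", TYPE_A, 2, aa=False)

if __name__ == "__main__":
    for label, msg in (("answer", SAMPLE_ANSWER), ("nodata", SAMPLE_NODATA),
                       ("nxdomain", SAMPLE_NXDOMAIN), ("servfail", SAMPLE_SERVFAIL)):
        p = parse_response(msg)
        print(f"{label:9} aa={p['aa']!s:5} rcode={p['rcode']:8} -> {classify(p)}")
```

The same parser works on a response captured with tcpdump (the UDP payload is the message), which is the point: the answer to "is this NXDOMAIN or NODATA?" is in the RCODE and the AUTHORITY section, not in what a client library chose to print.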

Re: Re: zone not loaded in one of view

2023-12-19 Thread Greg Choules via bind-users
Hi. The existence of a `.jnl` file for the zone means that, at some point in the past anyway, you *did* allow dynamic updates to this zone and some updates were made, which were stored in the journal file. I would like to ask a couple of questions: 1) What is the timeline of your investigation? Ma

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
Hi Michel. Please can you send the following information: - name and IP address of the authoritative server - the full contents of the zone file for "reseau1.lan" - name and IP address of the other server - what does this server do? - What is the machine "pc1", on which you are running the digs? -

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
t; D‌ear Greg, > > Thank you for your reply. > > > Please find attached the markdown file with all the commands and text > from the terminal. > > In /etc/resolv.conf I had "127.0.0.53" so I disabled the DNSStubListener > from systemd-resolved. I hav

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > > *AUTHORITY: 1 : this is ok.* > > > Command dig pc1.reseau1.lan > ;; ->>HEADER<<- opcode: QUERY, status: NOER

Re: acl in also-nofify

2024-02-08 Thread Greg Choules via bind-users
Hi both. You can't do it using ACLs. But you can do it using primaries. This is hinted at in the section about the primaries statement, but not clearly expanded on. For example: # define a primaries list called "also-notifed" (or anything you like). Define as many lists as you need. primaries also

Re: Deprecated DSCP support

2024-02-29 Thread Greg Choules via bind-users
Hi Wolfgang. Firstly let me say that I have never been a fan of QoS. So I'm slightly biased against the whole thing in the first place. But regarding your comment "It’s not easy for the network to guess the requirements of an application," I would disagree. Traffic classification and setting of DS

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread Greg Choules via bind-users
2nd $beverage consumed. I have never liked sortlist since I inherited it 16 years ago in my previous job. For me it suffers from at least one fundamental problem: - If a client, say at location "1", is given a bunch of sorted A records with the server at location "1" first, what does the client do

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Greg Choules via bind-users
Please don't encourage using "search" in resolv.conf or the Windows equivalent. Search domains make queries take longer, impose unnecessary load on resolvers and make diagnosis of issues harder because, when users say "it doesn't work" you have no idea what it was that didn't work. I tried using s

Re: Bind9 "split zones"

2024-03-04 Thread Greg Choules via bind-users
Hi. If I understand you correctly, you are trying to get your resolver to go to two different places (main_hidden_dns_server and other_dns_server) for answers to the same question, and then want it combine those answers into a single response to the client, which contains PTR records for both names

Re: DNSSEC deployement in an isolated virtual environment

2024-03-16 Thread Greg Choules via bind-users
Hi Amaury. You should be able to do this by defining your own trust anchors. This should explain what you need: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#trusted-keys-and-managed-keys Have fun. Greg On Sat, 16 Mar 2024 at 13:38, Amaury Van Pevenaeyge < avanpevenae...@outlook.fr> wr

Re: transfert master slave

2024-03-25 Thread Greg Choules via bind-users
Hi Sami. "allow-..." statements are to restrict from which sources *this* server will accept messages, of whichever type. On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it to process NOTIFY messages sent to it from the primary (master), but ignore any others. Actually, this

Re: Some Authoritative-Only BCPs

2024-03-28 Thread Greg Choules via bind-users
Hi cjc. My answers would be: - Leave `dnssec-validation` alone (auto) and ensure your server has a path to the Internet to make queries. - Don't mess with root hints. The only time anyone should need to do this is when running a completely captive server living in a custom namespace that is NOT t

Re: Some Authoritative-Only BCPs

2024-04-02 Thread Greg Choules via bind-users
> deal > with getting security exceptions or adverse findings. It's > (unfortunately) > a _really_ good reason to enable it even if it is technically > unnecessary. > > > On 2024-03-28 01:04, Greg Choules wrote: > > Hi cjc. > > My answers would be: > &

Re: RFC8482: Implementation

2024-04-22 Thread Greg Choules via bind-users
Hi. In BIND, since 9.11, there is an option/view statement called "minimal-any", which defaults to "no". That might be what you're after. Cheers, Greg On Sat, 20 Apr 2024 at 17:29, Amaury Van Pevenaeyge < avanpevenae...@outlook.fr> wrote: > Hello everyone, > > I've been looking for days and days

Re: SRV on multiple subdomains

2024-05-16 Thread Greg Choules via bind-users
Adding my 2p, I would take that principle a step further. Create a generic, unique SRV record that represents what you want to happen. Then create specific CNAME records for each server. The reasons for the extra, generic record are that it represents the service you want to offer and all "server..

Re: issue with forwarder zones

2024-05-29 Thread Greg Choules via bind-users
Hi Brian. We're going to need some details please, like for starters: - What's the domain being queried? - A network diagram showing where your BIND server is and what it's forwarding to. - IP addresses of everything. - A packet capture (binary pcap format, not a snippet or a screenshot) from your

Re: Problem with a certain domain

2024-06-04 Thread Greg Choules via bind-users
Hi Thomas. Firstly, I doubt you actually need to kill and restart `named`. Flushing the cache would probably work, either all of it or just selected names. Secondly, take a packet capture of this happening and analyse what BIND is really doing, in Wireshark. - If it shows up that certain NS are ca

Re: SERVFAIL error during the evening

2024-06-26 Thread Greg Choules via bind-users
Hi Sami. If you can, I would set up a new BIND (test) server running the current code - 9.18.27 - next to your current production system and compare how they behave: current code uses NS queries for qmin rather than _... A queries. There may still be failures, but this would allow you to pinpoint b

Re: rolling my own hints file

2024-06-26 Thread Greg Choules via bind-users
Hi Brian. Yes, you can define your own hint zone and tell BIND to use it. The contents (I called the file "db.root" but the name is your choice) could be as simple as: @ 300 IN A 127.0.0.3 @ 300 IN NS @ which says for this zone (which will be called ".", coming next) the NS is the same name and i

Re: rolling my own hints file

2024-06-26 Thread Greg Choules via bind-users
ot seeing queries to any of the normal root > servers, so that is in fact a good sign. > > > > New root servers are managed by my parent organization and my manager > asked me to send these queries through them. Wouldn’t be performing this > exercise otherwise. > > > &g

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
Hi Renzo. Firstly, please can we see your BIND configuration and have the actual AD domain name. Secondly, BIND, or any other recursive DNS server, does not 'forward' to the root servers, unless you have configured it explicitly to do so, which would be a bad idea and not work anyway. It will recu

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
on is set on every domain > controller) > > Only AD DNS makes queries to the A.B.C.D server and it's necessary only to > resolve external domains. > > The A.B.C.D. server never makes queries to the AD server. A.B.C.D. is the next dns > server, which participates when it's necessary to

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
2001:dc3::35 > > > I didn't know some Bind versions had the Internet root hints built-in. > About my configuration, I understand that bind always makes queries to root > servers? Right? > I'd like to re-check the configuration of bind > > > Il giorno

Re: forward option in dns server

2024-06-27 Thread Greg Choules via bind-users
e "forwarders"? > 3-- Does this Bind version have the root servers built in? If I removed the 'named.ca' > reference, would Bind use the built-in root servers? > > thanks > > Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules < > gregchoules+bindus...@googlemail.com> ha scr

Re: forward option in dns server

2024-06-28 Thread Greg Choules via bind-users
lain you what servers I inserted into this > list. > > > I have another doubt: /etc/resolv.conf on the bind server is used only by > client services? E.g. the ping tool. > I think the bind9 dns service doesn't consult /etc/resolv.conf at all, right? > > > > > > Il giorno v

Re: forward option in dns server

2024-06-28 Thread Greg Choules via bind-users
; > Thanks again > > On Fri 28 Jun 2024 at 13:10 Greg Choules < > gregchoules+bindus...@googlemail.com> wrote: > >> Hi again Renzo. >> >> In general, BIND (and other resolvers) make non-recursive (aka >> iterative) queries to authoritative

Re: rolling my own hints file

2024-07-01 Thread Greg Choules via bind-users
y detrimental? > If it is, it's "dot" rather than "at"? > > @ 518400 IN A xx.yy.zz..7 > > @ 518400 IN A xx.yy.zz..8 > > . 518400 IN NS @ > > > > Thank you. > > Brian > > > > *From:* bind-users * On Behalf Of *Cuttler, > Brian R (HEALTH)

Re: zone_journal_compact: could not get zone size: not found

2024-07-08 Thread Greg Choules via bind-users
Hi Kees. A few questions: - What version of BIND are you running? - How large (number of RRs) are your zones? - What is the peak rate of dynamic updates? - Do you have "max-journal-size" configured to anything? - Are you perhaps getting short on disc storage in the place where BIND keeps its files?

Re: 9.16.27 - Cache Prefetch

2024-07-23 Thread Greg Choules via bind-users
Hi Gabe. Prefetch still exists; reference here: https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-prefetch Hope that helps. Greg On Tue, 23 Jul 2024 at 17:36, Gabe Loyer wrote: > In searching for documentation I can only find something for prefetch in > 9.10, which appar

Re: I want to know why I suddenly can't resolve names.

2024-08-19 Thread Greg Choules via bind-users
Hi. Please, please, please upgrade your OS and BIND. CentOS 6 went EoS 3 years ago, from what I can tell. BIND 9.8 is 12 years old and there have been far too many changes and security fixes in that time to list in a mail. If you want to see for yourself, explore https://downloads.isc.org/isc/bind

Re: Behavior of 'forward only' zone

2024-08-20 Thread Greg Choules via bind-users
Hi John. The reason is step 4c here: https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3 The A record in the response is for a name that BIND wasn't asked for (otherwise why a CNAME at all?), so in the interests of not just believing random answers that might potentially poison the cache,
