igning information for wunderkind.co and found
none. That's cool, we didn't expect them to be."
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.
valid.
I have my suspicions of what's happening, but not enough information to
form a solid hypothesis or perform tests. I want higher confidence that
I'm recognizing the important lines in the logs before I start casting
stones.
--
Do things because you should, not just because you
e to do so, and
returns a SERVFAIL to the customer.
I haven't yet tried, but I don't expect I can define an RPZ to trap such
illegal names. Can I? If I could, it would reduce the traffic to Akamai,
and the number of validations I'm trying to do.
--
--
Do things
D of the numerics I see in my logs, and ignore the
rest. I think this will get me what I want, at a level of complexity I
can accept.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
O
.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 1/25/2023 8:36 AM, John Thurston wrote:
Off-list, it was suggested to me that I _could_ handle this in my RPZ,
by enumerating all 255
zone). Is anyone else seeing similar behavior?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
th
serial
number, and waiting patiently for the refresh interval to expire before
checking again.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 1/27/2023 1:53 AM, Ondřej Surý wrote:
FTR
think of a good way to test this.
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds
the other views, would be
uninterrupted.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 2/17/2023 10:23 AM, Ondřej Surý wrote:
*CAUTION:* This email originated from o
e you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 2/17/2023 10:46 AM, Ondřej Surý wrote:
Well, the serial number arithmetics is there for a reason - you
usually don’t want to rollback to previous versi
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software
Fr2+XHeB8O8GTLqk7HgfdM8=
) ; KSK; alg = RSASHA256 ; key
id = 46144
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State o
en performing these tests.
Arguments against:
* Maybe I misunderstand, and such NS records aren't actually benign
Unknown:
* Does the answer change if we want to start signing either zone?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
joh
ned appserviceenvironment.net
names? Were you able to do it with your RPZ?
*
https://learn.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Admin
look at https://launchpad.net/~isc/+archive/ubuntu/bind I think
it is telling me that 1:9.18.16-1+ubuntu22.04.1+isc+1 should be available.
Has anyone successfully updated to 9.18.16 from this PPA? Can you
suggest what I'm doing wrong today?
--
--
Do things because you should, not just be
amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main
amd64 Packages
1:9.11.3+dfsg-1ubuntu1 500
500 http://azure.archive.ubuntu.com/ubuntu bionic/main amd64
Packages
--
Do things because you should, not just because you can.
John Thurston907-465
Welp, there I have it. I thought I had until April 2028 :(
Sorry for the noise.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 6/23/2023 12:04 PM, Ondřej Surý wrote
-
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software w
, and accept an NXDOMAIN with
confidence.
And since writing my earlier note, I have re-located the code I think I
stumbled across earlier
Tony Finch's "nsdiff"
https://dotat.at/prog/nsdiff/
--
Do things because you should, not just because you can.
John Thurston907-465
shing accurate PTRs from all of the
possible DNS services in the environment. But this is achievable, and
will address the problem (of our own making) which is causing pain.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
De
ittedly, the second and third hours were of diminishing value, as
my caffeine wore off and my frustration grew. After a night's sleep, and
a pot of fresh tea I figured it out.
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@ala
ones the best way to correct
this?
Or maybe add the un-used RFC 1918 zones to our RPZ?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/li
get, why should my clients be trusting *me* to validate them?
Can someone make a good case to me for continuing to perform DNSSEC
validation on my central resolvers?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.go
things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 2/26/2024 7:35 AM, Victoria Risk wrote:
The BIND 9.16 release branch is approaching EOL as of April, 2024. We
encourage users running 9.16 or
I can use dig to request a zone transfer:
dig AXFR foo.com
I am unable to find a simple way to craft a NOTIFY message. Can anyone
help me out?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
(i.e. We found what we wanted in the cache of bad
entries)
Can anyone confirm my hypothesis?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/ma
ssec-failed.org. IN A
;; ANSWER SECTION:
www.dnssec-failed.org. 7198 IN A 68.87.109.242
www.dnssec-failed.org. 7198 IN A 69.252.193.191
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Tue Apr 16 15:21:46 AKDT 2024
;; MSG
success
17-Apr-2024 08:40:40.323 validating dnssec-failed.org/DS: marking as
secure, noqname proof not needed
17-Apr-2024 08:40:40.323 validator @0x7fb8722b7a00:
dns_validator_destroy
17-Apr-2024 08:40:40.323 validating www.dnssec-failed.org/A: in
validator_callback_ds
17-Apr-2024 08:40:4
such
signatures. Is there a way to narrow it down?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 4/17/2024 9:21 AM, Ondřej Surý wrote:
Let me guess - you are running on RHEL (w
};
Can such forward-zones be defined in catalog-zones?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsu
will
notice it.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 5/5/2024 8:15 AM, Luca vom Bruch via bind-users wrote:
Hello,
I use bind (stock from alma 9.3) as a nameserver for
uld not just be hammered into our RPZ ?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
Assurance you are actually trying to compile current code.
A statement of what your operating system is.
Actual output of your compile steps.
Actual logged output of your attempt to launch.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs
It doesn't answer your original question, but I suggest looking at the
'algorithm' of that key.
Might it be a hmac-md5 ?
If you 'named-conf -px' does it appear in the list of keys?
--
Do things because you should, not just because you can.
John Thurston
ould, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 6/17/2024 2:32 AM, Michał Kępień wrote:
While I don't have a specific date for you, we plan to do such a
"rollover" again when BIND 9.20.1 or 9.20.
than expected
3. every query to the server will be slower than expected
4. something else
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 8/1/2024 2:03 PM, James Stegemeyer wrote:
broken trust chain resolving 'scra.dmdc.osd.mil/A/IN': 96.7.136.4#53
;; resolution failed: broken trust chain
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://list
When the answer contains an alias to some other
domain, my server hands that name back into its own recursing process.
Is there some way to configure BIND so it will simply pass back to the
customer whatever answer is received from the distant resolver?
--
--
Do things because you should, n
cause you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
Can those of you who care about performance, who have worked to improve
your performance, share some of your suggestions that have the most
impact? Please also comment if you thin
"yum
install"? Is it simpler than that?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mai
ded?
B) If so, which properties?
(FWIW, BIND version 9.11.24 on the primary and 9.16.8 on the secondary.)
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
__
having to download and compile the source
code?
Please take a look at the ISC "Software Collection":
https://copr.fedorainfracloud.org/coprs/isc/
We use those packages with CentOS 7 and 8 to deliver ISC BIND 9.11 and 9.16.
--
Do things because you should, not just because you can.
need to crank up the logging level for something?
If so, for what? and how high?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
offer up other linux distributions on which
they have had unqualified success with these same packages?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this
multaneous transfers?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubsc
u can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 12/11/2020 11:13 AM, John Thurston wrote:
Running BIND 9.16.9 on CentOS 8
I have the following in my .conf
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { &
ly, and quickly decided
that was a path to madness.
The only thing I can come up with is to activate dnstap, and have some
other process absorbing the data and spewing it directly to the central
syslogd.
--
--
Do things because you should, not just because you can.
John Thurston907-465-
When started for the first time, imfile will read the existing
file and start forwarding. If the query log already contains 800MB of
lines, those will all be read in and passed through the parser and
output modules.
--
Do things because you should, not just because you can.
John Thurston907
e. This would let
our monitoring application ask for "status" without also letting it ask
for "reload" or "flushname".
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
S
he two return
BIND 9.16.17 (Stable Release)
BIND 9.16.18-Ubuntu (Stable Release)
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
__
te the desired TXT
records, while letting the current key continue to work.
Is there a way to get the configuration I want? or must I make a
wholesale swap of each md5 key for something newer?
--
--
Do things because you should, not just because you can.
John Thurston907-465
e you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the dev
some validity checks
into your edit/deploy process.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org
On 11/10/2021 6:25 AM, Giddings, Bret wrote:
Is there any other facility for including effectively the same grant
statements within multiple zones?
I am not aware of any
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
ble?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from
On 11/16/2021 2:41 AM, Tony Finch wrote:
John Thurston wrote:
If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
to be sent for a specific record-type for a specific name:
foo.bar.com IN A 10.11.12.13
foo.bar.com IN TXT "Hello World"
But I
If you update your resolver to 9.16, I think you can do exactly what you
want with the "validate-execpt" option.
{rolls eyes} been there. done that. for exactly the same reason :/
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
Define an explicit forward-zone on the recursive server for
private.dns.com In the zone definition, put the addresses of the
servers which can answer for private.dns.com.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
s in those stupid domains; there must be an explicit 'forward' zone
defined.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
__
overed
by subscribing to 'announce' and 'user' mailing lists. I need to find
and plug this communication hole.)
B) What are the plans for the 'bind-esv' COPR? (Will it soon start
serving 9.16? Do I need to manually switch from 'bind-esv' to 'bind&#
Check the list archives beginning April 2021 for the thread:
Deprecating BIND 9.18+ on Windows (or making it community improved and
supported)
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
uot;db.localhost";
};
while 'ak.gov' is defined on the primary like so:
zone "ak.gov" {type forward;forward only;forwarders
{ 10..11.12.13; };
};
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...
On 2/9/2022 2:36 AM, Tony Finch wrote:
John Thurston wrote:
Are we not able to use catalog zones to propagate zone-configuration for
anything other than 'master' zones?
>
It is only for configuring authoritative secondary zones.
That's unfortunate, but thanks for t
command-line parameter, or compiled in), then named-checkconf isn't
going to help. To learn those, I think you'll need to query the
operating system for information about the specif process. I'd be
looking at pgrep and ps, but there's probably better ways to do it.
--
D
esv,
bind, and bind-dev
Is it reasonable to expect these changes will occur in about the middle
of the month?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lis
o the
zone transfers.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 9/6/2022 2:31 PM, Greg Choules via bind-users wrote:
Hi Michael.
Have you tried without the "allow-tran
version of BIND?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 12/7/2022 10:32 AM, Ben Bridges wrote:
The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5
server.
c/isc-bind/log/
Since I'm new the "Software Collection" paradigm, I don't know if this
is an acceptable location for my operational logs. Is that location
going to get trashed when I install the next update?
--
Do things because you should, not just because you can.
John
ner:group and permissions on /var/opt/isc/isc-bind/log?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.
next interactive
work, but I don't want my automated processes to stop working because
something will be going away at some point in the near future.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Depa
On a server with both static and dynamic zones, is there any reason to
perform an:
rndc sync
prior to issuing an:
rndc reload
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
s' list doesn't work.
Is there some way to do this?
alias { 10.10.1.2; 10.10.3.4; 10.10.5.6; }
zone "foo" {type forward; forwarders ( alias;}; };
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
ests to be addressed?
Is there a timeline somewhere?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/m
o'
and 'bar' back to the servers which are already answering for them?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Pl
lans to stabilize it?
Are there outstanding feature requests to be addressed?
Is there a timeline somewhere?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administra
make the "software
collection" concept meet our needs, and I'd dearly like to be able to
consider it stable.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
looked over the BIND release notes and don't see anything about a
change to the logging behavior. Did I miss something?
Or maybe some kernel (or other package) patch broke some dependency?
I'm looking for ideas here.
--
Do things because you should, not just because you can.
John
log path in my named.conf is currently set to a relative path
"../../log/query.log", but I could easily change it to an absolute path
"/var/log/named/query.log"
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
De
On 11/19/2019 8:34 AM, Reindl Harald wrote:
Am 19.11.19 um 18:23 schrieb John Thurston:
A) Should I expect these file permissions be altered by a minor update?
I know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10
without seeing this behavior.
yes, every by a package owned
e you leveraging your existing configuration management tools (e.g.
Puppet, Ansible, Chef)?
Have you rolled your own using git or rync?
Do you have a script to base64 an 'included' .conf into a TXT record, so
it can be consumed elsewhere?
--
--
Do things because you should, not just b
ormation. I do not like the idea of pulling information
from public DNS records for use as configuration data. While an
interesting idea at first glance, I don't think this looks like a good
idea when it is scrutinized.
--
Do things because you should, not just because you can.
John Thurst
t
Which makes my next question:
Will BIND even let me do this? Or will it the automation rake out
the expired records and refuse to serve them
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software w
* find both the new and the old RRSIG in my resolvers
Is there a simpler way to force an expired RRSIG into a response-set?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 2/7/2025 12:
+1 for Greg's suggestion.
You may want those services co-hosted today. But if you want to separate
them next year, your life will be easier if they had unique IP addresses
from the start.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.
IMO nothing.
If a client really wanted a meaningful answer for a .local name, it
wouldn't be asking your resolver the question; it would be making a
multicast-DNS query.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alask
ojects
may have been exposed?
--
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
IS
Thank you for the clear and concise explanation.
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 3/20/2025 8:42 AM, Ondřej Surý wrote:
On 20. 3. 2025, at 23:12, John Thurston
89 matches
Mail list logo
