Re: dig -t txt output variation

2012-03-10 Thread Kevin Darcy
On 3/9/2012 5:42 PM, Mark Andrews wrote: In message, "M. Meadows" writes: We've noticed that the following command gets a variable result: dig -t txt exacttarget.com @ns2.exacttarget.com +short We get 2 results from this. Seems to be somewhat random. They are: "v=spf1 a mx ip4:207.250.79.10

Re: Loadbalance caching dns server

2012-03-20 Thread Kevin Darcy
On 3/20/2012 5:19 AM, Matus UHLAR - fantomas wrote: On 20.03.12 14:41, trm asn wrote: Is there any mechanism to load balance Caching-DNS server. For example.. Cache-DNS1 : 192.168.1.98 Cache-DNS2: 192.168.1.99 Client : 192.168.1.199 When 192.168.1.199 sends 10 requests to query cache-dns then

Re: query issue

2012-03-29 Thread Kevin Darcy
On 3/29/2012 11:45 AM, Anand Buddhdev wrote: On 29/03/2012 17:35, Paul A wrote: Hi Paul, However when I query kingstonmass.org I don't see any returned answer and it eventually times out. 11:03:34.310559 2002:c690:8cc6:c:206:5bff:fe8e:334d.54795> b2.org.afilias-nst.org.domain: 54297 NS? king

Re: Slave zone configuration -- purpose of forward/forwarders?

2012-04-22 Thread Kevin Darcy
On 4/20/2012 10:55 AM, John Wingenbach wrote: I've noticed the support in ARM for specifying both the "forward" and "forwarders" configuration in a zone stanza for "slave" zones. What is the purpose and value of specifying such? It seems contradictory and confusing. Yes, it is confusing IMO

Re: How does a child find its parent?

2012-05-08 Thread Kevin Darcy
On 5/8/2012 1:56 PM, Mike Bernhardt wrote: Reading the section on delegation in the O'Reilly book, I'm confused about something: The parent is configured to delegate the subdomain to the child with glue records, etc. But how does the child know who to ask if a host in the subdomain requests a rec

Re: How does a child find its parent?

2012-05-08 Thread Kevin Darcy
Selective forwarding and stub zones are available in Microsoft DNS, or so I'm told... (Although I feel obligated to point out that this is a BIND-oriented list, so you may not get a lot of configuration advice for Microsoft products).

Re: DNS behind firewall

2012-05-20 Thread Kevin Darcy
On 5/20/2012 10:07 AM, Saif Ahmed wrote: Hi, I have configured an authoritative-only DNS. It responds well internally but does not answer public queries. options { directory "/etc/named"; // version statement - inhibited for security // (avoids hacking any known weaknesses) version "not cu

Re: Selective filtering of multi-address answers

2012-06-11 Thread Kevin Darcy
**Configure sortlists to push those bad A records to the end of the response. This may on the surface seem like a kludge, but remember, the whole point of sortlists is to give preference to certain addresses over others, and IMO, a working/reachable address is "preferred" over one that isn't wo

Re: Selective filtering of multi-address answers

2012-06-11 Thread Kevin Darcy
On 6/11/2012 5:29 PM, Andris Kalnozols wrote: On 6/11/2012 1:23 PM, Kevin Darcy wrote: **Configure sortlists to push those bad A records to the end of the response. This may on the surface seem like a kludge, but remember, the whole point of sortlists is to give preference to certain addresses

Re: Selective filtering of multi-address answers

2012-06-11 Thread Kevin Darcy
out all IP applications). This is relatively easy for TCP. https://www.isc.org/community/blog/201101/how-to-connect-to-a-multi-homed-server-over-tcp Mark In message<4fd66331.1050...@hpl.hp.com>, Andris Kalnozols writes: On 6/11/2012 1:23 PM, Kevin Darcy wrote: **Configure sortlists to

Re: Any Way to See IP Address of A record Addition or Deletion?

2012-06-28 Thread Kevin Darcy
On 6/28/2012 4:27 PM, Martin McCormick wrote: Is it possible to log the actual IP address of A records being added or deleted? The kind of log entry I refer to is as follows: client 192.168.103.93#26446: updating zone 'osu/IN': adding an RR at 'lse213_sharpmx5111n.cas.osu' A Is

Re: Using proxy DNS servers for bind as an alternative to slave servers.

2012-07-02 Thread Kevin Darcy
On 7/1/2012 2:42 PM, J P wrote: Hello all! I understand RFC compliant DNS servers use AXFR and IXFR for syncing between masters and slaves... and that this is the general scenario for that purpose. However, I need somebody to technically explain to me why can't I use a DNS resolver daemon s

Re: using 127.0.0.1 in resolv.conf

2012-07-23 Thread Kevin Darcy
We've been running with 127.0.0.1 in /etc/resolv.conf for years, on a wide variety of platforms (including Berkeley-derived ones), and never run into this bug. 127.0.0.1 in /etc/resolv.conf is good from a configuration-consistency standpoint: it helps prevent the fairly-common accident where

Re: PATCH: dig warn user when querying ANY towards recursive server (fwd)

2012-07-23 Thread Kevin Darcy
On 7/22/2012 7:27 PM, Andris Kalnozols wrote: On 7/22/2012 10:19 AM, Paul Wouters wrote: (I don't think this made it to the list before, mixup of email addresses) Please consider including this patch, Paul -- Forwarded message -- Date: Mon, 2 Jul 2012 17:45:08 From: Paul Wo

Re: PATCH: dig warn user when querying ANY towards recursive server (fwd)

2012-07-23 Thread Kevin Darcy
On 7/23/2012 6:23 PM, Kevin Darcy wrote: On 7/22/2012 7:27 PM, Andris Kalnozols wrote: On 7/22/2012 10:19 AM, Paul Wouters wrote: (I don't think this made it to the list before, mixup of email addresses) Please consider including this patch, Paul -- Forwarded me

Re: "Nintendo"('s NSes) are asking my IP for it's rdns

2012-07-25 Thread Kevin Darcy
I'm assuming this "greatunwashed" view has recursion turned off, right? If so, then the following approaches come to mind: a) create a master zone for 5.37.58.216.in-addr.arpa in the non-recursive view, putting the PTR record at the apex b) become a "stealth" (unpublished) slave for 5.37.58.216.

Re: SRV query with no domain?

2012-08-15 Thread Kevin Darcy
There's no point in answering a "domain-less" SRV-record query, since the whole point of the SRV record type is to allow clients to find resources associated with a particular domain (and protocol/transport). You need to set the proper domain on the client doing the lookup. - Kevin

Re: SRV query with no domain?

2012-08-15 Thread Kevin Darcy
sue as I would expect the P-CSCF to get that NXDOMAIN and be able to handle it, likely an openims bug. thanks for all your replies!!! On Wed, Aug 15, 2012 at 10:57 AM, Kevin Darcy <k...@chrysler.com> wrote: There's no point in answering a "domain-less" SRV-record

Re: repeated several times request

2012-08-20 Thread Kevin Darcy
BIND does not control what DNS queries clients send to it. That's a client configuration issue. My preference is to not have any domain suffixing at all (the practice leads to waste and inefficiency on the infrastructure side, and potential security issues), but obviously not everyone shares th

Re: How to validate SRV record?

2012-08-23 Thread Kevin Darcy
On 8/23/2012 6:09 PM, Kevin Oberman wrote: On Thu, Aug 23, 2012 at 8:52 AM, Nikolay Shaplov wrote: Hi! I am trying to write a validator for the name field of an SRV record, and I met several issues I cannot understand. Maybe you can help me with that. 0. Bind does not really validate name of SRV r

Re: How to validate SRV record?

2012-08-23 Thread Kevin Darcy
On 8/23/2012 6:46 PM, Kevin Darcy wrote: On 8/23/2012 6:09 PM, Kevin Oberman wrote: On Thu, Aug 23, 2012 at 8:52 AM, Nikolay Shaplov wrote: Hi! I am trying to write a validator for the name field of an SRV record, and I met several issues I cannot understand. Maybe you can help me with that. 0

Re: How to validate SRV record?

2012-08-24 Thread Kevin Darcy
Fine, the validator would confirm that the SRV's owner name is compliant with RFC 6335, no more, no less. - Kevin On 8/23/2012 7:01 PM, Doug Barton wrote: On 8/23/2012 3:49 PM, Kevin Darcy wrote: Sorry, I meant to say that it's pretty clear that it *restricts* what

Re: How to validate SRV record?

2012-08-26 Thread Kevin Darcy
I wouldn't assume that BIND would _unconditionally_ reject non-RFC-6335-compliant names. check-names can be set to warn, fail or ignore. - Kevin On 8/25/2012 2:31 AM, Kevin Oberman wrote: On Fri, Aug 24, 2012 at 8:38 PM, Kevin Darcy wrote:

Re: ho to filter hundeds of domains ?

2012-08-30 Thread Kevin Darcy
On 8/30/2012 10:33 AM, Rick Coloccia wrote: add this line to /etc/named.conf include "locallyblockeddomains.zones"; contents of locallyblockeddomains.zones: // This bind zone is intended to be included in a running dns server for a local net // // It will return a 127.0.0.1 for the domains

Re: ho to filter hundeds of domains ?

2012-08-31 Thread Kevin Darcy
On 8/31/2012 2:50 AM, sth...@nethelp.no wrote: Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibi

Re: ho to filter hundeds of domains ?

2012-08-31 Thread Kevin Darcy
On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote: On 08/31/2012 08:22 AM, Kevin Darcy wrote: On 8/31/2012 2:50 AM, sth...@nethelp.no wrote: Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost i

Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Kevin Darcy
On 9/5/2012 10:19 AM, Mark Andrews wrote: In message <7e1c5160a2aa122a39e879c8343bf459.squir...@webmail.aminor.no>, "Eivind Olsen" writes: Mark Andrews wrote: SunOS 5.8 is ancient (12+ years old) and no longer supported by Oracle. I can't remember which version of BIND 8, SunOS 5.8 shipped with

Re: Host sometimes Succeeds with Empty Output

2012-09-14 Thread Kevin Darcy
On 9/14/2012 10:48 AM, Martin McCormick wrote: I needed to delete the CNAME record of physicscourses.okstate.edu. After the deletion, the host command would silently exit successfully as if this alias was still there. I have seen this behavior a few times before but am not sure what triggers it a

Re: Host sometimes Succeeds with Empty Output

2012-09-14 Thread Kevin Darcy
On 9/14/2012 2:05 PM, Martin McCormick wrote: Kevin Darcy writes: I don't use "host" very much, but I would assume it returns a "successful" exit code as long as the RCODE of the response is NOERROR. This would explain the behavior you are seeing,

Re: question about how a particular dig works ...

2012-09-18 Thread Kevin Darcy
On 9/18/2012 9:45 AM, M. Meadows wrote: dig www.careerone.com.au +short @8.8.8.8 www.careerone.com.au.edgesuite.net. a903.g.akamai.net. 208.44.23.99 208.44.23.121 Why does the above dig work when dig careerone.com.au +nssearch @8.8.8.8 SOA dns0.news.com.au. hostmaster.news.com.au. 2012082200 3

Re: question about how a particular dig works ...

2012-09-18 Thread Kevin Darcy
On 9/18/2012 12:59 PM, M. Meadows wrote: Thanks Kevin. I understand how the chained alias works. Sorry, I didn't explain my question very well. I can see that the 8.8.8.8 google public dns server gets an answer. I know that this domain has a cname coexisting with an SOA record and NS record

Re: error (unexpected RCODE REFUSED) resolving

2012-10-12 Thread Kevin Darcy
On 10/12/2012 12:28 PM, James Tingler wrote: Hello, I'm getting what appears to be a common "error (unexpected RCODE REFUSED) resolving" error. My research has led me to disable IPv6 when starting the named service with "named -4" as it could be related to IPv6 broken connectivity (of which

Re: error (unexpected RCODE REFUSED) resolving

2012-10-12 Thread Kevin Darcy
360 IN 2001:dc3::35 ;; Query time: 147 msec ;; SERVER: 198.41.0.4#53(198.41.0.4) ;; WHEN: Mon Feb 18 13:29:18 2008 ;; MSG SIZE rcvd: 615 "named.ca" 52L, 1892C >>> "Kevin Darcy" 10/12/2012 1:20 PM >>> On 10/12/2012 12:28 PM, James Tingle

Re: ISC Bind in Active Directory

2012-10-18 Thread Kevin Darcy
You should think of DNS hosting, DNS resolution and DHCP, as separate services that can either be put together on a single platform, or run on separate platforms in various combinations, interoperating with each other. Another important factor is whether your AD domain is colocated with a bunch

Re: ISC Bind in Active Directory

2012-10-24 Thread Kevin Darcy
On 10/24/2012 9:50 AM, Nicholas F Miller wrote: On Oct 24, 2012, at 7:12 AM, Matus UHLAR - fantomas wrote: We use Bind for all DNS including DDNS for our AD. We use GSS-TSIG to control what record types and machines can make dynamic updates to our AD zone. We use ISC's DHCP but don't allow it

Re: ISC Bind in Active Directory

2012-10-25 Thread Kevin Darcy
On 10/24/2012 6:02 PM, Phil Mayers wrote: Hell, if you've got WINS running and broadcast netbios, I think it's still possible to log in with *no* working DNS at all. At the risk of getting *totally* off-topic, no-one who cares about security or about broadcast traffic on their LANs would ev

Re: Delegations

2012-10-31 Thread Kevin Darcy
On 10/31/2012 5:15 PM, Phil Mayers wrote: On 10/31/2012 06:51 PM, Doug Barton wrote: It may or may not be strictly necessary to do this depending on everything else you have in the zone, but it's safer in the long term to do it this way. Are you suggesting it's best if the OP creates "l2.exam

Re: Need to improve named performance

2012-11-11 Thread Kevin Darcy
On 11/10/2012 1:39 PM, Ed LaFrance wrote: Hello all - First post to this list, hope I'm in the right place. Running BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5 on a quadcore xeon server (3Ghz) with 2GB RAM. Named is being used only for rDNS queries against our address space. The issue is that name

Re: User wanting to use a .local domain to host DNS

2012-11-14 Thread Kevin Darcy
The .local TLD is "reserved" for link-local names, in the context of multicast DNS ("mDNS"), however, I don't think mDNS has progressed beyond the Internet Draft stage of the IETF Standards Track process. See http://www.multicastdns.org for latest updates. It would be imprudent to use .local f

Re: User wanting to use a .local domain to host DNS

2012-11-14 Thread Kevin Darcy
On 11/14/2012 10:08 AM, Tony Finch wrote: King, Harold Clyde (Hal) wrote: I'm a bit confused by a user request. I think he is trying to keep some hosts on the private side of DNS, but he wants to use a DNS name like host.sub.local. I do not know of the use of the .local TLD except in Bonjour.

Re: "Short" domains...

2012-12-18 Thread Kevin Darcy
On 12/17/2012 11:04 AM, Ray Van Dolson wrote: I'm not sure quite how to properly describe this, and as a result my searches aren't turning up much To support a legacy app, I need to have a domain defined called "selfservice" so I can support resolution of "www.selfservice". Yes, no trailing

Re: Name resolution fails if not forwarding

2013-01-08 Thread Kevin Darcy
On 1/8/2013 9:35 AM, Daniele wrote: If I use BIND9 forwarding all the queries not belonging to my local zones, it works. But if I don't forward those queries, `dig` sometimes (and this is weird) fails (with "connection timed out; no servers could be reached") and the logs are full of "lame s

Re: Sharing zones between views to conserve memory

2013-01-09 Thread Kevin Darcy
On 1/9/2013 10:57 AM, Carl Byington wrote: On Wed, 2013-01-09 at 14:37 +0200, Jan Gutter wrote: So, here's my question: is there a way to share zones between views to conserve memory? One way is to put the master copy of those large zones in one vi

Re: transparently forwarding a zone

2013-01-18 Thread Kevin Darcy
What do you have against Internet clients querying the storage device? It's obvious that the storage device wants to serve that part of the DNS namespace. If you don't want the clients to query the device "directly" you could do it through a NAT, or proxy, or whatever. Anything other than "dire

Re: IPv6 Only NS

2013-02-07 Thread Kevin Darcy
On 2/7/2013 1:42 PM, Matt wrote: I am using Bind for caching only. Currently my VM only has IPv4 access. Is there a way to selectively forward any requests that only have IPv6 nameservers to another DNS server that is dual stacked? Hmmm... Is anyone actually publishing IPv6-accessible nameserve

Re: IPv6 Only NS

2013-02-08 Thread Kevin Darcy
On 2/8/2013 10:44 AM, Matt wrote: Also, is there a way to specify a backup parent NS and ONLY use it if primary fails? Do you mean "NS" here? Or "forwarder"? I know of no way to manually "preference" the forwarders in a list, although you might find that the forwarder that responds fastest -- an

Re: name caching and forwarding

2013-02-26 Thread Kevin Darcy
On 2/26/2013 11:39 AM, Robert Moskowitz wrote: On 02/26/2013 11:14 AM, Phil Mayers wrote: On 26/02/13 16:07, Robert Moskowitz wrote: And I am having challenges with the forward option. It reads that 'forward only' will always ask the forwarder about the query and seems to defeat caching? An

Re: bind returns with localdomain.com with out DOT at the end of the domain

2013-02-28 Thread Kevin Darcy
This is a combination of a) your client appending a search suffix *before* looking up the fully-qualified domain name _as_is_, and b) your local nameserver, or something in your forwarding path (if you have one), having a local definition of localdomain.com with a wildcard entry in it You cou

Re: 3rd party CNAMEs and open recursion

2013-03-04 Thread Kevin Darcy
On 3/4/2013 3:26 PM, Verne Britton wrote: On 3/4/2013 2:45 PM, Barry Margolin wrote: In article , Verne Britton wrote: I have been testing and testing and either just don't see what I'm doing wrong, or have a learning block :-) current thinking is that an open recursion DNS server is bad

Re: Blocking private addresses with a optionq

2013-03-14 Thread Kevin Darcy
On 3/14/2013 6:29 AM, Tony Finch wrote: King, Harold Clyde (Hal) wrote: Is there an option for bind like the allow-recursion { } For blocking out going records of 10.0.0.0/8 and 192.168.0.0/16 so I could do a view like: I'm not sure what you mean by "blocking out going records" but there ar

Re: Dig for link-local

2013-03-22 Thread Kevin Darcy
I'm not sure what you're asking, exactly. Are you surprised that named would respond on an IPv6 link-local address if configured with "listen-on-v6 { any; };"? - Kevin On 3/22/2013 5:35 AM, Alok Raj wrote: Hi, How is the dig command able to resolve an IP using a link-local address, /etc/r

Re: Dig for link-local

2013-03-25 Thread Kevin Darcy
Works fine for me on RedHat 5.7 without a scope-identifier in /etc/resolv.conf. I notice, however, that the stock dig (9.3.6-P1-RedHat-9.3.6-16.P1.el5, yeah, I know I should upgrade) shows the scope identifier in its output: ;; SERVER: fe80::250:56bf:fe8d:47b%2#53(fe80::250:56bf:fe8d:47b) so

Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Kevin Darcy
On 3/28/2013 3:28 PM, Ben-Eliezer, Tal (ITS) wrote: Hello, My organization is evaluating the use of split-view DNS in our environment. One of the challenges I've yet to overcome in my trials, is the ability to minimize the administrative overhead of maintaining two copies of the zone. Up

Re: Forward First on Master Zone (bypass SOA)

2013-03-31 Thread Kevin Darcy
On 3/29/2013 6:12 PM, Lawrence K. Chen, P.Eng. wrote: - Original Message - On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote: I’ve spent hours researching a way to accomplish this without any luck. Is there any way to accomplish what I’m trying to do? No, not unless you want

Re: BIND 9.8.2: forward zone not working

2013-04-01 Thread Kevin Darcy
On 3/19/2013 8:30 PM, Gerry Reno wrote: On 03/19/2013 08:10 PM, b...@bitrate.net wrote: On Mar 18, 2013, at 23.04, Gerry Reno wrote: On 03/18/2013 10:25 PM, b...@bitrate.net wrote: On Mar 18, 2013, at 20.27, Gerry Reno wrote: Using BIND 9.8.2 When you setup Samba 4 AD DC using BIND9_DLZ

Re: Forward First on Master Zone (bypass SOA)

2013-04-01 Thread Kevin Darcy
On 3/29/2013 12:09 AM, Doug Barton wrote: On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote: My organization is evaluating the use of split-view DNS in our environment. Simple ... don't do it. It's almost never the right answer, and as you're learning carries with it more administrative ov

Re: Forward First on Master Zone (bypass SOA)

2013-04-03 Thread Kevin Darcy
On 4/2/2013 2:00 AM, Doug Barton wrote: On 04/01/2013 11:46 AM, Kevin Darcy wrote: On 3/29/2013 12:09 AM, Doug Barton wrote: On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote: My organization is evaluating the use of split-view DNS in our environment. Simple ... don't do it. It

Re: “Foreign” name in the reverse lookup zone

2013-04-17 Thread Kevin Darcy
You can point PTR records anywhere you want. In fact, there's nothing that even says that PTR records are limited to representing reverse mappings, or that they can only appear in the in-addr.arpa hierarchy. Strictly speaking, they're just name-to-name mappings, _sans_ the special "aliasing" fu

Re: BIND 9.5.0 DoS?

2013-04-23 Thread Kevin Darcy
Of course it's readable; your packet decoder isn't particularly smart, however. You might want to consider saving off the capture and viewing it in something like Wireshark. In any case, you're returning 4 RRSIG records (that's what type 46 is), all 13 root NSes in the Authority Section, and a

Re: Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Kevin Darcy
The last (and presumably final) point release (6.5) of NetWare was in 2003, only 4 years after RFC 2671. Just saying... - Kevin On 4/30/2013 7:08 PM, Pascal wrote: Thank you. That does appear to be the problem. -Pascal On 4/30/2013 5:

Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Kevin Darcy
On 5/20/2013 11:36 AM, Chris Buxton wrote: On May 20, 2013, at 12:51 AM, Narcis Garcia wrote: - Yes, I thought about not using DNS from the same internet provider, but wanted to know if there is a way to patch only the .local response. - This is the configuration I use in one of the LANs: vi

Re: Negative zones; NXDOMAIN responses

2013-05-21 Thread Kevin Darcy
Ugh, I'm trying _really_ hard not to be an annoying nitpicker (yeah, I know, try harder :-), but... The relevant verbiage of RFC 6762 is: Caching DNS servers SHOULD recognize these names as special and SHOULD NOT attempt to look up NS records for them, or otherwise query authoritative

Re: Authoritative internal server - how do I get rid of...

2013-05-21 Thread Kevin Darcy
The rule of thumb is: BIND instances need access to a root zone. Either a) you forward for it, or b) you are authoritative (master or slave) for it, or c) you're set up as a "stub" for it, d) you prime it via the contents of an explicitly-configured "hints" zone, or e) you use the compiled-in In

Re: [Architecture discussion] IPv6 and best practices for DNS naming and the MX/SMTP problem

2013-05-28 Thread Kevin Darcy
On 5/26/2013 2:36 PM, Andreas Meile wrote: Hello BIND users The following post discusses some more complex questions in the context of enabling dual-stack in corporate networks. It's very TCP/IP generic but has also a lot to do with DNS (and of course BIND which I use to implement it => all example

Re: does zone trump forward?

2013-06-03 Thread Kevin Darcy
Why would you use forwarding over links that are "neither fat nor reliable"? Are you a masochist? Replication of the data is much recommended over such links... As for your "pecking order", what distinction are you drawing between forwarding and recursion? Forwarding is recursive. The high-lev

Re: Queries using forwarders

2013-06-03 Thread Kevin Darcy
The point of being authoritative is to have a full copy of the zone, so that one is basically autonomous, not dependent on anyone else to resolve names in the zone. In BIND terms, that means "type master" or "type slave". That's why authoritative zones "override" forwarding, since forwarding is

Re: does zone trump forward?

2013-06-04 Thread Kevin Darcy
in response to a question from the field. I was certainly not recommending a configuration. Not everyone has to deal with these issues in a clinical environment. I do. Alan *From:*bind-users-bounces+ashackel=jhmi@lists.isc.org [mailto:bind-users-bounces+ashackel=jhmi....@lists.isc.org]

Re: Can I change the zone file from command line?

2013-07-23 Thread Kevin Darcy
I'm not sure I understand your concern. nsupdate will only update the records you tell it to update. So, if you have a "static" record, then don't target it with nsupdate and you should be fine. When you dial a telephone number, do you worry that your dialing may have "consequences" against te

Re: Can I change the zone file from command line?

2013-07-24 Thread Kevin Darcy
On 7/24/2013 5:50 AM, Stephane Bortzmeyer wrote: On Tue, Jul 23, 2013 at 02:30:49PM -0400, Kevin Darcy wrote a message of 565 lines which said: When you dial a telephone number, do you worry that your dialing may have "consequences" against telephone numbers that you *didn'

Re: duplicate records

2013-08-20 Thread Kevin Darcy
Since such behavior would flagrantly violate RFC 2181, Section 5, look for a version prior to the publication date of that RFC (July 1997). - Kevin On 8/20/2013 3:14 PM, Nidal Shater wrote: we know that BIND eliminates duplicate records, which version of BIND that doesn't do

Re: Strange problem with a query deleting a record...

2013-08-23 Thread Kevin Darcy
On 8/22/2013 12:55 PM, jo...@primebuchholz.com wrote: Greetings All, First of all, I apologize if this is out of place - I'm having a very strange issue that is either a problem with bind itself, or at least, affecting it. Summary: For only ONE address, whenever I attempt to access it through

Re: redirecting root hints to fake internal root server

2013-08-27 Thread Kevin Darcy
On 8/27/2013 1:07 PM, Colin Harvey wrote: My environment is firewalled from the real world. For queries on zones to which I'm not master, I want to recurse to a corporate server. nslookup some.internal.hostname.com internal.corporate.server works fine. nslookup is a terrible DNS troubleshooti

Re: redirecting root hints to fake internal root server

2013-08-28 Thread Kevin Darcy
On 8/28/2013 5:25 AM, Cathy Almond wrote: On 27/08/13 21:28, Kevin Darcy wrote: On 8/27/2013 1:07 PM, Colin Harvey wrote: My environment is firewalled from the real world. For queries on zones to which I'm not master, I want to recurse to a corporate server. nsl

Re: SERVFAIL when two SOA in the domain

2013-08-29 Thread Kevin Darcy
When RFC 1035 was written, the strict rules between SHOULD/MUST didn't yet exist. That "should" is to be considered a MUST from the standpoint of modern RFCs. - Kevin On 8/29/2013 2:31 PM, Steven Carr wrote: On 29 August 2013 19:22, Stephane Bortzmeyer wrote: I'm not sur

Re: detect if zone/s is frozen

2013-09-03 Thread Kevin Darcy
On 9/3/2013 5:24 PM, Mike Hoskins (michoski) wrote: -Original Message- From: /dev/rob0 Organization: RTFM Reply-To: "bind-users@lists.isc.org" Date: Tuesday, September 3, 2013 5:17 PM To: "bind-users@lists.isc.org" Subject: Re: detect if zone/s is frozen On Tue, Sep 03, 2013 at 12:3

Re: bind/sendmail resolving.. (NXDOMAIN)

2013-09-20 Thread Kevin Darcy
"host" performs A, AAAA, and MX queries, by default. If you want to limit it to a specific query type, use the "-t" option. Having said that, I didn't get an NXDOMAIN for any of the query types, from any of the delegated nameservers, when using dig, but I'm getting SERVFAILs when using host, *a

Re: forwarders and zone transfer to the same set of servers

2013-09-30 Thread Kevin Darcy
On 9/28/2013 12:31 PM, sar...@slashroot.in wrote: Hi Team, I have an architecture where I have one bind server that is forward-only and is authoritative for a domain ab.dc.example.com. It should forward all requests other than those it is authoritative for (ab.dc.example.com) to a set of servers.

Re: Recursive server forwarding dynamic updates

2013-10-03 Thread Kevin Darcy
As others have pointed out, "allow-update-forwarding" only works for slaves. Yet another reason to go with a large-authoritative-core approach, instead of stringing stuff together with recursive arrangements. Would you rather build an enterprise-strength DNS infrastructure from fragile filamen

Re: Refreshing cache in other DNS servers

2013-10-15 Thread Kevin Darcy
There's no way within the DNS protocol itself to reach out and tell a nameserver to purge an entry in its cache that hasn't expired yet. There are "out of band" ways: e.g. restart, recycle, rndc commands, etc. All of those require admin access to the nameserver instances in question. But nothi

Re: Performance Tuning RHEL 5 and Bind

2013-10-22 Thread Kevin Darcy
Are these queries mostly for names in an Active Directory domain? The default for Active Directory is for *every* Domain Controller to register NS records at the apex of the AD domain. Pretty soon, for any reasonably-sized AD infrastructure, all of those NSes cause *all* queries for *any* name

Re: zone delegation/forwarding in a non-recursive view

2013-10-25 Thread Kevin Darcy
Although you lump them together, forwarding and delegation are very different things. Forwarding is a way to bypass the normal resolution mechanism, forcing your resolver to essentially "daisy-chain" recursion on behalf of a requesting recursive client. Another way to put it, is that you're d

Re: stealth with views?

2013-11-07 Thread Kevin Darcy
There's no requirement that the contents of SOA.MNAME have a matching A record in the zone. Even if such a formal requirement existed, you might be able to satisfy it by putting an A record of 0.0.0.0 in the zone. That doesn't expose much :-) If you're paranoid about zone expiration, tune the

Re: DNS with several ip adessess

2014-01-03 Thread Kevin Darcy
Views are like any advanced technology or technique in IT: if understood and used properly, they can be a big benefit; poorly understood and/or implemented, they can create a huge, unsupportable mess. I try to keep the number of views to a minimum, but given the complexity I have to deal with,

Re: DNS with several ip adessess

2014-01-03 Thread Kevin Darcy
On 1/2/2014 5:47 PM, Johan Ihrén wrote: On 02 Jan 2014, at 16:37 , Alan Clegg wrote: On Jan 2, 2014, at 9:19 AM, wbr...@e1b.org wrote: Use views Views +1 When were views added to BIND? We started using multiple servers in BIND 4, and I don't recall views being available back then, b

Re: DNS with several ip adessess

2014-01-09 Thread Kevin Darcy
nment is to have no views at all (or, technically, only the "default" view), but I won't hesitate to implement views where they make sense as temporary "bridge" measures and/or for legitimate business reasons. - Kevin On 1/3/2014 6:20 PM, Johan Ihrén wrote: Hi, On

Re: Sites that points their A Record to localhost

2014-01-14 Thread Kevin Darcy
If the domain owner *really* feels that they have to publish *some* address record for a particular name, but there is no available service at that name, then the null or "unspecified" address (IPv4 = 0.0.0.0, IPv6 = ::0) is the appropriate value to put there. Loopback is anti-social; an appar

Re: additional section policy

2014-01-21 Thread Kevin Darcy
If the names of the referred nameservers are in the domain of the referral (e.g. *.example.com nameservers referred for the example.com delegation), then it is *mandatory* to fill in the Additional Section with the relevant A/AAAA address records, since there is no other way for the referral to

Re: how to modify the cache

2014-02-17 Thread Kevin Darcy
Ugh, that mixes apples (recursive resolution) and oranges (iterative resolution). Use a "stub" zone if you want to "override" published NSes _without_ crossing the very-important boundary between iterative and recursive resolution. - Kevin On 2/17/2014 4:09 AM, Steven Carr wrote: O

Re: how to modify the cache

2014-02-17 Thread Kevin Darcy
... - Kevin On 2/17/2014 5:44 PM, Doug Barton wrote: On 02/17/2014 11:37 AM, Kevin Darcy wrote: Ugh, that mixes apples (recursive resolution) and oranges (iterative resolution). Out of curiosity, what bad thing do you think will happen if you mix these two

Re: how to modify the cache

2014-02-17 Thread Kevin Darcy
ive to forwarding, than to complain about "mixing". - Kevin On 2/17/2014 5:56 PM, Kevin Darcy wrote: Bad performance, bad reliability, clandestine IP-over-DNS tunnels between networks that are supposed to be isolated... Is that enough? Understanding the pros and cons of iterative versus rec

Re: how to modify the cache

2014-02-17 Thread Kevin Darcy
Indeed. Regular "stub" only overrides the parent's delegation NS records; "static-stub" overrides the apex NS records of the zone as well. My uses of the words "stub" (which I intended to cover both forms of "stub"bing) and "published" (which I intended to cover both the delegating and apex rec

Re: how to modify the cache

2014-02-19 Thread Kevin Darcy
Not a good solution. Even under "normal" circumstances, there will be temporary bottlenecks, dropped packets, etc.. that will trigger failover and users will get different answers at different times. Not good for support, maintainability, user experience/satisfaction, etc. If all you want is r

Re: how to hidden the salve

2014-02-20 Thread Kevin Darcy
uired by local DNS server only when all name servers in the NS records are out of service ( maybe in case of ddos attack). Guanghua -- On 2/19/2014 11:54 AM, Kevin wrote: Date: Wed, 19 Feb 2014 11:54:44 -0500 From: Kevin Darcy To: bind-users@lists.isc.org Subject

Re: how to hidden the salve

2014-02-24 Thread Kevin Darcy
records. Also-notify directive. Either in an options stanza or a zone stanza. > > thanks, > Guanghua -- Daniel J McDonald, CISSP # 78281 > Date: Thu, 20 Feb 2014 10:48:36 -0500 > From: Kevin Darcy > To: bind-users@lists.isc.org > Subject: Re: how to hidden the salve >

Re: how to hidden the salve

2014-02-25 Thread Kevin Darcy
ic NSs are out of service. Thanks! Guanghua > Date: Mon, 24 Feb 2014 13:41:03 -0500 > From: Kevin Darcy > To: bind-users@lists.isc.org > Subject: Re: how to hidden the salve > Message-ID: <530b923f.8070...@chrysler.com> > Content-Type: text/plain; charset="iso-8859-

Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?

2014-03-10 Thread Kevin Darcy
Options: 1) Change nameservice-switch order (e.g. /etc/nsswitch.conf) on your hosts to prefer another source of name resolution (e.g. /etc/hosts) which can resolve the shortname. Thus DNS is never used for these lookups 2) Simply :-) change your DNS architecture fundamentally, from one which f

Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?

2014-03-10 Thread Kevin Darcy
On 3/10/2014 6:05 PM, Andreas Ntaflos wrote: On 2014-03-10 22:23, Kevin Darcy wrote: Options: First, thanks a lot for the reply! So it seems what I described is indeed the expected behaviour for the type of DNS we operate? 1) Change nameservice-switch order (e.g. /etc/nsswitch.conf) on

Re: How to create a fake root server?

2014-03-12 Thread Kevin Darcy
First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and for all you know, .loc might be one of them. If .loc gets established on the Internet, and you're using it internally, that presents abundant opportunities for confus

Re: How to create a fake root server?

2014-03-13 Thread Kevin Darcy
t. . 3600 NS another.example.net. server.example.net. 3600 A 1.2.3.4 another.example.net. 3600 A 1.2.3.5 It's for a school project. Regards, Peter On 12/03/14 19:56, Kevin Darcy wrote: First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN f

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Kevin Darcy
On 3/14/2014 8:28 AM, Maren S. Leizaola wrote: Hello, What do you guys recommend to audit every resource record in a zone file against all the records in all the DNS servers that host the zone file. I want something that I feed the master zone file and then goes to each NS serv
