Justin Krejci wrote:
>
> So I am wondering if this is normal/expected behavior for BIND and if so
> should debug logging or named-checkzone with debugging be able to
> identify this as the problem. Or am I missing something else altogether?
With bind-9.7.3, I get the following log messages with t
hostmas...@g-net.be wrote:
>
> The reason I ask is because I'm setting up a DNS sec server and for easy
> key rollover and manageability I have created several new directories on
> a usb stick for example. Key files and zone files now all have 774
> permissions , owned by bind:bind , but I was won
hostmas...@g-net.be wrote:
>
> 4 dr--r--r-- 2 bind bind 4096 2011-04-18 14:50 .
You should set execute permission on the directory so that bind can
traverse it.
Tony.
--
f.anthony.n.finch http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Ma
On 20 Apr 2011, at 01:11, Mark Andrews wrote:
> In message <4dadfb29.6080...@dougbarton.us>, Doug Barton writes:
>> I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled
>> against openssl 1.0.0d not being able to chroot unless they copy
>> $PREFIX/lib/engines/libgost.so into t
Adam Goodall wrote:
>
> This certainly seems to have solved the problem. I'm not convinced I
> understand why it didn't work the way I was trying, but this is a perfectly
> acceptable alternative - thanks for your help!
A server that you forward queries to is expected to be a recursive server.
Th
rams wrote:
> How to declare multiple signed key paths in key-directory? When I declare as
> follows, named is not starting.
>
> key-directory {"/var/named/zones";"/root/ramesh/Largezone";}
You can specify a key-directory inside a zone statement if you want the
keys for that zone to be stored in a
Karl Auer wrote:
>
> Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on
> a particular domain, namely "mailergoat.rsi.co.jp". But from other
> places, we get NOERROR (which is the correct answer, because there is a
> A record with that name). However, from some places outside
A couple of problems:
Firstly, if you are running chrooted and have a recent version of OpenSSL
installed, you must either copy the OpenSSL gost cipher engine loadable module
into your chroot, or hack the build scripts to disable gost support. The
easiest way to do this is to make the obvious o
> A couple of problems:
>
> Firstly, if you are running chrooted and have a recent version of
> OpenSSL installed, you must either copy the OpenSSL gost cipher engine
> loadable module into your chroot, or hack the build scripts to disable
> gost support. The easiest way to do this is to make the o
Marc Lampo wrote:
> Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ...
>
> 4 DS's in total,
> for each KSK 1 DS with SHA-1, one with SHA-2
> for one KSK, the algorithm used was changed from 5 to 8.
As I understand it the problem that Stephane reported occurred when the
sing
Juergen Dietl wrote:
>
> I run bind 9.8 with GSS-TSIG in several domains with update-policy list
> for secure updates and all is working fine. Before, my bind was in a
> CHROOT environment. But with using GSS-TSIG it seems to need a lot more
> libraries.
Did it stop working when you upgraded to BIN
Carl Byington wrote:
>
> ns.il. 86400 IN CNAME relay.huji.ac.il.
> il. 86400 IN NS nse.ns.il.
>
> With that cname, how are NS records like nse.ns.il supposed to work?
The presence of a CNAME at a name has no effect on subdomains of that na
Barry Finkel wrote:
>
> I am not sure how to decode the .jnl file; I have not looked at the code
> in detail.
Try the named-journalprint program. You can also try named-compilezone -j
which applies the journal to the master file.
Tony.
Phil Mayers wrote:
>
> This might be the problem resolving CNAMEs that was discussed on the list
> recently:
>
> https://lists.isc.org/pipermail/bind-users/2011-May/thread.html#83714
>
> "Bind 9.8.0 intermittent problem with non-recursive responses"
>
> It was fixed in 9.8.1
But note that the cur
Niobos wrote:
>
> However, I don't see any security-benefits in this scenario: If the attacker
> gets hold of the credentials to update the zone dynamically, he can do so in
> both cases (KSK online or offline). If your server is compromised, he can
> add/remove records in both cases. In case of Z
Spain, Dr. Jeffry A. wrote:
>
> I'm sure I could solve this by removing all of the DNSSEC data and
> resigning the zone, but would prefer not to do this except as a last
> resort. If anyone has troubleshooting suggestions or other insights, I
> would be grateful for those. Thanks.
What does `rndc
Daniel McDonald wrote:
> I set up a zone with dnssec, and wanted to verify that it was working
> properly. But I appear to have trouble with the root KSK.
>
> $ dig +dnssec danmcdonald.us +topdown
>
> ;; No trusted key, +sigchase option is disabled
>
> Any advise as to what I might be doing wron
Cathy Zhang wrote:
> # Check direct query for RRSIG: If it's not cached with other records,
> # it should result in an empty response.
>
> Why shouldn't recursive server return RRSIG RRs to the client?
An RRSIG is part of the RRset that it signs, and the whole thing must
travel together
Daniel McDonald wrote:
>
> 08-Jul-2011 08:55:58.700 dnssec: info: validating @0xb4260ad8:
> ips.backscatterer.local SOA: got insecure response; parent indicates it
> should be secure
>
> I'm not really certain which parent is reporting this
The root zone says that .local does not exist.
> Is t
fddi wrote:
> How to avoid these useless notifications?
notify master-only
Tony.
Daniel McDonald wrote:
>
> ; <<>> DiG 9.8.0-P4 <<>> @localhost ips.backscatterer.local ds
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26308
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Are you
Jonathan Kamens wrote:
>
> I said above that the problem is exacerbated by the fact that many DNS servers
> don't yet support IPV6 queries. This is because the queries don't get
> NXDOMAIN responses, which would be cached, but rather FORMERR responses, which
> are not cached. As a result, the
Phil Mayers wrote:
> On 07/22/2011 09:50 AM, Feng He wrote:
> >
> > Given the MX hosts for sympatico.ca domain:
> >
> > $ dig sympatico.ca mx +short
> > 5 mxmta.sympatico.ca.
> >
> > $ dig mxmta.sympatico.ca +short
> > 67.69.240.17 [ and several others ]
> >
> > when the peer MTA fail to talk to o
The "nsdiff" program examines old and new versions of a DNS zone and
outputs the differences as a script for use by BIND's nsupdate program.
It allows you to continue to manually maintain flat text master files as
before, and feed the changes you make into named's easy dynamic DNSSEC
support.
This
To use `rndc addzone`, named needs to be able to write to the zone
configuration file in its working directory, called 3bf305731dd26307.nzf
for the _default view. Both named and the user invoking rndc need to be
able to read the rndc.key file which is usually in /etc. You need to
create the zone's
Marc Lampo wrote:
>
> Experimenting with key roll-over timing conditions, with a Bind 9.7.3
> setup, I noticed, today, that this version does not re-validate DNSSEC
> data, once something makes it into its cache.
>
> I wonder though, if that is correct ?
Yes. When you publish a signed zone you mu
Marc Lampo wrote:
> Meaning that that it actually does not re-verify,
> once data was found to be OK and allowed in the cache.
The point of a cache is to avoid network round trips to re-fetch or
re-validate data while it is in the cache. The DNS protocol tells the
cache how long the zone publish
Frank Bulk wrote:
> Would be nice if the error output or log would indicate such failures.
Yes, indeed!
Tony.
Phil Mayers wrote:
>
> I first create and publish a new ZSK with no activation date. After waiting
> the requisite amount of time, I use dnssec-settime:
>
> dnssec-settime -A K
> dnssec-settime -I K
> rndc sign
>
> ...and bind immediately starts using the new key for sigs. After 0.75*30 days,
> a
Lyle Giese wrote:
> zone "chaseprod.local"{
> type forward;
> forwarders {10.0.100.205;};};
>
> This seemed to work until I added some stuff for DNSSEC to my named.conf.
In order to forward a zone in the presence of DNSSEC validation, the zone
has to have a valid delegation in the pu
Jaap Akkerhuis wrote:
>
> Additionally .local is reserved for mDNS ..
>
> Can you give some references?
http://tools.ietf.org/html/draft-chapin-rfc2606bis
Tony.
michoski wrote:
>
> It's basically a risk analysis game. You should be able to think through
> common use cases for your service, and identify places where DNSSEC would
> add value. Your business values validity of its DNS data, or not.
Apart from protecting the DNS itself, there aren't yet man
Ken Schweigert wrote:
>
> logging {
> ...
> channel "dev_null_log" {
> file "/dev/null";
> };
> …
> category lame-servers { dev_null_log; };
> …
Use the built-in "null" channel instead.
Tony.
I have been playing with the new inline signing feature.
Documentation bug: the inline-signing option is not mentioned in the
syntax for slave zones.
I have not been able to get master inline signing working. Firstly, it
fails to create the signed copy of the zone automatically. If I create it
ma
Bill Owens wrote:
>
> However, in this case I believe your problem is the lack of NS records
> in nau.edu for extended.nau.edu. It's difficult to know for sure, but it
> appears that the only signature for the NS RRSET is using the ZSK for
> extended.nau.edu, not the ZSK for nau.edu.
This is norm
Michael Sinatra wrote:
>
> There are ways of getting the DS records into the zone(s). Here are some
> steps that I took on some test zones:
Alternatively, set "update-policy local;" on your parent zone and use this
little pipeline on the master server. Substitute $parent and $child as
necessary:
Raymond Drew Walker wrote:
> In testing, this pipe sets up the following for nsupdate which fails:
Sorry, I forgot the TTL command. Adjust its value as you require...
dig +noall +answer dnskey $child |
dnssec-dsfromkey -f /dev/stdin $child |
(echo "zone $parent"; echo "ttl 3600"; sed 's/^
McConville, Kevin wrote:
>
> 1) Is there any way to have the zsk be auto-generated based upon the
> inactive date listed in the zsk meta-data?
Not yet, though I believe this feature is on the wish list.
> 2) With a static zone, are the update-policy local and auto-dnssec
> maintain options inv
Sergio Charpinel Jr. wrote:
>
> After supplying the DS and the respective NS record for the subdomain in the
> parent zone (domain.com), it works.
That sounds like you had no delegation RRs in the parent zone. In that
case the parent zone will contain a secure denial of existence of the
child zone. If you
Raymond Drew Walker wrote:
>
> After reading this, RFC1034, and conferring with the original implementor
> of DNS at our institution, I have a better wrangle on the NS issue. Child
> zone NS records were never populated in the parent because all zones were
> under the same name servers, and "it ju
Jan-Piet Mens wrote:
>
> Any ideas or suggestions?
Not a practical one, but there are moves towards a standard nameserver
control protocol:
http://tools.ietf.org/html/rfc6168
http://tools.ietf.org/html/draft-dickinson-dnsop-nameserver-control
http://ripe63.ripe.net/presentations/151-DNSCCM_RIPE6
Spain, Dr. Jeffry A. wrote:
>
> From time to time I want to review the current state of the zone files.
> I have been accustomed with v9.8 to taking a copy of a signed zone file
> and stripping out the DNSSEC-related records in a text editor for easy
> review.
I use `dig axfr dotat.at | grep -v R
Jan-Piet Mens wrote:
> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>
> > I use `dig axfr dotat.at | grep -v RRSIG`
>
> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
I think it is more useful to see those records than to spend effort
stripping t
Chris Thompson wrote:
>
> If we are trying to turn Tony's ad hoc command into something publishable,
See the loadzone, axfrzone, and cleanzone functions in
http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff
Writing code to process arbitrary zones is a rather different job from a
q
Matus UHLAR - fantomas wrote:
>
> Is it possible to update a DNSSEC-signed domain, re-sign it and generate small
> differences to be transferred by IXFR?
Yes, it just works with no special effort if you use dynamic updates and
auto-dnssec maintain.
Tony.
Bryton wrote:
>
> I wonder if anyone has ever got the error
In my logs I have some of this:
25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX: bad
cache hit (uofk.edu/DNSKEY)
Which is fairly nicely explained by this:
http://dnsviz.net/d/uofk.edu/dnssec/
Tony.
Marek Kozlowski wrote:
>
> OK. Let's assume I have only one primary and only one secondary DNS. I
> have two views on my primary. May I set up the secondary one for two
> views as well I make it fully synchronized to the primary one? (AFAIK
> for `allow-transfer' I specify IP addresses -- there is
Dan McDaniel wrote:
>
> I'm setting up a new DNS server. We have two offices linked by a VPN.
> I'm trying to decide whether to have everything under a single domain
> (example.com) or to split them into sub-domains (office1.example.com,
> office2.example.com).
If your DNS is mostly static and yo
Evan Hunt wrote:
>
> I'd recommend checking the next four octets as well; they'll be "00 00 00 00"
> or "00 00 00 01". The first of those is the format that's always been used
> up to now; the second is the format that will be used in 9.9.0, starting
> with the next beta.
Would it be possible fo
nsdiff is an add-on tool for BIND that compares old and new versions of a
zone and generates an nsupdate script that turns the old version into the
new version. It is designed to bridge the gap between static master files
and dynamic DNS updates, making it easier to use "auto-dnssec maintain".
htt
Irwin Tillman wrote:
>
> What's the recommended approach?
My empty zone is:
@ SOA localhost. root.localhost. 1 1h 1000 1w 1h
NS localhost.
I also have a "localhost." zone (RFC 2606) which is:
@ SOA localhost. root.localhost. 1 1h 1000 1w 1h
NS localhost.
A 127.0.0.1
Matus UHLAR - fantomas wrote:
>
> I prefer defining 127.in-addr.arpa and inside:
>
> 1.0.0 PTR localhost.
I used to do that, but I need fewer zone files if I use the same reverse
zone for v6 and v4 :-) I have fairly extensive setup for bogons, and I
have set up empty zones to cover the same range
Howard Leadmon wrote:
>
> So I guess my million dollar question is, I want to use DNSSEC (it's
> actually working now), but I want to be able to edit my zone files the way I
> always have for many years, and just have BIND sign the zones with the keys
> and update as needed to keep DNS running sm
Phil Mayers wrote:
>
> Something like Tony's "nsdiff" script (see his post) makes it relatively easy,
> but it's still "another step".
It's more like a replacement step: run nsdiff | nsupdate instead of rndc reload.
Tony.
Sten Carlsen wrote:
>
> Good news is that you should simplify your bogon list, lots of those
> addresses are now actually in use; e.g. I have regular visits on my
> pages by 2.x.x.x as they are now mostly handed out (local ISP here) and
> in legitimate use.
My bogon list only includes IPv4 addres
Dan Letkeman wrote:
> So what is the best practice for adding a static entry to a dynamically
> updated zone?
I would just use nsupdate to manage the static entries.
(Maybe I should add a partial zone mode to nsdiff...)
Tony.
Mark Elkins wrote:
>
> I also see...
> $TTL 0 ; 0 seconds
> TYPE65534 \# 5 ( 08467D0001 )
> TYPE65534 \# 5 ( 0896730001 )
> appearing on a secondary for this zone. What is it?
> (Yes - an unknown data type - the secondary is running bind 9.8)
That
Alan Clegg wrote:
>
> Just be sure to watch for the extra SOA record. :)
Or use dig axfr +onesoa ...
Tony.
On Mon, 2 Nov 2009, Mark Andrews wrote:
>
> getaddrinfo() is reporting that aspmx.l.google.com's canonical
> name is mail-yx0-f102.google.com. Somewhere in the resolution path
> aspmx.l.google.com is being treated as a alias for
> mail-yx0-f102.google.com. In the DNS this is done using a CNAME.
On Fri, 4 Dec 2009, Chris Thompson wrote:
>
> [It's never been entirely clear to me why these functions have to be
> combined, especially given that "server [ipaddr/len] {bogus yes;};"
> can be used to block outgoing queries.]
The CIDR syntax for server clauses is relatively new. Before it was add
On Wed, 6 Jan 2010, Pamela Rock wrote:
>
> Does that imply that +adflag sets the ad bit on the query and the
> response, whereas +dnssec only sets the ad bit on the response?
The AD flag is meaningless in a query. In a response it tells you whether
the server is authoritative or not. It has nothing t
On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote:
> On Tue, Feb 23, 2010 at 09:56:55PM -0500,
> Diosney Sarmiento Herrera wrote:
>
> > Have any sense to blacklist the private address ranges on a server
> > that is facing Internet?
>
> I am not sure I parse your sentence correctly but may be you ref
On Tue, 23 Feb 2010, Joe Baptista wrote:
>
> Let's not forget the IETF has had 15 years to secure the DNS. The result is
> the DNSSEC abortion. It has failed.
It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be deployed in the most important zones this
ye
On Sat, 20 Mar 2010, Glenn English wrote:
>
> Just why qmail reports a T_ANY failure as a CNAME failure, I also don't
> know.
This is a bug in qmail. It tries to canonicalize domains in the SMTP
envelope of outgoing messages. It originally did this by performing CNAME
queries on each domain, but t
On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote:
> We are facing query drops by using dnsperf tool from ISC testing the DNS
> service via load balancer. Multiple queries from the same source port are
> being dropped partially by the load balancer and as per the load balancer
> vendor feed back, this
On 19 Apr 2010, at 20:40, Chris Thompson wrote:
On Apr 19 2010, I wrote:
[...]
Of course, it could also prove there is no DS record for
private.cam.ac.uk, but the absence of NS records as well
apparently makes it think that private.cam.ac.uk is bogus.
More experiments indicate that somethi
On Wed, 14 Jul 2010, Chris Thompson wrote:
>
> With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation
>
> dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1
>
> initially times out. But after doing
>
> dig +dnssec -t ANY www.forfunsec.org @127.0.0.1
>
> the same command reports
On Sat, 17 Jul 2010, Stephane Bortzmeyer wrote:
>
> OK, let's rephrase it: as far as I know, the root managers did not
> announce that they will follow RFC 5011. But may be they did and I
> just missed the announcement or may be they will do it in the
> future. But check yourself before using manag
On Tue, 20 Jul 2010, Chris Thompson wrote:
>
> However, I haven't yet been able to work out exactly *what* is wrong
> with the response, as demonstrated by dig (say). Any ideas?
Could it be complaining about the lack of compression?
Tony.
On Tue, 20 Jul 2010, Chris Thompson wrote:
>
> However, I haven't yet been able to work out exactly *what* is wrong
> with the response, as demonstrated by dig (say). Any ideas?
Got it. The nameservers for ucas.com give a referral for odbc.ucas.com.
That means the zone for odbc.ucas.com is odbc.uc
On Tue, 20 Jul 2010, Kevin Darcy wrote:
>
> It seems that UCAS is just proxying non-A queries from its load-balancers back
> to its regular nameservers.
No, the load balancers are simply braindamaged. Try SOA or NS or TXT
queries and you get a timeout.
Tony.
On Thu, 22 Jul 2010, Atkins, Brian (GD/VA-NSOC) wrote:
> Does anyone know of an existing script or program that can parse a zone
> file and verify records against an active server?
Have you looked at named-checkzone?
Tony.
On Sat, 24 Jul 2010, Warren Kumari wrote:
> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
> >
> > Why would any inspection policy not allow fragmented UDP packets?
> > There's nothing wrong with that.
>
> Because it's "hard" The issue is that then you need to buffer
> fragments until you get
On Thu, 5 Aug 2010, Lyle Giese wrote:
>
> zone "mydomain.com"{
> type forward;
> forward only;
> forwarders { ;}; };
>
> The priv server needs to be authoritative (and probably master) for
> mydomain.com.
As I understand it, BIND makes recursive queries to forwarding servers. If
the target is authori
On Fri, 6 Aug 2010, Martin McCormick wrote:
> I have started looking at various ways for our
> organization to begin using dns-sec as this appears to be a high
> management priority and it will eventually become necessary to
> operate. We have a fairly simple structure with a official master
On Mon, 9 Aug 2010, Shiva Raman wrote:
>
> I tried implementing dnssec using the following document
> http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/
That is rather out of date: it does not cover some important BIND-9.7
DNSSEC validation features, specifically RFC 5011 autom
On Mon, 9 Aug 2010, CLOSE Dave (DAE) wrote:
> Based on suggestions here, I now have a named.conf file like this:
>
>options { ... };
>logging { ... };
>zone "." IN { type forward; forwarders { PUB; }; forward only; };
>zone "HOST1" { type forward; forwarders { PRIV; }; };
>zone
On Tue, 10 Aug 2010, Joseph S D Yao wrote:
> On Fri, Aug 06, 2010 at 10:43:01PM +0100, Tony Finch wrote:
> ...
> > As I understand it, BIND makes recursive queries to forwarding servers. If
> > the target is authoritative, you configure the zone as a stub. This is not
> > d
Tom wrote:
>
> What is the supported/preferred way for implementing slave-rpz's in views?
> I want to achieve, that view1 has a different policy-configuration (passthru,
> given, nxdomain..) than the ones configured in view2 using the same
> slave-rpz-files. If not obligatory, I would not synchron
/dev/rob0 wrote:
>
> If you're thinking that you can do this replication to improve DNS
> performance, you're right, it will do that. But it certainly will
> not scale (if it's even possible to get axfr/ixfr), and it won't
> handle modern CDN systems properly.
BIND 9.10 and later will keep popul
Frank Even wrote:
> Is there a way to add forwarders for specific zones without a restart?
> Everything I've read seems to indicate an "rndc reconfig" or an "rndc
> reload" should take care of this, but they do not. I add forwarders to
> "named.conf" and neither will load the new forwarded zone
Mukund Sivaraman wrote:
>
> There's an attempt to make it go one step further by refreshing whole
> zones in the cache:
>
> https://github.com/muks/dnsrefresh
>
> It needs another section to be completed before upload, possibly in time
> for IETF-97.
Oh dear, that is deeply problematic wrt DNSSEC
Benny Pedersen wrote:
>
> Why does reload not flush?
Often you want to reload zone files without throwing away the cache.
Tony.
rams wrote:
> When we have a wildcard in middle labels, are we not treating it as a wildcard
> record?
In the DNS, a wildcard only occurs when the leftmost label is a *.
> Do we have any specific RFC for this.
https://tools.ietf.org/html/rfc4592#section-2.1
NOTE that wildcard rules can be confusingl
Job wrote:
>
> Actually, dig @host some_url still shows an additional query, maybe not
> needed for a caching-only resolver:
>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
That isn't an additional query, it's a record in the additional section of
the response - specifica
Reindl Harald wrote:
>
> Just because additional responses are part of the initial question and
> may save asking for that information - in case the additional info is not
> needed by the client it saves traffic.
There are a few situations in which additional data is useful in theory,
but i
Pol Hallen wrote:
>
> Is it recommended to put a cron script in place to auto-update the root.hind and named.hint db?
No, it's best not to have a hints file and just use the one built in to BIND.
Tony.
Mark Andrews wrote:
>
> Both of these are on my to do list.
Yay!
Tony.
> On 29.09.16 12:25, Frank Even wrote:
> > I am running chrooted. I'm relying on the "feature" of BIND "mounting" the
> > standard dirs into a chroot via the standard startup scripts in Cent6/7.
Aha, I should have actually read setup-named-chroot.sh rather than
assuming that it copied the files..
/dev/rob0 wrote:
>
> > 3) Change from a forwarder to a slave and thereby become
> > authoritative and no longer have any need of DNSSEC validation on
> > this zone.
>
> Did you try with stub or static-stub?
Stub and static-stub just change how BIND finds a zone's nameservers; they
don't affect va
ben thielsen via bind-users wrote:
>
> zone "example.com" {
> type stub;
> masters {
> "example.com" ;
> };
> };
>
> masters "example.com" {
> 192.168.81.50 ;
> };
If you want a fixed set of master servers for a zone, use static-stub.
A stub zone works a bit
Veaceslav Revutchi wrote:
> I see the server forwarding the query and it gets the answer below:
>
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;;
> ;; ANSWER SECTION:
> aaa.example.org. 200 IN CNAME bbb.example.net.
> bbb.example.net. 60 IN A 10.64.64.64
>
> I would
Eoin Kim wrote:
>
> So, all zone data files were created and when I restarted BIND the zone
> transfer happens except for one zone - reverse zone for external view. I
> checked the log file and it shows the following message.
>
> general: info: zone 10.16.172.IN-ADDR.ARPA/IN/EXTERNAL: refresh: une
Mark Andrews wrote:
> Sebastian Wiesinger wrote:
> >
> > Thank you for explaining this for me. I was reading RFC6781, which I
> > now realize is probably outdated in this regard so I was a bit
> > confused.
RFC 7583 (DNSSEC Key Rollover Timing) is also worth reading.
> > > Once named has comple
Daniel Stirnimann wrote:
>
> BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing
> to validate the following non-existent domain name:
>
> dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec
>
> I believe, the reason for the validation error for the above domain name
> is
Tom wrote:
>
> What's the reason, that it isn't necessary to run modern version of bind in a
> jail?
chroot is a defence against privilege escalation following a remote code
execution vulnerability. It isn't a very solid defence. And BIND 9 tends
to die of a self-check failure before remote code
blrmaani wrote:
> On Sunday, October 23, 2016 at 2:56:37 PM UTC-7, blrmaani wrote:
> >
> > We have hosts in two different zones but use same subnet. Zone1 is
> > generated by Master1 and Zone2 is generated by Master2.
> >
> > Slave1 runs BIND and would like to merge the reverses generated on
> > M
Dns Administrator wrote:
>
> Though the querying appears to be correct, when I reload the dns server I
> get the following message:
>
> 27-Oct-2016 09:31:29.208 general: info: zone ./IN: (static-stub) removed
Yes, this log message is spurious.
The reason seems to be that named always reconfigur
Jim Popovitch wrote:
>
> It seems to me that anycast is probably much worse in the Mirai botnet
> scenario unless each node is pretty much as robust as a traditional
> unicast node.
This blog post is a pretty good intro to how anycast can help with DDoS
mitigation, though I think Cloudflare are ov
Jim Glassford wrote:
>
> Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd either
> timeout or SERVFAIL depending on version of bind.
It works for me with BIND 9.11 and 9.10.4-P4.
There are some EDNS-related changes in 9.10 which might be why these
versions are better able to reso