Re: named and database backed systems
In message <29c7b7bc-f017-4404-b011-8b50206c7...@newgeo.com>, Scott Haneda writ es: > Damnit, ever time I search this stuff out, I search for "named > something-or-other" and should use BIND in my search :) > > I am going to test deploy on my worksation on OS X. Named comes up > with relative ease, just add a key and I am pretty much up and > running, albeit out of date, but for testing, I am ok with that. > > Are you telling me I need not even build named to get DLZ support? It > is just there already? You have to tell configure that you want it. It's still contributed code. > I see you are using postgress, mysql or sqllite should not be an issue > either? > > Zones are backed in DB, but not queried in real time are there? If > they are, I can see, sub 50ms return times going way up. > > Thanks for pointing me in the right direction, I will go read the DLZ > pages now. > > On Jan 28, 2009, at 10:25 PM, David Ford wrote: > > > Use the DLZ extension. It's been around for a while. > > > > I.e. put the following in your named.conf and use whatever interface > > you > > wish. I use Ant with a few modifications. I don't have nearly the > > number of domains that you do so my simple system works fine. > > > > > > dlz "postgres zone" { > >database "postgres 2 > > {host=localhost dbname=dns_data user=bind > > password=xx} > > {SELECT 'TRUE' FROM canonical WHERE lower(content) = > > lower('%zone%') limit 1} > > {SELECT ttl, type, priority, data FROM record, canonical WHERE > > lower(content) = lower('%zone%') AND host = '%record%' AND zone = > > domain} > > {} > > {SELECT ttl, type, host, priority, data FROM record, canonical > > WHERE zone = domain AND lower(content) = lower('%zone%')} > > {SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND > > lower(content) = lower('%zone%') AND client = inet '%client%'}"; > > }; > > > > Rather spiffy for centralizing your record store with immediate change > > visibility. > > -- > Scott > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named and database backed systems
Damnit, ever time I search this stuff out, I search for "named something-or-other" and should use BIND in my search :) I am going to test deploy on my worksation on OS X. Named comes up with relative ease, just add a key and I am pretty much up and running, albeit out of date, but for testing, I am ok with that. Are you telling me I need not even build named to get DLZ support? It is just there already? I see you are using postgress, mysql or sqllite should not be an issue either? Zones are backed in DB, but not queried in real time are there? If they are, I can see, sub 50ms return times going way up. Thanks for pointing me in the right direction, I will go read the DLZ pages now. On Jan 28, 2009, at 10:25 PM, David Ford wrote: Use the DLZ extension. It's been around for a while. I.e. put the following in your named.conf and use whatever interface you wish. I use Ant with a few modifications. I don't have nearly the number of domains that you do so my simple system works fine. dlz "postgres zone" { database "postgres 2 {host=localhost dbname=dns_data user=bind password=xx} {SELECT 'TRUE' FROM canonical WHERE lower(content) = lower('%zone%') limit 1} {SELECT ttl, type, priority, data FROM record, canonical WHERE lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain} {} {SELECT ttl, type, host, priority, data FROM record, canonical WHERE zone = domain AND lower(content) = lower('%zone%')} {SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND lower(content) = lower('%zone%') AND client = inet '%client%'}"; }; Rather spiffy for centralizing your record store with immediate change visibility. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named and database backed systems
Use the DLZ extension. It's been around for a while. I.e. put the following in your named.conf and use whatever interface you wish. I use Ant with a few modifications. I don't have nearly the number of domains that you do so my simple system works fine. dlz "postgres zone" { database "postgres 2 {host=localhost dbname=dns_data user=bind password=xx} {SELECT 'TRUE' FROM canonical WHERE lower(content) = lower('%zone%') limit 1} {SELECT ttl, type, priority, data FROM record, canonical WHERE lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain} {} {SELECT ttl, type, host, priority, data FROM record, canonical WHERE zone = domain AND lower(content) = lower('%zone%')} {SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND lower(content) = lower('%zone%') AND client = inet '%client%'}"; }; Rather spiffy for centralizing your record store with immediate change visibility. -david Scott Haneda wrote: > Hello, my past post about wildcarding the "." in a named server seems > it may be wrought with issues in the long term. > > In short, my issues is a auto website creation tool that needs to be > simple for users to change their registrar data, and have their site > be served up. > > The old method works, but is being outgrown, I can come in and try to > solve it with scripts to sync the website to local named files, but it > will always be a battle. > > I am coming up short on finding any database backed store for named. > I think sqllite would be the best for raw performance, but then again, > even a million records in mysql is trivial. I am just worried about > volume of selects. > > Can anyone point me to any info on database backed named solutions? > Thank you named users, you are all very helpful. > -- > Scott > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- Linux: freedom to build is good Please top-post and trim when replying to my messages. I most often read mail on a small device. VERY NOT-IMPORTANT NOT-LEGAL NOTICES: Recalling a message does in no way delete it from my computer. Rather, it brings attention to your original email and recalling it causes me to search for a reason to find embarrassment. Please don't send message recall messages. It's silly and obnoxious and wastes even more bandwidth and patience. Regardless of what legal message you append to your email message, I am not obligated or constrained in any way shape or form. If I feel like printing it outand taping it up at the local gym, or mass mailing it to 15,000 people, I will. I feel especially inclined to do so the longer your "legal" advisory is. Such notices are unenforceable and do not protect you or your company from things you say, or things others do with the email. "Millions of innocent men, women and children, since the introduction of Christianity, have been burnt, tortured, fined, imprisoned; yet we have not advancedone inch towards uniformity. What has been the effect of coercion? To make half the world fools, and the other half hypocrites." --Thomas Jefferson This message is confidential to the Internet at large, unless otherwise indicated or apparent from its nature. It may not be reproduced on Mars unless it has previously been printed on Uranus. This message is directed to the intended recipient only (usually everyone, but sometimes nobody and once in a blue moon, just somebody), who may be readily determined by the sender of this message and its contents. This email message (including any attachments) is not for the sole use of the intended recipient(s) and may or may not contain confidential, proprietary and privileged information. It may include sarcastic holier than tho content. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient: (a) any dissemination or copying of this message is strictly prohibited unless you feel otherwise; and (b) immediately notify the sender by return message (but only if the sun has gone black) and de stroy any copies of this message in any form (electronic, paper or carved in stone) that you have. Please destroy by smashing your computer with a 21lb sledge hammer approximately 17 times to ensure destruction of your system. Any unauthorized review, use, disclosure or distribution is most assuredly not prohibited and you will not IMMEDIATELY be PROSECUTED to the fullest ... or emptiest ... extent of the law. If you are not the intended recipient, please immediately notify some random person of your age, sex, and location and your undying desire to fornicate with them by email and destroy all copies of the original message if you sent it to an underage person. Oh, and definitely don't tell me about it. The delivery of this message and its information
Re: wildcarding everything
On Jan 28, 2009, at 3:34 PM, Mark Andrews wrote: In message <30e0039f-b0fd-4322-b0e0-52eeefa76...@newgeo.com>, Scott Haneda writ es: I can remove the entire DNS management, zone creation, and deltion if I wildcard. Any domain in which they enter in my clients ns's will resolve automatically as soon as the whois updates. Actually you can't. You will end up returning answers that will be rejected. If the registrar does any sort of checking the registration will also be rejected. Ok, thanks. So with this, it is a safe estimation, all these domain parking systems actually create DNS records on the fly for their users? I can not imagine someone as large as godaddy with such inferior support, and a rather terrible web interface, actually getting this right most of the time. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named and database backed systems
Hello, my past post about wildcarding the "." in a named server seems it may be wrought with issues in the long term. In short, my issues is a auto website creation tool that needs to be simple for users to change their registrar data, and have their site be served up. The old method works, but is being outgrown, I can come in and try to solve it with scripts to sync the website to local named files, but it will always be a battle. I am coming up short on finding any database backed store for named. I think sqllite would be the best for raw performance, but then again, even a million records in mysql is trivial. I am just worried about volume of selects. Can anyone point me to any info on database backed named solutions? Thank you named users, you are all very helpful. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What are these entries in the log file - " query: . IN NS +"?
Mark Andrews wrote: >> 0.86.80.98 14051 > > So who isn't doing even loose URPF? > 0/8 is totally bogus and is a attack directed at you. Well, if you do a tracert to granite.ab.ca you can see my upstream provider. I was wondering what that 0 was doing there. Tony -- Tony Toews, Microsoft Access MVP Please respond only in the newsgroups so that others can read the entire thread of messages. Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What are these entries in the log file - " query: . IN NS +"?
In message , "Tony Toews [MVP]" wri tes: > "Tony Toews [MVP]" wrote: > > >FWIW In the last 28 hours I have the following alleged IP addresses and coun > t in my > >log file. > > > >Real lookups 1665 > >204.15.80.50 4 > >3.217.28.226 1144 > >4.57.246.146 9541 > >6.9.16.171 577 > >63.217.28.2261463 > >64.57.246.14635163 > >65.173.218.961 > >67.192.144.0 1488 > >7.192.144.0 12054 > >76.9.16.171 1033 > > FWIW in the last 26 hours. > Real Lookups 1673 > 0.86.80.9814051 So who isn't doing even loose URPF? 0/8 is totally bogus and is a attack directed at you. > 4.57.246.123 4425 > 4.57.246.146 22719 > 6.9.16.171419 > 64.57.246.123 4885 > 64.57.246.146 25023 > 67.192.144.0 825 > 7.192.144.0 696 > 70.86.80.98 9317 > 76.9.16.171 295 > > > So some have disappeared and new ones added. > > Tony > -- > Tony Toews, Microsoft Access MVP >Please respond only in the newsgroups so that others can > read the entire thread of messages. >Microsoft Access Links, Hints, Tips & Accounting Systems at > http://www.granite.ab.ca/accsmstr.htm >Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What are these entries in the log file - " query: . IN NS +"?
"Tony Toews [MVP]" wrote: >FWIW In the last 28 hours I have the following alleged IP addresses and count >in my >log file. > >Real lookups 1665 >204.15.80.50 4 >3.217.28.226 1144 >4.57.246.146 9541 >6.9.16.171 577 >63.217.28.226 1463 >64.57.246.146 35163 >65.173.218.96 1 >67.192.144.0 1488 >7.192.144.012054 >76.9.16.1711033 FWIW in the last 26 hours. Real Lookups1673 0.86.80.98 14051 4.57.246.1234425 4.57.246.14622719 6.9.16.171 419 64.57.246.123 4885 64.57.246.146 25023 67.192.144.0825 7.192.144.0 696 70.86.80.98 9317 76.9.16.171 295 So some have disappeared and new ones added. Tony -- Tony Toews, Microsoft Access MVP Please respond only in the newsgroups so that others can read the entire thread of messages. Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: wildcarding everything
In message <30e0039f-b0fd-4322-b0e0-52eeefa76...@newgeo.com>, Scott Haneda writ es: > I can remove the entire DNS management, zone creation, and deltion if > I wildcard. Any domain in which they enter in my clients ns's will > resolve automatically as soon as the whois updates. Actually you can't. You will end up returning answers that will be rejected. If the registrar does any sort of checking the registration will also be rejected. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: disableing EDNS messages bind-9.5.0
Matus UHLAR - fantomas wrote: I strongly recommend you upgrading the BIND first. Later versions issue that message much less often. if the only reason is the fix mentioned by Mark 2504. [bug] Address race condition in the socket code. then that doesn't explain why my small manual sample of 20 such queries resulted in dig reporting "timeout" for virtually all of them. These involved lame delegations to non-responsive nameservers. plus the ARM itself says the current behaviour needs to be changed Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned. since this was 9.6 ARM p41, I assume the change has not yet happened but yes, we are about to start an upgrade cycle to 9.6.0-P2 when I will re-enable edns reporting and do another manual sample. Danny ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: [SPAM] Re: Split view multiple zones
At Wed, 28 Jan 2009 08:59:42 +0100, Matus UHLAR - fantomas wrote: > > >Of course I could just copy and paste all the zones also in 'custom' view > > >but it doubles the configuration size. > > On 27.01.09 17:26, Chris Burton wrote: > > I've been using an include file for zones common between multiple views, it > > might help in your case too. > > I'm afraid they won't eat the same memory, but each view its own memory. Correct. > Can anyone confirm, and if I'm right, tell me that it will be better in next > BIND releases? There's no plan to change this behavior (as far as I know). --- JINMEI, Tatuya Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: wildcarding everything
Excuse any spelling. I'm mobile. I would be wildcarding "." My client has a website building service. You get a free account and tools to get your site online all built in a browser with web based tools. It works well now but the synchronization of the database with named, users coming and going, keeping a slave up to date, delete zones, all that is a burden. All the time the users need status of their domain. Where the whois is at, if their zone has been created etc. It works, they have growing pains. It us only in private test and growing fast. Free seems to be appealing :) Since users sign up they must change their ns's at their registrar. They own their domains. They can leave at any time. The service does not offer registration. I can remove the entire DNS management, zone creation, and deltion if I wildcard. Any domain in which they enter in my clients ns's will resolve automatically as soon as the whois updates. So yes, these two ns's would be authoritative for all domains, but if I understand it correct, only those that users so chose to. It's not like an end user would request amazon.com and ever hit these two ns's. If that could happen DNS would be easily messed with. The ns's would deny recursion, they of course would not be used as a local resolved either. As a matter pf fact recursion would be denied to all nets entirely. I hope this explains it better. While this is not domain parking, it acts much like it, I would guess large registrars do something similar. I can not imagine them generating all these real zone files in such quantity for every parked domain. I'm trying to bring reliability in the synchronization of services trying to be offered. Thanks fly any suggestions. -- Scott Iphone says hello. On Jan 28, 2009, at 8:44 AM, "Ben Bridges" wrote: What specifically are you intending to wildcard? "com."? "net."? "."? If so, then you would be implicitly making your name servers authoritative for domains for which your servers are not supposed to be authoritative. Ben Bridges -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Scott Haneda Sent: Wednesday, January 28, 2009 3:31 AM To: bind-users@lists.isc.org Subject: wildcarding everything Hello, I am wondering the technical possibility of a DNS change. Even if it is technically possible, I also want to make sure it is compliant as well. I would like to resolve any and all requests to a fixed IP, if there is no zone in place. While I understand I can create a zone for *.example.com and resolve all of the * portion to an A record and further have a web server take over... What I am looking to do now, is have the very act of having my two NS's listed as NS's with their domain, resolve to an A record. Essentially, wildcard the entire DNS machine. There may be cases where a real zone is put in place, to a different A record, and that would need to take priority, but if it does not, I would like to resolve it. The NS's in question will not be answering for recursive queries, so I am not worried about local requests getting hijacked or mis-routed. An example would be: some-domain-foo.com is registered. My NS of ns-me.example.com is set up and working, but does not have some-domain-foo.com entered as a zone. When a request comes in for some-domain-foo.com I want an A record for an IP of my choice, also for www.some-domain-foo.com as well. Possible? Acceptable? Thanks. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: wildcarding everything
What specifically are you intending to wildcard? "com."? "net."? "."? If so, then you would be implicitly making your name servers authoritative for domains for which your servers are not supposed to be authoritative. Ben Bridges > -Original Message- > From: bind-users-boun...@lists.isc.org > [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Scott Haneda > Sent: Wednesday, January 28, 2009 3:31 AM > To: bind-users@lists.isc.org > Subject: wildcarding everything > > Hello, I am wondering the technical possibility of a DNS > change. Even if it is technically possible, I also want to > make sure it is compliant as well. > > I would like to resolve any and all requests to a fixed IP, > if there is no zone in place. While I understand I can > create a zone for *.example.com and resolve all of the * > portion to an A record and further have a web server take over... > > What I am looking to do now, is have the very act of having my two > NS's listed as NS's with their domain, resolve to an A record. > Essentially, wildcard the entire DNS machine. > > There may be cases where a real zone is put in place, to a > different A record, and that would need to take priority, but > if it does not, I would like to resolve it. > > The NS's in question will not be answering for recursive > queries, so I am not worried about local requests getting > hijacked or mis-routed. > > An example would be: > some-domain-foo.com is registered. My NS of ns-me.example.com > is set up and working, but does not have some-domain-foo.com > entered as a zone. When a request comes in for > some-domain-foo.com I want an A record for an IP of my > choice, also for www.some-domain-foo.com as well. > > Possible? Acceptable? > > Thanks. > -- > Scott > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: error sending response log messages
Mark Andrews wrote: In message <497caef2.80...@yahoo.com>, Andre LeClaire writes: Hello everyone, I've been seeing these syslog messages for about a week on a FreeBSD server running BIND 9.4.3-P1: Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error sending response: permission denied Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error sending response: permission denied Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error sending response: permission denied Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error sending response: permission denied Ports 135-139 and 445 are denied by the firewall on the outside interface. Why do you care about what port you are sending to? Just allow named to send its replies. Ports 135-139 and 445 are blocked on the outside interface to protect the Windows networks on the inside, which use those ports, from the savage Internet. Are you saying that it's normal for named to send replies on those ports? Also, the server has been up for over 3 years with no problems, and these errors just started happening last week. Andre ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.4.x vs 9.6.x - pid-file check and creation
In article , Jan Arild =?iso-8859-1?Q?Lindstr=F8m?= wrote: > >Hi, > >ah, of course. I did not think about it as a Solaris bug. > >I patched BIND 9.6.0-P1 os.c code so it first checks for the diretory >before it tries the fast approach of just running mkdir. And that of >course works fine. > >But, since I do not want to run a self-patch BIND in production, I will >instead run with pid-file "/var/run/named/named/named.pid" and be happy >with that. Just wondering. Since /var/run is a swap (memory) based file system, do you have to recreate those directories on each reboot? >Thanks >Jan Arild Lindstr > > >At 15:35 27/01/2009, Mark Andrews wrote: > >>Looking at the publically available parts of SunSolve there are at least >>bug reports about it. >> >>Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth= >er xxxfs_mkdir() functions. | Open in a new window >>bug 6253984 >>http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-6253984-1 - Sep = >10, 2007 >> = > >>Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth= >er xxxfs_mkdir() functions. | Open in a new window >>bug 2152581 >>http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-2152581-1 - Sep = >10, 2007 = > >>I don't have a copy of the POSIX standard that covers mkdir(2) to >>see what it has to say about it. Historically however EACCES on >>search failure, EEXIST if the file/directory exists, then EACCES on >>parent directory write permissions was the error determination order. >> >>Mark >>-- = > >>Mark Andrews, ISC >>1 Seymour St., Dundas Valley, NSW 2117, Australia >>PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org > >___ >bind-users mailing list >bind-users@lists.isc.org >https://lists.isc.org/mailman/listinfo/bind-users -- Tom Schulz sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: wildcarding everything
If the dns only needs to resolve certain domains (you manage) and no other, it can be done Regards, Serge Fonville On Wed, Jan 28, 2009 at 1:11 PM, Alan Clegg wrote: > Scott Haneda wrote: > > > An example would be: > > some-domain-foo.com is registered. My NS of ns-me.example.com is set up > > and working, but does not have some-domain-foo.com entered as a zone. > > When a request comes in for some-domain-foo.com I want an A record for > > an IP of my choice, also for www.some-domain-foo.com as well. > > If I am the owner of said "some-domain-foo.com" and do not publish an A > record for every possible label within my zone, what right do YOU, a > person unknown to me, have to publish such records? > > No, not acceptable. Anything is possible. > > AlanC > > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: wildcarding everything
Scott Haneda wrote: > An example would be: > some-domain-foo.com is registered. My NS of ns-me.example.com is set up > and working, but does not have some-domain-foo.com entered as a zone. > When a request comes in for some-domain-foo.com I want an A record for > an IP of my choice, also for www.some-domain-foo.com as well. If I am the owner of said "some-domain-foo.com" and do not publish an A record for every possible label within my zone, what right do YOU, a person unknown to me, have to publish such records? No, not acceptable. Anything is possible. AlanC signature.asc Description: OpenPGP digital signature ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: reg - BIND 9.3.0 - CVE-2009-0025
Ashish wrote: > This is regarding the recent security threat CVE-2009-0025. > > We are using DNS 9.3.0 and unfortunately, we cannot upgrade (management > issues) to 9.3.6 (As suggested in ISC website) > > ISC’s website suggests to Upgrade OpenSSL to at least OpenSSL 0.9.8j and > then to upgrade to 9.3.6-P1. > > Could you please advice how can I upgrade OpenSSL? Since we could not > upgrade DNS is there any other alternative for us. Could we apply the > same patch of 9.3.6-P1 on 9.3.0? Will it help resolving this issue? I suggest that you first attempt to "patch" the "management issues" that are locking you into the use of code that has known issues and is well past End-Of-Life. Beyond that, you can follow the instructions in the section of https://www.isc.org/node/389 labeled "Workarounds" / "9.3.0" that explains how to disable the use of the DSA algorithm. AlanC signature.asc Description: OpenPGP digital signature ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
reg - BIND 9.3.0 - CVE-2009-0025
Hi Folks, This is regarding the recent security threat CVE-2009-0025. We are using DNS 9.3.0 and unfortunately, we cannot upgrade (management issues) to 9.3.6 (As suggested in ISC website) ISC's website suggests to Upgrade OpenSSL to at least OpenSSL 0.9.8j and then to upgrade to 9.3.6-P1. Could you please advice how can I upgrade OpenSSL? Since we could not upgrade DNS is there any other alternative for us. Could we apply the same patch of 9.3.6-P1 on 9.3.0? Will it help resolving this issue? Do I need to change code somewhere? Kindly suggest what exactly I could do and what options I have to resolve this issue. Thank you in advance for all your help. Ashish Rao Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
wildcarding everything
Hello, I am wondering the technical possibility of a DNS change. Even if it is technically possible, I also want to make sure it is compliant as well. I would like to resolve any and all requests to a fixed IP, if there is no zone in place. While I understand I can create a zone for *.example.com and resolve all of the * portion to an A record and further have a web server take over... What I am looking to do now, is have the very act of having my two NS's listed as NS's with their domain, resolve to an A record. Essentially, wildcard the entire DNS machine. There may be cases where a real zone is put in place, to a different A record, and that would need to take priority, but if it does not, I would like to resolve it. The NS's in question will not be answering for recursive queries, so I am not worried about local requests getting hijacked or mis-routed. An example would be: some-domain-foo.com is registered. My NS of ns-me.example.com is set up and working, but does not have some-domain-foo.com entered as a zone. When a request comes in for some-domain-foo.com I want an A record for an IP of my choice, also for www.some-domain-foo.com as well. Possible? Acceptable? Thanks. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What are these entries in the log file - " query: . IN NS +"?
Sorry remembered wrong, it's not free. But not that expensive either. Yeah now I remember, I browsed for a free firewall for server platform for days, but didn't find any. But have been very happy with the Net Firewall. Jukka "Tony Toews [MVP]" kirjoitti viestissä:... "Jukka Pakkanen" wrote: >There are many free third party firewall packages that can be run in >Window= >s = > >2003 Server, we use the Net Firewall. Do you have a URL? I found http://www.ntkernel.com/w&p.php?id=18 but it's not free. I'm also going to ask my fellow MVPs as well. Tony -- Tony Toews, Microsoft Access MVP Please respond only in the newsgroups so that others can read the entire thread of messages. Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: contacting a external nameserver
In that case you can use either views or a split dns Regards. Serge Fonville On Wed, Jan 28, 2009 at 12:44 AM, Luis Silva wrote: > Yes, basically what I need is a forwarder. Basically I want an internal > network but external queries must be handled by another server. > Thanks a lot for the quick reply. > Kind Regards, > Luis > On Tue, Jan 27, 2009 at 6:51 PM, Serge Fonville > wrote: > >> I should have sent this to the list >> >> >> On Tue, Jan 27, 2009 at 11:42 AM, Serge Fonville < >> serge.fonvi...@gmail.com> wrote: >> >>> Hi, >>> >>> Not sure what your endgoal is, but... >>> >>> If you want a specific zone to be queried on the external nameserver, you >>> can create a forward zone. >>> If you want all unresolvable queries to be forwarded to a specific >>> nameserver, you can define forwarders. >>> >>> Perhaps some information about what your end result should be instead of >>> suggesting solutions up front can be of use. >>> >>> Hope this helps. >>> >>> Regards, >>> >>> Serge Fonville >>> >>> On 1/27/09, Luis Silva wrote: >>> Hi all, I'm having a question related to querying external servers that hope you could answer me. I'm sending a iterative query for an external server and the server is sending a referral answer but only with the authoritive name servers. After that, i send a query A asking the nameservers ip addresses. This A query is supposed to be a recursive query or must be a iterative one? Is there a standard that talks about this? thanks in advance. Kind regards, Luis ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users >>> >>> >> >> >> ___ >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > > ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: disableing EDNS messages bind-9.5.0
> Dean Clapper wrote: > >I'm trying to troubleshoot why we are getting a lot of disabling EDNS > >messages in /var/log/messages. > > > >We are running bind-9.5.0.P2 on a linux box. [...] > >Jan 27 11:43:39 ns0 named[27764]: too many timeouts resolving > >'196.198.117.216.zen.spamhaus.org/A' (in 'zen.spamhaus.org'?): > >disabling EDNS > > > >I started receiving these messages after updating from 9.4 -> 9.5. > >I've found a couple places to test packet sizes, but have not had any > >problem. The messages about zen.spamhaus.org leads me to possibly > >email related issues. On 28.01.09 08:04, Danny Thomas wrote: > add "category edns-disabled { null; };" > after verifying your nameserver(s) have an EDNS0 clear path > by trying the 2 tests mentioned below by Mark Andrews. I strongly recommend you upgrading the BIND first. Later versions issue that message much less often. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.4.x vs 9.6.x - pid-file check and creation
Hi, ah, of course. I did not think about it as a Solaris bug. I patched BIND 9.6.0-P1 os.c code so it first checks for the diretory before it tries the fast approach of just running mkdir. And that of course works fine. But, since I do not want to run a self-patch BIND in production, I will instead run with pid-file "/var/run/named/named/named.pid" and be happy with that. Thanks Jan Arild Lindstrøm At 15:35 27/01/2009, Mark Andrews wrote: >Looking at the publically available parts of SunSolve there are at least >bug reports about it. > >Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with other >xxxfs_mkdir() functions. | Open in a new window >bug 6253984 >http://sunsolve.sun.com/search/document.do?assetkey=1-1-6253984-1 - Sep 10, >2007 > >Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with other >xxxfs_mkdir() functions. | Open in a new window >bug 2152581 >http://sunsolve.sun.com/search/document.do?assetkey=1-1-2152581-1 - Sep 10, >2007 >I don't have a copy of the POSIX standard that covers mkdir(2) to >see what it has to say about it. Historically however EACCES on >search failure, EEXIST if the file/directory exists, then EACCES on >parent directory write permissions was the error determination order. > >Mark >-- >Mark Andrews, ISC >1 Seymour St., Dundas Valley, NSW 2117, Australia >PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
On 27.01.09 10:18, Al Stu wrote: > I not only say it, I have demonstrated it. But you have demonstrated something different than we're discussing all the time. > BIND is the DNS system we are discussing. > Have not looked to see if that specifically is spec'ed in an RFC. > Yes other DNS implementations do return both the A and CNAME. It depends on the query sent. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fighting for peace is like fucking for virginity... ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: e: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
> > You say, "both the A record and the CNAME record are returned." > > We know that BIND does this. On 27.01.09 19:33, sth...@nethelp.no wrote: > No, not all BIND versions do this. I'm running BIND 9.5, and when > asking about the MX for nullmx.domainmanager.com I'm getting > > Answer: nullmx.domainmanager.com. CNAME mta.dewile.net. > Authority:dewile.net. SOA ... > > Even if my BIND 9.5 name server has the A record for mta.dewile.net > in the cache, it is not returned. What was te question? If it was "any" or "cname", the bind won't return that. If the question was "A", it should be returned, unless you have allow-recursion or allow-query-cache turned off -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows." ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Split view multiple zones
In message <49800cfd.nihabiqjcalhfl+u%akos...@andykosela.com>, Andy Kosela writ es: > "Reinis Rozitis" wrote: > > > > I've been using an include file for zones common between multiple > > > views, might help in your case too. > > > > Thanks somehow didnt think about this way. Pretty much takes to > > acceptable solution :) > > Yes, "include" statement is the best option especially if you have a lot > of zones. That aproach also works great if you need to provide > recursion for some of your clients *and* serve authoritative records for > the rest of the world. By creating multiple views you can also easily > disable answering queries for "." to unknown clients. > > view "internal" { > match-clients { "LAN"; }; > recursion yes; > include "zones"; > }; > > view "external" { > match-clients { any; }; > recursion no; > additional-from-cache no; > include "zones"; > }; Or just run a currently supported version and specify options { allow-recursion { LAN; }; }; include "zones"; and achieve the same thing for half the memory footprint and not have to worry about different views clobbering the same masterfiles. Mark > --Andy > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: [SPAM] Re: Split view multiple zones
> >Of course I could just copy and paste all the zones also in 'custom' view > >but it doubles the configuration size. On 27.01.09 17:26, Chris Burton wrote: > I've been using an include file for zones common between multiple views, it > might help in your case too. I'm afraid they won't eat the same memory, but each view its own memory. Can anyone confirm, and if I'm right, tell me that it will be better in next BIND releases? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N) ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users