Re: Internal view is answering to external ping
In article , IT Support wrote:
> Thanks Mark for the advice, that output is my whole named.conf, please
> let me know if I need to post another output file

It contains:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

One of these files should contain the view configuration.

> This is what I have in my bind folder:
>
> named.conf
> named.conf.dpkg-dist
> named.conf.local
> named.conf.local.bfRFC1918
> named.conf.local.orig
> named.conf.options
> named.conf.options.dpkg-di
> mydomain.com.hosts
> mydomain.com.hosts.lan
> db.0
> db.127
> db.192
> 192.168.0
> db.192.168.0.internal
> db.192.168.0.internal.jnl
> db.192.168.external
> db.192.168.internal
> db.192.168.internal.jnl
> db.192.internal
> db.192.jnl
> db.255
> db.empty
> db.local
> db.root
> root b
>
> On 31/07/2013 7:09 PM, Mark Andrews wrote:
> > Post your *full* config not half of it. How the hell do you expect
> > people to identify problems unless you give them the necessary
> > details.
> >
> > Do you give your car mechanic only access to the boot when you have
> > an engine problem?
> >
> > You said you created views yet you didn't send anything that described
> > how the views were configured.
> >
> > Mark
> >
> > In message <51f9a4dc.6040...@gmail.com>, IT Support writes:
> >> Dear Carl
> >>
> >> Thanks for your answer here the output:
> >>
> >> acl allowed-users {
> >>     localhost;
> >>     200.57.66.77/28;
> >>     192.168.0.0/23;
> >>     189.0.0.0/8;
> >>     172.16.102.1;
> >>     172.28.76.0/24;
> >> };
> >>
> >> acl internal {
> >>     localhost;
> >>     200.57.66.77/28;
> >>     192.168.0.0/23
> >> };
> >>
> >> acl slaves {
> >>     200.57.66.78;
> >> };
> >>
> >> // This is the primary configuration file for the BIND DNS server named.
> >> //
> >> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> >> // structure of BIND configuration files in Debian, *BEFORE* you customize
> >> // this configuration file.
> >> //
> >> // If you are just adding zones, please do that in /etc/bind/named.conf.local
> >>
> >> include "/etc/bind/named.conf.options";
> >>
> >> // prime the server with knowledge of the root servers
> >> //zone "." {
> >> // type hint;
> >> // file "/etc/bind/db.root";
> >> //};
> >>
> >> // be authoritative for the localhost forward and reverse zones, and for
> >> // broadcast zones as per RFC 1912
> >>
> >> //zone "localhost" {
> >> // type master;
> >> // file "/etc/bind/db.local";
> >> //};
> >> //zone "127.in-addr.arpa" {
> >> // type master;
> >> // file "/etc/bind/db.127";
> >> //};
> >>
> >> //zone "0.in-addr.arpa" {
> >> // type master;
> >> // file "/etc/bind/db.0";
> >> //};
> >>
> >> //zone "255.in-addr.arpa" {
> >> // type master;
> >> // file "/etc/bind/db.255";
> >> //};
> >>
> >> //zone "168.192.IN-ADDR.ARPA" {
> >> //type master;
> >> //file "/etc/bind/db.192";
> >> //};
> >>
> >> //zone "10.IN-ADDR.ARPA" {
> >> // type master;
> >> // file "/etc/empty";
> >> //};
> >>
> >> //zone "16.172.IN-ADDR.ARPA" {
> >> // type master;
> >> // file "/etc/empty";
> >> //};
> >>
> >> // zone "com" { type delegation-only; };
> >> // zone "net" { type delegation-only; };
> >>
> >> // From the release notes:
> >> // Because many of our users are uncomfortable receiving undelegated answers
> >> // from root or top level domains, other than a few for whom that behaviour
> >> // has been trusted and expected for quite some length of time, we have now
> >> // introduced the "root-delegations-only" feature which applies delegation-only
> >> // logic to all top level domains, and to the root domain. An exception list
> >> // should be specified, including "MUSEUM" and "DE", and any other top level
> >> // domains from whom undelegated responses are expected and trusted.
> >> // root-delegation-only exclude { "DE"; "MUSEUM"; };
> >>
> >> include "/etc/bind/named.conf.local";
> >> logging {
> >>     category lame-servers { null; };
> >>     category edns-disabled { null; };
> >> };
> >> key dhcpupdate {
> >>     algorithm hmac-md5;
> >>     secret "ddjsdfruifhrfr88r8rr5544==";
> >> };
> >>
> >> Thanks in advance.

-- 
Barry Margolin
Arlington, MA
Re: Internal view is answering to external ping
Send the output of "named-checkconf -p". This will combine all the
configuration files into one file.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Internal view is answering to external ping
Hi Steven

Can you tell me what files do I have to post here?

On 31/07/2013 7:04 PM, Steven Carr wrote:
> On 1 August 2013 00:59, IT Support wrote:
>> Thanks in advance.
>
> Where is your view/zone configuration? (possibly in one of the included
> files) you will need to post that configuration as well.
Re: Internal view is answering to external ping
Thanks Mark for the advice, that output is my whole named.conf, please
let me know if I need to post another output file

This is what I have in my bind folder:

named.conf
named.conf.dpkg-dist
named.conf.local
named.conf.local.bfRFC1918
named.conf.local.orig
named.conf.options
named.conf.options.dpkg-di
mydomain.com.hosts
mydomain.com.hosts.lan
db.0
db.127
db.192
192.168.0
db.192.168.0.internal
db.192.168.0.internal.jnl
db.192.168.external
db.192.168.internal
db.192.168.internal.jnl
db.192.internal
db.192.jnl
db.255
db.empty
db.local
db.root
root b

On 31/07/2013 7:09 PM, Mark Andrews wrote:
> Post your *full* config not half of it. How the hell do you expect
> people to identify problems unless you give them the necessary
> details.
>
> Do you give your car mechanic only access to the boot when you have
> an engine problem?
>
> You said you created views yet you didn't send anything that described
> how the views were configured.
>
> Mark
>
> In message <51f9a4dc.6040...@gmail.com>, IT Support writes:
>> Dear Carl
>>
>> Thanks for your answer here the output:
>>
>> acl allowed-users {
>>     localhost;
>>     200.57.66.77/28;
>>     192.168.0.0/23;
>>     189.0.0.0/8;
>>     172.16.102.1;
>>     172.28.76.0/24;
>> };
>>
>> acl internal {
>>     localhost;
>>     200.57.66.77/28;
>>     192.168.0.0/23
>> };
>>
>> acl slaves {
>>     200.57.66.78;
>> };
>>
>> // This is the primary configuration file for the BIND DNS server named.
>> //
>> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>> // structure of BIND configuration files in Debian, *BEFORE* you customize
>> // this configuration file.
>> //
>> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>>
>> include "/etc/bind/named.conf.options";
>>
>> // prime the server with knowledge of the root servers
>> //zone "." {
>> // type hint;
>> // file "/etc/bind/db.root";
>> //};
>>
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> //zone "localhost" {
>> // type master;
>> // file "/etc/bind/db.local";
>> //};
>> //zone "127.in-addr.arpa" {
>> // type master;
>> // file "/etc/bind/db.127";
>> //};
>>
>> //zone "0.in-addr.arpa" {
>> // type master;
>> // file "/etc/bind/db.0";
>> //};
>>
>> //zone "255.in-addr.arpa" {
>> // type master;
>> // file "/etc/bind/db.255";
>> //};
>>
>> //zone "168.192.IN-ADDR.ARPA" {
>> //type master;
>> //file "/etc/bind/db.192";
>> //};
>>
>> //zone "10.IN-ADDR.ARPA" {
>> // type master;
>> // file "/etc/empty";
>> //};
>>
>> //zone "16.172.IN-ADDR.ARPA" {
>> // type master;
>> // file "/etc/empty";
>> //};
>>
>> // zone "com" { type delegation-only; };
>> // zone "net" { type delegation-only; };
>>
>> // From the release notes:
>> // Because many of our users are uncomfortable receiving undelegated answers
>> // from root or top level domains, other than a few for whom that behaviour
>> // has been trusted and expected for quite some length of time, we have now
>> // introduced the "root-delegations-only" feature which applies delegation-only
>> // logic to all top level domains, and to the root domain. An exception list
>> // should be specified, including "MUSEUM" and "DE", and any other top level
>> // domains from whom undelegated responses are expected and trusted.
>> // root-delegation-only exclude { "DE"; "MUSEUM"; };
>>
>> include "/etc/bind/named.conf.local";
>> logging {
>>     category lame-servers { null; };
>>     category edns-disabled { null; };
>> };
>> key dhcpupdate {
>>     algorithm hmac-md5;
>>     secret "ddjsdfruifhrfr88r8rr5544==";
>> };
>>
>> Thanks in advance.
>>
>> On 31/07/2013 5:46 PM, Carl Byington wrote:
>>> On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
>>>> I have running bind9 on debian, with master zone for mydomain.com I
>>>> created internal view for resolve names on my lan, and external zone
>>>> for resolve my host on Internet,
>>> standard answer - post your bind config.
Re: Internal view is answering to external ping
Post your *full* config not half of it. How the hell do you expect
people to identify problems unless you give them the necessary
details.

Do you give your car mechanic only access to the boot when you have
an engine problem?

You said you created views yet you didn't send anything that described
how the views were configured.

Mark

In message <51f9a4dc.6040...@gmail.com>, IT Support writes:
> Dear Carl
>
> Thanks for your answer here the output:
>
> acl allowed-users {
>     localhost;
>     200.57.66.77/28;
>     192.168.0.0/23;
>     189.0.0.0/8;
>     172.16.102.1;
>     172.28.76.0/24;
> };
>
> acl internal {
>     localhost;
>     200.57.66.77/28;
>     192.168.0.0/23
> };
>
> acl slaves {
>     200.57.66.78;
> };
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
>
> // prime the server with knowledge of the root servers
> //zone "." {
> // type hint;
> // file "/etc/bind/db.root";
> //};
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> //zone "localhost" {
> // type master;
> // file "/etc/bind/db.local";
> //};
> //zone "127.in-addr.arpa" {
> // type master;
> // file "/etc/bind/db.127";
> //};
>
> //zone "0.in-addr.arpa" {
> // type master;
> // file "/etc/bind/db.0";
> //};
>
> //zone "255.in-addr.arpa" {
> // type master;
> // file "/etc/bind/db.255";
> //};
>
> //zone "168.192.IN-ADDR.ARPA" {
> //type master;
> //file "/etc/bind/db.192";
> //};
>
> //zone "10.IN-ADDR.ARPA" {
> // type master;
> // file "/etc/empty";
> //};
>
> //zone "16.172.IN-ADDR.ARPA" {
> // type master;
> // file "/etc/empty";
> //};
>
> // zone "com" { type delegation-only; };
> // zone "net" { type delegation-only; };
>
> // From the release notes:
> // Because many of our users are uncomfortable receiving undelegated answers
> // from root or top level domains, other than a few for whom that behaviour
> // has been trusted and expected for quite some length of time, we have now
> // introduced the "root-delegations-only" feature which applies delegation-only
> // logic to all top level domains, and to the root domain. An exception list
> // should be specified, including "MUSEUM" and "DE", and any other top level
> // domains from whom undelegated responses are expected and trusted.
> // root-delegation-only exclude { "DE"; "MUSEUM"; };
>
> include "/etc/bind/named.conf.local";
> logging {
>     category lame-servers { null; };
>     category edns-disabled { null; };
> };
> key dhcpupdate {
>     algorithm hmac-md5;
>     secret "ddjsdfruifhrfr88r8rr5544==";
> };
>
> Thanks in advance.
>
> On 31/07/2013 5:46 PM, Carl Byington wrote:
> > On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
> >> I have running bind9 on debian, with master zone for mydomain.com I
> >> created internal view for resolve names on my lan, and external zone
> >> for resolve my host on Internet,
> > standard answer - post your bind config.
Re: Internal view is answering to external ping
On 1 August 2013 00:59, IT Support wrote:
> Thanks in advance.

Where is your view/zone configuration? (possibly in one of the included
files) you will need to post that configuration as well.
Re: Internal view is answering to external ping
Dear Carl

Thanks for your answer here the output:

acl allowed-users {
    localhost;
    200.57.66.77/28;
    192.168.0.0/23;
    189.0.0.0/8;
    172.16.102.1;
    172.28.76.0/24;
};

acl internal {
    localhost;
    200.57.66.77/28;
    192.168.0.0/23
};

acl slaves {
    200.57.66.78;
};

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
//zone "." {
// type hint;
// file "/etc/bind/db.root";
//};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

//zone "localhost" {
// type master;
// file "/etc/bind/db.local";
//};
//zone "127.in-addr.arpa" {
// type master;
// file "/etc/bind/db.127";
//};

//zone "0.in-addr.arpa" {
// type master;
// file "/etc/bind/db.0";
//};

//zone "255.in-addr.arpa" {
// type master;
// file "/etc/bind/db.255";
//};

//zone "168.192.IN-ADDR.ARPA" {
//type master;
//file "/etc/bind/db.192";
//};

//zone "10.IN-ADDR.ARPA" {
// type master;
// file "/etc/empty";
//};

//zone "16.172.IN-ADDR.ARPA" {
// type master;
// file "/etc/empty";
//};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";
logging {
    category lame-servers { null; };
    category edns-disabled { null; };
};
key dhcpupdate {
    algorithm hmac-md5;
    secret "ddjsdfruifhrfr88r8rr5544==";
};

Thanks in advance.

On 31/07/2013 5:46 PM, Carl Byington wrote:
> On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
>> I have running bind9 on debian, with master zone for mydomain.com I
>> created internal view for resolve names on my lan, and external zone
>> for resolve my host on Internet,
> standard answer - post your bind config.
Re: Internal view is answering to external ping
On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
> I have running bind9 on debian, with master zone for mydomain.com I
> created internal view for resolve names on my lan, and external zone
> for resolve my host on Internet,

standard answer - post your bind config.
Internal view is answering to external ping
Hi brothers

I have running bind9 on debian, with master zone for mydomain.com I
created internal view for resolve names on my lan, and external zone
for resolve my host on Internet, this is the working scenario

Internal view
LAN IP 192.168.0.67
Hostname sales.mydomain.com

External view
WAN IP 200.57.66.77
Hostname sales.mydomain.com

When I make a ping from another Internet access I get the answer from
internal View

Pinging sales.mydomain.com [192.168.0.67] with 32 bytes o

Ping statistics for 192.168.0.67
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms

Is it possible to change this issue?

Thanks in advance.
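
How named chooses a view for a client, as an added example that is not part of the original thread or of anyone's posted configuration. The ACL entries are the ones posted in the replies; the view statements were never posted, so the two views, their order and their match-clients lists are assumptions.

```python
import ipaddress

# ACLs as posted in the thread. "localhost" is left out because it matches
# only the server's own interface addresses, not remote clients.
ACLS = {
    "internal": ["200.57.66.77/28", "192.168.0.0/23"],
    "allowed-users": ["200.57.66.77/28", "192.168.0.0/23", "189.0.0.0/8",
                      "172.16.102.1", "172.28.76.0/24"],
}

# ASSUMPTION: hypothetical split-horizon layout, since the real view
# statements do not appear anywhere on the page.
VIEWS = [
    ("internal", ["internal"]),   # match-clients { internal; };
    ("external", ["any"]),        # match-clients { any; };
]


def acl_networks(name):
    """Expand an ACL name into networks; host bits in a prefix are masked."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(entry, strict=False) for entry in ACLS[name]]


def acl_span(entry):
    """First and last address an ACL entry really covers."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net[0]), str(net[-1])


def select_view(client_ip, views=VIEWS):
    """Return the first view whose match-clients contains client_ip.

    named walks the views in configuration order and stops at the first
    match, so both the order and the width of each ACL decide the answer.
    """
    addr = ipaddress.ip_address(client_ip)
    for view_name, match_clients in views:
        for acl in match_clients:
            if any(addr in net for net in acl_networks(acl)):
                return view_name
    return None  # no view matched: named refuses the query


if __name__ == "__main__":
    print("200.57.66.77/28 covers", acl_span("200.57.66.77/28"))
    # 198.51.100.10 is a documentation address standing in for an outside host.
    for ip in ("192.168.0.67", "200.57.66.70", "198.51.100.10"):
        print(ip, "->", select_view(ip))
```

Running the same source addresses through the real view list from "named-checkconf -p" shows which view each querying resolver lands in.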
[auto-dnssec] Switching to NSEC3 leaves behind stale NSEC signatures?
I have a zone maintained by:

inline-signing yes;
auto-dnssec maintain;
update-policy local;

I switched it from the default NSEC to NSEC3 with:

rndc signing -nsec3param 1 0 10 68f499ee auto.rd.nic.fr

It seems to work but the zone still contains NSEC signatures (but no
NSEC records):

auto.rd.nic.fr. 86400 IN RRSIG NSEC 8 4 86400 20130829140232 20130730135801 53989 auto.rd.nic.fr. FNHDlnIq1fN0bVJtLvP56BNw3Pydmogp8KWn2n200zMWSuHrq1sgU3Q3 cv8o+Cbr6w871IHBKwd+edz67URntzWferPzy2aklAEIdsRlvHSDHJyD WzUs915+GeUR0NOU2m/zfWQBAYBj8UP2i1puxh4NBzfnGF9ChCRKuhrT pBz+hxgdNKpQ2rt+NkBXFGKtZUz1eIDCpiT5F8CweetnajSyKRUVFCod emrOfdR1axr4Bp5Jaokrp5XbC2tefSs+NqXJycHBhmMGisAXOho4fOKY 5OWMb7IrcXA0xh8LUF5+uuQ6mpM7j+i0ZLiubt2TR6VxkcGbb4yfXWef x7vYAQ==

Some checking tools complain. For instance, validns:

auto.rd.nic.fr:8: auto.rd.nic.fr. RRSIG exists for non-existing type NSEC

Is it a bug? Or did I use the wrong procedure to switch to NSEC3?

BIND 9.9.2-P1 (the last version in the current Ubuntu)
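
The kind of check behind the complaint quoted above, as an added example that is not validns code and not part of the original post: it reports every RRSIG whose covered type has no RRset at the same owner name, so it goes beyond NSEC to any type. The zone excerpt is constructed (example.test, placeholder signatures) and assumes one fully qualified record per line, as in a zone transfer dump.

```python
from collections import defaultdict

# Constructed zone excerpt, not the poster's zone. After a switch to NSEC3 the
# apex carries NSEC3PARAM and no NSEC record, yet one RRSIG still covers NSEC.
# "c2lnbmF0dXJl" is a placeholder, not a real signature.
ZONE = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 2013073001 3600 900 604800 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20130829140232 20130730135801 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20130829140232 20130730135801 12345 example.test. c2lnbmF0dXJl
example.test. 0 IN NSEC3PARAM 1 0 10 68f499ee
example.test. 0 IN RRSIG NSEC3PARAM 8 2 0 20130829140232 20130730135801 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG NSEC 8 2 3600 20130829140232 20130730135801 12345 example.test. c2lnbmF0dXJl ; stale
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20130829140232 20130730135801 12345 example.test. c2lnbmF0dXJl
"""


def parse_records(text):
    """Yield (owner, type, rdata fields) from one-record-per-line zone text.

    Assumes explicit owner, TTL and class on every line and no ';' inside
    quoted rdata; multi-line records in parentheses are not handled.
    """
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        yield owner.lower(), rtype.upper(), rdata


def orphan_rrsigs(text):
    """Return sorted (owner, covered type) pairs that have a signature but no RRset."""
    present = defaultdict(set)   # owner -> record types that exist there
    covered = defaultdict(set)   # owner -> types that an RRSIG claims to cover
    for owner, rtype, rdata in parse_records(text):
        if rtype == "RRSIG":
            covered[owner].add(rdata[0].upper())   # first rdata field: type covered
        else:
            present[owner].add(rtype)
    return sorted((owner, t)
                  for owner, types in covered.items()
                  for t in types - present[owner])


if __name__ == "__main__":
    for owner, rtype in orphan_rrsigs(ZONE):
        print(f"{owner} RRSIG exists for non-existing type {rtype}")
```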