Re: Internal view is answering to external ping

2013-07-31 Thread Barry Margolin
In article ,
 IT Support  wrote:

> Thanks Mark for the advice, that output is my whole named.conf, please 
> let me know if I need to post another output file

It contains:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

One of these files should contain the view configuration.

> 
> This is what I have in my bind folder:
> 
> named.conf
> named.conf.dpkg-dist
> named.conf.local
> named.conf.local.bfRFC1918
> named.conf.local.orig
> named.conf.options
> named.conf.options.dpkg-di
> mydomain.com.hosts
> mydomain.com.hosts.lan
> db.0
> db.127
> db.192
> 192.168.0
> db.192.168.0.internal
> db.192.168.0.internal.jnl
> db.192.168.external
> db.192.168.internal
> db.192.168.internal.jnl
> db.192.internal
> db.192.jnl
> db.255
> db.empty
> db.local
> db.root
> root b
> 
> On 31/07/2013 7:09 PM, Mark Andrews wrote:
> > Post your *full* config not half of it.  How the hell do you expect
> > people to identify problems unless you give them the necessary
> > details.
> >
> > Do you give your car mechanic only access to the boot when you have
> > an engine problem?
> >
> > You said you created views yet you didn't send anything that described
> > how the views were configured.
> >
> > Mark
> >
> > In message <51f9a4dc.6040...@gmail.com>, IT Support writes:
> >> Dear Carl
> >>
> >> Thanks for your answer here the output:
> >>
> >> acl allowed-users {
> >>   localhost;
> >> 200.57.66.77/28;
> >>   192.168.0.0/23;
> >>   189.0.0.0/8;
> >>   172.16.102.1;
> >>   172.28.76.0/24;
> >>   };
> >>
> >> acl internal {
> >>   localhost;
> >> 200.57.66.77/28;
> >>   192.168.0.0/23
> >>   };
> >>
> >> acl slaves {
> >> 200.57.66.78;
> >>   };
> >>
> >> // This is the primary configuration file for the BIND DNS server named.
> >> //
> >> // Please read /usr/share/doc/bind9/README.Debian.gz for information on 
> >> the
> >> // structure of BIND configuration files in Debian, *BEFORE* you customize
> >> // this configuration file.
> >> //
> >> // If you are just adding zones, please do that in
> >> /etc/bind/named.conf.local
> >>
> >> include "/etc/bind/named.conf.options";
> >>
> >> // prime the server with knowledge of the root servers
> >> //zone "." {
> >> //  type hint;
> >> //  file "/etc/bind/db.root";
> >> //};
> >>
> >> // be authoritative for the localhost forward and reverse zones, and for
> >> // broadcast zones as per RFC 1912
> >>
> >> //zone "localhost" {
> >> //  type master;
> >> //  file "/etc/bind/db.local";
> >> //};
> >> //zone "127.in-addr.arpa" {
> >> //  type master;
> >> //  file "/etc/bind/db.127";
> >> //};
> >>
> >> //zone "0.in-addr.arpa" {
> >> //  type master;
> >> //  file "/etc/bind/db.0";
> >> //};
> >>
> >> //zone "255.in-addr.arpa" {
> >> //  type master;
> >> //  file "/etc/bind/db.255";
> >> //};
> >>
> >> //zone "168.192.IN-ADDR.ARPA" {
> >> //type master;
> >> //file "/etc/bind/db.192";
> >> //};
> >>
> >> //zone "10.IN-ADDR.ARPA" {
> >> //  type master;
> >> //  file "/etc/empty";
> >> //};
> >>
> >> //zone "16.172.IN-ADDR.ARPA" {
> >> //  type master;
> >> //  file "/etc/empty";
> >> //};
> >>
> >>
> >>
> >> // zone "com" { type delegation-only; };
> >> // zone "net" { type delegation-only; };
> >>
> >> // From the release notes:
> >> //  Because many of our users are uncomfortable receiving undelegated
> >> answers
> >> //  from root or top level domains, other than a few for whom that 
> >> behaviour
> >> //  has been trusted and expected for quite some length of time, we have 
> >> now
> >> //  introduced the "root-delegations-only" feature which applies
> >> delegation-only
> >> //  logic to all top level domains, and to the root domain.  An
> >> exception list
> >> //  should be specified, including "MUSEUM" and "DE", and any other top
> >> level
> >> //  domains from whom undelegated responses are expected and trusted.
> >> // root-delegation-only exclude { "DE"; "MUSEUM"; };
> >>
> >> include "/etc/bind/named.conf.local";
> >> logging {
> >>   category lame-servers { null; };
> >>   category edns-disabled { null; };
> >>   };
> >> key dhcpupdate {
> >>   algorithm hmac-md5;
> >>   secret "ddjsdfruifhrfr88r8rr5544==";
> >>   };
> >>
> >> Thanks in advance.

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Internal view is answering to external ping

2013-07-31 Thread Mark Andrews

Send the output of "named-checkconf -p".  This will combine all the
configuration files into one file.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Internal view is answering to external ping

2013-07-31 Thread IT Support

Hi Steven

Can you tell me what files I have to post here?

On 31/07/2013 7:04 PM, Steven Carr wrote:
> On 1 August 2013 00:59, IT Support  wrote:
>> Thanks in advance.
>
> Where is your view/zone configuration? (possibly in one of the
> included files) you will need to post that configuration as well.


Re: Internal view is answering to external ping

2013-07-31 Thread IT Support
Thanks Mark for the advice, that output is my whole named.conf, please 
let me know if I need to post another output file


This is what I have in my bind folder:

named.conf
named.conf.dpkg-dist
named.conf.local
named.conf.local.bfRFC1918
named.conf.local.orig
named.conf.options
named.conf.options.dpkg-di
mydomain.com.hosts
mydomain.com.hosts.lan
db.0
db.127
db.192
192.168.0
db.192.168.0.internal
db.192.168.0.internal.jnl
db.192.168.external
db.192.168.internal
db.192.168.internal.jnl
db.192.internal
db.192.jnl
db.255
db.empty
db.local
db.root
root b


Re: Internal view is answering to external ping

2013-07-31 Thread Mark Andrews

Post your *full* config not half of it.  How the hell do you expect
people to identify problems unless you give them the necessary
details.

Do you give your car mechanic only access to the boot when you have
an engine problem?

You said you created views yet you didn't send anything that described
how the views were configured.

Mark

In message <51f9a4dc.6040...@gmail.com>, IT Support writes:
> 
> Dear Carl
> 
> Thanks for your answer here the output:
> 
> acl allowed-users {
>  localhost;
> 200.57.66.77/28;
>  192.168.0.0/23;
>  189.0.0.0/8;
>  172.16.102.1;
>  172.28.76.0/24;
>  };
> 
> acl internal {
>  localhost;
> 200.57.66.77/28;
>  192.168.0.0/23
>  };
> 
> acl slaves {
> 200.57.66.78;
>  };
> 
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in 
> /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> 
> // prime the server with knowledge of the root servers
> //zone "." {
> //  type hint;
> //  file "/etc/bind/db.root";
> //};
> 
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
> 
> //zone "localhost" {
> //  type master;
> //  file "/etc/bind/db.local";
> //};
> //zone "127.in-addr.arpa" {
> //  type master;
> //  file "/etc/bind/db.127";
> //};
> 
> //zone "0.in-addr.arpa" {
> //  type master;
> //  file "/etc/bind/db.0";
> //};
> 
> //zone "255.in-addr.arpa" {
> //  type master;
> //  file "/etc/bind/db.255";
> //};
> 
> //zone "168.192.IN-ADDR.ARPA" {
> //type master;
> //file "/etc/bind/db.192";
> //};
> 
> //zone "10.IN-ADDR.ARPA" {
> //  type master;
> //  file "/etc/empty";
> //};
> 
> //zone "16.172.IN-ADDR.ARPA" {
> //  type master;
> //  file "/etc/empty";
> //};
> 
> 
> 
> // zone "com" { type delegation-only; };
> // zone "net" { type delegation-only; };
> 
> // From the release notes:
> //  Because many of our users are uncomfortable receiving undelegated 
> answers
> //  from root or top level domains, other than a few for whom that behaviour
> //  has been trusted and expected for quite some length of time, we have now
> //  introduced the "root-delegations-only" feature which applies 
> delegation-only
> //  logic to all top level domains, and to the root domain.  An 
> exception list
> //  should be specified, including "MUSEUM" and "DE", and any other top 
> level
> //  domains from whom undelegated responses are expected and trusted.
> // root-delegation-only exclude { "DE"; "MUSEUM"; };
> 
> include "/etc/bind/named.conf.local";
> logging {
>  category lame-servers { null; };
>  category edns-disabled { null; };
>  };
> key dhcpupdate {
>  algorithm hmac-md5;
>  secret "ddjsdfruifhrfr88r8rr5544==";
>  };
> 
> Thanks in advance.
> 
> On 31/07/2013 5:46 PM, Carl Byington wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
> >> I have running bind9 on debian, with master zone for mydomain.com i
> >> created internal view for resolve names on my lan, and external zone
> >> for resolve my host on Internet,
> > standard answer - post your bind config.
> >
> >
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v2.0.14 (GNU/Linux)
> >
> > iEYEARECAAYFAlH5k9MACgkQL6j7milTFsEtzgCeKCNBwf7sAtPQDXC+qU+vq6Go
> > 8esAn2aWS7UaRcqWx8CDgG95+jZA1jXC
> > =knAS
> > -END PGP SIGNATURE-
> >
> >

Re: Internal view is answering to external ping

2013-07-31 Thread Steven Carr
On 1 August 2013 00:59, IT Support  wrote:
> Thanks in advance.

Where is your view/zone configuration? (possibly in one of the
included files) you will need to post that configuration as well.


Re: Internal view is answering to external ping

2013-07-31 Thread IT Support

Dear Carl

Thanks for your answer, here is the output:

acl allowed-users {
localhost;
200.57.66.77/28;
192.168.0.0/23;
189.0.0.0/8;
172.16.102.1;
172.28.76.0/24;
};

acl internal {
localhost;
200.57.66.77/28;
192.168.0.0/23
};

acl slaves {
200.57.66.78;
};

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local


include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
//zone "." {
//  type hint;
//  file "/etc/bind/db.root";
//};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

//zone "localhost" {
//  type master;
//  file "/etc/bind/db.local";
//};
//zone "127.in-addr.arpa" {
//  type master;
//  file "/etc/bind/db.127";
//};

//zone "0.in-addr.arpa" {
//  type master;
//  file "/etc/bind/db.0";
//};

//zone "255.in-addr.arpa" {
//  type master;
//  file "/etc/bind/db.255";
//};

//zone "168.192.IN-ADDR.ARPA" {
//type master;
//file "/etc/bind/db.192";
//};

//zone "10.IN-ADDR.ARPA" {
//  type master;
//  file "/etc/empty";
//};

//zone "16.172.IN-ADDR.ARPA" {
//  type master;
//  file "/etc/empty";
//};



// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
//  Because many of our users are uncomfortable receiving undelegated answers
//  from root or top level domains, other than a few for whom that behaviour
//  has been trusted and expected for quite some length of time, we have now
//  introduced the "root-delegations-only" feature which applies delegation-only
//  logic to all top level domains, and to the root domain.  An exception list
//  should be specified, including "MUSEUM" and "DE", and any other top level
//  domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";
logging {
category lame-servers { null; };
category edns-disabled { null; };
};
key dhcpupdate {
algorithm hmac-md5;
secret "ddjsdfruifhrfr88r8rr5544==";
};

Thanks in advance.

On 31/07/2013 5:46 PM, Carl Byington wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
>> I have running bind9 on debian, with master zone for mydomain.com i
>> created internal view for resolve names on my lan, and external zone
>> for resolve my host on Internet,
> standard answer - post your bind config.
>
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iEYEARECAAYFAlH5k9MACgkQL6j7milTFsEtzgCeKCNBwf7sAtPQDXC+qU+vq6Go
> 8esAn2aWS7UaRcqWx8CDgG95+jZA1jXC
> =knAS
> -END PGP SIGNATURE-



Re: Internal view is answering to external ping

2013-07-31 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 2013-07-31 at 17:39 -0500, IT Support wrote:
> I have running bind9 on debian, with master zone for mydomain.com i
> created internal view for resolve names on my lan, and external zone
> for resolve my host on Internet,

standard answer - post your bind config.


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlH5k9MACgkQL6j7milTFsEtzgCeKCNBwf7sAtPQDXC+qU+vq6Go
8esAn2aWS7UaRcqWx8CDgG95+jZA1jXC
=knAS
-END PGP SIGNATURE-




Internal view is answering to external ping

2013-07-31 Thread IT Support

Hi brothers

I am running bind9 on Debian, with a master zone for mydomain.com. I 
created an internal view to resolve names on my LAN, and an external zone to 
resolve my host on the Internet. This is the working scenario:


Internal view
LAN IP 192.168.0.67
Hostname sales.mydomain.com

External view
WAN IP 200.57.66.77
Hostname sales.mydomain.com

When I ping from another Internet connection I get the answer from the 
internal view:


Pinging sales.mydomain.com [192.168.0.67] with 32 bytes o

Ping statistics for 192.168.0.67
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms

Is it possible to change this issue?

Thanks in advance.
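
The view-selection rule behind this question, as an added example that is not part of the original post: named answers from the first view, in configuration order, whose match-clients list covers the query's source address. The ACLs are the ones posted elsewhere in this thread; the two view statements and the sample client addresses are assumptions, because the poster's view configuration never appears.

```python
import ipaddress

# ACLs as posted in this thread (named.conf). "slaves" is kept for completeness.
ACLS = {
    "internal": ["localhost", "200.57.66.77/28", "192.168.0.0/23"],
    "slaves": ["200.57.66.78"],
}

# ASSUMPTION: the view statements never appear in the thread. These two are
# hypothetical, in file order: internal first, then a catch-all external view.
VIEWS = [
    ("internal", ["internal"]),   # match-clients { internal; };
    ("external", ["any"]),        # match-clients { any; };
]

# Simplification: BIND's built-in "localhost" ACL also matches every address
# configured on the server; only loopback is modelled here.
LOCALHOST = ["127.0.0.0/8", "::1/128"]
ANY = ["0.0.0.0/0", "::/0"]


def expand(element, acls=ACLS):
    """Resolve one address-match-list element to a list of ip_network objects."""
    if element == "any":
        return [ipaddress.ip_network(n) for n in ANY]
    if element == "localhost":
        return [ipaddress.ip_network(n) for n in LOCALHOST]
    if element in acls:
        return [net for item in acls[element] for net in expand(item, acls)]
    # strict=False masks host bits, so the posted 200.57.66.77/28 is read as
    # the 16-address block that contains it.
    return [ipaddress.ip_network(element, strict=False)]


def select_view(client, views=VIEWS, acls=ACLS):
    """Return the first view whose match-clients covers the query source."""
    addr = ipaddress.ip_address(client)
    for name, match_clients in views:
        for element in match_clients:
            for net in expand(element, acls):
                if addr.version == net.version and addr in net:
                    return name
    return None  # no view matched


if __name__ == "__main__":
    # Constructed query sources; 203.0.113.9 is a documentation address.
    for src in ("192.168.1.20", "200.57.66.70", "200.57.66.80", "203.0.113.9"):
        print(f"{src:15} -> {select_view(src)}")
```

The address that matters is the one named sees as the query source, which for an Internet client is usually its recursive resolver or a NAT address rather than the machine running ping. With these ACLs every source in 200.57.66.64 through 200.57.66.79 selects the internal view.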


[auto-dnssec] Switching to NSEC3 leaves behind stale NSEC signatures?

2013-07-31 Thread Stephane Bortzmeyer
I have a zone maintained by:

inline-signing yes;
auto-dnssec maintain;
update-policy local; 

I switched it from the default NSEC to NSEC3 with:

rndc signing -nsec3param 1 0 10  68f499ee auto.rd.nic.fr

It seems to work but the zone still contains NSEC signatures (but no
NSEC records):

auto.rd.nic.fr. 86400   IN  RRSIG   NSEC 8 4 86400 20130829140232 
20130730135801 53989 auto.rd.nic.fr. 
FNHDlnIq1fN0bVJtLvP56BNw3Pydmogp8KWn2n200zMWSuHrq1sgU3Q3 
cv8o+Cbr6w871IHBKwd+edz67URntzWferPzy2aklAEIdsRlvHSDHJyD 
WzUs915+GeUR0NOU2m/zfWQBAYBj8UP2i1puxh4NBzfnGF9ChCRKuhrT 
pBz+hxgdNKpQ2rt+NkBXFGKtZUz1eIDCpiT5F8CweetnajSyKRUVFCod 
emrOfdR1axr4Bp5Jaokrp5XbC2tefSs+NqXJycHBhmMGisAXOho4fOKY 
5OWMb7IrcXA0xh8LUF5+uuQ6mpM7j+i0ZLiubt2TR6VxkcGbb4yfXWef x7vYAQ==

Some checking tools complain. For instance, validns:

auto.rd.nic.fr:8: auto.rd.nic.fr. RRSIG exists for non-existing type NSEC

Is it a bug? Or did I use the wrong procedure to switch to NSEC3?

BIND 9.9.2-P1 (the last version in the current Ubuntu)
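
The condition validns reports in this post, an RRSIG whose covered type has no RRset at the same owner name, can be checked over a zone dump as follows. This is an added example, not code from the post and not validns's implementation; the sample zone is constructed (placeholder signatures and hashed label) and the parser assumes a fully qualified owner on every record, as in a zone transfer dump.

```python
"""Flag RRSIGs that cover a type with no RRset at the same owner name."""

# Constructed sample modelled on the zone in the post. "c2ln" stands in for
# signature data and the aaaa/bbbb labels stand in for NSEC3 hashes.
SIG = "20130829140232 20130730135801 53989 auto.rd.nic.fr. c2ln"
SAMPLE_ZONE = f"""\
auto.rd.nic.fr. 86400 IN SOA ns1.example. hostmaster.example. 2013073101 3600 900 604800 86400
auto.rd.nic.fr. 86400 IN RRSIG SOA 8 4 86400 {SIG}
auto.rd.nic.fr. 86400 IN NS ns1.example.
auto.rd.nic.fr. 86400 IN RRSIG NS 8 4 86400 {SIG}
auto.rd.nic.fr. 0 IN NSEC3PARAM 1 0 10 68F499EE
auto.rd.nic.fr. 0 IN RRSIG NSEC3PARAM 8 4 0 {SIG}
auto.rd.nic.fr. 86400 IN RRSIG NSEC 8 4 86400 (
        {SIG} )  ; left over from before the switch
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.auto.rd.nic.fr. 86400 IN NSEC3 1 0 10 68F499EE (
        bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb NS SOA RRSIG NSEC3PARAM )
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.auto.rd.nic.fr. 86400 IN RRSIG NSEC3 8 5 86400 {SIG}
"""

CLASSES = {"IN", "CH", "HS"}


def parse_records(text):
    """Yield (owner, type, rdata_fields) for each record in the zone text."""
    pending = ""
    for raw in text.splitlines():
        pending += " " + raw.split(";", 1)[0]       # drop trailing comments
        if pending.count("(") > pending.count(")"):
            continue                                # record continues on next line
        fields = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        if not fields or fields[0].startswith("$"):
            continue                                # blank line or $TTL/$ORIGIN
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]                         # skip TTL and class
        if rest:
            yield owner, rest[0].upper(), rest[1:]


def orphan_rrsigs(text):
    """Return sorted (owner, covered_type) pairs whose RRset is missing."""
    present, covered = set(), set()
    for owner, rrtype, rdata in parse_records(text):
        if rrtype == "RRSIG" and rdata:
            covered.add((owner, rdata[0].upper()))  # first RDATA field: type covered
        else:
            present.add((owner, rrtype))
    return sorted(covered - present)


if __name__ == "__main__":
    for owner, rrtype in orphan_rrsigs(SAMPLE_ZONE):
        print(f"{owner} RRSIG exists for non-existing type {rrtype}")
```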