Re: dig and IDN
On 13/10/16 00:17, Mark Elkins wrote: Hi Mark, > Is there any way within dig to switch off the puny to UTF8 translations? > Some flag? Environmental variable? IDN_DISABLE=1 Regards, Anand ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
dig and IDN
O.S. - Lunux Gentoo. BIND/BIND Tools: BIND 9.10.4-P3 I've been using "dig axfr" to fetch signed and unsigned zones for doing comparisons. The output is easy to parse as dig gives one line records - fully qualified - etc. One of the records includes some IDN (Puny) stuff.. xn--caf-dma.dnssec.co.za. A 160.124.48.8 This comes back in a dig axfr as: café.dnssec.co.za. 86400 IN A 160.124.48.8 If I then use "validns" on this "zone-file" - the "café" records are marked as errors. (record name is not valid) Is there any way within dig to switch off the puny to UTF8 translations? Some flag? Environmental variable? Seems like LANG=en_US.utf8 makes the conversion happen. I actually use LANG=en_ZA.utf8 - so I can type French from my US layout ASCII keyboard ps. Checking with dnssec-verify does not give this error. -- Mark James ELKINS - Posix Systems - (South) Africa m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za smime.p7s Description: S/MIME Cryptographic Signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-validation [ ddig_sigchase option ]
On 10/12/16 15:07, Evan Hunt wrote: On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: On 10/12/16 13:36, Evan Hunt wrote: I recommend using "delv" instead. "dig +sigchase" isn't good code. ? well that is news to me :-\ It's code that was contributed over ten years ago; we put it into dig (hidden behind #ifdef's) because at the time there was no better alternative, but we never formally supported it. It's buggy and broken in a number of edge cases and hasn't really kept up with the evolution of DNSSEC. Please try "delv" and if you find that it doesn't meet your needs, let me know so I can try to improve it. NLNetLabs's "drill" is also useful. I expect we'll be removing it in a future release. cool .. so ... any change in our build process here ? A configure change ? Anything ? No, delv is built and installed in BIND 9.10 and higher. Thing of beauty. Now I understand why there wasn't a configure option for sigchase and we needed a define. Makes sense. Moving upwards to 9.11 anyways. Thanks for the info. Dennis ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-validation [ ddig_sigchase option ]
On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: > On 10/12/16 13:36, Evan Hunt wrote: > > I recommend using "delv" instead. "dig +sigchase" isn't good code. > > ? well that is news to me :-\ It's code that was contributed over ten years ago; we put it into dig (hidden behind #ifdef's) because at the time there was no better alternative, but we never formally supported it. It's buggy and broken in a number of edge cases and hasn't really kept up with the evolution of DNSSEC. Please try "delv" and if you find that it doesn't meet your needs, let me know so I can try to improve it. NLNetLabs's "drill" is also useful. > > I expect we'll be removing it in a future release. > > cool .. so ... any change in our build process here ? A configure change > ? Anything ? No, delv is built and installed in BIND 9.10 and higher. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to request ixfr updates against public ip directly instead of unicast ip in bind
On 12.10.16 20:57, rams wrote: I have master and slave servers. When we have updates in master, slave is getting updating after 20 or 30 minutes. When I look into tcpdump pcakets, Slave is trying with master unicast ip to get updates. We don't have port opened slave to master with unicast ip and we have port opened slave to master with public ip. Do we have any option checking for SOA value directly with public ip of master instead of unicast ip. I don't get it. What do you mean by "unicast" and "public" IP? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. On the other hand, you have different fingers. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-validation [ ddig_sigchase option ]
On 10/12/16 13:36, Evan Hunt wrote: On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote: Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" I recommend using "delv" instead. "dig +sigchase" isn't good code. ? well that is news to me :-\ I expect we'll be removing it in a future release. cool .. so ... any change in our build process here ? A configure change ? Anything ? Dennis ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-validation [ ddig_sigchase option ]
On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote: > Was trying to run dig commands to do some dnssec validation and got the > following message " > > "Invalid option: +sigchase" I recommend using "delv" instead. "dig +sigchase" isn't good code. I expect we'll be removing it in a future release. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-validation [ ddig_sigchase option ]
On 10/12/16 11:40, Bhangui, Sandeep - BLS CTR wrote: Hi Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3. Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" When checked found that the dig utility has to be compiled with "-DDIG_SIGCHASE" option for that apparently looks like I have not done when we compiled 9.10.4-P2 I plan to soon compile 9.10.4.-P3 is it simply using " --DDIG_SIGCHASE" when I compile which will than allow me to run the dig binary with the "+sigchase" option? My current compile options are as follows so would I be just adding "--DDIG_SIGCHASE" to get the dig binary which will allow me run dig with +sigchase option when I run the compile for 9.10.4-P3? Create an environment var thus : STD_CDEFINES=-D_TS_ERRNO -D_POSIX_PTHREAD_SEMANTICS -D_LARGEFILE64_SOURCE -DDIG_SIGCHASE=1 The run configure and carry on as usual. Test with : $ dig @my1.mydnsserver.com facebook.com +sigchase +trace Dennis ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
dnssec-validation [ ddig_sigchase option ]
Hi Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3. Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" When checked found that the dig utility has to be compiled with "-DDIG_SIGCHASE" option for that apparently looks like I have not done when we compiled 9.10.4-P2 I plan to soon compile 9.10.4.-P3 is it simply using " --DDIG_SIGCHASE" when I compile which will than allow me to run the dig binary with the "+sigchase" option? My current compile options are as follows so would I be just adding "--DDIG_SIGCHASE" to get the dig binary which will allow me run dig with +sigchase option when I run the compile for 9.10.4-P3? BIND 9.10.4-P2 running on SunOS sun4u 5.10 Generic_150400-39 built by make with '--build=sparc-sun-solaris2.10' '--host=sparc-sun-solaris2.10' '--with-openssl' '--with-libxml2' '--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' '--enable-threads' '--enable-sit' '--enable-largefile' '--enable-full-report' '--enable-fetchlimit' '--prefix=/usr/local/named-jail9.10.4P2' '--bindir=/usr/local/named-jail9.10.4P2/usr/bin' '--sbindir=/usr/local/named-jail9.10.4P2/usr/sbin' '--libexecdir=/usr/local/named-jail9.10.4P2/usr/libexec' '--sysconfdir=/usr/local/named-jail9.10.4P2/etc' '--sharedstatedir=/usr/local/named-jail9.10.4P2/usr/shared' '--localstatedir=/usr/local/named-jail9.10.4P2/var' '--libdir=/usr/local/named-jail9.10.4P2/usr/lib' '--includedir=/usr/local/named-jail9.10.4P2/usr/include' '--mandir=/usr/local/named-jail9.10.4P2/usr/man' 'build_alias=sparc-sun-solaris2.10' 'host_alias=sparc-sun-solaris2.10' Thanks in advance Thanks Sandeep ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to request ixfr updates against public ip directly instead of unicast ip in bind
In article , rams wrote: > Hi, > Greetings!!! > I have master and slave servers. When we have updates in master, slave is > getting updating after 20 or 30 minutes. > When I look into tcpdump pcakets, Slave is trying with master unicast ip to > get updates. We don't have port opened slave to master with unicast ip and > we have port opened slave to master with public ip. > > Do we have any option checking for SOA value directly with public ip of > master instead of unicast ip. It uses whatever address is in the "master" statement in named.conf. -- Barry Margolin Arlington, MA ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
How to request ixfr updates against public ip directly instead of unicast ip in bind
Hi, Greetings!!! I have master and slave servers. When we have updates in master, slave is getting updating after 20 or 30 minutes. When I look into tcpdump pcakets, Slave is trying with master unicast ip to get updates. We don't have port opened slave to master with unicast ip and we have port opened slave to master with public ip. Do we have any option checking for SOA value directly with public ip of master instead of unicast ip. Thanks & Regards, Ramesh ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users