Re: Help understanding lame server error
In message [EMAIL PROTECTED], Scott Haneda writes:

> I have a good deal of lame server errors in my logs, which I am not entirely understanding.
>
> 19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
> 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53
> 19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53
> 19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53
> 19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53
>
> My server is not allowing recursion, other than to localnets. About the only thing hitting it is an email server. So I am not clear on why these lookups are happening, or why they are coming from all these other IPs.

The IP addresses above are the ones your server is querying.

> --
> Scott
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
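A small parser for the lame-servers lines quoted above, added here as an example and not part of the post. It makes Mark's point mechanically: the address at the end of each line is the server the resolver sent its query to, not the source of the lookup, so grouping by that field tells you which remote servers were lame for which reverse zones. The `lookups_explained` helper reverses the in-addr.arpa names back into the IPv4 addresses being reverse-mapped; a mail server reverse-mapping connecting clients is a plausible source of such PTR lookups, but that is an inference, not something the post states.

```python
"""Group BIND 'lame-servers' log lines by the server that was queried.

Added example, not code from the mailing-list post.  The log lines below are
the ones quoted in the post.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53
19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53
19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53
19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53
"""

# Fields: timestamp, severity, queried name, zone the resolver thought the
# server was authoritative for, and the address#port of that server.
LAME_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: \w+: lame server resolving "
    r"'(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)$"
)


def parse_lame_line(line):
    """Return a dict of the fields, or None if the line is not a lame-server entry."""
    m = LAME_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(log_text):
    """Map each queried server (the address the resolver talked TO) to the
    sorted list of zones it answered lamely for."""
    by_server = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_lame_line(line)
        if rec:
            by_server[rec["server"]].add(rec["zone"])
    return {server: sorted(zones) for server, zones in by_server.items()}


def lookups_explained(log_text):
    """Turn the queried in-addr.arpa names back into the IPv4 addresses that
    were being reverse-mapped (the hosts the local lookups were about)."""
    addrs = []
    suffix = ".in-addr.arpa"
    for line in log_text.splitlines():
        rec = parse_lame_line(line)
        if rec and rec["qname"].endswith(suffix):
            octets = rec["qname"][: -len(suffix)].split(".")
            addrs.append(".".join(reversed(octets)))
    return addrs


if __name__ == "__main__":
    for server, zones in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{server:16} lame for {', '.join(zones)}")
    print("addresses being reverse-mapped:", lookups_explained(SAMPLE_LOG))
```

Run it over a real `named` log (one line per entry, as BIND writes them) to see which remote servers, rather than which clients, are behind the noise; the entries are informational and do not indicate that anything is querying the local server.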
Re: Dropping external recursive requests
In message [EMAIL PROTECTED], Alberto Colosi/SI/RM/GSI/it writes:

> why not? better handled by isc and done in a clean way than 1.000.000 of dirty ways as these ;)

Please go read RFC 5358. Nowhere in there does it say to drop responses. If we thought that dropping queries was a good idea it would have been explicitly documented in RFC 5358. Not offering recursive service means returning REFUSED.

> ---
> Alberto Colosi
> IBM Global Business Services
> Sistemi Informativi S.P.A.
> IT NetWork Security Department
> *-* *-* *-* SECURITY IS EVERYONE'S BUSINESS
> Member of IBM Information Security WW CoP

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
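To make the REFUSED point concrete, here is an added example (not code from the post or from BIND) that builds the response an authoritative-only server sends to a query it will not recurse for: same ID, opcode and RD as the query, QR set, RA clear, RCODE 5 (REFUSED), question echoed. The client then knows immediately that no recursive service is offered here, instead of timing out and retrying as it would if the query were silently dropped. The `build_query` helper exists only so the block can exercise itself.

```python
"""Construct a REFUSED answer to a DNS query (RFC 1035 header layout).

Added example, not from the post or from BIND.
"""
import struct

RCODE_REFUSED = 5
FLAG_QR = 0x8000       # response
FLAG_RD = 0x0100       # recursion desired (copied from the query)
FLAG_RA = 0x0080       # recursion available (deliberately left clear)
OPCODE_MASK = 0x7800   # four opcode bits (copied from the query)


def parse_header(msg):
    """Split the 12-byte header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def question_length(msg):
    """Byte length of the first question (QNAME + QTYPE + QCLASS) at offset 12."""
    i = 12
    while True:
        if i >= len(msg):
            raise ValueError("truncated question name")
        n = msg[i]
        if n == 0:            # root label ends the name
            i += 1
            break
        if n & 0xC0:          # a compression pointer also ends the name
            i += 2
            break
        i += 1 + n
    if i + 4 > len(msg):
        raise ValueError("truncated question")
    return i + 4 - 12


def refused_response(query):
    """Return the wire-format REFUSED response for `query`."""
    h = parse_header(query)
    # Keep opcode and RD from the query; set QR; clear AA, TC, RA; RCODE=5.
    flags = (h["flags"] & (OPCODE_MASK | FLAG_RD)) | FLAG_QR | RCODE_REFUSED
    qlen = question_length(query) if h["qdcount"] else 0
    header = struct.pack("!HHHHHH", h["id"], flags, 1 if qlen else 0, 0, 0, 0)
    return header + query[12:12 + qlen]


def rcode(msg):
    return parse_header(msg)["flags"] & 0x000F


def build_query(name, qtype=1, ident=0x1234, rd=True):
    """Minimal query builder, used here only to exercise refused_response."""
    labels = name.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    flags = FLAG_RD if rd else 0
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + wire + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    q = build_query("www.example.com")
    r = refused_response(q)
    print("rcode:", rcode(r), "flags: 0x%04x" % parse_header(r)["flags"])
```

The choice of what the server does is made in `named.conf` (the `allow-recursion` ACL), not in code like this; the block only shows what a correct REFUSED response looks like on the wire so you can recognise it in a packet capture.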
BIND 9.5.1rc1 is now available.
BIND 9.5.1rc1 is now available. BIND 9.5.1rc1 is a maintenance release candidate for BIND 9.5.

BIND 9.5.1rc1 can be downloaded from
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz

The PGP signature of the distribution is at
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at http://www.isc.org/about/openpgp/pgpkey2006.txt.

A binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.1rc1 released ---

2498. [bug] Removed a bogus function argument used with ISC_SOCKET_USE_POLLWATCH: it could cause compiler warning or crash named with the debug 1 level of logging. [RT #18917]
2496. [bug] Add sanity length checks to NSID option. [RT #18813]
2495. [bug] Tighten RRSIG checks. [RT #18795]
2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being installed. [RT #18826]
2493. [bug] The linux capabilities code was not correctly cleaning up after itself. [RT #18767]
2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO is cleared when IPV6_V6ONLY is set. [RT #18785]
2489. [port] solaris: Workaround Solaris's kernel bug about /dev/poll: http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Define ISC_SOCKET_USE_POLLWATCH at build time to enable this workaround. [RT #18870]
2487. [bug] Give TCP connections longer to complete. [RT #18675]
2485. [bug] Change update's handling of obscured RRSIG records. Not all orphaned DS records were being removed. [RT #18828]
2482. [port] libxml2: support versions 2.7.* in addition to 2.6.*. [RT #18806]
2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
2478. [bug] 'addresses' could be used uninitialized in configure_forward(). [RT #18800]
2476. [doc] ARM: improve documentation for max-journal-size and ixfr-from-differences. [RT #15909] [RT #18541]

--- 9.5.1b3 released ---

2475. [bug] LRU cache cleanup under overmem condition could purge particular entries more aggressively. [RT #17628]
2474. [bug] ACL structures could be allocated with insufficient space, causing an array overrun. [RT #18765]
2473. [port] linux: raise the limit on open files to the possible maximum value before spawning threads; 'files' specified in named.conf doesn't seem to work with threads as expected. [RT #18784]
2472. [port] linux: check the number of available cpu's before calling chroot as it depends on /proc. [RT #16923]
2471. [bug] named-checkzone was not reporting missing mandatory glue when sibling checks were disabled. [RT #18768]
2470. [bug] Elements of the isc_radix_node_t could be incorrectly overwritten. [RT #18719]
2469. [port] solaris: Work around Solaris's select() limitations. [RT #18769]
2468. [bug] Resolver could try unreachable servers multiple times. [RT #18739]
2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue. [RT #18302]
2465. [bug] Adb's handling of lame addresses was different for IPv4 and IPv6. [RT #18738]
2464. [port] linux: check that a capability is present before trying to set it. [RT #18135]
2463. [port] linux:
Re: Oddities in my named.log. Can you explain?
There is a windows box configured to use your domain name and it is trying to lookup/update the active directory configuration. Send a Cease and Desist letter stating that you are the registered owner of the domain name in question and they should cease using it.

Mark

In message [EMAIL PROTECTED], Keve Nagy writes:

> Hi Everyone,
>
> I see some oddities frequently showing up in our BIND logfiles. This is on the official primary NS for our domain.
>
> *Oddity_type#1*
>
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
>
> Please note that the only thing I changed here is the domain name. I did not capitalize it, the original domain name also got logged this way. And yes, the original hostname queried was server, I did not change that either. These are repeatedly coming from the same source IP address, once in every 10-70 minutes. We have never had a host named server. So why would an external machine keep asking for a hostname we never had? Especially with such an obvious name! Also, why is the domain part capitalized for these queries, and not in any proper/legitimate query? I assume this is what the query was for. The original request must have been for server.EXAMPLE.COM, having the domain part this way capitalized in the query itself. So why would a remote system look for a never existed host named server in our system, with the domain name capitalized? Any legitimate reason you could think of?
>
> *Oddity_type#2*
>
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>
> Again note, that I only changed the name of the domain and I did not alter the capitalization or the hostname. These are from another source IP address, but always the same one. For some reason, also looking for the host named server. And a few minutes later, it seems to try to update the domain database. By the way, no host is allowed to update our DNS records. The zone files are updated by hand only. And this has always been the case, no exceptions.
>
> *Oddity_type#3*
>
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
>
> Look at these odd hostnames which are queried for! These are all systematically returning queries. And these come from multiple source IP addresses. Are these queries legitimate? I mean, do you know of any system that may be doing this? Are these strange hostname queries part of some standard way identifying services and I just don't happen to know about this standard? I would very much appreciate some feedback on these.
>
> Best regards,
> Keve Nagy * Debrecen * Hungary
> --
> if you need to reply directly: keve(at)mail(dot)poliod(dot)hu

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
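The names in Keve's third oddity follow the Active Directory service-location layout (`_ldap._tcp`, `_kerberos._tcp`, `_kpasswd`, `_gc._tcp`, the `_msdcs` subtree, GUID-named domain and DC entries), and the SOA query for `server.EXAMPLE.COM` followed by a failed update is what an RFC 2136 client does to locate the zone's primary before sending a dynamic update. The block below is an added example (not from the thread) that scans BIND query-log lines for these signatures and reports, per client address, which AD-style names it asked for and which updates it attempted. The client addresses, ports and the `client ...:` prefix in the sample are constructed; the query names are the ones quoted in the post. The apex passed to `scan` is an assumption about which zone the log belongs to.

```python
"""Spot Windows/Active Directory clients that are pointed at your domain name
by the query names they send.  Added example, not code from the post.
Log prefix, client addresses and ports are constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
client 198.51.100.7#1043: view external-in: query: server.EXAMPLE.COM IN SOA -E
client 198.51.100.7#1044: view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
client 198.51.100.7#1045: view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
client 203.0.113.9#2001: view external-in: query: server.EXAMPLE.COM IN SOA +
client 203.0.113.9#2001: view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
client 203.0.113.9#2002: view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
client 192.0.2.55#4100: view external-in: query: www.example.com IN A -
"""

QUERY_RE = re.compile(
    r"^client (?P<client>[0-9a-fA-F.:]+)#\d+: view \S+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
UPDATE_RE = re.compile(
    r"^client (?P<client>[0-9a-fA-F.:]+)#\d+: view \S+: updating zone '(?P<zone>[^']+)': "
    r"update unsuccessful: (?P<rr>\S+):")

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
AD_PATTERNS = [
    ("ad-msdcs", re.compile(r"(^|\.)_msdcs\.", re.I)),                          # _msdcs subtree
    ("ad-srv",   re.compile(r"^_(ldap|kerberos|kpasswd|gc)\._(tcp|udp)\.", re.I)),  # SRV service names
    ("ad-guid",  re.compile(rf"(^|\.){GUID}\.", re.I)),                          # GUID-named DC/domain entries
]


def below_apex(qname, apex):
    q, a = qname.lower().rstrip("."), apex.lower().rstrip(".")
    return q.endswith("." + a)


def classify(qname, qtype, apex):
    """Tag a query as AD-related, as an update-locating SOA probe, or None."""
    for tag, rx in AD_PATTERNS:
        if rx.search(qname):
            return tag
    # A SOA query for a name below the apex is how a dynamic-update client
    # finds the zone (and its primary) before sending the UPDATE.
    if qtype.upper() == "SOA" and below_apex(qname, apex):
        return "soa-probe"
    return None


def scan(log_text, apex):
    """Return {client: {"ad_queries": [(tag, qname), ...],
                        "update_attempts": [(zone, rrset), ...]}}."""
    report = defaultdict(lambda: {"ad_queries": [], "update_attempts": []})
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            tag = classify(m["qname"], m["qtype"], apex)
            if tag:
                report[m["client"]]["ad_queries"].append((tag, m["qname"]))
            continue
        m = UPDATE_RE.match(line)
        if m:
            report[m["client"]]["update_attempts"].append((m["zone"], m["rr"]))
    return dict(report)


if __name__ == "__main__":
    for client, info in scan(SAMPLE_LOG, "example.com").items():
        print(client, info)
```

The `+`/`-` and `E` after the query in BIND's log are the RD flag and EDNS indicator, so `SOA +` from a client that then sends an update is the pattern to correlate; the update itself is already rejected because updates are not allowed, so the report is for identifying the misconfigured hosts, not for changing anything on the server.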
Re: named-checkconf error
named-checkzone calls getaddrinfo() to lookup addresses of servers which are not in the zone. That lookup has failed.

For a start I would fix this delegation error. The NS RRset on both sides of the delegation should be the same.

capmark.com.		172800	IN	NS	ns1.gmaccm.com.
capmark.com.		172800	IN	NS	ns2.gmaccm.com.
;; Received 116 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 175 ms

quarantine1.capmark.com. 7200	IN	A	216.83.188.21
capmark.com.		86400	IN	NS	ns1.capmark.com.
capmark.com.		86400	IN	NS	ns2.capmark.com.
;; Received 125 bytes from 216.83.188.8#53(ns1.gmaccm.com) in 227 ms

There may be other problems which may only be visible from where you are performing the lookup.

Mark

In message [EMAIL PROTECTED], Steve Shockley writes:

> I'm running BIND 9.4.2 on OpenBSD 4.3. I'm getting some errors with named-checkconf I don't really understand. I'm running:
>
> named-checkzone -t /var/named capmarksecurities.com /master/db.capmarksecurities.com
>
> and I get:
>
> zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com) failed: non-recoverable failure in name resolution
> zone capmarksecurities.com/IN: getaddrinfo(quarantine2.capmark.com) failed: non-recoverable failure in name resolution
> zone capmarksecurities.com/IN: getaddrinfo(mailhost3.capmark.com) failed: non-recoverable failure in name resolution
> zone capmarksecurities.com/IN: getaddrinfo(mxo1.capmark.com) failed: non-recoverable failure in name resolution
> zone capmarksecurities.com/IN: getaddrinfo(mxo2.capmark.com) failed: non-recoverable failure in name resolution
> zone capmarksecurities.com/IN: loaded serial 235310359
> OK
>
> The zone file:
>
> $ORIGIN .
> $TTL 86400	; 1 day
> capmarksecurities.com	IN SOA	ns1.capmark.com. dnsadmin.capmark.com. (
> 				235310359  ; serial
> 				10800      ; refresh (3 hours)
> 				3600       ; retry (1 hour)
> 				604800     ; expire (1 week)
> 				86400      ; minimum (1 day)
> 				)
> $TTL 300	; 5 minutes
> 			NS	ns1.capmark.com.
> 			NS	ns2.capmark.com.
> $TTL 900	; 15 minutes
> 			MX	10 quarantine1.capmark.com.
> 			MX	10 quarantine2.capmark.com.
> 			MX	20 mailhost3.capmark.com.
> 			MX	200 mxo1.capmark.com.
> 			MX	200 mxo2.capmark.com.
> $ORIGIN capmarksecurities.com.
> $TTL 7200	; 2 hours
> defeasance		CNAME	idealweb.capmark.com.
> investorguide		A	70.60.19.129
> $TTL 86400	; 1 day
> www			CNAME	www.capmark.com.
>
> This appears to happen with all zones with MX records that are in a different zone. The zone loads and seems to work as expected. What's going wrong?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
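The two things Mark points at (targets that live outside the zone and must be resolved, and a parent/child NS RRset that disagrees) can both be checked before running named-checkzone. The block below is an added example, not named-checkzone's code: a small master-file reader (enough of `$ORIGIN`, `$TTL`, blank-owner inheritance and parenthesised SOA to load the zone quoted above) that lists NS and MX targets outside the apex, plus a comparison of the NS sets seen at the parent and at the child. Which record types to treat as "servers to look up" is this example's choice; named-checkzone's exact rules are not on the page.

```python
"""List out-of-zone NS/MX targets in a master file and compare delegation NS
sets.  Added example, not named-checkzone's code.  ZONE_TEXT is the zone
quoted in the post, re-wrapped onto lines.
"""

ZONE_TEXT = """\
$ORIGIN .
$TTL 86400 ; 1 day
capmarksecurities.com IN SOA ns1.capmark.com. dnsadmin.capmark.com. (
    235310359 ; serial
    10800 ; refresh (3 hours)
    3600 ; retry (1 hour)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
    )
$TTL 300 ; 5 minutes
    NS ns1.capmark.com.
    NS ns2.capmark.com.
$TTL 900 ; 15 minutes
    MX 10 quarantine1.capmark.com.
    MX 10 quarantine2.capmark.com.
    MX 20 mailhost3.capmark.com.
    MX 200 mxo1.capmark.com.
    MX 200 mxo2.capmark.com.
$ORIGIN capmarksecurities.com.
$TTL 7200 ; 2 hours
defeasance CNAME idealweb.capmark.com.
investorguide A 70.60.19.129
$TTL 86400 ; 1 day
www CNAME www.capmark.com.
"""

CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def parse_zone(text):
    """Return [(owner, type, rdata_tokens)] with absolute owner names."""
    origin, last_owner, records = ".", None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":            # TTL is irrelevant to these checks
            continue
        if line[0].isspace():              # blank owner: inherit the previous one
            owner = last_owner
        else:
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = owner + "." if origin == "." else owner + "." + origin
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                  # optional TTL and class
        records.append((owner, tokens[0].upper(), tokens[1:]))
        last_owner = owner
    return records


def in_zone(name, apex):
    n, a = name.lower().rstrip("."), apex.lower().rstrip(".")
    return n == a or n.endswith("." + a)


def out_of_zone_targets(text, apex):
    """(type, target) for NS and MX targets that a checker must resolve elsewhere."""
    found = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "NS":
            target = rdata[0]
        elif rtype == "MX":
            target = rdata[1]
        else:
            continue
        if not in_zone(target, apex):
            found.append((rtype, target))
    return found


def delegation_mismatch(parent_ns, child_ns):
    """(only_at_parent, only_at_child); both lists empty means the sides agree."""
    p = {n.lower().rstrip(".") for n in parent_ns}
    c = {n.lower().rstrip(".") for n in child_ns}
    return sorted(p - c), sorted(c - p)


if __name__ == "__main__":
    print(out_of_zone_targets(ZONE_TEXT, "capmarksecurities.com"))
    print(delegation_mismatch(["ns1.gmaccm.com.", "ns2.gmaccm.com."],
                              ["ns1.capmark.com.", "ns2.capmark.com."]))
```

Every name this prints is one the checker cannot verify from the zone file alone, which is exactly where a resolution failure on the checking host turns into a getaddrinfo() error while the zone itself still loads.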
Re: DDNS on SOA
In message 20081211202922.ga32...@sol.planetnet.org, Peter Kringle writes:

> Is it possible to update the SOA record of a zone via ddns update? Or do I have to shut bind down completely to change the SOA.
>
> Specifically the refresh timer.
>
> Thanks

Yes. Just make sure that the serial number increases.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
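"Increases" here means in the serial-number arithmetic of RFC 1982, which is what slaves use to decide whether a transfer is needed; the following added example (not from the post) implements that comparison and a helper that chooses a serial a slave will accept when the SOA is rewritten through a dynamic update. The wrap-around behaviour (skipping 0 after 2^32 - 1) is this example's choice.

```python
"""RFC 1982 serial-number arithmetic for SOA updates.  Added example, not
from the post.
"""
SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # 2**32
HALF = 1 << (SERIAL_BITS - 1)   # 2**31


def serial_gt(new, old):
    """True if `new` is 'greater than' `old` in RFC 1982 arithmetic.

    Greater means the forward distance from old to new is less than 2**31.
    A distance of exactly 2**31 is undefined in the RFC; it is reported as
    not greater so callers never rely on it.
    """
    new, old = new % MOD, old % MOD
    if new == old:
        return False
    if new > old:
        return new - old < HALF
    return old - new > HALF          # wrapped past 2**32 - 1


def next_serial(old, proposed=None):
    """Return `proposed` if a slave would see it as newer than `old`,
    otherwise old + 1 (wrapping, and skipping 0 by this example's choice)."""
    if proposed is not None and serial_gt(proposed, old):
        return proposed % MOD
    nxt = (old + 1) % MOD
    return nxt or 1


def slave_will_transfer(master_serial, slave_serial):
    """What a slave decides on seeing the master's SOA at refresh time."""
    return serial_gt(master_serial, slave_serial)


if __name__ == "__main__":
    print(serial_gt(2008121102, 2008121101), serial_gt(1, 2**32 - 1), serial_gt(2**31, 0))
    print(next_serial(2008121101), next_serial(2**32 - 1))
```

The practical failure mode this guards against is an update that lowers the serial (for example a date-based serial typed wrongly): the master accepts the new SOA, but slaves compare serials and never transfer the change.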
Re: MIME garbage in comp.protocols.dns.bind
In message sam.wilson-404a4b.13132515122...@scotsman.ed.ac.uk, Sam Wilson writes:

> In article ghubkr$9l...@sf1.isc.org, Chris Buxton cbux...@menandmice.com wrote:
>
>> On Dec 11, 2008, at 10:57 PM, Barry Margolin wrote:
>>
>>> The old mail-to-news gateway either got this right or extracted the plain text alternative before forwarding.
>>
>> The old mail server stripped messages down to their plaintext values. The new one does not - it allows both formatted text and attachments. This is no doubt the change that's causing this problem with usenet.
>
> But it's doing it wrong - it's removing some MIME headers that it shouldn't. (I will defer to other people if there is a mismatch in what is acceptable in MIME headers on Usenet, but the old one worked and the new one creates unreadable news postings.)
>
> Sam

I've raised a ticket with our ops people.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: Issue with case changing from master on BIND 9 to slave on BIND 8
Mark Andrews writes:

> In message 9fc47420fb263da9eda170166fd4d...@cornell.edu, John Wobus writes:
>
>> Some years ago, I had that issue. The problem was that the zone transfer compression mechanism could change the case of individual names. This was fixed in some release of bind (after 9.2.1, if I remember correctly), and bind release notes would pinpoint the exact version with the change.
>
> You will need BIND 9.4.0 or later for the master.
>
> 1811. [func] Preserve the case of domain names in rdata during zone transfers. [RT #13547]
>
> Or you can specify many-answers as the transfer format on the master.

Correction: one-answer as the transfer format, but there is still a small risk if a compression pointer can be found in the owner name of the record with differing case.

>> The problem was that the compression mechanism would compress a.example.COM and b.example.com by using a pointer to a single string, in one specific instance, example.COM. When uncompressed at the secondary end, the names came out as a.example.COM and b.example.COM.
>>
>> John Wobus
>> Cornell University CIT
>>
>> On Dec 15, 2008, at 10:51 AM, Ben Croswell wrote:
>>
>>> I am reaching out to the list on what appears to be a very odd issue that happened over the weekend.
>>>
>>> We had an issue where some internal domains had the TLD capitalized after the zone transfer. i.e. foo.bar.com on the master became foo.bar.COM on the slave.
>>>
>>> I know that DNS is case insensitive but it caused an issue with apps that were misbehaving.
>>>
>>> The master is BIND 9.2.1 and the slaves in question are 8.2.3.
>>>
>>> The master zone has everything lower case, and BIND 9 slaves show them as lower case as well.
>>>
>>> A manual zone xfer on the 8.2.3 boxes to a different local directory than the actual named directory shows .COM.
>>>
>>> I was wondering if anyone had experienced an issue like this.
>>>
>>> And I understand both of those versions are ancient and need to be removed from the environment.
>>>
>>> --
>>> -Ben Croswell

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
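John's description of the mechanism can be reproduced in a few lines. The block below is an added example, not BIND code: an RFC 1035 name compressor whose suffix table is keyed case-insensitively (modelling the behaviour John describes, where `b.example.com` gets a pointer to the earlier `example.COM`) beside one keyed on the exact bytes, which is the property change 1811 restores. Decompressing the first shows how `b.example.com` comes out of the transfer as `b.example.COM`; the transfer-format details of BIND itself are not modelled.

```python
"""Case change through DNS name compression.  Added example, not BIND code.
"""


def _labels(name):
    return [l for l in name.rstrip(".").split(".") if l]


def compress_names(names, case_sensitive):
    """Encode `names` into one buffer using RFC 1035 compression pointers.

    The suffix table is keyed on the exact label bytes when case_sensitive
    is True, and on lowercased labels otherwise (the lossy behaviour).
    Returns (buffer, [offset of each name]).
    """
    buf, table, offsets = bytearray(), {}, []
    for name in names:
        labels = _labels(name)
        offsets.append(len(buf))
        while labels:
            key = tuple(labels if case_sensitive else [l.lower() for l in labels])
            if key in table:                       # reuse an earlier suffix
                ptr = table[key]
                buf += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                break
            table[key] = len(buf)
            buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        else:                                      # no pointer used: root label
            buf += b"\x00"
    return bytes(buf), offsets


def decompress_name(buf, offset):
    """Read a (possibly compressed) name at `offset`; follow pointers."""
    labels, hops = [], 0
    while True:
        n = buf[offset]
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            offset = ((n & 0x3F) << 8) | buf[offset + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        labels.append(buf[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + "."


def roundtrip(names, case_sensitive):
    """Compress then decompress; with case-insensitive matching, later names
    inherit the case of the first occurrence of their suffix."""
    buf, offs = compress_names(names, case_sensitive)
    return [decompress_name(buf, o) for o in offs]


if __name__ == "__main__":
    print(roundtrip(["a.example.COM", "b.example.com"], case_sensitive=False))
    print(roundtrip(["a.example.COM", "b.example.com"], case_sensitive=True))
```

Note the trade-off the case-sensitive table implies: a suffix that differs only in case is no longer shared, so the message is a little larger; that is the price of the "preserve the case of domain names" behaviour, and it is why applications that are case-sensitive about DNS data (they should not be) were the ones to notice.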
Re: Stuck glue records in the GTLD servers??
In message a82dae2a-44ad-4aeb-a72c-a150e6d7f...@cyberlifelabs.com, Milo Hyson writes:

> I'm seeing what looks like a stuck glue record in the GTLD servers and I'm hoping I've just overlooked something simple. There are several domains which list the following as their nameservers:
>
> ns.netdentalcare.com
> ns2.netdentalcare.com
>
> The zone for these (netdentalcare.com) was moved to a new ISP several days ago. The new servers are properly resolving the names and the old servers no longer are. Unfortunately, nobody can seem to resolve these names unless they directly ask the new servers. Upon investigation, I discovered the GTLD servers seem to be holding onto a stale glue record for the zone's prior server: ns.netdentalcare.com.
>
> Server: h.gtld-servers.net.
> Address: 192.54.112.30#53
>
> QUESTIONS:
> ns.netdentalcare.com, type = A, class = IN
> ANSWERS:
> - ns.netdentalcare.com internet address = 64.84.39.197
> AUTHORITY RECORDS:
> - netdentalcare.com nameserver = ns1.idaserver.com.
> - netdentalcare.com nameserver = ns2.idaserver.com.
> ADDITIONAL RECORDS:
> - ns1.idaserver.com internet address = 207.178.132.75
> - ns2.idaserver.com internet address = 207.178.132.76
>
> Non-authoritative answer:
> Name: ns.netdentalcare.com
> Address: 64.84.39.197
>
> I assumed this would have timed-out after two days, but it hasn't. Nobody is resolving the name to that address anymore. I checked the old zone file to ensure it didn't have a long TTL and it didn't (86,400 seconds). If anybody has any insight into this issue it would be greatly appreciated.

You need to update the HOST records for the nameservers.

> --
> Milo Hyson
> Chief Scientist
> CyberLife Labs

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: ISC BIND Windows?
In message 029c7576bb4b4f1480bf8cf9d125a...@nc4010, Jukka Pakkanen writes:

> Sorry I've lost track of the different versions, which works in Windows and which don't. So... what is the latest version, working in W2K3?

See the immediate downloads on https://www.isc.org/software/bind.

> And Is W2K still abandoned?

Until Microsoft back port the missing functionality, yes.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
BIND 9.6.0rc2 is now available.
BIND 9.6.0rc2 is now available. BIND 9.6.0rc2 is a release candidate for BIND 9.6.0.

Please as a minimum perform a test build on your operating system. We don't have test platforms for every operating system and sometimes we accidentally break builds. Now is the time to tell us about that. Bugs should be reported to bind9-b...@isc.org.

BIND 9.6 has a number of new features over 9.5, including:

  Full NSEC3 support
  Automatic zone re-signing
  New update-policy methods tcp-self and 6to4-self

BIND 9.6.0rc2 can be downloaded from
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz

The PGP signature of the distribution is at
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at http://www.isc.org/ISC/isckey.txt.

A binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip.sha512.asc

Changes since BIND 9.6.0a1

--- 9.6.0rc2 released ---

2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel. [RT #19063]
2513. [bug] Fix windows cli build. [RT #19062]
2510. [bug] dig +sigchase could trigger REQUIRE failures. [RT #19033]
2509. [bug] Specifying a fixed query source port was broken. [RT #19051]
2504. [bug] Address race condition in the socket code. [RT #18899]

--- 9.6.0rc1 released ---

2498. [bug] Removed a bogus function argument used with ISC_SOCKET_USE_POLLWATCH: it could cause compiler warning or crash named with the debug 1 level of logging. [RT #18917]
2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure delegation.
2496. [bug] Add sanity length checks to NSID option. [RT #18813]
2495. [bug] Tighten RRSIG checks. [RT #18795]
2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being installed. [RT #18826]
2493. [bug] The linux capabilities code was not correctly cleaning up after itself. [RT #18767]
2492. [func] Rndc status now reports the number of cpus discovered and the number of worker threads when running multi-threaded. [RT #18273]
2491. [func] Attempt to re-use a local port if we are already using the port. [RT #18548]
2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO is cleared when IPV6_V6ONLY is set. [RT #18785]
2489. [port] solaris: Workaround Solaris's kernel bug about /dev/poll: http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Define ISC_SOCKET_USE_POLLWATCH at build time to enable this workaround. [RT #18870]
2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records from keyset and .key files. [RT #18694]
2487. [bug] Give TCP connections longer to complete. [RT #18675]
2486. [func] The default locations for named.pid and lwresd.pid are now /var/run/named/named.pid and /var/run/lwresd/lwresd.pid respectively. This allows the owner of the containing directory to be set, for named -u support, and allows there to be a permanent symbolic link in the path, for named -t support. [RT #18306]
2485. [bug] Change update's handling of obscured RRSIG records. Not all orphaned DS records were being removed. [RT #18828]
2484. [bug] It was possible to trigger a REQUIRE failure when adding NSEC3 proofs to the response in query_addwildcardproof(). [RT #18828]
BIND 9.5.1rc2 is now available.
BIND 9.5.1rc2 is now available. BIND 9.5.1rc2 is a maintenance release candidate for BIND 9.5.

BIND 9.5.1rc2 can be downloaded from
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz

The PGP signature of the distribution is at
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at http://www.isc.org/ISC/isckey.txt

A binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.1rc2 released ---

2513. [bug] Fix windows cli build. [RT #19062]
2510. [bug] dig +sigchase could trigger REQUIRE failures. [RT #19033]
2509. [bug] Specifying a fixed query source port was broken. [RT #19051]
2504. [bug] Address race condition in the socket code. [RT #18899]

--- 9.5.1rc1 released ---

2498. [bug] Removed a bogus function argument used with ISC_SOCKET_USE_POLLWATCH: it could cause compiler warning or crash named with the debug 1 level of logging. [RT #18917]
2496. [bug] Add sanity length checks to NSID option. [RT #18813]
2495. [bug] Tighten RRSIG checks. [RT #18795]
2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being installed. [RT #18826]
2493. [bug] The linux capabilities code was not correctly cleaning up after itself. [RT #18767]
2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO is cleared when IPV6_V6ONLY is set. [RT #18785]
2489. [port] solaris: Workaround Solaris's kernel bug about /dev/poll: http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Define ISC_SOCKET_USE_POLLWATCH at build time to enable this workaround. [RT #18870]
2487. [bug] Give TCP connections longer to complete. [RT #18675]
2485. [bug] Change update's handling of obscured RRSIG records. Not all orphaned DS records were being removed. [RT #18828]
2482. [port] libxml2: support versions 2.7.* in addition to 2.6.*. [RT #18806]
2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
2478. [bug] 'addresses' could be used uninitialized in configure_forward(). [RT #18800]
2476. [doc] ARM: improve documentation for max-journal-size and ixfr-from-differences. [RT #15909] [RT #18541]

--- 9.5.1b3 released ---

2475. [bug] LRU cache cleanup under overmem condition could purge particular entries more aggressively. [RT #17628]
2474. [bug] ACL structures could be allocated with insufficient space, causing an array overrun. [RT #18765]
2473. [port] linux: raise the limit on open files to the possible maximum value before spawning threads; 'files' specified in named.conf doesn't seem to work with threads as expected. [RT #18784]
2472. [port] linux: check the number of available cpu's before calling chroot as it depends on /proc. [RT #16923]
2471. [bug] named-checkzone was not reporting missing mandatory glue when sibling checks were disabled. [RT #18768]
2470. [bug] Elements of the isc_radix_node_t could be incorrectly overwritten. [RT #18719]
2469. [port] solaris: Work around Solaris's select() limitations. [RT #18769]
2468. [bug] Resolver could try unreachable servers multiple times. [RT #18739]
2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
2466. [doc]
Re: General performance
In message 20081224122500.ga13...@nic.fr, Stephane Bortzmeyer writes:

> On Tue, Dec 23, 2008 at 08:36:36PM -0800, Scott Haneda talkli...@newgeo.com wrote a message of 35 lines which said:
>
>> First, if I learn it is in fact true that all 50K zones will be identical, is there any reason to make 50K zone files?
>
> No.
>
>> Is it ok to point different domains to the same zone file?
>
> Yes.

On the master for the zones. On the slave they need to be separate files.

> http://www.bortzmeyer.org/identical-domains-with-bind.html

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: Magic for NSEC3
In message fa2e1350901031122w75768929h3b17e0a47b806...@mail.gmail.com, Jonathan Petersson writes:

> Hi all,
>
> Hopefully this post won't cause as much SPAM as my last one.
>
> About a year ago I started looking into DNSSEC and how to work with it for dynamic updates etc. Since only NSEC was supported, allowing whomever to do an unauthorized zone-transfer I canceled my projects later finding out that NSEC3 would stop the behavior.

One really needs to look at the cost benefit analysis to decide whether to use NSEC or NSEC3. NSEC3 is much more expensive than NSEC for both authoritative servers and validators. There are almost no zones that need that level of protection.

Stopping AXFR/IXFR has almost zero cost so for many people it has become reflex without any need to justify it. Stopping zone enumeration has a relatively high cost.

Note for many servers stopping AXFR/IXFR was not about the zone content and more about preserving file descriptors for use by the slaves and legitimate TCP clients rather than the curious.

> With the release of BIND 9.6 my understanding is that NSEC3 is now supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty clueless as whether there's any magic sauce to get NSEC3 records vs. NSEC. If anyone has a pointer that would be of help, I've tried using NSEC3RSASHA1 keys without success of getting NSEC3 records.

NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when signing the zone. You need to tell dnssec-signzone which one to use.

dnssec-signzone -3 salt [-H iterations] [-A]

> Thx
>
> /Jonathan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: Issues in delegating to subdomain owned by other company
In message 937b61bf-c12f-4498-b20c-8cd5613bd...@z1g2000yqn.googlegroups.com, blrmaani writes:

> I have configured my named (BIND-9) to delegate a subdomain owned by our partner company. The queries in the subdomain are failing intermittently. Our partner company IT team is not ready to reveal their DNS configuration.
>
> When we delegate a subdomain, should the nameserver to which we delegate be AUTHORITATIVE?

Not should, MUST be authoritative. It MUST return responses with aa set in the flags to non-recursive queries for names within the delegated namespace or it MUST return a referral to nameservers which in turn are authoritative for the sub-delegated namespace.

Note: queries for the SOA record at the delegation MUST return the SOA record with aa set. There is no horizontal delegation in the DNS.

> What happens if the nameserver to which we delegate the subdomain is a NON-AUTHORITATIVE nameserver (eg., cache-only name server)?

It won't work.

> Could this be the reason for failure?

Yes.

> Any comments?
>
> Cheers
> Maani

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?
In message a0e00a9b-89cc-4b94-a3a5-49fd22fe3...@johani.org, Johan Ihren writes:

> I realise this just has to be a user error, but so far I've been completely unsuccessful in getting an authenticated response from a 9.6.0 recursive server with trusted keys correctly configured.
>
> I've done this:
>
> * Signed the zones:
>   parent is signed with NSEC semantics, key algorithm is RSASHA1
>   child1.parent is signed with NSEC, key algorithm is RSASHA1
>   child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1

Did you tell dnssec-signzone to generate NSEC3 chains rather than NSEC chains. NSEC3RSASHA1 allows for both NSEC and NSEC3 chains and dnssec-signzone defaults to NSEC chains.

dnssec-signzone -3 salt [-H iterations] [-A]

> * Created the secure delegations:
>   the DS records for child1.parent and child2.parent both use the correct algorithm numbers (5 and 7 respectively)
>
> * Configured a trusted key for parent in a recursive server:
>   The trusted key is correctly configured, because I'm able to validate positive responses from all three zones (which also proves that the delegations are correctly secured via the DS records). I'm also able to validate negative responses from parent and child1.parent.
>
> And, yes, I have
>
>   dnssec-enable yes;
>   dnssec-validation yes;
>
> in relevant places.
>
> But I fail to validate the interesting case, i.e. a negative response from child2.parent containing NSEC3 records as the proof. I get the response, with all the NSEC3s and their RRSIGs. But no AD bit.
>
> Anyone done this recently who can give me a suggestion to where I may go wrong?
>
> Johan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?
In message 088512ac-625e-4a72-aa90-65c73fb8b...@johani.org, Johan Ihren writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Mark,
>
> On 12 Jan 2009, at 23:49, Mark Andrews wrote:
>
> > > I realise this just has to be a user error, but so far I've been
> > > completely unsuccessful in getting an authenticated response from a
> > > 9.6.0 recursive server with trusted keys correctly configured.
> > >
> > > I've done this:
> > >
> > > * Signed the zones:
> > >   parent is signed with NSEC semantics, key algorithm is RSASHA1
> > >   child1.parent is signed with NSEC, key algorithm is RSASHA1
> > >   child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1
> >
> > Did you tell dnssec-signzone to generate NSEC3 chains rather than NSEC
> > chains. NSEC3RSASHA1 allows for both NSEC and NSEC3 chains and
> > dnssec-signzone defaults to NSEC chains.
> >
> > 	dnssec-signzone -3 salt [-H iterations] [-A]
>
> Absolutely, and the signed zone looks fine (except that it is full of
> ugly NSEC3's ;-). This is my dnssec-signzone invocation:
>
>   dnssec-signzone -N increment -v 9 -a -A -H 1 -3 -o $ZONE $ZONE $ZSK $KSK
>
> > > * Created the secure delegations:
> > >   the DS records for child1.parent and child2.parent both use the
> > >   correct algorithm numbers (5 and 7 respectively)
> > > * Configured a trusted key for parent in a recursive server:
> > >   The trusted key is correctly configured, because I'm able to
> > >   validate positive responses from all three zones (which also proves
> > >   that the delegations are correctly secured via the DS records). I'm
> > >   also able to validate negative responses from parent and
> > >   child1.parent.
> > >
> > > And, yes, I have dnssec-enable yes; dnssec-validation yes; in
> > > relevant places.
> > >
> > > But I fail to validate the interesting case, i.e. a negative response
> > > from child2.parent containing NSEC3 records as the proof. I get the
> > > response, with all the NSEC3s and their RRSIGs. But no AD bit.
> > >
> > > Anyone done this recently who can give me a suggestion to where I may
> > > go wrong?

NXDOMAIN + OPTOUT -> AD=0

> Johan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iD8DBQFJa9hRKJmr+nqSTbYRAuDKAJ4upG/n5lww2yrST29HDzteQX369QCfUqxt
> WcZi55ArpM58re2gtd6reAI=
> =+sNo
> -----END PGP SIGNATURE-----
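Mark's one-liner compresses a fair amount of RFC 5155. The following Python is an added illustration, not code from this thread or from BIND: it computes NSEC3 owner-name hashes the way the RFC specifies and then applies the Opt-Out rule to a chain of NSEC3 records, which is the rule that turns Johan's "-A" (opt-out) signing into an NXDOMAIN that validates only as insecure, hence no AD bit. The salt and iteration count are those of the RFC 5155 Appendix A example zone; the chain records fed to it are constructed, and the closest-encloser half of a full name-error proof is deliberately left out, so only the covering-record and opt-out decision is shown.

```python
"""NSEC3 hashing (RFC 5155 section 5) plus the Opt-Out rule that explains a
missing AD bit on an NXDOMAIN.  Added example; not BIND code."""
import base64
import hashlib

OPT_OUT = 0x01  # NSEC3 Flags field, bit 0 (RFC 5155 section 3.1.2.1)


def wire_name(name):
    """Canonical (lowercased) wire-format owner name, e.g. b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Base32 with the Extended Hex alphabet, no padding (RFC 4648 section 7)."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()


def nsec3_hash(name, salt_hex, iterations):
    """IH(0) = SHA1(name || salt); IH(k) = SHA1(IH(k-1) || salt), k <= iterations."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def covering_nsec3(chain, hashed):
    """Return the NSEC3 whose span (owner, next) strictly contains 'hashed'.
    'chain' is a list of (owner_hash, next_hash, flags); the last record of a
    zone wraps around to the first, and a one-record chain covers everything.
    A hash equal to an owner means the name exists, so it is never 'covered'."""
    for owner, nxt, flags in chain:
        if owner == nxt:
            return (owner, nxt, flags)
        wraps = nxt < owner
        if (not wraps and owner < hashed < nxt) or (wraps and (hashed > owner or hashed < nxt)):
            return (owner, nxt, flags)
    return None


def validate_nxdomain(chain, qname, salt_hex, iterations):
    """Validator outcome for the 'next closer name' part of an NXDOMAIN proof.
    The 'insecure' branch is Mark's 'NXDOMAIN + OPTOUT -> AD=0'."""
    hashed = nsec3_hash(qname, salt_hex, iterations)
    rec = covering_nsec3(chain, hashed)
    if rec is None:
        return "bogus"      # nothing covers the hash: the proof is incomplete
    if rec[2] & OPT_OUT:
        return "insecure"   # an unsigned delegation may hide in an opt-out span
    return "secure"         # name provably absent; the AD bit may be set


if __name__ == "__main__":
    # Constructed demonstration chain: one record spanning the whole hash space.
    print(nsec3_hash("example", "aabbccdd", 12))
    print(validate_nxdomain([("0" * 32, "v" * 32, OPT_OUT)], "nosuch.example", "aabbccdd", 12))
    print(validate_nxdomain([("0" * 32, "v" * 32, 0)], "nosuch.example", "aabbccdd", 12))
```

The practical reading for Johan's setup: with -A the NSEC3 that covers the non-existent name carries the Opt-Out flag, and a validator is required to treat that span as possibly containing unsigned delegations, so the response is "insecure" rather than "secure" and AD stays clear, even though every RRSIG checks out.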
Re: Operators, how do you handle EDNS?
In message 20090114021016.ga24...@esri.com, Ray Van Dolson writes:
> On Tue, Jan 13, 2009 at 05:00:38PM -0800, Ray Van Dolson wrote:
> > On Tue, Jan 13, 2009 at 04:35:46PM -0800, Mark Andrews wrote:
> > > The number of nameservers that fail to respond to EDNS queries is
> > > minuscule. The majority of nameservers on the net actually talk EDNS.
> > > I suggest that you re-analyse the failures to determine their true
> > > causes.
> > >
> > > Mark
> >
> > I'd thought we'd ruled this out, but testing again from an OOB server
> > confirms what you're saying. Will definitely reinvestigate.
> >
> > Initially I am getting these in response to my dig queries:
> >
> >   # dig @130.76.96.65 boeing.com soa +dnssec +norec
> >   ;; Warning: ID mismatch: expected ID 1582, got 13152
> >   ;; Warning: ID mismatch: expected ID 1582, got 13152
> >   ;; Warning: ID mismatch: expected ID 1582, got 13152
> >
> >   ; <<>> DiG 9.3.5-P2 <<>> @130.76.96.65 boeing.com soa +dnssec +norec
> >   ; (1 server found)
> >   ;; global options:  printcmd
> >   ;; connection timed out; no servers could be reached
> >
> > I guess our firewall could be tinkering with the request ID's? Perhaps
> > as a result of dnssec being on... hmm.
> >
> > Thanks Mark.
>
> Alright, I believe the "DNS Scrambling" feature of our firewall could be
> causing the issue -- that or scrambling on boeing.com's end. Maybe
> someone can comment...
>
> It seems that the transaction ID's are being changed and so the Format
> Error packets coming back from boeing are dropped by BIND. This is why I
> see BIND cycling through all their nameservers -- the query timeout is
> being triggered. If the transaction ID's matched correctly, the Format
> Error would be processed and the query would be retransmitted without
> EDNS correctly.
>
> What I'm trying to figure out is if this is a result of scrambling on
> *our* end, the remote end or a combination of both. Clearly the vast
> majority of our queries succeed, but I don't know how exactly our
> CheckPoint firewall decides to do its scrambling magic, and, of course
> no clue on the remote end.
>
> Anyone have any thoughts to add?

100% your end.

> Ray
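Two of the threads above come down to a handful of header bits: the delegation question (a server a subdomain is delegated to must answer non-recursive queries with aa set, or return a referral) and Ray's ID-mismatch problem (a resolver can only act on a FORMERR whose transaction ID matches the query it sent, so an ID-rewriting middlebox turns the remote server's FORMERR into a timeout instead of an EDNS fallback). The Python below is an added example, not BIND code or anything posted in these threads; every packet it looks at is a bare 12-byte header constructed by hand, which is all the two decisions need.

```python
"""Header-level DNS checks: lame-delegation classification and the
resolver side of EDNS fallback.  Added example, not BIND code."""
import struct

# Response codes from RFC 1035 section 4.1.1
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, REFUSED = 0, 1, 2, 3, 5


def parse_header(msg):
    """Unpack the 12-byte DNS header into the fields used below."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,   # 1 = response
        "aa": (flags >> 10) & 1,   # authoritative answer
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident, qr=0, aa=0, rcode=0, qd=1, an=0, ns=0, ar=0):
    """Pack a header; used here only to construct sample responses."""
    flags = (qr << 15) | (aa << 10) | rcode
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def classify_delegation_response(msg):
    """Judge a response to a non-recursive SOA query sent to the server a
    subdomain is delegated to.  'authoritative' (aa=1) and 'referral'
    (aa=0, empty answer, NS records in the authority section) are the two
    acceptable shapes; anything else is what BIND logs as a lame server."""
    h = parse_header(msg)
    if h["qr"] != 1:
        return "not-a-response"
    if h["aa"] == 1 and h["rcode"] in (NOERROR, NXDOMAIN):
        return "authoritative"
    if h["rcode"] == NOERROR and h["aa"] == 0 and h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"
    return "lame"   # e.g. a cache-only server answering with aa=0, or REFUSED


def edns_fallback_decision(query_id, response):
    """Resolver side of EDNS fallback.  A response whose ID does not match
    the outstanding query is discarded, so a box that rewrites IDs turns
    the remote FORMERR into a timeout; a matching FORMERR triggers a retry
    of the same query without the OPT record."""
    h = parse_header(response)
    if h["id"] != query_id:
        return "discard-id-mismatch"
    if h["rcode"] == FORMERR:
        return "retry-without-edns"
    return "accept"


if __name__ == "__main__":
    # Constructed samples; the IDs are the ones in Ray's dig warning.
    print(classify_delegation_response(build_header(7, qr=1, aa=1, an=1, ns=2)))
    print(edns_fallback_decision(1582, build_header(13152, qr=1, rcode=FORMERR)))
    print(edns_fallback_decision(1582, build_header(1582, qr=1, rcode=FORMERR)))
```

Running the three sample calls gives "authoritative", "discard-id-mismatch" and "retry-without-edns" in that order: the middle one is exactly the path Ray's resolver was stuck on, and the last is the path it would have taken had the IDs survived the firewall.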
Re: Unified Root - Domain Configuration Issue
In message 496fb92d.5050...@peter-dambier.de, Peter Dambier writes:
> Hi ozgurs,
>
> can you give me your address so I can set up a zone for you?
>
> e.g.
>
> ozgurs	A	127.0.0.1
>
> Then you have the proof that it is working.

http://tld and u...@tld can *never* work *reliably* as they would cause
namespace clashes. Single labels represent local names not global names.

Mark

> Please have a look at http://www.cesidianroot.net/ to find how to set
> up your DNS for the test.
>
> If you have a dynamic ip address things are a little bit more
> complicated but can be solved too.
>
> Cheers
> Peter
>
> ozgurs wrote:
> > We want to buy a unified root domain, but they say we can not use the
> > domain only one word. like ozgurs so that it opens http://ozgurs but
> > we have to use a connected word to this TLD, like example.ozgurs
> >
> > here, my question comes! :)
> >
> > i bet with my friend that we can not use the domain itself. NOW I NEED
> > A PROOF :
> >
> > We want to know the reason why we can not use TLD alone itself,
> > without a word in connected to it.
> >
> > ( I mean: instead of the URL
> >
> > ozgurs
> >
> > we have to use
> >
> > example.ozgurs )
> >
> > We want the reasons, with exact documents (for example a university's
> > DNS management document from their site link or a scientific article
> > regarding this issue (about the must of usage and reasons why we must
> > use a word connected to the domain.)
> >
> > Note: We will buy these products after we are satisfied with the
> > explanations and documents' reliability about the explained issue
> > above. (the usages, rules of domains, configurations, DNS)
> >
> > I mean I have to prove this that it is impossible to use the domain as
> > one word (like ozgurs) with very reliable indications and strongly that
> > no one can deny it any way of idea)
> >
> > With best regards,
> >
> > OzgurS
>
> --
> Peter and Karin Dambier
> Cesidian Root - Radice Cesidiana
> Rimbacher Strasse 16
> D-69509 Moerlenbach-Bonsweiher
> +49(6209)795-816 (Telekom)
> +49(6252)750-308 (VoIP: sipgate.de)
> mail: pe...@peter-dambier.de
> http://www.peter-dambier.de/
> http://iason.site.voila.fr/
> https://sourceforge.net/projects/iason/
> ULA= fd80:4ce1:c66a::/48
Re: denied NS/IN
In message 232b45f8-acd3-427a-95e9-bc3ca5fc9...@newgeo.com, Scott Haneda writes:
> Hello, looking at my logs today, I am getting hammered with these:
>
> 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
> 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
>
> Repeated over and over, how do I tell what they are, and if they are
> bad, what is the best way to block them?
> --
> Scott

You should talk to your ISP to chase the traffic back to its source and
get BCP 38 implemented there. BCP 38 is ~10 years old now. There is no
excuse for not filtering spoofed traffic. If the source doesn't want to
implement BCP 38 then de-peering the source should be considered.

Mark

http://www.ietf.org/rfc/rfc2267.txt	January 1998
http://www.ietf.org/rfc/rfc2827.txt	May 2000 (BCP 38)
http://www.ietf.org/rfc/rfc3704.txt	March 2004 (BCP 84)
Re: denied NS/IN
In message fb979b33-df83-4460-a3e4-040cd165e...@newgeo.com, Scott Haneda writes:
> On Jan 20, 2009, at 5:44 PM, Mark Andrews wrote:
>
> > You should talk to your ISP to chase the traffic back to its source
> > and get BCP 38 implemented there. BCP 38 is ~10 years old now. There
> > is no excuse for not filtering spoofed traffic. If the source doesn't
> > want to implement BCP 38 then de-peering the source should be
> > considered.
>
> Is BCP 38 really as solid and plug and play as it sounds? In a shared,
> or colo'd environment, can that ISP really deploy something like this,
> without it causing trouble for those that assume unfettered inbound and
> outbound traffic to their servers?

Yes it is. Everyone in a colo should be able to tell you which source
address (prefixes) they should be emitting. You filter everything else.
The closer to the edge that you do this the easier it is to do.

Mark

> --
> Scott
Re: Disable cache in bind 9.6
In message 49773369.4080...@corbina.net, Dmitry Rybin writes:
> Matus UHLAR - fantomas wrote:
> > This is _NOT_ a problem of BIND. This is a problem of its admin who
> > can't read the docs and set up max-cache-size, which does exactly what
> > is needed in this case.
>
> Hmm... And why does bind allocate all system memory, if max-cache-size
> is 16M? And views... 50 views. 16*50=800M. Only 800M, this is not
> 3..4GB of system memory.

+ 50 views of zone data
+ memory for 10 clients
+

You have a 32bit build which will give a maximum of 2G data. You are
just trying to cram too much into too small a place.

Mark
Re: rndc halt -p behavior
In message 2971f259-4897-48f8-b418-2f7599075...@gronkulator.com, Rich Goodson writes:
> The behavior of 'rndc halt -p' appears to be different from the
> documentation. According to the BIND 9.4 ARM rndc section:
>
>   halt [-p]
>     Stop the server immediately. Recent changes made through dynamic
>     update or IXFR are not saved to the master files, but will be rolled
>     forward from the journal files when the server is restarted. If -p
>     is specified named's process id is returned. This allows an external
>     process to determine when named had completed halting.
>
> But the actual behavior seems to be that 'rndc halt -p' returns
> immediately with the PID of named, but a 'ps -ef' shows named still
> running until it's done answering its unfinished recursive queries (or
> whatever it's busy doing).
>
> Is rndc broken, or is the documentation wrong, or am I missing
> something?
>
> If it makes a difference, this is on a server that exclusively does
> recursive resolution and does not serve any authoritative zones.
>
> -rich

named is just freeing all memory that it has allocated. If there has
been a memory leak this is when it will be detected.

Mark
Re: denied NS/IN
In message 1232561124.6369.187.ca...@d410-heron, Niall O'Reilly writes:
> On Wed, 2009-01-21 at 12:44 +1100, Mark Andrews wrote:
> > You should talk to your ISP to chase the traffic back to its source
> > and get BCP 38 implemented there. BCP 38 is ~10 years old now. There
> > is no excuse for not filtering spoofed traffic.
>
> Absolutely.
>
> Putting myself at the other end of the telescope, I'm wondering what
> tools (if any) are available for verifying that the ingress filtering
> actually in place is indeed compliant with BCP 38. I try to be
> conscientious, but drawing valid conclusions from visual inspection of
> the ACLs is already a challenge for my domestic network (3 LANs and an
> upstream). Enterprise (even with only one upstream) or ISP networks are
> likely more difficult to verify.
>
> Pointers for my next RTFM binge are welcome. Further discussion is
> probably off-topic for the bind-users list.
>
> /Niall

One way to test is to have a test box that sends spoofed traffic to a
machine you control. You should be able to detect acl or other hits.
Checking the acls regularly is also a way to detect compromised machines
that could be used for a different badness.

Mark
Re: rndc halt -p behavior
In message 1a345677-0c03-45a7-a1e1-af364fe87...@gronkulator.com, Rich Goodson writes:
> Basically, I'm trying to use a shell script to replace the missing
> 'restart' argument to rndc, so I was looking for some sort of return
> value that tells me, hey, your old named process is now gone, feel free
> to start a new one.
>
> What doesn't seem to jibe to me with the behavior I see is this line:
>
> > If -p is specified named's process id is returned. This allows an
> > external process to determine when named had completed halting.

	pid=`rndc halt -p`
	case $pid in
	pid:*)
		# rndc prints "pid: NNNN"; keep only the number
		pid=`expr "$pid" : 'pid: \([0-9]*\)'`
		echo -n "waiting for $pid to exit"
		# kill -0 sends no signal; it only tests whether the process still exists
		while kill -0 $pid 2>/dev/null; do echo -n .; sleep 1; done
		echo ". done."
		;;
	esac

> Whether named is still answering queries or just cleaning up its
> allocated memory, the PID is returned BEFORE named is gone, as named is
> still running for a good while after the PID is returned (I've seen up
> to 15 or 20 seconds or so). So, if I use this in a script, assuming the
> behavior that seems to be implied in the documentation, I'm going to be
> starting a new instance of named once the PID is returned, so I'm going
> to end up with 2 concurrent named processes.
>
> I understand that I probably seem like a pedantic pain in the ass, but
> is this broken, or is the documentation wrong? You seem to be saying
> that rndc is behaving correctly, so I must therefore assume that the
> documentation is wrong in this respect and use some sort of logic in my
> script to tell me when named has gone *poof*.
>
> Unless the documentation is using a different definition of the word
> "halt" than I am, which is entirely possible. I'm defining "halted" in
> my head as "the process is gone and no longer appears in a process
> listing", whereas you may be defining "halted" as "when named has
> stopped answering queries and has released its hold on port 53".
>
> If this is the case, it might not be a big deal if there are two
> concurrent named processes, as the new one is free to grab the port and
> start answering queries while the old one simply cleans up after itself,
> memory-wise.
>
> -rich
>
> On Jan 21, 2009, at 5:00 PM, Mark Andrews wrote:
>
> > named is just freeing all memory that it has allocated. If there has
> > been a memory leak this is when it will be detected.
> >
> > Mark
Re: denied NS/IN
In message f4058b15-888b-4cbd-b682-2ea2e1889...@stupendous.net, Nathan Ollerenshaw writes:
> On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
>
> > Hello, looking at my logs today, I am getting hammered with these:
> >
> > 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
> > 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
> >
> > Repeated over and over, how do I tell what they are, and if they are
> > bad, what is the best way to block them?
> > --
> > Scott
>
> Scott,
>
> As you know, these are spoofed queries, created in the hope that you
> will reflect traffic back to these IPs to assist in DDoSing them.
>
> Patrik Rak posted to my blog an iptables rule, which is useful for those
> of us running linux, that drops this specific type of recursive query;
> namely IN NS queries against '.'.
>
>   iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
>     0220...@1216=10220...@2024=00220...@21=0x00020001
>
> I've tested it, and it appears effective. I now have blessed silence in
> my logfiles.

If you don't also have blessed silence on the counters on this rule
there is still a problem and you should be complaining to whoever is
sending the packets to you. This just stops the amplification it
doesn't clear up the problem.

> Ideally it'd be great to be able to track back through the internet and
> get every single network operator to implement BCP 38, but while that's
> getting done (and good luck with that), you at least have a workaround.
>
> At least until the kiddies change what kind of query they use ... god
> forbid they work out what names an authoritative nameserver WILL
> respond to and query that.
>
> Hope this helps,
>
> Nathan.
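Mark's point in the three "denied NS/IN" threads is that silence in the logs is not the measurement that matters: the addresses in those lines are the spoofed victims, and what an operator wants is a count per claimed source that can be taken to the upstream ISP with the BCP 38 request. The Python below is an added example, not code from the thread: it parses BIND "security" category lines of the exact shape Scott quoted and tallies the "./NS/IN" denials per claimed source. The sample log is constructed for the example (the first two lines are Scott's, the rest invented in the same format, including one unrelated denial that must not be counted).

```python
"""Tally denied './NS/IN' cache queries per claimed source address from
BIND 'security' log lines.  Added example, not BIND code.  The sources it
reports are the spoofed reflection victims, not the sender."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) security: info: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

# Constructed sample: Scott's two lines plus three made up in the same format.
SAMPLE_LOG = """\
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
20-Jan-2009 15:39:07.102 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:07.455 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:08.001 security: info: client 192.0.2.7#5353: query (cache) 'www.example.net/A/IN' denied
"""


def parse_denied(lines):
    """Yield one dict per line that matches the 'query (cache) ... denied' format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarise_root_ns(lines, threshold=3):
    """Count denied root NS queries per claimed source.

    Returns (counts, flagged, ports): counts of './NS/IN' denials per
    address, the subset at or above 'threshold', and the set of source
    ports seen per address (a single port repeated across many packets is
    one more sign the address is not really the sender)."""
    counts = Counter()
    ports = defaultdict(set)
    for rec in parse_denied(lines):
        if rec["qname"] == "." and rec["qtype"] == "NS" and rec["qclass"] == "IN":
            counts[rec["ip"]] += 1
            ports[rec["ip"]].add(int(rec["port"]))
    flagged = {ip: n for ip, n in counts.items() if n >= threshold}
    return counts, flagged, {ip: sorted(p) for ip, p in ports.items()}


if __name__ == "__main__":
    counts, flagged, ports = summarise_root_ns(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:16} {n:5d} denied './NS/IN'  ports={ports[ip]}")
    print("report to upstream:", sorted(flagged))
```

On the constructed sample the report lists 66.230.160.1 (3 denials, always from port 48517) and 66.230.128.15 (1), and ignores the www.example.net denial. The threshold is a knob, not a verdict: the output is the evidence to hand to the ISP, and, as Mark says, the only real fix is filtering where the spoofed packets enter the network.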
Re: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
In message bay133-w4474fd4aa8331c2dc6bee1b4...@phx.gbl, wiskbr...@hotmail.com writes:
> Hello;
>
> I have two DMZ BIND/DNS servers running whose purpose is to allow
> lookups via them from my otherwise incapable internal network. I've
> recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1.
> Both servers are running Sparc/Solaris 9.
>
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve
> failed lookups for .gov sites, I found that the server was now
> attempting to resolve using IPv6 style addresses. I am not able to find
> any such attempts in the past at all from either server (See messages
> from BIND 9.5.1-P1 server below).

It always was. Named now uses connected UDP sockets so the error codes
make it back from the kernel.

> I've installed a newer db.root file by running dig then saving the
> output to db.root. The newer file contained IPv6 style entries, which
> I've manually removed (about the same time attempts ceased)
>
> I've also tried to force any attempts at using IPv6 and what appear to
> be issues resolving .gov domains in my named.conf like this:

To disable the use of IPv6 use "named -4". I would however recommend
that you get yourself IPv6 connectivity instead.

> options {
>         edns-udp-size 512;
>         max-udp-size 512;

Unless you have a firewall or NAT that has trouble with EDNS packets of
particular sizes you should not need to set these. If you do need to
set these then you really should look at replacing/reconfiguring the
offending box.

>         listen-on-v6 { none; };
> };
>
> logging {
>         category lame-servers { null; };
>         category edns-disabled { null; };
> };
>
> The issues that I was seeing with .gov sites resulted in this type of
> error in my logfile:
>
> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS

The problem here is "too many timeouts". This may or may not be related
to EDNS.

> Any help would be greatly appreciated, am I missing something obvious,
> or perhaps I need to add something else into my configs?
>
> Thank you,
>
> .vp
>
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN': 2001:500:2f::f#53
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53

Which are perfectly understandable if you don't have IPv6 connectivity.
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
MX records are supposed to be pointed to the name the mail exchanger
knows itself as. This will correspond to an A record. If I could work
out a way to determine which A records don't correspond to the name by
which the mail exchanger knows itself as I'd also have named issue a
warning for such A records. Unfortunately there isn't a way to make
such a determination.

When a CNAME is used you get configuration errors reported from MTA's
when they try to send email to themselves. This still happens today.

Mark
Re: Unified Root - Domain Configuration Issue
In message 497cae4b.4020...@dougbarton.us, Doug Barton writes:
> Joe Baptista wrote:
> > So a little more testing using firefox as an application gives us some
> > interesting results. Using the .TM TLD I entered http://tm/ into my
> > browsers. It did not work. Firefox replaced http://tm/ with
> > http://www.tm.com/ - which is not the web site I wanted to reach.
>
> In Firefox' titlebar enter 'about:config' (no quotes) then in the filter
> type 'keyword.enabled' and double-click that entry to toggle it to false.

The correct fix for this is:

	browser.fixup.alternate.enabled -> false

keyword.enabled -> false stops the search engine lookup.
Re: error sending response log messages
In message 497caef2.80...@yahoo.com, Andre LeClaire writes:
> Hello everyone,
>
> I've been seeing these syslog messages for about a week on a FreeBSD
> server running BIND 9.4.3-P1:
>
> Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied
> Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied
> Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error sending response: permission denied
> Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error sending response: permission denied
> Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error sending response: permission denied
> Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied
> Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied
> Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied
> Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied
> Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error sending response: permission denied
>
> Ports 135-139 and 445 are denied by the firewall on the outside
> interface.

Why do you care about what port you are sending to? Just allow named to
send its replies.

> It looks like it might be some kind of Windows exploit, but I've Googled
> and searched the BIND mailing lists, and haven't found any clues yet.
> Has anybody else seen this?
>
> Thanks!
>
> Andre
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
In message 2d378cb064ba4d06880aed8ed81f3...@ahsnbw1, Al Stu writes:
> > Thus, if an alias is used as the value of an NS or MX record, no
> > address will be returned with the NS or MX value.
>
> Above statement, belief, perception etc. has already been proven to be
> a fallacy (see the network trace attached to one of the previous
> messages). Both the CNAME and A record is in fact returned, unless the
> CNAME RR points to some other zone such as say smtp.googlemail.com.

Please show one vendor that follows a CNAME when processing the
*additional* section. AFAIK there is no vendor that does this. Named
doesn't. CNAME is followed when processing the *answer* section.

> So within the zone SMTP requirements are in fact met when the MX RR is
> a CNAME. So there is no need to prevent this nor to label it as
> illegal. The MX RR CNAME check should be improved to include this case
> and not throw a message if the MX RR CNAME is resolvable within the
> zone.

A lot of the reason why people think they can do this is that it doesn't
always blow up in their faces when they do it.

When there is only one MX record and that name points to a CNAME the MX
records are not looked up on the mail exchanger so things don't blow up.

Have multiple MX records with different preferences and point those at
CNAMEs then things start blowing up because the higher preference mail
exchanger does look up the MX RRset and does process it. That is when
things blow up.

The rules are there to prevent this situation.

The message is staying. If you don't want to see it turn it off in
named.conf but don't log a bug report complaining that we didn't detect
the misconfiguration.

Mark

> ----- Original Message -----
> From: "Matus UHLAR - fantomas" uh...@fantomas.sk
> To: bind-users@lists.isc.org
> Sent: Monday, January 26, 2009 8:18 AM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>
> > On 26.01.09 09:19, bsfin...@anl.gov wrote:
> > > If I have in DNS
> > >   cn IN CNAME realname
> > > and I query for cn, the DNS resolver will return realname.
> > > BIND also returns the A record for realname. Is this a requirement?
> > > If not, then
> > >   mx IN 10 MX cn
> > > will result in:
> > > 1) the MX query returning cn,
> > > 2) the cn query returning realname,
> > > 3) a third (and RFC-breaking) query to get the A for realname.
> > >
> > > There are only two queries if the resolver returns the A record along
> > > with the realname of the CNAME record.
> >
> > according to RFC1035 sect. 3.3.9
> >   MX records cause type A additional section processing for the host
> >   specified by EXCHANGE.
> >
> > according to RFC2181 sect 10.3.
> >   The domain name used as the value of a NS resource record, or part of
> >   the value of a MX resource record must not be an alias. It can also
> >   have other RRs, but never a CNAME RR.
> >
> > Additional section processing does not include CNAME records...
> >
> > Thus, if an alias is used as the value of an NS or MX record, no
> > address will be returned with the NS or MX value.
> >
> > --
> > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> > The box said 'Requires Windows 95 or better', so I bought a Macintosh.
Re: What are these entries in the log file - query: . IN NS +?
In message fvhsn493t2pb75c93nm1s14lkttiu0i...@4ax.com, Tony Toews [MVP] writes:
> Gregory Hicks ghi...@hicks-net.net wrote:
>
> > > 2) What are they?
> >
> > They look like the DDoS being discussed on the NANOG list.
> >
> > Have you implemented BCP38? If not, why not...
>
> I have no idea what BCP38 is and how I can implement that.

http://www.ietf.org/rfc/rfc3704.txt

> Would you be so kind as to supply links relevant to Windows 2003 Server?
>
> Thanks, Tony
> --
> Tony Toews, Microsoft Access MVP
> Please respond only in the newsgroups so that others can read the
> entire thread of messages.
> Microsoft Access Links, Hints, Tips & Accounting Systems at
> http://www.granite.ab.ca/accsmstr.htm
> Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
In message 0aa37ce829ba458b9ba2d199a6d96...@ahsnbw1, Al Stu writes:
> How about these two?
>
>     nullmx.domainmanager.com
>     Non-authoritative answer:
>     Name:    mta.dewile.net
>     Address: 69.59.189.80
>     Aliases: nullmx.domainmanager.com
>
>     smtp.secureserver.net
>     Non-authoritative answer:
>     Name:    smtp.where.secureserver.net
>     Address: 208.109.80.149
>     Aliases: smtp.secureserver.net

Which just goes to show you don't understand the issue. Ask the correct question and you will see a response which demonstrates what people are talking about. If the server was doing what you say it does you would see the CNAME in the additional section.

    ; <<>> DiG 9.3.6-P1 <<>> mx secureserver.net @cns2.secureserver.net. +norec
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21506
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;secureserver.net.              IN      MX

    ;; ANSWER SECTION:
    secureserver.net.       3600    IN      MX      0 smtp.secureserver.net.

    ;; AUTHORITY SECTION:
    secureserver.net.       3600    IN      NS      cns2.secureserver.net.
    secureserver.net.       3600    IN      NS      cns1.secureserver.net.

    ;; ADDITIONAL SECTION:
    cns1.secureserver.net.  3600    IN      A       208.109.255.100
    cns2.secureserver.net.  3600    IN      A       216.69.185.100

    ;; Query time: 181 msec
    ;; SERVER: 216.69.185.100#53(216.69.185.100)
    ;; WHEN: Tue Jan 27 12:54:26 2009
    ;; MSG SIZE  rcvd: 125

> There are two reasons it does not blow up in people's faces.
>
> 1) If the CNAME RR points to an A record in the same zone, both the A record and the CNAME record are returned, thus meeting the A record requirement.
>
> 2) SMTP servers are required to accept an alias and look it up. Thus there is no need for this.
>
> And no, it does not matter if there are multiple MX records with different preference values.

Which just means you have not ever experienced the problems it causes.

MTAs are not required to look up the addresses of all the mail exchangers in the MX RRset to process the MX RRset. MTAs usually learn their name by gethostname() or similar, and that name is not a CNAME or there is a misconfiguration.

The fact that email still gets delivered in the presence of misconfigurations is good luck rather than good management.

Mark

> - Original Message -
> From: Mark Andrews mark_andr...@isc.org
> To: Al Stu al_...@verizon.net
> Cc: bind-users@lists.isc.org
> Sent: Monday, January 26, 2009 2:55 PM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>
> In message 2d378cb064ba4d06880aed8ed81f3...@ahsnbw1, Al Stu writes:
>>> Thus, if an alias is used as the value of an NS or MX record, no address will be returned with the NS or MX value.
>>
>> Above statement, belief, perception etc. has already been proven to be a fallacy (see the network trace attached to one of the previous messages). Both the CNAME and A record are in fact returned, unless the CNAME RR points to some other zone such as, say, smtp.googlemail.com.
>
> Please show one vendor that follows a CNAME when processing the *additional* section. AFAIK there is no vendor that does this. Named doesn't. CNAME is followed when processing the *answer* section.
>
>> So within the zone SMTP requirements are in fact met when the MX RR is a CNAME. So there is no need to prevent this nor to label it as illegal. The MX RR CNAME check should be improved to include this case and not throw a message if the MX RR CNAME is resolvable within the zone.
>
> A lot of the reason why people think they can do this is that it doesn't always blow up in their faces when they do it. When there is only one MX record and that name points to a CNAME, the MX records are not looked up on the mail exchanger, so things don't blow up. Have multiple MX records with different preferences and point those at CNAMEs, then things start blowing up because the higher preference mail exchanger does look up the MX RRset and does process it. That is when things blow up. The rules are there to prevent this situation.
>
> The message is staying. If you don't want to see it, turn it off in named.conf, but don't log a bug report complaining that we didn't detect the misconfiguration.
>
> Mark
>
>> - Original Message -
>> From: Matus UHLAR - fantomas uh...@fantomas.sk
>> To: bind-users@lists.isc.org
>> Sent: Monday, January 26, 2009 8:18 AM
>> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>>
>> On 26.01.09 09:19, bsfin...@anl.gov wrote:
>>> If I have in DNS
>>>
>>>     cn IN CNAME realname
>>>
>>> and I query for cn, the DNS resolver will return realname. BIND also returns the A record for realname. Is this a requirement? If not, then
>>>
>>>     mx IN MX 10 cn
>>>
>>> will result in: 1) the MX query
Re: What are these entries in the log file - query: . IN NS +?
In message barmar-3c4a47.20101026012...@mara100-84.onlink.net, Barry Margolin writes:
> In article gllha9$2ot...@sf1.isc.org, Tony Toews [MVP] tto...@telusplanet.net wrote:
>> Gregory Hicks ghi...@hicks-net.net wrote:
>>>> 2) What are they?
>>>
>>> They look like the DDoS being discussed on the NANOG list. Have you implemented BCP38? If not, why not...
>>
>> I have no idea what BCP38 is and how I can implement that. Would you be so kind as to supply links relevant to Windows 2003 Server?
>
> BCP38 is not something you implement, it's something that has to be implemented by the ISPs hosting the attacking systems. They have to block forged source IPs from their customers.

BCP 38 is something everyone should implement. A site shouldn't allow packets to leave with bogus source addresses. That being said, there is no real expectation that home users will be implementing BCP 38, so it falls back to the ISPs to implement it and catch the bad packets when they reach their network.

> Since there are many ISPs out there that are too lazy, incompetent, or just don't care, we're probably never going to be rid of these kinds of attacks.

Agreed. You can however do your part by choosing ISP/IAPs that deploy BCP 38 over ones that don't. Add it to the selection criteria for an ISP/IAP. Ones that do are probably more clueful overall and you will have fewer problems in the end.

Mark

> --
> Barry Margolin, bar...@alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
Re: What are these entries in the log file - query: . IN NS +?
In message ulssn453ohc7rj6lobgkje0g0prvqd3...@4ax.com, Tony Toews [MVP] writes:
>> Tony Toews [MVP] tto...@telusplanet.net wrote:
>>> How do I know I'm not answering those?
>>
>> Since you're on win, I can't help you, but whatever your packet monitor is, see if you are replying to their requests, even with a REFUSED response.
>
> It looks like the server is replying with a refused statement. The following are the two lines that WireShark captured.
>
>     Standard query NS Root
>     Standard query response, refused

Good. The attacker is trying to use you as an amplifier and that is not happening. That is all one can reasonably expect.

The next thing you should do is ask your ISP to chase them back to their source and, if they are local to the ISP, block them by implementing BCP 38, otherwise to pass on the request to the peers they are getting them from.

Mark
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
In message 3c802402a28c4b2390b088242a91f...@ahsnbw1, Al Stu writes:
> RFC 974:
>
>     There is one other special case. If the response contains an answer which is a CNAME RR, it indicates that REMOTE is actually an alias for some other domain name. The query should be repeated with the canonical domain name.

And that is talking about the response to a MX query. The section from which you quote starts with:

    Issuing a Query

    The first step for the mailer at LOCAL is to issue a query for MX RRs for REMOTE. It is strongly urged that this step be taken every time a mailer attempts to send the message. The hope is that changes in the domain database will rapidly be used by mailers, and thus domain administrators will be able to re-route in-transit messages for defective hosts by simply changing their domain databases.

and the paragraph after that which you quote is:

    If the response does not contain an error response, and does not contain aliases, its answer section should be a (possibly zero length) list of MX RRs for domain name REMOTE (or REMOTE's true domain name if REMOTE was a alias). The next section describes how this list is interpreted.

So I would suggest that you stop taking text out of context.

CNAME -> MX is legal
MX -> CNAME is illegal

Mark

> - Original Message -
> From: Scott Haneda talkli...@newgeo.com
> To: Al Stu al_...@verizon.net
> Cc: bind-users@lists.isc.org
> Sent: Monday, January 26, 2009 8:09 PM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>
> On Jan 26, 2009, at 7:54 PM, Al Stu wrote:
>> If you refuse a CNAME then it is your SMTP server that is broken. The SMTP RFC's clearly state that SMTP servers are to accept and lookup a CNAME.
>
> [RFC974] explicitly states that MX records shall not point to an alias defined by a CNAME. That is what I was talking about, are you saying this is not correct? As this is what I was under the impression for quite some time.
>
> --
> Scott
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
In message b3ba5e37553642e28149093cdee78...@ahsnbw1, Al Stu writes:
> Yes, the response to an MX query, that is the subject here. And a CNAME is in fact permitted and specified by the RFC's to be accepted as the response to an MX lookup.

No one is saying a CNAME is not permitted in response to a MX query.

>> If the response does not contain an error response, and does not contain aliases
>
> See there, alias is permitted. You just keep proving my case.

We are saying that when you look up the address of the mail exchanger that you shouldn't get a CNAME record. MX -> CNAME is not permitted. Others have quoted similar text from more recent RFC's.

RFC 974:

    Note that the algorithm to delete irrelevant RRs breaks if LOCAL has a alias and the alias is listed in the MX records for REMOTE. (E.g. REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL). This can be avoided if aliases are never used in the data section of MX RRs.

> I am not taking it out of context. It is very explicitly stated. And the context is that of locating the target/remote host by first submitting an MX query, then submitting an A query of the MX query result.

The text you quote is ONLY talking about the MX query. There is no "then submitting an A query of the MX query result" at this point in the RFC.

> The MX query result is permitted to be an alias, which in turn when submitted for an A query results in both the A and CNAME being returned. Thus meeting the SMTP RFC requirements.
>
> - Original Message -
> From: Mark Andrews mark_andr...@isc.org
> To: Al Stu al_...@verizon.net
> Cc: bind-users@lists.isc.org
> Sent: Monday, January 26, 2009 8:41 PM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>
> In message 3c802402a28c4b2390b088242a91f...@ahsnbw1, Al Stu writes:
>> RFC 974:
>>
>>     There is one other special case. If the response contains an answer which is a CNAME RR, it indicates that REMOTE is actually an alias for some other domain name. The query should be repeated with the canonical domain name.
>
> And that is talking about the response to a MX query. The section from which you quote starts with:
>
>     Issuing a Query
>
>     The first step for the mailer at LOCAL is to issue a query for MX RRs for REMOTE. It is strongly urged that this step be taken every time a mailer attempts to send the message. The hope is that changes in the domain database will rapidly be used by mailers, and thus domain administrators will be able to re-route in-transit messages for defective hosts by simply changing their domain databases.
>
> and the paragraph after that which you quote is:
>
>     If the response does not contain an error response, and does not contain aliases, its answer section should be a (possibly zero length) list of MX RRs for domain name REMOTE (or REMOTE's true domain name if REMOTE was a alias). The next section describes how this list is interpreted.
>
> So I would suggest that you stop taking text out of context.
>
> CNAME -> MX is legal
> MX -> CNAME is illegal
>
> Mark
>
>> - Original Message -
>> From: Scott Haneda talkli...@newgeo.com
>> To: Al Stu al_...@verizon.net
>> Cc: bind-users@lists.isc.org
>> Sent: Monday, January 26, 2009 8:09 PM
>> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>>
>> On Jan 26, 2009, at 7:54 PM, Al Stu wrote:
>>> If you refuse a CNAME then it is your SMTP server that is broken. The SMTP RFC's clearly state that SMTP servers are to accept and lookup a CNAME.
>>
>> [RFC974] explicitly states that MX records shall not point to an alias defined by a CNAME. That is what I was talking about, are you saying this is not correct? As this is what I was under the impression for quite some time.
>>
>> --
>> Scott
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
In message bc7c01a4-1803-4906-bd90-93037b4ae...@newgeo.com, Scott Haneda writes:
> On Jan 26, 2009, at 10:03 PM, Barry Margolin wrote:
>> In article gllr91$2vq...@sf1.isc.org, Scott Haneda talkli...@newgeo.com wrote:
>>> 100% right. I refuse MX's that are cnamed, and I get emails from customers asking what is up. What is strange, and I can not figure it out, is that the admins of the DNS/email server always tell me this is the first time they have heard of it.
>>
>> So you're not following the "be liberal in what you accept" half of the Interoperability Principle, which is intended specifically to avoid problems due to such confusion.
>
> Because that worked so well for HTML :)
>
> I was thinking about that quote just the other day. To be honest, I think it applies well to social issues, but not technical or engineering/programming ones. The second you accept liberally, that tells the submitter that it is ok. I am hard pressed to think of one case in which liberally accepting data is a good thing. It is that very expression that defines why we have <b><p><i>sometext</p></b></i>
>
> Just consider the ramifications of parsing that one simple string, which is now non trivial to parse. What if C worked this way?
>
> Just some thoughts I was having the other day.
>
> --
> Scott

Liberal in what you accept means don't die on arbitrary input. You should still reject rubbish.
Re: What are these entries in the log file (blocking)
In message 260425.38131...@web38201.mail.mud.yahoo.com, W Sanders writes:
> The easy way to block people trying to DoS you, without needing a firewall, is to just null route their IP:
>
>     route add 1.2.3.4 127.0.0.1
>
> Of course this blocks ALL traffic from that IP, but in most cases the IP trying to DoS you is someone you don't care about anyway. If you have an authoritative server, this has the side effect of blocking them from getting any DNS about your domain - USUALLY a good thing.
>
> Remember to remove the route after a while (in Unix with an at job) so a year from now you or another sysadmin isn't completely confused - the routing table on a server isn't exactly the first thing one looks at.
>
> You can also write a script that grabs these IPs out of the syslog and automatically null routes them. Call it intrusion detection if you will.
>
> -w

Which does collateral damage. Complain to your ISP if you are receiving these forged queries. They should be tracked back to their source and eliminated.

Mark
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
In message d53c69e1f478453a8371b49b4f04c...@ahsnbw1, Al Stu writes:
> So then you disagree that the following example returns a valid address record for srv1?

The MX query won't return the A record for srv1. The additional section processing rules say to add A/AAAA records, not CNAME records.

You fail to understand that the rule is there so that MX processing can be done in a deterministic manner. I don't care that when you look up mx1.xyz.com you eventually get an address record. The damage is done long before that lookup is performed.

Email is processed in this order:

    Look up MX records.
    Process the MX RRset.
    Look up address records and attempt to deliver the email.

Mark

>     srv1 300 IN A     1.2.3.4
>     mx1  300 IN CNAME srv1.xyz.com.
>     @    300 IN MX    1 mx1.xyz.com.
>
> 1) Select Target Host: The MX query for xyz.com delivers mx1.xyz.com which is a CNAME.
>
> 2) Get Target Host Address: The A query for mx1.xyz.com delivers the address (A) record of srv1.xyz.com, 1.2.3.4, and also delivers the alias (CNAME) record of mx1.xyz.com.
>
> - Original Message -
> From: Mark Andrews mark_andr...@isc.org
> To: Al Stu al_...@verizon.net
> Cc: bind-users@lists.isc.org
> Sent: Tuesday, January 27, 2009 1:46 AM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>
> In message 10b3763032c94ae2ba4900b3137d1...@ahsnbw1, Al Stu writes:
>> The paragraph you cite regarding "LOCAL has a alias and the alias is listed in the MX records for REMOTE..." is a periphery issue which is handled by not doing that.
>
> Then why are you complaining? The error message is only emitted when you add such an alias.
>
>>> No one is saying a CNAME is not permitted in response to a MX query.
>>
>> Well good then, we agree.
>
> No.
>
>> The MX record data value can be a CNAME.
>
> No.
>
>> That is what BIND is complaining about, and I in turn am saying should be changed/removed. i.e. BIND should not complain about the following, but it does. It says the MX record is illegal. But it is not.
>>
>>     srv1 300 IN A     1.2.3.4
>>     mx1  300 IN CNAME srv1.xyz.com.
>>     @    300 IN MX    1 mx1.xyz.com.
>>
>> The MX query for xyz.com delivers mx1.xyz.com which is a CNAME. The A query for mx1.xyz.com delivers the address (A) record of srv1.xyz.com, 1.2.3.4, and the alias (CNAME) record of mx1.xyz.com.
>>
>> - Original Message -
>> From: Mark Andrews mark_andr...@isc.org
>> To: Al Stu al_...@verizon.net
>> Cc: bind-users@lists.isc.org
>> Sent: Monday, January 26, 2009 10:03 PM
>> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>>
>> In message b3ba5e37553642e28149093cdee78...@ahsnbw1, Al Stu writes:
>>> Yes, the response to an MX query, that is the subject here. And a CNAME is in fact permitted and specified by the RFC's to be accepted as the response to an MX lookup.
>>
>> No one is saying a CNAME is not permitted in response to a MX query.
>>
>>>> If the response does not contain an error response, and does not contain aliases
>>>
>>> See there, alias is permitted. You just keep proving my case.
>>
>> We are saying that when you look up the address of the mail exchanger that you shouldn't get a CNAME record. MX -> CNAME is not permitted. Others have quoted similar text from more recent RFC's.
>>
>> RFC 974:
>>
>>     Note that the algorithm to delete irrelevant RRs breaks if LOCAL has a alias and the alias is listed in the MX records for REMOTE. (E.g. REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL). This can be avoided if aliases are never used in the data section of MX RRs.
>>
>>> I am not taking it out of context. It is very explicitly stated. And the context is that of locating the target/remote host by first submitting an MX query, then submitting an A query of the MX query result.
>>
>> The text you quote is ONLY talking about the MX query. There is no "then submitting an A query of the MX query result" at this point in the RFC.
>>
>>> The MX query result is permitted to be an alias, which in turn when submitted for an A query results in both the A and CNAME being returned. Thus meeting the SMTP RFC requirements.
>>>
>>> - Original Message -
>>> From: Mark Andrews mark_andr...@isc.org
>>> To: Al Stu al_...@verizon.net
>>> Cc: bind-users@lists.isc.org
>>> Sent: Monday, January 26, 2009 8:41 PM
>>> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
>>>
>>> In message 3c802402a28c4b2390b088242a91f...@ahsnbw1, Al Stu writes:
>>>> RFC 974:
>>>>
>>>>     There is one other special case. If the response contains an answer which is a CNAME RR, it indicates
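The deterministic order Mark insists on (fetch the MX RRset, prune it as RFC 974 describes, only then look up addresses) can be exercised against a small zone. The following is an added example, not code from this thread or from BIND; it uses a constructed example.com zone with a backup exchanger named mx2, and shows both the load-time check (an MX target that owns a CNAME) and why the RFC 974 pruning step fails for mx2 when its MX entry is the alias "backup":

```python
"""Why an MX target that is a CNAME breaks RFC 974 processing (added example)."""
from dataclasses import dataclass

# Constructed zone for example.com. (not from the list thread). The second MX
# points at an alias, which is exactly what named's load-time check reports.
ZONE_BROKEN = """\
$ORIGIN example.com.
@       300 IN MX    10 mail1.example.com.
@       300 IN MX    20 backup.example.com.
mail1   300 IN A     192.0.2.10
backup  300 IN CNAME mx2.example.com.
mx2     300 IN A     192.0.2.20
"""

# Same zone with the second MX pointing at the canonical name instead.
ZONE_FIXED = ZONE_BROKEN.replace("20 backup.example.com.", "20 mx2.example.com.")


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: tuple  # ("10", "mail1.example.com.") for MX, ("192.0.2.10",) for A


def parse_zone(text):
    """Minimal parser for the one-record-per-line subset used above."""
    origin = "."
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, _ttl, _cls, rtype, *rdata = fields
        owner = origin if owner == "@" else f"{owner}.{origin}"
        records.append(RR(owner, rtype, tuple(rdata)))
    return records


def mx_targets_that_are_cnames(records):
    """The load-time check: (zone name, EXCHANGE) for every MX whose target
    owns a CNAME in this zone (RFC 2181 10.3 says it must not be an alias)."""
    aliases = {rr.owner for rr in records if rr.rtype == "CNAME"}
    return [(rr.owner, rr.rdata[1]) for rr in records
            if rr.rtype == "MX" and rr.rdata[1] in aliases]


def rfc974_candidates(records, remote, local):
    """RFC 974 pruning: take REMOTE's MX RRset; if LOCAL is listed, drop every
    MX with a preference >= LOCAL's own. Names are compared literally, with no
    CNAME chasing, so an alias in the MX data hides LOCAL from itself."""
    mxs = sorted((int(rr.rdata[0]), rr.rdata[1]) for rr in records
                 if rr.rtype == "MX" and rr.owner == remote)
    own = [pref for pref, name in mxs if name == local]
    if own:
        mxs = [(pref, name) for pref, name in mxs if pref < own[0]]
    return [name for _pref, name in mxs]


def would_loop_to_itself(records, remote, local):
    """True when exchanger LOCAL, relaying for REMOTE, is left with a candidate
    whose address (after following the CNAME, as an address lookup's answer
    section does) is one of LOCAL's own addresses: a mail loop."""
    local_addrs = {rr.rdata[0] for rr in records
                   if rr.rtype == "A" and rr.owner == local}
    for name in rfc974_candidates(records, remote, local):
        canonical = next((rr.rdata[0] for rr in records
                          if rr.rtype == "CNAME" and rr.owner == name), name)
        addrs = {rr.rdata[0] for rr in records
                 if rr.rtype == "A" and rr.owner == canonical}
        if addrs & local_addrs:
            return True
    return False


if __name__ == "__main__":
    for label, zone in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        rrs = parse_zone(zone)
        print(label, "MX->CNAME:", mx_targets_that_are_cnames(rrs))
        print(label, "mx2 candidates:",
              rfc974_candidates(rrs, "example.com.", "mx2.example.com."),
              "loops:", would_loop_to_itself(rrs, "example.com.", "mx2.example.com."))
```

With the alias in place mx2 never recognises itself in the RRset, keeps "backup" as a candidate, and on a mail1 outage would connect to its own address; with the canonical name it prunes itself and is left with mail1 only.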
Re: disabling EDNS messages bind-9.5.0
In message pine.neb.4.64.0901271203100.26...@tx.reedmedia.net, Jeremy C. Reed writes:
> I'm trying to troubleshoot why we are getting a lot of "disabling EDNS" messages in /var/log/messages. We are running bind-9.5.0.P2 on a linux box.
>
>     Jan 27 11:42:23 ns0 named[27764]: too many timeouts resolving 'host2.centmine.com/' (in 'centmine.com'?): disabling EDNS

Please consider using 9.5.1-P1 or 9.6.0-P1. They include EDNS improvements related to logging. They also have this fix which can result in packets appearing to get lost.

Mark

    2504.   [bug]           Address race condition in the socket code. [RT #18899]
Re: Split view multiple zones
In message 49800cfd.nihabiqjcalhfl+u%akos...@andykosela.com, Andy Kosela writes:
> Reinis Rozitis r...@roze.lv wrote:
>>> I've been using an include file for zones common between multiple views, might help in your case too.
>>
>> Thanks, somehow didn't think about this way. Pretty much takes to acceptable solution :)
>
> Yes, include statement is the best option especially if you have a lot of zones. That approach also works great if you need to provide recursion for some of your clients *and* serve authoritative records for the rest of the world. By creating multiple views you can also easily disable answering queries for "." to unknown clients.
>
>     view internal {
>         match-clients { LAN; };
>         recursion yes;
>         include "zones";
>     };
>
>     view external {
>         match-clients { any; };
>         recursion no;
>         additional-from-cache no;
>         include "zones";
>     };

Or just run a currently supported version and specify

    options {
        allow-recursion { LAN; };
    };
    include "zones";

and achieve the same thing for half the memory footprint and not have to worry about different views clobbering the same masterfiles.

Mark

> --Andy
Re: What are these entries in the log file - query: . IN NS +?
In message fl82o4hqjudbc65bkfk08ilg3lmk4hq...@4ax.com, Tony Toews [MVP] writes:
> Tony Toews [MVP] tto...@telusplanet.net wrote:
>> FWIW In the last 28 hours I have the following alleged IP addresses and count in my log file.
>>
>>     Real lookups        1665
>>     204.15.80.50           4
>>     3.217.28.226        1144
>>     4.57.246.146        9541
>>     6.9.16.171           577
>>     63.217.28.226       1463
>>     64.57.246.146      35163
>>     65.173.218.96          1
>>     67.192.144.0        1488
>>     7.192.144.0        12054
>>     76.9.16.171         1033
>
> FWIW in the last 26 hours.
>
>     Real Lookups        1673
>     0.86.80.98         14051

So who isn't doing even loose URPF? 0/8 is totally bogus and is an attack directed at you.

>     4.57.246.123        4425
>     4.57.246.146       22719
>     6.9.16.171           419
>     64.57.246.123       4885
>     64.57.246.146      25023
>     67.192.144.0         825
>     7.192.144.0          696
>     70.86.80.98         9317
>     76.9.16.171          295
>
> So some have disappeared and new ones added.
>
> Tony
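Tony's per-address counts can be produced from a BIND 9 query log directly, and the sources can be checked for address space that is never routable on the wire, which is Mark's point about 0/8. The following is an added example, not code from the thread or from BIND; it runs over constructed query-log lines, separates "query: . IN NS +" entries from real lookups, and reports claimed sources that fall in bogon space as evidence of forgery (the addresses belong to reflection victims, so they are something to report to the ISP, not hosts to block):

```python
"""Summarise a flood of "query: . IN NS +" entries in a BIND 9 query log (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log format (not Tony's real log).
# The addresses are the *claimed* sources; in a reflection attack they are
# forged and belong to the ultimate victims.
SAMPLE_LOG = """\
27-Jan-2009 10:01:02.101 client 64.57.246.146#2731: query: . IN NS +
27-Jan-2009 10:01:02.104 client 0.86.80.98#1234: query: . IN NS +
27-Jan-2009 10:01:02.110 client 192.0.2.7#51023: query: www.example.com IN A +
27-Jan-2009 10:01:02.112 client 64.57.246.146#2731: query: . IN NS +
27-Jan-2009 10:01:02.120 client 76.9.16.171#3412: query: . IN NS +
27-Jan-2009 10:01:02.131 client 0.86.80.98#1234: query: . IN NS +
27-Jan-2009 10:01:02.140 client 198.51.100.9#4000: query: example.com IN MX +
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S*)"
)

# Blocks that cannot legitimately be a packet's source address: "this" network
# (0/8), loopback, and the reserved class E space. Any hit proves forgery.
BOGON_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]


def parse_query_log(text):
    """Yield (source address as str, qname, qtype) for every query line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["qname"], m["qtype"]


def is_bogon(addr):
    """True when the claimed source lies in a block that is never routable."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in BOGON_NETS)


def summarise(text):
    """Per-source counts of root-NS queries versus everything else, plus the
    claimed sources that are bogons (proof of spoofing, not a block list)."""
    root_ns = Counter()
    other = Counter()
    for src, qname, qtype in parse_query_log(text):
        if qname == "." and qtype == "NS":
            root_ns[src] += 1
        else:
            other[src] += 1
    bogons = sorted(src for src in root_ns if is_bogon(src))
    return {"root_ns": dict(root_ns), "other": dict(other), "bogon_sources": bogons}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("real lookups:", sum(report["other"].values()))
    for src, n in sorted(report["root_ns"].items(), key=lambda kv: -kv[1]):
        flag = "  <- bogon source, forged" if src in report["bogon_sources"] else ""
        print(f"{src:<16} {n:>6}{flag}")
```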
Re: named and database backed systems
In message 29c7b7bc-f017-4404-b011-8b50206c7...@newgeo.com, Scott Haneda writes:
> Damnit, every time I search this stuff out, I search for "named something-or-other" and should use BIND in my search :)
>
> I am going to test deploy on my workstation on OS X. Named comes up with relative ease, just add a key and I am pretty much up and running, albeit out of date, but for testing, I am ok with that.
>
> Are you telling me I need not even build named to get DLZ support? It is just there already?

You have to tell configure that you want it. It's still contributed code.

> I see you are using postgres; mysql or sqlite should not be an issue either?
>
> Zones are backed in DB, but not queried in real time are there? If they are, I can see sub 50ms return times going way up.
>
> Thanks for pointing me in the right direction, I will go read the DLZ pages now.
>
> On Jan 28, 2009, at 10:25 PM, David Ford wrote:
>> Use the DLZ extension. It's been around for a while. I.e. put the following in your named.conf and use whatever interface you wish. I use Ant with a few modifications. I don't have nearly the number of domains that you do so my simple system works fine.
>>
>>     dlz postgres zone {
>>         database "postgres 2
>>         {host=localhost dbname=dns_data user=bind password=xx}
>>         {SELECT 'TRUE' FROM canonical WHERE lower(content) = lower('%zone%') limit 1}
>>         {SELECT ttl, type, priority, data FROM record, canonical WHERE lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain}
>>         {}
>>         {SELECT ttl, type, host, priority, data FROM record, canonical WHERE zone = domain AND lower(content) = lower('%zone%')}
>>         {SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND lower(content) = lower('%zone%') AND client = inet '%client%'}";
>>     };
>>
>> Rather spiffy for centralizing your record store with immediate change visibility.
>
> --
> Scott
Re: BIND 9.4.x vs 9.6.x - pid-file check and creation
In message 4981c105.8080...@sun.com, Stacey Jonathan Marshall writes:
> Mark Andrews wrote:
>> Looking at the publicly available parts of SunSolve there are at least bug reports about it.
>>
>> Requires Support Contract: tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions. bug 6253984 http://sunsolve.sun.com/search/document.do?assetkey=1-1-6253984-1 - Sep 10, 2007
>
> FYI this has been fixed in OpenSolaris, alas it has not been fixed in Solaris 9 or 10 and currently there are no plans to do so.
>
>> Requires Support Contract: tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions. bug 2152581 http://sunsolve.sun.com/search/document.do?assetkey=1-1-2152581-1 - Sep 10, 2007
>
> This is the Solaris 10 reference, it's closed (hence no plans to fix). With sufficient justification it could be re-opened.

The problem isn't that you can't work around it. The problem is that every application that calls mkdir(2) or mkdir will eventually discover it the hard way by having something break that shouldn't. The net cost involved will far exceed the cost to fix. I would argue that it already has passed that point.

I programmed for the expected error behaviour and did not get it. Error behaviour that goes back to the initial creation of the open(2) system call. That the error hierarchy on all file system system calls is access, existence, write. I learnt about this well before POSIX was even thought about.

I called mkdir(2) knowing that I would effectively get the stat(2) call for free. Now I need to call stat(2) then call mkdir(2) on ENOENT to work around this bug.

Every programmer in the world that has worked with mkdir(2) should know what I knew. We don't go looking for gotchas in really old system calls. We just program for the known interface.

I would ask that Sun re-think this decision not to fix the bug.

Mark

> Stace

I don't have a copy of the POSIX standard that covers mkdir(2) to see what it has to say about it. Historically however EACCES on search failure, EEXIST if the file/directory exists, then EACCES on parent directory write permissions was the error determination order.

Mark
Re: Caching-only Name server does Zone Updates
In message 009201c985c0$aff05cb0$f9281...@wipro74039c7ca, Ashish writes:
> Hello All,
>
> Thank you for your replies. Our configuration file is fairly simple (I have changed the domain name for security).

You care about security yet you run BIND 4?

>     domain example.group.net
>     cache ./etc/dnscache
>
> We use BIND 4. Actually our DNS was doing a lot of CPU utilization and when we started it in Debug mode we found that there was a reverse lookup for some IP address which was in the dnscache file. (dnscache is the root hint file.) This started zone updates, as we can observe in the debug file which calls function db_update().
>
> Here is the debug file content (I have modified the IP address for security reasons. Here 21.x.x.x is one of the entries in dnscache file. I mean that there was a network address starting with 21 in our dnscache file).
>
>     dgram from 1.2.3.4, 2 ()
>     ns_req()
>     req: nlookup(5.6.7.21.in-addr.arpa) id 111 type=11
>     req: found '5.6.7.21.in-addr.arpa' as '21.in-addr.arpa' (cname=0)
>     findns: np 0x6b41e
>     findns: 2 NS's added for '21'
>     ns_forw()
>     qnew(x45gte8)
>     nslookup(nsp=x2433d,qp=xfdgfv4)
>     nslookup: NS server01.example.grp.net c1 t2 (x0)
>     nslookup: 1 ns addrs
>     nslookup: NS cerver01.example.grp.net c1 t2 (x0)
>     nslookup: 2 ns addrs
>     nslookup: 2 ns addrs total
>     retrytime: nstime 0ms.
>     schedretry(0x1dfd8, 4sec)
>     Dgram from 21.x.x.x
>     Ns_req()
>     Qfindid(12345)
>     USER response nsid= id
>     Respose from upexpected source 21.x.x.x
>     Stime z/z now yy/yy rtt x
>     NS #2 addr 21.x.x.x used rtt y
>     NS #1 21.x.x.x rtt now z
>     Resp: ancount 0, aucount 1, arcount 0
>     Doupdate(zone 0, savens x, flags y)
>     Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
>     Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543)
>
> This is strange, there was NSLOOKUP for some IP 5.6.7.21 which caused zone updates and we do not have any zone specified in our configuration file.

zone 0 is the cache. The cache was updated.

Mark

> Kindly advise
>
> Thanks
> Ashish
Re: DDOS prevention - how to restrict queries to hint (root) zones?
In message 1233658532.12933.42.ca...@muccalla.uninsubria.it, Matteo HCE Valsasna writes:

> hi all,
>
> We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's package), that does both recursive queries for internal clients (with a proper allow-recursion clause) and authoritative service for the institution's domain.
>
> There are reports of DDOS attacks based on DNS requests for the root zone with spoofed source IP address:
> * the attacker sends a request for the root zone with a spoofed source address to a DNS server
> * the intermediate victim (DNS server) sends the reply packet - significantly larger than the request - to the ultimate victim (the owner of the spoofed source IP address in the request packet).
> * the ultimate victim's connection is flooded
>
> http://isc.sans.org/diary.html?storyid=5773
>
> I verified that our servers reply when queried from a non-trusted source address for the root zone. (And we must also notice that the non-trusted source address argument is pretty pointless when dealing with spoofed source addresses: if a query with a spoofed internal source address could reach the server, the server would just DDOS an internal machine. But we do discard inbound packets with internal source IP addresses on the network border.)
>
> The first answer to this threat would be to disallow queries for the root zone for any client (the root zone is used only by the server itself, right?).
> * Do you think there is any reason NOT to do this?
> * Do you know a simple way to do this? The trivial solution of adding an allow-query clause to the root zone definition is refused by the server, as hint type zones cannot have an allow-query clause - see https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
>
> There is possibly a way to do this using views, but... anything simpler?

options {
	// recursive-clients: an acl you define elsewhere listing your internal client networks
	allow-query { recursive-clients; };
	allow-recursion { recursive-clients; };
};

zone {
	type (slave|master);
	...
	allow-query { any; };
};

Or upgrade to BIND 9.4 or later and use allow-query-cache. BIND 9.3 is past end-of-life.

Mark

> best regards and thanks for any answer
> Matteo Valsasna
Re: Unexpected error question
In message f021020da23b6641a05e616d5ead146304597...@de01exm60.ds.mot.com, Cherney John-CJC030 writes:

> Yes, I normally use svcadm disable dns/server to stop named. Also, I've modified the dns/server stop method from the usual kill to /usr/sbin/rndc stop. I did that because I want to make sure the cache gets written to the db files, which an rndc stop does.
>
> It seems that named is having a problem with one of the files, but I can't tell which one from the first syslog message.

It is only one error split over two messages.

	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
		      ISC_LOG_ERROR, "%s:%d: unexpected error:", file, line);
	isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
		       ISC_LOG_ERROR, format, args);

Mark

> jwc
>
> -----Original Message-----
> From: Gregory Hicks [mailto:ghi...@hicks-net.net]
> Sent: Thursday, February 05, 2009 10:56 AM
> To: bind-us...@isc.org; Cherney John-CJC030
> Cc: mark_andr...@isc.org
> Subject: RE: Unexpected error question
>
> > Subject: RE: Unexpected error question
> > Date: Thu, 5 Feb 2009 09:51:05 -0500
> > From: Cherney John-CJC030 john.cher...@motorola.com
> > To: bind-us...@isc.org
> >
> > I see. I was assuming that the second line was caused by the first line, and that if I could get more info on the first line, I could take care of both of them.
> >
> > I have a named user that the named process is run as. However, I see these errors even when I use rndc stop as root. Is there any resource that recommends what permissions need to be on specific SMF files for DNS? (or in general). Or is this even a permissioning issue with SMF files?
>
> The problem comes from the idea that SMF wants to be the 'controller'. When the program in question (named in this case) receives a 'stop' command from rndc, SMF doesn't know WHY the program stopped, just that it DID stop. Thus the error.
>
> A better way to stop named might be svcadm named disable (I think that's the right syntax but could be wrong. I am NOT an SMF expert...) That should avoid the error message.
>
> There was some discussion on the smf-disc...@opensolaris.org list last month on how to avoid error messages when you don't care if the underlying service stops all by itself.
>
> Regards,
> Gregory Hicks
>
> > Thanks!
> > jwc
> >
> > -----Original Message-----
> > From: mark_andr...@isc.org [mailto:mark_andr...@isc.org]
> > Sent: Thursday, February 05, 2009 1:18 AM
> > Cc: Cherney John-CJC030; bind-us...@isc.org
> > Subject: Re: Unexpected error question
> >
> > In message 200902050609.n1569ktg082...@drugs.dv.isc.org, Mark Andrews writes:
> > > In message f021020da23b6641a05e616d5ead146304597...@de01exm60.ds.mot.com, Cherney John-CJC030 writes:
> > > > I'm seeing the following lines in syslog, which occur when I shut down named:
> > > >
> > > > general: error: ./main.c:858: unexpected error:
> > > > general: error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action
> > > >
> > > > I'm running 9.3.5-P1 on Solaris 10 x86
> > > >
> > > > I took a quick look at the source code and it looks like there should be a file and/or file number as part of the unexpected error line. I've noticed the same two lines when I issue an rndc stop. The named process does stop, but I'm worried that there may be data in the cache that isn't getting written to the db files.
> > > >
> > > > Nothing jumped out at me from my google search. It seems like I have a file permissions issue, but I haven't recently changed any file permissions. I don't see any unusual messages on startup.
> > > >
> > > > Can someone point me in the right direction for this? Is there any other information I should/could provide?
> > > >
> > > > Thanks!
> > > > jwc
> > >
> > > SMF is Sun's management facility. The code in question was submitted by Sun. I would be looking at how you have SMF set up, in particular how to give the user named is running under permission to disable itself.
> > >
> > > See also http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris as mentioned in the FAQ.
> > >
> > > Mark
Re: Unexpected error question
In message 200902051556.n15ftxrx004...@metis.hicks-net.net, Gregory Hicks writes:

> > Subject: RE: Unexpected error question
> > Date: Thu, 5 Feb 2009 09:51:05 -0500
> > From: Cherney John-CJC030 john.cher...@motorola.com
> > To: bind-us...@isc.org
> >
> > I see. I was assuming that the second line was caused by the first line, and that if I could get more info on the first line, I could take care of both of them.
> >
> > I have a named user that the named process is run as. However, I see these errors even when I use rndc stop as root. Is there any resource that recommends what permissions need to be on specific SMF files for DNS? (or in general). Or is this even a permissioning issue with SMF files?
>
> The problem comes from the idea that SMF wants to be the 'controller'. When the program in question (named in this case) receives a 'stop' command from rndc, SMF doesn't know WHY the program stopped, just that it DID stop. Thus the error.
>
> A better way to stop named might be svcadm named disable (I think that's the right syntax but could be wrong. I am NOT an SMF expert...) That should avoid the error message.
>
> There was some discussion on the smf-disc...@opensolaris.org list last month on how to avoid error messages when you don't care if the underlying service stops all by itself.

This is a plain permissions problem. The user named doesn't have enough permissions to disable the service svc:/network/dns/server:default in smf.

Mark

> Regards,
> Gregory Hicks
>
> > Thanks!
> > jwc
>
> -----------------------------------------------------------------
> Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928
>
> People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell
> The price of freedom is eternal vigilance. -- Thomas Jefferson
> The best we can hope for concerning the people at large is that they be properly armed. -- Alexander Hamilton
Re: SERVFAIL from validating nameservers for advocaat.pro advocaten.pro
In message prayer.1.3.1.0902051754210.4...@hermes-2.csi.cam.ac.uk, Chris Thompson writes:

> On Feb 5 2009, I wrote:
>
> > DLV records for advocaat.pro and advocaten.pro are among the recent additions to dlv.isc.org. Using validating recursive nameservers running BIND 9.5.1-P1 (configured to trust dlv.isc.org), I get SERVFAILs looking things up in them, although not consistently. This doesn't happen with non-validating nameservers. I can't work out what is wrong with them. Does anyone else see the same effect?
>
> More info about the "not consistently" bit. With nothing about them in the cache (rndc flushname advocaat.pro) looking up SOA or NS records for them gives SERVFAIL. But looking up A records does not, and after that SOA and NS lookups work OK as well.
>
> Hmmm...

The TLD lies. DNSSEC is doing exactly what it is supposed to do and is blocking bad answers.

Mark

; <<>> DiG 9.3.6-P1 <<>> advocaat.pro soa @c.gtld.pro +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29667
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;advocaat.pro.			IN	SOA

;; AUTHORITY SECTION:
pro.			14400	IN	SOA	a.gtld.pro. hostmaster.registrypro.pro. 2009020518 28800 7200 604800 300

;; Query time: 186 msec
;; SERVER: 192.149.64.10#53(192.149.64.10)
;; WHEN: Fri Feb  6 11:45:31 2009
;; MSG SIZE  rcvd: 96

> --
> Chris Thompson
> Email: c...@cam.ac.uk
Re: expired or non-authoritative domains
In message 2070cf420902060124ged41b99jf56a15306c9b2...@mail.gmail.com, Konstantin N. Bezruchenko writes:

> Hello,
>
> I have two DNS servers, which our customers use to host their domains. Sometimes customers forget to renew a domain, or just don't want to renew it, or they move the domain to other name servers. However I still have records for these domains in my configs.
>
> Is there any way to determine which domains no longer use my name servers? Sure, I can write some script just to make queries to root servers, parse the answers and look if the domain still refers to my nameservers, but I believe there must be some native way?

Unless you are serving TLDs you don't want to query the root servers. You want to query the parent servers, and yes, that is the easiest way.

Mark

> Thanks.
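The check Mark describes, as an added example that is not part of the thread and not ISC code: ask the parent zone's servers for the delegation and compare the NS set with the servers you run. The server names, zone names and dig output below are constructed; only the live helper talks to the network, and the parent server it queries is an argument you supply.

```python
"""Check which hosted zones are still delegated to our servers by asking the
PARENT zone's servers (as Mark says: the root only matters if you serve a TLD).
Added example for this thread, not BIND or ISC code. Names and addresses are
constructed for illustration."""
import subprocess

# The nameservers we expect the parent to delegate to (constructed).
OUR_SERVERS = {"ns1.hosting.example.", "ns2.hosting.example."}


def canon(name):
    """Lower-case, absolute (trailing dot) form so comparisons are exact."""
    return name.strip().lower().rstrip(".") + "."


def parse_ns(dig_output):
    """Collect NS targets from 'dig +noall +answer +authority' style output.
    A referral from the parent puts the NS RRset in the authority section;
    an expired or undelegated zone yields an SOA (NXDOMAIN) and no NS lines."""
    servers = set()
    for line in dig_output.splitlines():
        fields = line.split()
        # owner ttl class type rdata
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NS":
            servers.add(canon(fields[4]))
    return servers


def classify(delegated, ours=OUR_SERVERS):
    """Compare the parent's delegation against the servers we run."""
    ours = {canon(n) for n in ours}
    if not delegated:
        return "no-delegation"          # dropped/expired: safe to remove our config
    if delegated <= ours:
        return "delegated-to-us"        # still ours
    if delegated & ours:
        return "partial"                # mixed: some of ours, some elsewhere
    return "moved-away"                 # fully delegated elsewhere


def check_zone_live(zone, parent_server, ours=OUR_SERVERS):
    """Live check (needs the network): ask one of the parent's authoritative
    servers, e.g. check_zone_live('example.com', 'a.gtld-servers.net')."""
    out = subprocess.run(
        ["dig", "+noall", "+answer", "+authority", "+norecurse",
         "NS", canon(zone), "@" + parent_server],
        capture_output=True, text=True, check=True).stdout
    return classify(parse_ns(out), ours)


# Constructed dig output for the offline demonstration.
SAMPLE_REFERRAL = """\
example.com.		172800	IN	NS	ns1.hosting.example.
example.com.		172800	IN	NS	NS2.HOSTING.EXAMPLE.
"""
SAMPLE_MOVED = """\
moved.example.		172800	IN	NS	ns.other.example.
"""
SAMPLE_EXPIRED = """\
example.		3600	IN	SOA	a.root.example. hostmaster.example. 1 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    for label, out in (("example.com", SAMPLE_REFERRAL),
                       ("moved.example", SAMPLE_MOVED),
                       ("expired.example", SAMPLE_EXPIRED)):
        print(label, "->", classify(parse_ns(out)))
```

Run it against each zone in your named.conf with the parent's servers (for example the TLD's servers, found with `dig NS com.`); anything reported as no-delegation or moved-away is a zone you can drop, and partial is worth a closer look because only some of the delegation still points at you.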
Re: manually generating tsig keys
In message 20090206194146.ga24...@norchemlab.com, Justin T Pryzby writes:

> ARM 9.5 still mentions manual generation of TSIG data:
> https://www.isc.org/software/bind/documentation/arm95#tsig
>
> Is there any advantage to using dnssec-keygen?

It really depends on how you are going to use the key. For zone transfers there is no benefit as you have to copy and paste at both ends. For nsupdate there is a benefit as you can use nsupdate -k keyfile.

> ISTR some mention of an algorithm used to minimize the possibility of collisions. Or is that true for any key used with HMAC?
>
> Justin
Re: possible noob question - @ CNAME?
In message e4b42c39-914d-42be-9488-7ae0eba34...@r41g2000prr.googlegroups.com, RJValenta writes:

> forever ago, i set myself up with solid bandwidth and static IPs and started to host websites for my friends and their small businesses. basically, they covered the cost of my internet access. so for 10 years i've been hosting my own name, mail, and web servers allowing me to '@ A xxx.xxx.xxx.xxx' and then to make life easy i would 'www IN CNAME mywebserver.mydomain.com.'
>
> i say easy, because that way in the event that i changed ISPs and got new IP addresses, there was less chance of my screwing up a www and MX record if i made sure to change the two primary machines' A records properly. however, the '@ IN xxx.xxx.xxx.xxx' would always need to be changed manually.
>
> Is there a way around this? is it possible in some fashion to '@ IN CNAME my.server.com' ?
>
> I ask because I'm trying to trim back here, and move my NS hosting to NetSol and subsequently trim back on what i have to manage. at this stage in the game i'd rather have more time to not worry about my friend's personal website about their kids, and still be confident that their wife's home business website will still stay up.
>
> any ideas on how i can CNAME their @ record so their http://whatever.com will still work, but in the end, i'm only managing one domain's IP records?
>
> thanks,
> richard

No you can't. From the FAQ:

Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other data" when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact records involved by transferring the zone using dig then running named-checkzone on it.

	dig axfr example.com @master-server > tmp
	named-checkzone example.com tmp

A CNAME record cannot exist with the same name as another record except for the DNSSEC records which prove its existence (NSEC).

RFC 1034, Section 3.6.2:

	If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types.

Mark
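The rule Mark quotes, applied to a zone file by hand, as an added example that is not part of the thread and is not named-checkzone: a minimal master-file parser followed by a check for owner names where a CNAME sits beside other data. The zone text is constructed to reproduce what the poster wants (a CNAME at '@'); treating RRSIG as well as NSEC as permitted beside a CNAME follows RFC 4035 and goes beyond the FAQ text, which names only NSEC.

```python
"""Apply the RFC 1034 3.6.2 rule from the FAQ quoted above to a zone file:
report every owner name where a CNAME sits beside other data. Added example,
not BIND's named-checkzone; the zone text is constructed for illustration."""
from collections import defaultdict

# DNSSEC types that RFC 4035 allows alongside a CNAME (the FAQ above names NSEC;
# RRSIG is included here as well, which is an assumption beyond the FAQ text).
ALLOWED_WITH_CNAME = {"NSEC", "RRSIG"}


def parse_zone(text, origin=None):
    """Minimal master-file parser: $ORIGIN, '@', relative names, optional TTL,
    optional class, ';' comments. Returns a list of (owner, type) pairs.
    Multi-line parentheses are not handled (assumption: one record per line)."""
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        fields = line.split()
        # A line starting with whitespace reuses the previous owner name.
        if raw[0] in " \t":
            owner = last_owner
        else:
            owner = fields.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner.lower() + "." + origin
        owner = owner.lower()
        last_owner = owner
        # Skip the optional TTL and class to reach the type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields:
            raise ValueError("no type on line: %r" % raw)
        records.append((owner, fields[0].upper()))
    return records


def cname_conflicts(records):
    """Owners where a CNAME coexists with non-DNSSEC data. At the apex this is
    unavoidable, because the SOA and NS records must live there."""
    by_owner = defaultdict(set)
    for owner, rtype in records:
        by_owner[owner].add(rtype)
    return sorted(owner for owner, types in by_owner.items()
                  if "CNAME" in types and types - {"CNAME"} - ALLOWED_WITH_CNAME)


# Constructed zone reproducing what the poster asked for: a CNAME at '@'.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@		IN SOA	ns1 hostmaster 2009020601 3600 900 604800 300
@		IN NS	ns1
@		IN MX	10 mail
@		IN CNAME my.server.example.	; what the OP wants; clashes with SOA/NS/MX
www		IN CNAME mywebserver		; fine: nothing else lives at www
mywebserver	IN A	192.0.2.10
ns1		IN A	192.0.2.1
mail		IN A	192.0.2.2
"""

if __name__ == "__main__":
    for owner in cname_conflicts(parse_zone(SAMPLE_ZONE)):
        print("CNAME and other data at", owner)
```

The only conflict the sample reports is the apex, which is exactly why the request cannot be granted: the SOA and NS are mandatory there, so a CNAME can never coexist with them, while www keeps working as an alias because nothing else is defined under that name.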
Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting
> One example in closing for ya, go try and get an RFC compliant Bind server to respond to a request for name resolution on a host that has an _ (underscore) in the name. MS allows this, and a zone transfer of this kinda stuff between an MS Server and a Bind server can give you MUCH grief!

It will be noisy but it won't fail with default settings. You can tell named not to complain. See check-names.

	check-names master fail;
	check-names slave warn;
	check-names response ignore;

Mark

> Good luck!!
>
> wiskbr...@hotmail.com wrote in message news:bay133-w543f0f7a46c3153066cf86b4...@phx.gbl...
> > Hello;
> >
> > My site is presently using a product derived from BIND-8 for internal DNS only. For years our Windows team has been arguing that they want to be non-dependent on the non-MS DNS servers; which they say causes them much grief on firmwide shutdown/bootups. Well, their concerns have fallen on the ears of those who can make that decision and it now appears as though we must either come up with good reasons why we should retain BIND, or a BIND derived product, or simply a plan to allow MSDNS and BIND to coexist at all.
> >
> > Can anyone provide me, or point me at, any good docs on this subject? I am certain that there are tons of stuff out there; I need simple, to the point type of stuff.
> >
> > Also, can anyone think of any good reason why our internal, non-public accessible network should not just be allowed to run a mixed BIND/MS-DNS setup? The slave/cache/whatever - but not master - would have to be BIND. The case the windows team made was ease of adding entries: you simply add into the MMC, or even easier, when you join a host into a domain, it adds itself.
> >
> > Thanks all,
> > .vp
Re: loads of Query denied... is it an attack or a misconfiguration ?
Please go read the list archives.

Mark
Re: loads of Query denied... is it an attack or a misconfiguration ?
In message f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com, Thomas Manson writes:

The subject matter has been discussed in lots of detail over the last month. Go read the archives of the mailing list.

Mark
Re: loads of Query denied... is it an attack or a misconfiguration ?
In message f43eb7e60902101621y66133c17lc46a1df451f1b...@mail.gmail.com, Thomas Manson writes:

> That's some awesome answer... (did you get helped to elaborate it?)
>
> equivalent : google is your friend, search the RFCs

Feeding the error message into Google would have given you lots of relevant information.

	query (cache) './NS/IN' denied

I didn't want to start yet another debate about what is the right thing to do.

Mark

> Then... read the list archives... I guess I can spend the next ten years if I read it from the beginning
>
> Could you give any clue of what to look for?
>
> I believed I was on the bind mailing list; a mailing list is where you usually get some help... isn't it?
>
> Thomas.
>
> On Wed, Feb 11, 2009 at 00:52, Thomas Manson dev.mansontho...@gmail.com wrote:
> > On Wed, Feb 11, 2009 at 00:51, Mark Andrews mark_andr...@isc.org wrote:
> > > Please go read the list archives.
> > >
> > > Mark
Re: Strange results from dnssec-dsfromkey
Looks like a silly bug that will be simple to fix.

In message prayer.1.3.1.0902161618270.29...@hermes-2.csi.cam.ac.uk, Chris Thompson writes:

> I don't understand the results I am getting from dnssec-dsfromkey (BIND 9.6.0-P1, Solaris 10_x86, Sun Studio 10 C compiler). For instance:
>
> $ /usr/local/sbin/dnssec-keygen -a RSASHA1 -b 512 -n ZONE -f KSK test
> Ktest.+005+21283
> $ cat Ktest.+005+21283.key
> test. IN DNSKEY 257 3 5 AwEAAbmcz5O8AzmbwidEoTMkHbaDhr0EfqKsq6WUyXWn5icJgqMTEoBO T03sgCEDXvnMUNthrV6vBIW9sINCLHzrAJc=
> $ /usr/local/sbin/dnssec-dsfromkey Ktest.+005+21283
> test. IN DS 26153 5 1 4DB6296434AA1E9C95C6B68AC1A325AFF2BF856A
> test. IN DS 61367 154 2 7733D6D7F56602BB709BE521AFB861AEAF522E1A1946AF788EC994C8 259D3882
> $ /usr/local/sbin/dnssec-dsfromkey -1 Ktest.+005+21283
> test. IN DS 26153 5 1 4DB6296434AA1E9C95C6B68AC1A325AFF2BF856A
> $ /usr/local/sbin/dnssec-dsfromkey -2 Ktest.+005+21283
> test. IN DS 32741 47 2 344D72A40621EF9F6C6FF665B6CAA8E6165928E0AA33074668668C88 8364E27F
>
> In that case the SHA256 records are inconsistent, but at least the SHA1 ones came out the same each time...
>
> $ /usr/local/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -f KSK test
> Ktest.+005+45172
> koala:~:2.2166$ cat Ktest.+005+45172.key
> test. IN DNSKEY 257 3 5 AwEAAd0QNMsmSdlyOmMCQX95VS/cOVCK18PorGVmpptTz/pZaCKuErxT RLNEnJb1qDw7HoFu2uSs40YhiqI4p/gyBwcK Tj3qr+hGLqX1+zQ6Gf5T SQJEMysWgmFrsqxaUx5M1V1HykprwP+td1rTUPktsrRX3y9JhftYjgCr jlxhz2x1
> koala:~:2.2167$ /usr/local/sbin/dnssec-dsfromkey Ktest.+005+45172
> test. IN DS 57820 5 1 4154C73FB7759E846C90092E8EF5CE16FB2630C3
> test. IN DS 361 36 2 1F88F1C881EA4353C838C56837161A1719B03CE57FA74015CACD3611 9BC82F22
> koala:~:2.2168$ /usr/local/sbin/dnssec-dsfromkey -1 Ktest.+005+45172
> test. IN DS 57820 5 1 B05B7CD38865DED8B4C2F3360764DFF6B3C7C86C
> koala:~:2.2169$ /usr/local/sbin/dnssec-dsfromkey -2 Ktest.+005+45172
> test. IN DS 60190 254 2 85FEA41A86A84F76E067180884E8A86943870F8FE0554DE81E834306 92EE1DEF
>
> ... but this time the SHA1 digests come out differently as well!
>
> Does dnssec-dsfromkey behave properly for others?
>
> --
> Chris Thompson
> Email: c...@cam.ac.uk
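A way to cross-check a DS-generating tool when, as above, it prints different key tags, algorithm numbers and digests from one run to the next: compute the DS yourself from the DNSKEY. This is an added example and not ISC's dnssec-dsfromkey; it implements the key tag from RFC 4034 Appendix B and the DS digest (SHA-1 and SHA-256 over the canonical owner name followed by the DNSKEY RDATA) from RFC 4034 section 5.1.4. The 512-bit DNSKEY for test. is copied from the post; the short key used in the self-check is constructed and is not a real RSA key.

```python
"""Compute DS records from a DNSKEY yourself (RFC 4034 section 5.1.4 and
Appendix B), to cross-check a tool that, as in the post above, emits different
key tags, algorithm numbers and digests on successive runs. Added example, not
ISC's dnssec-dsfromkey. The DNSKEY for test. is copied from the post; the short
key used in the self-check is constructed and is not a real RSA key."""
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash


def name_to_wire(owner):
    """Canonical wire form of an owner name: lower-case labels, length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    wire = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key.
    Whitespace in the base64 (line wrapping in the key file) is ignored."""
    key = base64.b64decode("".join(public_key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry
    folded back in (not valid for algorithm 1, RSAMD5, which uses another rule)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, public_key_b64, digest_types=(1, 2)):
    """One DS presentation line per digest type. The digest covers
    owner-name-wire || DNSKEY RDATA, so the same input must give the same
    output every time, and the tag and algorithm must match the DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    tag = key_tag(rdata)
    lines = []
    for dtype in digest_types:
        digest = DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
        lines.append("%s IN DS %d %d %d %s" % (owner, tag, algorithm, dtype, digest))
    return lines


# The 512-bit KSK from the post. dnssec-keygen named its file Ktest.+005+21283,
# i.e. the tag it computed was 21283 and the algorithm 5; a correct DS line for
# this key has to carry the same two numbers, whichever digest type is chosen.
POST_KEY_B64 = ("AwEAAbmcz5O8AzmbwidEoTMkHbaDhr0EfqKsq6WUyXWn5icJgqMTEoBO"
                "T03sgCEDXvnMUNthrV6vBIW9sINCLHzrAJc=")

if __name__ == "__main__":
    for line in ds_records("test.", 257, 3, 5, POST_KEY_B64):
        print(line)
```

Two properties make this useful as a check rather than a replacement: the same DNSKEY must always produce the same DS line for a given digest type (the post shows the tool violating this), and the tag and algorithm in the DS must equal the ones in the DNSKEY's own file name, which the post's output also fails for the SHA-256 lines.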
Re: adb.c:1526: INSIST(find-adbname == ((void *)0)) failed
In message 1234867921.16690.43.ca...@d410-heron, Niall O'Reilly writes:

> On Mon, 2009-02-16 at 12:17 +1100, Mark Andrews wrote:
> > It should be unrelated. I would however still upgrade.
>
> Thanks, Mark. If I don't see the same assertion failure with the current release, I guess that's closed.
>
> One advantage of upgrading is getting all those nice log entries reporting EDNS faults. 8-)

No. You get log entries reporting TIMEOUTS. Using EDNS is only one possible reason for the timeout and it is one we have control over, so that is why it is mentioned.

Mark

> /Niall
Re: NOTAUTH on dynamic zone update
In message gnalak$f1...@news.motzarella.org, Benedikt Gollatz writes:

> Hello everyone,
>
> I use nsupdate to dynamically update a reverse lookup zone hosted by my BIND9 setup. For that purpose, I've created host-type HMAC-MD5 keys, added an appropriate key section to my configuration, added the updating host to the controls section, and added an allow-update parameter to the zone configuration like this:
>
> zone [...] in {
> 	type master;
> 	[...]
> 	allow-update { key key-name; };
> };
>
> I pass the key to nsupdate using one (either) of the keyfiles generated by dnssec-keygen with the -k parameter. Unfortunately this doesn't work. When running nsupdate, I get a "failed: not authoritative for update zone (NOTAUTH)" error in my server log file, and no updating is done.

The zone section in the update message does NOT match a master/slave zone configured in the view that the update message matched.

Mark

> I'm confused about the error message because both the BIND configuration file and the SOA record of the zone state that the server indeed is authoritative for the update zone. Also, this configuration works fine with a dhcpd updating a different zone hosted by the same server.
>
> Googling yields a few people with similar problems but no real solution. Any hints on what I might be doing wrong are appreciated.
>
> Benedikt
Re: Catch ALL Setup
In message 1234976434.12081.26.ca...@d410-heron, Niall O'Reilly writes:

> On Wed, 2009-02-18 at 16:19 +1100, Mark Andrews wrote:
> > $ORIGIN .
> > @	0 SOA ...
> > @	0 NS ...
> > *	0 A 1.2.3.4
>
> That may be too minimal. I found I needed a couple of extra wildcard records.
>
> $ORIGIN .
> @	IN SOA	. bit-bucket.ucd.ie. (
> 		2009021302	; serial
> 		14400		; Refresh - 4 hours
> 		7200		; Retry - 2 hours
> 		1209600		; Expire - 14 days
> 		1800 )		; Neg. Caching - 30 minutes
> ;
> @	IN NS	captive.ucd.ie.
> ;
> ; Over-ride wildcard for captive.ucd.ie
> captive.ucd.ie.	IN TXT	"Unaddressable"
> ;
> ; Target for all name resolution
> netreg.ucd.ie.	IN A	137.43.116.32
> ;
> ; Wildcard alias
> *	IN CNAME	netreg.ucd.ie.
> ;
> ; Wildcards otherwise masked by empty non-terminals
> *.ie.	IN CNAME	netreg.ucd.ie.
> *.ucd.ie.	IN CNAME	netreg.ucd.ie.
>
> /Niall

Well, if you want to go to such a complicated setup then yes, you need to add the extra wildcards. You also need to add additional address records, which you are missing, for ie and ucd.ie.

The OP said that *everything* had to resolve to the one address. Everything includes the nameserver. The only thing that doesn't resolve is the root, and I think one can get by without that resolving to an address.

Mark
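Why Niall needed the extra wildcards and why Mark says ie and ucd.ie still need address records, shown by running RFC 4592 wildcard matching over the zone above. This is an added example, not BIND code: it implements the closest-encloser rule, including empty non-terminals (names that exist only because something below them exists, here ie. and ucd.ie. because of captive.ucd.ie.). The zone contents are transcribed from the thread; the query names are constructed.

```python
"""RFC 4592 wildcard synthesis, including the empty non-terminal effect that
made Niall add *.ie. and *.ucd.ie. above. Added example, not BIND code; the zone
data is transcribed from the thread (netreg.ucd.ie., captive.ucd.ie., 137.43.116.32)
and the query names are constructed."""

# owner name -> list of (type, rdata); names absolute and lower-case.
MINIMAL_ZONE = {
    ".": [("SOA", ". bit-bucket.ucd.ie. 2009021302 14400 7200 1209600 1800"),
          ("NS", "captive.ucd.ie.")],
    "captive.ucd.ie.": [("TXT", "Unaddressable")],
    "netreg.ucd.ie.": [("A", "137.43.116.32")],
    "*.": [("CNAME", "netreg.ucd.ie.")],
}

# Niall's extra wildcards under the empty non-terminals ie. and ucd.ie.
EXTENDED_ZONE = dict(MINIMAL_ZONE)
EXTENDED_ZONE["*.ie."] = [("CNAME", "netreg.ucd.ie.")]
EXTENDED_ZONE["*.ucd.ie."] = [("CNAME", "netreg.ucd.ie.")]


def canon(name):
    return name.lower().rstrip(".") + "."


def parent(name):
    labels = [l for l in name.split(".") if l]
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def node_exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal, i.e. an
    ancestor of some owner name (RFC 4592 section 2.2.2). captive.ucd.ie. makes
    both ucd.ie. and ie. exist even though neither owns any record."""
    if name in zone:
        return True
    for owner in zone:
        n = owner
        while n != ".":
            n = parent(n)
            if n == name:
                return True
    return False


def answer_from(rrs, qtype, synthesized):
    """Answer at an existing node: the exact type, else a CNAME, else NODATA."""
    match = [rd for t, rd in rrs if t == qtype]
    cname = [rd for t, rd in rrs if t == "CNAME"]
    prefix = "SYNTH-" if synthesized else ""
    if match:
        return (prefix + "NOERROR", match)
    if cname and qtype != "CNAME":
        return (prefix + "CNAME", cname)
    return ("NODATA", [])


def lookup(zone, qname, qtype):
    """Resolve qname/qtype against zone the way an authoritative server does."""
    qname = canon(qname)
    # 1. The name exists (possibly only as an empty non-terminal): no wildcard
    #    is consulted, so an empty non-terminal answers NODATA, not the wildcard.
    if node_exists(zone, qname):
        return answer_from(zone.get(qname, []), qtype, synthesized=False)
    # 2. Closest encloser: the longest existing ancestor of qname.
    encloser = parent(qname)
    while not node_exists(zone, encloser):
        encloser = parent(encloser)
    # 3. The only wildcard that can match is '*' directly under the closest
    #    encloser; a wildcard higher up (here '*.') is masked by it.
    source = "*." if encloser == "." else "*." + encloser
    if source in zone:
        return answer_from(zone[source], qtype, synthesized=True)
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for zone_name, zone in (("minimal", MINIMAL_ZONE), ("extended", EXTENDED_ZONE)):
        for q in ("www.example.com.", "foo.ucd.ie.", "ucd.ie.", "captive.ucd.ie."):
            print(zone_name, q, lookup(zone, q, "A"))
```

With only the root wildcard, foo.ucd.ie. is NXDOMAIN because its closest encloser is the empty non-terminal ucd.ie. and there is no *.ucd.ie.; adding Niall's wildcards fixes that, but ucd.ie. and ie. themselves still answer NODATA for A (they exist, so no wildcard applies), and captive.ucd.ie. has no address either, which is Mark's point about the nameserver.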
Re: bind 9.60p1 on solaris 10
In message 937393c4-77a8-4dba-8a4f-14560c25c...@o11g2000yql.googlegroups.com, SN writes:

> Hi Group.
>
> libcrypto.so.0.9.8 is not being found as a link library. Trying to run in a chroot'ed environment on solaris 10 (core install). Kindly advise.

Install the package that includes OpenSSL.

> r...@qdc-dns2(bash-3.0)/dns/chroot/usr/local/sbin# ldd /dns/chroot/usr/local/sbin/named
> 	libcrypto.so.0.9.8 =>	 (file not found)
> 	libnsl.so.1 =>	 /usr/lib/libnsl.so.1
> 	libnsl.so.1 (SUNW_1.9.1) =>	 (version not found)
> 	libsocket.so.1 =>	 /usr/lib/libsocket.so.1
> 	libscf.so.1 =>	 /usr/lib/libscf.so.1
> 	libpthread.so.1 =>	 /usr/lib/libpthread.so.1
> 	libthread.so.1 =>	 /usr/lib/libthread.so.1
> 	libxml2.so.2 =>	 /usr/lib/libxml2.so.2
> 	libz.so.1 =>	 /usr/lib/libz.so.1
> 	libm.so.2 =>	 /usr/lib/libm.so.2
> 	libc.so.1 =>	 /usr/lib/libc.so.1
> 	libmp.so.2 =>	 /lib/libmp.so.2
> 	libmd.so.1 =>	 /lib/libmd.so.1
> 	libdoor.so.1 =>	 /lib/libdoor.so.1
> 	libuutil.so.1 =>	 /lib/libuutil.so.1
> 	libgen.so.1 =>	 /lib/libgen.so.1
> 	/platform/SUNW,Serverblade1/lib/libc_psr.so.1
> 	/platform/SUNW,Serverblade1/lib/libmd_psr.so.1
> r...@qdc-dns2(bash-3.0)/dns/chroot/usr/local/sbin# /etc/init.d/dns start
> ld.so.1: named: fatal: libcrypto.so.0.9.8: open failed: No such file or directory
> Killed
>
> Kind Regards,
> -Sajed Naseem
Re: Question re separating caching and authoritative servers
In message d6e873fbd84699096e9d6cf291634...@cornell.edu, John Wobus writes:

> What are the good ways to let your local caching server serve your own site's data even after a caching-server reboot during an Internet outage? If the caching server locates your own authoritative data through normal delegation channels, and cannot reach the roots and TLDs, then your own local clients could be unable to resolve names of local servers, etc.
>
> Any especially good or bad practices? Things that have worked well or poorly? Right now, I'm leaning toward having the caching server transfer key zones.

That's reasonable. The other alternative is to set up stub zones, which short circuit the resolution process.

> John Wobus
Re: client query logging (refused message)
In message b8cf98c8-86d0-42df-95a4-e98a65cab...@i15g2000pro.googlegroups.com, asd...@gmail.com writes:
> 62.109.4.89 and 195.68.176.4 are compromised/attackers

Actually they are more likely to be under attack. Make sure that you (and your ISP) have deployed the measures in BCP 38 to ensure that you are not the source of such an attack.

Mark

> See my post here: http://www.linuxforums.org/forum/redhat-fedora-linux-help/140848-var-log-messages-question.html
>
> Sample log entries:
>
> Feb 19 08:24:17 asdlkf named[6459]: client 62.109.4.89#32721: query (cache) './NS/IN' denied
> Feb 19 08:24:18 asdlkf named[6459]: client 195.68.176.4#25853: query (cache) './NS/IN' denied
>
> Frequency: 40 to 90 queries from those hosts per minute.
>
> --
> Chris
>
> On Feb 17, 2:19 pm, JINMEI Tatuya jinmei_tat...@isc.org wrote:
>> At Tue, 17 Feb 2009 08:15:39 -0500, Matthew Huff mh...@ox.com wrote:
>>> 17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view external-in: query: . IN NS +
>>> ... logged, and I have verified that the query is refused, but nothing in the log shows that it was refused. Is there anyway to log the success/failure of the queries?
>>
>> Not yet, but BIND 9.7 (and perhaps next minor versions of 9.6 and 9.5) will provide a new logging category that can log the information you seem to want:
>>
>> 17-Feb-2009 14:15:45.998 debug 3: client ::1#50076: query failed (REFUSED) for ./IN/NS at query.c:3887
>>
>> ---
>> JINMEI, Tatuya
>> Internet Systems Consortium, Inc.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: empty DoS queries
I suspect you have a broken application on 10.48.0.19.

Mark

In message 70fo2df49pf...@mid.individual.net, Frank Kirschner writes:
> Hello,
>
> since last night we log empty queries (approx. 4000 per second) like this from a client in our LAN:
>
> 23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.523 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.524 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.525 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.527 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.531 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.533 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
>
> Additionally there are also such log entries (approx. 4000 per second):
>
> 23-Feb-2009 14:05:56.464 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.470 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.483 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.489 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.500 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.508 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.517 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.521 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.533 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.539 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.546 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.558 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.565 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.572 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.584 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.591 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
>
> What could be the reasons for it? Should I investigate and limit the packet flow by iptables/netfilter on port 53 of my BIND 9, actual release for Centos 5.2
>
> best regards
> Frank

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
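Both this thread and the one above about the refused './NS/IN' queries (40 to 90 per minute from two hosts) come down to the same operational task: spotting an abnormal per-client query rate in named's log and looking at what is being asked. The following is an added example, not code from either poster or from BIND: a small Python parser for the two log shapes quoted (the syslog "query (cache) ... denied" line and the "queries" category line, in which an empty question name is printed as \(none\)), bucketing events per client and minute and flagging rate excursions and empty names. The sample log lines are constructed to look like the quoted ones, and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class QueryEvent:
    minute: str    # aggregation bucket, e.g. "Feb 19 08:24"
    client: str    # source address exactly as named logged it
    qname: str     # "" when the question name was empty, "." for the root
    qtype: str
    denied: bool   # True for the 'query (cache) ... denied' shape


# Shape 1: syslog line for a refused recursive query (the './NS/IN' denied thread).
SYSLOG_DENIED = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):\d\d "
    r"\S+ named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^/']*)/(?P<qtype>[A-Z0-9]+)/[A-Z]+' denied$"
)

# Shape 2: 'queries' category line (this thread); the qname is written with
# backslash escapes, so an empty name appears as \(none\).
NAMED_QUERIES = re.compile(
    r"^(?P<day>\d\d)-(?P<mon>[A-Z][a-z]{2})-\d{4} (?P<hh>\d\d):(?P<mm>\d\d):\d\d\.\d+ "
    r"queries: info: client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) [A-Z]+ (?P<qtype>[A-Z0-9]+)"
)


def parse_line(line: str) -> Optional[QueryEvent]:
    """Return a QueryEvent for either log shape, None for anything else."""
    m = SYSLOG_DENIED.match(line)
    denied = m is not None
    if m is None:
        m = NAMED_QUERIES.match(line)
        if m is None:
            return None
    qname = m.group("qname").replace("\\", "")
    if qname == "(none)":
        qname = ""
    minute = f"{m.group('mon')} {int(m.group('day')):02d} {m.group('hh')}:{m.group('mm')}"
    return QueryEvent(minute, m.group("ip"), qname, m.group("qtype"), denied)


def parse_log(lines: Iterable[str]) -> List[QueryEvent]:
    return [ev for ev in map(parse_line, lines) if ev is not None]


Finding = Tuple[str, str, str, int]   # client, minute, reason, count


def findings(events: Iterable[QueryEvent], denied_per_minute: int = 30,
             empty_per_minute: int = 10) -> List[Finding]:
    """Flag (client, minute) buckets whose refused-query or empty-qname count reaches
    the thresholds. The thresholds are assumptions, not BIND defaults."""
    events = list(events)
    denied = Counter((ev.client, ev.minute) for ev in events if ev.denied)
    empty = Counter((ev.client, ev.minute) for ev in events if ev.qname == "")
    out: List[Finding] = []
    out += [(c, m, "refused-query-rate", n) for (c, m), n in denied.items() if n >= denied_per_minute]
    out += [(c, m, "empty-qname-rate", n) for (c, m), n in empty.items() if n >= empty_per_minute]
    return sorted(out)


# Constructed sample log, shaped like the lines quoted in the two threads.
SAMPLE_LOG = (
    [f"Feb 19 08:24:{s:02d} asdlkf named[6459]: client 62.109.4.89#{32700 + s}: "
     f"query (cache) './NS/IN' denied" for s in range(40)]
    + [f"Feb 19 08:24:{s:02d} asdlkf named[6459]: client 195.68.176.4#25853: "
       f"query (cache) './NS/IN' denied" for s in range(5)]
    + [f"23-Feb-2009 13:20:15.{500 + i:03d} queries: info: client 10.48.0.19#2048: "
       f"query: \\(none\\) IN A +" for i in range(12)]
    + [f"23-Feb-2009 13:20:16.{100 + i:03d} queries: info: client 10.48.0.19#2048: "
       f"query: luca.inetgate.net IN A +" for i in range(3)]
    + ["Feb 19 08:24:17 asdlkf named[6459]: unrelated message the parser must skip"]
)


def analyse(lines: Iterable[str] = SAMPLE_LOG, denied_per_minute: int = 30,
            empty_per_minute: int = 10) -> List[Finding]:
    return findings(parse_log(lines), denied_per_minute, empty_per_minute)


if __name__ == "__main__":
    for client, minute, reason, n in analyse():
        print(f"{minute}  {client:<16} {reason:<20} {n:>5}/min")
```

Read the two findings differently, as Mark does in the threads: a burst of refused root-NS queries from an outside address usually means that address is the spoofed victim, so the output is input for a BCP 38 conversation with your ISP, while a burst of empty names from an inside address points at a broken application on that host.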
Re: Hostname Naming Compliance
In message 49a3a09a.2000...@blue-labs.org, David Ford writes:
> Here's a question. Are we incapable of dealing with things like underscores in hostnames? Is there any significant harm in adapting?

When does it stop? What will be the next character you just have to have? At the moment you have 1 inter label separator and 1 intra label separator. That should be enough for anyone.

Additionally underscore is used in names in the DNS to keep those names out of the hostname namespace.

Mark

> -david

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: EDNS - edns-udp-size and max-udp-size
In message 200902240828.n1o8slln027...@mail42.nsc.no, Jan Arild Lindstrøm writes:
> How can it reduce it from 512 that is in the config, down to 512?

The code just looks at the number of timeouts not at what size was sent in the initial query. triededns512() records when the DNS_FETCHOPT_EDNS512 has been set not when the initial query advertised a receive buffer of 512 bytes.

        if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
             fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
            (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
                query->options |= DNS_FETCHOPT_NOEDNS0;
                fctx->reason = "disabling EDNS";
        } else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
                    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
                   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
                query->options |= DNS_FETCHOPT_EDNS512;
                fctx->reason = "reducing the advertised EDNS UDP packet size to 512 octets";
        }

> I was expecting to see only "after disabling EDNS" messages after setting the size(s) to 512.
>
> It seems to me that max-udp-size and/or edns-udp-size does not do what I want, which is to use 512 bytes packets.

max-udp-size controls the size of packets you send. edns-udp-size controls the size of packets you receive. A packet trace should show you that they are working as you won't see UDP packets over 512 bytes in either direction if you have that set.

What you need to find out is what is causing the packet loss. Even with a clear EDNS path you will see some of these logged as not all timeouts are due to EDNS issues.

Mark

> OS: Solaris 10 (SunOS 5.10 13-01)
> BIND: 9.6.0-P1, threaded.
>
> Regards
> Jan Arild Lindstrøm

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
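The point Mark makes, that the fallback rule consults only the timeout counter and the per-server triededns()/triededns512() bookkeeping and never the size the query advertised, is easiest to see by driving the rule through a few timeouts. The following Python model is an added example, not BIND's code: it transcribes the rule quoted above, records triededns512() as Mark describes it (set once a query carrying DNS_FETCHOPT_EDNS512 has gone to the server) and, as an assumption, models triededns() the same way for plain EDNS queries. The value 3 for MAX_EDNS0_TIMEOUTS and the option bit values are assumptions too; the sequence of logged reasons does not depend on them.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumption: the resolver's MAX_EDNS0_TIMEOUTS; any small positive value shows the same thing.
MAX_EDNS0_TIMEOUTS = 3

# Option bits, named as in the quoted snippet (the values here are ours).
DNS_FETCHOPT_EDNS512 = 0x01
DNS_FETCHOPT_NOEDNS0 = 0x02

REASON_512 = "reducing the advertised EDNS UDP packet size to 512 octets"
REASON_NOEDNS = "disabling EDNS"


@dataclass
class FetchContext:
    """What the rule consults: a fetch-wide timeout counter plus the per-server
    sets behind triededns() and triededns512()."""
    timeouts: int = 0
    tried_edns: Set[str] = field(default_factory=set)
    tried_edns512: Set[str] = field(default_factory=set)


def advertised_size(options: int, edns_udp_size: int) -> Optional[int]:
    """Buffer size the OPT record announces for a query sent with `options`; None when
    EDNS is off. edns-udp-size only matters while neither fallback bit is set."""
    if options & DNS_FETCHOPT_NOEDNS0:
        return None
    return 512 if options & DNS_FETCHOPT_EDNS512 else edns_udp_size


def record_attempt(fctx: FetchContext, server: str, options: int) -> None:
    """Bookkeeping when a query goes out: triededns512() becomes true once a query
    with DNS_FETCHOPT_EDNS512 was sent (per the thread); triededns() is modelled the
    same way for plain EDNS queries (assumption)."""
    if options & DNS_FETCHOPT_NOEDNS0:
        return
    if options & DNS_FETCHOPT_EDNS512:
        fctx.tried_edns512.add(server)
    else:
        fctx.tried_edns.add(server)


def on_timeout(fctx: FetchContext, server: str, options: int) -> Tuple[int, Optional[str]]:
    """One more timeout against `server`: the quoted fallback rule, transcribed.
    Returns the new option bits and the reason named would log, if any."""
    fctx.timeouts += 1
    if ((server in fctx.tried_edns512 or fctx.timeouts >= MAX_EDNS0_TIMEOUTS * 2)
            and not options & DNS_FETCHOPT_NOEDNS0):
        return options | DNS_FETCHOPT_NOEDNS0, REASON_NOEDNS
    if ((server in fctx.tried_edns or fctx.timeouts >= MAX_EDNS0_TIMEOUTS)
            and not options & DNS_FETCHOPT_NOEDNS0):
        return options | DNS_FETCHOPT_EDNS512, REASON_512
    return options, None


def retry_trace(edns_udp_size: int = 4096, attempts: int = 4, prior_timeouts: int = 0,
                server: str = "ns1.example") -> List[Tuple[Optional[int], Optional[str]]]:
    """Query one server `attempts` times, timing out each time; return per attempt the
    size that query advertised and the reason logged after its timeout."""
    fctx = FetchContext(timeouts=prior_timeouts)
    options = 0
    trace = []
    for _ in range(attempts):
        size = advertised_size(options, edns_udp_size)
        record_attempt(fctx, server, options)
        options, reason = on_timeout(fctx, server, options)
        trace.append((size, reason))
    return trace


if __name__ == "__main__":
    for size in (4096, 512):
        print(f"edns-udp-size {size}:")
        for advertised, reason in retry_trace(size):
            print(f"  advertised {advertised!s:>5} -> {reason}")
```

With edns-udp-size 512 the first timeout still logs "reducing ... to 512 octets" for a query that already advertised 512, which is exactly the message Jan found puzzling; only the next timeout, once triededns512() is true for that server, disables EDNS. The fetch-wide counter path is visible too: a server first tried after enough earlier timeouts in the same fetch skips straight to "disabling EDNS".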
Re: EDNS - edns-udp-size and max-udp-size
In message 20090225002133.gb99...@isc.org, Evan Hunt writes:
>> The code just looks at the number of timeouts not at what size was sent in the initial query. triededns512() records when the DNS_FETCHOPT_EDNS512 has been set not when the initial query advertised a receive buffer of 512 bytes.
>
> But, if the initial query uses a receive buffer of 512 bytes or less, can't we just set DNS_FETCHOPT_EDNS512 straight off and save a step?
>
> eh

One could but, as was evident from the logs, it would cause named to switch back to plain DNS more often when it didn't need to.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: how to create a private test. zone?
> : ;example.test.                 IN      A
>
> ;; ANSWER SECTION:
> example.test.           86400   IN      A       192.168.2.10
>
> ;; AUTHORITY SECTION:
> example.test.           86400   IN      NS      plesk.test.
>
> ;; Query time: 2 msec
> ;; SERVER: 192.168.2.10#53(192.168.2.10)
> ;; WHEN: Sun Mar  1 10:41:43 2009
> ;; MSG SIZE  rcvd: 66
>
> What I'm doing wrong in the delegation, and how can I fix it?
>
> My network diagram is:
>
>                    +-----+
>                    | isp |
>                    +-----+ 10.0.2.3 (DNS)
>                       |
>                 ------+------ 10/24
>                       |
>                    +-----+ 10.0.2.15
>                    | sun |                 +-------+
>                    +-----+ 192.168.2.1     | plesk |
>                       |                   +-------+ 192.168.2.10
>                       |                       |
>                 ------+-----------------------+------ 192.168.2/24
>
> isp    my ISP DNS server host.
> sun    my local DNS server host that hosts the test. zone.
>        NB: this is a recursive server.
>        NB: it also forwards to isp dns server.
>        NB: local resolv.conf points to 192.168.2.1
> plesk  my other local DNS server host that hosts the example.test. zone.
>        NB: this is an authoritative server only.
>        NB: local resolv.conf points to 192.168.2.1
>
> This is what the Sun DNS server has about the test. zone:
>
> $TTL 10m        ; default TTL
> $ORIGIN test.   ; base domain-name
> @       IN SOA  sun hostmaster (
>                 2008042800 ; serial
>                 10m        ; refresh
>                 15m        ; retry
>                 3w         ; expire
>                 10m        ; minimum
>                 )
>         IN NS   sun
> sun     IN A    192.168.2.1
> plesk   IN A    192.168.2.10
> ; delegate example.test. to plesk.test.
> example IN NS   plesk
> ;example IN A   192.168.2.10
>
> And this is what the Plesk DNS server has about the example.test. zone:
>
> @ IN SOA plesk.test. ironman.example.test. (
>         1235830200 ; Serial
>         10800      ; Refresh
>         3600       ; Retry
>         604800     ; Expire
>         10800 )    ; Minimum
> example.test.   IN NS   plesk.test.
> example.test.   IN A    192.168.2.10
>
> If you need more information, please let me know. Thanks!
>
> Best regards,
> Rui Lopes

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: BIND 9 and BIND 8 issue
In message 397019c15b5a45899bb02b1b212e1...@bradon, bradonkuo writes:
> Dear all bind users,
>
> I am new to manage 3 BIND 9 servers, lately, I got some complaints about users cannot connect to some websites while they use our BIND 9 servers, this issue will be solved if they use other ISP's BIND 8 servers, one example is as below. Can we modify any configurations of BIND 9 server to solve this issue so that users don't need to change anything?
>
> Sincerely,
> Bradon Kuo from Taiwan, Taipei
>
>     > lserver 168.95.1.1
>     Default Server:  dns.hinet.net
>     Address:  168.95.1.1
>     > www.hangan.org.tw
>     Server:  dns.hinet.net
>     Address:  168.95.1.1
>     Non-authoritative answer:
>     Name:    www.hangan.org.tw
>     Address:  211.21.92.25
>     > lserver 163.21.249.166
>     Default Server:  dns.tp.edu.tw
>     Address:  163.21.249.166
>     > www.hangan.org.tw
>     Server:  dns.tp.edu.tw
>     Address:  163.21.249.166
>     DNS request timed out.
>         timeout was 2 seconds.
>     DNS request timed out.
>         timeout was 2 seconds.
>     *** Request to dns.tp.edu.tw timed-out

Depending upon how old the BIND 8 server is it may be promoting the glue below to answer.

I can't get any response out of the nameserver itself. tcpdump shows queries going out and no responses coming back. Either the nameserver is dead or it is firewalled off.

Try asking for the MX record at both servers and see if you get a response. This requires the other ISP to query the nameserver rather than rely on glue.

Mark

; <<>> DiG 9.7.0pre-alpha <<>> www.hangan.org.tw @c.twnic.net.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34204
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.hangan.org.tw.             IN      A

;; AUTHORITY SECTION:
hangan.org.tw.          86400   IN      NS      www.hangan.org.tw.
hangan.org.tw.          86400   IN      NS      mail.hangan.org.tw.

;; ADDITIONAL SECTION:
www.hangan.org.tw.      86400   IN      A       211.21.92.25
mail.hangan.org.tw.     86400   IN      A       211.21.92.25

;; Query time: 359 msec
;; SERVER: 168.95.192.10#53(168.95.192.10)
;; WHEN: Wed Mar  4 07:36:47 2009
;; MSG SIZE  rcvd: 100

; <<>> DiG 9.3.6-P1 <<>> www.hangan.org.tw @211.21.92.25
;; global options:  printcmd
;; connection timed out; no servers could be reached

07:38:43.523517 211.30.172.21.62657 > 211.21.92.25.53: 27058+ A? www.hangan.org.tw. (35)
07:38:48.543936 211.30.172.21.62657 > 211.21.92.25.53: 27058+ A? www.hangan.org.tw. (35)
07:38:53.566828 211.30.172.21.62657 > 211.21.92.25.53: 27058+ A? www.hangan.org.tw. (35)

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: how to create a private test. zone?
In message 49ace778.6040...@ruilopes.com, Rui Lopes writes:
> Mark Andrews wrote:
>> In message 49ac5d59.1010...@ruilopes.com, Rui Lopes writes:
>>> Hi,
>>>
>>> Ben Bridges wrote:
>>> [...]
>>>> You could try creating example.test as a forward zone in named.conf on your sun server and specifying plesk as the forwarder for that zone.
>>>
>>> Indeed, adding a forward zone like below works! but why does it work? or why is it needed?
>>>
>>>   zone "example.test" {
>>>     type forward;
>>>     // forward only;
>>>     // forwarders { 192.168.2.10; };
>>>   };
>>>
>>> Note that I only needed to include the "type forward" line, the other lines do not seem to be needed. Am I missing something? they aren't really needed? By reading the bind manual it seems we have to include them.
>>
>> You turned off forwarding for that namespace. It's the equivalent of:
>>
>>   zone "example.test" {
>>     type forward;
>>     forwarders { /* empty */ };
>>   };
>>
>> You could have also added it to the test zones config.
>>
>>   zone "test" {
>>     type master;   // or slave
>>                    // or stub
>>     ...
>>     forwarders { /* empty */ };
>>   };
>>
>> Mark
>
> Thanks!
>
> Why isn't bind just following the "example.test. NS plesk.test." RR that is inside the test. zone without removing the forwarders?

Because you have forwarding turned on at the options/view level. Unless you have a special reason (like you can't reach the root servers) that requires forwarding I don't recommend using it.

Mark

> Best regards,
> Rui Lopes

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: Dumping running config/named.conf
bin/tests/cfg_test --named /etc/named.conf

In message 1d8c9a4471119a40bd574f9d8d464ae304bd3...@xch60ykf.rim.net, Todd Snyder writes:
> Good morning,
>
> We utilize a number of include files as part of our named.conf. I am looking to see if there is a clever way to dump the entire named.conf (or, even better, the entire RUNNING named.conf), which includes all the include files.
>
> I say running config, because sometimes you do an rndc reconfig and it rejects some lines, but loads the ones that work. I'd like to be able to dump the running config (like "sh run").
>
> Cheers,
>
> Todd.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: $generate lhs problem. Manual needs to be updated.
In message 1e4079388e04544fa3ffa6a900d6fb65015d7...@exchange.vplsnet.net, Takahiro Masuda writes:
> Hi
>
> I was trying to get the $generate directive to work like so
>
>   11 IN PTR 14.cool.com.
>   30 IN PTR 33.cool.com.
>
>   $GENERATE 11-30 ${3,0,d} PTR $.COOL.COM.

Which doesn't match what you wanted to do.

> I've read the manual here http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#id2566761
>
> ---
> Syntax: $GENERATE range lhs [ttl] [class] type rhs [ comment ]
>
> lhs describes the owner name of the resource records to be created. Any single $ symbols within the lhs side are replaced by the iterator value. To get a $ in the output you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a { immediately following the $ as ${offset[,width[,base]]}. e.g. ${-20,3,d} which subtracts 20 from the current value, prints the result as a decimal in a zero padded field of width 3. Available output forms are decimal (d), octal (o) and hexadecimal (x or X for uppercase). The default modifier is ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended to the name.
>
> For compatibility with earlier versions $$ is still recognized as indicating a literal $ in the output.
> ---
>
> The tricky part is ${3,0,d} was not working. I bumped into a site that stated
>
>   $GENERATE range rhs type lhs
>
> I then tried
>
>   $GENERATE 11-30 $ PTR ${3,0,d}.COOL.COM.
>
> and this worked. Hopefully this will help somebody. Anybody here have the ability to update the manual?

${3,0,d} works on both the left hand side and the right hand side. The same code is called to process both the lhs and the rhs.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: $generate lhs problem. Manual needs to be updated.
In message 49af42f8.9070...@chrysler.com, Kevin Darcy writes:
> Jeremy,
> I don't think the definitions of rhs and lhs are at issue. What apparently led the original poster to the wrong solution initially was the verbiage in the manual stating "Any single *$* symbols within the *lhs* side are replaced by the iterator value", which implies that $ replacement _only_ occurs within the LHS. As Mark confirmed, $ can also occur in the RHS, and in fact that's what was required for the correct solution.
>
> Personally, I wouldn't remove "within the LHS" from the verbiage completely, otherwise someone will undoubtedly complain about not being able to perform a $ replacement in the class, type or TTL fields (users being users :-) But, maybe it could be amended to "within the LHS or RHS"...

The quoted text was taken from a table describing all the elements of a $GENERATE. I don't see how anyone reading the table could say that $ only is valid on the left hand side especially when there are examples above the table showing it on both sides.

Mark

range
    This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. All of start, stop and step must be positive.

lhs
    This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs side are replaced by the iterator value. To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (d), octal (o) and hexadecimal (x or X for uppercase). The default modifier is ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended to the name. For compatibility with earlier versions, $$ is still recognized as indicating a literal $ in the output.

ttl
    Specifies the time-to-live of the generated records. If not specified this will be inherited using the normal ttl inheritance rules. class and ttl can be entered in either order.

class
    Specifies the class of the generated records. This must match the zone class if it is specified. class and ttl can be entered in either order.

type
    At present the only supported types are PTR, CNAME, DNAME, A, and NS.

rhs
    rhs is a domain name. It is processed similarly to lhs.

> Jeremy C. Reed wrote:
>> On Wed, 4 Mar 2009, Takahiro Masuda wrote:
>>> The tricky part is ${3,0,d} was not working. I bumped into a site that stated
>>>
>>>   $GENERATE range rhs type lhs
>>
>> That is wrong.
>>
>>> I then tried
>>>
>>>   $GENERATE 11-30 $ PTR ${3,0,d}.COOL.COM.
>>>
>>> and this worked.
>>>
>>> Anybody here have the ability to update the manual?
>>
>> Yes. But it appears your second try is correct.
>>
>> I can improve the documentation to make sure that it explains the two abbreviations: lhs is left hand side (the label). rhs is the right hand side (the RDATA). Will that work for you?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
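The two $GENERATE threads above turn on one fact Mark states: the iterator substitution, including the ${offset,width,base} modifiers and the \$ and $$ escapes, is applied by the same code to the lhs and the rhs. The following is an added example, not BIND's zone parser: a Python expander for a $GENERATE line that follows the table quoted above (range with optional /step, optional ttl and class in either order, the five supported types, $ORIGIN appended to relative names), so the two directives from the original post can be expanded side by side and their difference seen. The origin used in the main block is constructed for the illustration.

```python
import re
from typing import List

# Name-valued types get $ORIGIN appended like the lhs; A rdata is an address and is
# left alone. The type list is the one in the manual text quoted above.
NAME_TYPES = {"PTR", "CNAME", "DNAME", "NS"}
SUPPORTED_TYPES = NAME_TYPES | {"A"}

# A $ optionally followed by {offset[,width[,base]]}.
_ITER = re.compile(r"\$(?:\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\})?")


def substitute(template: str, value: int) -> str:
    """Replace every iterator reference in `template` with `value`, honouring the
    ${offset,width,base} modifiers and the \\$ and $$ escapes. One routine serves
    both the lhs and the rhs, which is Mark's point in the thread."""
    out: List[str] = []
    i = 0
    while i < len(template):
        if template.startswith("\\$", i) or template.startswith("$$", i):
            out.append("$")          # literal dollar sign
            i += 2
            continue
        if template[i] != "$":
            out.append(template[i])
            i += 1
            continue
        m = _ITER.match(template, i)
        offset = int(m.group(1)) if m.group(1) else 0
        width = int(m.group(2)) if m.group(2) else 0
        base = m.group(3) or "d"     # default modifier is ${0,0,d}
        fmt = f"%0{width}{base}" if width else f"%{base}"
        out.append(fmt % (value + offset))
        i = m.end()
    return "".join(out)


def qualify(name: str, origin: str) -> str:
    """Append $ORIGIN to a relative name, as the zone parser does."""
    if name.endswith("."):
        return name
    if name == "@":
        return origin
    return f"{name}." if origin == "." else f"{name}.{origin}"


def expand_generate(directive: str, origin: str = ".") -> List[str]:
    """Expand one $GENERATE line into the records it stands for, one string each in
    'owner [ttl] [class] type rdata' form."""
    parts = directive.split()
    if len(parts) < 5 or parts[0].upper() != "$GENERATE":
        raise ValueError("expected: $GENERATE range lhs [ttl] [class] type rhs")
    m = re.fullmatch(r"(\d+)-(\d+)(?:/(\d+))?", parts[1])
    if not m:
        raise ValueError(f"bad range {parts[1]!r}: use start-stop or start-stop/step")
    start, stop, step = int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)
    if step == 0 or stop < start:
        raise ValueError("start, stop and step must be positive and stop >= start")
    lhs, rhs = parts[2], parts[-1]
    *fields, rtype = parts[3:-1]      # optional ttl/class in either order, then type
    rtype = rtype.upper()
    if rtype not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported type {rtype}")
    records = []
    for value in range(start, stop + 1, step):
        owner = qualify(substitute(lhs, value), origin)
        rdata = substitute(rhs, value)
        if rtype in NAME_TYPES:
            rdata = qualify(rdata, origin)
        records.append(" ".join([owner, *fields, rtype, rdata]))
    return records


if __name__ == "__main__":
    origin = "2.0.10.in-addr.arpa."                               # constructed origin
    for line in ("$GENERATE 11-30 ${3,0,d} PTR $.COOL.COM.",     # the poster's first try
                 "$GENERATE 11-30 $ PTR ${3,0,d}.COOL.COM."):    # the form that matched the wanted records
        print(line)
        for rec in expand_generate(line, origin)[:2]:
            print("   ", rec)
```

The first directive produces owner 14 pointing at 11.COOL.COM., the second produces owner 11 pointing at 14.COOL.COM., which is why the first "did not match what you wanted to do" even though the modifier was processed correctly in both positions.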
Re: bind 9.6.0-P1's nsupdate dumps core on NetBSD/i386 4.x
In message p05200f70c5d52b51d...@[130.102.20.138], Ray Phillips writes:
> I've built bind 9.6.0-P1 on NetBSD/i386 machines (versions 3.1, 4.0, 4.0.1 and 5.0_RC2) and discovered that nsupdate dumps core on the 4.x ones. The build process was just:
>
> % sh -c './configure --disable-threads > configure.log 2>&1'
> % sh -c 'make > make.log 2>&1'
> % su
> Password:
> # sh -c 'make install > make-install.log 2>&1'
> #
>
> I've also tried without --disable-threads but it made no difference.
>
> % ls -l /usr/local/bin/nsupdate
> -rwxr-xr-x  1 root  wheel  3517495 Mar  5 17:19 /usr/local/bin/nsupdate
> % file /usr/local/bin/nsupdate
> /usr/local/bin/nsupdate: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for NetBSD 4.0, dynamically linked (uses shared libs), not stripped
> % ldd /usr/local/bin/nsupdate
> /usr/local/bin/nsupdate:
>         -lcrypt.0 => /lib/libcrypt.so.0
>         -lcrypto.3 => /usr/lib/libcrypto.so.3
>         -lc.12 => /usr/lib/libc.so.12
> % pwd
> /tmp
> % ls -l
> % /usr/local/bin/nsupdate
> Segmentation fault (core dumped)
> % ls -l
> total 3648
> -rw-------  1 ray  wheel  1846100 Mar  5 17:21 nsupdate.core
> % file nsupdate.core
> nsupdate.core: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), NetBSD-style, from 'nsupdate' (signal 11)
> % gdb nsupdate.core

You need to call gdb correctly.

gdb /usr/local/bin/nsupdate nsupdate.core

> GNU gdb 6.5
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386--netbsdelf".../tmp/nsupdate.core: not in executable format: File format not recognized
> (gdb) quit
> %
>
> It would be nice if it worked on the 4.x versions. Could you suggest what I could do to troubleshoot it please? bind9 9.5.0-P2's nsupdate worked fine on them.
>
> Ray

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: bind 9.6.0-P1's nsupdate dumps core on NetBSD/i386 4.x
In message p05200f72c5d61071b...@[130.102.20.138], Ray Phillips writes: You need to call gdb correctly. gdb /usr/local/bin/nsupdate nsupdate.core Thanks Mark. Sorry, I (obviously) don't have much of a clue about using gdb. Looks like you have hit this bug. 2547. [bug] openssl_link.c:mem_realloc() could reference an out-of-range area of the source buffer. New public function isc_mem_reallocate() was introduced to address this bug. [RT #19313] Mark Index: bind9/CHANGES diff -u bind9/CHANGES:1.2991 bind9/CHANGES:1.2992 --- bind9/CHANGES:1.2991Fri Feb 6 12:33:17 2009 +++ bind9/CHANGES Wed Feb 11 03:04:18 2009 @@ -1,3 +1,8 @@ +2547. [bug] openssl_link.c:mem_realloc() could reference an + out-of-range area of the source buffer. New public + function isc_mem_reallocate() was introduced to address + this bug. [RT #19313] + 2546. [func] Add --enable-openssl-hash configure flag to use OpenSSL (in place of internal routine) for hash functions (MD5, SHA[12] and HMAC). [RT #18815] Index: bind9/lib/dns/openssl_link.c diff -u bind9/lib/dns/openssl_link.c:1.24 bind9/lib/dns/openssl_link.c:1.25 --- bind9/lib/dns/openssl_link.c:1.24 Sat Jan 17 23:47:42 2009 +++ bind9/lib/dns/openssl_link.cWed Feb 11 03:04:18 2009 @@ -148,18 +148,8 @@ static void * mem_realloc(void *ptr, size_t size) { - void *p; - INSIST(dst__memory_pool != NULL); - p = NULL; - if (size 0U) { - p = mem_alloc(size); - if (p != NULL ptr != NULL) - memcpy(p, ptr, size); - } - if (ptr != NULL) - mem_free(ptr); - return (p); + return (isc_mem_reallocate(dst__memory_pool, ptr, size)); } isc_result_t Index: bind9/lib/isc/mem.c diff -u bind9/lib/isc/mem.c:1.147 bind9/lib/isc/mem.c:1.148 --- bind9/lib/isc/mem.c:1.147 Thu Jan 22 23:47:54 2009 +++ bind9/lib/isc/mem.c Wed Feb 11 03:04:18 2009 
@@ -1365,6 +1365,40 @@ return (si); } +void * +isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) { + void *new_ptr = NULL; + size_t oldsize, copysize; + + REQUIRE(VALID_CONTEXT(ctx)); + + /* +* This function emulates the realloc(3) standard library function: +* - if size 0, allocate new memory; and if ptr is non NULL, copy +* as much of the old contents to the new buffer and free the old one. +* Note that when allocation fails the original pointer is intact; +* the caller must free it. +* - if size is 0 and ptr is non NULL, simply free the given ptr. +* - this function returns: +* pointer to the newly allocated memory, or +* NULL if allocation fails or doesn't happen. +*/ + if (size 0U) { + new_ptr = isc__mem_allocate(ctx, size FLARG_PASS); + if (new_ptr != NULL ptr != NULL) { + oldsize = (((size_info *)ptr)[-1]).u.size; + INSIST(oldsize = ALIGNMENT_SIZE); + oldsize -= ALIGNMENT_SIZE; + copysize = oldsize size ? size : oldsize; + memcpy(new_ptr, ptr, copysize); + isc__mem_free(ctx, ptr FLARG_PASS); + } + } else if (ptr != NULL) + isc__mem_free(ctx, ptr FLARG_PASS); + + return (new_ptr); +} + void isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) { size_info *si; Index: bind9/lib/isc/include/isc/mem.h diff -u bind9/lib/isc/include/isc/mem.h:1.80 bind9/lib/isc/include/isc/mem.h:1.81 --- bind9/lib/isc/include/isc/mem.h:1.80Sat Jan 17 23:47:43 2009 +++ bind9/lib/isc/include/isc/mem.h Wed Feb 11 03:04:18 2009 @@ -154,6 +154,7 @@ #define isc_mem_get(c, s) isc__mem_get((c), (s) _ISC_MEM_FILELINE) #define isc_mem_allocate(c, s) isc__mem_allocate((c), (s) _ISC_MEM_FILELINE) +#define isc_mem_reallocate(c, p, s) isc__mem_reallocate((c), (p), (s) _ISC_MEM_FILELINE) #define isc_mem_strdup(c, p) isc__mem_strdup((c), (p) _ISC_MEM_FILELINE) #define isc_mempool_get(c) isc__mempool_get((c) _ISC_MEM_FILELINE) 
@@ -612,6 +613,8 @@ isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG); void * isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG); +void * +isc__mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG); void isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG); char * -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
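Review bot: the openssl_link.c hunk changes the allocation-failure path, not only the copy length. The removed mem_realloc() freed `ptr` unconditionally (`if (ptr != NULL) mem_free(ptr);` ran even when `p` was NULL), while isc_mem_reallocate() leaves the old block to the caller on failure ("the caller must free it"). That is the realloc(3) contract OpenSSL expects from a memory hook, so the new behaviour is the right one, but it is a second behavioural change and deserves a sentence in CHANGES entry 2547, which only mentions the out-of-range read.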
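Review bot: in the isc__mem_reallocate hunk the line that actually closes the over-read is `copysize = oldsize > size ? size : oldsize;` (the comparison operator has been flattened to `oldsize size` in this copy of the patch), and it should carry its own one-line comment: the block comment above it describes realloc(3) semantics but never says that copying min(oldsize, size) bytes instead of `size` bytes is the point of the change. The header read `oldsize = (((size_info *)ptr)[-1]).u.size;` also presumes `ptr` came from isc__mem_allocate(); the INSIST on `oldsize >= ALIGNMENT_SIZE` catches only some misuse, so state that precondition in the function comment.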
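Review bot: the two mem.h hunks add the isc_mem_reallocate macro and the isc__mem_reallocate prototype with no description of the contract (realloc(3) emulation, old block untouched when allocation fails, size 0 frees), which currently exists only as a comment inside mem.c. CHANGES calls this a new public function, so the contract belongs in the header beside the prototype, where callers will read it.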
Re: will blocking getting hammered by cache request do anything?
One thing I should add is that chasing down lack of BCP38 compliance isn't whack-a-mole though it may feel like it. This is a configuration change and as such tends to be permanent especially once it gets written into the procedures documents.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: starting namd
In message 1236826414.19160.23.ca...@localhost.localdomain, Chris writes:
> On Wed, 2009-03-11 at 21:29 -0500, Chris wrote:
>> I've just recently upgraded from Mandrake 10.1 to Mandriva 2009. I had it running great before the upgrade. Tonight I installed BIND 9.5.0-P2 via rpm and can't get it to start for some reason. named-checkconf gives me no errors and neither does named-checkconf -z.
>
> Adding a bit to this, syslog shows:
>
> Mar 11 21:43:02 localhost named[7290]: starting BIND 9.5.0-P2 -u named -t /var/lib/named
> Mar 11 21:43:02 localhost named[7290]: found 1 CPU, using 1 worker thread
> Mar 11 21:43:02 localhost named[7290]: loading configuration from '/etc/named.conf'
> Mar 11 21:43:02 localhost named[7290]: /etc/named.conf:9: open: /var/lib/named/etc/rndc.key: file not found
> Mar 11 21:43:02 localhost named[7290]: loading configuration: file not found
> Mar 11 21:43:02 localhost named[7290]: exiting (due to fatal error)
>
> The file is there:
>
> [r...@localhost etc]# cd /var/lib/named/etc
> [r...@localhost etc]# ls -l
> total 36
> -rw-r--r-- 1 root root  1966 2009-02-15 05:18 bogon_acl.conf
> -rw-r--r-- 1 root root   116 2009-03-11 21:46 hosts
> -rw-r--r-- 1 root root  3543 2009-03-11 21:47 localtime
> -rw-r--r-- 1 root root  2123 2009-02-15 05:18 logging.conf
> -rw-r--r-- 1 root root  4094 2009-03-11 21:09 named.conf
> -rw-r--r-- 1 root named  350 2009-03-11 21:01 rndc.conf
> -rw-r--r-- 1 root named  259 2009-03-11 20:22 rndc.key
> -rw-r--r-- 1 root root   627 2009-02-15 05:18 trusted_networks_acl.conf

Named is looking for /var/lib/named/var/lib/named/etc/rndc.key. You aren't taking into account the chroot() call.

Mark

> Don't know what the problem is
>
> --
> KeyID 0xE372A7DA98E6705C

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
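Mark's diagnosis is that once named has called chroot() (started here with -t /var/lib/named), every path in named.conf is interpreted inside the chroot, so include "/var/lib/named/etc/rndc.key" becomes /var/lib/named/var/lib/named/etc/rndc.key on the host. The following is an added example, not BIND's code or the poster's: a Python pre-flight check that follows named.conf and its includes and reports, for each path-valued statement, where the path really lands on the host and whether it exists. The temporary-directory layout in demo() is constructed to mirror the thread, and the set of statements the checker understands is an assumption, not the full named.conf grammar.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Statements whose argument names a file or directory. This subset is an assumption
# of the checker, not the complete named.conf grammar.
PATH_STMT = re.compile(r'\b(include|file|directory|pid-file|dump-file|statistics-file)\s+"([^"]+)"')

Finding = Tuple[str, str, str, bool]   # statement, path as written, host path, exists


def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def resolve_in_chroot(chroot: str, path: str, directory: str = "/") -> str:
    """Host-side path that named, started with -t chroot, actually opens for `path`:
    absolute names are rooted at the chroot, relative ones at the directory option
    (which is itself inside the chroot)."""
    if not os.path.isabs(path):
        path = os.path.join(directory, path)
    return os.path.join(chroot, os.path.normpath(path).lstrip("/"))


def check_named_conf(chroot: str, conf: str) -> List[Finding]:
    """Follow `conf` (given as named sees it inside the chroot) and its includes and
    report where every path-valued statement lands on the host and whether it exists."""
    findings: List[Finding] = []
    directory = "/"
    pending, seen = [conf], set()
    while pending:
        inside = pending.pop(0)
        if inside in seen:
            continue
        seen.add(inside)
        host = resolve_in_chroot(chroot, inside, directory)
        exists = os.path.isfile(host)
        findings.append(("config" if inside == conf else "include", inside, host, exists))
        if not exists:
            continue
        with open(host, encoding="utf-8") as fh:
            text = strip_comments(fh.read())
        m = re.search(r'\bdirectory\s+"([^"]+)"', text)
        if m:
            directory = m.group(1)          # relative file names resolve against it
        for stmt, path in PATH_STMT.findall(text):
            if stmt == "include":
                pending.append(path)        # reported when it is processed
                continue
            host_path = resolve_in_chroot(chroot, path, directory)
            findings.append((stmt, path, host_path, os.path.exists(host_path)))
    return findings


def missing(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if not f[3]]


def demo() -> Tuple[List[Finding], List[Finding]]:
    """Constructed chroot laid out like the thread's (/var/lib/named) under a temp dir.
    Returns the findings for the host-absolute include and for the corrected one."""
    with tempfile.TemporaryDirectory() as tmp:
        chroot = os.path.join(tmp, "var", "lib", "named")
        etc = os.path.join(chroot, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "rndc.key"), "w", encoding="utf-8") as fh:
            fh.write("# constructed stand-in for rndc.key\n")
        conf = os.path.join(etc, "named.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write('options { directory "/etc"; };\n'
                     'include "/var/lib/named/etc/rndc.key";  // host-side path: wrong inside the chroot\n')
        wrong = check_named_conf(chroot, "/etc/named.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write('options { directory "/etc"; };\n'
                     'include "/etc/rndc.key";  // path as seen from inside the chroot\n')
        right = check_named_conf(chroot, "/etc/named.conf")
    return wrong, right


if __name__ == "__main__":
    for label, result in zip(("host-absolute include", "chroot-relative include"), demo()):
        print(label)
        for stmt, path, host, ok in result:
            print(f"  {'ok     ' if ok else 'MISSING'} {stmt:<10} {path:<32} -> {host}")
```

Run against a real installation as check_named_conf("/var/lib/named", "/etc/named.conf"), the MISSING lines are the ones named will fail on at startup, and the host path column shows the doubled prefix that gives the mistake away.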
Re: Two outgoing queries for each incoming query
In message 200903121454.n2cesvel019...@metis.hicks-net.net, Gregory Hicks writes:

Date: Thu, 12 Mar 2009 13:43:44 +0200
Subject: Two outgoing queries for each incoming query
From: My Name mylistuser1...@gmail.com
To: bind-users@lists.isc.org

Is this possible with 9.6.0-P1 or do I need to change the code (all ideas where to start are welcome, I haven't looked at the code yet). I want to set up a forwarder and each incoming query (in fact only A or ) should be sent to two different upstream servers.

Why? Bind already does this. If there are two (or more) servers serving a zone, it will already query all of them for the initial query. However, it uses the answer from the server that has the fastest response time.

No. It will query multiple servers in turn as needed to satisfy queries. RTT estimates are most effective with infrastructure zones as those are the ones queried most often. Named tries to minimize the number of queries it makes.

Regards, Gregory Hicks
Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928

-- Mark Andrews, ISC
Re: Trouble publishing dkim via nsupdate
In message 20090313031347.ga19...@csy.ca, Shane W writes:

Hey all, I am trying to publish a dkim record in a signed dynamic zone using nsupdate. My query looks like the below but nsupdate is having none of it, giving formerr. Can anyone see an obvious error with this query: Pasting the entry directly into the zone (freeze/thaw) does work but then the record doesn't get signed.

nsupdate:
zone csy.ca
update delete continuum._domainkey.csy.ca any
update add continuum._domainkey.csy.ca 86400 txt k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGDqQOjvR2NkesUp+rMl164OdruvyT/hcvwWpPJVZZpYJ7C0rUFoZeGdIsi0Riv8wbMd0YspPEfXEslt+neNBTp+nGtkbzpV23PnVwxaqaCpUOZtc7LN2BTKLnpQATL30JJE6LwafHPmM5I9S6y1pBQBV9KLdBuxG4+xlIwQf6HwIDAQAB
send

Remove the any from the delete command.

update delete continuum._domainkey.csy.ca

output with -d:

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11757
;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;csy.ca.                        ANY     SOA
;; ANSWER SECTION:
csy.ca.                 86400   IN      SOA     continuum.ns.csy.ca. hostmaster.csy.ca. 207 14400 900 2419200 3600
;; AUTHORITY SECTION:
csy.ca.                 86400   IN      NS      dme6.ns.csy.ca.
csy.ca.                 86400   IN      NS      dme7.ns.csy.ca.
csy.ca.                 86400   IN      NS      continuum.ns.csy.ca.
csy.ca.                 86400   IN      NS      dme5.ns.csy.ca.
;; ADDITIONAL SECTION:
dme5.ns.csy.ca.         86400   IN      A       63.219.151.12
dme6.ns.csy.ca.         86400   IN      A       64.246.42.203
dme7.ns.csy.ca.         86400   IN      A       205.234.170.139
continuum.ns.csy.ca.    3600    IN      A       70.71.3.27
Found zone name: csy.ca
The master is: continuum.ns.csy.ca
Sending update to 70.71.3.27#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 2080
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 0
;; ZONE SECTION:
;csy.ca.                        ANY     SOA
;; UPDATE SECTION:
continuum._domainkey.csy.ca. 0  ANY     ANY
continuum._domainkey.csy.ca. 86400 ANY  TXT     k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGDqQOjvR2NkesUp+rMl164OdruvyT/hcvwWpPJVZZpYJ7C0rUFoZeGdIsi0Riv8wbMd0YspPEfXEslt+neNBTp+nGtkbzpV23PnVwxaqaCpUOZtc7LN2BTKLnpQATL30JJE6LwafHPmM5I9S6y1pBQBV9KLdBuxG4+xlIwQf6HwIDAQAB
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id: 2080
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

Thanks, Shane

-- Mark Andrews, ISC
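The -d output shows where the FORMERR comes from: the add RR went out with class ANY, TTL 86400 and RDATA, and RFC 2136 section 3.4.1 tells a server to reject any update RR of class ANY whose TTL or RDLENGTH is non-zero. The following is an added example, not part of the thread and not nsupdate's code. It builds the same two-RR UPDATE message in pure Python and applies the server's prescan rules first, so the malformed combination is caught before anything is sent. The zone, owner name and TXT payload are constructed (the DKIM key is a placeholder, not a real key).

```python
"""Build a DNS UPDATE (RFC 2136) message and prescan it the way a server does.

Added example, not part of the thread and not nsupdate's code. Names and the
TXT payload are constructed (the DKIM key is a placeholder, not a real key);
the two update RRs mirror the shape of the nsupdate -d output in the thread.
"""
import struct

OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_SOA, TYPE_TXT, TYPE_ANY = 6, 16, 255


def encode_name(name):
    """Dotted name -> uncompressed wire-format labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def txt_rdata(text):
    """TXT RDATA is a run of <len><bytes> character-strings, each at most 255 bytes.

    Nothing is escaped on the wire: the '\\;' needed in zone-file syntax (';' starts
    a comment there) is purely presentation format. Long DKIM p= values are split
    into several character-strings, which verifiers concatenate.
    """
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def prescan_update_rr(ttl, rclass, rtype, rdata):
    """RFC 2136 section 3.4.1 checks; return why a server would answer FORMERR, or None."""
    if rclass == CLASS_ANY and (ttl != 0 or len(rdata) != 0):
        return "class ANY (delete RRset or name) needs TTL 0 and empty RDATA"
    if rclass == CLASS_NONE and ttl != 0:
        return "class NONE (delete one RR) needs TTL 0"
    if rclass == CLASS_IN and rtype == TYPE_ANY:
        return "class IN (add) cannot use type ANY"
    if rclass not in (CLASS_IN, CLASS_NONE, CLASS_ANY):
        return "unexpected class %d" % rclass
    return None


def build_update(msg_id, zone, update_rrs):
    """update_rrs: (owner, ttl, rclass, rtype, rdata). Raises on RRs the prescan rejects."""
    for owner, ttl, rclass, rtype, rdata in update_rrs:
        reason = prescan_update_rr(ttl, rclass, rtype, rdata)
        if reason:
            raise ValueError("%s: %s" % (owner, reason))
    # Header: ID, flags (opcode UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT, ADCOUNT=0.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(update_rrs), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    body = b"".join(
        encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
        for owner, ttl, rclass, rtype, rdata in update_rrs)
    return header + zone_section + body


# Constructed names and payload: hypothetical zone, placeholder key material.
ZONE = "example.com."
OWNER = "continuum._domainkey.example.com."
DKIM_TXT = "k=rsa; t=y; p=" + "A" * 200


def replace_dkim_record():
    """Delete every RRset at OWNER, then add the TXT record: the sequence nsupdate sends."""
    return build_update(2080, ZONE, [
        (OWNER, 0, CLASS_ANY, TYPE_ANY, b""),                     # delete all RRsets at owner
        (OWNER, 86400, CLASS_IN, TYPE_TXT, txt_rdata(DKIM_TXT)),  # add: class must be IN
    ])


def formerr_reason_for_bad_add():
    """The add RR exactly as the -d output shows it: TTL 86400, class ANY, with RDATA."""
    return prescan_update_rr(86400, CLASS_ANY, TYPE_TXT, txt_rdata(DKIM_TXT))
```

The builder does no TSIG and no name compression, which is fine for an UPDATE you are inspecting rather than sending; the point is that a correct delete-then-add carries class ANY only on the delete RR, with TTL 0 and no RDATA, and class IN on the add.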
Re: rDNS for /20
In message 200903122311.24920.bli...@nobaloney.net, Jeff Lasman writes:

I've read the relevant parts of DNS and Bind over and over again, and I'm still going crazy. I've searched this list going back about three years. I've googled. Each step confuses me more :( I'm trying to set up a reverse delegation to two nameservers for a /20. Netmask is 255.255.240.0 (I think). Is there a cookbook somewhere? Thanks in advance for any possible help.

Just set up each of the /24's which make up the /20.

Jeff
-- Jeff Lasman, Nobaloney Internet Services
P.O. Box 52200, Riverside, CA 92517
Our blists address used on lists is for list email only
voice: +1 951 643-5345, or see: http://www.nobaloney.net/contactus.html

-- Mark Andrews, ISC
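In-addr.arpa is delegated on octet boundaries, so a /20 has no zone of its own: it is sixteen /24 zones, each delegated separately by the parent and each served on both name servers. The following is an added example, not part of the thread, that enumerates those zones from a prefix, confirms the netmask, and renders the parent-side NS records and the named.conf stanzas for a master and a slave. The prefix, server names and addresses are constructed; the only fact taken from the reply is the rule itself.

```python
"""Which in-addr.arpa zones a /20 needs, and what parent and child each carry.

Added example, not from the thread. The prefix and name server names are
constructed; the only fact taken from the reply is the rule itself: reverse
DNS for a /20 is done as the sixteen /24 zones it contains.
"""
import ipaddress


def reverse_zones(prefix):
    """in-addr.arpa zone names covering `prefix`, one per /24.

    Accepts CIDR ("203.0.112.0/20") or dotted netmask ("203.0.112.0/255.255.240.0").
    Prefixes longer than /24 are rejected: they cannot have a zone of their own and
    need RFC 2317 classless delegation inside the parent /24 zone instead.
    """
    net = ipaddress.ip_network(prefix, strict=True)  # strict: host bits set is an error
    if net.version != 4:
        raise ValueError("IPv4 in-addr.arpa only")
    if net.prefixlen > 24:
        raise ValueError("%s is smaller than a /24; use RFC 2317 delegation" % net)
    zones = []
    for sub in net.subnets(new_prefix=24):
        a, b, c, _ = str(sub.network_address).split(".")
        zones.append("%s.%s.%s.in-addr.arpa" % (c, b, a))
    return zones


def delegation_records(prefix, nameservers):
    """NS records the parent (the /16 holder or the RIR) publishes for each /24 zone."""
    return ["%s. IN NS %s" % (zone, ns)
            for zone in reverse_zones(prefix) for ns in nameservers]


def named_conf_zones(prefix, role="master", masters=()):
    """named.conf zone statements: role 'master' on one server, 'slave' on the other."""
    stanzas = []
    for zone in reverse_zones(prefix):
        if role == "master":
            stanzas.append('zone "%s" {\n\ttype master;\n\tfile "db.%s";\n};' % (zone, zone))
        else:
            m = " ".join(ip + ";" for ip in masters)
            stanzas.append('zone "%s" {\n\ttype slave;\n\tmasters { %s };\n\tfile "bak.%s";\n};'
                           % (zone, m, zone))
    return "\n".join(stanzas)


if __name__ == "__main__":
    # Constructed block and servers; 203.0.112.0/20 is aligned, 203.0.113.0/20 is not.
    print("netmask", ipaddress.ip_network("203.0.112.0/20").netmask)  # 255.255.240.0
    print("\n".join(delegation_records("203.0.112.0/20", ["ns1.example.net.", "ns2.example.net."])))
    print(named_conf_zones("203.0.112.0/20", role="slave", masters=["192.0.2.53"]))
```

The strict network parse is deliberate: a /20 written with a misaligned third octet is the usual source of "half my reverse zones answer NXDOMAIN", and the error surfaces here before any delegation is requested.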
Re: number of zones not matching
-- Best Regards, John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105   Cell: (212) 200-3016

-- Mark Andrews, ISC
Re: ACL ?
In message 49c79d6b.7060...@eagle.net, John D. Vo writes:

Greetings: Trying to implement acl in my named.conf... for Bind 9.2.2

acl eagle { 192.168.1.0/24; localhost; };

But when I issued a reload, I got:

Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2: unknown option 'acl'
Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading configuration failed: failure

You have the acl in the wrong place in named.conf. It should be like:

acl { };
options { };

not

options { acl { ... }; ... };

Mark

Help? Thanks.
-- Best Regards, John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105   Cell: (212) 200-3016

-- Mark Andrews, ISC
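The log line gives the file and line number but not the reason, and named-checkconf reports the same thing; what you want to know is the nesting depth of the statement. The following is an added example, not part of the thread and not BIND's parser: a small tokenizer that reports every named.conf statement with its depth and flags top-level-only statements (acl, options, view, logging, controls) found inside another block. The two configs are constructed, one with the acl nested in options as in the post, one with it at the top level.

```python
"""Find named.conf statements that sit at the wrong nesting level.

Added example, not from the thread and not BIND's parser. It tokenises just
enough named.conf syntax (braces, semicolons, quoted strings, comments) to
report the depth of every statement; a top-level-only statement such as acl
found at depth 1 is what named reports as "unknown option 'acl'".
"""
import re

# Statements that named accepts only at the top level of the file.
TOP_LEVEL_ONLY = {"acl", "options", "view", "logging", "controls"}

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Drop /* */, // and # comments so their contents never count as tokens.
    (Not string-aware: a '//' inside a quoted value would be cut as well.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def statements(conf_text):
    """Return (keyword, depth) for every statement; depth 0 is the top level."""
    depth, current, found = 0, None, []
    for tok in _TOKEN.findall(strip_comments(conf_text)):
        if tok == "{":
            depth += 1
            current = None          # a block starts a new statement list
        elif tok == "}":
            depth -= 1
            current = None
        elif tok == ";":
            current = None          # statement finished
        elif current is None:
            current = tok           # first word of a statement is its keyword
            found.append((tok, depth))
    return found


def misplaced(conf_text):
    """Top-level-only statements that were nested inside another block."""
    return [(kw, d) for kw, d in statements(conf_text) if kw in TOP_LEVEL_ONLY and d != 0]


# Constructed configs: the acl nested in options (rejected) and at top level (accepted).
WRONG = """\
options {
    directory "/var/named";
    acl eagle { 192.168.1.0/24; localhost; };   // named: unknown option 'acl'
    allow-query { eagle; };
};
"""

RIGHT = """\
acl eagle { 192.168.1.0/24; localhost; };      // acl is a top-level statement
options {
    directory "/var/named";
    allow-query { eagle; };                     // and is referenced from here
};
"""

if __name__ == "__main__":
    for name, conf in (("WRONG", WRONG), ("RIGHT", RIGHT)):
        print(name, "misplaced:", misplaced(conf))
```

Ordering matters as well: named resolves an acl name where it is used, so define the acl before the options or view block that references it.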
Re: Strange DNS Behaviour
c1 t2 (x0)
nslookup: 3 ns addrs
nslookup: 3 ns addrs total
forw: forw -> 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec
datagram from 137.33.1.2 port 53, fd 7, len 92
USER response nsid=7 id=4
stime 712944912/917744 now 712944912/967742 rtt 49
NS #0 addr 137.33.1.2 used, rtt 49
NS #1 128.214.4.29 rtt now 0
NS #2 137.33.1.9 rtt now 0
resp: ancount 0, aucount 1, arcount 0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.com type 6 class 1 ttl 3600
db_update(kemira.com, 0x556f8, 0x556f8, 031, 0x44ca0)
db_update: adding 556f8
resp: leaving auth NO
send_msg -> 130.230.1.1 (UDP 9 1539) id=4

Kindly advise! Many Thanks, Ashish

-- Mark Andrews, ISC
Re: FORMERR resolving AAAA/IN records
In message 20090326141903.1917917...@britaine.cis.anl.gov, b19...@anl.gov writes:

Oliver Henriot oliver.henr...@imag.fr wrote:

dnsserver% !! dig auniarael.com @216.69.185.38

; DiG 8.3 auniarael.com @216.69.185.38
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUERY SECTION:
;;      auniarael.com, type = , class = IN

;; AUTHORITY SECTION:
.                       1D IN SOA       cpns01.secureserver.net. dns.jomax.net. (
                                        20080922        ; serial
                                        8H              ; refresh
                                        2H              ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
auniarael.com.          1H IN NS        cpns01.secureserver.net.
auniarael.com.          1H IN NS        cpns02.secureserver.net.

;; Total query time: 62 msec
;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38  216.69.185.38
;; WHEN: Thu Mar 26 09:06:02 2009
;; MSG SIZE  sent: 31  rcvd: 157

Note this answer is internally self inconsistent. AA=1 which indicates the answer is authoritative yet the authority section contains SOA and NS RRsets with different owners with the SOA being higher in the namespace than the NS RRset. Even if AA=0 it would still be self inconsistent and the relationship between the SOA and NS RRsets is impossible in a well formed response.

Mark

-- Mark Andrews, ISC
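The two rules Mark applies can be checked mechanically on any response: the SOA in an authority section names the apex of the zone holding the query name, and an NS RRset there is either that same apex or a delegation below it, so an SOA owner strictly above an NS owner is a negative answer and a referral claimed in one message. The following is an added example, not part of the thread; the first sample is transcribed from the dig output above, the second is a constructed well-formed NODATA answer for comparison.

```python
"""Check a DNS response's authority section for the inconsistency described above.

Added example, not from the thread. RESPONSE is transcribed from the dig output
in the post (SOA for "." and NS for auniarael.com. in one answer); the checks
encode the two rules stated in the reply and nothing else.
"""


def labels(name):
    """Labels of a DNS name, leftmost first; the root "." has none."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def is_ancestor(anc, name, proper=True):
    """True if `anc` is above `name` in the tree ("." is above everything).
    With proper=False a name also counts as its own ancestor."""
    la, ln = labels(anc), labels(name)
    if len(la) > len(ln) or (proper and len(la) == len(ln)):
        return False
    return ln[len(ln) - len(la):] == la


def authority_problems(qname, aa, answer, authority):
    """Reasons the response cannot be well formed; empty list if it passes.

    authority: list of (owner, rrtype, rdata). Rules:
      1. An SOA in the authority section is the apex of the zone that contains
         qname (RFC 2308 negative answer), so it must be at or above qname.
      2. An NS RRset in the authority section is either that same apex or a
         delegation below it. An SOA strictly above an NS owner means the server
         is sending a negative answer and a referral at once, which no zone cut
         allows; this holds whether AA is set or not.
    """
    problems = []
    soa_owners = {o for o, t, _ in authority if t == "SOA"}
    ns_owners = {o for o, t, _ in authority if t == "NS"}
    for s in sorted(soa_owners):
        if not is_ancestor(s, qname, proper=False):
            problems.append("SOA owner %s is not at or above qname %s" % (s, qname))
        for n in sorted(ns_owners):
            if is_ancestor(s, n):
                problems.append("SOA %s sits above NS %s: negative answer and referral "
                                "in one message%s" % (s, n, " (with AA=1)" if aa else ""))
    return problems


# Transcribed from the dig output in the post.
RESPONSE = dict(
    qname="auniarael.com.",
    aa=True,
    answer=[],
    authority=[
        (".", "SOA", "cpns01.secureserver.net. dns.jomax.net. 20080922 8H 2H 1W 1D"),
        ("auniarael.com.", "NS", "cpns01.secureserver.net."),
        ("auniarael.com.", "NS", "cpns02.secureserver.net."),
    ],
)

# Constructed: the shape a well-formed NODATA answer from the zone's own server has.
WELL_FORMED_NODATA = dict(
    qname="auniarael.com.",
    aa=True,
    answer=[],
    authority=[("auniarael.com.", "SOA",
                "cpns01.secureserver.net. dns.jomax.net. 20080922 8H 2H 1W 1D")],
)

if __name__ == "__main__":
    for label, resp in (("dig output", RESPONSE), ("well-formed", WELL_FORMED_NODATA)):
        print(label, "->", authority_problems(**resp) or "ok")
```

A resolver that keeps the SOA from this answer would cache a negative-cache record for "." from a server that is not a root server, which is why named treats the whole response as malformed rather than picking the parts that look usable.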
Re: dhcp options 226 and 227
Try the next list over, dhcp-us...@isc.org. Also see https://www.isc.org/software/dhcp/documentation

In message 20090330124035.7mp9s88srossk...@mail.harrisonburg.k12.va.us, dhottin...@harrisonburg.k12.va.us writes:

I'm trying to figure out how to add options 226 and 227 to my dhcp server. I have not been able to find much about this through google. Has anyone implemented these options for their dhcp server? I added the following to my dhcpd.conf (main file):

option option-226 code 226 = array of integer 8;
option option-227 code 227 = ip-address;
option option-226 10,40,0,29;
option option-227 10.40.0.29;

I'm not sure what the array of integer 8 is at all, but the only example I could find had that in the main options area.

thanks, ddh
-- Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

-- Mark Andrews, ISC
Re: Minor query (cache) denied Logging Bug?
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13081
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.              IN      A

;; ANSWER SECTION:
cname.dv.isc.org.       86400   IN      CNAME   ftp.uu.net.

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:09 2009
;; MSG SIZE  rcvd: 58

drugs# dig cname.dv.isc.org @192.168.191.236
Apr  2 12:11:50 drugs named[896]: client 192.168.191.236#60255: view default: query (cache) 'ftp.uu.net/A/IN' denied

; DiG 9.3.6-P1 cname.dv.isc.org @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24655
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.              IN      A

;; ANSWER SECTION:
cname.dv.isc.org.       86400   IN      CNAME   ftp.uu.net.

;; Query time: 1 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:50 2009
;; MSG SIZE  rcvd: 58

drugs# dig ftp.uu.net @192.168.191.236
Apr  2 12:20:47 drugs named[896]: client 192.168.191.236#58715: view default: query (cache) 'ftp.uu.net/A/IN' denied

; DiG 9.3.6-P1 ftp.uu.net @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61980
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.uu.net.                    IN      A

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:20:47 2009
;; MSG SIZE  rcvd: 28
drugs#

-- Mark Andrews, ISC
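The same "query (cache) ... denied" line is logged for two very different events: an authoritative answer whose CNAME target lies outside the zone (the lookup of the target is refused, but the CNAME itself is still returned, as the first two dig runs show) and a client that simply is not allowed to recurse (the third run, which gets REFUSED). The following is an added example, not part of the thread and not ISC code: a parser for that log line and a summary that separates the two shapes. The log format is the one in the output above; the sample lines are constructed, the first two copied from the thread, the rest a client probing for several unrelated names.

```python
"""Parse named 'query (cache) ... denied' log lines and summarise them.

Added example, not from the thread and not ISC code. The log format is the one
in the post (BIND 9.3, category security); the sample lines are constructed,
with the two from the thread plus a client probing for unrelated names.
"""
import re
from collections import Counter, defaultdict

DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?:view (?P<view>\S+): )?"
    r"query \((?P<source>cache|zone)\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)


def parse_denied(line):
    """Dict of fields for a denied-query line, or None for any other line."""
    m = DENIED_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines):
    """Per client: number of cache denials and the sorted distinct names asked for.

    Two shapes are worth telling apart:
      * one trusted client, the same name again and again: almost always a CNAME
        in a zone this server is authoritative for whose target lies outside it,
        as with cname.dv.isc.org -> ftp.uu.net in the post; the target lookup is
        denied because the client may not recurse, but the CNAME is returned;
      * one client, many unrelated names: someone testing for an open resolver.
    """
    denials = Counter()
    names = defaultdict(set)
    for line in lines:
        rec = parse_denied(line)
        if rec is None or rec["source"] != "cache":
            continue
        denials[rec["ip"]] += 1
        names[rec["ip"]].add(rec["qname"] + "/" + rec["qtype"])
    return denials, {ip: sorted(n) for ip, n in names.items()}


def likely_probers(lines, distinct_names=3):
    """Clients refused cache lookups for at least `distinct_names` different names."""
    _, names = summarise(lines)
    return sorted(ip for ip, n in names.items() if len(n) >= distinct_names)


# Constructed sample: two lines from the post, three from a probing client, one unrelated.
SAMPLE_LOG = """\
Apr  2 12:11:50 drugs named[896]: client 192.168.191.236#60255: view default: query (cache) 'ftp.uu.net/A/IN' denied
Apr  2 12:20:47 drugs named[896]: client 192.168.191.236#58715: view default: query (cache) 'ftp.uu.net/A/IN' denied
Apr  2 12:21:03 drugs named[896]: client 198.51.100.7#4444: view default: query (cache) 'isc.org/ANY/IN' denied
Apr  2 12:21:03 drugs named[896]: client 198.51.100.7#4444: view default: query (cache) 'ripe.net/ANY/IN' denied
Apr  2 12:21:04 drugs named[896]: client 198.51.100.7#4444: view default: query (cache) 'example.com/ANY/IN' denied
Apr  2 12:21:04 drugs named[896]: zone dv.isc.org/IN: loaded serial 2009040201
""".splitlines()

if __name__ == "__main__":
    denials, names = summarise(SAMPLE_LOG)
    for ip in denials:
        print(ip, denials[ip], "denied;", len(names[ip]), "distinct names:", names[ip])
    print("likely probers:", likely_probers(SAMPLE_LOG))
```

For the first shape the fix is in the zone data (point the CNAME at a name you serve, or grant that client recursion); for the second, the REFUSED answers are already the correct response (RFC 5358) and the log line is the useful part.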
Re: ISC DLV dnssec
In message e754e90904051051i60b347b6paf44a833c02a8...@mail.gmail.com, R Dicaire writes:

Hi folks, last night the ISC server responsible for responding to DLV lookups was apparently down. Since all lookups were failing due to a lack of response from this server, bind couldn't resolve anything at all. I had to comment out a couple lines in named.conf to restore function. bind-9.4.3-P2

Here's the dnssec configuration lines used in named.conf:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;
trusted-keys {
    dlv.isc.org. 257 3 5 "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
};

I'm not sure, but if a lookup fails dnssec auth, shouldn't bind treat the answer as insecure, and return said answer?

No. Otherwise you could cause the nameserver to accept a bogus answer when it shouldn't.

In the scenario described above, I wasn't even able to get answers, let alone whether said answers could be authenticated. Bv9ARM.pdf is unclear regarding how bind should behave regarding use of dnssec-validation directive. Shouldn't the behaviour for DLV lookups be such that if the query can't be answered by the DLV server, then fall back to a non-dnssec lookup?

No.

Perhaps there's a configuration issue I'm using that caused this unexpected behaviour I describe?

There was a fault which caused RRSIG of the key signing key to be missing. The key signing key is the one listed in the trusted-keys clause above. This caused a break in the chain of trust as the DNSKEY RRset could not be validated which meant named could not determine if the answers to the DLV queries were valid or not and in turn the answers to all other queries.

Mark

Thanks
-- aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u

-- Mark Andrews, ISC
Re: ISC DLV dnssec
In message e754e90904051454m8a240cbh17a177a069455...@mail.gmail.com, R Dicaire writes:

On Sun, Apr 5, 2009 at 5:40 PM, Mark Andrews mark_andr...@isc.org wrote:
Shouldn't the behaviour for DLV lookups be such that if the query can't be answered by the DLV server, then fall back to a non-dnssec lookup?
No.

May I ask why?

You enable DNSSEC and DLV to prevent the nameserver from accepting forged answers from secured zones. DLV tells named which zones are secured or not. This needs to be secured to prevent named accepting forged answers from secured zones.

B.T.W. The servers did answer the queries. The resolver just wasn't able to validate them as a signature was missing.

I'm sure something was learned from whatever caused the DLV server to malfunction, but was that kind of malfunction something we can look forward to when . and TLDs are signed?

Signing errors will happen. Hopefully not too often.

If that kind of breakage in lookups can occur, should there not be a contingency to be able to continue to use the Internet when such breakage occurs?

Named is still able to return answers if you tell it not to validate the answers by setting CD=1 in the query. This flag is usually used when you have a validating resolver using another validating resolver to get its answers. When the lookups were failing answers like this were returned.

; DiG 9.3.6-P1 dnskey dlv.isc.org +dnssec +cd +multi
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4255
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org.                   IN DNSKEY

;; ANSWER SECTION:
dlv.isc.org.            6518 IN DNSKEY 256 3 5 (
                                BEOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAa
                                GPT+Q0kpiN+7GviFh+nIazoB8e2Yv7mupgqkmIjObdcb
                                GstYpUltdECdNpNmBvASKB9SBdtGeRvXXpORi3Qyxb9k
                                HGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBFtCibp/mk
                                hw==
                                ) ; key id = 64263
dlv.isc.org.            6518 IN DNSKEY 256 3 5 (
                                BEPGBAwVFzuE6r0zjxHMug8if94gouJXT4xnKqOt
                                BRNJ9KmIvHVh97hn5VN2T9z0SZ3Y2nPxTyksoX+X7L62
                                QveGvHzHSEuo8iYq6INevwFTX1beCj/dhk9ZfEYkleoB
                                4NUlHcam7juJWncRi/Vz/BpF2ec9fLqaAaP15AojoIoa
                                Aw==
                                ) ; key id = 49899
dlv.isc.org.            6518 IN DNSKEY 257 3 5 (
                                BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn
                                4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW
                                58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6B
                                D4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/o
                                Q+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte
                                /URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw
                                /mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+
                                al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
                                ) ; key id = 19297
dlv.isc.org.            6518 IN RRSIG DNSKEY 5 3 7200 20090504233310 (
                                20090404233310 64263 dlv.isc.org.
                                VXvnxUqXwPWDRL0eN3AW5obDm+8h/X+DbvqF/MPaD9NO
                                1SYO6tcPvs+Ih3+kQQ/7PZxWHJjGpvIz/sSGWPUbqzyr
                                LJBTq90+jUbIuCX0KYb4PAT1l5zhjC5UvOKY1Va4NoI7
                                J/jGrE1hb6C/ZOlDuQR7mXTn/KwkkxK+JzpxT+0= )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr  5 15:21:28 2009
;; MSG SIZE  rcvd: 786

The trusted key entered into named.conf has key id 19297. There was not a signature for the DNSKEYs using this key. The only signature available was generated using key id 64263 (7th field in the RRSIG record).

Mark

I could see online businesses panicking when something like this happens.

There was a fault which caused RRSIG of the key signing key to be missing. The key signing key is the one listed in the trusted-keys clause above. This caused a break in the chain of trust as the DNSKEY RRset could not be validated which meant named could not determine if the answers to the DLV queries were valid or not and in turn the answers to all other queries.

Could you provide more details as to what specifically caused the fault? Perhaps then other dns admins may learn something new to look
Re: ISC DLV dnssec
In message e754e90904051805i6ac1dda6k57f78be2cf00a...@mail.gmail.com, R Dicaire writes:

On Sun, Apr 5, 2009 at 8:48 PM, Mark Andrews mark_andr...@isc.org wrote:
Named is still able to return answers if you tell it not to validate the answers by setting CD=1 in the query. This flag is usually used when you have a validating resolver using another validating resolver to get its answers. When the lookups were failing answers like this were returned.

The one thing I didn't do was a direct dig itself. I was tailing dnssec.log and watching the DLV lookups failing, and my web browser was failing to load any site, reporting the hostname couldn't be resolved. Above, you mention setting CD=1 in the query. How is this done by applications trying to resolve hostnames when there's a problem like last night's?

Only DNSSEC aware validating applications should do this.

Would setting the named.conf directive dnssec-validation no; do this? (as I mentioned previously, I had to comment out dnssec-validation and the trust anchor directive that points to ISC so I could resolve queries)

Which is a reasonable response. DNSSEC is a bit like digital TV: it's all or nothing. Zones will work or not if there are operator errors. DLV is just a very critical zone in that it works out which zones are secure or not so it is involved in every lookup which is not part of a separately configured island of trust. When the root is signed and you have a trust anchor for the root configured DLV will be used to bridge the gaps in the delegation chains. Lookups in secure zones for which there is a theoretical secure path won't use DLV.

Mark
-- aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u

-- Mark Andrews, ISC
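The three messages above describe one decision in a validating resolver: the DNSKEY RRset must carry an RRSIG made by a key that matches a configured trust anchor; if it does not, the result is bogus (SERVFAIL to the client), never a silent downgrade to insecure, and only a query with CD=1 gets the unvalidated data back. The following is an added example, not part of the thread and not ISC code. It models exactly that decision with constructed keys: the DNSKEY RRset is signed by the ZSK only while the trust anchor is the KSK, as in the dig +cd output where the only RRSIG carries the ZSK's tag. It computes RFC 4034 key tags (the "key id" dig +multi prints) and checks the chain linkage; it verifies no signature cryptographically, so it illustrates the policy, not a validator.

```python
"""Why a missing KSK signature makes every answer bogus, and what CD=1 changes.

Added example, not from the thread and not ISC code. It models the outage with
constructed keys: the DNSKEY RRset carries an RRSIG from the ZSK only, while
the configured trust anchor is the KSK. Only the chain-of-trust linkage (RFC
4034 key tags, anchor match) is modelled; no signature is cryptographically
verified, so treat it as an illustration of the decision, not a validator.
"""
import struct


def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (the 'key id' dig +multi prints)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# Constructed DNSKEYs: RFC 3110 layout (exponent length 3, exponent 65537) followed by a
# placeholder modulus. 257 = ZONE|SEP (a KSK), 256 = ZONE (a ZSK); protocol 3, algorithm 5.
KSK = (257, 3, 5, b"\x03\x01\x00\x01" + b"\x00\x00\x00\x00\x12\x34")
ZSK = (256, 3, 5, b"\x03\x01\x00\x01" + b"\xab\xcd\xef\x01\x23\x45")


def validate_dnskey_rrset(trust_anchors, dnskeys, rrsigs):
    """'secure' if some RRSIG over the DNSKEY RRset was made by a key that is both in the
    RRset and identical to a configured trust anchor; otherwise 'bogus'.

    rrsigs: (type covered, key tag) pairs. Key tags can collide, so a real validator tries
    every candidate key with that tag and verifies the signature; this stops at the match.
    A failure here is 'bogus', never 'insecure': insecure status has to be proven (a signed
    NSEC/NSEC3 showing no DS), a missing signature proves nothing.
    """
    anchors = {key_tag(*a): a for a in trust_anchors}
    in_rrset = {key_tag(*k): k for k in dnskeys}
    for covered, tag in rrsigs:
        if covered == "DNSKEY" and tag in anchors and in_rrset.get(tag) == anchors[tag]:
            return "secure"
    return "bogus"


def resolver_response(validation, cd):
    """(rcode, AD bit) a validating resolver returns for data in this state.

    CD=1 asks the resolver not to validate, so the data comes back unvalidated with AD=0;
    that is what the dig +cd query in the thread did. Without CD, bogus data becomes SERVFAIL.
    """
    if cd:
        return ("NOERROR", False)
    if validation == "secure":
        return ("NOERROR", True)
    return ("SERVFAIL", False)


def outage_scenario(ksk_signed):
    """Trust anchor = KSK; the DNSKEY RRset is signed by the ZSK, and by the KSK only if asked."""
    rrsigs = [("DNSKEY", key_tag(*ZSK))]
    if ksk_signed:
        rrsigs.append(("DNSKEY", key_tag(*KSK)))
    return validate_dnskey_rrset([KSK], [KSK, ZSK], rrsigs)


if __name__ == "__main__":
    print("KSK tag", key_tag(*KSK), "ZSK tag", key_tag(*ZSK))
    for signed in (False, True):
        v = outage_scenario(signed)
        print("KSK signature present:", signed, "->", v,
              "client gets", resolver_response(v, cd=False), "with CD=1", resolver_response(v, cd=True))
```

The ZSK's RRSIG over the DNSKEY RRset is worthless to a validator whose anchor is the KSK, because the ZSK itself is only trusted once the KSK has signed the RRset it appears in; that is the missing link the thread describes, and why a zone serving only a ZSK-signed DNSKEY RRset fails for everything beneath it.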
Re: I:Couldn't start server ns1
In message 49da221b020100045...@gwiasmtp.uct.ac.za, Erisan Nyamutenha writes:

Hi, I'm installing Bind 9.6.0 on Suse Enterprise Linux 10 and I get this error message when I do a make test:

I:Couldn't start server ns1

Have you set up the test interfaces? 10.53.0.1 ... 10.53.0.7

This is from my FreeBSD box where I run make test pretty regularly.

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
        inet 10.53.0.1 netmask 0x
        inet 10.53.0.2 netmask 0x
        inet 10.53.0.3 netmask 0x
        inet 10.53.0.4 netmask 0x
        inet 10.53.0.5 netmask 0x
        inet 10.53.0.6 netmask 0x
        inet 10.53.0.7 netmask 0x
        inet 127.0.0.2 netmask 0x
        inet 127.0.0.3 netmask 0x

Any ideas what I should do before I can install bind?

Regards
Erisan

-- Mark Andrews, ISC
Re: Fwd: ip forwarding DNS 9.6.0
From: myron kowal...@cs.moravian.edu
Date: April 6, 2009 12:00:55 PM EDT
To: bind-users@lists.isc.org
Subject: ip forwarding DNS 9.6.0

I upgraded from 9.2.3.

I can't seem to do forwarding from a browser.

Everything works from 9.2.3. When I swap out to 9.6.0, from a command line I can do: nslookup; ping outside the domain; traceroute outside the domain.

From a web browser I can get out if I use the ip address. However, when I put in a canonical name get an rcode 5.

There's a barracuda spam firewall in the path. If I take it out, then everything works. There's really nothing to change on the barracuda as far as dns is concerned, other than pointing to a dns server.

snoop on the wire:

9.6.0
barracuda -> ns       DNS C www22.verizon.com. Internet Addr ?
       ns -> barracuda DNS R  Error: 5(Refused)

9.2.3
barracuda -> ns       DNS C www22.verizon.com. Internet Addr ?
       ns -> barracuda DNS R www22.verizon.com. Internet CNAME www22.verizon.com.edgekey.net.

I glanced through the archives and found some suggestions about recursions to ip forwarding. I think the conf is set up correctly. At least, it works fine with 9.2.3.

Here's some of my named.conf edited.

acl mylab {
      10.0.0.0/8;
};
options {
      directory      "/etc/dns";
      auth-nxdomain  yes;
};
view trusted {
 match-clients { mylab; };
 recursion yes;
 zone moravian.edu in {
      type forward;
      forwarders { 10.22.5.32; 10.22.5.38; };
 };

Any help appreciated.

--myron
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu

-- Mark Andrews, ISC
Re: [OT] zonedit.com and changing DNS servers from current provider
In message c8e4fbfa-e27c-4b25-9af5-541413950...@newgeo.com, Scott Haneda writes:

On Apr 6, 2009, at 3:30 PM, Michelle Konzack wrote:
My hosting contract is running out on 2009-04-16 and now I like to use zonedit.com to host my zones. Unfortunately I have not found the answer to my question on their help page and they do not reply to my question per mail except an autoreply.

Maybe you should reconsider using them if you are already having support issues before you even use their services.

So does someone know, if I setup Zonedit how to eliminate the ZONE at my current ISP and HOW to change the WHOIS record?

You should email your current ISP and ask them to delete the zone, unless you have a control panel in which you can do so yourself. I can say, as a small ISP, this never happens, and we have developed tools to run on a schedule to let us know when a domain has been moved. To update the WHOIS, you just login to the registrar (the place you purchased the domain from) and make an update in the NS section.

If you want a smooth transition, the ISP should slave the new zone content until the caches are cleared of the old NS RRsets (parent and zone).

Mark
-- Scott
* If you contact me off list replace talklists@ with scott@ *

-- Mark Andrews, ISC
Re: Round robin load distribution among servers does not work properly
will never get x.y.z.2 and x.y.z.4 as top entries in this response. Can anybody tell me why this limitation and is there any solution to resolve this problem? Thanks in advance. Mallappa

Not sure what version of BIND you are using, but here I am using 9.5.1-P2. I just loaded a zone with 10 www records and different IP's and they are handed out round robin just fine. The idea of using DNS for load balancing has been brought up here so many times it's hard to count. The answer is always the same. DNS was *never* meant to provide this functionality. Spend the big bucks and get a device meant to do *load balancing*. Search the archive for previous threads on this subject.

http://marc.info/?l=bind9-users&w=2&r=1&s=load+balancing&q=b

-- Mark Andrews, ISC
Re: Round robin load distribution among servers does not work properly
In message 96c8e9660904071112p557840a4kfd85120d7c275...@mail.gmail.com, Mallappa Pallakke writes:

Hi Mark/Kevin, I did the changes you suggested and it worked fine. Thanks a lot for all your help. Regarding round-robin load sharing instead of random, I have planned to have a dynamic update (nsupdate) triggered at realtime whenever a server goes down or comes up so that there will not be any possibility of putting double load on any server. My only challenge is to load the traffic on the newly coming up server equal to other servers during high traffic. I need to do some controlled distribution of load (more on the new server than others until it comes close to other servers!). Please tell me if it has got any problem.

If you need that much control you really need something other than named or you need an extra server. The DNS really isn't designed to, nor is it capable of, distributing load so precisely.

Mark

-- Mark Andrews, ISC
Re: 53/TCP port unresponsive
In message 7caf9cc3b3625c46adb0a816877f5916f89...@a1dal1swpes16mb.ams.acs-inc.net, Deslatte, Curtis writes:

> This problem is very, very similar to the one I posted a couple of months ago on the list. Since then I have found that the couple of servers where this was frequently occurring were misconfigured. (I admit it, NOT proudly though; I'm only proud anymore on Saturday afternoons, once I've caught up on my sleep from the previous week, and then just barely...)
>
> The misconfiguration was related to the use of a second master that another admin had removed, and I had not caught the deferrals that were piling up. I had thought that each zone was going to choose the first master listed, in my case the local primary; the failover was listed second. It would appear that is not always the case, as the master which had been removed was the second one listed in the master ACL that was being referenced by many of the PTR zones being deferred!
>
> I had been troubleshooting another issue and noticed deferrals logging fairly regularly. I started looking into the deferred zones (i.e. allowed myself to be rabbit-trailed) and found that the zones being deferred were being sought out at the second listed master, not the first, where I could actually pull any of the zones manually.
>
> In any case, I edited the master ACL, removing the MIA server, and zapped it. The deferrals stopped (naturally) as the remaining master, the primary, was working correctly. I haven't experienced a TCP seizure since.
>
> I now think... The cyclic nature of the seizures was related to the backing up of deferrals, perhaps a constrained resource under the hood somewhere? I don't know that for a fact though. I would assume it's going to be a different cycle based on the differences between configurations (zones, or whatever) and servers where the presumed resource is concerned. So manifestations would be significantly different from victim to victim.
>
> If it's actually a resource, application or server, it may actually manifest with totally different symptoms.

Setting try-tcp-refresh no; would have most probably fixed it.

> This was 9.5.0-P1, BTW.
>
> Thanks,
> CJD
>
> Curt Deslatte
> curtis.desla...@acs-inc.com
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
> Sent: Friday, April 03, 2009 1:08 PM
> To: Chris Buxton
> Cc: bind-users@lists.isc.org; bind-work...@lists.isc.org
> Subject: Re: 53/TCP port unresponsive
>
> There is no such version as BIND 9.5P1. There are both BIND 9.5.0-P1 and BIND 9.5.1-P1. If Mark is using BIND 9.5.0-P1 then I would recommend upgrading.
>
> Mark
>
> In message fd6f686b-c502-4166-8a46-3d547c3ea...@menandmice.com, Chris Buxton writes:
>> We've seen this repeatedly with our customers, usually evidenced by slaves that stop refreshing and eventually expire the zone. It seems to happen most on Mac OS X and Solaris, and less often (or perhaps never) on Linux.
>>
>> named just stops listening on the TCP port. If you execute lsof -i:53, you'll see that it's still listening on 127.0.0.1:53/TCP, but not on some other interface. UDP seems to be unaffected by this.
>>
>> The only solution we've found is to stop and restart named.
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>>
>> On Apr 2, 2009, at 5:26 PM, Mark Koehler wrote:
>>> Greetings. We have 4 masters (rsync'd together) and a pair of load balancers, each of which distributes queries to any of the 4. On the masters, we run Solaris 10 with BIND 9.5P1. Recently, one of the 4 stopped using TCP on port 53, but UDP traffic continued unaffected. What would cause the TCP port to stop? The port was unresponsive from the backside of the load balancers, and no DNS TCP packets came from the server either. Is there anything in BIND which would detect and block a potential DOS attack?
>>>
>>> Thanx,
>>> mrak

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: ADDITIONAL Section Contains Wrong Data
In message 3d0aa5df-c7ce-4f43-ab30-bbf97f220...@roadrunner.com, Merton Campbell Crockett writes:

> Under what conditions would a response to a DNS query return a correct answer but have in the AUTHORITY and ADDITIONAL sections the names and addresses of the gTLD root servers?

If the answer was from a cache and the NS RRset for the zone has timed out.

> I would have expected to see the domain names and addresses of the UltraDNS name servers as they are the Registrar for the domain name being queried.
>
> The query was part of the data captured on 06 April 2009 when investigating a problem with Microsoft's Office Communicator.
>
> Merton Campbell Crockett
> m.c.crock...@roadrunner.com

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: ip forwarding DNS 9.6.0
In message 83f1e37b-72bd-4454-8c2d-4fa91d5fc...@cs.moravian.edu, myron writes:

> On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
>> In message d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu, myron writes:
>>> I started reading up on Kirk's suggestions of the allow-*** settings. In the global options level I put
>>>
>>>   options {
>>>       directory "/etc/dns";
>>>       allow-query-cache { any; };
>>>       allow-query { any; };
>>>       auth-nxdomain yes;
>>>   };
>>>
>>> and that definitely worked. By no means do I understand the paragraph below from the README. I need to mull over it for a while and determine where the options should go, whether globally or in a view, and whether any is the right setting.
>>
>> Basically there are people using recursive DNS servers as amplifiers in DoS attacks by sending forged UDP queries. By restricting who can get access to the cache you reduce the effect of such queries to just anonymising the original query source.
>>
>> The defaults were changed so that only locally connected nets get recursive service and access to the cache. This default is right for a large majority of the users of named. You should expand allow-query-cache to include all the networks you want to offer recursive service to.
>>
>> Mark
>
> I think I got it right. I just changed any to my network. It works.
>
>   options {
>       directory "/etc/dns";
>       allow-query-cache { int-net; };
>       allow-query { int-net; };

allow-query would normally be any; as you are normally publishing zones to the world.

>       auth-nxdomain yes;
>   };
>
> Thanks for all the help.
>
> --myron
> Myron Kowalski
> MoCoSIN Network/Systems Administrator
> Moravian College
> my...@cs.moravian.edu

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
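The split Mark describes, as an added example rather than myron's file or anything from ISC: the server answers its own zones to the whole Internet but acts as a resolver, and hands out cached data, only for the internal network. The `int-net` prefixes, the zone name and the file name are assumptions; the commented-out line is the open-resolver setting it replaces.

```conf
// Added example; int-net prefixes, zone and file names are assumed.
acl int-net { 192.0.2.0/24; 2001:db8::/32; localhost; };

options {
    directory "/etc/dns";
    auth-nxdomain yes;

    // Anyone may ask for data in the zones this server is authoritative for.
    allow-query { any; };

    // Weak: allow-query-cache { any; }; lets anyone on the Internet use the
    // cache and recurse through this server, i.e. an amplifier for forged
    // UDP queries. Restrict both to the networks you serve.
    allow-query-cache { int-net; };
    allow-recursion   { int-net; };
};

zone "example.edu" {
    type master;
    file "example.edu.zone";
};
```

From outside `int-net`, `dig @server example.edu SOA` is answered, while `dig @server www.example.net A` comes back `status: REFUSED` because the client may neither recurse nor read the cache; from inside, the same query is resolved. In BIND 9.4 and later, allow-recursion defaults to the allow-query-cache value (and vice versa) when only one of them is set, so a single statement would do, but setting both keeps the intent obvious to the next person reading the file.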
Re: Necessity of DNSSEC Lookaside Validation(DLV)
In message ofd3c12b6c.284d328a-on65257592.005ec291-65257593.002c4...@itc.co.in, Chandan Laskar writes:

> Thanks Bill.
>
> We have an authoritative Name Server. Caching is not enabled in the Name Server. Also, based on the website (http://www.netwidget.net/books/apress/dns/info/dlv.html), DLV is not an IETF standardized feature and BIND 9.3.2 (we have 9.6.0-P1) is the current recommended implementation version.

DLV fits into this section of RFC 4035.

   5. Authenticating DNS Responses

   The process for obtaining and authenticating this initial trust anchor is achieved via some external mechanism. For example, a resolver could use some off-line authenticated exchange to obtain a zone's DNSKEY RR or to obtain a DS RR that identifies and authenticates a zone's DNSKEY RR.

> So I am still not convinced about the necessity of DLV incorporation in our setup.

For an authoritative-only setup I would be using TSIG to validate the zone transfers as you have an existing trust relationship.

If you want other people to be able to validate the data you publish you need to sign your zone and publish your SEPs. If your parent zone is not signed you can use DLV as a substitute for the parent zone.

Mark

> Will be grateful if you provide me more suggestions.
>
> Thanks and regards,
> Chandan Laskar
> 2nd Floor Data Center, ITC Center, 4, Russel Street, Kolkata - 700 016
> Phone: (033)-22889900 Extn.: 3944, (0)-9830057396 (M)
>
> Bill Larson wlla...@swcp.com
> 04/07/2009 09:30 PM
> To: Chandan Laskar chandan.las...@itc.in
> cc: bind-users@lists.isc.org
> Subject: Re: Necessity of DNSSEC Lookaside Validation(DLV)
>
>> On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:
>>> Hi,
>>>
>>> We have deployed DNS on RHEL 5 Update 1. Below are the features of our DNS.
>>>
>>> 1. Implemented OS security best practice (e.g. enable MD5 and shadow passwords, root login on console restricted, configure SSH as an alternative to Telnet, etc.).
>>> 2. Configured OpenSSL version 0.9.8j.
>>> 3. Configured BIND 9.6.0-P1 in a CHROOT environment. So BIND is not running as the root user.
>>> 4. IPTABLES has been configured to block all the irrelevant ports.
>>> 5. The Allow Update feature in named.conf is not changed. So, by default it is 'NO'.
>>>
>>> After all the above mentioned protection, do we really need to incorporate DNSSEC Lookaside Validation (DLV) in our DNS? Suggestions please.
>>
>> Your implementation is protecting the DNS server itself - very good. The purpose of DLV is to ensure that the DNS data that your server provides, and all DNSSEC data your server processes, is valid. The DNSSEC/DLV configuration protects your DNS data from being spoofed on another DNS server. It also protects the DNS data that your server may be handing out recursively from being compromised. Protecting both sides of the DNS service for your users is necessary (at least important).

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
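The TSIG-protected zone transfer Mark recommends for an authoritative-only setup, as an added example and not Chandan's configuration: one shared key, the master refusing any AXFR/IXFR that is not signed with it, and the slave signing its requests. The key name, secret, addresses, zone and file names are placeholders; the two halves belong in the master's and the slave's named.conf respectively, not in one file.

```conf
// Added example. Generate the secret with the BIND 9.6 tool:
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key
// and copy the Key: line from the resulting .private file into "secret".
// The value below is a placeholder, not a real key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "UEFTU1dPUkQtUExBQ0VIT0xERVItQ0hBTkdFLU1F";
};

// ---- master's named.conf (192.0.2.10) ----
server 192.0.2.20 { keys { "xfer-key"; }; };   // sign NOTIFYs to the slave

zone "example.com" {
    type master;
    file "example.com.zone";
    // Unsigned transfer requests, and requests signed with any other key,
    // are refused; the source address alone is never enough.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.20; };
};

// ---- slave's named.conf (192.0.2.20) ----
server 192.0.2.10 { keys { "xfer-key"; }; };   // sign SOA/AXFR/IXFR to the master

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.0.2.10; };
    allow-transfer { none; };
};
```

To check it from the slave: `dig @192.0.2.10 example.com AXFR` without a key should come back REFUSED, and the same query with `-y hmac-sha256:xfer-key:<secret>` should return the zone. This only authenticates the master-to-slave copy, which is the trust relationship Mark refers to; letting third parties validate the published data is the separate step of signing the zone (dnssec-keygen for the KSK and ZSK, dnssec-signzone) and publishing the KSK's DS in the parent, or in DLV when the parent is unsigned.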
Re: Fix bind 9.4.3_p2 cross-compilation
In message 20090418113920.2acbb...@jojo.scabb, Beber writes:

> Exporting enable_epoll= makes bind-tools build, but this bypasses the epoll test. Running configure with --enable-epoll doesn't change anything; it still fails on:
>
>   ./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=i586-geode-linux-uclibc --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --enable-ipv6 --with-iconv --enable-epoll
>   checking for kqueue... no
>   checking epoll support... configure: error: cannot run test program while cross compiling
>   See `config.log' for more details.
>
> --
> Beber

This is in the next maintenance release, yet to be released. It's also in 9.6.1.

2521. [bug] Improve epoll cross compilation support. [RT #19047]

Index: configure.in === RCS file: /proj/cvs/prod/bind9/configure.in,v retrieving revision 1.355.18.85 retrieving revision 1.355.18.94 diff -u -r1.355.18.85 -r1.355.18.94 --- configure.in21 Oct 2008 02:47:02 - 1.355.18.85 +++ configure.in15 Feb 2009 22:57:42 - 1.355.18.94 @@ -355,10 +355,10 @@ # so we need to try running the code, not just test its existence. # AC_ARG_ENABLE(epoll, - [ --enable-epoll use Linux epoll when available [[default=yes]]], - want_epoll=$enableval, want_epoll=yes) +[ --enable-epoll use Linux epoll when available [[default=auto]]], + want_epoll=$enableval, want_epoll=auto) case $want_epoll in -yes) +auto) AC_MSG_CHECKING(epoll support) AC_TRY_RUN([ #include sys/epoll.h @@ -373,6 +373,9 @@ [AC_MSG_RESULT(no) ISC_PLATFORM_HAVEEPOLL=#undef ISC_PLATFORM_HAVEEPOLL]) ;; +yes) + ISC_PLATFORM_HAVEEPOLL=#define ISC_PLATFORM_HAVEEPOLL 1 + ;; *) ISC_PLATFORM_HAVEEPOLL=#undef ISC_PLATFORM_HAVEEPOLL ;;

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
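Review bot: in the first hunk (the AC_ARG_ENABLE and `case $want_epoll` change) the help string still reads "use Linux epoll when available" for the new default, but after this change an explicit --enable-epoll (want_epoll=yes) no longer checks availability at all, and the `auto)` branch still calls AC_TRY_RUN without a cross-compiling action, so a cross build that passes neither --enable-epoll nor --disable-epoll still aborts with "cannot run test program while cross compiling". Suggest documenting the three values, e.g. `[ --enable-epoll use Linux epoll [[auto|yes|no, default=auto]]]`, and supplying AC_TRY_RUN's fourth (action-if-cross-compiling) argument so that auto degrades to `ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"` with a warning instead of failing.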
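Review bot: the new `yes)` branch in the second hunk defines ISC_PLATFORM_HAVEEPOLL without confirming that the target has the header, so a mistaken --enable-epoll for a target without epoll is only discovered when the socket code fails to compile. A guard that works while cross compiling, since it needs only the cross compiler and not a runnable binary, is an AC_CHECK_HEADER(sys/epoll.h, ..., AC_MSG_ERROR([epoll requested but sys/epoll.h not found])) in that branch.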