Re: Help understanding lame server error

2008-11-19 Thread Mark Andrews

In message [EMAIL PROTECTED], Scott Haneda writes:
 I have a good deal of lame server errors in my logs, which I am not  
 entirely understanding.
 
 19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving  
 '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?):  
 209.234.64.192#53
 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.48.20#53
 19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving  
 '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?):  
 209.43.20.115#53
 19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.52.20#53
 19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.48.21#53
 
 My server is not allowing recursion, other than to localnets.  About  
 the only thing hitting it is an email server.  So I am not clear on  
 why these lookups are happening, or why they are coming from all these  
 other IPs.

The IP addresses above are the ones your server is querying.
 
 
 --
 Scott
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
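
Mark's point is the one people get backwards: in a lame-servers line the address after the "#53" is the nameserver your resolver asked, not a client of yours. The following is an added example (not from the thread and not ISC code) that parses lines of this shape and aggregates them by the zone that was supposed to be served and by the server that failed to serve it, so you can see which delegations are broken. The regular expression and the sample lines are constructed from the excerpt quoted above, re-joined onto single lines.

```python
import re
from collections import Counter, defaultdict

# Shape of a BIND 9 'lame-servers' category log line, as quoted in the thread.
# The address at the end is the server *we* queried, not a client of ours.
LAME_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: info: lame server resolving "
    r"'(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

# Constructed sample: the five lines from the question, each re-joined onto one line.
SAMPLE_LOG = """\
19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53
19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53
19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53
19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53
"""


def parse_lame_lines(text):
    """Yield one dict per lame-servers line; lines from other categories are skipped."""
    for line in text.splitlines():
        m = LAME_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Return ({zone: [servers that were lame for it]}, Counter of lame reports per server).

    Grouping by zone shows which delegation is broken; grouping by server shows
    whether one upstream host is lame for many zones (typical of a decommissioned
    secondary still listed in NS records)."""
    by_zone = defaultdict(set)
    by_server = Counter()
    for rec in parse_lame_lines(text):
        by_zone[rec["zone"]].add(rec["server"])
        by_server[rec["server"]] += 1
    return {zone: sorted(servers) for zone, servers in by_zone.items()}, by_server


def reverse_zone_to_prefix(zone):
    """'52.195.166.in-addr.arpa' -> '166.195.52.0/24', so a report on lame PTR
    delegations can be read as the network block whose owner should fix it."""
    suffix = ".in-addr.arpa"
    z = zone.lower().rstrip(".")
    if not z.endswith(suffix):
        raise ValueError("not an in-addr.arpa zone: %r" % zone)
    octets = z[: -len(suffix)].split(".")[::-1]
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not a classful in-addr.arpa zone: %r" % zone)
    return "%s/%d" % (".".join(octets + ["0"] * (4 - len(octets))), 8 * len(octets))


if __name__ == "__main__":
    zones, servers = summarize(SAMPLE_LOG)
    for zone, lame in sorted(zones.items()):
        print("%-32s %-18s lame: %s" % (zone, reverse_zone_to_prefix(zone), ", ".join(lame)))
```

Run against a real log by replacing SAMPLE_LOG with the file contents; anything that shows up under many zones is worth a query with dig directly at that address to confirm it really is not authoritative.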


Re: Dropping external recursive requests

2008-12-03 Thread Mark Andrews

In message [EMAIL PROTECTED], Alberto Colosi/SI/RM/GSI/it writes:
 why not? better handled by isc and done in a clean way than 1.000.000 of 
 dirty ways as these ;)

Please go read RFC 5358.  Nowhere in there does it say to
drop responses.  If we thought that dropping queries was a
good idea it would have been explicitly documented in RFC
5358.  Not offering recursive service means returning
REFUSED.
 
 ---
 Alberto Colosi
 IBM Global Business Services
 Sistemi Informativi S.P.A.
 IT NetWork  Security Department
  *-* *-* *-*
 SECURITY IS EVERYONE'S BUSINESS
 
 Member of
 IBM Information Security WW CoP
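
What "not offering recursive service means returning REFUSED" looks like on the wire, as an added example (not code from the thread or from BIND): a minimal policy front end that, for a query it is neither authoritative for nor willing to recurse for, sends back a response with the same ID, the question echoed, RA clear and RCODE 5, instead of silently dropping the packet and leaving the client to retry until it times out. The allow-recursion networks and the authoritative zone list are assumptions for the example.

```python
import ipaddress
import struct

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, qname, qtype=1, rd=True):
    """A plain client query: one question, RD set unless told otherwise."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (id, flags, qname, raw question bytes). Question names are never compressed."""
    qid, flags = struct.unpack("!HH", msg[:4])
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return qid, flags, ".".join(labels).lower(), msg[12:off + 4]


def in_zone(qname, zones):
    return any(qname == z or qname.endswith("." + z) for z in zones)


def handle(msg, client_ip, allow_recursion, auth_zones):
    """Decide what RFC 5358 allows for this client: ('answer', None) hands the
    query to normal processing; ('refused', response) is what goes back on the
    wire.  There is deliberately no 'drop' outcome."""
    qid, flags, qname, question = parse_question(msg)
    client = ipaddress.ip_address(client_ip)
    may_recurse = any(client in ipaddress.ip_network(net) for net in allow_recursion)
    if in_zone(qname, auth_zones) or may_recurse:
        return "answer", None
    # Neither our data nor a client we recurse for: REFUSED, RA clear, so the
    # client learns immediately that this server does not offer recursion.
    rflags = FLAG_QR | (flags & FLAG_RD) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return "refused", header + question


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def ra_set(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_RA)


def qdcount(msg):
    return struct.unpack("!H", msg[4:6])[0]


if __name__ == "__main__":
    # Assumed policy: recurse for 192.0.2.0/24 and loopback only, authoritative for example.com.
    policy = dict(allow_recursion=["192.0.2.0/24", "127.0.0.0/8"], auth_zones=["example.com"])
    for client, name in [("203.0.113.9", "www.example.net."), ("192.0.2.7", "www.example.net."),
                         ("203.0.113.9", "mail.example.com.")]:
        decision, resp = handle(build_query(0x1234, name), client, **policy)
        detail = "" if resp is None else " (rcode %d, RA=%s)" % (rcode(resp), ra_set(resp))
        print("%-12s %-18s -> %s%s" % (client, name, decision, detail))
```

The REFUSED response costs one small packet and ends the exchange; a dropped query costs the client its full retry schedule and, because the outcome is indistinguishable from packet loss, hides the misconfiguration from the person who could fix it.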


BIND 9.5.1rc1 is now available.

2008-12-04 Thread Mark Andrews

BIND 9.5.1rc1 is now available.

BIND 9.5.1rc1 is a maintenance release candidate for BIND 9.5.

BIND 9.5.1rc1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at http://www.isc.org/about/openpgp/pgpkey2006.txt.

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.1rc1 released ---

2498.   [bug]   Removed a bogus function argument used with
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
warning or crash named with the debug 1 level
of logging. [RT #18917]

2496.   [bug]   Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]   Tighten RRSIG checks. [RT #18795]

2494.   [bug]   isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
installed. [RT #18826]

2493.   [bug]   The linux capabilities code was not correctly cleaning
up after itself. [RT #18767]

2490.   [port]  aix: work around a kernel bug where IPV6_RECVPKTINFO
is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]  solaris: Workaround Solaris's kernel bug about
/dev/poll:
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
this workaround. [RT #18870]

2487.   [bug]   Give TCP connections longer to complete. [RT #18675]

2485.   [bug]   Change update's handling of obscured RRSIG
records.  Not all orphaned DS records were being
removed. [RT #18828]

2482.   [port]  libxml2: support versions 2.7.* in addition
to 2.6.*. [RT #18806]

2479.   [bug]   xfrout:covers was not properly initialized. [RT #18801]

2478.   [bug]   'addresses' could be used uninitialized in
configure_forward(). [RT #18800]

2476.   [doc]   ARM: improve documentation for max-journal-size and
ixfr-from-differences. [RT #15909] [RT #18541]

--- 9.5.1b3 released ---

2475.   [bug]   LRU cache cleanup under overmem condition could purge
particular entries more aggressively. [RT #17628]

2474.   [bug]   ACL structures could be allocated with insufficient
space, causing an array overrun. [RT #18765]

2473.   [port]  linux: raise the limit on open files to the possible
maximum value before spawning threads; 'files'
specified in named.conf doesn't seem to work with
threads as expected. [RT #18784]

2472.   [port]  linux: check the number of available cpu's before
calling chroot as it depends on /proc. [RT #16923]

2471.   [bug]   named-checkzone was not reporting missing mandatory
glue when sibling checks were disabled. [RT #18768]

2470.   [bug]   Elements of the isc_radix_node_t could be incorrectly
overwritten.  [RT# 18719]

2469.   [port]  solaris: Work around Solaris's select() limitations.
[RT #18769]

2468.   [bug]   Resolver could try unreachable servers multiple times.
[RT #18739]

2467.   [bug]   Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.   [doc]   ARM: explain max-cache-ttl 0 SERVFAIL issue.
[RT #18302]

2465.   [bug]   Adb's handling of lame addresses was different
for IPv4 and IPv6. [RT #18738]

2464.   [port]  linux: check that a capability is present before
trying to set it. [RT #18135]

2463.   [port]  linux: 

Re: Oddities in my named.log. Can you explain?

2008-12-05 Thread Mark Andrews

There is a windows box configured to use your domain name
and it is trying to lookup/update the active directory
configuration.

Send a Cease and Desist letter stating that you are the
registered owner of the domain name in question and they
should cease using it.

Mark

In message [EMAIL PROTECTED], Keve Nagy writes:
 Hi Everyone,
 I see some oddities frequently showing up in our BIND logfiles.
 This is on the official primary NS for our domain.
 
 *Oddity_type#1*
 ... view external-in: query: server.EXAMPLE.COM IN SOA -E
 
 Please note that the only thing I changed here is the domain name. I did 
 not capitalize it, the original domain name also got logged this way. 
 And yes, the original hostname queried was server, I did not change 
 that either. These are repeatedly coming from the same source IP 
 address, once in every 10-70 minutes.
 We have never had a host named server. So why would an external 
 machine keep asking for a hostname we never had? Especially with such an 
 obvious name! Also, why is the domain part capitalized for these 
 queries, and not in any proper/legitimate query? I assume this is what 
 the query was for. The original request must have been for 
 server.EXAMPLE.COM, having the domain part this way capitalized in the 
 query itself.
 So why would a remote system look for a never existed host named 
 server in our system, with the domain name capitalized?
 Any legitimate reason you could think of?
 
 
 
 *Oddity_type#2*
 
 ... view external-in: query: server.EXAMPLE.COM IN SOA +
 ... view external-in: updating zone 'example.com/IN': update unsuccessful: 
 server.EXAMPLE.COM/A: 'RRset exists (value dependent)' 
 prerequisite not satisfied (NXRRSET)
 
 Again note, that I only changed the name of the domain and I did not 
 alter the capitalization or the hostname. These are from another source 
 IP address, but always the same one. For some reason, also looking for 
 the host named server. And a few minutes later, it seems to try to 
 update the domain database.
 By the way, no host is allowed to update our DNS records. The zone files 
 are updated by hand only. And this has always been the case, no exceptions.
 
 
 
 *Oddity_type#3*
 
 ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA
 -E
 ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA
 -E
 ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve.
 _sites.dc._msdcs.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aee
 fb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
 ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdc
 s.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
 
 Look at these odd hostnames which are queried for!
 These are all systematically returning queries. And these come from 
 multiple source IP addresses.
 Are these queries legitimate? I mean, do you know of any system that may 
 be doing this? Are these strange hostname queries part of some standard 
 way identifying services and I just don't happen to know about this 
 standard?
 
 I would very much appreciate some feedback on these.
 Best regards,
 Keve Nagy * Debrecen * Hungary
 
 -- 
 if you need to reply directly:
 keve(at)mail(dot)poliod(dot)hu
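
The names Keve lists are exactly what a Windows domain member resolves when it looks for its Active Directory domain controllers (_ldap._tcp, _kerberos._tcp, gc._msdcs, a GUID under _msdcs), and the SOA lookup followed by a rejected update is the Windows DNS client trying to register its own A record, which fits Mark's diagnosis. As an added example, not from the thread, here is detection logic that runs over query-log lines of that shape and labels each source address. The log lines are constructed in BIND's querylog style with documentation addresses, since the originals had the client part elided; the thresholds are assumptions, not BIND settings.

```python
import re
from collections import defaultdict

# BIND querylog line, e.g. "client 203.0.113.7#3456: view external-in: query: server.EXAMPLE.COM IN SOA -E"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: view (?P<view>\S+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)"
)
# Rejected dynamic update as logged by the update category.
UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: view (?P<view>\S+): updating zone "
    r"'(?P<zone>[^']+)': update (?P<result>unsuccessful|denied|failed)"
)
# Labels only an Active Directory client asks for (RFC 2782 SRV names and the _msdcs tree).
AD_LABEL_RE = re.compile(
    r"(^|\.)(_msdcs|_sites|_ldap\._tcp|_kerberos\._(tcp|udp)|_kpasswd\._(tcp|udp)|"
    r"_gc\._tcp|domaindnszones|forestdnszones)(\.|$)",
    re.IGNORECASE,
)
# "<GUID>._msdcs.<domain>": domain and DSA GUIDs, as in oddity #3.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\._msdcs\.", re.IGNORECASE
)

# Constructed sample lines (documentation addresses), modelled on the three oddities.
SAMPLE_LOG = """\
05-Dec-2008 10:00:01.123 client 203.0.113.7#3456: view external-in: query: server.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:00:01.456 client 203.0.113.7#3457: view external-in: query: server.EXAMPLE.COM IN SOA +
05-Dec-2008 10:00:01.789 client 203.0.113.7#3458: view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
05-Dec-2008 10:05:00.001 client 198.51.100.23#1025: view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:05:00.002 client 198.51.100.23#1025: view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:05:00.003 client 198.51.100.23#1025: view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:05:00.004 client 198.51.100.23#1025: view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:05:00.005 client 198.51.100.23#1025: view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:06:00.000 client 192.0.2.44#53000: view external-in: query: www.example.com IN A -EDC
"""


def classify(text):
    """Per source address: distinct AD-specific names asked for, SOA probes, rejected updates."""
    hosts = defaultdict(lambda: {"ad_names": set(), "soa_probes": 0, "update_attempts": 0})
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qname = m.group("qname").rstrip(".")
            rec = hosts[m.group("ip")]
            if AD_LABEL_RE.search(qname) or GUID_RE.match(qname):
                rec["ad_names"].add(qname.lower())
            if m.group("qtype") == "SOA":
                rec["soa_probes"] += 1   # a client locating the zone's primary before it updates
            continue
        m = UPDATE_RE.search(line)
        if m:
            hosts[m.group("ip")]["update_attempts"] += 1
    return hosts


def verdicts(hosts, min_ad_names=3):
    """Label each source.  The threshold is an assumption for the example."""
    out = {}
    for ip, rec in hosts.items():
        if len(rec["ad_names"]) >= min_ad_names:
            out[ip] = "misconfigured-AD-member"      # a Windows host using our name as its AD domain
        elif rec["update_attempts"] and rec["soa_probes"]:
            out[ip] = "ddns-registration-attempt"   # SOA probe followed by a rejected update
        else:
            out[ip] = "benign"
    return out


if __name__ == "__main__":
    for ip, label in sorted(verdicts(classify(SAMPLE_LOG)).items()):
        print("%-16s %s" % (ip, label))
```

The upper-case domain in these queries is simply how the Windows client was configured; DNS compares names case-insensitively, so the capitalisation is cosmetic, but it does make the stray machine easy to pick out of the log.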


Re: named-checkconf error

2008-12-06 Thread Mark Andrews

named-checkzone calls getaddrinfo() to lookup addresses of servers
which are not in the zone.  That lookup has failed.

For a start I would fix this delegation error.  The NS RRset on both
sides of the delegation should be the same.

capmark.com.             172800  IN      NS      ns1.gmaccm.com.
capmark.com.             172800  IN      NS      ns2.gmaccm.com.
;; Received 116 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 175 ms

quarantine1.capmark.com. 7200    IN      A       216.83.188.21
capmark.com.             86400   IN      NS      ns1.capmark.com.
capmark.com.             86400   IN      NS      ns2.capmark.com.
;; Received 125 bytes from 216.83.188.8#53(ns1.gmaccm.com) in 227 ms

There may be other problems which may only be visible from where you
are performing the lookup.

Mark

In message [EMAIL PROTECTED], Steve Shockley writes:
 I'm running BIND 9.4.2 on OpenBSD 4.3.  I'm getting some errors with 
 named-checkconf I don't really understand.  I'm running:
 
 named-checkzone -t /var/named capmarksecurities.com 
 /master/db.capmarksecurities.com
 
 and I get:
 
 zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com) 
 failed: non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(quarantine2.capmark.com) 
 failed: non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(mailhost3.capmark.com) 
 failed: non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(mxo1.capmark.com) failed: 
 non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(mxo2.capmark.com) failed: 
 non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: loaded serial 235310359
 OK
 
 The zone file:
 
 $ORIGIN .
 $TTL 86400  ; 1 day
 capmarksecurities.com   IN SOA  ns1.capmark.com. dnsadmin.capmark.com. (
  235310359  ; serial
  10800  ; refresh (3 hours)
  3600   ; retry (1 hour)
  604800 ; expire (1 week)
  86400  ; minimum (1 day)
  )
 $TTL 300; 5 minutes
  NS  ns1.capmark.com.
  NS  ns2.capmark.com.
 $TTL 900; 15 minutes
  MX  10 quarantine1.capmark.com.
  MX  10 quarantine2.capmark.com.
  MX  20 mailhost3.capmark.com.
  MX  200 mxo1.capmark.com.
  MX  200 mxo2.capmark.com.
 $ORIGIN capmarksecurities.com.
 $TTL 7200   ; 2 hours
 defeasance  CNAME   idealweb.capmark.com.
 investorguide   A   70.60.19.129
 $TTL 86400  ; 1 day
 www CNAME   www.capmark.com.
 
 This appears to happen with all zones with MX records that are in a 
 different zone.  The zone loads and seems to work as expected.  What's 
 going wrong?
 
 
 
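
Mark's check, as an added example that is not part of the thread: read the two responses a dig +trace prints for the zone (the parent's referral and the child's own answer) and compare the NS RRsets on either side of the cut. The sample text is the output quoted above, re-spaced into dig's column layout; the mismatch it reports is the one Mark points out.

```python
import re

# One resource record as dig prints it: owner TTL class type rdata.
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)\s*$")
# dig's trailer after each response in a +trace run.
FROM_RE = re.compile(r"^;; Received \d+ bytes from (?P<addr>[^#]+)#\d+\((?P<name>[^)]+)\)")

# The two responses quoted in Mark's reply, re-spaced into dig's column layout.
TRACE = """\
capmark.com.             172800  IN      NS      ns1.gmaccm.com.
capmark.com.             172800  IN      NS      ns2.gmaccm.com.
;; Received 116 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 175 ms

quarantine1.capmark.com. 7200    IN      A       216.83.188.21
capmark.com.             86400   IN      NS      ns1.capmark.com.
capmark.com.             86400   IN      NS      ns2.capmark.com.
;; Received 125 bytes from 216.83.188.8#53(ns1.gmaccm.com) in 227 ms
"""


def ns_sets_by_responder(trace_text, zone):
    """[(responder, frozenset of NS targets for `zone`)] in the order the trace shows them."""
    apex = zone.lower().rstrip(".") + "."
    pending, out = set(), []
    for line in trace_text.splitlines():
        m = RR_RE.match(line)
        if m:
            if m.group("type") == "NS" and m.group("owner").lower() == apex:
                pending.add(m.group("rdata").lower())
            continue
        m = FROM_RE.match(line)
        if m:
            out.append((m.group("name").lower(), frozenset(pending)))
            pending = set()
    return out


def delegation_report(trace_text, zone):
    """Compare the NS RRset the parent hands out in its referral with the one the
    child serves at its apex.  They should be identical; when they differ,
    resolvers end up asking servers the zone owner never intended to advertise."""
    sets = [s for s in ns_sets_by_responder(trace_text, zone) if s[1]]
    if len(sets) < 2:
        raise ValueError("need both a parent referral and a child answer carrying NS records")
    (parent, parent_ns), (child, child_ns) = sets[-2], sets[-1]
    return {
        "parent": parent,
        "child": child,
        "consistent": parent_ns == child_ns,
        "parent_only": sorted(parent_ns - child_ns),
        "child_only": sorted(child_ns - parent_ns),
    }


if __name__ == "__main__":
    report = delegation_report(TRACE, "capmark.com")
    print("delegation from %s vs apex at %s: %s" % (
        report["parent"], report["child"], "consistent" if report["consistent"] else "MISMATCH"))
    for side in ("parent_only", "child_only"):
        for ns in report[side]:
            print("  %-12s %s" % (side, ns))
```

Feed it `dig +trace capmark.com NS` output to check the live state; the fix is at the registrar (or in the zone), not in named-checkzone, which is only the messenger here.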


Re: DDNS on SOA

2008-12-11 Thread Mark Andrews

In message 20081211202922.ga32...@sol.planetnet.org, Peter Kringle writes:
 Is it possible to update the SOA record of a zone via ddns update?  Or do I
 have to shut bind down completely to change the SOA?
 Specifically the refresh timer.
 
 Thanks

Yes.  Just make sure that the serial number increases.
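
Mark's one condition is the whole trick: an update replaces the apex SOA only if the new serial is "greater" in RFC 1982 serial-number arithmetic (RFC 2136, section 3.4.2.2); otherwise named ignores the new SOA without an error. Added example, not from the thread: the serial comparison and a generator for an nsupdate batch that changes the refresh timer in place. Zone, server and SOA values are assumptions.

```python
HALF = 1 << 31
MASK = 0xFFFFFFFF


def serial_gt(a, b):
    """RFC 1982 'a is greater than b' for 32-bit serials (wrap-around aware)."""
    a, b = a & MASK, b & MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_serial(current, proposed=None):
    """Use `proposed` (e.g. YYYYMMDDnn) if it counts as an increase, else current + 1.
    A proposed value that is not 'greater' would make named ignore the new SOA."""
    if proposed is not None and serial_gt(proposed, current):
        return proposed & MASK
    return (current + 1) & MASK


def soa_rdata(soa):
    return "{mname} {rname} {serial} {refresh} {retry} {expire} {minimum}".format(**soa)


def nsupdate_soa_script(zone, server, soa, proposed_serial=None, **changes):
    """Return (nsupdate batch text, new serial).

    `soa` is the SOA as currently served (keys mname, rname, serial, refresh,
    retry, expire, minimum, optional ttl); `changes` are the fields to alter.
    The yxrrset prerequisite makes the update fail if the zone changed under us,
    and RFC 2136 replaces the apex SOA on 'update add', so no delete is needed."""
    new = dict(soa)
    for field, value in changes.items():
        if field not in ("refresh", "retry", "expire", "minimum", "mname", "rname"):
            raise ValueError("not an SOA field: %s" % field)
        new[field] = value
    new["serial"] = next_serial(soa["serial"], proposed_serial)
    lines = [
        "server %s" % server,
        "zone %s" % zone,
        "prereq yxrrset %s IN SOA %s" % (zone, soa_rdata(soa)),
        "update add %s %d IN SOA %s" % (zone, soa.get("ttl", 3600), soa_rdata(new)),
        "send",
    ]
    return "\n".join(lines) + "\n", new["serial"]


if __name__ == "__main__":
    # Assumed current SOA; pipe the output into `nsupdate -k <tsig key file>`.
    current = dict(mname="ns1.example.com.", rname="hostmaster.example.com.", serial=2008121101,
                   refresh=10800, retry=3600, expire=604800, minimum=86400)
    script, serial = nsupdate_soa_script("example.com.", "127.0.0.1", current,
                                         proposed_serial=2008121102, refresh=3600)
    print(script, end="")
```

Send the batch over TSIG (nsupdate -k) against a zone whose update-policy or allow-update permits it; the prerequisite line is what keeps a stale copy of the SOA from clobbering a change somebody else made in the meantime.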


Re: MIME garbage in comp.protocols.dns.bind

2008-12-15 Thread Mark Andrews

In message sam.wilson-404a4b.13132515122...@scotsman.ed.ac.uk, Sam Wilson writes:
 In article ghubkr$9l...@sf1.isc.org,
  Chris Buxton cbux...@menandmice.com wrote:
 
  On Dec 11, 2008, at 10:57 PM, Barry Margolin wrote:
   The old mail-to-news gateway either got this right or
   extracted the plain text alternative before forwarding.
  
  The old mail server stripped messages down to their plaintext values.  
  The new one does not - it allows both formatted text and attachments.  
  This is no doubt the change that's causing this problem with usenet.
 
 But it's doing it wrong - it's removing some MIME headers that it 
 shouldn't.  (I will defer to other people if there is a mismatch in what 
 is acceptable in MIME headers on Usenet, but the old one worked and the 
 new one creates unreadable news postings.)
 
 Sam

I've raised a ticket with our ops people.

Mark


Re: Issue with case changing from master on BIND 9 to slave on BIND 8

2008-12-15 Thread Mark Andrews

Mark Andrews writes:
 
 
 
 In message 9fc47420fb263da9eda170166fd4d...@cornell.edu, John Wobus writes:
  Some years ago, I had that issue.  The problem was that the
  zone transfer compression mechanism could change the case
  of individual names.  This was fixed in some release of bind
  (after 9.2.1, if I remember correctly), and bind release notes
  would pinpoint the exact version with the change.
 
   You will need BIND 9.4.0 or later for the master.
 
 1811.   [func]  Preserve the case of domain names in rdata during
 zone transfers. [RT #13547]
 
   Or you can specify many-answers as the transfer format
   on the master.

Correction: one-answer as the transfer format, but there is still
a small risk if a compression pointer can be found in the
owner name of the record with differing case.
 
   The problem was that the compression mechanism would compress
   a.example.COM and b.example.com by using a pointer to a single string,
   in one specific instance, example.COM.  When uncompressed
   at the secondary end, the names came out as a.example.COM and
   b.example.COM.
  
  John Wobus
  Cornell University CIT
  
  
   On Dec 15, 2008, at 10:51 AM, Ben Croswell wrote:
   
    I am reaching out to the list on what appears to be a very odd issue that
    happened over the weekend.
    We had an issue where some internal domains had the TLD capitalized
    after the zone transfer.
    i.e. foo.bar.com on the master became foo.bar.COM on the slave.
    I know that DNS is case insensitive but it caused an issue with apps
    that were misbehaving.
   
    The master is BIND 9.2.1 and the slaves in question are 8.2.3.
    The master zone has everything lower case, and BIND 9 slaves show them
    as lower case as well.
    A manual zone xfer on the 8.2.3 boxes to a different local directory
    than the actual named directory shows .COM.
   
    I was wondering if anyone had experienced an issue like this.
   
    And I understand both of those versions are ancient and need to be
    removed from the environment.
   
    -- 
    -Ben Croswell
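
The mechanism John and Mark describe, as an added example that is not code from either BIND version: a small RFC 1035 name compressor and decompressor. With the case-insensitive suffix matching that caused the problem, b.example.com is emitted as a pointer into a.example.COM and comes back out of the receiver as b.example.COM; with exact-case matching (one way a sender can preserve case) the case survives, at the price of a longer message.

```python
import struct


def _labels(name):
    return [l for l in name.rstrip(".").split(".") if l]


def compress_names(names, case_sensitive):
    """Encode `names` back to back with RFC 1035 compression pointers.

    A suffix already in the buffer is reused.  With case_sensitive=False the
    match ignores case, so the receiver reconstructs the suffix with whatever
    case the *first* name that contained it was written in."""
    buf = bytearray()
    seen = {}                                   # suffix key -> offset of its first label
    for name in names:
        labels = _labels(name)
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            key = suffix if case_sensitive else suffix.lower()
            if key in seen:
                buf += struct.pack("!H", 0xC000 | seen[key])   # pointer ends the name
                break
            if len(buf) <= 0x3FFF:              # pointers can only address 14 bits
                seen[key] = len(buf)
            buf += bytes([len(label)]) + label.encode("ascii")
        else:
            buf += b"\x00"                      # root label ends an uncompressed tail
    return bytes(buf)


def decompress_names(buf, count):
    """Read `count` consecutive names from `buf`, following pointers."""
    names, off = [], 0
    for _ in range(count):
        labels, pos, jumped = [], off, False
        while True:
            n = buf[pos]
            if n & 0xC0 == 0xC0:
                ptr = struct.unpack("!H", buf[pos:pos + 2])[0] & 0x3FFF
                if not jumped:
                    off = pos + 2               # the name occupies two more bytes here
                pos, jumped = ptr, True
                continue
            if n == 0:
                if not jumped:
                    off = pos + 1
                break
            labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        names.append(".".join(labels) + ".")
    return names


if __name__ == "__main__":
    zone_names = ["a.example.COM.", "b.example.com."]
    for mode in (False, True):
        wire = compress_names(zone_names, case_sensitive=mode)
        print("case_sensitive=%-5s %3d bytes -> %s" % (mode, len(wire), decompress_names(wire, 2)))
```

The residual risk Mark mentions with one-answer follows directly: even with one record per message, the owner name can still be compressed against the question or another name in the same message, so the only complete fix is case-aware matching on the sending side.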


Re: Stuck glue records in the GTLD servers??

2008-12-15 Thread Mark Andrews

In message a82dae2a-44ad-4aeb-a72c-a150e6d7f...@cyberlifelabs.com, Milo Hyson writes:
 I'm seeing what looks like a stuck glue record in the GTLD servers and  
 I'm hoping I've just overlooked something simple. There are several  
 domains which list the following as their nameservers:
 
   ns.netdentalcare.com
   ns2.netdentalcare.com
 
 The zone for these (netdentalcare.com) was moved to a new ISP several  
 days ago. The new servers are properly resolving the names and the old  
 servers no longer are. Unfortunately, nobody can seem to resolve these  
 names unless they directly ask the new servers. Upon investigation, I  
 discovered the GTLD servers seem to be holding onto a stale glue  
 record for the zone's prior server:
 
   ns.netdentalcare.com.
 Server:   h.gtld-servers.net.
 Address:  192.54.112.30#53
 
 
  QUESTIONS:
   ns.netdentalcare.com, type = A, class = IN
  ANSWERS:
  -  ns.netdentalcare.com
   internet address = 64.84.39.197
  AUTHORITY RECORDS:
  -  netdentalcare.com
   nameserver = ns1.idaserver.com.
  -  netdentalcare.com
   nameserver = ns2.idaserver.com.
  ADDITIONAL RECORDS:
  -  ns1.idaserver.com
   internet address = 207.178.132.75
  -  ns2.idaserver.com
   internet address = 207.178.132.76
 
 Non-authoritative answer:
 Name: ns.netdentalcare.com
 Address: 64.84.39.197
 
 I assumed this would have timed out after two days, but it hasn't.  
 Nobody is resolving the name to that address anymore. I checked the  
 old zone file to ensure it didn't have a long TTL and it didn't  
 (86,400 seconds).
 
 If anybody has any insight into this issue it would be greatly  
 appreciated.

You need to update the HOST records for the nameservers.
 
 --
 Milo Hyson
 Chief Scientist
 CyberLife Labs
 


Re: ISC BIND Windows?

2008-12-15 Thread Mark Andrews

In message 029c7576bb4b4f1480bf8cf9d125a...@nc4010, Jukka Pakkanen writes:
 Sorry I've lost track of the different versions, which works in Windows and 
 which don't.
 
 So... what is the latest version, working in W2K3?

See the immediate downloads on https://www.isc.org/software/bind.

 And Is W2K still abandoned?

Until Microsoft backport the missing functionality, yes.



BIND 9.6.0rc2 is now available.

2008-12-17 Thread Mark Andrews
BIND 9.6.0rc2 is now available.

BIND 9.6.0rc2 is a release candidate for BIND 9.6.0.

Please as a minimum perform a test build on your operating
system.  We don't have test platforms for every operating
system and sometimes we accidentally break builds.  Now is
the time to tell us about that.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.6 has a number of new features over 9.5, including:

Full NSEC3 support

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

BIND 9.6.0rc2 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/bind-9.6.0rc2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at http://www.isc.org/ISC/isckey.txt.

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0rc2/BIND9.6.0rc2.debug.zip.sha512.asc

Changes since BIND 9.6.0a1

--- 9.6.0rc2 released ---

2515.   [port]  win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
[RT #19063]

2513.   [bug]   Fix windows cli build. [RT #19062]

2510.   [bug]   dig +sigchase could trigger REQUIRE failures.
[RT #19033]

2509.   [bug]   Specifying a fixed query source port was broken.
[RT #19051]

2504.   [bug]   Address race condition in the socket code. [RT #18899]

--- 9.6.0rc1 released ---

2498.   [bug]   Removed a bogus function argument used with
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
warning or crash named with the debug 1 level
of logging. [RT #18917]

2497.   [bug]   Don't add RRSIG bit to NSEC3 bit map for insecure
delegation.

2496.   [bug]   Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]   Tighten RRSIG checks. [RT #18795]

2494.   [bug]   isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
installed. [RT #18826]

2493.   [bug]   The linux capabilities code was not correctly cleaning
up after itself. [RT #18767]

2492.   [func]  Rndc status now reports the number of cpus discovered
and the number of worker threads when running
multi-threaded. [RT #18273]

2491.   [func]  Attempt to re-use a local port if we are already using
the port. [RT #18548]

2490.   [port]  aix: work around a kernel bug where IPV6_RECVPKTINFO
is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]  solaris: Workaround Solaris's kernel bug about
/dev/poll:
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
this workaround. [RT #18870]

2488.   [func]  Added a tool, dnssec-dsfromkey, to generate DS records
from keyset and .key files. [RT #18694]

2487.   [bug]   Give TCP connections longer to complete. [RT #18675]

2486.   [func]  The default locations for named.pid and lwresd.pid
are now /var/run/named/named.pid and
/var/run/lwresd/lwresd.pid respectively.

This allows the owner of the containing directory
to be set, for named -u support, and allows there
to be a permanent symbolic link in the path, for
named -t support.  [RT #18306]

2485.   [bug]   Change update's handling of obscured RRSIG
records.  Not all orphaned DS records were being
removed. [RT #18828]

2484.   [bug]   It was possible to trigger a REQUIRE failure when
adding NSEC3 proofs to the response in
query_addwildcardproof().  [RT #18828]


BIND 9.5.1rc2 is now available.

2008-12-18 Thread Mark Andrews

BIND 9.5.1rc2 is now available.

BIND 9.5.1rc2 is a maintenance release candidate for BIND 9.5.

BIND 9.5.1rc2 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/bind-9.5.1rc2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at http://www.isc.org/ISC/isckey.txt

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc2/BIND9.5.1rc2.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.1rc2 released ---

2513.   [bug]   Fix windows cli build. [RT #19062]

2510.   [bug]   dig +sigchase could trigger REQUIRE failures.
[RT #19033]

2509.   [bug]   Specifying a fixed query source port was broken.
[RT #19051]

2504.   [bug]   Address race condition in the socket code. [RT #18899]

--- 9.5.1rc1 released ---

2498.   [bug]   Removed a bogus function argument used with
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
warning or crash named with the debug 1 level
of logging. [RT #18917]

2496.   [bug]   Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]   Tighten RRSIG checks. [RT #18795]

2494.   [bug]   isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
installed. [RT #18826]

2493.   [bug]   The linux capabilities code was not correctly cleaning
up after itself. [RT #18767]

2490.   [port]  aix: work around a kernel bug where IPV6_RECVPKTINFO
is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]  solaris: Workaround Solaris's kernel bug about
/dev/poll:
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
this workaround. [RT #18870]

2487.   [bug]   Give TCP connections longer to complete. [RT #18675]

2485.   [bug]   Change update's handling of obscured RRSIG
records.  Not all orphaned DS records were being
removed. [RT #18828]

2482.   [port]  libxml2: support versions 2.7.* in addition
to 2.6.*. [RT #18806]

2479.   [bug]   xfrout:covers was not properly initialized. [RT #18801]

2478.   [bug]   'addresses' could be used uninitialized in
configure_forward(). [RT #18800]

2476.   [doc]   ARM: improve documentation for max-journal-size and
ixfr-from-differences. [RT #15909] [RT #18541]

--- 9.5.1b3 released ---

2475.   [bug]   LRU cache cleanup under overmem condition could purge
particular entries more aggressively. [RT #17628]

2474.   [bug]   ACL structures could be allocated with insufficient
space, causing an array overrun. [RT #18765]

2473.   [port]  linux: raise the limit on open files to the possible
maximum value before spawning threads; 'files'
specified in named.conf doesn't seem to work with
threads as expected. [RT #18784]

2472.   [port]  linux: check the number of available cpu's before
calling chroot as it depends on /proc. [RT #16923]

2471.   [bug]   named-checkzone was not reporting missing mandatory
glue when sibling checks were disabled. [RT #18768]

2470.   [bug]   Elements of the isc_radix_node_t could be incorrectly
overwritten.  [RT# 18719]

2469.   [port]  solaris: Work around Solaris's select() limitations.
[RT #18769]

2468.   [bug]   Resolver could try unreachable servers multiple times.
[RT #18739]

2467.   [bug]   Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.   [doc]

Re: General performance

2008-12-24 Thread Mark Andrews

In message 20081224122500.ga13...@nic.fr, Stephane Bortzmeyer writes:
 On Tue, Dec 23, 2008 at 08:36:36PM -0800,
  Scott Haneda talkli...@newgeo.com wrote 
  a message of 35 lines which said:
 
  First, if I learn it is in fact true that all 50K zones will be
  identical, is there any reason to make 50K zone files?
 
 No.
 
  Is it ok to point different domains to the same zone file?
 
 Yes. 

On the master for the zones.  On the slave they need
to be separate files.
 
 http://www.bortzmeyer.org/identical-domains-with-bind.html


Re: Magic for NSEC3

2009-01-03 Thread Mark Andrews

In message fa2e1350901031122w75768929h3b17e0a47b806...@mail.gmail.com, Jonathan Petersson writes:
 Hi all,
 
 Hopefully this post won't cause as much SPAM as my last one. About a
 year ago I started looking into DNSSEC and how to work with it for
 dynamic updates etc. Since only NSEC was supported, allowing whomever
 to do an unauthorized zone transfer, I cancelled my projects, later
 finding out that NSEC3 would stop the behavior.

One really needs to look at the cost benefit analysis to
decide whether to use NSEC or NSEC3.  NSEC3 is much more
expensive than NSEC for both authoritative servers and
validators.  There are almost no zones that need
that level of protection.

Stopping AXFR/IXFR has almost zero cost so for many people
it has become reflex without any need to justify it.  Stopping
zone enumeration has a relatively high cost.

Note for many servers stopping AXFR/IXFR was not about the
zone content and more about preserving file descriptors for
use by the slaves and legitimate TCP clients rather than the
curious.

 With the release of BIND 9.6 my understanding is that NSEC3 is now
 supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
 clueless as whether there's any magic sauce to get NSEC3 records vs.
 NSEC.
 
 If anyone has a pointer that would be of help, I've tried using
 NSEC3RSASHA1 keys without success of getting NSEC3 records.

NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when
signing the zone.  You need to tell dnssec-signzone which
one to use.

dnssec-signzone -3 salt [-H iterations] [-A] 

 Thx
 
 /Jonathan
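
To make the cost Mark is weighing concrete, here is the NSEC3 hash from RFC 5155 section 5 in plain Python, as an added example (not from the thread and not ISC code): SHA-1 over the canonical wire-format name with the salt appended, repeated iterations+1 times and base32hex-encoded, which is what "dnssec-signzone -3 salt -H iterations" asks the signer to compute for every name in the zone and a validator to recompute up to three times for every negative answer. The salt and iteration count in the usage are assumptions.

```python
import base64
import hashlib

# RFC 4648 base32 -> "Extended Hex" (base32hex) alphabet used by NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def _labels(name):
    return [l for l in name.rstrip(".").split(".") if l]


def _canonical_wire(name):
    """Lower-cased wire-format name (RFC 4034 section 6.2 canonical form)."""
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in _labels(name)) + b"\x00"


def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt);
    the owner name is IH(iterations) in base32hex.  salt_hex "-" or "" means no
    salt; only hash algorithm 1 (SHA-1) is defined."""
    if algorithm != 1:
        raise ValueError("unknown NSEC3 hash algorithm %d" % algorithm)
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nxdomain_proof_hashes(qname, closest_encloser, salt_hex, iterations):
    """What a validator must hash to check an NSEC3 NXDOMAIN proof (RFC 5155
    section 8.4): the closest encloser, the next closer name, and the wildcard
    at the closest encloser.  Each costs iterations+1 SHA-1 calls; NSEC needs none."""
    q, ce = _labels(qname), _labels(closest_encloser)
    if not ce or len(q) <= len(ce) or [l.lower() for l in q[-len(ce):]] != [l.lower() for l in ce]:
        raise ValueError("%s is not a proper ancestor of %s" % (closest_encloser, qname))
    next_closer = ".".join(q[-(len(ce) + 1):]) + "."
    return {
        "closest_encloser": nsec3_hash(closest_encloser, salt_hex, iterations),
        "next_closer": nsec3_hash(next_closer, salt_hex, iterations),
        "wildcard": nsec3_hash("*." + ".".join(ce) + ".", salt_hex, iterations),
        "sha1_operations": 3 * (iterations + 1),
    }


if __name__ == "__main__":
    salt, iters = "aabbccdd", 12          # assumed values, as one might pass to -3 / -H
    print("H(example.) =", nsec3_hash("example.", salt, iters))
    for k, v in nxdomain_proof_hashes("nx.sub.example.", "example.", salt, iters).items():
        print("%-18s %s" % (k, v))
```

The iteration count is the knob: every extra iteration is one more SHA-1 per name for the signer and per proof name for every validator on the Internet, while the salt only forces an attacker who wants to enumerate the zone to rebuild a dictionary per zone. Neither stops enumeration outright; they make it cost as much as the defender is prepared to pay on every query.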


Re: Issues in delegating to subdomain owned by other company

2009-01-10 Thread Mark Andrews

In message 937b61bf-c12f-4498-b20c-8cd5613bd...@z1g2000yqn.googlegroups.com, 
blrmaani writes:
 I have configured my named (BIND-9) to delegate a subdomain owned by
 our partner company. The queries in the subdomain are failing
 intermittently.
 
 Our partner company IT team is not ready to reveal their DNS
 configuration.
 
 When we delegate a subdomain, should the nameserver to which we
 delegate
 be AUTHORITATIVE?

Not should, MUST be authoritative.  It MUST return responses
with aa set in the flags to non-recursive queries for
names within the delegated namespace or it MUST return a
referral to nameservers which in turn are authoritative for
the sub-delegated namespace.

Note: queries for the SOA record at the delegation MUST return
the SOA record with aa set.  There is no horizontal delegation
in the DNS.
 
 What happens if the nameserver to which we delegate the subdomain is a
 NON-AUTHORITATIVE nameserver (eg., cache-only name server ). ?

It won't work.

 Could this be the reason for failure?

Yes.
 
 Any comments?
 
 Cheers
 Maani
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
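An added example (not BIND code, and not from anyone on the list) of the check Mark's rule implies: a delegation monitor that queries each listed nameserver with recursion off (what `dig +norec` does) and classifies the wire reply as authoritative (aa set), a proper referral to names below the delegated zone, or lame, which is what a cache-only server produces. The replies here are constructed with a small builder so the check runs offline; the zone names, IDs and TTLs are made up.

```python
"""Classify a nameserver's reply at a delegation: authoritative, referral or lame.

Added example, not BIND code.  A real monitor would send the query with
RD clear to each NS at the delegation and pass the raw reply to
classify_reply(); build_reply() only exists so the check runs offline.
"""
import struct


def encode_name(name):
    """Wire form of a name: length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | pkt[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def build_reply(qid, aa, rcode, qname, qtype, authority_ns=()):
    """Constructed response: one question, optional NS records in the authority
    section, no compression.  RD is left clear, as it is in a +norec query."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode        # QR, AA, RCODE
    pkt = struct.pack("!HHHHHH", qid, flags, 1, 0, len(authority_ns), 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, target in authority_ns:
        rdata = encode_name(target)
        pkt += encode_name(owner) + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return pkt


def classify_reply(pkt, delegated_zone):
    """'authoritative' if aa is set; 'referral' if the authority section carries
    NS records for a name strictly below the delegated zone; otherwise 'lame'.
    An NS set for the zone apex itself with aa clear is lame: there is no
    horizontal delegation, the apex SOA/NS must come back with aa."""
    _qid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    if aa:
        return "authoritative"
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = decode_name(pkt, off)
        off += 4
    zone = delegated_zone.rstrip(".").lower()
    if an == 0 and rcode == 0:
        for _ in range(ns):
            owner, off = decode_name(pkt, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10 + rdlen
            if rtype == 2 and owner != zone and owner.endswith("." + zone):
                return "referral"
    return "lame"
```

Feed every NS at the delegation the apex SOA query and expect "authoritative" from each; "lame" from one of them is the intermittent failure described in this thread, since the resolver picks servers round-robin.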


Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

2009-01-12 Thread Mark Andrews

In message a0e00a9b-89cc-4b94-a3a5-49fd22fe3...@johani.org, Johan Ihren 
writes:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 I realise this just has to be a user error, but so far I've been  
 completely unsuccessful in getting an authenticated response from a  
 9.6.0 recursive server with trusted keys correctly configured.
 
 I've done this:
 
 * Signed the zones:
 
 parent is signed with NSEC semantics, key algorithm is RSASHA1
 child1.parent is signed with NSEC, key algorithm is RSASHA1
 child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1

Did you tell dnssec-signzone to generate NSEC3 chains rather
than NSEC chains.  NSEC3RSASHA1 allows for both NSEC and
NSEC3 chains and dnssec-signzone defaults to NSEC chains.

dnssec-signzone -3 salt [-H iterations] [-A] 

 * Created the secure delegations:
 
 the DS records for child1.parent and child2.parent both use the  
 correct algorithm numbers (5 and 7 respectively)
 
 * Configured a trusted key for parent in a recursive server:
 
 The trusted key is correctly configured, because I'm able to validate  
 positive responses from all three zones (which also proves that the  
 delegations are correctly secured via the DS records). I'm also able  
 to validate negative responses from parent and child1.parent.
 
 And, yes, I have dnssec-enable yes; dnssec-validation yes; in  
 relevant places.
 
 But I fail to validate the interesting case, i.e. a negative response  
 from child2.parent containing NSEC3 records as the proof. I get the  
 response, with all the NSEC3s and their RRSIGs. But no AD bit.
 
 Anyone done this recently who can give me a suggestion to where I may  
 go wrong?
 
 Johan
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.5 (Darwin)
 
 iD8DBQFJZy3KKJmr+nqSTbYRAgR9AKCioFf7n+IZmKfH0qenvlZnnh6FpQCeLl0e
 w3pw5x1lyPwkJnM3iRGjiP4=
 =tnBX
 -END PGP SIGNATURE-
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

2009-01-12 Thread Mark Andrews

In message 088512ac-625e-4a72-aa90-65c73fb8b...@johani.org, Johan Ihren 
writes:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi Mark,
 
 On 12 Jan 2009, at 23:49, Mark Andrews wrote:
 
  I realise this just has to be a user error, but so far I've been
  completely unsuccessful in getting an authenticated response from a
  9.6.0 recursive server with trusted keys correctly configured.
 
  I've done this:
 
  * Signed the zones:
 
  parent is signed with NSEC semantics, key algorithm is RSASHA1
  child1.parent is signed with NSEC, key algorithm is RSASHA1
  child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1
 
  Did you tell dnssec-signzone to generate NSEC3 chains rather
  than NSEC chains.  NSEC3RSASHA1 allows for both NSEC and
  NSEC3 chains and dnssec-signzone defaults to NSEC chains.
 
  dnssec-signzone -3 salt [-H iterations] [-A] 
 
 Absolutely, and the signed zone looks fine (except that it is full of  
 ugly NSEC3's ;-). This is my dnssec-signzone invocation:
 
 dnssec-signzone -N increment -v 9 -a -A -H 1 -3  -o $ZONE $ZONE $ZSK  
 $KSK
 
  * Created the secure delegations:
 
  the DS records for child1.parent and child2.parent both use the
  correct algorithm numbers (5 and 7 respectively)
 
  * Configured a trusted key for parent in a recursive server:
 
  The trusted key is correctly configured, because I'm able to validate
  positive responses from all three zones (which also proves that the
  delegations are correctly secured via the DS records). I'm also able
  to validate negative responses from parent and child1.parent.
 
  And, yes, I have dnssec-enable yes; dnssec-validation yes; in
  relevant places.
 
  But I fail to validate the interesting case, i.e. a negative response
  from child2.parent containing NSEC3 records as the proof. I get the
  response, with all the NSEC3s and their RRSIGs. But no AD bit.
 
  Anyone done this recently who can give me a suggestion to where I may
  go wrong?

NXDOMAIN + OPTOUT -> AD=0
 
 Johan
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.5 (Darwin)
 
 iD8DBQFJa9hRKJmr+nqSTbYRAuDKAJ4upG/n5lww2yrST29HDzteQX369QCfUqxt
 WcZi55ArpM58re2gtd6reAI=
 =+sNo
 -END PGP SIGNATURE-
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
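Added example, written for this archive rather than taken from the list or from BIND: a small Python model of both chains on a constructed zone (`example` with three hosts; the salt and iteration count are arbitrary demo values). It serves the three NSEC3 threads above. `walk_nsec` is the enumeration Jonathan wanted to stop, `nsec3_hash` makes the per-iteration cost Mark mentions visible (one extra SHA-1 per name, paid by the signer and by every validator on every negative answer), and `nxdomain_status` reproduces the last answer: an NXDOMAIN proved through an NSEC3 record carrying the Opt-Out flag can only be Insecure, so the resolver clears AD.

```python
"""NSEC versus NSEC3 on a constructed toy zone (RFC 5155 hashing).

Added example, not BIND or dnssec-signzone code.  Shows why an NSEC chain
can be walked, what each NSEC3 iteration costs, and why an NXDOMAIN proved
by an Opt-Out NSEC3 record is only Insecure (no AD bit).
"""
import base64
import hashlib

# base32 -> base32hex: RFC 5155 uses base32hex so the text form of a hash
# sorts in the same order as the binary digest, which the chain relies on.
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """IH(x,0) = H(x||salt); IH(x,k) = H(IH(x,k-1)||salt); H = SHA-1 (RFC 5155 s5).
    Every extra iteration is one more SHA-1 per name for signer and validator."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32_TO_B32HEX).lower()


def nsec_chain(names):
    """NSEC: owners in canonical order (labels compared from the right, RFC 4034
    s6.1); each record names the next existing owner, so the chain is walkable."""
    order = sorted(set(names), key=lambda n: tuple(reversed(n.lower().rstrip(".").split("."))))
    return {owner: order[(i + 1) % len(order)] for i, owner in enumerate(order)}


def walk_nsec(chain, start):
    """Zone enumeration: follow the 'next' pointers until we are back at start."""
    seen, cur = [], start
    while True:
        seen.append(cur)
        cur = chain[cur]
        if cur == start:
            return seen


def covers(owner, nxt, h):
    """True if hash h lies strictly between owner and next (the last record wraps)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def nsec3_chain(signed_names, salt, iterations, unsigned_delegations=()):
    """NSEC3: owners are hashes.  A record gets the Opt-Out flag when its span
    contains the hash of an unsigned delegation, which has no record of its own."""
    owners = sorted(nsec3_hash(n, salt, iterations) for n in set(signed_names))
    unsigned = [nsec3_hash(n, salt, iterations) for n in unsigned_delegations]
    chain = {}
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]
        chain[owner] = (nxt, any(covers(owner, nxt, u) for u in unsigned))
    return chain


def find_cover(chain, h):
    """(owner, opt_out) of the record covering h, or None when h is itself an owner."""
    for owner, (nxt, opt_out) in chain.items():
        if covers(owner, nxt, h):
            return owner, opt_out
    return None


def nxdomain_status(chain, qname, salt, iterations):
    """Closest-encloser proof (RFC 5155 s8.4): 'exists', 'bogus', 'secure', 'insecure'.
    Opt-Out on the record covering the next-closer name means that name might be
    an unsigned delegation, so the proof is only Insecure and AD must stay clear.
    (An existing wildcard is reported as 'bogus': the answer would not be NXDOMAIN.)"""
    if nsec3_hash(qname, salt, iterations) in chain:
        return "exists"
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):                        # ancestors, longest first
        closest_encloser = ".".join(labels[i:])
        if nsec3_hash(closest_encloser, salt, iterations) not in chain:
            continue
        next_closer = ".".join(labels[i - 1:])
        nc_cover = find_cover(chain, nsec3_hash(next_closer, salt, iterations))
        wc_cover = find_cover(chain, nsec3_hash("*." + closest_encloser, salt, iterations))
        if nc_cover is None or wc_cover is None:
            return "bogus"
        return "insecure" if nc_cover[1] else "secure"
    return "bogus"


# Constructed zone; salt and iteration count are arbitrary demo values.
ZONE_NAMES = ["example", "www.example", "mail.example", "ns1.example"]
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 10
```

`nsec3_chain(ZONE_NAMES, SALT, ITERATIONS, ["unsigned.example"])` is the shape `dnssec-signzone -3 salt -A` produces: the delegation gets no record, the record spanning its hash carries the flag, and a query below it validates as Insecure, which is the "NXDOMAIN + OPTOUT" case in Mark's reply.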


Re: Operators, how do you handle EDNS?

2009-01-13 Thread Mark Andrews

In message 20090114021016.ga24...@esri.com, Ray Van Dolson writes:
 On Tue, Jan 13, 2009 at 05:00:38PM -0800, Ray Van Dolson wrote:
  On Tue, Jan 13, 2009 at 04:35:46PM -0800, Mark Andrews wrote:
 The number of nameservers that fail to respond to EDNS
 queries is miniscule.  The majority of nameservers on the
 net actually talk EDNS.
   
 I suggest that you re-analyse the failures to determine
 their true causes.
   
 Mark
  
  I'd thought we'd ruled this out, but testing again from an OOB server
  confirms what you're saying.
  
  Will definitely reinvestigate.
  
  Initially I am getting these in response to my dig queries:
  
  # dig @130.76.96.65 boeing.com soa +dnssec +norec
  ;; Warning: ID mismatch: expected ID 1582, got 13152
  ;; Warning: ID mismatch: expected ID 1582, got 13152
  ;; Warning: ID mismatch: expected ID 1582, got 13152
  
  ; <<>> DiG 9.3.5-P2 <<>> @130.76.96.65 boeing.com soa +dnssec +norec
  ; (1 server found)
  ;; global options:  printcmd
  ;; connection timed out; no servers could be reached
  
  I guess our firewall could be tinkering with the request ID's?  Perhaps
  as a result of dnssec being on... hmm.
 
 Thanks Mark.
 
 Alright, I believe the DNS Scrambling feature of our firewall could
 be causing the issue -- that or scrambling on boeing.com's end.  Maybe
 someone can comment...
 
 It seems that the transaction ID's are being changed and so the Format
 Error packets coming back from boeing are dropped by BIND.  This is
 why I see BIND cycling through all their nameservers -- the query
 timeout is being triggered.  If the transaction ID's matched correctly,
 the Format Error would be processed and the query would be
 retransmitted without EDNS correctly.
 
 What I'm trying to figure out is if this is a result of scrambling on
 *our* end, the remote end or a combination of both.  Clearly the vast
 majority of our queries succeed, but I don't know how exactly our
 CheckPoint firewall decides to do its scrambling magic, and, of
 course no clue on the remote end.
 
 Anyone have any thoughts to add?

100% your end.

 
 Ray
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
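Added example (not named's resolver code, not from the thread) of the mechanism Ray describes: a resolver matches replies to outstanding queries by transaction ID, a FORMERR it can match makes it retry without EDNS, and a reply it cannot match is dropped, so the query runs into the timeout and the resolver walks on to the next nameserver. The packets are constructed; the query is `example.com SOA`, and the IDs 1582 and 13152 are the ones dig printed above.

```python
"""Why a middlebox that rewrites DNS transaction IDs defeats EDNS fallback.

Added example, not named's resolver code.  Packets are constructed:
example.com SOA is the query, 1582 and 13152 are the IDs from dig's warning.
"""
import struct

NOERROR, FORMERR = 0, 1
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)   # example.com SOA IN


def header(qid, qr, rcode, qdcount=1, arcount=0):
    """12-byte DNS header; QR marks a response, the low 4 flag bits carry RCODE."""
    flags = (0x8000 if qr else 0) | rcode
    return struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, arcount)


def edns_query(qid):
    """Query carrying an OPT pseudo-RR (EDNS0): root owner, type 41, UDP size 4096."""
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header(qid, 0, NOERROR, arcount=1) + QUESTION + opt


def formerr_reply(query):
    """A server that cannot parse OPT answers FORMERR under the same ID."""
    qid = struct.unpack("!H", query[:2])[0]
    return header(qid, 1, FORMERR) + QUESTION


def scramble_id(pkt, new_id):
    """The suspected firewall behaviour: the reply arrives under a different ID."""
    return struct.pack("!H", new_id) + pkt[2:]


def resolver_step(expected_id, reply):
    """What a resolver does with one inbound packet for an outstanding query."""
    qid, flags = struct.unpack("!HH", reply[:4])
    if qid != expected_id or not flags & 0x8000:
        return "discard"               # unmatched: as good as no reply, so it times out
    if flags & 0x000F == FORMERR:
        return "retry-without-edns"    # the 'disabling EDNS' fallback in named's log
    return "accept"


def exchange(on_the_wire=None):
    """Query -> FORMERR reply, optionally mangled in transit; returns the decision."""
    qid = 1582
    reply = formerr_reply(edns_query(qid))
    if on_the_wire is not None:
        reply = on_the_wire(reply)
    return resolver_step(qid, reply)
```

`exchange()` ends in the retry; `exchange(lambda r: scramble_id(r, 13152))` ends in a discard, which is the sequence behind "too many timeouts ... disabling EDNS" and the ID-mismatch warnings from dig. Run from a host outside the firewall, the same query matches, which is the out-of-band test Ray did.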


Re: Unified Root - Domain Configuration Issue

2009-01-18 Thread Mark Andrews

In message 496fb92d.5050...@peter-dambier.de, Peter Dambier writes:
 Hi ozgurs,
 
 can you give me your address so I can set up a zone for you?
 
 e.g.
 
 ozgurs    A    127.0.0.1
 
 Then you have the proof that it is working.

http://tld and u...@tld can *never* work *reliably* as they
would cause namespace clashes.   Single labels represent local
names, not global names.

Mark
 
 Please have a look at
 
 http://www.cesidianroot.net/
 
 to find how to set up your DNS for the test.
 
 If you have a dynamic ip address things are a little bit
 more complicated but can be solved too.
 
 Cheers
 Peter
 
 
 ozgurs wrote:
  We want to buy a unified root domain,
  but they say we can not use the domain only one word.
  like
  ozgurs
 
  so that it opens
  http://ozgurs
 
  but we have to use a connected word to this TLD, like
  example.ozgurs
 
  here, my question comes! :)
 
  i bet with my friend that we can not use the domain itself.
  NOW
  I NEED A PROOF :
 
  We want to know the reason why we can not use TLD alone itself,
  without a word in connected to it.
 
  ( I mean: instead of the URL
  ozgurs
  we have to use
  example.ozgurs
  )
 
  We want the reasons, with exact documents (for example a university's
  DNS management document from their site link or a scientific article
  regarding this issue (about the must of usage and reasons why we must
  use a word connected to the domain.)
 
  Note: We will buy these products after we are satisfied with the
  explanations and documents' reliability about the explained issue
  above. (the usages, rules of domains, configurations, DNS)
 
  I mean I have to prove this that it is impossible to use the domain as
  one word (like ozgurs) with very reliable indications and strongly
  that no one can deny it any way of idea)
 
  With best regards,
 
  OzgurS
 
 -- 
 Peter and Karin Dambier
 Cesidian Root - Radice Cesidiana
 Rimbacher Strasse 16
 D-69509 Moerlenbach-Bonsweiher
 +49(6209)795-816 (Telekom)
 +49(6252)750-308 (VoIP: sipgate.de)
 mail: pe...@peter-dambier.de
 http://www.peter-dambier.de/
 http://iason.site.voila.fr/
 https://sourceforge.net/projects/iason/
 ULA= fd80:4ce1:c66a::/48
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: denied NS/IN

2009-01-20 Thread Mark Andrews

In message 232b45f8-acd3-427a-95e9-bc3ca5fc9...@newgeo.com, Scott Haneda writes:
 Hello, looking at my logs today, I am getting hammered with these:
 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:  
 query (cache) './NS/IN' denied
 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:  
 query (cache) './NS/IN' denied
 
 Repeated over and over, how do I tell what they are, and if they are  
 bad, what is the best way to block them?
 --
 Scott

You should talk to your ISP to chase the traffic back to
its source and get BCP 38 implemented there.  BCP 38 is ~10
years old now.  There is no excuse for not filtering spoofed
traffic.

If the source doesn't want to implement BCP 38 then de-peering
the source should be considered.

Mark
 
http://www.ietf.org/rfc/rfc2267.txt January 1998
http://www.ietf.org/rfc/rfc2827.txt May 2000  (BCP 38)
http://www.ietf.org/rfc/rfc3704.txt March 2004 (BCP 84)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: denied NS/IN

2009-01-20 Thread Mark Andrews

In message fb979b33-df83-4460-a3e4-040cd165e...@newgeo.com, Scott Haneda writes:
 On Jan 20, 2009, at 5:44 PM, Mark Andrews wrote:
 
  In message 232b45f8-acd3-427a-95e9-bc3ca5fc9...@newgeo.com, Scott Haneda writes:
  Hello, looking at my logs today, I am getting hammered with these:
  20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:
  query (cache) './NS/IN' denied
  20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:
  query (cache) './NS/IN' denied
 
  Repeated over and over, how do I tell what they are, and if they are
  bad, what is the best way to block them?
  --
  Scott
 
  You should talk to your ISP to chase the traffic back to
  its source and get BCP 38 implemented there.  BCP 38 is ~10
  years old now.  There is no excuse for not filtering spoofed
  traffic.
 
  If the source doesn't want to implement BCP 38 then de-peering
  the source should be considered.
 
 
 Is BCP 38 really as solid and plug and play as it sounds?  In a  
 shared, or colo'd environment, can that ISP really deploy something  
 like this, without it causing trouble for those that assume unfettered  
 inbound and outbound traffic to their servers?

Yes it is.  Everyone in a colo should be able to tell you which
source address (prefixes) they should be emitting.  You filter
everything else.

The closer to the edge that you do this the easier it is to do.

Mark

 --
 Scott
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Disable cache in bind 9.6

2009-01-21 Thread Mark Andrews

In message 49773369.4080...@corbina.net, Dmitry Rybin writes:
 Matus UHLAR - fantomas wrote:
 
  
  This is _NOT_ a problem of BIND. This is a problem of its admin who can't
  read the docs and set up max-cache-size, which does exactly what is needed
  in this case.
  
 
 Hmm... And why does bind allocate all system memory, if max-cache-size is 16M?
 And views... 50 views. 16*50=800M. Only 800M, this is not 3..4GB of
 system memory.

+50 views of zone data + memory for 10 clients + 

You have a 32bit build which will give a maximum of 2G data.

You are just trying to cram too much into too small a place.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: rndc halt -p behavior

2009-01-21 Thread Mark Andrews

In message 2971f259-4897-48f8-b418-2f7599075...@gronkulator.com, Rich Goodson
 writes:
 The behavior of 'rndc halt -p' appears to be different from the
 documentation.
 
 According to the BIND 9.4 ARM rndc section:
 halt [-p] Stop the server immediately. Recent changes made through
 dynamic update or IXFR are not saved to the master files, but will be
 rolled forward from the journal files when the server is restarted.
 If -p is specified named's process id is returned. This allows an
 external process to determine when named had completed halting.
 
 But the actual behavior seems to be that 'rndc halt -p' returns
 immediately with the PID of named, but a 'ps -ef' shows named still
 running until it's done answering its unfinished recursive queries (or
 whatever it's busy doing).
 
 Is rndc broken, or is the documentation wrong, or am I missing
 something?
 
 If it makes a difference, this is on a server that exclusively does
 recursive resolution and does not serve any authoritative zones.
 
 -rich

named is just freeing all memory that it has allocated.  If there
has been a memory leak this is when it will be detected.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: denied NS/IN

2009-01-21 Thread Mark Andrews

In message 1232561124.6369.187.ca...@d410-heron, Niall O'Reilly writes:
 On Wed, 2009-01-21 at 12:44 +1100, Mark Andrews wrote:
  You should talk to your ISP to chase the traffic back to
  its source and get BCP 38 implemented there.  BCP 38 is ~10
  years old now.  There is no excuse for not filtering spoofed
  traffic.
 
   Absolutely.
 
   Putting myself at the other end of the telescope, I'm wondering
   what tools (if any) are available for verifying that the ingress
   filtering actually in place is indeed compliant with BCP 38.
 
   I try to be conscientious, but drawing valid conclusions from 
   visual inspection of the ACLs is already a challenge for my 
   domestic network (3 LANs and an upstream).  Enterprise (even 
   with only one upstream) or ISP networks are likely more 
   difficult to verify.
 
   Pointers for my next RTFM binge are welcome.  Further discussion
   is probably off-topic for the bind-users list.
 
   /Niall

One way to test is to have a test box that sends spoofed traffic
to a machine you control.  You should be able to detect acl
or other hits.  Checking the acls regularly is also a way to
detect compromised machines that could be used for a different
badness.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
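Added example (not a vendor ACL and not from the list) for the BCP 38 points in the three "denied NS/IN" replies above: Mark's "everyone in a colo can tell you which prefixes they emit, filter everything else", his "closer to the edge is easier", and Niall's question of how to verify the filter is doing its job. The prefix-to-port assignment and the flow records are constructed with documentation addresses; the audit reports, per port, the packets the rule would drop and the sources behind them, which is the counter to watch rather than a tool for sending spoofed traffic.

```python
"""BCP 38 ingress filtering as a checkable rule, audited over constructed flows.

Added example, not any vendor's ACL syntax.  The assignment of prefixes to
edge ports and the flow records are made up (documentation addresses).
"""
import ipaddress
from collections import Counter

# Each customer/colo port may only emit the prefixes assigned to it.
PORT_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "ge-0/0/2": ["198.51.100.0/26"],
}


def ingress_verdict(port, src):
    """'permit' if src lies inside a prefix assigned to the port, else 'drop'."""
    addr = ipaddress.ip_address(src)
    nets = (ipaddress.ip_network(p) for p in PORT_PREFIXES.get(port, []))
    return "permit" if any(addr in n for n in nets) else "drop"


def audit(flows):
    """flows: (port, src, dst) records.  Returns per-port drop counts and the
    offending sources.  A non-zero count is the thing to investigate: either
    the ACL is working or a host behind that port is emitting spoofed packets."""
    drops, offenders = Counter(), {}
    for port, src, _dst in flows:
        if ingress_verdict(port, src) == "drop":
            drops[port] += 1
            offenders.setdefault(port, set()).add(src)
    return drops, offenders


def render_rules(port):
    """Ordered rule list for one port: its permits, then a logged deny.  At the
    customer-facing port the list is short, which is the 'closer to the edge'
    point; aggregated further upstream it grows with every prefix behind it."""
    rules = ["permit source %s" % p for p in PORT_PREFIXES.get(port, [])]
    rules.append("deny source any log")
    return rules


# Constructed flow sample; the last two records carry sources the port must not emit.
SAMPLE_FLOWS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5"),
    ("ge-0/0/1", "2001:db8:1::5", "2001:db8:9::1"),
    ("ge-0/0/2", "198.51.100.7", "203.0.113.5"),
    ("ge-0/0/2", "203.0.113.200", "203.0.113.53"),   # outside every assigned prefix
    ("ge-0/0/1", "198.51.100.9", "203.0.113.53"),    # a neighbour's prefix on the wrong port
]
```

Run the audit over exported flow records (NetFlow/sFlow samples or the counters on the logged deny rule) on a schedule; a port whose drop count rises is either a misconfigured customer or, as Mark notes, a compromised machine that could be used for other badness.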


Re: rndc halt -p behavior

2009-01-21 Thread Mark Andrews

In message 1a345677-0c03-45a7-a1e1-af364fe87...@gronkulator.com, Rich Goodson 
writes:
 Basically, I'm trying to use a shell script to replace the missing  
 'restart' argument to rndc,  so I was looking for  some sort of return  
 value that tells me, hey, your old named process is now gone, feel  
 free to start a new one.

 What doesn't seem to jibe to me with the behavior I see is this line:
 
  If -p is specified named's process id is returned. This allows an  
  external process to determine when named had completed halting.
 
pid=`rndc halt -p`
case $pid in
pid:*)
	# extract the number from "pid: NNNN" and poll until the process is gone
	pid=`expr "$pid" : 'pid: \([0-9]*\)'`
	echo -n "waiting for $pid to exit"
	while kill -0 $pid 2> /dev/null ; do echo -n .; sleep 1; done
	echo ". done."
	;;
esac
 
 Whether named is still answering queries or just cleaning up its  
 allocated memory, the PID is returned BEFORE named is gone, as named  
 is still running for a good while after the PID is returned (I've seen  
 up to 15 or 20 seconds or so).  So, if I use this in a script,  
 assuming the behavior that seems to be implied in the documentation,  
 I'm going to be starting a new instance of named once the PID is  
 returned, so I'm going to end up with 2 concurrent named processes.
 
 I understand that I probably seem like a pedantic pain in the ass, but  
 is this broken, or is the documentation wrong?  You seem to be saying  
 that rndc is behaving correctly, so I must therefore assume that the  
 documentation is wrong in this respect and use some sort of logic in  
 my script to tell me when named has gone *poof*.
 
 Unless the documentation is using a different definition of the word  
 halt than I am, which is entirely possible.  I'm defining halted  
 in my head as the process is gone and no longer appears in a process  
 listing, whereas you may be defining halted as when named has  
 stopped answering queries and has released its hold on port 53.  If  
 this is the case, it might not be a big deal if there are two  
 concurrent named processes, as the new one is free to grab the port  
 and start answering queries while the old one simply cleans up after  
 itself, memory-wise.
 
 -rich
 
 On Jan 21, 2009, at 5:00 PM, Mark Andrews wrote:
 
 
  In message 2971f259-4897-48f8-b418-2f7599075...@gronkulator.com,  
  Rich Goodson
  writes:
  The behavior of 'rndc halt -p' appears to be different from the
  documentation.
 
  According to the BIND 9.4 ARM rndc section:
  halt [-p] Stop the server immediately. Recent changes made through
  dynamic update or IXFR are not saved to the master files, but will be
  rolled forward from the journal files when the server is restarted.
  If -p is specified named's process id is returned. This allows an
  external process to determine when named had completed halting.
 
  But the actual behavior seems to be that 'rndc halt -p' returns
  immediately with the PID of named, but a 'ps -ef' shows named still
  running until it's done answering its unfinished recursive queries
  (or whatever it's busy doing).
 
  Is rndc broken, or is the documentation wrong, or am I missing
  something?
 
  If it makes a difference, this is on a server that exclusively does
  recursive resolution and does not serve any authoritative zones.
 
  -rich
 
  named is just freeing all memory that it has allocated.  If there
  has been a memory leak this is when it will be detected.
 
  Mark
  -- 
  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
  PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
 
 
 
 --Apple-Mail-20-871872810
 Content-Type: text/html;
   charset=US-ASCII
 Content-Transfer-Encoding: quoted-printable
 
 htmlbody style=3Dword-wrap: break-word; -webkit-nbsp-mode: space; =
 -webkit-line-break: after-white-space; divdivBasically, I'm trying =
 to use a shell script to replace the missing 'restart' argument to rndc, =
 nbsp;so I was looking for nbsp;some sort of return value that tells =
 me, hey, your old named process is now gone, feel free to start a new =
 one./divdivbr/divdivWhat doesn't seem to jibe to me with the =
 behavior I see is this line:/divdivbr/divdiv/divblockquote =
 type=3DcitedivIf -p is specified named's process id is returned. =
 This allows an external process to determine when named had completed =
 halting./div/blockquotedivbr/divdivWhether named is still =
 answering queries or just cleaning up its allocated memory, the PID is =
 returned BEFORE named is gone, as named is still running for a good =
 while after the PID is returned (I've seen up to 15 or 20 seconds or =
 so). nbsp;So, if I use this in a script, assuming the behavior that =
 seems to be implied in the documentation, I'm going to be starting a new =
 instance of named once the PID is returned, so I'm

Re: denied NS/IN

2009-01-23 Thread Mark Andrews

In message f4058b15-888b-4cbd-b682-2ea2e1889...@stupendous.net, Nathan 
Ollerenshaw writes:
 On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
 
  Hello, looking at my logs today, I am getting hammered with these:
  20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:  
  query (cache) './NS/IN' denied
  20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:  
  query (cache) './NS/IN' denied
 
  Repeated over and over, how do I tell what they are, and if they are  
  bad, what is the best way to block them?
  --
  Scott
 
 Scott,
 
 As you know, these are spoofed queries, created in the hope that you  
 will reflect traffic back to these IPs to assist in DDoSing them.
 
 Patrik Rak posted to my blog an iptables rule, which is useful for  
 those of us running linux, that drops this specific type of recursive  
 query; namely IN NS queries against '.'.
 
 iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
 0220...@1216=10220...@2024=00220...@21=0x00020001
 
 I've tested it, and it appears effective. I now have blessed silence  
 in my logfiles.

If you don't also have blessed silence on the counters
on this rule there is still a problem and you should be
complaining to whoever is sending the packets to you.

This just stops the amplification; it doesn't clear up the
problem.
 
 Ideally it'd be great to be able to track back through the internet  
 and get every single network operator to implement BCP 38, but while  
 that's getting done (and good luck with that), you at least have a  
 workaround.
 
 At least until the kiddies change what kind of query they use ... god  
 forbid they work out what names an authoritative nameserver WILL  
 respond to and query that.
 
 Hope this helps,
 
 Nathan.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
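Added example, not Patrik's iptables rule (which the archive has mangled) and not from the list: the same match written out in Python so the logic can be read, plus the per-source counter Mark asks for. The match is the one the rule encodes: a query (QR clear) with exactly one question whose QNAME is the root (a single zero byte), QTYPE NS (2) and QCLASS IN (1). Dropping is the workaround; the counter tells you whether the spoofed stream is still arriving and which claimed source, i.e. which reflection victim, it is aimed at. Traffic sample and addresses are constructed.

```python
"""Classify inbound DNS queries for '. NS IN' and count them per claimed source.

Added example, not Patrik's u32 rule.  It mirrors that rule's match in plain
code and keeps the counter Mark says to watch after dropping the packets.
"""
import struct
from collections import Counter

NS, IN = 2, 1


def is_root_ns_query(payload):
    """True for a query whose single question is '. NS IN', the reflection probe."""
    if len(payload) < 17:
        return False
    _qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:          # must be a query with exactly one question
        return False
    # Right after the header: the root QNAME is one zero byte, then QTYPE and QCLASS.
    return payload[12] == 0 and struct.unpack("!HH", payload[13:17]) == (NS, IN)


def build_query(qid, qname_wire, qtype, qclass=IN, rd=True):
    """Constructed query packet; qname_wire is already in wire form."""
    flags = 0x0100 if rd else 0
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + qname_wire + struct.pack("!HH", qtype, qclass)


class ReflectionMonitor:
    """Drops '. NS' probes and counts them per claimed source address; with
    spoofed packets that source is the victim the reflected replies would hit."""

    def __init__(self):
        self.hits = Counter()

    def observe(self, src, payload):
        if is_root_ns_query(payload):
            self.hits[src] += 1
            return "drop"
        return "pass"

    def noisy_sources(self, threshold):
        """Sources seen at least 'threshold' times: what to report upstream."""
        return sorted(s for s, n in self.hits.items() if n >= threshold)


# Constructed traffic sample (documentation addresses).
SAMPLE = [
    ("203.0.113.7", build_query(1, b"\x00", NS)),
    ("203.0.113.7", build_query(2, b"\x00", NS)),
    ("203.0.113.7", build_query(3, b"\x00", NS)),
    ("198.51.100.9", build_query(4, b"\x00", NS)),
    ("192.0.2.5", build_query(5, b"\x07example\x03com\x00", 1)),   # ordinary A query
    ("192.0.2.6", build_query(6, b"\x00", 6)),                       # '. SOA' is not matched
]


def run_sample(threshold=2):
    """Feed the sample through one monitor; returns (decisions, hit counts, noisy)."""
    mon = ReflectionMonitor()
    decisions = [mon.observe(src, payload) for src, payload in SAMPLE]
    return decisions, dict(mon.hits), mon.noisy_sources(threshold)
```

The last sample line is the caveat Nathan raises: a probe for any other type or name passes this match untouched, so the counter is evidence for the complaint to the upstream, not a fix.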


Re: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

2009-01-23 Thread Mark Andrews

In message bay133-w4474fd4aa8331c2dc6bee1b4...@phx.gbl, wiskbr...@hotmail.com
 writes:
 
 Hello;
 
 I have two DMZ BIND/DNS servers running whose purpose is to allow lookups via
 them from my otherwise incapable internal network.
 
 I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1.
 Both servers are running Sparc/Solaris 9.
 
 Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed
 lookups for .gov sites, I found that the server was now attempting to resolve
 using IPv6 style addresses.  I am not able to find any such attempts in the
 past at all from either server (See messages from BIND 9.5.1-P1 server below).

It always was.  Named now uses connected UDP sockets so the
error codes make it back from the kernel.
 
 I've installed a newer db.root file by running dig then saving the output to
 db.root.  The newer file contained IPv6 style entries, which I've manually
 removed (about the same time attempts ceased)
 
 I've also tried to force any attempts at using IPv6 and what appear to be
 issues resolving .gov domains in my named.conf like this:

To disable the use of IPv6 use named -4.  I would however
recommend that you get yourself IPv6 connectivity instead.
 
 options {
 edns-udp-size 512;
 max-udp-size  512;

Unless you have a firewall or NAT that has trouble with
EDNS packets of particular sizes you should not need to set
these.  If you do need to set these then you really should
look at replacing/reconfiguring the offending box.

 listen-on-v6 { none; };
 };
 
 logging {
 category lame-servers {null;};
 category edns-disabled {null;};
 };
 
 
 The issues that I was seeing with .gov sites resulted in this type of error in
 my logfile:
 
 Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
 
The problem here is too many timeouts.  This may or may
not be related to EDNS.

 Any help would be greatly appreciated, am I missing something obvious, or
 perhaps I need to add something else into my configs?
 
 Thank you,
 
 
 .vp
 
 
 Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
 
 Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
 
 Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53

Which are perfectly understandable if you don't have IPv6
connectivity.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-25 Thread Mark Andrews

MX records are supposed to be pointed to the name the mail
exchanger knows itself as.  This will correspond to an A
record.  If I could work out a way to determine which A
records don't correspond to the name by which the mail
exchanger knows itself as I'd also have named issue a warning
for such A records.  Unfortunately there isn't a way to
make such a determination.

When a CNAME is used you get configuration errors reported from
MTAs when they try to send email to themselves.  This still
happens today.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
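Added example (not named's check code and not from the thread) of the check this warning stands for, in the form of a zone lint: every MX exchange and NS target is looked up in the zone, and a target that is a CNAME owner is reported, as is an in-zone target with no A/AAAA at all. The second condition is as far as a zone file can go; which name the mail exchanger knows itself by, Mark's real criterion, is not visible from the zone. The zone is constructed.

```python
"""Zone lint: MX exchanges and NS targets must be names with address records.

Added example, not BIND's check code.  Parses a constructed zone in a
minimal 'owner type rdata' form and reports MX/NS targets that are CNAMEs
(the warning in this thread) or that exist without any A/AAAA record.
"""
from collections import defaultdict


def parse_zone(text):
    """Map (owner, type) -> [rdata] from 'owner type rdata ; comment' lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";")[0].strip()            # drop comments and blank lines
        if not line:
            continue
        owner, rtype, *rdata = line.split()
        records[(owner.lower().rstrip("."), rtype.upper())].append(" ".join(rdata))
    return records


def lint_targets(records):
    """Return (owner, type, target, reason) for every questionable MX/NS target."""
    problems = []
    owners = {owner for owner, _ in records}
    for (owner, rtype), rdatas in records.items():
        if rtype not in ("MX", "NS"):
            continue
        for rdata in rdatas:
            # MX rdata is 'preference exchange', NS rdata is just the target name
            target = rdata.split()[-1].lower().rstrip(".")
            if (target, "CNAME") in records:
                problems.append((owner, rtype, target, "target is a CNAME"))
            elif target in owners and (target, "A") not in records and (target, "AAAA") not in records:
                problems.append((owner, rtype, target, "target has no address record"))
            # an out-of-zone target cannot be judged from this zone alone
    return problems


# Constructed zone: one good MX, one pointing at a CNAME, one at a name without an address.
SAMPLE_ZONE = """
example.com.        NS     ns1.example.com.
example.com.        MX     10 mail.example.com.      ; fine: exchange has an A record
example.com.        MX     20 mx.example.com.        ; wrong: exchange is a CNAME
ns1.example.com.    A      192.0.2.53
mail.example.com.   A      192.0.2.25
mx.example.com.     CNAME  mail.example.com.
relay.example.com.  TXT    "no address here"
example.com.        MX     30 relay.example.com.     ; wrong: owner exists but has no A/AAAA
"""
```

The CNAME case is the one that bites in practice, for the reason given in the follow-up below: servers do not chase CNAMEs when filling the additional section, so the MTA gets the CNAME without an address and has to resolve the exchange again, and some MTAs treat a CNAME exchange as a configuration error outright.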


Re: Unified Root - Domain Configuration Issue

2009-01-25 Thread Mark Andrews

In message 497cae4b.4020...@dougbarton.us, Doug Barton writes:
 Joe Baptista wrote:
  So a little more testing using firefox as an application gives us some
  interesting results.  Using the .TM TLD I entered http://tm/ into my
  browsers.  It did not work.  Firefox replaced http://tm/ with
  http://www.tm.com/ - which is not the web site I wanted to reach.
 
 In Firefox' titlebar enter 'about:config' (no quotes) then in the
 filter type 'keyword.enabled' and double-click that entry to toggle it
 to false.

The correct fix for this is:

browser.fixup.alternate.enabled -> false

keyword.enabled -> false stops the search engine lookup.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: error sending response log messages

2009-01-26 Thread Mark Andrews

In message 497caef2.80...@yahoo.com, Andre LeClaire writes:
 Hello everyone,
 I've been seeing these syslog messages for about a week on a FreeBSD 
 server running BIND 9.4.3-P1:
 
 Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error 
 sending response: permission denied
 Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error 
 sending response: permission denied
 Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error 
 sending response: permission denied
 Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error 
 sending response: permission denied
 
 Ports 135-139 and 445 are denied by the firewall on the outside 
 interface.

Why do you care about what port you are sending to?  Just
allow named to send its replies.

 It looks like it might be some kind of Windows exploit, but 
 I've Googled and searched the BIND mailing lists, and haven't found any 
 clues yet.
 Has anybody else seen this?
 
 Thanks!
 
 Andre
 


Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-26 Thread Mark Andrews

In message 2d378cb064ba4d06880aed8ed81f3...@ahsnbw1, Al Stu writes:
 Thus, if an alias is used as the value of an NS or MX record, no address 
 will be returned with the NS or MX value.
 
 Above statement, belief, perception etc. has already been proven to be a 
 fallacy (see the network trace attached to one of the previous messages). 
 Both the CNAME and A record are in fact returned, unless the CNAME RR points 
 to some other zone such as say smtp.googlemail.com.

Please show one vendor that follows a CNAME when processing the
*additional* section.  AFAIK there is no vendor that does this.
Named doesn't.

CNAME is followed when processing the *answer* section.
 
 So within the zone SMTP requirements are in fact met when the MX RR is a 
 CNAME.  So there is no need to prevent this nor to label it as illegal. 
 The MX RR CNAME check should be improved to include this case and not throw 
 a message if the MX RR CNAME is resolvable within the zone.

A lot of the reason why people think they can do this is
that it doesn't always blow up in their faces when they do
it.  When there is only one MX record and that name points
to a CNAME the MX records are not looked up on the mail
exchanger so things don't blow up.  Have multiple MX records
with different preferences and point those at CNAMEs then
things start blowing up because the higher preference mail
exchanger does look up the MX RRset and does process it.
That is when things blow up.  The rules are there to prevent
this situation.

The message is staying.  If you don't want to see it turn
it off in named.conf but don't log a bug report complaining
that we didn't detect the misconfiguration.

Mark

 - Original Message - 
 From: Matus UHLAR - fantomas uh...@fantomas.sk
 To: bind-users@lists.isc.org
 Sent: Monday, January 26, 2009 8:18 AM
 Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT 
 Illegal
 
 
  On 26.01.09 09:19, bsfin...@anl.gov wrote:
  If I have in DNS
 
   cn IN CNAME realname
 
  and I query for cn, the DNS resolver will return realname.
  BIND also returns the A record for realname.  Is this a requirement?
  If not, then
 
   mx IN 10 MX cn
 
  will result in:
 
   1) the MX query returning cn,
 
   2) the cn query returning realname,
 
   3) a third (and RFC-breaking) query to get the A for realname.
 
  There are only two queries if the resolver returns the A record along
  with the realname of the CNAME record.
 
  according to RFC1035 sect. 3.3.9
 
  MX records cause type A additional section processing for the host
  specified by EXCHANGE.
 
  according to RFC2181 sect 10.3.
 
  The domain name used as the value of a NS resource record, or part of the
  value of a MX resource record must not be an alias.
 
  It can also have other RRs, but never a CNAME RR.
 
  Additional section processing does not include CNAME records...
 
  Thus, if an alias is used as the value of an NS or MX record, no address
  will be returned with the NS or MX value.
 
 
  -- 
  Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
  Warning: I wish NOT to receive e-mail advertising to this address.
  Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
  The box said 'Requires Windows 95 or better', so I bought a Macintosh.


Re: What are these entries in the log file - query: . IN NS +?

2009-01-26 Thread Mark Andrews

In message fvhsn493t2pb75c93nm1s14lkttiu0i...@4ax.com, Tony Toews [MVP] writes:
 Gregory Hicks ghi...@hicks-net.net wrote:
 
 
  2) What are they?
 
 They look like the DDoS being discussed on the NANOG list.
 
 Have you implemented BCP38?  If not, why not...
 
 I have no idea what BCP38 is and how I can implement that.

http://www.ietf.org/rfc/rfc3704.txt

 Would you be so k ind as to supply links relevant to Windows 2003 Server?
 
 Thanks, Tony
 -- 
 Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can 
 read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at 
 http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/


Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-26 Thread Mark Andrews

In message 0aa37ce829ba458b9ba2d199a6d96...@ahsnbw1, Al Stu writes:
 How about these two?
 
  > nullmx.domainmanager.com
 Non-authoritative answer:
 Name:mta.dewile.net
 Address:  69.59.189.80
 Aliases:  nullmx.domainmanager.com
 
  > smtp.secureserver.net
 Non-authoritative answer:
 Name:smtp.where.secureserver.net
 Address:  208.109.80.149
 Aliases:  smtp.secureserver.net

Which just goes to show you don't understand the issue.

Ask the correct question and you will see a response which
demonstrates what people are talking about.  If the server was
doing what you say it does you would see the CNAME in the
additional section.

; <<>> DiG 9.3.6-P1 <<>> mx secureserver.net @cns2.secureserver.net. +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21506
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;secureserver.net.  IN  MX

;; ANSWER SECTION:
secureserver.net.   3600IN  MX  0 smtp.secureserver.net.

;; AUTHORITY SECTION:
secureserver.net.   3600IN  NS  cns2.secureserver.net.
secureserver.net.   3600IN  NS  cns1.secureserver.net.

;; ADDITIONAL SECTION:
cns1.secureserver.net.  3600IN  A   208.109.255.100
cns2.secureserver.net.  3600IN  A   216.69.185.100

;; Query time: 181 msec
;; SERVER: 216.69.185.100#53(216.69.185.100)
;; WHEN: Tue Jan 27 12:54:26 2009
;; MSG SIZE  rcvd: 125

 There are two reasons it does not blow up in people's faces.  1) If the 
 CNAME RR points to an A record in the same zone, both the A record and 
 the CNAME record are returned, thus meeting the A record requirement.  2) 
 SMTP servers are required to accept an alias and look it up.  Thus there is 
 no need for this.
 
 And no it does not matter if there are multiple MX records with different 
 preferences values.

Which just means you have not ever experienced the problems
this causes.  MTAs are not required to look up the addresses of
all the mail exchangers in the MX RRset to process the MX
RRset.  MTAs usually learn their name by gethostname() or
similar and that name is not a CNAME or there is a
misconfiguration.

The fact that email still gets delivered in the presence
of misconfigurations is good luck rather than good management.

Mark
 

Re: What are these entries in the log file - query: . IN NS +?

2009-01-26 Thread Mark Andrews

In message barmar-3c4a47.20101026012...@mara100-84.onlink.net, Barry Margolin writes:
 In article gllha9$2ot...@sf1.isc.org,
  Tony Toews [MVP] tto...@telusplanet.net wrote:
 
  Gregory Hicks ghi...@hicks-net.net wrote:
  
  
   2) What are they?
  
  They look like the DDoS being discussed on the NANOG list.
  
  Have you implemented BCP38?  If not, why not...
  
  I have no idea what BCP38 is and how I can implement that.  Would you be so
  
  kind as
  to supply links relevant to Windows 2003 Server?
 
 BCP38 is not something you implement, it's something that has to be 
 implemented by the ISPs hosting the attacking systems.  They have to 
 block forged source IPs from their customers.

BCP 38 is something everyone should implement.  A site
shouldn't allow packets to leave with bogus source addresses.

That being said there is no real expectation that home users
will be implementing BCP 38 so it falls back to the ISPs to
implement it to catch the bad packets when they reach their
network.
 
 Since there are many ISPs out there that are too lazy, incompetent, or 
 just don't care, we're probably never going to be rid of these kinds of 
 attacks.

Agreed.  You can however do your part by choosing ISP/IAPs that
deploy BCP 38 over ones that don't.  Add it to the selection
criteria for an ISP/IAP.  Ones that do are probably more clueful
overall and you will have fewer problems in the end.
 
Mark

 -- 
 Barry Margolin, bar...@alum.mit.edu
 Arlington, MA
 *** PLEASE don't copy me on replies, I'll read them in the group ***


Re: What are these entries in the log file - query: . IN NS +?

2009-01-26 Thread Mark Andrews

In message ulssn453ohc7rj6lobgkje0g0prvqd3...@4ax.com, Tony Toews [MVP] writes:
 Tony Toews [MVP] tto...@telusplanet.net wrote:
 
  How do I know I'm not answering those?
  
 Since you're on win, I can't help you, but whatever your packet monitor
 is, see if you are replying to their requests, even with a REFUSED
 response.
 
 It looks like the server is replying with a refused statement.  The following
  are the
 two lines that WireShark captured.
 
 Standard query NS Root
 Standard query response, refused

Good.  The attacker is trying to use you as an amplifier and
that is not happening.  That is all one can reasonably
expect.

The next thing you should do is ask your ISP to chase them
back to their source and if they are local to the ISP block
them by implementing BCP 38, otherwise to pass on the request
to the peers they are getting them from.

Mark
 


Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-26 Thread Mark Andrews

In message 3c802402a28c4b2390b088242a91f...@ahsnbw1, Al Stu writes:
 
 RFC 974:
 There is one other special case.  If the response contains an answer which
 is a CNAME RR, it indicates that REMOTE is actually an alias for some other
 domain name. The query should be repeated with the canonical domain name.

And that is talking about the response to a MX query.  The section
from which you quote starts with: 

Issuing a Query

   The first step for the mailer at LOCAL is to issue a query for MX RRs
   for REMOTE.  It is strongly urged that this step be taken every time
   a mailer attempts to send the message.  The hope is that changes in
   the domain database will rapidly be used by mailers, and thus domain
   administrators will be able to re-route in-transit messages for
   defective hosts by simply changing their domain databases.

and the paragraph after that which you quote is:

   If the response does not contain an error response, and does not
   contain aliases, its answer section should be a (possibly zero
   length) list of MX RRs for domain name REMOTE (or REMOTE's true
   domain name if REMOTE was a alias).  The next section describes how
   this list is interpreted.

So I would suggest that you stop taking text out of context.

CNAME -> MX is legal
MX -> CNAME is illegal

Mark
 
 - Original Message - 
 From: Scott Haneda talkli...@newgeo.com
 To: Al Stu al_...@verizon.net
 Cc: bind-users@lists.isc.org
 Sent: Monday, January 26, 2009 8:09 PM
 Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT 
 Illegal
 
 
  On Jan 26, 2009, at 7:54 PM, Al Stu wrote:
 
  If you refuse a CNAME then it is your SMTP server that is broken.   The 
  SMTP RFC's clearly state that SMTP servers are to accept and  lookup a 
  CNAME.
 
 
  [RFC974] explicitly states that MX records shall not point to an alias 
  defined by a CNAME.  That is what I was talking about, are you saying 
  this is not correct?  As this is what I was under the impression for 
  quite some time.
  --
  Scott
  
 


Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-26 Thread Mark Andrews

In message b3ba5e37553642e28149093cdee78...@ahsnbw1, Al Stu writes:
 
 Yes,  the response to an MX query, that is the subject here.  And a CNAME is 
 in fact permitted and specified by the RFC's to be accepted as the response 
 to an MX lookup.

No one is saying a CNAME is not permitted in response to a MX
query.
 
 If the response does not contain an error response, and does not contain 
 aliases
 See there, alias is permitted.  You just keep proving my case.

We are saying that when you lookup the address of the mail
exchanger that you shouldn't get a CNAME record.  MX ->
CNAME is not permitted.  Others have quoted similar text
from more recent RFC's.

RFC 974

   Note that the algorithm to delete irrelevant RRs breaks if LOCAL has
   a alias and the alias is listed in the MX records for REMOTE.  (E.g.
   REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL).  This
   can be avoided if aliases are never used in the data section of MX
   RRs.

 I am not taking it out of context.  It is very explicitly stated.  And the 
 context is that of locating the target/remote host by first submitting an MX 
 query, then submitting an A query of the MX query result.

The text you quote is ONLY talking about the MX query.
There is no then submitting an A query of the MX query
result at this point in the RFC.

 The MX query 
 result is permitted to be and alias, which in turn when submitted for an A 
 query results in both the A and CNAME being returned.  Thus meeting the SMTP 
 RFC requirements.



Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-26 Thread Mark Andrews

In message bc7c01a4-1803-4906-bd90-93037b4ae...@newgeo.com, Scott Haneda writes:
 On Jan 26, 2009, at 10:03 PM, Barry Margolin wrote:
 
  In article gllr91$2vq...@sf1.isc.org,
  Scott Haneda talkli...@newgeo.com wrote:
 
  100% right.  I refuse MX's that are cnamed, and I get emails from
  customers asking what is up.  What is strange, and I can not figure  
  it
  out, is that the admins of the DNS/email server always tell me this  
  is
  the first time they have heard of it.
 
  So you're not following the be liberal in what you accept half of  
  the
  Interoperability Principle, which is intended specifically to avoid
  problems due to such confusion.
 
 
 Because that worked so well for HTML :)
 I was thinking about that quote just the other day.  To be honest, I  
 think it applies well to social issues, but not technical or  
 engineering/programming ones.  The second you accept liberally, that  
 tells the submitter that it is ok.
 
 I am hard pressed to think of one case in which liberally accepting  
 data is a good thing.  It is that very expression that defines why we  
 have <b><p><i>sometext</p></b></i>
 
 Just consider the ramifications of parsing that one simple string,  
 which is now non trivial to parse.  What if C worked this way?
 
 Just some thoughts I was having the other day.
 --
 Scott
 

Liberal in what you accept means don't die on arbitrary
input.  You should still reject rubbish.




Re: What are these entries in the log file (blocking)

2009-01-27 Thread Mark Andrews

In message 260425.38131...@web38201.mail.mud.yahoo.com, W Sanders writes:
 The easy way to block people trying to DoS you, without needing a firewall, 
 is to just null route their IP: add route 1.2.3.4 127.0.0.1. Of course this 
 blocks ALL traffic from that IP, but in most cases the IP trying to DoS you 
 is someone you don't care about anyway. If you have an authoritative server, 
 this has the side effect of blocking them from getting any DNS about your 
 domain - USUALLY a good thing. 
 
 Remember to remove the route after a while (in Unix with an at job) so a 
 year from now you or another sysadmin isn't completely confused - the 
 routing table on a server isn't exactly the first thing one looks at.
 
 You can also write a script that grabs these IPs out of the syslog and 
 automatically null routes them. Call it intrusion detection if you will. 
 
 -w

Which does collateral damage.

Complain to your ISP if you are receiving these forged queries.
they should be tracked back to their source and eliminated.

Mark


Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-27 Thread Mark Andrews

In message d53c69e1f478453a8371b49b4f04c...@ahsnbw1, Al Stu writes:
 So then you disagree that the following example returns a valid address 
 record for srv1?

The MX query won't return the A record for srv1.  The
additional section processing rules say to add A / AAAA
records not CNAME records.

You fail to understand that the rule is there so that MX
processing can be done in a deterministic manner.  I don't
care that when you look up mx1.xyz.com you eventually get
an address record.  The damage is done long before that
lookup is performed.

Email is processed in this order:
Look up MX records.
Process the MX RRset.
Lookup address records and attempt to deliver the email.

Mark
 
 srv1  300 IN A 1.2.3.4
 mx1   300 IN CNAME srv1.xyz.com.
 @   300 IN MX 1 mx1.xyz.com.
 
 1) Select Target Host:
 The MX query for xyz.com delivers mx1.xyz.com which is a CNAME.
 
 2) Get Target Host Address:
 The A query for mx1.xyz.com delivers the address (A) record of srv1.xyz.com, 
 1.2.3.4, and also delivers the alias (CNAME) record of mx1.xyz.com.
 
 
 *** PLEASE don't copy me on replies, I'll read them in the group ***
 
 
 - Original Message - 
 From: Mark Andrews mark_andr...@isc.org
 To: Al Stu al_...@verizon.net
 Cc: bind-users@lists.isc.org
 Sent: Tuesday, January 27, 2009 1:46 AM
 Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT 
 Illegal
 
 
 
  In message 10b3763032c94ae2ba4900b3137d1...@ahsnbw1, Al Stu writes:
 
  The paragraph you cite regarding LOCAL has a alias and the alias is 
  listed
   in the MX records for REMOTE... is a periphery issue which is handled by 
  not
  doing that.
 
   Then why are you complaining?  The error message is only emitted
   when you add such an alias.
 
  No one is saying a CNAME is not permitted in response to a MX query.
 
  Well good then, we agree.
 
  No.
 
  The MX record data value can be a CNAME.
 
  No.
 
  That is
  what BIND is complaining about, and I in turn saying should be
  changed/removed.
 
  i.e. BIND should not complain about the following, but it does.  It says 
  the
  MX record is illegal.  But it is not.
 
  srv1  300 IN A 1.2.3.4
  mx1   300 IN CNAME srv1.xyz.com.
  @   300 IN MX 1 mx1.xyz.com.
 
  The MX query for xyz.com delivers mx1.xyz.com which is a CNAME.
  The A query for mx1.xyz.com delivers the address (A) record of 
  srv1.xyz.com,
  1.2.3.4, and the alias (CNAME) record of mx1.xyz.com.
 
  *** PLEASE don't copy me on replies, I'll read them in the group ***
 
 

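As an added example (not code from the thread or from ISC), a small Python script that reproduces the check behind the message being argued about: it parses the srv1/mx1 zone from the thread and flags MX or NS targets that own a CNAME, plus the related "CNAME with other data" error. The parser, the extra SOA/NS framing records and the address 1.2.3.5 are constructed assumptions.

```python
#!/usr/bin/env python3
"""Flag MX and NS records whose target is a CNAME.

Added example, not ISC code: it reproduces, over a tiny hand-rolled zone
parser, the check that makes named log the message Al Stu objects to.
The sample zone is constructed from the srv1 / mx1 records in the thread.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample zone: the thread's records plus minimal SOA/NS framing.
SAMPLE_ZONE = """\
$ORIGIN xyz.com.
$TTL 300
@      IN SOA ns1.xyz.com. hostmaster.xyz.com. ( 1 3600 900 604800 300 )
@      IN NS  ns1.xyz.com.
ns1    IN A   1.2.3.5
srv1   300 IN A 1.2.3.4
mx1    300 IN CNAME srv1.xyz.com.
@      300 IN MX 1 mx1.xyz.com.
@      300 IN MX 10 srv1.xyz.com.
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR"}
Records = Dict[str, List[Tuple[str, List[str]]]]


def absolute(name: str, origin: str) -> str:
    """Make an owner or target name fully qualified relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> Records:
    """Parse one-line records into {owner: [(type, rdata fields), ...]}.

    Supports $ORIGIN, optional TTL/class fields, owner inheritance for
    lines that start with whitespace, and ';' comments.  Targets of
    NS/MX/CNAME rdata are made absolute so lookups by name work.
    """
    origin = "."
    last_owner = origin
    records: Records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL etc. do not matter for this check
        fields = line.split()
        if line[0].isspace():
            owner = last_owner
        else:
            owner = absolute(fields.pop(0), origin)
            last_owner = owner
        while fields and fields[0] not in RRTYPES:
            fields.pop(0)  # skip optional TTL and class
        if not fields:
            raise ValueError(f"cannot parse record: {raw!r}")
        rrtype = fields.pop(0)
        if rrtype == "MX":
            fields[1] = absolute(fields[1], origin)
        elif rrtype in ("NS", "CNAME"):
            fields[0] = absolute(fields[0], origin)
        records[owner].append((rrtype, fields))
    return records


def check_alias_targets(records: Records) -> List[str]:
    """named's rule: the target of an MX or NS must not own a CNAME."""
    warnings = []
    for owner, rrs in sorted(records.items()):
        for rrtype, rdata in rrs:
            if rrtype == "MX":
                target = rdata[1]
            elif rrtype == "NS":
                target = rdata[0]
            else:
                continue
            cnames = [r[0] for t, r in records.get(target, []) if t == "CNAME"]
            if cnames:
                warnings.append(
                    f"{owner} {rrtype} target {target} is a CNAME "
                    f"(-> {cnames[0]}); use the canonical name instead")
    return warnings


def check_cname_and_other_data(records: Records) -> List[str]:
    """A CNAME owner may carry no other records (RFC 2181 section 10.1)."""
    return [f"{owner} has a CNAME together with other records"
            for owner, rrs in sorted(records.items())
            if any(t == "CNAME" for t, _ in rrs) and len(rrs) > 1]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for msg in check_alias_targets(zone) + check_cname_and_other_data(zone):
        print("warning:", msg)
```

The fix the check points at is the one Mark describes: point the MX at srv1.xyz.com. directly, and the warning disappears without changing where mail goes.
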
Re: disableing EDNS messages bind-9.5.0

2009-01-27 Thread Mark Andrews

In message pine.neb.4.64.0901271203100.26...@tx.reedmedia.net, Jeremy C. Reed writes:
  I'm trying to troubleshoot why we are getting a lot of disabling EDNS 
  messages in /var/log/messages.
  
  We are running bind-9.5.0.P2 on a linux box.
  
  Jan 27 11:42:23 ns0 named[27764]: too many timeouts resolving 
  'host2.centmine.com/' (in 'centmine.com'?): disabling EDNS
 
 Please consider using 9.5.1-P1 or 9.6.0-P1. They include EDNS improvements 
 related to logging.

They also have this fix which can result in packets appearing to
get lost.

Mark

2504.   [bug]   Address race condition in the socket code. [RT #18899]



Re: Split view multiple zones

2009-01-28 Thread Mark Andrews

In message 49800cfd.nihabiqjcalhfl+u%akos...@andykosela.com, Andy Kosela writes:
 Reinis Rozitis r...@roze.lv wrote:
 
   I've been using an include file for zones common between multiple 
   views, might help in your case too.
 
  Thanks, somehow didn't think about this way. Pretty much takes to 
  acceptable solution :)
 
 Yes, include statement is the best option especially if you have a lot
 of zones.  That approach also works great if you need to provide
 recursion for some of your clients *and* serve authoritative records for
 the rest of the world.  By creating multiple views you can also easily 
 disable answering queries for . to unknown clients.
 
 view internal {
   match-clients { LAN; };
   recursion yes;
   include zones;
 };
 
 view external {
   match-clients { any; };
   recursion no;
   additional-from-cache no;
   include zones;
 };

Or just run a currently supported version and specify

options {
allow-recursion { LAN; };
};

include zones;

and achieve the same thing for half the memory footprint and
not have to worry about different views clobbering the same
masterfiles.

Mark

 --Andy


Re: What are these entries in the log file - query: . IN NS +?

2009-01-28 Thread Mark Andrews

In message fl82o4hqjudbc65bkfk08ilg3lmk4hq...@4ax.com, Tony Toews [MVP] writes:
 Tony Toews [MVP] tto...@telusplanet.net wrote:
 
 FWIW In the last 28 hours I have the following alleged IP addresses and count in my
 log file.
 
 Real lookups    1665
 204.15.80.50       4
 3.217.28.226    1144
 4.57.246.146    9541
 6.9.16.171       577
 63.217.28.226   1463
 64.57.246.146  35163
 65.173.218.961
 67.192.144.0    1488
 7.192.144.0    12054
 76.9.16.171     1033
 
 FWIW in the last 26 hours.
 Real Lookups   1673
 0.86.80.98    14051

So who isn't doing even loose URPF?
0/8 is totally bogus and is an attack directed at you.

 4.57.246.123    4425
 4.57.246.146    22719
 6.9.16.171      419
 64.57.246.123   4885
 64.57.246.146   25023
 67.192.144.0    825
 7.192.144.0     696
 70.86.80.98     9317
 76.9.16.171     295
 
 
 So some have disappeared and new ones added.
 
 Tony
 -- 
 Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can 
 read the entire thread of messages.
Microsoft Access Links, Hints, Tips  Accounting Systems at 
 http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: named and database backed systems

2009-01-28 Thread Mark Andrews

In message 29c7b7bc-f017-4404-b011-8b50206c7...@newgeo.com, Scott Haneda writes:
 Damnit, ever time I search this stuff out, I search for named  
 something-or-other and should use BIND in my search :)
 
 I am going to test deploy on my worksation on OS X.  Named comes up  
 with relative ease, just add a key and I am pretty much up and  
 running, albeit out of date, but for testing, I am ok with that.
 
 Are you telling me I need not even build named to get DLZ support?  It  
 is just there already?

You have to tell configure that you want it.  It's still
contributed code.
 
 I see you are using postgress, mysql or sqllite should not be an issue  
 either?
 
 Zones are backed in DB, but not queried in real time are there?  If  
 they are, I can see, sub 50ms return times going way up.
 
 Thanks for pointing me in the right direction, I will go read the DLZ  
 pages now.
 
 On Jan 28, 2009, at 10:25 PM, David Ford wrote:
 
  Use the DLZ extension.  It's been around for a while.
 
  I.e. put the following in your named.conf and use whatever interface  
  you
  wish.  I use Ant with a few modifications.  I don't have nearly the
  number of domains that you do so my simple system works fine.
 
 
   dlz "postgres zone" {
      database "postgres 2
      {host=localhost dbname=dns_data user=bind password=xx}
      {SELECT 'TRUE' FROM canonical WHERE lower(content) = lower('%zone%') limit 1}
      {SELECT ttl, type, priority, data FROM record, canonical WHERE
       lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain}
      {}
      {SELECT ttl, type, host, priority, data FROM record, canonical
       WHERE zone = domain AND lower(content) = lower('%zone%')}
      {SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND
       lower(content) = lower('%zone%') AND client = inet '%client%'}";
   };
 
  Rather spiffy for centralizing your record store with immediate change
  visibility.
 
 --
 Scott
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: BIND 9.4.x vs 9.6.x - pid-file check and creation

2009-01-29 Thread Mark Andrews

In message 4981c105.8080...@sun.com, Stacey Jonathan Marshall writes:
 Mark Andrews wrote:
  Looking at the publically available parts of SunSolve there are at least
  bug reports about it.
 
  Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions.
  bug 6253984
  http://sunsolve.sun.com/search/document.do?assetkey=1-1-6253984-1 - Sep 10,
  2007

 
 FYI this has been fixed in OpenSolaris, alas it has not been fixed in 
 Solaris 9 or 10 and currently there are no plans to do so.
   
  Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions.
  bug 2152581
  http://sunsolve.sun.com/search/document.do?assetkey=1-1-2152581-1 - Sep 10,
  2007 

 This is the Solaris 10 reference, its closed (hence no plans to fix). 
 With sufficient justification it could be re-opened.

The problem isn't that you can't work around it.

The problem is that every application that calls mkdir(2)
or mkdir will eventually discover it the hard way by having
something break that shouldn't.  The net cost involved will
far exceed the cost to fix.  I would argue that it already
has passed that point.  I programmed for the expected error
behaviour and did not get it.  Error behaviour that goes
back to the initial creation of the open(2) system call.

That the error hierarchy on all file system system calls
is access, existence, write.  I learnt about this well
before POSIX was even thought about.

I called mkdir(2) knowing that I would effectively get the
stat(2) call for free.  Now I need to call stat(2) then
call mkdir(2) on ENOENT to work around this bug.  Every
programmer in the world that has worked with mkdir(2) should
know what I knew.  We don't go looking for gotchas in
system calls.  We just program for the known
interface.

I would ask that Sun re-think this decision not to fix the
bug.

Mark
 
 Stace
  I don't have a copy of the POSIX standard that covers mkdir(2) to
  see what it has to say about it.  Historically however EACCES on
  search failure,  EEXIST if the file/directory exists, then EACCES on
  parent directory write permissions was the error determination order.
 
  Mark

 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
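Both patterns from Mark's argument side by side, added here as an example and not code from BIND or from the thread. os.mkdir surfaces EEXIST as FileExistsError and EACCES as PermissionError, so the kernel's error order reaches the caller unchanged; the second helper is the stat-then-mkdir workaround, with the race it opens handled.

```python
"""Create-if-absent, written for each of the two mkdir(2) error orders.

Added example, not BIND code. ensure_dir() relies on the traditional
order (EEXIST before the parent's write-permission check);
ensure_dir_stat_first() is the workaround for a kernel that reports
EACCES first, as described in the thread.
"""
import errno
import os
import stat
import tempfile


def ensure_dir(path, mode=0o700):
    """Create path unless it already is a directory; returns 'created' or 'exists'.

    One system call performs both the test and the creation, so there is no
    window in which another process could put something else at the name.
    """
    try:
        os.mkdir(path, mode)
        return "created"
    except FileExistsError:        # EEXIST: look at what is there
        pass
    # lstat, not stat: a symlink planted at the name must not be followed
    if not stat.S_ISDIR(os.lstat(path).st_mode):
        raise NotADirectoryError(errno.ENOTDIR, "exists but is not a directory", path)
    return "exists"


def ensure_dir_stat_first(path, mode=0o700):
    """Workaround for a kernel that reports EACCES before EEXIST.

    Costs an extra system call and is not atomic: the name can appear
    between lstat() and mkdir(), so EEXIST still has to be handled.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:      # ENOENT: now it is safe to try to create it
        try:
            os.mkdir(path, mode)
            return "created"
        except FileExistsError:    # lost the race; fall through to the found case
            st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(errno.ENOTDIR, "exists but is not a directory", path)
    return "exists"


def demo():
    """Exercise both helpers in a scratch directory; returns the five outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "cache")
        first, second = ensure_dir(cache), ensure_dir(cache)
        other = os.path.join(tmp, "other")
        third, fourth = ensure_dir_stat_first(other), ensure_dir_stat_first(other)
        plain = os.path.join(tmp, "plain")        # a regular file in the way
        open(plain, "w").close()
        try:
            ensure_dir(plain)
            fifth = "accepted"
        except NotADirectoryError:
            fifth = "rejected"
    return first, second, third, fourth, fifth


if __name__ == "__main__":
    print(demo())
```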


Re: Caching-only Name server does Zone Updates

2009-02-02 Thread Mark Andrews

In message 009201c985c0$aff05cb0$f9281...@wipro74039c7ca, Ashish writes:
 Hello All,
 
 Thank you for your replies.
 
 Our configuration file is fairly simple (I have changed the domain name for
 security). 

You care about security yet you run BIND 4?
 
 domain  example.group.net 
 cache   ./etc/dnscache  
 
 We use BIND 4. Actually our DNS was doing lot of CPU utilization and when we
 started it in Debug mode we found that there was a reverse lookup for some
 IP address which was in the dnscache file. (dnscache is the root hint file)
 
 This started zone updates, as we can observe in the debug file which calls
 function db_update()
 
 Here is the debug file content (I have modified the IP address for security
 reasons. Here 21.x.x.x is one of the entries in dnscache file. I mean that
 there was a network address starting with 21 in our dnscache file)
 
 dgram from 1.2.3.4, 2 ()
  ns_req()
  req: nlookup(5.6.7.21.in-addr.arpa) id 111 type=11
  req: found '5.6.7.21.in-addr.arpa' as '21.in-addr.arpa' (cname=0)
  findns: np 0x6b41e
  findns: 2 NS's added for '21'
  ns_forw()
  qnew(x45gte8)
  nslookup(nsp=x2433d,qp=xfdgfv4)
  nslookup: NS server01.example.grp.net c1 t2 (x0)
  nslookup: 1 ns addrs
  nslookup: NS cerver01.example.grp.net c1 t2 (x0)
  nslookup: 2 ns addrs
  nslookup: 2 ns addrs total
  retrytime: nstime 0ms.
  schedretry(0x1dfd8, 4sec)
 
 Dgram from 21.x.x.x
 Ns_req()
 Qfindid(12345)
 USER response nsid= id 
 Respose from upexpected source 21.x.x.x
 Stime z/z now yy/yy rtt x
 NS #2 addr 21.x.x.x used rtt y
 NS #1 21.x.x.x rtt now z
 Resp: ancount 0, aucount 1, arcount 0
 Doupdate(zone 0, savens x, flags y)
 Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
 Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543)
 
 This is strange, there was NSLOOKUP for some IP 5.6.7.21 which caused zone
 updates and we do not have any zone specified in our configuration file.

zone 0 is the cache.  The cache was updated.

Mark
 
 Kindly advice
 
 Thanks 
 Ashish
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: DDOS prevention - how to restrict queries to hint (root) zones?

2009-02-03 Thread Mark Andrews

In message 1233658532.12933.42.ca...@muccalla.uninsubria.it, MAtteo HCE Valsasna writes:
 hi all,
 
 We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
 package), that do both recursive queries for internal clients (with
 proper allow-recursion clause) and authoritative servers for the
 institution's domain.
 
 
 There are reports of DDOS attacks based on DNS requests for the root
 zone with spoofed source IP address: 
 * the attacker sends a request for the root zone with spoofed source
 address to a DNS server 
 * The intermediate victim (DNS server) sends the reply packet -
 significantly larger than the request - to the ultimate victim (the
 owner of the spoofed source IP address in the request packet).
 * the ultimate victim connection is flooded
 
 http://isc.sans.org/diary.html?storyid=5773
 
 
 I verified that our servers reply when queried from a non-trusted source
 address for the root zone. (and we must also notice that the
 non-trusted source address argument is pretty pointless when dealing
 with spoofed source addresses: if a query with a spoofed internal source
 address could reach the server, the server would just DDOS an internal
 machine. But we do discard inbound packets with internal source IP
 addresses on the network border).
 
 The first answer to this threat would be to disallow queries for the
 root zone would for any client (the root zone is used only by the server
 itself, right?).
 
 * Do you think there is any reason NOT to do this? 
 
 * Do you know a simple way to do this?
 
 the trivial solution of adding an allow-query clause to the root
 zone definition is refused by the server, as hint type zones
 cannot have an allow-query clause - see
 https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
 
 there is possibly a way to do this using views, but...
 anything simpler?

options {
allow-query { recursive-clients; };
allow-recursion { recursive-clients; };
};

zone {
type (slave|master);
...
allow-query { any; };
};
 
Or upgrade to BIND 9.4 or later and use allow-query-cache,
BIND 9.3 is past end-of-life.

Mark

 best regards and thanks for any answer
 
 
 MAtteo Valsasna
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
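A small scanner for the two log forms quoted in these threads, added here as an example and not code from BIND or from any poster: it counts root NS queries per claimed source (the per-address counts Tony Toews posted two threads up) and separates out sources, such as the 0/8 addresses, that can only be spoofed. The sample lines, timestamps and ports are constructed; the list of non-routable prefixes is illustrative, not a full bogon list.

```python
"""Flag root-zone NS probes and impossible source addresses in BIND logs.

Added example for the bind-users threads above; not BIND code. It matches
the two spellings quoted in the threads:
  "query: . IN NS +"                (query logging, query answered)
  "query (cache) './NS/IN' denied"  (refused by allow-query / allow-recursion
                                     / allow-query-cache)
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines. Timestamps and ports are invented; the two busy
# addresses are the ones from the posted counts, 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
28-Jan-2009 10:00:01.123 queries: info: client 64.57.246.146#53: query: . IN NS +
28-Jan-2009 10:00:01.130 queries: info: client 0.86.80.98#53: query: . IN NS +
28-Jan-2009 10:00:01.140 queries: info: client 192.0.2.10#54321: query: www.example.com IN A +
28-Jan-2009 10:00:01.150 security: info: client 0.86.80.98#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.160 queries: info: client 64.57.246.146#53: query: . IN NS +
28-Jan-2009 10:00:01.170 queries: info: client 192.0.2.10#54321: query: mail.example.com IN MX +
"""

# Prefixes that cannot be legitimate sources on the public Internet. A query
# "from" one of these is spoofed, and loose uRPF upstream would have dropped
# it (Mark's 0/8 point). Illustrative only, not a complete bogon list.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

LINE_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query(?P<rest>.*)$")


def is_root_ns_query(rest):
    """True for either spelling of a query for the root zone's NS RRset."""
    return rest.startswith(": . IN NS") or "'./NS/IN'" in rest


def is_non_routable(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in NON_ROUTABLE)


def analyse(log_text):
    """Count root-NS queries per claimed source; everything else is a real lookup."""
    root_by_source = Counter()
    real_lookups = 0
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            unparsed += 1
            continue
        if is_root_ns_query(m.group("rest")):
            root_by_source[m.group("ip")] += 1
        else:
            real_lookups += 1
    return {
        "root_ns_by_source": dict(root_by_source),
        "real_lookups": real_lookups,
        # claimed sources that cannot have sent anything: certainly spoofed
        "impossible_sources": sorted(ip for ip in root_by_source if is_non_routable(ip)),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```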


Re: Unexpected error question

2009-02-05 Thread Mark Andrews

In message f021020da23b6641a05e616d5ead146304597...@de01exm60.ds.mot.com, Cherney John-CJC030 writes:
 Yes, I normally use svcadm disable dns/server to stop named. Also, I've
 modified the dns/server stop method from the usual kill: to
 /usr/sbin/rndc stop. I did that because I want to make sure the cache
 gets written to the db files, which an rndc stop does. It seems that
 named is having a problem with one of the files, but I can't tell which
 one from the first syslog message. 

It is only one error split over two messages.

isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
              NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
              "%s:%d: unexpected error:", file, line);
isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
               NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
               format, args);

Mark
 
 jwc
 
 -Original Message-
 From: Gregory Hicks [mailto:ghi...@hicks-net.net] 
 Sent: Thursday, February 05, 2009 10:56 AM
 To: bind-us...@isc.org; Cherney John-CJC030
 Cc: mark_andr...@isc.org
 Subject: RE: Unexpected error question 
 
 
  Subject: RE: Unexpected error question
  Date: Thu, 5 Feb 2009 09:51:05 -0500
  From: Cherney John-CJC030 john.cher...@motorola.com
  To: bind-us...@isc.org
  
  I see. I was assuming that the second line was caused by the first
 line,
  and that if I could get more info on the first line, I could take care
 
  of both of them. I have a named user that the named process is run
 as.
  However, I see these errors even when I use rndc stop as root. 
  
  Is there any resource that recommends what permissions need to be on 
  specific SMF files for DNS? (or in general). Or is this even a 
  permissioning issue with SMF files?
 
 The problem comes from the idea that SMF wants to be the 'controller'.
 When the program in question (named in the case) receives a 'stop'
 command from rndc, SMF doesn't know WHY the program stopped, just that
 it DID stop.  Thus the error.
 
 A better way to stop named might be
 
 svcadm named disable
 
 (I think that's the right syntax but could be wrong.  I am NOT an SMF
 expert...)  That should avoid the error message.
 
 There was some discussion on the smf-disc...@opensolaris.org list last
 month on how to avoid error messages when you don't care if the
 underlying service stops all by itself.
 
 Regards,
 Gregory Hicks
 
  
  Thanks!
  jwc
  
  -Original Message-
  From: mark_andr...@isc.org [mailto:mark_andr...@isc.org]
  Sent: Thursday, February 05, 2009 1:18 AM
  Cc: Cherney John-CJC030; bind-us...@isc.org
  Subject: Re: Unexpected error question
  
  
  In message 200902050609.n1569ktg082...@drugs.dv.isc.org, Mark
 Andrews
  writes:
   
   In message f021020da23b6641a05e616d5ead146304597...@de01exm60.ds.mot.com, Cherney John-CJC030 writes:
I'm seeing the following lines in syslog, which occur when I shut down named:

general: error: ./main.c:858: unexpected error:
general: error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action

I'm running 9.3.5-P1 on Solaris 10 x86

I took a quick look at the source code and it looks like there should be a file and/or filenumber as part of the unexpected error line. I've noticed the same two lines when I issue an rndc stop. The named process does stop, but I'm worried that there may be data in the cache that isn't getting written to the db files. Nothing jumped out at me from my google search. It seems like I have a file permissions issue, but I haven't recently changed any file permissions. I don't see any unusual messages on startup.

Can someone point me in the right direction for this? Is there any other information I should/could provide?

Thanks!
jwc
   
 SMF is Sun's management facility.  The code in question was
 submitted by Sun.  I would be looking at how you have SMF set
 up in particular how to give the user named is running under
 permission to disable itself.
  
  See also
  http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
  as mentioned in the FAQ.
  
   
 Mark
   --
   Mark Andrews, ISC
   1 Seymour St., Dundas Valley, NSW 2117, Australia
   PHONE: +61 2 9871 4742 INTERNET: 
 mark_andr...@isc.org
  --
  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
  PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Unexpected error question

2009-02-05 Thread Mark Andrews

In message 200902051556.n15ftxrx004...@metis.hicks-net.net, Gregory Hicks writes:
 
  Subject: RE: Unexpected error question 
  Date: Thu, 5 Feb 2009 09:51:05 -0500
  From: Cherney John-CJC030 john.cher...@motorola.com
  To: bind-us...@isc.org
  
  I see. I was assuming that the second line was caused by the first 
 line,
  and that if I could get more info on the first line, I could take care
  of both of them. I have a named user that the named process is run 
 as.
  However, I see these errors even when I use rndc stop as root. 
  
  Is there any resource that recommends what permissions need to be on
  specific SMF files for DNS? (or in general). Or is this even a
  permissioning issue with SMF files?
 
 The problem comes from the idea that SMF wants to be the 'controller'.
 When the program in question (named in the case) receives a 'stop'
 command from rndc, SMF doesn't know WHY the program stopped, just that
 it DID stop.  Thus the error.
 
 A better way to stop named might be
 
 svcadm named disable
 
 (I think that's the right syntax but could be wrong.  I am NOT an SMF
 expert...)  That should avoid the error message.
 
 There was some discussion on the smf-disc...@opensolaris.org list last
 month on how to avoid error messages when you don't care if the
 underlying service stops all by itself.

This is a plain permissions problem.  The user named doesn't
have enough permissions to disable the service 
svc:/network/dns/server:default in smf.
 
 Regards,
 Gregory Hicks
 
  
  Thanks!
  jwc
  
  -Original Message-
  From: mark_andr...@isc.org [mailto:mark_andr...@isc.org] 
  Sent: Thursday, February 05, 2009 1:18 AM
  Cc: Cherney John-CJC030; bind-us...@isc.org
  Subject: Re: Unexpected error question 
  
  
  In message 200902050609.n1569ktg082...@drugs.dv.isc.org, Mark 
 Andrews
  writes:
   
   In message f021020da23b6641a05e616d5ead146304597...@de01exm60.ds.mot.com, Cherney John-CJC030 writes:
I'm seeing the following lines in syslog, which occur when I shut down named:

general: error: ./main.c:858: unexpected error:
general: error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action

I'm running 9.3.5-P1 on Solaris 10 x86

I took a quick look at the source code and it looks like there should be a file and/or filenumber as part of the unexpected error line. I've noticed the same two lines when I issue an rndc stop. The named process does stop, but I'm worried that there may be data in the cache that isn't getting written to the db files. Nothing jumped out at me from my google search. It seems like I have a file permissions issue, but I haven't recently changed any file permissions. I don't see any unusual messages on startup.

Can someone point me in the right direction for this? Is there any other information I should/could provide?

Thanks!
jwc
   
 SMF is Sun's management facility.  The code in question was
 submitted by Sun.  I would be looking at how you have SMF set
 up in particular how to give the user named is running under
 permission to disable itself.
  
  See also
  http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
  as mentioned in the FAQ.
  
   
 Mark
   --
   Mark Andrews, ISC
   1 Seymour St., Dundas Valley, NSW 2117, Australia
   PHONE: +61 2 9871 4742 INTERNET: 
 mark_andr...@isc.org
  --
  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
  PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
 
 -
 Gregory Hicks   | Principal Systems Engineer
 | Direct:   408.569.7928
 
 People sleep peaceably in their beds at night only because rough men
 stand ready to do violence on their behalf -- George Orwell
 
 The price of freedom is eternal vigilance.  -- Thomas Jefferson
 
 The best we can hope for concerning the people at large is that they
 be properly armed. --Alexander Hamilton
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: SERVFAIL from validating nameservers for advocaat.pro advocaten.pro

2009-02-05 Thread Mark Andrews

In message prayer.1.3.1.0902051754210.4...@hermes-2.csi.cam.ac.uk, Chris 
Thompson writes:
 On Feb 5 2009, I wrote:
 
 DLV records for advocaat.pro  advocaten.pro are among the recent
additions to dlv.isc.org. Using validating recursive nameservers
 running BIND 9.5.1-P1 (configured to trust dlv.isc.org), I get SERVFAILs
 looking things up in them, although not consistently. This doesn't
 happen with non-validating nameservers.
 
 I can't work out what is wrong with them. Does anyone else see the
 same effect?
 
 More info about the not consistently bit. With nothing about
 them in the cache (rndc flushname advocaat.pro) looking up SOA or
 NS records for them gives SERVFAIL. But looking up A records does
 not, and after that SOA and NS lookups work OK as well.
 
 Hmmm...

The TLD lies.  DNSSEC is doing exactly what it is
supposed to do and is blocking bad answers.

Mark

; <<>> DiG 9.3.6-P1 <<>> advocaat.pro soa @c.gtld.pro +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29667
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;advocaat.pro.  IN  SOA

;; AUTHORITY SECTION:
pro.14400   IN  SOA a.gtld.pro. 
hostmaster.registrypro.pro. 2009020518 28800 7200 604800 300

;; Query time: 186 msec
;; SERVER: 192.149.64.10#53(192.149.64.10)
;; WHEN: Fri Feb  6 11:45:31 2009
;; MSG SIZE  rcvd: 96

 
 -- 
 Chris Thompson
 Email: c...@cam.ac.uk
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: expired or non-authoritative domains

2009-02-06 Thread Mark Andrews

In message 2070cf420902060124ged41b99jf56a15306c9b2...@mail.gmail.com, Konstantin N. Bezruchenko writes:
 Hello,
 
 I have a two DNS servers, which our customers uses to host their domains.
 
 Sometimes customers forgot to renew domain, or just don't want to
 renew it, or they move domain to other name servers.
 However i still have records for this domains in my configs.
 
 Is there any way to determine which domains are no longer use my name servers
 ?
 
 Sure, i can write some script just to make queries to root servers,
 parse answers and look if domains is still refers to my nameservers,
 but i believe there must be some native way?

Unless you are serving TLDs you don't want to query the root
servers.  You want to query the parent servers and yes that
is the easiest way.
 
Mark
 Thanks.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: manually generating tsig keys

2009-02-08 Thread Mark Andrews

In message 20090206194146.ga24...@norchemlab.com, Justin T Pryzby writes:
 ARM9.5 still mentions manual generation of TSIG data:
 https://www.isc.org/software/bind/documentation/arm95#tsig
 
 Is there any advantage to using -keygen ?

It really depends  on how you are going to use the key.
For zone transfers there is no benefit as you have to copy
and paste at both ends.  For nsupdate there is benefit as
you can use nsupdate -k keyfile.

  ISTR some mention of an
 algorithm used to minimize the possibility of collisions.  Or is that
 true for any key used with HMAC?
 
 Justin
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: possible noob question - @ CNAME?

2009-02-08 Thread Mark Andrews

In message e4b42c39-914d-42be-9488-7ae0eba34...@r41g2000prr.googlegroups.com, 
RJValenta writes:
 forever ago, i set myself up with a solid bandwidth and static IPs and
 started to host websites for my friends  their small businesses.
 basically, they covered the cost of my internet access.
 
 so for 10 years i've been hosting my own name, mail, and web servers
 allowing me to '@ A xxx.xxx.xxx.xxx' and then to make life easy i
 would 'www IN CNAME mywebserver.mydomain.com.'  i say easy, because
 that way in the event that i changed ISPs and got new IP addresses,
 there was less chance of my screwing up a www and MX record if i made
 sure to change the two primary machines' A records properly.
 
 however, the '@ IN xxx.xxx.xxx.xxx' would always need to be changed
 manually.
 
 Is there a way around this?  is it possible in some fashion to '@ IN
 CNAME my.server.com' ?
 
 I ask because I'm trying to trim back here, and move my NS hosting to
 NetSol and subsequently trim back on what i have to manage.  at this
 stage in the game i'd rather have more time to not worry about my
 friend's personal website about their kids, and still be confident
 that their wife's home business website will still stay up.
 
 any ideas on how i can CNAME their @ record so their http://whatever.com
 will still work, but in the end, i'm only managing one domain's IP
 records?
 
 thanks,
 
 richard

No you can't.  From the FAQ.

Q: I get error messages like multiple RRs of singleton type and CNAME
   and other data when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact
   records involved by transferring the zone using dig then running
   named-checkzone on it.

   dig axfr example.com @master-server > tmp
   named-checkzone example.com tmp

   A CNAME record cannot exist with the same name as another record except
   for the DNSSEC records which prove its existence (NSEC).

   RFC 1034, Section 3.6.2: If a CNAME RR is present at a node, no other
   data should be present; this ensures that the data for a canonical name
   and its aliases cannot be different. This rule also insures that a
   cached CNAME can be used without checking with an authoritative server
   for other RR types.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting

2009-02-08 Thread Mark Andrews


 One example in closing for ya, go try and get an RFC compliant Bind server 
 to respond to a request for name resolution on a host that has an _ 
 (underscore) in the name, MS allows this, and a zone transfer of this kinda 
 stuff between an MS Server and a Bind server, can give you MUCH grief!

It will be noisy but it won't fail with default settings. 
You can tell named not to complain.  See check-names.

check-names master fail;
check-names slave warn;
check-names response ignore;

Mark
 
 Good luck!!
 
 
 wiskbr...@hotmail.com wrote in message 
 news:bay133-w543f0f7a46c3153066cf86b4...@phx.gbl...
 
 
  Hello;
 
  My site is presently using a product derived from BIND-8 for internal DNS 
  only.
 
  For years our Windows team has been arguing that they want to be 
  non-dependent on the non-MS DNS servers; which they say causes them much 
  grief on firmwide shutdown/bootups.
 
  Well, their concerns have fallen on ears of those who can make that 
  decision and it now appears as though we must either come up with good 
  reasons why we should retain BIND, or a BIND derived product, or simply a 
  plan to allow MSDNS and BIND to coexist at all.
 
  Can anyone provide me, or point me at, any good docs on this subject, I am 
  certain that their a tons of stuff out there, I need simple, to the point 
  type of stuff.
 
  Also, can anyone think of any good reason why our internal, non-public 
  accessible network, should not just be allowed to run either a mixed 
  BIND/MS-DNs setup?  The slave/cache/whatever-but not master, would have to 
  be BIND.
 
 
  The case the windows team made was ease of adding entries, you simply add 
  into the MMC, or even easier, when you join a host into a domain, it adds 
  itself.
 
  Thanks all,
 
  .vp
 
  
 
 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
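A zone checker covering the two FAQ messages quoted in the "@ CNAME" reply above and the host-name rule behind check-names in this one, added here as an example and not code from BIND, the FAQ or any poster. The parser is deliberately small (one RR per line, $ORIGIN, $TTL, '@', relative names, leading-blank "same owner" lines) and the sample zone is constructed.

```python
"""Zone checks: CNAME beside other data, doubled singleton RRs, host names.

Added example; not code from BIND or from the FAQ. The apex always carries
SOA and NS, so "@ IN CNAME" always trips the first check, which is why the
question asked in the thread cannot be done. The third check is the
host-name rule check-names applies to A/AAAA owner names.
"""
import re

SINGLETON_TYPES = {"CNAME", "DNAME", "SOA"}   # at most one RR per name
CNAME_COMPANIONS = {"RRSIG", "NSEC"}           # DNSSEC proof may sit beside a CNAME
HOST_CHECKED_TYPES = {"A", "AAAA"}             # owner names checked as host names
HOST_LABEL_RE = re.compile(r"^(\*|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)$")

# Constructed sample zone: the "@ CNAME" idea from the thread, a doubled
# CNAME and an underscore host name. 192.0.2.0/24 is documentation space.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@            IN SOA   ns1 hostmaster 2009020801 7200 900 1209600 300
@            IN NS    ns1
@            IN CNAME my.server.com.
www          IN CNAME mywebserver
mywebserver  IN A     192.0.2.1
ns1          IN A     192.0.2.2
alias        IN CNAME mywebserver
             IN CNAME ns1        ; same owner as the line above
my_host      IN A     192.0.2.3
"""


def parse_zone(text, origin=None):
    """Yield (owner, rtype) per record; owner is absolute, with trailing dot."""
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                    # $TTL etc. carry no record
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if tokens and tokens[0].isdigit():          # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":    # optional class
            tokens.pop(0)
        if not tokens or owner is None:
            continue
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        yield owner, tokens[0].upper()


def is_valid_hostname(name):
    """RFC 952/1123 host-name labels: letters, digits, inner hyphens (or '*')."""
    return all(HOST_LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def check_zone(text, origin=None):
    """Return a sorted list of problems, in the spirit of named-checkzone."""
    types_at = {}
    rr_count = {}
    for owner, rtype in parse_zone(text, origin):
        types_at.setdefault(owner, set()).add(rtype)
        rr_count[(owner, rtype)] = rr_count.get((owner, rtype), 0) + 1
    problems = []
    for owner, types in types_at.items():
        if "CNAME" in types:
            others = sorted(types - {"CNAME"} - CNAME_COMPANIONS)
            if others:
                problems.append(f"{owner}: CNAME and other data ({', '.join(others)})")
        checked = sorted(types & HOST_CHECKED_TYPES)
        if checked and not is_valid_hostname(owner):
            problems.append(f"{owner}: owner name fails host-name check ({', '.join(checked)})")
    for (owner, rtype), n in rr_count.items():
        if rtype in SINGLETON_TYPES and n > 1:
            problems.append(f"{owner}: multiple RRs of singleton type {rtype}")
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE):
        print(problem)
```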


Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-10 Thread Mark Andrews

Please go read the list archives.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-10 Thread Mark Andrews

In message f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com, Thomas Manson writes:
 

The subject matter has been discussed in lots of detail
over the last month.  Go read the archives of the mailing
list.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-10 Thread Mark Andrews

In message f43eb7e60902101621y66133c17lc46a1df451f1b...@mail.gmail.com, Thomas Manson writes:
 
 That's some awesome answer... (did you get helped to elaborate it?)
 
 equivalent : google is your friend, search the RFCs

Feeding the error message into Google would have given you
lots of relevant information.

query (cache) './NS/IN' denied

I didn't want to start yet another debate about what is the
right thing to do.

Mark

 Then... read the list archives... I guess I can spend the next ten years if
 I read it from the beginning
 
 Could you give any clue of what to look for ?
 
 I believed I was on bind mailing list, a mailing list is where you usually
 get some help... isn't it ?
 
 Thomas.
 
 On Wed, Feb 11, 2009 at 00:52, Thomas Manson dev.mansontho...@gmail.com wrote:
 
  
 
 
  On Wed, Feb 11, 2009 at 00:51, Mark Andrews mark_andr...@isc.org wrote:
 
 
 Please go read the list archives.
 
 Mark
  --
  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
  PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
 
 
 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Strange results from dnssec-dsfromkey

2009-02-16 Thread Mark Andrews

Looks like a silly bug that will be simple to fix.

In message prayer.1.3.1.0902161618270.29...@hermes-2.csi.cam.ac.uk, Chris 
Thompson writes:
 I don't understand the results I am getting from dnssec-dsfromkey
 (BIND 9.6.0-P1, Solaris 10_x86, Sun Studio 10 C compiler).
 
 For instance:
 
 $ /usr/local/sbin/dnssec-keygen -a RSASHA1 -b 512 -n ZONE -f KSK test
 Ktest.+005+21283
 
 $ cat Ktest.+005+21283.key
 test. IN DNSKEY 257 3 5 
 AwEAAbmcz5O8AzmbwidEoTMkHbaDhr0EfqKsq6WUyXWn5icJgqMTEoBO 
 T03sgCEDXvnMUNthrV6vBIW9sINCLHzrAJc=
 
 $ /usr/local/sbin/dnssec-dsfromkey Ktest.+005+21283
 test. IN DS 26153 5 1 4DB6296434AA1E9C95C6B68AC1A325AFF2BF856A
 test. IN DS 61367 154 2 
 7733D6D7F56602BB709BE521AFB861AEAF522E1A1946AF788EC994C8 259D3882
 
 $ /usr/local/sbin/dnssec-dsfromkey -1 Ktest.+005+21283
 test. IN DS 26153 5 1 4DB6296434AA1E9C95C6B68AC1A325AFF2BF856A
 
 $ /usr/local/sbin/dnssec-dsfromkey -2 Ktest.+005+21283
 test. IN DS 32741 47 2 
 344D72A40621EF9F6C6FF665B6CAA8E6165928E0AA33074668668C88 8364E27F
 
 In that case the SHA256 records are inconsistent, but at least the
 SHA1 ones came out the same each time...
 
 $ /usr/local/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -f KSK test
 Ktest.+005+45172
 
 koala:~:2.2166$ cat Ktest.+005+45172.key
 test. IN DNSKEY 257 3 5 
 AwEAAd0QNMsmSdlyOmMCQX95VS/cOVCK18PorGVmpptTz/pZaCKuErxT 
 RLNEnJb1qDw7HoFu2uSs40YhiqI4p/gyBwcK
 Tj3qr+hGLqX1+zQ6Gf5T SQJEMysWgmFrsqxaUx5M1V1HykprwP+td1rTUPktsrRX3y9JhftYjgCr 
 jlxhz2x1
 
 koala:~:2.2167$ /usr/local/sbin/dnssec-dsfromkey Ktest.+005+45172
 test. IN DS 57820 5 1 4154C73FB7759E846C90092E8EF5CE16FB2630C3
 test. IN DS 361 36 2 1F88F1C881EA4353C838C56837161A1719B03CE57FA74015CACD3611 
 9BC82F22
 
 koala:~:2.2168$ /usr/local/sbin/dnssec-dsfromkey -1 Ktest.+005+45172
 test. IN DS 57820 5 1 B05B7CD38865DED8B4C2F3360764DFF6B3C7C86C
 
 koala:~:2.2169$ /usr/local/sbin/dnssec-dsfromkey -2 Ktest.+005+45172
 test. IN DS 60190 254 2 
 85FEA41A86A84F76E067180884E8A86943870F8FE0554DE81E834306 92EE1DEF
 
 ... but this time the SHA1 digests come out differently as well!
 
 Does dnssec-dsfromkey behave properly for others?
 
 -- 
 Chris Thompson
 Email: c...@cam.ac.uk
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
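Added as a cross-check, not code from the thread or from BIND: this computes the key tag (RFC 4034 appendix B) and the SHA-1 and SHA-256 DS digests (RFC 4034 section 5) directly from the DNSKEY RDATA of the 512-bit key posted above, and checks the property the quoted output violates, that every DS line for one key shares the same key tag and algorithm number.

```python
"""Compute DS records from a DNSKEY (RFC 4034 section 5, key tag from
appendix B) as an independent cross-check of dnssec-dsfromkey output.
Added example, not code from the thread or from BIND."""
import base64
import hashlib

# 512-bit RSASHA1 KSK quoted in the bug report (flags 257, protocol 3, alg 5),
# re-joined from the two wrapped lines of the .key file.
TEST_KSK_B64 = ("AwEAAbmcz5O8AzmbwidEoTMkHbaDhr0EfqKsq6WUyXWn5icJgqMTEoBO"
                "T03sgCEDXvnMUNthrV6vBIW9sINCLHzrAJc=")

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, pubkey_b64, digest_types=(1, 2)):
    """Return (owner, tag, algorithm, digest_type, hex_digest) per digest type.

    The digest is over the canonical owner name followed by the DNSKEY RDATA.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    tag = key_tag(rdata)
    wire_owner = name_to_wire(owner)
    out = []
    for dt in digest_types:
        digest = DIGEST_TYPES[dt](wire_owner + rdata).hexdigest().upper()
        out.append((owner, tag, algorithm, dt, digest))
    return out


def consistent(ds):
    """True when every DS line carries the same key tag and algorithm.

    The output quoted above fails this (26153/5 versus 61367/154 for one key).
    """
    return len({(tag, alg) for _, tag, alg, _, _ in ds}) == 1


if __name__ == "__main__":
    ds = ds_records("test.", 257, 3, 5, TEST_KSK_B64)
    for owner, tag, alg, dt, digest in ds:
        print(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    print("consistent:", consistent(ds))
```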


Re: adb.c:1526: INSIST(find-adbname == ((void *)0)) failed

2009-02-17 Thread Mark Andrews

In message 1234867921.16690.43.ca...@d410-heron, Niall O'Reilly writes:
 On Mon, 2009-02-16 at 12:17 +1100, Mark Andrews wrote:
  It should be unrelated.  I would however still upgrade.
 
   Thanks, Mark.
 
   If I don't see the same assertion failure with
   the current release, I guess that's closed.
 
   One advantage of upgrading is getting all those nice
   log entries reporting EDNS faults.  8-)

No.  You get log entries reporting TIMEOUTS.

Using EDNS is only one possible reason for the timeout and
it is one we have control over so that is why it is mentioned.

Mark

   /Niall
 
   
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: NOTAUTH on dynamic zone update

2009-02-17 Thread Mark Andrews

In message gnalak$f1...@news.motzarella.org, Benedikt Gollatz writes:
 Hello everyone,
 
 I use nsupdate to dynamically update a reverse lookup zone hosted by my 
 BIND9 setup. For that purpose, I've created host-type HMAC-MD5 keys, 
 added an appropriate key section to my configuration, added the updating 
 host to the controls section, and added an allow-update parameter to the 
 zone configuration like this:
 
 zone [...] in {
 type master;
 [...]
 allow-update { key key-name; };
 };
 
 I pass the key to nsupdate using one (either) of the keyfiles generated by 
 dnssec-keygen with the -k parameter.
 
 Unfortunately this doesn't work. When running nsupdate, I get a failed: not 
 authoritative for update zone (NOTAUTH) error in my server log file, and no 
 updating is done.

The zone section in the update message does NOT match a
master/slave zone configured in the view that the update
message matched.

Mark
 
 I'm confused about the error message because both the BIND configuration file
 and the SOA record of the zone state that the server indeed is authoritative 
 for the update zone.
 
 Also, this configuration works fine with a dhcpd updating a different zone 
 hosted by the same server.
 
 Googling yields a few people with similar problems but no real solution. Any 
 hints on what I might be doing wrong are appreciated.
 
 Benedikt
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Catch ALL Setup

2009-02-18 Thread Mark Andrews

In message 1234976434.12081.26.ca...@d410-heron, Niall O'Reilly writes:
 On Wed, 2009-02-18 at 16:19 +1100, Mark Andrews wrote:
  
  $ORIGIN .
  @ 0 SOA ...
  @ 0 NS ...
  * 0 A 1.2.3.4
 
   That may be too minimal.
   I found I needed a few couple of extra wildcard records.
 
 $ORIGIN .
 @ IN  SOA . bit-bucket.ucd.ie. (
   2009021302  ; serial
   14400   ; Refresh - 4 hours 
   7200; Retry - 2 hours
   1209600 ; Expire - 14 days
   1800 )  ; Neg. Caching - 30 minutes
 ;
 @ IN  NS  captive.ucd.ie.
 ;
 ; Over-ride wildcard for captive.ucd.ie
 captive.ucd.ie. INTXT Unaddressable
 ;
 ; Target for all name resolution
 netreg.ucd.ie.IN  A   137.43.116.32
 ;
 ; Wildcard alias
 * IN  CNAME   netreg.ucd.ie.
 ;
 ; Wildcards otherwise masked by empty non-terminals
 *.ie. IN  CNAME   netreg.ucd.ie.
 *.ucd.ie. IN  CNAME   netreg.ucd.ie.
 
   /Niall

Well if you want to go to such a complicated setup then yes
you need to add the extra wildcards.  You also need to add
additional address records which you are missing for ie
and ucd.ie.

The OP said that *everything* had to resolve to the one
address.  Everything includes the nameserver.  The only
thing that doesn't resolve is the root and I think one can
get by without that resolving to an address.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
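To show why the extra wildcards are needed, and why Mark says the empty non-terminals themselves still need address records, here is an added model (not code from the thread or from BIND) of the wildcard matching rule from RFC 4592 run over a reduction of the two zones above; the SOA/NS rdata and the query names are constructed.

```python
"""Wildcard lookup on a catch-all zone, following the RFC 4592 rule that a
'*' record only matches when the closest existing ancestor of the query
name (possibly an empty non-terminal) is the one that owns it.  Added
example, not code from the thread or from BIND; the zones are constructed
reductions of the records quoted above."""


def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical(name):
    return ".".join(labels(name)) + "."        # the root is "."


def ancestors(name):
    """The name itself, then each parent, ending with the root."""
    ls = labels(name)
    return [".".join(ls[i:]) + "." for i in range(len(ls) + 1)]


class Zone:
    def __init__(self, records):
        self.rrsets = {}                       # owner -> [(type, rdata), ...]
        for owner, rtype, rdata in records:
            self.rrsets.setdefault(canonical(owner), []).append((rtype, rdata))
        # Every ancestor of an owner name exists as well; one that owns no
        # records of its own is an empty non-terminal (ENT).
        self.names = set()
        for owner in self.rrsets:
            self.names.update(ancestors(owner))

    def lookup(self, qname, qtype):
        """Return (rcode, [(owner, type, rdata)]) for qname/qtype in this zone."""
        q = canonical(qname)
        if q in self.names:                    # exact match; an ENT yields NODATA
            return "NOERROR", self._answer(q, q, qtype)
        for anc in ancestors(q)[1:]:           # closest encloser
            if anc in self.names:
                wildcard = canonical("*." + anc)
                if wildcard not in self.names:
                    return "NXDOMAIN", []
                return "NOERROR", self._answer(wildcard, q, qtype)
        return "NXDOMAIN", []

    def _answer(self, owner, qname, qtype):
        return [(qname, t, r) for t, r in self.rrsets.get(owner, [])
                if t == qtype or t == "CNAME"]


def resolve_a(zone, name, max_chain=4):
    """Resolve an A query, chasing CNAMEs inside the zone; returns (rcode, addresses)."""
    rcode, rrs = zone.lookup(name, "A")
    for _ in range(max_chain):
        cnames = [r for _, t, r in rrs if t == "CNAME"]
        if not cnames:
            break
        rcode, rrs = zone.lookup(cnames[0], "A")
    return rcode, [r for _, t, r in rrs if t == "A"]


# Mark's minimal zone: only the root and one wildcard exist (rdata constructed).
MINIMAL = Zone([(".", "SOA", "ns. hostmaster. 1 3600 600 86400 60"),
                (".", "NS", "ns."),
                ("*.", "A", "1.2.3.4")])

# Niall's zone before the extra wildcards: captive.ucd.ie. and netreg.ucd.ie.
# make ucd.ie. and ie. empty non-terminals, which shadow the top-level '*'.
CAPTIVE_RECORDS = [
    (".", "SOA", ". bit-bucket.ucd.ie. 2009021302 14400 7200 1209600 1800"),
    (".", "NS", "captive.ucd.ie."),
    ("captive.ucd.ie.", "TXT", "Unaddressable"),
    ("netreg.ucd.ie.", "A", "137.43.116.32"),
    ("*.", "CNAME", "netreg.ucd.ie."),
]
CAPTIVE = Zone(CAPTIVE_RECORDS)

# Niall's extra wildcards plus the address records Mark says are still
# missing for the empty non-terminals themselves.
CAPTIVE_FIXED = Zone(CAPTIVE_RECORDS + [
    ("*.ie.", "CNAME", "netreg.ucd.ie."),
    ("*.ucd.ie.", "CNAME", "netreg.ucd.ie."),
    ("ie.", "A", "137.43.116.32"),
    ("ucd.ie.", "A", "137.43.116.32"),
])

if __name__ == "__main__":
    for zone_name, zone in (("captive", CAPTIVE), ("captive+fixes", CAPTIVE_FIXED)):
        for q in ("www.example.com.", "www.ucd.ie.", "ucd.ie."):
            print(zone_name, q, resolve_a(zone, q))
```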


Re: bind 9.60p1 on solaris 10

2009-02-19 Thread Mark Andrews

In message 937393c4-77a8-4dba-8a4f-14560c25c...@o11g2000yql.googlegroups.com,
 SN writes:
 Hi Group.
 
 libcrypto.so.0.9.8 is not being found as a link library.  Trying to
 run as in a chroot'ed environment on solaris 10 (core install).
 Kindly advise.

Install the package that includes OpenSSL.
 
 r...@qdc-dns2(bash-3.0)/dns/chroot/usr/local/sbin# ldd /dns/chroot/usr/local/sbin/named
 libcrypto.so.0.9.8 => (file not found)
 libnsl.so.1 => /usr/lib/libnsl.so.1
 libnsl.so.1 (SUNW_1.9.1) => (version not found)
 libsocket.so.1 => /usr/lib/libsocket.so.1
 libscf.so.1 => /usr/lib/libscf.so.1
 libpthread.so.1 => /usr/lib/libpthread.so.1
 libthread.so.1 => /usr/lib/libthread.so.1
 libxml2.so.2 => /usr/lib/libxml2.so.2
 libz.so.1 => /usr/lib/libz.so.1
 libm.so.2 => /usr/lib/libm.so.2
 libc.so.1 => /usr/lib/libc.so.1
 libmp.so.2 => /lib/libmp.so.2
 libmd.so.1 => /lib/libmd.so.1
 libdoor.so.1 => /lib/libdoor.so.1
 libuutil.so.1 => /lib/libuutil.so.1
 libgen.so.1 => /lib/libgen.so.1
 /platform/SUNW,Serverblade1/lib/libc_psr.so.1
 /platform/SUNW,Serverblade1/lib/libmd_psr.so.1
 
 r...@qdc-dns2(bash-3.0)/dns/chroot/usr/local/sbin# /etc/init.d/dns start
 ld.so.1: named: fatal: libcrypto.so.0.9.8: open failed: No such file or directory
 Killed
 
 Kind Regards,
 -Sajed Naseem
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Question re separating caching and authoritative servers

2009-02-20 Thread Mark Andrews

In message d6e873fbd84699096e9d6cf291634...@cornell.edu, John Wobus writes:
 What are the good ways to let your local caching server serve your
 own site's data even after a caching-server reboot during an Internet
 outage? If the caching server locates your own authoritative data
 through normal delegation channels, and cannot reach the roots and
 TLDs, then your own local clients could be unable to resolve names
 of local servers, etc.
 
 Any especially good or bad practices? Things that have worked well
 or poorly? Right now, I'm leaning toward having the caching server
 transfer key zones.

That's reasonable.   The other alternative is to set up
stub zones which short circuit the resolution process.

 John Wobus

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: client query logging (refused message)

2009-02-23 Thread Mark Andrews

In message b8cf98c8-86d0-42df-95a4-e98a65cab...@i15g2000pro.googlegroups.com,
 asd...@gmail.com writes:
 62.109.4.89 and 195.68.176.4 are compromised/attackers

Actually they are more likely to be under attack.

Make sure that you (and your ISP) have deployed the measures
in BCP 38 to ensure that you are not the source of such an
attack.

Mark
 
 See my post here:http://www.linuxforums.org/forum/redhat-fedora-linux-
 help/140848-var-log-messages-question.html
 
 Sample log entries:
 Feb 19 08:24:17 asdlkf named[6459]: client 62.109.4.89#32721: query
 (cache) './NS/IN' denied
 Feb 19 08:24:18 asdlkf named[6459]: client 195.68.176.4#25853: query
 (cache) './NS/IN' denied
 Frequency: 40 to 90 queries from those hosts per minute.
 
 -- Chris
 
 
 
 On Feb 17, 2:19 pm, JINMEI Tatuya jinmei_tat...@isc.org wrote:
  At Tue, 17 Feb 2009 08:15:39 -0500,
 
  Matthew Huff mh...@ox.com wrote:
   17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view
   external-in: query: . IN NS +
   ...
 
   logged, and I have verified that the query is refused, but nothing in the
   log shows that it was refused. Is there anyway to log the success/failure
  of
   the queries?
 
  Not yet, but BIND 9.7 (and perhaps next minor versions of 9.6 and 9.5)
  will provide a new logging category that can log the information you
  seem to want:
 
  17-Feb-2009 14:15:45.998 debug 3: client ::1#50076: query failed (REFUSED) 
 for ./IN/NS at query.c:3887
 
  ---
  JINMEI, Tatuya
  Internet Systems Consortium, Inc.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: empty DoS queries

2009-02-23 Thread Mark Andrews

I suspect you have a broken application on 10.48.0.19.

Mark

In message 70fo2df49pf...@mid.individual.net, Frank Kirschner writes:
 Hello,
 since last night we log empty queries (approx. 4000 per second) like 
 this from a client in our LAN:
 
 23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.523 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.524 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.525 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.527 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.531 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 23-Feb-2009 13:20:15.533 queries: info: client 10.48.0.19#2048: query: 
 \(none\) IN A +
 
 
 Additionally there are also such log entries (approx. 4000 per second):
 
 23-Feb-2009 14:05:56.464 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.470 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.483 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.489 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.500 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.508 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.517 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.521 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.533 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.539 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.546 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.558 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.565 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.572 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.584 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 23-Feb-2009 14:05:56.591 queries: info: client 10.48.0.19#2048: query: 
 luca.inetgate.net IN A +
 
 What could be the reasons for it? Should I investigate and limit the 
 packet flow by iptables/netfilter on port 53 of my BIND 9, actual 
 release for Centos 5.2
 
 best regards
 Frank
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Hostname Naming Compliance

2009-02-24 Thread Mark Andrews

In message 49a3a09a.2000...@blue-labs.org, David Ford writes:
 Here's a question.  Are we incapable of dealing with things like
 underscores in hostnames?  Is there any significant harm in adapting?

When does it stop?  What will be the next character you
just have to have?  At the moment you have 1 inter label
separator and 1 intra label separator.  That should be
enough for anyone.

Additionally underscore is used in names in the DNS to
keep those names out of the hostname namespace. 

Mark

 -david
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: EDNS - edns-udp-size and max-udp-size

2009-02-24 Thread Mark Andrews

In message 200902240828.n1o8slln027...@mail42.nsc.no, Jan Arild Lindstrøm writes:

 How can it reduce it from 512 that is in the config, down to 512?

The code just looks at the number of timeouts not at what
size was sent in the initial query.  triededns512() records
when the DNS_FETCHOPT_EDNS512 has been set not when the
initial query advertised a receive buffer of 512 bytes.

        if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
             fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
            (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
                query->options |= DNS_FETCHOPT_NOEDNS0;
                fctx->reason = "disabling EDNS";
        } else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
                    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
                   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
                query->options |= DNS_FETCHOPT_EDNS512;
                fctx->reason = "reducing the advertised EDNS UDP packet "
                               "size to 512 octets";
        }
 
 I was expecting to see only after disabling EDNS messages after setting
 the size(s) to 512.
 
 It seems to me that max-udp-size and/or edns-udp-size does not do what I
 want, which is to use 512 byte packets.

max-udp-size controls the size of packets you send.
edns-udp-size controls the size of packets you receive.

A packet trace should show you that they are working, as you
won't see UDP packets over 512 bytes in either direction if
you have that set.

What you need to find out is what is causing the packet
loss.  Even with a clear EDNS path you will see some of
these logged as not all timeouts are due to EDNS issues.

Mark
 
 OS: Solaris 10 (SunOS 5.10 13-01)
 BIND: 9.6.0-P1, threaded.
 
 
 Regards
 Jan Arild Lindstrøm
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: EDNS - edns-udp-size and max-udp-size

2009-02-24 Thread Mark Andrews

In message 20090225002133.gb99...@isc.org, Evan Hunt writes:
  The code just looks at the number of timeouts not at what
  size was sent in the initial query.  triededns512() records
  when the DNS_FETCHOPT_EDNS512 has been set not when the
  initial query advertised a receive buffer of 512 bytes.
 
 But, if the initial query uses a receive buffer of 512 bytes or less,
 can't we just set DNS_FETCHOPT_EDNS512 straight off and save a step?
 
 eh

One could but, as was evident from the logs, it would cause
named to switch back to plain DNS more often when it didn't
need to.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: how to create a private test. zone?

2009-03-02 Thread Mark Andrews
:
  ;example.test.  IN  A
 
  ;; ANSWER SECTION:
  example.test.   86400   IN  A   192.168.2.10
 
  ;; AUTHORITY SECTION:
  example.test.   86400   IN  NS  plesk.test.
 
  ;; Query time: 2 msec
  ;; SERVER: 192.168.2.10#53(192.168.2.10)
  ;; WHEN: Sun Mar  1 10:41:43 2009
  ;; MSG SIZE  rcvd: 66
 
 
  What I'm doing wrong in the delegation, and how can I fix it?
 
 
  My network diagram is:
 
  +-+
  | isp |
  +-+ 10.0.2.3 (DNS)
 |
  ---+--- 10/24
 |
  +-+ 10.0.2.15 +-+
  | sun |   |plesk|
  +-+ 192.168.2.1   +-+ 192.168.2.10
 | |
  ---+-+- 192.168.2/24
 
  isp
  my ISP DNS server host.
  sun
  my local DNS server host that hosts the test. zone.
  NB: this is an recursive server.
  NB: it also forwards to isp dns server.
  NB: local resolv.conf points to 192.168.2.1
  plesk
  my other local DNS server host that hosts the example.test.
  zone.
  NB: this is an authoritative server only.
  NB: local resolv.conf points to 192.168.2.1
 
 
  This is what the Sun DNS server has about the test. zone:
 
  $TTL10m ; default TTL
  $ORIGIN test.   ; base domain-name
  @   IN  SOA sun hostmaster (
  2008042800 ; serial
  10m; refresh
  15m; retry
  3w ; expire
  10m; minimum
  )
 
  IN  NS  sun
 
  sun IN  A   192.168.2.1
  plesk   IN  A   192.168.2.10
 
  ; delegate example.test. to plesk.test.
  example IN  NS  plesk
  ;exampleIN  A   192.168.2.10
 
 
  And this is what the Plesk DNS server has about the example.test.
  zone:
 
  @   IN  SOA plesk.test. ironman.example.test. (
  1235830200  ; Serial
  10800   ; Refresh
  3600; Retry
  604800  ; Expire
  10800 ) ; Minimum
 
  example.test.IN NS   plesk.test.
  example.test.IN A192.168.2.10
 
 
 
  If you need more information, please let me known.
 
  Thanks!
 
 
  Best regards,
  Rui Lopes
 
 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Mark Andrews

In message 397019c15b5a45899bb02b1b212e1...@bradon, bradonkuo writes:
 Dear all bind users,
 
 I am new to managing 3 BIND 9 servers. Lately, I got some complaints about
 users not being able to connect to some websites while they use our BIND 9
 servers; this issue is solved if they use another ISP's BIND 8 servers. One
 example is below. Can we modify any configuration of the BIND 9 servers to
 solve this issue so that users don't need to change anything?
 
 Sincerely,
 
 Bradon Kuo from Taiwan, Taipei,
 
  lserver 168.95.1.1
 Default Server:  dns.hinet.net
 Address:  168.95.1.1
 
  www.hangan.org.tw
 Server:  dns.hinet.net
 Address:  168.95.1.1
 
 Non-authoritative answer:
 Name:www.hangan.org.tw
 Address:  211.21.92.25
 
  lserver 163.21.249.166
 Default Server:  dns.tp.edu.tw
 Address:  163.21.249.166
 
  www.hangan.org.tw
 Server:  dns.tp.edu.tw
 Address:  163.21.249.166
 
 DNS request timed out.
 timeout was 2 seconds.
 DNS request timed out.
 timeout was 2 seconds.
 *** Request to dns.tp.edu.tw timed-out
 

Depending upon how old the BIND 8 server is it may be
promoting the glue below to answer.  I can't get any response
out of the nameserver itself.  tcpdump shows queries going
out and no responses coming back.  Either the nameserver
is dead or it is firewalled off.

Try asking for the mx record at both servers and see if you
get a response.  This requires the other ISP to query the
nameserver rather than rely on glue.

Mark

; <<>> DiG 9.7.0pre-alpha <<>> www.hangan.org.tw @c.twnic.net.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34204
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.hangan.org.tw. IN  A

;; AUTHORITY SECTION:
hangan.org.tw.  86400   IN  NS  www.hangan.org.tw.
hangan.org.tw.  86400   IN  NS  mail.hangan.org.tw.

;; ADDITIONAL SECTION:
www.hangan.org.tw.  86400   IN  A   211.21.92.25
mail.hangan.org.tw. 86400   IN  A   211.21.92.25

;; Query time: 359 msec
;; SERVER: 168.95.192.10#53(168.95.192.10)
;; WHEN: Wed Mar  4 07:36:47 2009
;; MSG SIZE  rcvd: 100



; <<>> DiG 9.3.6-P1 <<>> www.hangan.org.tw @211.21.92.25
;; global options:  printcmd
;; connection timed out; no servers could be reached


07:38:43.523517 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)
07:38:48.543936 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)
07:38:53.566828 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: how to create a private test. zone?

2009-03-03 Thread Mark Andrews

In message 49ace778.6040...@ruilopes.com, Rui Lopes writes:
 Mark Andrews wrote:
  Mark Andrews writes:

  In message 49ac5d59.1010...@ruilopes.com, Rui Lopes writes:
  
  Hi,
 
  Ben Bridges wrote:

  [...]
  You could try creating example.test as a forward zone in named.conf on
  your sun server and specifying plesk as the forwarder for that zone.
  
   Indeed, adding a forward zone like below works!  but why does it work?
  or why is it needed?
 
  zone example.test {
  type forward;
  //  forward only;
  //  forwarders { 192.168.2.10; };
  };
 
   Note that I only needed to include the type forward line, the other
   lines do not seem to be needed.  Am I missing something?  they aren't
   really needed?  By reading the bind manual it seems we have to include
   them.
  
 You turned off forwarding for that namespace.
 It's the equivalent of:
 
 zone example.test {
 type forward;
 forwarders { /* empty */ };
 };
 
 
 You could have also added it to the test zones config.
 
 zone test {
 type master;  // or slave
  
// or stub

 ...
 forwarders { /* empty */ };
 };
 
 Mark
   
 Thanks!
 
 Why isn't bind just following the example.test. NS plesk.test. RR that
 is inside the test. zone without removing the forwarders?

Because you have forwarding turned on at the options/view
level.  Unless you have a special reason (like you can't
reach the root servers) that requires forwarding I don't
recommend using it.

Mark
 
 Best regards,
 Rui Lopes
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Dumping running config/named.conf

2009-03-04 Thread Mark Andrews

bin/tests/cfg_test --named /etc/named.conf

In message 1d8c9a4471119a40bd574f9d8d464ae304bd3...@xch60ykf.rim.net, Todd Snyder writes:
 Good morning,
 
 We utilize a number of include files as part of our named.conf.  I am
 looking to see if there is a clever way to dump the entire named.conf
 (or, even better, the entire RUNNING named.conf), which includes all the
 include files.
 
 I say running config, because sometimes you do an rndc reconfig and it
 rejects some lines, but loads the ones that work.  I'd like to be able
 to dump the running config (like sh run).
 
 Cheers,
 
 Todd.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: $generate lhs problem. Manual needs to be updated.

2009-03-04 Thread Mark Andrews

In message 1e4079388e04544fa3ffa6a900d6fb65015d7...@exchange.vplsnet.net, Takahiro Masuda writes:
 Hi I was trying to get the $generate directive to work like so
 
 11 IN PTR 14.cool.com.
 
 
 
 30 IN PTR 33.cool.com.
 
 $GENERATE 11-30  ${3,0,d} PTR $.COOL.COM.

Which doesn't match what you wanted to do.
 
 I've read the manual here
 http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#id2566761
 ---
 
 Syntax: $GENERATE range lhs [ttl] [class] type rhs [ comment ]
 
 lhs describes the owner name of the resource records to be created. Any
 single $ symbols within the lhs side are replaced by the iterator value.
 To get a $ in the output you need to escape the $ using a backslash \,
 e.g. \$. The $ may optionally be followed by modifiers which change the
 offset from the iterator, field width and base. Modifiers are introduced
 by a { immediately following the $ as ${offset[,width[,base]]}. e.g.
 ${-20,3,d} which subtracts 20 from the current value, prints the result
 as a decimal in a zero padded field of width 3. Available output forms
 are decimal (d), octal (o) and hexadecimal (x or X for uppercase). The
 default modifier is ${0,0,d}. If the lhs is not absolute, the current
 $ORIGIN is appended to the name.
 
 For compatibility with earlier versions $$ is still recognized as
 indicating a literal $ in the output.
 
 ---
 
 The tricky part is ${3,0,d} was not working. I bumped into a site that
 stated $GENERATE range rhs type lhs
 
 I then tried $GENERATE 11-30  $ PTR ${3,0,d}.COOL.COM. and this worked.
 
 Hopefully this will help somebody.
 
 Anybody here have the ability to update the manual?

${3,0,d} works on both the left hand side and the right hand side.
The same code is called to process both the lhs and the rhs.

Mark
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: $generate lhs problem. Manual needs to be updated.

2009-03-04 Thread Mark Andrews

In message 49af42f8.9070...@chrysler.com, Kevin Darcy writes:
 Jeremy,
 I don't think the definitions of rhs and lhs are at issue. What 
 apparently led the original poster to the wrong solution initially was 
 the verbiage in the manual stating Any single *$* symbols within the 
 *lhs* side are replaced by the iterator value, which implies that $ 
 replacement _only_ occurs within the LHS. As Mark confirmed, $ can 
 also occur in the RHS, and in fact that's what was required for the 
 correct solution.
 
 Personally, I wouldn't remove within the LHS from the verbiage 
 completely, otherwise someone will undoubtedly complain about not being 
 able to perform a $ replacement in the class, type or TTL fields 
 (users being users :-)
 
 But, maybe it could be amended to within the LHS or RHS...

The quoted text was taken from a table describing all the
elements of a $GENERATE.  I don't see how anyone reading
the table could say that $ only is valid on the left hand
side especially when there are examples above the table
showing it on both sides.

Mark

range
This can be one of two forms: start-stop or start-stop/step.
If the first form is used, then step is set to 1. All of
start, stop and step must be positive.
lhs
This describes the owner name of the resource records to be
created.  Any single $ (dollar sign) symbols within the lhs
side are replaced by the iterator value. To get a $ in the
output, you need to escape the $ using a backslash \, e.g.
\$. The $ may optionally be followed by modifiers which
change the offset from the iterator, field width and base.
Modifiers are introduced by a { (left brace) immediately
following the $ as ${offset[,width[,base]]}. For example,
${-20,3,d} subtracts 20 from the current value, prints the
result as a decimal in a zeropadded field of width 3.
Available output forms are decimal (d), octal (o) and
hexadecimal (x or X for uppercase). The default modifier
is ${0,0,d}. If the lhs is not absolute, the current $ORIGIN
is appended to the name.  For compatibility with earlier
versions, $$ is still recognized as indicating a literal $
in the output.
ttl
Specifies the time-to-live of the generated records. If not
specified this will be inherited using the normal ttl
inheritance rules.  class and ttl can be entered in either
order.
class
Specifies the class of the generated records. This must
match the zone class if it is specified.  class and ttl can
be entered in either order.
type
At present the only supported types are PTR, CNAME, DNAME,
A, AAAA and NS.
rhs
rhs is a domain name. It is processed similarly to lhs.

 
 Jeremy C. Reed wrote:
  On Wed, 4 Mar 2009, Takahiro Masuda wrote:
 

   The tricky part is ${3,0,d} was not working. I bumped into a site
  that stated $GENERATE range rhs type lhs
  
 
  That is wrong.
 

  I then tried $GENERATE 11-30  $ PTR ${3,0,d}.COOL.COM. and this
  worked.
  
 
 

  Anybody here have the ability to update the manual?
  
 
  Yes.
 
  But it appears your second try is correct.
 
  I can improve the documentation to make sure that it explains the two 
  abbreviations:
 
  lhs is left hand side (the label).
 
  rhs is the right hand side (the RDATA).
 
  Will that work for you?
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users
 
 

 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
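Expanding a $GENERATE line the way the quoted manual text describes, as an added example (not BIND's own code, and not from this thread): the iterator and its ${offset[,width[,base]]} modifiers are substituted on both the lhs and the rhs. substitute(), expand() and the reverse-zone origin used in the demo are this example's own assumptions.

```python
"""
Added example (not BIND code): expand a $GENERATE directive per the ARM text
quoted in this thread: range start-stop[/step], $ substitution with
${offset[,width[,base]]} on BOTH the lhs (owner) and rhs (rdata), the \$
escape, the legacy $$ form, and $ORIGIN completion of non-absolute names.
"""
import re

SUPPORTED_TYPES = {'PTR', 'CNAME', 'DNAME', 'A', 'AAAA', 'NS'}
CLASSES = {'IN', 'CH', 'HS'}

# $ optionally followed by {offset[,width[,base]]}
MODIFIER_RE = re.compile(r'\$(\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\})?')


def substitute(field, value, origin, append_origin=True):
    """Replace iterator references in one field. If the result is a name and
    not absolute (no trailing dot), the current $ORIGIN is appended."""
    out, i = [], 0
    while i < len(field):
        ch = field[i]
        if ch == '\\' and field.startswith('$', i + 1):   # \$ -> literal $
            out.append('$')
            i += 2
        elif field.startswith('$$', i):                    # legacy $$ -> $
            out.append('$')
            i += 2
        elif ch == '$':
            m = MODIFIER_RE.match(field, i)
            if field.startswith('{', i + 1) and m.group(1) is None:
                raise ValueError('malformed $ modifier in %r' % field)
            offset = int(m.group(2)) if m.group(2) else 0
            width = int(m.group(3)) if m.group(3) else 0
            base = m.group(4) or 'd'                       # default ${0,0,d}
            spec = ('0%d%s' % (width, base)) if width else base
            out.append(format(value + offset, spec))       # zero-padded
            i = m.end()
        else:
            out.append(ch)
            i += 1
    name = ''.join(out)
    if append_origin and not name.endswith('.'):
        name = name + '.' if origin == '.' else name + '.' + origin
    return name


def expand(directive, origin, default_ttl=None, zone_class='IN'):
    """Expand one $GENERATE line into (owner, ttl, class, type, rdata) tuples.
    ttl and class are optional and accepted in either order, as in the ARM."""
    tokens = directive.split()
    if len(tokens) < 4 or tokens[0] != '$GENERATE':
        raise ValueError('expected: $GENERATE range lhs [ttl] [class] type rhs')
    m = re.fullmatch(r'(\d+)-(\d+)(?:/(\d+))?', tokens[1])
    if not m:
        raise ValueError('bad range %r' % tokens[1])
    start, stop = int(m.group(1)), int(m.group(2))
    step = int(m.group(3)) if m.group(3) else 1
    if stop < start or step < 1:
        raise ValueError('range must run forwards with a positive step')
    lhs, rest = tokens[2], tokens[3:]
    ttl, rclass = default_ttl, zone_class
    while rest and rest[0].upper() not in SUPPORTED_TYPES:
        tok = rest.pop(0)
        if tok.isdigit():
            ttl = int(tok)
        elif tok.upper() in CLASSES:
            rclass = tok.upper()
        else:
            raise ValueError('unexpected token %r' % tok)
    if len(rest) != 2:
        raise ValueError('expected type and rhs, got %r' % rest)
    rtype, rhs = rest[0].upper(), rest[1]
    rhs_is_name = rtype not in ('A', 'AAAA')   # addresses are never origin-completed
    return [(substitute(lhs, v, origin), ttl, rclass, rtype,
             substitute(rhs, v, origin, rhs_is_name))
            for v in range(start, stop + 1, step)]


if __name__ == '__main__':
    # The directive that worked for the original poster; the origin is a
    # constructed reverse zone, since the thread does not give one.
    for rec in expand('$GENERATE 11-30 $ PTR ${3,0,d}.COOL.COM.',
                      '1.168.192.in-addr.arpa.'):
        print(' '.join(str(x) for x in rec if x is not None))
```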


Re: bind 9.6.0-P1's nsupdate dumps core on NetBSD/i386 4.x

2009-03-05 Thread Mark Andrews

In message p05200f70c5d52b51d...@[130.102.20.138], Ray Phillips writes:
 I've built bind 9.6.0-P1 on NetBSD/i386 machines (versions 3.1, 4.0, 
 4.0.1 and 5.0_RC2) and discovered that nsupdate dumps core on the 4.x 
 ones.
 
 The build process was just:
 
 % sh -c './configure --disable-threads > configure.log 2>&1'
 % sh -c 'make > make.log 2>&1'
 % su
 Password:
 # sh -c 'make install > make-install.log 2>&1'
 #
 
 I've also tried without  --disable-threads  but it made no difference.
 
 
 % ls -l /usr/local/bin/nsupdate
 -rwxr-xr-x  1 root  wheel  3517495 Mar  5 17:19 /usr/local/bin/nsupdate
 % file /usr/local/bin/nsupdate
 /usr/local/bin/nsupdate: ELF 32-bit LSB executable, Intel 80386, 
 version 1 (SYSV), for NetBSD 4.0, dynamically linked (uses shared 
 libs), not stripped
 % ldd /usr/local/bin/nsupdate
 /usr/local/bin/nsupdate:
  -lcrypt.0 => /lib/libcrypt.so.0
  -lcrypto.3 => /usr/lib/libcrypto.so.3
  -lc.12 => /usr/lib/libc.so.12
 % pwd
 /tmp
 % ls -l
 % /usr/local/bin/nsupdate
 Segmentation fault (core dumped)
 % ls -l
 total 3648
 -rw---  1 ray  wheel  1846100 Mar  5 17:21 nsupdate.core
 % file nsupdate.core
 nsupdate.core: ELF 32-bit LSB core file Intel 80386, version 1 
 (SYSV), NetBSD-style, from 'nsupdate' (signal 11)
 % gdb nsupdate.core

You need to call gdb correctly.

gdb /usr/local/bin/nsupdate nsupdate.core


 GNU gdb 6.5
 Copyright (C) 2006 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type show copying to see the conditions.
 There is absolutely no warranty for GDB.  Type show warranty for details.
 This GDB was configured as i386--netbsdelf.../tmp/nsupdate.core: 
 not in executable format: File format not recognized
 
 (gdb) quit
 %
 
 It would be nice if it worked on the 4.x versions.  Could you suggest 
 what I could do to troubleshoot it please?  bind9 9.5.0-P2's nsupdate 
 worked fine on them.
 
 
 Ray
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: bind 9.6.0-P1's nsupdate dumps core on NetBSD/i386 4.x

2009-03-05 Thread Mark Andrews

In message p05200f72c5d61071b...@[130.102.20.138], Ray Phillips writes:
  You need to call gdb correctly.
 
  gdb /usr/local/bin/nsupdate nsupdate.core
 
 Thanks Mark.
 
 Sorry, I (obviously) don't have much of a clue about using gdb.

Looks like you have hit this bug.

2547.   [bug]   openssl_link.c:mem_realloc() could reference an
out-of-range area of the source buffer.  New public
function isc_mem_reallocate() was introduced to address
this bug. [RT #19313]

Mark


Index: bind9/CHANGES
diff -u bind9/CHANGES:1.2991 bind9/CHANGES:1.2992
--- bind9/CHANGES:1.2991Fri Feb  6 12:33:17 2009
+++ bind9/CHANGES   Wed Feb 11 03:04:18 2009
@@ -1,3 +1,8 @@
+2547.  [bug]   openssl_link.c:mem_realloc() could reference an
+   out-of-range area of the source buffer.  New public
+   function isc_mem_reallocate() was introduced to address
+   this bug. [RT #19313]
+
 2546.  [func]  Add --enable-openssl-hash configure flag to use
OpenSSL (in place of internal routine) for hash
functions (MD5, SHA[12] and HMAC). [RT #18815]
Index: bind9/lib/dns/openssl_link.c
diff -u bind9/lib/dns/openssl_link.c:1.24 bind9/lib/dns/openssl_link.c:1.25
--- bind9/lib/dns/openssl_link.c:1.24   Sat Jan 17 23:47:42 2009
+++ bind9/lib/dns/openssl_link.cWed Feb 11 03:04:18 2009
@@ -148,18 +148,8 @@
 
 static void *
 mem_realloc(void *ptr, size_t size) {
-   void *p;
-
INSIST(dst__memory_pool != NULL);
-   p = NULL;
-   if (size  0U) {
-   p = mem_alloc(size);
-   if (p != NULL  ptr != NULL)
-   memcpy(p, ptr, size);
-   }
-   if (ptr != NULL)
-   mem_free(ptr);
-   return (p);
+   return (isc_mem_reallocate(dst__memory_pool, ptr, size));
 }
 
 isc_result_t
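Review bot: the removed body is where the out-of-range read came from: `memcpy(p, ptr, size)` copied the new `size` out of the old buffer, so every growing reallocation read past the end of the old allocation, and `mem_free(ptr)` ran even when `mem_alloc(size)` had failed, freeing the caller's buffer on an error path. Delegating to `isc_mem_reallocate` removes both, but it also changes the failure contract: per the new comment in mem.c the original pointer now stays valid when allocation fails and the caller must free it, so any caller in this file that assumed the old free-on-failure behaviour needs to be checked for a leak.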
Index: bind9/lib/isc/mem.c
diff -u bind9/lib/isc/mem.c:1.147 bind9/lib/isc/mem.c:1.148
--- bind9/lib/isc/mem.c:1.147   Thu Jan 22 23:47:54 2009
+++ bind9/lib/isc/mem.c Wed Feb 11 03:04:18 2009
@@ -1365,6 +1365,40 @@
return (si);
 }
 
+void *
+isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
+   void *new_ptr = NULL;
+   size_t oldsize, copysize;
+
+   REQUIRE(VALID_CONTEXT(ctx));
+
+   /*
+* This function emulates the realloc(3) standard library function:
+* - if size  0, allocate new memory; and if ptr is non NULL, copy
+*   as much of the old contents to the new buffer and free the old one.
+*   Note that when allocation fails the original pointer is intact;
+*   the caller must free it.
+* - if size is 0 and ptr is non NULL, simply free the given ptr.
+* - this function returns:
+* pointer to the newly allocated memory, or
+* NULL if allocation fails or doesn't happen.
+*/
+   if (size  0U) {
+   new_ptr = isc__mem_allocate(ctx, size FLARG_PASS);
+   if (new_ptr != NULL  ptr != NULL) {
+   oldsize = (((size_info *)ptr)[-1]).u.size;
+   INSIST(oldsize = ALIGNMENT_SIZE);
+   oldsize -= ALIGNMENT_SIZE;
+   copysize = oldsize  size ? size : oldsize;
+   memcpy(new_ptr, ptr, copysize);
+   isc__mem_free(ctx, ptr FLARG_PASS);
+   }
+   } else if (ptr != NULL)
+   isc__mem_free(ctx, ptr FLARG_PASS);
+
+   return (new_ptr);
+}
+
 void
 isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
size_info *si;
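Review bot: `isc__mem_reallocate` recovers the old length from the `size_info` header it reads at `((size_info *)ptr)[-1]`, which only exists for pointers returned by `isc__mem_allocate`; a pointer obtained from `isc_mem_get` carries no such header, so the `INSIST` on `oldsize` would either fire or the copy length would come from garbage. That precondition (ptr must come from isc_mem_allocate, never from isc_mem_get) belongs in the block comment, which currently documents only the realloc(3)-like semantics. Style nit: the `else if (ptr != NULL)` branch is the only unbraced body in the function; brace it to match the surrounding code.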
Index: bind9/lib/isc/include/isc/mem.h
diff -u bind9/lib/isc/include/isc/mem.h:1.80 
bind9/lib/isc/include/isc/mem.h:1.81
--- bind9/lib/isc/include/isc/mem.h:1.80Sat Jan 17 23:47:43 2009
+++ bind9/lib/isc/include/isc/mem.h Wed Feb 11 03:04:18 2009
@@ -154,6 +154,7 @@
 
 #define isc_mem_get(c, s)  isc__mem_get((c), (s) _ISC_MEM_FILELINE)
 #define isc_mem_allocate(c, s) isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_reallocate(c, p, s) isc__mem_reallocate((c), (p), (s) 
_ISC_MEM_FILELINE)
 #define isc_mem_strdup(c, p)   isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
 #define isc_mempool_get(c) isc__mempool_get((c) _ISC_MEM_FILELINE)
 
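Review bot: `isc_mem_reallocate` is added without any descriptive comment in the header, and since its behaviour on failure differs from a naive realloc wrapper (the original pointer stays valid and must be freed by the caller, as the mem.c comment says), that is the one thing callers reading mem.h need to know; please add it beside the macro or at the prototype. Also, as shown here the `#define isc_mem_reallocate` line is split before `_ISC_MEM_FILELINE)` with no trailing backslash; if that is how it is in the committed file rather than a mail wrap, the macro will not compile.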
@@ -612,6 +613,8 @@
 isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void *
 isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
+void *
+isc__mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void
 isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
 char *
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: will blocking getting hammered by cache request do anything?

2009-03-08 Thread Mark Andrews

One thing I should add is that chasing down lack of BCP38 compliance
isn't whack-a-mole though it may feel like it.  This is a configuration
change and as such tends to be permanent especially once it gets written
into the procedures documents.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: starting namd

2009-03-11 Thread Mark Andrews

In message 1236826414.19160.23.ca...@localhost.localdomain, Chris writes:
 
 On Wed, 2009-03-11 at 21:29 -0500, Chris wrote:
  I've just recently upgraded from Mandrake 10.1 to Mandriva 2009. I had
  it running great before the upgrade. Tonight I installed BIND 9.5.0-P2
  via rpm and can't get it to start for some reason. named-checkconf gives
  me no errors and neither does named-checkconf -z.
 
 Adding a bit to this, syslog shows:
 
 Mar 11 21:43:02 localhost named[7290]: starting BIND 9.5.0-P2 -u named
 -t /var/lib/named
 Mar 11 21:43:02 localhost named[7290]: found 1 CPU, using 1 worker
 thread
 Mar 11 21:43:02 localhost named[7290]: loading configuration from
 '/etc/named.conf'
 Mar 11 21:43:02 localhost named[7290]: /etc/named.conf:9:
 open: /var/lib/named/etc/rndc.key: file not found
 Mar 11 21:43:02 localhost named[7290]: loading configuration: file not
 found
 Mar 11 21:43:02 localhost named[7290]: exiting (due to fatal error)
 
 The file is there:
 
 [r...@localhost etc]# cd /var/lib/named/etc
 [r...@localhost etc]# ls -l
 total 36
 -rw-r--r-- 1 root root  1966 2009-02-15 05:18 bogon_acl.conf
 -rw-r--r-- 1 root root   116 2009-03-11 21:46 hosts
 -rw-r--r-- 1 root root  3543 2009-03-11 21:47 localtime
 -rw-r--r-- 1 root root  2123 2009-02-15 05:18 logging.conf
 -rw-r--r-- 1 root root  4094 2009-03-11 21:09 named.conf
 -rw-r--r-- 1 root named  350 2009-03-11 21:01 rndc.conf
 -rw-r--r-- 1 root named  259 2009-03-11 20:22 rndc.key
 -rw-r--r-- 1 root root   627 2009-02-15 05:18 trusted_networks_acl.conf

Named is looking for /var/lib/named/var/lib/named/etc/rndc.key.
You aren't taking into account the chroot() call.

Mark

 Don't know what the problem is
 
 
 -- 
 KeyID 0xE372A7DA98E6705C
 
 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Two outgoing queries for each incoming query

2009-03-12 Thread Mark Andrews

In message 200903121454.n2cesvel019...@metis.hicks-net.net, Gregory Hicks writes:
 
  Date: Thu, 12 Mar 2009 13:43:44 +0200
  Subject: Two outgoing queries for each incoming query
  From: My Name mylistuser1...@gmail.com
  To: bind-users@lists.isc.org
  
  Is this possible with 9.6.0-P1 or do I need to change the code (all
  ideas where to start are welcome, I haven't looked at the code yet).
 
  I want to setup a forwarder and each incoming query (in fact only A
  or AAAA) should be sent to two different upstream servers.
 
 Why?  Bind already does this.  If there are two (or more) servers
 serving a zone, it will already query all of them for the initial
 query.  However, it uses the answer from the server that has the
 fastest response time.

No.  It will query multiple servers in turn as needed to
satisfy queries.  RTT estimates are most effective with
infrastructure zones as those are the ones queried most
often.  Named tries to minimize the number of queries it
makes.
 
 Regards,
 Gregory Hicks
 -
 Gregory Hicks   | Principal Systems Engineer
 | Direct:   408.569.7928
 
 People sleep peaceably in their beds at night only because rough men
 stand ready to do violence on their behalf -- George Orwell
 
 The price of freedom is eternal vigilance.  -- Thomas Jefferson
 
 The best we can hope for concerning the people at large is that they
 be properly armed. --Alexander Hamilton
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Trouble publishing dkim via nsupdate

2009-03-12 Thread Mark Andrews

In message 20090313031347.ga19...@csy.ca, Shane W writes:
 Hey all,
 
 I am trying to publish a dkim record in a signed dynamic
 zone using nsupdate.  My query looks like the below but
 nsupdate is having none of it, giving formerr.  Can anyone
 see an obvious error with this query:  Pasting the entry
 directly into the zone (freeze/thaw) does work but then the
 record doesn't get signed.
 
 nsupdate:
 zone csy.ca
 update delete continuum._domainkey.csy.ca any
 update add continuum._domainkey.csy.ca 86400 txt k=rsa\; t=y\; p=MIGfMA0GCSq
 GSIb3DQEBAQUAA4GNADCBiQKBgQDGDqQOjvR2NkesUp+rMl164OdruvyT/hcvwWpPJVZZpYJ7C0rU
 FoZeGdIsi0Riv8wbMd0YspPEfXEslt+neNBTp+nGtkbzpV23PnVwxaqaCpUOZtc7LN2BTKLnpQATL
 30JJE6LwafHPmM5I9S6y1pBQBV9KLdBuxG4+xlIwQf6HwIDAQAB
 send

Remove the any from the delete command.
update delete continuum._domainkey.csy.ca


 output with -d
 Reply from SOA query:
 ;; -HEADER- opcode: QUERY, status: NOERROR, id:  11757
 ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
 ;; QUESTION SECTION:
 ;csy.ca.ANY SOA
 
 ;; ANSWER SECTION:
 csy.ca. 86400   IN  SOA continuum.ns.csy.ca. hostmast
 er.csy.ca. 207 14400 900 2419200 3600
 
 ;; AUTHORITY SECTION:
 csy.ca. 86400   IN  NS  dme6.ns.csy.ca.
 csy.ca. 86400   IN  NS  dme7.ns.csy.ca.
 csy.ca. 86400   IN  NS  continuum.ns.csy.ca.
 csy.ca. 86400   IN  NS  dme5.ns.csy.ca.
 
 ;; ADDITIONAL SECTION:
 dme5.ns.csy.ca. 86400   IN  A   63.219.151.12
 dme6.ns.csy.ca. 86400   IN  A   64.246.42.203
 dme7.ns.csy.ca. 86400   IN  A   205.234.170.139
 continuum.ns.csy.ca.3600IN  A   70.71.3.27
 
 Found zone name: csy.ca
 The master is: continuum.ns.csy.ca
 Sending update to 70.71.3.27#53
 Outgoing update query:
 ;; -HEADER- opcode: UPDATE, status: NOERROR, id:   2080
 ;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 0
 ;; ZONE SECTION:
 ;csy.ca.ANY SOA
 
 ;; UPDATE SECTION:
 continuum._domainkey.csy.ca. 0  ANY ANY
 continuum._domainkey.csy.ca. 86400 ANY  TXT k=rsa\; t=y\; p=MIGfMA0GCSqG
 SIb3DQEBAQUAA4GNADCBiQKBgQDGDqQOjvR2NkesUp+rMl164OdruvyT/hcvwWpPJVZZpYJ7C0rUF
 oZeGdIsi0Riv8wbMd0YspPEfXEslt+neNBTp+nGtkbzpV23PnVwxaqaCpUOZtc7LN2BTKLnpQATL3
 0JJE6LwafHPmM5I9S6y1pBQBV9KLdBuxG4+xlIwQf6HwIDAQAB
 
 
 Reply from update query:
 ;; -HEADER- opcode: UPDATE, status: FORMERR, id:   2080
 ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 
 Thanks,
 Shane
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: rDNS for /20

2009-03-13 Thread Mark Andrews

In message 200903122311.24920.bli...@nobaloney.net, Jeff Lasman writes:
 I've read the relevant parts of DNS and Bind over and over again, and 
 I'm still going crazy.  I've searched this list going back about three 
 years.  I've googled.  Each step confuses me more frown.
 
 I'm trying to set up a reverse delegation to two nameservers for a /20.
 
 Netmask is 255.255.240.0 (I think).
 
 Is there a cookbook somewhere?
 
 Thanks in advance for any possible help.

Just set up each of the /24's which make up the /20.
 
 Jeff
 -- 
 Jeff Lasman, Nobaloney Internet Services
 P.O. Box 52200, Riverside, CA  92517
 Our blists address used on lists is for list email only
 voice:  +1 951 643-5345, or see: 
 http://www.nobaloney.net/contactus.html;
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: number of zones not matching

2009-03-20 Thread Mark Andrews
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ACL ?

2009-03-23 Thread Mark Andrews

In message 49c79d6b.7060...@eagle.net, John D. Vo writes:
 Greetings:
 
 Trying to implement acl in my named.conf... for Bind 9.2.2
 
 acl eagle { 192.168.1.0/24; localhost; };
 
 But when I issued an reload, I got:
 
 Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] 
 /etc/named.conf:2: unknown option 'acl'
 Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading 
 configuration failed: failure

You have the acl in the wrong place in named.conf.  It should be
like:

acl {

};
options {

};

not

options {
acl { ... };
...
};

Mark
 
 
 Help?
 
 Thanks.
 
 -- 
 
 
 Best Regards,
 
 John D. Vo
 Eagle Teleconferencing Services, Inc.
 Network-System Administrator
 j...@eagle.net
 Office: (212) 200-2000 Ext. 105
 Cell: (212) 200-3016
 
 ---
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Strange DNS Behaviour

2009-03-24 Thread Mark Andrews
 c1 t2 (x0)
 nslookup: 3 ns addrs
 nslookup: 3 ns addrs total
 forw: forw - 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec
 
 datagram from 137.33.1.2 port 53, fd 7, len 92
 USER response nsid=7 id=4
 stime 712944912/917744  now 712944912/967742 rtt 49
 NS #0 addr 137.33.1.2 used, rtt 49
 NS #1 128.214.4.29 rtt now 0
 NS #2 137.33.1.9 rtt now 0
 resp: ancount 0, aucount 1, arcount 0
 doupdate(zone 0, savens f7ffe9d0, flags 19)
 doupdate: dname kemira.com type 6 class 1 ttl 3600
 db_update(kemira.com, 0x556f8, 0x556f8, 031, 0x44ca0)
 db_update: adding 556f8
 resp: leaving auth NO
 send_msg - 130.230.1.1 (UDP 9 1539) id=4
 
 =
 
 Kindly advice!
 
 Many Thanks,
 Ashish
 
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: FORMERR resolving AAAA/IN records

2009-03-26 Thread Mark Andrews

In message 20090326141903.1917917...@britaine.cis.anl.gov, b19...@anl.gov writes:
 Oliver Henriot oliver.henr...@imag.fr wrote:
 
 dnsserver% !! 
 dig auniarael.com @216.69.185.38 
 
 ;  DiG 8.3  auniarael.com @216.69.185.38  
 ; (1 server found)
 ;; res options: init recurs defnam dnsrch
 ;; got answer:
 ;; -HEADER- opcode: QUERY, status: NOERROR, id: 4
 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
 ;; QUERY SECTION:
 ;;  auniarael.com, type = AAAA, class = IN
 
 ;; AUTHORITY SECTION:
 .   1D IN SOA   cpns01.secureserver.net. dns.jomax.net
 . (
 20080922; serial
 8H  ; refresh
 2H  ; retry
 1W  ; expiry
 1D ); minimum
 
 auniarael.com.  1H IN NScpns01.secureserver.net.
 auniarael.com.  1H IN NScpns02.secureserver.net.
 
 ;; Total query time: 62 msec
 ;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38  216.69.185.38
 ;; WHEN: Thu Mar 26 09:06:02 2009
 ;; MSG SIZE  sent: 31  rcvd: 157

Note this answer is internally self inconsistent.  AA=1
which indicates the answer is authoritative yet the authority
section contains SOA and NS RRsets with different owners
with the SOA being higher in the namespace than the NS
RRset.

Even if AA=0 it would still be self inconsistent and the
relationship between the SOA and NS RRsets is impossible
in a well formed response.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
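The two observations in the reply above, turned into a check a resolver test harness could run, as an added example (not BIND code and not from this thread); check_authority() and its record-tuple input format are this example's own assumptions, and the sample tuples are constructed from the dig output quoted in the message.

```python
"""
Added example (not BIND code): consistency check on a response's authority
section. Encodes the reasoning in this thread: an SOA whose owner is an
ancestor of an NS RRset in the same section is impossible in a well-formed
response (whatever AA says), and with AA=1 the section must not mix an SOA
with NS records for a different owner.
"""


def labels(name):
    """Labels of a name, highest label last; the root '.' yields []."""
    return [l for l in name.rstrip('.').lower().split('.') if l]


def is_ancestor(zone, name):
    """True when zone is a strict ancestor of name (the root is an ancestor
    of every other name)."""
    lz, ln = labels(zone), labels(name)
    return len(lz) < len(ln) and ln[len(ln) - len(lz):] == lz


def contains(zone, name):
    """True when name is at or below zone."""
    return labels(zone) == labels(name) or is_ancestor(zone, name)


def check_authority(qname, aa, authority):
    """authority: iterable of (owner, rrtype) pairs from the authority
    section. Returns a list of (code, detail) inconsistencies, empty if none."""
    problems = []
    soa_owners = sorted({o for o, t in authority if t.upper() == 'SOA'})
    ns_owners = sorted({o for o, t in authority if t.upper() == 'NS'})
    for soa in soa_owners:
        if not contains(soa, qname):
            problems.append(('soa-outside-qname',
                             'SOA %s does not contain %s' % (soa, qname)))
        for ns in ns_owners:
            if is_ancestor(soa, ns):
                problems.append(('soa-above-ns',
                                 'SOA %s is above NS %s' % (soa, ns)))
    # With AA=1 any NS RRset in the authority section must share the SOA's owner
    ns_not_apex = [ns for ns in ns_owners
                   if not any(labels(ns) == labels(soa) for soa in soa_owners)]
    if aa and soa_owners and ns_not_apex:
        problems.append(('aa-mixed-owners',
                         'AA=1 but NS owners %s differ from SOA' % ns_not_apex))
    return problems


# Constructed from the dig output quoted above: AA=1, SOA for '.', NS for
# auniarael.com in the same authority section.
QUOTED_AUTHORITY = [('.', 'SOA'), ('auniarael.com.', 'NS'),
                    ('auniarael.com.', 'NS')]

if __name__ == '__main__':
    for code, detail in check_authority('auniarael.com.', True, QUOTED_AUTHORITY):
        print(code, '-', detail)
```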


Re: dhcp options 226 and 227

2009-03-30 Thread Mark Andrews

Try the next list over, dhcp-us...@isc.org.

Also see https://www.isc.org/software/dhcp/documentation

In message 20090330124035.7mp9s88srossk...@mail.harrisonburg.k12.va.us, 
dhottin...@harrisonburg.k12.va.us writes:
 Im trying to figure out how to add options 226 and 227 to my dhcp  
 server.  I have not been able to find much about this through google.   
 Has anyone implemented these options for their dhcp server?  I added  
 the following to my dhcpd.conf (main file)
 
 option option-226 code 226 = array of integer 8;
 option option-227 code 227 = ip-address;
 
 
  option option-226   10,40,0,29;
  option option-227   10.40.0.29;
 
 Im not sure what the array of integer 8 is at all, but the only  
 example I could find had that in the main options area.
 
 thanks,
 ddh
 
 
 -- 
 Dwayne Hottinger
 Network Administrator
 Harrisonburg City Public Schools
 
 Everything should be made as simple as possible, but not simpler.
 -- Albert Einstein
 
 The hottest places in Hell are reserved for those who, in times of moral
 crisis, preserved their neutrality.
 -- Dante
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Minor query (cache) denied Logging Bug?

2009-04-01 Thread Mark Andrews
:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 13081
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.  IN  A

;; ANSWER SECTION:
cname.dv.isc.org.   86400   IN  CNAME   ftp.uu.net.

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:09 2009
;; MSG SIZE  rcvd: 58

drugs# dig cname.dv.isc.org @192.168.191.236
Apr  2 12:11:50 drugs named[896]: client 192.168.191.236#60255: view default: 
query (cache) 'ftp.uu.net/A/IN' denied

;  DiG 9.3.6-P1  cname.dv.isc.org @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 24655
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.  IN  A

;; ANSWER SECTION:
cname.dv.isc.org.   86400   IN  CNAME   ftp.uu.net.

;; Query time: 1 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:50 2009
;; MSG SIZE  rcvd: 58

drugs# dig ftp.uu.net @192.168.191.236 
Apr  2 12:20:47 drugs named[896]: client 192.168.191.236#58715: view default: 
query (cache) 'ftp.uu.net/A/IN' denied

;  DiG 9.3.6-P1  ftp.uu.net @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: REFUSED, id: 61980
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.uu.net.IN  A

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:20:47 2009
;; MSG SIZE  rcvd: 28

drugs# 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ISC DLV dnssec

2009-04-05 Thread Mark Andrews

In message e754e90904051051i60b347b6paf44a833c02a8...@mail.gmail.com, R Dicaire writes:
 Hi folks, last night the ISC server responsible for responding to DLV
 lookups was apparently down. Since all lookups were failing due to a
 lack of response from this server, bind couldn't resolve anything at
 all. I had to comment out a couple lines in named.conf to restore
 function.
 
 bind-9.4.3-P2
 
 Here's the dnssec configuration lines used in named.conf:
 
 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside . trust-anchor dlv.isc.org.;
 
 trusted-keys {
 dlv.isc.org. 257 3 5
 BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
 brhQv5rN32RKtMzX6Mj70jdzeN
 D4XknW58dnJNPCxn8+jAGl2FZLK8t+
 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
 ymX4BI/oQ+cAK50/xvJv00Frf
 8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
 Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
 QKtUdvNXDrYJDSHZws3xiRXF
 1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh;
 };
 
 I'm not sure, but if a lookup fails dnssec auth, shouldn't bind treat
 the answer as insecure, and return said answer?

No.  Otherwise you could cause the nameserver to accept a
bogus answer when it shouldn't.  
 
 In the scenario described above, I wasn't even able to get answers,
 let alone whether said answers could be authenticated.
 Bv9ARM.pdf is unclear regarding how bind should behave regarding use
 of dnssec-validation directive.
 
 Shouldn't the behaviour for DLV lookups be such that if the query
 can't be answered by the DLV server, then fall back to a non-dnssec
 lookup?

No.
 
 Perhaps there's a configuration issue I'm using that caused this
 unexpected behaviour I describe?

There was a fault which caused RRSIG of the key signing key
to be missing.  The key signing key is the one listed in
the trusted-keys clause above.  This caused a break in the
chain of trust as the DNSKEY RRset could not be validated
which meant named could not determine if the answers to the
DLV queries were valid or not and in turn the answers to
all other queries.
 
Mark

 Thanks
 
 -- 
 aRDy Music and Rick Dicaire present:
 http://www.ardynet.com
 http://www.ardynet.com:9000/ardymusic.ogg.m3u
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
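The chain-of-trust break described above, as an added example that is not part of this thread or of BIND: parse a DNSKEY/RRSIG answer, take the key tags from dig's comments or compute them, and report whether the configured trust anchor actually signs the DNSKEY RRset. The function names are this example's own, and the sample answer is constructed with the thread's key ids but placeholder key material.

```python
"""
Added example (not ISC code): given the output of
`dig dnskey <zone> +dnssec +cd +multi`, report for each configured trust
anchor whether it is present in the DNSKEY RRset and whether it is the
signer of an RRSIG over that RRset. An anchor that signs nothing leaves a
validator unable to build the chain of trust, which is the DLV failure
discussed in this thread.
"""
import base64
import re
import struct

# Constructed sample modelled on the dig output in this thread: the key ids
# and the RRSIG key-tag field are the values discussed there, but the base64
# key and signature material is shortened to placeholders.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
dlv.isc.org.            6518 IN DNSKEY 256 3 5 (
                                AQID
                                ) ; key id = 64263
dlv.isc.org.            6518 IN DNSKEY 256 3 5 (
                                BAUG
                                ) ; key id = 49899
dlv.isc.org.            6518 IN DNSKEY 257 3 5 (
                                BwgJ
                                ) ; key id = 19297
dlv.isc.org.            6518 IN RRSIG DNSKEY 5 3 7200 20090504233310 (
                                20090404233310 64263 dlv.isc.org.
                                Cgs= )
"""


def keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA. Used when dig's
    '; key id =' comment is absent (output produced without +multi)."""
    rdata = struct.pack('!HBB', flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text):
    """Join dig's parenthesised continuation lines into whole records.
    Returns (tokens, comment) pairs: tokens = [owner, ttl, class, type,
    rdata...], comment = trailing ';' text (dig puts the key id there)."""
    records, buf, comment, depth = [], [], '', 0
    for raw in text.splitlines():
        body, _, cmt = raw.partition(';')
        if cmt.strip():
            comment = cmt.strip()
        buf.append(body)
        depth += body.count('(') - body.count(')')
        if depth == 0:
            tokens = ' '.join(buf).replace('(', ' ').replace(')', ' ').split()
            if tokens:
                records.append((tokens, comment))
            buf, comment = [], ''
    return records


def dnskey_tags(records):
    """Map key tag -> flags for every DNSKEY record."""
    tags = {}
    for tokens, comment in records:
        if len(tokens) < 8 or tokens[3] != 'DNSKEY':
            continue
        flags, proto, alg = int(tokens[4]), int(tokens[5]), int(tokens[6])
        found = re.search(r'key id = (\d+)', comment)
        if found:
            tag = int(found.group(1))
        else:
            tag = keytag(flags, proto, alg, base64.b64decode(''.join(tokens[7:])))
        tags[tag] = flags
    return tags


def dnskey_signers(records):
    """Key tags (7th RDATA field) of every RRSIG that covers DNSKEY."""
    return {int(tokens[10]) for tokens, _ in records
            if len(tokens) > 11 and tokens[3] == 'RRSIG' and tokens[4] == 'DNSKEY'}


def anchor_status(dig_text, trust_anchor_tags):
    """Classify each configured trust anchor against the DNSKEY answer."""
    records = parse_records(dig_text)
    keys, signers = dnskey_tags(records), dnskey_signers(records)
    verdicts = {}
    for tag in trust_anchor_tags:
        if tag not in keys:
            verdicts[tag] = 'absent from DNSKEY RRset'
        elif not keys[tag] & 0x0100:              # ZONE flag (bit 7) clear
            verdicts[tag] = 'present but not a zone key'
        elif tag not in signers:
            verdicts[tag] = 'present but no RRSIG over DNSKEY by this key'
        else:
            verdicts[tag] = 'covered'
    return verdicts


if __name__ == '__main__':
    # 19297 is the key id of the trusted-keys entry quoted in this thread
    for tag, verdict in anchor_status(SAMPLE_DIG_OUTPUT, [19297]).items():
        print(tag, verdict)
```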


Re: ISC DLV dnssec

2009-04-05 Thread Mark Andrews

In message e754e90904051454m8a240cbh17a177a069455...@mail.gmail.com, R Dicaire writes:
 On Sun, Apr 5, 2009 at 5:40 PM, Mark Andrews mark_andr...@isc.org wrote:
  Shouldn't the behaviour for DLV lookups be such that if the query
  can't be answered by the DLV server, then fall back to a non-dnssec
  lookup?
 
  No.
 
 May I ask why?

You enable DNSSEC and DLV to prevent the nameserver from
accepting forged answers from secured zones.  DLV tells
named which zones are secured or not.  This needs to be
secured to prevent named accepting forged answers from
secured zones.

B.T.W.  The servers did answer the queries.  The resolver
just wasn't able to validate them as a signature was missing.

 I'm sure something was learned from whatever caused the DLV server to
 malfunction, but was that kind of malfunction something we can look
 forward to when . and TLDs are signed?

Signing errors will happen.  Hopefully not too often.

 If that kind of breakage in lookups can occur, should there not be a
 contingency to be able to continue to use the Internet when such
 breakage occurs?

Named is still able to return answers if you tell it not to
validate the answers by setting CD=1 in the query.  This flag
is usually used when you have a validating resolver using another
validating resolver to get its answers.

When the lookups were failing answers like this were returned.

;  DiG 9.3.6-P1  dnskey dlv.isc.org +dnssec +cd +multi
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 4255
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org.   IN DNSKEY

;; ANSWER SECTION:
dlv.isc.org.6518 IN DNSKEY 256 3 5 (
BEOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAa
GPT+Q0kpiN+7GviFh+nIazoB8e2Yv7mupgqkmIjObdcb
GstYpUltdECdNpNmBvASKB9SBdtGeRvXXpORi3Qyxb9k
HGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBFtCibp/mk
hw==
) ; key id = 64263
dlv.isc.org.6518 IN DNSKEY 256 3 5 (
BEPGBAwVFzuE6r0zjxHMug8if94gouJXT4xnKqOt
BRNJ9KmIvHVh97hn5VN2T9z0SZ3Y2nPxTyksoX+X7L62
QveGvHzHSEuo8iYq6INevwFTX1beCj/dhk9ZfEYkleoB
4NUlHcam7juJWncRi/Vz/BpF2ec9fLqaAaP15AojoIoa
Aw==
) ; key id = 49899
dlv.isc.org.6518 IN DNSKEY 257 3 5 (
BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn
4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW
58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6B
D4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/o
Q+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte
/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw
/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+
al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
) ; key id = 19297
dlv.isc.org.6518 IN RRSIG DNSKEY 5 3 7200 20090504233310 (
20090404233310 64263 dlv.isc.org.
VXvnxUqXwPWDRL0eN3AW5obDm+8h/X+DbvqF/MPaD9NO
1SYO6tcPvs+Ih3+kQQ/7PZxWHJjGpvIz/sSGWPUbqzyr
LJBTq90+jUbIuCX0KYb4PAT1l5zhjC5UvOKY1Va4NoI7
J/jGrE1hb6C/ZOlDuQR7mXTn/KwkkxK+JzpxT+0= )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr  5 15:21:28 2009
;; MSG SIZE  rcvd: 786

The trusted key entered into named.conf has key id 19297.
There was not a signature for the DNSKEYs using this key.
The only signature available was generated using key id 64263
(7th field in the RRSIG record).

Mark

 I could see online businesses panicking when something like this happens.
 
  There was a fault which caused RRSIG of the key signing key
  to be missing.  The key signing key is the one listed in
  the trusted-keys clause above.  This caused a break in the
  chain of trust as the DNSKEY RRset could not be validated
  which meant named could not determine if the answers to the
  DLV queries were valid or not and in turn the answers to
  all other queries.
 
 Could you provide more details as to what specifically caused the fault?
 Perhaps then other dns admins may learn something new to look
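
The check that failed in the dig output above, as an added example (not code from this thread, from ISC or from BIND): it parses the RRSIG shown, derives DNSKEY key ids the way RFC 4034 Appendix B defines them, and reports whether any signature over the DNSKEY RRset was made by the configured trust anchor (key id 19297, as the message states). The RRSIG text is copied from the dig output; the second, "healthy" RRSIG with its placeholder signature bytes, the DNSKEY bytes fed to key_tag(), and the flags line with ad set are constructed for the demonstration.

```python
"""Model the DNSSEC chain-of-trust check that fails when the DNSKEY RRset
is signed only by the ZSK (key id 64263) and not by the KSK that the
resolver trusts (key id 19297)."""
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Rrsig:
    """The RRSIG RDATA fields that matter for chain-of-trust checks."""
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: str
    inception: str
    key_tag: int      # 7th RDATA field: id of the DNSKEY that made the signature
    signer: str


def parse_rrsig(text: str) -> Rrsig:
    """Parse a presentation-format RRSIG, including dig's multi-line
    parenthesised form, into its RDATA fields."""
    fields = text.replace("(", " ").replace(")", " ").split()
    # owner ttl class RRSIG type alg labels ottl expiration inception tag signer sig...
    if len(fields) < 12 or fields[3] != "RRSIG":
        raise ValueError("not a complete RRSIG record")
    return Rrsig(fields[4], int(fields[5]), int(fields[6]), int(fields[7]),
                 fields[8], fields[9], int(fields[10]), fields[11])


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA (all
    algorithms except the obsolete RSA/MD5).  This is the "key id" dig
    prints; it is a checksum that selects candidate keys, not a proof."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_chain_ok(rrsigs, anchor_tags, zone: str) -> bool:
    """True when at least one RRSIG over the zone's DNSKEY RRset was made
    with a key whose tag is a configured trust anchor.  Without such a
    signature the DNSKEY RRset cannot be validated, so every answer that
    depends on it (for DLV: every lookup) fails validation."""
    return any(s.type_covered == "DNSKEY" and s.signer == zone and s.key_tag in anchor_tags
               for s in rrsigs)


def parse_flags(header_line: str) -> set:
    """Extract the flag names from a dig ';; flags: qr rd ra cd; ...' line."""
    m = re.search(r"flags:\s*([a-z ]*);", header_line)
    return set(m.group(1).split()) if m else set()


def answer_was_validated(header_line: str) -> bool:
    """A validating resolver sets AD on answers it validated.  With CD=1 in
    the query (dig +cd) it skips validation, so AD is absent even when the
    chain is intact: the data came back, but nothing vouched for it."""
    return "ad" in parse_flags(header_line)


TRUST_ANCHOR_TAGS = {19297}   # key id of the KSK configured in trusted-keys

# Copied from the dig output in the message (whitespace normalised).
FAILING_RRSIG = """dlv.isc.org. 6518 IN RRSIG DNSKEY 5 3 7200 20090504233310 (
20090404233310 64263 dlv.isc.org.
VXvnxUqXwPWDRL0eN3AW5obDm+8h/X+DbvqF/MPaD9NO
1SYO6tcPvs+Ih3+kQQ/7PZxWHJjGpvIz/sSGWPUbqzyr
LJBTq90+jUbIuCX0KYb4PAT1l5zhjC5UvOKY1Va4NoI7
J/jGrE1hb6C/ZOlDuQR7mXTn/KwkkxK+JzpxT+0= )"""

# Constructed: the signature the KSK should have produced; "AAAA" is a placeholder.
HEALTHY_RRSIG = ("dlv.isc.org. 6518 IN RRSIG DNSKEY 5 3 7200 20090504233310 "
                 "20090404233310 19297 dlv.isc.org. AAAA")

# Copied from the dig output above: CD set in the query, no AD in the answer.
FLAGS_LINE = ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1"


def diagnose(rrsig_texts, zone="dlv.isc.org."):
    """Summarise which key ids signed the DNSKEY RRset and whether one is an anchor."""
    sigs = [parse_rrsig(t) for t in rrsig_texts]
    return {"signing_key_ids": sorted(s.key_tag for s in sigs),
            "chain_ok": dnskey_chain_ok(sigs, TRUST_ANCHOR_TAGS, zone)}


if __name__ == "__main__":
    print("as observed:", diagnose([FAILING_RRSIG]))
    print("as expected:", diagnose([FAILING_RRSIG, HEALTHY_RRSIG]))
    print("AD set in +cd answer:", answer_was_validated(FLAGS_LINE))
```

Run as a script it reports the observed state (only 64263 signed the RRset, chain not ok) next to the expected one, and shows that the +cd answer carries no AD bit, which is why such an answer must not be treated as validated data.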

Re: ISC DLV dnssec

2009-04-05 Thread Mark Andrews

In message e754e90904051805i6ac1dda6k57f78be2cf00a...@mail.gmail.com, R Dicaire writes:
 On Sun, Apr 5, 2009 at 8:48 PM, Mark Andrews mark_andr...@isc.org wrote:
 Named is still able to return answers if you tell it not to
 validate the answers by setting CD=1 in the query.  This flag
 is usually used when you have a validating resolver using another
 validating resolver to get its answers.
 
 When the lookups were failing answers like this were returned.
 
 The one thing I didn't do was a direct dig itself. I was tailing
 dnssec.log and watching the DLV lookups failing, and my web browser
 was failing to load any site, reporting the hostname couldn't be
 resolved.
 
 Above, you mention setting CD=1 in the query. How is this done by
 applications trying to resolve hostnames
 when there's a problem like last nights?

Only DNSSEC aware validating applications should do this.

 Would setting the named.conf
 directive dnssec-validation no;
 do this? (as I mentioned previously, I had to comment out
 dnssec-validation and the trust anchor directive that points to ISC so
 I could resolve queries)

Which is a reasonable response.

DNSSEC is a bit like digital TV: it's all or nothing.  Zones
will work or not if there are operator errors.  DLV is just
a very critical zone in that it works out which zones are
secure or not so it is involved in every lookup which is
not part of a separately configured island of trust.

When the root is signed and you have a trust anchor for the
root configured DLV will be used to bridge the gaps in the
delegation chains.  Lookups in secure zones for which there
is a theoretical secure path won't use DLV.
 
Mark

 -- 
 
 aRDy Music and Rick Dicaire present:
 http://www.ardynet.com
 http://www.ardynet.com:9000/ardymusic.ogg.m3u
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: I:Couldn't start server ns1

2009-04-06 Thread Mark Andrews

In message 49da221b020100045...@gwiasmtp.uct.ac.za, Erisan Nyamutenha writes:
 Hi,
 
 I'm installing Bind 9.6.0 on Suse Enterprise Linux 10 and I get this error
 message when I do a make test
 
 I:Couldn't start server ns1

Have you set up the test interfaces?

10.53.0.1 ... 10.53.0.7

This is from my FreeBSD box where I run make test pretty
regularly.

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
inet 127.0.0.1 netmask 0xff00 
inet 10.53.0.1 netmask 0x 
inet 10.53.0.2 netmask 0x 
inet 10.53.0.3 netmask 0x 
inet 10.53.0.4 netmask 0x 
inet 10.53.0.5 netmask 0x 
inet 10.53.0.6 netmask 0x 
inet 10.53.0.7 netmask 0x 
inet 127.0.0.2 netmask 0x 
inet 127.0.0.3 netmask 0x 

 Any ideas what I should do before I can install bind?
 
 Regards
 
 Erisan


Re: Fwd: ip forwarding DNS 9.6.0

2009-04-06 Thread Mark Andrews
 From: myron <kowal...@cs.moravian.edu>
 Date: April 6, 2009 12:00:55 PM EDT
 To: bind-users@lists.isc.org
 Subject: ip forwarding DNS 9.6.0
 
 I upgraded from 9.2.3.
 
 I can't seem to do forwarding from a browser.
 
 Everything works from 9.2.3. When I swap out to 9.6.0, from a command line I
 can do: nslookup; ping outside the domain; traceroute outside the domain.
 
 From a web browser I can get out if I use the ip address. However, when I
 put in a canonical name get an rcode 5.
 
 There's a barracuda spam firewall in the path. If I take it out, then everything works.
 There's really nothing to change on the barracuda as far as dns is concerned, other
 than pointing to a dns server.
 
 snoop on the wire:
 9.6.0
 barracuda -> ns     DNS C www22.verizon.com. Internet Addr ?
    ns -> barracuda  DNS R  Error: 5(Refused)
 
 9.2.3
 barracuda -> ns     DNS C www22.verizon.com. Internet Addr ?
    ns -> barracuda  DNS R www22.verizon.com. Internet CNAME www22.verizon.com.edgekey.net.
 
 I glanced through the archives and found some suggestions about recursions to ip forwarding. I think the
 conf is set up correctly. At least, it works fine with 9.2.3.
 
 Here's some of my named.conf edited.
 
 acl mylab {
        10.0.0.0/8;
 };
 options {
        directory       /etc/dns;
        auth-nxdomain   yes;
 };
 view trusted {
  match-clients { mylab; };
  recursion yes;
  zone moravian.edu in {
        type forward;
        forwarders { 10.22.5.32; 10.22.5.38; };
  };
 
 Any help appreciated.
 
 --myron
 ==================================
 Myron Kowalski
 MoCoSIN Network/Systems Administrator
 Moravian College
 my...@cs.moravian.edu


Re: [OT] zonedit.com and changing DNS servers from current provider

2009-04-06 Thread Mark Andrews

In message c8e4fbfa-e27c-4b25-9af5-541413950...@newgeo.com, Scott Haneda 
writes:
 On Apr 6, 2009, at 3:30 PM, Michelle Konzack wrote:
 
  My hosting contract is running out on 2009-04-16 and now I like to use
  zonedit.com to host my zones.  Unfortunately I have not found the
  answer to my question on their help page and they do not reply to my
  question per mail except an autoreply.
 
 Maybe you should reconsider using them if you are already having  
 support issues before you even use their services.
 
  So does someone know, if I setup Zonedit how to eliminate the ZONE  
  at my
  current ISP and HOW to change the WHOIS record?
 
 You should email your current ISP and ask them to delete the zone,  
 unless you have a control panel in which you can do so yourself.  I can  
 say, as a small ISP, this never happens, and we have developed tools  
 to run on a schedule to let us know when a domain has been moved.
 
 To update the WHOIS, you just login to the registrar (the place you  
 purchased the domain from) and make an update in the NS section.

If you want a smooth transition, the ISP should slave the
new zone content until the caches are cleared of the old
NS RRsets (parent and zone).

Mark
 --
 Scott * If you contact me off list replace talklists@ with scott@ *
 


Re: Round robin load distribution among servers does not work properly

2009-04-06 Thread Mark Andrews
 will never get x.y.z.2 and x.y.z.4 as top entries
  in this response.
 
  Can anybody tell me why this limitation and is there any solution to
  resolve this problem?
 
  Thanks in advance.
 
  Mallappa
 
 
  Not sure what version of BIND you are using, but here I am using 9.5.1-P2.
   I just loaded a zone with 10 www records and different IP's and they are
  handed out round robin just fine.
 
  The idea of using DNS for load balancing has been brought up here so many
  times its hard to count.  The answer is always the same. DNS was *never*
  meant to provide this functionality.  Spend the big bucks and get a device
  meant to do *load balancing*.
 
  Search the archive for previous threads on this subject.
  http://marc.info/?l=bind9-users&w=2&r=1&s=load+balancing&q=b
 


Re: Round robin load distribution among servers does not work properly

2009-04-07 Thread Mark Andrews

In message 96c8e9660904071112p557840a4kfd85120d7c275...@mail.gmail.com, 
Mallappa Pallakke
 writes:
 Hi Mark/Kevin,
 
 I did the changes you suggested and it worked fine.
 
 Thanks a lot for all your help.
 
 Regarding round-robin load sharing instead of random, I have
 planned to have a dynamic update (nsupdate) triggered at realtime when
 ever a server goes down or comes up so that there will not be any
 possibility of putting double load on any server.
 
 My only challenge is to load the traffic on the newly coming up server
 equal to other servers during high traffic. I need to do some
 controlled distribution of load (more on new server than others until
 it comes close to other servers!).
 
 Please tell me if it has got any problem.

If you need that much control you really need something
other than named or you need an extra server.  The DNS really
isn't designed to, nor is it capable of, distributing load
so precisely.

Mark


Re: 53/TCP port unresponsive

2009-04-08 Thread Mark Andrews

In message 
7caf9cc3b3625c46adb0a816877f5916f89...@a1dal1swpes16mb.ams.acs-inc.net, 
Deslatte, Curtis writes:
 This problem is very very similar to the one I posted a couple of months
 ago on the list.
 
 Since then I have found that the couple of servers where this was
 frequently occurring, were misconfigured.
 
 (I admit it, NOT proudly though; I'm only proud anymore on Saturday
 afternoons, once I've caught up on my sleep from the previous week, and
 then just barely...)
 
 
 The misconfiguration was related to the use of a second master that
 another admin had removed and I had not caught the deferrals that were
 piling up.  I had thought that each zone was going to choose the first
 master listed, in my case the local primary, the failover was listed
 second.  It would appear that is not always the case as the master which
 had been removed was the second one listed in the master ACL that was
 being referenced by many of the PTR zones being deferred!
 
 I had been troubleshooting another issue and noticed deferrals logging
 fairly regularly.  I started looking into the deferred zones (i.e.
 allowed myself to be rabbit trailed) and found that the zones being
 deferred, were being sought out at the second listed master, not the
 first where I could actually pull any of the zones manually.
 
 In any case, I edited the master ACL, removing the MIA server, and
 zapped it.  The deferrals stopped (naturally) as the remaining master,
 the primary, was working correctly.
 
 I haven't experienced a TCP seizure since.
 
 I now think...  The cyclic nature of the seizures was related to the
 backing up of deferrals, perhaps a constrained resource under the hood
 somewhere?  I don't know that for a fact though.
 
 
 I would assume it's going to be a different cycle based on the
 differences between configurations (zones, or whatever) and servers
 where the presumed resource is concerned.  So manifestations would be
 significantly different from victim to victim.  If it's actually a
 resource, application or server, it may actually manifest with totally
 different symptoms.

Setting try-tcp-refresh no; would have most probably fixed
it.

 This was 9.5.0-P1, BTW.
 
 Thanks,
 CJD
 
 Curt Deslatte
 curtis.desla...@acs-inc.com
 
 
 
 -Original Message-
 From: bind-users-boun...@lists.isc.org
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
 Sent: Friday, April 03, 2009 1:08 PM
 To: Chris Buxton
 Cc: bind-users@lists.isc.org; bind-work...@lists.isc.org
 Subject: Re: 53/TCP port unresponsive
 
 
   There is no such version as BIND 9.5P1.
   There are both BIND 9.5.0-P1 and BIND 9.5.1-P1.
 
   If Mark is using BIND 9.5.0-P1 then I would recommend upgrading.
 
   Mark
 
 In message fd6f686b-c502-4166-8a46-3d547c3ea...@menandmice.com, Chris
 Buxton writes:
  We've seen this repeatedly with our customers, usually evidenced by
  slaves that stop refreshing and eventually expire the zone. It seems
  to happen most on Mac OS X and Solaris, and less often (or perhaps
  never) on Linux.
 
  named just stops listening on the TCP port. If you execute lsof -i:53,
  you'll see that it's still listening on 127.0.0.1:53/TCP, but not
  on some other interface. UDP seems to be unaffected by this.
 
  The only solution we've found is to stop and restart named.
 
  Chris Buxton
  Professional Services
  Men & Mice
 
  On Apr 2, 2009, at 5:26 PM, Mark Koehler wrote:
 
   Greetings.
  
   We have 4 masters (rsync'd together) and a pair of load balancers
   each of which distributes queries to any of the 4.  On the masters,
   we run Solaris 10 with BIND 9.5P1.  Recently, one of the 4 stopped
   using TCP on port 53, but UDP traffic continued unaffected.  What
   would cause the TCP port to stop?  The port was unresponsive from
   the backside of the load balancers, and no DNS TCP packets came from
   the server either.  Is there anything in BIND which would detect and
   block a potential DOS attack?
  
   Thanx,
   mrak

Re: ADDITIONAL Section Contains Wrong Data

2009-04-08 Thread Mark Andrews

In message 3d0aa5df-c7ce-4f43-ab30-bbf97f220...@roadrunner.com, Merton 
Campbell Crockett writes:
 Under what conditions would a response to a DNS query return a correct  
 answer but have in the AUTHORITY and ADDITIONAL sections the names and  
 addresses of the gTLD root servers?

If the answer was from a cache and the NS RRset for the
zone has timed out.
 
 I would have expected to see the domain names and addresses of the  
 UltraDNS name servers as they are the Registrar for the domain name  
 being queried.
 
 The query was part of the data captured on 06 April 2009 when  
 investigating a problem with Microsoft's Office Communicator.
 
 
 Merton Campbell Crockett
 m.c.crock...@roadrunner.com
 
 
 


Re: ip forwarding DNS 9.6.0

2009-04-09 Thread Mark Andrews

In message 83f1e37b-72bd-4454-8c2d-4fa91d5fc...@cs.moravian.edu, myron writes:
 On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
 
 
  In message d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu,  
  myron writes:
  I started reading up on Kirk's suggestions of the allow-*** settings.
  In the global options level
  I put
  options {
  directory   /etc/dns;
  allow-query-cache { any; };
  allow-query { any; };
  auth-nxdomain   yes;
  };
 
  and that definitely worked. By no means do I understand the paragraph
  below from the README.
  I need to mull over it for a while and determine where the options
  should go, whether globally or in a view
  and whether any is the right setting.
 
  Basically there are people using recursive DNS servers as
  amplifiers in DoS attacks by sending forged UDP queries.
  By restricting who can get access to the cache you reduce
  the effect of such queries to just anonymising the original
  query source.
 
  The defaults were changed so that only locally connected
  nets get recursive service and access to the cache.  This
  default is right for a large majority of the users of named.
  You should expand allow-query-cache to include all the
  networks you want to offer recursive service to.
 
  Mark
 
 I think I got it right. I just changed any to my network. It works.
 
 options {
  directory   /etc/dns;
  allow-query-cache { int-net; };
  allow-query { int-net; };

allow-query would normally be any; as you are normally
publishing zones to the world.

  auth-nxdomain   yes;
 };
 
 
 
  Thanks for all the help.
 
  --myron
  =
  Myron Kowalski
  MoCoSIN Network/Systems Administrator
  Moravian College
  my...@cs.moravian.edu


Re: Necessity of DNSSEC Lookaside Validation(DLV)

2009-04-09 Thread Mark Andrews

In message 
ofd3c12b6c.284d328a-on65257592.005ec291-65257593.002c4...@itc.co.in, Chandan 
Laskar writes:

 Thanks Bill.
 
 We have authoritative Name Server. Caching is not enable in the Name 
 Server.
 
 Also based on website 
 (http://www.netwidget.net/books/apress/dns/info/dlv.html), DLV is not an 
 IETF standardized feature and BIND 9.3.2 (We have 9.6.0-P1) is the current 
 recommended implementation Version. 

DLV fits into this section of RFC 4035.

5.  Authenticating DNS Responses

  The process for obtaining and authenticating this initial
   trust anchor is achieved via some external mechanism.  For example, a
   resolver could use some off-line authenticated exchange to obtain a
   zone's DNSKEY RR or to obtain a DS RR that identifies and
   authenticates a zone's DNSKEY RR.  

 So I am still not convinced about the necessity of DLV incorporation in our 
 Setup.

For an authoritative only setup I would be using TSIG to validate
the zone transfers as you have an existing trust relationship.

If you want other people to be able to validate the data
you publish you need to sign your zone and publish your
SEP's.  If your parent zone is not signed you can use DLV
as a substitute for the parent zone.
 
Mark
 Will be grateful if you provide me more suggestion.
 
 Thanks and regards, 
 Chandan Laskar 
 2nd Floor Data Center, ITC Center, 
 4, Russel Street, Kolkata - 700 016 
 Phone:(033)-22889900 Extn.: 3944 
  (0)-9830057396 (M) 
 
 
 
 Bill Larson wlla...@swcp.com 
 04/07/2009 09:30 PM
 
 To
 Chandan Laskar chandan.las...@itc.in
 cc
 bind-users@lists.isc.org
 Subject
 Re: Necessity of DNSSEC Lookaside Validation(DLV)
 
 
 
 
 
 
 On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:
 
 Hi, 
 We have deployed DNS on RHEL 5 Update 1. Below are the features of our DNS. 
 
 1. Implemented OS Security Best Practice ( e.g. Enable MD5 and shadow 
 passwords, Root Login Console Restricted, Configure SSH as an alternative 
 of Telnet e.t.c.). 
 2. Configured Openssl Version 0.9.8j. 
 3. Configured BIND 9.6.0-P1 with CHROOT Environment. So BIND is not 
 running as root user. 
 4. IPTABLES has been configured to block all the irrelevant ports.
 5. Allow Update Feature in named.conf is not changed. So, by default it is 
 'NO' 
  
 After all the above mentioned protection do we really need to incorporate 
 DNSSEC Lookaside Validation(DLV) in our DNS? 
 
 Suggestion Please. 
 
 Your implementation is protecting the DNS server itself - very good.  The 
 purpose of DLV is to ensure that the DNS data that your server provides, 
 and all DNSSEC data your server processes, is valid. 
 
 The DNSSEC/DLV configuration protects your DNS data from being spoofed 
 on another DNS server.  It also protects the DNS data that your server 
 may be handing out recursively from being compromised.  Protecting both 
 sides of the DNS service for your users is necessary (at least important).
 
 
 Can you avoid printing this?
 Think of the environment before printing the email.


Re: Fix bind 9.4.3_p2 cross-compilation

2009-04-18 Thread Mark Andrews

In message 20090418113920.2acbb...@jojo.scabb, Beber writes:
 exporting enable_epoll= makes bind-tools build, but this bypasses the epoll
 test.
 running configure with --enable-epoll doesn't change anything, it
 still fails on :
 ./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=i586-geode-linux-uclibc --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --enable-ipv6 --with-iconv --enable-epoll
 checking for kqueue... no
 checking epoll support... configure: error: cannot run test program while cross compiling
 See `config.log' for more details.
 
 -- 
 Beber

This is in the next maintenance release, yet to be released.
It's also in 9.6.1.

2521.   [bug]   Improve epoll cross compilation support. [RT #19047]

Index: configure.in
===
RCS file: /proj/cvs/prod/bind9/configure.in,v
retrieving revision 1.355.18.85
retrieving revision 1.355.18.94
diff -u -r1.355.18.85 -r1.355.18.94
--- configure.in21 Oct 2008 02:47:02 -  1.355.18.85
+++ configure.in15 Feb 2009 22:57:42 -  1.355.18.94
@@ -355,10 +355,10 @@
 # so we need to try running the code, not just test its existence.
 #
 AC_ARG_ENABLE(epoll,
-   [  --enable-epoll  use Linux epoll when available 
[[default=yes]]],
- want_epoll=$enableval,  want_epoll=yes)
+[  --enable-epoll  use Linux epoll when available [[default=auto]]],
+ want_epoll=$enableval,  want_epoll=auto)
 case $want_epoll in
-yes)
+auto)
AC_MSG_CHECKING(epoll support)
AC_TRY_RUN([
 #include sys/epoll.h
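Review bot: with the default changed from `yes` to `auto`, the `auto)` branch still goes through AC_TRY_RUN, which autoconf refuses to execute when cross compiling, so a cross build that does not pass --enable-epoll or --disable-epoll explicitly will still stop with "cannot run test program while cross compiling" unless AC_TRY_RUN is given its fourth, action-if-cross-compiling argument (the part of the call after `#include sys/epoll.h` is not visible in this hunk). Either add that argument with a conservative fallback to `#undef ISC_PLATFORM_HAVEEPOLL` plus an AC_MSG_RESULT, or state in the help string and the release note that cross builds must choose explicitly; the new `[[default=auto]]` text alone does not tell the reader that.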
@@ -373,6 +373,9 @@
[AC_MSG_RESULT(no)
ISC_PLATFORM_HAVEEPOLL=#undef ISC_PLATFORM_HAVEEPOLL])
;;
+yes)
+   ISC_PLATFORM_HAVEEPOLL=#define ISC_PLATFORM_HAVEEPOLL 1
+   ;;
 *)
ISC_PLATFORM_HAVEEPOLL=#undef ISC_PLATFORM_HAVEEPOLL
;;
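Review bot: the new `yes)` case sets `ISC_PLATFORM_HAVEEPOLL=#define ISC_PLATFORM_HAVEEPOLL 1` with no check at all, so `--enable-epoll` on a toolchain whose headers lack epoll is only caught at compile time, and nothing is printed under the "checking epoll support" prompt for this path. A compile-only probe that works when cross compiling (AC_CHECK_HEADER or AC_TRY_COMPILE on `sys/epoll.h`) before the define, with AC_MSG_RESULT(yes) or AC_MSG_ERROR on failure, would keep the forced path honest.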

