What new DS record? The KSKs aren’t changing, are they? Why would they?
All that is changing is the NS RRset (and maybe SOA if you’re changing the
MNAME).
If the NS glue in the parent doesn’t agree with the canonical NS RRset in
the child, this is not a DNSSEC fail. This is as easy as changing an
rndc dumpdb
rndc flushtree gov
Did that help? Going back to the dumped cache, what do the relevant names
have in there?
On Tue, Mar 14, 2023 at 5:46 PM Alexandra Yang wrote:
> Hi Mark,
>
> We noticed the problem because clients can't resolve
> www.federalregister.gov, hosted by ns3.gpo.gov and
That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
action. Something is wrong with your configuration.
On Fri, Jun 16, 2023 at 1:39 PM wrote:
>
>
> Hello
>
> For monitoring reasons I try to change the return code of a domain name
> from "SERVFAIL" to "NXDOMAIN" with the rpz
Pretty much a precise use case for RPZ (Response Policy Zones). Google it
or search the BIND docs for RPZ.
On Sun, Jun 18, 2023 at 8:37 PM public1020 via bind-users <
bind-users@lists.isc.org> wrote:
> I need to hijack certain domains and not their subdomains, so I use dnsmasq
> to achieve it:
>
>
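An RPZ zone that does what the two replies above describe (return NXDOMAIN for a name, and act on a domain without touching its subdomains), added here as an example; it is not from the original posts, and every name, address and the zone name `rpz.local` are placeholders:

```zone
; Added example (not from the original posts): an RPZ zone that sinks
; example.com itself but leaves its subdomains alone, and shows the
; other common actions. All names and addresses here are placeholders.
$TTL 300
$ORIGIN rpz.local.
@                   IN SOA  localhost. hostmaster.localhost. (
                            2024010101 3600 900 604800 300 )
                    IN NS   localhost.

; QNAME trigger for the exact name only: "example.com" is rewritten,
; "www.example.com" is not, because there is no wildcard entry.
example.com         IN CNAME .            ; NXDOMAIN

; To cover the subdomains as well you need the wildcard entry too:
; *.example.com     IN CNAME .

; NODATA (NOERROR with an empty answer) instead of NXDOMAIN
tracker.example.net IN CNAME *.

; Local data: answer with an address you control (a sinkhole, say)
ads.example.org     IN A     192.0.2.1
*.ads.example.org   IN A     192.0.2.1

; Exempt a name from policy; the first zone with a match wins, so a
; passthru here also stops later zones in response-policy from acting
safe.example.org    IN CNAME rpz-passthru.

; Trigger on the answer's address rather than the queried name:
; any A record inside 203.0.113.0/24 -> NXDOMAIN (prefix length first,
; then the reversed octets)
24.0.113.0.203.rpz-ip        IN CNAME .

; Trigger on the name servers of the answer. This needs the NS data,
; which the resolver only has if it recursed to find the answer.
ns1.example.net.rpz-nsdname  IN CNAME .
```

SERVFAIL is not one of the encodable actions: `CNAME .` is NXDOMAIN, `CNAME *.` is NODATA, `rpz-passthru.` exempts, `rpz-drop.` discards and `rpz-tcp-only.` forces TCP; anything else is local data. Check the file with `named-checkzone rpz.local db.rpz.local` before loading it.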
Ancient BIND version, but won’t mention it beyond that. Others are going to.
This should work fine. Having multiple levels of labels in the zone
shouldn’t be a problem. But you’re not providing enough detail to
troubleshoot. You’re going to have to show the config and zone files to
really get any
Preface: Please don’t read any judgement of DNSSEC’s value into this
question. Just looking for the opportunity to understand DNSSEC better from
some world-class experts if any care to respond.
When a client (or any DNS-speaker) is doing validation, doesn’t it set CD
on queries through a forwarder
https://bind.readthedocs.io/_/downloads/en/v9.18.21/pdf/
On Thu, Dec 21, 2023 at 9:59 AM Fred Morris wrote:
> (Intentionally posting to the mailing list with that string since that
> was the commit message where it occurred. Hopefully this will improve
> findability.)
>
> So, yeah.
>
> I'll tak
I am upgrading and redeploying some authoritative-only BIND servers. Two
questions about some fine points:
What to set 'dnssec-validation'? Just let it default to 'auto?' There is no
need or opportunity for an authoritative-only server to validate (right?).
Should we actively switch it off, set it
es at all, please take a look at this article.
https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries
Hope that helps.
Greg
On Thu, 28 Mar 2024 at 06:15, Crist Clark wrote:
I am upgrading and redeploying some authoritative-only BIND servers. Two
questions about some
First, yes, I know. Their DNS is broken. They should fix their DNS. We
shouldn't need to make QNAME-minimization work around broken DNS.
Name and shame a domain name in question,
e1083.d.akamaiedge.akamai.csd.disa.mil
The problem I see: akamai.csd.disa.mil is a delegated zone. All four name
I've just set up an RPZ using a third party feed. I am getting lots and
lots of "info" and "warning" messages in the logs. However, I am not sure
whether they actually are indicative of a problem that may be impacting
operations or just a "nice to know" about something over which I have no
contro
From the initial mail: "This is BIND 9.9.2 (Infoblox 6.7.3)."
No huge increase in resource usage noted.
On Mon, Nov 11, 2013 at 1:47 AM, Phil Mayers wrote:
> On 08/11/13 23:52, Crist Clark wrote:
>
>> I've just set up an RPZ using a third party feed. I am getting
On Tue, Nov 12, 2013 at 09:14:24AM -0500, Alan Clegg wrote:
>
> On Nov 12, 2013, at 12:13 AM, Crist Clark wrote:
>
> > From the initial mail: "This is BIND 9.9.2 (Infoblox 6.7.3)."
> >
> > No huge increase in resource usage noted.
>
> Has
I am seeing that even with a zone included in an RPZ, the BIND server is
still going out to the Internet to resolve the name. I was hoping the RPZ
entry would stop processing short of that.
I have "some.bad.domain.tld" returning NODATA. The client is getting the
response I expect. The SOA is for t
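The resolver side of RPZ, as an added example that is not from the original post. It covers the two behaviours raised above: the server still recursing for a name that is in the policy zone, and a SERVFAIL showing up where a policy answer was expected. The zone name and file path are placeholders; the options themselves are documented BIND `response-policy` settings.

```conf
// Added example (not from the original post): the resolver side of RPZ.
// Zone name and file path are placeholders.
options {
    recursion yes;
    response-policy {
        // "policy given" applies whatever action each RPZ record encodes;
        // "policy nxdomain" or "policy nodata" would override every record.
        zone "rpz.local" policy given log yes;
    }
    // Apply QNAME and client-IP triggers before recursing. With the default
    // ("yes") named first resolves the name normally, so a listed name still
    // causes upstream queries, and if that lookup fails you can end up with
    // the upstream failure instead of the policy answer.
    qname-wait-recurse no
    // Optional: rewrite even when the client set DO and the data is signed.
    // By default such responses are left alone so validation is not broken.
    break-dnssec yes;
};

// The policy zone itself: loaded locally, never served to clients directly.
zone "rpz.local" {
    type master;            // "primary" on BIND 9.16 and later
    file "/var/named/db.rpz.local";
    allow-query { none; };
    allow-transfer { none; };
};
```

After `rndc reconfig`, a query for a listed name should come back with the policy answer and nothing should appear in a packet capture towards the Internet for that name; `log yes` writes every rewrite to the `rpz` logging category, which is the easiest way to confirm the rule fired.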
It looks like it worked. Your test is asking for A records, not the TXT
records for the name. Try,
$ dig _acme-challenge.imap.lrau.net. txt @localhost
On Sat, Mar 14, 2020 at 10:31 AM Axel Rau wrote:
>
>
> Am 14.03.2020 um 18:14 schrieb Chuck Aurora :
>
> it seems, the dynamic update protocol
Not sure I understand why you need to do anything except change the
authoritative NS records in the zone and in the delegation at the
registrar. You also only really need to decrease the TTL on the NS
records, not all of the records in the zone. Why touch any keys and
the corresponding DS records?
From release notes:
Notes for BIND 9.16.1
Known Issues
UDP network ports used for listening can no longer simultaneously be used
for sending traffic. An example configuration which triggers this issue
would be one which uses the same address:port pair for listen-on(-v6)
statements as for notify-
forward only;
On Fri, Mar 5, 2021 at 5:19 PM Marki wrote:
> Hello,
>
> I am seeking a combination of either a combined configuration on one, or
> a config of several different DNS servers together to achieve the
> following:
> * Some clients should be able to resolve authoritative local zones as
forward everything else somewhere else. The
> requirement is to _only_ resolve local stuff for some clients.
> On 3/6/2021 8:48 PM, Crist Clark wrote:
>
> forward only;
>
> On Fri, Mar 5, 2021 at 5:19 PM Marki wrote:
>
>> Hello,
>>
>> I am seeking a combination of eith
e to specify a fake global forwarder which looks
> like a hack.
>
>
> On March 7, 2021 10:09:49 AM GMT+01:00, Crist Clark <
> cjc+bind-us...@pumpky.net> wrote:
>>
>> Two views. The view that does not do internet DNS claims authority for
>> the root and
So why doesn’t it work to make your limited server authoritative for the
root and only forward the zones you want? Anything that isn’t in a
forwarded zone does not exist (except the root itself).
On Sat, Apr 17, 2021 at 11:07 PM Marki wrote:
>
> On 4/14/2021 12:44 AM, Sebby, Brian A. via bind-us
Maybe a little confused here, but BIND won’t try another server if it gets
an answer. It will only try another forwarder if the query fails.
On Wed, Sep 29, 2021 at 12:21 AM Sonal Pahuja
wrote:
> Hi All,
>
>
>
> Is there any option to set recursion =1 in named.conf file for the zone. I
> just wa
No idea if this is the best way. It is a way.
Do you control any other zone? Let’s say you own “example.com.” You can
tell ISC DHCP to build the reverse zone at an arbitrary base name instead
of in-addr.arpa.
Configure DHCP to put the reverse records at say, “rev.example.com.” So
you’ll get recor
127.0.0.1;
> key DDNS_UPDATE;
> }
> zone 186.198.193.dhcp. {
> primary 127.0.0.1;
> key DDNS_UPDATE;
> }
>
> However, don't I have to convince people managing bjesomar.srce.hr to be
> a slave server for the "186.198.193.dhcp" zone? Or the dy
w the system will behave without testing it with real life production load
on Monday :-)
On 12/11/2021 11:18 PM, Crist Clark wrote:
Looks like you're trying to use the setup in that serverfault link.
That example only works on an internal network. I thought the
186.198.193. part was enough
You didn’t share much of your configuration except the one forwarded zone,
not a lot to go on.
But one thing to check, you do have recursion enabled on the server?
On Mon, Feb 28, 2022 at 6:34 PM Gregory Sloop wrote:
> Wow. I hate to be the guy who looks the gift horse in the mouth - but that
>
Probably.
Maybe check for any log messages from BIND. Do packet capture to see
exactly what's happening to the TCP.
On Tue, Apr 19, 2022 at 10:12 PM rams wrote:
> Hi,
> We are getting the following error when we query for the 25M zone with
> axfr .
>
> ]# dig @localhost 25million.com axfr |tail
Anyone out there trying to dump dnstap data into Splunk in
real-time or near-real-time?
I was frankly kind of surprised when I searched the Splunk docs
site and got "No results. We did not find any pages on Splunk.com
that matched dnstap."
Googling didn't fare a whole lot better. But this must b
As far as I know, GSS-TSIG is only used for DNS updates, not zone transfers.
https://bind9.readthedocs.io/en/v9_16_5/advanced.html#dynamic-update
Sorry, don't know what capabilities AD has for securing zone transfers
beyond IP ACLs, which of course is not much security at all. I've never had
luck
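What the BIND end of a transfer looks like when it is locked to a TSIG key rather than an IP ACL, as an added example that is not from the original post. The key name, the secret and the addresses are placeholders; the primary and secondary fragments belong in two different named.conf files and are only shown together.

```conf
// Added example (not from the original post): restricting zone transfers
// with a TSIG key instead of an IP ACL. Key name, secret and addresses
// are placeholders; generate a real secret with: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1tYXRlcmlhbC1yZXBsYWNlLW1lCg==";   // placeholder
};

// --- Primary ---
// Only signed AXFR/IXFR requests get the zone. An address-only ACL
// ("allow-transfer { 192.0.2.53; };") proves nothing but the source
// address, and a transfer is still readable by anyone on the path.
zone "example.com" {
    type master;
    file "/var/named/db.example.com";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };
};

// --- Secondary ---
// Sign every message sent to the primary with the same key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};
zone "example.com" {
    type slave;
    file "/var/named/sec/db.example.com";
    masters { 192.0.2.1; };
};
```

TSIG authenticates and integrity-protects the transfer; it does not encrypt it, so the secret only stops a stranger from pulling the zone, not from reading it in transit. Test from the secondary with `dig @192.0.2.1 example.com axfr -k /path/to/xfer-key.conf`; the same query without `-k` should be refused.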
DNSViz is usually the go-to tool when trouble shooting
is-it-me-or-is-it-them DNSSEC issues, but it’s thorough enough to help for
a lot more general problems too.
Someone else has been using it to check that name,
https://dnsviz.net/d/www.ecb.europa.eu/dnssec/
The only thing that pops up that mi
As far as BIND is concerned, this is arbitrary text in a TXT record. It
doesn’t know or care about SPF syntax within it.
It sounds like you’re having webmin problems, not BIND.
On Fri, Jul 8, 2022 at 9:08 AM Ondřej Surý wrote:
>
> > On 8. 7. 2022, at 18:05, Roberto Carna wrote:
> >
> > using t
Windows Subsystem for Linux (WSL) is easy enough to install. BIND, tools
included, will run just fine in there.
On Fri, Sep 9, 2022 at 7:35 AM Brown, William wrote:
> After I hit send, I thought I should add this request to ISC:
>
>
>
> Can you keep supporting dig (and perhaps other select tools
Also should point out that when you do a +trace, your /etc/resolv.conf is
irrelevant since dig is going to try to figure things out from the root on
its own.
The fact you were careful to talk about your resolv.conf signals that you
may not be troubleshooting whatever you think you are.
What is th
On Sat, Oct 22, 2022 at 3:20 PM Sandro wrote:
[snip]
> Doing favors for the better good does not seem to be in their
> dictionary. Look at DNSSEC.
>
Do you mean signing their domains or their public resolver services?
https://developers.google.com/speed/public-dns/faq
Does Google Public DNS su
The statement that a BIND secondary only uses one file is incorrect. A
secondary will write IXFR data to a journal file, a jnl file.
But as has been stated earlier in the thread, a secondary is not involved
in any way in signing a zone. One way to possibly make more sense of this is
to consider how
Not exactly sure what you are doing since we don’t see what records you’re
trying to add, but it sounds like you are “attempting to add a CNAME
alongside a non-CNAME” which doesn’t make sense and will fail.
A CNAME means "use the records for this other name whenever this name is
queried.” It does
On Thu, Oct 25, 2018 at 2:57 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:
> On 10/25/18 2:34 PM, N6Ghost wrote:
>
[snip]
>
> > next, we were a bind shop but switched to infoblox for some stuff and
> > now outgrew it. and are going back to bind.
> >
> > but we started using
In SRX speak:
# set security alg dns disable
To verify status of DNS and other ALGs:
show security alg status
The DNS ALG is one of those enabled by default and must be explicitly
disabled to turn it off.
On Fri, Jan 18, 2019 at 1:14 PM N. Max Pierson
wrote:
> The 2 servers that pass th
You need to explicitly define the root zone. Last I knew, BIND still
gets the root zone hardcoded into the executable and will try to Do
the Right Thing and find the root on its own even if the administrator
does not define one or provide hints.
You need something like,
zone "." {
type master
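A complete configuration for the two ideas in these replies, added here as an example (it is not from the original posts): the earlier suggestion of a view that is authoritative for the root and forwards only the zones you want (with `forward only;`), and this reply's point that the root zone has to be defined explicitly or named will fall back on its compiled-in root hints. Networks, zone names, forwarder addresses and file paths are all placeholders.

```conf
// Added example (not from the original posts): a view that is authoritative
// for the root and forwards only selected zones, next to a normal recursive
// view. Networks, zone names, addresses and file paths are placeholders.
acl "restricted-clients" { 10.10.0.0/16; };
acl "full-clients"       { 10.0.0.0/8; };

// Views are tried in order; the narrower ACL must come first.
view "restricted" {
    match-clients { "restricted-clients"; };
    recursion yes;               // forwarding only happens with recursion on

    // Anything not covered by a more specific zone below lands in this empty
    // root zone and gets an authoritative NXDOMAIN. No hints file, no
    // compiled-in root servers, nothing leaves the network.
    zone "." {
        type master;
        file "/var/named/db.empty-root";
    };

    // The only names these clients may resolve.
    zone "corp.example" {
        type forward;
        forward only;
        forwarders { 10.0.0.53; };
    };
    zone "10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.0.0.53; };
    };
};

view "full" {
    match-clients { "full-clients"; };
    recursion yes;               // ordinary resolution from the real root
};
```

`db.empty-root` needs nothing beyond an SOA and an NS for `.` (for instance `@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300` and `@ IN NS localhost.`). From a restricted client, `dig www.example.net` should answer NXDOMAIN with the AA bit set and `dig host.corp.example` should be answered by the forwarder; `named-checkconf -z` will catch a view whose root zone file is missing before you restart.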
Local firewall rules on the server? Did you have to make any firewall
changes for IPv4? Did you do the same for IPv6?
On Mon, Mar 18, 2019 at 10:20 PM Mark Andrews wrote:
>
> On the server run "dig version.bind txt ch @::1". This should get a response
> and
> work from there. e.g. "dig version
In order to make the determination whether to apply an rpz-nsip rule,
the DNS server must have the NS records and their corresponding A
records. In a recursive resolver, it would have had to lookup said NS
and A records to find the answer to the query, so they are cached and
available. In a forward
This isn’t really a BIND or DNS problem. There is not a standard way to do
this.
If you’re going for some kind of automation or orchestration of these
services, there are a bunch of different places to build this in, depending
on the tools you are using.
You did mention ISC DHCP. One approach wou
We have a service vendor with broken DNS. It looks like a well known
problem of F5 load balancers. For the name,
efederation.wip.ceridian.com (you get redirected there from
https://iam.ceridian.com)
The DNS "servers" return an answer for an A request, but when you ask
for any other record typ
If you want it to chase down the CNAME target data from another zone,
you're asking for recursion, not authoritative-only, so those results make
perfect sense.
Think of it this way. The fact both zones happen to be served by the same
name server is irrelevant. You should get the same authoritative