Re: [SPAM] Re: Split view multiple zones
Of course I could just copy and paste all the zones also in 'custom' view but it doubles the configuration size. On 27.01.09 17:26, Chris Burton wrote: I've been using an include file for zones common between multiple views, it might help in your case too. I'm afraid they won't eat the same memory, but each view its own memory. Can anyone confirm, and if I'm right, tell me that it will be better in next BIND releases? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N) ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Split view multiple zones
In message 49800cfd.nihabiqjcalhfl+u%akos...@andykosela.com, Andy Kosela writ
es:
Reinis Rozitis r...@roze.lv wrote:
I've been using an include file for zones common between multiple
views, might help in your case too.
Thanks somehow didnt think about this way. Pretty much takes to
acceptable solution :)
Yes, include statement is the best option especially if you have a lot
of zones. That aproach also works great if you need to provide
recursion for some of your clients *and* serve authoritative records for
the rest of the world. By creating multiple views you can also easily
disable answering queries for . to unknown clients.
view internal {
match-clients { LAN; };
recursion yes;
include zones;
};
view external {
match-clients { any; };
recursion no;
additional-from-cache no;
include zones;
};
Or just run a currently supported version and specify
options {
allow-recursion { LAN; };
};
include zones;
and achieve the same thing for half the memory footprint and
not have to worry about different views clobbering the same
masterfiles.
Mark
--Andy
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
On 27.01.09 10:18, Al Stu wrote: I not only say it, I have demonstrated it. But you have demonstrated something different than we're discussing all the time. BIND is the DNS system we are discussing. Have not looked to see if that specifically is spec'ed in an RFC. Yes other DNS implementations do return both the A and CNAME. It depends on the query sent. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fighting for peace is like fucking for virginity... ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: disableing EDNS messages bind-9.5.0
Dean Clapper wrote:
I'm trying to troubleshoot why we are getting a lot of disabling EDNS
messages in /var/log/messages.
We are running bind-9.5.0.P2 on a linux box.
[...]
Jan 27 11:43:39 ns0 named[27764]: too many timeouts resolving
'196.198.117.216.zen.spamhaus.org/A' (in 'zen.spamhaus.org'?):
disabling EDNS
I started receiving these messages after updating from 9.4 - 9.5.
I've found a couple places to test packet sizes, but have not had any
problem. The messages about zen.spamhaus.org leads me to possibly
email related issues.
On 28.01.09 08:04, Danny Thomas wrote:
add category edns-disabled { null; };
after verifying your nameserver(s) have an EDNS0 clear path
by trying the 2 tests mentioned below by Mark Andrews.
I strongly recommend you upgrading the BIND first. Later versions issue that
message much less often.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: contacting a external nameserver
In that case you can use either views or a split dns Regards. Serge Fonville On Wed, Jan 28, 2009 at 12:44 AM, Luis Silva luisfilsi...@gmail.com wrote: Yes, basically what I need is a forwarder. Basically I want an internal network but external queries must be handled by another server. Thanks a lot for the quick reply. Kind Regards, Luis On Tue, Jan 27, 2009 at 6:51 PM, Serge Fonville serge.fonvi...@gmail.comwrote: I should have sent this to the list On Tue, Jan 27, 2009 at 11:42 AM, Serge Fonville serge.fonvi...@gmail.com wrote: Hi, Not sure what your endgoal is, but... If you want a specific zone to be queried on the external nameserver, you can create a forward zone. If you want all unresolvable queries to be forwarded to a specific nameserver, you can define forwarders. Perhaps some information about what your end result should be instead of suggesting solutions up front can be of use. Hope this helps. Regards, Serge Fonville On 1/27/09, Luis Silva luisfilsi...@gmail.com wrote: Hi all, I'm having a question related to querying external servers that hope you could answer me. I'm sending a iterative query for an external server and the server is sending a referral answer but only with the authoritive name servers. After that, i send a query A asking the nameservers ip addresses. This A query is supposed to be a recursive query or must be a iterative one? Is there a standard that talks about this? thanks in advance. Kind regards, Luis ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What are these entries in the log file - query: . IN NS +?
Sorry remembered wrong, it's not free. But not that expensive either. Yeah now I remember, I browsed for a free firewall for server platform for days, but didn't find any. But have been very happy with the Net Firewall. Jukka Tony Toews [MVP] tto...@telusplanet.net kirjoitti viestissä:p3evn4t6r9spme6ardiqbohjvlt99vt...@4ax.com... Jukka Pakkanen jukka.pakka...@qnet.fi wrote: There are many free third party firewall packages that can be run in Window= s = 2003 Server, we use the Net Firewall. Do you have a URL? I found http://www.ntkernel.com/wp.php?id=18 but it's not free. I'm also going to ask my fellow MVPs as well. Tony -- Tony Toews, Microsoft Access MVP Please respond only in the newsgroups so that others can read the entire thread of messages. Microsoft Access Links, Hints, Tips Accounting Systems at http://www.granite.ab.ca/accsmstr.htm Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
wildcarding everything
Hello, I am wondering the technical possibility of a DNS change. Even if it is technically possible, I also want to make sure it is compliant as well. I would like to resolve any and all requests to a fixed IP, if there is no zone in place. While I understand I can create a zone for *.example.com and resolve all of the * portion to an A record and further have a web server take over... What I am looking to do now, is have the very act of having my two NS's listed as NS's with their domain, resolve to an A record. Essentially, wildcard the entire DNS machine. There may be cases where a real zone is put in place, to a different A record, and that would need to take priority, but if it does not, I would like to resolve it. The NS's in question will not be answering for recursive queries, so I am not worried about local requests getting hijacked or mis-routed. An example would be: some-domain-foo.com is registered. My NS of ns-me.example.com is set up and working, but does not have some-domain-foo.com entered as a zone. When a request comes in for some-domain-foo.com I want an A record for an IP of my choice, also for www.some-domain-foo.com as well. Possible? Acceptable? Thanks. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
reg - BIND 9.3.0 - CVE-2009-0025
Hi Folks, This is regarding the recent security threat CVE-2009-0025. We are using DNS 9.3.0 and unfortunately, we cannot upgrade (management issues) to 9.3.6 (As suggested in ISC website) ISC's website suggests to Upgrade OpenSSL to at least OpenSSL 0.9.8j and then to upgrade to 9.3.6-P1. Could you please advice how can I upgrade OpenSSL? Since we could not upgrade DNS is there any other alternative for us. Could we apply the same patch of 9.3.6-P1 on 9.3.0? Will it help resolving this issue? Do I need to change code somewhere? Kindly suggest what exactly I could do and what options I have to resolve this issue. Thank you in advance for all your help. Ashish Rao Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.4.x vs 9.6.x - pid-file check and creation
In article glp3rc$23p...@sf1.isc.org, Jan Arild =?iso-8859-1?Q?Lindstr=F8m?= j...@telenor.net wrote: Hi, ah, of course. I did not think about it as a Solaris bug. I patched BIND 9.6.0-P1 os.c code so it first checks for the diretory before it tries the fast approach of just running mkdir. And that of course works fine. But, since I do not want to run a self-patch BIND in production, I will instead run with pid-file /var/run/named/named/named.pid and be happy with that. Just wondering. Since /var/run is a swap (memory) based file system, do you have to recreate those directories on each reboot? Thanks Jan Arild Lindstr At 15:35 27/01/2009, Mark Andrews wrote: Looking at the publically available parts of SunSolve there are at least bug reports about it. Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth= er xxxfs_mkdir() functions. | Open in a new window bug 6253984 http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-6253984-1 - Sep = 10, 2007 = Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth= er xxxfs_mkdir() functions. | Open in a new window bug 2152581 http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-2152581-1 - Sep = 10, 2007 = I don't have a copy of the POSIX standard that covers mkdir(2) to see what it has to say about it. Historically however EACCES on search failure, EEXIST if the file/directory exists, then EACCES on parent directory write permissions was the error determination order. Mark -- = Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Tom Schulz sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: wildcarding everything
What specifically are you intending to wildcard? com.? net.? .? If so, then you would be implicitly making your name servers authoritative for domains for which your servers are not supposed to be authoritative. Ben Bridges -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Scott Haneda Sent: Wednesday, January 28, 2009 3:31 AM To: bind-users@lists.isc.org Subject: wildcarding everything Hello, I am wondering the technical possibility of a DNS change. Even if it is technically possible, I also want to make sure it is compliant as well. I would like to resolve any and all requests to a fixed IP, if there is no zone in place. While I understand I can create a zone for *.example.com and resolve all of the * portion to an A record and further have a web server take over... What I am looking to do now, is have the very act of having my two NS's listed as NS's with their domain, resolve to an A record. Essentially, wildcard the entire DNS machine. There may be cases where a real zone is put in place, to a different A record, and that would need to take priority, but if it does not, I would like to resolve it. The NS's in question will not be answering for recursive queries, so I am not worried about local requests getting hijacked or mis-routed. An example would be: some-domain-foo.com is registered. My NS of ns-me.example.com is set up and working, but does not have some-domain-foo.com entered as a zone. When a request comes in for some-domain-foo.com I want an A record for an IP of my choice, also for www.some-domain-foo.com as well. Possible? Acceptable? Thanks. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What are these entries in the log file - query: . IN NS +?
In message fl82o4hqjudbc65bkfk08ilg3lmk4hq...@4ax.com, Tony Toews [MVP] wri tes: Tony Toews [MVP] tto...@telusplanet.net wrote: FWIW In the last 28 hours I have the following alleged IP addresses and coun t in my log file. Real lookups 1665 204.15.80.50 4 3.217.28.226 1144 4.57.246.146 9541 6.9.16.171 577 63.217.28.2261463 64.57.246.14635163 65.173.218.961 67.192.144.0 1488 7.192.144.0 12054 76.9.16.171 1033 FWIW in the last 26 hours. Real Lookups 1673 0.86.80.9814051 So who isn't doing even loose URPF? 0/8 is totally bogus and is a attack directed at you. 4.57.246.123 4425 4.57.246.146 22719 6.9.16.171419 64.57.246.123 4885 64.57.246.146 25023 67.192.144.0 825 7.192.144.0 696 70.86.80.98 9317 76.9.16.171 295 So some have disappeared and new ones added. Tony -- Tony Toews, Microsoft Access MVP Please respond only in the newsgroups so that others can read the entire thread of messages. Microsoft Access Links, Hints, Tips Accounting Systems at http://www.granite.ab.ca/accsmstr.htm Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named and database backed systems
Hello, my past post about wildcarding the . in a named server seems it may be wrought with issues in the long term. In short, my issues is a auto website creation tool that needs to be simple for users to change their registrar data, and have their site be served up. The old method works, but is being outgrown, I can come in and try to solve it with scripts to sync the website to local named files, but it will always be a battle. I am coming up short on finding any database backed store for named. I think sqllite would be the best for raw performance, but then again, even a million records in mysql is trivial. I am just worried about volume of selects. Can anyone point me to any info on database backed named solutions? Thank you named users, you are all very helpful. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: wildcarding everything
On Jan 28, 2009, at 3:34 PM, Mark Andrews wrote: In message 30e0039f-b0fd-4322-b0e0-52eeefa76...@newgeo.com, Scott Haneda writ es: I can remove the entire DNS management, zone creation, and deltion if I wildcard. Any domain in which they enter in my clients ns's will resolve automatically as soon as the whois updates. Actually you can't. You will end up returning answers that will be rejected. If the registrar does any sort of checking the registration will also be rejected. Ok, thanks. So with this, it is a safe estimation, all these domain parking systems actually create DNS records on the fly for their users? I can not imagine someone as large as godaddy with such inferior support, and a rather terrible web interface, actually getting this right most of the time. -- Scott ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named and database backed systems
Use the DLZ extension. It's been around for a while.
I.e. put the following in your named.conf and use whatever interface you
wish. I use Ant with a few modifications. I don't have nearly the
number of domains that you do so my simple system works fine.
dlz postgres zone {
database postgres 2
{host=localhost dbname=dns_data user=bind password=xx}
{SELECT 'TRUE' FROM canonical WHERE lower(content) =
lower('%zone%') limit 1}
{SELECT ttl, type, priority, data FROM record, canonical WHERE
lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain}
{}
{SELECT ttl, type, host, priority, data FROM record, canonical
WHERE zone = domain AND lower(content) = lower('%zone%')}
{SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND
lower(content) = lower('%zone%') AND client = inet '%client%'};
};
Rather spiffy for centralizing your record store with immediate change
visibility.
-david
Scott Haneda wrote:
Hello, my past post about wildcarding the . in a named server seems
it may be wrought with issues in the long term.
In short, my issues is a auto website creation tool that needs to be
simple for users to change their registrar data, and have their site
be served up.
The old method works, but is being outgrown, I can come in and try to
solve it with scripts to sync the website to local named files, but it
will always be a battle.
I am coming up short on finding any database backed store for named.
I think sqllite would be the best for raw performance, but then again,
even a million records in mysql is trivial. I am just worried about
volume of selects.
Can anyone point me to any info on database backed named solutions?
Thank you named users, you are all very helpful.
--
Scott
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail
on a small device.
VERY NOT-IMPORTANT NOT-LEGAL NOTICES:
Recalling a message does in no way delete it from my computer. Rather, it
brings attention to your original email and recalling it causes me to search
for a reason to find embarrassment. Please don't send message recall messages.
It's silly and obnoxious and wastes even more bandwidth and patience.
Regardless of what legal message you append to your email message, I am not
obligated or constrained in any way shape or form. If I feel like printing it
outand taping it up at the local gym, or mass mailing it to 15,000 people, I
will. I feel especially inclined to do so the longer your legal advisory is.
Such notices are unenforceable and do not protect you or your company from
things you say, or things others do with the email.
Millions of innocent men, women and children, since the introduction of
Christianity, have been burnt, tortured, fined, imprisoned; yet we have not
advancedone inch towards uniformity. What has been the effect of coercion? To
make half the world fools, and the other half hypocrites. --Thomas Jefferson
This message is confidential to the Internet at large, unless otherwise
indicated or apparent from its nature. It may not be reproduced on Mars unless
it has previously been printed on Uranus. This message is directed to the
intended recipient only (usually everyone, but sometimes nobody and once in a
blue moon, just somebody), who may be readily determined by the sender of this
message and its contents. This email message (including any attachments) is not
for the sole use of the intended recipient(s) and may or may not contain
confidential, proprietary and privileged information. It may include sarcastic
holier than tho content. If the reader of this message is not the intended
recipient, or an employee or agent responsible for delivering this message to
the intended recipient: (a) any dissemination or copying of this message is
strictly prohibited unless you feel otherwise; and (b) immediately notify the
sender by return message (but only if the sun has gone black) and de
stroy any copies of this message in any form (electronic, paper or carved in
stone) that you have. Please destroy by smashing your computer with a 21lb
sledge hammer approximately 17 times to ensure destruction of your system. Any
unauthorized review, use, disclosure or distribution is most assuredly not
prohibited and you will not IMMEDIATELY be PROSECUTED to the fullest ... or
emptiest ... extent of the law. If you are not the intended recipient, please
immediately notify some random person of your age, sex, and location and your
undying desire to fornicate with them by email and destroy all copies of the
original message if you sent it to an underage person. Oh, and definitely
don't tell me about it. The delivery of this message and its information is
neither intended to be nor
Re: named and database backed systems
Damnit, ever time I search this stuff out, I search for named
something-or-other and should use BIND in my search :)
I am going to test deploy on my worksation on OS X. Named comes up
with relative ease, just add a key and I am pretty much up and
running, albeit out of date, but for testing, I am ok with that.
Are you telling me I need not even build named to get DLZ support? It
is just there already?
I see you are using postgress, mysql or sqllite should not be an issue
either?
Zones are backed in DB, but not queried in real time are there? If
they are, I can see, sub 50ms return times going way up.
Thanks for pointing me in the right direction, I will go read the DLZ
pages now.
On Jan 28, 2009, at 10:25 PM, David Ford wrote:
Use the DLZ extension. It's been around for a while.
I.e. put the following in your named.conf and use whatever interface
you
wish. I use Ant with a few modifications. I don't have nearly the
number of domains that you do so my simple system works fine.
dlz postgres zone {
database postgres 2
{host=localhost dbname=dns_data user=bind
password=xx}
{SELECT 'TRUE' FROM canonical WHERE lower(content) =
lower('%zone%') limit 1}
{SELECT ttl, type, priority, data FROM record, canonical WHERE
lower(content) = lower('%zone%') AND host = '%record%' AND zone =
domain}
{}
{SELECT ttl, type, host, priority, data FROM record, canonical
WHERE zone = domain AND lower(content) = lower('%zone%')}
{SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND
lower(content) = lower('%zone%') AND client = inet '%client%'};
};
Rather spiffy for centralizing your record store with immediate change
visibility.
--
Scott
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: named and database backed systems
In message 29c7b7bc-f017-4404-b011-8b50206c7...@newgeo.com, Scott Haneda writ
es:
Damnit, ever time I search this stuff out, I search for named
something-or-other and should use BIND in my search :)
I am going to test deploy on my worksation on OS X. Named comes up
with relative ease, just add a key and I am pretty much up and
running, albeit out of date, but for testing, I am ok with that.
Are you telling me I need not even build named to get DLZ support? It
is just there already?
You have to tell configure that you want it. It's still
contributed code.
I see you are using postgress, mysql or sqllite should not be an issue
either?
Zones are backed in DB, but not queried in real time are there? If
they are, I can see, sub 50ms return times going way up.
Thanks for pointing me in the right direction, I will go read the DLZ
pages now.
On Jan 28, 2009, at 10:25 PM, David Ford wrote:
Use the DLZ extension. It's been around for a while.
I.e. put the following in your named.conf and use whatever interface
you
wish. I use Ant with a few modifications. I don't have nearly the
number of domains that you do so my simple system works fine.
dlz postgres zone {
database postgres 2
{host=localhost dbname=dns_data user=bind
password=xx}
{SELECT 'TRUE' FROM canonical WHERE lower(content) =
lower('%zone%') limit 1}
{SELECT ttl, type, priority, data FROM record, canonical WHERE
lower(content) = lower('%zone%') AND host = '%record%' AND zone =
domain}
{}
{SELECT ttl, type, host, priority, data FROM record, canonical
WHERE zone = domain AND lower(content) = lower('%zone%')}
{SELECT 'TRUE' FROM xfr, canonical WHERE zone = domain AND
lower(content) = lower('%zone%') AND client = inet '%client%'};
};
Rather spiffy for centralizing your record store with immediate change
visibility.
--
Scott
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
