Re: [SPAM] Re: Split view multiple zones
> Of course I could just copy and paste all the zones also in 'custom' view, but it doubles the configuration size.

On 27.01.09 17:26, Chris Burton wrote:
> I've been using an include file for zones common between multiple views; it might help in your case too.

I'm afraid they won't share the same memory; each view uses its own memory. Can anyone confirm, and if I'm right, tell me that it will be better in the next BIND releases?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Split view multiple zones
In message 49800cfd.nihabiqjcalhfl+u%akos...@andykosela.com, Andy Kosela writes:
> Reinis Rozitis r...@roze.lv wrote:
> > > I've been using an include file for zones common between multiple views, might help in your case too.
> >
> > Thanks, somehow didn't think about this way. Pretty much takes it to an acceptable solution :)
>
> Yes, the include statement is the best option, especially if you have a lot of zones. That approach also works great if you need to provide recursion for some of your clients *and* serve authoritative records for the rest of the world. By creating multiple views you can also easily disable answering queries for . to unknown clients.
>
>     view internal {
>         match-clients { LAN; };
>         recursion yes;
>         include "zones";
>     };
>
>     view external {
>         match-clients { any; };
>         recursion no;
>         additional-from-cache no;
>         include "zones";
>     };

Or just run a currently supported version and specify

    options {
        allow-recursion { LAN; };
    };
    include "zones";

and achieve the same thing for half the memory footprint, and not have to worry about different views clobbering the same master files.

Mark

> --Andy

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
On 27.01.09 10:18, Al Stu wrote:
> I not only say it, I have demonstrated it.

But you have demonstrated something different from what we have been discussing all the time. BIND is the DNS system we are discussing.

> Have not looked to see if that specifically is spec'ed in an RFC. Yes, other DNS implementations do return both the A and CNAME.

It depends on the query sent.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Fighting for peace is like fucking for virginity...
Re: disabling EDNS messages bind-9.5.0
Dean Clapper wrote:
> I'm trying to troubleshoot why we are getting a lot of "disabling EDNS" messages in /var/log/messages. We are running bind-9.5.0.P2 on a linux box. [...]
>
>     Jan 27 11:43:39 ns0 named[27764]: too many timeouts resolving '196.198.117.216.zen.spamhaus.org/A' (in 'zen.spamhaus.org'?): disabling EDNS
>
> I started receiving these messages after updating from 9.4 to 9.5. I've found a couple of places to test packet sizes, but have not had any problem. The messages about zen.spamhaus.org lead me to suspect possibly email-related issues.

On 28.01.09 08:04, Danny Thomas wrote:
> add
>
>     category edns-disabled { null; };
>
> after verifying your nameserver(s) have an EDNS0 clear path by trying the 2 tests mentioned below by Mark Andrews.

I strongly recommend upgrading BIND first. Later versions issue that message much less often.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Save the whales. Collect the whole set.
Re: contacting a external nameserver
In that case you can use either views or a split DNS.

Regards,
Serge Fonville

On Wed, Jan 28, 2009 at 12:44 AM, Luis Silva luisfilsi...@gmail.com wrote:
> Yes, basically what I need is a forwarder. Basically I want an internal network, but external queries must be handled by another server. Thanks a lot for the quick reply.
>
> Kind Regards,
> Luis
>
> On Tue, Jan 27, 2009 at 6:51 PM, Serge Fonville serge.fonvi...@gmail.com wrote:
> > I should have sent this to the list.
> >
> > On Tue, Jan 27, 2009 at 11:42 AM, Serge Fonville serge.fonvi...@gmail.com wrote:
> > > Hi,
> > >
> > > Not sure what your end goal is, but... If you want a specific zone to be queried on the external nameserver, you can create a forward zone. If you want all unresolvable queries to be forwarded to a specific nameserver, you can define forwarders. Perhaps some information about what your end result should be, instead of suggesting solutions up front, can be of use.
> > >
> > > Hope this helps.
> > >
> > > Regards,
> > > Serge Fonville
> > >
> > > On 1/27/09, Luis Silva luisfilsi...@gmail.com wrote:
> > > > Hi all,
> > > >
> > > > I have a question related to querying external servers that I hope you can answer for me. I'm sending an iterative query to an external server and the server is sending a referral answer, but only with the authoritative name servers. After that, I send an A query asking for the nameservers' IP addresses. Is this A query supposed to be a recursive query, or must it be an iterative one? Is there a standard that talks about this?
> > > >
> > > > Thanks in advance.
> > > >
> > > > Kind regards,
> > > > Luis
Re: What are these entries in the log file - query: . IN NS +?
Sorry, remembered wrong, it's not free. But not that expensive either. Yeah, now I remember, I browsed for a free firewall for a server platform for days, but didn't find any. But we have been very happy with the Net Firewall.

Jukka

Tony Toews [MVP] tto...@telusplanet.net wrote in message p3evn4t6r9spme6ardiqbohjvlt99vt...@4ax.com:
> Jukka Pakkanen jukka.pakka...@qnet.fi wrote:
> > There are many free third party firewall packages that can be run in Windows 2003 Server, we use the Net Firewall.
>
> Do you have a URL? I found http://www.ntkernel.com/wp.php?id=18 but it's not free.
>
> I'm also going to ask my fellow MVPs as well.
>
> Tony
> --
> Tony Toews, Microsoft Access MVP
> Please respond only in the newsgroups so that others can read the entire thread of messages.
> Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm
> Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
wildcarding everything
Hello, I am wondering about the technical possibility of a DNS change. Even if it is technically possible, I also want to make sure it is compliant as well.

I would like to resolve any and all requests to a fixed IP if there is no zone in place. While I understand I can create a zone for *.example.com and resolve all of the * portion to an A record and further have a web server take over...

What I am looking to do now is have the very act of having my two NS's listed as NS's with their domain resolve to an A record. Essentially, wildcard the entire DNS machine. There may be cases where a real zone is put in place, to a different A record, and that would need to take priority, but if it does not, I would like to resolve it.

The NS's in question will not be answering recursive queries, so I am not worried about local requests getting hijacked or mis-routed.

An example would be: some-domain-foo.com is registered. My NS of ns-me.example.com is set up and working, but does not have some-domain-foo.com entered as a zone. When a request comes in for some-domain-foo.com I want an A record for an IP of my choice, and also for www.some-domain-foo.com.

Possible? Acceptable? Thanks.

-- 
Scott
reg - BIND 9.3.0 - CVE-2009-0025
Hi Folks,

This is regarding the recent security threat CVE-2009-0025. We are using DNS 9.3.0 and unfortunately we cannot upgrade (management issues) to 9.3.6 (as suggested on the ISC website). ISC's website suggests upgrading OpenSSL to at least OpenSSL 0.9.8j and then upgrading to 9.3.6-P1.

Could you please advise how I can upgrade OpenSSL? Since we could not upgrade DNS, is there any other alternative for us? Could we apply the same patch of 9.3.6-P1 on 9.3.0? Will it help resolve this issue? Do I need to change code somewhere?

Kindly suggest what exactly I could do and what options I have to resolve this issue. Thank you in advance for all your help.

Ashish Rao
Re: BIND 9.4.x vs 9.6.x - pid-file check and creation
In article glp3rc$23p...@sf1.isc.org, Jan Arild Lindstrøm j...@telenor.net wrote:
> Hi,
>
> ah, of course. I did not think about it as a Solaris bug. I patched the BIND 9.6.0-P1 os.c code so it first checks for the directory before it tries the fast approach of just running mkdir. And that of course works fine. But, since I do not want to run a self-patched BIND in production, I will instead run with pid-file /var/run/named/named/named.pid and be happy with that.

Just wondering. Since /var/run is a swap (memory) based file system, do you have to recreate those directories on each reboot?

> Thanks
> Jan Arild Lindstrøm
>
> At 15:35 27/01/2009, Mark Andrews wrote:
> > Looking at the publically available parts of SunSolve there are at least bug reports about it.
> >
> >     bug 6253984: tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions. (Sep 10, 2007; requires support contract)
> >     http://sunsolve.sun.com/search/document.do?assetkey=1-1-6253984-1
> >
> >     bug 2152581: tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions. (Sep 10, 2007; requires support contract)
> >     http://sunsolve.sun.com/search/document.do?assetkey=1-1-2152581-1
> >
> > I don't have a copy of the POSIX standard that covers mkdir(2) to see what it has to say about it. Historically, however, EACCES on search failure, EEXIST if the file/directory exists, then EACCES on parent directory write permissions was the error determination order.
> >
> > Mark

-- 
Tom Schulz
sch...@adi.com
RE: wildcarding everything
What specifically are you intending to wildcard? com.? net.? .? If so, then you would be implicitly making your name servers authoritative for domains for which your servers are not supposed to be authoritative.

Ben Bridges

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Scott Haneda
Sent: Wednesday, January 28, 2009 3:31 AM
To: bind-users@lists.isc.org
Subject: wildcarding everything
Re: What are these entries in the log file - query: . IN NS +?
In message fl82o4hqjudbc65bkfk08ilg3lmk4hq...@4ax.com, Tony Toews [MVP] writes:
> Tony Toews [MVP] tto...@telusplanet.net wrote:
> > FWIW, in the last 28 hours I have the following alleged IP addresses and count in my log file.
> >
> >     Real lookups      1665
> >     204.15.80.50         4
> >     3.217.28.226      1144
> >     4.57.246.146      9541
> >     6.9.16.171         577
> >     63.217.28.226     1463
> >     64.57.246.146    35163
> >     65.173.218.96        1
> >     67.192.144.0      1488
> >     7.192.144.0      12054
> >     76.9.16.171       1033
>
> FWIW, in the last 26 hours:
>
>     Real Lookups      1673
>     0.86.80.98       14051

So who isn't doing even loose URPF? 0/8 is totally bogus and is an attack directed at you.

>     4.57.246.123      4425
>     4.57.246.146     22719
>     6.9.16.171         419
>     64.57.246.123     4885
>     64.57.246.146    25023
>     67.192.144.0       825
>     7.192.144.0        696
>     70.86.80.98       9317
>     76.9.16.171        295
>
> So some have disappeared and new ones added.
>
> Tony
> --
> Tony Toews, Microsoft Access MVP
> Please respond only in the newsgroups so that others can read the entire thread of messages.
> Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm
> Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
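The per-source counts Tony posted above were produced by hand from his log; the script below is an added example for this thread (not code from the thread or from ISC) that does the same counting over BIND query-log lines and additionally flags what Mark points at: sources in 0.0.0.0/8 and other bogon space, which can only be spoofed packets, plus any source whose ". IN NS" volume crosses a threshold. It assumes BIND 9's default query-log line shape, `client <ip>#<port>: query: <name> IN <type> <flags>`; the SAMPLE_LOG lines are constructed for the example and use documentation addresses except for the 0.86.80.98 entry from Tony's table.

```python
"""Count '. IN NS' queries per source address in BIND query-log lines and
flag sources that sit in bogon space (such as 0.0.0.0/8) or that exceed a
per-source volume threshold.

Added example for this thread; not code from the thread or from ISC.
Assumed log line shape (BIND 9 default query log):

    client <ip>#<port>: query: <name> IN <type> <flags>

The lines in SAMPLE_LOG are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Source ranges that should never arrive from the public Internet:
# RFC 1122 "this" network, loopback, RFC 1918 private space, link-local.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)


def parse_query(line):
    """Return (source_ip, qname, qtype, flags), or None for non-query lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), m.group("name"), m.group("type"), m.group("flags")


def is_bogon(ip):
    """True if ip falls inside one of BOGON_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def root_ns_counts(lines):
    """Map source address -> number of '. IN NS' queries it sent."""
    counts = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed and parsed[1] == "." and parsed[2] == "NS":
            counts[parsed[0]] += 1
    return counts


def suspicious_sources(lines, threshold=5):
    """Sources worth a closer look, as {ip: (count, reason)}.

    A source is reported when its '. IN NS' volume reaches threshold, or
    when it comes from bogon space regardless of volume: a single packet
    claiming to be from 0.0.0.0/8 is already a spoofed packet.
    """
    flagged = {}
    for ip, n in root_ns_counts(lines).items():
        reasons = []
        if is_bogon(ip):
            reasons.append("bogon-source")
        if n >= threshold:
            reasons.append("volume")
        if reasons:
            flagged[ip] = (n, ",".join(reasons))
    return flagged


# Constructed sample: an ordinary client, a low-volume root-NS querier,
# a spoofed 0.0.0.0/8 source, and a high-volume source.
SAMPLE_LOG = (
    ["client 203.0.113.7#4321: query: www.example.com IN A +"]
    + ["client 192.0.2.10#1053: query: . IN NS +"] * 2
    + ["client 0.86.80.98#53: query: . IN NS +"] * 3
    + ["client 198.51.100.20#53: query: . IN NS +"] * 6
    + ["client 203.0.113.7#4321: query: mail.example.com IN MX +"]
)

if __name__ == "__main__":
    for ip, (n, why) in sorted(suspicious_sources(SAMPLE_LOG).items()):
        print(f"{ip:<16} {n:>6}  {why}")
```

To run it over a real server, pass the lines of the query log (for example `suspicious_sources(open("/var/log/named/query.log"))`) and tune `threshold` to the normal rate of root NS queries your server sees, which on an authoritative-only server is close to zero. Note that the reported addresses are the claimed sources; as Mark says, a spoofed source cannot be blocked meaningfully by address, only filtered at the network edge with uRPF or a BCP 38 style ingress filter.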
named and database backed systems
Hello, my past post about wildcarding the . in a named server seems it may be fraught with issues in the long term.

In short, my issue is an auto website creation tool that needs to be simple for users to change their registrar data and have their site be served up. The old method works, but is being outgrown. I can come in and try to solve it with scripts to sync the website to local named files, but it will always be a battle.

I am coming up short on finding any database backed store for named. I think sqlite would be the best for raw performance, but then again, even a million records in mysql is trivial. I am just worried about the volume of selects.

Can anyone point me to any info on database backed named solutions?

Thank you named users, you are all very helpful.

-- 
Scott
Re: wildcarding everything
On Jan 28, 2009, at 3:34 PM, Mark Andrews wrote:
> In message 30e0039f-b0fd-4322-b0e0-52eeefa76...@newgeo.com, Scott Haneda writes:
> > I can remove the entire DNS management, zone creation, and deletion if I wildcard. Any domain in which they enter my clients' NS's will resolve automatically as soon as the whois updates.
>
> Actually you can't. You will end up returning answers that will be rejected. If the registrar does any sort of checking the registration will also be rejected.

Ok, thanks. So with this, is it a safe estimation that all these domain parking systems actually create DNS records on the fly for their users? I can not imagine someone as large as godaddy, with such inferior support and a rather terrible web interface, actually getting this right most of the time.

-- 
Scott
Re: named and database backed systems
Use the DLZ extension. It's been around for a while. I.e. put the following in your named.conf and use whatever interface you wish. I use Ant with a few modifications. I don't have nearly the number of domains that you do, so my simple system works fine.

    dlz "postgres zone" {
        database "postgres 2
            {host=localhost dbname=dns_data user=bind password=xx}
            {SELECT 'TRUE' FROM canonical WHERE lower(content) = lower('%zone%') LIMIT 1}
            {SELECT ttl, type, priority, data FROM record, canonical
                WHERE lower(content) = lower('%zone%') AND host = '%record%' AND zone = domain}
            {}
            {SELECT ttl, type, host, priority, data FROM record, canonical
                WHERE zone = domain AND lower(content) = lower('%zone%')}
            {SELECT 'TRUE' FROM xfr, canonical
                WHERE zone = domain AND lower(content) = lower('%zone%') AND client = inet '%client%'}";
    };

Rather spiffy for centralizing your record store with immediate change visibility.

-david

Scott Haneda wrote:
> Hello, my past post about wildcarding the . in a named server seems it may be fraught with issues in the long term.
>
> I am coming up short on finding any database backed store for named. I think sqlite would be the best for raw performance, but then again, even a million records in mysql is trivial. I am just worried about the volume of selects.
>
> Can anyone point me to any info on database backed named solutions?

-- 
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail on a small device.
Re: named and database backed systems
Damnit, every time I search this stuff out, I search for named something-or-other and should use BIND in my search :)

I am going to test deploy on my workstation on OS X. Named comes up with relative ease, just add a key and I am pretty much up and running, albeit out of date, but for testing I am ok with that.

Are you telling me I need not even build named to get DLZ support? It is just there already?

I see you are using postgres; mysql or sqlite should not be an issue either?

Zones are backed in the DB, but not queried in real time, are they? If they are, I can see sub-50ms return times going way up.

Thanks for pointing me in the right direction, I will go read the DLZ pages now.

On Jan 28, 2009, at 10:25 PM, David Ford wrote:
> Use the DLZ extension. It's been around for a while. I.e. put the following in your named.conf and use whatever interface you wish.

-- 
Scott
Re: named and database backed systems
In message 29c7b7bc-f017-4404-b011-8b50206c7...@newgeo.com, Scott Haneda writes:
> Damnit, every time I search this stuff out, I search for named something-or-other and should use BIND in my search :)
>
> I am going to test deploy on my workstation on OS X. Named comes up with relative ease, just add a key and I am pretty much up and running, albeit out of date, but for testing I am ok with that.
>
> Are you telling me I need not even build named to get DLZ support? It is just there already?

You have to tell configure that you want it. It's still contributed code.

> I see you are using postgres; mysql or sqlite should not be an issue either?
>
> Zones are backed in the DB, but not queried in real time, are they? If they are, I can see sub-50ms return times going way up.
>
> Thanks for pointing me in the right direction, I will go read the DLZ pages now.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
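Scott asked whether a DLZ backend is queried in real time and whether sqlite would do; David's named.conf above shows the four questions a DLZ driver puts to the database (is this name a zone, what does host X have in it, what are all its records, may this client transfer it). The example below is an added illustration for this thread, not code from the thread, from ISC or from the DLZ driver: it answers those same four questions from an in-memory sqlite store so the flow can be followed without a running named. The schema (zones, records, xfr_acl), the helper names and the sample data are this example's own. It binds the query name, host label and client address as SQL parameters instead of substituting them into the SQL text the way the %zone%, %record% and %client% placeholders do, and find_zone walks from the full query name down to the root the way a backend has to in order to find the enclosing zone, which is also why a name with no zone (some-domain-foo.com from Scott's earlier thread) gets no answer at all rather than a wildcard.

```python
"""Sqlite-backed zone store answering the four DLZ-style questions:
findzone, lookup, allnodes and allowzonexfr.

Added example for this thread; not code from the thread, ISC or the DLZ
driver. Schema, helper names and sample data are this example's own.
"""
import sqlite3

SCHEMA = """
CREATE TABLE zones   (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE records (zone_id INTEGER NOT NULL REFERENCES zones(id),
                      host TEXT NOT NULL, ttl INTEGER NOT NULL,
                      type TEXT NOT NULL, priority INTEGER, data TEXT NOT NULL);
CREATE TABLE xfr_acl (zone_id INTEGER NOT NULL REFERENCES zones(id),
                      client TEXT NOT NULL);
CREATE INDEX records_lookup ON records(zone_id, host);
"""


def open_store():
    """In-memory store loaded with constructed sample data for example.com."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO zones(id, name) VALUES (1, 'example.com')")
    db.executemany(
        "INSERT INTO records(zone_id, host, ttl, type, priority, data) "
        "VALUES (1, ?, ?, ?, ?, ?)",
        [
            ("@", 3600, "SOA", None,
             "ns1.example.com. hostmaster.example.com. 2009012801 3600 900 604800 300"),
            ("@", 3600, "NS", None, "ns1.example.com."),
            ("@", 3600, "MX", 10, "mail.example.com."),
            ("www", 300, "A", None, "192.0.2.80"),
            ("mail", 300, "A", None, "192.0.2.25"),
        ])
    # Only this secondary may AXFR the zone.
    db.execute("INSERT INTO xfr_acl(zone_id, client) VALUES (1, '192.0.2.2')")
    return db


def find_zone(db, qname):
    """findzone: walk from the full name towards the root and return the
    first label suffix that is a zone we serve, else None.
    'www.example.com' -> 'example.com'; 'some-domain-foo.com' -> None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        row = db.execute("SELECT name FROM zones WHERE lower(name) = ? LIMIT 1",
                         (candidate,)).fetchone()
        if row:
            return row[0]
    return None


def lookup(db, zone, host):
    """lookup: (ttl, type, priority, data) rows for one host label in a zone."""
    return db.execute(
        "SELECT r.ttl, r.type, r.priority, r.data FROM records r "
        "JOIN zones z ON z.id = r.zone_id WHERE lower(z.name) = ? AND r.host = ?",
        (zone.lower(), host)).fetchall()


def all_nodes(db, zone):
    """allnodes: every record in the zone, as used to build an AXFR."""
    return db.execute(
        "SELECT r.ttl, r.type, r.host, r.priority, r.data FROM records r "
        "JOIN zones z ON z.id = r.zone_id WHERE lower(z.name) = ?",
        (zone.lower(),)).fetchall()


def allow_zone_xfr(db, zone, client):
    """allowzonexfr: True only if the client address is listed for the zone."""
    row = db.execute(
        "SELECT 1 FROM xfr_acl x JOIN zones z ON z.id = x.zone_id "
        "WHERE lower(z.name) = ? AND x.client = ? LIMIT 1",
        (zone.lower(), client)).fetchone()
    return row is not None


def resolve(db, qname, qtype):
    """Drive the store the way named drives a DLZ backend: find the enclosing
    zone, derive the host label, fetch the matching records. Returns None
    when no zone encloses the name (named would answer REFUSED), an empty
    list when the zone exists but the name or type does not (NXDOMAIN/NODATA)."""
    zone = find_zone(db, qname)
    if zone is None:
        return None
    name = qname.rstrip(".").lower()
    host = "@" if name == zone else name[: -len(zone) - 1]
    return [r for r in lookup(db, zone, host) if r[1] == qtype]


if __name__ == "__main__":
    db = open_store()
    print(resolve(db, "www.example.com", "A"))
    print(resolve(db, "some-domain-foo.com", "A"))
    print(allow_zone_xfr(db, "example.com", "203.0.113.9"))
```

Every call hits the database, which answers Scott's real-time question: with DLZ there is no in-memory zone, so each query costs at least one findzone probe per label plus the lookup, and the records_lookup index on (zone_id, host) is the minimum you want before putting a million records behind it.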