Re: Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem?
On Tue, Jul 28, 2009 at 10:40:53AM -0400, Richard Michael rmichael-bi...@edgeofthenet.org wrote a message of 60 lines which said:

>> Indeed, lastminute.com's name servers are severely broken.
>
> By this, do you mean the SOA record in the response is incorrect?

Yes.

> the SOA for their own domain

Yes. The authority section can be empty, also.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig shows wrong ip
On Tue, Jul 28, 2009 at 09:05:44PM +0100, Chris Thompson c...@cam.ac.uk wrote a message of 24 lines which said:

> This is the wretched glue promoted to answer bug (we can call it a bug by now, surely?) which we are assured that the GTLD servers will be cured of this year, next year, sometime, or ...

Not all the GTLD servers, only .com and .net.
dnstop
Hi,

I'm new to dnstop. What really matters, is it new queries or total? And in the table the first record in both Source and Destination is the local IP of the DNS server itself, is it fine? Also, are there any monitoring tools besides dnstop?

Regards,
Alans
Bind9.6.0 Statistics Output
I collect statistics data via the HTTP interface and parse the XML file. There are some differences in the layout of the XML result between Bind9.5 and Bind9.6. Is there an option or configuration parameter that allows controlling the XML format?

The resstat counters are no longer in the server section of the XML, but they occur in each view. There are 2 views found in the XML file, named _default and bind. Is there a view - or rather one of these views - that is included in each XML statistics result that contains the total of the counter across all views? Or is it necessary to parse across all views and calculate the sum?

Maybe there is some link to a description that you could provide.

Thanks a lot in advance
Re: disable ipv6 in config?
Gilles Massen gilles.mas...@restena.lu writes:

> Hello,
>
> Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'? I wasn't able to find anything in the ARM, but maybe I missed something...

Well, I think that is an OS-specific issue rather than a bind issue. That was discussed in here once, I remember. Ask Mark.

--
You sure you want to be a Corleone? Yes.
-- Michael Corleone and Kay Adams, Chapter 2, page 77
Re: [SPAM] Win2k and bind
On 29.07.09 22:37, Abello, Vinny wrote:

> Considering 2003, 2003 R2, 2008, and 2008 R2 (technically done, but will officially release in October) have been released, I don't think dropping support for an ancient operating system from 9.5 years ago and roughly 3 prior generations that the vendor doesn't even support is a bad idea. :) 2k boxes are time bombs, IMO.

even if they were not (windows updates), there is a technical reason that prevents new bind from being compatible with it (new security features require that). Search web/archives for more info. Until M$ fixes that one (I doubt so), new BIND won't be compatible with w2k.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
We are but packets in the Internet of life (userfriendly.org)
Re: disable ipv6 in config?
>> Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'?
>
> Well, I think that is an OS-specific issue rather than a bind issue. That was discussed in here once, I remember. Ask Mark.

I don't think it's OS specific: the OS has no way to know that Bind should not use the (otherwise potentially valid) IPv6 address. Besides, the -4 flag already does the job, it's only that I'd prefer that in the config file rather than on the command line.

Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
Re: Correction to signatures on yesterday's BIND 9 releases
In message 20090730070805.ga1...@nic.fr, Stephane Bortzmeyer writes:

> On Wed, Jul 29, 2009 at 04:25:18PM +, Evan Hunt e...@isc.org wrote a message of 16 lines which said:
>
>> Due to a combination of circumstances, including extreme rush and the usual signer of our releases being away at IETF, we accidentally signed yesterday's BIND 9 patch releases (9.4.3-P3, 9.5.1-P3, and 9.6.1-P1) with the expired 2006 ISC signing key
>
> How many people checked them? Probably not a lot since I did not see reports "BIND releases corrupted!". It tells a lot about Internet security. And makes me seriously worry for the future when DNSSEC will be deployed...

It also depended upon whether you had refreshed the keys on your keyring recently or not as to whether it is reported as expired or not.

Most users do indirect verification by having just a hash which the maintainer for the package creates. The end user assumes the maintainer checks the validity before creating the hash.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: disable ipv6 in config?
At Thu, 30 Jul 2009 09:02:51 +0200, Gilles Massen gilles.mas...@restena.lu wrote:

> Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'?

No.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: disable ipv6 in config?
JINMEI Tatuya / 神明達哉 wrote:

>> Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'?
>
> No.

Ok, thanks. In that case I would humbly suggest to enhance the syntax of query-source[-v6] and transfer-source[-v6] to accept 'none' as argument, in some future release.

Best,
Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
Re: dnstop
On Thu, Jul 30, 2009 at 10:15:42AM +0300, Alans batpowe...@yahoo.co.uk wrote a message of 141 lines which said:

> And in the table the first record in both Source and Destination is the local ip of the DNS server itself, is it fine?

Yes, if you use both -Q and -R. If you use -Q (the default), your name server will always be the top destination and, if you use -R, the top source.

> Also, are there any monitoring tools besides dnstop?

https://www.dns-oarc.net/oarc/tools
http://www.dns.net/dnsrd/tools.html (Not up to date, dnstop is not there)
Re: disable ipv6 in config?
At Thu, 30 Jul 2009 12:10:14 +0200, Gilles Massen gilles.mas...@restena.lu wrote:

>>> Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'?
>>
>> No.
>
> Ok, thanks. In that case I would humbly suggest to enhance the syntax of query-source[-v6] and transfer-source[-v6] to accept 'none' as argument, in some future release.

I personally don't see a need for it (what's wrong with -4/-6?)...but if that's so important to you, you can always promote the future request as a funded project:-)

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: disable ipv6 in config?
JINMEI Tatuya / 神明達哉 wrote:

>>>> Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'?
>>>
>>> No.
>>
>> Ok, thanks. In that case I would humbly suggest to enhance the syntax of query-source[-v6] and transfer-source[-v6] to accept 'none' as argument, in some future release.
>
> I personally don't see a need for it (what's wrong with -4/-6?)

Nothing is 'wrong' (it works after all). But I find it easier and cleaner to put all (or at least as many as possible) config options in the config file, rather than have them in the command-line as well. It makes a service easier to move, and it's less error prone (because you don't 'forget' about things you don't see).

In the long run it would be nicer if e.g. query-source address could take parameters in a form similar to listen-on. Disabling ipv4/6 in config would then be a side effect. And yes, I know that has a much larger impact than a simple transport selection.

> ...but if that's so important to you, you can always promote the future request as a funded project:-)

Well, operationally it's probably worth around 50 bugs to me, but that doesn't seem enough? :)

Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
Re: disable ipv6 in config?
In message 20090730141131.ga30...@nic.fr, Stephane Bortzmeyer writes:

> On Thu, Jul 30, 2009 at 03:57:16PM +0200, JINMEI Tatuya / jin...@isc.org wrote a message of 25 lines which said:
>
>> I personally don't see a need for it (what's wrong with -4/-6?)
>
> -4 shuts down any v6 service. We would like BIND to be able to *reply* to v6 queries without *generating* them.
>
> (For the record, I have the same issue as Gilles.)

Proper use of null routes will allow named to immediately detect that an IPv6 site is not reachable. default is over used.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Disable automatic empty IPv6 zones (with -4 already specified)
On 30.07.09 10:35, Matthew Huff wrote:

> Is there any way to disable BIND from loading the automatic empty zones (D.F.IP6.ARPA, etc...). They are being generated even with the -4 command line.

have you looked at the disable-empty-zone configuration directive?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
Re: disable ipv6 in config?
>> In message 20090730141131.ga30...@nic.fr, Stephane Bortzmeyer writes:
>>
>>> On Thu, Jul 30, 2009 at 03:57:16PM +0200, JINMEI Tatuya / jin...@isc.org wrote a message of 25 lines which said:
>>>
>>>> I personally don't see a need for it (what's wrong with -4/-6?)
>>>
>>> -4 shuts down any v6 service. We would like BIND to be able to *reply* to v6 queries without *generating* them.
>>>
>>> (For the record, I have the same issue as Gilles.)

On 31.07.09 00:32, Mark Andrews wrote:

> Proper use of null routes will allow named to immediately detect that an IPv6 site is not reachable. default is over used.

oh, although it should work, it's a bit dirty workaround... it needs a stateful firewall allowing only replies to go out...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: disable ipv6 in config?
On Jul 30 2009, Stephane Bortzmeyer wrote:

> On Thu, Jul 30, 2009 at 03:57:16PM +0200, JINMEI Tatuya / jin...@isc.org wrote a message of 25 lines which said:
>
>> I personally don't see a need for it (what's wrong with -4/-6?)
>
> -4 shuts down any v6 service. We would like BIND to be able to *reply* to v6 queries without *generating* them.
>
> (For the record, I have the same issue as Gilles.)

Would

    server ::/0 { bogus yes; };

work?

--
Chris Thompson
Email: c...@cam.ac.uk
Re: disable ipv6 in config?
> On Jul 30 2009, Stephane Bortzmeyer wrote:
>
>> -4 shuts down any v6 service. We would like BIND to be able to *reply* to v6 queries without *generating* them.
>>
>> (For the record, I have the same issue as Gilles.)

On 30.07.09 15:46, Chris Thompson wrote:

> Would
>
>     server ::/0 { bogus yes; };
>
> work?

no, it would prevent server from replying to v6 requests

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Microsoft dick is soft to do no harm
Re: disable ipv6 in config?
In message 20090730144610.gb22...@fantomas.sk, Matus UHLAR - fantomas writes:

>>> In message 20090730141131.ga30...@nic.fr, Stephane Bortzmeyer writes:
>>>
>>>> On Thu, Jul 30, 2009 at 03:57:16PM +0200, JINMEI Tatuya / jin...@isc.org wrote a message of 25 lines which said:
>>>>
>>>>> I personally don't see a need for it (what's wrong with -4/-6?)
>>>>
>>>> -4 shuts down any v6 service. We would like BIND to be able to *reply* to v6 queries without *generating* them.
>>>>
>>>> (For the record, I have the same issue as Gilles.)
>
> On 31.07.09 00:32, Mark Andrews wrote:
>
>> Proper use of null routes will allow named to immediately detect that an IPv6 site is not reachable. default is over used.
>
> oh, although it should work, it's a bit dirty workaround... it needs a stateful firewall allowing only replies to go out...

    ::/0 - NULL
    ULA::/48 - default router

Would allow ula local traffic but catch the rest. this is an example only.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Linux is like a teepee: no Windows, no Gates and an apache inside...

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: dnstop
Alans wrote:

> Hi, I'm new to dnstop, what is really matter, is it *new queries* or *total*?

The *total* is the counter of queries since you start dnstop.

The *new queries* is the counter after you refresh with other option.

--
Regards,
Breno S. Soares
Network Analyst
SERPRO/SUPRE/REBHE
Tel: (31) 3311-6825
socket.c:4524: unexpected error in BIND 9.4.3 P3
Hi,

I have updated BIND from 9.4.2-P2 to 9.4.3-P3 to mitigate the Dynamic Update DOS attack. I have noted a lot of errors from socket.c (which I have never seen before with v9.4.2)

    Jul 30 06:25:18 DNS1 named[2]: socket.c:4524: unexpected error:
    Jul 30 06:25:18 DNS1 named[2]: 22/Invalid argument

There are also some of these errors:

    Jul 30 07:26:17 DNS1 named[2]: sockmgr 0xb7f05008: maximum number of FD events (64) received

BIND is compiled with following option on Centos 5.3 (another machine with RHEL 4.4 has these error too):

    ./configure --disable-openssl-version-check --with-openssl=no

What should I do:
- go back to 9.4.2-P2 and use iptables to filter DNS update packet
- use another version of BIND
- ignore the error

Is anybody else experiencing this problem?

Many thanks,
Vu
The Year of the Sevenfold Increase
[You'll find a mighty strange web page if you google for that subject, but I couldn't resist...]

On 30 July 2008, dlv.isc.org had 113 DLV RRsets
On 30 July 2009, dlv.isc.org had 791 DLV RRsets

(and I didn't cheat! it came out exactly 7x)

So, will we see another 7x increase by 30 July 2010, or will the numbers start dropping as higher-level domains get their signed delegation procedures going?

Anyway, congratulations and thanks to ISC for providing this service.

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Correction to signatures on yesterday's BIND 9 releases
> How many people checked them? Probably not a lot since I did not see reports "BIND releases corrupted!". It tells a lot about Internet security. And makes me seriously worry for the future when DNSSEC will be deployed...

We received several private reports of the error.

I checked them myself before sending the announcement, but I still had the old signing key on my keyring, and after it had said "Good signature from Internet Systems Consortium, Inc.", I didn't keep reading carefully to the end of the line and notice that the 2006 in column 80 should've been a 2009. Perhaps some people who did validate the files were similarly incautious.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Correction to signatures on yesterday's BIND 9 releases
[In a message on Thu, 30 Jul 2009 09:08:05 +0200, Stephane Bortzmeyer wrote:]

> How many people checked them? Probably not a lot since I did not see reports "BIND releases corrupted!". It tells a lot about Internet security. And makes me seriously worry for the future when DNSSEC will be deployed...

More likely it says "Folks don't grab patches nearly as quickly as we'd hope". If signatures are provided I usually use them. A bit more problematic is the verification that the signature is in fact the most current signature.. So.. what I suspect you get more of is "the signature is verified... but I have no idea who signed it!"

CPAN's implementation of signature validation is probably an indication of the way things like this need to work, if the chain is going to be trusted from end to end.

Steve
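Added example, not part of any poster's message and not ISC's tooling: a check that reads GnuPG's machine-readable status lines instead of the "Good signature from ..." text, rejecting a signature made with an expired key and one made by a key other than the pinned current release key (the two cases described in this thread). The fingerprints, user IDs and status samples below are constructed placeholders.

```python
"""Gate a release download on GnuPG's machine-readable verification status.

Feed evaluate() the output of:  gpg --status-fd 1 --verify FILE.asc FILE
"""
from typing import Iterable, List, Tuple

PREFIX = "[GNUPG:] "

# Keywords that must fail the check even though the human-readable channel
# may still begin with "Good signature from ...".
FATAL = {
    "BADSIG": "signature does not match the file",
    "ERRSIG": "signature could not be checked",
    "NO_PUBKEY": "signing key is not on the keyring",
    "EXPSIG": "the signature itself has expired",
    "EXPKEYSIG": "good signature, but made with an expired key",
    "REVKEYSIG": "good signature, but made with a revoked key",
}


def parse_status(text: str) -> List[Tuple[str, List[str]]]:
    """Return (keyword, args) for every [GNUPG:] status line in text."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def primary_fingerprint(validsig_args: List[str]) -> str:
    """VALIDSIG lists the signing (sub)key fingerprint first and, as its
    tenth field, the primary key fingerprint; pin against the primary."""
    fpr = validsig_args[9] if len(validsig_args) > 9 else validsig_args[0]
    return fpr.upper()


def evaluate(status_text: str, pinned: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). ok is True only for a good signature, with no
    expiry or revocation flag, made by a key whose fingerprint is pinned."""
    allowed = {f.replace(" ", "").upper() for f in pinned}
    records = parse_status(status_text)
    reasons = [f"{kw}: {FATAL[kw]}" for kw, _ in records if kw in FATAL]
    good = any(kw == "GOODSIG" for kw, _ in records)
    valid = [args for kw, args in records if kw == "VALIDSIG" and args]
    if not reasons and not (good and valid):
        reasons.append("no GOODSIG/VALIDSIG pair: nothing was verified")
    for args in valid:
        fpr = primary_fingerprint(args)
        if fpr not in allowed:
            reasons.append(f"signed by unpinned key {fpr}")
    return (not reasons, reasons)


# --- Constructed sample data (placeholder fingerprints, not real ISC keys) ---
CURRENT_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
RETIRED_FPR = "9999000088881111777722226666333355554444"

SAMPLE_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DDDD4444EEEE5555 Example Release Key 2009 <releases@example.org>
[GNUPG:] VALIDSIG {CURRENT_FPR} 2009-07-29 1248825600 0 4 0 1 2 00 {CURRENT_FPR}
[GNUPG:] TRUST_UNDEFINED
"""

# Keyring is up to date, so gpg knows the retired key has expired.
SAMPLE_EXPIRED_KEY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1167609600
[GNUPG:] EXPKEYSIG 6666333355554444 Example Release Key 2006 <releases@example.org>
[GNUPG:] VALIDSIG {RETIRED_FPR} 2009-07-28 1248739200 0 4 0 1 2 00 {RETIRED_FPR}
"""

# Keyring copy on which gpg does not report the retired key as expired:
# the status is a plain GOODSIG, and only the fingerprint pin catches it.
SAMPLE_STALE_KEYRING = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666333355554444 Example Release Key 2006 <releases@example.org>
[GNUPG:] VALIDSIG {RETIRED_FPR} 2009-07-28 1248739200 0 4 0 1 2 00 {RETIRED_FPR}
"""

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_EXPIRED_KEY", "SAMPLE_STALE_KEYRING"):
        ok, why = evaluate(globals()[name], [CURRENT_FPR])
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} {why}")
```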
Re: The Year of the Sevenfold Increase
You guys get excited over small potatoes. There are hundreds of millions of potential DLV RRsets. This is not even a drop in the bucket.

cheers
joe baptista

p.s. this message does not imply i support dnssec deployment. dnscurve is the solution to our woes http://bit.ly/pJVq4

On Thu, Jul 30, 2009 at 11:37 AM, Chris Thompson c...@cam.ac.uk wrote:

> [You'll find a mighty strange web page if you google for that subject, but I couldn't resist...]
>
> On 30 July 2008, dlv.isc.org had 113 DLV RRsets
> On 30 July 2009, dlv.isc.org had 791 DLV RRsets
>
> (and I didn't cheat! it came out exactly 7x)
>
> So, will we see another 7x increase by 30 July 2010, or will the numbers start dropping as higher-level domains get their signed delegation procedures going?
>
> Anyway, congratulations and thanks to ISC for providing this service.
>
> --
> Chris Thompson
> Email: c...@cam.ac.uk

--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative Accountable to the Internet community @large.
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
Personal: www.joebaptista.wordpress.com
Re: disable ipv6 in config?
Mark Andrews wrote:

>> -4 shuts down any v6 service. We would like BIND to be able to *reply* to v6 queries without *generating* them.
>>
>> (For the record, I have the same issue as Gilles.)
>
>     ::/0 - NULL
>     ULA::/48 - default router
>
> Would allow ula local traffic but catch the rest. this is an example only.

Yes, but it also applies to the entire server, and doesn't differentiate between locally initiated queries and answers. BTW, it seems like a waste of resources if bind has to try to send a packet first (and I suppose at least for each server once?) rather than doing the right thing (i.e. what the config says) straight away.

Best,
Gilles
Format of 'dig -k' TSIG key file?
I assume someone can answer this; but Google has not been able to be my friend on this one.

In dig(1), the '-k' option is said to require a TSIG key file as an option. I have a TSIG file with a comment header and the following:

    key mynet. { algorithm hmac-md5; secret Ain/tGonnaTellNoWay==; };

[OK, so I changed the secret! and flattened it to one line.]

Running

    dig -k mynet.key axfr example.zone @other.example.zone

gives me,

    Couldn't read key from mynet.key: label too long

    ///
    // Hmmm. The first line of the comment is 71 characters (like this),
    // and it must not like the comment.
    ///

Removing the comment header gives me,

    Couldn't read key from mynet.key: unexpected token

OK. Maybe 'dig' wants a KEY resource record file that looks like it came out of 'dnssec-keygen'. I changed it to:

    mynet. IN KEY 512 3 157 Ain/tGonnaTellNoWay==

and the same command line, on a perfectly readable file, says:

    Couldn't read key from mynet.key: file not found

What does work is:

    dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone

but I really, really find this not altogether pleasant. Plus, I'm curious to know what 'dig -k' really wants to see.

Possibly irrelevant, but the real key is 88 characters long (including '=' pads). It was sent me by the owners of the other.example.zone name server.

Thanks in advance!

--
Joe Yao j...@tux.org - Joseph S. D. Yao
the working directory is not writable
Mandriva 2009.1, Bind 9.6.0-P1.

Mandriva downloaded a security update this morning for Bind. When restarting I noticed the above line in my syslog.

Running

    [r...@localhost ~]# named-checkconf -z
    /etc/named.conf:17: open: /etc/bogon_acl.conf: file not found

The permissions for the files in /var/lib/named/etc are:

    -rw-r--r-- 1 root root 1966 2009-07-29 07:57 bogon_acl.conf
    -rw-r--r-- 1 root root 42 2009-07-29 07:57 hosts
    -rw-r--r-- 1 root root 3543 2009-07-30 17:09 localtime
    -rw-r--r-- 1 root root 2165 2009-05-13 20:44 logging.conf
    -rw-r--r-- 1 root root 2123 2009-03-08 09:11 logging.conf~
    -rw-r--r-- 1 root root 2165 2009-05-03 19:03 logging.conf.rpmsave
    -rw-r--r-- 1 root root 3950 2009-05-09 20:06 named.conf
    -rw-r--r-- 1 root root 4125 2009-05-09 19:38 named.conf.rpmsave
    -rw-r- 1 root named 350 2009-05-09 19:56 rndc.conf
    -rw-r- 1 root named 350 2009-05-03 15:31 rndc.conf.rpmsave
    -rw-r- 1 root named 259 2009-05-09 19:56 rndc.key
    -rw-r- 1 root named 259 2009-05-03 15:31 rndc.key.rpmsave
    -rw-r--r-- 1 root root 627 2009-07-29 07:57 trusted_networks_acl.conf

Permissions for /var/lib/named

    [ch...@localhost named]$ ls -l
    total 16
    drwxr-xr-x 2 root root 4096 2009-07-29 07:57 dev/
    drwxr-xr-x 2 root root 4096 2009-07-30 17:09 etc/
    -rw-r--r-- 1 root root 2954 2009-02-15 05:18 named.ca
    dr-xr-xr-x 173 root root 0 2009-07-08 19:44 proc/
    drwxr-xr-x 6 root root 4096 2009-07-29 07:57 var/

Permissions for /var/lib/named/var

    [ch...@localhost var]$ ls -l
    total 16
    drwxr-xr-x 3 named named 4096 2009-07-29 07:57 log/
    drwxr-xr-x 5 root root 4096 2009-07-30 06:11 named/
    drwxr-xr-x 2 named named 4096 2009-07-30 17:09 run/
    drwxr-xr-x 2 named named 4096 2009-07-29 07:57 tmp/

File permissions in /var/lib/named/var/named:

    [ch...@localhost named]$ ls -l
    total 16
    drwxr-xr-x 2 named named 4096 2009-07-30 06:11 master/
    -rw-r--r-- 1 root root 2954 2009-07-29 07:57 named.ca
    drwxr-xr-x 2 named named 4096 2009-07-30 06:11 reverse/
    drwxr-xr-x 2 named named 4096 2009-07-29 07:57 slaves/

Or is everything ok and the line in the subject can be ignored?

Thanks
Chris

Note - I'm only using bind as a local caching name server on my stand alone, single user box to speed up spam processing.

--
KeyID 0xE372A7DA98E6705C
Re: The Year of the Sevenfold Increase
I don't think buddha cares much for bind.

cheers
joe baptista

On Thu, Jul 30, 2009 at 2:26 PM, fakessh fake...@fakessh.eu wrote:

> nb : Buddha peace themselve
>
> On Thu, 30 Jul 2009 13:41:17 -0400, Joe Baptista bapti...@publicroot.org wrote:
>
>> You guys get excited over small potatoes. There are hundreds of millions of potential DLV RRsets. This is not even a drop in the bucket.
>>
>> cheers
>> joe baptista
>>
>> p.s. this message does not imply i support dnssec deployment. dnscurve is the solution to our woes http://bit.ly/pJVq4
>>
>> On Thu, Jul 30, 2009 at 11:37 AM, Chris Thompson c...@cam.ac.uk wrote:
>>
>>> [You'll find a mighty strange web page if you google for that subject, but I couldn't resist...]
>>>
>>> On 30 July 2008, dlv.isc.org had 113 DLV RRsets
>>> On 30 July 2009, dlv.isc.org had 791 DLV RRsets
>>>
>>> (and I didn't cheat! it came out exactly 7x)
>>>
>>> So, will we see another 7x increase by 30 July 2010, or will the numbers start dropping as higher-level domains get their signed delegation procedures going?
>>>
>>> Anyway, congratulations and thanks to ISC for providing this service.
>>>
>>> --
>>> Chris Thompson
>>> Email: c...@cam.ac.uk

--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative Accountable to the Internet community @large.
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
Personal: www.joebaptista.wordpress.com
Bind 9.4.3-P3 os.c prctl.h PR_SET_KEEPCAPS undeclared Compile Problem
Hello,

I'm having a problem with bind 9.4.3-P3. The last version I built on this system was 9.4.2-P2 and that still builds ok.

System info

    [root unix]# rpm -qf /usr/include/linux/prctl.h
    kernel-headers-2.2.16C37_III-1
    glibc-2.1.3
    gcc-2.95

The Error

    make[3]: Entering directory `/home/redhat/BUILD/bind-9.4.3-P3/bin/named/unix'
    /bin/sh /home/redhat/BUILD/bind-9.4.3-P3/libtool --mode=compile cc -I/home/redhat/BUILD/bind-9.4.3-P3 -I./include -I./../include -I/home/redhat/BUILD/bind-9.4.3-P3/lib/dns/include -I../../../lib/dns/include -I/home/redhat/BUILD/bind-9.4.3-P3/lib/isc/include -I../../../lib/isc -I../../../lib/isc/include -I../../../lib/isc/unix/include -I../../../lib/isc/nothreads/include -I../../../lib/isc/x86_32/include-D_GNU_SOURCE -O2 -m486 -fno-strength-reduce -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c os.c
    mkdir .libs
    gcc -I/home/redhat/BUILD/bind-9.4.3-P3 -I./include -I./../include -I/home/redhat/BUILD/bind-9.4.3-P3/lib/dns/include -I../../../lib/dns/include -I/home/redhat/BUILD/bind-9.4.3-P3/lib/isc/include -I../../../lib/isc -I../../../lib/isc/include -I../../../lib/isc/unix/include -I../../../lib/isc/nothreads/include -I../../../lib/isc/x86_32/include -D_GNU_SOURCE -O2 -m486 -fno-strength-reduce -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c os.c -fPIC -DPIC -o .libs/os.o
    os.c: In function `linux_keepcaps':
    os.c:290: `PR_SET_KEEPCAPS' undeclared (first use in this function)
    os.c:290: (Each undeclared identifier is reported only once
    os.c:290: for each function it appears in.)
    make[3]: *** [os.lo] Error 1
    make[3]: Leaving directory `/home/redhat/BUILD/bind-9.4.3-P3/bin/named/unix'
    make[2]: *** [subdirs] Error 1
    make[2]: Leaving directory `/home/redhat/BUILD/bind-9.4.3-P3/bin/named'
    make[1]: *** [subdirs] Error 1
    make[1]: Leaving directory `/home/redhat/BUILD/bind-9.4.3-P3/bin'
    make: *** [subdirs] Error 1
    Bad exit status from /var/tmp/rpm-tmp.94548 (%build)

and PR_SET_KEEPCAPS is not found in /usr/include/linux/prctl.h, in fact it's pretty empty. (or found anywhere else. while it is in the rh5 version of prctl.h)

now I could just

    #define PR_SET_KEEPCAPS 8

in /usr/include/linux/prctl.h but I'm not sure that would be the greatest idea.

I can also make a devel system available if it helps keep bind running for these old systems that are still in use all over the world.

--
Jeff

# Configure Info Only Below. #

    [root redhat]# rpm -ba SPECS/bind-9.4.3-P3.spec
    Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.18295
    + umask 022
    + cd /usr/src/redhat/BUILD
    + cd /usr/src/redhat/BUILD
    + rm -rf bind-9.4.3-P3
    + /bin/gzip -dc /usr/src/redhat/SOURCES/bind-9.4.3-P3.tar.gz
    + tar -xf -
    + STATUS=0
    + [ 0 -ne 0 ]
    + cd bind-9.4.3-P3
    ++ /usr/bin/id -u
    + [ 0 = 0 ]
    + /bin/chown -Rhf root .
    ++ /usr/bin/id -u
    + [ 0 = 0 ]
    + /bin/chgrp -Rhf root .
    + /bin/chmod -Rf a+rX,g-w,o-w .
    + echo Patch #0 (bind-9.2.0rc3-varrun.patch):
    Patch #0 (bind-9.2.0rc3-varrun.patch):
    + patch -p1 -b --suffix .varrun -s
    + echo Patch #1 (bind-9.4.1-P1-key.patch):
    Patch #1 (bind-9.4.1-P1-key.patch):
    + patch -p1 -b --suffix .key -s
    + exit 0
    Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.25330
    + umask 022
    + cd /usr/src/redhat/BUILD
    + cd bind-9.4.3-P3
    + CFLAGS=-O2 -m486 -fno-strength-reduce
    + CXXFLAGS=-O2 -m486 -fno-strength-reduce
    + ./configure --with-libtool --with-openssl=/usr --prefix=/usr --sysconfdir=/etc --localstatedir=/var --mandir=/usr/man
    checking build system type... i586-pc-linux-gnu
    checking host system type... i586-pc-linux-gnu
    checking whether make sets $(MAKE)... yes
    checking for ranlib... ranlib
    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether ln -s works... yes
    checking for ar... /usr/bin/ar
    checking for etags... /usr/bin/etags
    checking for Exuberant Ctags etags... no
    checking for perl5... no
    checking for perl... /usr/bin/perl
    checking for gcc... gcc
    checking for C compiler default output file name... a.out
    checking whether the C compiler works... yes
    checking whether we are cross compiling... no
    checking for suffix of executables...
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    checking how to run the C preprocessor... gcc -E
    checking for grep that handles long lines and -e... /bin/grep
    checking for egrep... /bin/grep -E
    checking for ANSI C header files... yes
    checking for fcntl.h... yes
    checking for sys/time.h... yes
    checking for unistd.h... yes
    checking for sys/sockio.h... no
    checking for sys/select.h... yes
    checking for sys/param.h... yes
    checking for sys/sysctl.h... yes
    checking for net/if6.h... no
    checking for an ANSI C-conforming const... yes
    checking for inline...