RE: Regarding EDNS Responses.

2009-10-28 Thread Ashwin

In message <001501ca5785$257c7220$21011...@china.huawei.com>, Ashwin writes:
> 
> Hi All,
> 
>  RFC 2671 mentions in Section 5.3
> 
> Responders who do not understand these protocol extensions are
> expected to send a response with RCODE NOTIMPL, FORMERR, or
> SERVFAIL.
> 
> However the above mentioned error codes [SERVFAIL, NOTIMPL] are
> shared, so how do we ascertain that the error code returned is an
> indication that a particular server is non-EDNS, since the error might
> be returned due to some other reason also.
> 
> So essentially my query is how do we decide whether a particular server
> is EDNS or not? Can it be assumed that each time the above three error
> codes are returned, it signifies that the DNS server is not EDNS capable?


Hi Mark,
>> You assume it is EDNS if it is in response to an EDNS query and retry
>> w/o EDNS.  If the problem is EDNS the plain DNS query will succeed.
>> If it is not EDNS the plain EDNS query will fail.

Thanks for your response. I have a doubt though.

  I send out an EDNS query; for the response there are the following possibilities:
a) Success, with OPT RR: I assume the server is EDNS capable.
b) Failure with RCODE NOTIMPL, FORMERR, or SERVFAIL, with or without
OPT RR.

In b) I do not know whether the server is EDNS or not, since the server might return
NOTIMPL & SERVFAIL error codes for some other reason also. If I consider the
case that the retry with a plain DNS query succeeds and assume EDNS was the problem,
I think maybe it's not correct because SERVFAIL might happen for some other
reason at the time the EDNS query is sent, but that error is resolved by the
time the plain DNS query is sent. So even though the server is EDNS I would
assume it is non-EDNS.

The idea is to identify whether a server supports EDNS through a first
query, and then subsequent requests we send based on this identification.
One could call it a pseudo-caching of the EDNS feature for servers.

I hope I made myself clear :(

> Regards
> 
> Ashwin

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Regarding EDNS Responses.

2009-10-28 Thread Mark Andrews

It's not a perfect world.  Even getting back a EDNS response does not
indicate that the server understands EDNS.

In message <002301ca579c$56deb0f0$21011...@china.huawei.com>, Ashwin writes:
> 
> In message <001501ca5785$257c7220$21011...@china.huawei.com>, Ashwin writes:
> > 
> > Hi All,
> > 
> >  RFC 2671 mentions in Section 5.3
> > 
> > Responders who do not understand these protocol extensions are
> > expected to send a response with RCODE NOTIMPL, FORMERR, or
> > SERVFAIL.
> > 
> > However the above mentioned error codes [SERVFAIL, NOTIMPL] are
> > shared, so how do we ascertain that the error code returned is an
> > indication that a particular server is non-EDNS, since the error might
> > be returned due to some other reason also.
> > 
> > So essentially my query is how do we decide whether a particular server
> > is EDNS or not? Can it be assumed that each time the above three error
> > codes are returned, it signifies that the DNS server is not EDNS capable?
> 
> 
> Hi Mark,
> >> You assume it is EDNS if it is in response to an EDNS query and retry
> >> w/o EDNS.  If the problem is EDNS the plain DNS query will succeed.
> >> If it is not EDNS the plain EDNS query will fail.
> 
> Thanks for your response. I have a doubt though.
> 
>   I send out an EDNS query; for the response there are the following possibilities:
>   a) Success, with OPT RR: I assume the server is EDNS capable.
>   b) Failure with RCODE NOTIMPL, FORMERR, or SERVFAIL, with or without
> OPT RR.
> 
> In b) I do not know whether the server is EDNS or not, since the server might return
> NOTIMPL & SERVFAIL error codes for some other reason also. If I consider the
> case that the retry with a plain DNS query succeeds and assume EDNS was the problem,
> I think maybe it's not correct because SERVFAIL might happen for some other
> reason at the time the EDNS query is sent, but that error is resolved by the
> time the plain DNS query is sent. So even though the server is EDNS I would
> assume it is non-EDNS.
> 
> The idea is to identify whether a server supports EDNS through a first
> query, and then subsequent requests we send based on this identification.
> One could call it a pseudo-caching of the EDNS feature for servers.
> 
> I hope I made myself clear :(
> 
> > Regards
> > 
> > Ashwin
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
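The retry-without-EDNS rule Mark describes, together with the "pseudo-cache" Ashwin wants and the transient-SERVFAIL case he is worried about, can be written down as a small decision procedure. The following is an added example for this thread, not code from BIND or from either poster. The server behaviours (`modern`, `legacy`, `broken`, `flaky`) are constructed stand-ins injected through a `send` callback, so nothing is sent on the network; the cache expiry is the one thing that lets a verdict taken during a passing SERVFAIL be corrected later.

```python
"""EDNS capability detection with a retry-without-EDNS fallback and a
time-limited per-server cache.  Added illustration for this thread; it is
not code from BIND or from the posters.  The servers below are constructed
stand-ins: nothing is sent on the network."""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Tuple


class Rcode(Enum):
    NOERROR = 0
    FORMERR = 1
    SERVFAIL = 2
    NOTIMP = 4


@dataclass(frozen=True)
class Response:
    rcode: Rcode
    has_opt: bool = False  # True when the reply carries an OPT RR


class EdnsStatus(Enum):
    EDNS = "edns"        # EDNS query answered with an OPT RR
    PLAIN = "plain"      # EDNS query failed, plain DNS retry succeeded
    UNKNOWN = "unknown"  # both attempts failed: nothing learned, never cached


# RCODEs that RFC 2671 section 5.3 allows from responders that do not
# understand EDNS; all three are also returned for unrelated failures.
EDNS_FAILURE_RCODES = frozenset({Rcode.FORMERR, Rcode.SERVFAIL, Rcode.NOTIMP})

# send(server, use_edns) -> Response: the wire exchange in a real resolver,
# injected here so the decision logic can be exercised offline.
Sender = Callable[[str, bool], Response]


def classify(server: str, send: Sender) -> EdnsStatus:
    """Query with EDNS; on an EDNS-style failure retry without it, and treat a
    plain-DNS success as evidence that EDNS itself was the problem."""
    first = send(server, True)
    if first.rcode is Rcode.NOERROR:
        # Without an OPT RR the server never demonstrated EDNS (the OPT may
        # also have been stripped in transit), so fall back to plain DNS.
        return EdnsStatus.EDNS if first.has_opt else EdnsStatus.PLAIN
    if first.rcode not in EDNS_FAILURE_RCODES:
        return EdnsStatus.UNKNOWN  # e.g. REFUSED: nothing to do with EDNS
    retry = send(server, False)
    if retry.rcode is Rcode.NOERROR:
        return EdnsStatus.PLAIN
    return EdnsStatus.UNKNOWN  # plain DNS failed too, so EDNS was not the cause


class EdnsCache:
    """Pseudo-cache of EDNS status per server.  Entries expire so that a verdict
    taken during a transient SERVFAIL (the case raised in the thread) is
    re-tested instead of sticking for ever."""

    def __init__(self, send: Sender, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._send = send
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[EdnsStatus, float]] = {}

    def status(self, server: str) -> EdnsStatus:
        now = self._clock()
        cached = self._entries.get(server)
        if cached is not None and cached[1] > now:
            return cached[0]
        verdict = classify(server, self._send)
        if verdict is not EdnsStatus.UNKNOWN:
            self._entries[server] = (verdict, now + self._ttl)
        return verdict


class SimulatedNetwork:
    """Constructed server behaviours keyed by name (hypothetical, for the demo)."""

    def __init__(self) -> None:
        self.queries: Dict[str, int] = {}

    def send(self, server: str, use_edns: bool) -> Response:
        n = self.queries.get(server, 0)
        self.queries[server] = n + 1
        if server == "modern":   # EDNS-capable, echoes an OPT RR
            return Response(Rcode.NOERROR, has_opt=use_edns)
        if server == "legacy":   # pre-EDNS: rejects the OPT RR with FORMERR
            return Response(Rcode.FORMERR) if use_edns else Response(Rcode.NOERROR)
        if server == "broken":   # SERVFAILs whatever it is sent
            return Response(Rcode.SERVFAIL)
        if server == "flaky":    # EDNS-capable, but SERVFAILs its very first query
            return Response(Rcode.SERVFAIL) if n == 0 else Response(Rcode.NOERROR, has_opt=use_edns)
        raise KeyError(server)


def demo() -> Tuple[Dict[str, EdnsStatus], Dict[str, EdnsStatus]]:
    """Probe each server, then again after the cache entries expire."""
    net = SimulatedNetwork()
    clock = [0.0]
    cache = EdnsCache(net.send, ttl_seconds=300, clock=lambda: clock[0])
    servers = ("modern", "legacy", "broken", "flaky")
    first = {s: cache.status(s) for s in servers}
    clock[0] += 301.0  # everything cached has now expired
    second = {s: cache.status(s) for s in servers}
    return first, second


if __name__ == "__main__":
    for label, result in zip(("first probe", "after expiry"), demo()):
        print(label, {s: v.value for s, v in result.items()})
```

On the first pass `flaky` is filed as plain DNS exactly as Ashwin predicts (its SERVFAIL cleared between the two queries); after the cache entry expires the re-probe corrects it to EDNS. `broken` never enters the cache, so a server that fails both ways is not remembered as non-EDNS.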


RE: 2 simultaneous hung Bind boxes

2009-10-28 Thread Nikkilä, Tommi
Hi!

On some of our (linux based) DNS servers the BIND just hangs; the combination 
was fairly old hardware and fairly new OS/BIND. Couldn't figure it out either 
until I came up with https://www.isc.org/node/302.

At least you could try it; I found no harm in setting 
/proc/sys/net/core/xfrm_larval_drop to 1 just to be on the safe side...

--
Tommi Nikkilä
System Specialist

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Justin Shore
Sent: 28. lokakuuta 2009 7:30
To: bind-users@lists.isc.org
Subject: 2 simultaneous hung Bind boxes

I got a call from a remote tech earlier this evening.  He was at home on our 
service and couldn't get on the Internet.  His IP connectivity was fine and 
he could hit my NOC website via IP only.  DNS however was hosed. 
About the time I got in a position to check the bind logs and sniff his traffic 
the problem went away.  We chalked it up to a local problem until a few minutes 
later across the SP network I too experienced the same thing.  My DNS requests 
simply timed out.  I turned on querylog on our boxes and could see what 
appeared to be successful hits and replies. 
The boxes were just not replying to queries.  Traffic on our main upstream 
dropped by about 90% within a few short minutes (users' DNS stopped and 
outbound usage ground to a halt basically).  Not knowing what else to try I 
restarted bind on both NSs.  That fixed it.

The boxes are running fairly old Bind code, 9.5.1b2.  Tomorrow I will upgrade 
to 9.6.1rc1 (unless people believe 9.7.0b1 is ready for use). 
My question is: are there any known ways for a crafted query or crafted reply to 
cause what I've described on that old release of Bind?  I recall hearing about 
assorted things over the past couple of years though I thought that they were 
things that would cause actual crashing, not the mental hosing my boxes 
appeared to take this evening.  Does anything else come to mind?  The views on 
the servers only permit recursive lookups internally from our customer 
prefixes.  Externally you can only get responses for things that we have 
authority over.  Thoughts?

Thanks
  Justin



Reasons for not resolving

2009-10-28 Thread Alans
Hello,

 

There are a few websites that our DNS (BIND 9.4.2 on CentOS 5) is not
resolving while other resolvers like 4.2.2.2 do. I wonder what could be the
reasons for this?

 

Regards,

Alans


RE: Reasons for not resolving

2009-10-28 Thread Alans
I looked more and I figured out that we can't ping or browse any of these
hosts http://www.ip-adress.com/reverse_ip/96.31.75.113 (they are all on one
IP). It's confusing because when I search in google for the host names they appear
in the results, which means it's not down for everyone!! Any ideas?

 

Kind regards,

Alans

 

From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alans
Sent: Wednesday, October 28, 2009 10:47 AM
To: bind-users@lists.isc.org
Subject: Reasons for not resolving

 

Hello,

 

There are a few websites that our DNS (BIND 9.4.2 on CentOS 5) is not
resolving while other resolvers like 4.2.2.2 do. I wonder what could be the
reasons for this?

 

Regards,

Alans


Reverse DNS & slave server

2009-10-28 Thread アルベルト

Just simple question.

I'm setting up a slave DNS server. My question is, do I need to transfer the
reverse zone too, or is just the domain zone enough?

thank you for any help



Re: 2 simultaneous hung Bind boxes

2009-10-28 Thread Alan Clegg
Justin Shore wrote:

> The boxes are running fairly old Bind code, 9.5.1b2.  Tomorrow I will
> upgrade to 9.6.1rc1 (unless people believe 9.7.0b1 is ready for use).

I would recommend not using beta or release candidate code in your
deployment.  If you want something that will stand up to customer needs
(and not cause your pager to go off at oh-dark-thirty), try 9.6.1-P1.

For further information on naming, take a look at:

https://www.isc.org/software/bind/versions

AlanC


Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Stephane Bortzmeyer
On Tue, Oct 20, 2009 at 08:29:20PM +,
 Evan Hunt  wrote 
 a message of 836 lines which said:

>BIND 9.7.0b1 is now available.

Apparently, support for the new algorithms RSASHA256 and RSASHA512 is
not included? Is it planned for 9.7 or shall I wait 9.8?

% bind/bin/dnssec/dnssec-keygen  -a RSASHA256 -b 2048 -r /dev/urandom 
example.net 
dnssec-keygen: fatal: unknown algorithm RSASHA256



Re: 2 simultaneous hung Bind boxes

2009-10-28 Thread Justin Shore

Nikkilä wrote:

Hi!

On some of our (linux based) DNS servers the BIND just hangs; the combination 
was fairly old hardware and fairly new OS/BIND. Couldn't figure it out either 
until I came up with https://www.isc.org/node/302.

At least you could try it; I found no harm in setting 
/proc/sys/net/core/xfrm_larval_drop to 1 just to be on the safe side...


Tommi,

Thanks for the reply.  The boxes are fairly old Dells (1650s) running 
FC5.  I'm rebuilding them in 2010.  I'll take a look at that doc and 
see.  These servers have generally been rock solid.  The only problem 
I've had is with my split view configuration when I update a zone on the 
master.  The zone is copied to the slave but only 1 view on each box 
gets the updated zone.  I have to restart the named process to make it 
re-read the local copy of the zone to get both views on the same serial. 
But I've never had any stability issues to date.  I'll upgrade to 9.6 
too just to be safe.


Thanks
 Justin



Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Evan Hunt
> Apparently, support for the new algorithms RSASHA256 and RSASHA512 is
> not included? Is it planned for 9.7 or shall I wait 9.8?

That will be in 9.7.0b2.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Chris Thompson

On Oct 28 2009, Evan Hunt wrote:


Apparently, support for the new algorithms RSASHA256 and RSASHA512 is
not included? Is it planned for 9.7 or shall I wait 9.8?


That will be in 9.7.0b2.


You aren't going to wait for the RFC? - it doesn't seem to be out yet.
Or maybe you are predicting that it will be out before 9.7.0b2 is...

--
Chris Thompson
Email: c...@cam.ac.uk



Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Stephane Bortzmeyer
On Wed, Oct 28, 2009 at 03:17:54PM +,
 Chris Thompson  wrote 
 a message of 13 lines which said:

> You aren't going to wait for the RFC? 

It is in AUTH48 (the last step before publication, theoretically
meaning that the people involved have 48 h to make remarks).

After all, ldns already has it :-)

% ldns-keygen -a RSASHA256 vachement-secure.example
Kvachement-secure.example.+008+23094

% cat Kvachement-secure.example.+008+23094.key 
vachement-secure.example.   3600IN  DNSKEY  256 3 8 \
  AwEAAc87fkhQ3RehZ9AWUtataphm6Ku+DLKgtUPp/Zi0mwhtDN36oWBhzUt5a82Zeat4zsbC6W
jIDWWqOx33cWh3ISMKDK0cOu1kMRCZTXS98WoSA0TgfMBdGdaK/Z+yLX+COq8HL72gBDG/RuDqIOwdtC
BhbDluIwafzPAw3l2rIEiR \
  ;{id = 23094 (zsk), size = 1024b}


New BIND server

2009-10-28 Thread NéoSynergix | Martin Dubreuil
Hello BIND users,

 

I have setup a new Ubuntu 9.04 server with BIND9.

 

I have looked at a few tutorial and how to’s like this one:

https://help.ubuntu.com/community/BIND9ServerHowto

 

but would like to get your tips and tricks to secure your BIND servers
before putting it into production.

 

Thanks,

 

Neosys

 


Re: New BIND server

2009-10-28 Thread Rick Dicaire
On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil
 wrote:
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

A little vague here. You haven't defined what your intentions are. Is
this an authoritative only server for zones? Recursive server for
clients? Other questions I can't think of at the moment?

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


RE: New BIND server

2009-10-28 Thread NéoSynergix | Martin Dubreuil
Yes sorry,

This DNS server is only to resolve our local hosted domain names -
authoritative only server 
- WITH no recursion



-Original Message-
From: Rick Dicaire [mailto:kri...@gmail.com] 
Sent: 28 octobre 2009 12:01
To: martin.dubre...@neosynergix.com
Cc: bind-users@lists.isc.org
Subject: Re: New BIND server

On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil
 wrote:
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

A little vague here. You haven't defined what your intentions are. Is
this an authoritative only server for zones? Recursive server for
clients? Other questions I can't think of at the moment?

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u



Re: Reasons for not resolving

2009-10-28 Thread Kevin Darcy

Alans,
Why would you use Google to determine whether a web site is up or not?

It's not even clear to me that you're having a DNS problem. It's rather 
bad practice to have lots of reverse-records in the DNS for a given 
address (e.g. 96.31.75.113), and can even cause problems with oversized 
responses to reverse lookups being dropped by firewalls, but it 
shouldn't cause any *forward* (name-to-address) lookups to fail.


Can you resolve a name like yarnandwaste.com or can't you? Please follow 
normal diagnostic procedures and try to determine what actual problem 
you are having. "Can't ping or browse" is only the start of the 
diagnostic process, and might not be caused by DNS at all.


Once you've determined that you can't resolve a particular name, then 
something you might try is a "dig +trace" on the name, from your 
nameserver. That will show you the sequence of queries that will be 
followed by a resolver to try and resolve the name, and might help 
pinpoint the source of the problem. It will not, however, exactly match 
what your nameserver is doing unless you have a completely "vanilla", 
iterative-resolving configuration (i.e. Internet root hints and nothing 
else). If you have other elements of your config that affect resolution, 
e.g. zones of type stub/forward/master/slave anywhere in the hierarchy 
of the name you're looking up, or "forwarders" in your "options" clause, 
then "dig +trace" won't know about those "specials" and can't match 
exactly what your nameserver would do. Also, it's possible that your 
nameserver has cached data that might cause it to resolve differently 
than "dig +trace", which always starts with no cache at all.


- Kevin

Alans wrote:


I looked more and I figured out that we can't ping or browse any of 
these hosts http://www.ip-adress.com/reverse_ip/96.31.75.113 (they are all 
on one IP). It's confusing because when I search in google for the host 
names they appear in the results, which means it's not down for 
everyone!! Any ideas?


Kind regards,

Alans

*From:* bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] *On Behalf Of *Alans

*Sent:* Wednesday, October 28, 2009 10:47 AM
*To:* bind-users@lists.isc.org
*Subject:* Reasons for not resolving

Hello,

There are a few websites that our DNS (BIND 9.4.2 on CentOS 5) is not 
resolving while other resolvers like 4.2.2.2 do. I wonder what could be the 
reasons for this?


Regards,

Alans





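Kevin's advice is to read the sequence of referrals that `dig +trace` prints and find the stage at which resolution stops. The following is an added example for this thread, not code from BIND or from the posters: a small parser that splits `dig +trace` output into referral stages (each closed by a `;; Received ... from` line) and summarises the last stage. The sample input is an abridged copy of the `yarnandwaste.com` trace Alans posts later in the thread, with the root and .com NS lists shortened and the local resolver address left masked as `xx.xx.xx.xx` as in the post; the field layout of the `Received` line is the one dig 9.4 prints.

```python
"""Parse `dig +trace` output into referral stages and summarise where the
trace stopped.  Added illustration for this thread, not code from BIND or
from the posters.  SAMPLE_TRACE is an abridged copy of the yarnandwaste.com
trace posted in the thread (local resolver already masked as xx.xx.xx.xx)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_TRACE = """\
; <<>> DiG 9.4.2 <<>> yarnandwaste.com +trace
;; global options:  printcmd
.                       437569  IN      NS      A.ROOT-SERVERS.NET.
.                       437569  IN      NS      B.ROOT-SERVERS.NET.
;; Received 500 bytes from xx.xx.xx.xx #53(xx.xx.xx.xx) in 0 ms

com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
;; Received 506 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 158 ms

yarnandwaste.com.       172800  IN      NS      maa.durgamatamandir.com.
yarnandwaste.com.       172800  IN      NS      mata.durgamatamandir.com.
;; Received 119 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 225 ms

;; connection timed out; no servers could be reached
"""

# ";; Received <n> bytes from <addr>#<port>(<name>) in <t> ms" (dig 9.4 prints
# an optional space before the '#', as the masked line above shows)
RECEIVED_RE = re.compile(
    r"^;; Received (\d+) bytes from (\S+?) ?#(\d+)\(([^)]+)\) in (\d+) ms$")


@dataclass
class Stage:
    """One reply in the trace: the records it carried and who sent it."""
    records: List[Tuple[str, int, str, str]] = field(default_factory=list)  # owner, ttl, type, rdata
    responder: Optional[str] = None


def parse_trace(text: str) -> Tuple[List[Stage], bool]:
    """Split dig +trace output into stages; the flag reports a final timeout."""
    stages: List[Stage] = []
    current = Stage()
    timed_out = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECEIVED_RE.match(line)
        if m:
            current.responder = m.group(4)
            stages.append(current)
            current = Stage()
            continue
        if line.startswith(";; connection timed out"):
            timed_out = True
            continue
        if line.startswith(";"):
            continue  # dig banner and option lines
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[1].isdigit():
            current.records.append((fields[0], int(fields[1]), fields[3], " ".join(fields[4:])))
    return stages, timed_out


@dataclass
class TraceSummary:
    hops: int                      # replies received before the trace stopped
    zone: str                      # owner name of the NS set in the last reply
    servers: List[str]             # name servers the last reply delegated to
    last_responder: Optional[str]  # server that sent the last reply
    timed_out: bool                # the next hop never answered
    answered: bool                 # last reply carried A/AAAA/CNAME records


def diagnose(text: str) -> TraceSummary:
    stages, timed_out = parse_trace(text)
    last = stages[-1] if stages else Stage()
    ns = [r for r in last.records if r[2] == "NS"]
    return TraceSummary(
        hops=len(stages),
        zone=ns[0][0] if ns else "",
        servers=[r[3] for r in ns],
        last_responder=last.responder,
        timed_out=timed_out,
        answered=any(r[2] in ("A", "AAAA", "CNAME") for r in last.records),
    )


def explain(summary: TraceSummary) -> str:
    """One-line reading of the summary for the person debugging."""
    if summary.answered:
        return f"answer received from {summary.last_responder} after {summary.hops} hops"
    if summary.timed_out and summary.servers:
        return (f"{summary.last_responder} delegated {summary.zone} to "
                f"{', '.join(summary.servers)}; none of them answered, so the "
                f"delegated name servers are unreachable from here")
    return "trace ended without an answer; check the last stage by hand"


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_TRACE)))
```

As Kevin notes, the trace starts from the root hints with an empty cache, so a difference between this result and what the resolver itself returns points at forwarders, stub/slave zones or cached data on the resolver rather than at the delegation.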


Re: Reverse DNS & slave server

2009-10-28 Thread Kevin Darcy

アルベルト wrote:

Just simple question.

I'm setting up a slave DNS server. My question is, do I need to transfer the
reverse zone too, or is just the domain zone enough?

  

Sort of impossible to answer, without more information.

Why did you set up a slave server in the first place? Redundancy? 
Performance? Because it was required by your registrar?


Some or all of those same reasons might apply to the reverse zone as well.

- Kevin


Re: New BIND server

2009-10-28 Thread Matus UHLAR - fantomas
On 28.10.09 11:27, NéoSynergix | Martin Dubreuil wrote:
> I have setup a new Ubuntu 9.04 server with BIND9.
> 
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

What do you mean by secure?
The default installation should not allow anything that might be insecure.

Only take care about the allow-recursion setting if you plan to use it as
recursive (if not, "recursion no" should be in the config) and that should
be enough for now.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot. 


RE: New BIND server

2009-10-28 Thread Dixon, Justin
Hello BIND users,

I have setup a new Ubuntu 9.04 server with BIND9.

I have looked at a few tutorial and how to's like this one:

https://help.ubuntu.com/community/BIND9ServerHowto

but would like to get your tips and tricks to secure your BIND servers
before putting it into production.

Thanks,

Neosys


Aside from standard OS level hardening that should have already been
done, I would recommend looking over the following:

 

http://www.cymru.com/Documents/secure-bind-template.html

 

Thanks...

Justin


Re: New BIND server

2009-10-28 Thread Kevin Darcy
Yeah, look it over, but take the zone-transfer restrictions and 
version-obfuscation stuff with a bit of a grain of salt. Those parts are 
a little too PHSCSE (Pointy-Haired So-Called Security Expert)-ish for my 
tastes, verging on Theater. At least they finally got rid of the "bogon" 
stuff.


Chroot and unprivileged, on the other hand, are _de_rigueur_ for anything 
facing the Internet directly, as is view separation (or, to be more 
hardcore, process-instance/listen-on or machine separation) between 
recursive-resolver and non-recursive/authoritative roles.


If you're slaving, you'd also want to set up TSIG-authentication between 
masters and slaves. That's not shown in the template.


- Kevin

Dixon, Justin wrote:





Hello BIND users,

I have setup a new Ubuntu 9.04 server with BIND9.

I have looked at a few tutorial and how to’s like this one:

https://help.ubuntu.com/community/BIND9ServerHowto

but would like to get your tips and tricks to secure your BIND servers 
before putting it into production.


Thanks,

Neosys

Aside from standard OS level hardening that should have already been 
done, I would recommend looking over the following:


http://www.cymru.com/Documents/secure-bind-template.html

Thanks…

Justin





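Martin's server is authoritative-only, Matus's advice is that `recursion no` is then the setting that matters, and Kevin adds TSIG between master and slaves when slaving. The following is an added example for this thread, not code from BIND, the Cymru template or the posters: two constructed `named.conf` fragments, one with the weak settings and one corrected, and a small regex-based check that reports the points raised above. The configs, zone name, key name and file paths are hypothetical, and the TSIG secret is a placeholder to be replaced with a generated one; chroot and the unprivileged user are `named` command-line matters (`-t` and `-u`), so they appear only as a comment.

```python
"""Check a named.conf fragment for the settings discussed in this thread:
recursion on an authoritative-only server, open allow-recursion, and zone
transfers that are not protected by TSIG.  Added illustration, not code
from BIND, the Cymru template or the posters.  Both configurations are
constructed examples; the TSIG secret is a placeholder."""
import re
from typing import List

WEAK_CONF = """\
options {
    directory "/var/cache/bind";
    recursion yes;             // recursion left on for an authoritative-only box
    allow-transfer { any; };   // any host may pull the whole zone
};
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
};
"""

# chroot and an unprivileged user are not named.conf statements; they come from
# the command line, e.g. `named -u bind -t /var/lib/named` (paths are examples).
HARDENED_CONF = """\
key "xfer-key" {                           // shared with the slaves only
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, generate a real one
};
options {
    directory "/var/cache/bind";
    recursion no;                          // authoritative-only: never recurse
    allow-transfer { key "xfer-key"; };    // transfers must be TSIG-signed
};
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
};
"""


def strip_comments(conf: str) -> str:
    """Remove //, # and /* */ comments so their text cannot match a statement."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def find_option(conf: str, name: str) -> List[str]:
    """Bodies of every `name value;` or `name { ... };` statement, as strings.
    The lookbehind keeps `recursion` from matching inside `allow-recursion`."""
    pattern = re.compile(
        rf"(?<![\w-]){re.escape(name)}\s*(?:\{{([^}}]*)\}}|([^;{{]+))\s*;")
    out: List[str] = []
    for m in pattern.finditer(strip_comments(conf)):
        out.append((m.group(1) if m.group(1) is not None else m.group(2)).strip())
    return out


def _tokens(body: str) -> List[str]:
    """Split an address-match-list body such as `any;` or `key "k";` into items."""
    return [t.strip() for t in body.split(";") if t.strip()]


def audit(conf: str, role: str) -> List[str]:
    """Findings for a server whose intended role is 'authoritative' or 'recursive'."""
    findings: List[str] = []
    recursion = find_option(conf, "recursion")
    allow_recursion = find_option(conf, "allow-recursion")
    if role == "authoritative" and "no" not in recursion:
        findings.append("recursion is not switched off; add `recursion no;` "
                        "to an authoritative-only server")
    if role == "recursive":
        if not allow_recursion or any("any" in _tokens(b) for b in allow_recursion):
            findings.append("allow-recursion is missing or open to any; limit it "
                            "to your client prefixes")
    transfers = find_option(conf, "allow-transfer")
    if not transfers:
        findings.append("no allow-transfer statement; older BIND defaults to "
                        "allowing transfers to any host")
    for body in transfers:
        tokens = _tokens(body)
        if "any" in tokens:
            findings.append("allow-transfer { any; } lets anyone copy the zone")
        elif "none" not in tokens and not any(t.startswith("key") for t in tokens):
            findings.append("allow-transfer relies on source address only; use a "
                            "TSIG key between master and slaves")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf, "authoritative") or ["no findings"])
```

The check is deliberately narrow: it does not flag `version` strings (Kevin's view is that obfuscating them is theatre) and it does not try to reason about views, which need a real parser rather than a regex.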


Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Evan Hunt
> You aren't going to wait for the RFC? - it doesn't seem to be out yet.
> Or maybe you are predicting that it will be out before 9.7.0b2 is...

It's out now (RFC 5702), so this is a moot point--but we were mainly
waiting for IANA to pick the final codepoints, not so much for the
RFC to be finalized.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Reverse DNS & slave server

2009-10-28 Thread Barry Margolin
In article ,
 アルベルト  wrote:

> Just simple question.
> 
> I'm setting up a slave DNS server. My question is, do I need to transfer the
> reverse zone too, or is just the domain zone enough?
> 
> thank you for any help

You need to transfer any zones that are delegated to the slave server.  
There's nothing special about forward versus reverse zones in this 
regard.

Forward and reverse zones don't have to be hosted on the same servers, 
although most organizations use the same servers for all their zones for 
simplicity.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Chris Thompson

On Oct 28 2009, Evan Hunt wrote:


You aren't going to wait for the RFC? - it doesn't seem to be out yet.
Or maybe you are predicting that it will be out before 9.7.0b2 is...


It's out now (RFC 5702), so this is a moot point--but we were mainly
waiting for IANA to pick the final codepoints, not so much for the
RFC to be finalized.


Will you be adding RSASHA256 support in the 9.5.x and 9.6.x series? It
might be a bit optimistic to expect everyone to move to 9.7.x by 2010-07-01,
if that's when the root zone is going to be *really* signed (with RSASHA256,
according to current reports).

--
Chris Thompson
Email: c...@cam.ac.uk


Re: ISC BIND 9.7.0b1 is now available

2009-10-28 Thread Evan Hunt

> Will you be adding RSASHA256 support in the 9.5.x and 9.6.x series? It
> might be a bit optimistic to expect everyone to move to 9.7.x by 2010-07-01,
> if that's when the root zone is going to be *really* signed (with RSASHA256,
> according to current reports).

Not 9.5.x, as it lacks NSEC3 support.

Adding SHA-2 to 9.6.x would violate our policy of making major
functional changes only in major releases, so I don't expect we'll
do that.  Given the odd circumstances you mentioned, I won't say for
certain that we won't--but I doubt it.

9.7.0 is going to be final in a little over a month, which is fortunate
timing.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


how to debug

2009-10-28 Thread aihua zhang
HI,

  I have already analysed where to add the new RR and how to make it work.
 But I have not used the automake tool before, so reading such a large configure
script and makefiles makes me feel bad. I try to understand, but I am doing this
alone, so can anyone give some guidance on how to debug the source
code, how to modify the makefile, and how to test the result!

 Thanks very much!

-- 
Best regards!

Re: how to debug

2009-10-28 Thread Mark Andrews

In message , aihua zhang writes:
> 
> HI,
> 
>   I have already analysed where to add the new RR and how to make it work.
>  But I have not used the automake tool before, so reading such a large configure
> script and makefiles makes me feel bad. I try to understand, but I am doing this
> alone, so can anyone give some guidance on how to debug the source
> code, how to modify the makefile, and how to test the result!

I'll repeat what I said before "make clean" then "make".  You don't
need to touch configure or the Makefiles.  You just need to do a
clean build.  The process will look in lib/dns/rdata and find the
files there.

Mark

>  Thanks very much!
> 
> -- 
> Best regards!
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


RE: Reasons for not resolving

2009-10-28 Thread Alans
Kevin,

Thanks for your explanation. yarnandwaste.com cannot be resolved; below is the
dig +trace result:
[r...@ns2 ~]# dig yarnandwaste.com +trace

; <<>> DiG 9.4.2 <<>> yarnandwaste.com +trace
;; global options:  printcmd
.   437569  IN  NS  B.ROOT-SERVERS.NET.
.   437569  IN  NS  C.ROOT-SERVERS.NET.
.   437569  IN  NS  D.ROOT-SERVERS.NET.
.   437569  IN  NS  E.ROOT-SERVERS.NET.
.   437569  IN  NS  F.ROOT-SERVERS.NET.
.   437569  IN  NS  G.ROOT-SERVERS.NET.
.   437569  IN  NS  H.ROOT-SERVERS.NET.
.   437569  IN  NS  I.ROOT-SERVERS.NET.
.   437569  IN  NS  J.ROOT-SERVERS.NET.
.   437569  IN  NS  K.ROOT-SERVERS.NET.
.   437569  IN  NS  L.ROOT-SERVERS.NET.
.   437569  IN  NS  M.ROOT-SERVERS.NET.
.   437569  IN  NS  A.ROOT-SERVERS.NET.
;; Received 500 bytes from xx.xx.xx.xx #53(xx.xx.xx.xx) in 0 ms

com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
;; Received 506 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 158 ms

yarnandwaste.com.   172800  IN  NS  maa.durgamatamandir.com.
yarnandwaste.com.   172800  IN  NS  mata.durgamatamandir.com.
;; Received 119 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 225 ms

;; connection timed out; no servers could be reached


Does that mean it's a connectivity problem?


Another issue is with gegreklam.com, which gives different results with
dig +trace and without +trace; kindly check the results below:

- without +trace
[r...@ns2 ~]# dig gegreklam.com

; <<>> DiG 9.4.2 <<>> gegreklam.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2418
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;gegreklam.com. IN  A

;; ANSWER SECTION:
gegreklam.com.  13940   IN  A   208.43.100.50

;; AUTHORITY SECTION:
gegreklam.com.  85940   IN  NS  dns4.rawshen.com.
gegreklam.com.  85940   IN  NS  dns3.rawshen.com.

;; Query time: 0 msec
;; SERVER: xx.xx.xx.xx#53(xx.xx.xx.xx)
;; WHEN: Thu Oct 29 08:07:01 2009
;; MSG SIZE  rcvd: 93

- with +trace


[r...@ns2 ~]# dig gegreklam.com +trace

; <<>> DiG 9.4.2 <<>> gegreklam.com +trace
;; global options:  printcmd
.   436613  IN  NS  E.ROOT-SERVERS.NET.
.   436613  IN  NS  F.ROOT-SERVERS.NET.
.   436613  IN  NS  G.ROOT-SERVERS.NET.
.   436613  IN  NS  H.ROOT-SERVERS.NET.
.   436613  IN  NS  I.ROOT-SERVERS.NET.
.   436613  IN  NS  J.ROOT-SERVERS.NET.
.   436613  IN  NS  K.ROOT-SERVERS.NET.
.   436613  IN  NS  L.ROOT-SERVERS.NET.
.   436613  IN  NS  M.ROOT-SERVERS.NET.
.   436613  IN  NS  A.ROOT-SERVERS.NET.
.   436613  IN  NS  B.ROOT-SERVERS.NET.
.   436613  IN  NS  C.ROOT-SERVERS.NET.
.   436613  IN  NS  D.ROOT-SERVERS.NET.
;; Received 500 bytes from xx.xx.xx.xx #53(xx.xx.xx.xx) in 0 ms

com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
com.172800  IN  NS  B.GT