Re: Disable Refused answer
In article mailman.1194.1259925918.14796.bind-us...@lists.isc.org, Chris Thompson c...@cam.ac.uk wrote:

On Dec 3 2009, Bill Larson wrote: [...]

Then again, I've never been sure what the original requester was asking for. If he didn't want to give an answer out to someone on a particular network, then the blackhole option would seem to be a perfect solution in the first place.

| blackhole
|
| Specifies a list of addresses that the server will not accept
| queries from or use to resolve a query. [...]
^

So it's not suitable for blocking out large chunks of the external world which may contain nameservers you need to do recursive lookups.

[It's never been entirely clear to me why these functions have to be combined, especially given that server [ipaddr/len] {bogus yes;}; can be used to block outgoing queries.]

I think it's for backwards compatibility with the old BIND 4.x blackhole option. I don't think 4.x had anything analogous to the bogus server option, all you could do was blackhole individual IPs in both directions.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
___
bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Punycode nslookup
Hi Chris, hi joe,

ok..I will compile bind (resp. the libs) by myself and try it out. Thanks!

What is the way for the future: Should the browser encode idn's into punycode and send it to the nameserver (like example below) or should the browser send the un-encoded idn to the nameserver and the nameserver have to do the encoding-stuff ? Or both ?

When I use tcpdump to monitor the traffic on port 53 and I enter for example www.wüstchen.de I see:

13:16:32.856370 IP kshome-desktop.53700 speedport.ip.domain: 60227+ A? mail.xx.de. (33)
13:16:32.857902 IP speedport.ip.domain kshome-desktop.53700: 60227 1/0/0 A[|domain]
13:16:57.404713 IP kshome-desktop.55215 speedport.ip.domain: 13265+ A? www.xn--wrstchen-65a.de. (41)
13:16:57.459098 IP speedport.ip.domain kshome-desktop.55215: 13265 3/0/0[|domain]
13:16:57.601032 IP kshome-desktop.37413 speedport.ip.domain: 790+ A? www.xx.de. (34)
13:16:57.626011 IP speedport.ip.domain kshome-desktop.37413: 790 1/0/0 A[|domain]

The browser (Firefox 3.0/Linux) seems to encode the entered Domain into punycode. When I enter ping www.würstchen.de I get:

13:19:35.835977 IP kshome-desktop.58121 speedport.ip.domain: 10129+ A? www.wM-CM-rstchen.de. (35)

Look funny, not puny ;)

@joe: Here some idn's:

www.würstchen.de (Like Bratwurst ;)
www.tür.de (Door)
www.bügeleisen.de (flat iron)

Best regards, Kai.
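Added example, not part of the message above and not BIND code: it rebuilds the two DNS questions seen in the tcpdump trace, one converted to punycode before the query (the browser) and one sent as raw UTF-8 (ping), and reproduces the message sizes (41) and (35) shown there. The function names are made up for illustration; the conversion uses Python's built-in "idna" codec, which implements IDNA2003.

```python
import struct

# Names from the thread, written with escapes (\u00fc is "ü") to keep the file ASCII.
HOST = "www.w\u00fcrstchen.de"
ZONE = "umlauttest\u00e4\u00f6\u00fc.de"


def to_a_labels(hostname: str) -> str:
    """U-labels -> A-labels, as an IDNA-aware application does before resolving.

    Python's built-in "idna" codec implements IDNA2003 (RFC 3490), not IDNA2008.
    """
    return hostname.encode("idna").decode("ascii")


def build_a_query(name: bytes, qid: int = 0) -> bytes:
    """Minimal DNS query for an A record: header + QNAME + QTYPE + QCLASS."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b""
    for label in name.rstrip(b".").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)  # type A, class IN


def browser_style_query(hostname: str) -> bytes:
    """Convert to punycode first, then build the query."""
    return build_a_query(to_a_labels(hostname).encode("ascii"))


def unconverted_query(hostname: str) -> bytes:
    """Put the UTF-8 bytes on the wire, as a tool without IDN support does."""
    return build_a_query(hostname.encode("utf-8"))


def has_non_ascii_qname(message: bytes) -> bool:
    """True if the question name of a single-question query has bytes >= 0x80."""
    return any(b >= 0x80 for b in message[12:-4])


if __name__ == "__main__":
    for q in (browser_style_query(HOST), unconverted_query(HOST)):
        print(len(q), has_non_ascii_qname(q), q[12:-4])
```

The raw-UTF-8 name never matches a zone that is configured under its xn-- name, which is why only the converted query finds the record.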
Re: Punycode nslookup
On Sat, Dec 05, 2009 at 02:04:18PM +0100, Kai Szymanski wrote:

Hi Chris, hi joe, ok..I will compile bind (resp. the libs) by myself and try it out. Thanks! What is the way for the future: Should the browser encode idn's into punycode and send it to the nameserver (like example below) or should the browser send the un-encoded idn to the nameserver and the nameserver have to do the encoding-stuff ? Or both ?

My preference would be to have what is entered on the address line and seen by the human be also what is sent to the resolver. This would require more changes, though.

Second preference would be to have the standard subroutines that the browser calls do it.

Under no circumstances should either the name server or the browser proper have to worry about details such as how to encode or decode different character formats. Isn't one of Alan Perlis' quotes about, a high-level language is one where you don't have to worry about unnecessary detail?

--
/*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: Punycode nslookup
Hi! Kay, I take back the entire thread since this is something which really matches what is under warm discussion at the IETF WG/IDNSBIS.

Kai Szymanski k...@codebiz.de 4 December 2009 15:41

One of our customers wants a Domain with Umlaute (german special characters like ä). Is it correct when I have configured the zone like

zone "xn--umlauttest-z5a0tyc.de" {
    type master;
    file "master/umlauttestäöü.de.hosts";
    allow-transfer { can_transfer; };
    # allow-update { can_update; };
};

and the record like

xn--umlauttest-z5a0tyc.de. IN SOA ns.foobar.de. hostmaster.foobar.de. (
    2009120401 ; Serial
    8H ; refresh
    4H ; retry
    5w6d16h ; expiry
    1D ); minimum
    IN NS ns.foobar.de.
    IN NS ns2.foobar.de.

If so: When you enter the Domainname in a Browser: Did the Browser also encode the url to punycode before asking a nameserver ?

bapti...@publicroot.org 4 December 2009 16:05

As for your question concerning the browser converting the domain to punycode before asking a nameserver - yes that is what some browsers do. I'm not sure why because it must confuse some users when that happens.

This is the IDNA concept. Conversion is to happen in Applications.

Kai Szymanski k...@codebiz.de 4 December 2009 16:23

my problem is: I can't test the zone with nslookup (only when I use the puny-encoded domainname). Also other tools who uses dns to resolve the entered domainname (like ping www.umlauttestäöü.de) didn't work. So I thought that

1. The User enters a url with Umlauts in browser
2. Browser examine url, see that there is umlaut in the domainname, and encoded it (internal, so the user didn't see it) to puny code and ask the default nameserver for the domainname in punycode

Is this correct ?
Chris Buxton cbux...@menandmice.com 4 December 2009 18:26
To: Bind Mailing bind-users@lists.isc.org

On Dec 4, 2009, at 7:23 AM, Kai Szymanski wrote:

Hi Joe, my problem is: I can't test the zone with nslookup (only when I use the puny-encoded domainname).

nslookup will only understand IDN if BIND is compiled with that option in the ./configure step.

Also other tools who uses dns to resolve the entered domainname (like ping www.umlauttestäöü.de) didn't work.

Other CLI tools will not work.

So I thought that

1. The User enters a url with Umlauts in browser
2. Browser examine url, see that there is umlaut in the domainname, and encoded it (internal, so the user didn't see it) to puny code and ask the default nameserver for the domainname in punycode

The browser has to understand IDN. Most current browsers do, including (I believe) IE 7 and later, Firefox 2 and later, and Safari 3 and later.

This is correct. However, beware: since you talk of test. The coming Fast Track ICANN project should use IDNA2008 (more versatile but restricts A-labels (xn--) to lower cases). The question is when is IDNA2008 to be released. We hoped this month or January. The present debate on Eszett that raised again at the WG may delay this. To better understand I started looking in the code where the punycode routine is. Has someone a file name for it?

bapti...@publicroot.org 4 December 2009 19:12

might be a good idea if it was the default option. as idn becomes popular the lack of idn support for the tools will result in confusion.

Yes. But IDNA2008 is going to be much more complex to support for this kind of tool since zone managers may impose their own rules. So, in addition to know if an IDN works, it would be great to know if it is legitimate (TLD zone managers may decide rules, but higher level zone managers to disregard them).

Does anyone have a list of idn domains? I'd like to try it out.
Just try http://jean-françois.jefsey.com - a very old introduction page. But that is simple (in roman script).

Chris Buxton cbux...@menandmice.com 4 December 2009 20:29

The reason IDN support in the BIND query tools (dig, host, nslookup) is not the default is because it relies on a 3rd party library, which must be installed and configured by the package builder beforehand. This is just like SSL support, needed for DNSSEC and TSIG, except that most operating systems don't already ship with libidnkit.

Do you know the hook? I am just starting investigating the code, and I have C only as a minor :-)

Kai Szymanski k...@codebiz.de 5 December 2009 14:04

What is the way for the future: Should the browser encode idn's into punycode and send it to the nameserver (like example below) or should the browser send the
Re: Mailing to bind
JFC Morfin wrote:

I wish to set-up my BIND DNS server on Windows XP as a service. I checked the automatic start-up. Unfortunately it did not work. The readme1st guide only says that the way to do it is as usual, what does not help me since I never did it. When I try using mmc there is no way I find to declare named as a service. Would there be a dedicated Windows/BIND internet user oriented site which explains how to install BIND on windows?

Did you actually read the readme? Did you run BINDInstall? Did you create a named.conf file? Did you check your application event log?

Danny