Re: Disable Refused answer

2009-12-05 Thread Barry Margolin
In article mailman.1194.1259925918.14796.bind-us...@lists.isc.org,
 Chris Thompson c...@cam.ac.uk wrote:

 On Dec 3 2009, Bill Larson wrote:
 
 [...]
 Then again, I've never been sure what the original requester was asking 
 for.  If he didn't want to give an answer out to someone on a particular 
 network, then the blackhole option would seem to be a perfect solution in 
 the first place.
 
 | blackhole
 |
 |Specifies a list of addresses that the server will not accept
 | queries from or use to resolve a query. [...] 
^
 
 So it's not suitable for blocking out large chunks of the external world 
 which may contain nameservers you need to do recursive lookups.
 
 [It's never been entirely clear to me why these functions have to be
 combined, especially given that server [ipaddr/len] {bogus yes;};
 can be used to block outgoing queries.]

I think it's for backwards compatibility with the old BIND 4.x blackhole 
option.  I don't think 4.x had anything analogous to the bogus server 
option, all you could do was blackhole individual IPs in both directions.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Punycode nslookup

2009-12-05 Thread Kai Szymanski
Hi Chris,
hi joe,

OK, I will compile BIND (resp. the libs) by myself and try it out. Thanks!

What is the way for the future: should the browser encode IDNs into
punycode and send them to the nameserver (like the example below), or should
the browser send the un-encoded IDN to the nameserver and the nameserver
have to do the encoding stuff? Or both?

When I use tcpdump to monitor the traffic on port 53 and I enter, for
example, www.würstchen.de I see:

13:16:32.856370 IP kshome-desktop.53700 > speedport.ip.domain: 60227+ A? mail.xx.de. (33)
13:16:32.857902 IP speedport.ip.domain > kshome-desktop.53700: 60227 1/0/0 A[|domain]
13:16:57.404713 IP kshome-desktop.55215 > speedport.ip.domain: 13265+ A? www.xn--wrstchen-65a.de. (41)
13:16:57.459098 IP speedport.ip.domain > kshome-desktop.55215: 13265 3/0/0[|domain]
13:16:57.601032 IP kshome-desktop.37413 > speedport.ip.domain: 790+ A? www.xx.de. (34)
13:16:57.626011 IP speedport.ip.domain > kshome-desktop.37413: 790 1/0/0 A[|domain]

The browser (Firefox 3.0/Linux) seems to encode the entered domain into
punycode.

When I enter ping www.würstchen.de I get:

13:19:35.835977 IP kshome-desktop.58121 > speedport.ip.domain: 10129+ A? www.wM-CM-<rstchen.de. (35)

Looks funny, not puny ;)

@joe: Here are some IDNs:

www.würstchen.de   (Like Bratwurst ;)
www.tür.de (Door)
www.bügeleisen.de  (flat iron)

Best regards,
  Kai.


Re: Punycode nslookup

2009-12-05 Thread Joseph S D Yao
On Sat, Dec 05, 2009 at 02:04:18PM +0100, Kai Szymanski wrote:
 Hi Chris,
 hi joe,
 
 OK, I will compile BIND (resp. the libs) by myself and try it out. Thanks!
 
 What is the way for the future: should the browser encode IDNs into
 punycode and send them to the nameserver (like the example below), or should
 the browser send the un-encoded IDN to the nameserver and the nameserver
 have to do the encoding stuff? Or both?


My preference would be to have what is entered on the address line and
seen by the human be also what is sent to the resolver.  This would
require more changes, though.  Second preference would be to have the
standard subroutines that the browser calls do it.

Under no circumstances should either the name server or the browser
proper have to worry about details such as how to encode or decode
different character formats.

Isn't one of Alan Perlis' quotes that a high-level language is one
where you don't have to worry about unnecessary detail?


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Punycode nslookup

2009-12-05 Thread JFC Morfin



Hi Kai,
I take back the entire thread since this is something which really 
matches what is under warm discussion at the IETF WG/IDNABIS.


Kai Szymanski k...@codebiz.de 4 décembre 2009 15:41
One of our customers wants a domain with Umlaute (German special 
characters like ä).

Is it correct when I have configured the zone like

zone "xn--umlauttest-z5a0tyc.de" {
  type master;
  file "master/umlauttestäöü.de.hosts";
  allow-transfer { can_transfer; };
  # allow-update { can_update; };
};

and the record like

xn--umlauttest-z5a0tyc.de.  IN  SOA  ns.foobar.de.  hostmaster.foobar.de. (

  2009120401  ; Serial
  8H          ; refresh
  4H          ; retry
  5w6d16h     ; expiry
  1D )        ; minimum

  IN NS ns.foobar.de.
  IN NS ns2.foobar.de.

If so: when you enter the domain name in a browser, does the browser 
also encode the URL to punycode before asking a nameserver?


bapti...@publicroot.org 4 décembre 2009 16:05
As for your question concerning the browser converting the domain to 
punycode before asking a nameserver - yes, that is what some browsers 
do. I'm not sure why, because it must confuse some users when that happens.


This is the IDNA concept. Conversion is to happen in Applications.



Kai Szymanski k...@codebiz.de 4 décembre 2009 16:23
my problem is: I can't test the zone with nslookup (only when I 
use the puny-encoded domain name). Also other tools which use DNS to 
resolve the entered domain name (like ping www.umlauttestäöü.de) didn't work.


So I thought that

1. The user enters a URL with umlauts in the browser
2. The browser examines the URL, sees that there is an umlaut in the 
domain name, encodes it (internally, so the user doesn't see it) to 
punycode and asks the default nameserver for the domain name in punycode

Is this correct?



Chris Buxton cbux...@menandmice.com 4 décembre 2009 18:26
To: Bind Mailing bind-users@lists.isc.org
On Dec 4, 2009, at 7:23 AM, Kai Szymanski wrote:
 Hi Joe,

 my problem is: I can't test the zone with nslookup (only when I 
use the puny-encoded domain name).


nslookup will only understand IDN if BIND is compiled with that 
option in the ./configure step.


 Also other tools which use DNS to resolve the entered domain name 
(like ping www.umlauttestäöü.de) didn't work.


Other CLI tools will not work.

 So I thought that

 1. The user enters a URL with umlauts in the browser
 2. The browser examines the URL, sees that there is an umlaut in the 
domain name, encodes it (internally, so the user doesn't see it) to 
punycode and asks the default nameserver for the domain name in punycode


The browser has to understand IDN. Most current browsers do, 
including (I believe) IE 7 and later, Firefox 2 and later, and 
Safari 3 and later.


This is correct. However, beware, since you talk of testing: the coming 
Fast Track ICANN project should use IDNA2008 (more versatile, but it 
restricts A-labels (xn--) to lower case). The question is when 
IDNA2008 is to be released. We hoped this month or January. The present 
debate on Eszett that was raised again at the WG may delay this.


To better understand I started looking in the code where the punycode 
routine is. Has someone a file name for it?



bapti...@publicroot.org 4 décembre 2009 19:12
Might be a good idea if it was the default option. As IDN becomes 
popular, the lack of IDN support for the tools will result in confusion.


Yes. But IDNA2008 is going to be much more complex to support for 
this kind of tool, since zone managers may impose their own rules. So, 
in addition to knowing if an IDN works, it would be great to know if it 
is legitimate (TLD zone managers may decide rules, but higher level 
zone managers to disregard them).



Does anyone have a list of idn domains? I'd like to try it out.


Just try http://jean-françois.jefsey.com - a very old introduction 
page. But that is simple (in roman script).



Chris Buxton cbux...@menandmice.com 4 décembre 2009 20:29
The reason IDN support in the BIND query tools (dig, host, nslookup) 
is not the default is because it relies on a 3rd party library, 
which must be installed and configured by the package builder 
beforehand. This is just like SSL support, needed for DNSSEC and 
TSIG, except that most operating systems don't already ship with libidnkit.


Do you know the hook? I am just starting investigating the code, and 
I have C only as a minor :-)



Kai Szymanski k...@codebiz.de 5 décembre 2009 14:04
What is the way for the future: Should the browser encode idn's into
punycode and send it to the nameserver (like example below) or should
the browser send the 

Re: Mailing to bind

2009-12-05 Thread Danny Mayer
JFC Morfin wrote:
 I wish to set up my BIND DNS server on Windows XP as a service. I checked
 the automatic start-up. Unfortunately it did not work. The readme1st
 guide only says that the way to do it is as usual, which does not help me
 since I never did it. When I try using mmc there is no way I can find to
 declare named as a service.
 
 Would there be a dedicated Windows/BIND internet-user-oriented site
 which explains how to install BIND on Windows?

Did you actually read the readme? Did you run BINDInstall? Did you
create a named.conf file? Did you check your application event log?

Danny
