Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-30 Thread Matus UHLAR - fantomas
> > I have seen this happen when bind for some reason (eg mtu issues with
> > vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
> > out the exact failure mode there. Check the logs to see errors for DNSKEY
> > queries for dlv.isc.org to see if this is happening here too. However in
> > that case, no queries at all make it.

On 29.03.10 18:35, Roy Badami wrote:
> Hmm, I wonder whether it could be related to my tunnelled IPv6
> connectivity.  I still don't see why, though.

MTU problem?

> Resolution definitely works sometimes.  When it starts failing
> 'rndc flush' has fixed it for me.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: invalid requests for dns_registration.*

2010-03-30 Thread Matus UHLAR - fantomas
> In article ,
>  Matus UHLAR - fantomas  wrote:
> > on one of my nameservers I see many of these messages in log files:
> > 
> > Mar 29 07:59:07 gtssk1 named[5012]: security: error: client
> > 195.168.29.200#65293: view gtsi: check-names failure
> > dns_registration.in.nextra.sk/A/IN
> > 
> > I'm curious of the reason because they are going to server authoritative for
> > nextra.sk, but not for in.nextra.sk, so I think there's a broken DNS
> > resolver/updater somewhere.

On 29.03.10 21:55, Barry Margolin wrote:
> If the client doesn't have NS records cached for in.nextra.sk, it will 
> ask the servers for nextra.sk, which should return a delegation.

yes, apparently something like that.

> > Has anyone an idea what kind of devices or configurations can issue these
> > requests?

> Any properly functioning DNS resolver.  There's nothing wrong with the 
> requests.  What's wrong is that your subdomain has a hostname with an 
> underscore in its name.

There is no such subdomain and I do not have any record containing
underscores in my domains.

The issue is exactly that someone/something is requesting a hostname that
does not exist and is invalid. I don't know who or why.

Has anyone seen a case where the "dns_registration" prefix would be special?
Any kind of device/service/protocol that would prepend this to a domain in
the domain search list to get any information?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: Subdomain delegation only returns SOA on dig

2010-03-30 Thread Matus UHLAR - fantomas
On 29.03.10 12:34, Prabhat Rana wrote:
> I'm running BIND 9.6.1-P1 on a Solaris box. This DNS (ns1.spx.net) is
> authoritative to domain spx.net (this is just example). And I'm trying to
> delegate nse.spx.net to ns1.nse.spx.net. I think I have configured
> correctly but when I run a dig from a different DNS node for a subdomain
> within nse.spx.net like mil.nse.spx.net, it responds only SOA in the Auth
> section. Its missing the NS from the zone files. The snapshot of my
> named.conf file
> 
> zone "spx.net" {
> type master;
> file "/opt/named/db.spx.net";
> };
> 
> zone "nse.spx.net" {
> type master;
> file "/opt/named/db.nse.spx.net";
> };
> 
> 
> Here are the snapshot of consecutive zone files

> $ttl 38400
> spx.net. IN  SOA ns1.spx.net. ns2.spx.net. (
> 1189784076
> 86400
> 3600
> 604800
> 38400 )
> spx.net. IN  NS  ns1
> spx.net. IN  NS  ns2

> ns2.spxdns.net. IN  A   10.1.2.3
> ns1.spxdns.net. IN  A   10.4.5.6
- out of zone data, shouldn't they be ns2.spx.net. and ns1.spx.net. ?

> ns1.nse.spx.net. IN  A   10.7.8.9
- this address is different from the one below

> ;there are other entries here
> $ORIGIN nse.spx.net.
> @  IN  NS  ns1.nse.spx.net.

> And the 2nd zone file for subdomain nse.spx.net
> $TTL 3600   ; 1 hour
> @   IN SOA  ns1.nse.spx.net  (
> 2008081812 ; serial
> 1800   ; refresh (30 minutes)
> 900; retry (15 minutes)
> 604800 ; expire (1 week)
> 3600   ; minimum (1 hour)
> )
> ;
> nse.spx.net. IN  NS  ns1.nse.spx.net.
> ns1.nse.spx.net.   IN  A   10.25.130.75
- this address is different from the one above.

> Now when I run a dig for say mml.nse.spx.net I get only the SOA of the above 
> zone file and no NS information that the query is being delegated to.
> #dig @ns1.spx.net mil.nse.spx.net
> ; <<>> DiG 9.6.1-P1 <<>> @ns1.spx.net mil.nse.spxdns.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1717
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;mil.nse.spxdns.net.IN  A
> 
> ;; AUTHORITY SECTION:
> nse.spx.net. 3600IN  SOA  ns1.nse.spx.net. 
> 2008081812 1800 900 604800 3600
> 
> ;; Query time: 3 msec
> ;; SERVER: ns1.spx.net#53(10.1.2.3)
> ;; WHEN: Mon Mar 29 19:26:45 2010
> ;; MSG SIZE  rcvd: 108

I think this is the correct answer, saying that the requested hostname does
not exist.

> How would the querying DNS find out about the nameserver that this
> subdomain is being delegated to? Why the query answer doesn't include NS
> sections. I've tried to change few things but nothing works. The only
> information I get is SOA and no NS in the AUTHORITY SECTION.

did you try querying for NS records of nse.spx.net.?
Maybe you have minimal-responses turned on?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Same source port queries dropped by ServerIron load balancer

2010-03-30 Thread Abdulla Bushlaibi
We are facing query drops by using dnsperf tool from ISC testing the DNS 
service via load balancer. Multiple queries from the same source port 
are being dropped partially by the load balancer and as per the load 
balancer vendor feedback, this is a security feature and this situation 
doesn't happen in real life scenarios.


In most cases, clients generate unique random source ports for 
each DNS query; however, we are not sure about the option of reusing the 
same source port for multiple queries and how it applies in real life 
scenarios.


Appreciate your comment on this subject.

--
Abdulla Ahmad Bushlaibi



Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-30 Thread Sam Wilson
In article ,
 Roy Badami  wrote:

> > I have seen this happen when bind for some reason (eg mtu issues with
> > vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
> > out the exact failure mode there. Check the logs to see errors for DNSKEY
> > queries for dlv.isc.org to see if this is happening here too. However in
> > that case, no queries at all make it.
> 
> Hmm, I wonder whether it could be related to my tunnelled IPv6
> connectivity.  I still don't see why, though.
> 
> Resolution definitely works sometimes.  When it starts failing
> 'rndc flush' has fixed it for me.

... thus removing a cached and broken resolution chain and starting 
again from fresh?

Sam


problem with notifies

2010-03-30 Thread fddi


Hello I have a name server which is slave for many other zones.
The problem is that I upgraded to bind 9.3.x and now I have plenty of 
messages like:


IN: refused notify from non-master: itselfIPaddress

how can I avoid this ?

Do I have to insert

notify no

for every zone in which it is slave nameserver ?

thanks

Rick



Re: Same source port queries dropped by ServerIron load balancer

2010-03-30 Thread Tony Finch
On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote:

> We are facing query drops by using dnsperf tool from ISC testing the DNS
> service via load balancer. Multiple queries from the same source port are
> being dropped partially by the load balancer and as per the load balancer
> vendor feedback, this is a security feature and this situation doesn't happen
> in real life scenarios.

High performance stub resolvers like adns use the same UDP port for many
queries.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.


"any IPv6" ACL for BIND

2010-03-30 Thread ivan jr sy
hi all,

is there a built-in ACL that represents "any" IPv6 connection?

I have some experiment with allow-query { aclhere; };

where aclhere represents any IPv6 network, anywhere from the Internet.

If there's no built-in, what is the best way to come up with an equivalent?

Thanks!


  


Re: "any IPv6" ACL for BIND

2010-03-30 Thread Evan Hunt
> If there's no built-in, what is the best way to come up with an equivalent?

I think this will work:

acl any6 { ::0/0; };
acl any4 { 0.0.0.0/0; };

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: problem with notifies

2010-03-30 Thread Matus UHLAR - fantomas
On 30.03.10 13:56, fddi wrote:
> Hello I have a name server which is slave for many other zones.
> The problem is that I upgraded to bind 9.3.x and now I have plenty of  
> messages like:

upgraded _to_ 9.3 ? 9.3 is obsolete for some time.

> IN: refused notify from non-master: itselfIPaddress
> how can I avoid this ?

does the "itselfIPaddress" mean that the server receives notifies from its
own IP address?
Is the server behind NAT or load balancer?

> Do I have to insert
>
> notify no
>
> for every zone in which it is slave nameserver ?

if you don't behave as master to others, you can.
But I'd better find out why it sends notify to itself..

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.


Re: problem with notifies

2010-03-30 Thread Chris Thompson

On Mar 30 2010, Matus UHLAR - fantomas wrote:

> On 30.03.10 13:56, fddi wrote:
> > Hello I have a name server which is slave for many other zones.
> > The problem is that I upgraded to bind 9.3.x and now I have plenty of
> > messages like:
>
> upgraded _to_ 9.3 ? 9.3 is obsolete for some time.
>
> > IN: refused notify from non-master: itselfIPaddress
> > how can I avoid this ?
>
> does the "itselfIPaddress" mean that the server receives notifies from its
> own IP address?
> Is the server behind NAT or load balancer?
>
> > Do I have to insert
> >
> > notify no
> >
> > for every zone in which it is slave nameserver ?
>
> if you don't behave as master to others, you can.
> But I'd better find out why it sends notify to itself..


BIND 9.3 *did* send NOTIFYs to itself, if the NS records so indicated.

1758.   [func]  Don't send notify messages to self. [RT #12933]

was first fixed in BIND 9.4.0.

If the OP has only just started seeing these messages, I suppose the
question is what he has upgraded *from*. If we want to indulge in
archaeological research, that is ...

--
Chris Thompson
Email: c...@cam.ac.uk


Hello, problems with BInd 9.x in windows 2003 and 2000

2010-03-30 Thread Albert Molina

Hello

First, sorry for my English.

I have two servers with BIND 9.7 and 9.3, but I activated recursion 
and the log shows these errors:


30-mar-2010 17:55:37.092 general: error: .\socket.c:2444: unexpected error:
30-mar-2010 17:55:37.092 general: error: SOCKET_RECV: Windows error 
code: 1236, returning ISC error 54

30-mar-2010 17:56:39.560 general: error: .\socket.c:2408: unexpected error:
30-mar-2010 17:56:39.560 general: error: unable to convert errno to 
isc_result: 1214: The format of the specified network name is invalid.


30-mar-2010 17:56:40.373 general: error: .\socket.c:2408: unexpected error:
30-mar-2010 17:56:40.373 general: error: unable to convert errno to 
isc_result: 1214: The format of the specified network name is invalid.


30-mar-2010 17:56:41.029 general: error: .\socket.c:2408: unexpected error:
30-mar-2010 17:56:41.029 general: error: unable to convert errno to 
isc_result: 1214: The format of the specified network name is invalid.


30-mar-2010 17:56:41.029 general: error: .\socket.c:2408: unexpected error:
30-mar-2010 17:56:41.029 general: error: unable to convert errno to 
isc_result: 1214: The format of the specified network name is invalid.


30-mar-2010 17:56:41.185 general: error: .\socket.c:2408: unexpected error:
30-mar-2010 17:56:41.185 general: error: unable to convert errno to 
isc_result: 1214: The format of the specified network name is invalid.


And it continues...

I searched Google and the BIND mailing list, but I did not find anyone 
with this problem.


Any idea?

TX

--

Albert Molina
Platform Maintenance Manager

amol...@atlasit.com


Atlas Information Technology

BARCELONA
Balmes, 114, 5ª-6ª Planta
08008 Barcelona
Tel.: +34 93 445 24 61
Fax: +34 93 445 21 45

i...@atlasit.com
www.atlasit.com
24/7: +34 93 445 24 07
24/7 (ES): 902 887 348


Re: Hello, problems with BInd 9.x in windows 2003 and 2000

2010-03-30 Thread Chandan Laskar

Hi,

Can you please try with Windows 2003 server Standard Edition with SP2 and 
Bind 9.6.0-P3?



Thanks and Regards, 
Chandan Laskar 
2nd Floor Data Center, ITC Center, 
4, Russel Street, Kolkata - 700 016 
Phone:(033)-40029000 Extn.: 3944 
 (0)-9830057396 (M) 




Re: Hello, problems with BInd 9.x in windows 2003 and 2000

2010-03-30 Thread Albert Molina

Hello

That does not exist; only 9.6.1-p3 exists, and it does not work.

Chandan Laskar wrote:

> Hi,
>
> Can you please try with Windows 2003 server Standard Edition with
> SP2 and Bind 9.6.0-P3?
>
> Thanks and Regards,
> Chandan Laskar
> 2nd Floor Data Center, ITC Center,
> 4, Russel Street, Kolkata - 700 016
> Phone:(033)-40029000 Extn.: 3944
> (0)-9830057396 (M)


rndc: unsupported algorithm:

2010-03-30 Thread Markus Feldmann

Hi All,

i tried to reload my config and zones with rndc. My Bind version is BIND 
9.5.1-P3. My rndc.key looks like this.

key feld-server.feldland.lan. {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret TNCrihQV8NjY6bzA5GMJIg==;
};

This is what i also got from creating the sig-key. I still included this 
key into my named.conf and into dhcpd.conf.


But i get this message.
rndc: unsupported algorithm: HMAC-MD5.SIG-ALG.REG.INT

What is the Problem?

regards Markus



Re: Same source port queries dropped by ServerIron load balancer

2010-03-30 Thread Kevin Darcy

On 3/30/2010 8:00 AM, Tony Finch wrote:
> On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote:
>
> > We are facing query drops by using dnsperf tool from ISC testing the DNS
> > service via load balancer. Multiple queries from the same source port are
> > being dropped partially by the load balancer and as per the load balancer
> > vendor feedback, this is a security feature and this situation doesn't happen
> > in real life scenarios.
>
> High performance stub resolvers like adns use the same UDP port for many
> queries.

Thus reducing entropy and commensurately increasing the chance of 
accepting a spoofed response as genuine.


I think the load-balancer vendor has the right default here, and adns 
should re-think their methodology.



- Kevin
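
The entropy point in this exchange can be measured from a server's own logs. The following is an added example, not part of the original thread: it reads the `client ADDR#PORT` field that named writes in its log lines, estimates how much source-port entropy each client shows, and adds that to the 16-bit DNS message ID to give the number of bits an off-path spoofer would have to guess. The log lines are constructed samples with documentation addresses, and the function names are illustrative.

```python
import math
import re
from collections import Counter, defaultdict

# named logs the query source as "client ADDR#PORT" (IPv4 or IPv6).
CLIENT_RE = re.compile(r"\bclient (?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d{1,5})\b")

DNS_ID_BITS = 16  # width of the DNS message ID field

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
30-Mar-2010 12:00:01.101 queries: info: client 192.0.2.10#40001: query: a.example.org IN A +
30-Mar-2010 12:00:01.102 queries: info: client 192.0.2.10#40001: query: b.example.org IN A +
30-Mar-2010 12:00:01.103 queries: info: client 192.0.2.10#40001: query: c.example.org IN A +
30-Mar-2010 12:00:01.104 queries: info: client 192.0.2.10#40001: query: d.example.org IN A +
30-Mar-2010 12:00:02.201 queries: info: client 2001:db8::20#51514: query: a.example.org IN A +
30-Mar-2010 12:00:02.202 queries: info: client 2001:db8::20#1892: query: b.example.org IN A +
30-Mar-2010 12:00:02.203 queries: info: client 2001:db8::20#33007: query: c.example.org IN A +
30-Mar-2010 12:00:02.204 queries: info: client 2001:db8::20#60123: query: d.example.org IN A +
30-Mar-2010 12:00:03.000 general: info: zone example.org/IN: loaded serial 2010033001
"""


def ports_by_client(lines):
    """Map each client address to a Counter of the source ports it used."""
    seen = defaultdict(Counter)
    for line in lines:
        match = CLIENT_RE.search(line)
        if match is None:
            continue  # not a per-client log line
        port = int(match.group("port"))
        if not 0 < port < 65536:
            continue  # malformed port field
        seen[match.group("addr")][port] += 1
    return seen


def port_entropy_bits(port_counts):
    """Shannon entropy, in bits, of the observed source-port distribution."""
    total = sum(port_counts.values())
    return sum((n / total) * math.log2(total / n) for n in port_counts.values())


def spoof_guess_report(lines, id_bits=DNS_ID_BITS):
    """Per client: query count, distinct ports, and bits a blind spoofer must guess.

    The entropy seen in n queries cannot exceed log2(n), so for a client that
    randomizes ports this is a lower bound. A value of 0 port bits means every
    query came from one port and only the message ID protects the exchange.
    """
    report = {}
    for addr, counts in ports_by_client(lines).items():
        port_bits = port_entropy_bits(counts)
        report[addr] = {
            "queries": sum(counts.values()),
            "distinct_ports": len(counts),
            "port_bits": port_bits,
            "guess_bits": id_bits + port_bits,
            "single_port": len(counts) == 1,
        }
    return report


if __name__ == "__main__":
    for addr, row in sorted(spoof_guess_report(SAMPLE_LOG.splitlines()).items()):
        print(f"{addr:>14}  queries={row['queries']}  ports={row['distinct_ports']}  "
              f"guess_bits={row['guess_bits']:.1f}  single_port={row['single_port']}")
```
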





Re: rndc: unsupported algorithm:

2010-03-30 Thread Markus Feldmann

I changed my key to

key feld-server.feldland.lan. {
algorithm hmac-md5;
secret TNCrihQV8NjY6bzA5GMJIg==;
};


and executed the command

feld-server:/etc/bind# rndc -s feld-server -k rndc.key reload
rndc: connect failed: 192.168.0.186#953: connection refused


Without the explicit -s argument he doesn't find the DNS-Server... ??? 
However it seems that i have a Problem with some of my statements in 
/etc/bind/named.conf.options


controls {inet 127.0.0.1 port 953 allow { localhost; } keys { 
feld-server.feldland.lan.; }; };


What to do? I executed rndc in the server.

regards Markus



Re: rndc: unsupported algorithm:

2010-03-30 Thread Warren Kumari

Hi,

I believe you need: "hmac-md5;", and not "HMAC-MD5.SIG-ALG.REG.INT;"

W



On Mar 30, 2010, at 3:53 PM, Markus Feldmann wrote:

> Hi All,
>
> i tried to reload my config and zones with rndc. My Bind version is
> BIND 9.5.1-P3. My rndc.key looks like this.
>
> key feld-server.feldland.lan. {
> algorithm HMAC-MD5.SIG-ALG.REG.INT;
> secret TNCrihQV8NjY6bzA5GMJIg==;
> };
>
> This is what i also got from creating the sig-key. I still included
> this key into my named.conf and into dhcpd.conf.
>
> But i get this message.
> rndc: unsupported algorithm: HMAC-MD5.SIG-ALG.REG.INT
>
> What is the Problem?
>
> regards Markus



Re: rndc: unsupported algorithm:

2010-03-30 Thread Warren Kumari


Try add this:

options {
default-key "feld-server.feldland.lan.";
default-server 127.0.0.1;
default-port 953;
};



On Mar 30, 2010, at 4:05 PM, Markus Feldmann wrote:

> I changed my key to
>
> key feld-server.feldland.lan. {
> algorithm hmac-md5;
> secret TNCrihQV8NjY6bzA5GMJIg==;
> };
>
> and executed the command
>
> feld-server:/etc/bind# rndc -s feld-server -k rndc.key reload
> rndc: connect failed: 192.168.0.186#953: connection refused
>
> Without the explicit -s argument he doesn't find the DNS-Server... ???
> However it seems that i have a Problem with some of my
> statements in /etc/bind/named.conf.options
>
> controls {inet 127.0.0.1 port 953 allow { localhost; } keys {
> feld-server.feldland.lan.; }; };
>
> What to do? I executed rndc in the server.
>
> regards Markus



Re: rndc: unsupported algorithm:

2010-03-30 Thread Kevin Darcy

On 3/30/2010 3:53 PM, Markus Feldmann wrote:
> Hi All,
>
> i tried to reload my config and zones with rndc. My Bind version is
> BIND 9.5.1-P3. My rndc.key looks like this.
>
> key feld-server.feldland.lan. {
> algorithm HMAC-MD5.SIG-ALG.REG.INT;
> secret TNCrihQV8NjY6bzA5GMJIg==;
> };
>
> This is what i also got from creating the sig-key. I still included
> this key into my named.conf and into dhcpd.conf.
>
> But i get this message.
> rndc: unsupported algorithm: HMAC-MD5.SIG-ALG.REG.INT
>
> What is the Problem?



AFAIK, the only algorithm supported by rndc is "hmac-md5".


- Kevin


P.S. Why would you copy an rndc key into dhcpd.conf?



Re: rndc: unsupported algorithm:

2010-03-30 Thread Kevin Darcy

On 3/30/2010 4:05 PM, Markus Feldmann wrote:

I changed my key to

key feld-server.feldland.lan. {
algorithm hmac-md5;
secret TNCrihQV8NjY6bzA5GMJIg==;
};


and executed the command

feld-server:/etc/bind# rndc -s feld-server -k rndc.key reload
rndc: connect failed: 192.168.0.186#953: connection refused


Without the explicit -s argument he doesn't find the DNS-Server... ??? 
However it seems that i have a Problem with some of my statements in 
/etc/bind/named.conf.options


controls {inet 127.0.0.1 port 953 allow { localhost; } keys { 
feld-server.feldland.lan.; }; };


What to do? I executed rndc in the server.


You're listening on 127.0.0.1 but trying to connect on 192.168.0.186.


- Kevin



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
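
Added example (not part of the thread, and not BIND code): a small Python check of the mismatch Kevin points out, using the controls statement, key name and addresses quoted above. The function names, status strings and regex-based parsing are assumptions made for illustration; the allow ACL is parsed but not evaluated.

```python
import ipaddress
import re

# The controls statement from the post, with its wrapped line rejoined.
NAMED_CONF = """
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { feld-server.feldland.lan.; };
};
"""
KEY = "feld-server.feldland.lan."

# inet <addr> [port <n>] allow { ... } [keys { ... }]
INET_RE = re.compile(
    r"inet\s+(\S+)(?:\s+port\s+(\d+))?\s+allow\s*\{([^}]*)\}"
    r"(?:\s*keys\s*\{([^}]*)\})?"
)


def _items(body):
    """Split the inside of a { a; b; } list into clean names."""
    return [x.strip().strip('"') for x in body.split(";") if x.strip()]


def parse_controls(conf):
    """Return one dict per control-channel listener found in conf."""
    listeners = []
    for addr, port, allow, keys in INET_RE.findall(conf):
        listeners.append({
            "address": addr,
            "port": int(port) if port else 953,  # 953 is the rndc default
            "allow": _items(allow),
            "keys": _items(keys),
        })
    return listeners


def diagnose_rndc(listeners, server_ip, key_name, port=953):
    """Say what happens when rndc is pointed at server_ip#port with key_name."""
    target = ipaddress.ip_address(server_ip)
    for lis in listeners:
        if lis["port"] != port:
            continue
        wildcard = lis["address"] in ("*", "0.0.0.0", "::")
        if not wildcard and ipaddress.ip_address(lis["address"]) != target:
            continue  # named is not bound to the address rndc dials
        if lis["keys"] and key_name not in lis["keys"]:
            return "key not accepted on this channel"
        return "ok"
    return "connection refused: no listener on %s#%d" % (server_ip, port)


if __name__ == "__main__":
    channels = parse_controls(NAMED_CONF)
    # "-s feld-server" resolved to 192.168.0.186 in the post.
    for ip in ("192.168.0.186", "127.0.0.1"):
        print(ip, "->", diagnose_rndc(channels, ip, KEY))
```

Keeping the listener on 127.0.0.1 and pointing rndc at it (the default-server line Warren suggests) resolves the error without exposing the control channel on the LAN address.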


MX records for new additional domain on existing authoritative name servers

2010-03-30 Thread Lear, Karen (Evolver)
I'm adding a new domain to my existing authoritative name servers, and need to 
add an MX record for a device on the existing domain.  That device will serve 
both domains until we get a new box in and then we will have separate MX 
records/devices for each domain.  I have created a new zone file and modified 
named.conf to include the new zone.  When I run named-checkzone, I get a 
message about the MX record being out of zone and not having an A record.  
However, at the end of my named-checkzone output, I get "OK."  Can I restart 
named as is without causing problems or do I need to address these messages?

Thx,

[kl...@mynameserver]$ sudo named-checkzone -t /dns/chroot/conf -D NEWDOMAIN.gov 
MYNEWZONEFILE
zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX1.OLDDOMAIN.gov' (out of zone) has 
no addresses records (A or )
zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX2.OLDDOMAIN.gov' (out of zone) has 
no addresses records (A or )
OK
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: rndc: unsupported algorithm:

2010-03-30 Thread Markus Feldmann

Kevin Darcy schrieb:

On 3/30/2010 3:53 PM, Markus Feldmann wrote:

Hi All,

i tried to reload my config and zones with rndc. My Bind version is 
BIND 9.5.1-P3. My rndc.key looks like this.

key feld-server.feldland.lan. {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret TNCrihQV8NjY6bzA5GMJIg==;
};

This is what i also got from creating the sig-key. I still included 
this key into my named.conf and into dhcpd.conf.


But i get this message.
rndc: unsupported algorithm: HMAC-MD5.SIG-ALG.REG.INT

What is the Problem?



AFAIK, the only algorithm supported by rndc is "hmac-md5".


- Kevin


P.S. Why would you copy an rndc key into dhcpd.conf?

I need a key for my DHCP-Server to make Zone-Updates (DDNS). And the key 
looks like the key in my file rndc.key but the algorithm is named 
HMAC-MD5.SIG-ALG.REG.INT


I am not sure whether i can use another key for rndc?

regards Markus

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: MX records for new additional domain on existing authoritative name servers

2010-03-30 Thread Matthew Pounsett
Hi Karen.

Please don't start a new thread by replying to an email in an existing 
discussion -- your message can get lost in that other discussion, rather than 
appearing as a new topic for anyone who threads their email.


On 2010/03/30, at 16:30, Lear, Karen (Evolver) wrote:

> I'm adding a new domain to my existing authoritative name servers, and need 
> to add an MX record for a device on the existing domain.  That device will 
> serve both domains until we get a new box in and then we will have separate 
> MX records/devices for each domain.  I have created a new zone file and 
> modified named.conf to include the new zone.  When I run named-checkzone, I 
> get a message about the MX record being out of zone and not having an A 
> record.  However, at the end of my named-checkzone output, I get "OK."  Can I 
> restart named as is without causing problems or do I need to address these 
> messages?

It sounds like you're including a record for mx1.olddomain.gov in the 
newdomain.gov zone.  It's hard to be sure without seeing specifics from your 
configuration though.



> 
> Thx,
> 
> [kl...@mynameserver]$ sudo named-checkzone -t /dns/chroot/conf -D 
> NEWDOMAIN.gov MYNEWZONEFILE
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX1.OLDDOMAIN.gov' (out of zone) has 
> no addresses records (A or )
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX2.OLDDOMAIN.gov' (out of zone) has 
> no addresses records (A or )
> OK
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Comprehension question to DDNS

2010-03-30 Thread Markus Feldmann

Hi Mark,

i changed some configs and got on.

Mar 30 22:50:45 feld-server dhcpd: DHCPRELEASE of 192.168.0.196 from 
00:1d:92:ab:35:9f (feld-bert.feldland.lan) via br0 (found)
Mar 30 22:50:50 feld-server dhcpd: DHCPDISCOVER from 00:1d:92:ab:35:9f 
via br0
Mar 30 22:50:51 feld-server dhcpd: DHCPOFFER on 192.168.0.196 to 
00:1d:92:ab:35:9f (feld-bert.feldland.lan) via br0
Mar 30 22:50:51 feld-server dhcpd: Unable to add forward map from 
feld-bert.feldland.lan.feldland.lan to 192.168.0.196: connection refused




On the client side i add some statement to send the host-name and 
mac-address.

/etc/dhcp3/dhclient.conf
http://nopaste.debianforum.de/34469

And on the server side.
/etc/bind/named.conf.options
http://nopaste.debianforum.de/34470

/etc/dhcp3/dhcpd.conf
http://nopaste.debianforum.de/34471

As i played around with the rndc program i recognised an error.

feld-server:/etc/bind# rndc -s feld-server -k rndc.key reload
rndc: connect failed: 192.168.0.186#953: connection refused

this let me think about my update problem at the top of this mail. 
CONNECTION REFUSED !!!


The problem with rndc was fast solved. I had to set correct server with 
the -s argument.


rndc -s localhost -k rndc.key reload

and it worked...

Could it be that i can not update because my control statement, in my 
/etc/bind/named.conf.options, is limited on localhost and not on 
192.168.0.186 or feld-server.feldland.lan ???


regards Markus

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Using an MX record from a different domain

2010-03-30 Thread Lear, Karen (Evolver)


I'm adding a new domain to my existing authoritative name servers, and need to 
add an MX record for a device residing on existing domain.  When I run 
named-checkzone, I get a message about the MX record being out of zone and not 
having an A record.  However, at the end of my named-checkzone output, I get 
"OK."  Can I restart named as is without causing problems or do I need to 
address these messages?



[kl...@dns1 conf]$ sudo named-checkzone -t /dns/chroot/conf -D usptoenews.gov db.usptoenews
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge1.uspto.gov' (out of zone) has no addresses records (A or )
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge2.uspto.gov' (out of zone) has no addresses records (A or )
zone usptoenews.gov/IN: loaded serial 2010033000
usptoenews.gov.           7200 IN SOA dns1.uspto.gov. nmb.uspto.gov. 2010033000 10800 3600 604800 86400
usptoenews.gov.           7200 IN NS  dns1.uspto.gov.
usptoenews.gov.           7200 IN NS  dns2.uspto.gov.
usptoenews.gov.           7200 IN MX  5 smtpedge1.uspto.gov.
usptoenews.gov.           7200 IN MX  5 smtpedge2.uspto.gov.
dns1.usptoenews.gov.      7200 IN A   151.207.240.50
dns2.usptoenews.gov.      7200 IN A   151.207.246.51
enews.usptoenews.gov.     7200 IN A   151.207.244.68
localhost.usptoenews.gov. 7200 IN A   127.0.0.1
OK


Karen Lear
Evolver EUS - Network Operations
Phone:  571-272-5314
email:   karen.l...@uspto.gov

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Using an MX record from a different domain

2010-03-30 Thread Fr34k
Hello,

named-checkzone is warning you that the MX has a different FQDN than the zone 
it is in.
This is fine so long as the "out of zone" MX record is valid, but 
named-checkzone wants you to know that it can't verify for sure.
So, it is a heads up message and why the ultimate response is "OK".

I could be missing something else, but it looks okay to me.

It might make sense to lower the TTL, test, verify, then restore the TTL once 
the change has been blessed.
The intent here being that with a sufficiently low TTL, one could make 
adjustments without waiting 7200 each time.

Hope this helps.





From: "Lear, Karen (Evolver)" 
To: "bind-users@lists.isc.org" 
Sent: Tue, March 30, 2010 4:57:58 PM
Subject: Using an MX record from a different domain 

  
 
I'm adding a new domain to my existing authoritative name
servers, and need to add an MX record for a device residing on existing
domain.  When I run named-checkzone, I get a message about the MX record
being out of zone and not having an A record.  However, at the end of my
named-checkzone output, I get "OK."  Can I restart named as is
without causing problems or do I need to address these messages?
 
[kl...@dns1 conf]$ sudo named-checkzone -t /dns/chroot/conf -D usptoenews.gov db.usptoenews
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge1.uspto.gov' (out of zone) has no addresses records (A or )
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge2.uspto.gov' (out of zone) has no addresses records (A or )
zone usptoenews.gov/IN: loaded serial 2010033000
usptoenews.gov.           7200 IN SOA dns1.uspto.gov. nmb.uspto.gov. 2010033000 10800 3600 604800 86400
usptoenews.gov.           7200 IN NS  dns1.uspto.gov.
usptoenews.gov.           7200 IN NS  dns2.uspto.gov.
usptoenews.gov.           7200 IN MX  5 smtpedge1.uspto.gov.
usptoenews.gov.           7200 IN MX  5 smtpedge2.uspto.gov.
dns1.usptoenews.gov.      7200 IN A   151.207.240.50
dns2.usptoenews.gov.      7200 IN A   151.207.246.51
enews.usptoenews.gov.     7200 IN A   151.207.244.68
localhost.usptoenews.gov. 7200 IN A   127.0.0.1
OK
 
 
Karen Lear
Evolver EUS - Network Operations
Phone:  571-272-5314
email:   karen.l...@uspto.gov

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Using an MX record from a different domain

2010-03-30 Thread Matthew Pounsett

On 2010/03/30, at 16:57, Lear, Karen (Evolver) wrote:

>  
> I'm adding a new domain to my existing authoritative name servers, and need 
> to add an MX record for a device residing on existing domain.  When I run 
> named-checkzone, I get a message about the MX record being out of zone and 
> not having an A record.  However, at the end of my named-checkzone output, I 
> get "OK."  Can I restart named as is without causing problems or do I need to 
> address these messages?
>  
> [kl...@dns1 conf]$ sudo named-checkzone -t /dns/chroot/conf -D usptoenews.gov 
> db.usptoenews
> zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge1.uspto.gov' (out of zone) 
> has no addresses records (A or )
> zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge2.uspto.gov' (out of zone) 
> has no addresses records (A or )

Ah, I see.  On my previous read I mistook this for complaining that there was a 
uspto.gov owner name in the usptonews.gov zone.  

named-checkzone doesn't only check the internal consistency of a zone, it also 
tries to see that it is externally consistent.  e.g. that names referred to in 
other zones also exist.  If for some reason it can't resolve 
smtpedge1.uspto.gov and smtpedge2.uspto.gov it will give you the above errors. 

Since I can resolve those names from here, I suspect there's some problem with 
the resolver on the host where you're running named-checkzone.  Perhaps 
uspto.gov zone is only visible on a view on the outside of the network, and 
you're inside?  

What happens if you try to resolve those two names by hand on that server using 
'host' or 'dig'?

I see this:
> host smtpedge1.uspto.gov
smtpedge1.uspto.gov has address 151.207.243.76
smtpedge1.uspto.gov mail is handled by 5 smtpedge1.uspto.gov.

> host smtpedge2.uspto.gov
smtpedge2.uspto.gov has address 151.207.247.81
smtpedge2.uspto.gov mail is handled by 5 smtpedge2.uspto.gov.

If those are the only errors you're seeing, then the zone is internally 
consistent, and BIND will load it.  However, it's probably worth investigating 
why named-checkzone can't resolve those names, so that you can make sure that 
anyone who needs to reach those MX servers will be able to.

Matt


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: problem with notifies

2010-03-30 Thread fddi

CentOS 5.4 has bind version 9.3.6 and that's it.
Before I had a CentOS 4.0 which was still using 9.2.x

if you want to stick up with a distribution, you are almost forced to 
use what the distribution provides for you.
anyway in version 9.2.x I did not have the problem I reported. 
Everything started migrating from 9.2 to 9.3


thanks

Rick


Chris Thompson wrote:

On Mar 30 2010, Matus UHLAR - fantomas wrote:


On 30.03.10 13:56, fddi wrote:

Hello I have a name server which is slave for many other zones.
The problem is that I upgraded to bind 9.3.x and now I have plenty 
of  messages like:


upgraded _to_ 9.3 ? 9.3 is obsolete for some time.


IN: refused notify from non-master: itselfIPaddress
how can I avoid this ?


does the "itselfIPaddress" mean that the server receives notifies from its
own IP address?
Is the server behind NAT or load balancer?


Do I have to insert

notify no

for every zone in which it is slave nameserver ?


if you don't behave as master to others, you can.
But I'd better find out why it sends notify to itself..


BIND 9.3 *did* send NOTIFYs to itself, if the NS records so indicated.

1758.   [func]  Don't send notify messages to self. [RT #12933]

was first fixed in BIND 9.4.0.

If the OP has only just started seeing these messages, I suppose the
question is what he has upgraded *from*. If we want to indulge in
archaeological research, that is ...



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Using an MX record from a different domain

2010-03-30 Thread Lear, Karen (Evolver)
Dig or host returns the internal IP address of smtpedge1 and smtpedge2, as the 
name server by default points to the recursive name server.  If I specify 
localhost, it resolves to the external IP address:

[kl...@dns1 conf]$ dig smtpedge1.uspto.gov @localhost

; <<>> DiG 9.6.1-P3 <<>> smtpedge1.uspto.gov @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7811
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;smtpedge1.uspto.gov.   IN  A

;; ANSWER SECTION:
smtpedge1.uspto.gov.    7200    IN      A       151.207.243.76


-Original Message-
From: Matthew Pounsett [mailto:m...@conundrum.com]
Sent: Tuesday, March 30, 2010 5:15 PM
To: Lear, Karen (Evolver)
Cc: 'bind-users@lists.isc.org'
Subject: Re: Using an MX record from a different domain


On 2010/03/30, at 16:57, Lear, Karen (Evolver) wrote:

>
> I'm adding a new domain to my existing authoritative name servers, and need 
> to add an MX record for a device residing on existing domain.  When I run 
> named-checkzone, I get a message about the MX record being out of zone and 
> not having an A record.  However, at the end of my named-checkzone output, I 
> get "OK."  Can I restart named as is without causing problems or do I need to 
> address these messages?
>
> [kl...@dns1 conf]$ sudo named-checkzone -t /dns/chroot/conf -D usptoenews.gov 
> db.usptoenews
> zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge1.uspto.gov' (out of zone) 
> has no addresses records (A or )
> zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge2.uspto.gov' (out of zone) 
> has no addresses records (A or )

Ah, I see.  On my previous read I mistook this for complaining that there was a 
uspto.gov owner name in the usptonews.gov zone.

named-checkzone doesn't only check the internal consistency of a zone, it also 
tries to see that it is externally consistent.  e.g. that names referred to in 
other zones also exist.  If for some reason it can't resolve 
smtpedge1.uspto.gov and smtpedge2.uspto.gov it will give you the above errors.

Since I can resolve those names from here, I suspect there's some problem with 
the resolver on the host where you're running named-checkzone.  Perhaps 
uspto.gov zone is only visible on a view on the outside of the network, and 
you're inside?

What happens if you try to resolve those two names by hand on that server using 
'host' or 'dig'?

I see this:
> host smtpedge1.uspto.gov
smtpedge1.uspto.gov has address 151.207.243.76
smtpedge1.uspto.gov mail is handled by 5 smtpedge1.uspto.gov.

> host smtpedge2.uspto.gov
smtpedge2.uspto.gov has address 151.207.247.81
smtpedge2.uspto.gov mail is handled by 5 smtpedge2.uspto.gov.

If those are the only errors you're seeing, then the zone is internally 
consistent, and BIND will load it.  However, it's probably worth investigating 
why named-checkzone can't resolve those names, so that you can make sure that 
anyone who needs to reach those MX servers will be able to.

Matt



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Using an MX record from a different domain

2010-03-30 Thread Paul Wouters

On Tue, 30 Mar 2010, Matthew Pounsett wrote:


named-checkzone doesn't only check the internal consistency of a zone, it also 
tries to see that it is externally consistent.  e.g. that names referred to in 
other zones also exist.


I was amused the day that feature came in without me realising it, when running
named-checkzone against 1.2M TLD zone and pondering what took so long.

For those scenarios, call named-checkzone with "-i local" :)

Paul
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
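
Added example (not from the thread, and not BIND's code): a simplified Python model of the MX target check Matthew describes and of the "-i local" mode Paul mentions, run over the zone dump Karen posted. The resolver callables, the status strings and the extra mail.usptoenews.gov record are constructed for illustration.

```python
ORIGIN = "usptoenews.gov."

# Output of `named-checkzone -D` from the post (whitespace normalised).
ZONE_DUMP = """\
zone usptoenews.gov/IN: loaded serial 2010033000
usptoenews.gov. 7200 IN SOA dns1.uspto.gov. nmb.uspto.gov. 2010033000 10800 3600 604800 86400
usptoenews.gov. 7200 IN NS dns1.uspto.gov.
usptoenews.gov. 7200 IN NS dns2.uspto.gov.
usptoenews.gov. 7200 IN MX 5 smtpedge1.uspto.gov.
usptoenews.gov. 7200 IN MX 5 smtpedge2.uspto.gov.
dns1.usptoenews.gov. 7200 IN A 151.207.240.50
dns2.usptoenews.gov. 7200 IN A 151.207.246.51
enews.usptoenews.gov. 7200 IN A 151.207.244.68
localhost.usptoenews.gov. 7200 IN A 127.0.0.1
OK
"""

# Constructed: the same zone plus an in-zone MX target that has no A record.
BROKEN_DUMP = ZONE_DUMP + "usptoenews.gov. 7200 IN MX 10 mail.usptoenews.gov.\n"

# Addresses as reported by `host` in Matthew's reply.
PUBLIC_ANSWERS = {
    "smtpedge1.uspto.gov.": ["151.207.243.76"],
    "smtpedge2.uspto.gov.": ["151.207.247.81"],
}


def parse_records(dump):
    """Parse 'owner ttl IN type rdata...' lines; skip log lines and 'OK'."""
    records = []
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        records.append({"owner": fields[0].lower(),
                        "type": fields[3].upper(),
                        "rdata": fields[4:]})
    return records


def in_zone(name, origin):
    """True if name is the zone apex or a name below it."""
    name, origin = name.lower(), origin.lower()
    return name == origin or name.endswith("." + origin)


def check_mx_targets(records, origin, resolve=None):
    """Map each MX target to a status.

    resolve=None models '-i local': only in-zone targets are checked.
    Otherwise resolve(name) must return a list of addresses; this models
    the default mode, which also looks up out-of-zone targets.
    """
    have_addr = {r["owner"] for r in records if r["type"] in ("A", "AAAA")}
    status = {}
    for r in records:
        if r["type"] != "MX":
            continue
        target = r["rdata"][1].lower()  # rdata is [preference, exchange]
        if in_zone(target, origin):
            status[target] = "ok" if target in have_addr else "in-zone, no address"
        elif resolve is None:
            status[target] = "out of zone, not checked"
        else:
            status[target] = "ok" if resolve(target) else "out of zone, no address"
    return status


def no_answer_resolver(name):
    """Constructed stand-in for a resolver that cannot see the target zone."""
    return []


def public_resolver(name):
    return PUBLIC_ANSWERS.get(name, [])


if __name__ == "__main__":
    recs = parse_records(ZONE_DUMP)
    for label, res in (("no answers", no_answer_resolver),
                       ("public view", public_resolver),
                       ("-i local", None)):
        print(label, check_mx_targets(recs, ORIGIN, res))
    print("broken", check_mx_targets(parse_records(BROKEN_DUMP), ORIGIN))
```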


how to read and answer to this mailing list

2010-03-30 Thread Markus Feldmann

Hi All,

normally i am using the gmane mailing list server to post and read mails 
from mailing lists, but this mailing list doesn't appear in gmane.


How to? Which newsgroupserver do use for this list?

regards Markus

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Subdomain delegation only returns SOA on dig

2010-03-30 Thread Matthew Pounsett

On 2010/03/29, at 15:34, Prabhat Rana wrote:

> 
> Hello all,
> I'm running BIND 9.6.1-P1 on a Solaris box. This DNS (ns1.spx.net) is 
> authoritative to domain spx.net (this is just example). And I'm trying to 
> delegate nse.spx.net to ns1.nse.spx.net. I think I have configured correctly 
> but when I run a dig from a different DNS node for a subdomain within 
> nse.spx.net like mil.nse.spx.net, it responds only SOA in the Auth section. 
> Its missing the NS from the zone files. The snapshot of my named.conf file
> 
> zone "spx.net" {
>type master;
>file "/opt/named/db.spx.net";
> };
> 
> zone "nse.spx.net" {
>type master;
>file "/opt/named/db.nse.spx.net";
> };

Do these both appear on the same name server (ns1.spx.net)?  If so, then 
ns1.spx.net thinks it is authoritative for nse.spx.net, and isn't going to hand 
out a referral.

If you want ns1.spx.net to refer queries for nse.spx.net to ns1.nse.spx.net, 
then you need to add this record to the spx.net zone, and remove the 
nse.spx.net zone from ns1.spx.net:
nse IN NS ns1.nse.spx.net

Matt


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how to read and answer to this mailing list

2010-03-30 Thread Warren Kumari

In the footer of every message lurks the following link:

https://lists.isc.org/mailman/listinfo/bind-users


W
On Mar 30, 2010, at 6:43 PM, Markus Feldmann wrote:


Hi All,

normally i am using the gmane mailing list server to post and read  
mails from mailing lists, but this mailing list doesn't appear in  
gmane.


How to? Which newsgroupserver do use for this list?

regards Markus

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


--
"I try to be good hard-worker-man, but refrigemater so messy, so so  
messy."

-- NewsRadio.



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how to read and answer to this mailing list

2010-03-30 Thread Markus Feldmann

Warren Kumari schrieb:

In the footer of every message lurks the following link:

https://lists.isc.org/mailman/listinfo/bind-users


Yes ... i read this but you can not answer a mail this way.

regards Markus

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how to read and answer to this mailing list

2010-03-30 Thread Markus Feldmann

Warren Kumari schrieb:

In the footer of every message lurks the following link:

https://lists.isc.org/mailman/listinfo/bind-users


And i mean not this mailing list but the dhcp-users mailing list.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how to read and answer to this mailing list

2010-03-30 Thread Matthew Pounsett

On 2010/03/30, at 19:04, Markus Feldmann wrote:

> Warren Kumari schrieb:
>> In the footer of every message lurks the following link:
>> https://lists.isc.org/mailman/listinfo/bind-users
> Yes ... i read this but you can not answer a mail this way.

You can answer an email this way.  I'm not sure if the list is open-post or 
not.. but if it is then you can get the posting address from there and send 
email to it.  If it isn't, then from that page you can subscribe to the list, 
and then send email to it.

> And i mean not this mailing list but the dhcp-users mailing list.

Then you're probably looking for 
.

Matt


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Zone transfer issues on new domain

2010-03-30 Thread Lear, Karen (Evolver)
Can you tell me why I'm getting the message below on my slave server after 
adding a master zone on the master server for usptoenews.gov:

[kl...@dns2 logs]$ grep enews activity.log
30-Mar-2010 17:17:45.484 notify: notice: client 10.240.6.50#10738: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative
30-Mar-2010 17:22:47.335 notify: notice: client 10.240.6.50#62593: received 
notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov': not authoritative

email:   karen.l...@uspto.gov

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Zone transfer issues on new domain

2010-03-30 Thread Sten Carlsen
Did you add it to the slaves configuration? It does not get
automagically added; so the slave gets a notify on a zone it can not
serve as it is not in its config.

On 31/03/10 2:14, Lear, Karen (Evolver) wrote:
>
> Can you tell me why I'm getting the message below on my slave server
> after adding a master zone on the master server for usptoenews.gov:
>
>  
>
> [kl...@dns2 logs]$ grep enews activity.log
>
> 30-Mar-2010 17:17:45.484 notify: notice: client 10.240.6.50#10738:
> received notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov':
> not authoritative
>
> 30-Mar-2010 17:22:47.335 notify: notice: client 10.240.6.50#62593:
> received notify for zone 'usptoenews.gov': TSIG 'ns1-ns2.uspto.gov':
> not authoritative
>
>  
>
> email:   karen.l...@uspto.gov
>
>  
>
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: how to read and answer to this mailing list

2010-03-30 Thread Sten Carlsen
If you follow the link at the bottom of this mail, there is a link that
will display all lists served by this mail list server.

There are links to some dhcp lists also, if you need that. Select one of
those and join the list.

On 31/03/10 1:20, Matthew Pounsett wrote:
> On 2010/03/30, at 19:04, Markus Feldmann wrote:
>
>   
>> Warren Kumari schrieb:
>> 
>>> In the footer of every message lurks the following link:
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>   
>> Yes ... i read this but you can not answer a mail this way.
>> 
> You can answer an email this way.  I'm not sure if the list is open-post or 
> not.. but if it is then you can get the posting address from there and send 
> email to it.  If it isn't, then from that page you can subscribe to the list, 
> and then send email to it.
>
>   
>> And i mean not this mailing list but the dhcp-users mailing list.
>> 
> Then you're probably looking for 
> .
>
> Matt
>
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>   

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Same source port queries dropped by ServerIron load balancer

2010-03-30 Thread Abdulla Bushlaibi
The tool queryperf is a useful tool and it gives you details about a DNS 
server performance. However, it would be useful to have an option in 
queryperf to use random source ports to test real life scenarios.


--
Abdulla Ahmad Bushlaibi



On 3/31/2010 12:07 AM, Kevin Darcy wrote:

On 3/30/2010 8:00 AM, Tony Finch wrote:

On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote:

We are facing query drops by using dnsperf tool from ISC testing the DNS
service via load balancer. Multiple queries from the same source port are
being dropped partially by the load balancer and as per the load balancer
vendor feedback, this is a security feature and this situation doesn't happen
in real life scenarios.

High performance stub resolvers like adns use the same UDP port for many
queries.

Thus reducing entropy and commensurately increasing the chance of 
accepting a spoofed response as genuine.


I think the load-balancer vendor has the right default here, and adns 
should re-think their methodology.



- Kevin



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
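
Added example (not from the thread): Kevin's entropy point measured on a server's own query log, by estimating how much source-port variation each client shows. The log lines are constructed, the 16-bit figure is the width of the DNS message ID field, and the function names and thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

ID_BITS = 16  # width of the DNS message ID field

# Constructed BIND-style log lines; addresses and names are made up.
SAMPLE_LOG = """\
30-Mar-2010 12:00:00.101 queries: info: client 192.0.2.10#5353: query: a.example.com IN A +
30-Mar-2010 12:00:00.102 queries: info: client 192.0.2.20#41873: query: a.example.com IN A +
30-Mar-2010 12:00:00.250 queries: info: client 192.0.2.10#5353: query: b.example.com IN MX +
30-Mar-2010 12:00:00.251 queries: info: client 192.0.2.20#12044: query: b.example.com IN A +
30-Mar-2010 12:00:00.400 queries: info: client 192.0.2.10#5353: query: c.example.com IN A +
30-Mar-2010 12:00:00.401 queries: info: client 192.0.2.20#60211: query: c.example.com IN A +
30-Mar-2010 12:00:00.550 queries: info: client 192.0.2.10#5353: query: d.example.com IN A +
30-Mar-2010 12:00:00.551 queries: info: client 192.0.2.20#27790: query: d.example.com IN A +
30-Mar-2010 12:00:01.000 notify: notice: client 192.0.2.30#10738: received notify for zone 'example.com'
"""

# Matches "client <ip>#<port>: query:", with the optional "@0x..." and
# "(name)" parts that newer BIND versions add.
CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#(\d+)(?: \([^)]*\))?: query:"
)


def ports_by_client(log):
    """Return {client_ip: Counter({source_port: query_count})}."""
    seen = defaultdict(Counter)
    for line in log.splitlines():
        m = CLIENT_RE.search(line)
        if m:  # non-query lines (notify, errors) are ignored
            seen[m.group(1)][int(m.group(2))] += 1
    return dict(seen)


def shannon_bits(counter):
    """Empirical entropy of the observed ports, in bits.

    With n samples this cannot exceed log2(n), so it is a lower-bound
    estimate: useful for spotting port reuse, not for proving randomness.
    """
    total = sum(counter.values())
    h = -sum((n / total) * math.log2(n / total) for n in counter.values())
    return h + 0.0  # normalise -0.0 to 0.0


def guess_bits(counter):
    """Bits an off-path forger must match: message ID plus observed port entropy."""
    return ID_BITS + shannon_bits(counter)


def fixed_port_clients(log, min_queries=4, max_port_bits=0.5):
    """Clients with enough queries whose source port barely varies."""
    flagged = []
    for client, ports in ports_by_client(log).items():
        if sum(ports.values()) >= min_queries and shannon_bits(ports) <= max_port_bits:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, ports in sorted(ports_by_client(SAMPLE_LOG).items()):
        print(client, "queries:", sum(ports.values()),
              "port bits: %.2f" % shannon_bits(ports),
              "guess bits: %.2f" % guess_bits(ports))
    print("fixed-port clients:", fixed_port_clients(SAMPLE_LOG))
```

A client flagged here relies on the 16-bit ID alone against forged responses, which is the reduction in entropy Kevin describes.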



