Re: how to read and answer to this mailing list

2010-04-01 Thread Chris Hills
On 30/03/2010 23:43, Markus Feldmann wrote:
> normally i am using the gmane mailing list server to post and read mails
> from mailing lists, but this mailing list doesn't appear in gmane.

The group you are looking for is gmane.network.dns.bind.user.

Posted through gmane.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: problem with notifies

2010-04-01 Thread Matus UHLAR - fantomas
On 30.03.10 23:23, fddi wrote:
> CentOS 5.4 has bind version 9.3.6 and that's it.
> Before I had a CentOS 4.0 which was still using 9.2.x

Oh. Is there any possibility to upgrade CentOS?
And are you sure there is no possibility of upgrading BIND within CentOS?
Otherwise I'm afraid I can recommend that you:
- live with it
- globally allow-notify from your IP (and add your IP to each
  allow-notify statement)
- get a different distro
- run with self-compiled BIND

> if you want to stick with a distribution, you are almost forced to
> use what the distribution provides for you.
> anyway in version 9.2.x I did not have the problem I reported.
> Everything started migrating from 9.2 to 9.3

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


RE: problem with notifies

2010-04-01 Thread Lightner, Jeff
The CentOS stuff is built from RHEL sources so the basic repositories
wouldn't have a newer BIND base package than RHEL.  However, as noted
previously, the RHEL-provided package includes backports of later BIND
base versions for bug and security fixes.

Of course you can always install a later BIND by getting the source and
configuring/compiling your own.  On RHEL one might resist this since
Red Hat's support is for the one they provide, but on CentOS there's no
support so no reason not to go ahead and move to the later version of
BIND.

I'd recommend you uninstall the existing BIND rpms before doing that
though, so that a future yum update doesn't overwrite your build.  (Of
course you'd also want to save your named.conf, zone files etc. before
doing such a removal so they don't get deleted.)



Re: MX records for new additional domain on existing authoritative name servers

2010-04-01 Thread Mark Andrews

In message <2aa71bedebcf80449e35b7b640700be42f8513a...@email4.uspto.gov>, "Lear, Karen (Evolver)" writes:
> I'm adding a new domain to my existing authoritative name servers, and need
> to add an MX record for a device on the existing domain.  That device will
> serve both domains until we get a new box in and then we will have separate
> MX records/devices for each domain.  I have created a new zone file and
> modified named.conf to include the new zone.  When I run named-checkzone, I
> get a message about the MX record being out of zone and not having an A
> record.  However, at the end of my named-checkzone output, I get "OK."  Can
> I restart named as is without causing problems or do I need to address
> these messages?
>
> Thx,
>
> [kl...@mynameserver]$ sudo named-checkzone -t /dns/chroot/conf -D NEWDOMAIN.gov MYNEWZONEFILE
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX1.OLDDOMAIN.gov' (out of zone) has no addresses records (A or )
> zone NEWDOMAIN.gov/IN: NEWDOMAIN.gov/MX 'MX2.OLDDOMAIN.gov' (out of zone) has no addresses records (A or )
> OK

You really should address the messages by adding the referenced address
records.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
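An added illustration of the check behind the warning Karen quotes (example code written here, not BIND's own): like named-checkzone's check-mx test, every MX target must have A/AAAA records, and a target in another zone can only be checked by an external lookup, which this example takes as a callback so it runs offline. The zone data and the `resolve` callback are constructed for the example.

```python
# Added illustration, not BIND's code: the check-mx test that produced the
# poster's warning.  Every MX target needs A/AAAA records; an in-zone target
# is looked up in the zone data, an out-of-zone one through a lookup callback
# (passed in so the example runs offline).
# Constructed sample zone for NEWDOMAIN.gov; not the poster's real file.
NEWDOMAIN_ZONE = """\
$ORIGIN NEWDOMAIN.gov.
@       IN SOA  ns1 hostmaster 2010040101 3600 900 1209600 300
@       IN NS   ns1
ns1     IN A    192.0.2.53
@       IN MX   10 MX1.OLDDOMAIN.gov.
@       IN MX   20 MX2.OLDDOMAIN.gov.
@       IN MX   30 mail
mail    IN A    192.0.2.25
"""

def parse_zone(text):
    """Return (origin, [(owner, rtype, rdata)]) for a minimal zone file."""
    origin, records = "", []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        owner = origin if owner == "@" else owner.lower()
        owner = owner if owner.endswith(".") else f"{owner}.{origin}"  # relative -> FQDN
        records.append((owner, rtype.upper(), rdata))
    return origin, records

def check_mx(text, resolve):
    """named-checkzone style warnings for MX targets without address records."""
    origin, records = parse_zone(text)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    warnings = []
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = rdata.split()[1].lower()
        target = target if target.endswith(".") else f"{target}.{origin}"
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in have_addr:
            warnings.append(f"{owner}/MX '{target}' (in zone) has no address records")
        elif not in_zone and not resolve(target):
            warnings.append(f"{owner}/MX '{target}' (out of zone) has no address records")
    return warnings
```

Run it with `resolve=lambda name: False` to reproduce the poster's two out-of-zone warnings; once both OLDDOMAIN.gov hosts resolve, the list comes back empty.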


Re: Same source port queries dropped by ServerIron load balancer

2010-04-01 Thread Kevin Darcy

On 4/1/2010 12:37 AM, Mark Andrews wrote:
> In message <4bb1c63b.30...@ies.etisalat.ae>, Abdulla Bushlaibi writes:
>> We are facing query drops by using dnsperf tool from ISC testing the DNS
>> service via load balancer. Multiple queries from the same source port
>> are being dropped partially by the load balancer and as per the load
>> balancer vendor feed back, this is a security feature and this situation
>> doesn't happen in real life scenarios.
>>
>> Most of the cases, clients are generating unique random source ports for
>> each DNS query, however we are not sure about the option of reusing the
>> same source port for multiple queries and how does it apply in real life
>> scenarios.
>>
>> Appreciate your comment on this subject.
>>
>> --
>> Abdulla Ahmad Bushlaibi
>
> A load balancer that cannot cope with multiple outstanding queries
> that have the same source port is broken.  A server (and that
> includes any load balancer in front of it) should not care about
> the source port.

Re-use of source ports for DNS queries is a bad security practice. I
cast my vote in favor of penalizing it, in the default configuration of
any device that responds to DNS requests.

- Kevin


Re: Same source port queries dropped by ServerIron load balancer

2010-04-01 Thread Kevin Darcy

On 3/30/2010 5:36 AM, Abdulla Bushlaibi wrote:
> We are facing query drops by using dnsperf tool from ISC testing the
> DNS service via load balancer. Multiple queries from the same source
> port are being dropped partially by the load balancer and as per the
> load balancer vendor feed back, this is a security feature and this
> situation doesn't happen in real life scenarios.

What do you mean by "dropped partially"? Is it responding or not?

- Kevin


Re: how to read and answer to this mailing list

2010-04-01 Thread Matthew Pounsett

On 2010/03/31, at 04:08, Markus Feldmann wrote:

> Matthew Pounsett wrote:
>> On 2010/03/30, at 19:04, Markus Feldmann wrote:
>>> Warren Kumari wrote:
>>>> In the footer of every message lurks the following link:
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>> Yes ... I read this but you can not answer a mail this way.
>> You can answer an email this way.  I'm not sure if the list is open-post or
>> not.. but if it is then you can get the posting address from there and send
>> email to it.  If it isn't, then from that page you can subscribe to the
>> list, and then send email to it.
> Thanks Matthew, it works, but it is not very comfortable. Therefore I need 2
> programs: the first to read and the second to write/answer. The modern computer
> technique says hello. :-)

I read and post from the same program.  You asked about mail, so I assumed you 
meant mail.

On 2010/03/30, at 18:43, Markus Feldmann wrote:

> normally i am using the gmane mailing list server to post and read mails from 
> mailing lists, but this mailing list doesn't appear in gmane.


Matt


Re: Same source port queries dropped by ServerIron load balancer

2010-04-01 Thread Mark Andrews

In message <4bb4ed5a.20...@chrysler.com>, Kevin Darcy writes:

It's only "bad practice" if you are not using other methods to prevent
spoofing attacks succeeding.  A load balancer should work with all traffic
patterns.

> Re-use of source ports for DNS queries is a bad security practice. I 
> cast my vote in favor of penalizing it, in the default configuration of 
> any device that responds to DNS requests.
>
> - Kevin
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
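A defender-side check for the practice Kevin and Mark debate above, as added example code (not from ISC or anyone on the list): it reports resolvers that send all their queries from one source port and shows how much port randomisation enlarges the (port, transaction ID) space an off-path spoofer would have to cover. The record format and the sample lines are constructed for the example.

```python
# Added illustration, not ISC's or the list's code: audit outbound DNS query
# records for resolvers that send many queries from one source port, the
# behaviour the thread argues about.  An off-path spoofer who knows the port
# only has to match the 16-bit transaction ID; random ports multiply the
# combinations it must cover by the number of ports in use.
from collections import defaultdict

# Constructed sample records: "time src_ip src_port txid qname".
SAMPLE_LOG = """\
1270100000.01 192.0.2.10 53000 0x1a2b www.example.net
1270100000.02 192.0.2.10 53000 0x9c4d mail.example.net
1270100000.03 192.0.2.10 53000 0x0f0f ftp.example.net
1270100000.05 192.0.2.20 41231 0x7777 www.example.net
1270100000.06 192.0.2.20 58992 0x1234 mail.example.net
1270100000.07 192.0.2.20 60311 0xabcd ftp.example.net
"""

def parse_log(text):
    """Return (src_ip, src_port, txid, qname) tuples from the sample format."""
    records = []
    for line in text.splitlines():
        _ts, ip, port, txid, qname = line.split()
        records.append((ip, int(port), int(txid, 16), qname))
    return records

def port_usage(records):
    """Per client: (queries seen, distinct source ports, distinct txids)."""
    ports, txids, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, port, txid, _qname in records:
        ports[ip].add(port)
        txids[ip].add(txid)
        count[ip] += 1
    return {ip: (count[ip], len(ports[ip]), len(txids[ip])) for ip in count}

def guess_space(distinct_ports, txid_bits=16):
    """(port, txid) pairs an attacker must cover to forge one response."""
    return distinct_ports * (1 << txid_bits)

def fixed_port_clients(records, min_queries=3):
    """Clients that sent at least min_queries queries all from one port."""
    return sorted(ip for ip, (n, p, _t) in port_usage(records).items()
                  if n >= min_queries and p == 1)
```

In the sample, 192.0.2.10 is the fixed-port client (guess space 65536) while 192.0.2.20 uses a fresh port per query, so its guess space grows with every port it can draw from.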


Re: Same source port queries dropped by ServerIron load balancer

2010-04-01 Thread Barry Margolin
In article , Kevin Darcy wrote:

> Re-use of source ports for DNS queries is a bad security practice. I 
> cast my vote in favor of penalizing it, in the default configuration of 
> any device that responds to DNS requests.

It's really not the job of a load balancer or server to force clients to 
use good security practices.

I suspect this is actually a bug, but the vendor is using the security 
value of it as an excuse to lower its priority.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***