Re: how to disable v6 lookup
In message , balk ris...@subisu.net.np writes:
> Dear All,
>
> Please help me disable IPv6 recursive lookups from my server with
> bind 9.6.1-P3.
> As my server is not enabled for IPv6, it always gives warnings like
> "network unreachable resolving .. " in the log.

From the man page for named:

    -4  Use IPv4 only even if the host machine is capable of IPv6.
        -4 and -6 are mutually exclusive.

> Regards,
>
> Bal Krishna

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
how to disable v6 lookup
Dear All,

Please help me disable IPv6 recursive lookups from my server with bind 9.6.1-P3.
As my server is not enabled for IPv6, it always gives warnings like
"network unreachable resolving .. " in the log.

Regards,

Bal Krishna
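Added example, not part of the thread: a small Python checker for the warning quoted above. It parses named's "network unreachable resolving" log lines, counts them by the address family of the server named could not reach, and only recommends running named with -4 when every unreachable target is IPv6 and the host really has no IPv6. The log lines are constructed samples using documentation addresses; the 'client ... query:' line is there only to show that unrelated lines are ignored.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of named log lines in the form the poster quotes
# ("network unreachable resolving ..."). The addresses are documentation
# ranges (RFC 3849 / RFC 5737), not real name servers.
SAMPLE_LOG = """\
15-Sep-2010 10:01:02.123 network unreachable resolving 'www.example.com/A/IN': 2001:db8::53#53
15-Sep-2010 10:01:02.130 network unreachable resolving 'www.example.com/AAAA/IN': 2001:db8:1::53#53
15-Sep-2010 10:01:05.001 network unreachable resolving 'mail.example.net/MX/IN': 2001:db8::1:53#53
15-Sep-2010 10:01:07.400 network unreachable resolving 'example.org/NS/IN': 192.0.2.53#53
15-Sep-2010 10:01:09.000 client 192.0.2.10#4567: query: www.example.com IN A + (192.0.2.1)
"""

# Matches the "'<qname>/<qtype>/<qclass>': <server>#<port>" tail of the warning.
UNREACHABLE_RE = re.compile(
    r"network unreachable resolving '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)


def parse_unreachable(lines):
    """Yield (qname, qtype, server_ip) for every 'network unreachable' line."""
    for line in lines:
        m = UNREACHABLE_RE.search(line)
        if m:
            yield m.group("qname"), m.group("qtype"), ipaddress.ip_address(m.group("addr"))


def unreachable_by_family(log_text):
    """Count the warnings by the IP version of the server named could not reach."""
    counts = Counter({4: 0, 6: 0})
    for _qname, _qtype, addr in parse_unreachable(log_text.splitlines()):
        counts[addr.version] += 1
    return counts


def ipv4_only_is_the_fix(log_text, host_has_ipv6):
    """True when 'named -4' would silence the warnings without hiding a real fault:
    every unreachable target is IPv6 and the host genuinely has no IPv6 connectivity.
    An unreachable IPv4 target is a routing or firewall problem that -4 would only hide."""
    counts = unreachable_by_family(log_text)
    return (not host_has_ipv6) and counts[6] > 0 and counts[4] == 0


if __name__ == "__main__":
    print(dict(unreachable_by_family(SAMPLE_LOG)))
    print("use named -4:", ipv4_only_is_the_fix(SAMPLE_LOG, host_has_ipv6=False))
```

With the sample as given the answer is "no", because one of the unreachable servers is an IPv4 address and that warning deserves a look at routing or filtering rather than a flag that stops named trying IPv6.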
Re: named and dhcpd warnings and errors questions
In message <4c90847e.4000...@powercraft.nl>, Jelle de Jong writes:
> Hello everybody,
>
> bind9 1:9.6.ESV.R1+dfsg-0+lenny2
> dhcp3-server 3.1.1-6+lenny4
>
> I am having a lot of "timed out" errors in my syslogs, that I want to
> solve. Below is the output of egrep 'named|dhcpd' /var/log/syslog
>
> http://debian.pastebin.com/hyD915BA
>
> I know the _ character is giving time-outs, so please ignore those. (If
> there is a way to fix them without changing the dhcp host name of the
> client I am open for suggestions)

zone "..." { check-names ignore; };

> Also ignore the errors from clients from vlan6, I tried to set up my
> /etc/dhcp3/dhcpd.conf so it would only use the reverse dns zone for
> vlan4 but I can't seem to get that working. My /etc/dhcp3/dhcpd.conf is
> posted here: http://debian.pastebin.com/xWC1V55z
>
> I would appreciate any help in getting my setup cleaned up so it does not
> generate so many errors.
>
> With kind regards,
>
> Jelle de Jong

--
Mark Andrews, ISC
Re: Second dig lookup not the same as the first
Hi,

No, I am not running any firewall on the client side at all. I can perform
lookups elsewhere that behave as I would expect. I also performed these tests
on another machine that has a more current and non-Apple dig as well.

The server is RHEL, not Mac OS X. I have deployed many named servers on Mac
OS X, but I do not use the Apple-supplied version, and always either go to
the source for a more current version, or lately, I have been using MacPorts
to aid in that installation process.

I don't think this question is as much of a platform issue as it is one of my
lack of understanding in what causes the additional and authority sections to
change on a subsequent request.

--
Scott (* For off-list contact, replace talklists@ with scott@ *)

On Sep 15, 2010, at 1:45 PM, wllarso wrote:

> From the output of your dig command you show that you are running a MacOSX
> system. Are you running the firewall on this system also? That may be
> dropping the TCP communication.
>
> Be aware that Apple's DNS server configuration throws every bell and whistle
> into the config. If you really are serious about running a DNS server under
> MacOSX, then make a post on the MacOSX-server list and step back for all of
> the reasons this isn't a good idea, at least not using what Apple gives you.
>
> Bill Larson
>
> and sorry about the top posting, but this was ...
> Sent from Garminfone by T-Mobile.
>
> Scott Haneda wrote:
>
>> Hello, I have set up a new BIND/named server, being backed by DLZ in this
>> case, though I don't think that will have any bearing on my question.
>>
>> This NS is not publicly known or listed as an NS anywhere as of yet, so it
>> is only my own testing that has hit the machine. If I perform a dig
>> request, the first request returns additional data, any subsequent lookups
>> return no additional data. Does anyone know why this is?
>>
>> I also seem to have issues when forcing tcp, does anyone have any ideas what
>> that could be caused by? Is there a setting in named.conf that controls
>> udp/tcp or should I be talking to the network admin about this?
>>
>> I have to obfuscate this data, I apologize for that...
>>
>> == First dig request, never been looked up before
>>
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @63.251.yyy.yy example.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41088
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;example.com.                   IN      A
>>
>> ;; ANSWER SECTION:
>> example.com.            3600    IN      A       208.122.xxx.xx
>>
>> ;; AUTHORITY SECTION:
>> example.com.            86400   IN      NS      ns2.some-nameserver.com.
>> example.com.            86400   IN      NS      ns1.some-nameserver.com.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.some-nameserver.com. 86400  IN      A       208.122.xxx.xx
>> ns2.some-nameserver.com. 86400  IN      A       208.122.226.214
>>
>> ;; Query time: 41 msec
>> ;; SERVER: 63.251.yyy.yy#53(63.251.yyy.yy)
>> ;; WHEN: Wed Sep 15 12:15:48 2010
>> ;; MSG SIZE  rcvd: 136
>>
>> == Second dig request, moments after the first
>>
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @63.251.yyy.yy example.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20029
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;example.com.                   IN      A
>>
>> ;; ANSWER SECTION:
>> example.com.            3600    IN      A       208.122.xxx.xx
>>
>> ;; Query time: 37 msec
>> ;; SERVER: 63.251.yyy.yy#53(63.251.yyy.yy)
>> ;; WHEN: Wed Sep 15 12:15:50 2010
>> ;; MSG SIZE  rcvd: 55
>>
>> And trying to see what is going on with tcp or udp...
>>
>> $ dig @63.251.yyy.yy example.com +tcp
>> ;; Connection to 63.251.yyy.yy#53(63.251.yyy.yy) for example.com failed:
>> connection refused.
>>
>> If I do the same thing with +notcp, I get the result in example #2 above,
>> where there is no additional section.
>>
>> Thank you for any assistance, I appreciate it.
>>
>> --
>> Scott (* For off-list contact, replace talklists@ with scott@ *)
Caching nameservers dealing with dead authoritative servers
Hi,

I'm having a problem with my caching DNS servers. I'm on bind 9.4.3-p5,
threads enabled (4), running gentoo 64 bits.

For 2 days, I have had some clients (mail servers receiving spam) issuing a
lot of requests on a zone hosted on a dead dns server. For example:

'uewchcvqhvnavkevhavecvbcvxevudvr.herojvesterna.com' requesttime 1284583508
'mcacghdhcdb.herojvesterna.com' requesttime 1284583515
'cacghdhcdb.herojvesterna.com' requesttime 1284583515
'lbnsxhnlpgdafmpdneieb.herojvesterna.com' requesttime 1284583521
'uewchcvqhvnavkevhavecvbcvxevudvr.herojvesterna.com' requesttime 1284583528
'obqtujppeofqwpcoeqqbbocqvphpvfo.herojvesterna.com' requesttime 1284583534
'mcacghdhcdb.herojvesterna.com' requesttime 1284583535
'cacghdhcdb.herojvesterna.com' requesttime 1284583535
'mgjnmcoxgfmfnifmebm.herojvesterna.com' requesttime 1284583537

As the authoritative nameserver for this zone is dead, the answer is sent to
the clients only after some seconds. During this time the clients could do
perhaps about 1000 queries on the same zone but for different records. After
a moment it's like a DoS attack: my cache-only DNS server doesn't answer any
query.

What could I do to limit this? Is there something to "cache" that an
authoritative DNS server doesn't answer?

Regards
David
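Added example, not from the thread: detection logic for the situation David describes, run over lines in the same 'name' requesttime <epoch> form as the ones he pasted. It groups in-flight queries by zone and flags any zone with many distinct names outstanding inside a short window, which is what a pile of clients waiting on one unresponsive authoritative server looks like from the cache. The sample lines are constructed (documentation domain names, with dead-zone.example standing in for the dead zone), and the two-label zone cut is an assumption; a real tool would take the zone cut from the delegation the cache already holds. It gives the operator evidence of which zone is soaking up recursion slots; it does not answer the question of caching a server's unresponsiveness, which the thread leaves open.

```python
import re
from collections import defaultdict, deque

# Constructed lines in the form the post quotes ('name' requesttime <epoch>).
# The domains are documentation names; dead-zone.example stands in for the
# zone whose authoritative server is down.
SAMPLE = """\
'uewchcvq.dead-zone.example' requesttime 1284583508
'www.fine.example' requesttime 1284583510
'mail.fine.example' requesttime 1284583512
'mcacghdh.dead-zone.example' requesttime 1284583515
'cacghdhc.dead-zone.example' requesttime 1284583515
'lbnsxhnl.dead-zone.example' requesttime 1284583521
'uewchcvq.dead-zone.example' requesttime 1284583528
'obqtujpp.dead-zone.example' requesttime 1284583534
'mcacghdh.dead-zone.example' requesttime 1284583535
'zzqrpwlo.dead-zone.example' requesttime 1284583536
'mgjnmcox.dead-zone.example' requesttime 1284583537
"""

# Accepts both the bare 'name' form above and a 'name/type/class' form.
LINE_RE = re.compile(r"'(?P<name>[^'/]+)(?:/[^']*)?' requesttime (?P<t>\d+)")


def zone_of(name, labels=2):
    """Group names by their last `labels` labels. Assumption: the zone cut is two
    labels deep; a real tool would use the delegation seen in the cache."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def parse_recursing(text):
    """Yield (qname, requesttime) for each in-progress query line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("name"), int(m.group("t"))


def flag_stuck_zones(text, window=30, threshold=5):
    """Return {zone: peak_distinct_names} for zones with more than `threshold`
    distinct names in flight within any `window` seconds: the signature of many
    clients waiting on one unresponsive authoritative server."""
    events = sorted(parse_recursing(text), key=lambda e: e[1])
    inflight = defaultdict(deque)
    flagged = {}
    for name, t in events:
        zone = zone_of(name)
        q = inflight[zone]
        q.append((name, t))
        while q and t - q[0][1] > window:   # drop entries older than the window
            q.popleft()
        distinct = len({n for n, _ in q})
        if distinct > threshold:
            flagged[zone] = max(flagged.get(zone, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(flag_stuck_zones(SAMPLE))
```

Repeated names (the same client retrying) are counted once, so the count reflects how many different records are being waited on rather than how impatient the clients are.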
Re: Second dig lookup not the same as the first
From the output of your dig command you show that you are running a MacOSX
system. Are you running the firewall on this system also? That may be
dropping the TCP communication.

Be aware that Apple's DNS server configuration throws every bell and whistle
into the config. If you really are serious about running a DNS server under
MacOSX, then make a post on the MacOSX-server list and step back for all of
the reasons this isn't a good idea, at least not using what Apple gives you.

Bill Larson

and sorry about the top posting, but this was ...
Sent from Garminfone by T-Mobile.

Scott Haneda wrote:

> Hello, I have set up a new BIND/named server, being backed by DLZ in this
> case, though I don't think that will have any bearing on my question.
>
> This NS is not publicly known or listed as an NS anywhere as of yet, so it is
> only my own testing that has hit the machine. If I perform a dig request, the
> first request returns additional data, any subsequent lookups return no
> additional data. Does anyone know why this is?
>
> I also seem to have issues when forcing tcp, does anyone have any ideas what
> that could be caused by? Is there a setting in named.conf that controls
> udp/tcp or should I be talking to the network admin about this?
>
> I have to obfuscate this data, I apologize for that...
>
> == First dig request, never been looked up before
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @63.251.yyy.yy example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41088
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;example.com.                   IN      A
>
> ;; ANSWER SECTION:
> example.com.            3600    IN      A       208.122.xxx.xx
>
> ;; AUTHORITY SECTION:
> example.com.            86400   IN      NS      ns2.some-nameserver.com.
> example.com.            86400   IN      NS      ns1.some-nameserver.com.
>
> ;; ADDITIONAL SECTION:
> ns1.some-nameserver.com. 86400  IN      A       208.122.xxx.xx
> ns2.some-nameserver.com. 86400  IN      A       208.122.226.214
>
> ;; Query time: 41 msec
> ;; SERVER: 63.251.yyy.yy#53(63.251.yyy.yy)
> ;; WHEN: Wed Sep 15 12:15:48 2010
> ;; MSG SIZE  rcvd: 136
>
> == Second dig request, moments after the first
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @63.251.yyy.yy example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20029
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;example.com.                   IN      A
>
> ;; ANSWER SECTION:
> example.com.            3600    IN      A       208.122.xxx.xx
>
> ;; Query time: 37 msec
> ;; SERVER: 63.251.yyy.yy#53(63.251.yyy.yy)
> ;; WHEN: Wed Sep 15 12:15:50 2010
> ;; MSG SIZE  rcvd: 55
>
> And trying to see what is going on with tcp or udp...
>
> $ dig @63.251.yyy.yy example.com +tcp
> ;; Connection to 63.251.yyy.yy#53(63.251.yyy.yy) for example.com failed:
> connection refused.
>
> If I do the same thing with +notcp, I get the result in example #2 above,
> where there is no additional section.
>
> Thank you for any assistance, I appreciate it.
>
> --
> Scott (* For off-list contact, replace talklists@ with scott@ *)
Second dig lookup not the same as the first
Hello, I have set up a new BIND/named server, being backed by DLZ in this
case, though I don't think that will have any bearing on my question.

This NS is not publicly known or listed as an NS anywhere as of yet, so it is
only my own testing that has hit the machine. If I perform a dig request, the
first request returns additional data, any subsequent lookups return no
additional data. Does anyone know why this is?

I also seem to have issues when forcing tcp, does anyone have any ideas what
that could be caused by? Is there a setting in named.conf that controls
udp/tcp or should I be talking to the network admin about this?

I have to obfuscate this data, I apologize for that...

== First dig request, never been looked up before

; <<>> DiG 9.6.0-APPLE-P2 <<>> @63.251.yyy.yy example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41088
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3600    IN      A       208.122.xxx.xx

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      ns2.some-nameserver.com.
example.com.            86400   IN      NS      ns1.some-nameserver.com.

;; ADDITIONAL SECTION:
ns1.some-nameserver.com. 86400  IN      A       208.122.xxx.xx
ns2.some-nameserver.com. 86400  IN      A       208.122.226.214

;; Query time: 41 msec
;; SERVER: 63.251.yyy.yy#53(63.251.yyy.yy)
;; WHEN: Wed Sep 15 12:15:48 2010
;; MSG SIZE  rcvd: 136

== Second dig request, moments after the first

; <<>> DiG 9.6.0-APPLE-P2 <<>> @63.251.yyy.yy example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20029
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3600    IN      A       208.122.xxx.xx

;; Query time: 37 msec
;; SERVER: 63.251.yyy.yy#53(63.251.yyy.yy)
;; WHEN: Wed Sep 15 12:15:50 2010
;; MSG SIZE  rcvd: 55

And trying to see what is going on with tcp or udp...

$ dig @63.251.yyy.yy example.com +tcp
;; Connection to 63.251.yyy.yy#53(63.251.yyy.yy) for example.com failed:
connection refused.

If I do the same thing with +notcp, I get the result in example #2 above,
where there is no additional section.

Thank you for any assistance, I appreciate it.

--
Scott (* For off-list contact, replace talklists@ with scott@ *)
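Added example, not from the thread: a parser for dig's text output that pulls the header fields, flags, section counts and WARNING lines out of a response, plus a comparison that reports which counts changed between two responses, which is the check the post makes by eye. The two responses are constructed copies of the ones above with documentation addresses (RFC 5737) in place of the obfuscated ones. It does not explain why the server answers differently the second time; it only makes the difference, and the "aa without ra" combination the warning reflects, machine-checkable.

```python
import re

# Constructed copies of the two responses in the post, with documentation
# addresses in place of the obfuscated ones.
FIRST = """\
; <<>> DiG 9.6.0-APPLE-P2 <<>> @192.0.2.53 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41088
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3600    IN      A       198.51.100.10

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      ns2.some-nameserver.com.
example.com.            86400   IN      NS      ns1.some-nameserver.com.

;; ADDITIONAL SECTION:
ns1.some-nameserver.com. 86400  IN      A       198.51.100.1
ns2.some-nameserver.com. 86400  IN      A       198.51.100.2

;; Query time: 41 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Wed Sep 15 12:15:48 2010
;; MSG SIZE  rcvd: 136
"""

SECOND = """\
; <<>> DiG 9.6.0-APPLE-P2 <<>> @192.0.2.53 example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20029
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3600    IN      A       198.51.100.10

;; Query time: 37 msec
;; MSG SIZE  rcvd: 55
"""

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SECTION_RE = re.compile(r";; (\w+) SECTION:")
COUNT_NAMES = ("QUERY", "ANSWER", "AUTHORITY", "ADDITIONAL")


def parse_dig(text):
    """Parse dig's text output into header fields, flags, counts, warnings and records."""
    resp = {"flags": [], "counts": {}, "warnings": [], "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            resp["opcode"], resp["status"], resp["id"] = m.group(1), m.group(2), int(m.group(3))
        elif m := FLAGS_RE.match(line):
            resp["flags"] = m.group(1).split()
            resp["counts"] = dict(zip(COUNT_NAMES, map(int, m.groups()[1:])))
        elif line.startswith(";; WARNING: "):
            resp["warnings"].append(line[len(";; WARNING: "):])
        elif m := SECTION_RE.match(line):
            current = m.group(1)
            resp["sections"][current] = []
        elif not line or line.startswith(";;"):
            current = None  # blank line or trailer (Query time, SERVER, ...) ends a section
        elif current == "QUESTION":
            resp["sections"][current].append(line.lstrip(";").split())
        elif current:
            resp["sections"][current].append(line.split())
    return resp


def diff_counts(a, b):
    """Return {section: (count_in_a, count_in_b)} for the header counts that changed."""
    return {k: (a["counts"][k], b["counts"][k]) for k in COUNT_NAMES if a["counts"][k] != b["counts"][k]}


def describe(resp):
    """Plain-language reading of the flags that matter for the poster's question."""
    notes = []
    if "aa" in resp["flags"]:
        notes.append("authoritative answer")
    if "rd" in resp["flags"] and "ra" not in resp["flags"]:
        notes.append("recursion requested but the server does not offer it")
    return notes


if __name__ == "__main__":
    first, second = parse_dig(FIRST), parse_dig(SECOND)
    print(describe(first))
    print(diff_counts(first, second))
```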
Name server selection in Bind >=9.6
Hello,

A question about ns selection in bind. It seems up to bind 9.5 it selects the
ns with the lowest rtt, but there were some changes in bind 9.6 that make it
do random selection, from https://www.isc.org/software/bind/new-features/9.6 :

"As a security improvement to make forgery a little more difficult, BIND 9.6
now attempts to make the order of the server selection for queries less
predictable. Previously, BIND would prefer to query the server with the lowest
round trip time (RTT). Now servers that haven't been tried yet have their RTT
set to a random value between 0 ms and 7 ms. And the RTT values of servers
which have been tried are now randomly changed up to 128 ms."

Does anyone on this list know more details about this change short of looking
at the source code? How often are RTTs randomly changed, on every query? Is
the value picked randomly between 0 and 128ms?

Thanks,
--Ricardo
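Added example, not from the thread and not BIND's code: a small Python model of the selection policy as the quoted release note describes it, next to the older lowest-RTT rule, so the effect on predictability can be measured rather than guessed at. Untried servers get a random RTT in [0, 7] ms and tried servers have their RTT perturbed by up to 128 ms, as the note says; whether the perturbation is additive and applied per query is exactly Ricardo's open question, so that part is an assumption of the model. The server names and RTTs are constructed.

```python
import random

# Model of the BIND 9.6 server-selection change quoted in the post: servers not
# yet tried get a random RTT in [0, 7] ms; servers already tried have their RTT
# randomly changed by up to 128 ms; the lowest value wins. How often the change
# is applied and whether it is additive are the open questions in the post, so
# treating it as an additive per-query perturbation is an assumption of this
# model, not a statement about BIND's code.
UNTRIED_MAX_MS = 7.0
PERTURB_MAX_MS = 128.0


def effective_rtt(measured_ms, rng):
    """RTT used for ordering: random for an untried server, perturbed for a tried one."""
    if measured_ms is None:
        return rng.uniform(0.0, UNTRIED_MAX_MS)
    return measured_ms + rng.uniform(0.0, PERTURB_MAX_MS)  # assumed additive


def select_randomised(servers, rng):
    """9.6-style pick: lowest effective (randomised) RTT. servers: {name: rtt_ms or None}."""
    scored = {name: effective_rtt(rtt, rng) for name, rtt in servers.items()}
    return min(scored, key=scored.get)


def select_deterministic(servers):
    """Pre-9.6 rule as the note describes it: lowest measured RTT.
    Untried servers are modelled as RTT 0 here (assumption)."""
    return min(servers, key=lambda n: 0.0 if servers[n] is None else servers[n])


def selection_distribution(servers, trials=10000, seed=1):
    """Fraction of queries each server receives under the randomised policy."""
    rng = random.Random(seed)
    counts = {name: 0 for name in servers}
    for _ in range(trials):
        counts[select_randomised(servers, rng)] += 1
    return {name: c / trials for name, c in counts.items()}


if __name__ == "__main__":
    servers = {"ns1": 10.0, "ns2": 30.0, "ns3": 60.0}   # constructed RTTs in ms
    print("deterministic:", select_deterministic(servers))
    print("randomised:", selection_distribution(servers))
```

Under the old rule the same server is asked every time, so an attacker racing a forged reply knows which server's address to spoof; under the modelled rule the fastest server still gets most of the queries but the others get a real share, and an untried server (RTT at most 7 ms) always beats any tried server slower than that.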
Re: Trouble with host and DNSSEC
Thanks Casey!

The link to dnsviz.net also explains part of why I was getting confused. It
appears that there are not any DS records at the root (yet?) for the .gov
level. This explains why when I did a dig with +sigchase +topdown options it
was failing to validate way earlier in the chain. I was only using the root
trusted key in my /etc/trusted-key.key file for dig while the server itself
is using DLV to validate down the chain until it gets to the missing DNSKEY
record.

On 09/15/2010 10:05 AM, Casey Deccio wrote:
> On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen wrote:
>> I am having trouble resolving the host name cod.ed.gov which I believe
>> may be dnssec related
> ...
>
>> in my logs I am getting the messages:
>>
>> validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
>> indicates it should be secure
>> dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
>> response; parent indicates it should be secure
>> error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53
>>
> There are DS RRs for cod.ed.gov in the parent zone (ed.gov),
> indicating that cod.ed.gov should be signed with a DNSKEY
> corresponding to the existing DS RR. However, cod.ed.gov is not
> signed, particularly not with the DNSKEY corresponding to the DS RR,
> which DNSKEY doesn't seem to exist in the zone at all.
> http://dnsviz.net/d/cod.ed.gov/dnssec/
>
> To remedy the issue, the ed.gov administrators should remove the DS RR
> for cod.ed.gov from the ed.gov zone, which will make cod.ed.gov an
> insecure delegation (meaning that it can continue to be unsigned). If
> desired, the zone can then be resigned, and the appropriate DS RRs
> added to the parent.
>
> I can send them a note off-list.
>
> Regards,
> Casey

--
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Re: isc trust anchor
On Wed, 15 Sep 2010, sami's strat wrote:
>
> a.us is (dnssec) signed and the parent domain has a copy of the DS keys.
> Is there a way to have host.b.com run dnssec aware queries against a.us?

You don't need or want the ISC DLV trust anchor for that, since there is a
chain of trust to the root and it's better to use the root trust anchor when
you can. The DLV should be used to fill the gaps where it isn't possible to
form a chain of trust to the root (e.g. an unsigned parent or a parent that
doesn't yet accept DS records.)

Here's a quick guide to setting up DNSSEC validation with bind-9.7:
http://fanf.livejournal.com/107310.html

Tony.
--
f.anthony.n.finch  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.
Re: Trouble with host and DNSSEC
On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen wrote:
> I am having trouble resolving the host name cod.ed.gov which I believe
> may be dnssec related
...
> in my logs I am getting the messages:
>
> validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
> indicates it should be secure
> dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
> response; parent indicates it should be secure
> error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53
>

There are DS RRs for cod.ed.gov in the parent zone (ed.gov), indicating that
cod.ed.gov should be signed with a DNSKEY corresponding to the existing DS RR.
However, cod.ed.gov is not signed, particularly not with the DNSKEY
corresponding to the DS RR, which DNSKEY doesn't seem to exist in the zone at
all.

http://dnsviz.net/d/cod.ed.gov/dnssec/

To remedy the issue, the ed.gov administrators should remove the DS RR for
cod.ed.gov from the ed.gov zone, which will make cod.ed.gov an insecure
delegation (meaning that it can continue to be unsigned). If desired, the
zone can then be resigned, and the appropriate DS RRs added to the parent.

I can send them a note off-list.

Regards,
Casey
Trouble with host and DNSSEC
I am having trouble resolving the host name cod.ed.gov which I believe may be
dnssec related. If I run dig with the +cdflag option I get what appears to be
a proper response:

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2 <<>> +cdflag cod.ed.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43205
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;cod.ed.gov.                    IN      A

;; ANSWER SECTION:
cod.ed.gov.             30      IN      A       12.198.185.50

;; AUTHORITY SECTION:
cod.ed.gov.             2948    IN      NS      ns2.dotsconnecthosting.com.
cod.ed.gov.             2948    IN      NS      ns1.dotsconnecthosting.com.

but a normal query returns a SERVFAIL response:

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2 <<>> cod.ed.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61516
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cod.ed.gov.                    IN      A

in my logs I am getting the messages:

validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
indicates it should be secure
dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
response; parent indicates it should be secure
error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53

Which would seem to indicate that the chain of trust has been broken. My
server is running bind 9.7.1-P2 on RHEL 5.5 and is configured with both the
signed root key and the DLV key. We have been running DNSSEC validation for
some time and this problem didn't appear until Monday afternoon.

Is anyone else able to get a DNSSEC validated response for this site? I admit
I'm a bit of a novice when it comes to DNSSEC. I'm having some trouble
figuring out exactly where along the chain things are broken if that is
indeed the problem. Then if it is the problem how do I resolve it.

--
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
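Added example, not from the thread: a Python model of the decision a validator makes at a delegation, covering the three outcomes discussed in this thread and the DLV point Tony makes in the "isc trust anchor" reply above. It computes the DNSKEY key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) for real, so "does the parent's DS match a key in the child" is an actual comparison, then classifies the delegation as secure, insecure, or bogus; the cod.ed.gov case (DS at the parent, no matching DNSKEY in the child) is the "insecurity proof failed" branch. The DNSKEY material is a constructed blob, not a real key, the child name is constructed, and whether the child's RRSIGs verify is passed in as a boolean rather than checked, since signature verification is outside this example.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_matches(ds, owner, rdata):
    """ds = (key_tag, algorithm, sha256_hex). rdata[3] is the DNSKEY algorithm octet."""
    tag, alg, digest = ds
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_sha256(owner, rdata)


def classify_delegation(child, parent_ds, child_dnskeys, signatures_valid, dlv_ds=None):
    """Outcome a validator reaches for `child`, given what the parent publishes.

    parent_ds:        DS records (key_tag, algorithm, sha256_hex) in the parent zone.
    child_dnskeys:    DNSKEY RDATA found at the child apex ([] when the child is unsigned).
    signatures_valid: result of checking the child's RRSIGs with the matched key
                      (assumed here; real signature verification is out of scope).
    dlv_ds:           DLV records, consulted only when the parent publishes no DS,
                      which is the gap-filling role Tony describes for DLV.
    """
    if parent_ds:
        anchors, source = parent_ds, "parent DS"
    elif dlv_ds:
        anchors, source = dlv_ds, "DLV"
    else:
        return "insecure", "no DS in parent: unsigned delegation, answers accepted unvalidated"
    for ds in anchors:
        for rdata in child_dnskeys:
            if ds_matches(ds, child, rdata):
                if signatures_valid:
                    return "secure", f"DNSKEY tag {key_tag(rdata)} matches {source}, RRSIGs verify"
                return "bogus", f"DNSKEY tag {key_tag(rdata)} matches {source} but RRSIGs do not verify"
    return "bogus", f"{source} says signed, but no matching DNSKEY in child (insecurity proof failed)"


# Constructed test material: a fake public key blob, not a real DNSKEY.
CHILD = "child.example"
KSK = dnskey_rdata(257, 3, 8, b"constructed-not-a-real-public-key")
GOOD_DS = (key_tag(KSK), 8, ds_sha256(CHILD, KSK))

if __name__ == "__main__":
    print(classify_delegation(CHILD, [GOOD_DS], [KSK], True))
    print(classify_delegation(CHILD, [GOOD_DS], [], False))   # the cod.ed.gov situation
    print(classify_delegation(CHILD, [], [], False))          # Casey's proposed remedy
    print(classify_delegation(CHILD, [], [KSK], True, dlv_ds=[GOOD_DS]))
```

Removing the DS from the parent, as Casey suggests, moves the child from the "bogus" row to the "insecure" row: answers are then accepted without validation instead of returning SERVFAIL, which is what the +cdflag query was already showing.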
isc trust anchor
If I have two domains, say a.us and b.com:

a.us is (dnssec) signed and the parent domain has a copy of the DS keys.
Is there a way to have host.b.com run dnssec aware queries against a.us?

I was thinking of setting up and using the ISC trust anchor with both
domains. Would that work? Are there better ways to have a .com domain query
a fully signed and operational .us domain?

Thanks in advance.
named and dhcpd warnings and errors questions
Hello everybody,

bind9 1:9.6.ESV.R1+dfsg-0+lenny2
dhcp3-server 3.1.1-6+lenny4

I am having a lot of "timed out" errors in my syslogs, that I want to solve.
Below is the output of egrep 'named|dhcpd' /var/log/syslog

http://debian.pastebin.com/hyD915BA

I know the _ character is giving time-outs, so please ignore those. (If there
is a way to fix them without changing the dhcp host name of the client I am
open for suggestions)

Also ignore the errors from clients from vlan6, I tried to set up my
/etc/dhcp3/dhcpd.conf so it would only use the reverse dns zone for vlan4 but
I can't seem to get that working. My /etc/dhcp3/dhcpd.conf is posted here:
http://debian.pastebin.com/xWC1V55z

I would appreciate any help in getting my setup cleaned up so it does not
generate so many errors.

With kind regards,

Jelle de Jong
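Added example, not from the thread: Python code for the check behind the "_" time-outs Jelle mentions and the check-names ignore answer Mark gives earlier on this page. check_hostname applies the hostname label rule that named's check-names enforces on owner names of records like A and AAAA (letters, digits and hyphens, no leading or trailing hyphen, labels of at most 63 octets; RFC 952/1123), which is why an underscore in a DHCP client name makes the dynamic update fail. triage_ddns_updates then predicts what each of the three check-names settings does with a list of client names; the client names and the vlan4.example zone suffix are constructed.

```python
import re

# Hostname label rule that check-names applies to owner names of A/AAAA/MX
# and similar records: letters, digits and hyphens only, no leading or
# trailing hyphen, 1..63 octets (RFC 952 / RFC 1123). "_" is not allowed.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_hostname(name):
    """Return (ok, reason) for a hostname under the check-names rule."""
    name = name.rstrip(".")
    if not name:
        return False, "empty name"
    if len(name) > 253:
        return False, "name longer than 253 octets"
    for label in name.split("."):
        if LABEL_RE.match(label):
            continue
        if "_" in label:
            return False, f"label {label!r} contains '_', not a hostname character"
        return False, f"label {label!r} is not a valid hostname label"
    return True, "ok"


def triage_ddns_updates(client_names, zone_suffix, check_names="fail"):
    """Predict how named treats a dynamic update for each DHCP client name.

    check_names mirrors the zone option: 'fail' rejects bad names (the default for
    a master zone), 'warn' accepts and logs, 'ignore' accepts silently.
    Returns {fqdn: (accepted, reason)}.
    """
    if check_names not in ("fail", "warn", "ignore"):
        raise ValueError("check-names must be fail, warn or ignore")
    result = {}
    for client in client_names:
        fqdn = f"{client}.{zone_suffix}"
        ok, reason = check_hostname(fqdn)
        if ok or check_names == "ignore":
            result[fqdn] = (True, "ok" if ok else f"accepted (check-names ignore): {reason}")
        elif check_names == "warn":
            result[fqdn] = (True, f"accepted with warning: {reason}")
        else:
            result[fqdn] = (False, f"rejected: {reason}")
    return result


# Constructed DHCP client host names; the zone suffix is an assumption.
SAMPLE_CLIENTS = ["laptop-01", "my_laptop", "printer3", "-badname", "x" * 64]

if __name__ == "__main__":
    for mode in ("fail", "ignore"):
        print(mode, triage_ddns_updates(SAMPLE_CLIENTS, "vlan4.example", mode))
```

Running it with "fail" shows which names the updates are timing out on; with "ignore" (Mark's zone "..." { check-names ignore; }; fragment) every name is accepted, at the cost of storing names that other software following the hostname rule may refuse to use.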