RE: Bind 9.9.0b2 inline signing...
Spain, Dr. Jeffry A. spa...@countryday.net wrote:

> From time to time I want to review the current state of the zone files. I have been accustomed with v9.8 to taking a copy of a signed zone file and stripping out the DNSSEC-related records in a text editor for easy review.

I use `dig axfr dotat.at | grep -v RRSIG`.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Faeroes: Southwest 6 to gale 8, becoming cyclonic severe gale 9 to violent storm 11, perhaps hurricane force 12 later. High or very high, occasionally phenomenal. Rain or squally showers. Good, occasionally poor.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9.9.0b2 inline signing...
On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:

> I use `dig axfr dotat.at | grep -v RRSIG`

... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM

hoping, of course, that no owner name is called 'RRSIG' et al. ;-)

-JP
Re: Bind 9.9.0b2 inline signing...
Jan-Piet Mens jpmens@gmail.com wrote:

> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>
> > I use `dig axfr dotat.at | grep -v RRSIG`
>
> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM

I think it is more useful to see those records than to spend effort stripping them out.

> hoping, of course, that no owner name is called 'RRSIG' et al. ;-)

Knowing rather than hoping, but yes, it is good enough for the command line but not safe to embed in a script.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Biscay: Southerly 4 or 5 occasional 6 in north, veering westerly 3 or 4. Rough. Mainly fair. Moderate or good.
Re: Bind 9.9.0b2 inline signing...
On Thu, Nov 24, 2011 at 02:29:05PM +0100, Jan-Piet Mens wrote:

> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>
> > I use `dig axfr dotat.at | grep -v RRSIG`
>
> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
>
> hoping, of course, that no owner name is called 'RRSIG' et al. ;-)
>
> -JP

How about something like:

    dig axfr zone | awk '$4 !~ /^NSEC$|^NSEC3$|^RRSIG$/ {print}'

awk requires a tiny bit more typing, but the result is much more precise ..

--
Shumon Huque
University of Pennsylvania.
Re: Bind 9.9.0b2 inline signing...
On Nov 24 2011, Shumon Huque wrote:

> On Thu, Nov 24, 2011 at 02:29:05PM +0100, Jan-Piet Mens wrote:
>
> > On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
> >
> > > I use `dig axfr dotat.at | grep -v RRSIG`
> >
> > ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
> >
> > hoping, of course, that no owner name is called 'RRSIG' et al. ;-)
> >
> > -JP
>
> How about something like:
>
>     dig axfr zone | awk '$4 !~ /^NSEC$|^NSEC3$|^RRSIG$/ {print}'
>
> awk requires a tiny bit more typing, but the result is much more precise ..

If we are trying to turn Tony's ad hoc command into something publishable, it would be better to use

    dig +nocmd +nostats +onesoa AXFR zone | awk ...

(although for +onesoa you need the dig from BIND 9.8 or later).

--
Chris Thompson
Email: c...@cam.ac.uk
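The difference between the substring filter and the type-field filter discussed in the messages above, shown on data where it matters. This is an added example, not code from any poster: the function names are hypothetical and the zone records are constructed, with one owner name and one TXT string chosen to contain a type mnemonic.

```shell
#!/bin/sh
# Added illustration; sample_axfr, strip_by_grep, strip_by_type and kept are hypothetical names.

# Constructed records in dig's AXFR presentation format: owner TTL class type rdata.
sample_axfr() {
cat <<'EOF'
example.        3600 IN SOA        ns.example. hostmaster.example. 1 7200 900 1209600 3600
example.        3600 IN RRSIG      SOA 8 1 3600 20111224000000 20111124000000 12345 example. c2ln
example.        3600 IN NS         ns.example.
example.        3600 IN DNSKEY     256 3 8 a2V5
example.        0    IN NSEC3PARAM 1 0 10 ABCD
example.        0    IN TYPE65534  \# 5 0830390001
RRSIG.example.  3600 IN A          192.0.2.10
notes.example.  3600 IN TXT        "DNSKEY rollover due"
ns.example.     3600 IN A          192.0.2.53
ns.example.     3600 IN NSEC       example. A RRSIG NSEC
EOF
}

# The thread's substring filter: drops a line if a mnemonic appears anywhere in it.
strip_by_grep() {
    grep -v -e RRSIG -e TYPE65534 -e DNSKEY -e NSEC3PARAM
}

# Field filter: test only the type column ($4; dig always prints TTL and class).
strip_by_type() {
    awk '
        /^;/ || NF == 0 { next }    # dig comment lines and blank lines
        $4 ~ /^(RRSIG|NSEC|NSEC3|NSEC3PARAM|DNSKEY|TYPE65534)$/ { next }
        { print }
    '
}

# Number of records a given filter keeps from the sample.
kept() { sample_axfr | "$1" | wc -l | tr -d ' '; }

echo "grep keeps $(kept strip_by_grep) records, awk keeps $(kept strip_by_type)"
sample_axfr | strip_by_type
```

The substring filter silently loses the `RRSIG.example.` address record and the TXT record, and only removes the NSEC record because its type bitmap happens to mention RRSIG.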
RE: Bind 9.9.0b2 inline signing...
> dig axfr dotat.at | grep -v RRSIG. Tony.
> dig axfr dotat.at | grep -v RRSIG | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM. JP.
> dig axfr zone | awk '$4 !~ /^NSEC$|^NSEC3$|^RRSIG$/ {print}'. Shumon.

Thank you, gentlemen. These are very helpful. As we are primarily Windows users, I have had a tendency to dig axfr from my Windows workstation and remove the DNSSEC-related records with a regular expression search in my text editor. I really should take the time to learn more about grep and awk. Happy Thanksgiving to all.

Jeff.
Re: Bind 9.9.0b2 inline signing...
Jeffry,

> I have had a tendency to dig axfr from my Windows workstation

+1 to you for using `dig' on Windows; most don't even know it exists and suffer the `nslookup' pain. ;-)

-JP
Re: Bind 9.9.0b2 inline signing...
Chris Thompson c...@cam.ac.uk wrote:

> If we are trying to turn Tony's ad hoc command into something publishable,

See the loadzone, axfrzone, and cleanzone functions in http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Writing code to process arbitrary zones is a rather different job from a quick command line to make it easier to eyeball a simple zone you know well.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Northwest Hebrides, Bailey: Southerly veering southwesterly storm 10 to hurricane force 12, veering westerly 7 to severe gale 9 later. Very high. Rain then squally showers. Moderate or good occasional poor.
RE: Bind 9.9.0b2 inline signing...
> > I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists and suffer the `nslookup' pain. ;-)

First thing I do on a new Windows box is download the BIND package and throw dig on the box ... well, right after I get FF/Chrome.

I don't understand why Windows doesn't include dig by default, even now. Free software hate?

t.
RE: Bind 9.9.0b2 inline signing...
> I don't understand why Windows doesn't include dig by default, even now. Free software hate?

I wonder if it is some kind of intellectual property issue. Microsoft has to be able to sell Windows and therefore must consider any added costs related to including a component that they do not own and would have to license. I suppose they could develop a similar application themselves, but I think they tend to focus more on end-user rather than administrative functionality in their development efforts.

This is certainly not Microsoft's only issue with DNS. They have pretty much developed their own DNS ecosystem over the years, starting with Active Directory for Windows 2000, and they have not kept up with the functionality in bind. For example, the current iteration of Microsoft DNS in Windows Server 2008 R2 has a faulty implementation of DNSSEC -- you can't enter the root zone trust anchor. I have set up my Windows domain controllers (DNS servers) to forward to a DNSSEC-enabled bind recursive resolver. Even that turned out to be a challenge because of the way Windows uses the CD and DO flags in DNS queries. Supposedly DNS in Windows 8 server is going to fix these issues. We shall see.

Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: pns nxdomain equivalent
I am giving you more details with the hope that maybe someone will give me a hint.

In named.conf (bind 9.9b2) I have:

    # for NXDOMAIN Redirection
    zone . {
        type redirect;
        file /etc/bind/zones/redirect.db;
    };

redirect.db file contains:

    $TTL 300
    @ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
    @ IN NS ns.example.net
    ; suffix matches
    ; the following line is working
    *.youtube.com. cname .
    ; prefix matches are not working
    mail*. cname .
    ads*. cname .
    ; full match is not working too
    *fulldomain*. cname .
    ; default behaviour in the case that it is not previously matched
    *. IN A 74.125.39.104
[no subject]
Hello All,

We have our slave servers running compiled Bind 9.6.1-P3 on CentOS 5.4. Can I upgrade to 9.8.1-P1 directly from the current version 9.6.1-P3? Or it has to be on the same 9.6.ESV-R5-P1 latest version?

Master is in internal running on Bind 9.2.1, doing only pushing the config/zones to slaves. With the current setup we don't face any problem to push the config/zones from master to slaves.

Plan to upgrade slaves first to patch for CVE-2011-4313 as they are in public and doing both authoritative and recursive. Will it create any problem if I patch the slaves to latest version?

FYI, we are not using dnssec currently.

Thanks in advance
Thiru