Re: bind dies with assertion failure
On 07/03/2012 01:16 AM, Oscar Ricardo Silva wrote: I *THINK* I found the reason for why we're exposed to this bug ... It would appear that Redhat based their BIND package on 9.8.2rc1. Guess where the patch for this bug was applied? 9.8.2rc2. Are you sure about this? From what I can see in our local yum repo of the RHEL6 ISOs, it shipped with bind 9.7. Sure that isn't a local package, or you're joined into a non-production channel? ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9.8.1-P1 is crashing again and again
On 02/07/12 14:32, Gaurav Kansal wrote: > Dear Team, > > > > My BIND DNS Server is crashing again and again. > > > > I am getting these logs: > > > > Jul 2 12:03:33 gaurav named[30523]: query.c:5379: INSIST(!is_zone) failed, > back trace > > Jul 2 12:03:33 gaurav named[30523]: #0 0x805a7a5 in assertion_failed()+0x45 > > Jul 2 12:03:33 gaurav named[30523]: #1 0x81cd8b7 in > isc_assertion_failed()+0x27 > > Jul 2 12:03:33 gaurav named[30523]: #2 0x8067dac in query_find()+0x561c > > Jul 2 12:03:33 gaurav named[30523]: #3 0x8068cdf in query_resume()+0x1ef > > Jul 2 12:03:33 gaurav named[30523]: #4 0x81ea103 in > isc__taskmgr_dispatch()+0x1c3 > > Jul 2 12:03:33 gaurav named[30523]: #5 0x81ed6f3 in evloop()+0x73 > > Jul 2 12:03:33 gaurav named[30523]: #6 0x81ed958 in isc__app_ctxrun()+0x138 > > Jul 2 12:03:33 gaurav named[30523]: #7 0x81eda02 in isc__app_run()+0x12 > > Jul 2 12:03:33 gaurav named[30523]: #8 0x805b886 in main()+0x606 > > Jul 2 12:03:33 gaurav named[30523]: #9 0xc24dec in ?? > > Jul 2 12:03:33 gaurav named[30523]: #10 0x804bfa1 in _start()+0x21 > > Jul 2 12:03:33 gaurav named[30523]: exiting (due to assertion failure) > > Jul 2 13:49:20 gaurav avahi-daemon[2656]: Invalid query packet. > > > > Why I am getting these errors and what should I do? Firstly, I'd strongly recommend upgrading to 9.8.3-P1 on account of this security issue (and other fixes): https://www.isc.org/software/bind/advisories/cve-2012-1667 Then, if the problems still persists, please can you run through the troubleshooting steps and collect the data listed in this knowledge base article: https://deepthought.isc.org/article/AA-00340/0/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html And then submit the problem to us directly via a bug report. Thanks Cathy ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: bind dies with assertion failure
As mentioned more than once on this list. Redhat starts with an upstream version of a given package (say BIND 9.7) then backports security and bug fixes from later upstream versions into theirs and add extended versioning (say 9.7-2.3.1). One would have to check Redhat's version to see what fixes it actually contains. -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil Mayers Sent: Tuesday, July 03, 2012 3:47 AM To: bind-users@lists.isc.org Subject: Re: bind dies with assertion failure On 07/03/2012 01:16 AM, Oscar Ricardo Silva wrote: > I *THINK* I found the reason for why we're exposed to this bug ... It > would appear that Redhat based their BIND package on 9.8.2rc1. Guess > where the patch for this bug was applied? 9.8.2rc2. Are you sure about this? From what I can see in our local yum repo of the RHEL6 ISOs, it shipped with bind 9.7. Sure that isn't a local package, or you're joined into a non-production channel? ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Athena(r), Created for the Cause(tm) Making a Difference in the Fight Against Breast Cancer - CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. -- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind dies with assertion failure
Oscar Ricardo Silva wrote on 07/02/2012 06:40:51 PM: > The reason I'm running is that we're currently running the stock version > of BIND available with RHEL6. It's their policy to backport patches and > if there's a patch available then they may apply it faster rather than > deploying a new version. At an ISC Intro to DNS and BIND class, the instructor pointed out that if you rely on the distro provided version of BIND, you are at the mercy of the package maintainers to upgrade/patch versions of BIND. With Ubuntu LTS (not sure about other distros), you are stuck at the same version of bind until you upgrade your distro. For Ubuntu 8.04LTS which is still supported, BIND is stuck at 9.4, which is no longer supported by ISC. I am building/redesinging our DNS infrastructure and I am building BIND from tarball. It's really quite easy. Plus, I can run the latest and greatest version to get the best DNSSEC features. Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
getting edns disabling message in logs
Hi, We run bind as caching only dns server for our customers.In logs, i can see so many entries which tells success resolving 'malayalam.samachar.com/A' (in '.'?) after disabling EDNS success resolving 'm.sify.com/A' (in '.'?) after disabling EDNS success resolving 'planetradiocity.com/A' (in '.'?) after disabling EDNS success resolving 'ns-3.2o7.net/A' (in '.'?) after disabling EDNS success resolving 'ns-2.2o7.net/A' (in '.'?) after disabling EDNS success resolving 'sifycorp.com/A' (in '.'?) after disabling EDNS How to check that current bind installation has EDNS enabled or ? what could be reason behind it? we do not disable any EDNS in named.conf. Please suggest me to resolve it. Bind version : BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 Regards, Ben ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: getting edns disabling message in logs
Ben wrote: > > We run bind as caching only dns server for our customers. In logs, i can > see so many entries which tells > > success resolving 'x.y.z/A' (in '.'?) after disabling EDNS > > How to check that current bind installation has EDNS enabled or ? > what could be reason behind it? BIND has EDNS enabled by default. These log messages indicate that BIND is trying and failing to make EDNS queries. This is usually caused by a misconfigured firewall between the name server and the rest of the Internet. Tony. -- f.anthony.n.finchhttp://dotat.at/ FitzRoy: Southwesterly veering northwesterly 4 or 5, occasionally 6 later in northwest. Moderate, becoming rough in northwest. Rain then showers. Moderate or good, occasionally poor at first in north. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind dies with assertion failure
07/03/2012 01:16 AM, Oscar Ricardo Silva wrote: >> I *THINK* I found the reason for why we're exposed to this bug ... >> It would appear that Redhat based their BIND package on 9.8.2rc1. >> Guess where the patch for this bug was applied? 9.8.2rc2. > Are you sure about this? > From what I can see in our local yum repo of the RHEL6 ISOs, it > shipped with bind 9.7. > Sure that isn't a local package, or you're joined into a > non-production channel? Nope, not 100% sure of this but I strongly suspect this is the case. We recently had to update the BIND package on RHEL6 to address this vulnerability: CVE-2012-1667 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667 and in the process of upgrading, were given bind-9.8.2-0.10.rc1.el6:32.i686. It was while looking at the source for that package (bind-9.8.2-0.10.rc1.el6.src.rpm) that I found the file bind-9.8.2rc1.tar.gz According to the changelog on that package, they changed the numbering from 9.7 to 9.8 starting in February of this year: ** 2012-02-15 12:00:00 32:9.8.2-0.3.rc1: 2011-12-20 12:00:00 32:9.7.3-10.P3: ** Oscar Oscar ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-users Digest, Vol 1247, Issue 1
Message: 1 Date: Mon, 02 Jul 2012 17:40:51 -0500 From: Oscar Ricardo Silva To: bind-users@lists.isc.org Subject: Re: bind dies with assertion failure Message-ID: <4ff22373.2000...@mail.utexas.edu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed I may have missed something but has this been patched in a 9.8.x version of BIND? According to the 9.9.0 release notes this has been addressed but just wondering about the availability for other vulnerable versions. Also, is there a known trigger? The reason I'm running is that we're currently running the stock version of BIND available with RHEL6. It's their policy to backport patches and if there's a patch available then they may apply it faster rather than deploying a new version. Oscar Since this problem is likely being caused by the version of BIND provided by Redhat and not with the release version, this issue is not pertinent to the list. I don't want to clutter up the list with off-topic conversations. If anyone is interested in Redhat's response we can take the conversation offlist but I'm not hopeful they'll do anything about it. While it's always better to compile and install from the latest stable version, it's also nice to use their package management system especially when you have to deal with multiple systems. Oscar ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind dies with assertion failure
(Sorry, forgot to include the right Subject line so re-sending) > Message: 1 > Date: Mon, 02 Jul 2012 17:40:51 -0500 > From: Oscar Ricardo Silva > To: bind-users@lists.isc.org > Subject: Re: bind dies with assertion failure > Message-ID: <4ff22373.2000...@mail.utexas.edu> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > I may have missed something but has this been patched in a 9.8.x version > of BIND? According to the 9.9.0 release notes this has been addressed > but just wondering about the availability for other vulnerable versions. > Also, is there a known trigger? > > The reason I'm running is that we're currently running the stock version > of BIND available with RHEL6. It's their policy to backport patches and > if there's a patch available then they may apply it faster rather than > deploying a new version. > > > > Oscar Since this problem is likely being caused by the version of BIND provided by Redhat and not with the release version, this issue is not pertinent to the list. I don't want to clutter up the list with off-topic conversations. If anyone is interested in Redhat's response we can take the conversation offlist but I'm not hopeful they'll do anything about it. While it's always better to compile and install from the latest stable version, it's also nice to use their package management system especially when you have to deal with multiple systems. Oscar ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: bind dies with assertion failure
I disagree about this being off topic. It IS in fact a BIND question but like many BIND implementations is specific to the user's setup. -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Oscar Ricardo Silva Sent: Tuesday, July 03, 2012 10:33 AM To: bind-users@lists.isc.org Subject: Re: bind dies with assertion failure (Sorry, forgot to include the right Subject line so re-sending) > Message: 1 > Date: Mon, 02 Jul 2012 17:40:51 -0500 > From: Oscar Ricardo Silva > > To: bind-users@lists.isc.org > Subject: Re: > bind dies with assertion failure > Message-ID: > <4ff22373.2000...@mail.utexas.edu> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > I may have > missed something but has this been patched in a 9.8.x version > of BIND? > According to the 9.9.0 release notes this has been addressed > but just > wondering about the availability for other vulnerable versions. > Also, is there a known trigger? > > The reason I'm running is that we're currently running the stock version > > of BIND available with RHEL6. It's their policy to backport patches and > > if there's a patch available then they may apply it faster rather than > > deploying a new version. > > > > Oscar Since this problem is likely being caused by the version of BIND provided by Redhat and not with the release version, this issue is not pertinent to the list. I don't want to clutter up the list with off-topic conversations. If anyone is interested in Redhat's response we can take the conversation offlist but I'm not hopeful they'll do anything about it. While it's always better to compile and install from the latest stable version, it's also nice to use their package management system especially when you have to deal with multiple systems. Oscar ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Athena(r), Created for the Cause(tm) Making a Difference in the Fight Against Breast Cancer - CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. -- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RPM [was: Re: bind dies with assertion failure]
> While it's always better to compile and install from the latest > stable version, it's also nice to use their package management > system especially when you have to deal with multiple systems. Building BIND is easy; turning it into an installable RPM not so. I highly recommend fpm [1] which makes building an RPM trivial. :) -JP [1] https://github.com/jordansissel/fpm/wiki/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: RPM [was: Re: bind dies with assertion failure]
Jan-Piet wrote on 07/03/2012 10:41:20 AM: > Building BIND is easy; turning it into an installable RPM not so. > I highly recommend fpm [1] which makes building an RPM trivial. :) Any advice or tricks for making a DEB for Ubuntu? So far my plan was to copy the source directory to each server and just run "make install" on each. I'm only looking at 8 to 10 servers. Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: RPM [was: Re: bind dies with assertion failure]
> > Building BIND is easy; turning it into an installable RPM not so. > > I highly recommend fpm [1] which makes building an RPM trivial. :) > > Any advice or tricks for making a DEB for Ubuntu? Yes: use fpm. :) > So far my plan was to copy the source directory to each server and just > run "make install" on each. I'm only looking at 8 to 10 servers. fpm makes rpm, dep, solaris, puppet modules, and a couple others, IIRC. -JP ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: RPM [was: Re: bind dies with assertion failure]
On Jul 3, 2012, at 10:58 AM, wbr...@e1b.org wrote: > Jan-Piet wrote on 07/03/2012 10:41:20 AM: > >> Building BIND is easy; turning it into an installable RPM not so. >> I highly recommend fpm [1] which makes building an RPM trivial. :) > > Any advice or tricks for making a DEB for Ubuntu? > > So far my plan was to copy the source directory to each server and just > run "make install" on each. I'm only looking at 8 to 10 servers. > This got old for me really fast, so I ended up writing a small script to do this for me… WARNING: This works for me, but doesn't do a huge amount of error checking, may completely trash your machine, cause male pattern baldness, etc. It is in: http://www.auth-servers.net/files/named/upgrade_bind_unattended.sh I run this out of cron every few minutes. It downloads a file called bind_versions.txt (from INSTRUCT_URL). This file contains key value pairs specifying the hostname and version of BIND that that host should be running, something like: ns1: 9.9.1 ns2: 9.8.0 If the hostname is not running the specified version it will: 1: Delete everything in /usr/local/src/bind/ (!) 2: Download the source from ftp://ftp.isc.org/isc/bind9/$BIND_VER/ 3: Check the GPG signature. 4: Build the new BIND and install it. 5: Restart BIND 6: Send mail saying that it is done… I use puppet to push to install this script, and to setup a cronjob to run it (I could have done most of this in puppet itself, but that seems hard :-P) Feel free to update / modify the script to make it work in your environment… W > > > Confidentiality Notice: > This electronic message and any attachments may contain confidential or > privileged information, and is intended only for the individual or entity > identified above as the addressee. If you are not the addressee (or the > employee or agent responsible to deliver it to the addressee), or if this > message has been addressed to you in error, you are hereby notified that > you may not copy, forward, disclose or use any part of this message or any > attachments. Please notify the sender immediately by return e-mail or > telephone and delete this message from your system. > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- She'd even given herself a middle initial - X - which stood for "someone who has a cool and exciting middle name". -- (Terry Pratchett, Maskerade) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND, DNSSEC & AD
Thanks to all that replied. I think the solution I want to pursue is to integrate AD 2012 DNS with BIND. Talk about bleeding edge huh?? From: Tony Finch To: Marc Lampo Cc: John Williams ; bind-users@lists.isc.org Sent: Monday, July 2, 2012 11:10 AM Subject: RE: BIND, DNSSEC & AD Marc Lampo wrote: > > you are aware that Windows DNS service understands DNSSEC algorithm 5 > (RSA/SHA-1 – NSEC) at most ? Carsten Strotmann's post says Windows Server 2012 fixes this limitation http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns Tony. -- f.anthony.n.finch http://dotat.at/ Viking, North Utsire, South Utsire: Southwesterly, backing southeasterly 4 or 5, occasionally 6 at first in Viking. Moderate. Rain or showers. Moderate or good.___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Several (>2) different views [SOLVED]
Just giving a feedback, this method worked great, but in my case, didn't have no negate the keys in the ACL (like the example below), I created one key for each ACL in my configuration and used that ACL for the "match-clients" directive in the view. So, when the slave tried to sync the zone, the matched the key, not the IP address, that way every zone was sync correctly. Thanks for your help! 2012/6/15 Niall O'Reilly > > On 15 Jun 2012, at 01:14, Rodrigo Renie Braga wrote: > > > I've been trying to find examples on how to use TSIG to replicate > several differents views to a slave server, but I could only find with two > views, and I just couldn't figure out how to adapt that example to 3 or > more views. > > > > Could you send me example on how to accomplish that? > > Something like what follows below may be what you need. > This supports 3 views, keyed on TSIG or by default on > client address. For more views, no new ideas are needed. > > include "/etc/select-tsig.keys";// keep keys in protected file > > acl captive-clients { > // Purpose: triage for "captive" view > key select-captive.ucd.ie.; // select on this key > ! key select-internal.ucd.ie.;// by-pass > ! key select-general.ucd.ie.; // by-pass > > 10.137.0.0/16;// Target networks > 10.193.128.0/19; > 10.193.160.0/20; > }; > > acl internal-clients { > // Purpose: triage for "internal" view > key select-internal.ucd.ie.; // select on this key > ! key select-captive.ucd.ie.; // by-pass (redundant) > ! key select-general.ucd.ie.; // by-pass > localhost; > > 172.16.0.0/16;// Special networks > 10.224.0.0/16; > }; > > // Clients not otherwise selected are offered "general" view > > // special-purpose view: 'captive' > view "captive" { > > match-clients { captive-clients; }; > > // view details go here ... > > }; // End view "captive" > > view "internal" { > > match-clients { internal-clients; }; > > // view details go here ... > > }; > > // standard view: 'general' > view "general" { > > match-clients { any; }; > > // view details go here ... > > }; > > I hope this helps. > > Niall O'Reilly > > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkconf view in error message?
If I run named-checkconf -z to check zones in my config, it will report on success or failure of each zone, but will not specify which view. If a zone name exists in more than one view, it will not indicate in which view the failing zone is in. This seems like this would be good information to have. Can I make a request to add that info to the output if possible. Thank you Not that it matters but bind9.8.1-P1 build from the source. -- Jack Tavares ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkconf view in error message?
On Tue, Jul 03, 2012 at 10:54:19PM +, Jack Tavares wrote: > If I run named-checkconf -z to check zones in my config, it will > report on success or failure of each zone, but will not specify which view. > > If a zone name exists in more than one view, it will not indicate in which > view > the failing zone is in. > > This seems like this would be good information to have. > Can I make a request to add that info to the output if possible. The best place for this kind of suggestion is bind-sugg...@isc.org, but don't worry about it, I'll forward this along for you. It's a good idea. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: getting edns disabling message in logs
Hi Tony, Thanks for your kind response. Disabling EDNS due to firewall misconfiguration, raise any problem to DNS activity.? I mean my users face any name resolution problesms or ...? Is there any way that we can show that current disabling EDNS happens by firewall issue ? Regards, Ben Ben wrote: We run bind as caching only dns server for our customers. In logs, i can see so many entries which tells success resolving 'x.y.z/A' (in '.'?) after disabling EDNS How to check that current bind installation has EDNS enabled or ? what could be reason behind it? BIND has EDNS enabled by default. These log messages indicate that BIND is trying and failing to make EDNS queries. This is usually caused by a misconfigured firewall between the name server and the rest of the Internet. Tony. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users