Re: DNS Blackholing
On 12/05/2012 06:10 AM, Nick Edwards wrote:
> Hi All,
>
> Is there a way for RPZ zone file to act on domain AND subdomains without using two separate entries? At present I can only get them to match on one or the other unless I do
>
>     example.com    blah
>     *.example.com  blah
>
> I'm sure I've missed the obvious, but thought I'd ask

I don't think so. I think you need two entries.

AFAICT the expectation is that (much) higher-level tooling will be used to generate and update the RPZ zonefile, and handle the expansion of name-or-suffix into two entries.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
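The "higher-level tooling" the reply refers to can be quite small. The script below is an added example (not code from this thread or from BIND) that expands a blocklist into RPZ zone-file lines: for every name that should cover itself and all of its subdomains it emits both the exact entry and the "*." wildcard, since one RPZ owner name only ever matches one or the other. The zone name "rpz.local", the SOA values and the sample blocklist are constructed for the example.

```python
"""Generate RPZ zone-file entries that cover a name and all of its subdomains.

Added example, not code from the bind-users thread or from BIND. A single RPZ
owner name matches either the exact name or (with a leading "*.") names
beneath it, never both, so the tool emits both lines for every entry that
should cover a whole suffix. The zone name "rpz.local", the SOA values and
the sample blocklist are constructed.
"""

# RPZ trigger actions expressed as the special CNAME targets RPZ defines.
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata": "CNAME *.",               # answer NODATA (NOERROR, empty answer)
    "passthru": "CNAME rpz-passthru.",  # exempt the name from later rules
}


def normalise(name):
    """Lower-case a domain name and strip whitespace and the trailing dot."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty domain name")
    return name


def rpz_entries(name, action="nxdomain", include_subdomains=True):
    """Return the RPZ lines for one blocked name.

    With include_subdomains=True this is the two-entry form from the thread:
    the exact name plus the "*." wildcard for everything beneath it.
    """
    name = normalise(name)
    rdata = ACTIONS[action]
    lines = [f"{name} {rdata}"]
    if include_subdomains:
        lines.append(f"*.{name} {rdata}")
    return lines


def is_covered(name, suffixes):
    """True if name is a proper subdomain of any suffix in suffixes."""
    return any(name.endswith("." + s) for s in suffixes)


def build_rpz_zone(blocklist, zone="rpz.local", serial=1, ttl=60):
    """Render a complete RPZ zone from (name, action, include_subdomains) tuples.

    Names already covered by another entry's wildcard are omitted, so listing
    both "example.com" (with subdomains) and "bad.example.com" yields only the
    two example.com lines. Owner names are relative to $ORIGIN, as RPZ expects.
    """
    entries = []
    seen = set()
    for name, action, subs in blocklist:
        name = normalise(name)
        if name in seen:  # first occurrence of a name wins
            continue
        seen.add(name)
        entries.append((name, action, subs))

    wildcards = [n for n, _, subs in entries if subs]
    body = []
    for name, action, subs in entries:
        if is_covered(name, wildcards):
            continue
        body.extend(rpz_entries(name, action, subs))

    header = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 {ttl}",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    # Constructed sample blocklist: a suffix, a redundant child of it, and an
    # exact-name-only entry.
    sample = [
        ("example.com.", "nxdomain", True),
        ("bad.example.com", "nxdomain", True),
        ("tracker.example.net", "nodata", False),
    ]
    print(build_rpz_zone(sample, serial=2012120501))
```

The redundancy check matters when the blocklist is generated from several feeds: a child name under an already-wildcarded suffix adds nothing but zone size, and a name listed once as a suffix and once exactly would otherwise produce conflicting owner records.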
Re: DNS Blackholing
On 12/04/2012 06:35 PM, Barry S. Finkel wrote:
> A question from the OP that has not yet been answered -
> Make the zones masters on all servers.

Surely not for RPZ? The whole point with RPZ is that you have one zone containing all the blacklists, master in one place, and slave it in all the others.

For traditional DNS blacklisting (one zone per blacklisted name/suffix) sure, but I'm honestly not sure why anyone would start out down that road today with RPZ available.
Re: DNS Blackholing
On Wed, 2012-12-05 at 09:13 +0000, Phil Mayers wrote:
> On 12/04/2012 06:35 PM, Barry S. Finkel wrote:
>> A question from the OP that has not yet been answered -
>> Make the zones masters on all servers.
>
> Surely not for RPZ? The whole point with RPZ is that you have one zone containing all the blacklists, master in one place, and slave it in all the others.
>
> For traditional DNS blacklisting (one zone per blacklisted name/suffix) sure, but I'm honestly not sure why anyone would start out down that road today with RPZ available.

Response times would be a good reason. An RPZ zone still goes through the motions.

Forged (local empty) zone:

    dig .xxxtoolbar.com
    <snip>
    ;; Query time: 0 msec

(all local zones the same, 0 msec)

RPZ:

    dig bobi.at
    ;; Query time: 996 msec

(avg response time it seems for RPZ'd zones)

So it sure as hell doesn't work the same as forged empty zones. RPZ is awesome if you want to wallgarden a hostname, but for just speedy dropping, empty zone beats it hands down even if it is messier requiring its own zone.
Re: Querying directly a nameserver works, while forwarding not
On Wed, 2012-12-05 at 10:23 +0100, Daniele Imbrogino wrote:
> /etc/bind/named.conf.option

WTF is that file? It certainly is not an ISC named file. If you are using some butchered-to-buggery distro's file, please ask on your distro's mailing list; we are not to know what that file contains, or expects.
Re: Querying directly a nameserver works, while forwarding not
On 05.12.2012 10:23, Daniele Imbrogino wrote:
> I restarted BIND9 and then I tried, for example, 'dig www.apple.com' obtaining "connection timed out; no servers could be reached". But if I try 'dig @10.0.2.3 www.apple.com' it works correctly and I obtain the correct answer. Why? How can I resolve this problem?

Look at your resolv.conf and make sure that it actually directs queries to your newly installed BIND.

Check the log for mentions of rejected queries, even though those shouldn't result in a timeout. The default configuration allows recursive queries from localhost and your local network.

If all else fails, trace the query packets with tcpdump and find out where they end up.

Hauke.
Re: DNS Blackholing
On 12/05/2012 11:45 AM, Noel Butler wrote:
> RPZ:
>
>     dig bobi.at
>     ;; Query time: 996 msec

You're correct that blackhole zones and RPZ have different performance characteristics.

For others reading, this is because with RPZ, the real name is queried first, then RPZ applies to the answers, so if the real name is slow, you'll see slowness until it's in-cache. However, once the real name is cached, 2nd and subsequent queries are fast.

So, querying an RPZ-blocked name is at worst as slow as the unblocked name, and fast once it's in-cache. Clearly a blackhole zone won't trigger a recursive query and will always answer immediately.

> (avg response time it seems for RPZ'd zones)
>
> So it sure as hell doesn't work the same as forged empty zones

Sure.

> RPZ is awesome if you want to wallgarden a hostname, but for just speedy dropping, empty zone beats it hands down even if it is messier requiring its own zone.

I guess this depends on your query pattern. I observe fast queries on 2nd access to RPZ blocked names, and we see a lot of hits to a small percentage of the names.

Obviously if people want to use blackholed zones, they can. In our case, the value of RPZ is that we can slave a feed from a trusted provider, which is far harder to manage if you're having to generate 675,000 blackhole zones and run "rndc reconfig" every few minutes to catch fast-flux DNS for botnet control channels.

But I take your point - people need to understand the characteristics of the feature before deciding what's appropriate.
Re: truncated responses vs. minimal-responses?
On 28.11.12 18:38, Tony Finch wrote:
>>> Yes it does. For example, have a look at responses to queries for dotat.at in mx for various buffer sizes and observe that RRsets are dropped but the TC bit is not set.

On 11/30/2012 01:30 PM, Matus UHLAR - fantomas wrote:
>> Nice to see. I'm seeing recommendations to set minimal-responses to avoid truncation problem anywhere and I'd like to have documented somewhere that it just won't help...

On 03.12.12 09:41, Gilles Massen wrote:
> Truncation happens only if the ANSWER section is too large, and as minimal-responses only affects AUTHORITY and ADDITIONAL the effect on truncation should be null.

I'm curious if there's any case where the AUTHORITY section is needed for proper function of DNS. I think I've seen reports about truncated responses with AUTHORITY section added ... maybe intermediate firewall or loadbalancer truncating them...

> For UDP fragmentation it is an entirely different matter, of course. But should default settings really be optimized to accommodate broken firewalls?

Default or non-default, if we are behind firewall or loadbalancer, we should know when they cause troubles.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
Re: Expiration TTLs
On 02.12.12 18:10, Paul Romano wrote:
> Thanks for the correction on the term TTL instead of timer. The engineer I inherited this environment from has the refresh set to 40 minutes and the zone expiration set to 2 hours. The explanation I got was that since we are authoritative for AD we want to ensure that some kind of scavenging is in place.

... and if your primary server(s) will fail for 2 hours, your zone will stop working.

> Your explanation suggests that the refresh time is strictly survivability and will not force an update if the serial numbers do not increment enough to implement the refresh.

That is how DNS works. The problem with Microsoft DNS servers and AD is that they do not follow this standard.

> Am I stating this correctly? Any suggestions?

According to what I know, use 2-3 AD servers and keep DNS on them. Just make sure they will not fail at the same time...

If anyone has better info on how Microsoft AD servers work with DNS, just let us know...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows found: (R)emove, (E)rase, (D)elete
Re: Can't find named_dump.db
On 03.12.12 21:32, Daniele Imbrogino wrote:
> I edited the working directory to /etc/bind because this is the directory where I have all the zone data files. If I use the default /var/cache/bind do I have to move also the zone data files

No, you will just have to provide the full path in the zones' filename statements.

> (or, at least, create an alias)?

You can make symlinks from /var/cache/bind pointing to /etc/bind if you need.

> I'm saying this because even if the default configuration has /var/cache/bind as default working directory, all the files are in /etc/bind by default.

It's done this way just to have dumps and core files in /var/cache/bind where named usually can write, instead of /etc where it usually can't (and shouldn't).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
Re: truncated responses vs. minimal-responses?
In message <20121205125024.gc11...@fantomas.sk>, Matus UHLAR - fantomas writes:
> On 28.11.12 18:38, Tony Finch wrote:
>>>> Yes it does. For example, have a look at responses to queries for dotat.at in mx for various buffer sizes and observe that RRsets are dropped but the TC bit is not set.
>
> On 11/30/2012 01:30 PM, Matus UHLAR - fantomas wrote:
>>> Nice to see. I'm seeing recommendations to set minimal-responses to avoid truncation problem anywhere and I'd like to have documented somewhere that it just won't help...
>
> On 03.12.12 09:41, Gilles Massen wrote:
>> Truncation happens only if the ANSWER section is too large, and as minimal-responses only affects AUTHORITY and ADDITIONAL the effect on truncation should be null.
>
> I'm curious if there's any case where the AUTHORITY section is needed for proper function of DNS. I think I've seen reports about truncated responses with AUTHORITY section added ... maybe intermediate firewall or loadbalancer truncating them...

Yes. Referrals. Additionally the additional section records are not optional in a referral.

Records added at step 6 of Section 4.3.2. of RFC 1034 are optional. Records added to the additional section at other steps are not optional. There have been demonstrated cases of referrals failing due to not adding glue records in a referral.

Named will produce responses with TC=1 as a result of not being able to add records to the additional section. Every referral from the root servers to COM or NET using plain DNS should result in TC=1 being set.

>> For UDP fragmentation it is an entirely different matter, of course. But should default settings really be optimized to accommodate broken firewalls?
>
> Default or non-default, if we are behind firewall or loadbalancer, we should know when they cause troubles.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: OT - Dns test Q/A
On 29.11.12 11:44, Chiesa Stefano wrote:
> I created an application to delegate zone management to colleagues that are used to ask changes to that zones. I would set up a small zone administration test to verify a minimal dns knowledge (right use of main RR such A-CNAME-MX.) Can you suggest me a document from which I can extract few questions? Sorry for the OT and thanks in advance.

Sorry for not responding sooner, but I have no idea where you could find such information. I can only recommend you to search the net for already existing dns knowledge tests...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
2B|!2B, that's a question!
Re: OT - Dns test Q/A
I don't have any source of a DNS exam, but since you seem to be expecting a limited set of skills, how about a few questions of the sort:

    What is an A record?
    What is an MX record?
    What does the SOA record contain?
    What does the serial number control?

Think about what they will be working with and make up simple questions about it. Perhaps come up with a few questions on what could happen if they see certain behaviors and how they would troubleshoot.

Years ago, I was told that you can either spend time creating an exam or you can spend time grading it. Creating short answer or essay questions is quick and easy. Grading them takes time. Creating a good true/false or multiple choice test is very difficult and time consuming. Grading it is a snap.

Good luck.
Re: Querying directly a nameserver works, while forwarding not
On Wed, 2012-12-05 at 10:23 +0100, Daniele Imbrogino wrote:
>> /etc/bind/named.conf.option

On 05.12.12 21:47, Noel Butler wrote:
> WTF is that file? it certainly is not an ISC named file.

It's a file containing the options section, installed by default in Debian. From the changelog:

    * Do options definitions in /etc/bind/named.conf.options, makes life easier in the face of named.conf changes from upstream.

> if you are using some butchered to buggery distros file, please ask on your distros mailing list we are not to know what that file contains, or expects

It should only contain the options { }; directive with included options. The bad part is when someone maintains multiple servers with similar settings: only the differing options should be included in an external file, with common options in the main config file.

Debian uses:

    - named.conf
        // no host-specific options
        include "named.conf.options";

    - named.conf.options
        options {
            listen-on ...;
        };

I used instead:

    - named.conf:
        options {
            // common.options
            ...
            include "named.conf.options";
        };

    - named.conf.options:
        // host-specific options
        listen-on ...;

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Christian Science Programming: Let God Debug It!.
Re: Querying directly a nameserver works, while forwarding not
resolv.conf contains only 127.0.0.1 as nameserver. The syslog contains a lot of errors as "insecurity proof failed", "no valid RRSIG", "got insecure response" that I don't understand.
Re: Can't find named_dump.db
Finally I solved it! The problem was in the write permission of /etc, while in /var/cache/bind it works perfectly! Thank you for the assistance!

2012/12/5 Matus UHLAR - fantomas <uh...@fantomas.sk>
> On 03.12.12 21:32, Daniele Imbrogino wrote:
>> I edited the working directory to /etc/bind because this is the directory where I have all the zone data files. If I use the default /var/cache/bind do I have to move also the zone data files
>
> no, you will just have to provide full path in zones' filename statements
>
>> (or, at least, create an alias)?
>
> you can make symlinks from /var/cache/bind pointing to /etc/bind if you need
>
>> I'm saying this because even if the default configuration has /var/cache/bind as default working directory, all the files are in /etc/bind by default.
>
> it's done this way just to have dumps and core files in /var/cache/bind where named usually can write, instead of /etc where it usually can't (and shouldn't).
>
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Silvester Stallone: Father of the RISC concept.
Linux issue with make test failures, 9.9.2-P1
Hi,

The "make test" stuff is failing miserably for me on Linux (Redhat 6.3, x64) with 9.9.2-P1:

    if test -f ./runall.sh; then sh ./runall.sh; fi
    S:acl:Wed Dec 5 08:10:01 EST 2012
    T:acl:1:A
    A:System test acl
    I:Couldn't start server ns2 (pid=7621)
    R:FAIL
    S:allow_query:Wed Dec 5 08:10:15 EST 2012
    T:allow_query:1:A
    A:System test allow_query
    I:Couldn't start server ns2 (pid=7684)
    R:FAIL
    S:addzone:Wed Dec 5 08:10:29 EST 2012
    T:addzone:1:A
    A:System test addzone
    I:Couldn't start server ns2 (pid=7735)
    R:FAIL
    (etc)
    I:System test result summary:
    I:43 FAIL
    I: 6 PASS
    I: 3 SKIPPED

The same "make test" worked perfectly on Solaris SPARC. I ran "bin/tests/systems/ifconfig.sh up" as root, then ran "make test" (tried both as me and as root) -- failure. This happened on both a vmware virtual server and a physical server.

Any ideas? What changed? A bug?

Jeff Earickson
Colby College
Re: Querying directly a nameserver works, while forwarding not
On 05.12.2012 14:59, Daniele Imbrogino wrote:
> resolv.conf contains only 127.0.0.1 as nameserver. The syslog contains a lot of errors as "insecurity proof failed", "no valid RRSIG", "got insecure response" that I don't understand.

Your forwarder probably doesn't handle DNSSEC responses well. Therefore your BIND cannot validate the answers and returns a failure code. Either update the forwarder/enable DNSSEC (older versions of BIND 9 require "dnssec-enable yes;" in the options clause), or disable DNSSEC validation in your local BIND (set "dnssec-validation no;").

Hauke
Re: truncated responses vs. minimal-responses?
Mark Andrews <ma...@isc.org> wrote:
> In message <20121205125024.gc11...@fantomas.sk>, Matus UHLAR - fantomas writes:
>> I'm curious if there's any case where the AUTHORITY section is needed for proper function of DNS.
>
> Yes. Referrals.

And, (to a lesser extent) negative answers, since the negative cache TTL comes from the SOA record in the authority section.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
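The three messages in this thread (Matus UHLAR's question about when AUTHORITY is needed, Mark Andrews' answer about referrals and the optional step-6 additional data, and Tony Finch's point about the SOA in negative answers) describe a set of rules that is easier to see as code. The model below is an added example, not BIND's code: it fits a response into a UDP buffer by adding the records the response cannot do without first (ANSWER, the NS set and glue of a referral, the SOA of a negative answer) and setting TC only when one of those fails to fit, then adding optional AUTHORITY/ADDITIONAL data RRset by RRset while it fits and dropping it silently otherwise, which is the "RRsets dropped, TC not set" behaviour Tony observed; minimal-responses simply skips the optional data. Record sizes are constructed byte counts, not real wire encoding, and the referral helper's counts and names are constructed.

```python
"""Model of how a DNS server fits a response into the client's UDP buffer.

Added example, not BIND code. It models the rules the thread states:
minimal-responses only trims AUTHORITY and ADDITIONAL, truncation (TC=1)
is forced only when records the response cannot do without fail to fit,
and additional data added at RFC 1034 section 4.3.2 step 6 (for example the
A records for MX targets) is optional and is dropped silently, while the NS
set and glue of a referral, and the SOA of a negative answer, are required.
Record sizes are constructed byte counts, not real wire encoding.
"""
from dataclasses import dataclass, field

HEADER_SIZE = 12  # fixed DNS message header


@dataclass
class RR:
    owner: str
    rtype: str
    size: int               # constructed wire size in bytes
    optional: bool = False  # True for step-6 additional data


@dataclass
class Response:
    question_size: int
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)
    referral: bool = False   # AUTHORITY holds the delegation NS set
    negative: bool = False   # AUTHORITY holds the SOA for negative caching


def fit_response(resp, udp_size=512, minimal_responses=False):
    """Return ({section: [RR, ...]}, tc) for the response as it would be sent.

    Required records (ANSWER, plus AUTHORITY/ADDITIONAL data the response is
    incomplete without) are added first; if one does not fit, TC is set.
    Optional records are then added RRset by RRset while there is room and
    otherwise dropped without TC.
    """
    budget = udp_size - HEADER_SIZE - resp.question_size
    kept = {"answer": [], "authority": [], "additional": []}

    authority_required = resp.referral or resp.negative
    required = [("answer", rr) for rr in resp.answer]
    optional = []
    for rr in resp.authority:
        (required if authority_required else optional).append(("authority", rr))
    for rr in resp.additional:
        (optional if rr.optional else required).append(("additional", rr))

    for section, rr in required:
        if rr.size > budget:
            return kept, True          # cannot send a complete answer: TC=1
        budget -= rr.size
        kept[section].append(rr)

    if minimal_responses:
        return kept, False             # optional sections are never populated

    # Group optional records into RRsets so a set is kept whole or not at all.
    rrsets = {}
    for section, rr in optional:
        rrsets.setdefault((section, rr.owner, rr.rtype), []).append(rr)
    for (section, _, _), rrs in rrsets.items():
        total = sum(rr.size for rr in rrs)
        if total <= budget:
            budget -= total
            kept[section].extend(rrs)
    return kept, False


def referral_to_tld(ns_count=13, ns_size=30, glue_size=16, udp_size=512):
    """Constructed root-to-TLD style referral: NS set plus required glue."""
    resp = Response(
        question_size=20,
        authority=[RR("example", "NS", ns_size) for _ in range(ns_count)],
        additional=[RR(f"ns{i}.example", "A", glue_size) for i in range(ns_count)],
        referral=True,
    )
    return fit_response(resp, udp_size=udp_size)


if __name__ == "__main__":
    for size in (512, 4096):
        kept, tc = referral_to_tld(udp_size=size)
        print(f"udp_size={size}: TC={tc}, glue kept={len(kept['additional'])}")
```

Running the referral helper with a 512-byte buffer sets TC while a 4096-byte EDNS buffer does not, which is the "every plain-DNS referral from the root to COM or NET has TC=1" case Mark describes; the MX case with oversized optional A records loses the extra RRset without TC, so turning on minimal-responses changes nothing about truncation there.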
how to restrict nsupdate to a single A or PTR record?
Hello,

I have a domain called mydomain.org. I would need a way to allow access with nsupdate not to the entire domain mydomain.org but only to specific hosts and specific IP addresses to be modified using nsupdate.

Here is my config:

    zone "mydomain.org" IN {
        type master;
        allow-query { any; };
        file "mydomain.org.db";
        update-policy {
            grant mykey. subdomain mydomain.org. A TXT CNAME;
        };
    };

But in this way anyone can modify any hosts in the domain. How can I restrict and allow to modify only specific hosts? For example I would like to restrict to modify only host1.mydomain.org with a given key. Is it possible?

Thank you
Rick
Re: how to restrict nsupdate to a single A or PTR record?
On 12/05/2012 11:29 AM, fddi wrote:
> Hello,
>
> I have a domain called mydomain.org. I would need a way to allow access with nsupdate not to the entire domain mydomain.org but only to specific hosts and specific IP addresses to be modified using nsupdate.
>
> Here is my config:
>
>     zone "mydomain.org" IN {
>         type master;
>         allow-query { any; };
>         file "mydomain.org.db";
>         update-policy {
>             grant mykey. subdomain mydomain.org. A TXT CNAME;
>         };
>     };
>
> But in this way anyone can modify any hosts in the domain. How can I restrict and allow to modify only specific hosts? For example I would like to restrict to modify only host1.mydomain.org with a given key. Is it possible?

Make the records you want to be modifiable into their own zones.
Re: how to restrict nsupdate to a single A or PTR record?
In message <50bfaba3.5040...@dougbarton.us>, Doug Barton writes:
> On 12/05/2012 11:29 AM, fddi wrote:
>> Hello,
>>
>> I have a domain called mydomain.org. I would need a way to allow access with nsupdate not to the entire domain mydomain.org but only to specific hosts and specific IP addresses to be modified using nsupdate.
>>
>> Here is my config:
>>
>>     zone "mydomain.org" IN {
>>         type master;
>>         allow-query { any; };
>>         file "mydomain.org.db";
>>         update-policy {
>>             grant mykey. subdomain mydomain.org. A TXT CNAME;
>>         };
>>     };
>>
>> But in this way anyone can modify any hosts in the domain. How can I restrict and allow to modify only specific hosts? For example I would like to restrict to modify only host1.mydomain.org with a given key. Is it possible?
>
> make the records you want to be modifiable into their own zones.

    grant mykey. name host1.mydomain.org. A

or

    grant host1.mydomain.org. self . A

or

    grant local:/path/to/socket external * A

or

    grant local:/path/to/socket external * ANY

The last two require an external tool to make the decision.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: how to restrict nsupdate to a single A or PTR record?
On 12/05/2012 07:29 PM, fddi wrote:
> Hello,
>
> I have a domain called mydomain.org. I would need a way to allow access with nsupdate not to the entire domain mydomain.org but only to specific hosts and specific IP addresses to be modified using nsupdate.
>
> Here is my config:
>
>     zone "mydomain.org" IN {
>         type master;
>         allow-query { any; };
>         file "mydomain.org.db";
>         update-policy {
>             grant mykey. subdomain mydomain.org. A TXT CNAME;
>         };
>     };
>
> But in this way anyone can modify any hosts in the domain.

No - people with mykey. can update any A/TXT/CNAME records at or under mydomain.org. Subtle difference.

> How can I restrict and allow to modify only specific hosts?

Name them in the policy.

> For example I would like to restrict to modify only host1.mydomain.org with a given key. Is it possible?

Erm, yes. Just use "name" rather than "subdomain", and specify the name you want.

Have you *read* the section on update-policy in the ARM?
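The difference between the original policy and the ones Mark and Phil suggest is in how a rule's name field is matched. The evaluator below is an added example, not BIND's code: it parses grant/deny lines in the update-policy syntax used in this thread and decides whether a signing key may touch a given record, using the semantics the replies rely on: "subdomain" matches the named name and everything under it, "name" matches exactly one name, "self" ties the key to the record whose name equals the key's name, rules are tried in order with the first match deciding, and an update no rule matches is refused. The "external" rule type, which hands the decision to an outside program, is not modelled. The key names, zone names and policies are the constructed ones from the thread.

```python
"""Evaluate BIND-style update-policy grant rules against a proposed update.

Added example, not BIND code. It reproduces the matching semantics the
thread turns on: "subdomain" lets the key change records at the named name
and everything below it, "name" restricts it to that one name, and "self"
ties the key to the record whose name equals the key name. Rules are tried
in order and the first one that matches decides; an update no rule matches
is refused. The "external" rule type is not modelled. Key names, zone names
and the sample policies are constructed.
"""
from dataclasses import dataclass

# With no explicit type list, the rule matches every type except these.
DEFAULT_EXCLUDED_TYPES = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


@dataclass(frozen=True)
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # TSIG key name, or "*" for any signer
    ruletype: str      # "name", "subdomain" or "self"
    name: str          # target name; "." is the placeholder used with "self"
    types: frozenset   # empty means the default type set


def _norm(name):
    return name.strip().rstrip(".").lower()


def parse_policy(text):
    """Parse the grant/deny lines of an update-policy { ... } block."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line.startswith(("grant ", "deny ")):
            continue  # skip "update-policy {", "};" and comments
        action, identity, ruletype, name, *types = line.split()
        if ruletype not in ("name", "subdomain", "self"):
            raise ValueError(f"unsupported rule type: {ruletype}")
        rules.append(Rule(action, identity, ruletype, name,
                          frozenset(t.upper() for t in types)))
    return rules


def _name_matches(rule, signer, target):
    if rule.ruletype == "name":
        return target == _norm(rule.name)
    if rule.ruletype == "subdomain":
        base = _norm(rule.name)
        return target == base or target.endswith("." + base)
    return target == signer  # "self": record name must equal the key name


def is_update_allowed(rules, signer, target, rtype):
    """True if the signing key may add or delete records of rtype at target."""
    signer, target, rtype = _norm(signer), _norm(target), rtype.upper()
    for rule in rules:
        if rule.identity != "*" and _norm(rule.identity) != signer:
            continue
        if not _name_matches(rule, signer, target):
            continue
        if rule.types:
            if "ANY" not in rule.types and rtype not in rule.types:
                continue
        elif rtype in DEFAULT_EXCLUDED_TYPES:
            continue
        return rule.action == "grant"
    return False  # no matching rule: refused


# Constructed policies: the original whole-zone one and the tightened one.
LOOSE_POLICY = """
update-policy {
    grant mykey. subdomain mydomain.org. A TXT CNAME;
};
"""
TIGHT_POLICY = """
update-policy {
    grant mykey. name host1.mydomain.org. A;
};
"""

if __name__ == "__main__":
    for label, policy in (("subdomain", LOOSE_POLICY), ("name", TIGHT_POLICY)):
        rules = parse_policy(policy)
        for host in ("host1.mydomain.org.", "host2.mydomain.org."):
            print(label, host, "A:", is_update_allowed(rules, "mykey.", host, "A"))
```

Run as a script it shows the two policies side by side: with "subdomain", mykey. can update host2 as well as host1 (and the zone apex), which is exactly the over-grant Phil points out; with "name", only host1 is updatable. The same function lets you check a draft policy against a list of names and types before loading it into named.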
Re: RHEL, Centos, Fedora rpm 9.9.2-p1
On 12/05/2012 04:46 AM, Carl Byington wrote:
> http://www.five-ten-sg.com/util/bind-9.9.2-0.2.P1.fc18.src.rpm

Carl,

Thanks for this. One minor thing - the -P1 is missing from the embedded tarball. I think there might be something going on with the %{VERSION} macro?
Re: how to restrict nsupdate to a single A or PTR record?
On 12/05/2012 12:30 PM, Mark Andrews wrote:
>     grant mykey. name host1.mydomain.org. A

Ah, cool ... learned something new today. :)

Doug
Preference of Master Name Servers
I have some questions and would really appreciate if someone would be able to assist. I just started a new job at a hosting company and am in a little bit over my head.

Question 1:

In our secondary / slave name servers we specify the master name servers in the normal manner:

    zone "mysample.me.uk" {
        type slave;
        file "m/y/db.mysample.me.uk";
        masters { 10.10.100.12; 10.10.101.12; 10.10.102.5; };
    };

What I have found is that the order of the master name servers does not matter and one is used at random. That name server is tried for all AXFR / IXFR attempts until it is unreachable. Is there a way to set a dedicated preference of which name servers to use first?

Question 2:

I am also seeing many entries in our logs that look like:

    Dec 4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)

Does this mean that the master name server is unreachable? I have confirmed that it is reachable by UDP and TCP. Or does it mean that we are hitting one of our limits? Our current values are:

    serial-query-rate 500;
    transfers-out 300;
    transfers-in 300;
    transfers-per-ns 100;

Question 3:

We have over 100,000 domains on the name servers. What we see is that once we start seeing many of these "exceeded" messages in the logs then our "soa queries in progress" will go up significantly and never goes back down. We have to shut down the name server and restart it, and then the "soa queries in progress" goes down to 0 or 1 and the "exceeded" messages go away. Has anyone had a similar problem? If so, how did you resolve this?

Sure hope someone out there can help, thank you in advance!
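With 100,000 zones, the useful question about the "retry limit for master ... exceeded" lines (which named logs when its SOA refresh query to that master got no answer after its retries) is whether they cluster on one master or are spread across all of them. The script below is an added example, not BIND code or anything from this thread: it parses lines in the format quoted above, counts events per master and lists the distinct zones each master failed for, so a master that fails refresh for many zones (a path, rate-limit or master-side problem) stands out from a single zone with a bad masters list. The host name, addresses and sample log excerpt are constructed in the quoted format.

```python
"""Summarise named "refresh: retry limit for master ... exceeded" log lines.

Added example, not BIND code. The log line format is the one quoted in the
question; the sample lines, host name and addresses below are constructed.
Events are grouped by master so that one master failing refresh for many
distinct zones stands out from a single zone with a bad masters list.
"""
import re
from collections import Counter, defaultdict

RETRY_LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"zone (?P<zone>\S+)/IN: refresh: retry limit for master "
    r"(?P<master>[0-9A-Fa-f.:]+)#(?P<port>\d+) exceeded "
    r"\(source (?P<source>[0-9A-Fa-f.:]+)#(?P<sport>\d+)\)$"
)


def parse_retry_events(lines):
    """Return one dict per matching line; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = RETRY_LIMIT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def events_per_master(events):
    """Count of retry-limit events per master address."""
    return Counter(e["master"] for e in events)


def zones_per_master(events):
    """Sorted list of distinct zones that hit the limit, per master."""
    zones = defaultdict(set)
    for e in events:
        zones[e["master"]].add(e["zone"])
    return {m: sorted(z) for m, z in zones.items()}


def masters_to_investigate(events, min_zones=3):
    """Masters failing refresh for at least min_zones distinct zones."""
    return sorted(m for m, z in zones_per_master(events).items()
                  if len(z) >= min_zones)


# Constructed sample log excerpt in the format quoted in the question.
SAMPLE_LOG = """\
Dec  4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:50 mysys named[28103]: zone example-a.test/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:52 mysys named[28103]: zone example-b.test/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:29:01 mysys named[28103]: zone example-a.test/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:29:05 mysys named[28103]: zone example-c.test/IN: refresh: retry limit for master 10.10.102.5#53 exceeded (source 10.10.100.25#0)
Dec  4 10:29:07 mysys named[28103]: zone example-c.test/IN: Transfer started.
"""

if __name__ == "__main__":
    evs = parse_retry_events(SAMPLE_LOG.splitlines())
    per_zone = zones_per_master(evs)
    for master, count in events_per_master(evs).most_common():
        print(f"{master}: {count} events, zones={per_zone[master]}")
    print("investigate:", masters_to_investigate(evs))
```

Feed it the real log (for example `parse_retry_events(open("/var/log/named.log"))`) and compare the per-master counts against the masters lists: a master that dominates the list across unrelated zones is the one to check for reachability and rate limits first.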
Re: RHEL, Centos, Fedora rpm 9.9.2-p1
On Wed, 2012-12-05 at 21:04 +0000, Phil Mayers wrote:
> Thanks for this. One minor thing - the -P1 is missing from the embedded tarball. I think there might be something going on with the %{VERSION} macro?

Major - that version was actually 9.9.2, NOT 9.9.2-P1. Sorry about that - I failed to follow my own written build directions.

Fixed in http://www.five-ten-sg.com/util/bind-9.9.2-0.3.P1.fc18.src.rpm
SPF records in reverse zones?
This may be a silly question, but are SPF records supposed to be supported in reverse zones? I'm thinking of a mail server that has no entry in the DNS.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog

GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Re: SPF records in reverse zones?
On Thu, 6 Dec 2012, Karl Auer wrote:
> This may be a silly question, but are SPF records supposed to be supported in reverse zones? I'm thinking of a mail server that has no entry in the DNS.

Well, most mail servers will reject such a server (i.e. one with NO rdns).

However, there's another possible interpretation of your request. SPF records go in the zone of the envelope-sender. So if your server's ip is 72.9.101.130, and your mail address REALLY is b...@130.101.9.72.in-addr.arpa, then the reverse zone would also need to have an MX and possibly an A record, in order to route mail to it, which goes a far cry from being a server that has no entry in the DNS.

I can't even imagine what spamfilters would think of such an address. :)

-Dan Mahoney
Re: SPF records in reverse zones?
In article <mailman.818.1354751059.11945.bind-us...@lists.isc.org>, Karl Auer <ka...@biplane.com.au> wrote:
> This may be a silly question, but are SPF records supposed to be supported in reverse zones? I'm thinking of a mail server that has no entry in the DNS.

Many anti-spam rules block mail from servers with no reverse DNS, so it seems pointless to have SPF records to support them.

-- 
Barry Margolin
Arlington, MA
Re: SPF records in reverse zones?
In message <alpine.bsf.2.00.1212052345240.58...@bikeshed.isc.org>, Dan Mahoney writes:
> On Thu, 6 Dec 2012, Karl Auer wrote:
>> This may be a silly question, but are SPF records supposed to be supported in reverse zones? I'm thinking of a mail server that has no entry in the DNS.
>
> Well, most mail servers will reject such a server (i.e. one with NO rdns).
>
> However, there's another possible interpretation of your request. SPF records go in the zone of the envelope-sender. So if your server's ip is 72.9.101.130, and your mail address REALLY is b...@130.101.9.72.in-addr.arpa, then the reverse zone would also need to have an MX and possibly an A record, in order to route mail to it, which goes a far cry from being a server that has no entry in the DNS.
>
> I can't even imagine what spamfilters would think of such an address. :)

There are some people who actually do that.

> -Dan Mahoney

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Improved SSL Error Logging [RT #29932]
Hi Shane, Mark, Evan

On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:
> Noel,
>
> These changes are in our review queue now, so will go in future releases.
>
> Cheers,

I guess this was not pushed in? After update to 9.9.2-P1 the old logging returned, eg:

    <huge snip>
    Dec 6 10:47:30 ns1 named[9671]: RSA_verify failed
    Dec 6 10:47:30 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
    Dec 6 10:47:30 ns1 named[9671]: sucessfully validated after lower casing signer 'US'
    Dec 6 10:47:30 ns1 named[9671]: RSA_verify failed
    Dec 6 10:47:30 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
    Dec 6 10:47:30 ns1 named[9671]: sucessfully validated after lower casing signer 'US'
    Dec 6 10:50:09 ns1 named[9671]: RSA_verify failed
    Dec 6 10:50:09 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
    Dec 6 10:50:09 ns1 named[9671]: sucessfully validated after lower casing signer 'CO'
    Dec 6 10:50:09 ns1 named[9671]: RSA_verify failed
    Dec 6 10:50:09 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
    Dec 6 10:50:09 ns1 named[9671]: sucessfully validated after lower casing signer 'CO'
    <snip>

> -- 
> Shane Kerr
> ISC
>
> On Saturday, 2012-10-13 11:07:01 +1000, Noel Butler <noel.but...@ausics.net> wrote:
>> Thanks Mark,
>>
>> These changes have been committed for future patch releases?
>>
>> Cheers
>>
>> On Fri, 2012-10-12 at 12:16 +1100, Mark Andrews wrote:
>>> Just drop the log level to ISC_LOG_DEBUG(1) and recompile. Search for "sucessfully validated after lower casing" in lib/dns/dnssec.c