9.9.4 Bug Fixes - RT #34583

2013-09-21 Thread Steve Arntzen
Good morning/day/evening.

What exactly does "beneath" mean in the following line from the 9.9.4
bug fixes?

"Fix forwarding for  forward only "zones" beneath automatic empty zones.
[RT #34583]"

Thanks in advance,

Steve.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: 9.9.4 Bug Fixes - RT #34583

2013-09-21 Thread Evan Hunt
> What exactly does "beneath" mean in the following line from the 9.9.4
> bug fixes?
> 
> "Fix forwarding for  forward only "zones" beneath automatic empty zones.
> [RT #34583]"

Named automatically sets up "empty" reverse zones for nonroutable
address spaces, to prevent your network sending PTR queries
out for things like 10.1.2.3, which can only be configured locally.

These zones were interacting badly with forward-only zones.  For example,
if you set up a forward zone for 100.10.in-addr.arpa, which is beneath
the empty zone 10.in-addr.arpa, PTR queries for 10.100.*.* should be
forwarded while all other queries for 10.* should be answered from
the empty zone.  That wasn't working; now it is.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
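
The behaviour described in the reply above, modelled as an added example (not code from BIND or from this thread): which configured zone should handle a PTR query when a forward-only zone sits beneath an automatic empty zone. The function names, the simplified closest-enclosing-zone model, and the forwarder address in the comment are assumptions made for illustration.

```python
import ipaddress

# Constructed zone table mirroring the example in the reply above.
# A matching named.conf stanza would look like this (192.0.2.53 is a
# documentation placeholder, not an address from the thread):
#   zone "100.10.in-addr.arpa" {
#       type forward;
#       forward only;
#       forwarders { 192.0.2.53; };
#   };
ZONES = {
    "10.in-addr.arpa": "empty",          # automatic empty zone
    "100.10.in-addr.arpa": "forward",    # forward-only zone beneath it
}


def ptr_name(addr):
    """Return the reverse-lookup name for an IPv4 address, e.g.
    10.100.1.2 -> 2.1.100.10.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer


def closest_zone(qname, zones=ZONES):
    """Return the most specific configured zone enclosing qname.

    Matching is done on whole labels, longest suffix first, so
    1.100.10.10.in-addr.arpa does not match 100.10.in-addr.arpa."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def expected_handling(addr, zones=ZONES):
    """Return (action, zone) for a PTR query, per the post-fix behaviour:
    the forward zone wins for names beneath it, the empty zone answers
    the rest of its address space, anything else is resolved normally."""
    zone = closest_zone(ptr_name(addr), zones)
    if zone is None:
        return ("recurse", None)
    if zones[zone] == "forward":
        return ("forward", zone)
    return ("answer-locally", zone)
```

Comparing `expected_handling()` against what a resolver actually does for a handful of addresses on either side of the forward zone's boundary shows whether a given build has the fix.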


Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-21 Thread Noel Butler
On Fri, 2013-09-20 at 14:12 +, Vernon Schryver wrote:

> > From: Shane Kerr 
> 
> > With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> > fail, right? If you've got enough legitimate lookups going on to
> > trigger RRL then you're going to get lots of failures.
> 
> If 6% is "lots", then yes.
> 


It certainly is. I accept 1% error margins; anything more, then it's too
high.
If I was still managing public ISP DNS, then 0.01% error margin would be
even a bit high, but then again, there I wouldn't be running views :)



> 
> > > limit NXDOMAIN responses to /24 for zen.spamhaus.org ,
> 
> > This doesn't indicate that anything actually failing for the querying
> > hosts, just that they are issuing a lot of queries.
> 
> indeed.
> 
> 


But the end result was that RRL filtering was filtering, as per my
other message. However, ns0 is now using RRL in a view and has thus
far (just over 24 hours) not given us any problems. NS 1 and 2 have
always been pure authoritative, so never affected.


> 
> The potential RRL problem is when you provide high volume DNSBL service


That problem is removed now since the internal view for caching won't be
filtered when querying them, and our internal dnsbl has never needed to
be RL'd since although public access is allowed, its volume is too low
to be measurable compared to the well known ones :)

Thanks for clearing up the options, seems it should all be good now.

