Re: Dig gives ;; connection timed out; no servers could be reached
As others have already commented, it could mean either; there isn't enough information provided to try to identify where the fault lies. Are these systems accessible from the Internet? If so then please provide the correct names so we can also run tests from our locations to see if we get the same results. If you can't provide this information then you are on your own to solve your own problem.

Steve

On 3 October 2013 05:56, Balanagaraju Munukutla 9ba...@sg.ibm.com wrote:

> Hi All
>
> To explain more on the below. We are trying to do a query on MX record for abcd.com.sg. domain to the Authoritative nameserver .com from my pc. You can see the reply as below. Does this mean that the Authoritative nameserver .com failure or this PC where I am doing the query is blocking to communicate that local DNS server configured on it. Please help.
>
> Thanks Regards
> Nagaraj
>
> Kevin Oberman rkober...@gmail.com
> Sent by: kob6...@gmail.com
> 10/03/2013 12:47 PM
> To: Balanagaraju Munukutla/Singapore/ATT/IDE@IBMSG
> cc: bind-users bind-us...@isc.org, Subramaniam Raju subrr...@in.ibm.com
> Subject: Re: Dig gives ;; connection timed out; no servers could be reached
>
> On Wed, Oct 2, 2013 at 9:18 PM, Balanagaraju Munukutla 9ba...@sg.ibm.com wrote:
>
>> Hi
>>
>> Any one could help on the error below.
>>
>> [andrew@oc8163211842 ~]$ dig @.com abcd.com.sg mx
>> ; DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 @x.com abcd.com.sg mx
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; connection timed out; no servers could be reached
>>
>> ---
>> Thanks Regards
>> Nagaraj
>
> This message is virtually content free. You basically said "Something in DNS failed at a very basic level, but I will remove any information that might provide even a slight clue to determine why." You hide the query and the server. All that can really be said is that your client failed to get a response from the specified server.
>
> Is the specified system even running DNS? Is a firewall blocking the query? The response? Is the server yours or someone else's? Is routing allowing bi-directional communication? Is there an outage that is blocking communication? The list of possibilities just goes on and on. If you want help, you have to tell us something more than that it failed.
>
> --
> R. Kevin Oberman, Network Engineer
> E-mail: rkober...@gmail.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Recursive server forwarding dynamic updates
As others have pointed out, allow-update-forwarding only works for slaves. Yet another reason to go with a large-authoritative-core approach, instead of stringing stuff together with recursive arrangements. Would you rather build an enterprise-strength DNS infrastructure from fragile filaments (forwarding) or solid bonds (replication)?

OK, I'll get off my infrastructure architect soapbox now...

- Kevin

On 10/2/2013 4:41 AM, Bojan Tomic wrote:

> Thanks Phil! I've tried allow-update-forwarding, but my understanding is that this option only works for slave servers!? What I'm looking for is dynamic update forwarding from a non-authoritative server. Can allow-update-forwarding also work with a non-authoritative server? We are building an internal closed solution so source IP checking is not necessary.
>
> On Wed, Oct 2, 2013 at 8:56 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> On 10/02/2013 07:51 AM, Bojan Tomic wrote:
>>
>>> Hi, I'm looking for a way to setup a recursive/forwarding named server to forward dynamic updates
>>
>> See allow-update-forwarding in the ARM. Obviously you will lose source IP / TSIG key info, so will need to perform access checks at the forwarding server, and allow everything you need at the target server from the source/key of the forwarder.
Re: Dig gives ;; connection timed out; no servers could be reached
On Wed, Oct 2, 2013 at 9:56 PM, Balanagaraju Munukutla 9ba...@sg.ibm.com wrote:

> Hi All
>
> To explain more on the below. We are trying to do a query on MX record for abcd.com.sg. domain to the Authoritative nameserver .com from my pc. You can see the reply as below. Does this mean that the Authoritative nameserver .com failure or this PC where I am doing the query is blocking to communicate that local DNS server configured on it. Please help.
>
> Thanks Regards
> Nagaraj

Again, all that can be determined is that your PC is not getting a response to its query. There is no information to provide any clue as to whether the PC or the server is at fault.

I would suggest packet capture. On a Windows system, I suggest wireshark. The same for the server, if it is yours. If the server is Unix and you have access to do so, just simple tcpdump will work well.

--
R. Kevin Oberman, Network Engineer
E-mail: rkober...@gmail.com
Synthesized CNAME from NXDOMAIN
Hi all,

I'm looking to get RPZ-like behavior in a non-RPZ context. From the BIND9 ARM (9.9.4), this is a snippet from an RPZ zone:

; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
*.bzone.domain.com CNAME *.garden.example.com.

I would like to apply something similar to a redirect zone (for NXDOMAIN responses), but it doesn't appear to be supported. Can this be confirmed? Does anyone recommend any alternatives?

Thanks,
Casey
view
Hi list

I have a problem with views in bind9 on debian 6. I configured the server like here https://wiki.debian.org/Bind9 and it works. When I add the entry:

view dmz {
    match-clients { 10.0.0.0/24; };
};

bind9 can't start. What can I do to solve the problem?

Thanks
Re: Dig gives ;; connection timed out; no servers could be reached
On Oct 3, 2013, at 12:47 AM, Kevin Oberman rkober...@gmail.com wrote:

> On Wed, Oct 2, 2013 at 9:18 PM, Balanagaraju Munukutla 9ba...@sg.ibm.com wrote:
>
>> Hi
>>
>> Any one could help on the error below.
>>
>> [andrew@oc8163211842 ~]$ dig @.com abcd.com.sg mx
>> ; DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 @x.com abcd.com.sg mx
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; connection timed out; no servers could be reached
>>
>> ---
>> Thanks Regards
>> Nagaraj
>
> This message is virtually content free. You basically said "Something in DNS failed at a very basic level, but I will remove any information that might provide even a slight clue to determine why." You hide the query and the server. All that can really be said is that your client failed to get a response from the specified server.

Unless, maybe, he did and doesn't know how to use dig?

wkumari$ dig +norec +nocomment +nostats MX abcd.com.sg @.com
; DiG 9.8.5-P1 +norec +nocomment +nostats MX abcd.com.sg @.com
;; global options: +cmd
;; connection timed out; no servers could be reached

OK, fair enough, .com is not a name server, but:

wkumari$ dig +norec +nocomment +nostats NS .com
; DiG 9.8.5-P1 +norec +nocomment +nostats NS .com
;; global options: +cmd
;.com.            IN  NS
.com.    3348     IN  NS  dns4.name-services.com.
.com.    3348     IN  NS  dns2.name-services.com.
.com.    3348     IN  NS  dns1.name-services.com.
.com.    3348     IN  NS  dns3.name-services.com.
.com.    3348     IN  NS  dns5.name-services.com.

; DiG 9.8.5-P1 +norec +nocomment +nostats MX abcd.com.sg @dns1.name-services.com.
;; global options: +cmd
;abcd.com.sg.     IN  MX
abcd.com.sg.  3600  IN  MX  10 p.nsm.ctmail.com.

runs away, giggling like a maniac…

W

> Is the specified system even running DNS? Is a firewall blocking the query? The response? Is the server yours or someone else's? Is routing allowing bi-directional communication? Is there an outage that is blocking communication? The list of possibilities just goes on and on. If you want help, you have to tell us something more than that it failed.
>
> --
> R. Kevin Oberman, Network Engineer
> E-mail: rkober...@gmail.com

--
Don't be impressed with unintelligible stuff said condescendingly. -- Radia Perlman.
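Warren's non-recursive MX query, written out at the wire level so the two outcomes in this thread are visible: a reply with the AA bit set from the authoritative server, versus no reply at all (which is the only thing "connection timed out; no servers could be reached" says). This is an added example, not code from the thread; the UDP sender is optional and the parser is exercised on a constructed reply, with the transaction id fixed only for reproducibility.

```python
import socket
import struct

QTYPE_MX = 15

def encode_name(name):
    """Encode 'abcd.com.sg.' as wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid, recursion_desired=False):
    """Header + question section. rd=0 mirrors dig +norec: we want the
    server's own authoritative answer, not something it recurses for."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset_after_it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end

def parse_response(data, expected_txid):
    """Return the header flags of interest plus the MX answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    offset = 12
    for _ in range(qd):                                # skip question section
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", data[offset:offset + 2])[0]
            exchange, _ = decode_name(data, offset + 2)
            answers.append((owner, ttl, pref, exchange))
        offset += rdlen
    return {"authoritative": bool(flags & 0x0400),    # AA: answered from zone data
            "rcode": flags & 0x000F,                   # 0 NOERROR, 3 NXDOMAIN
            "answers": answers}

def query_mx(server_ip, name, timeout=3.0):
    """Send the query over UDP/53. None means no packet came back at all,
    which leaves client, path and server equally suspect; a packet capture
    on each end (as Kevin suggests) is what narrows it down."""
    txid = 0x1234            # fixed for reproducibility; real resolvers randomize it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, QTYPE_MX, txid), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)

def constructed_reply(txid, name, pref, exchange, ttl=3600):
    """Constructed authoritative reply (QR=1, AA=1, RCODE=0) for offline use;
    the answer owner is a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_MX, 1)
    rdata = struct.pack("!H", pref) + encode_name(exchange)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, 1, ttl, len(rdata)) + rdata
    return header + question + rr

if __name__ == "__main__":
    # Offline demonstration on a constructed reply shaped like Warren's final answer.
    reply = constructed_reply(0x1234, "abcd.com.sg.", 10, "p.nsm.ctmail.com.")
    print(parse_response(reply, 0x1234))
```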
Re: view
When I copy named.conf.default-zones inside the dmz view in named.conf.local then named starts, but there is a problem with requesting a zone other than the ones this server is authoritative for:

Served by:
- M.ROOT-SERVERS.NET
- A.ROOT-SERVERS.NET
. .

Is it ok? My conf files are:

# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

--
# cat named.conf.options
acl dmz { 10.0.0.0/24; };

options {
    allow-query { any; };
    allow-query-cache { any; };
    directory "/var/cache/bind";
    notify no;
    recursion no;

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

    rrset-order {
        class IN type A name "a" order fixed;
        class IN type A name "a" order fixed;
        class IN type A name "a" order fixed;
        class IN type A name "a" order fixed;
    };
};

logging {
    channel update_debug {
        file "/var/log/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/security_info.log" versions 1 size 100k;
        severity info;
        print-severity yes;
        print-time yes;
    };
    channel bind_log {
        file "/var/log/bind.log" versions 3 size 1m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category default { bind_log; };
    category lame-servers { null; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };
};

--
# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

view "dmz" {
    zone "a" {
        type master;
        file "/etc/bind/db.a";
        allow-query { any; };
        allow-transfer { a.a.a.a; a.a.a.a; };
    };
    . . output omitted . .
    zone "a" {
        type master;
        file "/etc/bind/db.a";
        allow-query { any; };
        allow-transfer { a.a.a.a; a.a.a.a; };
    };
};

--
# cat named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

On 3 October 2013 19:55, Steven Carr sjc...@gmail.com wrote:

> Please post your full named.conf config file (you can obfuscate any sensitive information).
>
> Steve
>
> On 3 October 2013 18:53, Paweł Ch. pch0...@gmail.com wrote:
>
>> Hi list
>>
>> I have a problem with views in bind9 on debian 6. I configured the server like here https://wiki.debian.org/Bind9 and it works. When I add the entry:
>>
>> view dmz {
>>     match-clients { 10.0.0.0/24; };
>> };
>>
>> bind9 can't start. What can I do to solve the problem?
>>
>> Thanks
Re: view
So the reason it's failing is because you don't have a view configured for the zones contained in /etc/bind/named.conf.default-zones. If you implement views then all zones must be added to a view.

Edit the /etc/bind/named.conf.default-zones file and insert the view statements, e.g.

view internal {

at the top of the file and an extra closing bracket at the bottom:

};

Steve

On 3 October 2013 22:06, Paweł Ch. pch0...@gmail.com wrote:

> When I copy named.conf.default-zones inside the dmz view in named.conf.local then named starts, but there is a problem with requesting a zone other than the ones this server is authoritative for:
>
> Served by:
> - M.ROOT-SERVERS.NET
> - A.ROOT-SERVERS.NET
> . .
>
> Is it ok? My conf files are:
>
> [...]
>
> On 3 October 2013 19:55, Steven Carr sjc...@gmail.com wrote:
>
>> Please post your full named.conf config file (you can obfuscate any sensitive information).
>>
>> Steve
>>
>> On 3 October 2013 18:53, Paweł Ch. pch0...@gmail.com wrote:
>>
>>> Hi list
>>>
>>> I have a problem with views in bind9 on debian 6. I configured the server like here https://wiki.debian.org/Bind9 and it works.
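The rule Steve states (once any view exists, every zone has to live inside a view) as a checkable condition on the merged configuration. This is an added example, not the thread's code or a BIND tool; the two named.conf fragments are constructed to mirror the broken and fixed layouts, and the tokenizer only understands the named.conf syntax the thread's files use (quoted strings, braces, semicolons, // # and /* */ comments).

```python
import re

# Constructed: what named.conf amounts to once the thread's include files are
# pulled in. A view is declared in named.conf.local while the default zones
# stay outside every view, which is the combination named rejects at startup.
BROKEN_CONF = """
view "dmz" {
    match-clients { 10.0.0.0/24; };
    zone "a" { type master; file "/etc/bind/db.a"; };
};
// named.conf.default-zones, still outside any view
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
"""

# Constructed: Steve's fix, the default zones wrapped in their own view.
# Zones are per-view, so each view only serves the zones declared inside it.
FIXED_CONF = """
view "dmz" {
    match-clients { 10.0.0.0/24; };
    zone "a" { type master; file "/etc/bind/db.a"; };
};
view "internal" {
    zone "." { type hint; file "/etc/bind/db.root"; };
    zone "localhost" { type master; file "/etc/bind/db.local"; };
};
"""

TOKEN_RE = re.compile(
    r'"[^"]*"'             # quoted string
    r'|//[^\n]*|#[^\n]*'   # line comments, both styles named accepts
    r'|/\*.*?\*/'          # block comment
    r'|[{};]'              # structural tokens
    r'|[^\s{};"]+',        # bare word
    re.S,
)

def tokenize(text):
    """Yield named.conf tokens with comments dropped and quotes stripped."""
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok.startswith(("//", "#", "/*")):
            continue
        yield tok.strip('"')

def top_level_statements(tokens):
    """Return [(keyword, first_argument_or_None)] for brace-depth-0 statements.
    Anything inside a block (zones inside a view, options) is skipped."""
    depth, stmts, current = 0, [], []
    for tok in tokens:
        if tok == "{":
            if depth == 0 and current:
                stmts.append(current)
                current = []
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}'")
        elif tok == ";":
            if depth == 0 and current:
                stmts.append(current)
                current = []
        elif depth == 0:
            current.append(tok)
    if depth != 0:
        raise ValueError("unbalanced '{'")
    return [(s[0], s[1] if len(s) > 1 else None) for s in stmts]

def check_views(conf_text):
    """Return (has_views, names_of_zones_outside_any_view)."""
    stmts = top_level_statements(tokenize(conf_text))
    has_views = any(kw == "view" for kw, _ in stmts)
    outside = [name for kw, name in stmts if kw == "zone"]
    return has_views, outside

def is_startable(conf_text):
    """False for the thread's failure mode: views present, but some zone is
    declared outside every view. named-checkconf gives the real verdict."""
    has_views, outside = check_views(conf_text)
    return not (has_views and outside)

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_views(conf), "startable:", is_startable(conf))
```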
Re: weird performance BIND version 9.6
Hi Matus

One thing more. I'm a little bit lost in bind9. Can you tell me in which one of those files the internal or external host is defined? If it is in mydomain.com.hosts.lan for internal and mydomain.com.hosts for external, I already put them in each configuration file. But I'm still getting the private IP address answer when I try pinging, for example "ping mydomain.com -t"; I got the 192.168.1.3 answer.

You said "Check their match-* directives, post them here if possible." Which one is that configuration file?

Thanks in advance

On 26/09/2013 12:54 PM, Matus UHLAR - fantomas wrote:

> On 26.09.13 10:52, IT Support wrote:
>
>> Hi Matus thanks for your answer, can you do me a favor? Can you tell me how to look for that configuration?
>
>>> only clients that are supposed to get internal private addresses should be in internal view.
>
>> ...You mean that I should create an internal and external record in each view? If this is the case I already added those records. Is there another thing that I'm forgetting to do?...
>
> check your view definition and which hosts fall into which view. Check their match-* directives, post them here if possible.
>
> No, you definitely should NOT mention both IPs in any view. Hosts from internal view should get internal IP and hosts from external view should get external IP.
Re: Synthesized CNAME from NXDOMAIN
On Thu, 3 Oct 2013, Casey Deccio wrote:

> I would like to apply something similar to a redirect zone (for NXDOMAIN responses)

You are why we can't have nice things :P

We had enough Sitewinders. With DNSSEC on the endnode, your lies won't be believed anyway. What you are trying is wrong, bad and broken. My laptop with unbound+dnssec-trigger would detect an attack and warn me.

Paul
Re: Synthesized CNAME from NXDOMAIN
On Thu, Oct 3, 2013 at 2:54 PM, Paul Wouters p...@cypherpunks.ca wrote:

> You are why we can't have nice things :P
>
> We had enough Sitewinders. With DNSSEC on the endnode, your lies won't be believed anyway. What you are trying is wrong, bad and broken.

This might be a fair statement in the right context. But it was taken out of context--because I really didn't provide any. Not that I need to justify my question, but since you brought it up, what I am looking to do is decrease the risk of DNS resolution failures resulting from a namespace transition by creating a fallback from the old to the new namespace. For some definite period of time after the change, an NXDOMAIN in the old namespace would result in a synthesized CNAME pointing to the same name in the new namespace. Anyway, there might not be an easy way to do it, and we might just have to lose our safety net, but I wanted to ask users on the list if there's some obscure configuration that might be helpful.

If it's not already clear from my development of DNSSEC helper tools (e.g., DNSViz), I'm an advocate of secure DNS. :)

Cheers,
Casey
Re: moving DNSSEC to a hidden master
Thanks all for your responses.

On 10/1/13 6:42 PM, Mark Andrews wrote:

> As Alan said copy the .key and .private files over.
>
> Disable updating on the old master.
>
> Transfer the zone contents by setting up as a slave using "masterfile-format text;" or by using dig. This will give you the most up to date version of the zone.
>
> dig axfr zone +onesoa @oldmaster
>
> Check that the new server is working

Converting the new secondary to a new master worked. But incrementing the zone's serial number did not, producing an error after 'rndc reload' like this:

Oct 3 16:00:29 host named[35249]: malformed transaction: dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 != transaction first serial 2013092700

> and you can update the zone by using nsupdate.

Although the zone file lives under dynamic/mydomain.com so DNSSEC updates can happen, I don't have dynamic updates configured, so nsupdate won't work. This arrangement -- with static zone files under the dynamic directory -- worked OK on the old master. Permissions are the same on both.

This thread suggested the journal issue was separate views pointing to the same zone file:
https://lists.isc.org/pipermail/bind-users/2008-June/070807.html

Indeed I had pointers to the same zone file in separate views, but removing them and restarting named did not clear the issue. Now I have the zone in just one view, and still can't manually increment the serial number without that journal complaint.

Thanks in advance for clues on resolving the journal version issue.

dn

> Convert the old master server into a slave.
>
> Update the other slaves to talk to a new master.
Re: moving DNSSEC to a hidden master
This works for me and is the standard method:

rndc freeze
update serial
rndc thaw

Rndc freeze merges the .jnl files into the zone files and stops dynamic updates. Thaw allows dynamic updates to resume.

On 04/10/13 02.12, David Newman wrote:

> Thanks all for your responses.
>
> On 10/1/13 6:42 PM, Mark Andrews wrote:
>
>> As Alan said copy the .key and .private files over.
>>
>> Disable updating on the old master.
>>
>> Transfer the zone contents by setting up as a slave using "masterfile-format text;" or by using dig. This will give you the most up to date version of the zone.
>>
>> dig axfr zone +onesoa @oldmaster
>>
>> Check that the new server is working
>
> Converting the new secondary to a new master worked. But incrementing the zone's serial number did not, producing an error after 'rndc reload' like this:
>
> Oct 3 16:00:29 host named[35249]: malformed transaction: dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 != transaction first serial 2013092700
>
> [...]
>
> Thanks in advance for clues on resolving the journal version issue.
>
> dn

--
Best regards
Sten Carlsen

No improvements come from shouting: MALE BOVINE MANURE!!!
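Sten's freeze / update serial / thaw sequence as a script, with the serial bump done in the YYYYMMDDnn style the thread's serials use. This is an added example, not the thread's own code: the zone name and zone-file path passed to freeze_bump_thaw are assumptions, rndc is invoked as is, and the serial logic is demonstrated offline on a constructed zone fragment (it assumes the serial is the first number after the two SOA names).

```python
import datetime
import re
import subprocess

# First number after the two SOA names, with or without an opening parenthesis.
SOA_SERIAL_RE = re.compile(r"(IN\s+SOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")

def next_serial(current, stamp=None):
    """Next serial in the YYYYMMDDnn style the thread uses (2013092701).
    Same day: bump nn. Earlier day: today's date with nn=00. Anything else
    (not dated, a future date, nn already 99): plain +1 modulo 2^32, which
    is still an increase under RFC 1982 serial arithmetic."""
    stamp = stamp or datetime.date.today().strftime("%Y%m%d")
    cur = str(current)
    if len(cur) == 10 and cur[:8] < stamp:
        return int(stamp + "00")
    if len(cur) == 10 and cur[:8] == stamp and int(cur[8:]) < 99:
        return int(stamp + f"{int(cur[8:]) + 1:02d}")
    return (current + 1) % (1 << 32)

def bump_serial(zone_text, stamp=None):
    """Rewrite the SOA serial in zone-file text; returns (text, old, new)."""
    m = SOA_SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    old = int(m.group(2))
    new = next_serial(old, stamp)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new

def freeze_bump_thaw(zone, zone_file):
    """Sten's sequence. 'rndc freeze' writes the .jnl into the zone file and
    suspends dynamic updates, so the file being edited is current; 'rndc thaw'
    reloads it and resumes updates. Hand-editing a journaled zone file without
    the freeze is what this sequence exists to avoid."""
    subprocess.run(["rndc", "freeze", zone], check=True)
    try:
        with open(zone_file) as fh:
            new_text, old, new = bump_serial(fh.read())
        with open(zone_file, "w") as fh:
            fh.write(new_text)
    finally:
        subprocess.run(["rndc", "thaw", zone], check=True)
    return old, new

# Constructed zone fragment in the thread's serial style.
SAMPLE_ZONE = """$TTL 3600
@   IN  SOA ns1.mydomain.com. hostmaster.mydomain.com. (
            2013092701  ; serial
            3600 900 604800 86400 )
    IN  NS  ns1.mydomain.com.
"""

if __name__ == "__main__":
    # Offline demonstration; freeze_bump_thaw("mydomain.com", PATH) is the live form.
    text, old, new = bump_serial(SAMPLE_ZONE)
    print(old, "->", new)
```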
Re: Synthesized CNAME from NXDOMAIN
Use a DNAME record. That works with DNSSEC.

e.g.

oldzone.com  SOA    .
oldzone.com  NS     ns1.newzone.com
oldzone.com  NS     ns2.newzone.com
oldzone.com  MX     0 mail.newzone.com
oldzone.com  A      ...
oldzone.com  ...
oldzone.com  DNAME  newzone.com

Mark

In message CAEKtLiR=1jeKEaUw+74TMBVMtKy7HRHgYkaS3_mix59dXNz_=w...@mail.gmail.com, Casey Deccio writes:

> On Thu, Oct 3, 2013 at 2:54 PM, Paul Wouters p...@cypherpunks.ca wrote:
>
>> You are why we can't have nice things :P
>>
>> We had enough Sitewinders. With DNSSEC on the endnode, your lies won't be believed anyway. What you are trying is wrong, bad and broken.
>
> This might be a fair statement in the right context. But it was taken out of context--because I really didn't provide any. Not that I need to justify my question, but since you brought it up, what I am looking to do is decrease the risk of DNS resolution failures resulting from a namespace transition by creating a fallback from the old to the new namespace. For some definite period of time after the change, an NXDOMAIN in the old namespace would result in a synthesized CNAME pointing to the same name in the new namespace. Anyway, there might not be an easy way to do it, and we might just have to lose our safety net, but I wanted to ask users on the list if there's some obscure configuration that might be helpful.
>
> If it's not already clear from my development of DNSSEC helper tools (e.g., DNSViz), I'm an advocate of secure DNS. :)
>
> Cheers,
> Casey

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Synthesized CNAME from NXDOMAIN
On Thu, Oct 3, 2013 at 5:42 PM, Mark Andrews ma...@isc.org wrote:

> Use a DNAME record. That works with DNSSEC.

Thanks for the suggestion. I would use DNAME, except the old namespace will still have names under it, and names are not allowed to exist below a DNAME. In other words, we're not replacing the old namespace, we're just minimizing its scope and use.

Casey
Re: Synthesized CNAME from NXDOMAIN
In message caektlisj_2j-rtot_2gtixn6hl4pbkjswdw3yogfl1djfc2...@mail.gmail.com, Casey Deccio writes:

> On Thu, Oct 3, 2013 at 5:42 PM, Mark Andrews ma...@isc.org wrote:
>
>> Use a DNAME record. That works with DNSSEC.
>
> Thanks for the suggestion. I would use DNAME, except the old namespace will still have names under it, and names are not allowed to exist below a DNAME. In other words, we're not replacing the old namespace, we're just minimizing its scope and use.

Then I suggest that you just add CNAMEs whenever you remove other records. Once a part of the namespace only has CNAME/DNAME below it, replace it with a DNAME. You will converge on the earlier example.

> Casey

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
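Mark's DNAME suggestion and his CNAME-first convergence rule, worked through as an added example (not code from the thread or from BIND): the RFC 6672 substitution a resolver performs under a DNAME (which is where the synthesized CNAME Casey asked about comes from), the check behind Casey's objection that nothing may exist below a DNAME owner, and the test for when a subtree has converged enough to be replaced by a DNAME. Zone contents are constructed after Mark's oldzone.com / newzone.com sketch.

```python
def _labels(name):
    """Split 'www.oldzone.com.' into lower-case labels, root dot dropped."""
    return name.lower().rstrip(".").split(".")

def is_below(name, ancestor):
    """True when name is strictly below ancestor in the DNS tree."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a

def dname_substitute(qname, owner, target):
    """RFC 6672 substitution: swap the 'owner' suffix of qname for 'target'.
    A resolver hands the result to the client as a synthesized CNAME; since
    the DNAME itself is signed, a validating client accepts that CNAME."""
    if not is_below(qname, owner):
        raise ValueError(f"{qname} is not below {owner}")
    prefix = _labels(qname)[:-len(_labels(owner))]
    return ".".join(prefix + _labels(target)) + "."

def lookup(qname, zone):
    """Look qname up in a zone given as [(owner, rtype, rdata)].
    Returns ('exact', [(rtype, rdata)]), ('dname', synthesized target) or
    ('nxdomain', None). A DNAME never applies to its own owner name."""
    exact = [(t, r) for o, t, r in zone if o.lower() == qname.lower()]
    if exact:
        return "exact", exact
    for owner, rtype, target in zone:
        if rtype == "DNAME" and is_below(qname, owner):
            return "dname", dname_substitute(qname, owner, target)
    return "nxdomain", None

def names_below_dname(zone):
    """Casey's objection made checkable: a DNAME at X forbids any owner name
    under X. Returns offending (owner, dname_owner) pairs; empty means valid."""
    dnames = [o for o, t, _ in zone if t == "DNAME"]
    return [(o, d) for o, _, _ in zone for d in dnames if is_below(o, d)]

def ready_for_dname(zone, apex):
    """Mark's convergence rule: once nothing but CNAME/DNAME records remain
    below apex, the subtree can be replaced by a single DNAME at apex."""
    below = [t for o, t, _ in zone if is_below(o, apex)]
    return all(t in ("CNAME", "DNAME") for t in below)

# Constructed zone after Mark's sketch: apex records stay, DNAME covers the rest.
OLDZONE_FINAL = [
    ("oldzone.com.", "NS", "ns1.newzone.com."),
    ("oldzone.com.", "MX", "0 mail.newzone.com."),
    ("oldzone.com.", "DNAME", "newzone.com."),
]

# Constructed zone mid-transition: a retired name is already a CNAME, but one
# name still carries real data, so a DNAME at the apex is not yet allowed.
OLDZONE_TRANSITION = [
    ("oldzone.com.", "NS", "ns1.newzone.com."),
    ("www.oldzone.com.", "CNAME", "www.newzone.com."),
    ("mail.oldzone.com.", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    print(lookup("www.oldzone.com.", OLDZONE_FINAL))
    print(ready_for_dname(OLDZONE_TRANSITION, "oldzone.com."))
```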
Re: Synthesized CNAME from NXDOMAIN
On Thu, Oct 3, 2013 at 5:52 PM, Mark Andrews ma...@isc.org wrote:

> Then I suggest that you just add CNAMEs whenever you remove other records. Once a part of the namespace only has CNAME/DNAME below it, replace it with a DNAME. You will converge on the earlier example.

Thanks - I'll start there.

Casey