Re: GeoIP in 9.10 RC2

2014-04-30 Thread Ali Jawad
Hi Evan
You guys are doing a great  job. I did actually try before without acl
directly in view. The error was at the time No ACL geoip. Will retry with
patch. Thanks !
On May 1, 2014 6:38 AM, "Evan Hunt"  wrote:

> On Wed, Apr 30, 2014 at 11:33:06PM +0200, Ali Jawad wrote:
> > Any hints ?
>
> So, yeah, that's embarrassing.  It never crossed my mind to test geoip
> ACL elements by referencing them indirectly in named ACLs, as you did;
> I only referenced them directly. Apparently none of the folks who've
> been using the code in production ever tried that either. Kudos for
> your QA skills.  :)
>
> Thanks to you, I am now aware of the fact that, while the following
> configuration does work:
>
> match-clients { geoip country US; };
>
> ...this one doesn't:
>
> acl geoipUS { geoip country US; };
> ...
> match-clients { geoipUS; };
>
> The problem is that when the "geoipUS" ACL is merged into match-clients
> for the view, the geoip information doesn't get copied correctly.
>
> The attached patch should fix it.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: GeoIP in 9.10 RC2

2014-04-30 Thread Evan Hunt
On Wed, Apr 30, 2014 at 11:33:06PM +0200, Ali Jawad wrote:
> Any hints ?

So, yeah, that's embarrassing.  It never crossed my mind to test geoip
ACL elements by referencing them indirectly in named ACLs, as you did;
I only referenced them directly. Apparently none of the folks who've
been using the code in production ever tried that either. Kudos for
your QA skills.  :)

Thanks to you, I am now aware of the fact that, while the following
configuration does work:

match-clients { geoip country US; };

...this one doesn't:

acl geoipUS { geoip country US; };
...
match-clients { geoipUS; };

The problem is that when the "geoipUS" ACL is merged into match-clients
for the view, the geoip information doesn't get copied correctly.

The attached patch should fix it.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index a2d0347..1064bce 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -337,6 +337,12 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
 return result;
 		}
 
+		/* copy the GeoIP data */
+		if (source->elements[i].type == dns_aclelementtype_geoip) {
+			dest->elements[nelem + i].geoip_elem =
+source->elements[i].geoip_elem;
+		}
+
 		/* reverse sense of positives if this is a negative acl */
 		if (!pos && source->elements[i].negative == ISC_FALSE) {
 			dest->elements[nelem + i].negative = ISC_TRUE;
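Review bot: the added block in dns_acl_merge() uses dns_aclelementtype_geoip and the geoip_elem member unconditionally; if either is declared only in GeoIP-enabled builds, the block needs the same preprocessor guard, otherwise builds without GeoIP will not compile. The struct assignment is a shallow copy, so confirm that geoip_elem holds no pointers whose ownership would now be shared between source and dest. The continuation line `source->elements[i].geoip_elem;` appears unindented here and should line up under the assignment. Since the accompanying message says the indirect case was never tested, a regression test that references a geoip ACL by name from match-clients should go in with this change.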

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Chris Buxton
Either do as Kevin Darcy said or else use separate names:

company.com
office1.company.com
office2.company.com

The admin in office 2 updates the office2 zone. The dynamic updates in office 1 
go to the office1 zone. The company.com zone delegates both. Everyone can find 
everything via that delegation, but each office has its own zone. Everyone is 
happy.

Chris

On Apr 30, 2014, at 4:36 PM, Jeronimo L. Cabral  wrote:

> DNS1 with dynamic update and DNS2 with manually update
> 
> 
> On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy  wrote:
> I'm still not understanding your constraints. If *all* updates come in 
> through Dynamic Update, then you don't need freeze/unfreeze.
> 
> - 
> Kevin
> 
> 
> On 4/30/2014 6:47 PM, Jeronimo L. Cabral wrote:
>> In office #1, the "company.com" master zone is updated automatically from 
>> some Windows machines in DNS1 and in office #2 the same zone is updated
>> manually in DNS2 by the administrator who shouldn't update (using freeze and 
>> unfreeze) the master zone from office #1. This is the scenario, and we need 
>> that a simple query to DNS1 be responded with any record from both zones.
>> 
>> Thanks again
>> 
>> 
>> On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy  wrote:
>> Oh, I thought this was an external-versus-internal scenario. But, this is 
>> even easier.
>>  
>> A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the 
>> "stealth" variety, if you want) of the other
>> B) People use nsupdate to maintain the zone
>> 
>> For security, TSIG-sign the updates. For fast change propagation, set up 
>> NOTIFY if and as necessary.
>> 
>>  
>>- Kevin
>> 
>> 
>> On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:
>>> Dear John, this is my scenario:
>>> 
>>> 1) Office 1: people work with some machines and fill up a local master zone 
>>> "company.com" with records in DNS1
>>> 2) Office 2: people works with some others machines and fill up a local 
>>> master zone "company.com" with another records in DNS2
>>> 
>>> So both office have a different master zone.
>>> 
>>> Both offices belong to the same company, so I need that any client PC can 
>>> resolve a hostname from "company.com" domain, independently if this record 
>>> is in DNS1 or DNS2. 
>>> 
>>> Thanks again, regards.
>>> 
>>> JeLo
>>> 
>>> 
>>> 
>>> On Wed, Apr 30, 2014 at 5:21 PM, John Miller  wrote:
>>> Hi Jeronimo,
>>> 
>>> First of all, please just tell us the real domain.  Yes, we could try and 
>>> talk about a fictitious "example.com" or "company.com," but having the real 
>>> domain name lets us actually query your nameservers.
>>> 
>>> Let me be sure I understand: you have two DNS servers.  Each of them is 
>>> authoritative for the same domain.  Are both set as master?
>>> 
>>> The two servers have different copies of the zone--what's your reason for 
>>> that?
>>> 
>>> If both servers think they are authoritative for a zone, then they will 
>>> answer recursive queries for those zones themselves.  From the manual: 
>>> 
>>> "Forwarding occurs only on those queries for which the server is not 
>>> authoritative and does not have the answer in its cache."
>>> 
>>> What exactly are you trying to achieve?
>>> 
>>> John
>>> 
>>> 
>>> 
>>> On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral  
>>> wrote:
>>> Dear, I would like to ask for solution related with DNS (bind) 
>>> configuration to allow forward requests to another DNS but related with the 
>>> same domain.
>>> 
>>> I'm asking about two authoritative name servers serving the same domain but 
>>> with different zone file info on each and have one of them forward 
>>> recursive queries to another one if first one cannot find some particular 
>>> subdomain record that is missing in his version of zone file.
>>> 
>>> My named.conf.local is as follow, but it doesn't work:
>>> 
>>> zone "company.com" {
>>> type master;
>>> file "/etc/bind/zones/company.com.db";
>>> allow-transfer { key "company"; };
>>> check-names ignore;
>>> forward first;
>>> forwarders { 172.16.1.1; };
>>> };
>>> 
>>> Thanks a lot, 
>>> 
>>> JeLo
>>> 
>>> 
>>> 
>>> -- 
>>> John Miller
>>> Systems Engineer
>>> Brandeis University
>>> johnm...@brandeis.edu
>>> (781) 736-4619
>>> 

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
DNS1 with dynamic update and DNS2 with manually update


On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy  wrote:

>  I'm still not understanding your constraints. If *all* updates come in
> through Dynamic Update, then you don't need freeze/unfreeze.
>
> -
> Kevin
>
>
> On 4/30/2014 6:47 PM, Jeronimo L. Cabral wrote:
>
> In office #1, the "company.com" master zone is updated automatically from
> some Windows machines in DNS1 and in office #2 the same zone is updated
> manually in DNS2 by the administrator who shouldn't update (using freeze
> and unfreeze) the master zone from office #1. This is the scenario, and we
> need that a simple query to DNS1 be responded with any record from both
> zones.
>
>  Thanks again
>
>
> On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy  wrote:
>
>>  Oh, I thought this was an external-versus-internal scenario. But, this
>> is even easier.
>>
>> A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the
>> "stealth" variety, if you want) of the other
>> B) People use nsupdate to maintain the zone
>>
>> For security, TSIG-sign the updates. For fast change propagation, set up
>> NOTIFY if and as necessary.
>>
>>
>> - Kevin
>>
>>
>> On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:
>>
>> Dear John, this is my scenario:
>>
>>  1) Office 1: people work with some machines and fill up a local master
>> zone "company.com" with records in DNS1
>> 2) Office 2: people works with some others machines and fill up a local
>> master zone "company.com" with another records in DNS2
>>
>>  So both office have a different master zone.
>>
>>  Both offices belong to the same company, so I need that any client PC
>> can resolve a hostname from "company.com" domain, independently if this
>> record is in DNS1 or DNS2.
>>
>>  Thanks again, regards.
>>
>>  JeLo
>>
>>
>>
>> On Wed, Apr 30, 2014 at 5:21 PM, John Miller wrote:
>>
>>>  Hi Jeronimo,
>>>
>>>  First of all, please just tell us the real domain.  Yes, we could try
>>> and talk about a fictitious "example.com" or "company.com," but having
>>> the real domain name lets us actually query your nameservers.
>>>
>>>  Let me be sure I understand: you have two DNS servers.  Each of them
>>> is authoritative for the same domain.  Are both set as master?
>>>
>>>  The two servers have different copies of the zone--what's your reason
>>> for that?
>>>
>>>  If both servers think they are authoritative for a zone, then they
>>> will answer recursive queries for those zones themselves.  From the manual:
>>>
>>> "Forwarding occurs only on those queries for which the server is not
>>> authoritative and does not have the answer in its cache."
>>>
>>>  What exactly are you trying to achieve?
>>>
>>>  John
>>>
>>>
>>>
>>>  On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral <
>>> jelocab...@gmail.com> wrote:
>>>
  Dear, I would like to ask for solution related with DNS (bind)
 configuration to allow forward requests to another DNS but related
 with the same domain.

 I'm asking about two authoritative name servers serving the same domain
 but with different zone file info on each and have one of them forward
 recursive queries to another one if first one cannot find some particular
 subdomain record that is missing in his version of zone file.

  My named.conf.local is as follow, but it doesn't work:

  zone "company.com" {
 type master;
 file "/etc/bind/zones/company.com.db";
 allow-transfer { key "company"; };
 check-names ignore;
 forward first;
 forwarders { 172.16.1.1; };
 };

  Thanks a lot,

  JeLo



>>>
>>>
>>>
>>> --
>>> John Miller
>>> Systems Engineer
>>> Brandeis University
>>> johnm...@brandeis.edu
>>> (781) 736-4619
>>>
>>>
>>
>>
>>
>>
>
>

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy
I'm still not understanding your constraints. If *all* updates come in 
through Dynamic Update, then you don't need freeze/unfreeze.


- Kevin

On 4/30/2014 6:47 PM, Jeronimo L. Cabral wrote:
In office #1, the "company.com" master zone is
updated automatically from some Windows machines in DNS1 and in
office #2 the same zone is updated manually in DNS2 by the 
administrator who shouldn't update (using freeze and unfreeze) the 
master zone from office #1. This is the scenario, and we need that a 
simple query to DNS1 be responded with any record from both zones.


Thanks again


On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy wrote:


Oh, I thought this was an external-versus-internal scenario. But,
this is even easier.

A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of
the "stealth" variety, if you want) of the other
B) People use nsupdate to maintain the zone

For security, TSIG-sign the updates. For fast change propagation,
set up NOTIFY if and as necessary.

- Kevin


On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:

Dear John, this is my scenario:

1) Office 1: people work with some machines and fill up a local
master zone "company.com" with records in DNS1
2) Office 2: people works with some others machines and fill up a
local master zone "company.com" with another
records in DNS2

So both office have a different master zone.

Both offices belong to the same company, so I need that any
client PC can resolve a hostname from "company.com"
domain, independently if this record is in
DNS1 or DNS2.

Thanks again, regards.

JeLo



On Wed, Apr 30, 2014 at 5:21 PM, John Miller <johnm...@brandeis.edu> wrote:

Hi Jeronimo,

First of all, please just tell us the real domain.  Yes, we
could try and talk about a fictitious "example.com"
or "company.com,"
but having the real domain name lets us actually query your
nameservers.

Let me be sure I understand: you have two DNS servers.  Each
of them is authoritative for the same domain.  Are both set
as master?

The two servers have different copies of the zone--what's
your reason for that?

If both servers think they are authoritative for a zone, then
they will answer recursive queries for those zones
themselves.  From the manual:

"Forwarding occurs only on those queries for which the server
is not authoritative and does not have the answer in its cache."

What exactly are you trying to achieve?

John



On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral <jelocab...@gmail.com> wrote:

Dear, I would like to ask for solution related with DNS
(bind) configuration to allow forward requests to another
DNS but related with the same domain.

I'm asking about two authoritative name servers serving
the same domain but with different zone file info on each
and have one of them forward recursive queries to another
one if first one cannot find some particular subdomain
record that is missing in his version of zone file.

My named.conf.local is as follow, but it doesn't work:

zone "company.com" {
  type master;
  file "/etc/bind/zones/company.com.db";
  allow-transfer { key "company"; };
  check-names ignore;
  forward first;
  forwarders { 172.16.1.1; };
};

Thanks a lot,

JeLo






-- 
John Miller

Systems Engineer
Brandeis University
johnm...@brandeis.edu 
(781) 736-4619






Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-30 Thread /dev/rob0
On Wed, Apr 30, 2014 at 01:22:24PM -0700, Doug Barton wrote:
> I mulled over your response and considered not pursuing this 
> further, but apparently I can't help myself. :)

It's okay, we can forgiv. :)

> On 04/27/2014 12:00 PM, Evan Hunt wrote:
> >On Sun, Apr 27, 2014 at 07:36:22PM +0100, Chris Thompson wrote:
> >>I rather liked "delve", but the truncation to "delv" does indeed 
> >>seem suboptimal in those respects, and quite ugly as well.
> >
> >I found that my initial "ugh, ugly" reaction wore off after I'd 
> >typed it the new way a couple of times.
> 
> Human beings' ability to adapt is remarkable. That doesn't mean 
> that every thing we adapt to is a good thing.
> 
> >But, indeed, if I'd known this was going to be a problem a month 
> >ago, I would have happily put it to discussion and a vote.  
> >Unfortunately the bug report came in only a couple of days before 
> >the originally-scheduled publication of 9.10.0, and I decided it
> >would be better to live with an imperfect name than deal with the 
> >fallout of changing it after it was officially released.
> 
> I'm not seeing any official releases for 9.10, only release 
> candidates.

That was true. But look again. :)

> Apologies if I've missed something obvious here. If I'm right about
> this not being released yet, it means you still have plenty of time

It was not obvious; just released.

> to come up with another name. As much as the thing may seem to be 
> settled from your perspective (dealing with it day to day) the 
> exposure that 9.10 has received to date is only a tiny fraction of 
> what it will be after the official release.
> 
> I encourage you(pl.) to reconsider your decision to actually 
> release as is.
>
> >Anyway, now it can hang around and commiserate with resolv.conf.
> 
> Evidence of prior bad decisions does not provide justification
> for future bad decisions. :)

:)

There really was no perfect answer here.

Part of the legacy of GNU is that we have operating systems which 
consist of tools provided by various and sundry independent people 
and organizations. ISC and the Xapian project are two such groups. 
Each one has a userbase.

If ISC had stuck to the "dig and delve" idea, sure, there's a nice 
ring to it. And maybe there wouldn't be a lot of userbase overlap.

But there would be some overlap! And people who type "delve -h" who 
get Xapian delve's help when they wanted ISC's, or vice versa. Each 
project would be getting more cries for support.

Large distributors like Debian can't let this go. If they ship both 
BIND and Xapian-tools, they have to resolv ;) the name conflict. 
There can only be one /usr/bin/delve in their distribution.

What should Debian do? They think it's fair to leave the name with 
the one which has been using it longer. And while "Eleven, twelve; 
dig and delve" is a cool way to name the new tool, the name "delve" 
also seems to fit for a search engine's tool.

ISC might have the bigger userbase, but there it is. Released as 
"delv", the Domain Entity Lookup and Validation tool. And Unix 
continues to ... evolv ... while humor degrades. :)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
In office #1, the "company.com" master zone is updated automatically from
some Windows machines in DNS1 and in office #2 the same zone is updated
manually in DNS2 by the administrator who shouldn't update (using freeze
and unfreeze) the master zone from office #1. This is the scenario, and we
need that a simple query to DNS1 be responded with any record from both
zones.

Thanks again


On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy  wrote:

>  Oh, I thought this was an external-versus-internal scenario. But, this
> is even easier.
>
> A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the
> "stealth" variety, if you want) of the other
> B) People use nsupdate to maintain the zone
>
> For security, TSIG-sign the updates. For fast change propagation, set up
> NOTIFY if and as necessary.
>
>
> - Kevin
>
>
> On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:
>
> Dear John, this is my scenario:
>
>  1) Office 1: people work with some machines and fill up a local master
> zone "company.com" with records in DNS1
> 2) Office 2: people works with some others machines and fill up a local
> master zone "company.com" with another records in DNS2
>
>  So both office have a different master zone.
>
>  Both offices belong to the same company, so I need that any client PC
> can resolve a hostname from "company.com" domain, independently if this
> record is in DNS1 or DNS2.
>
>  Thanks again, regards.
>
>  JeLo
>
>
>
> On Wed, Apr 30, 2014 at 5:21 PM, John Miller wrote:
>
>>  Hi Jeronimo,
>>
>>  First of all, please just tell us the real domain.  Yes, we could try
>> and talk about a fictitious "example.com" or "company.com," but having
>> the real domain name lets us actually query your nameservers.
>>
>>  Let me be sure I understand: you have two DNS servers.  Each of them is
>> authoritative for the same domain.  Are both set as master?
>>
>>  The two servers have different copies of the zone--what's your reason
>> for that?
>>
>>  If both servers think they are authoritative for a zone, then they will
>> answer recursive queries for those zones themselves.  From the manual:
>>
>> "Forwarding occurs only on those queries for which the server is not
>> authoritative and does not have the answer in its cache."
>>
>>  What exactly are you trying to achieve?
>>
>>  John
>>
>>
>>
>>  On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral <
>> jelocab...@gmail.com> wrote:
>>
>>>  Dear, I would like to ask for solution related with DNS (bind)
>>> configuration to allow forward requests to another DNS but related with
>>> the same domain.
>>>
>>> I'm asking about two authoritative name servers serving the same domain
>>> but with different zone file info on each and have one of them forward
>>> recursive queries to another one if first one cannot find some particular
>>> subdomain record that is missing in his version of zone file.
>>>
>>>  My named.conf.local is as follow, but it doesn't work:
>>>
>>>  zone "company.com" {
>>> type master;
>>> file "/etc/bind/zones/company.com.db";
>>> allow-transfer { key "company"; };
>>> check-names ignore;
>>> forward first;
>>> forwarders { 172.16.1.1; };
>>> };
>>>
>>>  Thanks a lot,
>>>
>>>  JeLo
>>>
>>>
>>>
>>
>>
>>
>> --
>> John Miller
>> Systems Engineer
>> Brandeis University
>> johnm...@brandeis.edu
>> (781) 736-4619
>>
>>
>
>
>
>

Re: GeoIP in 9.10 RC2

2014-04-30 Thread Jeremy C. Reed
On Wed, 30 Apr 2014, Ali Jawad wrote:

> view "US" {
> 
>        match-clients { US; };

For now please change to:

match-clients { geoip country US; };

Re: GeoIP in 9.10 RC2

2014-04-30 Thread Ali Jawad
Hi Jeremy
I did actually test with the online demo of maxmind, did redo the test with
geoiplookup ip.ip.ip.ip and it did return the correct info, so that does
not appear to be the issue.
Regards


On Wed, Apr 30, 2014 at 11:47 PM, Jeremy C. Reed  wrote:

> > So the IPv4 Country DB is recognized and loaded, but digs from US to
> > that server still result in queries from the ALL view, which is the last
> > view in the config file and the test View above is the first View in the
> > config file.
>
> You may want to try the geoiplookup (provided by GeoIP software) to
> confirm that the IPs are really matching the database.
>

Re: GeoIP in 9.10 RC2

2014-04-30 Thread Jeremy C. Reed
> So the IPv4 Country DB is recognized and loaded, but digs from US to
> that server still result in queries from the ALL view, which is the last
> view in the config file and the test View above is the first View in the
> config file.

You may want to try the geoiplookup (provided by GeoIP software) to 
confirm that the IPs are really matching the database.


GeoIP in 9.10 RC2

2014-04-30 Thread Ali Jawad
Hi
I did compile 9.10 with GeoIP; config is below:

in options

geoip-directory "/usr/share/GeoIP/";

Then

acl "US" {
  geoip country US;
};

view "US" {
   match-clients { US; };
   include "/etc/named.rfc1912.zones";
};

Start up log shows:

Apr 30 17:24:19 sj named[24407]: using "/usr/share/GeoIP/" as GeoIP directory
Apr 30 17:24:19 sj named[24407]: initializing GeoIP Country (IPv4) (type 1) DB
Apr 30 17:24:19 sj named[24407]: GEO-106FREE 20110601 Build 1 Copyright (c) 2011 MaxMind Inc All Rights Reserved


So the IPv4 Country DB is recognized and loaded, but digs from US to
that server still result in queries from the ALL view, which is the last
view in the config file and the test View above is the first View in the
config file.

Any hints ?


Regards

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread John Miller
First of all, unless you need separate views for each office, don't go down
that path.  Why are you attempting this as opposed to standard master-slave
replication?

There's something else I'm not understanding here: why would recursive
queries from one office go to the other office's nameservers?  What's
preventing you from setting up a second recursive nameserver in each office?

John



On Wed, Apr 30, 2014 at 4:32 PM, Jeronimo L. Cabral wrote:

> Dear John, this is my scenario:
>
> 1) Office 1: people work with some machines and fill up a local master
> zone "company.com" with records in DNS1
> 2) Office 2: people works with some others machines and fill up a local
> master zone "company.com" with another records in DNS2
>
> So both office have a different master zone.
>
> Both offices belong to the same company, so I need that any client PC can
> resolve a hostname from "company.com" domain, independently if this
> record is in DNS1 or DNS2.
>
> Thanks again, regards.
>
> JeLo
>
>
>
> On Wed, Apr 30, 2014 at 5:21 PM, John Miller wrote:
>
>> Hi Jeronimo,
>>
>> First of all, please just tell us the real domain.  Yes, we could try and
>> talk about a fictitious "example.com" or "company.com," but having the
>> real domain name lets us actually query your nameservers.
>>
>> Let me be sure I understand: you have two DNS servers.  Each of them is
>> authoritative for the same domain.  Are both set as master?
>>
>> The two servers have different copies of the zone--what's your reason for
>> that?
>>
>> If both servers think they are authoritative for a zone, then they will
>> answer recursive queries for those zones themselves.  From the manual:
>>
>> "Forwarding occurs only on those queries for which the server is not
>> authoritative and does not have the answer in its cache."
>>
>> What exactly are you trying to achieve?
>>
>> John
>>
>>
>>
>> On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral wrote:
>>
>>> Dear, I would like to ask for solution related with DNS (bind)
>>> configuration to allow forward requests to another DNS but related with
>>> the same domain.
>>>
>>> I'm asking about two authoritative name servers serving the same domain
>>> but with different zone file info on each and have one of them forward
>>> recursive queries to another one if first one cannot find some particular
>>> subdomain record that is missing in his version of zone file.
>>>
>>> My named.conf.local is as follow, but it doesn't work:
>>>
>>> zone "company.com" {
>>> type master;
>>> file "/etc/bind/zones/company.com.db";
>>> allow-transfer { key "company"; };
>>> check-names ignore;
>>> forward first;
>>> forwarders { 172.16.1.1; };
>>> };
>>>
>>> Thanks a lot,
>>>
>>> JeLo
>>>
>>>
>>>
>>
>>
>>
>> --
>> John Miller
>> Systems Engineer
>> Brandeis University
>> johnm...@brandeis.edu
>> (781) 736-4619
>>
>>
>
>


-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy
Oh, I thought this was an external-versus-internal scenario. But, this 
is even easier.


A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the 
"stealth" variety, if you want) of the other

B) People use nsupdate to maintain the zone

For security, TSIG-sign the updates. For fast change propagation, set up 
NOTIFY if and as necessary.


- Kevin

On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:

Dear John, this is my scenario:

1) Office 1: people work with some machines and fill up a local master 
zone "company.com" with records in DNS1
2) Office 2: people works with some others machines and fill up a
local master zone "company.com" with another
records in DNS2


So both office have a different master zone.

Both offices belong to the same company, so I need that any client PC 
can resolve a hostname from "company.com"
domain, independently if this record is in DNS1 or DNS2.


Thanks again, regards.

JeLo



On Wed, Apr 30, 2014 at 5:21 PM, John Miller > wrote:


Hi Jeronimo,

First of all, please just tell us the real domain. Yes, we could
try and talk about a fictitious "example.com "
or "company.com ," but having the real domain
name lets us actually query your nameservers.

Let me be sure I understand: you have two DNS servers.  Each of
them is authoritative for the same domain.  Are both set as master?

The two servers have different copies of the zone--what's your
reason for that?

If both servers think they are authoritative for a zone, then they
will answer recursive queries for those zones themselves.  From
the manual:

"Forwarding occurs only on those queries for which the server is
not authoritative and does not have the answer in its cache."

What exactly are you trying to achieve?

John



On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral
mailto:jelocab...@gmail.com>> wrote:

Dear, I would like to ask for solution related with DNS (bind)
configuration to allow forward requests to another DNS but
related with the same domain.

I'm asking about two authoritative name servers serving the
same domain but with different zone file info on each and have
one of them forward recursive queries to another one if first
one cannot find some particular subdomain record that is
missing in his version of zone file.

My named.conf.local is as follow, but it doesn't work:

zone "company.com " {
type master;
file "/etc/bind/zones/company.com.db";
allow-transfer { key "company"; };
check-names ignore;
forward first;
forwarders { 172.16.1.1; };
};

Thanks a lot,

JeLo


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users
to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org 
https://lists.isc.org/mailman/listinfo/bind-users




-- 
John Miller

Systems Engineer
Brandeis University
johnm...@brandeis.edu 
(781) 736-4619

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org 
https://lists.isc.org/mailman/listinfo/bind-users




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


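Kevin Darcy's suggestion in the reply above (one server a slave of the other, the zone maintained with nsupdate, updates TSIG-signed, NOTIFY for propagation), sketched as named.conf fragments. This is an added example, not configuration posted on the list; the key name `office-update`, the placeholder secret, the 192.0.2.x addresses, the slave file path and the key-file path in the comments are assumptions.

```conf
// ---- DNS1 (master): named.conf.local ----

// TSIG key that signs dynamic updates. The secret is a placeholder;
// generate a real one (for example with ddns-confgen) and keep the
// file readable only by named and by the people allowed to update.
key "office-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "company.com" {
    type master;
    file "/etc/bind/zones/company.com.db";

    // Accept updates only when signed with the key above. No
    // address-based allow-update, which can be spoofed over UDP.
    update-policy { grant office-update zonesub ANY; };

    // Transfers stay restricted to the "company" key from the
    // original post (its key statement is assumed to exist already).
    allow-transfer { key "company"; };

    // A stealth slave is not in the zone's NS set, so it must be
    // listed explicitly to receive NOTIFY.
    notify yes;
    also-notify { 192.0.2.2; };

    // No "forward"/"forwarders" here: the server is authoritative
    // for this zone, so forwarding is never consulted for it.
};

// ---- DNS2 (slave): named.conf.local ----
// The "company" key statement must also be present on this host.

zone "company.com" {
    type slave;
    // Sign transfer requests to the master with the "company" key.
    masters { 192.0.2.1 key "company"; };
    file "/var/cache/bind/company.com.db";
};

// ---- Updating from either office (run against the master) ----
//   nsupdate -k /etc/bind/office-update.key
//   > server 192.0.2.1
//   > zone company.com
//   > update add host1.company.com. 3600 A 192.0.2.10
//   > send
//
// Once the zone is dynamic, named rewrites the zone file from its
// journal; hand edits require "rndc freeze company.com" first and
// "rndc thaw company.com" afterwards.
```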

Re: GeoIP Patch for 9.9.5

2014-04-30 Thread Ali Jawad
That is actually great news, I prefer it to be built in, I think I did read
the wrong release notes in that case. I think I will give it a try.
Regards


On Wed, Apr 30, 2014 at 10:24 PM, Anand Buddhdev wrote:

> On 30/04/2014 22:14, Ali Jawad wrote:
>
> > Hi All
> >
> > I did compile latest stable 9.9.5 on Centos 6 and it worked just fine. What
> > I need to do now is enable the geo ip patch.  I have done it before for
> > earlier versions, however for the latest Bind release the available patch
> > is failing. And 9.10 is still in Alpha 2.
>
> Hi Ali,
>
> Actually 9.10 is at rc2, and probably quite close to a final release. It
> compiles and works fine on CentOS 6, although I haven't tried the GeoIP
> feature.
>
> Regards,
>
> Anand
>

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
Dear John, this is my scenario:

1) Office 1: people work with some machines and fill up a local master zone
"company.com" with records in DNS1
2) Office 2: people work with some other machines and fill up a local
master zone "company.com" with other records in DNS2

So both offices have a different master zone.

Both offices belong to the same company, so I need that any client PC can
resolve a hostname from "company.com" domain, independently if this record
is in DNS1 or DNS2.

Thanks again, regards.

JeLo



On Wed, Apr 30, 2014 at 5:21 PM, John Miller wrote:

> Hi Jeronimo,
>
> First of all, please just tell us the real domain.  Yes, we could try and
> talk about a fictitious "example.com" or "company.com," but having the
> real domain name lets us actually query your nameservers.
>
> Let me be sure I understand: you have two DNS servers.  Each of them is
> authoritative for the same domain.  Are both set as master?
>
> The two servers have different copies of the zone--what's your reason for
> that?
>
> If both servers think they are authoritative for a zone, then they will
> answer recursive queries for those zones themselves.  From the manual:
>
> "Forwarding occurs only on those queries for which the server is not
> authoritative and does not have the answer in its cache."
>
> What exactly are you trying to achieve?
>
> John
>
>
>
> On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral wrote:
>
>> Dear, I would like to ask for a solution related with DNS (bind)
>> configuration to allow forward requests to another DNS but related with
>> the same domain.
>>
>> I'm asking about two authoritative name servers serving the same domain
>> but with different zone file info on each and have one of them forward
>> recursive queries to another one if first one cannot find some particular
>> subdomain record that is missing in his version of zone file.
>>
>> My named.conf.local is as follows, but it doesn't work:
>>
>> zone "company.com" {
>> type master;
>> file "/etc/bind/zones/company.com.db";
>> allow-transfer { key "company"; };
>> check-names ignore;
>> forward first;
>> forwarders { 172.16.1.1; };
>> };
>>
>> Thanks a lot,
>>
>> JeLo
>>
>>
>>
>
>
>
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
> (781) 736-4619
>
>

Re: GeoIP Patch for 9.9.5

2014-04-30 Thread Anand Buddhdev
On 30/04/2014 22:14, Ali Jawad wrote:

> Hi All
> 
> I did compile latest stable 9.9.5 on Centos 6 and it worked just fine. What
> I need to do now is enable the geo ip patch.  I have done it before for
> earlier versions, however for the latest Bind release the available patch
> is failing. And 9.10 is still in Alpha 2.

Hi Ali,

Actually 9.10 is at rc2, and probably quite close to a final release. It
compiles and works fine on CentOS 6, although I haven't tried the GeoIP
feature.

Regards,

Anand


Re: a note on 9.10.0rc2: eleven, twelve; dig and delv(e)

2014-04-30 Thread Doug Barton

Evan,

I mulled over your response and considered not pursuing this further, 
but apparently I can't help myself. :)


On 04/27/2014 12:00 PM, Evan Hunt wrote:
> On Sun, Apr 27, 2014 at 07:36:22PM +0100, Chris Thompson wrote:
>> I rather liked "delve", but the truncation to "delv" does indeed seem
>> suboptimal in those respects, and quite ugly as well.
>
> I found that my initial "ugh, ugly" reaction wore off after I'd typed it
> the new way a couple of times.


Human beings' ability to adapt is remarkable. That doesn't mean that 
every thing we adapt to is a good thing.



> But, indeed, if I'd known this was going to be a problem a month ago,
> I would have happily put it to discussion and a vote.  Unfortunately
> the bug report came in only a couple of days before the originally-
> scheduled publication of 9.10.0, and I decided it would be better to
> live with an imperfect name than deal with the fallout of changing it
> after it was officially released.


I'm not seeing any official releases for 9.10, only release candidates. 
Apologies if I've missed something obvious here. If I'm right about this 
not being released yet, it means you still have plenty of time to come 
up with another name. As much as the thing may seem to be settled from 
your perspective (dealing with it day to day) the exposure that 9.10 has 
received to date is only a tiny fraction of what it will be after the 
official release.


I encourage you(pl.) to reconsider your decision to actually release as is.


> Anyway, now it can hang around and commiserate with resolv.conf.


Evidence of prior bad decisions does not provide justification for 
future bad decisions. :)


Doug




Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread John Miller
Hi Jeronimo,

First of all, please just tell us the real domain.  Yes, we could try and
talk about a fictitious "example.com" or "company.com," but having the real
domain name lets us actually query your nameservers.

Let me be sure I understand: you have two DNS servers.  Each of them is
authoritative for the same domain.  Are both set as master?

The two servers have different copies of the zone--what's your reason for
that?

If both servers think they are authoritative for a zone, then they will
answer recursive queries for those zones themselves.  From the manual:

"Forwarding occurs only on those queries for which the server is not
authoritative and does not have the answer in its cache."

What exactly are you trying to achieve?

John



On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral wrote:

> Dear, I would like to ask for a solution related with DNS (bind)
> configuration to allow forward requests to another DNS but related with
> the same domain.
>
> I'm asking about two authoritative name servers serving the same domain
> but with different zone file info on each and have one of them forward
> recursive queries to another one if first one cannot find some particular
> subdomain record that is missing in his version of zone file.
>
> My named.conf.local is as follows, but it doesn't work:
>
> zone "company.com" {
> type master;
> file "/etc/bind/zones/company.com.db";
> allow-transfer { key "company"; };
> check-names ignore;
> forward first;
> forwarders { 172.16.1.1; };
> };
>
> Thanks a lot,
>
> JeLo
>
>
>



-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy

Being authoritative means that you know everything about the zone.

If you know everything about a zone, why ask anyone else?

Split DNS does not follow the DNS paradigm, so there is no "standard" 
way to implement it, and despite many people asking over the years, 
there is no "NXDOMAIN failover forwarding" mechanism in BIND, nor is 
there any clear consensus that there *should* be (<diatribe against forwarding in general>).


Bite the bullet: do parallel updates to both zones, for records that 
need to be present in both versions.


- Kevin

On 4/30/2014 3:55 PM, Jeronimo L. Cabral wrote:

> Dear, I would like to ask for a solution related with DNS (bind)
> configuration to allow forward requests to another DNS but related
> with the same domain.
>
> I'm asking about two authoritative name servers serving the same
> domain but with different zone file info on each and have one of them
> forward recursive queries to another one if first one cannot find some
> particular subdomain record that is missing in his version of zone file.
>
> My named.conf.local is as follows, but it doesn't work:
>
> zone "company.com" {
> type master;
> file "/etc/bind/zones/company.com.db";
> allow-transfer { key "company"; };
> check-names ignore;
> forward first;
> forwarders { 172.16.1.1; };
> };
>
> Thanks a lot,
>
> JeLo



GeoIP Patch for 9.9.5

2014-04-30 Thread Ali Jawad
Hi All

I did compile latest stable 9.9.5 on Centos 6 and it worked just fine. What
I need to do now is enable the geo ip patch.  I have done it before for
earlier versions, however for the latest Bind release the available patch
is failing. And 9.10 is still in Alpha 2.

So does anybody know about a working patch to get GeoIP on 9.9.5?

Regards

Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
Dear, I would like to ask for a solution related with DNS (bind)
configuration to allow forward requests to another DNS but related with the
same domain.

I'm asking about two authoritative name servers serving the same domain but
with different zone file info on each and have one of them forward
recursive queries to another one if first one cannot find some particular
subdomain record that is missing in his version of zone file.

My named.conf.local is as follows, but it doesn't work:

zone "company.com" {
type master;
file "/etc/bind/zones/company.com.db";
allow-transfer { key "company"; };
check-names ignore;
forward first;
forwarders { 172.16.1.1; };
};

Thanks a lot,

JeLo

Re: How to setup a backup NameServer?

2014-04-30 Thread Matus UHLAR - fantomas

On 29.04.14 10:24, houguanghua wrote:
> I'm designing how to protect DNS for an ISP. The zones are not owned by the
> ISP.  The ISP wants to protect the DNS query during attacking.
>
> So it's not standard DNS solution.  During the attacking, the backup server
> will provide the DNS query and it works even if it can't refresh zones
> from primary NS.  Backup server is configured the private IP of this ISP.
> All local DNS servers of this ISP knows where is the backup server.


ISP should just run a few recursive DNS servers for its clients.

They do not need to be accessible from the internet, only from its
customers' IPs.

Simply run a few DNS servers for your (and your clients) DNS zones, that do
not provide recursive DNS (only zones) and a few DNS servers that only
serve recursive DNS for ISP clients.

This is (or at least should be) standard DNS servers' configuration at any
ISP.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
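The separation Matus describes in the reply above (authoritative servers that never recurse, and recursive servers reachable only from customer addresses), sketched as named.conf fragments for the two roles. This is an added example, not configuration from the thread; the ACL name `customers`, the zone name `example.net`, its file path and the 198.51.100.0/24 and 203.0.113.0/24 ranges are constructed placeholders.

```conf
// ---- Role 1: authoritative-only server (its own host, its own named.conf) ----
// Serves the ISP's and its customers' zones to the whole Internet and
// refuses to resolve anything else, so it cannot be used as an open resolver.
options {
    recursion no;
    allow-query       { any; };
    allow-query-cache { none; };
    allow-transfer    { none; };   // open per zone, to the slaves only
};

zone "example.net" {               // constructed zone name
    type master;
    file "zones/example.net.db";
};

// ---- Role 2: recursive-only server (a different host) ----
// Resolves for customers only and hosts no public zones. Queries from
// any address outside the ACL are refused.
acl customers {
    198.51.100.0/24;               // constructed customer ranges
    203.0.113.0/24;
    localhost;
};

options {
    recursion yes;
    allow-query       { customers; };
    allow-recursion   { customers; };
    allow-query-cache { customers; };
};
```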


Re: Strange validation failure for answers.ssh.com

2014-04-30 Thread Tony Finch
Tony Finch wrote:

> We have a couple of recursive servers running 9.9.5 which are persistently
> unable to validate answers.ssh.com, returning SERVFAIL.

Some days later one of our servers has been restarted and is successfully
resolving this name. The other is still persistently failing. Shouldn't
something have timed out or expired and allowed the server to recover?

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Forth, Tyne, Dogger: Variable 3, becoming east 4 or 5, occasionally 6 later.
Slight becoming moderate. Occasional rain, fog banks until later. Poor or very
poor, becoming moderate or good later.


Re: How to disable DNSSEC/EDNS for lwresd

2014-04-30 Thread Tomas Hozza
- Original Message -
> 
> In message <483759859.6291670.1398781076480.javamail.zim...@redhat.com>, Tomas Hozza writes:
> > Hi.
> > 
> > I'm trying to disable DNSSEC/EDNS for the lwresd using the
> > following lwresd.conf:
> > 
> > options {
> > directory "/var/named/";
> > 
> > dnssec-enable no;
> > dnssec-validation no;
> > 
> > pid-file "/run/named/lwresd.pid";
> > session-keyfile "/run/named/session.key";
> > };
> > 
> > lwres {
> > search {example1.;};
> > ndots 1;
> > };
> > 
> > But it seems that the 'dnssec-enable no;' statement has no
> > influence on the EDNS usage in queries sent by lwresd.
> 
> "dnssec-enable no;" controls how named responds to DO=1 queries.
> It is a no-op to lwresd as it is not processing DNS requests.
>  
> > I was able to disable EDNS when lwres is run as named
> > using:
> > 
> > server 0.0.0.0/0 {
> > edns no;
> > };
> > 
> > server ::/0 {
> > edns no;
> > };
> 
> Just add the server clauses to lwresd.conf.
> 
> "lwresd -c lwresd.conf" is running as lwresd
> "lwresd -C resolv.conf" is running as lwresd
> "lwresd" is the same as "lwresd -C /etc/resolv.conf"
> 
> "named -c named.conf" (with a lwres clause) is running as both named and
> lwresd
> "named -c named.conf" (without a lwres clause) is running as just named

Thank you for the explanation. I was apparently running lwresd with pointing
it to resolv.conf instead of lwresd.conf. Everything works fine now.

Regards,
Tomas

> > in the configuration. However I was not able to disable EDNS
> > when running lwresd.
> > 
> > We have a user that would like to disable EDNS to reduce the
> > overhead it adds and improve the performance. The DNSSEC is
> > not a priority for them.
> > 
> > Is there way to disable DNSSEC/EDNS for lwresd?
> > 
> > Thank you in advance.
> > 
> > 
> > Regards,
> > --
> > Tomas Hozza
> > Software Engineer - EMEA ENG Developer Experience
> > 
> > PGP: 1D9F3C2D
> > Red Hat Inc.   http://cz.redhat.com
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> 
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com