Re: Multiple A records and reverse DNS

2016-03-19 Thread John Miller
Which FQDN does your mail server use for its EHLO?  It should use the
same name that's listed in reverse DNS.

John

On Thu, Mar 17, 2016 at 9:53 AM, Thomas Schulz  wrote:
> This is not a BIND question but I hope people here will know the answer.
> We are switching service providers and I understand that many email SPAM
> prevention systems insist on the reverse DNS matching the forward DNS.
> If I have two A records for our mail server and the reverse record matches
> one of them, will that be good enough. Or will the fact that the other A
> record does not match cause trouble.
>
> Tom Schulz
> Applied Dynamics Intl.
> sch...@adi.com
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619


RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Tony Finch
Mike Bernhardt  wrote:

> Please confirm that if a DNS query is sent to the virtual address, the reply
> will be sourced from the virtual address.

Yes.

(query-source doesn't affect replies.)

> The documentation for keepalived isn't very good, but as near as I can tell
> it does not support bringing up an application like BIND along with a VRRP
> address.

I leave named permanently running on my servers. It listens on the routing
socket so it knows when keepalived changes the interface addresses.
Keepalived runs health checks so it knows when to fail over and which
standby servers are able to take over.

More details at http://fanf.livejournal.com/133294.html

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Dover, Wight, Portland, Plymouth: East or northeast 5 to 7, decreasing 4 at
times in shelter. Slight or moderate, occasionally rough later in Plymouth.
Fair. Moderate or good.


Multiple A records and reverse DNS

2016-03-19 Thread Thomas Schulz
This is not a BIND question but I hope people here will know the answer.
We are switching service providers and I understand that many email SPAM
prevention systems insist on the reverse DNS matching the forward DNS.
If I have two A records for our mail server and the reverse record matches
one of them, will that be good enough. Or will the fact that the other A
record does not match cause trouble.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Majid Mir
Thank you for your response.. I thought of that earlier, but when I run the
exact same configure options on an older machine of ours (for 9.10.1) it
creates the output files just fine.. That is where it confused me.

Thanks


On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews  wrote:

>
> *Think* about the arguments you are passing to configure.  You told configure
> to NOT CREATE the makefiles.
>
> Mark
>
> In message  n04fgwsxyatzh5a7f...@mail.gmail.com>
> , Majid Mir writes:
> >
> > Hello all
> >
> > I am trying to compile Bind 9.10.3-P4 from source and whenever I try to run
> > the following:
> >
> > ./configure --sbindir=/usr/sbin --sysconfdir=/etc/bind --with-openssl
> > --disable-openssl-version-check --no-create --no-recursion
> >
> >
> > I receive the following error after the configuration script is fully
> > executed:
> >
> > configure: creating ./config.status
> > make: *** No rule to make target `clean'.  Stop.
> >
> > When I try to run make, I get:
> >
> > make: *** No targets specified and no makefile found.  Stop.
> >
> > Yet in both the untarred source code directory as well as the make
> > directory within it, both have a Makefile.in file.
> >
> > I have absolutely no idea how to get this configure script to create the
> > makefile!  I have to use those configuration options because that is what
> > we used on our previous installs (Bind 9.10.1)  on other servers. Also when
> > I run ./configure without any options, the make file is created with no
> > issues!  I am totally confused
> >
> > All help is greatly appreciated!
> >
> >
> > Thank you!
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Mike Bernhardt
Please confirm that if a DNS query is sent to the virtual address, the reply
will be sourced from the virtual address. The reason for restricting BIND to
a single address was mostly for firewall and administrative simplicity, but
that's not a big deal as long as the same address is used both directions.

The documentation for keepalived isn't very good, but as near as I can tell
it does not support bringing up an application like BIND along with a VRRP
address. Maybe I'm wrong? The cluster.org package works great except for the
lack of an interface, so I've posted over there also to see if it's possible
to build a virtual interface for the IP, but I doubt it.

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at] 
Sent: Tuesday, March 15, 2016 5:40 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: PCS, Corosync, Pacemaker, and Bind

Mike Bernhardt  wrote:
>
> I'm setting up a new CentOS 7 DNS server cluster to replace our very 
> old CentOS 4 cluster. The old one uses heartbeat which is no longer 
> supported, so I'm now using pcs, corosync, and pacemaker.

I suggest having a look at keepalived: it's significantly simpler.

> I want BIND to listen on, query from, etc on a particular IP address, 
> which is virtualized. The options currently used are:
> query-source address
> listen-on
> notify-source
>
> listen-on isn't a big deal, but the source address options are.

Why do you care about the query source address?

I don't set any of those options and just let BIND pick whatever source
address it wants; it might choose the server admin address or the advertised
service address, and that doesn't matter because everything else is
configured to accommodate this.

Tony.
--
f.anthony.n.finch http://dotat.at/
Shannon, Rockall: Southeast 4 or 5, increasing 6 at times in Shannon. Moderate
or rough. Fair. Mainly good.




Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
I did not mean forwarders, but I had a case where the authoritative name
servers for a domain were down
for an extended period of time, exceeding the ttl for their records. I was
curious if I could tell my DNS servers
to serve these records for longer than the registered ttl. And I wanted to
automate that.

But I'm afraid that's not gonna fly.

Ron



On Thu, Mar 17, 2016 at 4:27 PM, Darcy Kevin (FCA)  wrote:

> By “upstream” I assume you’re talking about forwarders. If your forwarders
> are flakey, have you ever considered simply *not forwarding*? That
> would seem to be a better, structural solution to your problem, than
> holding DNS data beyond its cache-expiration time (a really BAD idea).
>
>
>
>
> - Kevin
>
> *--*
>
> Kevin Darcy
> NAFTA Information Security Projects
>
>
>
> FCA US LLC
>
> 1075 W Entrance Dr,
>
> Auburn Hills, MI 48326
>
> USA
>
>
>
> Telephone: +1 (248) 838-6601
> Mobile: +1 (810) 397-0103
>
> Email: kevin.da...@fcagroup.com
>
>
>
> *From:* bind-users-boun...@lists.isc.org [mailto:
> bind-users-boun...@lists.isc.org] *On Behalf Of *Ron
> *Sent:* Thursday, March 17, 2016 7:37 AM
> *To:* bind-users@lists.isc.org
> *Subject:* Can bind be configured to not drop RR's from the cache when
> the upstream DNS server is unresponsive
>
>
>
> Hi,
>
>
>
> subject says all. Read manpages, could not find this in the FAQ's.
>
> Hope this is possible. If not does anyone know of other name servers
>
> that offer this option?
>
>
>
> Thanks,
>
> Ron Arts
>
>
>
>
>

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Barry Margolin
In article ,
 Dave Warren  wrote:

> My current logic is that I do a SOA query and check the serial number, 
> if it has changed, I query every needed hostname into a temp file, and 
> if every single query was successful, check the SOA again, and if it 
> still matches, update the /etc/hosts. If anything goes wrong (including 
> a mismatch between the SOA), dump the temp file and try again.

That's feasible if you can reconfigure all the client machines to do 
this. It's not very scalable if you have a network of machines running 
different operating systems, and you'd like to have your central 
resolver take care of all the caching.

-- 
Barry Margolin
Arlington, MA
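
The procedure Dave Warren describes in the quoted text (SOA serial, query every name, SOA serial again, then update /etc/hosts) as an added Python example, not code from anyone in the thread. The resolver is passed in as two callables so it runs offline against the constructed `FakeZone`; the function names, the marker comment and the file handling are assumptions.

```python
import os
import tempfile

MARK = "# pinned-from-dns"  # constructed marker for the lines this script owns


def snapshot(names, get_serial, lookup, last_serial=None):
    """Return (status, serial, table); table is set only when status is 'ok'."""
    before = get_serial()
    if before is None:
        return ("soa-failed", None, None)
    if before == last_serial:
        return ("unchanged", before, None)
    table = {}
    for name in names:
        addrs = lookup(name)
        if not addrs:                     # one failed query discards everything
            return ("lookup-failed", before, None)
        table[name] = sorted(addrs)[0]
    if get_serial() != before:            # zone changed while we were querying
        return ("serial-moved", before, None)
    return ("ok", before, table)


def write_hosts(path, table):
    """Replace only the MARK-tagged lines, using a temp file and atomic rename."""
    keep = []
    if os.path.exists(path):
        with open(path) as fh:
            keep = [ln for ln in fh.read().splitlines() if not ln.endswith(MARK)]
    lines = keep + ["%s\t%s\t%s" % (ip, name, MARK)
                    for name, ip in sorted(table.items())]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)                  # mkstemp creates the file as 0600
    os.replace(tmp, path)
    return lines


def refresh(path, names, get_serial, lookup, last_serial=None, attempts=3):
    """Retry an inconsistent snapshot; the hosts file is touched only on 'ok'."""
    status = "soa-failed"
    for _ in range(attempts):
        status, serial, table = snapshot(names, get_serial, lookup, last_serial)
        if status == "ok":
            write_hosts(path, table)
            return (status, serial)
        if status == "unchanged":
            return (status, serial)
    return (status, last_serial)          # keep the old serial so the next run retries


class FakeZone:
    """Constructed stand-in for the authoritative servers (not a real resolver)."""

    def __init__(self, serial, records, bump_after=None):
        self.serial = serial
        self.records = records
        self.bump_after = bump_after      # bump the serial during the Nth lookup
        self.lookups = 0

    def get_serial(self):
        return self.serial

    def lookup(self, name):
        self.lookups += 1
        if self.bump_after is not None and self.lookups == self.bump_after:
            self.serial += 1
        return self.records.get(name, [])


if __name__ == "__main__":
    zone = FakeZone(2016031701, {"api.supplier.example": ["192.0.2.5"]})
    print(snapshot(["api.supplier.example"], zone.get_serial, zone.lookup))
```

Entries written this way outlive the published TTL, which is the risk raised elsewhere in the thread, so the marker keeps them easy to find and remove once the official servers are working again.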


RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Lightner, Jeff
You might want to try "ip a" vs ifconfig.   RHEL7 uses Network Manager and in 
the past I've found some things don't show up in ifconfig output when doing 
alias/virtual interfaces.  

Usually even when other products (e.g. Oracle RAC/GRID) create virtual 
interfaces they still show up as valid interfaces at host level.   I've not 
tried PCS/Corosync.

You might also look at arp output to see if it shows any traffic on a specific 
MAC.


-----Original Message-----
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Phil Mayers
Sent: Wednesday, March 16, 2016 5:14 AM
To: bind-users@lists.isc.org
Subject: Re: PCS, Corosync, Pacemaker, and Bind

On 15/03/16 23:06, Mike Bernhardt wrote:

> So, I'm hoping that either
> 1) There is a way to tell BIND to use an IP address that is not on an 
> interface, or

I don't think there is.

I can think of all kinds of horrible workarounds - iptables SNAT, shell script 
doing a config-change & rndc reconfig on pcs failover.

But in general I'd agree with what Tony Finch said - give some thought to why 
you're caring about these source IPs.

TBH having used pcs/corosync I'm really curious what your use-case is. 
It seems massive overkill for having highly-available DNS.



Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Mark Andrews

How do you actually expect this to ever work in real life?

If a service knows it is going to be disconnected for an extended
period of time there are plenty of third party DNS providers that
can serve the zone and be delegated to.  If it happens after the
fact then they should spin up new servers and populate the zone and
redelegate to these.

Caches will generally have expired / not learnt the records by the
time you realise that you want to keep records longer so there is
no point even coding support for this into caches.  We don't have
time machines.

If you are desperate configure the zones locally on your servers
and populate the content.  Just don't forget to undo this once the
official servers are working.

Mark


In message 
, Ron writes:
> 
> In general you're right of course,
> 
> but in this case it's a supplier who is unable to keep his DNS servers
> working, and we just want to keep the connectivity.
> 
> For various reasons it's not that easy to switch to a new supplier,
> and in any case we need an intermediate solution.
> 
> Ron
> 
> 
> On Thu, Mar 17, 2016 at 11:17 PM, Darcy Kevin (FCA) <
> kevin.da...@fcagroup.com> wrote:
> 
> > Using DNS records beyond the owner-published TTL is risky business. You
> > can’t even know if the same legal entity is providing the content or
> > services previously published at that address/endpoint, and this
> > uncertainty raises security and/or liability concerns.
> >
> >
> >
> >
> > - Kevin
> >
> >
> >
> >
> >
> > *From:* Ron [mailto:ron.a...@gmail.com]
> > *Sent:* Thursday, March 17, 2016 11:46 AM
> > *To:* Darcy Kevin (FCA)
> > *Cc:* bind-users@lists.isc.org
> > *Subject:* Re: Can bind be configured to not drop RR's from the cache
> > when the upstream DNS server is unresponsive
> >
> >
> >
> > I did not mean forwarders, but I had a case where the authoritative name
> > servers for a domain were down
> >
> > for an extended period of time, exceeding the ttl for their records. I was
> > curious if I could tell my DNS servers
> >
> > to serve these records for longer than the registered ttl. And I wanted to
> > automate that.
> >
> >
> >
> > But I'm afraid that's not gonna fly.
> >
> >
> >
> > Ron
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Mar 17, 2016 at 4:27 PM, Darcy Kevin (FCA) <
> > kevin.da...@fcagroup.com> wrote:
> >
> > By “upstream” I assume you’re talking about forwarders. If your forwarders
> > are flakey, have you ever considered simply *not forwarding*? That
> > would seem to be a better, structural solution to your problem, than
> > holding DNS data beyond its cache-expiration time (a really BAD idea).
> >
> >
> >
> >
> > - Kevin
> >
> > *--*
> >
> > Kevin Darcy
> > NAFTA Information Security Projects
> >
> >
> >
> > FCA US LLC
> >
> > 1075 W Entrance Dr,
> >
> > Auburn Hills, MI 48326
> >
> > USA
> >
> >
> >
> > Telephone: +1 (248) 838-6601
> > Mobile: +1 (810) 397-0103
> >
> > Email: kevin.da...@fcagroup.com
> >
> >
> >
> > *From:* bind-users-boun...@lists.isc.org [mailto:
> > bind-users-boun...@lists.isc.org] *On Behalf Of *Ron
> > *Sent:* Thursday, March 17, 2016 7:37 AM
> > *To:* bind-users@lists.isc.org
> > *Subject:* Can bind be configured to not drop RR's from the cache when
> > the upstream DNS server is unresponsive
> >
> >
> >
> > Hi,
> >
> >
> >
> > subject says all. Read manpages, could not find this in the FAQ's.
> >
> > Hope this is possible. If not does anyone know of other name servers
> >
> > that offer this option?
> >
> >
> >
> > Thanks,
> >
> > Ron Arts
> >
> >
> >
> >
> >
> >

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Anders Löwinger

On 2016-03-18 00:12, G.W. Haywood wrote:

> I'd just put something in /etc/hosts and send myself an email every
> month or so to remind me I'd done that.

I once wrote a script that periodically did zonetransfer, parsed output
and updated the /etc/hosts file.



/Anders



Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Alan Clegg

On 3/17/16, 10:15 AM, "Ron"  wrote:

> According to the BIND9 docs:
>
> cleaning-interval This interval is effectively obsolete. Previously, the
> server would remove expired resource records from the cache every
> cleaning-interval minutes. BIND 9 now manages cache memory in a more
> sophisticated manner and does not rely on the periodic cleaning any more.
> Specifying this option therefore has no effect on the server's behavior.

This is about data in cache that is expired.  BIND never served expired
data to query requests.

I can definitely see how this could be confused, however.  Good catch.

AlanC




Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
On Fri, Mar 18, 2016 at 9:43 AM, Ron  wrote:
>
> How about a list of domains for which cached RRs will not be purged
> _unless_ a different RR is supplied by the 'upstream' server?
>

Or, with Barry Margolin's comments in mind, a dynamic list, which is
compiled from the domains that are accessed, say, at least once a day
(or some other configurable timeframe).

Ron


Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread G.W. Haywood

Hi there,

On Thu, 17 Mar 2016, Ron wrote:

> ... in this case it's a supplier who is unable to keep his DNS servers
> working, and we just want to keep the connectivity.


I'd just put something in /etc/hosts and send myself an email every
month or so to remind me I'd done that.

--

73,
Ged.




Re: Multiple A records and reverse DNS

2016-03-19 Thread Blake Hudson
Tom, when your mail server establishes a connection to another host, the 
receiving host will likely automatically check the PTR record of the IP 
address your server used as its source address. This PTR record should
have a corresponding A record that points to the same IP address that 
was looked up in the PTR record. This is sometimes referred to as a 
"verified" hostname. Without this, receiving mail servers may sometimes 
log your rDNS as unknown, which can look spammy to subsequent spam 
filters. You can have any number of other A records that point to your 
server, they are irrelevant to PTR verification.


Example:

Your reverse zone:
1.1.1.1.in-addr.arpa.   IN  PTR    mail.adi.com.

Your adi.com zone:
mail.adi.com.           IN  A      1.1.1.1
smtp.adi.com.           IN  A      1.1.1.1
www.adi.com.            IN  A      1.1.1.1
foo.adi.com.            IN  CNAME  www.adi.com.

All that matters to PTR verification is that 1.1.1.1 has a PTR record and
that PTR record exists as an A or CNAME that eventually points back to 
1.1.1.1


As others have pointed out, this is best common practice for outgoing
mail servers aka mail relays; however, I generally recommend having
valid PTR records and having matching forward records for any servers.
Maybe it's just me, but most of my servers send email - even MX servers
(they do create NDR notices from time to time).


--Blake


Thomas Schulz wrote on 3/17/2016 8:53 AM:

> This is not a BIND question but I hope people here will know the answer.
> We are switching service providers and I understand that many email SPAM
> prevention systems insist on the reverse DNS matching the forward DNS.
> If I have two A records for our mail server and the reverse record matches
> one of them, will that be good enough. Or will the fact that the other A
> record does not match cause trouble.
>
> Tom Schulz
> Applied Dynamics Intl.
> sch...@adi.com
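
The PTR verification described in the reply above, together with the EHLO check from John Miller's reply, as an added Python example that is not part of the thread. The adi.com records are copied from the post; the 192.0.2.x addresses, the `*.example` names and the function names are constructed for illustration, and the lookup runs against an in-memory table rather than a live resolver.

```python
import ipaddress

# Constructed zone data. The adi.com / 1.1.1.1 records copy the example in the
# post; the 192.0.2.x and *.example entries are made up to cover failure cases.
ZONE = {
    ("1.1.1.1.in-addr.arpa.", "PTR"): ["mail.adi.com."],
    ("mail.adi.com.", "A"): ["1.1.1.1"],
    ("smtp.adi.com.", "A"): ["1.1.1.1"],
    ("www.adi.com.", "A"): ["1.1.1.1"],
    ("foo.adi.com.", "CNAME"): ["www.adi.com."],
    # PTR target is a CNAME whose final name has two A records, one matching.
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["relay.example."],
    ("relay.example.", "CNAME"): ["out.example."],
    ("out.example.", "A"): ["192.0.2.11", "192.0.2.10"],
    # PTR exists but the forward record points somewhere else.
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["host.example."],
    ("host.example.", "A"): ["192.0.2.99"],
    # CNAME loop: resolution must terminate and count as unresolved.
    ("loop.example.", "CNAME"): ["loop.example."],
}


def reverse_name(ip):
    """Name under in-addr.arpa / ip6.arpa that holds the PTR record for ip."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def resolve_addresses(name, zone, max_cname=8):
    """Follow CNAMEs from name and return the set of addresses it ends at."""
    seen = set()
    name = name.lower()
    for _ in range(max_cname + 1):
        if name in seen:                  # CNAME loop
            return set()
        seen.add(name)
        addrs = zone.get((name, "A"), []) + zone.get((name, "AAAA"), [])
        if addrs:
            return {ipaddress.ip_address(a) for a in addrs}
        target = zone.get((name, "CNAME"))
        if not target:
            return set()
        name = target[0].lower()
    return set()                          # chain longer than max_cname


def verify_ptr(ip, zone):
    """Return (status, names): the PTR names whose forward lookup includes ip."""
    addr = ipaddress.ip_address(ip)
    ptr_names = zone.get((reverse_name(ip), "PTR"), [])
    if not ptr_names:
        return ("no-ptr", [])
    verified = [n for n in ptr_names if addr in resolve_addresses(n, zone)]
    return ("verified", verified) if verified else ("unverified", [])


def ehlo_matches(ip, ehlo_name, zone):
    """True when the EHLO name is one of the verified PTR names for ip."""
    status, names = verify_ptr(ip, zone)
    want = ehlo_name.lower().rstrip(".") + "."
    return status == "verified" and want in [n.lower() for n in names]


if __name__ == "__main__":
    for ip in ("1.1.1.1", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, verify_ptr(ip, ZONE))
```

Only the name in the PTR record is followed forward; smtp.adi.com and www.adi.com never enter the check, which is why extra A records pointing at the same address do not affect the result.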


Re: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Graham Clinch

> Please confirm that if a DNS query is sent to the virtual address, the reply
> will be sourced from the virtual address. The reason for restricting BIND to
> a single address was mostly for firewall and administrative simplicity, but
> that's not a big deal as long as the same address is used both directions.

Yes, the correct source address is used (the source of a response is the
destination of the inbound query).  However, onward queries that bind
makes on behalf of a client (eg if recursing) will use whatever address
(or presumably query-source/query-source-v6).  The default query source
always seems to be the primary address of an interface, as far as I've seen.

> The documentation for keepalived isn't very good, but as near as I can tell
> it does not support bringing up an application like BIND along with a VRRP
> address. Maybe I'm wrong? The cluster.org package works great except for the
> lack of an interface, so I've posted over there also to see if it's possible
> to build a virtual interface for the IP, but I doubt it.

Our recursive servers run keepalived to juggle the two service addresses
that we advertise, and we don't set query-source, listen-on or
notify-source.  I don't see any benefit in moving the query/notify
source addresses between hosts, especially since it makes it hard to
test/monitor a host that isn't in service at the moment.

Keepalived calls 'rndc scan' to nudge the already-running named when
addresses appear/disappear, but I think this might be a historical thing
now that bind can watch the routing socket.

Graham



> 
> -----Original Message-----
> From: Tony Finch [mailto:d...@dotat.at] 
> Sent: Tuesday, March 15, 2016 5:40 PM
> To: Mike Bernhardt
> Cc: bind-users@lists.isc.org
> Subject: Re: PCS, Corosync, Pacemaker, and Bind
> 
> Mike Bernhardt  wrote:
>>
>> I'm setting up a new CentOS 7 DNS server cluster to replace our very 
>> old CentOS 4 cluster. The old one uses heartbeat which is no longer 
>> supported, so I'm now using pcs, corosync, and pacemaker.
> 
> I suggest having a look at keepalived: it's significantly simpler.
> 
>> I want BIND to listen on, query from, etc on a particular IP address, 
>> which is virtualized. The options currently used are:
>> query-source address
>> listen-on
>> notify-source
>>
>> listen-on isn't a big deal, but the source address options are.
> 
> Why do you care about the query source address?
> 
> I don't set any of those options and just let BIND pick whatever source
> address it wants; it might choose the server admin address or the advertised
> service address, and that doesn't matter because everything else is
> configured to accommodate this.
> 
> Tony.
> --
> f.anthony.n.finch http://dotat.at/
> Shannon, Rockall: Southeast 4 or 5, increasing 6 at times in Shannon. Moderate
> or rough. Fair. Mainly good.
> 
> 


Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Barry S. Finkel

On 3/17/2016  12:36:31 +0100 Ron wrote:


> Can bind be configured to not drop RR's from the cache when
> the upstream DNS server is unresponsive?
>
> Hi,
>
> subject says all. Read manpages, could not find this in the FAQ's.
> Hope this is possible. If not does anyone know of other name servers
> that offer this option?
>
> Thanks,
> Ron Arts


It seems to me that one task of the BIND process is periodically
to scan the cache to find entries whose TTL has expired.  That
process, per the DNS RFCs, will remove all entries whose TTL has
expired.  The process should not check to ensure that at least
one of the upstream DNS servers is responsive, as by definition
the record has expired and should not remain in DNS.  It is the
owner of the record who sets the TTL, and if the TTL is too short
AND all of the DNS servers that serve that record are inaccessible,
then the owner of the record has a problem.

--Barry Finkel


Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Majid Mir
I think I know why it worked on the old server.. it is because there is an
existing Makefile already.. I am going to rename the existing makefile and
see if it creates one. If it doesn't, then I will know that the no-create
option is the culprit!

Thanks for your help.. I will report back with what I find.

On Thu, Mar 17, 2016 at 5:20 PM, Majid Mir 
wrote:

>
> Thank you for your response.. I thought of that earlier, but when I run
> the exact same configure options on an older machine of ours (for 9.10.1)
> it creates the output files just fine.. That is where it confused me.
>
> Thanks
>
>
> On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews  wrote:
>
>>
>> *Think* about the arguments you are passing to configure.  You told configure
>> to NOT CREATE the makefiles.
>>
>> Mark
>>
>> In message > n04fgwsxyatzh5a7f...@mail.gmail.com>
>> , Majid Mir writes:
>> >
>> > Hello all
>> >
>> > I am trying to compile Bind 9.10.3-P4 from source and whenever I try to run
>> > the following:
>> >
>> > ./configure --sbindir=/usr/sbin --sysconfdir=/etc/bind --with-openssl
>> > --disable-openssl-version-check --no-create --no-recursion
>> >
>> >
>> > I receive the following error after the configuration script is fully
>> > executed:
>> >
>> > configure: creating ./config.status
>> > make: *** No rule to make target `clean'.  Stop.
>> >
>> > When I try to run make, I get:
>> >
>> > make: *** No targets specified and no makefile found.  Stop.
>> >
>> > Yet in both the untarred source code directory as well as the make
>> > directory within it, both have a Makefile.in file.
>> >
>> > I have absolutely no idea how to get this configure script to create the
>> > makefile!  I have to use those configuration options because that is what
>> > we used on our previous installs (Bind 9.10.1)  on other servers. Also when
>> > I run ./configure without any options, the make file is created with no
>> > issues!  I am totally confused
>> >
>> > All help is greatly appreciated!
>> >
>> >
>> > Thank you!
>> >
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>>
>
>

Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Majid Mir
Hello all

I am trying to compile Bind 9.10.3-P4 from source and whenever I try to run
the following:

./configure --sbindir=/usr/sbin --sysconfdir=/etc/bind --with-openssl
--disable-openssl-version-check --no-create --no-recursion


I receive the following error after the configuration script is fully
executed:

configure: creating ./config.status
make: *** No rule to make target `clean'.  Stop.

When I try to run make, I get:

make: *** No targets specified and no makefile found.  Stop.

Yet in both the untarred source code directory as well as the make
directory within it, both have a Makefile.in file.

I have absolutely no idea how to get this configure script to create the
makefile!  I have to use those configuration options because that is what
we used on our previous installs (Bind 9.10.1)  on other servers. Also when
I run ./configure without any options, the make file is created with no
issues!  I am totally confused

All help is greatly appreciated!


Thank you!

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
In general you're right of course,

but in this case it's a supplier who is unable to keep his DNS servers
working, and we just want to keep the connectivity.

For various reasons it's not that easy to switch to a new supplier,
and in any case we need an intermediate solution.

Ron


On Thu, Mar 17, 2016 at 11:17 PM, Darcy Kevin (FCA) <
kevin.da...@fcagroup.com> wrote:

> Using DNS records beyond the owner-published TTL is risky business. You
> can’t even know if the same legal entity is providing the content or
> services previously published at that address/endpoint, and this
> uncertainty raises security and/or liability concerns.
>
>
>
>
> - Kevin
>
>
>
>
>
> *From:* Ron [mailto:ron.a...@gmail.com]
> *Sent:* Thursday, March 17, 2016 11:46 AM
> *To:* Darcy Kevin (FCA)
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: Can bind be configured to not drop RR's from the cache
> when the upstream DNS server is unresponsive
>
>
>
> I did not mean forwarders, but I had a case where the authoritative name
> servers for a domain were down
>
> for an extended period of time, exceeding the ttl for their records. I was
> curious if I could tell my DNS servers
>
> to serve these records for longer than the registered ttl. And I wanted to
> automate that.
>
>
>
> But I'm afraid that's not gonna fly.
>
>
>
> Ron
>
>
>
>
>
>
>
> On Thu, Mar 17, 2016 at 4:27 PM, Darcy Kevin (FCA) <
> kevin.da...@fcagroup.com> wrote:
>
> By “upstream” I assume you’re talking about forwarders. If your forwarders
> are flakey, have you ever considered simply *not forwarding*? That
> would seem to be a better, structural solution to your problem, than
> holding DNS data beyond its cache-expiration time (a really BAD idea).
>
>
>
>
> - Kevin
>
> *--*
>
> Kevin Darcy
> NAFTA Information Security Projects
>
>
>
> FCA US LLC
>
> 1075 W Entrance Dr,
>
> Auburn Hills, MI 48326
>
> USA
>
>
>
> Telephone: +1 (248) 838-6601
> Mobile: +1 (810) 397-0103
>
> Email: kevin.da...@fcagroup.com
>
>
>
> *From:* bind-users-boun...@lists.isc.org [mailto:
> bind-users-boun...@lists.isc.org] *On Behalf Of *Ron
> *Sent:* Thursday, March 17, 2016 7:37 AM
> *To:* bind-users@lists.isc.org
> *Subject:* Can bind be configured to not drop RR's from the cache when
> the upstream DNS server is unresponsive
>
>
>
> Hi,
>
>
>
> subject says all. Read manpages, could not find this in the FAQ's.
>
> Hope this is possible. If not does anyone know of other name servers
>
> that offer this option?
>
>
>
> Thanks,
>
> Ron Arts
>
>
>
>
>
>

Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
Hi,

subject says all. Read manpages, could not find this in the FAQ's.
Hope this is possible. If not does anyone know of other name servers
that offer this option?

Thanks,
Ron Arts

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
On Thu, Mar 17, 2016 at 2:51 PM, Barry S. Finkel  wrote:

> On 3/17/2016  12:36:31 +0100 Ron wrote:
>
>> Can bind be configured to not drop RR's from the cache when
>> the upstream DNS server is unresponsive?
>>
>> Hi,
>>
>> subject says all. Read manpages, could not find this in the FAQ's.
>> Hope this is possible. If not does anyone know of other name servers
>> that offer this option?
>>
>> Thanks,
>> Ron Arts
>
> It seems to me that one task of the BIND process is periodically
> to scan the cache to find entries whose TTL has expired.  That
> process, per the DNS RFCs, will remove all entries whose TTL has
> expired.  The process should not check to ensure that at least
> one of the upstream DNS servers is responsive, as by definition
> the record has expired and should not remain in DNS.  It is the
> owner of the record who sets the TTL, and if the TTL is too short
> AND all of the DNS servers that serve that record are inaccessible,
> then the owner of the record has a problem.
>
> --Barry Finkel
>

According to the BIND9 docs:

cleaning-interval This interval is effectively obsolete. Previously, the
server would remove expired resource records from the cache every
cleaning-interval minutes. BIND 9 now manages cache memory in a more
sophisticated manner and does not rely on the periodic cleaning any more.
Specifying this option therefore has no effect on the server’s behavior.

 But you might still be right that my question goes against the principle
of caching.

-- Ron



RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Mike Bernhardt
My apologies, never mind :-{

I don't know what the problem was, BIND seems to load up just fine today,
even when the option addresses don't match the virtual address. I must have
screwed up something else.




Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Mark Andrews

--no-create is for when you want to tinker with the final results built
into config.status prior to building the Makefiles.

I've committed changes to not run "make clean" if --no-create is set.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Phil Mayers

On 16/03/16 12:48, Lightner, Jeff wrote:

> You might want to try "ip a" vs ifconfig.   RHEL7 uses Network
> Manager and in the past I've found some things don't show up in
> ifconfig output when doing alias/virtual interfaces.
>
> Usually even when other products (e.g. Oracle RAC/GRID) create
> virtual interfaces they still show up as valid interfaces at host
> level.   I've not tried PCS/Corosync.


That's not how pcs/corosync does it IIRC. They're active on one node 
only, usually as secondary IPs on the physical ethernets; dual active 
doesn't work properly in that situation anyway due to ARP fighting and 
other issues.


OP will need to use a different approach to make bind work in this kind 
of setup.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Multiple A records and reverse DNS

2016-03-19 Thread Matus UHLAR - fantomas

On 17.03.16 09:53, Thomas Schulz wrote:

> This is not a BIND question but I hope people here will know the answer.
> We are switching service providers and I understand that many email SPAM
> prevention systems insist on the reverse DNS matching the forward DNS.
> If I have two A records for our mail server and the reverse record matches
> one of them, will that be good enough. Or will the fact that the other A
> record does not match cause trouble.

Reverse DNS is only important for mailserver that connects to outside, not
for receiving servers or MX records.

If the mail server connects outside, its IP address is checked by many
receiving mailservers or spam filters for reverse DNS and the resolved name
has to point to that IP address.

Invalid reverse DNS is often worse than no reverse at all...


... I have met complaints noting that recipients mail servers' IP is
checked, or that rDNS must point to the MX content. They were all wrong, the
problem usually lay in blacklist, invalid mailserver configuration etc...

No sane admin or software will check reverse DNS of mailserver they are
connecting to or MX records they send mail to.
They would block out services like gmail, yahoo, aol, without any valid
reason.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese. 
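
The forward-confirmed reverse DNS test discussed in this thread, as an added example that is not part of any post here: it classifies a connecting client address as pass, no-ptr or mismatch and reports whether the EHLO name equals the confirmed name. The function names and the sample zone data (documentation address ranges) are hypothetical and constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample data, not from the thread: one mail host reachable
# through two providers, of which only the first has a PTR record, plus an
# unrelated address whose PTR name does not resolve back to it.
SAMPLE_A = {"mail.example.com": ["192.0.2.10", "198.51.100.10"],
            "static-5.isp.example": ["203.0.113.99"]}
SAMPLE_PTR = {"192.0.2.10": ["mail.example.com."],
              "203.0.113.5": ["static-5.isp.example."]}


def system_ptr(ip):
    """PTR names for `ip` from the system resolver, [] when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []


def system_addresses(name):
    """Every address the system resolver returns for `name`."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def _norm(name):
    return name.rstrip(".").lower()


def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def check_sender(ip, helo, ptr=system_ptr, addresses=system_addresses):
    """Return (verdict, confirmed_name, helo_matches) for a connecting client.

    'no-ptr'   : the address has no PTR record
    'mismatch' : a PTR exists, but none of its names resolves back to `ip`
    'pass'     : some PTR name has `ip` among its forward addresses
    """
    names = ptr(ip)
    if not names:
        return ("no-ptr", None, False)
    for name in names:
        # Only the connecting address has to appear in the forward set;
        # other A records on the same name do not affect the result.
        if any(_same_ip(ip, a) for a in addresses(name)):
            return ("pass", _norm(name), _norm(name) == _norm(helo))
    return ("mismatch", None, False)


def demo():
    """Run the check over the constructed sample data."""
    ptr = lambda ip: SAMPLE_PTR.get(ip, [])
    fwd = lambda name: SAMPLE_A.get(_norm(name), [])
    return {ip: check_sender(ip, "mail.example.com", ptr, fwd)
            for ip in ("192.0.2.10", "198.51.100.10", "203.0.113.5")}


if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, result)
```

Called without the `ptr` and `addresses` arguments, `check_sender` uses the system resolver, so it can be pointed at a server's real outbound address before a provider cut-over.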


Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
Dave,

On Sat, Mar 19, 2016 at 6:02 AM, Dave Warren  wrote:
> On 2016-03-18 01:46, Ron wrote:
>
>
> On Fri, Mar 18, 2016 at 12:12 AM, G.W. Haywood 
> wrote:
>>
>> Hi there,
>>
>> On Thu, 17 Mar 2016, Ron wrote:
>>
>>> ... in this case it's a supplier who is unable to keep his DNS servers
>>> working, and we just want to keep the connectivity.
>>
>>
>> I'd just put something in /etc/hosts and send myself an email every
>> month or so to remind me I'd done that.
>
>
>
> This is what we're currently using, but it has the downside of not picking
> up ip address changes.
>
>
> If you want to reinvent caching, why not go a step further, periodically
> query the records and build a local /etc/hosts
>
> I've done this in a couple places where I need certain records to work even
> if DNS is broken. For example, it's just not worth having a NFS or Gluster
> filesystem mount fail because DNS happens to be down. If DNS is down, I'm
> probably already mid-panic, I don't need to worry about whether or remote
> file systems will come back up if I need to reboot a thing.
>
> My current logic is that I do a SOA query and check the serial number, if it
> has changed, I query every needed hostname into a temp file, and if every
> single query was successful, check the SOA again, and if it still matches,
> update the /etc/hosts. If anything goes wrong (including a mismatch between
> the SOA), dump the temp file and try again.
>
> Slaving the zones would be better, but some machines have a resolver
> already, sometimes with unique configuration that I couldn't bulldoze (and
> I'm too lazy to manually review the configuration of every machine) and
> sometimes the local resolver was Unbound, and also the master DNS server
> doesn't have a list of every machine that needs a NOTIFY, or a way to keep
> that list up to date. It was just faster to code up a sloppy /etc/hosts
> script to update a handful of critical records. Lame reasons, but it works
> well enough and hasn't blown up in my face yet.
>

I was hoping bind could take this work out of my hands, but this is probably
what we'll end up doing.

Thanks,
Ron
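
The refresh logic described in the quoted text above (SOA serial check, resolve every name, re-check the serial, then update the hosts file), as an added example that is not code from anyone in this thread. It assumes all pinned names live in one zone and that `dig` is installed; the marker comments, the state file and the function names are hypothetical.

```python
import ipaddress
import os
import subprocess
import sys
import tempfile

BEGIN = "# BEGIN pinned-from-dns (generated)"   # marker text is an assumption
END = "# END pinned-from-dns"


def _dig(*args):
    """Run `dig +short ...`; any failure yields an empty answer."""
    try:
        return subprocess.run(("dig", "+short") + args, capture_output=True,
                              text=True, timeout=15).stdout.split()
    except (OSError, subprocess.SubprocessError):
        return []


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def dig_soa_serial(zone):
    """SOA serial of `zone`, or None when no usable answer came back."""
    out = _dig(zone, "SOA")
    return int(out[2]) if len(out) == 7 and out[2].isdigit() else None


def dig_addresses(name):
    """A records for `name`; CNAME lines and error text are filtered out."""
    return [a for a in _dig(name, "A") if _is_ip(a)]


def refresh_hosts(zone, names, hosts_path, state_path,
                  soa_serial=dig_soa_serial, addresses=dig_addresses):
    """Return 'unchanged', 'updated' or 'aborted: <reason>'."""
    before = soa_serial(zone)
    if before is None:
        return "aborted: SOA query failed"
    if os.path.exists(state_path):
        with open(state_path) as fh:
            if fh.read().strip() == str(before):
                return "unchanged"
    entries = []
    for name in names:
        addrs = sorted(a for a in addresses(name) if _is_ip(a))
        if not addrs:                       # one failed lookup voids the run
            return "aborted: no address for " + name
        entries += ["%s\t%s" % (a, name) for a in addrs]
    if soa_serial(zone) != before:          # zone changed while we were querying
        return "aborted: serial changed during refresh"
    kept, managed = [], False
    with open(hosts_path) as fh:
        for line in fh.read().splitlines():
            if line in (BEGIN, END):
                managed = (line == BEGIN)
            elif not managed:
                kept.append(line)           # hand-written entries survive
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(hosts_path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(kept + [BEGIN] + entries + [END]) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, hosts_path)             # atomic swap, no half-written file
    with open(state_path, "w") as fh:
        fh.write(str(before))
    return "updated"


if __name__ == "__main__" and len(sys.argv) >= 5:
    # usage: script ZONE HOSTS_FILE STATE_FILE NAME [NAME ...]
    print(refresh_hosts(sys.argv[1], sys.argv[4:], sys.argv[2], sys.argv[3]))
```

On any abort the previous hosts file and recorded serial are left untouched, so the last known good addresses keep being served until a complete, consistent refresh succeeds.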


Re: Multiple A records and reverse DNS

2016-03-19 Thread Thomas Schulz
> On 17.03.2016 at 14:53, Thomas Schulz wrote:
>> This is not a BIND question but I hope people here will know the answer
>> We are switching service providers and I understand that many email
>> SPAM prevention systems insist on the reverse DNS matching the forward
>> DNS. If I have two A records for our mail server and the reverse record
>> matches one of them, will that be good enough. Or will the fact that
>> the other A record does not match cause trouble
> 
> when you have two A-records then you have two IP's
> each of them should have a PTR with *only* the name of the A-record
> and in a good setup "smtp_helo_name" matches too

Thanks to everyone for their answers. In switching service providers we
have arranged for both providers to be active at the same time for a few
weeks. The old provider has reverse DNS set up but the new provider does
not yet have that set up. I was thinking of allowing incoming email from
both by having two A records but allowing outgoing email only through the
old provider that has the working reverse DNS. When the new provider also
has reverse DNS set up then I can switch outgoing email and close down the
old connection.

It turns out that it is harder than I thought to allow incoming
connections from both providers at the same time, so I may not do
that after all.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
On Fri, Mar 18, 2016 at 12:12 AM, G.W. Haywood 
wrote:

> Hi there,
>
> On Thu, 17 Mar 2016, Ron wrote:
>
> ... in this case it's a supplier who is unable to keep his DNS servers
>> working, and we just want to keep the connectivity.
>>
>
> I'd just put something in /etc/hosts and send myself an email every
> month or so to remind me I'd done that.



This is what we're currently using, but it has the downside of not picking
up ip address changes.

Ron


>
>
> --
>
> 73,
> Ged.
>
>
>

Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Mark Andrews

*Think* about the arguments you are passing to configure.  You told configure
to NOT CREATE the makefiles.

Mark

In message 
, Majid Mir writes:
> 
> Hello all
> 
> I am trying to compile Bind 9.10.3-P4 from source and whenever I try to run
> the following:
> 
> ./configure --sbindir=/usr/sbin --sysconfdir=/etc/bind --with-openssl
> --disable-openssl-version-check --no-create --no-recursion
> 
> 
> I receive the following error after the configuration script is fully
> executed:
> 
> configure: creating ./config.status
> make: *** No rule to make target `clean'.  Stop.
> 
> When I try to run make, I get:
> 
> make: *** No targets specified and no makefile found.  Stop.
> 
> Yet in both the untarred source code directory as well as the make
> directory within it, both have a Makefile.in file.
> 
> I have absolutely no idea how to get this configure script to create the
> makefile!  I have to use those configuration options because that is what
> we used on our previous installs (Bind 9.10.1)  on other servers. Also when
> I run ./configure without any options, the make file is created with no
> issues!  I am totally confused
> 
> All help is greatly appreciated!
> 
> 
> Thank you!
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Changing records with inline-signing

2016-03-19 Thread Tony Finch
Thomas Schulz  wrote:

> We currently have adi.com signed using options:
>
> inline-signing yes;
> auto-dnssec maintain;
>
> If I change an A record or add a new A record, will the signing be
> automatically updated or do I have to do an rndc sign zone?

It's automatic :-)

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
North Fitzroy, Sole: Easterly or southeasterly 5 to 7. Moderate or rough.
Showers. Good.


Changing records with inline-signing

2016-03-19 Thread Thomas Schulz
We currently have adi.com signed using options:

inline-signing yes;
auto-dnssec maintain;

If I change an A record or add a new A record, will the signing be
automatically updated or do I have to do an rndc sign zone?


Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Ron
Slave the zone? Oh, run secondary. Fat chance.

Ron

On Fri, Mar 18, 2016 at 5:03 PM, Darcy Kevin (FCA)  wrote:

> Would they be receptive to letting you slave the zone? At least then you’d
> have the whole EXPIRE time before the names stopped resolving.
>
>
>
> If they’re concerned about security, then the transfers could be locked
> down by source IP address, or, if their software supports it, TSIG key.
>
>
>
> One of the downsides of slaving, of course, is that changes might take a
> while to replicate, unless NOTIFY is set up.
>
>
>
>
> - Kevin
>
>
>
> *--*
>
> Kevin Darcy
> NAFTA Information Security Projects
>
>
>
> FCA US LLC
>
> 1075 W Entrance Dr,
>
> Auburn Hills, MI 48326
>
> USA
>
>
>
> Telephone: +1 (248) 838-6601
> Mobile: +1 (810) 397-0103
>
> Email: kevin.da...@fcagroup.com
>
>
>
> *From:* bind-users-boun...@lists.isc.org [mailto:
> bind-users-boun...@lists.isc.org] *On Behalf Of *Ron
> *Sent:* Friday, March 18, 2016 4:46 AM
> *To:* G.W. Haywood
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: Can bind be configured to not drop RR's from the cache
> when the upstream DNS server is unresponsive
>
>
>
>
>
>
>
> On Fri, Mar 18, 2016 at 12:12 AM, G.W. Haywood 
> wrote:
>
> Hi there,
>
> On Thu, 17 Mar 2016, Ron wrote:
>
> ... in this case it's a supplier who is unable to keep his DNS servers
> working, and we just want to keep the connectivity.
>
>
> I'd just put something in /etc/hosts and send myself an email every
> month or so to remind me I'd done that.
>
>
>
>
>
> This is what we're currently using, but it has the downside of not picking
> up ip address changes.
>
>
>
> Ron
>
>
>
>
>
> --
>
> 73,
> Ged.
>
>
>
>

Re: Multiple A records and reverse DNS

2016-03-19 Thread Barry Margolin
In article ,
 sch...@adi.com (Thomas Schulz) wrote:

> This is not a BIND question but I hope people here will know the answer.
> We are switching service providers and I understand that many email SPAM
> prevention systems insist on the reverse DNS matching the forward DNS.
> If I have two A records for our mail server and the reverse record matches
> one of them, will that be good enough. Or will the fact that the other A
> record does not match cause trouble.

It should be OK. This is a fairly common situation for redundancy.

-- 
Barry Margolin
Arlington, MA