Re: rndc on local host: need named running?

2016-08-27 Thread Lyle

Use any in the allow stanza.

On 08/27/16 19:54, Tom Browder wrote:
> On Saturday, August 27, 2016, Lyle wrote:
>
>> On 08/27/16 10:54, Tom Browder wrote:
>>
>>> https://calomel.org/dynamic_dns_ddns.html
>>> My plan is to have two
>>>
>>> 2. Can I use rndc from my local host which doesn't have a fixed
>>> ip address?
>>
>> ...
>>
>> Let me Google that for you and the answer is:
>>
>> https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch03s04.html
>
> Thanks, Lyle. I've seen that, I have the book. But it's not real clear
> to a novice that it works without the remote host knowing the incoming
> ip address.
>
> But I have enough info now to risk putting my name servers on line
> without fear of destroying the dns system of the internet!
>
> Best regards,
>
> -Tom

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: rndc on local host: need named running?

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, Lyle wrote:

> On 08/27/16 10:54, Tom Browder wrote:
>
> https://calomel.org/dynamic_dns_ddns.html
> My plan is to have two
>
> 2. Can I use rndc from my local host which doesn't have a fixed ip address?
>
> ...

> Let me Google that for you and the answer is:
> https://www.safaribooksonline.com/library/view/dns-bind/
> 0596004109/ch03s04.html
>

Thanks, Lyle. I've seen that, I have the book. But it's not real clear to a
novice that it works without the remote host knowing the incoming ip
address.

But I have enough info now to risk putting my name servers on line without
fear of destroying the dns system of the internet!

Best regards,

-Tom

Re: Allowable reverse mapping zone file names

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, Lyle wrote:
...

> As far as question 2, depends on if the reverse zones were delegated to
> you or not. It depends on your ISP.  Many do not delegate reverse lookup
> zones to the end user.  In that case, you have to ask them to insert the
> records you think necessary including your mail server's host name.
>
Thanks, Lyle!

Best regards,

-Tom

Re: rndc on local host: need named running?

2016-08-27 Thread Lyle



On 08/27/16 10:54, Tom Browder wrote:
> My plan is to have two remote, authoritative name servers (master and
> slave) for my owned domains.  I would like to use rndc to control them
> from my local host.
>
> A couple of questions:
>
> 1. Does named need to be running on the local host?

No.

> 2. Can I use rndc from my local host which doesn't have a fixed ip
> address?

Let me Google that for you and the answer is:

https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch03s04.html

> Thanks.
>
> Best regards,
>
> -Tom


Re: Allowable reverse mapping zone file names

2016-08-27 Thread Lyle
File names?   The file name is up to you.  How you reference it in your 
DNS server is something else.  That depends on your name server software.


As far as question 2, depends on if the reverse zones were delegated to 
you or not. It depends on your ISP.  Many do not delegate reverse lookup 
zones to the end user.  In that case, you have to ask them to insert the 
records you think necessary including your mail server's host name.


Lyle Giese
LCR Computer Services, Inc.

On 08/27/16 10:47, Tom Browder wrote:
> I do not control 3-octet networks but need reverse mapping for my mail
> server.
>
> Two questions:
>
> 1. Where is the doc that completely describes the allowable reverse
> mapping zone file names?
>
> 2. When running my own authoritative name servers, do I need reverse
> mapping for anything other than my single mail server?
>
> Thanks.
>
> Best regards,
>
> -Tom



RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Woodworth, John R
Apologies for the double post, I was not finished with edits in my
previous post:

> John Levine wrote:
> > >It is true at first glance the regex-esque syntax in our I-D may seem
> > >a bit complex but I don't believe anywhere near the complexity of
> > >NAPTR
> >
> > None of the complexity of NAPTR is in the DNS or the DNS servers; it's
> > all in the applications that use NAPTR.  For DNS servers, NAPTR is
> > just a record it handles the way it does any other normal record, like
> > A or HINFO.

Apologies for the confusion.  I was under the impression there was concern
about the syntax using regex and being complicated.  My point was the
syntax "borrows" concepts from regex but precise regex patterns for numeric
ranges is too much effort to accomplish for the casual zone admin.

As far as NAPTR pushing the effort to the client, this is true but it
*has* patterns that are very complicated to the casual zone admin and
NAPTR records already exist.

Creating a protocol around use of generated records kind of defeats one
of our primary objectives which is to make this feature as transparent to
clients as possible.  For example, clients do not need to care whether
$GENERATE was used for their records, why not carry this logic over to
the next phase?  Most of the embedded devices (IOT, etc.) will not
be updating their libraries to support a "how do I find an A record"
logic, and why should they?


> Or the URI RR, which requires authoritative nameservers to know absolutely
> nothing about the encoding of URIs.

Auth nameservers do have to know things about certain record types; NS,
CNAME and RRSIG RRs for example so this is not a completely new concept.

In fact, all the precedence for this I-D already exists:
  * $GENERATE: Pattern based record generation
   (bind proprietary, others may exist)
  * NAPTR: Complex RDATA pattern substitution syntax
  * RRSIG: Additional computational burden to authoritative nameserver
   and client implementations (change to existing DNS semantics)
   (record specific "awareness")
  * Wildcard:  Automatic wildcard record namespace identification
   and NXDOMAIN substitution (superimposed records)

Wouldn't you agree based on the above logic this looks to be the natural
progression of the art?  It's not always about doing what was already done
but building on what has been done and trying not to break anything along
the way.


Regards,
John

> --
> Robert Edmonds
>

-- THESE ARE THE DROIDS TO WHOM I REFER:

This communication is the property of CenturyLink and may contain confidential 
or privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful. If you have received this communication in 
error, please immediately notify the sender by reply e-mail and destroy all 
copies of the communication and any attachments.


RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Woodworth, John R
> John Levine wrote:
> > >It is true at first glance the regex-esque syntax in our I-D may seem
> > >a bit complex but I don't believe anywhere near the complexity of
> > >NAPTR
> >
> > None of the complexity of NAPTR is in the DNS or the DNS servers; it's
> > all in the applications that use NAPTR.  For DNS servers, NAPTR is
> > just a record it handles the way it does any other normal record, like
> > A or HINFO.

Apologies for the confusion.  I was under the impression there was concern
about the syntax using regex and being complicated.  My point was the
syntax "borrows" concepts from regex but precise regex patterns for numeric
ranges is too much effort to accomplish for the casual zone admin.

As far as NAPTR pushing the effort to the client, this is true but it
*has* patterns that are very complicated to the casual zone admin.

Creating a protocol around use of generated records kind of defeats one
of our primary objectives which is to make this feature as transparent to
clients as possible.  For example, clients do not need to care whether
$GENERATE was used for their records, why not carry this logic over to
the next phase?  Most of the embedded devices (IOT, etc.) will not
be updating their libraries to support a "how do I find an A record"
logic, and why should they?


> Or the URI RR, which requires authoritative nameservers to know absolutely
> nothing about the encoding of URIs.


All the precedence for this I-D is already here:
  * $GENERATE: Pattern based record generation
   (bind proprietary, others may exist)
  * NAPTR: Complex RDATA pattern substitution syntax
  * RRSIG: Additional computational burden to Authoritative nameserver
   and client implementations (change to existing DNS semantics)
  * Wildcard:  Automatic wildcard record namespace identification
   and NXDOMAIN substitution (superimposed records)

Wouldn't you agree based on the above logic this looks to be the natural
progression of the art?  It's not always about doing what was already done
but building on what has been done and trying not to break anything along
the way.


Regards,
John

> --
> Robert Edmonds
>

-- THESE ARE THE DROIDS TO WHOM I REFER:



Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Robert Edmonds
John Levine wrote:
> >It is true at first glance the regex-esque syntax in our I-D may seem a
> >bit complex but I don't believe anywhere near the complexity of NAPTR
> 
> None of the complexity of NAPTR is in the DNS or the DNS servers; it's
> all in the applications that use NAPTR.  For DNS servers, NAPTR is
> just a record it handles the way it does any other normal record, like
> A or HINFO.

Or the URI RR, which requires authoritative nameservers to know
absolutely nothing about the encoding of URIs.

-- 
Robert Edmonds


Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>It is true at first glance the regex-esque syntax in our I-D may seem a
>bit complex but I don't believe anywhere near the complexity of NAPTR

None of the complexity of NAPTR is in the DNS or the DNS servers; it's
all in the applications that use NAPTR.  For DNS servers, NAPTR is
just a record it handles the way it does any other normal record, like
A or HINFO.  

This draft requires every DNS server to change the semantics of
wildcards, change the way DNSSEC signatures are computed, and
introduces new RRTYPEs that don't work in existing servers the way RFC
3597 says they should.  Ain't gonna happen.

Really, if you want to do generic rDNS for IPv6, use a specialized
server like we do for DNSBLs.  rbldnsd is open source, everyone uses
it, so you can start with that.

R's,
John


Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Robert Edmonds
Woodworth, John R wrote:
> I respectfully disagree.  I, although naturally biased, feel
> strongly our I-D is something which should have existed since the
> beginning of DNS.  It allows address space to be "tagged" and
> organized in a manner that just makes sense.
> 
> Imagine if you will a class-A (borrowing from legacy terminology)
> being assigned to ARIN.  This block is "tagged" as ARIN's IP space
> in its entirety.  A smaller block gets assigned to ISP-1 and it
> gets "tagged" as ISP-1's, again in its entirety.

Those "tags" are intelligence *about* the address space, which is
primarily valuable to people other than the end user. (The end user
already knows that he or she has a particular type of connection from a
particular ISP in a particular place.)

The only benefit *to the end user* I can think of is that it might,
indirectly, somehow lead to vendors of proprietary geoip databases
having marginally more accurate intelligence, which might lead to
slightly better performance from CDNs, or search engine results not
being presented in the wrong language, or (insert your favorite geoip
foible here).

But I don't see how you get from those marginal benefits to: DNS should
have had regex-driven template engines (!) in authoritative nameservers
from the beginning.

-- 
Robert Edmonds


RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Woodworth, John R
> John R. Levine wrote:
> > > Just curious, is there a fundamental reason you have to oppose this
> > > beyond simply the scale?
> >
> > It's a cargo cult style extension of a not particularly useful IPv4
> > convention to IPv6.  A much more useful convention that happens to be
> > easier to implement is that hosts with static addresses have rDNS and
> > hosts without do not.  That would be a lot more useful to all involved.
>
> Though, if you want to participate in the cargo cult of generic PTRs,
> you don't need the complexity of draft-woodworth-bulk-rr's regex-driven
> templates in your nameserver. Knot DNS's "minimal viable product"
> implementation is ~300 SLOC and uses a hardcoded template.
>

Robert,

Thanks for this information, it could really help the original poster.

It is true at first glance the regex-esque syntax in our I-D may seem a
bit complex but I don't believe anywhere near the complexity of NAPTR
and with adoption as a standard would not require the vendor-lock-in
of any proprietary solution.  This is also huge if zone transfers are
important in your environment and you do not own/ manage all nameservers
involved.


Regards,
John

> --
> Robert Edmonds
>
>

-- THESE ARE THE DROIDS TO WHOM I REFER:



Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
PS:

>I understand rwhois exists but it is much more complicated to manage
>than DNS and for the most part is only used at the RIR level for
>reverse IP namespace.

This would probably be a good time to read up on RDAP.

R's,
John


Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>beginning of DNS.  It allows address space to be "tagged" and
>organized in a manner that just makes sense.

We'll have to agree to violently disagree at this point.

R's,
John


Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John Levine
>Though, if you want to participate in the cargo cult of generic PTRs,
>you don't need the complexity of draft-woodworth-bulk-rr's regex-driven
>templates in your nameserver. Knot DNS's "minimal viable product"
>implementation is ~300 SLOC and uses a hardcoded template.

Having looked at the draft, I agree that its complexity and the multiple
changes it makes to existing DNS semantics make it dead on arrival.

My suggestion if you really want to do this is to use a specialized
server.  People who serve DNSBLs use a specialized server called
rbldnsd.  You give it CIDR ranges of addresses and it synthesizes
DNSBL records, including patching the addresses into TXT records so
they can return stuff like this:

4.3.2.1.bl.bad.example TXT "Blocked -- see http://www.bad.example?ip=1.2.3.4"

where the 1.2.3.4 was plugged in on the fly.

rDNS and DNSBLs are quite similar in DNS function, so you could
probably modify rbldnsd to generate PTR records with patterns in the
same way.  Then just delegate your rDNS zones to it. Since v6 rDNS
breaks names on 4-bit boundaries, even if your delegations are rather
irregular, it's not all that many delegations.

R's,
John


RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Woodworth, John R
> > Just curious, is there a fundamental reason you have to oppose this
> > beyond simply the scale?
>
> It's a cargo cult style extension of a not particularly useful IPv4
> convention to IPv6.  A much more useful convention that happens to
> be easier to implement is that hosts with static addresses have rDNS
> and hosts without do not.  That would be a lot more useful to
> all involved.

I respectfully disagree.  I, although naturally biased, feel
strongly our I-D is something which should have existed since the
beginning of DNS.  It allows address space to be "tagged" and
organized in a manner that just makes sense.

Imagine if you will a class-A (borrowing from legacy terminology)
being assigned to ARIN.  This block is "tagged" as ARIN's IP space
in its entirety.  A smaller block gets assigned to ISP-1 and it
gets "tagged" as ISP-1's, again in its entirety.

I understand rwhois exists but it is much more complicated to manage
than DNS and for the most part is only used at the RIR level for
reverse IP namespace.


>
> But again, at M3AAWG, this seems to be a settled topic.  Anyone
> who expects rDNS for dynamic IPv6 addresses is an outlier.
>

Again, although I cannot speak on behalf of M3AAWG I respectfully
disagree with this being a problem only for outliers.

I think since a lot of the numbers in the IPv6 network ranges seem
close enough to infinity they scare people and it is simply easier
to pretend none of it is real.  I can see this topic circling back
until a solution can be adopted.


> R's,
> John
>
> PS: Have you figured out how to do DNSSEC on dynamically generated
> reverse zones, both for results that return PTR and results that
> return NXDOMAIN?
> It's possible but it's not trivial.
>

Yes, and "it's not trivial" is quite the understatement :)


Regards,
John

-- THESE ARE THE DROIDS TO WHOM I REFER:



Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Robert Edmonds
John R. Levine wrote:
> > Just curious, is there a fundamental reason you have to oppose this
> > beyond simply the scale?
> 
> It's a cargo cult style extension of a not particularly useful IPv4
> convention to IPv6.  A much more useful convention that happens to be easier
> to implement is that hosts with static addresses have rDNS and hosts without
> do not.  That would be a lot more useful to all involved.

Though, if you want to participate in the cargo cult of generic PTRs,
you don't need the complexity of draft-woodworth-bulk-rr's regex-driven
templates in your nameserver. Knot DNS's "minimal viable product"
implementation is ~300 SLOC and uses a hardcoded template.

-- 
Robert Edmonds


Re: rndc on local host: need named running?

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, Warren Kumari wrote:

> On Saturday, August 27, 2016, Tom Browder wrote:
>
>> My plan is to have two remote, authoritative name servers (master and
>> slave) for my owned domains.  I would like to use rndc to control them from
>> my local host.
>> A couple of questions:
>>
>  ...

Thanks, Warren!

Best regards,

-Tom

Re: Allowable reverse mapping zone file names

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, /dev/rob0 wrote:

> On Sat, Aug 27, 2016 at 10:47:36AM -0500, Tom Browder wrote:
> > I do not control 3-octet networks but need reverse mapping for my
> > mail server.
>
> Discuss that with your ISP or netblock owner.

...

Thanks for the good advice, "/dev/robo."

Best regards.

-Tom

RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread John R. Levine

> Just curious, is there a fundamental reason you have to oppose this
> beyond simply the scale?

It's a cargo cult style extension of a not particularly useful IPv4
convention to IPv6.  A much more useful convention that happens to be
easier to implement is that hosts with static addresses have rDNS and
hosts without do not.  That would be a lot more useful to all involved.

But again, at M3AAWG, this seems to be a settled topic.  Anyone who
expects rDNS for dynamic IPv6 addresses is an outlier.

R's,
John

PS: Have you figured out how to do DNSSEC on dynamically generated reverse
zones, both for results that return PTR and results that return NXDOMAIN?
It's possible but it's not trivial.



Re: Forwarding via different external networks

2016-08-27 Thread /dev/rob0
On Sat, Aug 27, 2016 at 02:32:42PM -0400, Paul Kosinski wrote:
> Currently, I forward all outbound DNS via the DSL to the ISP's
> DNS servers. (I have more confidence in the DSL provider not 
> interfering with DNS than in Comcast.)

FWIW, it has been many years since I have dealt with Comcast as a 
customer, but I can tell you for sure that Comcast employs some very 
clueful DNS experts.

> However, there have been a couple of cases recently when the DSL 
> was not getting beyond their gateway router, which meant that DNS 
> would fail, causing much HTTP(S) to fail even though the cable 
> network was working quite nicely.
> 
> So my question is, is it possible to configure my forwarding BIND 
> to have a primary and *secondary* path for sending out DNS queries?

Your better bet is surely to dump the forwarders and to do your own 
recursion.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Allowable reverse mapping zone file names

2016-08-27 Thread /dev/rob0
On Sat, Aug 27, 2016 at 10:47:36AM -0500, Tom Browder wrote:
> I do not control 3-octet networks but need reverse mapping for my 
> mail server.

Discuss that with your ISP or netblock owner.

> Two questions:
> 
> 1. Where is the doc that completely describes the allowable reverse 
> mapping zone file names?

There is no limit within BIND on what you name a zone file.  I 
suspect you might be wondering about the names of in-addr.arpa. 
*zones* instead?

To use an example, 127.0.0.2, a resolver would request a PTR record 
named "2.0.0.127.in-addr.arpa".  That is the reversed octets of the 
dotted-quad IPv4 address with ".in-addr.arpa" appended.

A zone could exist at any of these names:
* 127.in-addr.arpa
* 0.127.in-addr.arpa
* 0.0.127.in-addr.arpa
* 2.0.0.127.in-addr.arpa

(See also RFC 2317 for "classless" reverse DNS delegation, but no,
DO NOT read that: I only mention it for completeness, as we have 
pedantic posters on this list ... myself included. ;) )

> 2. When running my own authoritative name servers, do I need 
> reverse mapping for anything other than my single mail server?

You only need an in-addr.arpa zone IF that zone has been delegated to 
your nameserver[s] by a netblock owner or by your RIR (such as RIPE 
for Europe, ARIN for North America, etc.)

If the zone has not been delegated to you, ^^ go back to the top and 
talk to your ISP or netblock owner.

If you're still confused, tell us what your IP address is and we 
might be able to tell you who to contact.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
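An added example (my own code, not anything from this thread or from BIND) that works through /dev/rob0's 127.0.0.2 walk-through in code: it builds the PTR owner name for an address, lists every zone cut at which that name could be delegated, and reports which of a (constructed) list of delegated zones actually covers the address. It also generalizes to IPv6, where, as John Levine notes later in the thread, reverse names break on 4-bit nibble boundaries.

```python
# Added example: reverse-DNS owner names and the zone cuts that can serve them.
# Not from the thread or from BIND; `delegated_zone` and its inputs are
# constructed for illustration.
import ipaddress
from typing import List, Optional


def reverse_name(addr: str) -> str:
    """Return the PTR owner name a resolver would ask for."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # Reversed dotted-quad octets with ".in-addr.arpa" appended.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # IPv6: the 32 hex nibbles of the fully expanded address, reversed,
    # one label per nibble, with ".ip6.arpa" appended.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def candidate_zones(addr: str) -> List[str]:
    """Every zone name, coarsest first, at which this PTR could live.

    IPv4 cuts fall on octet boundaries (/8, /16, /24, /32); IPv6 cuts fall
    on nibble boundaries (/4, /8, ..., /128).  Classless RFC 2317 cuts
    inside an octet are deliberately not listed.
    """
    labels = reverse_name(addr).split(".")
    suffix = labels[-2:]          # ["in-addr", "arpa"] or ["ip6", "arpa"]
    addr_labels = labels[:-2]     # reversed octets or nibbles
    zones = []
    # The coarsest zone keeps only the most significant label (the last one
    # in the reversed list); each step prepends the next more specific label.
    for i in range(1, len(addr_labels) + 1):
        zones.append(".".join(addr_labels[-i:] + suffix))
    return zones


def delegated_zone(addr: str, delegated: List[str]) -> Optional[str]:
    """Return the delegated zone (if any) that covers the address's PTR.

    `delegated` is a constructed list of reverse zones an ISP or RIR has
    handed to you; only when one matches do you need to serve a reverse zone
    yourself, otherwise the records have to be requested from the netblock
    owner, as the reply above says.
    """
    for zone in candidate_zones(addr):
        if zone in delegated:
            return zone
    return None


if __name__ == "__main__":
    # Constructed sample: the ISP delegated the /24 containing 127.0.0.2
    # (loopback is used here only because it is the thread's example).
    delegated = ["0.0.127.in-addr.arpa"]
    for a in ("127.0.0.2", "10.1.2.3", "2001:db8::1"):
        print(a, "->", reverse_name(a))
        print("  zone cuts:", len(candidate_zones(a)), "first:", candidate_zones(a)[0])
        print("  delegated to us:", delegated_zone(a, delegated))
```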


RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Woodworth, John R
> I'll let the market decide. For now, such a requirement isn't even
> a blip on the horizon as far as I can see.

Understood.  I guess we all have our own perspective and priorities.

There are, however, several popular commercial DNS vendors I know
first hand which are offering their own proprietary solutions as
marketing features.

This coupled with our own customer requests leads me to believe the
issue is a lot blippier than one might think.  Even _this_ email
thread started with a real-world need seeking a solution.

Our proposed solution (I-D) is not IPv6 specific and would be a
standards based approach allowing the "intent" of generated DNS
records to be transferred regardless of vendor.  Think of it more
as an extension to the wonderful $GENERATE we all love and adore.


Just curious, is there a fundamental reason you have to oppose this
beyond simply the scale?


Regards,
John

> Steinar Haug, Nethelp consulting, sth...@nethelp.no

-- THESE ARE THE DROIDS TO WHOM I REFER:



Re: rndc on local host: need named running?

2016-08-27 Thread Warren Kumari
On Saturday, August 27, 2016, Tom Browder wrote:

> My plan is to have two remote, authoritative name servers (master and
> slave) for my owned domains.  I would like to use rndc to control them from
> my local host.
>
> A couple of questions:
>
> 1. Does named need to be running on the local host?
>


 Nope.



> 2. Can I use rndc from my local host which doesn't have a fixed ip address?
>
>
Yup.

W


> Thanks.
>
> Best regards,
>
> -Tom
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

Forwarding via different external networks

2016-08-27 Thread Paul Kosinski
I have a rather unusual network with a gateway machine that connects to
two ISPs: a slower DSL with a static IP and a faster cable (Comcast)
with a DHCP IP. The gateway machine runs two instances of BIND (plus
the usual firewalling): an authoritative one for a couple of domains
(and only those domains!), and a forwarding-only one for use by internal
clients (to reduce external DNS requests via the usual caching that
BIND provides).

Currently, I forward all outbound DNS via the DSL to the ISP's DNS
servers. (I have more confidence in the DSL provider not interfering
with DNS than in Comcast.) However, there have been a couple of cases
recently when the DSL was not getting beyond their gateway router,
which meant that DNS would fail, causing much HTTP(S) to fail even
though the cable network was working quite nicely.

So my question is, is it possible to configure my forwarding BIND to
have a primary and *secondary* path for sending out DNS queries? As far
as I can tell, the "query-source address" option in named.conf only
allows one outbound interface to be (implicitly) specified, and I don't
want to leave the outbound interface unspecified as that would defeat
monitoring and logging on the specific interface. The "forwarders"
option *does* allow multiple DNS servers to be specified, but that
doesn't help if the network path is down.

P.S. I suppose I might try something with policy routing, but that was
already a nightmare to set up, since I use DSL vs cable based on the
source and type (e.g. HTTP, SSH) of the traffic rather than the more
common destination.


rndc on local host: need named running?

2016-08-27 Thread Tom Browder
My plan is to have two remote, authoritative name servers (master and
slave) for my owned domains.  I would like to use rndc to control them from
my local host.

A couple of questions:

1. Does named need to be running on the local host?

2. Can I use rndc from my local host which doesn't have a fixed ip address?

Thanks.

Best regards,

-Tom

Allowable reverse mapping zone file names

2016-08-27 Thread Tom Browder
I do not control 3-octet networks but need reverse mapping for my mail
server.

Two questions:

1. Where is the doc that completely describes the allowable reverse mapping
zone file names?

2. When running my own authoritative name servers, do I need reverse
mapping for anything other than my single mail server?

Thanks.

Best regards,

-Tom
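As an added illustration (not part of the original post or of BIND itself) of what the allowable reverse-mapping zone names look like: octet-aligned IPv4 blocks get plain in-addr.arpa names, IPv6 blocks get nibble-aligned ip6.arpa names, and a block smaller than a /24 (the "I do not control 3-octet networks" case) uses the RFC 2317 classless convention, where the /24 owner delegates a zone named like `32/27` and points each address at it with a CNAME. The addresses, prefix and name server below are constructed examples.

```python
import ipaddress


def ptr_name(addr: str) -> str:
    """Fully qualified owner name of the PTR record for one IPv4/IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone_name(cidr: str) -> str:
    """Apex name of the reverse-mapping zone that covers `cidr`.

    Octet-aligned IPv4 prefixes (/8, /16, /24) and nibble-aligned IPv6
    prefixes map to plain in-addr.arpa / ip6.arpa names.  An IPv4 block
    smaller than /24 cannot have its own in-addr.arpa zone, so the RFC 2317
    convention is used: a zone named "<first-octet>/<prefixlen>" underneath
    the parent /24, which the /24 owner delegates to you with NS records.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        if net.prefixlen % 8 == 0:
            labels = list(reversed(octets[: net.prefixlen // 8]))
            return ".".join(labels + ["in-addr", "arpa"]) + "."
        if net.prefixlen > 24:
            labels = [f"{octets[3]}/{net.prefixlen}"] + list(reversed(octets[:3]))
            return ".".join(labels + ["in-addr", "arpa"]) + "."
        raise ValueError(f"{cidr}: in-addr.arpa zones are octet aligned; split into /24s")
    if net.prefixlen % 4:
        raise ValueError(f"{cidr}: ip6.arpa zones are nibble (4-bit) aligned")
    nibbles = net.network_address.exploded.replace(":", "")
    labels = list(reversed(nibbles[: net.prefixlen // 4]))
    return ".".join(labels + ["ip6", "arpa"]) + "."


def rfc2317_parent_records(cidr: str, ns: str) -> list:
    """Records the owner of the parent /24 must publish so a sub-/24 block
    can host its own PTRs (RFC 2317): one NS delegation for the "N/len"
    zone plus one CNAME per address pointing into that zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than /24")
    sub = reverse_zone_name(cidr)
    lines = [f"{sub} IN NS {ns}"]
    for host in net:  # every address in the block, network and broadcast included
        last_octet = str(host).split(".")[3]
        lines.append(f"{ptr_name(str(host))} IN CNAME {last_octet}.{sub}")
    return lines


if __name__ == "__main__":
    print(reverse_zone_name("192.0.2.32/27"))  # constructed example block
    print("\n".join(rfc2317_parent_records("192.0.2.32/27", "ns1.example.net.")))
```

The sub-/24 zone you then serve on your own name servers is named exactly as `reverse_zone_name` returns, and it contains ordinary PTR records for the last octet of each address.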

Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread sthaug
> > We're still in the early phases of IPv6. If sufficient ISPs drop PTR
> > for dynamic IPv6 addresses, email providers and others who base some
> > sort of "reputation" on IPv4 PTRs today will simply have to adapt.
> 
> 
> Steinar,
> 
> I think this is bigger than anti-spam logic.  Simply put: Customers
> pay for the Internet.  If customers want to "tag" an IPv6 block as
> their own as they do with IPv4, why can't they?  Please don't
> answer me as if I am a peer, answer as if I am a paying customer
> asking "why not?"

Customers with *static* IPv6 addresses will certainly be able to get
the desired PTR records for their IPv6 addresses. This is the same
as for IPv4.

The difference for customers with *dynamic* IPv6 addresses is that the
size of the IP6 space makes it infeasible to pre-generate PTR records,
and I see no good reason to dynamically generate these records just
because parts of the IPv4 world expect them.

> Simply deciding a request is silly (even with peer support) won't
> make it go away, it will only make your _problem_ become a source
> of _revenue_for_your_competitor_ and eventually putting you behind
> what _everyone_else_is_already_doing_.

I'll let the market decide. For now, such a requirement isn't even a
blip on the horizon as far as I can see.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Woodworth, John R
> > Simply pretending a shark doesn't exist offers very little in shark
> > protection.  While I understand this school of thought I don't believe
> > it will solve the problem or remove the need.
>
> We're still in the early phases of IPv6. If sufficient ISPs drop PTR
> for dynamic IPv6 addresses, email providers and others who base some
> sort of "reputation" on IPv4 PTRs today will simply have to adapt.


Steinar,

I think this is bigger than anti-spam logic.  Simply put: Customers
pay for the Internet.  If customers want to "tag" an IPv6 block as
their own as they do with IPv4, why can't they?  Please don't
answer me as if I am a peer, answer as if I am a paying customer
asking "why not?"

Simply deciding a request is silly (even with peer support) won't
make it go away, it will only make your _problem_ become a source
of _revenue_for_your_competitor_ and eventually putting you behind
what _everyone_else_is_already_doing_.

Just my $.02


Regards,
John


>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>



Re: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread sthaug
> > >A very popular option is to only create or delegate IPv6 PTR entries
> > >for hosts with static address assignments, and to return NXDOMAIN for
> > >address space used for dynamic address assignments.
> >
> > I talk to a lot of large providers at M3AAWG and that's the consensus
> > about what to do.  If it doesn't have a static address, it's not a
> > server and it doesn't need rDNS.
> 
> 
> Simply pretending a shark doesn't exist offers very little in shark
> protection.  While I understand this school of thought I don't believe
> it will solve the problem or remove the need.

We're still in the early phases of IPv6. If sufficient ISPs drop PTR
for dynamic IPv6 addresses, email providers and others who base some
sort of "reputation" on IPv4 PTRs today will simply have to adapt.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


RE: Question about dynamic IPv6-PTR-Generation

2016-08-27 Thread Woodworth, John R
>
> >A very popular option is to only create or delegate IPv6 PTR entries
> >for hosts with static address assignments, and to return NXDOMAIN for
> >address space used for dynamic address assignments.
>
> I talk to a lot of large providers at M3AAWG and that's the consensus
> about what to do.  If it doesn't have a static address, it's not a
> server and it doesn't need rDNS.


Simply pretending a shark doesn't exist offers very little in shark
protection.  While I understand this school of thought I don't believe
it will solve the problem or remove the need.


/John


>
> R's,
> John
>
>
