Re: How to generate authoritative DNS64 reverse zone

2017-05-19 Thread Mark Andrews

In message <57bf558b-f4eb-f2e4-c27c-9447ff4dd...@axu.tm>, Aleksi Suhonen writes:
> Hello,
> 
> Suppose that I have a NAT64 prefix 2001:67c:2b0:db32:0:1::/96 and a
> couple of DNS64 resolvers that use it. The resolvers will also generate
> nice CNAMEs that point to in-addr.arpa for that prefix. This is nice.
> 
> But other resolvers in the world won't do that, so I'd need to have a
> real reverse zone for this fantastical NAT64 prefix for their benefit.
> But if I configure a DNS64 prefix on an authoritative server, it will
> start messing with my normal zones too, won't it?
> 
> So how do I configure Bind9 to generate one authoritative DNS64 reverse
> zone that contains CNAMEs to in-addr.arpa, but otherwise not mess with
> anything?
> 
> Yours,

You should delegate
1.0.0.0.0.0.0.0.2.3.B.D.0.B.2.0.C.7.6.0.1.0.0.2.IP6.ARPA normally.
This will let everyone in the world find the CNAME records.  This
should be done even if you are just doing it for your recursive
clients.

If you don't want A to AAAA mappings to happen then turn off the
DNS64 mapping for everyone on the server.

dns64 2001:67c:2b0:db32:0:1::/96 {
	clients { none; };
};

Mark

> -- 
> Aleksi Suhonen / Axu TM Oy
> Internetworking Consulting
> Cellular: +358 44 975 6548
> World Wide Web: www.axu.tm
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
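Mark's answer has two parts: delegate the ip6.arpa name that covers the /96 normally, and leave the per-address CNAME synthesis to the server. The Python below is an added example, not code from this thread or from BIND: it derives that delegation name from the prefix (so you can check it against the name Mark quotes) and performs the RFC 6147 style mapping of one ip6.arpa owner name to its in-addr.arpa target, which is what any authoritative source for that zone has to produce per queried address. It assumes the RFC 6052 /96 layout with the IPv4 address in the low 32 bits; the function names and the 192.0.2.1 sample address are my own choices.

```python
import ipaddress
from typing import Optional

# Constructed value: the NAT64 prefix discussed in the thread.
NAT64_PREFIX = "2001:67c:2b0:db32:0:1::/96"


def reverse_zone_for_prefix(prefix: str) -> str:
    """Name of the ip6.arpa zone covering a nibble-aligned IPv6 prefix.

    This is the zone that gets delegated normally, so that any resolver
    in the world can follow the CNAMEs it contains."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegation needs a nibble-aligned prefix")
    hexdigits = net.network_address.exploded.replace(":", "")  # 32 nibbles
    kept = hexdigits[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa"


def arpa_name_for_ipv6(addr: str) -> str:
    """Full 32-nibble ip6.arpa owner name for one IPv6 address."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def embedded_ipv4(owner: str, prefix: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in an ip6.arpa owner name under a /96 NAT64 prefix.

    Assumes the RFC 6052 /96 layout (IPv4 in the low 32 bits). Returns None
    when the owner is not a complete 32-nibble name inside the prefix, so the
    zone apex and names outside the prefix are never mapped."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        raise ValueError("this helper assumes a /96 NAT64 prefix")
    labels = owner.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:-2]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    addr6 = ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    if addr6 not in net:
        return None
    return ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)


def synthesized_cname_target(owner: str, prefix: str) -> Optional[str]:
    """The in-addr.arpa name a DNS64 reverse zone would point the owner at."""
    v4 = embedded_ipv4(owner, prefix)
    return None if v4 is None else v4.reverse_pointer


def cname_rr(owner: str, prefix: str) -> Optional[str]:
    """One zone-file record line for the owner, or None if it is not mappable."""
    target = synthesized_cname_target(owner, prefix)
    if target is None:
        return None
    return f"{owner.rstrip('.')}. IN CNAME {target}."


if __name__ == "__main__":
    print("delegate:", reverse_zone_for_prefix(NAT64_PREFIX))
    # Constructed sample: the NAT64-mapped form of the documentation address 192.0.2.1.
    sample = arpa_name_for_ipv6("2001:67c:2b0:db32:0:1:c000:201")
    print(cname_rr(sample, NAT64_PREFIX))
    # A name outside the prefix is left alone (None), which is the
    # "otherwise not mess with anything" property the question asks for.
    print(cname_rr(arpa_name_for_ipv6("2001:db8::1"), NAT64_PREFIX))
```

The mapping refuses anything that is not a full 32-nibble name inside the prefix, so the apex (SOA/NS) and neighbouring zones are untouched; that is the same scoping that makes the `clients { none; }` approach above safe for the server's ordinary zones.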


Re: How to generate authoritative DNS64 reverse zone

2017-05-19 Thread Alberto Colosi
Hi, it is hard for an ISP to give you a reverse lookup zone.

First of all, you need to "own" the whole zone (for IPv4, a whole class C, for example).

Second, it is really hard to move definitions at the TLD level like RIPE, ARIN, APNIC or others.

It is more likely that the ISP gives you (if the first point is true) control of the reverse zone and that the ISP transfers the reverse zone definitions from you without involving RIPE/ARIN/APNIC/...

I speak from experience, as I was in need of an IPv4 reverse zone and the ISP only accepted it that way.

If you don't "own" the entire zone, there is no way to get this from your ISP.

Remember that IPv6 or IPv4 reverse zones are queried only if they are correctly referenced at RIPE/ARIN/APNIC/... or your ISP transfers the IPv6 zone from you.

To repeat: if you don't "own" the entire zone, the ISP will never accept moving it to you or transferring the zone from you, as the other IPs don't belong to you.

From: bind-users  on behalf of Aleksi Suhonen 

Sent: Friday, May 19, 2017 3:24 PM
To: bind-users@lists.isc.org
Subject: How to generate authoritative DNS64 reverse zone

Hello,

Suppose that I have a NAT64 prefix 2001:67c:2b0:db32:0:1::/96 and a
couple of DNS64 resolvers that use it. The resolvers will also generate
nice CNAMEs that point to in-addr.arpa for that prefix. This is nice.

But other resolvers in the world won't do that, so I'd need to have a
real reverse zone for this fantastical NAT64 prefix for their benefit.
But if I configure a DNS64 prefix on an authoritative server, it will
start messing with my normal zones too, won't it?

So how do I configure Bind9 to generate one authoritative DNS64 reverse
zone that contains CNAMEs to in-addr.arpa, but otherwise not mess with
anything?

Yours,

--
Aleksi Suhonen / Axu TM Oy
Internetworking Consulting
Cellular: +358 44 975 6548
World Wide Web: www.axu.tm

Re: are you using lwres?

2017-05-19 Thread Reindl Harald



On 19.05.2017 at 14:26, G.W. Haywood wrote:

On Fri, 19 May 2017, Evan Hunt wrote:


Do you run lwresd or named-with-lwres?  Do you have code that
links with liblwres?  If so, please let me know.


8<--
mail6:~# >>> cat /etc/debian_version
8.7
mail6:~# >>> apt-get remove liblwres90
...
The following packages will be REMOVED:
bind9-host dnsutils host liblwres90
...
8<--

Perhaps I'd better not do that then... :)


well that doesn't mean much - if a package is linked that way it has the 
deps, but the main question is "does it really need to be built that 
way and would no longer doing so break any real world use case"



How to generate authoritative DNS64 reverse zone

2017-05-19 Thread Aleksi Suhonen
Hello,

Suppose that I have a NAT64 prefix 2001:67c:2b0:db32:0:1::/96 and a
couple of DNS64 resolvers that use it. The resolvers will also generate
nice CNAMEs that point to in-addr.arpa for that prefix. This is nice.

But other resolvers in the world won't do that, so I'd need to have a
real reverse zone for this fantastical NAT64 prefix for their benefit.
But if I configure a DNS64 prefix on an authoritative server, it will
start messing with my normal zones too, won't it?

So how do I configure Bind9 to generate one authoritative DNS64 reverse
zone that contains CNAMEs to in-addr.arpa, but otherwise not mess with
anything?

Yours,

-- 
Aleksi Suhonen / Axu TM Oy
Internetworking Consulting
Cellular: +358 44 975 6548
World Wide Web: www.axu.tm


Re: inline-signing a zone that exists in two views

2017-05-19 Thread Bob Harold
On Fri, May 19, 2017 at 8:56 AM, Matus UHLAR - fantomas 
wrote:

> Gordon Messmer  wrote:
>>> > Is it considered best-practice (or just normal) for authoritative
>>> > servers to just not use the local server for resolution?
>>>
>>
> On Wed, May 10, 2017 at 5:56 AM, Tony Finch  wrote:
>>
>>> Mine don't :-)
>>>
>>
> On 18.05.17 16:38, Bob Harold wrote:
>
>> My authoritative servers are non-recursive.  They use the same DNS
>> resolvers that any other server uses, and not themselves.
>>
>
> this configuration will make your recursive servers provide correct data
> when your customers move their domains out without telling you so (which
> happened quite often)...
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Very true, and I use that fact when I know a zone is in transition.  But
most of the time I have stealth slave copies (meaning not listed in NS
records) on my resolvers.
That is more complicated, and has the problem you mention, which happens
often.
But it has some advantages:
Updates reaching my users more quickly, no waiting for cache timeout on the
resolvers (there are still other caches, but it helps)
Cache poisoning attacks don't work against my zones on my resolvers, since
they are authoritative and not cached.

I hope sometime to automate monitoring for zones moving without warning me
in advance.

-- 
Bob Harold

Re: are you using lwres?

2017-05-19 Thread Matus UHLAR - fantomas

On 18.05.17 21:13, Evan Hunt wrote:

At ISC we've recently been discussing the idea of deprecating the
lightweight resolver interface as of BIND 9.12. This means removing lwresd
and liblwres, and deprecating the lwres statement in named.conf.  (Note
that they would remain available in earlier releases; BIND 9.11 will be
supported for several years yet.)

Before we decide to do this, it would be helpful to know whether there are
any legacy applications depending on it. Based on the number of support
questions we get about lwresd (i.e., pretty close to none) there aren't
many, but perhaps they're just quiet.  Do you run lwresd or named-with-
lwres?  Do you have code that links with liblwres?  If so, please let me
know.


I tried using it some 10 years ago. I had strange results related to rrset
ordering (with nss_dns the bind-provided ordering worked, with nss_lwres I
got re-sorted IPs) so I disabled it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: inline-signing a zone that exists in two views

2017-05-19 Thread Matus UHLAR - fantomas

Gordon Messmer  wrote:
> Is it considered best-practice (or just normal) for authoritative
> servers to just not use the local server for resolution?



On Wed, May 10, 2017 at 5:56 AM, Tony Finch  wrote:

Mine don't :-)


On 18.05.17 16:38, Bob Harold wrote:

My authoritative servers are non-recursive.  They use the same DNS
resolvers that any other server uses, and not themselves.


this configuration will make your recursive servers provide correct data
when your customers move their domains out without telling you so (which
happened quite often)...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody


Re: are you using lwres?

2017-05-19 Thread G.W. Haywood

Hi there,

On Fri, 19 May 2017, Evan Hunt wrote:


Do you run lwresd or named-with-lwres?  Do you have code that
links with liblwres?  If so, please let me know.


8<--
mail6:~# >>> cat /etc/debian_version
8.7
mail6:~# >>> apt-get remove liblwres90
...
The following packages will be REMOVED:
bind9-host dnsutils host liblwres90
...
8<--

Perhaps I'd better not do that then... :)

8<--
Do you want to continue? [Y/n] n
Abort.
8<--

It doesn't seem to rate a mention in the Debian Popularity Contest.

--

73,
Ged.