Re: Queries regarding forwarders

2018-08-08 Thread Grant Taylor via bind-users

On 08/08/2018 10:02 PM, Blason R wrote:
> Due to the architecture since I have my internal DNS RPZ built I wanted 
> my other internal DNS servers should send traffic to RPZ server and 
> then RPZ would resolve on behalf of client.


Speaking of RPZ and forwarding…

Does anyone know off hand if BIND, with RPZ configured to filter answers 
that resolve to private IPs, can actually respond with private answers 
from a local authoritative zone?


My long standing fear is that RPZ would filter replies from local 
authoritative zones.  Thus I would want my recursive resolver, hosting 
zones with private IPs, to forward to an RPZ server.  Thus allowing me 
to return private IPs from authoritative zones while filtering private 
IPs from other external queries.




--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Queries regarding forwarders

2018-08-08 Thread Blason R
Hi there,

Due to the architecture, since I have my internal DNS RPZ built, I wanted my
other internal DNS servers to send traffic to the RPZ server, and then RPZ
would resolve on behalf of the client.

Client --->DNS AUTH Server for xyz.com===> Forwarder ==> 192.168.3.44===>
INTERNET

On Wed, Aug 8, 2018 at 10:26 PM Matus UHLAR - fantomas wrote:

> On 08.08.18 19:32, Blason R wrote:
> >I am bit confused about DNS forwarders. I have two BIND Servers one is
> >being used as Authoritative DNS server which has forwarder set
>
> why?
>
> > to other
> >server like this
> >
> >Auth Server  for xvyz.com 192.168.3.15
> >Recursive Server 192.168.3.44
> >
> >Now if I am debugging from client side using -debug option I see
> >192.168.3.15 is directly resolving with ROOT DNS Servers though I have
> >recursive no; option set in my BIND config.
>
> BIND has internal list of root servers.
>
> > Ideally the query should have
> >gone to 192.168.3.44 but in debug I am seeing the below output.
>
> ideally you would not use forwarder on BIND, unless you really must.
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> If Barbie is so popular, why do you have to buy her friends?


RHEL, Centos, Fedora rpm 9.12.2-P1

2018-08-08 Thread Carl Byington
http://www.five-ten-sg.com/mapper/bind contains links to the source
rpms, and build instructions.






Re: Queries regarding forwarders

2018-08-08 Thread Matus UHLAR - fantomas

On 08.08.18 19:32, Blason R wrote:
> I am a bit confused about DNS forwarders. I have two BIND servers; one is
> being used as an authoritative DNS server which has a forwarder set

why?

> to other
> server like this
>
> Auth Server for xvyz.com 192.168.3.15
> Recursive Server 192.168.3.44
>
> Now if I am debugging from the client side using the -debug option I see
> 192.168.3.15 is directly resolving with ROOT DNS Servers though I have
> recursive no; option set in my BIND config.

BIND has an internal list of root servers.

> Ideally the query should have
> gone to 192.168.3.44 but in debug I am seeing the below output.

ideally you would not use a forwarder on BIND, unless you really must.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends? 


Re: Queries regarding forwarders

2018-08-08 Thread Barry Margolin
In article ,
 Blason R  wrote:

> Hi there,
> 
> I am bit confused about DNS forwarders. I have two BIND Servers one is
> being used as Authoritative DNS server which has forwarder set to other
> server like this
> 
> Auth Server  for xvyz.com 192.168.3.15
> Recursive Server 192.168.3.44
> 
> Now if I am debugging from client side using -debug option I see
> 192.168.3.15 is directly resolving with ROOT DNS Servers though I have
> recursive no; option set in my BIND config. Ideally the query should have
> gone to 192.168.3.44 but in debug I am seeing the below output.

The response says "recursion available". Are you sure you disabled 
recursion?

Note that if you want to use forwarders, you have to enable recursion. 
Forwarding is only done when the server is recursing; it tells it to 
send to the forwarder instead of the servers named in the NS records.

What makes you think the server is directly resolving instead of going 
to the forwarder? There's nothing in the response that tells you where 
it got the answer from.

> 
> Well how do I trace if forwarding is happening?
> 

Re: Removing an NS server

2018-08-08 Thread John Miller
On Wed, Aug 8, 2018 at 9:10 AM, Bob Harold  wrote:
>
> On Tue, Aug 7, 2018 at 5:01 PM John Miller  wrote:
>>
>> Hal, we've done this before - it's not particularly hard, just takes a
>> bit for everyone to pick up the new set of NS records.  You just make
>> the change upstream and also remove the NS records that reference the
>> system.  It's kind of weird: during the interim, you'll have a running
>> nameserver that doesn't return itself in its NS records.  If the same
>> set of servers also serves your reverse zones, don't forget to update
>> ARIN as well as Educause.
>>
>> Educause sets their upstream TTLs to two days (ARIN's 1 day), but
>> people shouldn't be caching the referral, only your actual NS records.
>> If you're at all concerned, you can always set a low TTL ahead of time
>> on your NS records, so everyone will pull the updated records
>> relatively quickly once you make your changes.
>>
>> John
>>
>> On Tue, Aug 7, 2018 at 4:46 PM, King, Harold Clyde (Hal) 
>> wrote:
>> > I don't think I made my point. I need to pull/remove a DNS nameserver
>> > from my set of nameservers.
>> > My plan was to put the reference to it from our domain name provider.
>> > Then pull it from the list of NS records. I am not changing my SOA record.
>> > Just the nameserver. Did I make a mistake? Did you mean pull the NS record
>> > for that server, then pull it from the name provider. I'll still have 4
>> > servers running the SOA, and I don't plan to stop the old nameserver until
>> > well after a week of running.
>> >
>> >
>> > --
>> > Hal King  - h...@utk.edu
>> > Systems Administrator
>> > Office of Information Technology
>> > Shared Systems Services
>
>
> If I remember correctly, setting my NS ttl lower than my parent caused a
> problem when one of my servers failed and I took it out of the NS record
> set.  I think it went something like this:
>
> resolver asks tld (before the change) and gets:
> example.com 2d NS dns1.example.com
> example.com 2d NS dns2.example.com
> example.com 2d NS dns3.example.com
>
> dns3 fails and I remove it from the NS records, both locally and at the
> parent TLD.
>
> Resolver talks to my servers (a few hours later, after the change) and gets:
> example.com 1h NS dns1.example.com
> example.com 1h NS dns2.example.com
>
> Resolver cache now has:
> example.com 1h NS dns1.example.com
> example.com 1h NS dns2.example.com
> example.com 2d NS dns3.example.com
>
> An hour later the two shorter NS records expire and the resolver is left
> with:
> example.com 2d NS dns3.example.com
>
> If dns3.example.com is down, the resolver will fail to reach my zone, and
> will not ask the TLD until that record expires.
>
> So I think the TTL on NS records needs to match the parent zone, whether I
> like that ttl or not.
>
> In your case, removing the NS records from both your zone and the parent
> zone, two days (or whatever the ttl) before you turn off the server, should
> be fine.
>
> --
> Bob Harold
>

Oh wow - I hadn't thought about that one, Bob: I was assuming that the
upstream records wouldn't be cached, but if they are, you're
absolutely right - zero fun trying to troubleshoot a problem like
that.

John


Queries regarding forwarders

2018-08-08 Thread Blason R
Hi there,

I am a bit confused about DNS forwarders. I have two BIND servers; one is
being used as an authoritative DNS server which has a forwarder set to another
server like this

Auth Server for xvyz.com 192.168.3.15
Recursive Server 192.168.3.44

Now if I am debugging from client side using -debug option I see
192.168.3.15 is directly resolving with ROOT DNS Servers though I have
recursive no; option set in my BIND config. Ideally the query should have
gone to 192.168.3.44 but in debug I am seeing the below output.

Well how do I trace if forwarding is happening?


C:\Users\Administrator>nslookup -type=a -debug www.cisco.com

Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags:  response, auth. answer, want recursion, recursion
questions = 1,  answers = 1,  authority records = 2,  additional

QUESTIONS:
15.3.168.192.in-addr.arpa, type = PTR, class = IN
ANSWERS:
->  15.3.168.192.in-addr.arpa
name = dns.xyz.com
ttl = 10800 (3 hours)
AUTHORITY RECORDS:
->  3.168.192.in-addr.arpa
nameserver = dns02.xyz.com
ttl = 10800 (3 hours)
->  3.168.192.in-addr.arpa
nameserver = dns.xyz.com
ttl = 10800 (3 hours)
ADDITIONAL RECORDS:
->  dns.xyz.com
internet address = 192.168.3.15
ttl = 10800 (3 hours)
->  dns02.xyz.com
internet address = 192.168.3.14
ttl = 10800 (3 hours)


Server:  dns.xyz.com
Address:  192.168.3.15


Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags:  response, want recursion, recursion avail.
questions = 1,  answers = 5,  authority records = 13,  additiona

QUESTIONS:
www.cisco.com, type = A, class = IN
ANSWERS:
->  www.cisco.com
canonical name = www.cisco.com.akadns.net
ttl = 838 (13 mins 58 secs)
->  www.cisco.com.akadns.net
canonical name = wwwds.cisco.com.edgekey.net
ttl = 299 (4 mins 59 secs)
->  wwwds.cisco.com.edgekey.net
canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.
ttl = 14531 (4 hours 2 mins 11 secs)
->  wwwds.cisco.com.edgekey.net.globalredir.akadns.net
canonical name = e2867.dsca.akamaiedge.net
ttl = 3599 (59 mins 59 secs)
->  e2867.dsca.akamaiedge.net
internet address = 23.57.126.108
ttl = 19 (19 secs)
AUTHORITY RECORDS:
->  net
nameserver = a.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = l.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = e.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = i.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = d.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = f.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = b.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = h.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = g.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = c.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = k.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = j.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
->  net
nameserver = m.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
ADDITIONAL RECORDS:
->  m.gtld-servers.net
internet address = 192.55.83.30
ttl = 103500 (1 day 4 hours 45 mins)
->  m.gtld-servers.net
 IPv6 address = 2001:501:b1f9::30
ttl = 163960 (1 day 21 hours 32 mins 40 secs)
->  d.gtld-servers.net
internet address = 192.31.80.30
ttl = 77579 (21 hours 32 mins 59 secs)


Non-authoritative answer:
Name:e2867.dsca.akamaiedge.net
Address:  23.57.126.108
Aliases:  www.cisco.com
  www.cisco.com.akadns.net
  wwwds.cisco.com.edgekey.net
  wwwds.cisco.com.edgekey.net.globalredir.akadns.net


C:\Users\Administrator>


Re: Creating CNAME Resource Records (RR) to Redirect Readers to My Wordpress and Blogspot Blogs Don't Work

2018-08-08 Thread Matus UHLAR - fantomas

On 08.08.18 08:28, Turritopsis Dohrnii Teo En Ming wrote:
> I have 2 redundant blogs, one at wordpress.com (example.wordpress.com) and 
> another at blogspot.sg (example.blogspot.sg).
>
> I have a Domain Name Service (DNS) server (ns1 and ns2) at home in Singapore.
>
> I would like to create two CNAME resource records to redirect readers to my 
> wordpress and blogspot blogs respectively.
>
> For example,
>
> CNAME: wordpress.mydomain.com REDIRECT to example.wordpress.com
>
> CNAME: blogspot.mydomain.com REDIRECT to example.blogspot.sg
>
> But the CNAME records I have created and redirection don't work at all. Did I 
> miss out anything?


what do you mean they do not work?

Note that the web server handling example.wordpress.com MUST know that
wordpress.mydomain.com is an alternative name for example.wordpress.com,
OR you must configure an HTTP server for wordpress.mydomain.com anywhere just to
send an HTTP redirect to example.wordpress.com.

CNAME does not cause HTTP redirects, and no HTTP server I know parses CNAMEs
just to know which site you mean.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I intend to live forever - so far so good. 


Re: Removing an NS server

2018-08-08 Thread Matus UHLAR - fantomas

On 07.08.18 20:46, King, Harold Clyde (Hal) wrote:
> I don't think I made my point. I need to pull/remove a DNS nameserver from
> my set of nameservers.
> My plan was to put the reference to it from our domain name provider.

Yes, to be more precise, you must pull the name out of all domains delegated
to the server.

> Then pull it from the list of NS records.

correct - in all zones that contain NS records pointing to the server.

> I am not changing my SOA record.

you must increase the serial number in the SOA, so all slaves will fetch the new
versions without the NS for the proper server.

> Just the nameserver.  Did I make a mistake?  Did you mean pull the NS
> record for that server, then pull it from the name provider.  I'll still
> have 4 servers running the SOA, and I don't plan to stop the old
> nameserver until well after a week of running.

you should keep the server running at least for "expire" seconds in those zones.
the expire is (or should be) usually a week or two.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol. 


Re: Removing an NS server

2018-08-08 Thread King, Harold Clyde (Hal)
I want to thank you all for the recommendations. I’m having a bit of mail list 
troubles so I don’t know Alberto’s email but thanks to you all!


--
Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Systems Services

The University of Tennessee
103C5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone : 974-1599
Helpdesk 24/7 : 974-9900



Re: Removing an NS server

2018-08-08 Thread Bob Harold
On Tue, Aug 7, 2018 at 5:01 PM John Miller  wrote:

> Hal, we've done this before - it's not particularly hard, just takes a
> bit for everyone to pick up the new set of NS records.  You just make
> the change upstream and also remove the NS records that reference the
> system.  It's kind of weird: during the interim, you'll have a running
> nameserver that doesn't return itself in its NS records.  If the same
> set of servers also serves your reverse zones, don't forget to update
> ARIN as well as Educause.
>
> Educause sets their upstream TTLs to two days (ARIN's 1 day), but
> people shouldn't be caching the referral, only your actual NS records.
> If you're at all concerned, you can always set a low TTL ahead of time
> on your NS records, so everyone will pull the updated records
> relatively quickly once you make your changes.
>
> John
>
> On Tue, Aug 7, 2018 at 4:46 PM, King, Harold Clyde (Hal) wrote:
> > I don't think I made my point. I need to pull/remove a DNS nameserver
> > from my set of nameservers.
> > My plan was to put the reference to it from our domain name provider.
> > Then pull it from the list of NS records. I am not changing my SOA record.
> > Just the nameserver. Did I make a mistake? Did you mean pull the NS record
> > for that server, then pull it from the name provider. I'll still have 4
> > servers running the SOA, and I don't plan to stop the old nameserver until
> > well after a week of running.
> >
> >
> > --
> > Hal King  - h...@utk.edu
> > Systems Administrator
> > Office of Information Technology
> > Shared Systems Services
>

If I remember correctly, setting my NS ttl lower than my parent caused a
problem when one of my servers failed and I took it out of the NS record
set.  I think it went something like this:

resolver asks tld (before the change) and gets:
example.com 2d NS dns1.example.com
example.com 2d NS dns2.example.com
example.com 2d NS dns3.example.com

dns3 fails and I remove it from the NS records, both locally and at the
parent TLD.

Resolver talks to my servers (a few hours later, after the change) and gets:
example.com 1h NS dns1.example.com
example.com 1h NS dns2.example.com

Resolver cache now has:
example.com 1h NS dns1.example.com
example.com 1h NS dns2.example.com
example.com 2d NS dns3.example.com

An hour later the two shorter NS records expire and the resolver is left
with:
example.com 2d NS dns3.example.com

If dns3.example.com is down, the resolver will fail to reach my zone, and
will not ask the TLD until that record expires.

So I think the TTL on NS records needs to match the parent zone, whether I
like that ttl or not.

In your case, removing the NS records from both your zone and the parent
zone, two days (or whatever the ttl) before you turn off the server, should
be fine.

-- 
Bob Harold
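Bob's timeline above, replayed as an added Python simulation (example code written for this page, not anything from the thread or from BIND). It assumes the per-record caching behaviour he describes, and the constructed names dns1/dns2/dns3.example.com; outage_seconds sizes the window in which the cache still names only the dead server, and a second run with the child TTL matching the parent's 2d shows the window closing.

```python
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR

ZONE = "example.com"
DNS1, DNS2, DNS3 = "dns1.example.com", "dns2.example.com", "dns3.example.com"


@dataclass
class ResolverCache:
    """Cache keyed by (owner, type, rdata) with an absolute expiry per RR.

    This is the per-record model Bob describes (an assumption of this
    example, not a claim about any particular resolver): learning an RRset
    refreshes only the RRs it contains, and an RR that is missing from the
    new set keeps whatever expiry it already had.
    """
    rrs: dict = field(default_factory=dict)

    def learn(self, now, owner, rtype, rdatas, ttl):
        for rdata in rdatas:
            self.rrs[(owner, rtype, rdata)] = now + ttl

    def live(self, now, owner, rtype):
        """Rdata values for owner/type that have not expired at `now`."""
        return sorted(rdata for (o, t, rdata), exp in self.rrs.items()
                      if o == owner and t == rtype and exp > now)


def build_cache(child_ns_ttl, parent_ns_ttl, change_at):
    """Replay the thread's timeline: parent referral at t=0, dns3 fails and
    is removed, and at `change_at` the resolver re-learns the NS set from
    dns1/dns2 with the child zone's TTL."""
    cache = ResolverCache()
    cache.learn(0, ZONE, "NS", [DNS1, DNS2, DNS3], parent_ns_ttl)
    cache.learn(change_at, ZONE, "NS", [DNS1, DNS2], child_ns_ttl)
    return cache


def simulate(child_ns_ttl, parent_ns_ttl=2 * DAY, change_at=3 * HOUR):
    """What the resolver holds, and which of it is reachable, at three moments."""
    cache = build_cache(child_ns_ttl, parent_ns_ttl, change_at)
    reachable = {DNS1, DNS2}          # dns3 is down
    moments = (("after change", change_at),
               ("child TTL expired", change_at + child_ns_ttl + 1),
               ("parent TTL expired", parent_ns_ttl + 1))
    report = {}
    for label, t in moments:
        cached = cache.live(t, ZONE, "NS")
        report[label] = {"t": t, "cached": cached,
                         "usable": sorted(set(cached) & reachable)}
    return report


def outage_seconds(child_ns_ttl, parent_ns_ttl=2 * DAY, change_at=3 * HOUR):
    """Seconds during which the cache still names servers but none is reachable.

    While the cache is non-empty the resolver keeps using it instead of going
    back to the TLD, so this is the window in which the zone is unreachable.
    Stepping a minute at a time is coarse but enough to size the window.
    """
    cache = build_cache(child_ns_ttl, parent_ns_ttl, change_at)
    reachable = {DNS1, DNS2}
    stuck = 0
    for t in range(change_at, parent_ns_ttl + change_at, 60):
        cached = cache.live(t, ZONE, "NS")
        if cached and not (set(cached) & reachable):
            stuck += 60
    return stuck


if __name__ == "__main__":
    for ttl, label in ((HOUR, "child NS TTL 1h, parent 2d"),
                       (2 * DAY, "child NS TTL 2d, parent 2d")):
        print(label)
        for moment, state in simulate(ttl).items():
            print(f"  {moment:>20}: cached={state['cached']} usable={state['usable']}")
        print(f"  unreachable for {outage_seconds(ttl) / HOUR:.0f} hours")
```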


Re: Creating CNAME Resource Records (RR) to Redirect Readers to My Wordpress and Blogspot Blogs Don't Work

2018-08-08 Thread Sten Carlsen


On 08/08/2018 10.28, Turritopsis Dohrnii Teo En Ming wrote:
> Good afternoon from Singapore,
>
> I have 2 redundant blogs, one at wordpress.com (example.wordpress.com) and 
> another at blogspot.sg (example.blogspot.sg).
>
> I have a Domain Name Service (DNS) server (ns1 and ns2) at home in Singapore.
>
> I would like to create two CNAME resource records to redirect readers to my 
> wordpress and blogspot blogs respectively.
>
> For example,
>
> CNAME: wordpress.mydomain.com REDIRECT to example.wordpress.com
>
> CNAME: blogspot.mydomain.com REDIRECT to example.blogspot.sg
>
> But the CNAME records I have created and redirection don't work at all. Did I 
> miss out anything?
The CNAME RRs do work:

; <<>> DiG 9.10.6 <<>> blogspot.teo-en-ming.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22888
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blogspot.teo-en-ming.com.    IN    A

;; ANSWER SECTION:
blogspot.teo-en-ming.com. 3600    IN    CNAME    tdtemcerts.blogspot.sg.
tdtemcerts.blogspot.sg.    600    IN    CNAME   
blogspot.l.googleusercontent.com.
blogspot.l.googleusercontent.com. 300 IN A    216.58.213.193

;; AUTHORITY SECTION:
googleusercontent.com.    66612    IN    NS    ns1.google.com.
googleusercontent.com.    66612    IN    NS    ns4.google.com.
googleusercontent.com.    66612    IN    NS    ns2.google.com.
googleusercontent.com.    66612    IN    NS    ns3.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.        18596    IN    A    216.239.34.10
ns2.google.com.        18596    IN        2001:4860:4802:34::a
ns1.google.com.        18596    IN    A    216.239.32.10
ns1.google.com.        18596    IN        2001:4860:4802:32::a
ns3.google.com.        18596    IN    A    216.239.36.10
ns3.google.com.        18596    IN        2001:4860:4802:36::a
ns4.google.com.        18596    IN    A    216.239.38.10
ns4.google.com.        18596    IN        2001:4860:4802:38::a

;; Query time: 1900 msec
;; SERVER: 192.168.16.20#53(192.168.16.20)
;; WHEN: Wed Aug 08 14:58:27 CEST 2018
;; MSG SIZE  rcvd: 403


The problem you experience is that Google sees the original request:
http://blogspot.teo-en-ming.com/

and responds:

*404.* That’s an error.

The requested URL |/| was not found on this server. That’s all we know.


You probably have to make a redirect from a web server that you own so
the request can be corrected to the appropriate address (header
information) to show Google.
>
> Please advise.
>
> Thank you very much. 
>  
>  ===BEGIN SIGNATURE=== 
> Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017 
> [1] https://tdtemcerts.wordpress.com/ 
> [2] http://tdtemcerts.blogspot.sg/ 
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming 
> ===END SIGNATURE=== 
> 
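The fix that both Matus and Sten describe, a redirect issued by a web server you control and keyed on the Host header the browser sends, as an added Python example that is not from the thread. The hostnames and targets are the ones in the thread; the REDIRECTS map, redirect_target and RedirectHandler are assumptions of this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mapping for this example: the names that carry CNAMEs in the
# thread -> the site the reader should actually land on.
REDIRECTS = {
    "wordpress.mydomain.com": "https://example.wordpress.com",
    "blogspot.mydomain.com": "https://example.blogspot.sg",
}


def redirect_target(host_header, path):
    """Return the Location to send the browser to, or None if the Host is not ours.

    A CNAME changes where the TCP connection goes, not the Host header the
    browser sends, so the remote site still sees "blogspot.mydomain.com" and
    answers 404. The redirect has to be produced here, before the request
    ever reaches wordpress.com or blogspot.sg.
    """
    if not host_header:
        return None
    # Drop any :port, normalise case and a trailing dot before the lookup.
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    base = REDIRECTS.get(host)
    if base is None:
        return None
    # Only pass through an ordinary origin-form request target; anything
    # else (absolute URI, "//..." ) is normalised to the site root.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return base + path


class RedirectHandler(BaseHTTPRequestHandler):
    """Minimal redirector: 301 to the mapped site, 404 for unknown hosts."""

    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404, "No redirect configured for this host")
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Point wordpress.mydomain.com / blogspot.mydomain.com at the host running
    # this instead of at the blog providers, then serve (port 8080 here).
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```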



Creating CNAME Resource Records (RR) to Redirect Readers to My Wordpress and Blogspot Blogs Don't Work

2018-08-08 Thread Turritopsis Dohrnii Teo En Ming
Good afternoon from Singapore,

I have 2 redundant blogs, one at wordpress.com (example.wordpress.com) and 
another at blogspot.sg (example.blogspot.sg).

I have a Domain Name Service (DNS) server (ns1 and ns2) at home in Singapore.

I would like to create two CNAME resource records to redirect readers to my 
wordpress and blogspot blogs respectively.

For example,

CNAME: wordpress.mydomain.com REDIRECT to example.wordpress.com

CNAME: blogspot.mydomain.com REDIRECT to example.blogspot.sg

But the CNAME records I have created and redirection don't work at all. Did I 
miss out anything?

Please advise.

Thank you very much. 
 
 ===BEGIN SIGNATURE=== 
Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017 
[1] https://tdtemcerts.wordpress.com/ 
[2] http://tdtemcerts.blogspot.sg/ 
[3] https://www.scribd.com/user/270125049/Teo-En-Ming 
===END SIGNATURE=== 
