Re: Problem with zone delegation with private gTLD

2019-04-09 Thread Tony Finch
Matthew Pounsett  wrote:
>
> RFC2606 reserves test, example, invalid, and localhost, for "testing
> and documentation,"

However you must either disable validation or set up your own root zone to
use them. [ RFC 6761 has more details than RFC 2606 about how to use these
names. ]

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Shannon, Rockall: East or southeast 3 or 4, occasionally 5 in Rockall and
later also in Shannon. Moderate, occasionally rough at first and later in far
west Shannon. Showers. Good, occasionally moderate.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Dynamic DNS Updates fail once in a while against AD DNS

2019-04-09 Thread Osipov, Michael

Hi folks,

We experience sporadic failures in DNS updates with nsupdate 9.11.6
against Active Directory with GSS-TSIG.


The input is:

$ less /usr/local/etc/register-hostnames.in
zone ad001.siemens.net
update add deblndw011x1j.ad001.siemens.net 3600 A 147.54.64.149
send
update add sitex-ldadw.ad001.siemens.net 3600 A 147.54.64.149
send


The update runs from crontab with @daily on FreeBSD 12.0-RELEASE:

In a negative case we see:

;; UPDATE SECTION:
deblndw011x1j.ad001.siemens.net. 3600 IN A  147.54.64.149

;; TSIG PSEUDOSECTION:
2194433436.sig-demchadc02a.ad001.siemens.net. 0	ANY TSIG gss-tsig. 1554588001 300 28 BAQE//8AH1sNRDyJ/ysz/YCKzFftFw== 45424 NOERROR 0 


07-Apr-2019 00:00:01.897 dns_request_destroy: request 0x8010d3bc0
07-Apr-2019 00:00:01.897 req_destroy: request 0x8010d3bc0
07-Apr-2019 00:00:01.897 requestmgr_detach: 0x8010c7a40: eref 1 iref 1
07-Apr-2019 00:00:01.913 req_connected: request 0x8010d3a40
07-Apr-2019 00:00:01.913 req_send: request 0x8010d3a40
07-Apr-2019 00:00:01.913 req_senddone: request 0x8010d3a40
07-Apr-2019 00:00:01.930 req_response: request 0x8010d3a40: success
07-Apr-2019 00:00:01.930 req_cancel: request 0x8010d3a40
07-Apr-2019 00:00:01.930 req_sendevent: request 0x8010d3a40
07-Apr-2019 00:00:01.930 dns_request_getresponse: request 0x8010d3a40
07-Apr-2019 00:00:01.930 GSS verify error: GSSAPI error: Major = A token had an 
invalid Message Integrity Check (MIC), Minor = Unknown code 0.
07-Apr-2019 00:00:01.930 tsig key '2194433436.sig-demchadc02a.ad001.siemens.net' 
(): signature failed to verify(1)
; TSIG error with server: tsig verify failure


If necessary, I can provide both (positive and negative) output from 
cron and pcap files.


Is there anything I can do to solve this issue or is this another 
Microsoft DNS quirk (domain name compression or alike) I have to live 
with? Is issue #45854 back in the game?


Regards,

Michael

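As an added example (not from Michael's post or from BIND), a sh wrapper for the cron job that classifies nsupdate's output and retries the input file when the GSS-TSIG signature check fails, so one sporadic MIC failure does not leave a record unregistered until the next @daily run; the nsupdate command line, retry count and delay are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): wrapper for the
# @daily nsupdate -g run that recognises the GSS-TSIG "tsig verify failure"
# quoted in the post and retries the input file a bounded number of times,
# so one sporadic MIC failure does not leave a record unregistered for a day.
# Assumptions: nsupdate 9.11 message wording as quoted in the post; NSUPDATE,
# MAX_TRIES and RETRY_DELAY are placeholders that can be overridden.

NSUPDATE="${NSUPDATE:-nsupdate -g}"
MAX_TRIES="${MAX_TRIES:-3}"
RETRY_DELAY="${RETRY_DELAY:-5}"

# Read one nsupdate run's combined stdout/stderr on stdin and print one word:
# ok, tsig-verify (signature/MIC rejected, the transient case from the post)
# or failed (anything else nsupdate reports as an error). Always returns 0.
classify_nsupdate_output() {
    out=$(cat)
    case "$out" in
        *"tsig verify failure"*|*"signature failed to verify"*) echo tsig-verify ;;
        *failed*|*error*|*"not found"*) echo failed ;;
        *) echo ok ;;
    esac
}

# Run one input file, retrying only on tsig-verify. Prints the final status
# word; returns 0 when the update was accepted, 1 otherwise.
run_update() {
    infile=$1
    try=1
    while :; do
        status=$($NSUPDATE "$infile" 2>&1 | classify_nsupdate_output)
        echo "$(date '+%F %T') $infile attempt $try: $status" >&2
        if [ "$status" != tsig-verify ] || [ "$try" -ge "$MAX_TRIES" ]; then
            break
        fi
        try=$((try + 1))
        sleep "$RETRY_DELAY"
    done
    echo "$status"
    [ "$status" = ok ]
}

# Cron entry point, e.g. register-hostnames.sh /usr/local/etc/register-hostnames.in
if [ $# -gt 0 ]; then
    run_update "$1"
fi
```

Each attempt is logged to stderr with its classification, so a cron mail shows whether a retry recovered the update or the failure persisted.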


Re: Problem with zone delegation with private gTLD

2019-04-09 Thread Matthew Pounsett
On Tue, 9 Apr 2019 at 06:32, Tony Finch  wrote:
>
> Matthew Pounsett  wrote:
> >
> > RFC2606 reserves test, example, invalid, and localhost, for "testing
> > and documentation,"
>
> However you must either disable validation or set up your own root zone to
> use them. [ RFC 6761 has more details than RFC 2606 about how to use these
> names. ]

Yes, that's right.  The reason I referenced 2606 is that the subject
under discussion was the reason for the reservation, and 6761 defers
to 2606 for that.


When to use the "invalid" TLD

2019-04-09 Thread Chris Thompson

On Apr 8 2019, Matthew Pounsett wrote, in another thread:


RFC2606 reserves test, example, invalid, and localhost, for "testing
and documentation," which seems to fit this use-case.  'invalid'
doesn't seem to me to be intended for use as a generic private TLD
though, as was suggested up-thread. 


This reminded me of one use I did make of "invalid". The IPv4 addresses
192.153.213.[249-251] were reserved for a web probing service for which
it was desired to make them appear not to be on the university network
(although they were) to see whether the web sites responded differently
in that case. Partly this was done by using an unusual /24, but also by
suppressing DNS entries for them.

Originally this was done by tagging them in the database with a "visibility"
option that suppressed inclusion of both forward and reverse entries in
the DNS. I was quite keen to get rid of this option, which messed up the
database semantics in other ways, and they were the only remaining cases
of its use.

So instead I attached them to a database object with a name under "invalid".
Reverse lookup on the IPv4 addresses then gave that name (indeed, it still
does). That still made them appear to be "not in cam.ac.uk", and forward
lookup on the name would be guaranteed to give NXDOMAIN. Well, unless
we ever generated a forward zone for "invalid" from the database, which
obviously was not going to happen...

I still think this was a reasonable use of "invalid", and consistent with
the remarks in section 6.4 of RFC 6761 (also dating from 2013, incidentally). 


--
Chris Thompson
Email: c...@cam.ac.uk



Re: Regarding named related issue observed with bind 9.11.5-P4 version

2019-04-09 Thread Chandra Rao
Hi Niall O'Reilly,

Thanks for the response.
Still we are facing the same issue even after trying with the suggested
usage of the command.

# ps -eaf | grep -i named
root  32198 32197  0 04:59 ?      00:00:00 sudo /usr/sbin/named -u named -c /etc/ClusterDNS.conf -f
named 32199 32198  5 04:59 ?      00:00:00 /usr/sbin/named -u named -c /etc/ClusterDNS.conf -f
root  32284 21885  0 04:59 pts/0  00:00:00 grep -i named

# cd /var/run/named
-bash: cd: /var/run/named: No such file or directory

Kindly let us know if there is any other possible solution for this issue.


Thanks & Regards,
Chandra M

On Thu, Apr 4, 2019 at 7:37 PM Niall O'Reilly  wrote:

> On 3 Apr 2019, at 10:26, Chandra Rao wrote:
>
> exec /usr/sbin/named -u named -c "/etc/ClusterDNS.conf" -f
>
> You may need to use
>
> sudo /usr/sbin/named -u named ...
>
> or, if you prefer
>
> exec sudo /usr/sbin/named -u named ...
>
> Best regards,
> Niall O'Reilly
>