Re: DNSSEC upgrade
Edwardo Garcia wrote:
>
> Many years ago we set up DNSSEC; our keys were generated with sha1, as was
> recommended way back all those years ago. We too are not DNSSEC gurus, so some
> answers may be simple.

Well, you are going to do an algorithm rollover, which is one of the more tricky things you can do with DNSSEC. So, plan to do some testing, a trial run, with a spare zone that you can break without worrying.

If you like to understand things by getting an idea of the wider context then there are a couple of RFCs on the general subject of key rollovers. The parts that are most relevant are the algorithm rollover section in RFC 6781 and the double-KSK section in RFC 7583.

https://tools.ietf.org/html/rfc6781
https://tools.ietf.org/html/rfc7583

DNSSEC has got easier since those RFCs were written, so you might as well just skip to the howto bits below :-)

It turns out, I wrote most of this reply over a year ago...

> Also we use ZSK -b 1024 and KSK -b 4096.
> Even modern Google from APNIC shows an example ZSK of only 1024. Is this still
> secure?

The current recommendation for DNSSEC algorithms is:

* you already know you want to choose something based on sha256 - it's secure enough, so there's no need for bigger hashes

* ecdsa-p256-sha256 (13) is the best choice, because it is widely supported and produces small signatures

* if you must use RSA, use 2048 bit keys for both zsk and ksk. 1024 bits is not secure; 2048 has a roughly comparable security level to sha256 (112ish bits vs 128 bits); 4096 is big and slow and probably not worth the cost

* I would like to be able to deploy ed25519 (a better elliptic curve than p256) but it is not yet supported well enough

> Is the best practice for doing this replacing the keys completely, more or
> less like starting fresh again?
>
> We do use inline signing and automatic maintain.

I did a wholesale algorithm rollover from RSASHA1 to p256 around the end of 2019 and I wrote an algorithm rollover guide for colleagues in other parts of our university who run their own DNS. It's basically three steps with lots of waiting in between:

https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

The "Semi-automated DS updates" section probably isn't relevant to you, and the "Future" section has been made obsolete by dnssec-policy. But the rest of it should guide you through the essentials. (Also, the RIPE NCC does now support CDS records.)

And use these DNS checking services to verify that it is working as expected:

https://dnsviz.net/
https://zonemaster.net/

Tony.
--
f.anthony.n.finch https://dotat.at/
Rattray Head to Berwick upon Tweed: North or northeast 4 or 5, occasionally 3 later. Slight or moderate. Showers. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
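
An added example, not part of the original post and not BIND code: a Python check of a zone's DNSKEY records against the advice in the reply above (SHA-1 based algorithms 5 and 7, RSA keys under 2048 bits, RSA keys over 2048 bits). It assumes one record per line, as printed by `dig +noall +answer`; the `example.test` records are constructed filler of the right shape, and the issue labels are names chosen for this example.

```python
import base64

SHA1_ALGS = {5, 7}         # RSASHA1 and RSASHA1-NSEC3-SHA1
RSA_ALGS = {5, 7, 8, 10}   # algorithm numbers whose key data is an RSA key
SEP_FLAG = 0x0001          # set on key-signing keys (flags 257), clear on ZSKs (256)


def rsa_modulus_bits(key: bytes) -> int:
    """Size of an RSA key in RFC 3110 form: exponent length, exponent, modulus."""
    if len(key) < 3:
        raise ValueError("RSA key data too short")
    if key[0]:
        exp_len, offset = key[0], 1
    else:                  # a leading zero byte means a 2-byte exponent length follows
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    modulus = key[offset + exp_len:]
    if not modulus:
        raise ValueError("RSA key data has no modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol alg base64...'.

    Returns (role, algorithm, key_bytes), or None for any other line.
    """
    fields = line.split(";", 1)[0].split()   # drop trailing comments
    if "DNSKEY" not in fields:
        return None
    i = fields.index("DNSKEY")
    flags, _protocol, alg = (int(f) for f in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return ("KSK" if flags & SEP_FLAG else "ZSK", alg, key)


def audit(rrset_text: str) -> list:
    """Return (role, algorithm, rsa_bits_or_None, issues) for each DNSKEY record."""
    findings = []
    for line in rrset_text.splitlines():
        parsed = parse_dnskey(line)
        if parsed is None:
            continue
        role, alg, key = parsed
        bits, issues = None, []
        if alg in SHA1_ALGS:
            issues.append("sha1")            # roll to a sha256-based algorithm
        if alg in RSA_ALGS:
            bits = rsa_modulus_bits(key)
            if bits < 2048:
                issues.append("rsa-short")   # the reply: 1024 bits is not secure
            elif bits > 2048:
                issues.append("rsa-oversized")  # the reply: big and slow
        findings.append((role, alg, bits, issues))
    return findings


def constructed_rsa(bits: int) -> str:
    """Constructed filler with the shape and size of an RSA key; not a real key."""
    blob = b"\x03\x01\x00\x01" + b"\xc1" + b"\x5a" * (bits // 8 - 1)
    return base64.b64encode(blob).decode()


# Constructed sample: the zone as described in the question (algorithm 5,
# 1024-bit ZSK, 4096-bit KSK) and the same zone after a rollover to algorithm 13.
BEFORE = (
    f"example.test. 3600 IN DNSKEY 256 3 5 {constructed_rsa(1024)}\n"
    f"example.test. 3600 IN DNSKEY 257 3 5 {constructed_rsa(4096)}\n"
)
P256_FILLER = base64.b64encode(b"\x5a" * 64).decode()   # 64 bytes, like a P-256 key
AFTER = (
    f"example.test. 3600 IN DNSKEY 256 3 13 {P256_FILLER}\n"
    f"example.test. 3600 IN DNSKEY 257 3 13 {P256_FILLER}\n"
)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for role, alg, bits, issues in audit(text):
            print(label, role, "alg", alg, "rsa bits", bits, issues or "ok")
```

During the rollover itself the zone publishes keys for both algorithms at once, so a mixed result partway through is expected rather than a failure.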
DNSSEC upgrade
Hello all,

Many years ago we set up DNSSEC; our keys were generated with sha1, as was recommended way back all those years ago. We too are not DNSSEC gurus, so some answers may be simple.

Now we want to upsecure this to sha256.

Also we use ZSK -b 1024 and KSK -b 4096. Even modern Google from APNIC shows an example ZSK of only 1024. Is this still secure?

Is the best practice for doing this replacing the keys completely, more or less like starting fresh again?

We do use inline signing and automatic maintain.

I see 9.16 makes it easy by not needing to do anything but set policy, but we are stuck on 9.14 for the time being.

I am OK with wiping DS, keys, everything and starting fresh if that is easiest, unless there is another simple way?
Re: Per server instance vs central / shared / redundant instances of BIND
Grant Taylor via bind-users wrote:
>
> Do you think that per (mail) server instances of BIND are worth the additional
> administrative overhead as compared to more central shared instances?

Yes, that's what I did when I was doing mail things. There are a few reasons: reduce load on the shared central resolvers; reduce the latency of anti-spam blocklist lookups; better fate-sharing between the SMTP and DNS parts of the mail service.

There's not much overlap between the kinds of queries done by mail servers and other DNS users, so there's limited benefit from sharing a single cache.

There probably is benefit from sharing a DNS cache between multiple mail servers, but from my point of view it was easier to have one kind of machine that does SMTP + DNS than two different flavours of machine. (The admin effort is per flavour, not per server.)

Tony.
--
f.anthony.n.finch https://dotat.at/
Cape Wrath to Rattray Head including Orkney: Northeast 3 to 5 backing north 3 or 4. Slight or moderate. Showers. Good.
Re: [External] Re: Per server instance vs central / shared / redundant instances of BIND
For me, I run one locally per data center with forwarders, etc. defined but for a "How to spin up your own mail server", I would likely just keep it to one per mail server.

For someone more advanced, DNS is lightweight and anti-spam is very heavy. So anything you can save on anti-spam processing will likely save more resources.

On 4/27/2021 12:46 PM, Grant Taylor via bind-users wrote:
> E.g. if you had 29 mail servers, would you run BIND on each of their lo's? Or would you use a small number of central / shared / redundant servers?

--
*Kevin A. McGrail*
/CEO Emeritus/
*Peregrine Computer Consultants Corporation*
+1.703.798.0171 kmcgr...@pccc.com
https://pccc.com/
https://raptoremailsecurity.com
10311 Cascade Lane, Fairfax, Virginia 22032-2357 USA
Re: Per server instance vs central / shared / redundant instances of BIND
On 4/27/21 10:24 AM, Kevin A. McGrail wrote:
> Agreed on the OT and good subject change.

:-)

> For me, I wouldn't bind DNS to the eth0, just another attack surface hence I would use local loopback.

I think the main reason to bind to eth0 / LAN is for when there are multiple (mail) servers that can benefit from a common instance of BIND. As opposed to having a dedicated instance of BIND on lo per (mail) server.

> Having a DNS on the lan is good too but caching on any mail server is good.

Do you think that per (mail) server instances of BIND are worth the additional administrative overhead as compared to more central shared instances?

E.g. if you had 29 mail servers, would you run BIND on each of their lo's? Or would you use a small number of central / shared / redundant servers?

> There are a lot of DNS queries for email and anti-spam.

Yep.

> But the key takeaway is don't use something like quad-8.

}:-)

--
Grant. . . .
unix || die
Re: [External] OT: How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
On 4/27/2021 12:14 PM, Grant Taylor via bind-users wrote:
> > and change resolve.conf to 127.0.0.1 for the best RBL performance.
>
> How much effective performance difference does the loopback interface (lo) vs the local LAN interface (eth0) make?
>
> Similarly, how much effective performance difference does an on host instance of BIND make vs across the LAN to another host in the same site make?
>
> I absolutely agree that a /local/ /to/ /the/ /network/ caching DNS server is a boon for email. -- Definitely avoid simply relying on big 3rd party resolvers across the Internet.

Agreed on the OT and good subject change.

For me, I wouldn't bind DNS to the eth0, just another attack surface hence I would use local loopback. Having a DNS on the lan is good too but caching on any mail server is good. There are a lot of DNS queries for email and anti-spam.

But the key takeaway is don't use something like quad-8.

Regards,
KAM

--
*Kevin A. McGrail*
/CEO Emeritus/
*Peregrine Computer Consultants Corporation*
+1.703.798.0171 kmcgr...@pccc.com
https://pccc.com/
https://raptoremailsecurity.com
10311 Cascade Lane, Fairfax, Virginia 22032-2357 USA
OT: How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
BIND-Users on topic content first:

> #1 bind for a local caching DNS query server

I absolutely agree.

> and change resolve.conf to 127.0.0.1 for the best RBL performance.

How much effective performance difference does the loopback interface (lo) vs the local LAN interface (eth0) make?

Similarly, how much effective performance difference does an on host instance of BIND make vs across the LAN to another host in the same site make?

I absolutely agree that a /local/ /to/ /the/ /network/ caching DNS server is a boon for email. -- Definitely avoid simply relying on big 3rd party resolvers across the Internet.

Aside: The rest of my reply gets to ride along and would not have been sufficient for a reply in and of itself because I believe it's off topic for BIND-Users.

On 4/27/21 7:55 AM, Kevin A. McGrail wrote:
> Very nice.

It's interesting. It's a recent take on one of many ways to host your own email.

> This was also posted on Postfix's list but nice to hear firsthand reports as I just read it.

I saw this message splattered to a number of mailing lists, many of which I think the message (content) was rather off topic for the list. E.g. what does it have to do with the BIND DNS server installation, configuration, and operation, other than the fact that email usually relies heavily on DNS service (implementation independent).

> Two minor notes to continue the project that you might consider:
>
> #1 bind for a local caching DNS query server

(See above.)

> #2 add the KAM ruleset: https://mcgrail.com/template/projects#KAM1

To each their own.

Email administration is a massive topic in and of itself, which is probably better discussed elsewhere.

I appreciate the recent, as in not months ~> years old article encouraging people to host their own email. Though I personally disagree with it or would do things a fair bit differently.

--
Grant. . . .
unix || die
Re: NXDOMAIN processing
On 4/26/21 2:45 PM, bamberg2000 via bind-users wrote:
> Hi!

Hi,

> BIND 9.11.5, I forward the request ("forward zone" or global "forward first") to another server and I get NXDOMAIN. Is it possible to process NXDOMAIN other than "redirect zone"? I just want to repeat the request to another forwarder.

I'm not sure what your actual use case is or if what I did will work.

I wrote a quick overview article about something I did years ago that /might/ help with what you /may/ be doing.

Link - Duplicate authoritative DNS zones ... on purpose - https://dotfiles.tnetconsulting.net/blog/2013/0610/Duplicate-authoritative-DNS-zones-on-purpose.html

TL;DR: Two BIND servers worked in concert with each other such that the master / authoritative zone in the D.R. environment could be a subset of the production environment to override things while still falling back to the full prod environment for records that weren't overridden.

It's a bit of a hack, but it allowed us to enter the ~100 names specific to the D.R. environment and leverage the other thousands of names from prod without needing to import / merge records in D.R.

I don't remember why simply using RPZ to override wasn't sufficient. I think it had to do with the infrastructure / configuration I was working with.

Maybe this will give you some ideas. Or maybe it wasted some bandwidth and 30 seconds of people's time.

--
Grant. . . .
unix || die
Re[2]: Configuring the location of named .jnl files
Anders Löwinger wrote:
> Ivan Avery Frey wrote:
> >
> > We are only using update to provision the acme challenge as described
> > by RFC 8555 8.4. Nothing else.
>
> Acme follows CNAMEs. I've redirected all challenges to my domains to a
> separate subdomain, which allows dynamic updates. Works great!

Yes, there's an item about this on the EFF blog:

https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

I wrote a followup which might be of interest on this list even though it isn't relevant to this specific problem:

https://fanf.dreamwidth.org/123294.html

Tony.
--
f.anthony.n.finch https://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
Re: [External] [UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
Very nice. This was also posted on Postfix's list but nice to hear firsthand reports as I just read it.

Two minor notes to continue the project that you might consider:

#1 bind for a local caching DNS query server and change resolve.conf to 127.0.0.1 for the best RBL performance.

#2 add the KAM ruleset: https://mcgrail.com/template/projects#KAM1

Regards,
KAM

On 4/27/2021 9:47 AM, Turritopsis Dohrnii Teo En Ming wrote:
> Subject: [UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
>
> Good day from Singapore,
>
> I followed linuxbabe.com's Xiao Guoan's guide and successfully setup a full featured Linux mail server on Ubuntu 18.04.5 LTS with IRedMail 1.4.0.
>
> Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
> Country: Singapore
> Date: 25 April 2021 Sunday
> Type of Publication: PDF Manual
> Document Version: 20210425.01 (1st release)
>
> ***IMPORTANT NOTICE***
> Please note that Turritopsis Dohrnii Teo En Ming’s guide is based on Xiao Guoan’s guide at linuxbabe.com.
>
> Reference Guide Used by Teo En Ming: How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with iRedMail
> Link: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server
> Original Author: Xiao Guoan
>
> The following is a list of open-source software that will be automatically installed and configured by iRedMail.
>
> • Postfix SMTP server
> • Dovecot IMAP server
> • Nginx web server to serve the admin panel and webmail
> • OpenLDAP, MySQL/MariaDB, or PostgreSQL for storing user information
> • Amavised-new for DKIM signing and verification
> • SpamAssassin for anti-spam
> • ClamAV for anti-virus
> • Roundcube webmail
> • SOGo groupware, providing webmail, calendar (CalDAV), contacts (CardDAV), tasks and ActiveSync services.
> • Fail2ban for protecting SSH
> • mlmmj mailing list manager
> • Netdata server monitoring
> • iRedAPD Postfix policy server for greylisting
>
> In addition, you need to add MX, A and TXT records to your ISC BIND DNS domain name server.
>
> Redundant Download Links for Teo En Ming's PDF Manual:
>
> [1] https://drive.google.com/file/d/1un8sLLmNSMIt7V6blWCvJEgwGvxMbd4B/view?usp=sharing
> [2] https://drive.google.com/file/d/1i0vY7kfYkobu563qoI3_qCZg7G7BFoYR/view?usp=sharing
> [3] https://drive.google.com/file/d/1U9MFN1EklLbA8TMweLV5ntiSJuBBVkpQ/view?usp=sharing
> [4] https://www.docdroid.net/dW70KtS/iredmail-setup-1st-release-pdf
> [5] https://www.mediafire.com/file/evar7j28knqyoj6/IRedMail+Setup+1st+Release.pdf/file
> [6] https://www.scribd.com/document/504932780/IRedMail-Setup-1st-Release
>
> Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 27 April 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a System Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.
>
> -BEGIN EMAIL SIGNATURE-
>
> The Gospel for all Targeted Individuals (TIs):
>
> [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
> Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
>
> Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):
>
> [1] https://tdtemcerts.wordpress.com/
> [2] https://tdtemcerts.blogspot.sg/
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
>
> -END EMAIL SIGNATURE-

--
*Kevin A. McGrail*
/CEO Emeritus/
*Peregrine Computer Consultants Corporation*
+1.703.798.0171 kmcgr...@pccc.com
https://pccc.com/
https://raptoremailsecurity.com
10311 Cascade Lane, Fairfax, Virginia 22032-2357 USA
[UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
Subject: [UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0

Good day from Singapore,

I followed linuxbabe.com's Xiao Guoan's guide and successfully setup a full featured Linux mail server on Ubuntu 18.04.5 LTS with IRedMail 1.4.0.

Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 25 April 2021 Sunday
Type of Publication: PDF Manual
Document Version: 20210425.01 (1st release)

***IMPORTANT NOTICE***
Please note that Turritopsis Dohrnii Teo En Ming’s guide is based on Xiao Guoan’s guide at linuxbabe.com.

Reference Guide Used by Teo En Ming: How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with iRedMail
Link: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server
Original Author: Xiao Guoan

The following is a list of open-source software that will be automatically installed and configured by iRedMail.

• Postfix SMTP server
• Dovecot IMAP server
• Nginx web server to serve the admin panel and webmail
• OpenLDAP, MySQL/MariaDB, or PostgreSQL for storing user information
• Amavised-new for DKIM signing and verification
• SpamAssassin for anti-spam
• ClamAV for anti-virus
• Roundcube webmail
• SOGo groupware, providing webmail, calendar (CalDAV), contacts (CardDAV), tasks and ActiveSync services.
• Fail2ban for protecting SSH
• mlmmj mailing list manager
• Netdata server monitoring
• iRedAPD Postfix policy server for greylisting

In addition, you need to add MX, A and TXT records to your ISC BIND DNS domain name server.

Redundant Download Links for Teo En Ming's PDF Manual:

[1] https://drive.google.com/file/d/1un8sLLmNSMIt7V6blWCvJEgwGvxMbd4B/view?usp=sharing
[2] https://drive.google.com/file/d/1i0vY7kfYkobu563qoI3_qCZg7G7BFoYR/view?usp=sharing
[3] https://drive.google.com/file/d/1U9MFN1EklLbA8TMweLV5ntiSJuBBVkpQ/view?usp=sharing
[4] https://www.docdroid.net/dW70KtS/iredmail-setup-1st-release-pdf
[5] https://www.mediafire.com/file/evar7j28knqyoj6/IRedMail+Setup+1st+Release.pdf/file
[6] https://www.scribd.com/document/504932780/IRedMail-Setup-1st-Release

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 27 April 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a System Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.

-BEGIN EMAIL SIGNATURE-

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-END EMAIL SIGNATURE-
Re: Using RNDC to control remote access to my BIND server
Hi Greg,

Read the "ddns-confgen" man page. And then read all the material here:

https://bind9.readthedocs.io/en/v9_16_13/advanced.html

Regards,
Anand

On 27/04/2021 11:27, Greg Donohoe wrote:
> Thank you for the excellent advice, it is a lot clearer to me now.
> I am checking the nsupdate & TSIG man pages for additional knowledge.
> Outside of these man pages, are there any other references
> (tutorials/videos) that you would recommend?
> Particularly around the area of TSIG key generation & management best
> practices?
Re: Using RNDC to control remote access to my BIND server
Thank you for the excellent advice, it is a lot clearer to me now.
I am checking the nsupdate & TSIG man pages for additional knowledge.
Outside of these man pages, are there any other references (tutorials/videos) that you would recommend?
Particularly around the area of TSIG key generation & management best practices?

Rgds,
Greg.

On Mon, Apr 26, 2021 at 4:16 PM Tony Finch wrote:

> Anand Buddhdev wrote:
>
> Anand's advice is good, as usual :-)
>
> But a small pedantic point:
>
> > The DNS protocol itself has recently been updated to allow for
> > encryption, using DTLS (DNS-over-TLS).
>
> DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
> spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for
> deploying it: DTLS combines all the disadvantages of UDP with all the
> disadvantages of TLS. (Or worse: DTLS has a more complicated state machine
> than normal TLS so there have been a bunch of DTLS-specific
> vulnerabilities which makes me very reluctant to deploy it.)
>
> There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and
> DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.
>
> But right now, none of these are particularly easy to get working as
> transports for UPDATE, and as Anand said, it usually isn't necessary.
>
> I'm looking forward to zone transfers over TLS, because public key
> authentication (with client certificates) is a bit easier to deploy
> between different organizations than TSIG secret key authentication.
> There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,
> apart from the neatness of having all authenticated traffic over TLS.
>
> Tony.
> --
> f.anthony.n.finch https://dotat.at/
> Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.
Re: NXDOMAIN processing
On 26.04.21 20:45, bamberg2000 via bind-users wrote:
> BIND 9.11.5, I forward the request ("forward zone" or global "forward first") to another server and I get NXDOMAIN. Is it possible to process NXDOMAIN other than "redirect zone"? I just want to repeat the request to another forwarder.

It's not possible. The NXDOMAIN response means that the requested domain definitely does not exist, so there's no logical need to verify this from another source.

Maybe if you explained to us what you're trying to do, we could give you better advice.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Quantum mechanics: The dreams stuff is made of.
Re[2]: Configuring the location of named .jnl files
-- Original message --
From: "Ivan Avery Frey"
To: "ML BIND Users"
Sent: 2021-04-27 02:13:02
Subject: Re: Configuring the location of named .jnl files

> Hi Mark,
>
> We are only using update to provision the acme challenge as described by RFC 8555 8.4. Nothing else.

Acme follows CNAMEs. I've redirected all challenges to my domains to a separate subdomain, which allows dynamic updates. Works great!

Regards
Anders Löwinger