Re: dnssec-policy default - where/how to determine what all its settings are?

2024-06-06 Thread Andrew Latham
Link for the Debian packaged version you mentioned is at
https://bind9.readthedocs.io/en/v9.18.24/reference.html#namedconf-statement-dnssec-policy


On Thu, Jun 6, 2024 at 9:31 AM Andrew Latham  wrote:

> I took a quick look
>
> *
> https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf
> *
> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf
>
> On Thu, Jun 6, 2024 at 8:19 AM Michael Paoli via bind-users <
> bind-users@lists.isc.org> wrote:
>
>> dnssec-policy default - where/how to determine what all its settings are?
>> Documentation
>> doc/bind9-doc/arm/reference.html#dnssec-policy-default
>>
>> https://bind9.readthedocs.io/en/v9.18.27/reference.html#dnssec-policy-default
>> says:
>> A verbose copy of this policy may be found in the source tree, in the
>> file doc/misc/dnssec-policy.default.conf
>> But I'm not finding that in source nor elsewhere.
>> There doesn't even seem to be an rndc command that can list
>> defined dnssec-policy sets that are in place, nor that
>> can list how they're configured.  This information should be much more
>> visible/findable, so ... where is it?  I'm sure it must be present
>> somewhere in the source, but haven't easily located it by searching.
>> Shouldn't be necessary to run debugging to track down where this is
>> and where in the source it comes from.  So ... where does one find it?
>>
>> I've been looking at Debian BIND9 packages:
>> bind9  1:9.18.24-1
>> bind9-doc  1:9.18.24-1
>> and also ISC BIND 9.18.24 source and 9.18.27 source and documentation.
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
>
> --
> - Andrew "lathama" Latham -
>


-- 
- Andrew "lathama" Latham -
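One way to stop depending on the built-in policy at all is to write the policy out explicitly in named.conf, so every signing parameter is visible in your own configuration and can be reviewed like any other security setting. The fragment below is an added example, not text from this thread or from ISC's dnssec-policy.default.conf; the values are illustrative choices, not a statement of what BIND's built-in `default` policy contains, and the zone name and file paths are assumptions. `rndc dnssec -status` reports which policy a zone is using and its current key states, which is the closest thing to a runtime view of the policy in effect.

```conf
// Added example: an explicitly written dnssec-policy (illustrative values,
// NOT BIND's built-in defaults). Every knob is spelled out so a reviewer
// can read the signing parameters straight from named.conf.
dnssec-policy "explicit-csk" {
    // One combined signing key (CSK) per zone; "lifetime unlimited" means
    // the key manager never rolls it automatically.
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };

    // TTLs and delays the key manager uses to schedule rollover steps.
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;
    max-zone-ttl 1d;
    zone-propagation-delay 5m;

    // DS at the parent: these must reflect the real parent zone.
    parent-ds-ttl 1d;
    parent-propagation-delay 1h;

    // RRSIG lifetimes: refresh well before expiry.
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
};

zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.db";   // assumed path
    dnssec-policy "explicit-csk";
    inline-signing yes;
};

// Checks to run on the server after editing:
//   named-checkconf /etc/bind/named.conf
//   rndc reconfig
//   rndc dnssec -status example.com   # policy in use, key states, next rollover
```

Because the policy name is your own, a `named-checkconf -p` dump shows the full block verbatim, which is not the case for the built-in `default` policy.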




Re: feature request for improving named-compilezone

2024-02-11 Thread Andrew Latham
If you are using a version control system like Git then I would suggest you
have a zonefile.md next to the zone with any specific notes and maybe a
history/changelog. This may not answer your problem case but documentation
as markdown or even just a TXT next to the zone is handy.

On Thu, Jan 18, 2024 at 11:17 AM Marco Davids (SIDN) via bind-users <
bind-users@lists.isc.org> wrote:

> Hi,
>
> How hard would it be to let named-compilezone keep any remarks that are
> present in the source file? Because now it strips them and that is
> problematic.
>
> --
> Marco


-- 
- Andrew "lathama" Latham -


Re: secure statistics page

2024-02-11 Thread Andrew Latham
I have seen this question a few times so would a note or example in
https://kb.isc.org/docs/aa-01123 (or other related documentation) be a good
idea?

On Thu, Jan 18, 2024 at 7:36 AM Ondřej Surý  wrote:

> Hi,
>
> put a real webserver in front of it. Both Apache and Nginx can work as
> proxy.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> > On 18. 1. 2024, at 15:12, Eric Dewitte  wrote:
> >
> > 
> > Hello,
> > I'm looking for help here because I haven't found any information in the
> documentation (or I haven't).
> >
> > I've activated Bind's statistics, to test I've set port 8080.
> > So I can make http requests on port 8080, it works.
> >
> > but i'd like to secure the page, is it possible to switch to https and
> therefore use an SSL certificate?
> >
> > Thank you for your help.
> >
> > OS: Debian 12, BIND: 9.18
>


-- 
- Andrew "lathama" Latham -
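The statistics channel itself speaks plaintext HTTP with no authentication beyond an address ACL, so the advice above is to keep it on loopback and let a real web server provide TLS, client restriction and authentication. The two fragments below are an added example, not configuration from this thread or from ISC; the hostname, certificate paths, the 10.0.0.0/8 management range and the htpasswd file are assumptions.

```conf
// named.conf: bind the statistics channel to loopback only, so nothing on
// the network can reach the plaintext listener directly.
statistics-channels {
    inet 127.0.0.1 port 8080 allow { 127.0.0.1; };
};

# nginx: TLS termination, source-IP restriction and HTTP basic auth in front
# of the loopback listener (assumed names and paths).
server {
    listen 443 ssl;
    server_name dns1.example.net;

    ssl_certificate     /etc/ssl/certs/dns1.example.net.pem;
    ssl_certificate_key /etc/ssl/private/dns1.example.net.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /stats/ {
        allow 10.0.0.0/8;       # management network only
        deny  all;
        auth_basic           "BIND statistics";
        auth_basic_user_file /etc/nginx/stats.htpasswd;
        # Trailing slash strips the /stats/ prefix: /stats/json -> /json on named.
        proxy_pass http://127.0.0.1:8080/;
    }
}

# Checks from a management host:
#   curl -u statsuser https://dns1.example.net/stats/json | head
#   curl -s --max-time 3 http://dns1.example.net:8080/   # must fail: not on the public IP
```

The second curl is the one that matters: if it succeeds, the listener is still bound to a routable address and the proxy is only decoration.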


Re: Help about DNS documentation

2023-11-05 Thread Andrew Latham
* Commonly when an answer to a query is larger than UDP should handle, a
switch to TCP is required. This can be configured and done in unexpected
ways to thwart DDoS
* I do not know of any laws specifically mentioning DNS. General computer
system/network laws could apply.
* I think there would be some demonstrations out there. I searched for
`github dns amplification attack` and saw many.

On Fri, Nov 3, 2023 at 9:21 AM Amaury Van Pevenaeyge <
avanpevenae...@outlook.fr> wrote:

> Hello everyone,
>
>
>
> I'm currently a final year Master's student at the Free University of
> Brussels. As part of my Master's thesis, I have to implement a DNS
> amplification scenario within a Cyber Range. However, before achieving this
> final goal, I first need to make amplification rate measurements within a
> virtual machine system. I therefore have a few questions about the DNS
> protocol and DNS servers.
>
>
>
>- Why do some DNS servers respond via TCP to an ANY query made under
>UDP? I have read in RFC8482 that modern DNS servers try to limit responses
>to ANY queries in order to limit the impact of their use in DNS
>amplification attack but I would like to learn more about the security
>measures/best practices currently in place for this type of query and for
>big TXT responses. Does anyone have any sources or other RFCs that might be
>useful?
>
>
>
>- Would you have any advice/recommendations or sources on the legal
>Framework to be respected for my Master’s thesis, so that I can carry out
>my various measures without being illegal or alerting certain entities?
>
>
>
>- Would you have some articles and researches or others about DNS
>protocol, DNS protocol security or good research practices for DNS
>amplification attacks?
>
>
>
> Thank you in advance for your help. I remain at your disposal should you
> have any questions.
>


-- 
- Andrew "lathama" Latham -
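The first bullet above (forcing a TCP retry, and trimming ANY answers) is what BIND's `minimal-any` and Response Rate Limiting options do on an authoritative server. The options fragment below is an added example, not configuration from this thread or from ISC; the rate values are illustrative and `ns1.example.net` / `example.com` are assumed names.

```conf
// Added example: options for an authoritative-only server that limit its
// usefulness as a UDP amplifier.
options {
    // Not a resolver for the world: open recursion is the classic amplifier.
    recursion no;
    allow-recursion { none; };

    // RFC 8482 behaviour: an ANY query over UDP gets a single small RRset
    // instead of every RRset at the name.
    minimal-any yes;

    // Response Rate Limiting: identical answers to the same /24 (or /56)
    // beyond the rate are dropped or, on every second drop ("slip 2"),
    // replaced by a truncated (TC=1) reply. A real client retries over TCP,
    // where the source address cannot be spoofed; a spoofed victim gets a
    // tiny packet instead of a large one.
    rate-limit {
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second    5;
        slip 2;
        window 15;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;   // set to yes first to observe what would be limited
    };
};

// Checks against your own server (replace the names):
//   dig +norecurse ANY example.com @ns1.example.net        # small UDP answer
//   dig +norecurse +tcp ANY example.com @ns1.example.net   # compare with TCP
//   for i in $(seq 30); do dig +norecurse +short TXT example.com @ns1.example.net; done
//       # repeated quickly: expect drops / "tc" flagged replies once RRL engages
```

Measure with `log-only yes` first: the rate-limit log lines show which clients and answers would be limited, which is also the measurement a thesis on amplification ratios needs before anything is actually dropped.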


Re: How should I configure internal and external DNS servers

2023-11-04 Thread Andrew Latham
* That sounds like a sadly normal implementation but yes you can do better
* Views is a good place to look https://kb.isc.org/docs/aa-00851
* Make sure to investigate how the company VPN services handle DNS as it
may surprise you

On Fri, Nov 3, 2023 at 9:52 AM Nick Howitt via bind-users <
bind-users@lists.isc.org> wrote:

> Hi,
>
> I am fairly new to bind but I am thinking my company's use of it is
> sub-optimal. We have two bind masters (and a few slaves), one for
> internal use so all our internal servers point to it or its slaves as
> their DNS resolvers. I will call the internal one bind-internal and the
> external one bind-external.
>
> Bind-internal is set up as authoritative for the domain example.com.
> Bind-external is also set up as authoritative for example.com.
>
> Bind-internal has all sorts of entries resolving in the 10.30, 10.40 and
> other private ranges, but it also has entries resolving to our public
> IP's e.g. demo.example.com resolves to 1.2.3.4 (terminated by an F5),
> which is one of our public ips (munged). As this site is externally
> accessible as well, we also have to put an identical entry in
> bind-external so we end up having many identical entries in
> bind-internal and bind-external. We also have some other domains covered
> by bind-internal with external IPs, but externally they are covered by
> the domain host's DNS and they have the same issue where in
> bind-internal we have some public IP's which are also in the domain
> host's DNS for external access.
>
> I have a feeling this is a sub-optimal setup, having to maintain
> external IPs in both bind-internal and bind-external. Does it make sense
> to stop bind-internal from being authoritative and make it a
> resolver/caching name server? This way, if it does not find an entry in
> bind-internal it will then go out to either bind-external or the domain
> host's DNS to get the answer from the authoritative servers and then
> there is no need to maintain external IPs in bind internal.
>
> TIA,
>
> Nick
>


-- 
- Andrew "lathama" Latham -
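The views suggestion above, written out as a named.conf skeleton: one server answers example.com differently depending on who is asking, and the internal view also recurses, so anything not defined internally is resolved from the public authoritative servers instead of being copied by hand. This is an added example, not configuration from this thread or from ISC; the 10.30/16 and 10.40/16 ranges come from the question, while the VPN pool, secondary addresses, file paths and TSIG key name are assumptions.

```conf
// Added example: split-horizon example.com with views (assumed addresses).
acl "internal-nets" {
    10.30.0.0/16;
    10.40.0.0/16;
    10.250.0.0/16;    // assumed VPN client pool; check what the VPN really hands out
    127.0.0.1; ::1;
};

// TSIG key so internal secondaries are matched to the internal view when
// they transfer the zone. Generate a real secret with:  tsig-keygen internal-xfer
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder, not a real key
};

view "internal" {
    match-clients { key internal-xfer; internal-nets; };
    recursion yes;
    allow-recursion { internal-nets; };
    zone "example.com" {
        type primary;
        file "/etc/bind/zones/example.com.internal";   // private addresses live here
        allow-transfer { key internal-xfer; };
        notify explicit;
        also-notify { 10.30.0.53; };                    // assumed internal secondary
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    zone "example.com" {
        type primary;
        file "/etc/bind/zones/example.com.external";   // public addresses only
        allow-transfer { 192.0.2.53; };                 // assumed external secondary
    };
};

// Checks:
//   named-checkconf -z /etc/bind/named.conf
//   dig demo.example.com @ns1 +short          # from 10.30.x: internal answer
//   dig demo.example.com @ns1 +short          # from the Internet: 1.2.3.4-style public answer
//   dig axfr example.com @ns1 -k internal-xfer.key   # signed transfer hits the internal view
```

Two caveats a practitioner would check: with views in use every zone must live inside a view, and the internal secondaries must sign their transfer requests (`server <primary> { keys { internal-xfer; }; };` on the secondary), otherwise an unsigned AXFR from an internal address still matches the internal view but an external secondary that happens to be on the VPN would too. Public names that must also resolve internally still have to appear in the internal file; a common way to avoid editing them twice is to keep them in one shared file that both zone files `$INCLUDE`.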


Re: monitoring BIND

2023-08-03 Thread Andrew Latham
Maybe start with
https://kb.isc.org/docs/monitoring-recommendations-for-bind-9

On Thu, Aug 3, 2023 at 9:07 AM  wrote:

>
>
> Hello community
>
> please what is the most recommended tool for BIND monitoring and
> especially display response time and latency thank you in advance.
>
> Regards Sami
>


-- 
- Andrew "lathama" Latham -


Re: Documentation on readthedocs - links to older releases return 404 errors

2023-05-31 Thread Andrew Latham
Issues can be tracked at https://gitlab.isc.org/isc-projects/bind9/-/issues
if it helps

On Wed, May 31, 2023 at 3:46 PM Dan Mahoney  wrote:

>
>
> > On May 31, 2023, at 12:25 PM, Petr Špaček  wrote:
> >
> > On 31. 05. 23 18:08, E R wrote:
> >> If you visit https://bind9.readthedocs.io/en/v9.18.15/ <
> https://bind9.readthedocs.io/en/v9.18.15/> you will see a menu in the
> lower left corner where you can select older releases of the bind ARM
> manual.  But those links do not work and return a 404.  Should those links
> work?  Or do they need to be removed?
> >
> > The links from the menu I tried at random work for me. Which particular
> version is giving you trouble?
> >
> >> In my case I visited https://kb.isc.org/docs/aa-01031 <
> https://kb.isc.org/docs/aa-01031> which pointed me to the right location
> to get a PDF copy of other releases and pointed me to the sources location
> where I can get the PDF that matches my distribution's version.
> >
> > While reading you message I realized that we messed it up and old links
> with underscore (e.g. v9_18_10 as opposed to v9.18.10) indeed do not work.
> >
> > I'll see if we can restore the old links, but I cannot promise any
> specific timeline.
>
> Hey there FastEddie, I’m Dan with ISC’s SysAdmin team.  I normally work on
> the F-root side of the house and don’t usually chime in on bind-users,
> unless I’m working on mailman itself.
>
> There are actually a couple of problems here, and I’d like to ask for your
> help, and that of the community.
>
> First, there is the fact that (as Petr points out) at one point we had
> links with underscores versus dots.  We can fix those (when we know about
> them) by adding redirects inside ReadTheDocs (RTD, hereafter).  It’s
> tedious to create them for every iteration where vx_y_z does not exist but
> vx.y.z does, but that’s what might be necessary.  RTD is not smart enough
> to be told to “on 404, just jump to this version”, we have to create it for
> every version where this breakage happens.  We can create a custom 404
> page, but not classic apache-style mod-rewrite redirects with wildcarding.
>
> Second, I tried this with a version I had found on google: /en/v9_16_12/
> and created a redirect to /en/v9.16.12/, which did exist inside
> ReadTheDocs, but that url was also 404ing because of a bad build due to a
> bad requirements.txt file.  So in that case, the best thing I could do was
> point the redirect at the oldest known *working* version of the docs
> (/en/v9.16.16/ in that case).  You’ll notice 9.12.16 doesn’t show up in the
> list of available doc trees on RTD.  Now, is there a lot of change delta
> between 9.16.12 and 9.16.16?  Probably not.  It’s better than handing out a
> 404.  This feels reasonable.
>
> Finally, I realized that we’d like to be able to see what things out there
> in the world (and in Google’s caches) are referring to us, but because we
> don’t control the bind9.readthedocs.io domain, it’s a little harder to
> add it to our Google search console.  (Can’t put a CNAME record in, can’t
> upload an arbitrary .html file — and to add Meta tags, we’d have to do
> something “special” without adding that meta tag to ALL our docs).  RTD
> also doesn’t seem to give us server logs of what queries we’ve served up
> 404’s to.  We hope to fix that soon, but it’s not going to be instant.
>
> ===
>
> I’m not sure if it’s a good use of engineer time to constantly be fixing
> failing-to-build versions of old documentation (like #2,  the 9.16.12
> problem, above).  Creating the redirect solves the problem today, albeit in
> a slightly imperfect way, and we may be pushing fixes and/or creating
> redirects for stuff nobody’s actually linking to/reading.  (We’ll know that
> more when we solve #3)
>
> So here’s where you (and others) can help with problem #3:  Please do
> report these if you see them!  I’m not sure if it’ll drive the bind9 folks
> crazy if you create gitlab issues, but do know we’ve seen this and we’re
> working on it.
>
> Best,
>
> -Dan
>


-- 
- Andrew "lathama" Latham -


Re: Bind 9.16.1 crash

2022-12-07 Thread Andrew Latham
I see https://gitlab.isc.org/isc-projects/bind9/-/issues/3020 and
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5998 which might
help

I did not see a CVE but only did a quick search


On Wed, Dec 7, 2022 at 12:33 PM Ben Bridges  wrote:

> Greetings.
>
>
>
> This morning one of our BIND daemons crashed.  The following messages were
> logged in named.run at the time:
>
>
>
> 07-Dec-2022 11:58:37.097 general: critical: netmgr.c:687:
> REQUIRE((__builtin_expect(!!((sock) != ((void *)0)), 1) &&
> __builtin_expect(!!(((const isc__magic_t *)(sock))->magic == ((('N') << 24
> | ('M') << 16 | ('S') << 8 | ('K', 1))) failed, back trace
>
> 07-Dec-2022 11:58:37.097 general: critical: #0 0x56508c798e43 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #1 0x7fa72e881ac0 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #2 0x7fa72e89978a in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #3 0x7fa72e89a240 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #4 0x7fa72e89e18b in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #5 0x7fa72eb67707 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #6 0x7fa72eb68fe9 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #7 0x7fa72eb779b0 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #8 0x7fa72eb7f9a7 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #9 0x7fa72eb8116e in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #10 0x7fa72eb816cd in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #11 0x7fa72eb823c9 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #12 0x7fa72eb884c6 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #13 0x7fa72e8a8fa1 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #14 0x7fa72e370609 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: #15 0x7fa72e28f133 in ??
>
> 07-Dec-2022 11:58:37.097 general: critical: exiting (due to assertion
> failure)
>
>
>
> I did some googling and was unable to find this specific “netmgr.c:687”
> message.  Is this assertion failure due to a known CVE (perhaps recently
> discovered and not yet patched)?  We’ve had no issues with this server up
> to this point.  The BIND version is 9.16.1 running on a fully patched
> Ubuntu 20.04.5 server.  This server does nothing other than run BIND.  Any
> assistance determining what happened and how to prevent it from happening
> again would be much appreciated.  If this is not the proper forum for this
> posting, please point me in the right direction.
>
>
>
> Thanks,
>
> Ben Bridges
>
>
>
>


-- 
- Andrew "lathama" Latham -


Re: automatic reverse and forwarding zones

2022-10-27 Thread Andrew Latham
IRC for example will check for PTR and gate login. I know there are others
but that came to mind quickly. In some regions having PTRs was a
requirement. It has been years but I recall LACNIC required/desired PTRs be
set.

On Thu, Oct 27, 2022 at 2:47 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 10/27/22 1:24 PM, Marco wrote:
> > At least for IPv4, there are servers that reject connections from
> > IPs that don't have a reverse zone with PTR record.
>
> Please elaborate.
>
> I've not heard of (unspecified type of) servers rejecting connections
> because of the lack of a PTR record.
>
> I have heard of mail servers /accepting/ a /TCP/ /transport/ connection
> layer but /rejecting/ email at the /SMTP/ /application/ layer for the
> lack of a PTR record.
>
> IMHO mail servers are not in scope for a $GENERATE style flood filling
> of a zone.  Rather they are in scope for very specifically generated
>  records.
>
> > That is the only reason that I see for that.
> > Most ISPs do it.
>
> I'd say that /many/ ISPs populate in-addr.arpa zone(s) for IPv4.  --  I
> still run across IPv4 addresses that don't have PTR records way more
> often than I think is reasonable.
>
> I've seen no evidence that ISPs also populate ip6.arpa zone(s) for IPv6
> in a similar way.  Not the least of which are some of the reasons called
> out in this thread.
>
>
>
> --
> Grant. . . .
> unix || die
>
>


-- 
- Andrew "lathama" Latham -


Re: dig +norecurse behaviour changed with 9.16.33

2022-10-26 Thread Andrew Latham
I am unable to reproduce this. Please share some examples like this:


```
dig +norecurse @216.239.34.110 www.lathama.org

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> +norecurse @216.239.34.110
www.lathama.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28525
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.lathama.org.   IN  A

;; ANSWER SECTION:
www.lathama.org.3600IN  CNAME   lathama.net.

;; Query time: 58 msec
;; SERVER: 216.239.34.110#53(216.239.34.110)
;; WHEN: Wed Oct 26 18:02:45 UTC 2022
;; MSG SIZE  rcvd: 69
```

```
dig +norecurse @216.239.36.110 www.lathama.org

; <<>> DiG 9.16.33-Debian <<>> +norecurse @216.239.34.110 www.lathama.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25859
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.lathama.org.   IN  A

;; ANSWER SECTION:
www.lathama.org.3600IN  CNAME   lathama.net.

;; Query time: 48 msec
;; SERVER: 216.239.36.110#53(216.239.36.110)
;; WHEN: Wed Oct 26 12:03:51 MDT 2022
;; MSG SIZE  rcvd: 69
```

On Wed, Oct 26, 2022 at 10:07 AM Ondřej Surý  wrote:

> You need to be more specific with real examples.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> > On 26. 10. 2022, at 17:41, Veronique Lefebure <
> veronique.lefeb...@cern.ch> wrote:
> >
> > 
> > Hi,
> >
> > dig answer is different between BIND 9.11 and BIND 9.16(.33) when
> +norecurse option is used.
> > Is this documented somewhere ?
> >
> > Is there an option that needs to be set so that the behaviour of 9.16 is
> the same as the one in 9.11.
> >
> > The change is that with 9.16, if the requested name is a CNAME, only the
> CNAME value is returned by dig, while with 9.11 dig would return both the
> CNAME value and the IP of the CNAME.
> >
> > Thanks,
> > Veronique
>


-- 
- Andrew "lathama" Latham -


Re: Dig -x +trace?

2022-09-29 Thread Andrew Latham
Mike

1. You can set the server with @ so in your case `dig @1.1.1.1 -x 208.x.x.x
+trace`
2. Test with an IP that you know should work `$ dig +short @8.8.4.4 -x
8.8.8.8` answers `dns.google.` for example
3. Confirm your RIR or provider has working NS set for the range. Query
directly the NS you think should be working.
4. `+[no]trace This option toggles tracing of the delegation path from the
root name servers for the name being looked up.`
5. It sounds like your dig is answering correctly.

On Thu, Sep 29, 2022 at 3:51 PM Mike Hodson  wrote:

> I'm attempting to figure out how/why my reverse DNS delegation is broken.
> I've already deleted systemd-resolved's temporary resolv.conf and added in
> an immutable single line
> nameserver 1.1.1.1
> resolv.conf.
>
> I can dig +trace forward hostnames fine.
> I cannot dig -x an ip +trace.
> All I get is the root-servers instead of any sort of reverse looking up
> happening at all.
> What am I doing wrong?
>
> Thanks,
>
> Mike
>
> $ dig -x 208.x.x.x +trace
>
> ; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> -x 208.x.x.x +trace
> ;; global options: +cmd
> .   509855  IN  NS  a.root-servers.net.
> .   509855  IN  NS  b.root-servers.net.
> .   509855  IN  NS  c.root-servers.net.
> .   509855  IN  NS  d.root-servers.net.
> .   509855  IN  NS  e.root-servers.net.
> .   509855  IN  NS  f.root-servers.net.
> .   509855  IN  NS  g.root-servers.net.
> .   509855  IN  NS  h.root-servers.net.
> .   509855  IN  NS  i.root-servers.net.
> .   509855  IN  NS  j.root-servers.net.
> .   509855  IN  NS  k.root-servers.net.
> .   509855  IN  NS  l.root-servers.net.
> .   509855  IN  NS  m.root-servers.net.
> .   509855  IN  RRSIG   NS 8 0 518400
> 2022101217 2022092916 20826 .
> FkcsBmNz2oK02ARhYfNSfxbnEL93RITDteQtHQoPn8zHZg9B6BRXqkH9
> +UpAEViDraX+4l8YJiUvYzrHh9twpQry0vv7xgDLoDdU9kRqokG5DEoq
> Ueqph6qleC6Vylga4f1MzW
> N+Dh9zK9/eCSp6WxwgbnW53a9GMDbI5KWZ
> WkcWw3IPHVvVwDZfWhrKJtKZ3hafsGgmigm9F01Xk17prOAS6jBbvYjT
> jCUyTl3UZJ+bAKS4tkpFdjp78raxBKBQPN6TzdLjtxYQrhriZZ3Gjdcg
> dT+WQkLGYuyeakm2JqVe9vXGMGn0XkZEGMYnh7iW80N1XHyBMfhzGO+s 61zvWA==
> ;; Received 1097 bytes from 1.1.1.1#53(1.1.1.1) in 12 ms
>
>
>


-- 
- Andrew "lathama" Latham -


Re: --without-python does not work for 9.11.13

2019-12-01 Thread Andrew Latham
I just did a quick code search and while --without-python is mentioned I
cannot see it used anywhere.

Have a look at random search
https://gitlab.isc.org/search?utf8=%E2%9C%93=without-python_id=_id=1_code=true_ref=master_source=navbar


On Sun, Dec 1, 2019 at 2:09 PM Dennis Clarke  wrote:
>
>
>
> If one tries to build 9.11.13 with ( or without ) --without-python then
> the build fails in multiple ways :
>
> .
> .
> .
> gmake[2]: Leaving directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/confgen'
> making all in
> /usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python
> gmake[2]: Entering directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python'
> making all in
> /usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc
> gmake[3]: Entering directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc'
> making all in
> /usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc/tests
> gmake[4]: Entering directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc/tests'
> gmake[4]: Leaving directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc/tests'
> /usr/local/bin/python3.7 policy.py parse /dev/null > /dev/null
> Fatal Python error: initfsencoding: unable to load the file system codec
> ModuleNotFoundError: No module named 'encodings'
>
> Current thread 0x0001 (most recent call first):
> /usr/local/bin/bash: line 1: 15637 Abort   (core dumped)
> /usr/local/bin/python3.7 policy.py parse /dev/null > /dev/null
> gmake[3]: *** [Makefile:441: parsetab.py] Error 134
> gmake[3]: Leaving directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc'
> gmake[2]: *** [Makefile:132: subdirs] Error 1
> gmake[2]: Leaving directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python'
> gmake[1]: *** [Makefile:79: subdirs] Error 1
> gmake[1]: Leaving directory
> '/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin'
> gmake: *** [Makefile:88: subdirs] Error 1
>
>
> The above happens regardless which direction you choose.
>
> Yes Python is available.  Yes it is in the path.
>
> beta$ $PYTHON --version
> Python 3.7.4
> beta$ echo $PYTHON
> /usr/local/bin/python3.7
> beta$
>
> Regardless which direction a person jumps this python trash gets created
>   during configure :
>
> config.status: creating bin/python/Makefile
> config.status: creating bin/python/isc/Makefile
> config.status: creating bin/python/isc/utils.py
> config.status: creating bin/python/isc/tests/Makefile
> config.status: creating bin/python/dnssec-checkds.py
> config.status: creating bin/python/dnssec-coverage.py
> config.status: creating bin/python/dnssec-keymgr.py
> config.status: creating bin/python/isc/__init__.py
> config.status: creating bin/python/isc/checkds.py
> config.status: creating bin/python/isc/coverage.py
> config.status: creating bin/python/isc/dnskey.py
> config.status: creating bin/python/isc/eventlist.py
> config.status: creating bin/python/isc/keydict.py
> config.status: creating bin/python/isc/keyevent.py
> config.status: creating bin/python/isc/keymgr.py
> config.status: creating bin/python/isc/keyseries.py
> config.status: creating bin/python/isc/keyzone.py
> config.status: creating bin/python/isc/policy.py
> config.status: creating bin/python/isc/rndc.py
> config.status: creating bin/python/isc/tests/dnskey_test.py
> config.status: creating bin/python/isc/tests/policy_test.py
>
> Whomever came up with the idea to embed python inside ISC Bind is
> someones cousin that can't find a job elsewhere? Who let this happen?
> To pure beautiful cross platform clean C code someone allowed python
> in the door?
>
> Has anyone tested this "--without-python" option ?
>
>
>
>
> --
> Dennis Clarke
> RISC-V/SPARC/PPC/ARM/CISC
> UNIX and Linux spoken
> GreyBeard and suspenders optional



--
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-22 Thread Andrew Latham
chrony does today btw

   - debian/chrony-helper:
  - New helper script to make use of NTP servers obtained from DHCP and
   _ntp._udp DNS SRV records.


On Sat, Sep 22, 2018 at 8:31 AM Matus UHLAR - fantomas 
wrote:

> >>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
>    But that is not, as Ray said, automated discovery. You are
>  asking the computer to make assumptions, i.e. "if I am in domain
>  hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
>  domain thingie. You know where a lot of your basic network resources
>  are. If you have a ntp server do you know where it is just like you
>  know where your mail, LDAP, and kerbie servers are hiding?"
>
> >> Am 21.09.18 um 22:19 schrieb Danny Mayer:
> >>> That's not what I wrote. Someone needs to maintain an SRV record. It's
> >>> not a good idea for domains to announce their NTP servers since they
> can
> >>> be abused by others not authorized to use them. We've had plenty of
> >>> abuse along those lines along with DDOS attacks. What the ntp CNAME
> >>> would do is point to a number of other servers to use and you don't
> need
> >>> to call it ntp, it's just a string.
>
> >On 9/21/2018 6:33 PM, Reindl Harald wrote:
> >> but *nobody* cares about what is a good idea when the question was
> >> simply "does ntp discovery work" where the answer is simply no
>
> On 21.09.18 21:39, Danny Mayer wrote:
> >No, that's not true. Consider what you are doing. You are substituting
> >SRV records for CNAME records. There is nothing magical here. NTP can
> >use the CNAME records. Either way the records have to be configured.
> >What do you think you are discovering? SRV records aren't magic.
>
> The OP request indicated that they wish for ntp autoconfiguration.  There
> is
> no autoconfiguration we know of, unless DHCP that was reported often not to
> work.
>
> using either CNAME or SRV records won't change the fact that ntp server
> does
> not autoconfigure itself.
>
> Neither of them also changes the fact that the NTP configuration is not
> related to domain, but to the local network.
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Chernobyl was an Windows 95 beta test site.


-- 
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
On Wed, Sep 19, 2018 at 10:19 AM Ray Bellis  wrote:

> On 19/09/2018 15:59, Mauricio Tavares wrote:
>
> >> An NTP serice doesn't belong to a domain, so maybe not (I don't know of
> >> one off my mind).
> >>
> >   Not necessarily; I can name a few universities and business who
> > offer their own NTP servers to their internal systems. AFAIK, this is
> > considered good practice.
>
> That's not the point that Mukund was making.
>
> An NTP server is part of your local network configuration.   Your domain
> name is also part of your local network configuration.  As such, these
> two values are often served by DHCP.
>
> That does not mean, though, that there is a one-to-one mapping from your
> domain name to your preferred set of NTP servers.
>
> One could have numerous subnets located all over the planet with
> different NTP servers, but all sharing the same domain name.
>
> If it were feasible to store an NTP server address in the DNS it would
> more logically fit in the in-addr.arpa zone, and not in a forward zone.
>

Many organizations have per site "views" of the zone so it actually works
out well. There are many ways of building functional infrastructure. I
agree there are many applications where this setup would not be useful,
just addressing OP.


>
> Ray


-- 
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
Additionally you may route all outbound requests for NTP to a local source
found from an DNS lookup.

Benefits could be:
* Control of time sources (correct a hardcoded address that is no longer
valid)
* Mitigate attack vectors
* Mitigate bufferbloat

DNS is an important piece to this puzzle and SRV records can be useful when
devices support them. It does not hurt to add the SRV records for common
services.

On Wed, Sep 19, 2018 at 9:59 AM Mauricio Tavares 
wrote:

> On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham  wrote:
> > You can add SRV records for NTP to your domain if that is what you are
> > asking.
> >
>   Thanks. I was trying to query for it using dig and then realized
> I did not know if that is doable.
>
> On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman 
> wrote:
> > On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
> >> Stupid question: can I publish/query the NTP server through DNS the
> >> same way I can ask who is doing LDAP?
> >
> > An NTP serice doesn't belong to a domain, so maybe not (I don't know of
> > one off my mind).
> >
>   Not necessarily; I can name a few universities and business who
> offer their own NTP servers to their internal systems. AFAIK, this is
> considered good practice.
>
> > For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
> > and 10.98.0.5 as the NTP server:
> >
> > subnet 10.98.0.0 netmask 255.255.0.0 {
> >...
> >option ntp-servers 10.98.0.5;
> > }
> >
> > and perhaps also use "tcode" and "time-offset" options to set the
> > timezone.
> >
> > But a real bummer is that some DHCP clients (e.g., Android phones) do
> > not make use of this option, and don't even provide a config setting to
> > do so. IIRC they synchronize time via the cell phone signal.
> >
>   Add Windows devices to the list.
>
> > Mukund


-- 
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.

On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares 
wrote:

> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?


-- 
- Andrew "lathama" Latham -


Re: Wildcard prefix

2018-04-12 Thread Andrew Latham
Matus

You are correct, I am coffee deprived. That direction was for an internal
testing only/development goal.


On Thu, Apr 12, 2018 at 12:18 PM, Matus UHLAR - fantomas <uh...@fantomas.sk>
wrote:
>
> On 12.04.18 12:14, Andrew Latham wrote:
>>
>> As long as your zone file is correct you can use *. (Note: Asterisk and
>> Dot) to match all entries. I would put this below any other required
>> entries.
>> Example:
>> """
>> $ORIGIN mydomain.com.
>> *.  IN  A   192.168.12.12
>> """
>
>
> this should complain about out of zone data.
> why do you say there's a dot needed?
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I feel like I'm diagonally parked in a parallel universe.




--
- Andrew "lathama" Latham -


Re: Wildcard prefix

2018-04-12 Thread Andrew Latham
Andrew

As long as your zone file is correct you can use *. (Note: Asterisk and
Dot) to match all entries. I would put this below any other required
entries.
Example:
"""
$ORIGIN mydomain.com.
*.  IN  A   192.168.12.12
"""


On Thu, Apr 12, 2018 at 10:49 AM, Hardy, Andrew 
wrote:
>
> Does bind support wildcard prefix
>
> I want to install bind DNS server on my LAN to locally test a web
> application that is designed to support receiving requests on different url
> domain prefixes.
>
> Map *.mydomain.com to
> For example 192.168.12.12
>
> Use
> abc.mydomain.com
> def.mydomain.com
> www.mydomain.com
> etc
>
> All arrive at http server on 192.168.12.12
>
> Hope that makes sense
>
> This is my primary need so I don't want to install if this is not my best
> option.
>
> Many thanks.
>



--
- Andrew "lathama" Latham -
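As an added illustration of the point Matus makes in the thread above (a `*.` owner is an absolute name at the root and therefore out-of-zone data for mydomain.com, while a bare `*` stays under $ORIGIN), here is a small Python zone parser and wildcard lookup. It is example code, not BIND's; the zone fragment is constructed (mydomain.com and 192.168.12.12 come from the thread, the other addresses are made up).

```python
"""Toy zone parser and wildcard lookup for the "Wildcard prefix" thread.

Rules applied: an owner ending in "." is absolute, any other owner gets
$ORIGIN appended, a record whose owner is outside the zone apex is
out-of-zone data (the "*." line), and a wildcard only answers for names
that do not exist and whose closest existing ancestor is the wildcard's
parent (RFC 4592). Example code, not BIND's; the zone is constructed and
has no TTL column, so the parser does not expect one.
"""

# Constructed zone: the "*." line is the one from the thread, the bare "*"
# is the form that stays inside mydomain.com.
ZONE_TEXT = """\
$ORIGIN mydomain.com.
@       IN  A   192.168.12.1
www     IN  A   192.168.12.10
*.      IN  A   192.168.12.12
*       IN  A   192.168.12.12
"""


def absolute_name(owner: str, origin: str) -> str:
    """Expand a zone-file owner into a fully qualified name ending in '.'."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner  # already absolute: "*." is the wildcard at the root
    return f"{owner}.{origin}"


def parse_zone(text: str, zone_apex: str):
    """Return (records, out_of_zone); records are (name, type, rdata) tuples."""
    origin = zone_apex
    records, out_of_zone = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        name = absolute_name(owner, origin)
        if name != zone_apex and not name.endswith("." + zone_apex):
            out_of_zone.append(name)  # named would reject this line
            continue
        records.append((name, rtype, rdata))
    return records, out_of_zone


def lookup(records, qname: str, qtype: str):
    """Answer like an authoritative server: a list of rdata, [] for NODATA,
    None for NXDOMAIN. A wildcard never overrides a name that exists."""
    if not qname.endswith("."):
        qname += "."
    # Every owner, and every ancestor of an owner (empty non-terminal), exists.
    existing = set()
    for name, _t, _r in records:
        parts = name.split(".")
        existing.update(".".join(parts[i:]) for i in range(len(parts) - 1))
    if qname in existing:
        return [r for n, t, r in records if n == qname and t == qtype]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        encloser = ".".join(labels[i:])
        if encloser in existing:  # closest encloser found
            matches = [(t, r) for n, t, r in records if n == "*." + encloser]
            if not matches:
                return None  # no wildcard directly below the closest encloser
            return [r for t, r in matches if t == qtype]
    return None
```

Running `parse_zone(ZONE_TEXT, "mydomain.com.")` reports `*.` as out-of-zone and keeps the bare `*` entry, after which `lookup` answers abc.mydomain.com from the wildcard but still returns NXDOMAIN for a name below an existing one such as x.www.mydomain.com.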


Re: Can bind works without defining root servers

2017-08-15 Thread Andrew Latham
Read about it at
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=lib/dns/rootns.c;h=d86d0172d10625050ff1938c1869ce28921a1226;hb=HEAD

On Tue, Aug 15, 2017 at 10:29 AM, King, Harold Clyde (Hal) 
wrote:

> How does Bind update the root servers? Does it go out and check, or is a
> release made for each change?
>
>
> --
> Hal King  - h...@utk.edu
> Systems Administrator
> Office of Information Technology
> Shared Systems Services
>
> The University of Tennessee
> 103C5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone : 974-1599
> Helpdesk 24/7 : 974-9900
>
> On 8/15/17, 11:02, "bind-users on behalf of Alan Clegg" <
> bind-users-boun...@lists.isc.org on behalf of a...@clegg.com> wrote:
>
> Root hints have been built in forever.  (and that's "forever" in
> Internet years)
>
> On 8/15/17 10:58 AM, Duleep Thilakarathne wrote:
> > Hi,
> >
> > I can observe, bind can resolve host names without following entry
> in
> > named.conf. could anyone help me to understand this default behavior.
> >
> >
> > zone "." {
> >   type hint;
> >   file "root.servers";
> > };
> >
> > regards
> > DT
> >
> >
>
>
>



-- 
- Andrew "lathama" Latham lath...@gmail.com http://lathama.com
 -

Re: Book recomendations?

2014-05-27 Thread Andrew Latham
Sort of comes with a book
https://kb.isc.org/article/AA-00845/0/BIND-9.9-Administrator-Reference-Manual-ARM.html
which is quite good. For newbs in the field I say two or more of
everything and at least one hidden master.  Use views internally and
IPv6 better be on your roadmap.

On Tue, May 27, 2014 at 5:51 PM, Baird, Josh <jba...@follett.com> wrote:
> Hi,
>
> Can someone recommend a modern/new-ish book on DNS (specifically BIND)?  I
> know there have been several O'Reilly books throughout the years, but haven't
> kept up on anything in the past few years.  I'm looking for architecture
> design, best practices in designing enterprise and service provider DNS
> architectures, etc.
>
> Thanks!




-- 
~ Andrew lathama Latham lath...@lathama.com http://lathama.net ~


Re: How to minimize the downtime in my case

2013-03-14 Thread Andrew Latham
Manish

That is a perfectly good plan.  One note is to study your TTL.  If
your ISP has set a longer TTL on your NS records then you would need
to first ask for a shorter TTL and wait until the time has passed.

Example: if TTL is set to one week, ask for change to shorter period
and then wait for 1.5(or more) times the old TTL to pass before you
begin your process.



On Thu, Mar 14, 2013 at 3:04 PM, Manish Rane <manish...@gmail.com> wrote:
> Hey Folks,
>
> I right now have NS server hosted with ISP and I am planning to set up my
> own BIND servers. Now I would like to understand that I need to ask my
> Registrar to populate the entry of my new NS server which would take 4-6
> hours to propagate over the internet.
>
> To reduce the downtime, can I not add those two new NS servers along with my
> old DNS server with exact zone? once all the NS entries populate over the
> internet I can have my ISP's DNS removed and have one of my DNS server as
> Master?
>
>
> Current Scenario
>
>
> ns1.example.com1.2.3.4
> ns2.example.com 5.6.7.8
>
>
> I am thinking of below scenario
>
> ns1.example.com1.2.3.4
> ns2.example.com 5.6.7.8
> mynewns1.example.com   20.20.20.20
> mynewns2.example.com   30.30.30.30
>
> Then after few days
>
> mynewns1.example.com   20.20.20.20
> mynewns2.example.com   30.30.30.30
>
> Which eventually should have all the records.
>
> Please advise!!
>
>




-- 
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~


Re: adding DS record via nsupdate

2013-02-05 Thread Andrew Latham
On Tue, Feb 5, 2013 at 6:30 PM, Jack Tavares <j.tava...@f5.com> wrote:
> Hello -
>
> I am trying to add a DS record via nsupdate and I can't get it to succeed.
>
> It does not generate an error, but when I dig for the DS record I get
> NXDOMAIN.
>
> When I edit the zone file and add the same DS record and reload, I can query
> it
> just fine.
>
> I do the following as an example:
>
> nsupdate -d
> server ip addr
> zone test.net
> update add subzone.test.net  IN DS 34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
> send
>
> The output is
> Sending update to ip#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  45236
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;test.net.  IN  SOA
>
> ;; UPDATE SECTION:
> subzone.test.net.   IN  DS  34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  45236
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;test.net.  IN  SOA
>
> end
>
> Dig results
>
>  dig @ip +noadflag +nocdflag -t ds subzone.test.net.
>
> ; <<>> DiG 9.8.4-P1 <<>> @ip -t ds subzone.test.net.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21747
> ;; flags: qr aa rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;subzone.test.net.  IN  DS
>
> ;; AUTHORITY SECTION:
> test.net.   500 IN  SOA .test.net.
> hostmaster..test.net. 2013010938 10800 3600 604800 86400
>
>
> When I put the DS record in the zone manually:
>
> tail zonefile:
> subzone.test.net.   IN  DS  34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> and do a dig, it works:
> dig @ip -t ds subzone.test.net.
>
> ; <<>> DiG 9.8.4-P1 <<>> @ip -t ds subzone.test.net.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21326
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;subzone.test.net.  IN  DS
>
> ;; ANSWER SECTION:
> subzone.test.net.   IN  DS  34845 7 1
> 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
>
> ;; Query time: 0 msec
>
> Should this work?
> Thank you
>
> --
> Jack Tavares


First guess is that the Serial is not getting updated correctly.

-- 
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~