Re: Help on DNSSEC

2013-11-06 Thread Bryan Irvine
DNSSEC Mastery
https://www.michaelwlucas.com/nonfiction/dnssec-mastery



On Wed, Nov 6, 2013 at 12:54 AM, babu dheen  wrote:

> Dear All,
>
>  I would like to understand DNSSEC on a BIND Recursive DNS server running on
> RHEL 5.0. Can you please let me know of a resource or reference to understand
> DNSSEC and implement it?
>
> Regards
> Babu
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Operating system recommendation

2011-03-09 Thread Bryan Irvine
On Wed, Mar 9, 2011 at 11:52 AM, pollex  wrote:
> Hi, I want to know in your experience what is the best operating
> system to run bind for an ISP. We currently have Debian for the 5
> Cache servers and for the 2 Authoritative servers.
> We have around 111851 successful queries in the cache servers and around
> 7267 zones created in the authoritative servers.
> We are doing a major re-analysis of the whole architecture and Debian
> is changing their versions too soon and only has support for 1 version
> before, so I don't know if this is the best option.


If we're only talking based on experience everyone will have their own
opinion.  In my personal experience, I love OpenBSD for DNS servers.  But
only because I've gotten to the point where I can drop a new slave in
about 20 minutes including install.

Certainly others are the same with Debian, RHEL, and anything else.
Just go with what you know.


Re: Web forwarding in BIND

2010-05-20 Thread Bryan Irvine
On Thu, May 20, 2010 at 5:18 PM, Hoover Chan  wrote:
> I'm new to this list but have been having trouble looking for information on 
> this topic.
>
> A pointer please to information on how to use BIND to "translate" a domain 
> name to a target URL. For example, www.domain -> 
> http://www.someother.domain/folder1/folder2/index.html.

You'll have better luck looking for information on how to spin straw into gold.

What you want will need to be handled within the webserver itself.

-B


Re: Implementing the bogon list

2010-04-09 Thread Bryan Irvine
I think that's really designed for router ACL's.

Most reliable method might be to subscribe to their BGP feed.

I'm not sure what you'd do with regards to BIND or even why you'd want
to handle it there.




On Fri, Apr 9, 2010 at 1:27 PM, Alex  wrote:
> Hi,
>
> I'm interested in implementing an updated Cymru bogon list, but would
> like some examples on how best to do this. Much of my searching has
> resulted in old configurations that weren't complete and seemed to
> contain errors.
>
> Where is the best place to go to find a template on how best to do
> this? I understand it's a combination of creating a zone with the IP
> ranges in an ACL, but which IPs should actually go in that ACL? There
> is a list of four or five different sets here:
>
> http://www.cymru.com/Documents/bogon-dd.html
>
> Is there an actual zone file with the contents of these IPs, or is it
> all implemented by listing them in the ACL in named.conf?
>
> Once I've implemented it in bind, could it then be used somehow at
> smtp connect time to reject spoofed connections? How exactly do you
> use it?
>
> Thanks,
> Alex


Re: Notify "storms"

2010-01-18 Thread Bryan Irvine
On Mon, Jan 18, 2010 at 1:27 PM, Todd  wrote:
> Good day all,
>
> We've run into a problem with our DNS servers.  The way we update our
> masters is via a CVS Checkout and reload of the zones modified.
> Sometimes though, we need to reload the whole config for big
> changes/etc.  When that happens, all 6 masters (I know, we're getting
> rid of some) send notifies to all 80+ (I know, we're getting rid of
> some) slaves for all 1800 zones.  This causes all the slaves to verify
> all 1800 zones on 6 masters, which then delays the changes we made
> from actually getting to the slaves.  Right now it's about 2.5 hours
> for all slaves to do all zones.
>
> We would like to make this better.  We're trying to figure out what
> mechanism might be limiting the rate at which the slave does SOA
> checks against the master so it can perform that step quicker.  We
> have looked at the zone transfer limits on the master/slave, but that
> is related to the transfer mechanism, not the SOA query.
>
> Can anyone help with ideas on this?  Are we missing something obvious?

Might not be what you are looking for but sounds like some of the
ideas presented at infrastructures.org might help.

-B


Re: how to defense against ddos attack to dns?

2009-11-20 Thread Bryan Irvine
Basically, you have to have a big enough server/cluster of servers, to
absorb an attack.

No real defense from distributed dos.



2009/11/16 MontyRee :
>
> Hello, all.
>
>
> I have operated some dns servers and I'm curious what I should do if
> there is a ddos attack on my dns servers.
>
> So do you know how to defend against a dns ddos attack, like the root servers?
>
> Surely, various ddos attacks may occur.
>
> My idea is..
>
>
> -. filtering 53/udp traffic that the byte is over 512 byte
> -. rate-limit against 53/udp queries
>   (but useless if the attack spoof the source ip)
> -. deny recursion
> -. anycast?
>
>
> Are there any comments or proposals?
>
>
> Thanks in advance.
>
>
>
>

Re: rDNS Round-Robin

2009-07-14 Thread Bryan Irvine
On Wed, Jul 8, 2009 at 5:08 PM, Mark Andrews wrote:
>
> In message <53d706300907081412r191946eeo5c9a66657bf8e...@mail.gmail.com>, Bryan Irvine writes:
>> On Mon, Jul 6, 2009 at 4:08 PM, Kevin Darcy wrote:
>> > Bryan Irvine wrote:
>> >>
>> >> Other than to really annoy me; is there a valid reason for rr rDNS?
>> >>
>> >>
>> >
>> > Once upon a time, BIND specifically *disabled* round-robin behavior for
>> > non-address (A/) record types. PTR RRsets, among other types, were
>> > always given in a "fixed" order.
>> >
>> > But, I just tried a quick test, and it appears that round-robin has been
>> > re-enabled for PTRs. Accident? I have no idea why anyone would want this
>> > behavior, except perhaps to deliberately make things annoying and the query
>> > results inconsistent, in the hopes that people will prevent the creation of
>> > round-robin PTRs in the first place.
>>
>> Yes but is it explicitly forbidden anywhere?  RFC's maybe?  I can't
>> find anything that says you shouldn't other than the majority of
>> people say it's dumb.  (Sometimes you need an RFC to point to in order
>> to get someone to fix something that is clearly not working
>> correctly).
>
>        RRsets are unordered.  Software and configurations should
>        be prepared for this.  Where ordering is required it is
>        built into the RR type.
>
>        Mark

I think I've found the confirmation I was looking for in RFC 2181
section 10.2.

Does this seem to confirm that round-robin PTR's are perfectly legal?

10.2. PTR records

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet.  This is incorrect,
   the relevant section of RFC1034 (section 3.6.2) indicates that the
   value of a PTR record should be a canonical name.  That is, it should
   not be an alias.  There is no implication in that section that only
   one PTR record is permitted for a name.  No such restriction should
   be inferred.

   Note that while the value of a PTR record must not be an alias, there
   is no requirement that the process of resolving a PTR record not
   encounter any aliases.  The label that is being looked up for a PTR
   value might have a CNAME record.  That is, it might be an alias.  The
   value of that CNAME RR, if not another alias, which it should not be,
   will give the location where the PTR record is found.  That record
   gives the result of the PTR type lookup.  This final result, the
   value of the PTR RR, is the label which must not be an alias.
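As an added example (not from the thread or from BIND), a small Python check of the two rules quoted from RFC 2181 section 10.2, run over constructed zone data: the owner name being looked up may be a CNAME and is followed, while every PTR value in the final RRset must not itself be an alias. The zone contents and resolver logic below are mine, invented for illustration.

```python
# Added example (not from the thread): check a PTR RRset against the two
# rules quoted from RFC 2181 section 10.2. The owner name being looked up
# may be a CNAME and must be followed; every PTR value in the final RRset
# must be a canonical name, i.e. must not itself own a CNAME. Several PTRs
# per name are legal and RRsets are unordered, so the RRset is a set.

# Constructed zone data: owner name -> list of (type, rdata).
# The first owner mimics a classless in-addr.arpa delegation via CNAME.
ZONE = {
    "10.2.0.192.in-addr.arpa.": [("CNAME", "10.0-127.2.0.192.in-addr.arpa.")],
    "10.0-127.2.0.192.in-addr.arpa.": [
        ("PTR", "www.example.com."),
        ("PTR", "mail.example.com."),
    ],
    "11.2.0.192.in-addr.arpa.": [("PTR", "alias.example.com.")],
    "alias.example.com.": [("CNAME", "real.example.com.")],
    "real.example.com.": [("A", "192.0.2.11")],
}

MAX_CNAME_DEPTH = 8  # guard against CNAME loops in bad data


def follow_cnames(zone, name):
    """Return the name at the end of any CNAME chain starting at `name`."""
    seen = []
    while name not in seen and len(seen) < MAX_CNAME_DEPTH:
        targets = [rd for (t, rd) in zone.get(name, []) if t == "CNAME"]
        if not targets:
            return name
        seen.append(name)
        name = targets[0]
    raise ValueError("CNAME chain looped or too long at %s" % name)


def ptr_rrset(zone, name):
    """PTR values for `name`; aliases on the owner side are allowed (10.2)."""
    return {rd for (t, rd) in zone.get(follow_cnames(zone, name), [])
            if t == "PTR"}


def alias_ptr_values(zone, name):
    """PTR values that violate 10.2 by being aliases (owning a CNAME)."""
    return sorted(v for v in ptr_rrset(zone, name)
                  if any(t == "CNAME" for (t, _) in zone.get(v, [])))


if __name__ == "__main__":
    for owner in ("10.2.0.192.in-addr.arpa.", "11.2.0.192.in-addr.arpa."):
        print(owner, sorted(ptr_rrset(ZONE, owner)),
              alias_ptr_values(ZONE, owner))
```

The first owner yields a two-member PTR RRset with no violations, whichever order a server hands it back in; the second is flagged because its single PTR value is a CNAME.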


Re: rDNS Round-Robin

2009-07-08 Thread Bryan Irvine
On Mon, Jul 6, 2009 at 4:08 PM, Kevin Darcy wrote:
> Bryan Irvine wrote:
>>
>> Other than to really annoy me;  is there a valid reason for rr rDNS?
>>
>>
>
> Once upon a time, BIND specifically *disabled* round-robin behavior for
> non-address (A/) record types. PTR RRsets, among other types, were
> always given in a "fixed" order.
>
> But, I just tried a quick test, and it appears that round-robin has been
> re-enabled for PTRs. Accident? I have no idea why anyone would want this
> behavior, except perhaps to deliberately make things annoying and the query
> results inconsistent, in the hopes that people will prevent the creation of
> round-robin PTRs in the first place.

Yes but is it explicitly forbidden anywhere?  RFC's maybe?  I can't
find anything that says you shouldn't other than the majority of
people say it's dumb.  (Sometimes you need an RFC to point to in order
to get someone to fix something that is clearly not working
correctly).


rDNS Round-Robin

2009-07-06 Thread Bryan Irvine
Other than to really annoy me;  is there a valid reason for rr rDNS?

-Bryan


Re: C/C++ version Load balancer DNS

2009-04-03 Thread Bryan Irvine


> Using DNS, I want to do load balancing of client requests among my
> available servers dynamically.
> In realtime requirements, any/many servers among the configured may be
> down or overloaded.
>
> I want to have control over distribution of load to these servers. I
> want to have a common FQDN to the clients and they know only FQDN. I
> would like to have 10/20 servers handling the client requests. When
> ever a server goes down, all the requests (thousands) it was handling,
> should come to remaining available servers quickly (assume within few
> seconds).
>
> I feel we can use DNS for this purpose, but doing load balance in
> realtime?



I think you are looking the wrong way.  DNS doesn't change as quickly
as you are hoping it does.  There's ISP caches, OS caches, and
application caches.  Most of these even cache failed lookups and a lot
of times they also ignore TTL's.

I've done what you are thinking of (with the exception of the 10 idle
servers (which makes no sense to me)) with OpenBSD's relayd.  If you
want to spend lots of money then an F5 solution would do the trick as
well.

-Bryan