Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-07 Thread Danny Mayer



On 6/7/23 12:17 AM, Jesus Cea wrote:
The list is quite long; in a few minutes I have 859 unique requests 
with the same configuration error. Interestingly, quite a few from 
"ntp.org". For example:


resolver: notice: DNS format error from 102.130.49.148#53 resolving 
0.centos.pool.ntp.org/ for #YYY Name pool.ntp.org (SOA) not 
subdomain of zone centos.pool.ntp.org -- invalid response


resolver: notice: DNS format error from 102.130.49.148#53 resolving 
0.debian.pool.ntp.org/ for #YYY Name pool.ntp.org (SOA) not 
subdomain of zone debian.pool.ntp.org -- invalid response


I just sent an email to NTP mailing list.

That looks like a pool issue. You should send an email to the NTP pool 
mailing list rather than the NTP mailing list. They are different.


Danny

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
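The "not subdomain of zone" notices quoted above come from the resolver's bailiwick check: the SOA record carried in a negative answer has to be at or below the zone the resolver is querying, and BIND discards the response as a format error when it is not. The script below is an added example, not code from the thread or from ISC. It re-implements that check label by label (so a string suffix match cannot confuse "notpool.ntp.org" with "pool.ntp.org"), parses notices both in the redacted shape quoted above and in the fuller form with a query type and client address, and groups the rejected responses by upstream server and zone so an operator can see at a glance which servers are misconfigured. The embedded log lines are constructed: 102.130.49.148, pool.ntp.org, centos.pool.ntp.org, debian.pool.ntp.org, huawei.com and cloud.huawei.com come from the thread, while the timestamps, the client addresses, 1.centos.pool.ntp.org and the server 192.0.2.53 are placeholders.

```python
"""Triage BIND 'Name X (SOA) not subdomain of zone Y' resolver notices.

Added example, not code from the bind-users thread or from ISC. It re-runs the
resolver's bailiwick test on each notice and groups the rejected responses by
upstream server and zone.
"""
import re
from collections import defaultdict

# Matches the redacted form quoted in the thread ("resolving X/ for #YYY Name ...")
# as well as the fuller form with a query type and a client address.
LOG_RE = re.compile(
    r"DNS format error from (?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r" resolving (?P<qname>[^/\s]+)/(?P<qtype>\S*) for .*?\bName (?P<soa>\S+)"
    r" \(SOA\) not subdomain of zone (?P<zone>\S+) -- invalid response"
)

# Constructed sample log. The server 192.0.2.53, the client addresses, the
# timestamps and 1.centos.pool.ntp.org are placeholders; the other names and
# the address 102.130.49.148 are taken from the thread.
SAMPLE_LOG = """\
07-Jun-2023 06:17:01.101 resolver: notice: DNS format error from 102.130.49.148#53 resolving 0.centos.pool.ntp.org/A for client 192.0.2.10#40001: Name pool.ntp.org (SOA) not subdomain of zone centos.pool.ntp.org -- invalid response
07-Jun-2023 06:17:01.102 resolver: notice: DNS format error from 102.130.49.148#53 resolving 0.debian.pool.ntp.org/ for #YYY Name pool.ntp.org (SOA) not subdomain of zone debian.pool.ntp.org -- invalid response
07-Jun-2023 06:17:02.250 resolver: notice: DNS format error from 102.130.49.148#53 resolving 0.centos.pool.ntp.org/AAAA for client 192.0.2.11#40002: Name pool.ntp.org (SOA) not subdomain of zone centos.pool.ntp.org -- invalid response
07-Jun-2023 06:17:03.007 resolver: notice: DNS format error from 102.130.49.148#53 resolving 1.centos.pool.ntp.org/A for client 192.0.2.12#40003: Name pool.ntp.org (SOA) not subdomain of zone centos.pool.ntp.org -- invalid response
07-Jun-2023 06:17:04.500 resolver: notice: DNS format error from 192.0.2.53#53 resolving www.cloud.huawei.com/A for client 192.0.2.13#40004: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response
07-Jun-2023 06:17:05.000 lame-servers: info: lame server resolving 'example.invalid' (in 'invalid'?): 192.0.2.99#53
"""


def labels(name):
    """Split a DNS name into lower-cased labels; the root "." becomes []."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def is_subdomain(name, zone):
    """True if `name` is `zone` itself or lies below it.

    The comparison is per label, so "notpool.ntp.org" is not treated as being
    under "pool.ntp.org" the way a plain string suffix test would.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def parse_line(line):
    """Return a dict for a 'not subdomain of zone' notice, or None for other lines."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["port"] = int(rec["port"])
    # Re-run the resolver's own test so the logged claim can be verified locally.
    rec["in_bailiwick"] = is_subdomain(rec["soa"], rec["zone"])
    return rec


def summarize(lines):
    """Group rejected responses by (server, zone) -> sorted distinct query names."""
    by_server_zone = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["in_bailiwick"]:
            continue
        by_server_zone[(rec["server"], rec["zone"])].add(rec["qname"])
    return {key: sorted(names) for key, names in by_server_zone.items()}


if __name__ == "__main__":
    for (server, zone), names in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{server:>16}  zone {zone:<22} {len(names)} distinct qname(s): {', '.join(names)}")
```

Run it against a real `named` log by replacing `SAMPLE_LOG.splitlines()` with the lines of the file; the per-server, per-zone grouping is what you need when deciding whom to contact, since every entry under one server points at the same misconfigured authoritative side.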


Re: "an error occurred while creating registry keys" - BIND 9 installer

2023-06-07 Thread Danny Mayer

You need to be an administrator to do this as it's a privileged operation.


Danny

On 6/7/23 5:53 AM, Bozhidar Petrov wrote:

Hi,
Please pardon the amateur question but I'm getting "an error occurred 
while creating registry keys" from the BIND 9 installer.

How can I resolve this?
Thank you.
Boz


Re: Installing bind on Windows 10

2022-09-09 Thread Danny Mayer
I wrote the Windows BIND installer to install the BIND daemon (named) as 
a service with minimum privileges. It creates a service account with 
minimum privileges if the service account does not already exist. It was 
never intended to install tools. You don't need the installer if you 
only want dig. Just copy the dig.exe and the library files (including 
OpenSSL) to a folder and add the folder to your PATH environmental 
variable. You don't need a service account to run any of the tools.


Danny

On 9/8/22 11:31 PM, Ahmad Ibrahim wrote:


Hello, I'm working on installing an equivalent to dig on Windows and 
stumbled upon the following site: https://phoenixnap.com/kb/dig-windows/



During the installation I'm asked for a service account - I don't 
believe I have any additional accounts on the computer - will I be 
required to create another one as a service account? Additionally I am 
unable to install due to the Visual C++ 2017 requirement. I have a 
number of different Visual Studio Redistributables installed (I am 
unable to upload an image as part of this support request). I do not 
feel comfortable uninstalling them randomly but I do have one 
(2015-2022 x64 14.32.31332) that seems to be more current than the one 
bundled with the installation.





Re: Windows 9.16.25 fails to start (1067 Terminated unexpectedly)

2022-02-17 Thread Danny Mayer
You have to run the debug-enabled code as a service otherwise you will 
get nowhere. It's complicated and it's time consuming to set up right.


Danny

On 2/17/22 12:30 PM, Jakob Bohm via bind-users wrote:
I know this, and I am quite familiar with low level debugging 
techniques on Windows, though my favorite tool for the job was ruined 
by unfortunate business decisions to bundle it with irrelevant 
software that would be needed only in a completely different license 
count, if at all.


I could probably set up a debugging scenario with a private 
compilation (to get debug symbols) and an artificial installation of 
more recent toolchain to work with the official ISC build 
instructions, though I strongly suspect a clean process exit with a 
return code of 0 (depending on how good Windows is at capturing the 
return code of the exited product).  But I was hoping there was a way 
to find out directly,
such as an option to make the entire startup sequence non-parallel and 
verbose, thus revealing the exact point of failure.


On 2022-02-17 17:15, Danny Mayer wrote:
I can short-cut that a little! :) A 1067 error is always the Windows 
named service failing to start. The reasons behind it are much harder 
to figure out. I've seen these over the years but I don't know off 
the top of my head why.


Danny

On 2/17/22 9:26 AM, Ondřej Surý wrote:
Log isn’t going to help here if named is crashing. Getting a 
backtrace or anything that closely resembles one would help. Running a 
debug build under MSVS would help. Or doing git bisect and pinpointing 
the breakage to a commit or at least a merge commit would help.


This is part of the problem - debugging on Windows is extremely 
painful and requires expertise with an extremely high learning curve.


--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do 
not feel obligated to reply outside your normal working hours.


On 17. 2. 2022, at 15:08, Jakob Bohm via bind-users 
 wrote:




On 2022-02-12 01:06, Richard T.A. Neal wrote:

I run BIND on Windows as well but I've been unable to upgrade to 
9.16.25 - I get an error stating "Error Validating Account. Unable 
to install service using this account.". So I'm presently running 
9.16.21.


What are the last few things in the Application Event Log (Source: 
named) before it terminates?


Richard.

-Original Message-
From: bind-users On Behalf Of 
Jakob Bohm via bind-users

Sent: 11 February 2022 12:19 pm
To: bind-users
Subject: Windows 9.16.25 fails to start (1067 Terminated 
unexpectedly)


Dear list,

When recently trying to upgrade some secondary-only authoritative 
servers running on Windows machines, I found that Bind 9.16.25 
(x86_64) binaries from isc.org failed to completely start up, 
causing Windows to report that "1067 The process terminated 
unexpectedly.", with 0 process exit code.  Attempting to up the 
debug level all the way to "-d 100"
failed to log a reason, but downgrading to the 9.16.21 binaries 
resumed operation.


Is there a known issue and workaround for this, or is there any 
additional information to extract?



The latest in the log (I directed it to a file, as the Event Viewer 
wrapping in the port was badly done) were the mentioned fetch of 
./NS etc. interspersed with zone loading messages for default zones 
(I temporarily commented out the real zones to shorten the config, 
but it still failed).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded





Enjoy

Jakob



Re: Windows 9.16.25 fails to start (1067 Terminated unexpectedly)

2022-02-17 Thread Danny Mayer
I can short-cut that a little! :) A 1067 error is always the Windows 
named service failing to start. The reasons behind it are much harder to 
figure out. I've seen these over the years but I don't know off the top 
of my head why.


Danny

On 2/17/22 9:26 AM, Ondřej Surý wrote:
Log isn’t going to help here if named is crashing. Getting a backtrace 
or anything that closely resembles one would help. Running a debug build 
under MSVS would help. Or doing git bisect and pinpointing the breakage 
to a commit or at least a merge commit would help.


This is part of the problem - debugging on Windows is extremely 
painful and requires expertise with an extremely high learning curve.


--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do 
not feel obligated to reply outside your normal working hours.


On 17. 2. 2022, at 15:08, Jakob Bohm via bind-users 
 wrote:




On 2022-02-12 01:06, Richard T.A. Neal wrote:


I run BIND on Windows as well but I've been unable to upgrade to 9.16.25 - I get an error 
stating "Error Validating Account. Unable to install service using this 
account.". So I'm presently running 9.16.21.

What are the last few things in the Application Event Log (Source: named) 
before it terminates?

Richard.

-Original Message-
From: bind-users  On Behalf Of Jakob Bohm via 
bind-users
Sent: 11 February 2022 12:19 pm
To: bind-users
Subject: Windows 9.16.25 fails to start (1067 Terminated unexpectedly)

Dear list,

When recently trying to upgrade some secondary-only authoritative servers running on Windows 
machines, I found that Bind 9.16.25 (x86_64) binaries from isc.org failed to completely start up, 
causing Windows to report that "1067 The process terminated unexpectedly.", with 0 
process exit code.  Attempting to up the debug level all the way to "-d 100"
failed to log a reason, but downgrading to the 9.16.21 binaries resumed 
operation.

Is there a known issue and workaround for this, or is there any additional 
information to extract?


The latest in the log (I directed it to a file, as the Event Viewer 
wrapping in the port was badly done) were the mentioned fetch of ./NS 
etc. interspersed with zone loading messages for default zones (I 
temporarily commented out the real zones to shorten the config, but 
it still failed).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Is there a community product maintaining Windows support?

2022-02-17 Thread Danny Mayer via bind-users
As the original developer of the Windows version of bind9, I can tell 
you that ISC has removed support for the Windows version from their 
newer versions of the code and there are other changes that would need a 
lot of work to catch back up. Since BIND9 is under continuous 
development you'd be in a constant race to keep up. It's not worth the 
effort. I have recommended that you use the docker image version of 
BIND9 and run that on your Windows box.


Danny

On 2/17/22 7:42 AM, Jakob Bohm via bind-users wrote:
Fortunately (or unfortunately), the existing port of the 9.16.x bind 
code to Windows is built with Microsoft tools (MSVC2019) and contains 
its own handling of differences between Windows and Unix.


If a maintainer stepped up to maintain the source for a port, I could 
compile it locally for our own systems, as I happen to also be a 
software developer using bind to support that activity.


I know that there is a project that builds a 3rd party installer for 
the Windows port (I currently use the simple upstream install utility 
that is included in the ISC binary download), and I was hoping that 
maybe someone from that installer project could extend it to also 
maintain the port itself.


On 2022-02-11 18:02, Ted Mittelstaedt wrote:

I just became a maintainer on the apcupsd project.

I don't know if bind for windows is built like apcupsd is, by using 
mingw32 but unfortunately there's problems with the mingw32 project 
these days, it's gone through a lot of transitions.


Getting a working build environment for apcupsd at least, requires
using pretty old versions of mingw.

No doubt I'm going to be jumped on for saying so but I know for
apcupsd I've got a -lot- of work to do to get it up to speed.

There are some people out there who have built their own mingw32/mingw64
binaries that are separate from the ones "officially" distributed which
might be an avenue.  My guess the ISC developer who was spearheading
this port moved on to other things and ISC can't find someone who
wants to get involved in this and I can understand why.

There is an interesting article on this problem here:

https://increment.com/open-source/the-rise-of-few-maintainer-projects/

I would ask you this Jakob - would you trust a windows binary of
bind that you compiled?

I've got years of history participating on the apcupsd project. When
I start submitting changes to it, the users of it have that trust 
automatically from that history.  They won't worry if they download a
binary from sourceforge that I built that it's going to gun their 
system.  I'm a public figure in OSS besides that - people may like me

or think I'm an asshole - but they know I'm a real person who has a
rep. to maintain.  I've got a business, federal and state tax ID's,
a published phone number, multiple domain names I've owned for 
years.  I can't run and hide.


You can probably review the bind mailing list and dig out less than
100 names of people who have been on it, regularly posting, for the last
decade.

If none of those people step up to create a fork - then the windows 
port  is effectively going to be dead I'm afraid. Nobody is going to 
trust "some dude" with zero history who sets up on github and forks 
bind and posts a windows binary for downloading just because he says 
it's gold.

Would you?  Trust a production system to that?

OSS got its start by making the CODE available, NOT BINARIES. Users
like you were expected to be completely happy with the fact that the 
code was even there at all and it compiled.   You do your own building.

Not knowing how to run a compiler is no excuse.  The Internet has tons
of tutorials on it.

You want a bind for windows - build it yourself.  That's the can-do 
attitude that OSS started with.  I remember the first time I ever 
downloaded a real OSS code and built it myself.  It was rzsz - zmodem

code for windows.  Back in the BBS days, really.  That's the only way
you got that binary.  It was a total gas and I was hooked. Don't deny
yourself the same pleasure.

Ted


On 2/11/2022 8:24 AM, Jakob Bohm via bind-users wrote:
As ISC has apparently announced that it will no longer maintain the 
code for running bind on Windows operating systems, and that this is 
now up to the community, is there a community group that has stepped 
up to the task?



Enjoy

Jakob



Re: ISC BIND & Windows

2022-02-01 Thread Danny Mayer via bind-users



On 2/1/22 11:14 AM, jukka.pakka...@qnet.fi wrote:

Just read from the 9.18.0 release notes that Windows is not supported.

Since I don't remember reading it expressly stated that Windows support 
would end with the 9.16.x branch, I'm inquiring whether there is more information 
about future Windows compatibility available... is the plan to include 
support for Windows at some point, for some current or future Windows 
Server version, or is it already a fact that there will be no more Windows past 
9.16.x?



Just run it as a docker image. Docker runs on Windows.

Danny



Re: No more support for windows

2021-06-10 Thread Danny Mayer via bind-users
You might want to consider using the BIND9 docker image. With docker and 
kubernetes, which has an internal load balancer, you can run this on any 
Windows platform and don't need anything special. You point to the IP 
address of the kubernetes load balancer and it takes care of where to 
find the docker named image. This is separate from the utilities like 
dig. Setting up the configuration and the zones is a little more work 
but you won't need to worry about keeping up to date on the Windows images.


Danny

On 6/10/21 10:19 AM, Timothe Litt wrote:

On 09-Jun-21 18:46, Richard T.A. Neal wrote:

Evan Hunt wrote:


My understanding is BIND will still run fine under WSL; it's only the native 
Visual Studio builds that we're removing.
For people who want to run named on windows, WSL seems like the best way to go.

Sadly no. To quote myself from an earlier email on this topic:

There are two versions of WSL: WSL1 and WSL2. Development has all but ceased on 
WSL1, but WSL1 is the only version that can be installed on Windows Server 2019.

Microsoft have not yet confirmed whether WSL2 will be available for Windows 
Server vNext (Windows Server 2022, or whatever they name it).

Even if WSL2 is made available for Windows Server 2022 it has some serious 
networking limitations: it uses NAT from the host, so your Linux instance gets 
a private 172.x.y.z style IP address, and that IP address is different every 
reboot. Proxy port forwarding must therefore be reconfigured on every reboot as 
well.

Personally I'm comfortable with the decision that's been made and I understand 
the logic. Saddened, like saying goodbye to an old friend, but comfortable.

Richard.


As I suggested early on, it would be great if the tools could somehow 
be available as native binaries.  Sounds like there's progress there - 
thanks Evan!


As for running a BIND server, all things considered it seems to me 
that the simplest approach is to create a bare-bones VM running 
Linux.  Run that on the windows server (use VMware, VirtualBox).  If 
the only things running in that machine are named, a firewall, a text 
editor, logwatch, and backups, there's really not much effort in 
keeping that machine running.  Just remember to do a distribution 
update once in a while (e.g. dnf update/apt-get, etc).  You might want 
to keep SELinux/AppArmor, but with no other services, it may not be 
worth the effort.  You can tailor Linux distributions down to a very 
minimal set of services.  It's often done for embedded applications.  
You can even do the backups by snapshotting the VM.


You can update the zone files via UPDATE.  You can update the config 
(and zone files if you like) in the VM, or via an exported directory 
from the Windoze host.  (E.g. VirtualBox does this trivially.)


This would completely eliminate the complexity of dealing with the 
Windows networking stack - the Linux machine (and named) just see an 
ethernet adapter (or two, or...) on the host's network.  
(Mechanically, the VM's "adapter"  injects and retrieves raw ethernet 
packets into the driver stack very close to the wire.)  No NAT or 
proxy (unless you want it, in which case it can be static.)  And 
whatever kernel features/networking libraries ISC uses are just there 
- no porting.


I haven't measured performance, but I do run my Linux machines in 
VirtualBox VMs (mostly hosted on a Linux server, but some on 
Windows).  I haven't run into issues - but then I'm not a big 
operator.  I do use CPUs (and IO) with hardware virtualization support.


In any case, the workload on ISC would be zero - unless they choose to 
provide the VM (there are portable formats).  That work might be 
something that someone who wants a Windows solution could afford to 
sponsor.  The biggest part would be scripting packaging from the 
selected distro and a test system. Plus a bit of keeping it 
up-to-date.  And documentation. Optionally, someone might want to do 
some configuration/performance tuning - but most of that is what ISC 
does anyway inside the VM.  Again, the work would seem to be something 
that the Windows community could donate and/or sponsor.


It might even be the case that ISC could use the same VM as part of 
its test suite - many CI engines are using that approach to get wide 
coverage with minimal hardware.  (The CI folks, like GitHub Actions, 
GitLab, etc spin up a VM, install the OS and minimal packages, then 
run your tests.)


I confess that this is a practical approach - it won't satisfy those 
who insist on a "pure" windows solution. (Though I bet if you looked 
inside their routers, storage, phone systems, and certainly cars 
there'd be Linux purring away under the hood...) Nor anyone who thinks 
that the status quo is ideal or that only a "no effort" solution is 
acceptable.  Anyhow, it's not an attempt to start a religious war or 
to prolong the debate on what ISC does.  It assumes BIND won't support 
windows, that WSL is imperfect, and that an alternative to complaining 
mi

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Danny Mayer via bind-users


On 6/3/21 7:05 PM, Peter via bind-users wrote:


Guess not even a subscription will not happen too.

I'm having to try and do Bind on ubuntu and it just will not let me 
edit files like named.conf unless you do some voodoo that I don't 
understand, and even updating the bind, like how? Windows no problem: you 
want to edit a file, no problem; can't edit a file/folder because of 
permissions, you're an admin, you can do that too. Bind is easy on windows.


That's because I didn't get to add the required security permissions to 
the Windows implementation for the file/folders that it used. It was an 
open item on the list to be addressed when I stopped working on it. 
General users should not be able to edit the files. That's an admin role.


On another note, when you stop the bind service you get “windows could 
not stop ISC BIND service on local computer. Error 1067 the process 
terminated unexpectedly.” Wonder if that will be the last fix for 9.17.14.


I remember that from day 1. I'm not sure if we fixed that on ntpd. How 
are you stopping named?


Danny




Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Danny Mayer via bind-users



On 6/3/21 2:17 PM, Reindl Harald wrote:



Am 03.06.21 um 20:12 schrieb Danny Mayer via bind-users:
I don't speak for ISC but it's important to understand that support 
of an operating system costs money and unless a company or 
organization is willing to step up with money it cannot be expected 
to continue support. There was originally a need and the money for 
BIND9 on Windows which is why the effort was made.


that's an unproven claim
Sorry but I was talking about a specific customer who needed it and paid 
for it.


Danny



Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Danny Mayer via bind-users
I don't speak for ISC but it's important to understand that support of 
an operating system costs money and unless a company or organization is 
willing to step up with money it cannot be expected to continue support. 
There was originally a need and the money for BIND9 on Windows which is 
why the effort was made.


FWIW.

Danny

On 6/3/21 4:03 AM, Richard T.A. Neal wrote:

Thanks Vicky and Ondrej for providing clarity. I'll be sad to see it when this 
happens but as I said in my original post I don't underestimate the sheer 
amount of effort required to maintain BIND for Windows going forwards so it's 
completely understandable that you want to focus on platforms that are the most 
widely used and best understood by ISC. The retention of the dig client for 
Windows, even if unsupported, will indeed be welcomed by some.

I'll shift my own focus back to BIND on Linux now as well, but I'll retain a 
tertiary BIND server running 9.16 for Windows just so that I can help out 
anyone who subsequently downloads and installs BIND for Windows between now and 
its end-of-support date.

Best,

Richard.


Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-05-13 Thread Danny Mayer
I didn't think you were blaming anyone. I was just explaining the 
history, though my work on it largely stopped after 2008-9.


Danny

On 5/13/21 1:14 PM, Ondřej Surý wrote:

Danny,

I didn’t write the email to put the blame anywhere or point fingers. I am just 
describing the situation.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 13. 5. 2021, at 17:29, Danny Mayer  wrote:



On 5/13/21 9:45 AM, Ondřej Surý wrote:
Hey,

just a follow-up with a recent real life example.

I’ve spent a few days hunting a problem on Windows that got introduced by a fix 
to outgoing UDP selection code.  While having bugs is normal (and this was 
really a one-liner), it’s abnormal to not have tools for debugging the problem.  
Here’s the (incomplete) list of things that would have to be fixed:

1. Automatic crashdump collection in our CI - it should work, but it simply 
doesn’t and it also ignores the crashdump collection on the Hyper-V Windows 
Server 2016 I am using for building and debugging Windows binaries

If you build the binaries in debug mode does it give you the crashdump 
collection? Hard to know without looking at the sources.

2. Automatic crashdump processing - we need full backtrace printed for all the 
threads, both in the CI and as a “cookbook” for developers.

What happens on Unix? If this is not out-of-the-box then you have to use the 
microsoft tools to do that.

3. The build system rewrite - currently, the build system is this horrible 
hybrid of Perl that generated MSVC solution files (ninja-build or cmake would 
be sane alternatives)

When the build system was written, around 2001, there were not a lot of 
alternatives. I was used to writing TCL but not a lot of people knew that 
language. Perl was the popular choice. Today that would need to be worth 
revisiting.

4. Improvements like this: 
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5020 <— the new 
networking stack uses libuv where we set up listening on each netmgr thread; on 
Windows, we currently limit this to **single thread**. This branch is an attempt 
to use the WS2 API to make Windows work the same as the rest of the platforms, but it fails 
horribly.  It’s beyond our capacity to pursue this any further.

Why is this single-threaded? The Windows code handling the incoming and 
outgoing requests was always multithreaded. There was handling within the 
Windows code to properly deal with the threads and locking that was necessary.

Currently, working on Windows feels like landing on an alien planet with 
failing life support and finding these strange large eggs in the cavern while 
having Sigourney Weaver on the team.

Well I had warned that there needed to be someone on the team to properly deal 
with the Windows side.


Danny








Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-05-13 Thread Danny Mayer via bind-users


On 5/13/21 9:45 AM, Ondřej Surý wrote:

Hey,

just a follow-up with a recent real life example.

I’ve spent a few days hunting a problem on Windows that got introduced by a fix 
to outgoing UDP selection code.  While having bugs is normal (and this was 
really a one-liner), it’s abnormal to not have tools for debugging the problem.  
Here’s the (incomplete) list of things that would have to be fixed:

1. Automatic crashdump collection in our CI - it should work, but it simply 
doesn’t and it also ignores the crashdump collection on the Hyper-V Windows 
Server 2016 I am using for building and debugging Windows binaries
If you build the binaries in debug mode does it give you the crashdump 
collection? Hard to know without looking at the sources.

2. Automatic crashdump processing - we need full backtrace printed for all the 
threads, both in the CI and as a “cookbook” for developers.
What happens on Unix? If this is not out-of-the-box then you have to use 
the microsoft tools to do that.

3. The build system rewrite - currently, the build system is this horrible 
hybrid of Perl that generated MSVC solution files (ninja-build or cmake would 
be sane alternatives)
When the build system was written, around 2001, there were not a lot of 
alternatives. I was used to writing TCL but not a lot of people knew 
that language. Perl was the popular choice. Today that would need to be 
worth revisiting.

4. Improvements like this: 
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5020 <— the new 
networking stack uses libuv where we set up listening on each netmgr thread; on 
Windows, we currently limit this to **single thread**. This branch is an attempt 
to use the WS2 API to make Windows work the same as the rest of the platforms, but it fails 
horribly.  It’s beyond our capacity to pursue this any further.
Why is this single-threaded? The Windows code handling the incoming and 
outgoing requests was always multithreaded. There was handling within 
the Windows code to properly deal with the threads and locking that was 
necessary.

Currently, working on Windows feels like landing on an alien planet with 
failing lifesupport and finding these strange large eggs in the cavern while 
having Sigourney Weaver on the team.
Well I had warned that there needed to be someone on the team to 
properly deal with the Windows side.



Danny




Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-05-11 Thread Danny Mayer via bind-users


On 5/10/21 5:11 AM, Ondřej Surý wrote:
>> On 10. 5. 2021, at 10:29, Richard T.A. Neal wrote:
>>
>> At this time I don't therefore believe that running BIND via WSL or WSL2 on
>> Windows Server is a viable reliable solution.
>
> Thanks for the analysis.
>
> The alternative is as I outlined in the first email: somebody needs to step up
> and start maintaining the BIND 9.18+ Windows version properly. FTR the
> “somebody” doesn’t have to do it with their own hands.
>
> Using mingw-w64 to compile BIND 9.18+ instead of using MSVC would also be
> accepted as a contribution.

As the original developer of the Windows implementation I'd be happy to help
out and take this on. However, I would not be able to do this without
funding. If people want me to pursue this please let me know.


Danny



Re: Method of writing zone files

2018-11-12 Thread Danny Mayer
If you are talking about BIND9 atomic replacement on Windows then it
does, at least when I wrote that piece of code. It very carefully makes
sure it doesn't lose the file.

Danny

On 11/12/18 6:21 PM, Mark Andrews wrote:
> It really depends on the platform.
>
> Windows doesn’t support atomic replacement via rename.
>
> On platforms where atomic replacement via rename is supported it is used.
>
> Mark
>
>> On 13 Nov 2018, at 6:39 am, Marcus Frenkel wrote:
>>
>> Thank you for the quick reply Tony!
>>
>> Follow-up questions just to be sure:
>> 1. The new zone file is renamed in the place of the old one, only after all 
>> changes to the new file are written?
>> 2. Is the zone file atomically replaced during the renaming process, in a 
>> sense that there is no window in which the file is empty or non-existent?
>>
>> I'm running BIND on Debian 9. Based on this Linux man page, the rename 
>> function should be atomic. I would not imagine that BIND does it in a 
>> different way, like the worst case scenario to first remove the current file 
>> and then move the new one to the same path. I know I'm too cautious, I'm 
>> just trying to avoid any chance for rsync to transfer incomplete or empty 
>> zone file, or maybe delete the file at the destination if it does not exist 
>> at the source for a short moment.
>>
>> Marcus
>>
>> On Mon, Nov 12, 2018 at 7:19 PM Tony Finch wrote:
>> Marcus Frenkel wrote:
>>> I need to know how BIND writes to slave zone files after zone has been
>>> updated. Does it modify the file in place or it replaces the file with
>>> new one at once?
>> Changes are written to a journal append-only style. Every so often the
>> master file is rewritten to incorporate the contents of the journal; this
>> is done by writing to a new file and renaming it in place of the old one.
>>
>> Tony.
>> -- 
>> f.anthony.n.finch  http://dotat.at/
>> sovereignty rests with the people and authority
>> in a democracy derives from the people


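The write-new-file-then-rename scheme Tony and Mark describe, as an added Python example (not code from the thread or from BIND itself). The `between` hook is a constructed test point standing in for a concurrent reader such as rsync, so the difference between rename-over and remove-then-move can be observed directly.

```python
"""Atomic zone-file rewrite: write a new file, then rename it over the old one.

Added illustration; file names, zone contents and the `between` hook are
constructed for the demonstration and are not BIND's own implementation.
"""
import os
import tempfile

# Constructed sample master files, before and after a journal is folded in.
OLD_ZONE = "example.test. SOA ns1 hostmaster 1 7200 3600 1209600 3600\n"
NEW_ZONE = "example.test. SOA ns1 hostmaster 2 7200 3600 1209600 3600\n"


def observe(path):
    """What a concurrent reader (rsync, a zone checker) sees at this instant:
    'missing', 'empty', or the file's full contents."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as f:
        data = f.read()
    return "empty" if not data else data.decode("utf-8")


def atomic_replace(path, text, between=None):
    """Write `text` to a temp file in the same directory (same filesystem, so
    rename is a metadata-only operation), fsync it, then rename it over `path`.
    The old file stays visible and complete until the rename, so a reader sees
    either the old or the new version and never a missing or half-written file.
    `between` is an optional hook called just before the rename."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".zone-", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())  # data is on disk before the name flips
        if between:
            between(path)
        # Atomic rename on POSIX; on Windows os.replace also overwrites an
        # existing destination (the rename is never a delete-then-create here).
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # never leave a stray temp file behind
        raise


def unsafe_replace(path, text, between=None):
    """The pattern the thread worries about: remove the old file first, then
    move the new one in. Between those two steps the name does not exist."""
    tmp = path + ".new"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(text)
    os.unlink(path)
    if between:
        between(path)
    os.rename(tmp, path)


def demo(replace):
    """Run one replacement strategy on a constructed zone file and return
    (what a reader saw mid-replacement, what it saw afterwards)."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        zone = os.path.join(d, "example.test.zone")
        with open(zone, "w", encoding="utf-8") as f:
            f.write(OLD_ZONE)
        replace(zone, NEW_ZONE, between=lambda p: seen.append(observe(p)))
        return seen[0], observe(zone)


if __name__ == "__main__":
    print("atomic:", demo(atomic_replace))
    print("unsafe:", demo(unsafe_replace))
```

mkstemp creates the temp file mode 0600; a production rewrite would copy the old file's permissions onto it before the rename so the zone stays readable by whatever serves or syncs it.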


Re: NTP through DNS?

2018-09-24 Thread Danny Mayer
On 9/22/2018 9:30 AM, Matus UHLAR - fantomas wrote:
>>>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
>>>>>   But that is not, as Ray said, automated discovery. You are
>>>>> asking the computer to make assumptions, i.e. "if I am in domain
>>>>> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
>>>>> domain thingie. You know where a lot of your basic network resources
>>>>> are. If you have a ntp server do you know where it is just like you
>>>>> know where your mail, LDAP, and kerbie servers are hiding?"
> 
>>> Am 21.09.18 um 22:19 schrieb Danny Mayer:
>>>> That's not what I wrote. Someone needs to maintain an SRV record. It's
>>>> not a good idea for domains to announce their NTP servers since they
>>>> can
>>>> be abused by others not authorized to use them. We've had plenty of
>>>> abuse along those lines along with DDOS attacks. What the ntp CNAME
>>>> would do is point to a number of other servers to use and you don't
>>>> need
>>>> to call it ntp, it's just a string.
> 
>> On 9/21/2018 6:33 PM, Reindl Harald wrote:
>>> but *nobody* cares about what is a good idea when the question was
>>> simply "does ntp discovery work" where the answer is simply no
> 
> On 21.09.18 21:39, Danny Mayer wrote:
>> No, that's not true. Consider what you are doing. You are substituting
>> SRV records for CNAME records. There is nothing magical here. NTP can
>> use the CNAME records. Either way the records have to be configured.
>> What do you think you are discovering? SRV records aren't magic.
> 
> The OP request indicated that they wish for ntp autoconfiguration. 
> There is
> no autoconfiguration we know of, unless DHCP that was reported often not to
> work.
> 

I worked with the DHCP working group a number of years ago to add
options for ntp configuration. The RFC has been released but I don't
have that ID handy. I have no idea whether any DHCP implementation is
using it today.

> using either CNAME or SRV records won't change the fact that ntp server
> does
> not autoconfigure itself.
> 
> Neither of them also changes the fact that the NTP configuration is not
> related to domain, but to the local network.
>

Doesn't matter. The pool configuration option works like the server
option but sets up all of the servers that it finds rather than just
taking the first one on the list.

pool ntplist.yourdomain iburst

in your ntp.conf file works really well.

Danny


Re: NTP through DNS?

2018-09-24 Thread Danny Mayer
On 9/22/2018 9:50 AM, Reindl Harald wrote:
> 
> 
> Am 22.09.18 um 03:39 schrieb Danny Mayer:
>>> but *nobody* cares about what is a good idea when the question was
>>> simply "does ntp discovery work" where the answer is simply no
>>
>> No, that's not true. Consider what you are doing. You are substituting
>> SRV records for CNAME records. There is nothing magical here. NTP can
>> use the CNAME records. Either way the records have to be configured.
>> What do you think you are discovering? SRV records aren't magic
> 
> * hell, the topic is "is ntp autodiscovery possible?"
> * that's done with SRV records for supported services
> * but nothing is using them in case of NTP
> * so the whole answer to the thread is simply "no"
> 
> "NTP can use the CNAME records" makes no sense at all in this topic
> 
> the topic is not about what NTP can use, the topic is about unconfigured
> machines *finding* the NTP server in the local network without any
> manually configuration - not more, mot less

This is very simple to do. It does not require SRV records to implement.
Note that I am only answering for the ntp reference implementation.

In your domain file add entries like this:

locationntp CNAME ntp1.yourdomain
CNAME ntp2.yourdomain
CNAME externalntp.otherdomain
CNAME externalntp.someotherdomain

In your ntp.conf file put the following line:
pool locationntp.yourdomain

This will cause it to use ALL of the entries listed. You can have as
many as 10 entries in your DNS and it will use all of them. Don't use
less than 3, 4 is better.

Simple enough?

Danny


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 6:33 PM, Reindl Harald wrote:
> 
> 
> Am 21.09.18 um 22:19 schrieb Danny Mayer:
>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
>>>>> The discussion was about automated _discovery_ of the DNS name of your
>>>>> NTP server using an additional level of indirection so that it can be
>>>>> automatically configured without using DHCP.
>>>>
>>>> That's easy. Create a FQDN called ntp in your domain and have it be a
>>>> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
>>>> option will take care of setting the multiple servers. You don't need
>>>> the complexity of SRV records.
>>>>
>>>   But that is not, as Ray said, automated discovery. You are
>>> asking the computer to make assumptions, i.e. "if I am in domain
>>> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
>>> domain thingie. You know where a lot of your basic network resources
>>> are. If you have a ntp server do you know where it is just like you
>>> know where your mail, LDAP, and kerbie servers are hiding?"
>>
>> That's not what I wrote. Someone needs to maintain an SRV record. It's
>> not a good idea for domains to announce their NTP servers since they can
>> be abused by others not authorized to use them. We've had plenty of
>> abuse along those lines along with DDOS attacks. What the ntp CNAME
>> would do is point to a number of other servers to use and you don't need
>> to call it ntp, it's just a string.
> 
> but *nobody* cares about what is a good idea when the question was
> simply "does ntp discovery work" where the answer is simply no

No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.

Danny


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
> On Fri, Sep 21, 2018 at 3:14 PM, Danny Mayer wrote:
>> On 9/21/2018 7:56 AM, Ray Bellis wrote:
>>> On 21/09/2018 12:47, Danny Mayer wrote:
>>>
>>>> Putting on both my BIND9 and NTP hats for a moment:
>>>>
>>>> This answer makes no sense. NTP uses standard DNS FQDN's for all of its
>>>> references to NTP servers whether it's using pool, server or peer. I
>>>> have no idea where the reverse zone comes in though I haven't read the
>>>> whole thread. The NTP services all belong to domains, whether internal or
>>>> external. There is a DHCP option that we have seen but it seems to cause
>>>> more confusion than anything.
>>>>
>>>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>>>> the NTP server can use and it all works.
>>>>
>>>> Let me know if I misunderstood what this is really about.
>>>
>>> I believe you have.
>>>
>>> The discussion was about automated _discovery_ of the DNS name of your
>>> NTP server using an additional level of indirection so that it can be
>>> automatically configured without using DHCP.
>>
>> That's easy. Create a FQDN called ntp in your domain and have it be a
>> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
>> option will take care of setting the multiple servers. You don't need
>> the complexity of SRV records.
>>
>   But that is not, as Ray said, automated discovery. You are
> asking the computer to make assumptions, i.e. "if I am in domain
> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
> domain thingie. You know where a lot of your basic network resources
> are. If you have a ntp server do you know where it is just like you
> know where your mail, LDAP, and kerbie servers are hiding?"

That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDOS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.

Danny


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 7:56 AM, Ray Bellis wrote:
> On 21/09/2018 12:47, Danny Mayer wrote:
> 
>> Putting on both my BIND9 and NTP hats for a moment:
>>
>> This answer makes no sense. NTP uses standard DNS FQDN's for all of its
>> references to NTP servers whether it's using pool, server or peer. I
>> have no idea where the reverse zone comes in though I haven't read the
>> whole thread. The NTP services all belong to domains, whether internal or
>> external. There is a DHCP option that we have seen but it seems to cause
>> more confusion than anything.
>>
>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>> the NTP server can use and it all works.
>>
>> Let me know if I misunderstood what this is really about.
> 
> I believe you have.
> 
> The discussion was about automated _discovery_ of the DNS name of your
> NTP server using an additional level of indirection so that it can be
> automatically configured without using DHCP.

That's easy. Create a FQDN called ntp in your domain and have it be a
set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
option will take care of setting the multiple servers. You don't need
the complexity of SRV records.

Danny


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/19/2018 10:12 AM, Andrew Latham wrote:
> You can add SRV records for NTP to your domain if that is what you are
> asking.
> 

NTP doesn't use SRV records and I don't see a use case to do so.
Therefore I have no idea why this would be any benefit. You can add NTP
specific FQDN's as A or AAAA or CNAME records if that would be helpful.

Danny

> On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares wrote:
> 
> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/19/2018 11:19 AM, Ray Bellis wrote:
> On 19/09/2018 15:59, Mauricio Tavares wrote:
> 
>>> An NTP serice doesn't belong to a domain, so maybe not (I don't know of
>>> one off my mind).
>>>
>>   Not necessarily; I can name a few universities and business who
>> offer their own NTP servers to their internal systems. AFAIK, this is
>> considered good practice.
> 
> That's not the point that Mukund was making.
> 
> An NTP server is part of your local network configuration.   Your domain
> name is also part of your local network configuration.  As such, these
> two values are often served by DHCP.
> 
> That does not mean, though, that there is a one-to-one mapping from your
> domain name to your preferred set of NTP servers.
> 
> One could have numerous subnets located all over the planet with
> different NTP servers, but all sharing the same domain name.
> 
> If it were feasible to store an NTP server address in the DNS it would
> more logically fit in the in-addr.arpa zone, and not in a forward zone.
> 

Putting on both my BIND9 and NTP hats for a moment:

This answer makes no sense. NTP uses standard DNS FQDN's for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in though I haven't read the
whole thread. The NTP services all belong to domains, whether internal or
external. There is a DHCP option that we have seen but it seems to cause
more confusion than anything.

You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.

Let me know if I misunderstood what this is really about.

Danny


Re: 9.9.0rc2 Windows Installer Tools Only Installation Issues

2012-02-17 Thread Danny Mayer
On 2/4/2012 12:36 PM, Spain, Dr. Jeffry A. wrote:
> The BIND9.9.0rc2.zip Windows installer allows for a “Tools Only”
> installation. With this you can avoid having to enter the service
> account information that will not be needed. However, the only tools you
> get are dig.exe, nslookup.exe, and a couple of others.
> 
>  
> 
> It would be nice to also include dnssec-*.exe and named-*.exe to
> facilitate DNSSEC key management and zone troubleshooting without having
> to do the full named service installation. As it stands, if you want
> these tools but don’t want to run the named service on Windows, you do
> have to do the full service installation. This includes specifying a
> service account name and password, and then unchecking “Automatic
> Startup” and “Start BIND Service After Install.”
> 
>  

You don't need to do an install at all for the binaries if you aren't
going to run named. You might need to run the vcredist_x86.exe to get
the Microsoft redistributable binaries for the compiler but that's all
that is really needed. Running the installer is a waste of time for
this. If it requires the service install just for the tools then that's
a bug.

Danny

> 
> With the 9.9.0 release just around the corner, perhaps this could be
> considered for 9.9.1.
> 
>  
> 
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
> 


Re: [patch] UNIX sockets support for lwresd

2012-01-17 Thread Danny Mayer
On 1/17/2012 5:57 AM, Ben Laurie wrote:
> 
> 
> On 17 January 2012 04:31, Danny Mayer wrote:
> 
> This breaks O/S's that don't support Unix sockets, specifically Windows.
> Please explain why Unix domain sockets are more effective and secure
> rather than using localhost with standard sockets.
> 
> 
> It is a common misconception that using localhost provides locality -
> this is only true in the strong host model. So, "more secure" is easy to
> explain: only local processes can connect to unix domain sockets, even
> in the weak host model. This point is independent of Capsicum, of course.
> 

It's a common misconception that using 127.0.0.1 and ::1 is somehow
insecure. Any system allowing packets with those addresses out on the
network would cause havoc and you'd have far bigger problems than this
application.

Danny


Re: [patch] UNIX sockets support for lwresd

2012-01-16 Thread Danny Mayer
This really belongs in bind-workers rather than bind-users. See also below.

On 1/16/2012 9:19 AM, Ilya Bakulin wrote:
> Hi list,
> I'm working on Capsicum security framework [1] for the FreeBSD Project.
> While implementing sandbox mode for some applications like tcpdump, we
> have noticed that sandboxed applications are no longer able to resolve DNS
> names. This happens because each DNS resolving is done by making a
> connection to upstream DNS server.
> So we decided to use lwresd and corresponding library (liblwres) so an
> application will talk only with lwresd daemon on localhost, and lwresd
> will upstream DNS query to another server. This worked better, because now
> an application has to maintain only one opened socket to lwresd daemon,
> instead of opening new one each time DNS resolving happens.
> But this also was not enough. We wanted lwresd to use UNIX domain sockets
> instead of TCP/UDP, this is more effective and secure as long as all
> communication happens on one host.
> Another problem is that original liblwres closes socket after each query
> and recreates it when needed. This is impossible when an application is
> sandboxed, because sockets cannot be created in this state.
> 
> To get rid of these problems, I have modified lwresd, liblwres and also
> libisc:
> 1.1) libisc seems to have basic UNIX stream sockets support, but seems it
> was not finished, because many if() statements only checked if the
> connection type is TCP or UDP. I have added handling of UNIX *datagram*
> sockets to all (I hope so) necessary places. I needed only datagram
> sockets, not stream, but since UNIX sockets support in libisc seems to be
> unusable anyway, I decided to change the type of socket that is created if
> LWRES_ADDRTYPE_UNIXSOCK is requested.

This breaks O/S's that don't support Unix sockets, specifically Windows.
Please explain why Unix domain sockets are more effective and secure
rather than using localhost with standard sockets. The closing of the
socket and creation of a new one is due to the fix for the Kaminsky attack
which presumably is not a problem here if the lightweight resolver is
only used locally.

> 1.2) A socket is not closed after a connection was made and data is
> received. Instead, its descriptor is saved and used later when making
> subsequent queries.
> 1.3) New function lwres_socket_init() that tries to open a connection to
> lwresd daemon. This function is called by an application just before it
> enters sandboxed mode. So later, when it makes a DNS query, it reuses
> existing socket.
> 
> There are still some problems that I wanted to fix after receiving initial
> feedback about my patch.
> 2.1) The library is modified to use UNIX socket _by_default_. As I
> understand it's better to add a support for reading UNIX socket path from
> configuration file. Or at least add such command-line option.

No, please don't do that. At best you should make it a buildable option
but there really should be no need for Unix sockets at all.

> 2.2) When using UNIX datagram sockets, one should create a "client" socket
> to receive replies from server (lib/lwres/context.c, near line 349). I
> wonder where this socket should be closed. What I think is that a context
> structure should be modified to include client socket descriptor, so we
> will be able to close it if we don't need it any more.

As usual with the things like this you should be making calls into the
module to create, update and delete the socket and structure. That's the
standard way we implemented these kinds of structures and methods.

> 2.3) Maybe add a config file switch to prevent lwresd from closing
> communication socket after each use? I.e. make a behaviour described in
> 1.2 optional.

This seems to need overall architectural review rather than just hacking
the code for your specific purpose. I don't have solutions, just questions.

> 
> Thank you in advance for reviewing this work, hope you'll find it useful.
> I'm also CC'ing Robert Watson, Jonathan Anderson and Ben Laurie, who work
> on Capsicum implementation.
> 

I'm not convinced that this is the right approach but I'm sure Michael
or Mark will chime in with their own opinions.

Danny
> [1] http://www.cl.cam.ac.uk/research/security/capsicum/


Re: bind as a service on windows "-c" option not working

2011-12-15 Thread Danny Mayer
On 12/15/2011 11:43 AM, Vbvbrj wrote:
> On 15.12.2011 15:39, Danny Mayer wrote:
> 
> Thanks for answering.
>>> I want to keep all the files related to bind in one folder, not across
>>> the system folder. And keeping the named.conf in the system32 folder may
>>> be lost when the system is reinstalled and in a hurry the file is
>>> forgotten to be copied.
>> If you install the software in D:\bind9 then the binaries will be in
>> D:\bind9\bin and the config file named.conf will be in D:\bind9\etc. I
>> don't think you need anything else.
> The production I use for now is configured like you wrote: all files
> under the install directory.
> 
>> And the other thing is keeping the system's registry as simple and clean
>> as possible, by not using registry for start-up arguments and indicating
>> them in the command line for the service. This I managed to do for most
>> of the services I use.
>> If you do the above then you don't need to change anything in the
>> registry. That's the default behavior. If there are changes you want to
>> have added send a message to bind9-bugs.
> This is the problem. If the "InstallDir" key is deleted from the
> registry, the bind at start searches for the named.conf in the
> system32\etc folder and falls with an error. That's why I asked about
> the "-c" option that is not taken. If without that regystry key, the
> bind service will try to find a named.conf under the etc folder from
> where the executable resides - will be easier. For example PHP is
> searching for the ini file in system32 folder, then in the executable
> folder, then in paths.
> 

InstallDir is required in the registry for proper administration of BIND9.

Danny


Re: BIND for Active directory with secure update

2011-12-15 Thread Danny Mayer
On 12/14/2011 2:36 PM, Vbvbrj wrote:
> Hello.
> 
> I've setup BIND to serve the requests to lan instead of Microsoft DNS by
> first setting bind as a secondary dns server for Microsoft DNS, copy the
> zones, and making the BIND the master. In order for domain member hosts
> to update the records of the their names in dns, I allow unsecure
> updates from the lan computers. It's a security threat of poisoning the
> dns. I would like to setup up a secure by the domain servers. On the
> internet I read about using "allow-update" with a key file. But I didn't
> find a page on how to get the key from the Active Directory kerberos
> system. Could any one point on setting the secure update to bind with
> key from the already deployed Active Directory?
> 
> The BIND is running under the windows.

GSS-TSIG is not implemented for BIND9 on Windows.

Danny


Re: bind as a service on windows "-c" option not working

2011-12-15 Thread Danny Mayer
On 12/15/2011 5:52 AM, Vbvbrj wrote:
> On 15.12.2011 03:11, Danny Mayer wrote:
>> On 12/14/2011 2:35 PM, Vbvbrj wrote:
>>> Bind 9.8.1 P1 installed in D:\bind9.
>>> Config files and other zone files and log files in D:\bind_config
>>> Service configuration: Path to executable:
>>> "D:\bind9\bin\named.exe" -c "D:\bind_config\etc\named.conf"
>> I haven't looked at this part of the code in a long time but it should
>> work. Though the registry key should be ImagePath. Did you use
>> BINDInstall to install it?
> Yes I used BINDInstall to install the service, and then modified the
> service to add the "-c"option.

That's fine. This was one unimplemented feature for BINDInstall.

>>> named.conf has the line:
>>> directory "D:\named.conf";
>>>
>> Unless you actually have a folder called D:\named.conf\ then I suspect
>> this is wrong. It should be the directory containing your files not the
>> name of the config file.
> Oh, this is my error. The line is:
> directory "D:\bind_config"
>> Is there a reason that you want to look for it in a different place
>> from where it is currently looking? What's the real issue behind your
>> question. Danny 
> I want to keep all the files related to bind in one folder, not across
> the system folder. And keeping the named.conf in the system32 folder may
> be lost when the system is reinstalled and in a hurry the file is
> forgotten to be copied.

If you install the software in D:\bind9 then the binaries will be in
D:\bind9\bin and the config file named.conf will be in D:\bind9\etc. I
don't think you need anything else.

> And the other thing is keeping the system's registry as simple and clean
> as possible, by not using registry for start-up arguments and indicating
> them in the command line for the service. This I managed to do for most
> of the services I use.

If you do the above then you don't need to change anything in the
registry. That's the default behavior. If there are changes you want to
have added send a message to bind9-bugs.

Danny


Re: bind as a service on windows "-c" option not working

2011-12-14 Thread Danny Mayer
On 12/14/2011 2:35 PM, Vbvbrj wrote:
> Bind 9.8.1 P1 installed in D:\bind9.
> Config files and other zone files and log files in D:\bind_config
> Service configuration: Path to executable:
> "D:\bind9\bin\named.exe" -c "D:\bind_config\etc\named.conf"

I haven't looked at this part of the code in a long time but it should
work. Though the registry key should be ImagePath. Did you use
BINDInstall to install it?

> 
> named.conf has the line:
> directory "D:\named.conf";
> 

Unless you actually have a folder called D:\named.conf\ then I suspect
this is wrong. It should be the directory containing your files not the
name of the config file.

> If the registry key HKEY_LOCAL_MACHINE\SOFTWARE\ISC\BIND\"InstallDir" is
> present, then at the start the named.conf is searched under the folder
> "etc" of "InstallDir" folder.
> If I delete this key, the the named.conf file is searched in
> system32/etc folder or something under system32 folder.

Yes. that's what it's designed to do.

> 
> In both cases the "-c" option is not taken by the service.

Debugging this is not easy but having the arguments on the ImagePath
registry should be okay.

> As starting
> bind from command line, the "-c" option is taken into account and
> named.conf is read from the specified path.
> 

That's expected.

> How to tell the named running as a service to read the config file from
> the path specified with "-c" option?
> Someone please.

Is there a reason that you want to look for it in a different place from
where it is currently looking? What's the real issue behind your question?

Danny


Re: Bind 9.9.0b2 inline signing...

2011-12-04 Thread Danny Mayer
On 11/28/2011 4:33 PM, Bill Owens wrote:

> 
> I think that if I had to use a Windows workstation my first installs
> would be the ISC binary kit and wireshark, since AFAIK Windows doesn't
> come with a packet capture program either. . .
> 

There is one. I forget what it's called. I think it's in one of the
resource kits. I prefer wireshark (ethereal as it used to be called).
For most problems with BIND9 you should run it in debug mode. For that
you need to build it yourself because ISC doesn't make a debug version
available. Mostly it's hard to understand what is happening unless you
run it from VS which is about the only reason to want wireshark.

Danny


Re: Bind 9.9.0b2 inline signing...

2011-12-04 Thread Danny Mayer
On 11/28/2011 1:03 PM, wbr...@e1b.org wrote:
> Todd wrote on 11/24/2011 11:29:14 AM:
> 
>> I don't understand why Windows doesn't include dig by default, even 
>> now.  Free software hate?
> 
> And grep and logrotate!  At least the GnuWin32 project has a good version 
> of grep.
> 

I have a good version of grep and it's not gnu or cygwin.

> 
> 
> Confidentiality Notice: 

There's nothing confidential about these messages regardless of these
nonsense disclaimers.

Danny


Re: Bind 9.9.0b2 inline signing...

2011-11-25 Thread Danny Mayer
On 11/24/2011 11:21 AM, Jan-Piet Mens wrote:
> Jeffry,
> 
>> I have had a tendency to dig axfr from my Windows workstation
> 
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)
>

It comes with the Windows version of BIND9.

Danny



Re: socket.c error in bind 9.9.0b2

2011-11-22 Thread Danny Mayer
On 11/22/2011 11:17 AM, Spain, Dr. Jeffry A. wrote:
> When bind 9.9.0b2 starts up, the syslog shows the following messages:
> 
> Nov 22 10:18:19 nstest2 named[17190]: using default UDP/IPv6 port range: 
> [1024, 65535]
> Nov 22 10:18:19 nstest2 named[17190]: listening on IPv6 interfaces, port 53
> Nov 22 10:18:19 nstest2 named[17190]: socket.c:5728: unexpected error:
> Nov 22 10:18:19 nstest2 named[17190]: setsockopt(513, IPV6_V6ONLY) failed: 
> Invalid argument
> 

I suspect you ran out of available file descriptors. 513 is a suspicious
number. Look to see what your file descriptor limit is. This version may
be leaking file descriptors.

Danny

> The section of bind-9.9.0b2/lib/isc/unix/socket.c referenced in the error 
> message is:
> #ifdef IPV6_V6ONLY
> if (sock->pf == AF_INET6) {
> if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
>(void *)&onoff, sizeof(int)) < 0) {
> char strbuf[ISC_STRERRORSIZE];
> isc__strerror(errno, strbuf, sizeof(strbuf));
> UNEXPECTED_ERROR(__FILE__, __LINE__,
>  "setsockopt(%d, IPV6_V6ONLY) "
>  "%s: %s", sock->fd,
>  isc_msgcat_get(isc_msgcat,
> ISC_MSGSET_GENERAL,
> ISC_MSG_FAILED,
> "failed"),
>  strbuf);
> }
> }
> FIX_IPV6_RECVPKTINFO(sock); /* AIX */
> #endif
> 
> I have reproduced this on Ubuntu 11.04 (Natty) and 11.10 (Oneiric) amd64. The 
> error does not occur with bind 9.8.1-P1. This same section of code appears in 
> bind-9.8.0-P1/lib/isc/unix/socket.c and is identical to the above. My systems 
> are operating in an IPv6/IPv4 dual-stack environment. The configuration file 
> named.conf.options contains "listen-on-v6 { any; };". These systems seem to 
> respond normally to IPv6 queries. Thanks for any advice you may have about 
> how to troubleshoot further. Thanks.
> 
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School



Re: trigger point for new bug

2011-11-20 Thread Danny Mayer
On 11/16/2011 5:35 PM, Michael McNally wrote:
> No.  You can see all versions of ISC BIND 9 that we have released,
> going back to 9.0.0 in 2004, at ftp://ftp.isc.org/isc/bind9/

9.0.0 was released well before that. 9.2.1 was released in 2001 when I
completed the first release of the Windows version. You are being fooled
by the dates on the subdirectories.

Danny


Re: BIND/named on VM

2011-10-16 Thread Danny Mayer
On 10/14/2011 1:49 PM, Walter Smith wrote:
> Hello folks,
> 
> I would like to setup latest BIND/named [slaves] within VMware
> environment - is there any implications I should be aware of?
> Since I saw some issues running NTPd on VMware - thinking may be 'named'
> might have similar issues...

Nameservers are not that sensitive to time even with DNSSEC. TSIG, for
example, only requires you to be within 5 minutes. As long as you are
keeping your clock synchronized within reasonable limits you should
have no problems with BIND. As others have recommended, VMware has
published guidelines on running NTPd on various host platforms running
on top of VMware and you should review these for your specific
configurations.

Danny
NTP Development


Re: 9.8.0 in 2008 R2 x64 server

2011-04-05 Thread Danny Mayer
On 4/5/2011 8:05 PM, Mark Andrews wrote:
> 
> In message , Dan Mahoney writes:
>>
>>
>> On Tue, 5 Apr 2011, Jukka Pakkanen wrote:
>>
>>> I'm moving one of our DNS servers (Win 2003 R2, v9.7.0) to a new 2008 R2 x64
>>> server.
>>>
>>> After installing v9.8.0 I copied the /etc directory & subdirectories, the
>>> named user has full rights in relevant directories and "log on as a service"
>>> rights... still I get the following error in eventviewer when trying to start
>>> the service:
>>>
>>> "none:0: open: C:\Windows\system32\dns\etc\named.conf: file not found"
>>>
>>> Any ideas?  The named.conf file IS there, and the directories/datafiles are
>>> identical to our old, working server.  Tested with "administrator" as the user
>>> as well, same problem.
> 
> Windows Vista and Windows 2008 maps system32 filenames to a different
> location that I can't remember off the top of my head.
> 
> I would uninstall named and then re-install it in "C:\Program Files\ISC\BIND9"
> or similar to avoid the mapping.  The location of the configuration files
> are stored in the registry so everything should work if you do this.
>  

I install my named to use d:/named/etc and avoid putting anything in
system directories. It's a bad idea. You also need to make sure that you
define the directory option in named.conf to point to this directory:

options
{
directory "d:\named\etc";
 notify no;
 recursion yes;
}

The BINDInstall installer should take care of this. I had made changes
to the installer to avoid using system32/etc for just this reason though
I don't think it's made it into the cvs head.

You can run BINDInstall and click the Uninstall button to uninstall it
there and then click on the Install button to put it in the right place.
I put my named binaries in d:/named/bin, it's safer that way.

Danny

>> Start a command shell as that user and try to more the file?


Re: Reason for separate libdns and libisc "export libraries"

2010-11-20 Thread Danny Mayer
On 10/11/2010 8:01 AM, Adam Tkac wrote:
> Hello all,
> 
> I would like to ask you for the reason why there are separate versions
> of libdns, libisc & friends, called "export libraries" in BIND 9.7
> series.
> 
> If I understand correctly those export libs are supposed to be used
> from non-BIND9 applications and some methods are lightweight compared
> to full-featured BIND9 versions. In my opinion it's good idea to offer
> two versions of certain methods. However I don't understand why those
> methods need to be in separate library and, which is even worse, this
> library has the same name as full featured BIND9 lib. It is the best
> way to various run-time issues, like unresolved symbols. Another issue
> is that isc-config.sh utility (which is used to determine CFLAGS,
> LDFLAGS etc) has no support for this dual-library setup.
> 
> In my opinion export libs and standard libs should be merged together
> or should be renamed (for example to libdns-export.so). I must note
> rename is probably worse case because dynamic linker can randomly
> pick methods with same name from libdns.so or from libdns-export.so.
> I think the best solution is to merge two libs into one and select
> methods via preprocessor flag (-DBIND9). The merged library will
> look like:
> 
> isc/namespace.h:
> 
> #ifdef BIND9
> #define isc_something isc__something
> #endif
> 
> libisc.so:
> isc_something
> isc__something
> 
> So there will be no runtime issues. May I ask you if you can change
> current dynamic libraries setup somehow? I can prepare the patches,
> if you are interested.
> 
> Regards, Adam
> 

No one seems to have responded to you on this, so I thought I should.

Contrary to what you think, these libraries are really designed for
BIND9 usage. The libraries are designed to separate different functional
areas. The libisc library are basically a generic set of functions which
operate as a layer between BIND9 and the O/S and allow almost all of the
O/S specific behaviors to reside there but are not meant to have
anything to do with handling dns-specific areas. That's in the libdns
library and is specifically designed to deal with managing dns. The only
library that might be used with a non-BIND9 implementation is the
liblwres library but that's the only one. We have pulled some of the
libisc library into NTP because it's helpful in a number of areas. The
libraries are pulled into building different binaries, named, dig,
dnssec-keygen, etc. as needed. It would be a really bad idea to merge
everything in one library.

I really don't expect the libraries to be used outside of BIND9 with the
possible exception of libisc and liblwres. What would you expect to use
them for? The library that is usually used for linking with external
applications is libbind and that has now been packaged separately.

BTW, this question really belongs in bind-workers rather than bind-users.

Danny


Re: Error after upgrading to 9.7.1-p2 windows 2k3 VMWare ESX

2010-08-15 Thread Danny Mayer
On 8/13/2010 3:25 AM, Chiesa Stefano wrote:
> Hello all.
> Our Bind installation is on a virtual VMWare ESX W2k3 server.
> I've just upgraded our public primary dns server from 9.6.0-p1 to
> 9.7.1-p2.
> After more or less 15 minutes of work the following messages appear in
> the log:
> 
> 13-Aug-2010 9:09:39.305 general: error: .\socket.c:2444: unexpected
> error:
> 13-Aug-2010 9:09:39.305 general: error: SOCKET_RECV: Windows error code:
> 1236, returning ISC error 54
> 13-Aug-2010 9:09:39.430 general: error: .\socket.c:2444: unexpected
> error:
> 13-Aug-2010 9:09:39.430 general: error: SOCKET_RECV: Windows error code:
> 1236, returning ISC error 54
> 
> I read around that it could be a BIND bug, or a problem in the Windows
> registry.
> Can some of you tell me something more certain and, if it is possible,
> how to solve it?
> 

It's a bug in the BIND code. It's a nuisance more than a problem since
it appears to not affect the running of the code. There is a fix in
process of being reviewed for this. BIND 9.7.x appears to have become
much more aggressive with issuing cancels which is why you are seeing
this error show up in the logs.

Danny

> Thanks in advance.
> Have a nice day.
> 
> Stefano Chiesa.
> 
> 
> Stefano Chiesa
> Wolters Kluwer Italia
> Strada 1, Palazzo F6
> 20090 Milanofiori Assago (Mi) - Italia
> Phone +39 0282476279 (20279 Voip)
> Fax +39 0282476633


Re: "Unable Create Account for the Service" on Windows 2008

2010-08-15 Thread Danny Mayer
On 8/11/2010 3:32 PM, Gary Gladney wrote:
> Are you using a domain admin account or local admin account? If you are
> using a domain admin account the system you are doing the install on has to
> be part of the windows domain that you are adding the account to. If
> it's a local account then the problem may be with the SAM file for that
> system. A service account is like any other user account, typically the
> password does not expire and depending on what the account needs to
> access is what groups it's a member of.
> 

No, that's not correct. It does not matter if you are using a domain
account or a local account as long as you are an administrator on the
system. The installer tries to create a local account on the system
which has just one privilege: the ability to run as a service. The
created account is not a member of any group by design. This becomes a
problem if it is being installed on a domain controller since it has to
be created as an account in the domain and the code does not handle that
situation.

Danny


Re: "Unable Create Account for the Service" on Windows 2008

2010-08-11 Thread Danny Mayer
On 8/11/2010 1:13 PM, HelixGalaxy wrote:
> Hello all,
>  
> I have a fresh installation of Windows Server 2008 (not R2).
>  
> Trying to install BIND 9.7.1-P2 ver and when running the installer,
> putting in the password, I get this error:
>  
> "Unable Create Account for the Service"
>  
> The installer just stops on this error and nothing is done.
>  
> I'm running in Administration account, so I should have all permissions.
> I have tried to figure this out, but I'm lost. Haven't found any solution.
>  
> Maybe you have some for me???
>  
> Regards,
> Martin

It may work if you include the domain name as well as the name of the
account. I assume that you are installing on a domain controller which
has some other requirements when creating accounts. I never did get
around to looking at this issue.

Danny


Re: 9.7.1-P1 ISC error 54

2010-08-01 Thread Danny Mayer
On 8/1/2010 1:22 PM, Jukka Pakkanen wrote:
> Lately have seen in our 9.7.1-P1 server following errors:
> 
> SOCKET_RECV: Windows error code: 1236, returning ISC error 54
> 
> And this warning:
> 
> *** POKED TIMER ***
> 
> Browsing the net told that this is/was a common problem to even
> earlier Bind 9.x.x versions, but couldn't find any explanation or fix
> for it?
> 
> Jukka

I put in a fix for this problem. Cancels that were being signaled were
not being properly recognized on Windows. The error is actually fairly
innocuous but it does fill up the log. The newer versions of BIND are
much more aggressive in canceling requests that are not getting
responses which is why they were not being seen before. I'm hoping it
will get into 9.7.2 since it is a one-line fix but I don't control the
releases so I don't know.

Danny


Re: USADOTGOV.NET Root Problems?

2010-07-27 Thread Danny Mayer
On 7/26/2010 9:50 AM, Merton Campbell Crockett wrote:
> 
> On Jul 25, 2010, at 3:34 PM, Kevin Oberman wrote:
>>
>> And, as tests start to include DNSSEC (and EDNS0) tests, the vendors will
>> likely adjust defaults. Tests for DNSSEC are already appearing on
>> federal systems (not a trivial part of the business) and will likely
>> become general test in the procurement process in the next year.
>>
>> Of course, changing defaults will take longer to change.
>>
>> Now to a more basic question...why the ^...@#$ does everyone put STATEFUL
>> firewalls in front of servers. They are a denial of service attack
>> waiting to happen. I don't know of any highly regarded security expert
>> who recommends them and most object to them rather strongly.
>>
>> I will admit to once having stateful firewalls in front of my DNS
>> servers, but after an unfortunate case of a badly written application
>> DOSing ourselves, stateful firewalls have been removed. Yes, the software
>> needed fixing, but the software was not enough to cause any problem for
>> the servers...just the firewall. And, yes, we still have stateless
>> firewalls in front of our DNS servers and other public servers as well
>> as an aggressive IDS/IPS system.
> 
> Here!  Here!  I much prefer using "packet filter" firewalls at the outer
> markers but haven't been able to sway security or my network colleagues.

Just tell them that you need to deploy DNSSEC which will improve
security but cannot do so without fixing the firewall...

Danny


Re: USADOTGOV.NET Root Problems?

2010-07-24 Thread Danny Mayer
On 7/24/2010 5:10 AM, Warren Kumari wrote:
> 
> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
> 
>> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>>> Thanks for the confirmation that the problem was related to DNSSEC.
>>>
>>> I didn't see your message until I got home from work; however, I did
>>> find the root of the problem late this afternoon.  At each of our
>>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>>> front of a pair of redundant firewalls.  Each ASA is configured with the
>>> default DNS inspect policy that doesn't accept fragmented UDP packets.
>>
>> Why would any inspection policy not allow fragmented UDP packets?
>> There's nothing wrong with that.
> 
> 
> Because it's "hard". The issue is that then you need to buffer
> fragments until you get a full packet -- which leaves you open to
> attacks that send a bunch of fragments but leave one of them out.
> 
> Vendors like to avoid reassembling fragments by default, because it
> makes their performance numbers better.

At the expense of correct behavior and loss of real performance.

Danny


Re: IPv6 Records on an IPv4 Network

2010-07-23 Thread Danny Mayer
On 7/23/2010 8:50 AM, Phil Mayers wrote:
> On 23/07/10 13:23, Danny Mayer wrote:
>> On 7/22/2010 11:33 AM, Phil Mayers wrote:
>>> On 22/07/10 12:19, Rock July wrote:
>>>> Windows Vista and 7 clients will query both type A and AAAA query even
>>>
>>> The OS might make the query, but the application will (should) be using
>>> getaddrinfo, and this will return the IPv4 addresses first, so it
>>> doesn't matter.
>>
>> This is untrue. IPv6 addresses are normally returned first though the
>> ordering depends on a) the order returned by the authoritative nameserver
>> and b) by the resolving server and if it reorders the list returned.
>> There is no specific ordering of resource records specified in the
>> protocol and servers are free to order them in any way they want. It is
>> up to the application to specify what they need and to make decisions on
>> which ones they will use.
> 
> 
> Perhaps we are talking about two different things here?
> 
No.

> Certainly there is no defined ordering of A versus AAAA records in DNS
> replies.
> 
> However, on Linux and Windows at least, the getaddrinfo C library call
> defaults to AI_ADDRCONFIG and RFC3484 address ordering rules; it does
> sort the results, and will present IPv4 results first if there is no
> local IPv6 global address present.
> 

Applications that depend on specific behaviors are broken. You should
always code your applications to handle whatever gets returned. "Be
conservative in what you send and be liberal in what you accept".
Otherwise it will break in unexpected ways. The fact that an
implementation orders results in some way under one condition and a
different way under some other condition is not a reason to believe that
this is safe. Furthermore, provisioning of an IPv6 global address is no
indication of IPv6 network connectivity. The ideas in RFC3484 and usage
of AI_ADDRCONFIG are interesting but don't necessarily result in better
behavior.

Danny
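The point Danny makes here, and that the round-robin A record thread further down the page turns on, is that an application must cope with whatever order of addresses it is handed and must not give up when the first one is dead. The following C program is an added example (not code from the thread, from BIND or from any poster): it tries every getaddrinfo() result in turn; the loopback listener, the dead port 1 and the chained two-entry address list are constructed so the demonstration runs offline.

```c
/* Added example, not code from the thread or from BIND: walk every address
 * that getaddrinfo() returns and try each in turn, so the application
 * works whatever order the nameserver or the resolver library produced
 * (A before AAAA or the reverse) and survives a dead first address. */
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try each entry of an addrinfo list. Returns a connected socket, or -1
 * when every address failed. *tried receives how many were attempted. */
int connect_each(const struct addrinfo *list, int *tried)
{
    int n = 0;
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next) {
        n++;
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;               /* e.g. no IPv6 stack: skip this family */
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
            if (tried) *tried = n;
            return fd;
        }
        close(fd);                  /* refused or unreachable: next address */
    }
    if (tried) *tried = n;
    return -1;
}

/* Real-world entry point: resolve host:port (A and AAAA) and connect.
 * No flag or sorting rule is relied on; every answer gets a try. */
int connect_any(const char *host, const char *port)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }
    int fd = connect_each(res, NULL);
    freeaddrinfo(res);
    return fd;
}

/* Helper for the offline demonstration (constructed): a listener on
 * 127.0.0.1 at an ephemeral port. Returns the socket, stores the port. */
static int make_listener(int *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* Constructed scenario standing in for a round-robin answer whose first
 * host is down: entry 1 is 127.0.0.1 on a port with no listener, entry 2
 * is the live listener. Returns the number of addresses tried before the
 * connection succeeded (expected 2), or -1 if the demo could not run. */
int demo_dead_first_address(void)
{
    struct addrinfo hints, *dead = NULL, *live = NULL;
    char live_port[8];
    int port, tried = 0, result = -1;
    int lfd = make_listener(&port);
    if (lfd < 0)
        return -1;
    snprintf(live_port, sizeof(live_port), "%d", port);
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;   /* no DNS needed */
    if (getaddrinfo("127.0.0.1", "1", &hints, &dead) == 0 &&
        getaddrinfo("127.0.0.1", live_port, &hints, &live) == 0) {
        dead->ai_next = live;           /* chain the two one-entry lists */
        int fd = connect_each(dead, &tried);
        if (fd >= 0) {
            close(fd);
            result = tried;
        }
        dead->ai_next = NULL;           /* unchain before freeing each */
    }
    if (dead) freeaddrinfo(dead);
    if (live) freeaddrinfo(live);
    close(lfd);
    return result;
}

int main(void)
{
    printf("addresses tried before success: %d\n", demo_dead_first_address());
    return 0;
}
```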


Re: USADOTGOV.NET Root Problems?

2010-07-23 Thread Danny Mayer
On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
> Thanks for the confirmation that the problem was related to DNSSEC.
> 
> I didn't see your message until I got home from work; however, I did
> find the root of the problem late this afternoon.  At each of our
> Internet egress and ingress points, we have Cisco ASA devices sitting in
> front of a pair of redundant firewalls.  Each ASA is configured with the
> default DNS inspect policy that doesn't accept fragmented UDP packets.

Why would any inspection policy not allow fragmented UDP packets?
There's nothing wrong with that.

Danny


Re: IPv6 Records on an IPv4 Network

2010-07-23 Thread Danny Mayer
On 7/22/2010 11:33 AM, Phil Mayers wrote:
> On 22/07/10 12:19, Rock July wrote:
>> Windows Vista and 7 clients will query both type A and AAAA query even
> 
> The OS might make the query, but the application will (should) be using
> getaddrinfo, and this will return the IPv4 addresses first, so it
> doesn't matter.

This is untrue. IPv6 addresses are normally returned first though the
ordering depends on a) the order returned by the authoritative nameserver
and b) by the resolving server and if it reorders the list returned.
There is no specific ordering of resource records specified in the
protocol and servers are free to order them in any way they want. It is
up to the application to specify what they need and to make decisions on
which ones they will use.

Danny


Re: ISC to be at OSCON next week...

2010-07-19 Thread Danny Mayer
On 7/16/2010 8:59 AM, Alan Clegg wrote:
> With the signing of the root and all of the related activities, I
> thought I'd take this opportunity to let you know that I'll be giving a
> presentation at OSCON (O'Reilly's Open Source Convention) next week in
> Portland.
> 
>http://www.oscon.com/oscon2010/public/schedule/detail/14112
> 
> I'm not sure why they gave me the slot at 11:50 (lunch time) on Friday
> (last day), but I'm sure that it was all done with the best intentions.
> 
> For some reason, silly (flash in the pan) stuff like "cloud computing"
> and "android programming" got the earlier in the week and less
> lunch-like slots.
> 
> ISC will have a booth at the show as well, so even if you plan to be
> eating lunch on Friday while I'm presenting, please do stop by and say
> "hello" to us!
> 

Will you be sharing your slides or video? Put it on YouTube and it will
be sure to go viral! :)

Danny



Re: bind says 'clocks are unsynchronized' but they are not

2010-07-16 Thread Danny Mayer
On 7/7/2010 12:57 PM, Kalman Feher wrote:
> 
> If you really do have such a small pipe (with your email address I assume
> Sweden. I didn't think Swedes even knew there were link types other than
> fibre ;) ) then perhaps you're throttling it to the point where your NTP sync
> drops off. 


That is most unlikely. NTP is designed to take account of that and since
it was originally designed over 25 years ago when that was more of the
norm, NTP won't drop synch that easily and even if it does it will keep
the clock disciplined until it gets new packets from its specified
servers. NTP packets are only about 68 bytes of payload which is not a
lot for even a loaded link. The biggest issue for NTP is *not* the
latency, ie the time to send a packet and receive a response, but how
much jitter there is, ie how much that latency varies with each request.


Danny


Re: Help me- Bind9.71 service not start on Windows XP

2010-07-06 Thread Danny Mayer
On 7/4/2010 12:37 AM, Vasant Srisanan wrote:
> I install at c:\Servers\named
> 
> But can't start it.
> 
> How I do,for start it.
> 
> Thank you.

C:>net start named

However I suspect that you don't have a named.conf file and that is
required to start named. Check your event log for named errors.

Danny


Re: Issues following 9.3.5-p1 upgrade to 9.7.0-p1 Windows VMware environment

2010-05-12 Thread Danny Mayer
rsm...@osc.gov.on.ca wrote:
> We have been running Bind 9.3.5-P1 on Windows 2003 guest in VMware ESX
> 3.5 environment for many years with no issues. Following an upgrade to
> Bind 9.7.0-p1 we are experiencing a couple of issues. No Bind
> configuration changes were made to config files other than the
> allow-query-cache, additional-from-auth and additional-from-cache
> statements so that queries worked in the new version. The errors are
> occurring on multiple Bind servers on different Vmware ESX hosts.
> 
> On a regular but random basis we are getting the 2 socket error messages
> logged. I have not been able to determine what is causing this to occur
> nor reproduce at will.
> 
> .\socket.c:2444: unexpected error:
> SOCKET_RECV: Windows error code: 1236, returning ISC error 54
> 
> We are also getting a poked timer error logged consistently soon after
> Bind service start and infrequently after that.
> 
> *** POKED TIMER ***
> 
> Any suggestions / solutions would be greatly appreciated.

This looks like a bug in the code. ISC error 54 means that it got a
connection reset on the receive for the packet and Windows error code
indicates that "The network connection was aborted by the local system"
which means that BIND canceled the receive and this is the tail end of
handling the cancellation. Unlike Unix, Windows handles all of this
asynchronously, so it's not completed until it reaches this set of code.

This looks and smells like a bug to me. Please file a bug report by
sending email to bind9-b...@isc.org with these details.

Danny



Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-04-11 Thread Danny Mayer
Kevin Oberman wrote:
>> Date: Mon, 08 Mar 2010 10:03:26 -0800
>> From: Michael Sinatra 
>> Sender: bind-users-bounces+oberman=es@lists.isc.org
>>
>> On 3/7/10 10:46 AM, Danny Mayer wrote:
>>
>>> Autokey is not a cryptographic signature protocol. It *is* an
>>> authentication protocol for the server only and there are a number of
>>> exchanges that need to be done to complete the authentication of the
>>> server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.
>> Correct, the comparison was only to point out that Autokey, like DNSSEC, 
>> doesn't encrypt payload because it doesn't need to.
> 
> More specifically, I don't WANT to encrypt the data for either DNS or
> NTP. In both cases I want the data to always be signed clear-text and
> that is what DNSSEC does.

I'll put it stronger than that. DNSSEC authenticates the server's
*response* and does it in one packet while autokey authenticates the
*server* itself and it takes a number of exchanges of packets before the
client will consider the server as authenticated and it can rely on the
authenticated packets after that.

Danny



Re: BIND doesn't run on XP

2010-03-21 Thread Danny Mayer
Pedro Rafael Sánchez Aranda wrote:
> Hello,
> 
> I'm new on BIND, and I tried to install and configure both 9.7.0-P1 and
> 9.6.2-P1 versions on a Windows XP SP3. In both cases they were correct
> installations but they produce the same error:
> starting BIND 9.x.x-P1 -g
> built with default
> found 1 CPU, using 1 worker thread
> .\socket.c:639: INSIST(err == 0) failed
> exiting (due to assertion failure)
> 
> I used 'netstat' command to see if 53 and 953 ports are in use but there
> aren't.

Are you sure you are running Windows XP? It's looking for the
ConnectEx() function and it's failing. That function first was available
on Windows XP and failure to find that is an indication that you are not
running XP.

Danny



Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-07 Thread Danny Mayer
Michael Sinatra wrote:
> On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
>>>
>>>
>>> DNScurve advocates, on the other hand, point out that DNS isn't
>>> encrypted. Well, neither is the phone book. So what?
>>>
>> So the protocol is vulnerable to both local and remote forgery attacks,
>> just like other unencrypted protocols
>> .
>>
>> For any that don't understand this point, there's a simple thought to
>> prod them in the right direction: Do you remember why SSH and SSL were
>> invented?
> 
> Do you understand the difference between encryption and authentication?
>  SSH and SSL do both because they protect the payload, which may be
> sensitive, AND they want to verify that the server you're talking to is
> really the one you want.  DNS only needs authentication.  DNSSEC
> prevents forgery without encrypting the payload.
> 
>> Do you remember, say, the forgery problems with TELNET and
>> HTTP?
> 
> The bigger problems with TELNET and HTTP were that they could be sniffed
> on the wire to get confidential information like passwords.  Forgery was
> conveniently solved by cryptography along the way, but confidentiality
> was in issue with these protocols, unlike with DNS.
> 
>> The /very same problems exist/ for unencrypted UDP/IP protocols
>> such as DNS and NTP. And the solution is the same, too.
> 
> Yes, cryptographic signatures, not full encryption.  Just like NTP with
> Autokey.

Autokey is not a cryptographic signature protocol. It *is* an
authentication protocol for the server only and there are a number of
exchanges that need to be done to complete the authentication of the
server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.

Danny



Re: named.exe terminated unexpectedly in Bind 9.5.0 for Windows 2000 server

2010-02-28 Thread Danny Mayer
Chandan Laskar wrote:
> 
> Dear All,
>  
> We are using ISC Bind 9.5.0 in Windows 2000 server with SP4 environment
> for one of our DNS. After installation initially it was working fine but
> last few days in an interval of 48 hours (approx) ISC Bind service
> terminated unexpectedly. After observing the system log I found the
> below mentioned error/warning messages:
>  
> /"Application Popup: named.exe -Application error: The exception unknown
> software exception (0xc017) occurred in the application at location
> 0x77fac57c" /
>  
> and
>  
> /" The ISC Bind service terminated unexpectedly" /
>  
> I have also checked the application log, security log and DNS log of the
> server but no error/warning has been observed.
>  
> Anybody please suggest me how to troubleshoot the issue as I am not
> able to find any way to troubleshoot the problem. Is there any bug with
> the mentioned Bind version???
>  

You need to upgrade both your operating system and BIND9. Neither is any
longer supported. Without an entry in the event logs or bind logs you
may have set up or a crash dump, it's impossible to know why it failed.
It's impossible to guess what the problem was.

Danny



Re: Remove/add [A] records based upon server availability

2009-12-27 Thread Danny Mayer
Mark Andrews wrote:
> In message <12831c89-2438-4a84-b81f-14a2ed000...@menandmice.com>, Chris Buxton writes:
>> On Dec 27, 2009, at 7:16 AM, Rick Dicaire wrote:
>>> On Sun, Dec 27, 2009 at 3:16 AM, Ryan S  wrote:
>>>> Some web browsers and applications will fail in a round-robin A record
>>>> configuration such that if the first A record returned is unavailable, then
>>>> the browser will not bring up the page.
>>> So fix the application instead of bending the protocol to suit a
>>> broken application's need?
>>> Specifically, what web browsers and applications are you referring to?
>>> On what OS's?
>> All web browsers, pretty much. Round robin does not provide failover except
>> for protocols and applications that specifically make it work, such as the DNS
>> and SMTP protocols (only between servers, in each case).
>>
>> Using DDNS to remove unresponsive or overloaded web servers from the rrset
>> works OK in situations where solutions at the HTTP and routing layers are not
>> appropriate, such as web servers in different physical locations; there are
>> appliance vendors out there offering such solutions. This is also similar to
>> one part of the Akamai solution for global traffic management.
>>
>> However, this strategy should be avoided when possible, and buffered with
>> highly available solutions at each point to minimize the use.
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
> 
> Applications that fail to try multiple addresses are broken.  RFC 1123
> said as much back in October 1989 (over twenty years ago now).  With
> IPv6 coming along almost every host will be multihomed and if a
> application doesn't cope then you should report it to the vendor now.

While I agree with you in principle, this is almost universally ignored
by just about every internet application that I've ever used including
every one of the web browsers I use.

Danny



Re: Remove/add [A] records based upon server availability

2009-12-27 Thread Danny Mayer
Михаил Фёдоров wrote:
> Hello.
> 
> This has been discussed million times.
> 
> DNS Round Robin A-records are NOT for implementing fail-safe structure
> in such way.
> Most browsers will fail when they get not-responding IP from round
> robin record and will not try to get another one.
> And some of clients will cache this IP, so deleting it upon death will not 
> help.

I would add that the number of applications (never mind just browsers)
that will look at more than one A record response in order to try the
next answer if the first fails to respond can be counted on one hand.

Danny


Re: Hi

2009-12-14 Thread Danny Mayer
supriya samanta wrote:
> Hello All,
>
> As per ISC security bulletin *CVE-2009-4022* There is a problem with
> BIND 9 Cache Update From Additional Section
>
> *Problem Description:* A Nameserver with DNSSEC validation enabled may
> incorrectly add records to its cache from the additional section of
> responses received during resolution of a recursive client query. This
> behavior only occurs when processing client queries with checking disabled
> (CD). It may occur both when requesting, and not when requesting, DNSSEC
> records (DO). If the nameserver is authoritative-only this will not occur.
>  
> We have some business requirement where we need to reproduce the problem.
>  
> Could anyone advise a test case which I may use or direct me to some
> website which could be useful for this purpose.
>  

You should contact ISC directly about this rather than the mailing list.

Danny


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: Bonjour! I wish to compile 9.7.0b3

2009-12-14 Thread Danny Mayer
jv wrote:
> Thank you! Evan,
> 
> I don't have Visual Studio, which is commercial. Do you think I can use
> another compiler, or do you think Visual Studio light is enough (version
> 2008 seems available)?
> 
> Best

It should work fine.

Danny




Re: Bonjour! I wish to compile 9.7.0b3

2009-12-14 Thread Danny Mayer
jv wrote:
> This is my first mail on this list. I hope I am at the right place. I
> have loaded BIND 9.7.0b3 under Windows. Now I would like to compile it.
> Could someone help me with what is exactly to be done (and if I should
> install a special compiler). 
> Thank you for your help!
> 
> -- 
> Joel Verdon

Just follow the instructions in the win32-build.txt file. You need to
build OpenSSL and libxml2 first. That file contains instructions on
those as well. Almost any MSVC compiler will work.

Danny




Re: Windows : compilation options

2009-12-11 Thread Danny Mayer
Romain De Rasse wrote:
> Hi,
> 
> I succeeded in compiling ISC Bind for Windows. I'm now trying to enable
> "fixed rrset" (--enable-fixed-rrset for the configure file). But I
> didn't find how to change options for a Windows compilation.
> 
> Can anyone help me ?

#define DNS_RDATASET_FIXED 1

in config.h

Danny




Re: Mailing to bind

2009-12-07 Thread Danny Mayer
jefsey wrote:
> At 06:36 06/12/2009, Danny Mayer wrote:
>> JFC Morfin wrote:
>> > I wish to set-up my BIND DNS server on Windows XP as a service. I checked
>> > the "automatic start-up". Unfortunately it did not work. The readme1st
>> > guide only says that the way to do it is as usual, which does not help me
>> > since I never did it. When I try using mmc there is no way I find to
>> > declare named as a service.
>> >
>> > Would there be a dedicated Windows/BIND internet user oriented site
>> > which explains how to install BIND on windows?
>>
>> Did you actually read the readme? Did you run BINDInstall? Did you
>> create a named.conf file? Did you check your application event log?
> 
> Dear Danny,
> My questions were basic questions of a basic user, i.e. what I either to
> answer or to solve for him, as part of a complete support of IDNA. I
> therefore understand that BINDInstall is the tool to start from, i.e.
> study and extend as per the new requirements I may perceive. And that a
> dedicated (IDNA/)BIND(/Windows) support solution is to be explored if it
> appears necessary, none existing yet.
> Best.
> jfc

No, BINDInstall is just an install tool. You need to start with
readme1st.txt, named.conf and the ARM, the same as Unix.

Danny




Re: Punycode & nslookup

2009-12-07 Thread Danny Mayer
jefsey wrote:
> At 11:06 06/12/2009, Chris Buxton wrote:
>> On Dec 5, 2009, at 6:34 AM, JFC Morfin wrote:
>> > Chris Buxton  4 December 2009 20:29
>> >> The reason IDN support in the BIND query tools (dig, host,
>> >> nslookup) is not the default is because it relies on a 3rd party
>> >> library, which must be installed and configured by the package builder
>> >> beforehand. This is just like SSL support, needed for DNSSEC and TSIG,
>> >> except that most operating systems don't already ship with libidnkit.
>> >
>> > Do you know the hook? I am just starting investigating the code, and
>> > I have C only as a minor :-)
>>
>> All I know is what you find in the BIND source code directory. For
>> example, with BIND 9.7.0b2:
>>
>> $ ./configure --help | grep idn
>>   --with-idn=MPREFIX  enable IDN support using idnkit default PREFIX
>>   --with-idnlib=ARG   specify libidnkit
>>
>> $ less README.idnkit
> 
> Due to my lack of time and because at the same time I use BIND/Windows
> on my XP machine to test my own way to use the DNS in the IDNA suggested
> context; I selected 9.5.2.
> 

Which means spending even more time since BIND/Windows does not yet
support the IDN libs.

Danny

> I understand from quick digging that the IDN libs are of 2003. Since I
> mainly want to work on them, I feel this is OK. Except if they have been
> updated?
> Best.
> jfc



Re: Punycode & nslookup

2009-12-07 Thread Danny Mayer
Chris Buxton wrote:
> On Dec 4, 2009, at 10:12 AM, Joe Baptista wrote:
> 
>> On Fri, Dec 4, 2009 at 12:26 PM, Chris Buxton  wrote:
>>
>>> nslookup will only understand IDN if BIND is compiled with that
>>> option in the ./configure step.
>> might be a good idea if it was the default option. as idn becomes
>> popular the lack of idn support for the tools will result in confusion.
> 
> The reason IDN support in the BIND query tools (dig, host, nslookup)
> is not the default is because it relies on a 3rd party library, which
> must be installed and configured by the package builder beforehand. This
> is just like SSL support, needed for DNSSEC and TSIG, except that most
> operating systems don't already ship with libidnkit.
> 

And I haven't looked for one for Windows so it probably won't work with
Windows.

Danny




Re: Mailing to bind

2009-12-05 Thread Danny Mayer
JFC Morfin wrote:
> I wish to set-up my BIND DNS server on Windows XP as a service. I checked
> the "automatic start-up". Unfortunately it did not work. The readme1st
> guide only says that the way to do it is as usual, which does not help me
> since I never did it. When I try using mmc there is no way I find to
> declare named as a service.
> 
> Would there be a dedicated Windows/BIND internet user oriented site
> which explains how to install BIND on windows?

Did you actually read the readme? Did you run BINDInstall? Did you
create a named.conf file? Did you check your application event log?

Danny



Re: DIG -6 +TCP

2009-11-29 Thread Danny Mayer
Cathy Almond wrote:
> Doug Barton wrote:
>> Pamela Rock wrote:
>>> For all it's worth, using wireshark, I can see IPv6 UDP queries 
>>> successfully traversing in/out.  Ping6 works successfully.  There is no 
>>> firewall running anywhere(IPv4 or 6).  Still get 
>>>
>>> [r...@dig-client ~]# dig -6 a test.domain @bindserver6 +tcp
>>> socket.c:4922: 22/Invalid argument
>>> dig: isc_socket_connect: unexpected error
>> Ok, when you're using wireshark do you ever see TCP6 packets leaving
>> the box? Can you connect between machines using TCP6 for anything
>> else? And, what OS(es) are you using?
> 
> And, just in case you're not running what you expected...
> 
> dig -v

dig always prints its version when you run it unless you use +short!

Danny




Re: DIG -6 +TCP

2009-11-29 Thread Danny Mayer
Doug Barton wrote:
> Pamela Rock wrote:
>> For all it's worth, using wireshark, I can see IPv6 UDP queries successfully 
>> traversing in/out.  Ping6 works successfully.  There is no firewall running 
>> anywhere(IPv4 or 6).  Still get 
>>
>> [r...@dig-client ~]# dig -6 a test.domain @bindserver6 +tcp
>> socket.c:4922: 22/Invalid argument
>> dig: isc_socket_connect: unexpected error
> 
> Ok, when you're using wireshark do you ever see TCP6 packets leaving
> the box? Can you connect between machines using TCP6 for anything
> else? And, what OS(es) are you using?

You won't get much from wireshark, dig is complaining about the
connect() function and there being something wrong with one of the
arguments. The 22 is the error code and the part after the slash is the
error message matching 22. It is possible that the socket being used is
of the wrong type for the address being connected to. If the socket
opened is an IPv6 socket and the obtained address for the nameserver
being queried happens to be an IPv4 address you could get this behavior.
Does bindserver6 have an A address as well as an AAAA address for the
nameserver?

Danny
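Added example code, not from BIND or from anyone in these threads, tying together two points from this page: the RFC 1123 behaviour Mark Andrews asks for in the "Remove/add [A] records" threads (a client must try every address the resolver returns, not just the first) and the socket/address family mismatch behind the "22/Invalid argument" connect() error discussed in this dig -6 +tcp thread. The function names, the fake connector and the 192.0.2.x / 2001:db8:: sample addresses are assumptions constructed for the example.

```python
import errno
import os
import socket

# One entry of the list socket.getaddrinfo() returns:
#   (family, socktype, proto, canonname, sockaddr)
# A "connector" opens a socket of that family, connects it to sockaddr and
# returns the socket, or raises OSError exactly as socket.connect() would.


def tcp_connector(family, socktype, proto, sockaddr, timeout):
    """Real connector.  The socket family must match the sockaddr's family:
    handing an IPv4 sockaddr to an AF_INET6 socket is the mismatch that
    makes connect() fail with errno 22 (EINVAL, 'Invalid argument')."""
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def connect_first_only(addrinfos, connector=tcp_connector, timeout=2.0):
    """The behaviour the threads complain about: use only the first address
    the resolver handed back and give up if that host does not answer."""
    family, socktype, proto, _canon, sockaddr = addrinfos[0]
    return connector(family, socktype, proto, sockaddr, timeout)


def connect_any(addrinfos, family=socket.AF_UNSPEC, timeout=2.0,
                connector=tcp_connector):
    """Try each address in turn until one connects (RFC 1123 section 2.3).
    family=AF_INET or AF_INET6 mimics dig -4 / dig -6: addresses of the
    other family are skipped rather than fed to a mismatched socket.
    Returns (sock, sockaddr, attempts); attempts lists every address tried
    or skipped with the reason, in dig's "errno/strerror" form."""
    attempts = []
    for fam, socktype, proto, _canon, sockaddr in addrinfos:
        if family != socket.AF_UNSPEC and fam != family:
            attempts.append((sockaddr[0], "skipped: address family mismatch"))
            continue
        try:
            sock = connector(fam, socktype, proto, sockaddr, timeout)
        except OSError as exc:
            if exc.errno is not None:
                reason = f"{exc.errno}/{os.strerror(exc.errno)}"
            else:  # socket.timeout carries no errno
                reason = str(exc) or type(exc).__name__
            attempts.append((sockaddr[0], reason))
            continue
        return sock, sockaddr, attempts
    raise OSError(f"none of {len(addrinfos)} addresses accepted a "
                  f"connection: {attempts}")


# Constructed sample: what getaddrinfo("ns.example", 53) might return for a
# round-robin name, in the rotated order the resolver handed out this time.
# The first IPv4 host is down; the other two answer.
SAMPLE_ADDRINFOS = [
    (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "",
     ("192.0.2.10", 53)),
    (socket.AF_INET6, socket.SOCK_STREAM, socket.IPPROTO_TCP, "",
     ("2001:db8::10", 53, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "",
     ("192.0.2.11", 53)),
]
REACHABLE = {"2001:db8::10", "192.0.2.11"}


class FakeSocket:
    """Stand-in for a connected socket so the example runs offline."""
    def __init__(self, sockaddr):
        self.peer = sockaddr

    def close(self):
        pass


def fake_connector(family, socktype, proto, sockaddr, timeout):
    """Offline stand-in for tcp_connector reproducing the two failures from
    the threads: a dead host (ECONNREFUSED) and a socket/address family
    mismatch (EINVAL, the "22/Invalid argument" dig printed)."""
    host = sockaddr[0]
    if (family == socket.AF_INET6) != (":" in host):
        raise OSError(errno.EINVAL, os.strerror(errno.EINVAL))
    if host not in REACHABLE:
        raise ConnectionRefusedError(errno.ECONNREFUSED,
                                     os.strerror(errno.ECONNREFUSED))
    return FakeSocket(sockaddr)


if __name__ == "__main__":
    for fam in (socket.AF_UNSPEC, socket.AF_INET, socket.AF_INET6):
        _, peer, tried = connect_any(SAMPLE_ADDRINFOS, fam,
                                     connector=fake_connector)
        print(f"{fam!r}: connected to {peer[0]} after {tried}")
```

Swap fake_connector for the default tcp_connector and feed it a real socket.getaddrinfo() result to use it against live servers.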




Re: Questions: BIND Dynamic Update DoS

2009-08-05 Thread Danny Mayer
ato...@people.net.au wrote:
> According to this link: https://www.isc.org/node/474
> 
> The dynamic update vulnerability affects all BIND 9 versions, but what
> about BIND 8? Is it not affected or not tested?
> 
> As we are running BIND 8 (can't upgrade to BIND 9 as we are restricted to
> Windows 2000), how can we test if dynamic update is a problem for us?
> 

Well BIND8 is very badly broken on Windows so you shouldn't use it
either. It is not only well past its end-of-life, there are major
architectural issues with the Windows port of BIND8. You should not be
using ANY version of BIND8 on Windows.

Danny

> TIA.
> Peter




Re: looking for libbind 6.0 prebuild for windows

2009-08-04 Thread Danny Mayer
dong wrote:
> Hi All,
> 
> I am working on a project that needs libresolv support on windows, and I tried
> to build libbind 6.0 using mingw but failed.
> So anyone know where to find a libbind 6.0 prebuild for windows? Or give
> me some hints how to build libbind on windows.

The last time I built this library was for BIND 8. I'd start with the
last version of BIND 8 and build from there. There may even be a
prebuilt binary. I suspect the dsp file for libbind in BIND 8 would be
sufficient to build the newer library, though you'd probably need to make
changes to it.

Danny




Re: Dig shows wrong ip

2009-08-02 Thread Danny Mayer
Chris Thompson wrote:
> On Jul 30 2009, Danny Mayer wrote:
> 
>> Chris Thompson wrote:
>>> On Jul 28 2009, sth...@nethelp.no wrote:
>>>
>>>> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
>>>> 216.250.243.230
>>>>
>>>> As long as that host record exists, with an IP different from what
>>>> your authoritative servers reply with, you are going to have problems,
>>>> because queries will be answered by the GTLD servers and not your own
>>>> authoritative servers.
>>>
>>> This is the wretched "glue promoted to answer" bug (we can call it a
>>> bug by now, surely?) which we are assured that the GTLD servers will
>>> be cured of this year, next year, sometime, or ...
>>>
>>> ... well, they will have to fix it before they can roll out DNSSEC,
>>> won't they? 
>>
>> No. The OP always needs to notify the Registrar of their domain when the
>> address of any of their nameservers changes. That has always been a
>> requirement.
> 
> You are misinterpreting what I said. Of course erroneous glue needs to be
> corrected. But there is no need for the servers to return IP addresses
> provided for glue as an *answer* to a query, as the *.gtld-servers.net ones
> do, rather than giving a proper referral. (At least their answers are not
> marked authoritative, unlike those from some other nameservers.)

It needs to be part of the answer if the nameserver is in the same
domain as the FQDN otherwise it won't know where to go for the answers.
That's the point of the glue.

Danny




Re: [SPAM] Win2k and bind

2009-08-02 Thread Danny Mayer
Matus UHLAR - fantomas wrote:
> On 29.07.09 22:37, Abello, Vinny wrote:
>> Considering 2003, 2003 R2, 2008, and 2008 R2 (technically done, but will
>> officially release in October) have been released, I don't think dropping
>> support for an ancient operating system from 9.5 years ago and roughly 3
>> prior generations that the vendor doesn't even support is a bad idea. :)
>> 2k boxes are time bombs, IMO.
> 
> even if they were not (windows updates), there is a technical reason that
> prevents new bind from being compatible with it (new security features
> require that). Search web/archives for more info.

That's not exactly true. The security fixes did not require any
Windows-specific changes. However the fixes did provoke an existing bug
in the Windows code that needed to be fixed. To fix that the accept and
connect code needed to be revamped (among other areas) and the best way
to do that required changes to clean up the implementation. Functions
only available with Windows XP and later were needed to do this.
> 
> Until M$ fixes that one (I doubt so), new BIND won't be compatible with w2k.
> 

No, they'd have to add the API functions to an obsolete version of Windows.

Danny



Re: [SPAM] Win2k and bind

2009-08-01 Thread Danny Mayer
Jukka Pakkanen wrote:
> Unfortunately W2K was dropped a while ago, no safe version available for it.
> 

Actually, less than a year ago. It became necessary.

Danny
> 
>> I know this is a very lame question, But I have been out of the Bind loop
>> for a number of years ( yes I went over to the dark side ...MS DNS) but I
>> want to come back.  My question is this I have win2K servers what version
>> of
>> bind will run on this?



Re: Creating a CNAME to another domain.

2009-08-01 Thread Danny Mayer
Kevin Darcy wrote:
> Danny Mayer wrote:
>> Kevin Darcy wrote:
>>  
>>> Ezra Taylor wrote:
>>>
>>>> Hello All:
>>>> How can I create a CNAME that points to another
>>>> domain.  Example below.  Is the below example possible?
>>>>
>>>>
>>>>
>>>> stars.mydomain.com <http://stars.mydomain.com>  IN  CNAME
>>>> stars.otherdomain.com <http://stars.otherdomain.com>.
>>>>
>>>>   
>>> If stars.mydomain.com is just an ordinary name in the mydomain.com zone,
>>> then there is no problem with what you show above (except,
>>> syntactically, you need the trailing dot, as was already pointed out).
>>>
>>> If, on the other hand, stars.mydomain.com is a *zone*, then it's not
>>> possible, because in that case there would be "apex" records (records
>>> whose name is the same as that of the zone); at a minimum, an SOA and at
>>> least 2 NS records, which are required for each and every zone. When a
>>> particular name owns a CNAME record, it cannot also own SOA or NS
>>> records.
>>> 
>>
>> Not true. For a Domain alias use a DNAME:
>>
>> mydomain.com.   IN  DNAME   otherdomain.com.
>>   
> Bearing in mind that the OP asked specifically about creation of CNAMEs,
> which part is "not true"?

Aliasing domain names.

Danny



Re: Dig shows wrong ip

2009-07-29 Thread Danny Mayer
Chris Thompson wrote:
> On Jul 28 2009, sth...@nethelp.no wrote:
> 
>> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
>> 216.250.243.230
>>
>> As long as that host record exists, with an IP different from what
>> your authoritative servers reply with, you are going to have problems,
>> because queries will be answered by the GTLD servers and not your own
>> authoritative servers.
> 
> This is the wretched "glue promoted to answer" bug (we can call it a
> bug by now, surely?) which we are assured that the GTLD servers will
> be cured of this year, next year, sometime, or ...
> 
> ... well, they will have to fix it before they can roll out DNSSEC,
> won't they?
> 

No. The OP always needs to notify the Registrar of their domain when the
address of any of their nameservers changes. That has always been a
requirement.

Danny




Re: Creating a CNAME to another domain.

2009-07-28 Thread Danny Mayer
Kevin Darcy wrote:
> Ezra Taylor wrote:
>> Hello All:
>> How can I create a CNAME that points to another
>> domain.  Example below.  Is the below example possible?
>>
>>
>>
>> stars.mydomain.com   IN  CNAME   stars.otherdomain.com.
>>
> If stars.mydomain.com is just an ordinary name in the mydomain.com zone,
> then there is no problem with what you show above (except,
> syntactically, you need the trailing dot, as was already pointed out).
> 
> If, on the other hand, stars.mydomain.com is a *zone*, then it's not
> possible, because in that case there would be "apex" records (records
> whose name is the same as that of the zone); at a minimum, an SOA and at
> least 2 NS records, which are required for each and every zone. When a
> particular name owns a CNAME record, it cannot also own SOA or NS records.

Not true. For a Domain alias use a DNAME:

mydomain.com.   IN  DNAME   otherdomain.com.

Danny





Re: Bind 9.6.1: skipping zone transfer, but why ?

2009-07-15 Thread Danny Mayer
Chris Buxton wrote:
> On Jun 30, 2009, at 6:15 AM, bind9 wrote:
>> 1) "skipping zone transfer as master 213.173.250.146#53 (source
>> 0.0.0.0#0) is unreachable
>> (cached)" seem to indicate that the slave has cached a knowledge about
>> the master being
>> unreachable. It isn't. I can nslookup on the master from the slave
>> just fine. What is wrong?
> 
> The slave is caching, for some length of time set in the source code (an
> hour? something like that), that the master is unreachable for zone
> transfers.
> 
>> 2) what causes "transfer of '3yhta.dk/IN' from 213.173.250.146#53:
>> failed to connect:
>> connection refused" ? There is no evidence of "connection refused" in
>> the masters log, so where
>> could this come from?
> 

The connection refused error means that nothing is listening at that
port on that address. That means that either the server was not
configured to listen on that address or the server has gone down.

> 
> The master is unreachable over TCP. The port has gone deaf. We see this
> on some operating systems and not others. (We don't work much with BIND
> on Windows, so we hadn't seen the issue on that OS.) Basically, when the
> port is not used for a while, it looks like the OS shuts down the
> listener without telling the service.
> 

No, Windows doesn't do that. It is no different from a Unix O/S. I have
no idea what you mean by the listener here or the service, but on
Windows the service is only involved with getting the server running and
does not know or care about what IP addresses and ports get used if they
get used at all. This is no different from Unix.

Danny






Re: DNSKEY Validation

2009-07-13 Thread Danny Mayer
Stephane Bortzmeyer wrote:
> On Sun, Jul 12, 2009 at 08:42:27PM +0200,
>  Mark Elkins  wrote 
>  a message of 31 lines which said:
> 
>> Arg 3 should be 5 (or maybe 3) - the algorithm.
> 
> No, you must not use a hard-wired list in your code, because the list
> of algorithms registered at IANA can change.

It had better not, otherwise you would have horrendous interoperability problems.

Danny




Re: Zone transfer failing

2009-06-26 Thread Danny Mayer
Scott Haneda wrote:
> On Jun 23, 2009, at 3:01 PM, Hauke Lampe wrote:
> 
>> Scott Haneda wrote:
>>
>>> $dig sugardimplesdesigns.com SOA @ns1.hostwizard.com +short
>>
>> Do you block 53/tcp anywhere on the path to your nameserver?
>> It rejects TCP queries:
>>
>> | dig +tcp sugardimplesdesigns.com SOA @ns1.hostwizard.com +short
>> | ;; Connection to 64.84.37.14#53(64.84.37.14) for
>> sugardimplesdesigns.com failed: connection refused.
>>
>> This matches the error log from your secondary:
>>
>>>Description:
>>>transfer of 'sugardimplesdesigns.com/IN' from 64.84.37.14#53:
>>> failed to
>>>connect: connection refused
>>
>> You must allow TCP to port 53 for DNS to function properly.
>>
>>> Appears to me I am refusing them, I do not see it in my logs, what logs
>>> would be it in, or what logging statements would I turn on to be able to
>>> diagnose this?
>>
>> I would probably first check if the server actually listens on 53/tcp
>> (with fuser, netstat or similar) and then use tcpdump.
> 
> 
> Good observation.  This is a long standing issue that I assumed was
> solved.  Named on OS X will go deaf on port 53 tcp for some reason.  I
> just kicked it, and now I can tcp dig it.
> 
> $dig +tcp sugardimplesdesigns.com SOA @ns1.hostwizard.com +short
> ns1.hostwizard.com. scott.hostwizard.com. 2009062206 28800 7200 2419200
> 3600
> 
> I know the Men & Mice guys are familiar with this, if you guys are
> reading, have you ever pinned this down, or found a solution to it?

You should upgrade to the latest version of BIND9. You didn't mention
the version of BIND9. A connection refused means that it is not
listening at all on that IP address/TCP port. If it still fails from time
to time with the latest release version file a bug report with
bind9-b...@isc.org.

Between NTP and BIND9 you seem to be having quite a few problems! :)

Danny




Re: tcp versus udp

2009-05-05 Thread Danny Mayer
Peter Dambier wrote:
> Hello Martin,
> 
> since a major outage at my provider, dtag.de or Deutsche Telecom AG, I have
> trouble with f.root-servers.net. Sometimes "dig ... +vc" does help me to see
> f.root-servers.net.
> 
> The real problem is anycast. With udp it behaves different than with tcp.

That's nonsense. anycast is invisible to this. anycast doesn't care if
it's udp or tcp, it only deals with the routing tables to determine
where to send the request packet.

> 
> When querying servers that are difficult to reach, sometimes you are more
> lucky with tcp than with udp.

Only if they are misconfigured.

> 
> Amplification attacks using nameservers don't work with tcp.
> 
> Sometimes bugs in resolvers sometimes in clients cause failover to tcp.
> 
> With DNSSEC tcp is almost a must. Same with IPv6.
> 

This is also untrue. DNSSEC has EDNS0 as a prerequisite and IPv6 fits
into any EDNS0 packet unless there's too much even for the larger
EDNS0 packets. TCP is only required if the answer doesn't fit in the
packet. There are lots of firewalls, etc. that do not handle EDNS0 but
that is a different question.

Danny
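To make the "TCP is only required if the answer doesn't fit" point concrete, here is an added example (not BIND code, not from anyone on this thread) that builds a query with and without an EDNS0 OPT record (RFC 6891), reads back the advertised UDP payload size (512 bytes when there is no OPT, per RFC 1035), and has a constructed server side set TC only when the answer would exceed that size. Only TC=1 tells the client to retry over TCP; the name example.com, the 4096-byte size and the 1200-byte DNSKEY answer are assumptions.

```python
import struct

TYPE_OPT = 41               # EDNS0 OPT pseudo-RR type
FLAG_QR, FLAG_TC = 0x8000, 0x0200
DO_BIT = 0x00008000         # "DNSSEC OK" flag in the OPT TTL field


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (uncompressed wire form)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, edns_udp_size=None, txid=0x1234):
    """Class IN query with RD set.  When edns_udp_size is given an OPT RR is
    appended advertising that UDP payload size with DO set, which is what a
    DNSSEC-aware resolver sends."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, DO_BIT, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """UDP payload size the sender can accept: the OPT RR's CLASS field, or
    512 when there is no OPT at all (plain RFC 1035 limit)."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return 512


def server_reply(query, answer_size):
    """Constructed server side: echo ID and question, set QR, and set TC
    only when an answer of answer_size bytes exceeds the advertised size
    (the records themselves are omitted; only the header matters here)."""
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR
    if answer_size > advertised_udp_size(query):
        flags |= FLAG_TC
    question = query[12:skip_name(query, 12) + 4]
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + question


def needs_tcp_retry(response):
    """TC=1 is the only signal that the client must repeat the query over TCP."""
    return parse_header(response)["tc"]


if __name__ == "__main__":
    plain = build_query("example.com.", 48)            # DNSKEY, no EDNS0
    edns = build_query("example.com.", 48, 4096)       # DNSKEY with EDNS0
    for label, q in (("no EDNS0", plain), ("EDNS0 4096", edns)):
        print(f"{label}: accepts {advertised_udp_size(q)} bytes; "
              f"1200-byte DNSKEY answer needs TCP: "
              f"{needs_tcp_retry(server_reply(q, 1200))}")
```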




Re: request timeout

2009-05-01 Thread Danny Mayer
Except that if it fails to get an answer it will try a different
authoritative nameserver.

Danny
Jonathan Petersson wrote:
> IIRC it's 3 seconds.
> 
> On Tue, Apr 28, 2009 at 12:42 AM, Jeff Pang  wrote:
>> When a Bind requests another Bind for a name resolving, what's the
>> timeout value for this request?
>> I mean, within how many seconds peer Bind doesn't answer it, this Bind
>> will give up the query?
>>
>> Thanks.
>> Regards.




Re: Bind for Windows - supports IPv6 or not?

2009-04-08 Thread Danny Mayer
Karl Auer wrote:
> Hi there.
> 
> I want to work around the "XP won't use IPv6 as a DNS transport" issue.
> So I downloaded the latest precompiled BIND (9.6.0-P1) for Windows from
> the ISC site, and read the following in the "readme first" file:
> 
> "This is a release of BIND 9.5 for Window 2000/XP/2003.
> Only IPv4 stacks are supported on the box running this version of BIND.
> IPv6 stacks will be supported in a future release."
> 
> Hm! The download was 9.6.0-P1, the readme refers to 9.5. Could it be
> that the downloaded version *does* now support IPv6?
> 
> If not, are there precompiled binaries with IPv6 support anywhere else,
> or do I have to compile it myself to get IPv6 support? I haven't
> compiled anything on a Windows platform since about Windows 3.11...
> 
> Regards, K.

It does support IPv6. I fixed that note but it's not yet been pulled
into the branch.

Danny




Re: DLZ Binary for Windows

2009-04-02 Thread Danny Mayer
Hal Dell wrote:
> Hello... Anyone know of a place to download a Windows Binary
> Installation Kit for recent version of Bind with DLZ option enabled. As
> I understand it -- this feature is a compile time option. If not -- is
> it easy to compile with this option on?
> 

If you are asking about a backend interface into a database then the
work has not been done for windows. If you want it done then there is a
cost involved in getting the work done and ISC will be happy to provide
you a quote.

Danny




Re: BIND 9.6.0-P1

2009-03-25 Thread Danny Mayer
Carl Fretwell wrote:
> Hi Everyone
> 
>  
> 
> I have installed BIND 9.6.0-P1 on a Windows Server 2003 x64 system but
> when I come to start the “ISC BIND” service I always get a 1067 error
> which I read somewhere was due to permissions so made sure the user
> account password etc was correct still didn’t fix the issue.
> 
>  

Did you read the readme1st.txt file that comes with the binaries?

Did you include a directory directive in named.conf?

> 
> Sometimes the exe actually crashes and I get an “unknown exception”
> 

Is there something in the event log which shows where the error is?

Danny

>  
> 
> The only way I can get bind to start successfully is with named.exe –f
> –c c:\bind9\etc\named.conf
> 
>  
> 
> Could anyone tell me what this could be? It works fine on 32 bit systems
> but I’ve had bind running before on x64.
> 
>  
> 
> Regards



Re: Hostname Naming Compliance

2009-03-08 Thread Danny Mayer
Kevin Darcy wrote:

> But, as far as I can tell, there's no *practical* reason to disallow
> underscores, other than the fact that it may trip the standards-checking
> code of some _other_ piece of software. So, piece of software A
> disallows underscores because it's worried about causing a problem for
> piece of software B, and piece of software B keeps the restriction
> because it's worried about about causing a problem for piece of software
> C, and piece of software C keeps the restriction because it's worried
> about causing a problem for piece of software A.
> 

I had a case a year or two ago where a system had a host name with an
underscore in it and as a result it was unable to make a number of
connections. I don't remember the details any more but removing the
underscore solved the problem. It was running Windows which is why it
was allowed to get that hostname in the first place. It was easier for
me to point to the RFC's to get the sysadmins to change it than to
figure out what was causing it to trip up and fail. There are too many
failure paths.

Danny


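As an added illustration of the two different checks Kevin distinguishes (this is not code from the thread or from BIND): DNS itself only enforces the RFC 1035 size limits, so an underscore is a legal label character, while the RFC 952/1123 host-name syntax that "some other piece of software" applies rejects it. The names used are made-up examples.

```python
"""Two different 'is this name legal' checks that often get conflated:
the RFC 1035 limits DNS itself enforces, and the stricter RFC 952/1123
host-name syntax that application code applies.  Added example; not from
the thread or from BIND.  All names below are made up."""
import re

# RFC 1123 section 2.1: letters, digits and hyphen; may start with a digit;
# may not start or end with a hyphen; 1..63 characters.
_HOST_LABEL = re.compile(r'^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$', re.IGNORECASE)


def is_valid_dns_name(name):
    """RFC 1035 size limits only: each label 1..63 octets, whole name at most
    255 octets in wire form.  DNS places no restriction on the characters
    themselves (RFC 2181 section 11), so '_' is fine here."""
    name = name.rstrip('.')
    if not name:
        return True                      # the root
    labels = [l.encode('utf-8') for l in name.split('.')]
    if any(not 1 <= len(l) <= 63 for l in labels):
        return False
    wire_len = sum(len(l) + 1 for l in labels) + 1   # length bytes + root
    return wire_len <= 255


def is_valid_hostname(name):
    """RFC 952/1123 host name: a valid DNS name whose every label is letters,
    digits and interior hyphens.  Underscores fail here, not in DNS."""
    stripped = name.rstrip('.')
    if not stripped or not is_valid_dns_name(stripped):
        return False
    return all(_HOST_LABEL.match(l) for l in stripped.split('.'))


def classify(name):
    """Summarise which of the two checks a name passes."""
    return ('dns' if is_valid_dns_name(name) else '-',
            'host' if is_valid_hostname(name) else '-')


if __name__ == '__main__':
    for n in ('my-host.example.com', 'my_host.example.com',
              '_ldap._tcp.example.com', '-bad.example.com',
              'a' * 64 + '.example.com'):
        print(f'{n:45} {classify(n)}')
```

The SRV-style name _ldap._tcp.example.com is the usual reminder that a name can be perfectly valid DNS data while failing every host-name check; the converse (a host name that DNS rejects) only happens on the length limits.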


Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-27 Thread Danny Mayer
Michael Milligan wrote:
> hongyi.z...@gmail.com wrote:
>>> You *must* reference the location using the same URI if you expect to
>>> see the same expected results.
>> Thanks  for  your  detailed  explanations.  Another issue: what do you
>> mean by saying URI?  What's the differences between URI and URL?
> 
> Just being more general.  A URL is a HTTP URI... Google has plenty of
> explanations.
> 

That's nonsense. A URL was never just an HTTP URI. It's one example of
one but there have always been more than one type.

Danny



Re: .\socket.c:633: INSIST(err == 0) failed

2009-02-13 Thread Danny Mayer
kenk...@yahoo.com wrote:
> Anyone ever see this error with Bind running on Windows?
> I only could find one reference to this in Google and it looks like he never 
> got an answer :-P
> 
> [d:\bind\bin]named -g
> 13-Feb-2009 22:16:57.082 starting BIND 9.6.0-P1 -g
> 13-Feb-2009 22:16:57.102 built with default
> 13-Feb-2009 22:16:57.102 found 1 CPU, using 1 worker thread
> 13-Feb-2009 22:16:57.152 .\socket.c:633: INSIST(err == 0) failed
> 13-Feb-2009 22:16:57.162 exiting (due to assertion failure)
> 
> Nothing is written in the log files (I have logging setup in my bind.conf 
> file.
> I've been running 9.2 for a while and decided to upgrade to 9.6 but it looks 
> like I'll have to go back to my previous version :-P
> 
>  ken

What version of Windows are you using? It looks like you are using an
unsupported version of Windows. The minimum version is Windows XP.

Danny



Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices ForCoexisting

2009-02-08 Thread Danny Mayer
Vinny Abello wrote:
>> -Original Message-
>> From: Danny Mayer [mailto:ma...@gis.net]
>> Sent: Sunday, February 08, 2009 8:32 PM
>> To: Vinny Abello
>> Cc: Baird, Josh; bind-users@lists.isc.org
>> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices
>> ForCoexisting
>>
>> Vinny Abello wrote:
>>>> Baird, Josh wrote:
>>>>> Actually, yes, if you have dynamic DNS registration enabled on the
>>>> client/host and server, an 'A' record will automatically be created
>> in
>>>> the AD zone.
>>>> It needs to be registered in the domain first. Otherwise any system
>>>> could masquerade as another system.
>>>>
>>>> Danny
>>> And they can if the administrator mistakenly allows unsecure dynamic
>> updates.
>> Registration of the system in ADS has nothing to do with dynamic
>> updates
>> of the DNS records.
> 
> Right. We're talking about dynamic updates in DNS, not the creation
> of
computer accounts in AD. That was my point. If the allow dynamic updates
setting is not set to secure only, anybody that can send a DDNS update
to the server can update a record.
> 

Microsoft's implementation of dynamic DNS requires that the client use
the GSS-TSIG protocol and the prerequisite for that is that the client
system is registered with ADS. After that it makes use of the GUID in
the GSS-TSIG protocol to register the DNS records for the system. If the
system is not registered it cannot use GSS-TSIG.

Danny


Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices ForCoexisting

2009-02-08 Thread Danny Mayer
Vinny Abello wrote:
>> Baird, Josh wrote:
>>> Actually, yes, if you have dynamic DNS registration enabled on the
>> client/host and server, an 'A' record will automatically be created in
>> the AD zone.
>> It needs to be registered in the domain first. Otherwise any system
>> could masquerade as another system.
>>
>> Danny
> 
> And they can if the administrator mistakenly allows unsecure dynamic updates.
> 

Registration of the system in ADS has nothing to do with dynamic updates
of the DNS records.

Danny


Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices ForCoexisting

2009-02-07 Thread Danny Mayer
Baird, Josh wrote:
> Actually, yes, if you have dynamic DNS registration enabled on the
client/host and server, an 'A' record will automatically be created in
the AD zone.
>  

It needs to be registered in the domain first. Otherwise any system
could masquerade as another system.

Danny
> Josh
> 
> 
> 
> From: bind-users-boun...@lists.isc.org on behalf of Danny Mayer
> Sent: Sat 2/7/2009 2:29 PM
> To: wiskbr...@hotmail.com
> Cc: bind-users@lists.isc.org
> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices 
> ForCoexisting
> 
> 
> 
> wiskbr...@hotmail.com wrote:
>> The case the windows team made was ease of adding entries, you simply
>> add into the MMC, or even easier, when you join a host into a domain, it
>> adds itself.
>>
> 
> This is not even true. To add a host to a domain you have to register it
> manually, either by going into ADS and adding it or a Domain
> Administrator has to enter it on the machine using his/her administrator
> password. There's nothing automatic about this.
> 
> Danny
> 
> 
> 



Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting

2009-02-07 Thread Danny Mayer
wiskbr...@hotmail.com wrote:
> The case the windows team made was ease of adding entries, you simply
> add into the MMC, or even easier, when you join a host into a domain, it
> adds itself.
> 

This is not even true. To add a host to a domain you have to register it
manually, either by going into ADS and adding it or a Domain
Administrator has to enter it on the machine using his/her administrator
password. There's nothing automatic about this.

Danny



Re: How many nameservers?

2009-02-03 Thread Danny Mayer
Ben Croswell wrote:
> I have never heard of there being any downside to a large number of NS
> records for a domain.
> I know internally to my company we have large numbers of NS records for
> the internal domains.
> 

There is one. A large number of NS records won't fit into a UDP packet,
so you get the TC flag and have to retry over TCP. This gets worse if
one side does not support EDNS, which would allow a larger packet.

Danny

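The 512-byte limit behind Danny's point, as an added example (this is not code from the thread or from BIND): a minimal NS answer is built in DNS wire format with RFC 1035 label compression, and the script counts how many NS records for one zone fit under 512 bytes, with and without A-record glue in the additional section, and under a 4096-byte EDNS0 buffer. The zone example.com, the ns1.example.com... server names and the 192.0.2.x (TEST-NET-1) glue addresses are made up for the illustration.

```python
"""How many NS records fit in a DNS response before the 512-byte UDP limit
(RFC 1035) forces the TC bit and a TCP retry.  Added example, not BIND code.
The zone, server names and 192.0.2.x glue addresses are made up."""
import struct


def encode_name(name, offsets, pos):
    """Wire-encode a domain name with RFC 1035 label compression.
    offsets: suffix (e.g. 'example.com.') -> message offset where it was first
    written; pos: offset in the message at which this name starts."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    out = b''
    for i in range(len(labels)):
        suffix = '.'.join(labels[i:]) + '.'
        if suffix in offsets:                      # reuse: 2-byte pointer
            return out + struct.pack('!H', 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        label = labels[i].encode('ascii')
        out += bytes([len(label)]) + label
    return out + b'\x00'                           # root label terminates


def ns_response(zone, nameservers, ttl=3600, glue=False):
    """Minimal authoritative answer: header, one 'zone NS' question, one NS RR
    per server and, if glue is set, one A record per server in the additional
    section.  No OPT record is added, so the sizes are a lower bound."""
    offsets = {}
    arcount = len(nameservers) if glue else 0
    # ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack('!HHHHHH', 0x1234, 0x8400, 1, len(nameservers), 0, arcount)
    msg += encode_name(zone, offsets, len(msg)) + struct.pack('!HH', 2, 1)  # NS, IN
    for ns in nameservers:
        msg += encode_name(zone, offsets, len(msg))
        rdata = encode_name(ns, offsets, len(msg) + 10)  # 10 = TYPE+CLASS+TTL+RDLENGTH
        msg += struct.pack('!HHIH', 2, 1, ttl, len(rdata)) + rdata
    if glue:
        for i, ns in enumerate(nameservers):
            msg += encode_name(ns, offsets, len(msg))  # owner compresses to a pointer
            msg += struct.pack('!HHIH', 1, 1, ttl, 4) + bytes([192, 0, 2, (i + 1) % 256])
    return msg


def fits_in_udp(msg, limit=512):
    """True if the message goes out over UDP at this payload size without TC."""
    return len(msg) <= limit


def max_ns_records(zone, template, limit=512, glue=False):
    """Largest N for which N servers named template.format(1..N) fit in limit."""
    n = 0
    while True:
        servers = [template.format(i) for i in range(1, n + 2)]
        if not fits_in_udp(ns_response(zone, servers, glue=glue), limit):
            return n
        n += 1


if __name__ == '__main__':
    for glue in (False, True):
        for limit in (512, 4096):   # 4096 = a common EDNS0 advertised buffer
            n = max_ns_records('example.com.', 'ns{}.example.com.', limit, glue)
            print(f'glue={glue!s:5} limit={limit}: {n} NS records fit')
```

Running it shows the point: with glue in the additional section the answer overflows 512 bytes at around 15 servers even for short names, while under a 4096-byte EDNS0 buffer more than a hundred fit; a resolver on a path where EDNS does not get through is back to the 512-byte case, sees TC, and has to retry over TCP.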



Re: BIND 9.6.0-P1 on windows server 2008 32 bit hangs

2009-01-26 Thread Danny Mayer
Kobi Shachar wrote:
> Yes, I tried to downgrade to 9.50 p2 and the problem was there too.
> It looks like a bug on a Windows 2008 machine, isn't it?
> Also, you can see that there is 8 lines of the same messages. Each for 1
> core CPU.
> 
That might take some time to track down. In the meantime, please file a
bug report on this with bind9-b...@isc.org.

Danny
> 
> -Original Message-
> From: Danny Mayer [mailto:ma...@gis.net] 
> Sent: Monday, January 26, 2009 4:49 AM
> To: Kobi Shachar
> Cc: bind-users@lists.isc.org
> Subject: Re: BIND 9.6.0-P1 on windows server 2008 32 bit hangs
> 
> Kobi Shachar wrote:
>> Recently I upgraded my bind machine to a new windows 2008 server web
>> edition 32 bit with 2 E5420 quad core CPU's.
>>
>> The server is configured with about 7000 master zone files.
>>
>>  
>>
>> Since the upgrade, BIND hangs every 5-10 hours.
>>
>> I checked the logs and I saw these lines on the default log:
>>
>>  
>>
>> 5-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.833 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.833 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>>  
>>
>> After the service hangs, all the queries return a timeout and there are
>> no answers anymore from the dns server.
>>
>> "rndc status" tells me that the service is up and running and zone
>> transfers are continued as usual.
>>
>> Only the DNS queries stop working and return a timeout.
>>
>>  
>>
>> Any idea?
> 
> Upgrade. There were bugs in that version that were only fixed in the
> P1-W2 version. Either to 9.5.0-P2-W2, 9.5.1-P1 or 9.6.0-P1.
> 
> Danny
> 
> 
> 
> 
> 


Re: BIND 9.6.0-P1 on windows server 2008 32 bit hangs

2009-01-26 Thread Danny Mayer
Danny Mayer wrote:
> Kobi Shachar wrote:
>> Recently I upgraded my bind machine to a new windows 2008 server web
>> edition 32 bit with 2 E5420 quad core CPU's.
>>
>> The server is configured with about 7000 master zone files.
>>
>>  
>>
>> Since the upgrade, BIND hangs every 5-10 hours.
>>
>> I checked the logs and I saw these lines on the default log:
>>
>>  
>>
>> 5-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.833 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>> 25-Jan-2009 07:20:03.833 client: error: UDP client handler shutting down
>> due to fatal receive error: host unreachable
>>
>>  
>>
>> After the service hangs, all the queries return a timeout and there are
>> no answers anymore from the dns server.
>>
>> "rndc status" tells me that the service is up and running and zone
>> transfers are continued as usual.
>>
>> Only the DNS queries stop working and return a timeout.
>>
>>  
>>
>> Any idea?
> 
> Upgrade. There were bugs in that version that were only fixed in the
> P1-W2 version. Either to 9.5.0-P2-W2, 9.5.1-P1 or 9.6.0-P1.
> 
> Danny

Sorry, I misread the subject line. Does this work with the BIND
9.5.0-P2-W2, 9.5.1-P1?

Danny



Re: BIND 9.6.0-P1 on windows server 2008 32 bit hangs

2009-01-25 Thread Danny Mayer
Kobi Shachar wrote:
> Recently I upgraded my bind machine to a new windows 2008 server web
> edition 32 bit with 2 E5420 quad core CPU's.
> 
> The server is configured with about 7000 master zone files.
> 
>  
> 
> Since the upgrade, BIND hangs every 5-10 hours.
> 
> I checked the logs and I saw these lines on the default log:
> 
>  
> 
> 5-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
> 25-Jan-2009 07:20:03.832 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
> 25-Jan-2009 07:20:03.833 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
> 25-Jan-2009 07:20:03.833 client: error: UDP client handler shutting down
> due to fatal receive error: host unreachable
> 
>  
> 
> After the service hangs, all the queries return a timeout and there are
> no answers anymore from the dns server.
> 
> "rndc status" tells me that the service is up and running and zone
> transfers are continued as usual.
> 
> Only the DNS queries stop working and return a timeout.
> 
>  
> 
> Any idea?

Upgrade. There were bugs in that version that were only fixed in the
P1-W2 version. Either to 9.5.0-P2-W2, 9.5.1-P1 or 9.6.0-P1.

Danny



Re: ipv6 BIND reverse lookup question/problem

2009-01-17 Thread Danny Mayer
Bryce Burgess (bburgess) wrote:
> I don't get an "ANSWER SECTION" part of the response to a 'dig -x' cmd
> for the reverse lookup for IPV6 addresses. I do for IPV4.
> Is the format of the reverse ipv6 not correct?
> Webmin automatically gen's the green and will not allow the blue data
> below to be entered (complains of invalid data when attempting to save).
> I'd assume this green  format is correct (since the webmin util gen'd
> it), but the 'dig -x' does not return an "ANSWER" section. Shouldn't it?
> or is this normal?
> (The green seems to be a mix of two formats, the full fwd ipv6 address
> with the partial reverse arpa data appended.)
>  

I don't see any colors since I make sure I only read plaintext messages.
You should not assume that people have anything else. Why don't you send
your message and properly indicate what you want people to look at.

Danny
> all the forward lookups seem to be fine (for both ipv4 and ipv6).
>  
> Should I direct my questions to webmin community?
>  
> thx,
> ice.burge
>  
> Shouldn't the reverse table entry contain the following:
> [ 
> 2.5.0.0.1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa  ]
> and not the following:
> [ 
> :0fd6:000a:::::0011:0052.0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa.
>  
> ]
>  
> from Fedora Linux 7 install and webmin 1.441
> BIND version 9.4.0,
>  
> from "BIND DNS Server" within Webmin, went to "module config" and set
> IPV6 to yes, applied changes.
> created (fwd) domain se070.com
> created (rev) domain 10.11.11.0
> created (rev) domain  fd6:a::/64
> assigned dns address 10.11.11.52 and 'yes' to rev update. noted new
> entry in reverse table
> [  52.11.11.10.in-addr.arpa.  ]
>  
> assigned dns address 10.11.11.52 and 'yes' to rev update. noted new
> entry in reverse table
> [ 
> :0fd6:000a:::::0011:0052.0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa.
>  
> ]
>  
> from root, I type in:
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> [r...@a024 bryce]# dig -x fd6:a::11:52
>  
> ; <<>> DiG 9.4.0 <<>> -x fd6:a::11:52
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1342
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;2.5.0.0.1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa.
> IN PTR
>  
> ;; AUTHORITY SECTION:
> 0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa. 38400 IN SOA a024.se070.com.
> bburgess.cisco.com. 1232145084 10800 3600 604800 38400
>  
> ;; Query time: 0 msec
> ;; SERVER: 10.11.11.24#53(10.11.11.24)
> ;; WHEN: Fri Jan 16 16:53:38 2009
> ;; MSG SIZE  rcvd: 155
>  
> [r...@a024 bryce]# dig -x 10.11.11.52
>  
> ; <<>> DiG 9.4.0 <<>> -x 10.11.11.52
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9534
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;52.11.11.10.in-addr.arpa.  IN  PTR
>  
> ;; ANSWER SECTION:
> 52.11.11.10.in-addr.arpa. 3600  IN  PTR se070-cm13-02.se070.com.
>  
> ;; Query time: 0 msec
> ;; SERVER: 10.89.114.40#53(10.89.114.40)
> ;; WHEN: Fri Jan 16 16:53:50 2009
> ;; MSG SIZE  rcvd: 79
>  
> [r...@a024 bryce]#
>  
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
>  
> [r...@a024 bryce]# dig se070-cm13-02.se070.com 
>  
> ; <<>> DiG 9.4.0 <<>> se070-cm13-02.se070.com 
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51165
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;se070-cm13-04.se070.com.   IN  
>  
> ;; ANSWER SECTION:
> se070-cm13-02.se070.com. 38400  IN  fd6:a::11:52
>  
> ;; AUTHORITY SECTION:
> se070.com.  38400   IN  NS  a024.se070.com.
>  
> ;; Query time: 0 msec
> ;; SERVER: 10.11.11.24#53(10.11.11.24)
> ;; WHEN: Fri Jan 16 16:39:33 2009
> ;; MSG SIZE  rcvd: 88
>  
> [r...@a024 bryce]#
>  
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> 
> 
> 
> 
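The name that dig -x constructs in the QUESTION SECTION above, computed by hand as an added example (this is not code from the thread, from webmin or from BIND): the ip6.arpa form is the 32 hex nibbles of the fully expanded address in reverse order, one nibble per label (RFC 3596 section 2.5), and a PTR can only be found if its owner name is in exactly that form. The address fd6:a::11:52 and the prefix fd6:a::/64 are taken from the post; the checking functions are mine.

```python
"""Reverse (ip6.arpa) names for IPv6 addresses and a check that a PTR owner
name is in the nibble format of RFC 3596 section 2.5.  Added example; not
from the thread, webmin or BIND.  Address and prefix are the ones in the post."""
import ipaddress


def ip6_arpa(address):
    """PTR owner name for one address: 32 hex nibbles, reversed, dot-separated."""
    nibbles = format(int(ipaddress.IPv6Address(address)), '032x')
    return '.'.join(reversed(nibbles)) + '.ip6.arpa.'


def reverse_zone(prefix):
    """ip6.arpa zone name for a nibble-aligned prefix such as fd6:a::/64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError('ip6.arpa zones cut on nibble boundaries; prefix must be a multiple of 4')
    nibbles = format(int(net.network_address), '032x')[: net.prefixlen // 4]
    return '.'.join(reversed(nibbles)) + '.ip6.arpa.'


def is_nibble_ptr_owner(name):
    """True if name is 32 single-hex-digit labels under ip6.arpa, the only
    owner form a 'dig -x' PTR query can ever match."""
    labels = name.lower().rstrip('.').split('.')
    if len(labels) != 34 or labels[-2:] != ['ip6', 'arpa']:
        return False
    return all(len(l) == 1 and l in '0123456789abcdef' for l in labels[:32])


def in_zone(owner, zone):
    """True if owner is at or below zone (both absolute, case-insensitive)."""
    o, z = owner.lower().rstrip('.'), zone.lower().rstrip('.')
    return o == z or o.endswith('.' + z)


if __name__ == '__main__':
    addr, prefix = 'fd6:a::11:52', 'fd6:a::/64'
    print(ip6_arpa(addr))        # the name dig -x puts in the question
    print(reverse_zone(prefix))  # the zone named in the SOA of the NXDOMAIN reply
    # owner name as written by the tool in the post (colon-separated hex, one label)
    tool_owner = ':0fd6:000a:::::0011:0052.0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa.'
    print(is_nibble_ptr_owner(tool_owner), is_nibble_ptr_owner(ip6_arpa(addr)))
```

For fd6:a::11:52 this yields 2.5.0.0.1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa., which is what the QUESTION SECTION shows, and for fd6:a::/64 the zone 0.0.0.0.0.0.0.0.a.0.0.0.6.d.f.0.ip6.arpa. that the AUTHORITY SECTION's SOA names. The owner name the tool wrote into the zone file is one label of colon-separated hex followed by the zone name rather than 32 nibble labels, so it fails the check and cannot match the query; the NXDOMAIN is the expected result of that mismatch.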


Re: FIX for BIND-9.2

2009-01-15 Thread Danny Mayer
Lalvani, Hiro wrote:
> Hi ,
> 
> I need small help regarding this issue.
> 
> I have looked at the file " openssldsa_link.c  " under the BIND-9.3 and found 
> below code snapshot where the problem occurred.
> 
> 
> status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
> DSA_SIG_free(dsasig);
> if (status == 0)   /* status = 0, 1 & -1 */
>         return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
> return (ISC_R_SUCCESS);
> 
> 
> Could any one of you help me regarding this fix in BIND 9.2? I am unable to find
> the same function in BIND 9.2. Or could anyone just share the
> corresponding code architecture between BIND 9.2 and BIND 9.3?
> 

Why don't you just upgrade to the latest release of BIND? You shouldn't
be trying to make changes to 9.2.x which was obsolete years ago. HP will
thank you for it.

Danny
> 
> thanks
> Hiro Lalwani


Re: DNS forwarders

2009-01-15 Thread Danny Mayer
Thilanka Samarasekera wrote:
> Can someone tell me how a BIND 9 server selects what forwarder it's going
> to use? I read that BIND 8 used roundtrip time through a ping but I
> cannot find how BIND 9 does that. Does it round-robin between the
> forwarders that are set? Thanks in advance.
> 
> T

You configure it in the named.conf. However, it is strongly recommended
that you don't use them unless you absolutely have to.

Danny


Re: Bind 9.6.0p1- Windows - The service did not respond to the startor control request in a timely fashion.

2009-01-13 Thread Danny Mayer
Jukka Pakkanen wrote:
> Jukka Pakkanen wrote:
>>>> Chiesa Stefano wrote:
>>>>> Hi all.
>>>>> Maybe it's not a new issue, but...
>>>>>
>>>>> I have a Windows 2003 SP2 with a 9.4.2 release that worked fine for
>>>>> years.
>>>>> Today I wanted to upgrade my release to 9.6.
>>>>> I installed it but when I try to start the service the system says:
>>>>>
>>>>> Event Type: Error
>>>>> Event Source: Service Control Manager
>>>>> Event Category: None
>>>>> Event ID: 7000
>>>>> Date: 1/8/2009
>>>>> Time: 1:45:55 PM
>>>>> User: N/A
>>>>> Computer: S-MI-DNS
>>>>> Description:
>>>>> The ISC BIND service failed to start due to the following error:
>>>>> The service did not respond to the start or control request in a timely
>>>>> fashion.
>>>>>
>>>>> No other messages in Event Viewer. I reinstalled the 9.4.2 version and
>>>>> everything returned to work...
>>>>> Does someone know why (and the solution)?
>>>> Run named from the command line: named -g
>>>> and see what the output looks like. It sounds like a configuration
>>>> problem but it's hard to tell.
>>> When I upgraded 9.5.1 -> 9.6 I manually had to add user rights to the
>>> named directory, even though they were there earlier.
>> Can you include details of what appears to have changed?
> 
> The assigned user doesn't have any rights in the named directory, also
> happens often when installing to a clean machine. I don't know if the
> install process is even supposed to grant rights but at least it often
> (always?) is like that. This time it looks like the 9.6.0 install process
> even removed the rights from the assigned user :o
> 
> I'm not 100% sure of that, but at least after the update there weren't any
> rights for the user, and it only started working after manually adding
> them (full rights for the named dir & subdirs).

Unless someone changed the install code, no it doesn't touch the rights
of the service account to the directory and subdirectories. It has been
on my list of things to change about the installer but it's way down on
the list. I cannot imagine what is different. At some point I'll take a
look.

Danny


Re: Bind 9.6.0p1- Windows - The service did not respond to the startor control request in a timely fashion.

2009-01-13 Thread Danny Mayer
Jukka Pakkanen wrote:
>> Chiesa Stefano wrote:
>>> Hi all.
>>> Maybe it's not a new issue, but...
>>>
>>> I have a Windows 2003 SP2 with a 9.4.2 release that worked fine for
>>> years.
>>> Today I wanted to upgrade my release to 9.6.
>>> I installed it but when I try to start the service the system says:
>>>
>>> Event Type: Error
>>> Event Source: Service Control Manager
>>> Event Category: None
>>> Event ID: 7000
>>> Date: 1/8/2009
>>> Time: 1:45:55 PM
>>> User: N/A
>>> Computer: S-MI-DNS
>>> Description:
>>> The ISC BIND service failed to start due to the following error:
>>> The service did not respond to the start or control request in a timely
>>> fashion.
>>>
>>> No other messages in Event Viewer. I reinstalled the 9.4.2 version and
>>> everything returned to work...
>>> Does someone know why (and the solution)?
>>
>> Run named from the command line: named -g
>> and see what the output looks like. It sounds like a configuration
>> problem but it's hard to tell.
> 
> When I upgraded 9.5.1 -> 9.6 I manually had to add user rights to the
> named directory, even though they were there earlier.

Can you include details of what appears to have changed?

Danny

