Difference between query hung and timeout

2024-07-07 Thread J Doe

Hi list,

I run a BIND 9.18.27 resolver on a small mail server.

Sometimes in the logs I will see entries similar to the following:

04-Jul-2024 12:20:48.048 query-errors: info: client @0x3777f6412b0 127.0.0.1#48123 (bras-base-toroon0964w-grc-41-142-198-14-9.dsl.bell.ca): query failed (timed out) for bras-base-toroon0964w-grc-41-142-198-14-9.dsl.bell.ca/IN/A at query.c:7843

04-Jul-2024 20:07:35.308 resolver: info: shut down hung fetch while resolving '164.212.87.77.in-addr.arpa/PTR'

My question is: what is the difference between a query that times out
versus a query that hangs ?

In both cases, I would think these queries are hitting a time limit and
are stopped by BIND, but the fact that there are two different log
entries makes me wonder if there's more to this.

Thanks,

- J
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: CIDR notation for RPZ rpz-ip ?

2024-05-26 Thread J Doe

On 2024-05-17 19:37, Nick Tait via bind-users wrote:


On 18/05/2024 09:11, J Doe wrote:

Hello,

When using RPZ with BIND 9.18.27 and rpz-ip, can any CIDR prefix be used
or must they be either: /8, /16, /24, /32 for IPv4 ?

For example, if I want to block records with an A address of
192.168.10.1, I know I can write:

    32.1.10.168.192.rpz-ip    IN    CNAME .

... and records like A, MX, etc. that have an A value of: 192.168.10.1
will receive a NXDOMAIN response.

But am I able to block any CIDR ?  For instance, if I wanted to block
records like A, MX, etc. that have A values in: 192.168.10.1/22 can I
use the following:

    22.1.10.168.192.rpz-ip    IN    CNAME .


Thanks,

- J


Hi J.

Yes you can specify a CIDR network length that isn't on an 8-bit boundary.

In your example the /22 network address for 192.168.10.1 is actually
192.168.8.0, so you'd specify:

22.0.8.168.192.rpz-ip IN CNAME .

Nick.


Hi Nick,

Thanks for your reply and thanks for catching my network error!

- J

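As an added illustration (not code from Nick's reply or from BIND), the following helper derives the rpz-ip owner name from a CIDR the way Nick describes: it clears the host bits first, which is what turns 192.168.10.1/22 into 192.168.8.0/22, then writes the prefix length followed by the reversed octets. The IPv4-only handling and the literal "rpz-ip" suffix are assumptions; it also decodes an existing owner name so a policy zone can be checked for host bits left set.

```python
import ipaddress

# Added example, not code from the thread or from BIND itself: derive the
# rpz-ip trigger name for an IPv4 CIDR as a response-policy zone expects it.
# Assumptions: IPv4 only, and the trigger suffix is the literal "rpz-ip".


def rpz_ip_owner(cidr: str, suffix: str = "rpz-ip") -> str:
    """Return the rpz-ip owner name for an IPv4 network written in CIDR form.

    Host bits are cleared first (strict=False), which is the step Nick
    pointed out: 192.168.10.1/22 is the network 192.168.8.0/22. The name
    is then <prefixlen>.<B4>.<B3>.<B2>.<B1>.<suffix>, octets reversed.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    octets = str(net.network_address).split(".")
    return ".".join([str(net.prefixlen), *reversed(octets), suffix])


def rpz_ip_record(cidr: str) -> str:
    """Zone-file line for the NXDOMAIN action (CNAME .) on that network."""
    return f"{rpz_ip_owner(cidr)}\tIN\tCNAME\t."


def trigger_covers(owner: str, address: str, suffix: str = "rpz-ip") -> bool:
    """Decode an rpz-ip owner name and test whether it covers an address.

    Raises ValueError for a name whose host bits are still set, such as
    22.1.10.168.192.rpz-ip, so a policy zone can be checked before loading.
    """
    labels = owner.split(".")
    if len(labels) != 6 or labels[-1] != suffix:
        raise ValueError("not an IPv4 rpz-ip owner name")
    prefixlen = int(labels[0])
    network = ".".join(reversed(labels[1:5]))
    # strict=True rejects 192.168.10.1/22: the encoded address must already
    # be the network address.
    net = ipaddress.ip_network(f"{network}/{prefixlen}", strict=True)
    return ipaddress.ip_address(address) in net
```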


Missing cookie

2024-05-19 Thread J Doe

Hi list,

I run a validating recursive resolver with BIND 9.18.27.  Over the
course of many days, I have noted the following warning about a missing
cookie from a particular server:

09-May-2024 20:09:22.277 resolver: info: missing expected cookie
from 192.5.5.241#53

This server runs in the cloud with excellent connectivity, I don't do
anything special with my firewall and I do not run any software that
would mutate the DNS data over port 53.

What could be causing the cookie to not be received from this particular
server over a number of days ?

Thanks,

- J



CIDR notation for RPZ rpz-ip ?

2024-05-17 Thread J Doe

Hello,

When using RPZ with BIND 9.18.27 and rpz-ip, can any CIDR prefix be used
or must they be either: /8, /16, /24, /32 for IPv4 ?

For example, if I want to block records with an A address of
192.168.10.1, I know I can write:

    32.1.10.168.192.rpz-ip    IN    CNAME .

... and records like A, MX, etc. that have an A value of: 192.168.10.1
will receive a NXDOMAIN response.

But am I able to block any CIDR ?  For instance, if I wanted to block
records like A, MX, etc. that have A values in: 192.168.10.1/22 can I
use the following:

    22.1.10.168.192.rpz-ip    IN    CNAME .


Thanks,

- J


Re: Truncated TCP ?

2024-05-06 Thread J Doe

On 2024-05-05 20:47, Mark Andrews wrote:

On 6 May 2024, at 07:38, J Doe wrote:

Hello,

I run BIND 9.18.26 as a recursive, validating resolver.  In my logs, I
noticed the following:

01-May-2024 00:52:49.689 lame-servers: info: truncated TCP response
resolving 'www.ipfire.org/A/IN': 74.113.60.134#53

I am aware that there are issues with DNS UDP traffic being truncated
and/or rejected via firewalls or middle-boxes that enforce limits on
expected packet size (I believe one of the goals of a recent Flag Day
was to address these configs), but what would lead to truncated TCP
traffic in the context of DNS ?


Usually it is a software bug in the server where it doesn’t support 65535 byte
responses or incorrectly applies UDP limits to TCP.  Very occasionally the
response actually won’t fit in 65535 bytes.

Whatever it was I’m not seeing it now.

Mark


Thanks,

- J


Hi Mark,

When you say "server" do you mean my server (which implies that there is
a TCP/IP stack issue on my end), or the remote server (in this case the
authoritative DNS Server for: www.ipfire.org) ?

Thanks,

- J
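An added example, not BIND's own code, of what a truncated TCP response looks like at the byte level: each DNS message over TCP is prefixed with a two-byte length, so a reply can stop short of that declared length, or arrive complete but with the TC bit set, which is the symptom of a server applying UDP size limits to TCP as Mark describes. The constructed header-only messages are assumptions for the demonstration.

```python
import struct

# Added example, not BIND's code: read one DNS message from a TCP byte stream
# and classify how it can be "truncated". Over TCP each message carries a
# 2-byte big-endian length prefix (RFC 1035 section 4.2.2), so a reply can be
# cut short on the wire, or it can arrive complete but with the TC bit set,
# which is the UDP-sized-answer behaviour described in the thread.

TC_FLAG = 0x0200   # TC bit in the DNS header flags word
HEADER_LEN = 12


def read_tcp_message(stream: bytes) -> dict:
    """Classify the first message in `stream`.

    status: 'ok'        complete message, TC clear
            'short'     stream ended before the declared length
            'malformed' declared length smaller than a DNS header
            'tc-set'    complete message whose TC bit is set; TC over TCP
                        means the server applied a UDP size limit
    """
    if len(stream) < 2:
        return {"status": "short", "declared": None,
                "received": len(stream), "tc": False}
    (declared,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + declared]
    result = {"declared": declared, "received": len(body), "tc": False}
    if len(body) < declared:
        result["status"] = "short"
        return result
    if declared < HEADER_LEN:
        result["status"] = "malformed"
        return result
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", body[:HEADER_LEN])
    result.update({"id": qid, "tc": bool(flags & TC_FLAG),
                   "counts": (qd, an, ns, ar)})
    result["status"] = "tc-set" if result["tc"] else "ok"
    return result


def make_response(qid: int, tc: bool = False, payload: bytes = b"") -> bytes:
    """Constructed header-only response (QR, RD, RA set) with TCP length prefix."""
    flags = 0x8180 | (TC_FLAG if tc else 0)
    header = struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)
    message = header + payload
    return struct.pack("!H", len(message)) + message
```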


Truncated TCP ?

2024-05-05 Thread J Doe

Hello,

I run BIND 9.18.26 as a recursive, validating resolver.  In my logs, I
noticed the following:

01-May-2024 00:52:49.689 lame-servers: info: truncated TCP response
resolving 'www.ipfire.org/A/IN': 74.113.60.134#53

I am aware that there are issues with DNS UDP traffic being truncated
and/or rejected via firewalls or middle-boxes that enforce limits on
expected packet size (I believe one of the goals of a recent Flag Day
was to address these configs), but what would lead to truncated TCP
traffic in the context of DNS ?

Thanks,

- J


Re: Question about resolver

2024-04-27 Thread J Doe

On 2024-04-26 16:45, Josh Kuo wrote:


In this particular case, isn't the resolver attempting to do a reverse
lookup of the IP address that's listed ?


You are right, I missed that this is a reverse-mapping zone. In that
case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and
you'll see the problem. Reverse-mapping zones work the same as
forward-mapping zones, they also need to be delegated properly.

If you prefer a more visual output, try DNSViz:
https://dnsviz.net/d/180.96.34.in-addr.arpa/dnssec/
<https://dnsviz.net/d/180.96.34.in-addr.arpa/dnssec/>


Hi Josh,

Ok, sounds good!

- J



Re: Question about resolver

2024-04-27 Thread J Doe

On 2024-04-26 16:28, Mark Andrews wrote:


DS records live in the parent zone and the RFC 1034 rules for serving zones 
break down when a grandparent zone and child zone are served by the same 
server.  This is corrected by the client by looking for intermediate NS records 
to find the hidden delegations, then resuming the DS lookup.

Named was looking up these NS records, i.e. chasing the DS servers.   This can 
result in named finding delegation errors.  QNAME minimisation also exposes 
these errors as it also does NS queries.  Garbage in, breakage out.


Hi Mark,

Ah, ok, I believe I've got it now - thanks for your explanation!

- J


Re: Question about resolver

2024-04-26 Thread J Doe

On 2024-04-25 08:55, Josh Kuo wrote:


DS = Delegation Signer; it is the record type that a signed child uploads
to the parent zone. It's difficult to say for sure without more
information, such as which domain name you are trying to resolve, but it
looks like it is probably due to a mismatching DS record between the
child and the parent (security lameness).

You can use tools such as
https://dnssec-analyzer.verisignlabs.com/online
<https://dnssec-analyzer.verisignlabs.com/online> to help you analyze
further. If you need to refresh your knowledge on how DNSSEC works, see
the ISC DNSSEC Guide:
https://bind9.readthedocs.io/en/v9.18.14/dnssec-guide.html
<https://bind9.readthedocs.io/en/v9.18.14/dnssec-guide.html>

-Josh


Hi Josh,

Thank you for your prompt reply!

In this particular case, isn't the resolver attempting to do a reverse
lookup of the IP address that's listed ?

Secondly, I'm still not entirely sure what the phrasing "chase DS
servers" means.  I am aware of the DS RR type.

As a side-note:  I believe the "lame-servers" here is a function of me
configuring QNAME minimization to "relaxed".

Thanks,

- J


Question about resolver

2024-04-24 Thread J Doe

Hello,

I run BIND 9.18.26 as a recursive, validating resolver.  In my logs, I
noticed the following:

22-Apr-2024 19:25:59.614 lame-servers: info: chase DS servers
resolving '180.96.34.in-addr.arpa/DS/IN': 216.239.34.102#53

What does "chase DS servers" mean ?

Thanks,

- J


Question about URL being logged by resolver

2023-11-03 Thread J Doe

Hello,

On a Bind 9.18.19 server configured as a recursive resolver, I sometimes 
see URLs being noted in the log files.


One such example is:

02-Nov-2023 23:32:19.435 lame-servers: info: success resolving 
'https://app-measurement.com/sdk-exp/A' after disabling qname 
minimization due to 'ncache nxdomain'


This seems unusual to me because Bind usually notes the domain name it 
is attempting to resolve, not a URL.  In this particular case, I would 
expect to see a notation about "app-measurement.com" and not "http://etc.".


What is the significance of logging the URL and why does this happen in 
only some cases ?


Thanks,

- J


Question about Google domain with recursive resolver

2023-11-03 Thread J Doe

Hello,

I have a basic recursive resolver configuration with Bind 9.18.19 that 
acts as the resolver for some VPN roadwarrior clients (a mix of Apple 
iOS and macOS clients).


Periodically I will see the following in my logs:

02-Nov-2023 15:06:27.658 resolver: info: loop detected resolving 
'ns1.zdns.google/A'


As this is logged at "info" level, I presume it doesn't do any harm, but 
has anyone run into this with this particular Google domain ?  I have 
seen it over a number of weeks.


Thanks,

- J


Re: HTTP API for bind

2023-05-26 Thread Brian J. Murrell
On Fri, 2023-05-26 at 16:51 +0530, Shailendra Gautam wrote:
> Does bind provide any way to manage(add,update,delete) resource
> records
> with HTTP API, like powerdns?

Not TTBOMK.  It does have an API for managing RRs but that is using RFC
2136 and not HTTP.

> I currently use zonefiles to store DNS data
> and have been planning to switch to an API to add/remove records. Is
> there
> any way to do that with bind?

Sounds like you want a tool which has an HTTP API and can translate
those calls into the RFC 2136 update protocol.

Or you could just use the RFC 2136 update protocol directly.

Or you could use CLI tools supplied with BIND even, such as "nsupdate"
that can do updates.

If you really want an HTTP API, I guess you could start doing searches
for "RFC2136 HTTP" and see if anyone has implemented such a thing.

Maybe https://github.com/frillip/noip-rfc2136 does what you want.

Perhaps there are others.  I will leave that search as an exercise for
the reader.

Or you could even write your own.  I have a faint recollection of
writing such a thing as a CGI script in the past.  It should not be
terribly difficult.  Yeah.  I found it:

#!/bin/bash

key_name="put your key name here"

args_string=${REQUEST_URI##*\?}
eval "${args_string//\&/ }"

# undo url encoding
pass=${pass//\%2F/\/}
pass=${pass//\%3D/=}

cat &2

rm -f /tmp/kfile.*

echo "Content-type: text/html

good $REMOTE_ADDR"


But most likely you will want to use that GitHub project I pointed out
above rather than my Q hack above.  Above is just to illustrate how
basic and simple it could be.

Cheers,
b.



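An added example (not Brian's CGI script or the linked project) of the RFC 2136 side of an HTTP-to-nsupdate shim: each parameter is validated against a strict pattern before it is written into the nsupdate batch, rather than being eval'd from the query string, and the batch is handed to nsupdate with a TSIG key. The key-file path, zone, server address and the A/AAAA/TXT allow-list are assumptions.

```python
import ipaddress
import re
import subprocess

# Added example, not Brian's CGI script or the linked project: the RFC 2136
# side of an HTTP-to-nsupdate shim. Every parameter is checked against a
# strict pattern before it is written into the nsupdate batch. Assumptions:
# the key file path, zone and server are placeholders; only A, AAAA and TXT
# are allowed so the API cannot touch NS, SOA or other infrastructure records.

KEYFILE = "/etc/named/update.key"          # placeholder TSIG key file
ALLOWED_TYPES = {"A", "AAAA", "TXT"}
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_name(name: str) -> bool:
    """Hostname-style owner name: dotted labels, no leading/trailing hyphen."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(
        LABEL_RE.fullmatch(label) for label in name.split("."))


def normalize_rdata(rtype: str, rdata: str) -> str:
    """Check rdata for the record type and return it in zone-file form."""
    if rtype == "A":
        return str(ipaddress.IPv4Address(rdata))     # AddressValueError is a ValueError
    if rtype == "AAAA":
        return str(ipaddress.IPv6Address(rdata))
    if rtype == "TXT":
        if not re.fullmatch(r"[ -~]{1,255}", rdata) or '"' in rdata or "\\" in rdata:
            raise ValueError("TXT data must be printable ASCII without quotes")
        return f'"{rdata}"'
    raise ValueError("type not permitted")


def build_update(server, zone, action, name, rtype, rdata, ttl=300):
    """Return the nsupdate batch for one add or delete inside `zone`."""
    zone = zone.rstrip(".")
    if action not in ("add", "delete"):
        raise ValueError("action must be add or delete")
    if rtype not in ALLOWED_TYPES or not valid_name(name):
        raise ValueError("bad owner name or record type")
    owner = name.rstrip(".")
    if owner != zone and not owner.endswith("." + zone):
        raise ValueError("owner name is outside the zone")
    rdata = normalize_rdata(rtype, rdata)
    lines = [f"server {server}", f"zone {zone}."]
    if action == "add":
        # Refuse to clobber an existing RRset; the update then fails instead.
        lines.append(f"prereq nxrrset {owner}. {rtype}")
        lines.append(f"update add {owner}. {int(ttl)} {rtype} {rdata}")
    else:
        lines.append(f"update delete {owner}. {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_update(batch: str, keyfile: str = KEYFILE) -> None:
    """Feed the batch to nsupdate, signed with the TSIG key in `keyfile`."""
    subprocess.run(["nsupdate", "-k", keyfile], input=batch, text=True, check=True)
```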


Re: What is the meaning of an ecs log

2022-12-07 Thread Mik J via bind-users
Thank you for your answer and pointing out this information.

When I showed you this message
client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]

This query was to my authoritative server, which holds example.org.
The client IP is a Google DNS public IP (I had changed the IP to 172.16.11.2)
and the 192.168.2.0/24 prefix is a prefix from a hosting company in Turkey (I 
had changed the IP).

So I suppose that a machine hosted in that 192.168.2.0/24 subnet uses Google DNS 
as a resolver, and that resolver is querying my authoritative DNS.

I had read the documentation, and this /0 is noted as a scope:
"a statement which appears in a zone block has scope only for that zone"
I understand this sentence but I don't understand this /0.

In my logs it's always a /0.
I'm wondering in which case it could be different from a /0.




On Thursday, 8 December 2022 at 02:36:40 UTC+1, Darren Ankney wrote:

Found the answer in the manual:

"Finally, if any CLIENT-SUBNET option was present in the client query,
it is included in square brackets in the format [ECS
address/source/scope]."
https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-category

On Wed, Dec 7, 2022 at 8:25 PM Mik J via bind-users
 wrote:
>
> Hello Darren,
>
> The entire message is
> client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]
>
> The version is: 9.18.7
> It's both authoritative and recursive
>
>
>
>
> On Thursday, 8 December 2022 at 01:56:57 UTC+1, Darren Ankney wrote:
>
>
>
>
>
> Is that the entire log message or just part of it?  Is this a
> recursive or authoritative name server?  What version of bind?
>
> Logging is covered in the manual though I don't really see a
> comprehensive explanation of message format (maybe it's there and I'm
> just not seeing it).
> https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-grammar
>
> On Wed, Dec 7, 2022 at 7:42 PM Mik J via bind-users
>  wrote:
> >
> > Hello,
> > I see logs like [ECS 192.168.2.0/24/0] but I don't understand what is the 
> > last /0 part.
> > Where can I get an explanation ?
> > Regards
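An added example, not from the thread or from BIND, that parses the query-log line Mik posted into its fields using the [ECS address/source/scope] layout Darren quoted from the manual. The flag-letter decoding follows the named query-log format; the scope check applies RFC 7871, under which a client query's SCOPE PREFIX-LENGTH must be 0.

```python
import re

# Added example, not from the thread or from BIND: parse a named query-log
# line into its fields, using the [ECS address/source/scope] layout quoted
# from the manual. SAMPLE is the line posted in the thread (addresses already
# substituted by the poster).

SAMPLE = ("client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: "
          "example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]")

QUERY_RE = re.compile(
    r"client @(?P<obj>0x[0-9a-f]+) (?P<client>[^#\s]+)#(?P<port>\d+) "
    r"\((?P<name>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server_addr>[^)]+)\)"
    r"(?: \[ECS (?P<ecs_addr>[^/\]]+)/(?P<ecs_src>\d+)/(?P<ecs_scope>\d+)\])?"
)


def decode_flags(flags: str) -> dict:
    """Expand the flags column: leading +/- is RD, then S, E(n), T, D, C."""
    edns = re.search(r"E\((\d+)\)", flags)
    letters = re.sub(r"E\(\d+\)", "", flags[1:])
    return {
        "rd": flags.startswith("+"),
        "signed": "S" in letters,
        "edns_version": int(edns.group(1)) if edns else None,
        "tcp": "T" in letters,
        "do": "D" in letters,
        "cd": "C" in letters,
    }


def parse_query_log(line: str) -> dict:
    """Split one query-log line into client, question, flags and ECS option."""
    m = QUERY_RE.search(line)
    if not m:
        raise ValueError("not a query-log line")
    rec = {
        "client": m.group("client"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
        "server_addr": m.group("server_addr"),   # address the query arrived on
        "flags": decode_flags(m.group("flags")),
        "ecs": None,
    }
    if m.group("ecs_addr"):
        rec["ecs"] = {
            "address": m.group("ecs_addr"),
            "source": int(m.group("ecs_src")),      # SOURCE PREFIX-LENGTH
            "scope": int(m.group("ecs_scope")),     # SCOPE PREFIX-LENGTH
        }
    return rec


def ecs_scope_is_expected(rec: dict) -> bool:
    """RFC 7871 section 6: in a query the SCOPE PREFIX-LENGTH must be 0.

    A non-zero scope only appears in responses, so a logged client query
    showing anything but /0 was malformed by the sender.
    """
    return rec["ecs"] is None or rec["ecs"]["scope"] == 0
```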


Re: What is the meaning of an ecs log

2022-12-07 Thread Mik J via bind-users
Hello Darren,

The entire message is
client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]

The version is: 9.18.7
It's both authoritative and recursive




On Thursday, 8 December 2022 at 01:56:57 UTC+1, Darren Ankney wrote:





Is that the entire log message or just part of it?  Is this a
recursive or authoritative name server?  What version of bind?

Logging is covered in the manual though I don't really see a
comprehensive explanation of message format (maybe it's there and I'm
just not seeing it).
https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-grammar

On Wed, Dec 7, 2022 at 7:42 PM Mik J via bind-users
 wrote:
>
> Hello,
> I see logs like [ECS 192.168.2.0/24/0] but I don't understand what is the 
> last /0 part.
> Where can I get an explanation ?
> Regards


What is the meaning of an ecs log

2022-12-07 Thread Mik J via bind-users
Hello,
I see logs like [ECS 192.168.2.0/24/0] but I don't understand what is the last 
/0 part.
Where can I get an explanation ?
Regards


Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe

On 2022-08-25 18:04, Greg Choules wrote:

Hi again J.
If I understand correctly, you want to enable querylog on a busy 
recursive server permanently, rotate the files once a day and don't care 
if you lose some logs because the number of queries on a busy day 
generates more data than the specified log file is allowed to contain.


My question has to be, why?

Firstly, querylog is not an efficient way to record information about 
what your clients are doing, dnstap is far more efficient if you want a 
record of some or all information about queries and/or their responses. 
If using files to retain this information, the rotation choices are the 
same as for channels. If your server is only handling a few 10s or 100s 
QPS, querylog will do. But if it's handling 1000s times more than that 
you will cause it unnecessary extra stress and dnstap is your friend.


Secondly, if you insist on using querylog (actually, this also applies 
to dnstap), why not just leave named to rotate the files based on size 
and number, allowing for the set of files to be easily large enough to 
contain (say) a week's worth of data. Then you could run a cron job to 
grep today's logs and do what you want with them. You don't have to 
worry about other processes sending commands to named to cause something 
to happen, it just gets on with it.


/soapbox.


Hi Greg,

Yes, that's correct.  The size limit for the busy day is actually much 
larger than I think it would ever get.  I want a size limit to ensure 
that the query logs are not eating up too much disk space.  The size 
limit of a day's log will never get that high, but if it does, the disk 
is not filled up.  In that case, I understand logging for that day may 
be incomplete because Bind would stop logging if it did get to 1 G, 
but for this server and the purpose it serves, it's never going to reach 
1 G.


I like to have an upper bound on logs to prevent disk from being filled up.

I am familiar with dnstap but am looking for a more simple solution at 
this time.  I agree it is probably the most correct tool for most jobs, 
but in this case text logs for queries are fine.


I could also do as you suggest with cron and grep, but I'm not concerned 
with sending commands via a separate process (rndc) as that is the 
current method of sending commands to Bind.  The big goal is to have 
compressed logs for 24 hours of queries, holding onto that data for a 
week.  I think that's achievable by newsyslog.


It would be great to know if:

/usr/sbin/rndc reconfig > /dev/null 2>/dev/null || true

...is the correct trigger for named to open a new log.  Can anyone 
provide feedback on that ?


Thanks,

- J


Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe

On 2022-08-25 16:46, Richard T.A. Neal wrote:


Hi J,

I'm coming a little late to the party on this one and I think you might 
struggle to do rotation based on both date/time *and* file size, but I use 
logrotate to rotate all of my BIND logs daily, keeping 31 days of logs. And 
you'll see that one of the last things that logrotate does is to call [rndc 
reconfig] which causes BIND to generate fresh log files in place of the rotated 
ones.

My BIND logging itself is setup based largely on the configuration described 
here:
https://kb.isc.org/docs/aa-01526

My logrotate.conf file then looks like the following, which itself is 
based on this:
https://ixnfo.com/en/logrotate-bind9.html

#-
# RTAN BIND 9 daily log rotation
#
# Note that the log file won't rotate until at least one day AFTER you set this 
for the first time.
# Eg if you create this file on a Wednesday then they won't rotate for the 
first time until THURSDAY night:
# https://serverfault.com/questions/375004/logrotate-not-rotating-the-logs
#-

/var/log/named/*.log
{
   olddir /var/log/named/archived
   compress
   create 0644 bind bind
   daily
   dateext
   missingok
   notifempty
   rotate 31
   sharedscripts
   postrotate
 /usr/sbin/rndc reconfig > /dev/null 2>/dev/null || true
   endscript
}
#-

Best,
Richard.


Hi Richard,

Thank you for your reply.  I am not attempting to configure the server 
so that rotation is based on size *and* time.  The size configuration in 
the logging stanza was more to put an upper limit on a log *before* it 
is rotated.  I could drop the parts that mention 2 versions and 
incrementing the filename and just keep: size 1G.


Let's say it's an extremely busy day and my Bind recursive resolver logs 
are getting really big.  I want the maximum size a day's logs can be 
*before* they are compressed to be 1G.  I am aware that if the server is 
still under heavy load that queries past that point will not be logged.


Then, at the end of the day, newsyslog compresses the logs and rotates 
them so that I keep 7 days' worth of compressed logs.


The logrotate your example uses looks good, but I'm on a very minimal 
OpenBSD 7.1 host.  I could add the logrotate package, but newsyslog is 
in the base system and I already use it for doing the same kind of log 
rotation for my firewall logs, so I was hoping to stick to newsyslog.


The postrotate directive in the logrotate example you sent me was what I 
was basing my newsyslog config on, as it uses rndc and not pkill SIGHUP.


I am assuming it would work with newsyslog, or am I incorrect about that ?

Thanks again,

- J


Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe

On 2022-08-25 04:52, Anand Buddhdev wrote:


On 25/08/2022 05:23, J Doe wrote:

Hello J Doe,

I was wondering if anyone could provide feedback on whether the 
following: newsyslog.conf file is correct to allow for daily log 
rotation for my Bind 9.16.30 logs ?


My current logging settings in: named.conf are:

 ...
 logging {
 channel chn_file_queries {
 buffered no;
 file "/var/queries.log"
 versions 2 size 1g suffix increment;


This configuration makes BIND rotate the file by itself, when it grows 
bigger than 1 GB. You do NOT need any external tool like newsyslog to do 
log file rotation.


Regards,
Anand


Hi Anand,

Yes, I am aware that the logging stanza I listed for the query log will 
do the rotation when the log reaches 1 GB and then it will rotate it and 
store two logs in total.


What I would like to introduce is rotation based on time.  So after 24 
hours, newsyslog would compress and rotate the logs and keep them for 7 
days before removing the oldest.  That way I always have a week's worth 
of query data in separate logs by day.


Was my newsyslog.conf file correct for that ?

Thanks,

- J



Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe

On 2022-08-25 03:05, Greg Choules wrote:


Hello J
What is it you're actually trying to achieve here?

Cheers, Greg


Hi Greg,

I'm looking to have my: queries.log (which logs all the queries my Bind 
9.16.30 recursive resolver resolves), rotated at the end of the day and 
I'd like to keep 7 days' worth of those logs.


I didn't see anywhere in the log rotation options for: named.conf that 
mentioned rotation based on *time*.  I saw I can configure rotations 
based on the size of the file, but I'd like rotation to happen once 
every 24 hours.


With that in mind, I believe I could change the logging stanza from:

file "/var/queries.log"
versions 2 size 1G suffix increment;

to (syntax might be incorrect):

file "/var/queries.log"
size 1G;

I still want any daily log *before* it's being rotated to be a maximum 
size of 1 GB.


I believe my: newsyslog.conf line to rotate the logs daily is correct, 
except I wasn't entirely sure what the: rndc equivalent of sending 
SIGHUP to Bind was, as the ARM and man note that sending signals to 
control Bind is deprecated.


Thanks,

- J


Question regarding newsyslog.conf and Bind logs

2022-08-24 Thread J Doe

Hello,

I was wondering if anyone could provide feedback on whether the 
following: newsyslog.conf file is correct to allow for daily log 
rotation for my Bind 9.16.30 logs ?


My current logging settings in: named.conf are:

...
logging {
channel chn_file_queries {
buffered no;
file "/var/queries.log"
versions 2 size 1g suffix increment;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
...
};
...

newsyslog.conf examples tend to make use of: pkill but I note in the 
Bind ARM and man page that signals are deprecated in favor of: rndc.


I am *thinking* the following should work for newsyslog.conf

/var/named/var/queries.log    640  7    *    $D0   Z    "/usr/sbin/rndc reconfig > /dev/null 2>/dev/null || true"


So settings:

Log path:     My Bind is running in chroot
File mode:    0640
Log count:    7 (1 per day)
Size limit:   none
Frequency:    $D0 (daily)
Flags:        z to compress
Binary:       rndc (instead of pkill)

Is this correct ?

Thank you,

- J


Re: BIND 9.18.2 break-dnssec question

2022-05-01 Thread J Doe

On 2022-04-29 01:18, Mark Andrews wrote:


break-dnssec is about whether the client could detect the rewrite or not using 
DNSSEC.  If the client has DO=1 in the request and the normal response is 
signed, then rewrites can be detected. If break-dnssec is 'no' the rewrite will 
be prevented.  If break-dnssec is 'yes' then the rewrite will occur.


the world <-> recursive server rpz w/ break-dnssec no <-> recursive server rpz w/ break-dnssec no or yes;
                            |                                     |
                     non dnssec client                     non dnssec client

You don't want the second recursive server to spend all its time re-asking 
queries that will fail validation.


On 29 Apr 2022, at 11:24, J Doe wrote:

Hi,

I am configuring an RPZ for a validating resolver.  I read in the BIND 9.18.2 
ARM that there is a boolean option for RPZ zones called: break-dnssec.

The ARM states:

...In that case, RPZ actions are applied regardless of DNSSEC.
The name of the clause option reflects the fact that results
rewritten by RPZ actions cannot verify.

In my particular scenario, I want to use RPZ to give NXDOMAIN results for 
certain domain names that I don't want accessible.  So for normal queries 
without DNSSEC validation requested and for queries with DNSSEC validation 
requested for a domain name I am _not_ blocking, I want the lookups to work 
(ie: don't validate when validation not requested, validate when validation 
requested).

When a client attempts to lookup a domain name that _is_ blocked by RPZ, I want 
the domain name blocked ... whether or not they requested DNSSEC validation.

Am I correct that: break-dnssec yes comes into play only if a client attempts 
to resolve a DNSSEC secured domain name I _am_ blocking in RPZ ?

So for instance...

1. Client requests no validation for example.com which is not in RPZ and gets 
normal result.

2. Client requests validation for example.com which is not in RPZ and gets 
validated result.

3. Client requests no validation for evil.com which is in RPZ and gets NXDOMAIN 
result.

4. Client requests validation for evil.com which is in RPZ and gets NXDOMAIN 
result with broken DNSSEC validation due to rewrite.

This would mean that: break-dnssec yes:

...only breaks DNSSEC validation for evil.com because it is re-written
...does NOT break DNSSEC validation for sites _NOT_ in RPZ that use DNSSEC (ie: 
ietf.org).

Is that correct ?

Thanks,

- J


Hi Mark,

Thanks for your reply!  I think I might have done a poor job asking my 
questions, which may have introduced some confusion - apologies.  My 
brain is still chewing on this!


In this particular scenario, I have one validating resolver.  The 
diagram would be:


Client (PC, mail server, etc.) -> My resolver -> The world

What I was wondering is if I configure my validating resolver to use: 
break-dnssec yes, does that mean that DNSSEC validation is broken for 
_ALL_ queries ?


I am thinking that this applies only when a client computer queries my 
validating resolver and wants to know if DNSSEC is valid on a query that 
my resolver has changed via RPZ.  Because RPZ modified the data it can 
no longer validate.


So the client queries my resolver for DNSSEC validity for a server that 
is _NOT_ covered by my RPZ policy ... validation should _NOT_ break in 
that circumstance, right ?


Thanks,

- J


BIND 9.18.2 break-dnssec question

2022-04-28 Thread J Doe

Hi,

I am configuring an RPZ for a validating resolver.  I read in the BIND 
9.18.2 ARM that there is a boolean option for RPZ zones called: 
break-dnssec.


The ARM states:

...In that case, RPZ actions are applied regardless of DNSSEC.
The name of the clause option reflects the fact that results
rewritten by RPZ actions cannot verify.

In my particular scenario, I want to use RPZ to give NXDOMAIN results 
for certain domain names that I don't want accessible.  So for normal 
queries without DNSSEC validation requested and for queries with DNSSEC 
validation requested for a domain name I am _not_ blocking, I want the 
lookups to work (ie: don't validate when validation not requested, 
validate when validation requested).


When a client attempts to lookup a domain name that _is_ blocked by RPZ, 
I want the domain name blocked ... whether or not they requested DNSSEC 
validation.


Am I correct that: break-dnssec yes comes into play only if a client 
attempts to resolve a DNSSEC secured domain name I _am_ blocking in RPZ ?


So for instance...

1. Client requests no validation for example.com which is not in RPZ and 
gets normal result.


2. Client requests validation for example.com which is not in RPZ and 
gets validated result.


3. Client requests no validation for evil.com which is in RPZ and gets 
NXDOMAIN result.


4. Client requests validation for evil.com which is in RPZ and gets 
NXDOMAIN result with broken DNSSEC validation due to rewrite.


This would mean that: break-dnssec yes:

...only breaks DNSSEC validation for evil.com because it is re-written
...does NOT break DNSSEC validation for sites _NOT_ in RPZ that use 
DNSSEC (ie: ietf.org).


Is that correct ?

Thanks,

- J


Re: DNSSEC and forwarding

2022-04-13 Thread Duchscher, Dave J via bind-users
On Apr 13, 2022, at 10:08 AM, Nicholas Miller  
wrote:
> 
> I believe this is the option you are looking for:
> 
>   validate-except { domain.example; };

Thanks but that doesn't fix our problem. We use it to fix the
problematic domains for now but that is a temporary solution. There
is always another domain that crops up and will need to be exempted.

The option I was looking for, which doesn't seem to exist is turning
off named setting the check disable flag when forwarding to another
system. With that ability, we could have moved DNSSEC validation
to the cache systems.

--
Dave



Re: DNSSEC and forwarding

2022-04-13 Thread Duchscher, Dave J via bind-users


> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users 
>  wrote:
> 
> This Message Is From an External Sender
> This message came from outside your organization.
> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
> > We are dropping this configuration and looking at doing something else.
> 
> I'm sorry to hear that.
> 
> > We have had intermittent issues with Slack, Microsoft, and a growing 
> > list of domains. Even have one that consistently fails.
> 
> Are you able to share any specific details / examples so that others can 
> see an example of what to look out for?

Sure.

Just to be clear, the setup looks like this:

  Internal DNS --> DMZ DNS Cache -> World

Internal DNS is forward only.  Only internal DNS allowed on the DNS
cache systems.  DNSSEC validation can be enabled or disabled on the
cache systems since named always sets the check disabled flag when
forwarding. This also means that you can't forward to an upstream
DNS system and have it do the DNSSEC validation. Wish there was a
way to turn this off or if it would only set the check disabled
flag when DNSSEC validation is enabled.

Failure mode is that everything looks to work and then a domain
will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
and other times NXDOMAIN.

On a test setup with fresh restart, these domains always fail.

cybr.club
am-explorer.com
simutext.com
simutext2.com

These domains fail randomly and we have not been able to produce
the failure.

a.slack-edge.com
portal.azure.com
rex-sftp.bncollege.com

There is also our teams and sharepoint domains but rather not put
them here.

I hope this helps. Needless to say, it has been a frustrating
situation.
--
Dave



Re: Question about missing bind.keys

2022-04-12 Thread J Doe

On 2022-03-30 02:23, Evan Hunt wrote:


On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:

I have a question about the bind.keys file and what happens when it is
not available.

[...]

** If I don't have bind.keys in my BIND directory but have:
dnssec-validation auto in my named.conf, is BIND automatically getting
the trust anchor and storing it in managed-keys.bind so that when my
recursive resolver does a lookup and performs DNSSEC validation,
validation works ?  Or do I still need to download bind.keys from [1] ?


There's a copy of bind.keys that's compiled directly in named. If
the file isn't there, named will just use its own internal copy.

The first time named starts up with 'dnssec-validation' set to 'auto',
it fetches the current root key, validates it against its local
copy (either from bind.keys or from its own built-in copy), and then
keeps the key up to date according to the RFC 5011 protocol from
then on.

The recommendation to use bind.keys and not rely on the built-in
version was based on some assumptions that are no longer true. First,
`dnssec-validation auto` is now the default, so unless you disabled it on
purpose, you've been validating and keeping the root key up to date since
the first time you ran your server.  Second, back in those days it was
harder to get hold of regularly-updated packages for BIND, and scads
of people were running outdated code.

We were concerned that someone would be running an old version of named,
the root key would change, and *then* they'd decide to turn validation on
for the first time, and it wouldn't work. To smooth that out a bit, we
added the bind.keys file to the release tarball, and when giving tutorials
about turning on DNSSEC validation, we included a note that you should
always check whether bind.keys needed to be updated.

In today's world, I don't think it's important anymore.



Hi Evan,

Apologies for my late reply.  Thank you so much for the detailed 
explanation of: dnssec-validation auto and what happens when: bind.keys 
doesn't exist.


With this setting in place in my: named.conf I then restarted BIND, gave 
it a second to pull the trust information and then used: delv to test 
verification.


The first test for unverified/unsigned was:

$ delv google.com
; unsigned answer
. . .

... and the second test for verified/signed was:

$ delv ietf.org
; fully validated
. . .

... which wouldn't have worked if: dnssec-validation auto failed in 
getting the same information as: bind.keys


- J


Re: DNSSEC and forwarding

2022-04-12 Thread Duchscher, Dave J via bind-users
On Mar 30, 2022, at 4:43 PM, Tony Finch  wrote:
> 
> > We have an internal DNS server that we would like to forward its
> > outgoing queries to a main DNS server that connects to the outside world
> > and is doing DNSSEC validation.  The problem is that the DNSSEC
> > validation doesn't work for queries from the internal DNS server.
> > Doing DNSSEC validation on the internal DNS server that is forwarding to
> > the main DNS server has been problematic with some domain failing
> > intermittently and others just not working at all. Is there a way to
> > allow the main DNS server handle DNSSEC validation?
> 
> In this situation, with multiple tiers of caches, if you want DNSSEC
> validation, you should turn it on everywhere you can.
> 
> It sounds to me like your outer server has somehow got data in its cache
> that can't be validated by the inner server (though I'm not entirely sure
> how that might happen). If they both validate then I would expect the
> problems to go away.

We are dropping this configuration and looking at doing something else. It
has become very clear after much testing with different DNS services,
unbound, and named that forwarding with named with DNSSEC validation
turned on to another named server has problems with the DNS data out in
the world. For us, this shows up with cloud based services that play fast
and loose with the DNS specifications. We have had intermittent issues
with Slack, Microsoft, and a growing list of domains. Even have one that
consistently fails. I am just posting this as a caution to others that
you may have problems with DNSSEC validation in this configuration.

--
Dave




DNSSEC and forwarding

2022-03-30 Thread Duchscher, Dave J via bind-users
We have an internal DNS server that we would like to forward its outgoing 
queries to a main DNS server that connects to the outside world and is doing 
DNSSEC validation.  The problem is that the DNSSEC validation doesn't work for 
queries from the internal DNS server.  Doing DNSSEC validation on the internal 
DNS server that is forwarding to the main DNS server has been problematic with 
some domain failing intermittently and others just not working at all. Is there 
a way to allow the main DNS server handle DNSSEC validation?

Here is my test setup on my laptop:

First named config running on port 1:

logging {
    category default {
        _default_log;
    };
    channel _default_log {
        file "/var/log/named/named-1.log" versions 10 size 1m;
        severity info;
        print-time yes;
    };
};

options {
    directory "/var/named-1";
    listen-on port 1 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
    dnssec-validation no;
    forwarders {
        127.0.0.1 port 11000;
    };
    forward only;
};

Second named config running on port 11000:

logging {
    category default {
        _default_log;
    };
    channel _default_log {
        file "/var/log/named/named-2.log" versions 10 size 1m;
        severity info;
        print-time yes;
    };
};

options {
    directory "/var/named-2";
    listen-on port 11000 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
    dnssec-validation auto;
};

--
Dave



Question about missing bind.keys

2022-03-29 Thread J Doe

Hello,

I have a question about the bind.keys file and what happens when it is 
not available.


According to the ARM:

dnssec-validation  This option enables DNSSEC validation in named.
. . .

(To prevent problems if bind.keys is not found, the current trust
 anchor is also compiled in named. Relying on this is not
 recommended, however, as it requires named to be recompiled with a
 new key when the root key expires.)

I note the part towards the bottom where it says _not_ to rely on the 
compiled in option when bind.keys is not found.


With the packaged version of BIND that I am using (BIND 9.16.27), no 
bind.keys file was provided.  I then enabled DNSSEC validation by 
adding: dnssec-validation auto in my named.conf file and restarted BIND.


I now see I have managed-keys.bind file in my BIND directory.  To find 
out more about that I went to [1] which states:


For Current Releases (BIND 9.11 and higher)
. . .
Once named is managing the keys, the current keys will be
in managed-keys.bind or *.mkeys, if you use views.

In my case, I have BIND configured as a recursive resolver.  I have an 
ACL section and an Options section but no views . . . but I still get 
managed-keys.bind.


My question is:

** If I don't have bind.keys in my BIND directory but have: 
dnssec-validation auto in my named.conf, is BIND automatically getting 
the trust anchor and storing it in managed-keys.bind so that when my 
recursive resolver does a lookup and performs DNSSEC validation, 
validation works ?  Or do I still need to download bind.keys from [1] ?



Thanks for your help,

- J


Sources:

[1] https://www.isc.org/bind-keys/


filter queries for A records from some clients

2022-03-10 Thread Brian J. Murrell
I am trying to do some testing of an IPv6-only network here using some
nat64 to reach the "legacy" :-) IPv4 Internet.  My network is currently
dual-stack.

I have dns64 query mapping working, but I am still seeing some clients
that I am trying to test with (that still have IPv4 addresses until the
test proves successful) using IPv4 to the Internet.  I can only surmise
that this is a case where the client did a happy-eyeballs query for
both A and AAAA records and got an A record back first.

To that effort, I want to try filtering out A record queries (or
responses) from those clients so that they only get the AAAA results
back whether those are real IPv6 addresses or dns64 mapped addresses.

Is there any way to filter A queries or replies to achieve this goal?

I am noticing the .rpz-ip trigger, but being pretty green at RPZ policy
writing, it's not clear to me if that can be used to filter just A
records.

Cheers,
b.



Re: copy EDNS options to resolver response

2022-02-19 Thread Brian J. Murrell
On Sun, 2022-02-20 at 08:16 +1100, Mark Andrews wrote:
> 
> EDNS is hop by hop. There is no copying by any compliant server. 

Fair enough.  I thought it was a long shot.

Cheers,
b.



Re: copy EDNS options to resolver response

2022-02-19 Thread Brian J. Murrell
On Sat, 2022-02-19 at 19:02 +0100, Matus UHLAR - fantomas wrote:
> 
> what's the point of this setup?
> BIND can resolve by itself perfectly and you wouldn't rely on 3rd
> party 
> service

Except that it cannot do EDE, as I already said in my original message.


Cheers,
b.






copy EDNS options to resolver response

2022-02-19 Thread Brian J. Murrell
I have a BIND9 server configured as a resolver for the local network to
forward all requests to 1.1.1.1.  Given that 1.1.1.1 includes
(RFC8914) EDE EDNS options in its responses, can I configure the BIND
resolver to forward those EDNS options in its response to the client?

While I know BIND9 doesn't yet do EDE itself, I am hoping for an option
in BIND to just blindly copy whatever EDNS options it receives to its
client.

Cheers,
b.





How to show run the active configuration on bind

2022-01-04 Thread Mik J via bind-users
Hello,

How can I check which variables are loaded in memory and considered as active?

For example, I would like to check that the value of lame-ttl is 0.

In my named.conf configuration file I have:

include "myconf.conf";
lame-ttl 600;

And in the myconf.conf file I have:

lame-ttl 0;

So how can I make sure which value is used ?

Thank you


Re: Trying again on SERVFAIL

2021-02-10 Thread J Doe

On 2021-02-10 3:05 a.m., Alessandro Vesely wrote:

Hi Havard,







That's what I've been doing.  For an incoming message, a temporary 
failure means replying a 4xx code.  The sender keeps the message in its 
queue, and eventually gives up.  Once upon a time, MTAs used to retry 
sending for five days.  Nowadays, several servers don't let queued 
messages grow older than one day.


In the most severe case, a failed DKIM signature might entail a reject.  
So the best course of action seems to be to reserve temporary failures 
to this case.


Still, being able to differentiate a local network congestion from a 
remote bad configuration would help.



Best
Ale


Hi Ale and list,

This isn't an answer to your original question, but I was curious about 
something you mentioned near the end of your message, where you wrote: 
"Once upon a time . . . Nowadays, several servers don't let queued 
messages grow older than one day".


Out of curiosity, what servers have you encountered that no longer use 
the five day cutoff ?


Thanks,

- J


Re: BIND through COPR after CentOS

2020-12-19 Thread Tom J. Marcoen
Hey all,

Just wondering here, why switching from CentOS to Debian or building BIND
from sources? What is wrong with migrating to CentOS Stream? Why would that
be so much worse than using Debian?

Regards,
Tom

On Sat, 19 Dec 2020 at 00:25, G.W. Haywood via bind-users <
bind-users@lists.isc.org> wrote:

> Hi there,
>
> On Fri, 18 Dec 2020, Leroy Tennison wrote:
>
> > ... switching from an rpm world to a deb world
> > ... Not an enormous change but significant.
>
> Indeed.  I'd suggest that if it's just about BIND, it's easier to grab
> the source and build it.  That way you don't ever have to wait for the
> package maintainer (not that you'll usually have to wait long), you do
> get to make your own decisions, and there'll be fewer nasty surprises.
>
> This has been my routine for more than a decade - I just did it this
> evening on our primary.  The secondaries are somebody else's problem.
>
> $ wget https://downloads.isc.org/isc/bind9/9.11.26/bind-9.11.26.tar.gz
> $ tar xzvf bind-9.11.26.tar.gz
> $ cd bind-9.11.26/
> $ ./configure --enable-ipv6 --prefix=/usr/local --sysconfdir=/etc
> --with-openssl ...
> $ make
> # make install
> # kill $(pidof /usr/local/sbin/named) ; sleep 2 ; /usr/local/sbin/named -u
> named
>
> I don't think 'apt-get update/upgrade' would have been any quicker.
>
> You might want to check signatures etc., but it is an 'https' download
> link.  If you have a lot of machines and no Puppet, you can of course
> make your own package in a few minutes.
>
> You'll want to subscribe to the announce@ list.  If there's no CVE, I
> usually wait for a couple of days after the announcement...
>
> --
>
> 73,
> Ged.


Re: Abour RRL and Best Practise

2020-11-29 Thread Tom J. Marcoen
Hey Onur,

I would guess it depends on your setup and how much traffic you receive.
[1] gives as an example a value of 10 responses per second, which I would
say is a good place to start.  [5] gives a value of 5 responses per second
and I get the impression that that is the value used by the F root
servers.  You can always implement RRL on one of your authoritative name
servers with a value of 10 and try lower values if all seems to be ok.

Both resources are from ISC so I would say they are good advice to start with.

PS: RRL is disabled by default so the default value is "0", meaning
"no limit" (see the ARM for version 9.16.8 on page 73).

[1]: https://kb.isc.org/docs/aa-00994
[2]: https://conference.apnic.net/data/37/apricot-2014-rrl_1393309768.pdf

Best regards,
Tom

On Fri, 27 Nov 2020 at 08:00, Onur GURSOY  wrote:
>
> Hello Everyone,
>
> Bind9 is a good product and benchmark.
> It has good documentation especially about vulnerabilities.
> I wonder one thing, nowadays,
>
> For brute force, reflection, amplification and etc. attacks, there is 
> prevention which is name response rate limit (RRL).
> Question:
> What is the default value rate-limit ?
> What is the best practise, best value for rate-limit clause .
>
> Thanks in advance.
> Have nice day and healthy day,
> With best regards
>
> --
> Onur GÜRSOY
> R Engineer in Embedded Systems
> Master Student at Gebze Institute Of Technology
> Department Of Electronic Engineering
> GSM : 0(545) 764 7653
> e-mail: onurgursoyg...@gmail.com
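To make the responses-per-second and slip values discussed above concrete, here is an added example that is not BIND's code and not from either poster: a simplified model of the behaviour BIND's `rate-limit { responses-per-second N; slip S; ipv4-prefix-length 24; }` clause configures. Responses are accounted in buckets keyed by client network and response identity; each bucket earns N credits per second, a response with no credit left is dropped, and every S-th dropped one is instead sent truncated (TC=1) so a genuine client retries over TCP while a spoofed victim receives only small replies. The `RateLimiter` class, the `simulate` function and the sample addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges are this example's own; BIND's window, all-per-second and exempt-clients settings are deliberately left out.

```python
"""Simplified model of DNS Response Rate Limiting (added example, not BIND's implementation)."""
from collections import Counter
from ipaddress import ip_address, ip_network


class RateLimiter:
    def __init__(self, responses_per_second=10, slip=2,
                 ipv4_prefix_length=24, ipv6_prefix_length=56):
        self.rps = responses_per_second      # 0 means "no limit", as in BIND's default
        self.slip = slip                     # every slip-th over-limit response is truncated
        self.v4len = ipv4_prefix_length
        self.v6len = ipv6_prefix_length
        self.buckets = {}                    # key -> (credits, last_seen_time)
        self.over_limit = Counter()          # key -> over-limit responses seen

    def _key(self, client_ip, qname, qtype, rcode):
        """Bucket identity: client network plus what the response says."""
        ip = ip_address(client_ip)
        plen = self.v4len if ip.version == 4 else self.v6len
        net = ip_network(f"{ip}/{plen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper(), rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        if self.rps == 0:
            return "send"
        key = self._key(client_ip, qname, qtype, rcode)
        credits, last = self.buckets.get(key, (self.rps, now))
        # Refill at rps per second, never holding more than one second's worth.
        credits = min(self.rps, credits + (now - last) * self.rps)
        if credits >= 1:
            self.buckets[key] = (credits - 1, now)
            return "send"
        self.buckets[key] = (credits, now)
        self.over_limit[key] += 1
        if self.slip and self.over_limit[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate():
    """Constructed traffic: one /24 sends 100 identical ANY queries in the same second."""
    rl = RateLimiter(responses_per_second=10, slip=2)
    flood = Counter(rl.decide(0.0, "192.0.2.10", "example.com.", "ANY")
                    for _ in range(100))
    # A client in another network shares no bucket and is not affected.
    other = rl.decide(0.0, "198.51.100.5", "example.com.", "ANY")
    # One second later the flooding network's bucket has refilled.
    later = rl.decide(1.0, "192.0.2.10", "example.com.", "ANY")
    return {"flood": dict(flood), "other_client": other, "after_one_second": later}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:18s} {value}")
```

The model shows why the value is a per-bucket rate rather than a global one: the flooded (network, answer) pair loses 90 of 100 responses while a different client network is untouched, which is the property that makes RRL useful against reflection without rate-limiting the server as a whole.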


Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-20 Thread Tom J. Marcoen
Thank you for your valuable feedback. It is much appreciated.

On Fri, 20 Nov 2020 at 19:37, Reindl Harald  wrote:

>
> Am 08.11.20 um 14:44 schrieb Timothe Litt:
>
>
> I'm amazed that this thread has persisted for so long on this list of
> knowledgeable people
>
>
> me too, i would understand that on the spamassassin list but not here and
> what i *really* don't understand is jumping into the thread with "I just
> wanted to comment that there is no requirement to run a secondary DNS
> server"
>
> even if it would not be a requirement (but it is) it's common sense not to
> contradict best practices everyone running critical services is following
>
> there are enough beginners which don't follow best practices anyways, no
> need to encourage them
>
> RFC1034 , one of the two
> foundational RFCs for the DNS:
>
> P.18 in section 4.1 (NAME SERVERS => Introduction):
>
> A given zone will be available from several name servers to insure its
> availability in spite of host or communication link failure.  By
> administrative fiat, we require every zone to be available on at least
> two servers, and many zones have more redundancy than that.
>
> In case the font is too small, the key phrase is:
>
> "we require every zone to be available on at least two servers"
>
> That's "REQUIRE" at least TWO SERVERS
>
> i heard of registries which require even 3 and when they say they require
> it means you have them or you can't register a domain, no RFC needed to
> begin with
>
> https://tools.ietf.org/html/rfc1537 documents common misconfigurations -
> that is, cases of non-conformance to the RFCs that the author encountered
> circa 1993.  It was superseded in 1993 by RFC 1912
> , where section 2.8 starts with "You
> are required to have at least two nameservers for every domain".  Neither
> document supersedes RFC1034; rather they attempt to help with interpreting
> it.
>
> https://www.iana.org/help/nameserver-requirements  consolidates
> information from several RFCs, since the DNS has evolved over time.  It is
> not an RFC, but a convenient summary.  It primarily documents the tests
> performed by IANA when it processes a delegation change to the root, .INT,
> and .ARPA zones.  These tests validate conformance to the RFCs.  As the
> introduction says, "These tests do not measure against best practices or
> comprehensively measure protocol conformance. They are a practical set of
> baseline requirements that catch common misconfiguration errors that impact
> stable operations of the DNS."
>
> Bottom line: two servers per zone are required by the DNS architecture.
> It's not folklore.  It's not optional.
>
> yes
>
> It is true that the DNS is robust enough to function with a number of
> misconfigurations (including just one server for a zone, since in practice
> this is almost indistinguishable from transient conditions.)
>
> Nonetheless, the goal of the DNS architecture (and most of its operators)
> is to have a stable and robust name service.  Misconfigurations, such as
> those documented in rfc1527, make the DNS unstable and fragile.  The
> architecture tends to contain the effects of many misconfigurations, but
> that doesn't make them wise.
>
> As I noted earlier: "DNS appears deceptively simple at first blush.
> Setting up a serviceable infrastructure requires an investment of thought
> and on-going maintenance.  You will not be happy if you skimp on that
> investment, since broken DNS is externally visible - and frequently
> catastrophic."
>
> I'll finish with a 1987 quote from Leslie Lamport on distributed systems,
> which the DNS most certainly is:
>
> "A distributed system is one in which the failure of a computer you didn't
> even know existed can render your own computer  unusable."
>
> Can the quibbling stop now?
>
>
> thank you


Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Tom J. Marcoen
Having at least two name servers is not a requirement by the RFC standards,
but which TLD allows for only one NS server to be given when you register a
domain?

On Sat, 7 Nov 2020 at 16:53, Kevin A. McGrail  wrote:

> On 11/7/2020 10:15 AM, Reindl Harald wrote:
>
>
> https://tools.ietf.org/html/rfc1537
> Common DNS Data File Configuration Errors
>
> 6. Missing secondary servers
>
> > It is required that there be a least 2 nameservers
> > for a domain.
>
> -
>
> that above is common knowledge virtually forever and the difference of
> "must" and "should" in IETF wordings is also very clear
>
> While I agree this is common knowledge as a best practice, this rfc is a
> memo NOT a standard from my reading:
>
>   This memo provides information for the Internet community.  It does
>not specify an Internet standard.  Distribution of this memo is
>unlimited.
>
> Regards,
> KAM
>


Re: How can I launch a private Internet DNS server?

2020-11-06 Thread Tom J. Marcoen
First of all, sorry that I cannot reply within the thread, I was not
yet a member of the mailing list when those emails were sent.

> On Thu 15/Oct/2020 18:57:16 +0200 Jason Long via bind-users wrote:
> >
> > Excuse me, I just have one server for DNS and that tutorial is about 
> > secondary
> > DNS server too.
>
> Just skip the chapter about the secondary.  You're better off buying secondary
> DNS services externally.  A good secondary offloads your server noticeably, 
> and
> keeps the domain alive in case of temporary failures.
>
> Best
> Ale

Is it not a requirement to have at least two authoritative name
servers? I believe all TLDs require at least two name servers, but I
must be mistaken, as no one has pointed this out yet.

Regards,
Tom


Calculate the size of a DNS record in the cache

2020-07-28 Thread Mik J via bind-users
Hello,
My cache is 100MB and I'd like to know how many records can fit inside. I 
suppose that it depends on the record: isc.org is 7 characters and shorter than 
http://www.example.com
And it probably depends on the type and address.
So which size would isc.org A 1.1.1.1 be ?

I ask my question because I was wondering how many 
nxdomainattack1.example.com, nxdomainattack2.example.com... can 
I generate before filling the cache of my recursive server.
According to the RFC, if my example.com SOA TTL is 86400, the NXDOMAIN entry 
would remain in the cache for 1 day.
Thank you for sharing your thoughts


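The sizing question above can be reasoned about from the DNS wire format. The Python below is an added example written for this page, not code from the thread or from BIND: it encodes names and records as RFC 1035 wire data, sizes a cached NXDOMAIN entry as the queried name plus the SOA record that RFC 2308 requires to be stored with it, and computes the negative-cache TTL as the lesser of the SOA TTL and the SOA MINIMUM field. The SOA MNAME/RNAME values are constructed, and BIND's in-memory cache structures are larger than the wire encoding, so the per-entry figure is a lower bound on what named's max-cache-size accounting will charge, not a measurement of it.

```python
import ipaddress


def encode_name(name: str) -> bytes:
    """Uncompressed RFC 1035 wire encoding: length-prefixed labels, zero byte at the end."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # the root label terminates the name
    if len(out) > 255:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


def rr_wire_size(owner: str, rdata_len: int) -> int:
    """One resource record: NAME + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return len(encode_name(owner)) + 10 + rdata_len


def a_record_size(owner: str, address: str) -> int:
    """Size of an A record; the address is validated and is always 4 octets of RDATA."""
    return rr_wire_size(owner, len(ipaddress.IPv4Address(address).packed))


def soa_rdata_size(mname: str, rname: str) -> int:
    """SOA RDATA: MNAME + RNAME + SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM (five 32-bit fields)."""
    return len(encode_name(mname)) + len(encode_name(rname)) + 5 * 4


def nxdomain_entry_size(qname: str, zone: str, mname: str, rname: str) -> int:
    """A negative cache entry keeps the queried name plus the zone's SOA record (RFC 2308)."""
    return len(encode_name(qname)) + rr_wire_size(zone, soa_rdata_size(mname, rname))


def negative_cache_ttl(soa_ttl: int, soa_minimum: int) -> int:
    """RFC 2308 section 5: an NXDOMAIN is cached for the lesser of the SOA TTL and SOA MINIMUM."""
    return min(soa_ttl, soa_minimum)


def entries_that_fit(cache_bytes: int, entry_bytes: int) -> int:
    """Upper bound on the number of entries of a given wire size in a cache of cache_bytes."""
    return cache_bytes // entry_bytes


if __name__ == "__main__":
    # Constructed SOA parameters for example.com (hypothetical values).
    mname, rname = "ns1.example.com", "hostmaster.example.com"
    print("isc.org A 1.1.1.1 ->", a_record_size("isc.org", "1.1.1.1"), "bytes on the wire")
    entry = nxdomain_entry_size("nxdomainattack1.example.com", "example.com", mname, rname)
    print("NXDOMAIN entry for nxdomainattack1.example.com ->", entry, "bytes")
    print("100 MB cache holds at most", entries_that_fit(100 * 1024 * 1024, entry), "such entries")
    print("negative TTL with SOA TTL 86400 and MINIMUM 3600 ->", negative_cache_ttl(86400, 3600))
```

The defender's takeaway is that the number of random names that can be parked in a cache scales with the negative TTL the zone owner publishes, not just with the cache size; BIND caps what it will honour with the `max-ncache-ttl` option, so a resolver operator can bound the lifetime of such entries independently of the SOA values of remote zones.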


"overlay" views

2020-01-20 Thread Brian J. Murrell
I'm really not sure about what the name of this feature I am going to
describe would be.  I would probably call it an "overlay view".  But I
am sure there are better names.

Imagine I have a BIND 9 server for the following network topology:


Network 1
192.168.1.0/24   
-|.254  |
 |   Router |
Network 2|  |
192.168.2.0/24   |  |
-|.254  |
 |  |
Network 3|  |
192.168.3.0/24   |  |
-|.254  |
 

There are a few dozen hosts/services on Network 3 which hosts from
Network 1 and Network 2 need to resolve names of.  All pretty
straightforward.

But the hosts on Network 1 and Network 2 need to resolve the same name
(let's call it "gateway") to the address of their interface on Router. 
So that is, hosts on Network 1 want a query of "gateway." to resolve to
192.168.1.254 and hosts on Network 2 want a query of "gateway." to
resolve to  192.168.2.254.

So this is currently all achievable through "views" in BIND 9, but
requires that the zone data for each view be 98% duplicate (Network 3
resources) and continually copy-n-paste updated whenever names on
Network 3 are added.

What I am looking for is a way to save the duplicate copying of Network
3 resources to the views for Network 1 and Network 2.  This is where
the term "overlay" comes in.  What I'd like to do is reference a single
copy of data from Network 3 in Network 1 and 2's views but "overlay"
some view-specific resources on top of that, namely the "gateway."
name, with its per-view specific value.

Thoughts?

b.





Re: Problem building BIND 9.11.14 on SPARC Solaris 10

2019-12-30 Thread Wieland, Jeffrey J.
Jaco,
I've been running it built that way for more than a week without apparent 
problems.
--
Jeff Wieland, UNIX/Network Systems Administrator
Purdue University IT Infrastructure Services UNIX Platforms

On December 30, 2019 7:21:43 AM EST, Jaco Lesch  wrote:

Jeff

Picking up a similar error when compiling on Solaris 11.4 with Oracle
Studio 12.6:

libtool: compile:
/opt/SunStudio/OracleDeveloperStudio12.6-solaris-sparc-bin/developerstudio12.6/bin/cc
-mt -I/usr/local/src/bind-9.11.14 -I../.. -I./unix/include
-I./pthreads/include -I./noatomic/include -I./include -I./include
-I/usr/local/src/bind-9.11.14/lib/dns/include -I../../lib/dns/include
-D_REENTRANT -DOPENSSL "-DPK11_LIB_LOCATION=\"undefined\"" -D_XPG4_2
-D__EXTENSIONS__ -m64 -fast -Qoption cg -xregs=no%appl -W2,-xwrap_int
-xmemalign=16s -mt -xatomic=none -I/usr/include/libxml2 -c stats.c
-KPIC -DPIC -o .libs/stats.o
"stats.c", line 300: undefined symbol: val
cc: acomp failed for stats.c
*** Error code 1

Changing line 300 to "value", it then compiles just fine.

Regards



On 12/21/19 08:35, Wieland, Jeffrey J. wrote:
 Compiling with Solaris Studio 12.2 and Oracle Studio 12.4, I get
 the following error:

 libtool: compile:  /opt/solstudio12.2/bin/cc -m32 -L/opt/openssl-1.1/lib
 -R/opt/openssl-1.1/lib -D_STDC_C99= -mt
 -I/opt/src/sys/bind/sun4u/bind-9.11.14 -I../.. -I./unix/include
 -I./pthreads/include -I./noatomic/include -I./include -I./include
 -I/opt/src/sys/bind/sun4u/bind-9.11.14/lib/dns/include
 -I../../lib/dns/include -I/opt/openssl-1.1/include -D_REENTRANT
 -DOPENSSL -DPK11_LIB_LOCATION=\"undefined\" -D_XPG4_2 -D__EXTENSIONS__
 -m32 -xtarget=ultra -xarch=sparcvis -xO0 -I/usr/include/libxml2 -KPIC -c
 stats.c  -KPIC -DPIC -o .libs/stats.o
 "stats.c", line 300: undefined symbol: val
 cc: acomp failed for stats.c

 line 300 is:

   stats->counters[counter] = val;

 I'm pretty sure that val should be value, since there is no "val"
 anywhere in that file.  At least it compiles that way; I haven't
 tested it yet.


--

Jaco Lesch
SAIX HLS
Email: ja...@saix.net



Problem building BIND 9.11.14 on SPARC Solaris 10

2019-12-20 Thread Wieland, Jeffrey J.
Compiling with Solaris Studio 12.2 and Oracle Studio 12.4, I get
the following error:

libtool: compile:  /opt/solstudio12.2/bin/cc -m32 -L/opt/openssl-1.1/lib 
-R/opt/openssl-1.1/lib -D_STDC_C99= -mt 
-I/opt/src/sys/bind/sun4u/bind-9.11.14 -I../.. -I./unix/include 
-I./pthreads/include -I./noatomic/include -I./include -I./include 
-I/opt/src/sys/bind/sun4u/bind-9.11.14/lib/dns/include 
-I../../lib/dns/include -I/opt/openssl-1.1/include -D_REENTRANT 
-DOPENSSL -DPK11_LIB_LOCATION=\"undefined\" -D_XPG4_2 -D__EXTENSIONS__ 
-m32 -xtarget=ultra -xarch=sparcvis -xO0 -I/usr/include/libxml2 -KPIC -c 
stats.c  -KPIC -DPIC -o .libs/stats.o
"stats.c", line 300: undefined symbol: val
cc: acomp failed for stats.c

line 300 is:

     stats->counters[counter] = val;

I'm pretty sure that val should be value, since there is no "val"
anywhere in that file.  At least it compiles that way; I haven't
tested it yet.

-- 
Jeff Wieland, UNIX/Network Systems Administrator
Purdue University IT Infrastructure Services UNIX Platforms



Re: RPZ behavior for authoritative servers

2019-10-24 Thread Mik J via bind-users
Hello Chuck,
Thank you for this clarification. I get your point and it makes sense.
Regards

On Thursday 24 October 2019 at 05:38:03 UTC+2, Chuck Aurora wrote:
 
 On 2019-10-23 18:14, Mik J via bind-users wrote:
Hi,

> I know that the RPZ functionality aims to block/redirect/log DNS
> queries from the inner network.
> 
> What about the authoritative DNS facing the Internet ?
> 
> I receive some spam, I get probed on my webservers etc.
> Many of these annoyances start with a DNS query.
> 
> What is mydomain.org ? My DNS answers 1.2.3.4
> Then the annoyances starts on port 25 or 80 or 443...
> 
> So my question is this one.
> Is it possible to load a list of IP clients and/or networks that can
> be called the "zombie list"
> If a computer from the zombie list wants to resolve mydomain.org, my

Here is where you err.  You're assuming that you will know the source
of the query and be able to associate a certain query with an attack.
That's highly improbable.

Most [probably all] of these annoyances are malware running on
compromised machines.  Malware usually makes an effort to stay small,
and as such, it's likely to offload as much as it can to the system
libraries.  Name resolution is a good candidate for offloading.

The system library will send DNS queries to the nameserver[s] as
received from DHCP.  Those nameservers will do the recursion, and you
will see the queries coming from ISP resolvers and open resolvers like
Google's.

> DNS replies 127.0.0.1 or some IP that are allocated to an antarctic
> network.
> Then, I never get annoyed.

Even if you DO correctly pin the query to the attack, you do NOT want
to poison Google's cache with misinformation.

Sorry.

Also, if you were to do something like this, please do NOT abuse real
IP address holders, especially not our .AQ friends.  I'm sure network
lag there is bad enough without us making it worse.

-CA


RPZ behavior for authoritative servers

2019-10-23 Thread Mik J via bind-users
Hello,
I know that the RPZ functionality aims to block/redirect/log DNS queries from 
the inner network.
What about the authoritative DNS facing the Internet ?
I receive some spam, I get probed on my webservers etc. Many of these 
annoyances start with a DNS query.
What is mydomain.org ? My DNS answers 1.2.3.4. Then the annoyances start on port 
25 or 80 or 443...
So my question is this one. Is it possible to load a list of IP clients and/or 
networks that can be called the "zombie list"? If a computer from the zombie list 
wants to resolve mydomain.org, my DNS replies 127.0.0.1 or some IP that is 
allocated to an antarctic network. Then, I never get annoyed.
Something like a mix between RPZ and views on my authoritative DNS servers 
sitting on the Internet.
Thank you


Re: Bind-Efficientip

2019-10-23 Thread Mik J via bind-users
You won't do it within a night, that's for sure. But yes, the vendors assemble 
components with a web interface and database. But now it seems to me that all 
products add more intelligence.
For my own needs bind alone is all fine because I'm root. But for 500+ users 
that need to view, modify some zones, import, export, I'm not sure that would be 
possible.

On Thursday 24 October 2019 at 00:44:36 UTC+2, Reindl Harald wrote:
 
 

Am 24.10.19 um 00:35 schrieb Mik J via bind-users:
> Efficient IP uses bind (+ nsd/unbound) as the DNS server.
> 
> One major difference between Efficient IP and bind is when you want to
> delegate the zone configuration to users and groups. I think it's called
> role based management.
> So let's say you want team1 to have read/write access to the zone
> team1.cyberia.net.sa, team2 to team2.cyberia.net.sa... on one server.
> You can have team2 to be able to view all the content of the zone 
> team1.cyberia.net.sa and so on.
> I don't think it's possible to do this on bind only / unix
> There are granular rights.
> 
> The second thing it that DHCP, DNS, IPAM work together. You can automate
> the IP reservation and the DNS record creation for example.
> 
> The ability to import/export data from csv or API SOAP/Rest
> 
> Infoblox and Bluecat are other similar products along with a few others.

at the end of the day it's just some interface utilizing the underlying
tools - i don't see why i couldn't expand my webinterface generating
zonefiles since 11 years now with some permission delegation within a
night if needed


Re: RPZ for reverse lookups ?

2019-08-27 Thread J Doe
Hi Noel and Fred,

Thank you for your replies.  I probably should have provided a bit of context 
about my situation.

I manage a small e-mail server for a client.  While setting up support for the 
SpamHaus DNSBL, I read that SpamHaus prefers that people use a non-public (ie: 
not 8.8.8.8 / large cloud host DNS server) recursive resolver.  I configured 
Bind 9.11.x to be a recursive resolver and got SpamHaus working with my MTA.  I 
then learned about RPZ.

I configured RPZ to block forward lookup of known bad domains - for instance, 
malware C2 servers and so forth, with the idea being that if the e-mail server 
was infected with malware it would fail forward resolution.  I then wondered if 
I could configure RPZ to “work in reverse” - that is, to specify a DNS name 
that results after reverse lookup should result in functionality similar to 
NXDOMAIN.

The idea behind this was that if I had a domain name or a TLD that I didn’t 
want to receive connections from, when the server performed the reverse lookup 
if it resulted in a domain with that TLD it would break, which would then cause 
my MTA to refuse delivery.  Currently, my MTA will happily allow a connection 
if the reverse resolution to any name works.

The reason I wanted this on the DNS name was that I then do not have to know 
all the IP addresses associated with that domain.  So, if I receive a 
connection from: 1.2.3.4 when the MTA does a reverse lookup and it matches 
“example.org” the DNS server doesn’t complete the name lookup.  In this case I 
am then specifying that anything that resolves to “example.org” should fail.  
With the example you provided with a PTR record, I would still have to know the 
IP addresses owned by a particular domain, which may change over time.

I’ve been able to approach this in a different way.  Instead of having 
everything break at the DNS level, I’ve configured a right-hand side block list 
(RHSBL), with the MTA.  Now, when a reverse resolution is done if that domain 
name or TLD is found in the RHSBL, the connection is blocked.  I have that 
applied to connections to the server as well as the envelope from address, so 
if someone connects from: banned.example.com OR states the e-mail is from: 
some...@banned.example.com, the e-mail is rejected.

I think the major difficulty I was running into was trying to have DNS RPZ do 
everything.

Thank you for the pointer to the RPZ mailing list - I will be joining that 
shortly

Regards,

- J



> On Aug 25, 2019, at 12:54 PM, m3047  wrote:
> 
> Clarification on what DNS is...
> 
> On Sun, 25 Aug 2019, m3047 wrote:
>> On Sat, 24 Aug 2019, J Doe wrote:
>>> [...] Is it possible to re-write a response on a reverse lookup ?  For
>>> instance, if I considered example.com a “bad domain”, can I write a RPZ
>>> policy so that a reverse lookup of IP’s that map to example.com fails or
>   
>>> is blocked ?
>>> [...]
>> proposed actions local in scope? Do you run a local passive DNS oracle?)
> 
> Strictly speaking, in DNS-speak the "reverse lookup of an IP..." is a PTR 
> lookup. The "reverse lookup of an IP mapping to example.com" is doing a PTR 
> lookup and matching it against example.com. I could be wrong generally, but 
> at least none of the RPZ features which I use generate additional DNS 
> traffic; an RPZ implementation which did would exceed my personal threshold 
> of least surprise.
> 
> You might consider taking discussion of this to the RPZ interest list or 
> searching the archives: http://lists.redbarn.org/mailman/listinfo/dnsfirewalls
> 
> --
> 
> Fred Morris



RPZ for reverse lookups ?

2019-08-24 Thread J Doe
Hello,

I have a basic question regarding RPZ on Bind 9.11.x.

Is it possible to re-write a response on a reverse lookup ?  For instance, if I 
considered example.com a “bad domain”, can I write a RPZ policy so that a 
reverse lookup of IP’s that map to example.com fails or is blocked ?

I know I can do this with a forward lookup to generate NXDOMAIN:

; Forward resolution of: example.com and subdomains generates: NXDOMAIN

example.com      IN CNAME .
*.example.com    IN CNAME .

…but can this also be done on reverse lookups ?

Thanks,

- J
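As an added example (not from this thread, and not BIND's RPZ implementation), the Python below models the RPZ QNAME trigger that the zone snippet above relies on, and shows why a forward policy never fires on a reverse lookup: the query name of a reverse lookup is the in-addr.arpa name, and the PTR answer is a domain name, which none of the RPZ response triggers (rpz-ip, rpz-nsdname, rpz-nsip) examine. Blocking reverse lookups therefore means listing the reverse names themselves, which is the PTR-record approach Fred Morris refers to in his reply. The policy zone text and the 192.0.2.0/24 documentation addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional

NXDOMAIN, NODATA, PASSTHRU = "NXDOMAIN", "NODATA", "PASSTHRU"
# CNAME targets that RPZ reserves for actions; any other target is a rewrite.
_ACTIONS = {".": NXDOMAIN, "*.": NODATA, "rpz-passthru.": PASSTHRU}

# Constructed policy data for this example. Trigger names are written without
# the policy zone suffix, as in the snippet above.
FORWARD_POLICY = """
; Forward resolution of example.com and subdomains -> NXDOMAIN
example.com     IN CNAME .
*.example.com   IN CNAME .
"""

REVERSE_POLICY = """
; Reverse lookups for 192.0.2.0/24 -> NXDOMAIN, except one host that is let through
*.2.0.192.in-addr.arpa   IN CNAME .
9.2.0.192.in-addr.arpa   IN CNAME rpz-passthru.
"""


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def parse_rpz_zone(zone_text: str) -> Dict[str, str]:
    """Collect CNAME-encoded policy lines as {trigger name: CNAME target}."""
    policy: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[2].upper() != "CNAME":
            continue  # only the CNAME action encoding is modelled here
        policy[normalize(fields[0])] = fields[3]
    return policy


def action_for(target: str) -> str:
    return _ACTIONS.get(target, "CNAME " + target)


def lookup_policy(policy: Dict[str, str], qname: str) -> Optional[str]:
    """QNAME trigger: exact owner first, then the closest enclosing wildcard.

    As in RPZ, *.example.com covers every name below example.com at any depth.
    """
    q = normalize(qname)
    if q in policy:
        return action_for(policy[q])
    labels = q.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return action_for(policy[wildcard])
    return None


def reverse_qname(address: str) -> str:
    """The name a resolver actually queries for a reverse lookup, e.g. 4.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def reverse_trigger_for(prefix: str) -> str:
    """QNAME trigger covering all reverse names of an octet-aligned IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError("QNAME triggers need an octet-aligned prefix, got /%d" % net.prefixlen)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    name = ".".join(reversed(octets)) + ".in-addr.arpa"
    return name if net.prefixlen == 32 else "*." + name


if __name__ == "__main__":
    fwd = parse_rpz_zone(FORWARD_POLICY)
    print("www.example.com ->", lookup_policy(fwd, "www.example.com"))
    print(reverse_qname("1.2.3.4"), "->", lookup_policy(fwd, reverse_qname("1.2.3.4")))
    rev = parse_rpz_zone(REVERSE_POLICY)
    print(reverse_qname("192.0.2.4"), "->", lookup_policy(rev, reverse_qname("192.0.2.4")))
    print(reverse_qname("192.0.2.9"), "->", lookup_policy(rev, reverse_qname("192.0.2.9")))
```

In a real policy zone each owner name carries the zone's own suffix (for instance `example.com.rpz.example.`), and the exact entry winning over the wildcard is what lets a single host be exempted with `rpz-passthru.` while the rest of the block is denied; the model keeps only that precedence rule and the CNAME action encoding.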


RPZ with Spamhaus

2019-06-23 Thread Mik J via bind-users
Hello,

I tried to understand how to use Spamhaus as a RPZ provider but without any 
success.
I'll use the non commercial service at least for some time because I have a few 
servers and one or two users, the traffic is very low.

What I thought I should do first is be able to dig axfr the spamhaus rpz
$ dig axfr rpz.spamhaus.org @ns3.spamhaus.org
Of course I see a failed transfer

I registered in spamhaus but don't know how to be able to axfr the content of 
the zone

Regards



Re: Bind 9.14.1 will not build on OpenBSD 6.5 (amd64)

2019-04-27 Thread Mik J via bind-users
 Hello,

I'm also an OpenBSD user.
I see you used CC; can you try with GCC ?

I hope that will help
On Saturday 27 April 2019 at 22:56:25 UTC+2, paranoid sysadmin wrote:
 
 I have begun work on upgrading a group of OpenBSD boxes that are used at a 
bunch of small sites as a "network services" processor and gateway. The 
existing boxes are mostly running some version of 9.12, though one is running a 
9.11. Aside from the usual "version-itis" problems, this has been a largely 
mechanical "turn the crank and let the scripts run" process.

EXCEPT for Bind. The build process keeps failing when it gets down far enough 
to trying to compile isc/lib/rwlock.c which fails miserably. Using the "out of 
the box" gcc compiler generates the following:

--- snip ---
gcc -std=gnu99  -I/opt/src/bind-9.14.1 -I../.. -I./unix/include  
-I./pthreads/include  -I./include  -I./include 
-I/opt/src/bind-9.14.1/lib/dns/include  -I../../lib/dns/include -I/usr/include  
    -g -O2 -pthread -I /usr/local/include -I/usr/local/include/libxml2 
-I/usr/local/include -I /usr/local/include -W -Wall -Wmissing-prototypes 
-Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing 
-fno-delete-null-pointer-checks  -c rwlock.c
rwlock.c:51:24: error: immintrin.h: No such file or directory
rwlock.c: In function 'isc__rwlock_lock':
rwlock.c:302: warning: cast to pointer from integer of different size
rwlock.c:302: warning: cast to pointer from integer of different size
rwlock.c:302: warning: assignment makes integer from pointer without a cast
rwlock.c: In function 'isc_rwlock_lock':
rwlock.c:342: warning: implicit declaration of function '_mm_pause'
rwlock.c: In function 'isc_rwlock_trylock':
rwlock.c:395: warning: cast to pointer from integer of different size
rwlock.c:395: warning: cast to pointer from integer of different size
rwlock.c:395: warning: assignment makes integer from pointer without a cast
rwlock.c: In function 'isc_rwlock_tryupgrade':
rwlock.c:427: warning: cast to pointer from integer of different size
rwlock.c:427: warning: cast to pointer from integer of different size
rwlock.c:427: warning: assignment makes integer from pointer without a cast
*** Error 1 in lib/isc (Makefile:273 'rwlock.o')
*** Error 1 in lib (Makefile:89 'subdirs')
*** Error 1 in /opt/src/bind-9.14.1 (Makefile:96 'subdirs')
--- snip ---

After looking, I found that the ./configure had selected the default gcc ( 
4.2.1 ) which is old. I have since retried this with both clang (7.0.1) and 
egcc (8.3.0) with similar, but slightly more illuminating results.

While I'm not much of a C programmer, the problem appears to be in the "new 
code" that was added between 9.12.4-P1 (which  builds fine on this same 
platform) and the 9.14 version. 

--- snip from rwlock.c ---
#if defined(_MSC_VER)
# include <intrin.h>
# define isc_rwlock_pause() YieldProcessor()
#elif defined(__x86_64__)
# include <immintrin.h>
# define isc_rwlock_pause() _mm_pause()
#elif defined(__i386__)
--- snip ---

Since I know you are going to ask, I'm trying to use the following configure:

CC=/usr/bin/cc ./configure --prefix=/usr/local \
--sbindir=/usr/local/sbin \
--bindir=/usr/local/sbin \
--libdir=/usr/local/lib \
--includedir=/usr/local/include \
--mandir=/usr/local/share/man \
--sysconfdir=/etc \
--enable-shared \
--enable-static  \
--with-openssl=/usr \
--with-python=/usr/local/bin/python \
--with-libxml2 \
--with-libjson \
--without-readline \
--without-protobuf-c \
--without-libfstrm \
--with-lmdb \
--disable-dnstap \
--with-dlopen=no

I have tried this with variations on this theme ( with libtool, etc.).

Your thoughts will be appreciated.



-- 
  paranoid sysadmin


Re: BIND 9.11.6-P1 build fails on Solaris

2019-04-26 Thread Wieland, Jeffrey J.
Jaco Lesch via bind-users wrote:
>
>
> Both BIND 9.11.5-P4 and 9.11.6 build fine with the following configure 
> settings:
> ./configure --prefix=/opt/local --libdir=/opt/local/lib/dns/sparcv9 \
>     --sysconfdir=/etc \
>     --localstatedir=/var \
>     --with-randomdev=/dev/random \
>     --with-tuning=large \
>     --with-gssapi=krb5-config \
>     --with-libtool \
>     --with-openssl \
>     --without-pkcs11 \
>     --without-dlopen \
>     --enable-full-report \
>     --with-python=/usr/bin/python3.5 \
> --with-python-install-dir=/usr/lib/python3.5/vendor-packages \
>     --enable-threads --enable-ipv6 --enable-devpoll
>
> Compiled with both Studio 12.6 and GCC 7.3.0.
>
> Thanks
>
> -- 
> ---
> Jaco Lesch
> SAIX HLS
> Email:ja...@saix.net
>

Jaco, what version of Solaris did you build this on?

-- 
Jeff Wieland, UNIX/Network Systems Administrator
Purdue University IT Infrastructure Services UNIX Platforms



Re: Advice for DNS reverse zones

2019-02-07 Thread Mik J via bind-users
Hello Bob, Tony,
Thank you for your answers, I'm going to study this topic.
Regards

On Wednesday 6 February 2019 at 21:11:59 UTC+1, Bob Harold wrote:
 
 
On Wed, Feb 6, 2019 at 1:03 PM Mik J via bind-users  
wrote:

Hello,
I would like to know how you manage reverse zones and the 10.x.x.x zone 
particularly.
I can see three choices:
- One global 10.in-addr.arpa zone
- Many /24 zones 1.1.10.in-addr.arpa zone
- Something in between
One global zone: The problem is that I end up having a very populated zone and if 
someone asks me to set up an acl or anything like that it has to be global. This 
solution might be the easiest but definitely not the best in terms of scalability.
Many /24 zones: The problem is that I end up creating zones all the time or make 
them first in one go, so 65536 zones... And when someone has a /16 network I 
need to delete the 256 x /24 zones to make one single one.
What do you people do on your DNS servers ?

And is it possible to make a 1.1.10.in-addr.arpa for the 16 first addresses (a 
/28 network) ?
Regards

For ranges with few records, that don't need to be acl'ed or delegated, put 
them in the 10.in-addr.arpa zone. Any /16 that has a lot of records can be split 
off into its own 2.10.in-addr.arpa. And if a /24 gets really busy, you can split 
it out 5.1.10.in-addr.arpa
There is no need to create all 256 /16's or all the /24's, just create them as 
needed.
If having different sizes is too confusing, I suggest all /16's.
-- Bob Harold


Advice for DNS reverse zones

2019-02-06 Thread Mik J via bind-users
Hello,
I would like to know how you manage reverse zones and the 10.x.x.x zone 
particularly.
I can see three choices:
- One global 10.in-addr.arpa zone
- Many /24 zones 1.1.10.in-addr.arpa zone
- Something in between
One global zone: The problem is that I end up having a very populated zone and if 
someone asks me to set up an acl or anything like that it has to be global. This 
solution might be the easiest but definitely not the best in terms of scalability.
Many /24 zones: The problem is that I end up creating zones all the time or make 
them first in one go, so 65536 zones... And when someone has a /16 network I 
need to delete the 256 x /24 zones to make one single one.
What do you people do on your DNS servers ?

And is it possible to make a 1.1.10.in-addr.arpa for the 16 first addresses (a 
/28 network) ?
Regards
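Both the question and Bob Harold's reply above come down to mapping address blocks to in-addr.arpa zone names, and the /28 case is the classless delegation of RFC 2317. The following Python is an added example written for this page rather than anything from the thread: it derives the zone name for an octet-aligned prefix, lists the candidate zones enclosing an address from most to least specific (so a provisioning script can pick whichever one exists, which is the mixed-size layout Bob describes), and generates the NS and CNAME records the enclosing /24 zone needs to hand a /28 to a separate zone, plus the PTR that the delegated zone then publishes. The 10.1.1.0/28 block, ns1.example.net and host5.example.net are constructed names.

```python
import ipaddress
from typing import List

OCTET_ALIGNED = (8, 16, 24)


def reverse_zone_name(prefix: str) -> str:
    """in-addr.arpa zone that corresponds to an octet-aligned IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen not in OCTET_ALIGNED:
        raise ValueError("reverse zones fall on octet boundaries; got /%d" % net.prefixlen)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def enclosing_zones(address: str) -> List[str]:
    """Candidate zones for an address, most specific first, for a mixed /24, /16, /8 layout."""
    return [
        reverse_zone_name(str(ipaddress.ip_network("%s/%d" % (address, plen), strict=False)))
        for plen in (24, 16, 8)
    ]


def rfc2317_parent_records(prefix: str, nameservers: List[str]) -> List[str]:
    """Records the enclosing /24 zone needs to delegate a sub-/24 block (RFC 2317)."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("RFC 2317 applies to /25 .. /31; a single address is just one PTR")
    parent = reverse_zone_name(str(net.supernet(new_prefix=24)))
    first = int(net.network_address) & 0xFF   # host octet of the first address
    sub = "%d/%d" % (first, net.prefixlen)    # sub-zone label, e.g. "0/28"
    records = ["%s.%s. IN NS %s" % (sub, parent, ns) for ns in nameservers]
    # One CNAME per address points the ordinary reverse name into the delegated zone.
    for host in range(first, first + net.num_addresses):
        records.append("%d.%s. IN CNAME %d.%s.%s." % (host, parent, host, sub, parent))
    return records


def rfc2317_child_ptr(prefix: str, address: str, target: str) -> str:
    """PTR record the delegated child zone publishes for one address of the block."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    addr = ipaddress.IPv4Address(address)
    if addr not in net:
        raise ValueError("%s is not in %s" % (address, prefix))
    parent = reverse_zone_name(str(net.supernet(new_prefix=24)))
    first = int(net.network_address) & 0xFF
    return "%d.%d/%d.%s. IN PTR %s" % (int(addr) & 0xFF, first, net.prefixlen, parent, target)


if __name__ == "__main__":
    print("10.1.1.7 could live in:", enclosing_zones("10.1.1.7"))
    print("\n".join(rfc2317_parent_records("10.1.1.0/28", ["ns1.example.net."])))
    print(rfc2317_child_ptr("10.1.1.0/28", "10.1.1.5", "host5.example.net."))
```

The CNAME chain is what makes the /28 possible without a /28 zone of its own: the resolver asks for 5.1.1.10.in-addr.arpa, the /24 zone answers with a CNAME into 0/28.1.1.10.in-addr.arpa, and the delegated zone holds the PTR. The "/" in the label is only a convention; any label works as long as the NS records and CNAME targets agree.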


RPZ question autoritative/recursive servers

2019-01-22 Thread Mik J via bind-users
Hello,
I tried to dissociate roles and have:
- 1 set of authoritative master/slave servers
- 1 set of recursive servers
For a zone that I own, the "recursive" servers forward the request to the 
authoritative server. Otherwise the server resolves the query directly on the 
Internet. The authoritative servers hold my zones and recursion is disabled.
I was reading about RPZ zones but it seems to me these are implemented on 
authoritative servers ? I'm interested in RPZ zones in order to intercept some 
queries aiming at the internet, youp*rn or wannacry.
As I explained, my authoritative servers are not on the path to the Internet, only 
my forward servers are; should I implement the RPZ functionality on these 
forward-only servers ?

Any thoughts on this ?
Thank you


rndc reconfig: Unexpected end of input

2018-08-28 Thread J David
After recently improving the tracking of errors coming from commands
running from scripts, we found that a large number of “rndc reconfig”
requests (about 15-20% of all requests) error out with exit status 1
and the message:

rndc: 'reconfig' failed: unexpected end of input

The “unexpected end of input” error is one that rndc usually issues if
a parameter is missing.  For example, “rndc refresh” without providing
a zone name on the command line.  But “rndc reconfig” doesn’t have any
additional command line parameters.

In this case, the rndc reconfig is issued after adding a zone file to
the configuration.

This is on BIND 9.12.2-P1 on FreeBSD 11.2, if that’s relevant.

Does anyone know what might be causing this error message?

Thanks for any advice!


Stealth NS records

2018-03-30 Thread PANG J.

I saw a zone check on intodns.com shows,

Stealth NS records were sent:
ns2.xxx.com
ns1.xxx.com

So what's a stealth NS record?

thanks.


Re: DNS Server sizing guide?

2018-03-27 Thread PANG J.
My server once ran about 200,000 zones on a VPS with 4GB RAM, 2 vCores, 
BIND powered.


Running tests against them is good.
https://www.nominum.com/measurement-tools/


On 2018/3/28 Wednesday AM 10:54, Blason R wrote:

Hi,

Is there any DNS sizing guide available? I have created a sinkhole 
server which is catering around 25 - 30 zones loaded with 4 CPU 
and 8 GB RAM. I am daily adding around 1-5k of zones.


I need to know how do I calculate the resources consumed by BIND server? 
I mean if this DNS server is catering to 500 users and to amy be 5000 
users how much RAM/CPU should be allocated?


TIA






Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-25 Thread Brian J. Murrell
On Wed, 2018-01-17 at 10:45 -0500, Brian J. Murrell wrote:
> I have a BIND (9.9.4)[1] server that runs well most of the time, but
> periodically it will start returning SERVFAIL for very high-level
> domains such as *.google.com, *.gstatic.com, *.github.com, etc.  It
> seems to happen most frequently with Google domains, but I wonder if
> that is just a reflection on the percentage of queries I have for
> those
> here.

The culprit here is the DDNS processing.  Once I moved the DDNS
processing (that is coming from the DHCP server) off onto a separate
server the problem server stopped having SERVFAIL for names that it
should just not happen for, like www.google.com.

So, now I just have to chase down why DDNS is causing this.

This BIND server is from the FreeIPA project so it's an LDAP-backed
BIND so perhaps (probably?) that has something to do with it.  I will
take it up with the FreeIPA folks since it's their build of BIND that
is causing the problems.

Much much thanks for the help and patience here while I got to the root
cause.

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell
On Tue, 2018-01-23 at 09:53 -0700, Grant Taylor via bind-users wrote:
> 
> Could you try disabling DDNS updates for a little while?

That's effectively what I have done.

I set up a second server configuration running a new zone on a different
IP address and pointed the DHCP server at it so that the DHCP server is
no longer sending DDNS updates to the server that is having these
intermittent outages.

I've set up CNAME pointers from the main server to the new server for
the names (of DHCP clients) that need to be resolvable as well as for a
reverse zone on the new server.

> Maybe you'll 
> get lucky (for a given value of luck) and find that the problem 
> continues happening even with DDNS updates disabled.  Thus you will
> have 
> a reasonable idea that the issue is not related to DDNS updates.

Exactly my goal.  I'm fairly sure that the problem is going to stop
happening now that the server is no longer processing DDNS updates.

Unfortunately it's impractical to run like this for the long term as
any DHCP client that comes into the network ought to be resolvable by
its name in the main zone, but that would require CNAMEs for any and
every possible name that could show up in a DHCP client.

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell
On Tue, 2018-01-23 at 13:38 +0100, Reindl Harald wrote:
> 
> pretty sure it's possible and likely not much different than the 
> unbound-sample below which asks a rbldnsd on port 1043 on the same
> machine
> 
> stub-zone:
>   name: "zone-name."
>   stub-addr: 127.0.0.1@1053

This all falls apart because you cannot instruct the ISC DHCP server to
send DDNS updates to a non-standard (!53) port.  :-(

I seem to have no choice but to run the isolated server on a different
IP address and then have to start managing the listen-on directive in
the main server to list all addresses other than the isolated server's
address.  :-(

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell
On Tue, 2018-01-23 at 13:38 +0100, Reindl Harald wrote:
> 
> pretty sure it's possible and likely not much different than the 
> unbound-sample below which asks a rbldnsd on port 1043 on the same
> machine
> 
> stub-zone:
>   name: "zone-name."
>   stub-addr: 127.0.0.1@1053

That's the sort of path I was going to take with a forward zone in the
main server to my DHCP-DDNS-isolation server, but in the new zone I
create on the isolation server I have to list NS(es) for the new zone
and while those will be on the (IP address of the) main server they
will be on a different port.

Of course anything doing an NS query for that new zone on that server
will just get an IP address for the NS and not the port also.  Maybe in
such an isolated environment that doesn't matter since the only thing
doing queries to that isolated server on the alternate port will be
the main server on behalf of the clients in the local network.

I'll give it a shot.

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell
Here's a new most interesting data point.

All of these outages happen right after a DHCP client connects and sends
a DDNS update to BIND.

It would be an interesting experiment to isolate the zone that receives
DDNS updates for the DHCP clients onto a separate server to see if that
makes this problem go away for the main server, but I don't have
another machine to run another BIND on and I don't think it's possible
to run two BINDs on the same machine on different ports and have one
(on port 53) delegate a zone to another running on some other port.

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Brian J. Murrell
On Mon, 2018-01-22 at 12:45 +, Tony Finch wrote:
> 
> lame-servers is also a log category, and tends to be quite noisy
> about
> various problems :-)

Turns out I do already have lame server logging enabled.  I.e.:

20-Jan-2018 12:01:37.053 lame server resolving 'backup-ns.yn.cninfo.net' (in 
'yn.cninfo.net'?): 202.98.160.68#53
20-Jan-2018 12:01:37.054 lame server resolving 'backup-ns.yn.cninfo.net' (in 
'yn.cninfo.net'?): 202.98.160.68#53

But there isn't a single lame server message with "google" anywhere in
it.

This problem is really not looking like a lame delegation issue,
wouldn't you agree?

Any further ideas?

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 16:10 +, Tony Finch wrote:
> 
> You should make sure it is enabled, because there are vital clues in
> those
> log lines :-)

But they will only occur if there is some lameness with the ns[1-
4].google.com records and that will already be reported with lame:n in
the "fetch completed at resolver.c" lines won't they, or am I
completely misunderstanding something here?

> Yes, and you should track down when they occur and look for other
> error
> indications areound that time.

So, over the last week of tracing I have only these lines which match
"fetch completed at resolver.c:[0-9]* for ns[1-4].google.com":

19-Jan-2018 09:41:53.347 fetch completed at resolver.c:7492 for 
ns4.google.com/ in 0.042154: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:41:53.350 fetch completed at resolver.c:7492 for 
ns2.google.com/ in 0.042019: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:41:53.356 fetch completed at resolver.c:7492 for 
ns3.google.com/ in 0.043881: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:41:53.362 fetch completed at resolver.c:7492 for 
ns1.google.com/ in 0.047039: success/success 
[domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

None of them show any lame servers.

Wouldn't I see occurrences of those with lame:n if there were any
lameness?

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote:
> 
> The thing to look out for is the minutes before the outage starts -
> see
> what kind of failures you get.

So, taking this approach, looking for the first occurrence of just any
one of the names ns[1-4].google.com prior to the A/ queries that
are in http://brian.interlinx.bc.ca/named.run.log starting at:

19-Jan-2018 18:04:50.785 createfetch: ns1.google.com A

(which end up resulting in the SERVFAIL for www.google.com/IN/A) the
first previous occurrence of just any one of those names is:

19-Jan-2018 17:48:59.122 resquery 0x7f10102ecd50 (fctx 
0x7f10102e5dc0(lh4.ggpht.com/)): response
19-Jan-2018 17:48:59.122 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   3024
;; flags: qr cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lh4.ggpht.com. IN  

;; AUTHORITY SECTION:
ggpht.com.  172800  IN  NS  ns2.google.com.
ggpht.com.  172800  IN  NS  ns1.google.com.
ggpht.com.  172800  IN  NS  ns3.google.com.
ggpht.com.  172800  IN  NS  ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - 
CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 
20180124054922 20180117043922 46967 com. 
pjslTFtda4UfkpJtO9rbVmzSRQ+JslWRuBl/r0tkeyX4nBA8wjOIQjCH DJl+C6CA8TMW
lO9dfx5ZHM2s59N/XfQG3fp2N68bf3rhSp5OwUEVy205 
6LMbiiW7wjp0MEQOGorvf29kS6ApuZHGOseP5HQrAIBO4XxZvomAPME+ Q1c=
FGFB71PIIJ5JUGA7GFUQ06ANFUVDRKBA.com. 86400 IN NSEC3 1 1 0 - 
FGFGQ2SH7LNK03PV0R76S8B47TPVJK59 NS DS RRSIG
FGFB71PIIJ5JUGA7GFUQ06ANFUVDRKBA.com. 86400 IN RRSIG NSEC3 8 2 86400 
20180125052147 20180118041147 46967 com. 
DkAophVbTjntmUtcj2HIiigTv5yxlNuTIAGWgXY+W9QhAJp4UUYpqxOe jmyxVEUtfYqS
3ANVWz7EI+ucYS1CE8UKuWUx4eGAz8F/YbN/KA5cvxWO 
SEqri5Lg3W2MjiB/DXXFI/WrnmuLPNIQdDZD2H1lQ56CTUAL0pPpDby9 788=

;; ADDITIONAL SECTION:
ns2.google.com. 172800  IN  A   216.239.34.10
ns1.google.com. 172800  IN  A   216.239.32.10
ns3.google.com. 172800  IN  A   216.239.36.10
ns4.google.com. 172800  IN  A   216.239.38.10

I realize this query result has nothing to do with www.google.com, but
it is the first occurrence of just any of the names ns[1-4].google.com
prior to the start of the subsequent SERVFAIL processing that starts at
18:04:50.785 and it's more than 10 minutes prior to the SERVFAIL.

That seems to indicate that nothing at all to do with any of the names
ns[1-4].google.com happens for more than 10 minutes before a SERVFAIL
is returned for www.google.com, right?  Nothing at all happens that
could result in any of those names being lame, right?

Cheers,
b.



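The two checks in the last two posts above, grepping "fetch completed" lines for a non-zero lame:n counter and looking for the last activity on ns[1-4].google.com in the minutes before a SERVFAIL, can be done in one pass over the trace log. The following Python is an added example, not code from the thread or from ISC; the log lines embedded in it are constructed to match the format quoted in the thread (with the mailer's line wrapping undone), and the function names are chosen here.

```python
import re
from datetime import datetime, timedelta

# Added example, not code from the thread or from ISC. Parses BIND resolver
# trace lines of the form
#   <ts> fetch completed at resolver.c:NNNN for <name>/<type> in <secs>: <res>/<vres> [tag:val,...]
# and flags fetches that did not succeed or that hit lame servers. Lines must
# be unwrapped; the copies quoted in the thread were wrapped by the mailer.

TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"
TS_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")
FETCH_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"fetch completed at resolver\.c:\d+ for (?P<name>[^/\s]+)/(?P<rtype>[A-Z0-9]+) "
    r"in (?P<secs>[\d.]+): (?P<result>\w+)/(?P<vresult>\w+) "
    r"\[(?P<tags>[^\]]*)\]\s*$"
)


def parse_fetch(line):
    """Return a dict for a 'fetch completed' line, or None for any other line."""
    m = FETCH_RE.match(line.strip())
    if m is None:
        return None
    fetch = {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "name": m.group("name"),
        "rtype": m.group("rtype"),
        "secs": float(m.group("secs")),
        "result": m.group("result"),
        "vresult": m.group("vresult"),
    }
    # The bracketed tail is a list of counters ("lame:0") plus the zone that
    # answered ("domain:com"); keep numeric values as ints, the rest as text.
    for item in m.group("tags").split(","):
        key, _, value = item.partition(":")
        fetch[key] = int(value) if value.isdigit() else value
    return fetch


def problem_fetches(lines):
    """Fetches that did not succeed or whose lame counter is non-zero."""
    found = []
    for line in lines:
        fetch = parse_fetch(line)
        if fetch and (fetch["result"] != "success" or fetch.get("lame", 0) > 0):
            found.append(fetch)
    return found


def events_before(lines, when, window_seconds, pattern):
    """Timestamped lines in [when - window, when) whose text matches pattern.
    Lines without a leading timestamp (packet dump bodies) are skipped."""
    pat = re.compile(pattern)
    start = when - timedelta(seconds=window_seconds)
    hits = []
    for line in lines:
        m = TS_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        if start <= ts < when and pat.search(line):
            hits.append(line)
    return hits


# Constructed sample, modelled on the lines quoted in the thread; the
# in-addr.arpa name uses a documentation address (192.0.2.1).
SAMPLE_LOG = """\
18-Jan-2018 11:12:47.103 fetch completed at resolver.c:3074 for 1.2.0.192.in-addr.arpa/PTR in 0.000744: failure/success [domain:2.0.192.in-addr.arpa,referral:0,restart:1,qrysent:0,timeout:0,lame:1,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:41:53.347 fetch completed at resolver.c:7492 for ns4.google.com/AAAA in 0.042154: success/success [domain:google.com,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 17:48:59.122 resquery 0x7f10102ecd50 (fctx 0x7f10102e5dc0(lh4.ggpht.com/AAAA)): response
19-Jan-2018 18:04:50.785 createfetch: ns1.google.com A
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
19-Jan-2018 18:04:51.330 fetch completed at resolver.c:7415 for www.google.com/A in 0.547099: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
""".splitlines()

if __name__ == "__main__":
    problems = problem_fetches(SAMPLE_LOG)
    for f in problems:
        print(f"{f['ts']} {f['name']}/{f['rtype']}: {f['result']} "
              f"lame={f.get('lame', 0)} domain={f.get('domain', '?')}")
    # What touched the google.com nameservers in the 20 minutes before the SERVFAIL?
    for line in events_before(SAMPLE_LOG, problems[-1]["ts"], 1200, r"ns[1-4]\.google\.com"):
        print("before SERVFAIL:", line)
```

Running it on a real named.run would be `problem_fetches(open("named.run"))` after joining any wrapped lines; the referral:1 / qrysent:0 combination on a SERVFAIL line is the signature seen later in this thread (a referral was received but no further query was sent).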
Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 12:45 +, Tony Finch wrote:
> 
> They'll have a log category of edns-disabled.

But if the problem were EDNS, would it be so intermittent and always
fixable by rndc reload?

> But, looking through the
> code, if this is leading to lameness you will also get lame-servers
> log
> messages.

So just looking for lame servers will cover EDNS issues also then,
right?

> lame-servers is also a log category, and tends to be quite noisy
> about
> various problems :-)

Yeah.  Must be disabled by default on EL7 I would guess, just because
it's so noisy.

> The tagged values there are various kinds of things that happened
> when
> resolving; the lame: tag is a count of the lame servers that were
> encountered, including both newly discovered lame servers and cached
> lame
> servers.

So, if lame servers were a problem with resolving ns[1-4].google.com,
then I would see messages like in my previous message with a lame:n tag
where n > 0, yes?

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote:
> 
> That indicates that it has already marked the servers as lame, so the
> packet trace isn't going to tell you what caused the lameness.

OK.

> The thing to look out for is the minutes before the outage starts -
> see
> what kind of failures you get.
> 
> Also, check the logs for EDNS

What do EDNS problem messages look like?  Just something to grep for I
mean.

> or lame-servers complaints

Does the "lame:1" in this message indicate lameness:

18-Jan-2018 11:12:47.103 fetch completed at resolver.c:3074 for 
149.243.194.103.in-addr.arpa/PTR in 0.000744: failure/success 
[domain:243.194.103.in-addr.arpa,referral:0,restart:1,qrysent:0,timeout:0,lame:1,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Of course, that one is irrelevant to my situation, I'm just using it as
an example of how to find lame delegations.

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-20 Thread Brian J. Murrell
OK.  I now have named trace logging

http://brian.interlinx.bc.ca/named.run.log

and a packet dump:

http://brian.interlinx.bc.ca/dns-packets.txt

that demonstrates how BIND is getting .com referrals from the root
servers when doing a query for www.google.com and then doing nothing
with those referrals before returning a SERVFAIL.

The packet trace also shows that BIND queried ns2.google.com for an RR:

18:04:42.444669 IP server.interlinx.bc.ca.8727 > ns2.google.com.domain: 4359% 
[1au] ? playatoms-pa.googleapis.com. (56)
18:04:42.491612 IP ns2.google.com.domain > server.interlinx.bc.ca.8727: 4359*- 
2/0/0 CNAME googleapis.l.google.com.,  2607:f8b0:400b:80e::200a (107)
18:04:42.494681 IP server.interlinx.bc.ca.21592 > ns2.google.com.domain: 50060% 
[1au] ? googleapis.l.google.com. (52)
18:04:42.541496 IP ns2.google.com.domain > server.interlinx.bc.ca.21592: 
50060*- 1/0/0  2607:f8b0:400b:808::200a (69)

only 9 seconds before returning a SERVFAIL on another name that same
server is authoritative for, so it had data for at least one of the
servers that are authoritative for the domain.  Yet only 8 seconds
later it starts looking for its IP address again.

At 18:04:50.805 it started the A and  queries for ns2.google.com:

19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): start
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): try
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): cancelqueries
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): getaddresses
19-Jan-2018 18:04:50.805 fctx 0x7f10230b1950(ns2.google.com/A): query
19-Jan-2018 18:04:50.805 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): send
19-Jan-2018 18:04:50.806 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): sent
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): start
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): try
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): cancelqueries
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): getaddresses
19-Jan-2018 18:04:50.807 fctx 0x7f102309d0d0(ns2.google.com/): query
19-Jan-2018 18:04:50.807 resquery 0x7f10230b68e0 (fctx 
0x7f102309d0d0(ns2.google.com/)): send
19-Jan-2018 18:04:50.807 resquery 0x7f10230b68e0 (fctx 
0x7f102309d0d0(ns2.google.com/)): sent
19-Jan-2018 18:04:50.808 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): udpconnected
19-Jan-2018 18:04:50.808 resquery 0x7f10230b60d0 (fctx 
0x7f10230b1950(ns2.google.com/A)): senddone
19-Jan-2018 18:04:50.808 resquery 0x7f10230b68e0 (fctx 
0x7f102309d0d0(ns2.google.com/)): udpconnected

At 18:04:51.236 it got the referral to the .com servers:

19-Jan-2018 18:04:51.236 fctx 0x7f102309d0d0(ns2.google.com/): sendevents
19-Jan-2018 18:04:51.236 resquery 0x7f10230b60d0 (fctx
0x7f10230b1950(ns2.google.com/A)): response
19-Jan-2018 18:04:51.236 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   9693
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns2.google.com.IN  A

;; AUTHORITY SECTION:
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
com.86400   IN  DS  30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.86400   IN  RRSIG   DS 8 1 86400 2018020120 
2018011919 41824 . kw9YN9f0zLsasR4xqRWC5zNwOlfhY7/1WwhfHnJpqpUpZok9MPefvv8q 
JpAG4ZVed57r4oZzv0dB1l3fu+dEZi7UFS1xX6H0GFxGDYrpLuXR4Emn 
+1ih6zIM/iWE0O6H7ElgTvgs4tZNJ7n2BX4keEAtCCSa0j9OtEYAlxHx 
SZumcmDxb/btwTmuT9BfxXj0UeJ/96rud5jfuz+fi6cF8fuiy728262G 
FjjzjjO8T1qqPcRlDDm41JXe5D0XmKV13T+I2bSaRHp5HSp0TV2p3mGH 
2UobkPZ9pUpGvCwgsNaxjyCBVosnOUbQJ2uKQUQlkrMqQakDjvvPcT1h OgqYMA==

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800  IN  A   192.5.6.30
a.gtld-servers.net. 172800  IN  2001:503:a83e::2:30
b.gtld-servers.net. 172800  IN  A   192.33.14.30
b.gtld-servers.net. 172800  IN  

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-19 Thread Brian J. Murrell
On Fri, 2018-01-19 at 15:22 +, Tony Finch wrote:
> 
> You don't have any weird middleboxes between your resolver and the
> Internet, do you?

I don't believe so.  Not entirely sure what "weird middleboxes" refers
to in this context though.  And by resolver are you referring to my
BIND9 server or the resolvers on the clients of that server?

I've added packet capturing to the debug collection so that I can see
what my BIND9 server is sending and receiving in the way of queries and
responses when this happens again.

Cheers,
b.



Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-19 Thread Brian J. Murrell
On Fri, 2018-01-19 at 14:54 +, Tony Finch wrote:
> 
> Those responses look like referrals from the root servers to the .com
> servers;

Ahhh.  Right.  That makes sense.

> I would expect you to see `named` repeating the queries as it
> follows the iterative resolution algorithm.

Indeed.  I will look further down the log then...

So, between that initial:

19-Jan-2018 09:06:18.893 resquery 0x7f1010f3bd90 (fctx 
0x7f1010f23d90(www.google.com/A)): response

is just the referrals to .com for that query and the referrals to .com
for the subsequent ns[1-4].google.com queries before we get to:

19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): query 
failed (SERVFAIL) for www.google.com/IN/A at query.c:7007
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): error
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): send
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): sendto
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): senddone
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): next
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): 
ns_client_detach: ref = 0
19-Jan-2018 09:06:18.967 client 10.75.22.32#21585 (www.google.com): endrequest
19-Jan-2018 09:06:18.967 fetch completed at resolver.c:7415 for 
www.google.com/A in 0.547099: SERVFAIL/success 
[domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
19-Jan-2018 09:06:18.967 fetch 0x7f1012541cd0 (fctx 
0x7f1010f23d90(www.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): query failed 
(SERVFAIL) for www.google.com/IN/A at query.c:7007
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): error
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): send
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): sendto
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): senddone
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): next
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): 
ns_client_detach: ref = 0
19-Jan-2018 09:06:18.967 client 10.75.22.32#1145 (www.google.com): endrequest
19-Jan-2018 09:06:18.968 fetch 0x7f102c5def88 (fctx 
0x7f1010f23d90(www.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010f23d90(www.google.com/A): shutdown
19-Jan-2018 09:06:18.968 fetch 0x7f10125423f0 (fctx 
0x7f1010d86e80(ns1.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010d86e80(ns1.google.com/A): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns1.google.com' A failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: skipping find 0x7f10228d7630
19-Jan-2018 09:06:18.968 fetch 0x7f10191e91e8 (fctx 
0x7f1010d88a40(ns1.google.com/)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010d88a40(ns1.google.com/): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns1.google.com'  failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: processing find 0x7f10228d7630
19-Jan-2018 09:06:18.968 sending event 0x7f10228d76b8 to task 0x7f10247a2f10 
for find 0x7f10228d7630
19-Jan-2018 09:06:18.968 fetch 0x7f102069a2d0 (fctx 
0x7f1010a83a60(ns2.google.com/A)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010a83a60(ns2.google.com/A): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns2.google.com' A failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: skipping find 0x7f10208679e0
19-Jan-2018 09:06:18.968 fetch 0x7f10206998b0 (fctx 
0x7f1010a83ea0(ns2.google.com/)): destroyfetch
19-Jan-2018 09:06:18.968 fctx 0x7f1010a83ea0(ns2.google.com/): shutdown
19-Jan-2018 09:06:18.968 adb: fetch of 'ns2.google.com'  failed: SERVFAIL
19-Jan-2018 09:06:18.968 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.968 cfan: processing find 0x7f10208679e0
19-Jan-2018 09:06:18.968 sending event 0x7f1020867a68 to task 0x7f10247a2f10 
for find 0x7f10208679e0
19-Jan-2018 09:06:18.968 fetch 0x7f102112d400 (fctx 
0x7f1010b6bee0(ns3.google.com/)): destroyfetch
19-Jan-2018 09:06:18.970 fctx 0x7f1010b6bee0(ns3.google.com/): shutdown
19-Jan-2018 09:06:18.970 adb: fetch of 'ns3.google.com'  failed: SERVFAIL
19-Jan-2018 09:06:18.970 DNS_EVENT_ADBNOMOREADDRESSES
19-Jan-2018 09:06:18.970 cfan: skipping find 0x7f102309fc10
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): query failed (SERVFAIL) for wifi-test.mobidia.com/IN/A 
at query.c:7007
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): error
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): send
19-Jan-2018 09:06:18.971 client fd31:aeb1:48df:0:e5f4:253a:6c1f:b73d#16975 
(wifi-test.mobidia.com): sendto

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-19 Thread Brian J. Murrell
On Thu, 2018-01-18 at 17:46 +, Tony Finch wrote:
> Brian J. Murrell <br...@interlinx.bc.ca> wrote:
> > On Thu, 2018-01-18 at 15:41 +, Tony Finch wrote:
> > >
> > > The default is 10 minutes - try reducing it and see if the outage
> > > becomes shorter.
> >
> > If it does, what is that telling me?
> 
> My hypothesis here is that `named` has marked all the nameservers for
> the
> domain that is failing as lame, so it no longer has anywhere to send
> queries for the domain, so it returns a SERVFAIL.

Seems this might be the case.  Using a trace level of 11, when a
failure starts this seems to be the trail...

19-Jan-2018 09:06:18.893 resquery 0x7f1010f3bd90 (fctx 
0x7f1010f23d90(www.google.com/A)): response
19-Jan-2018 09:06:18.893 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  25156
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;www.google.com.IN  A

;; AUTHORITY SECTION:
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
com.86400   IN  DS  30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.86400   IN  RRSIG   DS 8 1 86400 2018020105 
2018011904 41824 . IwT0e9jOKKgASgCQXGsryxFFeN5R0e/HPGCzQuD7rhtCYg4UywLcJ9A1 
Ftn0drh2mggBE5wWX90dc5u26P8Gt1jkJ8XbxyjNHA5uTmakjVnGGOZ+ 
9N/6JMtDApT4F6q/3EN8dkctxWvEe9uph8dFR1Uj0aqCNS3aQ0ge4LkS 
JPfRQ2FIQCQxsh+Ts2hdiC6mThpWoFmwmfBxGPu/NsS92/iA5EaP4ZOK 
oIRqrvgyV4PrTDJM8StJJk9qw7z78RC+3/RfEsnwICXKptIGE4AekqIa 
RiVhkTrXhCZAibab5gtqkCkWZ6kF1/6Xbcjexj4VHL+FxqlQCec6CUcz Wpt/DA==

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800  IN  A   192.5.6.30
a.gtld-servers.net. 172800  IN  2001:503:a83e::2:30
b.gtld-servers.net. 172800  IN  A   192.33.14.30
b.gtld-servers.net. 172800  IN  2001:503:231d::2:30
c.gtld-servers.net. 172800  IN  A   192.26.92.30
c.gtld-servers.net. 172800  IN  2001:503:83eb::30
d.gtld-servers.net. 172800  IN  A   192.31.80.30
d.gtld-servers.net. 172800  IN  2001:500:856e::30
e.gtld-servers.net. 172800  IN  A   192.12.94.30
e.gtld-servers.net. 172800  IN  2001:502:1ca1::30
f.gtld-servers.net. 172800  IN  A   192.35.51.30
f.gtld-servers.net. 172800  IN  2001:503:d414::30
g.gtld-servers.net. 172800  IN  A   192.42.93.30
g.gtld-servers.net. 172800  IN  2001:503:eea3::30
h.gtld-servers.net. 172800  IN  A   192.54.112.30
h.gtld-servers.net. 172800  IN  2001:502:8cc::30
i.gtld-servers.net. 172800  IN  A   192.43.172.30
i.gtld-servers.net. 172800  IN  2001:503:39c1::30
j.gtld-servers.net. 172800  IN  A   192.48.79.30
j.gtld-servers.net. 172800  IN  2001:502:7094::30
k.gtld-servers.net. 172800  IN  A   192.52.178.30
k.gtld-servers.net. 172800  IN  2001:503:d2d::30
l.gtld-servers.net. 172800  IN  A   192.41.162.30
l.gtld-servers.net. 172800  IN  2001:500:d937::30
m.gtld-servers.net. 172800  IN  A   192.55.83.30
m.gtld-servers.net. 172800  IN  2001:501:b1f9::30


19-Jan-2018 09:06:18.894 fctx 0x7f1010f23d90(www.google.com/A): 
noanswer_response
19-Jan-2018 09:06:18.894 log_ns_ttl: fctx 0x7f1010f23d90: noanswer_response: 
www.google.com (in '.'?): 1 518400
19-Jan-2018 09:06:18.894 log_ns_ttl: fctx 0x7f1010f23d90: DELEGATION: 
www.google.com (in 'com'?): 0 518400
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): cache_message
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): cancelquery
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): nameservers now 
above QDOMAIN
19-Jan-2018 09:06:18.895 fctx 0x7f1010f23d90(www.google.com/A): done
19-Jan-2018 09:06:18.896 fctx 0x7f1010f23d90(www.google.com/A): stopeverything
19-Jan-2018 09:

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-18 Thread Brian J. Murrell
On Thu, 2018-01-18 at 15:41 +, Tony Finch wrote:
> 
> Does the time to recovery correspond to the lame-ttl setting?

I am not sure.  I'm not always aware of when it starts.  I guess if I
am running a trace level permanently the log would tell me though.

> The default
> is 10 minutes - try reducing it and see if the outage becomes
> shorter.

If it does, what is that telling me?  The problem domains are listing
NSes that don't actually host the zone?  I thought named normally
logged lame delegations but I don't see a single one in the last few
days.

That said, if such a high-visibility domain as Google's were
misconfigured, it would be wreaking havoc all over the Internet and
drawing lots of attention, wouldn't it?

> When you have a failure, try `rndc flushtree` to more selectively
> drop
> problematic state - you might have to find out the nameservers of the
> broken domain and flush them. (The google.com nameservers are under
> google.com; GitHub's are under dynect.net and a bunch of awsdns
> domains.)

rndc flushtree takes a domain name though doesn't it?  In what case
would I need to find nameservers?

So, when I do rndc reload am I flushing the cache?  :-(

> Look at the end of the dump - the address database,

; Address database dump
...
; ns3.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]
; ns2.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]
; ns1.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]
; ns4.google.com [v4 TTL 7] [v6 TTL 7] [v4
failure] [v6 failure]

> bad cache,

Empty.

> and
> servfail cache.

Non-existent section in my database dump.

> > Do I need tracing enabled before the situation happens?
> 
> That will make it a lot easier, yes :-)
> 
> > What level (how many "rndc trace"s should I run)?
> 
> You can specify a number directly, like `rndc trace 11` - level 11 is
> handy because it includes query and response packet dumps (er, but
> that
> is a 9.11 feature - in 9.9 you'll only get the response packets).

I'll set that trace now and hope to hit the problem again soon --
before I fill up my filesystem.  :-)

Cheers,
b.


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
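The address-database excerpt Brian pasted is the part of a dump worth reading first when chasing this kind of SERVFAIL: every address family of every google.com nameserver is marked failure. Here is an added example (not code from this thread or from ISC) that parses the "; Address database dump" section of a named_dump.db and lists the nameservers in that state. The sample dump is constructed to match the shape of the excerpt above; the status words other than "failure" and the indented per-address detail line are assumptions about the dump format.

```python
"""List nameservers marked 'failure' in the address database of a BIND named_dump.db.

Added example, not code from this thread or from ISC. SAMPLE_DUMP is constructed to
match the shape of the excerpt in the thread; the status words other than 'failure'
and the indented per-address detail lines are assumptions about the dump format.
"""
import re

# Constructed sample in the shape of 'rndc dumpdb' output (not a real dump).
SAMPLE_DUMP = """\
; Address database dump
;
; ns3.google.com [v4 TTL 7] [v6 TTL 7] [v4 failure] [v6 failure]
; ns2.google.com [v4 TTL 7] [v6 TTL 7] [v4 failure] [v6 failure]
; ns1.example.net [v4 TTL 1800] [v6 TTL 1800] [v4 success] [v6 unexpected]
;   192.0.2.53 [srtt 1200] [flags 00000000] [ttl 1799]
; ns2.example.net [v4 TTL 1800] [v6 TTL 1800] [v4 success] [v6 success]
;
; Bad cache
"""

# A nameserver line: '; <name> [..] [..] ...'; the indented detail lines and the
# next section header ('; Bad cache') do not match this pattern.
SERVER_RE = re.compile(r"^; (?P<name>\S+) (?P<flags>(?:\[[^\]]*\]\s*)+)$")
FLAG_RE = re.compile(r"\[(v4|v6) (TTL (\d+)|[a-z]+)\]")


def parse_address_db(dump_text):
    """Return {nameserver: {"v4": {"ttl": .., "status": ..}, "v6": {...}}}."""
    servers = {}
    in_section = False
    for line in dump_text.splitlines():
        if line.startswith("; Address database dump"):
            in_section = True
            continue
        if not in_section or line.strip() in ("", ";"):
            continue
        m = SERVER_RE.match(line)
        if m is None:
            if line.startswith(";  "):      # indented per-address detail line, skip
                continue
            break                            # a different section begins
        entry = {"v4": {"ttl": None, "status": None},
                 "v6": {"ttl": None, "status": None}}
        for family, value, ttl in FLAG_RE.findall(m.group("flags")):
            if ttl:
                entry[family]["ttl"] = int(ttl)
            else:
                entry[family]["status"] = value
        servers[m.group("name")] = entry
    return servers


def failed_nameservers(dump_text):
    """(name, [families]) for every nameserver with at least one family in 'failure'."""
    result = []
    for name, families in parse_address_db(dump_text).items():
        failed = [f for f in ("v4", "v6") if families[f]["status"] == "failure"]
        if failed:
            result.append((name, failed))
    return result


def unreachable_nameservers(dump_text):
    """Nameservers with both v4 and v6 marked failure: the resolver has nothing left to
    try for them, which is the state to look for when chasing intermittent SERVFAILs."""
    return [name for name, failed in failed_nameservers(dump_text) if len(failed) == 2]


if __name__ == "__main__":
    for name, failed in failed_nameservers(SAMPLE_DUMP):
        print(f"{name}: failed {', '.join(failed)}")
```

Run it against a real dump by reading the file into `SAMPLE_DUMP`'s place; the parser stops at the first line that is neither a nameserver line nor an indented detail line, so the bad cache and SERVFAIL cache sections that follow are not misread as nameservers.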

intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-17 Thread Brian J. Murrell
I have a BIND (9.9.4)[1] server that runs well most of the time, but
periodically it will start returning SERVFAIL for very high-level
domains such as *.google.com, *.gstatic.com, *.github.com, etc.  It
seems to happen most frequently with Google domains, but I wonder if
that is just a reflection on the percentage of queries I have for those
here.

In any case when this happens, it will last a few minutes until it
resolves itself and/or I issue an "rndc reload".  That always seems to
correct it if I don't care to wait it out.

I'm wondering what the steps are to try to get to the bottom of this.

I have a db dump (rndc dumpdb) as well as some trace (rndc trace x10)
while this is happening.  Is this enough?  If so, what should I look
for as a cause of the SERVFAILs?

If not, what more do I need to collect?  Do I need tracing enabled
before the situation happens?  What level (how many "rndc trace"s
should I run)?

Very grateful for any help.

Cheers,
b.



Re: Recommended values for a zone

2018-01-03 Thread Mik J via bind-users
Thank you Bob for your answer. I continued to search and saw RFC 1912 page 4. It's much higher than I first thought.

 

On Wednesday, 3 January 2018 at 20:05:57 UTC+1, Bob Harold <rharo...@umich.edu> wrote:
 
 
On Wed, Jan 3, 2018 at 1:57 PM, Mik J via bind-users <bind-users@lists.isc.org> 
wrote:

Hello,
I would like to have your thoughts about what should be the best values for refresh, retry, expire and negative cache.
In my case I have 2 DNS which are hosted in 2 different locations. These locations are near one another (100 km). The latency is very low and packet loss is 0. I configured a lot of zones on my DNS and they are not master for someone else. This is a very simple setup in terms of master/slave.
I would be tempted to:
* configure a high refresh period since I have notify configured on the master. What about 7200s ?
* configure a high retry period because I don't expect the master to be offline, what about 3600 ?
* configure a very high expire like 2 days so that the DNS service would work even if the master is down
* I don't have any opinion about the negative TTL yet but any advice is welcome.
What about your setups if it looks like mine ?
Regards


I typically use an expire time of 14 days or a month.  But that said, you need some way to get notified that zone transfers are failing. The refresh and retry are ok, but personally I would set them lower because they don't generate a lot of traffic, and a notify could get lost.  It depends on how sensitive you are to extra traffic.
Negative TTL depends partly on how fast you want new (or accidentally deleted) records to be usable.  I use 10 minutes.
-- Bob Harold

Recommended values for a zone

2018-01-03 Thread Mik J via bind-users
Hello,
I would like to have your thoughts about what should be the best values for refresh, retry, expire and negative cache.
In my case I have 2 DNS which are hosted in 2 different locations. These locations are near one another (100 km). The latency is very low and packet loss is 0. I configured a lot of zones on my DNS and they are not master for someone else. This is a very simple setup in terms of master/slave.
I would be tempted to:
* configure a high refresh period since I have notify configured on the master. What about 7200s ?
* configure a high retry period because I don't expect the master to be offline, what about 3600 ?
* configure a very high expire like 2 days so that the DNS service would work even if the master is down
* I don't have any opinion about the negative TTL yet but any advice is welcome.
What about your setups if it looks like mine ?
Regards
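The timers Mik proposes and the ranges Bob answers with (expire of 14 days or a month, 10-minute negative TTL) are easy to check mechanically. Here is an added example (not code from this thread) that parses an SOA record in the usual parenthesised zone-file form, accepts BIND's unit suffixes, and flags timer choices that hurt secondaries or resolvers: retry not shorter than refresh, expire not comfortably beyond refresh + retry, expire below the 2-week floor RFC 1912 recommends, and a negative cache TTL above the one day RFC 2308 warns against. The SOA text is constructed from the values in the thread with placeholder names.

```python
"""Sanity-check SOA timers against the ordering rules and the RFC 1912 / RFC 2308 ranges.

Added example, not code from this thread. The SOA record below is constructed from the
values proposed in the thread (refresh 7200, retry 3600, expire 2 days, 10-minute
negative TTL); the zone and host names are placeholders.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# owner [ttl] [IN] SOA mname rname <serial refresh retry expire minimum>
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<timers>.*)$",
    re.IGNORECASE,
)

# Constructed sample (placeholder names): Mik's proposed timers with Bob's negative TTL.
MIK_SOA = """\
mydomain.example.  IN SOA ns1.mydomain.example. hostmaster.mydomain.example. (
        2018010301 ; serial
        7200       ; refresh: notify is configured on the master
        3600       ; retry
        2d         ; expire
        10m )      ; negative cache TTL
"""


def parse_ttl(token):
    """Seconds from a BIND time value: plain seconds or unit suffixes, combinable ('1w2d3h')."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    if not re.fullmatch(r"(?:\d+[smhdw])+", token):
        raise ValueError(f"bad time value: {token!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", token))


def parse_soa(record_text):
    """Parse a one-line or parenthesised multi-line SOA record into a dict."""
    body = " ".join(line.split(";", 1)[0] for line in record_text.splitlines())
    body = body.replace("(", " ").replace(")", " ").strip()
    m = SOA_RE.match(body)
    if m is None:
        raise ValueError("not an SOA record")
    fields = m.group("timers").split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 SOA numbers, got {len(fields)}")
    serial, refresh, retry, expire, minimum = fields
    return {
        "owner": m.group("owner"), "mname": m.group("mname"), "rname": m.group("rname"),
        "serial": int(serial), "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
        "expire": parse_ttl(expire), "minimum": parse_ttl(minimum),
    }


def check_soa_timers(soa):
    """Warnings for timer choices that hurt secondaries or resolvers."""
    refresh, retry = soa["refresh"], soa["retry"]
    expire, minimum = soa["expire"], soa["minimum"]
    warnings = []
    if retry >= refresh:
        warnings.append("retry should be shorter than refresh")
    if expire <= refresh + retry:
        warnings.append("expire must exceed refresh + retry, or one missed cycle expires the zone")
    if expire < 2 * UNITS["w"]:
        warnings.append(f"expire {expire}s is below the 2-week floor RFC 1912 recommends "
                        "(a long outage of the master would take the zone offline)")
    if minimum > UNITS["d"]:
        warnings.append("negative cache TTL above one day (RFC 2308 suggests 1-3 hours)")
    return warnings


if __name__ == "__main__":
    soa = parse_soa(MIK_SOA)
    for w in check_soa_timers(soa) or ["timers look reasonable"]:
        print(w)
```

On Mik's values only the 2-day expire is flagged; replacing it with `2w` (Bob's 14 days) clears the report, while setting retry equal to refresh produces the ordering warning.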

Re: DNS Flag signification in Syslog

2017-08-18 Thread Mik J via bind-users
Thank you very much Mark for your quick answer
 

On Friday 18 August 2017 13:46, Mark Andrews <ma...@isc.org> wrote:
 

 
In message <1744062904.346000.1503053675...@mail.yahoo.com>, Mik J via 
bind-users writes:
> Hello,
> Do you know where I can find the signification of DNS syslog messages ?

In the Administrators Reference Manual

https://ftp.isc.org/isc/bind9/9.11.2/doc/arm/Bv9ARM.pdf

Search for querylog

> client x.x.x.x#64111 (webmail.google.NET): query: webmail.google.NET
> IN  + (y.y.y.y)=> I'm looking for the signification of the +
> client z.z.z.z#39953 (www.mydomain.org): query: www.mydomain.org IN
> A -ED (y.y.y.y)=> I'm looking for the signification of the -EC
> Thank you

The query log entry first reports a client object identifier in
@0x format. Next, it reports the client’s IP
address and port number, and the query name, class and type. Next,
it reports whether the Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S), EDNS was in used along
with the EDNS version number (E(#)), if TCP was used (T), if DO
(DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if
a valid DNS Server COOKIE was received (V), or if a DNS COOKIE
option without a valid Server COOKIE was present (K). After this
the destination address the query was sent to is reported.

client 127.0.0.1#62536 (www.example.com): query: www.example.com IN  +SE
client ::1#62537 (www.example.net): query: www.example.net IN  -SE

(The first part of this log message, showing the client address/port
number and query name, is repeated in all subsequent log messages
related to the same query.)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                INTERNET: ma...@isc.org


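The flag field Mark describes above is compact enough to misread by eye across thousands of lines, so here is an added example (not code from this thread or from ISC) that decodes query-log lines of that shape into structured records and summarises them by transport, RD, DNSSEC OK and query type. The sample lines are constructed. A bare "E" without a version number, as in the 9.x log Mik posted, is taken as EDNS with unknown version (an assumption), and the optional "client @0x... " object identifier is handled when present.

```python
"""Decode BIND query-log lines into structured records and summarise them.

Added example, not code from this thread or from ISC. The flag letters follow the ARM
excerpt quoted in the thread (+/- RD, S, E(#), T, D, C, V, K). SAMPLE_LOG is constructed;
a bare 'E' with no version number is treated as EDNS with unknown version (assumption).
"""
import re
from collections import Counter

QUERY_RE = re.compile(
    r"client (?:(?P<obj>@0x[0-9a-f]+) )?"
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname_shown>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*)(?: \((?P<dest>[^)]*)\))?"
)

# Constructed sample lines (documentation addresses, not real clients).
SAMPLE_LOG = [
    "18-Aug-2017 13:40:01.123 queries: info: client @0x7f3c5c0a9e60 192.0.2.10#64111 "
    "(webmail.example.net): query: webmail.example.net IN A + (198.51.100.1)",
    "client 192.0.2.20#39953 (www.example.org): query: www.example.org IN A -ED (198.51.100.1)",
    "client 2001:db8::5#62537 (www.example.com): query: www.example.com IN AAAA +SE(0)TDC (198.51.100.1)",
    "client 192.0.2.30#5353 (example.net): query: example.net IN ANY +EV (198.51.100.1)",
    "18-Aug-2017 13:40:02.000 general: info: zone example.net/IN: loaded serial 1",
]


def decode_flags(flags):
    """Expand a flag string such as '+SE(0)TDC' per the ARM description."""
    info = {"rd": flags[0] == "+", "signed": False, "edns": False, "edns_version": None,
            "tcp": False, "do": False, "cd": False, "cookie": None}
    i = 1
    while i < len(flags):
        c = flags[i]
        if c == "S":
            info["signed"] = True
        elif c == "E":
            info["edns"] = True
            m = re.match(r"E\((\d+)\)", flags[i:])
            if m:                          # 9.11-style 'E(0)' carries the EDNS version
                info["edns_version"] = int(m.group(1))
                i += len(m.group(0)) - 1
        elif c == "T":
            info["tcp"] = True
        elif c == "D":
            info["do"] = True
        elif c == "C":
            info["cd"] = True
        elif c == "V":
            info["cookie"] = "valid"       # valid DNS Server COOKIE received
        elif c == "K":
            info["cookie"] = "invalid"     # COOKIE option without a valid Server COOKIE
        else:
            raise ValueError(f"unknown query flag {c!r} in {flags!r}")
        i += 1
    return info


def parse_query_log_line(line):
    """Structured record for a query-log line, or None for lines of other categories."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("obj", "addr", "qname", "qclass", "qtype", "dest")}
    rec["port"] = int(m.group("port"))
    rec["flags"] = decode_flags(m.group("flags"))
    return rec


def summarize(lines):
    """Counts a defender usually wants first: transport, RD, DO, EDNS and query types."""
    counts = Counter()
    for line in lines:
        rec = parse_query_log_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts["queries"] += 1
        f = rec["flags"]
        counts["tcp" if f["tcp"] else "udp"] += 1
        counts["rd"] += f["rd"]
        counts["do"] += f["do"]
        counts["edns"] += f["edns"]
        counts["qtype:" + rec["qtype"]] += 1
    return counts


if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key:12} {value}")
```

The regex uses `search` rather than `match` so the `print-time` and category prefixes of a real channel do not matter, and lines from other categories come back as `None` rather than raising.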

DNS Flag signification in Syslog

2017-08-18 Thread Mik J via bind-users
Hello,
Do you know where I can find the signification of DNS syslog messages ?
client x.x.x.x#64111 (webmail.google.NET): query: webmail.google.NET IN  + 
(y.y.y.y)=> I'm looking for the signification of the +
client z.z.z.z#39953 (www.mydomain.org): query: www.mydomain.org IN A -ED 
(y.y.y.y)=> I'm looking for the signification of the -EC
Thank you

Re: Why would a master zone use forwarders ?

2017-05-13 Thread Mik J via bind-users
Thank you Ben,
"With no forward {} the path for blah.bar.foo.com directed at server A will be A > C > B"
Do you see any reason why I would use this non optimal path ?
In your example, how would C contact B, there would be a zone forward ?
Regards

On Friday 12 May 2017 18:10, Ben Croswell <ben.crosw...@gmail.com> wrote:
 

If you load foo.com on server A and delegate bar.foo.com to server B with a global forwarder of server C your resolution will vary depending on forward first vs forward only and forwarders {}.
With no forward {} the path for blah.bar.foo.com directed at server A will be A > C > B.
With forward {} the global forward will be short circuited for foo.com and below resulting in a path of A > B.
On May 12, 2017 11:56 AM, "Mik J" <mikyde...@yahoo.fr> wrote:

Thank you Ben for your answer
My server uses a global forwarding
I don't understand what you wrote: "If it is master for a foo.com and also has global forwarding it will use the global forward for any delegated child domains under foo.com unless they are also loaded locally."
If my DNS is authoritative, why would I use a forwarding ?
For my sub domains I use delegations:
sub.mydomain.com NS ns.sub.mydomain.com
ns.sub.mydomain.com A 1.1.1.1
What's the difference between the global forward for delegated child domains and the delegation I do ?
Thank you

 

On Friday 12 May 2017 15:34, Ben Croswell <ben.crosw...@gmail.com> wrote:
 

 This would only change behavior if the server has global forwarding. 
If it is master for a foo.com and also has global forwarding it will use the 
global forward for any delegated child domains under foo.com unless they are 
also loaded locally.  The forward{} turns off global forwarding for that branch 
of the tree.
On May 12, 2017 9:27 AM, "Mik J via bind-users" <bind-users@lists.isc.org> 
wrote:

Hello,
If my DNS is master/slave for a zone, why would I want it to use forwarders.
In other terms why would I want
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
};

Instead of (forwarders {};)
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
    forwarders {};
};
Why would I want to forward requests if I'm authoritative for the zone ?
Thank you for those who can highlight this point.


Re: Why would a master zone use forwarders ?

2017-05-12 Thread Mik J via bind-users
Thank you Ben for your answer
My server uses a global forwarding
I don't understand what you wrote: "If it is master for a foo.com and also has global forwarding it will use the global forward for any delegated child domains under foo.com unless they are also loaded locally."
If my DNS is authoritative, why would I use a forwarding ?
For my sub domains I use delegations:
sub.mydomain.com NS ns.sub.mydomain.com
ns.sub.mydomain.com A 1.1.1.1
What's the difference between the global forward for delegated child domains and the delegation I do ?
Thank you

 

On Friday 12 May 2017 15:34, Ben Croswell <ben.crosw...@gmail.com> wrote:
 

 This would only change behavior if the server has global forwarding. 
If it is master for a foo.com and also has global forwarding it will use the 
global forward for any delegated child domains under foo.com unless they are 
also loaded locally.  The forward{} turns off global forwarding for that branch 
of the tree.
On May 12, 2017 9:27 AM, "Mik J via bind-users" <bind-users@lists.isc.org> 
wrote:

Hello,
If my DNS is master/slave for a zone, why would I want it to use forwarders.
In other terms why would I want
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
};

Instead of (forwarders {};)
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
    forwarders {};
};
Why would I want to forward requests if I'm authoritative for the zone ?
Thank you for those who can highlight this point.


Why would a master zone use forwarders ?

2017-05-12 Thread Mik J via bind-users
Hello,
If my DNS is master/slave for a zone, why would I want it to use forwarders.
In other terms why would I want
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
};

Instead of (forwarders {};)
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
    forwarders {};
};
Why would I want to forward requests if I'm authoritative for the zone ?
Thank you for those who can highlight this point.

Re: Zones not being recognised as Signed

2017-03-30 Thread J T
Hi Mark,

I think I found the problem. Seems Webmin's code for handling the signing
wasn't dealing with NSEC3PARAM records properly. Essentially when merging
the signed records back in to the original host file it was only putting
NSEC, NSEC3 and RRSIG. It wasn't handling NSEC3PARAM at all. The zones that
were "working" were using a different algorithm and so it didn't mismanage
those.

Sorry for troubling you. However your information did help me locate the
problem.

Thanks

Jay

On 31 March 2017 at 00:17, J T <jt4websi...@gmail.com> wrote:

> Please ignore the * in the copy pasted records. It seems the list converts
> color text to be *TEXT* hehe
>
> On 31 March 2017 at 00:11, J T <jt4websi...@gmail.com> wrote:
>
>> Hi Mark,
>>
>> Thank you for responding. What do you mean by zone apex?
>>
>> If we assume one of the domains that fails to be seen as signed is "
>> example.co.uk" then would the apex be the domain name with no prefixes ?
>>
>> I've changed the domain name but this is part of what I have in my signed
>> zone file for one of the zones that fails to be recognised as signed (
>> after the signing process).
>>
>> example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251
>> 39233 example.co.uk.  T1VK1lrlk+4++3Nr7WlS3CeJISCPofUuo799
>> S8wKrLG5UngbzRty1DQ2q6uPkiIVoqtuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90dvYQtY
>> UkViTVIqX15bcY/rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxnP94Ke7
>> VkxCsdpIT98WMrk6eBEtL76VTm855O2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9ktB9DnK
>> ugTJmZVIeF/IPcJzeOpNUHA8QkS/dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiPaIHIkE
>> 0C1LgiBLv7e4Hiejq2ZOrIiJAtMILiT95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWwOji3HG
>> +oLdGdRSwO+1ySyN4XyY2yIfAF+8oKsjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW7reIa+
>> XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyhX2iBQT
>> jb9omapnn6YBSN0xNnFwBZ5UqBNAkuOH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsLeBQI36
>> ABsH1DQtxFqCjCdGK5gFmeKNGvzJPnNlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9ObLxWKI=
>>
>> and
>>
>> example.co.uk.   IN  DNSKEY  257 3 7 
>> AwEAAbZFkjq1Q+7Z67VNF3DkvwZTFFK+sgM+2H+xFqkpyeHQoLmsSAWj
>> BoulxcEIVenvY/X8fFvHk4yemA0z9DWpVEL9//zGtIVInJqRzzVlx7QQ
>> RWDuYqya+U6YpzYkYX0DspOyzFFswtMclF0ktmFB7XOSEmy70OfJL4Oy
>> p4GI5wT8M26bQmDQ6w+UcHUO7M8ciF6qJ5JP68O34BlmUq7gGm1DlqVK
>> o1puldx22djX8GqvqhJjPaV5OHOXn4C5axR0IXiz9C39t1mjAkfxlHJW
>> kshl+ENmdyyI6hw1vOqLHRmGlDQnL2wdvwerYGfLUAAEYx7+n9v+Ubec
>> J83SBt90g5OGyT0JH2BTe5IaQeU8+OwQ97P0dRc3yIbGI9e0RSQuE1Zy
>> 0YUHsIiHpTXrr16vBV97FPLzKGxV0i7AM15JoSCauUyr0DNA391pxVDd
>> HOeyqpxxV69jNWKcdPV7KJFBSEGI3Uthp8uzNRepdJolg0qxNZy8n5tx
>> 4sWIGAF2pqLFPZDLPa6yrFazq85JwhYmeqtiR1YXdsxHnR+My714mApl
>> TiUD4EPP2ylbXeKvsOEWU0NwoAXf92uaSj9C8hH/JIboPDSk1/Y6uv5l
>> YufyA6f3UFbZPAeqlp2OifE9t0nCqfi43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9
>>
>> example.co.uk.   IN  DNSKEY  256 3 7 
>> AwEAAcqXsmOpeTwLI6ikMgz8JZWddUaKjcX+BpCtbkB9pmngl2JugzoQ
>> iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l+htYyi6tudAjlNOju+tvMDB4VC
>> 86aC100XcSF/h1eSqPxPZz4CjdeBI8x/ahbh7bKHILnokb2mK9CLpZ2w
>> j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8HHxf86S5ev0e+bSm+JTkJVdk12
>> 8iIBu6t9lWpYeSemtxHfLhK0Pm1evnHFpr17Sk9/yt5gUZkTd0d9nazT
>> GsUNjbgdyr943K05wAs5EEgqEIp5eI9zcJ1QeeXBG+co5grBa6Leq3Pm
>> zcqxwtzuB2VDRKr9P34tT5n5OY2jg+B98ERd3TiLJTF+wd5Pa5n+lVXt
>> nkAODvfYv+xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25aobsXJ+vrdhE+sqd
>> Jbzjr8p+EG8ZS8gJ9c4B+snMOYwns7hVAATX/3K3XwJUcdGQoynm20iV
>> acDErzZRzHqW+XNtU5EnBjpdzK+Lz0wH63yXRIOd09ap6XACkRH1ApNo
>> syOFdEVwEgTJEPvavu6FH6YR6iHmVR+YqblSBOCP5jfdIVmHm+MfihJs
>> 3whGNAo9XPFEYg+M6vJ8e04zMD17mWL4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn
>>
>> I compared it with the one of the zones that is recognised as signed and
>> I see the following there:
>>
>> workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS
>> SOA MX TXT  SSHFP RRSIG NSEC DNSKEY SPF
>>
>> workingexample.email. *IN DNSKEY* 257 3 8 
>> AwEAAeLetJzQo74Zi/qXJjF4JoF37qu0rXTWQzn7yUC058w76SrPVV4a
>> hZIPI9oBNcWn5yeP6qR/bIkBM1OKfP0qGgLRyLAZPdsB36q1BnEfLrbi
>> trZmlGY8+AnUxjpPbEscT/g47UJiN9exBs0wAPdwwTRypYwBOVzP7cRP
>> TiPf0QlMslMrgd9lpFhFQblj97sZiVTZCyJM2FhKo3bdwDpde6fkJV0I
>> Ilrj3X47hJMFwW3UbA+H8UE/8jWrhrmSPi5b/uxbMY9qkOeaFm/LexC6
>> tr89pCesYrnIqceQTsvJl7+HOB1WNzW4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc=
>>
>> workingexample.email. *IN DNSKEY* 256 3 8 
>> AwEAAbCKGjHIFvhlPpVeReXSDymlwlyeHwejRF0vBp7GTdFv2qCRI1Wc
>> 9GDhVuUWmBv9gxynqQgf4K460RMia1ElZjOFQUZwB4i/OgvfAedEdjov
>> r+G7fHt45FShmR5WLuPOP1EGvJAki18rJgZL99PY4bAqq+s7Ut/SCmAs
>> gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZUZfO7nzmjuvIY+rlGEC00=
>>
>> So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added
>> when the 'example.co.uk' is signed.
>>
>> As far as I can tell no error was reported during the signing process for
>> example.co.uk  - do you have any suggestions as to what might stop the
>> signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records ?
>>
>> Jay
>>
>> On 30 March 2017 at 23:02, Mark Andrews <ma...@isc.org> wrote:
>>
>>>
>>> In message 

Re: Zones not being recognised as Signed

2017-03-30 Thread J T
Please ignore the * in the copy pasted records. It seems the list converts
color text to be *TEXT* hehe

On 31 March 2017 at 00:11, J T <jt4websi...@gmail.com> wrote:

> Hi Mark,
>
> Thank you for responding. What do you mean by zone apex?
>
> If we assume one of the domains that fails to be seen as signed is "
> example.co.uk" then would the apex be the domain name with no prefixes ?
>
> I've changed the domain name but this is part of what I have in my signed
> zone file for one of the zones that fails to be recognised as signed (
> after the signing process).
>
> example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251
> 39233 example.co.uk.  T1VK1lrlk+4++3Nr7WlS3CeJISCPofUuo799
> S8wKrLG5UngbzRty1DQ2q6uPkiIVoqtuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90dvYQtY
> UkViTVIqX15bcY/rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxnP94Ke7
> VkxCsdpIT98WMrk6eBEtL76VTm855O2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9ktB9DnK
> ugTJmZVIeF/IPcJzeOpNUHA8QkS/dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiPaIHIkE
> 0C1LgiBLv7e4Hiejq2ZOrIiJAtMILiT95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWwOji3HG
> +oLdGdRSwO+1ySyN4XyY2yIfAF+8oKsjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW7reIa+
> XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyhX2iBQT
> jb9omapnn6YBSN0xNnFwBZ5UqBNAkuOH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsLeBQI36
> ABsH1DQtxFqCjCdGK5gFmeKNGvzJPnNlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9ObLxWKI=
>
> and
>
> example.co.uk.   IN  DNSKEY  257 3 7 AwEAAbZFkjq1Q+
> 7Z67VNF3DkvwZTFFK+sgM+2H+xFqkpyeHQoLmsSAWj BoulxcEIVenvY/
> X8fFvHk4yemA0z9DWpVEL9//zGtIVInJqRzzVlx7QQ RWDuYqya+
> U6YpzYkYX0DspOyzFFswtMclF0ktmFB7XOSEmy70OfJL4Oy p4GI5wT8M26bQmDQ6w+
> UcHUO7M8ciF6qJ5JP68O34BlmUq7gGm1DlqVK 
> o1puldx22djX8GqvqhJjPaV5OHOXn4C5axR0IXiz9C39t1mjAkfxlHJW
> kshl+ENmdyyI6hw1vOqLHRmGlDQnL2wdvwerYGfLUAAEYx7+n9v+Ubec
> J83SBt90g5OGyT0JH2BTe5IaQeU8+OwQ97P0dRc3yIbGI9e0RSQuE1Zy
> 0YUHsIiHpTXrr16vBV97FPLzKGxV0i7AM15JoSCauUyr0DNA391pxVDd
> HOeyqpxxV69jNWKcdPV7KJFBSEGI3Uthp8uzNRepdJolg0qxNZy8n5tx
> 4sWIGAF2pqLFPZDLPa6yrFazq85JwhYmeqtiR1YXdsxHnR+My714mApl
> TiUD4EPP2ylbXeKvsOEWU0NwoAXf92uaSj9C8hH/JIboPDSk1/Y6uv5l
> YufyA6f3UFbZPAeqlp2OifE9t0nCqfi43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9
>
> example.co.uk.   IN  DNSKEY  256 3 7 
> AwEAAcqXsmOpeTwLI6ikMgz8JZWddUaKjcX+BpCtbkB9pmngl2JugzoQ
> iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l+htYyi6tudAjlNOju+tvMDB4VC 86aC100XcSF/
> h1eSqPxPZz4CjdeBI8x/ahbh7bKHILnokb2mK9CLpZ2w
> j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8HHxf86S5ev0e+bSm+JTkJVdk12
> 8iIBu6t9lWpYeSemtxHfLhK0Pm1evnHFpr17Sk9/yt5gUZkTd0d9nazT
> GsUNjbgdyr943K05wAs5EEgqEIp5eI9zcJ1QeeXBG+co5grBa6Leq3Pm
> zcqxwtzuB2VDRKr9P34tT5n5OY2jg+B98ERd3TiLJTF+wd5Pa5n+lVXt nkAODvfYv+
> xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25aobsXJ+vrdhE+sqd Jbzjr8p+EG8ZS8gJ9c4B+
> snMOYwns7hVAATX/3K3XwJUcdGQoynm20iV 
> acDErzZRzHqW+XNtU5EnBjpdzK+Lz0wH63yXRIOd09ap6XACkRH1ApNo
> syOFdEVwEgTJEPvavu6FH6YR6iHmVR+YqblSBOCP5jfdIVmHm+MfihJs 3whGNAo9XPFEYg+
> M6vJ8e04zMD17mWL4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn
>
> I compared it with the one of the zones that is recognised as signed and I
> see the following there:
>
> workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS
> SOA MX TXT  SSHFP RRSIG NSEC DNSKEY SPF
>
> workingexample.email. *IN DNSKEY* 257 3 8 AwEAAeLetJzQo74Zi/
> qXJjF4JoF37qu0rXTWQzn7yUC058w76SrPVV4a hZIPI9oBNcWn5yeP6qR/
> bIkBM1OKfP0qGgLRyLAZPdsB36q1BnEfLrbi trZmlGY8+AnUxjpPbEscT/
> g47UJiN9exBs0wAPdwwTRypYwBOVzP7cRP 
> TiPf0QlMslMrgd9lpFhFQblj97sZiVTZCyJM2FhKo3bdwDpde6fkJV0I
> Ilrj3X47hJMFwW3UbA+H8UE/8jWrhrmSPi5b/uxbMY9qkOeaFm/LexC6
> tr89pCesYrnIqceQTsvJl7+HOB1WNzW4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc=
>
> workingexample.email. *IN DNSKEY* 256 3 8 
> AwEAAbCKGjHIFvhlPpVeReXSDymlwlyeHwejRF0vBp7GTdFv2qCRI1Wc
> 9GDhVuUWmBv9gxynqQgf4K460RMia1ElZjOFQUZwB4i/OgvfAedEdjov r+
> G7fHt45FShmR5WLuPOP1EGvJAki18rJgZL99PY4bAqq+s7Ut/SCmAs
> gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZUZfO7nzmjuvIY+rlGEC00=
>
> So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added
> when the 'example.co.uk' is signed.
>
> As far as I can tell no error was reported during the signing process for
> example.co.uk  - do you have any suggestions as to what might stop the
> signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records ?
>
> Jay
>
> On 30 March 2017 at 23:02, Mark Andrews <ma...@isc.org> wrote:
>
>>
>> In message 

Re: Zones not being recognised as Signed

2017-03-30 Thread J T
Hi Mark,

Thank you for responding. What do you mean by zone apex?

If we assume one of the domains that fails to be seen as signed is "
example.co.uk" then would the apex be the domain name with no prefixes ?

I've changed the domain name but this is part of what I have in my signed
zone file for one of the zones that fails to be recognised as signed (
after the signing process).

example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251
39233 example.co.uk.  T1VK1lrlk+4++3Nr7WlS3CeJISCPofUuo799
S8wKrLG5UngbzRty1DQ2q6uPkiIVoqtuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90dvYQtY
UkViTVIqX15bcY/rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxnP94Ke7
VkxCsdpIT98WMrk6eBEtL76VTm855O2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9ktB9DnK
ugTJmZVIeF/IPcJzeOpNUHA8QkS/dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiPaIHIkE
0C1LgiBLv7e4Hiejq2ZOrIiJAtMILiT95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWwOji3HG
+oLdGdRSwO+1ySyN4XyY2yIfAF+8oKsjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW7reIa+
XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyhX2iBQT
jb9omapnn6YBSN0xNnFwBZ5UqBNAkuOH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsLeBQI36
ABsH1DQtxFqCjCdGK5gFmeKNGvzJPnNlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9ObLxWKI=

and

example.co.uk.   IN  DNSKEY  257 3 7
AwEAAbZFkjq1Q+7Z67VNF3DkvwZTFFK+sgM+2H+xFqkpyeHQoLmsSAWj
BoulxcEIVenvY/X8fFvHk4yemA0z9DWpVEL9//zGtIVInJqRzzVlx7QQ
RWDuYqya+U6YpzYkYX0DspOyzFFswtMclF0ktmFB7XOSEmy70OfJL4Oy
p4GI5wT8M26bQmDQ6w+UcHUO7M8ciF6qJ5JP68O34BlmUq7gGm1DlqVK
o1puldx22djX8GqvqhJjPaV5OHOXn4C5axR0IXiz9C39t1mjAkfxlHJW
kshl+ENmdyyI6hw1vOqLHRmGlDQnL2wdvwerYGfLUAAEYx7+n9v+Ubec
J83SBt90g5OGyT0JH2BTe5IaQeU8+OwQ97P0dRc3yIbGI9e0RSQuE1Zy
0YUHsIiHpTXrr16vBV97FPLzKGxV0i7AM15JoSCauUyr0DNA391pxVDd
HOeyqpxxV69jNWKcdPV7KJFBSEGI3Uthp8uzNRepdJolg0qxNZy8n5tx
4sWIGAF2pqLFPZDLPa6yrFazq85JwhYmeqtiR1YXdsxHnR+My714mApl
TiUD4EPP2ylbXeKvsOEWU0NwoAXf92uaSj9C8hH/JIboPDSk1/Y6uv5l
YufyA6f3UFbZPAeqlp2OifE9t0nCqfi43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9

example.co.uk.   IN  DNSKEY  256 3 7
AwEAAcqXsmOpeTwLI6ikMgz8JZWddUaKjcX+BpCtbkB9pmngl2JugzoQ
iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l+htYyi6tudAjlNOju+tvMDB4VC
86aC100XcSF/h1eSqPxPZz4CjdeBI8x/ahbh7bKHILnokb2mK9CLpZ2w
j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8HHxf86S5ev0e+bSm+JTkJVdk12
8iIBu6t9lWpYeSemtxHfLhK0Pm1evnHFpr17Sk9/yt5gUZkTd0d9nazT
GsUNjbgdyr943K05wAs5EEgqEIp5eI9zcJ1QeeXBG+co5grBa6Leq3Pm
zcqxwtzuB2VDRKr9P34tT5n5OY2jg+B98ERd3TiLJTF+wd5Pa5n+lVXt
nkAODvfYv+xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25aobsXJ+vrdhE+sqd
Jbzjr8p+EG8ZS8gJ9c4B+snMOYwns7hVAATX/3K3XwJUcdGQoynm20iV
acDErzZRzHqW+XNtU5EnBjpdzK+Lz0wH63yXRIOd09ap6XACkRH1ApNo
syOFdEVwEgTJEPvavu6FH6YR6iHmVR+YqblSBOCP5jfdIVmHm+MfihJs
3whGNAo9XPFEYg+M6vJ8e04zMD17mWL4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn

I compared it with the one of the zones that is recognised as signed and I
see the following there:

workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS SOA
MX TXT  SSHFP RRSIG NSEC DNSKEY SPF

workingexample.email. *IN DNSKEY* 257 3 8
AwEAAeLetJzQo74Zi/qXJjF4JoF37qu0rXTWQzn7yUC058w76SrPVV4a
hZIPI9oBNcWn5yeP6qR/bIkBM1OKfP0qGgLRyLAZPdsB36q1BnEfLrbi
trZmlGY8+AnUxjpPbEscT/g47UJiN9exBs0wAPdwwTRypYwBOVzP7cRP
TiPf0QlMslMrgd9lpFhFQblj97sZiVTZCyJM2FhKo3bdwDpde6fkJV0I
Ilrj3X47hJMFwW3UbA+H8UE/8jWrhrmSPi5b/uxbMY9qkOeaFm/LexC6
tr89pCesYrnIqceQTsvJl7+HOB1WNzW4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc=

workingexample.email. *IN DNSKEY* 256 3 8
AwEAAbCKGjHIFvhlPpVeReXSDymlwlyeHwejRF0vBp7GTdFv2qCRI1Wc
9GDhVuUWmBv9gxynqQgf4K460RMia1ElZjOFQUZwB4i/OgvfAedEdjov
r+G7fHt45FShmR5WLuPOP1EGvJAki18rJgZL99PY4bAqq+s7Ut/SCmAs
gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZUZfO7nzmjuvIY+rlGEC00=

So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added
when the 'example.co.uk' is signed.

As far as I can tell no error was reported during the signing process for
example.co.uk  - do you have any suggestions as to what might stop the
signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records ?

Jay

On 30 March 2017 at 23:02, Mark Andrews  wrote:

>
> In message 

Zones not being recognised as Signed

2017-03-30 Thread J T
Hi,

I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).

I used Webmin to do the heavy lifting of signing/resigning etc.

Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
restart/zone application and that fact is reported in the system logs.

I’m trying to work out why 3 are failing to be recognised as Signed.

No errors are reported as part of the signing process. The zonefiles appear
to have loads of DNSSEC related resource records.

e.g.

   - RRSIG (digital signature)
   - DNSKEY (public key)
   - DS (parent-child)
   - NSEC (proof of nonexistence)
   - NSEC3 (proof of nonexistence)
   - NSEC3PARAM (proof of nonexistence)

and the parent registrar has had DS records added.

As bind is not flagging the zone as signed it's not returning RRSIGs in the
Answer section of a query ( although they are provided in the Additional
section ).

I’m not really sure what the criteria is for bind to decide a zone is
signed.

The same process is being used to sign/resign the 5 zones but only 2 are
flagged as signed.

Any tips on how to debug this would be appreciated.

Thanks,

Jay
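The resolution Jay reached later in this thread was that the merge step of his signing tool kept RRSIG, NSEC and NSEC3 records but dropped NSEC3PARAM, so the failing zones had a signature over NSEC3PARAM with no NSEC3PARAM record under it. Here is an added example (not code from this thread, from Webmin or from BIND) that reads a signed zone file and reports on the apex: DNSKEY present and signed, SOA signed, an NSEC or NSEC3PARAM record for the denial chain, and that exact RRSIG-without-record mismatch. It models the finding in the thread, not BIND's own test for deciding a zone is signed. Both zone texts are constructed with placeholder names and truncated key and signature data.

```python
"""Report whether a zone file carries the apex records a signed zone needs.

Added example, not code from this thread, from Webmin or from BIND; it models the
finding in the thread (RRSIGs present, NSEC3PARAM dropped while merging), not BIND's own
test for a signed zone. The two zone texts are constructed with placeholder names and
truncated key/signature data.
"""
import re
from collections import defaultdict

# owner [ttl] [IN] TYPE rdata ; a line that does not look like this is treated as a
# continuation of the previous record's rdata (wrapped DNSKEY/RRSIG base64).
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>[A-Z][A-Z0-9]*)\s+(?P<rdata>.*)$"
)

# Constructed: the failing case, an RRSIG over NSEC3PARAM but no NSEC3PARAM record.
BROKEN_ZONE = """\
$ORIGIN example.co.uk.
@    3600 IN SOA    ns1.example.co.uk. hostmaster.example.co.uk. 2017033001 7200 3600 1209600 3600
@    3600 IN NS     ns1.example.co.uk.
@    3600 IN DNSKEY 257 3 7 AwEAAbZFkjq1Q+7Z67VNF3Dkvw==
@    3600 IN RRSIG  SOA 7 3 3600 20170429213251 20170330213251 39233 example.co.uk. c2lnLXNvYQ==
@    3600 IN RRSIG  DNSKEY 7 3 3600 20170429213251 20170330213251 39233 example.co.uk. c2lnLWtleQ==
@    0    IN RRSIG  NSEC3PARAM 7 3 0 20170429213251 20170330213251 39233 example.co.uk. c2lnLW5z
    ZWMzcGFyYW0=
ns1  3600 IN A      192.0.2.1
"""

# Constructed: the working case, NSEC chain present and signed.
WORKING_ZONE = """\
$ORIGIN workingexample.email.
@   38400 IN SOA    ns1.workingexample.email. hostmaster.workingexample.email. 2017033001 7200 3600 1209600 3600
@   38400 IN NS     ns1.workingexample.email.
@   38400 IN NSEC   _dmarc.workingexample.email. A NS SOA MX TXT RRSIG NSEC DNSKEY
@   38400 IN DNSKEY 257 3 8 AwEAAeLetJzQo74Zi/qXJjF4Jo==
@   38400 IN RRSIG  SOA 8 2 38400 20170429000000 20170330000000 12345 workingexample.email. c2ln
@   38400 IN RRSIG  DNSKEY 8 2 38400 20170429000000 20170330000000 12345 workingexample.email. c2ln
@   38400 IN RRSIG  NSEC 8 2 38400 20170429000000 20170330000000 12345 workingexample.email. c2ln
ns1 38400 IN A      192.0.2.2
"""


def parse_zone_records(zone_text, origin):
    """Minimal zone reader: absolute owner names, type, rdata text. Handles '@', relative
    owners, ';' comments and wrapped rdata; no $TTL/$INCLUDE and no parentheses."""
    origin = origin.rstrip(".") + "."
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if m is None:
            if records:                      # wrapped base64 belongs to the previous record
                records[-1]["rdata"] += " " + line.strip()
            continue
        owner = m.group("owner")
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append({"owner": owner, "type": m.group("type"),
                        "rdata": m.group("rdata").strip()})
    return records


def apex_signing_report(zone_text, origin):
    """Check the apex for DNSKEY, signatures over DNSKEY and SOA, and a denial-of-existence
    chain (NSEC or NSEC3PARAM), plus the exact mismatch seen in the thread."""
    origin = origin.rstrip(".") + "."
    apex = defaultdict(list)
    for r in parse_zone_records(zone_text, origin):
        if r["owner"] == origin:
            apex[r["type"]].append(r["rdata"])
    covered = {rdata.split()[0] for rdata in apex.get("RRSIG", [])}   # RRSIG type covered
    nsec_mode = "NSEC3" if "NSEC3PARAM" in apex else "NSEC" if "NSEC" in apex else None
    problems = []
    if "DNSKEY" not in apex:
        problems.append("no DNSKEY at the apex")
    elif "DNSKEY" not in covered:
        problems.append("DNSKEY RRset has no RRSIG")
    if "SOA" in apex and "SOA" not in covered:
        problems.append("SOA has no RRSIG")
    if nsec_mode is None:
        problems.append("neither NSEC nor NSEC3PARAM at the apex: no authenticated denial chain")
    if "NSEC3PARAM" in covered and "NSEC3PARAM" not in apex:
        problems.append("RRSIG covers NSEC3PARAM but the NSEC3PARAM record itself is missing "
                        "(signed records merged back incompletely)")
    return {"zone": origin, "nsec_mode": nsec_mode,
            "apex_types": sorted(apex), "problems": problems}


if __name__ == "__main__":
    for text, name in ((BROKEN_ZONE, "example.co.uk"), (WORKING_ZONE, "workingexample.email")):
        report = apex_signing_report(text, name)
        print(report["zone"], report["nsec_mode"], report["problems"] or "ok")
```

Run it on the zone file as written by the signing tool (not the unsigned source); the check is deliberately independent of the key algorithm, since in the thread the algorithm only mattered because it decided whether NSEC or NSEC3 was in use.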

Re: Difference between delegation and forward zone

2017-03-06 Thread Mik J via bind-users
Barry: "Also, if there are no delegation records for the subdomain, the parent 
server believes it's authoritative for them, despite having forwarders 
configured." 
I don't understand what you just wrote above. Are you saying I need to do both 
delegation and forwarding on my authoritative server on the parent domain ?
So yes the case is load balancers or other devices that are not real DNS, they 
behave in a funny way.





Difference between delegation and forward zone

2017-03-06 Thread Mik J via bind-users
Hello,
I would like to check if my understanding is correct regarding delegation and forward.
Delegation: I want to delegate the administrative tasks to someone else for one subdomain, subdomain1.mydomain.org. I'll specify the NS of that subdomain1.mydomain.org in my mydomain.org zone file. The other person will be able to create rr1.subdomain1.mydomain.org.
Forward zone: I can forward a specific zone to a DNS that is different from the default forwarders or I won't attempt to do an iterative lookup.
=> Question 1: Can I have a forward zone that is a subdomain subdomain1.mydomain.org ? Or when the zone is a subdomain of mydomain (I'm authoritative) it's always a delegation ?
=> Question 2: When I do a delegation, is it correct that the remote DNS server holding subdomain1.mydomain.org must always answer the SOA with SOA records and NS records (RFC 2181 chapter 6.1)
Regards


Re: switching entire DNS system to new servers and IP addresses

2017-02-25 Thread Mik J via bind-users
Hello,

From my personal experience I would add
* Check if you have monitoring in place, you might want to monitor all types of 
queries and error messages.
* Since you have external and internal DNS then there might be firewalls 
between them, check if the flows are opened and prepare a test plan with many 
cases long queries, tcp etc.

* Don't do everything at once, do external DNS first, then internal DNS, then 
DHCP

* Check if your bind version and Infoblox bind versions are roughly the same, 
if your bind version is really old it might tolerate things that newer bind 
version won't

* Take care about your ACLs, you might want to do some cleaning and you also 
might want to make sure you don't have any security holes
* If you delegate zones or zones are delegated to you or another university is 
slave for your zones or some of you zones is slave of other servers that don't 
belong to you, check with them to update firewalls rules and ACLs

* Make sure your new IP addresses are routed :D
* Prepare your rollback



I would really pay attention to the cleaning and everything that goes around 
this swap (my points above) because in my opinion failure is often because of 
these things more than upgrading bind or changing vendor



On Friday 24 February 2017 11:57, Phil Mayers wrote:
On 23/02/17 20:21, Mitchell Kuch wrote:

> In practice, we have encountered caching resolvers that provide
> non-decrementing TTL values to downstream resolvers and clients. Even

That is a depressingly common residential ISP trick :o(


How can I log only autorized queries

2017-01-13 Thread Mik J via bind-users
Hello,
I'm logging queries
    channel queries_file {
        file "/var/log/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    category queries { queries_file; };

And queries that are not allowed
    channel "dns_secu" {
        file "/var/log/dnssecurity" versions 2 size 10485760;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "update-security" { "dns_secu"; };
In the file queries.log I can see the queries but I would like to have it only 
for valid queries (not REFUSED)
How can I do this ?
Thank you
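
The queries category logs every query named receives, whether or not it is later refused, while refusals are reported by the security category as "query ... denied" lines. As an added example (not Mik J's configuration or code), the script below correlates the two channels on client address#port, name and type, keeping only query-log lines with no matching denial; the log line formats are assumptions modelled on BIND 9.9/9.10 text logs, and the sample lines are constructed.

```python
import re

# Assumed log layouts (modelled on BIND 9.9/9.10; check against your own logs):
#   queries channel : client 192.0.2.10#4242 (example.com): query: example.com IN A +E (192.0.2.1)
#   security channel: client 192.0.2.10#4242 (example.com): query (cache) 'example.com/A/IN' denied
# Newer versions insert "@0x..." after "client"; both patterns tolerate that.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\S+) \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\S+) \([^)]*\): "
    r"query \([^)]*\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/IN' denied"
)

# Constructed sample lines using documentation addresses (not real log data).
QUERIES_LOG = [
    "13-Jan-2017 10:00:01.001 client 192.0.2.10#4242 (example.com): "
    "query: example.com IN A +E (192.0.2.1)",
    "13-Jan-2017 10:00:02.002 client 198.51.100.7#5151 (other.example): "
    "query: other.example IN ANY +E (192.0.2.1)",
    "13-Jan-2017 10:00:03.003 client 192.0.2.10#4243 (example.com): "
    "query: EXAMPLE.com IN MX +E (192.0.2.1)",
]
SECURITY_LOG = [
    "13-Jan-2017 10:00:02.002 security: info: client 198.51.100.7#5151 "
    "(other.example): query (cache) 'other.example/ANY/IN' denied",
]

def denied_keys(security_lines):
    """(client ip#port, qname, qtype) triples the security channel reported as
    denied. The source port changes per query, so one denial keys to the one
    query-log line it belongs to."""
    keys = set()
    for line in security_lines:
        m = DENIED_RE.search(line)
        if m:
            keys.add((m["client"], m["qname"].lower(), m["qtype"].upper()))
    return keys

def allowed_queries(query_lines, security_lines):
    """Query-log lines whose (client, qname, qtype) was never reported as denied:
    the 'authorized queries only' view that the queries category by itself
    cannot give, since it logs the query as received."""
    denied = denied_keys(security_lines)
    kept = []
    for line in query_lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        key = (m["client"], m["qname"].lower(), m["qtype"].upper())
        if key not in denied:
            kept.append(line)
    return kept
```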

Guidelines for role separation: forwarding vs authoritative

2016-07-08 Thread Mik J
Hello,
I have a bind DNS that is authoritative for many zones, and that same system is 
also forwarding. I plan to split these two functions onto two different systems.
Have some of you done this task? Do you have any guidelines or advice?
I'm thinking about migrating the forwarding functionality to a new system with 
a new IP. This will avoid changing the IP of the authoritative server in the DNS 
at a higher level.
Thank you

Re: Multiple SERVFAIL/REFUSED unexpected RCODE

2016-05-05 Thread Mik J
Thank you guys for your answers.
 

On Tuesday, 3 May 2016 at 16:09, Barry Margolin <bar...@alum.mit.edu> wrote:
 
 

 In article <mailman.701.1462281968.73610.bind-us...@lists.isc.org>,
 Mik J <mikyde...@yahoo.fr> wrote:

> Hello Mark,
> Thank you for your answer. I'm not sure I've understood everything but I'll 
> read it numerous times if necessary. I have ACLs so I'm not surprised to see 
> these REFUSED; I also understand the SERVFAIL meaning.

Your ACL is not relevant. The REFUSED response is coming from the server 
the reverse zone is delegated to.

> I'm just trying to figure out where the problem comes from. You seem to point 
> out a device which should be on my network and which queries a PTR (something 
> like a mail server which wants to check the domain of the user who sent the 
> email).

The problem comes from bad reverse DNS delegations of remote addresses. 
Unfortunately, this has always been very common.

> 
> What I didn't understand is "You could use whois to try to contact the 
> administrators of these zones to correct the servers or remove the 
> delegations." You mean this one, "x.204.99.116.in-addr.arpa", which appeared in 
> my logs?
> Regards 

whois -h whois.apnic.net 116.99.204.0

role:          VIETEL IPADMIN GROUP
address:        1 Tran Huu Duc, My Dinh, Tu Liem, Hanoi
country:        VN
phone:          +84-9-83000456
fax-no:        +84-4-38460486
e-mail:        tie...@viettel.com.vn
remarks:        send spam and abuse report to tie...@viettel.com.vn

whois 88.165.16.0

role:          Administrative Contact for ProXad
address:        Free SAS / ProXad
address:        8, rue de la Ville L'Eveque
address:        75008 Paris
phone:          +33 1 73 50 20 00
fax-no:        +33 1 73 92 25 69
remarks:        trouble:      Information: http://www.proxad.net/
remarks:        trouble:      Spam/Abuse requests: 
mailto:ab...@proxad.net
admin-c:        APfP1-RIPE
tech-c:        TPfP1-RIPE
nic-hdl:        ACP23-RIPE
mnt-by:        PROXAD-MNT
abuse-mailbox:  ab...@proxad.net
created:        2002-06-26T12:46:56Z
last-modified:  2013-08-01T12:16:00Z
source:        RIPE # Filtered


> 
> On Tuesday, 3 May 2016 at 13:30, Mark Andrews <ma...@isc.org> wrote:
>  
>  
> 
>  
> In message <353379836.10168122.1462272936427.javamail.ya...@mail.yahoo.com>, Mik J writes:
> >
> > Hello,
> > In my named.log I can see a lot of SERVFAIL/REFUSED unexpected RCODE
> > messages. Most of the time someone tries to resolve a PTR
> > I can see an average of 10 messages per second like these
> > May  3 10:46:26 dns named[7228]: REFUSED unexpected RCODE resolving
> > 'x.204.99.116.in-addr.arpa/PTR/IN': 203.113.131.x#53
> > May  3 10:46:26 dns named[7228]: SERVFAIL unexpected RCODE resolving
> > 'x.16.165.88.in-addr.arpa/PTR/IN': 193.0.9.x#53
> >
> > The PTR records don't belong to me and the remote DNS servers are located
> > around the world.
> > Does anyone have an understanding of why I receive these types of requests?
> > Why do they query my DNS servers?
> > Thank you
> 
> Something on your network is trying to convert 116.00.204.x and
> 88.165.16.x addresses to names, presumably because they are seeing
> traffic from those addresses.  In both cases there appears to be
> broken delegations involved.
> 
> REFUSED usually means that the server is not configured for the
> zone.
> 
> SERVFAIL usually means that the server is configured for the zone
> but doesn't have a current copy.
> 
> You could use whois to try to contact the administrators of these
> zones to correct the servers or remove the delegations.
> 
> Mark

-- 
Barry Margolin
Arlington, MA


 

Re: Multiple SERVFAIL/REFUSED unexpected RCODE

2016-05-03 Thread Mik J
Hello Mark,
Thank you for your answer. I'm not sure I've understood everything but I'll 
read it numerous times if necessary. I have ACLs so I'm not surprised to see 
these REFUSED; I also understand the SERVFAIL meaning.
I'm just trying to figure out where the problem comes from. You seem to point 
out a device which should be on my network and which queries a PTR (something 
like a mail server which wants to check the domain of the user who sent the 
email).

What I didn't understand is "You could use whois to try to contact the 
administrators of these zones to correct the servers or remove the 
delegations." You mean this one, "x.204.99.116.in-addr.arpa", which appeared in my 
logs?
Regards 

On Tuesday, 3 May 2016 at 13:30, Mark Andrews <ma...@isc.org> wrote:
 
 

 
In message <353379836.10168122.1462272936427.javamail.ya...@mail.yahoo.com>, Mik J writes:
>
> Hello,
> In my named.log I can see a lot of SERVFAIL/REFUSED unexpected RCODE
> messages. Most of the time someone tries to resolve a PTR
> I can see an average of 10 messages per second like these
> May  3 10:46:26 dns named[7228]: REFUSED unexpected RCODE resolving
> 'x.204.99.116.in-addr.arpa/PTR/IN': 203.113.131.x#53
> May  3 10:46:26 dns named[7228]: SERVFAIL unexpected RCODE resolving
> 'x.16.165.88.in-addr.arpa/PTR/IN': 193.0.9.x#53
>
> The PTR records don't belong to me and the remote DNS servers are located
> around the world.
> Does anyone have an understanding of why I receive these types of requests?
> Why do they query my DNS servers?
> Thank you

Something on your network is trying to convert 116.00.204.x and
88.165.16.x addresses to names, presumably because they are seeing
traffic from those addresses.  In both cases there appears to be
broken delegations involved.

REFUSED usually means that the server is not configured for the
zone.

SERVFAIL usually means that the server is configured for the zone
but doesn't have a current copy.

You could use whois to try to contact the administrators of these
zones to correct the servers or remove the delegations.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                INTERNET: ma...@isc.org
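
An added example (not code from Mark's or Barry's replies) that applies the REFUSED/SERVFAIL reading above, and Barry's whois step, to the "unexpected RCODE" lines quoted in this thread: it parses the lines, maps each in-addr.arpa name back to the forward /24 one would look up with whois, and ranks the noisiest (rcode, network, failing server) combinations so the broken delegations worth chasing surface first. The sample log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Matches the "unexpected RCODE" lines named logs, as quoted in this thread.
LINE_RE = re.compile(
    r"(?P<rcode>REFUSED|SERVFAIL) unexpected RCODE resolving "
    r"'(?P<qname>[^']+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#\d+"
)

# What each RCODE usually means here, per Mark Andrews' explanation above.
MEANING = {
    "REFUSED": "server is not configured for the zone (lame delegation)",
    "SERVFAIL": "server is configured for the zone but has no current copy",
}

# Constructed sample log using documentation addresses (not real log data).
SAMPLE_LOG = [
    "May  3 10:46:26 dns named[7228]: REFUSED unexpected RCODE resolving "
    "'7.2.0.192.in-addr.arpa/PTR/IN': 198.51.100.53#53",
    "May  3 10:46:26 dns named[7228]: SERVFAIL unexpected RCODE resolving "
    "'9.113.0.203.in-addr.arpa/PTR/IN': 198.51.100.2#53",
    "May  3 10:46:27 dns named[7228]: REFUSED unexpected RCODE resolving "
    "'8.2.0.192.in-addr.arpa/PTR/IN': 198.51.100.53#53",
    "May  3 10:46:27 dns named[7228]: client 10.0.0.5#5353: query: example.com IN A",
]

def parse_line(line):
    """Return (rcode, qname, qtype, server) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["rcode"], m["qname"], m["qtype"], m["server"]

def reverse_zone_to_prefix(qname):
    """Map 'd.c.b.a.in-addr.arpa' to the forward 'a.b.c.0/24' you would hand to
    whois; None for anything that is not a full IPv4 reverse name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4][::-1]          # undo the reversed octet order
    return ".".join(octets[:3] + ["0"]) + "/24"

def summarize(lines):
    """Rows of (count, rcode, forward /24, failing server, meaning), most
    frequent first, so the noisiest broken delegations surface at the top."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        rcode, qname, _qtype, server = parsed
        counts[(rcode, reverse_zone_to_prefix(qname) or qname, server)] += 1
    return [(n, r, p, s, MEANING[r]) for (r, p, s), n in counts.most_common()]
```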


 

Multiple SERVFAIL/REFUSED unexpected RCODE

2016-05-03 Thread Mik J
Hello,
In my named.log I can see a lot of SERVFAIL/REFUSED unexpected RCODE messages. 
Most of the time someone tries to resolve a PTR
I can see an average of 10 messages per second like these
May  3 10:46:26 dns named[7228]: REFUSED unexpected RCODE resolving 
'x.204.99.116.in-addr.arpa/PTR/IN': 203.113.131.x#53
May  3 10:46:26 dns named[7228]: SERVFAIL unexpected RCODE resolving 
'x.16.165.88.in-addr.arpa/PTR/IN': 193.0.9.x#53

The PTR records don't belong to me and the remote DNS servers are located 
around the world.
Does anyone have an understanding of why I receive these types of requests? Why 
do they query my DNS servers?
Thank you

Public DNS

2015-04-02 Thread Heamnath J
Hi

How do I configure a DNS server as a public DNS server, like Google's 8.8.8.8?
Please help me to clear up this problem.

Thank you


error (insecurity proof failed) resolving './DS/IN'

2015-03-23 Thread Brian J. Murrell
Trying to follow an example I found of manually verifying a name's
DNSSEC records I did the following:

# dig . DNSKEY | grep -Ev '^($|;)' > root.keys
# dig +sigchase +trusted-key=./root.keys www.eurid.eu. A

That resulted in some errors but more importantly the following in my
syslog:

Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.33.4.12#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.203.230.10#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.58.128.30#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.112.36.4#53
Mar 23 08:11:15 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.228.79.201#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 193.0.14.129#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.5.5.241#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:503:ba3e::2:30#53
Mar 23 08:11:16 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 128.63.2.53#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 192.36.148.17#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:3::42#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:dc3::35#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:503:c27::2:30#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:7fd::1#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:2f::f#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 198.41.0.4#53
Mar 23 08:11:17 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:1::803f:235#53
Mar 23 08:11:18 linux named[19256]: error (insecurity proof failed) resolving 
'./DS/IN': 2001:500:84::b#53

I'm really not sure why though.

I'm using

BIND 9.8.1-P1

built with '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' 
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE 
-O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2'

Any ideas on what this is or what more information I can provide to help
chase it down?

Cheers,
b.




ideas for cloud server

2015-03-18 Thread Heamnath J
How do I change a CentOS server into a real-time cloud server?


New ideas about DNS

2015-03-18 Thread Heamnath J
Hi there, I need new ideas for securing the BIND DNS server on CentOS 6.6.

Guidelines

2015-02-25 Thread Heamnath J
Hello there,
I am new to BIND DNS and I would like to configure a public DNS. I need to know 
the procedure to configure a BIND DNS server on CentOS 6 and how to increase 
the performance of the BIND server. I am waiting for your answer.

Thank you


Re: Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1-RELEASE-p4 - part 2

2015-01-27 Thread J. Thomsen
On Tue, 27 Jan 2015 11:16:04 +0530, Mukund Sivaraman m...@isc.org wrote:


Meanwhile, please can you enable statistics-channels in named.conf and
send us a dump of the XML statistics along with process sizes reported
by ps when named grows very large?


I run the small script below every 5 minutes in a cron job

The result can be seen at http://ns4.jth.net/bind

There has been no extreme memory leak since it started running on Jan. 7th, but 
memory usage is slowly increasing, from 70 MB to 161 MB now.
In any case, using 161 MB of RAM to serve 623 small authoritative zones and 
rarely any recursive lookups seems to me wildly out of proportion.
Disk space of the zone files is 5.4 MB.
The developers of BIND ought to revisit the memory usage of BIND.


#!/bin/sh
# extracts the memory usage of named into a file

touch /var/www/html/jth.net/bind/bind_rss_history.txt
# RSS and VSZ (in KB) of the named process, from ps aux columns 6 and 5
RSS=`ps -aux | awk '/^named.*named/{print $6 " " $5}'`
NOW=`date "+%Y-%m-%d %H:%M:%S"`
# append one record: date time RSS <n>Kb VSZ <n>Kb
echo $NOW $RSS | awk '{printf "%10s%10s RSS %11sKb VSZ %11sKb\n",$1,$2,$3,$4}' \
    >> /var/www/html/jth.net/bind/bind_rss_history.txt
# save a snapshot of the XML statistics channel (GET is the libwww-perl client)
GET http://127.0.0.1:8053/ > /var/www/html/jth.net/bind/s`date +%F-%H-%M.xml`
exit 0

In named.conf the configuration is


statistics-channels {
  inet *  port 8053 allow { verytrusted; };
  inet ::  port 8053 allow { verytrusted; };
};

options {

zone-statistics yes;
};
 
- Jørgen Thomsen
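
An added example (not Jørgen's script) that reads the bind_rss_history.txt records the cron script above writes and fits a least-squares slope to RSS over time, so slow growth like the 70 MB to 161 MB described here can be quantified in KB per day and flagged against a threshold; the sample history is constructed, not the data published at ns4.jth.net.

```python
import re
from datetime import datetime

# One record per cron run, in the layout the awk printf in the script above
# writes: "%10s%10s RSS %11sKb VSZ %11sKb".
HISTORY_RE = re.compile(
    r"^\s*(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+RSS\s+(?P<rss>\d+)Kb\s+VSZ\s+(?P<vsz>\d+)Kb"
)

# Constructed sample history (not the data from ns4.jth.net): five samples
# spanning the 70 MB to 161 MB growth described in the post, plus a broken line.
SAMPLE_HISTORY = """\
2015-01-07  00:00:00 RSS       71680Kb VSZ      204800Kb
2015-01-12  00:00:00 RSS       95000Kb VSZ      225000Kb
2015-01-17  00:00:00 RSS      118000Kb VSZ      245000Kb
2015-01-22  00:00:00 RSS      141000Kb VSZ      265000Kb
2015-01-27  00:00:00 RSS      164864Kb VSZ      285000Kb
2015-01-27  00:05:00 RSS
"""

def parse_history(text):
    """Return [(timestamp, rss_kb, vsz_kb)]; malformed lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
        samples.append((ts, int(m["rss"]), int(m["vsz"])))
    return samples

def rss_growth_kb_per_day(samples):
    """Least-squares slope of RSS against time, in KB per day.
    None when there are fewer than two distinct timestamps."""
    if len(samples) < 2:
        return None
    t0 = samples[0][0]
    xs = [(ts - t0).total_seconds() / 86400.0 for ts, _, _ in samples]
    ys = [float(rss) for _, rss, _ in samples]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0.0:
        return None
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx

def leak_suspected(samples, kb_per_day=1024):
    """True when RSS grows faster than the threshold (default 1 MB per day)."""
    slope = rss_growth_kb_per_day(samples)
    return slope is not None and slope > kb_per_day
```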



Re: SPF RR type

2014-06-06 Thread J. Thomsen
On Fri, 06 Jun 2014 09:45:56 +1000,Mark Andrews ma...@isc.org wrote:


It takes years to do transitions like this.  TXT to SPF was actually
ramping up but that is now water under the bridge. 


In that case named-compilezone should no longer emit 

found SPF/TXT record but no SPF/SPF record found, add matching type SPF record

from lib/dns/zone.c


- Jørgen Thomsen

