Re: Slightly Off-Topic: Dealing with DNSSEC Bogus Data
Thanks Tony for the feedback.

--
Jorge
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Slightly Off-Topic: Dealing with DNSSEC Bogus Data
On 06/08/2014 01:59 PM, Evan Hunt wrote:
> The answer is still no. We do have "negative trust anchors" on the
> roadmap for 9.11, but that's not scheduled for release until 2015.

Thank you Evan. I'm glad to know this is coming.

Regards,
Jorge
Slightly Off-Topic: Dealing with DNSSEC Bogus Data
Hi everyone,

I'm about to start DNSSEC validation on my resolvers (BIND 9.8) but wanted to know beforehand if there was a way to disable DNSSEC validation for particular domains. I searched the archives and found the answer to be "no" (at present time).

This change is going to impact thousands of users for us and I'm a bit worried about it. How do you deal with DNSSEC bogus data? I know that one should inform the corresponding party (SOA email record perhaps?) and be a good netizen but, what if these efforts fail? Do you temporarily become "authoritative" for that zone? Or do you tell your users: "sorry, it's not on us; it's their fault"?

Thanks in advance.

--
Jorge

P.S. I know there are DNSSEC mailing lists out there but wanted to know about BIND admins (where you currently don't have the option to disable validation for given domains).
Re: "clients-per-query" vs "max-clients-per-query"
On 06/07/2014 12:36 PM, Evan Hunt wrote:
> Over time, as it runs, named tries to self-tune the clients-per-query
> value.
>
> If you set clients-per-query to 10 and max-clients-per-query to 100
> (i.e., the default values), that means that the initial limit will be
> 10, but if we ever actually hit the limit and drop a query, we try
> adjusting the limit up to 15, then 20, and so on, until we can keep
> up with the queries *or* until we reach 100.
>
> Once we get to a point where we're not spilling queries anymore, we
> start experimentally adjusting the limit back downward -- reducing it
> by 1 every 20 minutes, if I recall correctly.
>
> If clients-per-query is 0, that means we don't have a clients-per-query
> limit at all. If max-clients-per-query is 0, that means there's no upper
> bound on clients-per-query and it can grow as big as it needs to.

Ah. Eureka! Thank you very much Evan. That was wonderful! I finally got it :)

Thanks, very much appreciated!

All the best,
Jorge
"clients-per-query" vs "max-clients-per-query"
Hi,

I'm trying to understand the difference between clients-per-query & max-clients-per-query. I found a nice explanation by Mark Andrews here [1] but then I wondered about max-clients-per-query.

Given a "clients-per-query" of 10, I assume that named will only queue up 10 clients before it starts dropping queries. As far as I understand, there would be one outstanding recursive-client (doing the actual recursion for a given name/type) and when it finally receives the answer it will give it to the other 9 clients that were waiting.

For me, this "clients-per-query" of 10 is an upper limit (maximum number of clients before it starts dropping). So then, what's the purpose of "max-clients-per-query"?

Thanks.

--
Jorge

[1]: https://lists.isc.org/pipermail/bind-users/2011-March/083330.html
Re: Forward Domain
On 01/15/2012 11:57 AM, Markus Braun wrote:
> but what is the different between the DNSMASQ and bind9, that DNSMASQ run
> correct and bind9 not?
> I have the problem when halo.de is requested that he only forward when i try
> to access over my extern mobile device and when it is on the server the
> script should take the request out.
> I got now a loop.

DNSMASQ is basically a DNS forwarder but it has a bunch of other features. Check the Wikipedia page on it and if you have questions please ask on their mailing list or forum.

Regarding BIND, if you have issues with your server returning some results within your server and other results when queried from the outside you should take a look at BIND views.

Please invest some time studying BIND, at least the basics to run a "caching nameserver". You'll need that.

--
Jorge
Re: Forward Domain
On 01/15/2012 11:06 AM, Markus Braun wrote:
> it shows my ip , but i think i must have the both nameserver from
> my ISP in the resolv.conf because i have other domains? and
> everything is now forwarded :((

No, you don't need your ISP's nameservers. It should work for other domains (if configured properly). It's just that, for your particular domain, it will ask the provided server for the info. For other domains, your bind server will perform full dns resolution (starting from the DNS root servers and so on).

Did you try performing a query for other domains?

--
Jorge
Re: Forward Domain
On 01/15/2012 10:20 AM, Markus Braun wrote:
> in my resolv.conf are only the 2 nameserver of my ISP, nothing more.
> what must i change here? but i also like that my other domains are working :)
> marcus

OK, one more test:

Try:

    dig @localhost hallo.de

If that works you now know that your local bind setup is working.

If it works then change your /etc/resolv.conf. You need to remove your ISP's entries and leave your local bind setup like this:

    nameserver 127.0.0.1

...so that DNS resolution on your system goes thru this local bind instance.

--
Jorge
Re: Forward Domain
On 01/15/2012 09:54 AM, Markus Braun wrote:
> And when i put the my IP in my DNS setting from my handy, the handy should send
> the request to my server for this domain. e.g. google.de and give another output.
> I hope you understand what i mean :)

Before using your local bind caching nameserver, you should first validate that your other DNS server is working properly. Try this on your machine:

    dig @IP-OF-YOUR-DNS-SERVER hallo.de

If that works, then you can proceed with the forward zone stanza on your local bind. After that, you need to make sure your /etc/resolv.conf points to your local bind instance (and not your ISP's dns).

--
Jorge
Re: Forward Domain
On 01/15/2012 09:27 AM, Markus Braun wrote:
> i restart bind, but nothing works :(

Hi,

Can you be more specific? Do you get any error when restarting? Anything on syslog? What are you using to perform the tests? dig? Can you show us the output?

Does resolution for other domains work? Or is it the one for your domain that doesn't work? If you remove the forward zone, does it work?

--
Jorge
Re: Auth Section & Forwarders
On 01/13/2012 07:30 PM, Mark Andrews wrote:
> The nameserver is returning "the closest available" nameservers. These
> are usually the nameservers for the zone but not always.

Got it now. Thanks for the help Mark.

Best regards,
Jorge
Auth Section & Forwarders
Hello everyone,

I recently disabled "minimal-responses" (by setting it to 'no') in our caching nameservers. As I'm now able to see the authority & additional sections I noticed something strange: whenever I query our caching nameservers for one of our domains we get our parent nameservers under the authority section (instead of our own authoritative nameservers).

I soon realized that there might be some problem with our forward zones (since we have our domains defined as such). I disabled the forward zone stanza, reloaded the config, and the problem went away (I now get our authoritative nameservers within the authority section).

Does anyone know what may be happening?

Thanks,
Jorge
Re: Request Redirect
On Tuesday 15 June 2010 07:52:34 sasa sasa wrote:
> we have 2 network, when network 1 request www.example.com i want to reply
> with x.x.x.x A record, and when network 2 request www.example.com i want
> to reply with y.y.y.y A record. is that possible in Bind configuration?

Hi,

Sure. Check out Bind Views:

http://www.zytrax.com/books/dns/ch7/view.html

HTH,
Jorge
Re: Any way to query/list "Negative" Records
On Wednesday 10 February 2010 20:14:06 Mark Andrews wrote:
> You can see a cached negative response by looking at the TTL of the SOA
> record. When that hits zero the cached negative response will be removed.
> See RFC 2308.

Arrgh thanks Mark! I had no idea about this. It was in my face all the time and never noticed it.

Thanks again!

All the best,
Jorge
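
Added example, not part of the original messages: one way to read the SOA TTL that the quoted reply points to, by parsing `dig` output and reporting how long a negative answer has left. The sample output, the names in it and the function name `negative_answer` are constructed for illustration.

```python
import re

# Constructed sample: `dig` output for an MX query that a resolver answered
# from its negative cache (NOERROR, no answers, SOA in the authority section).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.example.com.\t\tIN\tMX

;; AUTHORITY SECTION:
example.com.\t\t873\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2010021001 3600 900 604800 3600
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
ANSWER_RE = re.compile(r"ANSWER:\s*(\d+)")
# Owner, TTL, then the seven SOA fields; the last one is the MINIMUM field.
SOA_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s*$",
    re.M,
)

def negative_answer(dig_text):
    """Describe a negative response, or return None for any other response."""
    status = STATUS_RE.search(dig_text)
    answers = ANSWER_RE.search(dig_text)
    if not status or not answers:
        raise ValueError("header lines missing: not dig output")
    rcode, count = status.group(1), int(answers.group(1))
    if rcode == "NXDOMAIN":
        kind = "NXDOMAIN"          # the name does not exist
    elif rcode == "NOERROR" and count == 0:
        kind = "NODATA"            # the name exists, this record type does not
    else:
        return None
    soa = SOA_RE.search(dig_text)
    if soa is None:
        # Without an SOA there is no TTL to read (and NOERROR may be a referral).
        if kind == "NODATA":
            return None
        return {"kind": kind, "zone": None, "ttl_left": None}
    return {"kind": kind, "zone": soa.group(1), "ttl_left": int(soa.group(2)),
            "soa_minimum": int(soa.group(3))}

if __name__ == "__main__":
    print(negative_answer(SAMPLE_DIG))
```

Querying the caching server twice and watching `ttl_left` count down confirms the answer is being served from the negative cache rather than fetched again.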
Any way to query/list "Negative" Records
Hello everyone,

Today I had an issue with one of our caching nameservers (it wasn't presenting a recently created MX record). I didn't know whether the server had any problem requesting this record upstream or someone queried for this record before it was created causing the server to cache the 'negative' result. I presumed it was the latter and proceeded to manually flush the particular domain. After that it worked.

But... I'm wondering: Is there a way (using dig or rndc) to list the "negative" records the server has in its cache? I guess I could dump the cache contents and see it there (haven't tried it) but was wondering if there's a proper way to do this (instead of just presuming "the server cached the negative answer...").

Best regards,
Jorge
Re: Can bind log the IP of clients requesting lookups to a domain?
On Friday 05 February 2010 19:16:12 Keith Christian wrote:
> In other words, I'd like to know the IP of clients trying to resolve
> app01.foocompany.net (for example.)

I tried once to do this but couldn't find any way to do it natively with Bind. It seems that, once you turn on query logging, you must take it or leave it; it's up to you to do the filtering on the log afterwards.

Best regards,
Jorge
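
Added example, not part of the original messages: a sketch of the after-the-fact filtering described above, counting the client addresses that asked for one name in a BIND query log. The log lines are constructed, the line layout is an assumption (it differs between BIND versions), and `clients_for` is a hypothetical helper name.

```python
import re
from collections import Counter

# Assumed query-log layout; tolerates the optional "@0x..." client id,
# "(name)" suffix and "view X:" prefix that some BIND versions write.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
05-Feb-2010 19:16:12.101 client 192.0.2.15#40312: query: app01.foocompany.net IN A +
05-Feb-2010 19:16:12.350 client 192.0.2.15#40313: query: www.example.org IN A +
05-Feb-2010 19:16:13.007 client 198.51.100.7#51100: query: APP01.foocompany.net IN AAAA +
05-Feb-2010 19:16:14.220 client 2001:db8::5#53124: query: app01.foocompany.net IN A +
05-Feb-2010 19:16:15.900 client 192.0.2.15#40320: query: app01.foocompany.net IN A +
05-Feb-2010 19:16:16.001 client 203.0.113.9#33001: query: db.app01.foocompany.net IN A +
05-Feb-2010 19:16:17.000 general: info: zone foocompany.net/IN: loaded serial 2010020501
"""

def clients_for(lines, name, subdomains=False):
    """Count queries per client IP for `name` (optionally names below it)."""
    target = name.rstrip(".").lower()      # DNS names compare case-insensitively
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                       # not a query line
        qname = m.group("name").rstrip(".").lower()
        if qname == target or (subdomains and qname.endswith("." + target)):
            hits[m.group("ip")] += 1
    return hits

if __name__ == "__main__":
    for ip, n in clients_for(SAMPLE_LOG.splitlines(), "app01.foocompany.net").most_common():
        print(f"{n:5d}  {ip}")
```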