Re: 9.18 horrendous

2024-08-23 Thread Marco Moock
On Fri, 23 Aug 2024 16:28:22 -0400, David Farje wrote:

> The whole point of open source software is that you as a user get
> software for free

You get certain freedoms because of the license. This doesn't mean it
needs to be provided for free. ISC also sells BIND9 together with a
support contract.

> and if something goes wrong you are free to
> collaborate to fix it or stop using it.  That's it.  There is no room
> for anything else.
> 
> Complaining about the quality of software you did not pay for or even
> test before putting it in production seems illogical to me especially
> if you are given the tools to fix it.

Complaining is a normal process and part of the development. If people
are dissatisfied and don't complain, nobody will notice it. Although,
complaining should be done in a rational and non-aggressive way.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: 9.18 horrendous

2024-08-23 Thread Marco Moock
On 23.08.2024 at 21:57:47, Edwardo Garcia wrote:

> I've just updated 9.18 again, as recent update, and ever since using
> this 9.18 mess the load has been horrendous never ever have I
> experienced such a clusterfcsk of a release

I can understand your anger, but the first thing to notice is that not
everybody experienced that problem (I have used 9.18 for more than a year
without that).

You have to specify your operating system and bind versions (also the
build source, OS repos often have some patches applied), so somebody
can reproduce the problem. If the problem can be reproduced, it can be
fixed.

-- 
Regards
Marco

Send unsolicited bulk mail to 1724443067mu...@cartoonies.org


Re: v6-bias

2024-08-18 Thread Marco Moock
On 18.08.2024 at 23:44:26, Mark Andrews wrote:

> > On 18 Aug 2024, at 20:32, Marco Moock  wrote:

> It is.  Go to the product page.  Look at panel 3 “Configuration".
> Click on "Administrator Reference Manual (ARM)” then enter “v6-bias”
> in the search box.

https://bind9.readthedocs.io/en/v9.18.28/reference.html#namedconf-statement-v6-bias

As I searched on isc.org, I couldn't find it.

> > I've set it to 200ms and I still see outgoing queries to IPv4
> > destinations that are reachable via IPv6 and have a latency under
> > 20 ms.  
> 
> Named uses smooth measured RTT which means it still has to
> occasionally talk to servers over IPv4 to measure the RTT.

Can that be disabled, so IPv4 fallback will only be used when IPv6
query takes longer than the time set in v6-bias?

-- 
kind regards
Marco

Send unsolicited bulk mail to 1724017466mu...@cartoonies.org


v6-bias

2024-08-18 Thread Marco Moock
Hello!

I couldn't find anything else than https://kb.isc.org/docs/aa-01349
for v6-bias.

Is that still relevant for current versions?

Is there a reason that option isn't described in the normal
documentation?

I've set it to 200ms and I still see outgoing queries to IPv4
destinations that are reachable via IPv6 and have a latency under 20 ms.

-- 
kind regards
Marco


!AAAA in statistics

2024-08-15 Thread Marco Moock
Hello!

named.stats includes that:

[...]
++ Cache DB RRsets ++
[View: default]
3184 A
1059 NS
 108 CNAME
   8 SOA
   6 PTR
   1 TXT
2739 AAAA
  75 DS
 378 RRSIG
   6 NSEC
  21 DNSKEY
   6 HTTPS
  12 !AAAA
  10 !DS
   4 !HTTPS
   6 NXDOMAIN
[View: _bind (Cache: _bind)]

What do the lines with the ! mean?

-- 
kind regards
Marco


Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
On Fri, 12 Jul 2024 22:44:38 -0400, Herman Brule wrote:

> For now your method fail, include I try:
> 
> zone "ore.org.bo" {
>      type master;
>      file "/etc/bind/ore.org.bo.db";
> };

Only have one, exactly one master for a zone. Everything else will
create a big mess.

The other servers are slaves and will poll the zones from the master.

E.g.

ns1.example.org is IPv6 only and the master for example.org.
Glue records will only include the IPv6 address.
It will be listed as NS for example.org.

ns2.example.org is a slave and will poll the stuff from ns1, not
forward it to it.


Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
On Fri, 12 Jul 2024 15:51:32 -0400, Herman Brule wrote:

>   Loop detected! We were referred back to '45.225.75.8'

That's why I say:
Have real NS records that point to unique systems.
If you forward, make sure the other machine is the master.

I operate DNS with 2 NS records, one dual-stack, the other only IPv6.
No forwards, simply zone transfer.


Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
On 12.07.2024 at 14:56:28, Herman Brule via bind-users wrote:

> The edge router receive the query, should just forward to the IP into 
> the named.conf.rproxy (then IPv6 master)

So bind runs on this router?

What is the hostname of this router?
To which IP addresses does it point?

-- 
Regards
Marco

Send unsolicited bulk mail to 1720788988mu...@cartoonies.org


Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
On 12.07.2024 at 14:38:58, Herman Brule wrote:

> Because the customer are into IPv6 zone

So the master DNS is IPv6 only?
No problem for the zone transfer.

> And the EDGE router connecting IPv4 and IPv6 is internal to the data 
> center company, not accessible for the customer.

In which way is this router involved in DNS resolution?

-- 
Regards
Marco

Send unsolicited bulk mail to 1720787938mu...@cartoonies.org


Re: strange reply dumped URGENT

2024-07-12 Thread Marco Moock
On 12.07.2024 at 14:13:03, Herman Brule via bind-users wrote:

> bind to my proxy from IPv4 to IPv6 zone

Why don't you simply run multiple authoritative servers, some only
accessible by IPv6, some dual-stack?

They are independent of each other and only the zone transfer needs to
work.

I also see some strange things:

m@ryz:~$ host 811.vps.confiared.com.
811.vps.CONFIARED.com has address 45.225.75.8
811.vps.CONFIARED.com has IPv6 address 2803:1920::c:1963
m@ryz:~$ host 811b.vps.confiared.com.
811b.vps.CONFIARED.com is an alias for 811.vps.confiared.com.
811.vps.CONFIARED.com has address 45.225.75.8
811.vps.CONFIARED.com has IPv6 address 2803:1920::c:1963
m@ryz:~$ 

You should have redundant servers and not 2 NS records that point to
the same machine.

Please fix that first and update your glue records.

-- 
Regards
Marco

Send unsolicited bulk mail to 1720786383mu...@cartoonies.org
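
The redundancy problem pointed out above, as an added example that is not part of the original message: an offline check that flags NS names which are aliases or resolve to the same addresses. The record data is constructed from the quoted `host` output; treating both names as the zone's NS targets is an assumption, and `ns2.example.org.` with its address is a hypothetical contrast entry.

```python
import ipaddress
from itertools import combinations

# Constructed from the `host` output quoted in the message above.
RECORDS = {
    "811.vps.confiared.com.": {"A": ["45.225.75.8"],
                               "AAAA": ["2803:1920::c:1963"]},
    "811b.vps.confiared.com.": {"CNAME": ["811.vps.confiared.com."]},
    # Hypothetical independent IPv6-only secondary, for contrast.
    "ns2.example.org.": {"AAAA": ["2001:db8::53"]},
}


def resolve(name, records, max_hops=8):
    """Follow CNAMEs; return (set of addresses, list of alias names seen)."""
    chain = []
    current = name.lower()              # DNS names compare case-insensitively
    for _ in range(max_hops):
        rrsets = records.get(current, {})
        if "CNAME" not in rrsets:
            addrs = {ipaddress.ip_address(a)
                     for rtype in ("A", "AAAA")
                     for a in rrsets.get(rtype, [])}
            return addrs, chain
        chain.append(current)
        current = rrsets["CNAME"][0].lower()
    raise ValueError(f"CNAME chain too long or looping at {name}")


def audit_ns(ns_names, records):
    """Report NS targets that do not add real redundancy."""
    resolved = {ns: resolve(ns, records) for ns in ns_names}
    findings = {"aliased": [], "unresolved": [], "shared": []}
    for ns, (addrs, chain) in resolved.items():
        if chain:                       # RFC 2181: an NS target must not be an alias
            findings["aliased"].append(ns)
        if not addrs:
            findings["unresolved"].append(ns)
    for a, b in combinations(ns_names, 2):
        common = resolved[a][0] & resolved[b][0]
        if common:
            findings["shared"].append((a, b, sorted(str(ip) for ip in common)))
    # Count distinct hosts: NS names sharing any address form one group.
    groups = []
    for ns in ns_names:
        addrs = set(resolved[ns][0])
        if not addrs:
            continue
        kept = []
        for group in groups:
            if group & addrs:
                addrs |= group          # merge overlapping groups
            else:
                kept.append(group)
        groups = kept + [addrs]
    findings["distinct_hosts"] = len(groups)
    return findings


if __name__ == "__main__":
    report = audit_ns(["811.vps.CONFIARED.com.", "811b.vps.confiared.com."],
                      RECORDS)
    for key, value in report.items():
        print(f"{key}: {value}")
```
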


Re: MDLZ user activation

2024-06-07 Thread Marco Moock
On 07.06.2024 at 10:58:27, G.W. Haywood wrote:

> On the face of your description, this sounds like a spammer who has
> slightly more skill than usual.

The spammer simply used the name in From: (after Nick posted to the
list) (Nick Tait via bind-users) and the mail address
(bind-users@lists.isc.org) as the recipient.

I assume this was accidentally sent to the list and not Nick himself,
but this is just a guess.

> I'd like to see the headers, or better the entire mail.  Please feel
> free to send privately.

They are publicly posted on the list.

Message-ID:
<6661e181d6fce_20e3f8fc856fcec65140...@sidekiq-frequent-fd-poduseast1-free-blue-fc47b6fff-n44lb.mail>

If you need it, I can forward it to you.

-- 
Regards
Marco

Send unsolicited bulk mail to 1717750707mu...@cartoonies.org


Re: CNAME and IPv6

2024-05-29 Thread Marco Moock
On 30.05.2024 at 00:47:56, Peter wrote:

> On Wed, May 29, 2024 at 12:20:09PM +0200, Matus UHLAR - fantomas
> wrote: ! > On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock
> wrote: ! > > rinetd manages 2 separate connections and should work
> with PMTUD. ! 
> ! On 28.05.24 22:17, Peter wrote:
> ! > I'm wondering how it would. The connections are TCP, the PMTU
> works ! > via ICMP6.

Please stop using ! as a quoting character, it will break line wrapping
when replying and create a mess in the mailing list.

> ! No, Path MTU discovery works with TCPv4 using ICMPv4 as well.
> ! (although it was/is quite common to block ICMP packets which can
> make it not ! work properly)
> 
> That is a different matter, lots of people switch them off
> and things do still work, because we're in most cases allowed to
> defragment (firewalls do that) and refragment at any point on the
> way as needed.

That only applies if the router wants to fragment it and if the DF bit
is NOT set by the sender.

> Blocking ICMPv4 a practise that is certainly annoying, but what
> can we do?

Telling those who do it that it is a really bad idea and don't
implement workarounds.

> ! > So I would assume, the ICMP "packet too big" message
> ! > reaches the host where rinetd runs, is swallowed by the kernel,
> and ! > the kernel sets the MTU in it's hostcache. Or something along
> that ! > line.
> ! 
> ! > The TCP traffic however gets forwarded by rinetd to the internal
> ! > appserver(s) - which never get the message that they should reduce
> ! > their MTU.
> ! 
> ! The data from one TCP connection are sent through another TCP
> connection, ! where both connections are separate with separate MTU
> and PMTUD.
> 
> A new quintuple, then. Hm. Not sure why I was unhappy with that...

Didn't you say you never tried rinetd?

> one reason was probably that a webserver would not be able to know the
> client address.

That is indeed the case and logging will be much more complicated,
including banning with fail2ban.

-- 
Regards
Marco

Send unsolicited bulk mail to 1717022876mu...@cartoonies.org


Re: CNAME and IPv6

2024-05-28 Thread Marco Moock
On 28.05.2024 at 18:48:38, Peter wrote:

> On Tue, May 28, 2024 at 12:25:03PM +0200, Marco Moock wrote:

> ! > Now we add an IPv6 address for 'myhost'. But portforwarding
> ! > doesn't work for IPv6. Instead we are required to use different
> ! > addresses all over, like so:
> ! 
> ! port forwarding would work, but is nasty here. Redirectors like
> rinetd ! can handle that, but I recommend against in this case.
> 
> I tried it, and didn't get around the Path MTU discovery: Forward SNMP
> to one host, HTTP to another - which one then gets the ICMPv6 2.0
> "message too big"? 

rinetd manages 2 separate connections and should work with PMTUD. Did
you use that or another way?

PS: I still recommend pointing to the machines that host the stuff
instead of having a middlebox that might create additional headache
like improper logging, performance issues. :-)


-- 
Regards
Marco

Send unsolicited bulk mail to 1716914918mu...@cartoonies.org


Re: CNAME and IPv6

2024-05-28 Thread Marco Moock
On 28.05.2024 at 12:00:09, Peter wrote:

>   if I understand correctly, the use of CNAME is just a convenience
> and no technical feature, right?

It is technical because the query is redirected to the domain listed in
the CNAME.

> In lots of examples on the net, a zonefile for a domain might contain
> things similar to this:
> 
>   @ORIGIN example.com.
>   ..
>   myhost   A      1.2.3.4
>   www      CNAME  myhost.example.com.
>   www1     CNAME  myhost.example.com.
>   someapp  CNAME  myhost.example.com.
>   xyz      CNAME  myhost.example.com.
>   ...

That all points to this node, e.g. because multiple services are
running on the same machines, but it should be possible to separate
them when needed without changing domain names on other machines that
need to access them.
When the IP address changes, only the records of the machine listed in
CNAME need to be changed at one place.

> Often, the webserver and other applications are not actually
> running on node 1.2.3.4, but are internally portforwarded to
> some other node, for various reasons.

This is bad IPv4 stuff, you should get rid of that ASAP.
Use CNAMEs for each node that exists in reality and point to it with
CNAME.



> Now we add an IPv6 address for 'myhost'. But portforwarding
> doesn't work for IPv6. Instead we are required to use different
> addresses all over, like so:

port forwarding would work, but is nasty here. Redirectors like rinetd
can handle that, but I recommend against in this case.

> So, how would you do it? Is there a nice and elegant way?

www         CNAME   webserver1
ftp         CNAME   ftp2

webserver1  A       192.168.0.1
webserver1  AAAA    2001:db8::1
ftp2        A       172.16.0.1
ftp2        AAAA    2001:db8:::1

That makes it possible to redirect it to the actual machines that run
the service.

-- 
Regards
Marco

Send unsolicited bulk mail to 1716890409mu...@cartoonies.org


Re: DoH credentials

2024-03-25 Thread Marco Moock
On 25.03.2024 at 17:09:43, Julien Salort wrote:

> Because I am using an Apache proxy, bind9 sees the incoming requests
> as localhost, so allows all recursive requests from anybody.
> 
> Does it mean that credentials have to be implemented by the webserver
> ?

Yes, if you want to have a reverse proxy, this is a way to use auth.

If you don't want to have an open resolver, you have to control that at
the apache side.

-- 
Regards
Marco

Send unsolicited bulk mail to 1711382983mu...@cartoonies.org


Re: record PTR

2024-03-14 Thread Marco Moock
On 14.03.2024, sami.ra...@sofrecom.com wrote:

> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before
> creating a PTR record or not. In other words, if I want to create a
> PTR record on my authoritative server (ns1.mydomain.com) for
> mail.mydomain.com pointing to 41.226.22.50, should the range
> 41.226.22.0/24 be delegated to my authoritative DNS server
> ns1.mydomain.com?

The reverse zone for your net/IP needs to be delegated, nothing more.
That needs to be done by your ISP, not by your domain registrar.

If you only want to set some PTRs in your address range, the range will
be delegated and you only set the PTRs you need.


Re: BIND Upgrade

2024-02-15 Thread Marco Moock
On 15.02.2024, Semra Türkkal Nazlımoğlu wrote:

> Our bind version seems below. How can we upgrade bind version?

It comes from the OS you are using.
Upgrade to the current RHEL release.
If you prefer bleeding-edge versions, use Fedora instead.

> And if we upgrade bind version, is there any problem?

Install the new OS in a virtual machine and try running BIND there with
your configuration/zones and check for any errors.
In most cases, the upgrade works without any problems.


Re: [Windows] [9.16.45] Missing IPv4 DNS prevents tools from working

2024-01-08 Thread Marco Moock
On 09.01.2024 at 01:41:46, Gentry Deng via bind-users wrote:

> Due to an accident my local network is missing IPv4 DNS but has IPv6
> DNS so it has little impact on accessing the internet.
> 
> But I found that neither `dig` nor `nslookup` worked, and reported an
> error:

Windows Linux subsystem?

Does it have an IPv6 address?

Run ip a or ifconfig inside it.


Re: unable-resolve-bank=domain

2023-12-17 Thread Marco Moock
On 17.12.2023 at 10:21:05, MEjaz via bind-users wrote:

> One of the banking domain www.services.online-banking.gslb.sabbnet.com
> unable to resolve with our primary nameservers 212.119.64.2 whereas my
> another server 212.119.64.3 is ok

Problem at their side:

gslb.sabbnet.com.   7200    IN  NS  ns3.sabb.com.
gslb.sabbnet.com.   7200    IN  NS  ns4.sabb.com.
;; Received 161 bytes from 108.59.173.0#53(ns21.hsbc.uk) in 67 ms

;; communications error to 37.76.254.149#53: timed out
;; communications error to 37.76.254.149#53: timed out
;; communications error to 37.76.254.149#53: timed out
www.services.online-banking.gslb.sabbnet.com. 900 IN A 193.27.7.78
;; Received 89 bytes from 193.27.7.38#53(ns3.sabb.com) in 119 ms

ns4.sabb.com. is unreachable and one of your resolvers picks that first.


Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Marco Moock
On 11.12.2023 at 23:37:36, Blason R wrote:

> I require assistance in troubleshooting the resolution issue for
> specific domains that are not being resolved properly. The version of
> BIND I am currently using is BIND 9.18.20-1.

First, tell us if those queries are authoritative on that server or not.

Try using dig and post the output here.


automatic reverse and forwarding zones

2022-10-27 Thread Marco Moock
Hello,

how do ISPs automatically create the reverse and forwarding zones for
their customers' IP pools?

For example one of their clients has the IP 2001:db::3.

Its reverse zone
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.d.0.0.1.0.0.2.ip6.arpa
includes a PTR pointing to
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.d.0.0.1.0.0.2.isp.example.org

This has an AAAA record of 2001:db::3.

Is it possible to let bind create that automatically for certain zones?

-- 
kind regards
Marco
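
An added example (a stand-alone script, not from the thread and not BIND configuration) that derives the names discussed above and in the earlier "record PTR" message: the reverse zone that has to be delegated for a prefix, the PTR owner name for an address, and the matching PTR/forward pair in the naming scheme described here. The function names, the `/124` sample prefix and the 4096-address limit are assumptions of this example.

```python
import ipaddress


def reverse_zone(prefix):
    """Name of the reverse zone that covers `prefix` (the zone to delegate)."""
    net = ipaddress.ip_network(prefix, strict=True)
    step = 8 if net.version == 4 else 4   # bits per label: octet or nibble
    if net.prefixlen % step:
        # Not on a label boundary (e.g. an IPv4 /25): no single zone name
        # matches it; classless delegation (RFC 2317) is out of scope here.
        raise ValueError(f"{prefix} is not on a {step}-bit label boundary")
    host_labels = (net.max_prefixlen - net.prefixlen) // step
    labels = net.network_address.reverse_pointer.split(".")
    return ".".join(labels[host_labels:]) + "."


def ptr_owner(addr):
    """Fully qualified owner name of the PTR record for one address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def synth_pair(addr, forward_zone):
    """PTR line and matching A/AAAA line in the scheme from the message:
    the reversed address labels placed in front of the ISP's forward zone."""
    ip = ipaddress.ip_address(addr)
    host_part = ".".join(ip.reverse_pointer.split(".")[:-2])
    host = f"{host_part}.{forward_zone}"
    rtype = "A" if ip.version == 4 else "AAAA"
    return f"{ptr_owner(addr)} PTR {host}", f"{host} {rtype} {ip}"


def zone_lines(prefix, forward_zone, limit=4096):
    """Record lines for every address in a small, label-aligned prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.num_addresses > limit:
        raise ValueError(f"{prefix} has more than {limit} addresses")
    zone = reverse_zone(prefix)
    reverse, forward = [], []
    for ip in net:
        ptr, fwd = synth_pair(str(ip), forward_zone)
        # Every PTR owner must fall inside the zone that was delegated.
        assert ptr.split()[0].endswith(zone)
        reverse.append(ptr)
        forward.append(fwd)
    return reverse, forward


if __name__ == "__main__":
    # Addresses taken from the two messages; the zone names are examples.
    print(reverse_zone("41.226.22.0/24"), ptr_owner("41.226.22.50"))
    for line in synth_pair("2001:db::3", "isp.example.org."):
        print(line)
```
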
