Re: BIND 9.11.6-P1 build fails on Solaris
lots of things failing in recent times, even with CentOS, mostly because of openssl min version changes, and most recently even latest releases won't build now because of a change in min python versions *sigh*, I'm just going to leave it as is, that's all we can do.

On Fri, Apr 26, 2019 at 5:05 AM wrote:

> BIND 9.11.5-P4 built fine on this Solaris 10 environment with same
> configure settings:
>
> > --enable-ipv6 \
> > --enable-filter- \
> > --enable-largefile \
> > --enable-fixed-rrset \
> > --enable-threads \
> > --disable-shared \
> > --with-dlopen=no \
> > --with-openssl=/opt/bind911/openssl \
> > --with-geoip=/opt/bind911/geoip \
> > --without-gssapi --without-python \
> > --prefix=/opt/bind911
> >
> > However, now the build fails for BIND 9.11.6-P1 with the following:
> >
> > Undefined                       first referenced
> >  symbol                             in file
> > isc_atomic_xadd                     client.o
> > ld: fatal: symbol referencing errors. No output written to namedtmp0
> > *** Error code 1
> > make: Fatal error: Command failed for target `named'
> >
> > Thanks,
> > Greg
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Re: authority
On Tue, Oct 25, 2016 at 7:14 AM, Reindl Harald wrote:

> this is a public mailing list - so what!
>
> when someone don't yet get the connection between nameservers, webserver
> and ip-addresses he is not ready to connect public servers and that's
> completely independent of the fact you ra elike a statement or not - so get
> out of my sight and keep your personal attacks for yourself, especially when
> you are *that* slow with your poisoning responses

That's right, when someone calls you out for what you really are, you try turn it around. truth hurts Reindl you obviously did not know or understand the question, this does not mean nobody else does, so you should shut your trolling trap and ignore the post, and let someone who does know what they mean answer it. It's why you've been kicked off just about every other technical/ASP lists on this planet.

and as slow for responses? I have a life, I enjoy weekends, I do not sit on internet 20 hours a day like you try to because no one in their sane mind could put up with you.

Re: authority
On Tue, Oct 25, 2016 at 7:11 AM, Reindl Harald wrote:

> > i don't understand your question
>>
>> Since you have NOTHING to do with ISC or even remotely with bind, if you
>> don't understand, LEAVE IT TO SOMEONE WHO DOES
>
> and YOU have something to do with ISC?
> i doubt!
>
> since i maintain hundreds of domains and wrote admin-backends for BIND i
> pretend to have more than remotely to do with bind for many many years

PRETEND is the key operative word here, you have ZERO to do with ISC Bind, you are not a member of the consortium, yes, that I know! I'll leave it for a list moderator to cane your arse for trying to imply you are associated with bind project.

Re: authority
On Tue, Oct 25, 2016 at 12:42 AM, Reindl Harald wrote:

> don't get me wrong but that question shows that you are not ready to run a
> public dns server - there is no "local" or

when you make statements like that to be sure you include the fact you have NOTHING to do with ISC or bind.

Re: authority
On Tue, Oct 25, 2016 at 12:11 AM, Reindl Harald wrote:

> identical like the first one
>
>> Which IP should be use?
>
> i don't understand your question

Since you have NOTHING to do with ISC or even remotely with bind, if you don't understand, LEAVE IT TO SOMEONE WHO DOES but you just can't help yourself can you, damn troll

lookout timesouts
Hi,

We have a customer who has their own cache server, but in the afternoons before they close up for the day, they commit off-site backups, this process takes them about 90 mins, anyone trying to use the internet in this time fails 99.9% of the time due to DNS lookup errors, but if they use an external DNS server, such as ours, it works - albeit slow but it does get a response.

The local DNS cache server operates fine and instant for their private LAN, and pinging around their LAN is sub 1ms so the problem exists when bind tries to go out to get answers for real hostnames. When their internet link is not fully utilized there are no problems.

The problem arose again today before the off-site backups when just one PC got its message from Microsoft to grab the anniversary update, at 11 o'clock in the morning, strangely it did not fill their link, but the pps must have been rampant because the DNS errors again failed when using their local cache resolver server.

Is there a named.conf setting we can suggest they use on their cache server that perseveres and waits a little longer for answers to send to their client machines?

They are using bind 9.10.4-p2 with default settings from source package along with options of -

    directory "/opt/named";
    allow-query { x; };
    allow-query-cache { x; };
    allow-transfer { xx; };

Thanks for any advice.

Nik

shutting up logs
skipping nameserver 'ns5.concord.org' because it is a CNAME, while resolving '210.128-25.119.138.63.in-addr.arpa/PTR'

I have logs grow by about 30 megs a day with pretty much only this in it (of course not always same remote server), how do I shut this up?

My logging statements are

    logging {
        category lame-servers { null; };
        category edns-disabled { null; };
        category client { null; };
        category dnssec { null; };
        // channel log_queries { file /tmp/debug_query.log; print-category yes; };
        // category queries { log_queries; };
    };

TIA

Re: Logs problem with Bind 9.9.4
bugger off with your dictatorship do not bring it here like you take it every list you go to, well, those that you have not been kicked off of that is

On 8/2/14, Reindl Harald h.rei...@thelounge.net wrote:

why do you reply off-list, in HTML and top-posting?

Re: Logs problem with Bind 9.9.4
maybe he will, when you learn to stop being so offensive and abusive on every list you decide to join, and to think a certain blacklist operator on this list a few days ago said you were well behaved, hrmmm are you paying him you off so he won't list you again in his rbl

On 8/3/14, Reindl Harald h.rei...@thelounge.net wrote:

jesus christ learn to use mailing-lists, stop to reply in private and strip your quotes

On 02.08.2014 at 10:29, ahmed salim wrote:

On Sat, Aug 2, 2014 at 10:24 AM, Reindl Harald h.rei...@thelounge.net wrote:

why do you reply off-list, in HTML and top-posting?

On 02.08.2014 at 08:09, ahmed salim wrote:

the logging is (syslog) so you can filter in rsyslog.conf
https://www.google.at/search?q=rsyslog+filter+messages

now your configuration block is working fine I'm just wondering how to disable IPv6 logs???

what about show us what you are talking about?
nobody but you knows what you see on your screen
http://www.catb.org/esr/faqs/smart-questions.html#beprecise

I tried is to disable it by editing /etc/sysconfig/named and make (OPTIONS=-4) but I still getting them in my logs

thank you for your help

stripped full quote

OK, sorry for not being precise the IPv6 logs is some thing like this:

    error (network unreachable) resolving 'videolan.org/DS/IN': 2001:500:b::1#53
    error (network unreachable) resolving 'px.owneriq.net/A/IN': 2600:1401:2::1#53

is there any solution to stop these logs ???

if you don't have working ipv6 just disable the stack

/etc/sysctl.conf:

    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1

after reboot you should no longer have ipv6 link local addresses and so BIND realizes at startup that ipv6 is not supported

nxdomain
Hi,

In just testing a few things with our authoritative server, I made a typo, and, much to my surprise the server responds NXDOMAIN to requests from unauthed requesters, this used to return REFUSED, when did this error change? (bind 9.9.3-P2)

Re: nxdomain
The typos was more of how I came about my request, forget the typo as such, it the actual answer, to use a more common well known name, if I type

    ~$ host www.undernet.org ns1
    Using domain server:
    Name: ns1
    Host www.undernet.org not found: 3(NXDOMAIN)

Above should be, and I'm darn sure used to be, REFUSED - not NXDOMAIN

perhaps I should also include my options in my original post, that was remiss of me

acl trust contains localhost and the servers actual IP addresses, nowhere does it permit the IP range I tried from

    options {
        directory /var/named;
        allow-query { trust; };
        allow-transfer { localhost; };
        blackhole { bogon; };
        recursive-clients 2000;
        clients-per-query 40;
        tcp-clients 100;
        recursion no;
        additional-from-cache no;
        transfer-format many-answers;
        masterfile-format text;
        interface-interval 0;
        dnssec-enable yes;
        dnssec-validation yes;
    };

On 8/28/13, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

On 28.08.13 23:13, Nick Edwards wrote:

In just testing a few things with our authoritative server, I made a typo, and, much to my surprise the server responds NXDOMAIN to requests from unauthed requesters, this used to return REFUSED, when did this error change? (bind 9.9.3-P2)

what typo?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I'm not interested in your website anymore. If you need cookies, bake them yourself.

Re: nxdomain
Mark,

On 8/29/13, Mark Andrews ma...@isc.org wrote:

In message CAMD-=VKA_dftLRqtJMs=egmepzhu82q06+p_j8rmbgzxvvg...@mail.gmail.com , Nick Edwards writes:

The typos was more of how I came about my request, forget the typo as such, it the actual answer, to use a more common well known name, if I type

    ~$ host www.undernet.org ns1
    Using domain server:
    Name: ns1
    Host www.undernet.org not found: 3(NXDOMAIN)

Above should be, and I'm darn sure used to be, REFUSED - not NXDOMAIN

perhaps I should also include my options in my original post, that was remiss of me

acl trust contains localhost and the servers actual IP addresses, nowhere does it permit the IP range I tried from

    options {
        directory /var/named;
        allow-query { trust; };
        allow-transfer { localhost; };
        blackhole { bogon; };
        recursive-clients 2000;
        clients-per-query 40;
        tcp-clients 100;
        recursion no;
        additional-from-cache no;
        transfer-format many-answers;
        masterfile-format text;
        interface-interval 0;
        dnssec-enable yes;
        dnssec-validation yes;
    };

Given www.undernet.org exists on the Internet (so you wouldn't be getting NXDOMAIN if it was recursing to the Internet) and you haven't shown the entire configuration we can't tell if it is a lack of understanding about your configuration or a bug.

The only other components to our pure authoritative only server configuration are

The bogon acl from team cymru

    include /var/named/root_trusted_key;

    logging {
        category lame-servers { null; };
        category edns-disabled { null; };
        category client { null; };
    };

    zone . {
        type hint;
        file root.hints;
    };

    zone 127.in-addr.arpa {
        type master;
        file localhost.rev;
        notify no;
    };

    zone localhost {
        type master;
        file localhost.zone;
        notify no;
    };

    zone somedomain.org {
        type master;
        allow-transfer { slave.ip; };
        file somedomain.org.signed;
        allow-query { any; };
        allow-update { none; };
    };

    zone .in-addr.arpa {
        type master;
        allow-transfer { sec.IP; };
        file 00v4.zone;
        allow-query { any; };
        allow-update { none; };
    }

    zone xxx.ip6.arpa {
        type master;
        allow-transfer { sec.IP; };
        file 00v6.zone;
        allow-query { any; };
        allow-update { none; };
    };

    zone {
        type slave;
        masters { x.x.x.x; };
        file xx.signed;
        allow-query { any; };
    };

there are 27 more master/slave zones, but they all are in identical format as above

and we certainly do not host undernet :-) and with no customer IP ranges included in any ACL since these are not caching servers), and, having friends trying from different ISP's, we get NXDOMAIN, be it undernet, or google

    Host www.google.com not found: 3(NXDOMAIN)

or whatever else it is not configured for, yes, it does respond correctly to domains it is supposed to

in the end because of this config, I expect to see REFUSED here, like we have in the past, not sure when this changed.

Both our ns1 and ns2 respond in same

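A regression check for the behaviour discussed in this thread, added here as an example (not code from any poster or from ISC): it builds a non-recursive query for a name the server does not host and classifies the reply as REFUSED or NXDOMAIN from the DNS header. The function names and the server address passed to `probe` are assumptions, and the two replies at the bottom are constructed byte strings.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal query for name (class IN) with RD clear, since an
    authoritative-only server should not be asked to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(response):
    """Decode the fixed 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    code = flags & 0x000F
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(code, str(code)),
            "answers": answers}

def verdict(response, txid=0x1234):
    """Judge the reply to a query for a zone the server does not host."""
    hdr = parse_header(response)
    if not hdr["qr"] or hdr["txid"] != txid:
        return "ignore: not the response to our query"
    if hdr["rcode"] == "REFUSED":
        return "ok: REFUSED"
    if hdr["rcode"] == "NXDOMAIN":
        origin = "authoritative" if hdr["aa"] else "non-authoritative"
        return f"unexpected: {origin} NXDOMAIN for a name outside the served zones"
    return f"unexpected: {hdr['rcode']} with {hdr['answers']} answer(s)"

def probe(server, name, timeout=3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return verdict(data)

# Constructed replies: only the header flags matter here, so the question
# section is copied from the query and no records follow.
QUESTION = build_query("www.undernet.org")[12:]
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(verdict(REFUSED_REPLY))
    print(verdict(NXDOMAIN_REPLY))
```
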
Re: DNS Blackholing
Hi All,

Is there a way for RPZ zone file to act on domain AND subdomains without using two separate entries? At present I can only get them to match on one or the other unless I do

    example.com blah
    *.example.com blah

I'm sure I've missed the obvious, but thought I'd ask

Re: DNSSEC and slaves error
Thanks, that did the trick!

On 3/8/12, Mark Andrews ma...@isc.org wrote:

In message CAMD-=VKxKssRXfD4XSgPua-v6=ooazylgc3yb3cy51ihopw...@mail.gmail.com , Nick Edwards writes:

On 3/8/12, Nick Edwards nick.z.edwa...@gmail.com wrote:

On 3/7/12, Mark Andrews wrote:

resigned it again as about 3 months using:

    dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

You should have fed dnssec-signzone the old signed zone not the unsigned zone.

    dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed

Thank you Mark, in all of the so called howto's I've read, I recall none of them mentioning resigning the signed file. I've changed my cheat sheet to reflect above is only useful for initial signing, and your example as all subsequent signings

Thanks again.

Hrmm, is that really the correct command?

    dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed
    fatal: failed loading zone from 'xxx.org.signed': not at top of zone

-o xxx.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

DNSSEC and slaves error
I am an old hand at bind, but - DNSSEC Newbie alert :-

I am after clarification on how slaves handle DNSSEC.

I have two slaves, both were stale, like since Feb 9 ! One I directly control, the second, I do not, so I can not provide details on how that one is configured, but given it is a reputable provider, I assume setup is as good or better than mine.

The zone was resigned 3 weeks ago as 30 days, but one week ago I resigned it again as about 3 months using:

    dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

After all this time, still no change on slaves, I had to edit the zone (inserted a dummy TXT entry) then resign the zone, and then they both picked up changes.

Shouldn't they detect the change from the increment and update?

I checked my controlled slave and it was stale RRSIGs until I altered the actual zone, then RRSIG updated.

my controlled servers: Linux Slackware (x2) Bind 9.9.0
uncontrolled server Bind 9.9.0, RedHat (release unknown)

/options master

    dnssec-enable yes;
    dnssec-validation yes;

zone

    type master;
    allow-transfer { lan; slavedns; };
    file xx.org.signed;
    allow-query { any; };
    allow-update { none; };

/options slave

    dnssec-enable yes;

zone

    type slave;
    masters { x.x.x.x; };
    file xx.org;
    allow-query { any; };

Am I doing something wrong?

thanks
Nik

Re: DNSSEC and slaves error
On 3/7/12, Mark Andrews wrote:

resigned it again as about 3 months using:

    dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

You should have fed dnssec-signzone the old signed zone not the unsigned zone.

    dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed

Thank you Mark, in all of the so called howto's I've read, I recall none of them mentioning resigning the signed file. I've changed my cheat sheet to reflect above is only useful for initial signing, and your example as all subsequent signings

Thanks again.

Re: DNSSEC and slaves error
On 3/8/12, Nick Edwards nick.z.edwa...@gmail.com wrote:

On 3/7/12, Mark Andrews wrote:

resigned it again as about 3 months using:

    dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

You should have fed dnssec-signzone the old signed zone not the unsigned zone.

    dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed

Thank you Mark, in all of the so called howto's I've read, I recall none of them mentioning resigning the signed file. I've changed my cheat sheet to reflect above is only useful for initial signing, and your example as all subsequent signings

Thanks again.

Hrmm, is that really the correct command?

    dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed
    fatal: failed loading zone from 'xxx.org.signed': not at top of zone

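A check for the symptom in the DNSSEC thread above (slaves still holding stale RRSIGs after the master was re-signed), added here as an example and not code from any poster: it compares the SOA serial and the RRSIG expiration times in two text-format copies of a zone. A slave only transfers when the master's serial is higher than its own, so both values are reported; the zone data, the names and the 7-day warning window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG rdata: type-covered alg labels orig-ttl expiration inception key-tag signer
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+\S+")
# Requiring "IN SOA" skips the "RRSIG SOA ..." records that cover the SOA.
SOA_RE = re.compile(r"\bIN\s+SOA\s+\S+\s+\S+\s+(\d+)")

def _flatten(zone_text):
    """Drop ';' comments and the parentheses that wrap multi-line records."""
    lines = [line.split(";", 1)[0] for line in zone_text.splitlines()]
    return " ".join(lines).replace("(", " ").replace(")", " ")

def _ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def soa_serial(zone_text):
    match = SOA_RE.search(_flatten(zone_text))
    if match is None:
        raise ValueError("no SOA record found")
    return int(match.group(1))

def rrsig_expirations(zone_text):
    """Return (type_covered, expiration, key_tag) for every RRSIG found."""
    return [(m.group(1), _ts(m.group(2)), int(m.group(4)))
            for m in RRSIG_RE.finditer(_flatten(zone_text))]

def compare(master_text, slave_text, now, warn=timedelta(days=7)):
    """List the reasons the slave copy looks stale relative to the master."""
    findings = []
    m_serial, s_serial = soa_serial(master_text), soa_serial(slave_text)
    if m_serial <= s_serial:  # plain compare, ignores RFC 1982 wraparound
        findings.append(f"serial not advanced (master {m_serial}, slave {s_serial})")
    m_exp = [exp for _, exp, _ in rrsig_expirations(master_text)]
    s_exp = [exp for _, exp, _ in rrsig_expirations(slave_text)]
    if not s_exp:
        findings.append("slave copy carries no RRSIGs")
        return findings
    if min(s_exp) <= now:
        findings.append(f"slave has expired signatures ({min(s_exp):%Y-%m-%d})")
    elif min(s_exp) <= now + warn:
        findings.append(f"slave signatures expire soon ({min(s_exp):%Y-%m-%d})")
    if m_exp and max(m_exp) > max(s_exp):
        findings.append("master holds newer signatures than the slave")
    return findings

# Constructed sample data for a made-up zone (not taken from the thread).
MASTER = """\
xx.example. 3600 IN SOA ns1.xx.example. hostmaster.xx.example. (
                2012030801 ; serial
                3600 900 604800 3600 )
            3600 IN RRSIG SOA 8 2 3600 (
                20120906000000 20120308000000 4242 xx.example.
                c2FtcGxlc2lnbmF0dXJl )
"""
SLAVE = MASTER.replace("20120906000000 20120308000000",
                       "20120310000000 20120209000000")

if __name__ == "__main__":
    for line in compare(MASTER, SLAVE, datetime(2012, 3, 8, 12, tzinfo=timezone.utc)):
        print(line)
```

The inputs must be text-format zone data; one-record-per-line output such as a zone transfer listing parses the same way as the parenthesised form shown here.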
named.conf splitting
Hi,

In a recent discussion on another list, it was discussed the pros and cons of splitting the main conf file to a per domain. In bind's case it would be to /etc/named.d/*.conf

So each zone would have a file in that directory containing only the relevant info eg:

    zone example.com {
        type master;
        allow-transfer { slavesdns; };
        file example.com.signed;
        allow-query { any; };
        allow-update { none; };
    };

that's it, nothing more, rather than having 2000 entries in named.conf, we would have 2000 conf file to be read (yes in addition to the 2000 actual zone files).

with apache it takes only 2 or so more seconds to start and reload doing it this way, so I know that bind will take longer, it has to with all those open/read/close files, at present bind starts up in about 9 seconds due to 17K zones, so I'd imagine this would take even up to 15 seconds.

My question is, has anyone done this with success or failure? Would a named developer know if it's safe or detrimental to do this? or would it simply make no difference apart from the extra time for starts/reloads?

(This came about on another list, because we load all hosts on apache in one file (2000 per box) recently something went wrong with sshfs during a transaction, and in deleting a vhost block it took out about 100 of them :) so we are looking at making things a bit more failsafe, my opinion is, if it can happen once, it can happen again, it could have happened to a zone file, but luckily only the web conf file.)

Thoughts anyone?

Thanks
Niki