Re: BIND 9.11.6-P1 build fails on Solaris

2019-05-01 Thread Nick Edwards
lots of things failing in recent times, even with CentOS, mostly because of
openssl min version changes, and most recently even latest releases won't
build now because of a change in min python versions *sigh*, I'm just going
to leave it as is, that's all we can do.


On Fri, Apr 26, 2019 at 5:05 AM  wrote:

> BIND 9.11.5-P4 built fine on this Solaris 10 environment with same
> configure settings:
>
> --enable-ipv6 \
> --enable-filter- \
> --enable-largefile \
> --enable-fixed-rrset \
> --enable-threads \
> --disable-shared \
> --with-dlopen=no \
> --with-openssl=/opt/bind911/openssl \
> --with-geoip=/opt/bind911/geoip \
> --without-gssapi --without-python \
> --prefix=/opt/bind911
>
> However, now the build fails for BIND 9.11.6-P1 with the following:
>
> Undefined                       first referenced
>  symbol                             in file
> isc_atomic_xadd                     client.o
> ld: fatal: symbol referencing errors. No output written to namedtmp0
> *** Error code 1
> make: Fatal error: Command failed for target `named'
>
> Thanks,
>
> Greg
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 7:14 AM, Reindl Harald 
wrote:

> this is a public mailing list - so what!
>
> when someone doesn't yet get the connection between nameservers, webserver
> and ip-addresses he is not ready to connect public servers and that's
> completely independent of the fact you are like a statement or not - so get
> out of my sight and keep your personal attacks for yourself, especially when
> you are *that* slow with your poisoning responses
>

That's right, when someone calls you out for what you really are, you try
to turn it around. truth hurts Reindl

you obviously did not know or understand the question, this does not mean
nobody else does, so you should shut your trolling trap and ignore the
post, and let someone who does know what they mean answer it. It's why you've
been kicked off just about every other technical/ASP lists on this planet.

and as slow for responses? I have a life, I enjoy weekends, I do not sit on
internet 20 hours a day like you try to because no one in their sane mind
could put up with you.

Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 7:11 AM, Reindl Harald 
wrote:

>
> i don't understand your question
>>
>>
>> Since you have NOTHING to do with ISC or even remotely with bind, if you
>> don't understand, LEAVE IT TO SOMEONE WHO DOES
>>
>
> and YOU have something to do with ISC?
> i doubt!
>
> since i maintain hundreds of domains and wrote admin-backends for BIND i
> pretend to have more than remotely to do with bind for many many years
>
>


PRETEND is the key operative word here, you have  ZERO to do with ISC Bind,
you are not a member of the consortium, yes, that I know!

I'll leave it for a list moderator to cane your arse for trying to imply
you are associated with bind project.

Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 12:42 AM, Reindl Harald 
wrote:


>
>
>
>>
> don't get me wrong but that question shows that you are not ready to run a
> public dns server - there is no "local" or
>

when you make statements like that to be sure you include the fact you have
NOTHING to do with ISC or bind.

Re: authority

2016-10-24 Thread Nick Edwards
On Tue, Oct 25, 2016 at 12:11 AM, Reindl Harald 
wrote:


> identical like the first one
>
> Which IP should be use?
>>
>
> i don't understand your question
>
>
Since you have NOTHING to do with ISC or even remotely with bind, if you
don't understand, LEAVE IT TO SOMEONE WHO DOES

but you just can't help yourself can you, damn troll

lookout timesouts

2016-09-19 Thread Nick Edwards
Hi,

We have a customer who has their own cache server, but in the afternoons
before they close up for the day, they commit off-site backups, this
process takes them about 90 mins, anyone trying to use the internet in this
time fails 99.9% of the time due to DNS lookup errors, but if they use an
external DNS server, such as ours, it works - albeit slow but it does get a
response. The local DNS cache server operates fine and instant for their
private LAN, and pinging around their LAN is sub 1ms so the problem exists
when bind tries to go out to get answers for real hostnames. When their
internet link is not fully utilized there are no problems.

The problem arose again today before the off-site backups when just one PC
got its message from Microsoft to grab the anniversary update, at 11
o'clock in the morning, strangely it did not fill their link, but the pps
must have been rampant because the DNS errors again failed when using their
local cache resolver server.

Is there a named.conf setting we can suggest they use on their cache server
that perseveres and waits a little longer for answers to send to their
client machines?
They are using bind 9.10.4-p2 with default settings from source package
along with options of -

directory "/opt/named";
allow-query { x; };
allow-query-cache { x; };
allow-transfer { xx; };


Thanks for any advice.
Nik

shutting up logs

2015-05-14 Thread Nick Edwards
skipping nameserver 'ns5.concord.org' because it is a CNAME, while resolving '210.128-25.119.138.63.in-addr.arpa/PTR'

I have logs grow by about 30 megs a day with pretty much only this in
it (of course not always same remote server), how do I shut this up ?

My logging statements are

logging {
    category lame-servers { null; };
    category edns-disabled { null; };
    category client { null; };
    category dnssec { null; };
//  channel log_queries { file /tmp/debug_query.log; print-category yes; };
//  category queries { log_queries; };
};

TIA


Re: Logs problem with Bind 9.9.4

2014-08-08 Thread Nick Edwards
bugger off with your dictatorship
do not bring it here like you take it every list you go to, well,
those that you have not been kicked off of that is


On 8/2/14, Reindl Harald h.rei...@thelounge.net wrote:
> why do you reply off-list, in HTML and top-posting?



Re: Logs problem with Bind 9.9.4

2014-08-08 Thread Nick Edwards
maybe he will, when you learn to stop being so offensive and abusive
on every list you decide to join, and to think a certain blacklist
operator on this list a few days ago said you were well behaved, hrmmm
are you paying him off so he won't list you again in his rbl


On 8/3/14, Reindl Harald h.rei...@thelounge.net wrote:
> jesus christ learn to use mailing-lists, stop to reply
> in private and strip your quotes
>
> On 02.08.2014 at 10:29, ahmed salim wrote:
>> On Sat, Aug 2, 2014 at 10:24 AM, Reindl Harald h.rei...@thelounge.net wrote:
>>
>>> why do you reply off-list, in HTML and top-posting?
>>>
>>> On 02.08.2014 at 08:09, ahmed salim wrote:
>>>> the logging is (syslog)
>>>
>>> so you can filter in rsyslog.conf
>>> https://www.google.at/search?q=rsyslog+filter+messages
>>>
>>>> now your configuration block is working
>>>
>>> fine
>>>
>>>> I'm just wondering how to disable IPv6 logs???
>>>
>>> what about show us what you are talking about?
>>> nobody but you knows what you see on your screen
>>>
>>> http://www.catb.org/esr/faqs/smart-questions.html#beprecise
>>>
>>>> I tried is to disable it by editing /etc/sysconfig/named and make
>>>> (OPTIONS=-4)
>>>> but I still getting them in my logs
>>>>
>>>> thank you for your help
>>>
>>> stripped full quote
>>
>> OK, sorry for not being precise
>>
>> the IPv6 logs is some thing like this:
>>   error (network unreachable) resolving 'videolan.org/DS/IN': 2001:500:b::1#53
>>   error (network unreachable) resolving 'px.owneriq.net/A/IN': 2600:1401:2::1#53
>>
>> is there any solution to stop these logs ???
>
> if you don't have working ipv6 just disable the stack
>
> /etc/sysctl.conf:
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
>
> after reboot you should no longer have ipv6 link local addresses
> and so BIND realizes at startup that ipv6 is not supported




nxdomain

2013-08-28 Thread Nick Edwards
Hi,
In just testing a few things with our authoritative server, I made a
typo, and, much to my surprise the server responds NXDOMAIN to
requests from unauthed requesters, this used to return  REFUSED, when
did this error change?

(bind 9.9.3-P2)


Re: nxdomain

2013-08-28 Thread Nick Edwards
The typo was more of how I came about my request, forget the typo as
such, it's the actual answer, to use a more common well known name, if
I type

~$ host www.undernet.org ns1
Using domain server:
Name: ns1

Host www.undernet.org not found: 3(NXDOMAIN)

Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN

perhaps I should also include my options in my original post, that was
remiss of me

acl trust contains localhost and the server's actual IP addresses,
nowhere does it permit the IP range I tried from

options {
    directory /var/named;
    allow-query { trust; };
    allow-transfer { localhost; };
    blackhole { bogon; };
    recursive-clients 2000;
    clients-per-query 40;
    tcp-clients 100;
    recursion no;
    additional-from-cache no;
    transfer-format many-answers;
    masterfile-format text;
    interface-interval 0;
    dnssec-enable yes;
    dnssec-validation yes;
};




On 8/28/13, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 28.08.13 23:13, Nick Edwards wrote:
>> In just testing a few things with our authoritative server, I made a
>> typo, and, much to my surprise the server responds NXDOMAIN to
>> requests from unauthed requesters, this used to return  REFUSED, when
>> did this error change?
>>
>> (bind 9.9.3-P2)
>
> what typo?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I'm not interested in your website anymore.
> If you need cookies, bake them yourself.



Re: nxdomain

2013-08-28 Thread Nick Edwards
Mark,

On 8/29/13, Mark Andrews ma...@isc.org wrote:
>
> In message
> CAMD-=VKA_dftLRqtJMs=egmepzhu82q06+p_j8rmbgzxvvg...@mail.gmail.com
> , Nick Edwards writes:
>> The typo was more of how I came about my request, forget the typo as
>> such, it's the actual answer, to use a more common well known name, if
>> I type
>>
>> ~$ host www.undernet.org ns1
>> Using domain server:
>> Name: ns1
>>
>> Host www.undernet.org not found: 3(NXDOMAIN)
>>
>> Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
>>
>> perhaps I should also include my options in my original post, that was
>> remiss of me
>>
>> acl trust contains localhost and the server's actual IP addresses,
>> nowhere does it permit the IP range I tried from
>>
>> options {
>>     directory /var/named;
>>     allow-query { trust; };
>>     allow-transfer { localhost; };
>>     blackhole { bogon; };
>>     recursive-clients 2000;
>>     clients-per-query 40;
>>     tcp-clients 100;
>>     recursion no;
>>     additional-from-cache no;
>>     transfer-format many-answers;
>>     masterfile-format text;
>>     interface-interval 0;
>>     dnssec-enable yes;
>>     dnssec-validation yes;
>> };
>
> Given www.undernet.org exists on the Internet (so you wouldn't be
> getting NXDOMAIN if it was recursing to the Internet) and you haven't
> shown the entire configuration we can't tell if it is a lack of
> understanding about your configuration or a bug.


The only other components to our pure authoritative only server
configuration are

The bogon acl from team cymru

include /var/named/root_trusted_key;

logging {
    category lame-servers { null; };
    category edns-disabled { null; };
    category client { null; };
};

zone . {
    type hint;
    file root.hints;
};


zone 127.in-addr.arpa {
    type master;
    file localhost.rev;
    notify no;
};

zone localhost {
    type master;
    file localhost.zone;
    notify no;
};

zone somedomain.org {
    type master;
    allow-transfer { slave.ip; };
    file somedomain.org.signed;
    allow-query { any; };
    allow-update { none; };
};


zone .in-addr.arpa {
    type master;
    allow-transfer { sec.IP; };
    file 00v4.zone;
    allow-query { any; };
    allow-update { none; };
};

zone xxx.ip6.arpa {
    type master;
    allow-transfer { sec.IP; };
    file 00v6.zone;
    allow-query { any; };
    allow-update { none; };
};

zone  {
    type slave;
    masters { x.x.x.x; };
    file xx.signed;
    allow-query { any; };
};


there are 27 more master/slave zones, but they all are in identical
format as above and
we certainly do not host undernet :-)

(and with no customer IP ranges included in any ACL since these are
not caching servers), and, having friends trying from different ISP's,
we get NXDOMAIN, be it undernet, or google  Host www.google.com not
found: 3(NXDOMAIN) or whatever else it is not configured for, yes, it
does respond correctly to domains it is supposed to

in the end because of this config, I expect to see REFUSED here, like
we have in the past, not sure when this changed.

Both our ns1 and ns2 respond in same


Re: DNS Blackholing

2012-12-04 Thread Nick Edwards
Hi All,

Is there a way for RPZ zone file to act on  domain AND subdomains
without using two separate entries?

At present I can only get them to match on one or the other unless I do
example.com    blah
*.example.com  blah

I'm sure I've missed the obvious, but thought I'd ask
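
The two-record pattern from the post above, generated from one source list so the apex and wildcard entries cannot drift apart. This is an added example, not part of the original thread; the `CNAME .` action, the function names and the sample names are assumptions standing in for the post's `blah`.

```python
"""Emit apex + wildcard RPZ records from a single domain list (added example)."""
import re

# One DNS label: 1-63 chars, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

# Constructed sample input, one name per line, '#' starts a comment.
SAMPLE = [
    "Example.COM.",
    "# comment only",
    "ads.example.com",
    "tracker.example.net  # constructed",
    "example.net",
    "",
]


def normalise(line):
    """Return a lower-case name without trailing dot, or None for blank lines."""
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not name:
        return None
    if len(name) > 253 or not all(LABEL.match(l) for l in name.split(".")):
        raise ValueError(f"not a valid domain name: {line!r}")
    return name


def covered_by_parent(name, names):
    """True if a parent of `name` is listed, so its wildcard already matches."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in names for i in range(1, len(labels)))


def rpz_records(lines, action="CNAME ."):
    """Return RPZ owner/action lines, relative to the policy zone origin.

    Each listed domain yields two records: the bare name matches the apex
    only, and the wildcard matches names below it only.
    """
    names = {n for n in map(normalise, lines) if n}
    records = []
    for name in sorted(names, key=lambda n: n.split(".")[::-1]):
        if covered_by_parent(name, names):
            continue  # redundant: the parent's wildcard record covers it
        records.append(f"{name} {action}")
        records.append(f"*.{name} {action}")
    return records


if __name__ == "__main__":
    print("\n".join(rpz_records(SAMPLE)))
```
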


Re: DNSSEC and slaves error

2012-03-08 Thread Nick Edwards
Thanks, that did the trick!


On 3/8/12, Mark Andrews ma...@isc.org wrote:
>
> In message
> CAMD-=VKxKssRXfD4XSgPua-v6=ooazylgc3yb3cy51ihopw...@mail.gmail.com
> , Nick Edwards writes:
>> On 3/8/12, Nick Edwards nick.z.edwa...@gmail.com wrote:
>>> On 3/7/12, Mark Andrews wrote:
>>>
>>>>> resigned it again as about 3 months using: dnssec-signzone -a -e
>>>>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>>>>
>>>> You should have fed dnssec-signzone the old signed zone not the
>>>> unsigned zone.
>>>>
>>>> dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
>>>
>>> Thank you Mark, in all of the so called howto's I've read, I recall
>>> none of them mentioning resigning the signed file.
>>> I've changed my cheat sheet to reflect above is only useful for
>>> initial signing, and your example as all subsequent signings
>>>
>>> Thanks again.
>>
>> Hrmm, is that really the correct command?
>>
>> dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed
>>
>> fatal: failed loading zone from 'xxx.org.signed': not at top of zone
>
> -o xxx.org
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
I am an old hand at bind, but -  DNSSEC Newbie alert :-

I am after clarification on how slaves handle DNSSEC.

I have two slaves, both were stale, like since Feb 9 ! One I directly
control, the second, I do not, so I can not provide details on how
that one is configured, but given it is a reputable provider, I assume
setup is as good or better than mine.

The zone was resigned 3 weeks ago as 30 days, but one week ago I
resigned it again as about 3 months using: dnssec-signzone -a -e
+15724800 -K keys/ -N INCREMENT guilty_domain.here

After all this time, still no change on slaves, I had to edit the zone
(inserted a dummy TXT entry)   then resign the zone, and then  they
both picked up changes.

Shouldn't they detect the change from the increment  and update? I
checked my controlled slave and it was stale RRSIGs until I altered
the actual zone, then RRSIG updated.

my controlled servers:
Linux Slackware (x2)
Bind 9.9.0

uncontrolled server Bind 9.9.0,  RedHat (release unknown)

/options master
dnssec-enable yes;
dnssec-validation yes;

zone
type master;
allow-transfer { lan; slavedns; };
file xx.org.signed;
allow-query { any; };
allow-update { none; };

/options slave
dnssec-enable yes;

zone
  type slave;
  masters { x.x.x.x; };
  file xx.org;
  allow-query { any; };


Am I doing something wrong?

thanks
Nik


Re: DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
On 3/7/12, Mark Andrews  wrote:

>> resigned it again as about 3 months using: dnssec-signzone -a -e
>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>
> You should have fed dnssec-signzone the old signed zone not the unsigned
> zone.
>
> dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed


Thank you Mark, in all of the so called howto's I've read, I recall
none of them mentioning resigning the signed file.
I've changed my cheat sheet to reflect above is only useful for
initial signing, and your example as all subsequent signings

Thanks again.
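
Why feeding the unsigned zone left the secondaries stale, modelled as an added example that is not part of the thread: `-N INCREMENT` adds one to the serial of the input file, so re-signing an unchanged unsigned zone publishes the same serial each time and a secondary has no reason to transfer. All serials, SOA and RRSIG strings are constructed, and the function names are hypothetical.

```python
"""Model of SOA serial handling across repeated signings (added example)."""

SERIAL_MOD = 2 ** 32

# Constructed `dig +short` style answers: same serial, different signatures.
PRIMARY = {
    "soa": "ns1.example.org. hostmaster.example.org. 2012020902 3600 900 604800 86400",
    "rrsig": "SOA 8 2 3600 20120906000000 20120308000000 12345 example.org. c2lnbmF0dXJl",
}
SECONDARY = {
    "soa": "ns1.example.org. hostmaster.example.org. 2012020902 3600 900 604800 86400",
    "rrsig": "SOA 8 2 3600 20120310000000 20120209000000 12345 example.org. c2lnbmF0dXJl",
}


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True when serial a is newer than b."""
    return 0 < (a - b) % SERIAL_MOD < 2 ** 31


def simulate(unsigned_serial, runs, feed_signed):
    """Replay `runs` signings that use -N INCREMENT.

    feed_signed=False: every run reads the unsigned zone file.
    feed_signed=True: runs after the first read the previously signed file.
    Returns [(published_serial, secondary_transferred), ...].
    """
    published = None  # serial in the signed file served by the primary
    secondary = None  # serial currently held by the secondary
    history = []
    for _ in range(runs):
        source = published if (feed_signed and published is not None) else unsigned_serial
        published = (source + 1) % SERIAL_MOD  # effect of -N INCREMENT
        transferred = secondary is None or serial_gt(published, secondary)
        if transferred:
            secondary = published
        history.append((published, transferred))
    return history


def soa_serial(rdata):
    """Serial field from SOA rdata in presentation format."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields: {rdata!r}")
    return int(fields[2])


def rrsig_expiration(rdata):
    """Expiration (YYYYMMDDHHMMSS) from RRSIG rdata in presentation format."""
    fields = rdata.split()
    if len(fields) < 9:
        raise ValueError(f"expected at least 9 RRSIG fields: {rdata!r}")
    return fields[4]


def silently_stale(primary, secondary):
    """True when serials match but the secondary serves older signatures."""
    same_serial = soa_serial(primary["soa"]) == soa_serial(secondary["soa"])
    older_sigs = rrsig_expiration(secondary["rrsig"]) < rrsig_expiration(primary["rrsig"])
    return same_serial and older_sigs


if __name__ == "__main__":
    print("unsigned input:", simulate(2012020901, 3, feed_signed=False))
    print("signed input:  ", simulate(2012020901, 3, feed_signed=True))
    print("secondary silently stale:", silently_stale(PRIMARY, SECONDARY))
```

A serial-only comparison reports the two servers as in sync in exactly this situation, which is why the check also compares the RRSIG expiration on the SOA.
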


Re: DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
On 3/8/12, Nick Edwards nick.z.edwa...@gmail.com wrote:
> On 3/7/12, Mark Andrews wrote:
>
>>> resigned it again as about 3 months using: dnssec-signzone -a -e
>>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
>>
>> You should have fed dnssec-signzone the old signed zone not the unsigned
>> zone.
>>
>> dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
>
> Thank you Mark, in all of the so called howto's I've read, I recall
> none of them mentioning resigning the signed file.
> I've changed my cheat sheet to reflect above is only useful for
> initial signing, and your example as all subsequent signings
>
> Thanks again.


Hrmm, is that really the correct command?

dnssec-signzone  -f xx.org.signed -a -e +15724800 -K keys/ -N
INCREMENT xx.org.signed

fatal: failed loading zone from 'xxx.org.signed': not at top of zone


named.conf splitting

2012-02-17 Thread Nick Edwards
Hi,
In a recent discussion on another list, it was discussed the pros and
cons of splitting the main conf file to a per domain.

In binds case it would be  to /etc/named.d/*.conf
So each zone would have a file in that directory containing only the
relevant info
 eg:

zone example.com {
    type master;
    allow-transfer { slavesdns; };
    file example.com.signed;
    allow-query { any; };
    allow-update { none; };
};

that's it, nothing more, rather than having 2000 entries in named.conf,
we would have 2000 conf files to be read (yes in addition to the 2000
actual zone files).

with apache it takes only 2 or so more seconds to start and reload
doing it this way, so I know that bind will take longer, it has to
with all those open/read/close files, at present bind starts up in
about 9 seconds due to 17K zones, so I'd imagine this would take even up
to 15 seconds.

My question is, has anyone done this with success or failure?
Would a named developer know if its safe or detrimental to do this?
or would it simply make no difference apart from the extra time for
starts/reloads?


(This came about on another list, because we load all hosts on apache
in one file (2000 per box), recently something went wrong with sshfs
during a transaction, and in deleting a vhost block it took out about
100 of them :)  so we are looking at making things a bit more
failsafe, my opinion is, if it can happen once, it can happen again,
it could have happened to a zone file, but luckily only the web conf
file.)

Thoughts anyone?

Thanks
Niki