Re: Breaking up RFC 1918 reverse space

2011-07-25 Thread Peter Laws

On 07/23/11 22:08, Karl Auer wrote:



Maybe this is an overly naive approach, but can't you set up one zone
for 10.0.0.0/8 and delegate as necessary from that single zone file?
Anything that you don't have an answer for will get NXDOMAIN, which is
presumably what you want.



So:

zone "10.IN-ADDR.ARPA" {
    type master;
    file "internal/db.10.rev";
    allow-query { network_internal; };
};

Then in the zone file internal/db.0.rev:

$ORIGIN 10.in-addr.arpa.
[...]
0 3600 IN NS ns00.mydomain.
1 3600 IN NS ns01.mydomain.
... etc




I thought of that, too.  Were I delegating all slivers of the 10/8 space 
(it's actually 4 10/10 spaces), then I'd have done it long ago and not 
asked the question.  I'm more confused than that - read on.  :-)


What I think I didn't make clear in my first post was that I actually want 
to do two things:


1) I want to break 10/8 space into 4 10/10 zones (actual, independent zones).

10.0.0.0/10
10.64.0.0/10
10.128.0.0/10
10.192.0.0/10

2) Serve one resulting zone myself, delegate all of two others, then 
delegate parts of the last one.


So my initial question was incomplete.


I've read about $GENERATEing CNAME records for chunks and then delegating 
the chunks, for example


0   IN  CNAME   0-63.10.in-addr.arpa.
1   IN  CNAME   0-63.10.in-addr.arpa.
2   IN  CNAME   0-63.10.in-addr.arpa.
etc

but done with $GENERATE and then actually delegating with

0-63.10.in-addr.arpa.   IN  NS  ns1.edu.
64-127.10.in-addr.arpa. IN  NS  ns2.edu.
etc

Where I'm confused (or have confused myself) is the part about wanting to 
actually break the zone up (I want to break it up for the usual reasons - 
size and limiting damage)




--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
-
Feedback? Contact my director, Eddie Huebsch, ehueb...@ou.edu. Thank you!
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
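One way to put the four-way /10 split into the parent zone, as an added example that is not from the thread, the poster, or BIND itself (the server names and the partial delegation of the last /10 are assumptions):

```python
"""Render 10.in-addr.arpa delegations for a four-way /10 split of 10/8.

Added example for the thread above; it is not code from the list, from the
poster, or from ISC/BIND. Server names and the "delegate only part of the
last /10" plan are assumptions. What it shows: in-addr.arpa labels are
octets, so 10.64.0.0/10 cannot be one delegated zone. The parent instead
delegates the 64 second-octet labels 64.10.in-addr.arpa through
127.10.in-addr.arpa (one /16 each), and a single $GENERATE line writes
those NS records.
"""
import ipaddress

TEN_SLASH_8 = ipaddress.IPv4Network("10.0.0.0/8")

# Assumed plan; longest prefix wins. None means the PTRs live in the parent
# 10.in-addr.arpa zone itself (the /10 the poster serves himself). Only
# 10.192.0.0/12 of the last /10 is delegated; second octets 208-255 stay local.
PLAN = [
    ("10.0.0.0/10", None),
    ("10.64.0.0/10", ["ns1.example.edu."]),
    ("10.128.0.0/10", ["ns2.example.edu."]),
    ("10.192.0.0/12", ["ns3.example.edu."]),
]


def second_octet_range(cidr):
    """(first, last) second-octet labels that a /8../16 inside 10/8 spans."""
    net = ipaddress.IPv4Network(cidr)
    if not net.subnet_of(TEN_SLASH_8) or net.prefixlen > 16:
        raise ValueError(f"{cidr}: must lie in 10/8 and be /16 or larger")
    first = (int(net.network_address) >> 16) & 0xFF
    last = (int(net.broadcast_address) >> 16) & 0xFF
    return first, last


def delegation_records(plan=PLAN, ttl=3600):
    """Zone-file lines for the parent: one $GENERATE per delegated range/NS.

    "$GENERATE 64-127 $ 3600 IN NS ns1.example.edu." expands to an NS record
    at every label 64 through 127, i.e. every /16 child the /10 covers.
    """
    lines = ["$ORIGIN 10.in-addr.arpa."]
    for cidr, servers in plan:
        if servers is None:
            continue  # served in this zone, nothing to delegate
        first, last = second_octet_range(cidr)
        for ns in servers:
            lines.append(f"$GENERATE {first}-{last} $ {ttl} IN NS {ns}")
    return lines


def authority_for(ip, plan=PLAN):
    """Nameservers that should answer the PTR for ip; None means the parent.

    Longest-prefix match: the delegated /12 beats the undelegated remainder
    of 10.192.0.0/10, and an address matching no entry stays with the parent.
    """
    addr = ipaddress.IPv4Address(ip)
    best_len, best = -1, None
    for cidr, servers in plan:
        net = ipaddress.IPv4Network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, servers
    return best


def child_zone(ip):
    """Apex of the /16 reverse zone the delegation for ip points at."""
    second = (int(ipaddress.IPv4Address(ip)) >> 16) & 0xFF
    return f"{second}.10.in-addr.arpa."


if __name__ == "__main__":
    print("\n".join(delegation_records()))
    for ip in ("10.5.1.1", "10.70.1.1", "10.200.1.1", "10.210.1.1"):
        print(ip, child_zone(ip), authority_for(ip))
```

The CNAME trick quoted in the post is only needed for splits below an octet boundary (RFC 2317 style); at /16 granularity the parent simply holds NS records at each second-octet label.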


Re: Multiple masters expected behavior?

2010-07-27 Thread Peter Laws

On 07/26/10 23:02, Barry Margolin wrote:

In article,
  "Laws, Peter C."  wrote:


Understood, but what I'm asking about is that the slave does not appear to be
losing contact with the first-listed master.  In fact, from the logs, it
appears to be flipping back and forth (though not round-robinning).


Multiple masters is not about losing contact, it's about getting the
most up-to-date version of the zone.  There's no reason for the slave to




A HA!  So the answer to my original question, after all this, is "Yes" 
(this is expected behavior).


Thanks.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Multiple masters expected behavior?

2010-07-23 Thread Peter Laws

On 07/22/10 19:57, Barry Margolin wrote:

In article,
  Peter Laws  wrote:


I have multiple interfaces on my master and multiple interfaces on most of
my slaves.






Is that expected behavior?


Yes.  What if the first server stops getting updates, but the second one
does and has a higher serial number?  Don't you want the slaves to check
the SOA record on it to pick up these changes?


Except that the 2 "masters" are simply different interfaces on the same 
master ... so the serial number *better* always be the same!


Looking at the logs, it appears that the choice of masters is a 
second-to-second thing because what I'm seeing is that one zone goes via 
one interface and then the next zone, perhaps only a few 10s of ms later, 
goes via the other interface.


I would have expected that it would only ask the second-listed master if 
the first didn't answer ... but I didn't write the code (and haven't read 
it either!)





Multiple masters expected behavior?

2010-07-22 Thread Peter Laws
I have multiple interfaces on my master and multiple interfaces on most of 
my slaves.


I've got one of the slaves set up so that its masters {}; statement has two 
of the master's interfaces in it.  The preferred is first, with the 
non-preferred second.  I was contemplating using this on all slaves to 
guard against a network path failure.


Note that I also have both of the slave's interfaces in the also-notify 
statement on the master (it's an unpublished slave).


I would have thought that BIND would always hit the first and never the 
second.  That doesn't seem to be the case however.  In fact, in a few cases 
I've seen it seems to use both, though not round-robinning that I can see 
from the logs.


Is that expected behavior?


BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2




Re: Can't get hints or outside resolution.

2010-07-09 Thread Peter Laws

Hey!  A firewall setting was wrong!  Imagine that!

Thanks, all.  :-)



On 07/09/10 14:18, Peter Laws wrote:

On 07/09/10 02:23, Matus UHLAR - fantomas wrote:

On 08.07.10 14:42, Peter Laws wrote:

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

From the host itself, a slave for all my zones, I can resolve all my
zones. I cannot, however, resolve anything else.

For example, if I dig google.com I get a timeout.

Further, if I do a blank dig, I don't get the root servers even though
the hints zone is set up correctly.


recursion is not allowed for you. In such case, you can't resolve foreign
zones and even "hint" zone.



I thought "Oh, I bet that's it!" Sadly, allow-recursion is set globally
and I'm in the list of those allowed to (curse) and recurse. allow-query
is set correctly as well.

No views on this system, either.







Re: Can't get hints or outside resolution.

2010-07-09 Thread Peter Laws

On 07/09/10 02:23, Matus UHLAR - fantomas wrote:

On 08.07.10 14:42, Peter Laws wrote:

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

 From the host itself, a slave for all my zones, I can resolve all my
zones.  I cannot, however, resolve anything else.

For example, if I dig google.com I get a timeout.

Further, if I do a blank dig, I don't get the root servers even though
the hints zone is set up correctly.


recursion is not allowed for you. In such case, you can't resolve foreign
zones and even "hint" zone.



I thought "Oh, I bet that's it!"  Sadly, allow-recursion is set globally 
and I'm in the list of those allowed to (curse) and recurse.  allow-query 
is set correctly as well.


No views on this system, either.





Re: Can't get hints or outside resolution.

2010-07-08 Thread Peter Laws
Yep, zone for hint is right.  No interesting messages "service named 
checkconfig" (which RH has helpfully set up to run named-checkconf and 
named-checkzone) shows that all is well.


:-(

On 07/08/10 15:55, Warren Kumari wrote:


On Jul 8, 2010, at 3:42 PM, Peter Laws wrote:


BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

From the host itself, a slave for all my zones, I can resolve all my
zones. I cannot, however, resolve anything else.

For example, if I dig google.com I get a timeout.

Further, if I do a blank dig, I don't get the root servers even though
the hints zone is set up correctly.



Sure? Are you loading it?

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/namedb/db.root";
};

Do you have any interesting log messages at startup? Is the hints inna
view maybe?

w





The same is true if I try to resolve from a different host against
this host.

I thought of iptables and dumped those, but disabling iptables doesn't
change anything. In fact, if I look up the IP (of the google, say) on
another host I can ping that IP.

There are query ACLs set up, but I have confirmed that RFC 1918 space,
127/8, and our public IP range are all allowed to query the internal
stuff. The external zones are, of course, set to "any". (default, in
options, is internal-only, but the public zones all have any as
over-rides).

SELinux is set to enforcing, but no messages are showing up and based
on my experience, if SELinux is going to prevent BIND from working
it's going to COMPLETELY prevent it from working, not pick certain zones.


resolv.conf on the slave itself has 127.0.0.1 on the nameserver line.

The only thing different on this host vs my other slaves is some extra
notifies and allow-transfers from when this was still a master for
some zones (some other slaves *still* get a few zones from this host).

Missing something easy, I'm sure. But what?






For every complex problem, there is a solution that is simple, neat, and
wrong.
-- H. L. Mencken







Can't get hints or outside resolution.

2010-07-08 Thread Peter Laws

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

From the host itself, a slave for all my zones, I can resolve all my 
zones.  I cannot, however, resolve anything else.


For example, if I dig google.com I get a timeout.

Further, if I do a blank dig, I don't get the root servers even though the 
hints zone is set up correctly.


The same is true if I try to resolve from a different host against this host.

I thought of iptables and dumped those, but disabling iptables doesn't 
change anything.  In fact, if I look up the IP (of the google, say) on 
another host I can ping that IP.


There are query ACLs set up, but I have confirmed that RFC 1918 space, 
127/8, and our public IP range are all allowed to query the internal stuff. 
 The external zones are, of course, set to "any".  (default, in options, 
is internal-only, but the public zones all have any as over-rides).


SELinux is set to enforcing, but no messages are showing up and based on my 
experience, if SELinux is going to prevent BIND from working it's going to 
COMPLETELY prevent it from working, not pick certain zones.



resolv.conf on the slave itself has 127.0.0.1 on the nameserver line.

The only thing different on this host vs my other slaves is some extra 
notifies and allow-transfers from when this was still a master for some 
zones (some other slaves *still* get a few zones from this host).


Missing something easy, I'm sure.  But what?






Re: +, -, -E

2010-06-21 Thread Peter Laws

On 06/21/10 14:06, Justin T Pryzby wrote:

On Mon, Jun 21, 2010 at 01:46:55PM -0500, Peter Laws wrote:

What do they mean?  I can't find them and yes, I've googled and also
grepped the docs on isc.org ...

Googling for symbols isn't easy..

http://www.isc.org/files/arm96.html#the_category_phrase


That's what I needed - thanks, all!




+, -, -E

2010-06-21 Thread Peter Laws
What do they mean?  I can't find them and yes, I've googled and also 
grepped the docs on isc.org ...


I'm assuming it's some way of telling if the query was serviced or not ...



Re: Running both a cache-only and an authoritative server on the same server

2010-06-17 Thread Peter Laws

On 06/17/10 08:36, Torsten wrote:

Am Thu, 17 Jun 2010 13:35:38 +0100
schrieb Phil Mayers:


On 17/06/10 12:39, Jørn Skjerven wrote:



Is it possible to achieve this in a single named.conf, or is it
recommended to run two instances of bind, each with a different
listen-on  statement?


Sure. Use views:

view authoritative {
    recursion no;
    match-destinations { mycurrentip; };
    zone ...
};

view recursive {
    recursion yes;
    match-destinations { myrecurseip; };
};




The important part seems to be "on a secondary IP" and afaik listen-on
statements don't work inside of view statements.



Why not just have named run on as many interfaces as needed and let views 
sort it out?  Views don't need to care which physical interface traffic is 
on.






Re: using TXT fields

2010-05-18 Thread Peter Laws

On 05/18/10 06:16, Chris Thompson wrote:

On May 18 2010, fddi wrote:


I wanted to ask if using TXT fields can have some bad implication
security issues


It rather depends what you put in them, doesn't it?

hostname TXT "Root password is AndyPandy"
mc-room TXT "Entacode is 2038"



Post-Its are great, but they often fall off the monitor.  This is a 
superior solution and has the benefit of being remotely accessible.


Thanks for the "pro tip"!




Re: Master server offline

2010-05-12 Thread Peter Laws

On 05/08/10 17:36, Chris Thompson as IP Register wrote:

On May 7 2010, Peter Laws wrote:



If he has a small number of slaves, the OP may not need a Tardis. It's




If you do this, you need to restart BIND on the slave to have it notice
the change. Similarly you can "touch" the zone file to make BIND think it
has verified up-to-dateness of the zone more recently than it actually
has, but the same caveat applies. BIND thinks that it is in total control
of the zone files for type slave zones, so it doesn't look at them except
at startup.


Yep.  It's ugly, but the OP seemed to be having trouble getting his master 
fixed so I can't think of another (bad) bandaid.


Having a Tardis *would* be cool though.



Re: [OT] MSDN use google apps for email hosting

2010-05-07 Thread Peter Laws

On 05/07/10 09:22, Jeff Pang wrote:

Though this is offtopic, but I'm surprised that msdn.net (microsoft
developer networks) has been using google's apps for email hosting.
It is not commercial for MS, isn't it?



msdn.net        MX preference = 30, mail exchanger = aspmx4.googlemail.com


Funny, yes, but whois doesn't seem to point to M$ in any way.  Independent?




Re: Master server offline

2010-05-07 Thread Peter Laws

On 05/07/10 06:49, Chris Thompson wrote:


Sure - just step into your time machine, go back to before the master
server died, and increase the SOA.expire value there so that it gets
propagated to the slave(s) in time.



If he has a small number of slaves, the OP may not need a Tardis.  It's 
possible to just edit the cache files.  It's UGLY, you need to make sure 
you hit all the slaves, and they will get overwritten the instant your 
master returns from the dead ... but that latter's a good thing.



About this master being offline for some time due to a disk failure ... 
that policy may need review.  If the OP serves his organization's DNS, it's 
pretty darn critical that customers be able to resolve their DNS info.






Re: ftp.isc.org back up

2010-05-06 Thread Peter Laws

On 05/06/10 13:27, Lightner, Jeff wrote:

They can't fool us - we know it was caused by the J server DNSSEC issue.



Damn that DNSSEC!!!  :-D



Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Peter Laws

On 05/03/10 16:19, Mark Andrews wrote:


The test is a rough guide to the maximum packet size supported by the path.


So what would be the point of using edns-udp-size to something even 
smaller?  None I can see ...


What am I missing?




Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Peter Laws

On 05/03/10 15:55, Lightner, Jeff wrote:



Also one of the links I sent earlier had a similar comment about less
than 300 bytes difference not being a problem.  I had missed that.

4096 - 3843 = 153
It seems if I'd paid attention I'd not have posted my follow up
questions.


It's not on the dns-oarc.net page either, but I'm glad you mentioned it.

Back to explicitly setting edns-udp-size to something smaller than the 
default, which seems to be 4096.  Still not convinced this is necessary.




Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Peter Laws

On 05/03/10 14:56, Kalman Feher wrote:


You probably should. Your resolver is saying its capable of handling 4096,
but apparently your network path may not support that. The changes on the



The network path to dns-oarc.net doesn't, but that doesn't really mean 
anything.  To some resolvers, the path may support 4096 while to others it 
is 591.  Who knows where the constriction is?


I still don't see the point of setting it to something *smaller* than the 
default unless I knew for certain that MY stuff couldn't handle a larger 
size.  12 of the 16 hops twixt here and there are far beyond my control 
(and the other 4 only marginally :-).



Besides, we've seen one example where setting it smaller results in yet a 
smaller result.







Re: Preparing for upcoming DNSSEC changes on 5/5

2010-05-03 Thread Peter Laws

On 01/-10/37 13:59, Kalman Feher wrote:



Second, make sure the tested effective size appears in your named.conf in
the options statement "edns-udp-size" on your resolver.

In your case:
  edns-udp-size 3843;



Mine are all saying "x.x.x.x sent EDNS buffer size 4096" when I run the 
dns-oarc.net test, which I assume is the default.  I, too, get the 3843 "at 
least" value.


Why would I set it to 3843?  Wouldn't I want it to be set to 4096 even if 
*some* device between here and dns-oarc.net only allows that smaller value?


I just woke up to this issue, sorry to say.  Interestingly, it didn't come 
up (directly) during the Educause webinar about DNSSEC last week (.edu will 
be signed in July).





Re: Re: Delegation - what needs to be there?

2010-03-29 Thread Peter Laws

On 01/-10/37 13:59, Barry Margolin wrote:



Or do I need to provide glue records in the delegated zone ...  probably
not, but thought I'd better ask.


The only time you're required to provide glue is when a subzone is
delegated to a nameserver whose name is in the subzone, to prevent a
chicken-and-egg problem.



This is what I thought but thought I'd make doubly certain.  Thanks!

Peter

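The glue rule Barry states, as an added checker (not code from the list or from BIND; zone names, server names and addresses are constructed) that also goes one step further and audits a whole delegation for forgotten glue:

```python
"""Decide which nameservers in a delegation need glue, per the rule above.

Added example for the thread; not code from the list or from BIND. Zone
names, records and addresses are constructed. It also audits a whole
delegation for forgotten glue, which goes a step beyond the quoted rule.
Glue (an address record for the nameserver carried in the parent zone)
is mandatory only when the nameserver's name sits inside the zone being
delegated; otherwise a resolver finds the name through the normal tree.
"""


def _labels(name):
    """Lower-cased labels, root dot stripped, so comparisons are label-wise."""
    return name.rstrip(".").lower().split(".")


def in_zone(name, zone):
    """True when name is zone itself or lies under it (by labels, not text)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def needs_glue(zone, ns_name):
    """The quoted rule: glue is required only for an in-bailiwick nameserver."""
    return in_zone(ns_name, zone)


def check_delegation(zone, parent_records):
    """Audit the parent's delegation of zone.

    parent_records: (owner, type, rdata) tuples as held in the parent zone.
    Returns the NS targets, those that need glue, and those that need glue
    but have no A/AAAA record in the parent (the broken case).
    """
    ns_names = [rdata for owner, rtype, rdata in parent_records
                if rtype == "NS" and _labels(owner) == _labels(zone)]
    glued = {owner.rstrip(".").lower() for owner, rtype, _ in parent_records
             if rtype in ("A", "AAAA")}
    required = [ns for ns in ns_names if needs_glue(zone, ns)]
    missing = [ns for ns in required if ns.rstrip(".").lower() not in glued]
    return {"nameservers": ns_names, "glue_required": required,
            "missing_glue": missing}


# Constructed: example.edu delegates sub.example.edu to two servers.
DELEGATION_OK = [
    ("sub.example.edu.", "NS", "ns1.sub.example.edu."),  # inside the subzone
    ("sub.example.edu.", "NS", "ns2.example.edu."),      # outside it
    ("ns1.sub.example.edu.", "A", "192.0.2.53"),         # the one glue record
]
# The same delegation with the glue forgotten: resolvers can never reach ns1.
DELEGATION_BROKEN = [r for r in DELEGATION_OK if r[1] != "A"]


if __name__ == "__main__":
    for label, recs in (("ok", DELEGATION_OK), ("broken", DELEGATION_BROKEN)):
        print(label, check_delegation("sub.example.edu.", recs))
```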


Delegation - what needs to be there?

2010-03-26 Thread Peter Laws
Delegating a zone to a server that has views.  Internal view will allow any 
query.  External view will only allow resolution of the MX record for that 
zone.  The MX points to hosts in another zone (which is also 
publicly-accessible).


When I query from an address that matches the ACL for the external view, I 
get the MX records back OK, but no A record.


Is that right?

Would a client just go and try to resolve the name on its own?

Or do I need to provide glue records in the delegated zone ...  probably 
not, but thought I'd better ask.


Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 if it matters.

Peter




Re: Multiple masters?

2010-01-15 Thread Peter Laws

Chris Buxton wrote:


Every slave server needs the following from its masters (whether that's the 
primary master and/or one or more slaves):

- zone transfer access
- notifications of zone updates


OK.



Unless you put in some special and usually unnecessary (and useless) 
configuration, the notification message has to come from the slave's master, 
not from the primary master (unless they are the same).


No, no useless configs I'm aware of.  Just trying to give the "outlying 
slaves" a second place to go, should the real master be busy, i.e.


masters { IPofserver1;
  IPofserver2;
};


Our architecture is sub-optimal (among other things, hardest hit of all 
public servers is the master) and this is one more step towards getting out 
from under that.


I'd love to have a master that wasn't even a published DNS server, but 
we're not there quite yet.


Thanks!



Re: Multiple masters?

2010-01-15 Thread Peter Laws

Chris Buxton wrote:

On Jan 14, 2010, at 5:04 PM, Peter Laws wrote:


Am I right in thinking that, on a slave, I can have multiple masters 
designated for a particular zone?  I just have to make sure that the slave that 
is pretending to be the master allows transfers, right?


Don't forget about the notify mechanism. Make sure it's properly configured and 
tuned.


Glad you brought that up.  Should the real master be the only one sending 
out notifies or should the fake master do it as well?


Thanks,

Peter



Multiple masters?

2010-01-14 Thread Peter Laws
Am I right in thinking that, on a slave, I can have multiple masters 
designated for a particular zone?  I just have to make sure that the slave 
that is pretending to be the master allows transfers, right?


All but two of the slaves are BIND, the other two are Evil Empire servers. 
 Still no problem?




Re: Re: Can I have a *.domain.com A record

2009-10-26 Thread Peter Laws

Hey!  RTFRFC!  :-)

Except that a scan of that RFC doesn't say anything about not using them; 
it only clarifies RFC 1034's intentions regarding wildcards.


So, why is it a "very bad idea"?

Peter


Mike Ragusa wrote:

http://www.rfc-archive.org/getrfc.php?rfc=4592

This link should help you.

On Mon, Oct 26, 2009 at 8:17 AM, ram <r...@netcore.co.in> wrote:



On Mon, 2009-10-26 at 11:39 +0100, Stephane Bortzmeyer wrote:
> On Mon, Oct 26, 2009 at 04:01:31PM +0530,
>  ram <r...@netcore.co.in> wrote
>  a message of 10 lines which said:
>
> > Is it possible to have a A record for *.domain.com
>
> Technically, yes. It is a very bad idea, but it works.
>



Can you elaborate on that please. If wildcard DNS is a bad idea, then I
need to tell my clients why?


Thanks
Ram








Re: about $GENERATE Directive

2009-04-21 Thread Peter Laws

刘强 wrote:

hi,
  I want to know if the $GENERATE directive supports type NAPTR.
  You know, type NAPTR is used in ENUM DNS. There are large numbers of 
NAPTR resource records in ENUM DNS, and the NAPTR resource records are 
very similar. It would be great if the $GENERATE directive supported type NAPTR!!!


As far as I know, $GENERATE supports only A, PTR, CNAME.



Peaceful coexistence with Windows domain

2009-03-12 Thread Peter Laws
Our environment includes a couple of AD servers.  They serve DNS to PCs 
using AD (but not all PCs).  They allow DDNS for clients and slave the rest 
of our environment's zones.  For some reason, they *forward* every other 
query to us, but never mind that.  Look it up your own damn ... well, never 
mind.


At any rate, we don't actually delegate "their" zone to them.  This causes 
problems, as you can imagine.


I'm told that the reason we're doing things this way is that we don't want 
any of those "internal addresses" to be queried by the unwashed masses 
lurking outside our perimeter.


So my thought was, well, let's delegate the zone to the AD servers.  Since 
they are already ACLed (or whatever MS calls it), no one will be able to 
see "their" records off-campus but on-campus folks will be able to 
(finally) resolve addresses in that zone regardless of where they point 
(internally) for DNS.


Except that they need an MX record for that zone.

So adding the NS record to delegate the zone to them properly meant that no 
one could see the MX from the outside (since the MS-DNS is ACLed).


If I dump the delegation and make an MX record in the master, mail will be 
OK, but then no one can query records in that zone because it's not 
actually delegated unless they point at MS-DNS.


We thought of slaving that zone on the master, but then we run into 
security, who doesn't want any of that "internal information" leaked out. 
No problem, since we're slaving the zone, we'll pop an ACL on it.  Problem 
solved!  Hurray.


Except for that MX record.

Once you delegate a zone, you *delegate* the zone.  The MX is invisible.


So my requirements are to 1) allow that MX record to be seen "outside", 2) 
allow any host in our environment to be able to query names in any zone 
regardless of which system they point at for DNS, and 3) not have any 
records in that zone be visible "outside" save for that MX.


I'm assuming that switching our configuration to use views would help, but 
we'd like to avoid that, at least for now.


Any quick fixes?

I checked, and per the MS-People, MS-DNS cannot put ACLs on particular 
records.  Neither can BIND, so no surprise there.


Which rock do I need to look under?

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
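
What the views-based configuration alluded to in the post looks like, as an added example (not from the original thread and not ISC's text): a named.conf fragment for the BIND master.  The zone name, the ACL name and the 192.0.2.x addresses are placeholders.  The internal view slaves the full zone from the Microsoft DNS servers (which must permit zone transfers to this host); the external view serves a separate, hand-maintained file that holds only the apex SOA/NS, the MX and an A record for the MX target, so the three requirements (MX visible outside, everything resolvable inside from either DNS, nothing else visible outside) are met without per-record ACLs.

```conf
// Added example: BIND named.conf fragment showing the views approach.
// Zone name, ACL name and addresses are placeholders.
acl campus { 10.0.0.0/8; 192.0.2.0/24; };

// Once views are in use, every zone statement must sit inside a view;
// a zone defined at top level is then a configuration error.
// Views are tried in order, so the internal view must come first.

view "internal" {
    match-clients { campus; };
    recursion yes;

    // Full zone content, slaved from the AD/MS-DNS servers that own it.
    // Those servers must allow zone transfers to this host's address.
    zone "ad.example.edu" {
        type slave;
        masters { 192.0.2.10; 192.0.2.11; };
        file "slaves/db.ad.example.edu.internal";
        allow-transfer { none; };   // internal data stays on this host
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // Separate minimal file: SOA, NS, the MX, and an A record for the
    // MX target so the MX is usable from outside.  Nothing else.
    zone "ad.example.edu" {
        type master;
        file "external/db.ad.example.edu.public";
        allow-transfer { none; };
    };
};
```

Hosts that point at MS-DNS are still answered by AD directly; hosts that point at the BIND master hit the internal view and get the slaved copy.  The external copy has to be maintained by hand whenever the MX or its target changes, which is the price of not delegating: a delegation would hand the whole name to the ACLed servers, MX included, which is exactly the problem the post describes.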


Re: XFR quota setting?

2009-03-12 Thread Peter Laws

Chris Thompson wrote:


If it's occurring a lot, you could have stuck or nearly-stuck
transfers going on. "rndc status" will tell you how many. You may
need to adjust "max-transfer-time-out"/"max-transfer-idle-out"
rather than "transfers-out".


Fiddled with the transfer-* settings and made the quota errors go away. 
Underlying issue seems to be traffic being intermittently blocked between 
the master and the slaves.  Not really a BIND issue.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!


Re: XFR quota setting?

2009-03-11 Thread Peter Laws

Niall O'Reilly wrote:

On Wed, 2009-03-11 at 15:58 -0500, Peter Laws wrote:
Looked in the docs but find no mention of how to set a quota 
(would like it to be infinite).


Be careful what you wish for ...

You may not need it any greater than it is.
In my experience, the transfer is requeued and succeeds
after a couple of seconds.



But it's fun to wish!

I'm not seeing what you are seeing, so I've bumped my xfer logging channel 
to debug.  We'll see if that helps me see what you think I should see 
(based on what you see).  You see?


Seriously, though, what is the default quota and is it actually configurable?

Thanks!

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!


XFR quota setting?

2009-03-11 Thread Peter Laws
Looked in the docs but find no mention of how to set a quota (would like it 
to be infinite).


Mar 11 15:53:57.103 xfer-out: IXFR request denied: quota reached

Assume there is a default quota of some sort that can be overridden?


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
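
For the quota question running through this thread, an added example (not from the original posts and not ISC's documentation): the named.conf options that govern outbound transfers, with the BIND 9 defaults noted in comments, and a logging channel for the xfer-out category of the kind the follow-up mentions.  The slave addresses and the log path are placeholders.

```conf
// Added example: outbound zone-transfer tuning in named.conf.
// Slave addresses and log path are placeholders.
acl our_slaves { 192.0.2.2; 192.0.2.3; };

options {
    // "IXFR request denied: quota reached" is logged when this many
    // outbound transfers are already in progress.  BIND 9 default: 10.
    transfers-out 20;

    // A stalled transfer keeps its quota slot until one of these expires.
    // Defaults: 120 and 60 minutes.  Lower values free slots sooner when
    // traffic between master and slaves is being dropped intermittently.
    max-transfer-time-out 30;
    max-transfer-idle-out 10;

    // Only the listed slaves may transfer, so nobody else can tie up
    // the transfers-out slots that your own slaves need.
    allow-transfer { our_slaves; };
};

logging {
    channel xfer_log {
        file "/var/log/named/xfer.log" versions 5 size 10m;
        severity debug 3;
        print-time yes;
        print-category yes;
    };
    category xfer-out { xfer_log; };
    category xfer-in  { xfer_log; };
};
```

"rndc status" reports the counts as "xfers running" and "xfers deferred"; a steadily non-zero running count with slaves that never catch up points at stuck transfers rather than at the quota itself.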


Re: Hostname Naming Compliance

2009-02-25 Thread Peter Laws

Mark Andrews wrote:

When does it stop?  What will be the next character you
"just have to have"?  At the moment you have 1 inter label
separator and 1 intra label separator.  That should be
enough for anyone.


Like 640k of memory.


Unicode is coming (as fast as IPv6, maybe faster :), so maybe it /is/ time 
to update the naming standards.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!


Re: Hostname Naming Compliance

2009-02-25 Thread Peter Laws

Jeff Lightner wrote:

And of course you can legitimately say it is a "Standard" even if it
isn't enforced by the software.   Your argument would be that people
implementing new servers or attempting to access the systems wouldn't be
able to do so because they wouldn't have added the "exception to
Standard" that your PHBs are requiring.


I've been telling folks that request _ in a name that they can no longer do 
that and change it to a -.  I tell them that it *works*, but it violates 
the standards.  No pushback yet.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
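
The "it works, but it violates the standards" point in these two posts can be enforced by the server rather than by asking nicely.  As an added example (not from the thread and not ISC's text), a named.conf fragment using BIND's check-names option, which applies the RFC 952/1123 host-name rules (letters, digits and hyphen only) to the host-name positions in a zone: owner names of A, AAAA and MX records and the targets of NS, MX and SRV records.  The zone name and file path are placeholders.

```conf
// Added example: enforce RFC 952/1123 host-name syntax with check-names.
// Zone name and file path are placeholders.
options {
    // Refuse to load a master zone whose host names contain characters
    // outside letters, digits and hyphen.  This is already the default
    // for master zones; it is spelled out here so the policy is visible.
    check-names master fail;

    // Data this server only slaves is logged, not refused, so a peer's
    // mistake does not take the zone down here.  (default: warn)
    check-names slave warn;

    // Do not discard answers from other servers on this basis.  (default: ignore)
    check-names response ignore;
};

zone "example.edu" {
    type master;
    file "masters/db.example.edu";
    check-names fail;   // per-zone override of the options setting
};
```

The same check runs offline with "named-checkzone -k fail", which is where to catch a name like "db_server" before it reaches the master.  Underscore-prefixed owner names of SRV records (the _ldap._tcp style that Active Directory relies on) are not host names and are not affected.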


RHEL-specific named/SElinux query

2008-11-24 Thread Peter Laws
Not ISC BIND specific, but if someone could point me at the magic 
incantations to get RHEL 5.2's SELinux to play nice with named's logs 
(daemon is serving names fine), I'd be appreciative.


Off-list would be best as this isn't really an ISC BIND issue.

Thanks.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
[EMAIL PROTECTED]
---
Feedback? Contact my director, Craig Cochell, [EMAIL PROTECTED] Thank you!


Re: Avoiding duplicate PTR records when using $GENERATE

2008-11-24 Thread Peter Laws

Mark Andrews wrote:

Mark Andrews writes:

In message <[EMAIL PROTECTED]co.nz>, "Steve Brorens" writes:

I've got range of 256 addresses, where I have valid PTRs for all
addresses generated by:

$GENERATE 0-255 $ PTR   123-123.123-66-$.acme.co.nz.

My problem is that there are a dozen or so addresses scattered through
this range where I want to define specific PTR records like this:

203  PTR  ftp.acme.co.nz.
4    PTR  www.acme.co.nz.
105  PTR  smtp.acme.co.nz.

However, this means that these addresses get two PTR records  -
generally A Bad Thing, especially for mailservers.

Is there a way to use $GENERATE to just "fill the gaps"?

  No.



Go look at your slave cache.  The dupes pop right out since they have a tab 
at the beginning (since first few fields are the same).  That's how I 
identified ours.


Well, most of ours.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
[EMAIL PROTECTED]
---
Feedback? Contact my director, Craig Cochell, [EMAIL PROTECTED] Thank you!
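
Since $GENERATE has no way to skip entries, the usual way to avoid the double PTRs is to split the range around the addresses that have explicit records.  As an added example (not from the thread), a zone master-file fragment using the owner numbers and names quoted above; the $ORIGIN is an assumption (123.123.66.0/24 as implied by the generated names) and the sub-range boundaries are the only thing added.

```conf
; Added example: $GENERATE ranges split around explicit PTRs (zone file fragment).
; $ORIGIN is assumed from the generated host names; SOA/NS records precede this
; fragment in the real zone or it is pulled in with $INCLUDE.
$ORIGIN 66.123.123.in-addr.arpa.
$TTL 3600

$GENERATE 0-3     $ PTR 123-123.123-66-$.acme.co.nz.
4                   PTR www.acme.co.nz.
$GENERATE 5-104   $ PTR 123-123.123-66-$.acme.co.nz.
105                 PTR smtp.acme.co.nz.
$GENERATE 106-202 $ PTR 123-123.123-66-$.acme.co.nz.
203                 PTR ftp.acme.co.nz.
$GENERATE 204-255 $ PTR 123-123.123-66-$.acme.co.nz.
```

named-checkzone will not flag an owner with two PTR records, because that is legal DNS; so a generated range that accidentally overlaps an explicit entry still has to be found by inspection, which is what the slave-cache trick in the reply above does.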