Re: Providing AD flag for authoritative domains

2022-12-22 Thread Ray Bellis




On 22/12/2022 13:30, Jesus Cea wrote:
> I have a validating DNSSEC bind server. I get AD (Authenticated Data) 
> flag when requesting details from a DNSSEC protected domain. Good.
> 
> The point is that when the requested DNS name belongs to a domain for which 
> this server is authoritative and that domain is DNSSEC enabled, no AD 
> flag is provided in the answer. I guess this is because bind is replying 
> with DNSSEC data but it doesn't follow that DNSSEC delegation tree in 
> order to verify that everything is OK and so it doesn't signal safety 
> with the AD flag.
> 
> Is there any way to configure bind to verify DNSSEC integrity and signal 
> the AD flag for authoritative domains? Views (it would lose the AA 
> flag, then)?
> 
> What would be the best practice for dnssec verification? To use a fully 
> validating local resolver? Any other choice? I am currently using a 
> local "bind" as a resolver and it works fine for DNSSEC verification, 
> except for my authoritative domains.


You can achieve this by using a hidden-primary and then using "mirror 
zones" on the secondaries.  They will return +AD, but not AA.


FWIW, adding your own auth data to a recursive server in this manner is 
IMHO completely fine - it's what we do at ISC for our own internal 
recursors.


On the other hand, having recursive lookups happen on a server that is a 
designated authoritative server (in the NS set) is regarded as bad practice.


cheers,

Ray

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: CH/TXT/VERSION.SERVER queries

2022-11-21 Thread Ray Bellis



On 21/11/2022 17:26, Petr Špaček wrote:

> Speaking of default CHAOS zones, I have another idea:
> 
> Do we need them after NSID was standardized?


Yes.


> There is a lot of special code just for built-in CH zones, and IIRC
> we have had at least one CVE which affected default config only
> because of default CH usage.
> 
> Anand, what would be missing if special magic for CH is removed and
> you are left with standard NSID?


We'd need to retool every system that relies on hostname.bind queries
working on the root system, for a start.  RIPE Atlas probes use these
queries, and there are several systems (our own included) that work off
this data.

For other researchers, automated queries for hostname.bind (or
hostname.server) are trivially excluded from analysis of query data
based on the QNAME, whereas any query might include an NSID option.

Also, *.server CH TXT is actually in an RFC (4892).  Nothing has 
obsoleted that, and I'd object loudly if anyone tried ;-)


Ray


Re: all resource record types and examples

2022-04-12 Thread Ray Bellis



On 12/04/2022 13:43, rams wrote:


> Could someone please share all supported DNS RRs and examples of each RR.


That's a *very* big ask.

IANA maintains a list of all RRs and pointers to the documentation for 
each of them:




Ray



Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Ray Bellis




On 04/01/2022 21:12, Grant Taylor via bind-users wrote:


> Yep.  This is where I have settled.  But I don't feel I can defend
> it when asked.  Hence my seeking to better understand.


There are categories of bugs that specifically affect recursion, and in
BIND these are _much_ more common than those that affect authoritative
service.   Adding auth service barely touches the attack surface.

And with BIND's separation between authoritative and recursively cached
trees there is (AFAIK) no risk of cache pollution affecting the
authoritative data.

Furthermore, having the auth data for your own zones present there 
actually ensures that your own zones' data:


1.  will always be served in preference to cached data

2.  will be fresher (i.e. not subject to TTLs) assuming that
NOTIFYs and/or a short SOA refresh is in place

3.  will be present if access to the authoritatives is lost
for some period of time (/me waves at Facebook!)

I really can't see any downside.

Ray



Re: How to show run the active configuration on bind

2022-01-04 Thread Ray Bellis




On 04/01/2022 16:53, Mik J via bind-users wrote:

> Hello,
> 
> How can I check which variables are loaded in memory and considered as 
> active.
> 
> For example, I would like to check that the value of lame-ttl is 0
> In my named.conf configuration file I have
> include "myconf.conf";
> lame-ttl 600;
> 
> And in the myconf.conf file I have
> lame-ttl 0;
> 
> So how can I make sure which value is used ?


You can't do that - BIND prohibits redeclaration of individual options.

It also prohibits the presence of more than one "options { }" block.

Ray




Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Ray Bellis



On 04/01/2022 03:52, Grant Taylor via bind-users wrote:

> If I'm allowing recursion and authoritative on the same server, I'd have 
> the recursive + authoritative server do secondary zone transfers off of 
> the internal MS-DNS / AD server.  That way the clients can get the info 
> off of the first server they talk to.
> 
> To me, the secondary copy of the zone is a form of authoritative 
> information on the otherwise recursive server.


Better yet, use BIND's mirror zones feature so that the zone is also 
DNSSEC validated.


IMHO, the strictures against running authoritative and recursive on the 
same server seem to get mis-applied a lot of the time.  I think it's 
perfectly fine for an *internal* recursive server to also hold 
authoritative copies of your own zones.


Ray



DLV issue 2020/03/25

2020-03-26 Thread Ray Bellis
The issue with the dlv.isc.org DNSSEC signatures yesterday (2020/03/25)
was caused by an undetected failure to restore the virtual machine that
runs the hidden master for that zone following a failed upgrade to the
underlying hypervisor.

As a result of this issue the internet facing servers were unable to
fetch the zone from the hidden master and eventually started serving
expired signatures.

The ensuing storm of queries to those servers from resolvers with
outdated configurations and/or software then impeded our ability to
diagnose and correct the issue as quickly as we would have liked.

At some future point ISC would like to completely decommission this zone,
but the number of clients still configured to use it currently makes
that impractical.

Per our announcements and presentations in 2015 through 2017 [1], we
would urge all resolver operators and software packagers to ensure that
DLV is disabled in all configurations.  We have provided some additional
guidance for this on our Knowledge Base.[2]

We apologise for any disruption caused, and will be taking steps to try
to ensure that this does not recur, including improvements to our
monitoring systems.

Ray Bellis
Director of DNS Operations, ISC.

[1] https://www.isc.org/blogs/dlv/
https://www.isc.org/blogs/dlv-replaced-with-signed-empty-zone/

[2] https://kb.isc.org/docs/disable-dnssec-lookaside-dlv-now-heres-how


Re: Dig Hangs during axfr request when not on localhost.

2019-06-14 Thread Ray Bellis




On 14/06/2019 09:38, Pete Fry via bind-users wrote:
> Interestingly as we have the same problem on our dev box (running the 
> same versions)
> 
> I took the decision to install the ISC-BIND following 
> (https://copr.fedorainfracloud.org/coprs/isc/bind/)
> 
> running 9.14.2 and repeated the tests and it works, however the config 
> will need work to have no errors and as we generally deploy via puppet 
> rework will be required.
> 
> We generally use the REDHAT approved bind for support reasons.
> 
> if it was a network issue just upgrading bind shouldn't affect it should it?


Somewhere about BIND 9.11 the default size of an AXFR message was reduced 
from the maximum of 65535 bytes down to 16384 because that allows for 
optimal DNS message compression.


I also suspect a network level issue such as MTU, but it's feasible that 
the above change may be allowing the packets to slip through.


kind regards,

Ray
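Added example, not from Ray's reply and not BIND code, to show why 16384 is the figure that matters for compression. An RFC 1035 compression pointer is two bytes whose top two bits are 11, leaving a 14-bit offset, so a name can only point back at a suffix that starts within the first 16383 bytes of the message; names that first appear later in a 64 KiB AXFR message have to be written out in full every time. The encoder below stops recording pointer targets past that offset, and the decoder rejects forward pointers and over-long names, which is the check a parser needs so that a crafted pointer loop cannot spin it forever. All names and the padding are constructed inputs.

```python
import struct

# Added example (not BIND code): RFC 1035 s4.1.4 name compression with the
# 14-bit pointer limit, plus a decoder that refuses pointer loops.

MAX_POINTER_OFFSET = 0x3FFF   # 0b11 + 14 bits -> a pointer can only reach 0..16383


class NameCompressor:
    """Builds a DNS message body, compressing repeated name suffixes."""

    def __init__(self):
        self.buf = bytearray()
        self.offsets = {}   # lower-cased label tuple -> offset where that suffix starts

    def append_raw(self, data: bytes):
        self.buf += data

    def write_name(self, name: str) -> bool:
        """Append `name`; return True if a compression pointer was emitted."""
        labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
        for i, label in enumerate(labels):
            if len(label) > 63:
                raise ValueError("label longer than 63 octets")
            suffix = tuple(l.lower() for l in labels[i:])
            target = self.offsets.get(suffix)
            if target is not None:
                self.buf += struct.pack("!H", 0xC000 | target)
                return True
            # A suffix is only a usable pointer target while its offset fits
            # in 14 bits; past 16384 bytes nothing new can be referenced.
            if len(self.buf) <= MAX_POINTER_OFFSET:
                self.offsets[suffix] = len(self.buf)
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"
        return False


def encode_names(names, prefix_len=0):
    """Encode `names` after `prefix_len` bytes of constructed earlier data.
    Returns (wire, number of names that could use a pointer)."""
    c = NameCompressor()
    c.append_raw(b"\x00" * prefix_len)
    used = sum(1 for n in names if c.write_name(n))
    return bytes(c.buf), used


def decode_name(wire: bytes, pos: int):
    """Decode a possibly compressed name at `pos`; return (name, next_pos).
    Forward pointers and names over 255 wire octets are rejected, which is
    what bounds the work a crafted pointer loop can cause."""
    labels, consumed, end = [], 0, None
    while True:
        if pos >= len(wire):
            raise ValueError("name runs past end of message")
        length = wire[pos]
        if length & 0xC0 == 0xC0:
            if pos + 1 >= len(wire):
                raise ValueError("truncated pointer")
            target = struct.unpack_from("!H", wire, pos)[0] & MAX_POINTER_OFFSET
            if target >= pos:
                raise ValueError("forward or self pointer")
            if end is None:
                end = pos + 2          # the caller resumes after the first pointer
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        consumed += 1 + length
        if consumed > 255:
            raise ValueError("name too long (pointer loop?)")
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else pos + 1)
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def is_malformed(wire: bytes, pos: int = 0) -> bool:
    """True if the decoder rejects the name at `pos`."""
    try:
        decode_name(wire, pos)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for prefix in (0, 0x3FFF, 0x4000):
        wire, used = encode_names(["example.com.", "example.com."], prefix)
        print(f"after {prefix:5d} bytes: second name used a pointer: {bool(used)}")
    print("pointer loop rejected:", is_malformed(b"\x03foo\xc0\x00"))
```

Running the block prints that the second copy of the name is compressed after 0 and 16383 bytes of preceding data but not after 16384, which is the boundary the AXFR default sits on.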



Re: Root zone DNSSEC KSK rollover event - 2018/10/11, 16:00 UTC

2018-09-28 Thread Ray Bellis
On 28/09/2018 10:55, Anand Buddhdev wrote:

> On 11 October, the old key won't be removed. On that day, the new key
> will start signing the DNSKEY RRset. The old key (id 19036), will remain
> in the root zone; it just won't sign the DNSKEY RRset. Eventually, in
> the first quarter of 2019, it will be revoked, and then removed *after*
> the hold-down period.

My apologies to the list, Anand is correct!  I had misremembered which
phase of the roll we were in, getting confused by just how long KSK2017
has already been in the root zone for.

The guidance in our KB articles still stands, though. :)

kind regards,

Ray


Root zone DNSSEC KSK rollover event - 2018/10/11, 16:00 UTC

2018-09-28 Thread Ray Bellis
This is a reminder for users of BIND that the most critical phase of the
rollover of the root zone's DNSSEC KSK is scheduled to happen at 16:00
UTC on Thursday 11th October.

At this time the old key will be removed from the root zone leaving only
the new key (id 20326) in the zone.  If your DNS servers don't know and
trust the new key at that point then DNSSEC validation errors will occur.

ISC has written two KB articles with information on how to check that
your BIND recursive DNS server is ready for the key roll.

The first is a short Operational Notification document which is ideal
for experienced BIND administrators with good familiarity with DNSSEC:

  <https://kb.isc.org/docs/aa-01529>

The second is a much more detailed document with more DNSSEC background
material and an overview of the entire key roll process:

  <https://kb.isc.org/docs/aa-01525>

Ray Bellis
ISC Research Fellow


Re: NTP through DNS?

2018-09-23 Thread Ray Bellis
On 22/09/2018 02:39, Danny Mayer wrote:

> No, that's not true. Consider what you are doing. You are substituting
> SRV records for CNAME records. There is nothing magical here. NTP can
> use the CNAME records. Either way the records have to be configured.
> What do you think you are discovering? SRV records aren't magic.

SRV records aren't magic, but they are an "approved" way of discovering
services.

We've all seen what happened with the convention of "www." to "discover"
the HTTP service on a domain and how the (marketing folks) desire to
drop that has caused no end of CNAME related issues...

Ray



Re: NTP through DNS?

2018-09-21 Thread Ray Bellis
On 21/09/2018 12:47, Danny Mayer wrote:

> Putting on both my BIND9 and NTP hats for a moment:
> 
> This answer makes no sense. NTP uses standard DNS FQDN's for all of its
> references to NTP servers whether it's using pool, server or peer. I
> have no idea where the reverse zone comes in though I haven't read the
> whole thread. the NTP service all belong to domains, whether internal or
> external. There is a DHCP option that we have seen but it seems to cause
> more confusion that anything.
> 
> You can create a DNS A or AAAA or even a CNAME in your local DNS that
> the NTP server can use and it all works.
> 
> Let me know if I misunderstood what this is really about.

I believe you have.

The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.

Ray


Re: NTP through DNS?

2018-09-19 Thread Ray Bellis
On 19/09/2018 15:59, Mauricio Tavares wrote:

>> An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> one off my mind).
>>
>   Not necessarily; I can name a few universities and business who
> offer their own NTP servers to their internal systems. AFAIK, this is
> considered good practice.

That's not the point that Mukund was making.

An NTP server is part of your local network configuration.   Your domain
name is also part of your local network configuration.  As such, these
two values are often served by DHCP.

That does not mean, though, that there is a one-to-one mapping from your
domain name to your preferred set of NTP servers.

One could have numerous subnets located all over the planet with
different NTP servers, but all sharing the same domain name.

If it were feasible to store an NTP server address in the DNS it would
more logically fit in the in-addr.arpa zone, and not in a forward zone.

Ray


Re: DNSSEC will eventually generate Identical Key ID's

2018-09-10 Thread Ray Bellis
On 09/09/2018 18:51, Mark Elkins wrote:
> Just for the record, although I do look from a curiosity point of view
> for Identical Key ID's once every few month - I've never seen them -
> until now.
> 
> Now I have them - generated by BIND within a few days of each other...
>
> I've been running DNSSEC for 7 years and have around 400 DNSSEC keys for
> 133 signed Domains.
> I'm a smallish Registrar for ZA domains.
> 
> Never assume a KeyID is unique.  :-)

It's inevitable that they won't be.

With only a 16 bit key tag space (and in 2016 Roy Arends discovered that
the effective space is only 15 bits) then due to the birthday collision
paradox you only need of the order of sqrt(32k) different keys to get a
50% chance of a collision.

Ray



Re: how to verify Pipelined TCP and DNSCOOKIE

2018-09-04 Thread Ray Bellis
On 04/09/2018 15:13, Tony Finch wrote:

> `mdig` comes with BIND and does multiple concurrent queries, so you can
> check pipelining behaviour like this:
> 
> ...
> 
> A good selection of sites near and far should nicely demonstrate
> out-of-order replies. If you don't flush the cache first then you'll get
> the answers in an effectively random order.

Technically, pipelining is not the same thing as "out of order replies",
although the former is required for the latter to work.

Pipelining just means that you can submit multiple queries over the same
socket without having to wait for any answers at all, and without the
server flushing its input queue.

AFAIK BIND was always capable of this - the new bit is that BIND will
consume the queries and start processing them (and send the responses
back in whatever order they become available) rather than processing
them strictly in order with each query and response proceeding in
lock-step mode.

This is a distinction that I still have to explain to my RFC 7766
co-authors on occasion :)

kind regards,

Ray
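Added example, not part of this reply and not BIND code, to make the distinction concrete. It is a toy TCP service that uses the RFC 1035 two-byte length prefix, with messages that are only a 16-bit ID plus a payload (constructed, not real DNS). The client pipelines every query before reading a single reply; the server either answers in lock-step or dispatches each query as soon as it has been read, so replies come back in completion order and the client must match them by ID rather than by position. Query 1 is given an artificial 0.3 s service time to force the reordering; the port and the delay table are assumptions of the example.

```python
import asyncio
import struct

# Added example (not BIND code): pipelining vs out-of-order processing over
# one TCP connection, using RFC 1035 s4.2.2 two-byte length framing.
# Messages here are just a 16-bit ID plus a payload, not real DNS packets.


def frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg


async def read_frame(reader: asyncio.StreamReader) -> bytes:
    (length,) = struct.unpack("!H", await reader.readexactly(2))
    return await reader.readexactly(length)


# Constructed service times: query 1 is slow, everything else is instant.
SLOW = {1: 0.3}


def make_handler(out_of_order: bool):
    async def handle(reader, writer):
        lock = asyncio.Lock()      # one complete frame at a time on the shared socket

        async def answer(query: bytes):
            (qid,) = struct.unpack("!H", query[:2])
            await asyncio.sleep(SLOW.get(qid, 0))
            async with lock:
                writer.write(frame(query))   # echo the query back with its ID
                await writer.drain()

        pending = []
        try:
            while True:
                query = await read_frame(reader)
                if out_of_order:
                    # consume the next query immediately; reply when ready
                    pending.append(asyncio.create_task(answer(query)))
                else:
                    await answer(query)      # lock-step: next read waits for this reply
        except asyncio.IncompleteReadError:
            pass                             # client half-closed: no more queries
        await asyncio.gather(*pending)
        writer.close()
    return handle


async def pipelined_client(host, port, n):
    reader, writer = await asyncio.open_connection(host, port)
    sent = list(range(1, n + 1))
    for qid in sent:                         # pipelining: send everything, read nothing yet
        writer.write(frame(struct.pack("!H", qid) + b"q"))
    await writer.drain()
    writer.write_eof()
    received = []
    for _ in sent:                           # replies are matched by ID, not by position
        resp = await read_frame(reader)
        received.append(struct.unpack("!H", resp[:2])[0])
    writer.close()
    await writer.wait_closed()
    return sent, received


async def _run(n, out_of_order):
    server = await asyncio.start_server(make_handler(out_of_order), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        return await pipelined_client("127.0.0.1", port, n)
    finally:
        server.close()
        await server.wait_closed()


def run_demo(n=4, out_of_order=True):
    """Return (IDs sent, IDs received in arrival order)."""
    return asyncio.run(_run(n, out_of_order))


if __name__ == "__main__":
    print("lock-step:     ", run_demo(out_of_order=False))
    print("out-of-order:  ", run_demo(out_of_order=True))
```

In both runs the client pipelines identically; only the server differs. The lock-step server returns replies in the order 1, 2, 3, 4 because the slow query blocks the rest, while the out-of-order server returns 2, 3, 4 first and 1 last.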


Re: v9.12.1-P2 changed files

2018-05-18 Thread Ray Bellis
On 18/05/2018 21:28, Jim Popovitch via bind-users wrote:
> Honest question Why are there so many sourcecode
> modifications/additions/deletions between v9.12.1 and v9.12.1-P2?  Some 
> files should obviously change between minor versions, but ~1300 ?
> 
> Bin9 v9.12.1-P2 changed files:
> http://paste.debian.net/plainh/470058dd

The vast majority of those changes are due to a change to the standard
copyright template at the top of each source file.

Ray



Re: Administrivia.

2018-04-23 Thread Ray Bellis
On 23/04/2018 16:34, Chris Thompson wrote:

> To further increase our Schadenfreude, please do let the list know just
> how ISC managed to let that happen! Or will you be able to blame ARIN?

We're blaming ARIN :p

149.20/16 was previously delegated to us with its own DNSKEY / DS, and
then we used a separate DNSKEY / DS for the individual child /24's below
that.

The /16 got split (by ARIN) into individual /24 delegations, and they
copied the existing DS that covered the /16 into the new records...

Ray
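Added example, not from Ray's replies and not BIND code, covering two points from this thread and from the "DNSSEC will eventually generate Identical Key ID's" reply above. A key tag is the RFC 4034 Appendix B checksum of the DNSKEY RDATA, not a hash, so collisions are a birthday problem in a 16-bit space (15-bit effective, per the figure quoted in that reply; the default below just follows it). A DS digest hashes the owner name together with the RDATA, so a DS generated for the /16 delegation cannot validate any key at a /24 apex, not even the same key, which is exactly the failure DNSViz flagged. The zone names follow the thread; the public-key bytes are constructed dummies, not real key material.

```python
import hashlib
import struct

# Added example (not ISC/BIND code). Public keys below are constructed dummy
# bytes, not real keys; only the key-tag and DS arithmetic is the real thing.


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 s6.2."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (every algorithm except RSA/MD5).
    A 16-bit sum over the RDATA, so it identifies a key only loosely."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 s5.1.4: hash(owner name wire || DNSKEY RDATA).
    The owner name is part of the input, so a DS is bound to one zone apex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """(key tag, algorithm, digest type, digest) as published in the parent."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds, owner: str, rdata: bytes) -> bool:
    """The check a validator makes before trusting a child DNSKEY via a DS."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest.lower() == ds_digest(owner, rdata, dtype))


def collision_probability(n_keys: int, tag_bits: int = 15) -> float:
    """Exact birthday probability that n independent keys with uniformly
    random tags share at least one tag in a 2**tag_bits space."""
    space = 1 << tag_bits
    p_distinct = 1.0
    for k in range(n_keys):
        p_distinct *= 1 - k / space
    return 1 - p_distinct


def keys_for_half_chance(tag_bits: int = 15) -> int:
    """Smallest key count with at least a 50% chance of a tag collision."""
    n = 1
    while collision_probability(n, tag_bits) < 0.5:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed scenario modelled on the thread: the /16 reverse zone and a
    # /24 child each have their own key, and the /16's DS gets copied verbatim.
    owner16, owner24 = "20.149.in-addr.arpa.", "1.20.149.in-addr.arpa."
    k16 = dnskey_rdata(257, 3, 13, bytes([1, 2, 3, 4]))   # dummy key material
    k24 = dnskey_rdata(257, 3, 13, bytes([9, 9, 9, 9]))   # dummy key material
    ds16 = make_ds(owner16, k16)
    print("DS for /16 validates the /16 key:", ds_matches(ds16, owner16, k16))
    print("same DS copied to the /24:       ", ds_matches(ds16, owner24, k24))
    print("same DS, same key, /24 owner:    ", ds_matches(ds16, owner24, k16))
    print("keys for a 50% tag collision (15-bit):", keys_for_half_chance())
```

The last line comes out a little above 200, in line with the sqrt(32k) estimate; operators who key on tag alone (for example when deleting or revoking keys by ID) should select on the full DNSKEY or its DS digest instead.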


Re: Administrivia.

2018-04-23 Thread Ray Bellis
On 23/04/2018 14:18, Anand Buddhdev wrote:

> If you repeat your query with the +cd option, you'll get a response.
> 
> DNSViz shows problems with the DNSSEC setup of this zone. The DS and
> DNSKEY records don't match:
> 
> http://dnsviz.net/d/1.20.149.in-addr.arpa/dnssec/

Thanks for the heads up - I'll make sure our Ops team is aware.

Ray



Re: Maximum zone file size

2018-03-14 Thread Ray Bellis
On 14/03/2018 12:08, Anand Buddhdev wrote:

> Not that I know of. The amount of RAM in a server is probably the most
> significant limit for loading zones into BIND.

Anand is correct - there's no intrinsic limit other than RAM.

I personally know of BIND instances running with in the region of 25 -
30M RRs in them.

Ray


Re: BIND9 and AS112

2018-03-09 Thread Ray Bellis
On 09/03/2018 05:32, Diarmuid O Briain wrote:
> Hi,
> 
> I have been following RFC7534 to setup an AS112 Service. I am getting
> the following errors from /*systemctl*/ status, what do they mean ?
> 
> Mar 09 08:11:43 as112 named[3787]:
> ../../../../lib/isc/unix/socket.c:2104: unexpected error:
> Mar 09 08:11:43 as112 named[3787]: internal_send: 2620:4f:8000::42#53:
> Invalid argument

Do you have functioning IPv6 connectivity?

The errors suggest that you don't, but that your named.conf is expecting
that you do.

Ray



Re: disable dnssec for particular domain

2018-02-06 Thread Ray Bellis
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:

> what's the difference, when the domain doesn't exist?
> 
> is it because .eu is signed?

Perhaps, although I'm not sure why given that .eu is signed with NSEC3
and opt-out.

Are you *sure* that the domain doesn't now actually exist in the DNS?

Ray



Re: disable dnssec for particular domain

2018-02-06 Thread Ray Bellis
On 06/02/2018 16:00, Matus UHLAR - fantomas wrote:
> Hello,
> 
> our customer uses a domain that is registered, but hidden
> (doesn't exist in DNS).
> 
> The domain is used by multiple organizations and we are required to forward
> lookups for the domain to foreign internal servers.
> 
> The problem is, that parent domain (.eu) indicates that the domain is to be
> signed and since default bind installation validates DNSSEC, lookups are
> refused:

The statements above are mutually contradictory.

If the domain is in use by multiple organisations, which of them put the
DS record in the .eu zone?  If it doesn't exist in the DNS then there
can be no DS record.

Or is it the case that perhaps that the parent .eu zone is actually
denying the existence of that zone?

Ray



Re: BIND 9.11.2, named-checkconf barfs on cookie-secret

2018-01-03 Thread Ray Bellis
On 03/01/2018 12:48, Ingeborg Hellemo wrote:

> What am I missing?  Bug in named-checkconf?

Yes, it's a known bug, fixed in the forthcoming 9.11.3 release:

4695. [bug] cookie-secrets were not being properly checked by
named-checkconf. [RT #45886]

kind regards,

Ray


RNDC client protocol mode for NodeJS

2017-12-20 Thread Ray Bellis
For those of you that like Javascript, and like it server side, there's
now an implementation of the RNDC protocol available for NodeJS:

<https://www.npmjs.com/package/bind9-rndc>

We hope people may find this useful.

Please note that this is not officially supported ISC software.

Ray Bellis
ISC Research Fellow


Re: Reverse Zone, Can It Be One Big Class B?

2017-11-30 Thread Ray Bellis
On 30/11/2017 22:13, Reineman, Rick wrote:
> The subject is a little off, I have a Class B network masked down to
> a bunch of Class C networks.
> 
> I am replacing an old DNS service where they configured it as one
> might expect with one reverse mapping file per network.  So we have
> many of these files.
> 
> I don't see any reason why I can't treat my reverse mapping file as
> if it were all Class B addresses.  So one big reverse mapping  file
> just like my forward mapping file.  This would make management of the
> reverse mapping file much easier.
> 
> This is a smallish internal network, about 900 hosts or so.  We're
> doing no delegation.
> 
> So my question is, is there a good reason why I should not do this?
> It's been awhile since I had a DNS project and have never managed it
> on a Class B with Class C masked networks before.

The main thing you may wish to consider is whether you ever wish to
DNSSEC sign your reverse zones.

If you do, the zone cut on the parent name servers (which is where the
DS records would be) must match the zone cut on your own servers, which
would contain the DNSKEY records.

So, if your RIR has delegated a single /16 part of .in-addr.arpa to you,
and you currently split that into /24 zones yourself, you'd be fine.

If, OTOH, your RIR can only delegate at the /24 boundary, you'd have to
maintain your zone cuts at that boundary too.

Ray


Re: EDNS0 client subnet in BIND 9.10

2017-11-11 Thread Ray Bellis
On 11/11/2017 19:46, Ben Croswell wrote:
> The use case i am looking at is using ECS or some other mechanism to
> pass the IP of client making the query to the global load-balancer. This
> information could then be used by the global load-balancer in making
> proximity decisions when crafting its response.
> I.e. GLB sees 10.1.1.1 and returns a given IP but if it sees 10.2.2.2
> the answer is different. 

Thanks for the clarification, that is indeed a typical use case for ECS,
rather than for my XPF draft.

kind regards,

Ray

Re: EDNS0 client subnet in BIND 9.10

2017-11-11 Thread Ray Bellis
On 11/11/2017 04:50, Mukund Sivaraman wrote:
> I'm not sure how ECS would be useful for load-balancing, as in the best
> case scenario it would require one to control every client side to send
> the client-subnet option.

It would help if Ben provided more details about what he's trying to
achieve.

I do have a draft that I'm trying to get adopted at IETF to allow
client-related information to be carried from load balancer to back-end
server.  It's not yet implemented in BIND, though:



Ray



Re: Secure Cert for lists web site expired?

2017-10-11 Thread Ray Bellis
On 11/10/2017 16:12, MURTARI, JOHN wrote:

> lists.isc.org uses an invalid security certificate. The certificate
> expired on Sunday, October 08, 2017 3:09 AM. The current time is
> Wednesday, October 11, 2017 11:08 AM.

Our Ops team is already aware.

Thanks for the report!

Ray


Re: Strange recursor response time pattern

2017-09-05 Thread Ray Bellis
On 05/09/2017 16:56, Havard Eidnes wrote:
> Hmm...
> 
> some further local discussion has made me aware that us running
> "collectd" for monitoring BIND may be contributing to the
> problem; collectd fetches data each 10s by using the BIND-
> configured statistics-channel, thus BIND is processing a TCP
> connection to deliver the statistics data.
> 
> It's still somewhat surprising and disappointing that this should
> interfere this much with DNS query processing...

There are various URLs (see the BIND 9 ARM) that provide a subset of the
full statistics.

The stats channel output relating to running tasks and memory contexts
is very extensive.

If collectd doesn't need the full set, you may be able to ask for just
the traffic-volume related subset(s).

Ray



Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Ray Bellis
On 19/07/2017 11:53, Tony Finch wrote:

> It's how we did things in the 1990s :-)

Yup - in '96 I was running the entire set of customer-facing services
for a newly-formed ISP on a single Alpha workstation :)

Ray




Re: designing the DNS from the scratch

2017-07-10 Thread Ray Bellis
On 10/07/2017 14:02, wbr...@e1b.org wrote:

> ~3 x 10**8 m/s
> 
> More importantly, what is the speed of light in a fiberoptic connection? 

~0.66c

> Speed of electrons in copper wire?

Individual electrons move *very* slowly - it's the electric *field* that
moves at between 0.5c and 1c.

https://en.wikipedia.org/wiki/Velocity_factor

cheers,

Ray



Re: Tuning suggestions for high-core-count Linux servers

2017-06-02 Thread Ray Bellis
On 01/06/2017 23:26, Mathew Ian Eis wrote:

> … and for one last really crazy idea, you could try running a pair of
> named instances on the machine and fronting them with nginx’s
> supposedly scalable UDP load balancer. (As long as you don’t get a
> performance hit, it also opens up other interesting possibilities
> like being able to shift production load for maintenance on the named
> backends).

It's relatively trivial to patch the BIND source to enable SO_REUSEPORT
on the more recent Linux kernels that support it (3.8+, ISTR?) so that
you can just start two BIND instances listening on the exact same ports
and the kernel will do the load balancing for you.

For a NUMA system, make sure each instance is locked to one die, but
beware of NUMA bus transfers caused by incoming packet buffers being
handled by a kernel task running on one die but then delivered to a BIND
instance running on another.

In the meantime we're also looking at SO_REUSEPORT even for single
instance installations because it appears to offer an advantage over
letting multiple threads all fight over one shared file descriptor.

Ray

Re: Tuning suggestions for high-core-count Linux servers

2017-06-02 Thread Ray Bellis
On 02/06/2017 08:12, Browne, Stuart wrote:

> Query rate thus far reached (on 24 cores, numa node restricted): 426k qps
> Query rate thus far reached (on 48 cores, numa nodes unrestricted): 321k qps

In our internal Performance Lab I've achieved nearly 900 kqps on small
authoritative zones when we had hyperthreading enabled, and 700 kqps
without.

The lab uses Dell R430s running Fedora Core 23 with Intel X710 10GB NICs
and each populated with a single Xeon E5-2680 v3 2.5 GHz 12-core CPU.

These systems have had *negligible* tuning applied - the vast majority
of the system settings changes I've made have been to improve the
repeatability of results, not the absolute performance.

The only major setting I've found which both helps performance and
improves consistency is to ensure that each NIC rx/tx queue IRQ is
assigned to a specific CPU core, with irqbalance disabled.

This is with a _single_ dnsperf client, too.  The settings I use are
-c24 -q82 -T6 -x2048.   However I do use a tweaked version of dnsperf
which assigns each thread pair (it uses separate threads for rx and tx)
to its own core.

You may find the presentation I made at the recent DNS-OARC workshop of
interest:

<https://indico.dns-oarc.net/event/26/session/3/contribution/18>

You didn't mention precisely which 9.10 series version you're running.
Note that versions prior to 9.10.4 defaulted to a -U value of ncores/2,
but investigation showed that on modern systems this was sub-optimal so
it was changed to ncores-1.  This makes a *very* big difference.

kind regards,

Ray Bellis
ISC Research Fellow


Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Ray Bellis
On 09/02/2017 15:32, Robert Moskowitz wrote:

> Now doing it 'right' and seeing:
> 
> 09-Feb-2017 09:59:52.191 could not open file '/run/named/named.pid':
> Permission denied
> 09-Feb-2017 09:59:52.192 generating session key for dynamic DNS
> 09-Feb-2017 09:59:52.192 could not open file '/run/named/session.key':
> Permission denied
> 09-Feb-2017 09:59:52.193 could not create /run/named/session.key
> 09-Feb-2017 09:59:52.193 failed to generate session key for dynamic DNS:
> permission denied
> 09-Feb-2017 09:59:52.193 sizing zone task pool based on 21 zones
> 
> so perhaps some permissions problems?  I am su as root.

Are you specifying the '-u ' flag to named, and does that user
have read / write permissions to /run/named ?

[ also, does the config specify use of chroot? ]

> then after all the auto zones:
> 
> ...
> 
> Now why am I getting network unreachable?  I can ping out to a lot of
> addrs.

The errors all relate to IPv6 ...

Ray



Re: Bind failing to start on new 9.9.4 server

2017-02-09 Thread Ray Bellis
On 09/02/2017 14:28, Robert Moskowitz wrote:
> I am migrating to Centos7 from Centos6.  Going from Bind 9.8.2 to 9.9.4,
> I am building this on a new server.  I currently do not have DNSSEC
> enabled, and not enabling it for the initial migration work.
> 
> I have looked over changes in named.conf and believe I have made the
> necessary changes.  My named.conf is  loading as are the zone files. 
> This is what 'systemctl -l status named' shows:

I'd suggest that you try starting named manually with the '-g' flag so
that it sends all output to stderr without forking.

This should hopefully reveal why it's failing to start.

Ray




Re: Need of 2 $ORIGIN Directives

2016-12-21 Thread Ray Bellis
On 21/12/2016 12:57, Harshith Mulky wrote:

> So I wanted to understand some things about this Domain
> 
> A. Why are there 2 $ORIGIN directives?

Because someone thought they were being clever? :)
> 
> B. Can the above be replaced as below

Yes, and you could even remove the trailing `atlanta.com.` on some of
those records.

> $ORIGIN atlanta.com.
> $TTL 86400  ; 1 day
> @ IN SOA  local.atlanta.com. master.atlanta.com. (
> 2001062522 ; serial
> 21600  ; refresh (6 hours)
> 3600   ; retry (1 hour)
> 604800 ; expire (1 week)
> 86400  ; minimum (1 day)
> )
> NS  local.atlanta.com.
> NS  kabulvm8.atlanta.com.
> ;A Records
> local   A   127.0.0.1
> kabulvm8A   10.54.49.43

Ray




Re: allow-query does not seem to be working

2016-08-08 Thread Ray Bellis
On 08/08/2016 20:59, Frank Even wrote:
> Thanks for the info.  Also I'll have to note that I completely missed
> that the "offending IP" is one of the .uk root servers so the next
> logical conclusion is I've probably got a box in one of my environments
> driving an amplification attack of some sort or something at those IPs
> that I need to figure out.  Sorry for the bother and thanks for the
> feedback.  Much appreciated.

The host in question (156.154.100.3) is nsa.nic.uk, but is actually
operated by UltraDNS / Neustar.

However to me it looks like _you're_ the one sending the queries, as
evidenced by the 'A?' in your tcpdump log (where the ? indicates query,
and 'A' on its own would be the response) and also the destination port
of 53.

Ray



Re: allow-query does not seem to be working

2016-08-08 Thread Ray Bellis
On 08/08/2016 18:43, Darcy Kevin (FCA) wrote:
> As already noted, allow-query will cause you to send back a REFUSED
> response. That’s sort of the whole point of the REFUSED RCODE.
> 
>  
> 
> If you want to not send back any response **whatsoever**, then take a
> look at the “blackhole” statement, but, honestly, this kind of “drop”
> function may, depending on network topology, be more efficiently
> performed in your firewall or IDS/IPS.
> 
>  
> 
> Be aware that a client that doesn’t get a response may retry the query,
> so simply “dropping” queries may ultimately prove counter-productive.

and also see Mark Andrews' Internet Draft on this very topic:

https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-03

Ray



Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Ray Bellis
On 02/08/2016 22:04, Matthew Pounsett wrote:

> Yes it will.  But, as far as I understand, it uses the recursive code
> paths to do that, and won't consult resolv.conf.  Yes?

I believe that's correct, yes.

Ray




Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Ray Bellis
On 02/08/2016 19:47, Matthew Pounsett wrote:

> In the authoritative configuration, BIND has no need to do DNS lookups
> of its own, so it wouldn't be any use there.

That's not strictly true - BIND will in some circumstances use its own
internal resolver to handle the host lookups for NOTIFYs and XFRs if
they're using hostnames instead of IP lists.

Ray




Resend: ISC Dig for iOS

2016-06-27 Thread Ray Bellis
[apologies if you did get this last week, it seemed to go
 missing during our mailman rebuild]

For those that haven't heard via social media, I've built a port of
"dig" for iPhone and iPad.

The code is based on dig from BIND 9.10.4, and supports most of the
usual command line options, as well as having a UI settings page for
non-expert users for some common settings.

<https://itunes.apple.com/us/app/isc-dig/id1115648880?mt=8>

You can bookmark commonly used queries, and there's also a standard
"share" button for sending query results via email, etc.

This isn't an officially supported ISC product, it's more of a "skunk
works" project, so if you try it and have feedback please either post
here on bind-users or get back to me directly.

Ray Bellis
ISC Research Fellow


Re: writeable file 'domain.com': already in use

2016-06-16 Thread Ray Bellis
On 16/06/2016 09:01, Evan Hunt wrote:

> Use the "in-view" statement so that there's only one copy of the zone
> shared by both views.

Yes, or that, if they really are the same zone contents in both views.

Ray




Re: writeable file 'domain.com': already in use

2016-06-16 Thread Ray Bellis
On 16/06/2016 07:53, Daniel Dawalibi wrote:

> We are upgrading our DNS authoritative BIND version 9.10.4-P1 but we are
> facing “writing errors” on the slave zone files that are transferred
> from other Master DNS servers.
> 
> Our configuration consists of two views  (local and inter) and the
> domain is configured in both views sections.
> 
> The problem was solved after removing the zone from one VIEW but is
> there any workaround for this issue without removing the zone from the
> view section (either Local or Inter)?

BIND 9.10.4 doesn't allow you to use the same filename for the same zone
in different views (since the content should be different).

Simply change the "file" directive in one of the views and you should be
fine.

Ray




Re: Enabling edns on Bind 9.9

2016-06-15 Thread Ray Bellis
On 15/06/2016 12:31, Harshith Mulky wrote:
> How can I enable EDNS on the bind server?
> 
> 
> Will just enabling this
> 
> edns-udp-size size_in_bytes ;
> 
> set the EDNS on the bind server?
> 
> 
> Or is EDNS Client specfic feature?

EDNS is always enabled on a BIND 9.9 server, but it's only permitted
(per the RFCs) if the client sent an OPT RR in the request.

Ray




Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Ray Bellis
On 24/03/2016 16:41, Tony Finch wrote:

> When I changed our TTLs from 24h to 1h last year, it didn't have a visible
> effect on authoritative server query load, much to my surprise.

I'm not that surprised - there's definitely not a linear correlation
between the TTL of an RRset and how frequently it's queried.

Unless your TTL is very short, forced expulsion from cache (due to
cache-size limits) would cause many clients to re-query for a record far
more frequently than once-per-TTL.

Ray




Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Ray Bellis
On 24/03/2016 14:47, Ben Bridges wrote:
> Greetings.
> 
>  
> 
> Is it possible in BIND to configure multiple resource records for the
> same domain name, TYPE, and CLASS with different TTL values?  For example:
>
> ...
>
> I tried it, and BIND set the TTL for all five records to 300 (or more
> specifically, the TTL of the first one of the RRs in the file).  I
> looked for a BIND directive in the manual to change this behavior but
> could find no obvious candidate.

Doing so would be contrary to §5.2 of RFC 2181:

   Resource Records also have a time to live (TTL).  It is possible for
   the RRs in an RRSet to have different TTLs.  No uses for this have
   been found that cannot be better accomplished in other ways.  This
   can, however, cause partial replies (not marked "truncated") from a
   caching server, where the TTLs for some but not all the RRs in the
   RRSet have expired.

   Consequently the use of differing TTLs in an RRSet is hereby
   deprecated, the TTLs of all RRs in an RRSet must be the same.

Ray

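A lint for the situation Ben ran into, added here as an example (not code from the thread or from BIND): it groups the RRs of a zone fragment into RRsets and reports any RRset whose RRs carry different TTLs, together with the TTL BIND would apply, which per Ben's report is the first RR's. The zone text is constructed, and only simple single-line `owner [TTL] [IN] type rdata` records and `$TTL` are handled.

```python
from collections import OrderedDict

# Constructed zone fragment: the www A RRset mixes three TTLs (the third
# RR inherits $TTL), the mail MX RRset is consistent.
ZONE = """\
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 300
www  300 IN A 192.0.2.1
www  600 IN A 192.0.2.2
www      IN A 192.0.2.3   ; no explicit TTL: inherits $TTL 3600
mail 300 IN MX 10 mx1.example.com.
mail 300 IN MX 20 mx2.example.com.
"""


def parse_rr(line, default_ttl):
    """Split one zone line into (owner, ttl, type, rdata); None for blank lines."""
    line = line.split(";", 1)[0].strip()  # drop comments
    if not line:
        return None
    fields = line.split()
    owner, rest = fields[0].lower(), fields[1:]
    ttl = default_ttl
    if rest and rest[0].isdigit():        # optional explicit TTL
        ttl = int(rest.pop(0))
    if rest and rest[0].upper() == "IN":  # optional class
        rest.pop(0)
    if len(rest) < 2:
        raise ValueError("malformed record: %r" % line)
    return owner, ttl, rest.pop(0).upper(), " ".join(rest)


def rrset_ttls(zone_text):
    """Map each (owner, type) RRset to the list of TTLs of its RRs, in file order."""
    default_ttl, groups = 0, OrderedDict()
    for line in zone_text.splitlines():
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        rr = parse_rr(line, default_ttl)
        if rr is not None:
            owner, ttl, rtype, _ = rr
            groups.setdefault((owner, rtype), []).append(ttl)
    return groups


def lint_ttls(zone_text):
    """RRsets that violate RFC 2181 section 5.2, as
    {(owner, type): (ttl_bind_applies, sorted distinct ttls)}."""
    findings = {}
    for key, ttls in rrset_ttls(zone_text).items():
        if len(set(ttls)) > 1:
            findings[key] = (ttls[0], sorted(set(ttls)))  # first RR wins, per the thread
    return findings


if __name__ == "__main__":
    for (owner, rtype), (applied, seen) in lint_ttls(ZONE).items():
        print("%s %s: TTLs %s differ; loaded with %d" % (owner, rtype, seen, applied))
```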


Re: DNS Service Discovery

2016-03-14 Thread Ray Bellis
On 14/03/2016 12:23, Phil Mayers wrote:

> Stack overflow or similar may be a better place to start.

Definitely not stackoverflow - unless the question is clearly
programming related it would be closed with extreme prejudice.

I'd suggest the OP should investigate further what's happening in the
IETF DNS-SD working group, and particularly the "hybrid proxy zeroconf"
work that's split between there and the Homenet WG.   That latter work
is intended to allow inter-segment service discovery without resorting
to site-scoped multicast.

Ray




Re: DNS BIND traffic capture ICMP/UDP

2016-01-15 Thread Ray Bellis
On 15/01/2016 13:48, Daniel Dawalibi wrote:
> Hello
> 
>  
> 
> We observed an unusual traffic combining ICMP and UDP packets while
> running the tcpdump command on the DNS caching server
> 
> Kindly note that only UDP DNS traffic is allowed on this server (ICMP is
> not allowed from outside to DNS server)
> 
> Any help regarding this issue? Why we are getting ICMP and UDP requests?
> Could it be an attack?

The far end is complaining that responses that your server has sent
cannot be delivered to the originator because there's no longer anything
listening at the source port from which the DNS request came.

This could be for several reasons:

1.  the far end's stateful firewall has "timed out" the state it was
maintaining for its own outgoing UDP query

2.  the far end ran out of state memory (similar to 1)

3.  the packet didn't really come from there in the first place (i.e.
the source was spoofed)

Your own firewall is likely permitting the inbound ICMP (despite rules
prohibiting unsolicited inbound ICMP) because as far as it's concerned,
these are *not* unsolicited ICMP packets - they relate to an existing flow.

Ray




Re: Bind9 on VMWare

2016-01-13 Thread Ray Bellis
On 13/01/2016 12:44, Reindl Harald wrote:

> where did you read that?
> 
> we don't run *anything* on physical machines and all our nameservers
> (auth, caching with a mix of bind/unbound/rbldnsd) as anything else runs
> on top of VMware vSphere 5.5, previously 4.1/5.0 since 2008

ISTR that some of the Dyn guys presented at DNS-OARC in Warsaw that they
found substantially worse behaviour running this sort of traffic using
virtualisation when compared to light-weight containers.

Ray




Re: Writeable file already in use

2016-01-05 Thread Ray Bellis
On 05/01/2016 17:03, Barry Margolin wrote:

> The in-memory copy is likely to end up in the swap partition.

A swap partition?   I don't think I've seen one of those for years...

Ray




Re: Is there other methods or APIs to monitor qps?

2015-11-27 Thread Ray Bellis
On 27/11/2015 13:02, Tony Finch wrote:
> Use the statistics channel, e.g.
> 
> curl --silent http://nameserver:853/json/v1/server | jq -r .opcodes.QUERY

Note that this gives you the absolute total since startup - you need to
take two measurements and divide by the time between them to convert
that into something like QPS.

Ray



Re: root hints operation

2015-11-17 Thread Ray Bellis
On 17/11/2015 02:09, Grant Taylor wrote:
> On 11/16/2015 06:56 PM, /dev/rob0 wrote:
>> You either specify a hints file to use, or use the compiled-in root
>> hints.
> 
> Interesting.  I was not aware that it was an exclusive or type situation.

It's important that they're exclusive - it would be very much harder to
build an isolated test bed (with "fake" root hints) if BIND insisted on
always trying to reach all of the compiled-in root hints.

Ray




Re: SRV Request to DNS

2015-09-29 Thread Ray Bellis
On 29/09/2015 07:37, Harshith Mulky wrote:
> Hi all,
> 
> I had a query
> 
> Let us say we are having a FQDN and we need to Resolve it. It goes
> through the procedure of determining the IP and Port using NAPTR/SRV/A
> query mechanisms
> 
> The question I have is if I have a FQDN with a Port Number already
> determined, will it go through the Procedure of NAPTR/SRV/A query (or)
> simply do a A query (or) Is this left to the client to apply the Logic?

NAPTR / SRV are most commonly used when all you have is a "domain name"
and you need to determine the hostname and port associated with a
particular service at that domain (e.g. a SIP server)

I would therefore expect that given a specific hostname and port that
those would be used directly, rather than using NAPTR / SRV.

Ray




Re: E164 Number Mapping

2015-09-24 Thread Ray Bellis
On 24/09/2015 15:26, Harshith Mulky wrote:
> Hello,
> 
> I have a question on E164 Number Mapping: 
> 
> Lets say I have a number as "9986012345" with Country Code as  "1"
> 
> For E164 Number to be mapped and to be queried from DNS, it should be
> converted into ENUM domain like,
> 
> 5.4.3.2.1.0.6.8.9.9.1.e164.arpa. [e164.arpa being the Public domain]
> 
> I assume adding 1 after 5.4.3.2.1.0.6.8.9.9 is based on the Country Code.
> 
> 
> 
> So will there be an issue if by any chance this 1 is not attached in
> converted ENUM domain and queried as 5.4.3.2.1.0.6.8.9.9.e164.arpa.

Yes, there'll be an issue.

The query would go to whatever ENUM registry (if any) is responsible for
+998 (Uzbekistan) and get the wrong answer.

Ray

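The E.164 to ENUM mapping from Harshith's question, added as an example (not code from the thread): build the e164.arpa owner name, invert it, and show which country code a name is resolved under, so that the name with the leading "1" dropped visibly lands under +998 as Ray says. The country-code table is a constructed three-entry subset; the number and country code are the ones in the question.

```python
ENUM_SUFFIX = "e164.arpa."

# Constructed subset of the ITU-T E.164 country codes (real codes are 1 to 3 digits).
COUNTRY_CODES = {
    "1": "North American Numbering Plan",
    "44": "United Kingdom",
    "998": "Uzbekistan",
}


def enum_name(national_number, country_code, suffix=ENUM_SUFFIX):
    """Owner name to query for +<country_code><national_number>: every digit
    of the full E.164 number becomes one label, in reverse order, under the
    ENUM apex."""
    digits = country_code + national_number
    if not digits.isdigit() or not 1 <= len(digits) <= 15:
        raise ValueError("an E.164 number is 1 to 15 digits")
    return ".".join(reversed(digits)) + "." + suffix


def e164_from_enum(name, suffix=ENUM_SUFFIX):
    """Inverse mapping: recover '+digits' from an ENUM owner name."""
    tail = "." + suffix
    if not name.lower().endswith(tail):
        raise ValueError("not under %s" % suffix)
    labels = name[: -len(tail)].split(".")
    if not all(len(label) == 1 and label.isdigit() for label in labels):
        raise ValueError("ENUM labels must be single digits")
    return "+" + "".join(reversed(labels))


def country_code_of(name):
    """Country code an ENUM name falls under (longest match wins), i.e. whose
    ENUM registry, if any, will answer the query; None if not in the table."""
    number = e164_from_enum(name)[1:]
    for width in (3, 2, 1):
        if number[:width] in COUNTRY_CODES:
            return number[:width]
    return None


if __name__ == "__main__":
    right = enum_name("9986012345", "1")
    wrong = enum_name("9986012345", "")  # country code left off
    for name in (right, wrong):
        cc = country_code_of(name)
        print(name, "->", e164_from_enum(name), "under +%s (%s)" % (cc, COUNTRY_CODES.get(cc)))
```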


Re: Understanding different service fields in DNS Records

2015-08-27 Thread Ray Bellis
On 27/08/2015 13:53, Harshith Mulky wrote:
> Hi,
> 
> Needed to understand the different Service fields used in ENUM/DNS Records
> 
> specifically,
> 
> E2U+sip, E2U+pstn, E2U+sip:pstn, E2U+pstn:sip and other supporting formats
> 
> Is there any RFC/documents/Links which help in understanding these
> various formats with examples.

Your best bet is probably to start at the IANA registry of ENUM services:

http://www.iana.org/assignments/enum-services/

The registry contains links to the various RFCs that define each service.

kind regards,

Ray



Re: how to compile bind 9.10 with --with-libjson option

2015-08-10 Thread Ray Bellis
On 10/08/2015 04:18, Leandro wrote:
> Thanks !!! it compiled now ...
> still trying to get the json output.
> http://10.0.0.250:8080
> works, but:
> http://10.0.0.250:8080/json

Try http://10.0.255:8080/json/v1

[also /json/v1/mem, /json/v1/server, etc.]

Ray




Re: Order and Preference Priority in DNS Responses

2015-08-03 Thread Ray Bellis
On 03/08/2015 12:38, Harshith Mulky wrote:

> I am expecting to receive the answer as _sip._udp.carrier1.com but I
> receive _sip._tcp.carrier1.com
> 
> How could I change this?

For applications that use NAPTR records it's the job of the client
application to process and sort the entire set of NAPTR records based on
the Order and Preference fields.

The order of the records as sent back in the DNS packet is therefore
irrelevant.

Ray


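The client-side processing Ray describes, added as an example (not code from the thread): parse NAPTR RDATA in zone presentation format and order the set by Order, then Preference, as RFC 3403 requires, so that the packet order is irrelevant. The three records are constructed; only the two `_sip._udp` / `_sip._tcp` replacement names come from Harshith's message.

```python
import re
from dataclasses import dataclass

# Constructed answer section, in the order a server happened to return it:
# the TCP record comes first in the packet but has the higher (worse) Order.
ANSWER_RDATA = [
    '20 10 "S" "SIP+D2T" "" _sip._tcp.carrier1.com.',
    '10 10 "S" "SIP+D2U" "" _sip._udp.carrier1.com.',
    '30 50 "S" "SIPS+D2T" "" _sips._tcp.carrier1.com.',
]

# order preference "flags" "service" "regexp" replacement
_NAPTR_RE = re.compile(
    r'^\s*(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)\s*$'
)


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


def parse_naptr(rdata):
    """Parse one NAPTR RDATA string; raises ValueError on malformed input."""
    m = _NAPTR_RE.match(rdata)
    if not m:
        raise ValueError("malformed NAPTR rdata: %r" % rdata)
    order, pref, flags, service, regexp, replacement = m.groups()
    return Naptr(int(order), int(pref), flags.upper(), service, regexp, replacement)


def client_order(records, service=None):
    """Records in the order a client must try them: lowest Order first and,
    within one Order, lowest Preference. Records with equal Order and
    Preference are the client's choice; this keeps packet order (stable sort).
    Optionally keep only one service, e.g. 'SIP+D2U' for SIP over UDP."""
    wanted = [r for r in records
              if service is None or r.service.upper() == service.upper()]
    return sorted(wanted, key=lambda r: (r.order, r.preference))


def first_target(rdata_list, service=None):
    """Replacement name the client ends up using first (an SRV owner name
    when the 'S' flag is set), regardless of how the packet was ordered."""
    ordered = client_order([parse_naptr(r) for r in rdata_list], service)
    return ordered[0].replacement if ordered else None


if __name__ == "__main__":
    for r in client_order(parse_naptr(x) for x in ANSWER_RDATA):
        print(r.order, r.preference, r.service, r.replacement)
```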