Re: compile flag to disable AAAA responses is unrecognized

2021-07-06 Thread Rick Dicaire
On Tue, Jul 6, 2021 at 3:06 PM Scott Strattner  wrote:

> I successfully built 9.16.18 on my RH8.4 ppc64el VM. But after doing so I
> wanted to set it up so that if it receives a query over IPv4 it will not
> return any AAAA records in the reply
>

Hi Scott, just curious, why do you need this?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Fwd: Problems with compiling BIND 9.17.10 or above ...

2021-05-27 Thread Rick Dicaire
Now another problem comes up and I hope someone here can help me. The
Configure process now produces the message:

checking for OPENSSL... yes
checking for OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0... yes
checking for OPENSSL_init_ssl... no
checking for OPENSSL_init_crypto... no
checking for CRYPTO_zalloc... no
checking for EVP_CIPHER_CTX_new... no
checking for EVP_CIPHER_CTX_free... no
checking for EVP_MD_CTX_new... no
checking for EVP_MD_CTX_free... no
checking for EVP_MD_CTX_reset... no
checking for HMAC_CTX_new... no
checking for HMAC_CTX_free... no
checking for HMAC_CTX_reset... no
checking for HMAC_CTX_get_md... no
checking for SSL_read_ex... no
checking for SSL_peek_ex... no
checking for SSL_write_ex... no
checking for BIO_read_ex... no
checking for BIO_write_ex... no
checking for SSL_CTX_up_ref... no
checking for SSL_CTX_set_min_proto_version... no
checking for ECDSA_sign... no
configure: error: in `/root/tools/software/bind-9.17.13':
configure: error: ECDSA support in OpenSSL is mandatory.

But with the command "openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep
ECDSA" I get several lines with ECDSA. What could be the reason for this?


Re: Problems with compiling BIND 9.17.10 or above ...

2021-05-26 Thread Rick Dicaire
On Wed, May 26, 2021 at 1:07 PM Zhéxué M. @SysAdmin <
sys.admin@zhéxué-cloud.eu> wrote:

> The path of the library is set correctly...
>

How are you setting it?


Re: Possibly stupid Q

2021-01-20 Thread Rick Dicaire
On Wed, Jan 20, 2021 at 2:19 PM Bruce Johnson 
wrote:

> channel default_log {
> file "/var/named/log/default" versions 3 size 20m;
>   print-time  yes;
>   print-category yes;
>   print-severity yes;
>   severity info;
> };
>
> in named-chroot do these go to the actual system /var/named/log or does
> the named-chroot process put them in /var/named/chroot/var directory?
>
>
The path should be inside the chroot.


Re: Logging on a Bind server

2020-10-20 Thread Rick Dicaire
On Tue, Oct 20, 2020 at 10:17 AM  wrote:

> Dear BIND-Users,
>
> Does someone have an idea which log I have to activate?
>

Do you have querylog enabled?


9.16 on older platforms

2020-03-19 Thread Rick Dicaire
Hi folks, I have found that the new dependencies for 9.16 prevent it from
building on Slackware Linux 14.2 (no ply or libuv).
(Yes, I'm aware I can do the additional steps of downloading, compiling and
installing the deps, but that's not the point.)

It got me thinking: are there other platforms where 9.16 will no longer
build due to those missing deps?


Re: ip6 reverse delegation

2020-01-16 Thread Rick Dicaire
On Thu, Jan 16, 2020 at 8:29 PM Alan Batie  wrote:

> The zone file is:
>
> $ORIGIN .
> $TTL 300; 5 minutes
> 0.1.0.1.8.7.6.f.7.0.6.2.ip6.arpa IN SOA ns1.peak.org. hostmaster.peak.org.
> (
> 2020011606 ; serial
> 3600   ; refresh (1 hour)
> 3600   ; retry (1 hour)
> 86400  ; expire (1 day)
> 300; minimum (5 minutes)
> )
> NS  ns1.rdrop.com.
> NS  ns2.rdrop.com.
>
>
Shouldn't you also have an NS record that points to the upstream NS that's
subdelegating 0.1.0.1.8.7.6.f.7.0.6.2.ip6.arpa to the rdrop.com NSes?
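As an added example (not part of the thread), this shows how the zone name 0.1.0.1.8.7.6.f.7.0.6.2.ip6.arpa quoted above is derived from a nibble-aligned IPv6 prefix (it decodes to 2607:f678:1010::/48) and back, and adds a small check that the NS set the parent delegates with matches the apex NS RRset the child zone publishes; the rdrop.com NS names are taken from the quoted zone, everything else is constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

HEX = set("0123456789abcdef")


def ip6_arpa_zone(prefix: str) -> str:
    """Name of the ip6.arpa zone that a nibble-aligned IPv6 prefix reverses into.

    Each ip6.arpa label is one hex nibble, least significant first, so a /48
    keeps 12 nibbles and its delegation point is a 12-label name under ip6.arpa.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(
            f"/{net.prefixlen} is not nibble-aligned; ip6.arpa delegations fall on 4-bit boundaries"
        )
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    kept = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa"


def prefix_from_ip6_arpa(zone: str) -> str:
    """Inverse of ip6_arpa_zone: recover the prefix an ip6.arpa zone name covers."""
    labels = zone.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"{zone!r} is not under ip6.arpa")
    nibble_labels = labels[:-2]
    if len(nibble_labels) > 32 or any(len(l) != 1 or l not in HEX for l in nibble_labels):
        raise ValueError(f"{zone!r} has a label that is not a single hex nibble")
    nibbles = "".join(reversed(nibble_labels))
    padded = nibbles.ljust(32, "0")  # pad to a full 128-bit address
    addr = ":".join(padded[i : i + 4] for i in range(0, 32, 4))
    return str(ipaddress.IPv6Network(f"{addr}/{len(nibbles) * 4}"))


def _norm(name: str) -> str:
    """Owner names compare case-insensitively and always carry the trailing dot."""
    return name.lower().rstrip(".") + "."


def delegation_diff(parent_ns: Iterable[str], child_ns: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare the NS names the parent delegates with against the child's apex NS RRset.

    Returns (only_in_parent, only_in_child); both empty means the delegation and
    the apex NS RRset agree, which is what a resolver following the delegation expects.
    """
    p = {_norm(n) for n in parent_ns}
    c = {_norm(n) for n in child_ns}
    return sorted(p - c), sorted(c - p)


if __name__ == "__main__":
    zone = ip6_arpa_zone("2607:f678:1010::/48")
    print(zone, "<->", prefix_from_ip6_arpa(zone))
    print(delegation_diff(["ns1.rdrop.com.", "ns2.rdrop.com."], ["ns1.rdrop.com", "NS2.rdrop.com."]))
```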


Re: Logging of notify sending

2019-05-26 Thread Rick Dicaire
On Sun, May 26, 2019 at 6:05 PM Rick Dicaire  wrote:

>  dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key
> gw-zones: received notify for zone 'ldev': TSIG 'gw-zones'
>
> Seems I got it to work. Thanks Axel, and list.
>

While I see the receiving slave show TSIG in its log message, it doesn't appear
that the sending side's notify log message shows whether TSIG is used.


Re: Logging of notify sending

2019-05-26 Thread Rick Dicaire
 dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key gw-zones:
received notify for zone 'ldev': TSIG 'gw-zones'

Seems I got it to work. Thanks Axel, and list.

On Sun, May 26, 2019 at 4:37 PM Greg Rivers 
wrote:

> On Sunday, May 26, 2019 11:51:38 AM CDT Axel Rau wrote:
> >
> > > Am 26.05.2019 um 18:38 schrieb Rick Dicaire :
> >
> > > A quick google search of "bind also-notify key" returns:
> > >
> > > https://kb.isc.org/docs/aa-00851
> > > https://kb.isc.org/docs/aa-00296
> > >
> > > Looks like keys provide a means to differentiate views.
> >
> > ARM for bind 9.14.1 says on page 24:
> >
> > For example, a key may be specified for each server in the masters
> statement in
> > the definition of a slave zone; in this case, all SOA QUERY messages,
> NOTIFY
> > messages, and zone transfer requests (AXFR or IXFR) will be signed using
> the
> > specified key. Keys may also be specified in the also-notify statement
> of a
> > master or slave zone, causing NOTIFY messages to be signed using the
> specified
> > key.
> >
> So it does. Seems my knowledge of this was either outdated or just plain
> wrong. Thanks for pointing this out.
>
> --
> Greg
>


Re: Logging of notify sending

2019-05-26 Thread Rick Dicaire
> On Sun, May 26, 2019 at 3:43 AM Axel Rau  wrote:

> So what for is the optional key in the also-notify statement?

A quick google search of "bind also-notify key" returns:

https://kb.isc.org/docs/aa-00851
https://kb.isc.org/docs/aa-00296

Looks like keys provide a means to differentiate views.


Re: Logging of notify sending

2019-05-25 Thread Rick Dicaire
If you've configured TSIG, syslog will show it as I have indicated
previously.
Notifications themselves don't use TSIG:

May 25 13:46:32 dns1 named[28905]: zone dhcp.ldev/IN: sending notifies
(serial 2017051322)
May 25 13:46:32 dns2 named[23971]: client @0x7fa834ee9ee0
192.168.15.1#63456: received notify for zone 'dhcp.ldev'



On Sat, May 25, 2019 at 4:17 PM Axel Rau  wrote:

>
>
> Am 25.05.2019 um 21:02 schrieb Rick Dicaire :
>
>
>
> On Sat, May 25, 2019 at 12:27 PM Axel Rau  wrote:
>
>> Hi all,
>>
>> category notify seems to cover reception of notifies.
>> How can I log sending of notifies?
>> I want to check, if the TSIG key is being used for the notify.
>>
>>
> Have you looked at syslog?
>
> You should see similar to:
>
> May 25 13:04:28 dns1 named[28905]: client @0x7f205c0f2ef0
> 192.168.15.13#52447/key gw-zones (dhcp.ldev): transfer of 'dhcp.ldev/IN':
> IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320)
> May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial
> 2017051320: TSIG 'gw-zones'
>
>
> This is logging of zone transfer, not sending of notify.
>
> Axel
> ---
> PGP-Key:29E99DD6  ☀  computing @ chaos claudius
>
>
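The messages in this thread quote the same kinds of event in signed and unsigned form (the notify for 'ldev' tagged `/key gw-zones ... TSIG 'gw-zones'`, the notify for 'dhcp.ldev' with no key, and the IXFR tagged with TSIG). As an added example (not from the list), this parser classifies named client log lines by event type and TSIG key so that unsigned notifies and transfers can be listed; SAMPLE_LOG is constructed from the lines quoted above, with an assumed timestamp on the 'ldev' line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the named syslog lines quoted in this thread
# (the 'ldev' notify is given an assumed timestamp).
SAMPLE_LOG = """\
May 25 13:04:28 dns1 named[28905]: client @0x7f205c0f2ef0 192.168.15.13#52447/key gw-zones (dhcp.ldev): transfer of 'dhcp.ldev/IN': IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320)
May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial 2017051320: TSIG 'gw-zones'
May 25 13:46:32 dns1 named[28905]: zone dhcp.ldev/IN: sending notifies (serial 2017051322)
May 25 13:46:32 dns2 named[23971]: client @0x7fa834ee9ee0 192.168.15.1#63456: received notify for zone 'dhcp.ldev'
May 26 18:02:11 dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key gw-zones: received notify for zone 'ldev': TSIG 'gw-zones'
"""

# Shape of a client line: "client @0xADDR IP#PORT[/key NAME][ (CONTEXT)]: MESSAGE"
CLIENT_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ "
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>[^\s:(]+))?"
    r"(?: \((?P<ctx>[^)]*)\))?"
    r": (?P<msg>.*)$"
)
NOTIFY_RE = re.compile(r"received notify for zone '(?P<zone>[^']+)'")
XFER_RE = re.compile(r"transfer of '(?P<zone>[^']+)'")
TSIG_RE = re.compile(r"\bTSIG '?(?P<name>[^'\s]+)'?")


@dataclass
class ClientEvent:
    host: str           # server that logged the line
    kind: str           # "notify" or "transfer"
    zone: str
    peer: str           # remote address#port
    key: Optional[str]  # TSIG key name, None when the request was unsigned

    @property
    def signed(self) -> bool:
        return self.key is not None


def parse_client_events(log_text: str) -> List[ClientEvent]:
    """Extract notify and zone-transfer client events from named log text."""
    events: List[ClientEvent] = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # "sending notifies", "transferred serial" etc. name no peer
        msg = m.group("msg")
        n = NOTIFY_RE.search(msg)
        x = XFER_RE.search(msg)
        if n:
            kind, zone = "notify", n.group("zone")
        elif x:
            kind, zone = "transfer", x.group("zone")
        else:
            continue
        # The key is logged in the client tag ("/key NAME") and again as "TSIG NAME"
        # in the message; accept either, so a missing key really means unsigned.
        t = TSIG_RE.search(msg)
        key = m.group("key") or (t.group("name") if t else None)
        host = line.split()[3]  # syslog prefix: "Mon DD HH:MM:SS host named[pid]: ..."
        events.append(ClientEvent(host, kind, zone.split("/")[0],
                                  f"{m.group('addr')}#{m.group('port')}", key))
    return events


def unsigned_events(log_text: str) -> List[ClientEvent]:
    """Notifies and transfers that arrived without a TSIG key: the lines to review
    on a server that is supposed to require one."""
    return [e for e in parse_client_events(log_text) if not e.signed]


if __name__ == "__main__":
    for e in unsigned_events(SAMPLE_LOG):
        print(f"{e.host}: unsigned {e.kind} for {e.zone} from {e.peer}")
```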


Re: Logging of notify sending

2019-05-25 Thread Rick Dicaire
On Sat, May 25, 2019 at 12:27 PM Axel Rau  wrote:

> Hi all,
>
> category notify seems to cover reception of notifies.
> How can I log sending of notifies?
> I want to check, if the TSIG key is being used for the notify.
>
>
Have you looked at syslog?

You should see similar to:

May 25 13:04:28 dns1 named[28905]: client @0x7f205c0f2ef0
192.168.15.13#52447/key gw-zones (dhcp.ldev): transfer of 'dhcp.ldev/IN':
IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320)
May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial
2017051320: TSIG 'gw-zones'


Re: Bind9 forward/reverse zones with multiple TSIG keys

2019-01-29 Thread Rick Dicaire
On Tue, Jan 29, 2019 at 1:02 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> Are you referring to the catalog zone itself allowing dynamic updates?
> Or allowing dynamic updates to the zones that are listed in the catalog
> zone(s)?
>

Either...

> I don't see any reason why you can't use DDNS to update the catalog
> zone.  The systems consuming the catalog zone will continue to do zone
> transfers for the zones listed in the catalog, including when they get a
> notify of a change to the catalog zone.

Regardless of how the change is stored, journal or zone file?


Re: Bind9 forward/reverse zones with multiple TSIG keys

2019-01-29 Thread Rick Dicaire
Wonder if you can use ddns zones with catalog zones, haven't tried it
myself...

On Tue, Jan 29, 2019 at 11:27 AM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 01/29/2019 01:19 AM, ObNox wrote:
> > Hi,
>
> Hi ObNox,
>
> > For that to work, I need to make sure every separated component works as
> > expected when configured separately.
>
> Ah, yes.  The joys / perils of testing discrete units individually and
> then starting to plug them together like Legos and making sure that things
> still work.
>
> > Now, the trouble really begins :
> >
> > 1/ I update the zones files to uncomment the "test" record and update
> > the serial number
> >
> > 2/ I update "named.conf" to uncomment the "allow-update" statement using
> > "key-dhcp"
> >
> > 3/ "named-checkconf" does not complain so "rndc reload"!
> >
> > Problem : The syslog messages don't show the lines indicating that the
> > zones have been reloaded, here's an extract :
> >
> > …
> >
> > I was expecting the usual messages after a zone change, like previously:
> >
> > …
> >
> > So now, with the new "allow-update" statement, the zones are not
> > reloaded and this is confirmed by "dig" :
> >
> > …
> >
> > The new record "test.domain.tld" is not found and the serial is not the
> > new one!
>
> I'm wondering if you're being bitten by something that got me years ago
> when I first started messing with dynamic zones that allowed updates.
>
> In short, when dynamic updates are enabled, BIND will make changes to a
> journal file (which I think is binary).  You have to "freeze" and
> "flush" the zone to be able to make changes to the text file.
>
> So I'm guessing that your change wasn't detected because you
> transitioned to dynamic updates ~> journal file at the same time (or
> apparently) before BIND loaded the new zone.  Thus the journal ~> BIND
> was using the old version of the zone file.
>
> I've found that I do most of my zone administration via nsupdate on the
> DNS server using the local key & socket.
>
> I only go through the "freeze" & "flush", edit, and "thaw" (& "sign" for
> DNSSEC) cycle when I have more (complex) edits than I want to make via
> nsupdate.  (I've also wrapped nsupdate with rlwrap so that I have some
> (readline) history and better nsupdate command line editing.)
>
> > I've tested dozens of combinations with both "allow-transfer" and
> > "allow-update" by putting them at the "view" level, "options" level,
> > "global" level, etc. and nothing changed.
>
> If BIND did do what I'm thinking, then your edits were functionally
> lost.  (Technically they may still be in the text file.)
>
> > So for now I'm lost and I need an expert's PoV to point what I'm doing
> > wrong and/or what I missed!
>
> I'm far from an expert.  But hopefully you can benefit from my toe
> stubbing / razor cuts.
>
> > Thank you for any useful clue.
>
> Good luck.
>
>
>
> --
> Grant. . . .
> unix || die
>


Re: Bind has a database option instead of zone files?

2019-01-27 Thread Rick Dicaire
I'm going to go out on a limb and say yes, databases are supported. I see
this in ./configure --help:

  --with-dlz-postgres=PATH
                          Build with Postgres DLZ driver [yes|no|path].
                          (Required to use Postgres with DLZ)
  --with-dlz-mysql=PATH   Build with MySQL DLZ driver [yes|no|path].
                          (Required to use MySQL with DLZ)
  --with-dlz-bdb=PATH     Build with Berkeley DB DLZ driver [yes|no|path].
                          (Required to use Berkeley DB with DLZ)
  --with-dlz-filesystem=ARG
                          Build with filesystem DLZ driver [yes|no].
                          (Required to use file system driver with DLZ)
  --with-dlz-ldap=PATH    Build with LDAP DLZ driver [yes|no|path].
                          (Required to use LDAP with DLZ)
  --with-dlz-odbc=PATH    Build with ODBC DLZ driver [yes|no|path].
                          (Required to use ODBC with DLZ)
  --with-dlz-stub=ARG     Build with stub DLZ driver [yes|no].
                          (Required to use stub driver with DLZ)

A look at Bind 9.12 ARM
https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/Bv9ARM.pdf
shows in section 4.12:

4.12 DLZ (Dynamically Loadable Zones) ............ 41
     Configuring DLZ ............................. 41
     Sample DLZ Driver ........................... 42

Curious, I used to use the sdb interface to postgres a number of years ago,
but I don't see any reference to sdb in ./configure anymore; guess it's been
removed, deprecated in favor of dlz?

@bramesh See https://nlnet.nl/project/bind-dlz/200205-sane/paper.html

On Sun, Jan 27, 2019 at 10:58 AM John Levine  wrote:

> In article  you write:
> >
> >Greetings!!
> >Does Bind have a database option to read zones [if zones are in database]
> >instead of zone files? If yes, how to set it up? Can someone help me.
>
> No.  If that's what you want to do, I'd suggest looking at PowerDNS.


Re: Should we bundle the MaxMind GeoIP db?

2018-05-30 Thread Rick Dicaire
Hi, would this conflict with any similar pkg installed by an OS's pkg
management system?

On Wed, May 30, 2018 at 5:27 PM, Victoria Risk  wrote:

> Hello GeoIP users,
>
> We are aware that Maxmind is discontinuing their older free GeoLite
> location database and replacing it with a new database with a new format
> (GeoLite2). https://dev.maxmind.com/geoip/geoip2/geolite2/
>
> We have an issue open in the BIND gitlab to update our Geo-IP support to
> use the new database api.
> https://gitlab.isc.org/isc-projects/bind9/issues/182
>
> The question is, would it be useful if we included the GeoLite2 database
> with the BIND distribution? Since we update at least twice a year, we could
> keep it fairly well up to date, and it would save users having to go get
> and update the db themselves. It would add about 1.5MB to
> the BIND distribution (depending on whether we use the country or city
> level).
>
> Votes, comments welcome.
>
> Thank you,
>
> Vicky
> -
> Product Manager
> Internet Systems Consortium
> vi...@isc.org


Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Rick Dicaire
Hi Thomas, obfuscating IP addresses doesn't help in the least.
ns1.sleepyvalley.net cannot be resolved, nor can we query it directly due
to that.

Did you register the nameserver ns1.sleepyvalley.net with your domain
registrar?

On Sat, May 26, 2018 at 12:44 PM, Thomas Strike 
wrote:

> I have been fighting a problem of setting up a new Bind9.9 primary
> authoritative server on the Internet for over 2 weeks now. My hosted
> secondary server cannot be set up until my primary server comes alive on
> the Internet. I have fought my domain name provider for over 2 weeks trying
> to get my new server propagated throughout the Internet and they say that the
> problem is with my server. This is very perplexing because there are at
> least 4 DNS servers out there that see my server and respond to all queries
> successfully that land on my server but no other server can see mine. It's
> hard to believe that the problem is on my end.
>
> I am here asking for fresh sets of eyes to look at my setup file and the
> domain zone record that is at issue. My domain is sleepyvalley.net and my
> primary dns server is ns1.sleepyvalley.net. Standard A records that
> should resolve are www., ftp., and mail.sleepyvalley.net.
>
> ----
>
> *named.conf:*
>
> acl trusted-servers  {
> 144.x.x.x.; // ns1.sleepyvalley.net
> 8..x.x.x;   // sdns1.ovh.ca
> };
>
> options {
> listen-on port 53 { any; };
> listen-on-v6 port 53 { any; };
>
> // I have IPv6 implemented on my server but could it be an IPv6 issue?
>
> allow-query { any; };
>
> recursion yes;
> allow-recursion {
> any;
> };
> allow-transfer {
> trusted-servers;
> };
>
> directory "/var/named";
> dump-file "/var/log/named/data/cache_dump.db";
> statistics-file "/var/log/named/data/named_stats.txt";
> memstatistics-file "/var/log/named/data/named_mem_stats.txt";
>
> notify yes;
>
>
> // I am not familiar with what dnssec does. Is it necessary for a primary
> DNS server to run properly?
>
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
>
> // Could this be a security key management issue?
>
> bindkeys-file "/etc/named.iscdlv.key";
> managed-keys-directory "/var/named/dynamic";
>
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
>
> include "/etc/named.logging";
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> zone "sleepyvalley.net" {
> type master;
> file "/var/named/sleepyvalley.net.hosts";
> allow-transfer { trusted-servers; };
> };
> key rndc-key {
> algorithm hmac-md5;
> secret "";
> };
> controls {
> inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
> };
> ----
>
> *sleepyvalley.net.hosts:*
>
> // I am a little confused about the Time-To-Live in this record.
> // Which of these 2 ttls do resolvers use to cache their answers for?
>
> $ttl 38400
> sleepyvalley.net.        IN  SOA  ns1.sleepyvalley.net. administrator.sleepyvalley.net. (
>                                   1526060969
>                                   1H
>                                   3600
>                                   5M
>                                   300 )   // short 5 min. ttl for testing.
> sleepyvalley.net.        IN  A    144.x.x.x.x
> mail.sleepyvalley.net.   IN  MX   10 mail.sleepyvalley.net.
> mail.sleepyvalley.net.   IN  A    144.x.x.x.x
> www.sleepyvalley.net.    IN  A    144.x.x.x.x
> ftp.sleepyvalley.net.    IN  A    144.x.x.x.x
> ns1.sleepyvalley.net.    IN  A    144.x.x.x.x
> sleepyvalley.net.        IN  NS   ns1.sleepyvalley.net.   // Primary DNS service
> sleepyvalley.net.        IN  NS   sdns1.ovh.ca.           // Secondary externally hosted DNS service.
> 
> 
> 
>
> Any insights would be gratefully appreciated. Thanks in advance.
>


Re: root hints

2018-05-02 Thread Rick Dicaire
Thanks for the responses folks...so if I don't need to manage root.hints,
can I remove the line:

zone "." IN {type hint;file "root.cache";};

from named.conf?


root hints

2018-05-02 Thread Rick Dicaire
Hi, used to be you could
dig > root.hints
and use this file in named.conf for root.hints configuration.
Some time around 9.11? the output of dig with no arguments stopped
reporting the ADDITIONAL section that shows the IPs of the root servers.

I've moved on to 9.12 and the dig behaviour is same as above, so for the
time being I'm using:
dig @a.root-servers.net.
to get an output usable for root.hints.

While the above works, what is the official/best-practice/recommended way
to update root.hints?

Thanks


Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Rick Dicaire
For libbind9, https://packages.ubuntu.com/trusty/libbind9-90

On Tue, Mar 20, 2018 at 4:02 PM, Ronald F. Guilmette 
wrote:

>
> In message <20180320193041.d2bwvgkgyvqem...@mycre.ws>,
> Robert Edmonds  wrote:
>
> >> I am porting some code of mine from FreeBSD to this Ubuntu system
> >> and I'm getting the following unresolved symbols at link time:
> >>
> >> __res_query
> >> __res_mkquery
> >> __res_send
> >>
> >> It seems apparent that this is caused by the fact that FreeBSD has
> >> the resolver routines integrated into libc, whereas Linux systems
> >> don't.
> >
> >For glibc versions that are less than about ten years old, these should
> >be available in libresolv, which is part of glibc.
>
> Thanks Robert!  I added -lresolv to the link and now the link step is
> succeeding.
>
> >See the resolver(3) manpage, which is probably in the manpages-dev
> >package on Ubuntu 14.
>
> For the record, I *did* look over that man page, and several others,
> before I posted my question.  But neither that man page nor any of the
> several others I looked at ever said a word about the necessary extra
> -l option needed in order to drag in the needed resolver routines.
>
> >This is unrelated to libbind9, which is a different API.
>
> Well, see, and -that- may perhaps be a problem.  I dunno yet.  My hope,
> of course, is that I have not relied on any of the finer subtleties or
> more obscure aspects of libbind in any of my coding, but it may come to
> light that I have, and I may in fact end up needing to link to the
> real libbind9.  I would still like to know how to do that, just in case,
> and I am still utterly perplexed and mystified about why the linker
> couldn't seem to find libbind9, even when I gave it the explicit path
> to the thing via an appropriate -L option.
>
> I hope somebody will explain that to me still, because whatever the
> answer is to that mystery, it is sure to be highly educational, for me
> anyway.


Re: SOA settings

2018-02-05 Thread Rick Dicaire
What is

Re: Stop Reverse resolution query Logging

2017-06-01 Thread Rick Dicaire
Tried empty-zones-enable yes; in named.conf?

On Thu, Jun 1, 2017 at 10:28 AM, Job  wrote:
> Dear guys,
>
> is there a way in Bind 9 to stop logging (to bind.log standard file) all the 
> in-addr.arpa queries?
> We would like to log everything else but not the reverse resolution queries.
>
> Thank you!
> F


Re: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

2015-09-27 Thread Rick Dicaire
Unless something has changed, root is required to bind to ports below 1024
before privilege separation can begin.

On Sun, Sep 27, 2015 at 11:59 AM, Gordon Lang <gl...@goalex.com> wrote:

> Here is the file info:
>
> glang@nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin
> bind-9.10.3/sbin/named
> drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
> -rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
> glang@nstv1:/export/local/ISC>
>
>
> If I run "named" as user 'glang' without the "-u" option, it works fine --
> "named" runs as root (due to the suid file bit) and it listens on port 53
> of the configured ip addresses.
>
> If I run "named" as user 'glang' with the "-u incadmin" option, it does
> not work fine -- it runs with the change of process owner to 'incadmin',
> but it does not listen on any ip addresses.
>
> If I run "named" as user 'root' with the "-u incadmin" option, it works
> fine -- it listens on the configured ip's and it changes the owner of the
> process to 'incadmin'.
>
> --
> Gordon A. Lang
>
>
> On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.orei...@ucd.ie>
> wrote:
>
>> On Sat, 26 Sep 2015 17:27:56 +0100,
>> Gordon Lang wrote:
>> >
>> > CHANGE: I did not properly characterize the problem in my original
>> > post, so here is the real situation.
>> >
>> > If the bash shell from which I launch "named" is owned by root, then
>> > "named" runs perfectly using the "-u" option, even listening on the
>> > tun/tap interfaces.
>> > But if I run "named" as a regular user, relying on the SUID file
>> > setting to elevate privileges, then named fails to listen on any
>> > addresses.
>> > I believe the differences I saw before related to tun/tap interfaces
>> > were due to testing on different RedHat platforms, but this revised
>> > problem statement describes what is happening on both platforms.
>> >
>> > So the real problem is this: It seems I can use the SUID file bit to
>> > allow a regular user to launch named, OR I can use the "-u" option of
>> > "named" to lower the privileges after launch (requiring native root
>> > privileges to launch), but I can't use both at the same time.
>> >
>> > Can anyone shed any light on this scenario?
>>
>>   I'm missing some information which might help me understand the
>>   problem: the user and group to which your named belong.
>>
>>   Best regards,
>>   Niall O'Reilly
>>
>>
>
>
> --
>
> --
> Gordon A. Lang
>
-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u

Re: NO_PIE bind port build fail

2014-06-07 Thread Rick Dicaire
Noel, no I am not.


On Fri, Jun 6, 2014 at 11:57 PM, Noel Butler noel.but...@ausics.net wrote:

> Not a BSD user, but are you running any sort of extra security
> enforcement toolsets?
> PIE is IIRC, Position Independent Executable.
>
> On Fri, 2014-06-06 at 19:27 -0400, Rick Dicaire wrote:
>
>> Hi folks, in trying to update bind 9.8.7_15 on freebsd 8.4, I get the
>> following:
>>
>> ...
>>
>> Configuration summary:
>>
>> Optional features enabled:
>> Multiprocessing support (--enable-threads)
>> Print backtrace on crash (--enable-backtrace)
>> Dynamically loadable zone (DLZ) drivers:
>> None
>>
>> Features disabled or unavailable on this platform:
>> GSS-API (--with-gssapi)
>> PKCS#11/Cryptoki support (--with-pkcs11)
>> Allow 'fixed' rrset-order (--enable-fixed-rrset)
>> Automated Testing Framework (--with-atf)
>> GOST algorithm support (--with-gost)
>>
>> ===  Building for bind98-9.8.7_15
>> env: NO_PIE: No such file or directory
>> *** Error code 1
>>
>> Stop in /usr/ports/dns/bind98.
>> *** Error code 1
>>
>> Stop in /usr/ports/dns/bind98.
>>
>> === make failed for dns/bind98
>> === Aborting update
>>
>> === Update for bind98-9.8.7_14 failed
>> === Aborting update
>>
>> === You can restart from the point of failure with this command line:
>> portmaster flags dns/bind98 databases/db48 irc/weechat
>>
>> What is NO_PIE?








Re: NO_PIE bind port build fail

2014-06-07 Thread Rick Dicaire
Indeed, it's fixed, thanks.


On Sat, Jun 7, 2014 at 9:00 AM, Gardner Bell gardnerb...@gmail.com wrote:

 It looks as though a fix for this was committed to the ports tree about 13
 hours ago.  Update your ports and try again.



 --
 Gardner Bell





Re: IPv4 IPv6 Queries

2012-01-06 Thread Rick Dicaire
On Fri, Jan 6, 2012 at 8:05 AM, Brian Hamacher bhamac...@westianet.com wrote:
 I would like to configure my DNS Server to respond with A and AAAA records
 when someone queries for a specific site.  I don’t know if this
 functionality is even available but if it is would someone mind pointing me
 in the right direction to get this configured.

Just add an AAAA record that points to the corresponding IPv6 IP in
the zone file where your existing A record is.

hostname IN A xxx.xxx.xxx.xxx
hostname IN AAAA ::::etc




Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Rick Dicaire
On Fri, Nov 25, 2011 at 11:59 AM, Marek Kozlowski
kozlo...@mini.pw.edu.pl wrote:

 Do I *have* to use views to deal with such distinction or can I specify
 it just as above without views?

Pretty sure you have to use views; at the least, doing so would likely
be the best practice to follow.




Re: Port number in A record in zone file

2011-11-17 Thread Rick Dicaire
On Thu, Nov 17, 2011 at 8:46 AM, Aleksander Kurczyk
aleksanderkurc...@o2.pl wrote:
 Hello,
 Yesterday I asked here how can I run multiple named processes on different 
 ports in one OS. Now I have some troubles with that. How can I specify the 
 port number in zone file A record?

You can't.

Why would you run a dns server on a non standard port? There's no way
for clients to query via non standard ports.



Re: CNAME record for the root of the domain

2011-10-12 Thread Rick Dicaire
2011/10/12 Niccolò Belli darkba...@linuxsystems.it:
 How to set it?
 I know there is a workaround, but I hadn't been able to make it work...

What have you tried so far?




ddns and subdomains

2011-01-30 Thread Rick Dicaire
Hi folks,
I have ddns set up in a testing env, it's working.
ddns-domainname is dhcp6.example.com. Clients get assigned
host.dhcp6.example.com

My question is, is it correct to create a separate subdomain zone
specifically for dhcp6.example.com so example.com zone itself doesn't
have to be updated, and if so, how would example.com zone have to be
configured to point to zone dhcp6.example.com?

Thanks



Re: A Further Question about query-source

2010-09-08 Thread Rick Dicaire
On Wed, Sep 8, 2010 at 12:13 PM, Barry Finkel b19...@anl.gov wrote:
 Yesterday on the box I issued

     dig example.com @someserver.example.com

From the dig man page:

OPTIONS
   The -b option sets the source IP address of the query to address.
   This must be a valid address on one of the host's network interfaces
   or 0.0.0.0 or ::. An optional port may be specified by appending #port

As far as I know dig doesn't rely on named.conf.
Hope that helps.


dlz/sdb backends and dnssec

2010-08-01 Thread Rick Dicaire
I've seen no mention of this, but is it possible to implement dnssec
while using one of dlz or sdb backends that contain zone data?



Re: reject or drop AAAA queries

2010-07-22 Thread Rick Dicaire
On Thu, Jul 22, 2010 at 9:24 AM, Rock July headgea...@yahoo.com wrote:
 I just want to know if I put listen--on-v4 {yes;}; on options of
 named.conf, will my DNS drop or reject all AAAA queries by IPv4 clients?

Why do you think you want to know this? It was recommended in another
listmail on this list that you fix the underlying problem of
potentially having ipv6 enabled clients on the network.


Re: dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Rick Dicaire
On Sun, Jul 18, 2010 at 3:28 PM, Matthew Seaman
m.sea...@infracaninophile.co.uk wrote:
 Think I'll just drop the external-chaos view.  Some script kiddie
 working out I'm running the latest version of bind is likely to be lower
 risk and a lot less harmful than dealing with broken dnssec chains of trust.

version none;
in global options...



recursive aaaa lookup errors?

2010-06-19 Thread Rick Dicaire
Hi folks, bind 9.7.1, dnssec enabled and using dlv, bind built with

./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --localstatedir=/var \
  --mandir=/usr/man \
  --enable-threads \
  --enable-ipv6 \
  --build=$ARCH-slackware-linux

on a Slackware 13.0 32 bit machine. This server's use is recursive/cache only.

I'm getting the following in syslog; it only appears to be happening with
AAAA lookups:

Jun 19 10:58:23 vai named[6508]: error (no more) resolving
'sports.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:24 vai named[6508]: error (no more) resolving
'espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving
'log.wip.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving
'espndeportes.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving
'insider.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving
'r.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'sports.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'games.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'proxy.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'search.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'soccernet.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'streak.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'proxy.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'view.atdmt.com/AAAA/IN': 206.16.21.22#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'view.atdmt.com/AAAA/IN': 65.55.116.166#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving
'view.atdmt.com/AAAA/IN': 65.203.229.15#53
Jun 19 10:58:38 vai named[6508]: error (no more) resolving
'broadband.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 11:02:44 vai named[6508]: error (no more) resolving
'mail.g.comcast.net/AAAA/IN': 76.96.53.47#53
Jun 19 11:02:44 vai named[6508]: error (no more) resolving
'mail.g.comcast.net/AAAA/IN': 68.87.66.201#53
Jun 19 11:02:44 vai named[6508]: error (no more) resolving
'mail.g.comcast.net/AAAA/IN': 76.96.40.18#53


named.conf global options:

options {
    directory "/etc";
    listen-on { 192.168.20.2; 127.0.0.1; };
    empty-zones-enable no;
    edns-udp-size 4096;
    server-id none;
    version none;
    hostname none;
    allow-recursion { 192.168.20.1; 192.168.20.2; 192.168.1.0/24;
                      127.0.0.1; };
    zone-statistics yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};

trusted-keys {
    dlv.isc.org. 257 3 5
    "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
    brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
    1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
    ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
    Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
    QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
    TDN0YUuWrBNh";
};

-snip-

What is the cause for these errors?

Thanks



Re: Master slave configuration of DNSSEC

2010-05-01 Thread Rick Dicaire
On Sat, May 1, 2010 at 11:32 AM, Sajeev Ramakrishnan
kalpesh.l...@gmail.com wrote:
 I have a question regarding configuration of DNSSEC. If I intend to sign a
 particular zone which has master and a slave, would I have to sign both?

No.

Assuming you've correctly set up zone xfers from master to slave, the
actual zone contents the slave possesses are dependent on what the
master gives it. If the master has dnssec data in the zone file, then
this is what the slave will get.



Re: Different handling of referrals by dig and nslookup

2010-02-13 Thread Rick Dicaire
On Sat, Feb 13, 2010 at 12:07 PM, kalpesh varyani
kalpesh.l...@gmail.com wrote:
 From a third linux system, I try name resolution using dig or nslookup.
 In this system, I have resolv.conf as:

 nameserver A
 nameserver B

Just out of curiosity, why do you have a non recursing name server in
resolv.conf?



Re: Script to delete zone from named.conf

2010-02-04 Thread Rick Dicaire
On Thu, Feb 4, 2010 at 12:12 PM, bsd b...@todoo.biz wrote:
 zone "abc.com" {
       type slave;
       masters  { 213.14.17.2 ; };
       file "hosts.abc.com";
 };

You could put the whole statement on one line, then use grep or sed
based on the zone name.
Operationally, it'd work, and no doubt others will argue aesthetic
reasons not to do this. Alternately
a more complicated script could be written to handle the format as you
currently have it.

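A script of the "more complicated" kind the reply mentions, added here as an example and not code from the thread or from ISC: it removes one top-level zone statement from a named.conf in the multi-line layout quoted above by matching braces while skipping comments and quoted strings, which is exactly where a grep/sed one-liner goes wrong. SAMPLE_CONF, find_zone_span and remove_zone are names chosen for this example.

```python
import re

# Constructed named.conf fragment in the multi-line layout quoted above.
# The braces inside comments are deliberate: counting every '{' and '}'
# with grep/sed would mis-detect where the abc.com block ends.
SAMPLE_CONF = """\
options {
        directory "/etc/namedb";   // a { brace } in a comment must not count
};

zone "abc.com" {
        type slave;
        masters  { 213.14.17.2 ; };
        file "hosts.abc.com";      # another { stray } brace
};

zone "example.net" IN {
        type master;
        file "master/example.net";
};
"""

# Start of a top-level zone statement: zone "name" [IN] {
_ZONE_HEAD = re.compile(r'zone\s+"?(?P<name>[^\s"{]+)"?(?:\s+IN)?\s*\{', re.I)


def _skip_opaque(conf, i):
    """Index just past the string or comment opening at conf[i], else None."""
    if conf.startswith('"', i):
        j = conf.find('"', i + 1)
        return len(conf) if j == -1 else j + 1
    if conf.startswith('/*', i):
        j = conf.find('*/', i + 2)
        return len(conf) if j == -1 else j + 2
    if conf.startswith('//', i) or conf.startswith('#', i):
        j = conf.find('\n', i)
        return len(conf) if j == -1 else j
    return None


def _block_end(conf, open_idx):
    """Index just past the '};' closing the block whose '{' is at open_idx;
    nested blocks such as masters { ... }; are balanced on the way."""
    depth, i = 0, open_idx
    while i < len(conf):
        skip = _skip_opaque(conf, i)        # braces in strings/comments don't count
        if skip is not None:
            i = skip
            continue
        if conf[i] == '{':
            depth += 1
        elif conf[i] == '}':
            depth -= 1
            if depth == 0:
                i += 1
                while i < len(conf) and conf[i] in ' \t':
                    i += 1
                return i + 1 if conf.startswith(';', i) else i
        i += 1
    raise ValueError("unbalanced braces in named.conf")


def find_zone_span(conf, zone_name):
    """(start, end) of the top-level statement for zone_name (case and
    trailing dot ignored), or None. Zones nested inside a view {} are not
    searched; that is a simplification of this example."""
    want = zone_name.lower().rstrip('.')
    depth, i = 0, 0
    while i < len(conf):
        skip = _skip_opaque(conf, i)
        if skip is not None:
            i = skip
            continue
        if conf[i] == '{':
            depth += 1
        elif conf[i] == '}':
            depth -= 1
        elif depth == 0 and (i == 0 or not conf[i - 1].isalnum()):
            m = _ZONE_HEAD.match(conf, i)
            if m and m.group('name').lower().rstrip('.') == want:
                start = conf.rfind('\n', 0, i) + 1      # back up to line start
                end = _block_end(conf, m.end() - 1)
                while end < len(conf) and conf[end] == '\n':
                    end += 1                             # eat the blank line too
                return start, end
        i += 1
    return None


def remove_zone(conf, zone_name):
    """Return conf with the named top-level zone statement removed."""
    span = find_zone_span(conf, zone_name)
    if span is None:
        raise KeyError(f"zone {zone_name!r} not found at top level")
    return conf[:span[0]] + conf[span[1]:]
```

Run the result through named-checkconf before reloading; the script only guarantees brace balance, not that the remaining configuration is complete.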


Re: rndc stalls on any command -- maybe because 127.0.0.1 is not in routing table?

2010-01-24 Thread Rick Dicaire
Is lo up?
Is named actually listening on 127.0.0.1:953?
Is there a firewall?

On Sun, Jan 24, 2010 at 1:29 PM, Nicholas Tung nt...@ntung.com wrote:
 Hi all,

    The rndc tool, which is used for all BIND configuration (yast,
 /etc/init.d/named stop), appears to stall on any command. See [Listing
 1] for output before it stalls (freezes not in the DNS zone sense)
 and [Listing 2] for afterwards.

    I used lsof to show the open files [Listing 3]. The last line
 doesn't appear to say it's a localhost source, and localhost
 doesn't seem to be in the routing tables [Listing 4]. Could this be
 the problem? If it is, could anyone consider adding a warning (or
 maybe even failing if an override option isn't set)?

 Thanks very much,
 Nicholas — ntung at ntung —  https://ntung.com




 === Listing 1 -- output of command, process waits after last line ===
 rndc -V stop
 create memory context
 create socket manager
 create task manager
 create task
 create logging context
 setting log tag
 creating log channel
 enabling log channel
 create parser
 get key
 decode base64 secret
 stop
 post event
 using server 127.0.0.1 (127.0.0.1#953)
 create socket
 bind socket
 connect

 === Listing 2 -- message after wait ===
 rndc: connect failed: 127.0.0.1#953: timed out

 === Listing 3 -- open files when rndc is frozen ===
 lsof -p $(ps -C rndc -o pid=) +L
 COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NLINK    NODE NAME
 rndc    19939 root  cwd    DIR   8,18    12288   108    8193 /etc
 rndc    19939 root  rtd    DIR   8,18     4096    23       2 /
 rndc    19939 root  txt    REG   8,18    31800     1 1055141 /usr/sbin/rndc
 rndc    19939 root  mem    REG   8,18   346560     1  786938
 /lib64/libm-2.10.1.so
 rndc    19939 root  mem    REG   8,18    88640     1  786849
 /lib64/libz.so.1.2.3
 rndc    19939 root  mem    REG   8,18    14872     1  786933
 /lib64/libdl-2.10.1.so
 rndc    19939 root  mem    REG   8,18  1360392     1 7471871
 /usr/lib64/libxml2.so.2.7.3
 rndc    19939 root  mem    REG   8,18  1605840     1 7472655
 /usr/lib64/libcrypto.so.0.9.8
 rndc    19939 root  mem    REG   8,18   131260     1  786809
 /lib64/libpthread-2.10.1.so
 rndc    19939 root  mem    REG   8,18  1408560     1  786838
 /lib64/libc-2.10.1.so
 rndc    19939 root  mem    REG   8,18   354120     1 7471241
 /usr/lib64/libisc.so.50.1.1
 rndc    19939 root  mem    REG   8,18  1497256     1 7471310
 /usr/lib64/libdns.so.53.0.0
 rndc    19939 root  mem    REG   8,18    43680     1 7475078
 /usr/lib64/libbind9.so.50.0.3
 rndc    19939 root  mem    REG   8,18    35616     1 7471143
 /usr/lib64/libisccc.so.50.0.0
 rndc    19939 root  mem    REG   8,18   120168     1 7471234
 /usr/lib64/libisccfg.so.50.0.0
 rndc    19939 root  mem    REG   8,18   127680     1  786832 
 /lib64/ld-2.10.1.so
 rndc    19939 root    0u   CHR  136,3      0t0     1       6 /dev/pts/3
 rndc    19939 root    1u   CHR  136,3      0t0     1       6 /dev/pts/3
 rndc    19939 root    2u   CHR  136,3      0t0     1       6 /dev/pts/3
 rndc    19939 root    3r  FIFO    0,8      0t0     1   84973 pipe
 rndc    19939 root    4w  FIFO    0,8      0t0     1   84973 pipe
 rndc    19939 root    5u      0,9        0     1     679 anon_inode
 rndc    19939 root    7r   REG    0,3        0     1   10516 /proc/2283/status
 rndc    19939 root   20u  IPv4  84977      0t0           TCP
 c-98-207-60-37.hsd1.ca.comcast.net:55316->localhost:953 (SYN_SENT)

 === Listing 4 -- route configuration ===
 ip route show
 98.207.60.0/22 dev eth-inet  proto kernel  scope link  src 98.207.60.37
 169.254.0.0/16 dev eth0  scope link
 192.168.0.0/16 dev eth0  proto kernel  scope link  src 192.168.2.1
 192.168.0.0/16 dev eth1  proto kernel  scope link  src 192.168.2.2
 default via 98.207.60.1 dev eth-inet





Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?

2010-01-11 Thread Rick Dicaire
On Mon, Jan 11, 2010 at 12:29 PM, Mathew J. Newton
bind-us...@newtonnet.co.uk wrote:
 The same delegation records are present as glue in the .org nameservers.

While this is not in response to your original question, I am curious.
I'm not sure if you were part of the discussion we just had on IRC
freenode #ipv6, but querying a .org TLD NS for AAAA records for ns1
and ns2.v6ns.org returns no actual AAAA records, no errors reported,
but there seem to be AAAA records shown in the ADDITIONAL section of
the query response.

If I understand this correctly, the lack of an ANSWER section for an AAAA
query would denote there is no ipv6 glue at the TLD?

2001:500:e::1 being a0.org.afilias-nst.info, a .org TLD NS

; <<>> DiG 9.6.1-P2-RedHat-9.6.1-13.P2.fc12 <<>> AAAA ns1.v6ns.org @2001:500:e::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38080
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.v6ns.org.  IN  AAAA

;; AUTHORITY SECTION:
v6ns.org.   86400   IN  NS  ns1.v6ns.org.
v6ns.org.   86400   IN  NS  ns2.v6ns.org.

;; ADDITIONAL SECTION:
ns1.v6ns.org.   86400   IN  A   77.103.161.36
ns2.v6ns.org.   86400   IN  A   77.103.161.36
ns1.v6ns.org.   86400   IN  AAAA    2a01:348:133::a1
ns2.v6ns.org.   86400   IN  AAAA    2a01:348:6:a1::2

;; Query time: 102 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Mon Jan 11 12:44:13 2010
;; MSG SIZE  rcvd: 150



; <<>> DiG 9.6.1-P2-RedHat-9.6.1-13.P2.fc12 <<>> AAAA ns2.v6ns.org @2001:500:e::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 377
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.v6ns.org.  IN  AAAA

;; AUTHORITY SECTION:
v6ns.org.   86400   IN  NS  ns2.v6ns.org.
v6ns.org.   86400   IN  NS  ns1.v6ns.org.

;; ADDITIONAL SECTION:
ns2.v6ns.org.   86400   IN  AAAA    2a01:348:6:a1::2
ns2.v6ns.org.   86400   IN  A   77.103.161.36
ns1.v6ns.org.   86400   IN  A   77.103.161.36
ns1.v6ns.org.   86400   IN  AAAA    2a01:348:133::a1

;; Query time: 719 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Mon Jan 11 12:44:23 2010
;; MSG SIZE  rcvd: 150

An example showing glue in .com/.net:

; <<>> DiG 9.6.1-P2-RedHat-9.6.1-13.P2.fc12 <<>> AAAA ns2.he.net @G.GTLD-SERVERS.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25892
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.he.net.    IN  AAAA

;; ANSWER SECTION:
ns2.he.net. 172800  IN  AAAA    2001:470:200::2

;; AUTHORITY SECTION:
he.net. 172800  IN  NS  ns1.he.net.
he.net. 172800  IN  NS  ns2.he.net.
he.net. 172800  IN  NS  ns3.he.net.
he.net. 172800  IN  NS  ns4.he.net.
he.net. 172800  IN  NS  ns5.he.net.

;; ADDITIONAL SECTION:
ns1.he.net. 172800  IN  A   216.218.130.2
ns2.he.net. 172800  IN  A   216.218.131.2
ns2.he.net. 172800  IN  AAAA    2001:470:200::2
ns3.he.net. 172800  IN  A   216.218.132.2
ns3.he.net. 172800  IN  AAAA    2001:470:300::2
ns4.he.net. 172800  IN  A   216.66.1.2
ns4.he.net. 172800  IN  AAAA    2001:470:400::2
ns5.he.net. 172800  IN  A   216.66.80.18
ns5.he.net. 172800  IN  AAAA    2001:470:500::2

;; Query time: 100 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Mon Jan 11 12:54:02 2010
;; MSG SIZE  rcvd: 334


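To make the ANSWER-versus-ADDITIONAL distinction the post is asking about mechanical, here is an added example (not the poster's code) that parses dig's sectioned text output and reports whether the queried name's AAAA came back in ANSWER, only in ADDITIONAL, or not at all. The two sample outputs are constructed with documentation names and addresses, modelled on the two shapes shown above; parse_dig and classify_glue are names chosen for this example.

```python
import re

# Constructed dig outputs modelled on the two shapes seen in this thread.
# Names and addresses are documentation values, not the real servers.
REFERRAL_STYLE = """\
; <<>> DiG 9.6.1 <<>> AAAA ns1.example.org @2001:db8::53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38080
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;ns1.example.org.        IN    AAAA

;; AUTHORITY SECTION:
example.org.        86400   IN  NS  ns1.example.org.
example.org.        86400   IN  NS  ns2.example.org.

;; ADDITIONAL SECTION:
ns1.example.org.    86400   IN  A     192.0.2.36
ns2.example.org.    86400   IN  A     192.0.2.36
ns1.example.org.    86400   IN  AAAA  2001:db8:133::a1
ns2.example.org.    86400   IN  AAAA  2001:db8:6:a1::2

;; Query time: 102 msec
"""

ANSWER_STYLE = """\
; <<>> DiG 9.6.1 <<>> AAAA ns2.example.net @2001:db8::54
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25892
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;ns2.example.net.        IN    AAAA

;; ANSWER SECTION:
ns2.example.net.    172800  IN  AAAA  2001:db8:200::2

;; AUTHORITY SECTION:
example.net.        172800  IN  NS    ns2.example.net.

;; ADDITIONAL SECTION:
ns2.example.net.    172800  IN  A     198.51.100.2
ns2.example.net.    172800  IN  AAAA  2001:db8:200::2
"""

_SECTION = re.compile(r"^;; (\w+) SECTION:$")


def parse_dig(text):
    """Split dig's text output into {section: [records]}. Answer, authority
    and additional records are (name, ttl, class, type, rdata) tuples; the
    question is stored as (name, type)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:               # a blank line closes the current section
            current = None
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue               # banner, flags and timing lines
        if current == "QUESTION":  # dig prints the question as ";name  IN  TYPE"
            f = line.lstrip(";").split()
            sections[current].append((f[0].lower(), f[-1].upper()))
        elif not line.startswith(";"):
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            sections[current].append((name.lower(), int(ttl), rclass, rtype.upper(), rdata))
    return sections


def classify_glue(text):
    """Report where the queried name's records of the queried type appear:
    'answer', 'additional-only' (glue handed out with a referral) or 'none'."""
    s = parse_dig(text)
    qname, qtype = s["QUESTION"][0]

    def rdata_in(section):
        return [r[4] for r in s.get(section, []) if r[0] == qname and r[3] == qtype]

    in_answer, in_additional = rdata_in("ANSWER"), rdata_in("ADDITIONAL")
    verdict = "answer" if in_answer else "additional-only" if in_additional else "none"
    return {"qname": qname, "qtype": qtype, "answer": in_answer,
            "additional": in_additional, "verdict": verdict}
```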


recursion confusion

2010-01-07 Thread Rick Dicaire
Hi folks, what's the difference between recursion no; and
allow-recursion {none;};

Thanks


Re: IPv6 TCP

2009-12-28 Thread Rick Dicaire
On Mon, Dec 28, 2009 at 10:56 AM, Pamela Rock prock...@yahoo.com wrote:
 When I query TCP with IPv6 I get the following error:

Check client machine firewall.



Re: Remove/add [A] records based upon server availability

2009-12-27 Thread Rick Dicaire
On Sun, Dec 27, 2009 at 3:16 AM, Ryan S ryan332...@hotmail.com wrote:
 Some web browers and applications will fail in a round-robin A record
 configuration such that if the first A record returned is unavailable, then
 the browser will not bring up the page.

So fix the application instead of bending the protocol to suit a
broken application's needs?
Specifically, what web browsers and applications are you referring to?
On what OS's?



Re: Remove/add [A] records based upon server availability

2009-12-26 Thread Rick Dicaire
On Sat, Dec 26, 2009 at 3:14 PM, Ryan S ryan332...@hotmail.com wrote:
 Is there a method in BIND to add/remove A records based upon server
 availability?

Just curious, but why do you think you want this? What problem does
such an implementation address?



Re: New BIND server

2009-10-28 Thread Rick Dicaire
On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil
martin.dubre...@neosynergix.com wrote:
 but would like to get your tips and tricks to secure your BIND servers
 before putting it into production.

A little vague here. You haven't defined what your intentions are. Is
this an authoritative only server for zones? Recursive server for
clients? Other questions I can't think of at the moment?



Re: root and in-addr.arpa zone transfers

2009-09-09 Thread Rick Dicaire
On Wed, Sep 9, 2009 at 10:51 AM, Rich Goodson rgood...@gronkulator.com wrote:
 zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                192.33.4.12;    // C.ROOT-SERVERS.NET.
                192.112.36.4;   // G.ROOT-SERVERS.NET.
                193.0.14.129;   // K.ROOT-SERVERS.NET.
        };
        notify no;
 };

Interesting... can any of the root servers be used, or must it be just
these three?



Re: dig +trace failure

2009-09-02 Thread Rick Dicaire
On Wed, Sep 2, 2009 at 8:37 PM, Andris Kalnozols and...@hpl.hp.com wrote:
 My 9.6.1-P1 dig programs (HP-UX and Linux) rather consistently fail
 when trying to trace the delegation of 231.84.192.IN-ADDR.ARPA.
 Out of curiousity, are others from different places on the Internet
 able to duplicate the failure?

Same here, bind 9.6.1_P1

snip

;; Received 196 bytes from 2001:503:ba3e::2:30#53(A.ROOT-SERVERS.NET) in 150 ms

231.84.192.in-addr.arpa. 86400  IN  NS  ns1.accrue.com.
231.84.192.in-addr.arpa. 86400  IN  NS  mail.boston.accrue.com.
;; Received 95 bytes from 192.26.92.32#53(HENNA.ARIN.NET) in 62 ms

;; Truncated, retrying in TCP mode.
socket.c:2486: REQUIRE(((sock) != ((void *)0)) && (((const
isc__magic_t *)(sock))->magic == ((('I') << 24 | ('O') << 16 | ('i')
<< 8 | ('o')))) failed.
Aborted




Re: stats brainteaser

2009-07-31 Thread Rick Dicaire
On Fri, Jul 31, 2009 at 10:58 AM, Todd canada...@gmail.com wrote:
 I've got a monitoring script in place that does an rndc stats and
 parses the output, then graphs it for me nicely.

How is this being monitored?

Are you sure it's not an artifact of your monitoring software?

I see this behaviour in mrtg/rrdtool when monitoring various dns stats.
