Re: compile flag to disable AAAA responses is unrecognized
On Tue, Jul 6, 2021 at 3:06 PM Scott Strattner wrote:

> I successfully built 9.16.18 on my RH8.4 ppc64el VM. But after doing so I
> wanted to set it up so that if it receives a query over IPv4 it will not
> return any records in the reply

Hi Scott, just curious, why do you need this?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Fwd: Problems with compiling BIND 9.17.10 or above ...
Now another problem comes up and I hope someone here can help me. The Configure process now produces the message:

checking for OPENSSL... yes
checking for OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0... yes
checking for OPENSSL_init_ssl... no
checking for OPENSSL_init_crypto... no
checking for CRYPTO_zalloc... no
checking for EVP_CIPHER_CTX_new... no
checking for EVP_CIPHER_CTX_free... no
checking for EVP_MD_CTX_new... no
checking for EVP_MD_CTX_free... no
checking for EVP_MD_CTX_reset... no
checking for HMAC_CTX_new... no
checking for HMAC_CTX_free... no
checking for HMAC_CTX_reset... no
checking for HMAC_CTX_get_md... no
checking for SSL_read_ex... no
checking for SSL_peek_ex... no
checking for SSL_write_ex... no
checking for BIO_read_ex... no
checking for BIO_write_ex... no
checking for SSL_CTX_up_ref... no
checking for SSL_CTX_set_min_proto_version... no
checking for ECDSA_sign... no
configure: error: in `/root/tools/software/bind-9.17.13':
configure: error: ECDSA support in OpenSSL is mandatory.

But with the command "openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep ECDSA" I get several lines with ECDSA. What could be the reason for this?
Re: Problems with compiling BIND 9.17.10 or above ...
On Wed, May 26, 2021 at 1:07 PM Zhéxué M. @SysAdmin <sys.admin@zhéxué-cloud.eu> wrote:

> The path of the library is set correctly...

How are you setting it?
Re: Possibly stupid Q
On Wed, Jan 20, 2021 at 2:19 PM Bruce Johnson wrote:

> channel default_log {
>     file "/var/named/log/default" versions 3 size 20m;
>     print-time yes;
>     print-category yes;
>     print-severity yes;
>     severity info;
> };
>
> in named-chroot do these go to the actual system /var/named/log or does
> the named-chroot process put them in /var/named/chroot/var directory?

The path should be inside the chroot.
Re: Logging on a Bind server
On Tue, Oct 20, 2020 at 10:17 AM wrote:

> Dear BIND-Users,
>
> Does someone have an idea which log I have to activate?

Do you have querylog enabled?
9.16 on older platforms
Hi folks, I have found that new dependencies for 9.16 prevent it being able to build on Slackware linux 14.2 (no ply or libuv). (Yes I'm aware I can do the additional steps of downloading, compiling, installing the deps, but that's not the point) It got me thinking, are there other platforms where 9.16 will no longer build due to those missing deps?
Re: ip6 reverse delegation
On Thu, Jan 16, 2020 at 8:29 PM Alan Batie wrote:

> The zone file is:
>
> $ORIGIN .
> $TTL 300 ; 5 minutes
> 0.1.0.1.8.7.6.f.7.0.6.2.ip6.arpa IN SOA ns1.peak.org. hostmaster.peak.org. (
>         2020011606 ; serial
>         3600       ; refresh (1 hour)
>         3600       ; retry (1 hour)
>         86400      ; expire (1 day)
>         300        ; minimum (5 minutes)
>         )
>     NS ns1.rdrop.com.
>     NS ns2.rdrop.com.

Shouldn't you also have an NS record that points to the upstream NS that's subdelegating 0.1.0.1.8.7.6.f.7.0.6.2.ip6.arpa to rdrop.com NSes?
Re: Logging of notify sending
On Sun, May 26, 2019 at 6:05 PM Rick Dicaire wrote:

> dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key gw-zones: received notify for zone 'ldev': TSIG 'gw-zones'
>
> Seems I got it to work. Thanks Axel, and list.

While I see the receiving slave show TSIG in log message, doesn't appear the send notify log message shows if TSIG is used.
Re: Logging of notify sending
dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key gw-zones: received notify for zone 'ldev': TSIG 'gw-zones'

Seems I got it to work. Thanks Axel, and list.

On Sun, May 26, 2019 at 4:37 PM Greg Rivers wrote:

> On Sunday, May 26, 2019 11:51:38 AM CDT Axel Rau wrote:
> > On 26.05.2019 at 18:38, Rick Dicaire wrote:
> > >
> > > A quick google search of "bind also-notify key" returns:
> > >
> > > https://kb.isc.org/docs/aa-00851
> > > https://kb.isc.org/docs/aa-00296
> > >
> > > Looks like keys provide a means to differentiate views.
> >
> > ARM for bind 9.14.1 says on page 24:
> >
> > For example, a key may be specified for each server in the masters statement in
> > the definition of a slave zone; in this case, all SOA QUERY messages, NOTIFY
> > messages, and zone transfer requests (AXFR or IXFR) will be signed using the
> > specified key. Keys may also be specified in the also-notify statement of a
> > master or slave zone, causing NOTIFY messages to be signed using the specified
> > key.
>
> So it does. Seems my knowledge of this was either outdated or just plain
> wrong. Thanks for pointing this out.
>
> --
> Greg
Re: Logging of notify sending
> On Sun, May 26, 2019 at 3:43 AM Axel Rau wrote:
> So what for is the optional key in the also-notify statement?

A quick google search of "bind also-notify key" returns:

https://kb.isc.org/docs/aa-00851
https://kb.isc.org/docs/aa-00296

Looks like keys provide a means to differentiate views.
Re: Logging of notify sending
If you've configured TSIG, syslog will show it as I have indicated previously. Notifications themselves don't use TSIG:

May 25 13:46:32 dns1 named[28905]: zone dhcp.ldev/IN: sending notifies (serial 2017051322)
May 25 13:46:32 dns2 named[23971]: client @0x7fa834ee9ee0 192.168.15.1#63456: received notify for zone 'dhcp.ldev'

On Sat, May 25, 2019 at 4:17 PM Axel Rau wrote:

> On 25.05.2019 at 21:02, Rick Dicaire wrote:
> > On Sat, May 25, 2019 at 12:27 PM Axel Rau wrote:
> > > Hi all,
> > >
> > > category notify seems to cover reception of notifies.
> > > How can I log sending of notifies?
> > > I want to check, if the TSIG key is being used for the notify.
> >
> > Have you looked at syslog?
> >
> > You should see similar to:
> >
> > May 25 13:04:28 dns1 named[28905]: client @0x7f205c0f2ef0 192.168.15.13#52447/key gw-zones (dhcp.ldev): transfer of 'dhcp.ldev/IN': IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320)
> > May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial 2017051320: TSIG 'gw-zones'
>
> This is logging of zone transfer, not sending of notify.
>
> Axel
> ---
> PGP-Key:29E99DD6 ☀ computing @ chaos claudius
Re: Logging of notify sending
On Sat, May 25, 2019 at 12:27 PM Axel Rau wrote:

> Hi all,
>
> category notify seems to cover reception of notifies.
> How can I log sending of notifies?
> I want to check, if the TSIG key is being used for the notify.

Have you looked at syslog?

You should see similar to:

May 25 13:04:28 dns1 named[28905]: client @0x7f205c0f2ef0 192.168.15.13#52447/key gw-zones (dhcp.ldev): transfer of 'dhcp.ldev/IN': IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320)
May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial 2017051320: TSIG 'gw-zones'
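The named log lines quoted in the "Logging of notify sending" messages above can be checked mechanically for TSIG use. The following is an added example, not code from the list or from ISC: it parses those lines (copied from the messages) and reports notify and transfer events that name no TSIG key, pairing each "sending notifies" line, which names no key, with what the receiver logged for the same zone. Matching sender and receiver by zone name alone is an assumption of this example, and the patterns cover only the message formats seen in this thread.

```python
import re

# Log lines copied from the messages in this thread. The last one was posted
# without a timestamp, so PREFIX treats the timestamp as optional.
SAMPLE_LOG = """\
May 25 13:04:28 dns1 named[28905]: client @0x7f205c0f2ef0 192.168.15.13#52447/key gw-zones (dhcp.ldev): transfer of 'dhcp.ldev/IN': IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320)
May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial 2017051320: TSIG 'gw-zones'
May 25 13:46:32 dns1 named[28905]: zone dhcp.ldev/IN: sending notifies (serial 2017051322)
May 25 13:46:32 dns2 named[23971]: client @0x7fa834ee9ee0 192.168.15.1#63456: received notify for zone 'dhcp.ldev'
dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key gw-zones: received notify for zone 'ldev': TSIG 'gw-zones'
"""

# Optional syslog timestamp, then host, "named[pid]:" and the message text.
PREFIX = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d+\s+[\d:]{8}\s+)?"
    r"(?P<host>\S+)\s+named\[\d+\]:\s+(?P<msg>.*)$"
)
# "client @0x... addr#port" with an optional "/key <name>" suffix.
CLIENT = (r"client (?:@0x[0-9a-f]+ )?(?P<peer>[0-9A-Fa-f.:]+)#\d+"
          r"(?:/key (?P<key>\S+?))?")

EVENTS = [
    ("notify_sent", re.compile(
        r"^zone (?P<zone>[^/\s]+)/\w+: sending notifies \(serial \d+\)")),
    ("notify_received", re.compile(
        "^" + CLIENT + r": received notify for zone '(?P<zone>[^']+)'"
        r"(?:: TSIG '(?P<tsig>[^']+)')?")),
    ("xfer_started", re.compile(
        "^" + CLIENT + r"(?: \([^)]*\))?: transfer of '(?P<zone>[^'/]+)/\w+': "
        r"[AI]XFR started(?:: TSIG (?P<tsig>\S+))?")),
    ("xfer_done", re.compile(
        r"^zone (?P<zone>[^/\s]+)/\w+: transferred serial \d+"
        r"(?:: TSIG '(?P<tsig>[^']+)')?")),
]


def parse_line(line):
    """Return a dict describing one named log line, or None if unrecognised."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    for kind, rx in EVENTS:
        e = rx.match(m["msg"])
        if e:
            d = e.groupdict()
            return {
                "host": m["host"],
                "kind": kind,
                "zone": d["zone"],
                "peer": d.get("peer"),
                # Prefer the explicit "TSIG ..." suffix, else the "/key" name.
                "tsig": d.get("tsig") or d.get("key"),
            }
    return None


def audit(log_text):
    """List (zone, event kind, status) for events with no TSIG key named.

    A 'sending notifies' line never names a key, so the sender's line is
    judged by what receivers logged for the same zone (example assumption:
    zone name is enough to pair the two sides).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    received = {}
    for e in events:
        if e["kind"] == "notify_received":
            received.setdefault(e["zone"], []).append(e["tsig"])

    findings = []
    for e in events:
        if e["kind"] == "notify_sent":
            keys = received.get(e["zone"], [])
            if not keys:
                status = "no receiver log for this zone"
            elif all(keys):
                status = "signed at receiver: " + ",".join(sorted(set(keys)))
            else:
                status = "UNSIGNED at receiver"
            if not keys or not all(keys):
                findings.append((e["zone"], e["kind"], status))
        elif e["tsig"] is None:
            findings.append((e["zone"], e["kind"], "UNSIGNED"))
    return findings


if __name__ == "__main__":
    for zone, kind, status in audit(SAMPLE_LOG):
        print(f"{zone:12} {kind:16} {status}")
```
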
Re: Bind9 forward/reverse zones with multiple TSIG keys
On Tue, Jan 29, 2019 at 1:02 PM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:

> Are you referring to the catalog zone itself allowing dynamic updates?
> Or allowing dynamic updates to the zones that are listed in the catalog
> zone(s)?

Either...

> I don't see any reason why you can't use DDNS to update the catalog
> zone. The systems consuming the catalog zone will continue to do zone
> transfers for the zones listed in the catalog, including when they get a
> notify of a change to the catalog zone.

Regardless how the change is stored, journal or zone file?
Re: Bind9 forward/reverse zones with multiple TSIG keys
Wonder if you can use ddns zones with catalog zones, haven't tried it myself...

On Tue, Jan 29, 2019 at 11:27 AM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:

> On 01/29/2019 01:19 AM, ObNox wrote:
> > Hi,
>
> Hi ObNox,
>
> > For that to work, I need to make sure every separated component works as
> > expected when configured separately.
>
> Ah, yes. The joys / perils of testing discrete units individually and
> then start plugging them together like Legos and making sure that things
> still work.
>
> > Now, the trouble really begins :
> >
> > 1/ I update the zones files to uncomment the "test" record and update
> > the serial number
> >
> > 2/ I update "named.conf" to uncomment the "allow-update" statement using
> > "key-dhcp"
> >
> > 3/ "named-checkconf" does not complain so "rndc reload"!
> >
> > Problem : The syslog messages don't show the lines indicating that the
> > zones have been reloaded, here's an extract :
> >
> > …
> >
> > I was expecting the usual messages after a zone change, like previously:
> >
> > …
> >
> > So now, with the new "allow-update" statement, the zones are not
> > reloaded and this is confirmed by "dig" :
> >
> > …
> >
> > The new record "test.domain.tld" is not found and the serial is not the
> > new one!
>
> I'm wondering if you're being bitten by something that got me years ago
> when I first started messing with dynamic zones that allowed updates.
>
> In short, when dynamic updates are enabled, BIND will make changes to a
> journal file (which I think is binary). You have to "freeze" and
> "flush" the zone to be able to make to text file.
>
> So I'm guessing that your change wasn't detected because you
> transitioned to dynamic updates ~> journal file at the same time (or
> apparently) before BIND loaded the new zone. Thus the journal ~> BIND
> was using the old version of the zone file.
>
> I've found that I do most of my zone administration via nsupdate on the
> DNS server using the local key & socket.
>
> I only go through the "freeze" & "flush", edit, and "thaw" (& "sign" for
> DNSSEC) cycle when I have more (complex) edits than I want to make via
> nsupdate. (I've also wrapped nsupdate with rlwrap so that I have some
> (readline) history and better nsupdate command line editing.)
>
> > I've tested dozens of combinations with both "allow-transfer" and
> > "allow-update" by putting them at the "view" level, "options" level,
> > "global" level, etc. and nothing changed.
>
> If BIND did do what I'm thinking, then your edits were functionally
> lost. (Technically they may still be in the text file.)
>
> > So for now I'm lost and I need an expert's PoV to point what I'm doing
> > wrong and/or what I missed!
>
> I'm far from an expert. But hopefully you can benefit from my toe
> stubbing / razor cuts.
>
> > Thank you for any useful clue.
>
> Good luck.
>
> --
> Grant. . . .
> unix || die
Re: Bind has a database option instead of zone files?
I'm going to go out on a limb and say yes, databases are supported. I see this in ./configure --help:

  --with-dlz-postgres=PATH   Build with Postgres DLZ driver [yes|no|path].
                             (Required to use Postgres with DLZ)
  --with-dlz-mysql=PATH      Build with MySQL DLZ driver [yes|no|path].
                             (Required to use MySQL with DLZ)
  --with-dlz-bdb=PATH        Build with Berkeley DB DLZ driver [yes|no|path].
                             (Required to use Berkeley DB with DLZ)
  --with-dlz-filesystem=ARG  Build with filesystem DLZ driver [yes|no].
                             (Required to use file system driver with DLZ)
  --with-dlz-ldap=PATH       Build with LDAP DLZ driver [yes|no|path].
                             (Required to use LDAP with DLZ)
  --with-dlz-odbc=PATH       Build with ODBC DLZ driver [yes|no|path].
                             (Required to use ODBC with DLZ)
  --with-dlz-stub=ARG        Build with stub DLZ driver [yes|no].
                             (Required to use stub driver with DLZ)

A look at Bind 9.12 ARM https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/Bv9ARM.pdf shows in section 4.12:

4.12 DLZ (Dynamically Loadable Zones) ... 41
     Configuring DLZ ... 41
     Sample DLZ Driver ... 42

Curious, I used to use the sdb interface to postgres a number of years ago, but I don't see any reference to sdb in ./configure anymore, guess it's been removed, deprecated in favor of dlz?

@bramesh See https://nlnet.nl/project/bind-dlz/200205-sane/paper.html

On Sun, Jan 27, 2019 at 10:58 AM John Levine wrote:

> In article you write:
> >Greetings!!
> >Does Bind has a database option to read zones [if zones are in database]
> >instead of zone files? if yes , how to setup? can someone help me.
>
> No. If that's what you want to do, I'd suggest looking at PowerDNS.
Re: Should we bundle the MaxMind GeoIP db?
Hi, would this conflict with any similar pkg installed by an OS's pkg management system?

On Wed, May 30, 2018 at 5:27 PM, Victoria Risk wrote:

> Hello GeoIP users,
>
> We are aware that Maxmind is discontinuing their older free GeoLite
> location database and replacing it with a new database with a new format
> (GeoLite2). https://dev.maxmind.com/geoip/geoip2/geolite2/
>
> We have an issue open in the BIND gitlab to update our Geo-IP support to
> use the new database api. https://gitlab.isc.org/isc-projects/bind9/issues/182
>
> The question is, would it be useful if we included the GeoLite2 database
> with the BIND distribution? Since we update at least twice a year, we could
> keep it fairly well up to date, and it would save users having to go get
> and update the db themselves. It would add about 1.5MB to
> the BIND distribution (depending on whether we use the country or city
> level).
>
> Votes, comments welcome.
>
> Thank you,
>
> Vicky
> -
> Product Manager
> Internet Systems Consortium
> vi...@isc.org
Re: My domain name name not propagating through the Internet.
Hi Thomas, obfuscating IP addresses doesn't help in the least. ns1.sleepyvalley.net cannot be resolved, nor can we query it directly due to that. Did you register the nameserver ns1.sleepyvalley.net with your domain registrar?

On Sat, May 26, 2018 at 12:44 PM, Thomas Strike wrote:

> I have been fighting a problem of setting up a new Bind9.9 primary
> authoritative server on the Internet for over 2 weeks now. My hosted
> secondary server cannot be set up until my primary server comes alive on
> the Internet. I have fought my domain name provider for over 2 weeks trying
> to get my new server propagated throughout the Internet and they say that the
> problem is with my server. This is very perplexing because there are at
> least 4 DNS servers out there that see my server and respond to all queries
> successfully that land on my server but no other server can see mine. It's
> hard to believe that the problem is on my end.
>
> I am here asking for fresh sets of eyes to look at my setup file and the
> domain zone record that is at issue. My domain is sleepyvalley.net and my
> primary dns server is ns1.sleepyvalley.net. Standard A records that
> should resolve are www., ftp., and mail.sleepyvalley.net.
>
> --
>
> *named.conf:*
>
> acl trusted-servers {
>     144.x.x.x.; // ns1.sleepyvalley.net
>     8..x.x.x; // sdns1.ovh.ca
> };
>
> options {
>     listen-on port 53 { any; };
>     listen-on-v6 port 53 { any; };
>
>     // I have IPv6 implemented on my server but could it be an IPv6 issue?
>
>     allow-query { any; };
>
>     recursion yes;
>     allow-recursion {
>         any;
>     };
>     allow-transfer {
>         trusted-servers;
>     };
>
>     directory "/var/named";
>     dump-file "/var/log/named/data/cache_dump.db";
>     statistics-file "/var/log/named/data/named_stats.txt";
>     memstatistics-file "/var/log/named/data/named_mem_stats.txt";
>
>     notify yes;
>
>     // I am not familiar with what dnssec does. Is it necessary for a primary DNS server to run properly?
>
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside auto;
>
>     // Could this be a security key management issue?
>
>     bindkeys-file "/etc/named.iscdlv.key";
>     managed-keys-directory "/var/named/dynamic";
>
>     pid-file "/run/named/named.pid";
>     session-keyfile "/run/named/session.key";
> };
> include "/etc/named.logging";
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> zone "sleepyvalley.net" {
>     type master;
>     file "/var/named/sleepyvalley.net.hosts";
>     allow-transfer { trusted-servers; };
> };
> key rndc-key {
>     algorithm hmac-md5;
>     secret "";
> };
> controls {
>     inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
> };
>
> --
>
> *sleepyvalley.net.hosts:*
>
> */*
> */ I am a little confused about the Time-To-Live in this record. *
>
> *// Which of these 2 ttls do resolvers use to cache their answers for?*
>
> $ttl 38400
> sleepyvalley.net. IN SOA ns1.sleepyvalley.net. administrator.sleepyvalley.net. (
>         1526060969
>         1H
>         3600
>         5M
>         300 ) // short 5 min. ttl for testing.
> sleepyvalley.net. IN A 144.x.x.x.x
> mail.sleepyvalley.net. IN MX 10 mail.sleepyvalley.net.
> mail.sleepyvalley.net. IN A 144.x.x.x.x
> www.sleepyvalley.net. IN A 144.x.x.x.x
> ftp.sleepyvalley.net. IN A 144.x.x.x.x
> ns1.sleepyvalley.net. IN A 144.x.x.x.x
> sleepyvalley.net. IN NS ns1.sleepyvalley.net. // Primary DNS service
> sleepyvalley.net. IN NS sdns1.ovh.ca. // Secondary externally hosted DNS service.
>
> Any insights would be gratefully appreciated. Thanks in advance.
Re: root hints
Thanks for the responses folks...so if I don't need to manage root.hints, can I remove the line: zone "." IN {type hint;file "root.cache";}; from named.conf?
root hints
Hi, used to be you could dig > root.hints and use this file in named.conf for root.hints configuration. Some time around 9.11? the output of dig with no arguments stopped reporting the ADDITIONAL section that shows the IPs of the root servers. I've moved on to 9.12 and the dig behaviour is same as above, so for the time being I'm using: dig @a.root-servers.net. to get an output usable for root.hints. While the above works, what is the official/best practise/recommended way to update root.hints? Thanks
Re: Help wanted: Linking to libbind9 on Ubuntu Linux
For libbind9, https://packages.ubuntu.com/trusty/libbind9-90

On Tue, Mar 20, 2018 at 4:02 PM, Ronald F. Guilmette wrote:

> In message <20180320193041.d2bwvgkgyvqem...@mycre.ws>,
> Robert Edmonds wrote:
>
> >> I am porting some code of mine from FreeBSD to this Ubuntu system
> >> and I'm getting the following unresolved symbols at link time:
> >>
> >> __res_query
> >> __res_mkquery
> >> __res_send
> >>
> >> It seems apparent that this is caused by the fact that FreeBSD has
> >> the resolver routines integrated into libc, whereas Linux systems
> >> don't.
> >
> >For glibc versions that are less than about ten years old, these should
> >be available in libresolv, which is part of glibc.
>
> Thanks Robert! I added -lresolv to the link and now the link step is
> succeeding.
>
> >See the resolver(3) manpage, which is probably in the manpages-dev
> >package on Ubuntu 14.
>
> For the record, I *did* look over that man page, and several others,
> before I posted my question. But neither that man page nor any of the
> several others I looked at ever said a word about the necessary extra
> -l option needed in order to drag in the needed resolver routines.
>
> >This is unrelated to libbind9, which is a different API.
>
> Well, see, and -that- may perhaps be a problem. I dunno yet. My hope,
> of course, is that I have not relied on any of the finer subtleties or
> more obscure aspects of libbind in any of my coding, but it may come to
> light that I have, and I may in fact end up needing to link to the
> real libbind9. I would still like to know how to do that, just in case,
> and I am still utterly perplexed and mystified about why the linker
> couldn't seem to find libbind9, even when I gave it the explicit path
> to the thing via an appropriate -L option.
>
> I hope somebody will explain that to me still, because whatever the
> answer is to that mystery, it is sure to be highly educational, for me
> anyway.
Re: SOA settings
What is
Re: Stop Reverse resolution query Logging
Tried empty-zones-enable yes; in named.conf?

On Thu, Jun 1, 2017 at 10:28 AM, Job wrote:

> Dear guys,
>
> is there a way in Bind 9 to stop logging (to bind.log standard file) all the
> in-addr.arpa queries?
> We would like to log everything else but not the reverse resolution queries.
>
> Thank you!
> F
Re: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface
Unless something has changed, root is required to bind to ports below 1024 before privilege separation can begin.

On Sun, Sep 27, 2015 at 11:59 AM, Gordon Lang <gl...@goalex.com> wrote:

> Here is the file info:
>
> glang@nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin bind-9.10.3/sbin/named
> drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
> -rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
> glang@nstv1:/export/local/ISC>
>
> If I run "named" as user 'glang' without the "-u" option, it works fine --
> "named" runs as root (due to the suid file bit) and it listens on port 53
> of the configured ip addresses.
>
> If I run "named" as user 'glang' with the "-u incadmin" option, it does
> not work fine -- it runs with the change of process owner to 'incadmin',
> but it does not listen on any ip addresses.
>
> If I run "named" as user 'root' with the "-u incadmin" option, it works
> fine -- it listens on the configured ip's and it changes the owner of the
> process to 'incadmin'.
>
> --
> Gordon A. Lang
>
> On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.orei...@ucd.ie> wrote:
>
>> On Sat, 26 Sep 2015 17:27:56 +0100,
>> Gordon Lang wrote:
>> >
>> > CHANGE: I did not properly characterize the problem in my original
>> > post, so here is the real situation.
>> >
>> > If the bash shell from which I launch "named" is owned by root, then
>> > "named" runs perfectly using the "-u" option, even listening on the
>> > tun/tap interfaces.
>> > But if I run "named" as a regular user, relying on the SUID file
>> > setting to elevate privileges, then named fails to listen on any
>> > addresses.
>> > I believe the differences I saw before related to tun/tap interfaces
>> > were due to testing on different RedHat platforms, but this revised
>> > problem statement describes what is happening on both platforms.
>> >
>> > So the real problem is this: It seems I can use the SUID file bit to
>> > allow a regular user to launch named, OR I can use the "-u" option of
>> > "named" to lower the privileges after launch (requiring native root
>> > privileges to launch), but I can't use both at the same time.
>> >
>> > Can anyone shed any light on this scenario?
>>
>> I'm missing some information which might help me understand the
>> problem: the user and group to which your named belongs.
>>
>> Best regards,
>> Niall O'Reilly
>
> --
> Gordon A. Lang

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: NO_PIE bind port build fail
Noel, no I am not.

On Fri, Jun 6, 2014 at 11:57 PM, Noel Butler noel.but...@ausics.net wrote:

> Not a BSD user, but are you running any sort of extra security enforcement toolsets?
> PIE is IIRC, Position Independent Executable.
>
> On Fri, 2014-06-06 at 19:27 -0400, Rick Dicaire wrote:
>
> > Hi folks, in trying to update bind 9.8.7_15 on freebsd 8.4, I get the following:
> >
> > ...
> > Configuration summary:
> > Optional features enabled:
> >     Multiprocessing support (--enable-threads)
> >     Print backtrace on crash (--enable-backtrace)
> >     Dynamically loadable zone (DLZ) drivers:
> >         None
> > Features disabled or unavailable on this platform:
> >     GSS-API (--with-gssapi)
> >     PKCS#11/Cryptoki support (--with-pkcs11)
> >     Allow 'fixed' rrset-order (--enable-fixed-rrset)
> >     Automated Testing Framework (--with-atf)
> >     GOST algorithm support (--with-gost)
> > === Building for bind98-9.8.7_15
> > env: NO_PIE: No such file or directory
> > *** Error code 1
> > Stop in /usr/ports/dns/bind98.
> > *** Error code 1
> > Stop in /usr/ports/dns/bind98.
> > === make failed for dns/bind98
> > === Aborting update
> > === Update for bind98-9.8.7_14 failed
> > === Aborting update
> > === You can restart from the point of failure with this command line:
> >     portmaster flags dns/bind98 databases/db48 irc/weechat
> >
> > What is NO_PIE?

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: NO_PIE bind port build fail
Indeed, its fixed, thanks. On Sat, Jun 7, 2014 at 9:00 AM, Gardner Bell gardnerb...@gmail.com wrote: It looks as though a fix for this was committed to the ports tree about 13 hours ago. Update your ports and try again. On 7 June 2014 08:35, Rick Dicaire kri...@gmail.com wrote: Noel, no I am not. On Fri, Jun 6, 2014 at 11:57 PM, Noel Butler noel.but...@ausics.net wrote: Not a BSD user, but are you running any sort of extra security enforcement toolsets? PIE is IIRC, Position Independent Executable. On Fri, 2014-06-06 at 19:27 -0400, Rick Dicaire wrote: Hi folks, in trying to update bind 9.8.7_15 on freebsd 8.4, I get the following: ... Configuration summary: Optional features enabled: Multiprocessing support (--enable-threads) Print backtrace on crash (--enable-backtrace) Dynamically loadable zone (DLZ) drivers: None Features disabled or unavailable on this platform: GSS-API (--with-gssapi) PKCS#11/Cryptoki support (--with-pkcs11) Allow 'fixed' rrset-order (--enable-fixed-rrset) Automated Testing Framework (--with-atf) GOST algorithm support (--with-gost) === Building for bind98-9.8.7_15 env: NO_PIE: No such file or directory *** Error code 1 Stop in /usr/ports/dns/bind98. *** Error code 1 Stop in /usr/ports/dns/bind98. === make failed for dns/bind98 === Aborting update === Update for bind98-9.8.7_14 failed === Aborting update === You can restart from the point of failure with this command line: portmaster flags dns/bind98 databases/db48 irc/weechat What is NO_PIE? 
-- Gardner Bell
-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: IPv4 IPv6 Queries
On Fri, Jan 6, 2012 at 8:05 AM, Brian Hamacher bhamac...@westianet.com wrote:
I would like to configure my DNS Server to respond with A and AAAA records when someone queries for a specific site. I don’t know if this functionality is even available but if it is would someone mind pointing me in the right direction to get this configured.

Just add an AAAA record that points to the corresponding IPv6 IP in the zone file where your existing A record is.

hostname IN A xxx.xxx.xxx.xxx
hostname IN AAAA ::::etc

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: multiple `zone' clauses for a single domain?
On Fri, Nov 25, 2011 at 11:59 AM, Marek Kozlowski kozlo...@mini.pw.edu.pl wrote:
Do I *have* to use views to deal with such distinction or can I specify it just as above without views?

Pretty sure you have to use views, in the least doing so would likely be the best good practice to follow.

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Port number in A record in zone file
On Thu, Nov 17, 2011 at 8:46 AM, Aleksander Kurczyk aleksanderkurc...@o2.pl wrote:
Hello, Yesterday I asked here how can I run multiple named processes on different ports in one OS. Now I have some troubles with that. How can I specify the port number in zone file A record?

You can't. Why would you run a dns server on a non standard port? There's no way for clients to query via non standard ports.

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: CNAME record for the root of the domain
2011/10/12 Niccolò Belli darkba...@linuxsystems.it:
How to set it? I know there is a workaround, but I hadn't been able to make it work...

What have you tried so far?

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
ddns and subdomains
Hi folks, I have ddns setup in a testing env, it's working. ddns-domainname is dhcp6.example.com. Clients get assigned host.dhcp6.example.com

My question is, is it correct to create a separate subdomain zone specifically for dhcp6.example.com so example.com zone itself doesn't have to be updated, and if so, how would example.com zone have to be configured to point to zone dhcp6.example.com?

Thanks

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: A Further Question about query-source
On Wed, Sep 8, 2010 at 12:13 PM, Barry Finkel b19...@anl.gov wrote:
Yesterday on the box I issued

dig example.com @someserver.example.com

From the dig man page:

OPTIONS
The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or 0.0.0.0 or ::. An optional port may be specified by appending #port

As far as I know dig doesn't rely on named.conf. Hope that helps.
dlz/sdb backends and dnssec
I've seen no mention of this, but is it possible to implement dnssec while using one of dlz or sdb backends that contain zone data?

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: reject or drop AAAA queries
On Thu, Jul 22, 2010 at 9:24 AM, Rock July headgea...@yahoo.com wrote:
I just want to know if I put listen--on-v4 {yes;}; on options of named.conf, will my DNS drop or reject all queries by IPv4 clients?

Why do you think you want to know this? It was recommended in another listmail on this list that you fix the underlying problem of potentially having ipv6 enabled clients on the network.
Re: dnssec-lookaside auto and managed-keys-zone problem with certain views
On Sun, Jul 18, 2010 at 3:28 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
Think I'll just drop the external-chaos view. Some script kiddie working out I'm running the latest version of bind is likely to be lower risk and a lot less harmful than dealing with broken dnssec chains of trust.

version none; in global options...

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
recursive aaaa lookup errors?
Hi folks, bind 9.7.1, dnssec enabled and using dlv, bind built with

./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --localstatedir=/var \
  --mandir=/usr/man \
  --enable-threads \
  --enable-ipv6 \
  --build=$ARCH-slackware-linux

on a Slackware 13.0 32 bit machine. This server's use is recursive/cache only. I'm getting the following in syslog, only appears to be happening with AAAA lookups:

Jun 19 10:58:23 vai named[6508]: error (no more) resolving 'sports.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:24 vai named[6508]: error (no more) resolving 'espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving 'log.wip.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving 'espndeportes.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving 'insider.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:25 vai named[6508]: error (no more) resolving 'r.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'sports.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'games.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'proxy.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'search.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'soccernet.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'streak.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'proxy.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'view.atdmt.com/AAAA/IN': 206.16.21.22#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'view.atdmt.com/AAAA/IN': 65.55.116.166#53
Jun 19 10:58:26 vai named[6508]: error (no more) resolving 'view.atdmt.com/AAAA/IN': 65.203.229.15#53
Jun 19 10:58:38 vai named[6508]: error (no more) resolving 'broadband.espn.go.com/AAAA/IN': 198.105.192.254#53
Jun 19 11:02:44 vai named[6508]: error (no more) resolving 'mail.g.comcast.net/AAAA/IN': 76.96.53.47#53
Jun 19 11:02:44 vai named[6508]: error (no more) resolving 'mail.g.comcast.net/AAAA/IN': 68.87.66.201#53
Jun 19 11:02:44 vai named[6508]: error (no more) resolving 'mail.g.comcast.net/AAAA/IN': 76.96.40.18#53

named.conf global options:

options {
    directory /etc;
    listen-on { 192.168.20.2; 127.0.0.1; };
    empty-zones-enable no;
    edns-udp-size 4096;
    server-id none;
    version none;
    hostname none;
    allow-recursion { 192.168.20.1; 192.168.20.2; 192.168.1.0/24; 127.0.0.1; };
    zone-statistics yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
trusted-keys {
    dlv.isc.org. 257 3 5 BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh;
};
-snip-

What is the cause for these errors? Thanks

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Master slave configuration of DNSSEC
On Sat, May 1, 2010 at 11:32 AM, Sajeev Ramakrishnan kalpesh.l...@gmail.com wrote:
I have a question regarding configuration of DNSSEC. If I intend to sign a particular zone which has master and a slave, would I have to sign both?

No. Assuming you've correctly setup zone xfers from master to slave, the actual zone contents the slave possesses is dependent on what the master gives it. If the master has dnssec data in the zone file, then this is what the slave will get.

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Different handling of referrals by dig and nslookup
On Sat, Feb 13, 2010 at 12:07 PM, kalpesh varyani kalpesh.l...@gmail.com wrote:
From a third linux system, I try name resolution using dig or nslookup. In this system, I have resolv.conf as:
nameserver A
nameserver B

Just out of curiosity, why do you have a non recursing name server in resolv.conf?

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Script to delete zone from named.conf
On Thu, Feb 4, 2010 at 12:12 PM, bsd b...@todoo.biz wrote:
zone abc.com {
    type slave;
    masters { 213.14.17.2 ; };
    file hosts.abc.com;
};

You could put the whole statement on one line, then use grep or sed based on the zone name. Operationally, it'd work, and no doubt others will argue aesthetic reasons not to do this. Alternately a more complicated script could be written to handle the format as you currently have it.

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
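The second option mentioned in the reply above, a script that handles the multi-line format, as an added example that is not part of the original thread: a brace-matching remover that skips comments and quoted strings, so a `}` inside a comment cannot end the block early and a commented-out zone is never touched. The function names and the sample configuration are constructed for illustration.

```python
import re

# Matches: zone <name> [class] {   (name quoted or unquoted)
ZONE_RE = re.compile(r'zone\s+"?([^\s"{;]+)"?\s*(?:\w+\s*)?\{', re.IGNORECASE)
END_RE = re.compile(r"\s*;")

def skip_noise(text, i):
    """Return the index just past a comment or quoted string at i, else i."""
    if text.startswith("/*", i):
        end = text.find("*/", i + 2)
        return len(text) if end < 0 else end + 2
    if text.startswith("//", i) or text[i] == "#":
        end = text.find("\n", i)
        return len(text) if end < 0 else end
    if text[i] == '"':
        j = i + 1
        while j < len(text) and text[j] != '"':
            j += 2 if text[j] == "\\" else 1
        return min(j + 1, len(text))
    return i

def statement_end(text, brace):
    """Given the index of a zone's opening '{', return the index after its '};'."""
    depth, i = 0, brace
    while i < len(text):
        j = skip_noise(text, i)
        if j > i:
            i = j
            continue
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                m = END_RE.match(text, i + 1)
                if not m:
                    raise ValueError("zone block is not terminated by ';'")
                return m.end()
        i += 1
    raise ValueError("unbalanced braces in zone block")

def remove_zone(conf, name):
    """Return (new_conf, removed_count) with every 'zone <name> {...};' dropped."""
    want = name.rstrip(".").lower()
    out, i, removed = [], 0, 0
    while i < len(conf):
        j = skip_noise(conf, i)
        if j > i:                      # copy comments and strings untouched
            out.append(conf[i:j])
            i = j
            continue
        m = ZONE_RE.match(conf, i)
        starts_word = i == 0 or not (conf[i - 1].isalnum() or conf[i - 1] in "-_")
        if m and starts_word and m.group(1).rstrip(".").lower() == want:
            i = statement_end(conf, m.end() - 1)
            while i < len(conf) and conf[i] in " \t":
                i += 1                 # drop trailing blanks on the last line
            if i < len(conf) and conf[i] == "\n":
                i += 1
            removed += 1
            continue
        out.append(conf[i])
        i += 1
    return "".join(out), removed

# Constructed sample: the zone from the thread plus two look-alikes to keep.
SAMPLE = """\
options { directory "/etc"; };
// zone abc.com { was moved to another server }
zone abc.com {
    type slave;
    masters { 213.14.17.2 ; };  # old master };
    file hosts.abc.com;
};
zone "abc.com.au" { type slave; masters { 213.14.17.2; }; file "hosts.abc.com.au"; };
"""

if __name__ == "__main__":
    new_conf, removed = remove_zone(SAMPLE, "abc.com")
    print(f"removed {removed} zone block(s)")
    print(new_conf, end="")
```

Write the result to a temporary file and run named-checkconf on it before replacing the live named.conf and reloading.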
Re: rndc stalls on any command -- maybe because 127.0.0.1 is not in routing table?
Is lo up? Is named actually listening on 127.0.0.1:953? Is there a firewall?

On Sun, Jan 24, 2010 at 1:29 PM, Nicholas Tung nt...@ntung.com wrote:
Hi all,

The rndc tool, which is used for all BIND configuration (yast, /etc/init.d/named stop), appears to stall on any command. See [Listing 1] for output before it stalls (freezes not in the DNS zone sense) and [Listing 2] for afterwards. I used lsof to show the open files [Listing 3]. The last line doesn't appear to say it's a localhost source, and localhost doesn't seem to be in the routing tables [Listing 4]. Could this be the problem? If it is, could anyone consider adding a warning (or maybe even failing if an override option isn't set)?

Thanks very much,
Nicholas — ntung at ntung — https://ntung.com

=== Listing 1 -- output of command, process waits after last line ===
rndc -V stop
create memory context
create socket manager
create task manager
create task
create logging context
setting log tag
creating log channel
enabling log channel
create parser
get key
decode base64 secret
stop
post event
using server 127.0.0.1 (127.0.0.1#953)
create socket
bind socket
connect

=== Listing 2 -- message after wait ===
rndc: connect failed: 127.0.0.1#953: timed out

=== Listing 3 -- open files when rndc is frozen ===
lsof -p $(ps -C rndc -o pid=) +L
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME
rndc 19939 root cwd DIR 8,18 12288 108 8193 /etc
rndc 19939 root rtd DIR 8,18 4096 23 2 /
rndc 19939 root txt REG 8,18 31800 1 1055141 /usr/sbin/rndc
rndc 19939 root mem REG 8,18 346560 1 786938 /lib64/libm-2.10.1.so
rndc 19939 root mem REG 8,18 88640 1 786849 /lib64/libz.so.1.2.3
rndc 19939 root mem REG 8,18 14872 1 786933 /lib64/libdl-2.10.1.so
rndc 19939 root mem REG 8,18 1360392 1 7471871 /usr/lib64/libxml2.so.2.7.3
rndc 19939 root mem REG 8,18 1605840 1 7472655 /usr/lib64/libcrypto.so.0.9.8
rndc 19939 root mem REG 8,18 131260 1 786809 /lib64/libpthread-2.10.1.so
rndc 19939 root mem REG 8,18 1408560 1 786838 /lib64/libc-2.10.1.so
rndc 19939 root mem REG 8,18 354120 1 7471241 /usr/lib64/libisc.so.50.1.1
rndc 19939 root mem REG 8,18 1497256 1 7471310 /usr/lib64/libdns.so.53.0.0
rndc 19939 root mem REG 8,18 43680 1 7475078 /usr/lib64/libbind9.so.50.0.3
rndc 19939 root mem REG 8,18 35616 1 7471143 /usr/lib64/libisccc.so.50.0.0
rndc 19939 root mem REG 8,18 120168 1 7471234 /usr/lib64/libisccfg.so.50.0.0
rndc 19939 root mem REG 8,18 127680 1 786832 /lib64/ld-2.10.1.so
rndc 19939 root 0u CHR 136,3 0t0 1 6 /dev/pts/3
rndc 19939 root 1u CHR 136,3 0t0 1 6 /dev/pts/3
rndc 19939 root 2u CHR 136,3 0t0 1 6 /dev/pts/3
rndc 19939 root 3r FIFO 0,8 0t0 1 84973 pipe
rndc 19939 root 4w FIFO 0,8 0t0 1 84973 pipe
rndc 19939 root 5u 0,9 0 1 679 anon_inode
rndc 19939 root 7r REG 0,3 0 1 10516 /proc/2283/status
rndc 19939 root 20u IPv4 84977 0t0 TCP c-98-207-60-37.hsd1.ca.comcast.net:55316-localhost:953 (SYN_SENT)

=== Listing 4 -- route configuration ===
ip route show
98.207.60.0/22 dev eth-inet proto kernel scope link src 98.207.60.37
169.254.0.0/16 dev eth0 scope link
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.2.1
192.168.0.0/16 dev eth1 proto kernel scope link src 192.168.2.2
default via 98.207.60.1 dev eth-inet

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Is an IPv6-only glue/delegation record a problem in a world of IPv4?
On Mon, Jan 11, 2010 at 12:29 PM, Mathew J. Newton bind-us...@newtonnet.co.uk wrote:
The same delegation records are present as glue in the .org nameservers.

While this is not in response to your original question, I am curious. I'm not sure if you were part of the discussion we just had on IRC freenode #ipv6, but querying a .org TLD NS for records for ns1 and ns2.v6ns.org returns no actual records, no errors reported, but there seem to be records shown in the ADDITIONAL section of the query response. If I understand this correctly, the lack of an ANSWER section for AAAA query would denote there is no ipv6 glue at the TLD?

2001:500:e::1 being a0.org.afilias-nst.info, a .org TLD NS

; DiG 9.6.1-P2-RedHat-9.6.1-13.P2.fc12 ns1.v6ns.org @2001:500:e::1
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 38080
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns1.v6ns.org. IN AAAA
;; AUTHORITY SECTION:
v6ns.org. 86400 IN NS ns1.v6ns.org.
v6ns.org. 86400 IN NS ns2.v6ns.org.
;; ADDITIONAL SECTION:
ns1.v6ns.org. 86400 IN A 77.103.161.36
ns2.v6ns.org. 86400 IN A 77.103.161.36
ns1.v6ns.org. 86400 IN AAAA 2a01:348:133::a1
ns2.v6ns.org. 86400 IN AAAA 2a01:348:6:a1::2
;; Query time: 102 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Mon Jan 11 12:44:13 2010
;; MSG SIZE rcvd: 150

; DiG 9.6.1-P2-RedHat-9.6.1-13.P2.fc12 ns2.v6ns.org @2001:500:e::1
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 377
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns2.v6ns.org. IN AAAA
;; AUTHORITY SECTION:
v6ns.org. 86400 IN NS ns2.v6ns.org.
v6ns.org. 86400 IN NS ns1.v6ns.org.
;; ADDITIONAL SECTION:
ns2.v6ns.org. 86400 IN AAAA 2a01:348:6:a1::2
ns2.v6ns.org. 86400 IN A 77.103.161.36
ns1.v6ns.org. 86400 IN A 77.103.161.36
ns1.v6ns.org. 86400 IN AAAA 2a01:348:133::a1
;; Query time: 719 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Mon Jan 11 12:44:23 2010
;; MSG SIZE rcvd: 150

An example showing glue in .com/.net:

; DiG 9.6.1-P2-RedHat-9.6.1-13.P2.fc12 ns2.he.net @G.GTLD-SERVERS.net
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 25892
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 9
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns2.he.net. IN AAAA
;; ANSWER SECTION:
ns2.he.net. 172800 IN AAAA 2001:470:200::2
;; AUTHORITY SECTION:
he.net. 172800 IN NS ns1.he.net.
he.net. 172800 IN NS ns2.he.net.
he.net. 172800 IN NS ns3.he.net.
he.net. 172800 IN NS ns4.he.net.
he.net. 172800 IN NS ns5.he.net.
;; ADDITIONAL SECTION:
ns1.he.net. 172800 IN A 216.218.130.2
ns2.he.net. 172800 IN A 216.218.131.2
ns2.he.net. 172800 IN AAAA 2001:470:200::2
ns3.he.net. 172800 IN A 216.218.132.2
ns3.he.net. 172800 IN AAAA 2001:470:300::2
ns4.he.net. 172800 IN A 216.66.1.2
ns4.he.net. 172800 IN AAAA 2001:470:400::2
ns5.he.net. 172800 IN A 216.66.80.18
ns5.he.net. 172800 IN AAAA 2001:470:500::2
;; Query time: 100 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Mon Jan 11 12:54:02 2010
;; MSG SIZE rcvd: 334

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
recursion confusion
Hi folks, what's the difference between

recursion no;

and

allow-recursion {none;};

Thanks

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: IPv6 TCP
On Mon, Dec 28, 2009 at 10:56 AM, Pamela Rock prock...@yahoo.com wrote:
When I query TCP with IPv6 I get the following error:

Check client machine firewall.

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Remove/add [A] records based upon server availability
On Sun, Dec 27, 2009 at 3:16 AM, Ryan S ryan332...@hotmail.com wrote:
Some web browsers and applications will fail in a round-robin A record configuration such that if the first A record returned is unavailable, then the browser will not bring up the page.

So fix the application instead of bending the protocol to suit a broken application's need? Specifically, what web browsers and applications are you referring to? On what OS's?

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Remove/add [A] records based upon server availability
On Sat, Dec 26, 2009 at 3:14 PM, Ryan S ryan332...@hotmail.com wrote:
Is there a method in BIND to add/remove A records based upon server availability?

Just curious, but why do you think you want this? What problem does such an implementation address?

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: New BIND server
On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil martin.dubre...@neosynergix.com wrote:
but would like to get your tips and tricks to secure your BIND servers before putting it into production.

A little vague here. You haven't defined what your intentions are. Is this an authoritative only server for zones? Recursive server for clients? Other questions I can't think of at the moment?

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: root and in-addr.arpa zone transfers
On Wed, Sep 9, 2009 at 10:51 AM, Rich Goodson rgood...@gronkulator.com wrote:
zone . {
    type slave;
    file slave/root.slave;
    masters {
        192.33.4.12;    // C.ROOT-SERVERS.NET.
        192.112.36.4;   // G.ROOT-SERVERS.NET.
        193.0.14.129;   // K.ROOT-SERVERS.NET.
    };
    notify no;
};

Interesting, can any of the root servers be used, or must it be just these three?

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: dig +trace failure
On Wed, Sep 2, 2009 at 8:37 PM, Andris Kalnozols and...@hpl.hp.com wrote:
My 9.6.1-P1 dig programs (HP-UX and Linux) rather consistently fail when trying to trace the delegation of 231.84.192.IN-ADDR.ARPA. Out of curiosity, are others from different places on the Internet able to duplicate the failure?

Same here, bind 9.6.1_P1

snip
;; Received 196 bytes from 2001:503:ba3e::2:30#53(A.ROOT-SERVERS.NET) in 150 ms
231.84.192.in-addr.arpa. 86400 IN NS ns1.accrue.com.
231.84.192.in-addr.arpa. 86400 IN NS mail.boston.accrue.com.
;; Received 95 bytes from 192.26.92.32#53(HENNA.ARIN.NET) in 62 ms
;; Truncated, retrying in TCP mode.
socket.c:2486: REQUIREsock) != ((void *)0)) (((const isc__magic_t *)(sock))-magic == ((('I') 24 | ('O') 16 | ('i') 8 | ('o')) failed.
Aborted

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: stats brainteaser
On Fri, Jul 31, 2009 at 10:58 AM, Todd canada...@gmail.com wrote:
I've got a monitoring script in place that does an rndc stats and parses the output, then graphs it for me nicely.

How is this being monitored? Are you sure it's not an artifact of your monitoring software? I see this behaviour in mrtg/rrdtool when monitoring various dns stats.

-- aRDy Music and Rick Dicaire present: http://www.ardynet.com http://www.ardynet.com:9000/ardymusic.ogg.m3u