Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Joe Baptista bapti...@publicroot.org wrote:

> Someone else has written the RFC draft - which see http://bit.ly/b5mFkV

That draft has this text, "Expires: February 27, 2010" [3 days from today]. I am not sure what an expiration date means officially on a draft RFC.

-- 
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 240, Room 5.B.8
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: bsfin...@anl.gov
IBMMAIL: I1004994
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
`named' uses 32-bit capabilities
In production I am running BIND 9.6.1-P3 on Solaris 9, sun4u sparc SUNW,Sun-Fire-V240. When I start BIND I get this message:

    Jan 25 11:03:17 dns1 named[9673]: [ID 873579 daemon.notice] built with '--prefix=/export/home/named/bind' '--with-openssl=/krb5' '--sysconfdir=/export/home/named' '--enable-threads' '--localstatedir=/var'

I am testing the same version of BIND on an Ubuntu Karmic system, x86_64 GNU/Linux. Both are built from the ISC source. When I start BIND I get these messages:

    Feb 19 10:08:01 karmic kernel: [146949.294524] warning: `named' uses 32-bit capabilities (legacy support in use)
    Feb 19 10:08:01 karmic named[22678]: starting BIND 9.6.1-P3 -c /etc/iscbind/named.conf
    Feb 19 10:08:01 karmic named[22678]: built with '--prefix=/etc/iscbind/bind/' '--sysconfdir=/etc/iscbind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-gssapi=/usr'

What is causing the "`named' uses 32-bit capabilities (legacy support in use)" message on this Ubuntu Karmic build? What do I need to specify to avoid the 32-bit code? Thanks.

-- Barry S. Finkel
Question about rndc flushname
On a mail machine I am running a cache-only DNS - BIND 9.6.1-P3. When I dump the cache I see two lines:

    ; answer
    brainpower-austria.at.  6622    MX      5 mx1.bon.at.

I then enter

    ./rndc flushname brainpower-austria.at

But when I then look at the cache, I still see the MX record (with a shorter TTL). Why is the flushname command not flushing this MX record from the cache? Thanks.

-- Barry S. Finkel
Re: BIND Secondaries of MS AD Integrated Zones
jim.siffe...@tektronix.com wrote:

> Most of our internal DNS zones are mastered in Microsoft DNS (2k3 R2) as AD Integrated zones. Currently, those zones are slaved from a single MS DNS server to our BIND 9 servers that handle recursion. Is there a reliable way to use multiple masters when slaving AD Integrated zones to BIND?
>
> In the O'Reilly book "DNS on Windows Server 2003" a section on p. 324 called "BIND Secondaries for Active Directory-Integrated Zones" says serial numbers can vary on otherwise synchronized MS DNS Servers, potentially causing a server to respond with an incorrect lower serial number.
>
> Thanks,
> Jim Sifferle
> Tektronix / Fluke Network Services

I have seen the replies to this mail, and I have something else to add. See MS 282826.

Assume that you have a zone that is AD-integrated, and you have the zone on two DCs, DC1 and DC2 - both are running the MS DNS Service. Assume that both copies of the zone are identical and have serial number, say, 1. Now two machines send DDNS updates for the same zone at the same time; one sends to DC1 and one sends to DC2. After each DC has processed the update, the DCs now have serial number 2, but the zones have different content.

Somehow (under the covers of AD), the two zones are synchronized. I do not know the algorithm, nor do I know how much time elapses before the synchronization. With the synchronized zone, what is the proper serial number? It can not be 2, as there could be another DDNS packet for the same zone sent to DC1, and this results (before the synchronization) in DC1 having serial number 2 and DC2 having serial number 1.

Article 282826 describes what the MS code does; it depends upon what MS DNS Servers are treated as masters for BIND. With my setup, I run only ONE MS DNS Server, even though I have four DCs. My Windows group wants two MS DNS Servers, and I will list only one as the master for the zone on my BIND servers.

-- Barry S. Finkel
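The serial-number comparison a slave performs at refresh time is what makes the two-master scenario above a problem: both DCs advance to serial 2 with different content, and a slave already holding serial 2 sees nothing newer on either master. The following is an added example written for this digest (not BIND's or Microsoft's code) that implements RFC 1982 serial-number arithmetic, which is what a slave uses to decide whether a master's copy is newer, and replays the scenario with constructed zone content, serials and master names.

```python
# Added example: RFC 1982 serial-number arithmetic and the refresh decision a
# slave makes against several masters. Illustration code written for this
# digest, not BIND's or Microsoft's implementation; zone content, serials and
# master names below are constructed.
from typing import Dict, List, Tuple

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS          # 2^32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)   # 2^31


def serial_lt(i1: int, i2: int) -> bool:
    """RFC 1982 section 3.2: True when i1 < i2 in serial-number arithmetic.

    Equal serials and serials exactly 2^31 apart are not ordered, so both
    return False; a slave only transfers when this returns True."""
    i1 %= SERIAL_MOD
    i2 %= SERIAL_MOD
    return (i1 < i2 and i2 - i1 < SERIAL_HALF) or (i1 > i2 and i1 - i2 > SERIAL_HALF)


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 section 3.1: add n to a serial, wrapping at 2^32. n must be
    below 2^31 or the result would not compare as newer."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (serial + n) % SERIAL_MOD


def masters_to_transfer_from(slave_serial: int, masters: Dict[str, int]) -> List[str]:
    """Names of masters whose SOA serial is newer than the slave's copy.

    This is the check a slave performs at refresh time (SOA query, then
    compare); a master whose serial is equal or older is ignored."""
    return [name for name, serial in masters.items() if serial_lt(slave_serial, serial)]


def divergent_update_scenario() -> Tuple[Dict[str, object], Dict[str, object], List[str]]:
    """Replay the thread's scenario: one zone on two DCs, both at serial 1,
    each receiving a different dynamic update. Returns the two zone contents
    and the list of masters a slave holding serial 2 would transfer from."""
    zone_dc1: Dict[str, object] = {"serial": 1, "host-a": "192.0.2.10"}
    zone_dc2: Dict[str, object] = {"serial": 1, "host-a": "192.0.2.10"}

    # Update 1 arrives at DC1, update 2 at DC2, before any AD replication.
    zone_dc1["host-b"] = "192.0.2.11"
    zone_dc1["serial"] = serial_add(int(zone_dc1["serial"]), 1)
    zone_dc2["host-c"] = "192.0.2.12"
    zone_dc2["serial"] = serial_add(int(zone_dc2["serial"]), 1)

    # A BIND slave already transferred serial 2 from DC1. Both masters now
    # present serial 2 with different content, so the slave sees nothing new.
    slave_serial = 2
    masters = {"DC1": int(zone_dc1["serial"]), "DC2": int(zone_dc2["serial"])}
    return zone_dc1, zone_dc2, masters_to_transfer_from(slave_serial, masters)


if __name__ == "__main__":
    dc1, dc2, transfers = divergent_update_scenario()
    print("DC1:", dc1)
    print("DC2:", dc2)
    print("slave at serial 2 would transfer from:", transfers or "nobody")
```

The scenario function returns an empty transfer list: with identical serials the slave keeps whichever copy it already has, which is why listing a single master (as the reply recommends) is the safe choice until the AD copies have converged.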
Re: Slave to Win2003 DNS
Jukka Pakkanen jukka.pakka...@qnet.fi wrote:

> Our Bind 9.6.1-P1 Windows servers are slaves to a Windows 2003 DNS server, zone company.local. For some reason the slaves don't update the zone unless I restart the BIND service in the server, and after a while, fail to respond to queries. Example: after a couple of days since the last restart, the BIND servers stop responding to queries to company.local (SERVFAIL); at the server I can see that the cache file is not updated since the service was previously started. I restart the BIND service, and immediately the cache file is updated, the server again responds to queries, etc.
>
> I suspect this is not a problem in the BIND, but in the Windows 2003 DNS, but any ideas anyway, what to look for in the server? Haven't been playing with the Windows DNS a lot...

I have seen the three replies to this, and I will add the following:

Is the W2003 DNS Server sending NOTIFY packets to the BIND slaves when a zone is updated?

One of the problems with the Windows DNS Server is that it logs only successful zone transfers. Unsuccessful zone transfers are not logged because the MS Developers did not want to fill the EventLog with these entries. A number of years ago, when we installed AD and put the AD zones on a MS W2000 DNS Server, we formally requested that MS log unsuccessful zone transfers along with some information as to why the transfer was rejected.

Do you have DNS logging enabled on the MS DNS Server? I suggest that full logging be enabled, and the dns.log file be made sufficiently large so that you will be able to see what may be happening. Note that the dns.log file increases in size until it reaches its max size; then it is cleared, and new entries are added. The dns.log file is NOT a syslog file, as we in the Unix community are used to using.

-- Barry S. Finkel
Re: CNAME for MX Record?
Bradley Caricofe wrote:

> Hey list, I have the following issue. A customer hosts a domain with me, facplus.com. Her primary email account is on that domain, we'll call it her at facplus.com. She has also registered another name through Dotster, meetingtoolsandjewels.com. Dotster provides her with URL redirection and email forwarding for that domain. She has set up an email address, we'll call it her at meetingtoolsandjewels.com, which should forward to her at facplus.com.
>
> We've been having a problem where not all senders are being received when mail is sent to the her at meetingtoolsandjewels.com account. I've sent her test emails from gmail, yahoo and my own server (sendmail) and all were received. When I send emails from systems using Exchange, I eventually get a bounce that the message has been delayed... it's never received.
>
> When I do digs for the MX record for meetingtoolsandjewels.com I get a CNAME:
>
>     [root at jump1 ~]# dig meetingtoolsandjewels.com MX
>
>     ; <<>> DiG 9.3.4-P1 <<>> meetingtoolsandjewels.com MX
>     ;; global options:  printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5373
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;meetingtoolsandjewels.com.     IN      MX
>
>     ;; ANSWER SECTION:
>     meetingtoolsandjewels.com. 3600 IN      CNAME   meetingsmaven.typepad.com.
>
>     ;; AUTHORITY SECTION:
>     typepad.com.            600     IN      SOA     ns1.sixapart.com. hostmaster.sixapart.com. 2009051400 10800 3600 604800 600
>
>     ;; Query time: 233 msec
>     ;; SERVER: 192.168.75.1#53(192.168.75.1)
>     ;; WHEN: Wed Aug 19 04:44:21 2009
>     ;; MSG SIZE  rcvd: 139
>
> If I do digs against her actual nameservers, I get a correct MX record. What the heck am I seeing here and is this the likely cause of the delayed emails?

and Kevin Darcy replied:

> What I see is:
>
> meetingtoolsandjewels.com/MX resolves to m1.dnsix.com with preference 0.
>
> meetingsmaven.typepad.com/MX doesn't resolve at all from typepad.com's nameservers, but meetingsmaven.typepad.com/A does.
>
> Maybe it was just a poorly-executed migration?
>
> - Kevin

What I see is this:

    dns% dig meetingtoolsandjewels.com. mx

    ; <<>> DiG 8.3 <<>> meetingtoolsandjewels.com. mx
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
    ;; QUERY SECTION:
    ;;      meetingtoolsandjewels.com, type = MX, class = IN

    ;; ANSWER SECTION:
    meetingtoolsandjewels.com.  30M IN MX   0 m1.dnsix.com.

    ;; AUTHORITY SECTION:
    meetingtoolsandjewels.com.  1D IN NS    ns2.nameresolve.com.
    meetingtoolsandjewels.com.  1D IN NS    ns4.nameresolve.com.
    meetingtoolsandjewels.com.  1D IN NS    ns1.nameresolve.com.
    meetingtoolsandjewels.com.  1D IN NS    ns3.nameresolve.com.

    ;; ADDITIONAL SECTION:
    ns1.nameresolve.com.    1d6h16m1s IN A  64.94.117.199
    ns2.nameresolve.com.    1d6h16m1s IN A  63.251.83.88
    ns3.nameresolve.com.    1d6h16m1s IN A  66.150.161.151
    ns4.nameresolve.com.    1d6h16m1s IN A  64.94.31.66

    ;; Total query time: 192 msec
    ;; FROM: dns.anl.gov to SERVER: default -- 146.139.254.3
    ;; WHEN: Wed Aug 19 12:53:37 2009
    ;; MSG SIZE  sent: 43  rcvd: 216

    dns% dig meetingtoolsandjewels.com. mx @ns3.nameresolve.com

    ; <<>> DiG 8.3 <<>> meetingtoolsandjewels.com. mx @ns3.nameresolve.com
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
    ;; QUERY SECTION:
    ;;      meetingtoolsandjewels.com, type = MX, class = IN

    ;; ANSWER SECTION:
    meetingtoolsandjewels.com.  30M IN MX     0 m1.dnsix.com.
    meetingtoolsandjewels.com.  1H IN CNAME   meetingsmaven.typepad.com.

    ;; AUTHORITY SECTION:
    meetingtoolsandjewels.com.  1D IN NS    ns1.nameresolve.com.
    meetingtoolsandjewels.com.  1D IN NS    ns2.nameresolve.com.
    meetingtoolsandjewels.com.  1D IN NS    ns3.nameresolve.com.
    meetingtoolsandjewels.com.  1D IN NS    ns4.nameresolve.com.

    ;; ADDITIONAL SECTION:
    ns1.nameresolve.com.    1D IN A  64.94.117.199
    ns2.nameresolve.com.    1D IN A  63.251.83.88
    ns3.nameresolve.com.    1D IN A  66.150.161.151
    ns4.nameresolve.com.    1D IN A  64.94.31.66

    ;; Total query time: 62 msec
    ;; FROM: dns.anl.gov to SERVER: ns3.nameresolve.com  66.150.161.151
    ;; WHEN: Wed Aug 19 12:54:10 2009
    ;; MSG SIZE  sent: 43  rcvd: 252

    dns% dig meetingtoolsandjewels.com soa @ns3.nameresolve.com.

    ; <<>> DiG 8.3 <<>> meetingtoolsandjewels.com soa @ns3.nameresolve.com.
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
    ;; QUERY SECTION:
    ;;      meetingtoolsandjewels.com, type = SOA, class = IN

    ;; ANSWER SECTION:
    meetingtoolsandjewels.com.  1D IN SOA   ns1.nameresolve.com. hostmaster.meetingtoolsandjewels.com. (
FW: Delegating reverse DNS to a customer
On Tue, Aug 18, 2009 at 8:31 AM, Tim Huffman t...@bobbroadband.com wrote:

> Guys,
>
> We're a smallish (but growing) ISP, and we've been asked by one of our customers to delegate reverse DNS for 63.250.251.0/24 to their DNS servers, ns1.emns.com - ns4.emns.com. Unfortunately, we've never had to delegate DNS to a customer before, and we're having problems getting it to work. We're running BIND 9.5.1 on Fedora.

In your zone 251.250.63.in-addr.arpa (if you do not have a zone, create it) place the following four NS records as delegation records:

    @       IN      NS      ns1.emns.com.
            IN      NS      ns2.emns.com.
            IN      NS      ns3.emns.com.
            IN      NS      ns4.emns.com.

I believe that that will delegate the /24 to those servers from your servers. The delegation could occur at the parent level, but you do not control the parent 250.63.in-addr.arpa zone.

-- Barry S. Finkel
Re: BIND 9.5.1-P3 compilation problems.
Emery emery.rudo...@gmail.com wrote:

> I've conducted two maintenance windows to upgrade our BIND primary server to the new code to address the recent security vulnerability, but cannot get past the error below. I have Openssl 9.8.0k installed. I have no problems running tests from the openssl prompt. I have tried exporting the LD_LIBRARY_PATH to include the /usr/local/ssl directory and have run the compilation with the --with-openssl=/usr/local/ssl switch to no avail. I am running Solaris 10 Sparc - I know that there is a precompiled version of this BIND release on Sunfreeware, but I am trying to upgrade our primary nameserver and would rather do this than a clean uninstall/install. Is there any insight into what wall I'm running into?
>
>     checking for strings.h... yes
>     checking for inttypes.h... yes
>     checking for stdint.h... yes
>     checking for unistd.h... (cached) yes
>     checking for size_t... yes
>     checking for ssize_t... yes
>     checking for uintptr_t... yes
>     checking for socklen_t... yes
>     checking whether time.h and sys/time.h may both be included... yes
>     checking for long long... yes
>     checking for struct lifconf... no
>     checking for kqueue... no
>     checking epoll support... no
>     checking sys/devpoll.h usability... yes
>     checking sys/devpoll.h presence... yes
>     checking for sys/devpoll.h... yes
>     checking if unistd.h or sys/types.h defines fd_set... yes
>     checking whether byte ordering is bigendian... yes
>     checking for OpenSSL library... using OpenSSL from /usr/local/ssl/lib and /usr/local/ssl/include
>     checking whether linking with OpenSSL works... no
>     configure: error: Could not run test program using OpenSSL from /usr/local/ssl/lib and /usr/local/ssl/include.  Please check the argument to --with-openssl and your shared library configuration (e.g., LD_LIBRARY_PATH).
When I built BIND 9.6.1-P1 on Solaris 10 I used the following commands:

    unsetenv LD_LIBRARY_PATH
    set path=(/usr/sfw/bin/ /usr/sbin /usr/bin /usr/etc /usr/ccs/bin \
        /usr/afsws/local/bin)
    ./configure --prefix=/export/home/named/bind \
        --sysconfdir=/export/home/named --enable-threads --localstatedir=/var \
        --with-gssapi=/usr --with-libxml2=/usr

I am not sure what we have in /usr/afsws/local/bin (if anything) that I need. After the build I ran

    strings /usr/sfw/lib/libcrypto.so.0.9.7 | grep SSL

and I get, in part,

    OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2007-5135 CVE-2008-5077 CVE-2009-0590)

I did this because I got a warning message about a back-level OpenSSL Crypto library. The file name has 0.9.7, but that file does contain fixes for vulnerabilities. This is on a SunOS ... 5.10 Generic_141414-02 sun4u sparc SUNW,Sun-Fire-V240 system. Note that I used different commands when building this BIND on a Solaris 9 system.

-- Barry S. Finkel
Re: bind 9 problem with delegation
gui gco...@gmail.com wrote:

> Hello, I have a strange problem with my bind server, and I hope someone could point out the problem. Here is the description: I have two bind servers (replication, multi-master), bind 9.3.4, same version, same configuration (normally). I tried to do some PTR delegation, so for example, I have a 104.10.in-addr.arpa zone, the master of the zone is my bind server, in this zone file I have this:
>
>     0.104.10.in-addr.arpa.    IN    NS    otherDNSserver.fqdn
>
> On the first server, when I check with dig, I get nothing:
>
>     dig 0.104.10.in-addr.arpa
>
>     ; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
>     ;; global options:  printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;0.104.10.in-addr.arpa.         IN      A
>
>     ;; Query time: 108 msec
>     ;; SERVER: 10.x.x.x#53(10.x.x.x)
>     ;; WHEN: Fri Jul 10 17:17:52 2009
>     ;; MSG SIZE  rcvd: 39
>
> On the other one, it works:
>
>     ; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
>     ;; global options:  printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;0.104.10.in-addr.arpa.         IN      A
>
>     ;; AUTHORITY SECTION:
>     0.104.10.in-addr.arpa.  3600    IN      SOA     myotherdnsserver.fqdn. hostmaster.myotherserver.fqdn. 310 900 600 86400 3600
>
>     ;; Query time: 4005 msec
>     ;; SERVER: 10.2.129.9#53(10.2.129.9)
>     ;; WHEN: Thu Jul 23 09:03:51 2009
>     ;; MSG SIZE  rcvd: 113
>
> and I can't find what to do to make this work correctly on the first server. Hope you'll have more ideas than me :-)) Thank you!

The first query does not produce nothing; it tells you via these lines:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;0.104.10.in-addr.arpa.         IN      A

The return code is NXDOMAIN. There is no "aa" in the flags, so the response is not authoritative. The server knows nothing about this domain. Note that you are querying for the address of a class-c subnet, and that subnet has no address.

The second query works; it gives you more information than the first query:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;0.104.10.in-addr.arpa.         IN      A

    ;; AUTHORITY SECTION:
    0.104.10.in-addr.arpa.  3600    IN      SOA     myotherdnsserver.fqdn.

The return code is NOERROR. There are 0 answer sections in the response. The response is not authoritative. But the server knows (and gives) the SOA for the zone. I am assuming that this server had the SOA record in its cache.

As to why these two DNS servers do not know about the zone, I cannot tell. This is a 10-subnet, so we would not be able to query it. We would have to see the config files from the two servers to see how they define the zone.

Here is a query I made for the address of one of our Class-B subnets:

    solaris% dig 139.146.in-addr.arpa

    ; <<>> DiG 8.3 <<>> 139.146.in-addr.arpa
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      139.146.in-addr.arpa, type = A, class = IN

    ;; AUTHORITY SECTION:
    139.146.in-addr.arpa.   2H IN SOA       dns0.anl.gov. hostmaster.anl.gov. (
                                            2009072402      ; serial
                                            2H              ; refresh
                                            1H              ; retry
                                            2W              ; expiry
                                            2H )            ; minimum
    ...
    solaris%

Note that the answer has NOERROR, aa, and 0 answer sections. The response is authoritative, as the server I queried is a slave for this zone. The query was for an A record that does not exist. A query for NS records might give you the NS record set for the zone, depending upon your BIND configuration.

-- Barry S. Finkel
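The reply above reads three dig responses the same way each time: return code, presence of the "aa" flag, and the section counts. Below is an added example written for this digest (not part of BIND or dig) that extracts exactly those fields from the header lines of dig 8 or dig 9 output and names the kind of response, so the same reasoning can be applied to a batch of captured responses. The three sample headers are constructed to match the ones quoted in the thread.

```python
# Added example: parse the header of dig output and classify the response the
# way the thread does. Illustration code written for this digest, not part of
# BIND or dig; the sample headers are constructed from the thread's output.
import re
from typing import Dict, Optional

# Both dig 8 and dig 9 print these two lines, so we only depend on them.
_STATUS_RE = re.compile(r"status:\s*(\w+),\s*id:\s*(\d+)")
_FLAGS_RE = re.compile(
    r"flags:\s*([a-z ]*?)\s*;\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
    r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)"
)


def parse_dig_header(text: str) -> Optional[Dict]:
    """Extract status, id, flags and section counts from dig output.

    Returns None when the text has no dig header (for example a timeout)."""
    status = _STATUS_RE.search(text)
    flags = _FLAGS_RE.search(text)
    if not status or not flags:
        return None
    return {
        "status": status.group(1),
        "id": int(status.group(2)),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
        "additional": int(flags.group(5)),
    }


def classify(hdr: Dict) -> str:
    """Name the kind of response, following the reasoning in the thread."""
    authoritative = "aa" in hdr["flags"]
    if hdr["status"] == "NXDOMAIN":
        return "NXDOMAIN authoritative" if authoritative else "NXDOMAIN non-authoritative"
    if hdr["status"] != "NOERROR":
        return "error " + hdr["status"]
    if hdr["answer"] > 0:
        return "answer authoritative" if authoritative else "answer non-authoritative"
    # NOERROR with an empty answer section: the name exists but has no
    # records of the queried type. An SOA in the authority section is the
    # negative-answer proof; without "aa" it came from a cache.
    if authoritative:
        return "NODATA authoritative"
    if hdr["authority"] > 0:
        return "NODATA cached"
    return "NODATA without authority"


# Constructed samples, trimmed to the header lines quoted in the thread.
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_CACHED_SOA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
SAMPLE_AUTH_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for label, sample in [("first", SAMPLE_NXDOMAIN), ("second", SAMPLE_CACHED_SOA),
                          ("class-B", SAMPLE_AUTH_NODATA)]:
        print(label, "->", classify(parse_dig_header(sample)))
```

The classifier deliberately separates "NODATA cached" from "NODATA authoritative": the former only tells you that some resolver once saw the zone, which is the assumption the reply makes about the second server.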
Moving an AD Zone from Windows to BIND
This is not really a BIND-related question, but I thought that maybe some people on this list can point me in the right direction. Maybe someone has already done what I need to do.

I have one zone xxx.yyy.example.com that is on a Windows DNS server, completely under the control of Windows. This zone is slaved on my BIND servers. Within these zones are the AD records

    ForestDNSZones.xxx.yyy.example.com
    DomainDNSZones.xxx.yyy.example.com
    _msdcs.xxx.yyy.example.com
    _sites.xxx.yyy.example.com
    _tcp.xxx.yyy.example.com
    _udp.xxx.yyy.example.com

What I need is a procedure that I can use to move the base zone xxx.yyy.example.com to BIND, while keeping the six AD zones on the Windows DNS Server. If I were to define the six AD zones on the Windows DNS Server, would the SRV, CNAME, and other AD records move to the new zones automatically? I have no problem taking the zone file on one of my BIND slaves, removing the AD records, adding delegations for the six AD zones, and making this file into a master.

The reason I need this is DNSSEC, which will not work on MS dynamic zones. If I can split the non-AD piece of the zone into BIND, I will have solved my problem, as the six AD zones do not have to be accessible from off-site, and thus I will not have to sign them. Thanks.

-- Barry S. Finkel
Re: Trouble With One Domain
Frank Bulk wrote:

> If you change the nameservers for IllinoisAcceleratorInstitute.org at its registrar to point to t1dns1.anl.gov and t1dns2.anl.gov you should be good to go.

and Andy Shellam andy-li...@networkmail.eu replied:

> And not forgetting to change the master server in the SOA record from oxygen, as that server doesn't appear to be accepting DNS requests, which I believe is what's causing the Zone Check tool to fail.

Why should we change the master server in the SOA record from oxygen, when oxygen is the real master? It is a hidden master. I believe that it is the CNAME that is causing zonecheck.fr to fail. The zonecheck.fr utility does not fail on our other zones that have a hidden master.

-- Barry S. Finkel
Re: Trouble With One Domain
Stephane Bortzmeyer bortzme...@nic.fr wrote, in part:

> The problem (NS going to CNAME) was properly identified by Hauke Lampe very soon in the thread. Read it.
>
>> Unable to find primary nameserver (SOA)
>
> Well, the error message could be better, that's sure...

There are a number of reasons why the SOA could not be located: NS pointing to a CNAME, incorrect NS delegation from the parent, lame server, name server not accessible from the Internet, etc. If the zonecheck code is able to determine what the reason is, then it should give the reason. I was looking for incorrect delegation or inaccessible name server. I did not notice the CNAME. This zone is maintained by a different group here; all I do is slave the zone.

-- Barry S. Finkel
Trouble With One Domain
We own the domain IllinoisAcceleratorInstitute.org. There are problems accessing this domain from the Internet, and I cannot determine what the problem is. I have no trouble from Argonne, as the domain is slaved on all of my servers. I do not see any problem with the delegations, but I may be missing something. When I go to http://www.zonecheck.fr it can't find the SOA. There must be something simple that I am overlooking. Thanks.

-- Barry S. Finkel
Minor query (cache) denied Logging Bug?
I have a name server that is authoritative for the zone tlh.fl.us. In that zone is a record

    freenet.tlh.fl.us.    IN    CNAME    tfn.net.

My server is not authoritative for tfn.net. Some external client sends a request: "What is the MX for freenet.tlh.fl.us.?" My server responds (this is from a snoop trace):

    DNS:  Response ID = 61546
    DNS:  AA (Authoritative Answer)
    DNS:  Response Code: 0 (OK)
    DNS:  Reply to 1 question(s)
    DNS:  Domain Name: freenet.tlh.fl.us.
    DNS:  Class: 1 (Internet)
    DNS:  Type:  15 (Mail Exchange)
    DNS:
    DNS:  1 answer(s)
    DNS:  Domain Name: freenet.tlh.fl.us.
    DNS:  Class: 1 (Internet)
    DNS:  Type:  5 (Canonical Name)
    DNS:  TTL (Time To Live): 86400
    DNS:  Canonical Name: tfn.net.
    DNS:
    DNS:  0 name server resource(s)
    DNS:  0 additional record(s)

This is a correct answer. Note that there are no authority nor additional sections. But I also see in /var/adm/messages:

    Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info] client 217.232.216.120#1: query (cache) 'tfn.net/MX/IN' denied

I assume that in the process of getting more information about tfn.net to give the authority section and the additional section (this is from a query I made to an internal BIND server, where queries are not denied):

    ;; AUTHORITY SECTION:
    tfn.net.                1d23h59m59s IN NS   ns92.worldnic.com.
    tfn.net.                1d23h59m59s IN NS   ns91.worldnic.com.

    ;; ADDITIONAL SECTION:
    freenet.tfn.net.        2H IN A            199.44.235.10
    ns91.worldnic.com.      1d6h26m5s IN A     205.178.190.46
    ns92.worldnic.com.      1d6h26m5s IN A     205.178.144.46

BIND 9.6.0-P1 determines that although it may have this information about tfn.net in its cache, it cannot give the information to the requester because I have not configured BIND to allow external users to query the cache. If BIND did not have the information about tfn.net in its cache, would it go and retrieve the information and then decide that it was unable to give the cached information to the requester? Should the "query (cache) denied" message be produced?

We were confused because we did not see any queries for tfn.net in the named.querylog file, where we log all DNS queries. I had to run a snoop trace to see what was happening. In this case, should BIND give the information about tfn.net in its cache back to the requester?

-- Barry S. Finkel
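The "query (cache) ... denied" line above is the same message named logs when an outside client asks an authoritative-only server to recurse, so on a busy server it is worth separating the CNAME-chase case described here from clients that are simply probing for an open resolver. The following is an added example written for this digest (not BIND's own tooling) that parses those lines, counts them per client, and flags the two cases a defender cares about: clients generating many denials, and denials for names inside a zone the server is supposed to serve, which would point at a configuration problem rather than a recursion attempt. The log lines and addresses are constructed (RFC 5737 documentation ranges), following the Solaris syslog layout quoted in the message.

```python
# Added example: triage of "query (cache) ... denied" lines from a named log.
# Illustration code written for this digest, not BIND's own tooling; the log
# lines and addresses below are constructed (RFC 5737 documentation ranges).
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

_DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<rtype>\w+)/(?P<rclass>\w+)' denied"
)


def in_zone(name: str, zones: Set[str]) -> bool:
    """True when name is at or below one of the zones this server serves."""
    name = name.rstrip(".").lower()
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False


def triage_denied(lines: Iterable[str], served_zones: Set[str], threshold: int = 3) -> Dict:
    """Group denied cache queries by client and separate the two cases the
    thread discusses: a name this server is NOT authoritative for (the client
    wanted recursion, or named was chasing a CNAME target on its behalf)
    versus a name inside a served zone (a configuration problem, since
    authoritative data is answered without touching the cache)."""
    per_client: Counter = Counter()
    names: Dict[str, Set[str]] = defaultdict(set)
    served_zone_denials: List[Tuple[str, str]] = []
    for line in lines:
        m = _DENIED_RE.search(line)
        if not m:
            continue  # query-log lines and other messages are ignored
        ip, name = m.group("ip"), m.group("name")
        per_client[ip] += 1
        names[ip].add(name)
        if in_zone(name, served_zones):
            served_zone_denials.append((ip, name))
    noisy = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return {
        "per_client": dict(per_client),
        "names": {ip: sorted(v) for ip, v in names.items()},
        "noisy_clients": noisy,
        "served_zone_denials": served_zone_denials,
    }


# Constructed sample log: one CNAME-chase denial like the thread's, one client
# sweeping several unrelated names, one denial for a name inside a served zone,
# and one ordinary query-log line that must be ignored.
SAMPLE_LOG = [
    "Apr  1 09:09:14 thor named[171]: [ID 873579 daemon.info] client 192.0.2.7#1: query (cache) 'tfn.net/MX/IN' denied",
    "Apr  1 09:09:15 thor named[171]: [ID 873579 daemon.info] client 198.51.100.9#53211: query (cache) 'example.net/A/IN' denied",
    "Apr  1 09:09:16 thor named[171]: [ID 873579 daemon.info] client 198.51.100.9#53212: query (cache) 'example.org/A/IN' denied",
    "Apr  1 09:09:17 thor named[171]: [ID 873579 daemon.info] client 198.51.100.9#53213: query (cache) 'example.com/AAAA/IN' denied",
    "Apr  1 09:09:18 thor named[171]: [ID 873579 daemon.info] client 203.0.113.4#4040: query (cache) 'www.tlh.fl.us/A/IN' denied",
    "Apr  1 09:09:19 thor named[171]: [ID 873579 daemon.info] client 192.0.2.7#2: query: freenet.tlh.fl.us IN MX +",
]

if __name__ == "__main__":
    report = triage_denied(SAMPLE_LOG, {"tlh.fl.us"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

A single denial for a name outside every served zone, as in the thread, is expected behaviour and needs no action; the report's "noisy_clients" and "served_zone_denials" lists are the two things worth looking at.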
Re: rndc reconfig issue
Ronni Jensen r...@mvb.dk wrote:

> Hi,
>
> Every night I have a perl script generate a config file which contains approximately 5000 zones at the moment, but this will vary in size as zones are added/removed. However, when I put "include /etc/special-zones.conf;" into named.conf and do "rndc reconfig", the named service is not answering DNS queries while it is loading the config, which takes a really long time :-/
>
> I was under the impression that rndc reconfig would not affect the service as such, but apparently it does. Does anyone have a qualified suggestion on how to reload configuration (load the new zones and unload the ones that are not in the config file anymore) without stalling the DNS service so it does not affect the user experience?
>
> Thank you..

We load a 38,000+ domain malware/spyware zone file, and rndc reconfig takes a while to load. I have not timed it on my BIND 9.6.0-P1 systems, but I guess about 20-30 seconds - during which time the server does not answer queries.

We were re-loading the file at the same time on our servers, and while debugging an EDNS message on a web server behind an F5 load balancer (and with a post within the past week from Mark Andrews), I realized that it was not a good idea to reload all of the servers at the same time, as all were inaccessible at the same time. I changed the cron job on two of the servers so that it would still check for an updated zone file every five minutes, but one minute after the cron on the other server in the pair (we have two internal and two external name servers).

-- Barry S. Finkel
Re: bind 9.60p1 on solaris 10
In gnkslg$3u...@sf1.isc.org Mark Andrews mark_andr...@isc.org writes:

> In message 937393c4-77a8-4dba-8a4f-14560c25c...@o11g2000yql.googlegroups.com, SN writes:
>
>> libcrypto.so.0.9.8 is not being found as a link library. Trying to run as in a chroot'ed environment on solaris 10 (core install). Kindly advise.
>
> Install the package that includes OpenSSL.

and Gary Mills mi...@cc.umanitoba.ca replied:

> The Solaris 10 package is SUNWopenssl-libraries, but that provides only /usr/sfw/lib/libcrypto.so.0.9.7. If bind requires

On a Solaris 10 Sparc system:

    solaris% strings /usr/sfw/lib/libcrypto.so.0.9.7 | grep security
    OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    AES part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    ASN.1 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    Blowfish part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    Big Number part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    CAST part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    CONF part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    CONF_def part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    libdes part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    DES part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    Diffie-Hellman part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    DSA part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    EVP part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    lhash part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    MD2 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    MD4 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    MD5 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    id-smime-aa-securityLabel
    id-smime-aa-securityLabel
    security
    PEM part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    RAND part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    RC2 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    RC4 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    RIPE-MD160 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    RSA part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    SHA part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    SHA1 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    Stack part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    TXT_DB part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    X.509 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    solaris%

The filename contains 0.9.7 but the file itself contains security patches which, I believe, makes it equivalent to 0.9.8. That is what my libcrypto expert told me. I have built 9.6.0-P1 on Solaris 10, and I am running it as a caching-only name server. My production name servers are also 9.6.0-P1, but those computers are still running Solaris 9.

-- Barry S. Finkel
Re: query an external nameserver doubt
On 19.02.09 12:26, Nuno Ribeiro wrote:

> There is a CNAME record
>
>     www.example.test.com CNAME ts.example.test2.com
>
> in the example.test.com zone, for which my nameserver is not authoritative.
> My name server is authoritative for the example.test2.com zone.
> I receive an A query for www.example.test.com. I send this query to external
> nameservers and discover the CNAME record target is in my zone.
> Is this possible?

And Matus UHLAR - fantomas uh...@fantomas.sk replied:

> Yes, it's possible. They will reply with
>
>     www.example.test.com CNAME ts.example.test2.com
>
> If they have recursion or query-cache enabled, they may also respond with
> ts.example.test2.com A in the answer section and example.test.com NS info
> in the authority/additional sections.

I am not sure exactly what the OP wanted. If he wants to be able to send a query to find all of the DNS CNAME records that point to his server, there is no way of doing this, as any domain could conceivably contain such a CNAME record, and he would have to query every name server.

--
Barry S. Finkel
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
Al Stu al_...@verizon.net wrote:

> How about these two?
>
>     nullmx.domainmanager.com
>     Non-authoritative answer:
>     Name:    mta.dewile.net
>     Address: 69.59.189.80
>     Aliases: nullmx.domainmanager.com
>
>     smtp.secureserver.net
>     Non-authoritative answer:
>     Name:    smtp.where.secureserver.net
>     Address: 208.109.80.149
>     Aliases: smtp.secureserver.net
>
> There are two reasons it does not blow up in people's faces.
>
> 1) If the CNAME RR points to an A record in the same zone, both the A
>    record and the CNAME record are returned, thus meeting the A record
>    requirement.
>
> 2) SMTP servers are required to accept an alias and look it up. Thus
>    there is no need for this.
>
> And no, it does not matter if there are multiple MX records with
> different preference values.

You say, "both the A record and the CNAME record are returned." We know that BIND does this. Is this part of the RFC? Do other DNS implementations return both the A and the CNAME?

--
Barry S. Finkel
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
I have not copied the entire thread.

> You've added an additional step in your second paragraph that is
> prohibited by the section you quoted in the first.
>
> The section from the RFC describes a situation where A is queried for
> and an MX record pointing to B is returned. When B is queried for, an
> address record MUST be the answer.
>
> The situation you have described is that A is queried for, resulting in
> an MX record pointing to B. When B is queried for, a CNAME pointing to C
> is returned, and then when C is queried an address record is returned.
>
> Do you see the difference? The RFCs are quite clear that CNAMEs are not
> permitted in the RDATA for an MX.

If I have in DNS

    cn    IN  CNAME  realname

and I query for cn, the DNS resolver will return realname. BIND also returns the A record for realname. Is this a requirement? If not, then

    mx    IN  MX  10  cn

will result in:

1) the MX query returning cn,
2) the cn query returning realname,
3) a third (and RFC-breaking) query to get the A for realname.

There are only two queries if the resolver returns the A record along with the realname of the CNAME record.

--
Barry S. Finkel
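As an added example (not code from the thread or from BIND), the following in-memory lookup models the two behaviours argued about above and in the earlier www.example.test.com question: a server that appends the A record of an in-zone CNAME target versus one that returns only the CNAME, and what that does to the number of queries a resolver needs for an MX host. Zone data is constructed, using the names from the thread and a documentation address.

```python
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]   # owner -> [(type, rdata)]; constructed

def lookup(zone: Zone, name: str, qtype: str, append_target: bool = True):
    """Answer section for (name, qtype) from one zone, as (owner, type, rdata) tuples.

    The CNAME at the queried name is always returned.  When append_target is set and
    the target is in this zone, the target's qtype records are appended as well (the
    "BIND also returns the A record for realname" behaviour).  A target outside the
    zone (the www.example.test.com case) is left for the resolver to chase.
    """
    answer = []
    for _ in range(8):                        # bounds the walk, so a CNAME loop ends
        rrs = zone.get(name, [])
        direct = [(name, t, d) for t, d in rrs if t == qtype]
        if direct or qtype == "CNAME":
            return answer + direct
        cnames = [d for t, d in rrs if t == "CNAME"]
        if not cnames:
            return answer
        answer.append((name, "CNAME", cnames[0]))
        if not append_target or cnames[0] not in zone:
            return answer
        name = cnames[0]
    return answer

def queries_for_mx_address(zone: Zone, mxname: str, append_target: bool) -> int:
    """Number of queries a resolver needs to turn an MX name into an address."""
    queries = 1                                            # 1: the MX query
    target = [d for t, d in zone[mxname] if t == "MX"][0].split()[1]
    queries += 1                                           # 2: A query for the MX host
    ans = lookup(zone, target, "A", append_target)
    while not any(t == "A" for _, t, _ in ans):
        cnames = [d for _, t, d in ans if t == "CNAME"]
        if not cnames or queries >= 8:
            raise LookupError(f"no address reachable for {target}")
        queries += 1                                       # 3: chase the CNAME ourselves
        ans = lookup(zone, cnames[-1], "A", append_target)
    return queries

# Constructed sample zone using the names from the thread (mx, cn, realname).
ZONE: Zone = {
    "mx.example.":       [("MX", "10 cn.example.")],
    "cn.example.":       [("CNAME", "realname.example.")],
    "realname.example.": [("A", "192.0.2.25")],
    # CNAME whose target is in a zone this server does not hold (first question).
    "www.example.test.": [("CNAME", "ts.example.test2.")],
}
```

With append_target=True the MX host resolves in two queries; with it off, the resolver has to issue the third query itself.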
Re: delegating to 3rd Windows nameserver
Davenport, Steve M sdave...@mc.utmck.edu wrote, in part,

> Hello,
>
> We have nameservers supporting utmck.edu and delegate the zones used by
> Windows to Windows nameservers as follows:
>
> ...
>
> When I do a nslookup or dig I only see the first two servers and not sec2:
>
>     -- ns-1: nslookup
>     set type=ns
>     _tcp.utmck.edu
>     Non-authoritative answer:
>     _tcp.utmck.edu  nameserver = pri1.utmck.edu
>     _tcp.utmck.edu  nameserver = sec1.utmck.edu
>
>     Authoritative answers can be found from:
>     pri1.utmck.edu  internet address = 165.6.12.12
>     sec1.utmck.edu  internet address = 165.6.14.13
>     --
>
> Is there anything wrong with this configuration? Why is the sec2 server
> not seen in the query for nameservers?
>
> Thanks very much for your assistance.

I am not sure which DNS server you queried. The server returned a result from its cache:

    Non-authoritative answer:
    ...

and it told you what the authoritative servers are:

    Authoritative answers can be found from:
    ...

You added the server sec2.utmck.edu, but that information has not yet gotten to the cache on the DNS server to which you sent your query. The old information will remain in the cache until its TTL expires. Then the next query for those data will result in fresh information being retrieved from one of the authoritative servers into the cache.

--
Barry S. Finkel
Re: DDNS and allow-update declarations
Nicholas F Miller [EMAIL PROTECTED] wrote:

> I have a couple of questions regarding how a Microsoft domain controller
> updates a dynamic zone.
>
> 1) When a domain controller tries to update the zone, does it try the DNS
>    servers it has listed in its network settings, or does it follow the
>    SOA for the zone?
>
> 2) In the configs below, does the slave server's IP need to be listed in
>    the allow-update declaration on the master zone server?
>
> Master Server - 1.2.3.4
>
>     zone "actived.example.com" {
>         type master;
>         file "named.ad";
>         allow-update {
>             1.2.3.4;        // master DNS server
>             11.22.33.44;    // domain controller 1
>             55.66.77.88;    // domain controller 2
>         };
>         allow-transfer {
>             5.6.7.8;        // slave DNS server
>         };
>     };
>
> Slave Server - 5.6.7.8
>
>     zone "actived.example.com" {
>         type slave;
>         file "named.ad";
>         allow-update-forwarding {
>             11.22.33.44;    // domain controller 1
>             55.66.77.88;    // domain controller 2
>         };
>         allow-transfer { none; };
>         masters {
>             1.2.3.4;        // master DNS server
>         };
>     };

1) All updates for a zone need to be sent to the master server for that zone, as only the master can perform updates. And one cannot assume that updates sent to a slave server will be forwarded to the master. And the only place in DNS where the master server is listed is in the SOA record.

2) I am not sure of the answer. If a DNS update is sent to a slave server and then forwarded to the master, I assume that the master will see the request as coming from the real source and not from the forwarding slave server. So, I assume that the slave server is not updating the master, and thus does not need to be listed in the allow-update declaration.

--
Barry S. Finkel