Re: error: 'allow-update' is not allowed in 'slave' zone
On 14.02.24 17:06, trgapp16 via bind-users wrote:
> I configured Bind 9.18.12 as slave DDNS with dynamic updates from DHCP (ISC DHCP 4.4) running on the same server (Ubuntu 22.04 server).
> When I run "named-checkconf named.conf", I get the following error:
> "named.conf:2018: option 'allow-update' is not allowed in 'slave' zone 'zonename.com'"
> Following is the named.conf file (part):
>
> zone "zonename.com" {
>     type slave;
>     file "com/zonename/sec.zonename.com";
>     masters { IP address; };
>     allow-update { key rndc-key; };
>     allow-transfer { IP address; };
> };
>
> I am clueless what is going wrong. Any help is greatly appreciated.

your nameserver does not update secondary(slave) zones, therefore allow-update does not make sense.
you should remove it or replace it with allow-update-forwarding so all received updates are forwarded to the primary(master) server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"
On 01.03.24 08:24, Ondřej Surý wrote:
> The "sortlist" option allows defining complicated rules for when and how to reorder the resource records in the responses. The same caveats as with "rrset-order" apply - relying on any specific order of resource records in the DNS responses is wrong. We are not aware of any other (major) DNS server that would have similar behaviour, as this was never specified in the DNS protocol. If you know of any software or hardware relying on any specific order of the resource records in the DNS messages, it needs to be reported as a bug to the respective vendor.

I don't know about a _requirement_, but I have used this option as a poor man's way to implement geographically local IP addresses - to anyone, return topologically closer IP addresses first, others next.
I found it especially nice because it doesn't matter which service we are using - if there are multiple IPs for _anything_, return the topologically closer ones first.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: occasional SERVFAIL error
On 29.02.24 15:20, Ludovit Koren wrote:
> occasionally I get the following SERVFAIL error:
>
> dig www.jiscd.sk
>
> ; <<>> DiG 9.18.24 <<>> www.jiscd.sk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12207
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 35fe56eb9b5f3f22010065df34b4c313eedf839eac9d (good)
> ;; QUESTION SECTION:
> ;www.jiscd.sk.              IN      A
>
> ;; Query time: 17 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 28 14:27:16 CET 2024
> ;; MSG SIZE  rcvd: 69
>
> I can get rid of it only after issuing:
>
> rndc flush
>
> Afterwards it works for an uncertain time. Could it be I have a configuration problem on my server (I have prefetch 0 set in the options section of my server)? Is it a problem of the authorized domain server? I have looked into it manually, so far found nothing.

rndc dumpdb could generate named output where you should be able to find out the culprit.
the difference between the current versions of the zone on ns1.gov.sk and ns2.gov.sk could affect this problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: transfert master slave
On 25.03.24 11:34, sami.ra...@sofrecom.com wrote:
> I'm trying to configure a DNS slave server (192.168.56.157). I want to allow notifications only from the master (192.168.56.154). I added the directive "allow-notify {192.168.56.154;};" and it works.
> However, when I try to test the prohibition of notification by adding "allow-notify {none;};" at the slave, it still receives updates from the master.
> The transfer on the master is as follows:

allow-notify will not stop the master from sending notifies. They will just be ignored.

> allow-transfer {192.168.56.157;};
> also-notify {192.168.56.157;};
> notify explicit;

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: SRV on multiple subdomains
On 14.05.24 13:08, DEMBLANS Mathieu wrote:
> I have a question about configuration simplification for SRV configuration (maybe it can be applied to other entries).
> We manage multiple subdomains of a main one (server1.example.com, server2.example.com, ...).
> For A and MX entries, we use a general domain definition with a wildcard, but is there a way to do so for SRV without having to define all subdomains (we have several dozens of them)?
> We have to define some SRV entries with the same target like:
>
> _imap._tcp.server1.example.com IN SRV main.exemple.com
> _imap._tcp.server2.example.com IN SRV main.exemple.com

I assume that _imap._tcp should be configurable per domain, so there should not be any need for things like _imap._tcp.server1.example.com - you should use _imap._tcp.example.com

> For example something like _imap._tcp.*.example.com IN SRV main.example.com.
> I read in a doc that the < * > can only be the leftmost label in the name.

correct.

> Is there another way to simplify or do I have to add each entry individually?

no, but the question is if you really need this.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: SRV on multiple subdomains
On 14.05.24 14:20, DEMBLANS Mathieu wrote:
> A part of the subdomains are managed by us, other subdomains by another entity.

If you really have multiple subdomains of example.com managed by different entities, then yes, a wildcard is not a good idea. This applies to A and MX records as well.

> So we can't configure a generic target for all subdomains as each entity has its own target for SRV entries.

You can't even set up a wildcard for *.example.com to provide the server1.example.com A/MX record, because the _imap._tcp.server1.example.com would make the wildcard invalid for server1.example.com.
Simply, wildcarding is not for a case like this.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
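The wildcard rules behind this exchange, as an added example (Python, not code from the thread or from BIND): an RFC 4592-style lookup over a constructed zone, showing that an explicit _imap._tcp.server1.example.com record brings server1.example.com into existence so *.example.com no longer answers for it, and that a '*' which is not the leftmost label is just a literal label. All zone data, names and addresses below are constructed.

```python
"""RFC 4592 wildcard matching over a small zone (added example, constructed data)."""
from typing import Dict, List, Set, Tuple

# owner name -> rrtype -> list of rdata strings
Zone = Dict[str, Dict[str, List[str]]]


def norm(name: str) -> str:
    """Canonical owner name: lower case, no trailing dot."""
    return name.lower().rstrip(".")


def existing_names(zone: Zone, apex: str) -> Set[str]:
    """Every name at or below the apex that exists, including empty non-terminals.

    Defining _imap._tcp.server1.example.com also brings _tcp.server1.example.com
    and server1.example.com into existence (RFC 4592 section 2.2.2), although
    neither of them owns a single record.
    """
    depth = norm(apex).count(".") + 1  # number of labels in the apex
    names: Set[str] = set()
    for owner in zone:
        parts = norm(owner).split(".")
        for i in range(len(parts) - depth + 1):
            names.add(".".join(parts[i:]))
    return names


def lookup(zone: Zone, apex: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Answer qname/qtype from zone, returning (rcode, rdata list).

    - A name that exists (even as an empty non-terminal) is answered from its own
      records only; the wildcard is never consulted for an existing name.
    - Otherwise the closest encloser is the longest existing ancestor of qname, and
      '*.<closest encloser>' answers if that wildcard node exists, however many
      labels lie between the two.
    - A '*' that is not the leftmost label is an ordinary literal label.
    """
    records = {norm(owner): rrs for owner, rrs in zone.items()}
    names = existing_names(zone, apex)
    q = norm(qname)
    if q in names:
        return "NOERROR", list(records.get(q, {}).get(qtype, []))
    parts = q.split(".")
    for i in range(1, len(parts)):
        ancestor = ".".join(parts[i:])
        if ancestor in names:  # closest encloser; parts[i-1:] is known not to exist
            wildcard = "*." + ancestor
            if wildcard in names:  # may itself be an empty non-terminal: NODATA
                return "NOERROR", list(records.get(wildcard, {}).get(qtype, []))
            return "NXDOMAIN", []
    return "REFUSED", []  # qname is not under this zone at all


# The situation from the thread: a wildcard for the subdomains' A/MX records
# plus one explicit SRV record for server1 (constructed data).
ZONE: Zone = {
    "example.com.": {"NS": ["ns1.example.com."]},
    "*.example.com.": {"A": ["192.0.2.10"], "MX": ["10 mail.example.com."]},
    "_imap._tcp.server1.example.com.": {"SRV": ["0 0 993 main.example.com."]},
}

# The record the poster asked about: a '*' in the middle of the name is literal.
ZONE_MIDDLE_STAR: Zone = {
    "example.com.": {"NS": ["ns1.example.com."]},
    "_imap._tcp.*.example.com.": {"SRV": ["0 0 993 main.example.com."]},
}


if __name__ == "__main__":
    for zone, qname, qtype in [
        (ZONE, "server2.example.com", "A"),        # wildcard answers
        (ZONE, "server1.example.com", "A"),        # exists now, wildcard no longer applies
        (ZONE, "pop.server1.example.com", "A"),    # closest encloser is server1, no wildcard there
        (ZONE_MIDDLE_STAR, "_imap._tcp.server2.example.com", "SRV"),
        (ZONE_MIDDLE_STAR, "_imap._tcp.*.example.com", "SRV"),
    ]:
        print(f"{qname}/{qtype}: {lookup(zone, 'example.com', qname, qtype)}")
```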
queries for "_.domain"
Hello,

I have noticed that BIND sends strange (for me) queries:

 5 0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A _.net.akadns.net OPT
 8 0.204738 193.108.88.128 → 192.168.0.1 DNS 159 Standard query response 0x15a4 No such name A _.net.akadns.net SOA internal.akadns.net OPT
 9 0.205400 192.168.0.1 → 193.108.88.128 DNS 112 Standard query 0x3413 A _.office.net.akadns.net OPT
10 0.211944 193.108.88.128 → 192.168.0.1 DNS 166 Standard query response 0x3413 No such name A _.office.net.akadns.net SOA internal.akadns.net OPT
11 0.212646 192.168.0.1 → 193.108.88.128 DNS 128 Standard query 0x70df A _.omexexternallfb.office.net.akadns.net OPT
12 0.218782 193.108.88.128 → 192.168.0.1 DNS 182 Standard query response 0x70df No such name A _.omexexternallfb.office.net.akadns.net SOA internal.akadns.net OPT

Is this a known feature I have missed?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: queries for "_.domain"
On 18.05.24 07:10, Mark Andrews wrote:
> Correct. Later versions use NS queries as that allows named to cache the non-existence of the NS RRset.

I see this happened since 9.18.17. Luckily Debian 11/backports and Debian 12 have incorporated this version.

> Using _.domain doesn’t allow that to happen.

Which I guess caused my problem. Looking at the docs, I can only turn it off in previous versions.
(QNAME minimization was added in 9.13.2)

> NS queries do however expose broken delegations. Make sure you have working NS records at the zone apex and at the delegation point. This is especially important when the server serves multiple levels in the zone hierarchy as intermediate delegations are often not seen without QNAME minimisation but are with QNAME minimisation.

Luckily this is a resolving-only server.

> We have had bug reports due to all delegating NS records referring to non-existing servers. We have had bug reports due to garbage records at the zone apex.

I encountered problems like this in the past. And then people wonder why their DNS doesn't work properly.
The "google (8.8.8.8) works" argument is problematic because google violates DNS in cases like this.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: CNAME and IPv6
On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock wrote:
> > rinetd manages 2 separate connections and should work with PMTUD.

On 28.05.24 22:17, Peter wrote:
> I'm wondering how it would. The connections are TCP, the PMTU works via ICMP6.

No, Path MTU discovery works with TCPv4 using ICMPv4 as well.
(although it was/is quite common to block ICMP packets, which can make it not work properly)

> So I would assume the ICMP "packet too big" message reaches the host where rinetd runs, is swallowed by the kernel, and the kernel sets the MTU in its hostcache. Or something along that line. The TCP traffic however gets forwarded by rinetd to the internal appserver(s) - which never get the message that they should reduce their MTU.

The data from one TCP connection are sent through another TCP connection, where both connections are separate, with separate MTU and PMTUD.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Problem with a certain domain
On 03.06.24 18:46, Thomas Barth via bind-users wrote:
> I cannot send them an email to inform them about a DNS problem. The mail gets stuck in the queue.
>
> postqueue -p
> (Host or domain name not found. Name service error for name=mx.renr.es type=A: Host not found, try again) r...@mallorcazeitung.es
>
> Bind reports a communication error.
>
> dig mx.renr.es
> ;; communications error to 127.0.0.1#53: timed out
>
> I could enable the bind logging:
>
> 03-Jun-2024 18:34:22.681 client @0x7f014c88ed68 127.0.0.1#54496 (mallorcazeitung.es): query: mallorcazeitung.es IN MX +E(0)K (127.0.0.1)
> 03-Jun-2024 18:34:36.098 client @0x7f014ef48168 127.0.0.1#59706 (mx.renr.es): query: mx.renr.es IN A +E(0)K (127.0.0.1)
> 03-Jun-2024 18:34:41.106 client @0x7f014dd71768 127.0.0.1#56423 (mx.renr.es): query: mx.renr.es IN A +E(0)K (127.0.0.1)
>
> Should I perhaps ask the mail user to unsubscribe from this website due to troubles of bad configuration?

yeah I guess you should, their DNS servers are pretty much messed up:

% dig ns epi.es @213.4.119.2

; <<>> DiG 9.18.24-1-Debian <<>> ns epi.es @213.4.119.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42145
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;epi.es.                    IN      NS

;; ANSWER SECTION:
epi.es.             259200  IN      NS      ns3.epi.es.
epi.es.             180     IN      NS      ns1.epi.es.
epi.es.             300     IN      NS      ns1.epi.es.
epi.es.             300     IN      NS      ns2.epi.es.
epi.es.             3600    IN      NS      ns2.epi.es.

% dig ns1.epi.es @213.4.119.2

; <<>> DiG 9.18.24-1-Debian <<>> ns1.epi.es @213.4.119.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57889
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 5, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.epi.es.                IN      A

;; ANSWER SECTION:
ns1.epi.es.         300     IN      A       213.0.95.2
ns1.epi.es.         300     IN      A       213.0.95.2
ns1.epi.es.         300     IN      A       213.0.95.2
ns1.epi.es.         300     IN      A       213.0.95.2
ns1.epi.es.         300     IN      A       213.0.95.2
ns1.epi.es.         300     IN      A       213.0.95.2
ns1.epi.es.         300     IN      A       213.0.95.2
ns1.epi.es.         300     IN      A       213.0.95.2

;; AUTHORITY SECTION:
epi.es.             259200  IN      NS      ns3.epi.es.
epi.es.             180     IN      NS      ns1.epi.es.
epi.es.             300     IN      NS      ns1.epi.es.
epi.es.             300     IN      NS      ns2.epi.es.
epi.es.             3600    IN      NS      ns2.epi.es.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
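A check for the two defects visible in the dig output above, as an added example (Python, not code from the post): every RR of one RRset must carry the same TTL (RFC 2181 section 5.2), and an RRset should not repeat the same RR. The sample lines are the answer sections quoted above, re-typed in dig's presentation format, which the parser assumes.

```python
"""Flag mixed TTLs and duplicate RRs in dig answer sections (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

RR = Tuple[str, int, str, str]  # owner, ttl, type, rdata
# owner  ttl  IN  TYPE  rdata   (dig's default presentation format)
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>\S.*?)\s*$"
)


def parse_rrs(text: str) -> List[RR]:
    """Extract resource records from dig output; comment and blank lines are skipped."""
    rrs: List[RR] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            rrs.append((m["owner"].lower(), int(m["ttl"]), m["type"], m["rdata"].lower()))
    return rrs


def check_rrsets(rrs: List[RR]) -> List[str]:
    """Return one finding per problem, grouping records into RRsets by (owner, type)."""
    by_set: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
    for owner, ttl, rtype, rdata in rrs:
        by_set[(owner, rtype)].append((ttl, rdata))
    findings: List[str] = []
    for (owner, rtype), members in sorted(by_set.items()):
        ttls = sorted({ttl for ttl, _ in members})
        if len(ttls) > 1:  # RFC 2181 5.2: all RRs of an RRset share one TTL
            findings.append(f"{owner} {rtype}: mixed TTLs {ttls} in one RRset")
        for rdata, n in sorted(Counter(rdata for _, rdata in members).items()):
            if n > 1:
                findings.append(f"{owner} {rtype}: {rdata} listed {n} times")
    return findings


# Answer sections from the two dig queries against 213.4.119.2 quoted above.
NS_ANSWER = "\n".join([
    ";; ANSWER SECTION:",
    "epi.es.\t\t259200\tIN\tNS\tns3.epi.es.",
    "epi.es.\t\t180\tIN\tNS\tns1.epi.es.",
    "epi.es.\t\t300\tIN\tNS\tns1.epi.es.",
    "epi.es.\t\t300\tIN\tNS\tns2.epi.es.",
    "epi.es.\t\t3600\tIN\tNS\tns2.epi.es.",
])
A_ANSWER = "\n".join(["ns1.epi.es.\t\t300\tIN\tA\t213.0.95.2"] * 8)


if __name__ == "__main__":
    for text in (NS_ANSWER, A_ANSWER):
        for finding in check_rrsets(parse_rrs(text)):
            print(finding)
```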
Re: Problem with a certain domain
On 2024-06-04 15:28, Greg Choules wrote:
> > Firstly, I doubt you actually need to kill and restart `named`. Flushing the cache would probably work, either all of it or just selected names.
> > Secondly, take a packet capture of this happening and analyse what BIND is really doing, in Wireshark.
> > - If it shows up that certain NS are causing the problem you can avoid them, in config.
> > - If it's a DNSSEC issue, you can get around that on a per-domain basis, if needed.
> > - If it turns out that qname minimization is the issue, you can play with settings for that, too.
> > In short, there are plenty of tools in the kit bag. But understand what the problem is first and to do that, gather data (pcaps and logs) that can be used to paint a picture of what's really happening.

On 04.06.24 19:17, Thomas Barth via bind-users wrote:
> The newsletter is only sent out once a day, so I would have to wait until tomorrow. I'll record it then. I have already experimented with tshark and recorded port 53. What I noticed as a network layman is that a certain response takes much longer on server 1 with the problems than on server 2.

if the problem happens again, you can call 'rndc dumpdb' to dump named's cache and see all records your named remembers about mallorcazeitung.es and epi.es; perhaps they can help to explain why named can't resolve anything.

> It's the message: No such name NS _domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
>
> Here is a part of the recording of server 1 with the problem, almost a delay of 2 seconds! (tshark -w dns-mx1-l5.pcap -i eth0 -f "src port 53")
> [...]
> 6 18:35:38,719369034 216.239.32.106 213.136.83.xxx DNS 141 Standard query response 0x69ac A ns3.prensaiberica.net A 34.175.122.60 OPT
> 7 18:35:40,333128992 34.175.122.60 213.136.83.xxx DNS 162 Standard query response 0xf393 No such name NS _domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
> 8 18:35:40,370838540 194.69.254.1 213.136.83.xxx DNS 1219 Standard query response 0xaadc DS mallorcazeitung.es NSEC3 RRSIG SOA ns1.nic.es RRSIG NSEC3 RRSIG OPT
> 9 18:35:40,402465454 34.175.171.102 213.136.83.xxx DNS 165 Standard query response 0x7bfa A s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
>
> Here is the part of the recording of server 2 (tshark -w dns-mx2-l5.pcap -i eth0 -f "src port 53")
> 5 18:32:03,019743724 213.4.119.2 167.86.126.xxx DNS 139 Standard query response 0x36bf A ns4.prensaiberica.net A 34.175.171.102 NS ns1.epi.es NS ns2.epi.es
> 6 18:32:03,052680383 194.69.254.1 167.86.126.xxx DNS 1219 Standard query response 0x5643 DS mallorcazeitung.es NSEC3 RRSIG SOA ns1.nic.es RRSIG NSEC3 RRSIG OPT
> 7 18:32:03,087003657 34.175.122.60 167.86.126.xxx DNS 162 Standard query response 0x3d78 No such name NS _domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
> 8 18:32:03,120746561 34.175.171.102 167.86.126.xxx DNS 165 Standard query response 0x3a41 A s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
>
> I therefore suspect that the delay will be even greater tomorrow again when the newsletter arrives, so that the "communication error" will occur again.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
qname minimisation per domain
Hello,

I have noticed that especially DNS blocklists cause errors like:

Jul 14 01:41:28 fantomas named[1854]: success resolving 'D.C.B.A.zen.spamhaus.org/A' after disabling qname minimization due to 'ncache nxdomain'

and blocklists like spamhaus are sensitive to too many queries.

is it possible to disable query minimisation for particular domains?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: qname minimisation per domain
On 15 Jul 2024, at 23:27, Matus UHLAR - fantomas wrote:
> > I have noticed that especially DNS blocklists cause errors like:
> >
> > Jul 14 01:41:28 fantomas named[1854]: success resolving 'D.C.B.A.zen.spamhaus.org/A' after disabling qname minimization due to 'ncache nxdomain'
> >
> > and blocklists like spamhaus are sensitive to too many queries.
> > is it possible to disable query minimisation for particular domains?

On 16.07.24 09:23, Mark Andrews wrote:
> Is it really too much effort for the servers to return NOERROR instead of an incorrect NXDOMAIN for the intermediate names? That would get rid of the log message.

These seem to run rbldnsd, which is optimised for memory usage and speed of response, and returning different replies would, I guess, affect speed.

> It’s changing 1 bit (0 vs 4 for the rcode) in the DNS header. They don’t even have to lookup if there are names below the query. The server can just assume that there are records there and return NOERROR for [0..255].zen.spamhaus.org, [0..255].[0..255].zen.spamhaus.org and [0..255].[0..255].[0..255].zen.spamhaus.org.
> Really we would like to be able to move to strict QNAME minimisation so we don’t need to make all the other queries after the first NXDOMAIN response but broken implementations like this are making that difficult. It’s not like this is a new requirement. A NOERROR response goes back to RFC 1034.

I see there's an issue and merge containing exactly this change:
https://github.com/spamhaus/rbldnsd/issues/17

The discussion also mentions things like

  There is also quite a lot of consensus in the SMTP World that qname minimization shouldn't be used on the resolvers used by mail servers

and

  For the IP(v4 and v6) datasets, all of them, we could implement a hackish solution so that when a query for a "partial" ip address is received, rbldnsd doesn't reply NXDOMAIN but NOERROR instead.

> Additionally Spamhaus controls how often resolvers re-query. 10 seconds is a very short negative response TTL. If they don’t like the query rate they can control it by returning longer negative cache responses. Named does check in the cache for negative cache entries to determine whether or not to make the intermediate QNAME minimisation queries.

Lower negative TTLs allow for faster listing detection.
I also believe that it is in Spamhaus' interest to have more paying clients (although this may not be the primary reason for short negative TTLs).

I guess for now, since qname minimization increases the number of queries sent and the resolving time, I should disable qname-minimization on all named instances used by mail servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
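A small model of the behaviour discussed in this thread and in the "queries for _.domain" thread above, as an added example (Python, not named's or rbldnsd's code): a resolver that minimises the query name with NS probes is run against a DNSBL-style server that answers partial names either with the incorrect NXDOMAIN or with the NOERROR reply suggested above, in a relaxed mode that falls back to the full name and in a strict mode that trusts the NXDOMAIN. The apex zen.spamhaus.org is assumed to be the already-known zone cut, and the listed entry, addresses and server name are constructed.

```python
"""Model of QNAME minimisation against a DNSBL-style zone (added example)."""
from typing import Callable, List, Tuple

DNSBL_APEX = "zen.spamhaus.org"
LISTED = {"1.2.0.192"}  # constructed: 192.0.2.1 in reversed-octet form is "listed"

Server = Callable[[str, str], Tuple[str, List[str]]]  # (qname, qtype) -> (rcode, rdata)


def labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def dnsbl_server(qname: str, qtype: str, noerror_for_partials: bool) -> Tuple[str, List[str]]:
    """Authoritative model for DNSBL_APEX.

    Full names (<d>.<c>.<b>.<a>.zen.spamhaus.org) answer 127.0.0.2 when listed and
    NXDOMAIN otherwise. The 1- to 3-octet names a minimising resolver probes get
    either the incorrect NXDOMAIN discussed in the thread or a NOERROR/NODATA reply
    (the server simply assumes names exist below, no lookup needed).
    """
    q, apex = labels(qname), labels(DNSBL_APEX)
    if len(q) < len(apex) or q[-len(apex):] != apex:
        return "REFUSED", []
    octets = q[:-len(apex)]
    if not octets:  # the apex itself (constructed NS name)
        return "NOERROR", ["ns.dnsbl.example."] if qtype == "NS" else []
    if len(octets) == 4:
        if ".".join(octets) in LISTED:
            return "NOERROR", ["127.0.0.2"] if qtype == "A" else []
        return "NXDOMAIN", []
    return ("NOERROR", []) if noerror_for_partials else ("NXDOMAIN", [])


def broken_server(qname: str, qtype: str) -> Tuple[str, List[str]]:
    return dnsbl_server(qname, qtype, noerror_for_partials=False)


def fixed_server(qname: str, qtype: str) -> Tuple[str, List[str]]:
    return dnsbl_server(qname, qtype, noerror_for_partials=True)


def resolve(qname: str, qtype: str, server: Server, strict: bool
            ) -> Tuple[str, List[str], List[str], bool]:
    """Resolve qname with QNAME minimisation, starting from the known cut DNSBL_APEX.

    Returns (rcode, rdata, queries sent, fell_back). Intermediate names are probed
    with NS queries, as named does since 9.18.17, so a negative reply can be cached
    against that name. In relaxed mode (strict=False) an NXDOMAIN for an intermediate
    name is not trusted: the full qname is sent instead, which is what named logs as
    "disabling qname minimization due to 'ncache nxdomain'". In strict mode that
    NXDOMAIN is final. Delegations to other servers are not modelled: one server
    answers everything below the apex.
    """
    q, apex = labels(qname), labels(DNSBL_APEX)
    queries: List[str] = []
    if len(q) <= len(apex) or q[-len(apex):] != apex:
        return "REFUSED", [], queries, False
    for n in range(len(apex) + 1, len(q) + 1):
        name = ".".join(q[-n:])  # one more label than the previous probe
        full = n == len(q)
        t = qtype if full else "NS"
        queries.append(f"{name}/{t}")
        rcode, rdata = server(name, t)
        if full:
            return rcode, rdata, queries, False
        if rcode == "NXDOMAIN":
            if strict:
                return "NXDOMAIN", [], queries, False
            queries.append(f"{qname}/{qtype}")  # relaxed: retry with the full name
            rcode, rdata = server(qname, qtype)
            return rcode, rdata, queries, True
        # NOERROR, with or without NS data: the name exists, keep adding labels
    return "SERVFAIL", [], queries, False  # not reached for in-zone names


if __name__ == "__main__":
    for label, server, strict in [("fixed/relaxed", fixed_server, False),
                                  ("broken/relaxed", broken_server, False),
                                  ("broken/strict", broken_server, True)]:
        print(label, resolve("1.2.0.192.zen.spamhaus.org", "A", server, strict))
```

The broken/strict run shows why strict minimisation cannot be switched on against such servers: a listed address comes back as NXDOMAIN after a single probe.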
forwarding ".local" subdomains when "local" exist
Hello,

our customer has a private .local zone "example.local" (I know this should be used for multicast...) so I have configured forwarding of queries for this domain to his servers:

zone "example.local" {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};

zone "168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};

Since some queries for the ".local" zone were leaking out of their network, I have long ago locally configured an empty zone "local":

zone "local" {
    type master;
    file "/etc/bind/db.empty";
};

Now, the resolution of "example.local" does not work, named returns "nxdomain", doesn't forward the query.

when I commented out the "local" zone, named started working, I just needed to add

validate-except { "local"; };

guess I understand why.

From the history I remember that defining a zone (example.local) with no delegation in the parent zone (local) does not cause issues (locally).
Is "type forward" special in this case?

Debian 12, BIND 1:9.18.28-1~deb12u2

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: forwarding ".local" subdomains when "local" exist
On 16.08.24 19:55, Tim Maestas wrote:
> You need to have the delegation in the parent in order for the forwarding to kick in. It can be bogus, but it has to be there. You'll find the same behavior when you're authoritative for the root zone; any type forward zones will need to also have NS in the root (or closest enclosing authoritative zone).

Thanks, this worked. I created the ".local" zone (copied from db.empty) with a dummy NS for "example.local" and forwarding works, just as ".local" is resolved locally.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: ISC launches new website and mailing list manager
On 17.11.08 05:10, Mark Andrews wrote:
> https://www.isc.org/software/bind/documentation
> which is in the bullet list as
> Documentation and external links (Reference manuals, FAQ, etc)
> on https://www.isc.org/software/bind

- the HTML version of the 9.5 ARM is said to be there, but I can't see the link (at least the "BIND 9.5" isn't a link while "BIND 9.4" is).
- Why were HTML versions of previous ARMs removed?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Re: Just to make sure I have TTL's understood.
On 25.11.08 23:15, Scott Haneda wrote:
> Based on your suggestions, I have made a template zone file to base all new zones on, do you agree with this?
>
> * When I need to change to a low TTL for migration needs, what would be the approach to that with this template format?

I personally use a default TTL of 43200, and higher only for NS records (and appropriate A records) to have the same TTL as the glue records in parent domains.

> $TTL 1D
> @     IN SOA  ns1.hostwizard.com. scott.hostwizard.com. (
>               200810011 ; serial, todays date + todays serial #
>               8H        ; refresh
>               2H        ; retry
>               4W        ; expire
>               1H )      ; minimum
> @     IN NS   ns1.hostwizard.com.
> @     IN NS   ns1.nacio.com.
> @     IN MX   10 gonepostal.hostwizard.com. ; Primary Mail Exchanger
>
> ; email server base
> pop   IN A    64.84.37.6
> smtp  IN A    64.84.37.6
> imap  IN A    64.84.37.6
> @     IN TXT  "v=spf1 ip4:64.84.37.0/26 ?all"
>
> ; http website base
> ;@    IN A    64.84.37.x
> ;www  IN A    64.84.37.x
> ;ftp  IN A    64.84.37.x

those @'s are useless most of the time: if you don't provide a name, the RR applies to the last name provided.
Move the TXT just after the SOA and you can remove them all.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Re: rndc-confgen no response
> > /dev/random has run out of random bits. You need to make
> > your machine generate more of them.

On 29.11.08 14:12, Ken DBA wrote:
> Could I clear /dev/random to zero by hand?

why would you do that? if you run out of random bits, you need more
entropy, not less of it... search for entropy gathering daemons, or look if
your CPU/motherboard has a hardware random number generator...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
My mind is like a steel trap - rusty and illegal in 37 states.
Re: resolving issue
On 06.12.08 06:51, Binmakhashen, Latif wrote:
> # nslookup yahoo.com
> ;; Got recursion not available from [IP Removed], trying next server
> ;; connection timed out; no servers could be reached
>
> I'm having trouble resolving internet queries from my server.
> The next servers are in the DMZ zones and I can not reach so I already
> know why the next server times out but I should be able to resolve
> internet queries from my server.

Apparently all of the servers in your /etc/resolv.conf are unreachable.
That may be bad configuration (bad servers in resolv.conf), a firewall
problem and maybe something even different.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
WinError #98652: Operation completed successfully.
Re: 50 million records under one domain using Bind
On 13.12.08 17:09, Vinay Y S wrote:
> I am studying the scalability and performance characteristics of
> different DNS servers. Goal is to find the best suitable server to
> host a single domain with 50 million records. I am planning to install
> Fedora 10 x86_64 on a 32GB RAM machine and use the Bind that comes
> with it for this experiment.

what kind of records do you want to store?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Chernobyl was a Windows 95 beta test site.
Re: 50 million records under one domain using Bind
> > On 13.12.08 17:09, Vinay Y S wrote:
> >> I am studying the scalability and performance characteristics of
> >> different DNS servers. Goal is to find the best suitable server to
> >> host a single domain with 50 million records. I am planning to install
> >> Fedora 10 x86_64 on a 32GB RAM machine and use the Bind that comes
> >> with it for this experiment.

> 2008/12/13 Matus UHLAR - fantomas :
> > what kind of records do you want to store?

On 13.12.08 19:01, Vinay Y S wrote:
> Mostly A, CNAME, MX and TXT records.

so they're generic DNS data, nothing special like RBL ?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows found: (R)emove, (E)rase, (D)elete
Re: 50 million records under one domain using Bind
On 13.12.08 23:12, Vinay Y S wrote:
> The record names and values could be any valid labels. All the record
> names I plan to use for tests are of form sub.domain.tld and values
> are IP addresses for A record and other suitable values for other
> record types. Would the nature of record types and values have
> significant effect on the result of this experiment?

for example, rbldnsd supports only a few types of records, but can store
them very effectively, e.g. IP addresses. For all types of DNS records and
values, it's apparently not useful

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #98652: Operation completed successfully.
Re: is this a valid zone file?
On 21.12.08 03:54, Jack Tavares wrote:
> Looking at rfc2317
> $ORIGIN 2.0.192.in-addr.arpa.
> @ IN SOA my-ns.my.domain. hostmaster.my.domain. (...)
> ;...
> ; <<0-127>> /25
> 0/25 NS ns.A.domain.
> 0/25 NS some.other.name.server.
[...]
> That has no NS server defined for the zone, just the ranges of the zone.
> Is that valid?

it is, but may cause problems. NS records for the zone itself should be
defined.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: logs
> Chris Buxton says what?:
> > /etc/default/sysklogd

On 21.12.08 07:59, billious wrote:
> Would that not be:
> /etc/default/syslogd ?

in debian, the package's name is sysklogd (although klogd was already split
into another package).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
Re: is this a valid zone file?
On 21.12.08 04:21, Jack Tavares wrote:
> as specified, wouldn't this zone then be non-authoritative

I believe BIND doesn't check NS Records when deciding if it should set the
"AA" flag and only takes care about the records being from zone
(master/slave) or authoritative source (for AA records) or cache.

> > That has no NS server defined for the zone, just the ranges of the zone.
> > Is that valid?
>
> it is, but may cause problems. NS records for the zone itself should be
> defined.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Microsoft dick is soft to do no harm
Re: cache poisoning counter-measures
On 05.01.09 15:29, Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
>
> Bind version 9.4.1 running in chroot jail.

The bug does not lie in server operations. It lies in client operations.
While people are querying your slave server, you have no problem. If you
send recursive queries to the mentioned name server, and it sends queries
out, that is a problem. It must send queries from randomised ports, which
means that not only packets to tcp/udp port 53 from outside must be
allowed, but packets from any port on your server to tcp/udp 53 anywhere
must be allowed, and also packets from tcp/udp port 53 anywhere to any port
on your server must be allowed.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
Re: Conflicting glue records?
> On Wed, Jan 7, 2009 at 6:29 PM, Milo Hyson wrote:
> > If different registrars contain different host records for the same name
> > server, what glue records are established in the root servers? Suppose two
> > domains at different registrars both list ns1.mydomain.com as a nameserver
> > but each gives a different IP. Are the results undefined? Is there some rule
> > that is followed to resolve the conflict?

On 07.01.09 19:14, Dawn Connelly wrote:
> Each registrar pushes the information that they have. So if you have
> apples.com with an NS record of ns1.dns.com==137.161.0.1 and
> oranges.com with a NS record of ns1.dns.com=137.161.0.2

I think only the registrar of dns.com should provide glue records for
anything below dns.com. If it happened this way, it's imho broken.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"Where do you want to go to die?" [Microsoft]
Re: Conflicting glue records?
> > On 07.01.09 19:14, Dawn Connelly wrote:
> >> Each registrar pushes the information that they have. So if you have
> >> apples.com with an NS record of ns1.dns.com==137.161.0.1 and
> >> oranges.com with a NS record of ns1.dns.com=137.161.0.2

> On Thu, Jan 8, 2009 at 12:31 AM, Matus UHLAR - fantomas wrote:
> > I think only the registrar of dns.com should provide glue records for
> > anything below dns.com. If it happened this way, it's imho broken.

On 08.01.09 00:41, Dawn Connelly wrote:
> Right, but his question was regarding the host record for the name
> server. You tell the registrar the name and IP address of the name
> servers that are authoritative for the domain. The registrar then
> pushes those glue records to the root servers. Root doesn't care what
> the name and/or IP address of the name servers are. They are unrelated
> across domains. There isn't any cross domain verification. If you say
> that the FQDN and IP address of the authoritative name server is
> something, the registrar believes you and tells root. Root believes
> the registrar. The registrar and root don't do a lookup on the FQDN of
> the name server that is provided - hence it being called a glue record.
> You have to manually enter that data. At least that has been the case
> with every registrar I've dealt with.

What I was trying to say is that both registrar and root (if possible)
should check if the glue belongs under the registered domain. If not, the
glue should not be accepted. If I register example.com, it's OK to register
_anything_.example.com as glue. However, registering _anything_.example.net
should not be accepted. I wonder how it is possible that anyone accepts
that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Enter any 12-digit prime number to continue.
Re: Issues in delegating to subdomain owned by other company
On 10.01.09 14:04, blrmaani wrote:
> When we delegate a subdomain, should the nameserver to which we delegate
> be AUTHORITATIVE?

yes

> What happens if the nameserver to which we delegate the subdomain is a
> NON-AUTHORITATIVE nameserver (eg., cache-only name server)? Could this
> be the reason for failure?

yes

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I just got lost in thought. It was unfamiliar territory.
Re: Multiple PTR records
> On Jan 15, 2009, at 6:33 AM, Halassy Zoltán wrote:
> > I don't want to break forward <-> reverse mapping.
> >
> > www.example.com. A 1.2.3.4
> > mail.example.com. A 1.2.3.4
> > 4.3.2.1.in-addr.arpa. PTR www.example.com.
> > 4.3.2.1.in-addr.arpa. PTR mail.example.com.
> > Would this one break anything? Or anyone else have a better tip how
> > could i handle this situation? Multiple PTRs in this case is really
> > an issue?

On 15.01.09 10:19, Chris Buxton wrote:
> Yes, it is an issue. Remove this record:
>
> 4.3.2.1.in-addr.arpa. PTR www.example.com.
>
> Your web server doesn't need a PTR record.
>
> > The main thing i don't want to break forward <-> reverse symmetry
> > cause there are some sanity checks about this (like in spamfiltering).
>
> Right, your mail server ought to have a PTR record. Your web server,
> however, does not need it.

Actually, it doesn't matter which PTR record will remain, unless there will
be any SPF record pointing to it. And even a mail server does not need a
PTR record, if it only accepts mail, but does not send. The valid PTR is
important when sending mail - many servers will refuse connections from IPs
without valid PTR and A records. The contents of the record is not that
much important (unless using SPF), although some servers refuse mail from
generic-looking names (e.g. a-b-c-d.anything.example)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
How does cat play with mouse? cat /dev/mouse
Re: Multiple PTR records
> On Jan 16, 2009, at 7:13 AM, Matus UHLAR - fantomas wrote:
> > Actually, it doesn't matter which PTR record will remain, unless there
> > will be any SPF record pointing to it.

On 16.01.09 10:12, Chris Buxton wrote:
> That is a common misconception.

No, it is not.

> I have seen mail bounced because of a
> mismatch between SMTP greeting name and PTR record name. It's not as
> common as the simple "is there any PTR record" check, but it does
> happen.

- it's a clear violation of RFC 5321 (and former 2821, 821) - server MUST
  NOT reject connection because of that.
- some (many?, most?) SMTP clients can resolve their local address and use
  it as HELO string.

> The SMTP greeting name should also have an A record that resolves back
> to the address used as the source address of the connection.

There's "should" contrary to "MUST NOT" RFC section...

> I once
> saw an SMTP server used to send mail from several unrelated domains,
> where each one was sent out through a different address. The mail
> server used the same name in the SMTP greeting regardless of which
> domain it was sending for, and this caused problems for all of the
> other domains.

This doesn't say anything about the source of the problem. If someone does
not follow RFCs, I don't think we should "fix" the problem on our side.

And, again - it does not matter which PTR record will be left. But it must
point to a name that points back to the IP. And of course, if you send
mail, your MTA should be smart enough (or configured) to know what to use
in HELO.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Send this email to 100 of your friends - let them see what an idiot you are
Re: Disable cache in bind 9.6
> > On 20.01.09 12:49, Dmitry Rybin wrote:
> >> How to disable cache in bind-9.6? ttl=0 - bad idea.

> Matus UHLAR - fantomas wrote:
> > if you know that setting TTL to 0 is a bad idea, why do you think that
> > disabling a cache in BIND is not a bad idea?

On 20.01.09 18:39, Dmitry Rybin wrote:
> Because under high load cache grows to maximum system size and stops
> responding to queries. This is a known problem.

Did you set up maximum cache size to a sane value?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Enter any 12-digit prime number to continue.
Re: Disable cache in bind 9.6
> On Jan 20, 2009, at 4:49 AM, Dmitry Rybin wrote:
> > How to disable cache in bind-9.6? ttl=0 - bad idea.

On 20.01.09 14:44, John Wobus wrote:
> Disabling the cache makes sense if the purpose of your
> nameserver is to provide your authoritative zone data and you
> have a different nameserver to handle your site's general
> DNS queries.

in such case it's much better to disable recursion and not use such server
for resolution, unless it's a MUST (e.g. firewalls).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
Re: denied NS/IN
On 20.01.09 17:52, Frank Bulk wrote:
> That's being discussed on NANOG, here's one thread:
> http://markmail.org/message/ydiqnztzmz5qmusf
>
> See here for more details in blocking them:
> http://www.cymru.com/Documents/secure-bind-template.html
> specifically:
>
> blackhole {
>     // Deny anything from the bogon networks as
>     // detailed in the "bogon" ACL.
>     bogon;
> };
>
> Note that isprime is suggesting an ACL on your firewall or router.

Especially when in the article above they ask for NOT blackholing them :)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Christian Science Programming: "Let God Debug It!".
Re: Disable cache in bind 9.6
> >>> On 20.01.09 12:49, Dmitry Rybin wrote:
> >>>> How to disable cache in bind-9.6? ttl=0 - bad idea.

> >> Matus UHLAR - fantomas wrote:
> >>> if you know that setting TTL to 0 is a bad idea, why do you think that
> >>> disabling a cache in BIND is not a bad idea?

> > Dmitry Rybin wrote:
> >> Because under high load cache grows to maximum system size and stops
> >> responding to queries. This is a known problem.

> Alan Clegg wrote:
> > This is NOT a "known problem" in 9.6. Please provide your configuration
> > and logs that show the issue that you are having.

On 21.01.09 12:10, Dmitry Rybin wrote:
> this is a known problem of all bind's. Bind grows up to 2Gb, becomes slow
> to answer queries and can't restart, only kill -9. FreeBSD 5.x7.1,
> Linux 2.6.

This is _NOT_ a problem of BIND. This is a problem of its admin who can't
read the docs and set up max-cache-size, which does exactly what is needed
in this case.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
It's now safe to throw off your computer.
Re: Disable cache in bind 9.6
> Matus UHLAR - fantomas wrote:
> > This is _NOT_ a problem of BIND. This is a problem of its admin who can't
> > read the docs and set up max-cache-size, which does exactly what is needed
> > in this case.

On 21.01.09 17:38, Dmitry Rybin wrote:
> Hmm... And why does bind allocate all system memory, if max-cache-size is
> 16M? And views... 50 views. 16*50=800M. Only 800M, this is not 3..4GB of
> system memory.

lower it down to e.g. 4-8MB to see if it helps a bit. But I'd think if 50
views is really needed here... and if you have 800 MB of cache and 4GB of
used memory, I'd say that size of the cache is not the real problem

btw is the max-cache-size really per-view?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
EDNS timeouts - log IP address
Hello,

I see that logs of EDNS problems show the RR which was successfully resolved
after changing packet size or disabling EDNS, but shouldn't they log the IP
which has this problem?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Depression is merely anger without enthusiasm.
Re: reverse lookup to CNAME
> In article , John Bond wrote:
> > My idea was to create records like the following
> >
> > zone for .local
> >
> > bob-www-sol-l01 IN A 1.1.1.1
> > metis           IN CNAME bob-www-sol-l01
> >
> > zone for 1.1.1
> >
> > 1 IN CNAME metis.local.

On 23.01.09 23:06, Barry Margolin wrote:
> Why don't you just use normal reverse DNS:
>
> zone for 1.1.1.in-addr.arpa
>
> 1 IN PTR metis.local.
>   IN PTR bob-www-sol-l01.local.

if metis.local is a CNAME, the PTR shouldn't point to it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Emacs is a complicated operating system without good text editor.
Re: reverse lookup to CNAME
> On Sat, Jan 24, 2009 at 9:21 PM, Matus UHLAR - fantomas wrote:
> >
> > if metis.local is a CNAME, the PTR shouldn't point to it.

On 25.01.09 10:14, John Bond wrote:
> could you please explain this.

Although it's good to remove the irrelevant part of the text you are
replying to, this time you removed the relevant part. I'm pasting it
below...

> When i tried this host did not resolve
> the cname. i.e a host 1.1.1.1 returned metis.local. it did not know
> to resolve metis.local as bob

the host 1.1.1.1 returned that 1.1.1.1.in-addr.arpa is a CNAME to
metis.local. It's not a reverse record, the PTR is, and metis.local has no
PTR. Even if it did, the PTR should be on 1.1.1.1.in-addr.arpa, you are
putting one more unnecessary step into resolution.

[pasted relevant text]

> > bob-www-sol-l01 IN A 1.1.1.1
> > metis           IN CNAME bob-www-sol-l01
> >
> > zone for 1.1.1
> >
> > 1 IN CNAME metis.local.

On 23.01.09 23:06, Barry Margolin wrote:
> Why don't you just use normal reverse DNS:
>
> zone for 1.1.1.in-addr.arpa
>
> 1 IN PTR metis.local.
>   IN PTR bob-www-sol-l01.local.

according to the above, metis.local is a CNAME, so the reverse should point
to bob-www-sol-l01.local. - pointing it to metis.local. would be incorrect.

And although two or more PTRs usually make no problems, it's recommended
not to do that, because some SWs just can't handle that (even if they would
all be correct). So, keep only the PTR to bob-www-sol-l01.local.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
On 26.01.09 09:19, bsfin...@anl.gov wrote:
> If I have in DNS
>
> cn IN CNAME realname
>
> and I query for cn, the DNS resolver will return "realname".
> BIND also returns the "A" record for realname. Is this a requirement?
> If not, then
>
> mx IN 10 MX cn
>
> will result in:
>
> 1) the MX query returning cn,
>
> 2) the cn query returning realname,
>
> 3) a third (and RFC-breaking) query to get the "A" for realname.
>
> There are only two queries if the resolver returns the "A" record along
> with the realname of the CNAME record.

according to RFC1035 sect. 3.3.9
"MX records cause type A additional section processing for the host
specified by EXCHANGE."

according to RFC2181 sect 10.3.
"The domain name used as the value of a NS resource record, or part of the
value of a MX resource record must not be an alias."
"It can also have other RRs, but never a CNAME RR."
"Additional section processing does not include CNAME records"...
"Thus, if an alias is used as the value of an NS or MX record, no address
will be returned with the NS or MX value."

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: reverse lookup to CNAME
> > On 23.01.09 23:06, Barry Margolin wrote:
> > > Why don't you just use normal reverse DNS:
> > >
> > > zone for 1.1.1.in-addr.arpa
> > >
> > > 1 IN PTR metis.local.
> > >   IN PTR bob-www-sol-l01.local.
> >
> > according to the above, metis.local is a CNAME, so the
> > reverse should point to bob-www-sol-l01.local. - pointing it
> > to metis.local. would be incorrect.
> > And although two or more PTRs usually make no problems, it's
> > recommended not to do that, because some SWs just can't
> > handle that (even if they would all be correct). So, keep
> > only the PTR to bob-www-sol-l01.local.

On 26.01.09 08:20, Ben Bridges wrote:
> Section 3.3.12 of RFC 1035 (PTR RDATA format) appears to say that no
> constraints are placed upon a domain-name that is the RDATA of a PTR
> record, that it is simple data and no special meaning or further
> processing is associated with it (hence implying that it is ok if that
> domain-name is defined as a CNAME somewhere else in the domain space).
> Is that not the case? Is there some other part of the DNS specification
> that forbids it?

RFC 2181 sect. 10.2. mentions that
"...the relevant section of RFC1034 (section 3.6.2) indicates that the value
of a PTR record should be a canonical name."
"Note that while the value of a PTR record must not be an alias"...

I know about SWs that reject the PTR if it points to a CNAME.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #9: Out of error messages.
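The points argued across the RFC 2317 thread (NS records for the zone itself), the "Multiple PTR records" thread (forward/reverse symmetry, more than one PTR per address) and the "reverse lookup to CNAME" thread (a PTR, NS or MX value must not be an alias, RFC 2181 sections 10.2 and 10.3) can all be checked mechanically before a zone is loaded. Below is an added example of such a lint, not code from the thread or from BIND; it runs over an in-memory record set constructed for the demonstration (RFC 2606 names, RFC 5737 addresses), and the finding codes are this example's own.

```python
"""Zone lint for the reverse-DNS and alias rules discussed on the list."""
import ipaddress
from collections import defaultdict

# Constructed data: the zones the lint is responsible for ...
ZONES = ["example.com.", "2.0.192.in-addr.arpa."]

# ... and their records as (owner, type, rdata), all names fully qualified.
RECORDS = [
    ("example.com.",             "NS",    "ns1.example.com."),
    ("example.com.",             "MX",    "10 www.example.com."),  # MX -> alias
    ("ns1.example.com.",         "A",     "192.0.2.53"),
    ("mail.example.com.",        "A",     "192.0.2.25"),
    ("www.example.com.",         "CNAME", "mail.example.com."),
    # Reverse zone deliberately flawed: no NS at its apex, two PTRs on .25
    # (one of them to an alias) and a PTR on .80 whose target has no address.
    ("25.2.0.192.in-addr.arpa.", "PTR",   "mail.example.com."),
    ("25.2.0.192.in-addr.arpa.", "PTR",   "www.example.com."),
    ("53.2.0.192.in-addr.arpa.", "PTR",   "ns1.example.com."),
    ("80.2.0.192.in-addr.arpa.", "PTR",   "web.example.com."),
]


def index(records):
    """{owner: {type: [rdata, ...]}} with owner names lower-cased."""
    idx = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        idx[owner.lower()][rtype.upper()].append(rdata)
    return {owner: dict(types) for owner, types in idx.items()}


def rrs(idx, owner, rtype):
    """rdata list for one (owner, type); empty when the name has none."""
    return idx.get(owner.lower(), {}).get(rtype.upper(), [])


def reverse_to_ip(owner):
    """'25.2.0.192.in-addr.arpa.' -> IPv4Address('192.0.2.25'); None when
    the owner is not a complete in-addr.arpa or ip6.arpa name."""
    labels = owner.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        return ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16))
    return None


def lint(records, zones):
    """Return (code, owner) findings; an empty list means every check passed."""
    idx = index(records)
    findings = []
    # RFC 2317 thread: the zone itself needs NS records, not only the /25s.
    for zone in zones:
        if not rrs(idx, zone, "NS"):
            findings.append(("NO-APEX-NS", zone))
    for owner, rrsets in idx.items():
        for rtype in ("NS", "MX", "PTR"):
            for rdata in rrsets.get(rtype, []):
                target = rdata.split()[-1]           # MX rdata is "pref host."
                # RFC 2181 10.2 / 10.3: the value must not be an alias.
                if rrs(idx, target, "CNAME"):
                    findings.append(("ALIAS-TARGET", owner))
                    continue
                # Forward/reverse symmetry: the PTR target must have an
                # address record that leads back to the reverse owner's IP.
                if rtype == "PTR":
                    ip = reverse_to_ip(owner)
                    addrs = {ipaddress.ip_address(a) for a in
                             rrs(idx, target, "A") + rrs(idx, target, "AAAA")}
                    if ip is not None and ip not in addrs:
                        findings.append(("PTR-NO-FORWARD", owner))
        # Multiple PTRs are legal but, as the thread notes, some software
        # cannot handle them; report them so the operator can choose one.
        if len(rrsets.get("PTR", [])) > 1:
            findings.append(("MULTI-PTR", owner))
    return findings


if __name__ == "__main__":
    for code, owner in lint(RECORDS, ZONES):
        print("%-15s %s" % (code, owner))
```

On the constructed data the lint reports five findings: the reverse zone without apex NS, the MX and the PTR that point at the www alias, the doubled PTR on .25, and the PTR on .80 whose target resolves to nothing. The forward zone on its own, with the MX line removed, passes cleanly.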
Re: delegation over authority?
On 26.01.09 17:09, Todd Snyder wrote:
> I am trying to wrap my head around a weird configuration I ran across
> today, and see if my assumptions are correct.
>
> Working with the TLD .testdomain.
>
> We have the record:
>
> test2.testdomain. IN NS ns01.blahblah.testdomain.
>
> But, on the same server, we also have the zone configured:
>
> zone "test2.testdomain" in {
>     file "slave/test2.testdomain";
>     type slave;
>     masters { all_masters; };
> };
>
> So, on the server, we have a delegation of test2.testdomain but we're
> also authoritative for that domain.
>
> My testing seems to indicate that the authority overrides the delegation,
> but I wanted to see if I was correct. Will it always override? Is this
> a bad configuration? Will it cause any problems along the way?

yes, authority "overrides" delegation. However they should match because a
mismatch could lead to strange results.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #98652: Operation completed successfully.
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
On 27.01.09 08:46, Al Stu wrote:
> So then you disagree that the following example returns a valid address
> record for srv1?
>
> srv1 300 IN A 1.2.3.4
> mx1 300 IN CNAME srv1.xyz.com.
> @ 300 IN MX 1 mx1.xyz.com.
>
> 1) Select Target Host:
> The MX query for xyz.com delivers mx1.xyz.com which is a CNAME.
>
> 2) Get Target Host Address:
> The A query for mx1.xyz.com delivers the address (A) record of
> srv1.xyz.com, 1.2.3.4, and also delivers the alias (CNAME) record of
> "mx1.xyz.com".

They are two queries. If mx1 would be an A, it would be returned in the
first query. Since it's a CNAME, the IP is not returned in the MX query.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
It's now safe to throw off your computer.
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
> > On 27.01.09 08:46, Al Stu wrote:
> > > So then you disagree that the following example returns a valid address
> > > record for srv1?
> > >
> > > srv1 300 IN A 1.2.3.4
> > > mx1 300 IN CNAME srv1.xyz.com.
> > > @ 300 IN MX 1 mx1.xyz.com.
> > >
> > > 1) Select Target Host:
> > > The MX query for xyz.com delivers mx1.xyz.com which is a CNAME.
> > >
> > > 2) Get Target Host Address:
> > > The A query for mx1.xyz.com delivers the address (A) record of
> > > srv1.xyz.com, 1.2.3.4, and also delivers the alias (CNAME) record of
> > > "mx1.xyz.com".

> In article , Matus UHLAR - fantomas wrote:
> > They are two queries. If mx1 would be an A, it would be returned in the
> > first query. Since it's a CNAME, the IP is not returned in the MX query.

On 27.01.09 23:51, Barry Margolin wrote:
> So what? If the IP isn't in the additional section, the client will do
> its own A query.

so the client has to do an A query, because A is not returned in the MX
query.

> There's no requirement that the response to the MX record include the A
> record. It's nice if it does, since it saves a query, but this is just
> an optimization.

exactly. That's what I was trying to explain.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows 2000: 640 MB ought to be enough for anybody
Re: [SPAM] Re: Split view multiple zones
> > Of course I could just copy and paste all the zones also in 'custom' view
> > but it doubles the configuration size.

On 27.01.09 17:26, Chris Burton wrote:
> I've been using an include file for zones common between multiple views, it
> might help in your case too.

I'm afraid they won't eat the same memory, but each view its own memory.
Can anyone confirm, and if I'm right, tell me that it will be better in
next BIND releases?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: e: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
> > You say, "both the A record and the CNAME record are returned."
> > We know that BIND does this.

On 27.01.09 19:33, sth...@nethelp.no wrote:
> No, not all BIND versions do this. I'm running BIND 9.5, and when
> asking about the MX for nullmx.domainmanager.com I'm getting
>
> Answer: nullmx.domainmanager.com. CNAME mta.dewile.net.
> Authority: dewile.net. SOA ...
>
> Even if my BIND 9.5 name server has the A record for mta.dewile.net
> in the cache, it is not returned.

What was the question? If it was "any" or "cname", BIND won't return that. If the question was "A", it should be returned, unless you have allow-recursion or allow-query-cache turned off.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
On 27.01.09 10:18, Al Stu wrote:
> I not only say it, I have demonstrated it.

But you have demonstrated something different from what we have been discussing all the time.

> BIND is the DNS system we are discussing.
> Have not looked to see if that specifically is spec'ed in an RFC.
> Yes other DNS implementations do return both the A and CNAME.

It depends on the query sent.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: disableing EDNS messages bind-9.5.0
> Dean Clapper wrote:
> >I'm trying to troubleshoot why we are getting a lot of disabling EDNS
> >messages in /var/log/messages.
> >
> >We are running bind-9.5.0.P2 on a linux box.
[...]
> >Jan 27 11:43:39 ns0 named[27764]: too many timeouts resolving
> >'196.198.117.216.zen.spamhaus.org/A' (in 'zen.spamhaus.org'?):
> >disabling EDNS
> >
> >I started receiving these messages after updating from 9.4 -> 9.5.
> >I've found a couple places to test packet sizes, but have not had any
> >problem. The messages about zen.spamhaus.org lead me to possibly
> >email related issues.

On 28.01.09 08:04, Danny Thomas wrote:
> add "category edns-disabled { null; };"
> after verifying your nameserver(s) have an EDNS0 clear path
> by trying the 2 tests mentioned below by Mark Andrews.

I strongly recommend upgrading BIND first. Later versions issue that message much less often.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Disable cache in bind 9.6
> On Mon, 26/01/2009 at 16:16 -0800, JINMEI Tatuya / 神明達哉 wrote:
> > http://www.jinmei.org/patch/bind9-lrucache.diff
> > (should be cleanly applicable to 9.6).
> > and let me know if it mitigates the problem?

On 29.01.09 22:50, Dmitry Rybin wrote:
> Oh, great work. I'll try tomorrow.

> > Other recommendations:
> > - I previously suggested using a separate cache-only view and forward
> > all recursive queries to that view. Have you tried that? If you
> > have, didn't it work as I hoped?

> Yes, I try it. But I can't set ttl to 0. It didn't work. Recursive query
> fails, and authoritative query back to clients with ttl 0 :(

Yes, that is what "Setting TTL to 0" means.

> ~50 views,

Can't you really lower the views count?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
On 29.01.09 22:33, Al Stu wrote:
> Analyze this.

Why?

> Query MX dns.com
> Response MX nullmx.domainmanager.com
>
> Query A nullmx.domainmanager.com
> Response CNAME mta.dewile.net, A 64.40.103.249

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
On 30.01.09 22:55, Al Stu wrote:
> History is fraught with individuals or a few being ridiculed for putting
> forth that which goes against the conventional wisdom of the masses and so
> called experts, only to be vindicated once the masses and so called experts
> get their head out where the sun is shining and exposed to the light of day.
>
> Once upon a time the world was 'flat'. For some of you, apparently it is
> still 'flat'.

Don Quijote

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Caching-only Name server does Zone Updates
On 02.02.09 17:25, Ashish wrote:
> Our DNS is configured as Caching-only Name server. However, it's still
> performing Zone updates like a Slave Name Server.
>
> Is it possible that a Caching-only Name server performs Zone updates, if yes
> under what conditions is this possible.

Zone updates work only if the zone is configured on the nameserver. Do you have any zones configured (other than ".")? How do you know that it's performing zone updates?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: [SPAM] Re: Split view multiple zones
> At Wed, 28 Jan 2009 08:59:42 +0100,
> Matus UHLAR - fantomas wrote:
> > > > >Of course I could just copy and paste all the zones also in 'custom'
> > > > >view
> > > > >but it doubles the configuration size.
> >
> > On 27.01.09 17:26, Chris Burton wrote:
> > > I've been using an include file for zones common between multiple views,
> > > it
> > > might help in your case too.
> >
> > I'm afraid they won't eat the same memory, but each view its own memory.
>
> Correct.
>
> > Can anyone confirm, and if I'm right, tell me that it will be better in next
> > BIND releases?

On 28.01.09 11:16, JINMEI Tatuya / 神明達哉 wrote:
> There's no plan to change this behavior (as far as I know).

Anything like attach-cache, hierarchical or shared views?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Disable cache in bind 9.6
> >> ~50 views,

> Matus UHLAR - fantomas wrote:
> > can't you really lower the views count?

On 04.02.09 11:23, Dmitry Rybin wrote:
> It's impossible, :-( over 500'000 client use bind and we must use views
> to split load on another services.

Pardon? Split load? Do you use views to point different clients to different servers to lower the load on them? If so, you had better use DNS load balancing or some kind of HW/SW load balancer.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Disable cache in bind 9.6
On 04.02.09 11:51, Dmitry Rybin wrote:
> Matus UHLAR - fantomas wrote:
> >
> > On 04.02.09 11:23, Dmitry Rybin wrote:
> >> It's impossible, :-( over 500'000 client use bind and we must use views
> >> to split load on another services.
> >
> > Named with JINMEI Tatuya patch:
> > max-cache-size 800M;
> > It's way too much, if this applies to all of the 50 views.
>
> Oh! I decrease memory to 16Mb.

No, I did not write that. Please don't break quoting.

> > Pardon? Split load? Do you use views to point different clients to different
> > server to lower load on them?
> >
> > If so, you better should use DNS load balancing or some kind of HW/SW load
> > balancer
>
> For first time was DNS load balancing. And after grow clients base we
> can use only current scheme. We think about it, but only bind with
> current configuration approach to us.

Yes, but now it seems to have reached its limits, so you had better think about changing your architecture...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: NS validation?
On 07.02.09 20:58, Frank Bulk - iName.com wrote:
> A business customer of ours could not change their DNS entry at Register.com
> from ns1.mtcnet.net/ns1.netins.net.
>
> After 10 failed attempts thru register.com to register
> to ns1.mtcnet.net and ns1.netins.net, I contacted Register.com
> and escalated this call to their highest tech authority. I
> found out that Register.com uses 'VeriSign' as its DNS
> Registered Validator. Apparently when I transferred this domain
> name from a different registrar I was supposed to use a
> special DNS Registration thru VeriSign option (who knew?) then
> transfer this to register.com
>
> For some reason VeriSign doesn't have NS1.MTCNET.NET on its
> list as registered DNS. Go figure.
>
> Ever heard of this before?

It probably means that ns1.mtcnet.net did not have its WHOIS record. It does now. Some registrars require nameservers to have WHOIS records if you want to use them for registering domains.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: referral doubt
> > > Trying to resolve www.testing.server.com
> > > When contacting "server.com" nameserver I receive in the answer 3 NS and
> > > 1 A
> > > Additional record:
> > > testing.server.com NS ns1.testing.server.com
> > > testing.server.com NS ns2.testing.server.com
> > > testing.server.com NS ns3.testing.server.com
> > > ns1.testing.server.com A 192.123.123.23

> > In this case BIND9 should immediately send a subsequent query to
> > 192.123.123.23.

On 19.02.09 12:02, Luis Silva wrote:
> Tks a lot for the answer. It really helped understanding this process. But
> just a simple question. What happens if the
> "ns1.testing.server.com A 192.123.123.23" doesn't respond? Will it try
> to get the others?

Yes, if it's able to find out their IPs.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: query an external nameserver doubt
On 19.02.09 12:26, Nuno Ribeiro wrote:
> To: comp-protocols-dns-b...@isc.org, bind-users@lists.isc.org

Don't do this. The mailing list and newsgroup are connected.

> There is a CNAME Record "www.example.test.com CNAME ts.example.test2.com"
> in the "example.test.com" zone, for which my nameserver is not authoritative. My
> name server is authoritative for the "example.test2.com" zone.
>
> I receive an A query for "www.example.test.com". I send this query to
> external nameservers and discover the CNAME record target is in my zone.
> Is this possible?

Yes, it's possible. They will reply with

www.example.test.com CNAME ts.example.test2.com

If they have recursion or query-cache enabled, they may also respond with ts.example.test2.com A in the answer section and example.test.com NS info in the authority/additional sections.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Zone serial not being updated in statistics-channel view of zone
> In message , Chris Thompson writes:
> > I have a dynamically updated zone, dynamic.local.test, on my workstation
> > testbed (BIND 9.6.0-P1, Solaris 10_x86) which has "zone-statistics yes"
> > set. Viewing the statistics at http://localhost:8053 I see under
> > "Zones for View _default"
> >
> > dynamic.local.test/IN IN 2008093007 ...
> >                                ^^
> >
> > But the current SOA serial is actually
> >
> > $ dig +short soa dynamic.local.test
> > localhost. root.localhost. 2009022003 21600 3600 864000 10800

On 22.02.09 09:48, Mark Andrews wrote:
> Chris when you see something that is obviously a bug in a
> current release please log a bug report. If you see a bug
> and you are not running a current release please upgrade
> to see if it is fixed, then if it still there please log a
> bug report. Sending things to bind-users then hoping a
> developer will see the report and log the bug is not the
> optimal way to do things.

It apparently didn't seem obviously a bug to him :)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: ARPA entries for a host with multiple IPs
On 25.02.09 00:31, shulkae wrote:
> My customer requested to add multiple IPs to a single name so that he
> can use the round-robin feature of BIND to load-balance the service.
>
> The entry we added looks something as below:
>
> # more db.myzone
> ..
> ..
> ws

What is this? Some specialized format that is exported to BIND format?

$ORIGIN myzone.
ws A a1.b1.c1.d1
ws A a2.b2.c2.d2
ws A a3.b3.c3.d3

> So when my customer query the ws, he gets one of ipX any any given
> time.

They apparently get all entries, but in a different order...

> They never requested anything for updating ARPA entries for the above.

You apparently mean "reverse" entries.

> What would be the ARPA entries for each of these? ip1, ip2 and ip3?
> Can I add 'ws' for each of these?

You can put records into reverse zones:

$ORIGIN c1.b1.a1.in-addr.arpa.
d1 PTR ws.myzone.
$ORIGIN c2.b2.a2.in-addr.arpa.
d2 PTR ws.myzone.
$ORIGIN c3.b3.a3.in-addr.arpa.
d3 PTR ws.myzone.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
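An added example, not part of the original exchange: generating the reverse (in-addr.arpa and ip6.arpa) owner names for every address behind a round-robin name, and checking that each PTR actually points back at that name. The forward and reverse data are constructed here in the shape of the thread's example (a host "ws" in zone "myzone" with several A records); the addresses come from the documentation prefixes and are assumptions. The IPv6 address goes beyond the IPv4-only question above, since ip6.arpa names are error-prone to write by hand.

```python
"""PTR generation and forward/reverse consistency check (added example)."""
import ipaddress


def ptr_owner(addr):
    """Reverse-mapping owner name for an IPv4 (in-addr.arpa, RFC 1035)
    or IPv6 (ip6.arpa, RFC 3596) address, as an absolute name."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def ptr_records(name, addresses):
    """Zone-file lines to add to the respective reverse zones."""
    return ["%s PTR %s" % (ptr_owner(a), name) for a in addresses]


def check_consistency(forward, reverse):
    """For every address of every forward name report 'ok', 'missing'
    (no PTR at all) or 'mismatch:<target>' (PTR points elsewhere).
    A PTR that does not map back is what mail and ssh reverse checks
    trip over, so this is the check to run after adding records."""
    report = {}
    for name, addrs in forward.items():
        for a in addrs:
            target = reverse.get(ptr_owner(a))
            if target is None:
                report[a] = "missing"
            elif target.lower() != name.lower():
                report[a] = "mismatch:" + target
            else:
                report[a] = "ok"
    return report


# Constructed forward data: one round-robin name, several addresses.
FORWARD = {
    "ws.myzone.": ["192.0.2.10", "192.0.2.11", "198.51.100.7", "2001:db8::10"],
}

# Constructed reverse data, deliberately imperfect: one PTR points at
# another name and 198.51.100.7 has no PTR at all.
REVERSE = {
    ptr_owner("192.0.2.10"): "ws.myzone.",
    ptr_owner("192.0.2.11"): "other.myzone.",
    ptr_owner("2001:db8::10"): "ws.myzone.",
}


if __name__ == "__main__":
    for line in ptr_records("ws.myzone.", FORWARD["ws.myzone."]):
        print(line)
    for addr, status in check_consistency(FORWARD, REVERSE).items():
        print(addr, status)
```

Each generated line belongs in the reverse zone that covers its address; the checker is what you would run against the live data afterwards (replace the two dicts with real lookups) to catch the missing and mismatched entries before someone's mail bounces because of them.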
Re: Hostname Naming Compliance
> Mark Andrews wrote:
> > When does it stop? What will be the next character you
> > "just have to have"? At the moment you have 1 inter label
> > separator and 1 intra label separator. That should be
> > enough for anyone.

On 25.02.09 08:49, Peter Laws wrote:
> Like 640k of memory.

The main effect of allowing underscores would be that some companies would want/need to buy many more domains, e.g. a-b a_b and a-b-c a_b_c a_b-c a-b_c. I don't see any benefit in that.

> Unicode is coming (as fast as IPv6, maybe faster :), so maybe it /is/ time
> to update the naming standards.

And maybe it is not. If people can't behave, adjusting standards may be the worst solution.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
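The distinction this thread turns on, as an added example that is not part of the original messages: a syntactically valid DNS owner name is not the same thing as a valid host name. The DNS itself accepts almost any label (RFC 2181), but host names, the names used as A/AAAA owners and as MX/NS targets, are limited to letters, digits and hyphens with no leading or trailing hyphen (RFC 952 as relaxed by RFC 1123). Underscored names such as _dmarc.example.com are therefore legitimate DNS names but not host names, which is the line BIND's check-names enforces. The sample names below are constructed.

```python
"""Hostname vs. DNS-name validity (added example)."""
import re

# RFC 952 / RFC 1123 host label: letters, digits, hyphen; no leading
# or trailing hyphen; 1..63 octets. Leading digits are allowed (RFC 1123).
HOST_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def dns_labels(name):
    """Split a presentation-format name into labels, or return None if
    the name is not even a valid DNS name: an empty label, a label over
    63 octets, or more than 253 octets without the trailing dot."""
    if name == ".":
        return []
    stripped = name[:-1] if name.endswith(".") else name
    if not stripped or len(stripped) > 253:
        return None
    labels = stripped.split(".")
    if any(not (0 < len(label) <= 63) for label in labels):
        return None
    return labels


def is_valid_hostname(name):
    """True only for names every label of which is a host label."""
    labels = dns_labels(name)
    return bool(labels) and all(HOST_LABEL_RE.match(l) for l in labels)


def classify(name):
    """'invalid' (not a DNS name), 'hostname' (usable as A/MX/NS target)
    or 'dns-name-only' (valid owner name, e.g. _dmarc, but not a host)."""
    labels = dns_labels(name)
    if labels is None:
        return "invalid"
    if labels and all(HOST_LABEL_RE.match(l) for l in labels):
        return "hostname"
    return "dns-name-only"


if __name__ == "__main__":
    for n in ["www.example.com", "_dmarc.example.com", "a_b.example.com",
              "-bad.example.com", "a..b", "x" * 64 + ".com"]:
        print(n, classify(n))
```

Note that "dns-name-only" is not an error for TXT or SRV owners; it only becomes a problem when such a name is put where a host name is required, which is the case check-names complains about.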
Re: BIND logging
On 05.03.09 08:55, simian wrote:
> I'm busy learning a bit more about DNS/BIND, but I seem to have run into
> a problem. My server does not seem to propagate, so my questions are:
>
> Where does BIND log its errors to? I see some named entries in my syslog,
> is it the only place it logs to?
>
> If so, can I change the logfile where BIND logs its errors? Get it to be a
> bit more verbose?

Docs are available on https://www.isc.org/software/bind/documentation

See the ARM (Administrator Reference Manual) for your version, section 6, the "logging statement definition and usage". There are some defaults; by configuring proper channels and categories you can define which log messages go where. I e.g. have:

channel nextra_syslog {
    syslog daemon; // syslog local0;
    severity info;
    print-category yes;
    print-severity yes;
};
category default { nextra_syslog; default_debug; };

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: dig error
On 10.03.09 08:55, Jeff Lightner wrote:
> You'd prefer maybe "Dear Buttheads"?

A pure "hello" should be just enough.

> "Dear Sir" (or "Dear Sirs") is considered standard business usage for
> correspondence when one isn't sure who will be reading what was sent.
> While it is certainly not usual to do it for an email (especially to a
> list like this) I see no reason to chide someone for doing it.

What about irony? Hello is shorter, simpler and more common on the net, especially in mailing lists... and he

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: zone reload questions
On 20.03.09 16:23, Ralf Peng wrote:
> Hmm! I was just thinking this is a BUG!
>
> I wrote a function in Perl to modify the serial number:
>
> sub increase_serial {
[...]
> }
>
> I do below to execute the reload:
>
> increase_serial();
> system("/usr/local/bind/sbin/rndc reload");

Why not "...rndc reload $zone"?

> OK I run two reload in a second, the serial number was increased
> correctly, but bind only reload zones correctly for the first time.

It may need some time to reload _all_ zones.

> This is the system log:
>
> [the first reload is successful]:
[...]
> Mar 20 16:08:46 localhost named[25599]: zone test.duxieweb.com/IN/cnc: loaded serial 102502
> Mar 20 16:08:46 localhost named[25599]: zone my.test.com/IN/cnc: loaded serial 101
> Mar 20 16:08:46 localhost named[25599]: zone test.duxieweb.com/IN/tel: loaded serial 102502
> Mar 20 16:08:46 localhost named[25599]: zone my.test.com/IN/tel: loaded serial 101
>
> [the second time bind doesn't reload zones even zones db were changed]:
>
> Mar 20 16:08:46 localhost named[25599]: received control channel command 'reload'
> Mar 20 16:08:46 localhost named[25599]: loading configuration from '/usr/local/bind9.6/etc/named.conf'
> Mar 20 16:08:46 localhost named[25599]: using default UDP/IPv4 port range: [1024, 65535]
> Mar 20 16:08:46 localhost named[25599]: using default UDP/IPv6 port range: [1024, 65535]
> Mar 20 16:08:46 localhost named[25599]: reloading configuration succeeded
> Mar 20 16:08:46 localhost named[25599]: reloading zones succeeded
>
> Will bind only reload zone files based on the file's mtime by second?
> That's will be a huge problem for some dynamic dns I may think.

Seems so. If you need to do that faster, you should try update or a different mechanism.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
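An added example, not the poster's Perl nor anything from the thread: bumping a zone's SOA serial the way increase_serial() is meant to, and checking the result with RFC 1982 serial-number arithmetic before the reload is issued. The zone text is constructed; the date-based YYYYMMDDnn scheme is a common convention, not something the thread prescribes, and the code falls back to plain increment (wrapping modulo 2^32) when the date prefix would not move the serial forward.

```python
"""SOA serial bump with RFC 1982 check (added example)."""
import re

# Constructed zone text in the usual multi-line SOA layout.
ZONE = """\
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2009032001 ; serial
        7200 3600 1209600 3600 )
    IN NS  ns1.example.test.
www IN A   192.0.2.1
"""

# First integer after "SOA <mname> <rname> (" is the serial.
SERIAL_RE = re.compile(r"SOA\s+\S+\s+\S+\s*\(\s*(\d+)")
SERIAL_MASK = 0xFFFFFFFF


def serial_gt(a, b):
    """RFC 1982 comparison: True if a is 'newer' than b on the 32-bit
    circle, so 1 is newer than 4294967295. Equal serials are not newer,
    and a difference of exactly 2^31 is undefined and treated as not newer."""
    return a != b and ((a - b) & SERIAL_MASK) < 2 ** 31


def next_serial(current, today_yyyymmdd):
    """Next YYYYMMDDnn serial. If today's prefix would not move the
    serial forward (more than 99 edits in one day, or a serial that is
    not date based at all), fall back to current + 1 modulo 2^32."""
    candidate = today_yyyymmdd * 100
    if candidate <= current:
        candidate = current + 1
    return candidate & SERIAL_MASK


def bump_zone_serial(zone_text, today_yyyymmdd):
    """Return (new_serial, rewritten_zone_text). Refuses to emit a
    serial that secondaries would not consider newer."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(1))
    new = next_serial(old, today_yyyymmdd)
    if not serial_gt(new, old):
        raise RuntimeError("serial %d would not be newer than %d" % (new, old))
    return new, zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):]


if __name__ == "__main__":
    import datetime
    today = int(datetime.date.today().strftime("%Y%m%d"))
    new, text = bump_zone_serial(ZONE, today)
    print(new)
    print(text)
```

After writing the file, the thread's observation still applies: a second rewrite within the same second carries the same mtime, so check that the file's whole-second mtime has moved on from the previous load before issuing `rndc reload <zone>`, or avoid file edits altogether and send dynamic updates (nsupdate), which is the "update" mechanism the reply points at.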
Re: zone transfer from slave to master not working
On 20.03.09 09:56, John D. Vo wrote:
> We have two name servers: ns1, ns2.
> We have domain name: let's say abc.com
> Management decided to have a dns hosting company hosts that domain.

LOL.

> Now they want to move that domain back to the ns1, ns2. ($$)
> I have changed the dns entries at the registrar to point to ns1, ns2.
> Now when I tried to do a zone transfer from ns2 to get the record from
> ns1 it does not work.
> I think because ns1 is still not yet authoritative for abc.com

What do you mean by authoritative here? That the zone is not on ns1 yet? (see below)

> My questions:
>
> 1. If ns1 is not authoritative for abc.com, ns2 cannot do a zone
> transfer from ns1, correct? please confirm.

Correct.

> 2. If yes on number 1, then WHY?

Well, in addition to the requirement that the zone must reside on the server to be able to AXFR from it, the server must also allow transfer to the client you are transferring to. Check the allow-transfer directive, globally for the nameserver and locally for the configured zone. I think the default is "none" (check the docs to be sure).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Server names for query
> Casey Deccio wrote:
> >RFC 1035 [1] (page 44) describes the use of a list of server names
> >(SLIST) to query for a particular name. It is unclear to me from the
> >RFC as to whether the server is selected by address or by name. In
> >other words, all history (e.g., batting average and response time)
> >being equal, if a name resolves to two IP addresses, is it twice as
> >likely to be used in resolution for a name as that which resolves to
> >only one--both according to the RFC, and as implemented in BIND? Example:
> >
> >example.com. 3600 IN NS ns1.example.com.
> >example.com. 3600 IN NS ns2.example.com.
> >ns1.example.com. 3600 IN A 10.0.0.1
> >ns1.example.com. 3600 IN A 10.0.0.2
> >ns2.example.com. 3600 IN A 10.0.0.3

On 23.03.09 17:20, Kevin Darcy wrote:
> For the *initial* NS query, I believe BIND will resolve those names down
> to a flat set of addresses, all of which have equal chance of being
> tried, so, yes, if a given NS name resolves to more addresses than other
> names, it is more likely to be tried on the initial NS query.

Btw, how does BIND send notifies? Does it send them to _any_ of those IP addresses? Some RFCs in the past iirc assumed that one name with multiple IPs is one multihomed host, which could lead to the assumption that it's enough to query one of those IPs. I believe it's not true.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: PTR for localhost
On 26.03.09 21:34, dev_n...@zoho.com wrote:
> In recent version of Bind-9.6, is it needed for reverse parsing config of
> localhost? for example,
>
> zone "0.0.127.IN-ADDR.ARPA" {
>     type master;
>     file "local.rev";
> };

I think it's not, but it's always better to have it. However, the builtin default zone name is "127.in-addr.arpa" and I prefer creating this one.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: negative caching time and TTLs
On 14.04.09 14:22, Lena M wrote:
> Which TTL value is supposed to be used for negative caching time?

The one from the SOA, apparently overridden by the local max-ncache-ttl setting.

> -We are running BIND 9.X as a caching server. We are seeing that NXDOMAIN
> replies are being cached using $TTL time of a given zone instead of its SOA
> min TTL time.

What are those two? Note that there's no "min TTL" time; the value called "minimum" should not be used that way anymore.

> -Is $TTL suppose to override SOA's min TTL for the negative caching? RFC
> 2308 is not clear.

I think RFC 2181 (which 2308 refers to) is clear enough.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
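An added example, not part of the message above: the TTL a caching server derives for a negative answer, worked through for the cases the question describes. RFC 2308 (section 5) takes the negative-cache TTL from the SOA record in the authority section of the response, as the smaller of that SOA record's own TTL and its MINIMUM field; the zone's $TTL has no separate role and enters only as the default TTL of the SOA record when the SOA carries no explicit TTL. BIND then caps the result with max-ncache-ttl, whose documented default is 3 hours. The responses below are constructed.

```python
"""Negative-cache TTL per RFC 2308 with BIND's max-ncache-ttl cap (added example)."""

BIND_MAX_NCACHE_TTL_DEFAULT = 10800  # BIND's documented default, 3 hours


def make_nxdomain(soa_ttl, minimum):
    """Construct a negative response carrying one SOA in its authority
    section; soa_ttl is the TTL the SOA record itself arrived with."""
    return {
        "rcode": "NXDOMAIN",
        "answer": [],
        "authority": [{
            "name": "example.test.",
            "type": "SOA",
            "ttl": soa_ttl,
            "rdata": {"mname": "ns1.example.test.",
                      "rname": "hostmaster.example.test.",
                      "serial": 2009041401, "refresh": 7200,
                      "retry": 3600, "expire": 1209600,
                      "minimum": minimum},
        }],
    }


def negative_cache_ttl(response, max_ncache_ttl=BIND_MAX_NCACHE_TTL_DEFAULT):
    """Seconds to cache a negative answer for; 0 means do not cache."""
    soa = next((rr for rr in response.get("authority", [])
                if rr["type"] == "SOA"), None)
    if soa is None:
        return 0  # no SOA in the authority section: nothing to derive a TTL from
    rfc2308_ttl = min(soa["ttl"], soa["rdata"]["minimum"])
    return min(rfc2308_ttl, max_ncache_ttl)


# Constructed cases:
# 1. $TTL 86400 in the zone, SOA without an explicit TTL, MINIMUM 300:
#    the MINIMUM wins.
CASE_MINIMUM_WINS = make_nxdomain(soa_ttl=86400, minimum=300)
# 2. $TTL 300 in the zone, MINIMUM 86400: the SOA record's TTL, i.e.
#    the $TTL, wins. This is exactly the behaviour the question reports.
CASE_SOA_TTL_WINS = make_nxdomain(soa_ttl=300, minimum=86400)
# 3. both large: the local max-ncache-ttl cap applies.
CASE_CAPPED = make_nxdomain(soa_ttl=86400, minimum=86400)


if __name__ == "__main__":
    for label, resp in [("minimum wins", CASE_MINIMUM_WINS),
                        ("soa ttl wins", CASE_SOA_TTL_WINS),
                        ("capped", CASE_CAPPED)]:
        print(label, negative_cache_ttl(resp))
```

So seeing NXDOMAIN cached for "$TTL instead of the SOA minimum" is the expected outcome whenever $TTL is the smaller of the two; to shorten negative caching, give the SOA record its own explicit TTL, or lower MINIMUM, and keep the two in mind together.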
Re: Specific DNS configuration
> In article , Thomas Marteau wrote:
> > I would like to know if there is a mean to tell bind to always give
> > the same IP whatever the hostname asked for was.

This was discussed many times in the past (iirc). Archives should mention this.

On 15.04.09 20:43, Barry Margolin wrote:
> Configure the server as a root server and put a wildcard A record in the
> root zone.

However you (Thomas) should know that this configuration may break many applications and cause much harm. The internet is not just HTTP.

> > The idea behind this question is to redirect any browser when the
> > computer is in a captive IP space like a zone receiving a guest before
> > authenticating itself through a web site.

This problem should not be solved at the DNS level; maybe at the HTTP proxy level, or solve user authentication using WPA or similar methods on ethernet.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
match-recursive-only vs configured zones
Hello,

I'd like to know how the match-recursive-only view interacts with configured zones.

When a zone is configured, clients accessing it are not recursive, unless it's a forward (maybe stub?) zone... When I configure all zones in one view, and create another view using match-recursive-only, will clients fall into one view if recursive and into another when asking for a configured zone? Does the order of views matter here?

Thank you

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: match-recursive-only vs configured zones
> On May 19, 2009, at 9:45 AM, Matus UHLAR - fantomas wrote:
>> I'd like to know how does match-recursive-only view interact with
>> configured zones.

On 19.05.09 10:25, Chris Buxton wrote:
> The order of views matters. The first one matched, wins.
>
> Let's suppose you have a config along these lines:
>
> view "resolver" {
>     match-clients { local-clients-acl; };
>     match-recursive-only yes;
>     allow-recursion { local-clients-acl; };

Wouldn't "recursion yes;" have the same effect here?

> };
> view "auth" {
>     recursion no;
>     zone "example.com" {
>         type master;
>         file "example.com";
>     };
> };
>
> There are three scenarios for queries:
>
> - If a query comes from the outside, it will hit the "auth" view,
> regardless of whether it's recursive or iterative. It will always be
> answered as an iterative query - that is, your server will not perform
> recursion for outside clients, and the ra bit will always be turned off
> in the response.

That's the desired effect.

> - If a recursive query comes from an authorized user, it will be
> answered by the "resolver" view. If it is for one of your local zones,
> the "resolver" will end up asking the "auth" view for the answer.

So it will just use the zones configured in "auth" as if they were in "resolver", as if I had no views at all?

> (If the server is behind a NAT server, you may need to configure something
> specially to make this work.)

It's not, but can you at least give me a hint so I could understand?

> - If an iterative query comes from the internal network, it will be
> handled by the "auth" view. This allows you to use other internal
> resolving servers without having to special-case anything.
>
> One thing to note, for internal users who use nslookup (or dig, or host,
> or whatever) to try to diagnose problems with the "auth" view: If they
> send recursive queries, they will get non-authoritative responses. If
> they send iterative queries, they will be told that recursion is not
> available. This can be confusing.

I think this won't confuse me. This is a server some people use for recursion and there are also some domains there; I want to move all services away and shut the server down.

Now if I configured

view "external" {
    match-clients { any; };
    match-recursive-only yes;
    recursion no;
};

between "resolver" and "auth", that view would be used for all recursive queries from unauthorised sources, while iterative queries would still go to "auth", so I could provide special (no) service to unauthorised recursive clients, correct?

Thank you.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: what to do after received multiple NS record?
On 20.05.09 06:53, MontyRee wrote:
> If client executes recursive query, client will receive some NS records
> like below.
>
> $ dig www.example.com
> example.com.        172800  IN  NS  a.iana-servers.net.
> example.com.        172800  IN  NS  b.iana-servers.net.
>
> if
> a.iana-servers.net. is local network and fast
> b.iana-servers.net. is remote network and very slow,
>
> 1. then, client queries most to a.iana-servers.net or randomly?

the client may prefer server that is closer, but should remember other one,
if the first fails. BIND does that afaik. I'm not sure what order does it
process unknown servers in, I guess it's initially in the order responses
were sent.

Since BIND has options to sort responses, it would be good to use that,
since the admin may know which server is topologically closer, although I'm
not sure if this is used here and for NS records.

> 2. if client received NS records(a.iana-servers.net and b.iana-servers.net)
> from root servers, how to check which DNS is fast or slow?

only by sending queries and seeing reply.

> I can't find any icmp packets or related packets.

I think bind queries servers it does not have RTTs for to find it out, then
prefers servers with shorter RTT and occasionally checks others if anything
changed.

> 3. below is a cache_dump.db.
> Anyone can explain what's the meaning of TTL and srtt?

TTL is the time an entry will be valid. srtt is the response time, used for
selection described above.

> ; J.ROOT-SERVERS.NET [v4 TTL 86393] [v4 success] [v6 unexpected]
> ;   192.58.128.30 [srtt 18] [flags ] [ttl 1793]
> ; k.gtld-servers.net [v4 TTL 3] [v4 success] [v6 unexpected]
> ;   192.52.178.30 [srtt 9] [flags ] [ttl 1793]
>
> If any RFC or related documents, please let me know.

I'm not sure if any rfc requires

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I just got lost in thought. It was unfamiliar territory.
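To make the server-selection explanation above concrete, here is an added example (not code from the list post or from BIND) that parses the per-server lines of a cache dump in the format quoted in the thread and ranks the addresses by their smoothed RTT, lowest first, the way the reply describes. The two server lines from the post are reused; the third entry (ns.example.net, 192.0.2.53) is constructed, and the smoothing weights in update_srtt are an assumption for illustration, not named's exact arithmetic.

```python
"""Added example, not code from the list or from BIND: parse the per-server
lines of a cache dump (rndc dumpdb format as quoted in the thread) and rank
servers by smoothed RTT. The third server below is constructed; the
smoothing weights are assumed, not named's exact formula."""
import re
from dataclasses import dataclass

# Two lines from the post plus one constructed entry.
SAMPLE_DUMP = """\
; J.ROOT-SERVERS.NET [v4 TTL 86393] [v4 success] [v6 unexpected]
;\t192.58.128.30 [srtt 18] [flags ] [ttl 1793]
; k.gtld-servers.net [v4 TTL 3] [v4 success] [v6 unexpected]
;\t192.52.178.30 [srtt 9] [flags ] [ttl 1793]
; ns.example.net [v4 TTL 60] [v4 success] [v6 unexpected]
;\t192.0.2.53 [srtt 250] [flags ] [ttl 1793]
"""

# A server-name line carries the name entry's own lifetime ("v4 TTL ...");
# the indented line below it carries one address with its srtt and ttl.
NAME_RE = re.compile(r"^;\s+(?P<name>[^\s\[]+)\s+\[v4 TTL (?P<ttl>\d+)\]")
ADDR_RE = re.compile(r"^;\s+(?P<addr>[0-9a-fA-F.:]+)\s+\[srtt (?P<srtt>\d+)\]"
                     r".*\[ttl (?P<ttl>\d+)\]")


@dataclass
class Server:
    name: str
    addr: str
    srtt: int   # smoothed round-trip time as printed by named; lower is better
    ttl: int    # remaining lifetime of this address entry in the cache


def parse_dump(text):
    """Return one Server per address line, attributed to the preceding name line."""
    servers, current = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ADDR_RE.match(line)
        if m and current:
            servers.append(Server(current, m.group("addr"),
                                  int(m.group("srtt")), int(m.group("ttl"))))
    return servers


def rank(servers):
    """Preferred query order: lowest srtt first; the rest stay available as
    fallbacks if the preferred server does not answer."""
    return sorted(servers, key=lambda s: s.srtt)


def update_srtt(old, sample, weight=0.7):
    """Fold a new RTT sample into the smoothed value: keep 70% of the history
    and 30% of the sample (assumed weights, for illustration)."""
    return round(old * weight + sample * (1 - weight))


if __name__ == "__main__":
    for s in rank(parse_dump(SAMPLE_DUMP)):
        print(f"{s.srtt:5d}  {s.addr:15s}  {s.name}")
```

Feeding it a real dump written with "rndc dumpdb -all" shows at a glance which authoritative servers your resolver is favouring and which ones it has measured as slow; a server that keeps a large srtt after the network problem is fixed will still be retried occasionally, as the reply above says, and its value will come down through exactly this kind of smoothing.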
Re: Transfer delays
> I am experiencing a 15 min delay from the time a zone file is updated and
> reloaded w/ rndc and transferred to the slave server.

> From: Todd Snyder [mailto:tsny...@rim.com]
>
> Do you have "notify no;" in your config options?

On 28.05.09 09:23, Michael Di Martino wrote:
> No I do not.
>
> zone "222.206.66.in-addr.arpa" in {
>     type master;
>     file "data/in-addr.arpa/db.222.206.66.in-addr.arpa";
>     notify yes;
>     allow-transfer { "slaves"; };
>     allow-update { none; };
> };

Do you have NS records for slaves in the zone?
Do you have correct "master" set up in the SOA?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: publish bind9 server
Hello,

On 05.06.09 14:07, Javier Martinez wrote:
> In my current project, we are using a bind9 server to assign web requests
> to different amazon ec2 computers. When a request is incoming, bind server
> (A) resolves the computer that has the specified subdomain and redirects
> the request to that computer (B).

please configure your mailer to wrap lines below 80 characters per line.
72 to 75 is usually OK. Thank you.

> For example, we have a computer that host the domain "test.midomain.com".
> The bind server is where the "midomain.com" goes. So, the service must
> redirect the request "test.midomain.com" to another computer.
> Now I don't know what I have to do to publish this server to work outside.
> If I try to go in my local browser to "test.midomain.com" I don't get
> response.

There's nothing like "publish a server". You must delegate test.midomain.com
to your server in midomain.com, which means that the midomain.com maintainer
must put there NS records for "test.midomain.com" pointing to your server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: Single Zone Forwarding Dilema
On 06.06.09 01:10, Ben Croswell wrote:
> If you want to force forwarding you will probably want to add the forward
> only; directive.
> By default your server will try to follow NS delegations and then forward if
> it can't follow them

I think it's the opposite - the server will try to query the configured
forwarders first, then continue in usual NS resolution.

> Forward only; tells it to not even bother trying to follow NS delegations.

and thus I recommend not to use this for public zones - if the forwarders
are unavailable or for some reason can't answer, the classic resolution
will be used. I guess the configured forwarders have one of these problems

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows 2000: 640 MB ought to be enough for anybody
Re: SPF/TXT records
On 17.06.09 10:46, Jeff Lightner wrote:
> When one sets SPF/TXT record is it for the relay server/IP that sent the
> email to the internet or the originating one?

maybe even both. If the outgoing mail relay checks for SPF, and you don't use
SMTP authentication (in which case relays may not check for SPF), you need
SPF for the originating server too, so the relay doesn't reject the mail
immediately. If the relay sends such mail to other servers, its IP should be
in SPF too.

I have SPF for fantomas.sk:

fantomas.sk.    43200   IN  SPF "v=spf1 mx -all"

it should be checked when someone is trying to send mail with @fantomas.sk
as envelope from address.

> For example we have a server (atuprd01.water.com) that can not be
> reached via the internet. Email originating there is relayed through
> our MS-Exchange server (if sent with domain water.com) or a Linux
> Sendmail server (if sent with domain waterinvoice.com). All email sent
> via exchange goes out an IP separate from incoming mail (MX) IP. All
> email sent via Sendmail has a separate IP from incoming mail (MX) IP.
>
> Should the SPF specify the outbound IP (e.g. 12.44.84.204 for
> atlsnml2.waterinvoice.com) for the Sendmail server email or the IP/name
> for atuprd01.water.com?

water.com should have your ms exchange's IP and waterinvoice.com should
have your linux servers' IP. Watch out if there is really no email going
from water.com via your linux server and no mail coming from
waterinvoice.com via your exchange server... I assume

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
99 percent of lawyers give the rest a bad name.
Re: SPF/TXT records
On 17.06.09 11:19, Jeff Lightner wrote:
> Right my relay might want it but if so that would be in my internal
> view. The Exchange and Sendmail servers only allow relay from specific
> locations and neither is using SPF to authenticate so far as I know.
>
> My question was more related to external view - what do people on the
> internet expect to see defined as SPF/TXT record to verify it is a valid
> email?

People don't expect to see anything, machines even. But if you want others
to be able to reject unauthorised messages from water.com and
waterinvoice.com, put hostname/IP of your linux machine to SPF record for
"waterinvoice.com" and exchange's into "water.com" as I have mentioned
already.

> I'm quite certain Sendmail is not sending any water.com email and that
> Exchange is not sending any waterinvoice.com email based on the Sendmail
> configuration of atuprd01.water.com - it uses a mailer table to
> determine which host to relay through specifically based on the domain
> of the email message "sender".

Good for you. If waterinvoice.com mail originates on linux, and water.com on
exchange, you are done. Otherwise, if other machines send the mail through
these servers, make sure neither one will reject mail because it fails SPF
check. SMTP Authentication should fix that.

> > For example we have a server (atuprd01.water.com) that can not be
> > reached via the internet. Email originating there is relayed through
> > our MS-Exchange server (if sent with domain water.com) or a Linux
> > Sendmail server (if sent with domain waterinvoice.com). All email sent
> > via exchange goes out an IP separate from incoming mail (MX) IP. All
> > email sent via Sendmail has a separate IP from incoming mail (MX) IP.
> > Should the SPF specify the outbound IP (e.g. 12.44.84.204 for
> > atlsnml2.waterinvoice.com) for the Sendmail server email or the IP/name
> > for atuprd01.water.com?
>
> water.com should have your ms exchange's IP and waterinvoice.com should
> have your linux servers' IP. Watch out if there is really no email going
> from water.com via your linux server and no mail coming from
> waterinvoice.com via your exchange server...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I drive way too fast to worry about cholesterol.
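The two SPF replies above turn on one question: which sending IP will a receiver find when it evaluates the record for the envelope-from domain, and what happens when mail for one domain leaves through the other domain's relay. The following is an added example, not code from the list or any mail server: a minimal check_host() in the spirit of RFC 4408 that evaluates the mx, a, ip4/ip6 and all mechanisms used in the thread against a constructed in-memory DNS table, so it runs offline. The domain names are the ones in the thread, but every address, MX host and record below is constructed (RFC 5737 space), not real data; include/redirect/exists and macros are deliberately left out.

```python
"""Added example, not code from the list or from any MTA: a minimal SPF
check_host() (RFC 4408 subset: mx, a, ip4, ip6, all) evaluated against a
constructed DNS table. All addresses and records here are made up."""
import ipaddress

# Constructed zone data modelled on the thread (addresses are RFC 5737 space).
DNS = {
    ("fantomas.sk", "TXT"): ["v=spf1 mx -all"],
    ("fantomas.sk", "MX"): ["mail.fantomas.sk"],
    ("mail.fantomas.sk", "A"): ["192.0.2.25"],
    ("water.com", "TXT"): ["v=spf1 ip4:192.0.2.40 -all"],              # exchange's outbound IP
    ("waterinvoice.com", "TXT"): ["v=spf1 a:atlsnml2.waterinvoice.com ~all"],
    ("atlsnml2.waterinvoice.com", "A"): ["192.0.2.41"],                # linux sendmail box
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is usable; none or several gives no result."""
    records = [t for t in lookup(domain, "TXT") if t.split()[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def _host_has_ip(host, ip):
    return any(ip == ipaddress.ip_address(a) for a in lookup(host, "A"))


def mechanism_matches(mech, domain, ip):
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)   # bare address = /32 or /128
    if name == "a":
        return _host_has_ip(arg or domain, ip)
    if name == "mx":
        return any(_host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
    raise ValueError("unsupported mechanism: " + mech)


def check_host(ip, domain):
    """Evaluate the SPF record of the envelope-from domain for a connecting IP.
    Returns pass / fail / softfail / neutral, or none if there is no record."""
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                     # modifiers (redirect=, exp=) are ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"                        # ran off the end of the record


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "fantomas.sk"), ("192.0.2.99", "fantomas.sk"),
                       ("192.0.2.40", "water.com"), ("192.0.2.41", "water.com"),
                       ("192.0.2.41", "waterinvoice.com"), ("192.0.2.40", "example.org")]:
        print(f"{ip:12s} MAIL FROM:<@{domain}> -> {check_host(ip, domain)}")
```

The last two cases in the demo are the caveat from the replies: mail for water.com that happens to leave through the Linux box (192.0.2.41 in this constructed data) fails water.com's "-all", which is exactly why the poster is told to make sure no cross-domain traffic takes the other relay, or to authenticate it.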
Re: SPF/TXT records
On 18.06.09 16:22, Jeffrey Collyer wrote:
> M$ has their own take on SPF called Sender ID, which uses a very similar
> record -
>
> "v=spf2.0" rather than "v=spf1"
>
> so be sure to read up on them both before publishing records for one or
> the other.

It has downfalls so I recommend not even studying it, just remember that
"spf2" is some M$ crap... v=spf1 is just enough for now.

> http://www.openspf.org/SPF_vs_Sender_ID
>
> Hotmail in particular is picky about what it rejects and why.

Yes, hotmail uses to reject mail for many strange reasons. But I don't
recommend playing with spf2 just to get mail to hotmail, I think there are
better ways to get your mail anywhere.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: control channel logging
On 21.06.09 13:37, R Dicaire wrote:
> Hi folks, bind 9.6.1...I'm looking in the ARM but I don't see a logging
> category specific to control channel communications.
> In syslog I have (generated by an mrtg script):
>
> named[7837]: received control channel command 'stats'
>
> What category does this fall under?

If in doubt and docs won't tell you, just enable "print-category yes;"

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Chernobyl was a Windows 95 beta test site.
NS rr configuration: 1*NS + 4xA vs. 4xNS ?
Hello,

I am planning to change NS records in our and our customers' zones.

I'll have four nameservers on different networks, and I'd like to make
configuration as easy as possible by using only one NS record for them all.

What I currently have is similar to:

domain.example.         IN NS   ns.domain.example.
                        IN NS   ns1.domain.example.
                        IN NS   ns2.domain.example.
                        IN NS   ns.example.com.
ns.domain.example.      IN A    10.0.0.1
ns1.domain.example.     IN A    10.0.0.2
ns2.domain.example.     IN A    10.0.0.3
ns.example.com.         IN A    192.168.0.1

I would like to change it this way:

domain.example.         IN NS   ns.domain.example.
ns.domain.example.      IN A    10.0.0.1
                        IN A    10.0.0.2
                        IN A    10.0.0.3
                        IN A    192.168.0.1

That way our customers for which we will configure slaves will only have to
add one NS record instead of four (or less, which will currently put load on
only some of our servers).

customer.example.       IN NS   ns.customer.example.
                        IN NS   ns.domain.example.
ns.customer.example.    IN A    172.16.0.1

- when bind will access to servers for the customer.example., will it spread
  the load onto all ip addresses equally, will it send half of queries to
  ns.customer.example. and half to ns.domain.example.?
  (I know this usually only happens for first lookup but anyway)

I am also planning to use hidden master so another question is:

- will BIND send NOTIFY to all IP addresses of 1 NS record?
  (multiple A's for one name can be understood as one multihomed host)

The rest is not strictly BIND-related, but I hope it may be acceptable in
this list. Does anyone know, if:

- will registrars who require more nameservers in different subnets accept
  providing only "ns.domain.example." as a NS, or will they require other
  NS record?
- if they require other NS record, will they accept "ns.isp.example." with
  the same set of A records?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
LSD will make your ECS screen display 16.7 million colors
Re: NS rr configuration: 1*NS + 4xA vs. 4xNS ?
On 30.06.09 01:08, Mark Andrews wrote:
> In message <20090629101834.ga31...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > I am planning to change NS records in our and our customers' zones.
> >
> > I'll have four nameservers on different networks, and I'd like to make
> > configuration as easy as possible by using only one NS record for them all.
>
> And harder to debug. 1 name to 1 machine is easy to debug.

running either of them behind a L3 switch makes it hard to debug again,
so I wouldn't take that as an issue.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows found: (R)emove, (E)rase, (D)elete
Re: NS rr configuration: 1*NS + 4xA vs. 4xNS ?
> In message <20090629200938.ga6...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > On 30.06.09 01:08, Mark Andrews wrote:
> > > In message <20090629101834.ga31...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > > > I am planning to change NS records in our and our customers' zones.
> > > >
> > > > I'll have four nameservers on different networks, and I'd like to make
> > > > configuration as easy as possible by using only one NS record for them all.
> > >
> > > And harder to debug. 1 name to 1 machine is easy to debug.
> >
> > running either of them behind a L3 switch makes it hard to debug again,
> > so I wouldn't take that as an issue.

On 30.06.09 10:01, Mark Andrews wrote:
> A L3 switch is still one virtual machine with one routing
> entry and one path from the customer to the L3 switch.

the difficulty of debugging the case when one IP directs to L3 switch with
more real machines behind is bigger than the difficulty of debugging case
where one A points to more real IPs...

> There is no need to play this silly game. It just makes
> things harder. Some machines will make assumptions that
> all the addresses refer to one machine and that some operations
> shouldn't be retried because they won't get a different
> response.

This is just what I wanted to know. Is there any evidence that any DNS
resolvers have such behaviour?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Silvester Stallone: Father of the RISC concept.
Re: host -t txt _domainkey.fakessh.eu. bitsy.mit.edu.
On 01.07.09 16:53, fake...@fakessh.eu wrote:
> it would be possible to add this server bitsy.mit.edu.
> in /etc/resolv.conf to increase the speed of propagation

- /etc/resolv.conf can only contain IPs.
- /etc/resolv.conf is not a BIND issue.
- propagation of what?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Remember half the people you know are below average.
Re: Truncated, retrying in TCP on Reverse lookup
> On Thu, Jul 09, 2009 at 05:50:02AM -0700,
> Fr34k wrote
> a message of 119 lines which said:
>
> > There should be one and only one PTR for that IP.

On 10.07.09 22:40, Stephane Bortzmeyer wrote:
> No. No good reason for such restriction.

While from DNS' point of view there is no reason to do that, many programs
checking and/or validating reverse DNS may complain or give strange results
(different hostname may appear in the logs). Also, validating (forward
confirming) more reverse names takes much longer time than validating just
one. Or, will you validate only one/few of them?

So, I think that the recommendation above is good.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: rDNS Round-Robin
> On Wed, Jul 8, 2009 at 5:08 PM, Mark Andrews wrote:
> > RRsets are unordered. Software and configurations should
> > be prepared for this. Where ordering is required it is
> > built into the RR type.
> >
> > Mark

On 14.07.09 14:02, Bryan Irvine wrote:
> I think I've found the confirmation I was looking for in RFC 2181
> section 10.2.
>
> Does this seem to confirm that round-robin PTR's are perfectly legal?

yes, they are perfectly legal. However I don't know about any application
that would require or benefit from them, and I don't recommend using them.
With most of the applications doing reverse resolution and using its result
anyhow, it's still better to have always the same name...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
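The two replies above (one PTR per address versus several, and round-robin PTRs) both come down to what a forward-confirmed reverse DNS check actually does with a multi-PTR RRset. The following is an added example, not code from the list or from any resolver library: an FCrDNS check over a constructed in-memory DNS table, with a query counter, showing that every PTR costs an extra forward lookup, that a stale PTR silently drops out, and that the name a daemon ends up logging depends on the order the PTR RRset came back in. All names and addresses are constructed.

```python
"""Added example, not from the list posts or any library: forward-confirmed
reverse DNS (FCrDNS) over a constructed DNS table, to show the cost and the
log-name instability that come with several PTRs per address."""
import ipaddress

# Constructed data: 192.0.2.7 has three PTRs, one of them stale.
PTR = {
    "7.2.0.192.in-addr.arpa": ["mail.example.net", "www.example.net", "old.example.org"],
    "8.2.0.192.in-addr.arpa": ["host8.example.net"],
}
A = {
    "mail.example.net": ["192.0.2.7"],
    "www.example.net": ["192.0.2.7"],
    "old.example.org": ["192.0.2.99"],   # moved away; PTR never cleaned up
    "host8.example.net": ["192.0.2.8"],
}


class Resolver:
    """Stub resolver that counts queries so the cost of extra PTRs is visible."""

    def __init__(self):
        self.lookups = 0

    def query(self, name, rtype):
        self.lookups += 1
        table = PTR if rtype == "PTR" else A
        return list(table.get(name.lower(), []))


def fcrdns(ip, resolver, rotate=0):
    """Return the PTR names of ip that resolve back to ip. 'rotate' mimics a
    server handing the PTR RRset back in round-robin order."""
    names = resolver.query(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if names and rotate:
        k = rotate % len(names)
        names = names[k:] + names[:k]
    # one forward lookup per PTR: N PTRs cost N+1 queries before we can decide
    return [n for n in names if ip in resolver.query(n, "A")]


def log_name(ip, resolver, rotate=0):
    """What a typical daemon writes to its log: the first confirmed name, else the IP."""
    confirmed = fcrdns(ip, resolver, rotate)
    return confirmed[0] if confirmed else ip


if __name__ == "__main__":
    for ip in ("192.0.2.7", "192.0.2.8", "192.0.2.9"):
        r = Resolver()
        print(ip, fcrdns(ip, r), "lookups:", r.lookups)
    for turn in range(3):   # same client, three connections, rotated PTR set
        print("logged as:", log_name("192.0.2.7", Resolver(), rotate=turn))
```

With the three-PTR address the check needs four queries instead of two, and the logged name alternates between mail.example.net and www.example.net from one connection to the next, which is the "different hostname may appear in the logs" effect the reply warns about; a program that validates only the first PTR it receives will also sometimes pick the stale one and treat the host as unconfirmed.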
Re: SRV Record Priority set by IP Address
On 20.07.09 13:26, Lev Vanyan wrote:
> i've stumbled into a question whether it is possible to configure BIND
> in a way that it responds to DNS SRV requests with the priority flag
> changed depending on the IP address of the requesting party.
> For example,
> there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and
> the other to 10.0.2.2. The requesting party has the ip address
> 10.0.1.53. I would want to have the first one with the priority higher
> than the second, which would allow me to split up the network by zones
> each one having their own server with the rest of servers used only in
> case of the prevalent zone server failure.

Do you mean that bind could/should sort responses depending on source
address of client requesting the data in the manner that the servers
topologically closer to the client should precede others?

The "sortlist" option should do that. However, to benefit from this sorting,
all SRV records should have the same priority (so maybe you don't need SRV
here at all).

Also, the client (or intermediate relay, e.g. local DNS cache or nscd) must
not re-sort responses, but has to use them in the order they came in. That
may be problem in some libraries, some time ago I've been having similar
problems, it seemed that nss_lwres was responsible for that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
Re: query (cache) denied (revisited)
> In message <8401907190740j6e04pc23316827fe0b...@mail.gmail.com>,
> Bradley Caricofe writes:
[...]
> > 19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) '
> > 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
[...]
> > There are a total of 26000 ip's hitting us daily and causing these queries.
> > Of these, only a handful are sending a lot of traffic, maybe a few dozen.
> > The worst sent 37000 queries yesterday. I'm trying to determine if this is
> > reflector attack behavior or if some of these hosts were successfully using
> > our servers for DNS in the past. Our server is refusing these queries and I
> > believe the old servers did so as well.
> >
> > Is there anything I can do to filter or otherwise reduce these hits? Again,
> > I'm sorry for rehashing an old subject, but I don't have this figured out.

On 20.07.09 10:15, Mark Andrews wrote:
> Take the addresses that are sending lots of queries and look up the
> abuse contacts in whois and send them a report asking for the traffic
> to be stopped. If it is a misconfiguration then it should stop.
> If you are being used as a reflector you should also get feedback.
>
> You should also look at the names in the queries and make sure you
> are not being delegated to but don't have the zone configured.

You can also be bad on them and provide fake root zone with wildcard record
returning localhost IP. However be very careful not to provide those to your
own recursive clients. I occasionally use that on biggest abusers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: query (cache) denied (revisited)
> > In message <8401907190740j6e04pc23316827fe0b...@mail.gmail.com>,
> > Bradley Caricofe writes:
> [...]
> > > 19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) '
> > > 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
> [...]

On 29.07.09 17:12, Matus UHLAR - fantomas wrote:
> You can also be bad on them and provide fake root zone with wildcard record
> returning localhost IP. However be very careful not to provide those to your
> own recursive clients. I occasionally use that on biggest abusers.

yes, I'm aware that I can cause an innocent victim to get flooded this way,
and that this is BOFHish. However it helped me a few times against
misconfigured hosts firing tens to hundreds of requests per second.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: [SPAM] Win2k and bind
On 29.07.09 22:37, Abello, Vinny wrote:
> Considering 2003, 2003 R2, 2008, and 2008 R2 (technically done, but will
> officially release in October) have been released, I don't think dropping
> support for an ancient operating system from 9.5 years ago and roughly 3
> prior generations that the vendor doesn't even support is a bad idea. :)
> 2k boxes are time bombs, IMO.

even if they were not (windows updates), there is a technical reason that
prevents new bind from being compatible with it (new security features
require that). Search web/archives for more info. Until M$ fixes that one
(I doubt so), new BIND won't be compatible with w2k.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
We are but packets in the Internet of life (userfriendly.org)
Re: Disable automatic empty IPv6 zones (with -4 already specified)
On 30.07.09 10:35, Matthew Huff wrote:
> Is there any way to disable BIND from loading the automatic empty zones
> (D.F.IP6.ARPA, etc...). They are being generated even with the -4 command
> line.

have you looked at the disable-empty-zone configuration directive?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux IS user friendly, it's just selective who its friends are...
Re: idsable ipv6 in config?
> In message <20090730141131.ga30...@nic.fr>, Stephane Bortzmeyer writes:
> > On Thu, Jul 30, 2009 at 03:57:16PM +0200,
> > JINMEI Tatuya / wrote
> > a message of 25 lines which said:
> >
> > > I personally don't see a need for it (what's wrong with -4/-6?)
> >
> > -4 shuts down any v6 service. We would like BIND to be able to *reply*
> > to v6 queries without *generating* them. (For the record, I have the
> > same issue than Gilles.)

On 31.07.09 00:32, Mark Andrews wrote:
> Proper use of null routes will allow named to immediately detect
> that a IPv6 site is not reachable. "default" is over used.

oh, although it should work, it's a bit dirty workaround... it needs a
stateful firewall allowing only replies to go out...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: idsable ipv6 in config?
> On Jul 30 2009, Stephane Bortzmeyer wrote:
>> -4 shuts down any v6 service. We would like BIND to be able to *reply*
>> to v6 queries without *generating* them. (For the record, I have the
>> same issue than Gilles.)

On 30.07.09 15:46, Chris Thompson wrote:
> Would
>
> server ::/0 { bogus yes; };
>
> work?

no, it would prevent server from replying v6 requests

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Microsoft dick is soft to do no harm
Re: change NXDOMAIN to a A type response
On 03.08.09 13:59, Ryan Qian wrote:
> some isp change NXDOMAIN to a A type response, I know this is can not be
> realized by bind software by default source code, so is there anyone know
> how do they realize this function? change the source code or use proxy
> software upon DNS bind?

Many people consider that a bad idea. The DNS is used by many applications
in many manners and providing false answers can break them in many ways.
You won't get different answer on this list, I guess.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Nothing is fool-proof to a talented fool.
Re: Problem with caching domain
> Kevin Darcy wrote:
>> Yes, ns1.geap.com.br and ns2.geap.com.br are both CNAMEs. Pointing NS
>> records at CNAMEs is not only illegal, but causes real problems, as
>> you can see.

On 06.08.09 18:40, Breno Silveira Soares wrote:
> Is there a solution to this? Or only correct external domain?

if those records are meant to be used in NS records, yes, they must be
changed.

> This happen with your bind server?

this happens with dns servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
99 percent of lawyers give the rest a bad name.
Re: problems in forwarding
On 07.08.09 10:50, Luis Silva wrote:
> 1 - I need to be a slave for the zones "testing.es" and "testing2.es" but
> everything else must be redirected to the 10.112.15.3 server. Do you think
> the example below is correct? The problem is that every time I send a
> request to the forward zone, my server adds the root nameservers in the
> authoritative and additional sections of the message, which I do not think
> is correct. Is there a better alternative?

your server? You apparently did not allow recursion from your IP addresses
on it.

> 2 - My second problem is that I have my BIND server forwarding all the
> request to a name server, but I wanted to test another server in case of a
> negative answer (for example, name error) with the exception of a certain
> zone.
> For example, I want to send all the requests for "es", but in case of a
> negative answer and the zone domain name is not "test.es", I want to try
> another server. Is that possible?

you can configure zone "test.es" to be forwarded to different server. There
is no functionality in BIND that would continue searching for a name when a
server responds "the name does not exist".

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
Re: A very basic question...
On 09.08.09 20:15, E Johnson wrote:
> From what I have read so far, I can see that this might be a very
> flame-worthy question, so please don't hurt me, I'm just a beginner...
>
> I have read every howto that I can find on setting up a DNS server for a
> very small, 12 seats, network. The DNS server just needs to be
> authoritative for the internal network and then it should forward
> external requests to the outside world. Here is the question...
>
> Most of the howtos say that I should setup a Root Zone so that I can
> access the Internet. Then a small few of the howtos say that I should
> use the forwarder option to be able to access the Internet and they say
> that the Root Zone should not be used because the Root DNS servers
> aren't meant for that.

BIND does have default hint zone builtin by default. You can download
current version from ftp.internic.net:/domain/named.root if you want, but
that is not required for working DNS server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The only substitute for good manners is fast reflexes.
Re: does allow-transfer have cache
On 11.08.09 08:37, Nelson Serafica wrote:
> Currently I have primary (ns1) and secondary (ns2) DNS on the same
> network. I'm now doing redundancy and planning to put the secondary at
> another ISP. I have now set up the new secondary DNS on the other
> network.
>
> I changed the allow-transfer { 1.2.3.4; localhost; }; to allow-transfer {
> 5.6.7.8; localhost; }; in the named.conf of ns1, assuming 1.2.3.4 is
> ns2's old IP and 5.6.7.8 is ns2's new IP on the other network.
>
> However, ns1 still keeps on transferring to 1.2.3.4 but I can see it was
> denied since I have already changed it to 5.6.7.8. I did rndc reload and
> /etc/init.d/named restart.
>
> My question is: does allow-transfer have a cache? Is that why named keeps on
> transferring the request to 1.2.3.4 and not to 5.6.7.8?

Your named is clearly not transferring to 1.2.3.4, but you apparently did not
move ns2 to the new IP, so it still tries to fetch zone(s) from the old IP.
Move ns2 to 5.6.7.8 and it will ask for transfers from that IP.

allow-transfer only configures who (which IP) will be allowed to transfer a
zone, but it has nothing to do with who will ask to fetch the zone.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 of your friends - let them see what an idiot you are
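The point of the reply is that the two sides of a zone transfer are configured on different servers: the primary's `allow-transfer` is an ACL on incoming AXFR/IXFR requests, while the secondary's `masters` (and `transfer-source`) decide where requests are sent from and to. The pair of fragments below is an added illustration, not the poster's configuration. It reuses the placeholder addresses from the thread (1.2.3.4 old ns2, 5.6.7.8 new ns2) and assumes 9.8.7.6 for ns1, the zone name example.com, and a TSIG key named ns1-ns2-xfer whose secret is a placeholder to be replaced with `tsig-keygen` output.

```conf
// Added example; addresses, zone name and key material are assumed.

// ---------- ns1 (primary, assumed 9.8.7.6) ----------
key "ns1-ns2-xfer" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXI=";      // placeholder, generate a real one
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // allow-transfer decides only who may PULL the zone. Nothing here
    // makes ns1 push to 5.6.7.8; the entry is inert until a secondary
    // actually sends a transfer request from that address. Matching on
    // the TSIG key instead of a bare IP means whoever inherits 1.2.3.4
    // at the old ISP cannot dump the zone by address alone.
    allow-transfer { key ns1-ns2-xfer; };
    // NOTIFY goes to the zone's NS records plus this list; fix it too,
    // or ns1 keeps logging failed notifies to the old address.
    also-notify { 5.6.7.8; };
};

// ---------- ns2 (secondary, after the move to 5.6.7.8) ----------
key "ns1-ns2-xfer" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXI=";      // same placeholder as on ns1
};
server 9.8.7.6 { keys { ns1-ns2-xfer; }; };   // sign everything sent to ns1

zone "example.com" {
    type slave;
    file "sec.example.com";
    masters { 9.8.7.6; };          // where ns2 asks for the zone
    // This side decides the SOURCE address of the request. On a host
    // with several addresses, pin it so ns1's ACL (or its logs) sees
    // 5.6.7.8 and not whichever interface the kernel picked.
    transfer-source 5.6.7.8;
    allow-transfer { none; };       // a secondary need not serve AXFR itself
};
```

With this in place a denied request on ns1 is logged with the requesting source address, so "denied from 1.2.3.4" tells you directly that the old ns2 instance is still running and still asking, exactly as the reply says.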
Re: cache poisoning
On 11.08.09 13:27, Nelson Serafica wrote:
> I need to set bind to listen on all addresses. I'm using AMAZON EC2

No, you don't.

You configure listening IPs/ports using listen-on and listen-on-v6.
query-source only configures which IP/port your outgoing requests will
come from.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.
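The confusion in this thread is between the option that controls where named accepts queries (`listen-on`/`listen-on-v6`) and the one that controls the source address and port of the queries named itself sends (`query-source`). The fragment below is an added example, not the poster's configuration; 10.0.0.5 is an assumed EC2 private address. On EC2 the public or elastic IP is translated onto the private address by the platform, so named never sees it and must not be asked to bind to it.

```conf
// Added example; 10.0.0.5 and the 10.0.0.0/16 range are assumed.
options {
    // This is what actually decides where named accepts queries.
    // { any; } would be "listen on all addresses"; listing the private
    // address is enough because the public IP is NATed onto it.
    listen-on port 53 { 127.0.0.1; 10.0.0.5; };
    listen-on-v6 { none; };

    // query-source does NOT open a listening socket. It only fixes the
    // source address (and optionally port) of the queries this server
    // sends to other nameservers. Leave the port unspecified: a fixed
    // source port throws away the port randomisation that makes cache
    // poisoning expensive, which is why the thread subject matters here.
    query-source address 10.0.0.5;

    // Reachable is not the same as served; still limit who may recurse,
    // otherwise the instance becomes an open resolver on its public IP.
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/16; };
};
```

After a reload, `ss -lnup | grep named` (or `netstat -lnup` on older systems) shows only 127.0.0.1:53 and 10.0.0.5:53 as listening sockets; if an address is missing there, it is a `listen-on` problem, never a `query-source` one.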
Re: forwarders question
> > Michael Monnerie wrote:
> > > We are having 2 sites at different locations now with a DNS resolver on
> > > each site. Internet speed between those two different ISPs is very fast,
> > > and the hosts to resolve will be about the same because of similar
> > > services.
> > >
> > > My idea is to use
> > > forward X;
> > > on site Y and
> > > forward Y;
> > > on site X, but, as I couldn't find it in the documents, I believe this
> > > could lead to a resolver loop between X and Y and therefore even slower
> > > resolution. Or is BIND clever enough to only ask the other server once?

On 11.08.09 11:13, Mark Andrews wrote:
> The forwarding concept was developed when 48k external links
> were *FAST* links and having everyone on a campus use one
> or two machines as a super cache provided some real benefit.
>
> It still provides some benefit if you are dialing up over
> the PSTN. However if you are using Cable/DSL or similar
> technologies there is little benefit and huge negative
> consequences in the case of the forwarder being down.

We have a small farm with more servers behind an L3 switch, everything
connected using 2 links... so I think this way of forwarding could help us a
bit, especially for domains with servers behind slow links...

> Cross connecting caches is not part of the design strategy
> and will not work well. It would take code changes to make
> it work well.

... but it would require some tuning of the forwarding code, e.g. to set up a
maximum timeout for a forwarding server and to allow sending of non-recursive
queries to a forwarding server. I think it would be interesting to know if
this behaviour could bring us some benefits but apparently nobody's going to
code this...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: Logwatch Unmatched Entries
On 15.08.09 18:13, Eric Paulsen wrote:
> I've recently moved our DNS from FreeBSD 4 / Bind8 to CentOS 5.3
> Bind9.4.3. These are not authoritative for any routable domains but are
> for my NAT'd school network. I have an AD server (10.1.60.11) that
> forwards to my two Bind servers. I receive the logwatch each night and
> have some questions.
>
> 1) Zone update refused from my windows workstations.
>
> Zone update refused:
>    10.1.60.11 (60.1.10.IN-ADDR.ARPA/IN): 24 Time(s)
>    10.1.60.11 (smls.org/IN): 48 Time(s)
>    10.1.60.122 (smls.org/IN): 4 Time(s)
>    10.1.60.82 (smls.org/IN): 8 Time(s)
>    10.1.60.84 (smls.org/IN): 12 Time(s)
>    10.1.60.85 (smls.org/IN): 15 Time(s)
>    10.1.60.89 (smls.org/IN): 1 Time(s)
>
> What are these machines trying to do?

Windows machines by default try to register their internet connection in DNS.
That should be done by DHCP and similar servers but Microsoft had a "genial"
idea so they ask by themselves. It can be turned off but the default is on...

Sorry, I don't know about the rest...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends?
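The refusals in the Logwatch summary are the server doing the right thing: a zone with no `allow-update` or `update-policy` refuses every dynamic update, and the Windows hosts present no credential that would entitle them to write into smls.org. The fragment below is an added example, not the poster's named.conf. It keeps the zone names and the 10.1.60.0/24 network from the thread; the file paths, the decision to let only the AD server (10.1.60.11) register names, and the TSIG key "ad-update" with its placeholder secret are assumptions. It also routes the refusals to their own log file, which is the usual way to keep them out of the general log while still letting Logwatch count them.

```conf
// Added example; paths, key material and the update policy are assumed.

// Shared secret for the one host permitted to write. Replace the
// placeholder with output from tsig-keygen (or dnssec-keygen -n HOST on
// BIND 9.4) and configure the same key on the AD/DHCP side.
key "ad-update" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXI=";      // placeholder, not a real secret
};

// Forward zone: workstations keep getting "update refused" because they
// are unsigned. Only requests signed with ad-update may add or change
// host records, and only A/AAAA below the apex, never SOA/NS/MX.
// (allow-update and update-policy are mutually exclusive in one zone.)
zone "smls.org" {
    type master;
    file "smls.org.zone";
    update-policy {
        grant ad-update subdomain smls.org. A AAAA;
    };
};

// Reverse zone: explicit "none" is the default, but writing it down
// records that the 10.1.60.11 refusals for 60.1.10.IN-ADDR.ARPA are
// intended, not a misconfiguration someone should "fix" by opening it.
zone "60.1.10.IN-ADDR.ARPA" {
    type master;
    file "10.1.60.rev";
    allow-update { none; };
};

// Approval and denial of dynamic updates is logged under the
// update-security category. Give it its own rotated file so the nightly
// report can summarise it without the noise landing in the main log.
logging {
    channel update_refused {
        file "/var/log/named/update-security.log" versions 5 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category update-security { update_refused; };
};
```

A workstation that keeps appearing in that file after this change is still trying to self-register; the reply above is right that the behaviour is a client default, so the durable fix is turning off "Register this connection's addresses in DNS" on the clients or via group policy, not widening the server's ACL to the whole subnet.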