On Tue, Feb 23, 2010 at 07:28:48PM -0800,
Michael Sinatra mich...@rancid.berkeley.edu wrote
a message of 34 lines which said:
While I think the OpenDNS people (especially David U., their
founder) have a huge amount of clue, I think they're barking up the
wrong tree here.
On the other hand,
On Tue, Feb 23, 2010 at 09:56:55PM -0500,
Diosney Sarmiento Herrera diosne...@gmail.com wrote
a message of 20 lines which said:
Have any sense to blacklist the private address ranges on a server
that is facing Internet?
I am not sure I parse your sentence correctly but may be you refer to
On Feb 23 2010, Matus UHLAR - fantomas wrote:
since 9.5, the default for allow-recursion is { localhost; localnets;
}; previous versions used iirc { all; };
On 23.02.10 16:48, Chris Thompson wrote:
Actually, that change was made in 9.4. (Some of the cross-inheritance of
the different
On 23.02.10 23:01, sasa sasa wrote:
for a 192.168.199.64/26 in zone file to delegate to a customer;
should i put subnet number:
64/26 IN NS ns1.example.com.
64/26 IN NS ns2.example.com.
or host ranges:
64-126 IN NS ns1.example.com.
64-126 IN NS ns2.example.com.
.
.
$GENERATE
Hello, everybody.
Is it possible to modify responses on caching server side?
For example: if user asks for non-existent domain, caching server replies
with some address and no-error rcode.
___
bind-users mailing list
bind-users@lists.isc.org
On Wed, Feb 24, 2010 at 01:28:09PM +0300,
Peter Andreev andreev.pe...@gmail.com wrote
a message of 31 lines which said:
Is it possible to modify responses on caching server side?
Not with BIND (short of modifying the source code). Other name servers
may do it
In article mailman.575.1266994115.21153.bind-us...@lists.isc.org,
Michal Wesolowski gmic...@gmail.com wrote:
My server is caching only, I don't administer ns*.az.pl servers. I'm just
trying to understand if bind copes well with such an external error. As you
pointed out both servers fail in
In article mailman.564.1266963563.21153.bind-us...@lists.isc.org,
Mark Andrews ma...@isc.org wrote:
In message f677fefa1002230600n4694161cu315e5dd4beaaa...@mail.gmail.com,
Michal Wesolowski writes:
After some reading my present understanding is that correct response to
query
2010/2/24 Stephane Bortzmeyer bortzme...@nic.fr
On Wed, Feb 24, 2010 at 01:28:09PM +0300,
Peter Andreev andreev.pe...@gmail.com wrote
a message of 31 lines which said:
Is it possible to modify responses on caching server side?
Not with BIND (short of modifying the source code). Other
Peter Andreev wrote:
For example: if user asks for non-existent domain, caching server
replies with some address and no-error rcode.
_Extremely_ bad idea.
Yes, I know, but boss is boss and task is task :).
Thank you very much for your answer.
You might want to talk to
2010/2/24 Alan Clegg acl...@isc.org
Peter Andreev wrote:
For example: if user asks for non-existent domain, caching server
replies with some address and no-error rcode.
_Extremely_ bad idea.
Yes, I know, but boss is boss and task is task :).
Thank you very much
On Wed, Feb 24, 2010 at 10:18:31AM +0100,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 39 lines which said:
With 'severity debug 30', all I get is:
And, for a successful dynamic update (it works with A records):
24-Feb-2010 14:31:44.803 update: debug 8: client ::1#13202:
Nice write up. It explains WHY we had the weird delegation on switching
carriers a few years back and also explains why I had to put my kluge
in.
However, I wonder how easy it is in practice to get a company the size
of ATT to do individual delegations for dozens or hundreds of IPs?
You mention
On Wed, Feb 24, 2010 at 10:18:31AM +0100,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 39 lines which said:
24-Feb-2010 10:17:01.057 update: error: client ::1#45986: updating zone
'toto.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space
Adding a fair amount of debugging
On Wed, Feb 24, 2010 at 11:37:29AM +0100,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 18 lines which said:
Other name servers may do it
http://www.unbound.net/documentation/pythonmod/index.html
http://www.unbound.net/documentation/pythonmod/examples/example3.html
reply below
On Wed, Feb 24, 2010 at 1:06 AM, Evan Hunt e...@isc.org wrote:
I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
full of wackos. So it is unlikely he will ever be bothered to dance the
IETF RFC jig.
Is there a requirement that Dr. Bernstein must
On Wed, Feb 24, 2010 at 1:13 AM, Michael Sinatra
mich...@rancid.berkeley.edu wrote:
As someone who both signs his production zones and does DNSSEC validation,
I can assure you that DNSSEC works. But you've done as good a job as I can
imagine in making the case for DNScurve.
Done.
regards
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
DNScurve advocates, on the other hand, point out that DNS isn't
encrypted. Well, neither is the phone book. So what?
So the protocol is vulnerable to both local and remote forgery attacks,
just like other unencrypted protocols
Joe Baptista wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
Joe,
The fact that queries hit servers that are DNScurve capable does not
mean that they are
On 24.02.10 08:31, Lightner, Jeff wrote:
From: Lightner, Jeff jlight...@water.com
Date: Wed, 24 Feb 2010 08:31:44 -0500
Subject: RE: Query denied errors on PTR records for delegated zone
To: Jonathan de Boyne Pollard j.deboynepollard-newsgro...@ntlworld.com,
BIND users mailing list
sorry for the first post, accidentally hit send instead of drop...
On 24.02.10 08:31, Lightner, Jeff wrote:
Nice write up. It explains WHY we had the weird delegation on switching
carriers a few years back and also explains why I had to put my kluge
in.
However, I wonder how easy it is in
On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote:
On Tue, Feb 23, 2010 at 09:56:55PM -0500,
Diosney Sarmiento Herrera diosne...@gmail.com wrote:
Have any sense to blacklist the private address ranges on a server
that is facing Internet?
I am not sure I parse your sentence correctly but may
On Tue, 23 Feb 2010, Joe Baptista wrote:
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed.
It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be deployed in the most important zones this
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
don't actually think it'd be much of a
On Wed, 24 Feb 2010, Tony Finch wrote:
On Tue, 23 Feb 2010, Joe Baptista wrote:
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed.
It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be
On Feb 24 2010, Evan Hunt wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
don't
In article mailman.608.1267031100.21153.bind-us...@lists.isc.org,
Chris Thompson c...@cam.ac.uk wrote:
On Feb 24 2010, Evan Hunt wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is
On Feb 24, 2010, at 11:23 AM, Tony Finch wrote:
On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote:
On Tue, Feb 23, 2010 at 09:56:55PM -0500,
Diosney Sarmiento Herrera diosne...@gmail.com wrote:
Have any sense to blacklist the private address ranges on a server
that is facing Internet?
I am
Running Bind 9.6.1-P3
We run authoritative DNS for 60k+ zones. On one network where we have two dns
servers both running the same hardware on Centos 5.4
We see slow dns responses : example
for i in {1..250}; do dig example.com @localhost | grep "Query time:"; done
Sometimes they'll all come back w/
Hello,
I think I have a configuration issue somewhere. It looks like from
the logs that my master server is notifying the slaves correctly, but
then the other slaves are also notifying the slaves as well.
172.16.0.100 is the master
172.16.0.101 is 1st slave
172.16.0.102 is 2nd slave
Here is a
Dan Letkeman wrote:
I think I have a configuration issue somewhere. It looks like from
the logs that my master server is notifying the slaves correctly, but
then the other slaves are also notifying the slaves as well.
172.16.0.100 is the master
172.16.0.101 is 1st slave
172.16.0.102 is
Joe Baptista bapti...@publicroot.org wrote:
Someone else has written the RFC draft - which see http://bit.ly/b5mFkV
That draft has this text, Expires: February 27, 2010 [3 days from
today]. I am not sure what an expiration date means officially on a
draft RFC.
Hi Stace,
Sorry, I didn't think this was necessarily a Solaris problem. I'm running this
on Solaris 10 (SPARC 64bit), built with Sun Studio 12.1. Why did it occur on
OpenSolaris?
Thanks.
-John
From: stacey.marsh...@sun.com
From the BCP79 referenced at top of the draft:
d. Internet-Draft: temporary documents used in the IETF and RFC
Editor processes. Internet-Drafts are posted on the IETF web site
by the IETF Secretariat and have a nominal maximum lifetime in the
Secretariat's public directory of
In message 20100224091831.ga3...@nic.fr, Stephane Bortzmeyer writes:
On Wed, Feb 24, 2010 at 11:32:35AM +1100,
Mark Andrews ma...@isc.org wrote
a message of 35 lines which said:
Turn the debugging up to 3.
With 'severity debug 30', all I get is:
24-Feb-2010 10:17:01.047 update:
In message 4b8586a0.2030...@isc.org, Alan Clegg writes:
Dan Letkeman wrote:
I think I have a configuration issue somewhere. It looks like from
the logs that my master server is notifying the slaves correctly, but
then the other slaves are also notifying the slaves as well.
On Wed, Feb 24, 2010 at 11:33 AM, Evan Hunt e...@isc.org wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
ORG and GOV and quite a lot of the ccTLD's
Joe Baptista wrote:
[] I guess that depends on if DNSSEC
is turned on by default in BIND. Incidentally - is it?
dnssec-enable yes;
and
dnssec-validation yes;
are the defaults since BIND 9.5
Serving signed zones requires signed zone data to serve.
Validation
On Wed, Feb 24, 2010 at 10:08 PM, Alan Clegg acl...@isc.org wrote:
dnssec-enable yes;
and
dnssec-validation yes;
are the defaults since BIND 9.5
How do I turn it off.
Thanks
joe
Joe Baptista wrote:
dnssec-enable yes;
and
dnssec-validation yes;
are the defaults since BIND 9.5
How do I turn it off.
Since you edited out the most important part of my post, I'll repeat it
here before I answer your question:
Serving signed zones requires
It's going to be interesting to watch. I guess that depends on if DNSSEC is
turned on by default in BIND. Incidentally - is it?
That depends on what you mean by turned on. The DNSSEC protocol is
enabled, and the DO bit is set in queries, so authoritative servers with
signed data will send it.
On Thu, 25 Feb 2010, Evan Hunt wrote:
It's going to be interesting to watch. I guess that depends on if DNSSEC is
turned on by default in BIND. Incidentally - is it?
That depends on what you mean by turned on. The DNSSEC protocol is
enabled, and the DO bit is set in queries, so authoritative
42 matches