Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread David Miller
On 2/24/2011 1:19 AM, Matthew Seaman wrote: On 24/02/2011 04:14, Noel Butler wrote: You can pretty much remove the entire statement now, as all /8's are issued as of about two weeks ago. This works for me: lucid-nonsense:~/src/namedb:% cat acl-ipv4-bogons.conf // @(#) $Id: acl-ipv4-bogons.conf

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Matthew Seaman
On 24/02/2011 04:14, Noel Butler wrote: > You can pretty much remove the entire statement now, as all /8's are > issued as of about two weeks ago. This works for me: lucid-nonsense:~/src/namedb:% cat acl-ipv4-bogons.conf // @(#) $Id: acl-ipv4-bogons.conf 800 2011-02-03 20:22:12Z matthew $ // // N

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread David Ford
https://blue-labs.org/software/dns/bogon-update.py -david On 02/23/11 23:04, Gregory Machin wrote: > Hi. > Thanks for the support and assistance. I see that the issue is related > to the "bogon" filter in bind configuration. > > Where can I get a valid bogon list? > Thanks

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Noel Butler
Hi, You can pretty much remove the entire statement now, as all /8's are issued as of about two weeks ago. (Confirming, with my 27.x IP I can now get answers from your local NS's so all looks good) Cheers On Thu, 2011-02-24 at 17:04 +1300, Gregory Machin wrote: > Hi. > Thanks for the support a

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Gregory Machin
Hi. Thanks for the support and assistance. I see that the issue is related to the "bogon" filter in bind configuration. Where can I get a valid bogon list? Thanks On Thu, Feb 24, 2011 at 3:45 PM, Noel Butler wrote: > Further to my private message, is your border router using bogon filters? > > I

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Noel Butler
Further to my private message, is your border router using bogon filters? I can actually get your local NS's using a U.S host on an old IP, but not from my connection, this suggests an outdated bogon filter since I'm on 27.x IP range. On Thu, 2011-02-24 at 15:00 +1300, Gregory Machin wrote: > H

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Gregory Machin
Hi. Thanks for the feedback. I was warned not to provide too much info by the security guy. The domain name in question is openpolytechnic.ac.nz Thanks On Thu, Feb 24, 2011 at 12:36 PM, Anand Buddhdev wrote: > On 23/02/2011 23:53, Gregory Machin wrote: > > Hi Gregory, > >> why are >> >> ;; AUTH

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Anand Buddhdev
On 23/02/2011 23:53, Gregory Machin wrote: Hi Gregory, > why are > > ;; AUTHORITY SECTION: > mydomain.nz. 86400 IN NS mcvpdns01.mydomain.nz. > mydomain.nz. 86400 IN NS drvpdns01.mydomain.nz. > > missing ? Google DNS and OpenDNS are meant to be used by end-users, who d

incorrect dns returned by public servers for our domain

2011-02-23 Thread Gregory Machin
Hi. When I query my dns servers internally and directly from outside I get [macgre@topnz15209-linux ~]$ dig @202.a.x.y mydomain.nz ; <<>> DiG 9.7.2-P3-RedHat-9.7.2-1.P3.fc13 <<>> @202.a.x.y mydomain.nz ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, statu

Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

2011-02-23 Thread Ryan Novosielski
There was also a message-length client auto or something like that too for some versions of some Cisco HW, but if memory serves, the version that introduced it is broken. :) On 02/23/2011 04:54 PM, Warren Kumari wrote: In PIX versions 6.3.2 and below you had to do: fixup protocol dns maximum-l

Re: Help on recursive set up

2011-02-23 Thread Kevin Darcy
There are multiple ways to interpret that question. Normally, a resolver either uses recursion (with a preconfigured set of forwarders) at a given point in resolving a particular name, or it follows the NS records in a delegation chain, non-recursively, in order to find the answer. It wouldn

Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

2011-02-23 Thread Warren Kumari
In PIX versions 6.3.2 and below you had to do: fixup protocol dns maximum-length 4096 In later versions you need: policy-map type inspect dns preset_dns_map parameters message-length maximum 4096 or to increase the response size length: policy-map global_policy class inspection_default inspect

Re: mx selection order

2011-02-23 Thread David Sparro
On 2/23/2011 4:56 AM, Stephane Bortzmeyer wrote: On Tue, Feb 22, 2011 at 04:37:03PM -0500, David Sparro wrote a message of 24 lines which said: it is up to the application how it will use the data. MX records are only used by MTA and, no, it is NOT up to the MTA to decide how to handle M

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread David Sparro
On 2/23/2011 12:19 PM, Kevin Darcy wrote: On 2/23/2011 4:57 AM, Eivind Olsen wrote: reason. And if your Internet connection goes down, does it really matter whether you can do lookups, if you can't make the connections anyway? I hear that reasoning a lot, but it's actually a fallacy. Some appli

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Eivind Olsen
On 23 Feb 2011, at 18:19, Kevin Darcy wrote: > One should also bear in mind that DNS isn't only used for obtaining address > records for purposes of immediate client/server connection. ...etc... Fair enough. I didn't see any mention of that in the original posting, and I don't think the host

Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

2011-02-23 Thread Ryan Novosielski
A couple more gems: https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf (really anything at dnssec-deployment.org) There was another table that I found someplace and cannot find now that listed Cisco PIX and mentioned w

Re: root zone initial key in bind.keys

2011-02-23 Thread Kevin Oberman
> Date: Wed, 23 Feb 2011 17:32:44 + > From: Evan Hunt > Sender: bind-users-bounces+oberman=es@lists.isc.org > > > That may have been the intent, but I can assure you that it isn't what > > actually happens! > > Whoops. You're right, and it's a bug. The keys aren't read without > "dnsse

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Kevin Darcy
On 2/23/2011 4:57 AM, Eivind Olsen wrote: is there any option in BIND to give priority to HOST file before connecting it to internet ISP or local zone? No. BIND doesn't read/use the hosts file. What you _can_ do is configure BIND to believe it's authoritative for those zones, but I'd not recomme

[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

2011-02-23 Thread Christopher Cain
[forgot to change the digest subject before sending - sorry folks] On Wed, Feb 23, 2011 at 12:30, Christopher Cain wrote: > Ryan - thanks for the link. This would have saved me quite a bit of > troubleshooting time a few weeks back. > > Christopher Cain > E: ch...@christophercain.ca > > > >> ---

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Kevin Darcy
On 2/23/2011 4:08 AM, babu dheen wrote: Hi, Our setup is; We have internal DNS server wherein BIND is configured in RHEL 5 and many internal zones are configured. if Internet connection is down, our Internal DNS servers are not able to get the DNS query from ISP DNS server. Because of this, al

Re: bind-users Digest, Vol 782, Issue 5

2011-02-23 Thread Christopher Cain
Ryan - thanks for the link. This would have saved me quite a bit of troubleshooting time a few weeks back. Christopher Cain E: ch...@christophercain.ca > -- Forwarded message -- > From: Ryan Novosielski > To: bind-users@lists.isc.org > Date: Wed, 23 Feb 2011 11:39:41 -0500 > S

Re: root zone initial key in bind.keys

2011-02-23 Thread Evan Hunt
> That may have been the intent, but I can assure you that it isn't what > actually happens! Whoops. You're right, and it's a bug. The keys aren't read without "dnssec-lookaside auto" being turned on, but if it is, then both keys are loaded. This works correctly in 9.8, but a little piece of co

Re: root zone initial key in bind.keys

2011-02-23 Thread Chris Thompson
On Feb 23 2011, Evan Hunt wrote: # This file also contains a copy of the trust anchor for the DNS root zone # ("."). However, named does not use it; it is provided here for # informational purposes only. To switch on DNSSEC validation at the # root, the root key below can be copied into named.

Re: root zone initial key in bind.keys

2011-02-23 Thread Chris Thompson
On Feb 23 2011, Matus UHLAR - fantomas wrote: Hello, after downloading and unpacking bind9.7.3, there's bind.keys file that contains this comment: # This file also contains a copy of the trust anchor for the DNS root zone # ("."). However, named does not use it; it is provided here for # info

Re: Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

2011-02-23 Thread Paul Ebersman
larissas> When an authoritative server processes a successful IXFR larissas> transfer or a dynamic update, there is a small window of time larissas> during which the IXFR/update coupled with a query may cause a larissas> deadlock to occur. The issue is a write lock. The bug can be triggered by an

Re: root zone initial key in bind.keys

2011-02-23 Thread Evan Hunt
> # This file also contains a copy of the trust anchor for the DNS root zone > # ("."). However, named does not use it; it is provided here for > # informational purposes only. To switch on DNSSEC validation at the > # root, the root key below can be copied into named.conf. > > Does this still a

Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

2011-02-23 Thread Ryan Novosielski
Take a look at this. It is somewhat confusing, but it is helpful and should tell you right away if you definitely have a firewall issue (and frankly there's little else it could be). https://www.dns-oarc.net/oarc/services/replysizetest On 02/23/2011

Re: Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

2011-02-23 Thread David Coulthart
On Feb 22, 2011, at 3:55 PM, Larissa Shapiro wrote: > Description and Impact: > > When an authoritative server processes a successful IXFR transfer or a > dynamic update, there is a small window of time during which the IXFR/update > coupled with a query may cause a deadlock to occur. This deadl

Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

2011-02-23 Thread Shaoquan Lin
Thanks, Mark, Last June I asked our firewall person to make sure our firewall not blocking DNS packets over 512 bytes. He told me our firewall was not blocking. I guess that might be some default setting of the firewall and he does not really know. I did two digs here one with +dnssec and

root zone initial key in bind.keys

2011-02-23 Thread Matus UHLAR - fantomas
Hello, after downloading and unpacking bind9.7.3, there's bind.keys file that contains this comment: # This file also contains a copy of the trust anchor for the DNS root zone # ("."). However, named does not use it; it is provided here for # informational purposes only. To switch on DNSSEC val

Re: Help on recursive set up

2011-02-23 Thread Stephane Bortzmeyer
On Wed, Feb 23, 2011 at 06:45:11PM +0530, rams wrote a message of 104 lines which said: > I have configured recursion yes in named.conf and i queried for NS > delegated records against bind. Actually that domain is not exist in > my system. Here how bind will work. To tell the truth, I do no

Re: Help on recursive set up

2011-02-23 Thread rams
I have configured recursion yes in named.conf and i queried for NS delegated records against bind. Actually that domain is not exist in my system. Here how bind will work. On Wed, Feb 23, 2011 at 6:20 PM, rams wrote: > I have configured recursion yes in named.conf and i queried for NS > delega

Re: Help on recursive set up

2011-02-23 Thread Torinthiel
On 2011-02-23 17:59 rams wrote: >Hi, >Could you please tell me how to set up for recursive server for NS >delegation records. I know what a recursive nameserver is. I know what NS delegation record is. I have no idea what a recursive nameserver for NS delegation records is. Recursive nam

Re: Help on recursive set up

2011-02-23 Thread Stephane Bortzmeyer
On Wed, Feb 23, 2011 at 05:59:06PM +0530, rams wrote a message of 33 lines which said: > Could you please tell me how to set up for recursive server for NS > delegation records. > > It would be great if you give named.conf It would be great if you rewrite your requirements because I simply ca

Re: Help on recursive set up

2011-02-23 Thread Matus UHLAR - fantomas
On 23.02.11 17:59, rams wrote: > Could you please tell me how to set up for recursive server for NS > delegation records. for recursive server or for NS delegation? > It would be great if you give named.conf there's at least one default named.conf provided within bind installation in any package

Help on recursive set up

2011-02-23 Thread rams
Hi, Could you please tell me how to set up for recursive server for NS delegation records. It would be great if you give named.conf Thanks & Regards, Ramesh

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Eivind Olsen
> is there any option in BIND to give priority to HOST file before > connecting it to internet ISP or local zone? No. BIND doesn't read/use the hosts file. What you _can_ do is configure BIND to believe it's authoritative for those zones, but I'd not recommend doing this unless you have a very goo

Re: mx selection order

2011-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 22, 2011 at 04:37:03PM -0500, David Sparro wrote a message of 24 lines which said: > it is up to the application how it will use the data. MX records are only used by MTA and, no, it is NOT up to the MTA to decide how to handle MX records, there is a standard for that, RFC 5321, s

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Stephane Bortzmeyer
On Wed, Feb 23, 2011 at 02:38:19PM +0530, babu dheen wrote a message of 61 lines which said: > if Internet connection is down, our Internal DNS servers are not able > to get the DNS query from ISP DNS server. Because of this, all users > are not able to access many critical application hosted i

Re: Multi language support in BIND

2011-02-23 Thread Eivind Olsen
> Can anyone tell me how to enable Arabic domain name query in BIND running > Redhat RHEL 5. > Actually we have many internal domain name zone configured in BIND > running in Redhat 5 OS. Since i am from Middle east, users in my company > wants to access their internal domain name through arabic

Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Terry.
I was thinking this is most likely the network problem, so you'd better setup a good network with redundancy and high availability. 2011/2/23 babu dheen > > is there any option in BIND to give priority to HOST file before connecting > it to internet ISP or local zone? > > -- Free SmartDNS Hosti

Re: Multi script support in BIND

2011-02-23 Thread Stephane Bortzmeyer
[I changed the subject, which seemed wrong to me.] On Wed, Feb 23, 2011 at 02:33:56PM +0530, babu dheen wrote a message of 56 lines which said: > Can anyone tell me how to enable Arabic domain name query in BIND > running Redhat RHEL 5. You have absolutely nothing to do. Read

How to allow set Host file dns query priorities in BIND

2011-02-23 Thread babu dheen
Hi, Our setup is; We have internal DNS server wherein BIND is configured in RHEL 5 and many internal zones are configured. if Internet connection is down, our Internal DNS servers are not able to get the DNS query from ISP DNS server. Because of this, all users are not able to access many crit

Multi language support in BIND

2011-02-23 Thread babu dheen
Hi, Can anyone tell me how to enable Arabic domain name query in BIND running Redhat RHEL 5. Actually we have many internal domain name zone configured in BIND running in Redhat 5 OS. Since i am from Middle east, users in my company wants to access their internal domain name through arab