Re: Option in named to turn off EDNS Globally

2016-08-04 Thread Mark Andrews
In message , Harshith Mulky writes: > Hello, > > Is there an option in named to turn off EDNS Responses (not Requests) Globally > > I have tried with this Option on named > > server 0.0.0.0 > { > edns no; > }; You

Option in named to turn off EDNS Globally

2016-08-04 Thread Harshith Mulky
Hello, Is there an option in named to turn off EDNS Responses (not Requests) Globally? I have tried with this Option on named: server 0.0.0.0 { edns no; }; But it does not seem to work. Any other options? Thanks, Harshith

RE: change response cache ttl (--enable-cache-ttl)

2016-08-04 Thread SUKMOON LEE
> > In message , "Darcy > Kevin (FCA)" > writes: > > That's only a problem if the clients are constantly looking up the > > name, right? If they're looking it up only _occasionally_, with some > > degree of entropy, then the query load gets

Re: change response cache ttl (--enable-cache-ttl)

2016-08-04 Thread Mark Andrews
In message , "Darcy Kevin (FCA)" writes: > That's only a problem if the clients are constantly looking up the name, > right? If they're looking it up only _occasionally_, with some degree of > entropy, then the query load gets spread out.

RE: change response cache ttl (--enable-cache-ttl)

2016-08-04 Thread Darcy Kevin (FCA)
That's only a problem if the clients are constantly looking up the name, right? If they're looking it up only _occasionally_, with some degree of entropy, then the query load gets spread out. So, in those cases, implement something on the client side that pre-expires the cache entry with some

Re: change response cache ttl (--enable-cache-ttl)

2016-08-04 Thread Mark Andrews
In message , "Darcy Kevin (FCA)" writes: > "many client have caused a burst DNS traffic" is not much of a problem > statement, honestly. > > What does this patch add, of value, that isn't already covered by > "max-cache-ttl"? > > If you're

RE: change response cache ttl (--enable-cache-ttl)

2016-08-04 Thread Darcy Kevin (FCA)
So, fix the TTLs on the RBLs, sheesh! Pathological use cases don't warrant deviation from standard. - Kevin -Original Message- From: Reindl Harald [mailto:h.rei...@thelounge.net] Sent: Thursday, August 04, 2016

RE: change response cache ttl (--enable-cache-ttl)

2016-08-04 Thread Darcy Kevin (FCA)
"many client have caused a burst DNS traffic" is not much of a problem statement, honestly. What does this patch add, of value, that isn't already covered by "max-cache-ttl"? If you're trying to allow the operators of intermediate resolvers to override the intentions of the data owner, by

RE: a question about denied queries

2016-08-04 Thread Darcy Kevin (FCA)
Most likely, it has to do with recursion settings, yes, but indirectly. When recursion is not honored for a client, the next thing that named does is check whether the answer, or anything relevant to the answer, is in cache. But access to the cache, these days, defaults to being as restrictive

a question about denied queries

2016-08-04 Thread Andreas Meyer
Hello! When I see this in the log, does this mean it is because the server does not allow recursion? Aug 4 18:52:19 bitmachine1 named[26142]: client 127.0.0.1#52733 (c303.cloudmark.com): query (cache) 'c303.cloudmark.com/A/IN' denied Aug 4 18:56:08 bitmachine1 named[26142]: client

change response cache ttl (--enable-cache-ttl)

2016-08-04 Thread SUKMOON LEE
Hello Sirs, I am Sukmoon Lee, a software developer and network engineer in South Korea. Recently, most clients (smart phones) have a local DNS cache. The Cache DNS TTL affects the client cache expiration time for a domain. So many clients have caused a burst of DNS traffic. In order to solve this issue

Re: named is not finding the keys for DNSSEC

2016-08-04 Thread Andreas Meyer
Hi! > Tony Finch wrote on 04.08.16 at 09:21:36: > > The error suggests to me that you have a key-directory mismatch, but you > > seem to have that under control. That was the right hint! I had no key-directory "/var/lib/named/keys"; specified in named.conf. There also is

Re: named is not finding the keys for DNSSEC

2016-08-04 Thread Tony Finch
Andreas Meyer wrote: > Tony Finch wrote on 04.08.16 at 09:21:36: > > > > The error message refers to the key ID rather than the filename - in more > > recent versions it has been clarified to use the actual filename. > > Is it possible to look for the

Re: named is not finding the keys for DNSSEC

2016-08-04 Thread Andreas Meyer
Hello! Tony Finch wrote on 04.08.16 at 09:21:36: > > The key is named Kbitcorner.de.+005+16938.private but named is looking for > > a key named bitcorner.de/RSASHA1/16938 or is it just substituting? > > The error message refers to the key ID rather than the filename - in

Re: named is not finding the keys for DNSSEC

2016-08-04 Thread Tony Finch
Andreas Meyer wrote: > > dns_dnssec_keylistfromrdataset: error reading private key file > bitcorner.de/RSASHA1/16938: file not found > > I think it must have something to do with the name itself, could it be? > > The key is named Kbitcorner.de.+005+16938.private but named is