Re: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
> On 5 Jan 2017, at 22:09, Lars Kulseng wrote:
>
> Any other thoughts on the naming of the zone? If I wanted to obfuscate the
> name, I could use a reserved TLD like .test or .invalid. This would never
> appear in the wild.

Ah. Well. You explained your reason for

Re: real BIND start time

2017-01-05 Thread Mark Andrews
Personally I'd just ask named.

% rndc status
version: BIND 9.11.0
running on rock.dv.isc.org: Darwin x86_64 12.6.0 Darwin Kernel Version 12.6.0: Wed Mar 18 16:23:48 PDT 2015; root:xnu-2050.48.19~1/RELEASE_X86_64
boot time: Fri, 30 Dec 2016 04:42:08 GMT
last configured: Fri, 30 Dec 2016

Re: real BIND start time

2017-01-05 Thread Evan Hunt
Server boot time is reported in the HTTP statistics channel. For example, with this in named.conf:

statistics-channels {
    inet * port allow { localhost; };
};

$ curl http://localhost:/json/v1/status
{
  "json-stats-version":"1.2",
  "boot-time":"2017-01-05T22:01:35.313Z",

Re: Fwd: Need feedback on RPZ service setup

2017-01-05 Thread Lars Kulseng
On Thu, 5 Jan 2017 at 16:54, Tony Finch wrote:
> Lars Kulseng wrote:
>
> > I wasn't aware that the ACL-clause could include TSIG-keys as well as
> > IP-addresses. So far I've been using the masters-clause to make the
> > actual list of servers and keys,

Re: real BIND start time

2017-01-05 Thread Mathew Ian Eis
ps -C named -o start,lstart is the time since the process was started. One can also force BIND to “reset” with a SIGHUP without actually stopping and starting the daemon. This will cause (among many other things) the pid file to be reset. (You can also find a “general: notice: running” about

Re: real BIND start time

2017-01-05 Thread Ryan Pavely
I don't know the official answer, but I can tell you the PS method reports to me November, which is the last time named was started; whereas the pid file date shows noon today, a few hours ago.

Ryan Pavely
Cologix
http://www.cologix.com/

On 1/5/2017 3:54 PM, Jonathan Reed wrote:

real BIND start time

2017-01-05 Thread Jonathan Reed
Hi,

I'm running rndc stats and trying to determine how long the stats are good for. I'm querying the server start time by a couple of methods but they're not the same. Which one should I rely on?

$ date -r /var/run/named/named.pid
Sun Jan 1 03:38:04 EST 2017
$ ps -C named -o lstart=
Sat Dec 24
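
The replies in this thread converge on asking named itself rather than the filesystem: the pid file is rewritten on a SIGHUP/reload, `ps -o lstart` reports the process start, and `rndc status` (Mark's reply) or the statistics channel's JSON (Evan's reply) report the boot time directly. What follows is an added example, not code from any of the posters, that pulls the boot and last-configured times out of both sources and works out how many seconds the stats counters cover. The host name, version id, timestamps and JSON document are constructed samples in the shape of the output quoted above; `seconds_between` assumes GNU coreutils `date`.

```shell
#!/bin/sh
# Added example, not code from the thread.  Pull the server boot time, which
# is what the rndc stats counters have been accumulating since, out of the two
# sources a reload or SIGHUP does not disturb: the text of `rndc status` and
# the statistics channel's /json/v1/status document.  The pid file's mtime and
# `ps -o lstart` are deliberately not used.  Sample inputs are constructed for
# this example; the host name, version id and timestamps are made up.

# Print the value of one "label: value" line from rndc status text on stdin.
# The label is anchored at the start of the line, so "boot time" can never
# pick up "last configured" or vice versa.
rndc_field() {
    sed -n "s/^$1: *//p"
}

rndc_boot_time()   { printf '%s\n' "$1" | rndc_field 'boot time'; }
rndc_config_time() { printf '%s\n' "$1" | rndc_field 'last configured'; }

# Pull one flat string field out of the JSON status document.  sed is enough
# because these fields are simple quoted strings; use jq where available.
json_field() {
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p" | head -n 1
}

json_boot_time()    { printf '%s\n' "$1" | json_field 'boot-time'; }
json_config_time()  { printf '%s\n' "$1" | json_field 'config-time'; }
json_current_time() { printf '%s\n' "$1" | json_field 'current-time'; }

# Seconds from START to END.  Either may be RFC 2822 as rndc prints it or
# ISO 8601 as the JSON channel prints it.  Assumes GNU coreutils date; the
# BSD/macOS date has no -d.
seconds_between() {
    echo $(( $(date -u -d "$2" +%s) - $(date -u -d "$1" +%s) ))
}

# Constructed sample output.  "last configured" is later than "boot time"
# because the server was reloaded after it started; a reload also rewrites
# the pid file, which is why its mtime is not a start time.
SAMPLE_RNDC_STATUS='version: BIND 9.11.0 <id:abcdef0>
running on ns1.example.net: Linux x86_64 4.4.0
boot time: Fri, 30 Dec 2016 04:42:08 GMT
last configured: Thu, 05 Jan 2017 12:00:31 GMT
CPUs found: 4
server is up and running'

SAMPLE_JSON='{
  "json-stats-version":"1.2",
  "boot-time":"2016-12-30T04:42:08.117Z",
  "config-time":"2017-01-05T12:00:31.902Z",
  "current-time":"2017-01-05T22:01:35.313Z"
}'

main() {
    printf 'boot time (rndc):       %s\n' "$(rndc_boot_time "$SAMPLE_RNDC_STATUS")"
    printf 'last configured (rndc): %s\n' "$(rndc_config_time "$SAMPLE_RNDC_STATUS")"
    printf 'boot time (json):       %s\n' "$(json_boot_time "$SAMPLE_JSON")"
    # Only GNU date parses these strings; skip the arithmetic elsewhere.
    if date -u -d 'Fri, 30 Dec 2016 04:42:08 GMT' +%s >/dev/null 2>&1; then
        printf 'counters cover %s seconds as of current-time\n' \
            "$(seconds_between "$(json_boot_time "$SAMPLE_JSON")" \
                               "$(json_current_time "$SAMPLE_JSON")")"
    fi
}

main
```

Against a live server, replace the samples with `rndc status` and `curl http://localhost:<port>/json/v1/status` output; "boot time" is the value to date the counters from, and a "last configured" newer than it only tells you a reload happened.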

Re: Need feedback on RPZ service setup

2017-01-05 Thread Paul Seward
On 5 January 2017 at 14:36, Lars Kulseng wrote:
>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses.
>
As I understand it, you have to be careful mixing TSIG keys and IP addresses within an ACL, as it's "first match wins". So if you

Re: Fwd: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
Lars Kulseng wrote:
>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses. So far I've been using the masters-clause to make the actual
> list of servers and keys, but also using the server-clause. Perhaps the
> server-clause is

Re: Few questions on Bind

2017-01-05 Thread John Miller
On Thu, Jan 5, 2017 at 6:11 AM, Tony Finch wrote:
> Debarghya Mandal wrote:
>>
> do, you'll have to write a custom back-end, or use some other more
> scriptable DNS software such as PowerDNS.
>
Thanks, Tony - I didn't quite have the guts to recommend

Fwd: Need feedback on RPZ service setup

2017-01-05 Thread Lars Kulseng
-- Forwarded message -
From: Lars Kulseng
Date: Thu, 5 Jan 2017 at 15:34
Subject: Re: Need feedback on RPZ service setup
To: Tony Finch

On Thu, 5 Jan 2017 at 14:24, Tony Finch wrote:
Lars Kulseng

Re: Need feedback on RPZ service setup

2017-01-05 Thread wbrown
From: Tony Finch
> BIND will only send NOTIFY to a zone's advertised name servers - "stealth
> slaves" like your consumers have to rely on the SOA refresh timer.

Why not use also-notify to specify client servers?

Confidentiality Notice: This electronic message and any

Re: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
Lars Kulseng wrote:
> I am setting up BIND to be used as a way to disseminate RPZ-zones for use
> by third parties. I would like some feedback on my setup.

Overall it sounds very sensible to me. A few notes...

> Access control is done by using TSIG-keys, with separate

Need feedback on RPZ service setup

2017-01-05 Thread Lars Kulseng
I am setting up BIND to be used as a way to disseminate RPZ-zones for use by third parties. I would like some feedback on my setup. Any pitfalls I may encounter would be great to hear about. The system will only serve up RPZ-zones to external parties that will zone-transfer the RPZ-zone to use in
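
Tying together the points raised in the replies to this post (Paul Seward's warning that a TSIG key and an IP address in one ACL are evaluated first match wins, Tony Finch's note that NOTIFY only goes to the zone's advertised name servers, and wbrown's suggestion of also-notify for the stealth consumers), here is an added example named.conf. It is not Lars's actual configuration and not BIND project code. The key names customer1 and customer2, the base64 secrets (placeholders, not real keys), the RFC 5737 documentation addresses and the zone name rpz.example. are all chosen for this example.

```conf
// Added example (not the poster's real configuration).  Server side: an
// authoritative-only named that hands the RPZ zone to TSIG-authenticated
// consumers and NOTIFYs them explicitly.  Key names, secrets, addresses
// and the zone name are placeholders chosen for this example.

key "customer1" {
    algorithm hmac-sha256;
    // placeholder: generate real secrets with tsig-keygen, one per consumer
    secret "cGxhY2Vob2xkZXItZ2VuZXJhdGUtd2l0aC10c2lnLWtleWdlbg==";
};

key "customer2" {
    algorithm hmac-sha256;
    secret "c2Vjb25kLXBsYWNlaG9sZGVy";
};

// Address match lists are first match wins, so a network and a key in one
// list is an OR: anything from 192.0.2.0/24 gets in unsigned, and a
// customer1-signed request gets in from anywhere.
acl "customer1-or" {
    192.0.2.0/24;
    key "customer1";
};

// To require the network AND the key, refuse everything off-net first.  A
// negative match inside a nested list counts as "no match", so 192.0.2.x
// falls through to the key element; any other address hits the negated
// "any" and is refused before the key is even looked at.
acl "customer1-onnet-signed" {
    !{ !192.0.2.0/24; any; };
    key "customer1";
};

options {
    directory "/var/named";
    recursion no;
    allow-query { none; };      // nothing unless a zone opens it up
    allow-transfer { none; };
    notify explicit;            // NOTIFY only the also-notify list, not NS RRs
};

zone "rpz.example." {
    type master;
    file "rpz.example.db";
    // Consumers are stealth slaves: no NS record points at them, so without
    // also-notify they would only learn of changes on the SOA refresh timer.
    also-notify { 192.0.2.10; 198.51.100.7; };
    // A slave's refresh check is an ordinary SOA query, so allow-query must
    // admit the same keys or the refresh (not just the AXFR) is REFUSED.
    allow-query    { key "customer1"; key "customer2"; };
    allow-transfer { "customer1-onnet-signed"; key "customer2"; };
};

// Consumer side: a separate named.conf on the third party's resolver.
// The key in the masters list signs both the SOA refresh queries and the
// AXFR/IXFR to that master, so no server clause is needed for that.
//
// key "customer1" {
//     algorithm hmac-sha256;
//     secret "cGxhY2Vob2xkZXItZ2VuZXJhdGUtd2l0aC10c2lnLWtleWdlbg==";
// };
//
// zone "rpz.example." {
//     type slave;
//     file "slave/rpz.example.db";
//     masters { 203.0.113.5 key "customer1"; };
//     allow-transfer { none; };   // do not pass the feed on
// };
//
// options {
//     directory "/var/named";
//     response-policy { zone "rpz.example."; };
// };
```

Run `named-checkconf` on both files after editing. From a consumer, `dig @203.0.113.5 rpz.example. AXFR -y hmac-sha256:customer1:<secret>` should return the zone, the same command without `-y` should get REFUSED, and a signed request from outside 192.0.2.0/24 should also be REFUSED for customer1 but not for customer2, which is the difference between the two ACL styles above.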

Re: Few questions on Bind

2017-01-05 Thread Tony Finch
Debarghya Mandal wrote:
>
> 1. Is there a way to load custom DNS record from zone file?

https://tools.ietf.org/html/rfc3597
Handling of Unknown DNS Resource Record (RR) Types

It isn't very pretty, though :-)

> 2. Once bind loads that data, for certain zones, for
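
The generic format RFC 3597 defines writes any record as `TYPE<number> \# <RDATA length> <RDATA hex>`, and BIND loads it for any type number, including ones it has no parser for. As an added example that is not part of Tony's reply, here is a small shell helper that emits such records with the length computed rather than hand-counted, plus a check mirroring what a zone loader verifies. The owner names, the private-use type number 65280 and the RDATA bytes are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread.  Emit and check zone-file records in the
# RFC 3597 generic presentation format, which BIND loads for any type number
# (the record is stored and served as opaque RDATA):
#
#     owner TTL CLASS TYPEnnn \# <RDATA length in bytes> <RDATA as hex>
#
# Owner names, TTLs, type numbers and RDATA below are placeholders made up
# for this example.

# rfc3597_rr OWNER TTL TYPENUM HEX  ->  one generic-format record on stdout.
# The length field is computed from the hex, which is the part that goes
# wrong when records are written by hand.
rfc3597_rr() {
    owner=$1 ttl=$2 typenum=$3
    hex=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$hex" in
        *[!0-9A-F]*) echo "rfc3597_rr: RDATA is not hex: $4" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "rfc3597_rr: odd number of hex digits" >&2; return 1
    fi
    case "$typenum" in
        ''|*[!0-9]*) echo "rfc3597_rr: type must be a number" >&2; return 1 ;;
    esac
    if [ "$typenum" -gt 65535 ]; then
        echo "rfc3597_rr: type number out of range" >&2; return 1
    fi
    if [ -z "$hex" ]; then
        # zero-length RDATA is written as "\# 0" with nothing after it
        printf '%s %s IN TYPE%s \\# 0\n' "$owner" "$ttl" "$typenum"
    else
        printf '%s %s IN TYPE%s \\# %s %s\n' "$owner" "$ttl" "$typenum" \
            $(( ${#hex} / 2 )) "$hex"
    fi
}

# rfc3597_check LINE  ->  0 if the declared length matches the hex data,
# 1 otherwise.  This is the consistency check a loader applies; a mismatch
# makes the whole zone fail to load.  Runs in a subshell so "set -f" (no
# globbing while the line is split into fields) does not leak out.
rfc3597_check() (
    set -f
    set -- $1
    if [ $# -lt 6 ] || [ "$5" != '\#' ]; then
        echo "rfc3597_check: not generic format" >&2; return 1
    fi
    declared=$6
    shift 6
    hex=$(printf '%s' "$*" | tr -d ' ')
    case "$hex" in
        *[!0-9A-Fa-f]*) echo "rfc3597_check: RDATA is not hex" >&2; return 1 ;;
    esac
    actual=$(( ${#hex} / 2 ))
    if [ "$declared" -ne "$actual" ]; then
        echo "rfc3597_check: declares $declared bytes, hex holds $actual" >&2
        return 1
    fi
    return 0
)

# Walk-through: a private-use type, and the same A record written both ways
# (RFC 3597 allows the generic form for known types too, so TYPE1 \# 4
# C0000201 loads as "A 192.0.2.1").
main() {
    rfc3597_rr host.example. 3600 65280 '0a00 0001 c001'
    rfc3597_rr www.example.  300  1     c0000201
    printf '%s\n' 'www.example. 300 IN A 192.0.2.1'
    rfc3597_check 'host.example. 3600 IN TYPE65280 \# 4 0A000001' && echo ok
}

main
```

Paste the emitted lines into a zone file and run `named-checkzone` on it before reloading; a length mismatch or a stray non-hex character rejects the zone rather than the one record.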