RPZ wildcard domain passthru not effective in BIND 9.11.21

2020-07-28 Thread My Ocella
Hi all, BIND version: 9.11.21 OS: RHEL 7 Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter- I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2 are local ove

Calculate the size of a DNS record in the cache

2020-07-28 Thread Mik J via bind-users
Hello, My cache is 100MB and I'd like to know how many records can fit inside. I suppose that it depends on the record: isc.org is 7 characters and shorter than http://www.example.com And it probably depends on the type and address. So which size would isc.org A 1.1.1.1 be? I ask my question beca

broken trust chain

2020-07-28 Thread Youssef.FassiFihri
Hi All, I am using Bind as resolver for end users. At various times, bind logs show "broken trust chain" continuously, for about 20mn ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of "DNS success rate KPI" supervised from end users side. then t

RE: broken trust chain

2020-07-28 Thread John W. Blue via bind-users
What version of BIND are you using? John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of youssef.fassifi...@inwi.ma Sent: Tuesday, July 28, 2020 6:10 PM To: bind-users@lists.isc.org Subject: broken trust chain Hi All, I am using Bind as resolver for end users. A

Re: broken trust chain

2020-07-28 Thread Mark Andrews
A network link that is dropping packets can trigger EDNS failures in versions of BIND before 9.13.3. These versions have code to compensate for servers that fail to respond to EDNS queries or fail to respond to EDNS queries with DO=1 or fail to respond to queries with (particular) EDNS options set

nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Brett Delmage
nsupdate works according to updated contents of a dynamic zonefile but dig does not report the added A record. What am I doing stupidly here? BIND version 1:9.16.5-1+ubuntu18.04.1 - both authoritative and local recursive zone config: zone "ottawatch.ca" { type master; f

Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Mark Andrews
Make sure you are using the CORRECT name in the dig query. You used ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca. Also you can delete and add in the same UPDATE operation. Remove the first “send” in nsupdate.script. Also ottawatch.ca has DS records but the zone is not signed. You

Re: nsupdate apparently not working for me. What am I overlooking / doing wrong?

2020-07-28 Thread Brett Delmage
On Wed, 29 Jul 2020, Mark Andrews wrote: Make sure you are using the CORRECT name in the dig query. You used ddns-key.ottawatch.ca instead of ddns-update.ottawatch.ca. Thanks Mark... so tired I didn't see that when staring at it. (Blame grass allergies and terrible heat lately.) Also you