Re: Sites that points their A Record to localhost

2014-01-15 Thread Bill Owens
On Tue, Jan 14, 2014 at 07:55:44PM -0500, Kevin Darcy wrote: > If the domain owner *really* feels that they have to publish *some* > address record for a particular name, but there is no available > service at that name, then the null or "unspecified" address (IPv4 = > 0.0.0.0, IPv6 = ::0) is the a

Re: Disable DNSSEC

2014-01-07 Thread Bill Owens
On Tue, Jan 07, 2014 at 04:34:27PM +, Eric Davis wrote: > Duh...silly mistake...I did a DIG on the NS record..Once the DS record is > removed DNS queries should work fine right? Thanks Bill. Once the DS record is removed from the .edu zone, queriers won't expect your zone to be signed any m

Re: Disable DNSSEC

2014-01-07 Thread Bill Owens
On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote: > So I guess my DS record has the same TTL as my default TTL for my records? > My default is 8 hours, so if I wait 8 hours after I remove the DS from my > parent zone then I should be ok? My parent zone is a TLD(.edu). The DS record i

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Bill Owens
On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote: > Hello; > > Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version -- > bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving > ic.fbi.gov that seems to be DNSSEC related. > > Am fairly certain of this becau

Re: Question about KSK

2012-04-27 Thread Bill Owens
On Fri, Apr 27, 2012 at 08:40:54AM -0400, wbr...@e1b.org wrote: > We are authoritative for a few dozen small zones. Is it possible to use > the same KSK for all of them? I can see where if it gets compromised we > would need to resign all zones using the KSK at once. How much effort > would I

Re: DNSSEC Generating Zone Key hanging

2012-04-21 Thread Bill Owens
On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote: >Hello, >I was setting up BIND DNSSEC and when I issue the following command the >process never finishes. >dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com >I straced the process and noticed the following mes

Re:

2012-03-13 Thread Bill Owens
On Tue, Mar 13, 2012 at 01:42:00PM +, hugo hugoo wrote: > > Thanks for the feedback. > Is this a glue record? I do not have any IP defined in the NS record. No, a glue record is an address record (A or AAAA) for an NS record in the parent zone, to avoid the problem of having the child zone n
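The in-bailiwick rule behind that answer, as an added example (not code from the thread or from BIND): a nameserver whose own name lies inside the zone it serves cannot be looked up without first asking that zone, so the parent must publish its address as glue; a server under some other zone gets NS records only. The zone and server names below are constructed to mirror the thread (titi.toto.be delegated out of toto.be), and the glue-vs-no-glue decision is label-based, not a string suffix match.

```python
# Added example, not from the bind-users thread or BIND: decide which NS
# targets of a delegation need glue in the parent zone. Names are constructed.

def labels(name):
    """Lowercase labels of a DNS name; the trailing dot is optional."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]

def is_subdomain(name, zone):
    """True if name is zone itself or lies below it (label-wise, so
    'xtoto.be' is NOT under 'toto.be' even though it ends with it)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def glue_needed(child_zone, ns_names):
    """Map each NS target to whether the parent must carry an address record
    for it. Only servers named inside the delegated zone need glue; a server
    like ns1.xxx.be serving titi.toto.be is resolved through its own zone."""
    return {ns: is_subdomain(ns, child_zone) for ns in ns_names}

def delegation_records(parent_zone, child_zone, ns_addrs):
    """Render the parent-side records for a delegation: one NS record per
    server plus A/AAAA glue for in-bailiwick servers only.
    ns_addrs maps NS name -> list of IPv4/IPv6 address strings."""
    if labels(child_zone) == labels(parent_zone) or not is_subdomain(child_zone, parent_zone):
        raise ValueError(f"{child_zone} is not a proper subdomain of {parent_zone}")
    records = [f"{child_zone} IN NS {ns}" for ns in ns_addrs]
    needs = glue_needed(child_zone, list(ns_addrs))
    for ns, addrs in ns_addrs.items():
        if needs[ns]:
            for addr in addrs:
                rtype = "AAAA" if ":" in addr else "A"
                records.append(f"{ns} IN {rtype} {addr}")
    return records

if __name__ == "__main__":
    # Constructed delegation: one in-bailiwick server (needs glue), one external.
    for line in delegation_records("toto.be.", "titi.toto.be.",
                                   {"ns.titi.toto.be.": ["192.0.2.1", "2001:db8::1"],
                                    "ns1.xxx.be.": ["192.0.2.2"]}):
        print(line)
```

Run it and the output is the block of records that belongs in the toto.be zone file: two NS records for titi.toto.be and A/AAAA records for ns.titi.toto.be only. Nothing is emitted for ns1.xxx.be, matching the point in the reply that an NS record pointing at an external server carries no IP of its own.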

Re: NS records

2012-03-13 Thread Bill Owens
On Tue, Mar 13, 2012 at 08:26:02AM -0500, Daniel McDonald wrote: > > On 3/13/12 8:20 AM, "hugo hugoo" wrote: > > > ==> do I have to create in zone "toto.be" the following NS record: > > > > titi.toto.be. TTL IN NS ns1.xxx.be > > > > > > I have found cases where th

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Bill Owens
On Wed, Mar 07, 2012 at 03:35:25PM +, Spain, Dr. Jeffry A. wrote: > Please post any additional evidence you may have that would further the > discussion. Thanks. Jeff. There's quite a bit about choosing e in this presentation: http://www.esiea-recherche.eu/Slides09/slides_iAWACS09_Erra-Grenie

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Bill Owens
On Wed, Mar 07, 2012 at 02:43:01PM +, Chris Thompson wrote: > You can see the BE (2^30+3) ones in the DNSKEYs for dlv.isc.org as > well as in a number of our own zones (which says either that the keys > are oldish or that the versions of OpenSSL used are not as up to date > as they probably

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Bill Owens
On Wed, Mar 07, 2012 at 02:43:01PM +, Chris Thompson wrote: > Oh, damn. I have to retract. Or indeed, grovel. It all depends on which > version of OpenSSL it is linked with, not on the code in dnssec-keygen > itself. Older versions do indeed generate 2^30+3, but newer ones 2^32+1. > > You can

Re: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Bill Owens
On Wed, Mar 07, 2012 at 12:13:35PM +, Chris Thompson wrote: > This is wrong (although I have seen the same thing stated in a number > of other places). When the default public exponent was changed from > 3 to 2^16+1 (change 2088) the one selected by -e was changed from > 2^16+1 to 2^30+3 ... *n
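The exponents being debated above (3, 2^16+1, 2^30+3, 2^32+1) can be read straight out of a published DNSKEY, because the RSA public-key field is the RFC 3110 encoding: an exponent length (one byte, or a zero byte followed by a two-byte length), the exponent, then the modulus. The following is an added example, not code from the thread, from BIND or from OpenSSL; the keys it builds are constructed test values with made-up moduli, not real zone keys.

```python
import base64

# Added example, not from the thread, BIND or OpenSSL: decode the RSA
# public-key field of a DNSKEY (RFC 3110 wire format) and report its
# public exponent. Moduli used below are constructed, not real keys.

F4 = 2**16 + 1

def encode_rsa_pubkey(e, n):
    """RFC 3110: exponent length (1 byte, or 0x00 + 2 bytes if >= 256),
    exponent, modulus; returned base64 as it appears in a DNSKEY record."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        prefix = bytes([len(e_bytes)])
    else:
        prefix = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return base64.b64encode(prefix + e_bytes + n_bytes).decode()

def decode_rsa_pubkey(pubkey_b64):
    """Return (e, n) from the base64 public-key field of an RSA DNSKEY."""
    raw = base64.b64decode(pubkey_b64)
    if raw[0] != 0:
        e_len, off = raw[0], 1          # short exponent: one length byte
    else:
        e_len, off = int.from_bytes(raw[1:3], "big"), 3  # long form
    e = int.from_bytes(raw[off:off + e_len], "big")
    n = int.from_bytes(raw[off + e_len:], "big")
    return e, n

def describe_exponent(e):
    """Label the exponents discussed in the thread; others reported by size."""
    known = {3: "3", F4: "2^16+1 (F4)", 2**30 + 3: "2^30+3", 2**32 + 1: "2^32+1"}
    return known.get(e, f"other ({e.bit_length()} bits)")

def inspect_dnskey(pubkey_b64):
    """Summary a zone operator would want: e, its label, modulus size, e odd."""
    e, n = decode_rsa_pubkey(pubkey_b64)
    return {"e": e, "e_label": describe_exponent(e),
            "n_bits": n.bit_length(), "e_odd": e % 2 == 1}

if __name__ == "__main__":
    # Constructed 1024-bit modulus, NOT a real key; only the encoding matters here.
    sample = encode_rsa_pubkey(F4, (1 << 1023) + 12345)
    print(inspect_dnskey(sample))
```

To inspect a live key, paste the last field of a `dig DNSKEY` answer into `inspect_dnskey`. Keys whose exponent is 2^30+3 rather than 2^16+1 or 2^32+1 are, per the thread, a sign of the OpenSSL version the key was generated with, not of anything in dnssec-keygen itself.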

Re: BIND 9.9.0 is now available

2012-03-02 Thread Bill Owens
On Fri, Mar 02, 2012 at 11:13:06AM +0100, Matus UHLAR - fantomas wrote: > On 29.02.12 17:53, Michael McNally wrote: > > NXDOMAIN redirection is now possible. This enables a resolver > > to respond to a client with locally-configured information > > when a query would otherwise have gotten an ans

Re: rndc flush /recursive ?

2012-02-27 Thread Bill Owens
On Mon, Feb 27, 2012 at 02:32:31PM +0100, Stephane Bortzmeyer wrote: > With Unbound, there are two commands to clear the cache, one which > deletes only the records with the exact name and one which is > recursive (deletes everything under the name). > > With BIND, I find only the first one, "rndc

Re: Adding DS record to parent

2012-02-24 Thread Bill Owens
On Fri, Feb 24, 2012 at 10:31:24AM -0500, wbr...@e1b.org wrote: > Does anyone know how to register a DS record for domains registered > through Network Solutions? I submitted a query through their website and > got this response below. I find the copyright on the canned response an > amusing t

Re: dig -- only RRSIG present.

2012-02-12 Thread Bill Owens
On Sun, Feb 12, 2012 at 10:22:22AM -0800, Michael Sinatra wrote: > On 02/12/12 09:40, dE . wrote: > >I'm trying to see DNSSEC response of various sites; my DNS server is > >8.8.8.8 (google's public DNS service) . . . > >As we can see, the DNSKEY and DS RR is missing which's mandatory for > >this t

Re: cannot resolve oppedahl.com from uspto.gov domain

2012-02-03 Thread Bill Owens
On Fri, Feb 03, 2012 at 10:04:19AM -0500, Lear, Karen (Evolver) wrote: > Who would be responsible for opening a trouble report to GoDaddy? I don't > understand exactly what the problem is here. It looks, from the outside, as though the Oppedahl Patent Law Firm LLC uses GoDaddy for DNS registrat

Re: cannot resolve oppedahl.com from uspto.gov domain

2012-02-03 Thread Bill Owens
On Fri, Feb 03, 2012 at 02:12:43PM +, Florian Weimer wrote: > * Bill Owens: > > > On Fri, Feb 03, 2012 at 01:55:12PM +, Florian Weimer wrote: > >> These nameservers: > >> > >> dns2.oppedahl.com. 172800 IN A 208.109.255.50 > >

Re: cannot resolve oppedahl.com from uspto.gov domain

2012-02-03 Thread Bill Owens
On Fri, Feb 03, 2012 at 01:55:12PM +, Florian Weimer wrote: > These nameservers: > > dns2.oppedahl.com. 172800 IN A 208.109.255.50 > dns1.oppedahl.com. 172800 IN A 216.69.185.50 > > return SERVFAIL for EDNS0 queries. COM contains a signed delegation. > This

Re: cannot resolve oppedahl.com from uspto.gov domain

2012-02-03 Thread Bill Owens
On Fri, Feb 03, 2012 at 08:37:04AM -0500, Lear, Karen (Evolver) wrote: > Beginning sometime within the past few days, uspto.gov domain cannot resolve > oppedahl.com domain, but can resolve it from almost everywhere else. Some > free websites (http://centralops.net/co/) cannot resolve it as well.

Re: BIND trying to use IPv6 for recursion

2012-01-13 Thread Bill Owens
On Fri, Jan 13, 2012 at 11:20:39AM -0600, Ian Pilcher wrote: > I am a relative newbie to running BIND in "production". I have recently > set up BIND 9.7 (on CentOS 6.2) as the nameserver for my home network. > I am using Google's public DNS servers (8.8.8.8 and 8.8.4.4 as my > forwarders). > > My

Re: Bind 9.9.0b2 inline signing...

2011-11-28 Thread Bill Owens
On Mon, Nov 28, 2011 at 01:03:15PM -0500, wbr...@e1b.org wrote: > Todd wrote on 11/24/2011 11:29:14 AM: > > > I don't understand why Windows doesn't include dig by default, even > > now. Free software hate? > > And grep and logrotate! At least the GnuWin32 project has a good version > of grep

Re: Port number in A record in zone file

2011-11-17 Thread Bill Owens
On Thu, Nov 17, 2011 at 03:41:54PM +0100, Aleksander Kurczyk wrote: > > Why would you run a dns server on a non standard port? There's no way > > for clients to query via non standard ports. > > I would like to make a experimental configuration simulating a few BIND > servers on one PC (PowerMac

Re: All Bind servers crashed

2011-11-16 Thread Bill Owens
On Wed, Nov 16, 2011 at 07:59:10AM -0600, b...@namor.ca wrote: > On Wed, 16 Nov 2011, Bill Owens wrote: > >This behavior makes me bet that the trigger is a name in an incoming > >email message, being resolved by an anti-spam filter. > > We had the same thing ha

Re: All Bind servers crashed

2011-11-16 Thread Bill Owens
On Wed, Nov 16, 2011 at 09:57:18AM +0100, Stephane Bortzmeyer wrote: > On Wed, Nov 16, 2011 at 09:47:48AM +0100, > Magnus Schmidt wrote > a message of 49 lines which said: > > > Nov 16 05:30:41 xxx named[1326]: critical: query.c:1781: INSIST(! > > dns_rdataset_isassociated(sigrdataset)) failed

Re: DNSSEC and forward zones

2011-11-02 Thread Bill Owens
On Wed, Nov 02, 2011 at 10:02:45AM -0400, wbr...@e1b.org wrote: > But it does provide some alternatives: > > .intranet > .internal > .private > .corp > .home > .lan > > But can we guarantee that they won't be approved as new public TLDs per > the new rules adopted this summer where anything can

Re: DNSSEC and forward zones

2011-11-02 Thread Bill Owens
On Wed, Nov 02, 2011 at 08:45:31AM -0400, wbr...@e1b.org wrote: > Lyle wrote on 11/01/2011 04:19:18 PM: > > > Again, this has a disadvantage if they ever decide to make .internal a > > real internet domain name and some people frown upon this practice. Be > > sure you know what can go wrong. >

Re: zone before delegation?

2011-10-29 Thread Bill Owens
On Fri, Oct 28, 2011 at 05:39:05PM +, Laws, Peter C. wrote: > OK, so simply putting the NS records in the parent zone is sufficient to make > it a separate zone. No need to put stuff in named.conf unless I want to or > until I actually delegate to a different set of nameservers. Actually, t

Re: zone before delegation?

2011-10-28 Thread Bill Owens
On Fri, Oct 28, 2011 at 04:48:10PM +, Laws, Peter C. wrote: > It seems like there are two ways I could delegate a zone. > > I could, in the zone file for the parent, simply list the name of the zone > and a number of NS records to which the zone has been delegated. > > Or, I could create a zo

Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Bill Owens
On Tue, Oct 04, 2011 at 06:31:03PM +, Raymond Drew Walker wrote: > I have been unable to determine the correct method to add a DS record by > hand. The ultimate goal would be the automation of this process. Generate the DS record with dnssec-dsfromkey, cut and paste it into the zone file, the
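What dnssec-dsfromkey produces, and how to check that the DS pasted into the parent really corresponds to the child's DNSKEY, comes down to RFC 4034: the key tag is a 16-bit checksum over the DNSKEY RDATA (Appendix B) and the digest is SHA-1/SHA-256/SHA-384 over the canonical lowercase owner name in wire form followed by that RDATA. The following is an added example, not BIND's code and not from the thread; the DNSKEY material is a constructed byte string, not a real key, so its DS is meaningless except as a demonstration.

```python
import base64
import hashlib
import struct

# Added example, not BIND's dnssec-dsfromkey and not from the thread: compute a
# DS record from a DNSKEY per RFC 4034 and verify a DS line copied from the
# parent zone against it. SAMPLE_PUBKEY below is constructed, not a real key.

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(owner):
    """Canonical wire form of an owner name (RFC 4034 section 6): lowercase,
    length-prefixed labels, terminating zero byte."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag for algorithms other than RSAMD5 (1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_presentation(owner, ds):
    """Zone-file line in the form dnssec-dsfromkey prints (no TTL)."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"

def ds_matches(published_line, owner, flags, protocol, algorithm, pubkey_b64):
    """Check a DS line as copied from the parent (TTL/class optional) against
    the child's DNSKEY. Recomputes with the published digest type."""
    fields = published_line.split()
    tag, alg, dtype = int(fields[-4]), int(fields[-3]), int(fields[-2])
    digest = fields[-1].upper()
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest)

# Constructed key bytes (an RFC 3110-shaped header followed by 1..64); NOT a real key.
SAMPLE_PUBKEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(1, 65))).decode()

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", 257, 3, 8, SAMPLE_PUBKEY)
    line = ds_presentation("example.com.", ds)
    print(line)
    print("matches:", ds_matches(line, "example.com.", 257, 3, 8, SAMPLE_PUBKEY))
```

In practice the inputs to `ds_from_dnskey` are the four fields of the child's KSK as shown by `dig DNSKEY`, and `ds_matches` takes the DS line as it appears in the parent after the cut-and-paste step. A mismatch after a key change is exactly the condition that leaves the zone unvalidatable until the parent is updated.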

Re: DNSSEC not populating parent zone files with DS records

2011-10-01 Thread Bill Owens
On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote: > In our initial implementation of DNSSEC, we chose to try out the "auto" > functionalities in version 9.8.0 P4 ie. using "auto-dnssec maintain" in > all master zones. > > When going live, we found that though all zones that we a

Re: DNSSEC not populating parent zone files with DS records

2011-09-30 Thread Bill Owens
On Fri, Sep 30, 2011 at 08:48:56PM -0400, Jeff Reasoner wrote: > Hmm, I see an A record using the same query: Interesting. . . my validating resolver (also 9.8.1) will only give me an A if I ask with +cd. And if I follow that query with another, without the +cd, I get SERVFAIL; then re-querying

Re: DNSSEC not populating parent zone files with DS records

2011-09-30 Thread Bill Owens
On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote: > In our initial implementation of DNSSEC, we chose to try out the "auto" > functionalities in version 9.8.0 P4 ie. using "auto-dnssec maintain" in > all master zones. > > When going live, we found that though all zones that we a

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Bill Owens
On Thu, Sep 29, 2011 at 04:52:10PM -0500, Michael Graff wrote: > I'm happy you read it, and hope to see you at the forum/customer webinar next > week! I'll be speaking, and will bring my fireproof undies. I'm already signed up, but no worries about flaming - at least not from me ;) > We came to

NXDOMAIN redirection in BIND 9.9

2011-09-29 Thread Bill Owens
I've obviously been asleep and not following along with the announcements of new features in BIND 9.9 until today. . . both Evan's blog post and the announcement of next week's webinar include NXDOMAIN redirection as the

Re: couldn't add command channel 127.0.0.1#54 error

2011-09-07 Thread Bill Owens
On Wed, Sep 07, 2011 at 10:39:30AM -0600, Norman Fournier wrote: > Hello, > > I was running BIND successfully on OS X 10.4 Tiger. That webserver crashed > and I replaced it with a new cpu and installed OS X 10.5 Leopard and have > encountered a number of errors in my configuration. This is the l

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-21 Thread Bill Owens
On Mon, Jul 11, 2011 at 04:06:42PM -0400, Bill Owens wrote: > On Mon, Jul 11, 2011 at 02:11:57PM -0400, Jonathan Kamens wrote: > > The number of DNS queries required for each address lookup requested by > > a client has gone up considerably because of IPV6. The problem is being

Re: AAAA type query invalidates A records in name server cache

2011-07-19 Thread Bill Owens
On Tue, Jul 19, 2011 at 04:58:53PM +0200, mailsecurity wrote: > All, > > anyone experiencing the same behavior? I hope so, because that's the correct behavior. Dell's nameserver is broken: http://tools.ietf.org/html/rfc4074 Common Misbehavior Against DNS Queries for IPv6 Addresses - May 2005 4.2

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Bill Owens
On Mon, Jul 11, 2011 at 04:25:59PM -0400, Jonathan Kamens wrote: > On 7/11/2011 4:06 PM, Bill Owens wrote: > >https://lists.isc.org/pipermail/bind-users/2011-March/083109.html > > in which the first sentence says it all: "The nameservers for > > wikipedia.org ar

Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Bill Owens
On Mon, Jul 11, 2011 at 02:11:57PM -0400, Jonathan Kamens wrote: > The number of DNS queries required for each address lookup requested by > a client has gone up considerably because of IPV6. The problem is being > exacerbated by the fact that many DNS servers on the net don't yet > support IPV6