ACL list we'll call it "trusted".
> We have an allow query statement in the global options to only allow
> queries from IP's in the trusted ACL. However every one of our zone entries
> in the conf file also has an "allow-query { any; }; statement. Doesn't that
> defeat th
"named.ca";
>> };
>>
>> zone "externalzone1.com" IN {
>> type master;
>> file "externalzone1";
>> allow-transfer { key tsigkeyext; };
>>
>> zone "sharedzone.com" IN {
>> type m
other than the master, but renumbering the master without any other
> changes is also moderately trivial as updating the slaves can (and is)
> scripted.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
>
I agree, it i
;
> Thanks in advance!
>
>
>
> --
> View this message in context:
> http://bind-users-forum.2342410.n4.nabble.com/Automatic-DNSSEC-signing-workflow-tp2333.html
> Sent from the Bind-Users forum mailing list archive at Nabble.com.
>
>
I am not using DNSSEC yet, but I would
ugly, but it's straightforward and a whole lot of DNS operators (including
> me) do it.
>
> R's,
> john
>
>
I realize that ANAME seems like a kludge, but if we could make it a
standard, and get the various DNS software (auth, resolvers, and clients)
to understand it, it would solve a
just want to speed up the process. But not recommended.)
--
Bob Harold
> On Wed, Apr 27, 2016 at 11:50 AM, Reindl Harald <h.rei...@thelounge.net>
> wrote:
>
>>
>>
>> Am 27.04.2016 um 17:45 schrieb Matthew Pounsett:
>>
>>> rndc is the command lin
es for faster changes, would you please elaborate ?
>
You are correct, my mistake. Looks like you can only block the client
completely, and not change just one answer for the client, so that will not
work for you.
--
Bob Harold
> On Tue, Apr 26, 2016 at 4:46 PM, Bob Harold <rharo...@um
;
>
>
You might be able to use RPZ to give a list of users a different answer for
certain queries, and that can be dynamically updated quickly, if I
understand it correctly. That might work better than ACLs and views for a
fast-changing list of users.
--
Bob Harold
__
n and
> the slaves non-authoritative?
>
> Thanks again,
>
> -Mathew Eis
>
>
A slave server has a copy of the zone, so it is by definition
"authoritative". I think what you mean by "non-authoritative slave" is
"hidden slave" - not listed in NS rec
could
be spoofed. It's not that I don't trust you, but someone could spoof your
email.
So I am waiting for the new IP to show up in the root zone or some other
trusted place. Has it already been published in some place that can be
verified? (I should have asked
,7,12, and 13 should all
be non-recursive authoritative servers. There should be a separate
resolver.
Looks like the contents of "db.bongo.com" were not fully anonymized.
--
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-u
On Sat, Oct 17, 2015 at 12:48 AM, Woodworth, John R <
john.woodwo...@centurylink.com> wrote:
> > -Original Message-
> > From: Mark Andrews [mailto:ma...@isc.org]
> > Sent: Friday, October 16, 2015 7:08 PM
> > To: Woodworth, John R
> > Cc: 'bind-users@lists.isc.org'
> > Subject: Re: Best
rb5-admin.html#Hostnames-for-KDCs
--- But not sure if the 'port' is actually used, since it can also be
defined in the conf file.
--
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-us
two zone transfers, but the second zone transfer can be between
the two views on the same slave server, and not hit the master server or
the network again.
--
Bob Harold
> You will be able to update both views with one zone transfer after
> upgrading to 9.10 by using the in-view option, but
term) ahead of time (by at least
the current TTL), then the change would reach all users quickly, without
you or anyone else having to do any work. Once everything is verified
working (could wait for the next business day), then the TTL can be changed
back to 'norma
"pool.ntp.org" and hence any other box needs just an IP
> address for doing "ntpdate xx.xx.xx.xx" *before* its own ntpd starts
>
> so you just need to make sure the correct order
>
> * ntpdate xx.xx.xx.xx
> * start ntpd
> * start named
>
> Can I
https://kb.isc.org/article/AA-00296/0/My-slave-server-for-both-an-internal-and-an-external-view-has-both-views-transferred-from-the-same-master-view-how-to-resolve-.html
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
packet size, then I would avoid doing it. Also, it
adds more steps to the process. So it takes a little longer but is a
little less risk. Your choice.
-- Bob Harold
Thanks!
John Murtari – jm5...@att.com
Ciberspring
On Wed, Jul 8, 2015 at 11:55 PM, John Miller johnm...@brandeis.edu wrote:
...
dig @8.8.8.8 trombone.org +showsearch
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 trombone.org +showsearch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,
On Mon, Jun 8, 2015 at 5:38 AM, Anand Buddhdev ana...@ripe.net wrote:
Hi BIND users and developers,
I'm trying to figure out how BIND 9.10.2 refreshes slave zones. I've
looked for this information in the ARM, but can't find it.
Assuming that there are no NOTIFY messages coming in, and it is
config. (Do not
allow 'all', please.)
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
On Wed, Jun 3, 2015 at 3:34 PM, Samad Agha samad.agha2...@gmail.com wrote:
I put together a simple working DNS server and called it new
devices. Routing
protocols can use BFD state to rapidly ( 1 second) withdraw routes in the
event of a failure, without having to wait for a routing protocol timeout
(3 minutes by default for BGP).
Seems to work well.
--
Bob Harold
Jeff,
That only works on the master zone server, without dynamic updates. Any
slave zones or zones with dynamic updates will have problems because the
zone file will be overwritten with one zone each time it is updated.
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology
On Thu, Apr 2, 2015 at 4:05 PM, Jan-Piet Mens jpmens@gmail.com wrote:
2001:67c:2e8:5::c100:c6#53: Transfer completed: 0 messages, 0 records, 0
Is there any logic to this that I'm missing?
s/completed/failed/ on error cannot be particularly difficult to
implement.
-JP
+1
; next} {print $0 named-queries-other}'
(not tested, but have used similar before)
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
On Mon, Mar 9, 2015 at 9:55 PM, Alan Clegg a...@clegg.com wrote:
-BEGIN PGP SIGNED
system update a hidden master DNS server, and
have the DNS server that others see be a slave. Only valid zones will
transfer to the slave.
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
On Tue, Feb 3, 2015 at 8:43 AM, hugo
. I wish the entries had dates, even if just as a comment -
it would be a good log of changes, and I would be able to see how far back
in history the journal went.
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
On Wed, Jan
On Wed, Dec 10, 2014 at 3:36 AM, Matus UHLAR - fantomas uh...@fantomas.sk
wrote:
On 09.12.14 21:36, Frank Bulk wrote:
Perhaps it wasn't NXDOMAIN -- I didn't capture the output. But there
definitely was no answer. The institution only has two authoritative
nameserver entries, both pointing
]/ {print $NF}'
23.24.150.141
$ dig +noall +answer dave.knig.ht in a | awk '/[\t ]A[\t ]/ {print $NF}'
216.235.14.46
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk
On Wed, Oct 22, 2014 at 6:58 PM, LuKreme krem...@kreme.com
/#Supported_DNS_record_types
http://blog.andrewallen.co.uk/2012/06/27/cname-is-out-hello-aname/
(This last one points out a problem with the current implementations - I
think proper support in the DNS protocol would solve this.)
--
Bob Harold
DNS and DHCP
University of Michigan
to filter on just allow-query-on as a complete string.
Has anyone even used that option?
--
Bob Harold
DNS hostmaster
University of Michigan
,
not involved in this.
--
Bob Harold
DNS Hostmaster
University of Michigan
On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald h.rei...@thelounge.net
wrote:
Am 02.07.2014 17:08, schrieb Bob Harold:
I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
allow-query-on { 127.0.0.1
listen-on defaults to all the computer's IPv4 addresses, including the
loopback, so I did not put an explicit listen-on statement. It answers
queries to both the loopback and other addresses.
--
Bob Harold
DNS hostmaster
University of Michigan
On Wed, Jul 2, 2014 at 1:06 PM, Bob McDonald