o with the environment in which you have BIND
installed, or the particular build parameters.
Cheers, Greg
On Mon, 26 Aug 2024 at 07:49, Havard Eidnes wrote:
> >> Hi Håvard.
> >> Have you tried a different browser?
> >
> > Not yet. Will do tomorrow.
>
> Latest Chrom
Firefox.
I can't reproduce your issue, sorry.
Cheers, Greg
On Sun, 25 Aug 2024 at 21:06, Havard Eidnes via bind-users <
bind-users@lists.isc.org> wrote:
> Hi,
>
> I'm mostly running BIND 9.18.x, and have configured statistics
> publishing via
>
> statistics-channe
view selection, I don't know exactly how the code works or how
efficient it is. But certainly I have seen some configs with a lot of views
and they seem to function OK.
What sort of QPS are each of your servers handling?
Cheers, Greg
On Sun, 25 Aug 2024 at 05:27, Grant Taylor via bin
w has its own cache, hence the need
for a lot of RAM.
I would try it out on a lab server first.
Hope that helps.
Cheers, Greg
On Fri, 23 Aug 2024 at 20:43, Carlos Horowicz via bind-users <
bind-users@lists.isc.org> wrote:
> Hello List,
>
> an ISP has brought a case where several cu
nt of that domain to
another resolver that can get the answer for it?
Hope that helps.
Cheers, Greg
On Tue, 20 Aug 2024 at 21:28, John Thurston
wrote:
> We are asked to forward queries for foo.example.com to a set of private
> resolvers. So we have something like this in ou
/bind9/
When you are on current code, see if you need to ask the question again. I
think you won't.
Cheers, Greg
On Mon, 19 Aug 2024 at 09:45, 秋林峻祐 wrote:
>
> ***
> このメールの添
Hi Gabe.
Prefetch still exists; reference here:
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-prefetch
Hope that helps.
Greg
On Tue, 23 Jul 2024 at 17:36, Gabe Loyer wrote:
> In searching for documentation I can only find something for prefetch in
> 9.10,
best to ignore it. We will document this properly!
-n sets the number of event loops. You can tweak this manually if you find that
the autodetected value is not suitable for your environment and usage.
I hope that helps.
Greg
> On 10 Jul 2024, at 15:43, Thomas Hungenberg via bind-us
its files?
- How much RAM does the server have and how much of that is BIND using?
I would recommend reading the ARM section on the journal. The log message
itself comes from "zone.c"
Cheers, Greg
On Mon, 8 Jul 2024 at 12:18, Kees Bakker via bind-users <
bind-users@lists.isc.org>
I have a similar setup, and I do it the way that Greg Choules suggests.
I could probably dig up the exact way I have BIND configured, but the
function is like this:
Clients query the non-AD BIND servers, for *all* queries. For the AD zone,
we use something like this; Our first level domain, lets
t zone.
Compare this with how it's done in the Internet hints file:
. 360 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 360 A 198.41.0.4
A.ROOT-SERVERS.NET. 360 AAAA 2001:503:BA3E::2:30
Hope that helps.
Greg
On Mon, 1 Jul 20
;
> Thanks again
>
> On Fri, 28 Jun 2024 at 13:10, Greg Choules <
> gregchoules+bindus...@googlemail.com> wrote:
>
>> Hi again Renzo.
>>
>> In general, BIND (and other resolvers) make non-recursives (aka
>> iterative) queries to authoritative
ftware.
Cheers, Greg
On Fri, 28 Jun 2024 at 11:58, Renzo Marengo wrote:
> Hi Greg again! :)
>
> > 1) This should help you understand the difference between recursive and
> non-recursive queries.
> I read about recursive and iterative query but I think A.B.C.D server
> shou
s have and only move them
to production when you are certain.
Cheers, Greg
On Fri, 28 Jun 2024 at 07:14, Renzo Marengo wrote:
> Hi greg,
> I thank you again for your suggestions.
>
> >A.B.C.D is the address of this server?
> yes, It's the Bind server
>
> I read severa
ache so that it
doesn't have to make them again for some time.
There are many good books and articles available online to explain the
basics of DNS. The BIND ARM (distributed with BIND and also available
online) is the reference manual for BIND itself.
I hope that helps.
Greg
On Fri, 28 Jun
"?
For a long time (which is why I need to know the version) BIND has had the
Internet root hints built in, so you don't need a hint zone anymore. Unless
you are defining different roots for some reason. Hence why I need to know
the contents of that file.
Thanks, Greg
On Thu, 27 Jun 202
using non-recursive queries - and using that data to construct answers for
its clients.
I hope that helps.
Cheers, Greg
On Thu, 27 Jun 2024 at 12:02, Renzo Marengo wrote:
> I have Active Directory domain ( 'mydomain.it' ) with 8 domain
> controllers to manage 8000 computers. Every Dom
.readthedocs.io/en/latest/reference.html#namedconf-statement-minimal-responses
Cheers, Greg
On Wed, 26 Jun 2024 at 17:55, Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov> wrote:
>
>
> Greg, David,
>
>
>
> Thanks, much easier than what I thought it would be.
>
> I have
is
the same name and its IP is 127.0.0.3, which happens to be another instance
of BIND I have running. Your file would contain the names and IPs of your
internal roots.
In the config, define the hint zone like this:
zone "." {
type hint;
file "db.root";
};
That should be al
better which domains are the problematic ones.
Packet captures are always good for showing exactly what servers send and
what they get back. There's no hiding in Wireshark!
Cheers, Greg
On Wed, 26 Jun 2024 at 07:45, wrote:
> Hello
> Thank you for your response. I have configur
stand what the
problem is first and to do that, gather data (pcaps and logs) that can be
used to paint a picture of what's really happening.
Cheers, Greg
On Tue, 4 Jun 2024 at 13:01, Thomas Barth via bind-users <
bind-users@lists.isc.org> wrote:
> Am 2024-06-04 09:50, schrieb Mat
shot) from
your BIND server showing both client->server and server->forwarder DNS
traffic, crucially capturing the moment this issue occurs.
- dig results from your making test queries.
It may sound like a lot of detail, but the devil... as they say.
Cheers, Greg
On Wed, 29 May 2024 at 21
Odd numbers (9.17, 9.19…) are the development versions. Even numbers (9.18,
9.20 - soon…) are the production versions, based on the odd-numbered version
before.
So 9.18.27 (currently) would be the one to go for.
Cheers, Greg
> On 22 May 2024, at 16:53, Robert Wagner wrote:
>
om. CNAME imap-tcp-service.example.com.
and so on.
Cheers, Greg
On Thu, 16 May 2024 at 11:43, Niall O'Reilly wrote:
> On 14 May 2024, at 15:20, DEMBLANS Mathieu wrote:
>
> A part of the subdomains are managed by us, others subdomains by an other
> entity.
> So we can't
latest
version, which is 9.18.26 (you can see in your screenshot).
I hope that helps.
Greg
> On 28 Apr 2024, at 08:42, Yang <395096...@qq.com> wrote:
>
>
>
> is v.9.18.21 below this reference
>

>
>
>
> Yang
> 395096...@qq.com
>
Hello.
Do you mean 9.18-S1?
> On 28 Apr 2024, at 08:06, Yang via bind-users
> wrote:
>
>
> dear admin:
> now, i use bind-9.18-21, i want to use ecs client subnet function; but i
> don't know how to configure it, and i don't get method from google
> please give me some example,or document
Hi.
In BIND, since 9.11, there is an option/view statement called
"minimal-any", which defaults to "no". That might be what you're after.
Cheers, Greg
On Sat, 20 Apr 2024 at 17:29, Amaury Van Pevenaeyge <
avanpevenae...@outlook.fr> wrote:
> Hello everyone,
validation
will hurt you in future, or maybe even right now. My advice would be to
enable it, look at packet captures, ask questions and understand it, rather
than disable it because you don't think you need it.
Cheers, Greg.
On Sun, 31 Mar 2024 at 08:07, Crist Clark wrote:
> Thanks so
", which requires some
thinking about the intent. Whereas "I would like to permit none" (for me
anyway) is clearer and less ambiguous.
As for why authoritative servers need to make queries at all, please take a
look at this article.
https://kb.isc.org/docs/why-does-my-authoritative-se
y.
You probably also don't need also-notify {192.168.56.157;}; if the
secondary has an NS record in the zones it will be transferring, which it
should.
Hope that helps.
Greg
On Mon, 25 Mar 2024 at 11:34, wrote:
> Hello community,
>
> I'm trying to configure a DNS slave serv
Hi Amaury.
You should be able to do this by defining your own trust anchors. This
should explain what you need:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#trusted-keys-and-managed-keys
Have fun.
Greg
On Sat, 16 Mar 2024 at 13:38, Amaury Van Pevenaeyge <
avanpevenae...@outlook
ers" statement because "
sub.example.com" has been delegated away.
- Do you really want to be forwarding to your hidden primary anyway?
- Why are two different servers both authoritative for
"100.168.192.in-addr.arpa"? That's asking for trouble.
Hope that he
Please don't encourage using "search" in resolv.conf or the Windows
equivalent. Search domains make queries take longer, impose unnecessary
load on resolvers and make diagnosis of issues harder because, when users
say "it doesn't work" you have no idea what it was that didn't work.
I tried using s
2nd $beverage consumed.
I have never liked sortlist since I inherited it 16 years ago in my
previous job.
For me it suffers from at least one fundamental problem:
- If a client, say at location "1", is given a bunch of sorted A records
with the server at location "1" first, what does the client do
r manufacturers are available), match all port 53, set DSCP to an
appropriate value for *your* network and prioritise/police as appropriate
in the core.
Cheers, Greg
On Thu, 29 Feb 2024 at 09:00, Wolfgang Riedel via bind-users <
bind-users@lists.isc.org> wrote:
> Hi Folks,
>
> OK
need.
primaries also-notified {a.b.c.d; e.f.g.h;};
...
zone "example.com" {
type primary;
file "db.example.com";
# apply the primaries list (or lists) to the also-notify statement.
also-notify {also-notified;};
};
I hope that helps.
Cheers, Greg
On Thu, 8 Feb 2024 at 21:55,
+norecurse
dig @172.16.0.254 pc1.reseau1.lan A +norecurse
dig @172.16.0.254 pc1.reseau1.lan +norecurse
Now stop the packet capture on the auth server and send all the information.
The reason for using @ with dig is to eliminate the stub
resolver on pc1 itself.
Thanks, Greg
On Wed, 17 Jan
DER<<- opcode: QUERY, status: NOERROR, id: 2379
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
==
So unless I'm missing something I don't see your problem.
Cheers, Greg
On Mon, 15 Jan 2024 at 15:24, wrote:
>
are running the digs?
- the file "/etc/resolv.conf" on "pc1"
Please also re-send the digs with full output.
When you send information, please send it as text, not screenshots.
Thanks, Greg
On Sun, 14 Jan 2024 at 22:04, Michel Diemer via bind-users <
bind-users@lists.isc.
amed' processes running that they were
not aware of, which *might* cause problems if they are trying to use the
same data files.
Cheers, Greg
On Tue, 19 Dec 2023 at 08:26, wrote:
> I found there was a db.ynu.edu.cn.intranet.jnl beside db.ynu.edu.cn.intranet,
> I tried to remove it, then
neath this
point will be swallowed by the server, e.g. "a.b.c.d.e.f.reseau1.lan" will
all return NXDOMAIN +AA=1
What behaviour do you think you would like to see?
Looking at another part of your config, you should not need this at all:
options {
forwarders {8.8.8.8;};
...
};
If your
I really wouldn't recommend that.
If you have to, create exceptions for domains that won't validate correctly
by using the "validate-except {..." statement.
In parallel with that, encourage people with broken domains to fix them,
which makes life better for all of us.
Cheers,
ith your
own problem.
Cheers, Greg
On Tue, 12 Dec 2023 at 00:48, Blason R wrote:
> Oh I forgot to tell you that. This is BIND RPZ and all the queries are
> recursive.
>
> Dig output just dies out and does not spit anything.
>
> And this specifically i noticed with .gov and .gov.in d
first. I see no reason to
suspect BIND at the moment.
Cheers, Greg
On Mon, 20 Nov 2023 at 17:40, legacyone via bind-users <
bind-users@lists.isc.org> wrote:
> This might show the problem even more on two interfaces WAN side and LAN
> you can see 192.168.53.19 ask for routerp
em is difficult if you only have snippets of information
to work from.
Cheers, Greg
On Mon, 20 Nov 2023 at 13:48, legacyone via bind-users <
bind-users@lists.isc.org> wrote:
> Now its not working fast again! I don't know now must be Teamviewer DNS
> delaying replies causing windows bi
ely. Zones like "
internal-www.example.com", "internal-mail.example.com" and what have you
are fine because they are more specific than the general "example.com",
queries for which will just fall through to the outside world along with any
other name.
That was a bit of
some nicer wording, or any other changes
you think would be beneficial.
Hope that helps.
Cheers, Greg
> On 21 Sep 2023, at 17:22, John Thurston wrote:
>
> I just spent 4 hours* of my life trying to figure out why BIND 9.16
> complained on startup:
>
>
>> rpz '
Hi Prashasti.
I'm on my phone, so I'll keep it brief.
- ditch both 9.8 and 9.11; install 9.18
- why are you forwarding to yourself? 127.0.0.1
- get binary packet captures and look at them in Wireshark to see what's
actually going on.
- real IPs please.
- why use "port xxx"
From the correct mail alias!
On Sat, 16 Sept 2023 at 21:50, Greg Choules
wrote:
> Hi Ged.
> 172.16/12 is not a special case. The whole problem (IMHO) stems from how
> humans have chosen to represent both IP addresses (v4; v6 are different and
> actually a little easier) AND D
Hi.
Although it is technically possible to do reverses on non-octet boundaries
(for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a
complete pita, in my experience. Personally I would not head down that
path. Stick to /8, /16 or /24.
Cheers, Greg
On Sat, 16 Sept 2023 at 09:20, G.W
knows who is responsible for all addresses starting 10.1
or 10.2
Long-winded, I know. But I think it's important to understand your end goal
before configuration.
Cheers, Greg
On Sat, 16 Sept 2023 at 01:16, John Thurston
wrote:
> A host which auto-registers in MS DNS, creates an A in fo
trying to understand just what is the problem.
- How much of 10 do you use?
- What do you mean by "...can be published from two different DNS
services."? Could you expand on that please?
- Is there any zone transfer between BIND and MS DNS?
Thanks, Greg
On Fri, 15 Sept 2023 at 21:00, John Thur
for a couple of
zones you are having trouble with, as examples. Not the whole config.
- "rndc zonestatus ". Use the same zones you chose from above.
Let’s see what we see.
Cheers, Greg
> On 8 Sep 2023, at 01:24, Leroy Tennison via bind-users
> wrote:
>
> Just to clarify,
primary because it
already has the zone file stored locally. Just change the "type", leave the
"file" statement alone and delete (or comment) the "primaries".
Does that help?
Greg
On Thu, 7 Sept 2023 at 19:31, Fred Morris wrote:
> Re-reading the KB article refe
t which a given client will be sent
responses.
It's all in the ARM :) https://bind9.readthedocs.io/en/latest/index.html
Cheers, Greg
On Wed, 30 Aug 2023 at 18:42, Ben Bridges wrote:
> Hi,
>
> Is there a BIND configuration option that would limit the number of
> recursive clien
rally: see below.
DNSSEC validation is on ("auto") by default these days. Please don't turn
it off for everything.
options {
...
validate-except {
incometax.gov.in;
...
};
...
};
Hope this helps.
Greg
On Wed, 30 Aug 2023 at 14:20, Blason R wrote:
> Hi all,
>
> I have bind
You may already have BIND installed; most distros do. If not, it's easy.
You don't *have* to run named, but tools like this (and dig, particularly)
are very useful to have.
Do "which arpaname" to see if you have it already.
Cheers, Greg
On Thu, 24 Aug 2023 at 08:00,
Please raise a beverage of choice and celebrate the 25th birthday of BIND9:
commit 7ee52cc7d195433bb8f55972e2a8ab29668f7bce
Date: Mon Aug 17 22:05:58 1998 +
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software wi
This time from the correct email alias!
On Mon, 17 Jul 2023 at 22:58, Greg Choules
wrote:
> Hi.
> Some observations:
> - Please don't use nslookup. Please use dig, it is much more versatile and
> gives much more information with which to try and interpret what might be
> goi
Real data please:
- example queries (genuine, not invented for illustration)
- real domains
- real IP addresses
- packet captures
- both BIND server configs
- zone file contents
- startup logs
There are so many things it *could* be, the more information the better.
Cheers, Greg
On Sun, 16 Jul
IL.
It looks like your server cannot resolve cadyst.com/A for some reason,
which would explain what gets sent back to the client.
However, it resolves fine for me:
cadyst.com. 908 IN A 146.59.209.152
Maybe you have some other issue with your resolver?
Cheers, Greg
On Wed, 12 Jul 2023 at 09:26, wrote:
r
primary zones in one place (or two for resilience). It makes it easier to
administer and to understand which way data is flowing.
Cheers, Greg
On Thu, 29 Jun 2023 at 16:14, Ubence Quevedo wrote:
> Hi,
>
> Actually, that config was from the primary at 192.168.10.3.
>
> B
"net5.domain.com" {
# 10.32.30.0/24
etc...
zone "net6.domain.com" {
# ?.?.?.?
etc...
"system" has A records in all of these, with the relevant interface address
for the network. Clients lookup the FQDN of interest to them at the time.
This way there is guaranteed no ambig
Note that this requires clients to use FQDNs, which IMHO is a good thing. I
always try to avoid "search" in resolv.conf because it leaves the OS
stub resolver guessing what the user actually wants.
Hope that helps. But as I said, configs please and then *we* don't have to
guess :
Hi Sami.
Let me ask you a question.
How would you define the terms "latency" and "response time"?
Greg
On Tue, 27 Jun 2023 at 17:23, wrote:
> Hello In DNS benchmarking which is more important latency or response
> time? for a DNS server what is the differe
From the correct email alias this time!
On Mon, 19 Jun 2023 at 16:50, Greg Choules
wrote:
> Hi Lee/Sami.
> `break-dnssec yes;` *may* also be needed in some cases. But not here as
> the zone isn't signed anyway.
>
> The reason that "example.com" works but "
Hi Sami.
That's not what I said.
Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
it's not something I would do.
Cheers, Greg
On Mon, 19 Jun 2023 at 12:40, wrote:
> Thank you Greg
>
> So if I understand correctly if we receive a servfail
to be authoritative for "antlauncher.com".
Personally I would live with the SERVFAIL because it tells you that
something is wrong, not just that it doesn't exist. Then try to contact the
people who own this domain and tell them it is broken.
Cheers, Greg
On Mon, 19 Jun 2023 at 10:
es to the server and any
queries the server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.
Hope that helps, Greg
On Mon, 19 Jun 2023 at 09:39, wrote:
> Hello Thank you for your feedback,
> yes it works like tha
You are most welcome, I'm glad you got it running. Now the fun starts! :D
Greg
On Tue, 30 May 2023 at 21:02, Pacific wrote:
> Thank you and to everyone who took the time to respond. Your collective
> input did the trick and I now have bind running successfully through a brew
>
esn't know
what to do with. Either way, it should be fixed.
Hope that helps.
Greg
On Tue, 16 May 2023 at 15:53, Alex wrote:
> Hi,
> I have a bind-9.18.7 system on fedora37 and having some strange errors
> with some queries.
>
> $ host info.apr.gov.rs
> Host info.apr.gov.rs
e /usr/local/sbin/named
/usr/local/sbin/named: Mach-O 64-bit executable x86_64
If you find an executable, do /named -V (uppercase V), which will
print a summary of how it was built.
Similarly /named -C (uppercase) will print the defaults.
Hope this helps.
Greg
On Wed, 10 May 2023 at 05:55, Paci
that helps.
Greg
On Tue, 9 May 2023 at 21:43, Pacific wrote:
> Installing bind9 (9.18.14) on macOS Ventura (13.3.1) — install is not
> creating a namedb directory nor can I find a boilerplate named.conf.
>
> Steps taken:
>
> Downloaded tar directly from isc, saved to a local d
or very little - benefit. Just my
2p.
Cheers, Greg
On Fri, 21 Apr 2023 at 15:41, Jiaming Zhang wrote:
> Hi Greg,
>
> Thanks for the example given. I was trying to digest your answer, it seems
> it would be better to have intermediate subdomain for the purpose. So it
> will be sit
DNSSEC
validation to work internally.
Hope that helps.
Greg
On Wed, 19 Apr 2023 at 18:20, Jiaming Zhang wrote:
> Dear Greg,
>
> That’s what I thought, of each individual zone must have NS record point
> to it. But my point is not hiding NS record (or which server handles it)
>
Hi Håvard
Odd, it works for me. Try a literal copy/paste of the link below. Or go to
https://kb.isc.org and search for packages:
https://kb.isc.org/docs/isc-packages-for-bind-9
Cheers, Greg
On Wed, 19 Apr 2023 at 12:03, Havard Eidnes via bind-users <
bind-users@lists.isc.org>
making queries for NS records normally.
But what if they do? Why does it matter if clients find out the NS names
for the internal zones?
Cheers, Greg
On Tue, 18 Apr 2023 at 13:27, Jiaming Zhang wrote:
> Dear Greg,
>
> I agree using child zones is a better idea, and I'm actually usin
internally with different answers.
Cheers, Greg
On Tue, 18 Apr 2023 at 12:59, Jiaming Zhang wrote:
> Dear Greg,
>
> The initiative was that we have certain records that wish to be view only
> internally and may resolve to private address (e.g. insite A 10.1.1.1).
>
> Kind Regard
iple zones of the
same name but different contents caused me problems daily. I would
recommend having internal zones be proper delegations from external zones.
e.g.:
external "example.com"
internal "internal.example.com"
Cheers, Greg
On Mon, 17 Apr 2023 at 14:41, Jiam
170.141.168.22
QM can't be disabled per destination server, only globally.
I would recommend you contact the NS administrators and inform them they
have a problem. According to the SOA the RNAME is
named-...@wannms.state.tn.us
Cheers, Greg
On Mon, 27 Mar 2023 at 18:54, wrote:
> Hi,
>
Hi Nath.
What have you got on SrvB for biopyrenees.net, or net?
On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the
actual address rather than "localhost") and paste the full result here. I
am interested in flags and the query time right now.
Cheers, Greg
apabilities enabled. 'named' starts as root, but immediately drops to a
lower-privileged user, which can prevent it from discovering new addresses
unless it has the necessary linux-caps.
Cheers, Greg
On Mon, 13 Mar 2023 at 09:16, Serg via bind-users
wrote:
> The problem is I have l
TSIG tsig-key.movie.edu: tsig verify failure
(BADKEY)
I'd take packet captures of both cases and compare them, see what the
differences are.
Hope that helps.
Greg
On Tue, 21 Feb 2023 at 16:06, Patrik.Graser--- via bind-users <
bind-users@lists.isc.org> wrote:
> Hi all
>
>
>
> Due
much RAM as you can afford. That way you minimise the frequency of cache
cleaning, which is an overhead.
Greg
On Wed, 15 Feb 2023 at 19:45, Jan Schaumann via bind-users <
bind-users@lists.isc.org> wrote:
> Greg Choules wrote:
>
> > Since the queries are unique the responses
lt) called "named_dump.db" in named's working
directory. Grep for NXDOMAIN in that file.
Cheers, Greg
On Tue, 14 Feb 2023 at 15:29, Jan Schaumann via bind-users <
bind-users@lists.isc.org> wrote:
> Jan Schaumann via bind-users wrote:
> > Greg Choules wrote:
>
>
sending it any queries at all. Just sit and
watch it, monitor the system and process memory use. etc.
That turned into a bit more than a few! I hope some of that helps a bit.
Cheers, Greg
On Sun, 12 Feb 2023 at 01:14, Jan Schaumann via bind-users <
bind-users@lists.isc.org> wrote:
> Hi,
ctually doing.
I hope that helps, Greg
On Thu, 2 Feb 2023 at 23:43, Bhangui, Sandeep - BLS CTR via bind-users <
bind-users@lists.isc.org> wrote:
> Hi
>
> We are running ISC DNS Bind Version 9.18.10 ( will soon be moving to
> 9.18.11) on our Linux Servers.
>
> DNS resoluti
-F text -o junk.raw.txt junk junk.raw
Is that what you're after? Or is it specifically whether 9.18's
interpretation of "raw" is different to 9.16's? (I don't know at the moment
and I don't have a raw file generated with 9.16 to test it).
Cheers, Greg
On Mon,
done. But if it's
only you looking at them, drop the "x")
- pcaps on a working and the troublesome box (and on the primary) and a
lot of time in Wireshark. There *must* be *something* different going on.
*If* it turns out that 9.18.11 is behaving incorrectly, ISC will wa
esn't need to, just like real users. If you
*want* to see all the Authority and Additional data then add "+norecurse"
to your dig command, which causes it to set RD=0. Your server is then not
being asked to do recursion, so it will just reply with everything (if
anything) it has.
Hope
;"?
- Do Akamai have any knobs you can tweak (I believe they have a customer
web portal for viewing/changing settings?) that would make them behave like
an RFC compliant DNS server?
Cheers, Greg
On Tue, 24 Jan 2023 at 21:17, John Thurston
wrote:
> My "resolvers" running BIND 9
rvers make queries out
to other places? If so, recursion must be enabled.
Secondly, do you have "minimal-responses" configured on either/both
servers? If so, what is it set to? There were changes in 9.16 so maybe
these explain your observations.
Cheers, Greg
On Tue, 24 Jan 2023 at 1
ou see the SERVFAIL and have fun in Wireshark.
If you can afford to put up with the noise, turn debugging up to the max -
rndc trace 99 - and see if anything pops out.
Also, when you say "even with dnssec turned off.." what do you mean,
exactly?
HTH
Greg
On Wed, 18 Jan 2023 at 12:
's not worth worrying about.
Cheers, Greg
On Fri, 13 Jan 2023 at 06:19, Jesus Cea wrote:
> On 13/1/23 7:12, Greg Choules via bind-users wrote:
> > Hi Jesus.
> > No. Zone Transfer always uses TCP. Is it really that much of an overhead
> > for you?
>
> Not now
Hi Jesus.
No. Zone Transfer always uses TCP. Is it really that much of an overhead
for you?
Cheers, Greg
On Fri, 13 Jan 2023 at 05:56, Jesus Cea wrote:
> I have a dns zone with many dns updates per minute. The updates are
> tiny, like 2-3 records, <500 bytes in total.
>
>
Hi Jeff.
Query logging is quite an overhead and very heavy on writing to storage, so
use it sparingly as it can have a detrimental impact on performance. For
any moderately loaded server I would not have it enabled by default.
Cheers, Greg
On Thu, 12 Jan 2023 at 18:22, Jeff Sumner wrote
structure of your config day one. It's a bit like configuring an Ethernet
switch: do I configure VLANs even though (today) it's one flat network?
Hope that helps.
Greg
On Wed, 4 Jan 2023 at 01:15, E R wrote:
> New to BIND and just starting to read the 5th edition from O'Reilly af
Hello.
What exact version of BIND are you running? "named -V" From dig it *looks*
like you are running 9.18.9.
ECS support only exists in the subscription editions of BIND (-S suffix)
and to get that you need to be an eligible ISC support customer.
Thanks, Greg
On Tue, 13 Dec 2022 at
prefix length to whatever has been configured; in this case /24. But
they MUST set the scope prefix length to zero because this field is
intended for use by an ECS enabled authoritative server to signal (in its
response) the prefix to which it applies.
I hope that helps.
Cheers, Greg
On Thu, 8 Dec 2022
short, this example does not help to explain what you are seeing.
Greg
On Thu, 27 Oct 2022 at 13:28, Veronique Lefebure
wrote:
> Well,
>
> So here a bit more details.
> Sorry, I cannot take an example with a DNS server accessible to you (*)
> because they have all been upgraded t