it. Along with fixing the
problem caused by upgrading to 9.9.7-P2 where we had all the zones using
the same file between internal/external views
Which I had kluged a fix by having CFEngine copy from internal to external,
and "if repaired" do an 'rndc reload'
Su
it, it doing signing
of internal first...that way internal servers see the change sooner...
The only thing I haven't grasped is how to make DNSSEC work if my link goes
down.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
with LOPSA Pr
ways work
So, I'm considering trying to separate things again.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
se multiple fields if there isn't space. The fields are
concatenated together with no space to produce the full SPF entry.
e.g. "ab" "cd" -> "abcd"
Mark
I had thought that was the way...what I had forgotten were the parens...
so.... ("ab"
On 2015-08-13 18:47, Reindl Harald wrote:
Am 13.08.2015 um 23:15 schrieb Lawrence K. Chen, P.Eng.:
On 2015-08-10 17:12, Reindl Harald wrote:
well, when you can't say from where you send mail you should refrain from
setup SPF at all
Except there are external forces that demand an SPF
On 2015-08-10 17:12, Reindl Harald wrote:
truncated the long, hard to understand and unrelated stuff
Am 10.08.2015 um 23:49 schrieb Lawrence K. Chen, P.Eng.:
that above is pure nonsense - your DOMAIN has either a strict SPF
policy -
or a testing policy ~ and no mix of both
~ means
On 2015-08-10 16:49, Lawrence K. Chen, P.Eng. wrote:
Though I realize my error not recalling that there is a middle (neutral)
level, and which is more appropriate, since softfail is somewhere between
fail and neutral which is not where I had intended the servers to be.
Went to fix it, only to
On 2015-08-07 22:23, Reindl Harald wrote:
Am 08.08.2015 um 05:13 schrieb Lawrence K. Chen, P.Eng.:
So, when we were with this provider, our SPF had exclusive pool as good,
but included the other pool prefixed with '~'
can we stop that foolish discussion on the named list?
Ho
.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Ad
On 2015-08-07 07:34, wbr...@e1b.org wrote:
> From: "Lawrence K. Chen, P.Eng."
>
>> OTOH, we have caved on adding systems that aren't 'ours'...though how much
>> of
> Office365 is actually 'ours'...but I think we currently ha
On 2015-08-07 10:08, Heiko Richter wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Am 07.08.2015 um 08:52 schrieb Lawrence K. Chen, P.Eng.:
Gjust noticed that about 12 hours ago, the business office
person finally update our KSK with registrar. (where window was
last month
On 2015-08-07 09:50, Heiko Richter wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Am 07.08.2015 um 07:16 schrieb Lawrence K. Chen, P.Eng.:
On 2015-08-06 19:26, Heiko Richter wrote:
Though back then I was still building bind 32-bit, and the
hardware was much slower. A full signing
9.130.254.21 key external;
};
};
};
==========
I think that's what I'm thinking...though been so long since I too break
from monitor that I can barely see now
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr.
email can't be replied to, etc.)
Though the frequency of complaints over this seems to have dropped off
here...though it's summer and most people haven't noticed yet that the new
listserv did not go live on June 1st.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix
g outdated data out of any
resolver's cache.
Hopefully a solution will suddenly appear that can replace the scripts I've
mashed together over the years to do what we do now
I had thought I'd have solution to our current DNS problem in place by
now
--
Who: Lawrence
On 2015-08-06 17:54, Heiko Richter wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Am 07.08.2015 um 00:23 schrieb Lawrence K. Chen, P.Eng.:
On 2015-07-31 06:33, Tony Finch wrote:
Most zones have four authoritative nameservers, only one of
which I manage. Of the three I don't m
named builds...still using 0.9.8zlatest -
avoids figuring what else depended on it...aside from clamav on our virus
filters.) Actually, I wonder if a transition to RSASHA512 on my nameservers
wouldn't be bad my bind builds are 64-bit.
--
Who: Lawrence K. Chen, P.
14-3508 CVE-2014-3511 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
> CVE-2014-3569 CVE-2014-3570 CVE-2014-8275 CVE-2015-0204 CVE-2015-0286
> CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293
> CVE-2015-1789 CVE-2015-1790 CVE-2015-4000)
>
> linked to OpenSSL version: OpenSSL 0.9.7d 17
ually tried to release it twice, somehow I forgot why they wouldn't let
me the first time. They also won't let me remove the company info without
some kind of impossible proof...from the company to allow it. Wasn't until
their request for proof the companies existence that I remem
On 2015-08-04 07:14, /dev/rob0 wrote:
On Mon, Aug 03, 2015 at 10:36:25PM -0500,
Lawrence K. Chen, P.Eng. wrote:
This unfortunately looks like the thread for me to jump on to
I missed installing the last two 9.9...-p# patches, first time I
built everything and was pretty much ready to
were a couple of other interruptions in my upgrading my 20 servers, but
I don't recall what the issue was with those now.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
with LOPSA Professional Recognition.
For: Enterprise Server
n-v4' option. Though
someday they^H^H^H^H^H I might get ipv6 working.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
> Chief Technology Officer
Sure...
dnssec-signzone: error: dns_master_load: oeie.ksu.edu:16: oeie.ksu.edu: CNAME
and other data
dnssec-signzone: fatal: failed loading zone from 'ksu.edu': CNAME and other data
*** Error code 1
heh
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr
On 05/08/14 02:01, Dave Warren wrote:
> On 2014-05-07 15:54, Lawrence K. Chen, P.Eng. wrote:
>
>> Though it was just a minor delay...for them to revert back to the old site,
>> until they migrated their email accounts to the CNAME site as well
>
> You still can
On 05/07/14 23:32, Barry Margolin wrote:
> In article ,
> "Lawrence K. Chen, P.Eng." wrote:
>
>> Oh...I misread the question...guess DNAME isn't what's wanted
>>
>> just the apex to somewhere else
>>
>> Yeah...I curr
it] #8 45bc3e in ??
> daemon.crit] #9 fd7ffef1a49f in ??
> daemon.crit] #10 fffffd7ffeacbfbb in ??
> daemon.crit] exiting (due to assertion failure)
On 05/02/14 23:34, Jeremy C. Reed wrote:
>
>> On 05/02/14 09:23, Jeremy C. Reed wrote:
>>> Only for the built-in Chaos
users keep thinking I can also create aliases to:
https://someCNAME/some/path
I can do http, by bouncing them off a redirector, https is harder (and require
me to pass it over to a WSE.)
On 05/07/14 17:10, Lawrence K. Chen, P.Eng. wrote:
> DNAME ?
>
> On 05/06/14 11:44, Rom, Gloria wrot
stand that our whois record doesn't list our stealth/internal
nameservers...which is why they can't resolve any internal services and need
to track down somebody to give them the 10.x.x.x IP and having their users use
that, etc.
Wonder if they know about the change in forwarding on
Awww...I found messages about version.bind.
On 05/02/14 09:23, Jeremy C. Reed wrote:
> On Thu, 1 May 2014, Lawrence K. Chen, P.Eng. wrote:
>
>> Does compiling in RRL mean its active, even without a rate-limit {}
>> control block?
>
> Only for the built-in Chaos
-limit {
exempt-clients { k-state; };
};
where "k-state" is the same acl used with allow-query {} and allow-recursion {}.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- &
On 04/01/14 19:49, Lawrence K. Chen, P.Eng. wrote:
> Having problems with a particular insecure delegation (most are) from our zone
> file, that is only not working for local users (our caching resolvers running
> BIND 9.9.4-P2 or 9.9.5)
>
> But, everybody else reports its
800: click.mail.nacada.ksu.edu A: can't validate existing
negative responses (no DS)
flushing the cache or restarting doesn't help.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
esponding.
I didn't think to see what the client counts were. Though another time when
the Procera had stopped passing any traffic, the counts did get really high
before they stopped working.
Need to work on figuring out how to have it resolve local domains when
Internet connection is
forward only;
> };
> Forwarding to opendns works, dig +short myip.opendns.com
> <http://myip.opendns.com> returns ip address correctly.
> Forwarding to local doesnt works, dig return nxdomain.
> Commenting zone "." leads to correct work of zone "local"
>>>>
>>>>
>>>> On 3/12/2014 11:07 AM, Peter wrote:
>>>>> Hi guys,
>>>>>
>>>>> I'm doing a virtual internet (internal net) for several VPS's. My
>>>>> goal is to simulate the Internet root se
On 03/12/14 06:50, Tony Finch wrote:
> Lawrence K. Chen, P.Eng. wrote:
>
>> If you have FQDN for machines, the problem might be that the domain
>> isn't set in resolv.conf?
>
> The machines are configured with a bare hostname. If there isn't a search
> or
internally used hostnames, both of which seems unnecessary and
>> possibly dangerous.
>>
>> This doesn't seem like normal or healthy behaviour. What can we do to
>> stop it?
>
> Option 1: put the FQDN in /etc/hostname on each machine.
> Option 2: popula
rules be changed to adhere to the Best Practices
> while not breaking anything and still allowing the servers to do their
> own DNS lookups? I know theoretically how I would do this, but I'm
> looking for others' experiences.
>
> Thanks.
ately...we've had outages due to
mismatches.), but they keep saying some year (since summer 2011) they'll
come up with money to replace them with appliances.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- &
s typing out the added
zone entries completely by hand, instead of the normal copy-paste-modify
way I normally do things.
On 02/26/14 09:42, Phil Mayers wrote:
> On 26/02/14 14:57, Lawrence K. Chen, P.Eng. wrote:
>
>> How can I get an initial transfer of the zone from a stealth master? Or
&
h recursive caching query
resolver that only responds to localhost) I think there are 8 of these
still in existence. They were to be refreshed or eliminated in the near
future ~5 years ago (I did remove one or two from my pseudo-script to
update bind everywhere, last year...)
--
Who
end
>> the update.
>>
>> 2) the zone serial number is updated, even when there is no update to
>> the zone; this causes unnecessary zone transfers.
>>
>> --Barry Finkel
recommendation:
>> The salt SHOULD be at least 64 bits long and unpredictable, so that
>> an attacker cannot anticipate the value of the salt and compute the
>> next set of dictionaries before the zone is published.
> In case it wasn't obvious, I should have noted that the
ck to this KB
article:
https://kb.isc.org/article/AA-00803/0/Why-are-queries-for-some-PTR-records-no-longer-forwarded-since-upgrading-to-BIND-9.9.0.html
Though, from 9.9.4 Release Notes, that's probably addressed by this bug fix:
Fix forwarding for forward only "zones" beneath a
--
Who: Lawrence K. Chen, P.Eng. - W0LKC
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems A
lted in an SSL error. Including the
person that was just following policy
Seemed to me that there are mailservers that reject mail from domains
that claim to be localhost, (or perhaps it's sites like these that result
in some sites rejecting such domains?)
What's p3net.net?
--
On 2013-12-19 14:54, /dev/rob0 wrote:
On Thu, Dec 19, 2013 at 02:48:59PM -0600,
Lawrence K. Chen, P.Eng. wrote:
Got reports that users are unable to send mail to usda.gov
sites using our campus SMTP server (where we have usda.gov
sites on campus.)
The users have said they were able to send
USDA lab here.
Would this be an error of no glue for ns1.usda.gov/ns2.usda.gov?
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
and suggestions first. Specifically, I
> suppose that whatever work that is done should be compatible with
> the DocBook source and other BIND9-ARM formats.
We'd certainly be glad to have help with it.
hehe, oops, I guess I'm committed now :)
--
Who: Lawrence K. Chen, P
On 2013-11-18 17:57, Lawrence K. Chen, P.Eng. wrote:
On 2013-11-14 17:04, Mark Andrews wrote:
In message
M>, vinny_abe...@dell.com writes:
Hi Everyone,
I recently had a recursive server running BIND 9.9.4 on FreeBSD 9.2
appear to wedge and stop responding to clients. I had a flurry of th
ACK_PERMIT)
named 1276 bind 23uIPv4 0xfe00a75223d0 0t0TCP
localhost:rndc (LISTEN QR=0 QS=0
SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=128,RCVBUF=524288,REUSEADDR,SNDBUF=524288
SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
FWIW, the only socket with QLIM=16 on my syste
Well, drifting away from bind now
- Original Message -
>
> FWIW, you could also add -4 to ntpd args or use -4 prefix in
> ntpd.conf.
>
I was positive that I had that set...but I see now that somebody had made our
cfengine system force different options on ntpd, which doesn't inclu
system bind, so I'll have to switch to using ports.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
- Original Message -
> On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. <
> lkc...@ksu.edu > wrote:
> > > So, can I just remove the Revoke line (is there an option in
> > > dnssec-settime to do this?) and have things fixed...
> >
>
- Original Message -
> So, can I just remove the Revoke line (is there an option in
> dnssec-settime to do this?) and have things fixed...
guess dnssec-settime -A none -R none will remove it...but guessing there's
more to fixing my current mess?
--
Who: Lawrence K.
- Original Message -
> Lawrence K. Chen, P.Eng. wrote:
> >
> > And, the prior ZSK was 14565
> >
> > ; This is a zone-signing key, keyid 14565, for ksu.edu.
> > ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
> > ; Publish: 20130601090007 (S
- Original Message -
> On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt < e...@isc.org > wrote:
> > The revoke bit has no defined meaning for a ZSK.
>
> While it's true the revoke bit really has no use for a true ZSK
> (i.e., a key where there's another key, a KSK, that is used to
> authentica
e
Kk-state.edu.+008+43119.key Kk-state.edu.+008+43119.private
Kk-state.edu.+008+52261.key Kk-state.edu.+008+52261.private
The prior ZSK was 43119
None of the Alg 7 keys have these IDs as well.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enter
- Original Message -
> On 1 August 2013 18:58, Lawrence K. Chen, P.Eng.
> wrote:
> > Did I miss something... what does ICMP ping have anything to do
> > with bind?
>
> Yes, you missed the actual question. The use of the word 'ping' is a
> misnomer,
- Original Message -
> > Post your *full* config not half of it. How the hell do you expect
> > people to identify problems unless you give them the necessary
> > details.
> >
> > Do you give your car mechanic only access to the boot when you have
> > an engine problem?
> >
> > You said y
re
working on a wildcard cert now as there are now more than two external
resources requiring SSL. And, that somebody that knows the cost of incommon
certs has started working for them
9.9.3 also marks the switch to compiling it 64-bit instead of 32-bit for
Solaris.
--
Who: Law
e 10.0.x.1 IPs are the addresses of the masters.
> On Tue, Jul 30, 2013 at 4:43 PM, Lawrence K. Chen, P.Eng. <
> lkc...@ksu.edu > wrote:
> > > I think that's what you asked for. In case I misunderstood,
> > > here's
> > > a
> > > zone entry
- Original Message -
> I think that's what you asked for. In case I misunderstood, here's a
> zone entry from the slave's named.conf (this immediately follows the
> options block in my first email:
> zone " example.com " {
> type slave;
> file "/var/named/slaves/example.com.db";
> masters
file has changed, do rndc reload....)
Wonder what I'll have when we scrap some 400+ Solaris servers ... by year end?
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommun
- Original Message -
> I have just set up DNSSEC on bind 9.9.3. I had set up the zone and
> put a DS record out at the registrar. Several days later I found
> that I had set up the keys incorrectly using only NSEC versus NSEC3
> so i changed the keys. I deleted the old keys and DS reco
to fbi.gov that returns a
> > record
> > will be okay, anything that doesn't will end up with a SERVFAIL.
> >
> > Bill.
> >
>
> Thanks for the replies, all. Am trying to find a hostmaster contact
> at
> fbi.gov to make them aware.
>
> I
ote:
> >
> > > Getnameinfo and gethostbyaddr are supposed to lookup the
> > > in-addr.arpa records instead of ip6.arpa records for mapped
> > > addresses. If you only have a limited range of addresses one
> > > could use $generate to add cname records
>
get people to upgrade from these old forgotten servers.
Is there an easy way for me to provide reverse lookups for those?
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunicat
Oops, images were too big...here's links.
- Original Message -
> >> All very interesting, but I'm afraid at my level of expertise on
> >> DNS, I'm
> >> not following. If I'm broken, how do I attempt to fix? Someone
> >> mentioned
> >> that our ns1.starionhost.net was not authoritative.
ginal Message -
>
>
> 192.168.0.101 is in the non-routeable address block
>
>
> https://en.wikipedia.org/wiki/Private_network
>
>
>
>
> On Sat, Jun 22, 2013 at 2:00 PM, Lawrence K. Chen, P.Eng. <
> lkc...@ksu.edu > wrote:
>
>
> None of
None of what you've described seems to have anything to do with bind
But, if you are running bind... there are a number of ways that you could have
bind return the internal IP to internal users, and return the external IP to
everybody else. Can even do this if your internal DNS server is no
;m doing,
> > >but
> > >I just don't see it.
> > >
> > >Any suggestions would be appreciated.
> > >
> > > thank you,
> > >
> > > Brian
> > >
> > >---
>
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZon
e used for specific applications rather
than for everything coming
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 1
--
Who
- Original Message -
> Dear All,
>
> I was just thinking whether it is possible to have a some type of
> health checking of servers through BIND DNS Server and DNS Server
> should replied to clients based on that only.
>
>
>
> i.e., Suppose I have two entries of www record for domain
1 has DNS DDoS protections, but our current platform
is limited to 10.2.4 and we only have LTM.
Though if I did put the BigIP in front, would the DDoS traffic towards the
nameserver VIPs, impact other services on the BigIP?
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrat
omplaints
> before that.
>
> It appears to build with 'cc' if OpenSSL is disabled, which disables
> DNSSEC (OK for now as we don't use it, yet).
>
> Thanks,
> Mike
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Serve
ecords, and
> the
> students configure properly)
>
> This is the approach my girlfriend used with a WordPress course she
> taught since one of the goals was to allow students to experiment and
> play from home and it worked well, but it would just as well with NS
> delegations.
That's kind of how we do our DR...
I have things scripted so that every update to our zone, results two versions
of the zone file...the master server signs the first one and does its usual
notifies, then the master signs the second and its scp'd to secondaries in
another network.
In the event
l can't
> perform Internet lookups.
> Thanks for any help,
> Jeremy
- Original Message -
> > From: "Lawrence K. Chen, P.Eng."
>
> > So does rate limiting cover when the attacker walks my DNS zone to
> > attack an IP?
>
> that depends on what is meant by "rate limiting" and "walking a DNS
> zo
's)
To something all FreeBSD based.
In the meantime...I'm debating the impact of setting minimal responses on my
authoritative-only nameservers. 4 of the Solaris10-x64 servers are my
authoritative only nameservers... and one is my stealth master.
--
Who: Lawrence K. Chen, P
hadn't come up before. Suppose it's something that 9.9.2-P2 does now...that
9.9.2-P1 didn't? Though checkzone is something we have turned off and don't do
regularly, because there's a lot of stuff in our zone file it doesn't
like...like underscores in host names. Or no cl
assume that's the problem now...or is there something else on my end that I
should be looking at?
Meanwhile...if things do start working...the 'host.foo.example.com' that
started this problem will resolve to a 10.b.c.d address. Which is another
problem I've been tryin
- Original Message -
>
> In our case it would be impossible for the University's public web
> presence and the AD domain controllers to be the same machines. It
> is
> conceivable that we could do some magic in load balancers to divide
> traffic appropriately, but I'd rather not do that
- Original Message -
>
> On Apr 5, 2013, at 3:48 PM, wbr...@e1b.org wrote:
>
> >>> Incidentally, we have just been asked for an A record for
> >>> cam.ac.uk to
> >>> duplicate www.cam.ac.uk because, and I quote, "all the publicity
> > material
> >>> sent out by the nominator [for an awa
- Original Message -
> > From: "Lawrence K. Chen, P.Eng."
>
> > ... So, being able to filter out these 'bad' things when responding
> > queries against that data might be a good thing.
>
> RPZ might be used for such things. However, by
a correct from
address would still work. (sure I've told people they need to do this lots of
times...but then an important app was upgraded and the setting lostbut it
needed to work anyways.)
Though there were some issues the stub, that were helped by upgrading to bind
9.9 wildcards and
- Original Message -
>
> In message <22783305.318587.1364508740276.javamail.r...@k-state.edu>,
> "Lawrence
> K. Chen, P.Eng." writes:
> > Hmmm, I forget just what all I muttered when I upgraded from 9.7 to
> > 9.9.2-P1.
> > I think the
nt to remove the old slave zone files,
> either
> before upgrading (to avoid upsetting named) or afterwards (to keep
> things
> tidy).
>
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Sn
> [...]
> >;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> this is clearly a cached answer (aa flag is missing). How did you
> come to
> the conclusion that caching does not work?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.f
engineering has most of the engineering related
3rd level domains). So, my authoritative servers are only slaves and possibly
the only ones that can be reached from the outside. So, being able to filter
out these 'bad' things when responding queries against that data might be a
goo
.x IPs with local caching DNS
servers configured to forward only to a pair of caching DNS servers with public
IPs.
So, how would I make forwarding not prevent resolution? Or can I get bind to
try both IPs in trying to do queries?
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems
1 - 100 of 108 matches