Folks,
This has been a real mystery and haven't been able to find a good
explanation for the behavior. For a simple example I have two views setup and I
want to differentiate access based on queries originating from 127.0.0.1.
In my FIRST ATTEMPT I just negated the IP address, b
Folks,
Our normal procedure when changing the IP address of a TLD name
server is to get the new server responding properly and then update the glue
records with the Registrar to reflect the new address, normally 1-2 days apart
for two nameservers. We monitor query traffic on e
Tony,
Didn't see this mentioned in the other thread messages, but depending
on what version of BIND you are using you may find a lot of benefit in using
the Response Rate Limiting (RRL) feature.
https://www.isc.org/blogs/bind-9-9-4-released/
We have found it to be VERY effective
-Original Message-
From: Harshith Mulky
To: "bind-users@lists.isc.org"
Subject: What is the use of having a chroot path during installation
of Bind
When installing bind, the following 2 are installed
bind-9.8.2-0.17.rc1.el6.x86_64
bind-chroot-9.8.2-0.17.rc1.el6.x86_64
What is t
--- Original Msg -
From: "RunxiaWan"
Subject: Problem in Performance test
Hi all,
I am doing performance test for my company's resolver with BIND 9.10.3 and
find something weird. The test client and resolver are in the same LAN. When
I use a small set of domain as an input with a 1 pe
Folks,
Had to do some testing where we wanted our own insulated fake
root environment. We wanted to start from simulated root name servers. I was
surprised I couldn't find a complete example even after some extensive searches.
The concepts are easy, but the devil
--- Original msg
On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote:
> Folks,
> Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start
> from simulated root name servers. I was
Folks,
Just trying to settle a question on BIND based resolver
operation. When given multiple authoritative servers for a zone, does it
optimize selection based on auth server response times? For example:
---
I'm located in Sydney, Australia and my ISP has a
Folks,
Never has so little been said by so many? The OP asked:
==
man pages for named.conf says "max-ncache-ttl " and only talks about
default values and max values - no mention of minimum-value.
Does "max-ncache-ttl 0;" mean never cache negative queries (queries resulting
Folks,
Recently been looking at servers that host almost 200K ARPA
zones and load about 80 million resource records. They run on good hardware
and take only a few minutes to load the zones on a clean start. The issue is
memory utilization of about 23 Gig in RAM.
Folks,
From some lab testing it appears the answer to the above
question is NO but hope springs eternal!
We'd like to limit RAM usage by BIND (9.9.8/RHEL) on some
authoritative test servers. A load of configured zones would require over 10
Gig of RAM, but t
Blr,
We do run RRL on some of our servers, example option clause below that
activates the feature. Two suggestions:
1. You mention you 'inherited' the server and looked at /etc/named.conf --
verify that it is not running chroot to another directory and using another
config file (I kn
Folks,
God only knows, the DDOS hackers are probably on this
list but I have to ask what protections DYN had in place before the attack
occurred. RRL has been promoted as some protection against these types of
attacks. If they had it in place, did it help or was the pure vol
Folks,
Saw something in a previous posting that should be corrected:
> The sticking point seems to be that most DNS providers don't allow zone
> transfers from
> their servers The customers of Dyn are in the same situation.
Actually from personal experience just a few day
Eric,
Thanks for the complete example below, but I'm not sure what you are
trying to solve?
It looks like the netregistry.net servers don't have zone data loaded
even though they are supposed to be authoritative. Your best bet would be to
contact them and point out it appears s
Folks at ISC,
> I agree, there are an awful lot of systems and SIEM products that process
> querylogs. This one change will require a huge amount of re-engineering
> work in customer environments.
You know we love you and the work you do! But changing that log format
was really a ba
> We may move it to the end of the log message (bugs ticket #44606 has
> been created for looking at it). Maybe its location was poor.. please
> can everyone who participated in this thread say whether having it at
> the end will be ok?
It's really only for code debug. I'd say give the admin a me
> From: Warren Kumari [mailto:war...@kumari.net]
> Customer: "My BIND went Boom! It's been running fine for many years,
> and then for no reason at all it went Boom. Here are my log files..."
> ISC: "Doh. Sorry. Unfortunately the log file doesn't have sufficient
> debug info. Can you please turn o
Johannes,
Noted your message below. I might suggest you check out the 'views'
feature of BIND. You may find it a lot easier to setup/manage. Some starting
info:
https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
Best regards!
John
Folks,
Recently had an issue with someone who wanted this for a TXT
record:
murt2 IN TXT "path=\";
Now, not sure why they wanted it - maybe the root directory in
Windows??? But anyway, BIND does not like it.
zone example.com/IN: loading from master file db.ex
Stuart,
You didn't mention what OS you are using, I assume some version of
Linux. What you are seeing may not be a BIND limit, but the OS. One thing we
noted with Redhat is that the kernel just couldn't keep up with the inbound UDP
packets (queue overflow). The kernel does keep a co
Folks,
We'd had a discussion back in February (Bind query log format)
about the perils of changes to the log formats.
Just got bit by an earlier change used for logging notify
messages. Had to run some regression tests. Looks like it occurred between
9.9.8 an
Folks,
Was in the middle of reading some list articles and Firefox
locked me out with the message below:
Your connection is not secure
The owner of lists.isc.org has configured their website improperly. To protect
your information from being stolen, Firefox has not connected to
Folks,
Came across usage of a keyid as an address list in an
allow-transfer option on an older server site. Didn't really know that was
legal. It seemed an easier way to allow zone transfers without constantly
updating a list of IP addresses on a master server. The only trouble
Folks,
Thinking of using Ansible to help with standardized bind installations & auto
setup. Searched the list Archives/ISC website and didn't see much. Found a
variety of Ansible roles/playbooks on Google, but nothing seemed to be the
clear preferred favorite? Any recommendations are wel
> Ansible's template module is what you'd probably use for #1, the service
> module (with handlers) for #2, and #3 comes out of the box when you use
> Ansible.
> While you might find existing roles and playbooks on the internets, I would
> strongly recommend to vet them carefully in a test en
Folks, let me add my desire for a quick download dig supporting DoH. It could
really help with some testing, some ready stuff for Ubuntu 18/20,
Redhat/CentOS, could make a lot of people happy. Maybe the libs included and
we set the LD_LIBRARY_PATH, or a 'static' link?
It only takes a 'few
. Please do not feel
obligated to reply outside your normal working hours.
On 6. 7. 2021, at 14:44, MURTARI, JOHN wrote:
Folks, let me add my desire for a quick download dig supporting DoH. It could
really help with some testing, some ready stuff for Ubuntu 18/20,
Redhat/CentOS, could ma
28 matches