Re: id.server on 9.18.24

2024-02-14 Thread Marco Davids (SIDN) via bind-users
Solved by adding 'server-id' to named.conf.options. Thank you Petr Špaček for the suggestion. Op 14/02/2024 om 10:23 schreef Marco Davids (SIDN): I have upgraded two servers to 9.18.24 and the funny thing is that on one server id.servers works well: ;; ANSWER SECTION: id.server

id.server on 9.18.24

2024-02-14 Thread Marco Davids (SIDN) via bind-users
CH NS id.server. Other queries, like authors.bind, hostname.bind, version.bind, seem to work fine. -- Marco Davids Research Engineer SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM T +31 (0)26 352 55 00 | www.sidnlabs.nl | Twitter: @marcodavids https://mastodo

feature request for improving named-compilezone

2024-01-18 Thread Marco Davids (SIDN) via bind-users
Hi, How hard would it be to let named-compilezone keep any remarks that are present in the source file? Because now it strips them and that is problematic. -- Marco OpenPGP_signature.asc Description: OpenPGP digital signature -- Visit https://lists.isc.org/mailman/listinfo/bind-users to un

Re: Intent and implementation of dig's +crypto option

2023-09-22 Thread Marco Davids (SIDN) via bind-users
+multi -t It serves me well, mostly. Sometimes it bites me as well. In general I'm happy with it. Best regards, -- Marco Davids Research Engineer SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM T +31 (0)26 352 55 00 | www.sidnlabs.nl | Twitter: @marcodavids https://masto

DoH GET not working for me

2022-08-16 Thread Marco Davids (SIDN) via bind-users
So, I was trying to enforce a GET with DiG 9.18.1, but according to the pcap it is still a POST. I did this: dig +http-plain-get @doh.example.nl TXT example.com What am I doing wrong? -- Marco smime.p7s Description: S/MIME-cryptografische ondertekening -- Visit https://lists.isc.org/mailma

BIND9.18.4 won't compile on my Ubuntu 18.04

2022-06-17 Thread Marco Davids (SIDN) via bind-users
It stops with messages such as: ../../bin/delv/delv.rst:109:unknown option: +root Is this a known issue already? It compiled fine on a newer Ubuntu 22.04. -- Marco OpenPGP_signature Description: OpenPGP digital signature -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubsc

Re: Proper Way to Configure a Domain which never sends emails

2019-08-20 Thread Marco Davids via bind-users
A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful. -- Marco On 19/08/2019 23:31, Kevin Darcy wrote: > [ Classification Level: PUBLIC ] > > MXes are for *receiving* mail of course. The request is about *sending* > mail. > > Setting the SPF record to "-all" is probably about the b

make AAAA type the default for dig

2017-06-14 Thread Marco Davids (SIDN)
Hi, Not sure if this has been proposed before, but I am wondering: Has ISC ever considered to change the default 'dig -t' option from A to ? -- Marco signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/

Re: DNAME + DNSSEC

2016-10-20 Thread Marco Davids (SIDN)
On 20/10/2016 14:41, Marco Davids (SIDN) wrote: > For testing-purposes I tried to simulate the situation in sidnlabs.nl: > > dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.sidnlabs.nl ERROR! That should be: dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.dname.si

DNAME + DNSSEC

2016-10-20 Thread Marco Davids (SIDN)
Hi, I noticed some inconsistent behavior in a particular setup where a DNAME is involved and I am trying to figure out who is right and who is wrong. Players involved on the resolving side are: Google Public DNS (resolves without an error) BIND (often results in a timeout and a log-rule saying:

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Marco Davids (SIDN)
On 07/08/15 02:03, Charles Swiger wrote: >> So ISC: please fix your list servers, let them rewrite the From headers! > > How would this help? Changing the From header breaks your domain's DKIM > signing; are you asking them to take ownership of your messages and then DKIM > sign > them on beha

DNSSE logging and parsing it

2015-03-05 Thread Marco Davids (SIDN)
Hi, What would be a good way to configure BIND-logging, or rather to filter DNSSEC-validation errors from that logging? Unbound logs stuff like this: Mar 5 12:58:47 xs unbound: [16331:0] info: validation failure : No DNSKEY record from 203.0.113.5 for key example.nl.nl. while building chain o

Re: DNS weirdness

2015-01-06 Thread Marco Davids (SIDN)
Darcy Kevin (FCA) schreef op 06-01-15 om 19:56: > This nameserver is forwarding to 208.67.222.222 and 208.67.220.220. Are those > valid and working? OpenDNS, right? -- Marco smime.p7s Description: S/MIME-cryptografische ondertekening ___ Please vi

Re: localhoast A record?

2014-03-21 Thread Marco Davids (SIDN)
On 21-03-14 14:03, Casey Deccio wrote: > I've adopted a number of zones and most of them contain "localhost in > a 127.0.0.1" records. I'm curious what current RFC standards state and > what the community considers best practice. > I would take a look at the query logs for the zones

Re: Sporadic but noticable SERVFAILs in specific nodes of an anycast resolving farm running BIND

2014-03-05 Thread Marco Davids (SIDN)
On 05/03/14 15:15, Klaus Darilion wrote: > Does it only happen for IPv6 DNS requests? Maybe it is related to this: > https://open.nlnetlabs.nl/pipermail/nsd-users/2014-January/001783.html Or, less likely, this: http://marc.info/?l=linux-netdev&m=139352943109400&w=2 -- Marco ___

Who is right?

2013-09-06 Thread Marco Davids (SIDN)
dig ANY example.org @.. Google Public DNS: -- returns DS: no BIND 9.9.3-P2: -- returns DS: yes Unbound 1.4.20: --- returns DS: no Personally I don't care much, but perhaps someone on this list has a strong opinion about these differences that I should

Re: Configuring DNSSEC for child domains

2013-05-06 Thread Marco Davids (SIDN)
Hi Jaap, On 05/06/13 16:09, Jaap Winius wrote: > 2.) http://dnsviz.net/d/zuid.dapadam.nl/dnssec/ > > This shows two DS records in the parent zone, one not secure and one > bogus, and three DNSKEY records in the child zone, none of which are > secure. Perhaps you could remove ns[12].transip

Dig 9.9.1 AD-bit

2012-08-02 Thread Marco Davids (SIDN)
Hi, Dig 9.9.1 is setting the AD-bit in queries by default. Does anyone know why? Took me a while to figure out, among other things because Wireshark has a little bug that prevents the AD-bit being shown in queries. (reported as bug 2472 and 7555 on https://bugs.wireshark.org/bugzilla/) Thanks.

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
On 03-07-12 18:08, Evan Hunt wrote: >> I also find it a bit strange that BIND decides to go for NSEC, even when >> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1). > > There's no difference between algorithm 7 and algorithm 5 (RSASHA1). > The use of a new algorithm number for a pre

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
Phil, On 03/07/12 10:27, Phil Mayers wrote: > On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote: > >> I also find it a bit strange that BIND decides to go for NSEC, even when >> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1). >> > AS I understand i

Re: NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

2012-03-07 Thread Marco Davids (SIDN)
Hi, It is not possible to configure NSEC3 as a default in named.conf (on a per zone basis), is it? I would welcome such a feature. I also find it a bit strange that BIND decides to go for NSEC, even when the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1). Thanks. -- Marco On 03/0

Re: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Marco Davids
Hello Gaurav, You might want to have a look at our whitepaper on 'authenticated denial of existence' to gain better understanding of this somewhat complicated aspect of the DNSSEC specification: https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf Regards, -- Marco On 02/14/20

Re: AW: ipv6 PTR in zone file

2011-04-12 Thread Marco Davids (SIDN)
On 04/12/11 11:49, Michel de Nostredame wrote: >>> you could use ipv6calc (ftp://ftp.bieringer.de/pub/linux/ipv6/ipv6calc) to >>> calculate the reverse strings. >> Yes. >> Or do it 'the BIND way': >> dig -x 2001:7b8:c05::80:1 | grep ip6.arpa | tail -1 | awk '{print $1}' > Beside them, is any p

Re: AW: ipv6 PTR in zone file

2011-04-12 Thread Marco Davids (SIDN)
On 04/12/11 10:50, walter.jontofs...@t-systems.com wrote: > you could use ipv6calc (ftp://ftp.bieringer.de/pub/linux/ipv6/ipv6calc) to > calculate the reverse strings. Yes. Or do it 'the BIND way': dig -x 2001:7b8:c05::80:1 | grep ip6.arpa | tail -1 | awk '{print $1}' -- Marco > Im Auftrag

Re: Bind 9.8 with dlz and dnssec

2011-03-10 Thread Marco Davids (SIDN)
Op 10-03-11 18:26, Christian Laursen schreef: > On 03/10/11 17:05, Evan Hunt wrote: >> and hadn't even given any thought to to the problem of supporting DNSSEC, >> but we can add those features to the roadmap as well if there's user demand. > > I just want to throw my vote for having DLZ support

Re: ad flag for RRSIG queries

2010-07-14 Thread Marco Davids (SIDN)
On 07/14/10 00:43, Doug Barton wrote: Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org >>> >> I use BIND 9.7.0rc1, configured to work with the IANA testbed. > I'd be interested to see what happens if you upgrade to the latest

Re: ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
On 07/13/10 23:58, Doug Barton wrote: >> Can anyone explain to me why the 'ad'-flag is set for this query? >> >> dig +dnssec -t RRSIG www.forfunsec.org > > I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What > version of BIND are you using? > Hi Doug, I use BIND 9.7.0rc1,

ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
Hi, Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org How does a validating resolver determine that such an answer is secure? Thank you. -- Marco Davids ___ bind-users mailing list

Re: bind multi-threaded question

2010-04-28 Thread Marco Davids (SIDN)
7;proc'-directory in your chroot jail. Something like: mkdir /chroot/bind/proc mount --bind /proc /chroot/bind/proc and then in your /etc/fstab add something like this: /proc /chroot/bind/proc none bind,ro 0 0 Regards, -- Marco Davids Technical Advisor SIDN __

Strange issue - please enlighten me

2010-02-19 Thread Marco Davids (SIDN)
while BIND 9.7.x returns a SERVFAIL. dig +trace www.airfrance.fr works as expected. logging says: lame-servers: info: lame server resolving 'www.airfrance.fr' (in 'www.airfrance.fr'?): 193.57.219.253#53 Thank you. Regards, -- Marco Davids ___

Re: multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
On 12-23-2009 15:33, Marco Davids wrote: >>> It seems as if my 'dnssec-signzone' runs on one CPU-core only, where as >>> I would have expected it to run on all four. >> >> dnssec-signzone first does a lot of preprocessing on one core, before >> it f

Re: multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
Op 23-12-2009 15:14, schreef Paul Wouters: > On Wed, 23 Dec 2009, Marco Davids wrote: > >> It seems as if my 'dnssec-signzone' runs on one CPU-core only, where as >> I would have expected it to run on all four. > > dnssec-signzone first does a lot of prep

multithreading for dnssec-signzone

2009-12-23 Thread Marco Davids
I tried 'configure' with and without '--enable-threads', but there is no notable difference. I also tried 'dnssec-signzone' with and without the '-n' option. No difference either. Can anyone point me in the right direction please? Thank you so much. -- Ma

Re: DNSSEC closed environment

2009-07-08 Thread Marco Davids
projects/ldns/ (sorry, for being a bit off-topic here) Regards, -- Marco Davids SIDN ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users