Re: How to update zone with dnssec-policy

2023-07-04 Thread Matthew Seaman
On 03/07/2023 19:36, Matthias Fechner wrote: What I understood from the documentation: *-s* /server/[#/port/] I can maintain e.g. my zones from my local computer at home inside a git repository and use nsdiff and nspatch to push the changes to the server in the internet? Correct. Does the s

Re: How to update zone with dnssec-policy

2023-07-02 Thread Matthew Seaman
On 02/07/2023 12:27, Matthias Fechner wrote: I have the following problem that changes in a zone file do not get active, no matter if I reload the zone using rndc or restarting bind 9.16.42 on FreeBSD. If I update a zone I edit the zone file, adapt the serial in the SOA and normally do a rndc r

Re: DNS traffic accounting

2017-07-18 Thread Matthew Seaman
On 07/18/17 16:09, Abi Askushi wrote: > I am trying to figure out how could I account the DNS traffic generated > from clients in terms of bytes. My setup is a simple caching DNS with > several clients querying the DNS server. I can measure the DNS traffic > that is generated from the DNS server o

Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-11 Thread Matthew Seaman
On 2017/07/11 14:57, b...@zq3q.org wrote: > I have several linux VMs, that are under used, so I want to use them > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org'; > is that going to work?** Yes, that will work. There is no requirement for any of the NSes for a zone to be part

Re: designing the DNS from the scratch

2017-07-10 Thread Matthew Seaman
On 2017/07/10 14:16, Matus UHLAR - fantomas wrote: >>> But you do know the approximate speed of light in a vacuum? > > there's always dark in my vacuum, so the speed of light doesn't apply > there. > > On 10.07.17 09:02, wbr...@e1b.org wrote: >> More importantly, what is the speed of light in a f

Re: The DDOS attack on DYN & RRL ?

2016-11-01 Thread Matthew Seaman
On 2016/11/01 14:45, Ben Croswell wrote: > The other option being having a master owned by your company and then > setting both external providers to secondary from your master. You to > maintain control over data and have diversity. Agreed. This works well -- it's what we do. Cheers,

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Matthew Seaman
On 2016/10/31 16:09, Barry Margolin wrote: > I heard that the impact of the attack was even narrower than just the > US, it was mostly eastern US. That suggests some things about the > granularity of Dyn's anycast network and the distribution of the Mirai > botnet. There were actually three att

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Matthew Seaman
On 2016/10/31 14:53, Jim Popovitch wrote: > On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman > wrote: >> This despite the fact that Dyn has a global anycast network with >> plenty of bandwidth, points of presence all round the world and >> each POP contains a bunch of

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Matthew Seaman
On 10/31/16 12:41, MURTARI, JOHN wrote: > God only knows, the DDOS hackers are probably on this list but I > have to ask what protections DYN had in place before the attack > occurred. RRL has been promoted as some protection against these > types of attacks. If they had it in place, did it he

Re: compile and install from source

2015-03-31 Thread Matthew Seaman
On 31/03/2015 02:32, @lbutlr wrote: >> Can you start the named process "by hand" -- the command line should be >> > something like: >> > >> > # /usr/local/sbin/named -u bind -c /etc/namedb/named.conf \ >> >-t /var/named > Yes, that works without reporting any errors, so the issue appears to >

Re: compile and install from source

2015-03-30 Thread Matthew Seaman
On 03/30/15 00:35, @lbutlr wrote: > Downloaded and compiled bind-9.9.7 (FreeBSD 8.4-RELEASE) and it built fine > (./configure && make && make install). On FreeBSD, building software out of the ports is definitely recommended. It does the usual configure and make dance, but you also get the benef

Re: OpenSSL problem: bind98-base FreeBSD port

2012-07-09 Thread Matthew Seaman
On 09/07/2012 01:40, Doug Barton wrote: > On 07/08/2012 17:33, Matthew Pounsett wrote: >> >> On 2012/07/08, at 20:29, Matthew Pounsett wrote: >> >>> >>> On 2012/07/08, at 20:26, Mark Andrews wrote: >>> One can also build named w/o GOST support if one wants. We statically link all th

Re: bind caching dns

2012-05-08 Thread Matthew Seaman
On 08/05/2012 10:09, Ben wrote: > I am new with bind. I am trying to configure bind as caching server for > our network. I configure it and it works successfully. > > Can we get report or statistics something which shows which queries > resolved from cache and which resolved from internet? Yes. Add

Re: rndc status number of zones

2012-03-01 Thread Matthew Seaman
On 01/03/2012 12:10, Emil Natan wrote: > On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman < > m.sea...@infracaninophile.co.uk> wrote: > >> > On 01/03/2012 11:20, Emil Natan wrote: >>> > > Do any of you experience the same issue? Any ideas w

Re: rndc status number of zones

2012-03-01 Thread Matthew Seaman
On 01/03/2012 11:20, Emil Natan wrote: > Do any of you experience the same issue? Any ideas what I'm missing or > what's wrong? Automatic empty zones? Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard

Re: forwarding "@" to a different domain?

2012-01-08 Thread Matthew Seaman
On 08/01/2012 17:09, enigmedia (onl) wrote: > How do I point requests for "http://mydomain.com" and > "http://www.mydomain.com" to "http://mydomain.myshopify.com"? Look up an A record (or AAAA) for mydomain.myshopify.com, then create a similar A (or AAAA) record pointing to the same address in

Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Matthew Seaman
On 25/11/2011 16:59, Marek Kozlowski wrote: > Is it allowed to use a few `zone' clauses for a single domain? Is > something like this correct: > > zone "mickey.mouse.com" in { > type master; > file "pri/mickey-public.zone"; > allow-query { any; }; > allow-transfer {

Re: Puzzeling about IPv6

2011-11-19 Thread Matthew Seaman
On 19/11/2011 18:47, 夜神 岩男 wrote: >> Oh, and given you've got 64bits to play with, so long as your random >> numbers are up to scratch no need to worry about collisions. You'd >> need to be assigning millions of addresses before you ran into that >> problem. > > Not to be an ass and this is like

Re: Puzzeling about IPv6

2011-11-17 Thread Matthew Seaman
On 17/11/2011 15:13, Michelle Konzack wrote: > my ISP is now offering an IPv6 /64 subnet for > free for each Server. Not only Root-Servers but for really ALL! > > OK, however, I like to setup my VHosts to use it, but I am puzzling > around how to do this with bind9

Re: Port number in A record in zone file

2011-11-17 Thread Matthew Seaman
On 17/11/2011 14:41, Aleksander Kurczyk wrote: > If not, it is possible to map traffic from 127.0.0.11:53, > 127.0.0.12:53 and 127.0.0.13:53 to 127.0.0.1:2001, 127.0.0.1:2002 and > 127.0.0.1:2003 or to setup new loopback interfaces for 127.0.0.11, > 127.0.0.12 and 127.0.0.13 on Mac OS X or somehow

Re: [Best practice] Internal zone

2011-11-15 Thread Matthew Seaman
On 15/11/2011 12:50, Jeremy MAURO wrote: > I'm asking you all for your best practice regarding your internal DNS and > zones. > > I have 2 DNS servers used as Internal DNS and Resolvers, here is the > dilemma, should I declare in each internal zone my NS with a glue record: > > $ORIGIN example.int

Re: Syncing DNS zones with different names

2011-11-15 Thread Matthew Seaman
On 15/11/2011 07:19, Chris Balmain wrote: > Let's say I have two domain names, d1.com and d2.com, and I want to > synchronise all records underneath them (one-way sync, that is). So if I > create an A record www.d1.com pointing at 1.2.3.4, www.d2.com is also > automatically created, with the same v

Re: How to show the Recursion behaviour of DNS Servers

2011-11-05 Thread Matthew Seaman
On 05/11/2011 19:37, Gaurav Kansal wrote: > Is there any way in dig or nslookup utility to see the whole path which a > DNS Server follows for giving me the answer. dig +trace www.nkn.in is pretty close to what you ask. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil.

Re: Blocking malware URL lookup using BIND

2011-10-25 Thread Matthew Seaman
On 25/10/2011 10:03, babu dheen wrote: > We are seeing huge number of malware request going to malware domains > performed by some malware infected clients. > > All malware infected clients are trying to reach below URL . We would like > to know how we can block if any dns query come to > *

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Matthew Seaman
On 15/10/2011 20:32, Mark Elkins wrote: > So what you are saying in practical terms is in order to migrate from > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which > cycle once a year) and then at exactly the same time start using > RSASHA256 on the KSK's (which cycle every mo

Re: changing ttl of mx record

2011-10-10 Thread Matthew Seaman
On 10/10/2011 15:42, enigmedia wrote: > Hi All: If I need to set a short TTL prior to an MX IP change, do I need to > modify the TTL of the MX record, or just the A record the MX points to? > (There's just a single A record for the MX). You want to drop the TTL on the RR where the data -- the RHS

Re: ZSK pre-publish

2011-10-03 Thread Matthew Seaman
On 03/10/2011 13:45, Torinthiel wrote: > On 2011-10-01 11:40, Matthew Seaman wrote: >> dnssec-signzone will grok all the built-in dates and do the right thing >> when you sign the zone. > BTW, how does dnssec-signzone behave when you pass -s option? Does it > take into a

Re: ZSK pre-publish

2011-10-01 Thread Matthew Seaman
On 01/10/2011 09:25, CT wrote: > >> I have a few static zones that I sign via script >> keydir = directory for both KSK and ZSK >> $zone = zone file >> /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone >> >> >> Fetching KSK 4054/RSASHA256 from key repository. >> Fetching ZSK

Re: "if exists host-name" for IPv6 DDNS?

2011-09-23 Thread Matthew Seaman
On 23/09/2011 00:39, Joachim Tingvold wrote: > Or replace :: with _, '_' is an illegal character in hostnames in the DNS... Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: htt

Re: Delegation check failed

2011-09-20 Thread Matthew Seaman
On 20/09/2011 14:25, Lightner, Jeff wrote: > On going there and testing water.com domain I see: > Delegation > > · Nameserver dswadns1.water.com is listed for zone water.com without > address information. > > · Nameserver dswadns2.water.com is listed for zone water.com without >

Re: Problems with nic.it

2011-09-20 Thread Matthew Seaman
On 20/09/2011 08:20, Lucio Crusca wrote: > Hence I wonder if there existed any public DNS checker that could > check a DNS which is not the NS pointed server yet, http://dnscheck.iis.se/ has an 'undelegated domain test' Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil.

Re: Weird IPv6 issue?

2011-09-11 Thread Matthew Seaman
On 11/09/2011 21:00, m...@smtp.fakessh.eu wrote: > I also think the creation of the reverse zone ipv6 > > i dont know how to IPv6 reverse zones work in very much the same way as IPv4 reverse zones. So, for an address 2001:8b0:151:1:e2cb:4eff:fe26:6481 you would generate the LHS of a PTR record l

Re: Bind time up.

2011-07-23 Thread Matthew Seaman
On 23/07/2011 09:22, Vbvbrj wrote: > How to tell BIND to not stop listening on cable disconnected adapters? Add to the options {} section of named.conf: interface-interval 0; Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard

Re: I can't resolve one domain: nhs.uk

2011-06-17 Thread Matthew Seaman
Spam detection software, running on the system "lucid-nonsense.infracaninophile.co.uk", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see The admi

Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Matthew Seaman
On 24/05/2011 19:22, Timothy Stoddard wrote: > Has anyone run into an issue with two named processes running on the same > host. We want to begin serving up DNS on our IPv6 address space and do not > want to duplicate each of our DNS servers. We have started two named > processes one with "-6" op

Re: strange queries in my DNS

2011-04-25 Thread Matthew Seaman
On 25/04/2011 13:30, Victor Hugo dos Santos wrote: > Yes.. I already read about DNS amplifier attack.. but in > amplification attack, the query is about ".", but in my case, the > queries isn't by the "root", but for "unused type" No -- confusion of terms: '.' is the *root* of the DNS hiera

Re: strange queries in my DNS

2011-04-21 Thread Matthew Seaman
On 21/04/2011 19:54, Victor Hugo dos Santos wrote: > Hello masters. > > the last week I had a strange queries logged in my DNS. In this > moment I only block the IP (77.204.11.139) source and forget of this > theme. > > but, today.. I have the same query registered in my logs and from > other s

Re: incorrect dns returned by public servers for our domain

2011-02-23 Thread Matthew Seaman
On 24/02/2011 04:14, Noel Butler wrote: > You can pretty much remove the entire statement now, as all /8's are > issued as of about two weeks ago. This works for me: lucid-nonsense:~/src/namedb:% cat acl-ipv4-bogons.conf // @(#) $Id: acl-ipv4-bogons.conf 800 2011-02-03 20:22:12Z matthew $ // // N

Re: can @ be CNAME?

2010-11-23 Thread Matthew Seaman
On 23/11/2010 08:07, Tech W. wrote: > --- On Tue, 23/11/10, Matus UHLAR - fantomas wrote: >> From: Matus UHLAR - fantomas >>> can I set @ to a cname type? like: >>> >>> @ IN CNAME www.example.com. >> >> Certainly not. for a domain you have you need SOA and NS >> records, and CNAME >> is incom

Re: Reverse Configuration

2010-10-17 Thread Matthew Seaman
On 16/10/2010 21:48, Kevin Oberman wrote: > To be completely clear, unless there is special software on the client > to deal with PTRs, you really only want ONE PTR for each address. Most > standard network tools tend to assume only one PTR per address and some > get very confused when multiple PTR

Re: Protecting bind from DNS cache poisoning!!!

2010-08-08 Thread Matthew Seaman
On 08/08/2010 11:29:52, Shiva Raman wrote: >I am running Bind caching and bind authoritative servers with current > 9.7 version. I would like > to know the steps to be followed to protect bind from DNS Cache poisoning. > The bind DNS server > is running behind the firewall which allows onl

Re: zone syntax question

2010-07-24 Thread Matthew Seaman
On 24/07/2010 16:17:13, Joseph S D Yao wrote: > Quick, knee-jerk, which of these is > one day? > 86300 > 68300 > 863000 It's a trick question, right? Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard

Re: dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Matthew Seaman
On 18/07/2010 17:58:15, Evan Hunt wrote: >> Is there a way of using dnssec-lookaside and forcing bind not to >> maintain a managed-keys-zone for certain views? > > Sure, just do it the old way, without "dnssec-lookaside auto". > Put these in the view statement: > > dnssec-lookaside . trus

dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Matthew Seaman
Dear list, Is there a way of using dnssec-lookaside and forcing bind not to maintain a managed-keys-zone for certain views? Or allowing it to start up if the files are missing for some views? I have within my named.conf this view, designed to hide bind.version and so forth from the world at lar

Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481

2010-06-02 Thread Matthew Seaman
On 02/06/2010 18:49:44, Casey Deccio wrote: > This has been fixed. The problem had to do with establishing a canonical > ordering of RRs within an RRset for the purposes of verifying an RRSIG. > dnspython's default comparison operators don't follow ca

DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481

2010-06-02 Thread Matthew Seaman
I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools. Everything seems to be working well, but when I test using the Sandia Labs dnsviz.net tool I get inconsistent result

Re: IPv6 reverse zones advise

2010-05-10 Thread Matthew Seaman
On 10/05/2010 12:44:32, a.sm...@ukgrid.net wrote: > we will shortly start using IPv6 reverse DNS, and having never used it > before I thought Id ask those with some experience if they have any > words of wisdom before I make any horrible mistakes ;)

Re: Bind crashs sometimes.

2009-12-30 Thread Matthew Seaman
Cathy Almond wrote: If you're running a BIND 9.6.1~ variant (I don't recognise "bind96-9.6.1.2" as an ISC version string), the assert line number does not tally with the source code for bind9/lib/isc/unix/socket.c. That's the FreeBSD package name & version for bind-9.6.1-P2 but... That assert

$GENERATE and IPv6

2009-08-19 Thread Matthew Seaman
Is anyone out there using $GENERATE to create blocks of AAAA and PTR records for IPv6? Particularly PTR records? It seems easy enough to create AAAA records automatically: $ORIGIN infracaninophile.co.uk. $GENERATE 0-255 2001-8b0-151-1-240-0-1234-${0,0,x} AAAA 2001:8b0:151:1:240:0:1234:${0,0,x}
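The two IPv6 reverse-DNS points on this page, the nibble-reversed PTR owner name described in the "Weird IPv6 issue?" reply and the block of AAAA/PTR records this message builds with $GENERATE, worked through in Python. This is an added example, not code from the original posts or from BIND: the hostnames, addresses and forward zone origin are taken from the $GENERATE line above, while the /64 reverse zone cut (2001:8b0:151:1::/64) and the relative-owner layout of the zone file are assumptions. The nibble-boundary check matters because ip6.arpa is delegated one hex digit per label, so a reverse zone can only be cut at a multiple of four bits.

```python
"""ip6.arpa names and $GENERATE-style AAAA/PTR sets for an IPv6 block.

Added example for this archive page, not code from the original posts or
from BIND.  Hostnames, addresses and the forward origin come from the
$GENERATE line in the post; the /64 reverse zone cut is an assumption.
"""
import ipaddress

IP6_ARPA = "ip6.arpa."


def nibbles(ip: ipaddress.IPv6Address) -> str:
    """All 32 hex digits of an address, leading zeros kept (no :: shortcuts)."""
    return ip.exploded.replace(":", "")


def ptr_owner(addr: str) -> str:
    """Fully qualified PTR owner: every nibble reversed, one label each, under ip6.arpa."""
    reversed_nibbles = ".".join(reversed(nibbles(ipaddress.IPv6Address(addr))))
    return f"{reversed_nibbles}.{IP6_ARPA}"


def reverse_zone_origin(prefix: str) -> str:
    """Apex of the ip6.arpa zone for prefix.

    ip6.arpa is delegated one nibble per label, so a zone cut is only
    possible at a 4-bit boundary; anything else is rejected.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not a nibble boundary; no zone cut possible")
    kept = nibbles(net.network_address)[: net.prefixlen // 4]
    if not kept:
        return IP6_ARPA
    return f"{'.'.join(reversed(kept))}.{IP6_ARPA}"


def relative_ptr_owner(addr: str, prefix: str) -> str:
    """Owner name relative to the zone for prefix, as written in that zone file."""
    full, origin = ptr_owner(addr), reverse_zone_origin(prefix)
    if not full.endswith(f".{origin}"):
        raise ValueError(f"{addr} is not inside {prefix}")
    return full[: -(len(origin) + 1)]


def generate_records(prefix: str, fwd_origin: str, name_fmt: str, addr_fmt: str,
                     first: int, last: int) -> tuple[list[str], list[str]]:
    """Expand a numbered range the way $GENERATE does; return (aaaa_lines, ptr_lines).

    name_fmt and addr_fmt carry one {0:x} placeholder, the equivalent of
    $GENERATE's ${0,0,x}: the counter rendered in lower-case hex.
    """
    aaaa, ptr = [], []
    for n in range(first, last + 1):
        host = name_fmt.format(n)
        addr = ipaddress.IPv6Address(addr_fmt.format(n))
        aaaa.append(f"{host} AAAA {addr.compressed}")
        ptr.append(f"{relative_ptr_owner(str(addr), prefix)} PTR {host}.{fwd_origin}")
    return aaaa, ptr


if __name__ == "__main__":
    PREFIX = "2001:8b0:151:1::/64"  # assumed reverse zone cut for the post's addresses
    FWD = "infracaninophile.co.uk."
    aaaa, ptr = generate_records(PREFIX, FWD,
                                 "2001-8b0-151-1-240-0-1234-{0:x}",
                                 "2001:8b0:151:1:240:0:1234:{0:x}", 0, 255)
    print(f"$ORIGIN {FWD}")
    print(*aaaa[:3], sep="\n")
    print(f"$ORIGIN {reverse_zone_origin(PREFIX)}")
    print(*ptr[:3], sep="\n")
```

The PTR side is what $GENERATE cannot do on its own for IPv6: the counter has to be split into individual reversed nibble labels, which is exactly what relative_ptr_owner produces for each address in the range.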