Re: Useful tip on nsupdate -- readline support.

2019-06-12 Thread Mukund Sivaraman
Hi Ondrej On Wed, Jun 12, 2019 at 04:08:20PM +0200, Ondřej Surý wrote: > Hey list, > > I believe this needs addressing from the BIND team. > > > * readline is GPL > > BIND 9 supports compilation with libedit which is 99% drop-in replacement > since 2015 (017cbd44). I had mentioned libedit in m

Re: Useful tip on nsupdate -- readline support.

2019-06-11 Thread Mukund Sivaraman
On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote: > Hi there all, > > I manually use nsupdate to make some changes to some of my zones - > most recently I had to add a bunch of reverse DNS records. These are > all very similar - the first octet changes, and then the target name > chan

Re: What is maximum size BIND can accept in A Record?>

2019-06-05 Thread Mukund Sivaraman
On Wed, Jun 05, 2019 at 02:57:41PM +0100, Tony Finch wrote: > Mukund Sivaraman wrote: > > > On Wed, Jun 05, 2019 at 12:07:56PM +0100, Tony Finch wrote: > > > The maximum length is 254 including the terminating dot. The maximum > > > > 254 excluding the ter

Re: What is maximum size BIND can accept in A Record?>

2019-06-05 Thread Mukund Sivaraman
On Wed, Jun 05, 2019 at 12:07:56PM +0100, Tony Finch wrote: > The maximum length is 254 including the terminating dot. The maximum 254 excluding the terminating dot or 255 including the terminating dot. Mukund ___ Please visit https://li

Re: A little baffled by bind 9.14.2 wanting some special python?

2019-05-29 Thread Mukund Sivaraman
On Wed, May 29, 2019 at 11:09:45AM -0400, Dennis Clarke wrote: > On 5/29/19 2:22 AM, Michał Kępień wrote: > > > For reasons unknown the configure process blows up even if I specify > > > the option --disable-python and in the config.log I see : > > > > The option is actually called --without-pytho

Re: Bind max socket/query per IP

2019-05-22 Thread Mukund Sivaraman
On Wed, May 22, 2019 at 11:39:04PM +0200, Ict Security wrote: > Dear Klaus, > > >>btw - how high is the "extremely load"? > Without the old DLZ module, Bind 9.12 scales to thousands and thousands of > queries. > If I include the old DLZ module, with postgres, over about 1000 Qps Bind > starts to slow down

Re: High load on BIND DNS and query timeouts after RPZ XFR retrieve

2019-05-20 Thread Mukund Sivaraman
On Sun, May 19, 2019 at 10:55:53PM +0200, Peter V wrote: > Hi all, > > I would like to get opinion on issue I was involved over weekend. > Customer utilizes RPZ feed from spamhaus and worked pretty OK for some > months after initial deployment. > They reported issue with wrong performance of BIND

Re: BIND 9.10 fast only on alias IP

2019-05-20 Thread Mukund Sivaraman
On Mon, May 20, 2019 at 10:06:09AM +0200, Ict Security wrote: > Dear guys, > > I am experiencing a very strange behaviour of Bind under busy peak time. > > With a quite important number of incoming DNS queries, responses are > really, really slow; > sometimes they even get stuck. > > If I try to quer

Re: bind resolver zone delegation

2019-05-15 Thread Mukund Sivaraman
On Wed, May 15, 2019 at 03:27:14PM +0200, Frank Patzig wrote: > In my log > > DNS format error from 64.7.11.138#53 resolving vpn.smiths.com/MX for client > 127.0.0.1#47512: Name smiths.com (SOA) not subdomain of zone vpn.smiths.com > -- invalid response > > What is the problem. > ;; AUTHORITY SE

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2019-04-26 Thread Mukund Sivaraman
On Fri, Apr 26, 2019 at 10:08:43PM +0200, Havard Eidnes via bind-users wrote: > > (2) We'll look at tweaking this log message, but if you want to just not > > see this log message, just recompile after removing the offending CTRACE > > statement from bin/named/query.c. In fact, this code is normall

Re: max-cache-size

2019-04-18 Thread Mukund Sivaraman
On Thu, Apr 18, 2019 at 04:02:27PM +0200, Jakob Dhondt wrote: > Hi everyone, > > just a quick question about the max-cache-size option in bind. I > couldn't find any details online. > > > I was wondering if this option only includes DNS queries/responses > getting cached or anything else as well,

Re: Fwd: SSHFP observation

2019-01-31 Thread Mukund Sivaraman
On Thu, Jan 31, 2019 at 10:30:30AM -0500, Jim Popovitch via bind-users wrote: > On Thu, 2019-01-31 at 19:14 +0530, rams wrote: > > Hi, > > I have setup sshfp records as follows in bind zone file: > > > > test1.ramesh-sshfp.com. 86400   IN  SSHFP 1 1 aa > > test2.ramesh-sshfp.com. 86400   IN  SSHFP

Re: 0-TTL when querying "invalid" soa

2019-01-29 Thread Mukund Sivaraman
On Tue, Jan 29, 2019 at 04:23:56PM +0100, Tom wrote: > We're running BIND-9.12.3-P1 on our authoritative servers and we have the > same behavior with 0-ttl with an invalid soa-query. Is this bind-specific? > Why does an invalid soa-record respond with 0-ttl in the authority-section? It appears to

Re: dig empty question section

2019-01-21 Thread Mukund Sivaraman
On Mon, Jan 21, 2019 at 04:55:54PM +0100, Egon Kocjan wrote: > Hello > > Is it possible to send a DNS request packet with zero QDCOUNT using dig? See dig +header-only in its manpage. Mukund ___ Please visit https://lists.isc.org/mailman

Re: rbtdb.c:1497: fatal error

2018-12-03 Thread Mukund Sivaraman
On Tue, Dec 04, 2018 at 08:21:26AM +1100, Mark Andrews wrote: > Add ‘database “rbt64”;’ to the dynamic zone configurations. It looks like > you are > overflowing the 32 bit serial number. This was thought of as highly improbable when rbt64 was removed and uint32_t was settled on for the type of

Re: showzone/modzone with catalog zone

2018-11-21 Thread Mukund Sivaraman
On Wed, Nov 21, 2018 at 04:48:03PM +0530, Mukund Sivaraman wrote: > > Then I wanted to modify the zone config: > > rndc modzone '{ type slave; file > > “__catz___default_catalog_.db"; masters { ; }; allow-transfer { > > ; }; also-notify { }; };' > &g

Re: showzone/modzone with catalog zone

2018-11-21 Thread Mukund Sivaraman
On Wed, Nov 21, 2018 at 10:08:23AM +0000, BÖSCH Christian wrote: > Hi, > > I have bind9.12.2 running. > I populate zones with a catalog zone, which is fine. > > But if I do a ‘rndc showzone ’ on a slave server, I get: > rndc: 'showzone' failed: failure rndc showzone works only for NZF/NZD (dynam

Re: RSASHA3 in DNSSEC

2018-11-12 Thread Mukund Sivaraman
On Tue, Nov 13, 2018 at 02:06:24PM +0700, Mukund Sivaraman wrote: > There is a draft and BIND 9 implementation of SHA-3 in DNSSEC: > > https://tools.ietf.org/html/draft-muks-dnsop-dnssec-sha3-01 The draft is currently expired. I'll update it before the next IETF meeting to scal

Re: RSASHA3 in DNSSEC

2018-11-12 Thread Mukund Sivaraman
On Tue, Nov 13, 2018 at 12:48:04PM +0600, Hasibuzzaman Gazi wrote: > Hello there, > I am a student and currently working on a class project where I am using > DNSSEC to secure the DNS records. I want to use the RSASHA3 encryption method. > I have haveged installed and the latest bind package, the problem i

Re: odd failures from 9.12.2-P2

2018-10-18 Thread Mukund Sivaraman
On Thu, Oct 18, 2018 at 07:21:49PM -0400, Dennis Clarke wrote: > I see these results : > > I:System test result summary: > I: 7 FAIL > I: 69 PASS > I: 4 SKIPPED > I: 12 UNTESTED > I:The following system tests failed: > I: autosign > I: catz > I: dnssec > I: filter- >

Re: BIND and UDP tuning

2018-09-27 Thread Mukund Sivaraman
On Thu, Sep 27, 2018 at 10:53:25AM -0400, Alex wrote: > Many of these values I've already tweaked and have had no effect on my > SERVFAIL issues :-( If you are getting SERVFAILs from a BIND resolver you administer, then it has responded to your query. If you turn up the log level to something like

Re: BIND DNS problem (?)

2018-09-26 Thread Mukund Sivaraman
On Wed, Sep 26, 2018 at 07:45:46AM +0000, Jukka Pakkanen wrote: > > Answer authenticated: Answer/authority portion was not authenticated by the > server > Non-authenticated data: Unacceptable > This is wireshark's packet parsing output. It is not related to the SERVFAIL. > Sooo, any id

Re: NTP through DNS?

2018-09-21 Thread Mukund Sivaraman
Hi Danny On Fri, Sep 21, 2018 at 07:47:46AM -0400, Danny Mayer wrote: > You can create a DNS A or or even a CNAME in your local DNS that > the NTP server can use and it all works. The original poster asked "can I publish/query the NTP server through DNS the same way I can ask who is doing LD

Re: Operational Notification: Some releases of BIND are too strict when handling referrals containing non-empty answer sections

2018-09-20 Thread Mukund Sivaraman
On Thu, Sep 20, 2018 at 09:48:08AM +0100, G.W. Haywood via bind-users wrote: > Hi there, > > On Wed, 19 Sep 2018, Michael McNally wrote: > > > ... code refactoring ... > > That phrase always sends shudders through my corpus. Some functions in the reply handling in the resolver, e.g., answer_r

Re: Operational Notification: Some releases of BIND are too strict when handling referrals containing non-empty answer sections

2018-09-20 Thread Mukund Sivaraman
On Thu, Sep 20, 2018 at 11:28:46AM +0100, Tony Finch wrote: > G.W. Haywood via bind-users wrote: > > On Wed, 19 Sep 2018, Michael McNally wrote: > > > > > ... code refactoring ... > > > > That phrase always sends shudders through my corpus. > > I recommend having a read through query_find() fro

Re: NTP through DNS?

2018-09-19 Thread Mukund Sivaraman
On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote: > Stupid question: can I publish/query the NTP server through DNS the > same way I can ask who is doing LDAP? An NTP service doesn't belong to a domain, so maybe not (I don't know of one off my mind). For provisioning, there are DHC

Re: Stopping name server abuse

2018-06-24 Thread Mukund Sivaraman
On Sun, Jun 24, 2018 at 04:30:08PM -0400, Alex wrote: > Hi, > We had a former customer who parked about 300 domains with his > registry on our server but is no longer a customer and hasn't moved > his domains. There aren't any hosts behind the domains. > > Is there anything more I can do to block/

Re: How to implement DNS RPZ with Domain Based Reputation Data

2018-04-28 Thread Mukund Sivaraman
On Sun, Apr 29, 2018 at 08:27:34AM +0530, Blason R wrote: > Hi Team, > Can someone please confirm if below stuff I found pertaining to BIND can be > implemented with DNS RPZ? If yes can someone please point me to the > appropriate document? > Domain Based Reputational Data > > With the release of

Re: Fwd: Facing weird issue with DNS-RPZ

2018-04-24 Thread Mukund Sivaraman
On Tue, Apr 24, 2018 at 07:25:45PM -0700, Ray Van Dolson wrote: > On Tue, Apr 24, 2018 at 07:21:34PM -0700, Mukund Sivaraman wrote: > > On Tue, Apr 24, 2018 at 06:03:43PM +0530, Blason R wrote: > > > I am building DNS RPZ on named BIND 9.9.4-RedHat-9.9.4-51.el7_4.2 > > >

Re: Fwd: Facing weird issue with DNS-RPZ

2018-04-24 Thread Mukund Sivaraman
On Tue, Apr 24, 2018 at 06:03:43PM +0530, Blason R wrote: > I am building DNS RPZ on named BIND 9.9.4-RedHat-9.9.4-51.el7_4.2 > (Extended Support Version). RPZ in BIND 9.9 is experimental and unsupported (except for the subscription branch). Please use at least BIND 9.10 for RPZ.

Re: v9.12.1 RPZ 'map' format returns fatal error: incompatible masterfile-format or database for a response policy zone

2018-04-22 Thread Mukund Sivaraman
On Sun, Apr 22, 2018 at 05:26:13PM -0700, acl...@yepmail.net wrote: > When I restart my server, for each of the 2 rpz 'map' zones, I see in log > > Apr 22 16:45:06 katana named[42520]: 22-Apr-2018 16:45:06.504 general: > error: zone 'rpz.blacklist.perm.local': incompatible masterfile-format

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Mukund Sivaraman
On Fri, Apr 06, 2018 at 02:05:39PM +0200, Anand Buddhdev wrote: > On 06/04/2018 12:38, Tony Finch wrote: > > Hi Tony, > > > There is a weird bit in the TSIG spec, RFC 2845: > > > >4.4. TSIG on TCP connection > > > >A DNS TCP session can include multiple DNS envelopes. This is, for > >

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Mukund Sivaraman
Hi Anand On Fri, Apr 06, 2018 at 12:21:49PM +0200, Anand Buddhdev wrote: > Hello folks, > > I'm on CentOS 7, which has an older version of dig from this package: > > # rpm -qf /usr/bin/dig > bind-utils-9.9.4-51.el7_4.2.x86_64 > > When I use this dig to AXFR a zone from a Secure64 DNSSEC signer

Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-07 Thread Mukund Sivaraman
Hi On Tue, Mar 06, 2018 at 11:10:35PM -0700, Latitude wrote: > I would like to solicit constructive feedback in regards to a distributed DNS > zone hosting proof of concept I'd like to design and establish. > > I must deploy a DNS system with the following requirements: > - single master server,

Re: Minimum TTL?

2018-02-08 Thread Mukund Sivaraman
On Thu, Feb 08, 2018 at 05:05:51PM +0100, Reindl Harald wrote: > > I doubt the zone owner is forcing you to use their zone. You can nix > > fetches to it. If you want the zone data, then follow what the zone > > owner requires. > > does not matter It matters to us. Mukund ___

Re: Minimum TTL?

2018-02-08 Thread Mukund Sivaraman
On Thu, Feb 08, 2018 at 04:39:36PM +0100, Reindl Harald wrote: > > > On 08.02.2018 at 16:34, Mukund Sivaraman wrote: > > On Thu, Feb 08, 2018 at 01:30:04PM +0200, Michelle Konzack wrote: > > > Hello Harald, > > > On 2018-02-08, Reindl Harald typed:

Re: Minimum TTL?

2018-02-08 Thread Mukund Sivaraman
On Thu, Feb 08, 2018 at 01:30:04PM +0200, Michelle Konzack wrote: > Hello Harald, > On 2018-02-08, Reindl Harald typed: > > you miss the topic > > > > many DNSBL's have a very short TTL and at the same time a limit of > > queries from a single IP until you need to pay for the service >

Re: option 'lmdb-mapsize' was not enabled at compile time

2018-01-14 Thread Mukund Sivaraman
On Sun, Jan 14, 2018 at 07:43:27AM -0700, russellb...@gmail.com wrote: > Beginning with bind-9.11.2-i586-1 I've gotten this message on > boot: > > named[1094]: ./config.c: option 'lmdb-mapsize' was not enabled at > compile time (ignored) > > named works - this is just noise in

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 10:40:31AM -0700, Grant Taylor via bind-users wrote: > On 12/20/2017 06:27 AM, MAYER Hans wrote: > > And I don’t want that these static names can be changed by someone out of > > an IP range, where it is allowed. I didn’t find any hint to block > > certain IP ranges to be up

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 01:27:17PM +0000, MAYER Hans wrote: > > Dear Mukund, > > Many thanks for coming back. > > > You'll have to explain what you mean better for a more specific answer, > > but see the manual for the "allow-update" ACL config option > > In my zone configuration I have an “a

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 12:39:33PM +0000, MAYER Hans wrote: > > > Dear All, > > My environment: We are using the latest version of BIND and DHCP from ISC. > Our workstations ( mostly Windows and some Mac ) are in certain networks. > Only these networks are allowed to do dynamic DNS updates. So

Re: DNSSEC validation without current time

2017-12-15 Thread Mukund Sivaraman
On Fri, Dec 15, 2017 at 12:45:11PM +0100, Petr Menšík wrote: > Hi folks. > > I am looking for a way to validate name also on systems, where current > time is not available or can be inaccurate. I use a Garmin 18x LVC 1pps GPS receiver device connected to RS-232 serial port. The device plus cables

Re: EDNS0 client subnet in BIND 9.10

2017-11-10 Thread Mukund Sivaraman
I'm not sure how ECS would be useful for load-balancing, as in the best case scenario it would require one to control every client side to send the client-subnet option. On Fri, Nov 10, 2017 at 04:44:10PM +0000, Tony Finch wrote: > Ben Croswell wrote: > > > > I have looked through the ARM and fou

Re: Differences Between Recursion Desired and Recursion Available

2017-10-06 Thread Mukund Sivaraman
On Fri, Oct 06, 2017 at 08:11:56AM +0000, Harshith Mulky wrote: > What I am not able to understand is, What would happen when resolver > does not set Recursion Desired bit in the query it sends? > > If Recursion is supported on the server, Would the server do the > Referral Queries and set the RA
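
Added example (not code from either thread, and not from BIND or dig): a small Python builder and parser for the 12-octet DNS message header of RFC 1035 section 4.1.1. It shows the header-only query that "dig +header-only" sends (QDCOUNT 0 and no question section, as asked in the 2019-01-21 "dig empty question section" thread above) and where the RD and RA flag bits sit, so a query/reply pair can be checked for whether recursion was requested by the client and whether the server offered it, which is the distinction this thread is about. The reply bytes in the usage block are constructed by hand; the message ID and the name are arbitrary.

```python
import struct

# Flag bit masks inside the 16-bit flags field (RFC 1035 section 4.1.1).
QR = 0x8000  # 1 = response, 0 = query
RD = 0x0100  # recursion desired, set by the client
RA = 0x0080  # recursion available, set by the server
RCODE_MASK = 0x000F


def encode_name(name):
    """Wire-format name: each label prefixed by its length, then a zero root label."""
    stripped = name.rstrip(".")
    if not stripped:
        return b"\x00"  # the root name is a single zero octet
    out = b""
    for label in stripped.split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_header(msg_id, rd=True, qdcount=1):
    """The 12 header octets: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    flags = RD if rd else 0
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)


def build_query(msg_id, qname=None, qtype=1, rd=True):
    """A full query message. With qname=None the result is header-only
    (QDCOUNT=0 and no question), the shape that dig +header-only sends."""
    if qname is None:
        return build_header(msg_id, rd=rd, qdcount=0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return build_header(msg_id, rd=rd, qdcount=1) + question


def parse_header(msg):
    """Decode the header; raises ValueError on anything shorter than 12 octets."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recursion_status(query, response):
    """Relate the client's RD bit to the server's RA bit for a matched pair."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or q["id"] != r["id"]:
        raise ValueError("response does not match the query")
    if not q["rd"]:
        return "recursion not requested"
    return "recursion available" if r["ra"] else "recursion not available"


if __name__ == "__main__":
    query = build_query(0x1234, "example.com.")
    # Constructed sample reply: same ID, QR|RD|RA set, one answer counted, no body.
    reply = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
    print(parse_header(build_query(7)))   # header-only query: qdcount 0, 12 octets
    print(recursion_status(query, reply))  # recursion available
```

A server that does not offer recursion answers with RA clear regardless of the client's RD bit; the client can only learn that from the reply, which is why recursion_status looks at both headers rather than the query alone.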

Re: SOA serial increment when we update SOA RR

2017-10-04 Thread Mukund Sivaraman
On Wed, Oct 04, 2017 at 11:43:18AM +0100, Tony Finch wrote: > rams wrote: > > > > When we change any resource record like A or , then SOA serial number > > gets incremented. But If we update only SOA record ,Is serial number of SOA > > remain same as before or serial number of SOA will increme

Re: Logging resolved IP

2017-09-19 Thread Mukund Sivaraman
On Tue, Sep 19, 2017 at 05:16:36PM +0200, Job wrote: > Hi guys, > > is there a way to log resolved IPs in Bind log files? > Example: > www.google.com 4.3.2.1 > > I am able to do it with tcpdump, but I do not like a "sniffing" solution! Turn up logging level to over 10, such as named -d 11. It w

Re: What is wrong with my second $ORIGIN

2017-09-14 Thread Mukund Sivaraman
On Thu, Sep 14, 2017 at 07:02:52AM +0000, Harshith Mulky wrote: > What's wrong with my second $ORIGIN here: > > > $ORIGIN lab.example.com. > $TTL 1d > @ IN SOA colombo root.lab.example.com. ( > 2003022720 ; Serial >

Re: dnssec validation issue

2017-08-30 Thread Mukund Sivaraman
Hi Ganga On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote: > With dnssec-validation turned on, resolving sites like www.icann.org > fails. The alternative is to remove validation > which of course is not the desired solution. Are you able to reproduce the

Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

2017-08-06 Thread Mukund Sivaraman
On Sun, Aug 06, 2017 at 08:07:51PM +0200, Anand Buddhdev wrote: > On 06/08/2017 13:49, Mukund Sivaraman wrote: > > Hi Mukund, > > > Which exact version of 9.11 is this? Is their master NSD or some 3rd > > party signer? Can you create a bug ticket with your named config

Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

2017-08-06 Thread Mukund Sivaraman
Hi Anand On Sun, Aug 06, 2017 at 09:30:01AM +0200, Anand Buddhdev wrote: > Hello BIND developers, > > I've updated from BIND 9.10 to 9.11, and noticed the following happening > whenever "rndc reconfig" is run: > > 05-Aug-2017 11:11:42.066 general: received control channel command > 'reconfig' >

Re: HELP - Domain resolution failed

2017-07-18 Thread Mukund Sivaraman
> root@recursivo-a:~# dig icap-to.com.br > > ; <<>> DiG 9.10.3-P4-Ubuntu <<>> icap-to.com.br > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32316 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ;

Re: RPZ zone name label length limit

2017-06-29 Thread Mukund Sivaraman
Hi Jim On Thu, Jun 29, 2017 at 01:57:16PM +0000, Jim Yang wrote: > Hi, > > What is the DNS name label length limit? As per RFC 1035, it is 63 > characters. I tested a few DNS names that contain a label that is > longer than 63 characters, and found that these records were > successfully loaded
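
Added example (not code from these threads or from BIND): Python that converts a presentation-form name to wire format and enforces the two RFC 1035 section 2.3.4 limits discussed in this thread and in the 2019-06-05 "maximum size" thread above, 63 octets per label and 255 octets per wire-format name. Because the root label costs one octet but has no dot of its own, 255 wire octets correspond to 254 presentation characters with the trailing dot, or 253 without it; the longest_name function builds such a name so the arithmetic can be checked rather than taken on trust. The rpz_owner helper encodes an assumption about how a QNAME trigger is stored in a response policy zone (as the trigger name with the policy zone name appended), which is why the combined length is what matters there. All names used are constructed.

```python
MAX_LABEL = 63   # octets per label, RFC 1035 section 2.3.4
MAX_NAME = 255   # octets per wire-format name, including the root label


def to_wire(name):
    """Wire-format bytes of a presentation-form name, or ValueError when a
    label or the whole name exceeds the RFC 1035 limits."""
    stripped = name.rstrip(".")
    if not stripped:
        return b"\x00"              # the root name alone is one octet
    out = bytearray()
    for label in stripped.split("."):
        raw = label.encode("ascii")
        if not raw:
            raise ValueError("empty label in %r" % name)
        if len(raw) > MAX_LABEL:
            raise ValueError("label %r is %d octets, limit is %d"
                             % (label, len(raw), MAX_LABEL))
        out.append(len(raw))        # length octet precedes each label
        out += raw
    out.append(0)                   # terminating root label
    if len(out) > MAX_NAME:
        raise ValueError("name is %d octets on the wire, limit is %d"
                         % (len(out), MAX_NAME))
    return bytes(out)


def wire_length(name):
    """Octets the name occupies on the wire: presentation length + 1 when the
    trailing dot is present, + 2 when it is not."""
    return len(to_wire(name))


def is_valid(name):
    """True when the name fits both limits and contains only ASCII labels."""
    try:
        to_wire(name)
        return True
    except (ValueError, UnicodeEncodeError):
        return False


def longest_name():
    """A name whose wire form is exactly MAX_NAME octets: three 63-octet
    labels and one 61-octet label (3*64 + 62 + 1 = 255). In presentation
    form it is 254 characters including the trailing dot."""
    return ".".join(["a" * 63] * 3 + ["b" * 61]) + "."


def rpz_owner(trigger, policy_zone):
    """Assumed layout of a QNAME trigger in a response policy zone: the
    trigger name with the policy zone name appended. The limits apply to
    this combined name, so a trigger that is valid on its own can be too
    long once it sits under the policy zone."""
    return trigger.rstrip(".") + "." + policy_zone.rstrip(".") + "."


if __name__ == "__main__":
    for n in ["example.com.", longest_name(), "a" * 64 + ".example."]:
        print(len(n), is_valid(n))
    print(rpz_owner("example.com", "rpz.local"),
          is_valid(rpz_owner(longest_name(), "rpz.local")))
```

Run stand-alone it prints the presentation length and validity of a short name, the 254-character maximal name, and a name with a 64-octet label, then shows that a maximal name is rejected once a policy zone suffix is appended.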

Re: Can a NAPTR query over TCP contain OPT section in Additional Records

2017-06-22 Thread Mukund Sivaraman
Hi Harshith On Thu, Jun 22, 2017 at 05:36:12AM -0700, Harshith Mulky wrote: > Client > DNS > EDNS query, buffer size=4096 > ---> > >DNS Response, Tr

Re: Slow zone signing with ECDSA

2017-04-20 Thread Mukund Sivaraman
On Thu, Apr 20, 2017 at 04:03:21PM +0100, Chris Thompson wrote: > On Apr 20 2017, Tony Finch wrote: > > > Mark Andrews wrote: > > > > > > DSA requires random values as part of the signing process. > > > > Traditionally, yes, but it isn't actually required - > > https://tools.ietf.org/html/rfc69

Re: Latest BIND on Debian 8.7 (jessie) crashed due to assertion failure

2017-04-19 Thread Mukund Sivaraman
Hi Carlos On Thu, Apr 20, 2017 at 12:54:47AM -0300, Carlos Pizarro wrote: > Today the bind9 service crashed and this were the last few log lines when > it happened: > > Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED) > resolving 'heroditus.touchtype-systems.com/A/IN': > 2400:c

Re: NTA (Negative Trust Anchor) lifetime

2017-02-14 Thread Mukund Sivaraman
Hi Miguel On Tue, Feb 14, 2017 at 01:17:00PM -0200, Miguel Mucio Santos Moreira wrote: > Hi folks > > > I'd like to know if it's possible to use NTA (Negative Trust Anchor) in a way > I can set its lifetime as unlimited for a specific domain. > I have a situation where it will be necessary to keep

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Mukund Sivaraman
Hi Raul On Tue, Feb 07, 2017 at 12:03:40PM -0200, Raul Dias wrote: > Hello, > > I have a very strange behavior that I am failing to understand. > > 2 to 5 times a week, a named server reverts back to a previous version of a > master zone. > This happens during the night, usually around 20h EST. >

Re: Bind Queries log file format

2017-02-03 Thread Mukund Sivaraman
On Fri, Feb 03, 2017 at 08:51:01AM -0600, Alan Clegg wrote: > On 2/3/17 8:01 AM, Mukund Sivaraman wrote: > > > We have the debug log level, but consider the case when an operator has > > a non-deterministic or rare crash that isn't reproducible because the > > oper

Re: Bind Queries log file format

2017-02-03 Thread Mukund Sivaraman
Hi John On Fri, Feb 03, 2017 at 01:43:50PM +0000, MURTARI, JOHN wrote: > Folks at ISC, > > > I agree, there are an awful lot of systems and SIEM products that > > process querylogs. This one change will require a huge amount > of > > re-engineering work in customer environments. > > You kn

Re: DNS RPZ triggers

2017-01-27 Thread Mukund Sivaraman
Hi ard On Fri, Jan 27, 2017 at 08:51:14PM +0000, der...@mskcc.org wrote: > Hi All, > > Back in December 2016, I worked on a problem in which a particular hostname > (a website) would not resolve from our DNS servers, but Level3, Google DNS, > and OpenDNS resolved it. It was clear that somewher

Re: Bind Queries log file format

2017-01-25 Thread Mukund Sivaraman
Hi Michael On Wed, Jan 25, 2017 at 09:11:41AM -0500, Michael Dahlberg wrote: > Mukund: > > Yea, I can respect that. However, I'm not confident that dropping it right > in the middle of the log entry was the best place for it. I have a number > of processes that monitor the query logs (it seems

Re: Bind Queries log file format

2017-01-25 Thread Mukund Sivaraman
On Wed, Jan 25, 2017 at 08:37:45AM -0500, Alan Clegg wrote: > On 1/25/17 7:44 AM, Steven Carr wrote: > > On 25 January 2017 at 10:59, Tony Finch wrote: > >> It's the address in memory of the data structure representing the client. > >> It is mentioned in the CHANGES file (#4471) and in the release

Re: Bind Queries log file format

2017-01-25 Thread Mukund Sivaraman
On Wed, Jan 25, 2017 at 12:44:21PM +0000, Steven Carr wrote: > On 25 January 2017 at 10:59, Tony Finch wrote: > > It's the address in memory of the data structure representing the client. > > It is mentioned in the CHANGES file (#4471) and in the release notes - see > > https://source.isc.org/cgi-

Re: Reasons to upgrade?

2017-01-18 Thread Mukund Sivaraman
On Wed, Jan 18, 2017 at 08:02:04AM -0700, lbutlr wrote: > It looks like there are three versions of Bind currently supported, > 9.9.9, 9.10, and 9.11. > > Are there specific reasons to move from 9.9 to 9.10 or 9.11 other than > the usual "it's newer and you're going to have to move at some point > a

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Mukund Sivaraman
Hi Bob On Tue, Oct 18, 2016 at 03:26:00PM -0400, Bob Harold wrote: > On Tue, Oct 18, 2016 at 3:26 AM, Mukund Sivaraman wrote: > > > > > Firstly, RPZ in BIND 9.9 (vanilla) is broken, unmaintained and should > > not be used by anyone. If you know people using BIND 9

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Mukund Sivaraman
Hi Phil On Tue, Oct 18, 2016 at 09:15:45AM +0100, Phil Mayers wrote: > On 18/10/16 08:26, Mukund Sivaraman wrote: > > > We know that IXFR with RPZ policy zones (esp. this DBL zone) causes some > > trouble due to a less than desirable design / implementation of RPZ in > >

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Mukund Sivaraman
Hi Daniel On Tue, Oct 18, 2016 at 09:08:37AM +0200, Daniel Stirnimann wrote: > It currently looks like that only having the spamhaus rpz zones active > causes the occasional timeouts. Maybe it's related to the zone size as > dbl.rpz.spamhaus.org is quite large. If i/o performance on the virtual >

Re: Master/Slave communication not working if I use HMAC-SHA* algorithms when views are implemented

2016-10-14 Thread Mukund Sivaraman
Hi Nagesh On Fri, Oct 14, 2016 at 11:00:24AM +0530, Nagesh Thati wrote: > Hi, > > Has anybody implemented master/slave communication with views and the > HMAC-SHA* algorithms? I tried with all the HMAC-SHA* algorithms; it didn't > work for me, only the HMAC-MD5 algorithm worked for communication.

Re: replicate a whole master

2016-09-19 Thread Mukund Sivaraman
On Mon, Sep 19, 2016 at 04:40:17PM +0100, Tony Finch wrote: > /dev/rob0 wrote: > > > > If you're thinking that you can do this replication to improve DNS > > performance, you're right, it will do that. But it certainly will > > not scale (if it's even possible to get axfr/ixfr), and it won't > >

Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Mukund Sivaraman
On Sat, Sep 17, 2016 at 03:51:00PM +0000, Bhangui, Sandeep - BLS CTR wrote: > Hi > > Not exactly sure whether this is a DNS issue but hoping someone here on this > forum can provide some advice/suggestion as I am trying to figure out what is > going on. > > Our organization BLS owns ( registere

Re: Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

2016-09-06 Thread Mukund Sivaraman
Hi Tom On Tue, Sep 06, 2016 at 07:37:50AM +0200, Tom wrote: > Is there a workaround/configuration-directive not to log every request with > this "error"? One way would be using BIND 9.9.9-P2 (because this code was > added in 9.10.x...), but I would prefer 9.10.x. (1) Don't use regular BIND 9.9 fo

Re: Error running Configure with OpenSSL 1.1.0 and BIND 9.11.0rc1

2016-08-30 Thread Mukund Sivaraman
On Wed, Aug 31, 2016 at 02:02:45PM +1000, James Brown via bind-users wrote: > System is a Mac mini (late-2009) running a new install of Mac OS X 10.11.6. > > Installed OpenSSL 1.1.0 using: > ./Configure --prefix=/usr/local shared darwin64-x86_64-cc > enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3 > m

Re: Need of caching on bind server

2016-08-24 Thread Mukund Sivaraman
Hi Harshith On Thu, Aug 25, 2016 at 04:47:03AM +0000, Harshith Mulky wrote: > Hello, > > > I am trying to understand why caching is required on the bind server, > when the client receiving the responses would be caching based on TTL > values. > > > So, > > Is caching required on the server, i

Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Mukund Sivaraman
On Fri, Aug 19, 2016 at 11:46:36AM +0200, Wolfgang Riedel wrote: > Hi Mukund, > > yes this had been my first assumption also but WHY should/would the > statement "empty-zones-enable” within named.conf change the bring-up > process of the network interface process? > > It’s curious, right? I suspect

Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Mukund Sivaraman
On Fri, Aug 19, 2016 at 11:32:43AM +0200, Wolfgang Riedel wrote: > ### bootup with: empty-zones-enable no; > > [root@ns1 ~]# systemctl status named-chroot.service > ● named-chroot.service - Berkeley Internet Name Domain (DNS) >Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabl

Re: bind used as resolver: matching the source ip

2016-08-18 Thread Mukund Sivaraman
On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8...@t-online.de wrote: > Dear all, > > As far as I understand, BIND is not only used for authoritative name > servers, but is also often used as a (recursive) resolver. > When receiving a response to a DNS query, does BIND match the source ip of > th

Re: Problem looking up domain dryfire.com

2016-08-16 Thread Mukund Sivaraman
On Tue, Aug 16, 2016 at 11:04:14AM +0200, Eivind Olsen wrote: > Hello. > > I'm seeing some odd problems where BIND (9.10.4-P2) has issues resolving > getsurfed.com. This is when using the "510 Software Group" BIND 9.10 for > RHEL/CentOS/Fedora. > > I can do manual lookups of the domain with "dig"

Re: Sending extra info in bind dns query packet

2016-07-14 Thread Mukund Sivaraman
On Thu, Jul 14, 2016 at 11:15:03PM +1000, Karl Auer wrote: > On Thu, 2016-07-14 at 11:19 +0530, Sachin Patil wrote: > > I am just looking into bind and want to send extra information while > > querying dns bind server. This information will be used at the bind > > server side to return the resolve

Re: bind-users Digest, Vol 2427, Issue 1

2016-07-04 Thread Mukund Sivaraman
On Mon, Jul 04, 2016 at 05:18:27PM +0530, Amit Kumar Gupta wrote: > Dear All, > Please find the desired o/ps. > > bash-3.2# dig dropbox.com @203.94.243.70 > > ; <<>> DiG 9.6-ESV-R4-P2 <<>> dropbox.com @203.94.243.70 > ;; global options: +cmd > ;; connection timed out; no servers could be reached

Re: bind-users Digest, Vol 1727, Issue 1

2016-07-04 Thread Mukund Sivaraman
Hi Amit On Mon, Jul 04, 2016 at 04:32:07PM +0530, Amit Kumar Gupta wrote: > Dear All, > > We are Tier 2 ISP in Delhi. Our subscribers are not able to open dropbox.com > using our DNS IPs. > BIND version is 9.8.0. > > Regards > Manager(Internet-Systems) > MTNL Delhi As an internet user, I'd exp

Re: Adding rdataset to a List

2016-06-30 Thread Mukund Sivaraman
Hi Jun On Fri, Jul 01, 2016 at 02:56:48AM +0000, Jun Xiang X Tee wrote: > Dear all, > > > I set up named server, and my dig client can connect to the server > successfully. For a UDP packet, I wish to add an artificial rdataset > to name list of Additional Section. Note that this question

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Mukund Sivaraman
On Tue, Jun 14, 2016 at 08:06:55PM +0000, Evan Hunt wrote: > On Tue, Jun 14, 2016 at 12:38:14PM -0700, Ted Mittelstaedt wrote: > > In reality, there IS no "middle ground" If you truly believe a > > piece of software SHOULD be freely licensed, then that includes the > > idea that commercial entiti

Re: ISC considering a change to the BIND open source license

2016-06-14 Thread Mukund Sivaraman
Hi Evan On Tue, Jun 14, 2016 at 05:45:59PM +0000, Evan Hunt wrote: > May I ask you to expand on why the MPL is a problem? So far the distros > have all been supportive. The BSD camp dislikes copyleft because copyleft prevents exactly what we're trying to stop: the ability to ship a closed-source

Re: Assertion failure when RPZ zone returns NS records?

2016-06-11 Thread Mukund Sivaraman
On Sat, Jun 11, 2016 at 11:40:17PM +0530, Mukund Sivaraman wrote: > On Sat, Jun 11, 2016 at 05:19:41PM +, McDonald, Daniel (Dan) wrote: > > Apparently it’s not the way to do what I needed, but I created an RPZ > > record like this: > > foo.example.com IN

Re: Assertion failure when RPZ zone returns NS records?

2016-06-11 Thread Mukund Sivaraman
On Sat, Jun 11, 2016 at 05:19:41PM +0000, McDonald, Daniel (Dan) wrote: > Apparently it’s not the way to do what I needed, but I created an RPZ record > like this: > foo.example.com IN NS ns1.example.org > IN NS

Re: RPZ logging

2016-05-20 Thread Mukund Sivaraman
On Fri, May 20, 2016 at 01:36:42PM +0200, Job wrote: > Hello, > > is it possible to log, regarding the RPZ response policy, everything > EXCEPT the CLIENT PASS THROUGH events? I would like to log only what > is matched. 9.11 (alpha release) has a "log" clause to enable/disable logging per indivi

Re: Problems after upgrade to 9.10.4

2016-05-06 Thread Mukund Sivaraman
Hi Michael On Fri, May 06, 2016 at 02:57:59PM +0200, Michael Brunnbauer wrote: > I tried running bind with dnssec-enable no and still the exchanges with > tld nameservers involved many packets and TCP sessions. Why? See below: > > 07:25:08.157974 IP (tos 0x0, ttl 64, id 22351, offset 0, flags [n

Re: REG: configuring BIND to respond with EDNS client subnet option

2016-03-29 Thread Mukund Sivaraman
Hi Ramachandra On Tue, Mar 29, 2016 at 02:32:28PM -0700, Ramachandra Kasyap Marmavula wrote: > Request for some help with configuring a BIND DNS server to respond with > EDNS0 client subnet option. I am using the enhanced 'dig' utility available > with the BIND distribution to generate DNS queries

Re: pre heat cache

2016-02-17 Thread Mukund Sivaraman
On Wed, Feb 17, 2016 at 11:31:54AM -0800, William Taylor wrote: > Is there anyway to pre-heat the cache in bind on startup besides having > a custom script that did a bunch of queries on top hosts? > I know you can dump it with rndc but can you load it back ? It used to be possible to load the cac

Re: Complete DNS fake root setup example

2016-01-20 Thread Mukund Sivaraman
Hi John On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote: > Folks, > Had to do some testing where we wanted our own > insulated fake root environment. We wanted to start > from simulated root name servers. I was surprised I >

Re: Mitigation of server's load by queries for non-existing domains

2016-01-12 Thread Mukund Sivaraman
Hi Tomas On Tue, Jan 12, 2016 at 05:53:20PM +0100, Tomas Hozza wrote: > Hello all. > > Recently I was trying to find a mechanism in BIND that could prevent > the server from processing a recursive query for non-existing > domains. The issue I was trying to solve was that when server was > getting

Re: Does EDNS0 work with bind-9.10.3-P2?

2016-01-05 Thread Mukund Sivaraman
Hi Sury On Wed, Jan 06, 2016 at 02:35:37PM +0800, Sury Bu wrote: > Hi Mukund, > > Thanks for your reply, and do you know what bind version will support > ECS option? BIND 9.11 will introduce authoritative support for ECS. Mukund

Re: Does EDNS0 work with bind-9.10.3-P2?

2016-01-05 Thread Mukund Sivaraman
Hi Sury On Tue, Jan 05, 2016 at 10:50:39PM +0800, Sury Bu wrote: > I installed the latest version of bind-9.10.3-P2 but when I using dig > EDNS feature with +subnet, I found my local DNS can not carry client > subnet, does this version support EDNS0 now? 9.10 branch has no support for ECS except d

Re: How is a $ORIGIN directive used inside a DNS Zone File

2015-12-16 Thread Mukund Sivaraman
On Mon, Dec 14, 2015 at 11:18:08AM +, Tony Finch wrote: > Mukund Sivaraman wrote: > > > > Zone files do not require use of $ORIGIN. It is in fact an extension to > > the master format in RFC 1035. > > No, it is specified in RFC 1035 section 5.1: I'm gett

Re: Bind 9.10.3 on CentOS 7.1 - Recv-q on vmware

2015-12-16 Thread Mukund Sivaraman
Hi Rasmus On Tue, Dec 15, 2015 at 03:20:05PM +0100, Rasmus Edgar wrote: > We started noticing 1s+ latency problems on clients resolving using the > vmware guest at a load around 6000 qps. > > Test setup: > > 1 x x86_64 vmware guest on Esx 5.5 > 8xVCPU > 8G RAM > vmxnet3 10Gb virtual interface >

Re: How is a $ORIGIN directive used inside a DNS Zone File

2015-12-14 Thread Mukund Sivaraman
Hi Harshith On Mon, Dec 14, 2015 at 07:36:15AM +, Harshith Mulky wrote: > Why is a $ORIGIN directive used in DNS Zone Files? $ORIGIN directive sets a name to be appended to relative names in the zone file so that they can be made into absolute names. The current origin is appended to such rel

Re: RPZ - override TXT records

2015-10-12 Thread Mukund Sivaraman
Hi Wolfgang On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote: > Hi Folks, > > I am currently struggling with using RPZ for inserting or overriding TXT > resource records. > > This is my goal: > >; do not rewrite www.cisco.com (so, PASSTHRU) and add or override >mi

Re: logging bug for rpz at load-time?

2015-09-03 Thread Mukund Sivaraman
Hi Phil On Thu, Sep 03, 2015 at 01:22:48PM +0100, Phil Mayers wrote: > Minor cosmetic bug, but we're seeing logs like: > > 03-Sep-2015 12:18:50.751 (re)loading policy zone 'rpz.' changed from > 0 to 77406 qname, 0 to 0 nsdname, 769 to 771 IP, 0 to 0 NSIP, 0 to 0 > CLIENTIP entries > > 03-Sep-201

Re: Order and Preference Priority in DNS Responses

2015-08-03 Thread Mukund Sivaraman
Hi Harshith On Mon, Aug 03, 2015 at 05:08:50PM +0530, Harshith Mulky wrote: > I wanted to understand how Order and Preference Values have an impact on the > answers Received from the DNS Server > > I am asking because, I have 4 records for NAPTR Query, as below > > carrier1.com 86400 IN NAPTR

Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure

2015-08-02 Thread Mukund Sivaraman
Hi Prakash On Mon, Aug 03, 2015 at 10:14:50AM +0530, prakash wrote: > Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15424: > writeable file 'data/udalgurijudiciarygov.hosts': already in use: > /etc/nicnet2007.govdomain:15424 > Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicn
