Re: qname minimization: me too :(

2024-06-25 Thread Stephane Bortzmeyer
On Tue, Jun 25, 2024 at 04:22:40PM +0200, Peter wrote a message of 16 lines which said: > Jun 25 16:18:31 conr named[4725]: lame-servers: >info: success resolving 'bar.foo.isc.org/A' after disabling >qname minimization due to 'ncache nxdomain' I do not see how this is pos

Re: can I provide invalid HTTPS values for testing?

2024-06-25 Thread Stephane Bortzmeyer
On Thu, Jun 20, 2024 at 02:29:13PM +0100, Stephen Farrell wrote a message of 100 lines which said: > Actually, it may well be that bind allows me sufficient leeway to do > most of the tests I want, so this is just to check that there's no > imminent plan to have bind disallow the kind of rubbi

Re: qname minimization: me too :(

2024-06-25 Thread Stephane Bortzmeyer
On Mon, Jun 24, 2024 at 10:32:37PM +0200, Peter wrote a message of 40 lines which said: > In other words: why do You guys no longer talk to each other? We do but talking is one thing, convincing is another one, and making people act is a third :-( -- Visit https://lists.isc.org/mailman/listi

Re: qname minimization: me too :(

2024-06-21 Thread Stephane Bortzmeyer
On Fri, Jun 21, 2024 at 07:03:14AM +, Michael Batchelder wrote a message of 59 lines which said: > You'll need to fix these zones so that the response is NOERROR rather than > NXDOMAIN. Yes and, if you want the whole context, you can read RFC 8020

Re: qname minimization: me too :(

2024-06-19 Thread Stephane Bortzmeyer
On Wed, Jun 19, 2024 at 10:15:48PM +0200, Peter wrote a message of 32 lines which said: > today I happened to look into a named.log, and found it full of > qname minimization messages. Which message? Could you copy-and-paste it? -- Visit https://lists.isc.org/mailman/listinfo/bind-users t

Re: queries for "_.domain"

2024-05-17 Thread Stephane Bortzmeyer
On Fri, May 17, 2024 at 03:25:01PM +0200, Matus UHLAR - fantomas wrote a message of 43 lines which said: > I have noticed that BIND sends strange (for me) queries. > > 5 0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A > _.net.akadns.net OPT QNAME minimisation (RF

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Stephane Bortzmeyer
On Wed, Dec 13, 2023 at 05:29:02PM +0100, Michel Diemer via bind-users wrote a message of 1723 lines which said: > another virtual machine that uses the first one as ics dhcp and dns > server. An important thing about DNS: there are two types of DNS servers, very different. Resolvers and auth

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:35:38AM -0400, Alexandra Yang wrote a message of 183 lines which said: > I wonder if any of your nameserver resolve it just fine, like 8.8.8.8 > works Among RIPE Atlas probes, most succeed: % blaeu-resolve --displayvalidation -r 100 --type A gpo.gov [ (Authentic D

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang wrote a message of 154 lines which said: > I wonder if anyone can shed some light on this, our nameserver(BIND > 9.16.37 )keeps giving error on resolving gpo.gov and ns3.gpo.gov, > here are the > errors: "DS record for zone gpo.gov with

Re: Setting Up An Running Your Own Dmarc using Bind DNS

2022-06-27 Thread Stephane Bortzmeyer
On Mon, Jun 27, 2022 at 02:16:26PM -0400, daniel jay foran wrote a message of 370 lines which said: > I cant be the only one that has racked his brains and written > hundreds of lines of code trying to get ISC BIND 9 to authenticate > Dmarc records correctly. I'm not sure I understand you sin

Re: Supporting LOC RR's

2022-05-02 Thread Stephane Bortzmeyer
On Wed, Apr 13, 2022 at 03:39:33PM +0200, Bjørn Mork wrote a message of 14 lines which said: > Which problems do LOC solve? > > I remember adding LOC records for fun?() in the previous millennium when > RFC 1876 was fresh out of the press. But even back then paranoia > finally took over, and

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 06:10:26PM +, Jason Vas Dias wrote a message of 72 lines which said: > What are "RIPE Atlas Probes" ? Small boxes that volunteers from all over the world install in various networks to run active measurements (DNS, ping, traceroute, etc). Very handy to see the Inte

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 04:55:24PM +0100, Stephane Bortzmeyer wrote a message of 52 lines which said: > This domain name seems OK for me but I notice that a fair number of > RIPE Atlas probes in Ireland return a fake NXDOMAIN for this name: On Twitter, an Irish DNS expert said t

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Stephane Bortzmeyer
On Sat, Jan 08, 2022 at 03:34:37PM +, Jason Vas Dias wrote a message of 146 lines which said: >"Book An Appointment": https://covid19booster.healthservice.ie/ > >to make an appointment, Firefox and Chrome both return >"Server Not Found" errors . This domain name seems OK for

Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Thu, Sep 09, 2021 at 12:33:22PM +0200, Matus UHLAR - fantomas wrote a message of 59 lines which said: > Note that some domains can be horribly broken and different > nameservers can send different NS, or no NS at all but SOA. Doing this sort of survey on the wild (and wide) Internet leads

Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Thu, Sep 09, 2021 at 03:20:14AM -0700, Ronald F. Guilmette wrote a message of 48 lines which said: > I don't want and don't need SOA records. I want and need only the > relevant NS records. The algorithm proposed by Matt Pounsett uses the SOA but only to find the NS (through the name of t

Re: Getting the name of responding server(s)

2021-09-09 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 10:48:57AM -0400, Matthew Pounsett wrote a message of 32 lines which said: > Yeah, you can pretty reliably get the answer in one or two steps by > requesting the NS set for the FQDN. You'll either get your answer, or > get an SOA with the name of the enclosing zone. S

Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 12:40:14PM -0700, Ronald F. Guilmette wrote a message of 36 lines which said: > >I'm not aware of a tool (free software or not) which does it. Some > >programming will be required. > > I was afraid of that, but thank you for confirming. Don't despair, see the other me

Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 09:44:43AM +0200, Stephane Bortzmeyer wrote a message of 34 lines which said: > I'm not aware of a tool (free software or not) which does it. Some > programming will be required. Attached is an example program. Free software licence, whatever you prefe

Re: Getting the name of responding server(s)

2021-09-07 Thread Stephane Bortzmeyer
On Tue, Sep 07, 2021 at 12:33:59AM -0700, Ronald F. Guilmette wrote a message of 33 lines which said: > My question is rather a simple one. Given some FQDN `D' and given > some DNS record type 'T' (e.g. either A or or perhaps even PTR) > does there exist some open source command line too

Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 02:03:52PM -0400, Kevin A. McGrail wrote a message of 8 lines which said: > Firewalls are cheap and the level of effort to run a bastion host are > significant. Firewalls are useful when you want to protect unamanaged printers and Windows boxes (or Web servers with a l

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 11:16:05AM -0700, Fred Morris wrote a message of 50 lines which said: > 2) If you want to run your own DNS nameservers, you will need to buy a >book, read the (BIND) Administrator's Reference Manual, and/or some >RFCs Very bad advice. RFCs are not for the faint

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:57:16PM +, Jason Long via bind-users wrote a message of 173 lines which said: > I have two static IP addresses. One is for DNS server and one is for > my website. Note that you can put the two servers on the same machine, using the same IP address, since the two

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:36:58PM +, Jason Long via bind-users wrote a message of 1594 lines which said: > in the panel of it, I can enter my DNS server IP addresses. I assume you refer to the panel of your domain name registrar. If so, it would be useful to know which is the label near

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 06:45:01PM +0200, Michael De Roover wrote a message of 65 lines which said: > Your router can port forward traffic to port 53/udp to your local IP > that your DNS server is on. He said that the DNS server has a public IP address so port forwarding is probably not neces

Re: DNS security, amplification attacks and recursion

2020-07-07 Thread Stephane Bortzmeyer
On Tue, Jul 07, 2020 at 03:00:13PM +0200, Michael De Roover wrote a message of 46 lines which said: > The command used to test this was apparently "dig +short > test.openresolver.com TXT @your.name.server". ANY instead of TXT may be more efficient (specially with +dnssec), if the goal is to g

Re: Bind 9 not responding to queries

2020-04-12 Thread Stephane Bortzmeyer
On Sun, Apr 12, 2020 at 01:41:52AM +, sir izake wrote a message of 153 lines which said: > At specific times of day bind fails to respond to queries even > though service is shown to run (configured to respond to my network > IPs, this works fine till this time when service fails to answer

Re: Unable to completely transfer root zone

2020-02-11 Thread Stephane Bortzmeyer
On Mon, Feb 10, 2020 at 02:32:55PM -0500, Warren Kumari wrote a message of 70 lines which said: > Also, can you try: > dig +tcp . axfr @192.0.32.132 > dig +tcp . axfr @192.0.47.132 > dig +tcp . axfr @b.root-servers.net > > (no, I'm not really sure why trying with the first 2 IPs instead of >

Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE mis

Re: Strange DNS problem

2019-06-10 Thread Stephane Bortzmeyer
On Mon, Jun 10, 2019 at 02:28:46PM +, Jukka Pakkanen wrote a message of 382 lines which said: > An example, the client domain is raimoasikainenoy.fi. dig clearly says it's a cookie issue: % dig @193.184.54.212 NS raimoasikainenoy.fi ;; Warning: Client COOKIE mismatch An DNSviz confirms

Re: cyberia.net.sa

2018-06-26 Thread Stephane Bortzmeyer
On Tue, Jun 26, 2018 at 03:36:25PM +0200, Matus UHLAR - fantomas wrote a message of 19 lines which said: > Some web DNS checkers do great job. And some are really bad and/or broken. Let's mention the right ones: https://dnsviz.net/ https://zonemaster.net/ ___

Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 12:57:26PM -0400, Rick Dicaire wrote a message of 276 lines which said: > Hi Thomas, obfuscating IP addresses doesn't help in the least. No problem, the IP address is known by the TLD name servers. % dig @a.gtld-servers.net ns1.sleepyvalley.net ; <<>> DiG 9.10.3-P4-U

Re: My domain name name not propagating through the Internet.

2018-05-26 Thread Stephane Bortzmeyer
On Sat, May 26, 2018 at 11:44:58AM -0500, Thomas Strike wrote a message of 269 lines which said: > they say that the problem is with my server. They were right. > I am here asking for fresh sets of eyes to look at my setup file and the > domain zone record that is at issue. My domain is slee

Re: TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Stephane Bortzmeyer
On Tue, Mar 13, 2018 at 10:52:50AM +0100, Carsten Strotmann wrote a message of 19 lines which said: > is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) > already support at the TLD level somewhere? I know it is implemented > in BIND 9.11+ and Knot, but can it be used in the real

Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 03:28:18PM +0300, Diarmuid O Briain wrote a message of 427 lines which said: > However quite frankly I do not get how the AS112 service is accessed via > anycast. Did you configure your routing as mentioned in section 3.4 of RFC 7534? > Another thing that is confusing

Re: BIND9 and AS112

2018-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 09, 2018 at 12:32:41PM +0300, Diarmuid O Briain wrote a message of 122 lines which said: > Mar 09 08:11:43 as112 named[3787]: internal_send: 2620:4f:8000::42#53: > Invalid argument > Mar 09 08:11:43 as112 named[3787]: internal_send: 192.175.48.42#53: Invalid > argument I suspect t

Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-09 Thread Stephane Bortzmeyer
On Thu, Mar 08, 2018 at 12:52:57PM +, Tony Finch wrote a message of 49 lines which said: > Best way to achieve this is with anycast, which can be pretty > time-consuming to set up - try searching for Nat Morris's > presentation "anycast on a shoestring" which he gave at several NOG > meeti

Re: dnssec validation issue

2017-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote a message of 677 lines which said: > # dig @localhost www.icann.org A +dnssec When you suspect a DNSSEC issue, always retry dig with +cd (Checking Disabled). And post the result. ___

Re: Forward record for WWW

2016-05-05 Thread Stephane Bortzmeyer
On Thu, May 05, 2016 at 04:06:06PM +, Cuttler, Brian R. (HEALTH) wrote a message of 34 lines which said: > I configured the change for my external test server only > (199.184.16.7, which is _probably_ available for external query) No. % dig @199.184.16.7 A wadsworth.org ; <<>> DiG 9.9.5

Re: Forward record for WWW

2016-05-05 Thread Stephane Bortzmeyer
On Thu, May 05, 2016 at 03:42:24PM +, Cuttler, Brian R. (HEALTH) wrote a message of 29 lines which said: > External record in the zone file is actually > wadsworth.org. 300 IN A 199.184.16.22 None of the three name servers for wadsworth.org serve this A record. It seems the master was *n

Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 02:02:24PM -0400, Rob Heilman wrote a message of 305 lines which said: > We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized > email hosting system. System info listed at the end of this > message. We are seeing intermittent but frequent issues resolvin

Re: Monitor DNS queries toward Root severs

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 07:03:13PM +1000, Mark Andrews wrote a message of 15 lines which said: > fill in with the rest of the root servers names. And if you don't like to type, or if you use another root: sudo tcpdump -n -i ${INTERFACE} port 53 and \( $(for ns in $(dig +nodnssec +short NS .

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 07:32:48AM -0700, Matthew Pounsett wrote a message of 49 lines which said: > One of these days I'd like to lead a serious lobbying effort against > the browser developers at the W3C to have SRV records for HTTP > standardized. I fully agree and, if you're brave enough

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 10:23:19AM -0400, Barry Margolin wrote a message of 28 lines which said: > You would only be able to do this if you could put the CNAME record > in the parent domain, instead of delegating domain.com to your own > server. But do any domain registrars support that optio

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 05:26:53PM +0300, Daniel Dawalibi wrote a message of 50 lines which said: > DNS registrar that can offer this option by using apex/naked/root > domain redirection Sorry, but I cannot parse this sentence. Also, as I said, this is not about the root, it is about your ou

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 05:05:50PM +0300, Daniel Dawalibi wrote a message of 52 lines which said: > our setup requires a CNAME record. Bad setup. (And has always been bad.) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubs

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 01:56:27PM -, John Levine wrote a message of 23 lines which said: > Assuming you mean this (notice the dots): > > Domain.com. CNAME x.y.com. > www CNAME x.y.com. > > it should work. I disagree. I have the same experience as Daniel Dawalibi, it does not wo

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 02:55:18PM +0300, Daniel Dawalibi wrote a message of 99 lines which said: > We are facing a resolving problem on BIND DNS when adding a CNAME RR > for root domain and other records. I don't think that you manage the root domain so you probably mean that you want to add

Re: named DNS resolution latency

2016-04-26 Thread Stephane Bortzmeyer
On Wed, Apr 27, 2016 at 02:33:26AM -0400, digen wrote a message of 169 lines which said: > Any inputs on debugging this problem will be much appreciated. The usual stuff: 1) Is the machine hosting the resolver overloaded? top, for instance 2) is the link to the Internet overloaded? Check yo

Re: g.root-servers.net not reachable anymore

2016-04-14 Thread Stephane Bortzmeyer
On Thu, Apr 14, 2016 at 11:55:04AM +0300, Daniel Dawalibi wrote a message of 22 lines which said: > Do you think it is better to remove it from named.root? Certainly not, your resolver removes it automatically from the list of authoritative servers for the zone. > Is there any impact on the

Re: g.root-servers.net not reachable anymore

2016-04-14 Thread Stephane Bortzmeyer
On Thu, Apr 14, 2016 at 08:35:00AM +0200, Daniel Stirnimann wrote a message of 14 lines which said: > Looks like you are not alone! > > https://atlas.ripe.net/dnsmon/group/g-root Only broken over UDP. Works on TCP and still replies to traceroute. _

Re: Resolution differences for getaddrinfo versus host/dig/delv

2015-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2015 at 12:19:57PM +, Phil Mayers wrote a message of 44 lines which said: > I suspect getaddrinfo isn't parsing the DNS response for some reason. ... > Obviously the *.thing on the RHS of the first CNAME is weird, but is it > illegal? Yes, for a *host* name (no for a *doma

Re: How are DNS Records added dynamically in DNS Servers?

2015-09-07 Thread Stephane Bortzmeyer
On Mon, Sep 07, 2015 at 03:33:00PM +0530, Harshith Mulky wrote a message of 60 lines which said: > How do System administrators add DNS Zone records in DNS Servers? By not using outlook.com for email :-) No, I'm kidding, there are several ways: > Is there a specific way the records are added

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
On Tue, Feb 17, 2015 at 07:34:37AM +1100, Mark Andrews wrote a message of 171 lines which said: > The validator is *not* supposed to *check* if the zone has been > signed with all the alogorithms in the DS RRset. It is supposed to > keep trying all RRSIG/DS/DNSKEY combinations until it succee

[DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
[The domain has recently changed its configuration so do not test it.] With Unbound, I get a SERVFAIL: % dig DNSKEY cepn.asso.fr ; <<>> DiG 9.9.5-8-Debian <<>> DNSKEY cepn.asso.fr ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62442 ;; flags: qr rd ra

SERVFAIL when increasing recursive-clients? (Was: bind-users Digest, Vol 1902, Issue 2

2014-08-01 Thread Stephane Bortzmeyer
On Fri, Aug 01, 2014 at 09:56:53AM +0700, Xuan Hung wrote a message of 298 lines which said: > I think this problem of me, need have version new of Bind. 9.9.5 is quite recent. Actually, it is the latest in 9.9 branch. What makes you think upgrading would change anything? > I think resolver

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-15 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 07:14:57PM -0700, Paul B. Henson wrote a message of 56 lines which said: > I also don't think this is what educause is doing, as I haven't had > any trouble entering DS records for published but not activated > KSK's in the past, You can also note that it is quite comm

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 10:40:19PM +0200, Stephane Bortzmeyer wrote a message of 19 lines which said: > So, I suspect a bug in EDUCAUSE. Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU issue. ___ Please visit ht

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 01:24:38PM -0700, Paul B. Henson wrote a message of 135 lines which said: > And finally, the new key I just created, for which I'm trying to add DS > records. The dsset file created by dnssec-signzone says these records should > be: I find the same values as you, using

Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Stephane Bortzmeyer
On Wed, May 21, 2014 at 12:56:32PM +0100, Simon Waters wrote a message of 58 lines which said: > BIND 9 logs report: RRSIG has expired for "www.ise.gov" Indeed. www.ise.gov.43200 IN RRSIG CNAME 5 3 43200 ( 20140513120652 20140413120652

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers wrote a message of 25 lines which said: > dig @server zone axfr >file > diff file file.real If you're really paranoid, it may not be sufficient since a server may reply differently to "normal" DNS queries and to zone file transfer requests

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Stephane Bortzmeyer
On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers wrote a message of 25 lines which said: > dig @server zone axfr >file > diff file file.real diff is not clever enough, you'll find many spurious differences. Try feeding the two files (the local one and the AXFRed one) through named-compil

Re: source address problem

2014-02-04 Thread Stephane Bortzmeyer
On Tue, Feb 04, 2014 at 10:40:46AM +0100, ro...@ip-plus.net wrote a message of 19 lines which said: > I use the options query-source, notify-source, and transfer-source. > Still I get outgoing queries with another source address. Are you sure they come from BIND and not from, say, a dig runni

Re: Rate-limiting - working? How to test?

2014-01-17 Thread Stephane Bortzmeyer
On Fri, Jan 17, 2014 at 01:34:00PM +, John Horne wrote a message of 40 lines which said: > log-only yes; >From the ARM: Use log-only yes to test rate limiting parameters without actually dropping any requests. > I get 10 correct responses. It makes sense.

Re: Does anyone have DNSSEC problem with uscg.mil

2013-11-15 Thread Stephane Bortzmeyer
These name servers have another interesting feature: the serial number is different depending on whether you set the DO bit or or: % dig +short +dnssec +bufsize=4096 @ns1.uscg.mil SOA uscg.mil osc-bloxmaster.iap.uscg.mil. hostmaster.uscg.mil. 2012079853 10800 1080 604800 900 ... % dig +short +nod

Re: Gi/Gn DNS for telecoms

2013-11-15 Thread Stephane Bortzmeyer
On Fri, Nov 15, 2013 at 02:47:10PM +0530, benjamin fernandis wrote a message of 50 lines which said: > Can we use bind DNS for Gi/Gn DNS? I have no idea what Gi/Gn is. Can anyone post an explanation? ___ Please visit https://lists.isc.org/mailman/li

Re: DNS 64 and the new domain ipv4only.arpa

2013-10-21 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 12:47:38AM +1100, Mark Andrews wrote a message of 98 lines which said: > dns64 { > clients { me; }; > break-dnssec yes; > }; OK, it works without the DO bit ("dig +nodnssec", I had +dnssec in my ~/.digrc) or with "break-dnssec ye

DNS 64 and the new domain ipv4only.arpa

2013-10-21 Thread Stephane Bortzmeyer
I try to understand DNS64 and there is a problem I don't get. I have BIND configured with: dns64 2001:db8:1:64::/96 { // Network-Specific Prefix clients { me; }; }; and it works, synthesis happens when the domain name has no records: % dig +cd @localhost -p 90

Logging of rate-limited queries way too talkative

2013-09-29 Thread Stephane Bortzmeyer
I'm trying RRL on the new BIND 9.9.4. When RRL steps in, if I understand the documentation properly, two things are logged, a summary of the beginning and end of RRL, and one message per rejected query (!) Since RRL is used when there is an attack, there are *many* such messages. Worse, the defaul

SERVFAIL when two SOA in the domain

2013-08-29 Thread Stephane Bortzmeyer
One of my contacts noticed that you cannot query 42.fr's SOA with BIND: SERVFAIL. Querying other types, or using Unbound (or Google Public DNS) instead of BIND works. The only thing special he sees is the double SOA: % dig SOA 42.fr ; <<>> DiG 9.9.2-P1 <<>> SOA 42.fr ;; global options: +cmd ;; G

Re: How to get AD flag

2013-08-02 Thread Stephane Bortzmeyer
On Fri, Aug 02, 2013 at 10:49:22AM +0530, rams wrote a message of 41 lines which said: > I have 9.7 bind installed and configured recursive. When i query > against forwader i am not getting AD flag. Could you please guide me > how to get AD flag. Several possible reasons: 1) Unsigned domain

[auto-dnssec] Switching to NSEC3 leaves behind stale NSEC signatures?

2013-07-31 Thread Stephane Bortzmeyer
I have a zone maintained by: inline-signing yes; auto-dnssec maintain; update-policy local; I switched it from the default NSEC to NSEC3 with: rndc signing -nsec3param 1 0 10 68f499ee auto.rd.nic.fr It seems to work but the zone still contains NSEC signatures (but no N

Re: auto-dnssec maintain and no key: no error message?

2013-07-30 Thread Stephane Bortzmeyer
On Tue, Jul 30, 2013 at 09:50:46AM -0500, Jeremy C. Reed wrote a message of 7 lines which said: > > Of course, there is no signature: > > > > % dig +multi @localhost SOA auto.rd.nic.fr > > Add +dnssec [I thought it was in my .digrc.] It changes nothing. Without a key, BIND could not create

auto-dnssec maintain and no key: no error message?

2013-07-30 Thread Stephane Bortzmeyer
When I run a BIND with "auto-dnssec maintain" and "inline-signing yes", if I create no key, there is no error message and, worse, the log file says the zone is signed: Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (unsigned): loaded serial 2013073000 Jul 30 16:31:42 u12-33673 name

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-29 Thread Stephane Bortzmeyer
On Fri, Jul 26, 2013 at 03:37:46PM +0200, Stephane Bortzmeyer wrote a message of 19 lines which said: > Apparently, it worked without it but, when you use it, there is no > longer this undecipherable warning. Actually, it reappeared: 28-Jul-2013 23:19:29.824 zone example/IN (signed

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-26 Thread Stephane Bortzmeyer
On Fri, Jul 26, 2013 at 08:52:04AM +0200, Stephane Bortzmeyer wrote a message of 24 lines which said: > Yes. I tested with two keys, a KSK and a ZSK and the warning > disappears. Another solution, even if using only one key, is to add: update-policy local; # Necessary, says t

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-26 Thread Stephane Bortzmeyer
On Fri, Jul 26, 2013 at 08:54:26AM +0200, Stephane Bortzmeyer wrote a message of 23 lines which said: > I just tried, and same warning: But only at startup and not afterwards so it is an improvment. ___ Please visit https://lists.isc.org/mail

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-25 Thread Stephane Bortzmeyer
On Wed, Jul 24, 2013 at 09:58:08AM -0700, David Newman wrote a message of 89 lines which said: > Not sure if this is the problem, but have you tried with > "managed-keys-directory" in options instead of "key-directory"? I just tried, and same warning: 26-Jul-2013 08:53:43.637 running 26-Jul-

Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-25 Thread Stephane Bortzmeyer
On Thu, Jul 25, 2013 at 12:05:35AM +0100, Tony Finch wrote a message of 21 lines which said: > Obvious question: does BIND have permission to read the private key? Yes, it runs (it is an experimental setup) as the same user which owns the private key file. > I guess it does since it managed

Re: dns update issue

2013-07-24 Thread Stephane Bortzmeyer
On Wed, Jul 24, 2013 at 10:52:51AM -0400, James Chase wrote a message of 64 lines which said: > However if I try to ping dns3.mandala-designs.com from different > network locations it still returns the IP address of our old server, Probably the usual problem with in-zone name servers: glue no

Re: Can I change the zone file from command line?

2013-07-24 Thread Stephane Bortzmeyer
On Tue, Jul 23, 2013 at 02:30:49PM -0400, Kevin Darcy wrote a message of 565 lines which said: > When you dial a telephone number, do you worry that your dialing may > have "consequences" against telephone numbers that you *didn't* > dial? Seems very unlikely. OK, but switching from a static

Re: New warning message...

2013-07-24 Thread Stephane Bortzmeyer
On Mon, Jul 22, 2013 at 12:39:53PM +0200, Matus UHLAR - fantomas wrote a message of 28 lines which said: > This was discussed here already, and imho this is anti-spf bullshit > like all those "spf breaks forwarding" FUD. The SPF RR is already > here and is preferred over TXT that is generik RR

Re: New warning message...

2013-07-24 Thread Stephane Bortzmeyer
On Mon, Jul 22, 2013 at 03:01:47PM +1000, Mark Andrews wrote a message of 56 lines which said: > It SHOULD have record of type SPF as per RFC 4408. Named will > complain if both types are not present. Then, named is now wrong, since RFC 6686. ___

"auto-dnssec maintain;" and key "missing or inactive and has no replacement"

2013-07-24 Thread Stephane Bortzmeyer
I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My configuration is: options { directory "/tmp/bind"; key-directory "/tmp/bind"; }; zone "example" { type master; file "example"; inline-signing yes; auto-dnssec maintain; }; Apparently, ev

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-19 Thread Stephane Bortzmeyer
On Wed, Jul 17, 2013 at 05:05:31PM -0700, Ray Van Dolson wrote a message of 36 lines which said: > Tried dns-ad...@fbi.gov but got a bounce. :( You want Sandra Bullock's, er, Sarah Ashburn's phone number? http://en.wikipedia.org/wiki/The_Heat_%28film%29 __

Re: Rate-Limit Question

2013-06-14 Thread Stephane Bortzmeyer
On Fri, Jun 14, 2013 at 02:27:50PM +, Manson, John wrote a message of 138 lines which said: > We are running Bind 9.9.2 and would like to invoke the rate-limit > option but named says 'unknown option'. RRL (Response Rate Limiting) is an unofficial patch. You'll have to patch the source fi

Re: querying TLD nameservers - limitations

2013-03-26 Thread Stephane Bortzmeyer
On Sun, Mar 24, 2013 at 04:55:13PM -0700, blrmaani wrote a message of 17 lines which said: > I am developing a monitoring script for internal use and this > requires extensive querying of TLD nameservers (a .. m).tld servers. [TLD operator hat on.] Hard to answer without more details. Reall

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:17:40PM +0100, Stephane Bortzmeyer wrote a message of 19 lines which said: > 1) Choose a XMPP provider. I would recommend Google Talk (gratis, > very reliable) since this is the one I use. If you don't like/use > Google, jabber.org offers a gratis se

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 05:09:16PM +0200, Georg Kahest wrote a message of 20 lines which said: > I'm failing to understand how i should configure my xmpp client ( > pidgin ) without user credentials. Without entering > username/password i can't add the account, and with > username/password i g

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:44:53PM +0200, Georg Kahest wrote a message of 19 lines which said: > I was interested of idling in bind 10 dev channel. So? XMPP is federated, like any good system (like email). You don't need an account in the isc.org email server to use the bind-users mailing lis

Re: jabber.isc.org

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 04:35:39PM +0200, Georg Kahest wrote a message of 19 lines which said: > I'm unable to figure out where does one register for jabber.isc.org > account. I don't speak for ISC but may I ask why you need one? There are many XMPP providers in the world, several of them are

Re: How to Limit DNS Request per ip source ?

2013-01-14 Thread Stephane Bortzmeyer
On Mon, Jan 14, 2013 at 06:36:44PM +0530, Gaurav Kansal wrote a message of 156 lines which said: > I tried the following commands, but unfortunately didn't succeed. Why do you want to limit? If it is against a DoS attack, I warn you that most Netfilter modules (for instance, "state") require

Re: Caching name server - Choosing the root-servers

2012-12-14 Thread Stephane Bortzmeyer
On Fri, Dec 14, 2012 at 09:00:31AM +, Can Şirin wrote a message of 114 lines which said: > I mean, choosing the faster ones (root-servers) is gonna be better > for speed performance. Yes, but BIND does it (testing the fastest) and probably better than you. > Is there any way to configure

Re: multiple entries for TXT record

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 06:31:31AM -0700, enigmedia wrote a message of 34 lines which said: > I wasn't sure if I was "allowed" to have more than one TXT record in > a zone, and when I googled around the only references I saw were to > concatenating multiple name-value pairs into a single recor

Re: multiple entries for TXT record

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 06:08:32AM -0700, enigmedia wrote a message of 29 lines which said: > TXT IN ("v=spf1 a mx ptr ip4:65.49.39.152/29 ~all" >"DZC=DlaVBmG") This is *one* TXT record made of two strings. Whether or not the SPF standard mandates it, it would
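
The point above, that a quoted pair of strings in one RDATA is a single TXT record, is easiest to see on the wire. The following is an added example, not code from the post or from BIND: it encodes and decodes the RFC 1035 TXT RDATA format (length-prefixed character-strings, 255 octets each at most) and then applies the RFC 7208 rules an SPF checker follows, namely that the strings of one record are concatenated with no separator (section 3.3), that records not starting with "v=spf1" are ignored, and that more than one SPF record is a permanent error (section 4.5). The SPF text and the second string are the ones quoted in the message; the rest of the inputs are constructed.

```python
# Added example, not code from the mailing-list post: how one TXT RR holding
# several <character-string>s is encoded (RFC 1035 section 3.3.14) and how an
# SPF checker must read it (RFC 7208 sections 3.3 and 4.5).  Inputs other than
# the two strings quoted in the thread are constructed for illustration.
from typing import List, Optional


def encode_txt_rdata(strings: List[str]) -> bytes:
    """Serialize the RDATA of ONE TXT RR: each string becomes <len><octets>,
    and a single <character-string> may not exceed 255 octets."""
    out = bytearray()
    for s in strings:
        octets = s.encode("ascii")
        if len(octets) > 255:
            raise ValueError("a <character-string> is limited to 255 octets")
        out.append(len(octets))
        out += octets
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> List[str]:
    """Parse TXT RDATA back into its strings, refusing truncated input
    rather than silently returning a shortened string."""
    strings: List[str] = []
    i = 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated <character-string> in TXT RDATA")
        strings.append(rdata[i:i + n].decode("ascii"))
        i += n
    return strings


def spf_record_from_rrset(rrset: List[bytes]) -> Optional[str]:
    """Pick the SPF record out of a TXT RRset given as wire-format RDATAs.

    RFC 7208 section 3.3: the strings of one RR are concatenated with NO
    separator.  Section 4.5: RRs whose text does not start with 'v=spf1'
    are ignored, and more than one SPF record is a permanent error."""
    joined = ["".join(decode_txt_rdata(rdata)) for rdata in rrset]
    spf = [t for t in joined if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not spf:
        return None
    if len(spf) > 1:
        raise ValueError("permerror: multiple SPF records in the TXT RRset")
    return spf[0]


if __name__ == "__main__":
    # The record from the thread: ONE RR carrying two strings.
    one_rr = encode_txt_rdata(["v=spf1 a mx ptr ip4:65.49.39.152/29 ~all",
                               "DZC=DlaVBmG"])
    print(one_rr.hex())
    print(spf_record_from_rrset([one_rr]))   # the second string is glued on
    # The same data as TWO RRs: the SPF record is intact, the other is ignored.
    two_rrs = [encode_txt_rdata(["v=spf1 a mx ptr ip4:65.49.39.152/29 ~all"]),
               encode_txt_rdata(["DZC=DlaVBmG"])]
    print(spf_record_from_rrset(two_rrs))
```

Run as a script it shows the practical consequence: with both strings in one record the checker sees the term "~allDZC=DlaVBmG", which is not a valid mechanism, whereas as two separate records the "DZC=..." string is simply not an SPF record and is skipped.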

Re: [DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Stephane Bortzmeyer
On Tue, Oct 23, 2012 at 06:27:12AM -0700, Casey Deccio wrote a message of 88 lines which said: > The issue here is that no delegation NS records exist for > v1.pcextreme.nl in its parent zone, pcextreme.nl. Thus when any > server (authoritative for both zones) is queried for > v1.pcextreme.nl/

[DNSSEC] Dealing with an inconsistent NSEC

2012-10-23 Thread Stephane Bortzmeyer
It may be a bug in BIND and it is certainly a bug in the zone pcextreme.nl. BIND validating resolvers are unable to get the IP address of v1.pcextreme.nl. I believe this is because of the strange NSEC: tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. RRSIG NSEC which says t
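
What a validator reads out of that NSEC follows from the canonical name ordering of RFC 4034 section 6.1. The following is an added example, not code from the post or from BIND: it implements that ordering, classifies what one NSEC record proves about a query name and type (NXDOMAIN, NODATA, existence, or nothing), and applies the ancestor-delegation rule of RFC 6840 section 4.1, under which a parent-side NSEC at a delegation says nothing about names inside the child zone. The owner and next-owner names are the ones from the NSEC quoted above; all other names and type bitmaps are constructed. Signature verification and the check that the NSEC comes from the right zone are assumed to have been done already and are left out.

```python
# Added example, not code from the mailing-list post: what a validating
# resolver concludes from an NSEC record, using the canonical name ordering of
# RFC 4034 section 6.1 and the ancestor-delegation rule of RFC 6840 section
# 4.1.  The NSEC owner/next names are the ones from the thread; every other
# name and type bitmap below is constructed.  RRSIG validation and the check
# that the NSEC belongs to the zone being queried are assumed done elsewhere.
from typing import Iterable, Tuple

NameKey = Tuple[bytes, ...]


def canonical_key(name: str) -> NameKey:
    """Sort key implementing RFC 4034 canonical DNS name order: labels are
    compared from the root downward, case-insensitively, octet by octet, and
    a name that is a prefix of another (its ancestor) sorts first.  Python
    tuple comparison gives exactly that once labels are reversed and lowercased."""
    name = name.rstrip(".").lower()
    if not name:
        return ()                      # the root name has no labels
    return tuple(reversed(name.encode("ascii").split(b".")))


def _is_strict_ancestor(anc: NameKey, name: NameKey) -> bool:
    return len(anc) < len(name) and name[: len(anc)] == anc


def nsec_check(owner: str, next_name: str, types: Iterable[str],
               qname: str, qtype: str) -> str:
    """Classify what one NSEC RR (owner -> next_name, with its type bitmap)
    proves about <qname, qtype>:

      'exists'          owner == qname and qtype is in the bitmap
      'nodata'          owner == qname and qtype is absent: name exists, type does not
      'delegated'       qname lies below a delegation at owner (NS set, SOA absent);
                        the parent-side NSEC proves nothing about the child zone
      'nxdomain'        qname sorts strictly between owner and next_name
      'not-applicable'  this NSEC says nothing about qname
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    bitmap = {t.upper() for t in types}
    if q == o:
        return "exists" if qtype.upper() in bitmap else "nodata"
    if _is_strict_ancestor(o, q) and "NS" in bitmap and "SOA" not in bitmap:
        return "delegated"
    wrapped = n <= o                   # last NSEC of the chain points back at the apex
    if (o < q < n) or (wrapped and (q > o or q < n)):
        return "nxdomain"
    return "not-applicable"


if __name__ == "__main__":
    # The NSEC quoted in the thread: no NS (and no A) at tools-newerst, and
    # nothing at all between it and v2.pcextreme.nl in canonical order.
    nsec = ("tools-newerst.pcextreme.nl.", "v2.pcextreme.nl.", ["RRSIG", "NSEC"])
    for name in ("v1.pcextreme.nl.", "www.v1.pcextreme.nl.", "a.pcextreme.nl."):
        print(name, "->", nsec_check(*nsec, name, "A"))
    # What the parent zone would have to publish for v1 to be reachable: an
    # NSEC owned by v1 itself, with NS in its bitmap (constructed).
    print(nsec_check("v1.pcextreme.nl.", "v2.pcextreme.nl.",
                     ["NS", "RRSIG", "NSEC"], "www.v1.pcextreme.nl.", "A"))
```

Since "tools-newerst" sorts before "v1" and "v1" before "v2", the quoted NSEC is a signed statement that no name v1.pcextreme.nl (and nothing under it) exists in the parent zone, which is exactly why a validating resolver gives up on the address: the answer it gets for v1.pcextreme.nl cannot be reconciled with that proof. The fix lives in the zone data, as the reply above says, not in the resolver.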

Re: DNS software used by cloudflare

2012-09-18 Thread Stephane Bortzmeyer
On Tue, Sep 18, 2012 at 08:31:13PM +0800, pangj wrote a message of 12 lines which said: > do you know what dns software is used by cloudflare? I don't know. > and how they defend the DDoS against DNS? http://blog.cloudflare.com/65gbps-ddos-no-problem

Re: Glue from Root Servers returns wrong A record, why?

2012-09-11 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 11:47:38AM -0700, Ponga wrote a message of 55 lines which said: > But if I ask any root server, [...] DiG 9.7.3 <<>> -t ns intaq.com > @192.42.93.30 192.42.93.30 is not a root name server.

Re: Root hints updates

2012-09-06 Thread Stephane Bortzmeyer
On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt wrote a message of 466 lines which said: > This is a script to automagically update the root hints file. Since the first thing BIND does at startup is to check the root NS set, and since DNSSEC guarantees that it is genuine, is there sti
