Right now we have our external view for adi.com set up to use
inline-signing with the following entries in our named.conf file;
inline-signing yes;
key-directory "dnssec";
auto-dnssec maintain;
I now need to allow dynamic updates to support letsencrypt which needs
to add txt records when the c
> Just wonder if there is some agreed guidance on what steps I SHOULD take
> to get bind-9.11.0-P2 successfully build on Debian 9.0?
>
>
> /usr/bin/ld: //lib64/libcrypto.a(a_object.o):
> relocation R_X86_64_PC32 against symbol `ASN1_OBJECT_free'
> can not be used when making a shared object;
>
In the following I meant to say 'dnssec-validation' instead of 'dnssec-enable'.
> > https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
> >
> > Towards the end of the blog, there is a short list of possible corner
> > cases that could trip people up during the
> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
>
> Towards the end of the blog, there is a short list of possible corner
> cases that could trip people up during the rollover. If
> you folks can think of others, please do share them.
I found a case where
> In message
>
> , Александр Остапенко writes:
> > Hello.
> >
> > I'm using BIND 9.9.5.
> > My steps:
> >
> >1. Sign zone using 1 ZSK and 2 KSK: a) adding "*auto-dnssec
> >maintain;*" and "*inline-signing yes;*" directive into zone secti
colostate.edu. 172800 IN NS dns1.colostate.edu.
colostate.edu. 172800 IN NS dns3.colostate.edu.
;; Received 119 bytes from 192.41.162.30#53(l.edu-servers.net) in 78 ms
www.cloudsat.cira.colostate.edu. 3600 IN CNAME dpc.cira.colostate.edu
> > That is mostly how I thought it worked. What I had in mind more
> > specifically was:
> >
> > adi.com zone:
> > mackerel.adi.com. IN A 75.100.245.141
> > mackerel.adi.com. IN A 96.85.104.76
> >
> > reverse zones:
> > 141.245.100.75.in-addr.arpa. IN PTR mackerel.adi.com
> > 76.104.85.
rel.adi.com
76.104.85.96.in-addr.arpa.(not yet set up)
With mail going out on only 75.100.245.141 but receiving mail on both.
But receiving mail on both was more work than I had expected, so I am
not going to set that up. When reverse for 96.85.104.76 is finally set
up I will just do a late
This is not a BIND question but I hope people here will know the answer.
We are switching service providers and I understand that many email SPAM
prevention systems insist on the reverse DNS matching the forward DNS.
If I have two A records for our mail server and the reverse record matches
one of
> On 17.03.2016 at 14:53 Thomas Schulz wrote:
>> This is not a BIND question but I hope people here will know the answer
>> We are switching service providers and I understand that many email
>> SPAM prevention systems insist on the reverse DNS matching the forward
We currently have adi.com signed using options:
inline-signing yes;
auto-dnssec maintain;
If I change an A record or add a new A record, will the signing be
automatically updated or do I have to do an rndc sign zone?
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
> On Mon, Feb 22, 2016 at 10:52:25AM -0500, Thomas Schulz wrote:
> > rndc signing -list adi.com in external
> >
> > I get 'No signing records found'
> >
> > Note that we use views and view external is what the world sees. I expected
> > that the
This may be a case of my not understanding what this command should do.
Our domain, adi.com, is signed. But when I issue the following command:
rndc signing -list adi.com in external
I get 'No signing records found'
Note that we use views and view external is what the world sees. I expected
tha
A recommended way to set up a ZSK rollover is to set the inactive date of
the current key one month later than the publish date of the replacement key.
This makes sense as the RRSIG records are created to last one month from
their creation date.
Now if I try to speed up the ZSK rollover to make the
> Looked at the config.log file and see the following messages which to me
> look like linker errors, is that the reason for the compile failure?
>
> Few weeks back I was able to successfully compile 9.9.7 on the same machine
> so not sure what is changed or broken on the system. Thi
As of the time I am sending this, you can point your browser to
http://com.google and get a web page. How did they get com.google
to resolve?
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-us
This last week we had a sudden large increase in the size of the named
process resulting in the machine running out of memory and hanging.
This is with bind 9.9.6 on a Solaris 10 Sparc machine.
I have posted in the past about a steady continuous growth in the
size of the named process. The Subject
I have been asked to dump the statistics to help document a suspected
memory leak in named. When I look at the statistics with Firefox, I see
a nicely formatted set of statistics. If I then dump the statistics to
a file with wget and then use Firefox to view the file, I see data but
there is no for
> On Mon, 13 Oct 2014, Thomas Schulz wrote:
>
> > I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views.
> > The initial process size was 36 MB. The process grew to 184 MB. It grew
> > to 596 MB without the max-cache-size being set and was still growing
>
>> ...
>>> Heh thanks, yeah...initially I was erring on the side of caution and using
>>> 9.9.x because it's served us well (~20k recursive clients without any
>>> significant problems). Meanwhile we've been keeping a close eye on
>>> community comments, and to be honest opinions wax and wane. Ju
> Hi,
>
> After reinitialising the inline-signing process (for example by
> removing the journal files or redeploying the master server) the
> freshly signed zone's serial number will usually be behind the
> authoritative version on the slaves causing transfers to fail
> possibly leading to expir
> ...
> > Heh thanks, yeah...initially I was erring on the side of caution and using
> > 9.9.x because it's served us well (~20k recursive clients without any
> > significant problems). Meanwhile we've been keeping a close eye on
> > community comments, and to be honest opinions wax and wane. Jus
> > Can you copy and paste the "out of memory error" you are seeing? Is it
> > still growing? Does it appear to work?
>
> I see your other thread answers some.
> https://lists.isc.org/pipermail/bind-users/2014-July/093618.html
Unfortunately the logs containing the out of memory errors have been
o
> Date: Tuesday, September 9, 2014 at 10:17 AM
> To: Thomas Schulz
> Cc: "bind-us...@isc.org"
> Subject: Re: bind-9.10.0-P2 memory leak?
>
>>I'm having the exactly same issue. Take a look at my post @ServerFault:
>>http://serverfault.com/questio
> On 9/11/2014 11:51 AM, Mark Elkins wrote:
>> On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote:
>>> Mark,
>>> Depending on implementation, a PTR RRset with multiple
>>> records either
>>>
>>> -- only ever gets answered with the "first" record of the set (in
>>> which case the seco
> Hi,
>
> xxx.com and IP address 192.168.1.100 is just an example domain name and IP
> address. Our boss wants everybody to access our domain example.com through
> browser, then it will redirect to our web site www.example.com. So I want
> to get more information about unexpected impact when we changed
> Hello
>
> I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and
> after a while one of them ended up using all its swap and the named
> process got killed. The other servers are seeing similar behaviour, but
> I restarted named on all of them to postpone further crashes.
>
>
>>>On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote:
>>>> In investigating an out of memory error on a Solaris 8 Sparc
>>>> machine (compiled as a 32 bit executable), I find that the process
>>>> size increase due to the cache does no
> On Thu, Aug 14, 2014 at 02:26:54PM -0500, Bill Christensen wrote:
> > I'm seeing some root server errors on startup:
> >
> > 14-Aug-2014 13:14:08.142 info: host unreachable resolving
> > 'd.gtld-servers.net//IN': 2001:503:ba3e::2:30#53
> > 14-Aug-2014 13:14:08.215 info: host unreachable res
>>On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote:
>>> In investigating an out of memory error on a Solaris 8 Sparc
>>> machine (compiled as a 32 bit executable), I find that the process
>>> size increase due to the cache does not make sense.
>
> On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote:
> > In investigating an out of memory error on a Solaris 8 Sparc
> > machine (compiled as a 32 bit executable), I find that the process
> > size increase due to the cache does not make sense.
> >
In investigating an out of memory error on a Solaris 8 Sparc
machine (compiled as a 32 bit executable), I find that the process
size increase due to the cache does not make sense.
Over about a week the process size had grown to 257 MB, up from an
initial size of 36 MB. But when I dumped the cache
> You'll want to use max-cache-size to enforce a hard limit on the size
> of your cache.
> http://www.zytrax.com/books/dns/ch7/hkpng.html#max-cache-size
>
> /Tim
>
> ---
> Tim Krzywonos
> e:: t...@krzywonos.ca
Thanks for reminding me of that. Now that I have some confidence
that the problem i
> > Have you tried an rndc flush? You can also dump the contents of the
> > cache to find the (approximate) size of the cache. If related to cache,
> > you can tweak parameters to cache, most namely max-cache-size. IIRC,
> > the cache doesn't have a size limit by default.
> >
> > /Tim
> >
>
> Have you tried an rndc flush? You can also dump the contents of the
> cache to find the (approximate) size of the cache. If related to cache,
> you can tweak parameters to cache, most namely max-cache-size. IIRC,
> the cache doesn't have a size limit by default.
>
> /Tim
>
I did an rndc d
We are running Bind on a Sun Sparc machine running Solaris 8. Bind is
built as a 32 bit executable as that is the default and is the way
libcrypto and libxml2 are built. We have been running Bind 9.9.5.
I am now trying Bind 9.9.6b1 as that claims to have fixed some memory
leaks.
For some time now
> Asking again, in a different and more generic form: When rebuilding a
> bind 9.9.4 server running DNSSEC with auto maintain, are there any steps
> I need to take beyond just backing up /var/named/etc/namedb (this is on
> FreeBSD) and restoring?
>
> This server is authoritative and primary, and h
> I just remembered there was also the change to the db file
> having a default raw format on slaves unless specified.
Interesting. I did not notice that when it happened, but now that I
look, I see that my slaves indeed have raw format files. Apparently
the switch over did not require me to do an
>
> Once the DS record is removed from the .edu zone, queriers won't
> expect your zone to be signed any more. At that point, you can leave
> it signed or remove the signatures, and it won't make any difference.
> You just need to wait at least 24 hours from the time the record
> disappears from t
> Views have been in bind "for all recent history".
>
> I've watched this thread and have been biting my tongue as long as I
> could.
>
> I'm a proponent of separating servers and NOT using views, as any of
> you that have taken a class that I've taught will attest.
>
> I've seen too many proble
> > gandi.net +1
> >
> > I transferred from NS to Gandhi in December 1998. I don't know about their
> > hosting of primary DNS but they do host a secondary of mine and it seems to
> > resolve there with an aa flag:
>
> Yep, secondary works, but they can't be a DNSSEC primary.
>
> Steve
We host t
> >> If I was a NetSol customer, I would ask them, "Why not?"
> >
> >And if I were a NetSol customer, I would ask myself, Why?
>
> If I were a capitalist, I'd vote with my wallet and go somewhere with the
> features I want.
Well, we started with them back when they were the only company registeri
Has anyone been able to get Network Solutions to add DS records for
their domain? I am trying to get DS records added for my domain and
so far it looks like Network Solutions can not do that.
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
> You can look at the sequence of changes to the signed zone by using
>
> dig ixfr=2013120400 adi.com @[yourauthserver]
>
> or by applying named-journalprint to the .signed.jnl file, unless the
> journal has been pruned as a result of exceeding the max-journal-size
> setting. But this won't te
I have a question about the serial number as modified by inline signing.
I have a static zone, adi.com, that I am setting up for dnssec. I added
inline-signing yes;
key-directory "dnssec";
auto-dnssec maintain;
to my named.conf file after generating the keys and then did a r
Sorry for the bad advice.
Am I correct in thinking that in the case of a hidden master and a chain
of slaves, that the first publicly accessible slave would do the signing
and that in any case only one instance of bind should do the signing?
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
> Hi!
>
> # named -V
> BIND 9.9.3-rl.13204.02-P2
>
> I have configured slave zones with inline signing:
>
> zone "mydomain.at" {
> type slave;
> file "/etc/bind/mydomain.at";
> masters { 1.2.3.4; };
> key-directory "/etc/bind/keys";
> auto-dnssec main
> On Wed, Nov 27, 2013 at 01:30:37PM -0500, Thomas Schulz wrote:
> > According to the book Dnssec Mastery, I should be able to test if my
> > Bind is correctly set up to use the DLV with the command:
> >
> > dig +dnssec nsec3.dlvtest.dns-orac.net
>
> "dns-oar
According to the book Dnssec Mastery, I should be able to test if my
Bind is correctly set up to use the DLV with the command:
dig +dnssec nsec3.dlvtest.dns-orac.net
And I should expect to see the RRSIG records and see the AD
flag set. I do get the RRSIG records but I do not see the AD flag
> From: Casey Deccio
>
> Before checking the signature, you need to import ISC's public key
> into your key ring. Something like this will work:
>
> curl https://www.isc.org/files/pgpkey2009.txt | gpg --import
>
> Then you can run gpg --verify.
>
> Casey
That is the final piece of information
>
> At Tue, 28 Dec 2010 15:50:23 -0500 (EST), Thomas Schulz wrote:
> >
> > It looks like I am a little dim today. Given gpg and the key, what steps
> > do I do to verify a source package?
>
> General case:
>
> $ gpg --verify sigfile tarball
>
> On 12/23/2010 4:09 PM, Casey Deccio wrote:
> > On Thu, Dec 23, 2010 at 12:49 PM, Oisin McGuinness
> > wrote:
> >
> >> But I can't find any reference to current PGP or other signing keys; does
> >> anyone know where to find
> >> them on the www.isc.org web site or where to obtain them otherwise?
When I copied the key for root from
http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers
I ended up with spaces in the key. I assumed that they should not be there
and removed them. I since noticed that the key in /etc/bind.keys supplied
with the bind distribution has spa
Now that the root is signed, is DLV still useful? Will there be any
clash if I add the managed-keys statement without removing the DLV setup?
Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
In article ,
Cihan Subasi (Garanti Teknoloji) wrote:
>#/usr/local/sbin/named -v
>BIND 9.5.0-P2
> /var/named
>#which named
>/usr/local/sbin/named
> /var/named
>#which rndc
>/usr/local/sbin/rndc
> /var/named
Try 'rndc status' and see what version is reported in that output.
>-Original Mess
In article ,
Andre LeClaire wrote:
>Mark Andrews wrote:
>> In message <497caef2.80...@yahoo.com>, Andre LeClaire writes:
>>> Hello everyone,
>>> I've been seeing these syslog messages for about a week on a FreeBSD
>>> server running BIND 9.4.3-P1:
>>>
>>> Jan 25 02:35:21 asimov named[145]: clien
In article ,
Jan Arild Lindstrøm wrote:
>
>Hi,
>
>ah, of course. I did not think about it as a Solaris bug.
>
>I patched BIND 9.6.0-P1 os.c code so it first checks for the directory
>before it tries the fast approach of just running mkdir. And that of
>course works fine.
>
>But,
In article ,
Frank Bulk - iName.com wrote:
>Yes, I read that last night before posting. I changed it to "256M". Is
>there a way using rndc to see if that "took"?
Note that 9.5.1 reverts the limit to unlimited AND fixes the bug causing
the failure. You should not be running 9.5.0 at all.
>
>
In article ,
David Porsche' wrote:
>All,
>
>I have installed a caching only instance of BIND (9.2.4) on a CentOS
>machine on my internal network. I have noticed that initial DNS requests
>against the server take a rather large amount of time (usually around 7
>seconds). I have done some basic t
In article ,
Leonardo Rodrigues Magalhães wrote:
>
>Peter Dambier wrote:
>> I can confirm bind 9.4 does run on an (IBM, not Intel) 486-SCL/2 with 16 MB.
>> That cpu can address no more than 16 MB.
>>
>> $ cat
In article ,
Sam Wilson wrote:
>In article ,
> Barry Margolin wrote:
>
>> Does anyone still read this list via the comp.protocols.dns.bind Usenet
>> gateway? I do, and ever since the web site and mailing list revamp last
>> month, it has been a real PITA. About 1/3 of the messages in the gro
Change 2489 says to define ISC_SOCKET_USE_POLLWATCH to workaround a
Solaris kernel bug about /dev/poll. How do I know if I should define
this? Should I just assume that if I am running Solaris 8 then I need
to define ISC_SOCKET_USE_POLLWATCH? Is there any down side to defining
this if it is not
In article ,
Torsten Segner wrote:
>Have you set the max-cache-size variable to a reasonable value other than the
>default 32MB?
If you can stand to use a version of bind officially listed as beta, you
might try 9.5.1b3. It fixes a bug in the cache cleani