Re: incorrect section name: $ORIGIN

2019-02-05 Thread @lbutlr
On 4 Feb 2019, at 05:34, Tony Finch wrote: > nsupdate doesn't take zone files as input; OK, then how do I get Bind9.122 to update the .signed files? -- Can't seem to face up to the facts Tense and nervous and I can't relax Can't sleep, bed's on fire Don't touch me I'm a real live wire

incorrect section name: $ORIGIN

2019-02-04 Thread @lbutlr
Here is a domain zone file for example.com which is hosted by covisp.net: $ORIGIN . $TTL 86400 ; 1 day example.com. IN SOA ns1.covisp.net. admin.example.com. ( 2019020100 ; serial 300; refresh (5 minutes)

Re: Refresh of the .signed DNSSEC file?

2019-02-02 Thread @lbutlr
On 02 Feb 2019, at 06:34, Alan Clegg wrote: > when you make changes with "nsupdate -l", does the right thing happen? Hmm. I don’t know, I’ve never done that. Trundles off to read the nsupdate man page. -- W is for WINNIE embedded in ice X is for XERXES devoured by mice

Refresh of the .signed DNSSEC file?

2019-02-02 Thread @lbutlr
Based on having update-policy local; auto-dnssec maintain; in the zone, when I make changes to example.com I was expecting that example.com.signed will be refreshed. This doesn’t seem to be happening. I just went through several domains and changed the serial number and removed an old subdomain

DNSSEC setup hint

2019-01-30 Thread @lbutlr
This may be obvious to everyone else, and it may be documented somewhere in large letters with circles and arrows, but it was a surprise to me. key-directory in named.conf refers to the location for the .private key files, the .key files need to go with the domain conf files. (At least if there

Re: Dnssec setting resolving weird

2019-01-30 Thread @lbutlr
On 30 Jan 2019, at 14:21, Ismael Suarez wrote: > This is puzzling me big time. Maybe I’m missing something obvious. Don’t know. There must be something in the logs? -- 'I don't see why everyone depends on me. I'm not dependable. Even I don't depend on me, and I'm me.’

Re: Selective forwarding?

2019-01-29 Thread @lbutlr
> On 29 Jan 2019, at 00:25, ObNox wrote: > > On 24/01/2019 10:26, Sam Wilson wrote: > Note: I'm assuming a zone expiry of a week to a month. I think that would accommodate most outages. >>> >>> I thought of that too :-) A week would be far enough in my case. >> Be careful of

Re: DNSEC and Bin 9.12

2019-01-29 Thread @lbutlr
On 21 Jan 2019, at 12:32, @lbutlr wrote: > A couple of questions I’d like to thank everyone who helped out on this, got it all sorted, added to the registrar, and it is all working, Now to do it for all the other domains. :) -- The most perfidious way of harming a cause consists of defend

Re: DNSEC and Bin 9.12

2019-01-26 Thread @lbutlr
On 26 Jan 2019, at 12:55, Alan Clegg wrote: > With the appropriate trust anchors in place, data in the zone validates. Everything appears to be working locally at this point, including with "auto-dnssec maintain;" which I swear was not working a few hours ago. Perhaps I tyoped. > Does this

Re: DNSEC and Bin 9.12

2019-01-26 Thread @lbutlr
On 26 Jan 2019, at 12:20, @lbutlr wrote: > I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone > record in name.conf and now everything is behaving as expected when I query > localhost for the DNSSEC info. I should have said, I have upd

Re: DNSEC and Bin 9.12

2019-01-26 Thread @lbutlr
On 21 Jan 2019, at 13:49, Mark Andrews wrote: Thanks for the info on the first two questions. >> Third, what does “not at top of zone” mean in dnssec-verify? > > Some record that should have been at the zone’s apex (name) wasn’t. Either > you passed the wrong > zone name to dnssec-verify or

DNSEC and Bin 9.12

2019-01-21 Thread @lbutlr
A couple of questions. First, guides on setting up DNSSEC say to add dnssec-lookaside auto; in the options, but bind reports an error: /usr/local/etc/namedb/named.conf:35: dnssec-lookaside 'auto' is no longer supported Does this mean the entire declaration is not supported, or that auto should

Re: BIND and UDP tuning

2018-09-30 Thread @lbutlr
On 30 Sep 2018, at 09:59, Alex wrote: > It also tends to happen in bulk - there may be 25 SERVFAILs within the > same second, then nothing for another few minutes. That really makes it seem like either you modem or you ISP is interfering somehow, or is simply not able to keep up. -- 'Who's

Re: DNSSEC and secondary DNS servers

2018-09-12 Thread @lbutlr
On 9 Sep 2018, at 14:58, Mark Elkins wrote: > Umm... this initially looks great but something is seriously strange. The > first numerical value after DS should be the Key ID (or Key Tag). I really > doubt that you would (randomly) create two different DNSKEY records with > sequential Key-ID's

Re: DNSSEC and secondary DNS servers

2018-09-09 Thread @lbutlr
On 08 Sep 2018, at 10:21, Mark Elkins wrote: > Have you DNSSEC Signed your Domain - that is "covisp.net" because I > don't see any DS records for it in the "net" zone. Not yet, I want to have everything working on my side before I go upstream. Hover is pretty simple to setup the DNSSEC but I

Re: DNSSEC and secondary DNS servers

2018-09-09 Thread @lbutlr
On 08 Sep 2018, at 11:46, @lbutlr wrote: > I need to check that I am supposed to generate the digest. to check *HOW* I am supposed to generate the digest. -- Ille Qui Nos Omnes Servabit

Re: DNSSEC and secondary DNS servers

2018-09-08 Thread @lbutlr
On 08 Sep 2018, at 09:59, Niall O'Reilly wrote: > On 8 Sep 2018, at 14:58, @lbutlr wrote: > >> so I think there must be something else. > > You might need to so some other housekeeping: > > https://zonemaster.net/domain_check > http://dnsviz.net/d/c

DNSSEC and secondary DNS servers

2018-09-08 Thread @lbutlr
So, I setup up DNSSEC on my authoritative bind 9.12 server, which was very straightforward and works fine: dig covisp.net +dnssec +short @8.8.8.8 65.121.55.42 A 7 2 86400 20181008122535 20180908122535 17363 covisp.net. pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE

Re: Cause BIND 9.10.6-P1 running dnssec to update zone A record

2018-03-30 Thread @lbutlr
On 2018-03-29 (11:58 MDT), Kim Culhan wrote: > > Made a change to an ip address in an A record and bind is still showing the > old > address. > Updated the serial and it doesn't show the new serial either. > > How can I get bind to update from the data in the zone file? > >

Re: Odd behavior on a secondary server

2018-03-22 Thread @lbutlr
On 2018-03-22 (08:13 MDT), John Miller wrote: > > Is this normal or am I missing something. It is normal. It is confusing, but it is normal. -- Traveling through hyperspace ain't like dusting crops, boy.

Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-03-04 Thread @lbutlr
On Feb 28, 2018, at 09:57, G.W. Haywood via bind-users wrote: > On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote: >> Good morning, I'm trying to make it more difficult for an attacker to >> get my DNS server version. > > Waste of time. The attacks are

questions on allow-query

2018-02-19 Thread @lbutlr
If I set allow-query { 127.0.0.1; [myipblock]; } then my DNS doesn't respond to any other servers, right? This would be bad for being authoritative. So, should I set that and then set allow-query { any; }; in each zone? Is that better than simply setting the IPs that are allowed recursion?

Re: DNS not resolving on google, but is on other services

2018-02-18 Thread @lbutlr
On Feb 17, 2018, at 06:04, Reindl Harald wrote: > "Is google just b0rked?" is mostly wrong to start with As I said, that seems unlikely. But the different behavior from multiple large DNS services was odd. > Delegation > > Failed to find name servers of

Re: DNS not resolving on google, but is on other services

2018-02-18 Thread @lbutlr
On 2018-02-17 (02:48 MST), Niall O'Reilly wrote: > > In my not-very-extensive experience, Google's 8.8.8.8 service seems to have > limited tolerance of badly-behaving authority servers; in such a case, it > seems to give up early and report SERVFAIL. > > As it happens,

Re: Minimum TTL?

2018-02-10 Thread @lbutlr
On 2018-02-10 (12:15 MST), Barry Margolin wrote: > > Just because you have the right to do something doesn't mean it's a > reasonable thing to do. No one has made an argument that would imply this is not reasonable. > And if you're offering a service, you have

Re: Minimum TTL?

2018-02-10 Thread @lbutlr
On 2018-02-09 (21:11 MST), John Levine wrote: > > In article you write: >> For the record, the issue is not RBLs or legitimate domains, it is = >> spammer scum that set super-low DNS because they are shotgunning spam = >> from

Re: Minimum TTL?

2018-02-09 Thread @lbutlr
On 2018-02-08 (08:51 MST), Mukund Sivaraman wrote: > > Also, just for argument's sake, one user wants to extend TTLs to > 5s. Another wants 60s TTLs. What is OK and what is going too far? For the record, the issue is not RBLs or legitimate domains, it is spammer scum that set

Re: Minimum TTL?

2018-02-09 Thread @lbutlr
On 2018-02-08 (03:10 MST), Michelle Konzack wrote: > > Hi, > > Am 2018-02-08 hackte LuKreme in die Tasten: >> Is it possible to tell bind to ignore very short TTLs and enforce >> a...say... 5 second minimum TTL? > > VERY SHORT TTL? YEs. > 5 sec minimum? Yes.

Re: SOA settings

2018-02-03 Thread @lbutlr
On 2 Feb 2018, at 12:57, Warren Kumari <war...@kumari.net> wrote: > > ) yes, that is 15 seconds, and is almost definitely not what > you want. That's what I figured. I suspect, based on the spacing in the file, someone<1> inadvertently deleted the 'm'. Thanks all (and yes, that was /PART/ of an

SOA settings

2018-02-01 Thread lbutlr
I am looking at a config file and seeing: 2017112100 ; serial 1H ; refresh 15 ; retry 1w ; expire 1H ; minimum Is that 15 15 seconds? I'm guessing it should be 15m? -- ADVANCE TO THE REAR!

Bind with dnscrypt-proxy

2017-04-13 Thread lbutlr
Running bind 9.9.9 and am interested in setting up dnscrypt to go with it. Is dnscrypt-proxy the right way to go, or encrypt-wrapper? (it looks like wrapper is a client tool and that -proxy is what actually talks to the clients). If anyone has done this is it reasonably simple to setup and

Re: Reasons to upgrade?

2017-01-18 Thread lbutlr
On 2017-01-18 (09:07 MST), Mukund Sivaraman <m...@isc.org> wrote: > > On Wed, Jan 18, 2017 at 08:02:04AM -0700, lbutlr wrote: >> It looks like there are three versions of Bind currently supported, >> 9.9.9, 9.10, and 9.11. >> >> Are there specific reasons to

Reasons to upgrade?

2017-01-18 Thread lbutlr
It looks like there are three versions of Bind currently supported, 9.9.9, 9.10, and 9.11. Are there specific reasons to move from 9.9 to 9.10 or 9.11 other than the usual "it's newer and you're going to have to move at some point anyway"? Any gotchas? -- Apple broke AppleScripting signatures

Re: base domain doesn't respond with an IP

2016-11-02 Thread lbutlr
On Nov 2, 2016, at 3:24 AM, Alberto wrote: > @INAip.ip.ip.ip Ah, of course! Thanks!

Re: compile and install from source

2015-03-31 Thread @lbutlr
On Mar 31, 2015, at 02:46, Mathieu Arnold <m...@freebsd.org> wrote: +--On 30 mars 2015 19:32:09 -0600 @lbutlr <krem...@kreme.com> wrote: | # /usr/local/sbin/named -u bind -c /etc/namedb/named.conf \ | -t /var/named | | Yes, that works without reporting any errors, so the issue appears

Re: compile and install from source

2015-03-30 Thread @lbutlr
On Mar 30, 2015, at 2:30 AM, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote: On 03/30/15 00:35, @lbutlr wrote: Downloaded and compiled bind-9.9.7 (FreeBSD 8.4-RELEASE) and it built fine (./configure make make install). On FreeBSD, building software out of the ports is definitely
