On 02. 08. 24 0:52, Tim Daneliuk wrote:
On 8/1/24 17:14, John Thurston wrote:
After reading the CVE description, it isn't clear to me how the
degraded performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-records for 'foo' will be slower than
On 8/1/24 17:14, John Thurston wrote:
After reading the CVE description, it isn't clear to me how the degraded
performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-records for 'foo' will be slower than expected
2. all queries for 'foo' will be
After reading the CVE description, it isn't clear to me how the degraded
performance is manifest.
If 300 A-records exist for the name 'foo', do we expect:
1. queries for A-records for 'foo' will be slower than expected
2. all queries for 'foo' will be slower than expected
3. every query to the
J,
This issue has been covered by earlier threads, and is mentioned on the
BIND 9.18.28 release notes.
Starting with BIND 9.18.28 changes were made to mitigate performance
impact CVE-2024-1737 BIND database will be slow if a very large
number of RRs exist at the same name.
If you find
Hi,
I run my own validating recursive resolver with BIND 9.18.28.
In the resolver logs I noticed:
01-Aug-2024 10:30:22.294 query-errors: info: client @0xec879280280
127.0.0.1#14435 (bf10x.hubspotemail.net): query failed (too many
records) for bf10x.hubspotemail.net/IN/A at
We have just upgraded the "bind-esv" repository from BIND 9.16.50 to
BIND 9.18.27, i.e. the same version as in the "bind" repository.
We will try to keep everyone informed about further major version
upgrades in our package repositories in the coming months.
--
Best regards,
Michał Kępień
--
Actually, now that we are polishing the last bits of 9.20.0 would be a good
time to start
9.16->9.18 transition.
The current plan is that on next Wednesday (next week), the bind-esv
repositories will
be bumped from 9.16 to 9.18, the 'bind' repository will stay on 9.18 until 9.20
is released,
> Have you considered scheduling the change in version published in each COPR
> repository so it does /not/ coincide with the release of a new version of
> BIND?
>
> I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I
> hit a stumbling block during the last "roll over" event,
Thurston
Sent: Monday, June 17, 2024 11:19 AM
To: bind-users@lists.isc.org
Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition
: bind-users@lists.isc.org
Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV
transition
Have you considered scheduling t
Have you considered scheduling the change in version published in each
COPR repository so it does /not/ coincide with the release of a new
version of BIND?
I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND.
I hit a stumbling block during the last "roll over" event, and it
Hi Brian,
> We’ve been using the ISC BIND 9 COPR repositories at
> https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a
> question – is there a planned date to update the “bind-esv” channel to
> provide BIND 9.18 rather than BIND 9.16? Since 9.16 is n
y
provided before executing `dnf upgrade` in the coming weeks.
Thank you,
Darren Ankney
On Fri, Jun 14, 2024 at 10:58 AM Sebby, Brian A. via bind-users
wrote:
>
> No, I haven’t run BIND on Solaris in years – this question is regarding the
> EPEL repos that ISC provides that can be used
No, I haven’t run BIND on Solaris in years – this question is regarding the
EPEL repos that ISC provides that can be used by CentOS and RHEL. I just
mentioned Solaris because there were no binary releases back then, and to thank
ISC since it’s a lot easier to install BIND from the EPEL
On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote:
> I spent years having to compile BIND myself on Solaris
Curious, Solaris 11.4 provides a recent 9.18 ESV release.
Though not the monthly drops that ISC have been providing for a while,
is that what you wanted?
Mr. Stacey Marshall
We’ve been using the ISC BIND 9 COPR repositories at
https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a
question – is there a planned date to update the “bind-esv” channel to provide
BIND 9.18 rather than BIND 9.16? Since 9.16 is now EOL we’ve switched to using
In the dnssec.log file I only found references to normal key rotation.
Adding the section for update_security and running at trace 99 didn't
provide _any_ update_security log output, nor did it provide any extra
output to the update log.
even when running in single combined log format I
Please allow me to refocus this thread to the original question.
I'm asking about the logging facility with respect to the "update"
section of code in ISC's bind9 product.
Yes, I understand update-policy choices/errors will generate the REFUSED
response.
_I'm only asking about t
s: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 7b100d5f1abe6a330100662eea5988229ff2514536e1 (good)
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 274739 IN NS a.root-servers.net.
. 274739 IN NS g.roo
On 2024-04-26 16:45, Josh Kuo wrote:
In this particular case, isn't the resolver attempting to do a reverse
lookup of the IP address that's listed ?
You are right, I missed that this is a reverse-mapping zone. In that
case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa"
On 2024-04-26 16:28, Mark Andrews wrote:
DS records live in the parent zone and the RFC 1034 rules for serving zone
break down when a grandparent zone and child zone are served by the same
server. This is corrected by the client by looking for intermediate NS records
to find the hidden
>
> In this particular case, isn't the resolver attempting to do a reverse
> lookup of the IP address that's listed ?
>
>
You are right, I missed that this is a reverse-mapping zone. In that case,
run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and you'll see
the problem.
DS records live in the parent zone and the RFC 1034 rules for serving zone
break down when a grandparent zone and child zone are served by the same
server. This is corrected by the client by looking for intermediate NS records
to find the hidden delegations then resuming the DS lookup.
On 2024-04-25 08:55, Josh Kuo wrote:
DS = Delegation Signer, it is the record type that a signed child uploads
to the parent zone. It's difficult to say for sure without more
information such as which domain name you are trying to resolve, but
looks like it is probably due to a mis-matching DS
DS = Delegation Signer, it is the record type that a signed child uploads to
the parent zone. It's difficult to say for sure without more information
such as which domain name you are trying to resolve, but looks like it is
probably due to a mis-matching DS record between the child and the parent
Hello,
I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I
noticed the following:
22-Apr-2024 19:25:59.614 lame-servers: info: chase DS servers
resolving '180.96.34.in-addr.arpa/DS/IN': 216.239.34.102#53
What does "chase DS servers" mean ?
Thanks,
- J
> -Original Message-
> From: bind-users On Behalf Of Jan
> Schaumann via bind-users
> Sent: Tuesday, 26 March 2024 14:44
> To: bind-users@lists.isc.org
> Subject: Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records
>
> Karl Auer
/docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
Simplified, the authoritative performs the "CNAME"
chain resolution (because it controls the zones in
question) and returns the final result so the client
doesn't have to chase CNAM
On Tue, 2024-03-26 at 08:00 -0400, Victoria Risk wrote:
> We have a knowledgebase article on the topic of ‘alias’ records:
> https://kb.isc.org/docs/aa-01640. The article is a bit out of date,
> but still basically valid. It is not specific to the implementation
> you mention however.
Thanks!
Karl,
We have a knowledgebase article on the topic of ‘alias’ records:
https://kb.isc.org/docs/aa-01640. The article is a bit out of date, but still
basically valid. It is not specific to the implementation you mention however.
Vicky
> On Mar 26, 2024, at 7:49 AM, Karl Auer wrote:
>
> I'm
I'm puzzled by the ClouDNS "ALIAS" record. I was wondering if anyone
knows how it is handled "under the hood"?
It seems to be a non-standard extension that some DNS providers
support. It seems to work similarly to, but not quite the same way as,
a CNAME. Its big advantage over a CNAME is that it
-users@lists.isc.org
Sent: Wednesday 17 January 2024 16:00
Subject: Re: Question about authoritative server and AA Authoritative Answer
Hi again.
Please start a packet capture on the auth server. This should do it:
sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53
Then from pc1, please do
Michel Diemer via bind-users wrote:
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
This response message has the QR flag, the AA flag and the RD flag
turned on. The message contains 1 copy of the query, 0 answers to the
query, 1 reference to an authoritative nameserver
ngs (dynamic dns, fixed ip
> address, dhcp provided ip address, ...).
>
> For this specific question about authoritative server, pc1 has a fixed ip
> address. Ubuntu's networkd-resolved local dns caching and stub is disabled,
> (Cache=no, DNSStubListener=no). For this specific que
, ...).
For this specific question about authoritative server, pc1 has a fixed ip
address. Ubuntu's networkd-resolved local dns caching and stub is disabled,
(Cache=no, DNSStubListener=no). For this specific question, I have only two
computers, one authoritative non-recursive dns server and a generic computer
named pc1
answers ?
The ones where the answer count was zero (look for "ANSWER: 0,”).
> From: "Mark Andrews"
> To: pub.dieme...@laposte.net,"bind users"
> Sent: Sunday 14 January 2024 23:54
> Subject: Re: Question about authoritative server and AA Authoritative
kd.
>
>
> Kind Regards,
>
> Michel Diemer.
>
>
>
> From: "Greg Choules"
> To: pub.dieme...@laposte.net,bind-users@lists.isc.org
> Sent: Sunday 14 January 2024 23:28
> Subject: Re: Question about authoritative server and AA Authoritative Answer
>
> Hi
hel Diemer.
From: "Greg Choules"
To: pub.dieme...@laposte.net,bind-users@lists.isc.org
Sent: Sunday 14 January 2024 23:28
Subject: Re: Question about authoritative server and AA Authoritative Answer
Hi Michel.
Please can you send the following information:
- name and IP address of the
and it answers
just A type queries itself, but forwards SOA and NS queries.
Cheers,
Petr
On 14. 01. 24 23:04, Michel Diemer via bind-users wrote:
Dear bind users,
I have already asked a similar question which was more about DNS in
general, this one is very specific about the AA bit.
Today's
> On 15 Jan 2024, at 09:04, Michel Diemer via bind-users
> wrote:
>
> Dear bind users,
>
> I have already asked a similar question which was more about DNS in general,
> this one is very specific about the AA bit.
>
> Today's question is : « "dig pc1.r
org> wrote:
> Dear bind users,
>
> I have already asked a similar question which was more about DNS in
> general, this one is very specific about the AA bit.
>
> Today's question is : *« "dig pc1.reseau1.lan ns"** show AUTHORITY: 1 and
> "dig pc1.reseau1.lan
Dear bind users,
I have already asked a similar question which was more about DNS in general,
this one is very specific about the AA bit.
Today's question is : « "dig pc1.reseau1.lan ns" show AUTHORITY: 1 and "dig
pc1.reseau1.lan" shows AUTHORITY: 0. Which setting or kn
Hi there,
On Wed, 13 Dec 2023, Greg Choules wrote:
If your server can reach the Internet it can recurse all on its own.
And for extra information, I recommend you give the '+trace' option to dig.
I hope that helps.
Ditto. :)
--
73,
Ged.
Hi Michel.
You will get an authoritative answer (AA bit = 1) if the server is either
primary (master) or secondary (slave) for the QNAME (query name); in this
case "reseau1.lan". From the config snip you provided this is because you
have the config:
zone "reseau1.lan" {
type master;
...
};
If
On Wed, Dec 13, 2023 at 05:29:02PM +0100,
Michel Diemer via bind-users wrote
a message of 1723 lines which said:
> another virtual machine that uses the first one as isc dhcp and dns
> server.
An important thing about DNS: there are two types of DNS servers, very
different. Resolvers and
Dear Bind user,
I am a teacher and trying to understand how dns works. I am spending hours
reading various sources without finding satisfying information. For teaching
purposes I have created a virtual machine with isc dhcp server and bind9 and
another virtual machine that uses the
an.
> >
> >Can I upgrade BIND DNS Server manually? Will it cause problems with
> >Virtualmin / Webmin?
>
>
> I think this is question for webmin/virtualmin, but from what I know about
> webmin it tends to edit local configuration, so I guess it will edit primary
>
think this is question for webmin/virtualmin, but from what I know about
webmin it tends to edit local configuration, so I guess it will edit primary
zone file.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising
Subject: Question on ISC BIND DNS Server
Good day from Singapore,
I have Virtualmin / Webmin web hosting server control panel. I have 2
Virtual Private Servers in Germany and 1 Virtual Private Server in
Japan.
Can I upgrade BIND DNS Server manually? Will it cause problems with
Virtualmin
It means something in your network sent a query containing the literal URL
below. The message is just misleading - the resolver tries to do QNAME
minimization on it, it fails, switches to full name which ends with NXDOMAIN
from root.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and
People accidentally enter urls as domain names into tools.
https://app-measurement.com/sdk-exp/A is
a legal, but unusual, domain name consisting of 3 labels
'https://app-measurement’, 'com/sdk-exp/A’ and ‘.’.
Mark
> On 4 Nov 2023, at 13:29, Nick Tait via bind-users
> wrote:
>
> Hi J.
>
>
Hi J.
I'm not sure what the cause of the URLs is, but I can confirm I'm seeing
the same URLs in my own logs. The queries originate from multiple
devices on my internal network - all Apple devices I think.
My advice: I wouldn't waste too much effort trying to solve this one, as
it is almost
Hello,
On a Bind 9.18.19 server configured as a recursive resolver, I sometimes
see URL's being noted in the log files.
One such example is:
02-Nov-2023 23:32:19.435 lame-servers: info: success resolving
'https://app-measurement.com/sdk-exp/A' after disabling qname
minimization due to
Hello,
I have a basic recursive resolver configuration with Bind 9.18.19 that
acts as the resolver for some VPN roadwarrior clients (a mix of Apple
iOS and macOS clients).
Periodically I will see the following in my logs:
02-Nov-2023 15:06:27.658 resolver: info: loop detected resolving
1. since I use HSM(now is softhsm) to store the DNSSEC key, is it more
insecure to convert the key(s) from HSM to .private file with
dnssec-keyfromlabel ?
keys are not actually 'converted' with this utility; instead the .private file
links to the corresponding private (and typically
Hi,
The KB article was written before dnssec-policy. Unfortunately, OpenSSL
with engine_pkcs11 does not support creating keys. So if you want to use
an HSM with dnssec-policy, you will need to create the keys yourself and
you can then import them in the key-directory with dnssec-keyfromlabel.
hi,
I have tried the DNSSEC sign testing according the document,
https://kb.isc.org/docs/bind-9-pkcs11
(and section 5.5 of the Bv9ARM of version 9.18.16)
I have two questions about it,
1. since I use HSM(now is softhsm) to store the DNSSEC key, is it more
insecure to convert the key(s) from
On Thu, Jun 08, 2023 at 07:57:12PM +, Evan Hunt wrote:
> So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option.
> This needs to be reported as a bug to the systemd maintainers. And, maybe
> delv should have a +nocookie option.
Hmm, on further inspection, I was wrong about
t to 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7870
;; flags: rd cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 8e31ae172137a02f
;; QUESTIO
Hello,
I am trying to use delv (version 19.8.2 on Ubuntu 0.22.04) to troubleshoot
using a custom trust anchor. However, I am getting very strange results
from delv. The short of it is, I must point delv at another validating
resolver (such as @8.8.8.8) for the custom trust anchors (-a) to work.
Pirawat.
> -- Forwarded message --
> From: E R
> To: bind-users@lists.isc.org
> Cc:
> Bcc:
> Date: Tue, 17 Jan 2023 17:28:57 -0600
> Subject: DNSSEC With Primary Hidden - Clarifying Question from
> Documentation
> I am planning on implementing the
On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote:
! I am planning on implementing the current version of BIND to replace the
! aging, undocumented authoritative servers I inherited. I want to hide the
! primary server on our internal network and have two secondary servers be
! publicly
> On 18 Jan 2023, at 10:55, Grant Taylor via bind-users
> wrote:
>
> On 1/17/23 4:45 PM, Michael Richardson wrote:
>> Many people do exactly that.
>
> Sorry, I don't see that as an answer to -- my understanding of -- the OP's
> question of "Does the primar
On 1/17/23 4:45 PM, Michael Richardson wrote:
Many people do exactly that.
Sorry, I don't see that as an answer to -- my understanding of -- the
OP's question of "Does the primary server that handles the DNSSEC duties
need to be not hidden / publicly accessible?"
Specifically
E R wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited. I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available. While reading the
I am planning on implementing the current version of BIND to replace the
aging, undocumented authoritative servers I inherited. I want to hide the
primary server on our internal network and have two secondary servers be
publicly available. While reading the DNSSEC Guide
Hi there,
On Mon, 9 Jan 2023, Michael Muller wrote:
Thanks for responding to my question. Again, if there's a better place
to ask this question, I can go there. ...
Taking this off list.
--
73,
Ged.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
Hi G,
Thanks for responding to my question. Again, if there's a better place
to ask this question, I can go there. I did not see an SPF list on the
community list sign-up page <https://www.isc.org/mailinglists/>.
I updated the SPF to include:_spf.google.com instead of include:gma
Hi there,
On Sun, 8 Jan 2023, Mark Andrews wrote:
Please don't hijack an existing thread by replying to an existing message for a
unrelated subject. It is bad form. Just create a new message and send it to
bind-us...@isc.org.
Oh, blast, I missed that, sorry.
--
73,
Ged.
Hi there,
On Sat, 7 Jan 2023, Michael Muller wrote:
This is my first time posting here, and I'm not sure if it's the
right place or not to ask my question. This is a general DNS
question, specifically, I think, SPF.
Probably not really the right place but the SPF users' list has been a
bit
Hello everyone,
>
> This is my first time posting here, and I'm not sure if it's the right place
> or not to ask my question. This is a general DNS question, specifically, I
> think, SPF.
>
> (Btw, I do use Bind in my system, so that's why I'm here.)
>
> I host email using Sma
Hello everyone,
This is my first time posting here, and I'm not sure if it's the right
place or not to ask my question. This is a general DNS question,
specifically, I think, SPF.
(Btw, I do use Bind in my system, so that's why I'm here.)
I host email using SmarterMail, and all 400
On 18.10.22 09:23, Bob McDonald wrote:
There are no outside clients. In this example, I'm only discussing inside
clients on inside DNS. The recursive resolvers that ALL inside clients
connect to will seek responses from the DNS root servers AFTER determining
that the response can not be
Let's not overthink this. I fear that I've activated a lot of creative
circuitry in individuals and provided flimsy details around my example.
There are no outside clients. In this example, I'm only discussing inside
clients on inside DNS. The recursive resolvers that ALL inside clients
connect
On 14. 10. 22 18:08, Bob McDonald wrote:
I'm thinking about redesigning an internal DNS environment. To begin
with, all internal DNS zones would reside on non-recursive servers
only. That said, all clients would connect to recursive resolvers.
The question is this; do I use an internal root
/should reside on the
recursive resolvers. The question of unknown client access to internal
DNS zones is resolved (no pun intended...).
bind supports views, which work like virtual DNS servers, you can define
some zones only in internal views.
you can even support multiple views for internal, wi
On 10/15/22 1:51 PM, Greg Choules via bind-users wrote:
Hi Grant.
Hi Greg,
I'm quickly replying to your message. I'll reply to Matus & Fred later
when I have more time for a proper reply.
My understanding is this, which is almost identical to what I did in a
former life:
client
. The question of unknown client access to internal
DNS zones is resolved (no pun intended...).
RPZ COULD be implemented on ANY of the recursive DNS resolvers.
The tsig key discussion is around its use as a method of allowing
updates to internal DNS zones. Strictly hypothetical. Don't get hung
up
Hi Grant.
My understanding is this, which is almost identical to what I did in a
former life:
client ---recursive_query---> recursive_DNS_server
---non_recursive_query---> internal_auth/Internet
where:
client == laptop/phone/server running stub resolver code
recursive_DNS_server == what Bob is
People do the funniest things with DNS. It's a pretty good key-value
store, especially for read-heavy workloads.
Maybe you update counters for "what clients in this OT environment are
posting telemetry to this web server"? DNS wouldn't be a good choice for
that, but Redis is. But maybe you
If you are an ISP/registry/DNS provider, it makes sense to separate
authoritative zones for your clients' domains, for all those cases
your client move their domains somewhere else without notifying you
(hell, they do that too often), or to be able to prepare moving
domains to your servers.
On 10/15/22 10:34 AM, Matus UHLAR - fantomas wrote:
If you are an ISP/registry/DNS provider, it makes sense to separate
authoritative zones for your clients' domains, for all those cases your
client move their domains somewhere else without notifying you (hell,
they do that too often), or to
On 10/15/22 10:03 AM, Bob McDonald wrote:
My understanding has always been that the recommendation is/was to
separate recursive and non-recursive servers.
I too (had) long shared -- what I'm going to retroactively call -- that
over simplification.
Now I understand I'm talking about an
/registry/DNS provider, it makes sense to separate
authoritative zones for your clients' domains, for all those cases your
client move their domains somewhere else without notifying you (hell, they
do that too often), or to be able to prepare moving domains to your servers.
The question
ecursive resolvers.
>don't they now?
They do. I'm talking about a situation where an edge layer can be
eliminated. Each recursive server would have access out to the
internet. No forwarding would be required.
>>The question is this; do I use an internal root with pointers to the
>>
On 14.10.22 12:08, Bob McDonald wrote:
I'm thinking about redesigning an internal DNS environment. To begin
with, all internal DNS zones would reside on non-recursive servers
only.
why?
That said, all clients would connect to recursive resolvers.
don't they now?
The question is this; do
question is this; do I use an internal root
with pointers to the internal zones (as well as the outside DNS world) or do I
include stub zones to point at the non-recursive internal servers? Access to the
internal DNS zones would be controlled by location. (e.g. guest WiFi devices
would NOT have access
Bob McDonald
>
> I'm thinking about redesigning an internal DNS environment. To begin
> with, all internal DNS zones would reside on non-recursive servers
> only. That said, all clients would connect to recursive resolvers.
>
> The question is this; do I use an internal roo
-recursive servers only. That said, all
clients would connect to recursive resolvers. The question is this; do I use an
internal root with pointers to the internal zones (as well as the outside DNS
world) or do I include stub zones to point at the non-recursive internal
servers? Access to the internal
ts would connect to recursive resolvers.
>
> The question is this; do I use an internal root with pointers to the
> internal zones (as well as the outside DNS world) or do I include stub
> zones to point at the non-recursive internal servers?
>
> Access to the internal DNS zones would be controll
I'm thinking about redesigning an internal DNS environment. To begin
with, all internal DNS zones would reside on non-recursive servers
only. That said, all clients would connect to recursive resolvers.
The question is this; do I use an internal root with pointers to the
internal zones (as well
> On 13 Sep 2022, at 14:34, Peter wrote:
>
> Apparently, the first connect() happens (after chroot but) before
> dropping privileges.
> (The FreeBSD integration script does set -u to UID "bind", by default.)
>
> So, apparently, fstrm_capture should also run as UID "bind" (and would
> then
On Tue, Sep 13, 2022 at 12:24:15PM +0200, Petr Špaček wrote:
! On 12. 09. 22 15:49, Peter wrote:
! > On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote:
! > ! My testing did not uncover anything problematic.
! > !
! > ! Versions:
! > ! fstrm 0.6.1-1
! > ! protobuf 21.5-1
! > ! protobuf-c
On 12. 09. 22 15:49, Peter wrote:
On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote:
! My testing did not uncover anything problematic.
!
! Versions:
! fstrm 0.6.1-1
! protobuf 21.5-1
! protobuf-c 1.4.1-1
!
!
! A procedure which works:
! - start BIND configured with
! options {
!
On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote:
! My testing did not uncover anything problematic.
!
! Versions:
! fstrm 0.6.1-1
! protobuf 21.5-1
! protobuf-c 1.4.1-1
!
!
! A procedure which works:
! - start BIND configured with
! options {
! dnstap { all; };
!
On Mon, Sep 12, 2022 at 12:27:25PM +0200, Borja Marcos wrote:
! I am not sure this is intended behavior, or maybe I should file a bug.
!
! I am doing some tests with dnstap and bind (9.18.6 now but I see the same
behavior with older 9.18 versions). I am using
! dnstap-go.
!
! I have configured
On 12. 09. 22 12:27, Borja Marcos wrote:
Hi,
I am not sure this is intended behavior, or maybe I should file a bug.
I am doing some tests with dnstap and bind (9.18.6 now but I see the same
behavior with older 9.18 versions). I am using
dnstap-go.
I have configured bind to use dnstap with
Hi,
I am not sure this is intended behavior, or maybe I should file a bug.
I am doing some tests with dnstap and bind (9.18.6 now but I see the same
behavior with older 9.18 versions). I am using
dnstap-go.
I have configured bind to use dnstap with no other options and using a Unix
domain
On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote:
Using BIND-9.18.5 as a recursive server:
What's the reason, that BIND answers with the additional section for the
the following query where for example Knot resolver and also PowerDNS
resolver doesn't add the additional section for the same
the specified log file is allowed to contain.
My question has to be, why?
Firstly, querylog is not an efficient way to record information about
what your clients are doing, dnstap is far more efficient if you want a
record of some or all information about queries and/or their responses.
If using files