Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-26 Thread Michał Kępień
We have just upgraded the "bind-esv" repository from BIND 9.16.50 to BIND 9.18.27, i.e. the same version as in the "bind" repository. We will try to keep everyone informed about further major version upgrades in our package repositories in the coming months. -- Best regards, Michał Kępień --

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-18 Thread Ondřej Surý
Actually, now that we are polishing the last bits of 9.20.0 would be a good time to start 9.16->9.18 transition. The current plan is that on next Wednesday (next week), the bind-esv repositories will be bumped from 9.16 to 9.18, the 'bind' repository will stay on 9.18 until 9.20 is released,

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-18 Thread Michał Kępień
> Have you considered scheduling the change in version published in each COPR > repository so it does /not/ coincide with the release of a new version of > BIND? > > I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I > hit a stumbling block during the last "roll over" event,

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Ondřej Surý
Thurston Sent: Monday, June 17, 2024 11:19 AM To: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Robert Wagner
: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition Have you considered scheduling t

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread John Thurston
Have you considered scheduling the change in version published in each COPR repository so it does /not/ coincide with the release of a new version of BIND? I have some hosts tied to the COPR for BIND-ESV, and some tied to BIND. I hit a stumbling block during the last "roll over" event, and it

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Michał Kępień
Hi Brian, > We’ve been using the ISC BIND 9 COPR repositories at > https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a > question – is there a planned date to update the “bind-esv” channel to > provide BIND 9.18 rather than BIND 9.16? Since 9.16 is now EOL we’ve >

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-17 Thread Darren Ankney
m: Stacey Marshall > Date: Friday, June 14, 2024 at 4:09 AM > To: Sebby, Brian A. > Cc: bind-users@lists.isc.org > Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV > transition > > On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote: >

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-14 Thread Sebby, Brian A. via bind-users
1.4305| Argonne National Laboratory From: Stacey Marshall Date: Friday, June 14, 2024 at 4:09 AM To: Sebby, Brian A. Cc: bind-users@lists.isc.org Subject: Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote:

Re: Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-14 Thread Stacey Marshall
On 14 Jun 2024, at 0:32, Sebby, Brian A. via bind-users wrote: > I spent years having to compile BIND myself on Solaris Curious, Solaris 11.4 provides a recent 9.18 ESV release. Though not the monthly drops that ISC have been providing for a while, is that what you wanted? Mr. Stacey Marshall

Re: Question about resolver

2024-04-28 Thread Mark Andrews
This looks like Google has forgotten to create the zone 96.34.in-addr.arpa but has created 180.96.34.in-addr.arpa resulting in answers that should come from 96.34.in-addr.arpa getting REFUSED returned. DNSSEC validation and QNAME minimisation find these sorts of configuration errors.

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:45, Josh Kuo wrote: In this particular case, isn't the resolver attempting to do a reverse lookup of the IP address that's listed ? You are right, I missed that this is a reverse-mapping zone. In that case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa"

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:28, Mark Andrews wrote: DS records live in the parent zone and the RFC 1034 rules for serving zone break down when a grandparent zone and child zone are served by the same server. This is corrected by the client by looking for intermediate NS records to find the hidden

Re: Question about resolver

2024-04-26 Thread Josh Kuo
> > In this particular case, isn't the resolver attempting to do a reverse > lookup of the IP address that's listed ? > > You are right, I missed that this is a reverse-mapping zone. In that case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa" and you'll see the problem.

Re: Question about resolver

2024-04-26 Thread Mark Andrews
DS records live in the parent zone and the RFC 1034 rules for serving zone break down when a grandparent zone and child zone are served by the same server. This is corrected by the client by looking for intermediate NS records to find the hidden delegations then resuming the DS lookup.

Re: Question about resolver

2024-04-26 Thread J Doe
On 2024-04-25 08:55, Josh Kuo wrote: DS = Delegation Signer, it is the record type that a signed child uploads to the parent zone. It's difficult to say for sure without more information such as which domain name you are trying to resolve, but looks like it is probably due to a mis-matching DS

Re: Question about resolver

2024-04-25 Thread Josh Kuo
DS = Delegation Signer, it is the record type that a signed child uploads to the parent zone. It's difficult to say for sure without more information such as which domain name you are trying to resolve, but looks like it is probably due to a mis-matching DS record between the child and the parent

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
-users@lists.isc.org Sent: Wednesday 17 January 2024 16:00 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi again. Please start a packet capture on the auth server. This should do it: sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53 Then from pc1, please do

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Björn Persson
Michel Diemer via bind-users wrote: > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 This response message has the QR flag, the AA flag and the RD flag turned on. The message contains 1 copy of the query, 0 answers to the query, 1 reference to an authoritative nameserver

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
lags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > > *Why AUTHORITY: 0 and not AUTHORITY: 1 ???* > > From: "Greg Choules" > To: pub.dieme...@laposte.net,bind-users@lists.isc.org > Sent: Monday 15 January 2024 18:27 > Subject: Re: Question about authoritative se

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
.org Sent: Monday 15 January 2024 18:27 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi again and thanks for that. I'm still not exactly clear on the setup. I think the auth server is 172.16.0.254 (I don't know what pc1 is). But anyway, looking at your resul

Re: Question about authoritative server and AA Authoritative Answer

2024-01-16 Thread Mark Andrews
answers ? The ones where the answer count was zero (look for "ANSWER: 0,"). > From: "Mark Andrews" > To: pub.dieme...@laposte.net,"bind users" > Sent: Sunday 14 January 2024 23:54 > Subject: Re: Question about authoritative server and AA Authoritative

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
kd. > > > Kind Regards, > > Michel Diemer. > > > > From: "Greg Choules" > To: pub.dieme...@laposte.net,bind-users@lists.isc.org > Sent: Sunday 14 January 2024 23:28 > Subject: Re: Question about authoritative server and AA Authoritative Answer > > Hi

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Michel Diemer via bind-users
hel Diemer. From: "Greg Choules" To: pub.dieme...@laposte.net,bind-users@lists.isc.org Sent: Sunday 14 January 2024 23:28 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi Michel. Please can you send the following information: - name and IP address of the

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Petr Menšík
Please use home.arpa, as defined by RFC 8375. Or better use existing and registered domain of you or your organization. What kind of resolver is running on DNS server? Which version? I would guess dnsmasq or similar. That is willing and able to forward just queries of selected types, while

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Mark Andrews
> On 15 Jan 2024, at 09:04, Michel Diemer via bind-users > wrote: > > Dear bind users, > > I have already asked a similar question which was more about DNS in general, > this one is very specific about the AA bit. > > Today's question is : « "dig pc1.reseau1.lan ns" show AUTHORITY: 1 and

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
Hi Michel. Please can you send the following information: - name and IP address of the authoritative server - the full contents of the zone file for "reseau1.lan" - name and IP address of the other server - what does this server do? - What is the machine "pc1", on which you are running the digs? -

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread G.W. Haywood
Hi there, On Wed, 13 Dec 2023, Greg Choules wrote: If your server can reach the Internet it can recurse all on its own. And for extra information, I recommend you give the '+trace' option to dig. I hope that helps. Ditto. :) -- 73, Ged. -- Visit

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel. You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config: zone "reseau1.lan" { type master; ... }; If

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Stephane Bortzmeyer
On Wed, Dec 13, 2023 at 05:29:02PM +0100, Michel Diemer via bind-users wrote a message of 1723 lines which said: > another virtual machine that uses the first one as ics dhcp and dns > server. An important thing about DNS: there are two types of DNS servers, very different. Resolvers and

Re: Question on ISC BIND DNS Server

2023-11-22 Thread Turritopsis Dohrnii Teo En Ming
On Thu, 23 Nov 2023 at 00:07, Matus UHLAR - fantomas wrote: > > On 22.11.23 23:44, Turritopsis Dohrnii Teo En Ming wrote: > >I have Virtualmin / Webmin web hosting server control panel. I have 2 > >Virtual Private Servers in Germany and 1 Virtual Private Server in > >Japan. > > > >Can I upgrade

Re: Question on ISC BIND DNS Server

2023-11-22 Thread Matus UHLAR - fantomas
On 22.11.23 23:44, Turritopsis Dohrnii Teo En Ming wrote: I have Virtualmin / Webmin web hosting server control panel. I have 2 Virtual Private Servers in Germany and 1 Virtual Private Server in Japan. Can I upgrade BIND DNS Server manually? Will it cause problems with Virtualmin / Webmin? I

Re: Question about URL being logged by resolver

2023-11-04 Thread Ondřej Surý
It means something in your network sent a query containing the literal URL below. The message is just misleading - the resolver tries to do QNAME minimization on it, it fails, switches to full name which ends with NXDOMAIN from root. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and

Re: Question about URL being logged by resolver

2023-11-04 Thread Mark Andrews
People accidentally enter urls as domain names into tools. https://app-measurement.com/sdk-exp/A is a legal, but unusual, domain name consisting of 3 labels 'https://app-measurement', 'com/sdk-exp/A' and '.'. Mark > On 4 Nov 2023, at 13:29, Nick Tait via bind-users > wrote: > > Hi J. > >

Re: Question about URL being logged by resolver

2023-11-03 Thread Nick Tait via bind-users
Hi J. I'm not sure what the cause of the URLs is, but I can confirm I'm seeing the same URLs in my own logs. The queries originate from multiple devices on my internal network - all Apple devices I think. My advice: I wouldn't waste too much effort trying to solve this one, as it is almost

Re: question about DNSSEC with PKCS11

2023-08-15 Thread Jan-Piet Mens
1. since I use HSM(now is softhsm) to store the DNSSEC key, does it more insecure to convert the key(s) from HSM to .private file with dnssec-keyfromlabel ? keys are not actually 'converted' with this utility; instead the .private file links to the corresponding private (and typically

Re: question about DNSSEC with PKCS11

2023-08-08 Thread Matthijs Mekking
Hi, The KB article was written before dnssec-policy. Unfortunately, OpenSSL with engine_pkcs11 does not support creating keys. So if you want to use an HSM with dnssec-policy, you will need to create the keys yourself and you can then import them in the key-directory with dnssec-keyfromlabel.

Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
On Thu, Jun 08, 2023 at 07:57:12PM +, Evan Hunt wrote: > So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option. > This needs to be reported as a bug to the systemd maintainers. And, maybe > delv should have a +nocookie option. Hmm, on further inspection, I was wrong about

Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
On Thu, Jun 08, 2023 at 09:54:15AM -0400, Josh Kuo wrote: > *$ delv -a right.key www.example.com . A*;; broken > trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53 > ;; resolution failed: broken trust chain The address 127.0.0.53 was the clue I needed to figure

Re: Question About Internal Recursive Resolvers

2022-10-19 Thread Matus UHLAR - fantomas
On 18.10.22 09:23, Bob McDonald wrote: There are no outside clients. In this example, I'm only discussing inside clients on inside DNS. The recursive resolvers that ALL inside clients connect to will seek responses from the DNS root servers AFTER determining that the response can not be

Re: Question About Internal Recursive Resolvers

2022-10-18 Thread Bob McDonald
Let's not overthink this. I fear that I've activated a lot of creative circuitry in individuals and provided flimsy details around my example. There are no outside clients. In this example, I'm only discussing inside clients on inside DNS. The recursive resolvers that ALL inside clients connect

Re: Question About Internal Recursive Resolvers

2022-10-18 Thread Petr Špaček
On 14. 10. 22 18:08, Bob McDonald wrote: I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. That said, all clients would connect to recursive resolvers. The question is this; do I use an internal root

Re: Question About Internal Recursive Resolvers

2022-10-17 Thread Matus UHLAR - fantomas
On 15.10.22 16:03, Bob McDonald wrote: OK, if a known client accesses DNS on the internal network, that client is pointed at a recursive resolver (e.g by DHCP). That resolver either provides access to the internal DNS zones (e.g. via stub zones) or sends the client query to the root servers on

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 1:51 PM, Greg Choules via bind-users wrote: Hi Grant. Hi Greg, I'm quickly replying to your message. I'll reply to Matus & Fred later when I have more time for a proper reply. My understanding is this, which is almost identical to what I did in a former life: client

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Bob McDonald
OK, if a known client accesses DNS on the internal network, that client is pointed at a recursive resolver (e.g by DHCP). That resolver either provides access to the internal DNS zones (e.g. via stub zones) or sends the client query to the root servers on the internet. An unknown client (e.g.

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Greg Choules via bind-users
Hi Grant. My understanding is this, which is almost identical to what I did in a former life: client ---recursive_query---> recursive_DNS_server ---non_recursive_query---> internal_auth/Internet where: client == laptop/phone/server running stub resolver code recursive_DNS_server == what Bob is

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Fred Morris
People do the funniest things with DNS. It's a pretty good key-value store, especially for read-heavy workloads. Maybe you update counters for "what clients in this OT environment are posting telemetry to this web server"? DNS wouldn't be a good choice for that, but Redis is. But maybe you

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Matus UHLAR - fantomas
If you are an ISP/registry/DNS provider, it makes sense to separate authoritative zones for your clients' domains, for all those cases your client move their domains somewhere else without notifying you (hell, they do that too often), or to be able to prepare moving domains to your servers.

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 10:34 AM, Matus UHLAR - fantomas wrote: If you are an ISP/registry/DNS provider, it makes sense to separate authoritative zones for your clients' domains, for all those cases your client move their domains somewhere else without notifying you (hell, they do that too often), or to

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 10:03 AM, Bob McDonald wrote: My understanding has always been that the recommendation is/was to separate recursive and non-recursive servers. I too (had) long shared -- what I'm going to retroactively call -- that over simplification. Now I understand I'm talking about an

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Matus UHLAR - fantomas
I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. why? On 15.10.22 12:03, Bob McDonald wrote: My understanding has always been that the recommendation is/was to separate recursive and non-recursive

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Bob McDonald
>>I'm thinking about redesigning an internal DNS environment. To begin >>with, all internal DNS zones would reside on non-recursive servers >>only. >why? My understanding has always been that the recommendation is/was to separate recursive and non-recursive servers. Now I understand I'm talking

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Matus UHLAR - fantomas
On 14.10.22 12:08, Bob McDonald wrote: I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. why? That said, all clients would connect to recursive resolvers. don't they now? The question is this; do

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread JW λ John Woodworth
Hi Greg, Great points! I must have forgotten how messy this got :) ./John Original message From: Greg Choules Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get answers. But forwarding keeps the RD bit set, meaning that the server being forwarded to should a) have recursion enabled (though

RE: Question About Internal Recursive Resolvers

2022-10-14 Thread JW λ John Woodworth
Hi Bob, I've been able to do this with 'forward' zones. The config would go in the resolver but the files would not. /John Original message From: Bob McDonald I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on

Re: Question About Internal Recursive Resolvers

2022-10-14 Thread Greg Choules via bind-users
Hi Bob. In a previous life I did just this. Large resolvers for customers and internal users, defaulting to the Internet but with specific configuration to internal auth-only servers for private zones (I used stub but static-stub and mirror are alternatives - they each behave slightly

Re: Question about dnstap

2022-09-13 Thread Borja Marcos
> On 13 Sep 2022, at 14:34, Peter wrote: > > Apparently, the first connect() happens (after chroot but) before > dropping privileges. > (The FreeBSD integration script does set -u to UID "bind", by default.) > > So, apparently, fstrm_capture should also run as UID "bind" (and would > then

Re: Question about dnstap

2022-09-13 Thread Peter
On Tue, Sep 13, 2022 at 12:24:15PM +0200, Petr Špaček wrote: ! On 12. 09. 22 15:49, Peter wrote: ! > On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! > ! My testing did not uncover anything problematic. ! > ! ! > ! Versions: ! > ! fstrm 0.6.1-1 ! > ! protobuf 21.5-1 ! > ! protobuf-c

Re: Question about dnstap

2022-09-13 Thread Petr Špaček
On 12. 09. 22 15:49, Peter wrote: On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! My testing did not uncover anything problematic. ! ! Versions: ! fstrm 0.6.1-1 ! protobuf 21.5-1 ! protobuf-c 1.4.1-1 ! ! ! A procedure which works: ! - start BIND configured with ! options { !

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 03:01:38PM +0200, Petr Špaček wrote: ! My testing did not uncover anything problematic. ! ! Versions: ! fstrm 0.6.1-1 ! protobuf 21.5-1 ! protobuf-c 1.4.1-1 ! ! ! A procedure which works: ! - start BIND configured with ! options { ! dnstap { all; }; !

Re: Question about dnstap

2022-09-12 Thread Peter
On Mon, Sep 12, 2022 at 12:27:25PM +0200, Borja Marcos wrote: ! I am not sure this is intended behavior, or maybe I should file a bug. ! ! I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using ! dnstap-go. ! ! I have configured

Re: Question about dnstap

2022-09-12 Thread Petr Špaček
On 12. 09. 22 12:27, Borja Marcos wrote: Hi, I am not sure this is intended behavior, or maybe I should file a bug. I am doing some tests with dnstap and bind (9.18.6 now but I see the same behavior with older 9.18 versions). I am using dnstap-go. I have configured bind to use dnstap with

Re: Question about additional section in BIND-responses

2022-08-29 Thread Matus UHLAR - fantomas
On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason, that BIND answers with the additional section for the following query where for example Knot resolver and also PowerDNS resolver doesn't add the additional section for the same

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 18:04, Greg Choules wrote: Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the specified log file is allowed to contain. My

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 16:46, Richard T.A. Neal wrote: Hi J, I'm coming a little late to the party on this one and I think you might struggle to do rotation based on both date/time *and* file size, but I use logrotate to rotate all of my BIND logs daily, keeping 31 days of logs. And you'll see that

RE: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Richard T.A. Neal
J wrote: > I'm looking to have my: queries.log (which logs all the queries my Bind > 9.16.30 recursive resolver resolves), rotated at the end of the day and I'd > like to keep 7 days worth of those logs. {snip} > I still want any daily log *before* it's being rotated to be a maximum size >

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 04:52, Anand Buddhdev wrote: On 25/08/2022 05:23, J Doe wrote: Hello J Doe, I was wondering if anyone could provide feedback on whether the following: newsyslog.conf file is correct to allow for daily log rotation for my Bind 9.16.30 logs ? My currently logging settings in:

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 03:05, Greg Choules wrote: Hello J What is it you're actually trying to achieve here? Cheers, Greg Hi Greg, I'm looking to have my: queries.log (which logs all the queries my Bind 9.16.30 recursive resolver resolves), rotated at the end of the day and I'd like to keep 7 days

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Anand Buddhdev
On 25/08/2022 05:23, J Doe wrote: Hello J Doe, I was wondering if anyone could provide feedback on whether the following: newsyslog.conf file is correct to allow for daily log rotation for my Bind 9.16.30 logs ? My currently logging settings in: named.conf are:     ...     logging {

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Greg Choules via bind-users
Hello J What is it you're actually trying to achieve here? Cheers, Greg On Thu, 25 Aug 2022 at 04:24, J Doe wrote: > Hello, > > I was wondering if anyone could provide feedback on whether the > following: newsyslog.conf file is correct to allow for daily log > rotation for my Bind 9.16.30 logs

Re: Question about additional section in BIND-responses

2022-08-22 Thread Tom
On 8/17/22 06:45, Tom wrote: On 8/17/22 02:27, Evan Hunt wrote: On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason, that BIND answers with the additional section for the following query where for example Knot resolver and

Re: Question about additional section in BIND-responses

2022-08-16 Thread Tom
On 8/17/22 02:27, Evan Hunt wrote: On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: Using BIND-9.18.5 as a recursive server: What's the reason, that BIND answers with the additional section for the following query where for example Knot resolver and also PowerDNS resolver doesn't add

Re: Question about additional section in BIND-responses

2022-08-16 Thread Evan Hunt
On Tue, Aug 16, 2022 at 05:28:19PM +0200, Tom wrote: > Using BIND-9.18.5 as a recursive server: > What's the reason, that BIND answers with the additional section for the > following query where for example Knot resolver and also PowerDNS > resolver doesn't add the additional section for the

Re: Question about linking jemalloc with Bind 9.18.x when doing the compile.

2022-08-03 Thread Michal Nowak
On 02/08/2022 18:46, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hello all We are getting ready to test Bind 9.18.x. Currently we are running the latest version of 9.16.x branch. We have downloaded and successfully installed the jemalloc module on the Server ( RHEL 7.9 OS) and getting

Re: Question about missing bind.keys

2022-04-13 Thread Evan Hunt
On Tue, Apr 12, 2022 at 09:37:22PM -0400, J Doe wrote: > Apologies for my late reply. Thank you so much for the detailed > explanation of: dnssec-validation auto and what happens when: bind.keys > doesn't exist. > > With this setting in place in my: named.conf I then restarted BIND, gave > it

Re: Question about missing bind.keys

2022-04-12 Thread J Doe
On 2022-03-30 02:23, Evan Hunt wrote: On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote: I have a question about the bind.keys file and what happens when it is not available. [...] ** If I don't have bind.keys in my BIND directory but have: dnssec-validation auto in my named.conf, is

Re: Question about missing bind.keys

2022-03-30 Thread Evan Hunt
On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote: > I have a question about the bind.keys file and what happens when it is > not available. [...] > ** If I don't have bind.keys in my BIND directory but have: > dnssec-validation auto in my named.conf, is BIND automatically getting > the

Re: Question about "max-zone-ttl" in dnssec-policy

2021-09-21 Thread Evan Hunt
On Tue, Sep 21, 2021 at 03:11:30PM +0200, Tom wrote: > The documentation says, that "any record encountered with a TTL higher > than max-zone-ttl is capped at the maximum permissible TTL value". > > Is the documentation wrong here? It does appear to be wrong, yes. It also differs from the

Re: Question about "max-zone-ttl" in dnssec-policy

2021-09-21 Thread Tom
Hi Matthijs Thank you for your explanation. The documentation says, that "any record encountered with a TTL higher than max-zone-ttl is capped at the maximum permissible TTL value". Is the documentation wrong here? Thank you. Kind regards, Tom On 21.09.21 09:47, Matthijs Mekking wrote:

Re: Question about "max-zone-ttl" in dnssec-policy

2021-09-21 Thread Matthijs Mekking
Hi Tom, The max-zone-ttl is there to calculate the right timings for key rollovers. It won't alter the zone TTL values. You should set the max-zone-ttl to whatever the highest TTL is in your zone to make sure key rollovers timings are correct. This value exists until we have added code to

Re: [Question] About migration for 9.11.X to 9.16.X.

2021-08-24 Thread Petr Menšík
Hi, I would recommend reading Release notes for BIND 9.16.0 and 9.14.0 as primary source of key differences. They include most of important differences. I don't know about good summary at single place. Regards, Petr On 8/19/21 7:35 AM, Techs-yama wrote: > Hi BIND users all. > > I'm thinking

Re: [Question] About migration for 9.11.X to 9.16.X.

2021-08-19 Thread Techs-yama
Hi, Thank you for replying. > called README. In it you will find the answers to your questions. Thanks. Yes, I know that. also, I wanted to hear from anyone who had actual experience and knowledge about migration as opinions. >You could also spend some quality time in the mailing list archives.

Re: [Question] About migration for 9.11.X to 9.16.X.

2021-08-19 Thread G.W. Haywood via bind-users
Hi there, On Thu, 19 Aug 2021, Techs-yama wrote: I'm thinking about BIND Version migration for 9.11.X to 9.16.X. Also, I'm about to check the different default config value and config parameters for the purpose of that now. I would like to ask you all. Are there any other points of observe

Re: Question about Recommended stress test tools for bind.

2020-06-30 Thread Techs-yama
Hi, UHLAR. Thank you for your advice. I'll check these templates. Best regards. On Fri, Jun 26, 2020 at 19:28, Matus UHLAR - fantomas wrote: > > >On 2020-06-25 04:10, Techs-yama wrote: > >>and How do you have any recommended statistics items to check by > >>rndc stats. > > On 25.06.20 12:43, Chuck Aurora

Re: Question about Recommended stress test tools for bind.

2020-06-26 Thread Matus UHLAR - fantomas
On 2020-06-25 04:10, Techs-yama wrote: and How do you have any recommended statistics items to check by rndc stats. On 25.06.20 12:43, Chuck Aurora wrote: I don't know what you are looking for, but I would recommend NOT using rndc stats: https://kb.isc.org/docs/aa-00769 if you want to say

Re: Question about Recommended stress test tools for bind.

2020-06-25 Thread Brett Delmage
On Thu, 25 Jun 2020, Chuck Aurora wrote: On 2020-06-25 04:10, Techs-yama wrote: Hi, bind forks ! I'm a spoon, not a fork! :) 418 I'm a teapot!

Re: Question about Recommended stress test tools for bind.

2020-06-25 Thread Techs-yama
Thank you for your reply! >I'm a spoon, not a fork! :) Oops I'm Sorry typo. >I don't know what you are looking for, but I would recommend NOT Are there any stats result items, I should check when I perform tuning on bind? e.g.) socket error, cache memory in use, and more... Thank you

Re: Question about Recommended stress test tools for bind.

2020-06-25 Thread Chuck Aurora
On 2020-06-25 04:10, Techs-yama wrote: Hi, bind forks ! I'm a spoon, not a fork! :) [snip] and How do you have any recommended statistics items to check by rndc stats. I don't know what you are looking for, but I would recommend NOT using rndc stats: https://kb.isc.org/docs/aa-00769

Re: Question about expected recursive resolver behavior

2020-04-23 Thread Tony Finch
Sarah Newman wrote: > What should happen when for a given domain: > > - The domain resolves via TCP but not UDP - UDP for this domain had no > response at all. I would expect the domain to be completely unresolvable: the resolver will only try TCP if it gets a truncated response over UDP. > -

Re: Question about expected recursive resolver behavior

2020-04-23 Thread Sarah Newman
On 4/23/20 12:41 PM, Chuck Aurora wrote: On 2020-04-23 14:16, Sarah Newman wrote: What should happen when for a given domain: - The domain resolves via TCP but not UDP - UDP for this domain had no response at all. - That authoritative nameserver hosts other domains, and those domains resolve

Re: Question about expected recursive resolver behavior

2020-04-23 Thread Chuck Aurora
On 2020-04-23 14:16, Sarah Newman wrote: What should happen when for a given domain: - The domain resolves via TCP but not UDP - UDP for this domain had no response at all. - That authoritative nameserver hosts other domains, and those domains resolve via UDP. Do you have an example for this?

ipv6, was: Re: Question About Recursion ...

2020-04-17 Thread Chuck Aurora
On 2020-04-17 11:40, Tim Daneliuk wrote: On 4/17/20 10:17 AM, julien soula wrote: On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote: On 4/17/20 9:50 AM, Bob Harold wrote: 'dig' should tell you what address it used, at the bottom of the output - what does it say? ;; Query time:

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 12:45 PM Tim Daneliuk wrote: > On 4/17/20 10:17 AM, julien soula wrote: > > On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote: > >> On 4/17/20 9:50 AM, Bob Harold wrote: > >>> > >>> Agree, that's odd, and not what the man page says. Any chance that > there is

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Timothe Litt
On 17-Apr-20 10:56, Tim Daneliuk wrote: > On 4/17/20 9:50 AM, Bob Harold wrote: >> Agree, that's odd, and not what the man page says.  Any chance that there is >> some other DNS helper running, like resolved, nscd, dnsmasq, etc? > Nope. This is vanilla FreeBSD with vanilla bind running. > >>

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Tim Daneliuk
On 4/17/20 10:17 AM, julien soula wrote: > On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote: >> On 4/17/20 9:50 AM, Bob Harold wrote: >>> >>> Agree, that's odd, and not what the man page says.  Any chance that there >>> is some other DNS helper running, like resolved, nscd, dnsmasq,

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread julien soula
On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote: > On 4/17/20 9:50 AM, Bob Harold wrote: > > > > Agree, that's odd, and not what the man page says.  Any chance that there > > is some other DNS helper running, like resolved, nscd, dnsmasq, etc? > > Nope. This is vanilla FreeBSD

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 11:03 AM Konstantin Stefanov wrote: > On 17.04.2020 17:56, Tim Daneliuk wrote: > > On 4/17/20 9:50 AM, Bob Harold wrote: > >> > >> Agree, that's odd, and not what the man page says. Any chance that > there is some other DNS helper running, like resolved, nscd, dnsmasq,

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Konstantin Stefanov
On 17.04.2020 17:56, Tim Daneliuk wrote: On 4/17/20 9:50 AM, Bob Harold wrote: Agree, that's odd, and not what the man page says.  Any chance that there is some other DNS helper running, like resolved, nscd, dnsmasq, etc? Nope. This is vanilla FreeBSD with vanilla bind running. Lately
