bind-users Digest V4 #178

Brett Ussher brett.ussher at domail.maricopa.edu
Tue Jul 2 14:53:05 UTC 2002


yup, I did mean to do dig @140.198.8.135 -x 140.198.4.158.  Got an intelligible
response that time.

Thanks!

Brett Ussher
ITS, Matrix
Maricopa Community College District
(480) 731-8691
brett.ussher at domail.maricopa.edu


-----Original Message-----
From: BIND Users Mailing List [mailto:bind-users at isc.org]
Sent: Monday, July 01, 2002 23:50
To: bind-users digest users
Subject: bind-users Digest V4 #178


bind-users Digest	Mon, 01 Jul 2002	Volume: 04  Issue: 178

In This Issue:
		Re: bind  issue
		Re: NT DNS Doesn't resolves
		Re: Compile problems
		bind8.2 security issues
		Re: bind8.2 security issues
		Re: TXT records
		Re: bind8.2 security issues
		Re: bind8.2 security issues
		Re: bind8.2 security issues
		Re: NT DNS Doesn't resolves
		Re: bind8.2 security issues
		Re: bind8.2 security issues
		client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
		Re: Upgrading to BIND9 (was Re: bind8.2 security issues)
		Re: Upgrading to BIND9 (was Re: bind8.2 security issues)
		Can SERVFAIL be incorrectly returned through caching?
		Re: Can SERVFAIL be incorrectly returned through caching?
		Re: bind8.2 security issues
		Re: Whats wrong with this
		Re: Can SERVFAIL be incorrectly returned through caching?
		Re: bind8.2 security issues
		Bind 9.2.1 Problems
		Requirements to register my BIND DNS server with register.co
		Re: Bind 9.2.1 Problems
		Re: Bind 9.2.1 Problems
		Bind 9.2.1 not resolving names
		Re: reverse zone using generate produced 500M image
		Load balancing w/ failover.
		Re: client 1.2.3.4#56789: update 'sampledomain.com/IN' denie
		Re: Bind 9.2.1 not resolving names
		Re: Load balancing w/ failover.
		Re: Bind 9.2.1 Problems
		Re: client 1.2.3.4#56789: update 'sampledomain.com/IN' denie
		Re: Load balancing w/ failover.
		Re: Domain name registration: A records and PTR records need
		Re: Requirements to register my BIND DNS server with registe
		Load balancing w/ failover.
		Re: bind  issue
		Re: Load balancing w/ failover.
		Question about adding new domains/subdomains/parenting (real
		Re: Question about adding new domains/subdomains/parenting (
		Re: Upgrading to BIND9 (was Re: bind8.2 security issues)
		problems with notify
		Re: problems with notify
		Re: client 1.2.3.4#56789: update 'sampledomain.com/IN' denie
		Re: Whats wrong with this
		Re: TXT records
		Re: Bind 9.2.1 on Mandrake Linux 8.2
		Re: TXT records
		Bind related Sendmail problem

----------------------------------------------------------------------

From: "Andrew St. Jean" <bitbucket at black.hole>
Subject: Re: bind  issue
Date: Mon, 01 Jul 2002 00:32:14 -0400



When you wrote that you want bind to listen on one port only did you mean
that you want it to listen on one interface only? If so, try this in your
named.conf file:

    listen-on { 10.3.0.2; 127.0.0.1; };

This example will tell bind to listen on one external interface as well as
the loopback interface. You can also tell bind to listen on a particular
subnet with this:

    listen-on { 192.168.2/24; };

These commands work for bind 8 and bind 9. Enjoy!

Andrew



arfan wrote:

> Dear Sir/Madam, Regards
> How can i close the named port, as there is a name server running on my
> machine which has more than two interfaces, so when i give the command
> netstat -lpn it shows the following
>
> udp        0      0 10.3.0.2:53        0.0.0.0:*                           3839/named
> udp        0      0 xxx.yyy.z.aa:53    0.0.0.0:*                           3839/named
> udp        0      0 192.168.3.1:53     0.0.0.0:*                           3839/named
> udp        0      0 aaa.bbb.ccc.d:53   0.0.0.0:*                           3839/named
> udp        0      0 192.168.2.1:53     0.0.0.0:*                           3839/named
> udp        0      0 127.0.0.1:53       0.0.0.0:*                           3839/named
>
> but i want that when i run named it should listen on one port only
>
> hoping early reply
> arfan ahmad rana
> arfan at pakfree.net

------------------------------

From: those who know me have no need of my name <not-a-real-address at usa.net>
Subject: Re: NT DNS Doesn't resolves
Date: 01 Jul 2002 04:33:19 GMT



in comp.protocols.dns.bind i read:

>After your advise, I did a dig hotmail.com with Samspade and it replies
>correct.

i meant that you should post the results of running dig, not samspade, on your
system.  if you don't have dig then you are using the wrong mailing-list /
newsgroup, but you can easily correct that (and other problems you might be
having) by installing bind and disabling or removing msdns.  if you don't
want to do this, and i can certainly understand why you might hesitate,
then you need to try your question again in a microsoft.* group.

>Subsequent recursive queries resolves correctly. What should I do ? I was
>advised to put the whole hotmail.com zone info into my DNS record

what do you mean, i don't understand?

--
bringing you boring signatures for 17 years

------------------------------

From: those who know me have no need of my name <not-a-real-address at usa.net>
Subject: Re: Compile problems
Date: 01 Jul 2002 05:04:09 GMT



in comp.protocols.dns.bind i read:

>I am having an issues installing Bind 9.2.1 on a machine with SSL
>support!
>
>
>
>If I configure with:
>--with-openssl=/usr/bin/openssl

--with-openssl=/usr

--
bringing you boring signatures for 17 years

------------------------------

Date: Mon, 01 Jul 2002 09:55:13 +0100
From: Steve Foster <fosters at uk.psi.com>
Subject: bind8.2 security issues


All,


i have seen the postings on this group and via CERT about the
vulnerabilities in Bind8.X , however i am a bit confused as to how to
progress. I currently have bind running 8.2.3 on Solaris 2.6 , i have no
problems re-building a new version of bind to replace it, however Sun have
not released any details on new resolver library patches, So should i wait
until they do before building a new version of bind, or does bind use its
own internal ones for building named etc...

Also it says that named itself is not vulnerable, how can this be so??

many thanks in advance

Steve
Steve Foster
Senior Systems Administrator
PSINet Europe
Work: +44 (1223) 577322
Mobile: +44 (7720) 425911

------------------------------

From: phn at icke-reklam.ipsec.nu
Subject: Re: bind8.2 security issues
Date: 1 Jul 2002 09:58:47 GMT


Steve Foster <fosters at uk.psi.com> wrote:

> All,


> i have seen the postings on this group and via CERT about the
> vulnerabilities in Bind8.X , however i am a bit confused as to how to
> progress. I currently have bind running 8.2.3 on Solaris 2.6 , i have no
> problems re-building a new version of bind to replace it, however Sun have
> not released any details on new resolver library patches, So should i wait
> until they do before building a new version of bind, or does bind use its
> own internal ones for building named etc...

Using bind-9 as resolving nameserver for all your clients seems to be
a good workaround. That way no resolver is ever exposed to an
answer from hostile nameservers "out there".

Time to install bind-9 !!

> Also it says that named itself is not vulnerable, how can this be so??

It's not named that is vulnerable, it's the resolver code that all your
applications use. Named uses its own (not vulnerable) code for resolving.


> many thanks in advance

> Steve
> Steve Foster
> Senior Systems Administrator
> PSINet Europe
> Work: +44 (1223) 577322
> Mobile: +44 (7720) 425911


--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

Date: Mon, 01 Jul 2002 04:31:44 -0600
From: "Nitin Khurana" <nkhurana at novell.com>
Subject: Re: TXT records



> I am having a problem in updating a TXT record using res_update query in
> BIND 8.2.3, it gives me a FORMERR, I have set the class to IN, type to
> T_TXT and the RR owner that is the r_dname parameter to
> host.blr.novell.com and the r_data parameter to the text string
> "something", but it gives me a format error in the r_data.

Whereas I am able to update the same record using the nsupdate
utility. Could someone tell me what the format of the rdata section
for the TXT record should be if I just want to put a string, say
"something"?

Thanks in advance.
Regards,
Nitin Khurana.

------------------------------

Date: Mon, 01 Jul 2002 11:40:28 +0100
From: Steve Foster <fosters at uk.psi.com>
Subject: Re: bind8.2 security issues


At 09:58 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
>
>Steve Foster <fosters at uk.psi.com> wrote:
>
>> All,
>
>
>> i have seen the postings on this group and via CERT about the
>> vulnerabilities in Bind8.X , however i am a bit confused as to how to
>> progress. I currently have bind running 8.2.3 on Solaris 2.6 , i have no
>> problems re-building a new version of bind to replace it, however Sun have
>> not released any details on new resolver library patches, So should i wait
>> until they do before building a new version of bind, or does bind use its
>> own internal ones for building named etc...
>
>Using bind-9 as resolving nameserver for all your clients seems to be
>a good workaround. That way no resolver is ever exposed to an
>answer from hostile nameservers "out there".

Cool, i have no problem replacing my resolvers with bind9, as there are no
specific config issues i have to worry about...at the moment all my
resolvers are running named, which as you suggest below is not an
issue...so assuming sun bring out a patch, we should be okay to patch all
of internal and external servers which use the customer resolvers. my other
servers are primary and secondary servers running named, i assume that
there is no inherent risk in leaving these at bind8.2.3 in the short-term,
as you say, any calls to named from externally will use the internal
resolver functions in named...

>
>Time to install bind-9 !!
>
>> Also it says that named itself is not vulnerable, how can this be so??
>
>It's not named that is vulnerable, it's the resolver code that all your
>applications use. Named uses its own (not vulnerable) code for resolving.
>
>
>> many thanks in advance
>
>> Steve
>> Steve Foster
>> Senior Systems Administrator
>> PSINet Europe
>> Work: +44 (1223) 577322
>> Mobile: +44 (7720) 425911
>
>
>--
>Peter Håkanson
>        IPSec  Sverige      ( At Gothenburg Riverside )
>           Sorry about my e-mail address, but i'm trying to keep spam out,
>	   remove "icke-reklam" if you feel for mailing me. Thanx.
>
>
>
Steve Foster
Senior Systems Administrator
PSINet Europe
Work: +44 (1223) 577322
Mobile: +44 (7720) 425911

------------------------------

From: phn at icke-reklam.ipsec.nu
Subject: Re: bind8.2 security issues
Date: 1 Jul 2002 11:29:34 GMT


Steve Foster <fosters at uk.psi.com> wrote:

> At 09:58 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
>>
>>Steve Foster <fosters at uk.psi.com> wrote:
>>
>>> All,
>>
>>
>>> i have seen the postings on this group and via CERT about the
>>> vulnerabilities in Bind8.X , however i am a bit confused as to how to
>>> progress. I currently have bind running 8.2.3 on Solaris 2.6 , i have no
>>> problems re-building a new version of bind to replace it, however Sun have
>>> not released any details on new resolver library patches, So should i wait
>>> until they do before building a new version of bind, or does bind use its
>>> own internal ones for building named etc...
>>
>>Using bind-9 as resolving nameserver for all your clients seems to be
>>a good workaround. That way no resolver is ever exposed to an
>>answer from hostile nameservers "out there".

> Cool, i have no problem replacing my resolvers with bind9, as there are no
> specific config issues i have to worry about...at the moment all my
> resolvers are running named, which as you suggest below is not an
> issue...so assuming sun bring out a patch, we should be okay to patch all
> of internal and external servers which use the customer resolvers. my other
> servers are primary and secondary servers running named, i assume that
> there is no inherent risk in leaving these at bind8.2.3 in the short-term,
> as you say, any calls to named from externally will use the internal
> resolver functions in named...

Not entirely,

any packet that will cause an application (and syslog is an application) to
ask DNS for an answer is risky.

To reduce that, make sure /etc/resolv.conf points to a bind-9 in all your
systems exposed to Internet.


>>
>>Time to install bind-9 !!
>>
>>> Also it says that named itself is not vulnerable, how can this be so??
>>
>>It's not named that is vulnerable, it's the resolver code that all your
>>applications use. Named uses its own (not vulnerable) code for resolving.
>>
>>
>>> many thanks in advance
>>
>>> Steve
>>> Steve Foster
>>> Senior Systems Administrator
>>> PSINet Europe
>>> Work: +44 (1223) 577322
>>> Mobile: +44 (7720) 425911
>>
>>
>>--
>>Peter Håkanson
>>        IPSec  Sverige      ( At Gothenburg Riverside )
>>           Sorry about my e-mail address, but i'm trying to keep spam out,
>>	   remove "icke-reklam" if you feel for mailing me. Thanx.
>>
>>
>>
> Steve Foster
> Senior Systems Administrator
> PSINet Europe
> Work: +44 (1223) 577322
> Mobile: +44 (7720) 425911


--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

Date: Mon, 01 Jul 2002 12:39:21 +0100
From: Steve Foster <fosters at uk.psi.com>
Subject: Re: bind8.2 security issues


At 11:29 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:

>Not entirely,
>
>any packet that will cause an application (and syslog is an application) to
>ask DNS for an answer is risky.
>
>To reduce that, make sure /etc/resolv.conf points to a bind-9 in all
>your systems exposed to Internet.



Hi, thanks for this, so the best option in the short-term is to upgrade all
our resolvers to use bind9 , i assume that i can use bind9.2.1 for this, as
this is the latest on the isc website.

Steve
Steve Foster
Senior Systems Administrator
PSINet Europe
Work: +44 (1223) 577322
Mobile: +44 (7720) 425911

------------------------------

From: "William Stacey [MVP]" <staceyw at mvps.org>
Subject: Re: NT DNS Doesn't resolves
Date: Mon, 1 Jul 2002 07:57:58 -0400

"Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
news:affumm$3rnr$1 at isrv4.isc.org...
> > Initial recursive query reply using Dexpro DNS Expert.
> >
...

What is your client and post an ipconfig /all if it is w2k.

--
William Stacey, MCSE
Windows Server MVP

------------------------------

From: phn at icke-reklam.ipsec.nu
Subject: Re: bind8.2 security issues
Date: 1 Jul 2002 12:55:34 GMT


Steve Foster <fosters at uk.psi.com> wrote:

> At 11:29 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:

>>Not entirely,
>>
>>any packet that will cause an application (and syslog is an application) to
>>ask DNS for an answer is risky.
>>
>>To reduce that, make sure /etc/resolv.conf points to a bind-9 in all
>>your systems exposed to Internet.



> Hi, thanks for this, so the best option in the short-term is to upgrade all
> our resolvers to use bind9 , i assume that i can use bind9.2.1 for this, as
> this is the latest on the isc website.

9.2.1 is the recommended one yes.

I found a solaris-8/sparc package from steve at smc.vnet.net , i have a copy
on ftp://ftp.manet.nu/pub/bind/bind-9.2.1-sol8-sparc-local.gz ( yes
you _should_ build your own, but to get running asap installing a package
could be ok)


> Steve
> Steve Foster
> Senior Systems Administrator
> PSINet Europe
> Work: +44 (1223) 577322
> Mobile: +44 (7720) 425911


--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

Date: Mon, 01 Jul 2002 15:48:18 +0100
From: Steve Foster <fosters at uk.psi.com>
Subject: Re: bind8.2 security issues


At 12:55 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
>
>I found a solaris-8/sparc package from steve at smc.vnet.net , i have a copy
>on ftp://ftp.manet.nu/pub/bind/bind-9.2.1-sol8-sparc-local.gz ( yes
>you _should_ build your own, but to get running asap installing a package
>could be ok)

Hi,

i decided to build from scratch, and it seems to have gone okay. I have
started named with a modified version of the named.conf i used to use for
our 8.2.3 installations, certain things had to be removed for it to start,
such as the following:

named-xfer "/usr/local/sbin/named-xfer" ;

        topology {
                localhost;
                localnets;
                { 154.32/16; };
        };

Are these not used anymore, and is there an equivalent of named-xfer, this
is not something i need now, but will be when/if i build my secondary and
primary servers???

the startup shows the following:

Jul  1 15:41:30 testmonitor.europe.psi.com named[25973]: starting BIND 9.2.1 -u nobody -c /usr/local/etc/named.conf
Jul  1 15:41:30 hostname named[25973]: using 1 CPU
Jul  1 15:41:30 hostname named[25973]: loading configuration from '/usr/local/etc/named.conf'
Jul  1 15:41:30 hostname named[25973]: no IPv6 interfaces found
Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface lo0, 127.0.0.1#53
Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface hme0, 154.8.2.126#53
Jul  1 15:41:30 hostname named[25973]: none:0: open: /usr/local/etc/rndc.key: file not found
Jul  1 15:41:30 hostname named[25973]: couldn't add command channel 127.0.0.1#953: file not found
Jul  1 15:41:30 hostname named[25973]: no source of entropy found
Jul  1 15:41:30 hostname named[25973]: zones/named.127:1: no TTL specified; using SOA MINTTL instead
Jul  1 15:41:30 hostname named[25973]: zone 127.in-addr.arpa/IN: loaded serial 1
Jul  1 15:41:30 hostname named[25973]: zones/named.localhost:1: no TTL specified; using SOA MINTTL instead
Jul  1 15:41:30 hostname named[25973]: zone localhost/IN: loaded serial 1
Jul  1 15:41:30 hostname named[25973]: running

Do i need to worry about rndc.key, or is this for something else other than
resolving, and are there any specific options for named.conf to fix the
"couldn't add command channel 127.0.0.1#953: file not found" error.

my conf file is attached below, i couldn't find a sample resolver file, or
does anybody have a 9 specific one i can review.

many thanks

Steve

Conffile:

# more named.conf
options {
        directory "/usr/local/etc" ;
        pid-file "/var/domain/run/named.pid" ;
};

logging {
        channel xferlog {
                file "/var/domain/log/named-xfer" versions 5 size 1m;
                print-time yes;
                print-category yes;
                severity info;
        };

        category xfer-in { xferlog ; } ;
        category xfer-out { xferlog ; } ;
        category notify { xferlog ; } ;
        category lame-servers { null; };
        channel queries {
                file "/var/domain/log/queries" versions 5 size 10m;
                print-time yes;
                print-category no;
                print-severity yes;
        };
        category queries { queries ; } ;

};

zone "." {
        type hint ;
        file "zones/named.hint" ;
};

zone "127.in-addr.arpa" {
        type master ;
        file "zones/named.127" ;
};

zone "localhost" {
        type master ;
        file "zones/named.localhost" ;
};



Steve Foster
Senior Systems Administrator
PSINet Europe
Work: +44 (1223) 577322
Mobile: +44 (7720) 425911

------------------------------

From: "Johan Kuuse" <kuuse at redantigua.com>
Subject: client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
Date: Mon, 1 Jul 2002 09:11:53 -0600


I was using BIND 9.1.0 until recently, now I am using BIND 9.2.1.
The upgrade implies that the log file is filling up with the message

client 1.2.3.4#56789: update 'sampledomain.com/IN' denied

for various domains (we are an ISP managing about 250 domains).
I have seen on this list that one solution to this problem is to fix the
client (normally Win2k).
In our case the problem cannot be solved that way (too many clients).

I think I found a solution here:
http://www.acmebw.com/askmrdns/archive.php?category=83&question=603
which says:
"Change the MNAME field of your SOA record to "localhost" and include a
"localhost" in the zone that points to 127.0.0.1."

I still have some doubts.
If I change the MNAME field to "localhost" for zone "sampledomain.com",
should the host "localhost.sampledomain.com" be used as 127.0.0.1?
And what happens with the slave server if the MNAME points to
"localhost"?
(I thought that the MNAME always should point to the master DNS server?)

Any comment to this approach, or any other "server-side" solution is
appreciated.

Regards,
Johan Kuuse
kuuse at redantigua.com

Zone file as I guess it would look like:
-------------------------------------------------------------------------------
$ORIGIN .
$TTL 86400      ; 1 day
sampledomain.com.               IN SOA  localhost postmaster.sampledomain.com. (
                                2002070100 ; serial
                                3600       ; refresh (1 hour)
                                1200       ; retry (20 minutes)
                                1296000    ; expire (2 weeks 1 day)
                                86400      ; minimum (1 day)
                                )
                        NS      ns.me-the-isp.com.
                        NS      ns2.me-the-isp.com.
                        A       1.2.3.5
$ORIGIN sampledomain.com.
localhost               A       127.0.0.1
mail                    A       1.2.3.4
www                     A       1.2.3.5
-------------------------------------------------------------------------------


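Before deciding between fixing clients and the server-side MNAME change above, it helps to know how many distinct clients and zones are behind the denials. The following is an added example, not part of the original post: it parses the exact "update ... denied" message format quoted above from BIND 9 log lines and aggregates denials per zone and per client. The log lines, client addresses and zone names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches the BIND 9.2.1 message quoted in the post:
#   client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
# A syslog prefix (timestamp, host, named[pid]:) in front of it is tolerated.
UPDATE_DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/(?P<class>[A-Z]+)' denied"
)


def parse_denied_updates(lines):
    """Yield (client_ip, zone) for every 'update ... denied' line; skip the rest."""
    for line in lines:
        m = UPDATE_DENIED_RE.search(line)
        if m:
            # Normalise the zone name so 'Example.COM.' and 'example.com' collapse.
            yield m.group("ip"), m.group("zone").lower().rstrip(".")


def summarize(lines):
    """Return (denials per zone, distinct clients per zone, denials per client)."""
    per_zone = Counter()
    clients_per_zone = defaultdict(set)
    per_client = Counter()
    for ip, zone in parse_denied_updates(lines):
        per_zone[zone] += 1
        clients_per_zone[zone].add(ip)
        per_client[ip] += 1
    return per_zone, clients_per_zone, per_client


def noisiest_zones(lines, n=3):
    """Zones with the most denied updates, as (zone, denials, distinct_clients)."""
    per_zone, clients_per_zone, _ = summarize(lines)
    return [(z, c, len(clients_per_zone[z])) for z, c in per_zone.most_common(n)]


def noisiest_clients(lines, n=3):
    """Client addresses sending the most denied updates, as (ip, denials)."""
    _, _, per_client = summarize(lines)
    return per_client.most_common(n)


# Constructed sample log lines (not taken from the original post); the
# addresses and the second zone name are made up for the example.
SAMPLE_LOG = """\
Jul  1 09:11:53 ns1 named[1234]: client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
Jul  1 09:11:54 ns1 named[1234]: client 1.2.3.4#56790: update 'sampledomain.com/IN' denied
Jul  1 09:12:01 ns1 named[1234]: client 1.2.3.9#1031: update 'sampledomain.com/IN' denied
Jul  1 09:12:05 ns1 named[1234]: client 5.6.7.8#1025: update 'otherdomain.com/IN' denied
Jul  1 09:12:06 ns1 named[1234]: zone sampledomain.com/IN: sending notifies (serial 2002070100)
client 9.9.9.9#2048: update 'otherdomain.com/IN' denied
""".splitlines()


if __name__ == "__main__":
    # Run against the embedded sample; swap SAMPLE_LOG for open('/path/to/named.log').
    for zone, denials, clients in noisiest_zones(SAMPLE_LOG):
        print(f"{zone:<24} {denials:>5} denials from {clients} client(s)")
    for ip, denials in noisiest_clients(SAMPLE_LOG):
        print(f"{ip:<24} {denials:>5} denials")
```

A zone whose denials all come from one or two addresses points at a client to fix; many addresses across many zones is the case the post describes, where a server-side change is the practical option.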

------------------------------

Subject: Upgrading to BIND9 (was Re: bind8.2 security issues)
Date: Mon, 01 Jul 2002 16:20:44 +0100
From: Jim Reid <jim at rfc1035.com>

>>>>> "Steve" == Steve Foster <fosters at uk.psi.com> writes:

    Steve> i decided to build from scratch, and it seems to have gone
    Steve> okay. I have started named with a modified version of the
    Steve> named.conf i used to use for our 8.2.3 installations,
    Steve> certain things had to be removed for it to start, such as
    Steve> the following:

    Steve> named-xfer "/usr/local/sbin/named-xfer" ;

    Steve>         topology { localhost; localnets; { 154.32/16; }; };

These are not in BIND9. The former is obsolete and the latter is not
implemented. Did you read the documentation, especially the BIND9
migration notes in doc/misc/migration? Legacy syntax from BIND8 config
files is parsed but otherwise ignored by the BIND9 server, apart from
warnings in the logs.

    Steve> Are these not used anymore, and is there an equivalent of
    Steve> named-xfer, this is not something i need now, but will be
    Steve> when/if i build my secondary and primary servers???

The BIND9 name server handles inbound zone transfers itself. There's
no need for it to have a separate executable to do this, unlike BIND4
or BIND8.

    Steve> Do i need to worry about rndc.key, or is this for something
    Steve> else other than resolving, and is there any specific
    Steve> options for named.conf to fix the "couldn't add command
    Steve> channel 127.0.0.1#953: file not found" error.

Read the migration notes. BIND9 uses a new protocol and program to
control the name server. The program is called rndc and it supersedes
ndc. The migration notes have a reference to rndc-confgen which is the
utility used to create the named.conf statements needed to set up the
server side of the rndc control socket. [Though if you read the ARM
and man page for rndc, you shouldn't need a utility to create those
statements for named.conf.] The log messages are telling you the
server didn't create this socket (=> you can't control the name server
with rndc) because it doesn't do this unless the server's explicitly
told about it in named.conf.

    Steve> my conf file is attached below, i couldn't find a sample
    Steve> resolver file, or does anybody have a 9 specific one i can
    Steve> review.

The syntax and contents of resolv.conf does not change between BIND8
and BIND9.

------------------------------

Date: Mon, 01 Jul 2002 16:28:44 +0100
From: Steve Foster <fosters at uk.psi.com>
Subject: Re: Upgrading to BIND9 (was Re: bind8.2 security issues)


At 16:20 01/07/02 +0100, Jim Reid wrote:
>Read the migration notes. BIND9 uses a new protocol and program to
>control the name server. The program is called rndc and it supersedes
>ndc. The migration notes have a reference to rndc-confgen which is the
>utility used to create the named.conf statements needed to set up the
>server side of the rndc control socket. [Though if you read the ARM
>and man page for rndc, you shouldn't need a utility to create those
>statements for named.conf.] The log messages are telling you the
>server didn't create this socket (=> you can't control the name server
>with rndc) because it doesn't do this unless the server's explicitly
>told about it in named.conf.
>


i'll have another browse at the notes...


>    Steve> my conf file is attached below, i couldn't find a sample
>    Steve> resolver file, or does anybody have a 9 specific one i can
>    Steve> review.
>
>The syntax and contents of resolv.conf does not change between BIND8
>and BIND9.

i know that, i was specifically asking about named.conf files for a resolver.



>
>
Steve Foster
Senior Systems Administrator
PSINet Europe
Work: +44 (1223) 577322
Mobile: +44 (7720) 425911

------------------------------

Date: Mon, 01 Jul 2002 17:04:24 +0100
From: Steve Foster <fosters at uk.psi.com>
Subject: Re: Upgrading to BIND9 (was Re: bind8.2 security issues)


All,

One other thing, should i have compiled bind9 with libbind, i noticed it is
not selected as default when running configure.

many thanks

Steve
Steve Foster
Senior Systems Administrator
PSINet Europe
Work: +44 (1223) 577322
Mobile: +44 (7720) 425911

------------------------------

From: Simon Waters <Simon at wretched.demon.co.uk>
Subject: Can SERVFAIL be incorrectly returned through caching?
Date: Mon, 01 Jul 2002 17:10:10 +0100


A BIND 9.2.1 server on Redhat Linux 7.0 built from source,
default options.

After a brief period of being disconnected, and following a
reconnect a dig to the local nameserver for a record returned
SERVFAIL.

This continued after the name server was reconnected for a
noticeable period.

The SERVFAIL error was reported long enough for me to manually
follow the resolution procedure down from the root name servers,
and confirm that nothing obvious was wrong (routing/DNS
delegation).

So course of events....

disconnect from internet.
Look up record - SERVFAIL
Reconnect to internet
Look up record - SERVFAIL
Look up other stuff - appears okay.
Lookup uk NS - okay
Query co.uk NS for ISP NS - okay
Lookup ISP NS - okay
Query ISP NS for record - okay
Lookup record - SERVFAIL
Lookup record - okay

The record was "news.demon.co.uk" but I'm more interested in why
I might get a SERVFAIL once connectivity is restored. Is there
an additional caching going on I'm not aware of? I'm not
particularly concerned by the episode other than that I can't explain
the order of what happened.

The whole issue resolved itself quickly and I guess I can't rule
out a transient network problem dropping the odd packet, or a
change at the ISP (although this seems unlikely).

No LAME server messages were logged, and whilst some odd packets
were dropped during the episode these appear to be related to
some overkeen Microsoft PC somewhere wanting to talk NetBIOS to
my nameserver.

------------------------------

Date: Mon, 1 Jul 2002 11:31:51 -0500
From: Pete Ehlke <pde at ehlke.net>
Subject: Re: Can SERVFAIL be incorrectly returned through caching?


On Mon, Jul 01, 2002 at 05:10:10PM +0100, Simon Waters wrote:
>
> A BIND 9.2.1 server on Redhat Linux 7.0 built from source,
> default options.
>
> After a brief period of being disconnected, and following a
> reconnect a dig to the local nameserver for a record returned
> SERVFAIL.
>
> This continued after the name server was reconnected for a
> noticeable period.
>
> The SERVFAIL error was reported long enough for me to manually
> follow the resolution procedure down from the root name servers,
> and confirm that nothing obvious was wrong (routing/DNS
> delegation).
>
> So course of events....
>
> disconnect from internet.
> Look up record - SERVFAIL
> Reconnect to internet
> Look up record - SERVFAIL
> Look up other stuff - appears okay.
> Lookup uk NS - okay
> Query co.uk NS for ISP NS - okay
> Lookup ISP NS - okay
> Query ISP NS for record - okay
> Lookup record - SERVFAIL
> Lookup record - okay
>
I suspect that it was more completely described like this:

disconnect from internet
interface_interval expires, named scans interfaces, deletes absent connection
reconnect
look up record not in local cache- SERVFAIL
look up stuff in cache- okay
etc...
interfaces get scanned again, normal functionality reappears

Sound reasonable?

-P.

------------------------------

Date: Mon, 01 Jul 2002 12:41:13 -0400
From: Danny Mayer <mayer at gis.net>
Subject: Re: bind8.2 security issues


At 10:48 AM 7/1/02, Steve Foster wrote:

>At 12:55 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
> >
> >I found a solaris-8/sparc package from steve at smc.vnet.net , i have a copy
> >on ftp://ftp.manet.nu/pub/bind/bind-9.2.1-sol8-sparc-local.gz ( yes
> >you _should_ build your own, but to get running asap installing a package
> >could be ok)
>
>Hi,
>
>i decided to build from scratch, and it seems to have gone okay. I have
>started named with a modified version of the named.conf i used to use for
>our 8.2.3 installations, certain things had to be removed for it to start,
>such as the following:
>
>named-xfer "/usr/local/sbin/named-xfer" ;

This is obsolete. The functionality is now integrated into BIND 9.

>         topology {
>                 localhost;
>                 localnets;
>                 { 154.32/16; };
>         };

This is not implemented in BIND 9.

>Are these not used anymore, and is there an equivalent of named-xfer, this
>is not something i need now, but will be when/if i build my secondary and
>primary servers???

You don't need anything else.


>the startup shows the following:
>
>Jul  1 15:41:30 testmonitor.europe.psi.com named[25973]: starting BIND 9.2.1 -u nobody -c /usr/local/etc/named.conf
>Jul  1 15:41:30 hostname named[25973]: using 1 CPU
>Jul  1 15:41:30 hostname named[25973]: loading configuration from '/usr/local/etc/named.conf'
>Jul  1 15:41:30 hostname named[25973]: no IPv6 interfaces found
>Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface lo0, 127.0.0.1#53
>Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface hme0, 154.8.2.126#53
>Jul  1 15:41:30 hostname named[25973]: none:0: open: /usr/local/etc/rndc.key: file not found

Use rndc-confgen to generate an rndc.conf file and append the screen output to
the named.conf file.  This will allow you to control named.

>Jul  1 15:41:30 hostname named[25973]: couldn't add command channel 127.0.0.1#953: file not found

See above.

>Jul  1 15:41:30 hostname named[25973]: no source of entropy found

You need a source of entropy. This is usually /dev/random on Unix platforms.
Check with your O/S vendor for details.

>Jul  1 15:41:30 hostname named[25973]: zones/named.127:1: no TTL specified; using SOA MINTTL instead
>Jul  1 15:41:30 hostname named[25973]: zone 127.in-addr.arpa/IN: loaded serial 1
>Jul  1 15:41:30 hostname named[25973]: zones/named.localhost:1: no TTL specified; using SOA MINTTL instead
>Jul  1 15:41:30 hostname named[25973]: zone localhost/IN: loaded serial 1
>Jul  1 15:41:30 hostname named[25973]: running
>
>Do I need to worry about rndc.key, or is this for something else other than
>resolving, and are there any specific options for named.conf to fix the
>"couldn't add command channel 127.0.0.1#953: file not found" error?

See above.

Danny


------------------------------

Date: Mon, 01 Jul 2002 12:01:45 -0400
From: Danny Mayer <mayer at gis.net>
Subject: Re: Whats wrong with this


At 08:46 PM 6/30/02, tariq at www.jftechnologies.net wrote:

>whats wrong with this named.conf file
>
>/*
>BIND8 main configuration file with master zone statements: named.conf
>*/
>
>
>acl mynameservers {ip_list;};
>acl myrecursers {ip_list;};
>acl myqueriers {ip_list;};

You're missing the actual ip_list here.


>options
>{
>directory "d:\windows\system32\dns\etc";
>allow-transfer {localhost;};
>allow-recursion {myrecursers;};

You're missing the myrecursers IP list here.

>fetch-glue no;
>version "";
>use-id-pool yes;
>};
>
>/* remove/add the comment delimiters below to activate/deactivate
>logging */
>/*
>logging
>{
>  channel my_file {file "d:\windows\system32\dns\etc\named.run";
>severity debug; print-time yes; };
>  category default {my_file;};
>  category panic {my_file;};
>  category packet {my_file;};
>  category eventlib {my_file;};
>  category queries {my_file;};
>  category lame-servers { null;};
>  category cname { null;};
>};
>*/
>
>zone "." {type hint; file "db.cache"; };
>zone "anydomain.com" {type master; file "db.anydomain.com"; };
>zone "210.73.212.IN-ADDR.ARPA" {type master; file "db.212.73.210"; };
>zone "0.0.127.IN-ADDR.ARPA" {type master; file "db.127.0.0"; };
>zone "jftechnologies.net" {type master; file "db.jftechnologies.net";
>};
>
>It is not working on xp.

What does the application event log say? All errors go there when you don't
have anything else specified.

         Danny


------------------------------

From: Simon Waters <Simon at wretched.demon.co.uk>
Subject: Re: Can SERVFAIL be incorrectly returned through caching?
Date: Mon, 01 Jul 2002 18:12:07 +0100


Pete Ehlke wrote:
>
> I suspect that it was more completely described like this:
>
> disconnect from internet
> interface_interval expires, named scans interfaces, deletes absent connection
> reconnect
> look up record not in local cache- SERVFAIL
> look up stuff in cache- okay
> etc...
> interfaces get scanned again, normal functionality reappears
>
> Sound reasonable?

Good answer but for one slight flaw in named.conf

...
interface-interval      0;  // ....
...

which I believe rules this one out, as the interface should
neither be dropped nor found again.

BIND logs errors when it tries to use an unavailable interface on
Linux, so that is usually fairly obvious.

I'm sure it is something simple that I should have realised. I
fear I didn't record enough information to prove any subtler
suggestions, and I'm all too well aware how fallible our
recollections of events are.

------------------------------

From: phn at icke-reklam.ipsec.nu
Subject: Re: bind8.2 security issues
Date: 1 Jul 2002 17:47:42 GMT


Steve Foster <fosters at uk.psi.com> wrote:

> At 12:55 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
>>
>>I found a solaris-8/sparc package from steve at smc.vnet.net; I have a copy
>>on ftp://ftp.manet.nu/pub/bind/bind-9.2.1-sol8-sparc-local.gz (yes,
>>you _should_ build your own, but to get running asap installing a package
>>could be ok)

> Hi,

> I decided to build from scratch, and it seems to have gone okay. I have

Good.

> started named with a modified version of the named.conf I used to use for
> our 8.2.3 installations; certain things had to be removed for it to start,
> such as the following:

> named-xfer "/usr/local/sbin/named-xfer" ;

>         topology {
>                 localhost;
>                 localnets;
>                 { 154.32/16; };
>         };

> Are these not used anymore, and is there an equivalent of named-xfer? This
> is not something I need now, but will be when/if I build my secondary and
> primary servers???

You might want to install /etc/rndc.conf and add a key to that and to
/etc/named.conf. It's pretty well described in the ARM book; section
3.4.1.2 Administrative tools (at the end) has an example.
( http://www.ipsec.nu/dns/bind9/Bv9ARM.ch03.html#AEN371 )


> the startup shows the following:

> Jul  1 15:41:30 testmonitor.europe.psi.com named[25973]: starting BIND
> 9.2.1 -u nobody -c /usr/local/etc/named.conf
> Jul  1 15:41:30 hostname named[25973]: using 1 CPU
> Jul  1 15:41:30 hostname named[25973]: loading configuration from
> '/usr/local/etc/named.conf'
> Jul  1 15:41:30 hostname named[25973]: no IPv6 interfaces found
> Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface lo0,
> 127.0.0.1#53
> Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface hme0,
> 154.8.2.126#53
> Jul  1 15:41:30 hostname named[25973]: none:0: open:
> /usr/local/etc/rndc.key: file not found

This will get fixed by inserting an rndc key.

> Jul  1 15:41:30 hostname named[25973]: couldn't add command channel
> 127.0.0.1#953: file not found
> Jul  1 15:41:30 hostname named[25973]: no source of entropy found
> Jul  1 15:41:30 hostname named[25973]: zones/named.127:1: no TTL specified;
> using SOA MINTTL instead
> Jul  1 15:41:30 hostname named[25973]: zone 127.in-addr.arpa/IN: loaded
> serial 1
> Jul  1 15:41:30 hostname named[25973]: zones/named.localhost:1: no TTL
> specified; using SOA MINTTL instead
> Jul  1 15:41:30 hostname named[25973]: zone localhost/IN: loaded serial 1
> Jul  1 15:41:30 hostname named[25973]: running

> Do I need to worry about rndc.key, or is this for something else other than
> resolving, and are there any specific options for named.conf to fix the
> "couldn't add command channel 127.0.0.1#953: file not found" error?

Probably solved when you have a working key configured.

> my conf file is attached below. I couldn't find a sample resolver file, or
> does anybody have a 9-specific one I can review?

/etc/resolv.conf is the same.

Have a look at logging categories, they have changed substantially.


> many thanks

> Steve

> Conffile:

> # more named.conf
> options {
>         directory "/usr/local/etc" ;
>         pid-file "/var/domain/run/named.pid" ;
> };

> logging {
>         channel xferlog {
>                 file "/var/domain/log/named-xfer" versions 5 size 1m;
>                 print-time yes;
>                 print-category yes;
>                 severity info;
>         };

>         category xfer-in { xferlog ; } ;
>         category xfer-out { xferlog ; } ;
>         category notify { xferlog ; } ;
>         category lame-servers { null; };
>         channel queries {
>                 file "/var/domain/log/queries" versions 5 size 10m;
>                 print-time yes;
>                 print-category no;
>                 print-severity yes;
>         };
>         category queries { queries ; } ;

> };

> zone "." {
>         type hint ;
>         file "zones/named.hint" ;
> };

> zone "127.in-addr.arpa" {
>         type master ;
>         file "zones/named.127" ;
> };

> zone "localhost" {
>         type master ;
>         file "zones/named.localhost" ;
> };



> Steve Foster
> Senior Systems Administrator
> PSINet Europe
> Work: +44 (1223) 577322
> Mobile: +44 (7720) 425911


--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
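The rndc key that both Danny and Peter point to, as an added example that is not part of the digest: a Python script producing the same rndc.conf and named.conf controls fragment that rndc-confgen writes, plus a check that both sides hold one secret and that the key file is not readable by other users. Assumed: BIND 9.2's hmac-md5 control key with a 16-byte secret and an output directory chosen by the caller; on a current server use rndc-confgen itself, which defaults to a stronger HMAC.

```python
"""Added example, not code from the digest.

The same two files rndc-confgen writes, so named stops logging
"rndc.key: file not found" and "couldn't add command channel 127.0.0.1#953":
rndc.conf for the client and a key + controls fragment for named.conf.
Assumed: BIND 9.2's hmac-md5 control key with a 16-byte secret and an output
directory chosen by the caller. Standard library only.
"""
import base64
import os
import re
import secrets
import stat

KEY_NAME = "rndc-key"


def gen_secret(nbytes: int = 16) -> str:
    """Random base64 secret, like rndc-confgen's default 128-bit key."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def key_statement(name: str, secret: str) -> str:
    """The key {} block that rndc.conf and named.conf must share verbatim."""
    return f'key "{name}" {{\n\talgorithm hmac-md5;\n\tsecret "{secret}";\n}};\n'


def rndc_conf(name: str, secret: str) -> str:
    """Client side: the key, and which server/port rndc talks to by default."""
    return (
        key_statement(name, secret)
        + "\noptions {\n"
        + f'\tdefault-key "{name}";\n'
        + "\tdefault-server 127.0.0.1;\n"
        + "\tdefault-port 953;\n};\n"
    )


def named_controls(name: str, secret: str) -> str:
    """Server side: the same key plus a controls statement that accepts the
    command channel only from loopback and only when signed with that key."""
    return (
        key_statement(name, secret)
        + "\ncontrols {\n"
        + "\tinet 127.0.0.1 port 953\n"
        + f'\t\tallow {{ 127.0.0.1; }} keys {{ "{name}"; }};\n}};\n'
    )


def write_private(path: str, text: str) -> None:
    """Create the file owner-read/write only: anyone who can read the secret
    can stop, reload or reconfigure named over the control channel."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # in case the file already existed with a wider mode


def install_rndc_key(directory: str, name: str = KEY_NAME) -> str:
    """Write rndc.conf and named.conf.controls into `directory` and return
    the secret so the caller can confirm both sides hold the same one."""
    secret = gen_secret()
    write_private(os.path.join(directory, "rndc.conf"), rndc_conf(name, secret))
    write_private(os.path.join(directory, "named.conf.controls"),
                  named_controls(name, secret))
    return secret


_SECRET_RE = re.compile(r'secret\s+"([^"]+)"')


def check_key_files(rndc_path: str, named_path: str) -> list:
    """Problems to fix before relying on rndc: secrets that differ (rndc then
    fails to authenticate) or a key file readable by group/others."""
    problems = []
    found = []
    for path in (rndc_path, named_path):
        with open(path) as fh:
            match = _SECRET_RE.search(fh.read())
        found.append(match.group(1) if match else None)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path}: mode {mode:o} is readable by others")
    if None in found or found[0] != found[1]:
        problems.append("rndc.conf and named.conf do not share one secret")
    return problems


if __name__ == "__main__":
    import tempfile

    outdir = tempfile.mkdtemp()
    install_rndc_key(outdir)
    print(open(os.path.join(outdir, "named.conf.controls")).read())
    print("problems:", check_key_files(os.path.join(outdir, "rndc.conf"),
                                       os.path.join(outdir, "named.conf.controls")))
```

Append the named.conf.controls fragment to named.conf (or include it), restart named, and the "file not found" lines for the control channel disappear.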

------------------------------

From: "Frank Durham" <fdurham at nospam.sportsendeavors.com>
Subject: Bind 9.2.1 Problems
Date: Mon, 1 Jul 2002 10:17:57 -0400

Greetings-

I was able to correct the majority of the problems I encountered with bind.
But I have these two problems that seem to be getting the best of me.  When
I start the named service, and check the syslog the following message
appears.

/etc/named.conf:6: option 'check-names' is not implemented  ---  This
message appears when I check the warnings.

Then when I try to do a "dig @ 127.0.0.1" or any of my local zones, I get
this:
dig: couldn't find server '' : Nme or Service not Known

I have been all over web sites and through this BIND/DNS book by O'Reilly and
can't seem to figure out what these two messages correlate to.

Frank



------------------------------

From: HYK_TremorZ at hotmail.com (Crazy Diamond)
Subject: Requirements to register my BIND DNS server with register.com?
Date: 1 Jul 2002 09:05:35 -0700



Hi,

  I've been having trouble registering my DNS server
(lucky.cs.uml.edu) on register.com's website for my domain name
testing123.net.

  The computer that BIND is hosted on happens to be in a computer lab
here at the University of Massachusetts Lowell.  Are there any
requirements that I should know about when trying to register my DNS
server? Do I have to change the in-addr.arpa PTR records? Do I have to
own them?  I just can't find any conceivable reason why I shouldn't be
allowed to register this server and it's driving me insane :(  Any
help would be greatly appreciated, thanks.

------------------------------

Date: Mon, 1 Jul 2002 20:12:18 +0200 (CDT)
From: Michael Kjorling <michael at kjorling.com>
Subject: Re: Bind 9.2.1 Problems



On Jul 1 2002 10:17 -0400, Frank Durham wrote:

> Then when I try to do a "dig @ 127.0.0.1" or any of my local zones, I get
> this:
> dig: couldn't find server '' : Nme or Service not Known

The correct syntax for specifying a server to dig is the @ (at)
sign immediately followed by a host name or IP address. You are not
allowed to have any spaces in between.


Michael Kjörling

--
Michael Kjörling  --  Programmer/Network administrator  ^..^
Internet: michael at kjorling.com -- FidoNet: 2:204/254.4   \/
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e



------------------------------

From: "Mark Damrose" <mdamrose at elgin.cc.il.us>
Subject: Re: Bind 9.2.1 Problems
Date: Mon, 1 Jul 2002 13:14:04 -0500

"Frank Durham" <fdurham at nospam.sportsendeavors.com> wrote in message
news:afq5oi$9ov8$1 at isrv4.isc.org...
> Greetings-
>
> I was able to correct the majority of the problems I encountered with bind.
> But I have these two problems that seem to be getting the best of me.  When
> I start the named service, and check the syslog the following message
> appears.
>
> /etc/named.conf:6: option 'check-names' is not implemented  ---  This
> message appears when I check the warnings.

On line 6 of your /etc/named.conf file, you use the 'check-names' option.
This is not implemented in this version of bind.  Remove it from the config
file.

>
> Then when I try to do a "dig @ 127.0.0.1" or any of my local zones, I get
> this:
> dig: couldn't find server '' : Nme or Service not Known

Is there a space between the @ and 127.0.0.1 in your command?  @ is how you
tell dig what server to query.  With a space there, dig can't figure out
which server you want to query.

>
> I have been all over web sites and through this BIND/DNS book by O'Reilly and
> can't seem to figure out what these two messages correlate to.
>
> Frank



------------------------------

Subject: Re: Bind 9.2.1 Problems
From: dbotham at edeltacom.com
Date: Mon, 1 Jul 2002 14:14:40 -0400



Frank,

See the man page for 'dig'; you have typed it wrong.  It should be
something like this:

dig -x 127.0.0.1 @127.0.0.1

if you are trying to dig for the PTR RR associated with 127.0.0.1 on the
local host (that is, what comes after the @ sign is the name server you are
going to query, and there should not be a space between the '@' and the
name server...)

Also, see page 79 of the BIND9 ARM, as bind 9 does not implement the
check-names option...

However, I think it is a little weird that it is listed in the "Options"
syntax section...


Dave...


"Frank Durham" <fdurham at nospam.sportsendeavors.com> (sent by bind-users-bounce at isc.org), 07/01/2002 10:17 AM, To: comp-protocols-dns-bind at isc.org, Subject: Bind 9.2.1 Problems, wrote:

> Greetings-
>
> I was able to correct the majority of the problems I encountered with bind.
> But I have these two problems that seem to be getting the best of me.  When
> I start the named service, and check the syslog the following message
> appears.
>
> /etc/named.conf:6: option 'check-names' is not implemented  ---  This
> message appears when I check the warnings.
>
> Then when I try to do a "dig @ 127.0.0.1" or any of my local zones, I get
> this:
> dig: couldn't find server '' : Nme or Service not Known
>
> I have been all over web sites and through this BIND/DNS book by O'Reilly and
> can't seem to figure out what these two messages correlate to.
>
> Frank

------------------------------

Subject: Re: Requirements to register my BIND DNS server with register.com?
From: dbotham at edeltacom.com
Date: Mon, 1 Jul 2002 14:17:06 -0400



What troubles are you having (specifically)?

One reason you may not be able to register the name server is because you
are not the admin contact for the parent domain.  In other words, only the
admin contact for uml.edu would be able to register your name server...

Dave...


HYK_TremorZ at hotmail.com (Crazy Diamond) (sent by bind-users-bounce at isc.org), 07/01/2002 12:05 PM, To: comp-protocols-dns-bind at isc.org, Subject: Requirements to register my BIND DNS server with register.com?, wrote:

> Hi,
>
>   I've been having trouble registering my DNS server
> (lucky.cs.uml.edu) on register.com's website for my domain name
> testing123.net.
>
>   The computer that BIND is hosted on happens to be in a computer lab
> here at the University of Massachusetts Lowell.  Are there any
> requirements that I should know about when trying to register my DNS
> server? Do I have to change the in-addr.arpa PTR records? Do I have to
> own them?  I just can't find any conceivable reason why I shouldn't be
> allowed to register this server and it's driving me insane :(  Any
> help would be greatly appreciated, thanks.

------------------------------

From: "Brett Ussher" <brett.ussher at domail.maricopa.edu>
Subject: Bind 9.2.1 not resolving names
Date: Mon, 1 Jul 2002 11:30:23 -0700


I tried setting my w2k workstation up to point to a new bind server and
discovered it could not be found.  Where I work is currently using two bind
9.2.1 servers (master, secondary) and I'm working on a test environment using a
third, independent bind 9.2.1 server.  I tried using dig from a linux console
prompt and got the following output:

# dig @140.198.8.135 140.198.4.158

; <<>> DiG 9.2.0 <<>> @140.198.8.135 140.198.4.158
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20602
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;140.198.4.158.                 IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2002070100 1800 900 604800 86400

;; Query time: 116 msec
;; SERVER: 140.198.8.135#53(140.198.8.135)
;; WHEN: Mon Jul  1 11:01:30 2002
;; MSG SIZE  rcvd: 106

The current DNS admin here found the authority section of the output interesting
since it seems to be trying to use 'nstld.verisign-grs.com' as the name server.
I've checked to see if bind is running on my server, it is with five instances
and all my zone files are being noticed in /var/log/messages with notes like
"serial loaded <serial number>" so it looks to be starting fine.

Anyone got any ideas on why my computers can't seem to reach my DNS server?

Oh, for reference, I'm using Linux 7.2, Bind 9.2.1 (RedHat RPM binary)

Brett Ussher
ITS, Matrix
Maricopa Community College District
(480) 731-8691
brett.ussher at domail.maricopa.edu





------------------------------

Date: Mon, 01 Jul 2002 15:36:34 -0400
From: Kevin Darcy <kcd at daimlerchrysler.com>
Subject: Re: reverse zone using generate produced 500M image


"Sorkin, David (David)" wrote:

> Hi,
>
> I upgraded today to 8.3.3 from 8.2.3 to address security issues. I also
> configured bind to run chrooted and as a non-privileged user. This worked out
> but the upgrade broke a piece of in house code which I did not write that we use
> for reverse zone auto generation. The program is supposed to take queries like:
>
> 109.88.118.135.in.addr.arpa ptr
>
> and produce a response like
>
> h135.118.88.109.outland.lucent.com.
>
> It would also do the inverse process for the forward zone.
>
> Anyway, after the upgrade I started seeing thousands and thousands of
> entries like:
>
> 30-Jun-2002 07:37:39.144 wrong ans. name (. != 142.66.118.199.in-addr.arpa)
> 30-Jun-2002 07:37:39.156 invalid RR type 'PTR' in authority section (name =
> '142.66.118.199.in-addr.arpa') from [192.11.223.170].53
> 30-Jun-2002 07:37:39.164 invalid RR type 'NS' in additional section (name =
> '66.118.199.in-addr.arpa') from [192.11.223.170].53
>
> I'd like to try to solve this problem without more coding so just to see what
> would happen I tried using the generate directive to create PTR records for 82 B
> class networks. It used up nearly 500 Mb of RAM. This is not going to be
> workable and wildcard PTR records aren't an option either. (also I can't get rid
> of split DNS).
>
> I was hoping that someone could tell me how they've dealt with this problem
> elsewhere.

How many organizations have 82 B-class networks? We only have about 4 (in
addition to our A-class).

If you're large enough to have that many B-class'es, aren't you large enough to
buy enough RAM for your nameservers?

I'm not sure why *every* node on every possible IP address in your network needs
a PTR anyway. Seems like overkill to me.

                                                                                
                                                    - Kevin



------------------------------

From: "Ben Timby" <asp at webexc.com>
Subject: Load balancing w/ failover.
Date: Mon, 1 Jul 2002 14:50:47 -0500




Hello, I would like to know the easiest way to set up the following:

4 DNS servers running BIND 8
1 controller machine that distributes queries to the 4 DNS servers
evenly.
Controller will skip any machine that is not responding.
None of the DNS servers are authoritative.
I would also like a way of sharing cache, or sending like queries to
the same box since the domain record would already be in cache.

I need this setup for my Lyris ListManager box, it is killing my
current DNS server. Lyris says not to just setup multiple DNS servers
as if one fails, it will actually slow down mail delivery more than
just using a single DNS server would. I would like a nice automatic
solution that always works, our lyris box cannot slow down :-). I
took a look at:

lbnamed
http://www.stanford.edu/~riepel/lbnamed/

And it seems to lack good docs (maybe I have not dug into it enough
yet).

Does anyone have experience w/ it? Will it do what I want? Is there a
better/easier way?

Thanks in advance.

Ben Timby
Webexcellence
asp at webexc.com
www.webexc.com



------------------------------

From: Simon Waters <Simon at wretched.demon.co.uk>
Subject: Re: client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
Date: Mon, 01 Jul 2002 20:49:27 +0100


Johan Kuuse wrote:
>
> I still have some doubts.
> If I change the MNAME field to "localhost" for zone "sampledomain.com",
> should the host "localhost.sampledomain.com" be used as 127.0.0.1?

Yes, all domains (that clients belong to) should have a
localhost (that is in an RFC somewhere), pointing to 127.0.0.1.

I just put "localhost 86400 IN A 127.0.0.1" in the zone
template, since having it in every zone won't hurt.

> And what happens with the slave server if the the MNAME points to
> "localhost"?

MNAME is only used in dynamic DNS, if you do things statically
it isn't used.

Slaves will use the masters specified in their named.conf files.

------------------------------

Date: Mon, 1 Jul 2002 15:06:50 -0500
From: Pete Ehlke <pde at ehlke.net>
Subject: Re: Bind 9.2.1 not resolving names


On Mon, Jul 01, 2002 at 11:30:23AM -0700, Brett Ussher wrote:
> I tried setting my w2k workstation up to point to a new bind server and
> discovered it could not be found.  Where I work is currently using two bind
> 9.2.1 servers (master, secondary) and I'm working on a test environment using a
> third, independent bind 9.2.1 server.  I tried using dig from a linux console
> prompt and got the following output:
>
> # dig @140.198.8.135 140.198.4.158
>
> ; <<>> DiG 9.2.0 <<>> @140.198.8.135 140.198.4.158
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20602
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;140.198.4.158.                 IN      A
>
> ;; AUTHORITY SECTION:
> .                       10800   IN      SOA     A.ROOT-SERVERS.NET.
> NSTLD.VERISIGN-GRS.COM. 2002070100 1800 900 604800 86400
>
> ;; Query time: 116 msec
> ;; SERVER: 140.198.8.135#53(140.198.8.135)
> ;; WHEN: Mon Jul  1 11:01:30 2002
> ;; MSG SIZE  rcvd: 106
>
> The current DNS admin here found the authority section of the output interesting
> since it seems to be trying to use 'nstld.verisign-grs.com' as the name server.

No, it's not. You're seeing the SOA record for ., which was returned because
you have asked for an A record in a TLD (158.) that does not exist.
nstld at verisign-grs.com is the rname field of that record.

What I expect you *wanted* to do was:

dig @140.198.8.135 -x 140.198.4.158

or:

dig @140.198.8.135 158.4.198.140.in-addr.arpa


> I've checked to see if bind is running on my server, it is with five instances

That's an FAQ. There are not five instances running, there are five
threads running in one instance, and linux's broken implementation of
ps(1) incorrectly shows each thread as a separate process.

> and all my zone files are being noticed in /var/log/messages with notes like
> "serial loaded <serial number>" so it looks to be starting fine.
>
> Anyone got any ideas on why my computers can't seem to reach my DNS server?
>

Well, it seems they can, in fact, reach your server. The reply to your
dig query above came from the server that you asked. You just asked it a
bogus question ;)

-P.
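What dig -x does for you, as an added example that is not from the thread: build the in-addr.arpa name from an address, parse the root SOA that came back in the AUTHORITY section above, and decode its RNAME into the mailbox Pete mentions. Standard library only; the SOA line is copied from the dig output quoted above, the IPv6 branch goes beyond the thread's IPv4 case, and the negative-cache TTL follows RFC 2308.

```python
"""Added example, not code from the digest thread.

What `dig -x` does behind the scenes for the query quoted above: build the
PTR owner name from an address, and decode the root SOA that came back in
the AUTHORITY section, whose RNAME (NSTLD.VERISIGN-GRS.COM.) is a mailbox,
not a name server. Only the standard library is used.
"""
import ipaddress
import re

# Constructed copy of the AUTHORITY section line from the dig output above.
ROOT_SOA_LINE = (
    ".                       10800   IN      SOA     A.ROOT-SERVERS.NET. "
    "NSTLD.VERISIGN-GRS.COM. 2002070100 1800 900 604800 86400"
)

SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)"
    r"\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


def reverse_name(address: str) -> str:
    """PTR owner name for an address, as dig -x builds it.

    Generalizes the thread's IPv4 case: IPv6 addresses get the nibble-reversed
    ip6.arpa form.
    """
    return ipaddress.ip_address(address).reverse_pointer + "."


def rname_to_mailbox(rname: str) -> str:
    """Decode an SOA RNAME to an e-mail address (RFC 1035 section 3.3.13).

    The first unescaped dot separates mailbox from domain; a backslash-escaped
    dot inside the mailbox is a literal dot.
    """
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":
            break
        local.append(ch)
        i += 1
    domain = rname[i + 1:].rstrip(".")
    return f"{''.join(local)}@{domain}".lower()


def parse_soa(line: str) -> dict:
    """Split a dig-style SOA line into its fields, with numbers as ints."""
    m = SOA_RE.match(line)
    if not m:
        raise ValueError(f"not an SOA record: {line!r}")
    rec = m.groupdict()
    for field in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        rec[field] = int(rec[field])
    rec["contact"] = rname_to_mailbox(rec["rname"])
    return rec


def negative_cache_ttl(soa: dict) -> int:
    """How long a resolver may cache this NXDOMAIN (RFC 2308 section 5):
    the smaller of the SOA's own TTL and its MINIMUM field."""
    return min(soa["ttl"], soa["minimum"])


def suggest_query(qname: str) -> str:
    """If an A query name is really a bare IP address (the mistake in the
    thread), return the reverse name that should have been asked for;
    otherwise return the name unchanged."""
    try:
        return reverse_name(qname.rstrip("."))
    except ValueError:
        return qname


if __name__ == "__main__":
    soa = parse_soa(ROOT_SOA_LINE)
    print("MNAME (primary):", soa["mname"])
    print("RNAME as mailbox:", soa["contact"])
    print("NXDOMAIN cached for", negative_cache_ttl(soa), "seconds")
    print("you probably wanted:", suggest_query("140.198.4.158."))
```

The negative-cache figure is the practical cost of the mistaken query: the resolver remembers that "140.198.4.158." does not exist for up to 10800 seconds, which is harmless here but explains why a mistyped name can stay "missing" for a while.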


------------------------------

From: Simon Waters <Simon at wretched.demon.co.uk>
Subject: Re: Load balancing w/ failover.
Date: Mon, 01 Jul 2002 21:08:03 +0100


Ben Timby wrote:
>
> Does anyone have experience w/ it? Will it do what I want? Is there a
> better/easier way?

Have you tried running a caching DNS server on the mailing list
box itself?

What is the spec of the current DNS server? Are you sure it
isn't a bandwidth issue?

------------------------------

From: phn at icke-reklam.ipsec.nu
Subject: Re: Bind 9.2.1 Problems
Date: 1 Jul 2002 20:14:40 GMT


Frank Durham <fdurham at nospam.sportsendeavors.com> wrote:
> Greetings-

> I was able to correct the majority of the problems I encountered with bind.
> But I have these two problems that seem to be getting the best of me.  When
> I start the named service, and check the syslog the following message
> appears.

> /etc/named.conf:6: option 'check-names' is not implemented  ---  This
> message appears when I check the warnings.

If you read the documentation you could have noticed that 'check-names'
is not (and won't be) implemented.

> Then when I try to do a "dig @ 127.0.0.1" or any of my local zones, I get
> this:
> dig: couldn't find server '' : Nme or Service not Known

Remove the space between '@' and '127.0.0.1'


> I have been all over web sites and through this BIND/DNS book by O'Reilly and
> can't seem to figure out what these two messages correlate to.

You read too fast :-)

> Frank




--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

Date: Mon, 01 Jul 2002 16:18:55 -0400
From: Kevin Darcy <kcd at daimlerchrysler.com>
Subject: Re: client 1.2.3.4#56789: update 'sampledomain.com/IN' denied


Simon Waters wrote:

> Johan Kuuse wrote:
> >
> > I still have some doubts.
> > If I change the MNAME field to "localhost" for zone "sampledomain.com",
> > should the host "localhost.sampledomain.com" be used as 127.0.0.1?
>
> Yes, all domains (that clients belong to) should have a
> localhost (that is in an RFC somewhere), pointing to 127.0.0.1.

I doubt it.


- Kevin



------------------------------

From: phn at icke-reklam.ipsec.nu
Subject: Re: Load balancing w/ failover.
Date: 1 Jul 2002 20:21:49 GMT


Ben Timby <asp at webexc.com> wrote:

>

> Hello, I would like to know the easiest way to setup the following:

> 4 DNS servers running BIND 8

4 intelboxes + FreeBSD from CDROM. 15 minutes / box. Bind-8 included
in basic kit.

> 1 controller machine that distributes queries to the 4 DNS servers

One more intelbox + FreeBSD, this one with a 'forwarders { the four above };'


Another
> evenly.
> Controller will skip any machine that is not responding.
> None of the DNS servers are authoritative.
> I would also like a way of sharing cache, or sending like queries to
> the same box since the domain record would already be in cache.

> I need this setup for my Lyris ListManager box, it is killing my
> current DNS server. Lyris says not to just setup multiple DNS servers
> as if one fails, it will actually slow down mail delivery more than
> just using a single DNS server would. I would like a nice automatic
> solution that always works, our lyris box cannot slow down :-). I
> took a look at:

You still have a single point of failure in my suggestion. But since
'lyris' does not cope gracefully with a nameserver failure this might be
your best solution.   ( not mentioning OSPF tricks which under carefully
controlled environments give a transparent switchover )

> lbnamed
> http://www.stanford.edu/~riepel/lbnamed/

> And it seems to lack good docs (maybe I have not dug into it enough
> yet).

> Does anyone have experience w/ it? Will it do what I want? Is there a
> better/easier way?

Install a Good Working bind in a Good HW and use FreeBSD( or if you are so
inclined solaris on sparc).

> Thanks in advance.

> Ben Timby
> Webexcellence
> asp at webexc.com
> www.webexc.com




--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

Date: Mon, 01 Jul 2002 16:24:40 -0400
From: Kevin Darcy <kcd at daimlerchrysler.com>
Subject: Re: Domain name registration: A records and PTR records need to match?


HYK_TremorZ at hotmail.com wrote:

> I've been having a dickens of a time trying to register dns servers to
> my domain name registrars (to both namecheap.com and register.com).
>
> I'm wondering though, do both the registered pointer records and A
> records have to be the same for it to work?  I'm trying to register
> this machine in my lab (lucky.cs.uml.edu) as an authoritative primary
> name server for my domain testing123.net (both are the same machine)
> but it doesn't seem to work.
>
> Here is what happens when i dig my IP address
>
> ivan at lucky:~$ dig -x 129.63.24.90|more
>
> ; <<>> DiG 9.2.1 <<>> -x 129.63.24.90
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30808
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;90.24.63.129.in-addr.arpa.     IN      PTR
>
> ;; ANSWER SECTION:
> 90.24.63.129.in-addr.arpa. 86393 IN     PTR     lucky.cs.uml.edu.
>
> ;; AUTHORITY SECTION:
> 24.63.129.in-addr.arpa. 86393   IN      NS      saturn.cs.uml.edu.
> 24.63.129.in-addr.arpa. 86393   IN      NS      mars.cs.uml.edu.
> 24.63.129.in-addr.arpa. 86393   IN      NS      phobos.cs.uml.edu.
>
> ;; ADDITIONAL SECTION:
> saturn.cs.uml.edu.      253227  IN      A       129.63.8.2
> mars.cs.uml.edu.        253227  IN      A       129.63.32.3
> phobos.cs.uml.edu.      253227  IN      A       129.63.16.100
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jun 29 17:19:39 2002
> ;; MSG SIZE  rcvd: 182

I doubt that either of those registrars require matching A/PTR records.

In any case, it's a moot point since for lucky.cs.uml.edu, the A and PTR
records *do* match. Why do you think they don't? Look at what's in the
Answer section of the response...


- Kevin



------------------------------

Date: Mon, 01 Jul 2002 16:26:02 -0400
From: Kevin Darcy <kcd at daimlerchrysler.com>
Subject: Re: Requirements to register my BIND DNS server with register.com?


HYK_TremorZ at hotmail.com wrote:

> Hi,
>
>   I've been having trouble registering my DNS server
> (lucky.cs.uml.edu) on register.com's website for my domain name
> testing123.net.
>
>   The computer that BIND is hosted on happens to be in a computer lab
> here at the University of Massachusetts Lowell.  Are there any
> requirements that I should know about when trying to register my DNS
> server? Do I have to change the in-addr.arpa PTR records? Do I have to
> own them?  I just can't find any conceivable reason why I shouldn't be
> allowed to register this server and it's driving me insane :(  Any
> help would be greatly appreciated, thanks.

If the error messages from the registration tool don't explain the
problem sufficiently, use email or the phone to find out from your
registrar what the real problem is.


- Kevin



------------------------------

From: "Ben Timby" <ben at webexc.com>
Subject: Load balancing w/ failover.
Date: Mon, 1 Jul 2002 14:47:14 -0500




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, I would like to know the easiest way to setup the following:

4 DNS servers running BIND 8
1 controller machine that distributes queries to the 4 DNS servers
evenly.
Controller will skip any machine that is not responding.
None of the DNS servers are authoritative.
I would also like a way of sharing cache, or sending like queries to
the same box since the domain record would already be in cache.

I need this setup for my Lyris ListManager box, it is killing my
current DNS server. Lyris says not to just setup multiple DNS servers
as if one fails, it will actually slow down mail delivery more than
just using a single DNS server would. I would like a nice automatic
solution that always works, our lyris box cannot slow down :-). I
took a look at:

lbnamed
http://www.stanford.edu/~riepel/lbnamed/

And it seems to lack good docs (maybe I have not dug into it enough
yet).

Does anyone have experience w/ it? Will it do what I want? Is there a
better/easier way?

Thanks in advance.

Ben Timby
Webexcellence
asp at webexc.com
www.webexc.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPSCxuPnby1cCm2Q8EQJ38QCgkLfAHZDnrJUpY+bLWJZ7oqxFSlMAoNck
iwxvTSyhdQsklaod9X+L2ABw
=uibo
-----END PGP SIGNATURE-----


------------------------------

From: those who know me have no need of my name <not-a-real-address at usa.net>
Subject: Re: bind  issue
Date: 01 Jul 2002 04:54:20 GMT



in comp.protocols.dns.bind i read:

>How can I close the named port, as there is a name server running on my
>machine with more than two interfaces?

>But I want that when I run named it should listen on one port
>onlyyyyyyyyyy

interface-interval 0;    // turn off interface scanning
listen-on { 1.2.3.4; };  // listen only on these addresses

--
bringing you boring signatures for 17 years

------------------------------

Date: Mon, 1 Jul 2002 14:25:00 -0700 (PDT)
From: Steve Lee <maillist at blitzen.net>
Subject: Re: Load balancing w/ failover.


Lyris is junk, from my experience. Why even bother using it?
Shoddy software.

my 2 cents.




On 1 Jul 2002 phn at icke-reklam.ipsec.nu wrote:

>
> Ben Timby <asp at webexc.com> wrote:
>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
>
> > Hello, I would like to know the easiest way to setup the following:
>
> > 4 DNS servers running BIND 8
>
> 4 intelboxes + FreeBSD from CDROM. 15 minutes / box. Bind-8 included
> in basic kit.
>
> > 1 controller machine that distributes queries to the 4 DNS servers
>
> One more intelbox + FreeBSD, this one with a 'forwarders { the four above };'
>
>
> Another
> > evenly.
> > Controller will skip any machine that is not responding.
> > None of the DNS servers are authoritative.
> > I would also like a way of sharing cache, or sending like queries to
> > the same box since the domain record would already be in cache.
>
> > I need this setup for my Lyris ListManager box, it is killing my
> > current DNS server. Lyris says not to just setup multiple DNS servers
> > as if one fails, it will actually slow down mail delivery more than
> > just using a single DNS server would. I would like a nice automatic
> > solution that always works, our lyris box cannot slow down :-). I
> > took a look at:
>
> You still have a single point of failure in my suggestion. But since
> 'lyris' does not cope gracefully with a nameserver failure this might be
> your best solution.   ( not mentioning OSPF tricks which under carefully
> controlled environments give a transparent switchover )
>
> > lbnamed
> > http://www.stanford.edu/~riepel/lbnamed/
>
> > And it seems to lack good docs (maybe I have not dug into it enough
> > yet).
>
> > Does anyone have experience w/ it? Will it do what I want? Is there a
> > better/easier way?
>
> Install a Good Working bind in a Good HW and use FreeBSD( or if you are so
> inclined solaris on sparc).
>
> > Thanks in advance.
>
> > Ben Timby
> > Webexcellence
> > asp at webexc.com
> > www.webexc.com
>
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 7.0.4
>
> > iQA/AwUBPSCyavnby1cCm2Q8EQK8MQCeLLah27h1k07GQ8I91i//JK0Sd+kAn2KE
> > rUiL37wrwjwqNARU4HtELMGN
> > =G+HS
> > -----END PGP SIGNATURE-----
>
>
>
>


------------------------------

From: HYK_TremorZ at hotmail.com (Crazy Diamond)
Subject: Question about adding new domains/subdomains/parenting (real confused
Date: 1 Jul 2002 14:39:16 -0700



Ok,

  I'm trying to add my host lucky.cs.uml.edu as a nameserver for my
new domain name testing123.net (incidentally, lucky.cs.uml.edu and
testing123.net will be on the same computer).  I've had problems
adding lucky.cs.uml.edu to the list of name servers at register.com
(which is what I used to register testing123.net).  Basically, the
webform won't let me add it.  From my understanding, do I need to add
an NS record to lucky's parent (cs.uml.edu... saturn.cs.uml.edu being
the nameserver for the cs.uml.edu zone) indicating that lucky is a
nameserver?

Would the following record on saturn.cs.uml.edu work:

lucky IN NS lucky.cs.uml.edu.

(ps, there should already be an A record for lucky on saturn).

Thanks in advance.

------------------------------

Date: Mon, 01 Jul 2002 18:08:47 -0400
From: Kevin Darcy <kcd at daimlerchrysler.com>
Subject: Re: Question about adding new domains/subdomains/parenting (real


HYK_TremorZ at hotmail.com wrote:

> Ok,
>
>   I'm trying to add my host lucky.cs.uml.edu as a nameserver for my
> new domain name testing123.net (incidentally, lucky.cs.uml.edu and
> testing123.net will be on the same computer).  I've had problems
> adding lucky.cs.uml.edu to the list of name servers at register.com
> (which is what I used to register testing123.net).  Basically, the
> webform won't let me add it.  From my understanding, do I need to add
> an NS record to lucky's parent (cs.uml.edu... saturn.cs.uml.edu being
> the nameserver for the cs.uml.edu zone) indicating that lucky is a
> nameserver?
>
> Would the following record on saturn.cs.uml.edu work:
>
> lucky IN NS lucky.cs.uml.edu.
>
> (ps, there should already be an A record for lucky on saturn).

No, that's completely unnecessary, and unless you're actually going to
define a "lucky.cs.uml.edu" zone on lucky.cs.uml.edu, it would be lame
for the zone. Which is Not a Good Thing.

Do you think the name of every nameserver on the Internet has its own
zone? fxshpr01.extra.daimlerchrysler.com -- as one example among many --
doesn't.

TALK TO YOUR REGISTRAR. Making wild conjectures about what your
registrar requires or doesn't require, for their proprietary
registration form/CGI/whatever, isn't a very efficient way of resolving
this issue. Sometimes you just have to go directly to the source. Email
and the telephone are wonderful inventions.


- Kevin



------------------------------

From: Mark_Andrews at isc.org
Subject: Re: Upgrading to BIND9 (was Re: bind8.2 security issues)
Date: Tue, 02 Jul 2002 08:51:20 +1000


>
> All,
>
> One other thing, should I have compiled bind9 with libbind? I noticed it is
> not selected as default when running configure.

	No.  Libbind in 9.2.[01] contains the vulnerable code.
>
> many thanks
>
> STeve
> Steve Foster
> Senior Systems Administrator
> PSINet Europe
> Work: +44 (1223) 577322
> Mobile: +44 (7720) 425911
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

------------------------------

From: "Steve-Kai Vyska" <vyska at web.de>
Subject: problems with notify
Date: Tue, 2 Jul 2002 02:03:40 +0200

Hi,

I have activated notify on both of my bind9 DNS servers. As soon as I alter
the zone files on my primary server, the secondary says:

notify failed: not authoritative for notify zone (REFUSED)

although the server that sends the notify is authoritative for the domain?

Has anyone an Idea, what is wrong?

Steve



------------------------------

Date: Mon, 01 Jul 2002 20:13:00 -0400
From: Kevin Darcy <kcd at daimlerchrysler.com>
Subject: Re: problems with notify


Steve-Kai Vyska wrote:

> Hi,
>
> I have activated notify on both of my bind9 DNS servers. As soon as I alter
> the zone files on my primary server, the secondary says:
>
> notify failed: not authoritative for notify zone (REFUSED)
>
> although the server that sends the notify is authoritative for the domain?

Is the slave authoritative for the zone?


- Kevin



------------------------------

From: Mark_Andrews at isc.org
Subject: Re: client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
Date: Tue, 02 Jul 2002 11:50:06 +1000


> I was using BIND 9.1.0 until recently, now I am using BIND 9.2.1.
> The upgrade implies that the log file is filling up with the message
>
> client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
>
> for various domains (we are an ISP managing about 250 domains).
> I have seen on this list that one solution to this problem is to fix the
> client (normally Win2k).
> In our case the problem cannot be solved that way (too many clients).

	You might actually get some kudos with your clients if you
	inform them that their machines are mis-configured.  Also
	it is easy enough to automate the reporting.  Just make
	sure there are clear instructions on how to fix the problem.

	Changing the SOA MNAME field just makes debugging harder, people
	can't see which nameserver is the master and which are the slaves.
	It also results in NOTIFY messages being sent to the master server.

	Mark

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
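Mark suggests automating the reporting of the denied-update messages rather than silencing them. As an added example (not code from the thread or from ISC), here is a small log summariser that matches the `client 1.2.3.4#56789: update 'sampledomain.com/IN' denied` line format quoted above, groups the attempts by client address and zone, and renders a per-client report that can be forwarded to the customer together with the fix instructions. The syslog prefix on the sample lines and the addresses and zones in them are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines: the message body is the format quoted in the
# thread; the syslog prefix, client addresses and zone names are made up.
SAMPLE_LOG = """\
Jul  1 10:01:02 ns1 named[1234]: client 1.2.3.4#56789: update 'sampledomain.com/IN' denied
Jul  1 10:01:05 ns1 named[1234]: client 1.2.3.4#56790: update 'sampledomain.com/IN' denied
Jul  1 10:02:17 ns1 named[1234]: client 5.6.7.8#1025: update 'example.net/IN' denied
Jul  1 10:02:18 ns1 named[1234]: client 1.2.3.4#56791: update 'example.net/IN' denied
Jul  1 10:03:00 ns1 named[1234]: client 9.9.9.9#2000: query: www.example.net IN A
"""

# Matches the denied-update message; the source port and class are captured
# but only the address and zone are used for grouping.
UPDATE_DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/(?P<class>\w+)' denied"
)


def parse_update_denied(lines):
    """Yield (client_ip, zone) for every denied dynamic update in the log lines."""
    for line in lines:
        m = UPDATE_DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("zone")


def summarize(lines):
    """Return {client_ip: {zone: attempts}} so each client can be told
    which zones its machines keep trying to update."""
    report = defaultdict(Counter)
    for ip, zone in parse_update_denied(lines):
        report[ip][zone] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


def format_report(summary):
    """Render the summary as text, busiest client first, zones alphabetical."""
    out = []
    for ip in sorted(summary, key=lambda k: (-sum(summary[k].values()), k)):
        total = sum(summary[ip].values())
        zones = ", ".join("%s (%d)" % (zone, n) for zone, n in sorted(summary[ip].items()))
        out.append("%s: %d denied update(s): %s" % (ip, total, zones))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

Run over a day's log, the report tells you which clients to contact; the query line in the sample shows that unrelated messages are ignored rather than miscounted.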

------------------------------

From: phn at icke-reklam.ipsec.nu
Subject: Re: Whats wrong with this
Date: 1 Jul 2002 09:55:58 GMT


tariq at www.jftechnologies.net <tariq at jftechnologies.net> wrote:

> whats wrong with this named.conf file

> /*
> BIND8 main configuration file with master zone statements: named.conf
> */


> acl mynameservers {ip_list;};
> acl myrecursers {ip_list;};
> acl myqueriers {ip_list;};


> options
> {
> directory "d:\windows\system32\dns\etc";
> allow-transfer {localhost;};
> allow-recursion {myrecursers;};
> fetch-glue no;
> version "";
> use-id-pool yes;
> };

> /* remove/add the comment delimiters below to activate/deactivate
> logging */
> /*
> logging
> {
>  channel my_file {file "d:\windows\system32\dns\etc\named.run";
> severity debug; print-time yes; };
>  category default {my_file;};
>  category panic {my_file;};
>  category packet {my_file;};
>  category eventlib {my_file;};
>  category queries {my_file;};
>  category lame-servers { null;};
>  category cname { null;};
> };
> */

> zone "." {type hint; file "db.cache"; };
> zone "anydomain.com" {type master; file "db.anydomain.com"; };
> zone "210.73.212.IN-ADDR.ARPA" {type master; file "db.212.73.210"; };
> zone "0.0.127.IN-ADDR.ARPA" {type master; file "db.127.0.0"; };
> zone "jftechnologies.net" {type master; file "db.jftechnologies.net";
> };

> It is not working on xp.

What is not working? Any traces in an eventlog?


--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

From: Mark_Andrews at isc.org
Subject: Re: TXT records
Date: Tue, 02 Jul 2002 12:09:24 +1000


>
>
> > I am having a problem in updating a TXT record using res_update query
> in
> > BIND 8.2.3, it gives me a FORMERR, I have set the class to IN, type
> t-
> > T_TXT and the RR owner that is the r_dname parameter to
> > host.blr.novell.com and the r_data parameter to the text string
> > "something", but it gives me a format error in the r_data.
>
> Where as I am able to update the same record using the nsupdate
> utility. Could someone tell me as to what should be the format of the
> rdata section for the txt record if I just want to put a string say
> "something"??
>
> Thanks in advance.
> Regards,
> Nitin Khurana.

	The answer depends upon the age of your resolver library.

	I suspect that you have an old resolver library so you will
	need to use "wire format".

	wire format:
	<length octet> <string> [<length octet> <string> ...]

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

------------------------------

From: those who know me have no need of my name <not-a-real-address at usa.net>
Subject: Re: Bind 9.2.1 on Mandrake Linux 8.2
Date: 01 Jul 2002 05:11:45 GMT



in comp.protocols.dns.bind i read:

>I have configured Bind 9.2.1 on Mandrake Linux and the install and
>configuration seemed to go just fine.  But when i run the dig command, this
>is the error message I receive.
>
>; <<>>Dig 9.2.1 <<>>
>;; global options: printcmd
>;; connection timed out; no servers could be reached

smells like your firewall is dropping packets to port 53.

--
bringing you boring signatures for 17 years

------------------------------

Date: Mon, 01 Jul 2002 22:05:16 -0600
From: "Nitin Khurana" <nkhurana at novell.com>
Subject: Re: TXT records


Thanks for the advice but I have tried the wire format also, I have
encoded the string in the length and then the string pair and sent it
using the res_send but still it gives me the same format error.....
its like this.
Mark is encoded as 0x04Mark\0
I hope this is correct.

Could you please let me know how I can solve this problem.

Thanks & Regards,
Nitin Khurana.

>>> <Mark.Andrews at isc.org> 07/02/02 07:39AM >>>

>
>
> > I am having a problem in updating a TXT record using res_update
query
> in
> > BIND 8.2.3, it gives me a FORMERR, I have set the class to IN,
type
> t-
> > T_TXT and the RR owner that is the r_dname parameter to
> > host.blr.novell.com and the r_data parameter to the text string
> > "something", but it gives me a format error in the r_data.
>
> Where as I am able to update the same record using the nsupdate
> utility. Could someone tell me as to what should be the format of
the
> rdata section for the txt record if I just want to put a string say
> "something"??
>
> Thanks in advance.
> Regards,
> Nitin Khurana.

	The answer depends upon the age of your resolver library.

	I suspect that you have an old resolver library so you will
	need to use "wire format".

	wire format:
	<length octet> <string> [<length octet> <string> ...]

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
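Mark's answer gives the TXT wire format as `<length octet> <string> [<length octet> <string> ...]`, and Nitin's follow-up shows an attempted encoding. As an added example (not code from the thread, from ISC, or from the BIND resolver library), here is an encoder and decoder for TXT RDATA in that format, together with a renderer for the quoted presentation form that nsupdate and zone files use. It goes slightly beyond the thread: strings longer than 255 octets are split into several length-prefixed chunks, because a single length octet cannot express more (an assumption about what the caller wants, rather than raising an error), and the decoder rejects a length octet that runs past the end of the data, which is the kind of inconsistency a server reports as a format error.

```python
MAX_CHARSTRING = 255  # one length octet, so at most 255 octets per <string>


def encode_txt_rdata(strings):
    """Encode a list of str/bytes as TXT RDATA: <length octet><octets> per string.

    There is no terminator: the RDATA ends after the last string. Strings longer
    than 255 octets are split into consecutive 255-octet chunks (assumption made
    for this example; a caller may prefer to reject them instead).
    """
    out = bytearray()
    for s in strings:
        data = s.encode("utf-8") if isinstance(s, str) else bytes(s)
        if not data:
            out.append(0)  # an empty <string> is just a zero length octet
        for i in range(0, len(data), MAX_CHARSTRING):
            chunk = data[i:i + MAX_CHARSTRING]
            out.append(len(chunk))
            out += chunk
    return bytes(out)


def decode_txt_rdata(rdata):
    """Decode TXT RDATA back into a list of byte strings.

    Raises ValueError when a length octet claims more octets than remain,
    i.e. the RDATA is malformed.
    """
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("length octet %d at offset %d runs past end of rdata" % (n, i - 1))
        strings.append(bytes(rdata[i:i + n]))
        i += n
    return strings


def to_presentation(strings):
    """Render decoded strings the way nsupdate or a zone file would show them."""
    parts = []
    for s in strings:
        text = s.decode("ascii", "backslashreplace").replace("\\", "\\\\").replace('"', '\\"')
        parts.append('"' + text + '"')
    return " ".join(parts)


if __name__ == "__main__":
    wire = encode_txt_rdata(["Mark"])
    print(wire)                                   # b'\x04Mark'
    print(to_presentation(decode_txt_rdata(wire)))  # "Mark"
    # A stray trailing NUL is not a terminator: it parses as a second, empty string.
    print(decode_txt_rdata(b"\x04Mark\x00"))      # [b'Mark', b'']
```

The decoder makes the encoding rules visible: the length octet is a count, not a delimiter, so a byte appended after the string is read as the start of another <string> rather than as the end of the record.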

------------------------------

From: "Christensen Tom" <paveraware at hotmail.com>
Subject: Bind related Sendmail problem
Date: Tue, 02 Jul 2002 05:13:19 +0000


I used to have only 1 machine running apache and sendmail/imap as a web/mail
server, and I was virtual-hosting multiple domains, everything worked fine.
Now I have broken 2 domains off of that machine, and put them on their own
machines, so I have 1 box running bind, apache sendmail and imap that is
still virtual hosting 4 domains, and everything works.  And 2 other boxen
running bind sendmail apache and imap each hosting a dedicated domain.  Now,
everything works on the 2 new machines except for receiving email.  I can
send email, I can access the web pages from anywhere, but email sent to
those two domains gets returned.  The reason I am posting on this list is
because I had the same problem on the single machine when I set it up, about
1 year ago, and the problem was my Bind configuration. The domains in
question are injuryhelpnow.com and christensen4senate.org.  Previously I
posted on the sendmail boards and someone helped me with the bind
configuration.  They did something to query my DNS and found a problem... I
added dots to the end of the NS entries in my zone files, however, that does
not fix the problem now.





------------------------------

End of bind-users Digest V4 #178
********************************






