<div dir="auto">I highly recommend the following checker: <a href="https://zonemaster.se/en/run-test">https://zonemaster.se/en/run-test</a></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 4, 2024, 3:25 PM Julian Panke via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Maybe <a href="https://dnsviz.net/" target="_blank" rel="noreferrer">https://dnsviz.net/</a> ? </p>
<p dir="ltr">Mit freundlichen Grüßen</p>
<p dir="ltr">Julian Panke<br></p>
<p dir="ltr">-------- Ursprüngliche Nachricht -------- <br>
Am 04.11.24 12:58 um Robert Wagner schrieb : <br>
Any chance someone from the bind group knows of an open-source DNS compliance validation tool that can analyze and check configuration settings? <br>
I hate to say it, but there are a lot of people managing DNS servers as part of other responsibilities. If it responds with an IP, then they consider it working/functional and nothing needs to be done. Having a tool that reviews your configuration and points out issues would help us advocate for proper configuration. Kind of a SSL checker for DNS... </p>
<p dir="ltr">Thanks in advance for any thoughts you can provide. </p>
<p dir="ltr">Robert Wagner<br>
From: bind-users <<a href="mailto:bind-users-bounces@lists.isc.org" target="_blank" rel="noreferrer">bind-users-bounces@lists.isc.org</a>> on behalf of Robert Edmonds <<a href="mailto:edmonds@mycre.ws" target="_blank" rel="noreferrer">edmonds@mycre.ws</a>><br>
Sent: Friday, November 1, 2024 4:16 PM<br>
To: Robert Mankowski <<a href="mailto:robert.mankowski@hotmail.com" target="_blank" rel="noreferrer">robert.mankowski@hotmail.com</a>><br>
Cc: <a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a> <<a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a>><br>
Subject: Re: DNSSEC, OpenDNS and <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a> <br>
<br>
This email originated from outside of TESLA </p>
<p dir="ltr">Do not click links or open attachments unless you recognize the sender and know the content is safe. </p>
<p dir="ltr">This is a problem with the operational configuration of the <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> <br>
nameservers. </p>
<p dir="ltr">The gov nameservers publish the following NS records for <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>: </p>
<p dir="ltr"><a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 10800 IN NS <a href="http://auth00.ns.uu.net" target="_blank" rel="noreferrer">auth00.ns.uu.net</a>. <br>
<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 10800 IN NS <a href="http://auth100.ns.uu.net" target="_blank" rel="noreferrer">auth100.ns.uu.net</a>. <br>
<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 10800 IN NS <a href="http://ns1.cdc.gov" target="_blank" rel="noreferrer">ns1.cdc.gov</a>. <br>
<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 10800 IN NS <a href="http://ns2.cdc.gov" target="_blank" rel="noreferrer">ns2.cdc.gov</a>. <br>
<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 10800 IN NS <a href="http://ns3.cdc.gov" target="_blank" rel="noreferrer">ns3.cdc.gov</a>. </p>
<p dir="ltr">The <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> nameservers publish the following NS records for <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>: </p>
<p dir="ltr"><a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 3600 IN NS <a href="http://ns1.cdc.gov" target="_blank" rel="noreferrer">ns1.cdc.gov</a>. <br>
<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 3600 IN NS <a href="http://ns2.cdc.gov" target="_blank" rel="noreferrer">ns2.cdc.gov</a>. <br>
<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. 3600 IN NS <a href="http://ns3.cdc.gov" target="_blank" rel="noreferrer">ns3.cdc.gov</a>. </p>
<p dir="ltr">This NS RRset from the <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> nameservers (the NS RRset directly above <br>
which has three .<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> NS records) is the authoritative NS RRset for <br>
<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> and is used by standards conforming resolver implementation in <br>
preference to the non-authoritative NS RRset in the referral response <br>
from the .gov nameservers (the NS RRset at the top of this email with <br>
five NS records). See RFC 2181, section 5.4.1. </p>
<p dir="ltr">The domain name <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a> is a CNAME to <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a>: </p>
<p dir="ltr"><a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a>. 300 IN CNAME <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a>. </p>
<p dir="ltr">The ".<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>" nameservers all generate RCODE "REFUSED" answers for <br>
queries for <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a> (as well as <a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>): </p>
<p dir="ltr"> ; <<>> DiG 9.20.2-1-Debian <<>> +norec @<a href="http://ns1.cdc.gov" target="_blank" rel="noreferrer">ns1.cdc.gov</a> <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a> <br>
; (1 server found) <br>
;; global options: +cmd <br>
;; Got answer: <br>
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27267 <br>
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 </p>
<p dir="ltr"> ;; OPT PSEUDOSECTION: <br>
; EDNS: version: 0, flags:; udp: 1232 <br>
;; QUESTION SECTION: <br>
;<a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a>. IN A </p>
<p dir="ltr"> ;; Query time: 4 msec <br>
;; SERVER: 198.246.96.61#53(<a href="http://ns1.cdc.gov" target="_blank" rel="noreferrer">ns1.cdc.gov</a>) (UDP) <br>
;; WHEN: Fri Nov 01 15:40:44 EDT 2024 <br>
;; MSG SIZE rcvd: 45 </p>
<p dir="ltr">This is a standards conformance problem with the .<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> nameservers. <br>
The .<a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> nameservers should either return a response containing <br>
records that answer the query, or a referral response to the nameservers <br>
that do. See RFC 1034, section 4.3.2(3)(b). </p>
<p dir="ltr">The reason that some DNS resolver services are able to resolve this <br>
name is because they are probably also querying the .<a href="http://uu.net" target="_blank" rel="noreferrer">uu.net</a> nameservers <br>
included in the delegation NS RRset for <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>, and those nameservers <br>
are able to return a delegation for the <a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a> zone: </p>
<p dir="ltr"> ; <<>> DiG 9.20.2-1-Debian <<>> +norec @<a href="http://auth00.ns.uu.net" target="_blank" rel="noreferrer">auth00.ns.uu.net</a> <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a> <br>
; (1 server found) <br>
;; global options: +cmd <br>
;; Got answer: <br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51056 <br>
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 </p>
<p dir="ltr"> ;; OPT PSEUDOSECTION: <br>
; EDNS: version: 0, flags:; udp: 1232 <br>
; NSID: 56 65 72 69 7a 6f 6e ("Verizon") <br>
;; QUESTION SECTION: <br>
;<a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a>. IN A </p>
<p dir="ltr"> ;; AUTHORITY SECTION: <br>
<a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>. 86400 IN NS <a href="http://a1-43.akam.net" target="_blank" rel="noreferrer">a1-43.akam.net</a>. <br>
<a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>. 86400 IN NS <a href="http://a5-66.akam.net" target="_blank" rel="noreferrer">a5-66.akam.net</a>. <br>
<a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>. 86400 IN NS <a href="http://a2-64.akam.net" target="_blank" rel="noreferrer">a2-64.akam.net</a>. <br>
<a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>. 86400 IN NS <a href="http://a8-67.akam.net" target="_blank" rel="noreferrer">a8-67.akam.net</a>. <br>
<a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>. 86400 IN NS <a href="http://a9-64.akam.net" target="_blank" rel="noreferrer">a9-64.akam.net</a>. <br>
<a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>. 86400 IN NS <a href="http://a28-65.akam.net" target="_blank" rel="noreferrer">a28-65.akam.net</a>. </p>
<p dir="ltr"> ;; Query time: 16 msec <br>
;; SERVER: 198.6.1.65#53(<a href="http://auth00.ns.uu.net" target="_blank" rel="noreferrer">auth00.ns.uu.net</a>) (UDP) <br>
;; WHEN: Fri Nov 01 15:44:13 EDT 2024 <br>
;; MSG SIZE rcvd: 185 </p>
<p dir="ltr">To be clear, though, this is unambiguously a problem with the <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> <br>
nameservers and not a fault in resolver implementations that utilize the <br>
authoritative NS RRset for <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> which does not include the .<a href="http://uu.net" target="_blank" rel="noreferrer">uu.net</a> <br>
nameservers. </p>
<p dir="ltr">Various issues with the operation of the <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a> zone have been reported <br>
to DNS-OARC's dns-operations mailing list over the years (as well as <br>
other forums). The most recent thread is archived here: </p>
<p dir="ltr"><a href="https://lists.dns-oarc.net/pipermail/dns-operations/2024-July/022642.html" target="_blank" rel="noreferrer">https://lists.dns-oarc.net/pipermail/dns-operations/2024-July/022642.html</a> </p>
<p dir="ltr">Robert Mankowski wrote: <br>
> I recently implemented a forward only BIND server for home. I was forwarding to <br>
> OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a <br>
> noticeable amount of SERVFAIL responses. I believe it is related to DNSSEC (see <br>
> delv tests below), but I don’t believe it is my configuration because when I <br>
> forward to Cloudflare’s Family service, or to Google DNS, I don’t have any <br>
> problems with the same domains (e.g. <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a>). <br>
> <br>
> <br>
> <br>
> I contacted Cisco Umbrella support because I was thinking it’s an issue with <br>
> their servers, but they didn’t really help, so I thought I would try this list <br>
> for advice. <br>
> <br>
> <br>
> <br>
> Would appreciate it if someone could review my configuration and/or reproduce <br>
> my results to see if I’m doing something wrong. <br>
> <br>
> <br>
> <br>
> Thanks, <br>
> <br>
> <br>
> <br>
> Bob <br>
> <br>
> <br>
> <br>
> Here are some tests I ran: <br>
> <br>
> <br>
> <br>
> admin@router1:~$ apt-cache policy bind9 <br>
> <br>
> bind9: <br>
> <br>
> Installed: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 <br>
> <br>
> Candidate: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 <br>
> <br>
> Version table: <br>
> <br>
> *** 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 500 <br>
> <br>
> 500 <a href="https://packages.sury.org/bind-dev" target="_blank" rel="noreferrer">https://packages.sury.org/bind-dev</a> bookworm/main amd64 Packages <br>
> <br>
> 100 /var/lib/dpkg/status <br>
> <br>
> 1:9.18.28-1~deb12u2 500 <br>
> <br>
> 500 <a href="http://deb.debian.org/debian" target="_blank" rel="noreferrer">http://deb.debian.org/debian</a> bookworm/main amd64 Packages <br>
> <br>
> 500 <a href="http://security.debian.org/debian-security" target="_blank" rel="noreferrer">http://security.debian.org/debian-security</a> bookworm-security/main <br>
> amd64 Packages <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> admin@router1:~$ delv -v <br>
> <br>
> delv 9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7-Debian <br>
> <br>
> <br>
> <br>
> admin@router1:~$ delv -4 @<a href="http://208.67.220.123" target="_blank" rel="noreferrer">208.67.220.123</a> <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a>. A <br>
> <br>
> ;; insecurity proof failed resolving '<a href="http://cdc.gov/DNSKEY/IN" target="_blank" rel="noreferrer">cdc.gov/DNSKEY/IN</a>': 208.67.220.123#53 <br>
> <br>
> ;; broken trust chain resolving '<a href="http://www.cdc.gov/A/IN" target="_blank" rel="noreferrer">www.cdc.gov/A/IN</a>': 208.67.220.123#53 <br>
> <br>
> ;; resolution failed: broken trust chain <br>
> <br>
> <br>
> <br>
> admin@router1:~$ delv -4 @<a href="http://208.67.222.123" target="_blank" rel="noreferrer">208.67.222.123</a> <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a>. A <br>
> <br>
> ;; insecurity proof failed resolving '<a href="http://cdc.gov/DNSKEY/IN" target="_blank" rel="noreferrer">cdc.gov/DNSKEY/IN</a>': 208.67.222.123#53 <br>
> <br>
> ;; broken trust chain resolving '<a href="http://www.cdc.gov/A/IN" target="_blank" rel="noreferrer">www.cdc.gov/A/IN</a>': 208.67.222.123#53 <br>
> <br>
> ;; resolution failed: broken trust chain <br>
> <br>
> <br>
> <br>
> admin@router1:~$ delv -4 @<a href="http://1.1.1.3" target="_blank" rel="noreferrer">1.1.1.3</a> <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a>. A <br>
> <br>
> ; fully validated <br>
> <br>
> <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a>. 248 IN CNAME <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a>. <br>
> <br>
> <a href="http://www.cdc.gov" target="_blank" rel="noreferrer">www.cdc.gov</a>. 248 IN RRSIG CNAME 8 3 300 20241019153420 <br>
> 20241009150230 1503 <a href="http://cdc.gov" target="_blank" rel="noreferrer">cdc.gov</a>. <br>
> b99UIGmCOTJj+C7JFXORmtUXQEIIGdF0q3Z5u6HfAbKcJhjfFjJrkRE6 <br>
> yntzr0pSksCp1Uwi146xvKz7ImCqkYK67/WlOujyquOGSfgOwO1DvUyj <br>
> TfvXJWvjSRLTx30lwU6RV80RrC596A16anTpLc7Zi4VEAVncRHeUl1y1 /MG/CSCtE/ <br>
> Ef6tPD1FtGZjhXszVAgrk3fhISCsImRHuGAoIBnIKCKx2M <br>
> YMhxirfV0z9Qq46PnW9zTzh+EbVKZkN0C+Xl3j2+4sqyHlubhrtgklG/ g0u+99/g/ <br>
> jdfex+Vh7dtcAXFcTZ1XGuPQXgsn6GrznecB8PaXmCxXfft GaDOdQ== <br>
> <br>
> <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a>. 20 IN A 23.51.224.222 <br>
> <br>
> <a href="http://www.akam.cdc.gov" target="_blank" rel="noreferrer">www.akam.cdc.gov</a>. 20 IN RRSIG A 10 4 20 20241018102927 <br>
> 20241015092927 16701 <a href="http://akam.cdc.gov" target="_blank" rel="noreferrer">akam.cdc.gov</a>. <br>
> Lcd7WthqqU+A7UwQkBHZsT0nqxztJkn9cx57wXr4eHHCvJR0cCxZFkwl <br>
> eIbSffPIu364terXJlcEvuWbWTLrCX7bo0c6B9bA5EPi2DsbegTfkG5u <br>
> cqrZP9RTzXbfbs5l5w6CQ9DfSPcYx9BIYkusErQu5qQnGhoQ5bXI1VxT Otc= <br>
> <br>
> <br>
> <br>
> The relevant portion of my named configuration is: <br>
> <br>
> <br>
> <br>
> tls opendns-tls { <br>
> <br>
> remote-hostname "<a href="http://dns.opendns.com" target="_blank" rel="noreferrer">dns.opendns.com</a>"; <br>
> <br>
> }; <br>
> <br>
> <br>
> <br>
> tls cloudflare_family-tls { <br>
> <br>
> remote-hostname "one.one.one.one"; <br>
> <br>
> }; <br>
> <br>
> <br>
> <br>
> tls google-tls { <br>
> <br>
> }; <br>
> <br>
> <br>
> <br>
> tls router1-tls { <br>
> <br>
> key-file "/var/cache/bind/privkey.pem"; <br>
> <br>
> cert-file "/var/cache/bind/fullchain.pem"; <br>
> <br>
> dhparam-file "/var/cache/bind/dhparam.pem"; <br>
> <br>
> ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:! <br>
> SHA1:!SHA256:!SHA384"; <br>
> <br>
> prefer-server-ciphers yes; <br>
> <br>
> session-tickets no; <br>
> <br>
> }; <br>
> <br>
> <br>
> <br>
> options { <br>
> <br>
> directory "/var/cache/bind"; <br>
> <br>
> recursion yes; <br>
> <br>
> allow-query { trusted_nets; }; <br>
> <br>
> version "none"; <br>
> <br>
> <br>
> <br>
> forwarders { <br>
> <br>
> # 1.1.1.3 port 853 tls cloudflare_family-tls; <br>
> <br>
> # 1.0.0.3 port 853 tls cloudflare_family-tls; <br>
> <br>
> 208.67.222.123 port 853 tls opendns-tls; <br>
> <br>
> 208.67.220.123 port 853 tls opendns-tls; <br>
> <br>
> # 8.8.8.8 port 853 tls google-tls; <br>
> <br>
> # 8.8.4.4 port 853 tls google-tls; <br>
> <br>
> }; <br>
> <br>
> <br>
> <br>
> forward only; <br>
> <br>
> <br>
> <br>
> allow-transfer { none; }; <br>
> <br>
> <br>
> <br>
> dnssec-validation auto; <br>
> <br>
> <br>
> <br>
> listen-on port 443 tls router1-tls http default { trusted_interfaces; }; <br>
> <br>
> listen-on port 853 tls router1-tls { trusted_interfaces; }; <br>
> <br>
> listen-on { trusted_interfaces; }; <br>
> <br>
> listen-on-v6 { none; }; <br>
> <br>
> <br>
> <br>
> zone-statistics yes ; <br>
> <br>
> }; <br>
> <br>
> <br>
> <br>
> <br>
> </p>
<p dir="ltr">> -- <br>
> Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list <br>
> <br>
> ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank" rel="noreferrer">https://www.isc.org/contact/</a> for more information. <br>
> <br>
> <br>
> bind-users mailing list <br>
> <a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a> <br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a> <br></p>
<p dir="ltr">-- <br>
Robert Edmonds <br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list </p>
<p dir="ltr">ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank" rel="noreferrer">https://www.isc.org/contact/</a> for more information. <br></p>
<p dir="ltr">bind-users mailing list <br>
<a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a> <br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a> <br>
</p>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>