framapiaf.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon service provided by the popular-education association Framasoft.

#bind9

Ansgar Hegerfeld
Nice DNS workaround that I did not know or need until now: to reset the serial number of a record that was set too far into the future (e.g. by accident), you just have to make the 32-bit field overflow and thus wrap back to 0. After that you can set it to the desired value again 😅

https://www.zytrax.com/books/dns/ch9/serial.html

#DNS #bind9
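The wrap-around trick in the post above, as an added example that is not part of the original post: RFC 1982 serial comparison plus a helper that computes the hops a secondary will accept when rolling a serial back to a lower value. It generalizes the "overflow to 0, then set the target" recipe by computing the shortest accepted chain directly; the serial values are constructed.

```python
# Added example, not from the original post: RFC 1982 serial arithmetic and the
# serial "wrap-around" rollback that the post describes.
MOD = 1 << 32        # the SOA serial is an unsigned 32-bit field
HALF = 1 << 31       # RFC 1982 comparison window
MAX_STEP = HALF - 1  # largest increment a secondary still accepts as "newer"


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 section 3.2.

    The difference is taken modulo 2^32, so a small value just past the
    wrap (e.g. 5) compares newer than a value just before it (2^32 - 1).
    """
    return a != b and (a - b) % MOD < HALF


def serial_add(s: int, n: int) -> int:
    """Add n to serial s with 32-bit wrap-around (RFC 1982 section 3.1).

    Only increments up to 2^31 - 1 are meaningful: anything larger lands
    outside the comparison window and looks *older* to a secondary.
    """
    if not 0 <= n <= MAX_STEP:
        raise ValueError("increment must be in 0 .. 2^31-1")
    return (s + n) % MOD


def rollback_plan(current: int, target: int) -> list[int]:
    """Serials to publish, in order, to get from current to target.

    Every hop is within 2^31 - 1 of the previous one, so each is accepted as
    newer; at most three hops are ever needed. Each hop must have reached all
    secondaries before the next one is loaded on the primary.
    """
    plan = []
    s = current
    while s != target:
        distance = (target - s) % MOD      # forward distance, wrapping
        s = serial_add(s, min(distance, MAX_STEP))
        plan.append(s)
    return plan


if __name__ == "__main__":
    # Constructed values: a serial typo'd into the year 2099, and the value
    # it should have had.
    too_high, wanted = 2099010100, 2024060101
    print("direct set accepted by secondaries?", serial_gt(wanted, too_high))
    for hop in rollback_plan(too_high, wanted):
        print("publish serial", hop)
```

Before loading the next hop, confirm every secondary already serves the previous one (query its SOA), otherwise that secondary sees an out-of-window serial and silently keeps the old zone.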
Felix Palmen
Adventures getting #Netflix to work in a somewhat complex home #network 🤯

I decided to give their plan with ads a chance, sounding like a somewhat fair deal. First issue was, I couldn't even register. It only offered me US plans. Figured that's because my #IPv6 connectivity is tunnelled through #HE (for reasons, different story). Of course using an endpoint here in Germany, but nevertheless, Netflix seemed to think it's a US located address.

Running my own #bind9 instance, I found a way to hide relevant AAAA records (netflix' own domain and also amazonws) by adding a view only operating on local loopback and filtering out ALL AAAA records, and then adding forward-only zones for these domains to this local view. Horrible, but works, now I could register, forcing #IPv4.

One particularly cheap "smart-tv" still couldn't connect to netflix, always showing me an error that I was using some "VPN". 🤨 No way to analyze what exactly was happening there, but I finally found a solution for that as well: I created an entirely new network segment (with its own #vlan on the switch). I don't offer IPv6 in this segment at all, and only allow it to access the internet as well as my local #dns server. Putting all tv sets and my #minidlna instance into this segment, everything finally works.

The nice thing is, I always wanted to isolate the tv sets anyways, and this is now finally done, they're unable to see the rest of my home network! 🥳 Still a bit sad I have to restrict them to IPv4 for now, just to work around netflix' geolocation stuff... 🫤
x0r
I'm currently playing around with DNSSEC. I have a hidden primary BIND server sign my zone and push it to publicly-visible secondaries.

But for KSK rollovers, I have to use my registrar's REST API to publish a new DS record set.

With opendnssec, when it's time to publish a new set of DS records, it can call a script to that effect. Can BIND also run such custom commands?

#BIND #BIND9 #DNS #DNSSEC
Fink
Does someone here know their way around #bind9 releases? I expected v9.20 at the end of March 2024 as documented in https://kb.isc.org/docs/aa-00896 :/

https://gitlab.isc.org/isc-projects/bind9/-/milestones/69#tab-issues also does not really help with an ETA

#dns
@iscdotorg

Edit: release will be on 17.7.2024: https://lists.isc.org/pipermail/bind-announce/2024-July/001251.html
And the boxes in the timeline are not to be read as "release at the beginning of that box" but "release within that box". The linked project milestones might hint at when something will happen in that direction :)
Petr Menšík
@bortzmeyer @draeath @Shamar it depends. No stable #bind9 release can forward over DoT (yet). None of them can forward over #DoH even on the latest commit afaik.
Petr Menšík
@draeath @Shamar no, both #bind9 and #unbound implement only the server side. They can accept queries over DoH, but cannot forward them to a DoH remote server. I am not sure about Knot, but it might have the same problem. Forwarding over DoH is a rare ability. Dnsdist is one of the few capable of it.
ISC.org
ISC's Matthijs Mekking recently spoke on an Encrypted DNS Policy call about the #DNSSEC multi-signer model. His presentation covered best practices, rollovers, automation, and #BIND9 configuration.

Slides and recording available at https://www.isc.org/presentations/
Felix Palmen 📯
@jhx For writing some kind of "howto", I'll have to find a sane scope ... otherwise there would be just too much to describe I guess 😮

I could of course assume you already have

- network segmentation with a #DMZ
- a working "domain" setup with a directory and #DNS (e.g. #samba, but could be #OpenLDAP with #bind9 as well)
- (virtual) machines providing #RDP (with #xrdp in case of #Linux or #FreeBSD)
- a working mechanism to distribute X.509 #TLS #certificates (I request them from #letsencrypt using #uacme and distribute them with simple shell scripts using special-purpose restricted #SSH keys)

With all that in place, it would "just" be describing the setup of #guacamole in a #FreeBSD #jail, enabling #TLS on all connection paths...
Petr Menšík
@krcmar @ondrej I have to thank @iscdotorg for the amazing work they do on the #bind9 code. For a codebase about as old as I am, it is remarkably fresh. Still, that is ancient history and a new set of vulnerabilities is out in the world again. Thanks!
Pilou 🐧⚔️
@mike #DNSmasq on #OpenWRT (#TurrisOmnia) and #Bind9 to define my own public NS.
#Pfleger aus #Münster🏳️‍🌈🇪🇺
Am I imagining it?
Tinkered with the #DNS settings on the #Debian #Laptop earlier. Browsing is now a bit snappier than before...

Install #Bind9

sudo nano /etc/systemd/resolved.conf

DNS=IP Adresse vom DNS anbieter ;-)
FallbackDNS=alternativ IP
DNSSEC=yes
DNSOverTLS=yes
ReadEtcHosts=yes

sudo systemctl restart systemd-resolved

done
mkj
@moira @paul_ipv6 That glue NS RRs and authoritative NS RRs point at different domains isn't *necessarily* a problem (though it's still not good), as long as everything eventually resolves to IP addresses on which there are DNS servers authoritative for the zone you're trying to resolve names in.

In recursive mode BIND should be determining that one IP address isn't responding and resort to the second one. Maybe check resolver-query-timeout?

#BIND #BIND9
Solarbird
ugh i don't even know how to search for this properly

there's a domain that lists two DNS servers, one is fine, the second is a non-resolving hostname. it's not just not answering: it doesn't even resolve to an IP address.

(no, it's not just me, google DNS can't resolve the broken one either.)

if _my_ instance of bind9 on _my_ domain's DNS server tries the broken nameserver first, it obviously fails to resolve in any form.

the problem is that it does _not_ proceed to try the server that I know is working, and it should.

i've told the domain's owner that their DNS is fucked up and how, but really, I shouldn't've ever noticed.

anybody got any ideas why bind9 isn't trying the second server? because this is dumb.

#dns #bind9 #debian
Colin Cogle 🔵
@jabberati @debacle For what it's worth, I use a hidden master running BIND. Hurricane Electric provides my public-facing nameservers. #BIND9 #DNS #DNSSEC https://dns.he.net
Uhuru
dear #lazyweb, any (automated) script for rotating DKIM keys in #rspamd and #bind9 out there?

#dkim
ADMIN magazine
Did you miss last week's ADMIN Update newsletter? Read it now and subscribe free to get it every Wednesday https://mailchi.mp/admin-magazine/admin-update-querying-sensors-for-metrics #metrics #sensors #DevSecOps #Cisco #Splunk #BIND9 #KeePass #Matrix #ZeroTrust
Shane Kerr
"apt update" on a Sunday night and my e-mail starts filling up with cron errors:

"Use of K* file pairs for HMAC is deprecated"

That -k syntax is still in the manual page, so I have no idea what happened. Looking at BIND 9 release notes the only thing which seems possibly related is this:

"The ability to read HMAC-MD5 key files, which was accidentally lost in BIND 9.18.8, has been restored."

But that is about *restoring* access, and Debian is at 9.18.19, so it should be fixed? 😭

#bind9
Vftdan
How to completely disable DNSSEC in bind9 for exactly one zone?

#dns #bind9 #named