From sbeyer at reactor.de Wed Jun 11 20:19:36 2008
From: sbeyer at reactor.de (Steffen Beyer)
Date: Thu, 12 Jun 2008 02:19:36 +0200
Subject: MaraDNS as secondary
Message-ID:

Hi,

wanting to run Mara as a secondary DNS for a number of domains, I developed two short Ruby scripts to fetch the zone data, check the serial against the local copy and restart maradns as necessary. The list of zonefiles is inserted into the mararc before the restart. A separate script deletes old zonefiles. Note that the SOA refresh time is being ignored.

Call at least fetchzones.rb via crontab. Path and file names are based on the FreeBSD port, check before use.

Regards,
--
Steffen Beyer

GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
Public key available upon request or at http://wwwkeys.de.pgp.net


From sbeyer at reactor.de Wed Jun 11 20:23:10 2008
From: sbeyer at reactor.de (Steffen Beyer)
Date: Thu, 12 Jun 2008 02:23:10 +0200
Subject: MaraDNS as secondary
In-Reply-To:
References:
Message-ID:

On Thu, 12 Jun 2008 02:19:36 +0200, Steffen Beyer wrote:

> wanting to run Mara as a secondary DNS for a number of domains, I
> developed two short Ruby scripts

My attachments got truncated, as it seems. :/

Now I put the files here:

http://teralink.net/misc/fetchzones.rb
http://teralink.net/misc/wipezones.rb

Regards,
--
Steffen Beyer

GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
Public key available upon request or at http://wwwkeys.de.pgp.net


From strenholme.usenet at gmail.com Thu Jun 12 11:07:07 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 12 Jun 2008 10:07:07 -0500
Subject: MaraDNS as secondary
In-Reply-To:
References:
Message-ID: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com>

Thanks a lot for the contributions to MaraDNS. I'm really sorry that I've been neglecting Mara; I will however integrate these scripts into MaraDNS 1.3 (if you don't mind) and release a new version of MaraDNS 1.3 in the next few days. Is this OK with you? What is the license for these scripts?

The one thing I want to do before making a new release is getting Deadwood (the next-generation recursive resolver; right now it's a caching-only DNS server) to be able to read and write its cache from a file. I added this ability, but it's not working for some reason :(

- Sam

2008/6/11 Steffen Beyer :
> On Thu, 12 Jun 2008 02:19:36 +0200, Steffen Beyer wrote:
>
>> wanting to run Mara as a secondary DNS for a number of domains, I
>> developed two short Ruby scripts
>
> My attachments got truncated, as it seems. :/
>
> Now I put the files here:
>
> http://teralink.net/misc/fetchzones.rb
> http://teralink.net/misc/wipezones.rb
>
> Regards,
> --
> Steffen Beyer
>
> GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
> Public key available upon request or at http://wwwkeys.de.pgp.net
>


From strenholme.usenet at gmail.com Thu Jun 12 15:21:55 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 12 Jun 2008 14:21:55 -0500
Subject: MaraDNS as secondary
In-Reply-To: <48517043.5060705@damm.com>
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com> <48517043.5060705@damm.com>
Message-ID: <7bd685720806121221s2dfc3838iacbcd66781b6e531@mail.gmail.com>

Please direct MaraDNS support requests to the MaraDNS mailing list. I no longer answer MaraDNS support requests via private mail.

Please read:

http://maradns.blogspot.com/2008/06/maradns-email-support-suspended.html

Or the newly revised

http://www.maradns.org/contact.html

- Sam

2008/6/12 Mike Damm :
> I've been working on a PHP based zone distribution and management framework
> for MaraDNS, but a few features are holding me back.
>
> It would be awesome to get a few of these added:
> - An "include" operator in the mararc config parser so that machine
>   specific and zone configs can be separated out
> - A command line option to syntax check a config or zone file (Similar to
>   'apachectl configtest')
> - Ability to reload the config (or at least the csv2 hash) without
>   restarting MaraDNS
>
> Thanks,
> Mike
>
> Sam Trenholme wrote:
>> Thanks a lot for the contributions to MaraDNS. I'm really sorry that
>> I've been neglecting Mara; I will however integrate these scripts in
>> to MaraDNS 1.3 (if you don't mind) and release a new version of
>> MaraDNS 1.3 in the next few days. Is this OK with you? What is the
>> license for these scripts?
>>
>> The one thing I want to do before making a new release is getting
>> Deadwood (the next-generation recursive resolver; right now it's a
>> caching-only DNS server) to be able to read and write its cache from a
>> file. I added this ability, but it's not working for some reason :(
>>
>> - Sam
>>
>> 2008/6/11 Steffen Beyer :
>>> On Thu, 12 Jun 2008 02:19:36 +0200, Steffen Beyer wrote:
>>>
>>>> wanting to run Mara as a secondary DNS for a number of domains, I
>>>> developed two short Ruby scripts
>>>
>>> My attachments got truncated, as it seems. :/
>>>
>>> Now I put the files here:
>>>
>>> http://teralink.net/misc/fetchzones.rb
>>> http://teralink.net/misc/wipezones.rb
>>>
>>> Regards,
>>> --
>>> Steffen Beyer
>>>
>>> GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
>>> Public key available upon request or at http://wwwkeys.de.pgp.net
>>>
>


From KenL at GraphixWizard.com Thu Jun 12 15:53:15 2008
From: KenL at GraphixWizard.com (Ken Lyons - Graphix Wizard/Data-Forms)
Date: Thu, 12 Jun 2008 15:53:15 -0400
Subject: MaraDNS as secondary
In-Reply-To: <2008-164-15-2-1213298527-022909@gwizfl.org>
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com> <48517043.5060705@damm.com> <2008-164-15-2-1213298527-022909@gwizfl.org>
Message-ID: <2008-164-15-5-1213300417-013004@gwizfl.org>

>> I've been working on a PHP based zone distribution and management framework
>> for MaraDNS, but a few features are holding me back.
>>
>> It would be awesome to get a few of these added:
>> - An "include" operator in the mararc config parser so that machine
>>   specific and zone configs can be separated out
>> - A command line option to syntax check a config or zone file (Similar to
>>   'apachectl configtest')
>> - Ability to reload the config (or at least the csv2 hash) without
>>   restarting MaraDNS

Those features would be nice. I think most of us that use Mara have already made a workaround. For me, I made a wrapper script that is run from /etc/inittab and a control script /etc/init.d/maradns. The wrapper simply builds a new config from several flat files (i.e. cat xxx > /etc/mara.rc); the control script just kills off the PID to force a respawn and update.

I've been using Mara on a dozen production servers for 2 years, and so far, it's worked great.

Ken Lyons

// Sam Trenholme wrote:
> Please direct MaraDNS support requests to the MaraDNS mailing list. I
> no longer answer MaraDNS support requests via private mail.
>
> Please read:
>
> http://maradns.blogspot.com/2008/06/maradns-email-support-suspended.html
>
> Or the newly revised
>
> http://www.maradns.org/contact.html
>
> - Sam
>
> 2008/6/12 Mike Damm :
>
>> I've been working on a PHP based zone distribution and management framework
>> for MaraDNS, but a few features are holding me back.
>>
>> It would be awesome to get a few of these added:
>> - An "include" operator in the mararc config parser so that machine
>>   specific and zone configs can be separated out
>> - A command line option to syntax check a config or zone file (Similar to
>>   'apachectl configtest')
>> - Ability to reload the config (or at least the csv2 hash) without
>>   restarting MaraDNS
>>
>> Thanks,
>> Mike
>>
>> Sam Trenholme wrote:
>>
>>> Thanks a lot for the contributions to MaraDNS. I'm really sorry that
>>> I've been neglecting Mara; I will however integrate these scripts in
>>> to MaraDNS 1.3 (if you don't mind) and release a new version of
>>> MaraDNS 1.3 in the next few days. Is this OK with you? What is the
>>> license for these scripts?
>>>
>>> The one thing I want to do before making a new release is getting
>>> Deadwood (the next-generation recursive resolver; right now it's a
>>> caching-only DNS server) to be able to read and write its cache from a
>>> file. I added this ability, but it's not working for some reason :(
>>>
>>> - Sam
>>>
>>> 2008/6/11 Steffen Beyer :
>>>
>>>> On Thu, 12 Jun 2008 02:19:36 +0200, Steffen Beyer wrote:
>>>>
>>>>> wanting to run Mara as a secondary DNS for a number of domains, I
>>>>> developed two short Ruby scripts
>>>>
>>>> My attachments got truncated, as it seems. :/
>>>>
>>>> Now I put the files here:
>>>>
>>>> http://teralink.net/misc/fetchzones.rb
>>>> http://teralink.net/misc/wipezones.rb
>>>>
>>>> Regards,
>>>> --
>>>> Steffen Beyer
>>>>
>>>> GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
>>>> Public key available upon request or at http://wwwkeys.de.pgp.net
>>>>
>>
>


From strenholme.usenet at gmail.com Thu Jun 12 17:33:41 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Thu, 12 Jun 2008 16:33:41 -0500
Subject: New support policy
Message-ID: <7bd685720806121433yb91dd3fp3d70ed2d054bb1af@mail.gmail.com>

Due to a hectic work schedule, I no longer have time to personally answer MaraDNS support email. I apologize for any inconvenience caused.

The only MaraDNS personal email I will answer is security bug reports. Please send all MaraDNS support concerns and feature requests to the mailing list. Please do NOT send MaraDNS support concerns to this email address.

- Sam


From kohi at iri.co.jp Thu Jun 12 21:31:41 2008
From: kohi at iri.co.jp (Koh-ichi Ito)
Date: Fri, 13 Jun 2008 10:31:41 +0900
Subject: compile error of tcp/zoneserver.c in 1.3.07.08
Message-ID: <200806130131.m5D1VfYR017744@alphonse.himoo.iri.co.jp>

Hello lists!

I noticed the new support policy from Sam, so please let me report my issue here.

Summary:
- A compile error occurred while making MaraDNS 1.3.07.08.
- I could avoid the error, but I'm not sure whether my correction is right or not and would like to hear some opinions.

-----

With MaraDNS 1.3.07.08, I experience the following compile error on tcp/zoneserver.c under FreeBSD 6.3.

Script started on Fri Apr 11 15:38:08 2008
kohi at alphonse[1]% uname -a
FreeBSD alphonse.himoo.iri.co.jp 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #2: Fri Feb 15 09:58:21 JST 2008     kohi at alphonse.himoo.iri.co.jp:/usr/src/sys/i386/compile/alphonse  i386
kohi at alphonse[2]% cc -v
Using built-in specs.
Configured with: FreeBSD/i386 system compiler
Thread model: posix
gcc version 3.4.6 [FreeBSD] 20060305
kohi at alphonse[3]% pwd
/u/share/pub/src/maradns/maradns-1.3.07.08
kohi at alphonse[4]% make
cd libs ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" ; cd ../dns ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" ; cd ../rng ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" ; cd ../parse ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" ; cd ../qual ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" ; cd ../server ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" "DEFINES=-DSELECT_PROBLEM" COMPILED=\""FreeBSD system at Thu Apr 10 15:47:55 JST 2008"\" "VERSION=1.3.07.08" ; cd ../tools ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" ; cd ../tcp ; make CC="cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread" "VERSION=1.3.07.08" ; cat ../00README.FIRST
cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread -O2 -fno-strict-aliasing -pipe -c libtcp.c
cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread -o getzone getzone.c ../libs/JsStr.o ../libs/JsStrOS.o ../libs/JsStrCP.o ../libs/MaraHash.o ../qual/qual_timestamp.o ../dns/Queries.o ../dns/Compress.o ../dns/bobbit.o ../dns/Decompress.o ../parse/ParseMaraRc.o ../parse/ParseCsv1.o ../parse/ParseIpAcl.o ../parse/Parse_ipv6.o ../parse/Csv2_read.o ../parse/Csv2_main.o ../parse/Csv2_parse.o ../parse/Csv2_rr_soa.o ../parse/Csv2_rr_aaaa.o ../parse/Csv2_rr_a.o ../parse/Csv2_rr_wks.o ../parse/Csv2_database.o ../parse/Csv2_rr_txt.o ../parse/Csv2_esc_txt.o ../server/timestamp.o ../server/MaraBigHash.o ../server/read_kvars.o ../server/MaraAnyChain.o libtcp.o
cc -O2 -Wall -pipe -D_THREAD_SAFE -pthread -DVERSION=\"1.3.07.08\" -o zoneserver zoneserver.c ../libs/JsStr.o ../libs/JsStrOS.o ../libs/JsStrCP.o ../libs/MaraHash.o ../qual/qual_timestamp.o ../dns/Queries.o ../dns/Compress.o ../dns/bobbit.o ../dns/Decompress.o ../parse/ParseMaraRc.o ../parse/ParseCsv1.o ../parse/ParseIpAcl.o ../parse/Parse_ipv6.o ../parse/Csv2_read.o ../parse/Csv2_main.o ../parse/Csv2_parse.o ../parse/Csv2_rr_soa.o ../parse/Csv2_rr_aaaa.o ../parse/Csv2_rr_a.o ../parse/Csv2_rr_wks.o ../parse/Csv2_database.o ../parse/Csv2_rr_txt.o ../parse/Csv2_esc_txt.o ../server/timestamp.o ../server/MaraBigHash.o ../server/read_kvars.o ../server/MaraAnyChain.o libtcp.o ../rng/rng-api-fst.o ../rng/rng-alg-fst.o
zoneserver.c: In function `main':
zoneserver.c:1017: error: too few arguments to function `setpgrp'
*** Error code 1

Stop in /u/share/pub/src/maradns/maradns-1.3.07.08/tcp.
*** Error code 1

Stop in /u/share/pub/src/maradns/maradns-1.3.07.08.
kohi at alphonse[5]% exit
exit

Script done on Fri Apr 11 15:38:30 2008

Though I'm not sure whether it is right or wrong, the following patch is enough to avoid the above error.

*** maradns-1.3.07.08/tcp/zoneserver.c-dist	Wed Dec 26 04:14:46 2007
--- maradns-1.3.07.08/tcp/zoneserver.c	Thu Apr 10 15:19:25 2008
***************
*** 1014,1020 ****
      js_string *synth_soa_origin;
  
      /* Kill children processes when we are signaled */
!     if(setpgrp()) {
          printf(strerror(errno)); /* harderror() would kill the group which may not be correct yet */
          return 3;
      }
--- 1014,1020 ----
      js_string *synth_soa_origin;
  
      /* Kill children processes when we are signaled */
!     if(setpgrp(0, getpid())) {
          printf(strerror(errno)); /* harderror() would kill the group which may not be correct yet */
          return 3;
      }

I checked the FreeBSD ports; it was 1.2.12.08 and does not contain the section above ;_;

I guessed your intention from the comment; my understanding is that it sets the pgid of zoneserver to its own one, not the one inherited from the shell, to establish a new pgrp for it and its siblings and isolate them from the shell, so I estimate that the right arguments of setpgrp() must be the above ones. Sure?

Thanks in advance.
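Review bot: the `!` line `if(setpgrp(0, getpid())) {` is not portable: the two-argument `setpgrp(pid, pgrp)` is the historical BSD prototype, while POSIX and glibc declare `setpgrp(void)`, so this compiles on FreeBSD but fails on Linux, as Boris's reply in this thread reports. The call that has one defined meaning on both systems and matches the comment above it (make zoneserver the leader of its own process group so that a group signal reaches its children) is `setpgid(0, 0)`, where pid 0 means the calling process and pgid 0 means "use that process's own pid"; `setpgid(0, getpid())` spells out the same thing. Separately, in the unchanged context line `printf(strerror(errno));` the error text is used as the format string; `printf("%s", strerror(errno));` or `perror("setpgid")` keeps any `%` in a message from being read as a conversion and also sends the diagnostic to stderr, where a daemon's error belongs.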
Koh-ichi Ito


From babal at via.ecp.fr Fri Jun 13 06:18:49 2008
From: babal at via.ecp.fr (Boris Dores)
Date: Fri, 13 Jun 2008 12:18:49 +0200
Subject: compile error of tcp/zoneserver.c in 1.3.07.08
In-Reply-To: <200806130131.m5D1VfYR017744@alphonse.himoo.iri.co.jp>
Message-ID: <20080613101849.GI972@via.ecp.fr>

On Fri, Jun 13, 2008 at 10:31:41AM (GMT+0900), Koh-ichi Ito wrote:
> Though I'm not sure whether it is right or wrong, the
> following patch is enough to avoid the above error.
>
> *** maradns-1.3.07.08/tcp/zoneserver.c-dist	Wed Dec 26 04:14:46 2007
> --- maradns-1.3.07.08/tcp/zoneserver.c	Thu Apr 10 15:19:25 2008
> ***************
> *** 1014,1020 ****
>       js_string *synth_soa_origin;
>
>       /* Kill children processes when we are signaled */
> !     if(setpgrp()) {
>           printf(strerror(errno)); /* harderror() would kill the group which may not be correct yet */
>           return 3;
>       }
> --- 1014,1020 ----
>       js_string *synth_soa_origin;
>
>       /* Kill children processes when we are signaled */
> !     if(setpgrp(0, getpid())) {
>           printf(strerror(errno)); /* harderror() would kill the group which may not be correct yet */
>           return 3;
>       }

Actually, these lines come from a patch of my own that Sam kindly applied. So I will try to answer this one.

I could not test my patch on FreeBSD, and according to [1], it seems that you did find a bug. Unfortunately however, the above proposed patch won't compile on Linux.

1. http://manpages.courier-mta.org/htmlman2/setpgid.2.html

The proper solution seems to be to replace "setpgrp()" by "setpgid(0,0)" (or to #ifdef based on the platform, which seems unnecessary here).

I have checked that this new fix works on Linux. Could you please recompile with this change, and tell us if it works ok on BSD (the purpose of these lines is that if you kill the parent process, it must kill all children too)?

If it does, I think it will be safe for Sam to apply this correction.
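Added example (editor's illustration for this archive, not part of Boris's message and not MaraDNS code) of what the `setpgid(0,0)` fix does and why the zoneserver wants it; it also covers Koh-ichi's later conclusion that a pgid of 0 means "the process's own pid". Ruby's `Process.setpgid`, `Process.getpgid` and `Process.kill` are thin bindings of the same libc calls, so the script shows the behaviour directly: a child calls `Process.setpgid(0, 0)`, becomes leader of a fresh process group (its pgid now equals its own pid, just as the `ps` output later in the thread shows for zoneserver), forks a grandchild that inherits that group, and the parent then signals the whole group with a negative pid, which takes down both descendants in one call. It goes one step beyond the thread by demonstrating the group kill as well as the pgid change; it needs `fork`, so it runs on Unix-like systems only.

```ruby
# Editor's added example; constructed for this archive, not MaraDNS/zoneserver code.
# Shows: setpgid(0, 0) makes the caller its own group leader, children inherit
# the group, and a signal to -pgid reaches every member of the group at once.
def process_group_demo
  reader, writer = IO.pipe
  child = fork do
    reader.close
    before = Process.getpgid(0)   # group inherited from the parent (a shell's, normally)
    Process.setpgid(0, 0)         # same call as the C fix: pid 0 = self, pgid 0 = own pid
    after = Process.getpgid(0)
    grandchild = fork do
      # Forked after setpgid, so this process starts out in the new group.
      writer.write("grandchild #{Process.pid} #{Process.getpgid(0)}\n")
      writer.close
      sleep 5                     # stay alive until the group is signalled
      exit!(1)                    # only reached if the group kill never arrived
    end
    writer.write("child #{Process.pid} #{before} #{after}\n")
    writer.close
    Process.wait(grandchild)      # blocks until the group signal ends both of us
    exit!(0)
  end
  writer.close

  report = { parent_pgid: Process.getpgid(0) }
  reader.each_line do |line|      # returns at EOF, i.e. once both writers closed
    fields = line.split
    case fields.first
    when "child"
      report[:child_pid]         = fields[1].to_i
      report[:child_pgid_before] = fields[2].to_i
      report[:child_pgid_after]  = fields[3].to_i
    when "grandchild"
      report[:grandchild_pid]  = fields[1].to_i
      report[:grandchild_pgid] = fields[2].to_i
    end
  end
  reader.close

  # Negative pid = the whole process group: child and grandchild both get SIGTERM.
  Process.kill("TERM", -report[:child_pgid_after])
  Process.wait(child)
  report[:child_terminated_by_signal] = $?.signaled?
  report
end

if __FILE__ == $0
  process_group_demo.each { |key, value| puts "#{key}: #{value}" }
end
```

Running the script prints a report in which `child_pgid_after` and `grandchild_pgid` both equal `child_pid`, while `child_pgid_before` still equals the parent's group; the `-pgid` kill is the Ruby equivalent of what `harderror()` relies on once zoneserver is its own group leader. Note that the group is created only after `setpgid` returns, which is why the original comment warns that `harderror()` "may not be correct yet" at that point.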
--
Boris Dor?s


From sbeyer at reactor.de Fri Jun 13 10:52:04 2008
From: sbeyer at reactor.de (Steffen Beyer)
Date: Fri, 13 Jun 2008 16:52:04 +0200
Subject: MaraDNS as secondary
In-Reply-To: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com>
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com>
Message-ID:

On Thu, 12 Jun 2008 10:07:07 -0500, Sam Trenholme wrote:

> Thanks a lot for the contributions to MaraDNS. I'm really sorry that
> I've been neglecting Mara;

Well, it is what it is. :)

> I will however integrate these scripts in to MaraDNS 1.3 (if you don't
> mind) and release a new version of MaraDNS 1.3 in the next few days.
> Is this OK with you? What is the license for these scripts?

No problem to publish it under your BSD-style license.

> The one thing I want to do before making a new release is getting
> Deadwood (the next-generation recursive resolver; right now it's a
> caching-only DNS server) to be able to read and write its cache from a
> file. I added this ability, but it's not working for some reason :(

OK, I am going to improve the script a little more until then...

Regards,
--
Steffen Beyer

GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
Public key available upon request or at http://wwwkeys.de.pgp.net


From duane at e164.org Fri Jun 13 11:08:47 2008
From: duane at e164.org (Duane)
Date: Sat, 14 Jun 2008 01:08:47 +1000
Subject: Rough internet draft
Message-ID: <48528D7F.9090907@e164.org>

Don't know if anyone is interested in this or not, but I've been toying with an idea for DNS encryption; this is more important for some applications like ENUM lookups than your run-of-the-mill DNS queries.

In any case I've been trying to get feedback on this and so far pretty much nothing but silence, even from the likes of BIND authors and other DNSd coders.

http://www.e164.org/docs/draft-groth-dns-encryption-00.odt

I sort of have this fleshed out a little more, but informally on the e164.org wiki:

http://www.e164.org/wiki/DNS_Encryption

--

Best regards,
Duane

http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."


From strenholme.usenet at gmail.com Fri Jun 13 14:29:35 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 13 Jun 2008 13:29:35 -0500
Subject: Rough internet draft
In-Reply-To: <48528D7F.9090907@e164.org>
References: <48528D7F.9090907@e164.org>
Message-ID: <7bd685720806131129n36fd2ebdgc3e2dafd967d0bab@mail.gmail.com>

To be honest, I don't see the benefit of this. But, hey, if someone sends me a megapatch implementing this, I may consider merging it into MaraDNS.

I think there should be a rule that whatever new file format or network transport format someone proposes should be accompanied by a complete working implementation of said idea.

And oh, for everyone on the list: If you send me a MaraDNS-related support question to this mailing address, I will *not* answer your question. I reserve the right to post your support email to the MaraDNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential.

- Sam

2008/6/13 Duane :
>
> Don't know if anyone is interested in this or not, but I've been toying
> with an idea for DNS encryption, this is more important for some
> applications like ENUM lookups than your run of the mill DNS queries.
>
> In any case I've been trying to get feed back on this and so far pretty
> much nothing but silence, even from the likes of BIND authors and other
> DNSd coders.
>
> http://www.e164.org/docs/draft-groth-dns-encryption-00.odt
>
> I sort of have this fleshed out a little more, but informally on the
> e164.org wiki:
>
> http://www.e164.org/wiki/DNS_Encryption
>
> --
>
> Best regards,
> Duane
>
> http://www.freeauth.org - Enterprise Two Factor Authentication
> http://www.nodedb.com - Think globally, network locally
> http://www.sydneywireless.com - Telecommunications Freedom
> http://e164.org - Global Communication for the 21st Century
>
> "In the long run the pessimist may be proved right,
> but the optimist has a better time on the trip."
>


From strenholme.usenet at gmail.com Fri Jun 13 14:35:55 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 13 Jun 2008 13:35:55 -0500
Subject: compile error of tcp/zoneserver.c in 1.3.07.08
In-Reply-To: <20080613101849.GI972@via.ecp.fr>
References: <200806130131.m5D1VfYR017744@alphonse.himoo.iri.co.jp> <20080613101849.GI972@via.ecp.fr>
Message-ID: <7bd685720806131135q7c82e901teb00d9ffa4f1a585@mail.gmail.com>

Basically, I applied that patch because it apparently makes the program work a little better in Linux when daemonized. This seems to be a case of me not being careful enough with my patches; there are a lot of these little *NIX crevices that aren't really cross-platform compatible.

It's up to someone using FreeBSD to make a patch that is not only FreeBSD compatible, but able to keep the old daemonization behavior in Linux. I personally only test the program in Linux and Windows + MinGW. I sometimes am charitable and test it in Cygwin for people who want more than the UDP DNS client and "askmara" in Win.

And oh, for everyone on the list: If you send me a MaraDNS-related support question to this mailing address, I will *not* answer your question and reserve the right to post your support email to the MaraDNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential (Yes, I am posting this to the end of every message I post to the list).

2008/6/13 Boris Dores :
> On Fri, Jun 13, 2008 at 10:31:41AM (GMT+0900), Koh-ichi Ito wrote:
>> Though I'm not sure whether it is right or wrong, the
>> following patch is enough to avoid the above error.
>>
>> *** maradns-1.3.07.08/tcp/zoneserver.c-dist	Wed Dec 26 04:14:46 2007
>> --- maradns-1.3.07.08/tcp/zoneserver.c	Thu Apr 10 15:19:25 2008
>> ***************
>> *** 1014,1020 ****
>>       js_string *synth_soa_origin;
>>
>>       /* Kill children processes when we are signaled */
>> !     if(setpgrp()) {
>>           printf(strerror(errno)); /* harderror() would kill the group which may not be correct yet */
>>           return 3;
>>       }
>> --- 1014,1020 ----
>>       js_string *synth_soa_origin;
>>
>>       /* Kill children processes when we are signaled */
>> !     if(setpgrp(0, getpid())) {
>>           printf(strerror(errno)); /* harderror() would kill the group which may not be correct yet */
>>           return 3;
>>       }
>
> Actually, these lines come from a patch of my own that Sam kindly
> applied. So I will try to answer this one.
>
> I could not test my patch on FreeBSD, and according to [1], it seems
> that you did find a bug. Unfortunately however, the above proposed
> patch won't compile on Linux.
>
> 1. http://manpages.courier-mta.org/htmlman2/setpgid.2.html
>
> The proper solution seems to be to replace "setpgrp()" by
> "setpgid(0,0)" (or to #ifdef based on the platform, which seems
> unnecessary here).
>
> I have checked that this new fix works on Linux. Could you please
> recompile with this change, and tell us if it works ok on BSD (the
> purpose of these lines is that if you kill the parent process, it must
> kill all children too)?
>
> If it does, I think it will be safe for Sam to apply this correction.
>
> --
> Boris Dor?s
>


From sbeyer at reactor.de Fri Jun 13 17:27:44 2008
From: sbeyer at reactor.de (Steffen Beyer)
Date: Fri, 13 Jun 2008 23:27:44 +0200
Subject: MaraDNS as secondary
In-Reply-To:
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com>
Message-ID:

On Fri, 13 Jun 2008 16:52:04 +0200, Steffen Beyer wrote:

> OK, I am going to improve the script a little more until then...

Done. :)

Now the SOA refresh is used to determine update intervals. wipezones.rb is no longer needed, its functionality has been integrated. fetchzone is being run unprivileged, documentation...

http://teralink.net/misc/fetchzones-1.0alpha.rb

Would be nice to have some testers to make it a beta release.

Regards,
--
Steffen Beyer

GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
Public key available upon request or at http://wwwkeys.de.pgp.net


From sbeyer at reactor.de Fri Jun 13 17:46:39 2008
From: sbeyer at reactor.de (Steffen Beyer)
Date: Fri, 13 Jun 2008 23:46:39 +0200
Subject: MaraDNS as secondary
In-Reply-To:
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com>
Message-ID:

On Fri, 13 Jun 2008 23:27:44 +0200, Steffen Beyer wrote:

> Would be nice to have some testers to make it a beta release.

As this is my first Ruby script, comments regarding the coding style are appreciated as well! :)

Regards,
--
Steffen Beyer

GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
Public key available upon request or at http://wwwkeys.de.pgp.net


From strenholme.usenet at gmail.com Fri Jun 13 17:52:05 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 13 Jun 2008 16:52:05 -0500
Subject: MaraDNS as secondary
In-Reply-To:
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com>
Message-ID: <7bd685720806131452s7cec2ae8kc562df76e277c7d6@mail.gmail.com>

Looks good. I will integrate it into the next release of MaraDNS, probably next week.

I've been talking to some other people, and I think I will need to take an official break from MaraDNS. I had to end the email support line somewhat messily; the email support has been mainly annoying me. Up until late 2007, it was a good way to find subtle bugs I missed and mistakes in the documentation. Since then, it's just pretty much people giving me stuff answered in the FAQ, feature requests, or "MaraDNS doesn't compile in HP-UX" type bugs, or, ever since I put up the PayPal button, "I just gave you $1 in your PayPal account and want this feature added to MaraDNS RIGHT NOW" type emails.

Sorry, guys. MaraDNS doesn't have a web interface. Doesn't support DNSSEC. Can't reload zones without restarting the program. No SQL support either. Has a strong, but not perfect security history. Yes, I have a PayPal button, but don't talk to me right now about writing code unless you're willing to pay me at least $3000.

So, I just took all of the unanswered support requests from April and May, and told everyone I just don't answer MaraDNS support email any more.

Here is my current plan for MaraDNS: Last time I looked at "Deadwood 2", the new recursive code that is currently a caching-only DNS server, its code to read and write the cache from a file wasn't working. So I want to fix that. I also want to integrate Mr. Beyer's script into MaraDNS' code. This will be the next 1.3 release of MaraDNS, which I hope to release next week sometime (the operative word here is "hope").

Once I do that, I'm officially taking a break. The only MaraDNS updates during my break will be security patches.

Don't send MaraDNS support requests or feature requests to this email address. Send them to the list. Or send me a patch. If you send me a MaraDNS-related support question, I reserve the right to post your support email to the MaraDNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential.

I've taken breaks before; MaraDNS development was really quiet during 2003-2004, for example. I plan on getting back to MaraDNS work, but I just need to no longer be so burnt out.

If anyone is curious about my personal life during the break, my personal blog is at http://www.samiam.org/blog

- Sam


From sbeyer at reactor.de Sun Jun 15 15:50:24 2008
From: sbeyer at reactor.de (Steffen Beyer)
Date: Sun, 15 Jun 2008 21:50:24 +0200
Subject: MaraDNS as secondary
In-Reply-To: <7bd685720806131452s7cec2ae8kc562df76e277c7d6@mail.gmail.com>
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com> <7bd685720806131452s7cec2ae8kc562df76e277c7d6@mail.gmail.com>
Message-ID:

On Fri, 13 Jun 2008 16:52:05 -0500, Sam Trenholme wrote:

> Looks good. I will integrate it in to the next release of MaraDNS,
> probably next week.

This will probably be the final release for now. Mainly bug fixes and code cleanup.

http://teralink.net/misc/fetchzones-1.11beta.rb
http://teralink.net/misc/fetchzones_rb.html

Regards,
--
Steffen Beyer

GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
Public key available upon request or at http://wwwkeys.de.pgp.net


From kohi at iri.co.jp Sun Jun 15 22:56:24 2008
From: kohi at iri.co.jp (Koh-ichi Ito)
Date: Mon, 16 Jun 2008 11:56:24 +0900
Subject: compile error of tcp/zoneserver.c in 1.3.07.08
In-Reply-To: <20080613101849.GI972@via.ecp.fr>
References: <200806130131.m5D1VfYR017744@alphonse.himoo.iri.co.jp> <20080613101849.GI972@via.ecp.fr>
Message-ID: <200806160256.m5G2uO8J030720@alphonse.himoo.iri.co.jp>

Hello Boris,

Thanks for your response.

At Fri, 13 Jun 2008 12:18:49 +0200, Boris Dores wrote:
>
> The proper solution seems to be to replace "setpgrp()" by
> "setpgid(0,0)" (or to #ifdef based on the platform which seems
> unnecessary here).
>
> I have checked that this new fix works on Linux. Could you please
> recompile with this change, and tell us if it works ok on BSD (the
> purpose of these lines is that if you kill the parent process, it must
> kill all children too) ?
>
> If it does, I think it will be safe for Sam to apply this correction.

Compilation with setpgid(0,0) is okay and it looks like setting the pgid to its own pid works fine.

type95# ps ajxwwp 9780
USER  PID  PPID  PGID  SID JOBC STAT TT     TIME COMMAND
bind 9780  9779  9780 9051    1 I    p0  0:00.01 /proj/maradns/sbin/zoneserver

Though setpgid(2) on CentOS says:

    If pgid is zero, the process ID of the process specified by pid is used.
    The call setpgrp() is equivalent to setpgid(0,0).

On the other hand, setpgid(2) on FreeBSD says:

    COMPATIBILITY
    The setpgrp() system call is identical to setpgid(), and is retained
    for calling convention compatibility with historical versions of BSD.

and nothing is mentioned about the case where pgid is 0. You may browse the FreeBSD man page at http://www.freebsd.org/cgi/man.cgi.

As the answer to an easy puzzle, I guess that setpgid(0,getpid()) satisfies the following:
- works fine on Linux.
- is within the documented usage on FreeBSD.
so this must be the better fix.

Conclusion:
- setpgid(0,0), which Boris kindly showed me, also works fine on FreeBSD.
- According to the man page on CentOS, setpgid(0,0) is the right usage.
- 0 as second argument means the pid itself, so it is equivalent to my trial.
- According to the man page on FreeBSD, setpgid(0,0) is undocumented usage.
- I guess setpgid(0,getpid()) is better.

Regards,
Koh-ichi Ito


From swurth at astaro.com Mon Jun 16 03:03:31 2008
From: swurth at astaro.com (Sven Wurth)
Date: Mon, 16 Jun 2008 00:03:31 -0700
Subject: maximum memory allocation
Message-ID: <13A7D16E6BC8794CB20DF8218B944BB20B584D32@dhost002-54.dex002.intermedia.net>

Hello MaraDNS users,

my question is about the "maximum memory allocation", how can I modify this?

kind regards
Sven


From remco at webconquest.com Mon Jun 16 06:17:58 2008
From: remco at webconquest.com (Remco Rijnders)
Date: Mon, 16 Jun 2008 12:17:58 +0200
Subject: maximum memory allocation
In-Reply-To: <13A7D16E6BC8794CB20DF8218B944BB20B584D32@dhost002-54.dex002.intermedia.net>
References: <13A7D16E6BC8794CB20DF8218B944BB20B584D32@dhost002-54.dex002.intermedia.net>
Message-ID: <9ECAA765-7314-4E69-9347-F3297A9A0F40@webconquest.com>

On 16 Jun 2008, at 09:03, Sven Wurth wrote:

> my question is about the "maximum memory allocation",
> how can I modify this ?

Hi Sven,

You can change this value in the mararc file. From http://www.maradns.org/tutorial/man.mararc.html comes the following:

    max_mem

    max_mem is the maximum amount of memory we allow MaraDNS to allocate, in bytes. The default value of this is to allocate 1 megabyte for MaraDNS' general use, and in addition, to allocate 1536 bytes for each element we can have in the cache or DNS record that we are authoritatively serving.

    To set it to two MB, you'd put a line like the following in your mararc file:

    max_mem = 2097152

Kind regards,

Remco Rijnders


From strenholme.usenet at gmail.com Mon Jun 16 11:04:17 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 16 Jun 2008 10:04:17 -0500
Subject: maximum memory allocation
In-Reply-To: <13A7D16E6BC8794CB20DF8218B944BB20B584D32@dhost002-54.dex002.intermedia.net>
References: <13A7D16E6BC8794CB20DF8218B944BB20B584D32@dhost002-54.dex002.intermedia.net>
Message-ID: <7bd685720806160804s443ae1cdp712482a430049d9f@mail.gmail.com>

The thinking behind "maximum memory allocation" is that there were a few remotely exploitable memory leaks discovered in the MaraDNS codebase; by putting a cap on the maximum memory MaraDNS is allowed to allocate, the impact of any other memleaks that may be lurking in MaraDNS' code is minimized.
- Sam

2008/6/16 Sven Wurth :
> Hello MaraDNS users,
>
> my question is about the "maximum memory allocation",
> how can I modify this ?
> kind regards
> Sven
>

From sega01 at gmail.com Mon Jun 16 11:18:31 2008
From: sega01 at gmail.com (Teran McKinney)
Date: Mon, 16 Jun 2008 11:18:31 -0400
Subject: Problem with recursively resolving AAAA records from CNAMES

Hi,

I had heard about MaraDNS from a friend and wanted to implement a recursive DNS server for my LAN. MaraDNS looked quite nice, so I decided to give it a try. I recently migrated from DD-WRT to OpenWRT, and used its 1.2.12.06 MaraDNS package. Everything worked perfectly, except I started to notice that I did not connect over IPv6 to some IPv6-enabled sites. Digging a little deeper, I found that only sites that used CNAMEs pointing to records with AAAA records were the culprit.

For example:

sega01[~]$ dig ipv6.google.com aaaa

; <<>> DiG 9.4.2 <<>> ipv6.google.com aaaa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4801
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipv6.google.com.               IN      AAAA

;; ANSWER SECTION:
ipv6.google.com.        900     IN      CNAME   ipv6.l.google.com.

;; Query time: 221 msec
;; SERVER: 192.168.8.1#53(192.168.8.1)
;; WHEN: Mon Jun 16 11:11:00 2008
;; MSG SIZE  rcvd: 54

However, it appears that MaraDNS does not recursively resolve the CNAME's target for AAAA records.

OpenDNS returns the following:

sega01[~]$ dig ipv6.google.com aaaa @208.67.222.222

; <<>> DiG 9.4.2 <<>> ipv6.google.com aaaa @208.67.222.222
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59569
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipv6.google.com.               IN      AAAA

;; ANSWER SECTION:
ipv6.google.com.        9753    IN      CNAME   ipv6.l.google.com.
ipv6.l.google.com.      300     IN      AAAA    2001:4860:0:2001::68

;; Query time: 50 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Jun 16 11:12:44 2008
;; MSG SIZE  rcvd: 82

There is no issue with MaraDNS using CNAMEs and A records, but AAAA records individually work fine. I have also tested this on 1.3.11 with the same results. Some other users on #ipv6 reported the same issues with MaraDNS after I asked about this.

Any ideas?

Thanks,
Teran McKinney (sega01)

From strenholme.usenet at gmail.com Mon Jun 16 11:28:43 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 16 Jun 2008 10:28:43 -0500
Subject: Problem with recursively resolving AAAA records from CNAMES
Message-ID: <7bd685720806160828v57f0eb49xc7dabd3d0ef923d@mail.gmail.com>

I know this issue has come up before; this is one of those issues I'm not going to fix because I'm completely rewriting the recursive resolver. Basically, the CNAME code in MaraDNS 1's recursive resolver is a bit of a hack. Well, maybe "a bit" is an understatement. The real solution is a complete rewrite.

I stopped doing the rewrite for six months because I took a break from MaraDNS; I just continued the rewrite yesterday. Right now, the new code is a usable caching-only nameserver. In other words, you need to use your ISP's nameserver or MaraDNS 1 (or BIND or powerdns or dnscache or pdnsd or...) to resolve the DNS queries, but the nameserver will remember the responses of the upstream nameserver.

The new cache is a lot cleaner in terms of the code, doesn't use threads (yay!), and has some features MaraDNS doesn't have, such as the ability to read and write the cache to disk, and the ability to retrieve expired records from the cache if it's impossible to contact the upstream (ISP's) DNS servers. I just fixed the issue with reading and writing the cache to disk yesterday; I will upload this file later on today.

GROUCHY DISCLAIMER: I'm a mean, grouchy, and nasty developer.
I *hate* getting private email with MaraDNS support questions. This includes non-security bugfixes. I'm not technical support; sorry guys. If you send me a MaraDNS-related support question, I reserve the right to post your support email to the Mara-DNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential.

From strenholme.usenet at gmail.com Mon Jun 16 16:07:42 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 16 Jun 2008 15:07:42 -0500
Subject: Deadwood 2.00 released; my official break begins
Message-ID: <7bd685720806161307jfc8bcf7s1a39b2f72fd87c0@mail.gmail.com>

Hello, everyone,

I have just released Deadwood 2.00:

http://www.maradns.org/deadwood

I have a full announcement of it here:

http://maradns.blogspot.com

Now that I've done that (and it works nicely; I'm using it right now to surf the internet a little more quickly), I'm starting my official break from MaraDNS. Anything that's not a security bug will be cheerfully ignored during my break. I have no idea when I will end my break. Hopefully in a month or two. :)

Note: If you send me a MaraDNS-related support question, I reserve the right to post your support email to the Mara-DNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential.

- Sam

From sbeyer at reactor.de Tue Jun 17 17:26:04 2008
From: sbeyer at reactor.de (Steffen Beyer)
Date: Tue, 17 Jun 2008 23:26:04 +0200 (CEST)
Subject: MaraDNS as secondary
References: <7bd685720806120807l69ae06f7hc37e3f0db60b9714@mail.gmail.com> <7bd685720806131452s7cec2ae8kc562df76e277c7d6@mail.gmail.com>

On Sun, 15 Jun 2008, 21:50, Steffen Beyer wrote:

> This will probably be the final release for now.
The files moved to an indexed directory:

http://teralink.net/misc/fetchzones/

Future releases will be put there. I'm going to announce them on this list, too.

Regards,
--
Steffen Beyer
GnuPG key fingerprint: CA00 1611 242B 89D4 E643 E235 05F3 7689 DD3E EB26
Public key available upon request or at http://wwwkeys.de.pgp.net

From lloydie.t at googlemail.com Fri Jun 20 20:12:33 2008
From: lloydie.t at googlemail.com (Lloyd Thomas)
Date: Sat, 21 Jun 2008 01:12:33 +0100
Subject: DNSstuff reports open DNS
Message-ID: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com>

Hi,

I am testing out maraDNS on my windows box to replace SimpleDNS. I think I am having a problem with my setup of maraDNS advertising itself as an open DNS server. I am using dnsstuff.com to test the server. The full text of the problem is below. Any help appreciated.

----------------------------------------
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address.

Problem record(s) are:
-------------------------------------------------

I also have a problem with the following error report as well

----------------------------------------------
WARNING: One or more of your DNS servers does not accept TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections.
When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems. The problem servers are:

85.234.142.68: Error [Connection refused (10061)]
----------------------------------------------------

Lloydie T

From remco at webconquest.com Sat Jun 21 05:37:18 2008
From: remco at webconquest.com (Remco Rijnders)
Date: Sat, 21 Jun 2008 11:37:18 +0200
Subject: DNSstuff reports open DNS
In-Reply-To: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com>
Message-ID: <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>

On 21 Jun 2008, at 02:12, Lloyd Thomas wrote:

> I am testing out maraDNS on my windows box to replace SimpleDNS. I think
> I am having a problem with my setup of maraDNS advertising itself as an
> open DNS server. I am using dnsstuff.com to test the server. The full
> text of the problem is below. Any help appreciated.
>
> ----------------------------------------
> ERROR: One or more of your nameservers reports that it is an open DNS
> server. This usually means that anyone in the world can query it for
> domains it is not authoritative for (it is possible that the DNS server
> advertises that it does recursive lookups when it does not, but that
> shouldn't happen). This can cause an excessive load on your DNS server.
> Also, it is strongly discouraged to have a DNS server be both
> authoritative for your domain and be recursive (even if it is not open),
> due to the potential for cache poisoning (with no recursion, there is no
> cache, and it is impossible to poison it). Also, the bad guys could use
> your DNS server as part of an attack, by forging their IP address.
>
> Problem record(s) are:
> -------------------------------------------------

Hi Lloyd,

In this case it looks like you've set maradns up as both a recursive resolver (able to resolve DNS for zones you are not authoritative for) as well as being an authoritative server (since you're using dnsstuff.com to test your server). Is this correct and what you intend to do?

If you want to use maradns to look up addresses but restrict it to a certain (set of) IP addresses, you can do something like this in your mararc file:

ipv4_alias = {}
ipv4_alias["localhost"] = "127.0.0.0/8"
recursive_acl = "localhost"

This will tell mara to only recursively resolve queries coming from your local computer. Please see http://www.maradns.org/tutorial/man.mararc.html for more information on how to set this up.

> I also have a problem with the following error report as well
>
> ----------------------------------------------
> WARNING: One or more of your DNS servers does not accept TCP connections.
> Although rarely used, TCP connections are occasionally used instead of
> UDP connections. When firewalls block the TCP DNS connections, it can
> cause hard-to-diagnose problems. The problem servers are:
>
> 85.234.142.68: Error [Connection refused (10061)]
> ----------------------------------------------------

This is not an error but a warning, and one that can safely be ignored at that. Maradns doesn't use TCP but only UDP for its normal use. Only when you are running the zoneserver will that bind to the TCP port. DNS should work fine as it is for you even with this warning present.
Kind regards,
Remco

From lloydie.t at googlemail.com Sat Jun 21 07:41:51 2008
From: lloydie.t at googlemail.com (Lloyd Thomas)
Date: Sat, 21 Jun 2008 12:41:51 +0100
Subject: DNSstuff reports open DNS
In-Reply-To: <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com> <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>
Message-ID: <485ce8fe.0b9e100a.06e0.08a6@mx.google.com>

Thanks Remco,

Unfortunately your solution did not work. As soon as I try to run maradns, it stops with no error report. I suspect this feature may not be supported in the windows port, but maybe my mararc file is wrong; please find it below.

------------------------------------------
ipv4_bind_addresses = "192.168.93.2, 127.0.0.1"
#chroot_dir = ""
csv2 = {}
ipv4_alias = {}
ipv4_alias["localhost"] = "127.0.0.0/8"
recursive_acl = "localhost"
csv2["domain1.com."] = "c:/maradns/db/db.domain1.com "
csv2["domain2.com."] = "c:/maradns/db/db.domain2.com "
csv2["domain3.com."] = "c:/maradns/db/db.domain3.com "
csv2["domain4.com."] = "c:/maradns/db/db.domain4.com "
csv2["domain5.com."] = "c:/maradns/db/db.domain5.com "
tcp_convert_acl = "0.0.0.0/0"
tcp_convert_server = "192.168.93.2, 127.0.0.1"
debug_msg_level = 0 # so no info about maradns will be made public.
-----------------------------------------

From lloydie.t at googlemail.com Sat Jun 21 09:29:14 2008
From: lloydie.t at googlemail.com (Lloyd Thomas)
Date: Sat, 21 Jun 2008 14:29:14 +0100
Subject: DNSstuff reports open DNS
In-Reply-To: <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com> <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>
Message-ID: <485d0227.0856100a.3e13.0666@mx.google.com>

Following my previous email I tried the following, but my maradns is still acting as an authoritative dns server for other domains as tested by dnsstuff.com.

random_seed_file = "C:\maradns\seed\random.seed"
ipv4_alias = {}
ipv4_alias["localhost"] = "127.0.0.0/8"
recursive_acl = "localhost"

From lloydie.t at googlemail.com Sat Jun 21 10:28:25 2008
From: lloydie.t at googlemail.com (Lloyd Thomas)
Date: Sat, 21 Jun 2008 15:28:25 +0100
Subject: DNSstuff reports open DNS
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com> <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>
Message-ID: <485d1006.0d84100a.65a3.120c@mx.google.com>

Already done that, but thanks.

random_seed_file = "C:\maradns\seed\random.seed" fixed the problem stopping maradns from running but it still reports as an opendns server and is trying to resolve other domains.

From remco at webconquest.com Sat Jun 21 10:51:24 2008
From: remco at webconquest.com (Remco Rijnders)
Date: Sat, 21 Jun 2008 16:51:24 +0200
Subject: DNSstuff reports open DNS
In-Reply-To: <485d1006.0d84100a.65a3.120c@mx.google.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com> <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com> <485d1006.0d84100a.65a3.120c@mx.google.com>
Message-ID: <273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com>

On 21 Jun 2008, at 16:28, Lloyd Thomas wrote:

> Already done that, but thanks.
> random_seed_file = "C:\maradns\seed\random.seed" fixed the problem stopping
> maradns from running but it still reports as an opendns server and is trying
> to resolve other domains.
Assuming that the below is the IP address your mara is listening on, I do not see the problem you're seeing and get no recursive answer:

Macintosh:~ remmy$ dig TXT webconquest.com @85.234.142.68

; <<>> DiG 9.4.1-P1 <<>> TXT webconquest.com @85.234.142.68
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18206
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; WARNING: recursion requested but not available

...so, I'm out of ideas really why dnsstuff believes otherwise.

Kind regards,
Remco

From lloydie.t at googlemail.com Sat Jun 21 11:29:15 2008
From: lloydie.t at googlemail.com (Lloyd Thomas)
Date: Sat, 21 Jun 2008 16:29:15 +0100
Subject: DNSstuff reports open DNS
In-Reply-To: <273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com> <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com> <485d1006.0d84100a.65a3.120c@mx.google.com> <273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com>
Message-ID: <485d1e4a.0c92100a.3b67.204f@mx.google.com>

Probably because I have switched back to using SimpleDNS, but I will try dig as I have not done this for myself.

BR
Lloyd

From lloydie.t at googlemail.com Sat Jun 21 11:38:57 2008
From: lloydie.t at googlemail.com (Lloyd Thomas)
Date: Sat, 21 Jun 2008 16:38:57 +0100
Subject: DNSstuff reports open DNS
In-Reply-To: <273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com> <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com> <485d1006.0d84100a.65a3.120c@mx.google.com> <273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com>
Message-ID: <485d208e.0856100a.3e17.1e0f@mx.google.com>

Just tried DIG myself using maradns and got the following response.

------------------------------------------
root at dnsserver:/# dig TXT webconquest.com @85.234.142.68

; <<>> DiG 9.3.2 <<>> TXT webconquest.com @85.234.142.68
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 52964
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 75 msec
;; SERVER: 85.234.142.68#53(85.234.142.68)
;; WHEN: Sat Jun 21 16:31:03 2008
;; MSG SIZE  rcvd: 12
-------------------------------------

So it looks as though it will not return results, but it does advertise as an open DNS and by what DNSstuff has recommended this is not recommended. I will leave it running for a little if you want to have another look.

Many thanks

Lloyd

From lloydie.t at googlemail.com Sat Jun 21 12:14:51 2008
From: lloydie.t at googlemail.com (Lloyd Thomas)
Date: Sat, 21 Jun 2008 17:14:51 +0100
Subject: DNSstuff reports open DNS
In-Reply-To: <053CB553-6AF8-4BC2-9D7E-E02085A2F36B@webconquest.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com> <7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com> <485d1006.0d84100a.65a3.120c@mx.google.com> <273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com> <485d208e.0856100a.3e17.1e0f@mx.google.com> <053CB553-6AF8-4BC2-9D7E-E02085A2F36B@webconquest.com>
Message-ID: <485d28f9.0ac0100a.2522.22b1@mx.google.com>

I tried DIG from a different server.
The results are slightly different as your first query said 'WARNING: recursion requested but not available ' at the end of the query and status was 'NOERROR'. From: Remco Rijnders [mailto:remco at webconquest.com] Sent: 21 June 2008 16:53 To: Lloyd Thomas Subject: Re: DNSstuff reports open DNS Op 21 jun 2008, om 17:38 heeft Lloyd Thomas het volgende geschreven: > Just tried DIG myself using maradns and got the following response. > ------------------------------------------ > root at dnsserver:/# dig TXT webconquest.com @85.234.142.68 > > ; <<>> DiG 9.3.2 <<>> TXT webconquest.com @85.234.142.68 > ; (1 server found) > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 52964 > ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > > ;; Query time: 75 msec > ;; SERVER: 85.234.142.68#53(85.234.142.68) > ;; WHEN: Sat Jun 21 16:31:03 2008 > ;; MSG SIZE rcvd: 12 > ------------------------------------- > > So it looks as though it will not return results, but it does > advertise as a > open DNS and by what DNSstuff has recommended this is not > recommended. I > will leave it running for a little if you want to have another look. > > Many thanks > > Lloyd Not copying the list this time as I don't want to annoy too many people while we try to figure this out... This server you're running dig from, it is not the nameserver itself is it? 
I still get the same result using dig here as I did before:

Macintosh:~ remmy$ dig TXT webconquest.com @85.234.142.68

; <<>> DiG 9.4.1-P1 <<>> TXT webconquest.com @85.234.142.68
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 62330
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 25 msec
;; SERVER: 85.234.142.68#53(85.234.142.68)
;; WHEN: Sat Jun 21 17:52:58 2008
;; MSG SIZE rcvd: 12

Cheers,

Remco

From strenholme.usenet at gmail.com Mon Jun 23 13:53:15 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 23 Jun 2008 12:53:15 -0500
Subject: My reply to the Debian bug reports
Message-ID: <7bd685720806231053k5f70b88eu338c69d63089c7bc@mail.gmail.com>

Since Martin Krafft sees fit to file bugs with Debian when having issues with MaraDNS, I will answer his issues here on the list.

Bug#484466: provide a reload method

Done. If MaraDNS is started with the Duende daemon, when MaraDNS is sent a HUP signal, MaraDNS will stop, exit with code 8, which Duende knows is a signal to immediately restart MaraDNS.

"restarting maradns takes a long time"

1) Replace your 386 with a new Dell desktop. They're only about $300
2) Don't have so many zone files.

Bug#486497: seemingly arbitrary restriction not to bind to 0.0.0.0

There's an undocumented fix for this: Use the csv2_synthip_list mararc variable. Now, using the 0.0.0.0 IP address may cause problems (BIND seems to not like transferring zones from something bound to 0.0.0.0), so you have been warned.

And, oh, all Kai can do is email the bug reports to me. Since I don't answer MaraDNS concerns except through this list, all he can do is forward these back to the Debian bug database.
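The two dig headers Remco and Lloyd quote earlier in this thread (status REFUSED, or NOERROR with authority records only, flags "qr rd" and no "ra") settle the "open DNS" question inside the 12-byte DNS header. The Python below is an added example, not code from the thread or from MaraDNS: it decodes that header and applies a classification heuristic of my own; the three sample headers are constructed to mirror the quoted dig output, not captured packets.

```python
import struct

# DNS header layout, RFC 1035 section 4.1.1:
# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, each 16-bit big-endian (12 bytes)
HEADER = struct.Struct("!HHHHHH")
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed header of a DNS message into the fields dig prints as flags/status."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # response, not query
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
    }


def classify(msg: bytes) -> str:
    """My own heuristic verdict for a reply to an RD=1 query about a name the server does not host."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "REFUSED":
        return "recursion-refused"          # the REFUSED / 12-byte replies quoted above
    if h["rcode"] == "NOERROR" and h["ra"] and h["counts"][1] > 0:
        return "open-recursor"              # answered a foreign name with RA set
    if h["rcode"] == "NOERROR" and not h["ra"]:
        return "referral-no-recursion"      # Remco's first dig: AUTHORITY only, no ra
    return "other"


def build_header(ident, qr, aa, rd, ra, rcode, counts=(0, 0, 0, 0)) -> bytes:
    """Pack a header from its fields; used here only to construct the sample replies."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return HEADER.pack(ident, flags, *counts)


# Constructed samples mirroring the dig output quoted in this thread.
REFUSED_12B = build_header(62330, 1, 0, 1, 0, 5)               # status REFUSED, flags qr rd
REFERRAL = build_header(18206, 1, 0, 1, 0, 0, (1, 0, 13, 14))  # NOERROR, AUTHORITY 13, no ra
OPEN = build_header(4242, 1, 0, 1, 1, 0, (1, 1, 0, 0))         # what a true open recursor sends

if __name__ == "__main__":
    for name, sample in (("refused", REFUSED_12B), ("referral", REFERRAL), ("open", OPEN)):
        h = parse_header(sample)
        print(name, h["rcode"], "ra=%s" % h["ra"], classify(sample))
```

To check a live server, send the query over UDP and hand the first 12 bytes of the reply to classify(); only a reply with RA set and an answer for a foreign name indicates an open recursor.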
From strenholme.usenet at gmail.com Mon Jun 23 14:06:19 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Mon, 23 Jun 2008 13:06:19 -0500
Subject: DNSstuff reports open DNS
In-Reply-To: <485d28f9.0ac0100a.2522.22b1@mx.google.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com>
	<7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>
	<485d1006.0d84100a.65a3.120c@mx.google.com>
	<273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com>
	<485d208e.0856100a.3e17.1e0f@mx.google.com>
	<053CB553-6AF8-4BC2-9D7E-E02085A2F36B@webconquest.com>
	<485d28f9.0ac0100a.2522.22b1@mx.google.com>
Message-ID: <7bd685720806231106p65790d6fkf89e15427c976b27@mail.gmail.com>

Which version of MaraDNS are you using? 1.2.12.09 gives a different value for RA than 1.2.12.08, for example, since this was causing some issues with embedded routers that actually check this bit.

Basically, there are three branches of MaraDNS:

1.2.12
1.3.07
1.3.(greater than 07)

In 1.2.12.09, 1.3.07.07, and 1.3.11, the RA value was changed. As I recall, RA is cleared when sending an authoritative answer and set when sending a recursive answer (ideally, we should have RA be set if the client is allowed to recurse, but this fix seems to fix all real-world problems).

Basically, I feel things like dnsreport.com and dnsstuff.com are pedantic, and don't consider problems with those web-DNS-reports that aren't real-world problems bugs (dnsreport.com, for no good reason, wants serial numbers in YYYYMMDDSS format).

- Sam

2008/6/21 Lloyd Thomas :
> I tried DIG from a different server. The results are slightly different as
> your first query said 'WARNING: recursion requested but not available
>
> ' at the end of the query and status was 'NOERROR'.
>
> From: Remco Rijnders [mailto:remco at webconquest.com]
> Sent: 21 June 2008 16:53
> To: Lloyd Thomas
> Subject: Re: DNSstuff reports open DNS
>
> On 21 Jun 2008, at 17:38, Lloyd Thomas wrote:
>
>> Just tried DIG myself using maradns and got the following response.
>> ------------------------------------------
>> root at dnsserver:/# dig TXT webconquest.com @85.234.142.68
>>
>> ; <<>> DiG 9.3.2 <<>> TXT webconquest.com @85.234.142.68
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 52964
>> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; Query time: 75 msec
>> ;; SERVER: 85.234.142.68#53(85.234.142.68)
>> ;; WHEN: Sat Jun 21 16:31:03 2008
>> ;; MSG SIZE rcvd: 12
>> -------------------------------------
>>
>> So it looks as though it will not return results, but it does
>> advertise as a
>> open DNS and by what DNSstuff has recommended this is not
>> recommended. I
>> will leave it running for a little if you want to have another look.
>>
>> Many thanks
>>
>> Lloyd
>
> Not copying the list this time as I don't want to annoy too many
> people while we try to figure this out...
>
> This server you're running dig from, it is not the nameserver itself
> is it?
>
> I still get the same result using dig here as I did before:
>
> Macintosh:~ remmy$ dig TXT webconquest.com @85.234.142.68
>
> ; <<>> DiG 9.4.1-P1 <<>> TXT webconquest.com @85.234.142.68
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 62330
> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; Query time: 25 msec
> ;; SERVER: 85.234.142.68#53(85.234.142.68)
> ;; WHEN: Sat Jun 21 17:52:58 2008
> ;; MSG SIZE rcvd: 12
>
> Cheers,
>
> Remco
>

From lloydie.t at googlemail.com Tue Jun 24 05:01:14 2008
From: lloydie.t at googlemail.com (lloyd thomas)
Date: Tue, 24 Jun 2008 10:01:14 +0100
Subject: DNSstuff reports open DNS
In-Reply-To: <7bd685720806231106p65790d6fkf89e15427c976b27@mail.gmail.com>
References: <485c476f.0c92100a.3b67.ffffc2bd@mx.google.com>
	<7B88B805-6AD4-40B4-87F8-20C95D6EEF65@webconquest.com>
	<485d1006.0d84100a.65a3.120c@mx.google.com>
	<273BF8B1-9DAC-4860-84E5-263B61185917@webconquest.com>
	<485d208e.0856100a.3e17.1e0f@mx.google.com>
	<053CB553-6AF8-4BC2-9D7E-E02085A2F36B@webconquest.com>
	<485d28f9.0ac0100a.2522.22b1@mx.google.com>
	<7bd685720806231106p65790d6fkf89e15427c976b27@mail.gmail.com>
Message-ID: <8b61bd670806240201v6a7148a5s6c6d64688b97bf76@mail.gmail.com>

Hi Sam,

Thanks for your interest. I am sure I'm using maradns-1-3-07-08. I have tried doing tests with some other web-based DNS tests and they all seem to give varying advice. I will probably go with what I have set up and see what occurs.

2008/6/23 Sam Trenholme :
> Which version of MaraDNS are you using? 1.2.12.09 gives a different
> value for RA than 1.2.12.08, for example, since this was causing some
> issues with embedded routers that actually check this bit.
>
> Basically, there are three branches of MaraDNS:
>
> 1.2.12
> 1.3.07
> 1.3.(greater than 07)
>
> In 1.2.12.09, 1.3.07.07, and 1.3.11, the RA value was changed.
> As I
> recall, RA is cleared when sending an authoritative answer and set
> when sending a recursive answer (ideally, we should have RA be set if
> the client is allowed to recurse, but this fix seems to fix all
> real-world problems).
>
> Basically, I feel things like dnsreport.com and dnsstuff.com are
> pedantic, and don't consider problems with those web-DNS-reports that
> aren't real-world problems bugs (dnsreport.com, for no good reason,
> wants serial numbers in YYYYMMDDSS format).
>
> - Sam
>
> 2008/6/21 Lloyd Thomas :
> > I tried DIG from a different server. The results are slightly different
> as
> > your first query said 'WARNING: recursion requested but not available
> >
> > ' at the end of the query and status was 'NOERROR'.
> >
> > From: Remco Rijnders [mailto:remco at webconquest.com]
> > Sent: 21 June 2008 16:53
> > To: Lloyd Thomas
> > Subject: Re: DNSstuff reports open DNS
> >
> > On 21 Jun 2008, at 17:38, Lloyd Thomas wrote:
> >
> >> Just tried DIG myself using maradns and got the following response.
> >> ------------------------------------------
> >> root at dnsserver:/# dig TXT webconquest.com @85.234.142.68
> >>
> >> ; <<>> DiG 9.3.2 <<>> TXT webconquest.com @85.234.142.68
> >> ; (1 server found)
> >> ;; global options: printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 52964
> >> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >> ;; Query time: 75 msec
> >> ;; SERVER: 85.234.142.68#53(85.234.142.68)
> >> ;; WHEN: Sat Jun 21 16:31:03 2008
> >> ;; MSG SIZE rcvd: 12
> >> -------------------------------------
> >>
> >> So it looks as though it will not return results, but it does
> >> advertise as a
> >> open DNS and by what DNSstuff has recommended this is not
> >> recommended. I
> >> will leave it running for a little if you want to have another look.
> >>
> >> Many thanks
> >>
> >> Lloyd
> >
> > Not copying the list this time as I don't want to annoy too many
> > people while we try to figure this out...
> >
> > This server you're running dig from, it is not the nameserver itself
> > is it?
> >
> > I still get the same result using dig here as I did before:
> >
> > Macintosh:~ remmy$ dig TXT webconquest.com @85.234.142.68
> >
> > ; <<>> DiG 9.4.1-P1 <<>> TXT webconquest.com @85.234.142.68
> > ; (1 server found)
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 62330
> > ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; Query time: 25 msec
> > ;; SERVER: 85.234.142.68#53(85.234.142.68)
> > ;; WHEN: Sat Jun 21 17:52:58 2008
> > ;; MSG SIZE rcvd: 12
> >
> > Cheers,
> >
> > Remco
> >
>

From bdantzig at medline.com Wed Jun 25 17:25:40 2008
From: bdantzig at medline.com (Dantzig, Brian)
Date: Wed, 25 Jun 2008 16:25:40 -0500
Subject: wildcard for the domain only without wildcarding all missing records.
Message-ID: <1F26704905C4804AAF98B0AE6BE029510359B6@MUNEXBE1.medline.com>

I am running maradns v1.2.12.08 as an authoritative name server. Is there a way to have mara return a record for the domain but not match host in the domain? I wish to allow people to get to my www server if they don't have www in the URL as in "http://medline.com" working the same as "http://www.medline.com". I know I can add a record such as:

*.% A 216.143.4.37

But, this will also match any missing records in the "medline.com" domain as in "xyz.medline.com"

Brian Dantzig
Medline Industries
bdantzig at medline.com

From strenholme.usenet at gmail.com Wed Jun 25 19:25:35 2008
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Wed, 25 Jun 2008 18:25:35 -0500
Subject: wildcard for the domain only without wildcarding all missing records.
In-Reply-To: <1F26704905C4804AAF98B0AE6BE029510359B6@MUNEXBE1.medline.com>
References: <1F26704905C4804AAF98B0AE6BE029510359B6@MUNEXBE1.medline.com>
Message-ID: <7bd685720806251625i5ab940fbm81c876c4ac502fbb@mail.gmail.com>

How about:

www.% A 216.143.4.37

And, oh, MaraDNS docs:

http://maradns.org/notes.html

If anything in the documentation isn't clear, please let me know. One thing that really annoys is documentation that sucks, so if my documentation sucks, let me know (ON THE LIST) so I can fix it.

- Sam

Note: If you send me a MaraDNS-related support question, I reserve the right to post your support email to the Mara-DNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential.

2008/6/25 Dantzig, Brian :
> I am running maradns v1.2.12.08 as an authoritative name server. Is
> there a way to have mara return a record for the domain but not match
> host in the domain? I wish to allow people to get to my www server
> if they don't have www in the URL as in "http://medline.com" working the
> same as "http://www.medline.com". I know I can add a record such as:
> *.% A 216.143.4.37
> But, this will also match any missing records in the "medline.com"
> domain as in "xyz.medline.com"
>
> Brian Dantzig
> Medline Industries
> bdantzig at medline.com
>

From bdantzig at medline.com Thu Jun 26 09:49:10 2008
From: bdantzig at medline.com (Dantzig, Brian)
Date: Thu, 26 Jun 2008 08:49:10 -0500
Subject: wildcard for the domain only without wildcarding all missing records.
In-Reply-To: <7bd685720806251625i5ab940fbm81c876c4ac502fbb@mail.gmail.com>
References: <1F26704905C4804AAF98B0AE6BE029510359B6@MUNEXBE1.medline.com>
	<7bd685720806251625i5ab940fbm81c876c4ac502fbb@mail.gmail.com>
Message-ID: <1F26704905C4804AAF98B0AE6BE029510359B8@MUNEXBE1.medline.com>

Maybe my question was unclear.
I have

www.% A 216.143.4.37 # Matches http://www.medline.com
*.% A 216.143.4.37   # Matches http://medline.com but also,
                     # matches http://xyz.medline.com where xyz is
                     # any host for which I do not have a record.

I want to get http://medline.com to work and still return non-existent when querying for hosts without records.

How about:

www.% A 216.143.4.37

And, oh, MaraDNS docs:

http://maradns.org/notes.html

If anything in the documentation isn't clear, please let me know. One thing that really annoys is documentation that sucks, so if my documentation sucks, let me know (ON THE LIST) so I can fix it.

- Sam

Note: If you send me a MaraDNS-related support question, I reserve the right to post your support email to the Mara-DNS mailing list so that the community at large can examine your issue. MaraDNS security vulnerability reports, however, will be kept confidential.

2008/6/25 Dantzig, Brian :
> I am running maradns v1.2.12.08 as an authoritative name server. Is
> there a way to have mara return a record for the domain but not match
> host in the domain? I wish to allow people to get to my www server
> if they don't have www in the URL as in "http://medline.com" working the
> same as "http://www.medline.com". I know I can add a record such as:
> *.% A 216.143.4.37
> But, this will also match any missing records in the "medline.com"
> domain as in "xyz.medline.com"
>
> Brian Dantzig
> Medline Industries
> bdantzig at medline.com
>

From marty at supine.com Thu Jun 26 09:58:41 2008
From: marty at supine.com (Martin Barry)
Date: Thu, 26 Jun 2008 15:58:41 +0200
Subject: wildcard for the domain only without wildcarding all missing records.
In-Reply-To: <1F26704905C4804AAF98B0AE6BE029510359B8@MUNEXBE1.medline.com>
References: <1F26704905C4804AAF98B0AE6BE029510359B6@MUNEXBE1.medline.com>
	<7bd685720806251625i5ab940fbm81c876c4ac502fbb@mail.gmail.com>
	<1F26704905C4804AAF98B0AE6BE029510359B8@MUNEXBE1.medline.com>
Message-ID: <20080626135841.GA30726@sprocket.mamista.net>

$quoted_author = "Dantzig, Brian" ;
>
> I have
> www.% A 216.143.4.37 # Matches http://www.medline.com
> *.% A 216.143.4.37   # Matches http://medline.com but also,
>                      # matches http://xyz.medline.com where xyz is
>                      # any host for which I do not have a record.
>
> I want to get http://medline.com to work and still return non-existent
> when querying for hosts without records.

So you only want medline.com and www.medline.com to resolve?

www.% A 216.143.4.37
% A 216.143.4.37

cheers
Marty

From babal at via.ecp.fr Thu Jun 26 09:58:33 2008
From: babal at via.ecp.fr (Boris Dores)
Date: Thu, 26 Jun 2008 15:58:33 +0200
Subject: wildcard for the domain only without wildcarding all missing records.
In-Reply-To: <1F26704905C4804AAF98B0AE6BE029510359B8@MUNEXBE1.medline.com>
References: <1F26704905C4804AAF98B0AE6BE029510359B6@MUNEXBE1.medline.com>
	<7bd685720806251625i5ab940fbm81c876c4ac502fbb@mail.gmail.com>
	<1F26704905C4804AAF98B0AE6BE029510359B8@MUNEXBE1.medline.com>
Message-ID: <20080626135833.GN972@via.ecp.fr>

On Thu, Jun 26, 2008 at 08:49:10AM (GMT-0500), Dantzig, Brian wrote:
> I have
> www.% A 216.143.4.37 # Matches http://www.medline.com
> *.% A 216.143.4.37   # Matches http://medline.com but also,
>                      # matches http://xyz.medline.com where xyz is
>                      # any host for which I do not have a record.
>
> I want to get http://medline.com to work and still return non-existent
> when querying for hosts without records.

You simply need the following lines:

% A 216.143.4.37
www.% A 216.143.4.37

--
Boris Dorès