From Jim.Reid at nominum.com Tue Apr 29 10:47:38 2003
From: Jim.Reid at nominum.com (Jim Reid)
Date: Tue, 29 Apr 2003 01:47:38 -0700
Subject: views in bind9
In-Reply-To: Message from Mansoor Ahmed of "Tue, 29 Apr 2003 09:48:21 +0400." <000e01c30e12$f1664f00$a900000a@dic.ezone>
Message-ID: <9171.1051606058@shell.nominum.com>

Mansoor, your question would probably be better posted to
bind9-users at isc.org, rather than this mailing list. dns-wg at ripe.net
is for stuff related to the RIPE DNS Working Group and doesn't usually
deal with errors or misunderstandings about named.conf files.

If you do post to bind-users, I strongly suggest you provide your
named.conf file *exactly* as your name server would see it. [Don't
hide domain names or whatever.] That would permit someone on that list
to accurately diagnose the problem.

My guess is you have syntax errors in named.conf or perhaps you're
running a BIND8 name server with a BIND9 configuration file. If it's
the former, you can use named-checkconf from BIND9 to find the error.

A sample named.conf file which uses views can be found under the tests
directory in the BIND9 distribution. This directory contains a test
suite for most of the features in BIND9.

Here's an outline of how to set up views in BIND9, with an inside view
for network 10/8 and an outside view for everything else.

    options {
        ......
    };

    controls {
        ......
    };

    view "inside" {
        match-clients { 10/8; };
        zone "." {
            .......
        };
        zone "example" {
            .....
        };
    };

    view "outside" {
        // A list holding only a negated element matches no client,
        // so "any" follows the negation to accept everything else.
        match-clients { !10/8; any; };
        zone "." {
            .......
        };
        zone "example" {
            .....
        };
    };

If you have further questions about BIND9 config file syntax, please
take them to bind9-users at isc.org, not here. And please don't ask me
directly. :-)

From mansoor at dubaiinternetcity.net Tue Apr 29 13:07:20 2003
From: mansoor at dubaiinternetcity.net (Mansoor Ahmed)
Date: Tue, 29 Apr 2003 15:07:20 +0400
Subject: add me
Message-ID: <002a01c30e3f$80bb8f90$a900000a@dic.ezone>

An HTML attachment was scrubbed...
URL:

From mally at ripe.net Tue Apr 29 13:10:12 2003
From: mally at ripe.net (Mally Mclane)
Date: Tue, 29 Apr 2003 13:10:12 +0200
Subject: add me
In-Reply-To: <002a01c30e3f$80bb8f90$a900000a@dic.ezone>
References: <002a01c30e3f$80bb8f90$a900000a@dic.ezone>
Message-ID: <2147483647.1051621812@ginger.ripe.net>

Hi Mansoor,

> Subject: add me

You can subscribe yourself through the web interface at:

http://www.ripe.net/mailman/listinfo/dns-wg

Current subscribers can also use the same web interface to change
options relating to their subscription.

Regards,

Mally Mclane
RIPE NCC - Operations

From sanz at denic.de Tue Apr 29 15:49:38 2003
From: sanz at denic.de (Marcos Sanz/Denic)
Date: Tue, 29 Apr 2003 15:49:38 +0200
Subject: I-D on SRV and whois servers
Message-ID:

Hi all,

In this version of the draft, Gerhard and I have incorporated comments
made in the last WG session:

http://www.ietf.org/internet-drafts/draft-sanz-whois-srv-00.txt

Feedback and comments are very welcome.

On the other hand I'd like to raise the question whether some registry
zone administrators would be willing to include SRV records pointing to
their whois servers, as .de and .at have done. This would increase the
gene pool of the initiative.

Regards,
Marcos Sanz
DENIC eG

From mansoor at dubaiinternetcity.net Tue Apr 29 16:00:12 2003
From: mansoor at dubaiinternetcity.net (Mansoor Ahmed)
Date: Tue, 29 Apr 2003 18:00:12 +0400
Subject: views.........please
Message-ID: <004801c30e57$a6feb5c0$a900000a@dic.ezone>

Hi,

I have a requirement of 2 views, one for internal and one for external.
The named.conf is very simple, but I am unable to query other domains
when doing nslookup from outside; it is replying with root servers only.
------------------------------------------------------------

    options {
        directory "/var/named";
        pid-file "/var/named/named.pid";
    };

    logging {
        channel sec_channel {
            file "/var/tmp/named.security";
            severity info;
        };
        category security {
            sec_channel;
            default_syslog;
            default_debug;
        };
    };

    acl "corpnet" { 10.0.0.1; };

    view "internal" {
        match-clients { "corpnet"; };
        recursion yes;
        zone "." in {
            type hint;
            file "root.ca";
        };
        zone "domain-local" {
            type slave;
            file "domain-local.hosts";
            allow-transfer { any; };
            masters { 216.137.31.87; };
        };
    };

    view "external" {
        match-clients { any; };
        recursion no;
        zone "." in {
            type hint;
            file "root.ca";
        };
        zone "domain1.com" {
            type slave;
            file "domain1.com";
            allow-transfer { none; };
            masters { 216.137.31.87; };
        };
    };

Please advise, thanks in advance.

Mansoor

From andrei at ripe.net Tue Apr 22 16:01:05 2003
From: andrei at ripe.net (Andrei Robachevsky)
Date: Tue, 22 Apr 2003 16:01:05 +0200
Subject: [staff] [local-ir@ripe.net]signing the roots
Message-ID: <3EA54B21.3070307@ripe.net>

Dear colleagues,

At the DNS-WG at the last RIPE meeting (RIPE 44) Johan Ihren presented
his proposal for an interim scheme for signing the public DNS root.

The current version of this Internet-Draft is:

draft-ietf-dnsop-interim-signed-root-01.txt

The full text of this Internet-Draft can be found at:

http://www.ietf.org/internet-drafts/draft-ietf-dnsop-interim-signed-root-01.txt

In the Internet-Draft, a mechanism has been proposed for a first stage
of a transition from an unsigned DNS root to a signed root, such that
the data in the root zone is accompanied by DNSSEC signatures to allow
validation.

The process of doing this involves the use of a set of operator keys
which are signed by one key signing key, sometimes referred to as a
"master key". It has been further proposed that these key signing keys
be managed by the Regional Internet Registries (RIRs).

The proposal states the requirements of the RIRs would be to:

* establish a secure out-of-band communication path in collaboration
  with the signing operators which will be used for authenticated
  exchange of the unsigned keyset.

* periodically generate strong keys using a good random number
  generator

* manage their keys (i.e. use them for signing the operator keyset and
  keeping the private key appropriately secret)

Question:

Since this Internet-Draft suggests future action by the RIRs, the RIPE
community should discuss this issue and provide feedback to the author.
Therefore, the following question is asked:

Is this a task that should be performed by the RIPE NCC?

Please direct your feedback to dns-wg at ripe.net mailing list.

Regards,

Andrei Robachevsky
CTO, RIPE NCC
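
Added example, not part of any message in this archive: a small Python model of how BIND9 picks a view for a client, for checking the match-clients lists discussed in the "views" messages. It assumes the documented address-match-list rule (the first matching element decides, a matching "!" element rejects, no match means no match); the view models and the test clients 10.0.0.2 and 192.0.2.53 are constructed.

```python
import ipaddress

def parse_prefix(text):
    """Parse an address or prefix; BIND accepts short forms such as 10/8."""
    addr, _, length = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (length or "32"))

def acl_matches(elements, client, acls):
    """The first element that matches decides; a matching '!' element rejects.
    If nothing matches, the list does not match (simplified: no keys, no
    special handling of negation inside nested ACLs)."""
    for element in elements:
        negated, name = element.startswith("!"), element.lstrip("!")
        if name in ("any", "none"):
            hit = name == "any"
        elif name in acls:
            hit = acl_matches(acls[name], client, acls)
        else:
            hit = client in parse_prefix(name)
        if hit:
            return not negated
    return False

def select_view(views, client_ip, acls=None):
    """Return the name of the first view whose match-clients accepts the client."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if acl_matches(match_clients, client, acls or {}):
            return name
    return None  # no view matched

# Constructed models of the match-clients lists quoted in the thread.
ACLS = {"corpnet": ["10.0.0.1"]}
POSTED = [("internal", ["corpnet"]), ("external", ["any"])]
NEGATION_ONLY = [("inside", ["10/8"]), ("outside", ["!10/8"])]
NEGATION_THEN_ANY = [("inside", ["10/8"]), ("outside", ["!10/8", "any"])]

if __name__ == "__main__":
    # 10.0.0.2 and 192.0.2.53 are constructed test clients.
    for ip in ("10.0.0.1", "10.0.0.2", "192.0.2.53"):
        print(ip, select_view(POSTED, ip, ACLS),
              select_view(NEGATION_ONLY, ip),
              select_view(NEGATION_THEN_ANY, ip))
```

In the posted configuration only 10.0.0.1 lands in the "internal" view; every other client, including other 10.x hosts, is served by "external", which has recursion turned off.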