• Fun with nsupdate and ac1.nstld.com

    From @lbutlr@kremels@kreme.com to bind-users on Mon Jul 6 16:31:52 2020
    From Newsgroup: comp.protocols.dns.bind

    Trying to verify that I can make changes with nsupdate and running into something I don’t understand.

    mail # nsupdate -k admin.key
    zone name covisp.net
    update delete ns1.covisp.net. IN A 65.121.55.42
    update add ns1.covisp.net. 3601 IN A 65.121.55.42
    send
    ; Communication with 192.42.173.30#53 failed: timed out

    Uh… what? Why is it trying to update 192.42.173.30 (ac1.nstld.com)?

    That IP does not appear in any file in /usr/local/etc/ nor in /etc/ on my system.

    What am I missing here?

    In fact, the only file on the entire /usr/ that has this IP address in it is the draft copy of this email.
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Kevin Darcy@kevin.darcy@fcagroup.com to bind-users on Mon Jul 6 18:47:01 2020
    From Newsgroup: comp.protocols.dns.bind

    [ Classification Level: GENERAL BUSINESS ]


    You didn't dot-terminate covisp.net in the "zone" statement, so it may be appending who-knows-what to one of its queries, and going awry.

    nsupdate -d (or -D) shows all :-)

    - Kevin

    On Mon, Jul 6, 2020 at 6:32 PM @lbutlr <kremels@kreme.com> wrote:

    Trying to verify that I can make changes with nsupdate and running into something I don’t understand.

    mail # nsupdate -k admin.key
    zone name covisp.net
    update delete ns1.covisp.net. IN A 65.121.55.42
    update add ns1.covisp.net. 3601 IN A 65.121.55.42
    send
    ; Communication with 192.42.173.30#53 failed: timed out

    Uh… what? Why is it trying to update 192.42.173.30 (ac1.nstld.com)?

    That IP does not appear in any file in /usr/local/etc/ nor in /etc/ on my system.

    What am I missing here?

    In fact, the only file on the entire /usr/ that has this IP address in it
    is the draft copy of this email.


  • From @lbutlr@kremels@kreme.com to bind-users on Mon Jul 6 16:59:57 2020
    From Newsgroup: comp.protocols.dns.bind

    On 06 Jul 2020, at 16:47, Kevin Darcy <kevin.darcy@fcagroup.com> wrote:
    You didn't dot-terminate covisp.net in the "zone" statement

    <Beats head on desk>

    Ow!

    <Beats head on desk>

    Sigh.



    --
    The whole thing that makes a mathematician's life worthwhile is that
    he gets the grudging admiration of three or four colleagues

  • From Mark Andrews@marka@isc.org to @lbutlr on Tue Jul 7 09:59:01 2020
    From Newsgroup: comp.protocols.dns.bind

    Actually you had “zone name covisp.net” which told nsupdate to update the “name.” zone as it was treated as “zone name”. Nsupdate then went and looked up the SOA for name and found ac1.nstld.com is the primary server.

    name. 86400 IN SOA ac1.nstld.com. info.verisign-grs.com. 1594079077 1800 900 604800 86400

    Nsupdate can normally determine the name of the zone that has to be updated so most of the time you don’t need to specify the zone. There are a few cases, like when adding delegating NS records or glue to the parent zone, where you have to override the normal zone discovery procedure.

    Mark

    On 7 Jul 2020, at 08:59, @lbutlr <kremels@kreme.com> wrote:

    On 06 Jul 2020, at 16:47, Kevin Darcy <kevin.darcy@fcagroup.com> wrote:
    You didn't dot-terminate covisp.net in the "zone" statement

    <Beats head on desk>

    Ow!

    <Beats head on desk>

    Sigh.



    --
    The whole thing that makes a mathematician's life worthwhile is that
    he gets the grudging admiration of three or four colleagues

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
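
A pre-flight check for nsupdate batches, added here to illustrate the failure described in the message above (it is not code from the thread or from ISC). It flags stray tokens on the `zone` line, owner names outside the declared zone, and batches with no `server` statement, where the key-signed update goes to whichever host the zone's SOA MNAME names. The function names, the allow-list parameter and the 192.0.2.53 placeholder address are assumptions.

```python
# Added example: pre-flight lint for an nsupdate batch (not ISC code).
def norm(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()

def in_zone(owner, zone):
    o, z = norm(owner), norm(zone)
    return z == "" or o == z or o.endswith("." + z)

def lint_batch(text, allowed_zones):
    """Return (line_no, message) findings for an nsupdate command batch."""
    allowed = {norm(z) for z in allowed_zones}
    findings, zone, server_pinned = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if tok and tok[0].lower() == "update":   # the "update" keyword is optional
            tok = tok[1:]
        if not tok or tok[0].startswith(";"):
            continue
        cmd = tok[0].lower()
        if cmd == "server":
            server_pinned = True
        elif cmd == "zone" and len(tok) >= 2:
            zone = tok[1]   # first argument is taken as the zone, as in the thread
            if len(tok) > 2:
                findings.append((no, f"extra tokens after zone '{zone}': {' '.join(tok[2:])}"))
            if norm(zone) not in allowed:
                findings.append((no, f"zone '{zone}' is not in the allowed list"))
        elif cmd in ("add", "del", "delete") and len(tok) >= 2:
            if zone is not None and not in_zone(tok[1], zone):
                findings.append((no, f"{tok[1]} is outside zone '{zone}'"))
        elif cmd == "send" and not server_pinned:
            findings.append((no, "no server statement: target is the zone's SOA MNAME"))
    return findings

# The batch from the first message, and a corrected form (192.0.2.53 is a
# placeholder address for your own primary; it does not come from the thread).
THREAD_BATCH = """zone name covisp.net
update delete ns1.covisp.net. IN A 65.121.55.42
update add ns1.covisp.net. 3601 IN A 65.121.55.42
send
"""
FIXED_BATCH = THREAD_BATCH.replace("zone name covisp.net",
                                   "server 192.0.2.53\nzone covisp.net.")

if __name__ == "__main__":
    for no, msg in lint_batch(THREAD_BATCH, ["covisp.net"]):
        print(f"line {no}: {msg}")
```

Run against the batch from the first message it reports the stray `covisp.net` token, the unexpected zone `name`, both out-of-zone owner names and the missing `server` line; the corrected batch produces no findings.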
  • From @lbutlr@kremels@kreme.com to bind-users on Tue Jul 7 10:22:02 2020
    From Newsgroup: comp.protocols.dns.bind

    On 06 Jul 2020, at 17:59, Mark Andrews <marka@isc.org> wrote:
    Nsupdate can normally determine the name of the zone that has to be updated so most of the time you don’t need to specify the zone. There are a few cases, like when adding delegating NS records or glue to the parent zone, where you have to override the normal zone discovery procedure.

    So if I were to try adding web2.example.com via nsupdate I could simply

    > update add web2.example.com 96400 IN CNAME www.covisp.net
    send

    That's good to know, but I fear I will remember that and use it in cases where I do need to specify it and muck things up.

    I change DNS settings so infrequently that each time it is almost like starting over, especially since the underlying software has changed as well. Also, I need better notes, which I am taking this time. (Most of the serials on the DNS files are more than two years old.)

    The latest surprise was that dnssec-enable yes; is obsolete in Bind 9.16. I've noticed no fallout from simply uncommenting it, so I assume it is either required now or implied with dnssec-validation set or auto-dnssec in the zone config.

    I do have motivation to get all this nsupdate stuff square, however, as I want to move Letsencrypt to wildcard certs and that requires updating the DNS during the LE exchange.

    --
    Vi Veri Veniversum Vivus Vici
  • From Tony Finch@dot@dotat.at to @lbutlr on Tue Jul 7 18:32:21 2020
    From Newsgroup: comp.protocols.dns.bind

    @lbutlr <kremels@kreme.com> wrote:

    The latest surprise was that dnssec-enable yes; is obsolete in Bind 9.16.

    `dnssec-enable yes` has been the default since 2007, so that directive has
    been useless for quite a long time :-) What changed in 9.16 is that you
    now can't turn DNSSEC off. (Specifically, support for correctly serving
    signed zones on authoritative servers, and support for DNSSEC-aware
    clients of resolvers, whether or not any validation is happening. `dnssec-validation` is a separate setting.)

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    individual and social justice