configuration error in lists.isc.org
Lawrence K. Chen, P.Eng.
lkchen at ksu.edu
Mon Aug 10 21:49:43 UTC 2015
On 2015-08-07 22:23, Reindl Harald wrote:
> On 08.08.2015 at 05:13, Lawrence K. Chen, P.Eng. wrote:
>> So, when we were with this provider, our SPF had the exclusive pool as good,
>> but included the other pool prefixed with '~'
>
> can we stop that foolish discussion on the named list?
>
How about an unnamed one?
Plus this is passing the time while I'm waiting to see if I understood
https://kb.isc.org/article/AA-00295/
and had adjusted it for BIND 9.9.0 or greater correctly... Not quite sure
if the use of external or internal in master vs notify is on the correct side....
It links to https://kb.isc.org/article/AA-00851/0 (and says example 4, which
gives an example where it's hard to tell if or how it matches like
it)....except it's a two-server example, and while it's better formatted than the
previous article, it doesn't say what the server IPs are, so the IPs getting
notified or being master could just as well be servers not shown....let alone
whether it's the other server or itself.
Plus it has master zones in one view, and then says loopback is the master
for the slave zone in the second....(should be the one in the first view, right?),
but the only notify it does is to some unknown external IP that could be the
other server in the example or one not shown....and not its master.
Which might seem an odd thing to do normally...except that on my system, in both
views, both zones are slaves. So, the internal view does zone transfers with the
master(s), and passes it to the external view so that its exposed slaves can get
it. And, hopefully this solution will restore sending them
notifications....which seemed to work with both sides sharing the file, but not
with the outside being updated by unison (for reasons unknown I have one
internal server that updates the external view, though only 3 zones go to
internal slaves...and originate from this server's master zone).
Also the one exception in direction has multimaster set, as it receives
notifications and transfers from AD servers (3)...with off-by-one serial
numbers. Presumably all the multimaster option does is shut off the noise
(and the highest one always wins), since the alternative is probably the
latest one wins. Not sure how one would handle it if it's the middle one or
the youngest one....or a mix. Or maybe it's the one named ads1 that wins over ads2
and ads3....but what happens when they're impossible to type and differ only by a
letter or two....that were names of Jedi masters (or so we were told...)
Though I thought the boss said skywalker was part of his naming servers after
bulldozers or something.
Of the servers from that time, only brutus and muskie live on.... Solaris 9 Sun
Cluster, doing NFS from our 9990V (which had replaced our 9985). Needed to
be retired a long time ago...but getting people to migrate to NAS has been a
problem, especially one group that had made extensive use of sunacls, and we
don't yet have NFSv4 working anywhere...our ksuPerson schema makes LDAP
integration difficult everywhere...though the new devs are making progress at
some things, like stripping it totally of any way to do or support
groups. Though that group's use of sunacls is on the decline since they're
pushing the use of the central CMS for everything...so the CMS becomes the only user
allowed to write....though it wiped out the secret 'intranet' directory...and the
idea of getting it restored didn't occur until after the 90-day backup retention
time. And, apparently now an area covered by any archive policy (some of
which are subject to infinite retention).
All future LTO drives will retain the ability to read LTO1 tapes, which
leaves the problem of the period of time where they were NDMP backups from a
NetApp filer.
> that above is pure nonsense - your DOMAIN has either a strict SPF policy -
> or a testing policy ~ and no mix of both
>
> ~ means "testing, please don't reject if it doesn't pass" and *nothing* with
> good or bad IPs - from the moment on you have a ~ you don't enforce SPF for
> *anybody* - bad enough that this topic appeared at all but much worse
> that so many people set up SPF without understanding it
>
Except there are people that feel a strict black and white policy is too
limiting.
Especially when the IPs are a shared resource of the service provider, where
there is little to stop another customer from pretending to be us (just as there
was nothing to stop us from pretending to be them.... or to permit a visiting
researcher to continue to send with his email address but through our servers....)
When suddenly they set up an SPF and rejected mail from us, with lots of angry
messages and calls that it's my job to fix it so it'll work again.
As apparently lots of different universities have been originating mail
this way for years and years. And, they need to continue to do so, as the
application can't do any authentication for sending....(since it had always
worked....)
Though I haven't gotten a smarttable hack that I found working, which should allow me
to send through different authenticated SMTP servers, each needing different
credentials...at least in the login name, as I noticed for a couple of domains,
all the logins have the same password. Pretty sure the password wasn't tied to
the domain. More likely is that I forgot the passwords and reset them all at
once and then forgot about them.... it's hard generating memorable passwords
based on the login but not containing the login. OTOH, it's left over from where I
had tried creating unique accounts for the online places I shopped at. A
co-worker had said that's how he tells which of them sells customer email
addresses.
But, they all just fill up with email that I don't have time to sift
through, especially since my dovecot search is broken :(
Plus my read of the RFC didn't say anything about softfail for one
entry causing the entire SPF to be considered experimental. Just that
sites doing strict SPF treat softfail the same as fail.
Though I realize my error in not recalling that there is a middle (neutral)
level, which is more appropriate, since softfail is somewhere between
fail and neutral, which is not where I had intended the servers to be.
OTOH, one of the mass mailing services has us include an SPF record that
ends with '~all'...though it doesn't matter, as my understanding of the RFC is
that include is treated like an if-match....if a pass results, it ends,
otherwise continue processing. Though there's quite a penalty in doing a new
recursive lookup to get the include, etc. Not much I can do with includes
that service providers require us to set (and some do validation (and maybe
monitoring) that they are in our SPF in the expected format; sometimes I've
had to temporarily remove parts to get validated, and I've had to strip back for a
revalidation once .... )
But, just about time to deploy my fix and see what happens.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
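Added example, not from the post or from BIND: a minimal SPF evaluator over a constructed in-memory DNS table, showing the two points argued above about include: an included record that ends in ~all contributes only when it yields "pass" (its ~all never becomes the outer result), and each include: costs one lookup against the RFC 7208 limit of 10. The domain names and addresses are placeholders; only ip4, include and all are implemented.

```python
import ipaddress

# Constructed TXT records; the names and address ranges are placeholders.
DNS_TXT = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, lookups=None):
    """Return (result, lookups_used) for the sending address ip and domain."""
    lookups = [0] if lookups is None else lookups  # shared counter across includes
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            lookups[0] += 1                    # the "penalty" of a recursive lookup
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            inner, _ = check_host(ip, term[8:], lookups)
            if inner == "none":                # missing included record is an error
                inner = "permerror"
            if inner in ("temperror", "permerror"):
                return inner, lookups[0]
            matched = inner == "pass"          # include matches ONLY on pass;
                                               # inner fail/softfail/neutral = no match
        elif term == "all":
            matched = True
        else:
            return "permerror", lookups[0]     # mechanisms not modelled in this toy
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]               # default when nothing matched
```

An address outside both ranges ends as "fail" from the outer -all, not as the included record's softfail, and the include costs exactly one lookup.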