f



Z flag is different from 0

Hi -

I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master =
and secondard), which support a dozen (+/-) domains.  We recently =
upgraded our firewall to CheckPoint with thier SmartDefense product. (We =
had been running an older Gauntlet firewall)

My issue is that SmartDefense is alerting on our outgoing DNS queries, =
saying "Bad DNS Headers, Z flag is different from 0".  I've looked at =
RFC2929, which says:

--quote--
2.1 One Spare Bit?

   There have been ancient DNS implementations for which the Z bit being
   on in a query meant that only a response from the primary server for
   a zone is acceptable.  It is believed that current DNS
   implementations ignore this bit.

   Assigning a meaning to the Z bit requires an IETF Standards Action.
---------

Should I be looking for a way to configure bind to not set the Z flag? =
Or is there some other solution to this issue?

Thanks in advance.


0
Miner
11/30/2004 1:54:12 PM
comp.protocols.dns.bind 16245 articles. 1 followers. Post Follow

0 Replies
322 Views

Similar Articles

[PageSpeed] 3

Reply:

Similar Artilces:

Re: Z flag is different from 0
bind-users-bounce@isc.org wrote on 11/30/2004 08:54:12 AM: > Hi - > > I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master = > and secondard), which support a dozen (+/-) domains. We recently = > upgraded our firewall to CheckPoint with thier SmartDefense product. (We = > had been running an older Gauntlet firewall) I typically turn off the DNS checking in smartdefense. hth, dave... > > My issue is that SmartDefense is alerting on our outgoing DNS queries, = > saying "Bad DNS Headers, Z flag is different from 0". I've looked at = > RFC2929, which says: > > --quote-- > 2.1 One Spare Bit? > > There have been ancient DNS implementations for which the Z bit being > on in a query meant that only a response from the primary server for > a zone is acceptable. It is believed that current DNS > implementations ignore this bit. > > Assigning a meaning to the Z bit requires an IETF Standards Action. > --------- > > Should I be looking for a way to configure bind to not set the Z flag? = > Or is there some other solution to this issue? > > Thanks in advance. > > ...

RE: Z flag is different from 0 #3
Thanks to everyone for the replies both on and off the list. I've done some packet captures, and so far all the packets I've seen = have the Z flag set to zero. I'll have to escalate this to the folks at = CheckPoint and see what they have to say. For now, (as others suggested), I'm going to turn off SmartDefence for = DNS. Thanks again! -----Original Message----- From: Mark Andrews [mailto:Mark_Andrews@isc.org] Sent: Tue 11/30/2004 04:18 PM To: Miner, Jonathan W (CSC) (US SSA) Cc: comp-protocols-dns-bind@isc.org Subject: Re: Z flag is different from 0=20 > Hi - >=20 > I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master = =3D > and secondard), which support a dozen (+/-) domains. We recently =3D > upgraded our firewall to CheckPoint with thier SmartDefense product. = (We =3D > had been running an older Gauntlet firewall) >=20 > My issue is that SmartDefense is alerting on our outgoing DNS queries, = =3D > saying "Bad DNS Headers, Z flag is different from 0". I've looked at = =3D > RFC2929, which says: >=20 > --quote-- > 2.1 One Spare Bit? >=20 > There have been ancient DNS implementations for which the Z bit = being > on in a query meant that only a response from the primary server = for > a zone is acceptable. It is believed that current DNS > implementations ignore this bit. >=20 > Assigning ...

Re: Z flag is different from 0 #2
> Hi - > > I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master = > and secondard), which support a dozen (+/-) domains. We recently = > upgraded our firewall to CheckPoint with thier SmartDefense product. (We = > had been running an older Gauntlet firewall) > > My issue is that SmartDefense is alerting on our outgoing DNS queries, = > saying "Bad DNS Headers, Z flag is different from 0". I've looked at = > RFC2929, which says: > > --quote-- > 2.1 One Spare Bit? > > There have been ancient DNS implementations for which the Z bit being > on in a query meant that only a response from the primary server for > a zone is acceptable. It is believed that current DNS > implementations ignore this bit. > > Assigning a meaning to the Z bit requires an IETF Standards Action. > --------- > > Should I be looking for a way to configure bind to not set the Z flag? = > Or is there some other solution to this issue? > > Thanks in advance. BIND 9.3 does not set the final bit. Are you sure it is not triggering on CD? dnssec-enable no; // default 07:51:01.130013 192.168.191.236.2498 > 198.6.1.65.53: 16310 [1au] A? ftp.uu.net. (39) 4500 0043 0a63 0000 4011 286b c0a8 bfec c606 0141 09c2 0035 002f 72bd 3fb6 0000 0001 0000 00...

0.0 is different with 0?
Dear all Here is an example to show my question. SF[N_Integer, a_Real, fs_Real] := Table[Sin[(1 + fs)*k*2 Pi/N + a], {k, 0, N - 1}] SF[32, 0.1, 0.0] can show the table contents, however, SF[32, 0.1, 0] cannot show the result. Why? Best Regards mayi 2008-06-26 damayi wrote: > Here is an example to show my question. > SF[N_Integer, a_Real, fs_Real] := > Table[Sin[(1 + fs)*k*2 Pi/N + a], {k, 0, N - 1}] > > SF[32, 0.1, 0.0] can show the table contents, however, SF[32, 0.1, 0] > cannot show the result. Why? If you were writing this function is a stron...

ColorFunctions again (making z=0 be different from z=1)
The simple ColorFunction->Hue option in Plot3D, ContourPlot, and DensityPlot, makes z = 0 appear the same as z = 1 (i.e., both bright red), a situation which seems to me to make these plots confusing and more difficult to interpret, given that "high peaks" and "sea level valleys" may be the most interesting features of such a plot. Do others have any favorite, not too messy ColorFunctions that make values near z = 0 tend toward white, or grey, or less bright, or something so that there's a clearly unidirectional visual effect going from values of z nea...

Re: ColorFunctions again (making z=0 be different from z=1)
On 9/7/04 at 5:43 AM, siegman@stanford.edu (AES/newspost) wrote: >The simple ColorFunction->Hue option in Plot3D, ContourPlot, and >DensityPlot, makes z = 0 appear the same as z = 1 (i.e., both >bright red), a situation which seems to me to make these plots >confusing and more difficult to interpret, given that "high peaks" >and "sea level valleys" may be the most interesting features of >such a plot. >Do others have any favorite, not too messy ColorFunctions that make >values near z = 0 tend toward white, or grey, or less bright, or...

Bind named to 0.0.0.0 (INADDR_ANY)
Hello, I'm trying to get named to listen on IPv4 0.0.0.0:53 (INADDR_ANY): * http://www.cs.cmu.edu/afs/cs/academic/class/15441-f01/www/assignments/P2/htmlsim_split/node18.html I've tried: listen-on { 0.0.0.0; }; This gives no binding at all. listen-on { any; }; listen-on { localhost; }; listen-on { localnets; }; These explicitly bind named to the configured local IP addresses. Is there another way to do this? Thanks in advance. -RichardW. System Information * BIND 9.4.2-P1 * Linux 2.6.24 -- Richard Wall Support Engineer ApplianSys Ltd http://www...

Re: ColorFunctions again (making z=0 be different from z=1) #2
On 9/10/04 at 4:06 AM, siegman@stanford.edu (AES/newspost) wrote: >In article <chpa0a$jsl$1@smc.vnet.net>, "Peltio" ><peltio@twilight.zone> wrote: > >>>Do others have any favorite, not too messy ColorFunctions that >>>make values near z = 0 tend toward white, or grey, or less >>>bright, or something so that there's a clearly unidirectional >>>visual effect going from values of z near 0 to those near z = 1? >>Black and white is elegant, isn't it? : ) So, why not to use >>GrayLevel >Thanks...

Re: Bind named to 0.0.0.0 (INADDR_ANY)
In message <cbf1a1340809300721j468531d5sa5da8bedb3fff47e@mail.gmail.com>, "Rich ard Wall" writes: > Hello, > > I'm trying to get named to listen on IPv4 0.0.0.0:53 (INADDR_ANY): > * http://www.cs.cmu.edu/afs/cs/academic/class/15441-f01/www/assignments/P2/h > tmlsim_split/node18.html > > I've tried: > listen-on { 0.0.0.0; }; Which is "listen-on { 0.0.0.0/32; };" which won't match any interface's address. > This gives no binding at all. > > listen-on { any; }; > listen-on { localhost; }; >...

make_sock: could not bind to address 0.0.0.0:80
Hi, I installed Apache on win2000 Server and everything worked fine. After restarting the machine it didnt come up anymore. THe eventlog said: The Apache service named reported the following error: >>> (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:80 The Apache service named reported the following error: >>> no listening sockets available, shutting down . EitherIIS is not running, nor Kazza or skype. can someone help me to fix this problem ? Rolf ...

#if 0?0?0:0:0
The following 4-lines source fragment test.c (fourth line empty) #if 0?0?0:0:0 #endif int main(void){return 0?0?0:0:0;} cause: test.c(1) : fatal error C1017: invalid integer constant expression when compiled by cl.exe aka "Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86". On the other hand this compile and runs fine. #if 0?(0?0:0):0 #endif int main(void){return 0?0?0:0:0;} Did I hit a but it this compiler's preprocessor? Francois Grieu On 3/30/2010 12:47 PM, Francois Grieu wrote: > The following 4-lines source fr...

Problem: make_sock: could not bind to address 0.0.0.0:80
Hi, When installing Apache 2.0, I get the following error message in the DOS command prompt. (32548)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:80 no listening sockets available, shutting down. The Apache HTTP Server instance does not exist in Services. I don't know how to solve this problem. I would greatly appreciate any help on this. Thanks in advance! Ben. do u have IIS installed and running? "Ben" <blam_mo@yahoo.com> wrote in message news:5eba615e.0403311745.1497d...

Re: Bind named to 0.0.0.0 (INADDR_ANY) #2
In message <cbf1a1340809301028o3ffc5e71ua6a38d7aaefeedca@mail.gmail.com>, "Rich ard Wall" writes: > 2008/9/30 Mark Andrews <Mark_Andrews@isc.org>: > > In message <cbf1a1340809300721j468531d5sa5da8bedb3fff47e@mail.gmail.com>, " > Rich > > ard Wall" writes: > <snip> > >> I've tried: > >> listen-on { 0.0.0.0; }; > > Which is "listen-on { 0.0.0.0/32; };" which won't match any > > interface's address. > > Hi Mark, > > Understood. > &g...

Problem: make_sock: could not bind to address 0.0.0.0:80
Hi, When installing Apache 2.0, I get the following error message in the DOS command prompt. (32548)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:80 no listening sockets available, shutting down. The Apache HTTP Server instance does not exist in Services. I don't know how to solve this problem. I would greatly appreciate any help on this. Thanks in advance! Ben. do u have IIS installed and running? "Ben" <blam_mo@yahoo.com> wrote in message news:5eba615e.0403311745.1497d...

Why named bind(2)s 0.0.0.0 and :: adresses?
Hi all, has anyone here explanation why named bind(2)s addresses 0.0.0.0 and :: ? I have this in options statement: options { .... listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; .... }; but netstat says named listen also on udp 0 0 0.0.0.0:32779 0.0.0.0:* 6898/named udp 0 0 :::32780 :::* 6898/named I'm interested why named listen on that ports. Adam -- Adam Tkac, Red Hat, Inc. ...

0,0 not 0,0
hi all, i have 2 drawings - ground floor and first floor. when i do an ID on a point on the grid i get the same readings for both drawings however, when i xref one into the other or both into a new drawing they come in in different locations. i've checked they're both using world UCS and the same units. any ideas? i thought with autocad 0,0 was always 0,0? cheers rob "Coro, Rob" <RE-Coro@bdp.co.uk> schrieb: >hi all, > >i have 2 drawings - ground floor and first floor. when i do an ID on a >point on the grid i get the same readings for both drawings however, >when i xref one into the other or both into a new drawing they come in >in different locations. i've checked they're both using world UCS and >the same units. any ideas? i thought with autocad 0,0 was always 0,0? UCS? INSBASE? Tom Berger -- ArchTools: Architektur-Werkzeuge f�r AutoCAD (TM) ArchDIM - architekturgerechte Bema�ung und H�henkoten ArchAREA - Fl�chenermittlung und Raumbuch nach DIN 277 Info und Demo unter http://www.archtools.de insbase, that's the bugger. thanks tom rob -----Original Message----- From: Tom Berger [mailto:berger@archtools.de] Posted At: 13 July 2004 12:24 Posted To: autocad Conversation: 0,0 not 0,0 Subject: Re: 0,0 not 0,0 "Coro, Rob" <RE-Coro@bdp.co.uk> schrieb: >hi all, > >i have 2 drawings - ground floor and first floor. wh...

(= 0/0 0/0)
Hi, shouldn't > (= 0/0 0/0) => NIL or > (= 0/0 0/0) => T instead of giving out division by zero? 0/0 is different from 1/0, which is the non-existent number n such that 1 x n = 0. The actual result of that expression depends of what you think 0/0 is. I personally feel that 0/0 is any number n such that 0 x n = 0, that is all numbers. hal9@cyberspace.org (Hal Niner) writes: > Hi, > > shouldn't > > > (= 0/0 0/0) => NIL > > or > > > (= 0/0 0/0) => T > > instead of giving out division by zero? 0/0 is different fro...

Re: Why named bind(2)s 0.0.0.0 and :: adresses?
FAQ. > Hi all, > > has anyone here explanation why named bind(2)s addresses 0.0.0.0 and > :: ? I have this in options statement: > > options { > ... > listen-on port 53 { 127.0.0.1; }; > listen-on-v6 port 53 { ::1; }; > ... > }; > > but netstat says named listen also on > udp 0 0 0.0.0.0:32779 0.0.0.0:* 6898/named > udp 0 0 :::32780 :::* 6898/named > > I'm interested why named listen on that ports. > > Adam > > -- > Adam Tkac, Red Hat, Inc. > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org ...

Bind to port 22 on 0.0.0.0 failed: Address already in use
I have a few dozen servers at work that reboot every week. On one of them, sshd could not start. Feb 28 00:04:51 WORK_SERVER_NAME sshd[5465]: Server listening on :: port 22. Feb 28 00:04:52 WORK_SERVER_NAME sshd[5465]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use. Feb 28 00:04:52 WORK_SERVER_NAME sshd[5465]: Received SIGHUP; restarting. My question is WTF, what could it be that keeps the port during boot time? For now, I added a command that attempts to restart sshd after 3 minutes, but I am a little concerned. Googling suggests that it is because ipv4 ...

Differences between 5.0.0 and 5.0.1?
Can anyone tell me what the differences are between 5.0 and its point release? I bought 5.0 (student) last fall, and Wolfram wants $100 maintenance fee to get the minor point release upgrade. ...

DNS (A 1.0.0.0) problem with DSL
Here's one I can't quite figure out: Qwest DSL with ActionTec GT701-wg (which runs Linux). Under Windows, works great. Under Linux, works great so long as I don't have to go to the secondary DNS server (i.e. websites such as www.novell.com work fine, gmail.google.com are unreachable). My resolv.conf looks like this after DHCP assigns my Linux box an addy: ; generated by /sbin/dhclient-script search domain.actdsltmp nameserver 192.168.0.1 nameserver 216.190.127.1 If I switch the last two lines, the problem goes away: nameserver 216.190.127.1 nameserver 192.168.0.1 If I leave the...

IP 0.0.0.0/0
Hi Any useful link that explains this IP address range in details, please? Thanks in advance! The Dude In article <Jp6Hg.458762$IK3.24918@pd7tw1no>, The Dude <The Dude@thedu.de> wrote: >Any useful link that explains this IP address range in details, please? Urrr -- 0.0.0.0/0 is the *entire* IPv4 address range, and 0.0.0.0/32 is just the single IPv4 address 0.0.0.0. For any given network, the lowest address in the network is reserved. Historically, the lowest address was one of the two allowed choices for the broadcast address; later, the broadcast a...

RE: where did all them bits go ? (dns-parameters/dns-header-flags/dnskey-flags)
I do not believe RFC 2929 should appear in any of the registries. I thought it was simply an RFC of the current IANA registry states. I doesn't actually seek to allocate anything that isn't already defined in some other DNS specification. It is a handy guide for people that don't check all the IANA registries to go to one RFC and get all the reserved values. If I'm wrong, someone correct me Scott > -----Original Message----- > From: owner-namedroppers@ops.ietf.org > [mailto:owner-namedroppers@ops.ietf.org]On Behalf Of IANA > Sent: Thursday, June 09...

Difference between BIND and Windows AD DNS
I have noticed that our BIND servers do not return IP addresses in response to an SRV query as the Windows AD DNS servers do for the same query. Is there a way to make them do this? The AD zones are transferred in from the AD DNS servers, so they should be working with the same zone information. Thanks, Ken Traynham 919-767-7059 ---------------------------------------------------------------------------------------- This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose. ---------------------------------------------------------------------------------------- ...

Web resources about - Z flag is different from 0 - comp.protocols.dns.bind

Bill Gates sides with FBI over iPhone access issue
Bill Gates says that Apple should help the FBI break open the San Bernardino shooter's iPhone. Talking to the Financial Times, he said this was ...

Teen Shooting Victim Responds to Doctor With Thumbs-Up
A simple squeeze of her mother's hand was enough to alert doctors that a 14-year-old victim of the mass shooting in Kalamazoo had survived the ...

Is David Cameron losing touch with Britain over EU Referendum
Cameron was at it again yesterday, trying to persuade MPs that the pathetic deal would bring about a fundamental change in Britain’s relationship ...

Demi Lovato Explains Her Passion After Taylor Swift 'Shade'
Demi Lovato is seemingly apologizing for throwing “shade” at Taylor Swift after her donation to Kesha . The 22-year-old entertainer took to ...

Vanessa Hudgens & Her Mom Pay Tribute to Her Late Father
Vanessa Hudgens ‘ father passed late last month but she is keeping his memory alive and continuing to share about him on social media. The 27-year-old ...

Marie Hatch: Woman, 97, Evicted From Home After 66 Years
Marie Hatch is 97-years-old. She is battling her second round with cancer and has little to no family. The only thing Marie has is the wood-shingled ...

Kourtney, Khloe & Kim Kardashian Honor Robert Kardashian’s Birthday: Rob Kardashian Ignores Family For ...
If Robert Kardashian were still alive, the Keeping Up With The Kardashians clan would have celebrated his 72nd birthday Monday. But although ...

Samantha Bee Destroys John Kasich's Moderate Charade
Samantha Bee set her sights on Ohio Governor John Kasich tonight, and it was devastatingly hilarious. "In the nauseating bus terminal restroom ...

US, Russia announce Syria ceasefire plan, questions unresolved
Xinhua US, Russia announce Syria ceasefire plan, questions unresolved Xinhua United States Secretary of State John Kerry (R), Russian Foreign ...

AT&T and Intel to test 4G LTE for drones to potentially increase their flight range and reduce signal ...
Roger Cheng / CNET : AT&T and Intel to test 4G LTE for drones to potentially increase their flight range and reduce signal interference — AT&T, ...

Resources last updated: 2/23/2016 6:36:00 AM