Re: Binding on addresses
In message h4ofir$rt...@ger.gmane.org, Chris Hills writes: Hi After changing configuration from listen-on-v6 { any; }; to using specific addresses, I observed the following in the log after issuing `rndc reload` (times are CEST):- 29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use 29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use 29-Jul-2009 04:44:22.893 network: info: no longer listening on ::#53 29-Jul-2009 04:44:22.965 general: info: reloading configuration succeeded 29-Jul-2009 04:44:23.031 general: info: reloading zones succeeded 29-Jul-2009 05:19:10.179 general: info: received control channel command 'reload' 29-Jul-2009 05:19:10.180 general: info: loading configuration from '/usr/local/bind/9.6.1-P1/etc/named.conf' 29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv4 port range: [1024, 65535] 29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv6 port range: [1024, 65535] 29-Jul-2009 05:19:10.194 general: info: reloading configuration succeeded 29-Jul-2009 05:19:10.194 general: info: reloading zones succeeded After the reload, BIND no longer listened on tcp sockets, but udp sockets worked ok. After restarting named, it was listening on tcp sockets once more. Based on the log it looks like it is trying to bind to the address-specific tcp sockets before releasing tcp [::]:53. Linux's IP stack is broken. Reloading a second time would have fixed it. BIND is 9.6.1-P1 on Linux x86. Regards, Chris ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: about tcp port 53
Hello, Doing a search on this at www.google.com offers this first link: http://www.tcpipguide.com/free/t_DNSMessageGenerationandTransport-2.htm HTH - Original Message From: Tech W. tech...@yahoo.com.cn To: Stephane Bortzmeyer bortzme...@nic.fr Cc: bind-users@lists.isc.org Sent: Wednesday, July 29, 2009 12:35:31 AM Subject: Re: about tcp port 53 --- On Tue, 28/7/09, Stephane Bortzmeyer bortzme...@nic.fr wrote: what's the use of bind's tcp port 53? DNS requests and responses. oh, I was always thinking dns requests and responses are going with udp protocal. under what condition it uses tcp protocal? Regards, Wah. Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. Show me how: http://au.mobile.yahoo.com/mail ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: SRV Record Priority set by IP Address
On 20.07.09 13:26, Lev Vanyan wrote: i've stumbled into a question whether it is possible to configure BIND in a way that it responds to DNS SRV requests with the priority flag changed depending on the IP address of the requesting party. For example, there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and the other to 10.0.2.2. The requesting party has the ip address 10.0.1.53. I would want to have the first one with the priority higher than the second, which would allow me to split up the network by zones each one having their own server with the rest of servers used only in case of the prevalent zone server failure. Do you mean that bind could/should sort responses depending on source address of client requesting the data in the manner to the servers topologically closer to the client should precede others? The sortlist option should do that. However, to benefit of this sorting, all SRV records should have the same priority (so maybe you don't need SRV here at all). Also, the client (or intermediate relay, e.g. local DNS cache or nscd) must not re-sort responses, but has to use them in the order they came in. That may be problem in some libraries, some time ago I've been having similar problems, it seemed that nss_lwres was responsible for that. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
9.5.1-P1 to 9.6.1-P1
Any known gotcha's for this upgrade? -- Sandy Mackenzie The contents of this e-mail message and all attachments are intended for the confidential use of the addressee and where addressed to our client are the subject of solicitor and client privilege. Any retention, review, reproduction, distribution or disclosure other than by the addressee is prohibited. Please notify us immediately if we have transmitted this message to you in error. Thank you. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.5.1-P1 to 9.6.1-P1
On Wed, 29 Jul 2009, Sandy Mackenzie wrote: Any known gotcha's for this upgrade? The significant 9.6.0 changes are listed at https://www.isc.org/software/bind/new-features/9.6 The BIND 9.6.1 minor release has numerous improvements especially in portability, documentation, and DNSSEC. The release also includes the recent security fixes: correctly check the OpenSSL DSA_do_verify() and EVP_VerifyFinal() function results; and handling unknown algorithms in the DNSSEC lookaside validation. (Note that the BIND 9.6.0 version was not susceptible to the reported cases because it already had NSEC3 algorithm support.) The behavior of default allow-query-cache option has now changed to also possibly be affected by recursion no;. If the allow-query-cache option is not set, then the default for which hosts are allowed to get answers from the cache is determined by other configurations in the following order: 1) The allow-recursion ACL, if configured. 2) A recursion no; configuration implies none;. 3) The allow-query ACL, if configured. 4) Barring all of the above, the final default is { localnets; localhost }. So in other words, if you have defined recursion no; and have not defined the allow-query-cache, allow-recursion, and allow-query ACLs, then the default will be allow-query-cache { none; } and clients will not have access to the cache. This is a change from 9.3.6, 9.4.3, 9.5.1, and 9.6.0. For more details, see the ARM. The contrib/zkt was updated to version 0.98. BIND 9.6.1 introduces a new logging category called query-errors which provides detailed internal information about query failures, such server failures. (This is documented in the ARM.) Also new experimental new statistics counters were added, including for socket I/O events and query RTT (round trip time) histograms. And a bind.keys file is included in the source tree which contains the recent dlv.isc.org trust anchor for the administrator's convenience. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Correction to signatures on yesterday's BIND 9 releases
Due to a combination of circumstances, including extreme rush and the usual signer of our releases being away at IETF, we accidentally signed yesterday's BIND 9 patch releases (9.4.3-P3, 9.5.1-P3, and 9.6.1-P1) with the expired 2006 ISC signing key rather than the current one, and didn't notice the mistake until after publishing. All of the signatures have been replaced with the correct ones today. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Is my slave DNS working right?
The +trace option *forces* dig to step through each level of the hierarchy. Therefore it's not a good way of testing any kind of override of the normal iterative-resolution process. - Kevin Rob Z wrote: Hello list, Here's my scenario: I have multiple DNS servers (one master and a few slaves) authoritative for a few zones (eg mydomain.com http://mydomain.com, zone1.mydomain.com http://zone1.mydomain.com etc). I also have a caching server (a stock Redhat caching-nameserver.rpm configuration, BIND 9.2.4 ) which is used by clients on LAN to query DNS for zone1.mydomain.com http://zone1.mydomain.com. As far as I understand this caching server does a full recursive resolution to get information for zone1.mydomain.com http://zone1.mydomain.com ( going to root servers, then going to .com servers then to mydomain.com http://mydomain.com server). My obective is to convert this caching server into a slave server, which will transfer the full zone1.mydomain.com http://zone1.mydomain.com. Am I correct in the assumption that the slave server should answer queries for zone1.mydomain.com http://zone1.mydomain.com directly as it has all the information? I modified the config by adding zone zone1.mydomain.com http://zone1.mydomain.com { type slave; file mydomain/hosts.mydomain.com http://hosts.mydomain.com; masters { A.B.C.D; }; }; to the caching server config and configured the master server to allow transfers. The zone is being transfered correctly, mydomain/hosts.mydomain.com http://hosts.mydomain.com is popupated. However, dig +trace @localhost host1.zone1.mydomain.com http://host1.zone1.mydomain.com shows that the server is still doing a full recursion, going to the root servers, tld servers etc. What am I missing? Do I also have to list my caching server as NS record in the zone1.mydomain.com http://zone1.mydomain.com? It's located on a private network and won't be able to answer queries from the Internet. Attached is my config file === // // named.conf for Red Hat caching-nameserver // options { directory /var/named; dump-file /var/named/data/cache_dump.db; statistics-file /var/named/data/named_stats.txt; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. */ // query-source address * port 53; }; // // a caching only nameserver config // controls { inet 127.0.0.1 allow { localhost; } keys { rndckey; }; }; zone . IN { type hint; file named.ca http://named.ca; }; zone localdomain IN { type master; file localdomain.zone; allow-update { none; }; }; zone localhost IN { type master; file localhost.zone; allow-update { none; }; }; zone 0.0.127.in-addr.arpa IN { type master; file named.local; allow-update { none; }; }; zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa IN { type master; file named.ip6.local; allow-update { none; }; }; zone 255.in-addr.arpa IN { type master; file named.broadcast; allow-update { none; }; }; zone 0.in-addr.arpa IN { type master; file named.zero; allow-update { none; }; }; zone zone1.MYDOMAIN.COM http://zone1.MYDOMAIN.COM { type slave; file mydomain/hosts.mydomain.com http://hosts.mydomain.com; masters { A.B.C.D; }; }; include /etc/rndc.key; === Thanks Rob ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Creating a CNAME to another domain.
Danny Mayer wrote: Kevin Darcy wrote: Ezra Taylor wrote: Hello All: How can I create a CNAME that points to another domain. Example below. Is the below example possible? stars.mydomain.com http://stars.mydomain.com INCNAME stars.otherdomain.com http://stars.otherdomain.com. If stars.mydomain.com is just an ordinary name in the mydomain.com zone, then there is no problem with what you show above (except, syntactically, you need the trailing dot, as was already pointed out). If, on the other hand, stars.mydomain.com is a *zone*, then it's not possible, because in that case there would be apex records (records whose name is the same as that of the zone); at a minimum, an SOA and at least 2 NS records, which are required for each and every zone. When a particular name owns a CNAME record, it cannot also own SOA or NS records. Not true. For a Domain alias use a DNAME: mydomain.com. IN DNAME otherdomain.com. Bearing in mind that the OP asked specifically about creation of CNAMEs, which part is not true? - Kevin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
[SPAM] Win2k and bind
I know this is a very lame question, But I have been out of the Bind loop for a number of years ( yes I went over to the dark side ...MS DNS) but I want to come back. My question is this I have win2K servers what version of bind will run on this? Thanks Greg This message has been checked by the GDSI Barracuda SPAM/Virus Firewall. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: [SPAM] Win2k and bind
Unfortunately W2K was dropped a while ago, no safe version available for it. I know this is a very lame question, But I have been out of the Bind loop for a number of years ( yes I went over to the dark side ...MS DNS) but I want to come back. My question is this I have win2K servers what version of bind will run on this? Thanks Greg This message has been checked by the GDSI Barracuda SPAM/Virus Firewall. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig shows wrong ip
Chris Thompson wrote: On Jul 28 2009, sth...@nethelp.no wrote: % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net 216.250.243.230 As long as that host record exists, with an IP different from what your authoritative servers reply with, you are going to have problems, because queries will be answered by the GTLD servers and not your own authoritative servers. This is the wretched glue promoted to answer bug (we can call it a bug by now, surely?) which we are assured that the GTLD servers will be cured of this year, next year, sometime, or ... ... well, they will have to fix it before they can roll out DNSSEC, won't they? No. The op always needs to notify the Registrar of their domain when the address of any of their nameservers changes. That has always been a requirement. Danny ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users