Two hidden masters - sending notifications to public slaves.
Hello,

We are setting up to do zone generations of two separate hidden masters which will take turns on the zone generation. Public/visible DNS servers should get notifies from both servers and select the one with the highest serial number. I am planning to run BIND on one server and Knot on the other.

On BIND I have the issue that it would not send notifies to the name servers until I turned on notify-soa yes;. However, I realise that this will only notify one single DNS server and introduces a single point of failure.

How do I get BIND to send notifies directly to each of the servers?

Regards,
Maren

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Two hidden masters - sending notifications to public slaves.
On 07.07.2014 13:22, Maren S. Leizaola wrote:
> We are setting up to do zone generations of two separate hidden masters which will take turns on the zone generation. Public/visible DNS servers should get notifies from both servers and select the one with the highest serial number. I am planning to run BIND on one server and Knot on the other.
>
> On BIND I have the issue that it would not send notifies to the name servers until I turned on notify-soa yes;. However, I realise that this will only notify one single DNS server and introduces a single point of failure.
>
> How do I get BIND to send notifies directly to each of the servers?

also-notify {192.168.0.1; 192.168.0.2;};

http://www.zytrax.com/books/dns/ch7/xfer.html#also-notify
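An added configuration example (not from the thread) showing where the also-notify answer fits in a hidden-master setup: a hidden master is absent from the zone's NS RRset, so the default notify yes; has nobody to notify, and the public servers must list both hidden masters so a NOTIFY from either one is accepted and the refresh can fetch from either. The zone name and the 10.0.0.x hidden-master addresses are placeholders; 192.168.0.1/2 are the public servers from the reply.

```conf
// --- on each hidden master (BIND; the Knot master needs the equivalent) ---
options {
    // Send NOTIFY only to the also-notify list, not to the NS RRset
    // (the hidden master is not in that RRset anyway).
    notify explicit;
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    also-notify    { 192.168.0.1; 192.168.0.2; };   // the public/visible servers
    allow-transfer { 192.168.0.1; 192.168.0.2; };   // and only them
};

// --- on each public server ---
zone "example.com" {
    type slave;
    file "/var/named/slaves/example.com.zone";
    // Both hidden masters (placeholder addresses): a NOTIFY from either is
    // accepted, and the SOA/AXFR refresh can be served by either.
    masters      { 10.0.0.1; 10.0.0.2; };
    allow-notify { 10.0.0.1; 10.0.0.2; };
};
```

A secondary only transfers when the master's serial is higher than the one it already holds, so the two masters taking turns must keep the serial increasing across both, or one master's NOTIFY will be accepted but followed by no transfer.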
dynamically adding/removing TSIG configuration
Hi!

I currently use rndc addzone/delzone to manage zones on my slave. I now want to add TSIG for some of these zones and I want to be able to enable/disable TSIG dynamically per zone. Unfortunately I haven't found a nice solution yet. My results are:

1. delzone/addzone with adding the tsig key name to the { zone-options; } and include named.conf.tsigkeys where I add the key. Not nice because I have to touch 2 interfaces (rndc and manually edit config files).

2. do not use delzone/addzone anymore but manually rewrite the named.conf.local file and add/delete/update the zone. IMO it is not nice fumbling around in the config file - I have to take care of locks and so on.

Thus, does anybody have an idea how I can configure TSIG via some kind of API?

Thanks
Klaus
Re: problem resolving ardownload.adobe.com
On Wed, Jul 2, 2014 at 2:51 PM, Carl Byington c...@byington.org wrote:
> version: 9.10.0-P2
>
> dig ardownload.adobe.com. @localhost
>
> ;; ANSWER SECTION:
> ardownload.adobe.com.   8743    IN      CNAME   ardownload.wip4.adobe.com.

What is the rest of the dig output? Specifically, what status is your resolver giving you (NOERROR or NXDOMAIN)?

When queried for type NS, the adobe load balancer returns NXDOMAIN:

$ dig @du1gtm001.adobe.com ardownload.wip4.adobe.com ns

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com ardownload.wip4.adobe.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42533
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ardownload.wip4.adobe.com.     IN      NS

;; AUTHORITY SECTION:
wip4.adobe.com.         30      IN      SOA     sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60

;; Query time: 116 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Mon Jul  7 16:58:37 2014
;; MSG SIZE  rcvd: 100

Even though A queries yield NOERROR:

$ dig @du1gtm001.adobe.com ardownload.wip4.adobe.com a

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com ardownload.wip4.adobe.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21275
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ardownload.wip4.adobe.com.     IN      A

;; ANSWER SECTION:
ardownload.wip4.adobe.com. 300  IN      CNAME   ardownload.adobe.com.edgesuite.net.

;; Query time: 119 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Mon Jul  7 16:59:25 2014
;; MSG SIZE  rcvd: 91

Your cache might be adversely affected by this behavior if your cache is sending NS queries to authoritative servers (for example, RPZ with NS lookup), which would cause the name to be cached as NXDOMAIN.

Casey
Re: problem resolving ardownload.adobe.com
The Adobe servers are just plain broken.

Request a CNAME - NXDOMAIN (Should return CNAME record)
Request a TXT - NXDOMAIN (Should return CNAME record)
Request a NS - NXDOMAIN (Should return CNAME record)
Add an EDNS option - NXDOMAIN (Should return CNAME record)

I suspect the load balancer is passing non A/ queries through to a backing server that doesn't have a fallback CNAME in the zone for ardownload.wip4.adobe.com, resulting in NXDOMAIN being returned. That said, the load balancer should know that if it is returning CNAME to A and queries, it should also return CNAME to all other query types. This is basic RFC 1034 behaviour.

Mark

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com cname @du1gtm001.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 201
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.     IN      CNAME

;; AUTHORITY SECTION:
wip4.adobe.com.         30      IN      SOA     sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60

;; Query time: 486 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:15:41 EST 2014
;; MSG SIZE  rcvd: 111

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com +nsid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37308
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.     IN      A

;; AUTHORITY SECTION:
wip4.adobe.com.         30      IN      SOA     sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60

;; Query time: 422 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:17:30 EST 2014
;; MSG SIZE  rcvd: 111

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37210
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.     IN      A

;; ANSWER SECTION:
ardownload.wip4.adobe.com. 300  IN      CNAME   ardownload.adobe.com.edgesuite.net.

;; Query time: 441 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:15:57 EST 2014
;; MSG SIZE  rcvd: 102