forwarders question

2009-08-10 Thread Michael Monnerie
We now have 2 sites at different locations, with a DNS resolver at 
each site. Internet speed between those two different ISPs is very fast, 
and the hosts to resolve will be about the same because of similar 
services.

My idea is to use 
forward X; 
on site Y and 
forward Y;
on site X, but, as I couldn't find it in the documents, I believe this 
could lead to a resolver loop between X and Y and therefore even slower 
resolution. Or is BIND clever enough to only ask the other server once?

My tests seem to indicate it's working well, but maybe someone knows of 
any issues?

There are 2 reasons for this:
1) performance. Having the caches hot on both sides, with a high 
chance that one cache knows entries the other can use, it should be quick.
2) reliability. Asking only internal servers which I can control is more 
secure than using any ISP's DNS. They are starting to do DNS mangling here 
in Austria too (instead of NXDOMAIN they deliver their web site's A record, 
pointing to their search engine).

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
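The ISP behaviour the post describes (NOERROR with the ISP's own A record where NXDOMAIN belongs) can be checked from a client with a small probe. Added example, not part of the original post: it sends a query for a random label that cannot exist to the resolver under test and classifies the reply from the wire-format header. The probe domain is an assumption; only the 12-byte header is parsed.

```python
import os
import socket
import struct

# Assumed probe domain (not from the post): any domain whose random subdomains
# are known not to exist; an honest resolver answers NXDOMAIN for them.
PROBE_DOMAIN = "example.com"

def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (A record, RD=1) in wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes, qid: int = 0x1234) -> str:
    """Classify the reply to a query for a name that must not exist:
    'nxdomain'  - honest resolver (RCODE 3),
    'rewritten' - NOERROR with answer records, i.e. the resolver substituted
                  its own A record for NXDOMAIN as described in the post,
    'other'     - anything else (wrong ID, SERVFAIL, truncated, empty NOERROR)."""
    if len(resp) < 12:
        return "other"
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        return "other"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0 and ancount > 0:
        return "rewritten"
    return "other"

def probe_resolver(server: str, domain: str = PROBE_DOMAIN, timeout: float = 3.0) -> str:
    """Ask `server` for a random label under `domain` and classify the reply."""
    qname = f"{os.urandom(6).hex()}.{domain}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp)

if __name__ == "__main__":
    import sys
    print(probe_resolver(sys.argv[1]))  # e.g. a resolver address from resolv.conf
```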

Reverse delegation - refused on my DNS

2009-08-19 Thread Michael Monnerie
After reading other threads, I got my ISP to delegate reverse DNS for our
subnet to me:

212.69.164.48/28

But now when I try to resolve it from outside:

# dig -x 212.69.164.57 @dns1.zmi.at
; <<>> DiG 9.3.4 <<>> -x 212.69.164.57 @dns1.zmi.at
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16794
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Why does my server refuse it? I have this:

zone "48-28.164.69.212.in-addr.arpa" in {
   type master;
   file "master/48-28.164.69.212.in-addr.arpa";
   allow-transfer { mydns; };
   allow-update { none; };
   allow-query { any; };
};

And the zone file looks like:

$TTL 60 ; default positive TTL
@   SOA ns4.zmi.at. hostmaster.ns4.zmi.at. (
        42  ; serial
        2d  ; refresh
        4h  ; retry
        6w  ; expiry
        60 )    ; negative TTL

    NS  power4u.zmi.at.
    NS  dns1.zmi.at.
    NS  dns2.zmi.at.
    A   212.69.164.60
    MX 10   protegate5.zmi.at.

49  PTR gateway-p3u.zmi.at.
50  PTR reserved.zmi.at.

So where's the error?


mfg zmi



RE: Reverse delegation - refused on my DNS

2009-08-20 Thread Michael Monnerie
I'm still searching for the error.
Also, sorry for the strangeness of the mail format, I used webmail for the 
last mails. This time it's Outlook, don't know if it's really any better... at 
least not for correctly indenting old mail text :-(

>   Because you don't serve 164.69.212.in-addr.arpa and you
>   tried to access the cache. You should slave
>   164.69.212.in-addr.arpa so you have the CNAMEs locally.
>   This will also make the above dig directed at your server
>   work as the answer will come from the zone rather than
>   the cache.

I did that now, helps :-))
 
>   Note: the lookups are working remotely because iterative
>   resolvers ask for 57.48-28.164.69.212.in-addr.arpa rather
>   than 57.164.69.212.in-addr.arpa as generated by the above
>   dig.

Ah, I get the point. I always tested from a remote site with
dig @dns1.zmi.at -x 212.69.164.57
but that didn't work as this is not an open resolver. Slaving the zone as you 
suggested enables even these lookups to work now. I think it's good, as it 
helps remote sites to debug DNS when hunting an error.

A plain
dig -x 212.69.164.57
also works, so, do I have an issue or is everything OK with my configuration?

Thanks for all your help, to all three of you!
mfg zmi



Re: Reverse delegation - refused on my DNS

2009-08-22 Thread Michael Monnerie
"Mark Andrews" wrote:
> You do however have a delegation mismatch.
> 
> 48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns1.zmi.at.
> 48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns2.zmi.at.
> ;; Received 91 bytes from 82.98.222.6#53(dns2.serico.de) in 717 ms
> 
> 48-28.164.69.212.in-addr.arpa. 3600 IN  NS  power4u.zmi.at.
> 48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns2.zmi.at.
> 48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns1.zmi.at.
> ;; Received 161 bytes from 212.69.162.197#53(dns1.zmi.at) in 999 ms

Yes, the registered DNS servers are dns[12]; power4u is our old DNS which will be
replaced soon, but we still have it in the config until then. Shouldn't be
harmful, I hope.

Thanks for checking!

mfg zmi

(and sorry, again sending from webmail)


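Both the REFUSED in the first post and the delegation mismatch Mark found in this one can be reproduced offline. The following is an added example, not code from the thread: it builds the parent-side and child-side records for the classless delegation of 212.69.164.48/28 discussed above, shows the classful name that "dig -x" actually asks for, and compares the two NS sets. Host names are the ones from the thread; everything else is constructed.

```python
import ipaddress

def rfc2317_zone_name(cidr: str) -> str:
    """Child zone name for a classless IPv4 reverse delegation, in the
    '<first-address>-<prefix-length>' form the thread uses for 212.69.164.48/28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 25 <= net.prefixlen <= 32:
        raise ValueError("classless delegation is for prefixes longer than /24")
    o = str(net.network_address).split(".")
    return f"{o[3]}-{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def parent_zone_records(cidr: str, nameservers: list[str]) -> list[str]:
    """What the ISP adds to the /24 reverse zone: NS records delegating the
    child zone, then one CNAME per address mapping the classful name that
    'dig -x' asks for onto the name inside the child zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    child = rfc2317_zone_name(cidr)
    recs = [f"{child}. IN NS {ns}." for ns in nameservers]
    for addr in net:
        recs.append(f"{addr.reverse_pointer}. IN CNAME {str(addr).split('.')[3]}.{child}.")
    return recs

def child_zone_records(cidr: str, nameservers: list[str], ptrs: dict[str, str]) -> list[str]:
    """Apex NS set plus PTRs for the child zone, with relative owner names."""
    net = ipaddress.ip_network(cidr, strict=True)
    recs = [f"@ IN NS {ns}." for ns in nameservers]
    for ip, host in sorted(ptrs.items()):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        recs.append(f"{ip.split('.')[3]} IN PTR {host}.")
    return recs

def delegation_mismatch(parent_ns: set[str], child_ns: set[str]) -> dict[str, list[str]]:
    """Compare the NS set the parent delegates to with the apex NS set the child
    serves; both lists should be empty for a clean delegation."""
    return {"only_in_child": sorted(child_ns - parent_ns),
            "only_in_parent": sorted(parent_ns - child_ns)}
```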


root and in-addr.arpa zone transfers

2009-09-08 Thread Michael Monnerie
Hello,

right now I'm using scripts to download root.zone and in-addr.arpa from 
internic.net. But this is a non-standard way; I'd prefer to directly 
slave and zone-transfer those 2 zones.
Is it possible, and can you show the BIND config for these?

Thanks a lot,

mfg zmi

Re: root and in-addr.arpa zone transfers

2009-09-10 Thread Michael Monnerie
On Wednesday 09 September 2009 Rich Goodson wrote:
> zone "." {
> zone "arpa" {
> zone "in-addr.arpa" {

Thank you Rich, and the others. Can anyone confirm that this is the way 
to do it? Or should I stay with FTP updates from the web sites? Is there an 
"officially supported" or "recommended" way to do one or the other?

mfg zmi


Re: root and in-addr.arpa zone transfers

2009-09-10 Thread Michael Monnerie
On Thursday 10 September 2009 Stephane Bortzmeyer wrote:
> > right now I'm using scripts to download root.zone and in-addr.arpa
> > from internic.net. But this is a non-standard way,
>
> But a secure way since the files on internic.net are PGP-signed.
>
> > I'd prefer to directly slave and zone-transfer those 2 zones.
>
> That's widely regarded as a bad practice.
>
> FreeBSD backed off:
> <http://lists.freebsd.org/pipermail/freebsd-stable/2007-August/036545.html>
>
> Why it is a bad idea:
> <http://lists.freebsd.org/pipermail/freebsd-stable/2007-August/036470.html>
>
> Discussion:
> <https://lists.dns-oarc.net/pipermail/dns-operations/2007-August/001891.html>

Merci beaucoup, Stephane,
that's a clear statement, so I'll keep the ftp transfers.

mfg zmi
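Keeping the download approach is only as safe as the checks done before the file reaches named. The following added example (not the poster's scripts) fetches a zone and its detached PGP signature, verifies the signature with gpg, syntax-checks the file with named-checkzone, refuses a serial that did not move forward, and only then installs it atomically. The URL layout (<url>.sig next to the zone), the install path and an already-imported signing key are assumptions.

```python
import re
import shutil
import subprocess
import tempfile
import urllib.request
from pathlib import Path

# Assumed (not from the thread): the detached PGP signature lives at <url>.sig
# and the signing key has already been imported into the local gpg keyring.
ROOT_ZONE_URL = "https://www.internic.net/domain/root.zone"

def soa_serial(zone_text: str) -> int:
    """Serial of the first SOA record (the number after MNAME and RNAME)."""
    m = re.search(r"\bSOA\s+\S+\s+\S+\s+(\d+)", zone_text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))

def is_acceptable_update(old_zone_text: str, new_zone_text: str) -> bool:
    """Accept only a zone whose serial is newer than the installed one, so a
    stale (but validly signed) copy cannot roll the zone back. Plain comparison
    is enough for the date-based serials these zones use."""
    try:
        return soa_serial(new_zone_text) > soa_serial(old_zone_text)
    except ValueError:
        return False

def fetch(url: str, dest: Path) -> None:
    with urllib.request.urlopen(url, timeout=30) as r, dest.open("wb") as f:
        shutil.copyfileobj(r, f)

def update_zone(url: str, zone_name: str, install_path: Path) -> bool:
    """Download zone and signature, verify with gpg, syntax-check with
    named-checkzone, require a newer serial, then install atomically."""
    with tempfile.TemporaryDirectory() as tmp:
        zone, sig = Path(tmp, "zone"), Path(tmp, "zone.sig")
        fetch(url, zone)
        fetch(url + ".sig", sig)
        # gpg exits non-zero for a bad or unknown signature: nothing is installed then.
        if subprocess.run(["gpg", "--verify", str(sig), str(zone)]).returncode != 0:
            return False
        if subprocess.run(["named-checkzone", zone_name, str(zone)]).returncode != 0:
            return False
        if install_path.exists() and not is_acceptable_update(
                install_path.read_text(), zone.read_text()):
            return False
        staged = install_path.with_name(install_path.name + ".new")
        shutil.copyfile(zone, staged)
        staged.replace(install_path)  # rename is atomic; run 'rndc reload' afterwards
    return True
```

A call such as update_zone(ROOT_ZONE_URL, ".", Path("/var/named/root.zone")) does the whole sequence; the same function serves in-addr.arpa with its own URL and zone name.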

Re: root and in-addr.arpa zone transfers

2009-09-10 Thread Michael Monnerie
On Friday 11 September 2009 Joseph S D Yao wrote:
> However, as M. Bortzmeyer has said, why do this?

Faster queries after a named restart. Reverse lookups faster too, good 
for the spam filters.

mfg zmi

Re: root and in-addr.arpa zone transfers

2009-09-12 Thread Michael Monnerie
On Friday 11 September 2009 Matus UHLAR - fantomas wrote:
> - it's quite useless to cache the .arpa and .in-addr.arpa since
> unlike other TLDs they are hierarchically organised so there won't
> be any valuable benefit from slaving them, only risks (see above).

Every other point is OK, but I don't understand this one. They are all 
hierarchical, what's the difference with .in-addr.arpa?

mfg zmi


Re: root and in-addr.arpa zone transfers

2009-09-14 Thread Michael Monnerie
On Monday 14 September 2009 Stephane Bortzmeyer wrote:
> > Faster queries after a named restart. Reverse lookups faster too,
> > good for the spam filters.
>
> Did you measure it or is it, like most claims "X is faster", just a
> guess?

In a normal setup, we see lots of queries to the 3rd DNS entry in 
resolv.conf for quite some time after a restart.
With local root/arpa copies, things normalise very quickly even after a 
restart.

I wouldn't recommend doing the slaving if you have to start new, but we 
already have the infrastructure/scripts running and tested, so I'll just 
keep it. We had no negative side effects so far. While it's a small 
gain, keeping it doesn't hurt, so: I won't touch the running system.

mfg zmi


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Michael Monnerie
On Monday 21 September 2009 Shi Jin wrote:
> However, it looks to me like the ISP provided DNS server
> (216.171.238.66) was not able to resolve any of the names and all the
> resolving is done at the top level servers. Is my understanding
> correct?

Try
dig @216.171.238.66 hp.com
to see if the .66 host answers to your queries. Maybe you got a wrong IP 
there? Try the same for .67, the other DNS.

mfg zmi


Re: Query Refused problem

2009-10-01 Thread Michael Monnerie
On Thursday 01 October 2009 Mark Andrews wrote:
> Specifies which hosts are allowed to get answers from the cache. If
> allow-query-cache is not set then allow-recursion is used if set,
> otherwise allow-query is used if set unless recursion no; is set in
> which case none; is used, otherwise the default (localnets; localhost;)
> is used.

Not exactly a good explanation. At least, I've read it twice and still 
don't exactly know where the "if..else..elseif..." parts connect. Maybe 
someone could change that to pseudocode with "if" statements, or make it 
several sentences so it's clear where if..unless..except..otherwise 
parts start and end.

mfg zmi


Re: Query Refused problem

2009-10-02 Thread Michael Monnerie
On Friday 02 October 2009 Mark Andrews wrote:
> if (set(allow-query-cache))
>         use allow-query-cache;
> else if (set(allow-recursion))
>         use allow-recursion;
> else if (set(allow-query))
>         use allow-query;
> else if (set(recursion no;))
>         use { none; };
> else
>         use { localnets; localhost; };

Ah, it's always an else-if. That wasn't clear to me. Easier to read C 
than English, am I a nerd? ;-)
Maybe it's because I'm not a native English speaker, but the paragraph is very 
confusing. A simpler wording would surely help others as well.

Thank you Mark!

mfg zmi
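Mark's pseudocode above, as an added example (not from the thread) written out in Python and combined with a simplified evaluation of the resulting address match list, so one can see for a given set of named.conf options whether a client gets a cache answer or REFUSED. ACLs are modelled as lists of elements; "localhost" is approximated as loopback only, where BIND means all of the host's own addresses.

```python
import ipaddress

DEFAULT_ACL = ["localnets", "localhost"]

def effective_allow_query_cache(options: dict) -> list[str]:
    """ACL that governs who may get answers from the cache, following the
    precedence Mark Andrews spelled out: the first branch that applies wins.
    `options` holds only the named.conf settings actually present, with ACLs
    as lists of elements, e.g. {"allow-query": ["any"], "recursion": "no"}."""
    if "allow-query-cache" in options:
        return options["allow-query-cache"]
    if "allow-recursion" in options:
        return options["allow-recursion"]
    if "allow-query" in options:
        return options["allow-query"]
    if options.get("recursion") == "no":
        return ["none"]
    return DEFAULT_ACL

def acl_allows(acl: list[str], client_ip: str, localnets: list[str]) -> bool:
    """Simplified address-match-list evaluation: the first matching element
    decides, a '!' prefix on that element means deny, no match means deny.
    'localhost' is approximated as loopback only (BIND uses all local addresses)."""
    ip = ipaddress.ip_address(client_ip)
    for elem in acl:
        negate, name = elem.startswith("!"), elem.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = ip.is_loopback
        elif name == "localnets":
            hit = any(ip in ipaddress.ip_network(n) for n in localnets)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

def cache_answer_allowed(options: dict, client_ip: str, localnets: list[str]) -> bool:
    """Would this client get an answer from the cache, or REFUSED?"""
    return acl_allows(effective_allow_query_cache(options), client_ip, localnets)
```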