Re: Advice on balancing web traffic using geoip ACLs

2020-02-24 Thread Ondřej Surý
As far as we know the bug is present in all current BIND releases. We are still 
investigating the issue, but things are looking positive thanks to Viktor 
Dukhovni’s help with debugging his coredump.

Ondřej
--
Ondřej Surý — ISC

> On 24 Feb 2020, at 11:08, Jukka Pakkanen  wrote:
> 
> 
> Hi, at the download page the status of 9.16 is “Current-Stable” but it also 
> states “only for testing & evaluation, *not* recommended for production”?  
> 
> Can you confirm if the DNSSEC inline-signing problem (signing just stops 
> sometimes, affects both 9.11 and 9.14 branch) is present in this or not?  I 
> read from the docs that 9.16 had some work to inline signing done, maybe 
> works better in that regard too?
> 
> Jukka
>  
> From: bind-users  On behalf of Victoria Risk
> Sent: 23 February 2020 20:35
> To: @lbutlr 
> Cc: bind-users 
> Subject: Re: Advice on balancing web traffic using geoip ACLs
>  
> …
> 9.14 has just been replaced by 9.16, released just this past week. We will 
> continue offering security releases for 9.14 for a 3-month period to support 
> migration to 9.16. Someone doing a migration today should look at 9.16 rather 
> than 9.14.
> …
>  
>  
> Victoria Risk
> Product Manager
> Internet Systems Consortium
> vi...@isc.org
>  
>  
>  
> 
>  
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Advice on balancing web traffic using geoip ACLs

2020-02-24 Thread Jukka Pakkanen
Hi, at the download page the status of 9.16 is “Current-Stable” but it also 
states “only for testing & evaluation, *not* recommended for production”?

Can you confirm if the DNSSEC inline-signing problem (signing just stops 
sometimes, affects both 9.11 and 9.14 branch) is present in this or not?  I 
read from the docs that 9.16 had some work to inline signing done, maybe works 
better in that regard too?

Jukka

From: bind-users  On behalf of Victoria Risk
Sent: 23 February 2020 20:35
To: @lbutlr 
Cc: bind-users 
Subject: Re: Advice on balancing web traffic using geoip ACLs

…
9.14 has just been replaced by 9.16, released just this past week. We will 
continue offering security releases for 9.14 for a 3-month period to support 
migration to 9.16. Someone doing a migration today should look at 9.16 rather 
than 9.14.
…


Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org






Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread Scott A. Wozny
My apologies.  I now realize how important that "extended support" P2 is after 
the version number which I should have specified in my original email.  I 
assume that since OpenVAS credentialed scanning doesn't complain about it that 
the really important patches have been backported to it which is why RHEL / 
CentOS offer it in their package stores.  When I upgrade OS in the environment 
I'm sure my BIND version will advance with it.

Thanks,

Scott



From: bind-users  on behalf of Victoria Risk 

Sent: February 23, 2020 2:35 PM
To: @lbutlr 
Cc: bind-users 
Subject: Re: Advice on balancing web traffic using geoip ACLs


On Feb 23, 2020, at 6:57 AM, @lbutlr wrote:

On 22 Feb 2020, at 18:25, Scott A. Wozny wrote:
I’m setting up hot-hot webserver clusters hosted on the west and east coasts of 
the US and would like to use Bind 9.11.4

I’d consider changing that version. While Bind 9.11 *is* still supported, it is 
EOL at the end of this year. If you really really want to run 9.11, at least 
run the latest patch level (9.11.6 should be coming really soon).

We will continue with security patches for 9.11 through the end of 2021, so 
9.11 is not a bad choice for someone who doesn’t want to migrate for a long 
time.


9.14.10 is the current stable release and 9.11.15 is the current extended 
support release. Unless you know something is broken in 9.14.10 (unlikely) that 
would be the version to look at.

9.14 has just been replaced by 9.16, released just this past week. We will 
continue offering security releases for 9.14 for a 3-month period to support 
migration to 9.16. Someone doing a migration today should look at 9.16 rather 
than 9.14.


You absolutely should not be running a bind version several years old, as 
9.11.4 is.

agreed


Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org







Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread Scott A. Wozny
Thanks for your reply.  I'm starting to really examine my motivations behind 
traffic splitting by geography.  While I definitely want to run traffic to all 
web servers at all times (outside maintenance time and down time) the user 
performance delta of geographical load balancing may not be worth the hassle 
and, more importantly, with large central caches being so popular, may not 
ACTUALLY be routing users to their closest data center, anyway.

CDN and anycast are intriguing options in the trade-off of cost for development 
effort.  Not sure if they're going to work for my situation, but I appreciate 
the suggestion.

Thanks,

Scott



From: bind-users  on behalf of Timothe Litt 

Sent: February 23, 2020 10:44 AM
To: bind-users@lists.isc.org 
Subject: Re: Advice on balancing web traffic using geoip ACLs


"Splitting traffic evenly" may not be in the interest of your clients - suppose 
their locations are skewed?


In any case, this seems like a lot of work - including committing to ongoing 
maintenance - for not much gain.


Consider setting up an anycast address - let the network do the work.  This 
will route to the server closest to the client.  You can do this with two DNS 
servers - pair each with a webserver, have the zone file select the 
corresponding webserver.  And/Or the webservers - works well for static 
content; there's a distributed DB challenge.


(It might be nice if someone with experience could write an end-to-end tutorial 
on how to do this - from obtaining a suitable address - at a reasonable cost - 
to setting up the BGP routing to the servers...)


Of course the simplest way out is to use a CDN - as this is a previously solved 
problem.  It trades money for effort, which may be worthwhile if it allows you 
to concentrate on your unique value proposition.


Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.


On 22-Feb-20 20:25, Scott A. Wozny wrote:
Greetings BIND gurus,

I’m setting up hot-hot webserver clusters hosted on the west and east coasts of 
the US and would like to use Bind 9.11.4 with the Maxmind GeoIP database to 
split the traffic about evenly between those clusters.  Most of the traffic 
will be from the US so what I would like most to do is set up my ACLs to use 
the longitude parameter in the city DB and send traffic less than X (let's say 
-85) to a zone file that prioritizes the west coast servers and those greater 
than X to the east coast servers.  However, when I look through the 9.11.4 ARM 
it doesn’t include the longitude field in the geoip available field list in 
section 7.1.  Has anyone tried this and it actually works as an undocumented 
feature or, because it’s not an “exact match” type operation, this is a 
non-starter?

If this isn’t an option at all, does anyone have any suggestions on how to get 
a reasonably close split with ACLs using the geoIP database?  My first thought 
is to do continent based assignments to west and east coast zone files for all 
the non North American IPs with country based assignments of the non-US North 
American countries and then region (which, in the US, I believe translates to 
states) based assignments within the US.   I would need to do some balancing, 
but it seems fairly straightforward.  The downside is that the list would be 
fairly long and ACLs in most software can be kind of a performance hit.

The other alternative I was considering was doing splits by time zone, but 
there are a little over 400 TZs in the MaxMind GeoLite DB last time I checked 
and that also seems like it would be a performance hit UNLESS I could use 
wildcards in the ACL to group overseas time zones.  While I’ve not seen a 
wildcard in a geoip ACL, that doesn’t necessarily mean it can’t be done so I 
was wondering if anyone was able to make that work.

Finally, I could try a hybrid of continent matches outside North America and 
then the North American timezones which seems like a reasonable compromise, but 
only if my preferred options of longitude < > isn’t available nor is 
wildcarding tz matches.  OR am I overthinking all of this and there is a simple 
answer for splitting my load that I haven’t thought of?  The documentation and 
examples available online are fairly limited so I thought I’d check with the 
people most likely to have actually done this.

Any thoughts or suggestions would be appreciated.

Thanks,

Scott


Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread Victoria Risk

> On Feb 23, 2020, at 6:57 AM, @lbutlr  wrote:
> 
> On 22 Feb 2020, at 18:25, Scott A. Wozny  wrote:
>> I’m setting up hot-hot webserver clusters hosted on the west and east coasts 
>> of the US and would like to use Bind 9.11.4
> 
> I’d consider changing that version. While Bind 9.11 *is* still supported, it 
> is EOL at the end of this year. If you really really want to run 9.11, at 
> least run the latest patch level (9.11.6 should be coming really soon).

We will continue with security patches for 9.11 through the end of 2021, so 
9.11 is not a bad choice for someone who doesn’t want to migrate for a long 
time. 

> 
> 9.14.10 is the current stable release and 9.11.15 is the current extended 
> support release. Unless you know something is broken in 9.14.10 (unlikely) 
> that would be the version to look at.

9.14 has just been replaced by 9.16, released just this past week. We will 
continue offering security releases for 9.14 for a 3-month period to support 
migration to 9.16. Someone doing a migration today should look at 9.16 rather 
than 9.14.


> You absolutely should not be running a bind version several years old, as 
> 9.11.4 is.
> 

agreed


Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org







Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread Scott A. Wozny
Thanks for the feedback.  I'm trying to avoid building from source so I'm using 
the version offered up by my distro which is presently 9.11.4-9.P2 on CentOS 
7.6.  I may end up having to change that position based upon external factors, 
but if it works, it's supported and it's in my distro's package store, I'm 
probably going to stick with it unless one of those criteria for use changes.

Thanks,

Scott


From: bind-users  on behalf of @lbutlr 

Sent: February 23, 2020 9:57 AM
To: bind-users 
Subject: Re: Advice on balancing web traffic using geoip ACLs

On 22 Feb 2020, at 18:25, Scott A. Wozny  wrote:
> I’m setting up hot-hot webserver clusters hosted on the west and east coasts 
> of the US and would like to use Bind 9.11.4

I’d consider changing that version. While Bind 9.11 *is* still supported, it is 
EOL at the end of this year. If you really really want to run 9.11, at least 
run the latest patch level (9.11.6 should be coming really soon).

9.14.10 is the current stable release and 9.11.15 is the current extended 
support release. Unless you know something is broken in 9.14.10 (unlikely) that 
would be the version to look at.


You absolutely should not be running a bind version several years old, as 
9.11.4 is.






Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread Scott A. Wozny
Thanks for your reply.  Regarding versioning, while I would like to be on the 
most current version, I don't want to build from source and that leaves me 
relying on my distro (CentOS 7.6 is where I put my stake in the ground, at 
present) package manager's version which is presently 9.11.4-9.P2.  I assume 
someone is backporting critical patches as I'm not getting complaints from a 
credentialed OpenVAS scan, but I appreciate your caution about the version I'm 
using and MaxMind GeoIP.

You also make a good point about the delta between round-robin and geoIP being 
rapidly eaten up with hassle credits, particularly considering the abstraction 
layer introduced by DNS caches decoupling user location from DNS server 
location.  I feel that the really large public DNS caches would only exacerbate 
this problem to the point that all my effort will be wasted and my time better 
spent making my site as responsive as it can be, regardless of source.  Lots to 
think about...

Much obliged,

Scott


From: bind-users  on behalf of G.W. Haywood 
via bind-users 
Sent: February 23, 2020 7:59 AM
To: bind-users@lists.isc.org 
Subject: Re: Advice on balancing web traffic using geoip ACLs

Hi there,

On Sun, 23 Feb 2020, Scott A. Wozny wrote:

> Greetings BIND gurus,

Sorry, I can't make any claim to be a BIND guru.

> ... webserver clusters hosted on the west and east coasts of the US
> and would like to use Bind 9.11.4

Hmmm.  You might want to look e.g. at all the fixes since 9.11.4 in

https://downloads.isc.org/isc/bind9/9.11.16/RELEASE-NOTES-bind-9.11.16.html

> with the Maxmind GeoIP database to split the traffic about evenly ...

especially the release notes for 9.11.15 if you're sure about MaxMind.
(After the changes in their APIs a while back cost me many weeks of
effort, and some temporary loss in functionality, I'd be very cautious
about relying on them again.  It was a completely different scenario.)

Of course even if you do look at the location of your DNS clients, it
doesn't tell you much about where _their_ clients are, nor much about
the routing of any packets that their clients might exchange with your
webservers.  In England I frequently see email from the neighbouring
town that's been routed via Austria, Finland, Japan...

Wouldn't even random routing or round-robin (basically do nothing) be
easier to implement, faster, more reliable, more (perhaps strangely)
predictable, and ... ?

https://en.wikipedia.org/wiki/Round-robin_DNS

For your use case I guess you'd really need to instrument something to
know for sure, and by then you've gone and done it anyway. :)

--

73,
Ged.


Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread Timothe Litt
"Splitting traffic evenly" may not be in the interest of your clients -
suppose their locations are skewed?


In any case, this seems like a lot of work - including committing to
ongoing maintenance - for not much gain.


Consider setting up an anycast address - let the network do the work. 
This will route to the server closest to the client.  You can do this
with two DNS servers - pair each with a webserver, have the zone file
select the corresponding webserver.  And/Or the webservers - works well
for static content; there's a distributed DB challenge.


(It might be nice if someone with experience could write an end-to-end
tutorial on how to do this - from obtaining a suitable address - at a
reasonable cost - to setting up the BGP routing to the servers...)


Of course the simplest way out is to use a CDN - as this is a previously
solved problem.  It trades money for effort, which may be worthwhile if
it allows you to concentrate on your unique value proposition.


Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 22-Feb-20 20:25, Scott A. Wozny wrote:
> Greetings BIND gurus,
>
> I’m setting up hot-hot webserver clusters hosted on the west and east
> coasts of the US and would like to use Bind 9.11.4 with the Maxmind
> GeoIP database to split the traffic about evenly between those
> clusters.  Most of the traffic will be from the US so what I would
> like most to do is set up my ACLs to use the longitude parameter in
> the city DB and send traffic less than X (let's say -85) to a zone
> file that prioritizes the west coast servers and those greater than X
> to the east coast servers.  However, when I look through the 9.11.4
> ARM it doesn’t include the longitude field in the geoip available
> field list in section 7.1.  Has anyone tried this and it actually
> works as an undocumented feature or, because it’s not an “exact match”
> type operation, this is a non-starter?
>
> If this isn’t an option at all, does anyone have any suggestions on
> how to get a reasonably close split with ACLs using the geoIP
> database?  My first thought is to do continent based assignments to
> west and east coast zone files for all the non North American IPs with
> country based assignments of the non-US North American countries and
> then region (which, in the US, I believe translates to states) based
> assignments within the US.   I would need to do some balancing, but it
> seems fairly straightforward.  The downside is that the list would be
> fairly long and ACLs in most software can be kind of a performance hit.  
>
> The other alternative I was considering was doing splits by time zone,
> but there are a little over 400 TZs in the MaxMind GeoLite DB last
> time I checked and that also seems like it would be a performance hit
> UNLESS I could use wildcards in the ACL to group overseas time zones.
>  While I’ve not seen a wildcard in a geoip ACL, that doesn’t
> necessarily mean it can’t be done so I was wondering if anyone was
> able to make that work.
>
> Finally, I could try a hybrid of continent matches outside North
> America and then the North American timezones which seems like a
> reasonable compromise, but only if my preferred options of longitude < >
> isn’t available nor is wildcarding tz matches.  OR am I overthinking
> all of this and there is a simple answer for splitting my load that I
> haven’t thought of?  The documentation and examples available online
> are fairly limited so I thought I’d check with the people most likely
> to have actually done this.
>
> Any thoughts or suggestions would be appreciated.
>
> Thanks,
>
> Scott




Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread @lbutlr via bind-users
On 23 Feb 2020, at 07:57, @lbutlr  wrote:
> (9.11.6 should be coming really soon)

9.11.16, and I appear to be behind a touch, it is already released.



Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread @lbutlr
On 22 Feb 2020, at 18:25, Scott A. Wozny  wrote:
> I’m setting up hot-hot webserver clusters hosted on the west and east coasts 
> of the US and would like to use Bind 9.11.4

I’d consider changing that version. While Bind 9.11 *is* still supported, it is 
EOL at the end of this year. If you really really want to run 9.11, at least 
run the latest patch level (9.11.6 should be coming really soon).

9.14.10 is the current stable release and 9.11.15 is the current extended 
support release. Unless you know something is broken in 9.14.10 (unlikely) that 
would be the version to look at.


You absolutely should not be running a bind version several years old, as 
9.11.4 is.






Re: Advice on balancing web traffic using geoip ACLs

2020-02-23 Thread G.W. Haywood via bind-users

Hi there,

On Sun, 23 Feb 2020, Scott A. Wozny wrote:


Greetings BIND gurus,


Sorry, I can't make any claim to be a BIND guru.


... webserver clusters hosted on the west and east coasts of the US
and would like to use Bind 9.11.4


Hmmm.  You might want to look e.g. at all the fixes since 9.11.4 in

https://downloads.isc.org/isc/bind9/9.11.16/RELEASE-NOTES-bind-9.11.16.html


with the Maxmind GeoIP database to split the traffic about evenly ...


especially the release notes for 9.11.15 if you're sure about MaxMind.
(After the changes in their APIs a while back cost me many weeks of
effort, and some temporary loss in functionality, I'd be very cautious
about relying on them again.  It was a completely different scenario.)

Of course even if you do look at the location of your DNS clients, it
doesn't tell you much about where _their_ clients are, nor much about
the routing of any packets that their clients might exchange with your
webservers.  In England I frequently see email from the neighbouring
town that's been routed via Austria, Finland, Japan...

Wouldn't even random routing or round-robin (basically do nothing) be
easier to implement, faster, more reliable, more (perhaps strangely)
predictable, and ... ?

https://en.wikipedia.org/wiki/Round-robin_DNS

For your use case I guess you'd really need to instrument something to
know for sure, and by then you've gone and done it anyway. :)

--

73,
Ged.


Advice on balancing web traffic using geoip ACLs

2020-02-22 Thread Scott A. Wozny
Greetings BIND gurus,

I’m setting up hot-hot webserver clusters hosted on the west and east coasts of 
the US and would like to use Bind 9.11.4 with the Maxmind GeoIP database to 
split the traffic about evenly between those clusters.  Most of the traffic 
will be from the US so what I would like most to do is set up my ACLs to use 
the longitude parameter in the city DB and send traffic less than X (let's say 
-85) to a zone file that prioritizes the west coast servers and those greater 
than X to the east coast servers.  However, when I look through the 9.11.4 ARM 
it doesn’t include the longitude field in the geoip available field list in 
section 7.1.  Has anyone tried this and it actually works as an undocumented 
feature or, because it’s not an “exact match” type operation, this is a 
non-starter?

If this isn’t an option at all, does anyone have any suggestions on how to get 
a reasonably close split with ACLs using the geoIP database?  My first thought 
is to do continent based assignments to west and east coast zone files for all 
the non North American IPs with country based assignments of the non-US North 
American countries and then region (which, in the US, I believe translates to 
states) based assignments within the US.   I would need to do some balancing, 
but it seems fairly straightforward.  The downside is that the list would be 
fairly long and ACLs in most software can be kind of a performance hit.

The other alternative I was considering was doing splits by time zone, but 
there are a little over 400 TZs in the MaxMind GeoLite DB last time I checked 
and that also seems like it would be a performance hit UNLESS I could use 
wildcards in the ACL to group overseas time zones.  While I’ve not seen a 
wildcard in a geoip ACL, that doesn’t necessarily mean it can’t be done so I 
was wondering if anyone was able to make that work.

Finally, I could try a hybrid of continent matches outside North America and 
then the North American timezones which seems like a reasonable compromise, but 
only if my preferred options of longitude < > isn’t available nor is 
wildcarding tz matches.  OR am I overthinking all of this and there is a simple 
answer for splitting my load that I haven’t thought of?  The documentation and 
examples available online are fairly limited so I thought I’d check with the 
people most likely to have actually done this.

Any thoughts or suggestions would be appreciated.

Thanks,

Scott
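The longitude split described in the post above cannot be written as a geoip ACL term, since longitude is not one of the fields BIND's geoip matching understands. The same MaxMind data can, however, be bucketed by longitude ahead of time and turned into an ordinary address-list ACL plus a pair of views. The script below is an added example, not code from this thread, from ISC or from MaxMind; it assumes the GeoLite2-City-Blocks-IPv4.csv column layout (one `network` prefix and a `longitude` value per row), uses the -85 threshold suggested in the post, and runs on constructed sample rows embedded in the script. Blocks with no city-level location are reported separately instead of being guessed into a cluster, and the catch-all view is emitted last because BIND selects the first view whose `match-clients` matches.

```python
import csv
import io
import ipaddress

# Constructed sample rows (not real MaxMind data) in the GeoLite2-City-Blocks
# layout; the column names are an assumption about that CSV, not from the thread.
SAMPLE_BLOCKS_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider,postal_code,latitude,longitude,accuracy_radius
198.51.100.0/25,5391959,6252001,,0,0,94105,37.7749,-122.4194,20
198.51.100.128/25,5391959,6252001,,0,0,94107,37.7620,-122.3960,20
192.0.2.0/26,4887398,6252001,,0,0,60601,41.8781,-87.6298,50
203.0.113.0/24,5128581,6252001,,0,0,10001,40.7128,-74.0060,20
192.0.2.64/26,,6252001,,0,0,,,,
"""

# Threshold from the original post: longitude < -85 goes to the west cluster.
WEST_THRESHOLD = -85.0


def classify_blocks(csv_text, threshold=WEST_THRESHOLD):
    """Split CSV rows into (west, east, unknown) lists of ip_network objects.

    Rows with an empty longitude (country-level data only, no city fix) are
    returned as 'unknown' instead of being guessed into a cluster.
    """
    west, east, unknown = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["network"], strict=False)
        lon = row.get("longitude") or ""
        if lon.strip() == "":
            unknown.append(net)
        elif float(lon) < threshold:
            west.append(net)
        else:
            east.append(net)
    return west, east, unknown


def collapse(nets):
    """Merge adjacent or overlapping prefixes (per IP version) so the ACL
    stays short; BIND evaluates ACL elements in order, so fewer elements
    means less work per query."""
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def render_acl(name, nets):
    """Render a BIND acl statement from a list of networks."""
    body = "\n".join(f"    {n};" for n in nets)
    return f'acl "{name}" {{\n{body}\n}};\n'


def render_named_conf(west_nets, zone="example.com"):
    """Render the ACL and two views.  The 'default' view is listed last on
    purpose: BIND picks the first view whose match-clients matches, so the
    catch-all (east-prioritised zone, also serving unlocated and non-US
    clients) must not shadow the west view.  Zone file names are assumed."""
    acl = render_acl("west-clients", collapse(west_nets))
    views = f"""
view "west" {{
    match-clients {{ west-clients; }};
    zone "{zone}" {{
        type master;
        file "zones/{zone}.west";
    }};
}};

view "default" {{
    match-clients {{ any; }};
    zone "{zone}" {{
        type master;
        file "zones/{zone}.east";
    }};
}};
"""
    return acl + views


if __name__ == "__main__":
    west, east, unknown = classify_blocks(SAMPLE_BLOCKS_CSV)
    print(render_named_conf(west))
    print("// unlocated blocks (fall through to default view):",
          [str(n) for n in unknown])
```

Against the real Blocks CSV, replace `SAMPLE_BLOCKS_CSV` with the file contents and regenerate the ACL each time the MaxMind data is refreshed, since a static prefix list goes stale. The caveat G.W. Haywood raises elsewhere in this thread still applies: the prefix that matches is the querying resolver's, not the end user's, so a large public resolver will pull all of its users to one cluster regardless of where they are.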