RE: Please help with stuck BIND-9.9.11-P1 named process on rndc reconfig

2018-09-13 Thread Sunghwan Kim(IBI)
Hi BIND expert,

I could not send the following through
https://www.isc.org/bind-subscription-contact/ due to an error on the site.

--

I am a S/W engineer who is working on BIND, especially named, in Seoul/Korea.

I've got reports from a customer regarding a stuck "named" process which had
not performed any request from clients for 5 secs during "rndc reconfig",
even though it usually finishes in 700ms.

24-Aug-2018 17:36:39.073 general: info: received control channel command 'reconfig'
…..
24-Aug-2018 17:36:44.100 general: info: any newly configured zones are now loaded

My customer's DNS server has BIND-9.9.11-P1 installed.

I would like to figure out why named was stuck for even 5 secs on rndc reconfig.

I've figured out that the I/O event value (majflt/s) in the SAR information on
the server is quite high: it is 58.34, even though it usually is 0.18 ~ 0.32.

The server information is as follows:

1. OS : CentOS 7.3
2. CPU : Intel Xeon 3.5GHz 64-bit (6 CPUs, 2 cores per CPU)
3. Mem. : 8G

Would you please give me any information about it?

I know there are a lot of fixes to "rndc reconfig" in versions later than 9.9.11-P1.

Please take a look at the following logs from bind for your information:

=== general log =

24-Aug-2018 17:36:39.073 general: debug 1: received control channel command 'null'
24-Aug-2018 17:36:39.073 general: info: received control channel command 'reconfig'
24-Aug-2018 17:36:39.073 general: info: loading configuration from '/etc/named.conf'
24-Aug-2018 17:36:39.159 general: info: unable to open 'conf/named.iscdlv.key' using built-in keys
24-Aug-2018 17:36:39.168 general: info: using default UDP/IPv4 port range: [9000, 61000]
24-Aug-2018 17:36:39.169 general: info: using default UDP/IPv6 port range: [9000, 61000]
24-Aug-2018 17:36:39.190 general: info: sizing zone task pool based on 4704 zones
24-Aug-2018 17:36:39.293 general: debug 1: zone_settimer: zone xn--pi5bm5e/IN: enter
….(removed)…..
24-Aug-2018 17:36:41.809 general: debug 1: zone_settimer: zone xn--o78b/IN: enter
24-Aug-2018 17:36:41.816 general: info: dns64 reverse zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa.
….(removed)…..
24-Aug-2018 17:36:43.927 general: debug 1: now using logging configuration from config file
24-Aug-2018 17:36:43.935 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa/IN: (master) removed
24-Aug-2018 17:36:43.938 general: debug 1: load_configuration: success
24-Aug-2018 17:36:43.938 general: info: reloading configuration succeeded

It would be appreciated if you share any hints or information.

Regards,
Sunghwan.

--
IBI Co., Ltd. (www.ibi.net)
DNS Business Division / Division Head
02-2165-7234/010-3558-3736
[03909] 37 Maebongsan-ro, Mapo-gu, Seoul (Sangam-dong, DMC Industry-Academia Cooperation Center, Room 1304)

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Majid Mir
Thank you for your response.. I thought of that earlier, but when I run the
exact same configure options on an older machine of ours (for 9.10.1) it
creates the output files just fine.. That is where it confused me.

Thanks


On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews  wrote:

>
> *Think* about the arguments you are passing to configure.  You told
> configure to NOT CREATE the makefiles.
>
> Mark
>
> In message 

Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Majid Mir
I think I know why it worked on the old server.. it is because there is an
existing Makefile already.. I am going to rename the existing makefile and
see if it creates one. If it doesn't, then I will know that the no-create
option is the culprit!

Thanks for your help.. I will report back with what I find.

On Thu, Mar 17, 2016 at 5:20 PM, Majid Mir 
wrote:

>
> Thank you for your response.. I thought of that earlier, but when I run
> the exact same configure options on an older machine of ours (for 9.10.1)
> it creates the output files just fine.. That is where it confused me.
>
> Thanks
>
>
> On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews  wrote:
>
>>
>> *Think* about the arguments you are passing to configure.  You told
>> configure to NOT CREATE the makefiles.
>>
>> Mark
>>
>> In message 

Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Majid Mir
Hello all

I am trying to compile Bind 9.10.3-P4 from source and whenever I try to run
the following:

./configure --sbindir=/usr/sbin --sysconfdir=/etc/bind --with-openssl \
    --disable-openssl-version-check --no-create --no-recursion


I receive the following error after the configuration script is fully
executed:

configure: creating ./config.status
make: *** No rule to make target `clean'.  Stop.

When I try to run make, I get:

make: *** No targets specified and no makefile found.  Stop.

Yet in both the untarred source code directory as well as the make
directory within it, both have a Makefile.in file.

I have absolutely no idea how to get this configure script to create the
makefile!  I have to use those configuration options because that is what
we used on our previous installs (Bind 9.10.1)  on other servers. Also when
I run ./configure without any options, the make file is created with no
issues!  I am totally confused

All help is greatly appreciated!


Thank you!

Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Mark Andrews

--no-create is for when you want to tinker with the final results built
into config.status prior to building the Makefiles.

I've committed changes to not run "make clean" if --no-create is set.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-19 Thread Mark Andrews

*Think* about the arguments you are passing to configure.  You told configure
to NOT CREATE the makefiles.

Mark

In message 

Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!

2016-03-18 Thread Majid Mir
Mark.

I owe you a virtual beer.. You were right! Thank you

Sorry I am still a n00b at this at times

On Thu, Mar 17, 2016 at 5:24 PM, Majid Mir 
wrote:

> I think I know why it worked on the old server.. it is because there is an
> existing Makefile already.. I am going to rename the existing makefile and
> see if it creates one. If it doesn't, then I will know that the no-create
> option is the culprit!
>
> Thanks for your help.. I will report back with what I find.
>
> On Thu, Mar 17, 2016 at 5:20 PM, Majid Mir 
> wrote:
>
>>
>> Thank you for your response.. I thought of that earlier, but when I run
>> the exact same configure options on an older machine of ours (for 9.10.1)
>> it creates the output files just fine.. That is where it confused me.
>>
>> Thanks
>>
>>
>> On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews  wrote:
>>
>>>
>>> *Think* about the arguments you are passing to configure.  You told
>>> configure to NOT CREATE the makefiles.
>>>
>>> Mark
>>>
>>> In message 

Update-Policy ms-self for reverse zone dont work - please help

2011-06-24 Thread Juergen Dietl
Hello,

I am running bind 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 Server.

For my forward zones I have the following rules:

zone "cp.test" {
        type master;
        file "forward/cp.test";
        notify yes;
        update-policy {
                grant MSADC40T$@CP.TEST wildcard * ANY;
                grant Key_TEST wildcard * ANY;
                grant CP.TEST ms-self * A;
        };
};

The last line only allows Microsoft Client to set their A-Record. Works
perfect.

-

Now I try the same for the reverse zone and it should make the client only
to update its PTR-Record.

Example 1:

zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
                grant Key_TEST wildcard * ANY;   // (Test-Local-Key works)
                grant CP.TEST ms-self * PTR;     // DON'T WORK
        };
        notify yes;
};

Example 2:

zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
                grant Key_TEST wildcard * ANY;
                grant CP.TEST wildcard * PTR;    // DON'T WORK
        };
        notify yes;
};

Example 3:

zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
                grant MSADC40T$@CP.TEST ms-self * PTR;   // DON'T WORK
                grant Key_TEST wildcard * ANY;
                grant CP.TEST wildcard * PTR;            // DON'T WORK
        };
        notify yes;
};

Only solution that works is:

grant MSADC40T$@CP.TEST wildcard * PTR;

So it looks like that in reverse zone it's only possible to exactly name the
host that should update its own record and only use it with the wildcard
command.

Am I right? Or what am I doing wrong?

Thanks a lot for all your help.
Wish you a nice weekend.
cheers,
Juergen

Re: Update-Policy ms-self for reverse zone dont work - please help

2011-06-24 Thread Chris Buxton
If I'm not mistaken, ms-self means that the client's hostname must match the 
name of the record being updated. This is not the case in the reverse space, 
where record names end in in-addr.arpa instead of cp.test.

Your DHCP server should own the reverse space. I don't know how else to manage 
this.

Regards,
Chris Buxton
BlueCat Networks
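
An added illustration (not part of the reply above and not BIND's source code): a simplified Python model of how the ms-self and wildcard rule types from this thread decide an update, following the BIND 9 reference manual's description that ms-self maps a machine principal machine$@REALM to the name machine.realm. The client PC01 and the PTR owner name 17.2.0.10.in-addr.arpa are constructed sample values, and the function names are this example's own.

```python
"""Simplified model of two BIND update-policy rule types (illustration only)."""
from typing import Optional, Set


def normalize(name: str) -> str:
    """Lower-case a DNS name and make it absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."


def ms_self_owner(signer: str, realm: str) -> Optional[str]:
    """Map a Windows machine principal 'machine$@REALM' to 'machine.realm.'.

    Returns None if the signer is not a machine account in `realm`.
    """
    account, sep, signer_realm = signer.partition("@")
    if not sep or len(account) < 2 or not account.endswith("$"):
        return None
    if signer_realm.upper() != realm.upper():
        return None
    return normalize(f"{account[:-1]}.{realm}")


def type_ok(rtype: str, types: Set[str]) -> bool:
    """True if the record type is covered by the rule's type list."""
    return "ANY" in types or rtype.upper() in types


def ms_self_allows(signer, realm, update_name, rtype, types) -> bool:
    """grant REALM ms-self * TYPES;  The signer may touch only its own name."""
    owner = ms_self_owner(signer, realm)
    return (owner is not None
            and owner == normalize(update_name)
            and type_ok(rtype, types))


def wildcard_allows(identity, signer, pattern, update_name, rtype, types) -> bool:
    """grant IDENTITY wildcard PATTERN TYPES;  The identity must be the signer."""
    if identity.upper() != signer.upper():
        return False
    pat, name = normalize(pattern), normalize(update_name)
    if pat == "*.":
        name_ok = True                      # bare "*" covers every name
    elif pat.startswith("*."):
        name_ok = name.endswith("." + pat[2:])
    else:
        name_ok = pat == name
    return name_ok and type_ok(rtype, types)


CLIENT = "PC01$@CP.TEST"                # constructed sample client principal
PTR_NAME = "17.2.0.10.in-addr.arpa"     # constructed sample PTR owner name


def demo():
    """Evaluate the rules from the thread against the sample updates."""
    dc = "MSADC40T$@CP.TEST"
    return {
        "forward A, 'grant CP.TEST ms-self * A'":
            ms_self_allows(CLIENT, "CP.TEST", "pc01.cp.test", "A", {"A"}),
        "reverse PTR, 'grant CP.TEST ms-self * PTR'":
            ms_self_allows(CLIENT, "CP.TEST", PTR_NAME, "PTR", {"PTR"}),
        "reverse PTR, 'grant CP.TEST wildcard * PTR'":
            wildcard_allows("CP.TEST", CLIENT, "*", PTR_NAME, "PTR", {"PTR"}),
        "reverse PTR, 'grant MSADC40T$@CP.TEST wildcard * PTR'":
            wildcard_allows(dc, dc, "*", PTR_NAME, "PTR", {"PTR"}),
    }


if __name__ == "__main__":
    for rule, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {rule}")
```

In this model the one rule that works does not tie the signer to a record name: MSADC40T$ is allowed to change every PTR record in the zone, not only its own.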



Re: Please Help

2011-02-18 Thread Joseph S D Yao
On Thu, Feb 17, 2011 at 09:53:43AM -0500, Ryan Novosielski wrote:
> Glad to hear it was a help.
>
> Does anyone happen to know if anything changed for .gov addresses just
> last week? This problem appears to have come out of the clear blue sky
> (not that there wasn't plenty of warning) so I have to assume that
> something was just activated.


From an earlier message:

A KSK roll for the .gov zone will occur at the end of January, 2011.
This key change is necessitated by a registry operator transition:
VeriSign has been selected by the U.S. General Services Administration
(GSA) to operate the domain name registry for .gov. ...

Perhaps the new name servers are different somehow.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


RE: Please Help

2011-02-17 Thread Xiaoxu Huang
We have checked list archives and our side has increased the allowed DNS
packet size. Now we are fine to get correct answer for **.gov.

Thanks for help and Best Regards,

Xiao
2/17/2011  
  



Re: Please Help

2011-02-17 Thread Ryan Novosielski
Glad to hear it was a help.

Does anyone happen to know if anything changed for .gov addresses just
last week? This problem appears to have come out of the clear blue sky
(not that there wasn't plenty of warning) so I have to assume that
something was just activated.


-- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark

RE: Please Help

2011-02-17 Thread Lightner, Jeff
IIRC the U.S. Government last year or the year before mandated all their
sites be DNSSEC compliant by early this year.  Maybe it is just a sign
they are actually doing it.



Re: Please Help

2011-02-17 Thread Kevin Oberman
> Date: Thu, 17 Feb 2011 11:45:06 -0500
> From: Lightner, Jeff jlight...@water.com
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> IIRC the U.S. Government last year or the year before mandated all their
> sites be DNSSEC compliant by early this year.  Maybe it is just a sign
> they are actually doing it.

Yes, they are. As of the last report I have received, something over 50%
of all .gov zones are now signed with the DS records installed in the
.gov zone. Still quite a ways to go but substantial progress has been
made and people with broken firewalls are starting to notice.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751



Please Help

2011-02-16 Thread Xiaoxu Huang
From a couple of our DNS servers, we have failed to get a correct DNS answer,
like the following:

1) From server A

# nslookup
Default Server:  localhost
Address:  127.0.0.1

> www.nyc.gov
Server:  localhost
Address:  127.0.0.1

*** localhost can't find www.nyc.gov: Non-existent host/domain # nslookup

2) From server B:

# nslookup
> www.nyc.gov
;; connection timed out; no servers could be reached

3) Both servers run bind-9.7.2-P2

Can anyone help?

Thanks and Best Regards,

Xiao
2/16/2011


Re: Please Help

2011-02-16 Thread Ryan Novosielski
I asked this same question this week. Check the list archives.


-- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark

Re: Please Help

2011-02-16 Thread Torinthiel
On 02/16/11 23:24, Xiaoxu Huang wrote:
> From a couple of our DNS servers, we have failed to get a correct DNS answer,
> like the following:
>
> 1) From server A
> # nslookup
> Default Server:  localhost
> Address:  127.0.0.1
> > www.nyc.gov
> Server:  localhost
> Address:  127.0.0.1
> *** localhost can't find www.nyc.gov: Non-existent host/domain#nslookup
>
> 2) From server B:
> # nslookup
> > www.nyc.gov
> ;; connection timed out; no servers could be reached
>
> 3) Both servers run bind-9.7.2-P2

And your configuration is? (both named.conf and network topology)

Try (from both servers)
a) dig @127.0.0.1

b) ping 198.41.0.4 (which is a.root-servers.net's IP address)
Torinthiel


RE: Please Help

2011-02-16 Thread Xiaoxu Huang


1) This server is not allowed to ping. But from one network monitoring
machine on the same IP range, we can ping 198.41.0.4

2) The following is the dig result from one machine.

Thanks and Best Regards, 

Xiao
2/16/2011


# dig @127.0.0.1

; <<>> DiG 8.3 <<>> @127.0.0.1
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 7
;; QUERY SECTION:
;;  ., type = NS, class = IN

;; ANSWER SECTION:
.   5d22h41m23s IN NS  h.root-servers.net.
.   5d22h41m23s IN NS  a.root-servers.net.
.   5d22h41m23s IN NS  f.root-servers.net.
.   5d22h41m23s IN NS  m.root-servers.net.
.   5d22h41m23s IN NS  b.root-servers.net.
.   5d22h41m23s IN NS  l.root-servers.net.
.   5d22h41m23s IN NS  d.root-servers.net.
.   5d22h41m23s IN NS  e.root-servers.net.
.   5d22h41m23s IN NS  i.root-servers.net.
.   5d22h41m23s IN NS  k.root-servers.net.
.   5d22h41m23s IN NS  c.root-servers.net.
.   5d22h41m23s IN NS  j.root-servers.net.
.   5d22h41m23s IN NS  g.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 5d22h41m23s IN A  198.41.0.4
b.root-servers.net. 5d22h41m23s IN A  192.228.79.201
c.root-servers.net. 5d22h41m23s IN A  192.33.4.12
d.root-servers.net. 5d22h41m23s IN A  128.8.10.90
e.root-servers.net. 5d22h41m23s IN A  192.203.230.10
f.root-servers.net. 5d22h41m23s IN A  192.5.5.241
g.root-servers.net. 5d22h41m23s IN A  192.112.36.4

;; Total query time: 1 msec
;; FROM: www7 to SERVER: 127.0.0.1  127.0.0.1
;; WHEN: Wed Feb 16 17:59:04 2011
;; MSG SIZE  sent: 17  rcvd: 340






Re: A simple question, please help

2009-07-20 Thread Kevin Darcy

Ken Lai wrote:
> Scott Haneda wrote:
>> 99% of the time openDNS works by just pointing some agent to their ip
>> space.
>>
>> That 1% of the time, openDNS tries to make DNS responses that are
>> modified in a way to try to help you.
>>
>> Maybe this is your issue?
>>
>> Googl.com being common enough they elect to return the google.com's
>> answer instead.
>>
>> By default openDNS does not know how to return NXDOMAIN.
>>
>> This is fine for end users. This is bad for developers and servers.
>>
>> OpenDNS also does phishing URL blocking, stats, and a lot more.
>>
>> If you plan on using them as a resolver you want to be accurate, you
>> must disable these features. Simply create an account with open DNS,
>> login, add your IP, and disable all response modification settings.
>>
>> Make sure someone else's IP has not been inherited by you with
>> settings you will not want.
>>
>> I used to recommend openDNS to everyone. I found a problem in their
>> system many many months back. Despite a small effort to resolve it,
>> they have seemingly forgot about the problem.
>>
>> Maybe someone else here has recommendations to huge robust recursive
>> resolvers that do not focus on any response modification.
>
> thanks for your replies.
>
> but the forwarders in the zone entry seems not to work for me, which is
> mentioned in the manual.
>
> the opendns return a A: 119.167.247.147
>
> but the other return 121.199.253.147, which i want to use
>
> if i remove the forwarders in option, the answer is right.

Well, you haven't told us the name you're looking up, so troubleshooting
is going to be limited to mainly speculation.

I tried doing reverse lookups on both of those addresses, but it gave me
no insight into what you're actually trying to look up as a forward name.

Note that if you want named to use forwarders *exclusively* then you
should specify forward only along with each forwarders definition.
Otherwise, if the forwarders are unavailable, even if only temporarily,
named may fall back to using iterative resolution, i.e. following the
delegation hierarchy to get the answer, all of the way down from the
root zone, if necessary. This may give inconsistent answers and, if
you're relying on seeing the cooked responses from OpenDNS,
potentially undesirable lookup results.


- Kevin
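
The check described in the reply above can be automated. The following Python sketch is an added example (not from the thread and not ISC code): it scans named.conf text and reports every block that has a non-empty forwarders list but no "forward only;" statement of its own, taking "along with each forwarders definition" literally. The function name is this example's own, and the sample configuration is assembled from the fragments Ken Lai posted, with x.com and x.x.x.x left elided as in his post.

```python
import re

# Token kinds, in priority order: comments, quoted strings, punctuation, words.
TOKEN = re.compile(
    r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"/#]+|/', re.S)


def forwarders_without_forward_only(conf):
    """Return the headers of blocks that set forwarders but not 'forward only;'."""
    top = {"header": "<top>", "forwarders": False, "only": False, "stmts": 0}
    stack, words, findings = [top], [], []
    for tok in TOKEN.findall(conf):
        if tok.startswith(("/*", "//", "#")):
            continue                          # comments never count as config
        if tok == "{":
            stack.append({"header": " ".join(words), "forwarders": False,
                          "only": False, "stmts": 0})
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            block = stack.pop()
            if block["header"].split()[:1] == ["forwarders"]:
                # An empty list ("forwarders { };") switches forwarding off,
                # so only a list with at least one address is of interest.
                stack[-1]["forwarders"] = block["stmts"] > 0
            elif block["forwarders"] and not block["only"]:
                findings.append(block["header"])
            words = []
        elif tok == ";":
            if words:
                stack[-1]["stmts"] += 1
                if words == ["forward", "only"]:
                    stack[-1]["only"] = True
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return findings


# Constructed sample: the two fragments from the thread placed in one file.
AS_POSTED = '''
options {
    forwarders { 208.67.222.222; 208.67.220.220; };
};
zone "x.com" {
    type forward;
    forwarders { x.x.x.x; };    // address elided in the original post
};
'''

# The same file with "forward only;" stated next to each forwarders list.
FORWARD_ONLY = AS_POSTED.replace(
    "forwarders {", "forward only;\n    forwarders {")

if __name__ == "__main__":
    print("as posted:   ", forwarders_without_forward_only(AS_POSTED))
    print("forward only:", forwarders_without_forward_only(FORWARD_ONLY))
```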



Re: A simple question, please help

2009-07-19 Thread Scott Haneda
99% of the time openDNS works by just pointing some agent to their ip
space.

That 1% of the time, openDNS tries to make DNS responses that are
modified in a way to try to help you.

Maybe this is your issue?

Googl.com being common enough they elect to return the google.com's
answer instead.

By default openDNS does not know how to return NXDOMAIN.

This is fine for end users. This is bad for developers and servers.

OpenDNS also does phishing URL blocking, stats, and a lot more.

If you plan on using them as a resolver you want to be accurate, you
must disable these features. Simply create an account with open DNS,
login, add your IP, and disable all response modification settings.

Make sure someone else's IP has not been inherited by you with settings
you will not want.

I used to recommend openDNS to everyone. I found a problem in their
system many many months back. Despite a small effort to resolve it,
they have seemingly forgot about the problem.

Maybe someone else here has recommendations to huge robust recursive
resolvers that do not focus on any response modification.


--
Scott
Iphone says hello.

On Jul 18, 2009, at 11:52 PM, Ken Lai soulhacker...@gmail.com wrote:

> my bind server have a default option
>
> forwarders { 208.67.222.222; 208.67.220.220; };
>
> to send all query to OpenDNS.
>
> but some answer could not access, while a answer can which solved by
> another server
>
> i put these in the config:
>
> zone "x.com" {
>     type forward;
>     forwarders { x.x.x.x; };
> };
>
> but this not work.
>
> how can i make this happen.
> THANKS.
