RE: Please help with stuck BIND-9.9.11-P1 named process on rndc reconfig
Hi BIND expert,

I could not send the following through https://www.isc.org/bind-subscription-contact/ due to an error on the site.

--

I am a S/W engineer who is working on BIND, especially named, in Seoul/Korea.

I've got reports from a customer regarding a stuck "named" process which had not performed any request from clients for 5 secs during "rndc reconfig", even though it used to be finished in 700ms.

  24-Aug-2018 17:36:39.073 general: info: received control channel command 'reconfig'
  …..
  24-Aug-2018 17:36:44.100 general: info: any newly configured zones are now loaded

My customer's DNS server has BIND-9.9.11-P1 installed. I would like to figure out why named was stuck for as long as 5 secs on rndc reconfig.

I've figured out that the I/O event value (majflt/s) in the SAR information on the server is quite high at 58.34, even though it usually is 0.18 ~ 0.32.

The server information is as follows:
1. OS : CentOS 7.3
2. CPU : Intel Xeon 3.5GHz 64bits (6 CPUs, 2 cores per CPU)
3. Mem. : 8G

Would you please give me any information about it? I know of a lot of fixes to "rndc reconfig" in versions later than 9.9.11-P1.

Please take a look at the following logs from bind for your information:

=== general log =
  24-Aug-2018 17:36:39.073 general: debug 1: received control channel command 'null'
  24-Aug-2018 17:36:39.073 general: info: received control channel command 'reconfig'
  24-Aug-2018 17:36:39.073 general: info: loading configuration from '/etc/named.conf'
  24-Aug-2018 17:36:39.159 general: info: unable to open 'conf/named.iscdlv.key' using built-in keys
  24-Aug-2018 17:36:39.168 general: info: using default UDP/IPv4 port range: [9000, 61000]
  24-Aug-2018 17:36:39.169 general: info: using default UDP/IPv6 port range: [9000, 61000]
  24-Aug-2018 17:36:39.190 general: info: sizing zone task pool based on 4704 zones
  24-Aug-2018 17:36:39.293 general: debug 1: zone_settimer: zone xn--pi5bm5e/IN: enter
  ….(removed)…..
  24-Aug-2018 17:36:41.809 general: debug 1: zone_settimer: zone xn--o78b/IN: enter
  24-Aug-2018 17:36:41.816 general: info: dns64 reverse zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa.
  ….(removed)…..
  24-Aug-2018 17:36:43.927 general: debug 1: now using logging configuration from config file
  24-Aug-2018 17:36:43.935 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa/IN: (master) removed
  24-Aug-2018 17:36:43.938 general: debug 1: load_configuration: success
  24-Aug-2018 17:36:43.938 general: info: reloading configuration succeeded

It would be appreciated if you share any hints or information.

Regards,
Sunghwan.

--
IBI Co., Ltd. (www.ibi.net)
DNS Business Division / Division Head
02-2165-7234/010-3558-3736
[03909] 37 Maebongsan-ro, Mapo-gu, Seoul (Sangam-dong, DMC Industry-Academic Cooperation Center, Room 1304)
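One way to see where the five seconds went, using only the timestamps in the log excerpt above. This is an added example, not part of the original message or of BIND; the phase markers and function names are assumptions chosen for this excerpt, and a gap may span lines the poster removed.

```python
import re
from datetime import datetime

# Lines copied from the message above; the poster removed the lines in between,
# so a gap between two entries can hide many elided log lines.
SAMPLE_LOG = """\
24-Aug-2018 17:36:39.073 general: info: received control channel command 'reconfig'
24-Aug-2018 17:36:39.073 general: info: loading configuration from '/etc/named.conf'
24-Aug-2018 17:36:39.190 general: info: sizing zone task pool based on 4704 zones
24-Aug-2018 17:36:39.293 general: debug 1: zone_settimer: zone xn--pi5bm5e/IN: enter
24-Aug-2018 17:36:41.809 general: debug 1: zone_settimer: zone xn--o78b/IN: enter
24-Aug-2018 17:36:41.816 general: info: dns64 reverse zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa.
24-Aug-2018 17:36:43.927 general: debug 1: now using logging configuration from config file
24-Aug-2018 17:36:43.938 general: debug 1: load_configuration: success
24-Aug-2018 17:36:43.938 general: info: reloading configuration succeeded
24-Aug-2018 17:36:44.100 general: info: any newly configured zones are now loaded
"""

# timestamp, category, severity ("info", "debug 1", ...), message
LINE_RE = re.compile(
    r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"([\w-]+): ([a-z]+(?: \d+)?): (.*)$"
)

# Hypothetical phase markers for this excerpt: (label, text that starts the phase)
PHASE_MARKERS = [
    ("reconfig received", "received control channel command 'reconfig'"),
    ("zone task pool sized", "sizing zone task pool"),
    ("dns64 reverse zone", "dns64 reverse zone"),
    ("load_configuration done", "load_configuration: success"),
]


def parse_log(text):
    """Return [(datetime, severity, message)] for every well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips blank lines and elision markers such as "(removed)"
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        entries.append((ts, m.group(3), m.group(4)))
    return entries


def seconds(start, end):
    return round((end - start).total_seconds(), 3)


def phase_durations(entries, markers=PHASE_MARKERS):
    """Seconds from each marker's first occurrence to the next marker (or the last line)."""
    starts = []
    for label, needle in markers:
        hit = next((ts for ts, _sev, msg in entries if needle in msg), None)
        if hit is not None:
            starts.append((label, hit))
    if not starts:
        return []
    starts.sort(key=lambda item: item[1])
    ends = [ts for _label, ts in starts[1:]] + [entries[-1][0]]
    return [(label, seconds(begin, end)) for (label, begin), end in zip(starts, ends)]


def largest_gaps(entries, top=2):
    """The biggest pauses between consecutive logged lines, largest first."""
    gaps = [
        (seconds(prev[0], cur[0]), prev[2], cur[2])
        for prev, cur in zip(entries, entries[1:])
    ]
    return sorted(gaps, key=lambda gap: gap[0], reverse=True)[:top]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for label, secs in phase_durations(log):
        print(f"{secs:6.3f}s  from '{label}'")
    for secs, before, after in largest_gaps(log):
        print(f"gap {secs:.3f}s between:\n    {before}\n    {after}")
```

On this excerpt the time splits between the stretch that starts at the zone task pool line (2.626 s) and the stretch that starts at the dns64 line (2.122 s); the configuration file itself is read in about 0.1 s.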
Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!
Thank you for your response.. I thought of that earlier, but when I run the exact same configure options on an older machine of ours (for 9.10.1) it creates the output files just fine.. That is where it confused me.

Thanks

On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews wrote:
>
> *Think* about the arguments you are passing to configure. You told configure
> to NOT CREATE the makefiles.
>
> Mark
>
> In message
Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!
I think I know why it worked on the old server.. it is because there is an existing Makefile already.. I am going to rename the existing makefile and see if it creates one. If it doesn't, then I will know that the no-create option is the culprit!

Thanks for your help.. I will report back with what I find.

On Thu, Mar 17, 2016 at 5:20 PM, Majid Mir wrote:
>
> Thank you for your response.. I thought of that earlier, but when I run
> the exact same configure options on an older machine of ours (for 9.10.1)
> it creates the output files just fine.. That is where it confused me.
>
> Thanks
>
> On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews wrote:
>
>> *Think* about the arguments you are passing to configure. You told configure
>> to NOT CREATE the makefiles.
>>
>> Mark
>>
>> In message
Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!
Hello all

I am trying to compile Bind 9.10.3-P4 from source and whenever I try to run the following:

  ./configure --sbindir=/usr/sbin --sysconfdir=/etc/bind --with-openssl --disable-openssl-version-check --no-create --no-recursion

I receive the following error after the configuration script is fully executed:

  configure: creating ./config.status
  make: *** No rule to make target `clean'. Stop.

When I try to run make, I get:

  make: *** No targets specified and no makefile found. Stop.

Yet in both the untarred source code directory as well as the make directory within it, both have a Makefile.in file. I have absolutely no idea how to get this configure script to create the makefile! I have to use those configuration options because that is what we used on our previous installs (Bind 9.10.1) on other servers. Also when I run ./configure without any options, the make file is created with no issues! I am totally confused.

All help is greatly appreciated!

Thank you!
Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!
--no-create is for when you want to tinker with the final results built into config.status prior to building the Makefiles.

I've committed changes to not run "make clean" if --no-create is set.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!
*Think* about the arguments you are passing to configure. You told configure to NOT CREATE the makefiles.

Mark

In message
Re: Cannot get ./configure to create Makefile for Bind 9.10.3-P4. Please help!
Mark. I owe you a virtual beer.. You were right!

Thank you

Sorry I am still a n00b at this at times

On Thu, Mar 17, 2016 at 5:24 PM, Majid Mir wrote:
> I think I know why it worked on the old server.. it is because there is an
> existing Makefile already.. I am going to rename the existing makefile and
> see if it creates one. If it doesn't, then I will know that the no-create
> option is the culprit!
>
> Thanks for your help.. I will report back with what I find.
>
> On Thu, Mar 17, 2016 at 5:20 PM, Majid Mir wrote:
>
>> Thank you for your response.. I thought of that earlier, but when I run
>> the exact same configure options on an older machine of ours (for 9.10.1)
>> it creates the output files just fine.. That is where it confused me.
>>
>> Thanks
>>
>> On Thu, Mar 17, 2016 at 5:18 PM, Mark Andrews wrote:
>>
>>> *Think* about the arguments you are passing to configure. You told configure
>>> to NOT CREATE the makefiles.
>>>
>>> Mark
>>>
>>> In message
Update-Policy ms-self for reverse zone dont work - please help
Hello,

I am running bind 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 Server.

For my forward zones I have the following rules:

zone "cp.test" {
        type master;
        file "forward/cp.test";
        notify yes;
        update-policy {
                grant MSADC40T$@CP.TEST wildcard * ANY;
                grant Key_TEST wildcard * ANY;
                grant CP.TEST ms-self * A;
        };
};

The last line only allows Microsoft clients to set their A record. Works perfectly.

Now I try the same for the reverse zone, and it should make the client only able to update its PTR record.

Example 1:

zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
                grant Key_TEST wildcard * ANY;     // (Test-Local-Key works)
                grant CP.TEST ms-self * PTR;       // DON'T WORK
        };
        notify yes;
};

Example 2:

zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
                grant Key_TEST wildcard * ANY;
                grant CP.TEST wildcard * PTR;      // DON'T WORK
        };
        notify yes;
};

Example 3:

zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
                grant MSADC40T$@CP.TEST ms-self * PTR;   // DON'T WORK
                grant Key_TEST wildcard * ANY;
                grant CP.TEST wildcard * PTR;            // DON'T WORK
        };
        notify yes;
};

The only solution that works is:

        grant MSADC40T$@CP.TEST wildcard * PTR;

So it looks like in the reverse zone it's only possible to exactly name the host that should update its own record and only use it with the wildcard command.

Am I right? Or what am I doing wrong?

Thanks a lot for all your help. Wish you a nice weekend.

cheers,
Juergen
Re: Update-Policy ms-self for reverse zone dont work - please help
If I'm not mistaken, ms-self means that the client's hostname must match the name of the record being updated. This is not the case in the reverse space, where record names end in in-addr.arpa instead of cp.test.

Your DHCP server should own the reverse space. I don't know how else to manage this.

Regards,
Chris Buxton
BlueCat Networks

On Jun 24, 2011, at 1:13 AM, Juergen Dietl wrote:
> Hello,
>
> I am running bind 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 Server.
>
> For my forward zones I have the following rules:
>
> zone "cp.test" {
>         type master;
>         file "forward/cp.test";
>         notify yes;
>         update-policy {
>                 grant MSADC40T$@CP.TEST wildcard * ANY;
>                 grant Key_TEST wildcard * ANY;
>                 grant CP.TEST ms-self * A;
>         };
> };
>
> The last line only allows Microsoft clients to set their A record. Works perfectly.
>
> Now I try the same for the reverse zone, and it should make the client only able to update its PTR record.
>
> Example 1:
>
> zone "10.in-addr.arpa" {
>         type master;
>         file "reverse/10.in-addr.arpa";
>         update-policy {
>                 grant Key_TEST wildcard * ANY;     // (Test-Local-Key works)
>                 grant CP.TEST ms-self * PTR;       // DON'T WORK
>         };
>         notify yes;
> };
>
> Example 2:
>
> zone "10.in-addr.arpa" {
>         type master;
>         file "reverse/10.in-addr.arpa";
>         update-policy {
>                 grant Key_TEST wildcard * ANY;
>                 grant CP.TEST wildcard * PTR;      // DON'T WORK
>         };
>         notify yes;
> };
>
> Example 3:
>
> zone "10.in-addr.arpa" {
>         type master;
>         file "reverse/10.in-addr.arpa";
>         update-policy {
>                 grant MSADC40T$@CP.TEST ms-self * PTR;   // DON'T WORK
>                 grant Key_TEST wildcard * ANY;
>                 grant CP.TEST wildcard * PTR;            // DON'T WORK
>         };
>         notify yes;
> };
>
> The only solution that works is:
>
>         grant MSADC40T$@CP.TEST wildcard * PTR;
>
> So it looks like in the reverse zone it's only possible to exactly name the host that should update its own record and only use it with the wildcard command.
>
> Am I right? Or what am I doing wrong?
>
> Thanks a lot for all your help. Wish you a nice weekend.
>
> cheers,
> Juergen
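A simplified model of how the grant rules quoted in this thread are matched, added here as an illustration and not taken from the thread or from BIND's source. It assumes the documented ms-self behaviour (a machine$@REALM principal may update machine.realm, with the realm given in the identity field) and exact signer matching for wildcard rules; the client PC01$ and the reverse name for 10.0.0.7 are constructed.

```python
from collections import namedtuple

# One update-policy "grant" line: identity, nametype, name, permitted record types.
Grant = namedtuple("Grant", "identity nametype name rrtypes")


def ms_self_name(signer, realm):
    """Map machine$@REALM to machine.realm; None if signer is not a machine account in realm."""
    account, _, signer_realm = signer.partition("@")
    if not account.endswith("$") or signer_realm.lower() != realm.lower():
        return None
    return (account[:-1] + "." + realm).lower()


def wildcard_covers(pattern, name):
    """Minimal wildcard test: "*" covers every name, "*.zone" covers names below zone."""
    if pattern == "*":
        return True
    return pattern.startswith("*.") and name.endswith(pattern[1:].lower())


def update_allowed(grants, signer, name, rrtype):
    """True if any grant permits signer to update (name, rrtype).

    Only grant rules are modelled, so rule order does not matter here.
    """
    name = name.rstrip(".").lower()
    for g in grants:
        if "ANY" not in g.rrtypes and rrtype not in g.rrtypes:
            continue
        if g.nametype == "ms-self":
            # identity is the realm; the record name must be the signer's own host name
            if ms_self_name(signer, g.identity) == name:
                return True
        elif g.nametype == "wildcard":
            # identity must be the signer itself
            if signer.lower() == g.identity.lower() and wildcard_covers(g.name, name):
                return True
    return False


# Rules as posted in the thread.
FORWARD = [
    Grant("MSADC40T$@CP.TEST", "wildcard", "*", ("ANY",)),
    Grant("Key_TEST", "wildcard", "*", ("ANY",)),
    Grant("CP.TEST", "ms-self", "*", ("A",)),
]
REVERSE_EXAMPLE_1 = [
    Grant("Key_TEST", "wildcard", "*", ("ANY",)),
    Grant("CP.TEST", "ms-self", "*", ("PTR",)),
]
REVERSE_EXAMPLE_2 = [
    Grant("Key_TEST", "wildcard", "*", ("ANY",)),
    Grant("CP.TEST", "wildcard", "*", ("PTR",)),
]
REVERSE_WORKING = [Grant("MSADC40T$@CP.TEST", "wildcard", "*", ("PTR",))]

# Constructed test client and its reverse name (10.0.0.7).
CLIENT = "PC01$@CP.TEST"
CLIENT_PTR = "7.0.0.10.in-addr.arpa"

if __name__ == "__main__":
    print("forward A, own name:  ", update_allowed(FORWARD, CLIENT, "pc01.cp.test", "A"))
    print("reverse, example 1:   ", update_allowed(REVERSE_EXAMPLE_1, CLIENT, CLIENT_PTR, "PTR"))
    print("reverse, example 2:   ", update_allowed(REVERSE_EXAMPLE_2, CLIENT, CLIENT_PTR, "PTR"))
    print("reverse, named signer:",
          update_allowed(REVERSE_WORKING, "MSADC40T$@CP.TEST", CLIENT_PTR, "PTR"))
```

In this model the rule that works lets MSADC40T$ change any PTR record in the zone, not only its own, and gives no other client any access.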
Re: Please Help
On Thu, Feb 17, 2011 at 09:53:43AM -0500, Ryan Novosielski wrote:
> Glad to hear it was a help. Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning) so I have to assume that something was just activated.

From an earlier message:

  A KSK roll for the .gov zone will occur at the end of January, 2011. This key change is necessitated by a registry operator transition: VeriSign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov.
  ...

Perhaps the new name servers are different somehow.

--
Joe Yao
j...@tux.org - Joseph S. D. Yao
RE: Please Help
We have checked the list archives and our side has increased the allowed DNS packet size. Now we are able to get the correct answer for **.gov.

Thanks for help and Best Regards,
Xiao 2/17/2011

-----Original Message-----
From: bind-users-bounces+xhuang=graphnet@lists.isc.org [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of Ryan Novosielski
Sent: Wednesday, February 16, 2011 5:47 PM
To: bind-users@lists.isc.org
Subject: Re: Please Help

I asked this same question this week. Check the list archives.

On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
> From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:
> 1) From server A
> # nslookup
> Default Server: localhost
> Address: 127.0.0.1
> www.nyc.gov
> Server: localhost
> Address: 127.0.0.1
> *** localhost can't find www.nyc.gov: Non-existent host/domain
> # nslookup
> 2) From server B:
> # nslookup www.nyc.gov
> ;; connection timed out; no servers could be reached
> 3) Both servers run bind-9.7.2-P2
> Can anyone help?
> Thanks and Best Regards,
> Xiao 2/16/2011

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
Re: Please Help
Glad to hear it was a help. Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning) so I have to assume that something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> We have checked the list archives and our side has increased the allowed DNS packet size. Now we are able to get the correct answer for **.gov.
>
> Thanks for help and Best Regards,
> Xiao 2/17/2011
>
> -----Original Message-----
> From: bind-users-bounces+xhuang=graphnet@lists.isc.org [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of Ryan Novosielski
> Sent: Wednesday, February 16, 2011 5:47 PM
> To: bind-users@lists.isc.org
> Subject: Re: Please Help
>
> I asked this same question this week. Check the list archives.
>
> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>> From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:
>> 1) From server A
>> # nslookup
>> Default Server: localhost
>> Address: 127.0.0.1
>> www.nyc.gov
>> Server: localhost
>> Address: 127.0.0.1
>> *** localhost can't find www.nyc.gov: Non-existent host/domain
>> # nslookup
>> 2) From server B:
>> # nslookup www.nyc.gov
>> ;; connection timed out; no servers could be reached
>> 3) Both servers run bind-9.7.2-P2
>> Can anyone help?
>> Thanks and Best Regards,
>> Xiao 2/16/2011

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
RE: Please Help
IIRC the U.S. Government last year or the year before mandated all their sites be DNSSEC compliant by early this year. Maybe it is just a sign they are actually doing it.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ryan Novosielski
Sent: Thursday, February 17, 2011 9:54 AM
To: Xiaoxu Huang
Cc: bind-users@lists.isc.org
Subject: Re: Please Help

Glad to hear it was a help. Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning) so I have to assume that something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> We have checked the list archives and our side has increased the allowed DNS packet size. Now we are able to get the correct answer for **.gov.
>
> Thanks for help and Best Regards,
> Xiao 2/17/2011
>
> -----Original Message-----
> From: bind-users-bounces+xhuang=graphnet@lists.isc.org [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of Ryan Novosielski
> Sent: Wednesday, February 16, 2011 5:47 PM
> To: bind-users@lists.isc.org
> Subject: Re: Please Help
>
> I asked this same question this week. Check the list archives.
>
> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>> From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:
>> 1) From server A
>> # nslookup
>> Default Server: localhost
>> Address: 127.0.0.1
>> www.nyc.gov
>> Server: localhost
>> Address: 127.0.0.1
>> *** localhost can't find www.nyc.gov: Non-existent host/domain
>> # nslookup
>> 2) From server B:
>> # nslookup www.nyc.gov
>> ;; connection timed out; no servers could be reached
>> 3) Both servers run bind-9.7.2-P2
>> Can anyone help?
>> Thanks and Best Regards,
>> Xiao 2/16/2011

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
Re: Please Help
> Date: Thu, 17 Feb 2011 11:45:06 -0500
> From: Lightner, Jeff jlight...@water.com
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> IIRC the U.S. Government last year or the year before mandated all their sites be DNSSEC compliant by early this year. Maybe it is just a sign they are actually doing it.

Yes, they are. As of the last report I have received, something over 50% of all .gov zones are now signed with the DS records installed in the .gov zone. Still quite a ways to go but substantial progress has been made and people with broken firewalls are starting to notice.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

> -----Original Message-----
> From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ryan Novosielski
> Sent: Thursday, February 17, 2011 9:54 AM
> To: Xiaoxu Huang
> Cc: bind-users@lists.isc.org
> Subject: Re: Please Help
>
> Glad to hear it was a help. Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning) so I have to assume that something was just activated.
>
> On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
>> We have checked the list archives and our side has increased the allowed DNS packet size. Now we are able to get the correct answer for **.gov.
>>
>> Thanks for help and Best Regards,
>> Xiao 2/17/2011
>>
>> -----Original Message-----
>> From: bind-users-bounces+xhuang=graphnet@lists.isc.org [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of Ryan Novosielski
>> Sent: Wednesday, February 16, 2011 5:47 PM
>> To: bind-users@lists.isc.org
>> Subject: Re: Please Help
>>
>> I asked this same question this week. Check the list archives.
>>
>> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>>> From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:
>>> 1) From server A
>>> # nslookup
>>> Default Server: localhost
>>> Address: 127.0.0.1
>>> www.nyc.gov
>>> Server: localhost
>>> Address: 127.0.0.1
>>> *** localhost can't find www.nyc.gov: Non-existent host/domain
>>> # nslookup
>>> 2) From server B:
>>> # nslookup www.nyc.gov
>>> ;; connection timed out; no servers could be reached
>>> 3) Both servers run bind-9.7.2-P2
>>> Can anyone help?
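The fix reported in this thread was a larger allowed DNS packet size, which matters once responses carry DNSSEC records. The added example below (not from the thread) builds a query with an EDNS0 OPT record and models the outcome of one UDP exchange; the 512-byte firewall limit and the 1200-byte answer size are assumed values, and probe() is a hypothetical helper for checking your own resolver.

```python
import socket
import struct

CLASSIC_UDP_LIMIT = 512            # RFC 1035 UDP message limit without EDNS0
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_RD, FLAG_TC = 0x0100, 0x0200  # header flag bits
DO_BIT = 0x8000                    # "DNSSEC OK" bit inside the OPT TTL field


def encode_name(name):
    """Encode a host name as length-prefixed labels ending in the root label."""
    name = name.rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if len(raw) == 0 or len(raw) > 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, msg_id=0x1234, bufsize=None, dnssec_ok=False):
    """Build a DNS query; bufsize adds an OPT record advertising that UDP size."""
    arcount = 0 if bufsize is None else 1
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if bufsize is None:
        return header + question
    # OPT pseudo-RR: root name, TYPE=41, CLASS=payload size,
    # TTL=extended rcode/version/flags, RDLEN=0
    flags = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, flags, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def inspect(msg):
    """Return (truncated, edns_bufsize or None, do_bit) for a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    bufsize, do_bit = None, False
    for _ in range(an + ns + ar):
        if off >= len(msg):                      # message cut short: stop early
            break
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            break
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            bufsize, do_bit = rclass, bool(ttl & DO_BIT)
    return bool(flags & FLAG_TC), bufsize, do_bit


def udp_outcome(query, answer_size, firewall_limit=None):
    """Simplified model of one UDP exchange for an answer of answer_size bytes."""
    _tc, bufsize, _do = inspect(query)
    advertised = max(bufsize or 0, CLASSIC_UDP_LIMIT)   # sizes below 512 count as 512
    if answer_size > advertised:
        return "truncated (TC=1), retry over TCP"
    if firewall_limit is not None and answer_size > firewall_limit:
        return "dropped in transit, query times out"
    return "answered over UDP"


def probe(server, name, bufsize=4096, timeout=3.0):
    """Hypothetical live check: (reply size, TC flag), or None if no reply arrived."""
    query = build_query(name, bufsize=bufsize, dnssec_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _addr = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return len(reply), inspect(reply)[0]


if __name__ == "__main__":
    plain = build_query("www.nyc.gov")
    edns = build_query("www.nyc.gov", bufsize=4096, dnssec_ok=True)
    print("no EDNS0:                ", udp_outcome(plain, 1200))
    print("EDNS0, 512-byte firewall:", udp_outcome(edns, 1200, 512))
    print("EDNS0, no size filter:   ", udp_outcome(edns, 1200))
```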
Please Help
From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:

1) From server A

  # nslookup
  Default Server: localhost
  Address: 127.0.0.1
  www.nyc.gov
  Server: localhost
  Address: 127.0.0.1
  *** localhost can't find www.nyc.gov: Non-existent host/domain
  # nslookup

2) From server B:

  # nslookup www.nyc.gov
  ;; connection timed out; no servers could be reached

3) Both servers run bind-9.7.2-P2

Can anyone help?

Thanks and Best Regards,
Xiao 2/16/2011
Re: Please Help
I asked this same question this week. Check the list archives.

On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
> From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:
> 1) From server A
> # nslookup
> Default Server: localhost
> Address: 127.0.0.1
> www.nyc.gov
> Server: localhost
> Address: 127.0.0.1
> *** localhost can't find www.nyc.gov: Non-existent host/domain
> # nslookup
> 2) From server B:
> # nslookup www.nyc.gov
> ;; connection timed out; no servers could be reached
> 3) Both servers run bind-9.7.2-P2
> Can anyone help?
> Thanks and Best Regards,
> Xiao 2/16/2011

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
Re: Please Help
On 02/16/11 23:24, Xiaoxu Huang wrote:
> From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:
> 1) From server A
> # nslookup
> Default Server: localhost
> Address: 127.0.0.1
> www.nyc.gov
> Server: localhost
> Address: 127.0.0.1
> *** localhost can't find www.nyc.gov: Non-existent host/domain
> # nslookup
> 2) From server B:
> # nslookup www.nyc.gov
> ;; connection timed out; no servers could be reached
> 3) Both servers run bind-9.7.2-P2

And your configuration is? (both named.conf and network topology)

Try (from both servers)
a) dig @127.0.0.1
b) ping 198.41.0.4 (which is a.root-servers.net's IP address)

Torinthiel
RE: Please Help
1) This server is not allowed to ping. But from one network monitoring machine on the same IP range, we can ping 198.41.0.4

2) The following is the dig result from one machine.

Thanks and Best Regards,
Xiao 2/16/2011

# dig @127.0.0.1

; DiG 8.3 @127.0.0.1
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 7
;; QUERY SECTION:
;; ., type = NS, class = IN

;; ANSWER SECTION:
. 5d22h41m23s IN NS h.root-servers.net.
. 5d22h41m23s IN NS a.root-servers.net.
. 5d22h41m23s IN NS f.root-servers.net.
. 5d22h41m23s IN NS m.root-servers.net.
. 5d22h41m23s IN NS b.root-servers.net.
. 5d22h41m23s IN NS l.root-servers.net.
. 5d22h41m23s IN NS d.root-servers.net.
. 5d22h41m23s IN NS e.root-servers.net.
. 5d22h41m23s IN NS i.root-servers.net.
. 5d22h41m23s IN NS k.root-servers.net.
. 5d22h41m23s IN NS c.root-servers.net.
. 5d22h41m23s IN NS j.root-servers.net.
. 5d22h41m23s IN NS g.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 5d22h41m23s IN A 198.41.0.4
b.root-servers.net. 5d22h41m23s IN A 192.228.79.201
c.root-servers.net. 5d22h41m23s IN A 192.33.4.12
d.root-servers.net. 5d22h41m23s IN A 128.8.10.90
e.root-servers.net. 5d22h41m23s IN A 192.203.230.10
f.root-servers.net. 5d22h41m23s IN A 192.5.5.241
g.root-servers.net. 5d22h41m23s IN A 192.112.36.4

;; Total query time: 1 msec
;; FROM: www7 to SERVER: 127.0.0.1 127.0.0.1
;; WHEN: Wed Feb 16 17:59:04 2011
;; MSG SIZE sent: 17 rcvd: 340

-----Original Message-----
From: bind-users-bounces+xhuang=graphnet@lists.isc.org [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of Torinthiel
Sent: Wednesday, February 16, 2011 5:47 PM
To: bind-users@lists.isc.org
Subject: Re: Please Help

On 02/16/11 23:24, Xiaoxu Huang wrote:
> From a couple of our DNS servers, we have failed to get a correct DNS answer, as follows:
> 1) From server A
> # nslookup
> Default Server: localhost
> Address: 127.0.0.1
> www.nyc.gov
> Server: localhost
> Address: 127.0.0.1
> *** localhost can't find www.nyc.gov: Non-existent host/domain
> # nslookup
> 2) From server B:
> # nslookup www.nyc.gov
> ;; connection timed out; no servers could be reached
> 3) Both servers run bind-9.7.2-P2

And your configuration is? (both named.conf and network topology)

Try (from both servers)
a) dig @127.0.0.1
b) ping 198.41.0.4 (which is a.root-servers.net's IP address)

Torinthiel
Re: A simple question, please help
Ken Lai wrote:
> Scott Haneda wrote:
>> 99% of the time openDNS works by just pointing some agent to their ip space. That 1% of the time, openDNS tries to make DNS responses that are modified in a way to try to help you. Maybe this is your issue? Googl.com being common enough they elect to return the google.com's answer instead.
>>
>> By default openDNS does not know how to return NXDOMAIN. This is fine for end users. This is bad for developers and servers. OpenDNS also does phishing URL blocking, stats, and a lot more. If you plan on using them as a resolver you want to be accurate, you must disable these features.
>>
>> Simply create an account with open DNS, login, add your IP, and disable all response modification settings. Make sure someone else's IP has not been inherited by you with settings you will not want.
>>
>> I used to recommend openDNS to everyone. I found a problem in their system many many months back. Despite a small effort to resolve it, they have seemingly forgotten about the problem. Maybe someone else here has recommendations for huge robust recursive resolvers that do not focus on any response modification.
>
> thanks for your replies.
> but the forwarders in the zone entry seems not to work for me, which is mentioned in the manual.
> the opendns return a A: 119.167.247.147
> but the other return 121.199.253.147, which i want to use
> if i remove the forwarders in option, the answer is right.

Well, you haven't told us the name you're looking up, so troubleshooting is going to be limited to mainly speculation. I tried doing reverse lookups on both of those addresses, but it gave me no insight into what you're actually trying to look up as a forward name.

Note that if you want named to use forwarders *exclusively* then you should specify forward only along with each forwarders definition. Otherwise, if the forwarders are unavailable, even if only temporarily, named may fall back to using iterative resolution, i.e. following the delegation hierarchy to get the answer, all of the way down from the root zone, if necessary. This may give inconsistent answers and, if you're relying on seeing the cooked responses from OpenDNS, potentially undesirable lookup results.

- Kevin
Re: A simple question, please help
99% of the time openDNS works by just pointing some agent to their ip space. That 1% of the time, openDNS tries to make DNS responses that are modified in a way to try to help you. Maybe this is your issue? Googl.com being common enough they elect to return the google.com's answer instead.

By default openDNS does not know how to return NXDOMAIN. This is fine for end users. This is bad for developers and servers. OpenDNS also does phishing URL blocking, stats, and a lot more. If you plan on using them as a resolver you want to be accurate, you must disable these features.

Simply create an account with open DNS, login, add your IP, and disable all response modification settings. Make sure someone else's IP has not been inherited by you with settings you will not want.

I used to recommend openDNS to everyone. I found a problem in their system many many months back. Despite a small effort to resolve it, they have seemingly forgotten about the problem. Maybe someone else here has recommendations for huge robust recursive resolvers that do not focus on any response modification.

--
Scott
Iphone says hello.

On Jul 18, 2009, at 11:52 PM, Ken Lai soulhacker...@gmail.com wrote:
> my bind server have a default option
>
>   forwarders { 208.67.222.222; 208.67.220.220; };
>
> to send all query to OpenDNS.
> but some answer could not access, while a answer can which solved by another server
> i put these in the config:
>
>   zone x.com {
>           type forward;
>           forwarders { x.x.x.x; };
>   };
>
> but this not work.
> how can i make this happen.
> THANKS.