Re: Server mostly caching-only + acache

2008-12-23 Thread yata
On 22 Gru, 23:51, JINMEI Tatuya / 神明達哉  wrote:
> At Mon, 22 Dec 2008 01:47:37 -0800 (PST),
>
> y...@irc.pl wrote:
> > I am thinking of changing to version 9.4.3 because of the interesting
> > feature "acache".
> > I would like to speed up response time for my clients.
>
> > My DNS server is mostly (95%) caching-only:
> > NLWP USERNAME   SWAP   RSS MEMORY      TIME  CPU
> >    7 named     3294M 3299M    21% 336:00:11  16%
>
> > Do you think that after "acache-enable yes" bind will create an
> > "internal short-cut" and response time for clients will be reduced?
>
> No, "acache" is specifically intended to be used for authoritative
> servers.  It doesn't improve anything for a caching (only) server.
Just to be sure.
When my server starts working and has clear memory and, for example, a
client needs to go to www.google.com, my server asks the root servers.
After following the tree, the server gets the answer and sends it to
the client. Can bind support an internal short-cut (hash table) to
speed up this request for another client who asks about www.google.com,
or can I only shorten response time when I am an authoritative server
and have a lot of domains using acache?

> But if your server is a multi-processor/core machine, 9.4.x (and
> onward) is worth trying with threads enabled.  Its better support for
> threads will improve response time compared with 9.3.
Thank you for the information, I will test 9.4.x.

Regards,
y.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: logs

2008-12-23 Thread Chris Buxton

On Dec 20, 2008, at 11:59 PM, billious wrote:

Chris Buxton says what?:

/etc/default/sysklogd


Would that not be:
/etc/default/syslogd ?


Sorry, you are correct. My mistake.

Chris Buxton
Professional Services
Men & Mice



Using bind 9.5.0 with Active directory

2008-12-23 Thread Nico De Ranter

Hi,

I need to create a new Windows 2008 domain in a network with an existing
Bind setup.  I know I need dynamic DNS for the Windows domain. I also
know I need GSS support to get secure dynamic updates and this is
supported in Bind 9.5.0. However I can't figure out how to configure
everything properly (how do I generate the gss credentials? what if I
don't have a Kerberos server yet?).  Is there anybody who can point me
to some documentation on how to bootstrap a Windows domain installation
in a bind environment?  I'm not interested in running Bind on Windows, I
can find plenty of info about that but my binds are running just fine on
linux. The main issue is getting secure dynamic updates working.

Thanks in advance,

Nico

-- 
 With kind regards,

Nico De Ranter
Senior System Administrator

Sony Techsoft Centre
The Corporate Village · Da Vincilaan 7-D1 · B-1935 Zaventem · Belgium
 
Phone: +32 (0)2 700 8641
Fax: +32 (0)2 700 8622
E-mail: nico.deran...@eu.sony.com
Internet: www.sony-europe.com
 
Sony Technology and Software Centre Europe
A division of Sony Service Centre (Europe) N.V.
Registered office: Technologielaan 7 · B-1840 Londerzeel · Belgium
VAT BE 0413.825.160 · RPR Brussels
Fortis Bank Londerzeel 293-0376800-10 GEBA-BE-BB


dynamic updates

2008-12-23 Thread wes
Would a dynamically created A record override an explicitly established one
in the zone file?

If so, can I deny dynamic updates for specific hostnames? I would like to
allow my Windows computers to dynamically update their names, but I don't
want to have a situation where a computer named "www" does a dynamic update
and updates www.[domain].com and breaks my website.

thanks,
-wes

Re: dynamic updates

2008-12-23 Thread Chris Thompson

On Dec 23 2008, wes wrote:


Would a dynamically created A record override an explicitly established one
in the zone file?


After the event, there's no difference between a record that was dynamically
created and one that was "explicitly established", by which I take you to
mean one created by editing the zone's master file.

But one A record doesn't "override" another with the same name, anyway.
If a dynamic update just adds a new A record, both would coexist. The
old one could be dynamically deleted in the same update transaction.


If so, can I deny dynamic updates for specific hostnames? I would like to
allow my Windows computers to dynamically update their names, but I don't
want to have a situation where a computer named "www" does a dynamic update
and updates www.[domain].com and breaks my website.


See "update-policy" in the ARM, especially the "self" rule and its variants.

--
Chris Thompson
Email: c...@cam.ac.uk

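As an added illustration (not from the thread and not BIND's own code), here is a small Python model of the update-policy matching the answer above points to: rules are tried in order, the first match decides, and a "deny ... name www" rule placed ahead of an "ms-self" grant keeps a machine that calls itself "www" from touching the web record. The zone example.com and the realm EXAMPLE.COM are assumed placeholders, and the ms-self mapping (machine$@REALM to machine.realm) is modelled from the ARM's description rather than taken from named's source.

```python
"""Model of how BIND's update-policy decides a dynamic update.

Added illustration, not BIND source.  Semantics follow the ARM: rules are
tried in order, the first rule whose identity, name and RR type all match
decides (grant or deny), and an update that matches no rule is refused.
Only the 'name', 'subdomain', 'self' and 'ms-self' nametypes are modelled.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# A rule with no explicit type list never matches these (per the ARM), and
# NSEC/NSEC3 can never be updated even with "ANY".
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}
NEVER_UPDATABLE = {"NSEC", "NSEC3"}
NAMETYPES = {"name", "subdomain", "self", "ms-self"}


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _wildcard(pattern: str, name: str) -> bool:
    """'*' matches any identity, '*.suffix' any name below suffix, else exact."""
    pattern, name = _norm(pattern), _norm(name)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return pattern == name


@dataclass(frozen=True)
class Rule:
    action: str      # "grant" or "deny"
    identity: str    # TSIG key name / principal pattern, or the realm for ms-self
    nametype: str    # one of NAMETYPES
    name: str        # target pattern; ignored for self and ms-self
    types: FrozenSet[str] = frozenset()   # empty = everything except IMPLICIT_EXCLUDED


def _ms_self_name(principal: str, realm: str) -> Optional[str]:
    """Map a Windows machine principal 'host$@REALM' to 'host.realm' (assumed mapping)."""
    user, _, preal = principal.partition("@")
    if not user.endswith("$") or _norm(preal) != _norm(realm):
        return None
    return _norm(user[:-1] + "." + preal)


def _type_ok(rule: Rule, rrtype: str) -> bool:
    rrtype = rrtype.upper()
    if not rule.types:
        return rrtype not in IMPLICIT_EXCLUDED
    if "ANY" in rule.types:
        return rrtype not in NEVER_UPDATABLE
    return rrtype in rule.types


def rule_matches(rule: Rule, identity: str, target: str, rrtype: str) -> bool:
    if rule.nametype not in NAMETYPES:
        raise ValueError(f"unsupported nametype {rule.nametype!r}")
    target = _norm(target)
    if rule.nametype == "ms-self":
        if _ms_self_name(identity, rule.identity) != target:
            return False
    else:
        if not _wildcard(rule.identity, identity):
            return False
        if rule.nametype == "self" and target != _norm(identity):
            return False
        if rule.nametype == "name" and target != _norm(rule.name):
            return False
        if rule.nametype == "subdomain":
            base = _norm(rule.name)
            if target != base and not target.endswith("." + base):
                return False
    return _type_ok(rule, rrtype)


def is_update_allowed(policy: List[Rule], identity: str, target: str, rrtype: str) -> bool:
    """First matching rule wins; an update that matches no rule is refused."""
    for rule in policy:
        if rule_matches(rule, identity, target, rrtype):
            return rule.action == "grant"
    return False


# Constructed policy for the question in the thread (example.com is a placeholder):
# protect the web record first, then let each Windows machine update only its own name.
WES_POLICY = [
    Rule("deny", "*", "name", "www.example.com"),
    Rule("grant", "EXAMPLE.COM", "ms-self", "example.com", frozenset({"A", "AAAA"})),
]
```

Dropping the deny rule (WES_POLICY[1:]) shows the failure mode the question worries about: a machine account named www$ would then be granted an update of www.example.com.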


Re: dnsperf and BIND memory consumption

2008-12-23 Thread Doug Barton

On Mon, 22 Dec 2008, ivan jr sy wrote:


I have confirmed that the ARCH=x86_64 trick resolved the issues with my 
configuration. I have tested this with an authoritative and recursive 
dns/bind95 port with modified Makefile.

I have not fully tested the acl.c and iptable.c since the patch suits my needs.

Thanks!


Ok, thanks to all. Since 9.5.1 should be out soon, I'll test the port with 
that version and make any appropriate changes.


Doug

--

If you're never wrong, you're not trying hard enough


Re: Server mostly caching-only + acache

2008-12-23 Thread JINMEI Tatuya / 神明達哉
At Tue, 23 Dec 2008 01:34:35 -0800 (PST),
y...@irc.pl wrote:

> > No, "acache" is specifically intended to be used for authoritative
> > servers.  It doesn't improve anything for a caching (only) server.
> Just to be sure.
> When my server starts working and has clear memory and, for example, a
> client needs to go to www.google.com, my server asks the root servers.
> After following the tree, the server gets the answer and sends it to
> the client. Can bind support an internal short-cut (hash table) to
> speed up this request for another client who asks about www.google.com,
> or can I only shorten response time when I am an authoritative server
> and have a lot of domains using acache?

It's the latter (whether you "have a lot of domains" doesn't matter
wrt acache though).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


BIND 9.6.0 is now available.

2008-12-23 Thread Mark Andrews
BIND 9.6.0 is now available.

BIND 9.6.0 is a development release of BIND 9.

Bugs should be reported to bind9-b...@isc.org.

BIND 9.6 has a number of new features over 9.5, including:

Full NSEC3 support

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

BIND 9.6.0 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.6.0/bind-9.6.0.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.6.0/bind-9.6.0.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6.0/bind-9.6.0.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0/bind-9.6.0.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.zip
ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.0/BIND9.6.0.debug.zip.sha512.asc

Changes since BIND 9.6.0a1

--- 9.6.0 released ---

2520.   [bug]   Update xml statistics version number to 2.0 as change
#2388 made the schema incompatible to the previous
version. [RT #19080]

--- 9.6.0rc2 released ---

2515.   [port]  win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
[RT #19063]

2513.   [bug]   Fix windows cli build. [RT #19062]

2510.   [bug]   "dig +sigchase" could trigger REQUIRE failures.
[RT #19033]

2509.   [bug]   Specifying a fixed query source port was broken.
[RT #19051]

2504.   [bug]   Address race condition in the socket code. [RT #18899]

--- 9.6.0rc1 released ---

2498.   [bug]   Removed a bogus function argument used with
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
warning or crash named with the debug 1 level
of logging. [RT #18917]

2497.   [bug]   Don't add RRSIG bit to NSEC3 bit map for insecure
delegation.

2496.   [bug]   Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]   Tighten RRSIG checks. [RT #18795]

2494.   [bug]   isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
installed. [RT #18826]

2493.   [bug]   The linux capabilities code was not correctly cleaning
up after itself. [RT #18767]

2492.   [func]  Rndc status now reports the number of cpus discovered
and the number of worker threads when running
multi-threaded. [RT #18273]

2491.   [func]  Attempt to re-use a local port if we are already using
the port. [RT #18548]

2490.   [port]  aix: work around a kernel bug where IPV6_RECVPKTINFO
is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]  solaris: Workaround Solaris's kernel bug about
/dev/poll:
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
this workaround. [RT #18870]

2488.   [func]  Added a tool, dnssec-dsfromkey, to generate DS records
from keyset and .key files. [RT #18694]

2487.   [bug]   Give TCP connections longer to complete. [RT #18675]

2486.   [func]  The default locations for named.pid and lwresd.pid
are now /var/run/named/named.pid and
/var/run/lwresd/lwresd.pid respectively.

This allows the owner of the containing directory
to be set, for "named -u" support, and allows there
to be a permanent symbolic link in the path, for
"named -t" support.  [RT #18306]

2485.   [bug]   Change update's handling of obscured RRSIG
records.  Not all orphaned DS records were being
removed. [RT #18828]

2484.   [bug]   It was possible to trigger a REQUIRE failure when
adding NSEC3 proofs to the response in
query_addwildcardproof().  [RT #18828]

2483.   [port]  win32: chroot() is not supported. [RT #18805]

2482.   [port]

BIND 9.5.1 is now available.

2008-12-23 Thread Mark Andrews

BIND 9.5.1 is now available.

BIND 9.5.1 is a maintenance release for BIND 9.5.

BIND 9.5.1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.1/bind-9.5.1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.1/bind-9.5.1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1/bind-9.5.1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1/bind-9.5.1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at 

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.zip
ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1/BIND9.5.1.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.1 released ---

2520.   [bug]   Update xml statistics version number to 2.0 as change
#2388 made the schema incompatible to the previous
version. [RT #19080]

--- 9.5.1rc2 released ---

2513.   [bug]   Fix windows cli build. [RT #19062]

2510.   [bug]   "dig +sigchase" could trigger REQUIRE failures.
[RT #19033]

2509.   [bug]   Specifying a fixed query source port was broken.
[RT #19051]

2504.   [bug]   Address race condition in the socket code. [RT #18899]

--- 9.5.1rc1 released ---

2498.   [bug]   Removed a bogus function argument used with
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
warning or crash named with the debug 1 level
of logging. [RT #18917]

2496.   [bug]   Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]   Tighten RRSIG checks. [RT #18795]

2494.   [bug]   isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
installed. [RT #18826]

2493.   [bug]   The linux capabilities code was not correctly cleaning
up after itself. [RT #18767]

2490.   [port]  aix: work around a kernel bug where IPV6_RECVPKTINFO
is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]  solaris: Workaround Solaris's kernel bug about
/dev/poll:
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
this workaround. [RT #18870]

2487.   [bug]   Give TCP connections longer to complete. [RT #18675]

2485.   [bug]   Change update's handling of obscured RRSIG
records.  Not all orphaned DS records were being
removed. [RT #18828]

2482.   [port]  libxml2: support versions 2.7.* in addition
to 2.6.*. [RT #18806]

2479.   [bug]   xfrout:covers was not properly initialized. [RT #18801]

2478.   [bug]   'addresses' could be used uninitialized in
configure_forward(). [RT #18800]

2476.   [doc]   ARM: improve documentation for max-journal-size and
ixfr-from-differences. [RT #15909] [RT #18541]

--- 9.5.1b3 released ---

2475.   [bug]   LRU cache cleanup under overmem condition could purge
particular entries more aggressively. [RT #17628]

2474.   [bug]   ACL structures could be allocated with insufficient
space, causing an array overrun. [RT #18765]

2473.   [port]  linux: raise the limit on open files to the possible
maximum value before spawning threads; 'files'
specified in named.conf doesn't seem to work with
threads as expected. [RT #18784]

2472.   [port]  linux: check the number of available cpu's before
calling chroot as it depends on "/proc". [RT #16923]

2471.   [bug]   named-checkzone was not reporting missing mandatory
glue when sibling checks were disabled. [RT #18768]

2470.   [bug]   Elements of the isc_radix_node_t could be incorrectly
overwritten.  [RT# 18719]

2469.   [port]  solaris: Work around Solaris's select() limitations.
[RT #18769]

2468.   [bug]   Resolver could try unreachable servers mu

Re: Using bind 9.5.0 with Active directory

2008-12-23 Thread Rob Austein
Four things must be done to allow Bind 9 to support GSS-TKEY:

* kinit must work on the host which will run BIND 9. This means
  krb5.conf must be properly configured with the realm and
  locations of the Kerberos servers.
* Bind 9 must be compiled with GSSAPI enabled.
* Bind 9 must have a principal and a keytab.
* named.conf needs to be told the name of the principal. 

options {
   ...
   tkey-gssapi-credential "DNS/foo.example.org";
   ...
};

Extracting a Kerberos keytab from Active Directory is a two-step
process: first you create a user account in Active Directory, then you
map it to a Kerberos principal name and extract the keytab.  Windows
usernames don't use the same naming conventions as Kerberos principals
(the allowed set of Windows usernames is a subset of the allowed
Kerberos principal names, and a service principal name like
DNS/foo.example.org is not a legal Windows username).

Go into Active Directory's new user wizard and create a new user
account.  It's probably best to put accounts like this into a separate
organization unit (OU) within the active directory tree.  This could
be called unix or bind9 or anything you wish to help organize bind 9
server credentials and users.  The username can be any syntactically
legal thing you like, but when creating, eg, the DNS service principal
for host foo.example.org, it's probably best to use a username like
foo to avoid conflicts.

Select "password never expires" and "user cannot change password" in
the next screen of the wizard, to make sure that the account's
password can't change (which would invalidate the keytab).

The second step requires a command line tool, ktpass.  ktpass is
supplied on the Windows installation media but is not installed by
default.

ktpass accepts the usual /? option to display a help screen, but for
the task at hand you'll want to do something like this:

C:\> ktpass -out foo.keytab -princ DNS/foo.example@example.org -pass * -mapuser f...@example.org

where

* foo.keytab is the filename for the new keytab
* DNS/foo.example@example.org is the principal name
* f...@example.org is the Active Directory user account 

If all goes well, ktpass will tell you what it's doing, prompt you for
the password you set when creating the user account, and will write
out the keytab, which you can then install in the usual place on the
machine to run Bind 9.


Re: Using bind 9.5.0 with Active directory

2008-12-23 Thread Danny Mayer
Rob Austein wrote:
> Four things must be done to allow Bind 9 to support GSS-TKEY:
> 
> * kinit must work on the host which will run BIND 9. This means
>   krb5.conf must be properly configured with the realm and
>   locations of the Kerberos servers.
> * Bind 9 must be compiled with GSSAPI enabled.
> * Bind 9 must have a principal and a keytab.
> * named.conf needs to be told the name of the principal. 
> 
> options {
>...
>tkey-gssapi-credential "DNS/foo.example.org";
>...
> };
> 
> Extracting a Kerberos keytab from Active Directory is a two-step
> process: first you create a user account in Active Directory, then you
> map it to a Kerberos principal name and extract the keytab.  Windows
> usernames don't use the same naming conventions as Kerberos principals
> (the allowed set of Windows usernames is a subset of the allowed
> Kerberos principal names, and a service principal name like
> DNS/foo.example.org is not a legal Windows username).
> 
> Go into Active Directory's new user wizard and create a new user
> account.  It's probably best to put accounts like this into a separate
> organization unit (OU) within the active directory tree.  This could
> be called unix or bind9 or anything you wish to help organize bind 9
> server credentials and users.  The username can be any syntactically
> legal thing you like, but when creating, eg, the DNS service principal
> for host foo.example.org, it's probably best to use a username like
> foo to avoid conflicts.
> 
> Select "password never expires" and "user cannot change password" in
> the next screen of the wizard, to make sure that the account's
> password can't change (which would invalidate the keytab).
> 
> The second step requires a command line tool, ktpass.  ktpass is
> supplied on the Windows installation media but is not installed by
> default.
> 
> ktpass accepts the usual /? option to display a help screen, but for
> the task at hand you'll want to do something like this:
> 
> C:\> ktpass -out foo.keytab -princ DNS/foo.example@example.org -pass * -mapuser f...@example.org
> 
> where
> 
> * foo.keytab is the filename for the new keytab
> * DNS/foo.example@example.org is the principal name
> * f...@example.org is the Active Directory user account 
> 
> If all goes well, ktpass will tell you what it's doing, prompt you for
> the password you set when creating the user account, and will write
> out the keytab, which you can then install in the usual place on the
> machine to run Bind 9.

The one thing that you missed out is that you need to be logged in as a
Domain administrator in order to do all this otherwise ktpass will not
work (and you cannot create the user account in the Active Directory).

Danny


General performance

2008-12-23 Thread Scott Haneda
Hello, I am working with a client of mine, who jumped right into
developing a backend system for managing his arsenal of sites.  I am
not entirely sure what he is up to, but there is potential to have to
add in 50,000 zones.

From what I can gather, all the zones are the same, they all have 2 A
records, pointing to the same IP address.

First, if I learn it is in fact true that all 50K zones will be
identical, is there any reason to make 50K zone files? Is it ok to
point different domains to the same zone file?

If not, it is not a huge deal, just a little more management to clean
up additions and deletions and such.

What type of hardware am I going to need CPU wise to deal with this
many domains?  Currently, I have been managing cases in which a few
thousand seem to be no big deal, on minimal hardware, something like a
Mac Mini at times.

Does upping the qty of domains and zones a few orders of magnitude
cause any issues?  Or does it all come back to how many lookups per
second are happening?

There is no recursion on these servers, they are just serving out zone
data, no clients connect to these machines.


Thanks
--
Scott



Re: General performance

2008-12-23 Thread Dawn Connelly
You can make a single generic file and reference that one file repeatedly in
the named.conf in each zone definition. I do that frequently for private IP
address space. But keep in mind that if there are any errors in the file,
you lose EVERYTHING. You can also consider using "INCLUDE" statements if
you wanted. You can create a single file that all of the individual zone
files reference for data. You still have the upfront expense of creating
individual zone files for each domain, but it does give you the flexibility
to create unique records for any given domain without it populating in all
domains. Just a thought.

The number of zones is only really going to affect your performance when the
named.conf file has to be read in anew. It has to load each zone
individually.  The bigger concern you are going to have regarding what kind
of hardware you want to get is going to be based on the number of queries
the machine is going to have to answer at any one time. I don't have any
hard and fast formulas for calculating that out but I'm sure there are others
on this list that do. Hopefully someone will cough one up. I wouldn't mind
seeing that myself. :)

On Tue, Dec 23, 2008 at 8:36 PM, Scott Haneda  wrote:

> Hello, I am working with a client of mine, who jumped right into developing
> a backend system for managing his arsenal of sites.  I am not entirely sure
> what he is up to, but there is potential to have to add in 50,000 zones.
>
> From what I can gather, all the zones are the same, they all have 2 A
> records, pointing to the same IP address.
>
> First, if I learn it is in fact true that all 50K zones will be identical,
> is there any reason to make 50K zone files? Is it ok to point different
> domains to the same zone file?
>
> If not, it is not a huge deal, just a little more management to clean up
> additions and deletions and such.
>
> What type of hardware am I going to need CPU wise to deal with this many
> domains?  Currently, I have been managing cases in which a few thousand seem
> to be no big deal, on minimal hardware, something like a Mac Mini at times.
>
> Does upping the qty of domains and zones a few orders of magnitude cause
> any issues?  Or does it all come back to how many lookups per second are
> happening?
>
> There is no recursion on these servers, they are just serving out zone
> data, no clients connect to these machines.
>
> Thanks
> --
> Scott
>



-- 
Google for President
YouTube for VP
in any year divisible by 4