RE: Caching-only Name server does Zone Updates

2009-02-02 Thread Ashish
Thank you Mark,

Doupdate is followed by a lot of statements like

Db_update
Match

Please see the content below.
=
Doupdate(zone 0, savens x, flags y)
Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543) match(0x9b430, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0x9123v, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0x9sd33, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0xdg6d8, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0x6abde, 1, 6) 1, 6
==

Please correct me if I am wrong: I thought that for a cache update it should
update only one record. So why are so many updates being made?

Please advise.

Thanks a lot
Ashish

-Original Message-
From: mark_andr...@isc.org [mailto:mark_andr...@isc.org] 
Sent: Tuesday, February 03, 2009 11:32 AM
To: Ashish
Cc: niall.orei...@ucd.ie; bind-users@lists.isc.org
Subject: Re: Caching-only Name server does Zone Updates 


In message <009201c985c0$aff05cb0$f9281...@wipro74039c7ca>, "Ashish" writes:
> Hello All,
> 
> Thank you for your replies.
> 
> Our configuration file is fairly simple (I have changed the domain name for
> security). 

You care about security yet you run BIND 4?
 
> domain  example.group.net 
> cache   ./etc/dnscache  
> 
> We use BIND 4. Actually our DNS was doing a lot of CPU utilization and when we
> started it in Debug mode we found that there was a reverse lookup for some
> IP address which was in the dnscache file. (dnscache is the root hint file)
> 
> This started zone updates, as we can observe in the debug file which calls
> function db_update()
> 
> Here is the debug file content (I have modified the IP address for security
> reasons. Here 21.x.x.x is one of the entries in dnscache file. I mean that
> there was a network address starting with 21 in our dnscache file)
> 
> dgram from 1.2.3.4, 2 ()
>  ns_req()
>  req: nlookup(5.6.7.21.in-addr.arpa) id 111 type=11
>  req: found '5.6.7.21.in-addr.arpa' as '21.in-addr.arpa' (cname=0)
>  findns: np 0x6b41e
>  findns: 2 NS's added for '21'
>  ns_forw()
>  qnew(x45gte8)
>  nslookup(nsp=x2433d,qp=xfdgfv4)
>  nslookup: NS server01.example.grp.net c1 t2 (x0)
>  nslookup: 1 ns addrs
>  nslookup: NS cerver01.example.grp.net c1 t2 (x0)
>  nslookup: 2 ns addrs
>  nslookup: 2 ns addrs total
>  retrytime: nstime 0ms.
>  schedretry(0x1dfd8, 4sec)
> 
> Dgram from 21.x.x.x
> Ns_req()
> Qfindid(12345)
> USER response nsid= id 
> Respose from upexpected source 21.x.x.x
> Stime z/z now yy/yy rtt x
> NS #2 addr 21.x.x.x used rtt y
> NS #1 21.x.x.x rtt now z
> Resp: ancount 0, aucount 1, arcount 0
> Doupdate(zone 0, savens x, flags y)
> Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
> Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543)
> 
> This is strange, there was NSLOOKUP for some IP 5.6.7.21 which caused zone
> updates and we do not have any zone specified in our configuration file.

zone 0 is the cache.  The cache was updated.

Mark
 
> Kindly advise
> 
> Thanks 
> Ashish
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Caching-only Name server does Zone Updates

2009-02-02 Thread Barry Margolin
In article , "Ashish" wrote:

> Hello All,
> 
> Thank you for your replies.
> 
> Our configuration file is fairly simple (I have changed the domain name for
> security). 
> 
> domain  example.group.net 
> cache   ./etc/dnscache  
> 
> We use BIND 4.

BIND 4 is at least 15 years out of date, why are you still using it?  
You're not likely to get any sympathy here.

> Actually our DNS was doing lot of CPU utilization and when we
> started it in Debug mode we found that there was a reverse lookup for some
> IP address which was in the dnscache file. (dnscache is the root hint file)

The only things that should be in the dnscache file are NS and A records 
for the root servers.  I have no idea if it uses any of the other 
records.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: Caching-only Name server does Zone Updates

2009-02-02 Thread Mark Andrews

In message <009201c985c0$aff05cb0$f9281...@wipro74039c7ca>, "Ashish" writes:
> Hello All,
> 
> Thank you for your replies.
> 
> Our configuration file is fairly simple (I have changed the domain name for
> security). 

You care about security yet you run BIND 4?
 
> domain  example.group.net 
> cache   ./etc/dnscache  
> 
> We use BIND 4. Actually our DNS was doing lot of CPU utilization and when we
> started it in Debug mode we found that there was a reverse lookup for some
> IP address which was in the dnscache file. (dnscache is the root hint file)
> 
> This started zone updates, as we can observe in the debug file which calls
> function db_update()
> 
> Here is the debug file content (I have modified the IP address for security
> reasons. Here 21.x.x.x is one of the entries in dnscache file. I mean that
> there was a network address starting with 21 in our dnscache file)
> 
> dgram from 1.2.3.4, 2 ()
>  ns_req()
>  req: nlookup(5.6.7.21.in-addr.arpa) id 111 type=11
>  req: found '5.6.7.21.in-addr.arpa' as '21.in-addr.arpa' (cname=0)
>  findns: np 0x6b41e
>  findns: 2 NS's added for '21'
>  ns_forw()
>  qnew(x45gte8)
>  nslookup(nsp=x2433d,qp=xfdgfv4)
>  nslookup: NS server01.example.grp.net c1 t2 (x0)
>  nslookup: 1 ns addrs
>  nslookup: NS cerver01.example.grp.net c1 t2 (x0)
>  nslookup: 2 ns addrs
>  nslookup: 2 ns addrs total
>  retrytime: nstime 0ms.
>  schedretry(0x1dfd8, 4sec)
> 
> Dgram from 21.x.x.x
> Ns_req()
> Qfindid(12345)
> USER response nsid= id 
> Respose from upexpected source 21.x.x.x
> Stime z/z now yy/yy rtt x
> NS #2 addr 21.x.x.x used rtt y
> NS #1 21.x.x.x rtt now z
> Resp: ancount 0, aucount 1, arcount 0
> Doupdate(zone 0, savens x, flags y)
> Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
> Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543)
> 
> This is strange, there was NSLOOKUP for some IP 5.6.7.21 which caused zone
> updates and we do not have any zone specified in our configuration file.

zone 0 is the cache.  The cache was updated.

Mark
 
> Kindly advise
> 
> Thanks 
> Ashish
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: How many nameservers?

2009-02-02 Thread Barry Margolin
In article , bsfin...@anl.gov wrote:

> One downside - if you have many NS records, then they might not all
> fit in one UDP packet (the Authority and/or Addition sections of a
> response to a DNS query).  This will cause the protocol to revert
> to TCP.

Truncation isn't supposed to happen if you overflow in the Additional 
section, is it?  These records are already optional, so they can be left 
out if it would cause the packet to exceed the maximum UDP size.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


RE: Caching-only Name server does Zone Updates

2009-02-02 Thread Ashish
Hello All,

Thank you for your replies.

Our configuration file is fairly simple (I have changed the domain name for
security). 

domain  example.group.net 
cache   ./etc/dnscache  

We use BIND 4. Actually our DNS was doing a lot of CPU utilization and when we
started it in Debug mode we found that there was a reverse lookup for some
IP address which was in the dnscache file. (dnscache is the root hint file)

This started zone updates, as we can observe in the debug file which calls
function db_update()

Here is the debug file content (I have modified the IP address for security
reasons. Here 21.x.x.x is one of the entries in dnscache file. I mean that
there was a network address starting with 21 in our dnscache file)

dgram from 1.2.3.4, 2 ()
 ns_req()
 req: nlookup(5.6.7.21.in-addr.arpa) id 111 type=11
 req: found '5.6.7.21.in-addr.arpa' as '21.in-addr.arpa' (cname=0)
 findns: np 0x6b41e
 findns: 2 NS's added for '21'
 ns_forw()
 qnew(x45gte8)
 nslookup(nsp=x2433d,qp=xfdgfv4)
 nslookup: NS server01.example.grp.net c1 t2 (x0)
 nslookup: 1 ns addrs
 nslookup: NS cerver01.example.grp.net c1 t2 (x0)
 nslookup: 2 ns addrs
 nslookup: 2 ns addrs total
 retrytime: nstime 0ms.
 schedretry(0x1dfd8, 4sec)

Dgram from 21.x.x.x
Ns_req()
Qfindid(12345)
USER response nsid= id 
Respose from upexpected source 21.x.x.x
Stime z/z now yy/yy rtt x
NS #2 addr 21.x.x.x used rtt y
NS #1 21.x.x.x rtt now z
Resp: ancount 0, aucount 1, arcount 0
Doupdate(zone 0, savens x, flags y)
Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543)

This is strange, there was NSLOOKUP for some IP 5.6.7.21 which caused zone
updates and we do not have any zone specified in our configuration file.

Kindly advise

Thanks 
Ashish
-Original Message-
From: Niall O'Reilly [mailto:niall.orei...@ucd.ie] 
Sent: Monday, February 02, 2009 7:50 PM
To: Ashish
Cc: bind-users@lists.isc.org; niall.orei...@ucd.ie
Subject: Re: Caching-only Name server does Zone Updates

On Mon, 2009-02-02 at 17:25 +0530, Ashish wrote:
> Our DNS is configured as Caching-only Name server.

How do you know?

>  However, it's still
> performing Zone updates like a Slave Name Server.

How many 'zone' sections are in your configuration?

Why not post your configuration file to the list,
so that we can see?

/Niall







Re: Is per "view" logging possible with bind?

2009-02-02 Thread JINMEI Tatuya / 神明達哉
At Mon, 2 Feb 2009 15:13:54 -0800 (PST),
Gregory Hicks  wrote:

> > > Is it possible instead of seeing this in the logs:
> > 
> > It's impossible if my understanding of the implementation is correct.
> 
> I may have mis-understood here, but I have TWO views and get logging by
> view, thusly:

I probably cut too much of the original post, but my understanding is
the OP wanted this:

> 02-Feb-2009 07:04:42.544 queries: info: client 127.0.0.1#41764: view trusted: 
> query: 137.139.188.205.in-addr.arpa IN PTR +

to go to one log file, say named-trusted.queries

and this one:

> 02-Feb-2009 07:05:18.297 queries: info: client 65.98.93.197#53: view 
> external: query: metis.hicks-net.net IN MX -ED

to another, such as named-external.queries, which I said was impossible.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Upgrade 9.5.1-P1 to 9.6.0.P1 question

2009-02-02 Thread JINMEI Tatuya / 神明達哉
At Mon, 2 Feb 2009 12:34:06 -0800 (PST),
Terpasaur  wrote:

> I successfully and effortlessly upgraded two Bind servers running
> 9.5.1-P2 directly to 9.6.0-P1, simply by running ./configure
> make
> make install
> 
> Although this worked just fine, I am now planning to perform the same
> procedure one of my production servers which is running 9.5.1-P1, and
> wanted to know if there were any problems going this route instead of
> a full uninstall/install process?

It (=overriding by make install) should normally work well.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Open ports in Bind

2009-02-02 Thread JINMEI Tatuya / 神明達哉
At Mon, 02 Feb 2009 22:32:17 +0330,
"Bind"  wrote:

> maybe my first question type was wrong, sorry for terrible!, my question is:
> when I run netstat -an, why does my server have some established connections with its
> own IP address through different source ports to one client address?
> 
> example:
> 
> 192.168.1.1.51121 74.222.11.71.53  Connected
> 192.168.1.1.58967 74.222.11.71.53  Connected
> 192.168.1.1.46691 74.222.11.71.53  Connected
> 
> does it mean that client 74.222.11.71 at the time of
> snapshot requests 3 DNS queries from my server or something else?

These are most likely queries sent from a BIND9 caching server as part
of recursive name resolution.  They are not 'open' ports, but are
temporarily opened and connected to a specific remote server address
for a particular query.

> can we say the number of recursive-clients after run "rndc status" and
> the output of "netstat -an |grep 53 | wc" point to the same thing 
> (regardless of difference to running time)?

Not necessarily, because if named receives a same query from multiple
clients it combines the query and only sends one query to the remote
server.  Also, there are other queries internally sent from named.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Is per "view" logging possible with bind?

2009-02-02 Thread Gregory Hicks

> Date: Mon, 02 Feb 2009 14:37:42 -0800
> From: JINMEI Tatuya / 神明達哉
> 
> At Sat, 31 Jan 2009 08:31:35 -0500 (EST),
> Justin Piszcz  wrote:
> > 
> > I have multiple views:
> > 
> > internal
> > external
> > localhost
> > 
> > Is it possible instead of seeing this in the logs:
> 
> It's impossible if my understanding of the implementation is correct.

I may have mis-understood here, but I have TWO views and get logging by
view, thusly:

02-Feb-2009 07:04:42.544 queries: info: client 127.0.0.1#41764: view trusted: query: 137.139.188.205.in-addr.arpa IN PTR +
02-Feb-2009 07:04:42.547 queries: info: client 127.0.0.1#41765: view trusted: query: imo-d23.mx.aol.com IN A +
02-Feb-2009 07:05:18.297 queries: info: client 65.98.93.197#53: view external: query: metis.hicks-net.net IN MX -ED
02-Feb-2009 07:05:18.392 queries: info: client 65.98.93.197#53: view external: query: metis.hicks-net.net IN A -ED
02-Feb-2009 07:05:18.636 queries: info: client 127.0.0.1#41766: view trusted: query: 14.190.83.208.in-addr.arpa IN PTR +
02-Feb-2009 07:05:18.857 queries: info: client 127.0.0.1#41767: view trusted: query: discoursesfascinate.com IN A +

This is the way I have it set up...  (Kinda simple):

logging {
  channel example_log {
    file "/var/log/named.log" versions 3 size 2m;
    severity info;
    print-severity yes;
    print-time yes;
    print-category yes;
  };
  channel "security" {
    file "/var/log/named.sec" versions 3 size 2m;
    severity info;
    print-severity yes;
    print-category yes;
    print-time yes;
  };
  channel "queries" {
    file "/var/log/named.queries" versions 3 size 2m;
    severity info;
    print-severity yes;
    print-category yes;
    print-time yes;
  };

  category default {
    example_log;
  };
  category security {
    security;
    default_syslog;
    default_debug;
  };
  category queries {
    queries;
    default_syslog;
    default_debug;
  };
};

view "trusted" {
 match-clients { "internal"; };
 recursion yes;

[...zones go here...]

};

view "external" {
 match-clients { "any"; };
 recursion no;
 additional-from-cache no;

[...zones go here...]

};

If this is NOT what you're looking for, I apologize for wasting your time...

Regards,
Gregory Hicks


-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton



Re: Is per "view" logging possible with bind?

2009-02-02 Thread JINMEI Tatuya / 神明達哉
At Sat, 31 Jan 2009 08:31:35 -0500 (EST),
Justin Piszcz  wrote:
> 
> I have multiple views:
> 
> internal
> external
> localhost
> 
> Is it possible instead of seeing this in the logs:

It's impossible if my understanding of the implementation is correct.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Bind-9.5.1 logging

2009-02-02 Thread JINMEI Tatuya / 神明達哉
At Fri, 30 Jan 2009 22:06:57 -0500,
Peter Fraser  wrote:

> I'm trying to configure bind-9.5 logging to help troubleshoot a
> problem. I put this in named.conf
> 
> logging {
> channel myfile {
> file "/etc/namedb/dns.log";
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel myfile-security {
> file "/etc/namedb/dns-security.log";
> severity info;
> };
> category update { myfile; };
> category security { myfile-security; };
> };
> 
> I then run rndc trace, but the log files stay empty. What could I be
> doing wrong?

'rndc trace' only affects debug logs.  There should be a file named
'named.run' on the working directory, and you'll find noisy output
there by issuing 'rndc trace'.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: How many nameservers?

2009-02-02 Thread Stephane Bortzmeyer
On Sun, Feb 01, 2009 at 04:51:52PM -0800,
 shulkae  wrote 
 a message of 17 lines which said:

> How may NS entries typically is allowed per zone?

The protocol has no limit. But you may run into problems with old
software which still limits the DNS packets to 512 bytes. See all the
gory details in .

> Is there a bind limit

Well, since you cannot be sure of the software that will be used to
talk to your name servers, the problem is not BIND (which has handled
EDNS0 for a long time), it is the others.

> We would like to start with around 16 Slaves per master per zone. Is
> this too much?

Why not use anycast instead? 16 is indeed a lot and you will have
trouble finding a zone with as many name servers.

But if you do it, please report it, it would be good news that EDNS0
is at last widely available.


Re: How many nameservers?

2009-02-02 Thread Stephane Bortzmeyer
On Mon, Feb 02, 2009 at 02:25:35PM -0600,
 bsfin...@anl.gov  wrote 
 a message of 41 lines which said:

> One downside - if you have many NS records, then they might not all
> fit in one UDP packet

Let me demonstrate a bit of pedantism: the correct sentence is rather
"they might not all fit in a traditional DNS UDP packet (512
bytes)". The limit is not UDP's fault. And even with DNS, EDNS0 allows
more than 512 bytes and is now an old technology.

> This will cause the protocol to revert to TCP.

Not with EDNS0 (which is enabled by default on BIND).


Upgrade 9.5.1-P1 to 9.6.0.P1 question

2009-02-02 Thread Terpasaur
Hello,

I successfully and effortlessly upgraded two Bind servers running
9.5.1-P2 directly to 9.6.0-P1, simply by running ./configure
make
make install

Although this worked just fine, I am now planning to perform the same
procedure on one of my production servers which is running 9.5.1-P1, and
wanted to know if there were any problems going this route instead of
a full uninstall/install process?

Very Best Regards,

Emery Rudolph
Sr. Systems Analyst
Office of Information Technology
University of Maryland University College
Email: erudo...@umuc.edu
http://www.umuc.edu


Re: How many nameservers?

2009-02-02 Thread bsfinkel
On Sun, Feb 1, 2009 at 7:51 PM, shulkae  wrote:

>> How may NS entries typically is allowed per zone? Is there a bind
>> limit or does it cause any side effects if the
>> slaves are geographically distributed ?
>>
>> We would like to setup one zone for my new group who have offices all
>> over the world ? We are planning
>> to use BIND 9 over FreeBSD. There may be few SUN/Solaris hosts as
>> well.
>>
>> We would like to start with around 16 Slaves per master per zone. Is
>> this too much? My tests did not reveal any side effect fortunately.
>>
>> Anyone with experience of setting up DNS slaves all around the globe
>> please advise..


and Ben Croswell  replied:

>I have never heard of there being any downside to a large number of NS
>records for a domain.
>I know internally to my company we have large numbers of NS records for the
>internal domains.


One downside - if you have many NS records, then they might not all
fit in one UDP packet (the Authority and/or Addition sections of a
response to a DNS query).  This will cause the protocol to revert
to TCP.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


RE: BIND still will not resolve

2009-02-02 Thread Ben Bridges
Brain fart times 2.  That defines what IPv4 addresses it will listen on
for queries, not what addresses are allowed to query it.  And I failed
to notice that it was commented out.


> -Original Message-
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ben Bridges
> Sent: Monday, February 02, 2009 1:29 PM
> To: S. Jeff Cold
> Cc: bind-users@lists.isc.org
> Subject: RE: BIND still will not resolve
> 
> It also appears that your name server (iceman) is configured to accept
> IPv4 queries only from itself.
> 
> >#listen-on port 53 { 127.0.0.1; };
> 
> 
> 
> > -Original Message-
> > From: bind-users-boun...@lists.isc.org 
> > [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matthew 
> > Pounsett
> > Sent: Monday, February 02, 2009 1:23 PM
> > To: S. Jeff Cold
> > Cc: bind-users@lists.isc.org
> > Subject: Re: BIND still will not resolve
> > 
> > 
> > On 02-Feb-2009, at 14:03, S. Jeff Cold wrote:
> > 
> > > BIND list,
> > >
> > >Well, I thought I had this DNS problem licked with my ISP
> > > volunteering as a secondary name server, but I guess not.  My server
> > > still will not resolve my jatec.us domain.  Maybe I have something
> > > wrong in named.conf or the zone files?  I can't figure it to be so
> > > difficult, but it just will not resolve.
> > 
> > Your authoritative DNS servers aren't configured to be authoritative
> > for jatec.us.   nx1.xmission.com gives an upward referral to the root,
> > and iceman.jatec.us gives a REFUSED response.  Both behaviours
> > indicate that the servers don't believe they're authoritative for the
> > zone.
> > 
> > Looking at your configuration, I don't see a "zone" statement anywhere
> > to load a jatec.us zone file.
> > 
> > 
> > 


Re: error sending response log messages

2009-02-02 Thread Thomas Schulz
In article ,
Andre LeClaire   wrote:
>Mark Andrews wrote:
>> In message <497caef2.80...@yahoo.com>, Andre LeClaire writes:
>>> Hello everyone,
>>> I've been seeing these syslog messages for about a week on a FreeBSD 
>>> server running BIND 9.4.3-P1:
>>>
>>> Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error 
>>> sending response: permission denied
>>> Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error 
>>> sending response: permission denied
>>> Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error 
>>> sending response: permission denied
>>> Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error 
>>> sending response: permission denied
>>> Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error 
>>> sending response: permission denied
>>> Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error 
>>> sending response: permission denied
>>> Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error 
>>> sending response: permission denied
>>> Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error 
>>> sending response: permission denied
>>> Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error 
>>> sending response: permission denied
>>> Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error 
>>> sending response: permission denied
>>>
>>> Ports 135-139 and 445 are denied by the firewall on the outside 
>>> interface.
>> 
>>  Why do you care about what port you are sending to?  Just
>>  allow named to send its replies.
>> 
>
>Ports 135-139 and 445 are blocked on the outside interface to protect 
>the Windows networks on the inside, which use those ports, from the 
>savage Internet.

You seem to be saying that you are blocking incoming traffic on those
ports, but the above errors suggest that you are allowing incoming
queries on those ports but blocking the outgoing reply. I don't understand
why you would do that.

>Are you saying that it's normal for named to send replies on those ports?
>Also, the server has been up for over 3 years with no problems, and 
>these errors just started happening last week.

New versions of BIND, and perhaps other DNS implementations, make queries
on random ports and use a wider range of ports than before.  This is to
work around a security issue.  You are probably seeing the effects of other
sites upgrading their DNS servers.

You should adjust your firewall to allow replies from BIND on any port.

>
>Andre
-- 
Tom Schulz
sch...@adi.com


Re: BIND still will not resolve --now fixed

2009-02-02 Thread S. Jeff Cold
Thanks everyone who helped.  You know you can look at something a hundred times 
and not see what
is obviously wrong until someone points it out.
 
Jc
 
 
S. Jeff Cold, Associate Professor
IS&T Dept., MS-181
Utah Valley University
800 W. University Pkwy.
Orem, UT 84058-5999
 
(801) 863-8851 - office
(801) 863-8522 - fax
(801) 494-4793 - cell

RE: BIND still will not resolve

2009-02-02 Thread Ben Bridges
It also appears that your name server (iceman) is configured to accept
IPv4 queries only from itself.

>#listen-on port 53 { 127.0.0.1; };



> -Original Message-
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
> Matthew Pounsett
> Sent: Monday, February 02, 2009 1:23 PM
> To: S. Jeff Cold
> Cc: bind-users@lists.isc.org
> Subject: Re: BIND still will not resolve
> 
> 
> On 02-Feb-2009, at 14:03, S. Jeff Cold wrote:
> 
> > BIND list,
> >
> >Well, I thought I had this DNS problem licked with my ISP
> > volunteering as a secondary name server, but I guess not.  My server
> > still will not resolve my jatec.us domain.  Maybe I have something
> > wrong in named.conf or the zone files?  I can't figure it to be so
> > difficult, but it just will not resolve.
> 
> Your authoritative DNS servers aren't configured to be authoritative
> for jatec.us.   nx1.xmission.com gives an upward referral to the root,
> and iceman.jatec.us gives a REFUSED response.  Both behaviours
> indicate that the servers don't believe they're authoritative for the
> zone.
> 
> Looking at your configuration, I don't see a "zone" statement anywhere
> to load a jatec.us zone file.
> 
> 
> 


Re: BIND still will not resolve

2009-02-02 Thread Matthew Pounsett


On 02-Feb-2009, at 14:03, S. Jeff Cold wrote:


BIND list,

   Well, I thought I had this DNS problem licked with my ISP  
volunteering as a secondary name server, but I guess not.  My server  
still will not resolve my jatec.us domain.  Maybe I have something  
wrong in named.conf or the zone files?  I can't figure it to be so  
difficult, but it just will not resolve.


Your authoritative DNS servers aren't configured to be authoritative  
for jatec.us.   nx1.xmission.com gives an upward referral to the root,  
and iceman.jatec.us gives a REFUSED response.  Both behaviours  
indicate that the servers don't believe they're authoritative for the  
zone.


Looking at your configuration, I don't see a "zone" statement anywhere  
to load a jatec.us zone file.






Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

2009-02-02 Thread Michael Milligan
David Sparks wrote:
> 
> There are plenty of ways to get a mail loop that don't involve DNS
> mis-configuration.  As such pretty much every major MTA detects and stops mail
> loops.

Not if you (accidentally) fat-finger the MTA configuration.  It is
completely possible to still mis-configure a MTA to deliver to itself as
fast as possible.  A DNS configuration with CNAMEs in the mix
short-circuits delivery loop detection at the MX level and just sets up
more potential for a loop.

> 
> So mail loops are a non-issue ... next?
> 

That is the _entire_ issue here.

Regards,
Mike



Re: BIND still will not resolve

2009-02-02 Thread Rich Goodson

just at a glance I see a problem in your zone file:


IN NS   iceman.jatecus. ; The DNS server


your NS record has jatecus as a TLD because you are missing a . between jatec
and us.


same in your SOA for the reverse.

@   IN  SOA iceman.jatecus. root.jatec.us. (



 -rich
On Feb 2, 2009, at 1:03 PM, S. Jeff Cold wrote:


BIND list,

   Well, I thought I had this DNS problem licked with my ISP  
volunteering as a secondary name server, but I guess not.  My server  
still will not resolve my jatec.us domain.  Maybe I have something  
wrong in named.conf or the zone files?  I can't figure it to be so  
difficult, but it just will not resolve.


dig jatec.us gives:

; <<>> DiG 9.5.0-P2 <<>> jatec.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9135
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jatec.us.  IN  A

;; Query time: 708 msec
;; SERVER: 166.70.208.147#53(166.70.208.147)
;; WHEN: Mon Feb  2 11:54:49 2009
;; MSG SIZE  rcvd: 26
dig @ns1.xmission.com jatec.us any gives:

; <<>> DiG 9.5.0-P2 <<>> @ns1.xmission.com jatec.us any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54333
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;jatec.us.  IN  ANY

;; AUTHORITY SECTION:
.   518400  IN  NS  J.ROOT-SERVERS.NET.
.   518400  IN  NS  K.ROOT-SERVERS.NET.
.   518400  IN  NS  L.ROOT-SERVERS.NET.
.   518400  IN  NS  M.ROOT-SERVERS.NET.
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.
.   518400  IN  NS  C.ROOT-SERVERS.NET.
.   518400  IN  NS  D.ROOT-SERVERS.NET.
.   518400  IN  NS  E.ROOT-SERVERS.NET.
.   518400  IN  NS  F.ROOT-SERVERS.NET.
.   518400  IN  NS  G.ROOT-SERVERS.NET.
.   518400  IN  NS  H.ROOT-SERVERS.NET.
.   518400  IN  NS  I.ROOT-SERVERS.NET.

;; Query time: 6 msec
;; SERVER: 204.228.159.2#53(204.228.159.2)
;; WHEN: Mon Feb  2 12:00:11 2009
;; MSG SIZE  rcvd: 237
My named.conf file:

# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller 
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9.  It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.

options {

# The directory statement defines the name server's working directory

directory "/var/lib/named";

# Write dump and statistics file to the log subdirectory.  The
# pathnames are relative to the chroot jail.

dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";

# The forwarders record contains a list of servers to which queries
# should be forwarded.  Enable this line and modify the IP address to
# your provider's name server.  Up to three servers may be listed.

#forwarders { 192.0.2.1; 192.0.2.2; };

# Enable the next entry to prefer usage of the name server declared in
# the forwarders section.

#forward first;

# The listen-on record contains a list of local network interfaces to
# listen on.  Optionally the port can be specified.  Default is to
# listen on all interfaces found on your system.  The default port is
# 53.

#listen-on port 53 { 127.0.0.1; };

# The listen-on-v6 record enables or disables listening on IPv6
# interfaces.  Allowed values are 'any' and 'none' or a list of
# addresses.

listen-on-v6 { any; };

# The next three statements may be needed if a firewall stands between
# the local server and the internet.

#query-source address * port 53;
#transfer-source * port 53;
#notify-source * port 53;

# The allow-query record contains a list of networks or IP addresses
# to accept and deny queries from. The default is to allow queries
# from all hosts.

#allow-query { 127.0.0.1; };

# If notify is set to yes (default), notify messages are sent to other
# name servers when the zone data is changed.  Instead of setting
# a global '
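The two replies in this thread point at two separate defects: named.conf declares no zone for jatec.us, and the zone file uses absolute names such as iceman.jatecus. that have lost a dot. The following is an added example, not code from the thread or from BIND, that checks a named.conf text and a zone file text for exactly those two problems; the sample config and zone data are constructed to reproduce the posted mistakes.

```python
import re

# Constructed named.conf excerpt: a caching-only template (as in the thread) that never
# declares jatec.us. Constructed for this example, not the poster's actual file.
SAMPLE_NAMED_CONF = """
options { directory "/var/lib/named"; notify no; };
zone "." in { type hint; file "root.hint"; };
zone "localhost" in { type master; file "localhost.zone"; };
"""

# Constructed zone file reproducing the typo quoted above (jatecus. instead of jatec.us.).
SAMPLE_ZONE = """
$TTL 86400
@   IN  SOA iceman.jatecus. root.jatec.us. (
            2009020201 3600 900 604800 86400 )
    IN  NS  iceman.jatecus.     ; The DNS server
    IN  NS  ns1.xmission.com.
    IN  MX  10 mail.jatec.us.
iceman  IN  A   192.0.2.10
mail    IN  A   192.0.2.20
"""

ZONE_STMT = re.compile(r'zone\s+"([^"]+)"', re.IGNORECASE)
# owner (empty when the line starts with whitespace), optional TTL, optional class,
# one of the record types whose rdata carries a domain name, then the rdata.
RR_LINE = re.compile(r"^(\S*)\s+(?:\d+\s+)?(?:IN\s+)?(SOA|NS|MX|CNAME)\s+(.*)$", re.IGNORECASE)


def declared_zones(named_conf: str) -> set:
    """Zone names declared with a zone statement, lower-cased, trailing dot removed."""
    zones = set()
    for m in ZONE_STMT.finditer(named_conf):
        name = m.group(1).lower()
        zones.add(name if name == "." else name.rstrip("."))
    return zones


def absolute_names(zone_text: str) -> list:
    """Every dot-terminated name used in the rdata of SOA/NS/MX/CNAME records, in order."""
    names = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        m = RR_LINE.match(line)
        if not m:
            continue
        for tok in m.group(3).split():
            if tok.endswith(".") and re.search(r"[A-Za-z]", tok):
                names.append(tok.lower())
    return names


def check(named_conf: str, zone_text: str, origin: str) -> list:
    """Findings for the two defects discussed in the thread, as readable strings."""
    origin = origin.lower().rstrip(".")
    findings = []
    if origin not in declared_zones(named_conf):
        findings.append(f'named.conf has no zone "{origin}" statement, so named '
                        f"will not be authoritative for it (expect REFUSED or a root referral)")
    for name in dict.fromkeys(absolute_names(zone_text)):   # de-duplicated, order kept
        if name == origin + "." or name.endswith("." + origin + "."):
            continue                                          # properly in-zone
        # An absolute name that equals the origin once all dots are ignored, yet does not
        # end in the origin as written, has almost certainly lost a dot (iceman.jatecus.).
        if name.replace(".", "").endswith(origin.replace(".", "")):
            findings.append(f"{name} matches {origin} only with the dots ignored; "
                            f"a dot is probably missing, so its TLD would be "
                            f"'{name.rstrip('.').rsplit('.', 1)[-1]}'")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_NAMED_CONF, SAMPLE_ZONE, "jatec.us"):
        print(finding)
```

Run it against a real named.conf and zone file by reading both into strings; names that are in-zone or belong to another domain (ns1.xmission.com.) are left alone, only names that collapse onto the origin are reported.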

BIND still will not resolve

2009-02-02 Thread S. Jeff Cold
BIND list,
 
   Well, I thought I had this DNS problem licked with my ISP volunteering as a 
secondary name server, but I guess not.  My server still will not resolve my 
jatec.us domain.  Maybe I have something wrong in named.conf or the zone files? 
 I can't figure it to be so difficult, but it just will not resolve.
 
dig jatec.us gives:
 
; <<>> DiG 9.5.0-P2 <<>> jatec.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9135
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;jatec.us.  IN  A
 
;; Query time: 708 msec
;; SERVER: 166.70.208.147#53(166.70.208.147)
;; WHEN: Mon Feb  2 11:54:49 2009
;; MSG SIZE  rcvd: 26
dig @ns1.xmission.com jatec.us any gives:
 
; <<>> DiG 9.5.0-P2 <<>> @ns1.xmission.com jatec.us any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54333
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available
 
;; QUESTION SECTION:
;jatec.us.  IN  ANY
 
;; AUTHORITY SECTION:
.   518400  IN  NS  J.ROOT-SERVERS.NET.
.   518400  IN  NS  K.ROOT-SERVERS.NET.
.   518400  IN  NS  L.ROOT-SERVERS.NET.
.   518400  IN  NS  M.ROOT-SERVERS.NET.
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.
.   518400  IN  NS  C.ROOT-SERVERS.NET.
.   518400  IN  NS  D.ROOT-SERVERS.NET.
.   518400  IN  NS  E.ROOT-SERVERS.NET.
.   518400  IN  NS  F.ROOT-SERVERS.NET.
.   518400  IN  NS  G.ROOT-SERVERS.NET.
.   518400  IN  NS  H.ROOT-SERVERS.NET.
.   518400  IN  NS  I.ROOT-SERVERS.NET.
 
;; Query time: 6 msec
;; SERVER: 204.228.159.2#53(204.228.159.2)
;; WHEN: Mon Feb  2 12:00:11 2009
;; MSG SIZE  rcvd: 237
My named.conf file:
 
# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller 
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9.  It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.
 
options {
 
# The directory statement defines the name server's working directory
 
directory "/var/lib/named";
 
# Write dump and statistics file to the log subdirectory.  The
# pathnames are relative to the chroot jail.
 
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
 
# The forwarders record contains a list of servers to which queries
# should be forwarded.  Enable this line and modify the IP address to
# your provider's name server.  Up to three servers may be listed.
 
#forwarders { 192.0.2.1; 192.0.2.2; };
 
# Enable the next entry to prefer usage of the name server declared in
# the forwarders section.
 
#forward first;
 
# The listen-on record contains a list of local network interfaces to
# listen on.  Optionally the port can be specified.  Default is to
# listen on all interfaces found on your system.  The default port is
# 53.
 
#listen-on port 53 { 127.0.0.1; };
 
# The listen-on-v6 record enables or disables listening on IPv6
# interfaces.  Allowed values are 'any' and 'none' or a list of
# addresses.
 
listen-on-v6 { any; };
 
# The next three statements may be needed if a firewall stands between
# the local server and the internet.
 
#query-source address * port 53;
#transfer-source * port 53;
#notify-source * port 53;
 
# The allow-query record contains a list of networks or IP addresses
# to accept and deny queries from. The default is to allow queries
# from all hosts.
 
#allow-query { 127.0.0.1; };
 
# If notify is set to yes (default), notify messages are sent to other
# name servers when the zone data is changed.  Instead of setting
# a global 'notify' statement in the 'options' section, a separate
# 'notify' can be added to each zone definition.
 
notify no;
};
 
# To configure named's logging remove the leading '#' characters of the
# following examples.
#logging {
#   # Log queries to a file limited to a size of 100 MB.
#   channel query_logging {
#   file "/var/log/named_querylog"
#   

RE: Error: isc_lex_gettoken() failed: I/O error

2009-02-02 Thread Jeff Lightner
Maybe if you do something like paste the line and pipe it through "cat
-v" you can see what special characters are being embedded by SecureCRT.

This by the way is why we tell our DBAs that use something other than
PuTTY that we won't help them unless it fails in PuTTY also.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Monday, February 02, 2009 12:38 PM
To: bind-us...@isc.org
Subject: RE: Error: isc_lex_gettoken() failed: I/O error

[replying to myself is bad form, I know]

The command we are running is:

r...@dnsbox:/var/named/var/named# named-checkzone -w /var/named
test.domain var/named/master/test.domain

So we did some more testing - if I type the command in, it works.

If I paste it into SecureCRT it fails. 

If I paste it in to PuTTY it works (except putty translates the - into a
. for some reason)

I can't imagine what SecureCRT is doing that would cause named-checkzone
to burst a blood vessel ... I'm guessing some special character is being
pasted by SecureCRT, but BIND isn't playing nice with it.

At any rate, now you know.  SecureCRT (tty = vt100) and bind don't play
nice.

Cheers,

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Monday, February 02, 2009 11:59 AM
To: bind-us...@isc.org
Subject: Error: isc_lex_gettoken() failed: I/O error

While running a checkzone, one of my users is getting this error:

dns_master_load: /var/named/var/named:1: isc_lex_gettoken() failed: I/O
error
dns_master_load: /var/named/var/named:1: I/O error


Google isn't helping me too much.

We're thinking maybe it's terminal related - a user has had success
using an xterm, but me and others are using SecureCRT and have problems.


Can anyone say what this error actually means?  We're a little stumped
at what's going on.

Thanks!

Todd.



 
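Jeff's suggestion above is to look at the pasted bytes with "cat -v". As an added example (not from the thread), here is the same rendering done in Python so that every non-printable byte can be located by line and column; the sample paste is constructed, and the en dash standing in for the "-" of "-w" is an assumption about what the terminal inserted, not something the thread establishes.

```python
# Constructed paste of the command from the thread in which the "-" of "-w" arrived as a
# Unicode en dash (bytes E2 80 93) and the line ends in CR LF. Whether SecureCRT did
# exactly this is an assumption; the point is what such bytes look like and where they sit.
SAMPLE_PASTE = (b"named-checkzone \xe2\x80\x93w /var/named test.domain "
                b"var/named/master/test.domain\r\n")


def catv(data: bytes) -> str:
    """Render bytes the way `cat -v` does: control characters as ^X, DEL as ^?,
    bytes with the high bit set as M- followed by the rendering of the low 7 bits."""
    out = []
    for b in data:
        if b in (0x09, 0x0A):              # tab and newline are passed through
            out.append(chr(b))
            continue
        prefix = ""
        if b >= 0x80:
            prefix, b = "M-", b - 0x80
        if b < 0x20:
            out.append(prefix + "^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)


def find_oddities(data: bytes) -> list:
    """(line, column, byte, cat -v rendering) for every byte outside printable ASCII,
    tab and newline excepted; columns are 1-based byte offsets within the line."""
    found, line, col = [], 1, 1
    for b in data:
        if b == 0x0A:
            line, col = line + 1, 1
            continue
        if b == 0x09 or 0x20 <= b < 0x7F:
            col += 1
            continue
        found.append((line, col, b, catv(bytes([b]))))
        col += 1
    return found


if __name__ == "__main__":
    print(catv(SAMPLE_PASTE))
    for line, col, b, shown in find_oddities(SAMPLE_PASTE):
        print(f"line {line} col {col}: byte 0x{b:02x} shown as {shown}")
```

Feed it the bytes of a file written from the paste (or of the zone file itself) to see why the lexer reports an I/O error on line 1 while a hand-typed command works.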


Open ports in Bind

2009-02-02 Thread Bind
Dear Admins
Maybe my first question was badly put, sorry, it was terrible! My question is:
when I run netstat -an, why does my server have some established connections with its
own IP address through different source ports to one client address?

example:

192.168.1.1.51121  74.222.11.71.53  Connected
192.168.1.1.58967  74.222.11.71.53  Connected
192.168.1.1.46691  74.222.11.71.53  Connected



Does it mean that client 74.222.11.71, at the time of the
snapshot, requested 3 DNS queries from my server, or something else?

Can we say that the number of recursive-clients after running "rndc status" and
the output of "netstat -an |grep 53 | wc" point to the same thing
(regardless of the difference in running time)?
Regards

Re: Bind 9 query logging

2009-02-02 Thread David Forrest

On Fri, 30 Jan 2009, Robert Coward wrote:


Sorry, I should have been a bit more specific. In reference to the O'Reilly
book:

O'Reilly DNS and Bind by Paul Albitz & Cricket Liu (4th Edition)
pg. 163 - 173 (specifically pg. 164, paragraph 4) and
pg. 405 - 421 (info about using the debug options)

The web sites I looked at were:

http://www.bind9.net/manuals

and

http://www.zytrax.com/books/dns

So reading your response the current version of Bind (9.6 I think) does not
have the ability to log the responses.


O'Reilly DNS and Bind, Paul Albitz & Cricket Liu


Using 9.6.0-P1, I enabled the querylogs option like this:
channel querylogs   {
file "/var/log/dnsqueries" size 20m;
severity info;
print-category  yes;
print-severity  yes;
print-time  yes;
};
category queries {querylogs; };

and it generated a quite large log file so I wrote a rather inefficient 
bash script to distill it down to more readable format and end up with 
this little query report:



            Total      A     NS     MX    TXT    PTR    SOA    SPF

External      740    310      1    353      2      0     73      0
Internal    33504  23758   1545   1222    553   3144     50      0
Totals      34244  24068   1546   1575    555   3144    573      0

Other packets: (if any not detailed)
01-Feb-2009 13:34:27.796 queries: info: client 64.246.42.203#40986: view
external: query: maplepark.com IN IXFR -
02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view
internal: query: _ldap._tcp.dc._msdcs.maplepark.com IN SRV +

DDos ( . IN NS) attacks follow: (if any)

(Note: I don't get any of these anymore as I have them dropped at the 
firewall.  They amount to about 1000 per day, and demanded some sort of 
attention to make my logs readable.)


The script via cron runs daily mailing the output and it serves my 
purposes for a very small office network.

--
David Forrest
St. Louis, Missouri
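The report above is distilled from the "queries" channel by a bash script the poster did not include. As an added example (not the poster's script), the following parses lines in the BIND 9.6 query-log format quoted in the message, tallies them per view and record type, lists the packets of other types, and counts the ". IN NS" queries per source that the poster ended up dropping at the firewall; the log lines are constructed and the addresses made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the BIND 9.6 "queries" channel format shown above (timestamp,
# category, severity, client, view, query); the addresses and names are made up.
SAMPLE_LOG = """\
01-Feb-2009 13:34:27.796 queries: info: client 64.246.42.203#40986: view external: query: maplepark.com IN IXFR -
02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view internal: query: _ldap._tcp.dc._msdcs.maplepark.com IN SRV +
02-Feb-2009 11:33:01.004 queries: info: client 192.168.102.95#53723: view internal: query: www.maplepark.com IN A +
02-Feb-2009 11:33:02.118 queries: info: client 203.0.113.7#17000: view external: query: maplepark.com IN MX -
02-Feb-2009 11:33:02.502 queries: info: client 198.51.100.9#1337: view external: query: . IN NS +
02-Feb-2009 11:33:02.503 queries: info: client 198.51.100.9#1337: view external: query: . IN NS +
02-Feb-2009 11:33:02.505 queries: info: client 198.51.100.9#1337: view external: query: . IN NS +
02-Feb-2009 11:33:05.900 queries: info: client 192.168.102.40#2050: view internal: query: 10.102.168.192.in-addr.arpa IN PTR +
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"                 # absent when no views are configured
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)
REPORTED = ("A", "NS", "MX", "TXT", "PTR", "SOA", "SPF")   # the columns of the report above


def parse_line(line: str):
    """Fields of one query-log line, or None for a line in another format."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text: str) -> dict:
    """Per-view counts by type, the lines of other types, and who is asking for '. IN NS'."""
    per_view = defaultdict(Counter)
    other = []
    root_ns = Counter()
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        view = q["view"] or "default"
        per_view[view]["Total"] += 1
        if q["qtype"] in REPORTED:
            per_view[view][q["qtype"]] += 1
        else:
            other.append(line)
        # Repeated root NS queries with recursion desired ('+') from outside are the
        # pattern the poster calls DDoS and drops at the firewall; count them per source.
        if q["qname"] == "." and q["qtype"] == "NS":
            root_ns[q["ip"]] += 1
    return {"per_view": dict(per_view), "other": other, "root_ns": root_ns}


def render(summary: dict) -> str:
    """Plain-text report in the layout of the one posted above."""
    cols = ("Total",) + REPORTED
    lines = ["{:<10}".format("") + "".join(f"{c:>7}" for c in cols)]
    totals = Counter()
    for view, counts in sorted(summary["per_view"].items()):
        totals.update(counts)
        lines.append(f"{view.capitalize():<10}" + "".join(f"{counts[c]:>7}" for c in cols))
    lines.append(f"{'Totals':<10}" + "".join(f"{totals[c]:>7}" for c in cols))
    lines.append("\nOther packets:")
    lines.extend(summary["other"] or ["(none)"])
    lines.append("\n'. IN NS' queries by client:")
    lines.extend(f"{ip}: {n}" for ip, n in summary["root_ns"].most_common())
    if not summary["root_ns"]:
        lines.append("(none)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```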


Re: How many nameservers?

2009-02-02 Thread Ben Croswell
I have never heard of there being any downside to a large number of NS
records for a domain.
I know internally to my company we have large numbers of NS records for the
internal domains.

-- 
-Ben Croswell

On Sun, Feb 1, 2009 at 7:51 PM, shulkae  wrote:

> How many NS entries are typically allowed per zone? Is there a bind
> limit or does it cause any side effects if the
> slaves are geographically distributed?
>
> We would like to set up one zone for my new group who have offices all
> over the world. We are planning
> to use BIND 9 over FreeBSD. There may be a few SUN/Solaris hosts as
> well.
>
> We would like to start with around 16 Slaves per master per zone. Is
> this too much? My tests did not reveal any side effect fortunately.
>
> Anyone with experience of setting up DNS slaves all around the globe
> please advise..
>
> Warm regards
> Shal
>

RE: Error: isc_lex_gettoken() failed: I/O error

2009-02-02 Thread Todd Snyder
[replying to myself is bad form, I know]

The command we are running is:

r...@dnsbox:/var/named/var/named# named-checkzone -w /var/named
test.domain var/named/master/test.domain

So we did some more testing - if I type the command in, it works.

If I paste it into SecureCRT it fails. 

If I paste it in to PuTTY it works (except putty translates the - into a
. for some reason)

I can't imagine what SecureCRT is doing that would cause named-checkzone
to burst a blood vessel ... I'm guessing some special character is being
pasted by SecureCRT, but BIND isn't playing nice with it.

At any rate, now you know.  SecureCRT (tty = vt100) and bind don't play
nice.

Cheers,

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Monday, February 02, 2009 11:59 AM
To: bind-us...@isc.org
Subject: Error: isc_lex_gettoken() failed: I/O error

While running a checkzone, one of my users is getting this error:

dns_master_load: /var/named/var/named:1: isc_lex_gettoken() failed: I/O
error
dns_master_load: /var/named/var/named:1: I/O error


Google isn't helping me too much.

We're thinking maybe it's terminal related - a user has had success
using an xterm, but me and others are using SecureCRT and have problems.


Can anyone say what this error actually means?  We're a little stumped
at what's going on.

Thanks!

Todd.





Re: error sending response log messages

2009-02-02 Thread neurowolf
I have them too. I received the exact same error message along with
some others from different IPs. It's been going on for 2 or 3 weeks
now.



On Jan 27, 9:49 am, Andre LeClaire  wrote:
> Mark Andrews wrote:
> > In message <497caef2.80...@yahoo.com>, Andre LeClaire writes:
> >> Hello everyone,
> >> I've been seeing these syslog messages for about a week on a FreeBSD
> >> server running BIND 9.4.3-P1:
>
> >> Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error
> >> sending response: permission denied
> >> Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error
> >> sending response: permission denied
> >> Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error
> >> sending response: permission denied
> >> Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error
> >> sending response: permission denied
> >> Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error
> >> sending response: permission denied
> >> Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error
> >> sending response: permission denied
> >> Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error
> >> sending response: permission denied
> >> Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error
> >> sending response: permission denied
> >> Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error
> >> sending response: permission denied
> >> Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error
> >> sending response: permission denied
>
> >> Ports 135-139 and 445 are denied by the firewall on the outside
> >> interface.
>
> >    Why do you care about what port you are sending to?  Just
> >    allow named to send its replies.
>
> Ports 135-139 and 445 are blocked on the outside interface to protect
> the Windows networks on the inside, which use those ports, from the
> savage Internet.
> Are you saying that it's normal for named to send replies on those ports?
> Also, the server has been up for over 3 years with no problems, and
> these errors just started happening last week.
>
> Andre
>



How many nameservers?

2009-02-02 Thread shulkae
How many NS entries are typically allowed per zone? Is there a bind
limit or does it cause any side effects if the
slaves are geographically distributed?

We would like to set up one zone for my new group who have offices all
over the world. We are planning
to use BIND 9 over FreeBSD. There may be a few SUN/Solaris hosts as
well.

We would like to start with around 16 Slaves per master per zone. Is
this too much? My tests did not reveal any side effect fortunately.

Anyone with experience of setting up DNS slaves all around the globe
please advise..

Warm regards
Shal


Bind 9 query logging

2009-02-02 Thread Robert Coward
Sorry, I should have been a bit more specific. In reference to the O'Reilly
book:

O'Reilly DNS and Bind by Paul Albitz & Cricket Liu (4th Edition)
pg. 163 - 173 (specifically pg. 164, paragraph 4) and
pg. 405 - 421 (info about using the debug options)

The web sites I looked at were:

http://www.bind9.net/manuals

and

http://www.zytrax.com/books/dns

So reading your response the current version of Bind (9.6 I think) does not
have the ability to log the responses.


O'Reilly DNS and Bind, Paul Albitz & Cricket Liu

Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

2009-02-02 Thread Carl Byington

On Thu, 29 Jan 2009 22:33:24 -0800, Al Stu wrote:

> Analyze this.



> Query MX dns.com

> Response MX nullmx.domainmanager.com



> Query A nullmx.domainmanager.com

> Response CNAME mta.dewile.net, A 64.40.103.249


So the fact that other random folks make errors in their DNS is surprising,
or do you wish to use the existence of those errors to justify making those
same errors yourself?



Error: isc_lex_gettoken() failed: I/O error

2009-02-02 Thread Todd Snyder
While running a checkzone, one of my users is getting this error:

dns_master_load: /var/named/var/named:1: isc_lex_gettoken() failed: I/O
error
dns_master_load: /var/named/var/named:1: I/O error


Google isn't helping me too much.

We're thinking maybe it's terminal related - a user has had success
using an xterm, but me and others are using SecureCRT and have problems.


Can anyone say what this error actually means?  We're a little stumped
at what's going on.

Thanks!

Todd.




Re: Caching-only Name server does Zone Updates

2009-02-02 Thread Niall O'Reilly
On Mon, 2009-02-02 at 17:25 +0530, Ashish wrote:
> Our DNS is configured as Caching-only Name server.

How do you know?

>  However, it's still
> performing Zone updates like a Slave Name Server.

How many 'zone' sections are in your configuration?

Why not post your configuration file to the list,
so that we can see?

/Niall




Re: Caching-only Name server does Zone Updates

2009-02-02 Thread Matus UHLAR - fantomas
On 02.02.09 17:25, Ashish wrote:
> Our DNS is configured as Caching-only Name server. However, it's still
> performing Zone updates like a Slave Name Server.
> 
> Is it possible that a Caching-only Name server performs Zone updates, if yes
> under what conditions is this possible.

Zone updates work only if the zone is configured on the nameserver.
Do you have any zones configured (other than ".")?
How do you know that it's performing zone updates?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


Caching-only Name server does Zone Updates

2009-02-02 Thread Ashish
Hi Folks,

 

Hope you can guide me in the correct direction.

 

Our DNS is configured as Caching-only Name server. However, it's still
performing Zone updates like a Slave Name Server.

Is it possible that a Caching-only Name server performs Zone updates? If yes,
under what conditions is this possible?

 

Thank you in advance for all your help.

 

Ashish Rao



Re: A newbies Bind question

2009-02-02 Thread Barry Margolin
In article ,
 "Peter Arends"  wrote:

> In addition to these recommendation, you can use MAC filtering to restrict
> users.
> This is of course if you have an iptables based firewall with MAC module.

MAC filtering isn't much use if the clients are remote.  MAC addresses 
don't leave the local LAN.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***