RE: rndc stats - 9.5.0-p2
As you see below the files are dated 15 august, we upgraded our 2 servers in august and 2 in november, could it be first 2 servers have an early version of p2 and things are changed after that time in the stats. Because all the file sizes are different compared to newest servers.

#which named
/usr/local/sbin/named
/data/log/named #ls -la /usr/local/sbin/
total 53894
drwxr-xr-x   2 root other     512 Feb 17 14:52 .
drwxr-xr-x  13 root other     512 Nov 21 14:02 ..
-rwxr-xr-x   1 root other 1199932 Aug 15  2008 dnssec-keygen
-rwxr-xr-x   1 root other 3675504 Aug 15  2008 dnssec-signzone
-rwxr-xr-x   2 root other 5134128 Aug 15  2008 lwresd
-rwxr-xr-x   2 root other 5134128 Aug 15  2008 named
-rwxr-xr-x   1 root other 3816336 Aug 15  2008 named-checkconf
-rwxr-xr-x   1 root other 3624412 Aug 15  2008 named-checkzone
lrwxrwxrwx   1 root other      15 Aug 15  2008 named-compilezone -> named-checkzone
-rwxr-xr-x   1 root other  847676 Aug 15  2008 rndc
-rwxr-xr-x   1 root other 1136800 Aug 15  2008 rndc-confgen
-rwxr-xr-x   1 root other 2917848 Feb 17 14:52 rndcnew01

-----Original Message-----
From: Jeremy C. Reed [mailto:jeremy_r...@isc.org]
Sent: Tuesday, February 17, 2009 4:03 PM
To: Cihan Subasi (Garanti Teknoloji)
Cc: bind-users@lists.isc.org
Subject: RE: rndc stats - 9.5.0-p2

Make sure you are really talking to the correct named. Maybe you have a rndc.conf file.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange results from dnssec-dsfromkey
I wrote:

> I don't understand the results I am getting from dnssec-dsfromkey (BIND 9.6.0-P1, Solaris 10_x86, Sun Studio 10 C compiler).
> [...]
> Does dnssec-dsfromkey behave properly for others?

and Mark Andrews wrote:

> Looks like a silly bug that will be simple to fix.

This is just a follow-up to say that ISC have kindly provided me with a fix that works:

2559.   [bug]   dnssec-dsfromkey could compute bad DS records when reading from a K* files. [RT #19357]

which will presumably be in the next 9.6.x version.

--
Chris Thompson
Email: c...@cam.ac.uk
RE: Catch ALL Setup
-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sven Eschenberg
Sent: Tuesday, February 17, 2009 11:28 PM
To: bind-users@lists.isc.org
Subject: Catch ALL Setup

Dear list,

I tried googling about a Catch-All setup for a DNS, with little success. I tried messing around with some zone/hint files in an isolated setup, but without any success.

What I am trying to achieve is the following: No matter which host/name is looked up, the DNS should spit out the same IP address. The intention is to bring the users to a specific webserver/webpage, no matter what web page they intend to surf to, for the easiness of setting up their connection.

The basic idea is, unauthenticated clients will be put in an isolated network, users then pop up their web browser, will land on a specific webpage with instructions on which steps they need to take, to get proper access.

I tried to create a * zone, which seems to be ignored by bind, or rather bind doesn't like the contents of the zone file.

I'd appreciate any pointer to some information, how I can tweak bind to do such a thing.

With best regards

-Sven

Sven -

Use the same/normal domain.com zone file, but make an A record like this:

*.wildcard.com. IN A 192.149.109.1

(replace above with your stuff, then xxx.wildcard.com should work for any request).

Cheers,
jamie
Re: Bind Patch for Solaris 10
Hi,

probably http://bugs.opensolaris.org/view_bug.do?bug_id=6799867 with comment:

-
The description shows that the '-t chrootdir' option has been used. The error reported by named indicate the error. BIND 9.3.6 now uses poll(7d) and therefore the chroot environment needs to be modified to include the poll device.
-

So you did the correct thing.

Best regards,
Milan

On Wed, 18 Feb 2009 at 04:34, Ray Van Dolson wrote:

> On Thu, Feb 12, 2009 at 04:01:56AM -0800, Worrell, James J Mr CIV US DISA GS4T1 wrote:
> > Thanks Ray! Any information would be greatly appreciated.
>
> Applied the patch but ran into one gotcha. The server wasn't starting up properly after applying the patch. I tried running the binary in the foreground and turns out it was complaining about not being able to find /dev/poll in the chroot environment.
>
> I ran:
>
> # cd /var/named/dev
> # mknod poll c 138 0
> # chmod 666 poll
>
> And everything worked fine. I'm not sure if Sun built things differently or there is a new requirement on this /dev/poll file. Regardless all seems to be working OK now.
>
> Ray
>
> > -----Original Message-----
> > From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ray Van Dolson
> > Sent: Wednesday, February 11, 2009 14:35
> > To: bind-users@lists.isc.org
> > Subject: Re: Bind Patch for Solaris 10
> >
> > On Wed, Feb 11, 2009 at 12:30:19PM -0800, Worrell, James J Mr CIV US DISA GS4T1 wrote:
> > > Greeting!
> > >
> > > I am trying to load bind patch 119783-10 on a Solaris 10 system running DNS 9.35-p2 and ran into several problems. I suspect that the root cause is due to the security posture that we have in place that prevents a compiler from being loaded on the systems. Has anyone loaded this patch to a system without a compiler and if so did you experience any issues.
> >
> > Hmm, don't understand why a compiler would be necessary? I'll be trying this patch shortly on several Solaris 10 systems, so will let you know.
> >
> > Ray
RE: rndc stats - 9.5.0-p2
On Wed, 18 Feb 2009, Cihan Subasi (Garanti Teknoloji) wrote:

> As you see below the files are dated 15 august, we upgraded our 2 servers in august and 2 in november, could it be first 2 servers have an early version of p2 and things are changed after that time in the stats. Because all the file sizes are different compared to newest servers.

ISC did not release two different versions with identical filename nor version numbering.

Again make sure you are really talking to the correct named. Maybe you have a rndc.conf file.
Re: Basic DNS Server Setup
On Tue, 17 Feb 2009, atbigelow wrote:

> After entering input mode for nslookup:
> mydomain.com
>
> Says it can't find mydomain.com: REFUSED. Looking into /var/log/syslog I find numerous SERVFAIL and REFUSED RCODEs.

And what did named log about attempting to load that zone? Maybe your named is run in a chroot environment and can't even read your /etc/bind/zones/ ??

> I ran named-checkzone mydomain.com /etc/bind/zones/mydomain.com.zone and it says everything is OK, as did named-checkconf.

That does not look correct. In your named.conf.local output you showed that the origin is 202.201.200.in-addr.arpa for the /etc/bind/zones/mydomain.com.zone file.

(I assume you made up fake names for your email -- misleading makes it harder to troubleshoot and encourages many to not even attempt to assist.)
RE: rndc stats - 9.5.0-p2
I checked and there isn't any rndc.conf...

/var/named #
/var/named #find / -name rndc.conf
/var/named #
/var/named #
/var/named #

And which named points to /usr/local/sbin/named (there isn't any other named either) and rndc stats dumps stats as follows

4:00pm up 435 day(s), 3:14, 0 users, load average: 0.01, 0.02, 0.02

+++ Statistics Dump +++ (1234965975)
success 277866617
referral 163684
nxrrset 111597721
nxdomain 17996313
recursion 191169
failure 41001785
--- Statistics Dump --- (1234965975)
~

-----Original Message-----
From: Jeremy C. Reed [mailto:jeremy_r...@isc.org]
Sent: Wednesday, February 18, 2009 3:51 PM
To: Cihan Subasi (Garanti Teknoloji)
Cc: bind-users@lists.isc.org
Subject: RE: rndc stats - 9.5.0-p2

On Wed, 18 Feb 2009, Cihan Subasi (Garanti Teknoloji) wrote:

> As you see below the files are dated 15 august, we upgraded our 2 servers in august and 2 in november, could it be first 2 servers have an early version of p2 and things are changed after that time in the stats. Because all the file sizes are different compared to newest servers.

ISC did not release two different versions with identical filename nor version numbering.

Again make sure you are really talking to the correct named. Maybe you have a rndc.conf file.
RE: rndc stats - 9.5.0-p2
#/usr/local/sbin/named -v
BIND 9.5.0-P2
/var/named #which named
/usr/local/sbin/named
/var/named #which rndc
/usr/local/sbin/rndc
/var/named

-----Original Message-----
From: Jeremy C. Reed [mailto:jeremy_r...@isc.org]
Sent: Wednesday, February 18, 2009 3:51 PM
To: Cihan Subasi (Garanti Teknoloji)
Cc: bind-users@lists.isc.org
Subject: RE: rndc stats - 9.5.0-p2

On Wed, 18 Feb 2009, Cihan Subasi (Garanti Teknoloji) wrote:

> As you see below the files are dated 15 august, we upgraded our 2 servers in august and 2 in november, could it be first 2 servers have an early version of p2 and things are changed after that time in the stats. Because all the file sizes are different compared to newest servers.

ISC did not release two different versions with identical filename nor version numbering.

Again make sure you are really talking to the correct named. Maybe you have a rndc.conf file.
RE: rndc stats - 9.5.0-p2
Maybe you need to fully stop the process and restart it. (Maybe old named is still running even though you replaced the binary.)
Re: Catch ALL Setup
On 02/18/09 05:19, Mark Andrews wrote:

> $ORIGIN .
> @ 0 SOA ...
> @ 0 NS ...
> * 0 A 1.2.3.4

Just be careful of what you wish for, don't come back here saying that your resolver search path is no longer working ;-)

To explain, let's say you use the above in example.com and configure clients with 'search example.com another.com someother.com' in resolv.conf. A resolver looking for 'test', hoping to find it as 'test.another.com' would query the name server for test.example.com first and get back 'test.example.com IN A 1.2.3.4.'.

regards,
Stacey

> In message 499b8e5a.5010...@whgl.uni-frankfurt.de, Sven Eschenberg writes:
> > Dear list,
> >
> > I tried googling about a Catch-All setup for a DNS, with little success. I tried messing around with some zone/hint files in an isolated setup, but without any success.
> >
> > What I am trying to achieve is the following: No matter which host/name is looked up, the DNS should spit out the same IP address. The intention is to bring the users to a specific webserver/webpage, no matter what web page they intend to surf to, for the easiness of setting up their connection.
> >
> > The basic idea is, unauthenticated clients will be put in an isolated network, users then pop up their web browser, will land on a specific webpage with instructions on which steps they need to take, to get proper access.
> >
> > I tried to create a * zone, which seems to be ignored by bind, or rather bind doesn't like the contents of the zone file.
> >
> > I'd appreciate any pointer to some information, how I can tweak bind to do such a thing.
> >
> > With best regards
> >
> > -Sven
Re: Unexpected error question
On 02/05/09 16:04, Cherney John-CJC030 wrote:

> Yes, I normally use svcadm disable dns/server to stop named. Also, I've modified the dns/server stop method from the usual kill: to /usr/sbin/rndc stop. I did that because I want to make sure the cache gets written to the db files, which an rndc stop does. It seems that named is having a problem with one of the files, but I can't tell which one from the first syslog message.

John,

Did you make other SMF changes too? Could you provide output from 'svcprop dns/server'?

As Gregory touches upon below, an 'rndc stop' does attempt to execute the SMF instance's stop method before named exits as that is how named informs SMF that it intentionally exited. The message you see suggests that the privileges to do so have been lost, often associated with the use of chroot users. Instead of using chroot Sun recommends changing the SMF instance property 'start/user' to specify an alternative user and or using zones(5).

FYI we did consider making the default stop method perform an 'rndc stop', however we found on a large DNS server an 'rndc stop' could take a long time and thus be problematic when trying to shut down the server. That and 'rndc stop' does eventually invoke the instance's stop method!

Stacey Marshall
Sun Microsystems Ltd.

> jwc
>
> -----Original Message-----
> From: Gregory Hicks [mailto:ghi...@hicks-net.net]
> Sent: Thursday, February 05, 2009 10:56 AM
> To: bind-us...@isc.org; Cherney John-CJC030
> Cc: mark_andr...@isc.org
> Subject: RE: Unexpected error question
>
> > Subject: RE: Unexpected error question
> > Date: Thu, 5 Feb 2009 09:51:05 -0500
> > From: Cherney John-CJC030 john.cher...@motorola.com
> > To: bind-us...@isc.org
> >
> > I see. I was assuming that the second line was caused by the first line, and that if I could get more info on the first line, I could take care of both of them. I have a named user that the named process is run as. However, I see these errors even when I use rndc stop as root.
> >
> > Is there any resource that recommends what permissions need to be on specific SMF files for DNS? (or in general). Or is this even a permissioning issue with SMF files?
>
> The problem comes from the idea that SMF wants to be the 'controller'. When the program in question (named in the case) receives a 'stop' command from rndc, SMF doesn't know WHY the program stopped, just that it DID stop. Thus the error.
>
> A better way to stop named might be svcadm named disable (I think that's the right syntax but could be wrong. I am NOT an SMF expert...) That should avoid the error message.
>
> There was some discussion on the smf-disc...@opensolaris.org list last month on how to avoid error messages when you don't care if the underlying service stops all by itself.
>
> Regards,
> Gregory Hicks
>
> > Thanks!
> > jwc
> >
> > -----Original Message-----
> > From: mark_andr...@isc.org [mailto:mark_andr...@isc.org]
> > Sent: Thursday, February 05, 2009 1:18 AM
> > Cc: Cherney John-CJC030; bind-us...@isc.org
> > Subject: Re: Unexpected error question
> >
> > In message 200902050609.n1569ktg082...@drugs.dv.isc.org, Mark Andrews writes:
> > In message f021020da23b6641a05e616d5ead146304597...@de01exm60.ds.mot.com, Cherney John-CJC030 writes:
> > > I'm seeing the following lines in syslog, which occur when I shut down named:
> > >
> > > general: error: ./main.c:858: unexpected error:
> > > general: error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action
> > >
> > > I'm running 9.3.5-P1 on Solaris 10 x86
> > >
> > > I took a quick look at the source code and it looks like there should be a file and/or filenumber as part of the unexpected error line. I've noticed the same two lines when I issue an rndc stop. The named process does stop, but I'm worried that there may be data in the cache that isn't getting written to the db files. Nothing jumped out at me from my google search. It seems like I have a file permissions issue, but I haven't recently changed any file permissions.
> > >
> > > I don't see any unusual messages on startup.
> > >
> > > Can someone point me the right direction for this? Is there any other information I should/could provide?
> > >
> > > Thanks!
> > > jwc
> >
> > SMF is Sun's management facility. The code in question was submitted by Sun. I would be looking at how you have SMF set up in particular how to give the user named is running under permission to disable itself.
> >
> > See also http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris as mentioned in the FAQ.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

--
Mark Andrews,
Re: Basic DNS Server Setup
On 18 Feb, 07:07, Jeremy C. Reed jeremy_r...@isc.org wrote:

> On Tue, 17 Feb 2009, atbigelow wrote:
> > After entering input mode for nslookup:
> > mydomain.com
> >
> > Says it can't find mydomain.com: REFUSED. Looking into /var/log/syslog I find numerous SERVFAIL and REFUSED RCODEs.
>
> And what did named log about attempting to load that zone? Maybe your named is run in a chroot environment and can't even read your /etc/bind/zones/ ??
>
> > I ran named-checkzone mydomain.com /etc/bind/zones/mydomain.com.zone and it says everything is OK, as did named-checkconf.
>
> That does not look correct. In your named.conf.local output you showed that the origin is 202.201.200.in-addr.arpa for the /etc/bind/zones/mydomain.com.zone file.
>
> (I assume you made up fake names for your email -- misleading makes it harder to troubleshoot and encourages many to not even attempt to assist.)

I actually just got it working. I forgot a single letter off my domain name in the named.conf file which ruined the whole thing. Had I actually posted the domain name here, I would have caught it sooner. Lesson learned, I guess!

Thanks a lot, Jeremy.
query an external nameserver doubt
Hi all,

Is it possible to send a query to an external nameserver that can be a CNAME for a record located in other nameserver zone where we are authoritative?

Thanks in advance.

Best Regards,
--
Nuno Ribeiro
Re: Catch ALL Setup
In message 1234976434.12081.26.ca...@d410-heron, Niall O'Reilly writes:

> On Wed, 2009-02-18 at 16:19 +1100, Mark Andrews wrote:
> > $ORIGIN .
> > @ 0 SOA ...
> > @ 0 NS ...
> > * 0 A 1.2.3.4
>
> That may be too minimal. I found I needed a few couple of extra wildcard records.
>
> $ORIGIN .
> @               IN SOA . bit-bucket.ucd.ie. (
>                         2009021302 ; serial
>                         14400      ; Refresh - 4 hours
>                         7200       ; Retry - 2 hours
>                         1209600    ; Expire - 14 days
>                         1800 )     ; Neg. Caching - 30 minutes
> ;
> @               IN NS captive.ucd.ie.
> ;
> ; Over-ride wildcard for captive.ucd.ie
> captive.ucd.ie. IN TXT Unaddressable
> ;
> ; Target for all name resolution
> netreg.ucd.ie.  IN A 137.43.116.32
> ;
> ; Wildcard alias
> *               IN CNAME netreg.ucd.ie.
> ;
> ; Wildcards otherwise masked by empty non-terminals
> *.ie.           IN CNAME netreg.ucd.ie.
> *.ucd.ie.       IN CNAME netreg.ucd.ie.
>
> /Niall

Well if you want to go to such a complicated setup then yes you need to add the extra wildcards. You also need to add additional address records which you are missing for ie and ucd.ie.

The OP said that *everything* had to resolve to the one address. Everything includes the nameserver. The only thing that doesn't resolve is the root and I think one can get by without that resolving to an address.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
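Added example, not part of the original thread and not BIND's code: a simplified RFC 4592 wildcard lookup run against the two zones quoted above, showing why a lone root wildcard answers for every name while a zone that also holds names under ucd.ie needs the extra wildcards and still returns no address for ie and ucd.ie. The function names and the "..." NS rdata are assumptions; the sketch handles one zone rooted at "." and ignores delegations, DNAME and DNSSEC.

```python
# Added illustration, not from the thread: simplified RFC 4592 wildcard lookup
# in one zone rooted at "." (no delegations, DNAME or DNSSEC).

def name(text):
    """'foo.ucd.ie.' -> ('foo', 'ucd', 'ie'); '.' -> () for the root."""
    return tuple(l for l in text.lower().rstrip(".").split(".") if l)

def build(records):
    """Index (owner, type, rdata) triples by owner name. Every ancestor of an
    owner is created too, so empty non-terminals exist as nodes with no data."""
    zone = {(): {}}
    for owner, rrtype, rdata in records:
        labels = name(owner)
        for i in range(len(labels)):
            zone.setdefault(labels[i:], {})
        zone[labels][rrtype] = rdata
    return zone

def lookup(zone, qname, qtype="A", hops=0):
    """Return the rdata, 'NODATA' or 'NXDOMAIN' for qname/qtype."""
    q = name(qname)
    node = zone.get(q)
    if node is None:
        # Closest encloser = longest ancestor that exists in the zone; only
        # the wildcard directly below it may synthesize an answer.
        for i in range(1, len(q) + 1):
            if q[i:] in zone:
                node = zone.get(("*",) + q[i:])
                break
        if node is None:
            return "NXDOMAIN"
    if qtype in node:
        return node[qtype]
    if "CNAME" in node and hops < 8:          # follow the alias inside the zone
        return lookup(zone, node["CNAME"], qtype, hops + 1)
    return "NODATA"                           # name exists, no data of this type

# Mark's minimal zone (NS rdata is elided in the thread, placeholder here).
MINIMAL = build([(".", "NS", "..."), ("*", "A", "1.2.3.4")])

# Niall's zone, split so the effect of the two extra wildcards is visible.
BASE = [(".", "NS", "captive.ucd.ie."),
        ("captive.ucd.ie.", "TXT", "Unaddressable"),
        ("netreg.ucd.ie.", "A", "137.43.116.32"),
        ("*", "CNAME", "netreg.ucd.ie.")]
EXTRA = [("*.ie.", "CNAME", "netreg.ucd.ie."),
         ("*.ucd.ie.", "CNAME", "netreg.ucd.ie.")]
WITHOUT_EXTRA = build(BASE)
NIALL = build(BASE + EXTRA)

if __name__ == "__main__":
    for q in ("www.example.com", "foo.ucd.ie", "foo.ie", "ucd.ie", "captive.ucd.ie"):
        print(q, lookup(MINIMAL, q), lookup(WITHOUT_EXTRA, q), lookup(NIALL, q))
```

The NODATA results for ie, ucd.ie and captive.ucd.ie correspond to the address records Mark says are still missing if every name, including the nameserver, must resolve.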
Re: query an external nameserver doubt
In article gnhic8$o9...@sf1.isc.org, Nuno Ribeiro nribeir...@gmail.com wrote:

> Is it possible to send a query to an external nameserver that can be a CNAME for a record located in other nameserver zone where we are authoritative?

It's hard to parse this. Could you give an example of what you're asking about?

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***