BIND - out of memory
Hi,

I am running ResPerf from Nominum against BIND 9.6.1b1, and I get a lot of:

--cut--
24-Mar-2009 08:51:30.495 database: adb: fetch of 'ns2.state.oh.us' A failed: out of memory
24-Mar-2009 08:51:30.630 database: adb: fetch of 'gz-dns.cncnet.net' A failed: out of memory
24-Mar-2009 08:51:30.657 query-errors: fetch completed at resolver.c:2908 for 129.83.61.195.in-addr.arpa/PTR in 22.401385: out of memory/success [domain:61.195.in-addr.arpa,referral:2,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
24-Mar-2009 08:51:30.672 query-errors: fetch completed at resolver.c:2908 for 211.121.239.211.in-addr.arpa/PTR in 18.586241: out of memory/success [domain:239.211.in-addr.arpa,referral:2,restart:1,qrysent:1,timeout:1,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
24-Mar-2009 08:51:30.684 database: adb: fetch of 'iit.rit.ac.th' A failed: out of memory
24-Mar-2009 08:51:30.685 database: adb: fetch of 'ritk6.rit.ac.th' A failed: out of memory
24-Mar-2009 08:51:30.708 query-errors: fetch completed at resolver.c:2908 for 118.95.219.66.in-addr.arpa/PTR in 31.293651: out of memory/success [domain:95.219.66.in-addr.arpa,referral:1,restart:3,qrysent:0,timeout:1,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
24-Mar-2009 08:51:30.714 query-errors: fetch completed at resolver.c:2908 for 30.126.138.63.in-addr.arpa/PTR in 28.681399: out of memory/success [domain:138.63.in-addr.arpa,referral:1,restart:3,qrysent:0,timeout:1,lame:0,neterr:0,badresp:0,adberr:6,findfail:0,valfail:0]
24-Mar-2009 08:51:30.715 query-errors: fetch completed at resolver.c:2908 for 161.112.185.194.in-addr.arpa/PTR in 18.591808: out of memory/success [domain:185.194.in-addr.arpa,referral:1,restart:1,qrysent:1,timeout:1,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
24-Mar-2009 08:51:30.739 query-errors: fetch completed at resolver.c:2908 for ppp85-141-184-239.pppoe.mtu-net.ru/A in 14.649606: out of memory/success [domain:mtu-net.ru,referral:1,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:1,findfail:0,valfail:0]
24-Mar-2009 08:51:30.812 database: adb: fetch of 'tirant.gva.es' A failed: out of memory
24-Mar-2009 08:51:30.814 database: adb: fetch of 'ns1.pldi.net' A failed: out of memory
24-Mar-2009 08:51:30.898 database: adb: fetch of 'ns1.corporatecolo.com' A failed: out of memory
24-Mar-2009 08:51:30.899 database: adb: fetch of 'ns1.gratisdns.dk' A failed: out of memory
--cut--

What does "database: adb: .. out of memory" mean?
What does "query-errors: fetch completed at ... out of memory/success" mean?

Solaris 10 on a Sun T5140 with 6 cores/96 threads and 16GB of memory:

SunOS xxx.xxx.xx 5.10 Generic_13-01 sun4v sparc SUNW,T5140 Solaris

The named process takes only 170MB:

Memory: 16G phys mem, 11G free mem, 4104M total swap, 4104M free swap
19563 named 99 590 171M 169M sleep 1:35 0.00% named

BIND 9.4.3 on the same server (running at the same time as testing 9.6.1b1):

10186 named 99 540 2990M 2989M cpu/66 5438.0 3.84% named

I tried:

datasize unlimited;
stacksize unlimited;
max-cache-size unlimited;

But it had no effect, I still get just as many out of memory lines when running ResPerf.

resperf -d queryfile-example-3million -e -s <IP address> -m 1

plimit reports (on the named process):

resource              current    maximum
  time(seconds)       unlimited  unlimited
  file(blocks)        unlimited  unlimited
  data(kbytes)        unlimited  unlimited
  stack(kbytes)       unlimited  unlimited
  coredump(blocks)    unlimited  unlimited
  nofiles(descriptors) unlimited unlimited
  vmemory(kbytes)     unlimited  unlimited

Any hints on what these out of memory messages mean would be appreciated.

Thanks
Jan Arild Lindstrom

___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Servers loading zones with lower serials
Good day,

I saw some strange behaviour from BIND and am trying to understand it.

In one of the labs, someone mucked up a DNS change and made the serial lower than the previous version. Some of the nameservers complained:

Mar 23 15:07:24 ns1001 named[5913]: zone 5.1.10.in-addr.arpa/IN: serial number (2008030900) received from master 10.1.1.1#53 < ours (2008062600)

But some others just went ahead and loaded the zone anyways.

One of the servers that loaded the zone was BIND 9.2.4. One of the ones that rejected it was 9.4.2-P2.

I've done some searching but can't find anything that jumps out at me to explain this behaviour. Am I misunderstanding the serials?

Thanks,
Todd.
Strange DNS Behaviour
Hi,

Could someone kindly explain what is happening? I don't have domain name kemira.kemira.com anywhere in my primary database (and all secondaries, too).

kemira.com = 137.33.1.2

I have doublechecked the master database and secondaries. I have restarted both of them, but nothing seems to help.

In funet.fi (master for fi-domain) when I start named and query kemira.kemira.com for the first time, it looks like this:

==
datagram from 130.230.1.1 port 1536, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1536) id=1 Local
datagram from 130.230.1.1 port 1537, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1537) id=2 Local
datagram from 130.230.1.1 port 1538, fd 7, len 35
req: nlookup(kemira.kemira.com) id 3 type=1
req: found 'kemira.kemira.com' as 'com' (cname=0)
findns: using cache
findns: 7 NS's added for ''
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS NS.NIC.DDN.MIL c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS AOS.BRL.MIL c1 t2 (x0)
nslookup: 4 ns addrs
nslookup: NS KAVA.NISC.SRI.COM c1 t2 (x0)
nslookup: 5 ns addrs
nslookup: NS C.NYSER.NET c1 t2 (x0)
nslookup: 6 ns addrs
nslookup: NS TERP.UMD.EDU c1 t2 (x0)
nslookup: 7 ns addrs
nslookup: NS NS.NASA.GOV c1 t2 (x0)
nslookup: 9 ns addrs
nslookup: NS NIC.NORDU.NET c1 t2 (x0)
nslookup: 10 ns addrs total
forw: forw -> 192.33.4.12 7 (53) nsid=5 id=3 0ms retry 4 sec

and a bit later:

datagram from 192.33.4.12 port 53, fd 7, len 186
USER response nsid=5 id=3
stime 712944912/687743 now 712944912/887742 rtt 199
NS #0 addr 192.33.4.12 used, rtt 199
NS #1 128.63.4.82 rtt now 0
NS #2 26.3.0.29 rtt now 0
NS #3 192.5.25.82 rtt now 0
NS #4 192.33.33.24 rtt now 0
NS #5 128.8.10.90 rtt now 0
NS #6 192.52.195.10 rtt now 0
NS #7 128.102.16.10 rtt now 0
NS #8 192.36.148.17 rtt now 0
NS #9 192.112.36.4 rtt now 401
resp: ancount 1, aucount 3, arcount 3
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
db_update(kemira.kemira.com, 0x554b8, 0x554b8, 031, 0x44ca0)
db_update: adding 554b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x55580, 0x55580, 031, 0x44ca0)
db_update: adding 55580
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555b8, 0x555b8, 031, 0x44ca0)
db_update: adding 555b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555f0, 0x555f0, 031, 0x44ca0)
db_update: adding 555f0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
db_update(KEMIRA.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: new ttl 713117712, +172800
update failed (DATAEXISTS)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
db_update(HYDRA.HELSINKI.FI, 0x55630, 0x55630, 031, 0x44ca0)
192.33.4.12 attempted update to auth zone 1 'fi'
update failed (-10)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HKIUX9.FIN.KEMIRA.COM type 1 class 1 ttl 172800
db_update(HKIUX9.FIN.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: adding 55630
resp: got as much answer as there is
send_msg -> 130.230.1.1 (UDP 9 1538) id=3
datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
req: found 'kemira.kemira.com' as 'kemira.kemira.com' (cname=0)
finddata: added 0 class 1 type 15 RRs
findns: 3 NS's added for 'kemira'
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS KEMIRA.KEMIRA.COM c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS HYDRA.HELSINKI.FI c1 t2 (x0)
nslookup: 2 ns addrs
nslookup: NS HKIUX9.FIN.KEMIRA.COM c1 t2 (x0)
nslookup: 3 ns addrs
nslookup: 3 ns addrs total
forw: forw -> 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec
datagram from 137.33.1.2 port 53, fd 7, len 92
USER response nsid=7 id=4
stime 712944912/917744 now 712944912/967742 rtt 49
NS #0 addr 137.33.1.2 used, rtt 49
NS #1 128.214.4.29 rtt now 0
NS #2 137.33.1.9 rtt now 0
resp: ancount 0, aucount 1, arcount 0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.com type 6 class 1 ttl 3600
db_update(kemira.com, 0x556f8, 0x556f8, 031, 0x44ca0)
db_update: adding 556f8
resp: leaving auth NO
send_msg -> 130.230.1.1 (UDP 9 1539) id=4
==

Kindly advise!

Many Thanks,
Ashish
Re: Strange DNS Behaviour
funet.fi    nameserver = ns.funet.fi
funet.fi    nameserver = ns-secondary.funet.fi

kemira.com
Server:  rockyd.rockefeller.edu
Address:  129.85.1.24

Non-authoritative answer:
kemira.com  nameserver = ns1.capgemini.fi
kemira.com  nameserver = ns2.capgemini.fi

Internet DNS thinks those domain names are under the authority of the name servers listed above. What are you trying to accomplish?

Eric

Ashish wrote:
> Hi,
>
> Could someone kindly explain what is happening? I don't have domain name kemira.kemira.com anywhere in my primary database (and all secondaries, too).
>
> kemira.com = 137.33.1.2
>
> I have doublechecked the master database and secondaries. I have restarted both of them, but nothing seems to help.
Re: named-checkconf error
On 12/8/2008 11:00 AM, Chris Thompson wrote:
> In message <493b2b5d.40...@shockley.net>, Steve Shockley wrote:
>> I'm running BIND 9.4.2 on OpenBSD 4.3. I'm getting some errors with named-checkconf I don't really understand. I'm running:
>>
>> named-checkzone -t /var/named capmarksecurities.com /master/db.capmarksecurities.com
>>
>> and I get:
>>
>> zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com) failed: non-recoverable failure in name resolution
>> [etc.]
>>
>> This appears to happen with all zones with MX records that are in a different zone. The zone loads and seems to work as expected. What's going wrong?
>
> Something is wrong with the configuration of the host on which you ran named-checkzone. Either its resolver configuration is screwed, or getaddrinfo() isn't getting as far as using the resolver. Can you do host address lookups at all there?
>
> You can suppress the check by using "-i local" on named-checkzone (see the man page). But it would be better to fix the configuration problem, of course.

For the archives, this error turned out to be because BIND is chrooted, and there was no hosts or resolv.conf in /var/named/etc. I copied those two files from /etc to /var/named/etc and the output came up with no errors.
Re: Server names for query
Casey Deccio wrote:
> RFC 1035 [1] (page 44) describes the use of a list of server names (SLIST) to query for a particular name. It is unclear to me from the RFC as to whether the server is selected by address or by name. In other words, all history (e.g., batting average and response time) being equal, if a name resolves to two IP addresses, is it twice as likely to be used in resolution for a name as that which resolves to only one, both according to the RFC, and as implemented in BIND?
>
> Example:
>
> example.com.       3600 IN NS ns1.example.com.
> example.com.       3600 IN NS ns2.example.com.
> ns1.example.com.   3600 IN A  10.0.0.1
> ns1.example.com.   3600 IN A  10.0.0.2
> ns2.example.com.   3600 IN A  10.0.0.3

On 23.03.09 17:20, Kevin Darcy wrote:
> For the *initial* NS query, I believe BIND will resolve those names down to a flat set of addresses, all of which have equal chance of being tried, so, yes, if a given NS name resolves to more addresses than other names, it is more likely to be tried on the initial NS query.

Btw, how does BIND send notifies? Does it send them to _any_ of those IP addresses? Some RFCs in the past iirc assumed that one name with multiple IPs is one multihomed host, which could lead to the assumption that it's enough to query one of those IPs. I believe it's not true.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Strange DNS Behaviour
In message <00a901c9ac92$9dc4e8a0$f9281...@wipro74039c7ca>, Ashish writes:
> Hi,
>
> Could someone kindly explain what is happening?

You have a DNS client that is using a pre-RFC 1535 search algorithm that is looking up kemira.kemira.com.

Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993

              A Security Problem and Proposed Correction
                  With Widely Deployed DNS Software

You are also using BIND 4 or BIND 8 as a nameserver. You should upgrade the nameserver.

Mark

> I don't have domain name kemira.kemira.com anywhere in my primary database (and all secondaries, too).
>
> kemira.com = 137.33.1.2
>
> I have doublechecked the master database and secondaries. I have restarted both of them, but nothing seems to help.
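To make Mark's point concrete, here is an added illustration (not code from the thread or from BIND) of how a search list turns a typed name into the sequence of names a stub resolver actually asks for: the pre-RFC 1535 style that appends the local domain and every ancestor of it before trying the name as typed, beside the RFC 1535 behaviour of an explicit search list and an ndots threshold. The local domain, ndots value and names are assumed for the demonstration, and the model is simplified.

```shell
#!/bin/sh
# Added illustration: candidate names a stub resolver generates for a lookup.
# Not code from BIND or from this thread; a simplified model of the two
# algorithms RFC 1535 contrasts.  Domain names below are assumed.

# Print every ancestor of a local domain name, longest first, stopping
# before the root: "cs.example.edu" -> cs.example.edu example.edu edu
ancestors() {
    d=$1
    while [ -n "$d" ]; do
        printf '%s\n' "$d"
        case $d in
            *.*) d=${d#*.} ;;
            *)   d= ;;
        esac
    done
}

# Pre-RFC 1535 style: append the local domain and each of its ancestors
# (down to the TLD) before ever trying the name as typed.  A lookup of
# "kemira.com" from a host under "funet.fi" therefore first asks for
# "kemira.com.funet.fi", then "kemira.com.fi", and only then "kemira.com".
# Whoever controls a name under one of those suffixes answers first.
candidates_implicit() {
    name=$1 local_domain=$2
    for suffix in $(ancestors "$local_domain"); do
        printf '%s.%s\n' "$name" "$suffix"
    done
    printf '%s\n' "$name"
}

# RFC 1535 style: only an explicit search list is appended, and a name
# with at least $ndots dots is tried as an absolute name first.
candidates_rfc1535() {
    name=$1 ndots=$2
    shift 2                        # remaining args: explicit search list
    dots=$(( $(printf '%s' "$name" | tr -cd '.' | wc -c) ))
    if [ "$dots" -ge "$ndots" ]; then
        printf '%s\n' "$name"
        for suffix in "$@"; do printf '%s.%s\n' "$name" "$suffix"; done
    else
        for suffix in "$@"; do printf '%s.%s\n' "$name" "$suffix"; done
        printf '%s\n' "$name"
    fi
}

# Space-joined forms of the two candidate lists, convenient for comparison.
joined_implicit() { candidates_implicit "$@" | tr '\n' ' ' | sed 's/ $//'; }
joined_rfc1535()  { candidates_rfc1535  "$@" | tr '\n' ' ' | sed 's/ $//'; }

if [ "${1:-}" = demo ]; then
    echo "implicit search from a host under funet.fi:"
    candidates_implicit kemira.com funet.fi
    echo "RFC 1535, ndots=1, search list 'funet.fi':"
    candidates_rfc1535 kemira.com 1 funet.fi
fi
```

Run with the argument `demo` to print both orderings for kemira.com.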
Make changes en masse
Greetings:

According to http://thednsreport.com, the expire time for my zones is too short (recommended 2-4 weeks) and my SOA record is not good. Is there a tool that I can use to make changes to all my zones in one swoop?

Thanks,

Solaris/Bind 9.2.2. (yes, it is ancient)

-- 
Best Regards,
John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016
Re: Make changes en masse
Hello,

Some folks prefer to script something. Some may find this tool helpful: http://www.laffeycomputer.com/rpl.html

I'm sure there are other ways.

HTH

----- Original Message -----
From: John D. Vo <j...@eagle.net>
To: bind-users@lists.isc.org
Sent: Tuesday, March 24, 2009 1:03:22 PM
Subject: Make changes en masse

> According to http://thednsreport.com, the expire time for my zones is too short (recommended 2-4 weeks) and my SOA record is not good. Is there a tool that I can use to make changes to all my zones in one swoop?
RE: Make changes en masse
Be very careful (test, test, test) before using in production, but something like:

for file in *.db
do
    sed -i-03242009 's/1200/2419200/g' "$file"
done

should work. I'm making a couple of assumptions:

1) all of your zone database files end in .db
2) the -i flag is supported in Solaris sed (I don't know)
3) you want to make backup files with today's date appended
4) the integer representing seconds to expire (1200 in the example) only appears once in each zone file (grep to be sure).

Hope this helps.

Dale Lakes
Antares Management Solutions

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Tuesday, March 24, 2009 1:03 PM
To: bind-users@lists.isc.org
Subject: Make changes en masse

> According to http://thednsreport.com, the expire time for my zones is too short (recommended 2-4 weeks) and my SOA record is not good. Is there a tool that I can use to make changes to all my zones in one swoop?
Re: Make changes en masse [done]
I used WinSCP and just selected a bunch of files, used the edit command, and copy/pasted the 'good' settings into the zone files.

-Thanks.
-John

John D. Vo wrote:
> According to http://thednsreport.com, the expire time for my zones is too short (recommended 2-4 weeks) and my SOA record is not good. Is there a tool that I can use to make changes to all my zones in one swoop?
Re: Make changes en masse [done]
John D. Vo wrote:
> Thanks Jeff. I prefer your way better, more eloquent than the brute force method I did.

To this point, nobody has updated the serial.

AlanC
RE: Make changes en masse [done]
Good point. The serial number should be updated since the zone file is being updated. The sed command could be used to do that as well.

for zonefile in *.com
do
    sed -e 's/604800/709600/' -e 's/200[0-9][0-1][0-9][0-9][0-9][0-9][0-9]/2009032401/' "$zonefile" > "${zonefile}.new"
    mv "$zonefile" "${zonefile}.old"
    mv "${zonefile}.new" "$zonefile"
done

The above does the same expiration value replacement as earlier and also changes the serial number to the current day (2009032401 as of this writing). This substitution is based on the preferred serial number syntax of:

CCYYMMDDsq

where sq is a sequence number (01 being first). It assumes all the zone files have a current serial number using that syntax in the current decade (2000s) and no sequence number higher than 99. The pattern would have to be adjusted if those assumptions weren't valid.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alan Clegg
Sent: Tuesday, March 24, 2009 4:31 PM
To: bind-users@lists.isc.org
Subject: Re: Make changes en masse [done]

> John D. Vo wrote:
>> Thanks Jeff. I prefer your way better, more eloquent than the brute force method I did.
>
> To this point, nobody has updated the serial.
>
> AlanC
Re: Make changes en masse [done]
It should not be too hard. Since you have such a rock solid format, you can safely assume in your case that the last 2 digits are always ints, always 2 digits long. Just find the string of chars you are interested in, and substring the last two. Now you have a number (int) and you can use a little math to +1 to it. The only area you have to be careful in, depending on the language, is 01 to 09, where the leading zero is going to get lost. You could use a string pad-left function to put a zero in, or in this case, just check the string length; if it is one, concatenate a zero in front.

On Mar 24, 2009, at 1:57 PM, Todd Snyder wrote:
> I am looking for a clever way to do the new serial number. Date will do the first bit no problem (date +%Y%m%d), but I'd love to find a clever way to auto increment the last 2 digits unless it's a new day. Then I could use the same script every time.

-- 
Scott
* If you contact me off list replace talklists@ with scott@ *
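Putting Dale's sed loop and Scott's increment rule together, here is an added example (not code from the thread) that computes the next CCYYMMDDsq serial from the current one and rewrites it in a zone file. It assumes the serial is the first field of a line carrying a "; serial" comment, takes the date as a parameter so the rule can be checked against fixed inputs, and covers two cases the thread only touches implicitly: a serial already ahead of today is incremented rather than moved backwards, and a sequence of 99 is refused rather than silently rolled over.

```shell
#!/bin/sh
# Added example, not code from the thread.  Next-serial rule from Scott's
# description: keep the date prefix and add 1 to the two-digit sequence if
# the serial is from today, otherwise start today's date at 01.

next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}        # date is a parameter for testing
    case $cur in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "next_serial: '$cur' is not a 10-digit serial" >&2; return 1 ;;
    esac
    prefix=${cur%??}                   # CCYYMMDD part
    seq=${cur#????????}                # two-digit sequence
    if [ "$prefix" -lt "$today" ]; then
        printf '%s01\n' "$today"       # first change of a new day
        return 0
    fi
    # prefix is today, or a future date someone already used: keep it and
    # bump the sequence, so the serial never goes backwards.
    if [ "$seq" = 99 ]; then
        echo "next_serial: sequence exhausted for $prefix" >&2
        return 1
    fi
    # Strip the leading zero before doing arithmetic (08 would otherwise be
    # read as a bad octal number); %02d puts it back for 01..09.
    printf '%s%02d\n' "$prefix" $(( ${seq#0} + 1 ))
}

# Rewrite the serial in a zone file whose serial line looks like
#     2009032401 ; serial
# (assumed convention).  The new copy is checked with named-checkzone when
# that tool is installed and only then moved into place; the previous file
# is kept as <file>.old, as in Dale's loop.
bump_zone_serial() {
    zonefile=$1 zonename=$2 today=$3
    cur=$(awk '/; *serial/ { print $1; exit }' "$zonefile")
    [ -n "$cur" ] || { echo "no '; serial' line in $zonefile" >&2; return 1; }
    new=$(next_serial "$cur" "$today") || return 1
    sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" \
        "$zonefile" > "$zonefile.new"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zonename" "$zonefile.new" \
            || { rm -f "$zonefile.new"; return 1; }
    fi
    mv "$zonefile" "$zonefile.old" && mv "$zonefile.new" "$zonefile"
    printf '%s\n' "$new"
}

if [ "${1:-}" = demo ]; then
    next_serial 2009032401 20090324    # same day: 2009032402
    next_serial 2009032301 20090324    # new day:  2009032401
fi
```

The `bump_zone_serial` step is the piece to drop into a loop over zone files; the sed only touches the line that carries the serial, unlike a global replace of a number that might appear elsewhere in the file.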
Re: using bind for blacklist of domains
Quoting Doug McIntyre <mer...@dork.geeks.org>:
> In comp.protocols.dns.bind you write:
>> Has anyone used their internal dns server for blacklisting? I would like to specifically block access to domains that are spreading malware. I was grepping around the internet and fell upon this website http://www.malwaredomains.com/, but don't seem to be able to get my internal name server to like any of the configs I push on it. Thanks for any advice that might be offered.
>
> It should be easy enough to take the list, parse it into config line items pointing to a single zone file that just maps * to 127.0.0.1 or something.
>
> Or you could just use OpenDNS? (Not that I use them, but that's one of the free features they support).

Sounds good and that is what I thought (except for OpenDNS), however I created a zone file named blacklist.host and added an entry into my named.conf file that said

zone "00.devoid.us" {
    type master;
    file "blockeddomains.host";
};

When I restart named I get the following error message in my message logs:

Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no current owner name
Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file blockeddomains.host: no owner

I actually have 8 existing zones on this server and they each have a root server listed in their zone files. Do I need to have a root server in this one?

thanks,
ddh

-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: using bind for blacklist of domains
> @ IN SOA ns.hhs.harrisonburg.k12.va.us
> (
>     2004061000 ; serial number 09032401
>     28800 ; refresh 8 hours
>     7200 ; retry 2 hours
>     864000 ; expire 10 days
>     86400 ) ; min ttl 1 day

SOA is broken two ways. Needs both machine name and contact name. And the ( (open parenthesis) should be on the same line to start the continuation, not on a line by itself.

If you have "no current owner name" on the first line, it could be caused by indenting the $TTL line too.

It seems like you would have seen:

    4: unknown RR type '28800'
Re: using bind for blacklist of domains
dhottin...@harrisonburg.k12.va.us wrote:
> Quoting Kevin Darcy k...@chrysler.com:
>> dhottin...@harrisonburg.k12.va.us wrote:
>>> Quoting Doug McIntyre mer...@dork.geeks.org:
>>>> In comp.protocols.dns.bind you write:
>>>>> Has anyone used their internal dns server for blacklisting? I would like to specifically block access to domains that are spreading malware. I was grepping around the internet and fell upon this website http://www.malwaredomains.com/, but don't seem to be able to get my internal name server to like any of the configs I push on it. thanks for any advice that might be offered.
>>>>
>>>> It should be easy enough to take the list, parse it into config line items pointing to a single zone file that just maps * to 127.0.0.1 or something.
>>>>
>>>> Or you could just use OpenDNS? (Not that I use them, but that's one of the free features they support).
>>>
>>> Sounds good and that is what I thought (except for OpenDNS), however I created a zone file named blacklist.host and added an entry into my named.conf file that said
>>>
>>>     zone 00.devoid.us { type master; file blockeddomains.host; };
>>>
>>> When I restart named I get the following error message in my message logs:
>>>
>>>     Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no current owner name
>>>     Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file blockeddomains.host: no owner
>>>
>>> I actually have 8 existing zones on this server and they each have a root server listed in their zone files. Do I need to have a root server in this one?
>>
>> This isn't an architecture problem, it's a syntax error in the zone file. If you post the contents of the file, up to line 9, we should be able to spot the syntax error and explain to you how to fix it.
>>
>> - Kevin
>
> Contents of blockeddomains.host:
>
>     $TTL 86400 ; one day
>     @ IN SOA ns.hhs.harrisonburg.k12.va.us
>     (
>         2004061000 ; serial number 09032401
>         28800 ; refresh 8 hours
>         7200 ; retry 2 hours
>         864000 ; expire 10 days
>         86400 ) ; min ttl 1 day
>     NS ns1.harrisonburg.k12.va.us.
>     NS ns2.harrisonburg.k12.va.us.
>     A 0.0.0.0
>     * IN A 0.0.0.0

Before the all-numeric fields, your SOA record needs both an MNAME field and an RNAME field. MNAME (which you have) should be the name of the primary master; but if you fully-qualify the name you should dot-terminate it, to avoid the zone origin (00.devoid.us) from being appended. RNAME is a standard SMTP contact email address for the zone, e.g. ad...@harrisonbug.k12.va.us, with the @ in the email address replaced with a dot. As with MNAME, make sure to dot-terminate RNAME too if the domain part of the email address is fully-qualified. Your SOA should have a total of 7 fields; you're only showing 6; RNAME is missing. A syntactically-better SOA might look like

    @ IN SOA ns.hhs.harrisonburg.k12.va.us. admin.harrisonbug.k12.va.us. ( 2004061000 28800 7200 864000 86400 )

Beyond that, I can't really tell because of the way email gets reformatted, but if you have any whitespace before @ or *, that's going to be a problem; the opening parenthesis should also be on the first SOA line.

Last and least, the "min ttl" comment is misleading. The last field of the SOA record is now used as the negative caching TTL, not minimum in any sense of the word. The comment should probably reflect that.

Note that you can use the named-checkzone utility -- included in the BIND distribution -- to check a zone file for syntax errors, without actually trying to get named to load the file.

- Kevin
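Doug's suggestion (one zone statement per listed domain, all pointing at one sinkhole zone file) combined with Kevin's SOA corrections, as an added POSIX sh example that is not from the thread. The server names and contact address are assumed from the zone posted above, the list format (one domain per line, `#` comments) is a constructed one, and `named-checkzone` is only invoked when it is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build the sinkhole zone file and the
# named.conf entries for an internal blocklist. Names below are assumed from
# the zone posted in the thread; the list format is a constructed one.
ZONEFILE=blockeddomains.host

# write_blocklist_zone PATH: write a zone file that named-checkzone accepts.
# The SOA carries all seven fields: dot-terminated MNAME and RNAME, then
# serial, refresh, retry, expire and the negative-caching TTL. The "(" stays
# on the SOA line and no record owner starts with whitespace.
write_blocklist_zone() {
    cat > "$1" <<'EOF'
$TTL 86400 ; one day
@ IN SOA ns1.harrisonburg.k12.va.us. admin.harrisonburg.k12.va.us. (
        2009032401 ; serial number, YYYYMMDDnn
        28800      ; refresh, 8 hours
        7200       ; retry, 2 hours
        864000     ; expire, 10 days
        86400 )    ; negative caching TTL, 1 day (not a "minimum")
@ IN NS ns1.harrisonburg.k12.va.us.
@ IN NS ns2.harrisonburg.k12.va.us.
@ IN A  0.0.0.0
* IN A  0.0.0.0
EOF
}

# gen_block_zones LISTFILE: print one named.conf zone statement per listed
# domain, every one pointing at the single sinkhole zone file. Names are
# lower-cased, a trailing dot is dropped, and anything that is not a
# plausible hostname is skipped with a warning instead of being emitted.
gen_block_zones() {
    tr 'A-Z' 'a-z' < "$1" | sed 's/[[:space:]]*#.*//; s/\.$//; /^[[:space:]]*$/d' |
    while read -r d; do
        case "$d" in
            *[!a-z0-9.-]*|.*|*..*|*-) echo "skipping bad domain: $d" >&2; continue ;;
        esac
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$ZONEFILE"
    done
}

# check_zone ORIGIN FILE: run named-checkzone (shipped with BIND) when it is
# installed, so syntax errors show up before named tries to load the file.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not found; skipping check of $2" >&2
    fi
}
```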
Pseudo-Master Zones
Bind version: 9.6
OS: Gentoo Linux

I am currently setting up an internal DNS server. I have a separate DNS server that is publicly accessible. Both servers have a zone for example.com. How do I set the internal DNS server to forward queries for entries that it does not have for example.com to the public DNS?

An example: server2.example.com exists on both DNS servers. I query the internal server and get the internal address. I query the public DNS and get the public address. That works as it should.

Now let's say server1.example.com exists on the public DNS, but not on the internal DNS. I query the internal DNS for server1.example.com and it doesn't return anything. How can I make it forward that query to the public DNS which does have an entry for server1.example.com?

Thanks for your help.

_
Corey
Re: using bind for blacklist of domains
>> Contents of blockeddomains.host:
>>
>>     $TTL 86400 ; one day
>>     @ IN SOA ns.hhs.harrisonburg.k12.va.us
>>     (
>>         2004061000 ; serial number 09032401
>>         28800 ; refresh 8 hours
>>         7200 ; retry 2 hours
>>         864000 ; expire 10 days
>>         86400 ) ; min ttl 1 day
>>     NS ns1.harrisonburg.k12.va.us.
>>     NS ns2.harrisonburg.k12.va.us.
>>     A 0.0.0.0
>>     * IN A 0.0.0.0
>
> Before the all-numeric fields, your SOA record needs both an MNAME field and an RNAME field. MNAME (which you have) should be the name of the primary master; but if you fully-qualify the name you should dot-terminate it, to avoid the zone origin (00.devoid.us) from being appended. RNAME is a standard SMTP contact email address for the zone, e.g. ad...@harrisonbug.k12.va.us, with the @ in the email address replaced with a dot. As with MNAME, make sure to dot-terminate RNAME too if the domain part of the email address is fully-qualified. Your SOA should have a total of 7 fields; you're only showing 6; RNAME is missing. A syntactically-better SOA might look like
>
>     @ IN SOA ns.hhs.harrisonburg.k12.va.us. admin.harrisonbug.k12.va.us. ( 2004061000 28800 7200 864000 86400 )
>
> Beyond that, I can't really tell because of the way email gets reformatted, but if you have any whitespace before @ or *, that's going to be a problem; the opening parenthesis should also be on the first SOA line.
>
> Last and least, the "min ttl" comment is misleading. The last field of the SOA record is now used as the negative caching TTL, not minimum in any sense of the word. The comment should probably reflect that.
>
> Note that you can use the named-checkzone utility -- included in the BIND distribution -- to check a zone file for syntax errors, without actually trying to get named to load the file.
>
> - Kevin

Thanks, it's been a while since I did a zone file. I knew there was a way to check the file for errors, but couldn't remember it. I appreciate all the help.

take care,
ddh

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

Everything should be made as simple as possible, but not simpler. -- Albert Einstein
The hottest places in Hell are reserved for those who, in times of moral crisis, preserved their neutrality. -- Dante
Re: using bind for blacklist of domains
On Tue, 24 Mar 2009, Kevin Darcy wrote:

> SOA record is now used as the negative caching TTL, not minimum in any sense of the word. The comment should probably reflect that.

off-list now to get BIND's generated outputs to say the same thing :)