Re: named daemon hangs
On Sat, May 02, 2009 at 04:06:18PM +0100, Nelson Vale wrote:
> Hi all,
>
> I've been facing a problem in my private network which I was not able to fix yet.
>
> In my gateway (linux debian alike) I have bind 9.5 installed and running, and I have one IPSec tunnel to another gateway over the internet. It also has configured a forward zone with the name server being the other gateway internal address (accessible through the IPSec tunnel only).
>
> Recently the other IPSec endpoint was shut down and, of course, my queries to the forward domain started failing. Nothing strange here...
>
> The real problem is that I suddenly was not able to resolve any other DNS queries, like www.google.com, from inside my network:
>
>   host www.google.com
>   ;; connection timed out; no servers could be reached
>
> I took a look at the named daemon and I see that it does not respond to anything as long as the IPSec tunnel is down, but only if it's the other endpoint that is down. I've tried stopping my endpoint and this problem does not occur as long as I restart named.
>
> I think this happens because as long as my endpoint is up the routes to the other endpoint are set, and named tries to query the forward domain name server. The problem is that the queries do not timeout and named hangs there:

Please check this:

- https://bugzilla.redhat.com/show_bug.cgi?id=427629
- http://lkml.org/lkml/2007/12/4/260
- http://lkml.org/lkml/2008/4/17/474

  $ echo 1 > /proc/sys/net/core/xfrm_larval_drop

should help you.

Adam

--
Adam Tkac, Red Hat, Inc.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: named daemon hangs
Hi,

Thank you all for your help. This fix surely made the difference :).

  echo 1 > /proc/sys/net/core/xfrm_larval_drop

Nelson Vale

On Mon, May 4, 2009 at 8:18 AM, Adam Tkac at...@redhat.com wrote:
> On Sat, May 02, 2009 at 04:06:18PM +0100, Nelson Vale wrote:
>> [...]
>
> Please check this:
>
> - https://bugzilla.redhat.com/show_bug.cgi?id=427629
> - http://lkml.org/lkml/2007/12/4/260
> - http://lkml.org/lkml/2008/4/17/474
>
>   $ echo 1 > /proc/sys/net/core/xfrm_larval_drop
>
> should help you.
>
> Adam
ISC libbind 6.0
Hello,

It's come to our attention that when libbind 6.0 was released, a little over a month ago, something went wrong with the mail announcing it and it never got outside ISC. My apologies for not noticing the error sooner, and here's the mail again:

ISC libbind 6.0 is now available.

ISC's libbind provides the standard UNIX resolver library, along with header files and documentation. Originally written for BIND 8, it was included in BIND 9 as optionally-compiled code through release 9.5. It has been removed from subsequent releases of BIND 9, and is now provided as a separate package.

ISC libbind 6.0 can be downloaded from

  ftp://ftp.isc.org/isc/libbind/6.0/libbind-6.0.tar.gz

The PGP signature of the distribution is at

  ftp://ftp.isc.org/isc/libbind/6.0/libbind-6.0.tar.gz.asc
  ftp://ftp.isc.org/isc/libbind/6.0/libbind-6.0.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/libbind/6.0/libbind-6.0.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at:

  https://www.isc.org/about/openpgp

Changes since 6.0b1: None.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Postgres v MySQL v Berkeley backend for BIND
I have to bother you all again.

I was asked Friday afternoon about using a database with the new BIND servers. To me it seems using MySQL or PostgreSQL is a bit like hunting rabbits with a howitzer, though Berkeley DB looks like a good fit. I can find patches for all three but no real information on reliability or performance. Performance is not the big deal but reliability and ease of maintenance is.

Anyone here have experience or an informed opinion in using a database backend to BIND?

This is for BIND 9 on a CentOS or Redhat 5 system.

--
Stephen Carville
Re: Postgres v MySQL v Berkeley backend for BIND
I use the DLZ/PG backend and it's rock solid. I use Ant with a few modifications for my front end.

Stephen Carville wrote:
> [...]
> Anyone here have experience or an informed opinion in using a database backend to BIND?
>
> This is for BIND 9 on a CentOS or Redhat 5 system.
Re: Mass update of TTL and serial
Next stage of evolution = Dynamic Update. Never have to futz with bumping serial numbers ever again.

- Kevin

Bradley Giesbrecht wrote:
> You may find named-compilezone useful to get your zone files in a consistent format before performing your mass update.
>
> //Brad
>
> On May 2, 2009, at 3:39 PM, Scott Haneda wrote:
>> A client of mine has thousands of DNS zones that will need a ttl change and a serial bump. I want to set a relevant ttl to 300 for a few days. After that, an IP address change will be made, and I would like to change the TTL back to something sane.
>>
>> The general format of the zone looks something like below. Any suggestions on the best way to go through these? Some will have variations on them, like some have mx records, most do not:
>>
>>   $TTL 1D
>>   @ IN SOA ns2.example.com. dns.example.com. (
>>           2009041300 ; serial, today's date + today's serial #
>>           8H         ; refresh
>>           2H         ; retry
>>           4W         ; expire
>>           1H )       ; minimum
>>   @   IN NS ns2.example.com. ;Primary Nameserver
>>   @   IN NS ns1.example.com. ;Secondary Nameserver
>>   ; http website base
>>   @   IN A 000.122.226.210
>>   www IN A 000.122.226.210
>>
>> Would the refresh be the best value to target in this case?
>>
>> --
>> Scott
>> * If you contact me off list replace talklists@ with scott@ *
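As an added example for the bulk edit Scott describes (this is not code from the list, from ISC or from anyone quoted in the thread), a small Python script that rewrites the $TTL directive and bumps the SOA serial in the YYYYMMDDnn form his zones use. It assumes each zone file starts with a $TTL directive and that the serial is the first bare integer after the SOA's opening parenthesis, which is the layout of the zone Scott posted; running the files through named-compilezone first, as Brad suggests, is what makes that assumption safe across thousands of zones. The same script serves the later change back to a longer TTL, since the serial rule only cares that the number goes up. The sample zone in the block is constructed, with documentation addresses.

```python
"""Bulk-edit the $TTL directive and bump the SOA serial of BIND zone files.

Added example for this thread, not code from the list, from ISC or from
anyone quoted here. Assumption: each zone file has a leading $TTL
directive and an SOA record whose serial is the first bare integer after
the opening parenthesis, in YYYYMMDDnn form, as in the zone Scott posted.
"""
import datetime
import re
import sys

# $TTL directive at the start of a line; group 1 keeps any trailing comment.
TTL_RE = re.compile(r"^\$TTL\s+\S+(.*)$", re.MULTILINE)
# The SOA serial: first run of digits after "SOA ... (". DOTALL lets the
# parenthesis and the serial sit on different lines, as they usually do.
SERIAL_RE = re.compile(r"(\bSOA\b[^(]*\(\s*)(\d+)", re.DOTALL)


def next_serial(old: int, today: str) -> int:
    """Return a YYYYMMDDnn serial strictly greater than old.

    today is 'YYYYMMDD'. A later day restarts the counter at 00; the same
    day increments it. If the old serial is already at or past today's
    value (clock skew, nn already used up, or a zone that never followed
    the date convention), fall back to old + 1: what secondaries care
    about is that the serial increases, not that it looks like a date.
    """
    candidate = int(today) * 100
    return old + 1 if old >= candidate else candidate


def update_zone(text: str, new_ttl: str, today: str) -> str:
    """Rewrite $TTL to new_ttl and bump the SOA serial of one zone file."""
    if TTL_RE.search(text) is None:
        raise ValueError("no $TTL directive found; run named-compilezone first")
    text = TTL_RE.sub(lambda m: f"$TTL {new_ttl}{m.group(1)}", text, count=1)

    m = SERIAL_RE.search(text)
    if m is None:
        raise ValueError("no SOA serial found")
    new = next_serial(int(m.group(2)), today)
    # Splice the new serial in place so every comment and whitespace survives.
    return text[: m.start(2)] + str(new) + text[m.end(2):]


# Constructed sample zone in the layout from the thread (documentation addresses).
SAMPLE_ZONE = """\
$TTL 1D
@ IN SOA ns2.example.com. dns.example.com. (
        2009041300 ; serial, today's date + today's serial #
        8H         ; refresh
        2H         ; retry
        4W         ; expire
        1H )       ; minimum
@   IN NS ns2.example.com. ;Primary Nameserver
@   IN NS ns1.example.com. ;Secondary Nameserver
@   IN A  192.0.2.10
www IN A  192.0.2.10
"""


def main(argv: list) -> int:
    """usage: NEW_TTL ZONEFILE...  (with no files, show the sample zone edited)."""
    if len(argv) < 3:
        print(update_zone(SAMPLE_ZONE, "300", "20090504"))
        return 0
    today = datetime.date.today().strftime("%Y%m%d")
    for path in argv[2:]:
        with open(path) as fh:
            original = fh.read()
        updated = update_zone(original, argv[1], today)
        with open(path + ".bak", "w") as fh:   # keep the pre-edit copy
            fh.write(original)
        with open(path, "w") as fh:
            fh.write(updated)
        print(f"{path}: $TTL -> {argv[1]}, serial bumped")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The serial is spliced in by offset rather than regenerated, so comments, indentation and the rest of the SOA survive untouched; a `.bak` copy is kept beside each edited zone so a bad run can be reverted before the zones are reloaded.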
Re: Postgres v MySQL v Berkeley backend for BIND
On Mon, May 4, 2009 at 3:16 PM, Stephen Carville stephen.carvi...@gmail.com wrote:
> Anyone here have experience or an informed opinion in using a database backend to BIND?

I've been using the pgsql sdb backend for 5+ years, wrote my own php front end to it. It's been solid.

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
tcp versus udp
When are tcp dns queries necessary? It was my understanding that clients could use tcp or udp.

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
Re: tcp versus udp
Hi,

On Mon, May 4, 2009 at 9:28 PM, Martin McCormick mar...@dc.cis.okstate.edu wrote:
> When are tcp dns queries necessary? It was my understanding that clients could use tcp or udp.

According to what I read, dns queries are executed using udp. Only zone transfers use tcp connections. But still, according to my reading, it's possible to do dns queries through tcp connections.

Read RFC 1035. Everything will be more clear. :)

[]'s

--
Eduardo Júnior
GNU/Linux user #423272
:wq
RE: tcp versus udp
In addition, TCP is used for queries > 512 bytes.

Josh

From: bind-users-boun...@lists.isc.org on behalf of Eduardo Júnior
Sent: Mon 5/4/2009 8:35 PM
To: Martin McCormick
Cc: bind-us...@isc.org
Subject: Re: tcp versus udp

> On Mon, May 4, 2009 at 9:28 PM, Martin McCormick mar...@dc.cis.okstate.edu wrote:
>> When are tcp dns queries necessary? It was my understanding that clients could use tcp or udp.
>
> According to what I read, dns queries are executed using udp. Only zone transfers use tcp connections. But still, according to my reading, it's possible to do dns queries through tcp connections.
>
> Read RFC 1035. Everything will be more clear. :)
> [...]
Re: tcp versus udp
On May 4, 2009, at 7:28 PM, Martin McCormick wrote:
> When are tcp dns queries necessary? It was my understanding that clients could use tcp or udp.

When a response cannot fit in a single UDP packet the server will mark the truncated flag (and respond with all the data it can inside the UDP packet). That should trigger a client to resubmit the query via TCP.

Zone transfers are the most common use for TCP, but it can be required for normal queries, although that is far from normal.

--
Matt Baxter
m...@fatpipe.org
Re: tcp versus udp
Also, if EDNS0 is in effect, theoretically the max size would be 4096 bytes before a truncate happened.

--
-Ben Croswell

On Mon, May 4, 2009 at 8:55 PM, Martin McCormick mar...@dc.cis.okstate.edu wrote:
> Matt Baxter writes:
>> When a response cannot fit in a single UDP packet the server will mark the truncated flag (and respond with all the data it can inside the UDP packet). That should trigger a client to resubmit the query via TCP.
>>
>> Zone transfers are the most common use for TCP, but it can be required for normal queries, although that is far from normal.
>
> My thanks to you and to 2 other list members who replied off list. This confirms what I thought I remembered reading some time before.
>
> Martin McCormick
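The mechanism Matt and Ben describe, as an added example rather than code from the list or from ISC: a client builds the query (plainly, or with an EDNS0 OPT record advertising the 4096-byte payload Ben mentions), reads the TC bit from the response header, and only then re-asks over TCP, where each message is framed by a two-byte length. Message layout follows RFC 1035 and the OPT record RFC 2671; the transaction id, the two sample responses and the example.com name are constructed for the block. The network function at the end is not exercised by the samples and needs a reachable resolver.

```python
"""Detect DNS truncation and fall back from UDP to TCP.

Added example for this thread, not code from the list, from ISC or from
anyone quoted here. It assumes plain RFC 1035 message layout; the EDNS0
OPT record follows RFC 2671. The sample responses are constructed inline.
"""
import socket
import struct

QUERY_ID = 0x1234          # fixed transaction id for the constructed samples
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = QUERY_ID,
                edns_bufsize: int = 0) -> bytes:
    """Standard recursive query; with edns_bufsize > 0, add an OPT pseudo-RR
    whose CLASS field advertises the UDP payload size we can accept."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = extended
        # rcode/version/flags (all zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def udp_payload_limit(edns_bufsize: int = 0) -> int:
    """Largest UDP answer to expect: 512 bytes classically, else what EDNS0 advertised."""
    return edns_bufsize if edns_bufsize else 512


def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte header; TC (bit 9 of the flags word) is the truncation signal."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(response: bytes, expected_id: int) -> bool:
    """True when the server marked the answer truncated, so the client must re-ask over TCP."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        raise ValueError("not a response to our query")
    return h["tc"]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TCP may deliver them in pieces)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        buf += chunk
    return buf


def query_with_fallback(server: str, name: str, edns_bufsize: int = 0,
                        timeout: float = 3.0) -> bytes:
    """Ask over UDP first; if TC is set, repeat the same query over TCP, where
    each message is framed by a 2-byte big-endian length (RFC 1035 section 4.2.2)."""
    q = build_query(name, edns_bufsize=edns_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        resp, _ = u.recvfrom(udp_payload_limit(edns_bufsize))
    if not needs_tcp_retry(resp, QUERY_ID):
        return resp
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", recv_exact(t, 2))
        return recv_exact(t, length)


# Constructed responses to the query for www.example.com.
QUESTION = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
# flags 0x8300 = QR|TC|RD: the server could not fit the answer in one datagram.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", QUERY_ID, 0x8300, 1, 0, 0, 0) + QUESTION
# flags 0x8180 = QR|RD|RA with one A record (name compressed to the question at 0x0C).
COMPLETE_RESPONSE = (struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0) + QUESTION
                     + struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
                     + bytes([192, 0, 2, 10]))
```

Two points the samples make visible: the UDP receive buffer is sized from what the client advertised (512 without EDNS0, the OPT CLASS value with it), and the TCP retry reuses the very same query bytes, only wrapped in the length prefix. A firewall that passes UDP/53 but blocks TCP/53 therefore breaks exactly the answers that set TC, which is why "it works for small names but not large ones" usually points at the TCP path.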