another connection timed out; no servers could be reached

2009-05-26 Thread Beavis
I have 2 DNS servers running the same zones, hints and named.conf; each
of them acts as a master (I do most of the updates of the zones I have
through a script).

I'm running a simple query from both of the boxes and it seems that I
can't query the 2nd box.

#1 box

$ dig @1.1.1.10 www.yahoo.com

; <<>> DiG 9.3.4 <<>> @1.1.1.10 www.yahoo.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31303
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com. IN  A

;; ANSWER SECTION:
www.yahoo.com.             300  IN  CNAME  www.wa1.b.yahoo.com.
www.wa1.b.yahoo.com.        60  IN  CNAME  www-real.wa1.b.yahoo.com.
www-real.wa1.b.yahoo.com.   60  IN  A      69.147.76.15
www-real.wa1.b.yahoo.com.   60  IN  A      209.191.93.52

;; AUTHORITY SECTION:
wa1.b.yahoo.com.           299  IN  NS     yf1.yahoo.com.
wa1.b.yahoo.com.           299  IN  NS     yf2.yahoo.com.

;; Query time: 219 msec
;; SERVER: 10.0.100.10#53(1.1.1.10)
;; WHEN: Tue May 26 17:52:42 2009
;; MSG SIZE  rcvd: 146


#2 box

$ dig @1.1.1.11 www.yahoo.com

; <<>> DiG 9.3.4 <<>> @1.1.1.11 www.yahoo.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

Both boxes sit on the same subnet, and they both have the same hints
file. No fw (pf) is installed on either of the boxes.

If it's a straightforward query for box #2 it calls out the
"connection timed out; no servers could be reached", but when I add
+trace to the query it can actually resolve the site.

I did a bit of googling, and most of the posts I see regarding this
say it is a firewall issue.


Any help would be awesomely appreciated.


-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


request for advice

2009-05-26 Thread Myo Than
Sirs,

I would like to make a request for advice on one problem I faced with DNS.

I have to delegate one /26 and one /27 subnet in one reverse zone.
In my reverse zone file, I put these:

; <<128-159>> /27
128-159    NS    udns1.ultradns.net.
128-159    NS    udns2.ultradns.net.
;
129 CNAME 129.128-159.137.166.203.in-addr.arpa.

When I run the queries:
1. I can resolve the NS query for the dummy domain
> set type=ns
> 128-159.137.166.203.in-addr.arpa.
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
128-159.137.166.203.in-addr.arpa    nameserver = udns1.ultradns.net
128-159.137.166.203.in-addr.arpa    nameserver = udns2.ultradns.net

Authoritative answers can be found from:
udns1.ultradns.net  internet address = 204.69.234.1
udns2.ultradns.net  internet address = 204.74.101.1

2. But I got an error on the NS query for an individual IP
> set type=ns
> 129.137.166.203.in-addr.arpa.
Server:  localhost
Address:  127.0.0.1

*** localhost can't find 129.137.166.203.in-addr.arpa.: Server failed

> 129.128-159.137.166.203.in-addr.arpa.
Server:  localhost
Address:  127.0.0.1

*** localhost can't find 129.128-159.137.166.203.in-addr.arpa.: Server failed



Please advise me on how to fix the problem.
I am not sure whether I am having a problem with the CNAME or whether the
config is already working.


Respects,
Mt



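An added example in Python (not code from the post): it generates the parent-zone records an RFC 2317 classless delegation needs and follows the CNAME chain a resolver walks for one address, so the expected chain for host 129 can be compared hop by hop against what the server actually returns. It assumes the parent zone 137.166.203.in-addr.arpa. and the 128-159 label from the post; the /26 block at 192-255 and the name servers ns1/ns2/ns3.delegate.example. are placeholders.

```python
"""RFC 2317 classless in-addr.arpa delegation: generate and check.

Added example, not code from the original post. Assumptions: the parent
reverse zone is 137.166.203.in-addr.arpa. (the name in the post), ranges
are labelled "first-last" on the host octet as the post does, and the
delegate name servers and the /26 block are placeholders.
"""
import ipaddress

PARENT_ZONE = "137.166.203.in-addr.arpa."


def range_label(cidr: str) -> str:
    """Return the 'first-last' label for a block longer than /24."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 labels are for blocks longer than /24")
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    return f"{first}-{last}"


def delegation_records(cidr: str, nameservers, parent=PARENT_ZONE):
    """Parent-zone records for one classless delegation (RFC 2317 section 3):
    the NS set at the range label, then one CNAME per host octet that
    points into the delegated sub-zone."""
    label = range_label(cidr)
    records = [f"{label} NS {ns}" for ns in nameservers]
    for addr in ipaddress.ip_network(cidr):
        octet = int(addr) & 0xFF
        records.append(f"{octet} CNAME {octet}.{label}.{parent}")
    return records


def build_zone(delegations, parent=PARENT_ZONE):
    """Load generated records into a dict: owner FQDN -> [(type, rdata)]."""
    zone = {}
    for cidr, nameservers in delegations:
        for line in delegation_records(cidr, nameservers, parent):
            owner, rtype, rdata = line.split()
            zone.setdefault(f"{owner}.{parent}", []).append((rtype, rdata))
    return zone


def chase(zone, name):
    """Follow CNAMEs from `name`, then find the closest enclosing NS delegation.

    Returns (final_name, delegation_owner, nameservers); delegation_owner is
    None when no delegation in `zone` covers the final name.
    """
    seen = set()
    while name in zone and zone[name][0][0] == "CNAME":
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = zone[name][0][1]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        servers = [rdata for rtype, rdata in zone.get(candidate, []) if rtype == "NS"]
        if servers:
            return name, candidate, servers
    return name, None, []


# Constructed delegations: the post's /27 (128-159) plus a placeholder /26.
DELEGATIONS = [
    ("203.166.137.128/27", ["ns1.delegate.example.", "ns2.delegate.example."]),
    ("203.166.137.192/26", ["ns3.delegate.example."]),
]


def lookup(octet: int, delegations=DELEGATIONS):
    """Resolve the reverse name for one host octet through the parent zone."""
    return chase(build_zone(delegations), f"{octet}.{PARENT_ZONE}")


if __name__ == "__main__":
    for line in delegation_records(*DELEGATIONS[0])[:4]:
        print(line)
    print(lookup(129))   # CNAME -> 129.128-159..., delegated at 128-159...
    print(lookup(5))     # not delegated: (name, None, [])
```

lookup(129) reports the final name 129.128-159.137.166.203.in-addr.arpa. and the NS set at the 128-159 label. A query for the individual address depends on both halves, the CNAME in the parent zone and the PTR in the delegated sub-zone, so checking each hop on its own (the CNAME owner against the parent, then the target against one of the delegate's servers) narrows down which side is failing.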


CNAME used in Global Server Loadbalancing - is it RFC compliant ?

2009-05-26 Thread support

Hello,

we are using Global Server Loadbalancing (GSLB) for site redundancy.

GSLB is based on DNS technology and works as follows:

---
 standard implementation case
---

www.example.com.    NS   loadbalancer-1.example.com.
#   --> ( LB located at site-a)

www.example.com.    NS   loadbalancer-2.example.com.
#   --> ( LB located at site-b)


#  the loadbalancer (LB) resolves the DNS query for www.example.com, based
#  on load balancing criteria with a site specific public IP address

loadbalancer-1.example.com. A   1.y.z.w
loadbalancer-2.example.com. A   2.y.z.w



---
 ?? 'CNAME approach' in question
---

(-) The above setup works fine, and for each service we need 2 public IP
addresses, one at each site hosted on the loadbalancer device.

(--) Now considering that we host the same application with different names
on the same server, we need another 2 public IP addresses for each one -
this leads to an unnecessary waste of addresses (x * 2)

==> NEW APPROACH 

Instead of using two new IP public addresses for the new service name I
defined following:

new-www.example.com  CNAME www.example.com.

==> it works fine so far and the resolve process is as it should be, but




Is it legitimate (RFC compliant) to use CNAME in this setup, or is it just
luck that it works and more compliant resolvers won't work properly??


Thanks a lot
Marcel




Re: AW: file descriptors and max-clients-per-query

2009-05-26 Thread JINMEI Tatuya / 神明達哉
At Thu, 14 May 2009 17:46:42 +0200,
"Philippe Maechler"  wrote:

> > > I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a 
> > FreeBSD 6.x box 
> > > as caching servers.
> > > let's call them ns1 and ns2 :P
> > > 
> > > short after we shutdown server one we get error messages on 
> > the other server
> > > -> socket: too many open file descriptors
> > 
> > What is the "other server"? I assume you are getting this 
> > error message with the old 9.4.2-P2 (and not on the 9.5.1-P1).
> 
> No i have the messages on both servers. 
> If ns1 goes down, we get the messages on ns2 and vice-versa.  

How many sockets are open when you see this message?  Normally the
socket() call shouldn't fail even if named uses many sockets (it will
fail anyway, but the failure mode is normally different), so it's very
odd to see the above message.  Are you perhaps limiting the system
resource for the number of allowable open sockets?  Do you set the
'files' option in your named.conf?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Why does key-directory have to be absolute?

2009-05-26 Thread Chris Thompson

BIND imposes the same restriction on the key-directory value as it does
on directory, i.e. that it has to be an absolute path or ".". I don't
see why this should be necessary: why can't it be a path relative to the
directory setting? (Just as "file" values in zone statements can be.)

--
Chris Thompson
Email: c...@cam.ac.uk


Re: dig return values

2009-05-26 Thread Scott Haneda

On May 26, 2009, at 6:19 AM, Stephane Bortzmeyer wrote:

> On Fri, May 22, 2009 at 03:15:56PM -0700,
> Scott Haneda wrote
> a message of 32 lines which said:
>
>> I do not know, nor would I want to have to know, all the possible
>> return strings I may get back.  My needs are simple, I believe any
>> ANSWER of > 0 I would determine to be true, any timeout of any form
>> I would determine to be false.
>
> Yes, but what about an answer of NOERROR,ANCOUNT=0, for instance:
>
> dig @a.nic.fr A www.google.fr
>
> Is it an error or not?

In my case, that would not be an error; my needs are for a rather
custom checking system.

>> Can anyone point me to docs on return codes, or is this going to
>> amount to string parsing?
>
> I do string parsing. As an example, see the script in
>  (the text is in
> French but the comments in the script are in English).

Very nice, thank you for that.  This is a good start for me to see
what many of the possible return codes are that I need.  My tool never
gets used in production; this is just something developers are going
to use.  I installed DLZ for them, and get a lot of "DNS is down"
emails from the developers.  In all reality, "database has bad data"
is more accurate.  I just need a tool to show them what is going on,
without them having to learn all the replies dig may send back.

Thank you again for your link, most helpful.
--
Scott * If you contact me off list replace talklists@ with scott@ *



Re: Has PGP key been changed?

2009-05-26 Thread Evan Hunt
> has PGP key been changed?

Yes, it has.  The release announcement contains a link to the new key
(https://www.isc.org/files/pgpkey2009.txt).

We should have flagged the change more prominently, sorry about that.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


A question from RFC 3403

2009-05-26 Thread sandoche BALAKRICHENAN

An example from RFC 3403

The URN might look like this:

urn:cid:199606121851.1@bar.example.com

 This Application's First Well Known Rule is to extract the characters
 between the first and second colon.  For this URN that would be
 'cid'.  The Application also specifies that, in order to build a
 Database-valid Key, the string 'urn.arpa' should be appended to the
 result of the First Well Known Rule.  The result is 'cid.urn.arpa'.
 Next, the client queries the DNS for NAPTR records for the domain-
 name 'cid.urn.arpa'.  The result is a single record:

cid.urn.arpa.   IN NAPTR 100   10   ""  ""  "!^urn:cid:.+@([^\.]+\.)(.*)$!\2!i"


My question is: when the application has already converted
"urn:cid:199606121851.1@bar.example.com" -> cid.urn.arpa.,


==> why does the regexp string again search for "urn:cid:"?

The RFC says

REGEXP - A  containing a substitution expression that is applied to the original string 



==> Does anyone have an idea why it should always be applied to the original string?






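An added worked example in Python (not from the post or the RFC): it applies the First Well Known Rule to the URN to build the DNS key, then applies the NAPTR REGEXP field once to the original URN (the input the quoted REGEXP definition names) and once to the key cid.urn.arpa, so the two results can be compared directly. Python's re module stands in for the POSIX ERE the RFC specifies; the two agree for this expression.

```python
"""Work through the RFC 3403 URN example quoted in the post.

Added example, not from the post or the RFC. The URN and the REGEXP
field are the ones quoted above; everything else is this example's own.
"""
import re

URN = "urn:cid:199606121851.1@bar.example.com"          # from the post
NAPTR_REGEXP = r"!^urn:cid:.+@([^\.]+\.)(.*)$!\2!i"    # REGEXP field from the post


def first_well_known_rule(urn: str) -> str:
    """Characters between the first and second colon, plus '.urn.arpa'."""
    parts = urn.split(":")
    if len(parts) < 3 or parts[0].lower() != "urn":
        raise ValueError("not a URN")
    return f"{parts[1]}.urn.arpa"


def parse_naptr_regexp(field: str):
    """Split a REGEXP field into (ere, replacement, flags).

    The first character is the delimiter; a backslash escapes the next
    character, so an escaped delimiter does not end a part (RFC 3402).
    """
    if not field:
        raise ValueError("empty REGEXP field")
    delim, parts, cur, i = field[0], [], [], 1
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field):
            cur.extend((ch, field[i + 1]))   # keep the escape for the regex engine
            i += 2
            continue
        if ch == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError(f"expected 3 parts, got {len(parts)}: {field!r}")
    return tuple(parts)


def apply_naptr_regexp(field: str, subject: str):
    """Apply the rewrite to `subject`; None when the ERE does not match."""
    ere, repl, flags = parse_naptr_regexp(field)
    match = re.search(ere, subject, re.IGNORECASE if "i" in flags else 0)
    return match.expand(repl) if match else None


if __name__ == "__main__":
    key = first_well_known_rule(URN)
    print("key:", key)                                      # cid.urn.arpa
    print("applied to the URN:", apply_naptr_regexp(NAPTR_REGEXP, URN))
    print("applied to the key:", apply_naptr_regexp(NAPTR_REGEXP, key))
```

Run against the URN the rewrite yields the domain part after the first label; run against the key it yields nothing, because the key no longer contains the "urn:cid:" text the expression anchors on.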


Re: dig return values

2009-05-26 Thread Stephane Bortzmeyer
On Fri, May 22, 2009 at 03:15:56PM -0700,
 Scott Haneda  wrote 
 a message of 32 lines which said:

> Does `dig` have return codes that I can use to make some form of
> automated tests?

Not for everything.

% dig +short SOA dummy.example && echo Success 
Success

% dig +short @192.168.42.42 SOA dummy.example && echo Success 
;; connection timed out; no servers could be reached

% dig @a.nic.fr AXFR dummy.example && echo Success  

; <<>> DiG 9.5.1-P1 <<>> @a.nic.fr AXFR dummy.example
; (2 servers found)
;; global options:  printcmd
; Transfer failed.
Success

So, some errors are detected but not all.

> I do not know, nor would I want to have to know, all the possible
> return strings I may get back.  My needs are simple, I believe any
> ANSWER of > 0 I would determine to be true, any timeout of any form
> I would determine to be false.

Yes, but what about an answer of NOERROR,ANCOUNT=0, for instance:

dig @a.nic.fr A www.google.fr

Is it an error or not?

> Can anyone point me to docs on return codes, or is this going to amount 
> to string parsing? 

I do string parsing. As an example, see the script in
 (the text is in
French but the comments in the script are in English).

if ! egrep "Transfer failed|connection timed out|Name or service not known\
|connection refused|network unreachable|host unreachable|communications error" \
    "$tmp" > /dev/null; then
...
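An added example in Python (not Stephane's script): it folds the text checks from that egrep together with the rcode and ANSWER count from dig's header into one verdict, and keeps NOERROR with ANCOUNT=0 as its own verdict so the caller decides whether that counts as a failure, which is the disagreement in this thread. The sample outputs are constructed from the dig output quoted in the thread; check_with_dig needs a real dig on the PATH.

```python
"""Classify dig output for automated checks.

Added example; not the script from the thread. It recognises the text
errors that script greps for, reads the rcode and ANSWER count from the
header, and reports NOERROR/ANCOUNT=0 separately.
"""
import re
import subprocess

# Failure strings dig prints outside the normal answer format
# (the list from the thread's egrep).
TEXT_ERRORS = (
    "Transfer failed",
    "connection timed out",
    "Name or service not known",
    "connection refused",
    "network unreachable",
    "host unreachable",
    "communications error",
)
HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)",
    re.MULTILINE,
)
COUNTS_RE = re.compile(
    r"^;; flags:[^;]*; QUERY: (?P<qd>\d+), ANSWER: (?P<an>\d+), "
    r"AUTHORITY: (?P<ns>\d+), ADDITIONAL: (?P<ar>\d+)",
    re.MULTILINE,
)


def classify(output: str):
    """Return (verdict, detail) for one dig run.

    verdict: "transport" (dig could not complete the query), "rcode"
    (server answered with a status other than NOERROR), "nodata"
    (NOERROR but ANCOUNT=0), "answer" (at least one answer RR) or
    "unparsed" (no header found).
    """
    for text in TEXT_ERRORS:
        if text in output:
            return "transport", text
    header = HEADER_RE.search(output)
    if header is None:
        return "unparsed", None
    status = header.group("status")
    if status != "NOERROR":
        return "rcode", status
    counts = COUNTS_RE.search(output)
    answers = int(counts.group("an")) if counts else 0
    if answers == 0:
        return "nodata", status
    return "answer", answers


def check_with_dig(*dig_args):
    """Run dig (must be installed) and classify what it printed."""
    proc = subprocess.run(["dig", *dig_args], capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)


# Constructed samples modelled on the outputs quoted in this thread.
SAMPLE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31303
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.   300  IN  A  192.0.2.10
"""
SAMPLE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"
SAMPLE_XFER = "; <<>> DiG 9.5.1-P1 <<>> @a.nic.fr AXFR dummy.example\n; Transfer failed.\n"

if __name__ == "__main__":
    for name, sample in [("answer", SAMPLE_ANSWER), ("nodata", SAMPLE_NODATA),
                         ("nxdomain", SAMPLE_NXDOMAIN), ("timeout", SAMPLE_TIMEOUT),
                         ("axfr", SAMPLE_XFER)]:
        print(name, "->", classify(sample))
```

Because dig's exit status does not cover every failure (the "Transfer failed" case above still prints "Success"), the classifier reads the output rather than the exit code; a monitoring script can then map "transport" and "rcode" to failure and treat "nodata" according to what the check is for.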


Re: Has PGP key been changed?

2009-05-26 Thread Rob Austein
At Tue, 26 May 2009 15:12:15 +0200, Adam Tkac wrote:
> 
> has PGP key been changed?

Yes.

> Current ISC key located on http://oldwww.isc.org/about/openpgp/pgpkey2006.txt
> has different ID - 1BC91E6C.
> 
> Would it be possible to publish updated PGP key, please?

Sigh.

The new key is in the worldwide PGP keyserver system, but yes, the
copy on the ISC web site should have been updated.  Thanks.


Has PGP key been changed?

2009-05-26 Thread Adam Tkac
Hi,

has PGP key been changed?

I downloaded bind-9.6.1rc1.tar.gz and SHA512 signature and tried to
verify the tarball. Unfortunately verification failed because
the public key is not known.

$ gpg --verify bind-9.6.1rc1.tar.gz.sha512.asc bind-9.6.1rc1.tar.gz
gpg: Signature made Thu 21 May 2009 11:01:12 PM CEST using RSA key ID 0B7BAE00
gpg: Can't check signature: public key not found

Current ISC key located on http://oldwww.isc.org/about/openpgp/pgpkey2006.txt
has different ID - 1BC91E6C.

Would it be possible to publish updated PGP key, please?

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
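An added example in Python (not from the thread): it runs the same gpg --verify as above but reads gpg's --status-fd channel instead of the human-readable text, and accepts a tarball only when the signature is valid and made by a key whose fingerprint was pinned in advance, so a changed signing key fails closed instead of being fetched and trusted on the spot. The fingerprints and status lines are placeholders constructed for the example; only the key ID 0B7BAE00 comes from the post.

```python
"""Verify a release tarball against a pinned signing key.

Added example, not from the thread. PINNED_FINGERPRINTS is a placeholder
to be replaced with the fingerprint(s) obtained out of band; the sample
status lines are constructed, with the key ID 0B7BAE00 taken from the post.
"""
import subprocess

PINNED_FINGERPRINTS = {"0000000000000000000000000000000000000000"}   # placeholder


def parse_status(status_text: str) -> dict:
    """Reduce gpg --status-fd output to the facts a release check needs."""
    facts = {"valid": False, "fingerprints": set(), "missing_key": None,
             "bad": False, "error": False}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "NO_PUBKEY" and len(fields) > 2:
            facts["missing_key"] = fields[2]
        elif keyword == "BADSIG":
            facts["bad"] = True
        elif keyword == "ERRSIG":
            facts["error"] = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            # fields[2] is the signing (sub)key fingerprint; when present,
            # the tenth argument is the primary key fingerprint.
            facts["valid"] = True
            facts["fingerprints"].add(fields[2])
            if len(fields) > 11:
                facts["fingerprints"].add(fields[11])
    return facts


def decide(facts: dict, pinned=PINNED_FINGERPRINTS):
    """Return (accepted, reason); every non-accept path is explicit."""
    if facts["missing_key"]:
        return False, (f"signature by unknown key {facts['missing_key']}; "
                       "obtain and verify the key out of band before retrying")
    if facts["bad"]:
        return False, "bad signature"
    if facts["error"]:
        return False, "gpg could not check the signature"
    if not facts["valid"]:
        return False, "no valid signature found"
    matched = facts["fingerprints"] & set(pinned)
    if not matched:
        return False, "valid signature but signing key is not pinned"
    return True, f"valid signature from pinned key {sorted(matched)[0]}"


def verify_release(signature_path: str, tarball_path: str, pinned=PINNED_FINGERPRINTS):
    """Run gpg as in the post, but read the machine-readable status channel."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, tarball_path],
        capture_output=True, text=True,
    )
    return decide(parse_status(proc.stdout), pinned)


# Constructed status output for the situation in the post: the signature
# was made by a key the local keyring does not have.
SAMPLE_NO_PUBKEY = ("[GNUPG:] ERRSIG 0B7BAE00 1 2 00 1242939672 9\n"
                    "[GNUPG:] NO_PUBKEY 0B7BAE00\n")
# Constructed: valid signature from the pinned (placeholder) key.
SAMPLE_VALID = ("[GNUPG:] GOODSIG 0000000000000000 Example Release Key <rel@example.org>\n"
                "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2009-05-21 "
                "1242939672 0 4 0 1 10 00 0000000000000000000000000000000000000000\n")
# Constructed: valid signature, but from a key nobody pinned.
SAMPLE_UNPINNED = ("[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2009-05-21 "
                   "1242939672 0 4 0 1 10 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\n")

if __name__ == "__main__":
    for sample in (SAMPLE_NO_PUBKEY, SAMPLE_VALID, SAMPLE_UNPINNED):
        print(decide(parse_status(sample)))
```

The two rejecting cases are the ones a key change produces: either gpg lacks the key entirely (the post's situation) or a fetched key verifies the signature but is not the one previously pinned; both stop the install until the new key has been checked through a separate channel.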