Re: SERVFAIL debugging
JINMEI Tatuya / 神明達哉 wrote:
> At Fri, 13 Mar 2009 17:31:37 -0400,
> R Dicaire kri...@gmail.com wrote:
>
>>> Please try 9.6.1b1, which we expect to be released next week. It has a new experimental feature just for that purpose:
>>
>> Is this feature going to be back ported to 9.4 and 9.5 releases as well?
>
> For 9.5, yes. For 9.4, not according to the current plan.
>
> Note also that this is a new experimental feature. So far, we've only included a new feature in a .0 release, so this logging feature would only appear in 9.7.0. We're now trying to seek an intermediate path, considering the tradeoff between the plus of providing useful features for older versions and the risk of introducing instability to maintenance release. So, we may even remove this feature from the final release of 9.6.1 if we find significant regression with it through the beta cycle. On the other hand, we may include it to the next version of 9.4 if we find it very useful and can be sure that it does no harm.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.

Hello!

What does it mean:

named[87071]: 22-Jun-2009 13:18:23.256 query-errors: debug 2: fetch completed at resolver.c:6569 for static.cache.l.google.com/A in 0.041364: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
named[87071]: 22-Jun-2009 13:18:23.073 query-errors: debug 2: fetch completed at resolver.c:6569 for adservices.l.google.com/A in 0.461466: SERVFAIL/success [domain:l.google.com,referral:3,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
amed[87071]: 22-Jun-2009 13:18:22.401 query-errors: debug 2: fetch completed at resolver.c:6569 for googlehosted.l.google.com/A in 0.007844: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

--
Рыбин Дмитрий
Backbone Network Directorate
Information Systems Department
Head of the Emergency Recovery (АВР) Group
Corbina Telecom
Tel: +7(495) 728-4000
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
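The query-errors lines quoted in this message have a fixed shape, so they can be split into fields and grouped by which error counters are non-zero. The parser below is an added example, not part of the original messages and not BIND code; the example.org sample line is constructed, and the choice of counters in ERROR_KEYS is this example's own assumption.

```python
import re
from collections import Counter

# Two lines are copied from the post above; the example.org line is constructed
# so that the non-zero-counter path is exercised.
SAMPLE = """\
named[87071]: 22-Jun-2009 13:18:23.256 query-errors: debug 2: fetch completed at resolver.c:6569 for static.cache.l.google.com/A in 0.041364: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
named[87071]: 22-Jun-2009 13:18:23.073 query-errors: debug 2: fetch completed at resolver.c:6569 for adservices.l.google.com/A in 0.461466: SERVFAIL/success [domain:l.google.com,referral:3,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
named[87071]: 22-Jun-2009 13:20:00.000 query-errors: debug 2: fetch completed at resolver.c:6569 for www.example.org/A in 30.000183: timed out/success [domain:example.org,referral:0,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
"""

LINE_RE = re.compile(
    r"query-errors: debug (?P<level>\d+): fetch completed at "
    r"(?P<src>[\w.]+:\d+) for (?P<qname>\S+)/(?P<qtype>\w+) in "
    r"(?P<secs>[\d.]+): (?P<result>[^/]+)/(?P<valresult>[^\[]+?) "
    r"\[(?P<detail>[^\]]*)\]"
)
# Assumption of this example: these counters signal trouble, while referral,
# restart and qrysent only describe how much work the fetch did.
ERROR_KEYS = ("timeout", "lame", "neterr", "badresp", "adberr", "findfail", "valfail")


def parse(line):
    """Return the fields of one query-errors line, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    counters = {}
    for item in rec.pop("detail").split(","):
        key, _, value = item.partition(":")
        counters[key] = int(value) if value.isdigit() else value
    rec["domain"] = counters.pop("domain", None)
    rec["counters"] = counters
    return rec


def triage(text):
    """Count fetches per (domain, non-zero error counters)."""
    summary = Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        hot = tuple(k for k in ERROR_KEYS if rec["counters"].get(k, 0))
        summary[(rec["domain"], hot)] += 1
    return summary


if __name__ == "__main__":
    for (domain, hot), n in triage(SAMPLE).items():
        print(n, domain, ",".join(hot) or "no error counter set")
```

On the two lines taken from the post, every error counter is zero and qrysent is 0, so the grouping puts them in the "no error counter set" bucket; the log line alone does not name a cause for them.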
RE: SPF/TXT records
I don't get this at all. Rather than ask WHO is saying it, why not post reasonable counter arguments to WHAT they said? Much of what one finds on the internet is anonymous at best but that doesn't mean it has no value. Also, for all I know they are well respected in certain areas.

When I first posted to this list one common ISC poster's attacks on posts turned me off to him but others pointed out that he is with ISC and is knowledgeable in the subject. To me he seemed like a troll annoyed by newbies, which often made me wonder why he bothered with the list at all.

As I said before, I posted those two links after someone on this list talked about a debate as to the value of SPF. The links I posted seemed to have some good points. My question wasn't how much value those two links had but rather whether people on this list think SPF should be used at all. I didn't post an exhaustive list of links but just two that came up quickly when I looked into the debate as suggested.

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Noel Butler
Sent: Friday, June 19, 2009 5:25 PM
To: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

My comments below will be to all in general, not to anyone specific, and no offence intended to anyone...

RE: Advogato: Who?
RE: Circlied: Who ?

Ok enough of the sarcasm :)

Is someone here seriously trying to use those sites as a reason to not do something? Might as well reference us to mydogspewsupaftereatinglambbones.com http://www.mydogspewsupaftereatinglambbones.com (dunno if that's a real site, but its name has about as much credence as the ones given). Seriously, if you want to show why not, reference a reputable site with reputable commentators.

In relation to SPF2, if you use M$'s crap, you do have a slightly better chance of hotmail not losing your mail, so it is worth it if you provide services to anyone else other than yourself (where you *can* play god not affecting anyone else). BUT... do NOT use spf2 enforcement on your side, or you'll find a lot of mailing lists being very quiet :)

Cheers
mdns to fill up a zone
Dear all,

I am writing this question fearfully since it concerns mDNS and bind. I have read most of the messages in the archives concerning these two... and yes, I know that bind and mDNS are not the same thing and do not intend to provide the same service. But still... OK, let's get fried!

I would like to know if it would be possible to populate a DNS zone with mDNS. The question may become clearer with this simple example:

Let's assume that I am a residential and I have a DNS server in charge of my domain mydomain.example.com. As a residential, this server is hosted on my home gateway. And still because I am a residential, I don't know a lot about bind and its configuration, so I would love my zone to be automatically populated with the hostnames of my terminals in my LAN. The mdns daemon on the home gateway discovers that host groovy is at 2002::10 and touchy at 2002::11 (IPv6). Could my zone be filled up automatically with two new records:

mydomain.example.com IN SOA mydomain.example.com. root.mydomain.example.com. (
        1142330531 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        1800       ; minimum (30 minutes)
        )
$TTL 1800 ; 30 minutes
        NS mydomain.example.com.
        AAAA 2002::53
# here are the records from mDNS #
groovy.mydomain.example.com IN AAAA 2002::10
touchy.mydomain.example.com IN AAAA 2002::11

Alternatively, could mDNS send DNS updates to bind9 instead?

Alternatively again, if the DNS server receives a AAAA (or A) query for funky.mydomain.example.com, could an mDNS broadcast be sent in the LAN and, in case of a positive reply, the DNS server would respond accordingly (funky.mydomain.example.com IN AAAA 2002::12 - assuming it exists)?

My questions may sound out of scope and stupid. If so, again, sorry. I would nevertheless appreciate understanding clearly why.

Many thanks. Congrats for the wonderful work you do. Bind is great!

Yours,
David.
Re: control channel logging
On 21.06.09 13:37, R Dicaire wrote:
> Hi folks, bind 9.6.1...I'm looking in the ARM but I dont see a logging category specific to control channel communications. In syslog I have (generated by an mrtg script):
>
> named[7837]: received control channel command 'stats'
>
> What category does this fall under?

If in doubt and the docs won't tell you, just enable

print-category yes;

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was an Windows 95 beta test site.
TSIG issues, but only for one zone
... and only on one host.

So to start, yes, my clocks are in sync to within 5 seconds.

First the info on the setup: There's one master server ns00.example.net, and two slave servers ns01.example.net and ns11.example.net. The master hosts about a dozen zones to the slaves, and uses TSIG for the transfers. To make it more interesting, I can't replicate the issue transferring example.net with ns01; its named does it fine, albeit with a different TSIG key. This is on CentOS 5.3 i386, which has BIND 9.3.4-P1 (more specifically RPM says bind-9.3.4-10.P1.el5).

[r...@ns11 ~]# rndc reload example.net
zone refresh queued
[r...@ns11 ~]#

Jun 22 14:28:21 ns11 named[1744]: 22-Jun-2009 14:28:21.775 general: debug 1: received control channel command 'null'
Jun 22 14:28:21 ns11 named[1744]: 22-Jun-2009 14:28:21.776 general: debug 1: received control channel command 'reload example.net'
Jun 22 14:28:21 ns11 named[1744]: 22-Jun-2009 14:28:21.776 general: debug 1: queue_soa_query: zone example.net/IN: enter
Jun 22 14:28:21 ns11 named[1744]: 22-Jun-2009 14:28:21.776 general: debug 1: soa_query: zone example.net/IN: enter
Jun 22 14:28:22 ns11 named[1744]: 22-Jun-2009 14:28:22.247 general: debug 1: refresh_callback: zone example.net/IN: enter
Jun 22 14:28:22 ns11 named[1744]: 22-Jun-2009 14:28:22.247 general: info: zone example.net/IN: refresh: failure trying master 1.1.2.50#53 (source 0.0.0.0#0): tsig verify failure
Jun 22 14:28:22 ns11 named[1744]: 22-Jun-2009 14:28:22.247 general: debug 1: queue_soa_query: zone example.net/IN: enter
Jun 22 14:28:22 ns11 named[1744]: 22-Jun-2009 14:28:22.278 general: debug 1: soa_query: zone example.net/IN: enter
Jun 22 14:28:22 ns11 named[1744]: 22-Jun-2009 14:28:22.279 general: debug 1: cancel_refresh: zone example.net/IN: enter

But when I do another zone (keep in mind this is to the same master, so the TSIG settings are exactly the same; I've set them up per-IP, not per-zone):

Jun 22 14:31:14 ns11 named[1744]: 22-Jun-2009 14:31:14.008 general: info: zone example.com/IN: Transfer started.
Jun 22 14:31:14 ns11 named[1744]: 22-Jun-2009 14:31:14.008 general: debug 1: zone example.com/IN: requesting IXFR from 1.1.2.50#53
Jun 22 14:31:14 ns11 named[1744]: 22-Jun-2009 14:31:14.100 general: debug 1: zone example.com/IN: zone transfer finished: success
Jun 22 14:31:14 ns11 named[1744]: 22-Jun-2009 14:31:14.100 general: info: zone example.com/IN: transferred serial 2009062204: TSIG 'ns11.example.net-ns01.example.net'

I can't make heads or tails of *WHY* exactly tsig is throwing the verify error; even with debugging turned up to 99 the above is all I get in my logs.

Just to make things more interesting, if I do a TSIG AXFR query directly from dig on ns11, it works with example.net!

[r...@ns11 ~]# dig @1.1.1.50 example.net axfr -y ns11.example.net-ns01.example.net.:2HL0vpUE2JYFxv0YaAtrVg==

; DiG 9.3.4-P1 @1.1.1.50 example.net axfr -y ns11.example.net-ns01.example.net.
; (1 server found)
;; global options: printcmd
example.net. 86400 IN SOA example.net. support.example.net. 2009062202 600 300 360 86400
[snip]
example.net. 86400 IN SOA example.net. support.example.net. 2009062202 600 300 360 86400
ns11.example.net-ns01.example.net. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1245707011 300 16 l+rb6H0RuqwXCT6H4G6JgQ== 49169 NOERROR 0
;; Query time: 272 msec
;; SERVER: 1.1.1.50#53(1.1.1.50)
;; WHEN: Mon Jun 22 14:43:31 2009
;; XFR size: 32 records (messages 1)

Help? I'm open to trying just about any crazy ideas at this point.
Re: SERVFAIL debugging
At Mon, 22 Jun 2009 13:30:42 +0400,
Dmitry Rybin kirg...@corbina.net wrote:

>>>> Please try 9.6.1b1, which we expect to be released next week. It has a new experimental feature just for that purpose:
>>>
>>> Is this feature going to be back ported to 9.4 and 9.5 releases as well?
>>
>> For 9.5, yes. For 9.4, not according to the current plan.
>
> named[87071]: 22-Jun-2009 13:18:23.256 query-errors: debug 2: fetch completed at resolver.c:6569 for static.cache.l.google.com/A in 0.041364: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Which version of BIND9 is this? To match the line number we need the exact version number.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.