Re: Bind 9.6.1 stops after few hours.

2009-07-08 Thread Anatoly Pugachev
On 07.07.2009 / 11:55:34 -0400, Rob Payne wrote:
> 
> > What do you mean by "stop"?  Did the daemon crash, simply not respond
> > to queries, or something else?
> 
> I don't know if this is the same as what Laurence is seeing.  Testing
> 9.6.1 on Solaris 10/sparc, with a local build (THREADS, no MEMFILL,
> openssl 0.9.8k) the server stops responding to queries made from the
> network (LAN), until a local query comes in (dig @localhost ...).

We're using 9.6.0-P1 in a Solaris 10 x86 zone, acting as both a recursive
and an authoritative server (a bit loaded, like 1k concurrent recursive
queries during daytime hours, as seen with 'rndc status'), and aren't seeing
any problems with it. BIND was configured with
'./configure --with-openssl=no' since we don't use DNSSEC.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RES: Bind 9.6.1 stops after few hours.

2009-07-08 Thread Laurence Stendard
Hi Rob,

I could not reproduce this behavior on my Linux lab machine using queryperf. As
Jinmei pointed out, this seems to be a Solaris thing.

I still could not reproduce the problem I faced on my own production DNS...

Thanks for your post!

Laurence  

-----Original Message-----
From: Rob Payne [mailto:rnspa...@the-paynes.com]
Sent: Tuesday, July 7, 2009 12:56
To: JINMEI Tatuya / 神明達哉
Cc: Laurence Stendard; bind-users@lists.isc.org
Subject: Re: Bind 9.6.1 stops after few hours.

On Sun, Jul 05, 2009 at 02:42:34PM -0700, JINMEI Tatuya / 神明達哉 wrote:
> At Fri, 3 Jul 2009 17:31:57 -0300,
> "Laurence Stendard"  wrote:

> > After an upgrade to 9.6.1 we noticed the Bind daemon stops after few
> > hours.

> What do you mean by "stop"?  Did the daemon crash, simply not respond
> to queries, or something else?

I don't know if this is the same as what Laurence is seeing.  Testing
9.6.1 on Solaris 10/sparc, with a local build (THREADS, no MEMFILL,
openssl 0.9.8k) the server stops responding to queries made from the
network (LAN), until a local query comes in (dig @localhost ...).

> From which version did you upgrade your named?

> How often does that happen?

To reproduce this:

queryperf -> 9.6.1 acting as a mostly recursive server (haven't tested
 with a server configured as authoritative-only).

The server stops responding during a 30 second queryperf run.  Running
a script on the name server with 'dig @localhost...' once per second
wakes the system up and the server continues answering queries made
via the network.

> Does the problem change if you disable threads and/or epoll
> (via --disable-threads / --disable-epoll)?

Have not tested either of these changes, yet.  I have not tested the
packages from sunfreeware, yet.

 -rob

Re: DNSSEC closed environment

2009-07-08 Thread Marco Davids
Eduardo Júnior wrote:

> Is it possible to configure DNSSEC only between 2 name servers, the first
> being the authoritative and the second the recursive? The authoritative name
> server would have signed zones and the recursive would do queries and
> validation.

Sure, why not?

I personally prefer my setup whereby I have included the IANA testbed:
https://ns.iana.org/dnssec/status.html.

In other words, I use their root hints and zonefiles in my test-environment.

In fact, I even managed to get an apparently valid chain of trust all
the way up to my 'home.forfunsec.org' testdomain with it. Quite
instructive and fun to play with. :-)

> And using dig (properly compiled and configured) makes
> requests to the recursive server and validation occurs correctly?

Yep, that sounds like it should work.

But you might like 'drill', from NlNetlabs:

http://www.nlnetlabs.nl/projects/ldns/

(sorry, for being a bit off-topic here)

Regards,

-- 
Marco Davids
SIDN



DNS Maintenance

2009-07-08 Thread Alans
Hi,

Can someone tell me how webhosting providers or ISPs do maintenance on their
DNSs?

I mean, can they take it offline? What is the procedure usually?

Thanks,

Alans


Re: DNS Maintenance

2009-07-08 Thread Alan Clegg
Alans wrote:

> Can someone tell me how webhosting providers or ISPs do maintenance on
> their DNSs?
> 
> I mean,  can they take it offline? What is the procedure usually?

You need to define "maintenance".  With very few exceptions (none?) I
can't think of a reason to take a DNS server off-line to do anything.

AlanC




Re: DNS Maintenance

2009-07-08 Thread Mohamed Navas V
What do you mean by offline?

-- 
Br.
Mohamed Navas
+971 55 5973731
+971 50 5973731

Re: DNS Maintenance

2009-07-08 Thread Chris Hills

On 08/07/09 15:46, Alans wrote:

Hi,

Can someone tell me how webhosting providers or ISPs do maintenance on
their DNSs?

I mean, can they take it offline? What is the procedure usually?


Hi

You can use a load balancer in front of your DNS servers, and remove the 
host from the pool when maintenance is needed.


Another approach is to run your servers as virtual machines. With a 
platform like VMware you can move the guest from host to host without 
disruption using vmotion, which allows maintenance to be performed on 
the host. However, this will not help if you need to do a software or 
kernel upgrade on the guest.


Regards,

Chris Hills



Re: DNS Maintenance

2009-07-08 Thread Barry Dean
I have been thinking of this same issue lately when I had to move a  
dns service from one host to another to re-build the OS.


I use virtual IPs on the host making it relatively easy to move the  
service around. But as I use Solaris 10 as the platform I am thinking  
that Zones would be a winner here as I could move the service around  
physical machines much easier, much like vmotion.


It would require the zone data to be on shared storage, but would  
bring me huge flexibility.




---
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
---
Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn



bind 9.6.1 under perform after running for a couple of hours

2009-07-08 Thread Imri Zvik
Hi,

After a couple of hours, performance of bind 9.6.1 suddenly drops. While the
server remains responsive, the response time increases, the rate of the
failed queries increases, and CPU/load average usage increases. Restarting
named solves the problem.

I cannot find anything useful in the logs, but a quick search in this
mailing list archive shows that other users reported somewhat similar
problems with this version of BIND :(

The operating system is Linux (Linux ns1 2.6.18-128.el5 #1 SMP Wed Dec 17
11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux), Red Hat Enterprise Linux
Server release 5.3 (Tikanga).

Output of named -V:

BIND 9.6.1 built with '--enable-threads' '--enable-largefile'
'--prefix=/usr/local'

/usr/local/sbin/named: ELF 64-bit LSB executable, AMD x86-64, version 1
(SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for
GNU/Linux 2.6.9, not stripped

It is important to state that we just upgraded from 9.4.3-P2.

Any ideas?


namespace verification

2009-07-08 Thread Todd Snyder
Good day all,

I am looking at making some sweeping changes to some zone files,
cleaning up NS records primarily.  As I'm pondering the impact of this,
I got to thinking about how to validate every single record in my
namespace, and therefore the entirety of my change.

What I'm thinking of is a script that will go through each zone file and
do a dig against a server (localhost, or otherwise) for each record,
verifying that every record resolves correctly.

Has anyone written such a beast or know of a tool like this?  Am I being
obtuse in thinking that this would be useful to me to verify my changes?

Cheers,

Todd.



Re: namespace verification

2009-07-08 Thread da...@from525.com

On Wed, 8 Jul 2009 14:23:36 -0400, "Todd Snyder"  wrote:
> Good day all,
> 
> I am looking at making some sweeping changes to some zone files,
> cleaning up NS records primarily.  As I'm pondering the impact of this,
> I got to thinking about how to validate every single record in my
> namespace, and therefore the entirety of my change.
> 
> What I'm thinking of is a script that will go through each zone file and
> do a dig against a server (localhost, or otherwise) for each record,
> verifying that every record resolves correctly.
> 
> Has anyone written such a beast or know of a tool like this?  Am I being
> obtuse in thinking that this would be useful to me to verify my changes?
> 
> Cheers,
> 
> Todd.
> 


I was forced into writing some stuff like this as I inherited a severely
neglected DNS environment.  Instead of having to write the logic capable of
parsing a zone file I found it easier to parse host -l output.  This allows
for not needing to take account of all the allowed shorthand within the
zone files that bind understands.  I suppose it even makes the scripts
non-bind-dependent. I chose to examine things such as A records with multiple
entries (possible round robin or possible that someone didn't remove an old
record before adding new), if PTR records exist for A records, if PTR
records match the corresponding A records, for duplicate PTR records & if
two different A records contain the same IP data (possible old IP that was
reassigned to new machine while old DNS data was never removed or possibly
one machine known by many names).

I am sure there is some paid software out there that performs similar
functionality.  I tested the Men & Mice suite which performed a lot of very
similar functionality as my own scripts did.  I wouldn't be surprised if
there were some open source projects as well.

Thanks,
David
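As an added example (not code from Todd's or David's posts, and not from BIND), here is the kind of host -l based audit David describes, in Python: it parses forward and reverse zone dumps and reports multi-valued A RRsets, A records without a PTR or with a PTR pointing elsewhere, duplicate PTRs, PTRs with no matching A, and addresses shared between names. The two dumps, the example.com names and the 192.0.2.0/24 addresses are constructed, and the regexes assume the "has address" / "domain name pointer" line format that host -l prints, so check them against your own host binary (IPv4 only; AAAA/ip6.arpa would need a second pair of patterns).

```python
"""Audit a namespace from `host -l` output: multi-valued A RRsets, A/PTR
agreement, duplicate PTRs and IPs shared between names.

Added example, not from the thread. The sample text below is constructed to
look like `host -l example.com` / `host -l 2.0.192.in-addr.arpa` output; the
zone names and addresses are made up.
"""
import re
from collections import defaultdict

FORWARD_ZONE = """\
example.com name server ns1.example.com.
example.com name server ns2.example.com.
ns1.example.com has address 192.0.2.1
ns2.example.com has address 192.0.2.2
www.example.com has address 192.0.2.10
www.example.com has address 192.0.2.11
mail.example.com has address 192.0.2.20
old-mail.example.com has address 192.0.2.20
orphan.example.com has address 192.0.2.99
"""

REVERSE_ZONE = """\
2.0.192.in-addr.arpa name server ns1.example.com.
1.2.0.192.in-addr.arpa domain name pointer ns1.example.com.
2.2.0.192.in-addr.arpa domain name pointer ns2.example.com.
10.2.0.192.in-addr.arpa domain name pointer www.example.com.
11.2.0.192.in-addr.arpa domain name pointer www.example.com.
11.2.0.192.in-addr.arpa domain name pointer web2.example.com.
20.2.0.192.in-addr.arpa domain name pointer mail.example.com.
"""

# Line formats assumed from host -l output; NS/MX/SOA lines are ignored.
A_LINE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")
PTR_LINE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa domain name pointer (\S+)$")


def parse_host_l(text):
    """Return (a, ptr): name -> set of IPv4 strings, and IPv4 -> set of names."""
    a = defaultdict(set)
    ptr = defaultdict(set)
    for line in text.splitlines():
        m = A_LINE.match(line)
        if m:
            a[m.group(1).lower().rstrip(".")].add(m.group(2))
            continue
        m = PTR_LINE.match(line)
        if m:
            # "10.2.0.192." in the owner name is the address reversed.
            ip = ".".join(reversed(m.group(1).rstrip(".").split(".")))
            ptr[ip].add(m.group(2).lower().rstrip("."))
    return a, ptr


def audit(a, ptr):
    """Return sorted (kind, subject, detail) findings for the checks David lists."""
    findings = []
    names_by_ip = defaultdict(set)
    for name, ips in a.items():
        for ip in ips:
            names_by_ip[ip].add(name)
        if len(ips) > 1:  # round robin, or a stale address never removed
            findings.append(("multi-A", name, " ".join(sorted(ips))))
        for ip in ips:
            targets = ptr.get(ip, set())
            if not targets:
                findings.append(("missing-PTR", name, ip))
            elif name not in targets:
                findings.append(("PTR-mismatch", name, ip + " -> " + " ".join(sorted(targets))))
    for ip, targets in ptr.items():
        if len(targets) > 1:  # duplicate PTRs for one address
            findings.append(("multi-PTR", ip, " ".join(sorted(targets))))
        for target in targets:
            if ip not in a.get(target, set()):  # PTR not backed by an A record
                findings.append(("PTR-without-A", ip, target))
    for ip, names in names_by_ip.items():
        if len(names) > 1:  # one address under several names
            findings.append(("shared-IP", ip, " ".join(sorted(names))))
    return sorted(findings)


def audit_text(*dumps):
    """Convenience wrapper: audit one or more host -l dumps given as strings."""
    a, ptr = parse_host_l("\n".join(dumps))
    return audit(a, ptr)


if __name__ == "__main__":
    for kind, subject, detail in audit_text(FORWARD_ZONE, REVERSE_ZONE):
        print(f"{kind:14} {subject:24} {detail}")
```

Run it over real dumps (host -l zone server, for every forward and reverse zone) against the server before the change and again after it, and diff the two finding lists; that gives the whole-namespace before/after check Todd is after without having to parse zone-file shorthand.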


DNSKEY dynamic update: unexpected change 9.6.0-P1 -> 9.6.1

2009-07-08 Thread Shumon Huque
Upgrading from 9.6.0-P1 to 9.6.1 on my master server 
unexpectedly changed DNSKEY dynamic update behavior. My
tools to secure zones rely on insertion of DNSKEY
records via dynamic update. This stopped working when
I upgraded to 9.6.1. 

The culprit seems to be:

*** bind-9.6.0-P1/bin/named/update.cWed Nov 19 01:21:45 2008
--- bind-9.6.1/bin/named/update.c   Thu Apr 30 03:03:37 2009

***
*** 3971,3977 
}
  #endif
  #ifndef ALLOW_INSECURE_TO_SECURE
!   if (had_dnskey && !has_dnskey) {
update_log(client, zone, LOGLEVEL_PROTOCOL,
   "update rejected: DNSKEY record added");
result = DNS_R_REFUSED;
--- 3981,3987 
}
  #endif
  #ifndef ALLOW_INSECURE_TO_SECURE
!   if (!had_dnskey && has_dnskey) {
update_log(client, zone, LOGLEVEL_PROTOCOL,
   "update rejected: DNSKEY record added");
result = DNS_R_REFUSED;
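Review bot: the 9.6.1 condition "if (!had_dnskey && has_dnskey)" is the one that matches the log text "update rejected: DNSKEY record added"; the 9.6.0-P1 test "if (had_dnskey && !has_dnskey)" fired on the opposite transition (keys going away), so under the default build the insecure-to-secure refusal never actually triggered and inserting the first DNSKEY by UPDATE worked by accident. The correction is right, but it turns a previously dead check into a live one with no control beyond the ALLOW_INSECURE_TO_SECURE compile-time define, so the change should be accompanied by a line in NSEC3-NOTES (or the ARM) stating that dynamic updates adding DNSKEY to an unsigned zone are refused unless named is built with -DALLOW_INSECURE_TO_SECURE, and preferably by a configure option rather than a bare CFLAGS define.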


I'm guessing this is related to 

  2530.   [bug]   named failed to reject insecure to secure transitions
  via UPDATE. [RT #19101]

Admittedly the code didn't match the pre-processor definition
in 9.6.0-P1. But I was assuming secure<->insecure zone transition
capability was turned on by default in bind 9.6. At least the file 
that documents this feature (NSEC3-NOTES) doesn't mention anything
about it not being on by default. 

For the time being, I've recompiled to fix the problem with:

   CFLAGS="-DALLOW_SECURE_TO_INSECURE -DALLOW_INSECURE_TO_SECURE"

Is there any reason these flags should not be set by default? And
if not, could I ask that the documentation (NSEC3-NOTES) be
updated to reflect what needs to be done.

Also the private type record seems to have changed from 65535 to 
65534 but this hasn't been updated in NSEC3-NOTES.

Thanks!
--Shumon.


Re: rDNS Round-Robin

2009-07-08 Thread Bryan Irvine
On Mon, Jul 6, 2009 at 4:08 PM, Kevin Darcy wrote:
> Bryan Irvine wrote:
>>
>> Other than to really annoy me;  is there a valid reason for rr rDNS?
>>
>>
>
> Once upon a time, BIND specifically *disabled* round-robin behavior for
> non-address (A/) record types. PTR RRsets, among other types, were
> always given in a "fixed" order.
>
> But, I just tried a quick test, and it appears that round-robin has been
> re-enabled for PTRs. Accident? I have no idea why anyone would want this
> behavior, except perhaps to deliberately make things annoying and the query
> results inconsistent, in the hopes that people will prevent the creation of
> round-robin PTRs in the first place.

Yes but is it explicitly forbidden anywhere?  RFCs maybe?  I can't
find anything that says you shouldn't other than the majority of
people say it's dumb.  (Sometimes you need an RFC to point to in order
to get someone to fix something that is clearly not working
correctly).


Re: DNSKEY dynamic update: unexpected change 9.6.0-P1 -> 9.6.1

2009-07-08 Thread Evan Hunt
> Is there any reason these flags should not be set by default?

Yes, there is:  the code as written uses the NSEC3PARAM record in a
way that, debatably, could be an RFC violation.  We're planning to
correct this, and turn the feature on by default in 9.7.0.  (I can't
promise, but it may make it into the next alpha release.)

> Also the private type record seems to have changed from 65535 to 
> 65534 but this hasn't been updated in NSEC3-NOTES.

Thank you for pointing that out.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: bind 9.6.1 under perform after running for a couple of hours

2009-07-08 Thread Fr34k
Hello,

A few of the default settings changed from 9.4.x to 9.6.x.
The appropriate README files, change logs, and BIND ARM will provide details
about them.

Below are some options and logging configurations you may want to investigate.
Ye Ole Disclaimer: Please be sure to understand what these do and the DNS
environment these alter before making changes.

options suggestions: (set some limits)

    options {
        # Employ ACLs to limit who can query the server
        allow-query { "file-a"; "file-b"; };
        # Employ ACLs to limit recursion - may or may not be the same files
        # as in the previous statement
        allow-recursion { "file-a"; "file-b"; };
        # Employ ACLs to drop abusive queries. Note: this will affect
        # legitimate responses from any networks listed, too. Keep this in mind.
        blackhole { "file-c"; };
        # Understand how many recursive clients the hardware should handle
        # at a time
        recursive-clients X000;
        # Understand how many TCP clients should be handled at a time
        tcp-clients X00;
        # Limit the number of clients-per-query. This helps to limit bogus
        # queries (especially from malware). We use 10.
        clients-per-query X0;
        # Same as above. That is, we hard set to deal with bogus queries from
        # malware. I believe BIND automagically adjusts this by default.
        # We use 20.
        max-clients-per-query X0;
        # Setting to 0 makes this model older behavior. I believe the 9.5+
        # new default is 32MB. Setting to 0 is unlimited, if memory serves,
        # and is what we want in our environment.
        max-cache-size 0;
    };

logging suggestions: (throw away certain things from logging IF you are not
interested in them)

    logging {
        # If "null" is not understood, one can define it using this method.
        channel secure_messages { file "/dev/null"; };
        # Fancy way of sending these logs to the garbage can using the
        # previous definition. Setting ACLs generates a lot of log chatter.
        # A good thing while one tweaks ACLs to check the logs. Once ACLs are
        # tweaked, no need to waste CPU and HDD seek time logging data we no
        # longer need = trash can.
        category security { secure_messages; };
        # Nice info about lame servers, but since we can't fix the Internet
        # = toss to the garbage can for now.
        category lame-servers { null; };
        # Again, nice info about EDNS, but it isn't something our environment
        # needs us to act upon at this time = trash can for now.
        category edns-disabled { null; };
    };

HTH.






Re: DNSKEY dynamic update: unexpected change 9.6.0-P1 -> 9.6.1

2009-07-08 Thread Shumon Huque
On Wed, Jul 08, 2009 at 09:20:29PM +, Evan Hunt wrote:
> > Is there any reason these flags should not be set by default?
> 
> Yes, there is:  the code as written uses the NSEC3PARAM record in a
> way that, debatably, could be an RFC violation.  We're planning to
> correct this, and turn the feature on by default in 9.7.0.  (I can't
> promise, but it may make it into the next alpha release.)

Thanks for the explanation. Since I'm not using NSEC3, I'm going
to assume that it's safe to set the flags.

Can I request that NSEC3-NOTES be updated to mention that these 
features need to be turned on explicitly? A configure flag would
be nice. I'd also suggest giving the file a slightly less misleading 
name, eg. DNSSEC-DYNAMIC-UPDATE-NOTES. Or putting the text into the 
ARM.

> > Also the private type record seems to have changed from 65535 to 
> > 65534 but this hasn't been updated in NSEC3-NOTES.
> 
> Thank you for pointing that out.
> 
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

--Shumon.


Re: rDNS Round-Robin

2009-07-08 Thread Mark Andrews

In message <53d706300907081412r191946eeo5c9a66657bf8e...@mail.gmail.com>,
Bryan Irvine writes:
> On Mon, Jul 6, 2009 at 4:08 PM, Kevin Darcy wrote:
> > Bryan Irvine wrote:
> >>
> >> Other than to really annoy me; is there a valid reason for rr rDNS?
> >>
> >>
> >
> > Once upon a time, BIND specifically *disabled* round-robin behavior for
> > non-address (A/) record types. PTR RRsets, among other types, were
> > always given in a "fixed" order.
> >
> > But, I just tried a quick test, and it appears that round-robin has been
> > re-enabled for PTRs. Accident? I have no idea why anyone would want this
> > behavior, except perhaps to deliberately make things annoying and the query
> > results inconsistent, in the hopes that people will prevent the creation of
> > round-robin PTRs in the first place.
> 
> Yes but is it explicitly forbidden anywhere?  RFCs maybe?  I can't
> find anything that says you shouldn't other than the majority of
> people say it's dumb.  (Sometimes you need an RFC to point to in order
> to get someone to fix something that is clearly not working
> correctly).

RRsets are unordered.  Software and configurations should
be prepared for this.  Where ordering is required it is
built into the RR type.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
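As an added example (not code from the thread or from BIND), here is what "software should be prepared for this" looks like in Python: comparing two answers as RRsets rather than as lists, taking every PTR target from a reverse answer instead of the first one when doing forward-confirmed reverse DNS, and recovering order from the RR type's own field where the type defines one (MX preference). The record tuples, names and addresses are constructed.

```python
"""Treating RRsets as the unordered sets they are.

Added example, not from the thread. Records are (owner, type, rdata) tuples
such as a resolver library might hand back; all names and addresses are
made up.
"""


def _norm_name(name):
    """DNS names compare case-insensitively; the trailing dot is presentation."""
    return name.lower().rstrip(".")


def canonical(rrset):
    """Normalise an RRset so two answers compare equal whatever order the
    server rotated them into."""
    return frozenset(
        (_norm_name(owner), rtype.upper(), " ".join(rdata.split()).lower().rstrip("."))
        for owner, rtype, rdata in rrset
    )


def same_rrset(answer_a, answer_b):
    """True if both answers carry the same records, ignoring order."""
    return canonical(answer_a) == canonical(answer_b)


def ptr_targets(answer):
    """Every PTR target in a reverse-lookup answer, never just answer[0]."""
    return {_norm_name(rdata) for _, rtype, rdata in answer if rtype.upper() == "PTR"}


def forward_confirmed(ip, ptr_answer, a_lookup):
    """Forward-confirmed reverse DNS: the names among the PTR targets whose
    A RRset contains the address. With round-robin PTRs the 'first' target
    is arbitrary, so all of them are checked."""
    return {n for n in ptr_targets(ptr_answer) if ip in a_lookup.get(n, set())}


def mx_by_preference(answer):
    """Where order matters it lives in the RDATA: MX hosts by preference,
    lowest first, with the host name as a deterministic tie-break."""
    mx = []
    for _, rtype, rdata in answer:
        if rtype.upper() == "MX":
            pref, host = rdata.split(None, 1)
            mx.append((int(pref), _norm_name(host)))
    return [host for _, host in sorted(mx)]


# Constructed sample data: one address with two PTRs, served in two orders.
PTR_ANSWER_1 = [
    ("10.2.0.192.in-addr.arpa.", "PTR", "www.example.com."),
    ("10.2.0.192.in-addr.arpa.", "PTR", "web.example.com."),
]
PTR_ANSWER_2 = list(reversed(PTR_ANSWER_1))  # same RRset, rotated
A_TABLE = {  # name -> set of addresses, standing in for forward lookups
    "www.example.com": {"192.0.2.10"},
    "web.example.com": {"192.0.2.10"},
    "stale.example.com": {"192.0.2.99"},
}
MX_ANSWER = [  # deliberately not in preference order
    ("example.com.", "MX", "20 mx2.example.com."),
    ("example.com.", "MX", "10 mx1.example.com."),
    ("example.com.", "MX", "20 mx3.example.com."),
]

if __name__ == "__main__":
    print(same_rrset(PTR_ANSWER_1, PTR_ANSWER_2))
    print(sorted(forward_confirmed("192.0.2.10", PTR_ANSWER_1, A_TABLE)))
    print(mx_by_preference(MX_ANSWER))
```

A monitoring check that compares a PTR answer against yesterday's as a list will flap on every rotation; compared through canonical() it is stable, and an rDNS-based access check written as forward_confirmed() accepts the host whichever PTR the server happens to return first.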