isc_socket_create: fcntl/reserved: Too many open files

2009-12-07 Thread john

Hi,
I'm seeing this quite frequently in syslog from bind:

Dec  7 11:00:00 ext named[26731]: isc_socket_create: fcntl/reserved: Too many open files
Dec  7 11:00:00 ext named[26731]: isc_socket_create: fcntl/reserved: Too many open files


Googling found someone asked before on here in February and was advised to 
upgrade to 9.3.6, however I'm using 9.5.1-P3 (debian release).


Any ideas how to fix this?

Thanks,

john


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: isc_socket_create: fcntl/reserved: Too many open files

2009-12-07 Thread big bond
ulimit?


Re: Bind 9.4.3-P3 on Solaris 10 Hang

2009-12-07 Thread Steve Foster

On Fri, 4 Dec 2009, Steve Foster wrote:

Hi Folks,

just to follow up on this, I've captured a core of named when this happens. 
From the looks of it there is a deadlock/very long pause occurring as most 
of the threads appear to be parked.

The output of the stacktrace suggests that 3 out of 5 threads are parked 
for some reason.


Anyone got any suggestions?

Cheers

Steve

Here is a stack trace of the threads:

stack pointer for thread 1: 7fffee51
[ 7fffee51 libc.so.1`___sigtimedwait+4() ]
  7011 libc.so.1`__posix_sigwait+0x18()
  70c1 isc_app_run+0x268()
  7221 main+0x208()
  72e1 _start+0x17c()
stack pointer for thread 2: 7db0f0e1
[ 7db0f0e1 libc.so.1`__lwp_park+0x10() ]
  7db0f191 dns_dispatch_attach+0xbc()
  7db0f241 fctx_query+0x3c4()
  7db0f431 fctx_try+0x19c()
  7db0f4f1 fctx_timeout+0x174()
  7db0f5d1 dispatch+0x48c()
  7db0f6a1 run+4()
  7db0f751 libc.so.1`_lwp_start()
stack pointer for thread 3: 7da0e7e1
[ 7da0e7e1 libc.so.1`_write+8() ]
  7da0e891 select_poke+0x28()
  7da0e9d1 socket_recv+0x190()
  7da0eac1 startrecv+0x194()
  7da0eb81 dns_dispatch_addresponse2+0x958()
  7da0ec61 resquery_send+0x158()
  7da0f241 fctx_query+0x518()
  7da0f431 fctx_try+0x19c()
  7da0f4f1 fctx_timeout+0x174()
  7da0f5d1 dispatch+0x48c()
  7da0f6a1 run+4()
  7da0f751 libc.so.1`_lwp_start()
stack pointer for thread 4: 7d90f121
[ 7d90f121 libc.so.1`__lwp_park+0x10() ]
  7d90f1d1 libc.so.1`cond_wait_queue+0x28()
  7d90f281 libc.so.1`cond_wait_common+0x2d8()
  7d90f331 libc.so.1`_cond_timedwait+0x34()
  7d90f3f1 libc.so.1`cond_timedwait+0x14()
  7d90f4a1 libc.so.1`pthread_cond_timedwait+0xc()
  7d90f551 isc_condition_waituntil+0x9c()
  7d90f691 run+0xc0()
  7d90f751 libc.so.1`_lwp_start()
stack pointer for thread 5: 7d80f3f1
[ 7d80f3f1 libc.so.1`__lwp_park+0x10() ]
  7d80f4a1 process_fd+0x158()
  7d80f551 process_fds+0x108()
  7d80f601 watcher+0x138()
  7d80f751 libc.so.1`_lwp_start()

So the only threads that are not parked are what looks to be the parent 
thread and a results thread.




DNSSEC Bogus NXDOMAIN survives authenticating RR

2009-12-07 Thread Niobos
Hi all,

I'm having some problems with implementing DNSSEC with NSEC3. I'm fairly new to 
DNSSEC, so it is certainly possible that my understanding of the subject is 
causing me to miss something. Also, I'm not entirely sure this is the correct 
mailing list, more accurate pointers are welcome.

The setup contains two BIND nameservers, both version 9.6.1-P1 on a Linux OS 
(Ubuntu 9.10 and Gentoo). One is configured as authoritative name-server for a 
(test)zone; the other is configured to be an authenticating recursive resolver.

I created a zone with the following entries (besides the standard SOA and NS):
* normal A 127.0.0.1
* changed A 127.0.0.1
* removed A 127.0.0.1
I also have two DNSKEY records (one KSK and one ZSK).

After signing this zone with the keys, I intentionally modify the signed 
zonefile to simulate a MITM attack:
* I change the "changed" A record to point to 127.0.0.2
* I remove the "removed" A record, along with its RRSIG
I would expect DNSSEC to catch these changes and reject the bogus responses.

When requesting a lookup of "normal", I get a NOERROR and the AuthenticatedData 
flag is set, along with the requested data.
When requesting a lookup of "changed", I get a SERVFAIL. I'm not sure if this 
is the expected behaviour, but it seems logical.
When requesting a lookup of "removed", I get a SERVFAIL as well. However, every 
subsequent request for "removed" gets an NXDOMAIN. (dig outputs below)
Flushing the caches on the RR with "rndc flush" causes the first request to be 
a SERVFAIL again.

When I look at the debug output of the RR for channel dnssec, I see no 
additional entries after the initial request. Log in attachment (sorry for the 
wrong mime-type; if anyone knows how to convince Mail.app to do this decently, 
let me know)



According to my understanding, this is a bug, probably in the caching. Can 
anyone confirm this is actually a bug? Point me to the right config-parameter? 
Or explain to me why this _isn't_ a bug?

Niobos


$ dig +dnssec removed.dnssec.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec removed.dnssec.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8658
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;removed.dnssec..  IN  A

;; Query time: 603 msec
;; SERVER: 10..1#53(10..1)
;; WHEN: Sun Dec  6 19:10:05 2009
;; MSG SIZE  rcvd: 59

$ dig +dnssec removed.dnssec.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec removed.dnssec.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;removed.dnssec..  IN  A

;; AUTHORITY SECTION:
.  3599IN  SOA serv02.. hostmaster.. 
2009111618 3600 3600 604800 3600

;; Query time: 946 msec
;; SERVER: 10..1#53(10..1)
;; WHEN: Sun Dec  6 19:10:07 2009
;; MSG SIZE  rcvd: 122


Re: which information is cached?

2009-12-07 Thread Matus UHLAR - fantomas
On 06.12.09 18:13, MontyRee wrote:
> I have one question about cached information.
> If I have the example.com domain and let's assume it is registered like below.
>  
> 1. root dns 
> example.com.  3600    IN  NS  ns1.example.com.
>               3600    IN  NS  ns2.example.com.
>  
> but my ns1.example.com dns zone file is set like below (assumption)
>  
> 2. ns1.example.com dns 
> example.com.  86400   IN  NS  ns3.example.com.
>               86400   IN  NS  ns4.example.com.
> 
> As you see, TTL and NS server are different between them.
>  
> What will happen if the data is different from each other like above? 
> Is there any possibility that data2 is cached?
> (In my test, data1 (root dns) seems to be cached.)

all records will be cached, but only the authoritative ones will be used if
they are found in the cache. It is important to keep both sets of information
in sync (or at least all servers have to provide correct information),
otherwise you may find strange problems.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: Punycode & nslookup

2009-12-07 Thread Danny Mayer
Chris Buxton wrote:
> On Dec 4, 2009, at 10:12 AM, Joe Baptista wrote:
> 
>> On Fri, Dec 4, 2009 at 12:26 PM, Chris Buxton wrote:
>>  
>>> nslookup will only understand IDN if BIND is compiled with that
>>> option in the ./configure step.
>>
>> might be a good idea if it was the default option. as idn becomes
>> popular the lack of idn support for the tools will result in confusion.
> 
> The reason IDN support in the BIND query tools (dig, host, nslookup)
> is not the default is because it relies on a 3rd party library, which
> must be installed and configured by the package builder beforehand. This
> is just like SSL support, needed for DNSSEC and TSIG, except that most
> operating systems don't already ship with libidnkit.
> 

And I haven't looked for one for Windows so it probably won't work with
Windows.

Danny



Re: isc_socket_create: fcntl/reserved: Too many open files

2009-12-07 Thread Dmitry Rybin

Hi! RTFM :)

/etc/security/limits.conf
binduser   soft   nofile   32384
binduser   hard   nofile   32384


change binduser to your real BIND user.



BIND9 slave

2009-12-07 Thread George
Hi,

I am trying to set up a BIND9 slave server.

From the docs I found on the internet I can see that when you add a
new domain it needs to be added on both slave and master in
named.conf. Is this correct?

Is there a way to make the slave server automatically get and update
any new domains that are added to the master server?

Please advise.

Thanks


Re: isc_socket_create: fcntl/reserved: Too many open files

2009-12-07 Thread john

Thanks,

john


Bind9.6.1-P2 - Zone Statistic counters remaining 0

2009-12-07 Thread Dangl, Thomas
Hello,
 
some counters in the zone statistics remain 0 although queries have been
answered.
 
Here is the example for a zone statistics.
The counter Requestv4 is still 0. Requestv6 is irrelevant for what I
did, queries were done via IPv4.
QrySuccess, QryAuthAns and QryNXDOMAIN are correct.
 
My target is to have a number of all queries (successful and failed) -
i.e. without XFR and update - for each zone.
Please note that the counter shall be based on queries, not on responses.
 

  4.3.2.1.e164.arpa/IN
  IN
  3
  
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
4
0
0
0
0
0
2
0
0
0
0
1
0
0
0
0
0
0
  


Could you please explain the behavior?
 
 
Best regards
 
 
Thomas Dangl

 

Re: Punycode & nslookup

2009-12-07 Thread jefsey

At 14:07 07/12/2009, Danny Mayer wrote:

>> The reason IDN support in the BIND query tools (dig, host, nslookup)
>> is not the default is because it relies on a 3rd party library, which
>> must be installed and configured by the package builder beforehand. This
>> is just like SSL support, needed for DNSSEC and TSIG, except that most
>> operating systems don't already ship with libidnkit.
>
> And I haven't looked for one for Windows so it probably won't work with
> Windows.


IDNA2008 is an "elementary" solution: i.e. at individual application 
level. This means that we now need an IDNA system that will 
identically support all the elementary needs of each of the 
applications on a machine. And we need to incorporate IDNA in the 
network globality, meaning making sure the various (ICANN, Google, 
Interplus, Microsoft(?), IDNA2003, Unicode approaches) do 
interoperate. This is the fundamental issue currently discussed at 
the WG/IDNABIS. This cannot be attained in curbing humanity to the 
current incomplete text limitations. This is to be based upon 
experimentation, adaptation, and practice of the IDNA2008 proposition.


My current conclusion is that the general solution lies in a 
replacement of the punycode implementation (i.e libidnkit) by an 
extended punyplus module that will perform along the IDNA2010 wrap-up 
exploratory effort that was initiated yesterday 
(http://iucg.org/wiki/BUD-IDNA2010). This seems to be the most 
natural and the most portable place.


jfc



Re: BIND9 slave

2009-12-07 Thread Matthew Pounsett


On 07-Dec-2009, at 08:37, George wrote:

> Is there a way to make the slave server automatically get and update
> any new domains that are added to the master server?

This question pops up about once every two months on the list.  There  
are several other discussions on the subject that you could search for  
and read.


In short, though:  There's nothing in the protocol for doing that, and  
BIND does not currently have a proprietary way of doing this.


Previous discussions on the list have covered a number of different  
ways of implementing this yourself.  Most are pretty simple  
descriptions of perl scripts that modify your master server's  
named.conf to work on the slave so that it can be automatically scp'd  
over when it's updated.  My personal favourite is Paul Vixie's  
'federated domains' example, described here:





If you search the list you'll find many, many others.

Matt






single entry to hosted service

2009-12-07 Thread Dan Letkeman
Hello,

I need to add an entry in our dns servers for a hosted service we
purchased.  Do I just add a master zone and a single entry?  Or is
there a better way to add a single entry to forward to a remote
server?

Thanks,
Dan.


RE: BIND9 slave

2009-12-07 Thread Todd Snyder
In BIND, no.

There are some solutions discussed (check the archives) around setting
up special zones with the meta data required for the slaves to create
their own slaves, I've even whipped up a POC, but I've not found a
ready-made tool yet.

Your best bet is to script something up.  We have a standard format for
our files, so all I do is parse the named.conf from my master, change
"master" to "slave" and add the "masters" line.  I then have a script
that pushes the new file out to the slaves and "rndc reconfigs" them.
This works best if you use includes for your zone configuration, keeping
it out of named.conf.

It's pretty trivial for a lab quality deployment, but for production,
I'd look around or develop something a little more robust.

Cheers,

Todd.



Re: BIND9 slave

2009-12-07 Thread Kevin Darcy

There's no way within the DNS protocol, or as a feature of vanilla BIND, 
to make this happen.


Folks have devised various ways to automate this. Commercial DNS systems 
often have some sort of "push" mechanism, which updates the DNS config 
file on remote systems automatically, using their own proprietary 
protocols and subsystems (which are often used for maintaining DHCP 
configs as well).


Others mimic this basic approach in their own homegrown systems by 
having a central slave config and then replicating it out to all of the 
slaves (e.g. using rsync), along with some way to tell each slave to 
reload the config when it changes (e.g. rndc).


Or, you can run a script on the slaves which consults some centralized 
"zone slaving database" to determine what zones to slave, or to stop 
slaving. This "zone slaving database" can take many forms. One idea is 
to represent this list as a special zone within DNS itself, containing 
just one entry per zone to be slaved. I prefer using PTR records for 
this, over, say, TXT records, since PTR records can benefit from label 
compression.


How one interprets that special "zone slaving zone" and 
populates/modifies/regenerates the named.conf to reflect the slave-zone 
definitions at any particular time, is left as an exercise to the 
reader. Unfortunately, I can't share any code, since it's all 
intellectual property of my employer...


- Kevin



Re: single entry to hosted service

2009-12-07 Thread Kevin Darcy

Maybe I'm not understanding your requirements. If this hosted service 
uses a name that's already populated in the Internet-facing DNS, why do 
you need any special DNS configuration at all? Why can't you resolve 
this like you resolve any other Internet name?


Assuming that you _do_ in fact need some special configuration, for some 
reason, the zone types for (non-root) zones in BIND are: master, slave, 
forward, and stub. Each of them has benefits and disadvantages, but I'll 
defer that discussion until and unless it's determined that you need a 
special DNS configuration at all...


- Kevin





ISC website down

2009-12-07 Thread Chris Hills
It is sod's law that just when I need to look up the email address to
report a bug, currently the website is showing:-

Unable to connect to database server
[..]
The MySQL error was: Can't connect to local MySQL server through socket
'/tmp/mysql.sock' (2).
[..]



Re: ISC website down

2009-12-07 Thread Chris Hills
It is back now.



Re: ISC website down

2009-12-07 Thread fakessh
On Mon, 07 Dec 2009 19:07:19 +0100, Chris Hills  wrote:
> It is back now.
> 

it is up for me

https://www.isc.org/



Re: single entry to hosted service

2009-12-07 Thread Dan Letkeman
Yes I do need some kind of dns configuration.  We bought a hosted
accounting service from a company that has asked us to put a dns entry
into our dns servers so that our internal machines only can resolve
there hosted service via dns.  I guess they don't want to populate
there isp's dns servers with all of the dns entries for all of there
customers

So with my limited knowledge of bind (using webmin to configure it) I
need to make an entry like this:

222.222.222.222  A  hosted.accounting.com

In our internal DNS servers.

I don't have any "internet side" dns, just internal.  I'm just a bit
unsure on what the best way to do this is, and I don't want to have to
append everyone's hosts file on there workstations.  I have many
master zones for our internal systems, and I have created all of the
necessary records.  I have set up slave servers, and the whole bit.

So I'm wondering do I need to setup a master zone, and put in the
222.222.222.222 A hosted.accounting.com as an A record, and then have
the zone forward everything else?  Reason being is because our users
will still need to access other sites from the accounting company's
domain.


Thanks,
Dan.



Bind slave to Windows 2008 AD/DNS

2009-12-07 Thread Jukka Pakkanen
I have our BIND servers running as slaves to a Windows 2008 DNS server, 
and it's working fine as far as I can see (except that the slaves after 
a period of time lose the data and never update it unless I restart the 
BIND process, but that's another matter) but browsing the web I noticed 
there should be 6 zones I need to slave to have it correctly:


>What zones are you slaving on your BIND server? There should be six:
>
>DomainDNSZones.example.com
>ForestDNSZones.example.com
>_msdcs.example.com
>_sites.example.com
>_tcp.example.com
>_udp.example.com
>
>If you have these six zones slaved on your BIND server, and these 
zones are being transferred successfully, then there should be no 
problems. "


What exactly does this mean?  I only have this:

zone "company.local" {
   type slave;
   file "company.local.cache";
   masters { 62.x.x.x; };
};

Should I instead have these six zones in the named.conf, like:

zone "DomainDNSZones.company.local" {
   type slave;
   file "domaindnszones.company.local.cache";
   masters { 62.x.x.x; };
};

zone "ForestDNSZones.company.local" {
   type slave;
   file "forestdnszones.company.local.cache";
   masters { 62.x.x.x; };
};

zone "_msdcs.company.local" {
   type slave;
   file "_msdcs.company.local.cache";
   masters { 62.x.x.x; };
};

etc...??




RE: single entry to hosted service

2009-12-07 Thread Jeff Lightner
You create a zone file that only has the entries for accounting.com.  You add 
that to named.conf.  

Your other zone files are still in place so you shouldn't need to forward 
anything else because you're saying this is internal to your network.  If a 
user is sitting at his desk and types:

InternalSite1.example.com to get to one of your internal websites then goes to 
hosted.accounting.com then tries to go to InternalSite2.example.com then their 
current stub server setting should use the same resolution setting (e.g. 
/etc/resolv.conf on UNIX/Linux) to get to InternalSite2 as it used to get to 
InternalSite1.

The above assumes all your workstations etc... always ask your DNS server for 
any lookup first which is the normal way of doing things.



Re: single entry to hosted service

2009-12-07 Thread Kevin Darcy
Can't you just add something to your _own_ DNS, pointing to the external 
IP address, and have your clients use that name?


It would be pretty ridiculous if a) the server code of the app actually 
cares what name the client uses for accessing it, b) they mandate that 
their (<-- note spelling of word) customers use a name in *the*vendor's* 
domain to access the app, c) had a different name for each customer, but 
d) couldn't be bothered adding the name for each customer to their own 
domain. Essentially, they'd be forcing all of their customers to kludge 
their DNS (or to use something even less manageable, like WINS or local 
hosts-file entries).



   - Kevin




Re: single entry to hosted service

2009-12-07 Thread Dan Letkeman
Thanks Jeff.  I'll give this a try.

On Mon, Dec 7, 2009 at 1:53 PM, Jeff Lightner  wrote:
> You create a zone file that only has the entries for accounting.com.  You add 
> that to named.conf.
>
> Your other zone files are still in place so you shouldn't need to forward 
> anything else because you're saying this is internal to your network.  If a 
> user is sitting at his desk and types:
>
> InternalSite1.example.com to get to one of your internal websites then goes
> to hosted.accounting.com then tries to go to InternalSite2.example.com then 
> their current stub server setting should use the same resolution setting 
> (e.g. /etc/resolv.conf on UNIX/Linux) to get to InternalSite2 as it used to 
> get to InternalSite1.
>
> The above assumes all your workstations etc... always ask your DNS server for 
> any lookup first which is the normal way of doing things.

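A concrete variant of what Jeff suggests, as an added example and not configuration from anyone in the thread: a one-name master zone for hosted.accounting.com, which overrides just that hostname and leaves every other name under accounting.com to normal Internet resolution (Dan's concern about the provider's other sites). The nameserver names ns1/ns2.internal.example, the zone directory argument and the allow-query ACL are assumptions; 222.222.222.222 is the placeholder address from the thread.

```shell
#!/bin/sh
# Added example, not Jeff's or Dan's own configuration. A one-name master
# zone whose apex *is* hosted.accounting.com overrides just that hostname;
# every other name under accounting.com is still resolved over the
# Internet as before. 222.222.222.222 is the placeholder address from the
# thread; the nameserver names, the zone directory passed as $1 and the
# allow-query ACL are assumptions to adjust to the local setup.

ZONE=hosted.accounting.com

# Write the zone file db.hosted.accounting.com into the directory $1.
write_override_zone() {
    cat > "$1/db.$ZONE" <<'EOF'
$TTL 300
@   IN SOA  ns1.internal.example. hostmaster.internal.example. (
            2009120701 ; serial, YYYYMMDDnn
            3600       ; refresh
            600        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
@   IN NS   ns1.internal.example.
@   IN NS   ns2.internal.example.
@   IN A    222.222.222.222
EOF
}

# Print the stanza to add to named.conf (named.conf.local on Debian), then
# "rndc reload". allow-query keeps the override visible to internal
# networks only, which is what the provider asked for.
named_conf_stanza() {
    cat <<EOF
zone "$ZONE" {
    type master;
    file "$1/db.$ZONE";
    allow-query { localnets; };
};
EOF
}

# Check the zone file before reloading, when the BIND tools are installed.
check_override_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$1/db.$ZONE"
    fi
}
```

Because the zone's apex is the hostname itself, www.accounting.com and any other provider name never hit this zone and are resolved the same way they were before.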

Re: parent dns answers the ARR of child dns

2009-12-07 Thread Kevin Darcy

Tech W. wrote:
> --- On Fri, 4/12/09, Kevin Darcy  wrote:
>
>> From: Kevin Darcy 
>> Subject: Re: parent dns answers the ARR of child dns
>> To: bind-users@lists.isc.org
>> Received: Friday, 4 December, 2009, 1:56 AM
>> Not only that, but DNS.gduf.edu.cn is performing recursion, while not
>> setting RA in, and not copying RD into, the header of the response.
>>
>> % dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
>>
>> ; <<>> DiG 9.3.0 <<>> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
>> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.smartip.gduf.edu.cn. IN A
>>
>> ;; ANSWER SECTION:
>> www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
>> www.smartip.gduf.edu.cn. 30 IN A 218.192.12.4
>> www.smartip.gduf.edu.cn. 30 IN A 218.192.12.10
>>
>> I suspect this is YABDLBD (Yet Another Brain-Damaged Load-Balancer
>> Device). Or a defective DNS proxy.
>
> Thanks for your answers.
> But DNS.gduf.edu.cn is a Windows DNS Server running on MS Advanced Server,
> not a proxy or load-balancer.
>
>> While the cache is populated with these records, even *non-recursive*
>> queries will be given this answer directly, instead of a referral. Once
>> the records time out, referrals are given again.
>
> Yes I am also confused by this behavior.
> So do you have any suggestion how to resolve it?
> I want any query to the subzone to be answered by the subzone's NS server, not
> by the parent one.

This can't happen as long as the parent nameserver keeps on recursing
queries and then responding with cached answers to those
previously-recursed queries.

This isn't a Microsoft DNS mailing list, and I'm not that familiar with
Microsoft DNS, so about the only advice I can give you is look through
the config and see where to turn off recursion completely. If that's not
possible, because the server also needs to act as a resolver for some
set of clients, then I don't know how such requirements are met, if at
all, by Microsoft DNS. I don't think that product has a "view" feature,
for instance.

Even if Microsoft provides fine-grained control of who can recurse and
who can't, that alone still might not solve your problem, since you can
never control if and when one or more of its "authorized" clients may
look up www.smartip.gduf.edu.cn and then that answer will be cached for
some period of time. You'd also need, at a bare minimum, fine-grained
control over who can query the cache (e.g. something analogous to
allow-query-cache), in order to really pull that off.

- Kevin


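The symptom Kevin describes can be checked from outside with a non-recursive query to the parent's nameserver: for a name delegated to a child zone, a healthy parent returns a referral, while a parent that has recursed and cached the child's records returns the answer itself. The script below is an added example, not part of the thread; it classifies a dig response header either way. Both sample responses are constructed, the first modelled on the dig output quoted above, and the NS names in the second are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. A parent zone's nameserver asked
# non-recursively ("dig +norecurse <name> @<parent-ns>") for a name
# delegated to a child zone should refer; one that has recursed and
# cached the child's records answers instead, which is Kevin's point.
# classify_response reads a dig response and says which happened.
# The two sample responses are constructed, the first modelled on the
# output quoted above; the NS names in the second are placeholders.

# Reads dig output on stdin; prints referral, answer, answer-no-ra or other.
classify_response() {
    awk '
        /^;; flags:/ {
            seen = 1
            aa = ($0 ~ / aa[; ]/); ra = ($0 ~ / ra[; ]/)
            sub(/.*ANSWER: /, "");    answer = $1 + 0
            sub(/.*AUTHORITY: /, ""); authority = $1 + 0
        }
        END {
            if (!seen)                                    print "other"
            else if (answer == 0 && authority > 0 && !aa) print "referral"
            else if (answer > 0 && !ra)                   print "answer-no-ra"
            else if (answer > 0)                          print "answer"
            else                                          print "other"
        }'
}

# Constructed: the parent answers directly, aa set, ra absent (as above).
sample_parent_answers() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
EOF
}

# Constructed: the referral a parent should give for a delegated name.
sample_parent_refers() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
smartip.gduf.edu.cn. 3600 IN NS ns1.smartip.gduf.edu.cn.
smartip.gduf.edu.cn. 3600 IN NS ns2.smartip.gduf.edu.cn.
EOF
}
```

Run it as `dig +norecurse www.smartip.gduf.edu.cn @DNS.gduf.edu.cn | classify_response`; "answer-no-ra" for a delegated name is the behaviour Kevin is describing, and the classification flips back to "referral" once the cached records expire.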

Re: Punycode & nslookup

2009-12-07 Thread Danny Mayer
jefsey wrote:
> At 11:06 06/12/2009, Chris Buxton wrote:
>> On Dec 5, 2009, at 6:34 AM, JFC Morfin wrote:
>> > Chris Buxton  4 December 2009 20:29
>> >> The reason IDN support in the BIND query tools (dig, host,
>> nslookup) is not the default is because it relies on a 3rd party
>> library, which must be installed and configured by the package builder
>> beforehand. This is just like SSL support, needed for DNSSEC and TSIG,
>> except that most operating systems don't already ship with libidnkit.
>> >
>> > Do you know the hook? I am just starting investigating the code, and
>> I have C only as a minor :-)
>>
>> All I know is what you find in the BIND source code directory. For
>> example, with BIND 9.7.0b2:
>>
>> $ ./configure --help | grep idn
>>   --with-idn=MPREFIX  enable IDN support using idnkit default PREFIX
>>   --with-idnlib=ARG   specify libidnkit
>>
>> $ less README.idnkit
> 
> Due to my lack of time and because at the same time I use BIND/Windows
> on my XP machine to test my own way to use the DNS in the IDNA suggested
> context; I selected 9.5.2.
> 

Which means spending even more time since BIND/Windows does not yet
support the IDN libs.

Danny

> I understand from quick digging that the IDN libs are of 2003. Since I
> mainly want to work on them, I feel this is OK. Except if they have been
> updated?
> Best.
> jfc



Re: Mailing to bind

2009-12-07 Thread Danny Mayer
jefsey wrote:
> At 06:36 06/12/2009, Danny Mayer wrote:
>> JFC Morfin wrote:
>> > I wish to set-up my BIND DNS server on window XP as a service. I
>> checked
>> > the "automatic start-up". Unfortunately it did not work. The readme1st
>> > guide only says that the way to do it is as usual, what does not
>> help me
>> > since I never did it. When I try using mmc there is no way I find to
>> > declare named as a service.
>> >
>> > Would there be a dedicated Windows/BIND internet user oriented site
>> > which explains how to install BIND on windows?
>>
>> Did you actually read the readme? Did you run BINDInstall? Did you
>> create a named.conf file? Did you check your application event log?
> 
> Dear Danny,
> My questions were basic questions of a basic user, i.e. what I either to
> answer or to solve for him, as part of a complete support of IDNA. I
> therefore understand that BINDInstall is the tool to start from, i.e.
> study and extend as per the new requirements I may perceive. And that a
> dedicated (IDNA/)BIND(/Windows) support solution is to be explored if it
> appears necessary, none existing yet.
> Best.
> jfc

No, BINDInstall is just an install tool. You need to start with
readme1st.txt, named.conf and the ARM, the same as Unix.

Danny



Signing with the KSK and ZSK

2009-12-07 Thread xu dong
Hi folks, I have a question about signing zone files with the KSK and the
ZSK. As I know, when signing the zone files I have to use the KSK and ZSK
both, just as follows:

dnssec-signzone -o domain-name -t -k KSK zone-name ZSK

but I want to sign the ZSK with the KSK first, and then sign the zone files with
the ZSK, so how can I do it?

Thanks.
-- 
-
Xudong
email:xudon...@gmail.com
Beijing,China
-