RE: Defining custom root zone by subnet.

2010-07-13 Thread Nadir Aliyev
It's maybe silly just for you. But not for all.

For example,
I authorize users via RADIUS in 2 ways: without an ACL and with a guest ACL.
So I give the same DNS servers to all users, but I give a public IP to the normal
users and a private IP to the users with the guest ACL, for the purpose of redirecting all
DNS requests from the users with the guest ACL to the defined webserver.
That's all.


Sorry for my English.


-Original Message-
From: Larry Brower [mailto:la...@maxqe.com] 
Sent: Tuesday, July 13, 2010 10:43 AM
To: Nadir Aliyev
Cc: bind-users@lists.isc.org
Subject: Re: Defining custom root zone by subnet.

Nadir Aliyev wrote:
> Hi friends,
>
> Is it possible in BIND to define a fake root zone by subnet? (in this case just
> for zone1)

Sounds like you need to use views. Why would you want to do this 
though? It is silly.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Defining custom root zone by subnet.

2010-07-13 Thread Nadir Aliyev
Didn't help...


view "internal-in" in {
    match-clients { zone1; };
    recursion yes;
    zone "." {
        type master;
        file "db.lockdown";
    };
};





RE: bind-users Digest, Vol 573, Issue 2

2010-07-13 Thread Nadir Aliyev
Hmm, it worked; the problem was with the db.lockdown syntax.

Not relevant anymore.


-Original Message-
From: bind-users-bounces+nadir=ultel@lists.isc.org
[mailto:bind-users-bounces+nadir=ultel@lists.isc.org] On Behalf Of
bind-users-requ...@lists.isc.org
Sent: Tuesday, July 13, 2010 5:00 PM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 573, Issue 2

Send bind-users mailing list submissions to
bind-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
bind-users-requ...@lists.isc.org

You can reach the person managing the list at
bind-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."


Today's Topics:

   1. Behavior of a slave to a NOTIFY (Richard Tom)
   2. Defining custom root zone by subnet. (Nadir Aliyev)
   3. Re: Defining custom root zone by subnet. (Larry Brower)
   4. RE: Defining custom root zone by subnet. (Nadir Aliyev)
   5. RE: Defining custom root zone by subnet. (Nadir Aliyev)


--

Message: 1
Date: Mon, 12 Jul 2010 22:28:48 -0400
From: Richard Tom 
Subject: Behavior of a slave to a NOTIFY
To: bind-users@lists.isc.org
Message-ID: <4c3bcf60.5010...@cv.net>
Content-Type: text/plain; format=flowed; charset=ISO-8859-1

What would delay a slave responding to a notify?  More importantly, what 
would delay a slave from transferring a zone after verifying the 
master's serial for the zone is newer than the serial the slave has?

I've looked over the bug fixes as accumulated by the latest revisions 
for the 9.[2-7].x releases and see there have been some fixes to code 
related to notifies and zone transfers.

Is it safe to say a busy BIND 9.5.x slave performing lots of zone 
transfers retrieves zones (from a master) more timely than a similarly 
busy 9.2.x slave?

Regards,
Richard




--

Message: 2
Date: Tue, 13 Jul 2010 10:25:47 +0500
From: "Nadir Aliyev" 
Subject: Defining custom root zone by subnet.
To: 
Message-ID: <002201cb224b$d9b090f0$8d11b2...@net>
Content-Type: text/plain; charset="koi8-r"

Hi friends,

Is it possible in BIND to define a fake root zone by subnet? (in this case just for
zone1)

acl zone1 {
    10.0.10.0/24;
};

acl zone2 {
    XXX.XXX.XXX.XXX/24;
};

zone "." {
    type master;
    file "db.lockdown";
};



reason for "expected covering NSEC3, got an exact match" ?

2010-07-13 Thread Gilles Massen
Hello,

I have a signed zone (dnssec.lu) with NSEC3 / no opt-out, signed through
OpenDNSSEC. The zone contains a wildcard with a TXT and A record.

Each time the server is queried for something where the QNAME is matched
by the wildcard, but the QTYPE is not, named logs a warning: "expected
covering NSEC3, got an exact match".

This behaviour exists only if a wildcard is present in the zone. The
zone doesn't contain any stale or unnecessary NSEC3 records.

Is there an explanation for the warning? Apart from complaining, BIND
seems to do everything correctly. (BIND 9.7.1-P1)

best,
Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473


Re: reason for "expected covering NSEC3, got an exact match" ?

2010-07-13 Thread Kalman Feher
It looks like normal NSEC to me, unless you are referring to an isolated
copy of the domain not accessible to the public:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22416
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.lu.                    IN      TXT

;; AUTHORITY SECTION:
dnssec.lu.              300     IN      SOA     ns1.restena.lu. hostmaster.restena.lu. 2008110708 3600 300 1209600 300
dnssec.lu.              300     IN      RRSIG   SOA 5 2 3600 20081207145334 20081107145334 23997 dnssec.lu.
                                                kH1rP6S1AIBEe5LoZN+b4f+IfRB48LcMMbfHUAsAP6Pp+7gLIiJwNWfK
                                                u5GEgjMlsiO6irarcAfugWd3hkjbThPXpN7mgCxQa35FIluxCkmW7bRr
                                                WD78Tg4RMGmKJyFzzNA/m6Vxi9O04fjgk0tlxhoE0MTTsvWP++3ungVO KsU=
dnssec.lu.              300     IN      NSEC    *.dnssec.lu. NS SOA RRSIG NSEC DNSKEY
dnssec.lu.              300     IN      RRSIG   NSEC 5 2 300 20081207145334 20081107145334 23997 dnssec.lu.
                                                HVMxwETY/E1EiVfAHcA/zqiCnntg1Eh9CCQzgPLjbqC32Heu9eASgUjT
                                                hQcpImO2ehXWNFMKGOPobMqY8AQIKQP0AZ3QLNsYHtyD+tDcJhIQ7HHJ
                                                ihAXe5Tg6cFqXWE1ACD3KEekWsAxCvZtBNY8FC+a0oVLiZQlxb7Sufdy o6s=



-- 
Kal Feher | Melbourne IT | Malmö, Sweden | ph: +46 406 919185 | mob: +46 734 224407



Re: reason for "expected covering NSEC3, got an exact match" ?

2010-07-13 Thread Gilles Massen

Kalman Feher wrote:
> It looks like normal NSEC to me, unless you are referring to an isolated
> copy of the domain not accessible to the public:

Yes, indeed, sorry about that. I should keep my playgrounds tidier. The
actual zone is located on nssec.restena.lu, and is publicly queryable
(even with AXFR).


Gilles


-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473


Re: reason for "expected covering NSEC3, got an exact match" ?

2010-07-13 Thread Kalman Feher
OK, now I see it.
The response appears OK, but the log entry is odd. I see the same on my test
box (9.7.1 not patched to P1 yet). A brief thread on this occurred earlier
in the year (archived here):
http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.dns.bind/2010-03/msg00282.html


-- 
Kal Feher | Melbourne IT 



Re: reason for "expected covering NSEC3, got an exact match" ?

2010-07-13 Thread Gilles Massen

Kalman Feher wrote:
> Ok now I see it.
> The response appears ok, but the log entry is odd. I see the same on my test
> box (9.7.1 not patched to P1 yet).

I saw this on earlier 9.7 as well.

> A brief thread on this occurred earlier
> in the year (archived here):
> http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.dns.bind/2010-03/msg00282.html

I saw this as well, but it doesn't give an explanation of why BIND logs
this, because the requested data does not exist in the zone.

However, while digging a bit in the source, I wondered if BIND was not
confused because during the lookup of the NSEC3 record it found data
synthesized by the wildcard, when no data was expected. If that's the
case it's a very minor bug, but I'm not good at reading source code...

Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
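To make the vocabulary of that log message concrete, here is an added Python example (not code from BIND or OpenDNSSEC). It computes NSEC3 owner hashes as RFC 5155 section 5 specifies and classifies a name against a zone's NSEC3 chain as a "match" (some NSEC3 RR owns that hash) or a "cover" (the hash falls in the gap between an NSEC3 owner and its next-hash field). The last function walks through the three lookups a "wildcard no data" answer needs under RFC 5155 section 7.2.5, which is exactly Gilles's case (QNAME matched by the wildcard, QTYPE absent): a matching NSEC3 for the closest encloser, a covering NSEC3 for the next closer name and a matching NSEC3 for the wildcard. The zone names are constructed for the example; the salt and iteration count are those of the RFC 5155 Appendix A example zone, and the one hash value checked below is that appendix's hash of the apex.

```python
import base64
import hashlib

# Added example, not BIND or OpenDNSSEC code. NSEC3 hashing per RFC 5155
# section 5 and a check of which NSEC3 record in a chain "matches" or
# "covers" a name. The zone contents are constructed for the example; the
# salt and iteration count are the RFC 5155 Appendix A values.

SALT, ITERATIONS = "aabbccdd", 12

# Names that exist in the constructed zone. The wildcard owner name is
# included: it gets its own NSEC3 RR like any other name in the zone.
ZONE_NAMES = ["example", "ns1.example", "a.example", "*.example"]

# base32 -> base32hex (RFC 4648 section 7). base32hex preserves the byte
# order of the hashes, which is what makes the string comparisons below valid.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, terminating zero."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex=SALT, iterations=ITERATIONS):
    """SHA-1 of (name || salt), then 'iterations' further rounds of SHA-1(h || salt), as base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def build_chain(existing_names, salt_hex=SALT, iterations=ITERATIONS):
    """The zone's NSEC3 chain: sorted owner hashes, each paired with the next one; the last wraps to the first."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in existing_names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def classify(qhash, chain):
    """'match' if an NSEC3 owns qhash, 'cover' if qhash lies in the gap between an owner and its next hash."""
    for owner, nxt in chain:
        if qhash == owner:
            return "match"
        if owner == nxt:                                       # one-record chain covers everything else
            return "cover"
        if owner < nxt and owner < qhash < nxt:
            return "cover"
        if owner > nxt and (qhash > owner or qhash < nxt):     # the wrap-around gap at the end of the chain
            return "cover"
    return "none"


def wildcard_nodata_proof(qname, existing_names, salt_hex=SALT, iterations=ITERATIONS):
    """
    The three NSEC3 lookups a 'wildcard no data' response needs (RFC 5155 7.2.5):
    the closest encloser (expected 'match'), the next closer name (expected 'cover')
    and the wildcard itself (expected 'match'). Returns what the chain actually gives.
    """
    names = {n.lower().rstrip(".") for n in existing_names}
    chain = build_chain(names, salt_hex, iterations)
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels) in names:
        raise ValueError("qname exists in the zone; no wildcard proof is needed")
    for i in range(1, len(labels) + 1):        # the longest existing ancestor is the closest encloser
        candidate = ".".join(labels[i:])
        if candidate in names:
            closest, next_closer = candidate, ".".join(labels[i - 1:])
            break
    else:
        raise ValueError("no ancestor of qname exists in the zone")
    wildcard = "*." + closest
    return tuple(classify(nsec3_hash(n, salt_hex, iterations), chain)
                 for n in (closest, next_closer, wildcard))


if __name__ == "__main__":
    for owner, nxt in build_chain(ZONE_NAMES):
        print(owner, "->", nxt)
    print(wildcard_nodata_proof("foo.example", ZONE_NAMES))
```

A `("match", "cover", "match")` result is the well-formed proof; a "match" in the middle position is the situation the warning text describes, a next closer name whose hash is owned by an NSEC3 RR instead of falling in a gap. Whether named's lookup is really being confused by wildcard synthesis, as Gilles suspects, is not something this model can decide; it only shows what each lookup is supposed to return.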


Performance tuning tips required for bind 9.6.1-P3!!!

2010-07-13 Thread Shiva Raman
Dear All

This is in reference to performance tuning. I had already gone through
the mailing list archives, but could not find an answer to my
specific query mentioned here.

I had installed BIND as a caching name server for test purposes and am
planning to test performance that could give me around 1 qps.

The OS is CentOS 5.4 64 bit, with minimal packages installed. The
server is a dual quad-core Intel Xeon 2.53 GHz, 16 GB RAM with 300 GB HDD
(RAID 1).

*BIND version installed is bind 9.6.1-P3. Source extracted and compiled
with the following options.*

./configure --enable-epoll --enable-atomic --enable-ipv6 --enable-chroot
--with-openssl --with-randomdev=/chroot/named
--disable-openssl-version-check --with-libtool --enable-threads

Chrooted BIND installation is done.

Only named, ssh and ntp services are running on the servers.

Right now I am using queryperf to test the performance with a sample query
file of a thousand entries. Right now
I am getting only 2000 to 2300 qps. I am writing query logs to a separate
partition with noatime enabled for the
partition.

OS hardening is done by removing unwanted services, closing all
unnecessary ports and securing the running services.

My system is now using only 3 GB of RAM of the total 16 GB.

*Following is the output of "uptime;free -m" during performance testing*

[r...@localhost ~]# uptime;free -m
 22:19:52 up 1 day,  6:06,  3 users,  load average: 2.03, 2.06, 1.34
             total       used       free     shared    buffers     cached
Mem:         16047       3183      12864          0        238       2037
-/+ buffers/cache:        907      15140
Swap:         8189          0       8189




*Following is my named.conf*

acl testsetup_net {
  10.201.31.0/26;
};

acl blacklistnets {
  192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 192.168.0.0/16;
};

// Main options defined here
options {
  directory "/conf";
  dump-file "named_dump.db";
  statistics-file "named.stats";
  pid-file "/var/run/named.pid";
  // the original had a stray empty element ("localhost; ;"), which is not valid address-list syntax
  allow-recursion { localhost; testsetup_net; };
  allow-query { localhost; testsetup_net; };
  allow-query-cache { localhost; testsetup_net; };
  allow-transfer { none; };
  blackhole { blacklistnets; };
  recursive-clients 2;
  version "Not old!";
  datasize default;
  notify yes;
};

// Logging options are defined here.
logging { // logging option for named process
  channel "default_debug" {
    file "/logs/named.log" versions 10 size 50m;
    print-time yes;
    print-category yes;
    severity dynamic;
  };

  channel "queries" { // logging option for queries to named
    file "/logs/query.log" versions 20 size 100m;
    print-time yes;
    print-category yes;
    severity dynamic;
  };

  category default { "default_debug"; };
  category queries { "queries"; };  // uncomment this to log queries
  category config { "default_debug"; };
  category security { "default_debug"; };
  category network { "default_debug"; };
  category lame-servers { null; };
  category edns-disabled { null; };
};


zone "." in {
  type hint;
  file "db.rootcache";
};

zone "localhost" in {
  type master;
  file "db.local";
  notify no;
};

zone "0.0.127.in-addr.arpa" in {
  type master;
  file "db.127.0.0";
  notify no;
};


Kindly guide me on improving the BIND performance from 2000 qps to
nearly 1 qps. Which parameters should I change to improve
the performance? Are there any OS-level parameters to be changed to improve the
performance?

thanks in advance

Regards

Shiva Raman

Re: Performance tuning tips required for bind 9.6.1-P3!!!

2010-07-13 Thread Dave Sparro

On 7/13/2010 1:11 PM, Shiva Raman wrote:

> Dear All
>
> This is in reference to the performance tuning, I had already gone
> through the mailing list archives, but could not find an answer to my
> specific query mentioned here.
>
> Right now I am using queryperf to test the performance with a sample query
> file of a thousand entries. Right now
> I am getting only 2000 to 2300 qps.
>
> Kindly guide me for improving the bind performance from 2000 qps to
> nearly 1 qps. Which are the parameters I should change for improving
> the performance? Any OS level parameters to be changed for improving the
> performance?



What does your query file look like?  One of the biggest things that
affects the numbers for a caching server is the response time of the
authoritative servers that answer the queries in your file.  Network
bottlenecks can be a problem too.  (I remember one time I experimented
with a caching server that had a stateful firewall between it and the
Internet; it effectively killed connectivity for everybody in the building.)


You may want to look at resperf:

http://www.nominum.com/services/measurement_tools.php

You may be able to get some more meaningful numbers from it.

--
Dave


Re: Bind hang out when named reach to 5-600 Mb

2010-07-13 Thread JINMEI Tatuya / 神明達哉
At Thu, 8 Jul 2010 02:30:25 -0700 (PDT),
khanh rua  wrote:

> I install bind as a cache server on Solaris 10, Sun Sparc T5140. It
> has a problem, bind always hangs when named reaches 5-600 Mb
> ('prstat' check). I have several servers and all have this problem
> even when I install bind in a zone or try with a 64bit version.
> T5140's a powerful server but bind can't make use of its power. I'm a
> newb with bind and so I have just tried some other ways, but uselessly.

> What should I do to track this problem?

As others asked, please clarify a bit more what "hang" means.  I'd be
particularly interested in
 - whether it responds to rndc (e.g. rndc status)
 - whether it responds to queries for built-in data, such as
   version.bind/TXT/CH (try 'dig @server_address version.bind txt ch'
   from the local host).
 - if you enable XML based statistics, whether it responds to a
   statistics request over http.  If it does, showing the xml
   statistics while the problem is happening would be useful.

Please also make sure your kernel doesn't have this problem:
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237

If you are not sure, and if the query load is not so heavy (e.g. up
to 2000qps or so), you may also want to try rebuilding named with
--disable-devpoll

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
Hi,

Can anyone explain to me why the 'ad'-flag is set for this query?

dig +dnssec -t RRSIG www.forfunsec.org

How does a validating resolver determine that such an answer is secure?

Thank you.

-- 
Marco Davids


Re: Behavior of a slave to a NOTIFY

2010-07-13 Thread Doug Barton

On Mon, 12 Jul 2010, Richard Tom wrote:

> What would delay a slave responding to a notify?  More importantly, what
> would delay a slave from transferring a zone after verifying the master's
> serial for the zone is newer than the serial the slave has?
>
> I've looked over the bug fixes as accumulated by the latest revisions for the
> 9.[2-7].x releases and see there have been some fixes to code related to
> notifies and zone transfers.
>
> Is it safe to say a busy BIND 9.5.x slave performing lots of zone transfers
> retrieves zones (from a master) more timely than a similarly busy 9.2.x
> slave?

If you're saying that the server you're concerned about is running
9.2.x, the correct answer is, "Upgrade." It's been EOL for a long time
now, and even if you find bugs in it no one is going to care. :)

In fact, your best bet at this point is to upgrade to at least 9.6.x,
and preferably 9.7.1-P1 since you're going to want to take advantage of
this opportunity to prepare for the possibility of DNSSEC.

If after upgrading you are still having problems, then we definitely
would like to know.



hth,

Doug

--

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
-- Pablo Picasso



Re: Defining custom root zone by subnet.

2010-07-13 Thread Kevin Darcy

That should work fine, as long as
a) this view definition appears in named.conf before any more general 
view (since views are matched in order),
b) the "zone1" ACL is defined to include all of the address ranges that 
should get the "private" root zone, and
c) "db.lockdown" contains a root zone with only 1 A record -- a wildcard 
entry with the "private IP" as the RDATA -- and no delegations


Note that you don't need "recursion yes" if every query is going to be 
resolved directly from your "fake" root zone.



- Kevin


On 7/13/2010 6:33 AM, Nadir Aliyev wrote:

> Not helped...
>
> view "internal-in" in {
>     match-clients { zone1; };
>     recursion yes;
>     zone "." {
>         type master;
>         file "db.lockdown";
>     };
> };



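As an added illustration of the points Kevin makes above (views are tried in named.conf order and the first match wins; the lockdown root zone is a wildcard-only zone without delegations), here is a small Python model. It is example code written for this page, not BIND's own view-selection logic. The ACL and view names follow the thread, while the 10.0.10.0/24 guest subnet, the 10.0.10.1 web server address and the zone contents are constructed for the example.

```python
import ipaddress

# Added example, not BIND code: a small model of two rules from the thread.
# named tries views in named.conf order and uses the first whose match-clients
# matches the client address; the "lockdown" root zone answers every name from
# one wildcard A record. All ACL names, view names and addresses below are
# constructed for the example.

ACLS = {
    "zone1": ["10.0.10.0/24"],   # guest users, given private addresses by RADIUS
    "any":   ["0.0.0.0/0"],
}

# A minimal db.lockdown as (owner, type, rdata): apex SOA and NS so the zone
# loads, plus the wildcard. 10.0.10.1 stands in for the guest web server.
LOCKDOWN_ZONE = [
    (".",            "SOA", "ns.lockdown. hostmaster.lockdown. 1 3600 900 604800 60"),
    (".",            "NS",  "ns.lockdown."),
    ("ns.lockdown.", "A",   "10.0.10.1"),
    ("*.",           "A",   "10.0.10.1"),
]

# Views in named.conf order. The captive view must come first, because a
# catch-all view listed earlier would claim the guest subnet as well.
VIEWS = [
    {"name": "internal-in", "match_clients": ["zone1"], "root": LOCKDOWN_ZONE},
    {"name": "external",    "match_clients": ["any"],   "root": None},
]


def acl_matches(client_ip, acl_names):
    """True if client_ip falls inside any prefix of any of the named ACLs."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(prefix)
               for name in acl_names for prefix in ACLS[name])


def select_view(client_ip, views=VIEWS):
    """Name of the first view whose match-clients matches, or None if no view does."""
    for view in views:
        if acl_matches(client_ip, view["match_clients"]):
            return view["name"]
    return None


def delegations(zone):
    """Owners of NS records below the apex, i.e. the delegations a lockdown zone must not contain."""
    return sorted({owner for owner, rtype, _ in zone if rtype == "NS" and owner != "."})


def lookup_a(qname, zone):
    """A rdata for qname: an exact owner wins, otherwise the root wildcard synthesizes the answer."""
    qname = qname.lower()
    exact = [rd for owner, rtype, rd in zone if owner == qname and rtype == "A"]
    if exact:
        return exact
    return [rd for owner, rtype, rd in zone if owner == "*." and rtype == "A"]


def resolve(client_ip, qname, views=VIEWS):
    """What a client gets for qname/A from this server: the captive answer, normal recursion or a refusal."""
    name = select_view(client_ip, views)
    if name is None:
        return "refused"
    view = next(v for v in views if v["name"] == name)
    if view["root"] is None:
        return "recurse"
    return lookup_a(qname, view["root"])


if __name__ == "__main__":
    for ip in ("10.0.10.5", "203.0.113.9"):
        print(ip, select_view(ip), resolve(ip, "www.example.com."))
    print("misordered views:", select_view("10.0.10.5", list(reversed(VIEWS))))
```

Reversing the order of VIEWS makes the catch-all view match the guest subnet first, which is the failure mode behind Kevin's point (a): the guest clients would quietly get normal recursion instead of the captive root, and nothing in the configuration would complain. The delegations() check corresponds to his point (c); any NS record below the apex would hand part of the namespace back to the outside world.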


Re: ad flag for RRSIG queries

2010-07-13 Thread Doug Barton

On Tue, 13 Jul 2010, Marco Davids (SIDN) wrote:

> Hi,
>
> Can anyone explain to me why the 'ad'-flag is set for this query?
>
> dig +dnssec -t RRSIG www.forfunsec.org

I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
version of BIND are you using?



Doug



Re: ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
On 07/13/10 23:58, Doug Barton wrote:

>> Can anyone explain to me why the 'ad'-flag is set for this query?
>>
>> dig +dnssec -t RRSIG www.forfunsec.org
> 
> I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
> version of BIND are you using?
> 

Hi Doug,

I use BIND 9.7.0rc1, configured to work with the IANA testbed.

dig +dnssec rrsig www.forfunsec.org @149.20.64.20

has the AD flag too, though. It runs BIND 9.6.1-P2 (DNS-OARC
validating resolvers).

The other one, 149.20.64.21, doesn't have it (Unbound).

Regards

--
Marco


Re: ad flag for RRSIG queries

2010-07-13 Thread Doug Barton

On Wed, 14 Jul 2010, Marco Davids (SIDN) wrote:

> On 07/13/10 23:58, Doug Barton wrote:
>
>>> Can anyone explain to me why the 'ad'-flag is set for this query?
>>>
>>> dig +dnssec -t RRSIG www.forfunsec.org
>>
>> I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
>> version of BIND are you using?
>
> Hi Doug,
>
> I use BIND 9.7.0rc1, configured to work with the IANA testbed.

You shouldn't use release candidates after the release is done. :)

I'd be interested to see what happens if you upgrade to the latest
versions in each branch (the 9.7.x server above, and the 9.6.x below).
What you're seeing sounds like a bug, hopefully one that's been fixed
(as it seems to be in 9.7.1-P1).

Doug

> dig +dnssec rrsig www.forfunsec.org @149.20.64.20
>
> has the AD flag too, though. It runs BIND 9.6.1-P2 (DNS-OARC
> validating resolvers).
>
> The other one, 149.20.64.21, doesn't have it (Unbound).
>
> Regards
>
> --
> Marco




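Two of the threads above come down to reading flags out of a DNS response: JINMEI's suggestion to query version.bind/TXT/CH as a liveness probe, and Marco's question about the AD bit on an RRSIG query. The following is an added Python example, not code from BIND or dig: it builds such query packets, decodes the header flags dig prints (qr, aa, tc, rd, ra, ad, cd, rcode) together with the EDNS DO bit that `+dnssec` sets, and fabricates a reply so the decoder can be exercised offline. The version string and the replies are constructed placeholders, not observations from any real server; query_udp() is the only function that touches the network and takes the server address from its caller.

```python
import socket
import struct

# Added example, not code from BIND or dig. Builds DNS queries such as the
# version.bind CH/TXT probe, decodes the header flags and EDNS DO bit of a
# reply, and fabricates a reply so the decoder can be checked offline.

TYPE_TXT, TYPE_OPT, TYPE_RRSIG = 16, 41, 46
CLASS_IN, CLASS_CH = 1, 3


def encode_name(name):
    """Wire form of a domain name: length-prefixed labels, terminating zero."""
    name = name.rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, qclass, txid=0x1234, dnssec_ok=False):
    """Header with RD set plus one question; dnssec_ok appends an OPT RR with DO (what dig +dnssec sends)."""
    arcount = 1 if dnssec_ok else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    if dnssec_ok:
        # OPT RR: owner ".", type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, rdlen 0
        pkt += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return pkt


def _skip_name(pkt, off):
    """Offset just past a wire name, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_flags(pkt):
    """Header flags as dig prints them, plus 'do' from the OPT RR if the message carries one."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    out = {"id": txid, "rcode": flags & 0xF, "do": False}
    for bit, key in ((0x8000, "qr"), (0x0400, "aa"), (0x0200, "tc"), (0x0100, "rd"),
                     (0x0080, "ra"), (0x0020, "ad"), (0x0010, "cd")):
        out[key] = bool(flags & bit)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            out["do"] = bool(ttl & 0x8000)   # OPT reuses the TTL field: ext-rcode, version, DO, Z
        off += 10 + rdlen
    return out


def make_response(query, txt=None, aa=False, ad=False):
    """Constructed reply (not captured from a real server): echoes id, question and OPT RR,
    sets QR/RD/RA and optionally AA/AD, and answers with one TXT RR when txt is given."""
    txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    qend = _skip_name(query, 12) + 4
    qtype, qclass = struct.unpack("!HH", query[qend - 4:qend])
    flags = 0x8180 | (0x0400 if aa else 0) | (0x0020 if ad else 0)
    answer = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        # the owner is a compression pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, qclass, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, qd, 1 if answer else 0, 0, ar)
    return header + query[12:qend] + answer + query[qend:]


def query_udp(server, pkt, timeout=2.0):
    """Send one query over UDP to a server you operate and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        return sock.recv(4096)


if __name__ == "__main__":
    probe = build_query("version.bind", TYPE_TXT, CLASS_CH)
    reply = make_response(probe, txt="9.6.1-P3", aa=True)   # placeholder version string
    print(parse_flags(reply))
```

For the hang diagnosis, the point of the version.bind probe is that named answers it from built-in data without touching the cache or the network, so a timeout there (query_udp raising socket.timeout) says something different from a timeout on a recursive query. For the AD question, the decoder separates the AD header bit from the DO bit in the OPT RR: DO is what the client asked for, AD is what the resolver asserts about validation, and only a validating resolver you trust over a protected path gives that bit any meaning.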


Re: GeoIP and maintaining high availability

2010-07-13 Thread Doug Barton

On Fri, 9 Jul 2010, Tomasz Chmielewski wrote:

> Hi,
>
> I'm about to set up bind with GeoIP patches.
>
> What I'm not sure, is how do you guys handle high availability?
>
> Suppose I have zones for Americas and Europe,

Just to be clear, you're saying that you have 2 different zones, one
with the European IP addresses for the content server, and one with
American, and a resolver gets an answer from one zone or the other based
on a decision from the GeoIP stuff, right?

> and a destination server in Europe dies - how do you handle it so that
> new (i.e. web) requests hit American servers only?
>
> Set TTL to low values (i.e. 10 minutes max) and reconfigure the zones if
> European servers are down?

Based on your parameters below, and what you said elsewhere in the
thread; yes, that's your only option.

hth,

Doug

> Something else?
>
> I assume typical hosting, without access to sophisticated network settings,
> like BGP.

