connect call failing with EINPROGRESS error code.
Hi,

I am new to socket programming. Please help me with a situation. The function call connect (non-blocking) is failing with setting the error code as 36 (EINPROGRESS). I have checked all the relative things. They are set properly.

::connect(sd, ((struct sockaddr*) (void*) (proxyDataPtr->remoteAddr)), sizeof(struct sockaddr))

Please help me with the solution to handle this situation, or some clues on what could be the problem!!

Thanks in advance.

Best Regards
Richi

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: IPv6 Records on an IPv4 Network
On 07/21/2010 10:10 PM, Martin McCormick wrote:
> This is admittedly not a bind question, but it has become a major nag factor and I am not sure what to recommend. We delegate our Microsoft Active Directory zone to Microsoft domain controllers and they have stuffed their zone with about 750 AAAA records and all are publicly visible if one does a lookup. Even the top level of the AD domain has 10 IPv6

Yes. This is Windows' default behaviour.

> responses, one for each controller. The AD admins say that IPv6 is turned off and that the workstations register IPv6 addresses automatically and so forth, but the final truth is that they are

If IPv6 is turned off, the Windows machines should not be registering IPv6 addresses. Maybe IPv6 was turned on in the past, and they haven't been garbage-collected for some reason? (Windows DNS records which were inserted by dynamic update are supposed to be garbage collected if left untouched after 7 days IIRC)

> there, however they got there, and other systems will get the records when they try to resolve the host name. Recently, there was a Microsoft update which appears to cause the resolvers on these Windows 7 systems to favor IPv6 records first and now I am getting reports of timeouts from Windows boxes looking up other Windows boxes.

I don't think this is true - I think Windows has *always* preferred a AAAA lookup under all versions with IPv6 support. However, Windows should only be making AAAA lookups if the client itself has an IPv6 address. Clients without IPv6 addresses will only make A lookups.

> What I am asking the list is whether or not anybody knows of a way to get the Microsoft controllers to ignore the IPv6 registrations. Having 0 IPv6 records would probably solve the problem until the day we get an IPv6 allocation and make our network IPv6 capable. As of now, it is a downright nuisance.
>
> I am running bind in its default mode where it could handle both IPv4 and IPv6 addresses, but we have no IPv6 addresses at all in the zones that we do not delegate. I believe that if I ran bind in IPv4-only mode, it would make no difference because the problem zone is delegated. If I am wrong about that, please let me know.

Correct, that won't help. (In fact, even in IPv4 mode, bind supports AAAA records. The content of the DNS records is unrelated to the transport.)

You have two issues, neither of which are bind-related:

1. Clients and servers have registered IPv6 addresses via DDNS. They *must* have had IPv6 enabled for this to happen. Either they still do have IPv6 enabled, or they don't and the records haven't been garbage collected.

2. Some clients are making and using AAAA lookups. Again, the clients MUST have an IPv6 address if this is the case.

Basically you have some IPv6 somewhere inside your network. Maybe someone has brought up a tunnel and turned on internet connection sharing - we've had problems with that.

Also, about turning IPv6 off - don't do that. Microsoft test with it turned on, and some Windows components expect to be able to talk to themselves locally on IPv6 (I think newer versions of IIS do this for example). Again, we've had problems with apps when server admins have disabled IPv6.

Take a look at one of the clients - I'm fairly sure you'll find they have IPv6 somewhere. You might need to investigate blocking it internally if someone has leaked it in using connection sharing - see:

http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-06

HTH
Re: connect call failing with EINPROGRESS error code.
On 07/22/2010 07:52 AM, R Juneja wrote:
> Hi, I am new to socket programming. Please help me with a situation.

This is the wrong place to ask. This mailing list is for discussing the Bind DNS server, not socket programming.

> The function call connect (non-blocking) is failing with setting the error code as 36 (EINPROGRESS). I have checked all the relative things. They are set properly.
>
> ::connect(sd, ((struct sockaddr*) (void*) (proxyDataPtr->remoteAddr)), sizeof(struct sockaddr))

Try http://www.faqs.org/faqs/unix-faq/socket/ ...or Google more generally.

If you've put the socket into non-blocking mode, EINPROGRESS is normal. You need to use select() or poll() to wait for the file descriptor to become available.
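The pattern Phil describes, as an added example that is not part of the original thread: start the connect on a non-blocking socket, treat EINPROGRESS as "still connecting" rather than as a failure, wait with select() until the descriptor is writable, and then read the real outcome back with SO_ERROR. It assumes a Unix-like host (EINPROGRESS is errno 36 on BSD-derived systems such as macOS, which matches the number in the question, and 115 on Linux); the loopback listener in demo() is constructed for the demonstration and the function names are the example's own.

```python
import errno
import select
import socket


def connect_nonblocking(addr, timeout):
    """Non-blocking TCP connect to addr=(host, port), waiting up to timeout seconds.

    Returns (sock, 0) on success or (None, err) where err is an errno value.
    EINPROGRESS from the initial connect is the normal 'still connecting'
    state; the real result is only known once the socket becomes writable
    and SO_ERROR has been read.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    rc = sock.connect_ex(addr)              # returns an errno instead of raising
    if rc == 0:
        return sock, 0                      # completed immediately (can happen on loopback)
    if rc != errno.EINPROGRESS:
        sock.close()
        return None, rc                     # an immediate, real failure (e.g. ENETUNREACH)
    _, writable, _ = select.select([], [sock], [], timeout)
    if not writable:
        sock.close()
        return None, errno.ETIMEDOUT        # nothing happened within the timeout
    err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
    if err != 0:
        sock.close()
        return None, err                    # deferred failure, e.g. ECONNREFUSED
    return sock, 0


def demo():
    """Constructed scenario: connect to a live loopback listener, then to the
    same port after the listener has gone away.

    Returns (first_connect_ok, errno_name_of_second_attempt).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))         # kernel picks a free ephemeral port
    listener.listen(1)
    addr = listener.getsockname()

    sock, err = connect_nonblocking(addr, 2.0)
    first_ok = sock is not None and err == 0
    if sock is not None:
        sock.close()

    listener.close()                        # nobody listens on that port any more
    sock, err = connect_nonblocking(addr, 2.0)
    if sock is not None:
        sock.close()
    return first_ok, errno.errorcode.get(err, str(err))


if __name__ == "__main__":
    print(demo())
```

The second attempt in demo() shows why SO_ERROR matters: the refused connection is reported either straight from connect_ex or, after the socket turns writable, from SO_ERROR, and only the getsockopt() step distinguishes "connected" from "failed" once select() returns.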
Re: . SOA: got insecure response
On Thu, 22 Jul 2010 07:15:25 +1000, Mark Andrews ma...@isc.org said:
> In message 19526.43429.234698.104...@hadron.switch.ch, Alexander Gall writes:
>> On Wed, 21 Jul 2010 09:20:21 +0200, Gilles Massen gilles.mas...@restena.lu said:
>>> Hello,
>>>
>>> Since enabling the root TA in my resolver, I keep seeing from time to time:
>>>
>>> 21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: . SOA: attempting insecurity proof
>>> 21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: . SOA: insecurity proof failed
>>> 21-Jul-2010 08:52:27.929 dnssec: info: validating @0x134fe7e8: . SOA: got insecure response; parent indicates it should be secure
>>
>> I've seen this for various top-level domains for which I have trust anchors configured as well. I could never track this down either, but I suspect it has nothing to do with the authoritative servers.
>>
>> -- Alex
>
> Named has to deal with mutually incompatible scenarios. DNSSEC which requires EDNS and nameservers and firewalls which drop EDNS requests so named has to turn off EDNS to get answers back. Occasionally a set of answers will take too long to get back to named or are lost due to network problems and named will fall back to issuing plain DNS queries which will of course fail validation if the zone is secure and you have a trusted path from a trust anchor to that zone. Named will normally re-issue the queries and get an answer that can be validated as it tries again to use EDNS.

That doesn't sound plausible to me. Wouldn't these messages refer to those zones in that case? Instead, they refer to the zones that are covered by the trust anchors themselves (like the root or some TLD).

> This will happen more often if you have network equipment that is blocking large DNS responses (512 or network MTU) but still lets through EDNS responses. If you see this you should also look for congested network paths and paths with long delays.

That's definitively a negative here.

Also, I can't see any EDNS backoff or disable messages that I could link to these events.

-- Alex
Re: Machine characteristics
> Well, I wonder if this is the right place. What server characteristics do you recommend as a minimum for a bind that will get about 1 req/sec?

Insufficient information. What kind of queries should the server handle? There's a big difference between an authoritative only server and a recursive server. And at 10k q/s you definitely want to separate the two...

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: IPv6 Records on an IPv4 Network
Windows Vista and 7 clients will query both type A and AAAA even if only the IPv4 interface is enabled. If I put the option filter-aaaa-on-v4 {yes;};, will my DNS reject the AAAA queries?

Thanks
Rock

From: Phil Mayers p.may...@imperial.ac.uk
To: bind-users@lists.isc.org
Sent: Thu, July 22, 2010 3:45:29 PM
Subject: Re: IPv6 Records on an IPv4 Network

On 07/21/2010 10:10 PM, Martin McCormick wrote:
> This is admittedly not a bind question, but it has become a major nag factor and I am not sure what to recommend. We delegate our Microsoft Active Directory zone to Microsoft domain controllers and they have stuffed their zone with about 750 AAAA records and all are publicly visible if one does a lookup. Even the top level of the AD domain has 10 IPv6

Yes. This is Windows' default behaviour.

> responses, one for each controller. The AD admins say that IPv6 is turned off and that the workstations register IPv6 addresses automatically and so forth, but the final truth is that they are

If IPv6 is turned off, the Windows machines should not be registering IPv6 addresses. Maybe IPv6 was turned on in the past, and they haven't been garbage-collected for some reason? (Windows DNS records which were inserted by dynamic update are supposed to be garbage collected if left untouched after 7 days IIRC)

> there, however they got there, and other systems will get the records when they try to resolve the host name. Recently, there was a Microsoft update which appears to cause the resolvers on these Windows 7 systems to favor IPv6 records first and now I am getting reports of timeouts from Windows boxes looking up other Windows boxes.

I don't think this is true - I think Windows has *always* preferred a AAAA lookup under all versions with IPv6 support. However, Windows should only be making AAAA lookups if the client itself has an IPv6 address. Clients without IPv6 addresses will only make A lookups.

> What I am asking the list is whether or not anybody knows of a way to get the Microsoft controllers to ignore the IPv6 registrations. Having 0 IPv6 records would probably solve the problem until the day we get an IPv6 allocation and make our network IPv6 capable. As of now, it is a downright nuisance.
>
> I am running bind in its default mode where it could handle both IPv4 and IPv6 addresses, but we have no IPv6 addresses at all in the zones that we do not delegate. I believe that if I ran bind in IPv4-only mode, it would make no difference because the problem zone is delegated. If I am wrong about that, please let me know.

Correct, that won't help. (In fact, even in IPv4 mode, bind supports AAAA records. The content of the DNS records is unrelated to the transport.)

You have two issues, neither of which are bind-related:

1. Clients and servers have registered IPv6 addresses via DDNS. They *must* have had IPv6 enabled for this to happen. Either they still do have IPv6 enabled, or they don't and the records haven't been garbage collected.

2. Some clients are making and using AAAA lookups. Again, the clients MUST have an IPv6 address if this is the case.

Basically you have some IPv6 somewhere inside your network. Maybe someone has brought up a tunnel and turned on internet connection sharing - we've had problems with that.

Also, about turning IPv6 off - don't do that. Microsoft test with it turned on, and some Windows components expect to be able to talk to themselves locally on IPv6 (I think newer versions of IIS do this for example). Again, we've had problems with apps when server admins have disabled IPv6.

Take a look at one of the clients - I'm fairly sure you'll find they have IPv6 somewhere. You might need to investigate blocking it internally if someone has leaked it in using connection sharing - see:

http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-06

HTH
Re: IPv6 Records on an IPv4 Network
Phil Mayers writes:
> If IPv6 is turned off, the Windows machines should not be registering IPv6 addresses. Maybe IPv6 was turned on in the past, and they haven't been garbage-collected for some reason? (Windows DNS records which were inserted by dynamic update are supposed to be garbage collected if left untouched after 7 days IIRC)

plus much more great information.

Thanks for an excellent answer.

Martin McCormick
reject or drop AAAA queries
Hi All,

I just want to know: if I put listen-aaaa-on-v4 {yes;}; in the options of named.conf, will my DNS drop or reject all AAAA queries by IPv4 clients?

Thanks,
Rock July
Re: . SOA: got insecure response
Mark,

> Named has to deal with mutually incompatible scenarios. DNSSEC which requires EDNS and nameservers and firewalls which drop EDNS requests so named has to turn off EDNS to get answers back. Occasionally a set of answers will take too long to get back to named or are lost due to network problems and named will fall back to issuing plain DNS queries which will of course fail validation if the zone is secure and you have a trusted path from a trust anchor to that zone. Named will normally re-issue the queries and get an answer that can be validated as it tries again to use EDNS.
>
> This will happen more often if you have network equipment that is blocking large DNS responses (512 or network MTU) but still lets through EDNS responses. If you see this you should also look for congested network paths and paths with long delays.

We have a root-server instance in our building, and reach most others over excellent lines. So while link issues might account for some of these messages, I don't think it's all of them. Especially as I don't expect the resolver to query for '. SOA' very often. Or is this triggered by each (unsigned) response to a question asking for a nonexistent TLD?

Is there a way to get bind to tell the entire story by enabling debug in specific categories?

Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
Re: IPv6 Records on an IPv4 Network
On 22/07/10 12:19, Rock July wrote:
> Windows Vista and 7 clients will query both type A and AAAA even

The OS might make the query, but the application will (should) be using getaddrinfo, and this will return the IPv4 addresses first, so it doesn't matter.

> if only the IPv4 interface is enabled. If I put the option filter-aaaa-on-v4 {yes;};, will my DNS reject the AAAA queries?

This option breaks DNSSEC.

If the client doesn't have an IPv6 address, it shouldn't use the AAAA (even if it does do the lookup). If the client does have IPv6, you need to investigate why (e.g. Teredo and other tunneling mechanisms).

Don't mess with the DNS - fix the underlying problem.
Re: reject or drop AAAA queries
On Thu, Jul 22, 2010 at 9:24 AM, Rock July headgea...@yahoo.com wrote:
> I just want to know: if I put listen-aaaa-on-v4 {yes;}; in the options of named.conf, will my DNS drop or reject all AAAA queries by IPv4 clients?

Why do you think you want to know this? It was recommended in another mail on this list that you fix the underlying problem of potentially having IPv6-enabled clients on the network.
Script for verifying zone files
Does anyone know of an existing script or program that can parse a zone file and verify records against an active server?

I'm attempting to clean up some large zone files and want to ensure that none of the changes will break DNS when I implement it. Later, I'd like to use it to verify that the records point to active hosts, but that's later.

I started putting together a bash script, but I'm having issues where a record exists on multiple lines. For example:

$ORIGIN example.com.
www     A       10.1.2.3
        A       10.1.2.4
        A       10.1.2.5
...

Or where a record is delegated to a secondary name server (GSLB):

$ORIGIN example.com.
www     NS      gss1.example.com.
        NS      gss2.example.com.

Below is my kludge of a script for reference. It works (somewhat) for single line CNAME and A records, but errors abound.

Brian

= BEGIN =
#!/bin/bash

# Zone file to check: first argument, or prompt for it.
if [[ -z $1 ]]
then
    echo -n "Please enter a file name (full path) : "
    read FILE
else
    FILE=$1
fi

# Derive the domain name from the file name (db.example.com -> example.com).
DOM=`echo "${FILE}" | awk -F\/ '{print $NF}' | sed 's/db\.//g'`

# Skip comment lines, blank lines and TXT records.
cat "${FILE}" | egrep -v '^;|^$|TXT' | while read LINE
do
    LINE=(${LINE})
    if [[ ${LINE[0]} == '$ORIGIN' ]]
    then
        ORIGIN=${LINE[1]}
        [[ ${ORIGIN} == "." ]] && ORIGIN=${DOM}
    else
        CNT=0
        while [[ ${CNT} -le ${#LINE[*]} ]]
        do
            if [[ ${LINE[$CNT]} == "A" ]] || [[ ${LINE[$CNT]} == "CNAME" ]]
            then
                HOST=${LINE[0]}
                # $_ is the last argument of the previous command: the rdata field.
                : ${LINE[*]}
                ADDRESS=$_
                # Random number between 6-9 to select DNS server to query
                GW=$[ ( $RANDOM % 4 ) + 6 ]
                QUERY=`host "${HOST}.${ORIGIN}" 10.1.2.${GW} | egrep 'has address|an alias'`
                : ${QUERY[*]}
                RESPONSE=$_
                [[ ${ADDRESS} != ${RESPONSE} ]] && echo "${HOST}.${ORIGIN},${LINE[$CNT]},${ADDRESS},${RESPONSE}"
                break
            fi
            ((CNT=$CNT+1))
        done
    fi
done
=== END ===
Re: IPv6 Records on an IPv4 Network
On 7/22/2010 8:33 AM, Phil Mayers wrote:
>> if only the IPv4 interface is enabled. If I put the option filter-aaaa-on-v4 {yes;};, will my DNS reject the AAAA queries?
>
> This option breaks DNSSEC.

Actually, it doesn't. If the DO bit is set in the query, the default behavior (I'll let you dig to find the knob that changes this) is to return the actual records without damaging them.

AlanC
Re: Script for verifying zone files
On Thu, 22 Jul 2010, Atkins, Brian (GD/VA-NSOC) wrote:
> Does anyone know of an existing script or program that can parse a zone file and verify records against an active server?

Have you looked at named-checkzone?

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
FORTIES: NORTH 5 OR 6, DECREASING 3 OR 4. MODERATE OR ROUGH. SHOWERS. GOOD.
Re: Script for verifying zone files
On Thu, 22 Jul 2010, Atkins, Brian (GD/VA-NSOC) wrote:
> Does anyone know of an existing script or program that can parse a zone file and verify records against an active server?

named-checkzone these days does some checks unless specified not to do so. (note to self: don't do that on a 2.5M record zone)

If you want to verify that the contents of the current zone and your new zone file still match, you probably want some kind of diff. Perhaps load the new zone on a spare server, and do an AXFR of both zones, with some sort/uniq/sed processing?

Paul
RE: Script for verifying zone files
Thanks, Bill. That's more what I'm looking for. Several people suggested looking at named-checkzone, but my goal is to compare an edited version of the zone file against the active zone file. The named-checkzone program, to my understanding, merely checks for syntax and doesn't do anything with actual verification of the records.

Brian

-----Original Message-----
From: wllarso [mailto:wlla...@swcp.com]
Sent: Thursday, July 22, 2010 12:45 PM
To: Atkins, Brian (GD/VA-NSOC)
Cc: bind-users@lists.isc.org
Subject: Re: Script for verifying zone files

On Thu, 22 Jul 2010 11:44:55 -0400, Atkins, Brian (GD/VA-NSOC) brian.atki...@va.gov wrote:
> Does anyone know of an existing script or program that can parse a zone file and verify records against an active server?

Oh, a challenge. Thanks

> I'm attempting to clean up some large zone files and want to ensure that none of the changes will break DNS when I implement it. Later, I'd like to use it to verify that the records point to active hosts, but that's later.
>
> I started putting together a bash script, but I'm having issues where a record exists on multiple lines. For example:

Since, in a zone file, any line that begins with white space (tab or space character) will use the same left hand side name as the previous line. So, using AWK, you could do something like:

awk 'BEGIN{LHS=""} /^[ \t]/{print LHS,$0; next} {print $0; LHS=$1}'

(Guaranteed NOT to work without lots of tweaks and testing. Use at your own risk!)

Now, as to checking that the records point to active hosts, well, I won't even try for that. What do you mean by "active"?

But, as someone else said, look at named-checkzone.

Bill
RE: Script for verifying zone files
Hi Brian,

Why don't you load the zone file you changed into a test DNS server and then compare the queries against prod and your test system? Might be easier than parsing the file in my opinion.

Regards,
Adrian

-----Original Message-----
From: bind-users-bounces+urs-t.bolliger=ubs@lists.isc.org [mailto:bind-users-bounces+urs-t.bolliger=ubs@lists.isc.org] On Behalf Of Atkins, Brian (GD/VA-NSOC)
Sent: Donnerstag, 22. Juli 2010 19:02
To: bind-users@lists.isc.org
Subject: RE: Script for verifying zone files

Thanks, Bill. That's more what I'm looking for. Several people suggested looking at named-checkzone, but my goal is to compare an edited version of the zone file against the active zone file. The named-checkzone program, to my understanding, merely checks for syntax and doesn't do anything with actual verification of the records.

Brian

-----Original Message-----
From: wllarso [mailto:wlla...@swcp.com]
Sent: Thursday, July 22, 2010 12:45 PM
To: Atkins, Brian (GD/VA-NSOC)
Cc: bind-users@lists.isc.org
Subject: Re: Script for verifying zone files

On Thu, 22 Jul 2010 11:44:55 -0400, Atkins, Brian (GD/VA-NSOC) brian.atki...@va.gov wrote:
> Does anyone know of an existing script or program that can parse a zone file and verify records against an active server?

Oh, a challenge. Thanks

> I'm attempting to clean up some large zone files and want to ensure that none of the changes will break DNS when I implement it. Later, I'd like to use it to verify that the records point to active hosts, but that's later.
>
> I started putting together a bash script, but I'm having issues where a record exists on multiple lines. For example:

Since, in a zone file, any line that begins with white space (tab or space character) will use the same left hand side name as the previous line. So, using AWK, you could do something like:

awk 'BEGIN{LHS=""} /^[ \t]/{print LHS,$0; next} {print $0; LHS=$1}'

(Guaranteed NOT to work without lots of tweaks and testing. Use at your own risk!)

Now, as to checking that the records point to active hosts, well, I won't even try for that. What do you mean by "active"?

But, as someone else said, look at named-checkzone.

Bill
Re: Script for verifying zone files
On Thu, Jul 22, 2010 at 10:01 AM, Atkins, Brian (GD/VA-NSOC) brian.atki...@va.gov wrote:
> Several people suggested looking at named-checkzone, but my goal is to compare an edited version of the zone file against the active zone file.

If you're just looking at changes, try something like:

named-checkzone -D -o zone1-canonical.txt example.com zone1.txt
named-checkzone -D -o zone2-canonical.txt example.com zone2.txt
diff -u zone{1,2}-canonical.txt

> The named-checkzone program, to my understanding, merely checks for syntax and doesn't do anything with actual verification of the records.

From 'man named-checkzone':

  [named-checkzone] performs the same checks as named does when loading a zone

  [named-compilezone] applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by named.

See options in the man page for checks that are done by default (e.g., -i, -k, -m, etc.)

Regards,
Casey
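To show why Casey's canonicalise-then-diff approach works, and what Bill's AWK one-liner and Brian's script are wrestling with, here is an added example (not code from the thread, and not a substitute for named-checkzone -D) that normalises two master-file fragments the same way: continuation lines starting with whitespace inherit the previous owner, relative names are qualified against $ORIGIN, and the result is a set of (owner, type, rdata) tuples that can be diffed. The sample zones are constructed from the www example in Brian's post; the parser is deliberately limited to $ORIGIN, optional TTL/class, and single-line records (no parentheses, $INCLUDE or quoted TXT strings), and compares rdata textually.

```python
# Record types whose last rdata field is a domain name that may be relative.
ABSOLUTIZE_LAST_FIELD = {"CNAME", "NS", "PTR", "MX", "SRV"}
CLASSES = {"IN", "CH", "HS"}


def absolutize(name, origin):
    """Qualify a possibly relative name against origin (origin is absolute)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse master-file text into a set of (owner, type, rdata) tuples.

    A line that begins with whitespace inherits the owner of the previous
    record (the multi-line A / NS case from the thread). Owners and name-valued
    rdata are lower-cased and made absolute, so 'www' and 'www.example.com.'
    compare equal regardless of how the file author wrote them.
    """
    records = set()
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = absolutize(fields[1], origin)
            continue
        if fields[0].startswith("$"):               # $TTL and friends: not records
            continue
        if line[0] in " \t":
            if last_owner is None:
                raise ValueError("continuation line before any owner name")
            owner = last_owner
        else:
            owner = absolutize(fields.pop(0), origin)
            last_owner = owner
        # Optional TTL and class may appear in either order before the type.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        rtype = fields[0].upper()
        rdata = fields[1:]
        if rtype in ABSOLUTIZE_LAST_FIELD and rdata:
            rdata[-1] = absolutize(rdata[-1], origin).lower()
        records.add((owner.lower(), rtype, " ".join(rdata)))
    return records


def diff_zones(old, new):
    """Return (removed, added): what diffing two canonical dumps would show."""
    return sorted(old - new), sorted(new - old)


# Constructed sample: the active zone and an edited copy of it.
OLD_ZONE = """\
$ORIGIN example.com.
www     A       10.1.2.3
        A       10.1.2.4
        A       10.1.2.5
ftp     CNAME   www
"""

NEW_ZONE = """\
$ORIGIN example.com.
www     IN  300 A       10.1.2.3
                A       10.1.2.4
ftp     CNAME   www.example.com.
mail    MX      10 mx1
"""


def demo():
    """Diff the two constructed zones; only real changes should appear."""
    old = parse_zone(OLD_ZONE, "example.com.")
    new = parse_zone(NEW_ZONE, "example.com.")
    return diff_zones(old, new)


if __name__ == "__main__":
    removed, added = demo()
    for rr in removed:
        print("-", *rr)
    for rr in added:
        print("+", *rr)
```

The ftp CNAME is written differently in the two files ('www' versus 'www.example.com.') and the www record set gains a TTL and class, yet neither shows up in the diff; only the dropped third A record and the new MX do. That is exactly the noise named-checkzone -D removes before diff -u, and it is what a line-oriented comparison of the raw files cannot do.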
Re: IPv6 Records on an IPv4 Network
On 22/07/10 16:45, Alan Clegg wrote:
> On 7/22/2010 8:33 AM, Phil Mayers wrote:
>>> if only the IPv4 interface is enabled. If I put the option filter-aaaa-on-v4 {yes;};, will my DNS reject the AAAA queries?
>>
>> This option breaks DNSSEC.
>
> Actually, it doesn't. If the DO bit is set in the query, the default behavior (I'll let you dig to find the knob that changes this) is to return the actual records without damaging them.

Ah yes:

filter-aaaa-on-v4 break-dnssec;

...breaks it!
Multiple masters expected behavior?
I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I was contemplating using this on all slaves to guard against a network path failure. Note that I also have both of the slave's interfaces in the also-notify statement on the master (it's an unpublished slave).

I would have thought that BIND would always hit the first and never the second. That doesn't seem to be the case however. In fact, in a few cases I've seen it seems to use both, though not round-robinning that I can see from the logs.

Is that expected behavior?

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Re: reject or drop AAAA queries
In message 210229.86286...@web120110.mail.ne1.yahoo.com, Rock July writes:
> Hi All,
>
> I just want to know: if I put listen-aaaa-on-v4 {yes;}; in the options of named.conf, will my DNS drop or reject all AAAA queries by IPv4 clients?

The option is filter-aaaa-on-v4. Additionally filter-aaaa can be used to only apply the filter to some IPv4 clients.

We also recommend that you fix the underlying condition.

> Thanks,
> Rock July

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Multiple masters expected behavior?
On 07/22/2010 10:59 PM, Peter Laws wrote:
> I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I was contemplating using this on all slaves to guard against a network path failure. Note that I also have both of the slave's interfaces in the also-notify statement on the master (it's an unpublished slave).
>
> I would have thought that BIND would always hit the first and never the second. That doesn't seem to be the case however. In fact, in a few cases I've seen it seems to use both, though not round-robinning that I can see from the logs.

I believe like all DNS servers, bind will pick the quickest-responding one (with the highest SOA serial, of course). It will certainly send SOA queries to both in case one master has a higher serial than the other.
BIND 9.7.2b1 is now available.
BIND 9.7.2b1 is now available.

BIND 9.7.2b1 is a beta version of the maintenance release for BIND 9.7.

BIND 9.7.2b1 can be downloaded from
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz
  http://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz

The PGP signature of the distribution is at
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz.sha512.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz.sha256.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/bind-9.7.2b1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp.

A binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip.sha512.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip.sha256.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip.sha512.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip.sha256.asc
  http://ftp.isc.org/isc/bind9/9.7.2b1/BIND9.7.2b1.debug.zip.sha512.asc

Changes since 9.7.0.

	--- 9.7.2b1 released ---

2931.	[bug]		Temporarily and partially disable change 2864 because it would cause infinite attempts of RRSIG queries. This is an urgent care fix; we'll revisit the issue and complete the fix later. [RT #21710]

2930.	[experimental]	New rndc addzone and rndc delzone commands allow dynamic addition and deletion of zones. To enable this feature, specify a new-zone-file option at the view or options level in named.conf. Zone configuration information for the new zones will be written into that file. To make the new zones persist after a restart, include the file into named.conf in the appropriate view. (Note: This feature is not yet documented, and its syntax is expected to change.) [RT #19447]

2929.	[bug]		Improved handling of GSS security contexts:
			- added LRU expiration for generated TSIGs
			- added the ability to use a non-default realm
			- added new realm keyword in nsupdate
			- limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller)
			[RT #19737]

2925.	[bug]		Named failed to accept uncachable negative responses from insecure zones. [RT# 21555]

2924.	[func]		'rndc secroots' dump a combined summary of the current managed keys combined with trusted keys. [RT #20904]

2923.	[bug]		'dig +trace' could drop core after connection timeout. [RT #21514]

2922.	[contrib]	Update zkt to version 1.0.

2921.	[bug]		The resolver could attempt to destroy a fetch context too soon. [RT #19878]

2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively to IPv4 clients. New acl 'filter-aaaa' (default any).

2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests. [RT #20840]

2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.

2917.	[func]		Virtual time test framework. [RT #20801]

2916.	[func]		Add framework to use IPv6 in tests. fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915.	[cleanup]	Be smarter about which objects we attempt to compile based on
Re: Multiple masters expected behavior?
In article mailman.65.1279835965.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:

> I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I was contemplating using this on all slaves to guard against a network path failure. Note that I also have both of the slave's interfaces in the also-notify statement on the master (it's an unpublished slave).
>
> I would have thought that BIND would always hit the first and never the second. That doesn't seem to be the case however. In fact, in a few cases I've seen it seems to use both, though not round-robinning that I can see from the logs. Is that expected behavior?

Yes. What if the first server stops getting updates, but the second one does and has a higher serial number? Don't you want the slaves to check the SOA record on it to pick up these changes?

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: USADOTGOV.NET Root Problems?
Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your message until I got home from work; however, I did find the root of the problem late this afternoon.

At each of our Internet egress and ingress points, we have Cisco ASA devices sitting in front of a pair of redundant firewalls. Each ASA is configured with the default DNS inspect policy that doesn't accept fragmented UDP packets.

On Jul 22, 2010, at 9:42 AM, Nicholas Wheeler wrote:

> Hello,
>
> From what I can see, radar.weather.gov is currently unsigned. There's a KSK, but I see no ZSKs, and cannot complete the chain of trust. On the other hand, noaa.gov is a signed zone, and I can complete the chain of trust. It does not seem like the usadotgov.net root name servers have a problem.
>
> If you would like to test, this is the tool used by dotgov.gov's helpdesk to test DNSSEC. Unfortunately, it's not a very good website.
> http://www.dnssecreport.com/DNSSECReport/DNSKeyReport.aspx
>
> Thanks,
> --
> Nicholas Wheeler
>
> Merton Campbell Crockett wrote:
>> Does anyone know if there have been problems with the USADOTGOV.NET root name servers today? We've had people complaining about resolving RADAR.WEATHER.GOV and several systems in the NOAA.GOV domain. If you query for the NS resource records, you only receive the ANSWER section. The ADDITIONAL section with the addresses is missing.
>>
>> --
>> Merton Campbell Crockett
>> m.c.crock...@roadrunner.com

--
Merton Campbell Crockett
m.c.crock...@roadrunner.com
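A check for the symptom Merton describes, added here as an example and not code from the thread: send the same DNSSEC query once with a small EDNS buffer and once with a large one, then compare what comes back. If the small probe returns truncated but the large probe never arrives, something on the path is dropping fragmented UDP. The function names, transaction id and sample reply bytes are constructed; `send_udp` needs network access and is not used by the offline sample.

```python
import socket
import struct

def build_query(name, qtype, bufsize, txid=0x1234):
    """DNS query with an EDNS0 OPT record advertising bufsize and the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, one additional RR (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode | version | flags (DO is the top flag bit), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x00008000, 0)
    return header + question + opt

def send_udp(packet, server, timeout=3.0):
    """Send one probe over UDP; None means nothing came back before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            return sock.recv(65535)
        except socket.timeout:
            return None

def is_truncated(resp):
    """TC bit (0x0200) in the header flags: the answer did not fit the advertised buffer."""
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)

def diagnose(small_resp, large_resp):
    """Compare a 512-byte probe with a large-buffer probe of the same query."""
    if small_resp is None:
        return "no reply even for a small buffer: server unreachable or port 53 blocked"
    if large_resp is None and is_truncated(small_resp):
        return "small reply truncated, large reply lost: fragmented UDP is being dropped on the path"
    if large_resp is None:
        return "large reply lost although the small one was complete: check EDNS handling"
    return "large reply arrived intact: fragmentation is not the problem"

def probe(server, name, qtype=48):  # 48 = DNSKEY, usually the largest answer in a signed zone
    small = send_udp(build_query(name, qtype, 512), server)
    large = send_udp(build_query(name, qtype, 4096), server)
    return diagnose(small, large)

# Constructed sample: a header-only reply with QR, TC, RD and RA set, NOERROR.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```

Running `probe(resolver_ip, "noaa.gov")` from inside and outside the ASA-protected segment shows whether the middlebox, rather than the zone, is the problem.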
Re: reject or drop AAAA queries
This is my current setup right now and the reason why I want to reject or drop the AAAA queries:

PC Clients: XP, Vista and 7 (Vista and 7 clients are sending both A and AAAA queries) send queries to DNS A.
DNS A: will just forward the query to MyDNS.
MyDNS: will query DNS B on behalf of DNS A.
DNS B: hosting the domain name (sample: xxx.test.com).

DNS B is only hosting an A record for xxx.test.com, so when it receives an AAAA query, it responds "no such name" or NXDOMAIN. This result causes negative caching on MyDNS and name resolution will also fail for other client computers.

I only have control of MyDNS, so I am thinking if there is any way that I can reject/drop those AAAA queries so it will not query DNS B.

Regards,
Rock

From: Mark Andrews ma...@isc.org
To: Rock July headgea...@yahoo.com
Cc: Bind Users bind-users@lists.isc.org
Sent: Fri, July 23, 2010 6:37:41 AM
Subject: Re: reject or drop AAAA queries

> In message 210229.86286...@web120110.mail.ne1.yahoo.com, Rock July writes:
>> Hi All,
>> I just want to know if I put listen-aaaa-on-v4 {yes;}; on options of named.conf, will my DNS drop or reject all AAAA queries by IPv4 clients?
>
> The option is filter-aaaa-on-v4. Additionally filter-aaaa can be used to only apply the filter to some IPv4 clients. We also recommend that you fix the underlying condition.
>
>> Thanks,
>> Rock July
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: reject or drop AAAA queries
On 7/22/2010 8:42 PM, Rock July wrote:

> This is my current setup right now and the reason why I want to reject or drop the AAAA queries:
>
> PC Clients: XP, Vista and 7 (Vista and 7 clients are sending both A and AAAA queries) send queries to DNS A.
> DNS A: will just forward the query to MyDNS.
> MyDNS: will query DNS B on behalf of DNS A.
> DNS B: hosting the domain name (sample: xxx.test.com).
>
> DNS B is only hosting an A record for xxx.test.com, so when it receives an AAAA query, it responds "no such name" or NXDOMAIN. This result causes negative caching on MyDNS and name resolution will also fail for other client computers.
>
> I only have control of MyDNS, so I am thinking if there is any way that I can reject/drop those AAAA queries so it will not query DNS B.

If the server at DNS B is responding with NXDOMAIN to a query for XXX.TEST.COM AAAA when XXX.TEST.COM A exists, then you need to find someone else to host TEST.COM as DNS B is broken.

AlanC
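To verify the distinction Alan draws, here is an added example (not code from the thread) that classifies a raw DNS reply as NXDOMAIN, NODATA or an answer and flags the broken case for an AAAA query. The sample replies for xxx.test.com are constructed; the name and the fact that it has an A record come from Rock's description.

```python
import struct

def encode_name(name):
    """Wire-format owner name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def parse_header(resp):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify(resp):
    """NXDOMAIN: the name does not exist at all. NODATA: the name exists but
    has no record of the queried type (NOERROR with an empty answer section)."""
    h = parse_header(resp)
    if h["rcode"] == 3:
        return "NXDOMAIN"
    if h["rcode"] == 0:
        return "ANSWER" if h["ancount"] else "NODATA"
    return "RCODE%d" % h["rcode"]

def check_aaaa_reply(resp, name_has_a):
    """Judge an authoritative reply to an AAAA query for a name known to have an A record.
    A resolver caches NXDOMAIN for the whole name, so after such a reply its
    A lookups fail too; that is the failure the original poster saw."""
    kind = classify(resp)
    if kind == "NXDOMAIN" and name_has_a:
        return "broken: NXDOMAIN for an existing name, resolvers will negatively cache it"
    if kind == "NODATA":
        return "ok: name exists but has no AAAA record"
    return "unexpected: " + kind

def sample_reply(rcode, ancount=0, nscount=0):
    """Constructed reply: header plus the question for xxx.test.com AAAA (type 28), class IN.
    Flags are QR | AA | RD | RA plus the rcode; record bodies are omitted."""
    flags = 0x8580 | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)
    return header + encode_name("xxx.test.com") + struct.pack("!HH", 28, 1)

BROKEN_REPLY = sample_reply(3)              # what DNS B in the thread does
CORRECT_REPLY = sample_reply(0, nscount=1)  # NOERROR, empty answer, SOA in authority
```

The thread's own mitigation on the one server under the poster's control is BIND's filter-aaaa-on-v4 option; this check tells you whether DNS B is the party that actually needs fixing.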