R: Unable to query the nameserver
On Mon, Oct 4, 2010 at 23:20, Andrey G. Sergeev (AKA Andris) wrote:
>> Hi Dotan!
>
> Hello hello!
>
>> You might be blocking 53/udp and (or) 53/tcp port. Try to query your
>> problematic server from some other location rather than the site this
>> server is installed on.
>
> The ports aren't blocked as another site (example.eu) hosted on the
> 1.1.1.1 server works fine. The working site has both nameservers
> pointed to that same server (on two different IP addresses on eth0 and
> eth0:0). Only the example.de site which has one nameserver on the
> 1.1.1.1 machine and the second nameserver on 1.1.2.2 is giving me a
> headache.

Hello Dotan.

You said: "The working site has both nameservers pointed to that same
server (on two different IP addresses on eth0 and eth0:0)."

So the question is "Are you sure you answer to queries on the proper
interface?" Maybe you (for instance) receive a query on eth0:0 (1.1.2.2 ?)
but answer on eth0 (1.1.1.1 ?)...

What is your default gateway?

Ciao.
Stefano.

> --
> Dotan Cohen
> http://gibberish.co.il
> http://what-is-what.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to query the nameserver
Hi Imran,

Mon, 4 Oct 2010 20:33:02 -0400 "Imran" wrote:

> Sounds like a resolv.conf issue ... make sure that you have an
> entry in the resolv.conf file that maps ns1.example.de to 1.1.1.1
> and ns2.example.de to 1.1.2.2

You're wrong. The resolv.conf file has nothing to do with hostname-to-IP
or vice versa mapping. Such mapping is a function of the hosts file.
Regardless of the file name there is nothing to fix by setting some
"mappings".

> -Original Message-
> From: bind-users-bounces+imran=netwave...@lists.isc.org
> [mailto:bind-users-bounces+imran=netwave...@lists.isc.org] On Behalf
> Of Dotan Cohen
> Sent: Monday, October 04, 2010 5:09 PM
> To: bind-users@lists.isc.org
> Subject: Unable to query the nameserver
> [...]

--
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
Re: Unable to query the nameserver
apart from my dig for you not giving real information..

On Mon, 2010-10-04 at 23:08 +0200, Dotan Cohen wrote:
>
> // On 1.1.1.1
> [r...@1.1.1.1]# cat /etc/named.conf
> options {
>     directory "/etc";

Why are you specifying /etc here? I suggest you use /var/named

>     pid-file "/var/run/named/named.pid";
>     listen-on {
>         any;
>     };
> };
>
> zone "." {
>     type hint;
>     file "/etc/db.cache";

remove /etc/

> };
>
> zone "example.de" {
>     type master;
>     file "/var/named/example.de.hosts";

only need the file name (so long as you correct the options statement

>     notify yes;
>     allow-query { any; };
> };

who are you notifying? where is.. allow-transfer { remotedns; };

> zone "example.eu" {
>     type master;
>     file "/var/named/example.eu.hosts";
> };

correct as above for who to transfer to

> [r...@1.1.1.1]# cat /var/named/example.de.hosts
> $ORIGIN example.de.
> $TTL 86400
> example.de.    IN SOA example.de. foo.example.de. (

replace example.de. with @

>                    2010100401 ; Serial - increment me
>                    10800
>                    3600
>                    604800
>                    38400 )
>                IN NS   ns1.example.de.
>                IN NS   ns2.example.de.

no MX record?

>                IN A    1.1.1.1
> www            IN A    1.1.1.1
> ns1            IN A    1.1.1.1
> ns2            IN A    1.1.2.2
>
> // On 1.1.2.2
> [r...@1.1.2.2]# cat /etc/named.conf

fix up as above

> options {
>     directory "/etc";
>     pid-file "/var/run/named/named.pid";
>     listen-on {
>         any;
>     };
> };
>
> zone "." {
>     type hint;
>     file "/etc/db.cache";
> };
>
> zone "example.de" {
>     type slave;
>     masters { 1.1.1.1; };
>     allow-update { 1.1.1.1; };

^ not needed

>     file "/var/named/example.de.hosts";
>     notify yes;

remove

>     allow-query { any; };

ya got one right :)

>     allow-notify { 1.1.2.2; };
> };

remove

> [r...@1.1.2.2]# cat /var/named/example.de.hosts

irrelevant since it gets this from master

> Of course, when I make a change to a hosts file I increment the serial
> number and restart bind. I also restart bind after making a change to

'rndc reload' is all you need to do

> named.conf. What am I doing wrong? Thanks!

once you tell us your real domains and NS's, maybe, just maybe we can help more
RE: Unable to query the nameserver
Sounds like a resolv.conf issue ... make sure that you have an entry in
the resolv.conf file that maps ns1.example.de to 1.1.1.1 and
ns2.example.de to 1.1.2.2

-Original Message-
From: bind-users-bounces+imran=netwave...@lists.isc.org
[mailto:bind-users-bounces+imran=netwave...@lists.isc.org] On Behalf Of
Dotan Cohen
Sent: Monday, October 04, 2010 5:09 PM
To: bind-users@lists.isc.org
Subject: Unable to query the nameserver
[...]
Re: Unable to query the nameserver
On Mon, 2010-10-04 at 17:29 -0500, Lyle Giese wrote:
> Dotan Cohen wrote:
>> The ports aren't blocked as another site (example.eu) hosted on the
>> 1.1.1.1 server works fine. The working site has both nameservers
>> pointed to that same server (on two different IP addresses on eth0 and
>> eth0:0). Only the example.de site which has one nameserver on the
>> 1.1.1.1 machine and the second nameserver on 1.1.2.2 is giving me a
>> headache.
>
> I would like to help but since you are refusing to post the real ip
> address or the real hostnames or the real domain names involved, I can
> not. I could do some testing from here to see if your firewall was
> configured correctly or what the view was from outside your network.
> But I can not.

Quite right, too many people with paranoia come here looking for help but
refuse to let us do correct remote testing. First post was 7.08am local,
it's 3 1/2 hours later and we still have no real info; had it been supplied
his problem may have been identified and resolved 3 hours ago.
RE: Unable to query the nameserver
You should first verify that you see the packets arriving to
ns1.example.de - tcpdump should do the work.

Then, enable the query log and ensure that BIND sees the query. Again, the
logs are your friends.

-Original Message-
From: Dotan Cohen [mailto:dotanco...@gmail.com]
Sent: Monday, October 04, 2010 11:09 PM
To: bind-users@lists.isc.org
Subject: Unable to query the nameserver
[...]
Re: Unable to query the nameserver
Are your servers running virtualized?

On 2010/10/04, at 23:56, "Dotan Cohen" wrote:

> On Mon, Oct 4, 2010 at 23:37, Greg Whynott wrote:
>> someone with way more bind clues than I would be able to give you a better
>> answer. the error returned begs two questions..
>>
>> 1. is this server behind or running a local firewall?
>
> No.
>
>> 2. is bind actually listening on the proper interface?
>
> Yes
>
> --
> Dotan Cohen
> http://gibberish.co.il
> http://what-is-what.com
Re: Unable to query the nameserver
On Tue, Oct 5, 2010 at 00:29, Lyle Giese wrote:
> I would like to help but since you are refusing to post the real ip address
> or the real hostnames or the real domain names involved, I can not. I could
> do some testing from here to see if your firewall was configured correctly
> or what the view was from outside your network. But I can not.

Thanks Lyle for the offer. Actually, I would very much appreciate if you
showed me what to check so that I might do it myself. Although my concern
is in fact to get this configured, my goal is to learn and I'm at a loss
for which tools/commands to use to check that. How would you go about it?

> You appear to be posting sanitized portions of named.conf, so we can not
> tell if you have a typo in there that would cause this problem.

I assure you that a typo in the domain name or IP address is not the
issue, nor a missing period after the domain name. I've gone over that!

> You may also be bypassing a firewall misconfiguration because of your
> testing methods, but we can not tell as you are not posting the real IP
> addresses.

No firewall at this stage.

> Even though the ip addresses involved are registered for web and dns
> services that should be available to the world anyway.

Yes, of course, I have no illusions that they might be hidden!

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: Unable to query the nameserver
Can you successfully telnet port 53 from an external host? Have you seen
your logs? There must be something logged.

On 2010/10/04, at 23:56, "Dotan Cohen" wrote:

> On Mon, Oct 4, 2010 at 23:37, Greg Whynott wrote:
>> someone with way more bind clues than I would be able to give you a better
>> answer. the error returned begs two questions..
>>
>> 1. is this server behind or running a local firewall?
>
> No.
>
>> 2. is bind actually listening on the proper interface?
>
> Yes
>
> --
> Dotan Cohen
> http://gibberish.co.il
> http://what-is-what.com
Re: Unable to query the nameserver
On Mon, Oct 4, 2010 at 23:37, Greg Whynott wrote:
> someone with way more bind clues than I would be able to give you a better
> answer. the error returned begs two questions..
>
> 1. is this server behind or running a local firewall?

No.

> 2. is bind actually listening on the proper interface?

Yes

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: Unable to query the nameserver
Mon, 4 Oct 2010 23:41:13 +0200 Dotan Cohen wrote:

>> You might be blocking 53/udp and (or) 53/tcp port. Try to query
>> your problematic server from some other location rather than the
>> site this server is installed on.
>
> The ports aren't blocked as another site (example.eu) hosted on
> the 1.1.1.1 server works fine. The working site has both
> nameservers pointed to that same server (on two different IP
> addresses on eth0 and eth0:0). Only the example.de site which has
> one nameserver on the 1.1.1.1 machine and the second nameserver on
> 1.1.2.2 is giving me a headache.

It may be the zone transfer issue - the DENIC might want to transfer the
zone example.de and your server at 1.1.1.1 has been configured to deny
these attempts originated from the unknown IPs. Grep your BIND log for
any error messages related to 'example.de'.

--
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
Re: Unable to query the nameserver
Dotan Cohen wrote:
> On Mon, Oct 4, 2010 at 23:20, Andrey G. Sergeev (AKA Andris) wrote:
>> Hi Dotan!
>
> Hello hello!
>
>> You might be blocking 53/udp and (or) 53/tcp port. Try to query your
>> problematic server from some other location rather than the site this
>> server is installed on.
>
> The ports aren't blocked as another site (example.eu) hosted on the
> 1.1.1.1 server works fine. The working site has both nameservers
> pointed to that same server (on two different IP addresses on eth0 and
> eth0:0). Only the example.de site which has one nameserver on the
> 1.1.1.1 machine and the second nameserver on 1.1.2.2 is giving me a
> headache.

I would like to help but since you are refusing to post the real ip
address or the real hostnames or the real domain names involved, I can
not. I could do some testing from here to see if your firewall was
configured correctly or what the view was from outside your network. But
I can not.

You appear to be posting sanitized portions of named.conf, so we can not
tell if you have a typo in there that would cause this problem. You may
also be bypassing a firewall misconfiguration because of your testing
methods, but we can not tell as you are not posting the real IP addresses.

Even though the ip addresses involved are registered for web and dns
services that should be available to the world anyway.

Lyle Giese
LCR Computer Services, Inc.
Re: Unable to query the nameserver
On Mon, Oct 4, 2010 at 23:20, Andrey G. Sergeev (AKA Andris) wrote:
> Hi Dotan!

Hello hello!

> You might be blocking 53/udp and (or) 53/tcp port. Try to query your
> problematic server from some other location rather than the site this
> server is installed on.

The ports aren't blocked as another site (example.eu) hosted on the
1.1.1.1 server works fine. The working site has both nameservers pointed
to that same server (on two different IP addresses on eth0 and eth0:0).
Only the example.de site which has one nameserver on the 1.1.1.1 machine
and the second nameserver on 1.1.2.2 is giving me a headache.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
RE: Unable to query the nameserver
someone with way more bind clues than I would be able to give you a better
answer. The error returned begs two questions..

1. is this server behind or running a local firewall?
2. is bind actually listening on the proper interface?

you could confirm #2 by typing 'nslookup ns1.example.de 1.1.1.1' where
1.1.1.1 is the ip of the local machine (you could even do this on another
machine, it's telling the resolver to use 1.1.1.1 as the name server for
initial queries; if it works internally, try an exterior machine to run
the command on). it should return your A RR.

also you could try typing " netstat -an | grep \:53\ | grep LIST " and see
if it's listening on the proper interface.

do the logs complain about any zones? something like "not loading zone X"..

good luck with things,
-g

From:
Sent: Monday, October 04, 2010 5:08 PM
To: bind-users@lists.isc.org
Subject: Unable to query the nameserver

I am configuring BIND on two servers: ns1.example.de on a server with IP
address 1.1.1.1 and ns2.example.de on a server with IP address 1.1.2.2.
BIND starts fine on both servers, but when I try to configure my domain
name in the registrar's control panel I get this error:
"""
Error : Unable to query the nameserver ns1.example.de
"""
Of course
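The checks suggested in this thread (Greg's nslookup and netstat commands, the tcpdump and query-log advice, and Stefano's question about which address the reply leaves from), as an added shell example that is not part of the thread. Each function works on captured command output so it runs offline against the constructed samples below; the dig, netstat and tcpdump invocations in the comments, the client address 203.0.113.5 and every sample line are assumptions, not output from the poster's servers.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline versions of the checks
# suggested in the thread; each function takes the captured text output of
# the real command as its first argument. Real invocations (assumed, not
# taken from the poster's servers):
#   check_auth_answer  "$(dig @1.1.1.1 ns1.example.de A +norecurse)" ns1.example.de 1.1.1.1
#   check_listening    "$(netstat -an)" 1.1.2.2
#   check_reply_source "$(tcpdump -n -l -c 20 -i any udp port 53)" 1.1.2.2

# 1. Does the server answer for itself, authoritatively ("aa" flag) and
#    with the expected A record? A cached answer from a recursive resolver
#    (flags "qr rd ra", no "aa") looks fine to nslookup but is not what a
#    registrar's delegation check is looking for.
check_auth_answer() {
    out=$1; name=$2; ip=$3
    printf '%s\n' "$out" | grep -q 'status: NOERROR,' || return 1
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" aa "*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$out" | awk -v n="$name." -v ip="$ip" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^$/                  { in_ans = 0 }
        in_ans && $1 == n && $4 == "A" && $5 == ip { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# 2. Is named bound to the address the NS record points at? The
#    "netstat -an | grep :53 | grep LIST" pipeline only shows TCP, since
#    UDP sockets have no LISTEN state, so both are required here. (With
#    "listen-on { any; }" an alias such as eth0:0 that came up after named
#    started is only bound at the next interface rescan, which is
#    interface-interval, 60 minutes by default.)
check_listening() {
    printf '%s\n' "$1" | awk -v a="$2:53" '
        $1 == "tcp" && $4 == a && $6 == "LISTEN" { t = 1 }
        $1 == "udp" && $4 == a                   { u = 1 }
        END { if (t && u) exit 0; exit 1 }'
}

# 3. Stefano's question: does the reply leave from the address that was
#    queried? A resolver discards a reply whose source address differs from
#    the server it asked, so from outside the server just never answers.
#    Pairs each query to <ip>.53 with a reply from <ip>.53 carrying the
#    same transaction id (tcpdump -n output).
check_reply_source() {
    printf '%s\n' "$1" | awk -v q="$2.53:" -v r="$2.53" '
        $2 == "IP" && $5 == q { id = $6; sub(/[^0-9].*$/, "", id); want[id] = 1 }
        $2 == "IP" && $3 == r { id = $6; sub(/[^0-9].*$/, "", id); got[id] = 1 }
        END { for (id in want) if (!(id in got)) exit 1; exit 0 }'
}

# Constructed sample outputs (not real captures), mirroring the thread's
# setup: ns1 on 1.1.1.1, ns2 on the alias 1.1.2.2.
DIG_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; ANSWER SECTION:
ns1.example.de.         86400   IN      A       1.1.1.1

;; AUTHORITY SECTION:
example.de.             86400   IN      NS      ns1.example.de.
example.de.             86400   IN      NS      ns2.example.de.
'
DIG_CACHED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
ns1.example.de.         3600    IN      A       1.1.1.1
'
NETSTAT_OUT='tcp   0  0 1.1.1.1:53     0.0.0.0:*   LISTEN
tcp   0  0 127.0.0.1:53   0.0.0.0:*   LISTEN
udp   0  0 1.1.1.1:53     0.0.0.0:*
udp   0  0 127.0.0.1:53   0.0.0.0:*'
# Query sent to 1.1.2.2 but answered from 1.1.1.1: the client drops it.
TCPDUMP_BAD='22:10:01.000001 IP 203.0.113.5.40123 > 1.1.2.2.53: 4711+ A? ns2.example.de. (32)
22:10:01.000200 IP 1.1.1.1.53 > 203.0.113.5.40123: 4711*- 1/0/0 A 1.1.2.2 (48)'
TCPDUMP_OK='22:10:02.000001 IP 203.0.113.5.40124 > 1.1.2.2.53: 4712+ A? ns2.example.de. (32)
22:10:02.000200 IP 1.1.2.2.53 > 203.0.113.5.40124: 4712*- 1/0/0 A 1.1.2.2 (48)'

report() { if "$@"; then echo "ok:   $1 $3"; else echo "FAIL: $1 $3"; fi; }
report check_auth_answer  "$DIG_AUTH"    ns1.example.de 1.1.1.1   # ok
report check_auth_answer  "$DIG_CACHED"  ns1.example.de 1.1.1.1   # FAIL: no aa flag
report check_listening    "$NETSTAT_OUT" 1.1.1.1                  # ok
report check_listening    "$NETSTAT_OUT" 1.1.2.2                  # FAIL: alias not bound
report check_reply_source "$TCPDUMP_BAD" 1.1.2.2                  # FAIL: wrong source
report check_reply_source "$TCPDUMP_OK"  1.1.2.2                  # ok
```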
Re: Unable to query the nameserver
Hi Dotan!

Mon, 4 Oct 2010 23:08:43 +0200 Dotan Cohen wrote:

> I am configuring BIND on two servers: ns1.example.de on a server with
> IP address 1.1.1.1 and ns2.example.de on a server with IP address
> 1.1.2.2. BIND starts fine on both servers, but when I try to
> configure my domain name in the registrar's control panel I get this
> error:
> """
> Error : Unable to query the nameserver ns1.example.de
[...]

You might be blocking 53/udp and (or) 53/tcp port. Try to query your
problematic server from some other location rather than the site this
server is installed on.

--
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
Unable to query the nameserver
I am configuring BIND on two servers: ns1.example.de on a server with IP
address 1.1.1.1 and ns2.example.de on a server with IP address 1.1.2.2.
BIND starts fine on both servers, but when I try to configure my domain
name in the registrar's control panel I get this error:
"""
Error : Unable to query the nameserver ns1.example.de
"""

Of course I have been googling this for hours and I've been reading BIND
manuals for about two weeks now! I'm really stuck. Here are my
configuration files:

// On 1.1.1.1
[r...@1.1.1.1]# cat /etc/named.conf
options {
    directory "/etc";
    pid-file "/var/run/named/named.pid";
    listen-on {
        any;
    };
};

zone "." {
    type hint;
    file "/etc/db.cache";
};

zone "example.de" {
    type master;
    file "/var/named/example.de.hosts";
    notify yes;
    allow-query { any; };
};

zone "example.eu" {
    type master;
    file "/var/named/example.eu.hosts";
};

[r...@1.1.1.1]# cat /var/named/example.de.hosts
$ORIGIN example.de.
$TTL 86400
example.de.    IN SOA example.de. foo.example.de. (
                   2010100401 ; Serial - increment me
                   10800
                   3600
                   604800
                   38400 )
               IN NS   ns1.example.de.
               IN NS   ns2.example.de.
               IN A    1.1.1.1
www            IN A    1.1.1.1
ns1            IN A    1.1.1.1
ns2            IN A    1.1.2.2

// On 1.1.2.2
[r...@1.1.2.2]# cat /etc/named.conf
options {
    directory "/etc";
    pid-file "/var/run/named/named.pid";
    listen-on {
        any;
    };
};

zone "." {
    type hint;
    file "/etc/db.cache";
};

zone "example.de" {
    type slave;
    masters { 1.1.1.1; };
    allow-update { 1.1.1.1; };
    file "/var/named/example.de.hosts";
    notify yes;
    allow-query { any; };
    allow-notify { 1.1.2.2; };
};

[r...@1.1.2.2]# cat /var/named/example.de.hosts
$ORIGIN example.de.
$TTL 86400
example.de.    IN SOA example.de. foo.example.de. (
                   2010100401 ; Serial - increment me
                   10800
                   3600
                   604800
                   38400 )
               IN NS   ns2.example.de.
ns2            IN A    1.1.2.2

Of course, when I make a change to a hosts file I increment the serial
number and restart bind. I also restart bind after making a change to
named.conf. What am I doing wrong? Thanks!

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
Re: Bind won't start: /etc/named.conf
On Sat, Oct 2, 2010 at 11:16, Imri Zvik wrote:
> What does the logs say?

Thanks, Imri, the logs complain about /etc/db.cache. I copied /etc/db.cache
from the ns1 server to the ns2 server and bind stopped complaining.

> Is the server chrooted or not?

no

> And I think you want to use "type slave;" for that zone, if this is a
> secondary server.

Right, done, thanks!

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
minimum cache times?
Hello,

recently, I ran into a debate on the merits of negative TTL caching.
Digging a little into the issue I found that apparently

- no version of Bind currently supports min-(n)cache-ttl parameters
- MS DNS apparently has such a function
- somebody (possibly Michael Milligan) at some time put it into Debian's BIND.

Can anybody give any more information on that?

Regards,

Christoph Weber-Fahr
Re: OT: Propagation of my NS records?
There is a lot of assumed magic with DNS. It would be nice if things were
possible but they aren't. Think for a moment. 'I changed the IP address
but my registrar isn't picking it up!' Well, how do you expect them to if
you don't tell them? They don't have a crystal ball to read your mind or
intentions. No magic involved. They can only do what you tell them. Not
even the newest magic incantation, DNSSEC, can provide that magic.

Sorry for the top posting. But,

Sent from Garminfone by T-Mobile.

online-reg wrote:
> Hi All: I think this is a little OT, but I’m wondering why changes to my NS
> records aren’t propagating when my NS is authoritative for my domain?
>
> enigmedia.com is registered at NetSol and delegated to my NS:
>
> ns.enigmedia.com (running on bind9/fedora)
> ns1.enigmedia.com (running on bind9/Freebsd)
>
> Global TTL is 3h and TTL for the “NS1” record is 1200, but after changing the
> IP address of ns1 more than 24 hrs ago, it is not being picked up by NetSol’s
> servers.
>
> NetSol is returning the old record: 209.159.154.165, while my zone file has
> 216.218.228.131.
>
> I’ve seen this issue reported over the years, and the recommendation seems to
> be “complain to NetSol”.
>
> Just wondering if something in my zone config is wrong, or if this is normal
> for changes to NS records? NetSol is just ignoring my TTLs and caching the old
> IP for as long as it wants?
RE: managed-keys-zone file not found
Evan:

> My statement about the expected behavior (i.e., that you'd see this log
> message only on the first start, and not thereafter) turns out to be true
> only if there's actually a managed key that needs maintaining. If you
> don't have any such keys, named won't create a file to save them in--but,
> oops, it still tries to load the file on startup, and so it always logs
> the "file not found" message.
>
> This is essentially a cosmetic bug, and will be fixed in a future release.
> You can work around it, as others have mentioned, by touching the file so
> that named will shut up, or you can ignore it.
>
> Thanks for your help with it.

That makes sense. It did go away when I set up lookaside properly, and I
thought I knew how to make it go away. Then I reconfigured (as a test)
without lookaside (or any dnssec features enabled for that matter) and the
problem returned. I agree it is cosmetic and we can live with it.

Thank you
Re: OT: Propagation of my NS records?
> Date: Mon, 04 Oct 2010 17:29:33 +0200
> From: Anand Buddhdev
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> On 04/10/2010 16:01, online-reg wrote:
>
>> Hi All: I think this is a little OT, but I'm wondering why changes to
>> my NS records aren't propagating when my NS is authoritative for my
>> domain?
>>
>> enigmedia.com is registered at NetSol and delegated to my NS:
>>
>> ns.enigmedia.com (running on bind9/fedora) ns1.enigmedia.com (running
>> on bind9/Freebsd)
>>
>> Global TTL is 3h and TTL for the "NS1" record is 1200, but after
>> changing the IP address of ns1 more than 24 hrs ago, it is not being
>> picked up by NetSol's servers.
>>
>> NetSol is returning the old record: 209.159.154.165, while my zone
>> file has 216.218.228.131.
>>
>> I've seen this issue reported over the years, and the recommendation
>> seems to be "complain to NetSol".
>>
>> Just wondering if something in my zone config is wrong, or if this is
>> normal for changes to NS records? NetSol is just ignoring my TTLs and
>> caching the old IP for as long as it wants?
>
> I don't think NetSol automatically checks for updates to glue records.
> You'll have to manually change the A records of your servers at NetSol
> for them to be able to propagate the glue into the com zone.

I know that netsol (and the other registrars) do not update glue based on
what is returned from an NS query to the current authoritative server.
Doing so would create a huge security issue and an easy way to hijack DNS.
Once DNSSEC is in place, it will become feasible to do this, but I would
seriously discourage anyone from holding his or her breath while waiting
(for technical, economic and political reasons).

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: Propagation of my NS records?
>> Hi All: I think this is a little OT, but I'm wondering why changes to my NS
>> records aren't propagating when my NS is authoritative for my domain?
>>
>> enigmedia.com is registered at NetSol and delegated to my NS:
>>
>> ns.enigmedia.com (running on bind9/fedora)
>> ns1.enigmedia.com (running on bind9/Freebsd)
>>
>> Global TTL is 3h and TTL for the "NS1" record is 1200, but after changing
>> the IP address of ns1 more than 24 hrs ago, it is not being picked up by
>> NetSol's servers.
>>
>> NetSol is returning the old record: 209.159.154.165, while my zone file has
>> 216.218.228.131.
>
> It's only returning it as "glue", not as an answer. Glue is not updated
> automatically.

OK, I see.

>> I've seen this issue reported over the years, and the recommendation seems
>> to be "complain to NetSol".
>>
>> Just wondering if something in my zone config is wrong, or if this is
>> normal for changes to NS records? NetSol is just ignoring my TTLs and
>> caching the old IP for as long as it wants?
>
> You need to go through the procedure with Network Solutions that will give
> the new address for ns1.enigmedia.com in the output of
>
>     whois -h whois.networksolutions.com enigmedia.com
>
> Just as you would if you were changing NS records.

Thanks, Chris...that wasn't clear to me until now!
Re: OT: Propagation of my NS records?
On 04/10/2010 16:01, online-reg wrote:
> Hi All: I think this is a little OT, but I’m wondering why changes to
> my NS records aren’t propagating when my NS is authoritative for my
> domain?
>
> enigmedia.com is registered at NetSol and delegated to my NS:
>
> ns.enigmedia.com (running on bind9/fedora) ns1.enigmedia.com (running
> on bind9/Freebsd)
>
> Global TTL is 3h and TTL for the “NS1” record is 1200, but after
> changing the IP address of ns1 more than 24 hrs ago, it is not being
> picked up by NetSol’s servers.
>
> NetSol is returning the old record: 209.159.154.165, while my zone
> file has 216.218.228.131.
>
> I’ve seen this issue reported over the years, and the recommendation
> seems to be “complain to NetSol”.
>
> Just wondering if something in my zone config is wrong, or if this is
> normal for changes to NS records? NetSol is just ignoring my TTLs and
> caching the old IP for as long as it wants?

I don't think NetSol automatically checks for updates to glue records.
You'll have to manually change the A records of your servers at NetSol
for them to be able to propagate the glue into the com zone.

Regards,
Anand Buddhdev
RIPE NCC
Re: managed-keys-zone file not found
> The directory is writable. I run bind chrooted and the directory exists,
> is owned by the named user and is writable by the named user.

But you don't have managed-keys or dnssec-lookaside auto configured, right? I was confused, and thought you did. If you had, that would mean this bug was fairly serious, because it would mean your managed keys weren't stored permanently.

My statement about the expected behavior (i.e., that you'd see this log message only on the first start, and not thereafter) turns out to be true only if there's actually a managed key that needs maintaining. If you don't have any such keys, named won't create a file to save them in--but, oops, it still tries to load the file on startup, and so it always logs the "file not found" message.

This is essentially a cosmetic bug, and will be fixed in a future release. You can work around it, as others have mentioned, by touching the file so that named will shut up, or you can ignore it.

Thanks for your help with it.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: OT: Propagation of my NS records?
These are glue records for the delegation of your domain. You must contact Network Solutions to have them changed. I have not done this type of thing in a long time, but they have a form somewhere.

Regards,
Mike

On Mon, Oct 04, 2010 at 09:01:18AM -0500, online-reg wrote:
> Hi All: I think this is a little OT, but I’m wondering why changes to my NS
> records aren’t propagating when my NS is authoritative for my domain?
>
> enigmedia.com is registered at NetSol and delegated to my NS:
>
> ns.enigmedia.com (running on bind9/fedora)
> ns1.enigmedia.com (running on bind9/Freebsd)
>
> Global TTL is 3h and TTL for the “NS1” record is 1200, but after changing the
> IP address of ns1 more than 24 hrs ago, it is not being picked up by NetSol’s
> servers.
>
> NetSol is returning the old record: 209.159.154.165, while my zone file has
> 216.218.228.131.
>
> I’ve seen this issue reported over the years, and the recommendation seems to
> be “complain to NetSol”.
>
> Just wondering if something in my zone config is wrong, or if this is normal
> for changes to NS records? NetSol is just ignoring my TTLs and caching the
> old IP for as long as it wants?
Re: OT: Propagation of my NS records?
On Oct 4 2010, online-reg wrote:

> Hi All: I think this is a little OT, but I'm wondering why changes to my NS records aren't propagating when my NS is authoritative for my domain?
>
> enigmedia.com is registered at NetSol and delegated to my NS:
>
> ns.enigmedia.com (running on bind9/fedora)
> ns1.enigmedia.com (running on bind9/Freebsd)
>
> Global TTL is 3h and TTL for the "NS1" record is 1200, but after changing the IP address of ns1 more than 24 hrs ago, it is not being picked up by NetSol's servers.
>
> NetSol is returning the old record: 209.159.154.165, while my zone file has 216.218.228.131.

It's only returning it as "glue", not as an answer. Glue is not updated automatically.

> I've seen this issue reported over the years, and the recommendation seems to be "complain to NetSol".
>
> Just wondering if something in my zone config is wrong, or if this is normal for changes to NS records? NetSol is just ignoring my TTLs and caching the old IP for as long as it wants?

You need to go through the procedure with Network Solutions that will give the new address for ns1.enigmedia.com in the output of

  whois -h whois.networksolutions.com enigmedia.com

Just as you would if you were changing NS records.

--
Chris Thompson
Email: c...@cam.ac.uk
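A check for the situation Chris describes (glue in the parent's referral versus the authoritative answer), added here as an example and not code from the thread: it parses dig-style output offline from constructed sample text (the layout and the placeholder address 192.0.2.1 for ns.enigmedia.com are assumptions) and reports every in-zone nameserver whose parent-side glue no longer matches the A record the zone itself serves.

```python
import re
from collections import defaultdict
# One dig-style resource record line: name TTL class type rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")
SECTION = re.compile(r"^;; (\w+) SECTION:$")

def parse_sections(dig_output):
    """Return {section: [(name, type, rdata), ...]} from dig-style text."""
    sections, current = defaultdict(list), None
    for raw in dig_output.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            continue
        rr = RR_LINE.match(line) if current else None
        if rr:
            name, _ttl, rtype, rdata = rr.groups()
            sections[current].append((name.lower(), rtype, rdata.lower()))
    return sections

def stale_glue(parent_referral, child_answers):
    """Map each in-zone NS whose parent-side glue (ADDITIONAL section) differs
    from the A record its own zone answers with to (glue_addr, zone_addr)."""
    parent = parse_sections(parent_referral)
    glue = {n: r for n, t, r in parent["ADDITIONAL"] if t == "A"}
    stale = {}
    for _zone, t, nsname in parent["AUTHORITY"]:
        if t != "NS" or nsname not in glue:
            continue  # out-of-zone NS carries no glue, nothing to compare
        child = parse_sections(child_answers.get(nsname, ""))
        served = [r for n, t2, r in child["ANSWER"] if n == nsname and t2 == "A"]
        if served and glue[nsname] not in served:
            stale[nsname] = (glue[nsname], served[0])
    return stale

# Constructed sample (old glue from the thread; ns.enigmedia.com's 192.0.2.1 is a placeholder)
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
enigmedia.com.      172800  IN  NS  ns.enigmedia.com.
enigmedia.com.      172800  IN  NS  ns1.enigmedia.com.

;; ADDITIONAL SECTION:
ns.enigmedia.com.   172800  IN  A   192.0.2.1
ns1.enigmedia.com.  172800  IN  A   209.159.154.165
"""
CHILD_ANSWERS = {  # what each server answers for its own name
    "ns.enigmedia.com.": ";; ANSWER SECTION:\nns.enigmedia.com. 10800 IN A 192.0.2.1",
    "ns1.enigmedia.com.": ";; ANSWER SECTION:\nns1.enigmedia.com. 1200 IN A 216.218.228.131",
}
```

Running stale_glue(PARENT_REFERRAL, CHILD_ANSWERS) flags ns1.enigmedia.com. as 209.159.154.165 at the parent but 216.218.228.131 in the zone, which is exactly the glue-only mismatch the zone's TTL cannot fix.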
RE: managed-keys-zone file not found
Forgive the top post.

The directory is writable. I run bind chrooted and the directory exists, is owned by the named user and is writable by the named user.

--
Jack Tavares
"How many more can we sell with this button?"

From: David Forrest [...@maplepark.com]
Sent: Sunday, October 03, 2010 09:12
To: Evan Hunt
Cc: Jack Tavares; bind-users@lists.isc.org
Subject: Re: managed-keys-zone file not found

On Sun, 3 Oct 2010, Evan Hunt wrote:

> On Fri, Oct 01, 2010 at 10:29:34PM +, Jack Tavares wrote:
>> Hello
>> While starting up bind I get the following 2 messages
>> 01-Oct-2010 15:13:15.304 set up managed keys zone for view external, file
>> '3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'
>> and
>> 01-Oct-2010 15:13:15.309 managed-keys-zone ./IN/external: loading from
>> master file
>> 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
>> failed: file not found
>
> The expected behavior is, the first time you start BIND with managed-keys
> configured in a view, it will try to load the keys from an existing
> managed-keys file. If the file isn't found, it logs this warning,
> and then if the directory is writable, it goes ahead and creates the file.
>
> So you should only be seeing this the first time, and not thereafter.
> Which is why I'm concerned about this:
>
>> I have tried using managed-keys-directory option, but I cannot get rid of
>> this message.
>
> BIND hasn't created the file yet? Is your working directory or
> managed-keys-directory writable?

Evan,

I had this same message and it continued on every start. But it went ahead and loaded the zone (in memory I surmised) and everything worked OK. I just tried creating an empty file (via touch) in my working directory and, voila! No more messages except for the "set up managed keys zone for view external" and it still works as it should. My working directory is owned by named and I run as -u named so I don't know why it does not write the file.

I had a similar problem with the internal view and removed the annoying message in the same manner: touching the file with the name in the message in the working directory. So I now have two empty files; no biggie.

I searched in the source code for the message and found it in ./bin/named/server.c but didn't go any further as my invocation hack worked for me and it just seemed to be a log info message.

YMMV.

Dave

--
David Forrest e-mail d...@maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
OT: Propagation of my NS records?
Hi All: I think this is a little OT, but I’m wondering why changes to my NS records aren’t propagating when my NS is authoritative for my domain?

enigmedia.com is registered at NetSol and delegated to my NS:

ns.enigmedia.com (running on bind9/fedora)
ns1.enigmedia.com (running on bind9/Freebsd)

Global TTL is 3h and TTL for the “NS1” record is 1200, but after changing the IP address of ns1 more than 24 hrs ago, it is not being picked up by NetSol’s servers.

NetSol is returning the old record: 209.159.154.165, while my zone file has 216.218.228.131.

I’ve seen this issue reported over the years, and the recommendation seems to be “complain to NetSol”.

Just wondering if something in my zone config is wrong, or if this is normal for changes to NS records? NetSol is just ignoring my TTLs and caching the old IP for as long as it wants?
Re: per-zone-recursion?
On 2/10/10 7:18 AM, "Joerg Dorchain" wrote:

> On Fri, Oct 01, 2010 at 05:39:16PM +0200, Matus UHLAR - fantomas wrote:
>>
>> On 01.10.10 12:39, Joerg Dorchain wrote:
>>> Well, I could agree that "wrong" means not thought of by
>>> RFC designers and bind implementors (yet).
>>
>> probably it was not thought because it's wrong.
>
> This point is getting religious now, IMHO.

Bear in mind that your rationale is based on getting an inaccessible DNS server to return information that a client has correctly asked for. I can't imagine a situation where there'll be a strong desire to codify that kind of set up. If your DNS server is not accessible to clients that need to query it for data, your set up is wrong. That isn't religious, that is practical reality.

>> less palatable option: 1. Make the other DNS software available on another IP. So normal DNS behaviour works.
>>>
>>> Hm, this is not too easy in practice, but of course optimal solution.
>>> IPv6 will help here, I hope.
>>
>> I don't think this will solve the problem, it will just be a workaround for
>> it.
>
> With IPv6, I see much better chances of having more than one
> address available, which would make the best architectural solution
> a practical one as well.

I think you need to consider your architectural design in a different light. Address availability is not your problem. Your solution seems to be a work around built on a work around. Ask yourself: "am I using DNS to fix a problem or shortcoming in another system?". If yes, fix the other system instead.

>> 2. Add the zone as a slave within your authoritative view. (this option may be the easiest for your situation).
>>>
>>> Not feasible as it contains dynamically generated content,
>>> typically with a TTL of 0.
>>
>> this strongly indicates that there's something broken in your DNS. The DNS
>> is not designed to provide anything that short-lived, the whole DNS
>> architecture is based on caching.
>
> Yes, DNS works best with caching. I know that this setup is a
> corner case and very individual (If I had two public IPs then
> I would be fine)
>
> To be a bit polemic, if you think it is wrong, TTL of 0 should be
> forbidden, I suppose.

To be more accurate, the reasons people think they need a TTL of 0 indicate they are using DNS incorrectly. Often it is an attempt at working around the restrictions of other systems. Hence the guess at load balancing. What data are you providing that changes second to second and must be provided using DNS?

>>
>> Are you doing any kind of DNS-based load balancing?
>
> No, then multiple A records or so would be just fine.
>
> Bye,
>
> Joerg

--
Kal Feher
Re: Bind not starting
On Fri, Oct 01, 2010 at 12:13:33PM -0400, John Wingenbach wrote a message of 440 lines which said:

> NS records must point to an A record.

Or a record.
Re: 9.7.1-P2 managed-keys error
> 02-Oct-2010 17:33:53.125 general: error: managed-keys-zone ./IN: loading
> from master file managed-keys.bind failed: file not found
>
> I've googled around but am not clear on what's causing this error? Does this
> file need to be created manually for BIND to be able to write to it? I have
> a directory "/etc/namedb/working", and permissions are:
>
> drwxr-xr-x 2 bind wheel 512 Jul 18 19:23 .
> drwxr-xr-x 6 root wheel 512 Oct 2 15:52 ..

https://lists.isc.org/mailman/htdig/bind-users/2010-October/081249.html

--
** Magali BERNARD - DSI pôle Système, Réseau et Sécurité
Université Jean Monnet de Saint-Étienne - FRANCE -

A: Yes.
> Q: Are you sure ?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email ?