Re: bind autosign - DS distribution
> From: Chris Buxton > Date: Thu, 9 Dec 2010 21:16:41 -0800 > Sender: bind-users-bounces+oberman=es@lists.isc.org > > > On Dec 9, 2010, at 2:26 PM, Matus UHLAR - fantomas wrote: > > > Is it possible(planned) for bind to sign slave zone? > > And, are incremental updates possible with dnssec? > > > > I'm thinking about hidden master bind loading (un)signed zones and providing > > axfr/ixfr to our public servers > > Secure64 makes a product that does this. > > - The hidden master creates/updates an unsigned zone. > - Secure64 appliance acts as a slave, transferring the zone in > response to notify messages. It then signs the zone, including > auto-generating and auto-rotating keys as needed (I believe). > - Secure64 appliance then acts as a second hidden master, replicating > the zone out to the regular slaves. > > I believe it's implemented using two instances of nsd (from NLnet > Labs), one acting as a slave and another acting as a primary master, > with some proprietary code in between. > > http://www.secure64.com/automated-DNSSEC-signer-software-appliance > > Note: You hinted that the unsigned zone content is generated by some > process that would be difficult to modify. Products from my employer > and our other competitors would not have as easy a time handling that > type of need as this off-the-shelf product from Secure64. If that is > not the case, however, I would be happy to talk to you about DNSSEC > solutions from BlueCat Networks. Your description is pretty close. The main exception is that it only runs a single instance of nsd. It acts as both client and server. When it updates a zone, it then signs the data and sends out notifies to the slaves which publicly serve the data. No need for two instances. I believe the real claim to fame of Secure64 is the security of the private keys. The system is FIPS140-2 level 2 certified and that is hard to come by, especially without an HSM. This is very nice of dynamic updates are required since most solutions require an HSM or store the private key in an on-line system. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
On Dec 9, 2010, at 2:26 PM, Matus UHLAR - fantomas wrote: > Is it possible(planned) for bind to sign slave zone? > And, are incremental updates possible with dnssec? > > I'm thinking about hidden master bind loading (un)signed zones and providing > axfr/ixfr to our public servers Secure64 makes a product that does this. - The hidden master creates/updates an unsigned zone. - Secure64 appliance acts as a slave, transferring the zone in response to notify messages. It then signs the zone, including auto-generating and auto-rotating keys as needed (I believe). - Secure64 appliance then acts as a second hidden master, replicating the zone out to the regular slaves. I believe it's implemented using two instances of nsd (from NLnet Labs), one acting as a slave and another acting as a primary master, with some proprietary code in between. http://www.secure64.com/automated-DNSSEC-signer-software-appliance Note: You hinted that the unsigned zone content is generated by some process that would be difficult to modify. Products from my employer and our other competitors would not have as easy a time handling that type of need as this off-the-shelf product from Secure64. If that is not the case, however, I would be happy to talk to you about DNSSEC solutions from BlueCat Networks. Chris Buxton BlueCat Networks___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Le 10.12.2010 00:24, Matus UHLAR - fantomas a écrit : > On 09.12.10 23:45, fakessh @ wrote: >> webmin implement the mecanism of resign zones > > good to know, but our system fille DNS data using some automatic processes > from more sources and I don't think they should use webmin for that ;) > look the source for the construct a perl script webmin is build with modules its easy i think sincerely -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iD8DBQFNAXq+tXI/OwkhZKcRAiAsAJ9fOIX3XOyFww+8Q+oJtw2stfZJ6gCdHcoX lrB2atZdwHiHmncD52yFEl8= =mFzL -END PGP SIGNATURE- ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DiG 9.3.6-P1 segfaults on CentOS
On Dec 9, 2010, at 4:20 PM, Mark Andrews wrote: > > In message , Brian Keefer > write > s: >> Downloading the tarball for bind-9.7.2-P1 from ftp.isc.org and building it fr >> om source fixed the segfault issue. >> >> I'm still seeing a (possibly related) issue where if I do dig +trace txt > bl record> it takes 6-10 seconds (measured by time(1)) to complete, all after >> printing the authoritative server for DNSBL (prior to printing answer). >> >> If I do dig @ txt I get the same pause. If I d >> o dig @ txt there is no pause. There is also no pau >> se if I do dig . It doesn't look like there's any issue reso >> lving the A RR, so why the long pause with dig +trace or dig @hostname vs. di >> g @IP? > > And if you look for IPv6 addresses? > > dig That's exactly it. I just figured that out by looking at the PCAP a minute before I read your e-mail. It's silently ignored. Mystery solved on the delay. -- bk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DiG 9.3.6-P1 segfaults on CentOS
In message , Brian Keefer write s: > Downloading the tarball for bind-9.7.2-P1 from ftp.isc.org and building it fr > om source fixed the segfault issue. > > I'm still seeing a (possibly related) issue where if I do dig +trace txt bl record> it takes 6-10 seconds (measured by time(1)) to complete, all after > printing the authoritative server for DNSBL (prior to printing answer). > > If I do dig @ txt I get the same pause. If I d > o dig @ txt there is no pause. There is also no pau > se if I do dig . It doesn't look like there's any issue reso > lving the A RR, so why the long pause with dig +trace or dig @hostname vs. di > g @IP? And if you look for IPv6 addresses? dig > I'm only getting this behavior with this particular DNSBL, so far as I know. > The DNSBL runs a modified (only the back-end, SFAIK) version of rbldnsd. > > -- > bk > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DiG 9.3.6-P1 segfaults on CentOS
On Dec 9, 2010, at 1:16 PM, Brian Keefer wrote: > This issue was initially reported to me by a customer running CentOS 5.5 > x86_64. I was able to duplicate it on CentOS 5.5 i386 with dig version: > DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 > > When doing a dig +trace to a DNSBL for a TXT record they're getting a > segfault after making the final query (prior to displaying the answer). I > did a tcpdump of this behavior and saw two identical queries from the same > source port with the same transaction ID 0.74 seconds apart. The > responses were received 0.000745 seconds apart, from the same IP with the > same transaction ID. > > When I repeat the test through an intermediary resolver it only sends one > query datagram and gets a single response (and doesn't crash). > > Any ideas? > > -- > bk Downloading the tarball for bind-9.7.2-P1 from ftp.isc.org and building it from source fixed the segfault issue. I'm still seeing a (possibly related) issue where if I do dig +trace txt it takes 6-10 seconds (measured by time(1)) to complete, all after printing the authoritative server for DNSBL (prior to printing answer). If I do dig @ txt I get the same pause. If I do dig @ txt there is no pause. There is also no pause if I do dig . It doesn't look like there's any issue resolving the A RR, so why the long pause with dig +trace or dig @hostname vs. dig @IP? I'm only getting this behavior with this particular DNSBL, so far as I know. The DNSBL runs a modified (only the back-end, SFAIK) version of rbldnsd. -- bk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: m master file managed-keys.bind failed
On 12/08/2010 11:51, Martin McCormick wrote: I wrote: Who is supposed to own /var/named? I received a response from a kind soul from this list who reminded me of a directive new to bind9.7.1 that lets you determine where the managed-keys.bind file lives. I set up managed-keys-directory "/etc/namedb/working"; That looks like a FreeBSD install. If you let it, /etc/rc.d/named will use mtree to update the permissions on all relevant directories at each startup, chroot, drop root privs, etc. and all is now well with that zone. This appears to be a logical place for the file and there is nothing else in that directory which is already under bind ownership. Yes, that is the purpose of the /working directory on FreeBSD installs. In the default conf there is this: directory "/etc/namedb/working"; I have set up DNSSEC validation on my personal workstation and using the managed keys directive it creates the files there. If you're using FreeBSD I strongly suggest that you use the named.conf file provided as your starting point. hth, Doug -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
On 09.12.10 23:45, fakessh @ wrote: > webmin implement the mecanism of resign zones good to know, but our system fille DNS data using some automatic processes from more sources and I don't think they should use webmin for that ;) -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Atheism is a non-prophet organization. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
> In message <20101209222644.ga2...@fantomas.sk>, Matus UHLAR - fantomas writes: > > Is it possible(planned) for bind to sign slave zone? On 10.12.10 09:41, Mark Andrews wrote: > The master signs the zone. The slaves just serve it. The master still loads the zone somehow, from a file probably (even dynamic zones are saved to disk on shutdown, aren't they?) Being able to fetch zone from different server vi axfr/ixfr and sign it as it would be dynamic zone would spare me from playing with opendnssec or running dnssec-signzone manually. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Nothing is fool-proof to a talented fool. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Le 09.12.2010 23:26, Matus UHLAR - fantomas a écrit : >> In message <20101209220716.ga2...@fantomas.sk>, Matus UHLAR - fantomas >> writes: >>> pardon my ignorance if this has been discussed (haven't notice), but >>> if BIND is configured to automatically sign dynamic zones, does it >>> distribute DS records to parent zones somehow? and if not, what are ways to >>> do that? > > On 10.12.10 09:15, Mark Andrews wrote: >> This is IETF dnsext/dnsop fodder. >> >> The simple way would be to just record a TSIG key in the child zones >> config to update the parent zone and use signed UPDATE messages. >> Unfortunately this has run into layer 9 issues. > > maybe some alternative of NOTIFY mechanism? > > However that's apparently why I missed it... > I think I'll try with opendnssec. I even don't like the automatic mechanism > much because of bulk updates which I do quite often. > > Is it possible(planned) for bind to sign slave zone? > And, are incremental updates possible with dnssec? > > I'm thinking about hidden master bind loading (un)signed zones and providing > axfr/ixfr to our public servers > webmin implement the mecanism of resign zones - -- http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7 gpg --keyserver pgp.mit.edu --recv-key 092164A7 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iD8DBQFNAVwJtXI/OwkhZKcRAvrpAJ4oY1jMstShHD4lvNLqsYTHqDTCPACfS6sa JvRPYH48kCyV6W2tBDtgpmw= =UhUW -END PGP SIGNATURE- ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
In message <20101209222644.ga2...@fantomas.sk>, Matus UHLAR - fantomas writes: > > In message <20101209220716.ga2...@fantomas.sk>, Matus UHLAR - fantomas writ > es: > > > pardon my ignorance if this has been discussed (haven't notice), but > > > if BIND is configured to automatically sign dynamic zones, does it > > > distribute DS records to parent zones somehow? and if not, what are ways > to > > > do that? > > On 10.12.10 09:15, Mark Andrews wrote: > > This is IETF dnsext/dnsop fodder. > > > > The simple way would be to just record a TSIG key in the child zones > > config to update the parent zone and use signed UPDATE messages. > > Unfortunately this has run into layer 9 issues. > > maybe some alternative of NOTIFY mechanism? > > However that's apparently why I missed it... > I think I'll try with opendnssec. I even don't like the automatic mechanism > much because of bulk updates which I do quite often. > > Is it possible(planned) for bind to sign slave zone? The master signs the zone. The slaves just serve it. > And, are incremental updates possible with dnssec? Yes. You just send the signature and nsec/nsec3 changes as well as the data changes themselves. > I'm thinking about hidden master bind loading (un)signed zones and > providing axfr/ixfr to our public servers DNSSEC works with hidden masters. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
> In message <20101209220716.ga2...@fantomas.sk>, Matus UHLAR - fantomas writes: > > pardon my ignorance if this has been discussed (haven't notice), but > > if BIND is configured to automatically sign dynamic zones, does it > > distribute DS records to parent zones somehow? and if not, what are ways to > > do that? On 10.12.10 09:15, Mark Andrews wrote: > This is IETF dnsext/dnsop fodder. > > The simple way would be to just record a TSIG key in the child zones > config to update the parent zone and use signed UPDATE messages. > Unfortunately this has run into layer 9 issues. maybe some alternative of NOTIFY mechanism? However that's apparently why I missed it... I think I'll try with opendnssec. I even don't like the automatic mechanism much because of bulk updates which I do quite often. Is it possible(planned) for bind to sign slave zone? And, are incremental updates possible with dnssec? I'm thinking about hidden master bind loading (un)signed zones and providing axfr/ixfr to our public servers -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Despite the cost of living, have you noticed how popular it remains? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
In message <20101209220716.ga2...@fantomas.sk>, Matus UHLAR - fantomas writes: > Hello, > > pardon my ignorance if this has been discussed (haven't notice), but > if BIND is configured to automatically sign dynamic zones, does it > distribute DS records to parent zones somehow? and if not, what are ways to > do that? This is IETF dnsext/dnsop fodder. The simple way would be to just record a TSIG key in the child zones config to update the parent zone and use signed UPDATE messages. Unfortunately this has run into layer 9 issues. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
bind autosign - DS distribution
Hello, pardon my ignorance if this has been discussed (haven't notice), but if BIND is configured to automatically sign dynamic zones, does it distribute DS records to parent zones somehow? and if not, what are ways to do that? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Remember half the people you know are below average. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DiG 9.3.6-P1 segfaults on CentOS
This issue was initially reported to me by a customer running CentOS 5.5 x86_64. I was able to duplicate it on CentOS 5.5 i386 with dig version: DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 When doing a dig +trace to a DNSBL for a TXT record they're getting a segfault after making the final query (prior to displaying the answer). I did a tcpdump of this behavior and saw two identical queries from the same source port with the same transaction ID 0.74 seconds apart. The responses were received 0.000745 seconds apart, from the same IP with the same transaction ID. When I repeat the test through an intermediary resolver it only sends one query datagram and gets a single response (and doesn't crash). Any ideas? -- bk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DIG Source IP
Gary Wallis wrote: John Williams wrote: If I have a Linux host with multiple IP's, is there a way to utilize the DIG command such that the query appears like it's coming from different IP addresses? So If I have 10 virtual IP's, is there a way to control the source IP of the query? I've referenced the DIG man page and it doesn't appear to be possible. Thanks in advance. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Not supported. But that would be a great feature for dig. Would make testing views on other ACL related issues much easier. Cheers, Gary ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Whoops... -b has been available for some time. OPTIONS The -b option sets the source IP address of the query to address. This must be a valid address on one of the hostâs network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#" ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DIG Source IP
On Dec 9, 2010, at 9:51 AM, John Williams wrote: > If I have a Linux host with multiple IP's, is there a way to utilize the DIG > command such that the query appears like it's coming from different IP > addresses? > > So If I have 10 virtual IP's, is there a way to control the source IP of the > query? > > I've referenced the DIG man page and it doesn't appear to be possible. > Thanks > in advance. > What version of dig? man for DiG 9.7.2-P3 says: The -b option sets the source IP address of the query to address. This must be a valid address on one of the host’s network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#" W > > > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DIG Source IP
John Williams wrote: If I have a Linux host with multiple IP's, is there a way to utilize the DIG command such that the query appears like it's coming from different IP addresses? So If I have 10 virtual IP's, is there a way to control the source IP of the query? I've referenced the DIG man page and it doesn't appear to be possible. Thanks in advance. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Not supported. But that would be a great feature for dig. Would make testing views on other ACL related issues much easier. Cheers, Gary ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DIG Source IP
On 09.12.10 06:51, John Williams wrote: > If I have a Linux host with multiple IP's, is there a way to utilize the DIG > command such that the query appears like it's coming from different IP > addresses? > > So If I have 10 virtual IP's, is there a way to control the source IP of the > query? > > I've referenced the DIG man page and it doesn't appear to be possible. > Thanks > in advance. which dig version? See the -b option -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I wonder how much deeper the ocean would be without sponges. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DIG Source IP
Hi Have you tried [-b address] ? --- Sim 2010/12/9 John Williams : > If I have a Linux host with multiple IP's, is there a way to utilize the DIG > command such that the query appears like it's coming from different IP > addresses? > > So If I have 10 virtual IP's, is there a way to control the source IP of the > query? > > I've referenced the DIG man page and it doesn't appear to be possible. Thanks > in advance. > > > > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: DIG Source IP
dig -b {srcip}
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of John
Williams
Sent: Thursday, December 09, 2010 9:51 AM
To: bind-users@lists.isc.org
Subject: DIG Source IP
If I have a Linux host with multiple IP's, is there a way to utilize the DIG
command such that the query appears like it's coming from different IP
addresses?
So If I have 10 virtual IP's, is there a way to control the source IP of the
query?
I've referenced the DIG man page and it doesn't appear to be possible. Thanks
in advance.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
-
This transmission (including any attachments) may contain confidential
information, privileged material (including material protected by the
solicitor-client or other applicable privileges), or constitute non-public
information. Any use of this information by anyone other than the intended
recipient is prohibited. If you have received this transmission in error,
please immediately reply to the sender and delete this information from your
system. Use, dissemination, distribution, or reproduction of this transmission
by unintended recipients is not authorized and may be unlawful.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
DIG Source IP
If I have a Linux host with multiple IP's, is there a way to utilize the DIG command such that the query appears like it's coming from different IP addresses? So If I have 10 virtual IP's, is there a way to control the source IP of the query? I've referenced the DIG man page and it doesn't appear to be possible. Thanks in advance. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: maximum number of FD events (64) received
28.09.2010 10:46, JINMEI Tatuya / 神明達哉 пишет: > These logs are not (directly) related to file descriptors. They mean > epoll returned more socket events than the implementation normally > expects (which is 64). This is not necessarily an error because the > remaining events will be returned with the next call to epoll_wait(). > However, the event loop should generally runs pretty quickly, so it's > still an unexpected situation. > > You may want to check overall stability of the server, e.g., in terms > of the ratio of server failures (SERVFAIL) that your server returns to > the clients, cache memory footprint, cache hit ratio, number of query > drops (if any), etc. If these are okay and you only see the log > messages occasionally, you can probably ignore them. > > Otherwise, if you use multiple threads on a multi-core machine and you > set max-cache-size to some finite value, you may be hit by a recently > found bug in the cache memory management, which can make a caching > server very busy. (but it's a wild guess: I've personally never seen > this bug trigger the log message in question). This bug will be fixed > in 9.7.2. A have same error after upgrade from 9.7.0-P1 to 9.7.2-P2: Dec 9 11:40:03 thunderball named[13574]: 09-Dec-2010 11:40:03.719 general: info: sockmgr 0x101856f70: maximum number of FD events (64) received bind-9.7.2-P3, FreeBSD 8. vanilla src: make with: $ STD_CDEFINES='-DFD_SETSIZE=16384' ./configure --enable-threads --enable-largefile --enable-atomic --with-libxml2=yes $ STD_CDEFINES='-DFD_SETSIZE=16384' make === Decision: Add to configure & make STD_CDEFINES='-DISC_SOCKET_MAXEVENTS=256' -- Рыбин Дмитрий Эксперт по аварийному восстановлению сервисов Отдел систем ШПД Департамент ИТ- инфраструктуры Группа компаний Вымпелком Tel: +7(495) 7871000 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
