IXFR and AXFR

2011-01-27 Thread pyh


At what time the slave executes AXFR and at what time it executes IXFR from 
the master? 


Thanks.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: IXFR and AXFR

2011-01-27 Thread Eivind Olsen
> At what time the slave executes AXFR and at what time it executes IXFR
> from the master?

Someone please correct me if I give misleading information. I don't
believe I am, but I've been wrong before :D

There's a good section about this in the ARM, such as BIND 9.7 ARM section
4.3 - Incremental Zone Transfers (IXFR).

Basically, a BIND 9 slave will normally ask for IXFR unless told not to
(request-ixfr).
A BIND 9 master can't always provide IXFR though - if it can't it will
provide AXFR instead. To be able to provide IXFR it needs to have some
idea of the changes being made, so it can give a meaningful reply when
asked to provide "all changes since serial number X", so you'll normally
see IXFR being possible for dynamically updated zones (and a couple of
other cases, check the ARM).

Regards
Eivind Olsen




Recursive DNS problem

2011-01-27 Thread bangla desh
Hello all,

I am running Bind 9.7.1-p2 as recursive dns. I encountered this problem with
the domain hsbc.com.bd. When I dig hsbc.com.bd, it gives me a connection
timed out response.

 #dig hsbc.com.bd

; <<>> DiG 9.7.1-P2 <<>> hsbc.com.bd
;; global options: +cmd
;; connection timed out; no servers could be reached

But when I cleared my cache thru rndc flush, I then have a response and
solved the problem:

#dig hsbc.com.bd

; <<>> DiG 9.7.1-P2 <<>> hsbc.com.bd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10733
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;hsbc.com.bd.   IN  A

;; ANSWER SECTION:
hsbc.com.bd.    900 IN  A   203.112.92.6

;; AUTHORITY SECTION:
hsbc.com.bd.    900 IN  NS  ns2.hsbc.com.sg.
hsbc.com.bd.    900 IN  NS  ns13.hsbc.com.hk.
hsbc.com.bd.    900 IN  NS  ns11.hsbc.com.hk.
hsbc.com.bd.    900 IN  NS  ns1.hsbc.com.sg.

;; ADDITIONAL SECTION:
ns1.hsbc.com.sg.    899 IN  A   203.112.84.5
ns11.hsbc.com.hk.   899 IN  A   203.112.90.4
ns13.hsbc.com.hk.   899 IN  A   203.112.90.5

;; Query time: 884 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 26 18:53:23 2011
;; MSG SIZE  rcvd: 189

I digged further about the problem as to what causes it. I found out that if
I clear the cache and then dig first the ns record(s) of com.bd, before I
dig hsbc.com.bd, I will be able to replicate the problem.

What bothered me is what is in com.bd that blocks the response from
hsbc.com.bd? Please I need your inputs.


Thanks,

Bangla

Re: Recursive DNS problem

2011-01-27 Thread Torinthiel
Dnia 2011-01-27 17:38 bangla desh napisał(a):
>
>Hello all,
>
>I am running Bind 9.7.1-p2 as recursive dns. I encountered this problem with
>the domain hsbc.com.bd. When I dig hsbc.com.bd, it gives me a connection
>timed out response.
>

[cut]
>
>I digged further about the problem as to what causes it. I found out that if
>I clear the cache and then dig first the ns record(s) of com.bd, before I
>dig hsbc.com.bd, I will be able to replicate the problem.

can't reproduce it here, works for me when I try straight hsbc.com.bd, or dig
ns com.bd beforehand, or dig both ns bd and com.bd.
>
>What bothered me is what is in com.bd that blocks the response from
>hsbc.com.bd? Please I need your inputs.

One thing for sure. It has only one nameserver. This is plainly wrong, each 
domain should have at least 2 (and SLD like this one even more).
does it work when you type 
dig ns hsbc.com.bd @ns.com.bd
because that's what fails for me.

And there's more:

$  dig ns com.bd @dns.bd

; <<>> DiG 9.7.1 <<>> ns com.bd @dns.bd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57519
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;com.bd.    IN  NS

;; ANSWER SECTION:
com.bd. 86400   IN  NS  ns.com.bd.

;; ADDITIONAL SECTION:
ns.com.bd.  86400   IN  A   203.112.194.18

;; Query time: 368 msec
;; SERVER: 209.58.24.3#53(209.58.24.3)
;; WHEN: Thu Jan 27 11:00:46 2011
;; MSG SIZE  rcvd: 57

$  dig ns hsbc.com.bd @dns.bd

; <<>> DiG 9.7.1 <<>> ns hsbc.com.bd @dns.bd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2379
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;hsbc.com.bd.   IN  NS

;; AUTHORITY SECTION:
hsbc.com.bd.    86400   IN  NS  ns11.hsbc.com.hk.
hsbc.com.bd.    86400   IN  NS  ns13.hsbc.com.hk.
hsbc.com.bd.    86400   IN  NS  ns1.hsbc.com.sg.

;; Query time: 368 msec
;; SERVER: 209.58.24.3#53(209.58.24.3)
;; WHEN: Thu Jan 27 11:01:07 2011
;; MSG SIZE  rcvd: 107

Which means that DNS server for .bd domain (at least one of them) returns
answer for ns for .com.bd (ok, it is a delegation probably), but also a
(non-authoritative) answer for hsbc.com.bd. This is a bit strange, it doesn't
provide recursive queries, it has delegation for com.bd, but it's still
willing to return deeper answers.
Now, what happens when you have clear cache is that it asks dns.bd for
reference and gets hsbc records. But if you have NS com.bd in your cache,
bind probably assumes (and quite correctly) that it should ask com.bd
nameservers, not the bd. ones. But com.bd ones don't provide an answer, so
you have timeout.
Looks like the com.bd zone is broken somewhat. Either the delegation should
be removed from bd, or the server needs fixing and adding other servers is
necessary.
Torinthiel
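
The two checks made by hand in the message above (is the reply authoritative or only a referral, and how many nameservers does the zone list), written as an added example that is not part of the original post. The function names are made up for this illustration; the sample text is the dig output quoted in the post, trimmed to the lines the parser reads.

```python
import re

def parse_dig(text):
    """Return (header flags, NS records per section) from dig output."""
    flags = re.search(r";; flags: ([a-z ]+);", text).group(1).split()
    section, ns = None, {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif section in ns and line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split()
            if rtype == "NS":
                ns[section].append((owner, rdata))
    return flags, ns

def review(text):
    """Findings for one NS query: (owner names, list of findings)."""
    flags, ns = parse_dig(text)
    records = ns["ANSWER"] or ns["AUTHORITY"]
    findings = []
    if "aa" not in flags and not ns["ANSWER"]:
        findings.append("non-authoritative referral")
    if len(records) < 2:
        findings.append("fewer than two nameservers")
    return {owner for owner, _ in records}, findings

# The two replies from dns.bd quoted in the post, trimmed to the parsed lines.
COM_BD = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
com.bd. 86400   IN  NS  ns.com.bd.
;; ADDITIONAL SECTION:
ns.com.bd.  86400   IN  A   203.112.194.18
"""
HSBC_COM_BD = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; AUTHORITY SECTION:
hsbc.com.bd.    86400   IN  NS  ns11.hsbc.com.hk.
hsbc.com.bd.    86400   IN  NS  ns13.hsbc.com.hk.
hsbc.com.bd.    86400   IN  NS  ns1.hsbc.com.sg.
"""

if __name__ == "__main__":
    for name, reply in (("com.bd", COM_BD), ("hsbc.com.bd", HSBC_COM_BD)):
        print(name, review(reply))
```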


Re: bind Bind or BIND?

2011-01-27 Thread Stacey Jonathan Marshall
On 27/01/2011 02:43, Alan Clegg wrote:
> On 1/26/2011 9:22 PM, Chuck Swiger wrote:
>> Yes, BIND is an acronym for Berkeley Internet Name Daemon.
> Berkeley Internet Name Domain.

Hi Alan,

Could you correct the reference on
http://www.isc.org/software/bind/whatis please.

Cheers,  Stace


Re: IXFR and AXFR

2011-01-27 Thread Mark Andrews

In message , "Eivind Olsen" writes:
> > At what time the slave executes AXFR and at what time it executes IXFR
> > from the master?
> 
> Someone please correct me if I give misleading information. I don't
> believe I am, but I've been wrong before :D
> 
> There's a good section about this in the ARM, such as BIND 9.7 ARM section
> 4.3 - Incremental Zone Transfers (IXFR).
> 
> Basically, a BIND 9 slave will normally ask for IXFR unless told not to
> (request-ixfr).
> A BIND 9 master can't always provide IXFR though - if it can't it will
> provide AXFR instead. To be able to provide IXFR it needs to have some
> idea of the changes being made, so it can give a meaningful reply when
> asked to provide "all changes since serial number X", so you'll normally
> see IXFR being possible for dynamically updated zones (and a couple of
> other cases, check the ARM).
> 
> Regards
> Eivind Olsen

named will do an axfr initially, anytime it believes it has lost sync with the
master (the ixfr did not apply without error), when "rndc retransfer" is
called, when ixfr is rejected by the master.

The master will return an AXFR style IXFR whenever it doesn't have the requested
axfr stream.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: IXFR and AXFR

2011-01-27 Thread pyh
Mark Andrews writes: 


> The master will return a AXFR style IXFR whenever it doesn't have the requested
> axfr stream.


Do you mean whenever it doesn't have the requested IXFR stream? 


Thanks.


Re: bind Bind or BIND?

2011-01-27 Thread Alan Clegg
On 1/27/2011 5:20 AM, Stacey Jonathan Marshall wrote:
> On 27/01/2011 02:43, Alan Clegg wrote:
>> On 1/26/2011 9:22 PM, Chuck Swiger wrote:
>>> Yes, BIND is an acronym for Berkeley Internet Name Daemon.
>> Berkeley Internet Name Domain.
> 
> Hi Alan,
> 
> Could you correct the reference on
> http://www.isc.org/software/bind/whatis please.

Yep, I'm going to open a ticket with the web developers to purge the
badness.  :)

Thanks,
AlanC




Re: rndc confusion

2011-01-27 Thread donovan jeffrey j

On Jan 26, 2011, at 10:32 PM, Alan Clegg wrote:

> On 1/26/2011 10:27 PM, donovan jeffrey j wrote:
> 
>> okay
>> so what is the rndc.conf for ? -- my finger is on the rm button.
>> is it for listing other server keys ?
> 
> rndc.conf is used by rndc in the circumstances that you have put the
> required "controls" section into your named.conf directly (where there
> is no /etc/rndc.key file)
> 
a

> It can contain additional definitions so that you can do magic like
> "rndc -s foo.bar.baz flush".

i love magic
thanks for the explanation.

> 
> Lots of additional information and samples in "man rndc.conf"
> 
> AlanC
> 


Re: IXFR and AXFR

2011-01-27 Thread Mark Andrews

In message <20110127124124.5b8ed2d...@mail.nsbeta.info>, p...@mail.nsbeta.info 
writes:
> Mark Andrews writes: 
> 
> > The master will return a AXFR style IXFR whenever it doesn't have the
> > requested axfr stream.
> 
> Do you mean whenever it doesn't have the requested IXFR stream? 

When you make an IXFR request you say "please send me the changes starting at
this serial".  Sometimes the master will have already discarded some or all
of the changes.  IXFR allows for optional compression of deltas and if one of
the masters in the axfr graph does that and you have multiple masters listed
you may end up asking a master about a serial that was compressed away.
 
> Thanks.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
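
A toy model of the behaviour described in the two replies above, as an added example that is not BIND's code and not part of the original messages. The `Master` class, the tuple record format and the sample zone are constructed for this illustration; the reply shapes follow RFC 1995 (a single SOA, SOA-delimited deltas, or the whole zone), and serial-number wraparound is ignored.

```python
class Master:
    """Toy master: current zone plus a journal of per-serial deltas."""
    def __init__(self, zone, serial):
        self.zone, self.serial = dict(zone), serial
        self.journal = {}   # old serial -> (removed, added) producing old+1

    def update(self, removed, added):
        """Apply a change and journal it, as happens for a dynamic update."""
        for name in removed:
            del self.zone[name]
        self.zone.update(added)
        self.journal[self.serial] = (dict(removed), dict(added))
        self.serial += 1

    def trim(self, keep):
        """Discard all but the newest `keep` deltas."""
        for old in sorted(self.journal)[:len(self.journal) - keep]:
            del self.journal[old]

    def ixfr(self, since):
        """Answer 'send me the changes starting at serial `since`'."""
        soa = ("SOA", self.serial)
        if since >= self.serial:          # serial wraparound ignored here
            return [soa]
        if any(s not in self.journal for s in range(since, self.serial)):
            # A needed delta is gone: send the whole zone, AXFR style.
            return [soa, *(("A", n, v) for n, v in sorted(self.zone.items())), soa]
        out = [soa]
        for s in range(since, self.serial):
            removed, added = self.journal[s]
            out += [("SOA", s), *(("A", n, v) for n, v in removed.items())]
            out += [("SOA", s + 1), *(("A", n, v) for n, v in added.items())]
        return out + [soa]

def classify(resp):
    """Tell the reply shapes apart the way an IXFR client does."""
    if len(resp) == 1:
        return "up-to-date"
    return "incremental" if resp[1][0] == "SOA" else "axfr-style"

def demo():
    m = Master({"www": "192.0.2.1"}, serial=10)           # constructed data
    m.update({}, {"mail": "192.0.2.2"})                   # 10 -> 11
    m.update({"www": "192.0.2.1"}, {"www": "192.0.2.9"})  # 11 -> 12
    full_journal = classify(m.ixfr(10))
    m.trim(keep=1)                                        # drop the 10 -> 11 delta
    return full_journal, classify(m.ixfr(10)), classify(m.ixfr(11)), classify(m.ixfr(12))

if __name__ == "__main__":
    print(demo())
```

The same request for serial 10 gets an incremental reply while the journal is complete and an AXFR-style reply once the oldest delta has been discarded.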


Re: Recursive DNS problem

2011-01-27 Thread bangla desh
> -- Forwarded message --
> From: "Torinthiel" 
> To: "\"bind-users@lists.isc.org\"" 
> Date: Thu, 27 Jan 2011 11:08:07 +0100
> Subject: Re: Recursive DNS problem
> Dnia 2011-01-27 17:38 bangla desh napisał(a):
> >
> >Hello all,
> >
> >I am running Bind 9.7.1-p2 as recursive dns. I encountered this problem with
> >the domain hsbc.com.bd. When I dig hsbc.com.bd, it gives me a connection
> >timed out response.
> >
>
> [cut]
> >
> >I digged further about the problem as to what causes it. I found out that if
> >I clear the cache and then dig first the ns record(s) of com.bd, before I
> >dig hsbc.com.bd, I will be able to replicate the problem.
>
> can't reproduce it here, works for me when I try straight hsbc.com.bd, or dig
> ns com.bd beforehand, or dig both ns bd and com.bd.
> >
> >What bothered me is what is in com.bd that blocks the response from
> >hsbc.com.bd? Please I need your inputs.
>
> One thing for sure. It has only one nameserver. This is plainly wrong, each
> domain should have at least 2 (and SLD like this one even more).
> does it work when you type
> dig ns hsbc.com.bd @ns.com.bd
> because that's what fails for me.
>
> And there's more:
>
> $  dig ns com.bd @dns.bd
>
> ; <<>> DiG 9.7.1 <<>> ns com.bd @dns.bd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57519
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;com.bd.    IN  NS
>
> ;; ANSWER SECTION:
> com.bd. 86400   IN  NS  ns.com.bd.
>
> ;; ADDITIONAL SECTION:
> ns.com.bd.  86400   IN  A   203.112.194.18
>
> ;; Query time: 368 msec
> ;; SERVER: 209.58.24.3#53(209.58.24.3)
> ;; WHEN: Thu Jan 27 11:00:46 2011
> ;; MSG SIZE  rcvd: 57
>
> $  dig ns hsbc.com.bd @dns.bd
>
> ; <<>> DiG 9.7.1 <<>> ns hsbc.com.bd @dns.bd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2379
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;hsbc.com.bd.   IN  NS
>
> ;; AUTHORITY SECTION:
> hsbc.com.bd.    86400   IN  NS  ns11.hsbc.com.hk.
> hsbc.com.bd.    86400   IN  NS  ns13.hsbc.com.hk.
> hsbc.com.bd.    86400   IN  NS  ns1.hsbc.com.sg.
>
> ;; Query time: 368 msec
> ;; SERVER: 209.58.24.3#53(209.58.24.3)
> ;; WHEN: Thu Jan 27 11:01:07 2011
> ;; MSG SIZE  rcvd: 107
>
> Which means that DNS server for .bd domain (at least one of them) returns
> answer for ns for .com.bd (ok, it is a delegation probably), but also a
> (non-authoritative) answer for hsbc.com.bd. This is a bit strange, it doesn't
> provide recursive queries, it has delegation for com.bd, but it's still
> willing to return deeper answers.
> Now, what happens when you have clear cache is that it asks dns.bd for
> reference and gets hsbc records. But if you have NS com.bd in your cache,
> bind probably assumes (and quite correctly) that it should ask com.bd
> nameservers, not the bd. ones. But com.bd ones don't provide an answer, so
> you have timeout.
> Looks like the com.bd zone is broken somewhat. Either the delegation should
> be removed from bd, or the server needs fixing and adding other servers is
> necessary.
> Torinthiel
>
>
I believed so that com.bd is broken. It only has 1 ns server and
hsbc.com.bd, whois.com.bd and even google.com.bd are all delegated
directly from bd and not from com.bd.

I am wondering, is there a dns rule/standard (or RFC) that explains about
delegation?

-Bangla

Re: root hints

2011-01-27 Thread Joseph S D Yao
On Wed, Jan 26, 2011 at 04:16:47PM +, Chris Thompson wrote:
...
> which puts it in BIND 9.2 but not in 9.1. I can't find any indication
> in the CHANGES files or in my memory that BIND 8 ever had compiled-in
> hints.
...


Which just shows that my memory going back to BIND 8 has deteriorated.
I apologize for throwing that in - I know I have no sense of time, and I
should have looked it up if I was going to answer it at all.

But I still think it better to have an explicit "root.hints" file than
to trust in the invisible file compiled in.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: root hints

2011-01-27 Thread Joseph S D Yao
On Thu, Jan 27, 2011 at 09:59:58AM +0800, p...@mail.nsbeta.info wrote:
...
> That means since BIND 9.2 we don't have the need to make a hints file for 
> named. Yep in current days who are running the named version below 9.2?
...


Surprisingly more people than you would imagine.  Is Bill M still doing
his periodic surveys?

Just because we don't need to, doesn't mean that it's a good practice
not to.  And it's so easy to create one on a system where DNS is already
set up.

dig ns . > root.hints


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/