RRSIG Expired
Hi All,

Does anyone have an issue with RRSIG expired on in-addr.arpa on the b.root server?

general: /etc/namedb/slave/in-addr.arpa.slave:10: signature has expired

in-addr.arpa.           IN SOA  b.in-addr-servers.arpa. nstld.iana.org. (
                                2011022011 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        RRSIG   SOA 8 2 3600 2011032057 (
                                20110304032519 11514 in-addr.arpa.
                                m/QWGaDFqtuN+j4twE9CBD/Fjag93Ebw84OT3I0D1qvr
                                UVBAjmJSv2MUqTadQKsHjdVWBb5bI8YIrJBIyboJOpoB
                                esE4Nk1Clmx4doh2tdsReXekh0Wj1zXtoXMHb7v9JIgM
                                0w4q+lB2N+HSZFUCT2nPM4qkTCFVz+Enx26lHPw= )

-- 
Paul Ooi
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
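named logs the "signature has expired" line above while loading a zone file whose RRSIG expiration time lies in the past. The Python below is an added example (not from the post or from ISC) that parses the RRSIG records of a zone file and reports which signatures are expired or about to expire, so a secondary can be checked before it reloads; the sample zone text, its timestamps and the signature data are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone text in master-file syntax: the SOA timers mirror
# the in-addr.arpa SOA quoted above; signature times and data are made up.
SAMPLE_ZONE = """\
in-addr.arpa. 3600 IN SOA b.in-addr-servers.arpa. nstld.iana.org. (
        2011022011 1800 900 604800 3600 )   ; serial refresh retry expire minimum
    3600 IN RRSIG SOA 8 2 3600 20110318000000 (
        20110304032519 11514 in-addr.arpa. CONSTRUCTEDSIGDATA= )
    3600 IN RRSIG NS 8 2 3600 20110330120000 20110316120000 11514 in-addr.arpa. CONSTRUCTEDSIGDATA=
10.in-addr.arpa. 3600 IN NS ns.example.
10.in-addr.arpa. 3600 IN RRSIG NS 8 3 3600 20110601000000 20110318000000 11514 in-addr.arpa. CONSTRUCTEDSIGDATA=
"""

def _records(zone_text):
    """Yield (inherits_owner, tokens) per logical record: ';' comments are
    stripped and '( ... )' continuation lines are joined into one record."""
    buf, depth, inherits = [], 0, False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            inherits = line[:1].isspace()   # leading blank = same owner as before
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens, buf, depth = " ".join(buf).split(), [], 0
            if tokens:
                yield inherits, tokens

def _sig_time(field):
    """RFC 4034 signature times are YYYYMMDDHHMMSS (UTC); a bare integer is
    seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(zone_text):
    """One dict per RRSIG: owner, type covered, inception and expiration."""
    sigs, owner = [], None
    for inherits, tok in _records(zone_text):
        if tok[0].startswith("$"):
            continue                        # $ORIGIN / $TTL directives
        if not inherits:
            owner = tok[0]
        if "RRSIG" not in tok:
            continue
        i = tok.index("RRSIG")
        type_covered, _alg, _labels, _ottl, exp, inc = tok[i + 1:i + 7]
        sigs.append({"owner": owner, "type_covered": type_covered,
                     "expiration": _sig_time(exp), "inception": _sig_time(inc)})
    return sigs

def check_rrsigs(zone_text, now="20110328000000", warn_days=3):
    """Classify each RRSIG at time `now` (YYYYMMDDHHMMSS, UTC) as expired,
    not-yet-valid, expiring-soon or ok; run it before named reloads the zone."""
    t, report = _sig_time(now), []
    for s in parse_rrsigs(zone_text):
        if t >= s["expiration"]:
            status = "expired"
        elif t < s["inception"]:
            status = "not-yet-valid"
        elif s["expiration"] - t <= timedelta(days=warn_days):
            status = "expiring-soon"
        else:
            status = "ok"
        report.append((s["owner"], s["type_covered"], status))
    return report
```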
BIND 9.4.3-P2 assertion failure
Hi,

I have used BIND 9.4.3-P2 on FreeBSD 7.2-RELEASE (which is built in) for about two years without problems. Since last Friday I sometimes see error messages like the following:

Mar 28 16:44:06 gate2 named[60455]: /usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:2361: INSIST(!sock->pending_accept) failed
Mar 28 16:44:06 gate2 named[60455]: exiting (due to assertion failure)
Mar 28 16:44:06 gate2 kernel: pid 60455 (named), uid 53: exited on signal 6

What is the reason for this problem? No system configuration changes were made lately. I use BIND as a caching DNS server for my LAN. The Squid server only queries this BIND. My named.conf is:

options {
        // Relative to the chroot directory, if any
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        listen-on       { 127.0.0.1; };

        forward first;
        // provider's dns
        forwarders { xx.xx.xx.xx; yy.yy.yy.yy; };

        allow-recursion { 127.0.0.1; };
};

zone "." { type hint; file "named.root"; };

// RFC 1912
zone "localhost"        { type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };

// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };

zone "lan.local" {
        type forward;
        forward first;
        forwarders { 10.1.1.1; 10.1.1.2; };
};
RE: GUI for bind
Hi, we have already used the Incognito Name Commander DMS. It is very intuitive and doesn't need any modifications to BIND.

Cagnin

-----Original Message-----
From: bind-users-bounces+icagnin=timbrasil.com...@lists.isc.org [mailto:bind-users-bounces+icagnin=timbrasil.com...@lists.isc.org] On Behalf Of Jorg B.
Sent: Monday, 28 March 2011 19:55
To: bind-users
Subject: GUI for bind

Hello,

I'm looking for a GUI for bind that meets the following requirements:

(1) Must still be under development (and supported, either commercially or via community support)
(2) Supports accounts/groups that will allow me to create user accounts that are able to modify only zone records assigned to the account/group.
(3) Administrator access with the permissions to modify any zone record.
(4) Should support most common features of bind.
(5) Should support 100's of zone records.
(6) Should be somewhat easy to use, so that non-experts can figure it out.

The product does not have to be free... a commercial product is perfectly fine. I've spent some time searching around, but most of the GUI products either don't support bind or are no longer maintained...

Any recommendations would be appreciated...

Thanks
JB
Re: openssl pkcs#11 engine patch
On Wed, 23 Mar 2011, Billy Glynn wrote:

> For me, I had the same problem. I'm running RHEL5, openssl-0.9.8l with the ISC patch and integrating with the AEP Keyper PKCS#11 lib. After applying the ISC patch, I found that this worked for me:
>
> # ./Configure linux-elf -m32 -pthread --pk11-libname=/opt/Keyper/PKCS11Provider/pkcs11.so --pk11-flavor=sign-only --prefix=/opt/pkcs11/usr
> # make
> # ./apps/openssl engine pkcs11
> (pkcs11) PKCS #11 engine support (sign only)

Note that fedora/rhel have a package bind-pkcs11 that *should* work without patching bind manually. I have not tried this recently, but if it does not work, I suggest opening a bug report about this, so that we can get it fixed.

Paul
dynamically updating the forwarders with bind/rndc
Hi,

Is there a way for bind9 (or planned for bind10) to dynamically update the forwarders via rndc? I believe currently the only way to do this is to rewrite the config file and then call rndc reload. This is not something that lends itself to automating based on a network manager based network that receives DHCP updates and needs to reconfigure the forwarder based on the obtained DNS server options.

I know unbound can do this using unbound-remote forward a.b.c.d.

If a patch for bind9 would be written to allow this via rndc, would it have a chance of being accepted?

Paul
Re: dynamically updating the forwarders with bind/rndc
On 29/03/11 12:25, Paul Wouters wrote:
> Hi,
>
> Is there a way for bind9 (or planned for bind10) to dynamically update the forwarders via rndc? I believe currently the only way to do this is to rewrite the config file and then call rndc reload.

I believe there's a DBUS interface that NetworkManager on Linux uses for this purpose.

http://opensource.apple.com/source/bind9/bind9-31/bind9/contrib/dbus/README.DBUS

...but it seems to be absent from the bind build on my Fedora 12 box, so I don't know if it's fallen by the wayside.
Re: dns RR method is not equal balanced?
First and foremost you shouldn't be running any version of BIND 8. That is way out of date and open to a lot of exploits. That being said if by some

-Ben Croswell

On Mar 29, 2011 4:55 AM, Kay ch...@daumcorp.com wrote:
> Dear friends,
>
> I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains. In my case, some domain has 12 IPs but the traffic of the servers is not equal. The traffic of 11 IPs is the same and just 1 IP is higher than the others.
>
> Today, I moved the dns that is not equal to GSLB (F5) and set address-return 2 (Maximum Addresses Returned). And then, it disappeared; equal traffic incoming completely.
>
> Is there some kind of bug in the bind that I use? Or any idea?
>
> Thanks.
Re: dynamically updating the forwarders with bind/rndc
On Tue, Mar 29, 2011 at 01:12:38PM +0100, Phil Mayers wrote:
> On 29/03/11 12:25, Paul Wouters wrote:
>> Hi,
>>
>> Is there a way for bind9 (or planned for bind10) to dynamically update the forwarders via rndc? I believe currently the only way to do this is to rewrite the config file and then call rndc reload.
>
> I believe there's a DBUS interface that NetworkManager on Linux uses for this purpose.
>
> http://opensource.apple.com/source/bind9/bind9-31/bind9/contrib/dbus/README.DBUS
>
> ...but it seems to be absent from the bind build on my Fedora 12 box, so I don't know if it's fallen by the wayside.

Hello,

the DBus interface is old and is not compatible with the current NetworkManager interface. For this reason BIND in Fedora is built without it.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
RE: dns RR method is not equal balanced?
Not to mention that RedHat just announced the pending EOL of RHEL4 last week. RHEL5 has been out since around 2007 and RHEL6 was released around the start of this year.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ben Croswell
Sent: Tuesday, March 29, 2011 8:56 AM
To: Kay
Cc: bind-users@lists.isc.org
Subject: Re: dns RR method is not equal balanced?

> First and foremost you shouldn't be running any version of BIND 8. That is way out of date and open to a lot of exploits. That being said if by some
>
> -Ben Croswell
>
> On Mar 29, 2011 4:55 AM, Kay ch...@daumcorp.com wrote:
>> Dear friends,
>>
>> I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains. In my case, some domain has 12 IPs but the traffic of the servers is not equal. The traffic of 11 IPs is the same and just 1 IP is higher than the others.
>>
>> Today, I moved the dns that is not equal to GSLB (F5) and set address-return 2 (Maximum Addresses Returned). And then, it disappeared; equal traffic incoming completely.
>>
>> Is there some kind of bug in the bind that I use? Or any idea?
>>
>> Thanks.
Re: dns RR method is not equal balanced?
I apologize for the cut-off reply. I accidentally hit send before I was complete.

If by "some domains have 12 ips" you mean a 12 A record round robin, then it is important to remember that BIND doesn't have any way of telling the load on the 12 servers. So it's load sharing, not load balancing. The F5 is load balancing, so you would see a more even load across the 12 servers.

-Ben Croswell

On Mar 29, 2011 4:55 AM, Kay ch...@daumcorp.com wrote:
> Dear friends,
>
> I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains. In my case, some domain has 12 IPs but the traffic of the servers is not equal. The traffic of 11 IPs is the same and just 1 IP is higher than the others.
>
> Today, I moved the dns that is not equal to GSLB (F5) and set address-return 2 (Maximum Addresses Returned). And then, it disappeared; equal traffic incoming completely.
>
> Is there some kind of bug in the bind that I use? Or any idea?
>
> Thanks.
Re: dns RR method is not equal balanced?
Kay ch...@daumcorp.com wrote:
> some domain has 12 IPs but the traffic of the servers is not equal. The traffic of 11 IPs is the same and just 1 IP is higher than the others.

If you use round-robin DNS you are relying on the clients not to muck around with the responses they get from your DNS server. If they sort them, for example, that will mess up the balancing. For example RFC 3484 screws it up.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
FitzRoy, Sole: Mainly westerly or southwesterly 4 or 5, increasing 6 or 7 at times. Moderate or rough. Rain or showers, fog patches in Sole. Moderate, occasionally very poor in Sole.
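Ben's point (round robin is load sharing, not load balancing) and Tony's (client-side sorting such as RFC 3484 defeats it) can be seen together in the added Python below, which is not from this thread. It rotates a 12-address answer per query the way an authoritative server does, then applies RFC 3484 rule 9 (longest matching prefix against the client's own address) on the client side; the server and client addresses are constructed so that one address shares a /24 with half the clients.

```python
import ipaddress
from collections import Counter

# Constructed sample: a name with 12 A records (11 in one /24, one elsewhere)
# and 120 clients, half of them in the same /24 as that odd address.
SERVER_ADDRS = [f"198.51.100.{i}" for i in range(10, 21)] + ["203.0.113.5"]
CLIENTS = ([f"203.0.113.{i}" for i in range(100, 160)]
           + [f"10.1.2.{i}" for i in range(1, 61)])


def round_robin(answers, query_index):
    """Rotate the RRset by one position per query, the way an authoritative
    server's cyclic rrset-order hands out a multi-address answer."""
    k = query_index % len(answers)
    return answers[k:] + answers[:k]


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses share."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def rfc3484_rule9(answers, client_addr):
    """RFC 3484 rule 9 (longest matching prefix): a stable sort that moves the
    destination closest to the client's own address to the front, regardless
    of the order the server answered in."""
    return sorted(answers, key=lambda a: -common_prefix_len(a, client_addr))


def simulate(clients, clients_sort):
    """Count which address each client ends up connecting to (the first one
    in the list it uses). With clients_sort=False the server's rotation is
    honoured; with True, rule 9 overrides it for clients near one address."""
    hits = Counter()
    for i, client in enumerate(clients):
        answers = round_robin(SERVER_ADDRS, i)
        if clients_sort:
            answers = rfc3484_rule9(answers, client)
        hits[answers[0]] += 1
    return hits


if __name__ == "__main__":
    for label, sort in (("server order honoured", False), ("RFC 3484 sorting", True)):
        print(label)
        for addr, n in sorted(simulate(CLIENTS, sort).items()):
            print(f"  {addr:15} {n:4}")
```

Even without sorting the server only spreads connections evenly; it never sees that one back end is slower or busier than the rest.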
TTLs and Timeout Question
I'm investigating the failure of a slave server during a network outage at a primary server. The slave server was running and answering queries, but not delivering results for domains for which it is authoritative during the outage. Since the outage occurred in the middle of the night, I have no tests during the outage period and have to infer from logs and the behavior of everything that depended on this server.

The SOA TTL was 1 week on most zones, but the individual records had short TTLs, on the order of an hour. The outage lasted long enough for these shorter TTLs to expire.

My question is: Will a BIND slave server stop serving RRs when their individual TTLs have expired, or only when the SOA TTL has expired?

Thanks in Advance,
--Bill
Re: TTLs and Timeout Question
> From: listmail listm...@entertech.com
> Date: Tue, 29 Mar 2011 09:58:27 -0700
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> I'm investigating the failure of a slave server during a network outage at a primary server. The slave server was running and answering queries, but not delivering results for domains for which it is authoritative during the outage. Since the outage occurred in the middle of the night, I have no tests during the outage period and have to infer from logs and the behavior of everything that depended on this server.
>
> The SOA TTL was 1 week on most zones, but the individual records had short TTLs, on the order of an hour. The outage lasted long enough for these shorter TTLs to expire.
>
> My question is: Will a BIND slave server stop serving RRs when their individual TTLs have expired, or only when the SOA TTL has expired?

Bill,

You are getting issues confused. TTL is the time for a server to cache data for which it is not authoritative. For an authoritative server TTL is irrelevant. Also, the TTL in the SOA is the TTL for negative cache entries, not cached data. (And, if the server is authoritative, it is NOT cached data.)

The relevant field in the SOA is the 'expire' field. If the server has either transferred the zone from the master server or confirmed (via serial #) that the current data is still current. If the data is expired, the slave will stop serving it. Until then, it will serve it and TTL has absolutely nothing to do with this.

I should note that you really need to have rational values for refresh, retry, and expire in your SOA. I like a refresh on the order of an hour for stable zones and 15-30 minutes for fast changing ones. I set retry to about 15 minutes and expire to a couple of weeks. Finally, you probably want your minimum TTL set to a fairly short time like 15 minutes so that you will not continue to use a negative cache entry for too long. It is fairly common for a new name to be queried before it gets into DNS. It may get updated in just a few seconds, but the server will continue to respond that it does not exist until the negative cache TTL expires.

-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net   Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: TTLs and Timeout Question
On Tue, 29 Mar 2011 10:52:49 -0700, Kevin Oberman wrote
>> From: listmail listm...@entertech.com
>>
>> I'm investigating the failure of a slave server during a network outage at a primary server.
>>
>> The SOA TTL was 1 week on most zones, but the individual records had short TTLs, on the order of an hour. The outage lasted long enough for these shorter TTLs to expire.
>>
>> My question is: Will a BIND slave server stop serving RRs when their individual TTLs have expired, or only when the SOA TTL has expired?
>
> Bill,
>
> You are getting issues confused. TTL is the time for a server to cache data for which it is not authoritative. For an authoritative server TTL is irrelevant. Also, the TTL in the SOA is the TTL for negative cache entries, not cached data. (And, if the server is authoritative, it is NOT cached data.)

I guess I didn't state my question very well. When I referred to the SOA TTL, I was referring to the expire field, not the negative cache timeout field.

> The relevant field in the SOA is the 'expire' field. If the server has either transferred the zone from the master server or confirmed (via serial #) that the current data is still current. If the data is expired, the slave will stop serving it. Until then, it will serve it and TTL has absolutely nothing to do with this.

So is this correct: A slave will continue serving RRs regardless of their TTL, as long as the expire value in the SOA has not expired?

If true, I need another theory as to why the slave stopped serving records.

Thanks,
--Bill
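Kevin's answer (only the SOA expire timer, restarted by each successful refresh or serial check, decides when a slave stops answering; record TTLs play no part) can be replayed against Bill's scenario with the added Python below, which is not from this thread. It steps through a slave's refresh/retry cycle across a master outage; the SOA timers are the ones in the in-addr.arpa SOA quoted at the top of this page and the outage window is constructed.

```python
from dataclasses import dataclass

# All times are integer seconds on one clock; 0 is the slave's last successful
# refresh. The SOA timers below are the in-addr.arpa values quoted earlier on
# this page; the outage windows are constructed.


@dataclass(frozen=True)
class SOA:
    refresh: int   # seconds between scheduled serial checks against the master
    retry: int     # seconds between checks after a failed one
    expire: int    # seconds since the last good refresh after which the zone is dropped
    minimum: int   # negative-cache TTL; plays no part in slave expiry


IN_ADDR_ARPA_SOA = SOA(refresh=1800, retry=900, expire=604800, minimum=3600)


def slave_timeline(soa, outage, until):
    """Replay a slave's refresh/retry cycle while the master is unreachable
    during [outage_start, outage_end). Returns (time, event) pairs, where
    event is 'refresh-ok', 'refresh-failed' or 'expired'. Record TTLs never
    enter into this: the slave answers authoritatively until expire fires."""
    outage_start, outage_end = outage
    last_ok, next_check, events = 0, soa.refresh, []
    while True:
        expires_at = last_ok + soa.expire
        if expires_at <= min(next_check, until):
            events.append((expires_at, "expired"))      # zone dropped from here on
            break
        if next_check > until:
            break
        if outage_start <= next_check < outage_end:
            events.append((next_check, "refresh-failed"))
            next_check += soa.retry
        else:
            events.append((next_check, "refresh-ok"))
            last_ok = next_check                        # expire timer restarts
            next_check += soa.refresh
    return events


def stops_serving_at(soa, outage, until):
    """Time at which the slave stops serving the zone, or None if it keeps
    serving throughout the simulated period."""
    for t, event in slave_timeline(soa, outage, until):
        if event == "expired":
            return t
    return None


if __name__ == "__main__":
    # A six-hour master outage starting two hours after the last good refresh.
    print(stops_serving_at(IN_ADDR_ARPA_SOA, (7200, 28800), 30000))            # None
    # The same outage against a constructed SOA whose expire is only one hour.
    print(stops_serving_at(SOA(1800, 900, 3600, 3600), (7200, 28800), 30000))  # 9000
```

With a one-week expire the slave keeps answering through a night-long outage, which is why Bill's outage needs another explanation.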
children whose zones do not reflect the delegation from the parent
Hi,

I'm curious for some feedback on something I've noticed here and there, and came across again the other day.

My experience with DNS, and the method which I've always practiced, is that when a zone is delegated, there should be agreement between the parent and the child - that is to say that whatever nameservers the parent lists for the zone, all children should also list.

I've noticed though, from time to time [it seems to be most common in in-addr.arpa. zones], I see a case where a parent has delegated a zone, but the child does not corroborate this delegation.

An example is 33.50.in-addr.arpa. According to the parent, there are two nameservers responsible for this zone:

dig @dill.arin.net 33.50.in-addr.arpa ns +norec

; <<>> DiG 9.7.1-P2 <<>> @dill.arin.net 33.50.in-addr.arpa ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49118
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;33.50.in-addr.arpa.            IN      NS

;; AUTHORITY SECTION:
33.50.in-addr.arpa.     86400   IN      NS      AUTH01.ROC.NY.FRONTIERNET.NET.
33.50.in-addr.arpa.     86400   IN      NS      AUTH.LKV.MN.FRONTIERNET.NET.

;; Query time: 89 msec
;; SERVER: 192.35.51.32#53(192.35.51.32)
;; WHEN: Tue Mar 29 23:29:10 2011
;; MSG SIZE  rcvd: 105

When asking these two servers the same question, I expected them to provide the same answer [but in the answer section, of course] - but:

dig @auth01.roc.ny.frontiernet.net 33.50.in-addr.arpa ns +norec

; <<>> DiG 9.7.1-P2 <<>> @auth01.roc.ny.frontiernet.net 33.50.in-addr.arpa ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59545
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;33.50.in-addr.arpa.            IN      NS

;; Query time: 58 msec
;; SERVER: 66.133.170.3#53(66.133.170.3)
;; WHEN: Tue Mar 29 23:30:02 2011
;; MSG SIZE  rcvd: 36

dig @auth.lkv.mn.frontiernet.net 33.50.in-addr.arpa ns +norec

; <<>> DiG 9.7.1-P2 <<>> @auth.lkv.mn.frontiernet.net 33.50.in-addr.arpa ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5181
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;33.50.in-addr.arpa.            IN      NS

;; Query time: 41 msec
;; SERVER: 66.133.150.11#53(66.133.150.11)
;; WHEN: Tue Mar 29 23:31:14 2011
;; MSG SIZE  rcvd: 36

Both fail to do so. So - it would seem to me that at least somehow, in some sense, the delegation is broken.

However, if queried further for a /24 within that /16, both servers now work properly, and further delegate to other servers [and themselves]:

dig @auth.lkv.mn.frontiernet.net 151.33.50.in-addr.arpa ns +norec

; <<>> DiG 9.7.1-P2 <<>> @auth.lkv.mn.frontiernet.net 151.33.50.in-addr.arpa ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62298
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;151.33.50.in-addr.arpa.        IN      NS

;; ANSWER SECTION:
151.33.50.in-addr.arpa. 86400   IN      NS      auth.dlls.pa.frontiernet.net.
151.33.50.in-addr.arpa. 86400   IN      NS      auth.lkvl.mn.frontiernet.net.
151.33.50.in-addr.arpa. 86400   IN      NS      auth.roch.ny.frontiernet.net.

;; ADDITIONAL SECTION:
auth.dlls.pa.frontiernet.net. 86400 IN  A       199.224.64.201
auth.lkvl.mn.frontiernet.net. 86400 IN  A       66.133.150.11
auth.roch.ny.frontiernet.net. 86400 IN  A       66.133.170.3

;; Query time: 42 msec
;; SERVER: 66.133.150.11#53(66.133.150.11)
;; WHEN: Tue Mar 29 23:32:32 2011
;; MSG SIZE  rcvd: 184

Those servers all properly answer queries for that /24:

dig @auth.dlls.pa.frontiernet.net 1.151.33.50.in-addr.arpa ptr +norec

; <<>> DiG 9.7.1-P2 <<>> @auth.dlls.pa.frontiernet.net 1.151.33.50.in-addr.arpa ptr +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53648
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.151.33.50.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
1.151.33.50.in-addr.arpa. 86400 IN      PTR     static-50-33-151-1.mskg.mi.frontiernet.net.

;; Query time: 76 msec
;; SERVER: 199.224.64.201#53(199.224.64.201)
;; WHEN: Tue Mar 29 23:33:42 2011
;; MSG SIZE  rcvd: 98

But, interestingly, so do their parents [auth01.roc.ny.frontiernet.net and auth.lkv.mn.frontiernet.net]:

dig @auth01.roc.ny.frontiernet.net 1.151.33.50.in-addr.arpa ptr +norec

; <<>> DiG 9.7.1-P2 <<>> @auth01.roc.ny.frontiernet.net 1.151.33.50.in-addr.arpa ptr +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21100
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.151.33.50.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
1.151.33.50.in-addr.arpa.
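The check the post performs by hand (query the parent for the zone's NS set, then ask each listed child server the same question and expect the same set in its answer section with the aa flag) can be scripted over dig output. The Python below is an added example, not from the post; it parses dig transcripts like the ones above and classifies the delegation as consistent, lame or mismatched. The sample transcripts are constructed with example.net names in place of the real servers.

```python
import re

# Constructed dig transcripts modelled on those above (names are examples).
PARENT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49118
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;33.50.in-addr.arpa.            IN      NS

;; AUTHORITY SECTION:
33.50.in-addr.arpa.     86400   IN      NS      auth1.example.net.
33.50.in-addr.arpa.     86400   IN      NS      auth2.example.net.
"""
CHILD_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59545
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;33.50.in-addr.arpa.            IN      NS
"""
CHILD_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62298
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;33.50.in-addr.arpa.            IN      NS

;; ANSWER SECTION:
33.50.in-addr.arpa.     86400   IN      NS      auth2.example.net.
33.50.in-addr.arpa.     86400   IN      NS      auth1.example.net.
"""


def parse_dig(text):
    """Pull the status, header flags and per-section NS names out of dig output.
    A transcript with no header at all (timeout) is reported as NOANSWER."""
    m = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    result = {"status": m.group(1) if m else "NOANSWER",
              "flags": set(flags.group(1).split()) if flags else set(),
              "ANSWER": set(), "AUTHORITY": set()}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-9]                    # ANSWER, AUTHORITY, ...
        elif line and not line.startswith(";") and section in result:
            parts = line.split()                    # owner ttl class type rdata
            if len(parts) >= 5 and parts[3] == "NS":
                result[section].add(parts[4].lower().rstrip("."))
    return result


def check_delegation(parent_text, child_text):
    """Compare the parent's referral (its AUTHORITY section) with what one of
    the delegated servers says about the zone's own NS set."""
    parent, child = parse_dig(parent_text), parse_dig(child_text)
    expected = parent["AUTHORITY"] | parent["ANSWER"]
    if child["status"] != "NOERROR":
        return f"lame: child answered {child['status']}"
    if "aa" not in child["flags"] or not child["ANSWER"]:
        return "lame: child is not authoritative for the zone"
    if child["ANSWER"] == expected:
        return "consistent"
    parent_only = sorted(expected - child["ANSWER"])
    child_only = sorted(child["ANSWER"] - expected)
    return f"mismatch: parent-only={parent_only} child-only={child_only}"
```

Run against the transcripts in the post, the two SERVFAIL answers for 33.50.in-addr.arpa would both classify as lame even though the same servers answer correctly for the /24 beneath it.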