Re: Moving DNS out of non-cooperative provider
On 19/06/12 11:18, Alexander Gurvitz wrote:

> 3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884]
>
> Just to clarify - does this rule apply also while replacing parent NS records with (more credible) child NS records? If yes - child TTL larger than 48 hours (i.e. for .COM) is always disregarded. If not - ghost domains issue is not solved.
>
> (I'm sorry for being annoying.)

No - you're not!

In answer to your first question:

> TTL of the old NS RRset here means the current remaining TTL, or the original TTL value as received with the authoritative answer?

This means the current remaining TTL - otherwise it's not going to achieve the desired result.

And yes - it does also apply when replacing parent NS records with child NS records - with the limitation that you already observed, that a child TTL that is larger than the TTL in the parent is going to be disregarded.

Also - in your example above, if the child NS records have a smaller TTL than the currently 'counting down' cached and larger TTL from the parent zone, then we'll use the smaller TTL of the child zone records thereafter too - although I think this is more intuitive/obvious.

Cathy
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
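The rule discussed in this message, as an added illustration (not BIND's code and not part of the original post): a toy resolver cache in which a replacement NS RRset never gets a TTL longer than what remains on the RRset it replaces. The zone name, the 7-day child TTL and the daily refresh interval are constructed values; 48 hours is the parent TTL mentioned above.

```python
class NSCache:
    """Minimal NS-RRset cache; times are seconds on an abstract clock."""

    def __init__(self, cap_ttl):
        self.cap_ttl = cap_ttl        # True = apply the cap described above
        self.entries = {}             # zone -> (nameservers, absolute expiry)

    def remaining(self, zone, now):
        entry = self.entries.get(zone)
        return max(0, entry[1] - now) if entry else 0

    def store_ns(self, zone, nameservers, ttl, now):
        """Cache an NS RRset and return the TTL actually applied."""
        left = self.remaining(zone, now)
        if self.cap_ttl and left > 0:
            ttl = min(ttl, left)      # never outlive the RRset being replaced
        self.entries[zone] = (tuple(nameservers), now + ttl)
        return ttl


def delegation_expiry(cap_ttl, parent_ttl, child_ttl, refresh_every, horizon):
    """Absolute time at which the cached delegation finally expires when
    child NS answers keep arriving every `refresh_every` seconds."""
    zone, ns = "example.test", ["ns1.example.test"]   # constructed names
    cache = NSCache(cap_ttl)
    cache.store_ns(zone, ns, parent_ttl, now=0)       # learned from the parent
    now = 0
    while now < horizon:
        now += refresh_every
        if cache.remaining(zone, now) == 0:
            break                  # expired: the resolver must re-ask the parent
        cache.store_ns(zone, ns, child_ttl, now)      # child answer replaces it
    return cache.entries[zone][1]


if __name__ == "__main__":
    day = 86400
    for cap in (True, False):
        expiry = delegation_expiry(cap, 2 * day, 7 * day, day, 30 * day)
        print(f"cap_ttl={cap}: delegation expires at t={expiry / day:.0f} days")
```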
RE: Compiling and testing on Fedora
Turning off SELinux also requires a reboot after changing mode.

From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Shawn Bakhtiar
Sent: Thursday, June 21, 2012 1:19 AM
To: bind-us...@isc.org
Subject: RE: Compiling and testing on Fedora

Did you turn OFF SELinux?

prompt> setenforce 0

Then run the test,

From: dan.lut...@level3.com
To: bind-us...@isc.org
Subject: Compiling and testing on Fedora
Date: Wed, 20 Jun 2012 23:33:08 +

Hi all,

I've had a major problem with using Fedora Core (10 through 15), when compiling and running make test:

A:System test acl
I:Couldn't start server ns2 (pid=17344)
R:FAIL
S:allow_query:Wed Jun 20 23:21:47 GMT 2012
T:allow_query:1:A
A:System test allow_query
I:Couldn't start server ns2 (pid=17368)
R:FAIL
S:addzone:Wed Jun 20 23:22:01 GMT 2012
T:addzone:1:A
A:System test addzone
I:Couldn't start server ns2 (pid=17393)
R:FAIL
S:autosign:Wed Jun 20 23:22:15 GMT 2012
T:autosign:1:A
A:System test autosign
I:generating keys and preparing zones
I:Couldn't start server ns1 (pid=17734)
R:FAIL
S:builtin:Wed Jun 20 23:22:35 GMT 2012
T:builtin:1:A
A:System test builtin
I:Couldn't start server ns1 (pid=17755)
R:FAIL
S:cacheclean:Wed Jun 20 23:22:49 GMT 2012
T:cacheclean:1:A
A:System test cacheclean
I:Couldn't start server ns1 (pid=17776)
R:FAIL

I'm running the bin/tests/system/ifconfig.sh up script, and see the lo:1 through lo:7 interfaces come up. I don't have this problem on any of my Solaris systems, just the Fedora servers. I do have several lo: interfaces already defined, and they cannot be removed.

Has anyone seen such an issue, and if so, how did you fix it?
Dan Luther
Operations Engineer
Systems Operation Engineering
Level 3 Communications
One Technology Center, Tulsa OK 74103
p: 918-547-4370
e: dan.lut...@level3.com
Re: Compiling and testing on Fedora
On 21/06/12 15:21, Lightner, Jeff wrote:

> Turning off SELinux also requires a reboot after changing mode.

setenforce 0 does not require a reboot.
Missing DNSSEC key causes BIND process overload
Running BIND 9.9.0

Upon having some DNSSEC keys run out of activity with no active replacements, we noticed some interesting behavior with the named process...

When a zone signing key enters its Inactive phase, the zone still loads on startup:

19-Jun-2012 09:54:10.176 general: zone_timer: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.176 general: zone_maintenance: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.176 notify: zone badzone.nau.edu/IN: sending notifies (serial 91416)
19-Jun-2012 09:54:10.177 general: zone badzone.nau.edu/IN: Key badzone.nau.edu/RSASHA1/11985 missing or inactive and has no replacement: retaining signatures.
19-Jun-2012 09:54:10.177 general: zone_settimer: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.177 general: zone_settimer: zone badzone.nau.edu/IN: enter

Eventually we'll see failures on updating the zone:

Jun 17 04:06:58 diamond named[19951]: client 134.114.X.X#52804: updating zone 'badzone.nau.edu/IN': found no active private keys, unable to generate any signatures
Jun 17 04:06:58 diamond named[19951]: client 134.114.X.X#52804: updating zone 'badzone.nau.edu/IN': RRSIG/NSEC/NSEC3 update failed: not found

This occurred to a few zones, but then something odd started happening... The named process ramped up to 100%+ of processor. Nothing in the named logs indicated why this was happening... This caused SERVFAIL and other timeouts on all kinds of operations on the machine.

Our initial solution was to make new keys available (keys were actually created, just not put in place), and the zones at issue should recover. The zones at issue ended up requiring a manual re-sign to completely resolve the issue.

Anyone have an explanation of why this would happen (named gobbling up CPU, and also requiring manual resigning of the zones)?

Thanks in advance,

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
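One way to catch the condition described in this post before it happens, as an added example (not from the original post and not ISC code): scan a zone's key files for days on which no key is active. It assumes the `; Activate:` / `; Inactive:` timing comments in YYYYMMDDHHMMSS form that dnssec-keygen writes into K*.key files; the file names and dates below are constructed, and a key with no Activate line is treated as not active.

```python
import re
from datetime import datetime, timedelta

# Constructed key-file headers (timing comments only; key material omitted).
SAMPLE_KEYS = {
    "Kexample.test.+005+11111.key": (
        "; This is a zone-signing key, keyid 11111, for example.test.\n"
        "; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
        "; Inactive: 20120617000000 (Sun Jun 17 00:00:00 2012)\n"
    ),
    "Kexample.test.+005+22222.key": (
        "; This is a zone-signing key, keyid 22222, for example.test.\n"
        "; Activate: 20120701000000 (Sun Jul  1 00:00:00 2012)\n"
    ),
}

TIMING = re.compile(r"^; (Activate|Inactive): (\d{14})", re.M)


def active_window(text):
    """Return (activate, inactive) datetimes; a missing field is None."""
    times = {name: datetime.strptime(stamp, "%Y%m%d%H%M%S")
             for name, stamp in TIMING.findall(text)}
    return times.get("Activate"), times.get("Inactive")


def is_active(window, when):
    activate, inactive = window
    # Assumption of this sketch: no Activate line means "not active".
    if activate is None or when < activate:
        return False
    return inactive is None or when < inactive


def signing_gaps(keys, start, days):
    """ISO dates in [start, start + days) on which no key is active."""
    windows = [active_window(text) for text in keys.values()]
    gaps = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        if not any(is_active(w, day) for w in windows):
            gaps.append(day.date().isoformat())
    return gaps


if __name__ == "__main__":
    gaps = signing_gaps(SAMPLE_KEYS, datetime(2012, 6, 15), 20)
    print(f"{len(gaps)} day(s) with no active key:", gaps[0], "to", gaps[-1])
```

Run it separately over the zone-signing and key-signing keys of each zone, since a gap in either role leaves the zone without a usable signer.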
RE: Compiling and testing on Fedora
On Thu, 21 Jun 2012, Shawn Bakhtiar wrote:

> Did you turn OFF SELinux?

That is not necessary. I ran the tests with selinux enabled:

E:zonechecks:Thu Jun 21 17:23:31 EDT 2012
I:System test result summary:
I: 2 FAIL
I:45 PASS
I: 2 SKIPPED

Looking at the failed test and interesting output

tests.sh: line 130: 31718 Aborted (core dumped) $NSUPDATE -l -p 5300 -k ns1/session.key nsupdate.out 21 END
update add other.nil. 600 in ns ns6.other.nil.
update add ns6.other.nil 600 in a 10.53.0.1
send
END

S:dlz:Thu Jun 21 17:13:57 EDT 2012
T:dlz:1:A
A:System test dlz
I:no response from ns1
R:FAIL

I:ns1 died before a SIGTERM was sent
I:testing that rndc stop updates the master file
I:check that 'nsupdate -l' with a missing keyfile reports the missing file
I:check that changes to the DNSKEY RRset TTL do not have side effects (11)
I:check notify with TSIG worked (12)
I:exit status: 1
R:FAIL

Other than that, the tests ran fine for me? This is on Fedora 17

Paul

> From: dan.lut...@level3.com
> To: bind-us...@isc.org
> Subject: Compiling and testing on Fedora
> Date: Wed, 20 Jun 2012 23:33:08 +
>
> Hi all,
>
> I've had a major problem with using Fedora Core (10 through 15), when compiling and running make test:
>
> A:System test acl
> I:Couldn't start server ns2 (pid=17344)
> R:FAIL
> S:allow_query:Wed Jun 20 23:21:47 GMT 2012
> T:allow_query:1:A
> A:System test allow_query
> I:Couldn't start server ns2 (pid=17368)
> R:FAIL
> S:addzone:Wed Jun 20 23:22:01 GMT 2012
> T:addzone:1:A
> A:System test addzone
> I:Couldn't start server ns2 (pid=17393)
> R:FAIL
> S:autosign:Wed Jun 20 23:22:15 GMT 2012
> T:autosign:1:A
> A:System test autosign
> I:generating keys and preparing zones
> I:Couldn't start server ns1 (pid=17734)
> R:FAIL
> S:builtin:Wed Jun 20 23:22:35 GMT 2012
> T:builtin:1:A
> A:System test builtin
> I:Couldn't start server ns1 (pid=17755)
> R:FAIL
> S:cacheclean:Wed Jun 20 23:22:49 GMT 2012
> T:cacheclean:1:A
> A:System test cacheclean
> I:Couldn't start server ns1 (pid=17776)
> R:FAIL
>
> I'm running the bin/tests/system/ifconfig.sh up script, and see the lo:1 through lo:7 interfaces come up. I don't have this problem on any of my Solaris systems, just the Fedora servers. I do have several lo: interfaces already defined, and they cannot be removed.
>
> Has anyone seen such an issue, and if so, how did you fix it?
>
> Dan Luther
> Operations Engineer
> Systems Operation Engineering
> Level 3 Communications
> One Technology Center, Tulsa OK 74103
> p: 918-547-4370
> e: dan.lut...@level3.com