Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread G.W. Haywood

Hi there,

On Wed, 14 Nov 2012, Phil Mayers wrote:

On 14/11/12 15:39, Kevin Darcy wrote:

 I stopped reading as soon as I saw the requirement to add a NetBIOS
 name, being overpowered by the stench of obsolescence. Does anyone

As per our recent thread, there's loads of (recent, modern) stuff that 
still uses NetBIOS. Sadly.


 actually run 2000 or 2003 versions of Microsoft products any more?

Yes.

 Does Microsoft even support those versions?

No. ...


That's incorrect.

Windows 2003 server products are in the 'Extended Support' phase which
runs until July 2015

http://support.microsoft.com/lifecycle/default.aspx?LN=en-gb&x=22&y=15&c2=1163

Until then security fixes are provided free, and hotfix support is
available if the customer pre-purchased an extended hotfix agreement.

It will no doubt be my misfortune to provide support long after that...

--

73,
Ged.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Carsten Strotmann
Phil Mayers p.may...@imperial.ac.uk writes:

 On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:
 I'm a bit confused by a user request. I think he is trying to keep some
 hosts on the private side of DNS, but he wants to use a DNS name like
 host.sub.local. I do not know of the use of the .local TLD except in
 Bonjour. Can anyone shed some light on the use of the .local TLD?

 Pick a private sub-domain of a *real* domain that *you* own e.g. if
 you are example.com, pick:

 sub.private.example.com

From my experience I recommend the solution Phil is describing. While
using a private top level domain is technically possible, I have seen too
many DNS admins that do not understand the implications and end up with
a system that is a burden for the local network and as well a burden for
the root-server system in the Internet.

Look at the DSC graphs of l.root-servers.net for invalid TLDs requested
http://dns.icann.org/cgi-bin/dsc-grapher.pl?window=86400&node=ams01&plot=qtype_vs_invalid_tld&server=L-root-Europe

.local is the 4th most queried domain name (after localhost, com and
net), but it should not exist at all in the Internet (or queries should
not reach the root server system). You see corp, intern and intra
as well in the top 20 list.

Failing to operate a private TLD correctly is causing internal data
leaking to the Internet, which could be a security risk but in all cases
is a burden on the root server system.

A private subdomain of a delegated DNS domain owned by the company
(organization, individual) is much safer, and simpler to set up, and
serves the same purpose. 

-- Carsten


Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Sten Carlsen

On 15/11/12 15:39, Carsten Strotmann wrote:
 Phil Mayers p.may...@imperial.ac.uk writes:

 On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:
 I'm a bit confused by a user request. I think he is trying to keep some
 hosts on the private side of DNS, but he wants to use a DNS name like
 host.sub.local. I do not know of the use of the .local TLD except in
 Bonjour. Can anyone shed some light on the use of the .local TLD?
 Pick a private sub-domain of a *real* domain that *you* own e.g. if
 you are example.com, pick:

 sub.private.example.com
 From my experience I recommend the solution Phil is describing. While
 using a private top level domain is technically possible, I have seen too
 many DNS admins that do not understand the implications and end up with
 a system that is a burden for the local network and as well a burden for
 the root-server system in the Internet.


 A private subdomain of a delegated DNS domain owned by the company
 (organization, individual) is much safer, and simpler to set up, and
 serves the same purpose. 
I will certainly agree. My story about changing .local to .home to make
things work again has a continuation: I eventually use the same
domain inside the NAT and outside, with a split DNS. It gives a bit more
work for DNS administration but makes life very easy for clients; they
see no difference because the names are the same but resolve to
different IPs. I believe the load on the roots is not influenced by this.

If having different internal and external domains gives problems, this is
a possibility; if the purpose is to isolate internal vs. external hosts,
use different subdomains.

Just my 0.02$

 -- Carsten

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   MALE BOVINE MANURE!!!


Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Novosielski, Ryan

On 11/15/2012 09:40 AM, Carsten Strotmann wrote:

 '.local is the 4th most queried domain name (after localhost, com
 and net), but it should not exist at all in the Internet (or
 queries should not reach the root server system). You see corp,
 intern and intra as well in the top 20 list.
 
 Failing to operate a private TLD correctly is causing internal
 data leaking to the Internet, which could be a security risk but in
 all cases is a burden on the root server system.

Not that I think that I'm doing this (and as I'd said, the only place
I use this is at home on a NAT'd network where there is no public DNS
at all), but what are some common ways to let this happen if you
happen to know?

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark



Bind 9.9.2 ADB Question Update

2012-11-15 Thread Manson, John
The adb grow-names process? does not appear to be related to recursive cache as 
I cleared cache while monitoring syslog and the counter kept increasing.
However a reload did start the adb grow-names process anew.
Both shown below

.
.
.
Nov 14 15:25:40 local@mercury named[2920]: [ID 873579 daemon.notice] all zones loaded
Nov 14 15:25:40 local@mercury named[2920]: [ID 873579 daemon.notice] running
Nov 14 15:27:15 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names to 1531 starting
Nov 14 15:27:15 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names finished
Nov 14 15:28:40 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names to 2039 starting
Nov 14 15:28:40 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names finished
Nov 14 15:30:27 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names to 3067 starting
Nov 14 15:30:27 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names finished
Nov 14 15:32:38 local@mercury named[2920]: [ID 873579 daemon.info] received control channel command 'flush'
Nov 14 15:32:38 local@mercury named[2920]: [ID 873579 daemon.info] flushing caches in all views succeeded
Nov 14 15:40:43 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names to 4093 starting
Nov 14 15:40:43 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names finished
Nov 14 15:46:41 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names to 6143 starting
Nov 14 15:46:41 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names finished
Nov 14 16:01:11 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names to 8191 starting
Nov 14 16:01:12 local@mercury named[2920]: [ID 873579 daemon.info] adb: grow_names finished


John Manson
CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, 
DC 20515
Desk: 202-226-4244 | TCC: 202-226-6430 | john.man...@mail.house.gov





Re: Bind 9.9.2 ADB Question Update

2012-11-15 Thread Cathy Almond
On 15/11/12 15:49, Manson, John wrote:
 The adb grow-names process? does not appear to be related to recursive cache 
 as I cleared cache while monitoring syslog and the counter kept increasing.
 However a reload did start the adb grow-names process anew.
 Both shown below

Hope this helps:

https://kb.isc.org/article/AA-00548/30/Why-is-BIND-logging-adb%3A-grow_entries-to-and-adb%3A-grow_names-to-.html

(And we've not had any reports of any performance problems during the
resizing).



Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread btb

On 2012.11.15 10.14, Novosielski, Ryan wrote:

Failing to operate a private TLD correctly is causing internal
data leaking to the Internet, which could be a security risk but in
all cases is a burden on the root server system.


Not that I think that I'm doing this (and as I'd said, the only place
I use this is at home on a NAT'd network where there is no public DNS
at all), but what are some common ways to let this happen if you
happen to know?


a nat'd network is a prime example of exactly the sort of place this 
kind of thing happens.  what it usually boils down to is non public 
namespace being used [be it invented tlds or rfc1918/5735/etc address 
space] with no nameserver on the local network with those zones 
configured as authoritative.


for example, someone decides it would be fun to have a play domain name 
on their private network, but doesn't set up a nameserver [aside from 
the simple caching nameserver built into their access device [dsl/cable 
modem, router, whatever]].  naturally, hosts on the network are 
constantly doing dns lookups which reference this domain name, and as 
such, the access device tries to resolve said hostname, likely passing 
the query on to some upstream resolver.  regardless of whether a forwarder is 
used or traditional iterative queries are used by the access device, now 
the query ends up getting shopped around in some capacity to various 
nameservers, all on the public internet, to see if it can be resolved.


queries for dns data which will never exist on the public internet 
should never make it beyond the borders of a private network.  running 
an authoritative nameserver with the proper zones loaded [and bind makes 
this even easier with empty zones] is what prevents this from happening. 
 unfortunately, it is exceedingly common, as carsten points out, and in 
some contexts has become bad enough - e.g. rfc1918 arpa space - that 
separate nameservers have been set up to deal with the problem [rfc 6305].


-ben



Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Novosielski, Ryan

On 11/15/2012 11:36 AM, btb wrote:
 On 2012.11.15 10.14, Novosielski, Ryan wrote:
 Failing to operate a private TLD correctly is causing internal 
 data leaking to the Internet, which could be a security risk
 but in all cases is a burden on the root server system.
 
 Not that I think that I'm doing this (and as I'd said, the only
 place I use this is at home on a NAT'd network where there is no
 public DNS at all), but what are some common ways to let this
 happen if you happen to know?
 
 a nat'd network is a prime example of exactly the sort of place
 this kind of thing happens.  what it usually boils down to is non
 public namespace being used [be it invented tlds or
 rfc1918/5735/etc address space] with no nameserver on the local
 network with those zones configured as authoritative.

Great, thanks, sounds like I'm covered then (I have BIND running
authoritative for my zone on the firewall/NAT machine only accepting
queries from my local 1918 addresses) and DHCP providing its address
as the nameserver.

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark



Re: Bind 9.9.2 ADB Question Update

2012-11-15 Thread Cathy Almond
On 15/11/12 16:17, Cathy Almond wrote:
 On 15/11/12 15:49, Manson, John wrote:
 The adb grow-names process? does not appear to be related to recursive cache 
 as I cleared cache while monitoring syslog and the counter kept increasing.
 However a reload did start the adb grow-names process anew.
 Both shown below
 
 Hope this helps:
 
 https://kb.isc.org/article/AA-00548/30/Why-is-BIND-logging-adb%3A-grow_entries-to-and-adb%3A-grow_names-to-.html

KB article updated to note that when cache (including ADB) is flushed
via rndc flush, the hash tables are not made smaller again.  (There is
no reason to expect that the cache will not need the larger sizes again
if it needed them before).

So in John's example above, the cache grew for ~7 minutes before it was
flushed.  It started repopulating again after the flush, and ~8 minutes
later had reached and exceeded its earlier levels, and the hash tables
were once again increased.

Cathy


Change in statistics format

2012-11-15 Thread John Miller

Hello everyone,

When did BIND 9 switch over from the older

+++ Statistics Dump +++ (timestamp)
success #
referral #
nxrrset #
nxdomain #
recursion #
failure #
--- Statistics Dump --- (timestamp)

to the newer

+++ Statistics Dump +++ (timestamp)
++ Incoming Requests ++
   x QUERY
++ Incoming Queries ++
   x A
   x NS
   x PTR
   x 
   x SRV
++ Outgoing Queries ++
[View: default]
   x A
   x NS
   x PTR
   x 
   x SRV
[View: _bind]
++ Name Server Statistics ++
   x IPv4 requests received
   x responses sent
   x queries resulted in successful answer
   x queries resulted in non authoritative answer
   x queries resulted in nxrrset
   x queries resulted in NXDOMAIN
   x queries caused recursion
   x duplicate queries received
... etc.?

Is this a tunable parameter?  I didn't think so, but always helps to ask 
before assuming.


I'm getting ready to file a bug for our monitoring software (Hyperic 
HQ), because it only reads the older format, and wanted to be sure I had 
my ducks in a row.


--
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu


Re: Change in statistics format

2012-11-15 Thread John Miller
Thanks, Phil.  Those were my thoughts as well.  For the present, I'll 
write my own monitoring plugin to parse the XML data.


John

On 11/15/2012 11:47 AM, Phil Mayers wrote:

On 15/11/12 16:44, John Miller wrote:

Hello everyone,

When did BIND 9 switch over from the older



I think that was *years* ago?


I'm getting ready to file a bug for our monitoring software (Hyperic
HQ), because it only reads the older format, and wanted to be sure I had
my ducks in a row.


You might want to ask them to parse the XML statistics channel, rather
than the human-readable stuff. It's obviously machine-readable, and
contains a *lot* more granular stuff.



Re: Change in statistics format

2012-11-15 Thread John Miller

Thanks, Carsten,

I've opened bug #4619 and indeed asked Hyperic to parse the XML output. 
 I agree, it's much nicer than trying to parse the rndc.stats file!


If anyone here has already written a BIND plugin for Hyperic, let me 
know--I'd love to have a copy and see if it'll work for us.


John


On 11/15/2012 11:58 AM, Carsten Strotmann wrote:


Hello John,

John Miller johnm...@brandeis.edu writes:


Hello everyone,

When did BIND 9 switch over from the older

+++ Statistics Dump +++ (timestamp)
success #
referral #
nxrrset #
nxdomain #
recursion #
failure #
--- Statistics Dump --- (timestamp)

to the newer

+++ Statistics Dump +++ (timestamp)
++ Incoming Requests ++
x QUERY
++ Incoming Queries ++


[...]



I'm getting ready to file a bug for our monitoring software (Hyperic
HQ), because it only reads the older format, and wanted to be sure I
had my ducks in a row.


I'm not sure in which version this change of the output happened, but if
you write a bug report for the monitoring system, you might want to ask
the vendor/developer to also implement an option to parse the BIND
statistics channel output data.

The statistics channel delivers well formed XML, which (in my view) is
much easier to parse compared to the text output produced by rndc
stats. With proper XML parsing, it should also guard against issues in
case the statistics data is expanded in the future.

And as a bonus, there is much more interesting data in the statistics
channel XML.

-- Carsten




Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread btb

On 2012.11.15 11.39, Novosielski, Ryan wrote:

Great, thanks, sounds like I'm covered then (I have BIND running
authoritative for my zone on the firewall/NAT machine only accepting
queries from my local 1918 addresses) and DHCP providing its address
as the nameserver.


be sure that bind is also authoritative for your 1918 arpa space as well 
[and you might as well just make it authoritative for all previously 
mentioned address space].  accepting queries from only your private 
network is good, but that alone will not prevent leakage [and leakage is 
never good, dns or otherwise :) ]


-ben
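The two points ben makes above (a NAT'd network leaks queries for invented TLDs and for RFC 1918 reverse space unless a local nameserver is authoritative for them; being authoritative for your forward zone alone is not enough) as an added example, not code from this thread or from ISC. It generates the named.conf empty-zone stanzas for the private namespace, which makes explicit what BIND's built-in empty zones do for the reverse ranges and extends it to invented TLDs, and it includes a check that flags private names in a query log so an upstream resolver operator can see what is leaking; the TLD list, the network list, the file name "empty.db" and the sample log lines are assumptions constructed here.

```python
"""Make a resolver authoritative for private namespace so queries never leak.

Added example, not code from the bind-users thread or from ISC. It follows
ben's advice: load empty zones for every invented TLD and for the RFC 1918
reverse (in-addr.arpa) space on the local nameserver, so that lookups for
names that cannot exist on the public Internet are answered locally with
NXDOMAIN instead of being forwarded upstream or to the root servers.
The TLD list, network list and the file name "empty.db" are assumptions.
"""
import ipaddress
import re

# Invented TLDs seen in the thread (and in the L-root invalid-TLD graphs).
PRIVATE_TLDS = ["local", "home", "corp", "intern", "intra"]

# RFC 1918 private ranges plus the RFC 5735 link-local range.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]

# Minimal zone file served for every private zone: an SOA and an NS pointing at
# localhost and no other data, so any name under the zone returns NXDOMAIN.
EMPTY_ZONE_FILE = """\
$TTL 3600
@  IN  SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
@  IN  NS   localhost.
"""


def reverse_zones(cidr):
    """Return the octet-aligned in-addr.arpa zone names that cover `cidr`.

    Reverse delegation happens per octet, so 172.16.0.0/12 is not one zone:
    it is the sixteen /16 networks 172.16 .. 172.31, each its own zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 in-addr.arpa zones are generated here")
    aligned = ((net.prefixlen + 7) // 8) * 8   # round up to 8, 16 or 24
    if aligned == 0 or aligned > 24:
        raise ValueError(f"{cidr}: prefix must be between /1 and /24")
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def zone_stanza(name, zone_file="empty.db"):
    """Render one named.conf zone statement serving the empty zone file."""
    return f'zone "{name}" {{ type master; file "{zone_file}"; }};'


def named_conf_fragment(tlds=PRIVATE_TLDS, nets=PRIVATE_NETS):
    """named.conf fragment making this server authoritative for all of it."""
    out = ["// Locally authoritative empty zones: answered here, never forwarded."]
    out += [zone_stanza(tld) for tld in tlds]
    for cidr in nets:
        out += [zone_stanza(rz) for rz in reverse_zones(cidr)]
    return "\n".join(out) + "\n"


def is_private_name(qname, tlds=PRIVATE_TLDS, nets=PRIVATE_NETS):
    """True when `qname` lies inside the private namespace defined above."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-1] in tlds:
        return True
    for cidr in nets:
        for rz in reverse_zones(cidr):
            suffix = rz.split(".")
            if labels[-len(suffix):] == suffix:
                return True
    return False


# Matches the name and type in a BIND query-log line such as
# "client 10.1.2.3#5353: query: host.sub.local IN A + (10.0.0.1)"
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")


def leaked_names(query_log_lines):
    """Names in a resolver's query log that should never have reached it.

    Run this over the query log of an *upstream* resolver (the ISP's, or the
    forwarder the access device talks to) to see what a NAT'd network leaks.
    """
    leaked = []
    for line in query_log_lines:
        m = QUERY_RE.search(line)
        if m and is_private_name(m.group(1)):
            leaked.append(m.group(1))
    return leaked


# Constructed sample log lines, not taken from the thread.
SAMPLE_LOG = [
    "client 203.0.113.5#40123: query: printer.sub.local IN A +",
    "client 203.0.113.5#40124: query: www.example.com IN A +",
    "client 203.0.113.5#40125: query: 7.0.168.192.in-addr.arpa IN PTR +",
    "client 203.0.113.5#40126: query: fileserver.corp IN AAAA +",
]

if __name__ == "__main__":
    print(named_conf_fragment())
    print("would-be leaks:", leaked_names(SAMPLE_LOG))
```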


Re: Change in statistics format

2012-11-15 Thread Jan-Piet Mens
 Thanks, Phil.  Those were my thoughts as well.  For the present,
 I'll write my own monitoring plugin to parse the XML data.

If you need some inspiration, I wrote a bit of C code [1] which does
that rather effectively. It doesn't do what you want, but it may get you
started. ;-)

-JP


[1] 
http://jpmens.net/2010/10/21/using-binds-statistics-server-to-list-zones-and-axfr-the-list/


Re: Change in statistics format

2012-11-15 Thread Evan Hunt
On Thu, Nov 15, 2012 at 11:44:12AM -0500, John Miller wrote:
 Hello everyone,
 
 When did BIND 9 switch over from the older

The new stats counters were added in 9.5.0.  They're in all currently-
supported releases; the old format is fully deprecated now.

Incidentally, that release also introduced an http statistics channel
and XML stats reporting, which might be of interest to your monitoring
software.  (Note, though, in 9.9.3 we're going to introduce a newer
better XML schema for statistics as a compile-time option, and it'll
be standard in 9.10, so if they wanted to write code to parse our XML,
they might want to know there'll be a few different schema versions in
the field soon.)

 Is this a tunable parameter?

No.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
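Carsten's suggestion to parse the statistics channel XML rather than the rndc stats text, together with Evan's warning that several schema versions will be in the field, as an added example that is not code from this thread, from Hyperic or from ISC. The two sample documents are constructed here and modelled on the shape of the version 2 (one nsstat element per counter) and version 3 (counters grouped by type) layouts; the real documents carry far more sections, and the parser keys on the schema version so a monitoring plugin refuses an unknown layout instead of charting zeros.

```python
"""Parse BIND statistics-channel XML across two schema generations.

Added example, not code from the bind-users thread, from Hyperic or from
ISC. SAMPLE_V2 and SAMPLE_V3 are constructed documents modelled on the
version 2 and version 3 statistics schema layouts and are an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed v2-style sample (the <isc><bind><statistics> wrapper).
SAMPLE_V2 = """<?xml version="1.0" encoding="UTF-8"?>
<isc version="1.0"><bind><statistics version="2.2">
  <server>
    <nsstat><name>Requestv4</name><counter>1200</counter></nsstat>
    <nsstat><name>QrySuccess</name><counter>900</counter></nsstat>
    <nsstat><name>QryNXDOMAIN</name><counter>150</counter></nsstat>
    <nsstat><name>QryRecursion</name><counter>300</counter></nsstat>
  </server>
</statistics></bind></isc>
"""

# Constructed v3-style sample (<statistics> is the document root).
SAMPLE_V3 = """<?xml version="1.0" encoding="UTF-8"?>
<statistics version="3.3">
  <server>
    <counters type="nsstat">
      <counter name="Requestv4">1200</counter>
      <counter name="QrySuccess">900</counter>
      <counter name="QryNXDOMAIN">150</counter>
      <counter name="QryRecursion">300</counter>
    </counters>
  </server>
</statistics>
"""


def _to_count(text, where):
    """Counters are non-negative integers; anything else is a parse error."""
    try:
        value = int(text)
    except (TypeError, ValueError):
        raise ValueError(f"{where}: counter is not an integer: {text!r}")
    if value < 0:
        raise ValueError(f"{where}: negative counter {value}")
    return value


def parse_nsstats(xml_text):
    """Return {'schema': version, 'counters': {name: int}} for the name
    server statistics, whichever of the two schema layouts is present."""
    root = ET.fromstring(xml_text)
    stats = root if root.tag == "statistics" else root.find(".//statistics")
    if stats is None:
        raise ValueError("no <statistics> element: not a BIND statistics document")
    version = stats.get("version", "")
    try:
        major = int(version.split(".")[0])
    except ValueError:
        raise ValueError(f"missing or malformed schema version {version!r}")
    counters = {}
    if major == 3:
        for c in stats.iterfind("./server/counters[@type='nsstat']/counter"):
            counters[c.get("name")] = _to_count(c.text, c.get("name"))
    elif major == 2:
        for ns in stats.iterfind("./server/nsstat"):
            name = ns.findtext("name")
            counters[name] = _to_count(ns.findtext("counter"), name)
    else:
        # Several schema versions will be in the field: fail loudly instead
        # of reporting zeros for a layout this parser does not know.
        raise ValueError(f"unsupported statistics schema version {version!r}")
    if not counters:
        raise ValueError(f"schema {version}: no nsstat counters found")
    return {"schema": version, "counters": counters}


def recursion_ratio(counters):
    """Share of received IPv4 requests that needed recursion (0.0 if none)."""
    total = counters.get("Requestv4", 0)
    return counters.get("QryRecursion", 0) / total if total else 0.0


if __name__ == "__main__":
    for doc in (SAMPLE_V2, SAMPLE_V3):
        parsed = parse_nsstats(doc)
        print(parsed["schema"], parsed["counters"],
              f"recursion={recursion_ratio(parsed['counters']):.2f}")
```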


Re: Change in statistics format

2012-11-15 Thread John Miller
Thanks, Evan.  That's exactly what I wanted to know.  I'm already 
running the statistics server, so I'd certainly prefer to leverage that 
rather than rely on a bunch of regexes to parse the statistics file.


I'll let the folks at Hyperic know about the upcoming schema changes.

John

On 11/15/2012 12:22 PM, Evan Hunt wrote:

On Thu, Nov 15, 2012 at 11:44:12AM -0500, John Miller wrote:

Hello everyone,

When did BIND 9 switch over from the older


The new stats counters were added in 9.5.0.  They're in all currently-
supported releases; the old format is fully deprecated now.

Incidentally, that release also introduced an http statistics channel
and XML stats reporting, which might be of interest to your monitoring
software.  (Note, though, in 9.9.3 we're going to introduce a newer
better XML schema for statistics as a compile-time option, and it'll
be standard in 9.10, so if they wanted to write code to parse our XML,
they might want to know there'll be a few different schema versions in
the field soon.)


Is this a tunable parameter?


No.




Forcing DNSSEC queries

2012-11-15 Thread russell aspinwall

Hi,

I have been using Bind for a while and last night upgraded to Bind 9.9.2 on 
my OpenIndiana 151a7. I would like to be able to control my DNS queries 
on Unix/Linux hosts, so that by default the client queries would only 
be DNSSEC authenticated/validated. However, as DNSSEC is not completely 
deployed I would need to have some control over the DNSSEC query 
operation. From my research the libresolv library used is taken from a 
library created by ISC.


Could libresolv be modified so that it would permit the following 
directives in /etc/resolv.conf?

dnssec enable   - perform only DNSSEC queries (default mode of operation if no directive supplied)

dnssec disable  - disable DNSSEC queries

dnssec warn     - warn about DNSSEC queries which are not authenticated

dnssec ignore   - ignore DNSSEC queries which are not authenticated

dnssec trust zone | zone1  zoneN - trust non DNSSEC signed (non public) internal zones only




--
Russell Aspinwall   russell.aspinwall at bcs.org.uk

Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people
Former First Lady Eleanor Roosevelt (1884-1962)



Re: DNS Zone File Entries Limit

2012-11-15 Thread Mark Andrews

In message 50a580c1.9080...@blacklistthisdomain.com, Silas Cutler writes:
 Good Evening,
 
 I've been doing some DNS RPZ experiments and during my testing I found
 that if a DNS Zone on an Authoritative DNS Server has more than 100k
 elements, it will not replicate to a slave DNS Server. 
 
 Do you know if this is a known issue or a PEBKAC related problem?

Given named hosts zones with 10's, if not 100's, of millions of
records it isn't record count.  There are no fixed limits, just
what the machine's memory can support.

 Cheers,
 Silas Cutler
 Security Researcher
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNS Zone File Entries Limit

2012-11-15 Thread Silas Cutler
Well, the authoritative server can handle the zone file size.  However,
when the slave makes the request for the zone, I get:

 refresh: unexpected rcode (REFUSED)

On 11/15/12 6:59 PM, Mark Andrews wrote:
 In message 50a580c1.9080...@blacklistthisdomain.com, Silas Cutler writes:
 Good Evening,

 I've been doing some DNS RPZ experiments and during my testing I found
 that if a DNS Zone on an Authoritative DNS Server has more than 100k
 elements, it will not replicate to a slave DNS Server. 

 Do you know if this is a known issue or a PEBKAC related problem?
 Given named hosts zones with 10's, if not 100's, of millions of
 records it isn't record count.  There are no fixed limits, just
 what the machine's memory can support.

 Cheers,
 Silas Cutler
 Security Researcher



Re: DNS Zone File Entries Limit

2012-11-15 Thread Silas Cutler
No ACLs in place.

[SLAVE]
Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: refresh:
unexpected rcode (REFUSED) from master MASTER#53 (source 0.0.0.0#0)
Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: Transfer started.
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
MASTER#53: connected using SLAVE#39164
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
MASTER#53: failed while receiving responses: NOTAUTH
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
MASTER#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.070
secs (0 bytes/sec)

[MASTER]
Nov 16 00:12:51 [Redacted] named[32736]: client SLAVE#39164: bad zone
transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)
Nov 16 00:13:40 [Redacted] named[32736]: client SLAVE#59205: bad zone
transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)


On 11/15/12 7:08 PM, Mark Andrews wrote:
 In message 50a582d2.30...@blacklistthisdomain.com, Silas Cutler writes:
 Well, the authoritative server can handle the zone file size.  However,
 when the slave makes the request for the zone, I get:

  refresh: unexpected rcode (REFUSED)
 The slave is making a SOA query to the master and is getting refused as
 a response.  I would be checking your acls.  Look at the logs on the
 master.

 On 11/15/12 6:59 PM, Mark Andrews wrote:
 In message 50a580c1.9080...@blacklistthisdomain.com, Silas Cutler writes:
 Good Evening,

 I've been doing some DNS RPZ experiments and during my testing I found
 that if a DNS Zone on an Authoritative DNS Server has more than 100k
 elements, it will not replicate to a slave DNS Server. 

 Do you know if this is a known issue or a PEBKAC related problem?
 Given named hosts zones with 10's, if not 100's, of millions of
 records it isn't record count.  There are no fixed limits, just
 what the machine's memory can support.

 Cheers,
 Silas Cutler
 Security Researcher



Re: DNS Zone File Entries Limit

2012-11-15 Thread Mark Andrews

In message 50a58610.8000...@blacklistthisdomain.com, Silas Cutler writes:
 No ACLs in place.
 
 [SLAVE]
 Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: refresh:
 unexpected rcode (REFUSED) from master MASTER#53 (source 0.0.0.0#0)
 Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: Transfer started.
 Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
 MASTER#53: connected using SLAVE#39164
 Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
 MASTER#53: failed while receiving responses: NOTAUTH
 Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
 MASTER#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.070
 secs (0 bytes/sec)
 
 [MASTER]
 Nov 16 00:12:51 [Redacted] named[32736]: client SLAVE#39164: bad zone
 transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)
 Nov 16 00:13:40 [Redacted] named[32736]: client SLAVE#59205: bad zone
 transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)

There is no master/slave zone called rpz configured in the master server.

 On 11/15/12 7:08 PM, Mark Andrews wrote:
  In message 50a582d2.30...@blacklistthisdomain.com, Silas Cutler writes:
  Well, the authoritative server can handle the zone file size.  However,
  when the slave makes the request for the zone, I get:
 
   refresh: unexpected rcode (REFUSED)
  The slave is making a SOA query to the master and is getting refused as
  a response.  I would be checking your acls.  Look at the logs on the
  master.
 
  On 11/15/12 6:59 PM, Mark Andrews wrote:
  In message 50a580c1.9080...@blacklistthisdomain.com, Silas Cutler writes:
  Good Evening,
 
  I've been doing some DNS RPZ experiments and during my testing I found
  that if a DNS Zone on an Authoritative DNS Server has more than 100k
  elements, it will not replicate to a slave DNS Server. 
 
  Do you know if this is a known issue or a PEBKAC related problem?
  Given named hosts zones with 10's, if not 100's, of millions of
  records it isn't record count.  There are no fixed limits, just
  what the machine's memory can support.
 
  Cheers,
  Silas Cutler
  Security Researcher
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Change in statistics format

2012-11-15 Thread Evan Hunt
 Looks like I'll have to update it for 9.10 tho, hope they updated the
 schema number.

Yes, we did.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Change in statistics format

2012-11-15 Thread Silas Cutler
It's there

zone "rpz" {
    type master;
    file "/etc/bind/zones/rpz.db";
    allow-query { none; };
    allow-transfer { 10.0.0.1; };
};

On 11/15/12 8:10 PM, Peter Yardley wrote:
 I wrote a script to extract stats from the XML channel. Works for cricket, 
 cacti, MRTG ...

 You can find it here…

 http://members.iinet.net/~pyard...@ihug.com.au/projects/?project=bind9_5_counters

 Looks like I'll have to update it for 9.10 tho, hope they updated the schema 
 number.

 On 16/11/2012, at 6:04 AM, John Miller johnm...@brandeis.edu wrote:

 Thanks, Evan.  That's exactly what I wanted to know.  I'm already 
 running the statistics server, so I'd certainly prefer to leverage that 
 rather than rely on a bunch of regexes to parse the statistics file.

 I'll let the folks at Hyperic know about the upcoming schema changes.

 John

 On 11/15/2012 12:22 PM, Evan Hunt wrote:
 On Thu, Nov 15, 2012 at 11:44:12AM -0500, John Miller wrote:
 Hello everyone,

 When did BIND 9 switch over from the older
 The new stats counters were added in 9.5.0.  They're in all currently-supported
 releases; the old format is fully deprecated now.

 Incidentally, that release also introduced an http statistics channel
 and XML stats reporting, which might be of interest to your monitoring
 software.  (Note, though, in 9.9.3 we're going to introduce a newer
 better XML schema for statistics as a compile-time option, and it'll
 be standard in 9.10, so if they wanted to write code to parse our XML,
 they might want to know there'll be a few different schema versions in
 the field soon.)

 Is this a tunable parameter?
 No.

 ._--_|\   Peter Yardley|
 /  \  Senior Network Administrator | peter.yard...@uts.edu.au
 \_.--._*  Information Technology Division, | Ph:  +61 2 9514-2358
 . v   University of Technology, Sydney.| Fax: +61 2 9514-4327



Re: DNS Zone File Entries Limit

2012-11-15 Thread Mark Andrews

 It's there
 
 zone "rpz" {
     type master;
     file "/etc/bind/zones/rpz.db";
     allow-query { none; };
     allow-transfer { 10.0.0.1; };
 };

I asked:
The slave is making a SOA query to the master and is getting refused as
a response.  I would be checking your acls.  Look at the logs on the
master.

And you answered:
No ACLs in place.

allow-query { none; }; is _not_ No ACLs in place.

Allow-query should be a superset of allow-transfer.

 Nov 16 00:12:51 [Redacted] named[32736]: client SLAVE#39164: bad zone
 transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)
 Nov 16 00:13:40 [Redacted] named[32736]: client SLAVE#59205: bad zone
 transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)

Is still indicative of the server not being configured to serve the zone.
You have the wrong named.conf or have not reloaded the nameserver.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
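Mark's rule that allow-query must be a superset of allow-transfer can be checked mechanically. The following is an added example (not code from the thread or from ISC): it parses the simple stanza shape posted above, using a constructed copy of it, and reports any transfer peer whose SOA refresh query allow-query would refuse; only literal any/none/address entries are handled.

```python
"""Check that a BIND zone's allow-query covers its allow-transfer.

Added example, not code from the thread or from ISC. Handles only the
stanza shape posted in the thread: one-line address-match lists of
'any', 'none' or literal addresses/prefixes (no named ACLs, keys, '!').
"""
import ipaddress
import re

# Constructed copy of the stanza posted in the thread: the slave at
# 10.0.0.1 may transfer, but allow-query { none; } refuses its SOA query.
POSTED_STANZA = """
zone "rpz" {
    type master;
    file "/etc/bind/zones/rpz.db";
    allow-query { none; };
    allow-transfer { 10.0.0.1; };
};
"""
# Corrected form: allow-query is now a superset of allow-transfer.
FIXED_STANZA = POSTED_STANZA.replace("allow-query { none; };",
                                     "allow-query { 10.0.0.1; };")

_OPT = re.compile(r"\b(allow-query|allow-transfer)\s*\{([^}]*)\}\s*;")

def parse_acls(stanza):
    """Return {option: [entries]} for allow-query and allow-transfer."""
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in _OPT.findall(stanza)}

def _admits(acl, net):
    """First-match evaluation: does the list admit every address in net?"""
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":          # matches no hosts, fall through
            continue
        qnet = ipaddress.ip_network(entry, strict=False)
        if qnet.version == net.version and net.subnet_of(qnet):
            return True
    return False                     # implicit deny at the end of the list

def uncovered_transfer_peers(stanza):
    """Transfer peers whose SOA refresh query allow-query would REFUSE."""
    acls = parse_acls(stanza)
    query = acls.get("allow-query", ["any"])    # BIND default is any
    return [p for p in acls.get("allow-transfer", [])
            if p not in ("any", "none")
            and not _admits(query, ipaddress.ip_network(p, strict=False))]
```

A non-empty result means the slave will log "refresh: unexpected rcode (REFUSED)" exactly as in the thread, before any AXFR is attempted.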


Re: Change in statistics format

2012-11-15 Thread Ted Mittelstaedt

Hi Peter,

  Would you consider donating that script to ISC so they can bundle it
with the BIND distribution?

  I have a whole library of scripts like yours which I've collected over
the last 10 years.  Most of the hosts that are linked to as where these
scripts are located are long gone and the authors long since disappeared.

  It is very frustrating when I'm looking for a script to do something 
on Google to come up with links to these old dead hosts.


 Your post here is going to be archived in Google's bowels
for at least the next decade.

  if you maintain your host - great - kids who don't even have their
driver's licenses today will be able to get the current version when they
are system admins someday in the future.

  But, if something happens to you - slip in the shower, fall down the
stairs, hit by a bus - I guarantee that your heirs are not going to be
interested in maintaining it.

Ted


On 11/15/2012 5:10 PM, Peter Yardley wrote:

I wrote a script to extract stats from the XML channel. Works for cricket, 
cacti, MRTG ...

You can find it here…

http://members.iinet.net/~pyard...@ihug.com.au/projects/?project=bind9_5_counters

Looks like I'll have to update it for 9.10 tho, hope they updated the schema 
number.

On 16/11/2012, at 6:04 AM, John Miller johnm...@brandeis.edu wrote:


Thanks, Evan.  That's exactly what I wanted to know.  I'm already
running the statistics server, so I'd certainly prefer to leverage that
rather than rely on a bunch of regexes to parse the statistics file.

I'll let the folks at Hyperic know about the upcoming schema changes.

John

On 11/15/2012 12:22 PM, Evan Hunt wrote:

On Thu, Nov 15, 2012 at 11:44:12AM -0500, John Miller wrote:

Hello everyone,

When did BIND 9 switch over from the older


The new stats counters were added in 9.5.0.  They're in all currently-supported
releases; the old format is fully deprecated now.

Incidentally, that release also introduced an http statistics channel
and XML stats reporting, which might be of interest to your monitoring
software.  (Note, though, in 9.9.3 we're going to introduce a newer
better XML schema for statistics as a compile-time option, and it'll
be standard in 9.10, so if they wanted to write code to parse our XML,
they might want to know there'll be a few different schema versions in
the field soon.)


Is this a tunable parameter?


No.




._--_|\   Peter Yardley|
/  \  Senior Network Administrator | peter.yard...@uts.edu.au
\_.--._*  Information Technology Division, | Ph:  +61 2 9514-2358
. v   University of Technology, Sydney.| Fax: +61 2 9514-4327