restart named; missing TCP socket
I have had a few instances recently when named has failed to re-open its TCP listening socket after a restart. This is particularly likely if I try to bounce it quickly with a command line like

    # rndc stop; /etc/rc.d/rc.named start

The servers in question are recursive (apart from a few local zones) with simple ACLs. (I have had the same problem on servers with less simple ACLs too.)

    listen-on-v6 { ::1; };
    listen-on { 127.0.0.1; };
    allow-query{ localhost; };
    allow-transfer { localhost; };

What do others do to avoid this problem?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Just wondering if BIND can do GLB -Global Load Balancing Stuff?
Hi Folks,

Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting lower TTL value? I believe F5 3DNS does the same thing?
RE: restart named; missing TCP socket
Why use rndc to stop then the init script to start? Is there no /etc/rc.d/rc.named restart? On RHEL5 the init script has a restart option so it will stop then start.

If a socket is open then it could take a finite amount of time for it to close, making it unavailable on the restart if you haven't given it time enough to clean up.

If no restart option in init maybe try to add a sleep to your command line:

    rndc stop; sleep 5; /etc/rc.d/rc.named start

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Tony Finch
Sent: Wednesday, December 12, 2012 8:20 AM
To: bind-users@lists.isc.org
Subject: restart named; missing TCP socket

I have had a few instances recently when named has failed to re-open its TCP listening socket after a restart. This is particularly likely if I try to bounce it quickly with a command line like

    # rndc stop; /etc/rc.d/rc.named start

The servers in question are recursive (apart from a few local zones) with simple ACLs. (I have had the same problem on servers with less simple ACLs too.)

    listen-on-v6 { ::1; };
    listen-on { 127.0.0.1; };
    allow-query{ localhost; };
    allow-transfer { localhost; };

What do others do to avoid this problem?

Tony.
Re: restart named; missing TCP socket
Mark Andrews <ma...@isc.org> wrote:

> You need to wait for named to stop
>
>     p=`rndc stop -p | awk '{print $2}'`
>     while kill -0 $p
>     do
>         sleep 1
>     done
>     /etc/rc.d/rc.named start

Thanks.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
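The wait-for-exit loop quoted above, extended with a timeout and a PID sanity check, as an added example that is not part of the original thread. The function names wait_for_exit and restart_named and the 30-second limit are assumptions; the rndc and rc.named invocations are the ones from the messages.

```shell
#!/bin/sh
# Added example (not from the thread): block until a PID has exited, with a
# timeout, before starting named again so the old process has had time to
# release its listening sockets.

# wait_for_exit PID [TIMEOUT_SECONDS]
# Returns 0 once the process is gone, 1 on timeout, 2 on a bad PID argument.
wait_for_exit() {
    pid=$1
    limit=${2:-30}                 # assumed default; tune to your shutdown time
    case $pid in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric: no usable PID
    esac
    waited=0
    # kill -0 sends no signal; it only tests whether the PID still exists.
    # It also fails (EPERM) for a process you may not signal, so run this
    # as root or as the user named runs as.
    while kill -0 "$pid" 2>/dev/null; do
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# restart_named: the stop / wait / start sequence from the thread.
restart_named() {
    # "rndc stop -p" reports named's PID; the thread's awk takes field 2.
    p=$(rndc stop -p | awk '{print $2}')
    wait_for_exit "$p" 30
    rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "named (pid $p) still running after 30s; not starting" >&2
        return 1
    elif [ "$rc" -eq 2 ]; then
        echo "rndc returned no PID; was named running?" >&2
        return 1
    fi
    /etc/rc.d/rc.named start
}
```

Refusing to start while the old process is still alive avoids ending up with a second named that came up without its TCP listener, which is the symptom reported at the top of the thread.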
Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.

I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done.

The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.

On 12/12/12, Manish Rane <manish...@gmail.com> wrote:
> Hi Folks,
>
> Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting lower TTL value? I believe F5 3DNS does the same thing?
Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
I understand BIND by default can not work like GLB but wondering if there are any patches available or any other Open source software community is aware of who can perform such thing.

On Wed, Dec 12, 2012 at 8:45 PM, cindyjohns...@verizon.net wrote:
> BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.
>
> I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done.
>
> The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.
>
> On 12/12/12, Manish Rane <manish...@gmail.com> wrote:
> > Hi Folks,
> >
> > Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting lower TTL value? I believe F5 3DNS does the same thing?
Strange Issue
I have a zone file in a view and there seems to be a single entry in the file that shows an nxdomain when queried. I have confirmed the view is correct and other entries are resolvable. I have also run named-checkconf which shows no errors. There are also no errors in the logs.

Any ideas?

Paula Bailey
Re: Strange Issue
On Wed, 12 Dec 2012, Paula Bailey wrote:

> I have a zone file in a view and there seems to be a single entry in the file that shows an nxdomain when queried. I have confirmed the view is correct and other entries are resolvable. I have also run named-checkconf which shows no errors. There are also no errors in the logs.
>
> Any ideas?

You may want to verify you are querying the correct name server? (and enable extra logging for that)

Also it may be easier for others to point out problems if you show the actual configurations, data, reproducible steps, etc.

Jeremy C. Reed
ISC
validation error
I've got bind 9.8.1-P1 setup as a DNSSEC validating name server.

af.mil uses DNSSEC and various web based external validation tools seem happy with their setup.

I've turned up my logging for DNSSEC validation and in bind for af.mil/DNSKEY only always fails validation. It seems perfectly happy with other records in the domain.

When validation fails the error below is being logged:

    Dec 11 15:29:12 ahostname named[25509]: error (insecurity proof failed) resolving 'af.mil/DNSKEY/IN': 199.252.162.234#53

Would anyone know why this is happening?

Regards,
Rob

-- 
-Happiness is understanding.--
Robert Hardy
C.E.O. Webcon Inc.
Re: validation error
In message <55592.216.191.251.36.1355342351.squir...@secure.webcon.ca>, Robert Hardy writes:

> I've got bind 9.8.1-P1 setup as a DNSSEC validating name server.
>
> af.mil uses DNSSEC and various web based external validation tools seem happy with their setup.
>
> I've turned up my logging for DNSSEC validation and in bind for af.mil/DNSKEY only always fails validation. It seems perfectly happy with other records in the domain.
>
> When validation fails the error below is being logged:
>
>     Dec 11 15:29:12 ahostname named[25509]: error (insecurity proof failed) resolving 'af.mil/DNSKEY/IN': 199.252.162.234#53
>
> Would anyone know why this is happening?

The .mil servers are broken. When you fall back to TCP due to TC=1 in the UDP response you get an empty response.

Mark

    ; DiG 9.10.0pre-alpha af.mil @199.252.154.234 +norec +dnssec dnskey +bufsize=1024 +ignore +tcp
    ;; global options: +cmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 56950
    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1024
    ;; QUESTION SECTION:
    ;af.mil.IN DNSKEY

    ;; Query time: 271 msec
    ;; SERVER: 199.252.154.234#53(199.252.154.234)
    ;; WHEN: Thu Dec 13 07:44:32 EST 2012
    ;; MSG SIZE rcvd: 35

> Regards,
> Rob
>
> -- 
> -Happiness is understanding.--
> Robert Hardy
> C.E.O. Webcon Inc.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
On Dec 12, 2012, at 10:28 AM, Manish Rane <manish...@gmail.com> wrote:

> I understand BIND by default can not work like GLB but wondering if there are any patches available or any other Open source software community is aware of who can perform such thing.

This isn't really something that BIND does well natively, but you can beat it into submission if you care enough. Depending on what your application is it may be cheaper to simply just buy a commercial product for this -- I'm guessing you've already gotten a bunch of replies from folk offering to sell you such a widget…

By using dynamic updates and a small script to do the health check you can fairly easily cobble something together to do this. A long time back I wrote something that talks to Nagios and added A records when servers were up and pulled them out when the server went down. Worked fairly well, but ended up being more trouble than it was worth...

If you also want geo type stuff:
http://geo.bitnames.com/
http://oilq.org/fr/node/2725
http://backreference.org/2010/02/01/geolocation-aware-dns-with-bind/

W

> On Wed, Dec 12, 2012 at 8:45 PM, cindyjohns...@verizon.net wrote:
> > BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.
> >
> > I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done.
> >
> > The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.
> >
> > On 12/12/12, Manish Rane <manish...@gmail.com> wrote:
> > > Hi Folks,
> > >
> > > Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting lower TTL value? I believe F5 3DNS does the same thing?

-- 
The duke had a mind that ticked like a clock and, like a clock, it regularly went cuckoo.
-- (Terry Pratchett, Wyrd Sisters)
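A sketch of the "dynamic updates and a small script to do the health check" approach mentioned in the message above, as an added example that is not the poster's script. The function names, www.example.com., the 192.0.2.x addresses, port 80 and the key path are assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): probe a pool of backends and build an
# nsupdate batch that publishes only the addresses that answered.
# Hypothetical: function names, www.example.com., the 192.0.2.x addresses
# (constructed), port 80 and the key path in the usage lines.

# probe IP PORT: succeeds if a TCP connection opens within 2 seconds.
# Relies on bash's /dev/tcp and coreutils timeout; swap in your own check.
# IP and PORT are passed as arguments, never interpolated into the script.
probe() {
    timeout 2 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# build_update NAME TTL PORT IP...
# Prints an nsupdate batch that replaces NAME's A RRset with the healthy IPs.
# Delete and adds sit before a single "send", so they go out as one UPDATE.
# Returns 1 and prints nothing when no backend passes the probe, so a broken
# monitor (or its network path) cannot empty the RRset.
build_update() {
    name=$1 ttl=$2 port=$3
    shift 3
    healthy=""
    for ip in "$@"; do
        if probe "$ip" "$port"; then
            healthy="$healthy $ip"
        fi
    done
    [ -n "$healthy" ] || return 1
    printf 'update delete %s A\n' "$name"
    for ip in $healthy; do
        printf 'update add %s %s A %s\n' "$name" "$ttl" "$ip"
    done
    printf 'send\n'
}

# Usage (key path is a placeholder):
#   build_update www.example.com. 30 80 192.0.2.10 192.0.2.20 |
#       nsupdate -k /path/to/update.key
```

Signing the update with a TSIG key (nsupdate -k) and restricting the zone's update permission to that key keeps the health checker from becoming a way for other hosts to rewrite the zone.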
RE: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
A long time ago I used a perl script called lbnamed that acted as a DNS server and would monitor hosts and change the returned results based on aliveness and load. See http://www.stanford.edu/~riepel/lbnamed/

Mike Mitchell

From: bind-users-bounces+mike.mitchell=sas@lists.isc.org [bind-users-bounces+mike.mitchell=sas@lists.isc.org] on behalf of Manish Rane [manish...@gmail.com]
Sent: Wednesday, December 12, 2012 10:28 AM
To: cindyjohns...@verizon.net; bind-users@lists.isc.org
Subject: Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?

I understand BIND by default can not work like GLB but wondering if there are any patches available or any other Open source software community is aware of who can perform such thing.

On Wed, Dec 12, 2012 at 8:45 PM, cindyjohns...@verizon.net wrote:

BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.

I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done.

The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.

On 12/12/12, Manish Rane <manish...@gmail.com> wrote:

Hi Folks,

Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting lower TTL value? I believe F5 3DNS does the same thing?
is there a also-allow-transfer
Hello,

I have the allow-transfer{} section in the global options{} block. But for a special zone, I want to include another IP to allow transfer besides the global IPs. Is there an also-allow-transfer option in BIND? If not how to control this?

Thanks.
Re: is there a also-allow-transfer
In message <50c9818e.2060...@nsbeta.info>, Feng He writes:

> Hello,
>
> I have the allow-transfer{} section in the global options{} block. But for a special zone, I want to include another IP to allow transfer besides the global IPs. Is there an also-allow-transfer option in BIND? If not how to control this?

    acl xxx { };

    options {
        allow-transfer { xxx; };
    };

    zone yyy {
        allow-transfer { xxx; extra; };
    };

> Thanks.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: is there a also-allow-transfer
On 2012-12-13 15:23, Mark Andrews wrote:

>     acl xxx { };
>
>     options {
>         allow-transfer { xxx; };
>     };
>
>     zone yyy {
>         allow-transfer { xxx; extra; };
>     };

cool. thanks!