Re: historical issues with query performance during AXFR

2013-04-26 Thread JINMEI Tatuya / 神明達哉
At Thu, 25 Apr 2013 13:42:00 -0500,
C. B. cbroo...@gmail.com wrote:

> I was wondering if there were any well known (or otherwise) historical
> issues with query performance by an authoritative BIND server answering
> queries for records in a zone it was in the middle of performing an
> AXFR/IXFR on? Particularly in the 9.5.x code branch?

This may be related to this topic

2878.   [func]  Incrementally write the master file after performing
a AXFR.  [RT #21010]

but it depends on what specifically you mean AXFR/IXFR on and in
the middle.  From the above description of yours I guess that's
probably irrelevant of your background situation.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Caching server - named process is limit at 500MB

2013-04-26 Thread Chu Ha Khanh
Hi,

I have been trying for a long time but still cannot get past the issue.
These are the steps I took; could you please take a look?

I installed SunStudio SunStudio12u1-SunOS-SPARC-pkgs-ML.

gunzip bind-9.9.2-P2.tar.gz
tar xf bind-9.9.2-P2.tar
CC=/bin/cc
CXX=/bin/CC
F77=/bin/f77
CFLAGS="-m64 -Qoption cg -xregs=no%appl -xmemalign=8s -mt"
CXXFLAGS=-m64
LDFLAGS=-L/usr/sfw/lib/64:/lib/64:/usr/lib/64
LIBS=-l/usr/sfw/lib/64
LD_LIBRARY_PATH=/usr/sfw/lib/64:/lib/64:/usr/lib/64
PATH=$PATH:/usr/ccs/bin
./configure -bindir=/opt/cbind9 --disable-openssl-version-check
make
make install
cd /opt/cbind9/

There is no named!?

It does not work.

Thanks and Best Regards,

 ===
Chu Ha Khanh
 Website: www.svtech.com.vn  E-mail: khanh@svtech.com.vn 

-Original Message-
From: Jaco Lesch [mailto:ja...@saix.net] 
Sent: Wednesday, April 17, 2013 2:29 PM
To: Chu Ha Khanh
Cc: 'Mike Hoskins (michoski)'; bind-users@lists.isc.org
Subject: Re: Caching server - named process is limit at 500MB

Chu

My version of BIND is compiled 64-bit and running:
 ~: file bin/named/named
bin/named/named:ELF 64-bit MSB executable SPARCV9 Version 1, 
dynamically linked, not stripped

Compiled with Studio I passed the following variables in configure:
CC=/bin/cc
CXX=/bin/CC
F77=/bin/f77
CFLAGS="-m64 -Qoption cg -xregs=no%appl -xmemalign=8s -mt"
CXXFLAGS=-m64
LDFLAGS=-L/usr/sfw/lib/64:/lib/64:/usr/lib/64
LIBS=-l/usr/sfw/lib/64
LD_LIBRARY_PATH=/usr/sfw/lib/64:/lib/64:/usr/lib/64

The important flag is CFLAGS=-m64 to tell make to generate 64-bit
binaries.

For GCC you can do something like this for configure:
CC=/usr/bin/gcc
CFLAGS="-m64 -mcpu=v9"
CXX=/usr/bin/g++
CXXFLAGS="-m64 -mcpu=v9"
F77=/usr/bin/gfortran

See how that goes. If you are going to use DNSSEC make sure OpenSSL also
has 64-bit libraries available.

Regards


On 17/04/2013 04:46, Chu Ha Khanh wrote:
> Hi,
>
> Here is my output from command. It looks like my bind version is
> actually 32 bit. But there are some default applications also 32 bit
> although all are installed on a 64 bit OS. I have to check this for a
> moment.
>
> bash-3.2# file `which named`
> /usr/local/sbin/named:  ELF 32-bit LSB executable 80386 Version 1, dynamically linked, not stripped
> bash-3.2#
> bash-3.2# file /usr/local/bin/gcc
> /usr/local/bin/gcc: ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically linked, not stripped
> bash-3.2# file `which java`
> /usr/bin/java:  ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically linked, not stripped, no debugging information available
> bash-3.2# isainfo -kv
> 64-bit amd64 kernel modules
>
> Thanks and Best Regards,
> Website: www.svtech.com.vn  E-mail: khanh@svtech.com.vn
>
> -Original Message-
> From: Mike Hoskins (michoski) [mailto:micho...@cisco.com]
> Sent: Wednesday, April 17, 2013 9:34 AM
> To: Chu Ha Khanh; 'Jaco Lesch'
> Cc: bind-users@lists.isc.org
> Subject: Re: Caching server - named process is limit at 500MB
>
> -Original Message-
>
> From: Chu Ha Khanh khanh@svtech.com.vn
> Date: Tuesday, April 16, 2013 10:25 PM
> To: 'Jaco Lesch' ja...@saix.net
> Cc: bind-users@lists.isc.org bind-users@lists.isc.org
> Subject: RE: Caching server - named process is limit at 500MB
>
> Hi,
>
> How to check 64 bit version of bind?
>
> I often download source code from isc.org and compile on 64 bit Solaris
> 10 OS then. I always consider my version is 64 bit.
>
> $ file `which named`
> /usr/sbin/named: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, stripped
>
> (or whatever path to the right named executable...)


--
---
Jaco Lesch
SAIX HLS
Email: ja...@saix.net



Re: Caching server - named process is limit at 500MB

2013-04-26 Thread Fajar A. Nugraha
On Wed, Apr 17, 2013 at 9:46 AM, Chu Ha Khanh khanh@svtech.com.vn wrote:
> Hi,
>
> Here is my output from command. It looks like my bind version is actually 32
> bit. But there are some default applications also 32 bit although all are
> installed on a 64 bit OS. I have to check this for a moment.

Correct.

If you want to blame someone, blame Oracle. I assume you HAVE some
kind of support contract for Solaris, since it's free for development
purposes only, and other uses require a support subscription. If you do,
you might be able to open a support ticket and get them to explain in
detail why they made that choice.

The short version is that Solaris uses and compiles 32-bit programs by
default. In the past I've forced some programs to compile as 64-bit by
using something like

export CFLAGS=-m64
./configure ...

Since you wrote you can't compile it with Sun Studio, try gcc with that flag.

-- 
Fajar


bug reports?

2013-04-26 Thread Klaus Malorny


Hi,

can someone please briefly explain how to submit a bug report? I think I have
found a small bug causing a protocol error in Bind 9.7.7 (and obviously still
existent in 9.9.2) and would like to let the ISC people know about it.


Regards,

Klaus


RE: Caching server - named process is limit at 500MB

2013-04-26 Thread Chu Ha Khanh
Hi,

I installed 64 bit successfully. I greatly appreciate your help.

PATH=$PATH:/usr/ccs/bin
export CFLAGS='-m64'
export CXXFLAGS='-m64'
export LDFLAGS='-m64 -R/usr/local/lib'
export LD_LIBRARY_PATH=/usr/sfw/lib/64:/lib/64:/usr/lib/64
cd /bind-9.9.2-P2
./configure -bindir=/opt/cbind1 --disable-openssl-version-check
./configure --disable-openssl-version-check
make
make install
file /usr/local/sbin/named

Thanks and Best Regards,

 ===
Chu Ha Khanh
Website: www.svtech.com.vn  E-mail: khanh@svtech.com.vn 

-Original Message-
From: Fajar A. Nugraha [mailto:w...@fajar.net] 
Sent: Friday, April 26, 2013 4:16 PM
To: Chu Ha Khanh
Cc: bind-users@lists.isc.org
Subject: Re: Caching server - named process is limit at 500MB

On Wed, Apr 17, 2013 at 9:46 AM, Chu Ha Khanh khanh@svtech.com.vn
wrote:
> Hi,
>
> Here is my output from command. It looks like my bind version is
> actually 32 bit. But there are some default applications also 32 bit
> although all are installed on a 64 bit OS. I have to check this for a
> moment.

Correct.

If you want to blame someone, blame Oracle. I assume you HAVE some kind of
support contract for Solaris, since it's free for development purposes only,
and other uses require a support subscription. If you do, you might be able to
open a support ticket and get them to explain in detail why they made that
choice.

The short version is that Solaris uses and compiles 32-bit programs by
default. In the past I've forced some programs to compile as 64-bit by using
something like

export CFLAGS=-m64
./configure ...

Since you wrote you can't compile it with Sun Studio, try gcc with that
flag.

--
Fajar
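
Added example, not from the thread: the 32-bit versus 64-bit question that the posters answer with `file` comes down to a few bytes of the ELF header, which this Python code decodes so the check can run as a post-build step. The sample headers are constructed to match the three kinds of `file` output quoted in the thread, and the function names are hypothetical.

```python
import struct

# e_machine and e_type codes from the ELF specification, limited to the
# values that correspond to the `file` output quoted in this thread.
MACHINES = {2: "SPARC", 3: "80386", 43: "SPARCV9", 62: "x86-64"}
TYPES = {2: "executable", 3: "shared object"}


def describe_elf(header: bytes) -> dict:
    """Decode word size, byte order, file type and CPU from an ELF header."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]      # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("corrupt e_ident")
    # e_type and e_machine are stored in the byte order named by EI_DATA.
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(order + "HH", header[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": TYPES.get(e_type, f"type {e_type}"),
        "machine": MACHINES.get(e_machine, f"machine {e_machine}"),
    }


def describe_file(path: str) -> dict:
    """Same check against a file on disk, e.g. the installed named binary."""
    with open(path, "rb") as fh:
        return describe_elf(fh.read(20))


def sample_header(ei_class, ei_data, e_type, e_machine) -> bytes:
    """Build a constructed 20-byte header (not taken from a real binary)."""
    order = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(order + "HH", e_type, e_machine)


if __name__ == "__main__":
    samples = {
        "32-bit x86 build": sample_header(1, 1, 2, 3),
        "64-bit SPARC build": sample_header(2, 2, 2, 43),
        "64-bit Linux build": sample_header(2, 1, 3, 62),
    }
    for label, header in samples.items():
        print(label, describe_elf(header))
```
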



ISC Courses

2013-04-26 Thread rohan.henry
Hello,

Can anyone say why Bind course offering appears so expensive? Is something else 
included in the package that is not specified?

2-Day Introduction to DNS & BIND Training
Price: $1,795.00

Rohan


Re: ISC Courses

2013-04-26 Thread Carlos M. Martinez
That's stiff...

On 4/26/13 2:47 PM, rohan.he...@cwjamaica.com wrote:
> Hello,
>
> Can anyone say why Bind course offering appears so expensive? Is something
> else included in the package that is not specified?
>
> 2-Day Introduction to DNS & BIND Training
> Price: $1,795.00
>
> Rohan


RE: ISC Courses

2013-04-26 Thread Shawn Bakhtiar
Seriously!

I would love to go, but I can't afford that, plain and simple. The DNSSEC stuff 
is 2K +




> Date: Fri, 26 Apr 2013 14:57:40 -0300
> From: carlosm3...@gmail.com
> To: rohan.he...@cwjamaica.com
> Subject: Re: ISC Courses
> CC: bind-users@lists.isc.org
>
> That's stiff...
>
> On 4/26/13 2:47 PM, rohan.he...@cwjamaica.com wrote:
>> Hello,
>>
>> Can anyone say why Bind course offering appears so expensive? Is something
>> else included in the package that is not specified?
>>
>> 2-Day Introduction to DNS & BIND Training
>> Price: $1,795.00
>>
>> Rohan

Re: ISC Courses

2013-04-26 Thread Ted Mittelstaedt
Years ago I used to work for a training company so I will go ahead and 
try to answer this one for you.


The training company is not like a grocery store where they have a 
steady stream of customers.  They are all feast or famine companies.

Some months there's new software releases and everyone wants training
and all of their trainers are busy.  Other months it's dead and their
trainers are sitting around doing research or other stuff that isn't
revenue generating.

It's not like the training company can just lay off their teachers
when there are no classes.  That happened at the one training company I
worked at (as a trainer), and since the company gave me
no assurances they would rehire (we will hire you back -if- we get
some classes) I said screw it and started looking and within 3 weeks
had another job.  (If you ever want something on your resume that will
guarantee you an interview, get hired to teach a class)  As did the
other trainers who were laid off.  For a trainer to lay off its
trainers is equivalent to Intel laying off its CPU designers - those
are the people making the gold, you get rid of them and you have
nothing.  Intel will sacrifice everyone else in the company before
they touch those people, and a well run training company will do
the same for its trainers.

So, the training companies often have months during the year that they
are paying teacher salaries and there's no classes bringing in the
money.  So, when they do get classes, the class has to not only pay the
salary of the trainer who is teaching it, it has to pay the salary of
that same trainer for the rest of the year that he's not doing anything.

Obviously a lot of training companies try to use part timers.  That
works if you're teaching something like how to use Microsoft Word or
Excel.  But nobody who really knew anything about Bind would tolerate
that sort of stuff - either you hire them full time or get the $uc$
out of the business.

Frankly, it is possible to self train on this stuff so you have to
look at how much time that you save by taking a class vs buying the
book and doing it yourself.  If your cost to your company is $80 an
hour and you can do the book in 40 hours (1 week) and take the class
and get trained in 20 hours - well right there that $1795 is a wash.
Meaning that if the class saves your company 22 hours then it costs
them the same to send you to class as paying you for the extra time to
learn it yourself.

Ted Mittelstaedt
Internet Partners, Inc.

On 4/26/2013 10:47 AM, rohan.he...@cwjamaica.com wrote:

> Hello,
>
> Can anyone say why Bind course offering appears so expensive? Is something else
> included in the package that is not specified?
>
> 2-Day Introduction to DNS & BIND Training
> Price: $1,795.00
>
> Rohan


Re: ISC Courses

2013-04-26 Thread Doug Barton
Ted made some really good points. It's also worth pointing out that 
overhead, like renting the facility to teach the classes in, food, 
travel expenses for the trainers to get to the site, course materials, 
insurance, etc. often run into the 'many hundreds' of dollars per 
student before the first word is spoken in class.


Doug


Re: dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; ignoring

2013-04-26 Thread Paul B. Henson

On 4/25/2013 11:57 AM, Evan Hunt wrote:


> The warning is spurious and has been fixed in 9.9.3.  It was incorrectly
> checking to see whether there were any DNSKEY records in the zone *before*
> loading them from the key files.  It should have been doing so afterward,
> obviously.


Ah, okay, thanks for the info. It didn't look like anything was broken 
but it's nice to have a confirmation before rolling it out :).





Re: ISC Courses

2013-04-26 Thread WBrown
> From: rohan.he...@cwjamaica.com
>
> Can anyone say why Bind course offering appears so expensive? Is
> something else included in the package that is not specified?
>
> 2-Day Introduction to DNS & BIND Training
> Price: $1,795.00

I took this class about 2 years ago.  IIRC, the instructor wasn't just a 
trainer, but a support engineer from ISC who could also teach.  He pops up 
here on the list from time to time. 

Another advantage to taking this class is you can bring your DNS issues
and discuss them with others to see how they are tackling them, and get an
expert's opinion on it too.  Some training company instructors are just
certification mill graduates with little hands on experience.  Other than
the ISC course, I haven't had a truly knowledgeable instructor since my
Netware 3 and 4 CNE classes.  Aren't most Microsoft classes running about
$1600/day?

Don't forget that any modest profit from this class will go towards the 
continued development of BIND.

Disclosure, I have no ties to ISC other than user of BIND and past student 
of the 2 day Intro to DNS and BIND.





This didn't work....

2013-04-26 Thread Lawrence K. Chen, P.Eng.
Had a strange problem where our servers couldn't resolve hosts in an AD 
subdomain.

This was in the zone file:

 $ORIGIN foo.example.com.
 ...
 ads NS ads.foo.example.com
 ...
 ...
 ...
 ads A  a.b.c.d
 ...
 ...
 ...

They said if you used their ADS for lookups, things worked...except they can't
resolve anything else using it. (There appears to be a problem with DNS
interference from their firewall.)  Plus, if it worked...they wouldn't be able
to resolve hosts in our internal view.  But, they can't resolve hosts in
their ADS domain using our DNS.

It's not clear where the users are w.r.t. this firewall.  But, since we can
reproduce the issue...guessing outside...it's probably a datacenter firewall
rather than the department.

So, got the NS changed...though they said the way it was done is how Microsoft
says they're supposed to do it.

Evidently... on their side ads.foo.example.com resolves to

  a.b.c.d
  a.b.c.e - dc2
  a.b.c.f - dc3

So changing to:

 $ORIGIN foo.example.com
 ...
 ads  NS dc2.foo.example.com.
  NS dc3.foo.example.com.
 dc2  A  a.b.c.e
 dc3  A  a.b.c.f
 ...

Still doesn't work...'dig +trace ads.foo.example.com' worked, but 'dig
ads.foo.example.com' doesn't...and 'dig +trace host.ads.foo.example.com'
appears to work, but 'dig host.ads.foo.example.com' doesn't.  Meanwhile
somebody else happened to be doing a network capture, and they see
dc2.foo.example.com replying to our caching dns servers, but the dns servers
aren't answering.

I then notice that the dig responses aren't authoritative.

How do you have an AD domain where your AD servers aren't authoritative for
itself?

I assume that's the problem now...or is there something else on my end that I
should be looking at?

Meanwhile...if things do start working...the 'host.foo.example.com' that
started this problem will resolve to a 10.b.c.d address.  Which is another
problem I've been trying to quash...

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library


Re: This didn't work....

2013-04-26 Thread John Miller
Hi Lawrence,

I'm going to answer your questions a bit out of order, but hopefully
things'll still be clear.


> How do you have an AD domain where your AD servers aren't authoritative
> for itself?


This is how our AD domain is set up -- the root of the AD domain is
brandeis.edu, but the domain controllers do not run the MS DNS Server
service.  Client computers get the main campus DNS resolvers via DHCP, and
are set not to use the MS DNS Client service.  We've set up dynamic zones
in BIND for the zones needed by AD: _msdcs.brandeis.edu, _tcp.brandeis.edu,
_udp.brandeis.edu, etc.

Microsoft TechNet has some really thorough docs on this:

http://technet.microsoft.com/en-us/library/dd316373.aspx

It's a bit dated, but the principles still apply.  The more general
Microsoft docs:

http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc772774%28v=ws.10%29.aspx

are also quite good.


> Had a strange problem where our servers couldn't resolve hosts in an AD
> subdomain.


Can you clarify the problem a bit here?  Is it that the authoritative
nameservers for foo.example.com are unable to resolve ads.foo.example.com?
Do the foo.example.com servers look to themselves for recursion?  Am I
correct that a department on campus is running their own AD environment
with a root of ads.foo.example.com, and you simply delegate the subdomain
to them?


> This was in the zone file:
>
>  $ORIGIN foo.example.com.
>  ...
>  ads NS ads.foo.example.com
>  ...
>  ...
>  ...
>  ads A  a.b.c.d
>  ...
>  ...
>  ...


This looks pretty normal if you're delegating the ads.foo.example.com zone
to a server called ads.foo.example.com.  A little confusing to use the same
name for the nameserver as the subdomain itself, but it seems like it
should work.

> So changing to:
>
>  $ORIGIN foo.example.com
>  ...
>  ads  NS dc2.foo.example.com.
>   NS dc3.foo.example.com.
>  dc2  A  a.b.c.e
>  dc3  A  a.b.c.f
>  ...


This looks very odd indeed.  If the root of the AD domain is
ads.foo.example.com, why do the DCs live in the parent zone?  Is that
something you allow?  The first zone config looked more appropriate.

Without going any further into this, it looks as though the department may
have set their AD domain up as foo.example.com when in reality it should
be ads.foo.example.com.  Can you clarify this?

John
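
Added example, not part of the thread or of BIND: a small Python check of how the names in delegation snippets shaped like the two quoted above expand under master-file rules (a name without a trailing dot has the current origin appended), and whether each NS target inside the zone has an address record. The zone name foo.example.com., the 192.0.2.x addresses and the reduced "owner TYPE rdata" line format are assumptions; it shows what such snippets mean as written, not what the poster's real zone file contained.

```python
def fqdn(name, origin):
    """Complete a master-file name: '@' is the origin, a trailing dot means absolute."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()


def parse(text, zone):
    """Return [(owner, type, rdata)] with owners and NS targets expanded."""
    origin, owner, records = zone, zone, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fqdn(fields[1], origin)     # a relative $ORIGIN is completed too
            continue
        if not line[0].isspace():                # leading blank space: owner is inherited
            owner = fqdn(fields.pop(0), origin)
        rtype, rdata = fields[0].upper(), fields[1]
        records.append((owner, rtype, fqdn(rdata, origin) if rtype == "NS" else rdata))
    return records


def doubled(name, zone):
    """True when the zone name appears twice at the end (a missing trailing dot)."""
    return name.endswith("." + zone.rstrip(".") + "." + zone)


def check_delegations(text, zone):
    """List (code, name) findings for the delegations in a parent-zone snippet."""
    records = parse(text, zone)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    problems = []

    def note(code, name):
        if (code, name) not in problems:
            problems.append((code, name))

    for owner, rtype, target in records:
        if rtype != "NS" or owner == zone:       # apex NS records are not delegations
            continue
        for name in (owner, target):
            if doubled(name, zone):
                note("doubled-name", name)
        if target.endswith("." + zone) and target not in have_addr:
            note("no-address", target)
    return problems


ZONE = "foo.example.com."        # assumed zone name
# Constructed inputs modelled on the two quoted snippets, plus a corrected form.
FIRST = """\
$ORIGIN foo.example.com.
ads NS ads.foo.example.com
ads A  192.0.2.4
"""
SECOND = """\
$ORIGIN foo.example.com
ads  NS dc2.foo.example.com.
     NS dc3.foo.example.com.
dc2  A  192.0.2.5
dc3  A  192.0.2.6
"""
FIXED = SECOND.replace("$ORIGIN foo.example.com\n", "$ORIGIN foo.example.com.\n")

if __name__ == "__main__":
    for label, text in (("first", FIRST), ("second", SECOND), ("fixed", FIXED)):
        print(label, check_delegations(text, ZONE))
```
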

How does bind select what master to use?

2013-04-26 Thread Kevin Morgan
Does it use an algorithm to determine the best server to use or does
it try the masters in the order they are listed? I am wondering if
listing the masters in a different order can optimize the performance
of bind.

--
Kevin Morgan
PGP Public Key ID 0xB6028066
Key fingerprint = 09FB 59EB D9FE 7C9C 12DF  9530 A877 FAB7 B602 8066