Re: Value of memory

2014-08-06 Thread Fajar A. Nugraha
On Thu, Aug 7, 2014 at 10:39 AM, Robert Moskowitz  wrote:
> I have a server that is only running bind 9.8.2 (Centos 6.5).  It has 2Gb
> memory and free reports ~1.7Gb used.
>
> I am looking at replacing this server with an armv7 board running Redsleeve
> (until Centos 7 is out and stable for armv7).  I have a choice of boards,
> one with 1Gb memory ($60) and one with 2Gb memory ($90).
>
> This server serves out my zones and supports the couple handful of systems
> on my net.  I would like to eventually get to DNSSEC, but that is another
> stalled project.
>
> About the only meaningful difference between the two boards (btw,
> Cubieboard2 and Cubietruck) for my needs is the memory.  I know more memory
> is better, but how much better?
>
> Oh, why the move to arm?  Power consumption.  ROI for the C2 board is one
> year just on power saving.

It depends on how much load your server currently handles, and how your
cache is configured.

I'd start with looking at your server load. ARM still has lower
per-core performance compared to x86, so if you currently see high CPU
utilization by named, I'd stick with x86.

Next see how your memory cache is configured. That should be where
bind uses most memory. AFAIK by default max-cache-size is unlimited
and max-cache-ttl is set to several days. See how much memory bind
currently uses for cache, and then you can try configuring those two
parameters (e.g. set an explicit max-cache-size to 512MB) and see how
much memory bind (and the rest of the OS) uses then, and how well it
performs. If it's still acceptable, then you can probably go with the
1GB board.

Cache can reduce the number of queries issued upstream and is very
important on busy servers, but if you serve a relatively low number of
queries from your clients then you won't see much difference between
(e.g.) 512MB and 1GB cache.

-- 
Fajar
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ISP caching server setup

2014-08-06 Thread Jared Empson
I have upgraded the bind version on one of my cache servers to 9.9.5.  This has 
resolved the issue of non-authoritative responses not being passed on to 
clients.

Thank you for your assistance.

Jared Empson
Systems Administrator
Zito Media
814.260.9450



On Aug 6, 2014, at 8:45 PM, Jared Empson  wrote:

> 
> Jared Empson
> Systems Administrator
> Zito Media
> 814.260.9450
> 
> 
> 
> On Aug 6, 2014, at 7:28 PM, Mark Andrews  wrote:
> 
>> 
>> In message <3a1ebfdb-a033-4e07-be61-9f6ba6916...@zitomedia.com>, Jared
>> Empson writes:
>>> 
>>> I manage a small group of cache only servers for an ISP.  We run Bind 9.7
>> 
>> You run BIND 9.7.0 and haven't applied any of the maintenance releases
>> to BIND 9.7. 
> 
> I just updated the bind instance with the Ubuntu Lucid packages so I’m 
> running version BIND 9.7.0-P1.
> 
>> 
>>> and have noticed that several domains our customers would like to access
>>> are unavailable from our cache servers.  These same domains work on other
>>> provider networks such as Verizon or Google.
>> 
>> In BIND 9.7.0 we restored the code to skip to non authoritative answers
>> from supposedly authoritative servers having fixed a bug in named.
>> Unfortunately there are some zones for which all the servers are
>> broken and don't return authoritative (aa=1) answers.
>> 
>> BIND 9.7.1 reversed the change to skip non authoritative answers
>> despite it being technically correct.
> 
> Do you suggest we upgrade to bind version 9.7.1?
> 
>> 
>>> What I have found is that these domains all have misconfigured glue
>>> records.  This could be caused by a recent change of registrar or a
>>> misconfigured zone file pointing to NS records that no longer exist as
>>> glue records.  Because of this any query of a host from these domains
>>> receive a non-authoritative response and are dropped by our cache servers.
>>> 
>>> How do I configure the cache server to accept the non-authoritative
>>> response to provide our customers access to these domains without
>>> forwarding to Google's caching servers?
>> 
>> 
>>> An example domain is losscontrol360.com.
>>> What our customers receive:
>>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>> 
>>> ;; QUESTION SECTION:
>>> ;losscontrol360.com.  IN  A
>>> 
>>> ;; Query time: 1380 msec
>>> ;; SERVER: 10.100.2.11#53(10.100.2.11)
>>> ;; WHEN: Wed Aug  6 16:00:55 2014
>>> ;; MSG SIZE  rcvd: 36
>>> 
>>> What our cache server receives:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
>>> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags: do; udp: 1280
>>> ;; QUESTION SECTION:
>>> ;losscontrol360.com.  IN  A
>>> 
>>> ;; ANSWER SECTION:
>>> losscontrol360.com. 173 IN  A   74.208.98.80
>>> 
>>> What Google provides:
>>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>> 
>>> ;; QUESTION SECTION:
>>> ;losscontrol360.com.  IN  A
>>> 
>>> ;; ANSWER SECTION:
>>> losscontrol360.com. 586 IN  A   74.208.98.80
>>> 
>>> ;; Query time: 174 msec
>>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>>> ;; WHEN: Wed Aug  6 16:01:07 2014
>>> ;; MSG SIZE  rcvd: 52
>>> 
>>> Jared Empson
>>> Systems Administrator
>>> Zito Media
>> 
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> 



Value of memory

2014-08-06 Thread Robert Moskowitz
I have a server that is only running bind 9.8.2 (Centos 6.5).  It has 
2Gb memory and free reports ~1.7Gb used.


I am looking at replacing this server with an armv7 board running 
Redsleeve (until Centos 7 is out and stable for armv7).  I have a choice 
of boards, one with 1Gb memory ($60) and one with 2Gb memory ($90).


This server serves out my zones and supports the couple handful of 
systems on my net.  I would like to eventually get to DNSSEC, but that 
is another stalled project.


About the only meaningful difference between the two boards (btw, 
Cubieboard2 and Cubietruck) for my needs is the memory.  I know more 
memory is better, but how much better?


Oh, why the move to arm?  Power consumption.  ROI for the C2 board is 
one year just on power saving.





Re: ISP caching server setup

2014-08-06 Thread Jared Empson
I had my message settings set to digest so I apologize for responding to each 
of your responses in one email.  See all comments below.

Jared Empson
Systems Administrator
Zito Media
814.260.9450



On Aug 6, 2014, at 6:48 PM, bind-users-requ...@lists.isc.org wrote:

> 
> Message: 2
> Date: Wed, 06 Aug 2014 22:20:57 +0200
> From: Reindl Harald 
> To: bind-users@lists.isc.org
> Subject: Re: ISP caching server setup
> Message-ID: <53e28e29@thelounge.net>
> Content-Type: text/plain; charset="windows-1252"
> 
> interesting, that is indeed wrongly configured
> http://www.intodns.com/losscontrol360.com
> 
> on the other hand all my recursive bind 9.9.4 nameservers
> resolve it as well my homeserver which is using the caching
> named on the office as forwarder
> 
> also the unbound instance running as caching server on
> our mail-machine using the internal named as forwarders
> has the same result
> 
> really interesting "dig NS" ends in a SERVFAIL everywhere
> except Google (8.8.8.8) so from where do my named get
> the responses at all
> 
> On 06.08.2014 at 22:03, Jared Empson wrote:
>> I manage a small group of cache only servers for an ISP.  We run Bind 9.7
>> and have noticed that several domains our customers would like to access
>> are unavailable from our cache servers.  These same domains work on other
>> provider networks such as Verizon or Google.
>> 
>> What I have found is that these domains all have misconfigured glue
>> records.  This could be caused by a recent change of registrar or a
>> misconfigured zone file pointing to NS records that no longer exist as
>> glue records.  Because of this any query of a host from these domains
>> receive a non-authoritative response and are dropped by our cache servers.
>> 
>> How do I configure the cache server to accept the non-authoritative
>> response to provide our customers access to these domains without
>> forwarding to Google's caching servers?
>> 
>> An example domain is losscontrol360.com.
>> What our customers receive:
>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;losscontrol360.com.  IN  A
>> 
>> ;; Query time: 1380 msec
>> ;; SERVER: 10.100.2.11#53(10.100.2.11)
>> ;; WHEN: Wed Aug  6 16:00:55 2014
>> ;; MSG SIZE  rcvd: 36
>> 
>> What our cache server receives:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
>> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1280
>> ;; QUESTION SECTION:
>> ;losscontrol360.com.  IN  A
>> 
>> ;; ANSWER SECTION:
>> losscontrol360.com.  173 IN  A   74.208.98.80
>> 
>> What Google provides:
>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;losscontrol360.com.  IN  A
>> 
>> ;; ANSWER SECTION:
>> losscontrol360.com.  586 IN  A   74.208.98.80
>> 
>> ;; Query time: 174 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Wed Aug  6 16:01:07 2014
>> ;; MSG SIZE  rcvd: 52
> 
> 
> --
> 
> Message: 3
> Date: Thu, 07 Aug 2014 08:33:28 +1000
> From: Noel Butler 
> To: bind-users@lists.isc.org
> Subject: Re: ISP caching server setup
> Message-ID: 
> Content-Type: text/plain; charset=US-ASCII; format=flowed
> 
> On 07/08/2014 06:03, Jared Empson wrote:
> 
>> 
>> What our cache server receives:
>> 
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38342
>> ;; flags: 

Re: ISP caching server setup

2014-08-06 Thread Jared Empson

Jared Empson
Systems Administrator
Zito Media
814.260.9450



On Aug 6, 2014, at 7:28 PM, Mark Andrews  wrote:

> 
> In message <3a1ebfdb-a033-4e07-be61-9f6ba6916...@zitomedia.com>, Jared Empson
> writes:
>> 
>> I manage a small group of cache only servers for an ISP.  We run Bind 9.7
> 
> You run BIND 9.7.0 and haven't applied any of the maintenance releases
> to BIND 9.7. 

I just updated the bind instance with the Ubuntu Lucid packages so I’m running 
version BIND 9.7.0-P1.

> 
>> and have noticed that several domains our customers would like to access
>> are unavailable from our cache servers.  These same domains work on other
>> provider networks such as Verizon or Google.
> 
> In BIND 9.7.0 we restored the code to skip to non authoritative answers
> from supposedly authoritative servers having fixed a bug in named.
> Unfortunately there are some zones for which all the servers are
> broken and don't return authoritative (aa=1) answers.
> 
> BIND 9.7.1 reversed the change to skip non authoritative answers
> despite it being technically correct.

Do you suggest we upgrade to bind version 9.7.1?

> 
>> What I have found is that these domains all have misconfigured glue
>> records.  This could be caused by a recent change of registrar or a
>> misconfigured zone file pointing to NS records that no longer exist as
>> glue records.  Because of this any query of a host from these domains
>> receive a non-authoritative response and are dropped by our cache servers.
>> 
>> How do I configure the cache server to accept the non-authoritative
>> response to provide our customers access to these domains without
>> forwarding to Google's caching servers?
> 
> 
>> An example domain is losscontrol360.com.
>> What our customers receive:
>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;losscontrol360.com. IN  A
>> 
>> ;; Query time: 1380 msec
>> ;; SERVER: 10.100.2.11#53(10.100.2.11)
>> ;; WHEN: Wed Aug  6 16:00:55 2014
>> ;; MSG SIZE  rcvd: 36
>> 
>> What our cache server receives:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
>> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1280
>> ;; QUESTION SECTION:
>> ;losscontrol360.com. IN  A
>> 
>> ;; ANSWER SECTION:
>> losscontrol360.com.  173 IN  A   74.208.98.80
>> 
>> What Google provides:
>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;losscontrol360.com. IN  A
>> 
>> ;; ANSWER SECTION:
>> losscontrol360.com.  586 IN  A   74.208.98.80
>> 
>> ;; Query time: 174 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Wed Aug  6 16:01:07 2014
>> ;; MSG SIZE  rcvd: 52
>> 
>> Jared Empson
>> Systems Administrator
>> Zito Media
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: ISP caching server setup

2014-08-06 Thread Mark Andrews

In message <3a1ebfdb-a033-4e07-be61-9f6ba6916...@zitomedia.com>, Jared Empson
writes:
>
> I manage a small group of cache only servers for an ISP.  We run Bind 9.7

You run BIND 9.7.0 and haven't applied any of the maintenance releases
to BIND 9.7. 

> and have noticed that several domains our customers would like to access
> are unavailable from our cache servers.  These same domains work on other
> provider networks such as Verizon or Google.

In BIND 9.7.0 we restored the code to skip to non authoritative answers
from supposedly authoritative servers having fixed a bug in named.
Unfortunately there are some zones for which all the servers are
broken and don't return authoritative (aa=1) answers.

BIND 9.7.1 reversed the change to skip non authoritative answers
despite it being technically correct.

> What I have found is that these domains all have misconfigured glue
> records.  This could be caused by a recent change of registrar or a
> misconfigured zone file pointing to NS records that no longer exist as
> glue records.  Because of this any query of a host from these domains
> receive a non-authoritative response and are dropped by our cache servers.
>
> How do I configure the cache server to accept the non-authoritative
> response to provide our customers access to these domains without
> forwarding to Google's caching servers?


> An example domain is losscontrol360.com.
> What our customers receive:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com.  IN  A
>
> ;; Query time: 1380 msec
> ;; SERVER: 10.100.2.11#53(10.100.2.11)
> ;; WHEN: Wed Aug  6 16:00:55 2014
> ;; MSG SIZE  rcvd: 36
>
> What our cache server receives:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280
> ;; QUESTION SECTION:
> ;losscontrol360.com.  IN  A
>
> ;; ANSWER SECTION:
> losscontrol360.com.   173 IN  A   74.208.98.80
>
> What Google provides:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com.  IN  A
>
> ;; ANSWER SECTION:
> losscontrol360.com.   586 IN  A   74.208.98.80
>
> ;; Query time: 174 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Aug  6 16:01:07 2014
> ;; MSG SIZE  rcvd: 52
>
> Jared Empson
> Systems Administrator
> Zito Media

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
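
An added example, not part of the original post and not BIND code: a small Python parser for dig's header lines that flags the case described above, an answer without the aa bit from a server the delegation lists as authoritative. The sample strings are trimmed copies of the dig output quoted in this thread; the function names, the `server_is_listed_ns` parameter, and treating the "cache server receives" response as coming from a listed nameserver are assumptions of this example.

```python
import re

# Header lines of the three dig outputs quoted in this thread (trimmed copies).
CUSTOMER_VIEW = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
UPSTREAM_VIEW = """\
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280
"""
GOOGLE_VIEW = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id:\s*(\d+)")
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);(.*)$")
COUNT_RE = re.compile(r"(QUERY|QUESTION|ANSWER|AUTHORITY|ADDITIONAL):\s*(\d+)")


def parse_dig_header(text):
    """Return rcode, header flag set and section counts from dig text output."""
    parsed = {"status": None, "id": None, "flags": set(), "counts": {}}
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate e-mail quote markers
        header = HEADER_RE.match(line)
        if header:
            parsed["status"] = header.group(2)
            parsed["id"] = int(header.group(3))
            continue
        # Anchored on ";; flags:" so the EDNS line ("; EDNS: ... flags: do;")
        # is not mistaken for the DNS header flags.
        flags = FLAGS_RE.match(line)
        if flags:
            parsed["flags"] = set(flags.group(1).split())
            for name, value in COUNT_RE.findall(flags.group(2)):
                # dig versions label the first count QUERY or QUESTION.
                key = "QUESTION" if name == "QUERY" else name
                parsed["counts"][key] = int(value)
    if parsed["status"] is None:
        raise ValueError("no dig ->>HEADER<<- line found")
    return parsed


def classify(parsed, server_is_listed_ns):
    """Label a response. server_is_listed_ns (hypothetical parameter) says
    whether the server queried is one the delegation names for the zone."""
    if parsed["status"] != "NOERROR":
        return parsed["status"].lower()
    if "aa" in parsed["flags"]:
        return "authoritative"
    if server_is_listed_ns:
        # aa=0 from a server that should own the zone: the case discussed above.
        return "non-authoritative from listed nameserver"
    if "ra" in parsed["flags"] and parsed["counts"].get("ANSWER", 0) > 0:
        return "recursive answer"
    return "no usable answer"


if __name__ == "__main__":
    for label, text, listed in (("customer", CUSTOMER_VIEW, False),
                                ("upstream", UPSTREAM_VIEW, True),
                                ("google", GOOGLE_VIEW, False)):
        print(label, "->", classify(parse_dig_header(text), listed))
```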


Re: ISP caching server setup

2014-08-06 Thread Noel Butler
 

You are in fact correct Harry, I never bothered with a whois, had I done
so I would have picked it up, put it down to too early in the morning,
so this problem is out of Jared's control, unless he also manages that
domain. 

Ohh and nice to see you are actually behaving yourself on this list :) 

On 07/08/2014 08:40, Reindl Harald wrote: 

> On 07.08.2014 at 00:33, Noel Butler wrote:
> 
>> Apart from stupid SOA values, losscontrol360.com seems OK
> 
> OK? the failing NS query is caused by the errors below
> this domain only works by luck from time to time
> 
> [harry@srv-rhsoft:~]$ dig NS losscontrol360.com
> ; <<>> DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 <<>> NS losscontrol360.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49902
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> http://www.intodns.com/losscontrol360.com [1]
> 
> Error Nameservers are lame ERROR: looks like you have lame nameservers. The 
> following nameservers are lame:
> 54.241.6.128
> 54.243.153.234
> 107.6.6.8
> 
> Error Missing nameservers reported by parent FAIL: The following nameservers 
> are listed at your nameservers as
> nameservers for your domain, but are not listed at the parent nameservers 
> (see RFC2181 5.4.1). You need to make
> sure that these nameservers are working. If they are not working ok, you may 
> have problems!
> b1.uberns.com
> a1.uberns.com
> 
> Error Missing nameservers reported by your nameservers ERROR: One or more of 
> the nameservers listed at the parent
> servers are not listed as NS records at your nameservers. The problem NS 
> records are:
> ns22.netriplex.com
> ns21.netriplex.com
> ns23.netriplex.com
> ns20.netriplex.com
> This is listed as an ERROR because there are some cases where nasty problems 
> can occur (if the TTLs vary from the
> NS records at the root servers and the NS records point to your own domain, 
> for example)
> 
> Error Stealth NS records sent Stealth NS records were sent:
> b1.uberns.com
> a1.uberns.com
> 
>> if your customers don't see what your cache server does, they can't be using 
>> the same cache server as you showed here
> 
> true
> 

 

Links:
--
[1] http://www.intodns.com/losscontrol360.com
[2] https://lists.isc.org/mailman/listinfo/bind-users

Re: ISP caching server setup

2014-08-06 Thread Reindl Harald


On 07.08.2014 at 00:33, Noel Butler wrote:
> Apart from stupid SOA values, losscontrol360.com seems OK

OK? the failing NS query is caused by the errors below
this domain only works by luck from time to time

[harry@srv-rhsoft:~]$ dig NS losscontrol360.com
; <<>> DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 <<>> NS losscontrol360.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49902
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1


http://www.intodns.com/losscontrol360.com

Error   Nameservers are lame    ERROR: looks like you have lame nameservers. 
The following nameservers are lame:
54.241.6.128
54.243.153.234
107.6.6.8

Error   Missing nameservers reported by parent  FAIL: The following nameservers 
are listed at your nameservers as
nameservers for your domain, but are not listed at the parent nameservers (see 
RFC2181 5.4.1). You need to make
sure that these nameservers are working. If they are not working ok, you may 
have problems!
b1.uberns.com
a1.uberns.com

Error   Missing nameservers reported by your nameservers ERROR: One or more of 
the nameservers listed at the parent
servers are not listed as NS records at your nameservers. The problem NS 
records are:
ns22.netriplex.com
ns21.netriplex.com
ns23.netriplex.com
ns20.netriplex.com
This is listed as an ERROR because there are some cases where nasty problems 
can occur (if the TTLs vary from the
NS records at the root servers and the NS records point to your own domain, for 
example)

Error   Stealth NS records sent Stealth NS records were sent:
b1.uberns.com
a1.uberns.com

> if your customers don't see what your cache server does, they can't be using 
> the same cache server as you showed here

true




Re: ISP caching server setup

2014-08-06 Thread Noel Butler

On 07/08/2014 06:03, Jared Empson wrote:



> What our cache server receives:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38342
> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280
> ;; QUESTION SECTION:
> ;losscontrol360.com. IN A
>
> ;; ANSWER SECTION:
> losscontrol360.com. 173 IN A 74.208.98.80
>
> What Google provides:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com. IN A
>
> ;; ANSWER SECTION:
> losscontrol360.com. 586 IN A 74.208.98.80
>
> ;; Query time: 174 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Aug 6 16:01:07 2014
> ;; MSG SIZE rcvd: 52




Apart from stupid SOA values, losscontrol360.com seems OK, and from your 
two examples here even proves that, if your customers don't see what 
your cache server does, they can't be using the same cache server as you 
showed here. What error does bind log when your customer looks it up?




Re: ISP caching server setup

2014-08-06 Thread Reindl Harald
interesting, that is indeed wrongly configured
http://www.intodns.com/losscontrol360.com

on the other hand all my recursive bind 9.9.4 nameservers
resolve it as well my homeserver which is using the caching
named on the office as forwarder

also the unbound instance running as caching server on
our mail-machine using the internal named as forwarders
has the same result

really interesting "dig NS" ends in a SERVFAIL everywhere
except Google (8.8.8.8) so from where do my named get
the responses at all

On 06.08.2014 at 22:03, Jared Empson wrote:
> I manage a small group of cache only servers for an ISP.  We run Bind 9.7
> and have noticed that several domains our customers would like to access
> are unavailable from our cache servers.  These same domains work on other
> provider networks such as Verizon or Google.
> 
> What I have found is that these domains all have misconfigured glue
> records.  This could be caused by a recent change of registrar or a
> misconfigured zone file pointing to NS records that no longer exist as
> glue records.  Because of this any query of a host from these domains
> receive a non-authoritative response and are dropped by our cache servers.
> 
> How do I configure the cache server to accept the non-authoritative
> response to provide our customers access to these domains without
> forwarding to Google's caching servers?
> 
> An example domain is losscontrol360.com.
> What our customers receive:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;losscontrol360.com.  IN  A
> 
> ;; Query time: 1380 msec
> ;; SERVER: 10.100.2.11#53(10.100.2.11)
> ;; WHEN: Wed Aug  6 16:00:55 2014
> ;; MSG SIZE  rcvd: 36
> 
> What our cache server receives:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280
> ;; QUESTION SECTION:
> ;losscontrol360.com.  IN  A
> 
> ;; ANSWER SECTION:
> losscontrol360.com.  173 IN  A   74.208.98.80
> 
> What Google provides:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;losscontrol360.com.  IN  A
> 
> ;; ANSWER SECTION:
> losscontrol360.com.  586 IN  A   74.208.98.80
> 
> ;; Query time: 174 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Aug  6 16:01:07 2014
> ;; MSG SIZE  rcvd: 52




ISP caching server setup

2014-08-06 Thread Jared Empson
I manage a small group of cache only servers for an ISP.  We run Bind 9.7 and 
have noticed that several domains our customers would like to access are 
unavailable from our cache servers.  These same domains work on other provider 
networks such as Verizon or Google.  

What I have found is that these domains all have misconfigured glue records.  
This could be caused by a recent change of registrar or a misconfigured zone 
file pointing to NS records that no longer exist as glue records.  Because of 
this any query of a host from these domains receive a non-authoritative 
response and are dropped by our cache servers.

How do I configure the cache server to accept the non-authoritative response to 
provide our customers access to these domains without forwarding to Google’s 
caching servers?

An example domain is losscontrol360.com.  
What our customers receive:
; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;losscontrol360.com.  IN  A

;; Query time: 1380 msec
;; SERVER: 10.100.2.11#53(10.100.2.11)
;; WHEN: Wed Aug  6 16:00:55 2014
;; MSG SIZE  rcvd: 36

What our cache server receives:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;losscontrol360.com.  IN  A

;; ANSWER SECTION:
losscontrol360.com. 173 IN  A   74.208.98.80

What Google provides:
; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;losscontrol360.com.  IN  A

;; ANSWER SECTION:
losscontrol360.com. 586 IN  A   74.208.98.80

;; Query time: 174 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug  6 16:01:07 2014
;; MSG SIZE  rcvd: 52

Jared Empson
Systems Administrator
Zito Media





Re: running named built with --enable-native-pkcs11 without HSM provider library

2014-08-06 Thread Evan Hunt
On Wed, Aug 06, 2014 at 02:02:33PM -0400, Tomas Hozza wrote:
> As far as I understand, without native-pkcs11 OpenSSL is used for crypto
> operations if the provided PKCS#11 library did not support some operation, or
> if the PKCS#11 provider library was not provided/was not available at all.
> 
> With native-pkcs11 the PKCS#11 provider library has to be provided
> and available all the time. I'm interested if there is any chance to
> fall-back to OpenSSL in that case OR specify OpenSSL as provider library
> (however preferably without the needed patch) during the build and if needed,
> specify e.g. the SoftHSMv2 provider library on the command line using '-E'
> during the runtime.

There are currently three possible ways to provide crypto in BIND.

- Link with OpenSSL (this is the default).

- PKCS#11 via patched OpenSSL.  This requires an alternate version of
  OpenSSL that originated as part of the OpenSolaris project (which is
  no more).  The patches were never accepted upstream by the OpenSSL
  maintainers, so ISC has been supporting them: they're included with
  the BIND source.

  In this model, BIND calls crypto functions in OpenSSL as usual, but
  OpenSSL passes along some of the requests as PKCS#11 primitives to an
  HSM instead of handling them itself.  Functions not provided by the HSM
  are handled by OpenSSL.

  This works with several HSMs, but it's complex, difficult to debug,
  and cumbersome to have to use a nonstandard OpenSSL.  Also, frankly
  we'd prefer not to have to maintain the patches forever, so we're
  hoping to deprecate this model in time.

- Native PKCS#11, introduced in BIND 9.10.  In this model, BIND speaks
  directly to a PKCS#11 provider; OpenSSL isn't in the picture at all.

  For it to work, we need the provider to have a *full* implementation of
  the PKCS#11 API, because the provider needs to serve *all* of BIND's
  cryptographic needs -- not just signing but also validation, hashing,
  random number generation, etc.  Currently I only know of two PKCS#11
  providers that work:  Thales, and SoftHSMv2.

  There isn't currently any mechanism to have BIND switch back and forth
  between providers.  You can use the -E option to select a provider
  at runtime, but there's no way to alter that selection except to
  restart the server.  That's what the "shim" I mentioned would be for.

  Unfortunately, I can't tell you anything about when such a thing is
  likely to get written; we've got a lot of other tasks lined up
  ahead of it, and not enough pairs of hands.  Contributed code or
  offers of sponsorship would be lovely.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


RE: Metazones or Something Else?

2014-08-06 Thread John Anderson
> 
> Personally I'd like to extend UPDATE
> 
>   allow-addzone { acl; };  
>   allow-delzone { acl; };
> e.g.
>   nsupdate
>   new zone
>   server address [port]
>   key name:secret
>   [masters ]
>   [allow-query ]
>   [allow-transfer ]
>   [allow-update ]
>   [conf text]
>   [conf text]
>   [conf text]
>   [zone data for master]
>   send
> 
>   nsupdate
>   del zone
>   key name:secret
>   send
> 
> Where "new" is a EDNS options which optionally has master addresses / names
> allow-query is a EDNS acl option of subtype query [default any; if missing]
> allow-transfer is a EDNS acl option of subtype transfer [default any; if missing]
> allow-update is a EDNS acl option of subtype update [default none; if missing]
> conf is a EDNS which contains other configuration data for a zone
> 
> Mark
> 
> In message <20140805164053.ga11...@fantomas.sk>, Matus UHLAR - fantomas 
> writes:
> > On 05.08.14 11:43, Brian Cuttler wrote:
> > >The slave trusts the master, for zone files, but creating a new 
> > >zone?
> > 
> > hmmm, when a meta-zone is signed by trusted key, why not? :-) using 
> > notifies and IXFR would be even more great...

This looks very interesting, and would likely do the trick. While waiting to
see what is incorporated into named, I'm going to attempt to implement metazone
as originally described by P. Vixie. We are using NicTool's API to translate
SOAP requests into persistent SQL, and then NicTool's scripts will convert the
information in the SQL database into named-compatible zone files.

I'm going to attach some triggers at the SQL level, so when the API creates a
new "zone" entry in the SQL table, that zone entry will get inserted as a
record in the "metazone" entry in the SQL tables. So when the scripts
compile the SQL into zone files, a metazone file will be created as Vixie's
white-paper describes. Then I'll likely use Python or Perl to convert the
information in the metazone to named.conf fragments and HUP named. The
conversion will take place based on inotify events.

So in short, NicTool will convert SQL to named.conf master and zone files.
One of those zone files will be in the metazone format. NicTool will export
these files to the stealth master DNS servers. Each slave will be manually
configured to sync/allow-update of the metazone. So the metazone information
will be transmitted to each slave via DNS IXFR, in-band. Once the metazone is
XFR'd to each slave, and written to disk, an inotify event will trigger a
script which will read in the metazone file, and generate stub configuration
in something like /etc/named.conf.d/*.conf files, and it will finish by
sending a HUP to named. After reloading, named on the slaves will have
knowledge of the new zones created on the masters, and will initiate an AXFR
of those zones.

I'll be more than happy to share my work and architecture when I'm done.

John A.
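
The slave-side conversion step described in the message above (metazone file to named.conf fragments), as an added example that is not part of the message, NicTool, or BIND. It assumes a simplified, constructed layout of one PTR record per member zone (not necessarily the format in Vixie's paper), a locally configured masters list, and a local set of protected zones that metazone data may never touch; all function names are hypothetical.

```python
import re

# Assumption: member zones must be plain LDH (plus underscore) labels, so a
# name can never close a quote or a block in the generated named.conf text.
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")

# Constructed sample metazone contents (not taken from the thread).
SAMPLE = """\
; constructed metazone
zones.meta.example. 300 IN SOA ns1.meta.example. host.meta.example. 1 3600 600 86400 300
zones.meta.example. 300 IN PTR example.com.
zones.meta.example. 300 IN PTR Example.ORG.
zones.meta.example. 300 IN PTR campus.example.
zones.meta.example. 300 IN PTR bad"name.example.
"""

def valid_zone(name):
    """Accept only absolute names: at most 253 characters plus the root dot."""
    if not name.endswith(".") or len(name) > 254:
        return False
    return all(LABEL.fullmatch(label) for label in name[:-1].split("."))

def member_zones(metazone_text):
    """Yield lower-cased targets of PTR records; skip comments and other types."""
    for line in metazone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "PTR":
            yield fields[4].lower()

def render_fragments(metazone_text, masters, protected):
    """Return (config_text, rejected_names) for the zones this slave may add."""
    stanzas, rejected, seen = [], [], set()
    for zone in member_zones(metazone_text):
        # Refuse malformed names, duplicates, and zones mastered locally.
        if not valid_zone(zone) or zone in protected or zone in seen:
            rejected.append(zone)
            continue
        seen.add(zone)
        stanzas.append(
            'zone "%s" {\n\ttype slave;\n\tmasters { %s; };\n\tfile "slaves/%s.db";\n};\n'
            % (zone[:-1], "; ".join(masters), zone[:-1]))
    return "".join(stanzas), rejected

if __name__ == "__main__":
    conf, rejected = render_fragments(SAMPLE, ["192.0.2.1"], {"campus.example."})
    print(conf)
    print("rejected:", rejected)
```

Writing the result to a temporary file, running `named-checkconf` on it, and only then moving it into place and signalling named keeps a bad metazone transfer from breaking the running configuration.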


Re: running named built with --enable-native-pkcs11 without HSM provider library

2014-08-06 Thread Tomas Hozza
- Original Message -
> On Wed, Aug 06, 2014 at 05:14:53PM +0100, Tony Finch wrote:
> > > Right now it is not possible, and when named is built with
> > > --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> > > provider library.
> > 
> > Would using SoftHSM solve your problem?
> > 
> > http://www.opendnssec.org/softhsm/
> > http://ftp.isc.org/isc/bind9/9.10.0-P2/doc/arm/Bv9ARM.ch04.html#id2666009
> 
> SoftHSM version 1 doesn't supply enough of the PKCS#11 API to meet all
> of BIND's crypto needs, but SoftHSMv2 works beautifully.  Last I checked,
> version 2 hadn't been formally released yet, but it can be cloned from
> github: https://github.com/opendnssec/SoftHSMv2.
> 
> The way things are currently set up, BIND can only drive one PKCS#11
> provider library at a time.  You build with a default provider, and it
> can be overridden via a command line option, but that's a little
> cumbersome.

As far as I understand, without native-pkcs11 OpenSSL is used for crypto
operations if the provided PKCS#11 library did not support some operation, or
if the PKCS#11 provider library was not provided/was not available at all.

With native-pkcs11 the PKCS#11 provider library has to be provided
and available all the time. I'm interested if there is any chance to
fall-back to OpenSSL in that case OR specify OpenSSL as provider library
(however preferably without the needed patch) during the build and if needed,
specify e.g. the SoftHSMv2 provider library on the command line using '-E'
during the runtime.

> I've been thinking about using a "shim" provider that would pass along
> PKCS#11 primitives to a "back-end" according to context, so you could
> switch seamlessly between providers -- that might be useful, for example,
> if you wanted to use a proper HSM for your KSK, but SoftHSM for the ZSK
> because it's faster.  It might also enable us to drive an HSM that didn't
> have a complete PKCS#11 implementation, using SoftHSM to fill in the
> functional gaps.  Haven't done any work on it, though.

It sounds like it would solve the use-case I described.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com


Re: running named built with --enable-native-pkcs11 without HSM provider library

2014-08-06 Thread Tomas Hozza
- Original Message -
> Tomas Hozza  wrote:
> 
> > Right now it is not possible, and when named is built with
> > --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> > provider library.
> 
> Would using SoftHSM solve your problem?

No. We don't want to install SoftHSM by default, only if explicitly chosen
by the user. Basically we want to enable the user to use native-pkcs11 with
SoftHSM if needed. However, by default, have named running without it.

> http://www.opendnssec.org/softhsm/
> http://ftp.isc.org/isc/bind9/9.10.0-P2/doc/arm/Bv9ARM.ch04.html#id2666009

Yeah, I read the ARM PKCS#11 section, that's why I think it is not possible.
However I wanted to hear some opinions from named guys.

Thanks.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com


Re: running named built with --enable-native-pkcs11 without HSM provider library

2014-08-06 Thread Evan Hunt
On Wed, Aug 06, 2014 at 05:14:53PM +0100, Tony Finch wrote:
> > Right now it is not possible, and when named is built with
> > --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> > provider library.
> 
> Would using SoftHSM solve your problem?
> 
> http://www.opendnssec.org/softhsm/
> http://ftp.isc.org/isc/bind9/9.10.0-P2/doc/arm/Bv9ARM.ch04.html#id2666009

SoftHSM version 1 doesn't supply enough of the PKCS#11 API to meet all
of BIND's crypto needs, but SoftHSMv2 works beautifully.  Last I checked,
version 2 hadn't been formally released yet, but it can be cloned from
github: https://github.com/opendnssec/SoftHSMv2.

The way things are currently set up, BIND can only drive one PKCS#11
provider library at a time.  You build with a default provider, and it
can be overridden via a command line option, but that's a little
cumbersome.

I've been thinking about using a "shim" provider that would pass along
PKCS#11 primitives to a "back-end" according to context, so you could
switch seamlessly between providers -- that might be useful, for example,
if you wanted to use a proper HSM for your KSK, but SoftHSM for the ZSK
because it's faster.  It might also enable us to drive an HSM that didn't
have a complete PKCS#11 implementation, using SoftHSM to fill in the
functional gaps.  Haven't done any work on it, though.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: running named built with --enable-native-pkcs11 without HSM provider library

2014-08-06 Thread Tony Finch
Tomas Hozza  wrote:

> Right now it is not possible, and when named is built with
> --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> provider library.

Would using SoftHSM solve your problem?

http://www.opendnssec.org/softhsm/
http://ftp.isc.org/isc/bind9/9.10.0-P2/doc/arm/Bv9ARM.ch04.html#id2666009

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Irish Sea: West or southwest, veering northwest for a time, 4 or 5,
occasionally 6 at first. Slight or moderate. Showers. Moderate or good.


running named built with --enable-native-pkcs11 without HSM provider library

2014-08-06 Thread Tomas Hozza
Hello.

I'm trying to figure out how named can be built with --enable-native-pkcs11
and run without the PKCS#11 provider library.

Our use-case is that given how OpenSSL does not support PKCS#11 properly,
we would like to use the native-pkcs11 if using some HSM, but by default
run named without the need to have HSM. In case not having HSM, use OpenSSL
for example.

Right now it is not possible, and when named is built with
--enable-native-pkcs11 it can not run without HSM and some PKCS#11
provider library.

Would it be possible to make named operate in the manner described in the
previous section?

Thanks in advance.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com


Re: Metazones or Something Else?

2014-08-06 Thread Brian Cuttler

Mark,

That looks like a nice format for it.

I'd still like to see named.conf mark some zones as
uneditable via rndc, just in case I want to allow a
peer institution to add/remove zone where I'm the
secondary, I want some mechanism to prevent them from
accidentally deleting zones I'm actually the master of.

Perhaps as 'simple' as having different zones fall under
different management keys? Is that possible? My zones
protected by a different management key than the zones that
my colleges use?

Albany.edu may provide DNS secondary for RPI.edu, but they
certainly don't want RPI to edit the wrong zones file.

On Wed, Aug 06, 2014 at 09:35:00AM +1000, Mark Andrews wrote:
> 
> Personally I'd like to extend UPDATE
> 
>   allow-addzone { acl; };  
>   allow-delzone { acl; };
> e.g.
>   nsupdate
>   new zone
>   server address [port]
>   key name:secret
>   [masters ]
>   [allow-query ]
>   [allow-transfer ]
>   [allow-update ]
>   [conf text]
>   [conf text]
>   [conf text]
>   [zone data for master]
>   send
> 
>   nsupdate
>   del zone
>   key name:secret
>   send
> 
> Where "new" is a EDNS options which optionally has master addresses / names
> allow-query is a EDNS acl option of subtype query [default any; if missing]
> allow-transfer is a EDNS acl option of subtype transfer [default any; if missing]
> allow-update is a EDNS acl option of subtype update [default none; if missing]
> conf is a EDNS which contains other configuration data for a zone
> 
> Mark
> 
> In message <20140805164053.ga11...@fantomas.sk>, Matus UHLAR - fantomas 
> writes:
> > On 05.08.14 11:43, Brian Cuttler wrote:
> > >The slave trusts the master, for zone files, but creating
> > >a new zone?
> > 
> > hmmm, when a meta-zone is signed by trusted key, why not? :-)
> > using notifies and IXFR would be even more great...
> > 
> > -- 
> > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> > You have the right to remain silent. Anything you say will be misquoted,
> > then used against you. 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
---
   Brian R Cuttler                 brian.cutt...@wadsworth.org
   Computer Systems Support        (v) 518 486-1697
   Wadsworth Center                (f) 518 473-6384
   NYS Department of Health        Help Desk 518 473-0773
