Re: file descriptor exceeds limit

2015-06-19 Thread Mike Hoskins (michoski)
On 6/19/15, 4:07 PM, "bind-users-boun...@lists.isc.org on behalf of
/dev/rob0" 
wrote:


>On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:
>> On Thu, Jun 18, 2015 at 11:11:16PM +,
>>Mike Hoskins (michoski) wrote:
>snip
>> Note that connection tracking can be a problem upstream as well,
>> for the same reasons as described in the article.  I would still
>> turn off conntrack for UDP DNS upstream, unless you're using DNAT
>> (yuck.)
>
>Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're
>using Linux on your upstream routers. :)
>
>The same idea applies regardless of implementation, of course.


Quite alright...  In past lives yes, and perhaps even internally at times
(more often OpenBSD and pf)...though I won't admit that.  ;-D

Regardless, all input is welcome.  I'll check out the KB article.  I have
sat for hours with the network team making sure "their" gear isn't
touching "my" DNS packets in any perverted ways, but it's always good to
triple check.

Thanks!

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: file descriptor exceeds limit

2015-06-19 Thread /dev/rob0
On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:
> On Thu, Jun 18, 2015 at 11:11:16PM +,
>Mike Hoskins (michoski) wrote:
snip
> Note that connection tracking can be a problem upstream as well, 
> for the same reasons as described in the article.  I would still 
> turn off conntrack for UDP DNS upstream, unless you're using DNAT 
> (yuck.)

Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're 
using Linux on your upstream routers. :)

The same idea applies regardless of implementation, of course.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: file descriptor exceeds limit

2015-06-19 Thread /dev/rob0
On Thu, Jun 18, 2015 at 11:11:16PM +,
   Mike Hoskins (michoski) wrote:
> On 6/18/15, 7:09 PM, "Stuart Browne" 
>  wrote:
> 
> >Just wondering.  You mention you're using RHEL6; are you also 
> >getting messages in 'dmesg' about connection tracking tables being 
> >full?  You may need some 'NOTRACK' rules in your iptables.
> 
> Just following along, for the record...  On our side, iptables
> is completely disabled.  We do that sort of thing upstream on 
> dedicated firewalls.

There is a Knowledge Base article about this:
https://kb.isc.org/article/AA-01183/

Note that connection tracking can be a problem upstream as well, for 
the same reasons as described in the article.  I would still turn off 
conntrack for UDP DNS upstream, unless you're using DNAT (yuck.)

> Just now getting time to reply to Cathy...more detail on that
> there.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: file descriptor exceeds limit

2015-06-19 Thread Mike Hoskins (michoski)
On 6/19/15, 1:16 PM, "bind-users-boun...@lists.isc.org on behalf of Reindl
Harald"  wrote:


>On 19.06.2015 at 18:44 Mike Hoskins (michoski) wrote:
>> I suppose the only way to avoid any "intermediate" firewalls would be to
>> place everything you run on a LAN segment hanging directly off your
>> router/Internet drop with host based firewalls
>
>well, if the router is from Cisco and has NAT enabled there are DNS
>ALGs breaking zone-transfers in several ways; been there, done that,
>until forcing the ISP to never ever ship a default Cisco device to us


Over the years I've learned that trusting defaults is rarely sane,
regardless of vendor.

Having been involved in many discussions related to this sort of
thing...I've sadly also learned that, much like BCP38, things which seem
"simple" to fix from the outside often aren't.  :-)



Re: "#service named restart" fails with a weird message

2015-06-19 Thread John Miller
Semicolons!  You need one for the second ip range in your list, and you
need one after the zone file for your localhost zone.  The error message
really does tell you what you need in this case ;-)  The config you pasted
only has nine lines, so I'm assuming that the last error really is on line
8/9 and something got lost in posting to the list.

John

On Fri, Jun 19, 2015 at 2:12 PM, Samad Agha 
wrote:

> Hey Gurus,
> When I try to restart named, it fails with the following message:
>
> [root@new-dns2 ~]# service named restart
> Stopping named:[  OK  ]
> Starting named:
> Error in named configuration:
> /etc/named.conf:3: missing ';' before '}'
> /etc/named.conf:11: missing ';' before '}'
>[FAILED]
> [root@new-dns2 ~]#
>
> And here is what my simple named.conf looks like:
>
> [root@new-dns2 ~]# cat /etc/named.conf
> options {
>  directory "/var/named";
> allow-recursion {207.151.36.0/24; 206.117.117.0/24};
>  };
>
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "db.127.0.0"
> };
> [root@new-dns2 ~]#
>
> What am I doing wrong? Can you please assist?
>
> Many thanks in advance and have a nice day.
>

Re: "#service named restart" fails with a weird message

2015-06-19 Thread Jeremy C. Reed
On Fri, 19 Jun 2015, Samad Agha wrote:

> Error in named configuration:
> /etc/named.conf:3: missing ';' before '}'

Look on line 3

> /etc/named.conf:11: missing ';' before '}'

Look on line 11

> options {
>  directory "/var/named";
>     allow-recursion {207.151.36.0/24; 206.117.117.0/24};

Add a semicolon before the } to end the list of networks.

>  };
>  
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "db.127.0.0"

Add missing semicolon at the end of that line.

> };
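As an added example (not code from the thread or from BIND), a small Python checker that reproduces the two diagnostics John and Jeremy point at: it scans a named.conf and reports every `}` that is not preceded by a `;`, ignoring braces inside quoted strings and comments and accepting an empty `{ }`. The sample config is constructed from Samad's post, padded with three blank lines so the second error lands on line 11 as named reported; in practice `named-checkconf` is the tool to run before a restart.

```python
# Constructed copy of the named.conf from the post. Three blank lines were
# inserted after the options block so the zone's closing brace is on line 11,
# matching named's second error (the copy on the list showed only 9 lines).
SAMPLE_CONF = """options {
 directory "/var/named";
allow-recursion {207.151.36.0/24; 206.117.117.0/24};
 };



zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0"
};
"""

def missing_semicolons(text):
    """Return the line number of every '}' whose preceding statement lacks ';'.

    Quoted strings and //, # and /* */ comments are skipped so braces inside
    them are ignored; '{ }' (an empty list) is accepted as named accepts it.
    """
    errors, prev, i, line, n = [], None, 0, 1, len(text)
    while i < n:
        c = text[i]
        if c == "\n":
            line += 1
            i += 1
        elif c.isspace():
            i += 1
        elif c == '"':                                  # quoted string
            j = text.find('"', i + 1)
            i = n if j < 0 else j + 1
            prev = "x"
        elif c == "#" or text.startswith("//", i):      # comment to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):                  # block comment
            j = text.find("*/", i + 2)
            j = n - 2 if j < 0 else j
            line += text.count("\n", i, j)
            i = j + 2
        elif c == "}":
            if prev not in (";", "{"):                  # named: missing ';' before '}'
                errors.append(line)
            prev = "}"
            i += 1
        else:
            prev = c if c in ";{" else "x"               # any other token text
            i += 1
    return errors

def report(text, path="/etc/named.conf"):
    """Format findings the way named prints them in the post."""
    return [f"{path}:{ln}: missing ';' before '}}'" for ln in missing_semicolons(text)]
```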

"#service named restart" fails with a weird message

2015-06-19 Thread Samad Agha
Hey Gurus,
When I try to restart named, it fails with the following message:

[root@new-dns2 ~]# service named restart
Stopping named:[  OK  ]
Starting named:
Error in named configuration:
/etc/named.conf:3: missing ';' before '}'
/etc/named.conf:11: missing ';' before '}'
   [FAILED]
[root@new-dns2 ~]#

And here is what my simple named.conf looks like:

[root@new-dns2 ~]# cat /etc/named.conf
options {
 directory "/var/named";
allow-recursion {207.151.36.0/24; 206.117.117.0/24};
 };

zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0"
};
[root@new-dns2 ~]#

What am I doing wrong? Can you please assist?

Many thanks in advance and have a nice day.

Regards,
Samad Agha

Re: file descriptor exceeds limit

2015-06-19 Thread Reindl Harald
On 19.06.2015 at 18:44 Mike Hoskins (michoski) wrote:
> I suppose the only way to avoid any "intermediate" firewalls would be to
> place everything you run on a LAN segment hanging directly off your
> router/Internet drop with host based firewalls

well, if the router is from Cisco and has NAT enabled there are DNS
ALGs breaking zone-transfers in several ways; been there, done that,
until forcing the ISP to never ever ship a default Cisco device to us

Re: file descriptor exceeds limit

2015-06-19 Thread Mike Hoskins (michoski)
On 6/19/15, 5:07 AM, "bind-users-boun...@lists.isc.org on behalf of Matus
UHLAR - fantomas"  wrote:


>>On 6/18/15, 7:09 PM, "Stuart Browne" 
>>wrote:
>>>Just wondering.  You mention you're using RHEL6; are you also getting
>>>messages in 'dmesg' about connection tracking tables being full?  You
>>>may
>>>need some 'NOTRACK' rules in your iptables.
>
>On 18.06.15 23:11, Mike Hoskins (michoski) wrote:
>>Just following along, for the record...  On our side, iptables is
>>completely disabled.  We do that sort of thing upstream on dedicated
>>firewalls.  Just now getting time to reply to Cathy...more detail on that
>>there.
>
>aren't those firewalls overloaded?


Originally we found an older set that was, and replaced those...  but
currently no mix of metrics, logs, packet traces, etc imply this is the
case for the current network infra components I have access to.  Being
completely transparent here, because it's something everyone should
carefully consider...but certainly not always the culprit.

More than overloading, the larger issue I've worked through (repeatedly)
over the years are various "protocol fixups", "ALGs" and the like which
try to "secure" you but really break standard things like EDNS.  After
back/forth with our network team I've reached a state of nirvana where all
that stuff is disabled and external tests like OARC are happy.

I suppose the only way to avoid any "intermediate" firewalls would be to
place everything you run on a LAN segment hanging directly off your
router/Internet drop with host based firewalls.  I've used iptables, pf,
etc a lot over the years but always considered host based firewalls an
add-on (layers of security) vs supplement for other types of
filtering...even if I placed the caches in such a segment, I'd have
clients talking through various firewalls (quite a few of them) so it's
not easy to avoid in any sort of large org -- particularly those with
various business units acquired and bolted on over time.

The original post asked if this was some sort of limit on BIND's
capability...almost certainly not, and the way to validate that is lab
testing.  I've done that using resperf and nominum's query file.  It would
be great to have two query files, one with known responsive and one with
known aberrant zones.  This would be difficult to maintain of course...
but what I've seen with the default query file (a mix of good and bad from
what I verified) you can push BIND much further than the reported qps
earlier in this post or in our production environments.  In the real world
vs lab, there are obviously a lot more variables.  Some of these we can
eliminate (like the overloaded firewall or broken fixups), others we can
tune (our own named.conf), but some we must live with...  I'm just trying
to get more confidence what's observed is really the last case.  :-)

I'm most likely being too OCD here, because after all the tuning we've got
servfails down to a fraction of a percent over any given time interval.
I've been distracted with other things recently, but need to dig into the
logs and see if these are really just unresponsive or broken upstream
servers.



Re: dnssec validation issue

2015-06-19 Thread Carl Byington
On Fri, 2015-06-19 at 05:58 +, Eray Aslan wrote:
> With the root zone and most TLDs signed, I do not think it makes sense
> to use DLV anymore.  While a typical DNSSEC resolver configuration has
> DLV enabled, I personally make the effort to disable it.

I agree. My bind rpm packages now install the bind.keys file from the
isc tarball as /etc/named.bind.keys - rather than the older redhat
naming of /etc/named.iscdlv.key. That name was misleading anyway, since
the bind.keys file currently contains both the isc-dlv key, and the root
key.

My bind rpm packages have a default named.conf that now properly uses
"dnssec-validation auto;" to use the root key from that
/etc/named.bind.keys file. It contains a commented "// dnssec-lookaside
auto;", which if manually uncommented will use the dlv key from that
file.



Re: file descriptor exceeds limit

2015-06-19 Thread Matus UHLAR - fantomas
>On 6/18/15, 7:09 PM, "Stuart Browne" 
>wrote:
>>Just wondering.  You mention you're using RHEL6; are you also getting
>>messages in 'dmesg' about connection tracking tables being full?  You may
>>need some 'NOTRACK' rules in your iptables.

On 18.06.15 23:11, Mike Hoskins (michoski) wrote:
>Just following along, for the record...  On our side, iptables is
>completely disabled.  We do that sort of thing upstream on dedicated
>firewalls.  Just now getting time to reply to Cathy...more detail on that
>there.

aren't those firewalls overloaded?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete


Re: dnssec validation issue

2015-06-19 Thread Jaap Akkerhuis
 Eray Aslan writes:

 > On Thu, Jun 18, 2015 at 07:26:28PM -0700, Carl Byington wrote:
 > > On Fri, 2015-06-19 at 11:10 +1000, Mark Andrews wrote:
 > > > To use the keys in "/etc/named.iscdlv.key" set "dnssec-validation
 > > > auto;"
 > > New centos rpms at http://www.five-ten-sg.com/mapper/bind with a default
 > > named.conf that should actually work.
 > 
 > With the root zone and most TLDs signed, I do not think it makes sense
 > to use DLV anymore.  While a typical DNSSEC resolver configuration has
 > DLV enabled, I personally make the effort to disable it.

Furthermore, the whole dlv register is going to disappear in 2017
as announced at .

jaap