Re: Installing bind is not very clear for me
On 03.09.2015 at 23:16, Robert Moskowitz wrote:
> On 09/03/2015 05:02 PM, Reindl Harald wrote:
>> On 03.09.2015 at 22:59, Robert Moskowitz wrote:
>>> On 09/03/2015 04:35 PM, Leandro wrote:
>>>> Ok ... I got BIND 9.10.2-P3 working.
>>>> I compiled with
>>>>
>>>> ./configure --with-openssl --enable-threads --with-libxml2 --with-libjson
>>>> make
>>>> make install
>>>>
>>>> Json statistics channel is working and chroot is no longer mandatory.
>>>
>>> But do make sure you have selinux enforced. Or run behind multiple firewalls...
>>
>> behind *multiple firewalls* - ?!?! - oh come on and get serious instead promote snakeoil - typically BIND is *not* running as root and hence does not need any special handling compared to any other network service
>>
>> get rid of the horror stories from the 1990's..
>
> I dealt with customers that did suffer from island hopping attacks. Deep penetration. They had some systems not registered and vulnerable allowing what was thought safe to be stolen.

and 1000 firewalls in front doing all the same would not have changed anything, so just don't spread FUD and suggest anything gets better by throwing *random* undefined things in front of whatever service

> But I am done with that work

hopefully

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Installing bind is not very clear for me
On 09/03/2015 05:02 PM, Reindl Harald wrote:
> On 03.09.2015 at 22:59, Robert Moskowitz wrote:
>> On 09/03/2015 04:35 PM, Leandro wrote:
>>> Ok ... I got BIND 9.10.2-P3 working.
>>> I compiled with
>>>
>>> ./configure --with-openssl --enable-threads --with-libxml2 --with-libjson
>>> make
>>> make install
>>>
>>> Json statistics channel is working and chroot is no longer mandatory.
>>
>> But do make sure you have selinux enforced. Or run behind multiple firewalls...
>
> behind *multiple firewalls* - ?!?! - oh come on and get serious instead promote snakeoil - typically BIND is *not* running as root and hence does not need any special handling compared to any other network service
>
> get rid of the horror stories from the 1990's..

I dealt with customers that did suffer from island hopping attacks. Deep penetration. They had some systems not registered and vulnerable allowing what was thought safe to be stolen.

But I am done with that work.
Re: Installing bind is not very clear for me
On 03.09.2015 at 22:59, Robert Moskowitz wrote:
> On 09/03/2015 04:35 PM, Leandro wrote:
>> Ok ... I got BIND 9.10.2-P3 working.
>> I compiled with
>>
>> ./configure --with-openssl --enable-threads --with-libxml2 --with-libjson
>> make
>> make install
>>
>> Json statistics channel is working and chroot is no longer mandatory.
>
> But do make sure you have selinux enforced. Or run behind multiple firewalls...

behind *multiple firewalls* - ?!?! - oh come on and get serious instead promote snakeoil - typically BIND is *not* running as root and hence does not need any special handling compared to any other network service

get rid of the horror stories from the 1990's..
Re: Installing bind is not very clear for me
On 09/03/2015 04:35 PM, Leandro wrote:
> Ok ... I got BIND 9.10.2-P3 working.
> I compiled with
>
> ./configure --with-openssl --enable-threads --with-libxml2 --with-libjson
> make
> make install
>
> Json statistics channel is working and chroot is no longer mandatory.

But do make sure you have selinux enforced. Or run behind multiple firewalls...

> I'm happy.
> Thanks!
> Leandro.
>
> On 03/09/15 15:47, Mike Hoskins (michoski) wrote:
>> Few points for clarification:
>>
>> With rhel/centos you're not getting the major version as reported. You need to look at the changelog for the package to see what fixes/features have been backported. That effort including associated QA is part of what you're paying for with rhel or getting for free as part of centos.
>>
>> If you need to build your own, there are community srpms for that so you don't have to start from scratch.
>>
>> http://www.five-ten-sg.com/mapper/bind
>>
>> ISC themselves has moved away from chroot as an absolute best practice. Critically think if it really makes sense for you.
>>
>> https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html
>>
>> On 9/3/15, 2:40 PM, "bind-users-boun...@lists.isc.org on behalf of Robert Moskowitz" wrote:
>
> Ok
>
>>> On 09/03/2015 01:45 PM, Leandro wrote:
>>>> Dear All:
>>>> While installing bind still have not clear some issues:
>>>> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>>>>
>>>> My final goal is to get an updated and stable version and also use json format for the statistics channel.
>>>>
>>>> 1) Some bind users recommended to get at least a 9.10 release but:
>>>> Using yum and repos, found that 9.8 is available for Centos 6.6.
>>>> Also, Centos recommends not to build from source when possible.
>>>>
>>>> 2) Building bind 9.10 from source is not complicated but:
>>>> Could not install on chroot.
>>>> Could not get the json or xml statistics, only html.
>>>
>>> If you need 9.10 for json, and you want to stay with Centos, you WILL be doing your own builds. I am working with C7 and it is 'only' 9.9.4 (or at least that is what dig is reporting).
>>>
>>> There are a lot of fun debates that if you are using selinux on Centos, you do not need chroot. In fact chroot introduces its own set of challenges. I tend to believe this, though it was years ago that I went through the arguments.
>>>
>>> There are people on the Centos list that build their own bind. Ask over there.
>>>
>>>> Any ideas?
>>>> Is possible to update / add my repos to install a recent version with json support and chrooted with:
>>>> If not, is it possible to build from source in chrooted environment?
>>>> Any doc?
>>>>
>>>> btw: Server is not in production yet.
>>>>
>>>> Thanks!!
>>>> Leandro.
Re: Installing bind is not very clear for me
Ok ... I got BIND 9.10.2-P3 working.
I compiled with

./configure --with-openssl --enable-threads --with-libxml2 --with-libjson
make
make install

Json statistics channel is working and chroot is no longer mandatory.
I'm happy.
Thanks!
Leandro.

On 03/09/15 15:47, Mike Hoskins (michoski) wrote:
> Few points for clarification:
>
> With rhel/centos you're not getting the major version as reported. You need to look at the changelog for the package to see what fixes/features have been backported. That effort including associated QA is part of what you're paying for with rhel or getting for free as part of centos.
>
> If you need to build your own, there are community srpms for that so you don't have to start from scratch.
>
> http://www.five-ten-sg.com/mapper/bind
>
> ISC themselves has moved away from chroot as an absolute best practice. Critically think if it really makes sense for you.
>
> https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html
>
> On 9/3/15, 2:40 PM, "bind-users-boun...@lists.isc.org on behalf of Robert Moskowitz" wrote:

Ok

>> On 09/03/2015 01:45 PM, Leandro wrote:
>>> Dear All:
>>> While installing bind still have not clear some issues:
>>> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>>>
>>> My final goal is to get an updated and stable version and also use json format for the statistics channel.
>>>
>>> 1) Some bind users recommended to get at least a 9.10 release but:
>>> Using yum and repos, found that 9.8 is available for Centos 6.6.
>>> Also, Centos recommends not to build from source when possible.
>>>
>>> 2) Building bind 9.10 from source is not complicated but:
>>> Could not install on chroot.
>>> Could not get the json or xml statistics, only html.
>>
>> If you need 9.10 for json, and you want to stay with Centos, you WILL be doing your own builds. I am working with C7 and it is 'only' 9.9.4 (or at least that is what dig is reporting).
>>
>> There are a lot of fun debates that if you are using selinux on Centos, you do not need chroot. In fact chroot introduces its own set of challenges. I tend to believe this, though it was years ago that I went through the arguments.
>>
>> There are people on the Centos list that build their own bind. Ask over there.
>>
>>> Any ideas?
>>> Is possible to update / add my repos to install a recent version with json support and chrooted with:
>>> If not, is it possible to build from source in chrooted environment?
>>> Any doc?
>>>
>>> btw: Server is not in production yet.
>>>
>>> Thanks!!
>>> Leandro.
Re: Split horizon and some problems on sec.
Marek Kozlowski wrote:
>
> But it's rather annoying. I have over 50 "common" zones and only six
> "private" and "public" ones. How can I implement split horizon for just
> a few zones and consider other ones as "common"?

Write a script that takes the real include file containing slave declarations for the common zones, and emits another include file containing in-view declarations.

My version parses the output of named-checkconf -p (which pretty-prints named's configuration):

https://gist.github.com/fanf2/9b55be70da32a1eefcb8

Tony.
--
f.anthony.n.finch http://dotat.at/
Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or moderate, but rough in southwest Viking. Showers later. Good, occasionally poor later.
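The approach suggested in the reply above, as an added example (this is not the linked gist and not code from the thread): it reads the include file with the real declarations of the common zones and renders the second include file with `in-view` references. The sample configuration, the view name `private` and the function names are assumptions made for the illustration; only top-level `zone` statements are considered, and zone names outside a plain DNS character set are rejected instead of being written into the generated file.

```python
import re

# Constructed sample: the include file holding the slave declarations of the
# "common" zones, as included in the first view (assumed to be "private").
SAMPLE_INCLUDE = '''
zone "example.org" {
    type slave;
    file "slave/example.org";   // a comment with { braces } is ignored
    masters { 192.0.2.1; };
};
zone "2.0.192.in-addr.arpa" IN {
    type slave;
    file "slave/192.0.2";
    masters { 192.0.2.1; };
};
/* zone "retired.example" { type slave; }; */
'''

# named.conf lexical elements: comments, quoted strings, punctuation, words.
TOKEN = re.compile(r'''
    (?P<comment> /\*.*?\*/ | //[^\n]* | \#[^\n]* )
  | (?P<string>  "(?:[^"\\]|\\.)*" )
  | (?P<punct>   [{};] )
  | (?P<word>    [^\s{};"]+ )
''', re.S | re.X)

# Characters accepted in a zone or view name before it is written back out.
VALID_NAME = re.compile(r'[A-Za-z0-9._/-]+')


def tokens(text):
    """Yield (kind, value) pairs for named.conf text, dropping comments."""
    for m in TOKEN.finditer(text):
        if m.lastgroup != "comment":
            yield m.lastgroup, m.group()


def zone_names(text):
    """Return the names of the top-level zone statements, in file order."""
    names, depth, at_start, expect_name = [], 0, True, False
    for kind, value in tokens(text):
        if expect_name:
            if kind not in ("string", "word"):
                raise ValueError("zone keyword without a zone name")
            name = value[1:-1] if kind == "string" else value
            if not VALID_NAME.fullmatch(name):
                raise ValueError(f"refusing unusual zone name {name!r}")
            if name.lower() in (n.lower() for n in names):
                raise ValueError(f"zone {name!r} declared twice")
            names.append(name)
            expect_name = False
        elif kind == "punct":
            depth += {"{": 1, "}": -1}.get(value, 0)
            if depth < 0:
                raise ValueError("unbalanced braces")
        elif kind == "word" and value == "zone" and depth == 0 and at_start:
            expect_name = True
        # A new statement starts only after a ';' at brace depth 0.
        at_start = kind == "punct" and value == ";" and depth == 0
    if depth != 0 or expect_name:
        raise ValueError("truncated configuration")
    return names


def in_view_include(text, source_view):
    """Render the include file for the view that reuses source_view's zones."""
    if not VALID_NAME.fullmatch(source_view):
        raise ValueError(f"refusing unusual view name {source_view!r}")
    return "".join(
        f'zone "{name}" {{ in-view "{source_view}"; }};\n'
        for name in zone_names(text)
    )


if __name__ == "__main__":
    print(in_view_include(SAMPLE_INCLUDE, "private"), end="")
```

The view that includes the real declarations has to be defined before the view that includes the generated file, because an `in-view` reference must point at an already defined view. The few split zones keep their own per-view declarations outside both include files.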
Re: Installing bind is not very clear for me
Few points for clarification:

With rhel/centos you're not getting the major version as reported. You need to look at the changelog for the package to see what fixes/features have been backported. That effort including associated QA is part of what you're paying for with rhel or getting for free as part of centos.

If you need to build your own, there are community srpms for that so you don't have to start from scratch.

http://www.five-ten-sg.com/mapper/bind

ISC themselves has moved away from chroot as an absolute best practice. Critically think if it really makes sense for you.

https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html

On 9/3/15, 2:40 PM, "bind-users-boun...@lists.isc.org on behalf of Robert Moskowitz" wrote:

>
>
> On 09/03/2015 01:45 PM, Leandro wrote:
>> Dear All:
>> While installing bind still have not clear some issues:
>> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>>
>> My final goal is to get an updated and stable version and also use
>> json format for the statistics channel.
>>
>> 1) Some bind users recommended to get at least a 9.10 release but:
>> Using yum and repos, found that 9.8 is available for Centos 6.6.
>> Also, Centos recommends not to build from source when possible.
>>
>> 2) Building bind 9.10 from source is not complicated but:
>> Could not install on chroot.
>> Could not get the json or xml statistics, only html.
>
> If you need 9.10 for json, and you want to stay with Centos, you WILL be
> doing your own builds. I am working with C7 and it is 'only' 9.9.4 (or
> at least that is what dig is reporting).
>
> There are a lot of fun debates that if you are using selinux on Centos,
> you do not need chroot. In fact chroot introduces its own set of
> challenges. I tend to believe this, though it was years ago that I went
> through the arguments.
>
> There are people on the Centos list that build their own bind. Ask over
> there.
>
>>
>>
>> Any ideas?
>> Is possible to update / add my repos to install a recent version with
>> json support and chrooted with:
>> If not, is it possible to build from source in chrooted environment?
>> Any doc?
>>
>> btw: Server is not in production yet.
>>
>> Thanks!!
>> Leandro.
Re: Installing bind is not very clear for me
On 09/03/2015 01:45 PM, Leandro wrote:
> Dear All:
> While installing bind still have not clear some issues:
> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>
> My final goal is to get an updated and stable version and also use json format for the statistics channel.
>
> 1) Some bind users recommended to get at least a 9.10 release but:
> Using yum and repos, found that 9.8 is available for Centos 6.6.
> Also, Centos recommends not to build from source when possible.
>
> 2) Building bind 9.10 from source is not complicated but:
> Could not install on chroot.
> Could not get the json or xml statistics, only html.

If you need 9.10 for json, and you want to stay with Centos, you WILL be doing your own builds. I am working with C7 and it is 'only' 9.9.4 (or at least that is what dig is reporting).

There are a lot of fun debates that if you are using selinux on Centos, you do not need chroot. In fact chroot introduces its own set of challenges. I tend to believe this, though it was years ago that I went through the arguments.

There are people on the Centos list that build their own bind. Ask over there.

> Any ideas?
> Is possible to update / add my repos to install a recent version with json support and chrooted with:
> If not, is it possible to build from source in chrooted environment?
> Any doc?
>
> btw: Server is not in production yet.
>
> Thanks!!
> Leandro.
Re: Installing bind is not very clear for me
On 9/3/2015 12:53 PM, Reindl Harald wrote:
> On 03.09.2015 at 19:45, Leandro wrote:
>> Dear All:
>> While installing bind still have not clear some issues:
>> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>>
>> My final goal is to get an updated and stable version and also use json format for the statistics channel.
>>
>> 1) Some bind users recommended to get at least a 9.10 release but:
>> Using yum and repos, found that 9.8 is available for Centos 6.6.
>> Also, Centos recommends not to build from source when possible
>
> the whole purpose why you are using CentOS / RHEL is long-time-support and get critical bugfixes without major changes and compatibility break, not just for named, for any installed software
>
> "some people recommend" is not a strong reason for breaking that without any concrete issue

Also the package managers for Centos will pull in the bug fixes of later versions of bind without changing the version number in Centos. It's not unique to Centos, but almost any of the heavily managed Linux distros do that.

I use SuSE (historical reasons plus I am very familiar with its layout) and have always used source for mission critical Internet facing applications.

Lyle Giese
Re: Installing bind is not very clear for me
On 03.09.2015 at 19:45, Leandro wrote:
> Dear All:
> While installing bind still have not clear some issues:
> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>
> My final goal is to get an updated and stable version and also use json format for the statistics channel.
>
> 1) Some bind users recommended to get at least a 9.10 release but:
> Using yum and repos, found that 9.8 is available for Centos 6.6.
> Also, Centos recommends not to build from source when possible

the whole purpose why you are using CentOS / RHEL is long-time-support and get critical bugfixes without major changes and compatibility break, not just for named, for any installed software

"some people recommend" is not a strong reason for breaking that without any concrete issue
Split horizon and some problems on sec.
:-)

I have several domains for which I have two "internal" DNS servers (a primary and one of the secondaries) and two "external" DNS servers (both secondaries). There are six domains for each of which I have pairs of zone description files: a private (for internal clients) and a public (for all other clients) one. For all other domains there are single, common ZDFs. I'd like to have private ZDFs on "internal" servers only while public and "common" - on all four servers.

I implemented split horizon as follows:

/etc/named.conf on my primary server includes:
--
acl "mini" {...};     // my network
acl "ns-mini" {...};  // "internal" DNS servers
acl "ns-coi" {...};   // "external" DNS servers

key "public" {
    algorithm hmac-md5;
    secret "";
};

view "private" {
    match-clients { !key public; mini; };
    allow-transfer { ns-mini; };
    include "/etc/named-zone-include.conf";
    ...
};

view "public" {
    match-clients { key public; any; };
    allow-transfer { ns-mini; ns-coi; };
    server <"internal" DNS IP here> { keys public; };
    include "/etc/named-zone-include.conf";
    ...
};
--

And on my "internal" DNS:
++
acl "mini" {...};     // my network
acl "ns-mini" {...};  // "internal" DNS servers
acl "ns-coi" {...};   // "external" DNS servers

key "public" {
    algorithm hmac-md5;
    secret "";
};

view "private" {
    match-clients { !key public; mini; };
    include "/etc/named-zone-include.conf";
    ...
};

view "public" {
    match-clients { key public; any; };
    server { keys public; };
    include "/etc/named-zone-include.conf";
    ...
};
++

It used to work. After the most recent update (9.10.2.P3-1 on ArchLinux) some problem occurred on my "internal" DNS. The problem is as follows:

1. All "zone" and "include" blocks must be contained inside "view" blocks (otherwise BIND fails).
2. "Internal" secondary DNS is a secondary DNS for all zones; it opens all zone description files in read-write mode.
3. If "common" ZDFs are declared or included in both views BIND fails because it can't open the same files as writable ones twice.

OK, on my "internal" DNS I can declare fake (I mean: the same) "private" and "public" files for all "common" zones and use in views:

include "/etc/named-zone-include-priv.conf";

and

include "/etc/named-zone-include-pub.conf";

But it's rather annoying. I have over 50 "common" zones and only six "private" and "public" ones. How can I implement split horizon for just a few zones and consider other ones as "common"?

Best regards,
Marek
Installing bind is not very clear for me
Dear All:
While installing bind still have not clear some issues:
I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.

My final goal is to get an updated and stable version and also use json format for the statistics channel.

1) Some bind users recommended to get at least a 9.10 release but:
Using yum and repos, found that 9.8 is available for Centos 6.6.
Also, Centos recommends not to build from source when possible.

2) Building bind 9.10 from source is not complicated but:
Could not install on chroot.
Could not get the json or xml statistics, only html.

Any ideas?
Is possible to update / add my repos to install a recent version with json support and chrooted with:
If not, is it possible to build from source in chrooted environment?
Any doc?

btw: Server is not in production yet.

Thanks!!
Leandro.
Re: logging bug for rpz at load-time?
On Thu, Sep 03, 2015 at 03:30:43PM +0100, Phil Mayers wrote:
> I'm a tiny bit uncomfortable exposing the detailed config here given
> what it does.

You can open a bug ticket at bind9-b...@isc.org. ISC's bug database is closed and confidential for this exact reason.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: logging bug for rpz at load-time?
On 03/09/15 15:14, Mukund Sivaraman wrote:
> The numbers are overall counts for that view, after the contents of that policy zone have been loaded. Cumulatively, they should match the number of records in your policy zones (named starts with empty RPZ state).

In that case, those counts are absolutely not correct (see below)

>> This is on 9.10.2-P4
>
> If these numbers (for the view) don't match up, can you try reproducing this with 9.10.3-rc1 and let us know what you get? There have been some bugfixes since 9.10.2.

It'll be a couple of weeks before I could look at that - my availability is poor for the next while.

> How many policy zones do you have? If you can, please send us your named configuration and the expected number of RRs that you intend to see.

I'm a tiny bit uncomfortable exposing the detailed config here given what it does. There are three zones, and the config basically looks like this:

response-policy {
    # Local black/whitelist - currently 486 RRs
    zone "rpz.";
    # Commercial feed #1 - approx 600k entries
    zone "rpz." policy ...;
    # Commercial feed #2 - approx 750 entries
    zone "rpz.";
};

I restarted named to get it to log them, and I saw:

(re)loading policy zone 'rpz.' changed from 0 to 5458 qname
(re)loading policy zone 'rpz.' changed from 5458 to 25032 qname
(re)loading policy zone 'rpz.' changed from 25032 to 1216066 qname

I then immediately restarted it again, and coming up with the *same* zone contents, a few seconds later, it logged:

(re)loading policy zone 'rpz.' changed from 0 to 0 qname
(re)loading policy zone 'rpz.' changed from 0 to 19089 qname
(re)loading policy zone 'rpz.' changed from 19089 to 1216066 qname

So they're basically totally fictitious - is it maybe logging the counts while the following zone(s) are loading in i.e. some concurrency thing?

Cheers,
Phil
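An added example (not code from the thread or from BIND) that applies the reading given in this exchange, that each "(re)loading policy zone" line reports view-wide cumulative counters, to check the per-zone growth against the number of entries the operator expects. The zone names and timestamps in the sample are constructed because the thread redacts them; the qname counts and the expected sizes are the ones reported for the first restart.

```python
import re

# Constructed sample lines in the logged format; only the qname counts and the
# expected zone sizes below are taken from the message above.
SAMPLE_LOG = [
    "03-Sep-2015 16:00:01.000 (re)loading policy zone 'local.rpz.example' "
    "changed from 0 to 5458 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, "
    "0 to 0 CLIENTIP entries",
    "03-Sep-2015 16:00:02.000 (re)loading policy zone 'feed1.rpz.example' "
    "changed from 5458 to 25032 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, "
    "0 to 0 CLIENTIP entries",
    "03-Sep-2015 16:00:09.000 (re)loading policy zone 'feed2.rpz.example' "
    "changed from 25032 to 1216066 qname, 0 to 0 nsdname, 0 to 0 IP, "
    "0 to 0 NSIP, 0 to 0 CLIENTIP entries",
]
EXPECTED_QNAME = {
    "local.rpz.example": 486,
    "feed1.rpz.example": 600000,
    "feed2.rpz.example": 750,
}

LINE = re.compile(
    r"\(re\)loading policy zone '(?P<zone>[^']*)' changed from (?P<counts>.*)"
)
PAIR = re.compile(r"(\d+) to (\d+) (\w+)")


def parse_line(line):
    """Return (zone, {trigger: (before, after)}) or None for other lines."""
    m = LINE.search(line)
    if m is None:
        return None
    counts = {
        kind: (int(before), int(after))
        for before, after, kind in PAIR.findall(m.group("counts"))
    }
    return m.group("zone"), counts


def load_deltas(lines):
    """Growth of each view-wide counter while each policy zone was loading."""
    deltas = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            zone, counts = parsed
            deltas.append(
                (zone, {k: after - before for k, (before, after) in counts.items()})
            )
    return deltas


def mismatches(lines, expected_qname, tolerance=0.05):
    """Zones whose qname growth is not within tolerance of the expected size."""
    findings = []
    for zone, delta in load_deltas(lines):
        want = expected_qname.get(zone)
        if want is None:
            continue
        got = delta.get("qname", 0)
        if abs(got - want) > tolerance * max(want, 1):
            findings.append((zone, want, got))
    return findings


if __name__ == "__main__":
    for zone, want, got in mismatches(SAMPLE_LOG, EXPECTED_QNAME):
        print(f"{zone}: expected about {want} qname entries, log implies {got}")
```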
Re: logging bug for rpz at load-time?
Hi Phil

On Thu, Sep 03, 2015 at 01:22:48PM +0100, Phil Mayers wrote:
> Minor cosmetic bug, but we're seeing logs like:
>
> 03-Sep-2015 12:18:50.751 (re)loading policy zone 'rpz.' changed from
> 0 to 77406 qname, 0 to 0 nsdname, 769 to 771 IP, 0 to 0 NSIP, 0 to 0
> CLIENTIP entries
>
> 03-Sep-2015 12:18:58.029 (re)loading policy zone 'rpz.' changed
> from 77406 to 1213943 qname, 0 to 0 nsdname, 771 to 771 IP, 0 to 0 NSIP, 0
> to 0 CLIENTIP entries
>
> Couple of problems here - the "local" RPZ (first log line) only has a few
> hundred entries in it, definitely not 77406.
>
> Second, the next log line seems to claim the "upstream" RPZ goes from
> exactly the same number (eh?) to some other number equally unrelated to the
> contents of the zone.
>
> Or do the numbers here mean something different?

The numbers are overall counts for that view, after the contents of that policy zone have been loaded. Cumulatively, they should match the number of records in your policy zones (named starts with empty RPZ state).

> This is on 9.10.2-P4

If these numbers (for the view) don't match up, can you try reproducing this with 9.10.3-rc1 and let us know what you get? There have been some bugfixes since 9.10.2.

How many policy zones do you have? If you can, please send us your named configuration and the expected number of RRs that you intend to see.

Mukund
logging bug for rpz at load-time?
Minor cosmetic bug, but we're seeing logs like:

03-Sep-2015 12:18:50.751 (re)loading policy zone 'rpz.' changed from 0 to 77406 qname, 0 to 0 nsdname, 769 to 771 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries

03-Sep-2015 12:18:58.029 (re)loading policy zone 'rpz.' changed from 77406 to 1213943 qname, 0 to 0 nsdname, 771 to 771 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries

Couple of problems here - the "local" RPZ (first log line) only has a few hundred entries in it, definitely not 77406.

Second, the next log line seems to claim the "upstream" RPZ goes from exactly the same number (eh?) to some other number equally unrelated to the contents of the zone.

Or do the numbers here mean something different?

This is on 9.10.2-P4
Re: RHEL, Centos, Fedora rpm 9.10.2-P4
On 02/09/15 21:57, Carl Byington wrote:
> http://www.five-ten-sg.com/mapper/bind contains links to the source

Sigh. FYI, Chrome popped this error up for me:

"""
Google Safe Browsing recently found harmful programs on www.five-ten-sg.com.
"""

Silly Google...
Re: Solved - Re: A tale of two nameservers - resolution problems
On 09/03/2015 04:09 AM, Matus UHLAR - fantomas wrote:
> On 01.09.15 13:36, Robert Moskowitz wrote:
>> On the Fedora-arm list I was told about systemd-timesyncd. Much better for these systems than chronyd which is supposed to be the replacement for ntpdate...
>
> chrony is replacement for ntpd (not ntpdate!) on systems that are not always online.
>
> "has been hooked up with networkd to only operate when network connectivity is available"
> according to:
> http://lists.freedesktop.org/archives/systemd-devel/2014-May/019537.html
>
> I find that a bit different and i believe that chronyd is better for systems that are often offline, although it doesn't fix the issue with boards without RTC.

Newer version has added the -s option specifically for these systems. On Fedora (and soon RHEL/Centos):

/etc/sysconfig/chronyd
OPTIONS="-s"

Also:

/etc/chrony.conf
#rtcsync
rtcdevice /dev/nonexist

This is useful if your home network nameserver is not adequately protected from power outages and comes back up before the Internet connection.

A few other interesting edge cases.
Re: Solved - Re: A tale of two nameservers - resolution problems
On 01.09.15 13:36, Robert Moskowitz wrote:
> On the Fedora-arm list I was told about systemd-timesyncd. Much better for these systems than chronyd which is supposed to be the replacement for ntpdate...

chrony is replacement for ntpd (not ntpdate!) on systems that are not always online.

"has been hooked up with networkd to only operate when network connectivity is available"
according to:
http://lists.freedesktop.org/archives/systemd-devel/2014-May/019537.html

I find that a bit different and i believe that chronyd is better for systems that are often offline, although it doesn't fix the issue with boards without RTC.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)