Re: forwarders (IPv6)
In message <3c929ce024ce174480d567360a8291b1ee69071...@hq1-mailmb-v1.trade.ftc.gov>, "Chakrapani, Praveen CTR via bind-users" writes: > > Hi, > > I added below line to my named.conf to include IPv6 addresses to the > forwarders list. However I am getting this error "Sep 13 10:33:06 > servername named[24778]: [ID 873579 daemon.error] /etc/named.conf:158: > expected IP address near '2001:1890:1C04:3000:0CB7:4432'" > > "forwarders { 12.227.230.4; 12.227.230.10; 12.183.68.50; 12.183.68.51; > 12.71.76.50; 12.71.76.51; 2001:1890:1C04:3000:0CB7:4432; > 2001:1890:1C04:3000:0CB7:4433; 2001:1890:1C04:3400:0C47:4C32; > 2001:1890:1C04:3400:0C47:4C33; }; > forward first;" > > Please let know how to add IPv6 addresses to the forwarders list. Add a syntactically valid IPv6 address. 2001:1890:1C04:3000:0CB7:4432 is NOT a valid IPv6 address. It's missing 32 bits of the address. Did you mean 2001:1890:1C04:3000::0CB7:4432 perhaps as you seem to be encoding the IPv4 addresses in the last 32 bits? Note the double "::" signifying 32 zero bits in this case. Mark > Thanks, > Praveen Kumar Chakrapani (CTR) > AECOM Contractor, Lead UNIX Administrator > Desk (202)326-3282 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarders (IPv6)
I added below line to my named.conf to include IPv6 addresses to the forwarders list. However I am getting this error *“Sep 13 10:33:06 servername named[24778]: [ID 873579 daemon.error] /etc/named.conf:158: expected IP address near '2001:1890:1C04:3000:0CB7:4432'”* That's because it's not a valid representation of an IPv6 address (it has only 6 hextets where you would expect to see 8, or a double-colon to mark compressed zeros): 2001:db8:a4:ea5c:0:0:53:a1 = 2001:db8:a4:ea5c::53:a1 Graham ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: forwarders (IPv6)
That's not a valid IPv6 address representation. You probably mistyped a double colon as a single colon in the middle of the address. (RFC 4291) 2.2. Text Representation of Addresses There are three conventional forms for representing IPv6 addresses as text strings: 1. The preferred form is x:x:x:x:x:x:x:x, where the 'x's are one to four hexadecimal digits of the eight 16-bit pieces of the address. Examples: ABCD:EF01:2345:6789:ABCD:EF01:2345:6789 2001:DB8:0:0:8:800:200C:417A Note that it is not necessary to write the leading zeros in an individual field, but there must be at least one numeral in every field (except for the case described in 2.). 2. Due to some methods of allocating certain styles of IPv6 addresses, it will be common for addresses to contain long strings of zero bits. In order to make writing addresses containing zero bits easier, a special syntax is available to compress the zeros. The use of "::" indicates one or more groups of 16 bits of zeros. The "::" can only appear once in an address. The "::" can also be used to compress leading or trailing zeros in an address. - Kevin From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chakrapani, Praveen CTR via bind-users Sent: Tuesday, September 13, 2016 4:48 PM To: 'bind-users@lists.isc.org' Subject: forwarders (IPv6) Hi, I added below line to my named.conf to include IPv6 addresses to the forwarders list. However I am getting this error "Sep 13 10:33:06 servername named[24778]: [ID 873579 daemon.error] /etc/named.conf:158: expected IP address near '2001:1890:1C04:3000:0CB7:4432'" "forwarders { 12.227.230.4; 12.227.230.10; 12.183.68.50; 12.183.68.51; 12.71.76.50; 12.71.76.51; 2001:1890:1C04:3000:0CB7:4432; 2001:1890:1C04:3000:0CB7:4433; 2001:1890:1C04:3400:0C47:4C32; 2001:1890:1C04:3400:0C47:4C33; }; forward first;" Please let know how to add IPv6 addresses to the forwarders list. Thanks, Praveen Kumar Chakrapani (CTR) AECOM Contractor, Lead UNIX Administrator Desk (202)326-3282 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
forwarders (IPv6)
Hi, I added below line to my named.conf to include IPv6 addresses to the forwarders list. However I am getting this error "Sep 13 10:33:06 servername named[24778]: [ID 873579 daemon.error] /etc/named.conf:158: expected IP address near '2001:1890:1C04:3000:0CB7:4432'" "forwarders { 12.227.230.4; 12.227.230.10; 12.183.68.50; 12.183.68.51; 12.71.76.50; 12.71.76.51; 2001:1890:1C04:3000:0CB7:4432; 2001:1890:1C04:3000:0CB7:4433; 2001:1890:1C04:3400:0C47:4C32; 2001:1890:1C04:3400:0C47:4C33; }; forward first;" Please let know how to add IPv6 addresses to the forwarders list. Thanks, Praveen Kumar Chakrapani (CTR) AECOM Contractor, Lead UNIX Administrator Desk (202)326-3282 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS views and zone transfers, cont
On Tue, Sep 13, 2016 at 10:58 AM, project722wrote: > I have moved the new views into production, and all seems to be working > fine. I have an "internal" view and an "external" view. I have noticed a > few re-occuring messages in the logs of the master server that I'd like to > suppress. Here is what I am seeing: > > 1) Warning: view external: 'empty-zones-enable/disable-empty-zone' not > set: disabling RFC 1918 empty zones: 37 Time(s) > > 2) connect(fe80::216:3eff:fe37:b866#53) 22/Invalid argument: 7 Time(s) > > 3) zone > 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN/external: > (master) removed: 1 Time(s) > zone 112/x.x.x.IN-ADDR.ARPA/IN: (master) removed: 1 Time(s) > zone x.x.x.in-addr.arpa/IN: (master) removed: 1 Time(s) > > For # 3 I basically see an entry for each of our reverse mapping zones, > which are valid and I don't want them "removed" as the message states And I > think these are related to #1. I believe I can fix #1 with the > "empty-zones-enable > no;" in my external view, but I am not sure what effect it would have on > the message generation or how it would affect zone behavior in that view. > > I have "empty-zones-enable yes;" in my options, and then "empty-zones-enable no;" in the view that is forwarding. So either define it in every view, or define a default in the options. > For #2, - I already have a statement "server fe80::/16 { bogus yes; };" in > my named.conf. However it is above the options statement and I am now > wondering if I need this defined in each view now. Also this > fe80::216:3eff:fe37:b866 > is not even my actual link local IP so I am not sure where/how that is > being generated. My actual link local is > fe80::f21f:afff:fedd:6a26/64 > > I have the "server ... bogus ..." statement in each view, so try it there. > Any help is greatly appreciated. > > On Thu, Sep 8, 2016 at 11:33 AM, project722 wrote: > >> I am not seeing that but thanks for the heads up. I will keep an eye on >> it. >> >> On Thu, Sep 8, 2016 at 10:14 AM, Bob Harold wrote: >> >>> I changed the subject slightly, because I had to cut out a lot of the >>> forwarded message - the list server was complaining about the size of the >>> messages. >>> >>> I just found that my setup was not working completely as I expected. >>> The view with only a few zones and forwarding to another view automatically >>> got the "empty zones" created, so any queries in those zones did not get >>> forwarded. I am fixing it by adding to that view the line: >>>empty-zones-enable no; >>> >>> -- >>> Bob Harold >>> >>> >>> On Thu, Sep 8, 2016 at 9:41 AM, Bob Harold wrote: >>> On Thu, Sep 8, 2016 at 9:13 AM, project722 wrote: > Bob, in our prod environment, we are allowing 127.0.0.1 to make zone > transfers. First off, what is the reasoning or benefit of allowing > localhost to make zone transfers? Secondly, In my new view config since I > will be using 127.0.0.1 as a forwarder, would this in any way cause a > problem or a conflict if I was to leave the localhost IP in the ACL for > zone transfers? > I would allow 127.0.0.1 to do zone transfers for troubleshooting purposes, if I am on the server and want to look at a whole zone. But it is not required, if you don't use it for transfers. Allowing zone transfers should not affect its use for forwarding, as far as I can see. -- Bob Harold > On Wed, Sep 7, 2016 at 2:30 PM, Bob Harold wrote: > >> You should change: >> match-clients { internal; key tsigkey; !key tsigkeyext; >> To: >> match-clients { !key tsigkeyext; internal; key tsigkey; >> >> The 'not' (!) won't work if it is last, they are checked in order, so >> it needs to be first. >> >> -- >> Bob Harold >> >> >> On Wed, Sep 7, 2016 at 3:21 PM, project722 >> wrote: >> >>> I think I have found the problem. I did not need dnssec enabled >>> after all. All this time I thought it was needed for TSIG to work. But >>> apparently, the forwarding is working, and zone transfers are going to >>> the >>> right view without it enabled. >>> >>> On Wed, Sep 7, 2016 at 1:15 PM, project722 >>> wrote: >>> Ok I'm with you now. I have reconfigured my servers and I cant get the forwarding to work. Since 127.0.0.1 is forwarding request, I made sure in the options stanza to set it to a listen IP. I have tried several different variations of this method and all end up with SERVFAIL's using dig from a client that gets the "internal" view. Here is my config. acl internal { 192.168.254.0/23; // corpnet };
Re: DNS views and zone transfers, cont
I have moved the new views into production, and all seems to be working fine. I have an "internal" view and an "external" view. I have noticed a few re-occuring messages in the logs of the master server that I'd like to suppress. Here is what I am seeing: 1) Warning: view external: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones: 37 Time(s) 2) connect(fe80::216:3eff:fe37:b866#53) 22/Invalid argument: 7 Time(s) 3) zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN/external: (master) removed: 1 Time(s) zone 112/x.x.x.IN-ADDR.ARPA/IN: (master) removed: 1 Time(s) zone x.x.x.in-addr.arpa/IN: (master) removed: 1 Time(s) For # 3 I basically see an entry for each of our reverse mapping zones, which are valid and I don't want them "removed" as the message states And I think these are related to #1. I believe I can fix #1 with the "empty-zones-enable no;" in my external view, but I am not sure what effect it would have on the message generation or how it would affect zone behavior in that view. For #2, - I already have a statement "server fe80::/16 { bogus yes; };" in my named.conf. However it is above the options statement and I am now wondering if I need this defined in each view now. Also this fe80::216:3eff:fe37:b866 is not even my actual link local IP so I am not sure where/how that is being generated. My actual link local is fe80::f21f:afff:fedd:6a26/64 Any help is greatly appreciated. On Thu, Sep 8, 2016 at 11:33 AM, project722wrote: > I am not seeing that but thanks for the heads up. I will keep an eye on > it. > > On Thu, Sep 8, 2016 at 10:14 AM, Bob Harold wrote: > >> I changed the subject slightly, because I had to cut out a lot of the >> forwarded message - the list server was complaining about the size of the >> messages. >> >> I just found that my setup was not working completely as I expected. The >> view with only a few zones and forwarding to another view automatically got >> the "empty zones" created, so any queries in those zones did not get >> forwarded. I am fixing it by adding to that view the line: >>empty-zones-enable no; >> >> -- >> Bob Harold >> >> >> On Thu, Sep 8, 2016 at 9:41 AM, Bob Harold wrote: >> >>> >>> On Thu, Sep 8, 2016 at 9:13 AM, project722 wrote: >>> Bob, in our prod environment, we are allowing 127.0.0.1 to make zone transfers. First off, what is the reasoning or benefit of allowing localhost to make zone transfers? Secondly, In my new view config since I will be using 127.0.0.1 as a forwarder, would this in any way cause a problem or a conflict if I was to leave the localhost IP in the ACL for zone transfers? >>> >>> I would allow 127.0.0.1 to do zone transfers for troubleshooting >>> purposes, if I am on the server and want to look at a whole zone. But it >>> is not required, if you don't use it for transfers. >>> Allowing zone transfers should not affect its use for forwarding, as far >>> as I can see. >>> >>> -- >>> Bob Harold >>> >>> >>> On Wed, Sep 7, 2016 at 2:30 PM, Bob Harold wrote: > You should change: > match-clients { internal; key tsigkey; !key tsigkeyext; > To: > match-clients { !key tsigkeyext; internal; key tsigkey; > > The 'not' (!) won't work if it is last, they are checked in order, so > it needs to be first. > > -- > Bob Harold > > > On Wed, Sep 7, 2016 at 3:21 PM, project722 > wrote: > >> I think I have found the problem. I did not need dnssec enabled after >> all. All this time I thought it was needed for TSIG to work. But >> apparently, the forwarding is working, and zone transfers are going to >> the >> right view without it enabled. >> >> On Wed, Sep 7, 2016 at 1:15 PM, project722 >> wrote: >> >>> Ok I'm with you now. I have reconfigured my servers and I cant get >>> the forwarding to work. Since 127.0.0.1 is forwarding request, I made >>> sure >>> in the options stanza to set it to a listen IP. I have tried several >>> different variations of this method and all end up with SERVFAIL's using >>> dig from a client that gets the "internal" view. Here is my config. >>> >>> acl internal { >>> 192.168.254.0/23; // corpnet >>> }; >>> >>> acl external { >>> 192.168.155.0/24; >>> 192.168.160.0/24; >>> }; >>> >>> options { >>> listen-on port 53 { 192.168.155.128; 127.0.0.1; }; #Master >>> DNS Servers IP >>> directory "/var/named"; >>> dump-file "/var/named/data/cache_dump.db"; >>> statistics-file "/var/named/data/named.stats"; >>> memstatistics-file "/var/named/data/named_mem_stats.txt"; >>> allow-query{