Re: ISC Bind 9.11 and dyndb-ldap
On 10/17/2016 05:50 PM, Mark Andrews wrote:
> In message, "Pallissard, Matthew" writes:
>> On 10/16/2016 09:34 PM, Mark Andrews wrote:
>>> In message, "Pallissard, Matt" writes:
>>>> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
>>>>
>>>> Unless I'm reading the release notes/new features pages incorrectly the
>>>> bind-dyndb-ldap plugin has been rolled into ISC's official release and
>>>> I shouldn't have to mess around with patching/building it from source.
>>>>
>>>> Yet I get the following errors upon startup;
>>>>
>>>> named[9937]: loading configuration from '/etc/named.conf'
>>>> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
>>>> named[9937]: loading configuration: failure
>>>> named[9937]: exiting (due to fatal error)
>>>> systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
>>>>
>>>> I'm using the package provided by Arch Linux and can provide the flags the
>>>> bind package was compiled with if those are relevant.
>>>>
>>>> Any advice would be greatly appreciated.
>>>
>>> Did you mean "dyndb" perhaps?
>>>
>>>> Matt Pallissard
>>
>> Changing from dynamic-db to dyndb still causes named to fail.
>>
>> Using formatting similar to this;
>>
>> dyndb "domain.net" {
>>   library "ldap.so"
>>   arg...
>> }
>>
>> Gives the following error;
>>
>> named[31641]: /etc/named.conf:23: expected quoted string near '{
>>
>> Most of the documentation I can find around this seems to use 'dynamic-db'
>> in named.conf
>
> Which would be for the unofficial extension.
>
> Did you read the documentation that comes with BIND 9.11 for dyndb?
>
> dyndb domain.net "ldap.so" {
>     ...
> };
>
> Mark
>
>> Matt Pallissard

That was it. Thank you for your help.

As for the documentation, I was reading the 'bind-dyndb-ldap' documentation.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/bind-dyndb-ldap-config.html

I wish I'd have thought to grep through the bind docs as it's right there.

    [matt bind-9.11.0]$ grep -r dyndb doc
    doc/misc/options:dyndb  { };

I should remember to RTFM next time.

Matt Pallissard
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: ISC Bind 9.11 and dyndb-ldap
In message, "Pallissard, Matthew" writes:
> On 10/16/2016 09:34 PM, Mark Andrews wrote:
> > In message, "Pallissard, Matt" writes:
> >>
> >> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
> >>
> >> Unless I'm reading the release notes/new features pages incorrectly the
> >> bind-dyndb-ldap plugin has been rolled into ISC's official release and
> >> I shouldn't have to mess around with patching/building it from source.
> >>
> >> Yet I get the following errors upon startup;
> >>
> >> named[9937]: loading configuration from '/etc/named.conf'
> >> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
> >> named[9937]: loading configuration: failure
> >> named[9937]: exiting (due to fatal error)
> >> systemd[1]: named.service: Main process exited, code=exited,
> >> status=1/FAILURE
> >>
> >> I'm using the package provided by Arch Linux and can provide the flags the
> >> bind package was compiled with if those are relevant.
> >>
> >> Any advice would be greatly appreciated.
> >
> > Did you mean "dyndb" perhaps?
> >
> >> Matt Pallissard
>
> Changing from dynamic-db to dyndb still causes named to fail.
>
> Using formatting similar to this;
>
> dyndb "domain.net" {
>   library "ldap.so"
>   arg...
> }
>
> Gives the following error;
>
> named[31641]: /etc/named.conf:23: expected quoted string near '{
>
> Most of the documentation I can find around this seems to use 'dynamic-db' in
> named.conf

Which would be for the unofficial extension.

Did you read the documentation that comes with BIND 9.11 for dyndb?

    dyndb domain.net "ldap.so" {
        ...
    };

Mark

> Matt Pallissard
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: ISC Bind 9.11 and dyndb-ldap
On 10/16/2016 09:34 PM, Mark Andrews wrote:
> In message, "Pallissard, Matt" writes:
>>
>> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
>>
>> Unless I'm reading the release notes/new features pages incorrectly the
>> bind-dyndb-ldap plugin has been rolled into ISC's official release and I
>> shouldn't have to mess around with patching/building it from source.
>>
>> Yet I get the following errors upon startup;
>>
>> named[9937]: loading configuration from '/etc/named.conf'
>> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
>> named[9937]: loading configuration: failure
>> named[9937]: exiting (due to fatal error)
>> systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
>>
>> I'm using the package provided by Arch Linux and can provide the flags the
>> bind package was compiled with if those are relevant.
>>
>> Any advice would be greatly appreciated.
>
> Did you mean "dyndb" perhaps?
>
>> Matt Pallissard

Changing from dynamic-db to dyndb still causes named to fail.

Using formatting similar to this;

    dyndb "domain.net" {
      library "ldap.so"
      arg...
    }

Gives the following error;

    named[31641]: /etc/named.conf:23: expected quoted string near '{

Most of the documentation I can find around this seems to use 'dynamic-db' in named.conf

Matt Pallissard
Re: BIND 9.11.0 RPZ performance issue
Hi there,

On Mon, 17 Oct 2016, Daniel Stirnimann wrote:

> I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND
> 9.11.0 and I notice timeouts for 3 - 5 seconds about every 1 to 5 hour.

Something to do with dlv.isc.org?

--
73,
Ged.
Re: defines ip to acl
> And don't forget the copious comments in named.conf, so that your
> successor can easily see, at a glance, what start/end addresses those
> clusters of ACL elements represent.

sure! :-)

thanks

Pol
RE: defines ip to acl
And don't forget the copious comments in named.conf, so that your successor can easily see, at a glance, what start/end addresses those clusters of ACL elements represent.

- Kevin

-----Original Message-----
From: Darcy Kevin (FCA)
Sent: Monday, October 17, 2016 3:11 PM
To: bind-users@lists.isc.org
Subject: RE: defines ip to acl

Well, things are messy, because you haven't carved up your subnet on bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or some combination of these.

It can be done:

    192.168.1.1 through 192.168.1.99 =
        !192.168.1.0; 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30;

    192.168.1.100 through 192.168.1.199 =
        192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29;

I might have made an error in the above -- did I mention that this is very error-prone as well? :-)

- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol Hallen
Sent: Monday, October 17, 2016 2:37 PM
To: bind-users@lists.isc.org
Subject: defines ip to acl

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and
ip from 192.168.1.100 to 192.168.1.199 to acl2

    acl net1 { 192.168.1.1-99/24 };
    acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol
Re: defines ip to acl
> Acls don’t support ranges, only prefixes. You don’t want the whole /24.
> I think you want:
>
> acl net1 { 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; };
> acl net2 { 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; };

thanks guys :-)
RE: defines ip to acl
Well, things are messy, because you haven't carved up your subnet on bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or some combination of these.

It can be done:

    192.168.1.1 through 192.168.1.99 =
        !192.168.1.0; 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30;

    192.168.1.100 through 192.168.1.199 =
        192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29;

I might have made an error in the above -- did I mention that this is very error-prone as well? :-)

- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol Hallen
Sent: Monday, October 17, 2016 2:37 PM
To: bind-users@lists.isc.org
Subject: defines ip to acl

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and
ip from 192.168.1.100 to 192.168.1.199 to acl2

    acl net1 { 192.168.1.1-99/24 };
    acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol
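A check of the decomposition above, added here as an example and not part of the thread: it evaluates an address_match_list the way BIND does (elements in order, first hit decides, a leading "!" on the hit means no match), confirms that Kevin's hand-built element lists admit exactly the two intended ranges within 192.168.1.0/24, and uses Python's ipaddress.summarize_address_range to produce a negation-free CIDR cover for the same ranges. The element lists are transcribed from the post; the function names and the /24 test network are my own assumptions.

```python
import ipaddress

# Transcribed from Kevin's post: hand-built element lists for the two ranges.
KEVIN_NET1 = ["!192.168.1.0", "192.168.1.0/26", "192.168.1.64/27", "192.168.1.96/30"]
KEVIN_NET2 = ["192.168.1.100/30", "192.168.1.104/29", "192.168.1.112/28",
              "192.168.1.128/26", "192.168.1.192/29"]


def acl_match(elements, addr):
    """BIND address_match_list semantics: elements are tried in order and the
    first one whose prefix contains addr decides; a leading '!' on that
    element means 'no match'.  An address that hits nothing does not match."""
    ip = ipaddress.ip_address(addr)
    for el in elements:
        negated = el.startswith("!")
        net = ipaddress.ip_network(el.lstrip("!"), strict=False)  # bare IP -> /32
        if ip in net:
            return not negated
    return False


def matched_in(elements, network="192.168.1.0/24"):
    """Every address of `network` (assumed test net) that the list admits."""
    return {str(a) for a in ipaddress.ip_network(network) if acl_match(elements, str(a))}


def addresses_between(first, last):
    """Inclusive range first..last as a set of dotted-quad strings."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return {str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)}


def range_to_prefixes(first, last):
    """Minimal positive-only CIDR cover of first..last (no negation needed)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def acl_statement(name, elements):
    """Render a named.conf acl statement from an element list."""
    return f'acl "{name}" {{ {" ".join(e + ";" for e in elements)} }};'


if __name__ == "__main__":
    for name, els, lo, hi in [("net1", KEVIN_NET1, "192.168.1.1", "192.168.1.99"),
                              ("net2", KEVIN_NET2, "192.168.1.100", "192.168.1.199")]:
        exact = matched_in(els) == addresses_between(lo, hi)
        print(f"{name}: hand-built list admits exactly {lo}-{hi}? {exact}")
        print(acl_statement(name, range_to_prefixes(lo, hi)))
```

The negation-free cover for .1-.99 needs eight prefixes where the negated form needs four, which is the trade-off between a shorter list and one whose first-match order must be kept straight.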
Re: defines ip to acl
Acls don’t support ranges, only prefixes. You don’t want the whole /24.
I think you want:

    acl net1 { 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; };
    acl net2 { 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; };

On 2016-10-17, 13:41, "bind-users on behalf of Pol Hallen" wrote:

> Hello all :-)
>
> I need to setup 2 kind of acl on same network, ie:
>
> ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and
> ip from 192.168.1.100 to 192.168.1.199 to acl2
>
> acl net1 { 192.168.1.1-99/24 };
> acl net1 { 192.168.1.99-199/24 };
>
> what's the correct way? I didn't find nothing :-/
>
> thanks for help
>
> Pol
defines ip to acl
Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and
ip from 192.168.1.100 to 192.168.1.199 to acl2

    acl net1 { 192.168.1.1-99/24 };
    acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol
Re: R: Reloading match-clients
On 14/10/2016 13:13, Matus UHLAR - fantomas wrote:
> On 14.10.16 13:51, Job wrote:
>> There is no way to update dynamically the match_clients without
>> reconfig/reloading?

What are you using the different views for, that the clients allowed to access them are changing so often? There may be a better way to achieve what you want that doesn't involve having to keep changing match-clients.
BIND 9.11.0 RPZ performance issue
Hi,

I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND 9.11.0 and I notice timeouts for 3 - 5 seconds about every 1 to 5 hour.

I have managed to trace this back to our RPZ configuration. I have 14 RPZ zones configured. Some of them are quite large (e.g. Spamhaus). The only work around for this timeout issue I came up with so far is to remove two large Spamhaus RPZ zones which leaves my configuration at 12 zones. Removing one or two smaller zones does not help though.

The timeout does not occur during/after XFR of a zone. I also tried to optimize the zone format and journal size (e.g. masterfile-format map; max-journal-size 100M;) as I believed this could be a filesystem performance issue but this change did not help.

It is important to mention that our BIND resolvers are virtualized. However, I have two virtualization stacks to try out and both (Openstack, KVM) have this problem.

How busy a resolver is plays no role. I see this timeout issue on an almost idle (only monitoring requests) resolver as well although at a slightly lower frequency. There is no log event (BIND/linux) which indicates a problem.

I believed RPZ performance would only get better after upgrading but apparently, there is some change which makes performance worse.

Has anyone else noticed RPZ performance issues with BIND 9.11.0 and do you have any suggestions?

Appended is a slightly obfuscated configuration of ours.

Daniel

    options {
        directory "/var/named/slaves";
        listen-on port 53 { "any"; };
        listen-on-v6 port 53 { "any"; };
        pid-file "/var/run/named/named.pid";
        auth-nxdomain no;
        dnssec-enable yes;
        dnssec-validation yes;
        empty-zones-enable yes;
        recursion yes;
        allow-query { "SWITCHlan"; };
        allow-transfer { "none"; };
        max-journal-size 104857600;
        notify no;
    };

    controls {
        inet 127.0.0.1 allow { 127.0.0.1/32; } keys { "rndc-key"; };
        inet ::1 allow { ::1/128; } keys { "rndc-key"; };
    };

    acl "SWITCHlan" {
        ?;
    };

    masters "switch-rpz-master" {
        ? key "rpz-xfr.switch.ch.";
        ? key "rpz-xfr.switch.ch.";
    };

    logging {
        channel "switch_local" {
            file "/var/log/named/named" versions 10 size 6291456;
            severity info;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        channel "switch_queries" {
            file "/var/log/named/queries" versions 10 size 83886080;
            severity info;
            print-time yes;
        };
        channel "switch_queryerrors" {
            file "/var/log/named/queryerrors" versions 2 size 52428800;
            severity debug 1;
            print-time yes;
        };
        channel "switch_syslog" {
            syslog "local1";
            severity info;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        channel "switch_syslog-debug" {
            syslog "local1";
            severity debug 1;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        channel "switch_other" {
            file "/var/log/named/other" versions 10 size 6291456;
            severity info;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        channel "switch_rpz_local" {
            file "/var/log/named/rpz" versions 10 size 10485760;
            severity info;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        category "general" { "switch_local"; };
        category "notify" { "switch_local"; };
        category "xfer-in" { "switch_local"; };
        category "xfer-out" { "switch_local"; };
        category "network" { "switch_local"; };
        category "dnssec" { "switch_syslog"; "switch_local"; };
        category "rpz" { "switch_rpz_local"; };
        category "default" { "switch_other"; };
        category "query-errors" { "switch_queryerrors"; "switch_syslog-debug"; };
    };

    view "default" {
        match-destinations { "any"; };
        zone "localhost" {
            type master;
            file "/etc/bind/db.local";
            masterfile-format text;
        };
        zone "zone.1.rpz.switch.ch." {
            type slave;
            file