Re: ISC Bind 9.11 and dyndb-ldap

2016-10-17 Thread Pallissard, Matt

On 10/17/2016 05:50 PM, Mark Andrews wrote:
> In message , 
> "Pallissard, Matthew" writes:
>> On 10/16/2016 09:34 PM, Mark Andrews wrote:
>>> In message , "Pallissard, 
>>> Matt" writes:
>>>>
>>>> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
>>>>
>>>> Unless I'm reading the release notes/new features pages incorrectly the 
>>>> bind-dyndb-ldap plugin has been rolled into ISC's official release and I 
>>>> shouldn't have to mess around with patching/building it from source.
>>>>
>>>>
>>>> Yet I get the following errors upon startup;
>>>>
>>>> named[9937]: loading configuration from '/etc/named.conf'
>>>> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
>>>> named[9937]: loading configuration: failure
>>>> named[9937]: exiting (due to fatal error)
>>>> systemd[1]: named.service: Main process exited, code=exited, 
>>>> status=1/FAILURE
>>>>
>>>>
>>>> I'm using the package provided by Arch Linux and can provide the flags the 
>>>> bind package was compiled with if those are relevant.
>>>>
>>>> Any advice would be greatly appreciated.
>>>
>>> Did you mean "dyndb" perhaps?
>>> 
>>>> Matt Pallissard
>>
>> Changing from dynamic-db to dyndb still causes named to fail.
>>
>> Using formatting similar to this;
>>
>> dyndb "domain.net" {
>>   library "ldap.so"
>>   arg... 
>> }
>>
>> Gives the following error;
>>
>> named[31641]: /etc/named.conf:23: expected quoted string near '{
>>
>> Most of the documentation I can find around this seems to use 'dynamic-db' 
>> in named.conf
> 
> Which would be for the unofficial extension.
> 
> Did you read the documentation that comes with BIND 9.11 for dyndb?
> 
> dyndb domain.net "ldap.so" {
>   ...
> };
> 
> Mark
>  
>> Matt Pallissard

That was it.  Thank you for your help.


As for the documentation, I was reading the 'bind-dyndb-ldap' documentation.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/bind-dyndb-ldap-config.html


I wish I'd thought to grep through the bind docs, as it's right there.

[matt bind-9.11.0]$ grep -r dyndb doc
doc/misc/options:dyndb   {  };

I should remember to RTFM next time.  


Matt Pallissard

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ISC Bind 9.11 and dyndb-ldap

2016-10-17 Thread Mark Andrews

In message , "Pallissard, 
Matthew" writes:
> On 10/16/2016 09:34 PM, Mark Andrews wrote:
> > In message , "Pallissard, 
> > Matt" writes:
> >>
> >> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
> >>
> >> Unless I'm reading the release notes/new features pages incorrectly the 
> >> bind-dyndb-ldap plugin has been rolled into ISC's official release and I 
> >> shouldn't have to mess around with patching/building it from source.
> >>
> >>
> >> Yet I get the following errors upon startup;
> >>
> >> named[9937]: loading configuration from '/etc/named.conf'
> >> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
> >> named[9937]: loading configuration: failure
> >> named[9937]: exiting (due to fatal error)
> >> systemd[1]: named.service: Main process exited, code=exited, 
> >> status=1/FAILURE
> >>
> >>
> >> I'm using the package provided by Arch Linux and can provide the flags the 
> >> bind package was compiled with if those are relevant.
> >>
> >> Any advice would be greatly appreciated.
> > 
> > Did you mean "dyndb" perhaps?
> >  
> >> Matt Pallissard
> 
> Changing from dynamic-db to dyndb still causes named to fail.
> 
> Using formatting similar to this;
> 
> dyndb "domain.net" {
>   library "ldap.so"
>   arg... 
> }
> 
> Gives the following error;
> 
> named[31641]: /etc/named.conf:23: expected quoted string near '{
> 
> Most of the documentation I can find around this seems to use 'dynamic-db' in 
> named.conf

Which would be for the unofficial extension.

Did you read the documentation that comes with BIND 9.11 for dyndb?

dyndb domain.net "ldap.so" {
...
};

Mark
 
> Matt Pallissard
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: ISC Bind 9.11 and dyndb-ldap

2016-10-17 Thread Pallissard, Matthew
On 10/16/2016 09:34 PM, Mark Andrews wrote:
> In message , "Pallissard, 
> Matt" writes:
>>
>> Has anyone successfully used LDAP as a dynamic back-end for bind 9.11?
>>
>> Unless I'm reading the release notes/new features pages incorrectly the 
>> bind-dyndb-ldap plugin has been rolled into ISC's official release and I 
>> shouldn't have to mess around with patching/building it from source.
>>
>>
>> Yet I get the following errors upon startup;
>>
>> named[9937]: loading configuration from '/etc/named.conf'
>> named[9937]: /etc/named.conf:23: unknown option 'dynamic-db'
>> named[9937]: loading configuration: failure
>> named[9937]: exiting (due to fatal error)
>> systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
>>
>>
>> I'm using the package provided by Arch Linux and can provide the flags the 
>> bind package was compiled with if those are relevant.
>>
>> Any advice would be greatly appreciated.
> 
> Did you mean "dyndb" perhaps?
>  
>> Matt Pallissard

Changing from dynamic-db to dyndb still causes named to fail.

Using formatting similar to this;

dyndb "domain.net" {
  library "ldap.so"
  arg... 
}

Gives the following error;

named[31641]: /etc/named.conf:23: expected quoted string near '{

Most of the documentation I can find around this seems to use 'dynamic-db' in 
named.conf


Matt Pallissard

Re: BIND 9.11.0 RPZ performance issue

2016-10-17 Thread G.W. Haywood

Hi there,

On Mon, 17 Oct 2016, Daniel Stirnimann wrote:

> I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND
> 9.11.0 and I notice timeouts for 3 - 5 seconds about every 1 to 5 hour.

Something to do with dlv.isc.org?

--

73,
Ged.


Re: defines ip to acl

2016-10-17 Thread Pol Hallen

> And don't forget the copious comments in named.conf, so that your successor can 
> easily see, at a glance, what start/end addresses those clusters of ACL 
> elements represent.

sure! :-)

thanks

Pol


RE: defines ip to acl

2016-10-17 Thread Darcy Kevin (FCA)
And don't forget the copious comments in named.conf, so that your successor can 
easily see, at a glance, what start/end addresses those clusters of ACL 
elements represent.


- Kevin


-Original Message-
From: Darcy Kevin (FCA) 
Sent: Monday, October 17, 2016 3:11 PM
To: bind-users@lists.isc.org
Subject: RE: defines ip to acl

Well, things are messy, because you haven't carved up your subnet on 
bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or 
some combination of these. It can be done:

192.168.1.1 through 192.168.1.99 = !192.168.1.0; 192.168.1.0/26; 
192.168.1.64/27; 192.168.1.96/30;

192.168.1.100 through 192.168.1.199 = 192.168.1.100/30; 192.168.1.104/29; 
192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29;

I might have made an error in the above -- did I mention that this is very 
error-prone as well? :-)


- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol 
Hallen
Sent: Monday, October 17, 2016 2:37 PM
To: bind-users@lists.isc.org
Subject: defines ip to acl

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 
to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol


Re: defines ip to acl

2016-10-17 Thread Pol Hallen

> Acls don’t support ranges, only prefixes.  You don’t want the whole /24.  I 
> think you want:
>
> acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; }
> acl net2 {192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 
> 192.168.1.192/29; }

thanks guys :-)



RE: defines ip to acl

2016-10-17 Thread Darcy Kevin (FCA)
Well, things are messy, because you haven't carved up your subnet on 
bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or 
some combination of these. It can be done:

192.168.1.1 through 192.168.1.99 = !192.168.1.0; 192.168.1.0/26; 
192.168.1.64/27; 192.168.1.96/30;

192.168.1.100 through 192.168.1.199 = 192.168.1.100/30; 192.168.1.104/29; 
192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29;

I might have made an error in the above -- did I mention that this is very 
error-prone as well? :-)


- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol 
Hallen
Sent: Monday, October 17, 2016 2:37 PM
To: bind-users@lists.isc.org
Subject: defines ip to acl

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 
to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol


Re: defines ip to acl

2016-10-17 Thread McDonald, Daniel (Dan)
Acls don’t support ranges, only prefixes.  You don’t want the whole /24.  I 
think you want:

acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; }
acl net2 {192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 
192.168.1.192/29; }
 

On 2016-10-17, 13:41, "bind-users on behalf of Pol Hallen" 
 wrote:

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1
and ip from 192.168.1.100 to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol


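Added example, not code from the thread: a small Python check of the range-to-prefix split that Kevin and Dan worked out by hand above. It also evaluates an address-match list the way BIND does (elements tested in order, first hit decides, a leading `!` denies, no hit means deny), so Kevin's negated net1 can be compared with Dan's un-negated one. The ACL contents are taken from the thread; the function names are my own.

```python
import ipaddress

# Constructed inputs: the ACL bodies proposed in the thread. Kevin's net1 uses a
# negation to stay short; Dan's drops it and so also admits 192.168.1.0.
KEVIN_NET1 = ["!192.168.1.0", "192.168.1.0/26", "192.168.1.64/27", "192.168.1.96/30"]
DAN_NET1 = ["192.168.1.0/26", "192.168.1.64/27", "192.168.1.96/30"]
NET2 = ["192.168.1.100/30", "192.168.1.104/29", "192.168.1.112/28",
        "192.168.1.128/26", "192.168.1.192/29"]


def range_to_prefixes(first, last):
    """Split an inclusive address range into the fewest CIDR blocks (no negation)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def acl_allows(acl, addr):
    """Evaluate a BIND address-match list: elements are tested in order, the
    first one containing the address decides (a leading '!' means deny), and an
    address matched by no element is denied."""
    ip = ipaddress.ip_address(addr)
    for element in acl:
        negated = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("!"), strict=False)
        if ip in net:
            return not negated
    return False


def allowed_hosts(acl, subnet="192.168.1.0/24"):
    """Return the set of last octets in `subnet` that the ACL admits."""
    return {int(ip) & 0xFF for ip in ipaddress.ip_network(subnet) if acl_allows(acl, ip)}


def acl_stanza(name, elements):
    """Render an acl block in named.conf syntax."""
    return "acl %s { %s };" % (name, " ".join(e + ";" for e in elements))


if __name__ == "__main__":
    # Without negation .1-.99 needs eight prefixes; Kevin's negated form needs four.
    print(acl_stanza("net1", range_to_prefixes("192.168.1.1", "192.168.1.99")))
    print(acl_stanza("net2", range_to_prefixes("192.168.1.100", "192.168.1.199")))
    print(sorted(allowed_hosts(KEVIN_NET1)) == list(range(1, 100)))
    print(sorted(allowed_hosts(DAN_NET1)) == list(range(0, 100)))
```

Running `allowed_hosts` over each proposed ACL before committing it to named.conf is the quick way to catch the off-by-one-prefix mistakes Kevin warns about.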

defines ip to acl

2016-10-17 Thread Pol Hallen

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1
and ip from 192.168.1.100 to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol


Re: R: Reloading match-clients

2016-10-17 Thread Cathy Almond
On 14/10/2016 13:13, Matus UHLAR - fantomas wrote:
> On 14.10.16 13:51, Job wrote:
>> There is no way to update dynamically the match_clients without
>> reconfig/reloading?

What are you using the different views for, that the clients allowed to
access them are changing so often?

There may be a better way to achieve what you want that doesn't involve
having to keep changing match-clients.



BIND 9.11.0 RPZ performance issue

2016-10-17 Thread Daniel Stirnimann
Hi,

I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND
9.11.0 and I notice timeouts for 3 - 5 seconds about every 1 to 5 hour.

I have managed to trace this back to our RPZ configuration. I have 14
RPZ zones configured. Some of them are quite large (e.g. Spamhaus). The
only work around for this timeout issue I came up with so far is to
remove two large Spamhaus RPZ zones which leaves my configuration at 12
zones. Removing one or two smaller zones does not help though.

The timeout does not occur during/after XFR of a zone. I also tried to
optimize the zone format and journal size (e.g. masterfile-format map;
max-journal-size 100M;) as I believed this could be a filesystem
performance issue but this change did not help. It is important to
mention that our BIND resolvers are virtualized. However, I have two
virtualization stacks to try out and both (Openstack, KVM) have this
problem. How busy a resolver is plays no role. I see this timeout issue
on an almost idle (only monitoring requests) resolver as well although
at a slightly lower frequency.

There is no log event (BIND/linux) which indicates a problem. I believed
RPZ performance would only get better after upgrading but apparently,
there is some change which makes performance worse.

Has anyone else noticed RPZ performance issues with BIND 9.11.0 and do
you have any suggestions? (A slightly obfuscated configuration of ours is
appended.)

Daniel

options {
    directory "/var/named/slaves";
    listen-on port 53 {
        "any";
    };
    listen-on-v6 port 53 {
        "any";
    };
    pid-file "/var/run/named/named.pid";
    auth-nxdomain no;
    dnssec-enable yes;
    dnssec-validation yes;
    empty-zones-enable yes;
    recursion yes;
    allow-query {
        "SWITCHlan";
    };
    allow-transfer {
        "none";
    };
    max-journal-size 104857600;
    notify no;
};
controls {
    inet 127.0.0.1 allow {
        127.0.0.1/32;
    } keys {
        "rndc-key";
    };
    inet ::1 allow {
        ::1/128;
    } keys {
        "rndc-key";
    };
};
acl "SWITCHlan" {
    ?;
};
masters "switch-rpz-master" {
    ? key "rpz-xfr.switch.ch.";
    ? key "rpz-xfr.switch.ch.";
};
logging {
    channel "switch_local" {
        file "/var/log/named/named" versions 10 size 6291456;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "switch_queries" {
        file "/var/log/named/queries" versions 10 size 83886080;
        severity info;
        print-time yes;
    };
    channel "switch_queryerrors" {
        file "/var/log/named/queryerrors" versions 2 size 52428800;
        severity debug 1;
        print-time yes;
    };
    channel "switch_syslog" {
        syslog "local1";
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "switch_syslog-debug" {
        syslog "local1";
        severity debug 1;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "switch_other" {
        file "/var/log/named/other" versions 10 size 6291456;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "switch_rpz_local" {
        file "/var/log/named/rpz" versions 10 size 10485760;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "general" {
        "switch_local";
    };
    category "notify" {
        "switch_local";
    };
    category "xfer-in" {
        "switch_local";
    };
    category "xfer-out" {
        "switch_local";
    };
    category "network" {
        "switch_local";
    };
    category "dnssec" {
        "switch_syslog";
        "switch_local";
    };
    category "rpz" {
        "switch_rpz_local";
    };
    category "default" {
        "switch_other";
    };
    category "query-errors" {
        "switch_queryerrors";
        "switch_syslog-debug";
    };
};
view "default" {
    match-destinations {
        "any";
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
        masterfile-format text;
    };
    zone "zone.1.rpz.switch.ch." {
        type slave;
        file