Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Grant Taylor via bind-users

On 3/31/21 10:00 AM, Tony Finch wrote:
> Because of this, if it's important for you to avoid multi-second
> DNS lookup times ... you need to design your system so that the libc
> resolver never tries to talk to a DNS server that isn't available.


I've seen various client OSs fail in really weird ways when the first 
DNS server in the list doesn't respond quick enough, much less never.



> Another way is a high availability setup for your recursive servers.


+1 to something like VRRP / CARP / routing tricks to make sure that the 
Virtual / Service IP that clients use as the first DNS server is always 
available.  Even if the first and second IP are on the same system for a 
few minutes while the other is patched.




--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Local resolution first and then public resolution for "google.com" domain (Roberto Carna)

2021-03-31 Thread Bob McDonald
You could use RPZ for the entry "www.google.com" and then the rest of the
domain would resolve from the internet.

Regards,

Bob
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 13:57, Roberto Carna wrote:
> But if I want to resolve:
>
> foo.google.com
>
> that doesn't exist in my google.com private zone, I don't obtain any result.


do NOT define a private zone "google.com".
Configure a private zone "www.google.com" that will NOT contain anything other
than www.google.com and names below it.

Or, better, install dnsmasq and redefine "www.google.com" via /etc/hosts.


> I need to tell my private BIND to forward to 8.8.8.8 all the received
> *.google.com queries, except www.google.com that is the one locally
> resolved.


there's no point in forwarding from BIND to public nameservers.


On Wed, 31 Mar 2021 at 13:48, Matus UHLAR - fantomas
() wrote:


On 31.03.21 13:07, Roberto Carna wrote:
>Dear Matus, maybe I have not understood very well...
>
>I can setup a master zone as you said:
>
>zone "www.google.com" {
>type master;
>file "...";
>};
>
>But what are the needed clauses from Bind's named.conf.options file in
>order to tell "if foo.google.com is not present in the google.com
>private zone, you have to forward the query to another server (public
>forwarder) in order to be publicly resolved" ???

that above will cover www.google.com and *.www.google.com

>On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
>() wrote:
>>
>> On 31.03.21 12:49, Roberto Carna wrote:
>> >Dear, I have a BIND private DNS server which has two forwarders for
>> >public resolution.
>> >
>> >I need to create a private zone "google.com" with just one A record as follows:
>> >
>> >www.google.com IN A 192.168.0.100
>> >
>> >All the local clients will resolve www.google.com to a private address
>> >from our company.
>> >
>> >And for the other google.com records that this private BIND receives
>> >and they are not defined in the local private zone, they have to be
>> >forwarded to the public forwarders in order to be resolved as normal.
>> >
>> >Is it possible to have this scenario ???
>>
>> yes, simply define zone
>>
>> zone "www.google.com" {
>> type master;
>> file "...";
>> };
>>
>> note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
>> overridden through /etc/hosts would be an easier solution.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
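The reason Matus says not to define "google.com" itself, and why Bob's and Tony's RPZ suggestion also works, comes down to which local zone an authoritative server picks for a query. The model below is an added example, not BIND code: it applies the "closest enclosing zone" rule (the local zone whose origin is the longest matching suffix of the query name answers, and answers with NXDOMAIN for names it does not hold), lets unmatched names fall through to forwarding, and models an RPZ local-data rule for the exact name as a rewrite of that forwarded answer. The zone contents, the 192.168.0.100 address from the thread and the outcome labels are constructed for illustration.

```python
"""Why a tiny "www.google.com" zone works and a "google.com" zone does not.

Added example, not BIND code: a model of the rule an authoritative server
applies when choosing which local zone answers a query (the zone whose origin
is the longest matching suffix of the query name, the "closest enclosing
zone"). Names with no matching local zone fall through to recursion or the
configured forwarders; the optional response-policy map models an RPZ
local-data rule applied to that recursive answer. Addresses and zone data
are constructed.
"""
from typing import Dict, Optional, Tuple

Zones = Dict[str, Dict[str, str]]   # origin -> {owner name -> A record}


def labels(name: str) -> list:
    return name.rstrip(".").lower().split(".")


def closest_zone(qname: str, zones: Zones) -> Optional[str]:
    """Origin of the local zone with the longest label suffix matching qname."""
    q = labels(qname)
    best = None
    for origin in zones:
        z = labels(origin)
        if len(z) <= len(q) and q[-len(z):] == z:
            if best is None or len(z) > len(labels(best)):
                best = origin
    return best


def resolve(qname: str, zones: Zones,
            rpz: Optional[Dict[str, str]] = None) -> Tuple[str, Optional[str]]:
    """(outcome, address): LOCAL/NXDOMAIN from a local zone, RPZ rewrite, or FORWARD."""
    key = ".".join(labels(qname))
    zone = closest_zone(qname, zones)
    if zone is not None:
        # The server is authoritative for this name: it answers itself and
        # never forwards, so a name missing from the zone is an NXDOMAIN.
        if key in zones[zone]:
            return ("LOCAL", zones[zone][key])
        return ("NXDOMAIN", None)
    # No local zone: the query is recursed/forwarded; an RPZ local-data rule
    # for the exact name (QNAME trigger) then rewrites the answer.
    if rpz and key in rpz:
        return ("RPZ", rpz[key])
    return ("FORWARD", None)


# Constructed configurations mirroring the thread
BAD_ZONES: Zones = {"google.com": {"www.google.com": "192.168.0.100"}}
GOOD_ZONES: Zones = {"www.google.com": {"www.google.com": "192.168.0.100"}}
RPZ_ONLY: Dict[str, str] = {"www.google.com": "192.168.0.100"}


if __name__ == "__main__":
    for name in ("www.google.com", "foo.google.com", "mail.www.google.com"):
        print(f"{name:22} zone google.com: {resolve(name, BAD_ZONES)}  "
              f"zone www.google.com: {resolve(name, GOOD_ZONES)}  "
              f"RPZ only: {resolve(name, {}, RPZ_ONLY)}")
```

With BAD_ZONES, foo.google.com never leaves the server (NXDOMAIN), which is exactly the symptom Roberto reports; with GOOD_ZONES it is forwarded, while anything at or below www.google.com is answered locally.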


Can you share some real-world queries with ISC?

2021-03-31 Thread Victoria Risk
Hello again BIND-users,

Sorry for asking for help twice in one day.

We are setting up a new resolver performance test bed, one that we hope will be 
a better simulation of real-world deployment.  Once we have this working, we 
should be able to profile BIND performance using DoH and DoT as well as Do53. 
We are using the DNS Shotgun tool for this purpose. 
(https://dns-shotgun.readthedocs.io/en/stable/)

Anyway, we need to feed this test bed with some PCAPS. We have only a few 
samples right now, and if we could get a few more, our test bed would be more 
representative of the actual Internet.

We don’t want to publish how to upload files to us, because that will 
immediately be filled with spam, so if you are willing to submit some of your 
resolver packet captures, please email me and I will give you instructions on 
where to put your file so that we can retrieve it.  I have included some 
instructions on capturing the packets below so you can see what is involved.

Thank you for considering this.

Vicky
-


If you are able to share some pcaps, here are some generic instructions. 

dnscap \
-z 192.0.2.1 \
-z 2001:db8::1 \
-i any \
-p \
-s i \
-w /output/pcap \
-C 1073741824 \
-k 'xz -9' \
-B '2021-01-08 11:40:00' \
-E '2021-01-08 21:40:00' \
-S \
-6 \
-P /usr/lib/dnscap/anonaes128.so \
-4 \
-K /dev/urandom \
-I /dev/urandom

Explanation:
dnscap - https://www.dns-oarc.net/tools/dnscap 


-z # IP address the DNS resolver uses to receive client queries; duplicate 
-z if it has more IP addresses. This is crucial to filter out queries from BIND 
itself to the Internet

-i any # network interface name receiving client queries ("any" should be fine 
so they do not need to bother with explicit names)

-p # ask for the interface not to be put into promiscuous mode; it's not needed as we 
capture only the traffic directed to this server

-s i # capture only queries but not answers (thus
making the output file smaller) - has to be combined with -z above

-w # output file name base

-C # maximum individual file size in bytes, 1 GB recommended

-k 'xz -9' # compression command, feel free to change

-B -E # start/stop capture times, please do not forget to modify

-S # print statistics, optional

-6 # enable IPv6 support, omit for dnscap version 2.0.0 and newer

-P -4 ... # anonymizing IPv6 and also IPv4 addresses using random AES key, i.e. 
key is forgotten when process exits


A good sample size is 10 hours but shorter samples can also be useful; we can 
eventually combine samples from multiple submitters.


Bonus points if we can get the command running in parallel on multiple servers, 
e.g. on 10 servers for 1 hour, or 5 servers for 2 hours, etc.

If running on multiple servers please replace
-K /dev/urandom -I /dev/urandom
with
-k putrandomkeyhere -i putrandomkeyhere
and use the same 16-character string on all servers.

-k -i specify explicit anonymization keys so the same clients are anonymized in 
the same way across all servers. They should not tell us what values they were 
using during capture, otherwise we could partially deanonymize the data.


Plan to remove ISC custom SPNEGO from BIND

2021-03-31 Thread Victoria Risk
Hey there BIND Users-

We have removed the ISC custom SPNEGO implementation from the development 
branch (9.17.x). We intend to also remove it from BIND 9.16 and 9.11. This is 
very old and fragile code and it provides extra risk for everyone, while 
being useful for (we think) almost nobody.

- First what it is: SPNEGO is some black magic which helps to negotiate how a 
client authenticates to a server (basically find the intersection of the sets of 
supported mechanisms on both sides). (https://en.wikipedia.org/wiki/SPNEGO)

- Normally it is provided by libraries installed in the operating system, but 
for historical reasons BIND carries its own copy of that library. (back when 
there were more operating systems that didn’t have this support)

- Support for BIND was introduced in 2006, and in the same year support for the 
same was introduced into MIT Kerberos 1.5. 
(https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.html)

- Systems with the MIT Kerberos library (which is open-source) newer than 15 
years can use that system library version, and ignore whatever BIND ships.

- The MIT Kerberos version has been patched many times over the years while the 
ISC implementation has not been well maintained.

We wouldn’t normally remove something from an old stable extended support 
version (9.11) but since this code seems to be obsolete and risky, we plan to 
do so. If anyone can think of a good reason not to, please let us know asap. SW 
Engineering’s fingers are quivering over the delete key.

Thank you!

Vicky
-
Vicky Risk
Product Manager



Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Roberto Carna
But if I want to resolve:

foo.google.com

that doesn't exist in my google.com private zone, I don't obtain any result.

I need to tell my private BIND to forward to 8.8.8.8 all the received
*.google.com queries, except www.google.com that is the one locally
resolved.

Thanks again !!!

On Wed, 31 Mar 2021 at 13:48, Matus UHLAR - fantomas
() wrote:
>
> On 31.03.21 13:07, Roberto Carna wrote:
> >Dear Matus, maybe I have not understood very well...
> >
> >I can setup a master zone as you said:
> >
> >zone "www.google.com" {
> >type master;
> >file "...";
> >};
> >
> >But what are the needed clauses from Bind's named.conf.options file in
> >order to tell "if foo.google.com is not present in the google.com
> >private zone, you have to forward the query to another server (public
> >forwarder) in order to be publicly resolved" ???
>
> that above will cover www.google.com and *.www.google.com
>
> >On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
> >() wrote:
> >>
> >> On 31.03.21 12:49, Roberto Carna wrote:
> >> >Dear, I have a BIND private DNS server which has two forwarders for
> >> >public resolution.
> >> >
> >> >I need to create a private zone "google.com" with just one A record as follows:
> >> >
> >> >www.google.com IN A 192.168.0.100
> >> >
> >> >All the local clients will resolve www.google.com to a private address
> >> >from our company.
> >> >
> >> >And for the other google.com records that this private BIND receives
> >> >and they are not defined in the local private zone, they have to be
> >> >forwarded to the public forwarders in order to be resolved as normal.
> >> >
> >> >Is it possible to have this scenario ???
> >>
> >> yes, simply define zone
> >>
> >> zone "www.google.com" {
> >> type master;
> >> file "...";
> >> };
> >>
> >> note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
> >> overridden through /etc/hosts would be an easier solution.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> "One World. One Web. One Program." - Microsoft promotional advertisement
> "One people, one Reich, one leader!" - Adolf Hitler


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 13:07, Roberto Carna wrote:
> Dear Matus, maybe I have not understood very well...
>
> I can setup a master zone as you said:
>
> zone "www.google.com" {
> type master;
> file "...";
> };
>
> But what are the needed clauses from Bind's named.conf.options file in
> order to tell "if foo.google.com is not present in the google.com
> private zone, you have to forward the query to another server (public
> forwarder) in order to be publicly resolved" ???


that above will cover www.google.com and *.www.google.com


On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
() wrote:


On 31.03.21 12:49, Roberto Carna wrote:
>Dear, I have a BIND private DNS server which has two forwarders for
>public resolution.
>
>I need to create a private zone "google.com" with just one A record as follows:
>
>www.google.com IN A 192.168.0.100
>
>All the local clients will resolve www.google.com to a private address
>from our company.
>
>And for the other google.com records that this private BIND receives
>and they are not defined in the local private zone, they have to be
>forwarded to the public forwarders in order to be resolved as normal.
>
>Is it possible to have this scenario ???

yes, simply define zone

zone "www.google.com" {
type master;
file "...";
};

note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
overridden through /etc/hosts would be an easier solution.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one Reich, one leader!" - Adolf Hitler


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Roberto Carna
Dear Matus, maybe I have not understood very well...

I can setup a master zone as you said:

zone "www.google.com" {
type master;
file "...";
};

But what are the needed clauses from Bind's named.conf.options file in
order to tell "if foo.google.com is not present in the google.com
private zone, you have to forward the query to another server (public
forwarder) in order to be publicly resolved" ???

Thanks a lot again.



On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
() wrote:
>
> On 31.03.21 12:49, Roberto Carna wrote:
> >Dear, I have a BIND private DNS server which has two forwarders for
> >public resolution.
> >
> >I need to create a private zone "google.com" with just one A record as follows:
> >
> >www.google.com IN A 192.168.0.100
> >
> >All the local clients will resolve www.google.com to a private address
> >from our company.
> >
> >And for the other google.com records that this private BIND receives
> >and they are not defined in the local private zone, they have to be
> >forwarded to the public forwarders in order to be resolved as normal.
> >
> >Is it possible to have this scenario ???
>
> yes, simply define zone
>
> zone "www.google.com" {
> type master;
> file "...";
> };
>
> note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
> overridden through /etc/hosts would be an easier solution.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Tony Finch
Matus UHLAR - fantomas  wrote:
>
> note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
> overridden through /etc/hosts would be an easier solution.

Or a response policy zone, if you don't want to switch software

https://bind9.readthedocs.io/en/v9_16_13/reference.html#rpz

Tony.
-- 
f.anthony.n.finch    https://dotat.at/
Forties, Cromarty, Forth: Northeast 5 to 7, backing north 3 to 5.
Slight or moderate. Rain at first. Good, occasionally poor at first.




Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Tony Finch
Tom Preissler  wrote:
>
> at my work place we have a three resolver setup in /etc/resolv.conf.
>
> We had sometimes, though rarely, response times for DNS like 14000ms,
> due to the fact that the *first* listed resolver is down for maintenance
> reasons.

Sadly the traditional unix stub resolver behaves REALLY BADLY if any of
its servers are unavailable. It does not keep enough information about
server performance and isn't really designed to be able to do that. The
resolv.conf tuning options are too coarse to help in any meaningful way.

Because of this, if it's important for you to avoid multi-second DNS
lookup times (and it usually is!), you need to design your system so that
the libc resolver never tries to talk to a DNS server that isn't
available.

As Matus Uhlar said, one way is to run a resolver daemon (e.g. BIND
configured to forward to your recursive servers) on each machine. Resolver
daemons are better able to keep track of which server is up, and they are
less likely to be unavailable when the client software needs them since
they are on the same machine. Most operating systems have resolver daemons
now; it's basically only oldskool unix that needs extra setup.

Another way is a high availability setup for your recursive servers. I use
keepalived (my servers are on a resilient layer 2 network that spans
multiple locations); or you can use anycast if you need to do failover at
layer 3.

Of course, you can do both :-)

Tony.
-- 
f.anthony.n.finch    https://dotat.at/
Faeroes: North backing west 5 or 6, decreasing 3 or 4 for a time.
Moderate or rough. Fair. Good.

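Tony's advice is to make sure the libc stub never has to discover that a server is down. A monitoring check that reads the same resolv.conf the stub uses and times each listed server on its own (instead of going through the stub, which masks per-server failures) catches a server that is down for maintenance before clients stall on it. The script below is an added example, not code from the thread, BIND or glibc: it parses the nameserver lines and the timeout/attempts/rotate options with the caps documented in resolv.conf(5), keeps only the first MAXNS (3) servers the stub will ever use, builds a plain UDP query for a probe name by hand, and reports each server's round-trip time or DOWN. The probe name example.com, port 53 and the sample resolv.conf text are assumptions made for the example.

```python
"""Probe each nameserver in resolv.conf independently.

Added example (not code from the thread, BIND or glibc): reads the resolver
configuration the libc stub uses, builds a minimal DNS query by hand and
times each listed server on its own, so a server that is down for
maintenance shows up in monitoring before the stub resolver stalls on it.
"""
import random
import socket
import struct
import time
from typing import List, Optional

MAXNS = 3                    # resolv.conf(5): only the first MAXNS servers are used
RES_TIMEOUT = 5              # resolv.conf(5): default timeout, silently capped at 30
RES_DFLRETRY = 2             # resolv.conf(5): default attempts, silently capped at 5
PROBE_NAME = "example.com"   # assumed probe name; any name the server answers works


def parse_resolv_conf(text: str) -> dict:
    """Extract nameservers and the timeout/attempts/rotate options."""
    conf = {"nameservers": [], "timeout": RES_TIMEOUT,
            "attempts": RES_DFLRETRY, "rotate": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            conf["nameservers"].append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("timeout:"):
                    conf["timeout"] = min(int(opt.split(":", 1)[1]), 30)
                elif opt.startswith("attempts:"):
                    conf["attempts"] = min(int(opt.split(":", 1)[1]), 5)
                elif opt == "rotate":
                    conf["rotate"] = True
    return conf


def usable_nameservers(conf: dict) -> List[str]:
    """Servers beyond the third are silently ignored by the stub resolver."""
    return conf["nameservers"][:MAXNS]


def build_query(qname: str, qid: int) -> bytes:
    """Standard query, RD=1, one question: <qname> IN A."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data: bytes, qid: int) -> Optional[int]:
    """Return the RCODE if data is a response to our query id, else None."""
    if len(data) < 12:
        return None
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid or not flags & 0x8000:       # wrong id, or QR bit not set
        return None
    return flags & 0x000F


def probe(server: str, qname: str = PROBE_NAME,
          timeout: float = RES_TIMEOUT) -> Optional[float]:
    """Round-trip time in milliseconds, or None if the server did not answer."""
    qid = random.randrange(0, 0x10000)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(build_query(qname, qid), (server, 53))
            while True:                          # ignore stray datagrams
                data, _ = sock.recvfrom(512)
                if parse_response(data, qid) is not None:
                    return (time.monotonic() - start) * 1000.0
        except (socket.timeout, OSError):
            return None


# Constructed sample, not a file from the thread
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 2001:db8::53
nameserver 192.0.2.4
options timeout:1 attempts:2
"""

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        conf = parse_resolv_conf(fh.read())
    for server in usable_nameservers(conf):
        rtt = probe(server, timeout=conf["timeout"])
        status = "DOWN" if rtt is None else f"{rtt:.1f} ms"
        print(f"{server}: {status}")
```

Run it from the host whose resolv.conf is in question; a DOWN on the first listed server is the condition that produces the multi-second lookups discussed above, and a fourth nameserver line is reported as never used rather than as a fallback.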


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 12:49, Roberto Carna wrote:
> Dear, I have a BIND private DNS server which has two forwarders for
> public resolution.
>
> I need to create a private zone "google.com" with just one A record as follows:
>
> www.google.com IN A 192.168.0.100
>
> All the local clients will resolve www.google.com to a private address
> from our company.
>
> And for the other google.com records that this private BIND receives
> and they are not defined in the local private zone, they have to be
> forwarded to the public forwarders in order to be resolved as normal.
>
> Is it possible to have this scenario ???


yes, simply define zone

zone "www.google.com" {
type master;
file "...";
};

note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
overridden through /etc/hosts would be an easier solution.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Roberto Carna
Dear, I have a BIND private DNS server which has two forwarders for
public resolution.

I need to create a private zone "google.com" with just one A record as follows:

www.google.com IN A 192.168.0.100

All the local clients will resolve www.google.com to a private address
from our company.

And for the other google.com records that this private BIND receives
and they are not defined in the local private zone, they have to be
forwarded to the public forwarders in order to be resolved as normal.

Is it possible to have this scenario ???

Thanks a lot!!!

Robert


Re: replication time for dynamic records from primary to secondary servers

2021-03-31 Thread Tony Finch
Cuttler, Brian R (HEALTH) via bind-users  wrote:
>
> We are seeing a delay in the primary DNS server updating the secondary
> and would like to shorten that interval.

This is probably due to NOTIFY messages not working. NOTIFY is the
mechanism that allows primary servers to tell secondaries to get the
latest version of a zone promptly. I wrote some notes on debugging slow
zone transfers a couple of weeks ago:

https://lists.isc.org/pipermail/bind-users/2021-March/104278.html

Tony.
-- 
f.anthony.n.finch    https://dotat.at/
Fair Isle: North 5 or 6, decreasing 3 or 4, then backing northwest 4
or 5 later. Moderate or rough, becoming slight or moderate. Mainly
fair. Good.



Re: 9.16.13 overwrote master files

2021-03-31 Thread Ondřej Surý
Hi Carl,

at this point, I am going to ask you to open an issue in our GitLab instance:

https://gitlab.isc.org/isc-projects/bind9/issues

Thanks,
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 30. 3. 2021, at 22:24, Carl Byington via bind-users 
>  wrote:
> 
> Signed PGP part
> On Tue, 2021-03-30 at 15:45 +1100, Mark Andrews wrote:
> 
> > can you add a "#" in front of "dnssec-policy" in bin/named/config.c
> > and see how that goes for you.  That will comment out the default
> > 'dnssec-policy "none";'.
> 
> I have not been able to reproduce this in a disposable centos 8 VM,
> using the same /etc/named.conf and /var/named contents from the
> production server. If I cannot make that work, I will try reproducing
> the error on the production server tomorrow. Once I get a reproducible
> scenario, I will try your above patch.
> 
> 
> 





RE: replication time for dynamic records from primary to secondary servers

2021-03-31 Thread Cuttler, Brian R (HEALTH) via bind-users


Sorry, crisis (not named related)

I will post sections of the named.conf later if needed, but will answer the 
simple questions now.

I don't know what the propagation delay is, notifications are enabled, when the 
primary reloads a zone the secondary gets notified and requests a zone xfer.
When the secondary expires a zone a zone xfer request is sent to the primary.

I suspect what is happening is that when DHCPd creates/expires dynamic records 
in the primary we are not notifying the secondary of the change and there is no 
IXFR.
That is what I was looking for and don't know where to find it, but it looks to me 
like the button I want to press.
Is that where I should be looking?

Thanks,
Brian

-Original Message-
From: bind-users  On Behalf Of John Thurston
Sent: Tuesday, March 30, 2021 5:00 PM
To: bind-users@lists.isc.org
Subject: Re: replication time for dynamic records from primary to secondary 
servers



On 3/30/2021 12:30 PM, Cuttler, Brian R (HEALTH) via bind-users wrote:
> We are seeing a delay in the primary DNS server updating the secondary and 
> would like to shorten that interval.

Can you post the pertinent bits of your primary's and secondary's config
for the zone?

In the absence of that, I pose a few questions:

How long is it taking now?
What is your target interval?

Do you have NOTIFY enabled on the primary?
How large is the zone?
If you look in the log, do you see XFRs queuing?
How many secondaries are there?
Do you have limits defined on the number of simultaneous transfers?

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska


Re: Maximum limit in a NAPTR RR

2021-03-31 Thread Mark Andrews
The flags, services and regexp are each limited to 255 characters.

https://tools.ietf.org/html/rfc2915

8. DNS Packet Format

   The packet format for the NAPTR record is:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     ORDER                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                  PREFERENCE                   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    /                     FLAGS                     /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    /                   SERVICES                    /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    /                    REGEXP                     /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    /                  REPLACEMENT                  /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

   where:

   FLAGS A <character-string> which contains various flags.

   SERVICES A <character-string> which contains protocol and service
      identifiers.

   REGEXP A <character-string> which contains a regular expression.

   REPLACEMENT A <domain-name> which specifies the new value in the
      case where the regular expression is a simple replacement
      operation.

   <character-string> and <domain-name> as used here are defined in
   RFC1035 [1].



> On 31 Mar 2021, at 21:53, Harshith Mulky  wrote:
> 
> Hello Experts,
> 
> Need a help,
> How do I know what is the maximum limit in a NAPTR RR which I am trying to 
> configure?
> 
> If I configure as below
> 
> 5.4.7.7.7.0.1.telus.com. IN NAPTR 8 0 "u" "sip+E2U" 
> "!^(.*)()(..)$!sip:\\1@154.11.143.16;maddr=\\2.\\3.prim-sc.RL.telus.com;x-nortel-profile=canadian.destinations;lata=;tgrp=EGRESS;name=example;place=india;animal=peacock;thing=wheel;test1=;test2=;test3=;test4=;test5=;test6=;test7=!".
> 
> I am getting Error as below:
> # named-checkzone telus.com telus.zone
> dns_rdata_fromtext: telus.zone:35: syntax error
> zone telus.com/IN: loading from master file telus.zone failed: syntax error
> zone telus.com/IN: not loaded due to errors.
> 
> But if I have a reduced response removing few lines/characters as below
> 5.4.7.7.7.0.1.telus.com. IN NAPTR 8 0 "u" "sip+E2U" 
> "!^(.*)()(..)$!sip:\\1@154.11.143.16;maddr=\\2.\\3.prim-sc.RL.telus.com;x-nortel-profile=canadian.destinations;lata=;tgrp=EGRESS;name=example;place=india;animal=peacock;thing=wheel;test1=;test2=;test3=;test4=;test5=;test6=!";
> 
> I have no issues with loading the Zone file
> # named-checkzone telus.com telus.zone
> zone telus.com/IN: loaded serial 2021033103
> OK
> 
> My question:
> 
>   • Is there a limit to the number of characters in a Resource Record?
>   • If yes, is there a possibility to increase this limit in the RR? 
> Thanks in Advance
> Harshith

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 10:56, Tom Preissler via bind-users wrote:

at my workplace we have a three resolver setup in /etc/resolv.conf.


resolv.conf is not a BIND thing, it's configuration of system libraries. 


We had sometimes, though rarely, response times for DNS like 14000ms,
due to the fact that the *first* listed resolver is down for maintenance
reasons. The application we test this with is Oracle/TNSPing.


if this is an issue, you can run a local caching DNS server like BIND or
dnsmasq. They can handle such timeouts better than most libraries.


As a mitigation we therefore put in timeout:1, but we just recently got
again a TNSPing response of 9000ms.

I noticed in man resolv.conf this section on "timeout":

 timeout:n
Sets the amount of time the resolver will wait for
a response from a remote name server before
retrying the query via a different name server.
|This may not be the total time taken by any
|resolver API call and there is no guarantee that a
|single resolver API call maps to a single timeout.
Measured in seconds, the default is RES_TIMEOUT
(currently 5, see <resolv.h>).  The value for this
option is silently capped to 30.

I am intrigued by the above sentence marked with "|". Does anybody
know what that means in detail, can anybody explain that please?

I explained the reason for the 9000ms so that Oracle and its many processes
all come together to resolve the DNS name and they *keep hitting* the first
resolver - and "timeout" can't kick in due to parallel requests from different
processes, hence the high overall response time.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


resolv.conf question / timeout behaviour

2021-03-31 Thread Tom Preissler via bind-users
Hi,

at my workplace we have a three resolver setup in /etc/resolv.conf.

We had sometimes, though rarely, response times for DNS like 14000ms,
due to the fact that the *first* listed resolver is down for maintenance
reasons. The application we test this with is Oracle/TNSPing.
As a mitigation we therefore put in timeout:1, but we just recently got
again a TNSPing response of 9000ms.

I noticed in man resolv.conf this section on "timeout":

  timeout:n
 Sets the amount of time the resolver will wait for
 a response from a remote name server before
 retrying the query via a different name server.
|This may not be the total time taken by any
|resolver API call and there is no guarantee that a
|single resolver API call maps to a single timeout.
 Measured in seconds, the default is RES_TIMEOUT
 (currently 5, see <resolv.h>).  The value for this
 option is silently capped to 30.

I am intrigued by the above sentence marked with "|". Does anybody
know what that means in detail, can anybody explain that please?

I explained the reason for the 9000ms so that Oracle and its many processes
all come together to resolve the DNS name and they *keep hitting* the first
resolver - and "timeout" can't kick in due to parallel requests from different
processes, hence the high overall response time.


Kind Regards

Thomas Preissler
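The man-page sentence marked with "|" (one resolver API call need not map to one timeout), quoted both in Tom's post and in Matus's reply, can be seen in a small model. This is an added example, not from the thread or from glibc: it parses a constructed resolv.conf and, under the simplifying assumptions stated in its header, bounds how long one lookup can take when the first listed server is down, charging one timeout for every candidate name the search list makes the call try (the names ResolvConf, parse_resolv_conf, candidates, query_seconds and worst_case_seconds are mine).

```python
# Added example (not from the thread): a simplified model of a glibc-style stub
# resolver walking /etc/resolv.conf while a listed nameserver never answers.
# Assumed: each query restarts at nameserver 1 (no "rotate"); dead = drops packets.
from dataclasses import dataclass, field

@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    timeout: int = 5     # RES_TIMEOUT default quoted in the thread
    attempts: int = 2    # glibc default RES_DFLRETRY
    ndots: int = 1

def parse_resolv_conf(text):
    rc = ResolvConf()
    for line in text.splitlines():
        parts = line.split('#')[0].split()   # strip comments and blank lines
        if parts and parts[0] == "nameserver":
            rc.nameservers.append(parts[1])
        elif parts and parts[0] == "search":
            rc.search = parts[1:]
        elif parts and parts[0] == "options":
            for name, _, val in (o.partition(':') for o in parts[1:]):
                if name in ("timeout", "attempts", "ndots"):
                    setattr(rc, name, int(val))
    rc.timeout = min(rc.timeout, 30)   # man page: silently capped to 30
    return rc

def candidates(name, rc):
    # Names one API call may query, in search-list order (ndots rule)
    if name.endswith('.'):
        return [name]
    expanded = [name + '.' + d for d in rc.search]
    return [name] + expanded if name.count('.') >= rc.ndots else expanded + [name]

def query_seconds(rc, dead):
    # Delay before one query is answered, or abandoned after all attempts
    wait = 0
    for _ in range(rc.attempts):
        for ns in rc.nameservers:
            if ns not in dead:
                return wait       # first live server in list order answers
            wait += rc.timeout    # dead server: wait the full timeout, move on
    return wait

def worst_case_seconds(name, rc, dead):
    # One call pays the dead-server delay once per candidate name it tries
    return sum(query_seconds(rc, dead) for _ in candidates(name, rc))

# Constructed sample matching the thread: three resolvers, the first one down.
SAMPLE = ("search corp.example\nnameserver 192.0.2.1\nnameserver 192.0.2.2\n"
          "nameserver 192.0.2.3\noptions timeout:1\n")
```

With the sample above, a short name such as "db01" is tried as "db01.corp.example" and then "db01", so even with timeout:1 a single call waits about 2 seconds, and with the default timeout of 5 it waits about 10.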


Maximum limit in a NAPTR RR

2021-03-31 Thread Harshith Mulky
Hello Experts,

I need some help.
How do I know what the maximum limit is in a NAPTR RR which I am trying to 
configure?

If I configure as below

5.4.7.7.7.0.1.telus.com. IN NAPTR 8 0 "u" "sip+E2U" 
"!^(.*)()(..)$!sip:\\1@154.11.143.16;maddr=\\2.\\3.prim-sc.RL.telus.com;x-nortel-profile=canadian.destinations;lata=;tgrp=EGRESS;name=example;place=india;animal=peacock;thing=wheel;test1=;test2=;test3=;test4=;test5=;test6=;test7=!".

I am getting the error below:
# named-checkzone telus.com telus.zone
dns_rdata_fromtext: telus.zone:35: syntax error
zone telus.com/IN: loading from master file telus.zone failed: syntax error
zone telus.com/IN: not loaded due to errors.

But if I have a reduced response, removing a few lines/characters as below,
5.4.7.7.7.0.1.telus.com. IN NAPTR 8 0 "u" "sip+E2U" 
"!^(.*)()(..)$!sip:\\1@154.11.143.16;maddr=\\2.\\3.prim-sc.RL.telus.com;x-nortel-profile=canadian.destinations;lata=;tgrp=EGRESS;name=example;place=india;animal=peacock;thing=wheel;test1=;test2=;test3=;test4=;test5=;test6=!";

I have no issues with loading the zone file:
# named-checkzone telus.com telus.zone
zone telus.com/IN: loaded serial 2021033103
OK

My question:


  1.  Is there a limit to the number of characters in a Resource Record?
  2.  If yes, is there a possibility to increase this limit in the RR?

Thanks in Advance
Harshith
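Mark's RFC quotation earlier on this page identifies the NAPTR REGEXP field as an RFC 1035 <character-string>, whose one-octet length prefix caps it at 255 octets of data. As an added example, not from the thread or from BIND: a small Python checker that unescapes the quoted master-file text of a record such as Harshith's and measures it against that limit, so length can be ruled in or out as a cause of a load failure (unescape_master_text, character_string, check_naptr and the sample records are mine).

```python
# Added example (not from the thread): encode the REGEXP field of a NAPTR
# record as an RFC 1035 <character-string> and report whether it fits the
# single length octet that format allows (at most 255 octets of data).
import re
import struct

MAX_CHARACTER_STRING = 255   # RFC 1035 section 3.3

def unescape_master_text(text):
    """Undo master-file escaping: \\\\ -> \\ and \\DDD -> one octet."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():   # \DDD decimal escape
                out.append(int(digits))
                i += 4
            else:                                       # \\, \", \! and friends
                out.append(ord(text[i + 1]))
                i += 2
            continue
        out.append(ord(text[i]))
        i += 1
    return bytes(out)

def character_string(data):
    """Wire form: one length octet followed by the data."""
    if len(data) > MAX_CHARACTER_STRING:
        raise ValueError(f"{len(data)} octets exceed the 255-octet character-string limit")
    return struct.pack("B", len(data)) + data

# order pref "flags" "service" "regexp" replacement
NAPTR_RE = re.compile(r'NAPTR\s+\d+\s+\d+\s+"[^"]*"\s+"[^"]*"\s+"((?:[^"\\]|\\.)*)"\s+\S+')

def check_naptr(line):
    """Return (octets, fits) for the REGEXP field of one master-file NAPTR line."""
    m = NAPTR_RE.search(line)
    if not m:
        raise ValueError("not a complete NAPTR record")
    regexp = unescape_master_text(m.group(1))
    return len(regexp), len(regexp) <= MAX_CHARACTER_STRING

# Constructed records: a short one and one padded past the limit.
SHORT = 'example.com. IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .'
LONG = ('x.example.com. IN NAPTR 8 0 "u" "sip+E2U" "' + r'!^(.*)$!sip:\\1@example.com;'
        + 'x=;' * 80 + '!" .')
RESULTS = [check_naptr(r) for r in (SHORT, LONG)]   # [(27, True), (268, False)]
```

Note that the doubled backslashes in the zone file (\\1) count as a single octet on the wire, which is why the check measures the unescaped text rather than the quoted source.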