Re: High memory consumption in bind 9.18.2

2022-05-17 Thread Klaus Darilion via bind-users
I remember we had similar issues with 9.18 (isc ppa packages) and hence went 
back to 9.16. But I can not remember the details.

regards
Klaus

> -----Original Message-----
> From: bind-users On Behalf Of Ondrej Surý
> Sent: Wednesday, 18 May 2022 08:37
> To: Raman kumar
> Cc: bind-users@lists.isc.org
> Subject: Re: High memory consumption in bind 9.18.2
> 
> You did not provide any details, so we can’t really help you.
> 
> What is “RAM consumption” anyway? VSZ, RSS, numbers pulled from stats
> channel from named?
> 
> What’s the hardware, what is the configuration, how was BIND 9 compiled
> (or packaged)?
> 
> The more details, the better
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
> 
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
> 
> > On 18. 5. 2022, at 8:32, Raman kumar wrote:
> >
> > Hello Team,
> >
> > While upgrading from BIND 9.16.10 to 9.18.2, we have observed high
> > memory consumption.
> >
> > On version 9.16.2, RAM consumption was 3.8 GB. And on 9.18.2, RAM
> > consumption is 4.5 GB. Due to this an increase of approximately 20 %
> > memory is observed.
> >
> > Is this the expected behaviour or any tuning is needed?
> >
> > Thanks in advance.
> >
> > Regards,
> > Raman
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> > from this list
> >
> > ISC funds the development of this software with paid support
> > subscriptions. Contact us at https://www.isc.org/contact/ for more
> > information.
> >
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users



Re: High memory consumption in bind 9.18.2

2022-05-17 Thread Ondřej Surý
You did not provide any details, so we can’t really help you.

What is “RAM consumption” anyway? VSZ, RSS, numbers pulled from stats channel 
from named?

What’s the hardware, what is the configuration, how was BIND 9 compiled (or 
packaged)?

The more details, the better

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 18. 5. 2022, at 8:32, Raman kumar wrote:
> 
> Hello Team,
> 
> While upgrading from BIND 9.16.10 to 9.18.2, we have observed high memory 
> consumption.
> 
> On version 9.16.2, RAM consumption was 3.8 GB. And on 9.18.2, RAM consumption 
> is 4.5 GB. Due to this an increase of approximately 20 % memory is observed.
> 
> Is this the expected behaviour or any tuning is needed?
> 
> Thanks in advance.
> 
> Regards,
> Raman





High memory consumption in bind 9.18.2

2022-05-17 Thread Raman kumar
Hello Team,

While upgrading from BIND 9.16.10 to 9.18.2, we have observed high memory
consumption.

On version 9.16.2, RAM consumption was 3.8 GB. And on 9.18.2, RAM
consumption is 4.5 GB. Due to this an increase of approximately 20 % memory
is observed.

Is this the expected behaviour or any tuning is needed?

Thanks in advance.

Regards,
Raman


Re: Only one DS key comes back in query

2022-05-17 Thread Victoria Risk
Hi Frank,

The use of example.com and the like on this list is provocative specifically 
because people are frustrated that they then cannot help you. It is something 
of a special situation that since you are not a regular participant here, you 
were unaware of. 

The people on this list will often go to great lengths to help people who post 
problems here, by diagnosing the domain that is having an issue. The way that 
is done is by querying the domain, perhaps closely related domains (parents, 
children, etc), looking at signatures, other fields in the response, etc. This 
very often leads quickly to an answer that helps the poster. This kind of 
active help in troubleshooting your DNS issue cannot be done if you obscure the 
domain name, and that can be frustrating for people on the list who then cannot 
help you. 

This is why it says in the list information: 
(https://lists.isc.org/mailman/listinfo/bind-users)
- If you are debugging an active issue with an externally published domain, 
providing the full domain name allows others to query it in order to help you. 
Omitting, changing, or obscuring the domain can make it harder or impossible 
for others to help you. 

Regards,

Vicky Risk

> On May 16, 2022, at 8:41 PM, frank picabia  wrote:
> 
> I've been using open source for decades.  Long enough that I rarely need to 
> use lists for help.
> 
> Here's the RFC mentioning reserved domain name use:  
> https://www.rfc-editor.org/rfc/rfc2606.html 
> 
> 
> I am ridiculed by an ISC member for using a reserved domain according to the 
> purpose in the RFC and then
> a second ISC member states I am arrogant?   I think there's a bunch of you 
> that need to check your privilege!
> Or maybe these persons are the chief whips responsible for driving people 
> from the lists into paying customers?
> 
> Check other lists.  Postfix. Apache.  Whatever.  No one ever has an issue 
> when they see example.com.
> It's widely known as the boilerplate value you're leaving out of the equation 
> for the moment.
> 
> In the documentation I see this:
> 
> Once the rndc reconfig command is issued, BIND serves a signed zone. The 
> file dsset-example.com (created by dnssec-signzone when it signed the 
> example.com zone) contains the DS record for the zone’s KSK. You will need 
> to pass that to the administrator of the parent zone, to be placed in the 
> zone.
> 
> It seems the first value in dsset file is okay.  The documentation doesn't 
> talk about the second one, and this is where
> the problem is seen.  I see one value on the second key (digest 2) in dsset 
> file, and a different value using the value
> obtained by running something like:
> 
> dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
> The digest 2 second key here seems to be what should be used with the domain 
> registrar.  I'll soon find out.
> 
> 
> 
> On Mon, May 16, 2022 at 2:54 PM Ondřej Surý wrote:
> Well, then don’t expect people will want to help you. If you need to hide the 
> information and you need help then you should be prepared to pay for the 
> support. Coming to open source list asking for help for free and expect other 
> people to help you is just plain arrogant behavior. Again, Bert Hubert was 
> exactly right here:
> 
> https://berthub.eu/articles/posts/anonymous-help/ 
> 
> 
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
>> On 16. 5. 2022, at 19:06, frank picabia wrote:
>> 
>> Suppose I was working on a problem for Barclays
>> Bank, do you suppose they would be thrilled with me posting
>> their networking innards for the world to see?


Re: Fwd: Request to use "Canonical/Mirror"

2022-05-17 Thread Tony Finch
Greg Choules  wrote:
>
> IMHO the terms "primary" and "secondary" are just as meaningful as the
> terms "master" and "slave", but without the emotional and historical
> baggage.

I think "master" and "slave" is actively misleading, because the DNS
protocol does not allow a master to tell a slave to do anything. (The
closest is NOTIFY which is a hint not a command.)

> You just have to give yourself time to get used to them.

Indeed :-)

-- 
Tony Finch (he/they)  Cambridge, England
Fitzroy, Sole: South or southwest, 4 to 6, occasionally 7 later in
west. Rough or very rough. Showers. Good.


Re: per record responses based on originating IP

2022-05-17 Thread Angus Clarke
Hello

I found that knot's geoip module can modify responses to individual records 
based on the source address of the client through the module's "net" directive 
and have successfully tested the modification of NS responses based on the 
client's source subnet - it seems to do exactly what I want.

I had a quick check of the bind geoip module but the example given in the 
documentation suggests presenting an entire zone as an alternative view.

Thanks for taking the time with me on my quest, but I think I'll further 
investigate knot at this time.

knot geoip module overview:
https://blog.apnic.net/2018/11/14/geoip-in-knot-dns-2-7/

Thanks
Angus


From: bind-users  on behalf of Nick Tait via 
bind-users 
Sent: 16 May 2022 13:55
To: BIND Users Mailing List 
Subject: Re: per record responses based on originating IP

On 16/05/22 20:05, Angus Clarke wrote:
> As mentioned in a separate reply to Grant, the goal is to have (amongst other 
> things) local recursors "find" the locally deployed authoritative servers 
> through NS records. What hasn't been mentioned is that I am also looking to 
> simplify configuration management by means of a single set of data which can be 
> deployed to all authoritative servers - I don't think the RPZ solution proposed 
> by Nick achieves that.
> 
> That being said, can RPZ-CLIENT-IP be a subnet? I don't think it can.

Hi Angus.

Thanks for clarifying. Based on what you've said, what I proposed probably has 
slightly more merit than I concluded, although admittedly it doesn't quite tick 
all the boxes...

Firstly, yes RPZ-CLIENT-IP can be a subnet. IPv4 addresses are represented as 
prefixlength.B4.B3.B2.B1.rpz-client-ip. In my examples I was specifying a 
single host which is why the RPZ-CLIENT-IP records all started with 32.

Secondly, RPZs are more commonly used on recursive resolvers rather than the 
authoritative nameservers for the zone, although in your case if you are 
wanting to change the answer that an authoritative nameserver gives to the NS 
question from the recursive resolver, then it probably makes the most sense to 
put the RPZ on the authoritative nameserver. In this case you'd also need to 
specify "recursive-only no". (FYI Default behaviour is to apply RPZ rewriting 
to queries with RD=1 and DO=0.)

However this still doesn't meet your requirement for "a single set of data", 
unless you are only talking about zone data, and in that case you could 
replicate all the RPZ zone files to all authoritative nameservers, and then 
configure each server to specify only one of these in its "response-policy" 
configuration?

But the anycast suggestion sounds like it has the most merit? Or at least it 
sounds the coolest to me. :-)

Nick.

P.S. I don't think this will be useful to you, but FWIW... if your goal is 
simply to have the recursive resolvers use a specific subset of nameservers for 
specific zones, then there is yet another option: static-stub zones. 
Static-stub zones allow you to effectively override the authoritative 
nameserver that will be used for a particular zone. So you could configure the 
static-stub zone on the recursive resolver, and that would point to the local 
authoritative nameserver(s). However the main drawback with static-stub zones 
is that you need to create a static-stub zone (on the local resolver) for every 
authoritative zone that you are doing this with, so it probably isn't practical 
if you have many zones or are adding or removing zones frequently?
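
The RPZ-CLIENT-IP owner-name format described in the reply above (prefixlength.B4.B3.B2.B1.rpz-client-ip), as an added Python example that is not part of the original thread: it encodes IPv4 subnets into trigger names, decodes them back, and reports which triggers cover a given client address. The function names, the sample addresses (documentation ranges) and the zone name rpz.example are constructed for illustration.

```python
import ipaddress

SUFFIX = "rpz-client-ip"


def to_trigger(cidr):
    """IPv4 host or CIDR -> 'prefixlength.B4.B3.B2.B1.rpz-client-ip'."""
    # strict=True rejects host bits set beyond the prefix (e.g. 192.0.2.5/24),
    # so a typo cannot silently turn into a different or broader rule.
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return ".".join([str(net.prefixlen), *reversed(octets), SUFFIX])


def from_trigger(owner):
    """Owner name (relative or fully qualified) -> IPv4Network."""
    labels = owner.rstrip(".").lower().split(".")
    # An IPv4 trigger has exactly five labels in front of rpz-client-ip.
    if len(labels) < 6 or labels[5] != SUFFIX:
        raise ValueError(f"not an IPv4 {SUFFIX} trigger: {owner!r}")
    plen, b4, b3, b2, b1 = labels[:5]
    # ipaddress raises ValueError for bad octets or prefix lengths.
    return ipaddress.IPv4Network(f"{b1}.{b2}.{b3}.{b4}/{plen}", strict=True)


def matching_triggers(client_ip, owners):
    """Return the owner names whose subnet contains client_ip."""
    addr = ipaddress.IPv4Address(client_ip)
    return [o for o in owners if addr in from_trigger(o)]


# Constructed sample triggers: a /24, a single host (/32) and a /25
# written fully qualified under a hypothetical policy zone rpz.example.
SAMPLE_OWNERS = [
    "24.0.2.0.192.rpz-client-ip",
    "32.7.100.51.198.rpz-client-ip",
    "25.128.113.0.203.rpz-client-ip.rpz.example.",
]

if __name__ == "__main__":
    for cidr in ("192.0.2.0/24", "198.51.100.7", "203.0.113.128/25"):
        print(f"{cidr:18} -> {to_trigger(cidr)}")
    for ip in ("192.0.2.77", "203.0.113.200", "203.0.113.5"):
        print(ip, "matches", matching_triggers(ip, SAMPLE_OWNERS))
```

Running the decoder over an existing policy zone's owner names is a quick way to audit which client subnets a rewrite actually applies to before the zone is loaded.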


Re: wrong path for geoip-directory

2022-05-17 Thread MAYER Hans

Dear Mark,

many thanks for your hint again.
--with-geoip=yes does not exist, but --enable-geoip does.
Based on your suggestion I tested different possibilities, finally
'--with-maxminddb=auto'
did do the trick.

Kind regards
Hans

—


On 17.05.2022, at 02:58, Mark Andrews <ma...@isc.org> wrote:

Did you try re-running configure with ‘--with-maxminddb=/usr’ and then 
recompiling?

What does 'named -V’ report when you do this?

again a missing /

  geoip-directory:  usr/share/GeoIP



--with-maxminddb is used to find the header (include) files, the library and 
the database.  These should all be relative to a common prefix which is what 
you specify.

You also missed the leading ‘/‘ on the path when you ran configure previously 
as it is not in the path reported below.  This all said you should be able to just 
specify --with-geoip=yes and configure will figure out the rest.

No, I didn’t. I gave an absolute path with a leading /
But -V didn’t show it.
As I said, „auto“ is the right option.




Mark

On 17 May 2022, at 06:09, MAYER Hans <hans.ma...@iiasa.ac.at> wrote:



Dear All,

I posted my question originally at GitLab issue area because I thought it’s 
maybe a bug. But it isn’t.

I compiled commit c77fcc61 (HEAD -> v9_18, origin/v9_18) with configure options
--enable-geoip  --with-maxminddb=/usr/share/GeoIP
When I run named -V there is:

default paths:
named configuration:  /usr/local/etc/named.conf
rndc configuration:   /usr/local/etc/rndc.conf
DNSSEC root key:  /usr/local/etc/bind.keys
nsupdate session key: /usr/local/var/run/named/session.key
named PID file:   /usr/local/var/run/named/named.pid
named lock file:  /usr/local/var/run/named/named.lock
geoip-directory:  usr/share/GeoIP/share/GeoIP


The geoip-directory is quite strange as it doesn't exist.
OS is Debian 11.3 ( bullseye ) with latest patch level.
pkg libmaxminddb-dev and libmaxminddb0 are installed.

Mark was so nice and replied for this issue request.

"Use --with-maxminddb=/usr. share/GeoIP is appended to this configure argument. 
This is the same as libraries where /include and /lib are appended to the 
configure argument.“

If I understand correctly "--with-maxminddb" is a relative path and will be added 
to "--prefix" which is in my case /usr/local
To work well I should compile with option --with-maxminddb=GeoIP and I make a 
symbolic link from /usr/local/GeoIP to /usr/share/GeoIP

But when I run configure with --with-maxminddb=GeoIP the following „make“ 
terminates with an error:
../../libtool: line 7563: cd: GeoIP/lib: No such file or directory
libtool:   error: cannot determine absolute directory name of 'GeoIP/lib'

Which is also quite curious because below /usr/share/GeoIP there is no directory 
„lib“ but with --with-maxminddb=/usr/share/GeoIP it compiles well.

How to compile bind with the maxmind db located in /usr/share/GeoIP ?
Any help would be appreciated.


Kind regards
Hans




--

Ing. Dipl.-Ing. Hans Mayer
Systems Analyst
Network Unix Security Team (NUST)
Information and Communication Technologies (ICT)

International Institute for Applied Systems Analysis (IIASA)
Schlossplatz 1
A-2361 Laxenburg, Austria
Phone: +43 2236 807 Ext 215
Mobile: +43 676 83 807 215
Web: http://www.iiasa.ac.at
E-Mail: hans.ma...@iiasa.at

Note: If there is a disclaimer or other legal boilerplate in the above message, 
it is NULL AND VOID.  You may ignore it.








--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: 
ma...@isc.org

