Re: problems resolving domains under NSxx.DOMAINCONTROL.COM - this problem i have too! :(((((

2010-06-23 Thread Anatoly Pugachev
On 23.06.2010 / 17:51:24 +1000, Mark Andrews wrote:
 
 In message aanlktinjqorplnyqj5tso2tdwlt_ropzdmrymoiph...@mail.gmail.com, Piff writes:
  Mark,
  
  more than once you have blamed firewall but I have tested without
  firewall and NSxx.DOMAINCONTROL.COM do not answer to dig +dnssec.
 
 Wrong.  The nameservers DO answer these queries.
 
 # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
 
 ; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;replacementservices.com.   IN  A
 
 ;; ANSWER SECTION:
 replacementservices.com. 3600   IN  A   72.32.12.235
 
 ;; AUTHORITY SECTION:
 replacementservices.com. 3600   IN  NS  ns33.domaincontrol.com.
 replacementservices.com. 3600   IN  NS  ns34.domaincontrol.com.
 

This dig query times out on my side, checked from 3 different IPs from 3
different AS (autonomous systems).

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: our isp not supports EDNS?

2010-06-22 Thread Anatoly Pugachev

Mark,

please see below...

On 04.05.2010 / 14:31:25 +1000, Mark Andrews wrote:
 
 In message y2sf7e964441005031927m7774769ev280156817d8b4...@mail.gmail.com, Jeff Pang writes:
  Hello,
  
  Following the discussions in the list, I made a test on one of our
  servers, which is in an ISP's datacenter.
  
  The result is below:
  
  $ dig +short rs.dns-oarc.net txt
  rst.x476.rs.dns-oarc.net.
  rst.x485.x476.rs.dns-oarc.net.
  rst.x490.x485.x476.rs.dns-oarc.net.
  218.204.255.72 DNS reply size limit is at least 490
  218.204.255.72 lacks EDNS, defaults to 512
  Tested at 2010-05-04 02:23:51 UTC
  
  Does this mean our ISP's firewall blocks EDNS query/response?
 
 Maybe / maybe not.  It could just mean that the nameserver itself
 doesn't support EDNS.

How bad is it if the provider's server doesn't support/make eDNS queries?
Is eDNS support/usage for the DNSSEC protocol only? I mean, my
colleague proposes to use the following statement in named.conf:

server 0.0.0.0/0 {
        edns no;
};

as a fix for the broken servers, which don't support eDNS queries, for
example ns51 / ns52.domaincontrol.com (which are hosting a lot of domains,
http://www.statsinfinity.com/ns_parent_zone_info/DOMAINCONTROL.COM, and dig
+bufsize requests to them end with a timeout, so they are probably just
firewalled for packets more than 512 bytes long).



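
What `dig +dnssec` and `edns no;` change on the wire, as an added example that is not part of the original messages: it builds the same A query with and without the EDNS0 OPT pseudo-record (type 41), whose CLASS field carries the advertised UDP buffer size and whose TTL field carries the DO bit. The function names and the 4096-byte buffer size are choices made for this illustration.

```python
import struct

OPT_TYPE = 41     # EDNS0 pseudo-record type
DO_BIT = 0x8000   # "DNSSEC OK" flag, stored in the OPT record's TTL field

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, edns_bufsize=None, dnssec_ok=False, qid=0x1234):
    """Build a DNS query; edns_bufsize=None yields a plain pre-EDNS query."""
    arcount = 0 if edns_bufsize is None else 1
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_bufsize is None:
        return header + question
    flags = DO_BIT if dnssec_ok else 0
    # OPT RR: root owner name, TYPE=41, CLASS=buffer size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, flags, 0)
    return header + question + opt

def edns_info(packet):
    """Return {'bufsize', 'do'} from a query's OPT record, or None if absent."""
    qdcount, _, _, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        while packet[pos]:            # skip labels (queries carry no compression)
            pos += 1 + packet[pos]
        pos += 5                      # zero byte + QTYPE + QCLASS
    if arcount == 0 or packet[pos] != 0:
        return None
    rtype, bufsize, ttl, _ = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
    if rtype != OPT_TYPE:
        return None
    return {"bufsize": bufsize, "do": bool(ttl & DO_BIT)}

def max_udp_reply(packet):
    """Largest UDP reply the sender accepts: 512 bytes unless EDNS says more."""
    info = edns_info(packet)
    return 512 if info is None else info["bufsize"]

if __name__ == "__main__":
    name = "replacementservices.com."   # query name taken from the thread
    plain = build_query(name)                                      # like "edns no;"
    signed = build_query(name, edns_bufsize=4096, dnssec_ok=True)  # like +dnssec
    for label, pkt in (("plain", plain), ("edns+do", signed)):
        print(label, len(pkt), "bytes, EDNS:", edns_info(pkt),
              "max reply:", max_udp_reply(pkt))
```

The OPT record adds 11 bytes to the query; a resolver that never sends it cannot set the DO bit and so cannot ask for DNSSEC records.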


Re: our isp not supports EDNS?

2010-06-22 Thread Anatoly Pugachev

Thanks Bill.

I'm well aware of dns-oarc tests...
but they are no more than firewall / dns packet size tests.

My idea/concern is what could be wrong/broken (except for DNSSEC), if we
disable eDNS on our servers - I need to carry this idea to my colleague.
My quick test shows that disabling edns per 0/0 { edns no;}; doesn't
break resolving/anything (except for dnssec queries).

On 22.06.2010 / 10:14:36 -0700, Bill Buhlman wrote:
 another example:
  
 dig +short rs.dns-oarc.net txt
 rst.x3827.rs.dns-oarc.net.
 rst.x3837.x3827.rs.dns-oarc.net.
 rst.x3843.x3837.x3827.rs.dns-oarc.net.
 Tested at 2010-06-22 17:11:44 UTC
 169.199.1.1 sent EDNS buffer size 4096
 169.199.1.1 DNS reply size limit is at least 3843
 
 --- On Tue, 6/22/10, Anatoly Pugachev ma...@team.co.ru wrote:
 
 
 From: Anatoly Pugachev ma...@team.co.ru
 Subject: Re: our isp not supports EDNS?
 To: Mark Andrews ma...@isc.org
 Cc: Jeff Pang pa...@arcor.de, bind-us...@isc.org
 Date: Tuesday, June 22, 2010, 8:58 AM
 
 
 
 Mark,
 
 please see below...
 
 On 04.05.2010 / 14:31:25 +1000, Mark Andrews wrote:
  
  In message y2sf7e964441005031927m7774769ev280156817d8b4...@mail.gmail.com, Jeff Pang writes:
   Hello,
   
   Following the discussions in the list, I made a test on one of our
   servers, which is in an ISP's datacenter.
   
   The result is below:
   
   $ dig +short rs.dns-oarc.net txt
   rst.x476.rs.dns-oarc.net.
   rst.x485.x476.rs.dns-oarc.net.
   rst.x490.x485.x476.rs.dns-oarc.net.
   218.204.255.72 DNS reply size limit is at least 490
   218.204.255.72 lacks EDNS, defaults to 512
   Tested at 2010-05-04 02:23:51 UTC
   
   Does this mean our ISP's firewall blocks EDNS query/response?
  
  Maybe / maybe not.  It could just mean that the nameserver itself
  doesn't support EDNS.
 
 How bad is it if the provider's server doesn't support/make eDNS queries?
 Is eDNS support/usage for the DNSSEC protocol only? I mean, my
 colleague proposes to use the following statement in named.conf:
 
 server 0.0.0.0/0 {
         edns no;
 };
 
 as a fix for the broken servers, which don't support eDNS queries, for
 example ns51 / ns52.domaincontrol.com (which are hosting a lot of domains,
 http://www.statsinfinity.com/ns_parent_zone_info/DOMAINCONTROL.COM, and dig
 +bufsize requests to them end with a timeout, so they are probably just
 firewalled for packets more than 512 bytes long).
 
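
Reading the reply-size test results quoted in this thread programmatically, as an added example that is not part of the original messages: it parses the `dig +short rs.dns-oarc.net txt` output and classifies each resolver. The verdict labels and the `needed` threshold of 1500 bytes are assumptions made for illustration, not values from the test or from BIND.

```python
import re

# The two results posted in the thread (lines copied from the messages above).
NO_EDNS = """rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
218.204.255.72 DNS reply size limit is at least 490
218.204.255.72 lacks EDNS, defaults to 512
Tested at 2010-05-04 02:23:51 UTC"""
WITH_EDNS = """rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
Tested at 2010-06-22 17:11:44 UTC
169.199.1.1 sent EDNS buffer size 4096
169.199.1.1 DNS reply size limit is at least 3843"""

PATTERNS = [
    (re.compile(r"^(\S+) DNS reply size limit is at least (\d+)"), "reply_limit"),
    (re.compile(r"^(\S+) sent EDNS buffer size (\d+)"), "advertised"),
    (re.compile(r"^(\S+) lacks EDNS, defaults to (\d+)"), "default"),
]

def parse_reply_size_test(text):
    """Map each resolver address in the test output to the values it reported."""
    resolvers = {}
    for line in text.splitlines():
        line = line.strip().strip('"')     # TXT strings may arrive quoted
        for pattern, key in PATTERNS:
            m = pattern.match(line)
            if m:
                resolvers.setdefault(m.group(1), {})[key] = int(m.group(2))
    return resolvers

def assess(entry, needed=1500):
    """Classify one resolver; `needed` is an assumed reply size, not a standard."""
    if "advertised" not in entry:
        return "no-edns"        # queries carry no OPT record: 512-byte replies only
    if entry.get("reply_limit", 0) < needed:
        return "edns-limited"   # EDNS is advertised but large replies do not arrive
    return "edns-ok"

if __name__ == "__main__":
    for sample in (NO_EDNS, WITH_EDNS):
        for addr, entry in parse_reply_size_test(sample).items():
            print(addr, entry, "->", assess(entry))
```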

Re: manage large dns record

2009-11-19 Thread Anatoly Pugachev

There's a $INCLUDE directive for bind zone files, read more in the bind
docs.
Hope this helps.

On 19.11.2009 / 15:40:32 +0700, Sokvantha YOUK wrote:
 Dear ALL,
 
 Could you advise me what is a good way to manage large dns records in a zone
 file? I'm using bind v9, currently I need to add around 20 000 hostnames but
 it is a pain to put them in one single file.
 


Re: call for testers (Re: ISC BIND 9.7.0b1 is now available)

2009-10-22 Thread Anatoly Pugachev

JINMEI,

we're not using sparc for our bind installations, but this is a feedback
on your 'call for testers' (bind compilation went successfully on both
compilers):

solaris 10 sparc, sun studio 12u1 compiler:

$ uname -a
SunOS chuck 5.10 Generic_141414-10 sun4u sparc SUNW,Sun-Fire-V440
$ cc -V
cc: Sun C 5.10 SunOS_sparc 2009/06/03
[tests]$ ./backtrace_test
isc_backtrace_gettrace failed: not implemented
[tests]$ echo $?
1

solaris 10 sparc, sun gcc compiler:

$ gcc -v
Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with:
/sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

[tests]$ ./backtrace_test
isc_backtrace_gettrace failed: not implemented




Re: call for testers

2009-10-22 Thread Anatoly Pugachev

Solaris 10 sparc running on T5120

$ uname -a
SunOS hosting1 5.10 Generic_137111-04 sun4v sparc SUNW,SPARC-Enterprise-T5120
$ gcc -v
Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with:
/sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
$ ./backtrace_test
isc_backtrace_gettrace failed: not implemented
$ echo $?
1


Debian 5 sparc running on Sun E250

$ gcc -v
Using built-in specs.
Target: sparc-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian
4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs
--enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3
--enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc
--enable-mpfr --with-cpu=v8 --with-long-double-128
--enable-checking=release --build=sparc-linux-gnu --host=sparc-linux-gnu
--target=sparc-linux-gnu
Thread model: posix
gcc version 4.3.2 (Debian 4.3.2-1.1)
$ uname -a
Linux squat 2.6.26-2-sparc64-smp #1 SMP Sun Jun 21 05:58:06 UTC 2009 sparc64 GNU/Linux
$ ./backtrace_test
isc_backtrace_gettrace failed: not found
$ echo $?
1



Re: BIND 9.5.1-P3 compilation problems.

2009-08-11 Thread Anatoly Pugachev

Hello!

If you don't need DNSSEC for your zones, you can compile bind without
SSL support, like ./configure --with-openssl=no

On 11.08.2009 / 07:28:31 -0400, Emery wrote:
 Good morning,

 I've conducted two maintenance windows to upgrade our BIND primary  
 server to the new code to address the recent security vulnerability, but  
 cannot get past the error below. I have Openssl 9.8.0k installed. I have  
 no problems running tests from the openssl prompt. I have tried  
 exporting the LD_LIBRARY_PATH to include the /usr/local/ssl directory  
 and have run the compilation with the --with-openssl=/usr/local/ssl  
 switch to no avail.

 I am running Solaris 10 Sparc -


Re: Bind 9.6.1 stops after few hours.

2009-07-08 Thread Anatoly Pugachev
On 07.07.2009 / 11:55:34 -0400, Rob Payne wrote:
 
  What do you mean by stop?  Did the daemon crash, simply not respond
  to queries, or something else?
 
 I don't know if this is the same as what Laurence is seeing.  Testing
 9.6.1 on Solaris 10/sparc, with a local build (THREADS, no MEMFILL,
 openssl 0.9.8k) the server stops responding to queries made from the
 network (LAN), until a local query comes in (dig @localhost ...).

We're using 9.6.0-P1 in a solaris 10 x86 zone, acting as both recursive
and authoritative server (a bit loaded, like 1k concurrent recursive
queries during daytime hours seen with 'rndc status') and aren't seeing
any problems with it. Bind was configured as
'./configure --with-openssl=no' since we don't use DNSSEC.



servfail on 9.6.1rc1

2009-05-28 Thread Anatoly Pugachev
Hello.

Installed bind-9.6.1rc1 for the query-errors category debugging.
Server is a usual recursive server on solaris 10 x86 with 4Gb of RAM.
Named was compiled with SunStudio 12 compiler suite as:
CFLAGS="-m32 -xarch=sse2" ./configure --prefix=/ --with-openssl=no
make

named.conf without any views defined, max-cache-size is set to 1500m
usual daily load shown with 'rndc status' is 1500 recursive clients.

$ prstat
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
 19567 bind      232M  228M sleep   59    0   0:12:08  19% named/7

Here's what I've got in the logs:

first query:

28-May-2009 05:57:40.578 query-errors: debug 1: client 213.33.171.242#1130: query failed (SERVFAIL) for 5.126.208.91.IN-ADDR.ARPA/IN/PTR at query.c:4619
28-May-2009 05:57:40.578 query-errors: debug 2: fetch completed at resolver.c:2908 for 5.126.208.91.IN-ADDR.ARPA/PTR in 0.000163: out of memory/success [domain:91.in-addr.arpa,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

A second identical query coming to the server resolves properly (NOERROR).

Can you please help me to investigate what is wrong?


named querylog, cache hit

2009-05-19 Thread Anatoly Pugachev
Hello!

This is an enhancement request.

Is it possible to make named querylog somehow log whether a client's query
hit the server cache or not, regardless of other logged query options
(like +EDC)?

Thanks.
