RE: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-07 Thread Bhangui, Sandeep - BLS CTR via bind-users
Point taken and understood.

But you know how it is: when there is a major outage, the push from upper 
management is always for "fix it now" and get us up and running, do your RCA 
later.

Thanks
Sandeep



-Original Message-
From: Mark Andrews  
Sent: Wednesday, December 6, 2023 10:19 PM
To: Bhangui, Sandeep - BLS CTR 
Cc: Nick Tait ; bind-users@lists.isc.org
Subject: Re: dnssec-delegation seems to be broken from .gov to bls.gov

CAUTION: This email originated from outside of BLS. DO NOT click (select) links 
or open attachments unless you recognize the sender and know the content is 
safe. Please report suspicious emails through the "Phish Alert Report" button 
on your email toolbar.

More to the point why was the old KSK removed *before* checking that the DS 
record for the new KSK was published and had been for the TTL of the DS RRset?  
With proper procedures this should not happen.  When something goes wrong / is 
delayed in a key rollover the process should stall until that step is complete, 
not proceed blindly ahead.

> On 7 Dec 2023, at 07:35, Bhangui, Sandeep - BLS CTR via bind-users 
>  wrote:
> 
> The problem has been resolved.
>  The automatic KSK rollover on the dotgov.gov did not happen properly and 
> once we manually updated the DS record with the correct KSK keytags and keys 
> things were fixed.
>  All is good now.
>  Now to see if we can find out as to why the automatic KSK failover on the 
> dotgov.gov did not happen correctly.
>  Thanks
> Sandeep
>  From: bind-users  On Behalf Of Nick 
> Tait via bind-users
> Sent: Wednesday, December 6, 2023 3:23 PM
> To: bind-users@lists.isc.org
> Subject: Re: dnssec-delegation seems to be broken from .gov to bls.gov
> On 7/12/2023 9:05 am, Nick Tait via bind-users wrote:
> I could be wrong, but based on the output above it looks like the current TTL 
> is 0, which means that doing this should provide immediate relief.
> Sorry it looks like the DNS server on the Wi-Fi network I'm connected to has 
> done something weird with the TTL.
> This is what I get when querying one of the "gov." authoritative servers 
> directly:
> $ dig -t ds bls.gov @a.ns.gov +norecurse
>  
> ; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> -t ds bls.gov @a.ns.gov +norecurse
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32241
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>  
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;bls.gov.   IN  DS
>  
> ;; ANSWER SECTION:
> bls.gov.    3600    IN  DS  50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C
>  
> ;; Query time: 16 msec
> ;; SERVER: 2001:503:ff40::1#53(a.ns.gov) (UDP)
> ;; WHEN: Thu Dec 07 09:19:24 NZDT 2023
> ;; MSG SIZE  rcvd: 84
> This means when you remove the DS record, it will take 1 hour to fully take 
> effect (assuming no delay replicating between authoritative servers).
> Nick.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
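
The rollover gate described in the reply above (do not remove the old KSK until the DS for the new KSK has been published for the TTL of the DS RRset), as an added example that is not part of the original thread or of BIND. The DS line is the one from the quoted dig output with its column spacing restored; the new KSK is constructed key material, and `ds_first_seen` is a hypothetical timestamp kept by whatever monitors the parent servers.

```python
import base64
import hashlib
import struct


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def ds_line(owner, ttl, rdata):
    """The DS record the parent has to publish for this DNSKEY, in dig's layout."""
    return (f"{owner} {ttl} IN DS {key_tag(rdata)} {rdata[3]} 2 "
            f"{ds_digest_sha256(owner, rdata)}")


def parse_ds(line):
    """Parse one DS line as printed by dig; dig may split the digest with spaces."""
    owner, ttl, _cls, rtype, tag, alg, dtype, *digest = line.split()
    if rtype != "DS":
        raise ValueError(f"not a DS record: {line!r}")
    return {"owner": owner.lower(), "ttl": int(ttl), "tag": int(tag),
            "alg": int(alg), "dtype": int(dtype), "digest": "".join(digest).upper()}


def may_retire_old_ksk(owner, new_ksk, parent_ds_lines, ds_first_seen, now):
    """Gate for the 'remove old KSK' step. Returns (ok, reason).

    ds_first_seen: epoch seconds at which the new key's DS was first observed on
    the parent's authoritative servers (None if never); an assumption of this
    example, recorded by whatever monitors the parent.
    """
    want = (owner.lower(), key_tag(new_ksk), new_ksk[3], 2,
            ds_digest_sha256(owner, new_ksk))
    for ds in map(parse_ds, parent_ds_lines):
        have = (ds["owner"], ds["tag"], ds["alg"], ds["dtype"], ds["digest"])
        if have != want:
            continue
        if ds_first_seen is None:
            return False, "stall: DS matches but its first-seen time is unknown"
        waited = now - ds_first_seen
        if waited < ds["ttl"]:
            return False, f"stall: DS published {waited}s ago, DS TTL is {ds['ttl']}s"
        return True, f"proceed: DS published for {waited}s >= DS TTL {ds['ttl']}s"
    return False, f"stall: parent publishes no DS for new KSK (key tag {want[1]})"


OWNER = "bls.gov."
# DS line as shown in the dig output quoted in the thread.
THREAD_DS = ("bls.gov. 3600 IN DS 50951 8 2 "
             "E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C")
# Constructed key material (not a real RSA key), standing in for the new KSK.
NEW_KSK = dnskey_rdata(257, 3, 8, base64.b64encode(bytes(range(1, 65))).decode())

if __name__ == "__main__":
    both = [THREAD_DS, ds_line(OWNER, 3600, NEW_KSK)]
    print(may_retire_old_ksk(OWNER, NEW_KSK, [THREAD_DS], None, 10_000))
    print(may_retire_old_ksk(OWNER, NEW_KSK, both, 9_400, 10_000))
    print(may_retire_old_ksk(OWNER, NEW_KSK, both, 6_400, 10_000))
```

The DS lines fed to the gate should come from the parent's authoritative servers queried directly with `+norecurse`, as in the dig command quoted above, since a recursive resolver in the path may report a different TTL.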



RE: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
The problem has been resolved.

The automatic KSK rollover on the dotgov.gov did not happen properly and once 
we manually updated the DS record with the correct KSK keytags and keys things 
were fixed.

All is good now.

Now to see if we can find out as to why the automatic KSK failover on the 
dotgov.gov did not happen correctly.

Thanks
Sandeep

From: bind-users  On Behalf Of Nick Tait via 
bind-users
Sent: Wednesday, December 6, 2023 3:23 PM
To: bind-users@lists.isc.org
Subject: Re: dnssec-delegation seems to be broken from .gov to bls.gov

On 7/12/2023 9:05 am, Nick Tait via bind-users wrote:
I could be wrong, but based on the output above it looks like the current TTL 
is 0, which means that doing this should provide immediate relief.

Sorry it looks like the DNS server on the Wi-Fi network I'm connected to has 
done something weird with the TTL.

This is what I get when querying one of the "gov." authoritative servers 
directly:

$ dig -t ds bls.gov @a.ns.gov +norecurse

; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> -t ds bls.gov @a.ns.gov +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32241
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bls.gov.   IN  DS

;; ANSWER SECTION:
bls.gov.    3600    IN  DS  50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C

;; Query time: 16 msec
;; SERVER: 2001:503:ff40::1#53(a.ns.gov) (UDP)
;; WHEN: Thu Dec 07 09:19:24 NZDT 2023
;; MSG SIZE  rcvd: 84

This means when you remove the DS record, it will take 1 hour to fully take 
effect (assuming no delay replicating between authoritative servers).

Nick.


dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

It seems the DNSSEC delegation is broken from ".gov" to bls.gov domain and due 
to which the records for bls.gov are considered as bogus and we are having 
issues at our site.

It looks like we were in the process of KSK rollover and that may have caused 
the issue as things were fine till yesterday.

As we troubleshoot this issue was wondering whether from our master DNS server 
can we use some option in named.conf so that dnssec verification is NOT done 
for any bls.gov DNS lookups from outside to get a quick fix to this problem.

Currently DNS lookups from outside are flaky and I believe the reason behind 
that being that the DNSSEC delegation is broken.

From the output at dnsviz.net analyzing for bls.gov it seems that KSK rollover 
for bls.gov is the issue.

Basically, trying to see if I can get a quick interim fix till we resolve the 
issue correctly.

Please advise.

Thanks
Sandeep




RE: Facing issues while resolving only one record

2023-08-30 Thread Bhangui, Sandeep - BLS CTR via bind-users
This seems to be an issue with the domain incometax.gov.in.

It looks like DNSSEC is broken for that domain.

NS servers at our location also cannot resolve that directly, but if I forward 
that query to any ISP provider NS which are more lax it resolves just fine.

Thanks
Sandeep

From: bind-users  On Behalf Of John W. Blue 
via bind-users
Sent: Wednesday, August 30, 2023 9:39 AM
To: bind-users 
Subject: RE: Facing issues while resolving only one record

Recommend you turn off DNSSEC validation and see if it starts working.

If it does, then you know the issue is with how DNSSEC is configured on your 
server.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R
Sent: Wednesday, August 30, 2023 8:20 AM
To: bind-users
Subject: Facing issues while resolving only one record

Hi all,

I have bind BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support Version)
And I am facing this weird issue. Somehow eportal.incometax.gov.in site is not 
getting resolved through DNS.

I tried a lot but unfortunately the issue still persists.

Here are packet capture logs.

listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 
262144 bytes
18:47:19.56 ens18 In  IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? 
eportal.incometax.gov.in. (42)
18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% 
[1au] A? eportal.incometax.gov.in. (65)
18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:21.573628 ens18 In  IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ ? 
eportal.incometax.gov.in. (42)
18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% [1au] 
? eportal.incometax.gov.in. (65)
18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: 34205+% 
[1au] ? eportal.incometax.gov.in. (65)
18:47:23.20 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:23.584820 ens18 In  IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? 
eportal.incometax.gov.in. (42)
18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: 28883 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:25.597312 ens18 In  IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ ? 
eportal.incometax.gov.in. (42)
18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: 12762 
[1au] DNSKEY? incometax.gov.in. (57)

I feel this is something related to DNS RRKEY Record size?

Plus then I did a dumpdb on my server and went through the cache using the command
#rndc dumpdb -all

And here is the output

incometax.gov.in.   3422    NS  ns01.incometax.gov.in.
                    3422    NS  ns02.incometax.gov.in.
ns01.incometax.gov.in.  131 \-  ;-$NXRRSET
; ns01.incometax.gov.in. RRSIG NSEC ...
; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC
; incometax.gov.in. SOA ns01.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600
; incometax.gov.in. RRSIG SOA ...
ns02.incometax.gov.in.  120 \-  ;-$NXRRSET
; ns02.incometax.gov.in. RRSIG NSEC ...
; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC
; incometax.gov.in.

Intermittent issues resolving "labor.upload.akamai.com"

2023-02-02 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

We are running ISC DNS Bind Version 9.18.10 ( will soon be moving to 9.18.11) 
on our Linux Servers.

DNS resolution in general seems to work just fine as expected.

It seems we have intermittent issues resolving "labor.upload.akamai.com" and 
then some scripts fail. It is clear that the failure of the script is due to 
DNS name lookup.

Not sure if this is an issue that needs to be looked up at our end ( since DNS 
as such is working just fine for all the rest of the name resolution) or things 
are not configured properly at other end as far as how this DNS record is 
published and due to which I see the behavior of intermittent dns name lookup 
failure.

Any pointers would be appreciated.

Thanks
Sandeep

dig labor.upload.akamai.com

; <<>> DiG 9.18.10 <<>> labor.upload.akamai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51211
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 17e14f79ba23179d010063dc4895fbcf47353a31763c (good)
;; QUESTION SECTION:
;labor.upload.akamai.com.   IN  A

;; Query time: 1203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 02 18:34:45 EST 2023
;; MSG SIZE  rcvd: 80


But if I point to a public DNS server like VZ or google I seem to resolve it 
fine all the time.

dig @198.6.1.1 labor.upload.akamai.com

; <<>> DiG 9.18.10 <<>> @198.6.1.1 labor.upload.akamai.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43891
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;labor.upload.akamai.com.   IN  A

;; ANSWER SECTION:
labor.upload.akamai.com. 300IN  CNAME   labor.c-ftp.upload.akamai.com.
labor.c-ftp.upload.akamai.com. 900 IN   CNAME   
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net.
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.137
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.149
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.144
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.143
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.142
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.148
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.139
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.146

;; Query time: 202 msec
;; SERVER: 198.6.1.1#53(198.6.1.1) (UDP)
;; WHEN: Thu Feb 02 18:35:50 EST 2023
;; MSG SIZE  rcvd: 267


RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users

If I go to my personal computer or my personal phone ( not on VPN connected to 
BLS network or using BLS resources) I can get to the site www.ssa.gov which I 
would mean to believe that it is able to resolve www.ssa.gov.

Does that mean the dns resolution for www.ssa.gov is not broken globally as 
explained below?

 Or maybe personal computer & my personal phone are querying different DNS 
servers over the internet which are able to resolve www.ssa.gov correctly and 
get to the website?

Thanks
Sandeep



-Original Message-
From: bind-users  On Behalf Of Bjørn Mork
Sent: Thursday, September 1, 2022 5:26 PM
To: BIND users 
Subject: Re: Issue with dns resolution for www.ssa.gov


www.ssa.gov is a separate zone according to the ssa.gov NS:

bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
;; QUESTION SECTION:
;www.ssa.gov.   IN  NS

;; AUTHORITY SECTION:
www.ssa.gov.60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu2.ssa.gov.

;; ADDITIONAL SECTION:
GTMS1.ssa.gov.  36000   IN  2001:1930:e03::13
GTMS2.ssa.gov.  36000   IN  2001:1930:e03::14
GTMU1.ssa.gov.  36000   IN  2001:1930:d07:1::10
GTMU2.ssa.gov.  36000   IN  2001:1930:d07:1::11
GTMS1.ssa.gov.  36000   IN  A   137.200.4.203
GTMS2.ssa.gov.  36000   IN  A   137.200.4.204
GTMU1.ssa.gov.  36000   IN  A   137.200.43.16
GTMU2.ssa.gov.  36000   IN  A   137.200.43.17

;; Query time: 107 msec
;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
;; WHEN: Thu Sep 01 23:24:13 CEST 2022
;; MSG SIZE  rcvd: 348



But it's a CNAME according to the www.ssa.gov NS:


bjorn@idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.

;; Query time: 127 msec
;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
;; WHEN: Thu Sep 01 23:25:01 CEST 2022
;; MSG SIZE  rcvd: 77



CDNs playing tricks. This won't fly.



Bjørn


RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks Bjorn.

This indeed looks like a mess up from SSA side.

Sandeep

-Original Message-
From: bind-users  On Behalf Of Bjørn Mork
Sent: Thursday, September 1, 2022 5:26 PM
To: BIND users 
Subject: Re: Issue with dns resolution for www.ssa.gov


www.ssa.gov is a separate zone according to the ssa.gov NS:

bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
;; QUESTION SECTION:
;www.ssa.gov.   IN  NS

;; AUTHORITY SECTION:
www.ssa.gov.60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu2.ssa.gov.

;; ADDITIONAL SECTION:
GTMS1.ssa.gov.  36000   IN  2001:1930:e03::13
GTMS2.ssa.gov.  36000   IN  2001:1930:e03::14
GTMU1.ssa.gov.  36000   IN  2001:1930:d07:1::10
GTMU2.ssa.gov.  36000   IN  2001:1930:d07:1::11
GTMS1.ssa.gov.  36000   IN  A   137.200.4.203
GTMS2.ssa.gov.  36000   IN  A   137.200.4.204
GTMU1.ssa.gov.  36000   IN  A   137.200.43.16
GTMU2.ssa.gov.  36000   IN  A   137.200.43.17

;; Query time: 107 msec
;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
;; WHEN: Thu Sep 01 23:24:13 CEST 2022
;; MSG SIZE  rcvd: 348



But it's a CNAME according to the www.ssa.gov NS:


bjorn@idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.

;; Query time: 127 msec
;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
;; WHEN: Thu Sep 01 23:25:01 CEST 2022
;; MSG SIZE  rcvd: 77



CDNs playing tricks. This won't fly.



Bjørn
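
The mismatch the two queries above show, turned into a check, as an added example that is not part of the original message: the parent refers www.ssa.gov as a delegated zone, while the delegated servers answer with a CNAME at that zone's apex, where a CNAME cannot coexist with the SOA and NS records an apex needs. The two replies are abridged from the dig output above with column spacing restored; `HEALTHY_CHILD` is a constructed control and the function names are hypothetical.

```python
import re


def parse_dig(text):
    """Parse dig's text output into header flags and per-section records."""
    msg = {"flags": set(), "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flags = re.match(r";; flags:([a-z ]*);", line)
        if flags:
            msg["flags"] = set(flags.group(1).split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]
        elif not line.startswith(";") and section in ("ANSWER", "AUTHORITY", "ADDITIONAL"):
            owner, ttl, _cls, rtype, *rdata = line.split()
            msg[section].append((owner.lower(), int(ttl), rtype, " ".join(rdata)))
    return msg


def apex_findings(zone, parent_reply, child_reply):
    """Compare the parent's referral for `zone` with the child servers' own answer."""
    zone = zone.lower()
    parent, child = parse_dig(parent_reply), parse_dig(child_reply)
    referral_ns = [rd for o, _, t, rd in parent["AUTHORITY"] if o == zone and t == "NS"]
    if "aa" in parent["flags"] or not referral_ns:
        return []  # the parent does not delegate this name: nothing to compare
    findings = []
    if "aa" not in child["flags"]:
        findings.append(f"{zone}: delegated server did not answer authoritatively "
                        "(lame delegation)")
    for owner, _, rtype, rdata in child["ANSWER"]:
        if owner == zone and rtype == "CNAME":
            findings.append(f"{zone}: delegated as a zone via {len(referral_ns)} NS "
                            f"records, but its servers return CNAME {rdata} at the apex")
    return findings


# Abridged from the first dig output in the message (query to dns1.ssa.gov).
PARENT_REPLY = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9

;; AUTHORITY SECTION:
www.ssa.gov.  60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.  60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.  60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.  60  IN  NS  gtmu2.ssa.gov.
"""

# Abridged from the second dig output in the message (query to gtms1.ssa.gov).
CHILD_REPLY = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.ssa.gov.  300  IN  CNAME  www.ssa.gov.edgekey.net.
"""

# Constructed control: an address record at the apex instead of a CNAME.
HEALTHY_CHILD = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.ssa.gov.  300  IN  A  192.0.2.10
"""

if __name__ == "__main__":
    for finding in apex_findings("www.ssa.gov.", PARENT_REPLY, CHILD_REPLY):
        print(finding)
```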


RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
John,

We have not moved to PDNS as yet.

I am not sure about DNSSEC for SSA will check on that.

Thanks
Sandeep

From: bind-users  On Behalf Of John W. Blue 
via bind-users
Sent: Thursday, September 1, 2022 5:03 PM
To: bind-users@lists.isc.org
Subject: Re: Issue with dns resolution for www.ssa.gov


Sandeep,

Are you all using CISA's Protective DNS?  If so, there might be a ruleset that 
is causing problems.

If not, and I have not checked, but is DNSSEC for SSA working correctly?

John


________
From: "Bhangui, Sandeep - BLS CTR via bind-users" <bind-users@lists.isc.org>
Sent: Thursday, September 1, 2022 3:11 PM
To: bind-users@lists.isc.org
Subject: Issue with dns resolution for www.ssa.gov

Hi

We are running Bind Version 9.16.31 on RHEL 7.X Server and things are working 
fine in general.

Having issue with DNS resolution for www.ssa.gov no other 
DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using 
nslookup ( know this is an old utility and cannot be used much for 
troubleshooting), dig seems to respond properly.

Just curious what could be the issue is this on our DNS server as nslookup 
seems to work fine for lot of other sites that I used just to check if it 
responds correctly.

The VZ public NS which is listed as one of the NS under /etc/resolv.conf seems 
to respond to nslookup just fine.

I am not sure what more information I could include which could be helpful if 
anything else is needed please let me know and I will post it.

Thanks in advance.

Sandeep


# nslookup www.ssa.gov

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server: 198.6.1.1
Address:198.6.1.1#53

Non-authoritative answer:
www.ssa.gov canonical name = www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289


Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net. 9625   IN  CNAME   e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.58
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146




Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

We are running Bind Version 9.16.31 on RHEL 7.X Server and things are working 
fine in general.

Having issue with DNS resolution for www.ssa.gov no other 
DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using 
nslookup ( know this is an old utility and cannot be used much for 
troubleshooting), dig seems to respond properly.

Just curious what could be the issue is this on our DNS server as nslookup 
seems to work fine for lot of other sites that I used just to check if it 
responds correctly.

The VZ public NS which is listed as one of the NS under /etc/resolv.conf seems 
to respond to nslookup just fine.

I am not sure what more information I could include which could be helpful if 
anything else is needed please let me know and I will post it.

Thanks in advance.

Sandeep


# nslookup www.ssa.gov

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server: 198.6.1.1
Address:198.6.1.1#53

Non-authoritative answer:
www.ssa.gov canonical name = www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289


Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net. 9625   IN  CNAME   e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.58
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146




Question about linking jemalloc with Bind 9.18.x when doing the compile.

2022-08-02 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello all

We are getting ready to test Bind 9.18.x. Currently we are running the latest 
version of 9.16.x branch.

We have downloaded and successfully installed the jemalloc module on the Server 
( RHEL 7.9 OS) and getting ready to compile the latest version of Bind 9.18.x.

Can someone please point me to some documentation which tells as to what exact 
flags/parameters to use to properly link jemalloc when we compile latest 
version of Bind 9.18.x using "configure" so that we get the compile correctly 
done in the first run.

Thanks in advance.

Sandeep




RE: Errors loading Named ( 9.16.26) on RHEL 7.9

2022-02-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks Ondrej….will check on that.

From: Ondřej Surý 
Sent: Thursday, February 24, 2022 1:29 PM
To: Bhangui, Sandeep - BLS CTR 
Cc: bind-users@lists.isc.org
Subject: Re: Errors loading Named ( 9.16.26) on RHEL 7.9



The server isn’t the same. All the libraries that you are using to compile BIND 9 
need to be at the same or a higher version, which isn’t the case here.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 24. 2. 2022, at 19:06, Bhangui, Sandeep - BLS CTR via bind-users 
<bind-users@lists.isc.org> wrote:

Hello

Successfully compiled 9.16.26 on RHEL 7.9 server. The compile server is a 
different one but running the exact same OS and kernel as the DNS server on 
which, the created RPM packaged was installed.

Installed the rpm package and tried to start named on a DNS server it does not 
load and gives a fatal error.

I will dig into things further to troubleshoot and capture the core dump as 
with this install attempt the core dump was not captured so there is not much 
to go with but for the messages captured from the logs.

Usually, I have seen errors doing compile, but this is the first time I am 
having issues loading named after a successful compile.

Based on what little information is provided below would appreciate if someone 
can throw some light/pointers as to what the issue may be.

Currently we are running 9.16.25 in our environment and I have reverted back 
successfully.

Thanks
Sandeep


Feb 24 11:28:08 cpdnsquar01v named[72797]: starting BIND 9.16.26 (Extended 
Support Version) 
Feb 24 11:28:08 cpdnsquar01v named[72797]: running on Linux x86_64 
3.10.0-1160.53.1.el7.x86_64 #1 SMP Thu Dec 16 10:19:28 UTC 2021
Feb 24 11:28:08 cpdnsquar01v named[72797]: built with 
'--prefix=/usr/local/named-jail9.16.26' 
'--sysconfdir=/usr/local/named-jail9.16.26/etc' 
'--mandir=/usr/local/named-jail9.16.26/usr/man' 
'--bindir=/usr/local/named-jail9.16.26/usr/bin' 
'--sbindir=/usr/local/named-jail9.16.26/usr/sbin' 
'--libexecdir=/usr/local/named-jail9.16.26/usr/libexec' 
'--sharedstatedir=/usr/local/named-jail9.16.26/usr/shared' 
'--localstatedir=/usr/local/named-jail9.16.26/var' 
'--libdir=/usr/local/named-jail9.16.26/usr/lib' 
'--includedir=/usr/local/named-jail9.16.26/usr/include' 
'--with-randomdev=/dev/urandom' '--disable-static' '--with-openssl' 
'--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' 
'--enable-rrl' '--enable-largefile' '--enable-newstats' '--with-libxml2' 
'--enable-fullreport' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 
-grecord-gcc-switches -m64 -mtune=generic' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Feb 24 11:28:08 cpdnsquar01v named[72797]: running as: named -u named
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled by GCC 4.8.5 20150623 (Red 
Hat 4.8.5-44)
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with OpenSSL version: 
OpenSSL 1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to OpenSSL version: OpenSSL 
1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with libxml2 version: 2.9.1
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to libxml2 version: 20901
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]: 

Feb 24 11:28:08 cpdnsquar01v named[72797]: BIND 9 is maintained by Internet 
Systems Consortium,
Feb 24 11:28:08 cpdnsquar01v named[72797]: Inc. (ISC), a non-profit 501(c)(3) 
public-benefit
Feb 24 11:28:08 cpdnsquar01v named[72797]: corporation.  Support and training 
for BIND 9 are
Feb 24 11:28:08 cpdnsquar01v named[72797]: available at 
https://www.isc.org/support
Feb 24 11:28:08 cpdnsquar01v named[72797]: 

Feb 24 11:28:08 cpdnsquar01v named[72797]: adjusted limit on open files from 
4096 to 1048576
Feb 24 11:28:08 cpdnsquar01v named[72797]: found 1 CPU, using 1 worker thread
Feb 24 11:28:08 cpdnsquar01v named[72797]: using 1 UDP listener per interface
Feb 24 11:28:08 cpdnsquar01v named[72797]: using up to 21000 sockets
Feb 24 11:28:08 cpdnsquar01v named[72797]: loading configuration from 
'/usr/local/named-jail9.16.26/etc/named.conf'

Errors loading Named ( 9.16.26) on RHEL 7.9

2022-02-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Successfully compiled 9.16.26 on RHEL 7.9 server. The compile server is a 
different one but running the exact same OS and kernel as the DNS server on 
which the created RPM package was installed.

Installed the rpm package and tried to start named on a DNS server it does not 
load and gives a fatal error.

I will dig into things further to troubleshoot and capture the core dump as 
with this install attempt the core dump was not captured so there is not much 
to go with but for the messages captured from the logs.

Usually, I have seen errors doing compile, but this is the first time I am 
having issues loading named after a successful compile.

Based on what little information is provided below would appreciate if someone 
can throw some light/pointers as to what the issue may be.

Currently we are running 9.16.25 in our environment and I have reverted back 
successfully.

Thanks
Sandeep


Feb 24 11:28:08 cpdnsquar01v named[72797]: starting BIND 9.16.26 (Extended Support Version)
Feb 24 11:28:08 cpdnsquar01v named[72797]: running on Linux x86_64 3.10.0-1160.53.1.el7.x86_64 #1 SMP Thu Dec 16 10:19:28 UTC 2021
Feb 24 11:28:08 cpdnsquar01v named[72797]: built with '--prefix=/usr/local/named-jail9.16.26' '--sysconfdir=/usr/local/named-jail9.16.26/etc' '--mandir=/usr/local/named-jail9.16.26/usr/man' '--bindir=/usr/local/named-jail9.16.26/usr/bin' '--sbindir=/usr/local/named-jail9.16.26/usr/sbin' '--libexecdir=/usr/local/named-jail9.16.26/usr/libexec' '--sharedstatedir=/usr/local/named-jail9.16.26/usr/shared' '--localstatedir=/usr/local/named-jail9.16.26/var' '--libdir=/usr/local/named-jail9.16.26/usr/lib' '--includedir=/usr/local/named-jail9.16.26/usr/include' '--with-randomdev=/dev/urandom' '--disable-static' '--with-openssl' '--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' '--enable-rrl' '--enable-largefile' '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Feb 24 11:28:08 cpdnsquar01v named[72797]: running as: named -u named
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with libxml2 version: 2.9.1
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to libxml2 version: 20901
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]:
Feb 24 11:28:08 cpdnsquar01v named[72797]: BIND 9 is maintained by Internet Systems Consortium,
Feb 24 11:28:08 cpdnsquar01v named[72797]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Feb 24 11:28:08 cpdnsquar01v named[72797]: corporation.  Support and training for BIND 9 are
Feb 24 11:28:08 cpdnsquar01v named[72797]: available at https://www.isc.org/support
Feb 24 11:28:08 cpdnsquar01v named[72797]:
Feb 24 11:28:08 cpdnsquar01v named[72797]: adjusted limit on open files from 4096 to 1048576
Feb 24 11:28:08 cpdnsquar01v named[72797]: found 1 CPU, using 1 worker thread
Feb 24 11:28:08 cpdnsquar01v named[72797]: using 1 UDP listener per interface
Feb 24 11:28:08 cpdnsquar01v named[72797]: using up to 21000 sockets
Feb 24 11:28:08 cpdnsquar01v named[72797]: loading configuration from '/usr/local/named-jail9.16.26/etc/named.conf'
Feb 24 11:28:08 cpdnsquar01v named[72797]: reading built-in trust anchors from file '/usr/local/named-jail9.16.26/etc/bind.keys'
Feb 24 11:28:08 cpdnsquar01v named[72797]: using default UDP/IPv4 port range: [32768, 60999]
Feb 24 11:28:08 cpdnsquar01v named[72797]: using default UDP/IPv6 port range: [32768, 60999]
Feb 24 11:28:08 cpdnsquar01v named[72797]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 24 11:28:08 cpdnsquar01v named[72797]: udp.c:226: fatal error:
Feb 24 11:28:08 cpdnsquar01v named[72797]: RUNTIME_CHECK(r == 0) failed
Feb 24 11:28:08 cpdnsquar01v named[72797]: exiting (due to fatal error in library)
Feb 24 11:28:08 cpdnsquar01v abrt-hook-ccpp: Process 72797 (named) of user 200 killed by SIGABRT - dumping core
Feb 24 11:28:10 cpdnsquar01v abrt-server: Package 'bind' isn't signed with proper key
Feb 24 11:28:10 cpdnsquar01v abrt-server: 'post-create' on '/var/spool/abrt/ccpp-2022-02-24-11:28:08-72797' exited with 1
Feb 24 11:28:10 cpdnsquar01v abrt-server: Deleting problem directory '/var/spool/abrt/ccpp-2022-02-24-11:28:08-72797'


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri
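
Ondřej's reply in this thread says every library used to compile BIND 9 must be at the same or a higher version on the host that runs it. The script below is an added example, not code from the thread: `banner_check` compares the compiled/linked pairs that the posted startup log reports, and `host_check` applies the same-or-higher rule to two package lists. The package lists are constructed and both function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: two checks for a build-host / run-host library mismatch.

# Version lines copied from the startup log in the post (syslog prefix removed).
BANNER='compiled with OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7'

# Constructed "name version-release" package lists, one per host, in the form
# printed by: rpm -qa --qf "%{NAME} %{VERSION}-%{RELEASE}\n"
# The versions are invented for the example; they are not the poster's hosts.
BUILD_PKGS='libuv 1.43.0-1.el7
libxml2 2.9.1-6.el7
openssl-libs 1.0.2k-25.el7
zlib 1.2.7-19.el7'
RUN_PKGS='libuv 1.34.0-1.el7
libxml2 2.9.1-6.el7
openssl-libs 1.0.2k-25.el7'

# banner_check: read a named startup log on stdin and print "<library> <verdict>"
# for every "compiled with" / "linked to" pair it reports.
banner_check() {
    awk '
    function norm(v) {
        sub(/[ \t]+$/, "", v)
        # libxml2 logs the linked version as major*10000 + minor*100 + micro.
        if (v ~ /^[0-9][0-9][0-9][0-9][0-9]+$/)
            return int(v / 10000) "." int((v % 10000) / 100) "." (v % 100)
        return v
    }
    match($0, /(compiled with|linked to) [^ ]+ version: /) {
        split(substr($0, RSTART, RLENGTH), w, " ")
        val = norm(substr($0, RSTART + RLENGTH))
        if (w[1] == "compiled") { built[w[3]] = val; order[++n] = w[3] }
        else linked[w[3]] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            lib = order[i]
            if (!(lib in linked))               verdict = "not-reported"
            else if (built[lib] == linked[lib]) verdict = "same"
            else                                verdict = "DIFFERENT"
            print lib, verdict
        }
    }'
}

# host_check <build list> <run list>: print "<pkg> <build> <run> <verdict>".
# The run host must carry the same or a higher version of each build-host
# package. sort -V approximates rpm version ordering; it is not rpmvercmp.
host_check() {
    local name bver rver newest
    while read -r name bver; do
        [ -n "$name" ] || continue
        rver=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$rver" ]; then
            echo "$name $bver - MISSING"
            continue
        fi
        newest=$(printf '%s\n%s\n' "$bver" "$rver" | sort -V | tail -n 1)
        if [ "$newest" = "$rver" ]; then
            echo "$name $bver $rver ok"
        else
            echo "$name $bver $rver OLDER"
        fi
    done <<EOF
$1
EOF
}

printf '%s\n' "$BANNER" | banner_check
host_check "$BUILD_PKGS" "$RUN_PKGS"
```

The three libraries this banner reports all come out as `same`, so the banner alone cannot locate a mismatch in a library it does not list; the package comparison between the two hosts covers that case.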

RE: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X [ Issue resolved on RHEL 7.X ]

2020-05-19 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Finally got time to work on this and happy to report that the compile was 
successful for 9.16.3 on RHEL 7.X.

What it needed was just the installation of libuv-devel package to be 
installed on RHEL 7.X

So basically addition of two libuv packages on RHEL 7.X resolved the compile 
issue for me.

Now moving to address the issue on RHEL 6.X.

Thanks
Sandeep





-----Original Message-----
From: Anand Buddhdev [mailto:ana...@ripe.net] 
Sent: Tuesday, March 24, 2020 4:04 PM
To: Bhangui, Sandeep - BLS CTR ; 
bind-users@lists.isc.org
Subject: Re: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

On 24/03/2020 20:44, Bhangui, Sandeep - BLS CTR via bind-users wrote:

Hi Sandeep,

[snip]

> As far as I can tell has the libuv library package is installed on this 
> RHEL 7.X machine.
> 
> sh-4.2# rpm -qa | grep -i libuv
> 
> libuv-1.34.0-1.el7.x86_64

This package contains just the runtime library. However, in order to compile 
code that links against libuv, you need the "libuv-devel"
package. Besides "libuv-devel", you also need some other packages to build and 
run BIND properly.

However, seeing as you're stumbling on even this basic step, I'd advise you not 
to compile BIND. You're better off using packages made by other experienced 
people. The packages also contain additional files, such as systemd unit files, 
that make it easy to run BIND. For CentOS, have a look at:

https://copr.fedorainfracloud.org/coprs/isc/

Regards,
Anand

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

2020-03-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Anand

Thanks for the update.

I have always compiled all versions of Bind we have used so far...we are 
currently running 9.14.11 so have gone through the compile process before for 
multiple versions of Bind.

My last successful compile was 9.14.11 and this looks like some new 
dependencies for 9.16.1 so will try to compile further by getting the package.

Will also look at the link you have provided but those I believe would be set 
packages and those configuration may not map with what we have but will take a 
look if need be.

Thanks
Sandeep


-----Original Message-----
From: Anand Buddhdev [mailto:ana...@ripe.net] 
Sent: Tuesday, March 24, 2020 4:04 PM
To: Bhangui, Sandeep - BLS CTR ; 
bind-users@lists.isc.org
Subject: Re: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

On 24/03/2020 20:44, Bhangui, Sandeep - BLS CTR via bind-users wrote:

Hi Sandeep,

[snip]

> As far as I can tell has the libuv library package is installed on this 
> RHEL 7.X machine.
> 
> sh-4.2# rpm -qa | grep -i libuv
> 
> libuv-1.34.0-1.el7.x86_64

This package contains just the runtime library. However, in order to compile 
code that links against libuv, you need the "libuv-devel"
package. Besides "libuv-devel", you also need some other packages to build and 
run BIND properly.

However, seeing as you're stumbling on even this basic step, I'd advise you not 
to compile BIND. You're better off using packages made by other experienced 
people. The packages also contain additional files, such as systemd unit files, 
that make it easy to run BIND. For CentOS, have a look at:

https://copr.fedorainfracloud.org/coprs/isc/

Regards,
Anand



Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

2020-03-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Trying to compile Bind 9.16.1 on RHEL 7.X and RHEL 6.X and getting compile 
errors hopefully someone can point me in the right direction.

The download for the source code from the ISC site was done sometimes late last 
week.

Configuration.

RHEL 7.X  and RHEL 6.X running on HP-BLADE physical server.

RHEL 7.X Kernel

Linux  3.10.0-1062.12.1.el7.x86_64 #1 SMP Thu Dec 12 06:44:49 EST 2019 x86_64 
x86_64 x86_64 GNU/Linux

As far as I can tell has the libuv library package is installed on this RHEL 
7.X machine.

sh-4.2# rpm -qa | grep -i libuv
libuv-1.34.0-1.el7.x86_64


This is the configure error I get when I try to compile on the RHEL 7.X 
machine.

checking for sched_setaffinity... yes
checking for pthread_setname_np... yes
checking for pthread_set_name_np... no
checking for pthread_np.h... no
checking for libuv... checking for libuv >= 1.0.0... no
configure: error: libuv not found
+ exit 0

I am getting a similar error on RHEL 6.X machine but on that machine I do not 
have the libuv package so that could explain that.

Please advise.

Thanks in advance.

Sandeep
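
The trace in this post ends in `+ exit 0` directly after `configure: error`, so the failed configure run did not fail the build step. The script below is an added example, not code from the thread, that reproduces this. It assumes the build body has the `./configure ... && make` shape of the 9.12.4 spec file further down this page and runs under `sh -e` with a closing `exit 0`; `FAKE_CONFIGURE` and `run_body` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example: why a failed ./configure can still end in "+ exit 0".

# Stand-in for ./configure stopping with the error quoted in the post.
FAKE_CONFIGURE='(echo "configure: error: libuv not found" >&2; exit 1)'

# Body in the shape of the spec file: configure and make joined with &&.
CHAINED="$FAKE_CONFIGURE &&
echo make"

# Same steps as separate commands, so `sh -e` sees configure fail on its own.
SEPARATE="$FAKE_CONFIGURE
echo make"

# run_body <body>: execute the body under `sh -e`, append the closing `exit 0`
# seen in the trace, and print "<exit status> <whether make ran>".
run_body() {
    local out status=0
    out=$(sh -e -c "$1
exit 0" 2>/dev/null) || status=$?
    case "$out" in
        *make*) echo "$status make-ran" ;;
        *)      echo "$status make-skipped" ;;
    esac
}

# `sh -e` ignores a failure in any command of an && list except the last one,
# so the chained form falls through to `exit 0` and reports success.
run_body "$CHAINED"    # 0 make-skipped
run_body "$SEPARATE"   # 1 make-skipped
```

Writing configure and make as separate commands lets a configure failure stop the package build instead of being reported as success.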



Checking whether some configure options to compile are not longer available for Bind 9.14.1

2019-04-29 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

Is IPV6 by default enabled in DNS bind Ver 9.14.1 ?

I am trying to compile the 9.14.1 source code on Sparc Solaris 10 and I see 
that following options are not recognized any more when used with configure.

 " -enable-ipv6" and "-enable-threads"

Both these options worked with source code for 9.12.4. Am I doing something 
wrong or wondering whether I have messed up something in my configure file.


These are the options I am using.

./configure --build=sparc-sun-solaris2.10
--host=sparc-sun-solaris2.10
--with-openssl
--with-libxml2 --disable-
--enable-ipv6
--enable-fixed-rrset
--enable-threads
--enable-largefile
   --enable-querytrace
  --with-python=no




Thanks
Sandeep



RE: BIND 9.12.4-P1 build fails on Solaris 10

2019-04-26 Thread Bhangui, Sandeep - BLS CTR via bind-users
Solaris 10, Sparc based.  

Forgot to add that

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
Bhangui, Sandeep - BLS CTR via bind-users
Sent: Friday, April 26, 2019 1:31 PM
To: bind-us...@isc.org
Subject: BIND 9.12.4-P1 build fails on Solaris 10

Hi

Seen exact similar thread from last few days for Bind 9.11.6-P1 on Solaris. 

I get a make error when I try to compile Bind 9.12.4-P1 on Solaris 10. 

Using same configure file I can compile Bind 9.12.4 successfully on Solaris 10.

This is the make error that I get 

Undefined                       first referenced
 symbol                             in file
isc_atomic_xadd                     ../../lib/ns/libns.a(client.o)
ld: fatal: symbol referencing errors. No output written to namedtmp0
collect2: ld returned 1 exit status
*** Error code 1

I see that someone posted these two links to check... this talks about Solaris 
11 but looking at the error it seems that is what I am hitting too


https://gitlab.isc.org/isc-projects/bind9/issues/999


https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864


Some questions.

1. Has this been considered/reported as a BUG and will be fixed in next release 
?

2. The second link above talks of making changes to client.c what exact changes 
have to be made? Is this worthwhile or better to wait till this is addressed in 
the next release ( assuming that this is considered as a Bug and will be 
addressed in the next release ).


The configure file I am using is as follows...if that is of any relevance.

./configure --build=sparc-sun-solaris2.10
--host=sparc-sun-solaris2.10 
--with-openssl
--with-libxml2 --disable- 
--enable-ipv6 
--enable-fixed-rrset 
--enable-threads 
--enable-largefile  
   --enable-querytrace 
  --with-python=no 


Any advice/help would be appreciated.

Thanks
Sandeep




BIND 9.12.4-P1 build fails on Solaris 10

2019-04-26 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

Seen exact similar thread from last few days for Bind 9.11.6-P1 on Solaris. 

I get a make error when I try to compile Bind 9.12.4-P1 on Solaris 10. 

Using same configure file I can compile Bind 9.12.4 successfully on Solaris 10.

This is the make error that I get 

Undefined                       first referenced
 symbol                             in file
isc_atomic_xadd                     ../../lib/ns/libns.a(client.o)
ld: fatal: symbol referencing errors. No output written to namedtmp0
collect2: ld returned 1 exit status
*** Error code 1

I see that someone posted these two links to check... this talks about Solaris 
11 but looking at the error it seems that is what I am hitting too


https://gitlab.isc.org/isc-projects/bind9/issues/999


https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864


Some questions.

1. Has this been considered/reported as a BUG and will be fixed in next release 
?

2. The second link above talks of making changes to client.c what exact changes 
have to be made? Is this worthwhile or better to wait till this is addressed in 
the next release ( assuming that this is considered as a Bug and will be 
addressed in the next release ).


The configure file I am using is as follows...if that is of any relevance.

./configure --build=sparc-sun-solaris2.10
--host=sparc-sun-solaris2.10 
--with-openssl
--with-libxml2 --disable- 
--enable-ipv6 
--enable-fixed-rrset 
--enable-threads 
--enable-largefile  
   --enable-querytrace 
  --with-python=no 


Any advice/help would be appreciated.

Thanks
Sandeep




RE: Make install error compiling Bind 9.12.4 on RHEL 6.X [ Resolved ]

2019-04-03 Thread Bhangui, Sandeep - BLS CTR via bind-users
My bad... I had a typo when I tried. "--without-python" option did the 
trick.

Was able to compile it successfully.

Thanks a lot 

Sandeep

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
Bhangui, Sandeep - BLS CTR via bind-users
Sent: Wednesday, April 3, 2019 9:18 AM
To: bind-users@lists.isc.org
Subject: RE: Make install error compiling Bind 9.12.4 on RHEL 6.X

Thanks

Tried what was suggested and got the same exact error.

Sandeep

-----Original Message-----
From: Anand Buddhdev [mailto:ana...@ripe.net]
Sent: Wednesday, April 3, 2019 8:29 AM
To: Bhangui, Sandeep - BLS CTR ; 
bind-users@lists.isc.org
Subject: Re: Make install error compiling Bind 9.12.4 on RHEL 6.X

On 03/04/2019 14:05, Bhangui, Sandeep - BLS CTR via bind-users wrote:

Hi Sandeep,

> Trying to compile Bind 9.12.4 on RHEL 6.X running on physical HP blade server.
> 
> Looks like I am missing something trivial  but have looked at things 
> couple of times but cannot figure it out.

One cause could be that this version of BIND will try to build the "isc"
python module, and fail, because it requires python >= 2.7. However, RHEL 6 
only ships with python 2.6. You can probably see this if you examine the build 
logs.

You'll need to add "--without-python" to work around this.

I also recommend that you remove the DIG_SIGCHASE define. This feature has been 
deprecated, and the newest release of BIND, 9.14.0, doesn't even have it any 
more.

Regards,
Anand



RE: Make install error compiling Bind 9.12.4 on RHEL 6.X

2019-04-03 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks

Tried what was suggested and got the same exact error.

Sandeep

-----Original Message-----
From: Anand Buddhdev [mailto:ana...@ripe.net] 
Sent: Wednesday, April 3, 2019 8:29 AM
To: Bhangui, Sandeep - BLS CTR ; 
bind-users@lists.isc.org
Subject: Re: Make install error compiling Bind 9.12.4 on RHEL 6.X

On 03/04/2019 14:05, Bhangui, Sandeep - BLS CTR via bind-users wrote:

Hi Sandeep,

> Trying to compile Bind 9.12.4 on RHEL 6.X running on physical HP blade server.
> 
> Looks like I am missing something trivial  but have looked at things 
> couple of times but cannot figure it out.

One cause could be that this version of BIND will try to build the "isc"
python module, and fail, because it requires python >= 2.7. However, RHEL 6 
only ships with python 2.6. You can probably see this if you examine the build 
logs.

You'll need to add "--without-python" to work around this.

I also recommend that you remove the DIG_SIGCHASE define. This feature has been 
deprecated, and the newest release of BIND, 9.14.0, doesn't even have it any 
more.

Regards,
Anand



Make install error compiling Bind 9.12.4 on RHEL 6.X

2019-04-03 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Trying to compile Bind 9.12.4 on RHEL 6.X running on physical HP blade server.

Looks like I am missing something trivial  but have looked at things couple of 
times but cannot figure it out.

Did a fresh download of the source code but got the same error.

Here are the details about the machine, SPEC file used and the make install 
error. The install directory exists.

Thanks
Sandeep

[root@cfsand01 SPECS]# uname -a
Linux cfsand01 2.6.32-754.11.1.el6.x86_64 #1 SMP Tue Jan 22 17:25:23 EST 2019 
x86_64 x86_64 x86_64 GNU/Linux

[root@cfsand01 SPECS]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.10 (Santiago)

We have rpm-build, rpmdevtools and openssl-devel installed.

We have the /rpmbuild directory under /root with the bind9.12.4.tar.gz source 
code under /root/rpmbuild/SOURCES.

Here is the SPEC file.


Vendor: Internet Systems Consortium ISC
# Original Name: Bind
# This is the spec file used to build a bind-9.12.4 rpm package.

%define _topdir  /root/rpmbuild
%define DESTDIR  /usr/local/named-jail9.12.4
%define name     bind
%define version  9.12.4
%define release  %{dist}

Summary:   Setup to use ISC BIND at BLS
URL:       http://www.isc.org/
Packager:  xyz
License:   ISC
Name:      %{name}
Version:   %{version}
Release:   %{dist}
Group:     Development/Tools
#Source: http://www.isc.org/downloads/
# artificial source for tar file name
Source:    %{name}-%{version}.tar.gz
Prefix:    /usr

# Location installed package
BuildRoot: %{buildroot}

%description
Bind configured for BLS use
Set as a first time install on a server
No previous version of bind exists

%prep
%setup  -n %{name}-%{version}
# In the prep section the tar.gz file gets unpacked to a directory.

%build
# First we make sure we start clean
rm -rf $RPM_BUILD_ROOT

#Create directory
mkdir -p $RPM_BUILD_ROOT

STD_CDEFINES="-DDIG_SIGCHASE=1"
export STD_CDEFINES

CFLAGS="$RPM_OPT_FLAGS" ./configure \
--prefix=/usr/local/named-jail9.12.4\
   --sysconfdir=/usr/local/named-jail9.12.4/etc  \
   --mandir=/usr/local/named-jail9.12.4/usr/man  \
   --bindir=/usr/local/named-jail9.12.4/usr/bin  \
   --sbindir=/usr/local/named-jail9.12.4/usr/sbin  \
   --libexecdir=/usr/local/named-jail9.12.4/usr/libexec  \
   --sharedstatedir=/usr/local/named-jail9.12.4/usr/shared  \
   --localstatedir=/usr/local/named-jail9.12.4/var  \
   --libdir=/usr/local/named-jail9.12.4/usr/lib  \
   --includedir=/usr/local/named-jail9.12.4/usr/include  \
   --with-randomdev=/dev/urandom \
   --disable-static \
   --with-openssl   \
   --disable-openssl-version-check \
   --enable-ipv6  \
   --enable-fixed-rrset   \
   --enable-rrl\
   --enable-largefile  \
   --enable-newstats  \
   --with-libxml2  \
   --enable-fullreport  \
&&
make

%install
make install DESTDIR=$RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev
mkdir -p $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log
mkdir -p $RPM_BUILD_ROOT//usr/local/named-jail9.12.4/var/run/named
mkdir  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/usr/named
mkdir -p $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/usr/share/lib/zoneinfo


touch  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.lame
touch   $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.log
touch  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.querylog
touch  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/run/named.pid

%clean
rm -rf $RPM_BUILD_ROOT

%files -f /adminfiles/Rhel6.5/bind/rpmbuild/

%defattr(-, named, named)
%attr(-, root, root)
%attr(700, named, named) /usr/local/named-jail9.12.4


%post

chown -R named:named /usr/local/named-jail9.12.4

# directory ownership

chmod 755 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var
chmod 770 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/run
chgrp -R named $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/run
chmod 770 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log
chgrp -R named  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log
chown named:named $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.lame
chown named:named /usr/local/named-jail9.12.4/var/log/named.log
chown named:named /usr/local/named-jail9.12.4/var/log/named.querylog
chown -R root:named /usr/local/named-jail9.12.4/usr/named
chmod 770 /usr/local/named-jail9.12.4/usr/named



mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/tcp c 11 42
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/udp c 11 41
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/log c 21 5
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/null c 13 2
mknod $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/zero c 13 2
chmod 666 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/null
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/conslog  c 21 0
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/de