Re: Email migration and MX records
No one realistically has a choice about dealing with either for email. In any case, we found a vastly simpler way of doing this; our cloud email security/anti-spam provider (Barracuda) can spool mail for delivery if our systems go offline for up to 96 hours, so we’re setting them to not deliver tonight, doing the migration, changing our MX records afterwards to let the outside know where it's supposed to send us email, and then changing the delivery address we have on Barracuda to the new one, and the mail should flow in. In theory! :-)

Thanks for all the suggestions, everyone.

> On Jan 6, 2023, at 12:52 PM, Mark Andrews <ma...@isc.org> wrote:
>
> Just a reason to not use them for your email. Not everybody is in a position to repair stuff on a 7/24/365 basis. Notify that the mail is delayed but don’t bounce.
>
> --
> Mark Andrews
>
>> On 7 Jan 2023, at 06:11, Brown, William <wbr...@e1b.org> wrote:
>>
>> Last I saw, both M365 and Google only retry for 24 hours before returning as undeliverable.
>>
>> --
>> William Brown
>> WNYRIC/Erie 1 BOCES
>>
>> -----Original Message-----
>> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Marcus Kool
>> Sent: Wednesday, January 4, 2023 7:17 AM
>> To: bind-users@lists.isc.org
>> Subject: Re: Email migration and MX records
>>
>> SMTP is a wonderful protocol that queues messages and retries delivery for 5 days, so a non-responsive email server is no issue. Just do not have a temporary solution that bounces emails, since those will never arrive (the sender is notified about the bounce).
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Email migration and MX records
We’re making an O365 tenant switchover for our domain (a subdomain of the arizona.edu domain) and moving from our Barracuda cloud email SMTP to the University’s tenant, but email cannot flow until the arizona.edu O365 tenant can take over our email domain. In anticipation I set our TTL for MX records quite low before the break (150 seconds), but the process may take up to an hour (if everything goes well).

Will setting our MX record to a bogus address cause email to bounce on the sending end and eventually get retried later, after the MX record has been properly set to the University’s main SMTP MX address? Or are we approaching this in the wrong way?

Basically, our end result is we want to stop accepting email from anywhere until the whole process has been changed and we have established the correct route, so email starts flowing correctly. As it’s been explained to me, the main campus tenant cannot start accepting email for our domain until we’ve transferred the email domain between tenants, so we cannot just change the MX record in our DNS server to the University’s (a Cisco IronPort setup).

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
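An added example for this thread (the reply above and the question), not code from any of the posts: the one check worth running before an MX cutover of this kind is that every MX record's TTL really is at or below the value you lowered it to, as seen from the authoritative servers. The script below uses only the Python standard library, with a minimal DNS wire-format client (RFC 1035 name compression included) instead of a resolver library; the domain, server and sample packet are constructed, and the threshold of 300 seconds is an assumption.

```python
"""Pre-cutover MX/TTL check: fetch the MX RRset for a domain and report
exchanges whose TTL is still above the cutover threshold.
Added example; domain names, the sample packet and the threshold are
constructed for illustration."""
import random
import socket
import struct
from typing import List, Optional, Tuple

TYPE_MX = 15
CLASS_IN = 1


def build_query(name: str, qtype: int = TYPE_MX, txid: Optional[int] = None) -> bytes:
    """Encode a single-question DNS query with the RD bit set."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_mx_answers(packet: bytes) -> List[Tuple[int, str, int]]:
    """Return [(preference, exchange, ttl), ...] from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x000F != 0:
        raise ValueError(f"DNS RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                      # skip the question section
        _, offset = read_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = read_name(packet, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_MX:
            pref = struct.unpack("!H", packet[offset:offset + 2])[0]
            exchange, _ = read_name(packet, offset + 2)
            answers.append((pref, exchange, ttl))
        offset += rdlen
    return answers


def ttl_check(answers: List[Tuple[int, str, int]], max_ttl: int) -> List[str]:
    """Exchanges whose TTL is still above the cutover threshold."""
    return [exchange for _, exchange, ttl in answers if ttl > max_ttl]


def query_mx(domain: str, server: str, timeout: float = 3.0) -> List[Tuple[int, str, int]]:
    """Send the query over UDP to one (authoritative) server; needs network access."""
    query = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_mx_answers(data)


def sample_response() -> bytes:
    """Constructed answer: two MX records for example.test with TTLs 150 and 3600."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", TYPE_MX, CLASS_IN)

    def rr(ttl: int, pref: int, exchange: bytes) -> bytes:
        rdata = struct.pack("!H", pref) + exchange          # exchange ends in a pointer to offset 12
        return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata

    return header + question + rr(150, 10, b"\x03mx1\xc0\x0c") + rr(3600, 20, b"\x03mx2\xc0\x0c")


if __name__ == "__main__":
    # Offline demonstration on the constructed packet; swap in query_mx(...) for a live check.
    print(ttl_check(parse_mx_answers(sample_response()), 300))   # ['mx2.example.test.']
```

Run it against each listed nameserver for the zone (not a recursive resolver, whose cached TTL counts down) so a stale high-TTL answer on one secondary does not surprise you at cutover time.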
Re: Move from Development to Production
That’s the wrong repo; the stable repo is here: https://copr.fedorainfracloud.org/coprs/isc/bind/

It works very well with Rocky Linux 8.6 at least.

> On Aug 26, 2022, at 12:50 PM, David C. Templeton <david.temple...@troycable.com> wrote:
>
> Sorry for any confusion. I started with 9.18.4 because I also wanted to test out upgrading. Install 9.18.4 first, then make sure I could upgrade to 9.18.6 without issue.
>
> Am I following the correct link (https://copr.fedorainfracloud.org/coprs/isc/bind-dev)? The note at the top of the page says, "Software published in this Copr should be considered unstable." Is it recommended for a production environment?
>
> Regards,
> Dave
>
> -----Original Message-----
> From: Ondřej Surý <ond...@isc.org>
> Sent: Friday, August 26, 2022 2:33 PM
> To: David C. Templeton <david.temple...@troycable.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: Move from Development to Production

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Re: Setting Up And Running Your Own DMARC using BIND DNS
> On Jun 27, 2022, at 11:34 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
> Also, I do not understand the writing of "hundreds of lines of code". The code to load DMARC records is in BIND for a very long time since they are just TXT records.
>
>> @ IN TXT v=DMARC1; p=reject; rua=mailto:dmarc_rep...@mail.netassoc.net; ruf=mailto:demarc_foren...@mail.netassoc.net; fo=1;
>
> Quotes, maybe?

Yes, this part needs to be in quotes:

    "v=DMARC1; p=reject; rua=mailto:dmarc_rep...@mail.netassoc.net ruf=mailto:demarc_foren...@mail.netassoc.net; fo=1;"

Also, DMARC records need to be at _dmarc under the apex, not at the apex.

I found this to be a very helpful guide to setting up DMARC in bind; it has examples: https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/

Here is a good site with tools to check DMARC, DKIM and SPF records: https://www.dmarcanalyzer.com/dmarc/

I think the CNAME "_dmarc.netassoc.net. IN CNAME netassoc.net." is not needed. The _dmarc.netassoc.net entry identifies netassoc.net as the domain the DMARC record is for. At least I do not have that CNAME set for my domain and DMARC passes all the tests.

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Re: Probably stupid simple question...
Thanks!

> On Jun 1, 2022, at 1:48 PM, Sandro <li...@penguinpee.nl> wrote:
>
> On 01-06-2022 20:07, Bruce Johnson via bind-users wrote:
>> I am migrating our BIND system to a new server/BIND version, and have a question about dynamically updated zone files (we have one dynamic zone). I am just copying all the configuration and zone files to the new server; do I need to run rndc freeze before shutting down bind and moving them, or will just stopping the bind service properly deal with updating the zone file? Also, do I need to copy over the .jnl file when I do this, or will a new one get generated as needed?
>
> Not a stupid question, but an easy answer (man 8 rndc):
>
>     This command stops the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones.
>
> So as long as you stop named with 'rndc stop', the zone file will be up to date. That also makes the journal file obsolete. So, you don't need to move that over. But it doesn't hurt if you do.
>
> Before starting named on the new system, assuming your main configuration file is '/etc/named.conf', use:
>
>     named-checkconf -z /etc/named.conf
>
> This will check your configuration and all your zones and tell you if anything is wrong.
>
> --
> Sandro

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Probably stupid simple question...
I am migrating our BIND system to a new server/BIND version, and have a question about dynamically updated zone files (we have one dynamic zone). I am just copying all the configuration and zone files to the new server; do I need to run rndc freeze before shutting down bind and moving them, or will just stopping the bind service properly deal with updating the zone file? Also, do I need to copy over the .jnl file when I do this, or will a new one get generated as needed?

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
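An added example for this question and the reply above it, not code from the posts or from BIND: the point of stopping named with `rndc stop` is that the journal's pending changes get written to the zone file first, so a quick way to confirm a zone directory is safe to copy is to look for any `.jnl` that is newer than its zone file (named was stopped some other way) or that has no zone file next to it. The directory layout, file names and timestamps below are constructed; nothing here talks to named.

```python
"""Pre-copy check for a BIND zone directory that holds dynamic zones.
Added example; the fixture directory and its timestamps are constructed."""
import os
import tempfile
from typing import List, Tuple


def find_unsynced_journals(zone_dir: str) -> List[Tuple[str, str]]:
    """Return (zone file name, reason) for every journal that is not safely synced.

    After `rndc stop` (or `rndc sync -clean`) the zone file is at least as new
    as its journal; a newer journal means dynamic updates would be lost if only
    the zone files were copied to the new server."""
    findings = []
    for entry in sorted(os.listdir(zone_dir)):
        if not entry.endswith(".jnl"):
            continue
        journal = os.path.join(zone_dir, entry)
        zone_name = entry[:-len(".jnl")]
        zone = os.path.join(zone_dir, zone_name)
        if not os.path.exists(zone):
            findings.append((zone_name, "missing zone file"))
        elif os.path.getmtime(journal) > os.path.getmtime(zone):
            findings.append((zone_name, "journal newer than zone file"))
    return findings


def make_fixture() -> str:
    """Constructed directory: one static zone, one synced dynamic zone,
    one unsynced dynamic zone and one orphan journal."""
    base = tempfile.mkdtemp(prefix="zones-")

    def touch(name: str, mtime: int) -> None:
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("; constructed test file\n")
        os.utime(path, (mtime, mtime))

    touch("static.db", 1000)                              # no journal at all
    touch("dyn.db", 2000); touch("dyn.db.jnl", 1500)      # synced: zone file newer
    touch("hosts.db", 1000); touch("hosts.db.jnl", 3000)  # unsynced: journal newer
    touch("orphan.db.jnl", 100)                           # journal without a zone file
    return base


if __name__ == "__main__":
    import sys
    # Usage: python check_journals.py /var/named   (defaults to the constructed fixture)
    target = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for zone_name, reason in find_unsynced_journals(target):
        print(f"{zone_name}: {reason}")
```

A clean run (no output) on the old server after `rndc stop` is what you want before the copy; a "journal newer than zone file" line means start named again and stop it properly, or `rndc sync -clean` that zone first.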
Has anyone run Sophos Server Protection on a linux system running bind?
We're getting a centralized IT push to install the university’s Sophos product on all servers, including Linux: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/SPLCommandLineOptions.html

We have three systems running bind: a primary and two secondaries; all are running on a Rocky Linux 8 minimal system (basically our VM Linux template is a stock minimum install), and we added nothing more than what we needed to get bind (and, on the master, dhcpd, as it’s also our DHCP server) working; communication is via ssh and that’s it, no web service, no external mounts of any kind.

I’m thinking that there's no real avenue for malware to get on this system (beyond some sort of 0-day in the software that is running…) so it’s probably not necessary; but if we get told we have to, does anyone foresee any issues with it interfering with DNS?

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
odd MX entry error in zone file
I added a new zone to our domain today and ran named-checkzone and got the following when it ran:

    named-checkzone -t /var/named/chroot Pharmacy.Arizona.EDU /etc/Pharmacy.Hosts
    zone Pharmacy.Arizona.EDU/IN: getaddrinfo(xxx1.barracudanetworks.com) failed: System error
    zone Pharmacy.Arizona.EDU/IN: getaddrinfo(xxx2.barracudanetworks.com) failed: System error
    zone Pharmacy.Arizona.EDU/IN: loaded serial 1762233835
    OK

These are our Barracuda cloud service addresses set as MX entries in the zone:

    ;MX records
    ;pharmacy.arizona.edu.  3600  IN MX 99 barracuda.pharmacy.arizona.edu.  ;message exchanger
    pharmacy.arizona.edu.   3600  IN MX 10 xxx1.barracudanetworks.com.
    pharmacy.arizona.edu.   3600  IN MX 10 xxx1.barracudanetworks.com.

Mail is working, and the OK at the end of the named-checkzone output indicates that it thinks the zone file passes ok. I can resolve the actual addresses without an issue:

    dig d256777b.ess.barracudanetworks.com @elixir.pharmacy.arizona.edu

    ; <<>> DiG 9.10.6 <<>> d256777b.ess.barracudanetworks.com @elixir.pharmacy.arizona.edu
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3699
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 27

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;d256777b.ess.barracudanetworks.com. IN A

    ;; ANSWER SECTION:
    d256777b.ess.barracudanetworks.com. 60 IN A 209.222.82.252
    d256777b.ess.barracudanetworks.com. 60 IN A 209.222.82.253
    d256777b.ess.barracudanetworks.com. 60 IN A 209.222.82.255

    ;; AUTHORITY SECTION:
    com. 8416 IN NS k.gtld-servers.net.
    com. 8416 IN NS i.gtld-servers.net.
    com. 8416 IN NS b.gtld-servers.net.
    com. 8416 IN NS a.gtld-servers.net.
    com. 8416 IN NS l.gtld-servers.net.
    com. 8416 IN NS d.gtld-servers.net.
    com. 8416 IN NS g.gtld-servers.net.
    com. 8416 IN NS h.gtld-servers.net.
    com. 8416 IN NS m.gtld-servers.net.
    com. 8416 IN NS f.gtld-servers.net.
    com. 8416 IN NS e.gtld-servers.net.
    com. 8416 IN NS j.gtld-servers.net.
    com. 8416 IN NS c.gtld-servers.net.

    ;; ADDITIONAL SECTION:
    e.gtld-servers.net. 149240 IN A 192.12.94.30
    m.gtld-servers.net. 10936 IN A 192.55.83.30
    d.gtld-servers.net. 10936 IN A 192.31.80.30
    b.gtld-servers.net. 53266 IN A 192.33.14.30
    j.gtld-servers.net. 53266 IN A 192.48.79.30
    i.gtld-servers.net. 53266 IN A 192.43.172.30
    c.gtld-servers.net. 10936 IN A 192.26.92.30
    g.gtld-servers.net. 53266 IN A 192.42.93.30
    h.gtld-servers.net. 169371 IN A 192.54.112.30
    f.gtld-servers.net. 10936 IN A 192.35.51.30
    a.gtld-servers.net. 82539 IN A 192.5.6.30
    k.gtld-servers.net. 10936 IN A 192.52.178.30
    l.gtld-servers.net. 10936 IN A 192.41.162.30
    e.gtld-servers.net. 53266 IN 2001:502:1ca1::30
    m.gtld-servers.net. 169371 IN 2001:501:b1f9::30
    d.gtld-servers.net. 53266 IN 2001:500:856e::30
    b.gtld-servers.net. 169371 IN 2001:503:231d::2:30
    j.gtld-servers.net. 149240 IN 2001:502:7094::30
    i.gtld-servers.net. 64023 IN 2001:503:39c1::30
    c.gtld-servers.net. 169371 IN 2001:503:83eb::30
    g.gtld-servers.net. 169371 IN 2001:503:eea3::30
    h.gtld-servers.net. 10936 IN 2001:502:8cc::30
    f.gtld-servers.net. 169371 IN 2001:503:d414::30
    a.gtld-servers.net. 20333 IN 2001:503:a83e::2:30
    k.gtld-servers.net. 53266 IN 2001:503:d2d::30
    l.gtld-servers.net. 53266 IN 2001:500:d937::30

    ;; Query time: 15 msec
    ;; SERVER: 128.196.116.5#53(128.196.116.5)
    ;; WHEN: Thu Feb 03 10:26:49 MST 2022
    ;; MSG SIZE  rcvd: 907

And I don’t see anything in the logs about this.

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Re: Error starting named, permissions denied on named.ca
Ugh, forgot about that…that was it. Thanks!

> On Dec 9, 2021, at 3:48 PM, Mark Andrews <ma...@isc.org> wrote:
>
> Almost certainly SELinux or AppArmor on the new platform getting in the way.
>
>> On 10 Dec 2021, at 06:08, Bruce Johnson via bind-users <bind-users@lists.isc.org> wrote:
>>
>> I'm setting up a new secondary for our domain with the intent to shut down an existing one (which is running on a very old OS and bind version). Running Rocky Linux (replacement for CentOS 8.5) using the isc bind-esv package here https://copr.fedorainfracloud.org/coprs/isc/bind-esv/ instead of the built-in (and old) version in the standard repo.
>>
>> I’ve copied over the named.conf file from the working secondary and made appropriate changes; it passes named-checkconf.
>>
>> Starting the service, though, I get the following error:
>>
>>     ● isc-bind-named.service
>>        Loaded: loaded (/usr/lib/systemd/system/isc-bind-named.service; enabled; vendor preset: disabled)
>>        Active: failed (Result: exit-code) since Thu 2021-12-09 13:16:09 EST; 24min ago
>>       Process: 3732 ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named $OPTIONS (code=exited, status=1/FAILURE)
>>
>>     Dec 09 13:16:09 example.com named[3733]: listening on IPv4 interface lo, 127.0.0.1#53
>>     Dec 09 13:16:09 example.com named[3733]: listening on IPv4 interface ens192,123.456.789.123#53
>>     Dec 09 13:16:09 example.com named[3733]: generating session key for dynamic DNS
>>     Dec 09 13:16:09 example.com named[3733]: sizing zone task pool based on 35 zones
>>     Dec 09 13:16:09 example.com named[3733]: could not configure root hints from 'named.ca': permission denied
>>     Dec 09 13:16:09 example.com named[3733]: loading configuration: permission denied
>>     Dec 09 13:16:09 example.com named[3733]: exiting (due to fatal error)
>>     Dec 09 13:16:09 example.com systemd[1]: isc-bind-named.service: Control process exited, code=exited status=1
>>     Dec 09 13:16:09 example.com systemd[1]: isc-bind-named.service: Failed with result 'exit-code'.
>>     Dec 09 13:16:09 example.com systemd[1]: Failed to start isc-bind-named.service.
>>
>> Permissions for named.ca are the same as on our other working servers:
>>
>>     -rw-rw-r--. 1 root named 3289 Dec  9 13:13 /var/named/named.ca
>>
>> This is the entry for that file in named.conf:
>>
>>     zone "." IN {
>>         type hint;
>>         file "named.ca";
>>     };
>>
>> Does it need the full path? On the working secondary it’s entered the same way in named.conf, but that’s running an ancient version, BIND 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 (and why I’m building a new one!)
>>
>> --
>> Bruce Johnson
>> University of Arizona College of Pharmacy
>> Information Technology Group
>> Institutions do not have opinions, merely customs
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742
> INTERNET: ma...@isc.org

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Error starting named, permissions denied on named.ca
I'm setting up a new secondary for our domain with the intent to shut down an existing one (which is running on a very old OS and bind version). Running Rocky Linux (replacement for CentOS 8.5) using the isc bind-esv package here https://copr.fedorainfracloud.org/coprs/isc/bind-esv/ instead of the built-in (and old) version in the standard repo.

I’ve copied over the named.conf file from the working secondary and made appropriate changes; it passes named-checkconf.

Starting the service, though, I get the following error:

    ● isc-bind-named.service
       Loaded: loaded (/usr/lib/systemd/system/isc-bind-named.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Thu 2021-12-09 13:16:09 EST; 24min ago
      Process: 3732 ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named $OPTIONS (code=exited, status=1/FAILURE)

    Dec 09 13:16:09 example.com named[3733]: listening on IPv4 interface lo, 127.0.0.1#53
    Dec 09 13:16:09 example.com named[3733]: listening on IPv4 interface ens192,123.456.789.123#53
    Dec 09 13:16:09 example.com named[3733]: generating session key for dynamic DNS
    Dec 09 13:16:09 example.com named[3733]: sizing zone task pool based on 35 zones
    Dec 09 13:16:09 example.com named[3733]: could not configure root hints from 'named.ca': permission denied
    Dec 09 13:16:09 example.com named[3733]: loading configuration: permission denied
    Dec 09 13:16:09 example.com named[3733]: exiting (due to fatal error)
    Dec 09 13:16:09 example.com systemd[1]: isc-bind-named.service: Control process exited, code=exited status=1
    Dec 09 13:16:09 example.com systemd[1]: isc-bind-named.service: Failed with result 'exit-code'.
    Dec 09 13:16:09 example.com systemd[1]: Failed to start isc-bind-named.service.

Permissions for named.ca are the same as on our other working servers:

    -rw-rw-r--. 1 root named 3289 Dec  9 13:13 /var/named/named.ca

This is the entry for that file in named.conf:

    zone "." IN {
        type hint;
        file "named.ca";
    };

Does it need the full path? On the working secondary it’s entered the same way in named.conf, but that’s running an ancient version, BIND 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 (and why I’m building a new one!)

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Re: named service suddenly fails to start
> On Nov 4, 2021, at 12:05 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
>> ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exi
>
> this nonsense of bash in systemd units typically comes from distributions and so you should at least name which one you are using

In this case it is CentOS 8.

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Re: named service suddenly fails to start
> On Nov 4, 2021, at 12:01 PM, Bruce Johnson <john...@pharmacy.arizona.edu> wrote:
>
> This morning our server started failing to reload or start. Checking the status reveals not a lot of info:
>
>     systemctl status named-chroot
>     ● named-chroot.service - Berkeley Internet Name Domain (DNS)
>        Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
>        Active: failed (Result: exit-code) since Thu 2021-11-04 11:55:17 MST; 27s ago
>       Process: 2020 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exit>

named-checkconf -z revealed a name had been entered with underscores. The person responsible has been sacked. (Not really, merely reminded no underscores are allowed in A records :-)

Does named-checkzone not check for this?

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
named service suddenly fails to start
This morning our server started failing to reload or start. Checking the status reveals not a lot of info:

    systemctl status named-chroot
    ● named-chroot.service - Berkeley Internet Name Domain (DNS)
       Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Thu 2021-11-04 11:55:17 MST; 27s ago
      Process: 2020 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exit>

    Nov 04 11:55:17 elixir bash[2020]: zone 126.140.10.IN-ADDR.ARPA/IN: loaded serial 4
    Nov 04 11:55:17 elixir bash[2020]: zone 233.196.128.IN-ADDR.ARPA/IN: loaded serial 350
    Nov 04 11:55:17 elixir bash[2020]: zone pharm-classless.124.135.150.IN-ADDR.ARPA/IN: loaded serial 4830
    Nov 04 11:55:17 elixir bash[2020]: zone bio5-classless.123.135.150.in-addr.arpa/IN: loaded serial 402
    Nov 04 11:55:17 elixir bash[2020]: zone 18.129.10.IN-ADDR.ARPA/IN: loaded serial 4755
    Nov 04 11:55:17 elixir bash[2020]: zone 19.129.10.IN-ADDR.ARPA/IN: loaded serial 4756
    Nov 04 11:55:17 elixir bash[2020]: zone 118.193.10.IN-ADDR.ARPA/IN: loaded serial 9
    Nov 04 11:55:17 elixir systemd[1]: named-chroot.service: Control process exited, code=exited status=1
    Nov 04 11:55:17 elixir systemd[1]: named-chroot.service: Failed with result 'exit-code'.
    Nov 04 11:55:17 elixir systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

We have one dynamically updated zone and only three other zone files that have been updated today, and named-checkzone says they’re ok. I'm guessing it’s the zone file after the last successfully loaded one, but we have a LOT of zone files; is there a particular order in which they’re loaded at startup? I’ve made no changes to named.conf or anything else on this server.

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
DKIM setup
I’m trying to set up DNS records for DKIM in our system; we have a hybrid O365/on-prem Exchange server and a separate Mailman list server, all of which send email from our domain (and are in the SPF list in DNS).

I’m a little unclear on the syntax described here (https://kb.isc.org/docs/aa-00725):

    alice._domainkey.itverx.com.ve. 86400 IN TXT “v=…ZZZ”

Is alice, in this case, the server with the MTA and private keys, and itverx.com the base domain of the zone? I.e. alice.itverx.com is the server that is signing the emails? What is the .ve. part?

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
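An added example that serves this DKIM question and the DMARC thread above it; it is not code from either post, from ISC or from the cited knowledge-base article. The name in the question is `<selector>._domainkey.<signing domain>` (RFC 6376), so `alice` is the DKIM selector, a label the signer chooses, not a host, and `itverx.com.ve` is the whole signing domain (`.ve` is simply the Venezuelan ccTLD of that example domain). The DMARC record likewise lives at `_dmarc.<domain>` (RFC 7489). Both records use the same `tag=value; tag=value` syntax, and in a zone file the TXT data must be quoted and split into strings of at most 255 octets. The helpers below build the owner names, parse and validate the tags, and render a zone-file TXT line; the domain, selector and addresses are constructed.

```python
"""DMARC/DKIM DNS record helpers: owner names, tag=value parsing, DMARC
sanity checks and zone-file rendering with quoting and 255-octet chunking.
Added example; example.test, the selector and the mailto: addresses are constructed."""
from typing import Dict, List

MAX_CHAR_STRING = 255    # one <character-string> inside TXT RDATA (RFC 1035)


def dmarc_owner(domain: str) -> str:
    """DMARC policy record lives at _dmarc under the domain, not at the apex."""
    return f"_dmarc.{domain.rstrip('.')}."


def dkim_owner(selector: str, domain: str) -> str:
    """DKIM public-key record: <selector>._domainkey.<signing domain>."""
    return f"{selector}._domainkey.{domain.rstrip('.')}."


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k2=v2;' into a dict; whitespace around ';' and '=' is ignored."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def validate_dmarc(owner: str, record: str) -> List[str]:
    """Return the problems found; an empty list means the record looks sane."""
    problems: List[str] = []
    if not owner.startswith("_dmarc."):
        problems.append("owner name must be _dmarc.<domain>")
    tags = parse_tags(record)
    if record.split(";", 1)[0].strip() != "v=DMARC1":   # v= must be the first tag
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):                           # report URIs are mailto: lists
        for uri in tags.get(tag, "").split(","):
            if uri and not uri.startswith("mailto:"):
                problems.append(f"{tag}= URI must be mailto: ({uri})")
    return problems


def to_txt_rr(owner: str, record: str, ttl: int = 3600) -> str:
    """Render a zone-file line; long data (a DKIM p= key) is split into quoted chunks."""
    chunks = [record[i:i + MAX_CHAR_STRING] for i in range(0, len(record), MAX_CHAR_STRING)]
    quoted = " ".join('"' + chunk.replace('"', '\\"') + '"' for chunk in chunks)
    return f"{owner} {ttl} IN TXT ( {quoted} )"


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; fo=1"
    print(validate_dmarc(dmarc_owner("example.test"), policy))          # []
    print(to_txt_rr(dmarc_owner("example.test"), policy))
    print(to_txt_rr(dkim_owner("alice", "example.test"), "v=DKIM1; k=rsa; p=" + "A" * 300))
```

`named-checkzone` will reject an unquoted TXT string that contains `;` (the rest of the line reads as a comment) and a single quoted string over 255 octets, which is exactly what the quoting and chunking in `to_txt_rr` avoid; the parenthesised multi-string form is accepted by BIND and is reassembled by resolvers into one record.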
Re: Odd A record in our hosts zone file
Thank you…this is very useful information; I thought TTL could only be specified on a per-zone basis, not per-host.

> On Jun 25, 2021, at 11:10 AM, Richard T.A. Neal <rich...@richardneal.com> wrote:
>
> Hi Bruce,
>
> Here you're specifying a distinct TTL for those records which overrides the default TTL for this zone (which you will have set towards the top of the file with the rest of the defaults). 1m = 60 seconds: https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-bind-zone.html
>
> So you're essentially telling DNS clients that the value provided for mail.{your-fqdn} is only valid for 60 seconds. As you say, a cheap load balancing attempt!
>
> Best,
> Richard.
>
> -----Original Message-----
> From: bind-users On Behalf Of Bruce Johnson
> Sent: 25 June 2021 6:56 pm
> To: bind-users@lists.isc.org
> Subject: Odd A record in our hosts zone file
>
> I ran across these A records in one of our zone files:
>
>     ;EXCHANGE STUFF
>     mail    1m    IN A    xxx.xxx.xxx.52    ; dhbex1
>     mail    1m    IN A    xxx.xxx.xxx.54    ; dhbex2
>
> I can see that this is a cheap load-balancing for our Exchange OWA servers, but what is the ‘1m’ notation? I haven’t been able to find that in my searching of the manual. (We’re adding new servers and I need to make sure our DNS is properly set for them.)
>
> --
> Bruce Johnson
> University of Arizona College of Pharmacy
> Information Technology Group
> Institutions do not have opinions, merely customs

--
Bruce Johnson
University of Arizona College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Odd A record in our hosts zone file
I ran across these A records in one of our zone files:

    ;EXCHANGE STUFF
    mail    1m    IN    A    xxx.xxx.xxx.52    ; dhbex1
    mail    1m    IN    A    xxx.xxx.xxx.54    ; dhbex2

I can see that this is a cheap load-balancing for our exchange OWA servers, but what is the '1m' notation? I haven't been able to find that in my searching of the manual. (We're adding new servers and I need to make sure our DNS is properly set for them.)

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
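The question above and Richard's answer further up both come down to the shape of a BIND master-file record: `[owner] [TTL] [class] type rdata`, where the optional TTL field is either a plain number of seconds or a time value with w/d/h/m/s suffixes (`1m` = 60 s) and, when present, overrides the zone's `$TTL` default for that one record. The parser below is an added example written for this page, not code from the thread or from ISC; the sample zone it embeds is constructed (192.0.2.0/24 documentation addresses stand in for the masked xxx.xxx.xxx ones in the post). It shows why two `mail` lines with the same name are one RRset that resolvers receive in rotating or random order (depending on `rrset-order`), and why the 60-second TTL bounds how long a client keeps using an address once one server drops out.

```python
"""Parse BIND master-file records that carry their own TTL.

Added example for the bind-users thread above; not code from the thread.
A zone-file record is
    [owner] [TTL] [class] type rdata   ; comment
where the TTL is optional and, when present, is either a number of seconds
or a BIND time value with w/d/h/m/s suffixes ("1m", "1h30m"). A per-record
TTL overrides the $TTL default for that record only.
"""
import re
from collections import defaultdict
from typing import Optional

TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TTL_PART = re.compile(r"(\d+)([wdhms])", re.IGNORECASE)


def parse_ttl(text: str) -> int:
    """Convert a BIND time value ('60', '1m', '1h30m') to seconds."""
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in _TTL_PART.finditer(text):
        if m.start() != pos:                 # junk between parts
            raise ValueError(f"bad TTL {text!r}")
        total += int(m.group(1)) * TTL_UNITS[m.group(2).lower()]
        pos = m.end()
    if pos == 0 or pos != len(text):         # no parts, or trailing junk
        raise ValueError(f"bad TTL {text!r}")
    return total


def is_ttl(token: str) -> bool:
    """Does this field parse as a TTL? ('IN', 'A', 'SOA' do not.)"""
    try:
        parse_ttl(token)
        return True
    except ValueError:
        return False


def parse_zone(text: str, default_ttl: Optional[int] = None):
    """Return [(owner, ttl_seconds, type, rdata), ...] for each record.

    Handles $TTL, ';' comments, owner-name inheritance (a line starting
    with whitespace reuses the previous owner) and both TTL/class orders.
    Multi-line (parenthesised) records are out of scope here.
    """
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        if line.startswith("$"):             # $ORIGIN etc.: not needed here
            continue
        fields = line.split()
        if raw[0].isspace():
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        ttl = default_ttl
        if fields and is_ttl(fields[0]):
            ttl = parse_ttl(fields.pop(0))
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)
        if fields and is_ttl(fields[0]):     # RFC 1035 also allows class then TTL
            ttl = parse_ttl(fields.pop(0))
        if ttl is None:
            raise ValueError(f"{owner}: no TTL and no $TTL default")
        if len(fields) < 2:
            raise ValueError(f"{owner}: missing type or rdata")
        records.append((owner, ttl, fields[0].upper(), " ".join(fields[1:])))
    return records


def rrsets(records):
    """Group records by (owner, type). Several A records under one owner are
    one RRset, handed out in rotating or random order: the 'cheap load
    balancing' in the thread. The short TTL limits how long a client keeps
    using one address after that server drops out."""
    grouped = defaultdict(list)
    for owner, ttl, rtype, rdata in records:
        grouped[(owner, rtype)].append((ttl, rdata))
    return dict(grouped)


# Constructed sample in the shape of the records in the post; 192.0.2.0/24
# (documentation range) stands in for the masked xxx.xxx.xxx addresses.
SAMPLE_ZONE = """\
$TTL 1d
@       IN  SOA  ns1 hostmaster 2021062501 1h 15m 2w 1h
        IN  NS   ns1
ns1     IN  A    192.0.2.1
;EXCHANGE STUFF
mail    1m  IN  A    192.0.2.52   ; dhbex1
mail    1m  IN  A    192.0.2.54   ; dhbex2
www     IN  A    192.0.2.80
"""

if __name__ == "__main__":
    for (owner, rtype), rrs in sorted(rrsets(parse_zone(SAMPLE_ZONE)).items()):
        print(f"{owner:6} {rtype:4} {rrs}")
```

Running it prints the `mail` RRset with both addresses at 60 seconds while `www` and the NS record inherit the 86400-second `$TTL`. On a real zone file the quick check is still `named-checkzone <zone> <file>`, which rejects a malformed TTL field outright.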
Re: BIND 9.16.13 and Mac OS X 10.13.6 - problems with ./configure
> On Mar 26, 2021, at 9:17 AM, Paul Cizmas wrote:
>
> Ondrej:
>
> Thank you - I installed bind with brew. It says it installed 9.16.13. However, it still seems that I am running 9.9.7-P3:

Make sure that the launchd plist for bind is pointing to the correct location of named (probably /usr/local/opt/bind/sbin, judging from the screenshot). If the previous version was installed as part of Mac OS Server, or MacPorts, for example, that binary will live somewhere other than /usr/local.

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Re: Dynamic zone update problems, continued
Turned out to be a dumdum mistake on my part. SELinux was set to enforce; set it to permissive and voila! the .jnl file was created. I coulda sworn I'd fixed that before...

> On Mar 5, 2021, at 12:39 PM, Grant Taylor via bind-users wrote:
>
> On 3/5/21 12:07 PM, Bruce Johnson wrote:
>> Fixing the permissions and restarting named got dynamic updating working again, but new systems (ie names that are NOT already in the Zone file) are throwing errors about the journal file: error: journal open failed: unexpected error
>
> It seems like you still have a permissions error.
>
> Can the user that named is running as create new files in the directory where the zone is stored?
>
>> Is there a specific command to create the .jnl file? I thought named created it automatically as needed. (at least the named-journalprint man page indicates this…)
>
> I don't remember ever needing to manually create a journal (.jnl) file. I think that named always did it.
>
> Named will create, modify, and remove the journal file as needed. rndc freeze will sync the in memory zone contents to the journal file. rndc sync will sync the journal file to the main zone file. The -clean option to rndc sync will remove the journal file. -- Don't forget to rndc thaw a frozen zone to start allowing dynamic updates again.
>
> Beyond that, I've not needed to worry about the journal file or its contents.
>
> --
> Grant. . . .
> unix || die

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Re: Dynamic zone update problems, continued
named process is running as 'named':

    named 45631 1.0 11.8 411576 220744 ? Ssl 11:28 0:57 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

If I run `su --shell=/bin/sh named` I can create files in the directory the journal file should be in.

On Mar 5, 2021, at 12:39 PM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:

> On 3/5/21 12:07 PM, Bruce Johnson wrote:
>> Fixing the permissions and restarting named got dynamic updating working again, but new systems (ie names that are NOT already in the Zone file) are throwing errors about the journal file: error: journal open failed: unexpected error
>
> It seems like you still have a permissions error.
>
> Can the user that named is running as create new files in the directory where the zone is stored?
>
>> Is there a specific command to create the .jnl file? I thought named created it automatically as needed. (at least the named-journalprint man page indicates this…)
>
> I don't remember ever needing to manually create a journal (.jnl) file. I think that named always did it.
>
> Named will create, modify, and remove the journal file as needed. rndc freeze will sync the in memory zone contents to the journal file. rndc sync will sync the journal file to the main zone file. The -clean option to rndc sync will remove the journal file. -- Don't forget to rndc thaw a frozen zone to start allowing dynamic updates again.
>
> Beyond that, I've not needed to worry about the journal file or its contents.
>
> --
> Grant. . . .
> unix || die

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Re: Dynamic zone update problems, continued
I'm running it as named-chroot, and named has rw permissions at /var/named. This is the directory listing:

    [root@mydns named]# ls -l
    total 16
    drwxr-x---. 7 named named   61 Oct  9 13:30 chroot
    drwxrwx---. 2 named named  127 Feb 28 03:27 data
    drwxrwx---. 2 named named   60 Mar  4 13:57 dynamic
    drwxr-xr-x. 2 named named   31 Mar  2 13:46 log
    -rw-r-.     1 named named 2253 Sep  9 09:48 named.ca
    -rw-r-.     1 named named  152 Sep  9 09:48 named.empty
    -rw-r-.     1 named named  152 Sep  9 09:48 named.localhost
    -rw-r-.     1 named named  168 Sep  9 09:48 named.loopback
    drwxrwx---. 2 named named    6 Sep  9 09:47 slaves

On Mar 5, 2021, at 12:19 PM, Gregory Sloop <gr...@sloop.net> wrote:

> You may need to set permissions on not just the files, but the directory too.
> If it didn't have permissions to existing files, I suspect the parent directory doesn't allow that same user/group to create files either - so the jnl files don't get created.
>
> -Greg
>
> BJ> Fixing the permissions and restarting named got dynamic updating working again, but new systems (ie names that are NOT already in the Zone file) are throwing errors about the journal file: error: journal open failed: unexpected error
> BJ>
> BJ> Mar 5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM'
> BJ> Mar 5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM' A
> BJ> Mar 5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': adding an RR at 'dhbfswrkgrps1.DYN.Zone.COM' A 10.128.206.151
> BJ> Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM'
> BJ> Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM' A
> BJ> Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': adding an RR at 'NIC-COPIT.DYN.Zone.COM' A 128.196.45.228
> BJ> Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': error: journal open failed: unexpected error
> BJ>
> BJ> Is there a specific command to create the .jnl file? I thought named created it automatically as needed. (at least the named-journalprint man page indicates this…)

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Dynamic zone update problems, continued
Fixing the permissions and restarting named got dynamic updating working again, but new systems (ie names that are NOT already in the Zone file) are throwing errors about the journal file: error: journal open failed: unexpected error

    Mar 5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM'
    Mar 5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM' A
    Mar 5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': adding an RR at 'dhbfswrkgrps1.DYN.Zone.COM' A 10.128.206.151
    Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM'
    Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM' A
    Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': adding an RR at 'NIC-COPIT.DYN.Zone.COM' A 128.196.45.228
    Mar 5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': error: journal open failed: unexpected error

Is there a specific command to create the .jnl file? I thought named created it automatically as needed. (at least the named-journalprint man page indicates this…)

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Re: Zone set for dynamic updating isn't updating
Thanks, this should help.

On Mar 4, 2021, at 12:40 PM, Mark Andrews <ma...@isc.org> wrote:

> The permissions on the directory holding the zone file and journal need to allow named to create files. Named will recreate new versions of these as part of processing the dynamic update and move them into place once they are complete.
>
> If you are running Linux also see SELinux settings as they add additional constraints. Additionally, if you are running as root, named does not have permission to override file permissions root normally has.

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Zone set for dynamic updating isn't updating
We have one zone set for Active Directory to update dynamically that has stopped doing so. Someone manually updated the zone without doing a freeze/thaw and the host that was added wasn't properly resolving. What I found looking for a solution was to freeze the zone, delete the .jnl file, update the serial #, then thaw the zone. That got lookup working properly again, but now the zone is no longer updating.

I found a bunch of errors about permissions denied:

    Mar 2 14:00:30 example named[42659]: etc/DynZone.Hosts.jnl: create: permission denied

I created the file and chowned it to named but it hasn't been written to:

    -rw-r--r--. 1 root  root  108578 Feb 22 09:43 DynZone.Hosts
    -rw-rw-r--. 1 named named      0 Mar  2 14:01 DynZone.Hosts.jnl

I know that there have been new hosts added that should have been updated in that zone. It was working before the incident so I don't think it's a permissions issue, but I could well be wrong. Unfortunately I can't really find any info on what the permissions SHOULD be for the bind config and files.

Another clue that permissions are wrong is that any time I've tried to set up logging directives in named.conf, restarting it results in a failure due to permissions; but as I mentioned, it was working until recently.

This is the zone config in named.conf:

    zone "DynZone.com" {
        type master;
        file "etc/DynZone.Hosts";
        check-names ignore;
        allow-update {"trusted";};
    };

The trusted acl is a list of our (name) vlans, but checking the config syntax with named-checkconf -z shows all are properly loading, and the zone transfers after the manual update did work.

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
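Both threads above ("Dynamic zone update problems, continued" and "Zone set for dynamic updating isn't updating") end up at the same question Grant and Mark ask: can the user named runs as create files in the directory holding the zone? The journal lives beside the zone file as `<zonefile>.jnl`, and when named rewrites the zone it creates a new file in that directory and renames it into place, so directory write+search permission is required, not just a writable zone file. The preflight below is an added example for this page, not code from the thread or from ISC; it reasons from stat() mode bits only (so it ignores root, POSIX ACLs and capabilities, which is fine because named drops to `-u named`), and it deliberately cannot see SELinux, which is exactly what was left once the mode bits were right. The `demo_in_tempdir` helper, the scratch zone it writes and the `named` user in the usage line are assumptions for illustration.

```python
"""Preflight for a dynamically updated BIND zone: can the named user
actually create the journal?

Added example, not from the thread. named keeps a zone's journal as
<zonefile>.jnl next to the zone file, and when it rewrites the zone file it
creates a new file in the same directory and renames it into place. So the
user named runs as (-u named in the ps output above) needs write+search
permission on the directory, not merely write on the zone file, and an
existing .jnl must be readable and writable. This reasons from stat() mode
bits only: it ignores root, POSIX ACLs and capabilities (named drops
privileges anyway) and cannot see SELinux, which is the thing left to
check when the mode bits pass.
"""
import os
import stat
import tempfile


def perm_bits(st: os.stat_result, uid: int, gids, want: str) -> bool:
    """True if uid (member of gids) gets every bit in want ('r','w','x') from st."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    granted = (st.st_mode >> shift) & 0o7
    mask = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return granted & mask == mask


def journal_preflight(zone_path: str, uid: int, gids) -> list:
    """Return human-readable findings; an empty list means mode bits look fine."""
    findings = []
    zone_path = os.path.abspath(zone_path)
    zone_dir = os.path.dirname(zone_path)
    st_dir = os.stat(zone_dir)
    if not stat.S_ISDIR(st_dir.st_mode):
        return [f"{zone_dir}: not a directory"]
    if not perm_bits(st_dir, uid, gids, "wx"):
        findings.append(f"{zone_dir}: named user cannot create files here "
                        f"(mode {stat.filemode(st_dir.st_mode)}, owner uid {st_dir.st_uid}); "
                        "neither the .jnl nor the rewritten zone file can be created")
    if os.path.exists(zone_path):
        if not perm_bits(os.stat(zone_path), uid, gids, "r"):
            findings.append(f"{zone_path}: not readable by named user")
    else:
        findings.append(f"{zone_path}: zone file missing")
    jnl = zone_path + ".jnl"
    if os.path.exists(jnl):
        st_jnl = os.stat(jnl)
        if not perm_bits(st_jnl, uid, gids, "rw"):
            findings.append(f"{jnl}: exists but named user cannot read/write it "
                            f"(owner uid {st_jnl.st_uid})")
    return findings


SELINUX_HINT = (
    "Mode bits OK but still 'journal open failed' / 'create: permission denied' "
    "with SELinux enforcing? Look at 'ls -Z' on the directory and "
    "'ausearch -m avc -ts recent'. On RHEL-family policies named may write "
    "under /var/named/dynamic by default; writing master zones directly under "
    "/var/named needs 'setsebool -P named_write_master_zones on'."
)


def demo_in_tempdir(uid=None, gids=None) -> dict:
    """Run the check twice on a scratch zone: directory locked (r-x) and then
    opened (rwx). Uses the caller's uid/gid as the stand-in for 'named'."""
    uid = os.getuid() if uid is None else uid
    gids = [os.getgid()] if gids is None else gids
    with tempfile.TemporaryDirectory() as tmp:
        zone = os.path.join(tmp, "DynZone.Hosts")
        with open(zone, "w") as f:                # constructed minimal zone
            f.write("$TTL 1h\n@ IN SOA ns1 hostmaster 1 1h 15m 2w 1h\n")
        os.chmod(tmp, 0o500)                      # named could read, not create .jnl
        locked = journal_preflight(zone, uid, gids)
        os.chmod(tmp, 0o770)
        opened = journal_preflight(zone, uid, gids)
    return {"locked": locked, "opened": opened}


if __name__ == "__main__":
    import sys, pwd, grp
    if len(sys.argv) == 3:                        # usage: preflight.py <user> <zone file>
        pw = pwd.getpwnam(sys.argv[1])
        gids = [pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem]
        for line in journal_preflight(sys.argv[2], pw.pw_uid, gids) or ["mode bits OK"]:
            print(line)
        print(SELINUX_HINT)
    else:
        print(demo_in_tempdir())
```

Run it against the path of the zone file as seen from outside the chroot, e.g. `python3 preflight.py named /var/named/chroot/etc/DynZone.Hosts`; with no arguments it runs the locked/opened demonstration in a temporary directory. The point of the second branch is the one the thread makes: a hand-created, correctly owned `.jnl` does not help if named cannot also create the replacement zone file next to it.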
Possibly stupid Q
I am running bind in a chroot jail using the named-chroot package in CentOS 8. Looking at this page in the docs about logging, https://kb.isc.org/docs/aa-01526, the sample ones are set to:

    channel default_log {
        file "/var/named/log/default" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };

In named-chroot do these go to the actual system /var/named/log or does the named-chroot process put them in the /var/named/chroot/var directory?

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Re: BIND through COPR after CentOS
I'm evaluating Oracle Linux to replace CentOS right now for other uses, which Oracle pinky-swears will always be free (beer and speech); it's essentially another RHEL clone, with some additional stuff for Oracle in the repo. I think it'll end up replacing our CentOS 8 upgrade.

    Available Packages
    Name         : bind
    Epoch        : 32
    Version      : 9.11.20
    Release      : 5.el8
    Architecture : src
    Size         : 8.1 M
    Source       : None
    Repository   : ol8_baseos_latest
    Summary      : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
    URL          : http://www.isc.org/products/BIND/
    License      : MPLv2.0
    Description  : BIND (Berkeley Internet Name Domain) is an implementation of the DNS
                 : (Domain Name System) protocols. BIND includes a DNS server (named),
                 : which resolves host names to IP addresses; a resolver library
                 : (routines for applications to use when interfacing with DNS); and
                 : tools for verifying that the DNS server is operating properly.

On Dec 18, 2020, at 11:15 AM, John Thurston <john.thurs...@alaska.gov> wrote:

> We have been using the ISC COPR packages for BIND on CentOS. With the demise of CentOS, we (along with a few other people on the planet) need to consider where we will move our applications.
>
> We have been completely happy with the packages provided by ISC through COPR. Does anyone want to offer up other linux distributions on which they have had unqualified success with these same packages?
>
> --
> Do things because you should, not just because you can.
>
> John Thurston 907-465-8591
> john.thurs...@alaska.gov
> Department of Administration
> State of Alaska

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Re: Serial number question..
Thanks, that worked perfectly!

> On Dec 17, 2020, at 12:02 PM, Reindl Harald wrote:
>
> On 17.12.20 at 19:56, Bruce Johnson wrote:
>> Someone updated our name server and messed up the serial number on the primary; as a result our secondaries are not updating properly.
>>
>> Primary:
>>
>>     bruces-Mac-Mini:~ johnson$ dig @elixir.pharmacy.arizona.edu -t SOA +noall +answer pharmacy.arizona.edu
>>     pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. wunz.elixir.pharmacy.arizona.edu. 1297117089 3600 120 1209600 86400
>>
>> Secondaries:
>>
>>     bruces-Mac-Mini:~ johnson$ dig @dhbns1.pharmacy.arizona.edu -t SOA +noall +answer pharmacy.arizona.edu
>>     pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. wunz.elixir.pharmacy.arizona.edu. 1762233707 3600 120 1209600 86400
>>
>>     bruces-Mac-Mini:~ johnson$ dig @ns-remote.arizona.edu -t SOA +noall +answer pharmacy.arizona.edu
>>     pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. wunz.elixir.pharmacy.arizona.edu. 1762233707 3600 120 1209600 86400
>>
>> Is the fix here just setting the serial number on the primary to 1762233708? The various things online I've found are all based on "you accidentally set the primary more than 2^32 ahead" so you have to do a bunch of modulo arithmetic...
>
> just set it *higher* on the master and you are done

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
Serial number question..
Someone updated our name server and messed up the serial number on the primary; as a result our secondaries are not updating properly.

Primary:

    bruces-Mac-Mini:~ johnson$ dig @elixir.pharmacy.arizona.edu -t SOA +noall +answer pharmacy.arizona.edu
    pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. wunz.elixir.pharmacy.arizona.edu. 1297117089 3600 120 1209600 86400

Secondaries:

    bruces-Mac-Mini:~ johnson$ dig @dhbns1.pharmacy.arizona.edu -t SOA +noall +answer pharmacy.arizona.edu
    pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. wunz.elixir.pharmacy.arizona.edu. 1762233707 3600 120 1209600 86400

    bruces-Mac-Mini:~ johnson$ dig @ns-remote.arizona.edu -t SOA +noall +answer pharmacy.arizona.edu
    pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. wunz.elixir.pharmacy.arizona.edu. 1762233707 3600 120 1209600 86400

Is the fix here just setting the serial number on the primary to 1762233708? The various things online I've found are all based on "you accidentally set the primary more than 2^32 ahead" so you have to do a bunch of modulo arithmetic...

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
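The "Serial number question" thread and Reindl's one-line answer above rest on RFC 1982 serial arithmetic: a secondary transfers only when the primary's serial is "greater" than its own, where greater means the difference modulo 2^32 is between 1 and 2^31-1. That is why simply publishing a serial above the secondaries' 1762233707 works here, and why the modulo dance is only needed when you want to land on a specific *lower* serial (for instance, returning to a date-based scheme after someone pushed out a huge value): each intermediate hop advances by at most 2^31-1 and must reach every secondary before the next. The code below is an added example for this page, not from the thread or from ISC; the two SOA lines it embeds reproduce the shape and values shown in the post, and `plan_serial_steps` is a helper written here.

```python
"""RFC 1982 serial-number arithmetic for SOA serials.

Added example, not from the thread. A secondary only transfers a zone when
the primary's serial is "greater" than its own under RFC 1982 rules: the
comparison is modulo 2^32 and only a forward distance of 1..2^31-1 counts
as greater. parse_soa_serial() pulls the serial out of a dig +noall +answer
SOA line like the ones in the post; plan_serial_steps() returns the serials
to publish, in order, to move the secondaries from their current serial to
a desired one (one step when just bumping past them, extra 2^31-1 hops
when the target is numerically lower).
"""
SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b (RFC 1982 section 3.2)."""
    d = (a - b) % SERIAL_MOD
    return 0 < d < SERIAL_HALF        # d == 2^31 is undefined; treat as not newer


def parse_soa_serial(answer_line: str) -> int:
    """Extract the serial from 'name TTL IN SOA mname rname serial ...'."""
    fields = answer_line.split()
    idx = fields.index("SOA")
    return int(fields[idx + 3])


def plan_serial_steps(current_on_secondaries: int, desired: int) -> list:
    """Serials to publish, in order, so every secondary ends at `desired`.

    Each step must have reached all secondaries (NOTIFY or refresh) before
    the next one is published, otherwise a lagging secondary is stranded."""
    if not 0 <= desired < SERIAL_MOD:
        raise ValueError("serial must be a 32-bit unsigned integer")
    if desired == current_on_secondaries:
        raise ValueError("desired serial equals the current one")
    steps, cur = [], current_on_secondaries
    while not serial_gt(desired, cur):
        cur = (cur + SERIAL_HALF - 1) % SERIAL_MOD   # largest jump still "greater"
        steps.append(cur)
    steps.append(desired)
    return steps


# Sample dig output in the same shape as the post's: the secondaries hold a
# serial that is ahead of the primary's.
PRIMARY_SOA = ("pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. "
               "wunz.elixir.pharmacy.arizona.edu. 1297117089 3600 120 1209600 86400")
SECONDARY_SOA = ("pharmacy.arizona.edu. 86404 IN SOA elixir.pharmacy.arizona.edu. "
                 "wunz.elixir.pharmacy.arizona.edu. 1762233707 3600 120 1209600 86400")


def secondaries_will_transfer(primary_line: str, secondary_line: str) -> bool:
    """Would a secondary at secondary_line pull the zone from primary_line?"""
    return serial_gt(parse_soa_serial(primary_line), parse_soa_serial(secondary_line))


if __name__ == "__main__":
    s = parse_soa_serial(SECONDARY_SOA)
    print("transfer with current primary serial:",
          secondaries_will_transfer(PRIMARY_SOA, SECONDARY_SOA))
    print("bump past the secondaries:", plan_serial_steps(s, s + 1))
    print("get back down to 2020121701:", plan_serial_steps(4000000000, 2020121701))
```

The last line of the demonstration is the case the online write-ups describe: from 4000000000 you cannot go straight to 2020121701 (the secondaries would see it as older), so the plan is 1852516351 first, wait for every secondary to take it, then 2020121701. Check each hop the same way as in the post, with `dig @<secondary> -t SOA +noall +answer <zone>`.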
Re: Testing a new master server...
On Nov 18, 2020, at 11:26 PM, John W. Blue via bind-users <bind-users@lists.isc.org> wrote:

> Hello Bruce!
>
> For opening comments .. I have nothing but empathy for you and the firefight you are in. "Intuitional inertia" is never enjoyable, especially when you are the one tasked with change.
>
> So you indicated "upstream network management" is sending DNS/DHCP traffic but then you say that it is from your vLAN's. That does not make sense. It feels like what you meant to say is that you have a bunch of zones and there is a ton of traffic (DNS/DHCP) being sent from your vLAN's *and* you need to coordinate any changes with "upstream network management".
>
> The reason why I bring this up is because (without extra data points) it feels like you are attempting to replace an old bandaid with a new one hoping that will resolve user angst.

I am probably explaining this poorly. Our college has units in 5 different buildings on two campuses in different cities. The University network has set up VLANs in those buildings on the larger network that they control, and we provide DNS/DHCP/Windows Domain service on those VLANs, so when a DHCP request comes from one of them it is directed to this server. The server itself resides on a VLAN that is tied to one port from the switch, and if it is moved to a different port (which it now has to be, since it's now going to be virtualized) that is not under our control but the main campus network management's, so that needs to be coordinated.

> Some things to think about as a sanity check:
>
> If the current configuration is so easy to break, do you really want to keep administrating a design that is doing that?

It isn't 'easy to break', it's that I am a neophyte at setting this up. We've really had zero issues with DNS/DHCP with the current setup, but I wasn't the one doing the configuring. As I said, I'm probably overthinking what can go wrong. The previous person who did this told me "Just copy all the configuration files over to the new box, give it the right IP address and you're good".

> What change management processes are in place when OS patches need to be applied or there is DNS/DHCP maintenance to be done?
>
> Does this server face the open Internet or is it exclusively an RFC1918 box?

It faces the open internet. We have a mix of public and private zones.

> If one server is responsible for both DNS/DHCP for everything would it make more sense to split the roles out?

That's probably a very good idea; that it hasn't been done before now is because this setup has worked reliably for decades, and we pretty much proceeded on the "it ain't broke, so let's not fix it" basis. Then the people who had done this retired or moved to other jobs, I'm now the "*nix 'Expert'", and now it's old enough that we have to deal with replacing it in an orderly fashion rather than an emergency one.

> Assuming there is currently one RFC1918 server for everything, my thoughts (at a very high level) would be to redesign the environment to start using a hidden primary. Next, stand up two DNS servers as secondaries (configured with 'allow-update-forwarding') each running DHCP to take advantage of "auto partner down". With a hidden primary there is now a single source of truth on the network that is being dynamically updated by the secondaries. When it comes time for maintenance, rebooting or taking one of the secondary servers offline will not kill off the services for the users. When it is time to apply patches to the hidden primary, do that after hours.
>
> "allow-update-forwarding" is real-time forwarding, not store and forward.
>
> To address your question about "allow-transfer" and "allow-update", I don't think those are as important as disabling "also-notify".

Thanks for these tips, this makes me feel a lot more confident that I'm on the right track.

> Regardless, I do hope your migration goes smoothly!
>
> John
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bruce Johnson
> Sent: Wednesday, November 18, 2020 11:35 AM
> To: bind-users@lists.isc.org
> Subject: Testing a new master server...
>
> I'm in the process of migrating our master DNS server from an ancient system (it's running RHEL4.0) to a modern system. This kind of fell in my lap; I'm familiar with adding host assignments and such but managing the server itself in the past is pretty much relegated to 'service named reload' and finding the newly introduced typo in the hosts or zone file if it fails...
>
> It's a mildly complicated setup with a bunch of zones (including a big one that is dynamically updated) and more pressingly I will need to coordinate with upstream network management that sends DNS and dhcp requests from our VLAN's to the specific switch port it is on when we do the cutover,
Testing a new master server...
I'm in the process of migrating our master DNS server from an ancient system (it's running RHEL4.0) to a modern system. This kind of fell in my lap; I'm familiar with adding host assignments and such but managing the server itself in the past is pretty much relegated to 'service named reload' and finding the newly introduced typo in the hosts or zone file if it fails...

It's a mildly complicated setup with a bunch of zones (including a big one that is dynamically updated) and more pressingly I will need to coordinate with upstream network management that sends DNS and DHCP requests from our VLANs to the specific switch port it is on when we do the cutover, then change the IP address on the new server so that it responds as the old master, so if I can be sure it'll work I'll have fewer main campus network managers annoyed with me and many fewer end users with torches and pitchforks at my door for breaking everything...

I've made some changes to the configuration (mostly removing zones and address assignments that are no longer valid) and I'd like to bring it up for testing so I know it's working before we do the cutover to production.

If I comment out the allow-transfer directive so it does not divert requests to our 'real' secondary servers and the allow-update for the dynamically updated zone, I think I should be able to bring it up in a master server role (on a different IP address) without it interfering with our real one, as the only clients that would actually talk to it would be ones that specify that IP address for resolution.

Am I missing something or overcomplicating things?

--
Bruce Johnson, University of Arizona College of Pharmacy, Information Technology Group
Institutions do not have opinions, merely customs
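The question in the post above, and John's reply that the setting to worry about is NOTIFY rather than `allow-transfer`, come down to which direction each option acts in. `allow-transfer` only restricts who may pull an AXFR/IXFR from this server; it never pushes anything out. What would actually reach the production secondaries is NOTIFY, which named sends to the zone's NS records (and any `also-notify` targets) after loading or changing a zone, and the copied zones still list the real NS hosts. The fragment below is an added illustration of an isolated test instance, not configuration from the thread or from ISC; the test address 192.0.2.53 is an assumption, and the zone stanza reuses the `DynZone.com` / `etc/DynZone.Hosts` names shown earlier on this page.

```conf
// Test copy of the primary, isolated from production.
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };       // assumed test address; never the production IP
    listen-on-v6 { none; };
    notify no;                       // do not NOTIFY the real secondaries (NS records
                                     // and also-notify targets) when zones load
    allow-transfer { none; };        // nobody may pull zones from the test copy
    recursion no;
};

zone "DynZone.com" {
    type master;
    file "etc/DynZone.Hosts";
    check-names ignore;
    allow-update { none; };          // read-only while testing; restore the
                                     // "trusted" ACL at cutover
};
```

Before starting it, `named-checkconf -z /etc/named.conf` loads every zone and reports syntax or file problems; afterwards `dig @192.0.2.53 DynZone.com SOA +norecurse` should answer from the copy while the same query against a production secondary keeps returning the production serial. Note this covers DNS only; the DHCP side of the server needs its own plan, and `notify`, `allow-transfer` and `allow-update` all have to be put back when the copy takes over the old address.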