How can I set the interface used to transfer zones?

2012-07-05 Thread Carlos Ribas
Hello All,

I'm getting messages like this in the log of my slave:

05-Jul-2012 08:32:48.395 general: info: zone example.com/IN/external:
refresh: retry limit for master 143.X.X.X#53 exceeded (source 0.0.0.0#0)
05-Jul-2012 08:33:47.860 general: info: zone example.com/IN/internal:
refresh: retry limit for master 143.X.X.X#53 exceeded (source 0.0.0.0#0)

I have two slaves. One needs to connect to the master using its private IP and
the other using its public IP. In the example above, the slave must receive
zones from the master's private IP instead of the public one. Is it possible
to configure my slave to receive zones using a specific interface of the
master?

Regards,

-
Carlos Eduardo Ribas
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Carlos Ribas
Hi,

Yes. That's the problem. I have this statement defined, but it still
tries to connect using the wrong IP. Any ideas?

Regards,

-
Carlos Eduardo Ribas



2012/7/5 Jan-Piet Mens jpmens@gmail.com

  Is it possible to configure my slave to receive zones using a
  specific interface of the master?

 Your slave's zone stanza looks like this:

 zone "example.net" {
     type slave;
     file "...";
     masters { 10.1.1.1; };
 };

 The `masters' statement defines the address of the master server, so you
 specify the private IP address of your master here.

 -JP


Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Carlos Ribas
I tried transfer-source before, but this is what happened:

05-Jul-2012 11:04:53.550 general: info: zone example.com/IN/internal:
refresh: retry limit for master 143.X.X.X#53 exceeded (source 10.0.1.3#0)

Maybe I'm doing something wrong, but this only tells the slave to use its
private IP; it still tries to use the master's public IP. This is my
configuration:

Slave (10.0.1.3)
options {
    auth-nxdomain no;    # conform to RFC1035
    version "Not Available";
    allow-notify { 10.0.1.24; }; # Master
    transfer-source 10.0.1.3;
    allow-transfer { none; };
    notify no;
    dnssec-enable yes;
    dnssec-validation yes;
};

view "internal" {
    match-clients { key internal; !allviewkeys; local; };
    server 10.0.1.24 { keys internal; };
    allow-query { local; };
    allow-query-cache { local; };
    recursion yes;

    Zones...
};


Master (10.0.1.24)
view "internal" {
    match-clients { key internal; !allviewkeys; local; };
    server 10.0.1.3 { keys internal; };
    allow-query { local; };
    allow-query-cache { local; };
    allow-transfer { 10.0.1.3; };
    allow-recursion { local; };
    zone-statistics yes;

    Zones...
};

Any help?

-
Carlos Eduardo Ribas




2012/7/5 Jan-Piet Mens jpmens@gmail.com

  Yes. That's the problem. I have this statement defined, but it still
  tries to connect using the wrong IP. Any ideas?

 I misunderstood then. Try `transfer-source'.

 -JP


Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Carlos Ribas
I did not write it, but I have it. For example:

  zone "10.in-addr.arpa" {
      type slave;
      file "db2.10";
      masters { 10.0.1.24; };
  };

That's really odd...

-
Carlos Eduardo Ribas




2012/7/5 Phil Mayers p.may...@imperial.ac.uk

 On 05/07/12 15:34, Carlos Ribas wrote:

 I tried transfer-source before, but this is what happened:


 You still need to set masters { 10.x.x.x; }; on the zone.

 Transfer source controls the source IP. Masters controls the destination
 IP.


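The log lines quoted in this thread carry two addresses: the one after "retry limit for master" is the destination the slave is trying, chosen by the zone's `masters {}` statement, and the one after "source" is the local address chosen by `transfer-source` (`0.0.0.0#0` when it is unset and the kernel picks). The following is an added example, not code from the thread or from ISC: it parses such named log lines and checks each failing master against the address the slave's zone stanza is supposed to use, flagging the combination Phil describes (source pinned to a private address while the destination is still a public master). The sample lines are constructed for this example (203.0.113.10 stands in for the anonymised 143.X.X.X) and `EXPECTED_MASTERS` is an assumed mapping of what the slave's configuration says.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Shape of the named "general" log lines quoted in the thread:
#   zone example.com/IN/external: refresh: retry limit for master
#   143.X.X.X#53 exceeded (source 0.0.0.0#0)
REFRESH_FAIL = re.compile(
    r"zone (?P<zone>\S+)/IN/(?P<view>[^:]+): refresh: retry limit for master "
    r"(?P<master>[0-9A-Fa-f.:]+)#(?P<mport>\d+) exceeded "
    r"\(source (?P<source>[0-9A-Fa-f.:]+)#(?P<sport>\d+)\)"
)

# "Private" here means RFC 1918 space, the sense used in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (not from the original post): 203.0.113.10 stands in
# for the anonymised public master address 143.X.X.X.
SAMPLE_LOG = [
    "05-Jul-2012 08:32:48.395 general: info: zone example.com/IN/external: "
    "refresh: retry limit for master 203.0.113.10#53 exceeded (source 0.0.0.0#0)",
    "05-Jul-2012 11:04:53.550 general: info: zone example.com/IN/internal: "
    "refresh: retry limit for master 203.0.113.10#53 exceeded (source 10.0.1.3#0)",
    "05-Jul-2012 11:05:01.000 general: info: zone example.com/IN/internal: "
    "transferred serial 2012070501",
]

# Assumed: the master each (zone, view) on the slave is configured to use.
EXPECTED_MASTERS: Dict[Tuple[str, str], str] = {
    ("example.com", "internal"): "10.0.1.24",
    ("example.com", "external"): "203.0.113.10",
}


def is_rfc1918(addr) -> bool:
    return any(addr in net for net in RFC1918)


def parse_refresh_failure(line: str) -> Optional[Dict[str, object]]:
    """Extract zone, view, master and source from one refresh-failure line."""
    m = REFRESH_FAIL.search(line)
    if m is None:
        return None
    master = ipaddress.ip_address(m["master"])
    source = ipaddress.ip_address(m["source"])
    return {
        "zone": m["zone"],
        "view": m["view"],
        "master": str(master),
        # 0.0.0.0#0 means no transfer-source is set: the kernel picks the source.
        "source": None if source.is_unspecified else str(source),
        # transfer-source pinned the local side to a private address, but the
        # destination is still a public master: masters {} was not changed.
        "private_source_public_master": (
            not source.is_unspecified and is_rfc1918(source) and not is_rfc1918(master)),
    }


def audit_refresh_log(lines: List[str],
                      expected: Dict[Tuple[str, str], str]) -> List[Dict[str, object]]:
    """Parse every failure line and flag masters that differ from the configured one."""
    findings = []
    for line in lines:
        rec = parse_refresh_failure(line)
        if rec is None:
            continue
        want = expected.get((rec["zone"], rec["view"]))
        rec["unexpected_master"] = want is not None and want != rec["master"]
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for finding in audit_refresh_log(SAMPLE_LOG, EXPECTED_MASTERS):
        print(finding)
```

Run against the real slave with `audit_refresh_log(open("/var/log/named.log"), ...)`; a record with `unexpected_master` set means the zone stanza in the view that logged the failure still names the other address.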

Re: How can I set the interface used to transfer zones?

2012-07-05 Thread Carlos Ribas
Yes. This is the acl:

acl local { 10.0.1.0/24; 127.0.0.1; };

Thanks,

-
Carlos Eduardo Ribas



2012/7/5 Jan-Piet Mens jpmens@gmail.com

  That's really odd...

 I note that on the master zone you have

   allow-query { local; };

 Does local contain the slave's address?  It must be allowed to query
 the SOA record of the zone to transfer.

 -JP


Zone transfer using TSIG

2012-04-19 Thread Carlos Ribas
Hello all,

I have a server that is authoritative for my domain and is secondary for
four different domains. What is the best way to receive the zones from the
masters using TSIG? Can I have something like this inside a view statement?

server 10.0.1.1 { keys hostA-myserver; };
server 10.0.1.2 { keys hostB-myserver; };
server 10.0.1.3 { keys hostC-myserver; };
server 10.0.1.4 { keys hostD-myserver; };

Best regards,

-
Carlos Eduardo Ribas

Re: testing validation

2012-04-18 Thread Carlos Ribas
Hello,

Is your recursive resolver also authoritative for raindrop.us? If so,
you will not get the ad flag. You can test with the DNS-OARC resolver [1]:

# dig +dnssec +multiline @149.20.64.20 raindrop.us

; <<>> DiG 9.7.3 <<>> +dnssec +multiline @149.20.64.20 raindrop.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28120
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;raindrop.us.           IN A

;; ANSWER SECTION:
raindrop.us.            3600 IN A 199.26.172.34
raindrop.us.            3600 IN RRSIG A 5 2 3600 20120512011136 (
                                20120412010327 41190 raindrop.us.
                                kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtD
                                lTDfsk+2pPZ/XwKj1k2jIYButqXximUjHOHQHK1bSru7
                                V8DkkN7JF/wozTOiGCs777sOs90jKmaHIIMSTbNcQgtD
                                ySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5SVBY= )

;; Query time: 787 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Wed Apr 18 14:39:45 2012
;; MSG SIZE  rcvd: 227

It's working fine.

[1] - https://www.dns-oarc.net/oarc/services/odvr


Best regards,

-
Carlos Eduardo Ribas



2012/4/18 Alan Batie a...@peak.org

 I'm testing out DNSSEC with BIND 9.9.0's auto signing and a test domain;
 this appears to be working (see below, RRSIG records returned from the
 actual nameserver), however an attempt to validate fails with:

 # dig +dnssec +sigchase soa raindrop.us
 ;; RRset to chase:
 raindrop.us.            987 IN SOA ns1.raindrop.us. hostmaster.rdrop.com. 2012030815 3600 3600 86400 3600



 Launch a query to find a RRset of type RRSIG for zone: raindrop.us.

 ;; RRSIG is missing for continue validation: FAILED


 I have this included in the resolver's named.conf:

 managed-keys {
     . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                            FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                            bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                            X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                            W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                            Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                            QxA+Uk1ihz0=";
 };

 per https://calomel.org/dns_bind.html

 When I simply try to validate the root:

 # dig +dnssec +sigchase .
 ;; NO ANSWERS: no more
 We want to prove the non-existence of a type of rdata 1 or of the zone:
 there is no NSEC for this zone: validating that the zone doesn't exist

 ;; Impossible to verify the Non-existence, the NSEC RRset can't be
 validated: FAILED

 I'm not sure what to look for now...



 # dig +dnssec @ns6.peak.org raindrop.us

 ; <<>> DiG 9.9.0 <<>> +dnssec @ns6.peak.org raindrop.us
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15953
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
 ;; WARNING: recursion requested but not available

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags: do; udp: 4096
 ;; QUESTION SECTION:
 ;raindrop.us.                   IN      A

 ;; ANSWER SECTION:
 raindrop.us.            3600    IN      A       199.26.172.34
 raindrop.us.            3600    IN      RRSIG   A 5 2 3600 20120512011136 20120412010327 41190 raindrop.us. kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtDlTDfsk+2pPZ/ XwKj1k2jIYButqXximUjHOHQHK1bSru7V8DkkN7JF/wozTOiGCs777sO s90jKmaHIIMSTbNcQgtDySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5S VBY=

 ;; AUTHORITY SECTION:
 raindrop.us.            3600    IN      NS      ns1.raindrop.us.
 raindrop.us.            3600    IN      RRSIG   NS 5 2 3600 20120512011136 20120412010327 41190 raindrop.us. UQxIRpKV+b4opfCJx/j4oIFht8nqxpn1g0siOLI2XkxfVrnXHh17/ChT X6PH5YOrF7D3v7AUMbVo+o8glSUfk1uML8i3C8H5lD/NmujPPrIqFaO/ 6zCJen1q34FVunCoqfrYvYlaKHenFGsrpOl61H75ns0IjLMXSs+TRpIY GTs=

 ;; ADDITIONAL SECTION:
 ns1.raindrop.us.        3600    IN      AAAA    2607:f678::56
 ns1.raindrop.us.        3600    IN      RRSIG   AAAA 5 3 3600 20120512011136 20120412010327 41190 raindrop.us. MhaOIt7D7kT8k4USk9Mpocw+tSx8WBSO/Yi+4F/YFV1ZVSXLKgYj4K4S hTjVTBD3tCQYMJY+SkArlkoQRyTk4QYrLV8CP2TvvdrUPjZUZNAEMsuk 0NWsd2tLgStZ34yN0Pe1xa9P2SZjvsXJj1D1N5JNFxfS/OFCwMa9Hvcr atM=

 ;; Query time: 253 msec
 ;; SERVER: 2607:f678:10::53#53(2607:f678:10::53)
 ;; WHEN: Tue Apr 17 23:29:08 2012
 ;; MSG SIZE  rcvd: 615





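The two dig outputs in this thread differ in exactly the way the reply describes: the authoritative server answers with `aa` set and no `ad`, while the validating resolver answers with `ad`; both carry RRSIGs whose validity window (inception 20120412010327, expiration 20120512011136) is the next thing to check when validation stops working. The following is an added example, not code from the thread or from ISC: it reads a dig answer, classifies it by header flags, and parses the RRSIG records (in both the one-line and `+multiline` presentation) to report any signature that is outside its window at a given time. The sample answers are constructed for this example from the two responses quoted above, trimmed and re-spaced.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Set

RRSIG_TIME = "%Y%m%d%H%M%S"  # RFC 4034 presentation format, always UTC


def rrsig_time(text: str) -> datetime:
    """Parse an RRSIG inception/expiration field into an aware UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME).replace(tzinfo=timezone.utc)


def _records(dig_output: str) -> List[List[str]]:
    """Tokenise answer lines, folding dig +multiline '( ... )' continuations into one record."""
    recs: List[List[str]] = []
    cur: List[str] = []
    depth = 0
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # header, comments, question section
            continue
        for tok in line.split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                cur.append(tok)
        if depth == 0 and cur:
            recs.append(cur)
            cur = []
    return recs


def parse_flags(dig_output: str) -> Set[str]:
    """Header flags from the ';; flags: ...;' line (qr, aa, rd, ra, ad, cd)."""
    m = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    return set(m.group(1).split()) if m else set()


def parse_rrsigs(dig_output: str) -> List[Dict[str, object]]:
    """RRSIG rdata: type alg labels origttl expiration inception keytag signer signature."""
    sigs = []
    for t in _records(dig_output):
        if len(t) < 12 or t[3] != "RRSIG":
            continue
        sigs.append({
            "owner": t[0], "type_covered": t[4], "algorithm": int(t[5]),
            "labels": int(t[6]), "original_ttl": int(t[7]),
            "expiration": rrsig_time(t[8]), "inception": rrsig_time(t[9]),
            "key_tag": int(t[10]), "signer": t[11], "signature": "".join(t[12:]),
        })
    return sigs


def assess(dig_output: str, now: datetime) -> Dict[str, object]:
    """Who answered, whether a validator vouched for it, and which RRSIGs are outside their window."""
    flags = parse_flags(dig_output)
    sigs = parse_rrsigs(dig_output)
    return {
        "authoritative": "aa" in flags,  # served from the zone itself; never carries ad
        "validated": "ad" in flags,      # set only by a validating resolver
        "signed": bool(sigs),
        "expired_or_not_yet_valid": [
            s["type_covered"] for s in sigs
            if not (s["inception"] <= now <= s["expiration"])],
    }


# Constructed from the two answers quoted in the thread (trimmed, re-spaced).
RECURSIVE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28120
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;raindrop.us.                   IN A

;; ANSWER SECTION:
raindrop.us.            3600 IN A 199.26.172.34
raindrop.us.            3600 IN RRSIG A 5 2 3600 20120512011136 (
                                20120412010327 41190 raindrop.us.
                                kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtD
                                lTDfsk+2pPZ/XwKj1k2jIYButqXximUjHOHQHK1bSru7
                                V8DkkN7JF/wozTOiGCs777sOs90jKmaHIIMSTbNcQgtD
                                ySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5SVBY= )
"""

AUTHORITATIVE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15953
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; ANSWER SECTION:
raindrop.us.            3600    IN      A       199.26.172.34
raindrop.us.            3600    IN      RRSIG   A 5 2 3600 20120512011136 20120412010327 41190 raindrop.us. kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtDlTDfsk+2pPZ/XwKj1k2jIYButqXximUjHOHQHK1bSru7V8DkkN7JF/wozTOiGCs777sOs90jKmaHIIMSTbNcQgtDySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5SVBY=
"""

if __name__ == "__main__":
    print(assess(RECURSIVE_ANSWER, rrsig_time("20120418143945")))
```

Feed it `dig +dnssec +multiline @resolver name` output from your own resolver: `signed` without `validated` on a recursive answer points at the trust anchor or the chain, while a non-empty `expired_or_not_yet_valid` list means the zone needs re-signing before any resolver will set `ad`.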

Re: testing validation

2012-04-18 Thread Carlos Ribas
Because this IP has dnssec enabled and raindrop.us is signed :-)

Regards,

-
Carlos Eduardo Ribas



2012/4/18 Alan Batie a...@peak.org

 On 4/18/12 10:46 AM, Carlos Ribas wrote:

  Is your recursive resolver also authoritative for raindrop.us?
  If so, you will not get the ad flag. You can
  test with DNS-OARC resolver [1]:
 
  # dig +dnssec +multiline @149.20.64.20 raindrop.us

 Why would 149.20.64.20 return ad then?  It's not authoritative either...



Doubt about RFC1918 response from Internet

2012-04-05 Thread Carlos Ribas
Hello,

I'm sending this message to see if I understood the meaning of the "RFC
1918 response from Internet" log messages. I read the BIND FAQ [1], but
I have to be honest and say that I'm a little bit confused, since English is
not my first language.

I'm using BIND 9.7.3 on a Debian server. It has a file named
zones.rfc1918 [2] that is enabled. I just took out the line referring to the
10.0.0.0 network because I'm using it in my organization. I have the
reverse configured for my network, e.g. 1.0.10.in-addr.arpa, but I don't have
the reverse for the rest of this network.

If, by mistake or not, a client asks for an address in the 10.0.2.0
network, my server will query the Internet's name servers for this
address since I don't have it configured, and then I will receive log messages
about it [3]. Is that correct?

[1] - http://www.bind9.net/BIND-FAQ

[2] - zones.rfc1918 file:
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

[3] Message logs:
04-Apr-2012 18:15:25.099 security: client 10.0.1.13#47738: view internal:
RFC 1918 response from Internet for 50.2.0.10.in-addr.arpa
04-Apr-2012 18:21:09.245 security: client 10.0.1.13#42000: view internal:
RFC 1918 response from Internet for 50.2.0.10.in-addr.arpa


Best regards,

-
Carlos Eduardo Ribas

Re: Doubt about RFC1918 response from Internet

2012-04-05 Thread Carlos Ribas
Hello,

Thanks for your response. OK, now I understand what happened. I created
the 10.in-addr.arpa file and now I'm authoritative for the whole 10/8 reverse
address space. I believe I will not query the Internet's name servers for
these addresses anymore.

Best regards,

-
Carlos Eduardo Ribas



2012/4/5 Mark Andrews ma...@isc.org


 In message 
 cagdn3fe22-rh0gcp3soym5d2snykex7_m7fdhj_kde00y9u...@mail.gmail.com
 , Carlos Ribas writes:
  Hello,
 
  I'm sending this message to see if I understood the meaning of the "RFC
  1918 response from Internet" log messages. I read the BIND FAQ [1], but
  I have to be honest and say that I'm a little bit confused, since English
  is not my first language.
 
  I'm using BIND 9.7.3 on a Debian server. It has a file named
  zones.rfc1918 [2] that is enabled. I just took out the line referring to
  the 10.0.0.0 network because I'm using it in my organization. I have the
  reverse configured for my network, e.g. 1.0.10.in-addr.arpa, but I don't
  have the reverse for the rest of this network.

 Add a 10.in-addr.arpa zone to your configuration that delegates
 1.0.10.in-addr.arpa.  This will catch any leaks.

 $TTL 3600
 @   SOA ns1.example.net. hostmaster.example.net. 1 3600 1200 2419200 3600
 @   NS  ns1.example.net.
 @   NS  ns2.example.net.
 1.0 NS  ns1.example.net.
 1.0 NS  ns2.example.net.

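Mark's point is that a 1.0.10.in-addr.arpa zone on its own leaves the rest of 10/8 to be looked up on the Internet, and that an enclosing 10.in-addr.arpa zone which delegates 1.0.10.in-addr.arpa stops the leak. The following is an added example, not code from the thread or from ISC: it scans a named.conf fragment for RFC 1918 reverse zones that no configured zone (or enclosing parent zone) covers, and builds the catch-all zone file Mark sketches, refusing names without a trailing dot because those would silently have the zone origin appended. The configuration text is constructed for this example from the zones.rfc1918 list quoted above (with the 10.0.0.0 line removed, as described) plus the 1.0.10.in-addr.arpa zone; the nameserver and hostmaster names are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Set

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches  zone "16.172.in-addr.arpa" {  as well as the unquoted form.
ZONE_STMT = re.compile(r'\bzone\s+"?([0-9A-Za-z.\-]+)"?\s*\{')


def configured_zones(named_conf: str) -> Set[str]:
    """Zone names declared in a named.conf fragment, lower-cased, without trailing dot."""
    return {z.lower().rstrip(".") for z in ZONE_STMT.findall(named_conf)}


def reverse_zone_name(net: ipaddress.IPv4Network) -> str:
    """in-addr.arpa name for an octet-aligned network (/8, /16 or /24)."""
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def uncovered_rfc1918_reverse(named_conf: str) -> List[str]:
    """Octet-aligned RFC 1918 reverse zones that neither a zone of that name nor a
    parent zone serves locally. 172.16/12 is not octet-aligned, so it is checked
    as sixteen /16 zones, which is how zones.rfc1918 lists it."""
    zones = configured_zones(named_conf)
    missing = []
    for block in RFC1918:
        prefix = 8 * ((block.prefixlen + 7) // 8)
        for sub in block.subnets(new_prefix=prefix):
            name = reverse_zone_name(sub)
            covered = any(name == z or name.endswith("." + z) for z in zones)
            if not covered:
                missing.append(name)
    return missing


def catchall_zone_file(nameservers: List[str], hostmaster: str,
                       delegations: Dict[str, List[str]]) -> str:
    """Zone file for an empty enclosing reverse zone that delegates the sub-zones in use.
    Every name must be absolute, otherwise the zone origin gets appended to it."""
    names = [hostmaster, *nameservers, *(ns for v in delegations.values() for ns in v)]
    for name in names:
        if not name.endswith("."):
            raise ValueError(f"{name!r} must end with a dot")
    lines = ["$TTL 3600",
             f"@\tSOA\t{nameservers[0]} {hostmaster} 1 3600 1200 2419200 3600"]
    lines += [f"@\tNS\t{ns}" for ns in nameservers]
    for label, servers in delegations.items():
        lines += [f"{label}\tNS\t{ns}" for ns in servers]
    return "\n".join(lines) + "\n"


# Constructed named.conf fragment: Debian's zones.rfc1918 with the 10.0.0.0 line
# removed, plus the site's own 1.0.10.in-addr.arpa zone (as in the original post).
SITE_CONF = "\n".join(
    [f'zone "{i}.172.in-addr.arpa"  {{ type master; file "/etc/bind/db.empty"; }};'
     for i in range(16, 32)]
    + ['zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };',
       'zone "1.0.10.in-addr.arpa" { type master; file "/var/named/db.10_0_1"; };']
) + "\n"

# Mark's fix: an enclosing 10/8 zone (file name assumed) that delegates 1.0.10.
FIXED_CONF = SITE_CONF + 'zone "10.in-addr.arpa" { type master; file "/var/named/db.10"; };\n'

if __name__ == "__main__":
    print("leaks before:", uncovered_rfc1918_reverse(SITE_CONF))
    print("leaks after: ", uncovered_rfc1918_reverse(FIXED_CONF))
    print(catchall_zone_file(["ns1.example.net.", "ns2.example.net."], "hostmaster.example.net.",
                             {"1.0": ["ns1.example.net.", "ns2.example.net."]}))
```

Point `uncovered_rfc1918_reverse` at the concatenation of named.conf and everything it includes; each name it returns is a reverse namespace whose lookups will leave the site and produce the "RFC 1918 response from Internet" log line.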

Re: How can I know if I have problems with my views?

2012-03-28 Thread Carlos Ribas
Hello,

You're right, Mark, thanks. The problem I mentioned yesterday was solved
by implementing TSIG as described in
https://www.isc.org/faq/item/182.

What happened was that my slave was receiving zones from the same
master view. I know, my fault! But I hope my error helps you guys.

Best regards,

-
Carlos Eduardo Ribas



2012/3/27 Mark Andrews ma...@isc.org


 In message CAGdn3FHQzc=
 kfln+egfkcnqbuuzm9lpj+vrlu0lov4nzm6v...@mail.gmail.com,
 
  Hello all,
 
  I'm having problems with my DNS. Some external clients access my zones
  without problem, but others can't because they are receiving
  internal IPs instead of public ones. I'm using views and below is the
  basic configuration. Is there something wrong?
 
 
  acl rede_local { 10.0.1.0/24; };

 Don't forget loopback addresses.  127/8 is also local.

 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: How to reset the serial number?

2012-03-27 Thread Carlos Ribas
Hello all,

I just want to say thank you for all the responses. Now it works! I
removed the slave zone, but I also had to change the master configuration
to use db.example.br rather than db.example.br.signed, then re-sign the
zone, and then switch back to db.example.br.signed.

Best regards,

-
Carlos Eduardo Ribas
Analista de Suporte
Rede ANSP / Projeto NARA



2012/3/27 Chris Thompson c...@cam.ac.uk

 On Mar 27 2012, wbr...@e1b.org wrote:

  Chuck Swiger wrote on 03/26/2012 02:35:24 PM:

   Shut down the slave server(s).
   Use scp or rsync to copy over the zone file, one with a corrected serial #.
   Restart the slave server(s).

  If I have access to the slave, I just delete the slave zone and issue rndc
  reload.  It will transfer the missing zone.

  Several advantages:

  No need to shut down the slave.
  Less typing/less chance to mis-type something.

 If you have control over all the slaves, then using rndc retransfer [zone]
 on them for each zone with serial number trouble is easier still.

 If you don't have such control, you are more or less stuck with using
 serial number wraparound in the style of RFC 1982. Even if you do that
 right, you may find DNS server implementations on the slaves that don't.
 As we discovered in September 2009, when we did the last stage of wrapping
 our serials round from MMDDNN style to seconds-since-1970, the
 stealth-slaving Windows DNS servers of that time (even the 2008
 ilk) just could not cope, and went into a tizzy continuously trying
 to fetch the zones and then rejecting them for their smaller serials.

 --
 Chris Thompson
 Email: c...@cam.ac.uk


How can I know if I have problems with my views?

2012-03-27 Thread Carlos Ribas
Hello all,

I'm having problems with my DNS. Some external clients access my zones
without problem, but others can't because they are receiving
internal IPs instead of public ones. I'm using views and below is the basic
configuration. Is there something wrong?


acl rede_local { 10.0.1.0/24; };

acl rede_confiavel {
    my_public_ips;
};

// ===
// Internal view
// ===

view "internal" {
    match-clients { rede_local; };
    allow-query { rede_local; };
    allow-recursion { rede_local; };
    allow-query-cache { rede_local; };
    zone-statistics yes;

    zone "example.br" {
        type master;
        file "/var/named/db.example.br.intranet";
    };
    zone "1.0.10.in-addr.arpa" {
        type master;
        file "/var/named/db.10_0_1";
    };

    include "/etc/bind/zonas/default";
    include "/etc/bind/zonas/my_zones";
    include "/etc/bind/zones.rfc1918";
};

// ===
// External view
// ===

view "external" {
    match-clients { rede_confiavel; };
    allow-query { rede_confiavel; };
    allow-recursion { rede_confiavel; };
    allow-query-cache { rede_confiavel; };
    zone-statistics yes;

    zone "example.br" {
        type master;
        file "/var/named/db.example.br";
    };

    include "/etc/bind/zonas/default";
    include "/etc/bind/zonas/my_zones";
    include "/etc/bind/zones.rfc1918";
};

// ===
// Recursive view
// ===

view "recursion" {
    match-clients { any; };
    zone-statistics yes;
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    zone "example.br" {
        type master;
        file "/var/named/db.example.br";
    };

    include "/etc/bind/zonas/my_zones";
    include "/etc/bind/zones.rfc1918";
};

Best regards,

-
Carlos Eduardo Ribas

How to reset the serial number?

2012-03-26 Thread Carlos Ribas
Hello all,

I accidentally changed the serial number to one bigger than 32 bits and now
I'm trying to reset the serial number. Following the BIND 9 manual I
tried to add 2147483647 (2^31-1) to the number and reload the server, but
my slave is not updating to the new zone serial number.

Here is what I'm doing:

# dig @10.0.1.24 saturno.br SOA
...
;; ANSWER SECTION:
example.br.             86400   IN      SOA     ns1.example.br. hostmaster.example.br. *2694341036* 7200 3600 604800 86400
...

2694341036 + 2147483647 = 4841824683

I put this number in as the serial, but it did not work. I also saw that when
the number is over 4,294,967,295 I have to subtract 4,294,967,296.
So 4841824683 - 4294967296 = 546857387. That did not work either. Does
anybody know what I'm doing wrong? I'm using BIND 9.7.3.

Best regards,

-
Carlos Eduardo Ribas
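SOA serials are unsigned 32-bit numbers compared with the sequence-space arithmetic of RFC 1982, which Chris Thompson's reply and this question both lean on: a serial counts as newer only if it is ahead of the old one by less than 2^31, so a numerically smaller target has to be reached in jumps of at most 2^31-1, each one published long enough for every slave to pick it up. The following is an added example, not code from the thread or from ISC: it implements the RFC 1982 comparison and addition and computes the sequence of serials to publish, using the slave's serial 2694341036 quoted above; the target 2012032601 is an assumed date-based value. A number outside 0..2^32-1 is rejected rather than wrapped, because it is not a serial any 32-bit field can carry.

```python
from typing import List

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # 2^32: serials live in [0, MOD)
HALF = 1 << (SERIAL_BITS - 1)   # 2^31: the largest legal single increment is HALF - 1


def _check_serial(value: int, what: str) -> int:
    if not 0 <= value < MOD:
        raise ValueError(f"{what} {value} is not a 32-bit serial (0..{MOD - 1})")
    return value


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 addition: n must be in [0, 2^31 - 1]; the sum wraps modulo 2^32."""
    _check_serial(serial, "serial")
    if not 0 <= n < HALF:
        raise ValueError("increment must be between 0 and 2^31 - 1")
    return (serial + n) % MOD


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a is newer than b'.
    False when a == b, and False in both directions when they differ by exactly 2^31,
    which the RFC leaves undefined (and which is why the increment stops at 2^31 - 1)."""
    _check_serial(a, "serial")
    _check_serial(b, "serial")
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def plan_serial_reset(current: int, target: int) -> List[int]:
    """Serials to publish, in order, so that every slave sees each one as newer than
    the one before and finally lands on target. Publish each step and wait until all
    slaves have transferred it before moving on."""
    cur = _check_serial(current, "current")
    _check_serial(target, "target")
    steps: List[int] = []
    while cur != target and not serial_gt(target, cur):
        cur = serial_add(cur, HALF - 1)   # the largest jump slaves still accept
        steps.append(cur)
    steps.append(target)
    return steps


if __name__ == "__main__":
    # The slave in the thread holds 2694341036; an assumed date-based target.
    print(plan_serial_reset(2694341036, 2012032601))  # [546857387, 2012032601]
```

The first step it prints is exactly the 546857387 computed in the question; the plan only works if the master actually serves that intermediate serial and the slaves transfer it before the target is published, which is the part Chris notes some non-BIND slaves get wrong.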

Re: How to reset the serial number?

2012-03-26 Thread Carlos Ribas
Hello,

I was doing some tests with DNSSEC in that zone. I used a one-day
signature lifetime, and now it has expired. All this happened when I was trying
to regenerate the signatures.

In fact, the problem is that my master did not see the serial change.
If I run dig against the master I still get the old serial number, even after
restarting BIND. Do I have to disable DNSSEC?

Regards,

-
Carlos Eduardo Ribas


2012/3/26 Chuck Swiger cswi...@mac.com

 On Mar 26, 2012, at 11:30 AM, Carlos Ribas wrote:
  I accidentally changed the serial number to one bigger than 32 bits and
 now I'm trying to reset the serial number. Following the BIND 9 manual I
 tried to add 2147483647 (2^31-1) to the number and reload the server, but
 my slave is not updating to the new zone serial number.

 Shut down the slave server(s).
 Use scp or rsync to copy over the zone file, one with a corrected serial #.
 Restart the slave server(s).

 [ Is BIND putting SOA serial #'s into a signed int? ]

 Regards,
 --
 -Chuck

