LLQ and UL support in BIND 9

2016-03-22 Thread David Li
Hi Everyone,

Does BIND 9 support LLQ and UL?

LLQ http://files.dns-sd.org/draft-sekar-dns-llq.txt
UL   http://files.dns-sd.org/draft-sekar-dns-ul.txt


They were originally in Apple's dnsextd implementation long ago. In my
own test, it seems that UL is working. When a client went away, its
record also got removed. But I am not sure if this is the real UL
implementation in BIND. I am also not sure about the LLQ feature.

Thanks.

David
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS Service Discovery

2016-03-13 Thread David Li
Hi Warren,

I am aware of DNS-SD and related IETF drafts/RFCs. I also know about
Apple's Bonjour implementation.

We are implementing an enterprise distributed system with many CentOS
7 servers. Each server or a group of servers may run a different app
or provide a different service to others.  These services may come and
go. The challenge is how to use DNS-SD to let them discover each other
dynamically.  We do have DHCP and use Dynamic DNS updates.

Another challenge is we can't use multicast, so mDNS is out of the
question.  But I know mDNS is not required. Unicast DNS might just
work.

I have been researching to see what's out there or what the common
practice is. Though this is pretty common, so far I haven't turned
up any promising leads. I did find Avahi but I'm not sure if this is one.

Anyone have any suggestions?

Thanks.

David





On Sun, Mar 13, 2016 at 12:06 AM, Warren Kumari <war...@kumari.net> wrote:
> On Sun, Mar 13, 2016 at 2:34 AM David Li <dlipub...@gmail.com> wrote:
>>
>> Hi Everyone,
>>
>> Is this the right place to ask general DNS-SD questions?  If not, can
>> someone point me to the right list? I can't seem to find one.
>
>
>
> It almost definitely is not the right place, but what is the question?
> Perhaps someone can point you at the best place to ask it (or, just answer
> it :-)).
> I'm guessing dns-operations may be the place, but...
>
> W
>
>
>>
>>
>> Thanks.


DNS Service Discovery

2016-03-12 Thread David Li
Hi Everyone,

Is this the right place to ask general DNS-SD questions?  If not, can
someone point me to the right list? I can't seem to find one.

Thanks.


Re: A Zone Transfer Question

2016-02-22 Thread David Li
Hi Mark,

Thanks for the explanation!

At this time all my stuff is internal to the data center, so I just
added an option to listen on IPv4 only. This seems to have made
these error messages go away.

I do have another question:  If I don't need to do reverse lookup, do
I still need PTR records? In other words, is there any downside if I
don't have PTR records in my zone files?

David





On Mon, Feb 22, 2016 at 4:04 PM, Mark Andrews <ma...@isc.org> wrote:
>
> This is named trying to talk to nameservers over IPv6 and being
> told by the OS that they are unreachable.
>
> At this point in time you should be yelling at your ISP to supply
> you with IPv6 connectivity if they aren't already as the world ran
> out of IPv4 addresses years ago and the network is only running
> because ISPs that don't have enough addresses are sharing them
> between multiple customers which is costing everyone in one way or
> another.
>
> If your ISP is offering you IPv6 you may need to update your CPE
> router to one which supports IPv6.
>
> There is no valid excuse for an ISP not supplying IPv6 in 2016.  They
> have had over a decade to plan for how to deliver IPv6 to you.
>
> Mark
>
>
> In message <caeutsaydpmhzikenfyzeppxgafqazfdecsbtzjx+h7f4ygp...@mail.gmail.com>, David Li writes:
>> Barry and others:
>>
>> Thanks for the help!
>> It's my bad that the slave zone's subnet range was missing from
>> allow-query. I also added the slave IP explicitly to the
>> allow-transfer option. Now it seems to be working.
>>
>>
>> Another issue that I haven't quite figured out is the errors in the
>> syslog. I have no idea where these are coming from:
>>
>>
>>
>> Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
>> resolving 'node2/A/IN': 2001:503:c27::2:30#53
>> Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
>> resolving 'node2/A/IN': 2001:7fd::1#53
>> Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
>> resolving './NS/IN': 2001:500:1::803f:235#53
>> Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
>> resolving './NS/IN': 2001:503:c27::2:30#53
>> Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
>> resolving './NS/IN': 2001:7fd::1#53
>> Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
>> resolving 'node2/A/IN': 2001:dc3::35#53
>> Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
>> resolving 'node2/A/IN': 2001:7fe::53#53
>> Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
>> resolving './NS/IN': 2001:dc3::35#53
>> Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
>> resolving './NS/
>>
>>
>> I don't have a zone file that has these records defined. Any idea?
>>
>> David
>>
>>
>>
>>
>> > --
>> >
>> > Message: 3
>> > Date: Fri, 19 Feb 2016 21:25:43 -0500
>> > From: Barry Margolin <bar...@alum.mit.edu>
>> > To: comp-protocols-dns-b...@isc.org
>> > Subject: Re: A Zone Transfer Question
>> > Message-ID: <barmar-b6877f.21254319022...@88-209-239-213.giganet.hu>
>> >
>> > In article <mailman.269.1455926963.73610.bind-us...@lists.isc.org>,
>> >  David Li <dlipub...@gmail.com> wrote:
>> >
>> >> Hi John,
>> >>
>> >> Well, I was wrong about the log. I did find some info about why zone
>> >> transfer failed. On one server running zone rack1.com, I see:
>> >>
>> >> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745
>> >> (rack1.com): query 'rack1.com/SOA/IN' denied
>> >> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612
>> >> (rack1.com): transfer of 'rack1.com/IN': IXFR ended
>> >>
>> >> Any idea why it's denied?
>> >
>> > VM1 has the option:
>> >
>> > allow-query {
>> >10.4.1/24;
>> >127.0.0.1;
>> > };
>> >
>> > 10.4.3.101 isn't in 10.4.1/24. The slave has to be allowed to query the
>> > master.
>> >
>> > --
>> > Barry Margolin
>> > Arlington, MA
>> >
>> >
>> > --
>> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
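The two kinds of syslog line quoted in this message (the "query ... denied" from the slave, and the "network unreachable" lines for IPv6 root and TLD servers) are exactly what a small log-triage script should separate: an ACL that blocks your own slave, a transfer that completed to a host that is not a slave, and resolver noise from a box with no IPv6 route. The following is an added example, not code from the thread or from ISC. The sample lines are the ones posted above (joined back onto single lines) plus two constructed lines, marked as such, for a host that is not a configured slave; the "allowed slaves" list is assumed to be whatever you would put in allow-transfer.

```python
"""Triage named (BIND 9) syslog lines for zone-transfer and ACL problems.

Added example, not code from the thread or from ISC. SAMPLE_LOG holds the
lines posted in the thread (joined back onto single lines) plus two
constructed lines, marked below, for a host that is not a configured slave.
"""
import ipaddress
import re
from collections import defaultdict

# "client <ip>#<port> (<zone>): <message>"; newer named versions insert a
# "@0x..." handle after "client", so allow for it.
RE_CLIENT = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): (?P<msg>.*)$")
# Resolver-side failures: named could not reach an upstream nameserver.
RE_UNREACH = re.compile(
    r"named\[\d+\]: error \(network unreachable\) resolving "
    r"'(?P<qname>[^']+)': (?P<server>[0-9a-fA-F.:]+)#\d+$")
RE_QUERY_DENIED = re.compile(r"^query '[^']+' denied$")
RE_XFER_DENIED = re.compile(r"^zone transfer '[^']+' denied$")
RE_XFER_ENDED = re.compile(r"^transfer of '[^']+': (?P<kind>.+?) ended$")


def parse(line):
    """Return (event, fields) for a recognised line, or None for anything else."""
    m = RE_UNREACH.search(line)
    if m:
        return "unreachable", m.groupdict()
    m = RE_CLIENT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    msg = fields.pop("msg")
    if RE_QUERY_DENIED.match(msg):
        return "query_denied", fields
    if RE_XFER_DENIED.match(msg):
        return "xfer_denied", fields
    m = RE_XFER_ENDED.match(msg)
    if m:
        fields["kind"] = m.group("kind")
        return "xfer_ended", fields
    return None


def triage(lines, allowed_slaves):
    """Map zone -> list of findings.

    allowed_slaves: CIDR strings for the hosts that are supposed to pull zones
    (the same set you would put in allow-transfer). Denied queries from those
    hosts mean allow-query is too tight; completed transfers to anyone else
    mean allow-transfer is too loose.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_slaves]
    findings = defaultdict(list)
    unreachable_v6 = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        event, f = parsed
        if event == "unreachable":
            if ipaddress.ip_address(f["server"]).version == 6:
                unreachable_v6.add(f["server"])
            continue
        ip, zone = f["ip"], f["zone"]
        expected = any(ipaddress.ip_address(ip) in n for n in nets)
        if event == "query_denied" and expected:
            findings[zone].append(f"allow-query blocks configured slave {ip}; add it to allow-query")
        elif event == "xfer_denied" and expected:
            findings[zone].append(f"allow-transfer blocks configured slave {ip}")
        elif event == "xfer_ended" and not expected:
            findings[zone].append(f"{f['kind']} completed to {ip}, which is not a configured slave: allow-transfer too permissive")
        elif event == "xfer_denied" and not expected:
            findings[zone].append(f"transfer refused to {ip} (not a slave): ACL working, check who that host is")
    if unreachable_v6:
        findings["(resolver)"].append(
            f"{len(unreachable_v6)} IPv6 nameservers unreachable: no IPv6 route; run named -4 or fix IPv6")
    return dict(findings)


SAMPLE_LOG = [
    # From the thread (originally wrapped across two lines each)
    "Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:503:c27::2:30#53",
    "Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53",
    "Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied",
    "Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended",
    # Constructed for this example: a host outside the slave list
    "Feb 19 16:05:01 dli-centos7 named[13882]: client 192.0.2.77#40100 (rack1.com): transfer of 'rack1.com/IN': AXFR ended",
    "Feb 19 16:05:02 dli-centos7 named[13882]: client 192.0.2.78#40101 (rack1.com): zone transfer 'rack1.com/AXFR/IN' denied",
]

if __name__ == "__main__":
    for zone, notes in triage(SAMPLE_LOG, ["10.4.3.101/32"]).items():
        for note in notes:
            print(f"{zone}: {note}")
```

Run it against `journalctl -u named` or /var/log/messages output with your real slave list. The "unreachable" bucket is connectivity, not DNS configuration; the per-zone findings are the ones worth acting on, and a completed AXFR to an address you do not recognise is a leak of the whole zone, including the DHCP client-id TXT records shown in the posted zone files.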


Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John,

Nothing in the /var/log/messages indicates transfer problems. In fact
I don't think the transfer ever started by itself for some reason
until I manually used "dig" to initiate.

David

On Fri, Feb 19, 2016 at 9:00 AM, John W. Blue <john.b...@rrcic.com> wrote:
> Hello David,
>
> You can get started by checking your log files to see if named is
> complaining about anything it might not like that is preventing the
> transfer.
>
> John
>
> Sent from Nine
>
> From: David Li <dlipub...@gmail.com>
> Sent: Feb 19, 2016 10:46 AM
> To: BIND Users
> Subject: A Zone Transfer Question
>
> This is my first time to try master slave configuration. Here is a
> brief description:
>
> I have two CentOS 7.1 VMs - each is configured for a zone. VM1 is the
> master for zone1 and slave for zone2. VM2 is master for zone2 and
> slave for zone1. Both zones use DNS Dynamic Update from DHCP
> servers on the same VM to update the A records in their zone files.
> No DNSSEC configured.
>
>
> To start, everything seems to be working fine. I have one host in each
> zone and they can resolve each other fine.
>
> Now I add a new host to zone1 and its sequence number has been bumped
> up. I read that when the zone1 file changes, it will automatically
> notify its slave zone (i.e. zone2) to start a zone transfer after 15
> min. This never happened. Then I restarted named on VM2 and hoped it
> would pull the new zone1 file. This didn't happen either.
> Eventually I have to either restart the VM2 or use dig to start the
> zone transfer.
>
> Can anyone spot anything obviously wrong here? Do I need to post my
> zone file and named.conf?
>
>
> Thanks.
>
> David


Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John,

Here are the files. They are all internal zones without any references
to external name servers.

VM1:


named.conf:
-

#
# master (on VM1)
#
zone "rack1.com" {
    type master;
    file "/var/named/db.rack1.com";
    allow-update { key rndc-key-rack1; }; # For DHCP dynamic update
};

#
# slave of rack3.com (its master is VM2)
#
zone "rack3.com" {
    type slave;
    file "/var/named/bak.rack3.com";
    masters { 10.4.3.101; }; # VM2 named IP
};


zone file:
/var/named/db.rack1.com
-

$ORIGIN .
$TTL 907200     ; 1 week 3 days 12 hours
rack1.com       IN SOA  dnsserver1.rack1.com. admin.rack1.com. (
                                8          ; serial
                                60         ; refresh (1 minute)
                                60         ; retry (1 minute)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                NS      dnsserver1.rack1.com.
$ORIGIN rack1.com.
dnsserver1      A       10.4.1.101

$TTL 3600       ; 1 hour
node1           A       10.4.1.11
                TXT     "007ddd47ea6ddcd890312de89e37bde496"
node2           A       10.4.1.12
                TXT     "316a8d5e65fbd9f853df6d90ad1f24ecac"
node3           A       10.4.1.13
                TXT     "009da8179478f9169cb47965e53d19f134"

On VM2
===



named.conf file
---




#
# Master
#
zone "rack3.com" {
    type master;
    file "/var/named/db.rack3.com";
    allow-update { key rndc-key-rack3; }; # For DHCP update
};


#
# Slave
#
zone "rack1.com" {
    type slave;
    file "/var/named/bak.rack1.com";
    masters { 10.4.1.101; }; # VM1 named IP address
};




zone file:
--

$ORIGIN .
$TTL 907200     ; 1 week 3 days 12 hours
rack3.com       IN SOA  dnsserver3.rack3.com. admin.rack3.com. (
                                2          ; serial
                                60         ; refresh (1 minute)
                                60         ; retry (1 minute)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                NS      dnsserver3.rack3.com.
$ORIGIN rack3.com.
dnsserver3      A       10.4.3.101
$TTL 3600       ; 1 hour
node1           A       10.4.3.11
                TXT     "001395d7d2a164c7efde811584bbc470b9"


On Fri, Feb 19, 2016 at 8:59 AM, John Miller <johnm...@brandeis.edu> wrote:
> On Fri, Feb 19, 2016 at 11:45 AM, David Li <dlipub...@gmail.com> wrote:
>>  This is my first time to try master slave configuration. Here is a
>> brief description:
>>
>> I have two CentOS 7.1 VMs - each is configured for a zone. VM1 is the
>> master for zone1 and slave for zone2. VM2 is master for zone2 and
>> slave for zone1. Both zones use DNS Dynamic Update from DHCP
>> servers on the same VM to update the A records in their zone files.
>> No DNSSEC configured.
>>
>>
>> To start, everything seems to be working fine. I have one host in each
>> zone and they can resolve each other fine.
>>
>> Now I add a new host to zone1 and its sequence number has been bumped
>> up. I read that when the zone1 file changes, it will automatically
>> notify its slave zone (i.e. zone2) to start a zone transfer after 15
>> min. This never happened. Then I restarted named on VM2 and hoped it
>> would pull the new zone1 file. This didn't happen either.
>> Eventually I have to either restart the VM2 or use dig to start the
>> zone transfer.
>>
>> Can anyone spot anything obviously wrong here? Do I need to post my
>> zone file and named.conf?
>>
>
> Hi David -
>
> Yes, it'd certainly help if you posted your named.conf.  I don't know
> that we need the whole zone file: the SOA and NS records would
> probably suffice in this case, especially if the zone has tons of
> records.
>
> I'll say: it sounds a little odd that you'd expect zone2 to be updated
> when zone1 changes.  The master NS for zone1 will send out NOTIFY
> messages to the servers listed in the NS records for zone1; it'll also
> send NOTIFYs to anything you've put in an also-notify block.
>
> The 15-minute wait also sounds strange: NOTIFY happens as soon as the
> serial number of the master zone is incremented and the zone is
> reloaded.  Also, a slave NS will automatically check its master for
> updates after the refresh interval (1st number after the serial)
> specified in the SOA record.  If you have that set to 15 minutes (900
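Two things stand out in the posted named.conf fragments from a security angle, beyond the allow-query omission Barry identified and the NOTIFY point John makes above. First, neither master zone carries an allow-transfer; unless there is one at options level that was not posted, BIND 9 releases of that era defaulted to allow-transfer { any; }, so any host that can reach port 53 can pull the whole zone, DHCP client-id TXT records included. Second, the dynamic-update key is named like the rndc control key; if it is the same key as in the controls statement, anyone who can send a DHCP update can also drive rndc. The fragment below is an added example, not the poster's or ISC's configuration: it keeps the posted addresses and zone names, and assumes the key names (xfer-rack1, dhcp-rack1), the placeholder secret, the 10.4.0.0/16 client range, and that these servers are authoritative-only (if the rack hosts also use them as resolvers, keep recursion on and scope it with allow-recursion instead). The same pattern applies unchanged to rack3.com with the roles swapped.

```conf
# Added example, not the configuration from the thread. Key names, the
# secret placeholder and the 10.4.0.0/16 range are assumptions.

# Shared by both VMs. Generate once with
#     ddns-confgen -k xfer-rack1     (tsig-keygen on newer BIND releases)
# and copy the same statement to both servers over a trusted channel.
key "xfer-rack1" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-THE-BASE64-SECRET-FROM-ddns-confgen=";
};

# ---- VM1 (10.4.1.101): master for rack1.com ----
options {
    directory "/var/named";
    # Every rack may query; this also covers the slave's SOA refresh checks,
    # which are ordinary queries and were what Barry's "denied" line was about.
    allow-query { 10.4.0.0/16; 127.0.0.1; };
    # Global default: no AXFR/IXFR unless a zone statement opens it up.
    allow-transfer { none; };
    # Authoritative-only server: stops the root-server lookups behind the
    # "network unreachable" lines. If clients resolve through this box,
    # use: allow-recursion { localnets; }; instead of turning it off.
    recursion no;
};

zone "rack1.com" {
    type master;
    file "db.rack1.com";
    # Dedicated DHCP update key, defined like xfer-rack1, never the rndc key.
    allow-update { key dhcp-rack1; };
    # The slave must sign with the TSIG key; a matching source IP is not enough.
    allow-transfer { key xfer-rack1; };
    # VM2 is not in the zone's NS set, so NOTIFY it explicitly on each
    # serial bump (dynamic updates included).
    also-notify { 10.4.3.101; };
    notify yes;
};

# ---- VM2 (10.4.3.101): slave for rack1.com ----
zone "rack1.com" {
    type slave;
    file "bak.rack1.com";
    # Sign the SOA checks and the transfer requests with the same key.
    masters { 10.4.1.101 key xfer-rack1; };
    # A slave has no reason to hand the zone to anyone else.
    allow-transfer { none; };
};
```

After reloading, `dig @10.4.1.101 rack1.com AXFR` from a host that is not VM2 should come back REFUSED, and `dig @10.4.1.101 rack1.com AXFR -y hmac-sha256:xfer-rack1:<secret>` from VM2 should succeed; a TSIG-signed transfer also shows up in the master's log with the key name, which is what you want to see when auditing who pulled a zone. The "network unreachable" lines are a separate matter: they are named trying IPv6 transports from a host with no IPv6 route, and `named -4` (OPTIONS="-4" in /etc/sysconfig/named on CentOS) confines it to IPv4 until the ISP problem Mark describes is fixed.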

Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-19 Thread David Li
Hi Tony/Chris,

Thanks for the suggestion and pointers.

At this stage, my network design is still very fluid. However, the
basic architecture constraints call for at least three racks of
servers. Each is served by a TOR switch. One of the servers in each
rack is dedicated to DHCP/DNS services, so there will be three of them
at least.

Each rack potentially is a subnet or VLAN by itself.  Every other
server in each rack should be able to reach any other server in the
whole cluster. All names and addresses are internal private ones.

Questions are:

1. Does it make sense to have one DNS zone for the cluster?
2. Does it make sense to have one master authoritative DNS server and
two other slaves to cover the cluster and meet the HA requirement?

Thanks.

David

On Tue, Jan 19, 2016 at 10:14 AM, Chris Buxton <cli...@buxtonfamily.us> wrote:
> On Jan 16, 2016, at 9:33 PM, David Li <dlipub...@gmail.com> wrote:
>>
>> Hi,
>>
>> I am new to BIND. I am researching for a DNS server that can meet a
>> list of requirements to be used in  a distributed system. They are:
>>
>> 1. Security (DNSSEC)
>> 2. High Availability (HA)
>> 3. Service Discovery (DNS-SD)
>
>
> Hello David,
>
> I think you’ll find 1 and 3 are easy to find. For 2, it depends on what you 
> mean. Tony Finch has already given you several excellent options covering 
> most of the use cases.
>
> The one thing that is most difficult is HA for the primary master name 
> server, which is the target for dynamic updates and is therefore fairly 
> important; even a few minutes of downtime of this server might cause outages 
> for DHCP service, for example. There are several commercial offerings that 
> include this sort of HA. I work for one of these vendors, BlueCat.
>
> Regards,
> Chris Buxton

Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-16 Thread David Li
Hi,

I am new to BIND. I am researching DNS servers that can meet a
list of requirements to be used in a distributed system. They are:

1. Security (DNSSEC)
2. High Availability (HA)
3. Service Discovery (DNS-SD)

So I think BIND might be my best choice so far. Others I have looked
at include dnsmasq, unbound, PowerDNS etc.

Because I don't have real experience with BIND yet and our
architecture hasn't been finalized, I am asking the community experts
for validation of my conclusion.

Another question I haven't quite figured out is the HA architecture.
Is it possible to set up a cluster of BIND servers (> 2) for each VLAN
subnet with one of them as master and the rest as slaves?

Thanks!

David