Re: Problems building bind 9.18.1 on FreeBSD

[Dennis Clarke via bind-users]

On 3/25/22 09:37, The Doctor via bind-users wrote:

On Fri, Mar 25, 2022 at 11:49:54AM +0100, Borja Marcos wrote:

Following up on this subject, looks like there were substantial changes to the 
build process for 9.18.1? The port maintainers
seem to be having a hard time with it.




You got that right.

One include is messed up and so are some libraries
and man pages.




The entire ISC *preocess* has become gradually more toxic for at
least a decade.  Many systems and architectures are slowly dropped
and they fall to the wayside to be forgotten and abandoned. Regardless
if you have a decent compiler or really substantial processors and
memory and various standard compliant headers etc. One may file a bug
report and then be politely told to go away. Expect that. That is what
will happen. The build process has become more toxic and complicated
and even outright obfuscated to the point that it is hopeless to even
bother looking at a system running FreeBSD on RISC-V or some other UNIX
on just about any architecture. Even Python3 was slammed into the mess
for a code base that was always pure clean portable C. My opinion is
that ISC is all about the "Support Subscription" business and quite
frankly it stopped being any sort of a welcome "community" a long time
ago.  To the point that I now consider it a waste of time to even bother
dealing with BIND.  If it works ( at all ) on the future FreeBSD 13.1
release then be happy and say nothing. Don't expect it to stay that way.
Expect future problems and more toxic traffic until it is all just a
Linux SystemD service.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: should I be seeing piles of gnuism extensions in the test suite?

[Dennis Clarke via bind-users]

On 7/30/21 11:13, Ondřej Surý wrote:
> Dennis,
> 
> not sure why you are repeating the message you sent to the list before, but 
> here’s
> the answer I gave you in May and it is still true:

 this -->   -print0 and xargs -0 might not be exactly POSIX.1, but
   it’s important for safe passing of filenames.


What you are saying is that your testsuite is not portable. It may or
may not work on some systems and good luck if it does not.  If I were
to try a z/OS system then your code would certainly break there. I can
and will test that.

Dennis Clarke

ps: I recall I was the person ISC reached out to with your internal
  code that you could not get running on a customer system. I was
  the one that fixed that problem and did it with a smile. Maybe
  you need to get your head out of the clouds.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

should I be seeing piles of gnuism extensions in the test suite?

[Dennis Clarke via bind-users]

While running the testsuite for 9.11.26 on a strict UNIX system I see :

.
.
.
I:autosign:  resigned after the active KSK is deleted - stage 2: Verify
that DNSKEY
I:autosign:  is now signed with the ZSK. (87)
I:autosign:check that zone with active and inactive ZSK and active KSK
is properly
I:autosign:  resigned after the active ZSK is deleted - stage 2: Verify
that zone
I:autosign:  is now signed with the KSK. (88)
I:autosign:checking for out-of-zone NSEC3 records after ZSK removal (89)
I:autosign:check that DNAME at apex with NSEC3 is correctly signed
(auto-dnssec maintain) (90)
I:autosign:checking that DNAME is not treated as a delegation when
signing (91)
I:autosign:exit status: 1
find: bad option -or
find: [-H | -L] path-list predicate-list
xargs: illegal option -- 0
find: bad option -print0
findxargs: : [-H | -L] path-list predicate-list
Usage: xargs: [-t] [-p] [-e[eofstr]] [-E eofstr] [-I replstr]
[-i[replstr]] [-L #] [-l[#]] [-n # [-x]] [-s size] [cmd [args ...]]
R:autosign:FAIL
E:autosign:Fri Jul 30 14:34:57 GMT 2021
S:builtin:Fri Jul 30 14:34:57 GMT 2021
T:builtin:1:A
A:builtin:System test builtin
I:builtin:PORTRANGE:5800 - 5899
I:builtin:Checking expected empty zones were configured (1)
I:builtin:Checking that reconfiguring empty zones is silent (2)
I:builtin:Checking that reloading empty zones is silent (3)
I:builtin:Checking that default version works for rndc (4)
I:builtin:Checking that custom version works for rndc (5)
I:builtin:Checking that default version works for query (6)
I:builtin:Checking that custom version works for query (7)
I:builtin:Checking that default hostname works for query (8)
I:builtin:Checking that custom hostname works for query (9)
I:builtin:Checking that default server-id is none for query (10)
I:builtin:Checking that server-id hostname works for query (11)
I:builtin:Checking that server-id hostname works for EDNS name server ID
request (12)
I:builtin:Checking that custom server-id works for query (13)
I:builtin:Checking that custom server-id works for EDNS name server ID
request (14)
I:builtin:exit status: 0
find: bad option -or
find: [-H | -L] path-list predicate-list
xargs: illegal option -- 0
find: bad option -print0
findxargs: : [-H | -L] path-list predicate-list
Usage: xargs: [-t] [-p] [-e[eofstr]] [-E eofstr] [-I replstr]
[-i[replstr]] [-L #] [-l[#]] [-n # [-x]] [-s size] [cmd [args ...]]
R:builtin:PASS
E:builtin:Fri Jul 30 14:35:19 GMT 2021
S:cacheclean:Fri Jul 30 14:35:19 GMT 2021
T:cacheclean:1:A
A:cacheclean:System test cacheclean
I:cacheclean:PORTRANGE:5900 - 5999
I:cacheclean:check correctness of routine cache cleaning (1)
I:cacheclean:only one tcp socket was used (2)
I:cacheclean:reset and check that records are correctly cached initially (3)
I:cacheclean:check flushing of the full cache (4)
I:cacheclean:check flushing of individual nodes (interior node) (5)
I:cacheclean:check flushing of individual nodes (leaf node, under the
interior node) (6)
I:cacheclean:check flushing of individual nodes (another leaf node, with
both positive and negative cache entries) (7)
I:cacheclean:check flushing a nonexistent name (8)
I:cacheclean:check flushing of namespaces (9)
I:cacheclean:check flushing a nonexistent namespace (10)
I:cacheclean:check the number of cached records remaining (11)
I:cacheclean:check the check that flushname of a partial match works (12)
I:cacheclean:check the number of cached records remaining (13)
I:cacheclean:check flushtree clears adb correctly (14)
I:cacheclean:check expire option returned from master zone (15)
I:cacheclean:check expire option returned from slave zone (16)
I:cacheclean:exit status: 0
.
.
.

Is there a requirement for GNU sed and GNU awk etc etc ?

Also I will try this on z/OS which is even far more strict and I worry
that the entire build process may fail due to such extensions.

-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How do I identify if bind9 is using 4 cores?

[Dennis Clarke via bind-users]

On 6/17/21 03:47, Manish Rane wrote:
> Does this mean and I can assume that bind has started with 4 cores?
> 
>   CGroup: /system.slice/named.service
>`-3150 /usr/sbin/named -f -u bind -n 4
> --
> Thanks and Regards,
> Manish R
> 

You may be able to ask with rndc :

#
# /usr/local/sbin/rndc -s 127.0.0.1 \
> -k /etc/opt/isc/named/rndc.key \
> -p 953 status 2>&1 | grep 'threads'
worker threads: 1
#


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: where are the testing docs ?

[Dennis Clarke via bind-users]

On 5/10/21 01:55, @lbutlr wrote:
> On 06 May 2021, at 09:57, Dennis Clarke via bind-users 
>  wrote:
>> I do NOT trust a build result where I had to go hacking into all the
>> Makefiles just to get it to build. You install without doing testing?
> 
> That's a very strange definition of "hacking". Setting makefile [preferences 
> and options is not in and way "hacking".
> 

I realize you are being a jerk on purpose but regardless :

1) 9.11.26 builds perfectly out of the box with no issues

2) 9.11.27 fails to build with a bucket of undefined symbols

3) 9.11.28 fails to build in the same manner

4) 9.11.29 why waste my time looking here ?

5) 9.11.30 does not even exist ... please play again

6) 9.11.31 fails to build with a bucket of undefined symbols

7) dig around madly into 9.11.26 to see if *something* has gone
   wonky thereafter ... rebuild it and watch everything "just work"

8) change some compiler flags, look at the CPPFLAGS and begin
   digging into the Makefiles to see where things have gone bork

9) find that the Makefile in bin/tools is in fact bork bork bork

   10) compare the Makefile in bin/tools with the results from 9.11.26

   11) find possible bork botk bork and begin to hack in some silly
   edits to get past the bin/tools portion of this mess

   12) that works and now other things break, so begin a pile of sed
   and grep and awk and such over ALL the Makefiles everywhere and
   determine that in fact yes they are all borked slightly

I call all of those four days of work a pile of hack. On an old legacy
platform that no one wants to keep running anymore, and it just keeps
running and running. I don't know what you call it. I just say that
releases after 9.11.26 are borked. However only slightly and in places
no one would look at anyways.


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: where are the testing docs ?

[Dennis Clarke via bind-users]

On 5/8/21 14:13, Evan Hunt wrote:
> On Thu, May 06, 2021 at 11:57:58AM -0400, Dennis Clarke via bind-users wrote:
>> I do NOT trust a build result where I had to go hacking into all the
>> Makefiles just to get it to build. You install without doing testing?
> 
> I think Ondrej just meant that we haven't put much emphasis on making the
> tests user-friendly, since most of the time you *don't* have to hack
> makefiles. We generally use the tests to make sure we haven't broken
> something while making changes, but we're not expecting everybody to
> do so when installing a published release.  That said, I'm *delighted*
> to see people running them.
> 
> We seem to have inadvertently removed a nice feature when the tests were
> revamped a while back - it used to print a helpful message if you ran
> "make check" without setting up the environment first, and told you what
> you needed to do (specifically, "sudo sh bin/tests/system/ifconfig.sh up").
> I think the message got lost when we switched to automake.
> 
> Some tests will be skipped if there are missing dependencies, so you may
> also wish to install the Net::DNS, Net::DNS::Nameserver and XML::Simple
> modules for perl, and dnspython for python.
> 

Well to be fair the build result seems to be just fine. At least fine
enough on this legacy system. The idea is to rip this machine out of
existence in the next year regardless and that will be the last time I
ever look at Solaris or SPARC. End of an era and I think LawnMower Larry
wants things that way.  So 9.11.31 will be running as a service on some
Fujitsu SPARC64 boxen until Jan next year and that is he end of that.

For that matter, even Fujitsu tossed the platform out a window and they
built their latest supercomputer with arm64.  Lets hope that RISC-V will
get some traction but risc on big endian anything is an endangered
species rarely ever seen in the wild anymore.


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: took a while to figure out why all your tests fail

[Dennis Clarke via bind-users]

On 5/7/21 16:00, Ondřej Surý wrote:
> No, the tests run fine on BSDs, there are no gnuisms.
> 
> Solaris just isn’t on our supported platform list

Oh thats right .. you guys dropped it.

Still a whack of legacy boxes out there running but I guess
not ISC Bind in the very very very near future anyways.

.whatever.

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

how to run tests separately

[Dennis Clarke via bind-users]

My test results are a little suspect :

.
.
.
I:ok
I:lwresd:using nosearch.conf
I:ok
I:lwresd:exit status: 0
find: bad option -or
find: [-H | -L] path-list predicate-list
xargs: illegal option -- 0
xargs: find: bad option -print0Usage: xargs: [-t] [-p] [-e[eofstr]] [-E
eofstr] [-I replstr] [-i[replstr]] [-L #] [-l[#]] [-n # [-x]] [-s size]
[cmd [args ...]]

find: [-H | -L] path-list predicate-list
R:lwresd:PASS
E:lwresd:Fri May  7 19:37:44 GMT 2021
S:tkey:Fri May  7 19:37:44 GMT 2021
T:tkey:1:A
A:tkey:System test tkey
I:tkey:PORTRANGE:5300 - 5399
I:tkey:generating new DH key (1)
I:tkey:creating new key using owner name "." (2)
I:tkey:checking the new key (3)
I:tkey:deleting new key (4)
I:tkey:checking that new key has been deleted (5)
I:tkey:creating new key using owner name "foo.example." (6)
I:tkey:checking the new key (7)
I:tkey:deleting new key (8)
I:tkey:checking that new key has been deleted (9)
I:tkey:creating new key using owner name bar.example. (10)
I:tkey:checking the key with 'rndc tsig-list' (11)
I:tkey:using key in a request (12)
I:tkey:deleting the key with 'rndc tsig-delete' (13)
I:tkey:recreating the bar.example. key (14)
I:tkey:checking the new key with 'rndc tsig-list' (15)
I:tkey:using the new key in a request (16)
I:tkey:exit status: 0
find: bad option -or
find: [-H | -L] path-list predicate-list
xargs: illegal option -- 0
find: bad option -print0
find: [-H | -L] path-list predicate-list
xargs: Usage: xargs: [-t] [-p] [-e[eofstr]] [-E eofstr] [-I replstr]
[-i[replstr]] [-L #] [-l[#]] [-n # [-x]] [-s size] [cmd [args ...]]
R:tkey:PASS
E:tkey:Fri May  7 19:37:51 GMT 2021
I:System test result summary:
I:   4 FAIL
I:  65 PASS
I:   5 SKIPPED
I:  15 UNTESTED
I:The following system tests failed:
I:  autosign
I:  ecdsa
I:  nsupdate
I:  tsig
find: bad option -or
find: [-H | -L] path-list predicate-list
*** Error code 1
The following command caused the error:
/opt/bw/bin/bash ./testsummary.sh
make: Fatal error: Command failed for target `test'
-bash-5.0$


Let's ignore the bad xargs and find options for now. How can I run those
 tests as separate items manually ?

-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: took a while to figure out why all your tests fail

[Dennis Clarke via bind-users]

On 5/6/21 19:03, Mark Andrews wrote:
> First of all the user running the tests needs to be able to write to 
> bin/tests/system. See the permission denied from tee. 
> 


Well I gave up and decided to run the tests with the same userid and
gid as the acct that created the build.

However I see a whack of :

I:allow-query:exit status: 0
find: bad option -or
find: [-H | -L] path-list predicate-list
find: bad option -print0
find: [-H | -L] path-list predicate-list
xargs: illegal option -- 0
xargs: Usage: xargs: [-t] [-p] [-e[eofstr]] [-E eofstr] [-I replstr]
[-i[replstr]] [-L #] [-l[#]] [-n # [-x]] [-s size] [cmd [args ...]]
R:allow-query:PASS


So I guess there are hard coded gnuisms in there?

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: took a while to figure out why all your tests fail

[Dennis Clarke via bind-users]

On 5/6/21 19:03, Mark Andrews wrote:
> First of all the user running the tests needs to be able to write to 
> bin/tests/system. See the permission denied from tee. 
> 

I tried that and a pile of *other* things fail :


dude@nix$ ifconfig -a
lo0:6: flags=2001000849 mtu
8232 index 1
inet 127.0.0.1 netmask ff00
bge2:6: flags=1000803 mtu 1500 index 4
inet 172.16.1.202 netmask ff00 broadcast 172.16.1.255
bge2:7: flags=1000803 mtu 1500 index 4
inet 10.53.0.1 netmask ff00 broadcast 10.255.255.255
bge2:8: flags=1000803 mtu 1500 index 4
inet 10.53.0.2 netmask ff00 broadcast 10.255.255.255
bge2:9: flags=1000803 mtu 1500 index 4
inet 10.53.0.3 netmask ff00 broadcast 10.255.255.255
bge2:10: flags=1000803 mtu 1500 index 4
inet 10.53.0.4 netmask ff00 broadcast 10.255.255.255
bge2:11: flags=1000803 mtu 1500 index 4
inet 10.53.0.5 netmask ff00 broadcast 10.255.255.255
bge2:12: flags=1000803 mtu 1500 index 4
inet 10.53.0.6 netmask ff00 broadcast 10.255.255.255
bge2:13: flags=1000803 mtu 1500 index 4
inet 10.53.0.7 netmask ff00 broadcast 10.255.255.255
bge2:14: flags=1000803 mtu 1500 index 4
inet 10.53.0.8 netmask ff00 broadcast 10.255.255.255
bge2:15: flags=1000803 mtu 1500 index 4
inet 10.53.0.9 netmask ff00 broadcast 10.255.255.255
bge2:16: flags=1000803 mtu 1500 index 4
inet 10.53.0.10 netmask ff00 broadcast 10.255.255.255
bge2:17: flags=1000803 mtu 1500 index 4
inet 10.53.1.1 netmask ff00 broadcast 10.255.255.255
bge2:18: flags=1000803 mtu 1500 index 4
inet 10.53.1.2 netmask ff00 broadcast 10.255.255.255
bge2:19: flags=1000803 mtu 1500 index 4
inet 10.53.2.1 netmask ff00 broadcast 10.255.255.255
bge2:20: flags=1000803 mtu 1500 index 4
inet 10.53.2.2 netmask ff00 broadcast 10.255.255.255
lo0:6: flags=2002000849 mtu
8252 index 1
inet6 ::1/128
bge2:1: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::1/128
bge2:2: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::2/128
bge2:3: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::3/128
bge2:4: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::4/128
bge2:5: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::5/128
bge2:6: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::6/128
bge2:7: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::7/128
bge2:8: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::8/128
bge2:9: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::9/128
bge2:10: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:::10/128
bge2:11: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:99ff::1/128
bge2:12: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:99ff::2/128
bge2:13: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:ff::1/128
bge2:14: flags=2000801 mtu 1500 index 4
inet6 fd92:7065:b8e:ff::2/128
bge2:15: flags=2000801 mtu 1500 index 4
inet6 fe80::203:baff:fe13:3c25/10
dude@nix$
dude@nix$ ./runall.sh -n
+ SYSTEMTESTTOP=.
+ . ./conf.sh
++ TOP=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005
++ DEFAULT_ALGORITHM=RSASHA256
++ DEFAULT_ALGORITHM_NUMBER=8
++ DEFAULT_BITS=1280
++ TMPDIR=/tmp
++ ALTERNATIVE_ALGORITHM=RSASHA1
++ ALTERNATIVE_ALGORITHM_NUMBER=5
++ ALTERNATIVE_BITS=1280
++ DISABLED_ALGORITHM=ECDSAP384SHA384
++ DISABLED_ALGORITHM_NUMBER=14
++ DISABLED_BITS=384
++ NAMED=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/named/named
++
LWRESD='/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/named/named -l'
++ DIG=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dig/dig
++ DELV=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/delv/delv
++ RNDC=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/rndc/rndc
++
NSUPDATE=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/nsupdate/nsupdate
++
DDNSCONFGEN=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/confgen/ddns-confgen
++
TSIGKEYGEN=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/confgen/tsig-keygen
++
RNDCCONFGEN=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/confgen/rndc-confgen
++
KEYGEN=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dnssec/dnssec-keygen
++
KEYFRLAB=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dnssec/dnssec-keyfromlabel
++
SIGNER=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dnssec/dnssec-signzone
++
REVOKE=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dnssec/dnssec-revoke
++
SETTIME=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dnssec/dnssec-settime
++
DSFROMKEY=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dnssec/dnssec-dsfromkey
++ HOST=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dig/host
++
IMPORTKEY=/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.005/bin/dnssec/dnssec-importkey
++

took a while to figure out why all your tests fail

[Dennis Clarke via bind-users]

parallel.mk check
make: Fatal error: Command failed for target `test'
airgap$


So then, is there a non-node.js and python way to test this build?


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: where are the testing docs ?

[Dennis Clarke via bind-users]

On 5/6/21 11:24, Ondřej Surý wrote:
> FTR the test suite is meant to be used by developers. There’s little value to 
> use it for validating the production systems.
> 
> Generally speaking, having the dependencies and test interfaces (`sudo 
> bin/tests/system/ifconfig.sh up`) and running `make check` is enough.
> 

I do NOT trust a build result where I had to go hacking into all the
Makefiles just to get it to build. You install without doing testing?

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: where are the testing docs ?

[Dennis Clarke via bind-users]

On 5/6/21 10:50, Tony Finch wrote:
> Dennis Clarke via bind-users  wrote:
>>
>> Hey there. I looked in the README and I dont see an INSTALL file at all
>>  so I have to assume that the testing docs exist somewhere.
> 
> Have a look at
> 
> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/bin/tests/system

Good stuff, thank you. I was searching high and low and I did see :

https://kb.isc.org/docs/aa-00768

However that says nothing at all about running the testsuite after a
nice clean build. Which is non-trivial now that Makefiles are slightly
borked but that is another issue.

Perhaps the docs at https://kb.isc.org/docs/aa-00768 can be updated to
at least point to the gutlab link above?

> 
> There are some more notes in:
> 
> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/dev
> 

I will glance there but for now I think the testsuite should be able to
at least run.

Dennis

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

where are the testing docs ?

[Dennis Clarke via bind-users]

Hey there. I looked in the README and I dont see an INSTALL file at all
 so I have to assume that the testing docs exist somewhere.

I build 9.11.31 after wrangling the Makefile(s) everywhere and now I
have built a separate machine to run the tests.  I needed that because
there are a bucket of interfaces needed and I can not do that on any
large production hardware easily. So anyways ... where are the testing
docs ?


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Slightly baffled about Undefined symbols that are in OpenSSL

[Dennis Clarke via bind-users]

On 5/5/21 08:35, Mark Andrews wrote:
> Use a non EoL version of OpenSSL. 
> 
alpha $ openssl version
OpenSSL 1.1.1k  25 Mar 2021

Not a problem. I have all that sorted out and I did go climb all over
the Makefile in bin/tools and see that it is borked. So I did some
un-bork and now the compile completes.

I will dig a bit and see where things went wrong after 9.11.26.


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Slightly baffled about Undefined symbols that are in OpenSSL

[Dennis Clarke via bind-users]

include/sys/types.h
/usr/include/sys/machtypes.h
/usr/include/sys/select.h
/usr/include/sys/time_impl.h
/usr/include/sys/time.h
/usr/include/sys/types.h
/usr/include/time.h

/usr/include/iso/time_iso.h
/usr/include/sys/select.h
/usr/include/stddef.h
/usr/include/iso/stddef_iso.h

/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.003/lib/isc/include/isc/list.h

/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.003/lib/isc/include/isc/assertions.h

/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.003/lib/isc/include/isc/lang.h

/opt/bw/build/bind-9.11.31_sunos5.10_sparcv9.003/lib/isc/include/isc/likely.h
cat /var/tmp/dclarke/acomp.1620217682.10303.01.ir
>/var/tmp/dclarke/acomp.1620217682.10303.02.ir
/opt/developerstudio12.6/lib/compilers/bin/previse -Qy -erroff=%none
-errwarn=%none -errtags -O3 -xarch=sparc -m64 -xchip=generic
-xcache=generic -xdebuginfo=line,param,variable,tagtype,codetag,decl
-depend -xbuiltin=%none -xprefetch=auto,explicit -xprefetch_level=1
-xprefetch_auto_type=no%indirect_array_access -o
/var/tmp/dclarke/iropt.1620217682.10303.03.ir
"-Astatic_err_check:previse_iropt=on:umr=on:aob=on:free=on:nulld=on:nullc=on:msg_ctl_level=0:analytics=off:stderr_output=on"
/var/tmp/dclarke/acomp.1620217682.10303.02.ir
/opt/developerstudio12.6/lib/compilers/bin/cg -Qy -fsimple=0
-xarch=sparc -m64 -xchip=generic -xcache=generic -comdat -ftrap=%none
-xpatchpadding=fix -xdebuginfo=line,param,variable,tagtype,codetag,decl
-xkeep_unref=funcs,vars -s -xbuiltin=%none -xcode=pic32 -xannotate=yes
-xmemalign=8s -xprefetch=auto,explicit
-xprefetch_auto_type=no%indirect_array_access -xcheck=stkovf
-xcheck=noreturn -xthreadvar=dynamic -xregs=no%appl -unroll=1
-xvector=no -mt -oo isc-hmac-fixup-symtbl.o -ir
/var/tmp/dclarke/acomp.1620217682.10303.01.ir
/usr/ccs/bin/mcs -c isc-hmac-fixup-symtbl.o
alpha $

OKee and that looks like it worked.

I did go back and rebuild 9.11.26 with no issue. However this same
strange bizarre pile of undefined symbols appears when I try to build
9.11.27 and 9.11.28 and of course 9.11.31.

Any hints at all would be great.



-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

[Dennis Clarke via bind-users]

> And for what it's worth, not all systems moved away from "named" to
> "bind9".  I've been running FreeBSD for decades, and I can't remember
> ever calling the service "bind9".

No one ever calls named anything other than named. In a sane world.


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?

[Dennis Clarke via bind-users]

> So as an experienced person who has been doing this you-nuxs thing since
> 1982 - I DON'T see it different - and in fact, I see it as a RETURN to
> what it originally was!

Exactly !  Hear hear ! Well said.

-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

[Dennis Clarke via bind-users]

On 4/15/20 8:15 AM, Ondřej Surý wrote:

Klaus,

the default and preferred init system on both Debian and Ubuntu is systemd,
and the unit has proper Alias, so it is recognized also under "bind9" name.

The sysv-rc script doesn’t have the capability of aliases, so unfortunately, 
there’s
a downfall from the renaming, but it would not make sense to have a different 
name
for different init systems. If you are using sysvinit, the choice and the 
suffering that
comes from that choice is all yours.

The renaming was done as it was a logical choice, the service is starting a 
daemon,
and not a package, and daemon name is `named`. Also it is the name used by RPM
based systems and Arch Linux and Gentoo, so it was also made to make BIND 9 
packages
in Debian/Ubuntu more unified with rest of the Linux world.



An even more beautiful name would have been "iscbind" :

beta$ svcs -l iscbind
fmri svc:/network/dns/iscbind:default
name ISC BIND 9.11.16 SPARC V9 genunix
enabled  true
stateonline
next_state   none
state_time   Thu Feb 20 04:35:15 2020
logfile  /var/svc/log/network-dns-iscbind:default.log
restartersvc:/system/svc/restarter:default
contract_id  196663
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   require_any/error svc:/network/loopback (online)
dependency   optional_all/error svc:/milestone/network (online)
beta$

Sadly the newer releases will never be *easily* ported back to old
Solaris but we all need to move forwards.

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: 9.15.8: task.h includes uninstalled netmgr.h

[Dennis Clarke via bind-users]

On 2020-02-19 16:01, Andreas Hasenack wrote:

Hi,

I didn't find a bind-devel mailing list, so I'm sending this here.

After a plain ./configure && make install, I see in the installed
task.h header file that it includes netmgr.h, but netmgr.h is not
installed. It's not listed in HEADERS in
lib/isc/include/isc/Makefile.in. Is this expected?


Please see

https://kb.isc.org/docs/aa-01540

Not sure what version you are looking at but I have seen bind work on
just about everything everywhere for at least twenty years. Actually
more than that.  The recent bumb in the road over someone doing Python
scripts in the code base it funny but easily worked around. Otherwise
ISC Bind "just works"(tm) and so I am curious what version you have
there ?

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--without-python does not work for 9.11.13

[Dennis Clarke]

If one tries to build 9.11.13 with ( or without ) --without-python then
the build fails in multiple ways :

.
.
.
gmake[2]: Leaving directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/confgen'
making all in 
/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python
gmake[2]: Entering directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python'
making all in 
/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc
gmake[3]: Entering directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc'
making all in 
/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc/tests
gmake[4]: Entering directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc/tests'
gmake[4]: Leaving directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc/tests'

/usr/local/bin/python3.7 policy.py parse /dev/null > /dev/null
Fatal Python error: initfsencoding: unable to load the file system codec
ModuleNotFoundError: No module named 'encodings'

Current thread 0x0001 (most recent call first):
/usr/local/bin/bash: line 1: 15637 Abort   (core dumped) 
/usr/local/bin/python3.7 policy.py parse /dev/null > /dev/null

gmake[3]: *** [Makefile:441: parsetab.py] Error 134
gmake[3]: Leaving directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python/isc'

gmake[2]: *** [Makefile:132: subdirs] Error 1
gmake[2]: Leaving directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin/python'

gmake[1]: *** [Makefile:79: subdirs] Error 1
gmake[1]: Leaving directory 
'/usr/local/build/bind-9.11.13_Oracle_sparc64vii+.001/bin'

gmake: *** [Makefile:88: subdirs] Error 1


The above happens regardless which direction you choose.

Yes Python is available.  Yes it is in the path.

beta$ $PYTHON --version
Python 3.7.4
beta$ echo $PYTHON
/usr/local/bin/python3.7
beta$

Regardless which direction a person jumps this python trash gets created
 during configure :

config.status: creating bin/python/Makefile
config.status: creating bin/python/isc/Makefile
config.status: creating bin/python/isc/utils.py
config.status: creating bin/python/isc/tests/Makefile
config.status: creating bin/python/dnssec-checkds.py
config.status: creating bin/python/dnssec-coverage.py
config.status: creating bin/python/dnssec-keymgr.py
config.status: creating bin/python/isc/__init__.py
config.status: creating bin/python/isc/checkds.py
config.status: creating bin/python/isc/coverage.py
config.status: creating bin/python/isc/dnskey.py
config.status: creating bin/python/isc/eventlist.py
config.status: creating bin/python/isc/keydict.py
config.status: creating bin/python/isc/keyevent.py
config.status: creating bin/python/isc/keymgr.py
config.status: creating bin/python/isc/keyseries.py
config.status: creating bin/python/isc/keyzone.py
config.status: creating bin/python/isc/policy.py
config.status: creating bin/python/isc/rndc.py
config.status: creating bin/python/isc/tests/dnskey_test.py
config.status: creating bin/python/isc/tests/policy_test.py

Whomever came up with the idea to embed python inside ISC Bind is
someones cousin that can't find a job elsewhere? Who let this happen?
To pure beautiful cross platform clean C code someone allowed python
in the door?

Has anyone tested this "--without-python" option ?




--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: what is this python stuff in 9.11.7 ??

[Dennis Clarke]

On 5/30/19 6:05 PM, Anand Buddhdev wrote:

On 30/05/2019 23:45, Dennis Clarke wrote:

Hi Dennis,

Some of the utilities in newer version of BIND, such as dnssec-keymgr,
are written in python. This utility is very useful if you're going to
sign zones using BIND.

If you don't want or need this and a couple of other utilities for
DNSSEC key management, you can rebuild BIND by passing the
--without-python flag to configure.



Someone somewhere figured it made sense to drag in a dependency the size
of python?

It must be a "soft" dependency as named itself seems to need :

beta$ ldd /usr/local/sbin/named | grep 'local'
libcrypto.so.1.1 =>  /usr/local/lib/libcrypto.so.1.1
libxml2.so.2 =>  /usr/local/lib/libxml2.so.2
libz.so.1 => /usr/local/lib/libz.so.1
libiconv.so.2 => /usr/local/lib/libiconv.so.2
liblzma.so.5 =>  /usr/local/lib/sparcv9/liblzma.so.5
beta$

Plus the usual system bits :

libgss.so.1 =>   /usr/lib/64/libgss.so.1
libkrb5.so.1 =>  /usr/lib/64/libkrb5.so.1
libnsl.so.1 =>   /lib/64/libnsl.so.1
libsocket.so.1 =>/lib/64/libsocket.so.1
libscf.so.1 =>   /lib/64/libscf.so.1
librt.so.1 =>/lib/64/librt.so.1
libpthread.so.1 =>   /lib/64/libpthread.so.1
libm.so.2 => /lib/64/libm.so.2
libc.so.1 => /lib/64/libc.so.1
libcmd.so.1 =>   /lib/64/libcmd.so.1
libdl.so.1 =>/lib/64/libdl.so.1
libmp.so.2 =>/lib/64/libmp.so.2
libmd.so.1 =>/lib/64/libmd.so.1
libdoor.so.1 =>  /lib/64/libdoor.so.1
libuutil.so.1 => /lib/64/libuutil.so.1
libgen.so.1 =>   /lib/64/libgen.so.1
libaio.so.1 =>   /lib/64/libaio.so.1
mech_krb5.so.1 =>/usr/lib/64/gss/mech_krb5.so.1
libresolv.so.2 =>/lib/64/libresolv.so.2
libpkcs11.so.1 =>/usr/lib/64/libpkcs11.so.1
libcryptoutil.so.1 =>/usr/lib/64/libcryptoutil.so.1

But a massive brontosaurus lumbering in the size of Python?

Did anyone discuss this in the open or was it a management decision to
be followed next by mono and C# and perhaps libbloatware.so.1 ??

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

what is this python stuff in 9.11.7 ??

[Dennis Clarke]

I didn't think 9.11.7 had any need for python however after a fresh 
build I see this :


./lib/python3.7
./lib/python3.7/site-packages
./lib/python3.7/site-packages/isc-2.0-py3.7.egg-info
./lib/python3.7/site-packages/isc
./lib/python3.7/site-packages/isc/parsetab.py
./lib/python3.7/site-packages/isc/__pycache__
./lib/python3.7/site-packages/isc/__pycache__/checkds.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/utils.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/parsetab.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/keyevent.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/rndc.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/policy.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/dnskey.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/eventlist.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/keydict.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/coverage.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/keyzone.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/keyseries.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/__init__.cpython-37.pyc
./lib/python3.7/site-packages/isc/__pycache__/keymgr.cpython-37.pyc

Is any of this stuff needed? Is this somehow operational stuff for a
production named daemon ?   Is this documented anywhere?


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: A little baffled by bind 9.14.2 wanting some special python?

[Dennis Clarke]

On 5/29/19 2:22 AM, Michał Kępień wrote:

For reasons unknown the configure process blows up even if I specify
the option --disable-python and in the config.log I see :


The option is actually called --without-python; the fix for that mistake
is already committed:

 https://gitlab.isc.org/isc-projects/bind9/merge_requests/1964

Apologies about the confusion.



Thanks but won't matter much anyways. Time to shutdown all the Solaris
systems and move to FreeBSD or similar.  Sadly there is nothing that can
run on these Fujitsu sparc boxes I have.  Nothing that I know of.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

bug in ifiter_getifaddrs.c cannot find include file: ??

[Dennis Clarke]

Not sure where the need for ifaddrs.h came from but it doesn't exist in
 ye old Solaris 10 sparc boxen :

/opt/developerstudio12.6/bin/cc 
-I/usr/local/build/bind-9.14.2_SunOS5.10_sparc64vii+.002 -I../../.. 
-I./include -I./../pthreads/include -I../include -I./../include -I./.. 
-I/usr/local/include  -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 
-std=iso9899:2011 -m64 -xarch=sparc -g -errfmt=error -errshort=full 
-xstrconst -xildoff -xmemalign=8s -xnolibmil -xcode=pic32 -xregs=no%appl 
-xlibmieee -mc -ftrap=%none -xbuiltin=%none -xunroll=1 -xs 
-xdebugformat=dwarf -errtags=yes -errwarn=%none -erroff=%none 
-D_POSIX_PTHREAD_SEMANTICS -mt -I/usr/local/include/libxml2 
-I/usr/local/include -I/usr/local/include -KPIC-c interfaceiter.c

"ifiter_getifaddrs.c", line 21: cannot find include file: 
"ifiter_getifaddrs.c", line 81: warning: implicit function declaration: 
getifaddrs (E_NO_IMPLICIT_DECL_ALLOWED)
"ifiter_getifaddrs.c", line 107: warning: implicit function declaration: 
freeifaddrs (E_NO_IMPLICIT_DECL_ALLOWED)
"ifiter_getifaddrs.c", line 135: error: undefined struct/union member: 
ifa_name

"ifiter_getifaddrs.c", line 137: error: improper member use: ifa_addr
"ifiter_getifaddrs.c", line 137: error: operands have incompatible types:
 struct sockaddr {unsigned short sa_family, array[14] of char 
sa_data} "==" long

"ifiter_getifaddrs.c", line 140: error: improper member use: ifa_addr
"ifiter_getifaddrs.c", line 140: error: left operand of "->" must be 
pointer to struct/union

"ifiter_getifaddrs.c", line 151: error: improper member use: ifa_name
"ifiter_getifaddrs.c", line 151: warning: improper pointer/integer 
combination: arg #1 (E_BAD_PTR_INT_COMB_ARG)

"ifiter_getifaddrs.c", line 156: error: improper member use: ifa_name
"ifiter_getifaddrs.c", line 156: warning: improper pointer/integer 
combination: arg #2 (E_BAD_PTR_INT_COMB_ARG)
"ifiter_getifaddrs.c", line 160: error: undefined struct/union member: 
ifa_flags
"ifiter_getifaddrs.c", line 163: error: undefined struct/union member: 
ifa_flags
"ifiter_getifaddrs.c", line 166: error: undefined struct/union member: 
ifa_flags

"ifiter_getifaddrs.c", line 171: error: improper member use: ifa_addr
"ifiter_getifaddrs.c", line 171: error: improper member use: ifa_name
"ifiter_getifaddrs.c", line 171: error: argument #3 is incompatible with 
prototype:
prototype: pointer to struct sockaddr {unsigned short 
sa_family, array[14] of char sa_data} : "interfaceiter.c", line 59
argument : struct sockaddr {unsigned short sa_family, array[14] 
of char sa_data}
"ifiter_getifaddrs.c", line 171: warning: improper pointer/integer 
combination: arg #4 (E_BAD_PTR_INT_COMB_ARG)
"ifiter_getifaddrs.c", line 173: error: undefined struct/union member: 
ifa_netmask

"ifiter_getifaddrs.c", line 174: error: improper member use: ifa_netmask
"ifiter_getifaddrs.c", line 175: error: improper member use: ifa_name
"ifiter_getifaddrs.c", line 174: warning: improper pointer/integer 
combination: arg #3 (E_BAD_PTR_INT_COMB_ARG)
"ifiter_getifaddrs.c", line 175: warning: improper pointer/integer 
combination: arg #4 (E_BAD_PTR_INT_COMB_ARG)

"ifiter_getifaddrs.c", line 177: error: improper member use: ifa_ifu
"ifiter_getifaddrs.c", line 177: error: operands have incompatible types:
 struct sockaddr {unsigned short sa_family, array[14] of char 
sa_data} "!=" long

"ifiter_getifaddrs.c", line 179: error: improper member use: ifa_ifu
"ifiter_getifaddrs.c", line 180: error: improper member use: ifa_name
"ifiter_getifaddrs.c", line 179: error: argument #3 is incompatible with 
prototype:
prototype: pointer to struct sockaddr {unsigned short 
sa_family, array[14] of char sa_data} : "interfaceiter.c", line 59
argument : struct sockaddr {unsigned short sa_family, array[14] 
of char sa_data}
"ifiter_getifaddrs.c", line 180: warning: improper pointer/integer 
combination: arg #4 (E_BAD_PTR_INT_COMB_ARG)

"ifiter_getifaddrs.c", line 196: error: improper member use: ifa_next
"ifiter_getifaddrs.c", line 196: warning: assignment type mismatch:
pointer to struct ifaddrs {} "=" pointer to struct ifaddr 
{struct sockaddr {..} ifa_addr, union  {..} ifa_ifu, pointer to struct 
ifnet {..} ifa_ifp, pointer to struct ifaddr {..} ifa_next} 
(E_ASSIGNMENT_TYPE_MISMATCH)

cc: acomp failed for interfaceiter.c
gmake[3]: *** [Makefile:174: interfaceiter.o] Error 2
gmake[3]: Leaving directory 
'/usr/local/build/bind-9.14.2_SunOS5.10_sparc64vii+.002/lib/isc/unix'

gmake[2]: *** [Makefile:203: subdirs] Error 1
gmake[2]: Leaving directory 
'/usr/local/build/bind-9.14.2_SunOS5.10_spar

A little baffled by bind 9.14.2 wanting some special python?

[Dennis Clarke]

For reasons unknown the configure process blows up even if I specify
the option --disable-python and in the config.log I see :

configure:8855: checking for perl5
configure:8885: result: /usr/local/bin/perl
configure:8952: checking for python
configure:8982: result: /opt/python/bin/python3.7
configure:9001: checking if /opt/python/bin/python3.7 is python2 version 
>= 2.7 or python3 version >= 3.2

configure:9004: result: yes
configure:9013: checking Python module 'argparse'
configure:9016: result: yes
configure:9025: checking Python module 'ply'
configure:9031: result: no
configure:8952: checking for python3
configure:8970: found /opt/python/bin/python3
configure:8982: result: /opt/python/bin/python3
configure:9001: checking if /opt/python/bin/python3 is python2 version 
>= 2.7 or python3 version >= 3.2

configure:9004: result: yes
configure:9013: checking Python module 'argparse'
configure:9016: result: yes
configure:9025: checking Python module 'ply'
configure:9031: result: no
configure:8952: checking for python3.7
configure:8970: found /opt/python/bin/python3.7
configure:8982: result: /opt/python/bin/python3.7
configure:9001: checking if /opt/python/bin/python3.7 is python2 version 
>= 2.7 or python3 version >= 3.2

configure:9004: result: yes
configure:9013: checking Python module 'argparse'
configure:9016: result: yes
configure:9025: checking Python module 'ply'
configure:9031: result: no
configure:8952: checking for python3.6
configure:8985: result: no
configure:8952: checking for python3.5
configure:8985: result: no
configure:8952: checking for python3.4
configure:8985: result: no
configure:8952: checking for python3.3
configure:8985: result: no
configure:8952: checking for python3.2
configure:8985: result: no
configure:8952: checking for python2
configure:8985: result: no
configure:8952: checking for python2.7
configure:8970: found /bin/python2.7
configure:8982: result: /bin/python2.7
configure:9001: checking if /bin/python2.7 is python2 version >= 2.7 or 
python3 version >= 3.2

configure:9007: result: no
configure:9043: checking for Python support
configure:9045: result: no
configure:9047: error: Python >= 2.7 or >= 3.2 and the PLY package are 
required for dnssec-keymgr and other Python-based tools. PLY may be 
available from your OS package manager as python-ply or python3-ply; it 
can also be installed via pip. To build without Python/PLY, use 
--disable-python.


Which is bizarre. Did someone at isc decide Python was now needed to
 build ISC Bind ??  Something more special than Python 3.7.3 ?

beta$
beta$ echo $PYTHON
/opt/python/bin/python3.7

beta$ $PYTHON --version
Python 3.7.3

beta$ $PYTHON
Python 3.7.3 (default, May 29 2019, 03:46:38) [C] on sunos5
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys;
>>> print(sys.path);
['', '/opt/python/lib/python37.zip', '/opt/python/lib/python3.7', 
'/opt/python/lib/python3.7/lib-dynload', 
'/opt/python/lib/python3.7/site-packages']

>>>
beta$

So configure is only looking at the old /bin/python2.7 stuff ?

Anyway around this?


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: isc-bind-esv Repository - "yum update" doing undesirable things!

[Dennis Clarke]

On 5/8/19 11:06 PM, Greg Rivers wrote:

On Wednesday, May 8, 2019 1:49:38 PM CDT Matthew Richardson wrote:

I have been using the isc-bind-esv repository on Centos 7 since it was
created.  On each upgrade, a "yum update" has done the correct thing by
upgrading from the running version to the latest version.

Today (happily on a cloned test server!) I repeated this with the upgrade
being from 9.11.6 to 9.11.6.P1-1.2.el7.

It seems that the package names have changed and that Bind is now installed
in a new directory structure below /opt/isc.  In my case, a previously
working authoratitive configuration is now comprehensively broken.

Before troubleshooting, I was wondering whether I had missed any release
notes or similar which might explain what is going on.


Probably ISC's new packages have installed a "Software Collection" to avoid
conflicts with "native" packages. Read the scl(1) manual page for more
information. To get a shell with the proper context to manage named, you'll
need to run something like `scl enable isc-bind bash`. Or to run ad hoc
commands, `scl enable isc-bind -- named -V`, etc.. And as you noticed, named's
configuration and data are now under /opt/isc/isc-bind/.



If the old XPG4 and POSIX rules are to be at least paid some attention
then the config data should be under /etc/opt/isc/named and the software
binaries and libs stay in /opt/isc/named with logs going to the correct
/var/opt/isc/named. But those are old rules for ensuring separation from
the vendor OS.  With systemctl and other new paradigms then all manner
of oddball stuff may happen.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.11.6-P1 build fails on Solaris

[Dennis Clarke]

On 5/3/19 1:52 AM, Carl Byington via bind-users wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2019-04-26 at 10:41 +1000, Nick Edwards wrote:

lots of things failing in recent times, even with CentOS, mostly
because of openssl min version changes, and most recently even latest
releases wont build now because of a change in min python versions
*sigh*, i'm just going to leave it as is, thats all we can do.


On centos, you might try

https://www.five-ten-sg.com/mapper/bind



I have had no problems building solid ISC bind named services on Solaris
10 ( and earlier ) for a very long long time now. If there are problems
they are most likely your build environment and nothing to do with the
ISC release code.

Having said that I still have production and up to date iscbind under
smf running fine and I have no love for Solaris anymore.  It runs fine
but is very crusty and has no future really.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: odd failures from 9.12.3

[Dennis Clarke]

On 10/18/2018 11:38 PM, Evan Hunt wrote:

On Thu, Oct 18, 2018 at 07:21:49PM -0400, Dennis Clarke wrote:


oh .. also .. I'll look into these and see if I can clean them up :

"zone.c", line 4275: warning: syntax error:  empty declaration

"client.c", line 2983: warning: argument #2 is incompatible with prototype:

"zoneconf.c", line 242: warning: argument #2 is incompatible with prototype:


Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: odd failures from 9.12.2-P2

[Dennis Clarke]

On 10/18/2018 11:38 PM, Evan Hunt wrote:

On Thu, Oct 18, 2018 at 07:21:49PM -0400, Dennis Clarke wrote:

I:System test result summary:
I:   7 FAIL
I:  69 PASS
I:   4 SKIPPED
I:  12 UNTESTED
I:The following system tests failed:
I:  autosign
I:  catz
I:  dnssec
I:  filter-
I:  legacy
I:  mkeys
I:  staticstub

This is on Solaris 10 sparc and using the Oracle Studio 12.6 tools as
   well as OpenSSL 1.1.1 which passes all tests.

Is there a way to dig out more information from these failures?


Yes, the full output from all of the system tests will be in
bin/tests/system/systests.output, and you can look for messages that
say "I:autosign:failed" (or whatever) to find out which bits didn't
work.

Each of the failing system tests should also have its directory full of
files that were created during the test -- they would have been deleted
if it had passed but should still be there now -- which can also be
used to work out what went wrong.

If you want to just tar up bin/tests/system and send it to me, I'd be
happy to take a look.



Thank you very much and I appreciate the offer.  Really I do.
I'll go digging ... however I jumped onto 9.12.3 while the bits were 
still hot from the oven .. so ... only two tests failed :



I:System test result summary:
I:   2 FAIL
I:  74 PASS
I:   4 SKIPPED
I:  12 UNTESTED
I:The following system tests failed:
I:  dnssec
I:  nsupdate

I will go have a look and not tie up your time. Yet :-\

Dennis Clarke
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

okay ... odd failures in 9.12.3

[Dennis Clarke]

I see these results :

I:System test result summary:
I:   2 FAIL
I:  74 PASS
I:   4 SKIPPED
I:  12 UNTESTED
I:The following system tests failed:
I:  dnssec
I:  nsupdate


This is on Solaris 10 sparc and using the Oracle Studio 12.6 tools as
well as OpenSSL 1.1.1 which passes all tests.

Is there a way to dig out more information from these failures?

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

odd failures from 9.12.2-P2

[Dennis Clarke]

I see these results :

I:System test result summary:
I:   7 FAIL
I:  69 PASS
I:   4 SKIPPED
I:  12 UNTESTED
I:The following system tests failed:
I:  autosign
I:  catz
I:  dnssec
I:  filter-
I:  legacy
I:  mkeys
I:  staticstub

This is on Solaris 10 sparc and using the Oracle Studio 12.6 tools as
 well as OpenSSL 1.1.1 which passes all tests.

Is there a way to dig out more information from these failures?

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.12.2-P2 fails to compile with baffling undefined symbol issues

[Dennis Clarke]

On 10/18/2018 04:04 AM, Michał Kępień wrote:
...

-L/usr/local/lib -latomic
Undefined   first referenced
  symbol in file
_TG_atomic_fetch_add../dns/libdns.a(tsig.o)
_TG_atomic_fetch_sub../dns/libdns.a(tsig.o)
_TG_atomic_load ../dns/libdns.a(tsig.o)
_TG_atomic_compare_exchange_strong  ../isc/libisc.a(rwlock.o)
_TG_atomic_store../isc/libisc.a(stats.o)
ld: fatal: symbol referencing errors. No output written to resolve

...



This looks like an Oracle Developer Studio glitch related to C11 atomic
operations.  To fix it, try fiddling around with the -xatomic compiler
option [1] and/or the -std compiler option and/or the CC environment
variable.  To work around the problem, build BIND with --disable-atomic.
Note that atomic operations support is mandatory as of BIND 9.13.3.



After talking with experts in the field I have learned that :

in Studio 12.6, stdatomic.h lives in
lib/compilers/include/cc/stdatomic.h and uses
those _TG_atomic_* intrinsics

Thus if one compiles a trivial test with -std=c11 we see :

#include 

int
main (void)
{
  _Atomic int i;
  atomic_store (, 0);
  return 0;
}


No issues at all with -xatomic=studio -std=c11 however this is 
impossible with c99.


So what is the minimum spec for ISC Bind? If the ISO/IEC 9899:2011
standard is minimum then perhaps there could be a notation somewhere
on the isc site for that.

Dennis Clarke
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.12.2-P2 fails to compile with baffling undefined symbol issues

[Dennis Clarke]

On 10/18/2018 04:04 AM, Michał Kępień wrote:

This looks like an Oracle Developer Studio glitch related to C11 atomic
operations.  To fix it, try fiddling around with the -xatomic compiler
option [1] and/or the -std compiler option and/or the CC environment
variable.  To work around the problem, build BIND with --disable-atomic.
Note that atomic operations support is mandatory as of BIND 9.13.3.

[1]https://docs.oracle.com/cd/E60778_01/html/E60745/gqico.html

-- Best regards, Michał Kępień


Thank you for the hint. I had not ever seen this before with a build of
anything from isc however I had also recently switched build machines. I
had an older system which used a well patched Oracle Studio 12.4 release
as that thing supported old sparc units. When all the old sparc units
went away then so did the Oracle Studio 12.4 and here we are with 12.6
which seems to do ... odd things.

Could switch over whole hog to gcc of course.

I'll look into this "atomics" thingy.  Thank you.

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

bind-9.12.2-P2 fails to compile with baffling undefined symbol issues

[Dennis Clarke]

This has me baffled :


/opt/developerstudio12.6/bin/c99 -mt -errfmt=error -erroff=%none 
-errshort=full -xstrconst -xildoff -m64 -xmemalign=8s -xnolibmil -Xc 
-xcode=pic32 -xregs=no%appl -xlibmieee -mc -ftrap=%none -xbuiltin=%none 
-xdebugformat=dwarf -xunroll=1 -xarch=sparc -I/usr/include/libxml2 -I 
/usr/local/include -KPIC  -o resolve \
resolve.o ../irs/libirs.a ../dns/libdns.a  -lgss -lkrb5 
../isccfg/libisccfg.a ../isc/libisc.a  -L/usr/local/lib -R/usr/local/lib 
-R/usr/local/lib -lcrypto -ldl -lnsl -lsocket -lscf -lrt -lpthread 
-L/usr/lib -R/usr/lib -lxml2 -lz -lpthread -lm -lsocket -lnsl 
-L/usr/local/lib -latomic

Undefined   first referenced
 symbol in file
_TG_atomic_fetch_add../dns/libdns.a(tsig.o)
_TG_atomic_fetch_sub../dns/libdns.a(tsig.o)
_TG_atomic_load ../dns/libdns.a(tsig.o)
_TG_atomic_compare_exchange_strong  ../isc/libisc.a(rwlock.o)
_TG_atomic_store../isc/libisc.a(stats.o)
ld: fatal: symbol referencing errors. No output written to resolve
gmake[2]: *** [Makefile:464: resolve] Error 2
gmake[2]: Leaving directory 
'/usr/local/build/bind-9.12.2-P2_SunOS5.10_sparc64vii+.001/lib/samples'

gmake[1]: *** [Makefile:82: subdirs] Error 1
gmake[1]: Leaving directory 
'/usr/local/build/bind-9.12.2-P2_SunOS5.10_sparc64vii+.001/lib'

gmake: *** [Makefile:88: subdirs] Error 1

There is no such thing as TG_atomic anywhere in any sources and there is 
a small reference to it in the config.log :


"conftest.c", line 105: warning: implicit function declaration: 
_TG_atomic_fetch_add
"conftest.c", line 101: warning: implicit function declaration: 
_TG_atomic_fetch_add

_TG_atomic_fetch_addconftest.o


Something obvious here ??

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Question about visibility

[Dennis Clarke]

On 10/11/2018 03:21 PM, Leonardo Rodrigues wrote:

Em 11/10/18 16:13, Barry Margolin escreveu:


If you accidentally, or someone else intentionally, create a link to the
site that uses the IP and put it on a web page that Google can get to,
it will probably find the page.




     robots.txt, on your website root, is your friend. Simply deny web 
crawling on it, and you're (probably) done.




If you believe robots.txt means anything at all.

Dennis

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named tcp dos?

[Dennis Clarke]

On 08/02/2018 04:16 PM, Randy Bush wrote:

it is in a contest with ipv6 for non-deployment


I read this mail list ALL the time and finally something appears that
quite literally made me call over a few guys to point at my screen.
Well done. Let's make up a tee-shirt with that on it :


DNSSEC?  IPv6?

Which will deploy last?


Something similar .. maybe a cartoon is needed.

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Should we bundle the MaxMind GeoIP db?

[Dennis Clarke]

I think that would be more useful (and less likely to complicate the 
lives of packagers) than bundling the database.


And less work for you :-)



right on.

Also, my fear is that "what else?" will happen and then we have codebase
tossed in for a https/tls_1.3 admin front end being bolted in.

This "kitchen sink" approach happens about once a decade in every 
project and then we all just move on :-)


https://bugzilla.mozilla.org/show_bug.cgi?id=122411

Dennis

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Should we bundle the MaxMind GeoIP db?

[Dennis Clarke]

On 05/30/2018 06:30 PM, Victoria Risk wrote:



On May 30, 2018, at 3:15 PM, Rick Dicaire <mailto:kri...@gmail.com>> wrote:


Hi, would this conflict with any similar pkg installed by an OS's pkg 
management system?


The package manager could choose whether or not to include the database



I think the philosophy[1] of ISC BIND and DHCP has been to "do one
thing and do it well" whereas recent software minds are creeping towards
"do one thing and add on everything else".  Let's look at the editor
called "vim" or "emacs" which are both monstrous in size for what they
do. Or at least what they were intended to do. I think original vi fit
neatly into a few hundred KB.  At last glance emacs was 62MB of source.
I think the entire operating system on an IBM 3090 MVS/ESA mainframe was
a few megabytes and the front 3092 controller booted from an 8 inch
floppy.  Two decades ago.

BIND is a precisely targeted tool. It may have add on things that
can be brought along later by a user or a package manager or production
software manager on some site. However throwing in GeoIP would add on
code control and database update sub-projects and costs and staff. Is
this really necessary for what Berkeley Internet Name Daemon should be
doing?

Dennis Clarke
ye old UNIX silverback
[1] also "Write programs to work together."
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: My domain name name not propagating through the Internet.

[Dennis Clarke]

On 05/26/2018 12:44 PM, Thomas Strike wrote:

I have been fighting a problem of setting up a new Bind9.9 primary...



If I dig for your name server via google I get told not much :


$ dig ns1.sleepyvalley.net @8.8.8.8

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> ns1.sleepyvalley.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3448
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.sleepyvalley.net.  IN  A

;; Query time: 3172 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat May 26 17:53:24 BST 2018
;; MSG SIZE  rcvd: 49


Are you sure the name server is registered ?


$ dig ns1.sleepyvalley.net @my_primary_dns_ip +trace

.
.
.

dig: couldn't get address for 'ns1.sleepyvalley.net': no more


Looks like no such dns server exists.


Dennis

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND source distribution missing?

[Dennis Clarke]

ftp://ftp.isc.org/isc/bind9/

Ah yes, there they are!  Thanks.
I will blame the hour and the lack of caffeine for missing that one. :)



As is often the case I find the solution to something immediately
 *after* I post to a maillist and stare at my coffee cup ... it happens
 .. all the time.

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND source distribution missing?

[Dennis Clarke]

On 04/05/18 08:04 AM, Matthew Pounsett wrote:

Hi ISC!

I'm writing to let you know there seems to be a bug on the ISC web 
site.  Coming from MacOS Chrome, I'm only being offered the binary 
Windows distribution of BIND for download from 
 and from 
.


Also,  needs an update to its 'welcome' file, because 
BIND doesn't seem to be distributed from there anymore.


See ftp://ftp.isc.org/isc/bind9/

Dennis
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: strange problem with query being dropped/ignored by the BIND process

[Dennis Clarke]

On 06/29/2017 12:52 PM, Marc Richter wrote:

Hi again,

I have checked this again today.

Send & receive buffers are both 1MB, the Server has 8 CPUs and during
startup BIND is reporting this:

found 8 CPUs, using 8 worker threads
using 7 UDP listeners per interface
using up to 32768 sockets

We only have about 1.500 queries per second on this server. CPU(30%) and
memory(50%) usage also is not an issue here.


Do you have any adjustments in /etc/system ?

I will assume you don't have ip_forwarding messed with and let's just 
look at your network stack config. You don't need to publish your 
results to the maillist but have a look at :


# ndd -get /dev/ip \? | grep "read"
# ndd -get /dev/tcp \? | grep "read"

Here you have the full range of stack kernel tunables. At the very least
the ones you can read data from.

You probably already did this but create a quick script :

#!/bin/sh
/usr/bin/printf "\n"

/usr/bin/printf "tcp_wscale_always = "
ndd -get /dev/tcp tcp_wscale_always

/usr/bin/printf "tcp_tstamp_if_wscale = "
ndd -get /dev/tcp tcp_tstamp_if_wscale

/usr/bin/printf "tcp_max_buf = "
ndd -get /dev/tcp tcp_max_buf

/usr/bin/printf "tcp_cwnd_max = "
ndd -get /dev/tcp tcp_cwnd_max

/usr/bin/printf "tcp_xmit_hiwat = "
ndd -get /dev/tcp tcp_xmit_hiwat

/usr/bin/printf "tcp_recv_hiwat = "
ndd -get /dev/tcp tcp_recv_hiwat


Run that.


What I see here on three diff Sol10 servers for various purposes is :

M5 # /tmp/foo.sh

tcp_wscale_always = 1
tcp_tstamp_if_wscale = 1
tcp_max_buf = 1048576
tcp_cwnd_max = 1048576
tcp_xmit_hiwat = 49152
tcp_recv_hiwat = 49152


st0 # /tmp/foo.sh

tcp_wscale_always = 1
tcp_tstamp_if_wscale = 1
tcp_max_buf = 1048576
tcp_cwnd_max = 1048576
tcp_xmit_hiwat = 49152
tcp_recv_hiwat = 49152


st1 #

tcp_wscale_always = 1
tcp_tstamp_if_wscale = 1
tcp_max_buf = 16777216
tcp_cwnd_max = 8388608
tcp_xmit_hiwat = 65535
tcp_recv_hiwat = 65535


The first two are defaults whereas the last unit needs to sling around
terabytes daily.  I am curious what your system thinks it is doing
with its tcp/ip stack.

Since you are on contract ( me too .. arn't we all these days ) then I
have to assume you have reasonable kernel updates and tcp patches in
this Solaris server ?

Dennis




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

[Dennis Clarke]

On 01/26/2017 06:48 PM, Reindl Harald wrote:

librarie sgot overwritten by the package manager


Impossible.

If the user built or the vendor supplied software follows the rules
of separation along with the RPATH and RUNPATH data inside the ELF
dynamic sections then what you say is impossible.  Clearly impossible.


dc
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

[Dennis Clarke]

On 01/26/2017 06:39 PM, Alan Clegg wrote:

On 1/26/17 1:31 PM, Dennis Clarke wrote:

The POSIX and XPG4 approach [is a great idea]


(My text in brackets)

Said no one, ever.


   Clearly I just said it ... and have before ... as have others for
about twenty years or at least since 1999. Essentially any ELF file that
does not specify a RUNPATH and/or RPATH leaves the dependencies to be
found anywhere the runtime linker chooses. This is how a very bad mix
of user built software can end up messing up their lives. Full and
clear separation is best with full specification to the runtime linker
also.  That wasn't the point however. The point is that the sources do
exist for very valid reasons and that a user can and should be able to
compile as they choose and to install as they choose.  Merely some sort
of logic in the separation is needed and the POSIX/XPG4 manner works in
a very stable way.  Go install a MySQL package from the Oracle download
and see where it goes.

Dennis Clarke


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

[Dennis Clarke]

:  0x40  e_phentsize:  56  e_phnum: 5

Version Needed Section:  .SUNW_version
 index  fileversion
   [2]  libgss.so.1 SUNW_1.2
   [3]  libnsl.so.1 SUNW_1.7
   [4]  libsocket.so.1  SUNW_1.4
   [5]  SUNW_1.1 [ INFO ]
   [6]  SUNW_0.7 [ INFO ]
   [7]  librt.so.1  SUNW_1.2
   [8]  SUNW_0.7 [ INFO ]
   [9]  libpthread.so.1 SUNW_1.2
  [10]  SUNW_0.9 [ INFO ]
  [11]  libthread.so.1  SUNW_1.1
  [12]  libc.so.1   SUNW_1.19
  [13]  SUNW_1.1 [ INFO ]
  [14]  SUNW_0.7 [ INFO ]

Dynamic Section:  .dynamic
 index  tagvalue
   [0]  NEEDED0x10ec2 libgss.so.1
   [1]  NEEDED0x10f5d libkrb5.so.1
   [2]  NEEDED0x10f6a libcrypto.so.1.0.0
   [3]  NEEDED0x10f7d libdl.so.1
   [4]  NEEDED0x10ed7 libnsl.so.1
   [5]  NEEDED0x10eec libsocket.so.1
   [6]  NEEDED0x10f88 libscf.so.1
   [7]  NEEDED0x10f16 librt.so.1
   [8]  NEEDED0x10f21 libpthread.so.1
   [9]  NEEDED0x10f94 libxml2.so.2
  [10]  NEEDED0x10fa1 libz.so.1
  [11]  NEEDED0x10fab libm.so.2
  [12]  NEEDED0x10f3a libthread.so.1
  [13]  NEEDED0x10f49 libc.so.1
  [14]  INIT  0x100380680
  [15]  FINI  0x100380690
  [16]  RUNPATH   0x10fb5 
/usr/local/lib:/usr/local/ssl/lib
  [17]  RPATH 0x10fb5 
/usr/local/lib:/usr/local/ssl/lib

  [18]  HASH  0x10178
  [19]  STRTAB0x100019d38
  [20]  STRSZ 0x111d7
  [21]  SYMTAB0x16880
  [22]  SYMENT0x18
  [23]  CHECKSUM  0x49d3
  [24]  VERNEED   0x10002af10
  [25]  VERNEEDNUM0x7
  [26]  PLTRELSZ  0x1d28
  [27]  PLTREL0x7
  [28]  JMPREL0x10002ca58
  [29]  RELA  0x10002ca10
  [30]  RELASZ0x1d70
  [31]  RELAENT   0x18
  [32]  DEBUG 0
  [33]  FLAGS 0   0
  [34]  FLAGS_1   0   0
  [35]  SUNW_STRPAD   0x200
  [36]  SUNW_LDMACH   0x2bEM_SPARCV9
  [37]  PLTGOT0x1004f5f00
   [38-48]  NULL  0


Therefore it is clear that this binary executable file "dig" which is
in the Linux defacto standard ( no clear spec seems to exist ) path of
the /usr/local area needs dynamic libs which are clearly specified to
the run time linker with RPATH and even RUNPATH inside the ELF dynamic
section.

Therefore a user may feel free to compile their own software from source
in a free and open way and implement the software they build themselves
from source as they please so long as they are careful to separate the
runtime executables and the dynamic library dependencies away from the
supplied distro.

The point of ALL of the above is that users of open software should
always have the freedom to build software on their own computers from
sources as they please and to install the results of their work as they
please.  However a bit of caution should be used in the placement of
the resultant executables and the libraries such that they do not
affect the runtime characteristics of their distro.  However the freedom
is there and the sources exist for very good reasons and if a user makes
the choice to dance in a minefield then by all means let them. However a
caution sign should be posted on the outer edge with some fine print
which says "you have the freedom to do so but here are some guidelines."

Dennis Clarke


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

[Dennis Clarke]

OpenSSL 1.1 is currently not supported because they made

> backwards-incompatible API changes ...

Is this issue documented somewhere ?


Dennis Clarke



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: "Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

[Dennis Clarke]

On 01/12/2017 03:51 PM, project722 wrote:

Is there a way to mitigate these vulnerabilities outside of updating


The source code from ISC is the official patch.


We use RHEL and have to wait on the official patch they provide.


I run Solaris servers from Oracle and I build iscbind named service
from sources from ISC and that is the official patch.


Our Bind version is 9.8.2 for RHEL 6 and 9.9.4 for RHEL 7.


Yes, Red Hat is very slow to release security patches.

Really, you need to make a slight adjustment and realize that the real
patch is from ISC and then you make the decision to wait for someone
else to compile it in for you ( Red Hat or whomever ) or just do it
yourself and then you know it is done and you even know it was done
correctly and as a real bonus you know who did it.

Dennis Clarke
d...@genunix.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dnssec-validation [ ddig_sigchase option ]

[Dennis Clarke]

On 10/12/16 15:07, Evan Hunt wrote:

On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote:

On 10/12/16 13:36, Evan Hunt wrote:

I recommend using "delv" instead.  "dig +sigchase" isn't good code.


? well that is news to me  :-\


It's code that was contributed over ten years ago; we put it into dig
(hidden behind #ifdef's) because at the time there was no better
alternative, but we never formally supported it.  It's buggy and
broken in a number of edge cases and hasn't really kept up with the
evolution of DNSSEC.

Please try "delv" and if you find that it doesn't meet your needs,
let me know so I can try to improve it.

NLNetLabs's "drill" is also useful.


I expect we'll be removing it in a future release.


cool .. so ... any change in our build process here ? A configure change
? Anything ?


No, delv is built and installed in BIND 9.10 and higher.



Thing of beauty.  Now I understand why there wasn't a configure option 
for sigchase and we needed a define. Makes sense.


Moving upwards to 9.11 anyways.

Thanks for the info.

Dennis

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dnssec-validation [ ddig_sigchase option ]

[Dennis Clarke]

On 10/12/16 13:36, Evan Hunt wrote:

On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote:

Was trying to run dig commands to do some dnssec validation and got the following 
message "

"Invalid option: +sigchase"


I recommend using "delv" instead.  "dig +sigchase" isn't good code.


? well that is news to me  :-\


I expect we'll be removing it in a future release.


cool .. so ... any change in our build process here ? A configure change 
? Anything ?



Dennis



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dnssec-validation [ ddig_sigchase option ]

[Dennis Clarke]

On 10/12/16 11:40, Bhangui, Sandeep - BLS CTR wrote:

Hi

Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3.

Was trying to run dig commands to do some dnssec validation and got the following 
message "

"Invalid option: +sigchase"

When checked found that the dig utility has to be compiled with 
"-DDIG_SIGCHASE" option for that apparently looks like I have not done when we 
compiled 9.10.4-P2

I plan to soon compile 9.10.4.-P3 is it simply using " --DDIG_SIGCHASE" when I compile 
which will than allow me to run the dig binary with the "+sigchase" option?

My current compile options are as follows so would I be just adding 
"--DDIG_SIGCHASE" to get the dig binary which will allow me run dig with 
+sigchase option when I run the compile for 9.10.4-P3?



Create an environment var thus :

STD_CDEFINES=-D_TS_ERRNO -D_POSIX_PTHREAD_SEMANTICS 
-D_LARGEFILE64_SOURCE -DDIG_SIGCHASE=1


The run configure and carry on as usual.  Test with :

$ dig @my1.mydnsserver.com facebook.com +sigchase +trace



Dennis





___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: how to log client MAC address?

[Dennis Clarke]

On 08/06/2016 10:01 PM, Frank Pikelner wrote:

MAC addresses are layer 2 and you only see those on your subnet, i.e.
most likely your default gateway, etc.

So the answer is no.


Unless he only cares about internal clients on a local subnet.

dc

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ISC considering a change to the BIND open source license

[Dennis Clarke]

On 06/13/2016 04:52 PM, Victoria Risk wrote:
> Hello BIND users-
>
> ISC published BIND under a very permissive open source license...

Not sure what inspired this change but I suspect that meetings have been 
held with legal teams for quite some time. I won't speculate on what 
reasons this legal license shift is being taken other than to say a 
clear "Thank You" to ISC for amazing work done over many many years. I 
don't think there will be much argument from the millions of users that 
enjoy code releases of BIND that keeps the entire global internet DNS 
infrastructure working.


>
> The MPL license requires that anyone redistributing the code who has
> changed it must publish their changes (or pay for an exception to the
> license). It doesn’t impact anyone who is using the software without
> redistributing it, nor anyone redistributing it without changes – so
> most users will not see any change.

Magnificent.  Also ensures that the implementations of ISC BIND that we 
see out in the wild will conform to expected behavior as documented in 
the code itself. Those that stray from the expected behavior will now be 
documented also.  This is an excellent transition for all involved and 
ensures a higher level of quality control on DNS products.


Dennis Clarke

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

sockmgr 1005a1080: unexpected POLL timeout

[Dennis Clarke]

I have a recent build of BIND 9.9.3-P1 and after bringing up the service on a 
Solaris 10 server I begin to see many log entries like so : 

28-Jun-2013 15:41:17.636 sockmgr 1005a1080: unexpected POLL timeout

I don't know what this is and am mildly concerned.  Is this evidence of a config
problem or a compile problem or ?  Really I have not seen this before and there
are roughly 5000 such entries in my log thus far today.

Dennis


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: sockmgr 1005a1080: unexpected POLL timeout

[Dennis Clarke]

 I have a recent build of BIND 9.9.3-P1 and after bringing up the service
 on a 
 Solaris 10 server I begin to see many log entries like so :
 
 28-Jun-2013 15:41:17.636 sockmgr 1005a1080: unexpected POLL timeout
 
 I don't know what this is and am mildly concerned.  Is this evidence 
 of a
 config
 problem or a compile problem or ?  Really I have not seen this before 
 and
 there
 are roughly 5000 such entries in my log thus far today.
 
 Dennis
 
 just as a data point i setup a couple new 9.9.3-P1 boxes last night that
 get around 30,000 qps combined and with rolling logs the last million
 lines or so don't show any trace of POLL on centos 6.4 with bind
 compiled from latest isc.org src.  the only option i have is enable-ssl.
 
 not much help i know, but it does seem solaris/compile specific.  maybe
 something like this can help:
 
 http://comp.protocols.dns.bind.narkive.com/fijjEh47/workaround-solaris-s-ke
 rnel-bug
 

I was looking at that and thinking that my problems on Solaris 10 should not
be related to a kernel bug from dark history on Solaris 8.  This problem may
be related to this : 

STD_CDEFINES=-D_TS_ERRNO -D_POSIX_PTHREAD_SEMANTICS -D_LARGEFILE64_SOURCE 
-DDIG_SIGCHASE=1 -DISC_SOCKET_USE_POLLWATCH=1

I think, and this is a guess, the issue is in ISC_SOCKET_USE_POLLWATCH.

I will do a rebuild without that defined and see what happens.  Nothing beats 
trial and
error :-\

Dennis 






___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

named in BIND 9.9.3-P1 needs libpkcs11.so ?

[Dennis Clarke]

# /opt/adbs/sbin/named -u named -c /etc/opt/adbs/named/named.conf -4 -d 2 -f -g 
-n 1 
27-Jun-2013 03:43:27.243 starting BIND 9.9.3-P1 -u named -c 
/etc/opt/adbs/named/named.conf -4 -d 2 -f -g -n 1
27-Jun-2013 03:43:27.246 built with '--build=sparc-sun-solaris2.10' 
'--host=sparc-sun-solaris2.10' '--prefix=/opt/adbs' '--enable-threads=yes' 
'--disable-openssl-version-check' '--enable-ipv6' 
'--with-randomdev=/dev/urandom' 

... huge bucket of option here ...
.
.
.
27-Jun-2013 03:43:27.248 
27-Jun-2013 03:43:27.250 BIND 9 is maintained by Internet Systems Consortium,
27-Jun-2013 03:43:27.251 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
27-Jun-2013 03:43:27.253 corporation.  Support and training for BIND 9 are 
27-Jun-2013 03:43:27.255 available at https://www.isc.org/support
27-Jun-2013 03:43:27.257 
27-Jun-2013 03:43:27.259 found 1 CPU, using 1 worker thread
27-Jun-2013 03:43:27.260 using 1 UDP listener per interface
27-Jun-2013 03:43:27.268 using up to 4096 sockets
27-Jun-2013 03:43:27.271 Registering DLZ_dlopen driver
27-Jun-2013 03:43:27.274 Registering SDLZ driver 'dlopen'
27-Jun-2013 03:43:27.276 Registering DLZ driver 'dlopen'
27-Jun-2013 03:43:27.296 decrement_reference: delete from rbt: 1005a9b08 .
27-Jun-2013 03:43:27.341 initializing DST: no engine
27-Jun-2013 03:43:27.343 exiting (due to fatal error)
# 

initializing DST: no engine ? 

That seems somewhat of a mystery to me and so I used truss to see this : 

12636/1: 0.7352 stat(/opt/adbs/ssl/lib/engines/libpkcs11.so, 
0x7FFFE850) Err#2 ENOENT

Well I have no idea how to generate libpkcs11.so in my openssl engines area. 

Is this really needed ? 

This build of OpenSSL 1.0.1e was fully tested and passed all tests so I am 
thinking
that an option to the build of bind is the issue here.   Probably 
--with-pkcs11 .

If I don't have that option am I totally shafted for DNSSEC ? 

am I maing sense here ? 

Dennis 
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named in BIND 9.9.3-P1 needs libpkcs11.so ?

[Dennis Clarke]

 
 You don't need --with-pkcs11 unless you're planning to use a 
 cryptographic accelerator
 or hardware service module, and you'd have had to build a special 
 version of OpenSSL
 for that. Remove it from the configure options and you should be fine.

Did a quick rebuild and yes Sir, runs like a charm. 

Not sure why I bothered with --with-pkcs11 given that I have never used
it before ... regardless, that little experiment gave me a brief moment of 
concern.

Thank you .. my DNS servers are up to date and all is well. 

dc




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Build BIND 9.9.3-P1 on Solaris 10 with 'cc', using OpenSSL built with 'gcc'?

[Dennis Clarke]

 That seems oddthough I haven't tried building 9.9.3-P1 yet.
 
 But, all the previous releases built with gcc.  Our Solaris package 
 build/management system only has gcc.
 
 BIND 9.9.3 was the first BIND that got built 64-bit, which did take a 
 little extra work in getting it find our 64-bit builds of openssl and 
 zlib.
 
 Which was basically to have it look in /usr/local/lib/(amd64|sparcv9) 
 instead of just /usr/local/lib (had found in config.log that it was 
 complain about architecture mismatch.)

I have been building bind 9.x for years on Solaris with cc and no problem.
As for OpenSSL, well the issue seems trivial, most likely there is a downstream
lib dependency on libgcc.so or some gcc c++ libs perhaps. One merely needs
to setup a LD_OPTIONS correctly with care paid to LD_RUN_PATH and you
should be fine.  

Ultimately Oracle Studio 12.3 ( or Sun Studio or Forte or whatever the brand
name du jour is ) doesn't care where you put your libs so long as you say 
where to find them and have a match on the architecture. 

Dennis 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Possible DDoS?

[Dennis Clarke]

 From time to time I notice a large number of queries like these to one 
 of my external dns servers:
 
 14:14:40.01407 121.10.105.66 - 143.231.1.67 DNS C gop.gov. Internet * 
 ?
snip
 
 Does this rise to the level of a DDoS attack?
 No NS record for this IP.
 I blackhole IPs that behave like this.
 Thanks
 

I have the exact same problem with an ip inside State of Colorado General 
Government Computer subnet : 

http://whois.arin.net/rest/org/SCGGC

Some server there has been pounding queries at me at a rate of 48,000+ a day : 

# head -1  named.run
08-Oct-2012 17:40:49.733 now using logging configuration from config file
# 
# grep ^08-Oct-2012 named.run | grep -c 165\.127\.10\.50
12245
# grep ^09-Oct-2012 named.run | grep -c 165\.127\.10\.50
48200
# grep ^10-Oct-2012 named.run | grep -c 165\.127\.10\.50
48198
# grep ^11-Oct-2012 named.run | grep -c 165\.127\.10\.50
47737
# grep ^12-Oct-2012 named.run | grep -c 165\.127\.10\.50
48345
# grep ^13-Oct-2012 named.run | grep -c 165\.127\.10\.50
48810
# grep ^14-Oct-2012 named.run | grep -c 165\.127\.10\.50
48385
# grep ^15-Oct-2012 named.run | grep -c 165\.127\.10\.50
48429
# grep ^16-Oct-2012 named.run | grep -c 165\.127\.10\.50
48768

Thus far today : 

# grep ^17-Oct-2012 named.run | grep -c 165\.127\.10\.50
37279

Queries show up in bunches, while the average is every 1.7 secs I see dozens of 
queries all arrive nearly at the same time, then a ten second pause, then again 
another burst. 

Makes no sense to me what is going on there. 

Dennis 





___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: VMware Bind

[Dennis Clarke]

I think you mean : will bind run within VMware ?

The answer from me is total yes.

I have multiple systems in vSphere and running fine with bind 9.8.x


Dennis

- Original Message -
From: Manson, John john.man...@mail.house.gov
Date: Tuesday, June 5, 2012 1:28 pm
Subject: VMware  Bind
To: 'bind-users@lists.isc.org' bind-users@lists.isc.org


 Will bind run on VMware?
 
 
 John Manson
 CAO/HIR/NI Data-Communications | U.S. House of Representatives | 
 Washington, DC 20515
 Desk: 202-226-4244 | Team: 202-225-5552 | john.man...@mail.house.gov
 
 
 
 
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
 unsubscribe from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind9.9.1 Dependences

[Dennis Clarke]

 How can I find out which Unix files/libraries bind requires before I do the
 compile?
 Thanks


I am not sure of the question but here is my best response:

   assume you need openssl, libiconv, gnu gettext, libxml2

 you may also want libidn and a few others.

Does this help?

Dennis


-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind9.9.1 Dependences

[Dennis Clarke]

 How can I find out which Unix files/libraries bind requires before I do
 the compile?

 configure will complain if you're missing anything critical.

 BIND 9 has relatively few dependencies other than a C compiler and
 POSIX-compliant system libraries.  You need openssl if you want to use
 crypto; libxml2 if you want XML-based statistics; perl if you want to
 run the tests, and some of the tests specifically want Net::DNS.  I
 can't think of anything else, offhand.

 (I'm assuming you mean BIND 9.  BIND 10 has a longer list.)

Here is what I see :

root@testy:~# rndc -s 127.0.0.1 -p 953 -k /usr/local/mm/etc/rndc.key status
version: 9.8.3
CPUs found: 1
worker threads: 1
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

root@testy:~# readelf -d /usr/local/mm/sbin/named

Dynamic section at offset 0x9d380 contains 34 entries:
  TagType Name/Value
 0x0001 (NEEDED) Shared library: [liblwres.so.80]
 0x0001 (NEEDED) Shared library: [libdns.so.81]
 0x0001 (NEEDED) Shared library: [libbind9.so.80]
 0x0001 (NEEDED) Shared library: [libisccfg.so.82]
 0x0001 (NEEDED) Shared library: [libcrypto.so.0.9.8]
 0x0001 (NEEDED) Shared library: [libisccc.so.80]
 0x0001 (NEEDED) Shared library: [libisc.so.83]
 0x0001 (NEEDED) Shared library: [libpthread.so.0]
 0x0001 (NEEDED) Shared library: [libxml2.so.2]
 0x0001 (NEEDED) Shared library: [libdl.so.2]
 0x0001 (NEEDED) Shared library: [libz.so.1]
 0x0001 (NEEDED) Shared library: [libiconv.so.2]
 0x0001 (NEEDED) Shared library: [libm.so.6]
 0x0001 (NEEDED) Shared library: [libc.so.6]
 0x000f (RPATH)  Library rpath: [/usr/local/mm/lib]
 0x000c (INIT)   0x412cd8
 0x000d (FINI)   0x489878
 0x0004 (HASH)   0x400240
 0x0005 (STRTAB) 0x4079c8
 0x0006 (SYMTAB) 0x401a58
 0x000a (STRSZ)  19400 (bytes)
 0x000b (SYMENT) 24 (bytes)
 0x0015 (DEBUG)  0x0
 0x0003 (PLTGOT) 0x69d960
 0x0002 (PLTRELSZ)   21648 (bytes)
 0x0014 (PLTREL) RELA
 0x0017 (JMPREL) 0x40d848
 0x0007 (RELA)   0x40cdf8
 0x0008 (RELASZ) 2640 (bytes)
 0x0009 (RELAENT)24 (bytes)
 0x6ffe (VERNEED)0x40cd88
 0x6fff (VERNEEDNUM) 3
 0x6ff0 (VERSYM) 0x40c590
 0x (NULL)   0x0


Most of those NEEDed items are from the bind package so that is a
non-issue.  libcrypto.so.0.9.8 is from openssl and libxml2.so.2 is
what it is. libz.so.1 and libiconv.so.2 are pretty obvious.

I thinks that is all that one would want or need.

Dennis




-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ISC BIND 9.8.2 followup announcement

[Dennis Clarke]

 fyi, DLZ external has been broken post 9.8.1p1.  fails to compile with
 an undefined reference to main.  both for 9.8.2 and 9.9.0

 Thanks for the heads-up.  Please open a bug ticket at bind9-b...@isc.org,
 and include information about the OS you're building on.  I expect this is
 going to turn out to be a quirk of your OS: it's supposed to be building a
 dynamically loadable shared object, but seems to be trying to build an
 executable binary instead.  We'll need to fix it with a change to
 'configure'.

 (For what it's worth, i.e. very little, it does work on all the platforms
 we routinely test.)

Certainly fine on baseline Solaris 8 on Sparc and i386 and Solaris 10
on Sparc 32-bit and 64-bit bins and x86_64. All with Sun Studio compilers.

So that's a fair test on SUSv3 and/or SVR4 UNIX.

dc

-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.8.2 is now available

[Dennis Clarke]

Hello there ISC folks.
Me again from Blastwave :-)

Small problem with the 9.8.2 tarball :

$ ls $SRC/bind-9*
/export/medusa/src/bind-9.8.1-P1.tar.gz
/export/medusa/src/bind-9.8.2.tar.gz
$ gzip -dc /export/medusa/src/bind-9.8.2.tar.gz | tar -xf -
$ cd bind-9.8.2

$ ls -lo REL*
-rw-r--r--   1 sysadmin   16744 Mar 22 19:20 RELEASE-NOTES-BIND-9.8.1.html
-rw-r--r--   1 sysadmin   62760 Mar 22 19:20 RELEASE-NOTES-BIND-9.8.1.pdf
-rw-r--r--   1 sysadmin   14419 Mar 22 19:20 RELEASE-NOTES-BIND-9.8.1.txt

$ cat version
# $Id$
#
# This file must follow /bin/sh rules.  It is imported directly via # configure.
#
MAJORVER=9
MINORVER=8
PATCHVER=2
RELEASETYPE=
RELEASEVER=

Looks like the release notes for 9.8.1 are in the 9.8.2 tarball.

If I check the MD5 hash I see the pdf is the same as the 9.8.1-P1 release.

Just a FYI there.

Dennis

ps: I hit this when doing the Solaris SVR4 packages and my package
prototype kept complaining that I had 9.8.1 Release notes. Yup.

-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+
---





 Introduction

   BIND 9.8.2 is the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.1 to BIND 9.8.2. Please see
the CHANGES file in the source code release for a complete list of all
changes.

 Download

   The latest versions of BIND 9 software can always be found on our web site
at http://www.isc.org/downloads/all. There you will find additional
information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

 Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free support
is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

 Security Fixes

   + BIND 9 nameservers performing recursive queries could cache an
 invalid record and subsequent queries for that record could
 crash the resolvers with an assertion failure. [RT #26590]
 [CVE-2011-4313]

 Feature Changes

   + RPZ implementation now conforms to version 3 of the specification.
 [RT #27316]

   + It is now possible to explicitly disable DLV in named.conf by
 specifying dnssec-lookaside no;. This is the default, but the ability
to configure it makes it clearly visible to administrators. [RT #24858]

   + --enable-developer, a new composite argument to the configure
 script, enables a set of build options normally disabled but frequently
selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin,
also enable_exportlib) [RT #27103]

 Bug Fixes
   + Named could dereference a NULL pointer in  zmgr_start_xfrin_ifquota
 if the zone was being removed. [RT #28419]

   + A parser bug could cause named to crash while reading a malformed
 zone file. [RT #28467]

   + Fixed a problem preventing proper use of 64 bit time values in
 libbind. [RT # 26542]

   + isccc/cc.c:table_fromwire could fail to free an allocated object on
 error, leading to a possible memory leak condition. [RT #28265]

   + Fixed a build error on systems without ENOTSUP.  [RT #28200]

   + The header file isc/hmacsha.h is now installed when building BIND.
 [RT #28169]

   + Resolves spurious test failures in ans.pl by updating it to work
 correctly with Net::DNS 0.68 [RT  #28028]

   + The managed key maintenance timer could fail to restart after 'rndc
 reconfig' resulting in managed keys not being properly added to
managed-keys.bind [RT #27686]

   + Corrects a potential overflow problem in the computation of
 RRSIG expiration times. [RT #23311]

   + The maximum number of NSEC3 iterations for a DNSKEY RRset was
 not being properly computed.  [RT #26543]

   + Error reporting has been improved for failures encountered
 when sending or receiving network packets.  In particular
 some memory allocation failures were being logged as unexpected error
- these will now be reported accurately.  A new
 ISC_R_UNSET result code has also been added to cover those
 situations where there is no error code returned by the OS
 sockets implementation.  [RT #27336]

   + Corrects an INSIST failure by addressing race conditions in
 the handling of rbtnode.deadlink. [RT #27738]

   + SOA refresh queries could be treated as cancelled despite
 succeeding over the loopback interface. [RT #27782]

   + When replacing an NS RRset, BIND now restricts the TTL of the
 new NS RRset to no more

Re: BIND 9.8.2 is now available

[Dennis Clarke]

 Looks like the release notes for 9.8.1 are in the 9.8.2 tarball.

 Yep, we've stopped including the release notes inside the BIND tarballs,
 but I missed removing them from one branch--oops.  We noticed it over the
 weekend, and a new tarball should be up by tomorrow.  (I'm just waiting
 for the person with the signing key to get me a new set of signatures.)

 Sorry about that, and thanks for the heads up.

No problem .. the release works great so I guess I'll just remove
the release notes and then carry on with the pkg as per.


Dennis


-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Can't compile bind 9.8.1-P1 on Solaris

[Dennis Clarke]

 I get an error compiling Bind at:

 make[4]: Entering directory
 `/usr/local/src/bind-9.8.1-P1/bin/tests/system/dlzexternal'
 ld -G -z text -o driver.so driver.o
 ld: invalid number `-z'

 Giving –G a number makes –z unrecognized.

 I'm in Solaris 10, Sparc, GCC 3.4.6


I'm not seeing any problems yet .. but I use Sun Studio 11 for the builds.
If you are willing to wait a few hours I'll have packages released pretty
quick.

Dennis


-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Can't compile bind 9.8.1-P1 on Solaris

[Dennis Clarke]

 Is anyone else having problems with the compile?


Give me 60 minutes


-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Can't compile bind 9.8.1-P1 on Solaris

[Dennis Clarke]

 I get an error compiling Bind at:

 make[4]: Entering directory
 `/usr/local/src/bind-9.8.1-P1/bin/tests/system/dlzexternal'
 ld -G -z text -o driver.so driver.o
 ld: invalid number `-z'

 Giving ?G a number makes ?z unrecognized.

 I'm in Solaris 10, Sparc, GCC 3.4.6

 Thanks for the report.  We didn't touch that code in the security
 patch, so this bug must have also been in 9.8.1; we'll try to address
 it in 9.8.2.

 That isn't critical code; it's just one of the system tests.
 Just touch bin/tests/system/dlzexternal/driver.o and then
 run make again.  The dlzexternal system test will fail
 when you run make check, but otherwise your server will
 be fine.

 In general, issues like this are best sent to the bind9-b...@isc.com
 alias, which opens a ticket in our bug database.   I'll do so now.

  9.8.1 and 9.8.1-P1 build fine for me. No really.  :-)

# ldd bin/dig
liblwres.so.80 =/opt/csw/lib/sparcv8/liblwres.so.80
libdns.so.81 =  /opt/csw/lib/sparcv8/libdns.so.81
libbind9.so.80 =/opt/csw/lib/sparcv8/libbind9.so.80
libisccfg.so.82 =   /opt/csw/lib/sparcv8/libisccfg.so.82
libcrypto.so.0.9.8 =/opt/csw/lib/sparcv8/libcrypto.so.0.9.8
libisccc.so.80 =/opt/csw/lib/sparcv8/libisccc.so.80
libisc.so.83 =  /opt/csw/lib/sparcv8/libisc.so.83
libxml2.so.2 =  /opt/csw/lib/sparcv8/libxml2.so.2
libdl.so.1 =/usr/lib/libdl.so.1
libz.so =   /opt/csw/lib/sparcv8/libz.so
libpthread.so.1 =   /usr/lib/libpthread.so.1
libiconv.so.2 = /opt/csw/lib/sparcv8/libiconv.so.2
libm.so.1 = /usr/lib/libm.so.1
libsocket.so.1 =/usr/lib/libsocket.so.1
libnsl.so.1 =   /usr/lib/libnsl.so.1
libthread.so.1 =/usr/lib/libthread.so.1
libc.so.1 = /usr/lib/libc.so.1
libgcc_s.so.1 = /opt/csw/lib/sparcv8/libgcc_s.so.1
libmp.so.2 =/usr/lib/libmp.so.2
/usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1


# elfdump -d bin/dig

Dynamic Section:  .dynamic
 index  tag   value
   [0]  NEEDED   0x2d4fliblwres.so.80
   [1]  NEEDED   0x2d5elibdns.so.81
   [2]  NEEDED   0x2d6blibbind9.so.80
   [3]  NEEDED   0x2d7alibisccfg.so.82
   [4]  NEEDED   0x2d8alibcrypto.so.0.9.8
   [5]  NEEDED   0x2d9dlibisccc.so.80
   [6]  NEEDED   0x2daclibisc.so.83
   [7]  NEEDED   0x2db9libxml2.so.2
   [8]  NEEDED   0x2dc6libdl.so.1
   [9]  NEEDED   0x2dd1libz.so
  [10]  NEEDED   0x2d13libpthread.so.1
  [11]  NEEDED   0x2dd9libiconv.so.2
  [12]  NEEDED   0x2de7libm.so.1
  [13]  NEEDED   0x2df1libsocket.so.1
  [14]  NEEDED   0x2e00libnsl.so.1
  [15]  NEEDED   0x2e0clibthread.so.1
  [16]  NEEDED   0x2d2clibc.so.1
  [17]  INIT 0x33560
  [18]  FINI 0x33570
  [19]  RUNPATH  0x2e1b   
/opt/csw/lib/$ISALIST:/opt/csw/lib:/opt/csw/lib:/opt/csw/lib/sparcv8
  [20]  RPATH0x2e1b   
/opt/csw/lib/$ISALIST:/opt/csw/lib:/opt/csw/lib:/opt/csw/lib/sparcv8
  [21]  HASH 0x100e8
  [22]  STRTAB   0x13514
  [23]  STRSZ0x2e60
  [24]  SYMTAB   0x11254
  [25]  SYMENT   0x10
  [26]  CHECKSUM 0x7b54
  [27]  VERNEED  0x16374
  [28]  VERNEEDNUM   0x2
  [29]  PLTRELSZ 0xb28
  [30]  PLTREL   0x7
  [31]  JMPREL   0x16448
  [32]  RELA 0x163c4
  [33]  RELASZ   0xbac
  [34]  RELAENT  0xc
  [35]  DEBUG0
  [36]  FEATURE_10x1   [ PARINIT ]
  [37]  FLAGS0 0
  [38]  FLAGS_1  0 0
  [39]  PLTGOT   0x49120
#
#

Everything here is working great on Solaris and I expect to have all my
Solaris name servers updated before morning.  The Debian folks have
already release update patches. Life is good.

Dennis


-- 
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke   | Solaris and Linux and Open Source |
| dcla...@blastwave.org   | Respect for open standards.   |
+-+---+

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

9.8.0-P1 platform.h questions

[Dennis Clarke]

I compiled 9.8.0-P1 on both 32-bit and 64-bit Solaris Sparc and the output
in all the header files looks identical with the exception of platform. I
expect to see things like this :

The 32-bit build results in :

 #define ISC_PLATFORM_QUADFORMAT l

The 64-bit build platform.h has this :

 #define ISC_PLATFORM_QUADFORMAT ll


That seems perfectly fine and reasonable.


Not so reasonable is this :

#undef ISC_PLATFORM_HAVEIFNAMETOINDEX

  versus

#define ISC_PLATFORM_HAVEIFNAMETOINDEX 1

The compile was done on the same server with either CFLAGS having 
-xarch=v9 for 64-bit and then  -xarch=v8 for the 32-bit builds. Everything
seems fine but this server does have if_nametoindex(3XNET) as well as
if_nametoindex(3NSL) where the 3xnet libs are X/Open Networking Services
Library Functions.

Why would platform.h be so different as there were a multitude of such
differences?


-- 
Dennis Clarke
dcla...@blastwave.org


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ISC BIND 9.8.0 is now available

[Dennis Clarke]

 In addition to my pvt email Evan

 The dev link page still shows 9.7.3 as current production, no 9.8.0, but
 going to all downloads shows 9.8.0 as current production, and as things
 happen in three's ...

 bind-9.8.0.tar.gz  clicking on this  yields a file called
 bind-980targzno periods, looks like some script has collapsed
 asc
 sha1
 sha256
 sha512

works for me :

/opt/csw/bin/wget http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz

$ /opt/schily/bin/mdigest -a sha256 bind-9.8.0.tar.gz
e44183f5a4ab7d3deb3c08171c4821c391d6b10ed8d4bc6485a1fc3ba6490c06 
bind-9.8.0.tar.gz

$ /opt/csw/bin/wget
http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha512.asc
--2011-03-03 09:42:06-- 
http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha512.asc
Resolving ftp.isc.org... 204.152.184.110
Connecting to ftp.isc.org|204.152.184.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 481 [text/plain]
Saving to: `bind-9.8.0.tar.gz.sha512.asc'

 0K  100% 9.42M=0s

2011-03-03 09:42:06 (9.42 MB/s) - `bind-9.8.0.tar.gz.sha512.asc' saved
[481/481]

$ /opt/csw/bin/wget
http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha256.asc
--2011-03-03 09:42:15-- 
http://ftp.isc.org/isc/bind9/9.8.0/bind-9.8.0.tar.gz.sha256.asc
Resolving ftp.isc.org... 204.152.184.110
Connecting to ftp.isc.org|204.152.184.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 481 [text/plain]
Saving to: `bind-9.8.0.tar.gz.sha256.asc'

 0K  100% 8.51M=0s

2011-03-03 09:42:15 (8.51 MB/s) - `bind-9.8.0.tar.gz.sha256.asc' saved
[481/481]


$ /opt/csw/bin/wget http://www.isc.org/files/pgpkey2009.txt
--2011-03-03 09:45:13--  http://www.isc.org/files/pgpkey2009.txt
Resolving www.isc.org... 149.20.64.42
Connecting to www.isc.org|149.20.64.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2849 (2.8K) [text/plain]
Saving to: `pgpkey2009.txt'

 0K  100% 51.3M=0s

2011-03-03 09:45:14 (51.3 MB/s) - `pgpkey2009.txt' saved [2849/2849]


$ /opt/csw/bin/gpg --import pgpkey2009.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: key 0B7BAE00: public key Internet Systems Consortium, Inc. (Signing
key, 2009) pgpkey2...@isc.org imported
gpg: Total number processed: 1
gpg:   imported: 1  (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   2  signed:   2  trust: 2-, 0q, 0n, 0m, 0f, 0u


$ /opt/csw/bin/gpg --verify bind-9.8.0.tar.gz.sha256.asc bind-9.8.0.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Mon Feb 28 15:57:39 2011 GMT using RSA key ID 0B7BAE00
gpg: Good signature from Internet Systems Consortium, Inc. (Signing key,
2009) pgpkey2...@isc.org
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: FA76 7A86 A371 E359 22F6  A5C8 D811 B53F 0B7B AE00
$ /opt/csw/bin/gpg --verify bind-9.8.0.tar.gz.sha512.asc bind-9.8.0.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Mon Feb 28 15:57:38 2011 GMT using RSA key ID 0B7BAE00
gpg: Good signature from Internet Systems Consortium, Inc. (Signing key,
2009) pgpkey2...@isc.org
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: FA76 7A86 A371 E359 22F6  A5C8 D811 B53F 0B7B AE00
$




-- 
Dennis Clarke
dcla...@opensolaris.ca  - Email related to the open source Solaris
dcla...@blastwave.org   - Email related to open source for Solaris


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

[Dennis Clarke]

Sorry for the top post but there is no data yet at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0414. I'll assume
that is coming along. I have 9.7.3 ready for relase on Solaris 8 and 9 and
10 however I wanted to refer to the various security info sites.

Do you know if the folks at nist are doing an update ?

-- 
Dennis Clarke
dcla...@opensolaris.ca  - Email related to the open source Solaris
dcla...@blastwave.org   - Email related to open source for Solaris


--

 Internet Systems Consortium Security
 Advisory

 Title: Server Lockup Upon IXFR or DDNS Update Combined with High Query
 Rate

 (http://www.isc.org/software/bind/advisories/cve-2011-0414)

 CVE-2011-0414

 VU#559980

 CVSS: 7.1  (AV:N/AC:M/Au:N/C:N/I:N/A:C)
 for more information on the Common Vulnerability Scoring System and to
 obtain your specific environmental score please visit:
 http://nvd.nist.gov/cvss.cfm?calculatoradvversion=2
 http://nvd.nist.gov/cvss.cfm?calculatoradvversion=2

 Posting date: 2011-02-22

 Program Impacted: BIND

 Versions affected: 9.7.1-9.7.2-P3

 Severity: High

 Exploitable: Remotely

 Description and Impact:

 When an authoritative server processes a successful IXFR transfer or a
 dynamic update, there is a small window of time during which the
 IXFR/update coupled with a query may cause a deadlock to occur. This
 deadlock will cause the server to stop processing all requests. A high
 query rate and/or a high update rate will increase the probability of
 this condition.

 Workaround:

 Depending on your performance requirements, a work-around may be
 available. ISC was not able to reproduce this defect in 9.7.2 using -n
 1, which causes named to use only one worker thread, thus avoiding the
 deadlock. If your server is powerful enough to serve your data with a
 single processor, this option may be fast to implement until you have
 time to perform an upgrade.

 Active exploits: None known, but a description of the issue is available
 in the release notes for BIND 9.6.3 and 9.7.3.

 Solution: If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier
 versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-R?, or
 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is
 not supported by ISC. BIND 9.8 is not vulnerable.

 Credits: Thank you to Neustar for finding the initial defect and JPRS
 for further testing and analysis.

 Questions regarding this advisory or ISC's Support services should be
 sent to bind9-b...@isc.org mailto:bind9-b...@isc.org
 For more information on ISC's support, consulting, training, and other
 services, visit
 http://www.isc.org/community/blog/201102/open-source-software-unsupported-isnt-it



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

[Dennis Clarke]

 Hi Dennis,

 Thank you for getting 9.7.3 out on Solaris, that is a huge help in
 getting this important update out there.

I have been running 9.7.3 for a few days now on all my production DNS
servers ( a bunch ) and a few in client sites in Europe. All seems to be
running very well and the upgrade was silky smooth.  A measure of awesome
software to be true.

# uname -a
SunOS callistoz 5.10 Generic_144488-04 sun4u sparc SUNW,Sun-Fire-480R
# /opt/csw/sbin/rndc -s 127.0.0.1 -k /etc/opt/csw/rndc.key status
version: 9.7.3
CPUs found: 4
worker threads: 4
number of zones: 44
debug level: 1
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

$ pkginfo -l CSWbind
   PKGINST:  CSWbind
  NAME:  bind - ISC BIND 9.7.3 DNS main package
  CATEGORY:  application
  ARCH:  sparc
   VERSION:  9.7.3,REV=2011.02.19
   BASEDIR:  /opt/csw
VENDOR:  http://www.isc.org/software/bind packaged by Blastwave.org Inc.
  DESC:  CSWbind - ISC BIND 9.7.3 DNS main package
PSTAMP:  mimas20110219031415
  INSTDATE:  Feb 19 2011 16:57
   HOTLINE:  http://www.blastwave.org/
 EMAIL:  supp...@blastwave.org
STATUS:  completely installed
 FILES:  361 installed pathnames
   9 shared pathnames
  23 linked files
  17 directories
  34 executables
   28684 blocks used (approx)

This has been tested all the way back to Solaris 8 on i386 and sparc so it
looks very solid.

The 9.7.3 packages are released a few minutes ago to the primary site at
download.blastwave.org and it will be in the various US universities and
then the other 50 or so mirrors within six hours. More or less.

 I do not know the answer to your question about the NIST CVE listings,
 but I will inquire. Our CVE numbers actually come to us from
 Carnegie-Mellon CERT, not NIST, but NIST does keep an up to date list
 generally.

 I'll also post here if/when I find out more.

thank you and stay in touch !

-- 
Dennis Clarke
dcla...@opensolaris.ca  - Email related to the open source Solaris
dcla...@blastwave.org   - Email related to open source for Solaris


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.7.3 is now available.

[Dennis Clarke]

 2011/2/15 Mark Andrews ma...@isc.org:

 9.7.3

     * BIND now builds with threads disabled in versions of NetBSD
 earlier
       than 5.0 and with pthreads enabled by default in NetBSD versions
       5.0 and higher. Also removes support for unproven-pthreads,
       mit-pthreads and ptl2. [RT #19203]

 Looks a great release.
 BTW, does bind-9.7's threads work well on Linux X86 platform?


I would think a posix speec compliant implementation would work anywhere.
However, who knows, I'll give a quick build on Debian squeeze and see what
happens. Personally I'm not sure if there is a comprehensive test suite in
the iscbind packages. Is there ? How would one verify the functionality of
the new security features?


-- 
Dennis Clarke
dcla...@opensolaris.ca  - Email related to the open source Solaris
dcla...@blastwave.org   - Email related to open source for Solaris


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind 9.7.2-P3 does not resolve www.microsoft.com

[Dennis Clarke]

 trying to resolve www.microsoft.com or microsoft.com results in a
 connection timed out; no servers could be reached

 Well, for what it's worth - it's not just you having that issue. When
 testing from home and from work I get the same.


works fine for me on linux and Solaris.




-- 
Dennis Clarke
dcla...@opensolaris.ca  - Email related to the open source Solaris
dcla...@blastwave.org   - Email related to open source for Solaris


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Bind named 9.7.2-P2 segfault and core dump when in debug mode

[Dennis Clarke]

I am trying to track down a bit of strange behavior. Not sure if anyone
else sees this.

I tend to run named in the foreground and in debug level 2 for a while
after I compile it. If all looks good then I can run it as a service
daemon in the usual way.

This means I run it like so :

bash-3.00# /opt/csw/sbin/named -4 -c /etc/opt/csw/named.conf \
 -d 2 -f -g -n 1 -p 53 -u named

Note the -d 2 there.

29-Sep-2010 17:31:43.715 starting BIND 9.7.2-P2 -4 -c
/etc/opt/csw/named.conf -d 2 -f -g -n 1 -p 53 -u named
.
.
.

Everything seems to be fine until I saw this after 20 minutes or so :

29-Sep-2010 17:40:35.964 error (unexpected RCODE REFUSED) resolving
'243.136.240.111.dun.dnsrbl.net/A/IN': 66.11.124.26#53
29-Sep-2010 17:40:35.965 client 66.225.151.243#45979: query failed
(SERVFAIL) for 243.136.240.111.dun.dnsrbl.net/IN/A at query.c:4650


   At this point it is just hung.


So I started it up again in the exact same way and then went to a client
machine and issued this query via dig :

$ /opt/csw/bin/dig +qr @ns1.blastwave.org 243.136.240.111.dun.dnsrbl.net

;  DiG 9.7.2-P2  +qr @ns1.blastwave.org
243.136.240.111.dun.dnsrbl.net
; (1 server found)
;; global options: +cmd
;; Sending:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 430
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;243.136.240.111.dun.dnsrbl.net.IN  A

;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 430
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;243.136.240.111.dun.dnsrbl.net.IN  A

;; Query time: 235 msec
;; SERVER: 66.225.151.252#53(66.225.151.252)
;; WHEN: Wed Sep 29 17:47:25 2010
;; MSG SIZE  rcvd: 48

So that response looks okay but

QUERY, status: SERVFAIL, id: 430

also the named process was hung again :

29-Sep-2010 17:47:24.850 createfetch: 243.136.240.111.dun.dnsrbl.net A
29-Sep-2010 17:47:24.986 error (unexpected RCODE REFUSED) resolving
'243.136.240.111.dun.dnsrbl.net/A/IN': 66.11.124.26#53
29-Sep-2010 17:47:25.081 lame server resolving
'243.136.240.111.dun.dnsrbl.net' (in 'dnsrbl.net'?): 66.11.124.30#53
29-Sep-2010 17:47:25.082 client 66.225.151.227#24722: query failed
(SERVFAIL) for 243.136.240.111.dun.dnsrbl.net/IN/A at query.c:4650
Killed

So I figured I would run this in debug level 4 :

bash-3.00# /opt/csw/sbin/named -4 -c /etc/opt/csw/named.conf -d 4 -f -g -n
1 -p 53 -u named
29-Sep-2010 17:48:56.400 starting BIND 9.7.2-P2 -4 -c
/etc/opt/csw/named.conf -d 4 -f -g -n 1 -p 53 -u named
.
.
.
29-Sep-2010 17:48:56.455 loading configuration from '/etc/opt/csw/named.conf'
29-Sep-2010 17:48:56.470 reading built-in trusted keys from file
'/etc/opt/csw/bind.keys'
Segmentation Fault (core dumped)

bash-3.00# file core
core: ELF 32-bit MSB core file SPARC Version 1, from 'named'

wow .. that is really not good.

What failed ?

bash-3.00# mdb /opt/csw/sbin/sparcv8/named core
Loading modules: [ libc.so.1 ld.so.1 ]
 ::status
debugging core file of named (32-bit) from callistoz
file: /opt/csw/sbin/sparcv8/named
initial argv:
/opt/csw/sbin/named -4 -c /etc/opt/csw/named.conf -d 3 -f -g -n 1 -p 53 -u
name
threading model: multi-threaded
status: process terminated by SIGSEGV (Segmentation Fault)

 $c
libc.so.1`strlen+0x18(cf73c, 2000, a7cb0, fe94fc00, cf720, fe8c0d60)
libisc.so.62`isc_log_doit+0x794(cf700, fee27ab0, c4f44, 3, 0, 0)
libisc.so.62`isc_log_write+0x60(cf700, fee27ab0, c4f44, 3, a7cb0, a7cd8)
set_limit+0x210(a7cb0, a7cd8, a7cd8, 9, , fffd)
set_limits+0x64(fe94fdf8, d89e0, ff0719c0, fe94fe14, a8028, d89e0)
load_configuration+0x7d4(ffbffe22, dc758, 1, 0, ea758, 5fc28)
run_server+0x420(ea758, e89c8, fe935840, 0, fe7e0200, fe8c21f0)
libisc.so.62`dispatch+0x7d8(d6758, 0, 0, 0, fe7e0200, 1)
libisc.so.62`run+0x14(d6758, fe95, 0, 0, fedde7f0, 0)
libc.so.1`_lwp_start(0, 0, 0, 0, 0, 0)

 ::stack
libc.so.1`strlen+0x18(cf73c, 2000, a7cb0, fe94fc00, cf720, fe8c0d60)
libisc.so.62`isc_log_doit+0x794(cf700, fee27ab0, c4f44, 3, 0, 0)
libisc.so.62`isc_log_write+0x60(cf700, fee27ab0, c4f44, 3, a7cb0, a7cd8)
set_limit+0x210(a7cb0, a7cd8, a7cd8, 9, , fffd)
set_limits+0x64(fe94fdf8, d89e0, ff0719c0, fe94fe14, a8028, d89e0)
load_configuration+0x7d4(ffbffe22, dc758, 1, 0, ea758, 5fc28)
run_server+0x420(ea758, e89c8, fe935840, 0, fe7e0200, fe8c21f0)
libisc.so.62`dispatch+0x7d8(d6758, 0, 0, 0, fe7e0200, 1)
libisc.so.62`run+0x14(d6758, fe95, 0, 0, fedde7f0, 0)
libc.so.1`_lwp_start(0, 0, 0, 0, 0, 0)

bash-3.00# pstack core
core 'core' of 1647:/opt/csw/sbin/named -4 -c /etc/opt/csw/named.conf
-d 3 -f -g -n 1 -p 5
-  lwp# 1 / thread# 1  
 fe8cbc3c ___sigtimedwait (ffbffbb0, 0, 0, fefe2a00, 0, 1) + 8
 fe8b4158 __posix_sigwait (ffbffbb0, ffbffb2c, 0, 0, fefe2a00, 1) + 18
 fede4aac isc__app_ctxrun (fee27fb8, c5170, c4f34, fffe, a5574, a5728)
+ 45c
 fede4bd8 isc__app_run (c9be0, a56fc, 0, 6e616d65, 80808080, 1010101) + 28
 000458dc main (e, ffbffd14, 

Re: Bind 9.4.3-P3 on Solaris 10 Hang

[Dennis Clarke]

 hi.

 I'm satoshi.

 I use BIND 9.4.3.

 Same situation was generated in my DNS server.

 Did you solve this problem?

 I would like you to teach when doing because it solved it.

 Regards


Just upgrade to 9.7.1-P1 on Solaris.
There are free packages ready to run at Blastwave.org


-- 
Dennis

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users