BIND and ENUM NAPTR...

2008-12-02 Thread Gregory Hicks

Greetings:

SIP (NAPTR and ENUM) uses a DNS like structure.  Does BIND support
these data types?  Are there any references?

Regards,
Gregory Hicks

-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
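The question above gets no answer on this page. As an added example (written for this page, not code from the thread or from ISC), here is the part an engineer wiring SIP to DNS actually has to get right: the E.164-to-ENUM owner-name derivation from RFC 6116, the NAPTR presentation format from RFC 3403 that a BIND 9 zone file carries (BIND 9 knows the NAPTR type, so these lines load as written), and the client-side regexp rewrite an ENUM lookup applies to the dialled number. The number +44 20 7946 0123 and the example.com targets are constructed, and every function name is an assumption.

```python
import re

E164_MAX_DIGITS = 15   # ITU-T E.164 limit


def enum_name(e164_number, suffix="e164.arpa."):
    """Map an E.164 number with a leading '+' to its ENUM owner name
    (RFC 6116): drop everything but digits, reverse them, separate
    with dots and append the ENUM tree suffix."""
    if not e164_number.startswith("+"):
        raise ValueError("E.164 number must start with '+': %r" % e164_number)
    digits = re.sub(r"\D", "", e164_number)
    if not 1 <= len(digits) <= E164_MAX_DIGITS:
        raise ValueError("E.164 numbers carry 1 to 15 digits: %r" % e164_number)
    return ".".join(reversed(digits)) + "." + suffix


def naptr_rr(owner, order, preference, flags, service, regexp, replacement="."):
    """One NAPTR RR in zone-file presentation format (RFC 3403).  ENUM
    records use flag "u" (terminal rule whose regexp yields a URI) and
    an empty replacement field written as '.'."""
    return (f'{owner} IN NAPTR {order} {preference} "{flags}" "{service}" '
            f'"{regexp}" {replacement}')


def apply_naptr_regexp(regexp, number):
    """Apply a NAPTR <regexp> field, delim ERE delim replacement delim
    [flags], to the original E.164 number.  Returns the rewritten URI,
    or None when the ERE does not match."""
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 3:                         # ERE, replacement, closing delim
        raise ValueError("malformed NAPTR regexp: %r" % regexp)
    ere, repl, flags = parts[0], parts[1], parts[2]
    match = re.match(ere, number, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        return None
    # POSIX "\1" back-references become Python's "\g<1>" form
    return match.expand(re.sub(r"\\(\d)", r"\\g<\1>", repl))


def enum_zone_lines(number, rules):
    """Zone-file lines for one number; rules are (order, pref, service,
    regexp) tuples.  Resolvers try the lowest order, then preference."""
    owner = enum_name(number)
    return [naptr_rr(owner, o, p, "u", svc, rx) for (o, p, svc, rx) in rules]


def resolve_enum(number, rules):
    """Walk the rules in order/preference and return the first (service,
    URI) produced, the way an ENUM-aware SIP proxy would."""
    for order, pref, svc, rx in sorted(rules):
        uri = apply_naptr_regexp(rx, number)
        if uri is not None:
            return svc, uri
    return None
```

The regexp field is applied to the number the caller dialled, not to the owner name, which is why a rule can lift the subscriber part out with a capture group. Anything you publish under e164.arpa is world-readable, so a rule that maps a number to a personal mailbox or a mobile SIP URI is a directory entry you cannot take back from caches until the TTL expires.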



Re: rfc1918 ns records coming from internet are queried?

2008-12-03 Thread Gregory Hicks

> Date: Wed, 26 Nov 2008 21:09:53 +0100 (CET)
> To: [EMAIL PROTECTED]
> Subject: Re: rfc1918 ns records coming from internet are queried?
> From: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> 
> > > A border router knows what is "inside" and "outside" your network, while
> > > a DNS server does not. Important difference.
> > 
> > You're missing the point.  This is not about inside and outside networks, it
> > is about rfc1918 responses from internet queries.
> 
> I'm afraid I have seen too many organizations using a mix of public and
> RFC1918 IP addresses on the "inside". Thus I don't believe that you can
> differentiate based on RFC1918 addresses or not on a general basis.

Actually, I got the impression that the OP wanted to know if BIND would
ignore any NS records provided by some server on the internet that
pointed to RFC-1918 type IP addresses.  (It could be that everyone is
talking about the same thing...)

If BIND sends out a request, as it should, to some set of NS record IP
addresses, it keeps a record of WHEN the request was sent out and marks
how long it takes to get a response back from those requests.  The
RFC-1918 type addresses SHOULD never respond - unless you happen to
have a server at the same address that someone else is advertising.
(The "SHOULD never respond" is driven by the BCP-38 filtering at edge
routers.)  Thus those addresses will have ungodly high round trip times
and should be removed from further queries...

(My read of how it works.  I could be wrong though.)

Regards,
Gregory Hicks

> 
> Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]



Re: FW: Pls help me for bind9

2008-12-03 Thread Gregory Hicks

> Subject: FW: Pls help me for bind9
> Date: Fri, 21 Nov 2008 10:25:49 +0800
> From: "Sun, Rui \(IT Operation Director\)" <[EMAIL PROTECTED]>
> To: 
> 
> Hi dear
> 
>   Pls help me for bind9 

What problem are you having?

What does your named.conf look like?  Your zone files?
(Please include the 'real' files, not any sanitized ones.)

> 
> Rui Sun
> 
> -Original Message-
> From: Sue Graves [mailto:[EMAIL PROTECTED] 
> Sent: Friday, November 21, 2008 12:48 AM
> To: Sun, Rui (IT Operation Director)
> Cc: [EMAIL PROTECTED]
> Subject: Re: Pls help me for bind9
> 
> As BIND is Open Source software, there is free support and discussion
> available from the community by sending mail to
> [EMAIL PROTECTED]
> There are 3 mail lists for discussions among users of ISC's BIND
> Distribution. You can subscribe via our website at
> https://lists.isc.org/mailman/listinfo
> 
> Updates as to our development work are shared with the BIND Forum
> members which you are welcome to join.
> See https://www.isc.org/software/guild
> 
> We also offer paid support contracts
> https://www.isc.org/services/support
> 
> Regards,
> Sue
> 
> Sun, Rui (IT Operation Director) wrote:
> > Hi dear
> >  
> > pls help me for bind 9
> >  
> > [In my tel DNS server]
> > nslookup www.baihui.com
> > Server: 118.102.24.83
> > Address:118.102.24.83#53
> >  
> > Non-authoritative answer:
> > www.baihui.com  canonical name = baihui.com.
> > Name:   baihui.com
> > Address: 219.143.38.65
> > 
> >  
> > [But my db file is set as below]
> > $TTL 600
> > @ IN SOA dns1.baihui.name. hostmaster.baihui.name. (
> > 140024 ; Serial
> > 6000 ; Refresh
> > 3000 ; Retry
> > 2419200 ; Expire
> > 604800 ) ; Negative Cache TTL;
> > @IN  NS dns1.baihui.name.
> > @IN  NS dns2.baihui.name.
> > baihui.com. IN  A   202.127.112.36
> > 
> >  
> > [Could you pls give me some help?]
> >  
> >  
> > Rui Sun
> > 
> 
> --
> Susan Graves
> Internet Systems Consortium
> +1 650-423-1323 office
> [EMAIL PROTECTED]
> See http://www.isc.org/training/ for the latest information on our 
training offerings
> 
> 



Re: 50 million records under one domain using Bind

2008-12-14 Thread Gregory Hicks

> From: Robert 
> Date: Sun, 14 Dec 2008 13:01:16 -0500
> 
> On Sun, 14 Dec 2008 14:06:05 +0100, Stephane Bortzmeyer wrote:
> 
> > On Sat, Dec 13, 2008 at 05:09:57PM +0530,
> >  Vinay Y S  wrote 
> >  a message of 23 lines which said:
> > 
> >> Also, is there any known deployments of bind of this scale out there?
> > 
> > Half of the ".de" name servers are BIND and ".de" has 12 millions of
> > domains, which probably means close to 50 millions of records.
> 
> I believe he is talking on one server not spread out over several
> servers. I think he is trying to see the limit on one server as to how
> many records it could serve reliably.

I believe that the limiting factor is not going to be the size of the
database, but how fast the machine can process network requests.  Ie,
how many queries per second;  If the machine can only handle 10k
queries per second, then the MOST it will see is 10k qps even if 11k
qps are coming in.

Regards,
Gregory Hicks



Where is the open recursion test?

2008-12-14 Thread Gregory Hicks
Greetings:

Seeing in my named.log entries for "too many timeouts resolving
''..." makes me wonder if my server is an
open recursive server.

Where is the test please for open recursion so I can check?

Assist appreciated.

Regards,
Gregory Hicks


Re: Where is the open recursion test?

2008-12-15 Thread Gregory Hicks

> Date: Mon, 15 Dec 2008 06:44:18 -0200
> From: Leonardo Rodrigues Magalhães 
> 
> Gregory Hicks escreveu:
> > Greetings:
> >
> > Seeing in my named.log entries for "too many timeouts resolving
> > ''..." makes me wonder if my server is an
> > open recursive server.
> >
> > Where is the test please for open recursion so I can check?
> 
> http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl

Thanks!  But I tried that about 6 hours earlier today.  It said address
64.139.55.108 had status "untested".  It also said that if I wanted my
address retested, make a TCP connection to
dns-surveyor.measurement-factory.com port 999 (e.g., with telnet) from
the address to be tested.  I did THAT also. So far, nothing.

Any other ideas?



Re: Where is the open recursion test?

2008-12-15 Thread Gregory Hicks

> Date: Mon, 15 Dec 2008 11:52:01 +0100
> From: Peter Dambier 
> To: bind-users@lists.isc.org
> Subject: Re: Where is the open recursion test?
> X-FuHaFi: 0.62
> 
> just try
> 
> dig -t any peter-dambier.de @
> 
> If it tells you something about denic it is not recursive.
> If you get the complete answer it is very likely recursive.
> 
> Something internal could have triggered the query but only
> if your server is in /etc/resolv.conf.

Peter:

Thanks!  I ran that and got a full response back.  Then I remembered
that you cannot check on recursiveness from a trusted interface...

I went to my ISP (alt email provider) and ran

well% dig -t any peter-dambier.de @64.139.55.108

; <<>> DiG 2.0 <<>> -t peter-dambier.de @64.139.55.108 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_send to server 64.139.55.108: Connection timed out

"Connection timed out" is expected.  Means that the ACLs are working.

Just to make sure, lets test for something that CAN be resolved:

well% dig metis.hicks-net.net @64.139.55.108

; <<>> DiG 2.0 <<>> metis.hicks-net.net @64.139.55.108 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; Ques: 1, Ans: 1, Auth: 3, Addit: 1
;; QUESTIONS:
;;  metis.hicks-net.net, type = A, class = IN

;; ANSWERS:
metis.hicks-net.net.3600A   64.139.55.108

;; AUTHORITY RECORDS:
hicks-net.net.  3600NS  ns1.xname.org.
hicks-net.net.  3600NS  ns0.xname.org.
hicks-net.net.  3600NS  ns.hicks-net.net.

;; ADDITIONAL RECORDS:
ns.hicks-net.net.   3600A   64.139.55.108

;; FROM: well to SERVER: 64.139.55.108
;; WHEN: Mon Dec 15 02:57:50 2008
;; MSG SIZE  sent: 37  rcvd: 131

well% 

That worked also.  (I got the expected results...  Yay!)

Again, thanks!

Regards,
Gregory Hicks

> 
> Kind regards
> Peter
> 
> 
> Gregory Hicks wrote:
> >> Date: Mon, 15 Dec 2008 06:44:18 -0200
> >> From: Leonardo Rodrigues Magalhães 
> >>
> >> Gregory Hicks escreveu:
> >>> Greetings:
> >>>
> >>> Seeing in my named.log entries for "too many timeouts resolving
> >>> ''..." makes me wonder if my server is an
> >>> open recursive server.
> >>>
> >>> Where is the test please for open recursion so I can check?
> >> http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
> > 
> > Thanks!  But I tried that about 6 hours earlier today.  It said address
> > 64.139.55.108 had status "untested".  It also said that if I wanted my
> > address retested, make a TCP connection to
> > dns-surveyor.measurement-factory.com port 999 (e.g., with telnet) from
> > the address to be tested.  I did THAT also. So far, nothing.
> > 
> > Any other ideas?
[...]
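A scriptable form of the test Peter and Gregory run above, added for this page and not taken from the thread: send a query with RD set for a name the server is not authoritative for, then read the RA and AA bits and the RCODE of whatever comes back. The dig output above already shows the tell: "flags: qr aa rd" with no "ra" means the server answered from its own zone and did not offer recursion, while a full answer carrying "ra" for a foreign name is an open resolver. `probe` does the real send and, exactly as the post says, only means something when run from an address outside every trusted ACL; `fake_response`, the 192.0.2.1 and ns.example.net values and all function names are constructed so the classifier can be exercised offline.

```python
import socket
import struct
import secrets

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits
RCODE_REFUSED = 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=None):
    """A standard query with RD set, i.e. what 'dig NAME @server' sends."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def classify_response(resp, txid=None):
    """Read the 12-byte header and say what the reply proves about recursion
    for a name the server does not serve itself."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if txid is not None and rid != txid:
        return "id-mismatch"        # not an answer to our query: ignore it
    if not flags & QR:
        return "not-a-response"
    if flags & 0x000F == RCODE_REFUSED:
        return "refused"            # allow-query / allow-recursion ACL said no
    if flags & RA:
        return "open-recursive"     # it recursed (or offers to) for an outsider
    if flags & AA and an > 0:
        return "authoritative"      # it owns this name; re-test with a foreign one
    if an == 0 and ns > 0:
        return "referral"           # pointed us elsewhere: recursion is off
    return "other"


def probe(server, qname, timeout=3.0):
    """Send one UDP query and classify the reply.  Run it from an address
    outside every trusted ACL; from inside, a full answer proves nothing."""
    query = build_query(qname)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"        # dropped silently: an ACL or a firewall
    return classify_response(data, txid)


def fake_response(txid, flags, qname, answers=0, authority=0):
    """Constructed reply for offline testing (not captured traffic): header,
    the echoed question, then dummy A and NS records using name pointers."""
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, authority, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xc0\x0c"               # compression pointer back to the question name
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes([192, 0, 2, 1])
    ns_rdata = encode_name("ns.example.net")
    ns_rr = ptr + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(ns_rdata)) + ns_rdata
    return header + question + a_rr * answers + ns_rr * authority
```

`probe("64.139.55.108", "peter-dambier.de")` from an outside host is the command Gregory typed; "timeout" and "refused" are both closed, and only "open-recursive" is the problem the original question was about. The transaction-ID check matters when you run this against many servers in parallel: a late or spoofed reply to another probe must not be counted as that server's answer.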


Re: Help tracing out a strange lookup case

2008-12-28 Thread Gregory Hicks

> To: comp-protocols-dns-b...@isc.org
> From: Blah Blah Blah 
> Subject: Re: Help tracing out a strange lookup case
> Date: 27 Dec 2008 15:49:17 GMT
> 
> On Sat, 27 Dec 2008 10:39:22 -0500, Barry Margolin faxed us with
> 
> > In article ,
> >  Stephen Ward  wrote:
> > 
> >> I get this clue myself:
> >> 
> >> ;; WARNING: recursion requested but not available
> > 
> > No, that's unrelated, because you're not a customer of the ISP he was
> > using.
> > 
> > The problem, as the previous poster said, is that the domain has both a
> > CNAME and A record for crm.share-ideas.com.  You can see it if you query
> > the authoritative server:
> > 
[...]
> 
> That's not what I get:
> # dig crm.share-ideas.com a @89.111.171.191 +norec

Do the command again but change the "a" to "cname".  I got the same
result as did Barry.  (I also do not have dig 9.4.1 hanging around any
longer.  You might try upgrading to 9.5.x...)

metis% dig crm.share-ideas.com +norec @89.111.171.191 cname

; <<>> DiG 9.5.0-P2 <<>> crm.share-ideas.com +norec @89.111.171.191 cname
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1185
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;crm.share-ideas.com.   IN  CNAME

;; ANSWER SECTION:
crm.share-ideas.com.3600IN  CNAME   share-ideas.com.

;; AUTHORITY SECTION:
share-ideas.com.3600IN  SOA ns1.hc.ru. support.hc.ru. 2008110347 3600 1800 604800 3600

;; Query time: 270 msec
;; SERVER: 89.111.171.191#53(89.111.171.191)
;; WHEN: Sun Dec 28 08:22:01 2008
;; MSG SIZE  rcvd: 104

metis% dig crm.share-ideas.com +norec @89.111.171.191 a

; <<>> DiG 9.5.0-P2 <<>> crm.share-ideas.com +norec @89.111.171.191 a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1119
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crm.share-ideas.com.   IN  A

;; ANSWER SECTION:
crm.share-ideas.com.3600IN  A   213.242.225.169

;; Query time: 310 msec
;; SERVER: 89.111.171.191#53(89.111.171.191)
;; WHEN: Sun Dec 28 08:23:55 2008
;; MSG SIZE  rcvd: 53


> 
> ; <<>> DiG 9.4.1-P1.1 <<>> crm.share-ideas.com a @89.111.171.191 +norec
> ; (1 server found)
[...]


Re: DNS spoofing

2009-01-16 Thread Gregory Hicks

> Date: Fri, 16 Jan 2009 10:47:27 -0800
> Subject: Re: DNS spoofing
> From: Josh Kuo 
> To: Ben Croswell 
> Cc: bind-users@lists.isc.org
> 
> Oops, I missed that part. Sorry, yes, as Ben pointed out, my proposed
> solution will take over *ALL* records in somedomain.com, anything you
> don't list in your somedomain.com will NOT be resolved.

BUT!...  If the NAME of the zone to be spoofed is

zone "HOST.spoofed.zone" IN {
type master;
file "db.HOST.spoofed.zone";
allow-update...
}

And "db.HOST.spoofed.zone" contains: (Of course, you can put anything
in here that fits your installation...)

@   IN  SOA metis.example.net. root.metis.example.net. (
20041217   ; serial number
300; refresh
600; retry
6300   ; expire
300  ) ; minimum TTL

;
;  Zone NS records
;

@  IN NS metis.example.net.

;
;  Zone records
;

@  IN  A   127.0.0.1

Then the ONLY host to be resolved will be $HOST.  Anything else falls
through to the original zone.

This solution only takes over ONE (1) host record in the zone.

Regards,
Gregory Hicks

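The single-host override above, turned into a generator so the stanza and the zone file stay consistent when you carry a list of hostnames rather than one. This is an added example written for this page, not the poster's files and not ISC code; `override_zone`, `write_overrides`, the sinkhole target, the SOA timers and the names metis.example.net and evil.example.com are assumptions.

```python
import re
from pathlib import Path

# One or more labels plus a TLD: letters, digits, hyphens, no leading or
# trailing hyphen, 63 chars per label (RFC 1035 host-name syntax).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,62}$")


def override_zone(host, primary_ns, hostmaster_mail, target="127.0.0.1",
                  serial=2009011601, ttl=300):
    """Return (named.conf stanza, zone-file text) that take over exactly one
    hostname: a master zone whose name is the hostname itself, so only that
    owner (and anything below it) is answered locally."""
    host = host.strip().rstrip(".").lower()
    if not HOSTNAME_RE.match(host):
        raise ValueError("not a fully qualified hostname: %r" % host)
    ns = primary_ns.rstrip(".") + "."
    rname = hostmaster_mail.replace("@", ".").rstrip(".") + "."   # SOA RNAME form
    filename = "db." + host
    stanza = (f'zone "{host}" IN {{\n'
              f'    type master;\n'
              f'    file "{filename}";\n'
              f'    allow-update {{ none; }};\n'     # nobody may rewrite a sinkhole
              f'}};\n')
    zone = (f"$TTL {ttl}\n"
            f"@ IN SOA {ns} {rname} (\n"
            f"        {serial} ; serial\n"
            f"        300 ; refresh\n"
            f"        600 ; retry\n"
            f"        6300 ; expire\n"
            f"        {ttl} ) ; minimum / negative-cache TTL\n"
            f"@ IN NS {ns}\n"
            f"@ IN A {target}\n")
    return stanza, zone


def write_overrides(hosts, outdir, **kwargs):
    """Write one db.<host> file per name into outdir and return the text of
    the zone stanzas to include from named.conf."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    stanzas = []
    for host in hosts:
        stanza, zone = override_zone(host, **kwargs)
        name = re.search(r'file "([^"]+)"', stanza).group(1)
        (outdir / name).write_text(zone)
        stanzas.append(stanza)
    return "\n".join(stanzas)
```

Two caveats the post leaves implicit. The override zone captures every name below it as well, so overriding `www.example.com` makes `a.www.example.com` NXDOMAIN instead of falling through. And the zone only applies in the view it is declared in; with the trusted/external split shown later on this page, declare it in the recursive view, not the one serving outsiders, or you have published your sinkhole list to the world. Later BIND releases (9.8 and up) do this job with response policy zones instead of one zone per name.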


Re: compile 9.6.0p1 etc empty

2009-01-17 Thread Gregory Hicks

> To: Gregory Hicks 
> Subject: Re: compile 9.6.0p1 etc empty
> Date: Sat, 17 Jan 2009 20:56:32 +0100
> From: GanGan 
> 
> 
>   
> before, at the compilation there have the conf files?

Either use the O'Reilly "DNS & Bind" book and enter their samples or 
find a working installation and copy their files.

There are THREE (maybe four) methods to get the start up files:

1.  Copy from an existing install.  Use "as is".

2.  Copy from an existing install.  Modify for your local install.

3.  Copy files from the O'Reilly book.  Modify as necessary for local 
install.

4.  Study O'Reilly book.  Invent your own files.

My 'nameserver' directory contains these files:

db.10 db.hicks-net.net
db.127.0.0db.hicks-net.org
db.96-111.55.139.64.in-addr   db.uc8010.com
db.cache  named_dump.db
named.recursing   named.stats

They are all same format.

db.10 == in-addr.arpa for 10.x.x.x

db.127.0.0 == localhost/localdomain PTR (copied)

db.96-111... == My /28 reverse PTR

db.cache == "hint" file.  Copied.  Then replaced with the file
 available via 'dig' from the root nameservers.

db.hicks-net.net == My 'forward' zone file.  I wrote it.

db.hicks-net.org == My other 'forward' zone.  I also wrote this (but it
basically is a copy of the .net file...)

db.uc8010.com == My zone file that points known malware sites to
localhost...

named.recursing, named_dump, and named.stats are from named while
running.

> 
> I have not invented this:
> 
> db.0  db.local 
> db.127named.conf
> db.255named.conf.local
> db.root   named.conf.options
> db.empty  rndc.key
> zones.rfc1918

named.conf.local, and named.conf.options look to me to be part of
named.conf.  I could be wrong, but...

rndc.key is generated, along with rndc.conf, when you run
rndc-confgen.  But even rndc.key is part of the .conf file...

db.127 is probably the same as MY db.127.0.0 (attached)

db.root is probably the same as my db.cache (also attached).

I don't have a db.local...  The only one really needed is the PTR
zone.

db.empty is ...???  Never heard of it.  How is it used?  For what
zones?

Regards,
Gregory Hicks

> 
> 
> On Sat, 17 Jan 2009 09:34:02 -0800 (PST), Gregory Hicks
>  wrote:
> > 
> >> To: "Jeremy C. Reed" 
> >> Subject: Re: compile 9.6.0p1 etc empty
> >> Date: Sat, 17 Jan 2009 13:30:18 +0100
> >> From: GanGan 
> >> Cc: bind-users@lists.isc.org
> >> 
> >> 
> >> ok thanks
> >> then how to get the conf files?
> > 
> > Um-m-m-m, well, given that *MY* choice of text editor is vi, *I'd*
> > use:  ;-)
> > 
> > vi /etc/named.conf (as root)
> > 
> > :-)
> > 
> > cp (some file location) /etc/named.conf  
> > followed by
> > vi /etc/named.conf
> > 
> > (also works if you have a 'sample' file at "some file location")
> > 
> > Seriously, I've used BOTH of those at some time or another in my
> > life...
> > 
> > Regards,
> > Gregory Hicks
> > 
> >> 
> >> 
> >> 
> >> On Fri, 16 Jan 2009 09:34:56 -0600 (CST), "Jeremy C. Reed"
> >>  wrote:
> >> > On Fri, 16 Jan 2009, GanGan wrote:
> >> > 
> >> >> when I compile bind 9.6.0p1 I have nothing in etc
> >> > 
> >> > BIND doesn't install a configuration file.
> >> -- 
> >> - GanGan -
> >> 
> >> www.system-linux.eu
> >> 
> >> (">
> >> /\
> >> V_V
> >> 
> > 
> -- 
> - GanGan -
> 
> www.system-linux.eu
> 
> (">
> /\
> V_V
> 


RE: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

2009-01-23 Thread Gregory Hicks

> From: 
> To: 
> Subject: RE: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
> Date: Fri, 23 Jan 2009 15:24:55 -0500
> Cc: bind-users@lists.isc.org
> 
> 
[...]
 
> By the way, what would cause a DNS server to fragment packets or send
> out of order? Aren't the packets typically small enough to fit within
> the typical 1500 imposed size?

512 bytes for UDP..

> 
> >> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> >> unreachable resolving
> >> 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
> >
> > This is odd. The IP address listed is for f-root. That adns1 name
> > server does have an IPv6 address, but for some reason that address is
> > not listed in the root zone file (currently).
> >
> >> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> >> unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
> >
> > Same here.
> >
> > Doug



Re: What are these entries in the log file - " query: . IN NS +"?

2009-01-26 Thread Gregory Hicks

> To: comp-protocols-dns-b...@isc.org
> From: "Tony Toews [MVP]" 
> Subject: What are these entries in the log file - " query: . IN NS +"?
> Date: Mon, 26 Jan 2009 21:45:18 GMT
> 
> Folks
> 
> Warning - I know just enough about Bind to be dangerous.   Which is
> why I'm asking.
> 
> I just noticed that our small scale Bind server as a lot of the
> following lines.
> 
> 26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
> 26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
> 26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
> 26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +
> 
> As far as I can tell from the same 5 or 20 IP addresses.  I haven't
> seen these lines before.
> 
> 1) What am I doing wrong?  If anything.

You are doing nothing wrong.

> 2) What are they?

They look like the DDoS being discussed on the NANOG list.

Have you implemented BCP38?  If not, why not...

Regards,
Gregory Hicks



Re: Is per "view" logging possible with bind?

2009-02-02 Thread Gregory Hicks

> Date: Mon, 02 Feb 2009 14:37:42 -0800
> From: JINMEI Tatuya
> 
> At Sat, 31 Jan 2009 08:31:35 -0500 (EST),
> Justin Piszcz  wrote:
> > 
> > I have multiple views:
> > 
> > internal
> > external
> > localhost
> > 
> > Is it possible instead of seeing this in the logs:
> 
> It's impossible if my understanding of the implementation is correct.

I may have mis-understood here, but I have TWO views and get logging by
view, thusly:

02-Feb-2009 07:04:42.544 queries: info: client 127.0.0.1#41764: view trusted: query: 137.139.188.205.in-addr.arpa IN PTR +
02-Feb-2009 07:04:42.547 queries: info: client 127.0.0.1#41765: view trusted: query: imo-d23.mx.aol.com IN A +
02-Feb-2009 07:05:18.297 queries: info: client 65.98.93.197#53: view external: query: metis.hicks-net.net IN MX -ED
02-Feb-2009 07:05:18.392 queries: info: client 65.98.93.197#53: view external: query: metis.hicks-net.net IN A -ED
02-Feb-2009 07:05:18.636 queries: info: client 127.0.0.1#41766: view trusted: query: 14.190.83.208.in-addr.arpa IN PTR +
02-Feb-2009 07:05:18.857 queries: info: client 127.0.0.1#41767: view trusted: query: discoursesfascinate.com IN A +

This is the way I have it set up...  (Kinda simple):

logging {
  channel example_log {
    file "/var/log/named.log" versions 3 size 2m;
    severity info;
    print-severity yes;
    print-time yes;
    print-category yes;
  };
  channel "security" {
    file "/var/log/named.sec" versions 3 size 2m;
    severity info;
    print-severity yes;
    print-category yes;
    print-time yes;
  };

  channel "queries" {
    file "/var/log/named.queries" versions 3 size 2m;
    severity info;
    print-severity yes;
    print-category yes;
    print-time yes;
  };

  category default {
    example_log;
  };

  category security {
    security;
    default_syslog;
    default_debug;
  };

  category queries {
    queries;
    default_syslog;
    default_debug;
  };
};

view "trusted" {
 match-clients { "internal"; };
 recursion yes;

[...zones go here...]

};

view "external" {
 match-clients { "any"; };
 recursion no;
 additional-from-cache no;

[...zones go here...]

};

If this is NOT what you're looking for, I apologize for wasting your time...

Regards,
Gregory Hicks

> 
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.

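An added example (not code from the list) serving both the ". IN NS +" lines in the 26 January post and the per-view query log just above: one parser for BIND 9's query-log line, with or without the "view NAME:" token and the "queries: info:" prefix that print-category and print-severity add, plus the two checks a practitioner would run over it. The sample lines are the ones quoted in the two posts, rejoined onto single lines where the archive wrapped them; the threshold value and all function names are assumptions.

```python
import re
from collections import Counter

# BIND 9 query-log line.  The flags field starts with '+' (RD set) or '-'
# and may carry S (signed), E (EDNS), T (TCP), D (DNSSEC OK), C (CD).
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: \w+: )?"
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)


def parse_query_line(line):
    """One log line -> dict, or None when the line is not a query entry."""
    m = QUERY_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["view"] = rec["view"] or "(no view)"
    f = rec["flags"]
    rec["rd"] = f.startswith("+")     # client asked for recursion
    rec["edns"] = "E" in f
    rec["do"] = "D" in f              # DNSSEC OK bit
    rec["tcp"] = "T" in f
    return rec


def parse_log(lines):
    return [r for r in (parse_query_line(l) for l in lines) if r]


def queries_per_view(records):
    return Counter(r["view"] for r in records)


def recursion_asked_on_view(records, view):
    """Clients sending RD=1 into a view where recursion is off.  They
    expect a resolver; from match-clients { any; } that is a mis-pointed
    client or someone probing for an open resolver."""
    return Counter(r["client"] for r in records if r["view"] == view and r["rd"])


def root_ns_flood_sources(records, threshold=2):
    """'. IN NS' repeated from a handful of sources is the root-NS
    reflection flood: the logged client is the spoofed victim, not the
    attacker, so the fix is BCP 38 at the edge, not blocking the victim."""
    c = Counter(r["client"] for r in records
                if r["qname"] == "." and r["qtype"] == "NS")
    return {ip: n for ip, n in c.items() if n >= threshold}


# Constructed sample: the four lines from the 26 January post and four of
# the view-tagged lines from the 2 February post, one entry per line.
SAMPLE_LOG = """\
26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +
02-Feb-2009 07:04:42.544 queries: info: client 127.0.0.1#41764: view trusted: query: 137.139.188.205.in-addr.arpa IN PTR +
02-Feb-2009 07:05:18.297 queries: info: client 65.98.93.197#53: view external: query: metis.hicks-net.net IN MX -ED
02-Feb-2009 07:05:18.392 queries: info: client 65.98.93.197#53: view external: query: metis.hicks-net.net IN A -ED
02-Feb-2009 07:05:18.857 queries: info: client 127.0.0.1#41767: view trusted: query: discoursesfascinate.com IN A +
""".splitlines()
```

Note what the flags say in the sample: the external-view queries from 65.98.93.197 arrive with "-ED", recursion not requested, from source port 53, which is another resolver doing its own iteration and exactly what an authoritative-only view should see. The ". IN NS +" lines are the opposite pattern, and a threshold of two is only for the eight sample lines; on a live log count per source per minute and compare against how large the response to "." NS is relative to the 17-byte query, since that ratio is the amplification the spoofed victim absorbs.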


RE: Unexpected error question

2009-02-05 Thread Gregory Hicks

> Subject: RE: Unexpected error question 
> Date: Thu, 5 Feb 2009 09:51:05 -0500
> From: "Cherney John-CJC030" 
> To: 
> 
> I see. I was assuming that the second line was caused by the first line,
> and that if I could get more info on the first line, I could take care
> of both of them. I have a "named" user that the named process is run as.
> However, I see these errors even when I use rndc stop as root.
> 
> Is there any resource that recommends what permissions need to be on
> specific SMF files for DNS? (or in general). Or is this even a
> permissioning issue with SMF files?

The problem comes from the idea that SMF wants to be the 'controller'.
When the program in question (named in the case) receives a 'stop'
command from rndc, SMF doesn't know WHY the program stopped, just that
it DID stop.  Thus the error.

A better way to stop named might be

svcadm named disable

(I think that's the right syntax but could be wrong.  I am NOT an SMF
expert...)  That should avoid the error message.

There was some discussion on the smf-disc...@opensolaris.org list last
month on how to avoid error messages when you don't care if the
underlying service stops all by itself.

Regards,
Gregory Hicks

> 
> Thanks!
> jwc
> 
> -Original Message-
> From: mark_andr...@isc.org [mailto:mark_andr...@isc.org] 
> Sent: Thursday, February 05, 2009 1:18 AM
> Cc: Cherney John-CJC030; bind-us...@isc.org
> Subject: Re: Unexpected error question 
> 
> 
> In message <200902050609.n1569ktg082...@drugs.dv.isc.org>, Mark Andrews
> writes:
> > 
> > In message, "Cherney John-CJC030" writes:
> > > I'm seeing the following lines in syslog, which occur when I shut
> > > down named:
> > > 
> > > general: error: ./main.c:858: unexpected error:
> > > general: error: smf_disable_instance() failed for
> > > svc:/network/dns/server:default : insufficient privileges for action
> > > 
> > > I'm running 9.3.5-P1 on Solaris 10 x86
> > > 
> > > I took a quick look at the source code and it looks like there should
> > > be a file and/or filenumber as part of the unexpected error line. I've
> > > noticed the same two lines when I issue an rndc stop. The named process
> > > does stop, but I'm worried that there may be data in the cache that
> > > isn't getting written to the db files. Nothing jumped out at me from my
> > > google search. It seems like I have a file permissions issue, but I
> > > haven't recently changed any file permissions. I don't see any unusual
> > > messages on startup.
> > > 
> > > Can someone point me the right direction for this? Is there any other
> > > information I should/could provide?
> > > 
> > > Thanks!
> > > jwc
> > 
> > SMF is Sun's management facility.  The code in question was
> > submitted by Sun.  I would be looking at how you have SMF set
> > up in particular how to give the user named is running under
> > permission to disable itself.
> 
> See also
> <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
> as mentioned in the FAQ.
> 
> > 
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org



Re: rndc -> wrong number of zones

2009-02-22 Thread Gregory Hicks

> Date: Mon, 23 Feb 2009 03:52:08 +0100
> Subject: rndc -> wrong number of zones
> From: squid proxy 
> To: bind-users@lists.isc.org
> 
> I've bind9 installed under Lenny.
> 
> rndc status shows 35 zones, but I have only 21 zones in
> /etc/bind/named.conf.local.

> So...?  Where DO the number of zones I'm serving come from?

Named has added a number of zones to the trusted view.
They weren't added to the external view as recursion is
disabled in it.

static const struct {
    const char      *zone;
    isc_boolean_t   rfc1918;
} empty_zones[] = {
#ifdef notyet
    /* RFC 1918 */
    { "10.IN-ADDR.ARPA", ISC_TRUE },
    { "16.172.IN-ADDR.ARPA", ISC_TRUE },
    { "17.172.IN-ADDR.ARPA", ISC_TRUE },
    { "18.172.IN-ADDR.ARPA", ISC_TRUE },
    { "19.172.IN-ADDR.ARPA", ISC_TRUE },
    { "20.172.IN-ADDR.ARPA", ISC_TRUE },
    { "21.172.IN-ADDR.ARPA", ISC_TRUE },
    { "22.172.IN-ADDR.ARPA", ISC_TRUE },
    { "23.172.IN-ADDR.ARPA", ISC_TRUE },
    { "24.172.IN-ADDR.ARPA", ISC_TRUE },
    { "25.172.IN-ADDR.ARPA", ISC_TRUE },
    { "26.172.IN-ADDR.ARPA", ISC_TRUE },
    { "27.172.IN-ADDR.ARPA", ISC_TRUE },
    { "28.172.IN-ADDR.ARPA", ISC_TRUE },
    { "29.172.IN-ADDR.ARPA", ISC_TRUE },
    { "30.172.IN-ADDR.ARPA", ISC_TRUE },
    { "31.172.IN-ADDR.ARPA", ISC_TRUE },
    { "168.192.IN-ADDR.ARPA", ISC_TRUE },
#endif

    /* RFC 3330 */
    { "0.IN-ADDR.ARPA", ISC_FALSE },                /* THIS NETWORK */
    { "127.IN-ADDR.ARPA", ISC_FALSE },              /* LOOPBACK */
    { "254.169.IN-ADDR.ARPA", ISC_FALSE },          /* LINK LOCAL */
    { "2.0.192.IN-ADDR.ARPA", ISC_FALSE },          /* TEST NET */
    { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE },  /* BROADCAST */

    /* Local IPv6 Unicast Addresses */
    { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
    { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
    /* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
    { "D.F.IP6.ARPA", ISC_FALSE },
    { "8.E.F.IP6.ARPA", ISC_FALSE },                /* LINK LOCAL */
    { "9.E.F.IP6.ARPA", ISC_FALSE },                /* LINK LOCAL */
    { "A.E.F.IP6.ARPA", ISC_FALSE },                /* LINK LOCAL */
    { "B.E.F.IP6.ARPA", ISC_FALSE },                /* LINK LOCAL */

    { NULL, ISC_FALSE }
};

> 
> # rndc status
> version: 9.5.1-P1
> number of zones: 35
> debug level: 0
> xfers running: 1
> xfers deferred: 0
> soa queries in progress: 1
> query logging is OFF
> recursive clients: 0/0/1000
> tcp clients: 0/100
> server is up and running
> 
> in /etc/bind/named.conf I have just 5 default zones.
> where else read rndc zones?
> 
> kind regards
> Piotr

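As an added illustration of the count above, here is a small simulation of which built-in empty zones named adds to a view. It is my code, not the thread's and not BIND's: it applies the rules stated in the reply (only recursive views get the zones; a zone the view already configures under the same name is left alone) plus the disable-empty-zone option from the ARM, using the table quoted above. The two-view layout in demo_views() is constructed and assumes Debian's stock named.conf.default-zones; forward-only configurations for a name, which as far as I know also suppress the empty zone, are not modelled.

```python
from typing import Dict, Iterable, List

# The table quoted above (BIND 9.5.1). Its RFC 1918 entries sit under
# "#ifdef notyet", so they are kept apart and off by default here.
RFC3330_AND_IPV6 = [
    "0.IN-ADDR.ARPA",                 # this network
    "127.IN-ADDR.ARPA",               # loopback
    "254.169.IN-ADDR.ARPA",           # link local
    "2.0.192.IN-ADDR.ARPA",           # TEST-NET
    "255.255.255.255.IN-ADDR.ARPA",   # broadcast
    ".".join(["0"] * 32) + ".IP6.ARPA",          # ::
    "1." + ".".join(["0"] * 31) + ".IP6.ARPA",   # ::1
    "D.F.IP6.ARPA",                   # locally assigned (fd00::/8)
    "8.E.F.IP6.ARPA", "9.E.F.IP6.ARPA", "A.E.F.IP6.ARPA", "B.E.F.IP6.ARPA",  # link local
]
RFC1918 = (["10.IN-ADDR.ARPA"]
           + [f"{n}.172.IN-ADDR.ARPA" for n in range(16, 32)]
           + ["168.192.IN-ADDR.ARPA"])


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def empty_zones_added(configured: Iterable[str], recursion: bool = True,
                      disabled: Iterable[str] = (), rfc1918: bool = False) -> List[str]:
    """Empty zones named would create in one view.

    Rules: a view without recursion gets none; a zone the view configures
    explicitly under the same name is left alone; names given to
    disable-empty-zone are skipped; the RFC 1918 set only when compiled in.
    Not modelled (assumption): a forward-only configuration for the name,
    which also suppresses the empty zone.
    """
    if not recursion:
        return []
    have = {_norm(z) for z in configured}
    skip = {_norm(z) for z in disabled}
    candidates = RFC3330_AND_IPV6 + (RFC1918 if rfc1918 else [])
    return [z for z in candidates if _norm(z) not in have and _norm(z) not in skip]


def zone_counts(views: Dict[str, dict]) -> Dict[str, int]:
    """Per-view totals; 'rndc status' reports the sum over all views."""
    return {
        name: len(v["zones"]) + len(empty_zones_added(
            v["zones"], v.get("recursion", True),
            v.get("disabled", ()), v.get("rfc1918", False)))
        for name, v in views.items()
    }


def demo_views() -> Dict[str, dict]:
    """Constructed layout like the one in the reply: a recursive 'trusted'
    view with what I take to be Debian's stock named.conf.default-zones plus
    one zone of its own, and a non-recursive 'external' view with that zone
    only. The real named.conf is not in the thread."""
    stock = [".", "localhost", "127.in-addr.arpa", "0.in-addr.arpa", "255.in-addr.arpa"]
    return {
        "trusted": {"zones": stock + ["example.net"], "recursion": True},
        "external": {"zones": ["example.net"], "recursion": False},
    }


if __name__ == "__main__":
    for view, cfg in demo_views().items():
        added = empty_zones_added(cfg["zones"], cfg.get("recursion", True))
        print(f"{view}: {len(cfg['zones'])} configured + {len(added)} built-in empty zones")
```

The built-in zones exist so that reverse lookups for loopback, link-local and similar space get a negative answer on the spot instead of leaking out to the Internet. Since rndc status counts every zone in every view, the number only lines up with named.conf once these are added in; `rndc dumpdb -zones` lists them next to the configured ones.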

Re: Hostname Naming Compliance

2009-02-23 Thread Gregory Hicks

> Date: Mon, 23 Feb 2009 19:07:31 +
> From: Evan Hunt 
> To: "Eric C. Davis" 
> Subject: Re: Hostname Naming Compliance
> Cc: "bind-users@lists.isc.org" 
> 
> On Mon, Feb 23, 2009 at 01:54:46PM -0500, Eric C. Davis wrote:
> > I know the option to use this compliance checker is present, but I'm 
> > curious to know if there are plans to make it mandatory to comply.  We 
> > aren't using this feature now, but I would like to.  My problem is 
> > politicking my way around the issue of breaking something that works.  
> > If Bind were to say they were going to start forcing compliance with 
> > this naming standard, then I simply have to say it's a standard that is 
> > being enforced.  Shouldn't enforcement be applied across the board 
> > anyway instead of at the operator's discretion?
> 
> I haven't heard anyone at ISC suggest this, but if I did, I'd argue
> against it.  I don't think we have any wish to be the "enforcers". :)
> And anyway, if we put "mandatory" compliance into BIND, people who
> wanted to break the rule would just hack it back out again.

If you want to "enforce" compliance, get M$ on board.  Otherwise it
ain't gonna fly.

I had good luck at $PREVIOUS_JOB with getting the company to
implement a "policy" of what host names should look like and then, when
a user tried to register a host via the helpdesk, the HelpDesk
personnel 'enforced' the naming standard.  (We also ran into several
places where non-compliance "broke things".  And no, I don't remember
what they were...)

I personally, whenever I saw a non-compliant hostname, would contact
the user and tell them that their hostname, formatted thus-and-so,
could cause problems and "Why don't you let me fix the name for you?"
990 times out of 1,000, I got a "Go ahead.  Let me know when you're
finished."  ($COMPANY's host table had some 48,000-50,000 names in it
at any one time...  There were MANY chances to excel there.)

Regards,
Gregory Hicks

> 
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.


Re: Two outgoing queries for each incoming query

2009-03-12 Thread Gregory Hicks

> Date: Thu, 12 Mar 2009 13:43:44 +0200
> Subject: Two outgoing queries for each incoming query
> From: My Name 
> To: bind-users@lists.isc.org
> 
> Is this possible with 9.6.0-P1 or do I need to change the code (all
> ideas where to start are welcome, I haven't looked at the code yet).
>
> I want to set up a forwarder and each incoming query (in fact only A
> or AAAA) should be sent to two different upstream servers.

Why?  Bind already does this.  If there are two (or more) servers
serving a zone, it will already query all of them for the initial
query.  However, it uses the answer from the server that has the
fastest response time.

Regards,
Gregory Hicks


Re: help on strange dig info

2009-04-12 Thread Gregory Hicks

> Date: Sun, 12 Apr 2009 15:22:42 +0800 (CST)
> From: "Tech W." 
> Subject: help on strange dig info
> To: bind-users@lists.isc.org
> 
> 
> Hello,
> 
> 
> I digged a domain name as below:
> 
> r...@dev1:~# dig www.csfunds.com.cn
> 
> ; <<>> DiG 9.5.0-P2 <<>> www.csfunds.com.cn
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23283
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.csfunds.com.cn.IN  A
> 
> ;; ANSWER SECTION:
> www.csfunds.com.cn. 86149   IN  CNAME   www.f5.csfunds.com.cn.
> www.f5.csfunds.com.cn.  30  IN  A   124.207.40.24
> 
> ;; AUTHORITY SECTION:
> f5.csfunds.com.cn.  85769   IN  NS  lc2.f5.csfunds.com.cn.
> f5.csfunds.com.cn.  85769   IN  NS  lc1.f5.csfunds.com.cn.
> 
> 
> It said f5.csfunds.com.cn's nameservers are lc1.f5.csfunds.com.cn and 
lc2.f5.csfunds.com.cn.
> 
> 
> But, I can't dig the info for both lc1 and lc2.

Those are lame servers, kind sir.  In other words, the domain is
delegated to those servers but those servers don't recognize their
authority.

Regards,
Gregory Hicks
> 
> r...@dev1:~# dig lc1.f5.csfunds.com.cn
> 
> ; <<>> DiG 9.5.0-P2 <<>> lc1.f5.csfunds.com.cn
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29538
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;lc1.f5.csfunds.com.cn. IN  A
> 
> 
> r...@dev1:~# dig lc2.f5.csfunds.com.cn
> 
> ; <<>> DiG 9.5.0-P2 <<>> lc2.f5.csfunds.com.cn
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39091
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;lc2.f5.csfunds.com.cn. IN  A
> 
> 
> 
> This let me really confused.
> When clients can't get IP addr for lc1 and lc2, how clients query the 
domain records in zone of f5.csfunds.com.cn?
> 
> Thanks for your helps.
> 
> Regards.
> Ken.

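An added check, not part of the post: given the sections of the dig output above (reused here as the sample input), it flags NS targets that sit inside the zone they are listed for and come back without an A or AAAA record in the additional section. Such a delegation gives a resolver nothing to contact, since the only place to learn those addresses is the zone those same servers serve, so the SERVFAILs follow regardless of what the servers themselves would answer.

```python
import re
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]          # (owner, type, rdata) as dig prints them

# Sample input: the answer and authority sections of the dig output in the
# post above; its additional section was empty ("ADDITIONAL: 0").
SAMPLE_DIG = """\
;; QUESTION SECTION:
;www.csfunds.com.cn.            IN      A

;; ANSWER SECTION:
www.csfunds.com.cn.     86149   IN      CNAME   www.f5.csfunds.com.cn.
www.f5.csfunds.com.cn.  30      IN      A       124.207.40.24

;; AUTHORITY SECTION:
f5.csfunds.com.cn.      85769   IN      NS      lc2.f5.csfunds.com.cn.
f5.csfunds.com.cn.      85769   IN      NS      lc1.f5.csfunds.com.cn.
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text: str) -> Dict[str, List[RR]]:
    """Split dig output into its sections; each record line is
    'owner TTL class type rdata...'. Comment lines (';') are skipped, which
    also drops the question section's entries."""
    sections: Dict[str, List[RR]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith(";") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        sections[current].append((fields[0], fields[3], " ".join(fields[4:])))
    return sections


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(target: str, zone: str) -> bool:
    """True when `target` is `zone` itself or a name under it."""
    t, z = _norm(target), _norm(zone)
    return t == z or t.endswith("." + z)


def glueless_nameservers(sections: Dict[str, List[RR]]) -> List[str]:
    """NS targets that live inside the zone they are delegated for and have
    no A/AAAA record anywhere in the response. Glue belongs in the
    additional section; the answer section is consulted too so an in-zone
    address that happened to be returned there still counts."""
    glue = {_norm(owner)
            for sec in ("ADDITIONAL", "ANSWER")
            for owner, rtype, _ in sections.get(sec, [])
            if rtype in ("A", "AAAA")}
    flagged = []
    for owner, rtype, target in sections.get("AUTHORITY", []):
        if rtype == "NS" and in_bailiwick(target, owner) and _norm(target) not in glue:
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for ns in glueless_nameservers(parse_dig(SAMPLE_DIG)):
        print(f"in-bailiwick NS without glue: {ns}")
```

The fix for this condition lives at the parent: the zone that delegates f5.csfunds.com.cn has to carry A records for lc1 and lc2 next to the NS records, so that the referral arrives with glue. A `dig +norecurse` for the NS set against one of the parent's servers shows whether it does.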

Re: Combined master + forward zone

2009-04-20 Thread Gregory Hicks

> Date: Mon, 20 Apr 2009 10:39:59 +0300 (EEST)
> From: Petteri Heinonen 
> 
> Chris Buxton [cbux...@menandmice.com] wrote: 
> > On Apr 19, 2009, at 8:06 AM, Petteri Heinonen wrote:
> > 
> > > Hello all. I have been struggling with a seeming simple Bind 
related  
> > > problem. My main goal would be to have dynamically added RRs 
served  
> > > by different server than the normal statically configured RRs.  
> > > Essentially, the zone's RRs would be divided on two Bind servers.  
> > > Here is the setup I would like to achieve:
[...]
> 
> Ok, thanks for confirming my doubts. As a related issue, how is Bind
> supposed to be used in a domain where Windows Domain Controllers are
> used for Windows domain services, but Bind is used for DNS? I mean,
> in a Windows domain DDNS updates are used by both Domain Controllers
> and by normal domain clients. For Domain Controllers, it is essential
> that they can register their SRV records dynamically in DNS. Now in
> case of distributed domain (several Domain Controllers on separate
> sites, but all still belonging to the same Windows domain and all
> using the same DNS zone), there should be also own DNS service for
> each site (for fault tolerance and redundancy etc). But, as only one
> site can host the master DNS server which accepts DDNS update
> requests, all sites' machines have to be configured to use that
> single Bind instance as their primary DNS server?
> 
> So the actual question: if DDNS update functionality is needed, am I
bound to use only one Bind instance as the primary DNS server for all
the hosts, on all the separate sites?

How about:  Place all the Windows Boxen into subdomains, managed by 
Windows AD?  Bind manages the main domain.com DNS...

That works.

Regards,
Gregory Hicks



Re: approach on parsing the query-log file

2009-04-28 Thread Gregory Hicks

> From: Jonathan Petersson 
> Date: Tue, 28 Apr 2009 08:13:25 -0700
> Subject: Re: approach on parsing the query-log file
> To: niall.orei...@ucd.ie
> Cc: Bind Mailing 
> 
> Yeah I've thought about using tail but I'm not sure how locking would
> be managed when logrotate kicks in, does anyone know?

I use "tail -f "

When the log rotates, the tail is still running against the rotated 
file.  I have to manually change to the current file. ("^C-!!" works)

A better way to do it might be to have the 'logfile' be a pipe and have 
the parsing intelligence on the other side of the pipe.  Have the log 
rotation "smarts" be on the other side of the pipe also.  (At one $JOB, 
I used this technique to separate out different log messages from 
simultaneously running SMTP processes.)

Regards,
Gregory Hicks
> 
> On Tue, Apr 28, 2009 at 3:41 AM, Niall O'Reilly  
wrote:
> > On Mon, 2009-04-27 at 22:26 -0700, Jonathan Petersson wrote:
> >> The obvious question that occurs is; What would be what's the best
> >> approach to do this?
> >
> >        I've not used it, but a colleague is very keen on File::Tail
> >        (http://search.cpan.org/~mgrabnar/File-Tail-0.99.3/Tail.pm).
> >        Apparently, it looks after log-file roll-over and 'just 
works'.
> >
> >        /Niall
> >
> >
> >

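The pipe approach above and File::Tail both come down to the same thing: notice when the file you are reading is no longer the file named is writing to. As an added example (my code, not from the thread and not File::Tail), here is a follower that does that for a BIND query log, plus a parser for the query lines so what it reads can feed detection logic. The lines in SAMPLE_LINES are constructed, in the 9.5/9.6 "queries" category format; the rotation demo uses a temporary directory.

```python
import os
import re
import tempfile
import time
from collections import Counter
from typing import Iterable, Iterator, List, Optional

# BIND 9.5/9.6 "queries" category line, with or without the timestamp and
# category prefix the logging channel adds. Sample lines are constructed.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)
SAMPLE_LINES = [
    "28-Apr-2009 08:13:25.101 queries: info: client 192.0.2.10#53123: "
    "query: www.example.com IN A + (192.0.2.1)",
    "28-Apr-2009 08:13:25.233 queries: info: client 192.0.2.10#53124: "
    "query: 1.0.0.127.in-addr.arpa IN PTR - (192.0.2.1)",
    "28-Apr-2009 08:13:26.004 queries: info: client 198.51.100.7#40001: "
    "query: example.net IN AAAA +E (192.0.2.1)",
]


def parse_query_line(line: str) -> Optional[dict]:
    """Pull client, port, qname, class, type and flags out of one log line.
    The first flag character is '+' when the client asked for recursion."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def follow(path: str, poll_interval: float = 0.1, idle_limit: Optional[int] = None,
           switch_after: int = 3) -> Iterator[str]:
    """Yield complete lines appended to `path`, like tail -F rather than tail -f.

    When the inode behind `path` changes (logrotate renamed the file and a new
    one was created) or the file shrinks (copytruncate), the reader moves to
    the new file, but only after `switch_after` empty polls on the old one:
    named keeps writing to the renamed file until it reopens its logs, and
    switching at once would drop those lines. With idle_limit set, the
    generator returns after that many consecutive empty polls (for tests);
    leave it None in a long-running consumer.
    """
    fh = open(path, "rb")
    ino = os.fstat(fh.fileno()).st_ino
    buf, idle, rotated = b"", 0, 0
    try:
        while True:
            chunk = fh.readline()
            if chunk:
                idle = rotated = 0
                buf += chunk                      # readline can return a half-written line
                if buf.endswith(b"\n"):
                    yield buf.rstrip(b"\r\n").decode("utf-8", "replace")
                    buf = b""
                continue
            try:
                st = os.stat(path)
            except FileNotFoundError:             # between rename and re-create
                st = None
            if st is not None and (st.st_ino != ino or st.st_size < fh.tell()):
                rotated += 1
                if rotated >= switch_after:       # old file has gone quiet: move on
                    fh.close()
                    fh = open(path, "rb")
                    ino = os.fstat(fh.fileno()).st_ino
                    buf, idle, rotated = b"", 0, 0
                    continue
            idle += 1
            if idle_limit is not None and idle >= idle_limit:
                return
            time.sleep(poll_interval)
    finally:
        fh.close()


def client_counts(lines: Iterable[str]) -> Counter:
    """Queries per client address: the first cut at 'who is hammering us'."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec:
            counts[rec["client"]] += 1
    return counts


def demo_rotation() -> List[str]:
    """Constructed end-to-end run: two lines, a logrotate-style rename plus
    a fresh file, one more line. Returns the client of every line read."""
    path = os.path.join(tempfile.mkdtemp(), "query.log")
    with open(path, "w") as f:
        f.write(SAMPLE_LINES[0] + "\n" + SAMPLE_LINES[1] + "\n")
    gen = follow(path, poll_interval=0.01, idle_limit=20, switch_after=2)
    seen = [next(gen), next(gen)]
    os.rename(path, path + ".1")                  # what logrotate does
    with open(path, "w") as f:
        f.write(SAMPLE_LINES[2] + "\n")
    seen.extend(gen)                              # picks up the new file, then stops
    return [parse_query_line(line)["client"] for line in seen]


if __name__ == "__main__":
    print(demo_rotation())
    print(client_counts(SAMPLE_LINES).most_common(3))
```

The grace period is the part worth keeping even if you throw the rest away: the moment the inode under the path changes is not the moment named starts writing to the new file. The simplest way to make reader and writer agree is to let named do the rotating itself with the channel's own `versions` and `size` options and leave logrotate out of it.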

RE: two NS servers on a single host

2009-05-13 Thread Gregory Hicks

> Date: Wed, 13 May 2009 10:29:19 -0400
> From: "Jeff Lightner" 
> 
> It is network redundancy only in so far the DOS attack doesn't cause
> your CPU and memory to get slammed.   
> 
> If you're doing redundancy you really ought to do the whole thing by
> getting another server and putting IT on the other network.   Then you
> don't have a single point of failure (unless they're both in the same
> data center).
> 
> If you really want to do two different IPs on one host you could
> probably use views to accomplish this but that would be all within a
> single BIND setup so your theoretical DOS attack would probably cause
> both views to have issues.

There is no reason NOT to have redundancy (two hosts, two networks) no 
matter how small your network is.

Google for "free dns hosting".  You'll get back a very large number of 
hits.  Use your google-foo to limit the search parameters some.  You'll 
get back a slightly smaller, but still very large, number of hits.

Investigate to see who has better services.  Select one.  Configure and 
configure at your domain registrar.  You're back in service.

Regards,
Gregory Hicks
> 
> -Original Message-
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bradley
> Giesbrecht
> Sent: Wednesday, May 13, 2009 10:22 AM
> To: Stephane Bortzmeyer
> Cc: bind-users@lists.isc.org
> Subject: Re: two NS servers on a single host
> 
> 
> On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:
> 
> > On Wed, May 13, 2009 at 09:02:55PM +0800,
> > Tech W.  wrote
> > a message of 34 lines which said:
> >
> >> I want to give two NS records for my domain, each NS take each of
> >> the IP set in the host.
> >
> > Why? This would be completely useless. RFC 1034 and other documents
> > call for at least two name servers, for redundancy reasons. If the 
two
> > name servers are on the same host, what's the point? There would be 
no
> > gain in reliability.
> 
> If you have ever had the ip for your name server the target of a dos  
> attack you could have blocked traffic to that ip and still had dns.
> 
> Two networks to same host is network redundancy and has value.
> 



Re: How to configure a webhop with BIND?

2009-05-30 Thread Gregory Hicks

> Date: Sat, 30 May 2009 07:57:16 +0200
> From: Saša Stupar 
> 
> I use BIND as a local DNS server for 200 users. Now I am in situation
> that I need to use a webhop since I need to change listening port on
> apache to other than 80 ( I have another application which need to
> use only port 80).
>
> How do I configure webhop for my eg. local.domain to
> local.domain:10080?

This isn't a bind problem but an HTTP problem.

Your application that only can use port 80 is going to have to get some 
'smarts' so that if the remote host is a port 80 client, to go ahead and 
process commands.

If the remote host is a port 10080 client, then your port 80 app is 
going to have to issue an HTTP redirect to port 10080.

Regards,
Gregory Hicks



Re: Dynamic DNS and Slave Servers

2009-06-18 Thread Gregory Hicks

> Date: Thu, 18 Jun 2009 12:41:04 -0400
> From: Kevin Darcy 
> 
> Joseph S D Yao wrote:
> > On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
[...]
> > For which reason, of course, dynamic data should always be in a
> > separate subdomain from static data, which may someday need to be
> > updated.
> >   
> Surely you mean sub*zone* (?)

Kevin:

I'll bite!  What is the difference between a sub*domain* and a
sub*zone*?

I don't see how you could have the one w/o the other.  But that could
be because I'm feeling especially slow today.

Regards,
Gregory Hicks



RE: How See what is Cached?

2009-07-05 Thread Gregory Hicks

> From: "Alans" 
> Date: Sun, 5 Jul 2009 11:29:27 +0300
> 
> I run that command but nothing happened!  And named.conf option is
> dump-file "/data/cache_dump.db"; , I checked that directory that file
> doesn't exist!!
> Do you think there is a problem in configuration?

File / directory permissions perhaps?

> 
[...]
> 
> rndc dumpdb -cache
> 
> Check the rndc manual. By default the data will be written to file
> named_dump.db. Check the "dump-file" option in Bind ARM.
> 
> ena



Classless CIDR delegation...

2009-08-15 Thread Gregory Hicks
Greetings:

I'm having a bit of a problem with my DNS server.  Serves my forward
zone OK but fails to load the DATA for the PTR (reverse) zone.
Something about "ignoring out of zone data"...  I understand that my
reverse zone actually has NOT been delegated to my servers.  (That was
done with malice aforethought because I have not been able to get the
reverse zone to load...)

My named.conf file (extracts) looks like this:

 zone "hicks-net.net" in {
type master;
file "db.hicks-net.net";
allow-update { none; };
allow-transfer { 87.98.164.164; 195.234.42.1; };
};

 zone "96-28.55.139.64.in-addr.arpa" {
type master ;
file "db.96-28.55.139.64.in-addr.arpa" ;
allow-update { none; };
};

This is my reverse zone:


$ORIGIN .
$TTL 3600

96-28.55.139.64.in-addr.arpa.  IN SOA ns.hicks.net. hostmaster.ns.hicks-net.net 
(   2009081502  ; serial
3600; refresh
900 ; retry
604800  ; expire (1 week)
3600; minimum (1 hour)
)

IN NS   ns.hicks-net.net.
IN NS   ns0.xname.org.
IN NS   NS1.xname.org
IN A64.139.55.108
IN MX 10 mx.hicks-net.net.

97.139.55.64.in-addr.arpa.  IN PTR  localhost. ; rtr.hicks-net.net.
98.139.55.64.in-addr.arpa.  IN PTR  localhost. ; fw.hicks-net.net.
99.139.55.64.in-addr.arpa.  IN PTR  mx.hicks-net.net ; mx.hicks-net.net.
100.139.55.64.in-addr.arpa. IN PTR  young-one.hicks-net.net.
101.139.55.64.in-addr.arpa. IN PTR  young.hicks-net.net.
102.139.55.64.in-addr.arpa. IN PTR  kris.hicks-net.net. (laptop)
108.139.55.64.in-addr.arpa. IN PTR  metis.hicks-net.net.


I have tried this variant on the PTR record.  (There were others but I
cannot remember them.)  Anyway, all failed.

97.96-28.139.55.64.in-addr.arpa.  IN PTR localhost.

This is what I get from named when I try and load the zone:

15-Aug-2009 00:25:10.775 general: warning: db.96-28.55.139.64.in-addr.arpa:17: 
ignoring out-of-zone data (97)
15-Aug-2009 00:25:10.775 general: warning: db.96-28.55.139.64.in-addr.arpa:18: 
ignoring out-of-zone data (98)
15-Aug-2009 00:25:10.775 general: warning: db.96-28.55.139.64.in-addr.arpa:19: 
ignoring out-of-zone data (99)
15-Aug-2009 00:25:10.776 general: warning: db.96-28.55.139.64.in-addr.arpa:20: 
ignoring out-of-zone data (100)
15-Aug-2009 00:25:10.783 general: warning: db.96-28.55.139.64.in-addr.arpa:21: 
ignoring out-of-zone data (101)
15-Aug-2009 00:25:10.783 general: warning: db.96-28.55.139.64.in-addr.arpa:22: 
ignoring out-of-zone data (102)
15-Aug-2009 00:25:10.783 general: warning: db.96-28.55.139.64.in-addr.arpa:23: 
ignoring out-of-zone data (108)
15-Aug-2009 00:25:10.785 general: info: zone 
96-28.55.139.64.in-addr.arpa/IN/external: loaded serial 2009081500
15-Aug-2009 00:25:10.787 general: info: reloading zones succeeded
15-Aug-2009 00:25:10.799 notify: info: zone 
96-28.55.139.64.in-addr.arpa/IN/external: sending notifies (serial 
2009081500)

I get these messages from named-checkzone:

 named-checkzone 96-28.55.139.64.in-addr.arpa /var/yp/name*/db.96*
/var/yp/nameserver/db.96-28.55.139.64.in-addr.arpa:17: ignoring out-of-zone 
data (97.55.139.64.in-addr.arpa)
/var/yp/nameserver/db.96-28.55.139.64.in-addr.arpa:18: ignoring out-of-zone 
data (98.55.139.64.in-addr.arpa)
/var/yp/nameserver/db.96-28.55.139.64.in-addr.arpa:19: ignoring out-of-zone 
data (99.55.139.64.in-addr.arpa)
/var/yp/nameserver/db.96-28.55.139.64.in-addr.arpa:20: ignoring out-of-zone 
data (100.55.139.64.in-addr.arpa)
/var/yp/nameserver/db.96-28.55.139.64.in-addr.arpa:21: ignoring out-of-zone 
data (101.55.139.64.in-addr.arpa)
/var/yp/nameserver/db.96-28.55.139.64.in-addr.arpa:22: ignoring out-of-zone 
data (102.55.139.64.in-addr.arpa)
/var/yp/nameserver/db.96-28.55.139.64.in-addr.arpa:23: ignoring out-of-zone 
data (108.55.139.64.in-addr.arpa)
zone 96-28.55.139.64.in-addr.arpa/IN: loaded serial 2009081503
OK

(Basically, the same messages I get from named...)

Any thoughts on what I'm doing wrong?  (I have a copy of RFC-2317 but
I'm still lost.)

Any assist would be appreciated.

Regards,
Gregory Hicks


Re: Classless CIDR delegation...

2009-08-15 Thread Gregory Hicks

> From: "Caveguy" 
> To: "Gregory Hicks" 
> Date: Sat, 15 Aug 2009 22:15:59 -0400
> Subject: Re: Classless CIDR delegation...
> 
> On Sat, 15 Aug 2009 18:59:03 -0700 (PDT), Gregory Hicks wrote:
> 
> > zone "96-28.55.139.64.in-addr.arpa" {
> ...
> >file "db.96-28.55.139.64.in-addr.arpa" ;
> 
> Try:
>  zone "96/28.55.139.64.in-addr.arpa" {
> 
> The - is ok in the filename where you cant use / but not in the zone
> name

Tried that.  Got new error now - along with the same old errors:

# named-checkzone 96/28.55.139.64.in-addr.arpa db.96*
db.96-28.55.139.64.in-addr.arpa:14: 96/28.55.139.64.in-addr.arpa: bad owner 
name (check-names)
db.96-28.55.139.64.in-addr.arpa:15: 96/28.55.139.64.in-addr.arpa: bad owner 
name (check-names)
db.96-28.55.139.64.in-addr.arpa:17: ignoring out-of-zone data 
(97.55.139.64.in-addr.arpa)
db.96-28.55.139.64.in-addr.arpa:18: ignoring out-of-zone data 
(98.55.139.64.in-addr.arpa)
db.96-28.55.139.64.in-addr.arpa:19: ignoring out-of-zone data 
(99.55.139.64.in-addr.arpa)
db.96-28.55.139.64.in-addr.arpa:20: ignoring out-of-zone data 
(100.55.139.64.in-addr.arpa)
db.96-28.55.139.64.in-addr.arpa:21: ignoring out-of-zone data 
(101.55.139.64.in-addr.arpa)
db.96-28.55.139.64.in-addr.arpa:22: ignoring out-of-zone data 
(102.55.139.64.in-addr.arpa)
db.96-28.55.139.64.in-addr.arpa:23: ignoring out-of-zone data 
(108.55.139.64.in-addr.arpa)
zone 96/28.55.139.64.in-addr.arpa/IN: loaded serial 2009081503
OK

Regards,
Gregory Hicks

> 
> Hope that helps
> 
> Bob Bradlee

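Taking the two posts above together with the hostname-compliance thread earlier on this page, here is an added example (my code, not from the thread and not from BIND) that produces both halves of an RFC 2317 delegation for the /28 in the post, 64.139.55.96/28, and applies the two checks named-checkzone reported: the out-of-zone test, and the RFC 952/1123 hostname grammar that check-names applies to the owner names of A and MX records, which is why a zone named 96/28.55.139.64.in-addr.arpa trips it at the apex while 96-28.55.139.64.in-addr.arpa does not. The nameserver names and PTR targets are taken from the post; the parent-side records are what the holder of 55.139.64.in-addr.arpa would add; the SOA contact and the ad.example.com delegation are constructed. delegation_records() also covers the earlier suggestion in this thread of handing Windows hosts a subdomain of their own.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def is_hostname(name: str) -> bool:
    """RFC 952/1123 hostname grammar, the test behind check-names for the
    owner names of A and MX records (among others): per label only letters,
    digits and hyphen, 1-63 octets, no leading or trailing hyphen; '*' is
    allowed as a wildcard label. '96/28' fails it, '96-28' passes."""
    n = name.rstrip(".")
    if not n or len(n) > 253:
        return False
    return all(label == "*" or HOST_LABEL.match(label) is not None
               for label in n.split("."))


def in_zone(owner: str, origin: str) -> bool:
    """The test behind named-checkzone's 'ignoring out-of-zone data'."""
    o, z = _norm(owner), _norm(origin)
    return o == z or o.endswith("." + z)


def _reverse_parent(network: str) -> str:
    """'55.139.64.in-addr.arpa.' for anything inside 64.139.55.0/24."""
    net = ipaddress.ip_network(network)
    return str(net.network_address.reverse_pointer).split(".", 1)[1] + "."


def delegation_records(child: str, nameservers: Dict[str, Optional[str]]) -> List[str]:
    """NS records for `child` plus A glue for every nameserver named inside
    it. The same records serve ad.example.com handed to Windows domain
    controllers and the parent side of an RFC 2317 reverse zone."""
    lines = [f"{child}\tIN NS\t{ns}" for ns in nameservers]
    for ns, ip in nameservers.items():
        if ip and in_zone(ns, child):          # glue is needed only in-zone
            lines.append(f"{ns}\tIN A\t{ip}")
    return lines


def rfc2317_parent(network: str, label: str,
                   nameservers: Dict[str, Optional[str]]) -> List[str]:
    """What the holder of the /24 reverse zone adds: a delegation of
    '<label>.<reverse /24>' and a CNAME per address pointing into it."""
    net = ipaddress.ip_network(network)
    parent = _reverse_parent(network)
    child = f"{label}.{parent}"
    lines = delegation_records(child, nameservers)
    for addr in net:
        host = str(addr).rsplit(".", 1)[1]
        lines.append(f"{host}.{parent}\tIN CNAME\t{host}.{child}")
    return lines


def rfc2317_child(network: str, label: str, nameservers: Iterable[str],
                  ptrs: Dict[str, str], mname: str, rname: str) -> List[str]:
    """The zone the delegated-to server loads. Every owner is spelled out
    under the zone's own origin, so nothing is out of zone, and every PTR
    target must be absolute, so nothing gets the origin appended to it."""
    net = ipaddress.ip_network(network)
    origin = f"{label}.{_reverse_parent(network)}"
    lines = [f"$ORIGIN {origin}", "$TTL 3600",
             f"@\tIN SOA\t{mname} {rname} ( 1 3600 900 604800 3600 )"]
    lines += [f"@\tIN NS\t{ns}" for ns in nameservers]
    for ip, target in ptrs.items():
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is not inside {network}")
        if not target.endswith("."):
            raise ValueError(f"PTR target {target!r} is not absolute")
        owner = f"{ip.rsplit('.', 1)[1]}.{origin}"
        assert in_zone(owner, origin)
        lines.append(f"{owner}\tIN PTR\t{target}")
    return lines


if __name__ == "__main__":
    ns = {"ns.hicks-net.net.": None, "ns0.xname.org.": None, "ns1.xname.org.": None}
    print("\n".join(rfc2317_parent("64.139.55.96/28", "96-28", ns)))
    print("\n".join(rfc2317_child("64.139.55.96/28", "96-28", ns,
                                  {"64.139.55.97": "rtr.hicks-net.net.",
                                   "64.139.55.108": "metis.hicks-net.net."},
                                  "ns.hicks-net.net.", "hostmaster.hicks-net.net.")))
```

Two things the generated child zone does differently from the posted one: each PTR owner is written under the zone's own origin (97.96-28.55.139.64.in-addr.arpa. rather than 97.139.55.64.in-addr.arpa.), and each PTR target is absolute, so a target like mx.hicks-net.net cannot silently become mx.hicks-net.net.96-28.55.139.64.in-addr.arpa. If the zone is named with "/" as in the follow-up, put `check-names ignore;` in that zone statement (named-checkzone takes `-k ignore`) so the apex A and MX records load; nothing else about the "/" form differs, and the CNAMEs in the parent simply have to point at whichever label was chosen.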

Re: call for testers (Re: ISC BIND 9.7.0b1 is now available)

2009-10-26 Thread Gregory Hicks

> Date: Wed, 21 Oct 2009 15:50:00 -0700
> From: JINMEI Tatuya / 神明達哉
>
> 
> 1. build 9.7.0b1
> 2. go to the "bind-9.7.0b1/bin/tests" directory
> 3. % make backtrace_test
> 4. % ./backtrace_test

metis% uname -a
SunOS metis 5.9 Generic_122300-31 sun4u sparc SUNW,Ultra-1

metis% make backtrace_test
gcc  -I/home/ghicks/incoming/bind/bind-9.7.0b1 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/dns/include  
-I../../lib/dns/include 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/isc/include  
-I../../lib/isc  -I../../lib/isc/include  -I../../lib/isc/unix/include  
-I../../lib/isc/pthreads/include  -I../../lib/isc/noatomic/include 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/isccfg/include  
-I../../lib/isccfg/include  
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/lwres/include  
-I../../lib/lwres/unix/include  -I../../lib/lwres/include
-D_REENTRANT -DBIND9 -D_XPG4_2 -D__EXTENSIONS__ -g   -W -Wall 
-Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat 
-Wpointer-arith -fno-strict-aliasing   -o backtrace_test_nosymtbl \
backtrace_test.c ../../lib/isc/libisc.a  -L/usr/local/ssl/lib 
-R/usr/local/ssl/lib -R/usr/local/ssl/lib -lcrypto -ldl -lnsl -lsocket 
-lpthread  -lthread
#first step: create a first symbol table
rm -f symtbl.c
if test X/usr/bin/perl != X; then \
/usr/bin/perl ../../util/mksymtbl.pl \
backtrace_test_nosymtbl; else \
cp ../../lib/isc/backtrace-emptytbl.c symtbl.c; fi
#second step: build a binary with the first symbol table
gcc  -I/home/ghicks/incoming/bind/bind-9.7.0b1 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/dns/include  
-I../../lib/dns/include 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/isc/include  
-I../../lib/isc  -I../../lib/isc/include  -I../../lib/isc/unix/include  
-I../../lib/isc/pthreads/include  -I../../lib/isc/noatomic/include 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/isccfg/include  
-I../../lib/isccfg/include  
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/lwres/include  
-I../../lib/lwres/unix/include  -I../../lib/lwres/include
-D_REENTRANT -DBIND9 -D_XPG4_2 -D__EXTENSIONS__ -g   -W -Wall 
-Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat 
-Wpointer-arith -fno-strict-aliasing   \
-o backtrace_test0 backtrace_test.c symtbl.c \
../../lib/isc/libisc-nosymtbl.a  -L/usr/local/ssl/lib 
-R/usr/local/ssl/lib -R/usr/local/ssl/lib -lcrypto -ldl -lnsl -lsocket 
-lpthread  -lthread
rm -f symtbl.c
#third step: create a second symbol table
if test X/usr/bin/perl != X; then \
/usr/bin/perl ../../util/mksymtbl.pl backtrace_test0; else \
cp ../../lib/isc/backtrace-emptytbl.c symtbl.c; fi
#fourth step: build the final binary
rm -f backtrace_test0
gcc  -I/home/ghicks/incoming/bind/bind-9.7.0b1 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/dns/include  
-I../../lib/dns/include 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/isc/include  
-I../../lib/isc  -I../../lib/isc/include  -I../../lib/isc/unix/include  
-I../../lib/isc/pthreads/include  -I../../lib/isc/noatomic/include 
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/isccfg/include  
-I../../lib/isccfg/include  
-I/home/ghicks/incoming/bind/bind-9.7.0b1/lib/lwres/include  
-I../../lib/lwres/unix/include  -I../../lib/lwres/include
-D_REENTRANT -DBIND9 -D_XPG4_2 -D__EXTENSIONS__ -g   -W -Wall 
-Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat 
-Wpointer-arith -fno-strict-aliasing   \
-o backtrace_test backtrace_test.c symtbl.c 
../../lib/isc/libisc-nosymtbl.a  -L/usr/local/ssl/lib 
-R/usr/local/ssl/lib -R/usr/local/ssl/lib -lcrypto -ldl -lnsl -lsocket 
-lpthread  -lthread
rm -f symtbl.c
metis% ./backtrace_test
isc_backtrace_gettrace failed: not implemented
metis% 
> 
> On success, "backtrace_test" simply exits without any output (I know
> it's not a good UI); if something goes wrong it will dump some warning
> messages to stderr and exit with a non-0 exit code.  If the test fails
> on your platform, please report it to bind9-b...@isc.org, including
> the OS, its version, and hardware architecture (x86, amd64, sparc,
> etc).
> 
> There are several known defects:
> - this feature doesn't work if it's built with libtool
> - this doesn't work for Windows (probably obvious)
> these cases don't have to be tested.
> 
> Thanks,
> 
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.

Re: Bind sometimes SERVFAIL

2009-11-11 Thread Gregory Hicks

> From: "Pawel Rutkowski" 
> To: 
> Subject: Bind sometimes SERVFAIL
> Date: Wed, 11 Nov 2009 07:42:14 +0100
> 
> Hello,
> 
> My Internet ISP give two nameservers address.
> But when I'm asking those two servers sometimes I get:
> [r...@linux ~]# host d.yimg.com ns.my.isp
> Using domain server:
> Name: ns.my.isp
> Address: ns.my.isp#53
> Aliases:
> Host d.yimg.com not found: 2(SERVFAIL)

I just saw the same thing:

metis% host d.timg.com
Host d.timg.com not found: 3(NXDOMAIN)
metis% !!
host d.timg.com
Host d.timg.com not found: 3(NXDOMAIN)
metis% host d.yimg.com 
d.yimg.com is an alias for geoycs-d.gy1.b.yahoodns.net.
geoycs-d.gy1.b.yahoodns.net is an alias for 
fo-anyycs-d.ay1.b.yahoodns.net.
fo-anyycs-d.ay1.b.yahoodns.net has address 98.137.88.88
metis% named -v
BIND 9.6.1-P1

Above executed in the space of about a minute...
> 
> but sometimes I get:
> 
> [r...@linux ~]# host d.yimg.com ns.my.isp
> Using domain server:
> Name: ns.my.isp
> Address: ns.my.isp#53
> Aliases:
> d.yimg.com is an alias for geoycs-d.gy1.b.yahoodns.net.
> geoycs-d.gy1.b.yahoodns.net is an alias for 
fo-anyycs-d.ay1.b.yahoodns.net.
> fo-anyycs-d.ay1.b.yahoodns.net has address 98.137.80.54
> 
> 
> He explain me this thats a normal because of this:
> http://www.faqs.org/rfcs/rfc2308.html
>    Some resolvers incorrectly continue processing if the authoritative
>    answer flag is not set, looping until the query retry threshold is
>    exceeded and then returning SERVFAIL.  This is a problem when your
>    nameserver is listed as a FORWARDER for such resolvers.  If the
>    nameserver is used as a FORWARDER by such resolver, the authority
>    flag will have to be forced on for NXDOMAIN responses to these
>    resolvers.  In practice this causes no problems even if turned on
>    always, and has been the default behaviour in BIND from 4.9.3
>    onwards.
> 
> Is this true ?
> 
> Thanks
> Pawel R.
> 
> 
> 



Re: Split view logging?

2009-11-19 Thread Gregory Hicks

> From: Chris Buxton 
> Date: Tue, 17 Nov 2009 08:16:18 -0800
> 
> On Nov 17, 2009, at 7:02 AM, John Horne wrote:
> 
> > Hello,
> > 
> > Using BIND 9.5.1, is it possible to configure split view logging -
> > that is, a separate logging channel/category for different views?
> > I'm trying to separate out the queries of our local clients from
> > the external ones.
> 
> No, not using views. The logging statement, like the options
> statement, is a singleton statement type.
> 
> You would have to stand up separate instances of named, with separate
> configs, to achieve your goal.

Well, not exactly...

I have two views:  "trusted" (hosts on my internal LAN), and "external"
(hosts external to my LAN).  I want queries logged from my internal LAN
to /var/log/named.trusted.{0-9} and all other queries to go to
/var/log/named.external.{0-9}.  I've also got some odd sods and trash
going to other log files...

First, create a 'pipe' in the /var/log directory with the name of the
logging file.  (You probably want to do this in the named startup
script.)  Log absolutely EVERYTHING to the log file.

Here are three sample log entries coming from the 'pipe':

19-Nov-2009 14:39:30.701 queries: info: client 127.0.0.1#50776: view trusted: query: reutersukmedia.outbound.ed10.com IN A +

19-Nov-2009 14:40:01.923 queries: info: client 213.91.4.46#59094: view external: query: _policy._domainkey.hicks-net.net IN TXT -EDC

19-Nov-2009 14:41:00.712 queries: info: client 127.0.0.1#50777: view trusted: query: a3.twimg.com IN A +

Then, as another step in the startup script, do a "read while true" on
the pipe.  Pipe that to a

"grep trusted >>named.trusted | grep external >>named.external | tee
named.log >/dev/null"...  

Stick in as many other grep commands as desired.  (Given my setup,
there isn't much going to named.log...)

Voila!  Separate log files by query location.

(The original incantation for the above was from a mail host that
required two sendmail configs where, of course, all sendmail
messages are logged by the system logger.  One config was for an
incoming 'normal' port.  This one fed received mail to a spam scanner
from...someone.  This spam scanner fed the output to a second sendmail
process.  This setup was required because the scanner software didn't
queue mail for delivery.  The setup, while somewhat awkward, worked
fine and lasted a long time...)

You will also have to configure log rotation yourself since the "pipe"
never reaches the stated size.

Regards,
Gregory Hicks

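The FIFO-reader step described in the post, written out as a shell script. This is an added example, not code from the post: it reads the pipe once and fans each line out by its "view ...:" tag with a case statement, and the FIFO path /var/log/named.pipe and the log directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: split BIND query-log lines
# by view. Lines are read from stdin (in the startup script, from the FIFO
# that the named logging channel writes to) and each line is appended once to
# the file for its view; anything without a "view ...:" tag goes to named.log.
# The FIFO path and log directory below are assumptions.

split_named_log() {
    logdir=${1:-/var/log}
    while IFS= read -r line; do
        case $line in
            *" view trusted: "*)  printf '%s\n' "$line" >> "$logdir/named.trusted" ;;
            *" view external: "*) printf '%s\n' "$line" >> "$logdir/named.external" ;;
            *)                    printf '%s\n' "$line" >> "$logdir/named.log" ;;
        esac
    done
}

# Startup-script use (assumed FIFO path). named blocks once the FIFO is full,
# so the reader must be running before named starts and restarted if it dies.
#   mkfifo -m 0600 /var/log/named.pipe
#   split_named_log /var/log < /var/log/named.pipe &

# Constructed sample: the three query lines from the post plus one non-query
# line. Returns the "trusted external other" line counts: "2 1 1".
demo_split() {
    dir=$(mktemp -d) || return 1
    split_named_log "$dir" <<'EOF'
19-Nov-2009 14:39:30.701 queries: info: client 127.0.0.1#50776: view trusted: query: reutersukmedia.outbound.ed10.com IN A +
19-Nov-2009 14:40:01.923 queries: info: client 213.91.4.46#59094: view external: query: _policy._domainkey.hicks-net.net IN TXT -EDC
19-Nov-2009 14:41:00.712 queries: info: client 127.0.0.1#50777: view trusted: query: a3.twimg.com IN A +
19-Nov-2009 14:41:05.000 general: info: zone hicks-net.net/IN: loaded serial 2009111901
EOF
    count() { wc -l < "$1" | tr -d ' '; }
    printf '%s %s %s\n' "$(count "$dir/named.trusted")" \
        "$(count "$dir/named.external")" "$(count "$dir/named.log")"
    rm -rf "$dir"
}
```

Because the splitter appends to ordinary files, logrotate (or a dated rename plus a restart of the reader) still has to be arranged separately, as the post notes.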


Re: Has anyone Seen the NANOG post titled "Upcoming DNS behavior changes to .com/.net/.edu name servers"

2010-01-19 Thread Gregory Hicks

> Date: Tue, 19 Jan 2010 13:36:39 -0600
> From: "da...@from525.com" 
> 
> All, 
>
> Last Friday (Jan 8th 2010) Matt Larson from Verisign started a thread
> on the NANOG mailing list titled "Upcoming DNS behavior changes to
> .com/.net/.edu name servers". [...snip...]
>
> http://mailman.nanog.org/pipermail/nanog/2010-January/016924.html 

It was also posted to the dns-ops list.



Re: How to make one ZONE (subdomain) non-public?

2010-04-12 Thread Gregory Hicks

> Date: Mon, 12 Apr 2010 09:52:03 +0200
> From: Matus UHLAR - fantomas 
> 
> On 12.04.10 09:47, Michelle Konzack wrote:
> > in my domain I have a "subdomain" which is absolutely private  and
> > non-accessible from the rest of the world.  It uses <192.168.x.y>.
> > 
> > Which option must I use so that this ZONE is only accessible/visible locally?
> 
> allow-access in zone statement.

I think the easiest way to do this would be to make several VIEWS.  Put the
zone file for the subdomain in the internal-only view.  Yes, some zone
descriptions would be duplicated, but... Oh well...

For instance, when it is time for my children to do homework, I add a
zone "facebook.com" that points to localhost to my zone descriptions.
This effectively locks them out of facebook for the duration of
"homework time".  (This local facebook.com zone is NOT something that I
would want the internet to use...)

eg:

// for the ACL, you can put in CIDR notation for your network ALSO...
// Note that the difference between the zone descriptions is that
// "some-subdomain" is missing from the external view.  You would also
// populate the views with any additional zones...

acl internal { localhost; localnets; };

view "trusted" {
  match-clients { "internal"; };
  recursion yes;

  zone "ext-domain" in {
    type master;
    file "db.ext-domain";
    allow-update { none; };
    allow-transfer { ; ; };
  };

  zone "some-subdomain" in {
    type master;
    file "db.sub-domain";
    allow-update { none; };
    allow-transfer { ; ; };
  };

  // More zone(s) {}

}; // End of trusted or internal view

view "external" {
  match-clients { "any"; };
  recursion no;
  additional-from-cache no;

  zone "ext-domain" in {
    type master;
    file "db.ext-domain";
    allow-update { none; };
    allow-transfer { ; ; };
  };

}; // End of External view



Re: logging forwarding reqs

2010-04-15 Thread Gregory Hicks

> Date: Thu, 15 Apr 2010 14:25:35 -0400
> Subject: Re: logging forwarding reqs
> From: Jonathan Reed 
> To: bind-users@lists.isc.org
> 
> But I am still unable to determine if those reqs are asking the
> forwarders.
>
> The forwarders are all Windows boxes which I dont have rights to
> access.  Still hoping there is something within bind9 that can say
> the req went to fwd'er.

Since you don't have access to the Windows boxen, it seems to me that
this is a candidate for the "old sniff the firewall" trick.

Sniff the DNS traffic on the internal facing connection of your
firewall (you DO have a firewall, don't you?) and see which IP
addresses the DNS requests are originating from.  If from your Windows
boxen, then the forwarding is working correctly.  (You ARE getting dns
requests resolved on the non-windows clients, are you not?)

If not from the Windows boxen, then there is an error in your setup.

Regards,
Gregory Hicks

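The "sniff the firewall" check from the reply above, reduced to a script that tallies the source addresses of outbound DNS queries and flags any that are not one of the expected forwarders. This is an added example, not code from the thread; it assumes tcpdump's default one-line output with -nn, and the forwarder addresses and capture lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: tally the source addresses of
# outbound DNS queries seen on the firewall's inside interface and report any
# that are not an expected forwarder. Input is tcpdump's one-line output, e.g.
#   tcpdump -nn -l -i <inside-if> 'udp dst port 53'
# The forwarder addresses and the capture lines below are constructed.

# Usage: unexpected_dns_sources "fwd1 fwd2 ..." < capture.txt
# Prints one "count address" line per source that is NOT a listed forwarder;
# an empty result means every outbound query came from a forwarder.
unexpected_dns_sources() {
    expected=$1
    # tcpdump -nn prints "... IP src.port > dst.53: ..."; field 3 is src.port,
    # so strip the trailing ".port" to get the address.
    awk -v expected="$expected" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $2 == "IP" && $5 ~ /\.53:$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)
            if (!(src in ok)) seen[src]++
        }
        END { for (s in seen) print seen[s], s }' | sort -k2
}

# Constructed capture: two forwarders behaving, one client (192.0.2.57) that
# is resolving on its own, and a reply packet that must be ignored.
demo_check() {
    unexpected_dns_sources "192.0.2.10 192.0.2.11" <<'EOF'
14:25:35.100001 IP 192.0.2.10.53211 > 198.51.100.1.53: 12345+ A? example.com. (29)
14:25:35.100450 IP 192.0.2.11.40122 > 198.51.100.1.53: 12346+ A? example.net. (29)
14:25:36.000010 IP 192.0.2.57.61000 > 198.51.100.1.53: 1+ A? example.org. (29)
14:25:36.200010 IP 192.0.2.57.61001 > 198.51.100.1.53: 2+ AAAA? example.org. (29)
14:25:37.000000 IP 198.51.100.1.53 > 192.0.2.10.53211: 12345 1/0/0 A 203.0.113.5 (45)
EOF
}
```

A non-empty report points at a client whose resolver is bypassing the forwarders, which is the "error in your setup" case the reply describes.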


Re: problem with domain and sub-domain configuration

2010-05-03 Thread Gregory Hicks

> Date: Mon, 03 May 2010 17:37:46 +0200
> From: fddi 
> To: Bind Users Mailing List 
> Subject: problem with domain and sub-domain configuration
> 
> Hello I have one domain
> 
> test.com with nameserver ns.test.com (10.0.0.1)
> 
> and a subdomain
> 
> cr.test.com with nameserver ns.cr.test.com (10.1.0.1)
> 
> 
> my problem is that if I update hostnames inside test.com zone
> updates are not seen by cr.test.com nameserver

Do you update the serial number in the zone file before you save the 
file?  

What you describe seems indicative of no update.  The serial must be 
bumped once per update.  This indicates that the zone has been changed 
and a reload is necessary.  After you save the zone file, execute a 
"rndc reload " to make named reload the zone.

Hope this helps.

> 
> they are seen if I restart named on cr.test.com
> 
> 
> actually on ns.cr.test.com I have the following directive
> 
> zone "test.com" IN {
> type forward;
> forward only;
> forwarders { 10.0.0.1; };
> };
> 
> but when I update the father zone test.com, for example I add an ip address,
> the update is not seen by cr.test.com nameserver and I have to restart
> named and after that it works. So that clients using cr.test.com nameserver
> cannot see updates to test.com domain ip addresses.
> 
> I do not know how to fix this problem unless I configure cr.test.com to
> be slave of test.com, but I did not want to do so.
> 
> any hints ?
> 
> thank you
> 
> Rick
> 

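The "bump the serial, then reload" step from the reply above, as a script. This is an added example, not code from the thread: it assumes the serial is the first field of a line ending in "; serial", and the zone fragment it builds for the demonstration is constructed (only the test.com name comes from the thread).

```shell
#!/bin/sh
# Added example, not from the original thread: bump a zone file's SOA serial
# before reloading it, as the reply above says must happen on every change.
# Serials in YYYYMMDDnn form get today's date with nn restarting at 01, or
# nn+1 if the date part is already today; any other serial is incremented.
# Assumes the serial is the first field on a line ending in "; serial".

bump_serial() {
    zonefile=$1
    today=${2:-$(date +%Y%m%d)}   # second argument keeps tests date-independent
    tmp="$zonefile.tmp.$$"
    awk -v today="$today" '
        /;[ \t]*serial[ \t]*$/ && !done {
            old = $1
            if (length(old) == 10 && old ~ /^[0-9]+$/ && substr(old, 1, 8) <= today) {
                if (substr(old, 1, 8) == today) new = old + 1
                else new = today "01"
            } else {
                new = old + 1      # plain counter, or a date serial already in the future
            }
            sub(/[0-9]+/, new)     # replace only the serial, keep the indentation
            done = 1
        }
        { print }' "$zonefile" > "$tmp" && mv "$tmp" "$zonefile"
}

current_serial() {
    awk '/;[ \t]*serial[ \t]*$/ { print $1; exit }' "$1"
}

# After bumping, validate the file and reload just that zone (real BIND commands):
#   named-checkzone test.com db.test.com && rndc reload test.com

# Constructed zone fragment; prints the serials after three bumps:
# "2010050302 2010050401 43" (same day, next day, plain counter).
demo_bump() {
    z=$(mktemp) || return 1
    printf '%s\n' '@ IN SOA ns.test.com. hostmaster.test.com. (' \
        '        2010050301 ; serial' '        3600 ; refresh' '        900 ; retry' \
        '        604800 ; expire' '        86400 ) ; minimum' > "$z"
    bump_serial "$z" 20100503; s1=$(current_serial "$z")
    bump_serial "$z" 20100504; s2=$(current_serial "$z")
    printf '%s\n' '        42 ; serial' > "$z"
    bump_serial "$z" 20100504; s3=$(current_serial "$z")
    rm -f "$z"
    echo "$s1 $s2 $s3"
}
```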


Re: Bind 9.7.0-P2 Bus Error - Solaris 9

2010-06-14 Thread Gregory Hicks

> From: b19...@anl.gov
> To: bind-users@lists.isc.org
> Subject: Re: Bind 9.7.0-P2 Bus Error - Solaris 9
> Date: Mon, 14 Jun 2010 13:53:13 -0500 (CDT)
> 
> b19141> This morning on a Solaris 9 system, I issued these comands:
> b19141> titania% dig cnnet.upr.edu
> b19141> ; <<>> DiG 9.7.0-P1 <<>> cnnet.upr.edu
> [...]
> b19141> Bus Error (core dumped)
> 
> ebers...@isc.org (Paul Ebersman) replied:
> 
> >Tried to repro on ubuntu and mac os with this bind version. Unless I try
> >to control-C out, I can't repro this. If left to run, dig just times out
> >(all three NS are unreachable for that zone, at least from my machines).
> >
> >Did you try to abort the +trace before it timed out?
> 
> I tried again a few minutes ago, and I got the same
> 
>  "Bus Error (core dumped)"
> 
> I did not hit control-c.

Well, I don't get a core-dump but I DO get "connection timed out"...

metis% cd incoming/bind/bind-9.7*1
/home/ghicks/incoming/bind/bind-9.7.0-P1
metis% cd bin/dig
/home/ghicks/incoming/bind/bind-9.7.0-P1/bin/dig
metis% ./dig cnnet.upr.edu

; <<>> DiG 9.7.0-P1 <<>> cnnet.upr.edu
;; global options: +cmd
;; connection timed out; no servers could be reached

metis% ./dig cnnet.upr.edu +trace

; <<>> DiG 9.7.0-P1 <<>> cnnet.upr.edu +trace
;; global options: +cmd
.   283923  IN  NS  f.root-servers.net.
.   283923  IN  NS  d.root-servers.net.
.   283923  IN  NS  h.root-servers.net.
.   283923  IN  NS  b.root-servers.net.
.   283923  IN  NS  e.root-servers.net.
.   283923  IN  NS  m.root-servers.net.
.   283923  IN  NS  c.root-servers.net.
.   283923  IN  NS  j.root-servers.net.
.   283923  IN  NS  k.root-servers.net.
.   283923  IN  NS  l.root-servers.net.
.   283923  IN  NS  a.root-servers.net.
.   283923  IN  NS  i.root-servers.net.
.   283923  IN  NS  g.root-servers.net.
;; Received 336 bytes from 127.0.0.1#53(127.0.0.1) in 10 ms

edu.172800  IN  NS  e.gtld-servers.net.
edu.172800  IN  NS  a.gtld-servers.net.
edu.172800  IN  NS  d.gtld-servers.net.
edu.172800  IN  NS  f.gtld-servers.net.
edu.172800  IN  NS  c.gtld-servers.net.
edu.172800  IN  NS  l.gtld-servers.net.
edu.172800  IN  NS  g.gtld-servers.net.
;; Received 299 bytes from 192.228.79.201#53(b.root-servers.net) in 27 ms

upr.edu.172800  IN  NS  dns1.uprm.edu.
upr.edu.172800  IN  NS  dns2.uprm.edu.
upr.edu.172800  IN  NS  ns1.upr.edu.
upr.edu.172800  IN  NS  upr1.upr.clu.edu.
;; Received 183 bytes from 192.35.51.30#53(f.gtld-servers.net) in 19 ms

cnnet.upr.edu.  28800   IN  NS  NS1.cnnet.upr.edu.
cnnet.upr.edu.  28800   IN  NS  GOLIATH.cnnet.upr.edu.
cnnet.upr.edu.  28800   IN  NS  NS3.cnnet.upr.edu.
;; Received 137 bytes from 136.145.5.66#53(ns1.upr.edu) in 118 ms

;; connection timed out; no servers could be reached
metis% 


Re: I get "No mail exchanger (MX) records available for rim.com" error just for a couple of domains

2010-08-19 Thread Gregory Hicks

> Date: Thu, 19 Aug 2010 11:58:45 -0700
> Subject: Re: I get "No mail exchanger (MX) records available for 
rim.com" error just for a couple of domains
> From: Samad Agha 
> To: Dave Sparro 
> Cc: bind-users@lists.isc.org
> 
--- original
Dave or anyone else who can help:

1- ns2 is a solaris 8 box.

2- I'm not sure what version of bind is running on it (I'm
relatively new here). I do "#named -v" and I get nothing. When I
perform "# find / -name named", I only get "/var/named" as output. This
is a directory with all the db.* files in it.

3- Which log file can I look in to see this? There is nothing in the
/var/adm/messages.0 file.
---end original

named on a solaris boxen is usually called "in.named", which is generally
stored at /usr/sbin/in.named ...  (IF you're running the "as
distributed" version...)

Do "ps -ef|grep named" to see which version is running.

Where your logfiles are stored depends on your /etc/named.conf...
Typically, this file either exists in /etc or in whatever .../etc
directory that may be named on the command line when named is started.
("ps -ef|grep named" is your friend to find out...)

After you find out WHICH named is running, you can find out the
version, config file, etc, etc...

HTH.

Regards,
Gregory Hicks