Re: Checking for zone expiration?

2012-05-21 Thread Mike Hoskins
-Original Message-
From: Barry Margolin 
Organization: A noiseless patient Spider
Date: Monday, May 21, 2012 12:59 PM
To: 
Subject: Re: Checking for zone expiration?

>In article ,
> Alan Batie  wrote:
>
>> We had a rather key zone mysteriously expire on a slave this morning -
>> the log files show a transfer a couple weeks ago, but it hadn't been
>> updated so there was no reason for one since and there were no log
>> entries about failed connection attempts.  I was wondering if there's a
>> way to check the remaining time on a zone for monitoring?  If you fetch
>> the SOA, you get the full ttl, for obvious reasons, not the server's
>> timer...
>
>Check the modification time of the zone file on the slave server, that's
>when it was last refreshed.
>
>-- 
>Barry Margolin
>Arlington, MA

as usual there is more than one way to skin a cat...  another
network-based way that doesn't involve local mtime checks would be
querying the master soa from your monitoring host, and then hitting each
slave on port 8080 (or whatever) via statistics-channels (if you enable
it) as mentioned earlier on the list.  the statistics view returns xml you
can parse which includes the zones and serials for each zone in each view
on the slave.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Checking for zone expiration?

2012-05-21 Thread Mike Hoskins
-Original Message-
From: Mark Pettit 
Date: Monday, May 21, 2012 3:53 PM
To: Microsoft Office User 
Cc: Barry Margolin ,
"comp-protocols-dns-b...@isc.org" 
Subject: Re: Checking for zone expiration?

>On May 21, 2012, at 2:02 PM, Mike Hoskins wrote:
>
>> as usual there is more than one way to skin a cat...  another
>> network-based way that doesn't involve local mtime checks would be
>> querying the master soa from your monitoring host, and then hitting each
>> slave on port 8080 (or whatever) via statistics-channels (if you enable
>> it) as mentioned earlier on the list.  the statistics view returns xml you
>> can parse which includes the zones and serials for each zone in each view
>> on the slave.
>
>I have not tried this, so pardon me if I misunderstand, but getting the
>zones and serials from each zone on a slave does not help you determine
>if a zone is about to expire.
>
>If a zone doesn't change for two years, the serial will never change.
>But the refresh timer will expire over and over, and each time the zone
>must be refreshed.  The only guaranteed way I know of to determine
>whether or not it's been refreshed is to check the mtime on the zone file
>on the slave.

*sigh* thanks for the stupidity catch, i jumped the gun -- just enabled
statistics-channels and trying to find more uses for it!  ;-)

maybe this could be a feature in a future bind release (per-zone
expiration timer in statistics output).  we generally always work to move
anything we can from local/shell-based checks to network queries.
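The check the two replies above converge on (the slave's zone file mtime marks the last successful refresh, so mtime plus the SOA EXPIRE value is when the slave will drop the zone), written out as an added example; this is not code from the list or from BIND. It assumes text-format zone files (not `masterfile-format raw`) and uses a constructed zone and constructed timestamps; on a real slave the mtime comes from `os.stat(path).st_mtime`.

```python
"""Estimate how long a slave zone has left before it expires.

Added example.  The slave's zone file mtime is taken as the time of the
last successful refresh (the point made in the thread) and combined with
the SOA EXPIRE timer parsed from the zone file text.
"""
import re
import time

# BIND time-unit suffixes accepted in zone files (case-insensitive).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(value):
    """Turn '3600', '2h' or '1w2d' into seconds."""
    if value.isdigit():
        return int(value)
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdwSMHDW])", value):
        total += int(num) * _UNITS[unit.lower()]
    if total == 0:
        raise ValueError("bad TTL value: %r" % value)
    return total


def parse_soa_timers(zone_text):
    """Return (serial, refresh, retry, expire, minimum) from zone file text.

    Handles the usual multi-line parenthesised SOA form as well as a
    single-line SOA; ';' comments are stripped first.
    """
    lines = [ln.split(";", 1)[0] for ln in zone_text.splitlines()]
    tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
    soa_at = [k for k, tok in enumerate(tokens) if tok.upper() == "SOA"]
    if not soa_at:
        raise ValueError("no SOA record found")
    fields = tokens[soa_at[0] + 3:soa_at[0] + 8]   # skip MNAME and RNAME
    if len(fields) != 5:
        raise ValueError("SOA needs 5 timer fields, got %r" % (fields,))
    serial = int(fields[0])
    refresh, retry, expire, minimum = (parse_ttl(f) for f in fields[1:])
    return serial, refresh, retry, expire, minimum


def seconds_until_expire(zone_text, last_refresh_mtime, now=None):
    """Seconds left before the slave stops serving the zone (negative: expired)."""
    now = time.time() if now is None else now
    expire = parse_soa_timers(zone_text)[3]
    return (last_refresh_mtime + expire) - now


def check_zone(zone_text, last_refresh_mtime, now=None, warn_fraction=0.25):
    """Monitoring verdict: OK, WARNING (under warn_fraction of EXPIRE left) or CRITICAL."""
    remaining = seconds_until_expire(zone_text, last_refresh_mtime, now)
    expire = parse_soa_timers(zone_text)[3]
    if remaining <= 0:
        return "CRITICAL"
    if remaining < expire * warn_fraction:
        return "WARNING"
    return "OK"


# Constructed sample: a slave zone file in text form with a two-week EXPIRE.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@  IN SOA ns1.example.test. hostmaster.example.test. (
        2012052101 ; serial
        2h         ; refresh
        15m        ; retry
        2w         ; expire
        5m         ; minimum
        )
   IN NS ns1.example.test.
"""

if __name__ == "__main__":
    last_transfer = 1337000000            # constructed mtime of the slave's zone file
    for days in (3, 12, 15):
        verdict = check_zone(SAMPLE_ZONE, last_transfer, last_transfer + days * 86400)
        print("%2d days after last refresh: %s" % (days, verdict))
```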




Re: Bind configuration and log error

2012-05-23 Thread Mike Hoskins
-Original Message-
From: Matus UHLAR - fantomas 
Date: Wednesday, May 23, 2012 4:04 AM
To: 
Subject: Re: Bind configuration and log error

>On 23.05.12 12:56, Amira Othman wrote:
>>I have in my messages log file many lines as follows but with different
>>domains unreachable what does this mean:
>>
>>named[15490]: network unreachable resolving
>>'platinum.cs.umanitoba.ca/A/IN'
>>
>>also I can't dig or nslookup or ping my DNS server remotely what should
>>I do to enable that?
>
>your server apparently has problems with internet connectivity. Is it
>behind a firewall?

i suppose it could be peering or some other internet anomaly as well,
anything affecting connectivity?

i'm in the middle of migrating several large sites from tiny to bind and
had to work through errors in logs with firewall admins...  allowing
general 'any 53 udp/tcp' access and adjusting permissible udp payload size
for edns are the two main examples which are well understood.  that said,
even after the firewall admins opened up access to any on 53 udp/tcp from
the name servers i still see these in my logs...but only occasionally and
typically for hosts that are "far away" geographically.

after having the firewall configuration shown to me in plain text, i
mostly wrote it off...how often do others see this?

thanks!




Re: Bind configuration and log error

2012-05-23 Thread Mike Hoskins
-Original Message-
From: Amira Othman 
Date: Wednesday, May 23, 2012 3:56 AM
To: 
Subject: Bind configuration and log error

>Hi all
>
>I have in my messages log file many lines as follows but with different
>domains unreachable what does this mean:
>
>named[15490]: network unreachable resolving
>'platinum.cs.umanitoba.ca/A/IN'
>
>also I can't dig or nslookup or ping my DNS server remotely what should I
>do to enable that?

i selfishly focused too much on the log message and ignored your question
at the end...

if you can't dig or ping the server (do you really need to be able to ping
it?  many smart admins will filter most icmp only allowing type 3, code 4
to avoid breaking pmtud), first check intermediate firewalls as Matus
suggested.  on your test host fire up a "ping " and on your
name server run "tcpdump -i  -vvv host " (
should be the interface with the ip address hosting bind) and ensure you
can see the icmp traffic.  do the same for dig.  if you don't see the
traffic at all, it's getting dropped upstream.

that said, you might also share your named.conf and more details...  it's
possible you also need to ensure your listen-on and things like
match-destinations within views are properly configured.  at this point,
you might also want to enable query logging so it's clear when things are
working just by watching the named logs.

the secure bind template includes a logging configuration that enables
query logging:

http://www.cymru.com/Documents/secure-bind-template.html




Re: different between views and having multiple instances

2012-05-24 Thread Mike Hoskins
-Original Message-
From: Amira Othman 
Date: Thursday, May 24, 2012 8:04 AM
To: 
Subject: different between views and having multiple instances

>Hi all
>
>I need to understand the difference between configuring bind views and
>having multiple instances of bind. I have 5 network interfaces on my server
>and I want to have 2 instances of DNS server (just for testing) and I don't
>know which one to do ?

i'm sure others will chime in with additional detail, but i think it's
largely a matter of your needs and level of paranoia.  if you are
separating authoritative and caching functions, do you trust software to
institute that policy or do you want to have physical segregation?

i use views extensively now, and haven't had any issues...  but have gone
the physical route in the past (particularly before views existed).
however, when i did that i actually had entirely different servers on
disparate networks hosting the internal and external instances of bind.

the other thing is if your testing needs to stop/start named for some
reason, it might be less impactful to run separate instances.  however, if
you run 'rndc' you will see that many of the commands can be run in a
manner that only affects specified views.

historically there were also performance considerations, but i think those
are mostly moot with all the tuning in recent releases.

if it's all on one server, views probably make sense...




Re: Default Options

2012-06-05 Thread Mike Hoskins
i'd love to hear there is...  something like postconf.  :-)

in the past, i've always read through the options syntax section of each
version's ARM to determine current defaults.  documentation can get out of
date or have errors though, so a command that prints real values would be
a useful auditing tool.

-Original Message-
From: "Manson, John" 
Date: Tuesday, June 5, 2012 8:02 AM
To: "'bind-users@lists.isc.org'" 
Subject: Default Options

>Is there a command for bind that will list all Options default names and
>settings in named.conf?
>Might be helpful in understanding why bind is acting a certain way.
> 
>Thanks
> 
> 
> 
>John Manson 
>CAO/HIR/NI Data-Communications | U.S. House of Representatives |
>Washington, DC 20515
>Desk: 202-226-4244 | Team: 202-225-5552 | john.man...@mail.house.gov




Re: VMware & Bind

2012-06-05 Thread Mike Hoskins
absolutely -- after a few weeks of migration effort (my own choice to move
clients in phases to mitigate risk), i have moved several thousand clients
from bare metal + tinydns to ucs/vmware/bind with no reported issues.

many of these are demanding "power users" (developers with what i'd often
categorize as "insane" workloads, firing off queries in batches of 10's of
thousands of uncached forward/reverse RRs).

that said, we were fairly cautious and chose to deploy load balanced vips
as our nameservers in resolv.conf.  this imposes a slight hit as each
cache must be warmed independently (some sort of mechanism allowing a
single cache to be shared amongst a cluster of binds via rpc or similar
would be cool, while imposing its own overhead), but gave desired
resilience in the case of individual virtual machines getting overloaded
or ucs chassis/switches/etc requiring maintenance.  each vip has a set of
virtual machines on separate power sources, network uplink, etc.

we also use cfengine to creatively alternate odd/even-numbered hosts
across vips (you could do this with any DNS software, and i recommend it
along with the use of 'options' -- if you don't have legacy clients which
won't support it -- so failure of a single VIP/server won't maim entire
clusters), and got better monitoring thanks to statistics-channels.

-Original Message-
From: "Manson, John" 
Date: Tuesday, June 5, 2012 9:58 AM
To: "'bind-users@lists.isc.org'" 
Subject: VMware & Bind

>Will bind run on VMware?
> 
> 
>John Manson 
>CAO/HIR/NI Data-Communications | U.S. House of Representatives |
>Washington, DC 20515
>Desk: 202-226-4244 | Team: 202-225-5552 | john.man...@mail.house.gov




Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-05 Thread Mike Hoskins
-Original Message-
From: Doug Barton 
Organization: http://SupersetSolutions.com/
Date: Tuesday, June 5, 2012 11:49 AM
To: JINMEI Tatuya / 神明達哉 
Cc: 
Subject: Re: Recommended value for max-cache-size for cache-only shared
hosts..

>On 6/5/2012 11:30 AM, JINMEI Tatuya / 神明達哉 wrote:
>> Good question, I wonder the same thing:-) I don't remember the
>> original plan, but I guess it was actually planned to be deprecated
>> but it has just been forgotten or left as a lower priority thing since
>> then.
>
>So, get busy! It's not like you have nothing else to do ... :)

sorry to waste bandwidth, but just wanted to point out this statement is
more true than expected in jest...with the double negative (nothing vs
anything).

i hate english...  ;-)




Re: Problem with recursive name server

2012-06-08 Thread Mike Hoskins
please share configuration and possibly zone file(s) so we can help...

if your isp has done rfc2317 style delegation, your servers are actually
authoritative so i don't think it has anything to do with allow-recursion
(and i doubt you want to set that to any, unless you have network acls in
place to prevent abuse).

http://www.ietf.org/rfc/rfc2317.txt

-Original Message-
From: Mike Bobkiewicz 
Date: Friday, June 8, 2012 1:08 PM
To: 
Subject: Problem with recursive name server

>Dear list,
>
>we are running an authoritative name server for some domains. After some
>time our ISP has now delegated the reverse name lookups to our server. We
>are running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the
>reverse name lookups to life. The master db-file is loaded and we  to set
>the allow-recursive { any; }; option in the named.conf but it still
>doesn't work. We are getting RFC 1912 2.1 with some mail servers which is
>the biggest problem. Which additional options must be set in the
>named.conf to make the reverse name lookups for our domains work?
>
>Best regards,
>
> Mike 




Re: [SOLVED] Problem with recursive name server

2012-06-10 Thread Mike Hoskins
glad you got this resolved -- rfc2317 delegation usually always trips
folks up the first time around.  it's almost always good to ask your isp
for the exact zone definitions they delegate so you can match things up.

your server is in fact responsible for the full subnet that was delegated
to you by your isp.  "213.191.95.0/27" is a cidr subnet containing 32 (30
usable) addresses.

http://www.oav.net/mirrors/cidr.html

ipv4 provides 32-bit network addresses, 27 bits reserved for the network,
32-27=5, 2^5=32.  :-)

-Original Message-
From: Mike Bobkiewicz 
Date: Sunday, June 10, 2012 5:37 AM
To: 
Subject: Re: [SOLVED] Problem with recursive name server

>Dear Mark,
>thanks for the help, now we are up and running. Because of some very bad
>things the Apple Admin Interface did to the PTR-file preventing it from
>being loaded AND not reporting this somewhere the times of OS X Server
>are over. But there is one last thing that puzzles me: to my
>understanding our nameserver is now master for the ip addresses
>213.191.95.0 - 27. Shouldn't it be responsible for our complete subnet
>which is from 0-32? It's no problem at this point because all the mail
>servers are in the lower region, but did we have to contact our isp about
>that?
>
>Best regards,
>
> Mike
>P.S. If you ever make it to Hamburg I owe you a beer...
>
>Mike
>
>On 10.06.2012 at 06:58, Mark Andrews wrote:
>
>> 
>> In message , Mike Bobkiewicz  writes:
>>> HI all,
>>> first Eduardo:
>>> I did an upgrade with the mentioned package to 9.9.1 P1, it's now up and
>>> running but doesn't fix the problem.
>>> I have to correct one thing: It's not a 10.6 client system it's a 10.7.4
>>> Server system, this is important because the client running this server
>>> does configure bind with Apple's Admin Tools. When something doesn't work
>>> he calls me and I log in via ssh and try to figure out what's wrong.
>>> Telling the truth: I like vi very much...
>>> 
>>> On 08.06.2012 at 22:13, Chuck Swiger wrote:
>>> 
>>>> Hi--
>>>> 
>>>> On Jun 8, 2012, at 1:08 PM, Mike Bobkiewicz wrote:
>>>>> we are running an authoritative name server for some domains. After
>>>>> some time our ISP has now delegated the reverse name lookups to our
>>>>> server. We are running bind 9.7.3 on Mac OS X 10.6 and are not able to
>>>>> bring the reverse name lookups to life. The master db-file is loaded
>>>>> and we  to set the allow-recursive { any; }; option in the named.conf
>>>>> but it still doesn't work. We are getting RFC 1912 2.1 with some mail
>>>>> servers which is the biggest problem. Which additional options must be
>>>>> set in the named.conf to make the reverse name lookups for our domains
>>>>> work?
>>>> 
>>>> Mailservers doing a double-reverse lookup try to validate that your IP
>>>> has a PTR record which returns a name that a normal forward lookup
>>>> finds, and gives back the original IP.
>>>> 
>>>> Give us an example of a bad hostname or IP, and we can probably tell
>>>> you what aspect isn't working right...
>>>> 
>>> 
>>> Sorry, was late last night for me so here are some parts of the
>>> configuration:
>>> /etc/named.conf
>>> include "/etc/rndc.key";
>>> options {
>>>directory "/var/named";
>>>listen-on-v6 port 53 {
>>>"none";
>>>};
>>>allow-recursion {
>>>any;
>>>};
>>>allow-transfer {
>>>none;
>>>};
>>> };
>>> controls {
>>>inet 127.0.0.1 port 54 allow {
>>>"any";
>>>} keys {
>>>"rndc-key";
>>>};
>>> };
>>> acl "com.apple.ServerAdmin.DNS.public" {
>>>any;
>>> };
>>> logging {
>>>channel _default_log {
>>>file "/Library/Logs/named.log";
>>>severity info;
>>>print-time yes;
>>>};
>>>category "default" {
>>>"_default_log";
>>>};
>>> };
>>> view "com.apple.ServerAdmin.DNS.public" {
>>>zone "0.0.127.in-addr.arpa" IN {
>>>type master;
>>>file "named.local";
>>>allow-update {
>>>none;
>>>};
>>>};
>>> 
>>> ... around 15 working master zones
>>> 
>>>zone "95.191.213.in-addr.arpa" IN {
>>>type master;
>>>file "db.95.191.213.in-addr.arpa";
>>>allow-transfer {
>>>com.apple.ServerAdmin.DNS.public;
>>>};
>>>allow-update {
>>>none;
>>>};
>>>};
>>>};
>>> };
>> 
>> The ISP has delegated "0/27.95.191.213.in-addr.arpa" not
>> "95.191.213.in-addr.arpa" to you.   You need to be serving
>> "0/27.95.191.213.in-addr.arpa".
>> 
>> You should be slaving "95.191.213.in-addr.arpa" so that you have
>> the CNAME records available locally for when the external link i
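The RFC 2317 arithmetic behind Mark's answer (the ISP delegates "0/27.95.191.213.in-addr.arpa", and the parent "95.191.213.in-addr.arpa" must carry a CNAME per address pointing into it), worked through as an added example; this is not code from the thread or from BIND. It uses the /27 discussed above; the hostnames fed to `child_zone_ptr` are constructed placeholders.

```python
"""RFC 2317 classless in-addr.arpa delegation for a block smaller than a /24.

Added example.  For a given CIDR block it derives the child zone name the
ISP delegates, the CNAME records the ISP must publish in the /24 parent
zone, and the PTR records the delegate puts in the child zone.
"""
import ipaddress


def rfc2317_zone(cidr):
    """Return (child_zone, parent_zone) for an IPv4 block longer than /24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than a /24")
    first_host_octet = int(net.network_address) & 0xFF
    # Reverse the three network octets and drop the host octet.
    octets = str(net.network_address).split(".")[:3][::-1]
    parent = ".".join(octets) + ".in-addr.arpa"
    child = "%d/%d.%s" % (first_host_octet, net.prefixlen, parent)
    return child, parent


def parent_cnames(cidr):
    """CNAME lines the owner of the /24 parent zone (the ISP) publishes.

    One per address in the block, network and broadcast included, so that a
    normal PTR query for N.95.191.213.in-addr.arpa is redirected into the
    delegated child zone.
    """
    child, parent = rfc2317_zone(cidr)
    net = ipaddress.ip_network(cidr, strict=True)
    return ["%d.%s. IN CNAME %d.%s." % (int(a) & 0xFF, parent, int(a) & 0xFF, child)
            for a in net]


def child_zone_ptr(cidr, hostnames):
    """PTR lines for the delegated child zone (what the delegate's server must serve).

    hostnames: {"213.191.95.5": "mail.example.test", ...}; addresses outside
    the block are rejected rather than silently producing a wrong owner name.
    """
    child, _ = rfc2317_zone(cidr)
    net = ipaddress.ip_network(cidr, strict=True)
    out = ["$ORIGIN %s." % child]
    for addr, name in sorted(hostnames.items(), key=lambda kv: int(ipaddress.ip_address(kv[0]))):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError("%s is outside %s" % (addr, cidr))
        out.append("%d IN PTR %s." % (int(ip) & 0xFF, name.rstrip(".")))
    return out


if __name__ == "__main__":
    block = "213.191.95.0/27"                    # the block from the thread
    child, parent = rfc2317_zone(block)
    print("delegated child zone:", child)
    print("parent zone holding the CNAMEs:", parent)
    print("addresses in block:", ipaddress.ip_network(block).num_addresses)
    print("\n".join(parent_cnames(block)[:3]), "\n...")
    # Constructed placeholder hostnames for the delegate's side.
    print("\n".join(child_zone_ptr(block, {"213.191.95.5": "mail.example.test"})))
```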

Re: OT: cached memory

2012-06-13 Thread Mike Hoskins
this is a common source of confusion and more of a linuxism...it will fill
all available memory with cache, and reclaim as needed.  you can adjust it
somewhat with various sysctls.

http://www.linuxhowtos.org/System/Linux%20Memory%20Management.htm

-Original Message-
From: Dan Letkeman 
Date: Wednesday, June 13, 2012 10:50 AM
To: bind-users 
Subject: OT: cached memory

>Hello,
>
>Just wondering if anyone has a real world example of how much cached
>memory a server really needs?
>
>If I run the command "free -m" it shows that it is using all of the
>memory on the server and most of it is cached.  I understand the
>concept and the reasoning, but what I would like to know is how much
>is a reasonable amount to have?  I am assuming that if I gave this
>server 10 times the amount it would eventually cache that as well.
>
>
>             total       used       free     shared    buffers     cached
>Mem:          3017       2961         56          0        158       2434
>-/+ buffers/cache:        368       2649
>Swap:         5023          0       5023
>
>
>Thanks,
>Dan.




Re: truncated responses vs. minimal-responses?

2012-11-27 Thread Mike Hoskins (michoski)
-Original Message-

From: Matus UHLAR - fantomas 
Date: Tuesday, November 27, 2012 12:28 PM
To: "bind-users@lists.isc.org" 
Subject: truncated responses vs. minimal-responses?

>Hello,
>
>last few weeks I have seen many discussions over UDP truncating and using
>"minimal-responses yes;" to prevent BIDN from doing that.
>
>I've read article stating that nameserver should avoid truncating packets
>even by skipping additional and authority sections in its responses, which
>should mean that using minimal-responses would not help.
>
>However, I've seen a few mails mentioning that a query can get truncated
>when the authority section is too big, advising to turn minimal-responses
>on.
>
>Reading the 9.9.2 docs and even looking at the sources (I am not a C coder)
>did not help me with this.

It seems it should help...  fewer bits in the packet relating to additional
and authority should leave room for other data.

That said, I think the better way (when possible) is to adjust RRs not to
return "too much data" (e.g. NS, A, etc. not returning more than ~8 hosts
-- which in turn could be multicast, load balanced, etc to get the desired
scale).

Akamai, for example, defaults to limiting up to 8 "RDATAs" per RR (or
however you'd describe that).  If you add 20 As for a name you'll rotate
through 8 at a time.  You can request more at your own risk...they assume
you'll ensure the larger answer will fit in a UDP packet and not cause TCP
responses which cripple performance.
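The size arithmetic behind both points above (why minimal-responses frees room, and why a cap of around 8 addresses per name stays well clear of truncation), as an added example; it is not code from the thread or from BIND. It applies the RFC 1035 wire format with owner-name compression in the answer section and assumes, as an upper bound, that NS target names in the authority section are not compressed.

```python
"""Bytes in a UDP DNS answer versus the number of A records it carries.

Added example.  Header (12) + question + one 16-byte A RR per address when
the owner name is a 2-byte compression pointer.  The authority (NS) and
additional (glue) sections that 'minimal-responses no' appends are sized
too, so the effect of dropping them can be compared directly.
"""


def wire_name_len(name):
    """Uncompressed wire length of a name: a length byte per label plus the root byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def response_size(qname, a_count, ns_names=(), glue_a=0, edns_opt=False):
    """Size of a response to 'qname A?' with a_count A records in the answer.

    ns_names: NS targets in the authority section (owner compressed, target
              uncompressed: an upper bound, real servers may compress it).
    glue_a:   A records in the additional section (owner compressed).
    edns_opt: add the 11-byte OPT pseudo-RR returned to EDNS clients.
    """
    size = 12 + wire_name_len(qname) + 4                 # header + question
    size += a_count * (2 + 2 + 2 + 4 + 2 + 4)             # ptr,type,class,ttl,rdlen,A
    for ns in ns_names:
        size += 2 + 2 + 2 + 4 + 2 + wire_name_len(ns)    # NS RR, rdata is a name
    size += glue_a * 16
    if edns_opt:
        size += 11
    return size


def max_a_records(qname, limit=512, **sections):
    """Largest a_count whose response stays within 'limit' bytes (no TC bit)."""
    n = 0
    while response_size(qname, n + 1, **sections) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    q = "www.example.com"
    ns = ["ns1.example.com", "ns2.example.com", "ns3.example.com", "ns4.example.com"]
    print("8 A records, minimal-responses:", response_size(q, 8), "bytes")
    print("8 A records, with 4 NS + glue:", response_size(q, 8, ns_names=ns, glue_a=4), "bytes")
    print("max A in 512 bytes, minimal:", max_a_records(q))
    print("max A in 512 bytes, NS + glue:", max_a_records(q, ns_names=ns, glue_a=4))
    print("max A in 4096 bytes (EDNS):", max_a_records(q, limit=4096, edns_opt=True))
```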



Re: another performance tuning question

2012-12-02 Thread Mike Hoskins (michoski)
-Original Message-

From: "Jeremy C. Reed" 
Date: Friday, November 30, 2012 4:18 PM
To: "Adamiec, Lawrence" 
Cc: "bind-users@lists.isc.org" 
Subject: Re: another performance tuning question

>On Fri, 30 Nov 2012, Adamiec, Lawrence wrote:
>
>> I got similar results when running against the master server.
>
>Then why so many lost?
>
>>   Queries sent: 11000 queries
>>   Queries completed:8968 queries
>>   Queries lost: 2032 queries
>...
>>   Percentage completed:  81.53%
>>   Percentage lost:   18.47%
>
>Look at your queryperf data file and figure out what is not hosted by
>you.  Some of my systems get around 60,000 QPS with none lost.  If
>really do host these on same system, and are really lost, then will need
>other research.
>
>Even if you are doing recursive work, your results are quite slow. you
>may want to look in your queryperf input to see what is causing
>problems. (It may not be a realistic, real world input set.)

Based on your "hosted by you" reference, I assume 60K QPS was only
resolving local names?  If not I'd love to see the config.

Some extra data points for the OP:

I might have misread (or be mis-remembering since I last tested), but I
think the default resperf query file includes ten million "real-world"
entries -- if testing recursion, try it vs generating your own.

If you are not just doing local queries, from experience server hardware
(physical or virtual) and bandwidth play a big part in the numbers.  More
cores = more worker threads, faster connectivity to upstream servers =
more responses.

With the default resperf query file and drop rate capped at 1%, I was able
to get ~20K qps w/ four vCPUs vs ~5K with one vCPU (VMware, RHEL, BIND
9.8).



Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: Phil Mayers 
Date: Thursday, January 3, 2013 9:44 AM
To: "bind-users@lists.isc.org" 
Subject: Re: Distribute named.conf

>On 03/01/13 14:36, Warren Kumari wrote:
>
>> Yup, have a look at Puppet.
>>
>> For the first while it will seem like way way more work than it is
>> worth (and the whole declarative language bit makes my head hurt) but
>> after investing a few hours getting things setup you'll wonder how
>> you ever managed without it... Deploying a new server (or configs, etc
>> to a bunch of servers) suddenly becomes trivial...
>
>A bit OT, but we use cfengine (because puppet didn't exist when we
>started doing it), but I strongly endorse the general sentiment behind
>this statement; if you run any number of servers at all, a config
>management tool like puppet/cfengine will transform your working life.

We started with cfengine as well, for the same reason...I still love it,
but we are moving to Puppet mostly because they are very similar at a high
level, the mothership invests and other acquisitions use it (convergence).

That said, fully agree the tool doesn't matter -- you want configuration
management.  To me that minimally includes a tool like cfengine or puppet
and some sort of CMDB to track objects (and serve as an ENC).

>> Setup Puppet to distribute the file, and then have an exec action
>> that does: rndc addzone example.com '{type master; file
>> "master/example.com"; };'
>
>Does puppet provide built-in facilities to synchronise events across
>multiple servers, because that was a concern to the OP.

Yes, and so did cfengine all the way back to 2.x...though it was a bit
scary to try and use the RPC functionality.  :-)  In Puppet MCollective
should be able to handle this.  While it takes more setup than the usual
client install, it also provides functionality larger shops will likely
not want to live without.

There are also other "orchestration layers" beside MC, this paper gives a
good overview:

http://www.puppetlabs.com/wp-content/uploads/2010/03/FullyAutomatedProvisioning_Whitepaper7.pdf



Re: open-source tool for filter out stats from dns logs

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: Jeff Wright 
Date: Thursday, January 3, 2013 8:41 AM
To: "bind-users@lists.isc.org" 
Subject: Re: open-source tool for filter out stats from dns logs

>There might be some tools already out there (like Splunk) that do this
>for you.  I think you can get a free Splunk license if you parse
>relatively small amounts of daily data.  If you're particularly
>concerned about open-source, this thread might also help:
>http://stackoverflow.com/questions/183977/what-commercial-and-open-source-competitors-are-there-to-splunk.

Just wanted to add a few things based on some research I've been doing...
By all means, start with the SO thread above and [your favorite search
engine] as I did.  This may just save folks some time.  :-)

Splunk is an amazing tool, but gets expensive fast when indexing much
data...  With the maturity of many OSS solutions, I'm not sure it even
makes sense on a small scale these days (unless you plan to stick with it).

After reading through several SO threads and spending many late nights
searching, I've mostly concluded that there are two OSS "solutions" (a mix
of technologies/tools) that can fill this gap.  You can go the "neato"
(newer, being discussed more) way of [ logstash + graylog + elastic search
] or the "oldschool" (relatively at this point) of [ syslog-ng + mysql +
sphinx ] (ELSA).

For the former, my initial research led to buzzword/acronym overload.  This
post helped immensely:

http://jpmens.net/2012/08/06/my-logstash-and-graylog2-notes/

And also led me to find this useful ES utility:

http://jpmens.net/2012/08/09/must-have-ui-for-elasticsearch/

These are also obvious places to start playing (the first is worth
visiting just to watch the, hilarious IMCO, video on the front page):

http://logstash.net/

http://graylog2.org/

http://www.elasticsearch.org/

Of course after setting all that up, some conclude it's too slow for
real-time analytics.  There's discussion about this on SO and other
places.  Based on your use cases, you might not care.  If you do, consider
ELSA:

https://code.google.com/p/enterprise-log-search-and-archive/

Somewhat dated, but great overview by the author (refer to the docs for
latest features):

http://ossectools.blogspot.com/2011/03/fighting-apt-with-open-source-software.html

We are in the process of building prototype environments for both of these
atm, so wanted to share.

hth



Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: "wbr...@e1b.org" 
Date: Thursday, January 3, 2013 2:29 PM
To: "bind-users@lists.isc.org" 
Subject: Re: Distribute named.conf

>How does Puppet compare to Ansible?  http://ansible.cc/

Thanks for sharing, first I'd heard of it...

From a quick glance (in a rush atm), it seems ansible uses SSH and PUSH
whereas cfengine/puppet use TLS/SSL and PULL.  In general, scaling is
easier with non-SSH approaches built around PULL.

That said, Puppet is not scalable out of the box (unlike cfengine's
server, though you still need to tune several knobs there) -- but it's not
intended to be, a common misconception.  The built-in webrick server is
for development only, and building the more scalable web services
infrastructure (apache, passenger) is not as difficult as it first seems.
Many folks also run without a puppetmaster (masterless/nodeless).

It'd been a while since I'd checked, but I see ansible is not listed here
(in case others haven't seen the master table):

http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software

I highly advise anyone new to configuration management to setup some
virtual machines and play with as many solutions as time permits...they
each have interesting features, and no one solution will work for everyone
IMHO.



Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: "wbr...@e1b.org" 
Date: Thursday, January 3, 2013 3:15 PM
To: Mike Hoskins 
Cc: "bind-users@lists.isc.org" ,
"bind-users-bounces+wbrown=e1b@lists.isc.org"

Subject: Re: Distribute named.conf

>Mike wrote on 01/03/2013 02:45:29 PM:
>
>> Thanks for sharing, first I'd heard of it...
>
>I read about it on http://jpmens.net/
>
>> http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software
>
>It's there today.

Apologies to the list, it's what I get for typing on the run...  I meant
to say, I see it there (it just wasn't there in the past when I last
looked at that list).  Glad to see wikipedia is staying up to date.  :-)



Re: gitnamed, a project to manage name server by git

2013-01-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jan-Piet Mens 
Date: Tuesday, January 8, 2013 4:35 PM
To: "bind-users@lists.isc.org" 
Subject: Re: gitnamed, a project to manage name server by git

>> GitNamed is a project that manage name server by git. you can clone
>> the git repo to any workstation, edit zone file, commit and push it.
>> the data will push to the master and slave name server on the fly.
>
>Very interesting; thanks for sharing.
>
>I hear the Fedora Project does something along similar lines. Code &
>'docs' are at [1].
>
>-JP
>
>[1] http://infrastructure.fedoraproject.org/infra/dns/README

Thanks for sharing both.

Like the built-in sanity checks...Wonder why the fedora folks don't
automate the serial number update, since in my experience that seems to be
one of the top silly mistakes with BIND updates?

Our push process sets that to the mtime of the zone for non-dynamic zones,
which seems to work well except for the occasional DNS validation tool
baulking that we're not using MMDDNN format.  :-)
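
The serial handling discussed above (mtime-derived serials, the YYYYMMDDnn convention validators expect, and why a pushed serial must count as an "increase" for slaves to notice it) as an added example, not code from the list posts or from any of the projects mentioned. It derives a serial from a zone file's mtime, builds the date form, and compares serials with RFC 1982 sequence-space arithmetic, which is what a slave applies after its SOA refresh query. The demo file and its mtime are constructed.

```python
import os
import tempfile

SERIAL_MOD = 1 << 32   # SOA serial is an unsigned 32-bit counter
SERIAL_HALF = 1 << 31


def serial_from_mtime(path):
    """Serial = the zone file's Unix mtime (the push-process approach above),
    reduced modulo 2^32 so it always fits the SOA field."""
    return int(os.stat(path).st_mtime) % SERIAL_MOD


def serial_from_date(year, month, day, revision):
    """Conventional YYYYMMDDnn serial; revision is the nn (00..99)."""
    if not 0 <= revision <= 99:
        raise ValueError("revision must be 00..99")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("bad date")
    return year * 1000000 + month * 10000 + day * 100 + revision


def serial_gt(a, b):
    """RFC 1982 comparison: a is 'greater' than b iff 0 < (a - b) mod 2^32 < 2^31.
    Equal serials and the ambiguous difference of exactly 2^31 return False,
    the safe answer for 'do I need a transfer?'."""
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < SERIAL_HALF


def needs_transfer(master_serial, slave_serial):
    """What a slave decides from the master's SOA serial."""
    return serial_gt(master_serial, slave_serial)


def bump_serial(current, candidate):
    """Use candidate if slaves would see it as an increase; otherwise fall
    back to current + 1.  Guards the classic 'edited the zone, serial did
    not go up' mistake."""
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MOD


def demo_mtime_serial(mtime):
    """Constructed zone file with a fixed mtime, to exercise serial_from_mtime."""
    with tempfile.NamedTemporaryFile("w", suffix=".zone", delete=False) as f:
        f.write("$TTL 3600\n@ SOA ns1 hostmaster 1 7200 900 1209600 3600\n")
        path = f.name
    try:
        os.utime(path, (mtime, mtime))
        return serial_from_mtime(path)
    finally:
        os.unlink(path)
```

Moving from mtime serials (about 1.36e9 in early 2013) to YYYYMMDDnn (about 2.013e9) is a valid increase under RFC 1982 because the difference is below 2^31; going the other way would not be, and bump_serial falls back to current + 1 in that case.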



Re: Name resolution fails if not forwarding

2013-01-09 Thread Mike Hoskins (michoski)
-Original Message-

From: Daniele 
Date: Wednesday, January 9, 2013 9:17 AM
To: "bind-users@lists.isc.org" 
Subject: Re: Name resolution fails if not forwarding

>This is the scenario.
>
>I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04,
>virtualized on VirtualBox.
>The network works properly because if I indicate a different server from
>my own BIND9 (the first line of '/etc/resolv.conf' is, for example,
>`nameserver 8.8.8.8`) the lookups and any action on the Internet
> succeed.

What are you using for a firewall?  iptables within UBUNTU, your internet
gateway, both, something else?

With iptables, it's stateful so outbound queries should allow what's
needed inbound...if it's related, you should be able to check stats and
look for drops.  It's not perfect, but on a typical small network you
should be able to use -Z (zero counters), run some queries, then use -nvL
to see what if any rules are incremented.

IPTables 'port' matches don't match UDP fragments after the first one, so
you either need to use stateful matching (-m state --state
related,established) or specifically accept trailing fragments (the
iptables "-f" option for IPv4, or "-m frag ! --fragid 0" for IPv6).

For something like a home router, it's harder...but there are sometimes
firewall-related statistics exposed through the web interfaces (varies
from vendor to vendor).  It might also be some form of masquerading
getting in the way (e.g. DNS queries get rewritten as your defgw which
confuses iptables).  Just reaching for ideas.

Regardless, spending more time with your firewall might be
worthwhile...try a few queries with it disabled just to get an idea if
that's where to look.

>BIND9 configuration is the default one.
>I deleted all local zones that I added (even if internal lookups worked
>correctly). Now there are only default zones (root, localhost,
>127.in-addr.arpa, 0.in-addr.arpa, 255.in-addr.arpa).
>Options are the default ones
>options {
>directory "/var/cache/bind";
>dnssec-validation auto;
>auth-nxdomain no;
>listen-on-v6 {any;}
>};

Is /var/cache/bind writable by the user BIND runs as (named/bind vs root)?

>In this situation, if I dig anything the lookup fails, and the log is
>full of "lame server" and "FORMERR".

Unfortunately lame server is a can of worms (search the archives), but
FORMERR in my experience often indicates firewall problems on one end or
the other (malformed responses).

>Why?
>Perhaps the problem is due to the presence of the "dnssec-validation" line?

It shouldn't be that alone.  However, you could test...does it work fine
if you set:

dnssec-enable no;
dnssec-validation no;


Good luck!
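
The counter-diff procedure described in the reply above (zero the counters with -Z, run some queries, then read -nvL and see which rules incremented) as an added example, not code from the list. It parses two constructed `iptables -nvL` listings, one taken right after -Z and one after a few dig runs, and reports the rules whose packet counters grew, then narrows that to rules and chain policies that discard traffic. The listings are constructed, not real captures, and the column layout assumed is the standard -nvL output without -x (so counters may carry K/M/G suffixes).

```python
import re

_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+[KMG]?) packets)?")
_SUFFIX = {"": 1, "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}

# Constructed listings: INPUT right after `iptables -Z`, and again after
# running a handful of queries against the server.
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
"""
AFTER = """\
Chain INPUT (policy DROP 7 packets, 1092 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   11  2890 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   210 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    7  1092 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
"""


def _count(token):
    """iptables abbreviates counters (12K, 3M) unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("bad counter: " + token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_counters(listing):
    """Map (chain, rule_number) -> (packets, rule_text).  Rule 0 is the
    built-in chain policy, whose counter is where silent drops usually land."""
    rules = {}
    chain, idx = None, 0
    for line in listing.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain, idx = m.group(1), 0
            if m.group(2):
                rules[(chain, 0)] = (_count(m.group(3)), "policy " + m.group(2))
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("pkts ") or chain is None:
            continue
        idx += 1
        parts = stripped.split(None, 2)
        rules[(chain, idx)] = (_count(parts[0]), parts[2] if len(parts) > 2 else "")
    return rules


def increments(before, after):
    """Rules whose packet counter grew: (chain, rule_no, delta, rule_text)."""
    hits = []
    for key in sorted(after):
        pkts_after, text = after[key]
        pkts_before = before.get(key, (0, ""))[0]
        if pkts_after > pkts_before:
            hits.append((key[0], key[1], pkts_after - pkts_before, text))
    return hits


def drop_hits(hits):
    """Keep only the entries that discard traffic: DROP/REJECT targets and
    DROP/REJECT chain policies."""
    return [h for h in hits
            if h[3].startswith(("DROP", "REJECT", "policy DROP", "policy REJECT"))]


def find_drops(before_text=BEFORE, after_text=AFTER):
    return drop_hits(increments(parse_counters(before_text), parse_counters(after_text)))
```

In the constructed run the RELATED,ESTABLISHED and udp dpt:53 rules account for the expected traffic, and the seven packets that hit the LOG rule then fell through to the DROP policy are the ones to look at in the kernel log.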



Re: query about EDNS UDP Packet

2013-01-09 Thread Mike Hoskins (michoski)
-Original Message-

From: Gaurav Kansal 
Date: Wednesday, January 9, 2013 12:34 AM
To: Sten Carlsen , "bind-users@lists.isc.org"

Subject: Re: query about EDNS UDP Packet

>Thanks for help.
>My Firewall was dropping packet size larger than 512 bytes.
>Cisco 5580 having ASA 8.3. It is by default blocking my EDNS0 Packet.

This should be a FAQ.  :-)

For anyone else who happens to be reading the archives -- googling for
"cisco edns0" will lead to a lot of useful information...better than
duplicating it all here.  Many older network devices (including Cisco) had
default policies which assumed a 512 byte limit.
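
The failure above, a middlebox still enforcing the pre-EDNS 512-byte UDP limit while the resolver advertises a larger buffer, in wire-format terms, as an added example that is not from the list or from ISC. It builds a query with the OPT pseudo-RR that EDNS0 (RFC 6891) appends to the additional section, parses the advertised UDP payload size and DO bit back out of an arbitrary message, and flags the response sizes a 512-byte firewall would discard even though they fit what the client asked for. The query name, transaction id and sizes are constructed.

```python
import struct

OPT_TYPE = 41           # EDNS OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000        # DNSSEC OK, high bit of the flags half of the OPT "TTL"
LEGACY_UDP_LIMIT = 512  # largest DNS/UDP message a pre-EDNS device expects


def encode_name(name):
    """Wire-format labels: "isc.org" becomes 3 'isc' 3 'org' 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: " + label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, udp_size=4096, dnssec_ok=True, edns=True, txid=0x1234):
    """Recursive query (RD set).  With edns=True an OPT RR advertising udp_size
    is appended, so ARCOUNT is 1 even though no real additional data is sent."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    flags = DO_FLAG if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL=extended-rcode/version/flags, RDLENGTH=0 (no EDNS options).
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, flags, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer is two bytes
            return off + 2
        off += 1 + length


def parse_edns(msg):
    """Return (udp_size, dnssec_ok) from the OPT RR, or None without EDNS."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
    return None


def blocked_by_legacy_limit(response_len, advertised=4096):
    """True when a response fits the advertised EDNS buffer but a device
    still enforcing 512 bytes would drop it, the symptom in this thread."""
    return LEGACY_UDP_LIMIT < response_len <= advertised
```

A DNSSEC-signed answer routinely lands in the 600 to 2000 byte window this function flags; with the firewall fixed, the fallback that used to mask the problem (the server truncating and the client retrying over TCP) is no longer what carries the traffic.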



Re: MNAME not a listed NS record

2013-01-16 Thread Mike Hoskins (michoski)
-Original Message-

From: Vernon Schryver 
Date: Wednesday, January 16, 2013 5:05 PM
To: "bind-users@lists.isc.org" 
Subject: Re: MNAME not a listed NS record

>> From: Dave Warren 
>
>> Various online DNS diagnostic tools throw warnings,
>
>Speaking of so called DNS diagnostic tools, one claims that my domains
>have DNS servers with "private" network addresses.  My only guess is
>that they don't know the difference between IPv6 addresses and
>RFC 1918 addresses.  On the other hand, maybe that was random FUD
>intended to drum up business, because they've stopped that nonsense
>in the last 3 days and without my changing anything.

Same thing here.  It's important to remember these tools are written by
humans that also have busy mornings where they don't get to drink enough
coffee...  :-)

Awhile back we updated an internal tool that generates DNS records as part
of a hosted email solution and one of these tools started baulking.
Everything we were doing was RFC compliant, but the tool turned red.  This
spawned a lot of calls to support from customers who took the tool as an
omniscient being, support escalated to management because the customer is
always right (and were threatening to go elsewhere even after being
pointed to relevant RFCs and walking through dig showing everything worked
just fine in practice).

After triple-checking the RFCs and contacting the maintainer with our
justification, the tool started doing the right thing a few weeks later.

So now we need tools that check the tools, and they need to be written by
omniscient beings...

Failing that, the big thing I hope folks learn from this is that automated
tools written by third parties are helpful at times, but no substitute for
familiarity with standards and generally understanding how things work.



Re: what do you use for logging?

2013-01-17 Thread Mike Hoskins (michoski)
-Original Message-

From: Alan Batie 
Date: Thursday, January 17, 2013 1:52 PM
To: "bind-users@lists.isc.org" 
Subject: Re: what do you use for logging?

>On 1/17/13 10:48 AM, Jan-Piet Mens wrote:
>
>>> By the way, all of the BIND10 logging
>>> messages are unique and we provide a paragraph or more documentation
>>>for 
>>> each of its 933 possible log identifiers!)
>> 
>> I haven't checked whether you have that, but that screams for a CLI
>> utility to show the paragraph without having to browse documentation. :)
>
>Agreed!
>
>We use rsyslog here...

Could "CLI utility" be man(1) and info(1)?  :-)

I agree, being able to access the full documentation from command line is
always useful...but probably doesn't require a new utility so much as an
investment in porting documentation to applicable formats.

FWIW, we package our own from source internally, and use
syslog-ng/rsyslog/logstash/elasticsearch.  Syslog as the default is
perfectly fine with us.  I do also use the rotated file method a few
places, so hoping that doesn't disappear.

Thanks for asking the list.



Re: BIND 9.9.3b1 is now available

2013-01-25 Thread Mike Hoskins (michoski)
-Original Message-

From: Timothe Litt 
Date: Friday, January 25, 2013 6:13 PM
To: "bind-users@lists.isc.org" 
Subject: Re: BIND 9.9.3b1 is now available

>On 25-Jan-13 17:32, Michael McNally wrote:
>>   BIND 9.9.3b1 is the first beta release of BIND 9.9.3.
>>
>> Makes available a new XML schema (version 3.0) for the statistics
>> channel that adds query type statistics at the zone level,
>> flattens the XML tree and uses compressed format to optimize
>> parsing. It also includes new XSL that permits charting via the
>> Google Charts API on browsers that support javascript in XSL.
>> To enable, build BIND with "configure --enable-newstats". [RT
>> #30023]
>>
>> (c) 2001-2013 Internet Systems Consortium
>>
>2 bits of feedback on the beta announcement:
>
>I have software that reads the stats channel.

Me too.  Took awhile to get right, I'd hate to see it break.  :-(

>Please, if you have a new schema, put it on another URI so that software
>that wants the old schema gets it, and software that wants the new
>explicitly requests it.  E.g.  '/statistics/v3'

Some sort of "API-like" deprecation would at least be cool...

But am I reading right?  If I don't build with --enable-newstats, all my
monitoring and trending scripts will continue to chug happily along with
the old view?
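
The monitoring-script breakage worried about above, as an added example that is not from the list or from ISC: one function that pulls per-view zone serials out of the statistics channel whether it returns the older nested-element schema or the newer attribute-based one, plus a comparison against the serials the master should be serving. The two XML documents are constructed approximations of the version 2 and version 3 layouts, not captured output; treat the element and attribute names as an assumption to verify against your own named.

```python
import xml.etree.ElementTree as ET

# Constructed documents (not captured from a server) approximating the two
# schema generations.  Assumed layout: v2 puts view/zone names in child
# elements and appends "/CLASS" to the zone name; v3 uses attributes.
V2_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<isc version="1.0"><bind><statistics version="2.2">
<views>
 <view><name>_default</name><zones>
  <zone><name>example.com/IN</name><rdataclass>IN</rdataclass><serial>2013010801</serial></zone>
  <zone><name>example.net/IN</name><rdataclass>IN</rdataclass><serial>42</serial></zone>
 </zones></view>
 <view><name>_bind</name><zones>
  <zone><name>authors.bind/CH</name><rdataclass>CH</rdataclass><serial>0</serial></zone>
 </zones></view>
</views></statistics></bind></isc>"""

V3_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<statistics version="3.0">
<views>
 <view name="_default"><zones>
  <zone name="example.com" rdataclass="IN"><serial>2013010801</serial></zone>
  <zone name="example.net" rdataclass="IN"><serial>43</serial></zone>
 </zones></view>
</views></statistics>"""


def schema_version(xml_text):
    """The version attribute of <statistics>, wherever it sits in the tree."""
    root = ET.fromstring(xml_text)
    stats = root if root.tag == "statistics" else root.find(".//statistics")
    return stats.get("version") if stats is not None else None


def zone_serials(xml_text):
    """Map (view, zone, class) -> serial, accepting either schema: names are
    taken from attributes when present, else from child elements."""
    root = ET.fromstring(xml_text)
    serials = {}
    for view in root.iter("view"):
        vname = view.get("name") or view.findtext("name")
        for zone in view.iter("zone"):
            zname = zone.get("name") or zone.findtext("name")
            serial = zone.findtext("serial")
            if zname is None or serial is None:
                continue
            zname, _, suffix = zname.partition("/")      # v2 "example.com/IN"
            rclass = zone.get("rdataclass") or zone.findtext("rdataclass") or suffix or "IN"
            serials[(vname, zname.rstrip(".").lower(), rclass)] = int(serial)
    return serials


def lagging(master, slave):
    """Zones where a slave's serial differs from (or is missing against) the
    master's: (view, zone, class) -> (master_serial, slave_serial_or_None)."""
    out = {}
    for key, mserial in master.items():
        sserial = slave.get(key)
        if sserial != mserial:
            out[key] = (mserial, sserial)
    return out
```

Keying on (view, zone, class) matters because the same zone name can be served with different serials in different views; a monitor that keys on zone name alone will compare the wrong pair and stay green.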



Re: Slaving from DNS masters behind LVS

2013-02-12 Thread Mike Hoskins (michoski)
Note: Removing cross-post, but feel free to forward.

-Original Message-

From: Nick Urbanik 
Date: Tuesday, February 12, 2013 10:00 PM
To: "keepalived-de...@lists.sourceforge.net"
, "bind-users@lists.isc.org"

Subject: Slaving from DNS masters behind LVS

>Dear Folks,
>
>We have a pair of DNS servers running BIND behind a direct routing LVS
>director pair running keepalived.  Let's call these two DNS servers A
>and B, and the VIP V.

We run a similar setup, so I'm looking forward to hearing the community's
answers.  My views below.

>They slave from a hidden master; let's call it M.
>
>I want to allow another machine S to slave from A and B, the pair of
>DNS servers that are behind LVS.
>
>Another machine F will forward to the DNS servers behind the load
>balancer, A and B.
>
>[There is another similar setup at another location, so there will
>be a V1 and V2, A1, A2, B1, B2; all of A1, A2, B1, B2 slave from M.]
>
>1. Should the machine in the SOA be V, or A or B?

I would use V.

Some will argue M if you are doing things like DDNS with DHCP...though
that's not clear here.  Even if you are, it should not require using M
with the right configuration.  I never publish my hidden master name in
public records.

>2. Should the NS records for the zones be A, B and V, or just V?

I think it depends on what you are trying to accomplish.

From a Murphy's Law perspective, where the VIP could go down (or need to
be taken down for maintenance), if the real servers are reachable by
clients in this case...listing A and B would be useful.

However you might accomplish the same thing with multiple VIPs hosted on
separate LVS clusters pointing to different sets of real servers, where
you only list V, V', etc.  This is similar to what we do.

If you really don't want any queries directed to the real servers
themselves (or network topology prevents this), then you would only list V.

>3, Should S slave from A and B, or should it slave from V?

Either way you achieve the primary goal of HA, via VIP or masters {}.  If
you use the VIP, you need to consider how much you care about the VIP
going down (maybe you don't if your expire time is high).  If you use
masters, you need to consider how often you add new servers and require
updates to your configuration.

>4. Should F forward to V, or to both A and B?

I would actually setup a couple VIPs in cases like this, and use those as
my forwarders, resolv.conf entries, etc.  If a DNS resolver tries a given
VIP, which gets a timeout from one real server, odd things might happen if
the client can't fail-over to a second VIP (its retry logic will be tied
to the VIP address irrespective of # real servers).  Edge case for sure,
but something to consider when load balancing DNS.



Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz 
Date: Wednesday, February 13, 2013 10:53 AM
To: "bind-users@lists.isc.org" 
Subject: chroot/etc/named/ directory?

>I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
>Centos 6.3.
>
>I have and will run bind chrooted and on my test setup I noticed a 'new'
>subdirectory in the chroot tree:
>
>/var/named/chroot/etc/named/
>
>I cannot find any documentation as to what is intended to be placed in this
>subdirectory.  my includes for named.conf?
>
>I am assuming the pki subdirectory is for DNSSEC related files, but I
>have not found any documentation indicating so.  But then I have not
>plowed through DNSSEC documentation in depth yet.

If you installed bind*-chroot, it will populate the /var/named/chroot
hierarchy.  It's not strictly required (though I would suggest it), but if
you intend to run BIND chrooted "/var/named/chroot" is essentially "/".
You'll have to place the usual things BIND needs to operate under that
directory -- configs, zones, etc.  Assuming this came from the chroot RPM,
you'll already have other essential pieces for chroot such as your
null/random/zero devices.  Since you mention CentOS, you'll likely also
want to pay attention to things like ROOTDIR in /etc/sysconfig/named.

Having said all that, you might search the archives (SRPMS have been
provided by community members) or other sources for a newer BIND while
you're at it...9.8.2 isn't ancient, but also not technically "up to date"
now.  I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1
probably makes sense for you today.  This won't affect your chroot setup,
just something worth considering since you're upgrading.



Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz 
Date: Wednesday, February 13, 2013 2:15 PM
To: Mike Hoskins 
Cc: "bind-users@lists.isc.org" 
Subject: Re: chroot/etc/named/ directory?

>>Having said all that, you might search the archives (SRPMS have been
>> provided by community members) or other sources for a newer BIND while
>> you're at it...9.8.2 isn't ancient, but also not technically "up to
>>date"
>> now.
>
>I am not up to building on my own and the few extra repos I work with
>(EPEL and rpmfusion) do not have a newer version all ready for Centos 6.3.
>
>How bad is it? :)

That's for you to decide:

https://www.isc.org/software/bind/security/matrix

Of course RHEL/CentOS make it somewhat hard to know what "9.8.2" means
without reading change logs.  They tend to select stable software versions
at release time, then backport fixes with their own version numbering.  So
"Red Hat's 9.8.2" likely has fixes for a lot of the "ISC 9.8.2"
issues...but you might want to confirm vs assume that.

>I would want to find it already in an rpm. Once on the build it yourself
>carousel you are set there and I have other things I am supposed to be
>doing.

Understood.  Happily, running secure DNS infra is one of the things that
pays my mortgage.  :-)



Re: BIND9 statistics-server: JSON?

2013-02-15 Thread Mike Hoskins (michoski)
-Original Message-

From: Jan-Piet Mens 
Date: Friday, February 15, 2013 12:57 AM
To: "bind-users@lists.isc.org" 
Subject: BIND9 statistics-server: JSON?

>As a fan of BIND's statistics-server I was tempted to see if I could
>reduce the size of the data (XML) named produces by adding an option to
>produce JSON. The patch [1] (which is terribly quick and dirty) does that.
>
>[1] https://gist.github.com/jpmens/4958763

Just wanted to say thanks for this, and hope it becomes official at some
point.  Many here prefer JSON anywhere it is available...sounds like we
are not alone.



Re: Randoming ports and firewall rules

2013-02-15 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz 
Date: Friday, February 15, 2013 1:33 PM
To: "bind-users@lists.isc.org" 
Subject: Randoming ports and firewall rules

>So it is past time for me to only use port 53 and support port
>randomization.  But I do run iptables (and ip6tables) and the server
>sits behind a Juniper SSG firewall.
>
>Where are there instructions for setting up iptables for port
>randomization
>
>and for general firewall rules (I doubt I will find specific for my
>Juniper).

I'm likely misunderstanding the question, but I think stateful firewalls
will address this for you.  Unlike the days of ipchains, iptables makes
this easy...as should any commercial firewall.  The idea being that when
you receive a query on 53/tcp or 53/udp and answer back on a random src
port, that entire conversation is tracked as one session and therefore
succeeds without a bunch of extra rules (the stateful rules are generated
and expired on the fly).

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall

Fully agreed that you need to leverage src port randomization in the
modern world.
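
The check behind the advice above, as an added example that is not from the list: capture the queries the resolver sends upstream and confirm their source ports actually vary, since a resolver still pinned to one port (by an old query-source setting or by a NAT device that rewrites ports) is what a stateful rule set must not be hiding. The tcpdump-style lines and the resolver address 192.0.2.10 are constructed, not a real capture.

```python
import math
import re
from collections import Counter

# tcpdump -n style: "IP <src>.<sport> > <dst>.53: <id>+ A? name. (len)"
_QUERY_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: ")

# Constructed captures of a resolver at 192.0.2.10 querying 198.51.100.1.
# The first pins its source port to 53, the second does not.
FIXED_PORT_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 1001+ A? a.example. (27)
12:00:01.000002 IP 192.0.2.10.53 > 198.51.100.1.53: 1002+ A? b.example. (27)
12:00:01.000003 IP 198.51.100.1.53 > 192.0.2.10.53: 1001 1/0/0 A 203.0.113.5 (43)
12:00:01.000004 IP 192.0.2.10.53 > 198.51.100.1.53: 1003+ AAAA? c.example. (27)
"""
RANDOM_PORT_CAPTURE = """\
12:00:02.000001 IP 192.0.2.10.41923 > 198.51.100.1.53: 2001+ A? a.example. (27)
12:00:02.000002 IP 192.0.2.10.58204 > 198.51.100.1.53: 2002+ A? b.example. (27)
12:00:02.000003 IP 198.51.100.1.53 > 192.0.2.10.41923: 2001 1/0/0 A 203.0.113.5 (43)
12:00:02.000004 IP 192.0.2.10.33117 > 198.51.100.1.53: 2003+ AAAA? c.example. (27)
12:00:02.000005 IP 192.0.2.10.60871 > 198.51.100.1.53: 2004+ MX? d.example. (27)
12:00:02.000006 IP 192.0.2.10.49650 > 198.51.100.1.53: 2005+ A? e.example. (27)
12:00:02.000007 IP 192.0.2.10.37402 > 198.51.100.1.53: 2006+ A? f.example. (27)
"""


def source_ports(capture, resolver_ip):
    """Source ports of queries the resolver sent to port 53 (replies ignored)."""
    ports = []
    for line in capture.splitlines():
        m = _QUERY_RE.search(line)
        if m and m.group("src") == resolver_ip:
            ports.append(int(m.group("sport")))
    return ports


def entropy_bits(values):
    """Shannon entropy of the observed port distribution, in bits."""
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(ports):
    """Summary a monitor can alert on; fixed_port is the red flag."""
    distinct = len(set(ports))
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "entropy_bits": round(entropy_bits(ports), 3),
        "fixed_port": len(ports) > 1 and distinct == 1,
        "port_range": (min(ports), max(ports)) if ports else None,
    }
```

With a real capture of a few hundred queries the entropy should approach log2 of the query count; a value well below that, or a narrow port_range, points at the NAT or firewall in the path rather than at named.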



Re: Cannot create A record issue

2013-02-20 Thread Mike Hoskins (michoski)
-Original Message-

From: Jsilliman 
Date: Wednesday, February 20, 2013 1:57 PM
To: Alan Clegg 
Cc: "bind-users@lists.isc.org" 
Subject: Re: Cannot create A record issue

>Ubuntu does not use that:
>
>root@:/etc/bind# cat /etc/resolv.conf
># Dynamic resolv.conf(5) file for glibc resolver(3) generated by
>resolvconf(8)
># DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Doh, so know enough about your distro to figure out where to look.  In
this case ``man resolvconf`` would likely be useful for you to read.

Also, you don't need to cat resolv.conf at all...just include full dig
output.  That will show the name server used:

OPS:54 f...@bar.baz:~$ dig google.com

;; SERVER: a.b.c.d#53(a.b.c.d)



Re: allow-query and views

2013-02-21 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz 
Date: Thursday, February 21, 2013 12:53 PM
To: Vernon Schryver 
Cc: "bind-users@lists.isc.org" 
Subject: Re: allow-query and views

>Whow...  This is news.  A hidden view?  Where is this documented.  I
>have no restrictions in my general options section.  Figured that the
>specific view ones were all that was needed.  Now I am upset.

As usual, knowledge is easy but wisdom takes time...

http://www.cymru.com/Documents/secure-bind-template.html

You can easily incorporate that before Passover.  :-)

hth



Re: BIND master , Windows 2008 stub zone not transferring

2013-02-21 Thread Mike Hoskins (michoski)
-Original Message-

From: Sowmya Manjanatha 
Date: Thursday, February 21, 2013 1:11 PM
To: "bind-users@lists.isc.org" 
Subject: Re: BIND master , Windows 2008 stub zone not transferring

>Well, I have a stub zone on Windows 2008 server set-up to use two
>different BIND server as its list of IPs to use as masters.  In the DNS
>manager on Windows, you can always right click on the zone and select
>"Transfer zone from Master".  With Wireshark on Windows,
> I have found that this triggers a DNS request for the given zone name.
>You may be right that it may very well not be a zone transfer and just a
>regular query/response.  However, I was just going by the terminology on
>the zone from Windows.

Yes, it is a request for the NS RRset I presume...as Mark kindly pointed
out, stub zones do not "transfer" by definition:

http://technet.microsoft.com/en-us/library/cc771898.aspx

>Another problem I am also having is that Windows 2008 server doesn't seem
>to pick up the latest SOA i.e. it does not seem to honour the serial
>number within the SOA.  It appears it just picks up the 1st response it
>gets.  So, I find that sometimes the records
> are stale.  I am trying to understand if there is any configuration in
>BIND that can help provide the right response the 2008 server prefers.

Are you simply seeing the effects of TTL and caching on the Windows side?



Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-22 Thread Mike Hoskins (michoski)
-Original Message-

From: Shawn Bakhtiar 
Date: Friday, February 22, 2013 12:06 AM
To: "bind-users@lists.isc.org" 
Subject: RE: Registrar that supports self-run domains and provides
DNSSEC  support

>2) We don't buy or maintain street addresses from a for profit company,
>why should domain name be any different? Domain name registration should
>be a free government/ ma'bell function.

Being an outsider with no beef or raves for GD (just realized that sounds
like something else), I feel this isn't necessarily true.  Government
functions rarely get run well, at least here in the US.  They're slow,
bloated, and tend to spend lots of tax dollars (not really free) producing
things hackers easily circumvent the day after release.

Also, in ma'bell (er um netsol?) fashion, lack of competition stifles
innovation.  Of course all the registrars don't do what any one of us
likes, but at least there is choice.  Lack of competition also tends to
drive price up vs down.

However, I'm not sure making choices based on "cheaper" and then
complaining about quality makes sense.  I'd like to think such gems could
exist, but it's certainly not illogical to expect problems from free
services with less money to devote to improving their infrastructure or
conducting R&D to adopt new technologies.

I know this last bit from experience, having worked at CELECs back in the
day and running an ISP that was severely underfunded because the Internet
was "new" and couldn't be trusted like a telephone.  Lots of committed
people working long hours for very little, but there's only so much you
can do with blood, sweat and tears.



Re: Forward First on Master Zone (bypass SOA)

2013-04-01 Thread Mike Hoskins (michoski)
-Original Message-

From: Kevin Darcy 
Date: Monday, April 1, 2013 2:46 PM
To: "bind-users@lists.isc.org" 
Subject: Re: Forward First on Master Zone (bypass SOA)

>On 3/29/2013 12:09 AM, Doug Barton wrote:
>> On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
>>> My organization is evaluating the use of split-view DNS in our
>>> environment.
>>
>> Simple ... don't do it. It's almost never the right answer, and as
>> you're learning carries with it more administrative overhead than the
>> problems it's designed to solve.
>>
>> Much better to spend the time carefully considering what your goals
>> are, and finding other ways to reach them.
>And your alternative is what? Run the external version of the namespace
>on a completely separate infrastructure from the internal version?

Wouldn't you do that to some extent anyway, to separate external infra --
which I'd think is authoritative only -- and internal which is likely a
mix of authoritative and recursive?

I guess we've overkilled...We're running a split-horizon config on
separate infrastructure.

There have always been those for and against split horizon.  I often flip
back and forth since I see logic in many of the arguments on both sides.
When I usually hear people speak against split-horizon it has to do with
added complexity and minimal benefit (can be harder to debug, confusing to
new admins, internal resources should rely on more than DNS for protection
and leak out in a lot of ways beside DNS, etc).  They generally advocate
converging the namespace itself more than dictating what the
infrastructure should look like.  You could have a cohesive name space
served from separate infra or common infra using views and ACLs to decide
who can access the cache.  I would envision a hidden master feeding both
sets of infra so maintenance is still centralized.



Re: Simple question about zone and CNAME

2013-04-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Chris Thompson 
Date: Friday, April 5, 2013 3:10 PM
To: Bind Users Mailing List 
Subject: Re: Simple question about zone and CNAME

>On Apr 5 2013, John Wobus wrote:
>
>>> DNAME? 
>>
>>Or SRV records.  Surely browsers are adding support
>>in the next day or two?
>
>Come on, April 1 has been over for too long for this.
>
>Incidentally, we have just been asked for an A record for cam.ac.uk to
>duplicate www.cam.ac.uk because, and I quote, "all the publicity material
>sent out by the nominator [for an award for the web site] gave the URL
>as http://cam.ac.uk/ and this has been retweeted around".

Yes, sadly I've lost that technical battle with marketing several places
now.



Re: ANNOUNCEMENT: New BIND versions are available.

2013-04-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Doug Barton 
Date: Saturday, April 13, 2013 12:34 AM
To: "bind-users@lists.isc.org" 
Subject: Re: ANNOUNCEMENT:  New BIND versions are available.

>Michael,
>
>Thanks for this announcement, and a welcome change.
>
>Given the following:
>
>1. bind-announce is very low volume, and carries only critical
>information that the community needs to know
>2. Currently all posts to bind-announce are duplicated to the other lists
>
>Wouldn't it make sense to 'sort -u' the membership of the 3 lists, call
>that the new bind-announce, and give people a 1-time message about how
>to unsubscribe if they don't want to be there?
>
>I applaud ISC's desire to not subscribe people to lists willy-nilly
>without their permission, but given the specific circumstances here you
>may have over-engineered the solution a bit. :)
>
>Doug

I don't get why expecting to receive announcements on -announce is so
surprising.  People that don't get that likely don't keep BIND updated
anyway.  ;-)

I'm not too passionate either way...currently getting ~6 (one per version,
per list) announces each time a new version comes out is something I've
been dealing with for years.

However, a question to ask might be how other OSS projects do it.  People
used to managing OSS will generally be on several lists with -chat,
-users, -announce, etc.  POLA.



Re: Caching server - named process is limit at 500MB

2013-04-16 Thread Mike Hoskins (michoski)
-Original Message-

From: Chu Ha Khanh 
Date: Tuesday, April 16, 2013 10:25 PM
To: 'Jaco Lesch' 
Cc: "bind-users@lists.isc.org" 
Subject: RE: Caching server - named process is limit at 500MB

>Hi,
> 
>How to check 64 bit version of bind?
> 
>I often download source code from isc.org and compile on 64 bit Solaris
>10 OS then. I always consider my version is 64 bit.

$ file `which named`
/usr/sbin/named: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, stripped


(or whatever path to the right named executable...)
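
What `file` is reading to print that line, as an added example that is not from the list: the ELF identification bytes at the start of the executable give the word size (EI_CLASS), byte order (EI_DATA), object type and target machine, so a 32-bit build on a 64-bit Solaris or Linux host is visible without running it. The two sample headers are constructed (just the first 20 bytes, not real binaries) and the machine table is a subset; the Solaris 64-bit SPARC build shows up as SPARC V9.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
_CLASS = {1: 32, 2: 64}
_DATA = {1: "LSB", 2: "MSB"}
_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
_MACHINE = {0x02: "SPARC", 0x03: "i386", 0x08: "MIPS", 0x14: "PowerPC",
            0x15: "PowerPC64", 0x28: "ARM", 0x2B: "SPARC V9",
            0x3E: "x86-64", 0xB7: "AArch64"}


def describe_elf(header):
    """Decode the first 20 bytes of an ELF file: e_ident plus e_type/e_machine."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in _CLASS or ei_data not in _DATA:
        raise ValueError("invalid EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"       # e_type/e_machine follow file byte order
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return {"class": _CLASS[ei_class], "endian": _DATA[ei_data],
            "type": _TYPE.get(e_type, hex(e_type)),
            "machine": _MACHINE.get(e_machine, hex(e_machine))}


def is_64bit(path):
    """The question in the thread: was this named built as a 64-bit object?"""
    with open(path, "rb") as f:
        return describe_elf(f.read(20))["class"] == 64


# Constructed headers: 64-bit little-endian x86-64 shared object (what a
# modern Linux named looks like), and a 32-bit big-endian SPARC executable.
X86_64_DYN = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", 3, 0x3E)
SPARC32_EXEC = ELF_MAGIC + bytes([1, 2, 1]) + b"\x00" * 9 + struct.pack(">HH", 2, 0x02)


def demo_is_64bit(header):
    """Write a constructed header to a temp file and run the real-file check."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(header)
        path = f.name
    try:
        return is_64bit(path)
    finally:
        os.unlink(path)
```

On a Solaris 10 box a 32-bit named would decode as class 32 with machine SPARC or i386 even though the kernel is 64-bit, which is exactly the case where the process stalls at a few hundred megabytes of cache.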



Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jeremy P 
Date: Wednesday, May 8, 2013 1:33 PM
To: Steven Carr 
Cc: bind-users 
Subject: Re: architecture question

>I understand letter of the law, spirit of the law and playing it safe to
>avoid headaches.
>
>However, there are times where registering a real domain just isn't
>practical.  For example, I'm not going to ask all of the students in my
>courses to go out and register a .com for the semester.  It would be a
>waste of money as their systems never leave the
> local network, except through a NAT connection.  So in those types of
>instances, I'm assuming .lan or .test are safest?

I've seen .lan before, and .test should certainly suffice for student use.

http://tools.ietf.org/html/rfc2606



Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jonathan Reed 
Date: Wednesday, May 8, 2013 4:38 PM
To: Jeremy P 
Cc: bind-users 
Subject: Re: architecture question

>It would be a waste of money as their systems never leave the local
>network, except through a NAT connection.
>
>Godaddy is selling .coms for $0.99 right now (US/Canada). In the spirit
>of an educational setting, it might be a viable exercise for students to
>understand how easy and affordable
> it is to establish a legitimate digital entity.

The spirit of education is often saving money based on a former life as a
lab tech.  While cheap, the proposal to "just go register a real one!"
seems good for $registrar, but potentially bad for the Internet (will we
end up with a bunch of garbage domains that are never used again, and
might actually want to be used by someone else, but will then be squatted
when they expire? yada yada), and better suited for business vs school
networks.

Also, I had a digital entity long before entering a college setting.  I
suspect kids these days are even more likely to have similar.  If real is
the answer, maybe most students wouldn't have to do anything at all.

I really think a lab experiment would be fine using local TLDs, but I
guess it's impossible to really know how valid some of the concerns are
unless we sit through the class or see the course material.  :-)



Re: architecture question

2013-05-09 Thread Mike Hoskins (michoski)
-Original Message-

From: Tony Finch 
Date: Thursday, May 9, 2013 11:01 AM
To: Matus UHLAR - fantomas 
Cc: "bind-users@lists.isc.org" 
Subject: Re: architecture question

>Matus UHLAR - fantomas  wrote:
>> On 09.05.13 10:21, Tony Finch wrote:
>> > Right. Give each student a subdomain of some existing domain, even if
>>the
>> > subdomains aren't publicly delegated.
>>
>> yes, so they will start using it in their job and home.
>
>They shouldn't do that if the teacher has properly explained how domains
>are delegated and who the tutorial domain belongs to.

Based on #students generate N random-string sub-domains assigned in their
course handout.  You can either pre-delegate those or let them delegate
the named domain, based on your requirements.  Start with a fresh config
and newly generated set of sub-domains each quarter.  Just a thought if
you want to go this route and avoid mis-use.
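
One way to script the handout step described above, as an added example that is not code from the thread: generate the N random labels and render the delegation (NS plus glue) records an instructor would pre-load under a parent zone. The parent zone `lab.example`, the `ns1` convention and the 192.0.2.x addresses are placeholders chosen for the demonstration.

```python
# Added example (not from the list thread): random per-student sub-domains
# and the delegation records for them.  Parent zone, name-server naming and
# addresses are made-up placeholders.
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits


def student_labels(count: int, length: int = 8) -> list:
    """Return `count` distinct random DNS labels, each `length` characters.

    Each label starts with a letter and is drawn with `secrets`, so one
    student cannot derive a classmate's label from their own handout.
    """
    if length < 2 or count < 1:
        raise ValueError("need a length of at least 2 and a positive count")
    labels = set()
    while len(labels) < count:
        head = secrets.choice(string.ascii_lowercase)
        body = "".join(secrets.choice(ALPHABET) for _ in range(length - 1))
        labels.add(head + body)
    return sorted(labels)


def delegation_records(parent: str, labels, ns_addrs: dict, ttl: int = 3600) -> str:
    """Render the NS and glue records delegating each label's sub-domain.

    `ns_addrs` maps a label to the IPv4 address of that student's lab box;
    the name server is called ns1 inside the delegated zone, so a glue A
    record is required alongside the NS record.
    """
    parent = parent.rstrip(".")
    lines = []
    for label in labels:
        child = f"{label}.{parent}."
        lines.append(f"{child:<40} {ttl} IN NS ns1.{child}")
        lines.append(f"{'ns1.' + child:<40} {ttl} IN A  {ns_addrs[label]}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed demo: five students under a placeholder parent zone.
    labs = student_labels(5)
    demo_addrs = {lab: f"192.0.2.{10 + i}" for i, lab in enumerate(labs)}
    print(delegation_records("lab.example", labs, demo_addrs), end="")
```

Regenerating the labels each quarter, as the post suggests, also means the old delegations can simply be dropped from the parent zone rather than reused.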



Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Narcis Garcia 
Date: Wednesday, June 5, 2013 12:43 PM
To: "bind-users@lists.isc.org" 
Subject: This list's prefix

>It's not the only mailing list where I'm subscribed.
>Could the administrator please set up a prefix for messages' subject?
>
>For example:
>[bind-u]

Or do your own dirty work, and filter yourself.

List-Id: BIND Users Mailing List 


If you are on many mailing lists, folders vs an inbox full of subjects
will be easier to read...



Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Narcis Garcia 
Date: Wednesday, June 5, 2013 1:02 PM
To: "bind-users@lists.isc.org" 
Subject: Re: This list's prefix

>Somebody has answered me privately and I didn't realize until I've
>checked all details of each message. I've been near to respond to the
>list about that message, unknown for the whole list.
>
>There are some Mailman features that help a lot with usability for
>users, both subject prefix and Reply-To list.
>It's a small step for the single administrator, and a big+multiple steps
>for the rest of people.

I'm fairly certain the list maintainers understand Mailman's features, and
probably have understood similar features since before Mailman existed
(majordomo *gasp*).  That said, we're debating a personal preference.
Opinions are like...  for those who don't want the default behavior, you
can do whatever you prefer (support yourself vs relying on others -- it's
not a hard task to setup filters).  Others are fine with it.  Life goes on.



Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Warren Kumari 
Date: Wednesday, June 5, 2013 1:46 PM
To: Narcis Garcia 
Cc: "bind-users@lists.isc.org" 
Subject: Re: This list's prefix

>--
>Curse the dark, or light a match. You decide, it's your dark.
>-- Valdis Kletnieks

Very appropriate!



Re: This list's prefix

2013-06-06 Thread Mike Hoskins (michoski)
-Original Message-

From: "Elmar K. Bins" 
Organization: unorganized since 1789
Date: Thursday, June 6, 2013 6:18 AM
To: "bind-users@lists.isc.org" 
Subject: Re: This list's prefix

>s...@resistor.net (SM) wrote:
>
>> >And the 100-dollar-question is: How do you remove them on outgoing
>>mails? ;-)
>> The answer is to edit the subject line after hitting the reply button.
>>:-)
>
>I feared this would be the ugly truth...

Or don't buy into religion and have a simpler life.

;-)



Re: Health Check feature in BIND ?

2013-06-17 Thread Mike Hoskins (michoski)
-Original Message-

From: Gaurav Kansal 
Date: Monday, June 17, 2013 3:27 AM
To: "bind-users@lists.isc.org" 
Subject: Health Check feature in BIND ?

>Dear All,
> 
>I was just thinking whether it is possible to have some type of health
>checking of servers through BIND DNS Server and DNS Server should reply
>to clients based on that only.
> 
>i.e., Suppose I have two entries of www record for domain
>xyz.in having ip address 10.1.1.10 and 10.2.2.10.
>Now I want that my DNS Server should check whether the server is up or
>not before replying to clients.
>If one is down, then DNS server should reply the IP address of the second
>one.
> 
>Although this is not a DNS Job and we should use Load-Balancer for this.
>But I just want to check whether this feature is available in Bind or in
>any Open-Source Program which in turn can be combined with BIND to
>achieve the desired result.

You are right, this is not the job of DNS alone...  A load balancer or
GSLB would be ideal.

There have been threads on similar things in the past.  One I recall
involved DDNS and local glue.  Scripts doing pings, port checks, etc
combined with low TTLs and dynamic updates to "route" around potential
problems.

Such an approach can have pitfalls, but does have a place and is
relatively easy to implement.
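
The "port checks plus low TTLs and dynamic updates" approach recalled above, as an added example (not code from the thread or from ISC): a planner that probes each backend and emits the nsupdate script that keeps only the healthy addresses in a low-TTL A RRset. The zone `xyz.in`, the record `www`, the two addresses and the probe port come from the question or are placeholders; the script is intended to be piped into `nsupdate -k <tsig-key-file>` from cron or a monitoring job.

```python
# Added example (not from the list thread): health-check driven failover
# expressed as an nsupdate script.  Zone, record, addresses and probe port
# are placeholders.
import socket
from typing import Callable, Iterable, List, Optional, Tuple


def tcp_port_open(addr: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to addr:port completes within `timeout`.

    A completed handshake only proves the port answers; probe the real
    service path (for example an HTTP health URL) if a load balancer would.
    """
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan_failover(zone: str, name: str, backends: Iterable[str], ttl: int = 30,
                  port: int = 80, server: Optional[str] = None,
                  is_healthy: Optional[Callable[[str], bool]] = None,
                  ) -> Tuple[List[str], str]:
    """Probe each backend and build the nsupdate script for `name`'s A RRset.

    Returns (healthy_backends, script).  If every probe fails the full set
    is kept: publishing an empty RRset would make an outage total even when
    the probe itself is what broke (one of the pitfalls the reply mentions).
    """
    if is_healthy is None:
        is_healthy = lambda addr: tcp_port_open(addr, port)
    backends = list(backends)
    healthy = [b for b in backends if is_healthy(b)]
    publish = healthy if healthy else backends          # fail open, not closed
    zone = zone.rstrip(".")
    fqdn = f"{name}.{zone}."
    lines = [f"server {server}"] if server else []     # default: the SOA master
    lines += [f"zone {zone}.", f"update delete {fqdn} A"]
    lines += [f"update add {fqdn} {ttl} A {ip}" for ip in publish]
    lines.append("send")                                # delete+add go in one UPDATE
    return healthy, "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample from the question: www.xyz.in with two backends.
    up, script = plan_failover("xyz.in", "www", ["10.1.1.10", "10.2.2.10"])
    print(f"healthy: {up}\n{script}", end="")
```

Because the delete and the adds sit in the same UPDATE message, the RRset never transiently disappears on the server; the remaining risks are the ones the reply hints at: a probe path that differs from what clients see, and flapping when a backend is marginal (add hysteresis before trusting this in production).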



Re: Health Check feature in BIND ?

2013-06-17 Thread Mike Hoskins (michoski)
-Original Message-

From: "", "P.Eng." 
Date: Monday, June 17, 2013 2:55 PM
To: Gaurav Kansal 
Cc: "bind-users@lists.isc.org" 
Subject: Re: Health Check feature in BIND ?

>- Original Message -
>> Dear All,
>> 
>> I was just thinking whether it is possible to have some type of
>> health checking of servers through BIND DNS Server and DNS Server
>> should reply to clients based on that only.
>> 
>> 
>> 
>> i.e., Suppose I have two entries of www record for domain xyz.in
>> having ip address 10.1.1.10 and 10.2.2.10.
>> 
>> Now I want that my DNS Server should check whether the server is up
>> or not before replying to clients.
>> 
>> If one is down, then DNS server should reply the IP address of the
>> second one.
>> 
>> 
>> 
>> Although this is not a DNS Job and we should use Load-Balancer for
>> this.
>> 
>> But I just want to check whether this feature is available in Bind
>> or in any Open-Source Program which in turn can be combined with
>> BIND to achieve the desired result.
>> 
>
>Well, doesn't DNS kind of already do this...if the first DNS server isn't
>up, then the user's resolver will timeout and try the next resolver

For DNS/MX yes, but I didn't read that as a limitation of the original
request (e.g. how would you do the same auto-redirect with web or other
server types -- round robin alone can be particularly problematic).

You could certainly handle the more generic case with commercial
appliances, or a bit of tinkering on a budget.



9.9.3-P2

2013-06-24 Thread Mike Hoskins (michoski)
i'm probably the last to notice, but first...good work on the site
redesign.  nice and clean.


generating a new internal package for 9.9.3, and going through the
site/request form i get directed here:

http://www.isc.org/wp-content/plugins/email-before-download/download.php?dl=7a5b7f9dbac01f45b0fd96cfd7e4e39b


which downloads 9.9.3-p1, but then there's this:

https://kb.isc.org/article/AA-00889/0/BIND-9.9.2-P2-Release-Notes.html

which points to 9.9.3-p2, and has a link to download all bind
versions...but that just goes to the dl page/form which links to p1.

has the latest p1 tarball incorporated the fixes in those release notes,
is there a link i've missed for p2, or am i just going insane (or any
combination of the above)?

sorry to ask an obvious question...but i'm already a bit behind the times,
and want to be sure i grab the latest.

thanks!



Re: 9.9.3-P2

2013-06-24 Thread Mike Hoskins (michoski)
fwd to spare the list further responses :-)

-Original Message-

From: Mike Hoskins 
Date: Monday, June 24, 2013 4:59 PM
To: "sgra...@isc.org" 
Subject: Re: 9.9.3-P2

>-Original Message-
>
>From: Sue Graves 
>Organization: Internet Systems Consortium
>Reply-To: "sgra...@isc.org" 
>Date: Monday, June 24, 2013 4:51 PM
>To: Mike Hoskins 
>Subject: Re: 9.9.3-P2
>
>>Hi Mike,
>>9.9.two-P2 release note, not 9.9.three-P2.  So 9.9.3-P1 is the latest
>>BIND 9 release.
>
>thanks all for a little sanity on another insane monday...
>
>so the correct answer is "c" for "i'm going insane."
>
>cheers!



Re: sockmgr 1005a1080: unexpected POLL timeout

2013-06-28 Thread Mike Hoskins (michoski)
-Original Message-

From: Dennis Clarke 
Date: Friday, June 28, 2013 11:43 AM
To: "bind-users@lists.isc.org" 
Subject: sockmgr 1005a1080: unexpected POLL timeout

>
>I have a recent build of BIND 9.9.3-P1 and after bringing up the service
>on a 
>Solaris 10 server I begin to see many log entries like so :
>
>28-Jun-2013 15:41:17.636 sockmgr 1005a1080: unexpected POLL timeout
>
>I don't know what this is and am mildly concerned.  Is this evidence of a
>config
>problem or a compile problem or ?  Really I have not seen this before and
>there
>are roughly 5000 such entries in my log thus far today.
>
>Dennis

just as a data point i set up a couple new 9.9.3-P1 boxes last night that
get around 30,000 qps combined and with rolling logs the last million
lines or so don't show any trace of "POLL" on centos 6.4 with bind
compiled from latest isc.org src.  the only "option" i have is enable-ssl.

not much help i know, but it does seem solaris/compile specific.  maybe
something like this can help:

http://comp.protocols.dns.bind.narkive.com/fijjEh47/workaround-solaris-s-kernel-bug



Re: configure syslog prefix

2013-07-03 Thread Mike Hoskins (michoski)
-Original Message-

From: Shawn Bakhtiar 
Date: Wednesday, July 3, 2013 12:15 PM
To: "bind-us...@isc.org" 
Subject: RE: configure syslog prefix

>hhhmmm
>
>I have not run multiple binds on the same box, but according to the man
>pages for named.conf (assuming you have a different configuration file
>for each instance) setup each to report to a different logging facility
>ie:
>
>in named.conf:
>
>
>logging {
>  channel default_syslog {
>syslog local7;
>severity info;
>  };
>
>...
>
>
>and in /etc/rsyslog.conf
>
># Save named messages firstnamedinstance.log
>local7.*  /var/log/firstnamedinstance.log
>
>(If you have logrotate installed)You may also want to add a file in
>/etc/logrotate.d with the following info:
>
>/var/log/firstnamedinstance.log {
>sharedscripts
>postrotate
>/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
>endscript
>}

Good call, and if you're running rsyslog go to rsyslog.conf/doc and read
about templates...  You can rewrite anything to your heart's content with
a little effort.



Re: BIND Service Hung

2013-07-03 Thread Mike Hoskins (michoski)
-Original Message-

From: , Ryan 
Date: Wednesday, July 3, 2013 12:38 PM
To: Matus UHLAR - fantomas 
Cc: "bind-users@lists.isc.org" 
Subject: Re: BIND Service Hung

>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>On 07/03/2013 05:09 AM, Matus UHLAR - fantomas wrote:
>> On 03.07.13 09:33, Arie Lendra Putra wrote:
>>> Now the problem is sometimes (not quite often, just seldomly)
>>> Named on one of this server is just plain not responding, the
>>> process is still there but just not responding to any queries,
>>> when this happened the only way to revive it is to kill the PID
>>> and restart the named service, plain service named restart not
>>> working.
>>> 
>>> and nothing on logs.
>>> 
>>> What seems to be the problem, is it because the bind version is
>>> too outdated?
>> 
>> most probably. get a newer version within your package
>> distribution, or try to upgrade the system if you can.
>
>I don't think there is any evidence whatsoever that points in that
>direction.

sure but even in the commercial world, typical support model says
"reproduce with latest version" -- even more so with OSS.  if you have a
problem on an ancient version, there are too many variables.  reproduce on
an updated system and you are more likely to get help.  not a perfect
answer, but quite common.  ultimately it is your problem so others might
help but impetus ultimately yours.  you really want to run an updated
version anyway, have you read the CVEs?  :-)



Re: The Path of source code

2013-08-21 Thread Mike Hoskins (michoski)
-Original Message-

From: Nidal Shater 
Date: Wednesday, August 21, 2013 4:27 PM
To: "bind-users@lists.isc.org" 
Subject: The Path of source code

>I have installed BIND by using the command " yum install bind" in
>"centos6.3", what is the location (path) of the source code and especially
>the ".c" files on my filesystem
>
>Nidal

Find out what's installed with rpm -ql .  You will likely need
to install bind-devel and bind-libs.



Re: /etc/named.conf won't be installed !!

2013-08-27 Thread Mike Hoskins (michoski)
-Original Message-

From: Nidal Shater 
Date: Tuesday, August 27, 2013 12:02 PM
To: "bind-users@lists.isc.org" 
Subject: /etc/named.conf won't be installed !!

>hi 
>when I install BIND,,,BIND won't install the /etc/named.conf file why ???
>I think bind has problems with centos6.3
>could anybody figure it out
>PS: I use (./configure ,make, make install ) to install it

Others pointed out it's normal for source install, refer to this as a
reference:

http://www.cymru.com/Documents/secure-bind-template.html

Then check the latest ARM for other options you might need:

https://kb.isc.org/article/AA-00845/0/BIND-9.9-Administrator-Reference-Manual-ARM.html



Re: the location of dig and named

2013-08-28 Thread Mike Hoskins (michoski)
-Original Message-

From: Nidal Shater 
Date: Wednesday, August 28, 2013 5:35 PM
To: "bind-users@lists.isc.org" 
Subject: the location of dig and named

>when I typed dig  or named ,,, what is the location of the executable
>program dig and named is ?

It will vary by platform, and you can ultimately control it via
./configure --bindir=/foo --sbindir=/bar.  Easiest thing to do is look at
the configure defaults or simply find / -type f -name {dig,named,etc}.



Re: detect if zone/s is frozen

2013-09-03 Thread Mike Hoskins (michoski)
-Original Message-

From: /dev/rob0 
Organization: RTFM
Reply-To: "bind-users@lists.isc.org" 
Date: Tuesday, September 3, 2013 5:17 PM
To: "bind-users@lists.isc.org" 
Subject: Re: detect if zone/s is frozen

>On Tue, Sep 03, 2013 at 12:31:08PM -0700, Justin T Pryzby wrote:
>> Is there a nice way to tell if any zone is frozen (or a
>> specific zone)?  I'm hoping to implement a nagios check, since
>> I have several times gotten distracted while making an update,
>> and forgot to "thaw"ed the zone until something odd happens
>> later on.
>
>I would suggest that if you're making much use of rndc freeze, YDIW.
>Consider using nsupdate(8) to make your changes.

True, but I just set up two new networks where the tenants wanted exactly
this capability...so use cases exist.  It got me thinking, and I was
hoping for an answer all day.  :-)  It would be nice to be able to monitor,
since just looking for missing jnl's or something obvious doesn't work
(maybe a command to force jnl rewrite for any thawed zones would do it,
then you could really just monitor for jnl's missing >threshold).

Failing an easy monitoring solution (I don't see anything in terms of rndc
options, or old/new stats output), you might consider creating a wrapper
that does the rndc freeze/vi/update serial to mtime/rndc thaw and post it
clearly in /etc/motd.  Not perfect, but would mostly work except when you
get distracted in the middle of the vi session.  :-)



Re: detect if zone/s is frozen

2013-09-04 Thread Mike Hoskins (michoski)
-Original Message-

From: Tony Finch 
Date: Wednesday, September 4, 2013 4:50 AM
To: Mike Hoskins 
Cc: "bind-users@lists.isc.org" 
Subject: Re: detect if zone/s is frozen

>Mike Hoskins (michoski)  wrote:
>> /dev/rob0  wrote:
>> >
>> >I would suggest that if you're making much use of rndc freeze, YDIW.
>> >Consider using nsupdate(8) to make your changes.
>>
>> True, but I just setup two new networks where the tenants wanted exactly
>> this capability...so use cases exist. [...]
>>
>> Failing an easy monitoring solution (I don't see anything in terms of
>>rndc
>> options, or old/new stats output), you might consider creating a wrapper
>> that does the rndc freeze/vi/update serial to mtime/rndc thaw and post
>>it
>> clearly in /etc/motd.  Not perfect, but would mostly work except when
>>you
>> get distracted in the middle of the vi session.  :-)
>
>Better option: use nsdiff, which calculates the differences between the
>live version of your zone and a master file that you edit, and turns the
>result into an nsupdate script.
>
>http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Thanks for the pointer...

Also, I guess I overlooked the obvious?  If you nsupdate while a zone is
frozen it looks like the update is refused vs silently queued (nsupdate
exits non-zero)...so a nagios/whatever monitor could be written that
periodically updates a test record within the zone and complains on
failure.
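
The monitor sketched above, as an added example (not code from the thread): it pushes a throwaway TXT record through nsupdate and maps the outcome to a Nagios exit state. The canary label `_canary`, the TSIG key-file handling and the output strings matched are assumptions; the one fact taken from the post is that a refused update makes nsupdate exit non-zero.

```python
# Added example (not from the list thread): a canary dynamic update that
# reports whether a zone currently accepts updates.  Label, key handling
# and the matched message strings are assumptions.
import subprocess
import time
from typing import Optional, Sequence, Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3       # Nagios plugin exit states


def canary_script(zone: str, label: str, token: str, server: str) -> str:
    """nsupdate input that replaces <label>.<zone> TXT with a fresh token."""
    zone = zone.rstrip(".")
    fqdn = f"{label}.{zone}."
    return "\n".join([
        f"server {server}",
        f"zone {zone}.",
        f"update delete {fqdn} TXT",
        f'update add {fqdn} 60 TXT "{token}"',
        "send",
        "",
    ])


def classify(returncode: int, output: str) -> Tuple[int, str]:
    """Map nsupdate's exit status and combined output to a Nagios state."""
    text = output.lower()
    if returncode == 0 and "update failed" not in text:
        return OK, "zone accepts dynamic updates"
    if "refused" in text:
        # A frozen zone and an allow-update/update-policy that denies the key
        # both yield REFUSED; the check only says updates are not landing.
        return CRITICAL, "update REFUSED (zone frozen or updates not permitted)"
    if "servfail" in text or "timed out" in text or "timeout" in text:
        return WARNING, "update did not complete (SERVFAIL or timeout)"
    return UNKNOWN, f"nsupdate exit {returncode}: {output.strip()[:200]}"


def check_zone(zone: str, server: str = "127.0.0.1", label: str = "_canary",
               key_file: Optional[str] = None,
               nsupdate_cmd: Sequence[str] = ("nsupdate",)) -> Tuple[int, str]:
    """Run the canary update and return (nagios_state, message)."""
    cmd = list(nsupdate_cmd)
    if key_file:
        cmd += ["-k", key_file]                      # TSIG key for the update
    token = f"probe-{int(time.time())}"
    script = canary_script(zone, label, token, server)
    try:
        proc = subprocess.run(cmd, input=script, capture_output=True, text=True)
    except FileNotFoundError as exc:
        return UNKNOWN, f"cannot run {cmd[0]}: {exc}"
    return classify(proc.returncode, proc.stdout + proc.stderr)


if __name__ == "__main__":
    import sys
    state, message = check_zone(sys.argv[1] if len(sys.argv) > 1 else "example.test")
    print(f"{['OK', 'WARNING', 'CRITICAL', 'UNKNOWN'][state]}: {message}")
    sys.exit(state)
```

The canary key should be allowed to touch only the `_canary` name (an `update-policy` grant scoped to that name), so the monitoring credential cannot rewrite anything else if it leaks.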



Re: filter-aaaa-on-v4

2013-09-18 Thread Mike Hoskins (michoski)
-Original Message-

From: "", "P.Eng." 
Date: Wednesday, September 18, 2013 10:08 AM
To: bind-users 
Subject: filter-aaaa-on-v4

>I finally turned this feature on when I built bind-9.9.3-P2
>
>Had only gotten the occasional user complaints that some browser/client
>tries to connect to IPv6 and fails.  Because our IT Security group
>doesn't allow IPv6 and is/was blocking tunneling protocols on campus.
>
>As a side effect, my NTP servers are happier since all #.pool.ntp.org
>(where # is 0-3) now resolve to usable addresses.
>
>Why 4?  If you only have one NTP server, you know what the time is, but
>you don't know if it is correct.  If you have two servers, you won't know
>what time it is.  With 3, you can have a pretty good idea of the correct
>time, until one breaks.  So, 4 gives you a good idea of what the correct
>time is, even if one breaks.  Though I had seen another article
>suggesting the sets of 3's (3,6,9,12)
>
>Only 0-3 are defined with the pools, so that's what I go with.  Problem
>is that they have been putting all the IPv6 NTP servers in pool 2, along
>with some IPv4 ones.  And, most of the time when I start ntpd, it picks
>an IPv6 one from 2.
>
>Had a server where one of the others was intermittent, so it was going
>between 2 or 3 servers (and, of course, I put my NTP servers in
>Nagios...so I get alerted when this happens, which had been fine for
>months, until the system got rebooted for OS updates
>
>Just restarted it again, and saw it found 4 servers... wish I had thought
>of this sooner.  Wonder if I should do this at home?  Guessing it's not
>enabled in the system bind, so I'll have to switch to using ports.

FWIW, you could also add -4 to ntpd args or use -4 prefix in ntpd.conf.



Re: Install DNS Server

2013-10-10 Thread Mike Hoskins (michoski)
While I mostly agree, simply doing a 'yum update' against the CentOS repos
will pull you up to 5.9...which isn't really old, it was released around
the same time as 6.4.  Then at least your base OS is up to date, and you
don't have to use the community RPMs.  You can build from source, generate
your own packages, or use community SRPMs that are available.


Newer is generally better, but depending upon what you're doing moving
from 5.x to 6.x (or changing major versions in general) is often not as
easy as it sounds.  I personally still have to maintain 5.x and 6.x to
keep our developers happy.  That said, running 5.x is still not an excuse
to be out of date.  Based on the question, this might just be lack of
experience...but moving to the latest minor release is very simple.

http://www.tecmint.com/how-to-upgrade-from-centos-5-x-to-centos-5-9/

http://www.howtoforge.com/bind-installation-on-centos

http://www.linuxfromscratch.org/blfs/view/svn/server/bind.html

http://www.five-ten-sg.com/mapper/bind

-Original Message-
From: , Jeff 
Date: Thursday, October 10, 2013 7:26 AM
To: Sten Carlsen , Chandran Manikandan

Cc: "bind-users@lists.isc.org" 
Subject: RE: Install DNS Server

>Any reason why you're using CentOS 5.7 given that 6.4 (and maybe later)
>is available?
>
>if this is a new system you really ought to think about using the 6.x
>stuff.   5.x is long in the tooth even though still supported it has many
>older upstream packages of things including BIND.   CentOS does put bug
>and security fixes in (or RedHat does and CentOS
> gets them because they build from RHEL source) but you still end up with
>something very old (BIND 9.3.x) that most folks on this list don't want
>to talk about because it is long past EOL for BIND.
> 
>
> 
> 
>From: bind-users-bounces+jlightner=water@lists.isc.org
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
>Of 
>Sten Carlsen
>Sent: Thursday, October 10, 2013 6:38 AM
>To: Chandran Manikandan
>Cc: bind-users@lists.isc.org
>Subject: Re: Install DNS Server
>
>
> 
>Hi
>
>I do that and more on an ATOM machine with 2GB RAM. I use Postfix instead
>of qmail but see no reason qmail would not work.
>
>I installed all the relevant RPMs, configured them and it works.
>
>One thing to remember is that you need two or more DNS servers, I do that
>by being a stealth master with several slaves on my 3rd party provider.
>
>
>On 10/10/13 12.27, Chandran Manikandan wrote:
>
>
>Hi All, 
>I am running Centos 5.7 32 bit server machine.
>
>I have installed and successfully run qmail,web,ftp with the same machine.
>
>Now am DNS hosting with third party. I would like to install and keep DNS
>hosting myself. 
>
>How to do that , How to install Dns server with the same machine or
>different machine as well what is the complete procedure and steps.
>
> 
>
>Any one help me.
>
> 
>
>-- 
>Thanks, 
>Manikandan.C
>
>System Administrator
>



Re: Performance Tuning RHEL 5 and Bind

2013-10-22 Thread Mike Hoskins (michoski)
-Original Message-

From: Alan Clegg 
Date: Tuesday, October 22, 2013 7:44 AM
To: "bind-users@lists.isc.org" 
Subject: Re: Performance Tuning RHEL 5 and Bind

>On Oct 21, 2013, at 9:47 AM, wbr...@e1b.org wrote:
>
>>> From: Alan Clegg 
>> 
>>> Fix your windows clients.
>> 
>> You can't fix stupid.
>
>I have lots of windows clients and they don't exhibit this "feature".
>There's something wrong on the windows clients and it's not the norm.
>
>To be honest, recent windows releases do a pretty fine job with DNS.

Agreed.  The problem here is the TCP fall-back vs BIND/OS tuning.  I've
got a lot of Windows clients (mostly vmware related infra) that don't
query via TCP.  I would focus on a deeper inspection of the environment
including network layer.  The OP needs to figure out why the queries are
using TCP.

Speculating based on the available data, I'm wondering if the new BIND
servers were stood up behind a firewall...possibly with broken protocol
inspection/fixup type configuration limiting UDP packet size to 512
bytes...and zone data with large NS/whatever RR sets resulting in TCP
retries.



Re: [External] Re: intermittent resolution

2013-10-31 Thread Mike Hoskins (michoski)
-Original Message-

From: Matus UHLAR - fantomas 
Date: Thursday, October 31, 2013 7:49 AM
To: "bind-users@lists.isc.org" 
Subject: Re: [External]  Re: intermittent resolution

>On 30.10.13 21:58, Samp, Daniel [USA] wrote:
>>In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
>> nih.gov, ssa.gov) it was due to application based filtering (layer 4).
>> For some reason the responses from these sites are more often than not
>> fragmented and if you have something doing filtering based on ports it
>>may
>> not be delivering the follow-up fragments because they do not have the
>>tcp
>> headers.  Do a tcpdump of your DNS traffic from noaa.gov and check to
>>see
>> if responses are being fragmented and whether you are receiving all of
>>the
>> fragments. 
>
>> We had to set edns-udp-size to 512 as a workaround until we
>> could identify the problematic piece of hardware.
>
>this is a server option, not a client option. did you have to set this on
>your recursive servers, because HW between them and your clients was
>problematic?
>
>If you did find the culprit, can you tell us who was it?

i would assume a firewall somewhere between the server and clients doing
things like protocol inspection or "fixups" based on outdated BCPs.  i've
encountered that numerous times myself.  one more reason the oarc reply
size test is useful.

https://www.dns-oarc.net/oarc/services/replysizetest/

http://www.cisco.com/web/about/security/intelligence/dnssec.html#11
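
A small probe in the spirit of the OARC reply-size test linked above, covering both this thread and the earlier "Performance Tuning" reply about firewalls clamping UDP to 512 bytes and forcing TCP retries. It is an added example, not code from the thread or from DNS-OARC: it sends a query advertising an EDNS buffer size and decodes the reply header for the TC (truncated) bit and the EDNS size the server sent back. The embedded reply bytes are constructed for the offline demonstration; the server and name passed to `probe()` are whatever you choose to test.

```python
# Added example (not from the list thread): minimal EDNS/TC probe.  The
# sample reply is constructed; real replies come from probe().
import secrets
import socket
import struct

TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags
OPT_TYPE = 41             # EDNS0 pseudo-RR type


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, edns_size: int = 4096):
    """Return (id, packet) for a recursion-desired query, with OPT if edns_size."""
    qid = secrets.randbits(16)
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_size:
        # root name, type OPT, "class" carries the UDP payload size, TTL 0, no rdata
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return qid, header + question + opt


def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2                  # compression pointer ends the name
        pos += 1
        if length == 0:
            return pos
        pos += length


def summarize(reply: bytes) -> dict:
    """Decode the header and find the EDNS payload size the server sent back."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    info = {"id": qid, "rcode": flags & 0xF, "truncated": bool(flags & TC_FLAG),
            "answers": an, "edns_size": None}
    pos = 12
    for _ in range(qd):
        pos = _skip_name(reply, pos) + 4            # qtype + qclass
    for _ in range(an + ns + ar):
        pos = _skip_name(reply, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        if rtype == OPT_TYPE:
            info["edns_size"] = rclass               # class field = UDP buffer size
        pos += 10 + rdlen
    return info


def probe(server: str, name: str, edns_size: int = 4096, timeout: float = 3.0) -> dict:
    """Send one UDP query and summarize the reply (needs network access)."""
    qid, packet = build_query(name, edns_size=edns_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(65535)
    info = summarize(data)
    if info["id"] != qid:
        raise ValueError("reply ID does not match the query")
    info["bytes"] = len(data)
    return info


# Constructed sample reply: QR/RD/RA/TC set, one A answer, OPT advertising 1232.
SAMPLE_TRUNCATED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
)
```

Run `probe()` against the same server from inside and outside the firewall with decreasing `edns_size` values: if replies are truncated (or simply never arrive) above 512 bytes from one vantage point only, a middlebox on that path is clamping UDP DNS, which is exactly the condition that turns every large answer into a TCP retry.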



xml stats question

2013-11-02 Thread Mike Hoskins (michoski)
Hi folks,


Quick question on xml stats...  I've used the new style statistics for
monitoring, etc. and find it really useful as I'm sure many do.  One of
the things I'm working on is moving to collectd vs remote polling, and the
bind plugin seems to require v2 vs v3 xml schema (my first guess, since it
won't parse the default xml I'm seeing under /, which looks different in
the latest releases).

I'm sure the plugin will get updated at some point, but from reading over
the 9.9.4 ARM it says I should be able to access URIs like /xml/v2 and
/xml/v3 but neither of those work for me -- just the top level page which
I think is the newer schema (it looks different than it did in 9.8).
However, the ARM also says the v? URIs will be available only "if the
requested schema is supported by the server" -- what determines that
availability?  I've compiled with libxml2 which makes the top-level stats
work.  Do I just need more configure options or something else to get
/xml/v2 working?

TIA



Re: xml stats question

2013-11-02 Thread Mike Hoskins (michoski)
-Original Message-

From: Mike Hoskins 
Date: Saturday, November 2, 2013 1:31 PM
To: "bind-users@lists.isc.org" 
Subject: xml stats question

>Hi folks,
>
>Quick question on xml stats...  I've used the new style statistics for
>monitoring, etc. and find it really useful as I'm sure many do.  One of
>the things I'm working on is moving to collectd vs remote polling, and the
>bind plugin seems to require v2 vs v3 xml schema (my first guess, since it
>won't parse the default xml I'm seeing under /, which looks different in
>the latest releases).
>
>I'm sure the plugin will get updated at some point, but from reading over
>the 9.9.4 ARM it says I should be able to access URIs like /xml/v2 and
>/xml/v3 but neither of those work for me -- just the top level page which
>I think is the newer schema (it looks different than it did in 9.8).
>However, the ARM also says the v? URIs will be available only "if the
>requested schema is supported by the server" -- what determines that
>availability?  I've compiled with libxml2 which makes the top-level stats
>work.  Do I just need more configure options or something else to get
>/xml/v2 working?

Answered my own question, sorry for the noise.  It was getting late last
night, and I thought I'd configured without "--enable-newstats", but after
doing a fresh build today the v2 xml appears at / again.

Still not sure about the 9.9.4 ARM reference to /xml/v2 and /xml/v3 (it
would be nice to be able to access /xml/v2 within collectd and /xml/v3
elsewhere), but the right configure options will at least keep collectd
happy for now.


Re: Bind server crashing (lots of EAGAIN, ENOENT, ...). With strace log.

2013-11-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Alan Clegg 
Date: Tuesday, November 5, 2013 9:28 PM
To: "bind-users@lists.isc.org" 
Subject: Re: Bind server crashing (lots of EAGAIN, ENOENT,  ...). With
strace log.

>
>On Nov 5, 2013, at 7:31 AM, K L  wrote:
>
>> Here is a strace log from when it happens:
>>http://pastebin.com/raw.php?i=7i0PgALG . Example:
>> 6500 recvmsg(518, {msg_name(16)={sa_family=AF_INET, sin_port=htons(53),
>>sin_addr=inet_addr("10.0.101.50")},
>>msg_iov(1)=[{"~\223\201\200\0\1\0\1\0\5\0\6\3ns3\5cymru\3com\0\0\1\0\1\30
>>0"..., 4096}], msg_controllen=32, {cmsg_len=32, cmsg_level=SOL_SOCKET,
>>cmsg_type=0x1d /* SCM_??? */, ...}, msg_flags=0}, 0) = 252
>> 6500 recvmsg(518, 0x7fd4b6588900, 0) = -1 EAGAIN (Resource temporarily
>>unavailable)
>
>What about more "normal" bind logging?  Anything useful in there?

It's been a while since I looked at a strace of named under load, but I seem
to recall this being normal for non-blocking sockets...take that with a
grain of salt, it was long ago when I went looking for EAGAIN/ENOENT on
Google.  :-)  I'm sure someone from ISC can provide a lot more insight
into "normal" operation.

Aside from logs, how does rndc status look under load?  Do you have
anything like cacti or graphite pulling numbers out of statistics output,
to possibly spot any trends?  What options are you running in named.conf,
and what is the BIND version?


Re: logging query time

2013-11-13 Thread Mike Hoskins (michoski)
-Original Message-
From: Birta Levente 
Date: Wednesday, November 13, 2013 3:29 PM
To: "bind-users@lists.isc.org" 
Subject: logging query time

>Hi
>
>I have a caching nameserver (bind 9.8.2) and I curious if I can log the
>duration of queries to the forwarders?

Not that I know of easily (from logs), nor from collectd's bind plugin
that I've found, though the dns plugin could be expanded to provide
this...however, since that ultimately involves running a sniffer process
on your name server(s), it might be better to just do it yourself if it's
for debug purposes.  Something like:

http://ask.wireshark.org/questions/3678/dns-transaction-latency
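Added example, not from the thread or the linked Wireshark page: the pairing of an upstream query with its response that a "transaction latency" measurement on the resolver boils down to, run over a constructed packet list shaped like what a sniffer on the resolver would capture (192.0.2.10 as the resolver, 198.51.100.53 as the forwarder; both are made-up documentation addresses, and the helper names and tuple layout are mine).

```python
import struct

RESOLVER, FORWARDER = "192.0.2.10", "198.51.100.53"   # constructed addresses


def build_query(txid, name, qtype=1):
    """Minimal DNS query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query):
    """Turn a query into a matching (answer-less) response: same id, QR and RA set."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | 0x8180) + query[4:]


def parse_dns(payload):
    """Return (transaction id, is_response, qname) from a DNS message."""
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, pos = [], 12                      # question section starts after the header
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                     # compression never appears in the first qname
            raise ValueError("unexpected compressed label in question section")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return txid, bool(flags & 0x8000), ".".join(labels) + "."


def transaction_latencies(packets, resolver_ip):
    """Pair each query the resolver sends upstream with the matching response.

    packets: iterable of (timestamp, src_ip, dst_ip, src_port, dst_port, udp_payload).
    A response matches on (forwarder ip/port, resolver port, txid, qname), the same
    tuple a resolver uses to accept an answer.  Returns (answered, unanswered):
    answered is a list of (qname, forwarder, seconds), unanswered a list of qnames
    that never got a reply (a timeout from the resolver's point of view).
    """
    pending, answered = {}, []
    for ts, src, dst, sport, dport, payload in sorted(packets, key=lambda p: p[0]):
        txid, is_response, qname = parse_dns(payload)
        if not is_response and src == resolver_ip:
            # A retransmit keeps the first send time: that is what the client waited.
            pending.setdefault((dst, dport, sport, txid, qname), ts)
        elif is_response and dst == resolver_ip:
            sent = pending.pop((src, sport, dport, txid, qname), None)
            if sent is not None:              # unsolicited responses are simply ignored
                answered.append((qname, src, round(ts - sent, 6)))
    unanswered = [key[4] for key in pending]
    return answered, unanswered


# Constructed capture: two answered upstream queries and one that never returns.
_q1 = build_query(0x1A2B, "www.example.")
_q2 = build_query(0x3C4D, "mail.example.")
_q3 = build_query(0x5E6F, "slow.example.")
SAMPLE_PACKETS = [
    (100.000, RESOLVER, FORWARDER, 40001, 53, _q1),
    (100.012, FORWARDER, RESOLVER, 53, 40001, build_response(_q1)),
    (100.100, RESOLVER, FORWARDER, 40002, 53, _q2),
    (100.350, RESOLVER, FORWARDER, 40003, 53, _q3),
    (100.143, FORWARDER, RESOLVER, 53, 40002, build_response(_q2)),  # out of order on purpose
]

if __name__ == "__main__":
    done, lost = transaction_latencies(SAMPLE_PACKETS, RESOLVER)
    for qname, fwd, secs in done:
        print(f"{qname:<16} via {fwd}: {secs * 1000:.1f} ms")
    for qname in lost:
        print(f"{qname:<16} no response")
```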


Re: Size boundaries for zones of IPv6 rDNS

2013-11-14 Thread Mike Hoskins (michoski)
-Original Message-
From: Listas 
Date: Thursday, November 14, 2013 12:57 PM
To: "bind-users@lists.isc.org" 
Subject: Size boundaries for zones of IPv6 rDNS

>Hi!
>
>Are there size limits for zones of IPv6 reverse DNS ?
>
>For example, is this a valid zone?
>
>5.a.8.3.4.f.3.0.c.a.d.f.ip6.arpa
>
>Thank you in advance!

Looks valid to me.

zone "1.0.0.4.8.6.8.1.1.0.0.2.ip6.arpa" {
    type master;
    file "external/master/2001.1868.4001.db";
};

zone "0.0.2.1.3.0.0.2.1.0.1.0.0.2.6.2.ip6.arpa" {
    type master;
    file "external/master/2620.101.2003.1200.db";
};

etc.

http://www.zytrax.com/books/dns/ch3/#ipv6
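Added example, not from the thread: a Python helper that derives the ip6.arpa zone name for an IPv6 prefix and maps a zone name back to its prefix, so names like the ones above can be checked. The only real constraint it enforces is the nibble boundary: reverse zones are cut on 4-bit boundaries, one hex label per nibble, so a name has between 1 and 32 labels under ip6.arpa. Function names are mine.

```python
import ipaddress

IP6_ARPA = "ip6.arpa"
HEX = "0123456789abcdef"


def ip6_arpa_zone(prefix):
    """Return the ip6.arpa zone name covering an IPv6 prefix, e.g. 2001:1868:4001::/48.

    A prefix length that is not a multiple of 4 cannot be expressed as a single
    reverse zone (it would need several sibling zones), so it is rejected.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)   # host bits must be zero
    if net.prefixlen % 4 != 0:
        raise ValueError(f"{prefix}: prefix length must be a multiple of 4 bits")
    nibbles = net.network_address.exploded.replace(":", "")   # 32 hex digits
    kept = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + "." + IP6_ARPA


def ip6_arpa_to_prefix(zone):
    """Inverse: map an ip6.arpa zone name back to the prefix it covers."""
    name = zone.rstrip(".").lower()
    suffix = "." + IP6_ARPA
    if not name.endswith(suffix):
        raise ValueError(f"{zone}: not a name under {IP6_ARPA}")
    labels = name[: -len(suffix)].split(".")
    if not 1 <= len(labels) <= 32 or any(len(lab) != 1 or lab not in HEX for lab in labels):
        raise ValueError(f"{zone}: expected 1 to 32 single hex-digit labels")
    hexdigits = "".join(reversed(labels)).ljust(32, "0")   # pad the host part with zeros
    addr = ipaddress.IPv6Address(int(hexdigits, 16))
    return f"{addr}/{4 * len(labels)}"


if __name__ == "__main__":
    for p in ("2001:1868:4001::/48", "2620:101:2003:1200::/64"):
        print(p, "->", ip6_arpa_zone(p))
    print("5.a.8.3.4.f.3.0.c.a.d.f.ip6.arpa", "->",
          ip6_arpa_to_prefix("5.a.8.3.4.f.3.0.c.a.d.f.ip6.arpa"))
```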


Re: RHEL 6 CPU load

2013-11-20 Thread Mike Hoskins (michoski)
-Original Message-
From: Blake Hudson 
Date: Wednesday, November 20, 2013 11:03 AM
To: "bind-users@lists.isc.org" 
Subject: Re: RHEL 6 CPU load

>Daniel, what do you see the load as? I see 4.6% CPU usage (100% possible
>- 95.4% idle).


Wondering the same.  Don't consider 0.00 high load.  ;-)



>I'm not sure which versions of BIND you were using on RHEL5, but the
>newer versions do tend to use more CPU usage (I'll assume due to new
>features, patches, etc in the BIND code).
>
>--Blake
>
>- wrote the following on 11/20/2013 9:37 AM:
>
>We recently upgraded one of our DNS servers to RHEL 6. The other two
>servers are running RHEL 5. The new system is showing much higher CPU
>load than the other two (RHEL 5 machines sit around 11-15%). I am not
>sure if this is related to the OS versions
> or something else. The build procedure for the new system is completely
>different than before which could also be the cause. Any ideas why this
>could be happening?


Were the configure options the same when you built on 5.x vs 6.x? You can
see that with named -V.

You mention a different build procedure -- do you mean named or OS? As a
first step I would focus on those differences. FWIW I have moved about 30
recursive resolvers with the highest iterative workload I've had the
privilege of managing to centos 6.x and had no ill effects so I don't
think it's simply the OS itself.


Re: Delegation and Forwarding

2013-12-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Bob McDonald 
Date: Wednesday, December 11, 2013 7:10 AM
To: "bind-users@lists.isc.org" 
Subject: Delegation and Forwarding

>I'm a bit confused on the need for a blank forwarders statement inside of
>a zone statement in the named.conf file.  Given an internal zone on a
>recursive server with global forwarders,
> what are the situations which would require me to code a blank
>forwarders statement inside of a zone statement in a named.conf?  I have
>internal zones which 1) do not delegate children, 2) delegate children on
>the same server, and delegate children on different
> servers (and different versions of bind).  I know that delegation is not
>affected on servers without global forwarders.  The documentation around
>this is not clear (at least to me ).

Empty forwarders in a zone stanza effectively cancels global forwarders.
From the ARM:

"If no forwarders statement is present or an empty list for forwarders is
given, then no forwarding will be done for the domain, canceling the
effects of any forwarders in the options statement."

So you can assume the same behavior for that zone as if you had no
forwarders defined.
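Added example, not from the thread: a Python audit of a named.conf that reports which forwarders actually apply to each zone under the rule quoted above (a zone with no forwarders statement of its own keeps the global list; an empty list cancels it; a forward zone uses only what it declares). It assumes a flat config without view blocks and runs over a constructed sample; the parsing helpers are mine, not BIND's.

```python
import re


def _strip_comments(text):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block_body(text, open_brace):
    """Return the text between text[open_brace] == '{' and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _forwarders(body):
    """None when the block has no forwarders statement, else the address list
    (an empty list is exactly the 'forwarders { };' that cancels global forwarding)."""
    m = re.search(r"\bforwarders\s*\{", body)
    if m is None:
        return None
    inner = _block_body(body, m.end() - 1)
    return [a.strip() for a in inner.split(";") if a.strip()]


def effective_forwarders(conf):
    """Map each zone name to the forwarder list that applies to queries under it."""
    text = _strip_comments(conf)
    global_fw = []
    m = re.search(r"\boptions\s*\{", text)
    if m:
        global_fw = _forwarders(_block_body(text, m.end() - 1)) or []
    result = {}
    for zm in re.finditer(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{', text):
        body = _block_body(text, zm.end() - 1)
        zone_fw = _forwarders(body)
        if zone_fw is None:
            # A forward zone without a list forwards nowhere; any other zone type
            # simply inherits the global forwarders (the case the question is about).
            is_forward = re.search(r"\btype\s+forward\s*;", body) is not None
            zone_fw = [] if is_forward else global_fw
        result[zm.group(1)] = zone_fw
    return result


# Constructed sample config (documentation addresses, made-up zone names).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };   // global forwarders
};
// No forwarders statement: the global list still applies below this zone,
// so delegated children are asked of the forwarders, not the delegated servers.
zone "corp.example" IN {
    type master;
    file "corp.db";
};
// Empty list: cancels the global forwarders for this zone and everything under it.
zone "lab.example" {
    type master;
    file "lab.db";
    forwarders { };
};
/* A zone-specific list overrides the global one. */
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 198.51.100.1; };
};
"""

if __name__ == "__main__":
    for zone, fw in effective_forwarders(SAMPLE_NAMED_CONF).items():
        print(f"{zone:<18} -> {', '.join(fw) if fw else '(no forwarding)'}")
```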


Re: Adding DS records

2013-12-20 Thread Mike Hoskins (michoski)
-Original Message-
From: Warren Kumari 
Date: Friday, December 20, 2013 12:15 PM
To: "bind-users@lists.isc.org" 
Subject: Re: Adding DS records

>On Dec 20, 2013, at 10:38 AM, /dev/rob0  wrote:
>
>> On Fri, Dec 20, 2013 at 10:04:59AM -0500, Thomas Schulz wrote:
>>> Has anyone been able to get Network Solutions to add DS records
>>> for their domain? I am trying to get DS records added for my
>>> domain and so far it looks like Network Solutions can not do that.
>> 
>> The last time this was asked here was in August:
>> 
>> https://lists.isc.org/pipermail/bind-users/2013-August/091340.html
>> 
>> If I was a NetSol customer, I would ask them, "Why not?"
>
>And if I were a NetSol customer, I would ask myself, "Why?"

If I were a capitalist, I'd vote with my wallet and go somewhere with the
features I want.


Re: Upgrading from 9.8.3 to 9.9.4

2014-01-14 Thread Mike Hoskins (michoski)
Good call out.  I'd always enabled empty-zones so didn't get bit by that,
but do think the move to 9.9 is when masterfile-format bit some.  Not a
big deal if you're aware of it.  Other than that the upgrade was quick
and painless.  I would suggest testing the upgrade on a VM or somewhere
first...always good to confirm for your exact configuration.

-Original Message-
From: "", "P.Eng." 
Organization: Kansas State University - ITS/Enterprise Server Technologies
Date: Tuesday, January 14, 2014 2:46 PM
To: "bind-users@lists.isc.org" 
Subject: Re: Upgrading from 9.8.3 to 9.9.4

>IIRC, The main change I ran into when I upgraded to 9.9.2-P1 (from
>9.7.6-P4) was the change in default for empty-zones.  All are enabled by
>default, including RFC1918 ranges whether you have any defined or not.
>
>On 01/14/14 12:16, Mike Bernhardt wrote:
>> Is there anything I need to know regarding changes in default operation
>>when
>> upgrading from 9.8.3 to 9.9.4? I'm specifically looking for changes that
>> must be addressed in named.conf options in order to keep an upgrade as
>> transparent as possible.
>> 
>> Thanks,
>> 
>> Mike
>> 
>
>-- 
>Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
>For: Enterprise Server Technologies (EST) -- & SafeZone Ally


Re: Upgrading from 9.8.3 to 9.9.4

2014-01-16 Thread Mike Hoskins (michoski)
-Original Message-
From: Mike Bernhardt 
Date: Thursday, January 16, 2014 4:09 PM
To: "bind-users@lists.isc.org" 
Subject: RE: Upgrading from 9.8.3 to 9.9.4

>Sorry for the double post, but I forgot to ask this:
>And if it is indeed enabled regardless of my RFC1918 ranges, I would
>imagine
>that for my internal servers which have those ranges, I would want to add
>"disable-empty-zone ".";" to my global options? And for my external-facing
>server which of course has no RFC1918, I would leave it to the default
>setting?


You don't have to do this.  BIND won't enable the empty zone if you
already have it defined.


>-Original Message-
>From: Mike Bernhardt [mailto:bernha...@bart.gov]
>Sent: Thursday, January 16, 2014 1:03 PM
>To: 'bind-users@lists.isc.org'
>Subject: RE: Upgrading from 9.8.3 to 9.9.4
>
>Am I correct in understanding that the change to "enabled by default" was
>in
>9.9.x, not in 9.8.x? The 9.9.x specifically states that is enabled by
>default whereas the 9.8.x documentation does not.


Yes.


Re: Upgrading from 9.8.3 to 9.9.4

2014-01-22 Thread Mike Hoskins (michoski)
-Original Message-
From: Mike Bernhardt 
Date: Wednesday, January 22, 2014 at 3:25 PM
To: "'Lawrence K. Chen, P.Eng.'" ,
"bind-users@lists.isc.org" 
Subject: RE: Upgrading from 9.8.3 to 9.9.4

>Thanks for that. I just remembered there was also the change to the db
>file
>having a default raw format on slaves unless specified.

That's what I meant by my response about masterfile-format.  :-)


Re: Upgrading from 9.8.3 to 9.9.4

2014-01-23 Thread Mike Hoskins (michoski)
-Original Message-
From: Thomas Schulz 
Date: Thursday, January 23, 2014 at 9:50 AM
To: "bind-users@lists.isc.org" 
Subject: RE: Upgrading from 9.8.3 to 9.9.4

>> I just remembered there was also the change to the db file
>> having a default raw format on slaves unless specified.
>
>Interesting. I did not notice that when it happened, but now that I
>look, I see that my slaves indeed have raw format files. Apparently
>the switch over did not require me to do anything.

For those who are interested, if you search list archives you can see the
situations where it caused problems for some.


Re: Difference between BIND 9.8 and 9.9

2014-02-19 Thread Mike Hoskins (michoski)
From:  , Frank 
Date:  Wednesday, February 19, 2014 at 12:41 PM
To:  "bind-users@lists.isc.org" 
Subject:  Difference between BIND 9.8 and 9.9

>Hello
>
>is there a link to a documentation that lists the main differences
>between BIND 9.8 and 9.9 ?
>
>I would like to read it before switching from 9.8
>
>thank you


I generally browse the release notes.

https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/


Re: High recursive client counts

2014-03-25 Thread Mike Hoskins (michoski)
Hi Jason,

I've experienced similar things in the past on 9.8.  Since then we've
moved to the latest 9.9, but don't think this is at all version specific
(that said, you could obviously try upgrading).  I don't have an exact
solution for you, but some ideas of things to check and personal
experiences which might help you.

Are the servers in question VM or bare metal?  Several years back we made
a big push to virtualize everything, and after migrating recursive DNS it
worked great for awhile...as sites grew we hit a tipping point where
VM-based resolvers seemed to introduce additional query latency.  These
servers were running far below BIND's capabilities, not taxing virtual
resources, optimized per all available BIND/OS/virtualization knobs, and
using enterprise (read: not just the latest free bits slapped together and
expected to work) network, server and hypervisor tech.  I spent several
months trying to improve the situation and find a real root cause, but on
a whim I setup an identical cluster on bare metal...no more problems.  I
didn't have time to dig further, so we avoid virtualization on busy
resolvers (for now at least).

As your client count has grown...is there any bottlenecks on your network
that might be unaccounted for?  Beyond bandwidth I'm thinking of things
like resource constrained firewalls (are the resolvers in a DMZ?) which
could cause queries to be dropped/timed out/retried, etc?  I've seen
issues where overworked NetOps teams got behind in capacity
planning/upgrades and as clients/#DMZs grew firewalls couldn't keep up and
created all sorts of issues not related to BIND itself.

When the recursive client count backs up, you know more queries than usual
are taking longer than expected to get answers...if this is not related to
BIND itself, your servers, or the network...a bit of spelunking is in
order.  Capture some packets with tcpdump, and take a look at rndc
recursing output.  Take a look at the queries causing delays, dig them
manually from various locations, and try to find a common theme.  If there
is no common theme to the query destinations, then look even closer at
your network.  :-)

hth

-Original Message-
From: Jason Brandt 
Date: Tuesday, March 25, 2014 at 10:31 AM
To: "bind-users@lists.isc.org" 
Subject: High recursive client counts

>We recently migrated to BIND for our internal resolvers, and since the
>migration, we are experiencing periods of high recursive client counts,
>which will at times cause the BIND server to quit responding.  As a
>workaround, I've been able to point
> the BIND server to a forwarder, bypassing the root hints, to restore
>stability, but this morning even with the forwarder, our count spiked.
>
>
>We are using Ubuntu 12.04 LTS, BIND version 9.8.1-P1.  The server is
>configured strictly as a resolver, and is not authoritative for any
>domains.
>
>
>We have approximately 15-20k client devices on campus.  Our average
>recursive client count is between 10 and 50.  When the spikes occur,
>counts will get upwards of 3-4k (this morning: recursive clients:
>2358/9900/1). 
>
>
>What are possible causes of high recursive client count?  What can be
>done to prevent this or tune around it?  Obviously raising the max
>clients doesn't solve the problem, and the forwarder seemed to help, but
>apparently is still susceptible to
> the issue.  
>
>
>Any suggestions would be greatly appreciated.
>
>
>-- 
>Jason K. Brandt
>Systems Administrator

Re: Delegation of part of a zone to a global server load balancer

2014-04-07 Thread Mike Hoskins (michoski)
In the past when doing this with Cisco GSS I followed Akamai's example,
and had success with stuff like (gdns* were the CSS):

; delegation of gslb.domain.com
$TTL 172800 ; 2 days
gdns1.domain.com. A   a.b.c.d
gdns2.domain.com. A   e.f.g.h
gdns3.domain.com. A   i.j.k.l
gdns4.domain.com. A   m.n.o.p
gdns5.domain.com. A   q.r.s.t
gdns6.domain.com. A   u.v.w.x
gslb.domain.com.  NS  gdns1.domain.com.
gslb.domain.com.  NS  gdns2.domain.com.
gslb.domain.com.  NS  gdns3.domain.com.
gslb.domain.com.  NS  gdns4.domain.com.
gslb.domain.com.  NS  gdns5.domain.com.
gslb.domain.com.  NS  gdns6.domain.com.
$TTL 3600   ; 1 hour
$ORIGIN domain.com.
; Hey we look like Akamai!
gsstest CNAME   gsstest.domain.com.gslb.domain.com.


...

# dig @8.8.8.8 gsstest.domain.com
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3701
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
...
;; ANSWER SECTION:
gsstest.domain.com.   3599IN  CNAME
gsstest.domain.com.gslb.domain.com.
gsstest.domain.com.gslb.domain.com. 19 IN A ip.ad.dr.es
...


-Original Message-
From: , Dan 
Date: Monday, April 7, 2014 at 10:16 AM
To: Bind Users 
Subject: Delegation of part of a zone to a global server load balancer

>What's the right way to delegate individual zone records to a "global
>server load balancer", which is just a simple DNS server that checks to
>see if a server is up and if so adds the address to the rotation for
>resolution.
>
>
>I've tried simple delegation using ns records, but I don't get
>resolution.  In this example, nsg3 and 4 are my global server load
>balancers for the outlook.aelabad.net zone,  and ns3.aelabad.net is the
>start of authority for  the aelabad.net zone.
>
>
>
>
>Daniel-McDonalds-iMac:~ mcdonalddj$ dig outlook.aelabad.net +norecurse
>@ns3.aelabad.net
>
>
>; <<>> DiG 9.8.3-P1 <<>> outlook.aelabad.net +norecurse @ns3.aelabad.net
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25051
>;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
>
>
>;; QUESTION SECTION:
>;outlook.aelabad.net.IN A
>
>
>;; AUTHORITY SECTION:
>outlook.aelabad.net.1200 INNS nsg4.austin-energy.net.
>outlook.aelabad.net.1200 INNS nsg3.austin-energy.net.
>
>
>;; ADDITIONAL SECTION:
>nsg3.austin-energy.net.918 INA 10.10.9.3
>
>
>;; Query time: 1 msec
>;; SERVER: 10.1.9.34#53(10.1.9.34)
>;; WHEN: Mon Apr  7 09:05:42 2014
>;; MSG SIZE  rcvd: 105
>Daniel-McDonalds-iMac:~ mcdonalddj$ dig outlook.aelabad.net
>@nsg3.austin-energy.net
>
>
>; <<>> DiG 9.8.3-P1 <<>> outlook.aelabad.net @nsg3.austin-energy.net
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8783
>;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>
>;; QUESTION SECTION:
>;outlook.aelabad.net.IN A
>
>
>;; ANSWER SECTION:
>outlook.aelabad.net.10 INA 10.10.223.52
>
>
>;; Query time: 3 msec
>;; SERVER: 10.10.9.3#53(10.10.9.3)
>;; WHEN: Mon Apr  7 09:03:03 2014
>;; MSG SIZE  rcvd: 72
>Daniel-McDonalds-iMac:~ mcdonalddj$ dig outlook.aelabad.net
>@ns3.aelabad.net
>
>
>; <<>> DiG 9.8.3-P1 <<>> outlook.aelabad.net @ns3.aelabad.net
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14770
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>
>;; QUESTION SECTION:
>;outlook.aelabad.net.IN A
>
>
>;; AUTHORITY SECTION:
>net.686 INSOA a.gtld-servers.net. nstld.verisign-grs.com. 1396879162 1800
>900 604800 86400
>
>
>;; Query time: 2 msec
>;; SERVER: 10.1.9.34#53(10.1.9.34)
>;; WHEN: Mon Apr  7 09:03:17 2014
>;; MSG SIZE  rcvd: 110

Re: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Mike Hoskins (michoski)
Cisco (apply liberal amounts of salt considering my FROM) has a product
suite called Prime, one piece of which is CNR (unless it's been renamed
again this week) -- Cisco Network Registrar, which handles the IPAM piece
and has DHCP and DNS components as well.  CNR can integrate with BIND (as
well as other common DNS software), and is licensed from BT Diamond.

I did a fairly extensive PoC of the IPAM, DNS and DHCP components a couple
years back.  Being completely honest, the downsides I've found during PoC
are "clunky" UI (admittedly personal opinion, and based on little
experience with other IPAMs -- experiment and decide for yourself), DHCP
implementation geared more toward IT/cable operators (high performance,
but lacking some options for PXE), and lack of true multi-tenant (you can
make logical containers of address space mapped to tenants, but you can't
have address space overlap across containers -- which for RFC1918 is a
problem on any network which consists of numerous acquisitions ;-) ).

DNS and DHCP I've continued solving myself with OSS ISC, but IPAM has
still been useful -- especially adding sanity to IPv6 allocations and
support of fully automated provisioning (API).  I've got a few clusters
deployed (easier to just run an instance per tenant for me), and rely on
the capabilities more over time.  Once you have real IPAM, it's hard to
remember how you lived without it.


cisco.com/go/cnr

-Original Message-
From: , Josh 
Date: Monday, April 28, 2014 at 12:31 PM
To: "bind-users@lists.isc.org" 
Subject: Enterprise IPAM/DNS Solutions

>Hi,
>
>We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially
>a front-end "wrapper" for BIND.  We deploy our own BIND boxes and simply
>install the Men & Mice agent on them which allows us to centrally manage
>the zones from a GUI (or CLI) based interface.
>
>I'm curious about the other "enterprise" solutions that are on the
>market.  Bluecat is the first one that comes to mind, but I'm completely
>unfamiliar with their product.  Does their product run alongside native
>BIND (like M&M) or do I need to purchase their own appliances and place
>them all over my network?
>
>Are there any other suggestions for products similar to Men & Mice and
>Bluecat that I should be looking at?  I'm looking for DNS and IPAM and
>central management.
>
>Thanks,
>
>Josh
>


Re: SPF RR type

2014-06-05 Thread Mike Hoskins (michoski)
-Original Message-
From: Nicholas F Miller 
Date: Thursday, June 5, 2014 at 10:25 AM
To: "bind-users@lists.isc.org" 
Subject: SPF RR type

>Are SPF RR types finally dead or not? I've read through rfc7208 it
>appears that they are:
>
>   "SPF records MUST be published as a DNS TXT (type 16) Resource Record
>   (RR) [RFC1035] only.  The character content of the record is encoded
>   as [US-ASCII].  Use of alternative DNS RR types was supported in
>   SPF's experimental phase but has been discontinued."
>
>...but to confuse the issue rfc7208 goes on to say:
>
>   "If a future update to SPF were developed that did not
>   reuse existing SPF records, it could use the SPF RR type.  SPF's use
>   of the TXT RR type for structured data should in no way be taken as
>   precedent for future protocol designers."
>
>Bind-9.10.0-P1 still reports errors if you don't have SPF RRs defined
>with the SPF TXT records or are not using 'check-spf ignore'.  Should one
>keep existing SPF RRs or remove them? Will future versions of bind stop
>reporting errors when SPF RRs don't exist?

RFC 7208 is dated April 2014...  Even if/when BIND stops complaining, how
long will it take for the Internet to align with the new standard?  :-)

Look how long BCP38's existed and how many networks don't align despite
obvious benefits to the Internet at large.  I know it's a different ball
of wax...but only kinda.

During such transitional periods, I suggest maintaining the old form for at
least a while (probably a couple years) to give the world time to update
its configuration.  There used to be quite a few major mail providers who
would bounce or at least flag as spam any mail from hosts not represented
in the domain's SPF TXT record...so the choice of when to change depends
on how much you care (or your users will complain) about misbehaved mail
delivery.


Re: In BIND 8.2 running on Solaris 8, how to start logging

2014-06-27 Thread Mike Hoskins (michoski)
-Original Message-
From: Samad Agha 
Date: Friday, June 27, 2014 at 1:07 PM
To: "bind-users@lists.isc.org" , DNS BIND

Subject: In BIND 8.2 running on Solaris 8, how to start logging

>Hi All,
>I have two Solaris 8 servers running BIND 8.2. I'd like to retire them
>both and transfer everything to a couple of RHEL 7 boxes. The City (I
>work for a mid-size California city) has outsourced different aspects of
>our DNS that I even lost track and have
> no idea what these two DNS servers serve. I'd like to start logging all
>queries on these two boxes to know who queries them. How do I start a
>comprehensive logging to capture all transactions going through these two
>servers?
> 
>Please advise; please be thorough and don't assume anything. Many thanks
>in advance.

I see two options:

Enable query logging.  In your named.conf, do something like:

logging {
    channel my_querylog {
        file "/var/adm/query.log" versions 5 size 10m;
        print-time yes;
    };
    category queries { my_querylog; };
};

Adjust paths, number of copies (versions) to keep, etc.  Note that this
can fill quickly on busy servers.

Alternatively, use tcpdump to write a pcap of anything to 53/udp or 53/tcp
and analyze it after 1, 7, 30 or whatever days.  Again, if the server is
busy you will get a very large file.  You can limit the amount of time you
capture traffic, or rotate capture files with -C  e.g. tcpdump -i
eth0 -s0 -C 100 -w dnscap  (you'll end up with dnscap1, dnscap2,
etc., each 100MB in size).

Good luck, BIND 8.2 is ancient now so good to hear you are working to get
it updated.


Re: Caching Nameserver and BIND RPM Compatibility

2014-07-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Asai 
Date: Friday, July 11, 2014 at 12:56 PM
To: "bind-users@lists.isc.org" 
Subject: Caching Nameserver and BIND RPM Compatibility

>Greetings,
>
>We're setting up caching-nameserver on an existing BIND instance. The
>version of BIND is 9.7. Is there a specific compatible version of
>caching-nameserver RPM that's compatible with 9.7?  The latest one
>available in the yum repos on this particular server (CentOS 5.8) is
>9.3.6-20.P1.el5_8.6

In general I don't think you have to be too concerned about compatibility.
One exception I know of is the default zone format change when moving to
the latest BIND versions:

https://lists.isc.org/pipermail/bind-users/2012-May/087554.html

I'm sure others will call out points I've missed.

Assuming you just use upstream vendor repos to update, the latest
caching-nameserver should have relevant fixes backported by now and will
be based on the same major release in terms of functionality (how
RedHat/CentOS generally do things)...

I'd still suggest moving to the latest BIND version.  The config is
straight-forward, you have many templates from the 'Net as well as a
reference in the caching-nameserver files, and you can generate your own
RPMs easily if this is large-scale and building from source doesn't make
sense.

http://www.cymru.com/Documents/secure-bind-template.html

http://www.five-ten-sg.com/mapper/bind


Re: Caching Nameserver and BIND RPM Compatibility

2014-07-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Mark Andrews 
Date: Friday, July 11, 2014 at 8:41 PM
To: Mike Hoskins 
Cc: "bind-users@lists.isc.org" 
Subject: Re: Caching Nameserver and BIND RPM Compatibility

>Not every *important* fix is a *security* fix.
>
>OS vendors that just backport security fixes are doing their customers
>a disservice.  We issue -P's because security issues require timely
>fixes.  We expect OS maintainers to actually include our maintenance
>fixes in their maintenance releases.

I couldn't agree more, and it's one of the biggest reasons I avoided Red
Hat flavored operating systems for so long.  On the RHEL/CentOS based DNS
servers we run, we purposefully generate our own packages just to avoid
this annoyance...but it's a problem for a lot more than BIND.  I always
much preferred the BSD approach, where the port maintainers pull in the
latest releases in mostly real time.


Re: Public facing authoritative NS all masters

2014-07-13 Thread Mike Hoskins (michoski)
-Original Message-
From: Gary Wallis 
Date: Sunday, July 13, 2014 at 12:11 PM
To: "bind-users@lists.isc.org" 
Subject: Public facing authoritative NS all masters

>Hello,
>
>What are the drawbacks, if any, of running only master name servers for
>the set of authoritative NSs?
>
>For example given:
>
>[root@rc37 unxsVZ]# dig latimes.com NS +short
>dns1.tribune.com.
>dns2.tribune.com.
>dns4.tribune.com.
>dns3.tribune.com.
>
>Where all 4 dnsN servers are in fact masters (this is just a
>hypothetical, the NS above are most likely secondary servers)

I'm not aware of any drawbacks from a strict DNS perspective.  There could
be administrative overhead depending how you set it up, but we have hidden
masters which allow central control of our "public masters" which in turn
serve a few zones + act as origins for services like Akamai.  It's worked
well for us over the past decade.



Re: initial lookup fails every time

2014-07-13 Thread Mike Hoskins (michoski)
-Original Message-
From: Matus UHLAR - fantomas 
Date: Sunday, July 13, 2014 at 6:24 AM
To: "bind-users@lists.isc.org" 
Subject: Re: initial lookup fails every time

>On 12.07.14 01:19, Tony Publiski wrote:
>> I'm hoping someone has seen this before. I'm running a couple of BIND
>> 9.8.2 DNS servers and having an issue with them for some reason.  The
>> servers end up failing to lookup on the initial lookup of a domain that
>> hasn't been previously cached every time.  If you immediately retry, the
>> lookup succeeds without issue.  I've looked all over but not been able
>> to find any answers, and it's driving me crazy.  Anyone seen this before or
>> have an idea?
>>
>>[root@ns ~]# nslookup www.chase.com
>>;; connection timed out; trying next origin
>>Server: 127.0.0.1
>>Address:127.0.0.1#53
>>
>>** server can't find www.chase.com: NXDOMAIN
>>
>>[root@ns ~]# nslookup www.chase.com
>>Server: 127.0.0.1
>>Address:127.0.0.1#53
>>
>>Non-authoritative answer:
>>www.chase.com   canonical name = wwwbcchase.gslb.bankone.com.
>>Name:   wwwbcchase.gslb.bankone.com
>>Address: 159.53.84.126
>
>there are too many places where the issue can be.
>First, use "dig" or at least "host" to track DNS problems.

+1

only idea from info given, is upstream firewall or other network device
doing inspection or filtering and causing timeouts due to edns
fall-back...a race condition where the answer ultimately gets cached but
not before the client times out, so it works next time.

that's just one idea though, as said above many things could cause the
behavior.  to rule out my idea, you can test yourself:

https://www.dns-oarc.net/oarc/services/replysizetest/



Re: Tools to automatically test the resolution speed ...

2014-07-21 Thread Mike Hoskins (michoski)
I haven't used those, but not sure if smokeping's DNS plugin would do what
you want.

-Original Message-
From: Barry Greene 
Date: Monday, July 21, 2014 at 11:59 PM
To: "bind-users@lists.isc.org" 
Subject: Tools to automatically test the resolution speed ...

>Hi Team,
>
>I'm going to get my team to script a tool to test the DNS resolution
>speed of our DNS Resolvers. Something that would give us a "MRTG like"
>output and can be used for KPIs.
>
>I use Namebench a lot for my own testing. Has anyone done any scripting
>with Namebench, GRC's DNS Benchmark, or any other tools?
>
>Thanks,
>
>Barry
>
>



Re: rndc (and now nsupdate too)

2014-08-01 Thread Mike Hoskins (michoski)
-Original Message-
From: Tony Finch 
Date: Friday, August 1, 2014 at 5:31 AM
To: Reindl Harald 
Cc: "bind-users@lists.isc.org" 
Subject: Re: rndc (and now nsupdate too)

>Reindl Harald  wrote:
>> Am 31.07.2014 um 21:08 schrieb /dev/rob0:
>> >
>> > The proper tool to manage zone data is nsupdate(8).  Likewise well
>> > suited for automation.
>>
>> zone file *editing*?
>>
>> sorry, no, in 2008 i developed an interface to create all zone files based
>> on database records, write the complete zone content in a main table
>> with a textfield and a second textfield where translation for NAT/WAN
>> zones happens, and so there is and never was a reason to *edit* a
>> zone file
>>
>> it is created from scratch when changes in a zone happen and cronjobs
>> only pull zones with the "updated-field" set to 1
>
>In our setup, changes made in the database are turned into an nsupdate
>script, so we don't need to bounce the name server and we can use
>BIND's automatic signing.

no argument on nsupdate, but even if you copy files around...you don't
need to bounce the nameserver, unless rndc reload is what you mean (when i
hear bounce i think stop/start).



Re: rndc (and now nsupdate too)

2014-08-01 Thread Mike Hoskins (michoski)
-Original Message-
From: Reindl Harald 
Organization: the lounge interactive design
Date: Friday, August 1, 2014 at 9:23 AM
To: "bind-users@lists.isc.org" 
Subject: Re: rndc (and now nsupdate too)

>
>Am 01.08.2014 um 15:14 schrieb Mike Hoskins (michoski):
>> From: Tony Finch 
>> Date: Friday, August 1, 2014 at 5:31 AM
>> To: Reindl Harald 
>> Cc: "bind-users@lists.isc.org" 
>> Subject: Re: rndc (and now nsupdate too)
>> 
>>> Reindl Harald  wrote:
>>>> Am 31.07.2014 um 21:08 schrieb /dev/rob0:
>>>>>
>>>>> The proper tool to manage zone data is nsupdate(8).  Likewise well
>>>>> suited for automation.
>>>>
>>>> zone file *editing*?
>>>>
>>>> sorry, no, in 2008 i developed an interface to create all zone files based
>>>> on database records, write the complete zone content in a main table
>>>> with a textfield and a second textfield where translation for NAT/WAN
>>>> zones happens, and so there is and never was a reason to *edit* a
>>>> zone file
>>>>
>>>> it is created from scratch when changes in a zone happen and cronjobs
>>>> only pull zones with the "updated-field" set to 1
>>>
>>> In our setup, changes made in the database are turned into an nsupdate
>>> script, so we don't need to bounce the name server and we can use
>>> BIND's automatic signing.
>> 
>> no argument on nsupdate, but even if you copy files around...you don't
>> need to bounce the nameserver, unless rndc reload is what you mean
>> (when i hear bounce i think stop/start)
>
>since when is -SIGHUP stop/start?

i suspect a language barrier, since if you read what i typed i never said
that.  in fact, i'm not sure you read what Tony typed either.

"bouncing a daemon" often means stop/start.  whether you rndc reload or
HUP, such a restart is not needed on zone changes.  my entire point is
that a costly full restart is not needed, even without nsupdate.

i'm sure Tony knows this, and simply wanted to clarify for posterity in
the thread archive.



Re: Metazones or Something Else?

2014-08-04 Thread Mike Hoskins (michoski)
-Original Message-
From: Evan Hunt 
Date: Monday, August 4, 2014 at 1:26 PM
To: John Anderson 
Cc: "bind-users@lists.isc.org" 
Subject: Re: Metazones or Something Else?

>> So to the best of your knowledge this functionality is still on the drawing
>> board, unless implemented out-of-band?  (i.e. a perl script to parse
>> metazone.zone, and create /etc/named.d/*.conf files)
>
>Or run "rndc addzone".
>
>There's currently no supported way to perform in-band zone provisioning
>via the DNS itself.  I do have access to the metazone implementation that
>Vixie wrote his paper about, and I can send it to you if you like, but I'm
>not sure how useful you'll find it.  There might also be some interesting
>tricks possible with DLZ or with redhat's "dynDB" LDAP extension (which we
>plan to include in BIND 9.11 but is currently only available as a set of
>patches).
>
>Improving DNS provisioning is a hot topic for future development, but
>we're still just in the requirements-gathering phase.  Would you like to
>share what it is you hope to do in more detail?

Just as a data point, if you're looking for references -- I'd like to be
able to do "Amazon Route 53" type things (add/edit zones, not just RRs)
via some sort of API.  Of course I want to be able to do this myself,
built on a standard platform (vs implementing the API layer as a one-off),
and not relying on external parties.  I suspect I'm not alone in an
increasing world of cloud operators.  :-)



Re: Logs problem with Bind 9.9.4

2014-08-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Reindl Harald 
Organization: the lounge interactive design
Date: Friday, August 8, 2014 at 6:33 AM
To: "bind-users@lists.isc.org" 
Subject: Re: Logs problem with Bind 9.9.4

>so if you have nothing to say go back from where you came

abusive

>why do you reply off-list, in HTML and top-posting?

because some things are better suited off-list

>jesus christ learn to use mailing-lists, stop to reply
> in private and strip your quotes

abusive

i'm not sure if you are 12 (we've all been there), or just "bored" as you
accuse others...but either way the abusive posts with little/no helpful
content really are better suited for self-talk (take a breath, walk around
the block, then reply) or at least private responses.

no community needs abusive know-it-alls, we actually want to encourage
users of all skill levels.



Re: bind-9.10.0-P2 memory leak?

2014-09-09 Thread Mike Hoskins (michoski)
Do you guys have max-cache-size set?  I didn't see it in the borderworlds
named.conf.  I've seen similar growth problems when testing 9.x before
setting that (experiment at the time just to see what would happen, and
confirmed this behavior).  Set sensible resource limits based on available
resources.

-Original Message-
From: Vinícius Ferrão 
Date: Tuesday, September 9, 2014 at 10:17 AM
To: Thomas Schulz 
Cc: "bind-us...@isc.org" 
Subject: Re: bind-9.10.0-P2 memory leak?

>I'm having exactly the same issue. Take a look at my post @ServerFault:
>http://serverfault.com/questions/616752/bind-9-10-constantly-killed-on-freebsd-10-0-with-out-of-swap-space
>
>Sent from my iPhone
>
>On 09/09/2014, at 11:15, "Thomas Schulz"  wrote:
>
>>> Hello
>>> 
>>> I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and
>>> after a while one of them ended up using all its swap and the named
>>> process got killed. The other servers are seeing similar behaviour, but
>>> I restarted named on all of them to postpone further crashes.
>>> 
>>> I am using rate-limiting as well as DLZ with PostgreSQL. The server has two
>>> views. The operating system is FreeBSD 8.4.
>>> 
>>> My configuration:
>>> http://borderworlds.dk/~xi/named-leak/named.conf
>>> 
>>> Log of the memory usage:
>>> http://borderworlds.dk/~xi/named-leak/named-mem-usage.log
>>> 
>>> As you can see, in less than a week, named has grown more than 900MB in
>>> size.
>>> 
>>> Is anyone else experiencing something similar?
>>> 
>>> If I need to provide more information, I will be happy to do so.
>>> 
>>> -- 
>>> Christian Laursen
>> 
>> What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
>> grow without any evidence that it will ever stop. See my mail to this
>> list with the subject "Re: Process size versus cache size." Mine is
>> growing slower than yours, but it is now up to 548 MB.
>> 
>> Tom Schulz
>> Applied Dynamics Intl.
>> sch...@adi.com



Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Mike Hoskins (michoski)
-Original Message-
From: Thomas Schulz 
Date: Friday, September 12, 2014 at 11:47 AM
To: "bind-us...@isc.org" 
Subject: Re: bind-9.10.0-P2 memory leak?

>> Mike Hoskins wrote:
>>
>> Do you guys have max-cache-size set?  I didn't see it in the borderworlds
>> named.conf.  I've seen similar growth problems when testing 9.x before
>> setting that (experiment at the time just to see what would happen, and
>> confirmed this behavior).  Set sensible resource limits based on available
>> resources.
>
>I am going to see what happens with max-cache-size set, but I am convinced
>that there is a bug in bind. My named has been running for 7.5 weeks now
>and has been steadily growing in size except for a 1.5 week pause after I
>did an rndc flush. The process size started out at 36 MB and is now up to
>584 MB. But when I do an rndc dumpdb -cache I get a file that is only 5 MB
>in size. Given the automatic cache cleaning, named should stabilize in
>size in less than 7.5 weeks.


Just to be clear, I tend to agree with the memory leak hypothesis at this
point...  Based on the described behavior and past experience I related, I
initially just did a search of your config looking for max-cache-size.
Sorry for that, was in training at the time and somewhat distracted.

However, your use case is obviously very different from mine as you are
not doing recursion (my test environment without max-cache-size was, and
getting hit with an almost endless stream of random real-world queries
from my queryfile).

That said, I wonder if it could be dlz related?  That's the only thing I
see "special" about your config.  Just trying to find possible clues,
since I have run all 9.9.x versions over time in heavily loaded production
environments (authoritative and recursive) without seeing the unbounded
growth you mentioned below for 9.9.x.

I do have a lot of interest in the community getting to the bottom of
this, as we are just planning a large upgrade in one of our environments
which will move caching clusters serving 6-8k clients over to 9.10.1.


>
>> -Original Message-
>> From: Vinícius Ferrão 
>> Date: Tuesday, September 9, 2014 at 10:17 AM
>> To: Thomas Schulz 
>> Cc: "bind-us...@isc.org" 
>> Subject: Re: bind-9.10.0-P2 memory leak?
>> 
>>>I'm having exactly the same issue. Take a look at my post @ServerFault:
>>>http://serverfault.com/questions/616752/bind-9-10-constantly-killed-on-freebsd-10-0-with-out-of-swap-space
>>>
>>>Sent from my iPhone
>>>
>>>On 09/09/2014, at 11:15, "Thomas Schulz"  wrote:
>>>
>>>>> Hello
>>>>> 
>>>>> I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and
>>>>> after a while one of them ended up using all its swap and the named
>>>>> process got killed. The other servers are seeing similar behaviour, but
>>>>> I restarted named on all of them to postpone further crashes.
>>>>> 
>>>>> I am using rate-limiting as well as DLZ with PostgreSQL. The server has two
>>>>> views. The operating system is FreeBSD 8.4.
>>>>> 
>>>>> My configuration:
>>>>> http://borderworlds.dk/~xi/named-leak/named.conf
>>>>> 
>>>>> Log of the memory usage:
>>>>> http://borderworlds.dk/~xi/named-leak/named-mem-usage.log
>>>>> 
>>>>> As you can see, in less than a week, named has grown more than 900MB in
>>>>> size.
>>>>> 
>>>>> Is anyone else experiencing something similar?
>>>>> 
>>>>> If I need to provide more information, I will be happy to do so.
>>>>> 
>>>>> -- 
>>>>> Christian Laursen
>>>> 
>>>> What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
>>>> grow without any evidence that it will ever stop. See my mail to this
>>>> list with the subject "Re: Process size versus cache size." Mine is
>>>> growing slower than yours, but it is now up to 548 MB.
>>>> 
>>>> Tom Schulz
>>>> Applied Dynamics Intl.
>>>> sch...@adi.com
>
>Tom Schulz
>Applied Dynamics Intl.
>sch...@adi.com



Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Mike Hoskins (michoski)
-Original Message-
From: Doug Barton 
Date: Friday, September 12, 2014 at 2:15 PM
To: Mike Hoskins , Thomas Schulz ,
"bind-us...@isc.org" 
Subject: Re: bind-9.10.0-P2 memory leak?

>On 9/12/14 11:07 AM, Mike Hoskins (michoski) wrote:
>> I do have a lot of interest in the community getting to the bottom of
>> this, as we are just planning a large upgrade in one of our environments
>> which will move caching clusters serving 6-8k clients over to 9.10.1.
>
>Given all of the problems that have been reported with 9.10 you may wish
>to reconsider that plan.

Heh thanks, yeah...initially I was erring on the side of caution and using
9.9.x because it's served us well (~20k recursive clients without any
significant problems).  Meanwhile we've been keeping a close eye on
community comments, and to be honest opinions wax and wane.  Just as I
think it's stabilized, someone else complains.  I suppose sticking to
9.9.x a bit longer is wise.

That said, based on the 9.10.1 fixes, we will run it through our own perf
tests for comparison.  Upgrades are automated and easy, but I'd obviously
like to go live with the latest version unless there is a strong technical
reason otherwise.



Re: Diagnostic help part 2

2014-10-01 Thread Mike Hoskins (michoski)
-Original Message-
From: Doug Barton 
Date: Wednesday, October 1, 2014 at 2:07 PM
To: "bind-users@lists.isc.org" 
Subject: Re: Diagnostic help part 2

>On 10/1/14 8:17 AM, Barry Margolin wrote:
>> In article ,
>>   Eli Heady  wrote:
>>
>>> With response sizes growing (dnssec, ipv6), answers are more likely to be
>>> too large for UDP.
>>
>> That's unlikely. That's why EDNS was created, so that these large
>> answers wouldn't require TCP.
>
>... and more than a decade later EDNS still fails very often due to
>misconfigured and/or ancient firewalls that don't understand it. 53/TCP
>is part of the spec, and should not be blocked.

This isn't even specific to DNS...for example, there was a time when just
"turning on what sounds good" for cisco, netscreen and even checkpoint
would break other things like ESMTP.  As an admin you needed to test your
changes and understand the protocol...many don't.

It's just far worse for DNS, since there was a time when many
well-intentioned checklists suggested locking down 53/tcp.  So in this
case DNS admins were reading docs, just the wrong ones.  RTRFM.  :-)



Re: Diagnostic help part 2

2014-10-03 Thread Mike Hoskins (michoski)
-Original Message-
From: Dave Sparro 
Date: Friday, October 3, 2014 at 1:04 PM
To: "bind-users@lists.isc.org" 
Subject: Re: Diagnostic help part 2

>On 10/1/2014 3:45 PM, Tony Finch wrote:
>> (Sorry for straying off topic. I have less experience of Cisco PIX/ASA
>> breaking DNS than of them breaking SMTP.)
>I can't resist either..
>I specifically remember a PIX that bit me by "helpfully" changing the
>payload of an axfr so that the A records that traveled through the PIX's
>NAT got flipped to the inside RFC-1918 addresses for the servers that
>were behind the NAT as well.
>
>It took a couple rounds of "you're sending me the wrong stuff... No I'm
>Not!" until we figured it out.

Yeah, I've had similar experiences on various platforms over the years...
I know it's hard for smaller shops, but even when I was in startup land I
built labs to validate design and behavior (the difference was the "labs"
were often under my desk or in a closet).

Finding unexpected behavior like this in production is always stressful.
Ultimately, we have a responsibility as engineers/architects to conduct
due diligence and not make assumptions.  Testing and validation are key
parts of our job.  Anything made by people can have bugs or simply
unexpected behavior.  :-)



Re: Again question about edns (like swupdl.adobe.com)

2014-10-22 Thread Mike Hoskins (michoski)
For what little it's worth, I've seen this somewhat even on 9.8 (it's not new), 
though increasingly on 9.9...not saying it's BIND specific, just that I've hit 
these kinds of annoyances with remote servers for a while now.

I've tried explaining this on numerous internal email threads, tickets, webex 
(calls are great), etc...but it is quite frustrating, because so long as 
reasonably savvy users can "dig @8.8.8.8" and get a response, they don't 
believe your server isn't broken.

From: IDS Submit
Date: Wednesday, October 22, 2014 at 6:30 AM
To: "bind-us...@isc.org"
Subject: Again question about edns (like swupdl.adobe.com)

Good morning,

with www.acer.it I have the same problem as swupdl.adobe.com

NXDOMAIN with bind 9.10 but NOERROR with Google DNS

I have read the Mark Andrews reply on july 4 2014:
--

It looks like nameserver vendors are not doing even rudimentary checks like 
those above.  DiG has those options so that we could perform checks like these.



Until Adobe fix their broken servers you can use a server clause to disable 
sending SIT requests to them.  Obviously this does not scale.



  server  { request-sit no; };



Mark
--
But this doesn't solve the problem on other domains ...
... should it be possible to enable "request-sit no" for all domains and not 
add it manually?
Because I think there are a lot of domains with this problem :(


--
\Server\Bind\bin\dig.exe @81.174.15.142 www.acer.it

; <<>> DiG 9.10.1 <<>> @81.174.15.142 www.acer.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.acer.it.   IN  A

;; ANSWER SECTION:
www.acer.it.300 IN  CNAME   public-akamai.gtm.acer.com.

;; AUTHORITY SECTION:
gtm.acer.com.   60  IN  SOA gtm1.acer.com. 
hostmaster.gtm1.acer.com. 482 10800 3600 604800 60

;; Query time: 572 msec
;; SERVER: 81.174.15.142#53(81.174.15.142)
;; WHEN: Wed Oct 22 12:13:12 ora legale Europa occidentale 2014
;; MSG SIZE  rcvd: 132
--


--
\Server\Bind\bin\dig.exe @8.8.8.8 www.acer.it

; <<>> DiG 9.10.1 <<>> @8.8.8.8 www.acer.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34510
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.acer.it.   IN  A

;; ANSWER SECTION:
www.acer.it.281 IN  CNAME   public-akamai.gtm.acer.com.
public-akamai.gtm.acer.com. 11  IN  CNAME   www.acer.com.edgesuite.net.
www.acer.com.edgesuite.net. 12306 IN    CNAME   a492.b.akamai.net.
a492.b.akamai.net.  19  IN  A   88.149.196.137
a492.b.akamai.net.  19  IN  A   88.149.196.145

;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 22 12:14:02 ora legale Europa occidentale 2014
;; MSG SIZE  rcvd: 180
--

Thanks in advance and best regards

Staff IDS

Re: Problem with BIND 9.10.1-P1 recursion limits

2014-12-09 Thread Mike Hoskins (michoski)
Thanks for digging in so fast.  Our mitigation will be sticking to
9.9.6-P1, since we like ESV anyway.

Wanted to point out that (perhaps sadly) this isn't so crazypants...or at
least not uncommon.  The *edge* and *aka* references speak Akamai DNS+CDN.
From my last overview, this has gotten cleaner in the latest versions of
their offerings -- but many of the large(est) sites on the Internet will
be configured this way today.

-Original Message-
From: Evan Hunt 
Date: Tuesday, December 9, 2014 at 2:41 PM
To: Stuart Henderson 
Cc: Tony Finch , "bind-users@lists.isc.org"

Subject: Re: Problem with BIND 9.10.1-P1 recursion limits

>On Tue, Dec 09, 2014 at 05:51:58PM +, Evan Hunt wrote:
>> That's unexpected. I'll see if I can reproduce it.
>
>Okay, I can.
>
>Part of the problem is the somewhat crazypants DNS configuration
>of www.ibm.com:
>
>  $ dig +noall +answer www.ibm.com
>  www.ibm.com.            3600    IN      CNAME   www.ibm.com.cs186.net.
>  www.ibm.com.cs186.net.  60      IN      CNAME   china-cdn.san.ibm.com.edgekey.net.
>  china-cdn.san.ibm.com.edgekey.net. 21600 IN CNAME china-cdn.san.ibm.com.edgekey.net.globalredir.akadns.net.
>  china-cdn.san.ibm.com.edgekey.net.globalredir.akadns.net. 900 IN CNAME e7826.x.akamaiedge.net.
>  e7826.x.akamaiedge.net. 20      IN      A       23.59.201.136
>
>... like, *wow*.  A chain of five aliases with TTLs ranging from 20
>seconds to 6 hours, passing through five different zones (ibm.com,
>cs186.net, edgekey.net, akadns.net, akamaiedge.net), hosted by
>servers in three *more* zones (ihost.com, akam.net, and akadns.org,
>in addition to akadns.net and akamaiedge.net).  I had to almost
>double the maximum recursion queries to 99 to get this to work on
>an empty cache.  Yikes.
>
>Almost any non-empty cache will dodge the bullet. Preceding the
>lookup of www.ibm.com with "dig @::1 ns com" causes the query to
>succeed.  Also, as previously noted, on 9.9 it will succeed without
>a five-minute delay if you just issue the query a second time.
>
>So, possible workarounds if this issue is causing problems for you:
>
>  - Ensure that the first query sent to a newly-primed recursive
>resolver isn't quite as spectacular as this one;
>  - Add "max-recursion-queries 100;" to your options statement;
>  - Run 9.9.6-P1 instead of 9.10.1-P1
>
>The five-minute delay is still a bit of a puzzle. It happens because
>of this code in adb.c:
>
>/* XXXMLG Don't pound on bad servers. */
>if (address_type == DNS_ADBFIND_INET) {
>name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
>name->fetch_err = FIND_ERR_FAILURE;
>inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
>} else {
>name->expire_v6 = ISC_MIN(name->expire_v6, now + 300);
>name->fetch6_err = FIND_ERR_FAILURE;
>inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
>}
>
>The "now + 300" bit is where the five minutes comes from.  That's code
>that's been around for years, and it is in 9.9, but apparently it's
>reached more easily in 9.10.  I'm looking into the reasons for this.
>
>The problem should be addressed in 9.10.2, which is likely to be
>released next month.
>
>-- 
>Evan Hunt -- e...@isc.org
>Internet Systems Consortium, Inc.

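As an added example, not part of the thread and not BIND's code: a small Python parser for dig's text output that pulls out the rcode, the flags and the advertised EDNS buffer size, then walks the CNAME chain in the answer section. Run over the two www.acer.it replies quoted in the earlier "Again question about edns" message and the www.ibm.com answer Evan quotes above (all three re-typed here as constructed samples), it reports the BIND reply for www.acer.it as a one-record chain that stops at a dangling name under an NXDOMAIN rcode, the 8.8.8.8 reply as three CNAME records ending in two A records, and www.ibm.com as four CNAME records across five names with TTLs from 20 seconds to 21600. Function and key names are my own.

```python
"""Parse dig's text output and walk the CNAME chain in its ANSWER section.

Added example for this thread, not code from BIND or from any poster. The
samples are constructed from replies quoted in the thread; function and key
names are mine."""
import re

def parse_dig(text):
    """Return status, flags, EDNS UDP size and the ANSWER/AUTHORITY RRs as
    (owner, ttl, type, rdata) tuples. Bare RR lines from `dig +noall +answer`,
    which carry no section header, are treated as the answer section."""
    r = {"status": "", "flags": [], "edns_udp": None, "answer": [], "authority": []}
    section = "ANSWER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            r["status"] = m.group(1) if m else ""
        elif line.startswith(";; flags:"):
            r["flags"] = line[len(";; flags:"):].split(";")[0].split()
        elif line.startswith("; EDNS:"):
            m = re.search(r"udp: (\d+)", line)
            r["edns_udp"] = int(m.group(1)) if m else None
        elif line.endswith(" SECTION:"):
            section = line.split()[1]       # QUESTION, ANSWER, AUTHORITY, ADDITIONAL
        elif line.startswith(";"):
            continue                        # comments, the question line, timing footer
        else:
            parts = line.split(None, 4)     # owner ttl class type rdata
            if len(parts) == 5 and parts[1].isdigit() and section in ("ANSWER", "AUTHORITY"):
                r[section.lower()].append((parts[0].lower(), int(parts[1]), parts[3], parts[4]))
    return r

def follow_cname_chain(result, qname):
    """Walk owner -> CNAME target from qname using only the ANSWER section.
    Reports the CNAME records followed, every name visited, the TTL range and the
    terminal A/AAAA rdata. A chain that stops at a name with no records in the
    answer is reported as dangling, the shape of the NXDOMAIN reply in the thread."""
    by_owner = {}
    for owner, ttl, rtype, rdata in result["answer"]:
        by_owner.setdefault(owner, []).append((ttl, rtype, rdata))
    name = qname.lower()
    names, ttls, terminal = [name], [], []
    while name in by_owner:
        recs = by_owner[name]
        cnames = [(ttl, rdata) for ttl, rtype, rdata in recs if rtype == "CNAME"]
        if not cnames:                      # end of the chain: collect the address records
            terminal = [rdata for _, rtype, rdata in recs if rtype in ("A", "AAAA")]
            ttls += [ttl for ttl, rtype, _ in recs if rtype in ("A", "AAAA")]
            break
        ttl, target = cnames[0]
        ttls.append(ttl)
        name = target.lower()
        if name in names:                   # CNAME loop: stop rather than spin
            break
        names.append(name)
    return {
        "cname_records": len(names) - 1,
        "names": names,
        "min_ttl": min(ttls) if ttls else None,
        "max_ttl": max(ttls) if ttls else None,
        "terminal": terminal,
        "resolved": bool(terminal),
        "dangling_name": None if (terminal or name in by_owner) else name,
    }

# Constructed samples, re-typed from the thread with whitespace normalised.
ACER_VIA_BIND = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
www.acer.it.            300     IN      CNAME   public-akamai.gtm.acer.com.
;; AUTHORITY SECTION:
gtm.acer.com.  60  IN  SOA  gtm1.acer.com. hostmaster.gtm1.acer.com. 482 10800 3600 604800 60
"""
ACER_VIA_GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34510
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512
;; ANSWER SECTION:
www.acer.it.                 281    IN  CNAME  public-akamai.gtm.acer.com.
public-akamai.gtm.acer.com.  11     IN  CNAME  www.acer.com.edgesuite.net.
www.acer.com.edgesuite.net.  12306  IN  CNAME  a492.b.akamai.net.
a492.b.akamai.net.           19     IN  A      88.149.196.137
a492.b.akamai.net.           19     IN  A      88.149.196.145
"""
IBM_ANSWER = """\
www.ibm.com.            3600  IN  CNAME  www.ibm.com.cs186.net.
www.ibm.com.cs186.net.  60    IN  CNAME  china-cdn.san.ibm.com.edgekey.net.
china-cdn.san.ibm.com.edgekey.net. 21600 IN CNAME china-cdn.san.ibm.com.edgekey.net.globalredir.akadns.net.
china-cdn.san.ibm.com.edgekey.net.globalredir.akadns.net. 900 IN CNAME e7826.x.akamaiedge.net.
e7826.x.akamaiedge.net. 20    IN  A      23.59.201.136
"""

if __name__ == "__main__":
    print(follow_cname_chain(parse_dig(IBM_ANSWER), "www.ibm.com."))
```

The walk only sees what the answer section carries, so it cannot tell which zones or name servers the resolver had to consult to assemble the chain; that is why Evan's query count is far above the five names here. It is still a cheap first check when a name "works on 8.8.8.8 but not on our server": the dangling name plus the SOA in the authority section says which zone returned the negative answer, and the EDNS buffer size on each side shows whether the two resolvers even asked the same way.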


Re: Mentor Required

2015-01-29 Thread Mike Hoskins (michoski)
The other thing is, you mention having tried and failed (agreed that isn't a 
bad thing, we've all failed countless times and it's how we learn)...how have 
you failed?

What I think you'll find is you have a list (many lists and other resources 
really) of mentors.  BIND much like many other Internet projects has a helpful 
community.  As asked below, you could start by describing your goals or use 
cases, then share what hasn't worked so far or where you're stuck, as well as 
sharing your config and any errors you're getting in logs.

You might have to adapt some paths based on your OS, or make other small 
modifications based on what you are trying to accomplish, but this is a good 
resource to get you started:

http://www.cymru.com/Documents/secure-bind-template.html

Some others you may not have seen:

http://www.zytrax.com/books/dns/

https://kb.isc.org/article/AA-00845/0/BIND-9.9-Administrator-Reference-Manual-ARM.html

From: Vinícius Ferrão
Date: Thursday, January 29, 2015 at 9:28 AM
To: STEPHEN EYRE
Cc: "bind-users@lists.isc.org"
Subject: Re: Mentor Required

First of all, why do you want to run a full featured DNS server such as BIND9 at 
your home?

Do you want to make some special things? Do you want to publish a zone on the 
Internet? Do you have a DNS name acquired from your country registration 
authority?

Cheers,

Sent from my iPhone

On Jan 29, 2015, at 11:54, STEPHEN EYRE wrote:


Dear All

For the past 3 or 4 years on and off I have been trying to set up a name server 
on an old machine at home. Each time I have failed which isn't a bad thing as I 
have used each failure to do more research and gain more knowledge.

I think the time is nigh to see if there is someone out there who would take on 
the role of mentor. Someone who has patience and doesn't mind being asked a 
whole range of banal questions.

I am not an IT professional but I do find the whole process endlessly 
fascinating. It's doubtful I will ever make any money out of the skills I have 
gained or obtain any employment either. But I will not stop until I have a 
server up and running.

The software I am using is Ubuntu 14.04 LTS.

Is there anyone out there who would like to help?

Regards

Stephen Eyre

Sent from Yahoo Mail on Android



Re: SRV records etc

2015-02-10 Thread Mike Hoskins (michoski)
-Original Message-
From: John 
Date: Tuesday, February 10, 2015 at 7:29 PM
To: "bind-users@lists.isc.org" 
Subject: SRV records etc

>How useful are SRV records? Are they worth installing? What are their
>benefits, and pitfalls?
>Similar question about HINFO.

In my limited experience, this is a question about requirements...  In the
past I had to support applications which made extensive use of SRV for
service discovery.  It was a requirement, it worked well in testing, so we
considered it useful and happily supported it.  :-)



Re: incoming tcp query

2015-02-24 Thread Mike Hoskins (michoski)
The answer is BIND does accept TCP queries by default (it's required to be
RFC compliant), but a lot of times upstream firewalls/ACLs/etc block TCP,
munge UDP packet size, etc...  Just firing up BIND with basic
configuration and checking netstat will show you TCP 53 listening.  If
it's not working as expected, you often have to start walking up (or down
as it were) the stack and potentially working with other folks to fix the
problem.

-Original Message-
From: Shuangrong 
Date: Saturday, February 21, 2015 at 11:08 PM
To: "bind-users@lists.isc.org" 
Subject: incoming tcp query

>Hello,
>
>Does Bind accept tcp incoming query by default? Or is there any options
>to enable this feature?
>
>
>Regards,
>Shuangrong

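To make the TCP point above concrete, here is an added Python example (not code from the post or from BIND) showing the two things that change once a reply no longer fits in a UDP datagram: the TC bit that tells a client to retry over TCP, and the two-byte length prefix DNS uses on TCP. The function names and the sample reply headers are constructed for illustration.

```python
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header (RD set) plus one question (QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)

def frame_for_tcp(msg):
    """DNS over TCP prepends a two-byte big-endian length to every message
    (RFC 1035 section 4.2.2); a UDP datagram carries no such prefix, which is why
    a middlebox that only understands UDP/53 cannot simply pass TCP through."""
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(stream):
    """Split bytes read from a TCP socket into complete DNS messages.
    Returns (messages, leftover) so a partial trailing message can be finished later."""
    msgs = []
    while len(stream) >= 2:
        (n,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + n:
            break                      # incomplete message: wait for more bytes
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

def is_truncated(resp):
    """TC (bit 0x0200 of the flags word) means the UDP reply was cut short and the
    client must retry over TCP; if TCP/53 is blocked upstream, that retry fails."""
    (flags,) = struct.unpack("!H", resp[2:4])
    return bool(flags & 0x0200)

# Constructed sample reply headers (no records): QR|TC|RD|RA and QR|RD|RA.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), frame_for_tcp(q)[:2].hex())                            # 29 001d
    print(is_truncated(TRUNCATED_REPLY), is_truncated(COMPLETE_REPLY))  # True False
```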


Re: com.google how did they do that

2015-04-01 Thread Mike Hoskins (michoski)
-Original Message-
From: Reindl Harald 
Organization: the lounge interactive design
Date: Wednesday, April 1, 2015 at 2:44 PM
To: "bind-users@lists.isc.org" 
Subject: Re: com.google how did they do that


>Am 01.04.2015 um 20:42 schrieb Thomas Schulz:
>> As of the time I am sending this, you can point your browser to
>> http://com.google and get a web page. How did they get com.google
>> to resolve?
>
>.google is just another new TLD

Wow.  I see the trend now -- .hp, .ibm, .cisco -- everyone will now have
www.company.  (Please, let's not.)

...then again, I'd claim .evil if I had a few billions.



Re: shutting up logs

2015-05-14 Thread Mike Hoskins (michoski)
Another option might be changing 'file' to 'syslog' then using stuff like
":msg, contains, 'skipping nameserver' stop" (or whatever pattern you want
to match) in your rsyslog configuration.

http://www.rsyslog.com/doc/rsyslog_conf_filter.html

-Original Message-
From: Reindl Harald 
Organization: the lounge interactive design
Date: Thursday, May 14, 2015 at 8:44 PM
To: "bind-users@lists.isc.org" 
Subject: Re: shutting up logs

>
>
>Am 15.05.2015 um 02:01 schrieb Nick Edwards:
>>   skipping nameserver 'ns5.concord.org' because it is a CNAME, while
>> resolving '210.128-25.119.138.63.in-addr.arpa/PTR'
>>
>> I have logs grow by about 30 megs a day with pretty much only this in
>> it (of course not always same remote server), how do I shut this up ?
>>
>> My logging statments are
>>
>> logging {
>>  category lame-servers { null; };
>>  category edns-disabled { null; };
>>  category client { null; };
>>  category dnssec { null; };
>>  //  channel log_queries { file "/tmp/debug_query.log";
>> print-category yes; };
>>  //  category queries { log_queries; };
>> };
>
>you can't shut up specific messages
>but you can limit the log file sizes
>
>logging
>{
>  channel default_log
>  {
>   file "data/named.log" versions 0 size 1m;
>   severity dynamic;
>   print-time   yes;
>   print-category   yes;
>  };
>  channel transfer_log
>  {
>   file "data/transfer.log" versions 0 size 1m;
>   severity dynamic;
>   print-time   yes;
>   print-category   yes;
>  };
>  channel rate_limit_log
>  {
>   file "data/rate_limit.log" versions 0 size 1m;
>   severity dynamic;
>   print-time   yes;
>   print-category   yes;
>  };
>  channel lame_servers_log
>  {
>   file "data/lame_servers.log" versions 0 size 1m;
>   severity dynamic;
>   print-time   yes;
>   print-category   yes;
>  };
>  channel query_errors_log
>  {
>   file "data/query_errors.log" versions 0 size 1m;
>   severity dynamic;
>   print-time   yes;
>   print-category   yes;
>  };
>
>  category default  {default_log;};
>  category resolver {default_log;};
>  category security {default_log;};
>  category xfer-in  {transfer_log;};
>  category xfer-out {transfer_log;};
>  category config   {default_log;};
>  category queries  {default_log;};
>  category notify   {default_log;};
>  category database {default_log;};
>  category rate-limit   {rate_limit_log;};
>  category lame-servers {lame_servers_log;};
>  category query-errors {query_errors_log;};
>};
>



RRL settings that work for you

2015-05-26 Thread Mike Hoskins (michoski)
Hi folks,

I've read about RRL with interest since its inception, but just now
getting around to rolling it out.  That is partially because we run a very
small authoritative infrastructure serving mostly as Akamai EDNS origins.
However, since it is exposed externally, used by a few tenants and RRL has
been running in the wild for awhile now...we decided to finally hop on the
bandwagon as part of our latest round of DNS infrastructure upgrades.

We are experimenting in log-only mode, and wanted to get feedback on
settings which work well for others in production.  So far we have the
following which appears to work well (not limiting typical clients during
normal operation):

rate-limit {
    log-only yes;
    ipv4-prefix-length 32;
    window 10;
    responses-per-second 20;
    nxdomains-per-second 10;
    exempt-clients {
        [...]
    };
};


However, as we've mostly just been turning knobs in an attempt to minimize
log entries...  insight from operators is appreciated.

Thanks!

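As an added illustration (not code from the post or from BIND), the following Python models the credit accounting behind the rate-limit knobs above, using the posted values (responses-per-second 20, nxdomains-per-second 10, window 10, /32 prefixes, log-only). It is a simplified model; the class, the event format and the client addresses are constructed for the example.

```python
import ipaddress

class RateLimitModel:
    """Simplified credit-bucket model of BIND's rate-limit {} block (added example,
    not BIND's implementation). Each (client prefix, response kind) account earns
    `rate` credits per second, holds at most rate * window credits, and pays one
    credit per response; once an account is negative, responses would be limited."""

    def __init__(self, responses_per_second=20, nxdomains_per_second=10,
                 window=10, ipv4_prefix_length=32, log_only=True):
        self.rates = {"response": responses_per_second, "nxdomain": nxdomains_per_second}
        self.window = window
        self.plen = ipv4_prefix_length
        self.log_only = log_only
        self.accounts = {}   # (prefix, kind) -> (credits, last_seen_time)
        self.log = []        # what would go to the rate-limit log category

    def _account(self, client_ip, kind):
        # Clients are aggregated by prefix; with /32 each IPv4 address is its own account.
        net = ipaddress.ip_network(f"{client_ip}/{self.plen}", strict=False)
        return (str(net), kind)

    def respond(self, now, client_ip, kind="response"):
        """Charge one response at time `now`; return True if sent, False if dropped.
        In log-only mode nothing is dropped, but the decision is still logged."""
        key = self._account(client_ip, kind)
        cap = self.rates[kind] * self.window
        credits, last = self.accounts.get(key, (cap, now))
        credits = min(cap, credits + self.rates[kind] * (now - last)) - 1
        credits = max(credits, -cap)   # bound the penalty so a burst cannot block a client forever
        self.accounts[key] = (credits, now)
        if credits < 0:
            self.log.append(f"t={now}s limit {kind} to {key[0]} ({credits} credits)")
            return self.log_only
        return True

def count_limited(limiter, events):
    """Replay constructed (time, client_ip, kind) events; return how many would be limited."""
    before = len(limiter.log)
    for t, ip, kind in events:
        limiter.respond(t, ip, kind)
    return len(limiter.log) - before
```

With window 10 and 20 responses per second, a single /32 can burst 200 answers before the first log entry, and a client that keeps sending after that stays limited until it slows below 20 per second.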


Re: random latency in named

2015-05-26 Thread Mike Hoskins (michoski)
FWIW as another data point we've seen the same in the wild across
RHEL/CentOS 5.x and 6.x on "large" (32 core) Xeon based servers
(E5-2650's), including 6.6 with the 2.6.32-504.16.2.el6.x86_64 kernel.
Observed while debugging other things, and haven't had time to follow up.

-Original Message-
From: Mathew Ian Eis 
Date: Friday, May 22, 2015 at 11:33 AM
To: "bind-users@lists.isc.org" 
Cc: Tony Finch 
Subject: Re: random latency in named

>
>-Original Message-
>From: Tony Finch 
>Date: Friday, May 22, 2015 at 2:32 AM
>To: Mathew Eis 
>Cc: "bind-users@lists.isc.org" 
>Subject: Re: random latency in named
>
>>Mathew Ian Eis  wrote:
>>>
>>> * The OS is RHEL 6.6; we just updated the kernel to
>>> 2.6.32-504.16.2.el6.x86_64, also with no effect.
>>
>>Is your server using a Haswell CPU? If so it might be the lost futex
>>wakeup bug discussed at the links below, in which case the problem might
>>go away if you upgrade to RHEL 6.6.z.
>>
>>https://groups.google.com/forum/#!topic/mechanical-sympathy/QbmpZxp6C64
>>https://news.ycombinator.com/item?id=9542548
>
>Nope, AMD here, but that probably wouldn't rule it out. I think I have a
>comment somewhere on that HN thread... It looks like the futex bug
>probably affects all architectures; just some more than others, as the
>actual kernel patch references ARM.
>
>Anyhow, I wish it had been that, but the 2.6.32-504.16.2.el6.x86_64 kernel
>didn't fix the issue.
>
>(6.6 2.6.32-504.16.2.el6.x86_64 kernel is the 6.6.z one):
>https://rhn.redhat.com/errata/rhel-server-6.6-errata.html
>
>https://rhn.redhat.com/errata/RHSA-2015-0864.html
>
>
>Thanks,
>
>Mathew Eis
>Northern Arizona University
>Information Technology Services
>

