Re: dyndb regression: bind fails to build --without-dlopen
Hi, what is the correct place to report this issue? Is there any better way to contact developers?

--
Peter.

On Mon, May 8, 2017 at 11:01 AM, Peter Volkov <peter.vol...@gmail.com> wrote:
> Hello.
>
> bind 9.10.x and 9.11.x fails to build if ./configure'ed --without-dlopen [1]:
>
> libtool: compile: x86_64-pc-linux-gnu-gcc -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1 -I../.. -I./include -I../dns/include -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/dns/include -I../../lib/dns/include -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isc/include -I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include -I../../lib/isc/nothreads/include -I../../lib/isc/x86_32/include -I../../lib/irs/include -I../../lib/irs/include -DVERSION=\"9.11.0-P1\" -DSYSCONFDIR=\"/etc/bind\" -D_GNU_SOURCE -march=core2 -freorder-blocks-and-partition -O2 -pipe -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -c nsprobe.c -o nsprobe.o >/dev/null 2>&1
> libtool: link: x86_64-pc-linux-gnu-gcc -march=core2 -freorder-blocks-and-partition -O2 -pipe -Wl,-O1 -o .libs/sample-gai .libs/sample-gai.o -Wl,--as-needed ../irs/.libs/libirs.so ../dns/.libs/libdns.so ../isccfg/.libs/libisccfg.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/dns/.libs/libdns.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isccc/.libs/libisccc.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isc/.libs/libisc.so ../isc/.libs/libisc.so -lcap -lz
> ../dns/.libs/libdns.so: undefined reference to `dlopen'
> ../dns/.libs/libdns.so: undefined reference to `dlclose'
> ../dns/.libs/libdns.so: undefined reference to `dlerror'
> ../dns/.libs/libdns.so: undefined reference to `dlsym'
> collect2: error: ld returned 1 exit status
> make[2]: *** [Makefile:463: sample-gai] Error 1
>
> This fails under lib/samples/, but the problem is with libdns.so/la itself. Failure was introduced by the "merge dyndb" commit:
> https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=a00f9e2f50675bd43cc6a9fe2669709162a2ccb4
>
> lib/dns/dyndb.c has a dlopen() reference, but configure still allows disabling -ldl (--without-dlopen) and thus libdns.la will be linked without -ldl. Probably the correct fix will be to remove the --with/without-dlopen option from ./configure.
>
> Ref:
> [1] https://bugs.gentoo.org/show_bug.cgi?id=600212
>
> --
> Peter.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
dyndb regression: bind fails to build --without-dlopen
Hello.

bind 9.10.x and 9.11.x fails to build if ./configure'ed --without-dlopen [1]:

libtool: compile: x86_64-pc-linux-gnu-gcc -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1 -I../.. -I./include -I../dns/include -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/dns/include -I../../lib/dns/include -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isc/include -I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include -I../../lib/isc/nothreads/include -I../../lib/isc/x86_32/include -I../../lib/irs/include -I../../lib/irs/include -DVERSION=\"9.11.0-P1\" -DSYSCONFDIR=\"/etc/bind\" -D_GNU_SOURCE -march=core2 -freorder-blocks-and-partition -O2 -pipe -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -c nsprobe.c -o nsprobe.o >/dev/null 2>&1
libtool: link: x86_64-pc-linux-gnu-gcc -march=core2 -freorder-blocks-and-partition -O2 -pipe -Wl,-O1 -o .libs/sample-gai .libs/sample-gai.o -Wl,--as-needed ../irs/.libs/libirs.so ../dns/.libs/libdns.so ../isccfg/.libs/libisccfg.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/dns/.libs/libdns.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isccc/.libs/libisccc.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isc/.libs/libisc.so ../isc/.libs/libisc.so -lcap -lz
../dns/.libs/libdns.so: undefined reference to `dlopen'
../dns/.libs/libdns.so: undefined reference to `dlclose'
../dns/.libs/libdns.so: undefined reference to `dlerror'
../dns/.libs/libdns.so: undefined reference to `dlsym'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:463: sample-gai] Error 1

This fails under lib/samples/, but the problem is with libdns.so/la itself. Failure was introduced by the "merge dyndb" commit:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=a00f9e2f50675bd43cc6a9fe2669709162a2ccb4

lib/dns/dyndb.c has a dlopen() reference, but configure still allows disabling -ldl (--without-dlopen) and thus libdns.la will be linked without -ldl. Probably the correct fix will be to remove the --with/without-dlopen option from ./configure.

Ref:
[1] https://bugs.gentoo.org/show_bug.cgi?id=600212

--
Peter.
Re: Logging to syslog
On Tue, 2016-12-06 at 13:23 +0100, Ivan Fabris wrote:
> I set up some dns logging to syslog ( rsyslog actually ), which
> forwards local1.* and local2.* to a remote rsyslog
[...]
> Both syslog, and journalctl, have all the rate limits set to infinite
> ( all that I could find )

Urgh... journalctl. Remember to also set "RateLimitInterval=0" in the "[Journal]" section of journald.conf. And since journald picks up and stores _everything_, including debug messages from "execute", you might want "Storage=volatile" there as well. You probably already have rsyslog write things to disk, no need for it to be written in two places.

> Did anyone find some slow down under heavy load with such a config,
> due to syslog ? e.g, no slow downs with file logging
> Or when the local or remote syslog are not available ( I configured
> the local rsyslog with a disk cache )

What exactly does "slow down" mean here? Are you missing messages in the log files? Or are requests not answered in a timely fashion? What is heavy load for you?

I have a set of 2 vCPU / 4G RAM virtual machines that service a hotspot network and log around 3 million lines per day each. Without RateLimitInterval=0 it routinely drops messages.

--
Peter
Re: BIND 9.10.4 may have a fatal crash defect.
Hello,

On 12 May 2016, at 15:44, Peter van Dijk wrote:

> I’ve heard two proposals:
>
> (1) brew fakes up a version number X that sorts 9.10.4 < X < Y, where Y is whatever ISC is going to release next
>
> (2) ISC ‘clones’ 9.10.3-P4 into 9.10.5 (or 9.10.4-P1 but that seems wrong) so the highest version in the BIND version tree is in fact a stable version
>
> There’s also (3) do nothing, wait for ISC to figure the issue out and fix it (which will obviously be in a version higher than 9.10.4); doing nothing increases the odds of somebody running into the crash but one might argue that this is helpful!
>
> I think all three options are a bit ugly, to be fair. I don’t have any preference.

A fourth proposal, just posted at https://github.com/Homebrew/homebrew-core/pull/796#issuecomment-218763988 - homebrew just rolls back, and users who get in trouble will complain and get instructions to downgrade. This is my favourite option.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
Re: BIND 9.10.4 may have a fatal crash defect.
Hello Michael,

On 11 May 2016, at 10:49, Michael McNally wrote:

> To our users:
>
> Recently, on Thursday 28 April, ISC released two maintenance releases of BIND 9:
>
> - BIND 9.9.9
> - BIND 9.10.4
>
> Beginning after the release of BIND 9.10.4 we started receiving a small number of reports from recursive server operators who have encountered an INSIST assertion in code which checks the consistency of the Red-Black Tree structure in which BIND stores cache information.

OSX Homebrew had already upgraded to 9.10.4. They are now interested in rolling back, but they cannot simply undo the update - ‘brew upgrade’ will not ‘go back’ automatically then. As there is no ‘epoch’ support like RPM and dpkg have, something else needs to happen.

I’ve heard two proposals:

(1) brew fakes up a version number X that sorts 9.10.4 < X < Y, where Y is whatever ISC is going to release next

(2) ISC ‘clones’ 9.10.3-P4 into 9.10.5 (or 9.10.4-P1 but that seems wrong) so the highest version in the BIND version tree is in fact a stable version

There’s also (3) do nothing, wait for ISC to figure the issue out and fix it (which will obviously be in a version higher than 9.10.4); doing nothing increases the odds of somebody running into the crash but one might argue that this is helpful!

I think all three options are a bit ugly, to be fair. I don’t have any preference.

Thoughts?

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
Moving dynamic zones to new master+slave pair without interruptions
We currently have two internal DNS servers that are both authoritative for a range of internal zones and caching resolvers for our clients. We would like to split this so authoritative and caching roles exist on different servers. And we would like to do this with as little down time as possible, also for dynamic zones.

Moving static zones is of course trivial. Moving dynamic zones is what I cannot quite wrap my head around.

I think I want to set up a new slave and AXFR from the existing master. Then I can point delegations and "forwarders" at this new slave only. Together with having the configured "masters" pointing at a not yet running master server this would make it "stand alone".

Next step in my head would be to re-create the master from this slave. I thought that I could just copy the zone files from the slave, since that slave would not have made any changes, seeing as it is only the master that can do that. (I am fine with rejecting changes to the dynamic zones during the move exercise.)

However, I see that the current slave also has ".jnl" files for the dynamic zones and "rndc freeze" is invalid except on the zone master. With journal files present I guess that I cannot trust the zone files to actually be valid/complete.

So... What do I do then? Is there another way of committing the journal to disk on a slave? Is there a "best practice" for re-creating a lost master when dealing with dynamic zones?

I may of course have started out completely wrong. If there are better ways to achieve what I want then I am all ears! :-)

This is all a thought exercise right now, I have not actually tried to move anything yet. If BIND versions are relevant then we plan on using the CentOS 6 default which is BIND 9.8.2 (with some patches, so it's bind-9.8.2-0.37.rc1.el6_7.5.x86_64) on the new servers. Building from sources is a hassle we would rather avoid, but since we are already doing this with ISC DHCP we could also do it with BIND if necessary.

Current master is _quite_ old, BIND 9.3.6 (bind-9.3.6-25.P1.el5_11.5). So the setup is really in need of a refresh. :-)

Thank you in advance!

--
Peter Rathlev
Re: Moving dynamic zones to new master+slave pair without interruptions
On Wed, 2016-01-06 at 18:04 +, Darcy Kevin (FCA) wrote:
> I'd just like to note in passing that the "separate authoritative and
> recursive" herd mentality reaches the ultimate point of absurdity
> when you only have 2 servers and you're going to create single points
> of failure (apparently, unless I'm misinterpreting "stand alone") to
> conform to this so-called "best practice".
[...]

I'm not religious about either model, but in this case the load on the recursive caching servers merits them being their own instances. We are not splitting the functions based on security concerns.

> Needless to say, I don't subscribe to the (apparently popular) notion
> that the roles need to exist on separate *hardware*.
[...]

One of two authoritative servers and two of three recursing will be virtual servers. So it's not as much a waste of hardware as it could be. :-)

> View-level separation is, in my opinion, sufficient to meet the
> security requirements.
[...]

Certainly. We use views on the resolvers for our public "guest" network and have had no concerns about this.

[...]
> Speaking of availability, as your network evolves, you might want to
> consider running recursive service on Anycast addresses
[...]

We already use anycasting on the recursive servers and would prefer a simple configuration that can easily be replicated to new instances. As part of this pending transition we will introduce an extra recursing server.

Keeping things simple, even if that means running more servers, helps me sleep at night. It helps my colleagues handle things without having to call me. :-)

--
Peter Rathlev
Re: Moving dynamic zones to new master+slave pair without interruptions
Hi Tony,

Thank you for the suggestions!

On Wed, 2016-01-06 at 16:05 +, Tony Finch wrote:
> * Set up a new hidden master, with copies of your zones. (See below)
>
> * Change your existing servers to slave from the new hidden master
> instead of the old master. Reconfigure the old master to be a slave
> of the new one.

Wouldn't this ruin dynamic updates from the DHCP servers? These updates need to be sent to the master. I could of course configure "allow-update-forwarding". Manually specifying the hidden master in the DHCP configuration seems clumsy.

> You don't need to worry about the data on disk on your existing
> slaves. They will continue to serve the same data, they will just
> xfer changes from a different master.

This made me think... Maybe I could just AXFR from the running slave and use the output as zone files on the master. As far as I can see this should Just Work™.

> My program nsdiff (http://dotat.at/prog/nsdiff) is useful for copying
> dynamic zones from an existing master to a new master without
> faffing around with `rndc freeze`.

Nice. :-) Perfect for copying changes without touching the files. I'll take a thorough look at it.

--
Peter Rathlev
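The "just AXFR from the running slave" idea above, written out as an added example (not code from the thread or from BIND itself). The transfer reflects the slave's in-memory zone with its journal already applied, so the .jnl file and "rndc freeze" (which a slave refuses) stop mattering; the script also catches a refused transfer and a serial that moved on the old master after the copy. It assumes dig and named-checkzone are installed; the zone name and addresses in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: snapshot a dynamic zone from a running slave with AXFR,
# check it loads, and confirm its serial still matches the old master.

# Print the SOA serial from dig-style records on stdin
# (fields: owner ttl class type mname rname serial refresh retry expire minimum).
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# snapshot_zone <zone> <server> <outdir>
# AXFR the zone into <outdir>/<zone>.db and make sure named would load it.
snapshot_zone() {
    zone=$1; server=$2; outdir=$3
    out="$outdir/$zone.db"
    mkdir -p "$outdir"
    # +onesoa drops the closing SOA so the file is a plain record list;
    # dig's ";" comment lines are stripped to leave a clean master file.
    dig @"$server" "$zone" AXFR +onesoa +noall +answer | grep -v '^;' > "$out"
    # An empty file means the transfer was refused: check allow-transfer on the slave.
    if ! [ -s "$out" ]; then
        echo "empty transfer of $zone from $server" >&2
        return 1
    fi
    named-checkzone -q "$zone" "$out"
}

# serial_matches <zone> <master> <file>
# Compare the snapshot's serial with what the old master serves right now;
# a mismatch means a dynamic update landed between the transfer and this check.
serial_matches() {
    zone=$1; master=$2; file=$3
    want=$(dig @"$master" "$zone" SOA +noall +answer | soa_serial)
    have=$(soa_serial < "$file")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Usage for one zone (placeholder names and addresses):
#   snapshot_zone dyn.example.net 192.0.2.2 /var/named/new-master \
#     && serial_matches dyn.example.net 192.0.2.1 /var/named/new-master/dyn.example.net.db \
#     && echo "snapshot is current"
```

Run it once per dynamic zone while updates are rejected; if serial_matches fails, repeat the snapshot rather than trusting the copy.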
Re: Is it possible to have separate query logs for different views?
On Tue, Mar 10, 2015 at 02:05:50PM -0400, Bob Harold wrote:
> Note that named includes the name of the view in the query log lines, so you could copy them from the query log to separate files, even in real time, if desired.
>
> tail -f named-queries | awk '/ view inside: / {print $0 > "named-queries-inside"; next} / view outside: / {print $0 > "named-queries-outside"; next} {print $0 > "named-queries-other"}'
>
> (not tested, but have used similar before)

Ok, I'm officially blind... Should have seen this myself. This will solve my problem.

Thanks!

Peter Olsson

> --
> Bob Harold
> hostmaster, UMnet, ITcom
> Information and Technology Services (ITS)
> rharo...@umich.edu
> 734-647-6524 desk
>
> On Mon, Mar 9, 2015 at 9:55 PM, Alan Clegg <a...@clegg.com> wrote:
>> On 3/9/15 3:04 AM, Peter Olsson wrote:
>>> Hello!
>>>
>>> Is it possible to have separate query logs for different views?
>>>
>>> I tried putting this in the view block, but it failed with unknown option 'logging':
>>>
>>> logging {
>>>     channel logging_query {
>>>         file "/var/log/named/query-inside.log" versions 30 size 5M;
>>>         print-time yes;
>>>         severity debug;
>>>     };
>>> };
>>
>> Nope. Logging is global only, not per view.
>>
>> AlanC
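Bob's one-liner generalised into a script, as an added example (not from the thread): instead of naming each view in the awk program, it picks the view name out of the "view <name>:" token named writes in every query-log line and opens one output file per view, so new views need no edits. The log lines are constructed samples in the BIND 9.9 query-log format, not real traffic.

```shell
#!/bin/sh
# Added example: split a BIND query log into one file per view.

# split_by_view <outdir>  (reads the query log on stdin)
# Lines carrying "view <name>:" go to <outdir>/queries-<name>.log; lines with
# no view token (or an unusual view name) go to <outdir>/queries-other.log.
split_by_view() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        # The token sits between "view " and ":"; RSTART/RLENGTH locate it.
        match($0, / view [A-Za-z0-9_-]+:/) {
            view = substr($0, RSTART + 6, RLENGTH - 7)
            print > (dir "/queries-" view ".log")
            next
        }
        { print > (dir "/queries-other.log") }
    '
}

# count_view <outdir> <view>: number of lines written for that view (0 if none).
count_view() {
    outdir=$1; view=$2
    f="$outdir/queries-$view.log"
    if [ -f "$f" ]; then
        wc -l < "$f" | tr -d ' '
    else
        echo 0
    fi
}

# Constructed sample log: two views plus one line from a view-less server.
SAMPLE_LOG='10-Mar-2015 14:05:50.123 client 10.0.0.5#53412 (www.example.com): view inside: query: www.example.com IN A + (10.0.0.1)
10-Mar-2015 14:05:51.456 client 192.0.2.7#44021 (mail.example.net): view outside: query: mail.example.net IN MX +E (192.0.2.1)
10-Mar-2015 14:05:52.789 client 10.0.0.9#50000 (intranet.example.com): view inside: query: intranet.example.com IN AAAA + (10.0.0.1)
10-Mar-2015 14:05:53.000 client 203.0.113.4#61000: query: example.org IN A - (203.0.113.1)'

# Demo on the sample: split into a scratch directory and report the counts.
DEMO_DIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" | split_by_view "$DEMO_DIR"
for v in inside outside other; do
    echo "$v: $(count_view "$DEMO_DIR" "$v") line(s)"
done
```

For live splitting, feed `tail -F named-queries | split_by_view /var/log/named/views` instead of the sample.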
Is it possible to have separate query logs for different views?
Hello!

Is it possible to have separate query logs for different views?

I tried putting this in the view block, but it failed with unknown option 'logging':

logging {
    channel logging_query {
        file "/var/log/named/query-inside.log" versions 30 size 5M;
        print-time yes;
        severity debug;
    };
};

Thanks!

--
Peter Olsson
Re: Multi-master (HA)
Well, we use two masters in different locations, w/o DLZ. Files for signed zones are being generated from databases and uploaded to servers. What we need here is propagation of DDNS plus periodic synchronizing of zones, journals etc.

Regarding zone templates - I'm using them with NSD4 and I'm totally happy. Actually I don't have words to emphasize how I love those templates!

2014-05-08 2:06 GMT+04:00 Lawrence K. Chen, P.Eng. <lkc...@ksu.edu>:
> On 05/06/14 13:39, Evan Hunt wrote:
>> On Tue, May 06, 2014 at 06:20:11PM +, Baird, Josh wrote:
>>> Hi,
>>>
>>> For those of you who operate at multiple sites or datacenters, are you doing any HA for your BIND masters? Ideally, we would have a master in each datacenter; maybe not an active one, but one that is standing by in case your primary master becomes unavailable. Do you have multiple active masters and list them as master in each of your slave's zone definitions? This seems like it could get rather messy.
>>>
>>> One thought is to use a technology like VMWare SRM which will spin up a master/virtual machine automatically in a second datacenter if your primary master goes down. This coupled with Layer2 connectivity between your sites could make things fairly simple. The standby/secondary master would retain the same IP address as your primary, so everything should just *work*.
>>>
>>> What are others doing? Any thoughts, ideas or advice is much appreciated.
>>
>> Thank you for bringing this up. As it happens, high-availability/multi-master support in BIND is something we've been seriously considering for a future release. There's been a lot of internal discussion of use cases, requirements, and possible design approaches. I don't want to influence the conversation here by saying too much about the ideas we've had so far, but I wanted to say: if anyone has specific thoughts on how to make this sort of thing easier in BIND -- even just at the level of "boy, it irritates me that I can't make BIND do X" -- such comments will fall on welcoming ears.
>
> I hadn't thought of doing multi-master...but the issue of promoting a slave to master for DR had come up. At the time the problem was DNSSEC. It's one thing for the slave to become master, it's another when it needs to change entries in the zone file to redirect key web-services to DR instances. (at the time, it was create two signed zone files each time...and secure transfer the second one out of band...but no DR web servers were ever set up, so both were identical files and eventually got scrapped.) The issue of raw vs text on secondaries came up after abandonment.
>
> But, DR comes up now and then...recently it's using DNS appliances and cloud...
>
> OTOH, the idea of multi-master is intriguing...the only down side I see, is that I have one really powerful server for my current master (Sun Fire X4170)...and my other servers are weak leftovers...just passed EOL last year. And, having all the servers doing full DNSSEC signing could be interesting. It also raises the question of how does the outside world cope with all the servers having identical zones...signed at slightly different times, etc. (especially since I'm using unix timestamp for zone serial...avoids issues of multiple admins incrementing serial without noticing others and/or collisions with DNSSEC's incrementing of serials.)
>
> But, it shouldn't be too hard to implement since our nameservers are managed by CFEngine. And, it makes it possible for all my name servers to have both internal and external views. Instead of having to have separate external slaves and internal slaves. (and other issues that I'm still working through with having this...namely my recursive caching servers hitting external slaves instead of internal slaves...)
>
> Things have gotten more complicated since we started allowing vanity internal names...before it was one subdomain that only existed on internal, and everybody had to put their host in there, as dept-host.subdomain.ksu.edu but then certain VIPs wanted host.dept.ksu.edu to work even though it's a 10.x.x.x address.
>
> It would also mean one of our satellite campuses that refuses to use our caching servers (and even sent our server that was providing the service for their campus back, which they had firewalled their users from using while it was there)...can have their own caching servers work without needing to understand that our whois record doesn't list our stealth/internal nameservers...which is why they can't resolve any internal services and need to track down somebody to give them the 10.x.x.x IP and having their users use that, etc.
>
> Wonder if they know about the change in forwarding on my caching resolvers to AD?
>
> --
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: All client resolvers support DNSSEC compatible queries ???
2014-04-24 13:46 GMT+04:00 Carsten Strotmann <c...@strotmann.de>:
> Hello Jeronimo,
>
> Jeronimo L. Cabral <jelocab...@gmail.com> writes:
>> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian, Windows 7, Red Hat and CentOS. If we implement DNSSEC validation support in our BIND9 server...how can I know if our hosts' resolvers are compatible with DNSSEC queries ???
>
> client host resolvers are usually not DNSSEC aware today. Certain applications (Browser with a DNSSEC validator plugin, postfix MTA ...) running on a client can be DNSSEC aware.
>
> You can enable DNSSEC validation support on a BIND 9 caching server that is used as a resolver by your clients. BIND 9 9.9.x already comes with DNSSEC validation enabled, for older versions you need to enable it manually in the configuration.
>
> Legacy (non DNSSEC aware) clients will send just regular DNS queries towards the BIND 9 caching resolver. BIND 9 will send queries with the DO-Flag (DNSSEC OK) towards the authoritative DNS server in the network. For DNSSEC signed zones, BIND 9 will validate the DNSSEC data. If the data validates without issues, the data is returned to the client as normal DNS (no DNSSEC). If the data fails to validate, the bad data is not sent to the clients, instead a SERVFAIL error message is sent to the client.

Actually a resolver sends the client an answer with the AD (authenticated data) bit set if the response from the authoritative server is successfully validated. If the zone in question isn't secured by DNSSEC, then the client receives the response without the AD bit. If validation fails - SERVFAIL.

> DNSSEC is backwards compatible in the sense that you can enable DNSSEC validation without the need to make changes to legacy clients.
>
> Windows 7 and Windows 8 clients can build a special trust relationship with an AD integrated Windows DNS Server to secure the last mile between the client and the resolving DNS cache. However to my knowledge this is not possible with Windows and a BIND 9 DNS.

IPSec, AFAIK.

> Best regards
>
> Carsten

--
Is there any problem Exterminatus cannot solve? I have not found one yet.
Re: How to create a fake root server?
Hi Kevin,

Thanks for your reply. It's just for a closed internal network with no access to the rest of the internet. Making labs such as testing ISP functions and services, mail servers etc. Everything is running inside a VMware host with an internal closed network.

I have created a closed Internet on 172.16.x.x where I would like to put up a root server for .loc, where several other ISP-DNS servers, with domains, are referred to. I've managed to create those ISP-DNS servers which work fine. But I'm having trouble creating the root DNS server with Bind. I haven't found any useful examples on the web yet.

It's for a school project.

Regards,
Peter

On 12/03/14 19:56, Kevin Darcy wrote:
> First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and for all you know, .loc might be one of them. If .loc gets established on the Internet, and you're using it internally, that presents abundant opportunities for confusion and failure. Use a publicly-registered domain, a descendant of a publicly-registered domain, or potentially, one of the reserved TLDs in RFC 6761.
>
> I'm not sure what your question is, exactly. Set up the root zone, slave it, publish 2 or more of the master/slaves in the NS records, delegate whatever TLD you're going to use, set up *that* zone, lather, rinse, repeat, for the entire hierarchy.
>
> Anyone who reads _DNS_and_BIND_ should be able to set up an internal-root infrastructure, IMO (although, sadly, the later editions don't seem as aligned to internal-root as they used to be).
>
> - Kevin
>
> On 3/12/2014 11:07 AM, Peter wrote:
>> Hi guys,
>>
>> I'm doing a virtual internet (internal net) for several VPS's. My goal is to simulate the Internet root servers and the ISP:s domain servers, which are hosting the actual domains. I want to create several DNS nameservers that will contain the specific domain under the xxx.loc, yyy.loc, zzz.loc.
>>
>> 1 server for the .loc root
>> 3 servers for xxx.loc (server1), yyy.loc (server2), zzz.loc (server3)
>>
>> Running BIND 9 at every server.
>>
>> Any suggestions or good links are highly appreciated.
>>
>> Best regards,
>> Peter
Re: How to create a fake root server?
I finally managed to configure a TLD DNS server which will answer, in its own CLI, with proper IP:s for added domains. The problem is that it doesn't reply to the other querying Domain DNS servers when they are asking it for domain lookups. I can only do lookups inside the TLD DNS server.

The TLD server settings:

named.conf
---
options {
    directory "/var/cache/bind";

    // forwarders {
    //     0.0.0.0;
    // };

    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { any; };
    recursion yes;
};

zone "loc" {
    type master;
    file "/etc/bind/pri.loc";
};
---

pri.loc
---
$ORIGIN .
$TTL 7200       ; 2 hours
loc     IN SOA  ns1.intranet admin.intranet.loc (
                2          ; serial
                7200       ; refresh (2 hours)
                1800       ; retry (30 minutes)
                7200       ; expire (2 hours)
                7200       ; minimum (2 hours)
                )
        NS      ns1.intranet
$ORIGIN loc.
domain1     A   172.16.0.121
domain2     A   172.16.0.122
---

TLD Server# ping domain1.loc
PING domain1.loc (172.16.0.121) 56(84) bytes of data.
64 bytes from 172.16.0.121: icmp_req=1 ttl=64 time=0.196 ms
64 bytes from 172.16.0.121: icmp_req=2 ttl=64 time=0.160 ms
64 bytes from 172.16.0.121: icmp_req=3 ttl=64 time=0.177 ms

TLD Server# ping domain2.loc
PING domain2.loc (172.16.0.121) 56(84) bytes of data.
64 bytes from 172.16.0.121: icmp_req=1 ttl=64 time=0.193 ms
64 bytes from 172.16.0.121: icmp_req=2 ttl=64 time=0.168 ms
64 bytes from 172.16.0.121: icmp_req=3 ttl=64 time=0.172 ms

Domain Server1# ping domain2.loc
ping: unknown host domain2.loc

Domain Server2# ping domain1.loc
ping: unknown host domain2.loc

On both Domain DNS servers, I have made forwards with the IP of the TLD server. But they simply will not receive any lookup answers. They have also been configured with 127.0.0.1 in the resolv.conf file, which means they will use their own internal DNS server for lookups. All servers are on the same 172.16.0.x network.

What am I doing wrong here?

Sincerely,
Peter

On 13/03/14 11:10, Mark Andrews wrote:
> In message <53216b43.8040...@gmail.com>, Peter writes:
>> Hi Kevin,
>>
>> Thanks for your reply. It's just for a closed internal network with no access to the rest of the internet. Making labs such as testing ISP functions and services, mail servers etc. Everything is running inside a VMware host with an internal closed network.
>>
>> I have created a closed Internet on 172.16.x.x where I would like to put up a root server for .loc, where several other ISP-DNS servers, with domains, are referred to. I've managed to create those ISP-DNS servers which work fine. But I'm having trouble creating the root DNS server with Bind. I haven't found any useful examples on the web yet.
>
> Perhaps because a root zone is like any other zone. It has a SOA record and NS records at the apex and other records.
>
> .                     3600 SOA server.example.net. hostmaster.example.net. 1 3600 1200 2419200 3600
> .                     3600 NS  server.example.net.
> .                     3600 NS  another.example.net.
> server.example.net.   3600 A   1.2.3.4
> another.example.net.  3600 A   1.2.3.5
>
>> It's for a school project.
>>
>> Regards,
>> Peter
>>
>> On 12/03/14 19:56, Kevin Darcy wrote:
>>> First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and for all you know, .loc might be one of them. If .loc gets established on the Internet, and you're using it internally, that presents abundant opportunities for confusion and failure. Use a publicly-registered domain, a descendant of a publicly-registered domain, or potentially, one of the reserved TLDs in RFC 6761.
>>>
>>> I'm not sure what your question is, exactly. Set up the root zone, slave it, publish 2 or more of the master/slaves in the NS records, delegate whatever TLD you're going to use, set up *that* zone, lather, rinse, repeat, for the entire hierarchy.
>>>
>>> Anyone who reads _DNS_and_BIND_ should be able to set up an internal-root infrastructure, IMO (although, sadly, the later editions don't seem as aligned to internal-root as they used to be).
>>>
>>> - Kevin
>>>
>>> On 3/12/2014 11:07 AM, Peter wrote:
>>>> Hi guys,
>>>>
>>>> I'm doing a virtual internet (internal net) for several VPS's. My goal is to simulate the Internet root servers and the ISP:s domain servers, which are hosting the actual domains. I want to create several DNS nameservers that will contain the specific domain under the xxx.loc, yyy.loc, zzz.loc.
>>>>
>>>> 1 server for the .loc root
>>>> 3 servers for xxx.loc (server1
How to create a fake root server?
Hi guys,

I'm doing a virtual internet (internal net) for several VPS's. My goal is to simulate the Internet root servers and the ISP:s domain servers, which are hosting the actual domains. I want to create several DNS nameservers that will contain the specific domain under the xxx.loc, yyy.loc, zzz.loc.

1 server for the .loc root
3 servers for xxx.loc (server1), yyy.loc (server2), zzz.loc (server3)

Running BIND 9 at every server. Any suggestions or good links are highly appreciated.

Best regards,
Peter

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
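Kevin's "delegate whatever TLD you're going to use, lather, rinse, repeat" and Mark's root-zone sample are the whole recipe for this lab; what usually goes wrong (and what the follow-up thread about domain servers that "simply will not receive any lookup answers" suggests) is a missing delegation or glue record, or resolvers pointed at the TLD server as a forwarder instead of at a root hints file. The script below is an added example, not code from the thread: it generates the zone data for a root, a TLD and the delegated domains, adding the NS record in each parent and the glue A record whenever the child's nameserver lives inside the child. The zone names follow the question's lab (.loc, xxx.loc, yyy.loc, zzz.loc; Kevin's advice to prefer an RFC 6761 reserved name applies, and the TLD is just a string here); the nameserver names and 172.16.0.x addresses are constructed placeholders.

```python
"""Zone data generator for a private root / TLD / domain lab hierarchy.

Added example, not code from the thread. Zone names follow the lab in the
question; nameserver names and addresses are constructed placeholders.
"""
from typing import Dict, List, Tuple

# (zone, nameserver name, nameserver address); absolute names with trailing dot.
Hierarchy = List[Tuple[str, str, str]]

LAB: Hierarchy = [
    (".",        "ns1.root.loc.", "172.16.0.1"),   # constructed: the root server
    ("loc.",     "ns1.loc.",      "172.16.0.2"),   # constructed: the TLD server
    ("xxx.loc.", "ns1.xxx.loc.",  "172.16.0.11"),  # constructed: server1
    ("yyy.loc.", "ns1.yyy.loc.",  "172.16.0.12"),  # constructed: server2
    ("zzz.loc.", "ns1.zzz.loc.",  "172.16.0.13"),  # constructed: server3
]


def _inside(name: str, zone: str) -> bool:
    """True if name is at or below zone (the root contains every name)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def closest_zone(name: str, zones: List[str]) -> str:
    """Longest listed zone containing name, i.e. the one authoritative for it."""
    return max((z for z in zones if _inside(name, z)), key=len)


def parent_zone(zone: str, zones: List[str]) -> str:
    """Closest enclosing zone that delegates this one, or "" for the root."""
    parents = [z for z in zones if z != zone and _inside(zone, z)]
    return max(parents, key=len) if parents else ""


def rr(owner: str, rtype: str, rdata: str, ttl: int = 3600) -> str:
    return f"{owner} {ttl} IN {rtype} {rdata}"


def build_zones(hierarchy: Hierarchy) -> Dict[str, List[str]]:
    """Return {zone: [records]} in master-file syntax.

    Each zone gets an SOA and its apex NS. The nameserver's A record goes into
    whichever zone is authoritative for that name. Each parent gets an NS
    record for every child it delegates, plus a glue A record when the child's
    nameserver name lies inside the child; without the glue a resolver that
    receives the referral has no address to follow it to.
    """
    zones = [z for z, _, _ in hierarchy]
    out: Dict[str, List[str]] = {z: [] for z in zones}
    for zone, ns, addr in hierarchy:
        mbox = "hostmaster." + ns.split(".", 1)[1]
        out[zone].append(rr(zone, "SOA", f"{ns} {mbox} 1 3600 1200 2419200 3600"))
        out[zone].append(rr(zone, "NS", ns))
        out[closest_zone(ns, zones)].append(rr(ns, "A", addr))
        parent = parent_zone(zone, zones)
        if parent:
            out[parent].append(rr(zone, "NS", ns))       # delegation in the parent
            if closest_zone(ns, zones) == zone:          # in-bailiwick: glue required
                out[parent].append(rr(ns, "A", addr))
    return out


def root_hints(hierarchy: Hierarchy) -> List[str]:
    """The hints records every lab resolver needs (a "type hint" root zone)
    so it can walk the tree itself instead of forwarding to the TLD server."""
    return [r for zone, ns, addr in hierarchy if zone == "."
            for r in (rr(".", "NS", ns), rr(ns, "A", addr))]


def render(records: List[str]) -> str:
    return "\n".join(records) + "\n"


if __name__ == "__main__":
    for zone, records in build_zones(LAB).items():
        print(f"; zone {zone}\n{render(records)}")
    print("; root hints\n" + render(root_hints(LAB)))
```

The root's own nameserver name sits under loc., so its A record is emitted into the loc. zone; the resolvers learn that address from the hints output, which is how a real root works too (Mark's sample names its root servers under example.net for the same reason).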
Re: Bind vs flood
Well, at first glance it looks like malicious activity, so the best action is to call all users, suspected in sending such requests, and warn them.

The fast and very (very-very-very) dirty solution is to set up zone 84822258.com on your resolver. This should suppress outgoing queries and thus minimize resolving time.

2014-02-28 12:06 GMT+04:00 Dmitry Rybin kirg...@corbina.net:
> On 27.02.2014 09:59, Dmitry Rybin wrote:
>> Bind answers with Server failure. On high load (4 qps) all normal clients can get Servfail on good query. Or query can execute more than 2-3 seconds.
>
> I have made a mistake, 4'000 QPS.

--
Is there any problem Exterminatus cannot solve? I have not found one yet.
Re: Bind vs flood
However, if you choose the second action, then your tech support should be ready.

2014-02-28 13:36 GMT+04:00 Peter Andreev andreev.pe...@gmail.com:
> Well, at first glance it looks like malicious activity, so the best action is to call all users, suspected in sending such requests, and warn them.
>
> The fast and very (very-very-very) dirty solution is to set up zone 84822258.com on your resolver. This should suppress outgoing queries and thus minimize resolving time.
>
> 2014-02-28 12:06 GMT+04:00 Dmitry Rybin kirg...@corbina.net:
>> On 27.02.2014 09:59, Dmitry Rybin wrote:
>>> Bind answers with Server failure. On high load (4 qps) all normal clients can get Servfail on good query. Or query can execute more than 2-3 seconds.
>>
>> I have made a mistake, 4'000 QPS.
>
> --
> Is there any problem Exterminatus cannot solve? I have not found one yet.

--
Is there any problem Exterminatus cannot solve? I have not found one yet.
Re: Bind vs flood
Hi Dmitry,

If your problem is a lot of strange queries, then there are two ways:

1. You operate an open resolver. If you can, restrict it to a limited scope of clients; otherwise the only way you can lower the number of incoming queries is DPI;
2. You operate a non-open resolver. Then you can find who is sending these queries and ask them to stop.

2014-02-27 9:59 GMT+04:00 Dmitry Rybin kirg...@corbina.net:
> Over 2 weeks ago a flood began. A lot of queries:
>
> niqcs.www.84822258.com
> vbhea.www.84822258.com
> abpqeftuijklm.www.84822258.com
> adcbefmzidmx.www.84822258.com
>
> and many others.
>
> Bind answers with Server failure. On high load (4 qps) all normal clients can get Servfail on good query. Or query can execute more than 2-3 seconds. Recursive clients via rndc status 300-500.
>
> I can try to use rate limit:
>
> rate-limit {
>     nxdomains-per-second 10;
>     errors-per-second 10;
>     nodata-per-second 10;
> };
>
> I do not see any improvement. Found one exit in this situation, add flood zones locally. What can we do in this situation?

--
Is there any problem Exterminatus cannot solve? I have not found one yet.
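The query names Dmitry lists (a fresh random label under one domain every time) are the signature of a random-subdomain flood against the resolver: every query misses the cache and has to go out to the victim domain's slow or dead nameservers, which is why recursive clients pile up and legitimate queries see SERVFAIL. Before deciding between Peter's two options (restricting the resolver or contacting the clients) one wants to know which domain is being hit and which clients are sending. The block below is an added example, not code from the thread: it scans BIND `queries`-category log lines for domains whose queries are almost all for distinct names. The log lines are constructed in the shape of BIND 9.9 query logging with `print-time yes`; the client addresses are documentation-range placeholders, and the query names are the ones from the thread.

```python
"""Spot random-subdomain query floods in BIND query logs.

Added example, not from the thread. The sample log is constructed in the
BIND 9.9 query-log shape; client addresses are 192.0.2.x placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# "... client IP#port: query: NAME IN TYPE flags (server-ip)"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

SAMPLE_LOG = """\
28-Feb-2014 12:06:01.101 client 192.0.2.10#40001: query: niqcs.www.84822258.com IN A + (10.0.0.53)
28-Feb-2014 12:06:01.102 client 192.0.2.10#40002: query: vbhea.www.84822258.com IN A + (10.0.0.53)
28-Feb-2014 12:06:01.103 client 192.0.2.11#40003: query: abpqeftuijklm.www.84822258.com IN A + (10.0.0.53)
28-Feb-2014 12:06:01.104 client 192.0.2.10#40004: query: adcbefmzidmx.www.84822258.com IN A + (10.0.0.53)
28-Feb-2014 12:06:01.105 client 192.0.2.12#40005: query: qzpwlxkd.www.84822258.com IN A + (10.0.0.53)
28-Feb-2014 12:06:01.106 client 192.0.2.20#40006: query: www.example.com IN A + (10.0.0.53)
28-Feb-2014 12:06:01.107 client 192.0.2.21#40007: query: www.example.com IN AAAA + (10.0.0.53)
28-Feb-2014 12:06:01.108 client 192.0.2.22#40008: query: mail.example.com IN MX + (10.0.0.53)
"""


class Suspect(NamedTuple):
    domain: str
    queries: int
    unique_names: int
    clients: List[str]


def base_domain(name: str, labels: int = 2) -> str:
    """Crude registrable-domain guess: the last `labels` labels of the name."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def find_random_subdomain_floods(log: str, min_queries: int = 5,
                                 min_unique_ratio: float = 0.8) -> List[Suspect]:
    """Return domains whose queries are (almost) all for distinct names.

    A legitimate domain is asked for a handful of names over and over, so
    unique names / total queries stays low. A random-subdomain flood asks for
    a new name nearly every time, so the ratio approaches 1.0 while the query
    count climbs; both thresholds must be met to flag a domain.
    """
    total: Dict[str, int] = defaultdict(int)
    names: Dict[str, Set[str]] = defaultdict(set)
    clients: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        dom = base_domain(m["name"])
        total[dom] += 1
        names[dom].add(m["name"].lower())
        clients[dom].add(m["ip"])
    suspects = []
    for dom, n in total.items():
        uniq = len(names[dom])
        if n >= min_queries and uniq / n >= min_unique_ratio:
            suspects.append(Suspect(dom, n, uniq, sorted(clients[dom])))
    return sorted(suspects, key=lambda s: s.queries, reverse=True)


if __name__ == "__main__":
    for s in find_random_subdomain_floods(SAMPLE_LOG):
        print(f"{s.domain}: {s.queries} queries, {s.unique_names} distinct names, "
              f"from {len(s.clients)} clients: {', '.join(s.clients)}")
```

The client list is what makes Peter's second option actionable: on a non-open resolver those addresses are your own users (or their compromised hosts), on an open one they are whoever is abusing it, and the choice between an ACL and a phone call follows from that.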
Forwarding requests when DNS name doesn't exist?
(This is probably a silly question, but I want to explore every possibility.)

We have a proxy firewall, with no contact between inside and outside. We have a fake internal DNS root for zones that we use internally. This works fine, since lookups of external names are only made from the outside of the proxy servers.

We are about to change to a transparent firewall, which means that we remove the proxy servers. Then we have to let the inside get access to real outside DNS.

Is there any way with bind, or any other DNS product, to keep our internal fake zones and have them selectively forwarded to external DNS for all names that don't exist in the internal fake zones? Clients would first ask internal DNS, and if the name exists there they will use that, but if the name doesn't exist internally they won't get a negative response. Instead their request would be forwarded to external DNS.

Thanks!

Peter Olsson
Re: listen-to clusterIP address
2013/6/5 Phil Mayers p.may...@imperial.ac.uk:
> On 06/05/2013 07:37 PM, paul wrote:
>> Hi. I have a two node active passive cluster serving webpages. When a failover occurs, I have to restart named on the now active node because
>
> You don't have to restart it. rndc reconfig will re-check the IPs on the machine and re-listen.

This definitely will not work if BIND dropped privileges after start.

>> the cluster Ip was not available when named originally started even though I have listen-to the cluster ip listed in my named.conf. Is there a way to make named listen-to an ip address that is not yet available?

The simplest way, I think, is to configure the cluster IP on loopback interfaces and set up routing.

> No. This has come up before - the bind listen-on statement is an ACL which is matched against the list of IPs on the box, not a list of IPs passed to the bind() syscall. There are various solutions, but rndc reconfig is the right one IMO.

--
AP
Re: high volume from outside our networks question
On 1/31/13 7:05 PM, rich carroll wrote:
> antispoof log quick for em0 inet
> but that did not trigger on any of the requests.

This leads to nowhere in your specific case, check 'pfctl -sr' and the docs[1] to learn how this rule expands.

[1] http://www.openbsd.org/faq/pf/filter.html#antispoof

--
Oliver PETER oli...@peter.de.com 0x456D688F
Re: Wildcard CNAME record?
On Wed, Jan 16, 2013 at 10:33:03AM -0500, Barry Margolin wrote:
> In article mailman.1072.1358349671.11945.bind-us...@lists.isc.org, Oliver Peter li...@peter.de.com wrote:
>> On Wed, Jan 16, 2013 at 02:57:48PM +, Baird, Josh wrote:
>>> Is it acceptable to have a wildcard CNAME? Example:
>>>
>>> * IN CNAME somewhere.com.
>>>
>>> Or, would it be advised to only use wildcard 'A' records?
>>
>> Not valid since there should be SOA and NS records for somewhere.com, the CNAME would conflict with them.
>
> But wildcards only synthesize records that are actually queried for. If no one ever asks for these SOA and NS records, the conflicts will never occur. They're the DNS equivalent of trees falling in a forest.

Gah, mixed it up, was thinking the other way round. Sorry.

--
Oliver PETER oli...@opdns.de 0x456D688F
You need healthy, natural sleep. Chew some Valerian root and get more exercise.
Re: reverse zone of type forward when /28 subnet
Actually, Mark's advice is much better.

2012/12/29 Dmitri Tarkhov tark...@dionaholding.ru:
> Hi, this finally works:
>
> view "reverse1" IN {
>     recursion yes;
>     zone "z.y.x.in-addr.arpa" IN {
>         type forward;
>         forward only;
>         forwarders { A; B; };
>     };
>     zone "localhost" IN {
>         type master;
>         file "master.localhost";
>     };
>     zone "0.0.127.in-addr.arpa" IN {
>         type master;
>         file "localhst.rev";
>     };
> };
>
> And Happy New Year!
>
> Dmitri Tarkhov wrote:
>> Hi, all, thank you very much for discussion. It was interesting and very useful. You can pretty well imagine that I am not much dns involved, I am rather unix and unix HW guy. Unfortunately I saw dns cache poisoning attack and although it could be provoked by side effects it's better to get rid of it altogether.
>>
>> For just 14 (241-254) addresses it is not difficult to maintain 2 types of master zones in sync (RFC 2317 and RFC 1035) and it's enough to put a couple of comment lines to not forget it later. Yes, life is short but this is not the reason to not train the brain, can help to hook a life a bit longer ...
>>
>> Bringing stir to the chicken coop and requesting compliance is generally a good idea and fingers itch but I don't expect much from our ISPs ... So first I'll try type forward within a view, then I'm sure, one address zones can serve me right. I will also contact the ISP but without great expectations.
>>
>> Why I do all this is:
>> - enforce security
>> - assure stable mail exchange (which depends on reverse resolving)
>>
>> Mark Andrews wrote:
>>> In message 50dcd454.2070...@dougbarton.us, Doug Barton writes:
>>>> On 12/27/2012 11:18 AM, Mark Andrews wrote:
>>>>> zone "241.Z.X.Y.IN-ADDR.ARPA" { type master; file "241.Z.X.Y.IN-ADDR.ARPA"; };
>>>>
>>>> That's great locally, but it doesn't match the 2317 delegation from the upstream, and usually it's not possible to change what they send you. Or are you suggesting maintaining both the individual versions of the zones, and the 2317 zone?
>>>
>>> No. I'm suggesting that they tell their ISP to do RFC 2317 right or do RFC 1035 delegations. If their ISP won't do either change ISP.
>>>
>>>> Doug
>
> --
> Best regards,
> Dmitri Tarkhov

--
AP
Re: reverse zone of type forward when /28 subnet
Forwarding does not work without recursion enabled. There are a few ways to solve the problem:

1. Using views;
2. Using another dns resolver (for example Unbound);
3. Downloading the zone via script (bad idea from any point);
4. Do not bother where your resolver gets authoritative data (I'd recommend this one).

Actually, I'm afraid you won't be able to achieve your goal without needless overcomplication.

2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
> Well, it's Ok with that. I indeed am the owner of small reverse zone
>
> 255-241.z.y.x.in-addr.arpa IN { type master;
>
> named with accordance with rfc2317 CNAME trick and can edit it. The changes are transferred one way to the ISP side and make part of their zone z.y.x.in-addr.arpa. So my changes are seen by the world.
>
> But this small subzone cannot be used for direct reverse resolving right at my dns. It can only be done at class C (or B, or A) granularity. So to achieve exactly what I want I need to pull somehow this class C zone z.y.x.in-addr.arpa to my dns. Either as slave zone (which is denied by ISP) or as forward zone which I cannot tune to work. Maybe some other approach unknown to me exists.
>
> Again, there is no problem with reverse resolving in general but I cannot achieve this directly at my dns, that is to receive a response from it no matter wherever it forwards the request or from where it gets the PTR records.
>
> Peter Andreev wrote:
>> Please correct me if I'm wrong: you'd like to edit PTR records for your part of the /24 zone? If so, what does your ISP say about rfc2317?
>>
>> 2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
>>> Hi,
>>>
>>> I've searched the list archives and Google and don't see anything to answer my question subj.
>>>
>>> we have let's say x.y.z.240/28 subnet and BIND 9.9.2-P1. We want to have a master DNS without unnecessary extra functionality. (Including no caching)
>>>
>>> This is the named.conf with obscured addresses:
>>>
>>> # cat /dns992/etc/named.conf
>>> key rndc-key { ... };
>>> controls { ... };
>>> acl nameservers { A; B; };
>>> options {
>>>     directory "/var/named";
>>>     allow-query { any; };
>>>     recursion no;
>>>     version "Some Server";
>>>     listen-on { x.y.z.w; };
>>>     pid-file "/var/run/named.pid";
>>> };
>>> zone "company" IN {
>>>     type master;
>>>     file "company.dat";
>>>     allow-transfer { nameservers; };
>>> };
>>> zone "255-241.z.y.x.in-addr.arpa" IN {
>>>     type master;
>>>     file "company.rev";
>>>     allow-transfer { nameservers; };
>>> };
>>> zone "z.y.x.in-addr.arpa" IN {
>>>     type forward;
>>>     forward only;
>>>     forwarders { intranet.1; };
>>> };
>>> //zone "z.y.x.in-addr.arpa" IN {
>>> //    type slave;
>>> //    file "z_y_x_in-addr.arpa";
>>> //    masters { A; B; };
>>> //};
>>> zone "localhost" IN {
>>>     type master;
>>>     file "master.localhost";
>>>     allow-update { none; };
>>> };
>>> zone "0.0.127.in-addr.arpa" IN {
>>>     type master;
>>>     file "localhst.rev";
>>>     notify no;
>>> };
>>>
>>> Direct resolving works fine. Our subzone is delegated from ISP properly. dig +trace shows due CNAMEs and in general reverse resolving works as well. But I want to achieve reverse resolving on our DNS itself. It is a quite natural desire, to be self sufficient or at least pretend to be, isn't it ...
>>>
>>> The simplest way to achieve that would be to have a slave zone for the whole class C network x.y.z.0/24 but the ISP doesn't allow zone transfer. I can understand why transfers of direct zones are limited by security reasons. But reverse zones do not contain any private subdomains or whatever. There is nothing in the reverse zone that cannot be collected by simple queries. And, BTW nothing to hide.
>>>
>>> Well, another way would be to have a reverse zone for z.y.x.in-addr.arpa of type forward with forward only clause and due forwarders. But it doesn't seem to work. I've tried external forwarders including 8.8.8.8 + 8.8.8.4 without success and now stick with our internal dns at intranet/24.1
>>>
>>> This internal dns produces perfect reverse resolving but only for internal users, of course the internals acl includes the address of external dns. It has this set of options:
>>>
>>> options {
>>>     directory "/var/named";
>>>     forward first;
>>>     version "not available";
>>>     forwarders { A; B; };
>>>     allow-query { internals; };
>>>     allow-transfer { none; };
>>>     allow-recursion { internals; };
>>>     listen-on { intranet.1; };
>>> };
>>>
>>> What I have when performing reverse resolving at external dns is:
>>>
>>> x.y.z.k
>>> Server:  x.y.z.w
>>> Address: x.y.z.w#53
>>>
>>> ** server can't find k.z.y.x.in-addr.arpa: REFUSED
>>>
>>> and setting "set d2" in nslookup v9.9.2 doesn't reveal anything catching attention although I see that there is an attempt to contact the forwarder.
>>>
>>> trying origin company.internal (obscured as well)
>>> recursive query
>>> add_question()
>>> starting to render the message
>>> done rendering
>>> create query 0x402a4010 linked to lookup 0x82168c0
>>> do_lookup()
>>> send_udp(0x402a4010)
>>> bringup_timer()
>>> have local timeout of 5
>>> working on lookup 0x82168c0, query 0x402a4010
>>> sockcount=1
>>> recving
Re: reverse zone of type forward when /28 subnet
2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
> Hi, thanks a lot for the information. Contains key reason and sounds interesting.
>
> 1. Do you mean I can isolate zone z.y.x.in-addr.arpa into a separate view where recursion is enabled but all other zones are excluded? If so, it's very promising.

Actually, forwarding also doesn't work for queries without the RD bit. Such queries are being sent by resolvers in normal circumstances.

> 2. Sorry, Unbound - is it just another dns server?

Yep, it is a recursive-only dns server. It has an option called local-zone, which is absolutely what you are looking for. Note that Unbound has very limited capabilities to support authoritative data.

> 3. Thought about a script. Know Korn shell at middle level. Nobody prohibits to maintain yet another copy of master zone.

Nobody but zone owner.

> But I don't want to indulge into such remote circumventions.
>
> 4. That's possible to not bother about the issue but for now I am not ready to fold hands.

I just meant that fencing your resolver without really good reasons is a bad idea. If you do it just for fun in a production environment, you should think twice.

> Peter Andreev wrote:
>> Forwarding does not work without recursion enabled. There are a few ways to solve the problem:
>>
>> 1. Using views;
>> 2. Using another dns resolver (for example Unbound);
>> 3. Downloading the zone via script (bad idea from any point);
>> 4. Do not bother where your resolver gets authoritative data (I'd recommend this one).
>>
>> Actually, I'm afraid you won't be able to achieve your goal without needless overcomplication.
>>
>> 2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
>>> Well, it's Ok with that. I indeed am the owner of small reverse zone
>>>
>>> 255-241.z.y.x.in-addr.arpa IN { type master;
>>>
>>> named with accordance with rfc2317 CNAME trick and can edit it. The changes are transferred one way to the ISP side and make part of their zone z.y.x.in-addr.arpa. So my changes are seen by the world.
>>>
>>> But this small subzone cannot be used for direct reverse resolving right at my dns. It can only be done at class C (or B, or A) granularity. So to achieve exactly what I want I need to pull somehow this class C zone z.y.x.in-addr.arpa to my dns. Either as slave zone (which is denied by ISP) or as forward zone which I cannot tune to work. Maybe some other approach unknown to me exists.
>>>
>>> Again, there is no problem with reverse resolving in general but I cannot achieve this directly at my dns, that is to receive a response from it no matter wherever it forwards the request or from where it gets the PTR records.
>>>
>>> Peter Andreev wrote:
>>>> Please correct me if I'm wrong: you'd like to edit PTR records for your part of the /24 zone? If so, what does your ISP say about rfc2317?
>>>>
>>>> 2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
>>>>> Hi,
>>>>>
>>>>> I've searched the list archives and Google and don't see anything to answer my question subj.
>>>>>
>>>>> we have let's say x.y.z.240/28 subnet and BIND 9.9.2-P1. We want to have a master DNS without unnecessary extra functionality. (Including no caching)
>>>>>
>>>>> This is the named.conf with obscured addresses:
>>>>>
>>>>> # cat /dns992/etc/named.conf
>>>>> key rndc-key { ... };
>>>>> controls { ... };
>>>>> acl nameservers { A; B; };
>>>>> options {
>>>>>     directory "/var/named";
>>>>>     allow-query { any; };
>>>>>     recursion no;
>>>>>     version "Some Server";
>>>>>     listen-on { x.y.z.w; };
>>>>>     pid-file "/var/run/named.pid";
>>>>> };
>>>>> zone "company" IN {
>>>>>     type master;
>>>>>     file "company.dat";
>>>>>     allow-transfer { nameservers; };
>>>>> };
>>>>> zone "255-241.z.y.x.in-addr.arpa" IN {
>>>>>     type master;
>>>>>     file "company.rev";
>>>>>     allow-transfer { nameservers; };
>>>>> };
>>>>> zone "z.y.x.in-addr.arpa" IN {
>>>>>     type forward;
>>>>>     forward only;
>>>>>     forwarders { intranet.1; };
>>>>> };
>>>>> //zone "z.y.x.in-addr.arpa" IN {
>>>>> //    type slave;
>>>>> //    file "z_y_x_in-addr.arpa";
>>>>> //    masters { A; B; };
>>>>> //};
>>>>> zone "localhost" IN {
>>>>>     type master;
>>>>>     file "master.localhost";
>>>>>     allow-update { none; };
>>>>> };
>>>>> zone "0.0.127.in-addr.arpa" IN {
>>>>>     type master;
>>>>>     file "localhst.rev";
>>>>>     notify no;
>>>>> };
>>>>>
>>>>> Direct resolving works fine. Our subzone is delegated from ISP properly. dig +trace shows due CNAMEs and in general reverse resolving works as well. But I want to achieve reverse resolving on our DNS itself. It is a quite natural desire, to be self sufficient or at least pretend to be, isn't it ...
>>>>>
>>>>> The simplest way to achieve that would be to have a slave zone for the whole class C network x.y.z.0/24 but the ISP doesn't allow zone transfer. I can understand why transfers of direct zones are limited by security reasons. But reverse zones do not contain any private subdomains or whatever. There is nothing in the reverse zone that cannot be collected by simple queries. And, BTW nothing to hide.
>>>>>
>>>>> Well, another way would be to have a reverse zone for z.y.x.in-addr.arpa of type forward with forward only clause and due forwarders. But it doesn't seem to work. I've tried external forwarders including 8.8.8.8
Re: reverse zone of type forward when /28 subnet
2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
> Ok, thank you, I'll try views first of all. And I need some further clarification about this:
>
>> I just meant that fencing your resolver without really good reasons is a bad idea.
>
> By fencing your resolver do you mean converting a dns server into only a source of information from its master zones cutting severely any unnecessary functionality or anything else? What is a bad idea and why?

You are trying to cut some ways of information obtaining for the resolver. That is what I mean.

> In fact I want to do so because I want to protect it from cache poisoning and any other attack of forge nature.

I can't say these attacks are very common. Actually I can't recall any cases of such attacks in the wild. Also, in-addr.arpa isn't a good target. As for now the best defence against cache poisoning is DNSSEC and since we have signed all Russian TLDs you could implement it.

> Peter Andreev wrote:
>> 2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
>>> Hi, thanks a lot for the information. Contains key reason and sounds interesting.
>>>
>>> 1. Do you mean I can isolate zone z.y.x.in-addr.arpa into a separate view where recursion is enabled but all other zones are excluded? If so, it's very promising.
>>
>> Actually, forwarding also doesn't work for queries without the RD bit. Such queries are being sent by resolvers in normal circumstances.
>>
>>> 2. Sorry, Unbound - is it just another dns server?
>>
>> Yep, it is a recursive-only dns server. It has an option called local-zone, which is absolutely what you are looking for. Note that Unbound has very limited capabilities to support authoritative data.
>>
>>> 3. Thought about a script. Know Korn shell at middle level. Nobody prohibits to maintain yet another copy of master zone.
>>
>> Nobody but zone owner.
>>
>>> But I don't want to indulge into such remote circumventions.
>>>
>>> 4. That's possible to not bother about the issue but for now I am not ready to fold hands.
>>
>> I just meant that fencing your resolver without really good reasons is a bad idea. If you do it just for fun in a production environment, you should think twice.
>>
>>> Peter Andreev wrote:
>>>> Forwarding does not work without recursion enabled. There are a few ways to solve the problem:
>>>>
>>>> 1. Using views;
>>>> 2. Using another dns resolver (for example Unbound);
>>>> 3. Downloading the zone via script (bad idea from any point);
>>>> 4. Do not bother where your resolver gets authoritative data (I'd recommend this one).
>>>>
>>>> Actually, I'm afraid you won't be able to achieve your goal without needless overcomplication.
>>>>
>>>> 2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
>>>>> Well, it's Ok with that. I indeed am the owner of small reverse zone
>>>>>
>>>>> 255-241.z.y.x.in-addr.arpa IN { type master;
>>>>>
>>>>> named with accordance with rfc2317 CNAME trick and can edit it. The changes are transferred one way to the ISP side and make part of their zone z.y.x.in-addr.arpa. So my changes are seen by the world.
>>>>>
>>>>> But this small subzone cannot be used for direct reverse resolving right at my dns. It can only be done at class C (or B, or A) granularity. So to achieve exactly what I want I need to pull somehow this class C zone z.y.x.in-addr.arpa to my dns. Either as slave zone (which is denied by ISP) or as forward zone which I cannot tune to work. Maybe some other approach unknown to me exists.
>>>>>
>>>>> Again, there is no problem with reverse resolving in general but I cannot achieve this directly at my dns, that is to receive a response from it no matter wherever it forwards the request or from where it gets the PTR records.
>>>>>
>>>>> Peter Andreev wrote:
>>>>>> Please correct me if I'm wrong: you'd like to edit PTR records for your part of the /24 zone? If so, what does your ISP say about rfc2317?
>>>>>>
>>>>>> 2012/12/27 Dmitri Tarkhov tark...@dionaholding.ru:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've searched the list archives and Google and don't see anything to answer my question subj.
>>>>>>>
>>>>>>> we have let's say x.y.z.240/28 subnet and BIND 9.9.2-P1. We want to have a master DNS without unnecessary extra functionality. (Including no caching)
>>>>>>>
>>>>>>> This is the named.conf with obscured addresses:
>>>>>>>
>>>>>>> # cat /dns992/etc/named.conf
>>>>>>> key rndc-key { ... };
>>>>>>> controls { ... };
>>>>>>> acl nameservers { A; B; };
>>>>>>> options {
>>>>>>>     directory "/var/named";
>>>>>>>     allow-query { any; };
>>>>>>>     recursion no;
>>>>>>>     version "Some Server";
>>>>>>>     listen-on { x.y.z.w; };
>>>>>>>     pid-file "/var/run/named.pid";
>>>>>>> };
>>>>>>> zone "company" IN {
>>>>>>>     type master;
>>>>>>>     file "company.dat";
>>>>>>>     allow-transfer { nameservers; };
>>>>>>> };
>>>>>>> zone "255-241.z.y.x.in-addr.arpa" IN {
>>>>>>>     type master;
>>>>>>>     file "company.rev";
>>>>>>>     allow-transfer { nameservers; };
>>>>>>> };
>>>>>>> zone "z.y.x.in-addr.arpa" IN {
>>>>>>>     type forward;
>>>>>>>     forward only;
>>>>>>>     forwarders { intranet.1; };
>>>>>>> };
>>>>>>> //zone "z.y.x.in-addr.arpa" IN {
>>>>>>> //    type slave;
>>>>>>> //    file "z_y_x_in-addr.arpa";
>>>>>>> //    masters { A; B; };
>>>>>>> //};
>>>>>>> zone "localhost" IN {
>>>>>>>     type master;
>>>>>>>     file "master.localhost";
>>>>>>>     allow-update { none; };
>>>>>>> };
>>>>>>> zone "0.0.127.in-addr.arpa" IN {
>>>>>>>     type master;
>>>>>>>     file
Re: Strange issue with signed zone
2012/11/9 Tony Finch d...@dotat.at:
> Peter Andreev andreev.pe...@gmail.com wrote:
>> We signed another zone and met the same problem again. The only difference is algorithm - now it is RSASHA256.
>>
>>> We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. Recently we realised that our servers don't generate NSEC3 for signed zone. Problem has gone after we restarted BIND instances. We are using views, could it be related?
>
> Did you add an NSEC3PARAM record?

Yes, we did.

> The signing algorithms that support NSEC3 use NSEC by default unless the zone has an NSEC3PARAM record.
>
> Tony.
> --
> f.anthony.n.finch d...@dotat.at http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

--
AP
Re: Strange issue with signed zone
2012/11/9 Peter Andreev andreev.pe...@gmail.com:
> 2012/11/9 Tony Finch d...@dotat.at:
>> Peter Andreev andreev.pe...@gmail.com wrote:
>>> We signed another zone and met the same problem again. The only difference is algorithm - now it is RSASHA256.
>>>
>>>> We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. Recently we realised that our servers don't generate NSEC3 for signed zone. Problem has gone after we restarted BIND instances. We are using views, could it be related?
>>
>> Did you add an NSEC3PARAM record?
>
> Yes, we did.

Actually without restart, servers generated neither NSEC3 nor NSEC.

>> The signing algorithms that support NSEC3 use NSEC by default unless the zone has an NSEC3PARAM record.
>>
>> Tony.
>> --
>> f.anthony.n.finch d...@dotat.at http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
>
> --
> AP

--
AP
Re: Strange issue with signed zone
Hi everybody!

We signed another zone and met the same problem again. The only difference is algorithm - now it is RSASHA256.

> We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. Recently we realised that our servers don't generate NSEC3 for signed zone. Problem has gone after we restarted BIND instances. We are using views, could it be related?

--
AP
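Tony's point is that the NSEC3PARAM record at the apex is what switches a zone from NSEC to NSEC3 chains, and the symptom Peter reports (no NSEC3 records until a restart) is best verified directly: take the published NSEC3PARAM, hash the names you expect to be covered, and check that each hashed owner name actually exists in the zone. The block below is an added example, not code from the thread: it implements the RFC 5155 hashed-owner-name computation (iterated SHA-1 over the canonical wire name plus salt, base32hex encoded) and reports which expected NSEC3 owners are missing. The parameters "1 0 12 aabbccdd" and the expected hash of "example." come from the RFC 5155 Appendix A example zone; the other names and the set of present records are constructed. Note that with OPT-OUT, as in Peter's first zone, unsigned delegations legitimately have no NSEC3, so pass only names that must be covered (the apex and the zone's signed names).

```python
"""NSEC3 hashed owner names (RFC 5155) and a missing-NSEC3 check for a zone.

Added example, not from the thread. "1 0 12 aabbccdd" and the hash of
"example." are the RFC 5155 Appendix A vector; other names are constructed.
"""
import base64
import hashlib
from typing import Iterable, List, Set, Tuple

# base32 (A-Z, 2-7) to base32hex (0-9, a-v), the alphabet NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("abcdefghijklmnopqrstuvwxyz234567",
                               "0123456789abcdefghijklmnopqrstuv")


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_nsec3param(rdata: str) -> Tuple[int, int, int, str]:
    """'1 0 12 aabbccdd' -> (hash algorithm, flags, iterations, salt hex or '')."""
    alg, flags, iters, salt = rdata.split()
    if int(alg) != 1:
        raise ValueError(f"NSEC3 hash algorithm {alg} is not defined (only 1 = SHA-1)")
    return int(alg), int(flags), int(iters), "" if salt == "-" else salt


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H = SHA1(name || salt), then H = SHA1(H || salt)
    `iterations` more times; the 20-byte result is 32 base32hex characters."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").lower().translate(_B32_TO_B32HEX)


def expected_nsec3_owner(zone: str, name: str, nsec3param: str) -> str:
    _, _, i, salt = parse_nsec3param(nsec3param)
    return f"{nsec3_hash(name, salt, i)}.{zone}"


def missing_nsec3(zone: str, names: Iterable[str], nsec3_owners: Set[str],
                  nsec3param: str) -> List[str]:
    """Names whose NSEC3 record is absent from the zone's NSEC3 owner set.
    An empty list means the chain covers everything you asked about."""
    present = {o.lower() for o in nsec3_owners}
    return sorted(n for n in names
                  if expected_nsec3_owner(zone, n, nsec3param) not in present)


if __name__ == "__main__":
    # Constructed check: a zone whose NSEC3 set only covers the apex.
    param = "1 0 12 aabbccdd"
    owners = {"0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example."}
    print(nsec3_hash("example.", "aabbccdd", 12))
    print("missing:", missing_nsec3("example.", ["example.", "a.example."], owners, param))
```

Run against a real zone, the owner set is simply every owner name in the zone file (or an AXFR) whose type is NSEC3; if the list of missing names is non-empty on a server that has the NSEC3PARAM record, you are looking at the same state Peter saw before his restart.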
Lots of RSA_verify failed after upgrade to 9.7.7
Yesterday I upgraded our slave DNS (running FreeBSD 7.4) from bind 9.7.6.4 to 9.7.7. The server uses bind97 from ports.

After that upgrade I get lots of these in syslog:

RSA_verify failed error:04077068:rsa routines:RSA_verify:bad signature:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:263:

I have never seen these before. I tried Google but got no recent results.

Anyone know what this means and how to get rid of these errors?

Thanks!

Peter Olsson
Re: Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]
2012/11/1 Chris Thompson c...@cam.ac.uk:
> On Oct 29 2012, Feng He wrote:
>> On 2012-10-29 9:58, kavin wrote:
>>> Now, I want to transfer the zone data from the master dns server to the slave dns server; the master dns uses bind-dlz+mysql and the slave dns server uses bind+file.
>>
>> AFAIK, BIND DLZ doesn't send a notify message to slave, so both your master and slave should be able to use the DLZ backend and run a mysql replication for data sync.
>
> That exchange prompts me to ask whether anyone has managed to use BIND-DLZ in something like the following scenario.
>
> We have a hidden master for vanity zones (we call them something else for the punters) that runs in a small footprint virtual machine together with the web server providing the updating interface. The latter stores the data in a MySQL database. At the moment there is a crontab that extracts data from that database and updates zone files (if they need changing - there are some neat-o optimisations) and does an rndc reload on the hidden master daemon. That NOTIFYs the public nameservers for the zones, which are in fact our regular authoritative-only ones.
>
> It seems that one ought to be able to use BIND-DLZ to cut out a step there, but none of the how-to's for it seem to address this sort of scenario, and the NOTIFY issue is particularly relevant. Fast responses from the hidden master to queries are certainly *not* a requirement here, and indeed we expect to be able to operate with it (and its MySQL database) down for significant periods.
>
> On the other hand, there is also a possibility that we might want to sign the vanity zones (we use JANET, Nominet and Gandi for their registrations, who all support signed delegations now), and how that would interact with BIND-DLZ might also be an issue. Can one use BIND 9.9 inline signing with the unsigned version provided by a DLZ interface?

In our case (big zones, distant servers) we have found DLZ very inefficient because of huge overhead due to AXFRs. Another problem is absence of NOTIFYs.

As for me the way your system is working now is much more simple, predictable and reliable than DLZ.

> --
> Chris Thompson
> Email: c...@cam.ac.uk

--
AP
Re: What does deleted from unreachable cache mean?

On Fri, Aug 03, 2012 at 09:13:50AM +0100, Cathy Almond wrote:
> On 02/08/12 19:00, Michael Hoskins (michoski) wrote:
>> -----Original Message-----
>> From: Peter Olsson p...@leissner.se
>> Date: Thursday, August 2, 2012 10:25 AM
>> To: Cathy Almond cat...@isc.org
>> Cc: bind-users@lists.isc.org
>> Subject: Re: What does deleted from unreachable cache mean?
>>
>>> Excellent information, thanks!
>>
>> Agreed. I really appreciate the effort ISC has put into the KB.
>>
>>> However, it is worrying that the master sometimes is unreachable. Is there some way I can make the slave server log, with timestamp, what zone it was trying to refresh when it failed?
>>
>> Not sure if you've already tried, but do you have xfer logging enabled?
>>
>> logging {
>>     // snip
>>     channel audit_log {
>>         file "/var/named/bind/named.log";
>>         severity debug;
>>         print-time yes;
>>     };
>>     // snip
>>     category xfer-in  { audit_log; };
>>     category xfer-out { audit_log; };
>>     category notify   { audit_log; };
>>     category network  { audit_log; };
>>     category update   { audit_log; };
>>     // might want this to debug...
>>     //category queries { audit_log; };
>> };
>
> The point at which the 'unreachable' entry is cached is logged under category 'xfer-in' - although it doesn't actually tell you that it's caching it. Look for messages containing the text "failed to connect" or "could not refresh".
>
> Once the master is already in the unreachable cache, if the refresh code checks and finds it there, then there are several messages (different circumstances) that explain why a transfer isn't going to happen right then - and these ones all incorporate the text "unreachable (cached)".
>
> But yesterday, I dug further into the code that's reporting "deleted from unreachable cache" and I'm sorry that I have to report that there is a bug there - the code is matching the source of the notify correctly, but may also mistakenly include and report on older cache entries that are already deleted. We'll fix this. It's being tracked as bug ticket #30501.
>
> But if you have no evidence of ongoing problems (looking at what's logged in category xfer-in - per my suggestions above) then you can safely ignore these messages. There will have been an issue at some point in the past, but which is now cleared.
>
> Apologies.

I will try logging, but it's good to know that it might not be a big problem.

Thanks!

--
Peter Olsson
p...@leissner.se
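A small triage script for the xfer-in logging suggested above, added here as an example and not taken from the thread or from ISC. It reads named log lines written by a channel with print-time on, keys on exactly the substrings Cathy names ("failed to connect", "could not refresh", "unreachable (cached)", "deleted from unreachable cache"), and reports per master whether the most recent failure has since been cleared, which is the check she recommends before ignoring the noisy message. The sample log is constructed except for the line quoted from the KB preview; the exact wording of the constructed failure and skip messages, and the regexes, are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log line layout with print-time / print-category / print-severity on:
# "DD-Mon-YYYY HH:MM:SS.mmm category: level: message"  (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<cat>[\w-]+): (?P<lvl>\w+): (?P<msg>.*)$"
)
MASTER_RE = re.compile(r"(?:from|master) (?P<master>[0-9A-Fa-f.:]+#\d+)")
XFER_ZONE_RE = re.compile(r"transfer of '(?P<zone>[^']+)'")
ZONE_RE = re.compile(r"zone (?P<zone>[^\s:]+):")

# Substrings named in the thread.
FAILURE_MARKERS = ("failed to connect", "could not refresh")  # master goes into the cache
SKIPPED_MARKER = "unreachable (cached)"                       # refresh skipped, already cached
CLEARED_MARKER = "deleted from unreachable cache"             # entry removed (the noisy one)

# Constructed sample; only the 'general: info' line comes from the KB preview above.
SAMPLE_LOG = """\
02-Aug-2012 07:40:02.118 xfer-in: error: transfer of 'example.net/IN' from 192.0.2.4#53: failed to connect: connection refused
02-Aug-2012 07:40:02.119 xfer-in: info: zone example.org/IN: refresh: skipping zone transfer as master 192.0.2.4#53 (source 192.0.2.8#0) is unreachable (cached)
02-Aug-2012 07:45:31.004 xfer-in: error: transfer of 'example.com/IN' from 192.0.2.4#53: could not refresh: timed out
02-Aug-2012 07:58:20.601 general: info: master 192.0.2.4#53 (source 192.0.2.8#0) deleted from unreachable cache
02-Aug-2012 07:58:21.200 xfer-in: info: transfer of 'example.net/IN' from 192.0.2.4#53: Transfer completed: 1 messages, 12 records, 410 bytes, 0.021 secs (19523 bytes/sec)
02-Aug-2012 08:01:00.000 queries: info: client 192.0.2.50#4242: query: www.example.com IN A + (192.0.2.8)
"""


def parse_line(line):
    """Split one named log line into timestamp, category, level and message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "category": m["cat"],
        "level": m["lvl"],
        "msg": m["msg"],
    }


def classify(msg):
    """Map a message to 'failure', 'skipped', 'cleared', or None if unrelated."""
    if CLEARED_MARKER in msg:
        return "cleared"
    if SKIPPED_MARKER in msg:
        return "skipped"
    if any(marker in msg for marker in FAILURE_MARKERS):
        return "failure"
    return None


def triage(lines):
    """Per-master timestamps of failures, skipped refreshes and cache clears,
    plus the zones involved."""
    summary = defaultdict(
        lambda: {"failure": [], "skipped": [], "cleared": [], "zones": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["msg"])
        if kind is None:
            continue
        master = MASTER_RE.search(rec["msg"])
        if master is None:
            continue
        entry = summary[master["master"]]
        entry[kind].append(rec["ts"])
        zone = XFER_ZONE_RE.search(rec["msg"]) or ZONE_RE.search(rec["msg"])
        if zone:
            entry["zones"].add(zone["zone"])
    return dict(summary)


def unresolved_masters(summary):
    """Masters whose newest failure is more recent than their newest clear:
    these are the ones that still need attention."""
    out = []
    for master, e in summary.items():
        if not e["failure"]:
            continue
        last_fail = max(e["failure"])
        if not e["cleared"] or max(e["cleared"]) < last_fail:
            out.append(master)
    return sorted(out)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for master, e in report.items():
        print(master, {k: len(v) for k, v in e.items() if k != "zones"}, sorted(e["zones"]))
    print("still unresolved:", unresolved_masters(report))
```

In the sample the master failed twice, was skipped once, and was then cleared when its NOTIFY arrived, so `unresolved_masters` returns nothing, which is the "safe to ignore" case; a master with a failure and no later clear is reported.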
Re: What does deleted from unreachable cache mean?

On Thu, Aug 02, 2012 at 03:26:08PM +0100, Cathy Almond wrote:
> On 19/07/12 00:49, Peter Olsson wrote:
>> Hello!
>>
>> After my latest bind upgrade our slave server started occasionally writing these messages to the log:
>>
>> master 2a02:::::2#53 (source ::#0) deleted from unreachable cache
>> master 62.xxx.xxx.2#53 (source 0.0.0.0#0) deleted from unreachable cache
>>
>> DNS seems to work fine anyway, and all zonefiles in the slave seem to update like they should, so everything seems ok. But I would like to be certain that there is nothing to worry about, so I wonder what these messages mean. (I didn't find anything interesting in the list archives or in Google.)
>>
>> Both master and slave are FreeBSD, running port bind97-9.7.6.1.
>>
>> Thanks!
>
> There'll be a new KB FAQ published on this early next week (https://kb.isc.org/article/AA-00765). Preview is that it will say something like this:
>
> What does named log message "deleted from unreachable cache" mean?
>
> An example of the messages being logged is:
>
> 02-Aug-2012 07:58:20.601 general: info: master 192.0.2.4#53 (source 192.0.2.8#0) deleted from unreachable cache
>
> BIND maintains a cache of unreachable masters to which it refers when handling a zone refresh. If a zone refresh fails with a specific master (either during the query for the SOA or after querying and while attempting a subsequent zone transfer), then this master is cached as 'unreachable' for 10 minutes.
>
> As of versions 9.6-ESV-R6, 9.7.5, 9.8.2 and 9.9.0 onwards, the change below implements an earlier removal of a master server from the unreachable cache if a notify is received from it. Note that receipt of a notify (which is a UDP packet travelling from master to slave) doesn't guarantee that the master will be reachable from the slave, but it does ensure quicker recovery in the situation where a master was temporarily unavailable, for example for a reboot.
>
> This is the relevant info from the Release Notes:
>
> Master servers that had previously been marked as unreachable because of failed zone transfer attempts will now be removed from the unreachable list (i.e. considered reachable again) if the slave receives a NOTIFY message from them. [RT #25960]
>
> In the CHANGES file, it is described thus:
>
> 3204. [bug] When a master server that has been marked as unreachable sends a NOTIFY, mark it reachable again. [RT #25960]

Excellent information, thanks!

However, it is worrying that the master sometimes is unreachable. Is there some way I can make the slave server log, with timestamp, what zone it was trying to refresh when it failed?

Thanks!

--
Peter Olsson
p...@leissner.se
What does deleted from unreachable cache mean?

Hello!

After my latest bind upgrade our slave server started occasionally writing these messages to the log:

master 2a02:::::2#53 (source ::#0) deleted from unreachable cache
master 62.xxx.xxx.2#53 (source 0.0.0.0#0) deleted from unreachable cache

DNS seems to work fine anyway, and all zonefiles in the slave seem to update like they should, so everything seems ok. But I would like to be certain that there is nothing to worry about, so I wonder what these messages mean. (I didn't find anything interesting in the list archives or in Google.)

Both master and slave are FreeBSD, running port bind97-9.7.6.1.

Thanks!

--
Peter Olsson
p...@leissner.se
Re: TTL for name servers

2012/6/6 Mark Andrews ma...@isc.org:

>>> In message <CABUciRkVT6mBS0ZS3WL4tS7uTPgYNVBkOr890fsB9OoqP=c...@mail.gmail.com>, Alexander Gurvitz writes:
>>>> Hi.
>>>>
>>>> The TTL returned by YOUR zone's authoritative server will (at least should) be preferred by caches. Matt Larson from Verisign explained these: http://www.merit.edu/mail.archives/nanog/2004-07/msg00255.html
>>>>
>>>> Regards,
>>>> Alexander Gurvitz,
>>>> net-me.net
>>>
>>> The TTL of NS records is complicated, as the existence of the delegation is covered by the parent's NS records but the contents of the NS records come from the child zone. Named looks at both TTLs to determine when to remove the NS RRset.
>>
>> Mark, could you please describe the algorithm being used by BIND? Does it choose the NS rrset with the lowest TTL or something else?
>
> https://deepthought.isc.org/article/AA-00691/
>
> If you are wanting to work out when to decommission a nameserver, take the maximum of the two NS rrsets after they have both been updated as when it is safe to decommission.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742
> INTERNET: ma...@isc.org

--
AP
Re: TTL for name servers

Just to clarify, let's assume that you maintain zone example.be. Let's also say that in the .be zone the TTL for your NSes is 86400 and the TTL for the NSes in your zone is 345600. In such a scenario the latter will be cached by the resolver because it is the authoritative data. For some resolver implementations this behaviour can be overridden.

To replace a nameserver with a new one I would do the following:

1. set up the new server;
2. send updates to the parent zone;
3. wait for the TTL mentioned in my zone (for the example above - 345600);
4. shut down the old server(s).

2012/6/5 hugo hugoo hugo...@hotmail.com:

> Dear all,
>
> Can anyone clarify to me the use of the TTL for a NS record?
>
> Let's take the example of a .be domain. A TTL value is present on both locations.
>
> 1) In a dns.be server (for example x.dns.be): in my example here below, the value is 86400
> 2) In the name server itself: in my example here below, the value is 345600
>
> If we plan to change the name server to be used for a certain domain, do we have to change the TTL in the dns.be? Is this possible? Is this the value that all the cache servers use? If yes, what about the TTL value of the name server itself?
>
> Thanks in advance for any useful feedback,
>
> Hugo,
>
> Example:
>
> dig @localhost google.be NS +trace
>
> ; <<>> DiG 9.6-ESV-R4 <<>> @localhost google.be NS +trace
> ; (1 server found)
> ;; global options: +cmd
> . 502894 IN NS f.root-servers.net.
> . 502894 IN NS g.root-servers.net.
> . 502894 IN NS h.root-servers.net.
> . 502894 IN NS a.root-servers.net.
> . 502894 IN NS i.root-servers.net.
> . 502894 IN NS b.root-servers.net.
> . 502894 IN NS j.root-servers.net.
> . 502894 IN NS c.root-servers.net.
> . 502894 IN NS k.root-servers.net.
> . 502894 IN NS l.root-servers.net.
> . 502894 IN NS d.root-servers.net.
> . 502894 IN NS m.root-servers.net.
> . 502894 IN NS e.root-servers.net.
> ;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> be. 172800 IN NS m.ns.dns.be.
> be. 172800 IN NS x.dns.be.
> be. 172800 IN NS london.ns.dns.be.
> be. 172800 IN NS prague.ns.dns.be.
> be. 172800 IN NS brussels.ns.dns.be.
> be. 172800 IN NS amsterdam.ns.dns.be.
> ;; Received 307 bytes from 198.41.0.4#53(a.root-servers.net) in 27 ms
>
> google.be. 86400 IN NS ns2.google.com.
> google.be. 86400 IN NS ns1.google.com.
> google.be. 86400 IN NS ns4.google.com.
> google.be. 86400 IN NS ns3.google.com.
> ;; Received 109 bytes from 193.190.135.4#53(brussels.ns.dns.be) in 1 ms
>
> google.be. 345600 IN NS ns4.google.com.
> google.be. 345600 IN NS ns1.google.com.
> google.be. 345600 IN NS ns3.google.com.
> google.be. 345600 IN NS ns2.google.com.
> ;; Received 173 bytes from 216.239.36.10#53(ns3.google.com) in 18 ms

--
AP
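The parent-versus-child TTL question in this thread, worked through in code as an added example (not code from the thread or from ISC): it pulls the two NS RRsets for one zone out of dig +trace output, the first being the delegation the parent hands out and the last the child's authoritative answer, and then applies Mark Andrews' rule for a safe decommission wait, the larger of the two TTLs once both RRsets have been updated. It also flags a parent/child nameserver-set mismatch, which is the usual way a decommissioned server lingers. The first trace is Hugo's output from above, abbreviated to the relevant sections; the mismatched trace is constructed.

```python
import re

# One NS record as dig prints it: "<owner> <ttl> IN NS <target>"
NS_RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)$")
# Section terminator in +trace output: names the server the records above came from
RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (?P<server>\S+)")

# Hugo's dig +trace output from the thread, abbreviated (the .be section is cut
# to two records; the two google.be sections are complete).
TRACE = """\
be. 172800 IN NS m.ns.dns.be.
be. 172800 IN NS x.dns.be.
;; Received 307 bytes from 198.41.0.4#53(a.root-servers.net) in 27 ms
google.be. 86400 IN NS ns2.google.com.
google.be. 86400 IN NS ns1.google.com.
google.be. 86400 IN NS ns4.google.com.
google.be. 86400 IN NS ns3.google.com.
;; Received 109 bytes from 193.190.135.4#53(brussels.ns.dns.be) in 1 ms
google.be. 345600 IN NS ns4.google.com.
google.be. 345600 IN NS ns1.google.com.
google.be. 345600 IN NS ns3.google.com.
google.be. 345600 IN NS ns2.google.com.
;; Received 173 bytes from 216.239.36.10#53(ns3.google.com) in 18 ms
"""

# Constructed: parent still lists a retired server, child already lists its replacement.
MISMATCHED_TRACE = """\
example.be. 86400 IN NS ns1.example.net.
example.be. 86400 IN NS old.example.net.
;; Received 100 bytes from 192.0.2.1#53(x.dns.be) in 5 ms
example.be. 3600 IN NS ns1.example.net.
example.be. 3600 IN NS ns2.example.net.
;; Received 100 bytes from 198.51.100.2#53(ns1.example.net) in 9 ms
"""


def ns_rrsets(trace_output, zone):
    """NS RRsets for `zone` in the order dig +trace received them, as
    (server, ttl, frozenset(targets)). First entry: the parent's delegation;
    last entry: the child's own answer."""
    zone = zone.lower().rstrip(".") + "."
    rrsets, pending = [], {}
    for raw in trace_output.splitlines():
        line = raw.strip()
        rr = NS_RR_RE.match(line)
        if rr and rr["owner"].lower() == zone:
            pending.setdefault(int(rr["ttl"]), set()).add(rr["target"].lower())
            continue
        end = RECEIVED_RE.match(line)
        if end:
            for ttl, targets in pending.items():
                rrsets.append((end["server"], ttl, frozenset(targets)))
            pending = {}
    return rrsets


def decommission_wait(rrsets):
    """Seconds an old server must keep answering after BOTH the parent and the
    child NS RRsets have been updated: the larger of the two TTLs, because a
    cache may be holding either copy (Mark Andrews' rule in the thread)."""
    if len(rrsets) < 2:
        raise ValueError("need the parent's delegation and the child's NS RRset")
    parent_ttl, child_ttl = rrsets[0][1], rrsets[-1][1]
    return max(parent_ttl, child_ttl)


def delegation_mismatch(rrsets):
    """Nameservers present in only one of the two RRsets; non-empty means the
    parent and child disagree about who serves the zone."""
    return set(rrsets[0][2]) ^ set(rrsets[-1][2])


if __name__ == "__main__":
    for name, trace in (("google.be", TRACE), ("example.be", MISMATCHED_TRACE)):
        rrs = ns_rrsets(trace, name)
        print(name, "TTLs:", [ttl for _, ttl, _ in rrs],
              "wait:", decommission_wait(rrs), "s",
              "mismatch:", sorted(delegation_mismatch(rrs)))
```

For google.be the wait is 345600 seconds (four days), the child TTL, exactly the figure AP gives in step 3 above; the rule also covers the opposite case where the parent's TTL is the longer one.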
Re: Can I build a new DNS/BIND system parallel to our existing DNS production system?

Hello, Samad,

Another way to estimate your query rate is using the system's UDP counters. Not as precise as query logging, but it doesn't cause a performance drop in case of high query rates and is accurate enough for estimation.

2012/5/4 Samad Agha samad.agha2...@gmail.com:

> Thanks Daniel, I really appreciate your help.
>
> SA
>
> On Thu, May 3, 2012 at 1:34 PM, Daniel Deighton ddeighton-...@aplura.com wrote:
>
>> On 05/03/2012 02:44 PM, Samad Agha wrote:
>>
>>> Thanks for your help Eivind.
>>>
>>>> Depends, how long is a piece of string? I don't know what amount of traffic you're currently seeing, or what your uptime requirements are.
>>>
>>> - Are there tools to find out about the current amount of traffic?
>>> - Our uptime requirements are basically from 6am to 6pm during the city's business hours.
>>>
>>>> Estimate what amount of traffic you're seeing during prime time. How many queries per second?
>>>
>>> - Again, how do I find out?
>>
>> It is fairly easy to find out your query load using BIND. You will just need to enable query logging (if it isn't already enabled) and use the data to calculate your queries per second from the data. Getting the information from your Windows DNS servers is not as easy. You will likely need to put your Windows DNS servers into debug mode to get any sort of query logging and the output isn't exactly pretty. You could also get the data by taking packet captures and/or using a tool such as dnssnarf, dnsdump or some other tool that another list member might recommend.
>>
>>>> I'd normally not recommend running BIND on slower multi-threaded Sun/Oracle servers like the T-series, you'll normally be better off with fewer threads but higher clock speeds from typical Intel/AMD systems. (caveat: I haven't bench-marked BIND 9.9.x, which might have improved this).
>>>
>>> - Currently I have two Dell PowerEdge 2950 servers with two Intel Xeon 3.0GHz CPUs and 4GB RAM each, running RHEL 5.8 OS
>>>
>>> Thanks again,
>>> SA

--
AP
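Both ways of estimating query load from this thread, Daniel's (query logging) and AP's (the host's UDP counters), in one added example that is not code from the thread. The first function buckets BIND query-log lines per second and reports total, average and peak QPS plus the busiest clients; the second takes two snapshots of the `Udp:` lines from Linux `/proc/net/snmp` and divides the InDatagrams delta by the interval. The query-log lines and the counter snapshots are constructed; the query-log line layout and the `/proc/net/snmp` column order are assumed to match what those versions print.

```python
import re
from collections import Counter
from datetime import datetime

TS_FMT = "%d-%b-%Y %H:%M:%S"
# BIND 9 query log line as written by "category queries" with print-time on (assumed layout):
# "DD-Mon-YYYY HH:MM:SS.mmm queries: info: client IP#port: query: NAME IN TYPE flags (server-ip)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} queries: info: "
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: six queries over four seconds plus one unrelated line.
SAMPLE_QUERY_LOG = """\
03-May-2012 14:44:01.101 queries: info: client 10.0.0.11#40123: query: www.example.com IN A + (10.0.0.1)
03-May-2012 14:44:01.233 queries: info: client 10.0.0.12#51002: query: mail.example.com IN MX + (10.0.0.1)
03-May-2012 14:44:01.734 queries: info: client 10.0.0.11#40124: query: www.example.com IN AAAA + (10.0.0.1)
03-May-2012 14:44:02.010 queries: info: client 10.0.0.13#33871: query: example.org IN A + (10.0.0.1)
03-May-2012 14:44:04.500 queries: info: client 10.0.0.11#40125: query: ntp.example.com IN A + (10.0.0.1)
03-May-2012 14:44:04.912 queries: info: client 10.0.0.14#60001: query: 1.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)
03-May-2012 14:44:04.913 general: info: zone example.com/IN: loaded serial 2012050301
"""

# Constructed /proc/net/snmp "Udp:" lines, taken 60 seconds apart.
SNMP_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 1500000 12 0 1498800 0 0 0
"""
SNMP_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 1509000 12 0 1507700 0 0 0
"""


def query_log_stats(lines):
    """Bucket queries per second; return totals, average/peak QPS, top talkers, qtypes."""
    per_second, per_client, per_qtype = Counter(), Counter(), Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m is None:
            continue
        per_second[datetime.strptime(m["ts"], TS_FMT)] += 1
        per_client[m["client"]] += 1
        per_qtype[m["qtype"]] += 1
    if not per_second:
        return {"total": 0, "span_seconds": 0, "average_qps": 0.0,
                "peak_qps": 0, "peak_second": None, "top_clients": [], "qtypes": {}}
    first, last = min(per_second), max(per_second)
    span = int((last - first).total_seconds()) + 1   # inclusive of both end seconds
    total = sum(per_second.values())
    peak_second, peak = per_second.most_common(1)[0]
    return {
        "total": total,
        "span_seconds": span,
        "average_qps": total / span,
        "peak_qps": peak,
        "peak_second": peak_second.strftime(TS_FMT),
        "top_clients": per_client.most_common(3),
        "qtypes": dict(per_qtype),
    }


def udp_counters(snmp_text):
    """Parse the two 'Udp:' lines of /proc/net/snmp into {counter: value}."""
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Udp:")]
    return dict(zip(rows[0], map(int, rows[1])))


def qps_from_udp_counters(before, after, interval_seconds):
    """Rough QPS from the InDatagrams delta. Counts every UDP datagram the host
    received, not only port 53, which is why this is only an estimate."""
    a, b = udp_counters(before), udp_counters(after)
    delta = b["InDatagrams"] - a["InDatagrams"]
    if delta < 0:
        raise ValueError("counter went backwards: wrap or reboot between snapshots")
    return delta / interval_seconds


if __name__ == "__main__":
    print(query_log_stats(SAMPLE_QUERY_LOG.splitlines()))
    print("udp estimate:", qps_from_udp_counters(SNMP_BEFORE, SNMP_AFTER, 60), "qps")
```

A jump in RcvbufErrors between the two snapshots would mean the kernel dropped datagrams before named saw them, which query logging alone would never show.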
Re: Bind doesn't make zone delegation.

Hi,

First of all, nslookup isn't a good tool for debugging DNS problems. Use dig instead.

Could you show the output of

dig @freebsdbox sokol.msk.united-networks.ru. NS +norec

run from the freebsd box itself?

2012/4/19 Ellad G. Yatsko eyat...@ngs.ru:

> Hello!
>
> I have FreeBSD 7.2 x64 installed. And Bind 9.4:
>
> /etc/namedb# named -v
> BIND 9.4.3-P2
>
> I have zone united-networks.ru and I try to do the following:
>
> ...
> $ORIGIN sokol.msk.united-networks.ru.
> @       IN NS srvgate
> srvgate IN A  172.31.16.16
> $ORIGIN united-networks.ru.
> ...
>
> As I understand, I delegated the SOA (IN NS) to the server with name srvgate.sokol.msk.united-networks.ru (srvgate has no trailing dot, so the domain sokol.msk.united-networks.ru from the $ORIGIN operator will be appended), then I placed a glue record with srvgate.sokol.msk's address. This is because, as I understood, the nameserver of the delegated zone is inside it. From here I thought the server 172.31.16.16 (it's Ubuntu) must receive DNS requests related to zone sokol.msk.united-networks.ru. For example if I try to do nslookup sokol.msk.united-networks.ru on FreeBSD 7.2 x64. But:
>
> /etc/bind# hostname -f
> srvgate.sokol.msk.united-networks.ru
> /etc/bind# tshark -ta -ni tun0 -R dns
> Running as user "root" and group "root". This could be dangerous.
> Capturing on tun0
>
> ...there is nothing! And FreeBSD issues NXDOMAIN. I say more - FreeBSD tries to resolve the name sokol.msk.united-networks.ru through its forwarder in the external world!
>
> Where am I wrong?
>
> I simulated this situation with the same configurations on Ubuntu (Bind 9.7.0-P1) and fresh-installed FreeBSD 9.0 x64 (Bind 9.8.1-P1). All works fine!
>
> -- related portion of named.conf --
>
> options {
>         directory "/etc/namedb";
>         pid-file "/var/run/named/pid";
>         dump-file "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>         listen-on { 127.0.0.1; 172.16.0.1; 172.16.1.1; 172.16.2.1; 172.31.0.1; };
>         forwarders { 89.222.167.2; 8.8.8.8; };
>         recursion yes;
>         allow-recursion { 0/0; };
> };
> ...
> view "internal" {
>         match-clients { 127.0.0.0/8; 172.16.0.0/12; };
>         ...
>         zone "united-networks.ru" {
>                 type master;
>                 file "master/forward/united-networks.ru.internal";
>                 allow-transfer { 172.16.0.2; 172.16.16.2; 172.31.16.16; 172.31.17.0; 172.31.18.0; };
>         };
>         ...
> };
> ...
> ---
>
> Kind regards,
> Ellad

--
AP
Re: Bind doesn't make zone delegation.

2012/4/19 Ellad G. Yatsko eyat...@ngs.ru:

> Hello!
>
> Here is the output:
>
> /etc/namedb# dig @172.16.0.1 sokol.msk.united-networks.ru. NS +norec
>
> ; <<>> DiG 9.4.3-P2 <<>> @172.16.0.1 sokol.msk.united-networks.ru. NS +norec
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14255
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;sokol.msk.united-networks.ru. IN NS
>
> ;; AUTHORITY SECTION:
> sokol.msk.united-networks.ru. 3600 IN NS srvgate.sokol.msk.united-networks.ru.
>
> ;; ADDITIONAL SECTION:
> srvgate.sokol.msk.united-networks.ru. 3359 IN A 172.31.16.16
> srvgate.sokol.msk.united-networks.ru. 3359 IN A 172.16.16.1
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.0.1#53(172.16.0.1)
> ;; WHEN: Thu Apr 19 14:08:55 2012
> ;; MSG SIZE rcvd: 100

Looks good to me.

> I noticed that after some time FreeBSD still tried to ask for sokol.msk.united-networks.ru from Ubuntu (srvgate.sokol.msk). It happened 2-3 minutes after named was restarted on FreeBSD. But now FreeBSD doesn't ask for hosts in this zone. All that I was doing during this time period - I restarted the freevrrp daemon on the FreeBSD machine. Could it be related to the issue?

Is FreeBSD a master for sokol.msk.united-networks.ru? It looks like it is trying to send notifies.

> Something very strange.. Another FreeBSD (9.0) works fine in the same (or much alike) conditions...
>
> Kind regards,
> Ellad
>
>> Hi,
>>
>> First of all, nslookup isn't a good tool for debugging DNS problems. Use dig instead.
>>
>> Could you show the output of dig @freebsdbox sokol.msk.united-networks.ru. NS +norec run from the freebsd box itself?

--
AP
Re: Bind doesn't make zone delegation.

2012/4/19 Ellad G. Yatsko eyat...@ngs.ru:

> Nope. FreeBSD is not the master for sokol.msk.united-networks.ru. It delegates zone sokol.msk only. Not more. Master for sokol.msk.united-networks.ru is srvgate.sokol.msk.united-networks.ru (Ubuntu server).
>
> Indeed, now when I try nslookup sokol.msk.united-networks.ru - it returns me its IP. FreeBSD asks Ubuntu for the zone information. Ubuntu answers. But when I try to resolve what is ap-1131.sokol.msk.united-networks.ru, FreeBSD is silent as before. It does not ask Ubuntu. It does not return any IP: NXDOMAIN.
>
> Kind regards,
> Ellad

Is zone united-networks.ru listed in the external view? If so, has it records for sokol.msk.united-networks.ru? Is the option "recursion yes" global or view-specific? Could you provide configuration details for recursion and forwarding?

--
AP
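The delegation mechanics Ellad describes in this thread ($ORIGIN handling, the trailing-dot rule, the glue record, and what a server authoritative for the parent should do with a name under the cut), as an added example that is not code from the thread or from BIND. The parser handles only the master-file subset the snippet uses (one record per line with an explicit owner, optional TTL and class, `$ORIGIN`); `check_delegations` reports in-bailiwick NS targets that lack glue, and `classify_query` shows that a query for ap-1131.sokol.msk.united-networks.ru must be answered with a referral to srvgate rather than NXDOMAIN. The first snippet is Ellad's; the second is constructed to show a missing-glue case.

```python
from collections import defaultdict

# Ellad's snippet from the thread (the surrounding "..." lines dropped).
ZONE_SNIPPET = """\
$ORIGIN sokol.msk.united-networks.ru.
@       IN NS srvgate
srvgate IN A  172.31.16.16
$ORIGIN united-networks.ru.
"""

# Constructed: a delegation whose in-zone nameserver has no glue address.
NO_GLUE_SNIPPET = """\
$ORIGIN united-networks.ru.
@         IN NS ns.united-networks.ru.
sokol.msk IN NS ns1.sokol.msk
"""


def qualify(name, origin):
    """Master-file name rules: '@' is the origin, a name ending in '.' is
    absolute, anything else gets the current origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin).lower()


def parse_zone_snippet(text, default_origin):
    """Parse '$ORIGIN' lines and 'owner [ttl] [class] type rdata' records
    (owner required on every line). Returns (owner, type, rdata) triples with
    fully qualified owner names and NS/CNAME/PTR targets."""
    origin = default_origin.lower()
    if not origin.endswith("."):
        raise ValueError("default origin must be absolute")
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            if not origin.endswith("."):
                raise ValueError("$ORIGIN must be an absolute name")
            continue
        fields = line.split()
        owner, rest = qualify(fields[0], origin), fields[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def is_subdomain(name, parent):
    return name == parent or name.endswith("." + parent)


def check_delegations(records, apex):
    """For each delegation below the apex, list NS targets that live inside
    the delegated zone and therefore need A/AAAA glue in the parent."""
    apex = apex.lower()
    addresses = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    missing = defaultdict(list)
    for owner, rtype, target in records:
        if rtype != "NS" or owner == apex:
            continue
        missing.setdefault(owner, [])
        if is_subdomain(target, owner) and target not in addresses:
            missing[owner].append(target)
    return dict(missing)


def classify_query(records, apex, qname):
    """What a server authoritative for `apex` does with qname: refer to the
    closest enclosing delegation, answer from its own data, or say NXDOMAIN."""
    apex, qname = apex.lower(), qname.lower().rstrip(".") + "."
    cuts = sorted({o for o, t, _ in records if t == "NS" and o != apex}, key=len, reverse=True)
    for cut in cuts:
        if is_subdomain(qname, cut):
            ns = sorted(r for o, t, r in records if o == cut and t == "NS")
            return ("referral", cut, ns)
    at_name = sorted((t, r) for o, t, r in records if o == qname)
    if at_name:
        return ("answer", qname, at_name)
    return ("nxdomain", qname, [])


if __name__ == "__main__":
    apex = "united-networks.ru."
    recs = parse_zone_snippet(ZONE_SNIPPET, apex)
    print(recs)
    print(check_delegations(recs, apex))
    print(classify_query(recs, apex, "ap-1131.sokol.msk.united-networks.ru"))
    print(check_delegations(parse_zone_snippet(NO_GLUE_SNIPPET, apex), apex))
```

Note what `qualify("srvgate.", ...)` returns: with the trailing dot the target would have been the top-level name `srvgate.`, which is the mistake Ellad correctly avoided.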
Re: slave not updating or creating old zone files

2012/3/29 RYAN M. vAN GINNEKEN r...@computerking.ca:

> Hello all, I have what is to me a very strange bind 9 master slave transfer issue. When I update a zone file on the master the file updates correctly, the notifies are sent and everything seems to work perfectly except it transfers 0 bytes to the slave. Checking the slave confirms that indeed there was no transfer and that the slave is still serving the old zone. I have gone as far as to completely delete the zone files from the slave and restart bind; to my surprise it puts back all the old files. What is going on? Below is an example of one of the files that is not updating correctly; there are many, and some of the files I have updated more recently are not even showing up in the logs of the server.
>
> On the server, Ubuntu 8.04 LTS running BIND 9.4.2-P2.1 chrooted:
>
> 29-Mar-2012 06:03:39.461 general: info: zone jodygamracy.com/IN/external: loaded serial 2012031501
> 29-Mar-2012 06:03:39.614 notify: info: zone jodygamracy.com/IN/external: sending notifies (serial 2012031501)
> 29-Mar-2012 06:03:41.761 xfer-out: info: client 96.51.192.233#33074: view external: transfer of 'jodygamracy.com/IN': IXFR ended
>
> On the slave, Ubuntu 10.04 LTS BIND 9.7.0-P1:
>
> 29-Mar-2012 00:03:41.666 general: info: zone jodygamracy.com/IN/external: Transfer started.
> 29-Mar-2012 00:03:41.706 xfer-in: info: transfer of 'jodygamracy.com/IN/external' from 204.244.122.132#53: connected using 96.51.192.233#33074
> 29-Mar-2012 00:03:41.782 xfer-in: info: transfer of 'jodygamracy.com/IN/external' from 204.244.122.132#53: Transfer completed: 0 messages, 1 records, 0 bytes, 0.076 secs (0 bytes/sec)
>
> As a side note, I have both machines firewalled, but have port 53 open on both machines, and have ports set using these lines in the named.conf file:
>
> query-source address * port 53;
> transfer-source * port 53;
> notify-source * port 53;
>
> and see this in the daemon logs:
>
> /etc/named.conf:9: using specific query-source port suppresses port randomization and can be insecure.
>
> Computer King - CaN-Mail - Surveillance King
> http://computerking.ca http://canmail.org http://surveillanceking.net
> Surveillance - Sales - Service - Hosting - Backup
> Internet Based Surveillance Systems - Custom Service Packages
> Secure IMAP Email - Automated Remote Backups - Photo Blogs - Online ERP and Accounting Packages

Enlarge your serial!

--
AP
Re: slave not updating or creating old zone files

2012/3/29 Peter Andreev andreev.pe...@gmail.com:

> 2012/3/29 RYAN M. vAN GINNEKEN r...@computerking.ca:
>
>> Hello all, I have what is to me a very strange bind 9 master slave transfer issue. When I update a zone file on the master the file updates correctly, the notifies are sent and everything seems to work perfectly except it transfers 0 bytes to the slave. Checking the slave confirms that indeed there was no transfer and that the slave is still serving the old zone. I have gone as far as to completely delete the zone files from the slave and restart bind; to my surprise it puts back all the old files. What is going on?
>
> Enlarge your serial!
>
> --
> AP

Sorry for the previous message, I suggest you update BIND.

--
AP
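AP's one-line diagnosis ("Enlarge your serial!") and the symptom in Ryan's logs, worked through as an added example that is not code from the thread or from BIND. The master loaded serial 2012031501 and the slave's IXFR "completed" with 1 record and 0 bytes: the only record moved was the SOA, because the slave already held that serial and the master had nothing newer to send. The functions below implement RFC 1982 serial comparison (with the 32-bit wrap), the slave's decision rule, a helper that refuses to emit a non-increasing serial, and two log matchers keyed on the message shapes quoted above. The log lines are Ryan's from the thread; the one "healthy" transfer line is constructed.

```python
import re

MOD = 1 << 32
HALF = 1 << 31

# Ryan's log lines from the thread.
MASTER_LOG = """\
29-Mar-2012 06:03:39.461 general: info: zone jodygamracy.com/IN/external: loaded serial 2012031501
29-Mar-2012 06:03:39.614 notify: info: zone jodygamracy.com/IN/external: sending notifies (serial 2012031501)
29-Mar-2012 06:03:41.761 xfer-out: info: client 96.51.192.233#33074: view external: transfer of 'jodygamracy.com/IN': IXFR ended
"""
SLAVE_LOG = """\
29-Mar-2012 00:03:41.666 general: info: zone jodygamracy.com/IN/external: Transfer started.
29-Mar-2012 00:03:41.706 xfer-in: info: transfer of 'jodygamracy.com/IN/external' from 204.244.122.132#53: connected using 96.51.192.233#33074
29-Mar-2012 00:03:41.782 xfer-in: info: transfer of 'jodygamracy.com/IN/external' from 204.244.122.132#53: Transfer completed: 0 messages, 1 records, 0 bytes, 0.076 secs (0 bytes/sec)
29-Mar-2012 00:09:12.001 xfer-in: info: transfer of 'other.example/IN' from 204.244.122.132#53: Transfer completed: 1 messages, 14 records, 512 bytes, 0.050 secs (10240 bytes/sec)
"""


def serial_gt(a, b):
    """RFC 1982 'greater than' for 32-bit zone serials; wraps correctly at 2**32."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slave_will_transfer(master_serial, slave_serial):
    """A slave only pulls the zone when the master's SOA serial is
    RFC 1982-greater than the one it already holds."""
    return serial_gt(master_serial, slave_serial)


def bump_serial(current, proposed):
    """Return `proposed` if it is an increase over `current`, otherwise
    current+1, so an edit that forgot to touch a date-based serial still
    propagates instead of silently staying on the master."""
    return proposed % MOD if serial_gt(proposed, current) else (current + 1) % MOD


LOADED_RE = re.compile(r"zone (?P<zone>\S+): loaded serial (?P<serial>\d+)")
XFER_DONE_RE = re.compile(
    r"transfer of '(?P<zone>[^']+)' from \S+: Transfer completed: "
    r"(?P<msgs>\d+) messages, (?P<recs>\d+) records, (?P<bytes>\d+) bytes"
)


def loaded_serials(lines):
    """{zone: serial} from 'loaded serial' messages on the master."""
    return {m["zone"]: int(m["serial"]) for m in map(LOADED_RE.search, lines) if m}


def empty_transfers(lines):
    """Zones whose 'Transfer completed' carried at most one record: an IXFR
    holding nothing but the SOA, i.e. the slave already had that serial."""
    return [m["zone"].strip() for m in map(XFER_DONE_RE.search, lines)
            if m and int(m["recs"]) <= 1]


if __name__ == "__main__":
    print("master serials:", loaded_serials(MASTER_LOG.splitlines()))
    print("empty transfers on slave:", empty_transfers(SLAVE_LOG.splitlines()))
    print("same serial transfers?", slave_will_transfer(2012031501, 2012031501))
    print("next usable serial:", bump_serial(2012031501, 2012031501))
```

Deleting the slave's zone files, as Ryan did, does not help: the slave re-fetches the zone at the master's current serial, which is still the old content.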
Re: reverse dns for IPV6 ranges

2012/3/20 michoski micho...@cisco.com:

> On 3/19/12 11:58 AM, Peter Andreev andreev.pe...@gmail.com wrote:
>
>> 2012/3/19 hugo hugoo hugo...@hotmail.com:
>>
>>> Jay,
>>>
>>> - Can you give me an example of such a configuration?
>>>
>>> Has anyone else some examples of IPV6 reverse configuration used in a production environment?
>>>
>>> Thanks for sharing your experience...
>>
>> We use IPv6 in a production environment. It was a real headache to fill reverse ip6.arpa zones by hand until I learned about the arpaname utility. Since then maintaining reverse IPv6 zones is just a piece of cake.
>
> Hmm... Yes, well I can see this as useful (though not much more than a few lines of any programming language?) if you intend to maintain generic placeholders...but not if you want RFC-compliant matching A/PTR. Granted, you should not drop mail in such cases, but many do. I guess tools and best practices take time to catch up to technological leaps. ;-)
>
> Or do you actually create A's matching your generic PTR and heavily rely on CNAMEs? Of course that simply won't do for some standard RR types.
>
> As much as I dislike djb in general, the way tinydns auto-creates matching PTR (and also provides a mechanism to disable as needed) for each A RR kinda makes sense. Granted, it doesn't do IPv6 at all without 3rd-party hacks...but they do at least exist.
>
> --
> All his life he has looked away... to the horizon, to the sky, to the future. Never his mind on where he was, on what he was doing. -- Yoda

Sorry for my stupidity, but I didn't catch your idea. We have a finite amount of hardware. Due to geographic distribution, security issues, lots of different prefixes in use, etc. we don't use DHCP and assign addresses by hand. So we do with PTRs. Of course I would go crazy if I filled a full v6 reverse zone, so I write only those PTRs which are needed. If we assign IP blocks to clients, usually we simply delegate them the corresponding reverse zone.

--
AP
Re: reverse dns for IPV6 ranges
2012/3/19 hugo hugoo <hugo...@hotmail.com>:
> Jay,
> - Can you give me an example of such configuration?
> Has anyone else some examples of IPV6 reverse configuration used in production environment?
> Thanks for sharing your experience...

Hugo,

We use IPv6 in production environment. It was a real headache to fill reverse ip6.arpa zones by hand until I have learned about arpaname utility. Since then maintaining reverse IPv6 zones is just a piece of cake.

> Date: Mon, 12 Mar 2012 16:28:53 -0500
> From: jay-f...@uiowa.edu
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
>
> On Mon, 12 Mar 2012, hugo hugoo wrote:
>> Has anyone else experience with reverse IPV6 configuration with Bind?
>
> We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa zones, to create address-name mappings matching the name-address mappings created by the A records.
>
> I fairly recently started fiddling with wildcard PTR records for DHCPv6 address pools, to at least return some answer for a query about the addresses. Right now I have it configured so that a query for any address in any of the pools returns the same name, but it could be changed to return different names for different pools. This obviously doesn't create symmetric name-address / address-name mapping, which might or might not be a problem. I don't have enough real use of this to know whether this wildcard stuff is helpful or not.
>
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951

-- AP
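Both of Peter's messages in this thread rely on the arpaname utility for building ip6.arpa names. As an added example, not code from the thread or from BIND, this Python performs the same nibble reversal and emits only the PTR records needed for a hand-maintained inventory inside one nibble-aligned prefix; the hostnames, addresses and prefix are constructed placeholders.

```python
import ipaddress

# Constructed inventory for the demonstration: hostname -> IPv6 address.
# Names and addresses are placeholders (2001:db8::/32 is the documentation prefix).
HOSTS = {
    "ns1.example.net.": "2001:db8:10::53",
    "www.example.net.": "2001:db8:10:1::80",
    "mail.example.net.": "2001:db8:10:2::25",
    "other.example.org.": "2001:db8:99::1",   # outside the zone below, must be skipped
}


def ip6_arpa_name(addr: str) -> str:
    """Full ip6.arpa owner name for one address: 32 hex nibbles, reversed,
    one label each (the transformation the arpaname utility performs)."""
    nibbles = f"{int(ipaddress.IPv6Address(addr)):032x}"
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(prefix: str) -> str:
    """ip6.arpa zone apex for a nibble-aligned prefix such as 2001:db8:10::/48."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones cut on nibble boundaries; "
                         "prefix length must be a multiple of 4")
    nibbles = f"{int(net.network_address):032x}"[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_records(hosts: dict, prefix: str):
    """Return (zone_apex, [(owner_relative_to_apex, target), ...]) for the hosts
    that fall inside `prefix`, sorted by address; hosts outside it are skipped."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    zone = reverse_zone_name(prefix)
    host_labels = 32 - net.prefixlen // 4      # nibble labels below the apex
    records = []
    for name, addr in sorted(hosts.items(),
                             key=lambda kv: int(ipaddress.IPv6Address(kv[1]))):
        if not name.endswith("."):
            raise ValueError(f"PTR target {name!r} must be fully qualified")
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            continue
        owner = ".".join(ip6_arpa_name(addr).split(".")[:host_labels])
        records.append((owner, name))
    return zone, records


def render_zone(hosts: dict, prefix: str, ttl: int = 3600) -> str:
    """Zone-file text containing only the PTRs that are actually needed."""
    zone, records = ptr_records(hosts, prefix)
    lines = [f"$ORIGIN {zone}", f"$TTL {ttl}"]
    lines += [f"{owner} IN PTR {target}" for owner, target in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_zone(HOSTS, "2001:db8:10::/48"))
```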
Re: Detailed Log Analysis based on rndc stats!!
Sorry, Shiva, I have confused you. Mark is absolutely right and I was wrong. Another way is to capture responses with tcpdump or dnscap.

2012/1/30 Mark Andrews <ma...@isc.org>:
> In message <canbtt6nxwb4fqygev4x8_jl+m5ho7wfenirxzg3pgvc-kzc...@mail.gmail.com>, Shiva Raman writes:
>> Hi Peter
>>
>> Thanks a lot for your reply. I had enabled query-errors with debug level 2 in my bind logging, now I am able to log all SERVFAIL related error logs in query-errors.log. But I am unable to log the NXDOMAIN error logs.
>
> NXDOMAIN is not an error. It is a *normal* response code in a well running system. Asking to log NXDOMAIN is like asking to log every positive answer.
>
>> Referring to Bind documentation, I enabled the delegation-only option (which logs queries that have returned NXDOMAIN as the result of a delegation-only zone or a delegation-only statement in a hint or stub zone declaration), but this is also not logging the NXDOMAIN errors. Kindly guide me whether any additional parameters need to be enabled in query-errors to log NXDOMAIN also.
>
> delegation-only does *not* log normal NXDOMAIN responses. It logs answers that are *forced* to NXDOMAIN.
>
>> Regards
>> Shiva Raman
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

-- AP
Re: Defense against a client?
2012/1/16 Tom Schmitt <tomschm...@gmx.de>:
> Hi,
>
> I have a problem with the load on my Bind. Normally it's fine, but from time to time there are clients which cause, through a misconfiguration or a failed local service (not intentionally), a very high amount of queries. After finding and informing the responsible person this problem is mostly solved in short time.
>
> One of these cases my DNS server can handle, but sometimes there is more than one of these cases at the same time and I have a load problem which causes problems for all clients of my DNS servers.
>
> My question: Is there any possibility in Bind to give a quota to a client? e.g. that from a given IP no more than a hundred queries per second are allowed and the rest is to be blackholed. That way only the client causing the load would have a problem but not all other clients.
>
> Is there such a possibility? I found nothing in the documentation. Or are there other ways to achieve this? How do you guys do this?

As far as I know there is no way to limit query-rate in BIND. I suppose a firewall should cope with the problem much better.

> Tom.

-- AP
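Tom asks how to find and quota a client sending more than a hundred queries per second, and Peter points to the firewall. As an added example, not from the thread, the Python below parses BIND query-log lines and reports each client's peak queries per second above a threshold, the list a firewall rule or a call to the responsible person would start from; the log line format is assumed from the "queries" logging category and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed shape of a BIND "queries" category log line (it varies a little between
# versions; adjust LOG_RE for yours):
#   16-Jan-2012 10:00:00.001 client 192.0.2.10#51234: query: example.com IN A + (198.51.100.1)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line: str):
    """Fields of one query-log line, or None for lines from other categories."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def peak_qps_per_client(lines):
    """{client_ip: highest number of queries seen from it within one second}."""
    per_second = defaultdict(Counter)          # timestamp (1 s resolution) -> Counter(ip)
    for line in lines:
        rec = parse_query_line(line)
        if rec is not None:
            per_second[rec["ts"]][rec["ip"]] += 1
    peak = Counter()
    for counts in per_second.values():
        for ip, n in counts.items():
            peak[ip] = max(peak[ip], n)
    return dict(peak)


def offenders(lines, limit: int = 100):
    """Clients whose peak rate exceeds `limit` queries per second."""
    return {ip: n for ip, n in peak_qps_per_client(lines).items() if n > limit}


def top_names(lines, ip: str, n: int = 3):
    """Most frequent (qname, qtype) pairs for one client: the first thing to
    show the responsible person when reporting a misbehaving host."""
    c = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec is not None and rec["ip"] == ip:
            c[(rec["qname"], rec["qtype"])] += 1
    return c.most_common(n)


def sample_log():
    """Constructed sample: one broken client repeating the same query 150 times in
    one second (then 30 in the next), one normal client, one unrelated log line."""
    lines = []
    for i in range(150):
        lines.append(f"16-Jan-2012 10:00:00.{i:03d} client 192.0.2.10#{40000 + i}: "
                     f"query: example.com IN A + (198.51.100.1)")
    for i in range(5):
        lines.append(f"16-Jan-2012 10:00:00.{i * 100:03d} client 192.0.2.20#{50000 + i}: "
                     f"query: www.example.org IN AAAA + (198.51.100.1)")
    for i in range(30):
        lines.append(f"16-Jan-2012 10:00:01.{i:03d} client 192.0.2.10#{41000 + i}: "
                     f"query: example.com IN A + (198.51.100.1)")
    lines.append("16-Jan-2012 10:00:01.500 general: info: zone example.com/IN: "
                 "loaded serial 2012011601")
    return lines


if __name__ == "__main__":
    log = sample_log()
    for ip, n in offenders(log).items():
        print(f"{ip}: peak {n} q/s, top queries {top_names(log, ip)}")
```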
Re: Does bind support conditional resolution?
2012/1/10 Drunkard Zhang <gongfan...@gmail.com>:
> I am designing a big deploy system, which will be implemented via DNS. The demands are miscellaneous; one of them is conditional resolution, which means that if one CDN node is nearly unavailable, or latency has increased significantly, no matter why, I want bind to give another, second-best result, which is located in a distant place. Does bind support this natively? Or do I have to write an external program? If bind doesn't support it, are there any other DNS implementations I can try?

As Matus said, DNS is not a good place for such magick. Nonetheless you can use Bind with DLZ and some third-party script/program which will change database entries depending on reachability or latency.

Maybe you should look at PowerDNS; it has something called Dynamic resolution and its resolver has scripting support.

-- AP
Re: About root zones
2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>>> On 21.12.11 19:21, Peter Andreev wrote:
>>>> I think that if server is authoritative - and - slave-only it should use system resolver rather than querying by itself.
>>>
>>> 2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> BIND will not use system resolver. BIND is the resolver. Relying on other resolver could cause troubles. If BIND does not need to resolve, it will not. If it needs, don't block it.
>>
>> On 02.01.12 16:42, Peter Andreev wrote:
>> I understood your point, however it differs from mine. Matus, I'm afraid we won't find consent on this topic. So I offer you to stop this discussion. Thank you for suggestions and happy new year!
>
> I don't see your point now. I'm afraid that you will have to live with the fact that you can not disable sending queries from BIND when it needs them, you can only prevent it by configuring BIND (so it will not need them) or firewall such packets so they will not get outside (which may break its functionality).

My point: I need my servers to answer with authoritative data only. I need them to not perform anything else. Only get query - send authoritative response. Where in this scenario does BIND have to resolve something? In which scenario (except master notifies) does BIND have to resolve something?

> Maybe ISC will patch BIND to use system resolver for internal queries, but I doubt so. Maybe you can do it but imho it's not worth trying. Maybe you can set up forward only; and forwarders {}; so BIND will forward all recursive queries it generates to your recursive servers. But the way you are trying to get over this, I'm afraid you will fail and that's what I am trying to tell you.

I'm free to replace BIND with another authoritative DNS implementation.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> How does cat play with mouse? cat /dev/mouse

-- AP
Re: About root zones
2012/1/3 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> 2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> I don't see your point now. I'm afraid that you will have to live with the fact that you can not disable sending queries from BIND when it needs them, you can only prevent it by configuring BIND (so it will not need them) or firewall such packets so they will not get outside (which may break its functionality).
>>
>> On 03.01.12 16:53, Peter Andreev wrote:
>> My point: I need my servers to answer with authoritative data only. I need them to not perform anything else. Only get query - send authoritative response. Where in this scenario does BIND have to resolve something?
>
> Nowhere. Note that BIND may send upward or root referrals, for clients that are allowed to view cached data (the hint zone is taken as cached). Also, bind can send additional data (authoritative or from cache) when configured so, but won't recursively resolve them. See description of additional-from-cache and additional-from-auth, maybe minimal-responses.

Yep, that's what I did first when the problem appeared. The second step was deleting root.hints to (as I hoped) prevent any further resolving and caching.

>> In which scenario (except master notifies) does BIND have to resolve something?
>
> I don't know about any.

Neither do I. Unfortunately it is not covered in the documentation.

>>> Maybe ISC will patch BIND to use system resolver for internal queries, but I doubt so. Maybe you can do it but imho it's not worth trying. Maybe you can set up forward only; and forwarders {}; so BIND will forward all recursive queries it generates to your recursive servers. But the way you are trying to get over this, I'm afraid you will fail and that's what I am trying to tell you.
>>
>> I'm free to replace BIND with another authoritative DNS implementation.
>
> Yes, you are. but I'd advise you focus on the real problem, if it exists. Kevin Darcy mentioned that in his response.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Linux - It's now safe to turn on your computer.

-- AP
Re: About root zones
2012/1/3 Chuck Swiger <cswi...@mac.com>:
> On Jan 3, 2012, at 11:13 AM, Peter Andreev wrote:
>> Unfortunately as I learn BIND more, I understand that it is not very suitable for my requirements.
>
> Which are? I've been trying to understand what the actual problem you are trying to solve might be.

I'm not trying to solve any problem. I'm wondering why this thread has grown so big. The only question I have unanswered is where I can find documents/articles/whatever describing BIND's internals, architecture etc.? That's all :) It was asked in the 13th post. Maybe it's still unanswered because of the unhappy number, I'm not sure.

> Regards,
> --
> -Chuck

-- AP
Re: About root zones
2012/1/4 Mark Andrews <ma...@isc.org>:
> If you want named to be authoritative only set recursion no; or allow-recursion { none; } or allow-query-cache { none; }; and no data will be returned from the cache. allow-recursion and allow-query-cache cross inherit from each other.
>
> If you only want master zones to send notify messages then set notify master-only;.
>
> If you want named to only use the same nameservers as the system uses then set forward only; forwarders { list from resolv.conf; };. Named does not read resolv.conf though the tools do.

Thank you, Mark, these things were done a long time ago. Is there any documentation related to BIND's internals?

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

-- AP
Re: About root zones
2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>>> On 21.12.11 19:21, Peter Andreev wrote:
>>>> All these servers are slaves. They don't send notifies.
>>>
>>> 2011/12/21 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> they do, unless you have turned it off...
>>
>> On 22.12.11 11:54, Peter Andreev wrote:
>> Of course I turned it off, it's normal practice for slaves, I assume.
>
> even sending notifies by slaves can have a reason. for example, other slaves not getting notifies from master...
>
>>> Do you think if server needed to resolve something, and you would disable it, it would work better? I think just the opposite. If a server does lookups only when needed, then disabling required lookups would make it not working.
>>
>> I think that if server is authoritative - and - slave-only it should use system resolver rather than querying by itself.
>
> BIND will not use system resolver. BIND is the resolver. Relying on other resolver could cause troubles. If BIND does not need to resolve, it will not. If it needs, don't block it.

I understood your point, however it differs from mine. Matus, I'm afraid we won't find consent on this topic. So I offer you to stop this discussion. Thank you for suggestions and happy new year!

>> Where can I find information about what causes queries for internal duties? If it can be found in ARM, could you please point me to the right chapter. Maybe I missed something while reading it. The only mention I have met is that additional resolving is needed for sending notifies (And will this resolving be performed in case the list of slaves' ip addresses is written in named.conf?).
>
> Someone other will have to answer this.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

-- AP
Re: About root zones
2011/12/20 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> 2011/12/20 Mark Andrews <ma...@isc.org>:
>>> Named has a compiled in set of root hints. It is used if a root zone is not defined in named.conf.
>>
>> On 20.12.11 17:37, Peter Andreev wrote:
>> Does it mean that without a hint zone named still can perform iterative lookups for its internal purposes?
>
> yes.

This fact is really disappointing. Anyway thank you, Matus, for the answer.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Despite the cost of living, have you noticed how popular it remains?

-- AP
Re: About root zones
2011/12/21 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>>>> 2011/12/20 Mark Andrews <ma...@isc.org>:
>>>>> Named has a compiled in set of root hints. It is used if a root zone is not defined in named.conf.
>>>>
>>>> On 20.12.11 17:37, Peter Andreev wrote:
>>>> Does it mean that without a hint zone named still can perform iterative lookups for its internal purposes?
>>>
>>> 2011/12/20 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> yes.
>>
>> On 21.12.11 12:17, Peter Andreev wrote:
>> This fact is really disappointing.
>
> well, it's needed for proper functionality. What exactly seems to be your problem?

Well, we run a bunch of authoritative-only slave servers and obviously they don't have to perform any kind of lookups. Some time ago a user complained that one of these slave servers responds with wrong data. My colleague tried to investigate this issue, but without any success. Just in case we disabled additional-from-cache. That's why any sort of internal lookups looks very suspicious to me.

> Note that
> - only clients that are allowed to recurse are able to see data in the type hint zone
> - only clients from local networks are allowed to recurse by default. You can tune this by configuring the allow-recursion option.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Atheism is a non-prophet organization.

-- AP
Re: About root zones
2011/12/21 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> On 20.12.11 17:37, Peter Andreev wrote:
>>> Does it mean that without a hint zone named still can perform iterative lookups for its internal purposes?
>>
>> On 21.12.11 13:05, Peter Andreev wrote:
>> Well, we run a bunch of authoritative-only slave servers and obviously they don't have to perform any kind of lookups.
>
> If they don't have to, they won't.

I hope so.

>> Some time ago a user complained that one of these slave servers responds with wrong data. My colleague tried to investigate this issue, but without any success. Just in case we disabled additional-from-cache.
>
> Disabling recursion should do the same afaik. However, disabling additional-from-cache is OK and afaik disabled by default.

No, it is enabled by default.

>> That's why any sort of internal lookups looks very suspicious to me.
>
> server needs to resolve names if it's supposed to send NOTIFY messages.

All these servers are slaves. They don't send notifies.

So while I'm really confused about the described issue, I'd like to not speculate on it, because it happened only once. What I don't like at all is the impossibility to disable these lookups. Of course I can follow Jeff's advice and redirect these lookups to localhost, but it is not a solution, it only transfers the problem to another area.

Ok, maybe I'm paranoid and worrying about trifles, but news about compiled in hints astonished me.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> I drive way too fast to worry about cholesterol.

-- AP
Re: About root zones
David, thank you, I checked and all seems good :).

2011/12/21 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> 2011/12/21 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>>> Disabling recursion should do the same afaik. However, disabling additional-from-cache is OK and afaik disabled by default.
>>
>> On 21.12.11 19:21, Peter Andreev wrote:
>> No, it is enabled by default.
>>
>>> server needs to resolve names if it's supposed to send NOTIFY messages.
>>
>> All these servers are slaves. They don't send notifies.
>
> they do, unless you have turned it off...

Of course I turned it off, it's normal practice for slaves, I assume.

>> So while I'm really confused about the described issue, I'd like to not speculate on it, because it happened only once. What I don't like at all is the impossibility to disable these lookups.
>
> Do you think if server needed to resolve something, and you would disable it, it would work better? I think just the opposite. If a server does lookups only when needed, then disabling required lookups would make it not working.

I think that if server is authoritative - and - slave-only it should use system resolver rather than querying by itself.

Where can I find information about what causes queries for internal duties? If it can be found in ARM, could you please point me to the right chapter. Maybe I missed something while reading it. The only mention I have met is that additional resolving is needed for sending notifies (And will this resolving be performed in case the list of slaves' ip addresses is written in named.conf?).

>> Ok, maybe I'm paranoid and worrying about trifles, but news about compiled in hints astonished me.
>
> since it only happened once and you weren't able to find out what really happened (did you at least make sure your customer is right?), it should not be an issue to care about this much...
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> If Barbie is so popular, why do you have to buy her friends?

-- AP
Re: About root zones
2011/12/20 Mark Andrews <ma...@isc.org>:
> Named has a compiled in set of root hints. It is used if a root zone is not defined in named.conf.

Mark,

Does it mean that without a hint zone named still can perform iterative lookups for its internal purposes?

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

-- AP
zone before delegation?
It seems like there are two ways I could delegate a zone. I could, in the zone file for the parent, simply list the name of the zone and a number of NS records to which the zone has been delegated. Or, I could create a zone statement within named.conf that points to a file that contains an SOA and a number of NS records to which the zone has been delegated.

Which is better and which should I prefer? Ideally, I'd like to make the zone first with the NSes pointed to the same server plus various and sundry other As and CNAMEs, but need help on this point before I do anything.

BTW, this is on RHEL's BIND9 and no, the master has yet to have the RHEL bind97 RPMs installed, and yes, I am a bad admin for not doing that.

--
Peter Laws / N5UWY
RE: zone before delegation?
On Fri, Oct 28, 2011 at 04:48:10PM +, Laws, Peter C. wrote:
> It seems like there are two ways I could delegate a zone. I could, in the zone file for the parent, simply list the name of the zone and a number of NS records to which the zone has been delegated. Or, I could create a zone statement within named.conf that points to a file that contains an SOA and a number of NS records to which the zone has been delegated.
>
> Which is better and which should I prefer?

Bill Owens <owens at nysernet.org> wrote:
> If I'm reading this correctly, both ;) I take it the same servers are authoritative for both parent and child, right? You can get away with just creating the new zone in named.conf and not delegating it properly in the parent, due to a quirk in BIND behavior; it always answers from its authority and the chain of resolution will always pass through the server (because it's authoritative for the parent). But when* you configure DNSSEC, the lack of NS records in the parent zone will break your configuration. So installing them now will save you that grief later.
>
> I don't think that the order is particularly important, since queries can't be answered until the zone is created and configured in named.conf, though I suppose that creating the zone first is slightly more correct.

Thanks. That's the bit I was looking for, SOME stuff is a quirk of BIND, like this.

OK, so simply putting the NS records in the parent zone is sufficient to make it a separate zone. No need to put stuff in named.conf unless I want to or until I actually delegate to a different set of nameservers.

My thought was to create the new zones as zones on the parent server as a prelude to actually delegating them, in a sense, delegating the zone to myself. That will let me clean stuff up and get it ready for the coming move.

Yes, DNSSEC is, IMHO, much like IPv6 - no one wants to mess with it but a lot of people claim it's inevitable.

*Hopefully* both will end up like maglevs and monorails - technology of the future: always has been, always will be. :-)

--
Peter Laws / N5UWY
Re: CNAME record for the root of the domain
On 10/12/2011 09:20 AM, Paul Wouters wrote:
> On Wed, 12 Oct 2011, Niccolò Belli wrote:
>> Subject: CNAME record for the root of the domain
>>
>> How to set it? I know there is a workaround, but I hadn't been able to make it work... I use bind 9.7.3.
>
> Perhaps you mean DNAME?

How widely are DNAMEs supported?

-hpa

--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
Re: CNAME or A record?
If you use two A records, your web server needs to be set up to handle both names. If you use a CNAME, you only need to handle the single A record name in the server.

On Wed, Sep 28, 2011 at 10:36 AM, feralert <feral...@gmail.com> wrote:
> Thanks Jeff,
>
> But I really only wrote that as an example :) . The real question is what is best or what is recommended, two A RR (one for domain, one for www) or a single A RR for domain and a CNAME RR for www, is one way better than the other or can I choose either way?
>
> Cheers!,
> Fred.
>
> On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff <jlight...@water.com> wrote:
>> If you set your SOA properly to use @ (which means this zone) your A records should be:
>>
>> domain.com. A 1.1.1.1
>> www A 1.1.1.1
>>
>> The SOA should append the domain.com to every record not terminated by a dot so that www is read as www.domain.com. Similarly you put a dot at the end of the domain.com A record to prevent it from being appended and read as domain.com.domain.com.
>>
>> -----Original Message-----
>> From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of feralert
>> Sent: Wednesday, September 28, 2011 10:20 AM
>> To: bind-us...@isc.org
>> Subject: CNAME or A record?
>>
>> Hi all,
>>
>> I'm sure this has been asked trillions of times but since I couldn't find any concrete answer/reference in google I am asking you guys in this list. Sorry if anyone thinks this a dumb question or something very obvious.
>>
>> The thing is that I want users redirected to 'www.domain.com' even when they just type the domain name 'domain.com'. In order to do so I am not sure if it's best to have one A RR for each or have an A RR for the domain and a CNAME RR pointing to 'domain.com' for 'www.domain.com'.
>>
>> domain.com A 1.1.1.1
>> www.domain.com A 1.1.1.1
>>
>> OR
>>
>> domain.com A 1.1.1.1
>> www.domain.com CNAME domain.com
>>
>> Any help appreciated.
>>
>> Thanks,
>> Fred
Re: updating Bind made it slower
2011/9/27 Tom Schmitt <tomschm...@gmx.de>:
>>> I just updated a couple of my DNS-servers from the rather old version 9.4.1 to a newer version 9.8.0-P4. After this I have problems with outages. Looking into it, I found that the time for a rndc reload has nearly doubled!
>>
>> This has been pointed out to me before; do you really need reload, or would reconfig suffice?
>
> I will try it if this is reducing the times and if a reload is really not needed. If it works, I will change my updating-scripts. Thank you!

It is not clear from your question: are you using rndc reload or rndc reload zone.name? The latter will be faster in case you change one or few zones in one pass of your updating-script.

-- AP
Re: updating Bind made it slower
2011/9/27 Tom Schmitt tomschm...@gmx.de:

It is not clear from your question: are you using rndc reload or rndc reload zone.name? The latter will be faster if you change one or a few zones in one pass of your updating script.

I generate the complete named.conf from my database, especially including new zones, and then trigger a rndc reload to make this new config active.

In this case rndc reconfig should be sufficient. This command tells BIND to re-read the config file and load all new zones without touching any previously loaded zones.

This process is now taking much more time, leading to outages in the DNS service :-( I'll try to replace it with rndc reconfig. Not sure if this really is sufficient. Tom.

-- 
-- AP
Re: DNSSEC and MS AD
2011/8/9 Chris Buxton chris.p.bux...@gmail.com:

On Aug 9, 2011, at 10:07 AM, John Williams wrote:

--- On Tue, 8/9/11, Chris Buxton chris.p.bux...@gmail.com wrote:

With a private version of a domain, you should not need to worry about a DS record in the parent. Just make sure your internal caching servers not only can find the internal version of your domain, but also can validate the signatures therein, most likely using a trusted or managed key specific to that internal domain. I'll not try to get into the specifics of using MS DNS for this purpose because this is not the right forum. Regards, Chris Buxton, BlueCat Networks

Based on your response, I'm wondering how an application such as Exchange (SMTP, which clearly relies on DNS) will work in this model. Are there any effects of the parent domain (.com, .net, whatever...) not having the DS records for the domain?

I don't follow your reasoning. For SMTP, the DNS-related operation is in looking up the MX and A/AAAA records of other mail servers based on an outgoing message. If you're worried about other mail servers finding your Exchange server, there are two cases:

- External. My comments had nothing to do with external (Internet-facing) DNS records. There, you would want to have DS records put into the parent zone to be able to authenticate the link from parent to child.

- Internal. If you're using MX records internally, you're either very large or misguided. If you are large enough to warrant this, then your caching servers should be able to follow your internal chain of trust, starting at a private trust anchor.

This is the point I was getting at. The use of an internal, private namespace should be entirely transparent to any service other than DNS. Your mail server should not need to know about it, and should not be able to detect it (other than watching for private address space and obviously-private domain names like corp.dom).

As I understood from there - http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx - Chris' scenario should work. But I doubt that it is reasonable to use DNSSEC for an internal domain and, moreover, with such limitations.

Chris Buxton, BlueCat Networks

-- 
-- AP
Re: Breaking up RFC 1918 reverse space
On 07/23/11 22:08, Karl Auer wrote:

Maybe this is an overly naive approach, but can't you set up one zone for 10.0.0.0/8 and delegate as necessary from that single zone file? Anything that you don't have an answer for will get NXDOMAIN, which is presumably what you want. So:

zone "10.IN-ADDR.ARPA" {
    type master;
    file "internal/db.10.rev";
    allow-query { network_internal; };
};

Then in the zone file internal/db.0.rev:

$ORIGIN 10.in-addr.arpa.
[...]
0 3600 IN NS ns00.mydomain.
1 3600 IN NS ns01.mydomain.
... etc

I thought of that, too. Were I delegating all slivers of the 10/8 space (it's actually 4 10/10 spaces), then I'd have done it long ago and not asked the question. I'm more confused than that - read on. :-)

What I think I didn't make clear in my first post was that I actually want to do two things:

1) I want to break 10/8 space into 4 10/10 zones (actual, independent zones).

10.0.0.0/10
10.64.0.0/10
10.128.0.0/10
10.192.0.0/10

2) Serve one resulting zone myself, delegate all of two others, then delegate parts of the last one.

So my initial question was incomplete. I've read about $GENERATEing CNAME records for chunks and then delegating the chunks, for example

0 IN CNAME 0-63.10.in-addr.arpa.
1 IN CNAME 0-63.10.in-addr.arpa.
2 IN CNAME 0-63.10.in-addr.arpa.

etc, but done with $GENERATE, and then actually delegating with

0-63.10.in-addr.arpa. IN NS ns1.edu.
64-127.10.in-addr.arpa. IN NS ns2.edu.

etc

Where I'm confused (or have confused myself) is the part about wanting to actually break the zone up (I want to break it up for the usual reasons - size and limiting damage)

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
Re: Forward only zones.
2011/7/25 Vbvbrj vbv...@gmail.com:

On 25.07.2011 10:15, Matus UHLAR - fantomas wrote:

This is how BIND is supposed to work. If you _need_ such a setup, why don't you set up your AD servers as recursive and point clients directly to them? You can theoretically configure a maximum cache time in BIND, but that would be a useless server.

I can configure AD servers to Microsoft DNS. But how about workstations? They all are configured to use BIND DNS. If I change them to Microsoft DNS, then there is no use of BIND DNS.

There's already no use for BIND if you really want what you described. So better deinstall BIND and configure stations to use Microsoft's DNS. Not that I prefer or advise using Microsoft's DNS, it sucks pretty much. But as you described it, there's no point in using BIND for you.

I have this point. I want to use BIND, because the server on which BIND resides is also a gateway to the internet and every client is configured to use it. And this server I prepare to switch to a *unix system, and I am moving every necessary service from Windows-integrated to open-source multi-system support. I just can't for now move Active Directory's DNS database to BIND.

Maybe you should look at the problem from another point and configure Microsoft's DNS server to forward queries to BIND? Of course you will need to reconfigure clients to use Microsoft's DNS only, but in this case Microsoft's DNS will serve queries for your domain and BIND will serve queries for other domains. I think it will be a better solution.

-- 
-- AP
Breaking up RFC 1918 reverse space
Decloaking to ask for pointers to some help regarding RFC 1918 zone delegation.

We use 10/8 space extensively over multiple campuses. We need to delegate at the 10/16 level, essentially. Is there a better way to do it than

zone "0.10.IN-ADDR.ARPA" {
    type master;
    file "internal/db.10.rev";
    allow-query { network_internal; };
};

zone "1.10.IN-ADDR.ARPA" {
    type master;
    file "internal/db.10.rev";
    allow-query { network_internal; };
};

zone "2.10.IN-ADDR.ARPA" {
    type master;
    file "internal/db.10.rev";
    allow-query { network_internal; };
};

et cetera, ad nauseam, and then putting in NS records as necessary? A little less than half of the zones would remain with us, with the other half-and-a-bit delegated away.

I'm afraid of the answer since I fear I'm stuck with making 256 zones ...

BIND 9.3 as hacked by Red Hat, though now that we found the bind97 packages in the supported repo, we may go with that.

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu (Remote)
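The single-zone delegation that Karl Auer suggested in the reply above, applied to the plan in this original post (one /10 served locally, two delegated whole, the last one delegated in parts), as an added example in Python that is not from either list post: it emits the per-/16 NS lines for 10.in-addr.arpa, keeps locally served /16s in the same zone file, and wraps the zone in a clause that restricts queries to the internal ACL. The name servers, ACL name and file path are hypothetical.

```python
"""Delegation plan for a single 10.in-addr.arpa zone (added example, not
from the list posts). Each 10.x.0.0/16 gets NS records delegating
x.10.in-addr.arpa to the servers of its /10 chunk, unless the chunk (or an
explicit per-/16 override) is served locally, in which case its PTR data
simply stays in this zone file and no delegation line is emitted."""
from typing import Dict, List, Optional

# None means "served here"; a list means "delegate to these servers".
Servers = Optional[List[str]]


def slash10_index(second_octet: int) -> int:
    """10.<o>.0.0/16 lies in /10 chunk o // 64 (0: 10.0/10 ... 3: 10.192/10)."""
    if not 0 <= second_octet <= 255:
        raise ValueError(f"second octet out of range: {second_octet}")
    return second_octet // 64


def delegation_records(plan: Dict[int, Servers],
                       overrides: Optional[Dict[int, Servers]] = None,
                       ttl: int = 3600) -> List[str]:
    """Zone-file NS lines for 10.in-addr.arpa, relative to that origin.

    plan maps /10 chunk index -> servers; overrides maps a second octet ->
    servers for the partially delegated chunk. Only delegated /16s get
    records: the parent must not hold PTRs below a delegated name, while
    a locally served /16 needs no NS line at all."""
    overrides = overrides or {}
    lines = []
    for octet in range(256):
        servers = overrides.get(octet, plan[slash10_index(octet)])
        if servers is None:
            continue                      # served in this zone file
        for ns in servers:
            lines.append(f"{octet}\t{ttl}\tIN\tNS\t{ns}")
    return lines


def zone_file(plan: Dict[int, Servers],
              overrides: Optional[Dict[int, Servers]] = None,
              ttl: int = 3600) -> str:
    """Zone file body; apex records are site-specific and left as a comment."""
    header = ["$ORIGIN 10.in-addr.arpa.", f"$TTL {ttl}",
              "; apex SOA/NS and locally served PTR data go here (or $INCLUDE them)"]
    return "\n".join(header + delegation_records(plan, overrides, ttl)) + "\n"


def zone_statement(acl: str = "network_internal",
                   path: str = "internal/db.10.rev") -> str:
    """named.conf clause; allow-query keeps RFC 1918 reverse data internal."""
    return (f'zone "10.in-addr.arpa" {{\n'
            f'    type master;\n'
            f'    file "{path}";\n'
            f'    allow-query {{ {acl}; }};\n'
            f'}};\n')


# Hypothetical plan matching the thread: chunk 0 served here, chunks 1 and 2
# delegated whole, chunk 3 delegated except for two explicit /16s.
EXAMPLE_PLAN: Dict[int, Servers] = {
    0: None,
    1: ["ns1.edu."],
    2: ["ns2.edu."],
    3: ["ns3.edu."],
}
EXAMPLE_OVERRIDES: Dict[int, Servers] = {
    200: None,                  # 10.200/16 stays in this zone file
    201: ["ns-dept.edu."],      # 10.201/16 goes to a departmental server
}

if __name__ == "__main__":
    print(zone_statement())
    print(zone_file(EXAMPLE_PLAN, EXAMPLE_OVERRIDES))
```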
Re: Patching bind for additional stats - any tips?
Hi,

I've written some middleware that takes the stats channel from bind and translates it to cacti/cricket/mrtg: http://members.iinet.net/~pyard...@ihug.com.au/projects/?project=bind9_5_counters. If you haven't looked at what the XML stats channel can give you, you should take a look at it in the Bind doco. Another tack could be log analysis. Nominum offer some free DNS performance testing tools: http://www.nominum.com/resources/measurement-tools.

Alex Kolchinski wrote:

Hi everyone - I'm at Google and currently starting on a mini-project to get some more insight into how our BIND servers are performing. Our first thoughts on how to add logging on metrics we're interested in are currently to patch BIND to spit out the wanted stats directly from BIND (data on each query, perhaps aggregated). An alternative to this would be to try to match the incoming and outgoing request and response packets and amass the data from that, but our attempts at data gathering through sniffing have given unreliable results. (One alternative I've stumbled upon is DSC - http://dns.measurement-factory.com/tools/dsc/ - but I'm not sure yet how appropriate or effective it would be for our needs, so if anyone has any thoughts, that would be much appreciated.)

I've never worked with BIND before, so I'm looking over the code right now figuring out which approach is going to be the most effective and straightforward. Does anyone have any experience with something similar and/or suggestions on approaches or considerations to think about? It's looking like if the patch is going to be the way to go, simply modifying BIND's stats-outputting functionality should be a good way to extend what statistics we're getting, although I'm not sure on that count either. Any thoughts?

Thanks, everyone
-Alex

-- 
Peter Yardley
Senior Network Administrator, Information Technology Division, University of Technology, Sydney
peter.yard...@uts.edu.au | Ph: +61 2 9514-2358 | Fax: +61 2 9514-2435
UTS CRICOS Provider Code: 00099F
link-local glue AAAA
Hi

I'm puzzled a little - I see in my zone glue records with link-local addresses. I think it is not good, but no RFC mentions link-local in glue. Could someone tell me best practices for link-local in glue?

Thanks in advance.

-- 
-- AP

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: link-local glue AAAA
Thank you, Matus, that's all I wanted to know.

2011/6/5 Matus UHLAR - fantomas uh...@fantomas.sk:

On 05.06.11 17:07, Peter Andreev wrote:

I'm puzzled a little - I see in my zone glue records with link-local addresses. I think it is not good, but no RFC mentions link-local in glue. Could someone tell me best practices for link-local in glue?

It's the same as using a private range or other bogus IP addresses in NS records for public domains. Technically correct, but it will apparently not work from outside, and any registry should reject that. However, registries do not have power over delegation within your registered zone, so the rest is up to you.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Honk if you love peace and quiet.

-- 
-- AP
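A check for the situation Matus describes, as an added example that is not BIND code: it walks a zone's records, picks out the A/AAAA glue of in-bailiwick NS targets and flags addresses that are link-local, private or otherwise not globally routable. The zone and its records are constructed; the two routable addresses are the ns.nic.se glue quoted in the dig output later on this page.

```python
"""Glue sanity check for a delegation (added example, not BIND code): flag
NS targets inside the zone whose A/AAAA glue points at link-local, private
or otherwise non-routable addresses, which is unusable from outside."""
import ipaddress
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]       # (owner, rtype, rdata); names absolute


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def address_problem(addr: str) -> Optional[str]:
    """Why this address is unusable as public glue, or None if it is fine."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:        # fe80::/10, 169.254/16: valid on one link only
        return "link-local"
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return "loopback/unspecified/multicast"
    if ip.is_private:           # RFC 1918, ULA fc00::/7, documentation ranges
        return "private or documentation range"
    if not ip.is_global:
        return "not globally routable"
    return None


def check_glue(zone: str, records: List[Record]) -> List[str]:
    """Findings for in-bailiwick NS targets with unusable glue addresses.

    Only NS targets below the zone apex need glue, so only those are
    checked; address records for other hosts (www, mail, ...) are not glue
    and are left alone."""
    apex = _norm(zone)

    def in_zone(name: str) -> bool:
        return name == apex or name.endswith("." + apex)

    ns_targets = {_norm(rdata) for owner, rtype, rdata in records
                  if rtype == "NS" and in_zone(_norm(owner))}
    findings = []
    for owner, rtype, rdata in records:
        name = _norm(owner)
        if rtype not in ("A", "AAAA") or name not in ns_targets or not in_zone(name):
            continue
        problem = address_problem(rdata)
        if problem:
            findings.append(f"{name} {rtype} {rdata}: {problem}")
    return findings


# Constructed delegation data for a hypothetical zone.
SAMPLE_ZONE = "example.net"
SAMPLE_RECORDS: List[Record] = [
    ("example.net.", "NS", "ns1.example.net."),
    ("example.net.", "NS", "ns2.example.net."),
    ("ns1.example.net.", "A", "212.247.7.228"),          # routable, fine
    ("ns1.example.net.", "AAAA", "fe80::1"),             # link-local glue
    ("ns2.example.net.", "AAAA", "2a00:801:f0:53::53"),  # routable, fine
    ("ns2.example.net.", "A", "10.0.0.53"),              # RFC 1918 glue
    ("www.example.net.", "A", "10.0.0.80"),              # not glue, ignored
]

if __name__ == "__main__":
    for line in check_glue(SAMPLE_ZONE, SAMPLE_RECORDS):
        print(line)
```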
Bind 9.8 with dlz and dnssec
Hello, list.

Now DLZ supports dynamic updates and theoretically it is possible to make such tricks:

rndc freeze example.com
put some new records in the database
rndc thaw example.com
rndc sign example.com
rndc freeze example.com

That is, the zone isn't really dynamic, but it is dynamically loadable and signed. Will it work?

-- 
-- AP
Re: Bind 9.8 with dlz and dnssec
2011/3/10 Evan Hunt e...@isc.org

Now DLZ supports dynamic updates and theoretically it is possible to make such tricks:

rndc freeze example.com
put some new records in the database
rndc thaw example.com
rndc sign example.com
rndc freeze example.com

That is, the zone isn't really dynamic, but it is dynamically loadable and signed. Will it work?

DLZ only supports dynamic updates if you're using a back-end that supports them. Right now the only combination that works is the DLZ dlopen driver running the SMB/CIFS module provided in Samba 4, bind_dlz.c. As far as I know, that module doesn't understand DNSSEC RRtypes, so I doubt if that trick would work today.

Even with a back-end module that can manage DNSSEC records, my guess is that it wouldn't answer queries correctly, because AFAIK DLZ doesn't have a mechanism for finding the closest previous name, and that's necessary for returning a signed NXDOMAIN response. (This problem would also apply if you used dnssec-signzone and loaded the signed data into the database directly.)

Incidentally, we've been expanding DLZ support further. In 9.8.1, the dlopen driver will be part of the default build on unix/linux platforms, no longer requiring a configure option, so you can use the Samba module (or other modules yet to be written) with a stock BIND 9 build. In 9.9.0, we'll be adding support for the dlopen driver on Windows as well. I plan to convert the other DLZ drivers (mysql, postgresql, ldap, etc) to back-end modules for the dlopen driver at that time as well. I'm not expecting to make them support dynamic updates yet, and hadn't even given any thought to the problem of supporting DNSSEC, but we can add those features to the roadmap as well if there's user demand.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

Thank you, Evan

I'd like to add my vote for DNSSEC in DLZ to Christian's one :)

-- 
-- AP
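Evan's point that a signed NXDOMAIN needs the "closest previous name" can be seen in code. The example below is added here and is not BIND or DLZ code: it implements the RFC 4034 canonical ordering over a constructed set of owner names and returns the pair of existing names whose NSEC record would cover a nonexistent query name. Wildcard and closest-encloser handling is omitted; the zone contents are constructed.

```python
"""Canonical DNS name ordering (RFC 4034 section 6.1) and the "closest
previous name" lookup a back-end needs before it can return a signed
NXDOMAIN: the NSEC record proving that a name does not exist is owned by
the existing name that sorts immediately before it. Added example, not
BIND or DLZ code; the zone contents are constructed."""
import bisect
from typing import List, Optional, Tuple

Key = Tuple[bytes, ...]


def canonical_key(name: str) -> Key:
    """Sort key: labels right-to-left, case-folded, as octet strings.

    Tuple comparison gives the RFC 4034 order directly: a name with fewer
    labels sorts before any name that extends it, and within a label a
    shorter octet string that is a prefix of a longer one sorts first."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


class NsecChain:
    """Owner names of a signed zone, kept in canonical order."""

    def __init__(self, owners: List[str]) -> None:
        self._names = sorted(owners, key=canonical_key)
        self._keys = [canonical_key(n) for n in self._names]

    def covering_pair(self, qname: str) -> Optional[Tuple[str, str]]:
        """(previous, next) owner names around qname, or None if it exists.

        The NSEC record at `previous` names `next` as its successor, so
        previous < qname < next in canonical order proves qname absent.
        Wrapping at the end of the zone is a real chain edge: the last
        NSEC points back at the apex."""
        qkey = canonical_key(qname)
        i = bisect.bisect_left(self._keys, qkey)
        if i < len(self._keys) and self._keys[i] == qkey:
            return None                     # name exists: no denial needed
        prev = self._names[i - 1] if i > 0 else self._names[-1]
        nxt = self._names[i] if i < len(self._names) else self._names[0]
        return prev, nxt


# Constructed zone: the apex plus a few owner names, one of them two labels
# below the apex, to show that canonical order is not plain string order.
ZONE_OWNERS = ["example.com", "a.example.com", "b.example.com",
               "z.example.com", "x.b.example.com"]

if __name__ == "__main__":
    chain = NsecChain(ZONE_OWNERS)
    for q in ("c.example.com", "aa.example.com", "zz.example.com", "B.Example.COM"):
        print(q, "->", chain.covering_pair(q))
```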
Re: rndc addzone and file name
2011/1/13 Alan Clegg acl...@isc.org:

On 1/13/2011 11:08 AM, Peter Andreev wrote:

I've executed

rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; };'

and have got the file /etc/namedb/3bf305731dd26307.nzf:

zone test.test { type master; file "/etc/namedb/master/test.1"; };

The question was: can I force rndc addzone to use a specific file (for example /etc/namedb/includes/file2) instead of 3bf305731dd26307.nzf?

No. The file is a hash of the view in which the data resides. It's automated, just leave it alone and it won't hurt anyone :)

AlanC

Thank you very much, Alan. Could you describe why it was made so? I am asking because this feature could be very helpful for me, but such a restriction makes it completely useless.

-- 
-- AP
Re: Multiple masters expected behavior?
On 07/26/10 23:02, Barry Margolin wrote:

In article mailman.100.1280077153.15649.bind-us...@lists.isc.org, Laws, Peter C. pl...@ou.edu wrote:

Understood, but what I'm asking about is that the slave does not appear to be losing contact with the first-listed master. In fact, from the logs, it appears to be flipping back and forth (though not round-robinning).

Multiple masters is not about losing contact, it's about getting the most up-to-date version of the zone. There's no reason for the slave to

A HA! So the answer to my original question, after all this, is "Yes" (this is expected behavior). Thanks.

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
RE: Multiple masters expected behavior?
Understood, but what I'm asking about is that the slave does not appear to be losing contact with the first-listed master. In fact, from the logs, it appears to be flipping back and forth (though not round-robinning). Someone else asked, essentially, why? ... The network paths are diverse to the different interfaces so, while I'm not protecting against failure of the master, I am protecting against network path failure.

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center / Web
University of Oklahoma Information Technology
pl...@ou.edu

From: bind-users-bounces+plaws=ou@lists.isc.org [bind-users-bounces+plaws=ou@lists.isc.org] on behalf of Barry Margolin [bar...@alum.mit.edu]
Sent: Saturday, July 24, 2010 07:09
To: comp-protocols-dns-b...@isc.org
Subject: Re: Multiple masters expected behavior?

In article mailman.83.1279918361.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:

On 07/22/10 19:57, Barry Margolin wrote:

In article mailman.65.1279835965.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:

I have multiple interfaces on my master and multiple interfaces on most of my slaves. Is that expected behavior?

Yes. What if the first server stops getting updates, but the second one does and has a higher serial number? Don't you want the slaves to check the SOA record on it to pick up these changes?

Except that the 2 masters are simply different interfaces on the same master ... so the serial number *better* always be the same!

That's true in *your* case. But BIND was designed to handle the more general case, where the masters can be different machines.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
RE: Multiple masters expected behavior?
Well aware of that, but we have RedHat support so we're stuck with that, given that the alternatives are self-supporting BIND (which you could argue I'm doing right now!) or going with a 3rd party. Given the economy, I'm pleased we're keeping RH support.

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center / Web
University of Oklahoma Information Technology
pl...@ou.edu

From: Doug Barton [do...@dougbarton.us]
Sent: Friday, July 23, 2010 19:23
To: Laws, Peter C.
Cc: bind-us...@isc.org
Subject: Re: Multiple masters expected behavior?

On Thu, 22 Jul 2010, Peter Laws wrote:

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

9.3.x has been EOL for a long time now, FYI.

-- 
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
Computers are useless. They can only give you answers. -- Pablo Picasso
Re: Multiple masters expected behavior?
On 07/22/10 19:57, Barry Margolin wrote:

In article mailman.65.1279835965.15649.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:

I have multiple interfaces on my master and multiple interfaces on most of my slaves. Is that expected behavior?

Yes. What if the first server stops getting updates, but the second one does and has a higher serial number? Don't you want the slaves to check the SOA record on it to pick up these changes?

Except that the 2 masters are simply different interfaces on the same master ... so the serial number *better* always be the same!

Looking at the logs, it appears that the choice of masters is a second-to-second thing, because what I'm seeing is that one zone goes via one interface and then the next zone, perhaps only a few 10s of ms later, goes via the other interface. I would have expected that it would only ask the second-listed master if the first didn't answer ... but I didn't write the code (and haven't read it either!)

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
Multiple masters expected behavior?
I have multiple interfaces on my master and multiple interfaces on most of my slaves. I've got one of the slaves set up so that its masters {}; statement has two of the master's interfaces in it. The preferred is first, with the non-preferred second. I was contemplating using this on all slaves to guard against a network path failure. Note that I also have both of the slave's interfaces in the also-notify statement on the master (it's an unpublished slave).

I would have thought that BIND would always hit the first and never the second. That doesn't seem to be the case, however. In fact, in a few cases I've seen it seems to use both, though not round-robinning that I can see from the logs.

Is that expected behavior?

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
Re: Can't get hints or outside resolution.
On 07/09/10 02:23, Matus UHLAR - fantomas wrote:

On 08.07.10 14:42, Peter Laws wrote:

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

From the host itself, a slave for all my zones, I can resolve all my zones. I cannot, however, resolve anything else. For example, if I dig google.com I get a timeout. Further, if I do a blank dig, I don't get the root servers even though the hints zone is set up correctly.

Recursion is not allowed for you. In such a case, you can't resolve foreign zones, and not even the hint zone.

I thought "Oh, I bet that's it!" Sadly, allow-recursion is set globally and I'm in the list of those allowed to (curse) and recurse. allow-query is set correctly as well. No views on this system, either.

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
Re: Can't get hints or outside resolution.
Hey! A firewall setting was wrong! Imagine that!

Thanks, all. :-)

On 07/09/10 14:18, Peter Laws wrote:

On 07/09/10 02:23, Matus UHLAR - fantomas wrote:

On 08.07.10 14:42, Peter Laws wrote:

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

From the host itself, a slave for all my zones, I can resolve all my zones. I cannot, however, resolve anything else. For example, if I dig google.com I get a timeout. Further, if I do a blank dig, I don't get the root servers even though the hints zone is set up correctly.

Recursion is not allowed for you. In such a case, you can't resolve foreign zones, and not even the hint zone.

I thought "Oh, I bet that's it!" Sadly, allow-recursion is set globally and I'm in the list of those allowed to (curse) and recurse. allow-query is set correctly as well. No views on this system, either.

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
Re: Split view - differing SOA serial number
2010/7/8 John Horne john.ho...@plymouth.ac.uk

[..]

Both views use the same zone file (which currently contains 3330257 as the serial number), and the zone is configured to use a single master. If I use rndc to reload the zone in both views, then nothing changes. If I stop and restart the whole named service, then both views have the same serial number. Why doesn't a reload cause the zone serial number to be updated from the file copy of the zone?

Looks like when you do rndc reload for the external view, the answer from the master is being processed like any other query from the internal network, i.e. by the internal view. And the same situation with notifies.

-- 
-- AP
Re: Can't get hints or outside resolution.
Yep, zone for hint is right. No interesting messages. service named checkconfig (which RH has helpfully set up to run named-checkconf and named-checkzone) shows that all is well. :-(

On 07/08/10 15:55, Warren Kumari wrote:

On Jul 8, 2010, at 3:42 PM, Peter Laws wrote:

BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

From the host itself, a slave for all my zones, I can resolve all my zones. I cannot, however, resolve anything else. For example, if I dig google.com I get a timeout. Further, if I do a blank dig, I don't get the root servers even though the hints zone is set up correctly.

Sure? Are you loading it?

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/namedb/db.root";
};

Do you have any interesting log messages at startup? Is the hints zone in a view maybe?

w

The same is true if I try to resolve from a different host against this host. I thought of iptables and dumped those, but disabling iptables doesn't change anything. In fact, if I look up the IP (of the google, say) on another host I can ping that IP.

There are query ACLs set up, but I have confirmed that RFC 1918 space, 127/8, and our public IP range are all allowed to query the internal stuff. The external zones are, of course, set to "any". (default, in options, is internal-only, but the public zones all have "any" as over-rides).

SELinux is set to enforcing, but no messages are showing up and, based on my experience, if SELinux is going to prevent BIND from working it's going to COMPLETELY prevent it from working, not pick certain zones.

resolv.conf on the slave itself has 127.0.0.1 on the nameserver line.

The only thing different on this host vs my other slaves is some extra notifies and allow-transfers from when this was still a master for some zones (some other slaves *still* get a few zones from this host).

Missing something easy, I'm sure. But what?

For every complex problem, there is a solution that is simple, neat, and wrong. -- H. L. Mencken

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
Re: FW: BIND 9 errors
2010/7/1 Y z yan...@hotmail.com

(bind version 9.7.0-P1)

A DNS slave server has two IPs: an internal RFC1918 number to talk to the internal net, and an external one to talk to the rest of the world. If I *don't* put the external IP in as a master:

zone "example.com" {
    type slave;
    file "example";
    masters port 1053 { 172.16.0.30; };
};

I get errors:

Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: external.ip#59808

This error appears because your master sends the notify from external.ip, which isn't listed in the masters {}; statement.

Whereas, if I *do* put the IP in as a master, I get:

Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from external.ip#1053 failed to connect: connection refused

And this error appears because your master isn't configured to allow connections to external.ip#1053. It will be very helpful in resolving your problem if you provide the options {}; part of your named.conf file.

(the reason I'm using port 1053 is because the real master is running on two different instances, one on port 53, and one on port 1053).

Despite the errors, the zones still seem to function. So, what do I do to make the errors go away?

Thanks!

-- 
-- AP
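To make the two log messages above easier to act on, here is an added example (not BIND code) that parses them out of a named log and summarises refused NOTIFY senders and failed transfer targets per peer, so an address missing from masters {} (or an unexpected NOTIFY sender) stands out. The log lines are constructed, with documentation-range addresses in place of external.ip.

```python
"""Parse the two named log messages discussed in the thread and summarise
them per peer. Added example, not BIND code; the log lines are constructed
with documentation-range addresses."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# "zone example.com/IN: refused notify from non-master: 192.0.2.30#59808"
NOTIFY_RE = re.compile(
    r"zone (?P<zone>[^\s/]+)/IN: refused notify from non-master: "
    r"(?P<peer>\S+?)#(?P<port>\d+)")
# "transfer of 'example.com/IN' from 192.0.2.30#1053 failed to connect: ..."
XFER_RE = re.compile(
    r"transfer of '(?P<zone>[^\s/]+)/IN' from (?P<peer>\S+?)#(?P<port>\d+) "
    r"failed to connect: (?P<reason>.+)$")


class Event(NamedTuple):
    kind: str       # "refused-notify" or "transfer-failed"
    zone: str
    peer: str
    port: int
    reason: str     # empty for refused-notify


def parse_events(lines: List[str]) -> List[Event]:
    """Extract the two message types; every other log line is ignored."""
    events: List[Event] = []
    for line in lines:
        m = NOTIFY_RE.search(line)
        if m:
            events.append(Event("refused-notify", m["zone"], m["peer"],
                                int(m["port"]), ""))
            continue
        m = XFER_RE.search(line)
        if m:
            events.append(Event("transfer-failed", m["zone"], m["peer"],
                                int(m["port"]), m["reason"]))
    return events


def refused_notify_senders(events: List[Event]) -> Dict[str, int]:
    """Refused NOTIFYs per sender address. Each sender is, by definition,
    an address the slave does not have in masters {}: either a master's
    other interface that should be listed, or a source to look into."""
    return dict(Counter(e.peer for e in events if e.kind == "refused-notify"))


def transfer_failures(events: List[Event]) -> List[Tuple[str, str, int, str]]:
    """(zone, peer, port, reason) for every transfer that could not connect."""
    return [(e.zone, e.peer, e.port, e.reason)
            for e in events if e.kind == "transfer-failed"]


# Constructed log excerpt in the format quoted in the thread.
SAMPLE_LOG = [
    "Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: 192.0.2.30#59808",
    "Jun 30 14:03:55 hostname named[1865]: zone example.org/IN: refused notify from non-master: 192.0.2.30#59810",
    "Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from 192.0.2.30#1053 failed to connect: connection refused",
    "Jun 30 14:05:00 hostname named[1865]: zone example.com/IN: refused notify from non-master: 198.51.100.7#4242",
    "Jun 30 14:05:01 hostname named[1865]: client 192.0.2.99#1234: query (cache) 'example.com/A/IN' denied",
]

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("refused NOTIFY senders:", refused_notify_senders(evts))
    print("failed transfers:", transfer_failures(evts))
```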
How can I fake a part of domain?
How can I fake a part of domain?

Explanation of what I mean:

- There is an example.com domain somewhere on the internet (not under my control) that contains:
  www.example.com IP: 1.2.3.4
  www2.example.com ... IP: 11.22.33.44
- I have local DNS; and for my local network I fake to have the example.com domain.
- I would like to configure my local DNS (BIND) to:
  1. return the real IP (1.2.3.4) of www.example.com
  2. return a fake IP (11.11.11.11) of www2.example.com
  3. return an IP (99.99.99.99) of www3.example.com that does not really exist

No 1. has to forward the request to the real example.com DNS, but No 2. and 3. should fake the result.

Thank you.
Re: +, -, -E
On 06/21/10 14:06, Justin T Pryzby wrote:

On Mon, Jun 21, 2010 at 01:46:55PM -0500, Peter Laws wrote:

What do they mean? I can't find them and yes, I've googled and also grepped the docs on isc.org ...

Googling for symbols isn't easy.. http://www.isc.org/files/arm96.html#the_category_phrase

That's what I needed - thanks, all!

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
Re: Running both a cache-only and an authoritative server on the same server
On 06/17/10 08:36, Torsten wrote:
> On Thu, 17 Jun 2010 13:35:38 +0100, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>> On 17/06/10 12:39, Jørn Skjerven wrote:
>>> Is it possible to achieve this in a single named.conf, or is it recommended to run two instances of bind, each with a different listen-on ip statement?
>>
>> Sure. Use views:
>>
>>   view authoritative {
>>       recursion no;
>>       match-destinations { mycurrentip; };
>>       zone ...
>>   };
>>   view recursive {          // every view needs a distinct name
>>       recursion yes;
>>       match-destinations { myrecurseip; };
>>   };
>
> The important part seems to be on a secondary IP and afaik listen-on statements don't work inside of view statements.

Why not just have named run on as many interfaces as needed and let views sort it out? Views don't need to care which physical interface traffic is on.

--
Peter Laws / N5UWY
Re: using TXT fields
On 05/18/10 06:16, Chris Thompson wrote:
> On May 18 2010, fddi wrote:
>> I wanted to ask if using TXT fields can have some bad implication security issues
>
> It rather depends what you put in them, doesn't it?
>
>   hostname   TXT   "Root password is AndyPandy"
>   mc-room    TXT   "Entacode is 2038"

Post-Its are great, but they often fall off the monitor. This is a superior solution and has the benefit of being remotely accessible. Thanks for the pro tip!

--
Peter Laws / N5UWY
Dig 9.7 DNSSEC output
Hi, might be me, but I don't get it.

# dig @ns.nic.se nic.se ns +dnssec

; <<>> DiG 9.7.0-P1 <<>> @ns.nic.se nic.se ns +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15071
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nic.se.                        IN      NS

;; ANSWER SECTION:
nic.se.                 3600    IN      NS      ns2.nic.se.
nic.se.                 3600    IN      NS      ns3.nic.se.
nic.se.                 3600    IN      NS      ns.nic.se.
nic.se.                 3600    IN      RRSIG   NS 5 2 3600 20100517132001 20100507132001 20273 nic.se. Q9kNPVor5vCyji7XVDQMYAUcbhVTU43a/ftTBi04qXxe/AMkTO1m2C97 aRcSNG2dUWZsZ6TmaiqReMx1fARqjcP9fHHbdEtt3Oolvw9WH5KLd0Jg TnDql5bN1vUQpULOli86enlCBHCz5FWX5izQ7i+WmLKTI1zC+R9NYd3T G1g=

;; ADDITIONAL SECTION:
ns.nic.se.              3600    IN      A       212.247.7.228
ns.nic.se.              3600    IN      AAAA    2a00:801:f0:53::53
ns2.nic.se.             3600    IN      A       194.17.45.54
ns3.nic.se.             60      IN      A       212.247.3.83
ns.nic.se.              3600    IN      RRSIG   A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw=
ns.nic.se.              3600    IN      RRSIG   AAAA 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y=
ns2.nic.se.             3600    IN      RRSIG   A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM=
ns3.nic.se.             60      IN      RRSIG   A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU=

;; Query time: 35 msec
;; SERVER: 212.247.7.228#53(212.247.7.228)
;; WHEN: Sun May  9 17:22:05 2010
;; MSG SIZE  rcvd: 994

The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 AAAA and 4 RRSIG, in my book, sums up to 8. Without DNSSEC, it seems to be able to count correctly...

# dig @ns.nic.se nic.se ns

; <<>> DiG 9.7.0-P1 <<>> @ns.nic.se nic.se ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4920
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;nic.se.                        IN      NS

;; ANSWER SECTION:
nic.se.                 3600    IN      NS      ns2.nic.se.
nic.se.                 3600    IN      NS      ns.nic.se.
nic.se.                 3600    IN      NS      ns3.nic.se.

;; ADDITIONAL SECTION:
ns.nic.se.              3600    IN      A       212.247.7.228
ns.nic.se.              3600    IN      AAAA    2a00:801:f0:53::53
ns2.nic.se.             3600    IN      A       194.17.45.54
ns3.nic.se.             60      IN      A       212.247.3.83

;; Query time: 34 msec
;; SERVER: 212.247.7.228#53(212.247.7.228)
;; WHEN: Sun May  9 17:23:51 2010
;; MSG SIZE  rcvd: 153

Am I missing something? Or is this already reported? If so, what would be the correct channel?

R.
--Pj.
Peter Janssen
Technical Manager

Join us in June! EURid hosts ICANN's 38th meeting in Brussels. Find out more at brussels38.icann.org.

EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 2750
peter.jans...@eurid.eu
http://www.eurid.eu
RE: Dig 9.7 DNSSEC output
Hi Rick,

as per the header of the dig output:

  ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

Apart from that, I'm glad that my counting is still up to par :-)

R.
--Pj.
Peter Janssen

From: R Dicaire [mailto:dicai...@gmail.com]
Sent: Sunday, May 09, 2010 17:42
To: Peter Janssen
Cc: bind-users@lists.isc.org
Subject: Re: Dig 9.7 DNSSEC output

On Sun, May 9, 2010 at 11:24 AM, Peter Janssen <peter.jans...@eurid.eu> wrote:
> ;; ADDITIONAL SECTION:
> ns.nic.se.              3600    IN      A       212.247.7.228
> ns.nic.se.              3600    IN      AAAA    2a00:801:f0:53::53
> ns2.nic.se.             3600    IN      A       194.17.45.54
> ns3.nic.se.             60      IN      A       212.247.3.83
> ns.nic.se.              3600    IN      RRSIG   A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw=
> ns.nic.se.              3600    IN      RRSIG   AAAA 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y=
> ns2.nic.se.             3600    IN      RRSIG   A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM=
> ns3.nic.se.             60      IN      RRSIG   A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU=

I count 8 RRs. 3 A, 1 AAAA, 4 RRSIG. Where are you seeing 9?

--
aRDy Music/Rick Dicaire
http://www.ardynet.com
http://linux.ardynet.com
RE: Dig 9.7 DNSSEC output
Or this one:

# dig @j.ns.se se. dnskey +dnssec

; <<>> DiG 9.7.0-P1 <<>> @j.ns.se se. dnskey +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24743
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.                            IN      DNSKEY

;; ANSWER SECTION:
se.                     3600    IN      DNSKEY  257 3 5 A<snip>... EaRlZigUCp8=
se.                     3600    IN      DNSKEY  257 3 5 A<snip> 7TKYyQgsTlc=
se.                     3600    IN      DNSKEY  256 3 5 A<snip> 2oXgSod9
se.                     3600    IN      RRSIG   DNSKEY 5 1 3600 20100515203911 20100509131031 39547 se. g<snip> uAYDHw==
se.                     3600    IN      RRSIG   DNSKEY 5 1 3600 20100517001830 20100509131031 8779 se. v<snip> NRwr1A==

;; Query time: 17 msec
;; SERVER: 199.254.63.1#53(199.254.63.1)
;; WHEN: Sun May  9 18:54:10 2010
;; MSG SIZE  rcvd: 1311

One (1) additional announced, while there is not even an additional section. Maybe this is related to the EDNS0 stuff?

--Pj.
Peter Janssen

From: bind-users-bounces+peter.janssen=eurid...@lists.isc.org [mailto:bind-users-bounces+peter.janssen=eurid...@lists.isc.org] On Behalf Of Sten Carlsen
Sent: Sunday, May 09, 2010 17:48
To: bind-users@lists.isc.org
Subject: Re: Dig 9.7 DNSSEC output

On 09/05/10 17:24, Peter Janssen wrote:
> Hi, might be me, but I don't get it.
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

ADDITIONAL: 9

But as you count to 8, where is number 9? I seem to be counting as Peter here.

> The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 AAAA and 4 RRSIG, in my book, sums up to 8. Without DNSSEC, it seems to be able to count correctly...
>
> # dig @ns.nic.se nic.se ns
>
> ; <<>> DiG 9.7.0-P1 <<>> @ns.nic.se nic.se ns
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4920
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;nic.se.                        IN      NS
>
> ;; ANSWER SECTION:
> nic.se.                 3600    IN      NS      ns2.nic.se.
> nic.se.                 3600    IN      NS      ns.nic.se.
> nic.se.                 3600    IN      NS      ns3.nic.se.
>
> ;; ADDITIONAL SECTION:
> ns.nic.se.              3600    IN      A       212.247.7.228
> ns.nic.se.              3600    IN      AAAA    2a00:801:f0:53::53
> ns2.nic.se.             3600    IN      A       194.17.45.54
> ns3.nic.se.             60      IN      A       212.247.3.83
>
> ;; Query time: 34 msec
> ;; SERVER: 212.247.7.228#53(212.247.7.228)
> ;; WHEN: Sun May  9 17:23:51 2010
> ;; MSG SIZE  rcvd: 153
>
> Am I missing something? Or is this already reported? If so, what would be the correct channel?
>
> R.
> --Pj.
> Peter Janssen

--
Best regards
Sten Carlsen
No improvements come from shouting: "MALE BOVINE MANURE!!!"
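The ninth record is the EDNS OPT pseudo-RR itself: it travels in the additional section and is counted in the header's ARCOUNT, and dig prints it separately under OPT PSEUDOSECTION rather than in the ADDITIONAL SECTION listing. The following added example (not from the thread) builds a small constructed response in wire format and parses it to show that accounting; the OPT record's CLASS field is also where the sender's UDP payload size (the "udp: 4096" dig displays) is carried. The message is constructed, not a capture from ns.nic.se.

```python
"""Build a DNS response carrying an EDNS OPT pseudo-RR and parse it, showing
that the OPT sits in the additional section and is counted in ARCOUNT.
Constructed sample data; not a capture from any real server."""
import struct

OPT_TYPE = 41  # EDNS OPT pseudo-RR type (RFC 6891)

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Return (name, offset just past it); follows compression pointers."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            end = end if jumped else off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def rr(name: bytes, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """Serialise one resource record (owner name already wire-encoded)."""
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_sample_response() -> bytes:
    """Constructed NS answer for nic.se: 1 NS, 1 glue A, 1 OPT (udp 4096, DO)."""
    qname = encode_name("nic.se")
    # id, flags qr|aa|rd = 0x8500, QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=2
    header = struct.pack("!HHHHHH", 0x3ADF, 0x8500, 1, 1, 0, 2)
    question = qname + struct.pack("!HH", 2, 1)  # QTYPE NS, QCLASS IN
    answer = rr(qname, 2, 1, 3600, encode_name("ns.nic.se"))
    glue = rr(encode_name("ns.nic.se"), 1, 1, 3600, bytes([212, 247, 7, 228]))
    # OPT: root owner name; CLASS carries the sender's UDP payload size (the
    # value edns-udp-size advertises); TTL packs ext-rcode/version/flags, DO=0x8000
    opt = rr(b"\x00", OPT_TYPE, 4096, 0x00008000, b"")
    return header + question + answer + glue + opt

def parse_response(msg: bytes) -> dict:
    """Walk every section; count ordinary additional RRs apart from the OPT."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    result = {"arcount": ar, "additional_real_rrs": 0, "opt": None}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section != "additional":
                continue
            if rtype == OPT_TYPE:  # the pseudo-RR dig prints as OPT PSEUDOSECTION
                result["opt"] = {"udp_payload_size": rclass,
                                 "version": (ttl >> 16) & 0xFF,
                                 "do": bool(ttl & 0x8000)}
            else:
                result["additional_real_rrs"] += 1
    return result

if __name__ == "__main__":
    r = parse_response(build_sample_response())
    print(f"ARCOUNT={r['arcount']} ordinary={r['additional_real_rrs']} OPT={r['opt']}")
```

With the sample message ARCOUNT is 2 while only one ordinary additional record exists, the same off-by-one that makes dig's header say 9 for the 8 records it lists.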
Re: Master server offline
On 05/07/10 06:49, Chris Thompson wrote:
> Sure - just step into your time machine, go back to before the master server died, and increase the SOA.expire value there so that it gets propagated to the slave(s) in time.

If he has a small number of slaves, the OP may not need a Tardis. It's possible to just edit the cache files. It's UGLY, you need to make sure you hit all the slaves, and they will get overwritten the instant your master returns from the dead ... but that latter's a good thing.

About this master being offline for some time due to a disk failure ... that policy may need review. If the OP serves his organization's DNS, it's pretty darn critical that customers be able to resolve their DNS info.

--
Peter Laws / N5UWY
Re: [OT] MSDN use google apps for email hosting
On 05/07/10 09:22, Jeff Pang wrote:
> Though this is off-topic, I'm surprised that msdn.net (microsoft developer networks) has been using google's apps for email hosting. It is not commercial for MS, isn't it?
>
>   msdn.net   MX preference = 30, mail exchanger = aspmx4.googlemail.com

Funny, yes, but whois doesn't seem to point to M$ in any way. Independent?

--
Peter Laws / N5UWY
Re: ftp.isc.org back up
On 05/06/10 13:27, Lightner, Jeff wrote:
> They can't fool us - we know it was caused by the J server DNSSEC issue.

Damn that DNSSEC!!! :-D

--
Peter Laws / N5UWY
RE: Preparing for upcoming DNSSEC changes on 5/5
> It may be the person that suggested setting it was under the misapprehension that the two values would be the same but the quote from the Java testing tool made it clear that is NOT the case.

I think this is it exactly. But someone in the thread seemed pretty certain that we needed to set our packet size to what the test reported, which just didn't make sense.

OK, so, bring on the End Of The Internet tomorrow!

Peter
Re: Preparing for upcoming DNSSEC changes on 5/5
On 01/-10/37 13:59, Kalman Feher wrote:
> Second, make sure the tested effective size appears in your named.conf in the options statement edns-udp-size on your resolver. In your case:
>
>   edns-udp-size 3843;

Mine are all saying "x.x.x.x sent EDNS buffer size 4096" when I run the dns-oarc.net test, which I assume is the default. I, too, get the "3843 at least" value. Why would I set it to 3843? Wouldn't I want it to be set to 4096 even if *some* device between here and dns-oarc.net only allows that smaller value?

I just woke up to this issue, sorry to say. Interestingly, it didn't come up (directly) during the Educause webinar about DNSSEC last week (.edu will be signed in July).

--
Peter Laws / N5UWY
Re: Preparing for upcoming DNSSEC changes on 5/5
On 05/03/10 14:56, Kalman Feher wrote:
> You probably should. Your resolver is saying it's capable of handling 4096, but apparently your network path may not support that. The changes on the

The network path to dns-oarc.net doesn't, but that doesn't really mean anything. To some resolvers, the path may support 4096 while to others it is 591. Who knows where the constriction is?

I still don't see the point of setting it to something *smaller* than the default unless I knew for certain that MY stuff couldn't handle a larger size. 12 of the 16 hops twixt here and there are far beyond my control (and the other 4 only marginally :-). Besides, we've seen one example where setting it smaller results in yet a smaller result.

--
Peter Laws / N5UWY
RE: Preparing for upcoming DNSSEC changes on 5/5
Yes, I get all that. But earlier in the thread, I noted that:

> Mine are all saying "x.x.x.x sent EDNS buffer size 4096" when I run the dns-oarc.net test, which I assume is the default. I, too, get the "3843 at least" value. Why would I set it to 3843? Wouldn't I want it to be set to 4096 even if *some* device between here and dns-oarc.net only allows that smaller value?

We've already had one anecdote of someone that also got 3843, setting edns-udp-size, re-running the test and getting a smaller number. Makes no sense to me to set it at less than the 4096-byte default unless *I* had faulty network equipment.

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center / Web
University of Oklahoma Information Technology
pl...@ou.edu

From: ma...@isc.org [ma...@isc.org]
Sent: Monday, May 03, 2010 20:19
To: Laws, Peter C.
Cc: bind-us...@isc.org
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

In message <4bdf4b79.4050...@ou.edu>, Peter Laws writes:
> On 05/03/10 16:19, Mark Andrews wrote:
>> The test is a rough guide to the maximum packet size supported by the path.
>
> So what would be the point of using edns-udp-size to something even smaller? None I can see ... What am I missing?

There is a difference between what the path is capable of and what named will try to use. Named will try 4096 and 512 bytes, by default.

Let's say the path is only capable of handling unfragmented IPv4 packets. You then have a path limit of ~1460 (depends on how many IP in IP tunnels there are in the path). If the response is bigger than 1460 it won't get through, named will timeout, try a different server, timeout, try a different server, timeout and then send requests advertising a 512 byte buffer instead of 4096 which will get through usually with TC set and named will then fallback to TCP.

Now we do the same with a edns-udp-size set to 1460. The response will no longer be > 1460 so it is unlikely to be fragmented and it gets through first time. Depending upon where the response is truncated it will have TC set or not. Some parts of some responses are optional.

We have eliminated 3 timeouts and an almost certain TCP query by setting edns-udp-size to match the path characteristics.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
shut down: operation canceled on zone transfer
Hello,

I have a primary and secondary nameserver which host a number of domains. Recently, the secondary has started failing to sync one of the domains, and comes up with the following...

  Apr 19 10:46:06 fw2 named[24065]: transfer of 'mydomain.com.au/IN' from 203.XXX.YYY.ZZZ#53: shut down: operation canceled
  Apr 19 10:46:06 fw2 named[24065]: transfer of 'mydomain.com.au/IN' from 203.XXX.YYY.ZZZ#53: end of transfer

The zone file on the zone fails to update. All other domains (200+) are replicating perfectly. I am not seeing anything unusual in the logfiles on the primary - it shows that the zone has been transferred.

I've tried making a copy of the zonefile as a test on the master as a new test domain, and transferring that to the slave, and it works fine - so I think I can discount any errors in the zonefile itself. I've also tried reverting to a copy of the primary zone file from two weeks ago, and this hasn't helped.

Anyone have any clues? Bind version bind-9.2.4 under CentOS on both servers.

Ta,
P
--
peter skipworth
argo open solutions
mob 0413 962 064
ph 03 9820 0536
fax 03 8610 0379
em p...@argoinf.com
Re: shut down: operation canceled on zone transfer
Mark Andrews wrote:
> In message <4bcbb36f.6040...@argoinf.com>, Peter Skipworth writes:
>> Hello,
>>
>> I have a primary and secondary nameserver which host a number of domains. Recently, the secondary has started failing to sync one of the domains, and comes up with the following...
>>
>>   Apr 19 10:46:06 fw2 named[24065]: transfer of 'mydomain.com.au/IN' from 203.XXX.YYY.ZZZ#53: shut down: operation canceled
>>   Apr 19 10:46:06 fw2 named[24065]: transfer of 'mydomain.com.au/IN' from 203.XXX.YYY.ZZZ#53: end of transfer
>
> What else is being logged? Can you transfer the zone using dig from the slave, from somewhere else?

I've just tried - if I try and transfer any other zone using dig from the same secondary, it works. If I try transferring the 'broken' zone, it sits there for about 30 seconds and then comes back with nothing at all. I see a few messages on the primary stating AXFR started. If I try from another secondary, it works, though.

So the problem would appear to be on the initial secondary server? I have no idea what it could be though?

Thanks for your help, Mark.

P
--
peter skipworth
argo open solutions
mob 0413 962 064
ph 03 9820 0536
fax 03 8610 0379
em p...@argoinf.com
Re: Re: Delegation - what needs to be there?
On 01/-10/37 13:59, Barry Margolin wrote:
>> Or do I need to provide glue records in the delegated zone ... probably not, but thought I'd better ask.
>
> The only time you're required to provide glue is when a subzone is delegated to a nameserver whose name is in the subzone, to prevent a chicken-and-egg problem.

This is what I thought but thought I'd make doubly certain. Thanks!

Peter
--
Peter Laws / N5UWY