Re: Multi-master (HA)

2014-05-07 Thread Peter Andreev
Well, we use two masters in different locations, w/o DLZ. Files for
signed zones are generated from databases and uploaded to the
servers. What we need here is propagation of DDNS plus periodic
synchronization of zones, journals, etc.

Regarding zone templates - I'm using them with NSD4 and I'm totally
happy. Actually I don't have words to emphasize how much I love those
templates!

2014-05-08 2:06 GMT+04:00 Lawrence K. Chen, P.Eng. :
>
>
> On 05/06/14 13:39, Evan Hunt wrote:
>> On Tue, May 06, 2014 at 06:20:11PM +, Baird, Josh wrote:
>>> Hi,
>>>
>>> For those of you who operate at multiple sites or datacenters, are you
>>> doing any HA for your BIND masters?  Ideally, we would have a master in
>>> each datacenter; maybe not an active one, but one that is standing by in
>>> case your primary master becomes unavailable.
>>>
>>> Do you have multiple "active" masters and list them as master in each of
>>> your slave's zone definitions?  This seems like it could get rather
>>> messy.  One thought is to use a technology like VMWare SRM which will
>>> spin up a master/virtual machine automatically in a second datacenter if
>>> your primary master goes down.  This coupled with Layer2 connectivity
>>> between your sites could make things fairly simple.  The
>>> standby/secondary master would retain the same IP address as your
>>> primary, so everything should just *work*.
>>>
>>> What are others doing?  Any thoughts, ideas or advice is much
>>> appreciated.
>>
>> Thank you for bringing this up.  As it happens, high-availability/
>> multi-master support in BIND is something we've been seriously considering
>> for a future release.  There's been a lot of internal discussion of use
>> cases, requirements, and possible design approaches.
>>
>> I don't want to influence the conversation here by saying too much about
>> the ideas we've had so far, but I wanted to say: if anyone has specific
>> thoughts on how to make this sort of thing easier in BIND -- even just at
>> the level of "boy, it irritates me that I can't make BIND do " --
>> such comments will fall on welcoming ears.
>>
>
> I hadn't thought of doing multi-master...but the issue of promoting a slave to
> master for DR had come up.  At the time the problem was DNSSEC.  It's one thing
> for the slave to become master, it's another when it needs to change entries in
> the zone file to redirect key web-services to DR instances. (at the time, it
> was create two signed zone files each time...and secure transfer the second
> one out of band...but no DR web servers were ever setup, so both were
> identical files and eventually got scrapped. The issue of raw vs text on
> secondaries came up after abandonment.  But, DR comes up now and
> then...recently it's using DNS appliances and cloud...
>
> OTOH, the idea of multi-master is intriguing...the only down side I see, is
> that I have one really powerful server for my current master (Sun Fire
> X4170) and my other servers are weak leftovers...just passed EOL last
> year.  And, having all the servers doing full DNSSEC signing could be
> interesting.
>
> It also raises the question of how does the outside world cope with all the
> servers having identical zones...signed on slightly different times, etc.
> (especially since I'm using unix timestamp for zone serial...avoids issues of
> multiple admins incrementing serial without noticing others and/or collisions
> with DNSSEC's incrementing of serials.)
>
> But, it shouldn't be too hard to implement since, our nameservers are managed
> by CFEngine.  And, it makes possible for all my name servers to have both
> internal and external views.  Instead of having to have separate external
> slaves and internal slaves.  (and other issues that I'm still working through
> with having this...namely my recursive caching servers hitting external
> slaves instead of internal slaves...)
>
> Things have gotten more complicated since we started allowing vanity internal
> names...before it was one subdomain that only existed on internal, and
> everybody had to put their host in there, as -host..ksu.edu
> but then certain VIPs wanted host..ksu.edu to work even though its a
> 10.x.x.x address.
>
> It would also mean one of our satellite campuses that refuses to use our
> caching servers (and even sent our server that was providing the service for
> their campus back, which they had firewalled their users from using while it
> was there)...can have their own caching servers work without needing to
> understand that our whois record doesn't list our stealth/internal
> nameservers...which is why they can't resolve any internal services and need
> to track down somebody to give them the 10.x.x.x IP and having their users use
> that, etc.
>
> Wonder if they know about the change in forwarding on my caching resolvers to 
> AD?
>
> --
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- & SafeZone Ally

Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Peter Andreev
2014-04-24 13:46 GMT+04:00 Carsten Strotmann :
> Hello Jeronimo,
>
> "Jeronimo L. Cabral"  writes:
>
>> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian,
>> Windows 7, Red Hat and CentOS.
>>
>> If we implement DNSSEC validation support in our BIND9 server...how
>> can I know if our hosts' resolvers are compatible with DNSSEC queries
>> ???
>>
>
> Client host resolvers are usually not DNSSEC aware today. Certain
> applications (browser with a DNSSEC validator plugin, postfix MTA ...)
> running on a client can be DNSSEC aware.
>
> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled; for older versions you need to enable it
> manually in the configuration.
>
> Legacy (non DNSSEC aware) clients will send just regular DNS queries
> towards the BIND 9 caching resolver. BIND 9 will send queries with the
> "DO"-Flag (DNSSEC OK) towards the authoritative DNS server in the
> network. For DNSSEC signed zones, BIND 9 will validate the DNSSEC
> data. If the data validates without issues, the data is returned to
> the client as normal DNS (no DNSSEC). If the data fails to validate, the
> bad data is not sent to the clients; instead a "SERVFAIL" error message
> is sent to the client.

Actually a resolver sends the client an answer with the AD (authenticated
data) bit set if the response from the authoritative server is successfully
validated.  If the zone in question isn't secured by DNSSEC, then the client
receives the response without the AD bit. If validation fails - SERVFAIL.

>
> DNSSEC is backwards compatible in the sense that you can enable DNSSEC
> validation without the need to make changes to legacy clients.
>
> Windows 7 and Windows 8 clients can build a special trust relationship
> with an AD integrated Windows DNS Server to secure the "last mile"
> between the client and the resolving DNS cache. However to my knowledge
> this is not possible with Windows and a BIND 9 DNS.

IPSec, AFAIK.

>
> Best regards
>
> Carsten
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
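The three outcomes the thread describes (AD bit set after successful validation, no AD bit for an unsigned zone, SERVFAIL when validation fails) as seen on the wire by a client, written as an added example that is not code from the thread. The three responses are constructed inline; the names and 192.0.2.x addresses are documentation placeholders.

```python
"""Decode what a validating BIND 9 cache hands back to a client.

Added example, not from the thread. Builds three minimal DNS responses
in wire format and reads the header fields a client can act on: RCODE
and the AD (authenticated data) flag.
"""
import struct

NOERROR, SERVFAIL = 0, 2
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(txid, rcode, ad, qname, answer_ip=None):
    """Constructed response: header, one A/IN question, optional single A answer."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if answer_ip:
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, offset):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def inspect_response(msg):
    """Decode the header and state what a stub resolver should conclude."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, _ = decode_name(msg, 12) if qdcount else ("", 12)
    rcode = flags & 0xF
    ad = bool(flags & FLAG_AD)
    if rcode == SERVFAIL:
        verdict = "servfail"     # validation failed (or other resolver-side error); no data handed out
    elif rcode == NOERROR and ad:
        verdict = "validated"    # every RRset in the answer passed DNSSEC validation
    else:
        verdict = "unvalidated"  # unsigned zone, or the cache is not validating
    return {"id": txid, "qname": qname, "rcode": rcode, "ad": ad,
            "answers": ancount, "verdict": verdict}


if __name__ == "__main__":
    # Note: per RFC 6840 a validating cache sets AD only for clients that asked
    # for it (DO or AD bit in the query); a purely legacy stub sees neither.
    for m in (build_response(1, NOERROR, True, "www.example.com", "192.0.2.1"),
              build_response(2, NOERROR, False, "www.example.net", "192.0.2.2"),
              build_response(3, SERVFAIL, False, "bogus.example")):
        print(inspect_response(m))
```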


Re: Bind vs flood

2014-02-28 Thread Peter Andreev
However, if you choose the second action, then your tech support should be
ready.


2014-02-28 13:36 GMT+04:00 Peter Andreev :

> Well, at first glance it looks like malicious activity, so the best action
> is to call all users suspected of sending such requests and warn them.
> The fast and very (very-very-very) dirty solution is to set up the zone
> 84822258.com on your resolver. This
> should suppress outgoing queries and thus minimize resolving time.
>
>
> 2014-02-28 12:06 GMT+04:00 Dmitry Rybin :
>
> On 27.02.2014 09:59, Dmitry Rybin wrote:
>>
>>> Bind answers with "Server failure". On high load (4 qps) all normal
>>> clients can get SERVFAIL on a good query, or a query can take more than 2-3
>>> seconds.
>>>
>>
>> I made a mistake: 4'000 QPS.
>>
>>
>
>
>
> --
> Is there any problem Exterminatus cannot solve? I have not found one yet.
>
>


-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.

Re: Bind vs flood

2014-02-28 Thread Peter Andreev
Well, at first glance it looks like malicious activity, so the best action
is to call all users suspected of sending such requests and warn them.
The fast and very (very-very-very) dirty solution is to set up the zone
84822258.com on your resolver. This should
suppress outgoing queries and thus minimize resolving time.


2014-02-28 12:06 GMT+04:00 Dmitry Rybin :

> On 27.02.2014 09:59, Dmitry Rybin wrote:
>
>> Bind answers with "Server failure". On high load (4 qps) all normal
>> clients can get SERVFAIL on a good query, or a query can take more than 2-3
>> seconds.
>>
>
> I made a mistake: 4'000 QPS.
>
>



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.

Re: Bind vs flood

2014-02-26 Thread Peter Andreev
Hi Dmitry,

If your problem is a lot of strange queries, then there are two ways:

1. You operate an open resolver. If you can, restrict it to a limited
scope of clients; otherwise the only way you can lower the number of incoming
queries is DPI;
2. You operate a non-open resolver. Then you can find who is sending these
queries and ask them to stop.




2014-02-27 9:59 GMT+04:00 Dmitry Rybin :

> The flood began over 2 weeks ago. A lot of queries:
>
> niqcs.www.84822258.com
> vbhea.www.84822258.com
> abpqeftuijklm.www.84822258.com
> adcbefmzidmx.www.84822258.com
> and many others.
>
> Bind answers with "Server failure". On high load (4 qps) all normal clients
> can get SERVFAIL on a good query, or a query can take more than 2-3 seconds.
>
> Recursion clients via "rndc status": 300-500.
>
> I can try to use rate limit:
> rate-limit {
> nxdomains-per-second 10;
> errors-per-second 10;
> nodata-per-second 10;
> };
> I do not see any improvement.
>
> Found one way out of this situation: add the flood zones locally.
>
> What can we do in this situation?
>



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
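Peter's second case (a non-open resolver, where you find who is sending the queries) needs the random-subdomain pattern Dmitry reports to be picked out of the query log. The following is an added example, not code from the thread: it runs over constructed lines in BIND 9 querylog format, flags a suffix whose leftmost labels are almost all distinct, and ranks the clients behind it. The 192.0.2.x client and 203.0.113.53 server addresses are documentation placeholders; only the 84822258.com names come from Dmitry's report.

```python
"""Detect a random-subdomain flood in BIND query logs and rank its senders.

Added example, not from the thread. The log text is constructed in BIND 9
querylog format; addresses are documentation placeholders.
"""
import re
from collections import defaultdict

# "client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server-ip>)"
LOG_RE = re.compile(r"client (?P<ip>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

SAMPLE_LOG = """\
28-Feb-2014 09:59:01.101 client 192.0.2.10#41234: query: niqcs.www.84822258.com IN A + (203.0.113.53)
28-Feb-2014 09:59:01.102 client 192.0.2.10#41235: query: vbhea.www.84822258.com IN A + (203.0.113.53)
28-Feb-2014 09:59:01.103 client 192.0.2.11#53011: query: abpqeftuijklm.www.84822258.com IN A + (203.0.113.53)
28-Feb-2014 09:59:01.104 client 192.0.2.10#41236: query: adcbefmzidmx.www.84822258.com IN A + (203.0.113.53)
28-Feb-2014 09:59:01.105 client 192.0.2.11#53012: query: qpwoeiruty.www.84822258.com IN A + (203.0.113.53)
28-Feb-2014 09:59:01.106 client 192.0.2.20#60001: query: www.example.com IN A + (203.0.113.53)
28-Feb-2014 09:59:01.107 client 192.0.2.21#60002: query: www.example.com IN AAAA + (203.0.113.53)
28-Feb-2014 09:59:01.108 client 192.0.2.22#60003: query: mail.example.com IN MX + (203.0.113.53)
28-Feb-2014 09:59:01.109 client 192.0.2.10#41237: query: zzkdjfhsl.www.84822258.com IN A + (203.0.113.53)
"""


def parse_queries(text):
    """Yield (client_ip, qname) for every line in querylog format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip(".")


def find_flood_suffixes(text, min_unique=5, min_unique_ratio=0.9):
    """Group queries by everything right of the leftmost label.

    A suffix whose leftmost labels are almost all distinct is the signature of
    a random-subdomain flood: each query misses the cache and forces a fresh
    recursion, which is what drives the resolver into SERVFAIL under load.
    Returns one finding per suspicious suffix, clients ranked by query count.
    """
    per_suffix = defaultdict(lambda: {"total": 0, "labels": set(), "clients": defaultdict(int)})
    for ip, qname in parse_queries(text):
        label, _, suffix = qname.partition(".")
        if not suffix:              # single label, nothing to group by
            continue
        s = per_suffix[suffix]
        s["total"] += 1
        s["labels"].add(label)
        s["clients"][ip] += 1

    findings = []
    for suffix, s in per_suffix.items():
        unique = len(s["labels"])
        if unique >= min_unique and unique / s["total"] >= min_unique_ratio:
            ranked = sorted(s["clients"].items(), key=lambda kv: (-kv[1], kv[0]))
            findings.append({"suffix": suffix, "queries": s["total"],
                             "unique_labels": unique, "clients": ranked})
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for f in find_flood_suffixes(SAMPLE_LOG):
        print(f"{f['suffix']}: {f['queries']} queries, {f['unique_labels']} distinct labels")
        for ip, n in f["clients"]:
            print(f"  {ip}: {n}")
```

The flagged suffix is the name Peter's local-zone workaround would cover; the ranked clients are the ones to contact in the non-open case.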

Re: listen-to clusterIP address

2013-06-05 Thread Peter Andreev
2013/6/5 Phil Mayers 

> On 06/05/2013 07:37 PM, paul wrote:
>
>> Hi. I have a two node active passive cluster serving webpages. When a
>> failover occurs, I have to restart named on the now active node because
>>
>
> You don't have to restart it. "rndc reconfig" will re-check the IPs on the
> machine and re-listen.
>
>
This definitely will not work if BIND dropped privileges after start.


>
>  the cluster Ip was not available when named originally started even
>> though I have listen-to the cluster ip listed in my named.conf. Is there
>> a way to make named listen-to an ip address that is not yet available?
>>
>
The simplest way, I think, is to configure the cluster IP on the loopback
interface and set up routing.


>
> No. This has come up before - the bind listen-on statement is an ACL which
> is matched against the list of IPs on the box, not a list of IPs passed to
> the bind() syscall. There are various solutions, but "rndc reconfig" is the
> right one IMO.
>
>



-- 
AP

Re: reverse zone of type forward when /28 subnet

2012-12-29 Thread Peter Andreev
Actually, Mark's advice is much better.

2012/12/29 Dmitri Tarkhov :
> Hi,
> this finally works:
>
> view "reverse1" IN {
> recursion yes;
>
> zone "z.y.x.in-addr.arpa" IN { type forward; forward only;
> forwarders { A; B; }; };
>
>
> zone "localhost" IN { type master;
> file "master.localhost"; };
>
>
> zone "0.0.127.in-addr.arpa" IN { type master;
> file "localhst.rev"; };
> };
>
> And Happy New Year!
>
>
> Dmitri Tarkhov wrote:
>
>> Hi, all,
>>
>> thank you very much for the discussion. It was interesting and very useful.
>> You can pretty well imagine that I am not much involved with DNS;
>> I am rather a Unix and Unix HW guy.
>> Unfortunately I saw a DNS cache poisoning attack and although it could be
>> provoked by side effects it's better to get rid of it altogether.
>> For just 14 (241-254) addresses it is not difficult to maintain 2 types
>> of master zones in sync (RFC 2317 and RFC 1035) and it's enough to put a
>> couple of comment lines to not forget it later.
>> Yes, life is short but this is not a reason to not train the brain;
>> it can help to hook a life a bit longer ...
>> Bringing a stir to the chicken coop and requesting compliance is generally a
>> good idea and fingers itch but I don't expect much from our ISPs ...
>> So first I'll try "type forward" within a view,
>> then I'm sure one-address zones can serve me right.
>> I will also contact the ISP but without great expectations.
>>
>> Why I do all this is:
>> - enforce security
>> - assure stable mail exchange (which depends on reverse resolving)
>>
>> Mark Andrews wrote:
>>
>>> In message <50dcd454.2070...@dougbarton.us>, Doug Barton writes:
>>>
 On 12/27/2012 11:18 AM, Mark Andrews wrote:

> zone "241.Z.X.Y.IN-ADDR.ARPA" {
> type master;
> file "241.Z.X.Y.IN-ADDR.ARPA";
> };



 That's great locally, but it doesn't match the 2317 delegation from the
 upstream, and usually it's not possible to change what they send you.

 Or are you suggesting maintaining both the individual versions of the
 zones, and the 2317 zone?
>>>
>>>
>>>
>>>
>>> No.  I'm suggesting that they tell their ISP to do RFC 2317 right
>>> or do RFC 1035 delegations.   If their ISP won't do either change
>>> ISP.
>>>
>>>
 Doug
>>
>>
>>
>
> --
> Best regards,
> Dmitri Tarkhov
>



-- 
AP


Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
2012/12/27 Dmitri Tarkhov :
> Ok, thank you,
> I'll try views first of all.
>
> And I need some further clarification about this:
>
>> I just meant that fencing your resolver without really good reasons is
>> a bad idea.
>
> By "fencing your resolver" do you mean converting a dns
> server into only a source of information from its master zones
> cutting severely any unnecessary functionality or anything else?
> What is a bad idea and why?

You are trying to cut off some of the ways the resolver obtains information.
That is what I mean.

>
> In fact I want to do so because I want to protect it from
> cache poisoning and any other attack of forge nature.

I can't say these attacks are very common. Actually I can't recall any
cases of such attacks in the wild. Also, in-addr.arpa isn't a
good target.

As for now the best defence against cache poisoning is DNSSEC and
since we have signed all Russian TLDs you could implement it.

>
>
> Peter Andreev wrote:
>
>> 2012/12/27 Dmitri Tarkhov :
>>
>>> Hi,
>>> thanks a lot for the information.
>>> Contains key reason and sounds interesting.
>>>
>>> 1. Do you mean I can isolate zone "z.y.x.in-addr.arpa"
>>>   into  a separate view where recursion is enabled but all
>>>   other zones are excluded? If so, it's very promising.
>>
>>
>>
>> Actually, forwarding also doesn't work for queries without RD bit.
>> Such queries are being sent by resolver in normal circumstances.
>>
>>
>>> 2. Sorry, "Unbound" - is it just another dns server?
>>
>>
>>
>> Yep, it is recursive-only dns server. It has an option called
>> "local-zone", which is absolutely what you are looking for. Note that
>> Unbound has very limited capabilities to support authoritative data.
>>
>>
>>> 3. Thought about a script. I know Korn shell at a middle level.
>>>   Nobody prohibits maintaining yet another copy of the master zone.
>>
>>
>>
>> Nobody but zone owner.
>>
>>
>>>   But I don't want to indulge into such remote circumventions.
>>> 4. That's possible to not bother about the issue but for now
>>>   I am not ready to fold hands.
>>
>>
>>
>> I just meant that fencing your resolver without really good reasons is
>> a bad idea. If you do it "just for fun" in production environment, you
>> should think twice.
>>
>>
>>>
>>> Peter Andreev wrote:
>>>
>>>
>>>> Forwarding does not work without recursion enabled.
>>>>
>>>> There are a few ways to solve the problem:
>>>> 1. Using views;
>>>> 2. Using another dns resolver (for example Unbound);
>>>> 3. Downloading the zone via script (bad idea from any point);
>>>> 4. Do not bother where your resolver gets authoritative data (I'd
>>>> recommend this one).
>>>>
>>>> Actually, I'm afraid you won't be able to achieve your goal without
>>>> needless overcomplication.
>>>>
>>>> 2012/12/27 Dmitri Tarkhov :
>>>>
>>>>
>>>>> Well, it's Ok with that. I indeed am the owner of small reverse
>>>>>
>>>>> zone "255-241.z.y.x.in-addr.arpa" IN { type master;
>>>>> named in accordance with the rfc2317 CNAME trick and can edit it.
>>>>> The changes are transferred one way to the ISP side and make part of
>>>>> their zone "z.y.x.in-addr.arpa". So my changes are seen by the world.
>>>>> But this small subzone cannot be used for direct reverse resolving
>>>>> right
>>>>> at my dns. It can only be done at class C (or B, or A) granularity.
>>>>> So to achieve exactly what I want I need to pull somehow this class C
>>>>> zone "z.y.x.in-addr.arpa" to my dns. Either as slave zone (which is
>>>>> denied by ISP) or as forward zone which I cannot tune to work.
>>>>> Maybe some other approach unknown to me exists.
>>>>> Again, there is no problem with reverse resolving in general but
>>>>> I cannot achieve this directly at my dns, that is to receive a response
>>>>> from it no matter wherever it forwards the request or from where it
>>>>> gets the PTR records.
>>>>>
>>>>>
>>>>> Peter Andreev wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Please correct me i

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
2012/12/27 Dmitri Tarkhov :
> Hi,
> thanks a lot for the information.
> Contains key reason and sounds interesting.
>
> 1. Do you mean I can isolate zone "z.y.x.in-addr.arpa"
>into  a separate view where recursion is enabled but all
>other zones are excluded? If so, it's very promising.

Actually, forwarding also doesn't work for queries without RD bit.
Such queries are being sent by resolver in normal circumstances.

> 2. Sorry, "Unbound" - is it just another dns server?

Yep, it is recursive-only dns server. It has an option called
"local-zone", which is absolutely what you are looking for. Note that
Unbound has very limited capabilities to support authoritative data.

> 3. Thought about a script. I know Korn shell at a middle level.
>Nobody prohibits maintaining yet another copy of the master zone.

Nobody but zone owner.

>But I don't want to indulge into such remote circumventions.
> 4. That's possible to not bother about the issue but for now
>I am not ready to fold hands.

I just meant that fencing your resolver without really good reasons is
a bad idea. If you do it "just for fun" in production environment, you
should think twice.

>
>
> Peter Andreev wrote:
>
>> Forwarding does not work without recursion enabled.
>>
>> There are a few ways to solve the problem:
>> 1. Using views;
>> 2. Using another dns resolver (for example Unbound);
>> 3. Downloading the zone via script (bad idea from any point);
>> 4. Do not bother where your resolver gets authoritative data (I'd
>> recommend this one).
>>
>> Actually, I'm afraid you won't be able to achieve your goal without
>> needless overcomplication.
>>
>> 2012/12/27 Dmitri Tarkhov :
>>
>>> Well, it's Ok with that. I indeed am the owner of small reverse
>>>
>>> zone "255-241.z.y.x.in-addr.arpa" IN { type master;
>>> named in accordance with the rfc2317 CNAME trick and can edit it.
>>> The changes are transferred one way to the ISP side and make part of
>>> their zone "z.y.x.in-addr.arpa". So my changes are seen by the world.
>>> But this small subzone cannot be used for direct reverse resolving right
>>> at my dns. It can only be done at class C (or B, or A) granularity.
>>> So to achieve exactly what I want I need to pull somehow this class C
>>> zone "z.y.x.in-addr.arpa" to my dns. Either as slave zone (which is
>>> denied by ISP) or as forward zone which I cannot tune to work.
>>> Maybe some other approach unknown to me exists.
>>> Again, there is no problem with reverse resolving in general but
>>> I cannot achieve this directly at my dns, that is to receive a response
>>> from it no matter wherever it forwards the request or from where it
>>> gets the PTR records.
>>>
>>>
>>> Peter Andreev wrote:
>>>
>>>
>>>> Please correct me if I'm wrong: you'd like to edit PTR records for
>>>> your part of the /24 zone?
>>>> If so, what does your ISP say about rfc2317?
>>>>
>>>> 2012/12/27 Dmitri Tarkhov :
>>>>
>>>>
>>>>> Hi,
>>>>> I've searched the list archives and Google and don't see anything
>>>>> to answer my question subj.
>>>>> we have let's say x.y.z.240/28 subnet and BIND 9.9.2-P1.
>>>>> We want to have a master DNS without unnecessary extra functionality.
>>>>> (Including no caching)
>>>>>
>>>>> This is the named.conf with obscured addresses:
>>>>> # cat /dns992/etc/named.conf
>>>>> key "rndc-key" { ... };
>>>>> controls { ... };
>>>>> acl nameservers { A; B; };
>>>>> options { directory "/var/named";
>>>>> allow-query { any; };
>>>>> recursion no;
>>>>> version "Some Server";
>>>>> listen-on { x.y.z.w; };
>>>>> pid-file "/var/run/named.pid";
>>>>> };
>>>>> zone "company" IN { type master;
>>>>>   file "company.dat";
>>>>>   allow-transfer { nameservers; };
>>>>> };
>>>>> zone "255-241.z.y.x.in-addr.arpa" IN { type master;
>>>>>   file "company.rev";
>>>>>   allow-transfer { nameservers; };
>>>>> };
>>>>> zone "z.y.x.in-addr.arpa" IN { type forward; forward

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
Forwarding does not work without recursion enabled.

There are a few ways to solve the problem:
1. Using views;
2. Using another dns resolver (for example Unbound);
3. Downloading the zone via script (bad idea from any point);
4. Do not bother where your resolver gets authoritative data (I'd
recommend this one).

Actually, I'm afraid you won't be able to achieve your goal without
needless overcomplication.

2012/12/27 Dmitri Tarkhov :
> Well, it's Ok with that. I indeed am the owner of small reverse
>
> zone "255-241.z.y.x.in-addr.arpa" IN { type master;
> named in accordance with the rfc2317 CNAME trick and can edit it.
> The changes are transferred one way to the ISP side and make part of
> their zone "z.y.x.in-addr.arpa". So my changes are seen by the world.
> But this small subzone cannot be used for direct reverse resolving right
> at my dns. It can only be done at class C (or B, or A) granularity.
> So to achieve exactly what I want I need to pull somehow this class C
> zone "z.y.x.in-addr.arpa" to my dns. Either as slave zone (which is
> denied by ISP) or as forward zone which I cannot tune to work.
> Maybe some other approach unknown to me exists.
> Again, there is no problem with reverse resolving in general but
> I cannot achieve this directly at my dns, that is to receive a response
> from it no matter wherever it forwards the request or from where it
> gets the PTR records.
>
>
> Peter Andreev wrote:
>
>> Please correct me if I'm wrong: you'd like to edit PTR records for
>> your part of the /24 zone?
>> If so, what does your ISP say about rfc2317?
>>
>> 2012/12/27 Dmitri Tarkhov :
>>
>>> Hi,
>>> I've searched the list archives and Google and don't see anything
>>> to answer my question subj.
>>> we have let's say x.y.z.240/28 subnet and BIND 9.9.2-P1.
>>> We want to have a master DNS without unnecessary extra functionality.
>>> (Including no caching)
>>>
>>> This is the named.conf with obscured addresses:
>>> # cat /dns992/etc/named.conf
>>> key "rndc-key" { ... };
>>> controls { ... };
>>> acl nameservers { A; B; };
>>> options { directory "/var/named";
>>>  allow-query { any; };
>>>  recursion no;
>>>  version "Some Server";
>>>  listen-on { x.y.z.w; };
>>>  pid-file "/var/run/named.pid";
>>> };
>>> zone "company" IN { type master;
>>>file "company.dat";
>>>allow-transfer { nameservers; };
>>> };
>>> zone "255-241.z.y.x.in-addr.arpa" IN { type master;
>>>file "company.rev";
>>>allow-transfer { nameservers; };
>>> };
>>> zone "z.y.x.in-addr.arpa" IN { type forward; forward only;
>>>forwarders { intranet.1; }; };
>>>
>>> //zone "z.y.x.in-addr.arpa" IN { type slave;
>>> //file "z_y_x_in-addr.arpa";
>>> //masters { A; B; };
>>> //};
>>>
>>> zone "localhost" IN { type master;
>>>file "master.localhost";
>>>allow-update { none; };
>>> };
>>> zone "0.0.127.in-addr.arpa" IN { type master;
>>>file "localhst.rev";
>>>notify no;
>>> };
>>>
>>> Direct resolving works fine. Our subzone is delegated from ISP properly.
>>> dig +trace shows due CNAMEs and in general reverse resolving works as
>>> well.
>>> But I want to achieve reverse resolving on our DNS itself.
>>> It is a quite natural desire, to be self sufficient or at least pretend
>>> to
>>> be,
>>> isn't it ...
>>> The simplest way to achieve that would be to have a slave zone for the
>>> whole
>>> class C network x.y.z.0/24 but the ISP doesn't allow zone transfer.
>>> I can understand why transfers of direct zones are limited by security
>>> reasons. But reverse zones do not contain any private subdomains or
>>> whatever.
>>> There is nothing in the reverse zone that cannot be collected by simple
>>> queries. And, BTW nothing to hide.
>>> Well, another way would be to have a reverse zone for z.y.x.in-addr.arpa
>>> of type forward with forward only clause and due forwarders.
>>> But it doesn't seem to work. I've tried external forwarders including
>>> 8.8.8.8 + 8.8.8.4 without success and now stick with our internal dns
>>

Re: reverse zone of type forward when /28 subnet

2012-12-27 Thread Peter Andreev
Please correct me if I'm wrong: you'd like to edit PTR records for
your part of the /24 zone?
If so, what does your ISP say about rfc2317?

2012/12/27 Dmitri Tarkhov :
> Hi,
> I've searched the list archives and Google and don't see anything
> to answer my question subj.
> we have let's say x.y.z.240/28 subnet and BIND 9.9.2-P1.
> We want to have a master DNS without unnecessary extra functionality.
> (Including no caching)
>
> This is the named.conf with obscured addresses:
> # cat /dns992/etc/named.conf
> key "rndc-key" { ... };
> controls { ... };
> acl nameservers { A; B; };
> options { directory "/var/named";
>   allow-query { any; };
>   recursion no;
>   version "Some Server";
>   listen-on { x.y.z.w; };
>   pid-file "/var/run/named.pid";
> };
> zone "company" IN { type master;
> file "company.dat";
> allow-transfer { nameservers; };
> };
> zone "255-241.z.y.x.in-addr.arpa" IN { type master;
> file "company.rev";
> allow-transfer { nameservers; };
> };
> zone "z.y.x.in-addr.arpa" IN { type forward; forward only;
> forwarders { intranet.1; }; };
>
> //zone "z.y.x.in-addr.arpa" IN { type slave;
> //file "z_y_x_in-addr.arpa";
> //masters { A; B; };
> //};
>
> zone "localhost" IN { type master;
> file "master.localhost";
> allow-update { none; };
> };
> zone "0.0.127.in-addr.arpa" IN { type master;
> file "localhst.rev";
> notify no;
> };
>
> Direct resolving works fine. Our subzone is delegated from ISP properly.
> dig +trace shows due CNAMEs and in general reverse resolving works as well.
> But I want to achieve reverse resolving on our DNS itself.
> It is a quite natural desire, to be self sufficient or at least pretend to
> be,
> isn't it ...
> The simplest way to achieve that would be to have a slave zone for the whole
> class C network x.y.z.0/24 but the ISP doesn't allow zone transfer.
> I can understand why transfers of direct zones are limited by security
> reasons. But reverse zones do not contain any private subdomains or
> whatever.
> There is nothing in the reverse zone that cannot be collected by simple
> queries. And, BTW nothing to hide.
> Well, another way would be to have a reverse zone for z.y.x.in-addr.arpa
> of type forward with forward only clause and due forwarders.
> But it doesn't seem to work. I've tried external forwarders including
> 8.8.8.8 + 8.8.8.4 without success and now stick with our internal dns
> at "intranet/24".1
> This internal dns produces perfect reverse resolving but only for internal
> users, of course the "internals" acl includes the address of external dns.
> It has this set of options:
> options {
> directory "/var/named";
> forward first;
> version "not available";
> forwarders { A; B; };
> allow-query { internals; };
> allow-transfer { "none"; };
> allow-recursion { internals; };
> listen-on { intranet.1; };
> };
>
> What I have when performing reverse resolving at external dns is:
>>
>> x.y.z.k
>
> Server: x.y.z.w
> Address:x.y.z.w#53
>
> ** server can't find k.z.y.x.in-addr.arpa: REFUSED
>
> and setting set d2 in nslookup v9.9.2 doesn't reveal anything
> catching attention although I see that there is an attempt to
> contact the forwarder.
>
> trying origin "company.internal" (obscured as well)
> recursive query
> add_question()
> starting to render the message
> done rendering
> create query 0x402a4010 linked to lookup 0x82168c0
> do_lookup()
> send_udp(0x402a4010)
> bringup_timer()
> have local timeout of 5
> working on lookup 0x82168c0, query 0x402a4010
> sockcount=1
> recving with lookup=0x82168c0, query=0x402a4010, sock=0x402a5008
> recvcount=1
> sending a request
> unlock_lookup dighost.c:3530
> lock_lookup dighost.c:2328
> success
> send_done()
> sendcount=0
> check_if_done()
> list empty
> unlock_lookup dighost.c:2357
> recv_done()
> lock_lookup dighost.c:3053
> success
> recvcount=0
> lookup=0x82168c0, query=0x402a4010
> before parse starts
> after parse
> next_origin()
>
> So for some reason the list is empty and recvcount=0 in the second
> occasion.
> From the same shell, from the very same nslookup instance with
>>
>> server 
>
> the reverse lookup is OK.
>
> And of course I am more interested in some working solution than
> digging in subtleties of traces provided that I don't need to
> allow recursion and forward in general options section for
> my external dns.
>
> I look forward for any suggestions, working examples, corrections,
> sources of indepth information. TIA.
>
> --
> Best regards,
> Dmitri Tarkhov
>



-- 
AP
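The reverse zone name Dmitri is after (z.y.x.in-addr.arpa for the network x.y.z.0/24) can be derived mechanically from the prefix, and the same rule gives the owner names of the PTR records inside it. The Python below is an added example, not code from this thread or from BIND; it computes the in-addr.arpa or ip6.arpa zone for a prefix on an octet or nibble boundary and the PTR owner names of hosts in it, and goes beyond the /24 in the post by handling IPv6 the way the arpaname utility mentioned later on this page does. All addresses are constructed documentation ranges.

```python
import ipaddress


def canon(name):
    """Lowercase a DNS name and drop any trailing dot."""
    return name.lower().rstrip(".")


def reverse_zone(prefix):
    """Reverse (in-addr.arpa / ip6.arpa) zone name covering a CIDR prefix.
    Reverse zones are delegated at label boundaries, so the prefix must be
    octet-aligned (IPv4) or nibble-aligned (IPv6)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles[: net.prefixlen // 4])
        suffix = "ip6.arpa"
    return ".".join(list(reversed(labels)) + [suffix])


def ptr_owner(address, zone_prefix=None):
    """Full PTR owner name for an address; with zone_prefix, the owner name
    relative to that zone (what goes in the zone file under $ORIGIN)."""
    addr = ipaddress.ip_address(address)
    full = addr.reverse_pointer          # e.g. 7.113.0.203.in-addr.arpa
    if zone_prefix is None:
        return full
    if addr not in ipaddress.ip_network(zone_prefix, strict=True):
        raise ValueError(f"{address} is not inside {zone_prefix}")
    zone = reverse_zone(zone_prefix)
    if not full.endswith("." + zone):
        raise ValueError(f"{full} is not under {zone}")
    return full[: -len(zone) - 1]


def ptr_zone_records(zone_prefix, hosts, ttl=3600):
    """Render a $ORIGIN line plus PTR records (relative owners) for the
    reverse zone of zone_prefix.  hosts maps address -> hostname."""
    lines = [f"$ORIGIN {reverse_zone(zone_prefix)}."]
    for address, hostname in sorted(hosts.items(),
                                    key=lambda kv: ipaddress.ip_address(kv[0])):
        lines.append(f"{ptr_owner(address, zone_prefix)}\t{ttl}\tIN\tPTR\t"
                     f"{canon(hostname)}.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed hosts in a documentation /24 and a documentation /64.
    print(ptr_zone_records("203.0.113.0/24", {"203.0.113.7": "mail.example.com"}))
    print(ptr_zone_records("2001:db8:1::/64", {"2001:db8:1::a": "www.example.com"}))
```

For a forward-type reverse zone of the kind Dmitri describes, `reverse_zone("x.y.z.0/24")` is exactly the zone name to put in the `zone "..." { type forward; ... }` stanza; for anything narrower than a /24 the function refuses, because such a range cannot be a single in-addr.arpa zone.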

Re: Strange issue with signed zone

2012-11-09 Thread Peter Andreev
2012/11/9 Peter Andreev :
> 2012/11/9 Tony Finch :
>> Peter Andreev  wrote:
>>>
>>> We signed another zone and met the same problem again. The only
>>> difference is algorithm - now it is RSASHA256.
>>>
>>> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
>>> > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
>>> > Recently we realised that our servers don't generate NSEC3 for signed 
>>> > zone.
>>> > Problem has gone after we restarted BIND instances.
>>>
>>> We are using views, could it be related?
>>
>> Did you add an NSEC3PARAM record?
>
> Yes, we did.
>

Actually, without a restart the servers generated neither NSEC3 nor NSEC.

>>
>> The signing algorithms that support NSEC3 use NSEC by default unless the
>> zone has an NSEC3PARAM record.
>>
>> Tony.
>> --
>> f.anthony.n.finch  http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
>> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
>> occasionally poor at first.
>
>
>
> --
> AP



-- 
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Strange issue with signed zone

2012-11-09 Thread Peter Andreev
2012/11/9 Tony Finch :
> Peter Andreev  wrote:
>>
>> We signed another zone and met the same problem again. The only
>> difference is algorithm - now it is RSASHA256.
>>
>> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
>> > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
>> > Recently we realised that our servers don't generate NSEC3 for signed zone.
>> > Problem has gone after we restarted BIND instances.
>>
>> We are using views, could it be related?
>
> Did you add an NSEC3PARAM record?

Yes, we did.

>
> The signing algorithms that support NSEC3 use NSEC by default unless the
> zone has an NSEC3PARAM record.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.



-- 
AP
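Tony's point, that a signer builds an NSEC3 chain only once an NSEC3PARAM record exists at the apex, is easier to see when you look at what that record supplies: the hash algorithm, flags, iteration count and salt that turn every owner name into the hashed owner of its NSEC3 record. The Python below is an added example, not code from this thread or from BIND; it parses NSEC3PARAM rdata, computes the RFC 5155 hashed owner name (SHA-1, iterated, Base32hex), and tells an NSEC zone from an NSEC3 zone by the presence of that record. The zone records in the test are constructed; the hash check uses the RFC 5155 Appendix A parameters.

```python
import base64
import hashlib

# Base32 (RFC 4648) alphabet -> Base32hex alphabet, which is what NSEC3 uses.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(rdata):
    """Parse 'alg flags iterations salt' as written in an NSEC3PARAM RR.
    A salt of '-' means no salt (RFC 5155 section 3.3)."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length, terminated by the empty root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(owner, nsec3param_rdata):
    """Hashed owner name per RFC 5155 section 5: H(name || salt), then
    'iterations' more rounds of H(previous || salt), rendered as lowercase
    Base32hex the way BIND prints NSEC3 owner names."""
    alg, _flags, iterations, salt = parse_nsec3param(nsec3param_rdata)
    if alg != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    digest = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")   # 20 bytes -> 32 chars, no padding
    return b32.translate(_B32_TO_B32HEX).lower()


def denial_chain(zone_apex, records):
    """Which denial-of-existence chain a signer will build for a zone given
    its records as (owner, type, rdata) tuples: NSEC3 only when an NSEC3PARAM
    record sits at the apex, otherwise plain NSEC."""
    apex = zone_apex.rstrip(".").lower()
    for owner, rtype, _rdata in records:
        if rtype == "NSEC3PARAM" and owner.rstrip(".").lower() == apex:
            return "NSEC3"
    return "NSEC"


if __name__ == "__main__":
    params = "1 0 12 aabbccdd"   # RFC 5155 Appendix A example parameters
    for name in ("example", "a.example", "ns1.example"):
        print(f"{nsec3_hash(name, params)}.example.  <- {name}")
```

The `denial_chain` check is the one to run before concluding that "NSEC3 is not being generated": with no NSEC3PARAM at the apex the signer is doing exactly what it should, and the fix is to add the record (with `nsupdate` or `rndc signing -nsec3param`, depending on the BIND version) rather than to restart anything.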


Re: Strange issue with signed zone

2012-11-08 Thread Peter Andreev
Hi everybody!

We signed another zone and met the same problem again. The only
difference is algorithm - now it is RSASHA256.

> We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
> signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> Recently we realised that our servers don't generate NSEC3 for signed zone.
> Problem has gone after we restarted BIND instances.

We are using views, could it be related?


-- 
AP


Re: Using BIND-DLZ for a hidden master [was: Re: dns master-slave transfer]

2012-11-01 Thread Peter Andreev
2012/11/1 Chris Thompson :
> On Oct 29 2012, Feng He wrote:
>
>> 于 2012-10-29 9:58, kavin 写道:
>>>
>>> Now,I want transfer the zone data from the master dns serverto slave
>>> dns server ,the master dns use bind-dlz+mysql and the slave dns server
>>> use bind+file.
>>
>>
>> AFAIK, BIND DLZ doesn't send a notify message to slave, so both your
>> master and slave should be able to use the DLZ backend and run a mysql
>> replication for data sync.
>
>
> That exchange prompts me to ask whether anyone has managed to use
> BIND-DLZ in something like the following scenario.
>
> We have a hidden master for vanity zones (we call them something else
> for the punters) that runs in a small footprint virtual machine
> together with the web server providing the updating interface. The
> latter stores the data in a MySQL database.
>
> At the moment there is a crontab that extracts data from that database
> and updates zone files (if they need changing - there are some neat-o
> optimisations) and does an "rndc reload" on the hidden master daemon.
> That NOTIFYs the public nameservers for the zones, which are in fact
> our regular authoritative-only ones.
>
> It seems that one ought to be able to use BIND-DLZ to cut out a step
> there, but none of the how-to's for it seem to address this sort of
> scenario, and the NOTIFY issue is particularly relevant. Fast responses
> from the hidden master to queries are certainly *not* a requirement here,
> and indeed we expect to be able to operate with it (and its MySQL database)
> down for significant periods.
>
> On the other hand, there is also a possibility that we might want to sign
> the vanity zones (we use JANET, Nominet and Gandi for their registrations,
> who all support signed delegations now), and how that would interact with
> BIND-DLZ might also be an issue. Can one use BIND 9.9 "inline signing"
> with the unsigned version provided by a DLZ interface?

In our case (big zones, distant servers) we have found DLZ very
inefficient because of the huge overhead due to AXFRs. Another problem is
the absence of NOTIFYs.

As for me, the way your system works now is much simpler, more
predictable and more reliable than DLZ.

>
> --
> Chris Thompson
> Email: c...@cam.ac.uk

-- 
AP
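The part of Chris's crontab approach worth getting right is the "if they need changing" test: bump the serial on every run and the public servers transfer for nothing; fail to bump it when content changed and they never transfer at all. The Python below is an added example of that decision, not Chris's script; it renders a zone from database rows, compares the result with the previous file while ignoring the SOA serial, and only when something else differs assigns a new YYYYMMDDnn serial so that a reload and NOTIFY are worthwhile. The rows and hidden-master names are constructed.

```python
import re
from datetime import datetime, timezone

SOA_FMT = "{owner}\t3600\tIN\tSOA\t{mname} {rname} {serial} 7200 3600 1209600 3600"
# Matches 'IN SOA <mname> <rname> <serial>' and captures the serial.
_SERIAL_RE = re.compile(r"(\bIN\s+SOA\s+\S+\s+\S+\s+)(\d+)")


def render_zone(apex, mname, rname, serial, rows):
    """Render rows of (owner, ttl, type, rdata) as zone-file text.  Rows are
    sorted so that identical data always renders identically, which is what
    makes the textual comparison below meaningful."""
    lines = [f"$ORIGIN {apex}", "$TTL 3600",
             SOA_FMT.format(owner="@", mname=mname, rname=rname, serial=serial)]
    for owner, ttl, rtype, rdata in sorted(rows):
        lines.append(f"{owner}\t{ttl}\tIN\t{rtype}\t{rdata}")
    return "\n".join(lines) + "\n"


def current_serial(zone_text):
    m = _SERIAL_RE.search(zone_text)
    return int(m.group(2)) if m else None


def content_changed(old_text, new_text):
    """True when anything other than the SOA serial differs."""
    def without_serial(text):
        return _SERIAL_RE.sub(r"\g<1>SERIAL", text)
    return without_serial(old_text) != without_serial(new_text)


def next_serial(old_serial, today=None):
    """Next YYYYMMDDnn serial; 'today' is an int such as 20120315 (defaults to
    the current UTC date).  RFC 1982 only needs the serial to grow, so if the
    old serial already sits at or beyond today's base we just add one."""
    if today is None:
        today = int(datetime.now(timezone.utc).strftime("%Y%m%d"))
    base = today * 100
    if old_serial is None or old_serial < base:
        return base
    return old_serial + 1


def regenerate(old_text, apex, mname, rname, rows, today=None):
    """Return (zone_text, reload_needed).  When only the serial would change,
    the old file is returned unchanged and no rndc reload / NOTIFY is due."""
    old_serial = current_serial(old_text) if old_text else None
    candidate = render_zone(apex, mname, rname, old_serial or 0, rows)
    if old_text is not None and not content_changed(old_text, candidate):
        return old_text, False
    serial = next_serial(old_serial, today)
    return render_zone(apex, mname, rname, serial, rows), True


if __name__ == "__main__":
    rows = [("@", 3600, "NS", "ns1.example.net."), ("www", 300, "A", "192.0.2.10")]
    text, reload_needed = regenerate(None, "example.com.", "ns1.example.net.",
                                     "hostmaster.example.com.", rows)
    print(text, "reload:", reload_needed)
```

In a cron job the `reload_needed` flag gates the write of the zone file and the `rndc reload <zone>` call; because the serial only moves when content moved, the NOTIFY that follows always carries a transfer worth doing.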

Re: TTL for name servers

2012-06-06 Thread Peter Andreev
2012/6/6 Mark Andrews 

>
> In message  c...@mail.gmail.com>
> , Alexander Gurvitz writes:
> > Hi.
> >
> > TTL returned by YOUR zone authoritative server will (at least should) be
> > preferred by caches.
> >
> > Matt Larson from verisign explained on these:
> >
> > http://www.merit.edu/mail.archives/nanog/2004-07/msg00255.html
> >
> > Regards,
> > Alexander Gurvitz,
> > net-me.net
>
> The TTL of NS records is complicated, as the existence of the delegation
> is covered by the parent's NS records but the contents of the NS
> records come from the child zone.  Named looks at both TTLs to
> determine when to remove the NS RRset.
>

Mark, could you please describe the algorithm used by BIND? Does it
choose the NS RRset with the lowest TTL, or something else?


> https://deepthought.isc.org/article/AA-00691/
>
> If you are wanting to work out when to decommission a nameserver, take the
> maximum of the two NS RRsets after they have both been updated as when it
> is safe to decommission.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>



-- 
AP

Re: TTL for name servers

2012-06-05 Thread Peter Andreev
Just to clarify, let's assume that you maintain the zone example.be. Let's also
say that in the .be zone the TTL for your NSes is 86400 and the TTL for the NSes
in your zone is 345600.

In such a scenario the latter will be cached by the resolver because it is the
authoritative data. In some resolver implementations this behaviour can be
overridden.

To replace a nameserver with a new one I would do the following:
1. set up the new server;
2. send updates to the parent zone;
3. wait for the TTL mentioned in my zone (for the example above, 345600);
4. shut down the old server(s).

2012/6/5 hugo hugoo 

>  Dear all,
>
> Can anyone clarify to me the use of the TTL for a NS record?
>
> Let’s take the example of a *.be domain.
>
> A TTL value is present on both locations.
>
> 1) In a dns.be server (for example x.dns.be): in my example here
> below, value is 86400
>
> 2) In the name server itself: in my example here below, value is 345600
>
> If we plan to change the name server to be used for a certain domain, do
> we have to change the TTL in the dns.be?
>
> Is this possible?
>
> Is this value that all the cache servers use?
>
> If yes…what about the TTL value of the name server itself?
>
> Thanks in advance for any useful feedback,
>
> Hugo,
>
> *Example:*
>
> dig @localhost google.be NS +trace
>
> ; <<>> DiG 9.6-ESV-R4 <<>> @localhost google.be NS +trace
> ; (1 server found)
> ;; global options: +cmd
> .   502894  IN  NS  f.root-servers.net.
> .   502894  IN  NS  g.root-servers.net.
> .   502894  IN  NS  h.root-servers.net.
> .   502894  IN  NS  a.root-servers.net.
> .   502894  IN  NS  i.root-servers.net.
> .   502894  IN  NS  b.root-servers.net.
> .   502894  IN  NS  j.root-servers.net.
> .   502894  IN  NS  c.root-servers.net.
> .   502894  IN  NS  k.root-servers.net.
> .   502894  IN  NS  l.root-servers.net.
> .   502894  IN  NS  d.root-servers.net.
> .   502894  IN  NS  m.root-servers.net.
> .   502894  IN  NS  e.root-servers.net.
> ;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> be. 172800  IN  NS  m.ns.dns.be.
> be. 172800  IN  NS  x.dns.be.
> be. 172800  IN  NS  london.ns.dns.be.
> be. 172800  IN  NS  prague.ns.dns.be.
> be. 172800  IN  NS  brussels.ns.dns.be.
> be. 172800  IN  NS  amsterdam.ns.dns.be.
> ;; Received 307 bytes from 198.41.0.4#53(a.root-servers.net) in 27 ms
>
> google.be.  86400   IN  NS  ns2.google.com.
> google.be.  86400   IN  NS  ns1.google.com.
> google.be.  86400   IN  NS  ns4.google.com.
> google.be.  86400   IN  NS  ns3.google.com.
> ;; Received 109 bytes from 193.190.135.4#53(brussels.ns.dns.be) in 1 ms
>
> google.be.  345600  IN  NS  ns4.google.com.
> google.be.  345600  IN  NS  ns1.google.com.
> google.be.  345600  IN  NS  ns3.google.com.
> google.be.  345600  IN  NS  ns2.google.com.
> ;; Received 173 bytes from 216.239.36.10#53(ns3.google.com) in 18 ms
>



-- 
AP
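Mark's rule (a resolver may be holding either the parent's or the child's NS RRset, so wait for the larger of the two TTLs after both have been updated) and Peter's four-step checklist can be checked directly against a `dig +trace`. The Python below is an added example, not code from this thread; it parses trace output of the kind Hugo pasted, separates the parent's referral for the name from the authoritative answer the child's own server gives, and returns both TTLs, the decommissioning wait, and whether the two NS sets agree. The embedded trace is the be./google.be part of the quoted output, trimmed to fit.

```python
import re

# Trimmed from the dig +trace output quoted above (root referral omitted).
TRACE = """\
be. 172800  IN  NS  x.dns.be.
be. 172800  IN  NS  brussels.ns.dns.be.
;; Received 307 bytes from 198.41.0.4#53(a.root-servers.net) in 27 ms

google.be.  86400   IN  NS  ns2.google.com.
google.be.  86400   IN  NS  ns1.google.com.
google.be.  86400   IN  NS  ns4.google.com.
google.be.  86400   IN  NS  ns3.google.com.
;; Received 109 bytes from 193.190.135.4#53(brussels.ns.dns.be) in 1 ms

google.be.  345600  IN  NS  ns4.google.com.
google.be.  345600  IN  NS  ns1.google.com.
google.be.  345600  IN  NS  ns3.google.com.
google.be.  345600  IN  NS  ns2.google.com.
;; Received 173 bytes from 216.239.36.10#53(ns3.google.com) in 18 ms
"""

_NS_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")
_FROM = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\)")


def canon(name):
    """Lowercase a DNS name and drop any trailing dot."""
    return name.lower().rstrip(".")


def parse_trace(text):
    """Split a +trace into the responses it is made of: a list of
    (responding server, {owner: (ttl, set of NS targets)})."""
    responses, current = [], {}
    for line in text.splitlines():
        m = _NS_RR.match(line)
        if m:
            owner, ttl, target = canon(m.group(1)), int(m.group(2)), canon(m.group(3))
            _, targets = current.setdefault(owner, (ttl, set()))
            targets.add(target)
            continue
        m = _FROM.match(line)
        if m:                      # end of one server's response
            responses.append((canon(m.group(1)), current))
            current = {}
    return responses


def ns_ttls(text, name):
    """Parent-side and child-side NS TTLs for a name.  In a +trace the name's
    NS set first shows up as a referral from the parent's server and last as
    the authoritative answer from one of the name's own servers."""
    name = canon(name)
    seen = [(server, data[name]) for server, data in parse_trace(text) if name in data]
    if len(seen) < 2:
        raise ValueError("trace lacks either the referral or the answer for " + name)
    (_, (parent_ttl, parent_set)), (child_server, (child_ttl, child_set)) = seen[0], seen[-1]
    if child_server not in child_set:
        raise ValueError(f"{child_server} answered but is not one of the zone's NS")
    return {
        "parent_ttl": parent_ttl,
        "child_ttl": child_ttl,
        # Either RRset may still be cached somewhere, so wait for the longer one.
        "safe_to_decommission_after": max(parent_ttl, child_ttl),
        # Parent and child disagreeing is the classic sign of a half-done NS change.
        "ns_mismatch": parent_set != child_set,
    }


if __name__ == "__main__":
    print(ns_ttls(TRACE, "google.be"))
```

Run against a live trace (`dig +trace <zone> NS`), the result is the number Peter's step 3 waits for, with the parent TTL also taken into account as Mark recommends; a `ns_mismatch` of True means step 2 has not fully propagated yet and the clock should not be started.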

Re: Can I build a new DNS/BIND system parallel to our existing DNS production system?

2012-05-03 Thread Peter Andreev
Hello, Samad,

Another way to estimate your query rate is to use the system's UDP counters. It is
not as precise as query logging, but it doesn't cause a performance drop at
high query rates and is accurate enough for an estimate.

2012/5/4 Samad Agha 

> Thanks Daniel, I really appreciate your help.
>
> SA
>
> On Thu, May 3, 2012 at 1:34 PM, Daniel Deighton 
> wrote:
>
>>
>>
>> On 05/03/2012 02:44 PM, Samad Agha wrote:
>> > Thanks for your help Eivind.
>> >
>> >>Depends, how long is a piece of string? I don't know what amount of
>> >>traffic you're currently seeing, or what your uptime requirements are.
>> >
>> > - Are there tools to find out about current amount of traffic?
>> > - Our uptime requirements are basically from 6am to 6pm during city's
>> > business hours.
>> >
>> >>Estimate what amount of traffic you're seeing during prime time. How
>> > many >queries per second?
>> >
>> > - Again, how do I find out?
>>
>> It is fairly easy to find out your query load using BIND. You will just
>> need to enable query logging (if it isn't already enabled) and use the
>> data to calculate your queries per second from the data.
>>
>> Getting the information from your Windows DNS servers is not as easy.
>> You will likely need to put your Windows DNS servers into debug mode to
>> get any sort of query logging and the output isn't exactly pretty. You
>> could also get the data by taking packet captures and/or using a tool
>> such as dnssnarf, dnsdump or some other tool that another list member
>> might recommend.
>>
>> >
>> >>I'd normally not recommend running BIND on slower
>> > multi-threaded Sun/Oracle >servers like the T-series, you'll normally be
>> > better off with fewer threads but >higher clock speeds from typical
>> > Intel/AMD systems.(caveat: I haven't bench->marked BIND 9.9.x, which
>> > might have improved this).
>> >
>> > - Currently I have two:
>> >  Dell PowerEdge 2950 servers with two Intel Xeon 3.0GHZ CPUs, and
>> > 4GB RAM each running RHEL 5.8 OS
>> >
>> >
>> > Thanks again,
>> > SA
>> >
>> >
>>
>
>
>



-- 
AP
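Daniel's query-log method and Peter's UDP-counter shortcut both come down to counting events per second over a known interval. The Python below is an added example, not code from this thread; it computes the peak and average queries per second from BIND query-log lines, and an inbound datagram rate from two snapshots of the `Udp:` lines of Linux `/proc/net/snmp`, which is the kind of system counter Peter has in mind. Both inputs are constructed; the counter figure covers every UDP datagram the host received, not just port 53, so on a box that does more than DNS it is an upper bound.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed lines in the format of BIND's 'queries' logging category.
QUERY_LOG = """\
03-May-2012 14:44:01.101 queries: info: client 192.0.2.10#51234: query: www.example.com IN A +
03-May-2012 14:44:01.402 queries: info: client 192.0.2.11#40001: query: mail.example.com IN MX +
03-May-2012 14:44:01.903 queries: info: client 192.0.2.12#53001: query: example.com IN SOA +
03-May-2012 14:44:02.250 queries: info: client 192.0.2.10#51235: query: www.example.com IN AAAA +
03-May-2012 14:44:03.004 queries: info: client 192.0.2.13#61000: query: ns1.example.com IN A +
"""

# Constructed /proc/net/snmp excerpts taken 60 seconds apart.
SNMP_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1500000 12 0 1499900 0 0
"""
SNMP_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1506000 12 0 1505850 0 0
"""

_TS = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} queries: ")


def qps_from_query_log(text):
    """Bucket query-log lines by second; returns (peak qps, average qps)."""
    per_second = Counter()
    for line in text.splitlines():
        m = _TS.match(line)
        if m:
            per_second[datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")] += 1
    if not per_second:
        return 0, 0.0
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    return max(per_second.values()), sum(per_second.values()) / span


def udp_counters(text):
    """Parse the header/value pair of 'Udp:' lines from /proc/net/snmp."""
    rows = [line.split()[1:] for line in text.splitlines() if line.startswith("Udp:")]
    names, values = rows
    return dict(zip(names, map(int, values)))


def qps_from_udp_counters(before, after, seconds):
    """Inbound UDP datagrams per second between two snapshots.  This counts
    all UDP traffic, not only DNS, so treat it as an upper bound."""
    b, a = udp_counters(before), udp_counters(after)
    delta = a["InDatagrams"] - b["InDatagrams"]
    if delta < 0:
        raise ValueError("counter went backwards (reboot or wrap?)")
    return delta / seconds


if __name__ == "__main__":
    print("query log  peak/avg qps:", qps_from_query_log(QUERY_LOG))
    print("udp counter qps:", qps_from_udp_counters(SNMP_BEFORE, SNMP_AFTER, 60))
```

On a real host the two snapshots are simply `cat /proc/net/snmp` before and after a `sleep`, and the query log is the file the `queries` channel writes to; size the new servers against the peak figure, not the average.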

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
2012/4/19 Ellad G. Yatsko 

>  Nope. FreeBSD is not the master for sokol.msk.united-networks.ru. It
> delegates zone sokol.msk only.
> Not more.Master for sokol.msk.united-networks.ru is
> srvgate.sokol.msk.united-networks.ru (Ubuntu
> server).
>
> Indeed, now when I try nslookup sokol.msk.united-networks.ru - it returns
> me its IP. FreeBSD asks for zone
> information Ubuntu. Ubuntu answers. But when I try to resolve what is "
> ap-1131.sokol.msk.united-networks.ru"
> FreeBSD is silent as before. It does not ask Ubuntu. It does not return
> any IP: NXDOMAIN.
>
> Kind regards,
> Ellad
>

Is zone united-networks.ru listed in the external view? If so, does it have
records for sokol.msk.united-networks.ru?
Is the option "recursion yes" global or view-specific? Could you provide
configuration details for recursion and forwarding?

>
> 2012/4/19 Ellad G. Yatsko 
>
>>  Hello!
>> Here is output:
>> /etc/namedb> dig @172.16.0.1 sokol.msk.united-networks.ru. NS +norec
>>
>> ; <<>> DiG 9.4.3-P2 <<>> @172.16.0.1 sokol.msk.united-networks.ru. NS
>> +norec
>>
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14255
>> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;sokol.msk.united-networks.ru.  IN  NS
>>
>> ;; AUTHORITY SECTION:
>> sokol.msk.united-networks.ru. 3600 IN   NS
>> srvgate.sokol.msk.united-networks.ru.
>>
>>
>> ;; ADDITIONAL SECTION:
>> srvgate.sokol.msk.united-networks.ru. 3359 IN A 172.31.16.16
>> srvgate.sokol.msk.united-networks.ru. 3359 IN A 172.16.16.1
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 172.16.0.1#53(172.16.0.1)
>> ;; WHEN: Thu Apr 19 14:08:55 2012
>> ;; MSG SIZE  rcvd: 100
>>
>
> Looks good to me.
>
>
>> I noticed that after some time FreeBSD still tried to ask for
>> sokol.msk.united-networks.ru from Ubuntu (srvgate.sokol.msk).
>>
>> It happened after 2-3 minutes after "named" was restarted on FreeBSD. But
>> now FreeBSD doesn't ask for hosts in this zone.
>> All what I was doing during this time period - I restarted
>> freevrrp-daemon on FreeBSD machine. Could it be related to issue?
>>
>
> Is FreeBSD a master for sokol.msk.united-networks.ru? Looks like it is
> trying to send notifies.
>
>
>> Something very strange..  Another FreeBSD (9.0) works fine in the same
>> (or much like) conditions...
>>
>> Kind regards,
>> Ellad
>>
>> Hi,
>>
>> First of all, nslookup isn't a good tool for debugging DNS problems. Use dig
>> instead.
>>
>> Could you show the output of "dig @freebsdbox
>> sokol.msk.united-networks.ru. NS +norec" run from freebsd box itself?
>>
>>
>> 2012/4/19 Ellad G. Yatsko 
>>
>>>
>>> Hello!

I have FreeBSD 7.2 x64 installed. And Bind 9.4:

/etc/namedb> named -v
BIND 9.4.3-P2

I have zone "/united-networks.ru/" and I try to do the following:
...
$ORIGIN sokol.msk.united-networks.ru.
@   IN NS   srvgate
srvgate IN A172.31.16.16
$ORIGIN united-networks.ru.
...

As I understand I delegated the SOA (IN NS) to server with name
srvgate.sokol.msk.united-networks.ru ("srvgate" has no trailing "dot"
so domain "sokol.msk.united-networks.ru" from $ORIGIN operator will be
appended), then I placed "glue"-record with srvgate.sokol.msk's address.
It is because as I understood nameserver of delegated zone is in it.

From here I thought on the server 172.31.16.16 (it's Ubuntu) I must
receive DNS-requests related to zone sokol.msk.united-networks.ru. For
example if I try do nslookup sokol.msk.united-networks.ru on FreeBSD
7.2 x64. But:

/etc/bind# hostname -f
srvgate.sokol.msk.united-networks.ru
/etc/bind# tshark -ta -ni tun0 -R dns
Running as user "root" and group "root". This could be dangerous.
Capturing on tun0

...there is nothing! And FreeBSD issues NXDOMAIN. I say more - FreeBSD
tries to resolve name "sokol.msk.united-networks.ru" through its forwarder in
external world!

Where am I wrong? I simulated this situation with the same configurations
on Ubuntu (Bind 9.7.0-P1) and fresh-installed FreeBSD 9.0 x64 (Bind 9.8.1-P1).
All works fine!

-- related portion of named.conf --
options {
 directory   "/etc/namedb";
 pid-file"/var/run/named/pid";
 dump-file   "/var/dump/named_dump.db";
 statistics-fil

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
2012/4/19 Ellad G. Yatsko 

>  Hello!
> Here is output:
> /etc/namedb> dig @172.16.0.1 sokol.msk.united-networks.ru. NS +norec
>
> ; <<>> DiG 9.4.3-P2 <<>> @172.16.0.1 sokol.msk.united-networks.ru. NS
> +norec
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14255
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;sokol.msk.united-networks.ru.  IN  NS
>
> ;; AUTHORITY SECTION:
> sokol.msk.united-networks.ru. 3600 IN   NS
> srvgate.sokol.msk.united-networks.ru.
>
> ;; ADDITIONAL SECTION:
> srvgate.sokol.msk.united-networks.ru. 3359 IN A 172.31.16.16
> srvgate.sokol.msk.united-networks.ru. 3359 IN A 172.16.16.1
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.0.1#53(172.16.0.1)
> ;; WHEN: Thu Apr 19 14:08:55 2012
> ;; MSG SIZE  rcvd: 100
>

Looks good to me.


> I noticed that after some time FreeBSD still tried to ask for
> sokol.msk.united-networks.ru from Ubuntu (srvgate.sokol.msk).
> It happened after 2-3 minutes after "named" was restarted on FreeBSD. But
> now FreeBSD doesn't ask for hosts in this zone.
> All what I was doing during this time period - I restarted freevrrp-daemon
> on FreeBSD machine. Could it be related to issue?
>

Is FreeBSD a master for sokol.msk.united-networks.ru? Looks like it is
trying to send notifies.


> Something very strange..  Another FreeBSD (9.0) works fine in the same (or
> much like) conditions...
>
> Kind regards,
> Ellad
>
> Hi,
>
> First of all, nslookup isn't a good tool for debugging DNS problems. Use dig
> instead.
>
> Could you show the output of "dig @freebsdbox sokol.msk.united-networks.ru.
> NS +norec" run from freebsd box itself?
>
>
> 2012/4/19 Ellad G. Yatsko 
>
>>
>> Hello!
>>>
>>>I have FreeBSD 7.2 x64 installed. And Bind 9.4:
>>>
>>>/etc/namedb> named -v
>>>BIND 9.4.3-P2
>>>
>>>I have zone "/united-networks.ru/" and I try to do the following:
>>>...
>>>$ORIGIN sokol.msk.united-networks.ru.
>>>@   IN NS   srvgate
>>>srvgate IN A172.31.16.16
>>>$ORIGIN united-networks.ru.
>>>...
>>>
>>>As I understand I delegated the SOA (IN NS) to server with name
>>>srvgate.sokol.msk.united-networks.ru ("srvgate" has no trailing "dot"
>>>so domain "sokol.msk.united-networks.ru" from $ORIGIN operator will be
>>>appended), then I placed "glue"-record with srvgate.sokol.msk's address.
>>>It is because as I understood nameserver of delegated zone is in it.
>>>
>>>From here I thought on the server 172.31.16.16 (it's Ubuntu) I must
>>>receive DNS-requests related to zone sokol.msk.united-networks.ru. For
>>>example if I try do nslookup sokol.msk.united-networks.ru on FreeBSD
>>>7.2 x64. But:
>>>
>>>/etc/bind# hostname -f
>>>srvgate.sokol.msk.united-networks.ru
>>>/etc/bind# tshark -ta -ni tun0 -R dns
>>>Running as user "root" and group "root". This could be dangerous.
>>>Capturing on tun0
>>>
>>>...there is nothing! And FreeBSD issues NXDOMAIN. I say more - FreeBSD
>>>tries to resolve name "sokol.msk.united-networks.ru" through its forwarder in
>>>external world!
>>>
>>>Where am I wrong? I simulated this situation with the same configurations
>>>on Ubuntu (Bind 9.7.0-P1) and fresh-installed FreeBSD 9.0 x64 (Bind 9.8.1-P1).
>>>All works fine!
>>>
>>>-- related portion of named.conf --
>>>options {
>>> directory   "/etc/namedb";
>>> pid-file"/var/run/named/pid";
>>> dump-file   "/var/dump/named_dump.db";
>>> statistics-file "/var/stats/named.stats";
>>>
>>> listen-on   {
>>> 
>>> 127.0.0.1;
>>> 172.16.0.1;
>>> 172.16.1.1;
>>> 172.16.2.1;
>>> 172.31.0.1;
>>> };
>>>
>>> forwarders {
>>> 89.222.167.2;
>>> 8.8.8.8;
>>> };
>>> recursion yes;
>>> allow-recursion {0/0;};
>>>};
>>>
>>>...
>>>
>>>view internal {
>>> match-clients {
>>> 127.0.0.0/8;
>>> 172.16.0.0/12;
>>> };
>>>...
>>> zone "united-networks.ru" {
>>> type master;
>>> file "master/forward/united-networks.ru.internal";
>>> allow-transfer {
>>> 172.16.0.2;
>>> 172.16.16.2;
>>> 172.31.16.16;
>>> 172.31.17.0;
>>> 172.31.18.0;
>>> };
>>> };
>>>...
>>>};
>>>...
>>>

Re: Bind doesn't make zone delegation.

2012-04-19 Thread Peter Andreev
Hi,

First of all, nslookup isn't a good tool for debugging DNS problems. Use dig
instead.

Could you show the output of "dig @freebsdbox sokol.msk.united-networks.ru.
NS +norec" run from the FreeBSD box itself?


2012/4/19 Ellad G. Yatsko 

>
> Hello!
>>
>>I have FreeBSD 7.2 x64 installed. And Bind 9.4:
>>
>>/etc/namedb> named -v
>>BIND 9.4.3-P2
>>
>>I have zone "/united-networks.ru/" and I try to do the following:
>>...
>>$ORIGIN sokol.msk.united-networks.ru.
>>@   IN NS   srvgate
>>srvgate IN A172.31.16.16
>>$ORIGIN united-networks.ru.
>>...
>>
>>As I understand I delegated the SOA (IN NS) to server with name
>>srvgate.sokol.msk.united-networks.ru ("srvgate" has no trailing "dot"
>>so domain "sokol.msk.united-networks.ru" from $ORIGIN operator will be
>>appended), then I placed "glue"-record with srvgate.sokol.msk's address.
>>It is because as I understood nameserver of delegated zone is in it.
>>
>>From here I thought on the server 172.31.16.16 (it's Ubuntu) I must
>>receive DNS-requests related to zone sokol.msk.united-networks.ru. For
>>example if I try do nslookup sokol.msk.united-networks.ru on FreeBSD
>>7.2 x64. But:
>>
>>/etc/bind# hostname -f
>>srvgate.sokol.msk.united-networks.ru
>>/etc/bind# tshark -ta -ni tun0 -R dns
>>Running as user "root" and group "root". This could be dangerous.
>>Capturing on tun0
>>
>>...there is nothing! And FreeBSD issues NXDOMAIN. I say more - FreeBSD
>>tries to resolve name "sokol.msk.united-networks.ru" through its forwarder in
>>external world!
>>
>>Where am I wrong? I simulated this situation with the same configurations
>>on Ubuntu (Bind 9.7.0-P1) and fresh-installed FreeBSD 9.0 x64 (Bind 9.8.1-P1).
>>All works fine!
>>
>>-- related portion of named.conf --
>>options {
>> directory   "/etc/namedb";
>> pid-file"/var/run/named/pid";
>> dump-file   "/var/dump/named_dump.db";
>> statistics-file "/var/stats/named.stats";
>>
>> listen-on   {
>> 
>> 127.0.0.1;
>> 172.16.0.1;
>> 172.16.1.1;
>> 172.16.2.1;
>> 172.31.0.1;
>> };
>>
>> forwarders {
>> 89.222.167.2;
>> 8.8.8.8;
>> };
>> recursion yes;
>> allow-recursion {0/0;};
>>};
>>
>>...
>>
>>view internal {
>> match-clients {
>> 127.0.0.0/8;
>> 172.16.0.0/12;
>> };
>>...
>> zone "united-networks.ru" {
>> type master;
>> file "master/forward/united-networks.ru.internal";
>> allow-transfer {
>> 172.16.0.2;
>> 172.16.16.2;
>> 172.31.16.16;
>> 172.31.17.0;
>> 172.31.18.0;
>> };
>> };
>>...
>>};
>>...
>>--
>>
>>Kind regards,
>>Ellad
>>
>
>



-- 
AP
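The `dig ... NS +norec` check Peter asks for shows what the parent server actually hands out for the delegation; the same properties can be checked in the zone file before it is loaded. The Python below is an added example, not code from this thread or from BIND; it parses a small `$ORIGIN`-style zone fragment like Ellad's, finds every delegation point (an NS RRset owned by a name below the apex) and verifies that each in-bailiwick name server has a glue A/AAAA record, without which the referral is unusable. The zone text is built from the snippet quoted above, plus a constructed variant with the glue removed.

```python
# Built from the fragment Ellad quoted; the SOA and apex NS are constructed filler.
ZONE_OK = """\
$ORIGIN united-networks.ru.
@       IN SOA  ns1 hostmaster 2012041901 3600 900 1209600 3600
@       IN NS   ns1
ns1     IN A    172.16.0.1
$ORIGIN sokol.msk.united-networks.ru.
@       IN NS   srvgate
srvgate IN A    172.31.16.16
$ORIGIN united-networks.ru.
"""
# Constructed broken variant: delegation without glue for the in-zone server.
ZONE_NO_GLUE = "\n".join(l for l in ZONE_OK.splitlines()
                         if not l.startswith("srvgate")) + "\n"


def canon(name):
    return name.lower().rstrip(".")


def qualify(name, origin):
    """Make a name absolute: '@' is the origin, a trailing dot means absolute,
    anything else is relative to the origin."""
    if name == "@":
        return origin
    return canon(name) if name.endswith(".") else f"{name.lower()}.{origin}"


def parse_zone(text, apex):
    """Minimal zone parser: $ORIGIN, '@', relative/absolute owners, optional
    TTL, the IN class, and comments.  NS and CNAME targets are qualified too.
    Returns (owner, type, rdata) tuples with canonical owner names."""
    origin, records = canon(apex), []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = canon(line.split()[1])
            continue
        parts = line.split()
        owner = qualify(parts.pop(0), origin)
        if parts[0].isdigit():
            parts.pop(0)                # explicit TTL
        if parts[0].upper() == "IN":
            parts.pop(0)                # class
        rtype, rdata = parts[0].upper(), " ".join(parts[1:])
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def check_delegations(records, apex):
    """Map each delegation point to a list of problems (empty when it is
    sound).  A server whose name lies inside the delegated zone can only be
    reached if the parent zone carries a glue address for it."""
    apex = canon(apex)
    addresses = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    report = {}
    for owner, rtype, target in records:
        if rtype != "NS" or owner == apex:
            continue
        problems = report.setdefault(owner, [])
        in_bailiwick = target == owner or target.endswith("." + owner)
        if in_bailiwick and target not in addresses:
            problems.append(f"{target} needs glue (A/AAAA) in the parent zone")
    return report


if __name__ == "__main__":
    for label, text in (("ok", ZONE_OK), ("no glue", ZONE_NO_GLUE)):
        print(label, check_delegations(parse_zone(text, "united-networks.ru."),
                                       "united-networks.ru."))
```

The check passes for Ellad's fragment, which is consistent with the `+norec` output he later posts (the referral carries the NS plus two glue A records); a delegation that reports a problem here would show up in `dig +norec` as an AUTHORITY section with an empty ADDITIONAL section.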

Re: slave not updating or creating ofd zone files

2012-03-28 Thread Peter Andreev
2012/3/29 Peter Andreev 

>
>
> 2012/3/29 RYAN M. vAN GINNEKEN 
>
>> Hello all, I have what is to me a very strange BIND 9 master/slave
>> transfer issue.
>>
>> When I update a zone file on the master, the file updates correctly, the
>> notifies are sent and everything seems to work perfectly, except that it
>> transfers 0 bytes to the slave.  Checking the slave confirms that indeed
>> there was no transfer and that the slave is still serving the old zone. I
>> have gone as far as to completely delete the zone files from the slave and
>> restart bind; to my surprise it puts back all the old files.  What is going
>> on?  Below is an example of one of the files that is not updating correctly;
>> there are many, and some of the files I have updated more recently are not
>> even showing up in the logs of the server.
>>
>> On the server Ubuntu 8.04 LTS running BIND 9.4.2-P2.1 chrooted
>> 29-Mar-2012 06:03:39.461 general: info: zone jodygamracy.com/IN/external:
>> loaded serial 2012031501
>> 29-Mar-2012 06:03:39.614 notify: info: zone jodygamracy.com/IN/external:
>> sending notifies (serial 2012031501)
>> 29-Mar-2012 06:03:41.761 xfer-out: info: client 96.51.192.233#33074: view
>> external: transfer of 'jodygamracy.com/IN': IXFR ended
>>
>> On the slave Ubuntu 10.04 LTS  BIND 9.7.0-P1
>> 29-Mar-2012 00:03:41.666 general: info: zone jodygamracy.com/IN/external:
>> Transfer started.
>> 29-Mar-2012 00:03:41.706 xfer-in: info: transfer of '
>> jodygamracy.com/IN/external' from 204.244.122.132#53: connected using
>> 96.51.192.233#33074
>> 29-Mar-2012 00:03:41.782 xfer-in: info: transfer of '
>> jodygamracy.com/IN/external' from 204.244.122.132#53: Transfer
>> completed: 0 messages, 1 records, 0 bytes, 0.076 secs (0 bytes/sec)
>>
>> As a side note, I have both machines firewalled, but have port 53 open on
>> both machines, and have the ports set using these lines in the
>> named.conf file:
>>   query-source address * port 53;
>> transfer-source * port 53;
>> notify-source * port 53;
>>
>> and see this in the daemon logs:
>> /etc/named.conf:9: using specific query-source port suppresses port
>> randomization and can be insecure.
>>
>> Computer King   CaN-MailSurveillance
>> King
>> http://computerking.ca http://canmail.org
>> http://surveillanceking.net
>>
>> Surveillance - Sales Service - Hosting Backup
>> Internet Based Surveillance Systems
>> Custom Service Packages
>> Secure IMAP Email - Automated Remote Backups - Photo Blogs - Online ERP
>> and Accounting Packages
>>
>>
>>
>
> Enlarge your serial!
>
> --
> AP
>

Sorry for the previous message; I suggest you update BIND.

-- 
AP

Re: slave not updating or creating ofd zone files

2012-03-28 Thread Peter Andreev
2012/3/29 RYAN M. vAN GINNEKEN 

> Hello all, I have what is to me a very strange BIND 9 master/slave transfer
> issue.
>
> When I update a zone file on the master, the file updates correctly, the
> notifies are sent and everything seems to work perfectly, except that it
> transfers 0 bytes to the slave.  Checking the slave confirms that indeed
> there was no transfer and that the slave is still serving the old zone. I
> have gone as far as to completely delete the zone files from the slave and
> restart bind; to my surprise it puts back all the old files.  What is going
> on?  Below is an example of one of the files that is not updating correctly;
> there are many, and some of the files I have updated more recently are not
> even showing up in the logs of the server.
>
> On the server Ubuntu 8.04 LTS running BIND 9.4.2-P2.1 chrooted
> 29-Mar-2012 06:03:39.461 general: info: zone jodygamracy.com/IN/external:
> loaded serial 2012031501
> 29-Mar-2012 06:03:39.614 notify: info: zone jodygamracy.com/IN/external:
> sending notifies (serial 2012031501)
> 29-Mar-2012 06:03:41.761 xfer-out: info: client 96.51.192.233#33074: view
> external: transfer of 'jodygamracy.com/IN': IXFR ended
>
> On the slave Ubuntu 10.04 LTS  BIND 9.7.0-P1
> 29-Mar-2012 00:03:41.666 general: info: zone jodygamracy.com/IN/external:
> Transfer started.
> 29-Mar-2012 00:03:41.706 xfer-in: info: transfer of '
> jodygamracy.com/IN/external' from 204.244.122.132#53: connected using
> 96.51.192.233#33074
> 29-Mar-2012 00:03:41.782 xfer-in: info: transfer of '
> jodygamracy.com/IN/external' from 204.244.122.132#53: Transfer completed:
> 0 messages, 1 records, 0 bytes, 0.076 secs (0 bytes/sec)
>
> As a side note, I have both machines firewalled, but have port 53 open on
> both machines, and have the ports set using these lines in the
> named.conf file:
>   query-source address * port 53;
> transfer-source * port 53;
> notify-source * port 53;
>
> and see this in the daemon logs:
> /etc/named.conf:9: using specific query-source port suppresses port
> randomization and can be insecure.
>
> Computer King   CaN-MailSurveillance
> King
> http://computerking.ca http://canmail.org
> http://surveillanceking.net
>
> Surveillance - Sales Service - Hosting Backup
> Internet Based Surveillance Systems
> Custom Service Packages
> Secure IMAP Email - Automated Remote Backups - Photo Blogs - Online ERP
> and Accounting Packages
>
>
>

Enlarge your serial!

-- 
AP
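The one-line answer above ("Enlarge your serial!") is the whole diagnosis: a slave only transfers when the master's SOA serial is newer under RFC 1982 serial arithmetic, and the "IXFR ended ... 1 records, 0 bytes" lines in the question are the master answering "you already have this serial" with a lone SOA. The quickest check is `dig @master zone SOA +short` against `dig @slave zone SOA +short`. The following is an added example, not code from the post, implementing that comparison plus the two fixes you normally need (a safe next serial, and the serial a master must publish to get a slave that is ahead of it to transfer again); the serials used are constructed from the thread:

```python
"""SOA serial comparison as a secondary does it (RFC 1982 serial arithmetic).

Added example, not from the post. The serials are constructed to mirror the
thread: a master re-published with an unchanged (or lower) serial never
triggers a transfer, however many NOTIFYs are sent.
"""

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)   # 2**31
MOD = 1 << SERIAL_BITS          # 2**32


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b (RFC 1982 section 3.2).

    The serial space wraps, so a is newer when the forward distance from
    b to a is less than 2**31. A distance of exactly 2**31 is undefined by
    the RFC; it is treated here as "not newer", i.e. no transfer.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def secondary_should_transfer(master_serial: int, slave_serial: int) -> bool:
    """A secondary fetches the zone only when the master's serial is newer.

    Equal serials, or a slave that is ahead (stale journal, master rolled
    back), mean no AXFR/IXFR no matter how many NOTIFYs arrive.
    """
    return serial_gt(master_serial, slave_serial)


def next_serial(current: int, today: str) -> int:
    """Return a YYYYMMDDnn-style serial guaranteed to be newer than current.

    today is 'YYYYMMDD'. If the date-based candidate would not be newer
    (more than 99 edits in a day, or a date set too far ahead earlier),
    fall back to current + 1 so secondaries still see an increase.
    """
    candidate = int(today) * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % MOD


def repair_master_serial(master_serial: int, slave_serial: int) -> int:
    """Smallest serial the master must publish to get a lagging slave to
    transfer again: one past whatever the slave believes it already has."""
    if slave_serial == master_serial or serial_gt(slave_serial, master_serial):
        return (slave_serial + 1) % MOD
    return master_serial


if __name__ == "__main__":
    # Constructed from the thread: master loaded 2012031501, slave kept it.
    print(secondary_should_transfer(2012031501, 2012031501))   # False: nothing to do
    print(repair_master_serial(2012031501, 2012031501))        # 2012031502
```

Deleting the slave's zone files does not help because the slave re-requests the zone, the master compares serials, and answers "current"; only a serial that is greater under this arithmetic moves data.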

Re: reverse dns for IPV6 ranges

2012-03-20 Thread Peter Andreev
2012/3/20 michoski 

> On 3/19/12 11:58 AM, "Peter Andreev"  wrote:
> > 2012/3/19 hugo hugoo 
> >>  Jay,
> >>
> >> - Can you give me an example of such configuration?
> >>
> >> As anyone else some examples of IPV6 reverse configuration used in
> >> production environment?
> >>
> >> Thanks for sharing your experience...
> >
> > We use IPv6 in a production environment. It was a real headache to fill
> > reverse ip6.arpa zones by hand until I learned about the "arpaname"
> > utility. Since then, maintaining reverse IPv6 zones is just a piece of
> cake.
>
> Hmm...  Yes, well I can see this as useful (though not much more than a few
> lines of any programming language?) if you intend to maintain generic
> placeholders...but not if you want RFC-compliant matching A/PTR.  Granted,
> you should not drop mail in such cases, but many do.  I guess tools and
> best
> practices take time to catch up to technological leaps.  ;-)
>
> Or do you actually create A's matching your generic PTR and heavily rely on
> CNAMEs?  Of course that simply won't do for some standard RR types.
>
> As much as I dislike djb in general, the way tinydns auto-creates matching
> PTR (and also provides a mechanism to disable as needed) for each A RR
> kinda
> makes sense.  Granted, it doesn't do IPv6 at all without 3rd-party
> hacks...but they do at least exist.
>
> --
> All his life he has looked away... to the horizon, to the sky,
> to the future.  Never his mind on where he was, on what he was doing.
>-- Yoda
>
>
Sorry for my stupidity, but I didn't catch your idea.

We have a finite amount of hardware. Due to geographic distribution, security
issues, lots of different prefixes in use, etc., we don't use DHCP and assign
addresses by hand. We do the same with PTRs. Of course I would go crazy if I
filled a full v6 reverse zone, so I write only those PTRs which are needed.
If we assign IP blocks to clients, usually we simply delegate them the
corresponding reverse zone.

-- 
AP

Re: reverse dns for IPV6 ranges

2012-03-19 Thread Peter Andreev
2012/3/19 hugo hugoo 

>  Jay,
>
> - Can you give me an example of such configuration?
>
>
>
> As anyone else some examples of IPV6 reverse configuration used in
> production environment?
>
> Thanks for sharing your experience...
>
> Hugo,
>

We use IPv6 in a production environment. It was a real headache to fill
reverse ip6.arpa zones by hand until I learned about the "arpaname"
utility. Since then, maintaining reverse IPv6 zones is just a piece of cake.


>  > Date: Mon, 12 Mar 2012 16:28:53 -0500
> > From: jay-f...@uiowa.edu
>
> > To: hugo...@hotmail.com
> > CC: bind-users@lists.isc.org
> > Subject: RE: reverse dns for IPV6 ranges
> >
> > On Mon, 12 Mar 2012, hugo hugoo wrote:
> > > Has anyone else experience with reverse IPV6 configuration with Bind?
> >
> > We do static PTR records in the ip6.arpa zones like we do in the
> in-addr.arpa
> > zones, to create address->name mappings matching the name->address
> mappings
> > created by the  & A records.
> >
> > I fairly recently started fiddling with wildcard PTR records for DHCPv6
> > address pools, to at least return some answer for a query about the
> > addresses. Right now I have it configured so that a query for any
> address in
> > any of the pools returns the same name, but it could be changed to
> return
> > different names for different pools. This obviously doesn't create
> symmetric
> > name->address & address->name mapping, which might or might not be a
> problem.
> > I don't have enough real use of this to know whether this wildcard stuff
> is
> > helpful or not.
> >
> > 
> > Jay Ford, Network Engineering Group, Information Technology Services
> > University of Iowa, Iowa City, IA 52242
> > email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
>
>



-- 
AP
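Both of the replies above (this one and the 2012-03-20 follow-up) rest on the same point: with hand-assigned addresses you write only the PTRs you need, and the painful part is producing the nibble-reversed ip6.arpa owner names, which is what BIND's arpaname utility prints. The following is an added example, not code from the posts or from BIND, doing the same job in Python so the records can be generated straight from the host list, with the check a practitioner wants (an address outside the prefix is rejected instead of landing in the wrong zone). The prefix, host names and SOA values are constructed:

```python
"""Reverse-map names for hand-maintained IPv6 hosts, the job the thread
hands to BIND's arpaname utility, plus a small zone-fragment generator.

Added example, not from the posts. The prefix and host list are constructed
(2001:db8::/32 is the documentation prefix).
"""
import ipaddress


def arpaname(addr: str) -> str:
    """Reverse-map owner name for an IPv4 or IPv6 address, e.g.
    '1.0.0.0.(...).8.b.d.0.1.0.0.2.ip6.arpa.' for 2001:db8::1."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone_name(prefix: str) -> str:
    """ip6.arpa zone that covers an IPv6 prefix on a nibble boundary."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError("need an IPv6 prefix whose length is a multiple of 4")
    labels = net.network_address.reverse_pointer.split(".")
    host_nibbles = (128 - net.prefixlen) // 4
    return ".".join(labels[host_nibbles:]) + "."


def ptr_records(prefix: str, hosts: dict) -> list:
    """PTR records, relative to the zone for `prefix`, for {name: address}.

    Addresses outside the prefix raise rather than silently landing in the
    wrong zone. Output is sorted by address so diffs stay readable.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    host_nibbles = (128 - net.prefixlen) // 4
    pairs = []
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip.version != 6 or ip not in net:
            raise ValueError(f"{addr} ({name}) is outside {prefix}")
        pairs.append((ip, name))
    records = []
    for ip, name in sorted(pairs):
        rel = ".".join(ip.reverse_pointer.split(".")[:host_nibbles])
        records.append(f"{rel} IN PTR {name.rstrip('.')}.")
    return records


def render_zone(prefix: str, hosts: dict, primary_ns: str, hostmaster: str, serial: int) -> str:
    """A complete zone-file fragment for the reverse zone of `prefix`."""
    lines = [
        f"$ORIGIN {reverse_zone_name(prefix)}",
        "$TTL 3600",
        f"@ IN SOA {primary_ns} {hostmaster} {serial} 7200 900 1209600 3600",
        f"@ IN NS {primary_ns}",
    ]
    return "\n".join(lines + ptr_records(prefix, hosts)) + "\n"


if __name__ == "__main__":
    # constructed host list
    hosts = {"ns1.example.net": "2001:db8:1::53", "www.example.net": "2001:db8:1:2::80"}
    print(render_zone("2001:db8:1::/48", hosts,
                      "ns1.example.net.", "hostmaster.example.net.", 2012032001))
```

Keeping the forward (AAAA) list as the single input and generating the PTRs from it is also what gives you the matching A/PTR pairs the other poster asks about, without maintaining the two zones separately.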

Re: "rndc reconfig" vs. "rndc reload"

2012-03-16 Thread Peter Andreev
2012/3/16 Mark Pettit 

> I've read carefully through the BIND ARM and am still not sure of the
> answer to this, so I figured I'd ask on here.
>
> "rndc reconfig" causes BIND to re-load its config file, but unlike "rndc
> reload", BIND will not scan the zone files it's mastering to see if there
> have been any updates.  This is very useful in our situation because most
> of our name servers have tens of thousands of zones.
>
> We have an antiquated push process that copies files into the zonefile
> directory and then tells BIND "rndc reload".  For various reasons, "rndc
> reload" takes about 120 seconds to complete.  BIND is not answering queries
> for a very large part of that time.
>
> I recently started experimenting with a different process: instead of
> "rndc reload" after updating some of the zone files, I loop through the list
> of updated zone files and run "rndc reload <zone>" for each one.
>
> This is a vast improvement, because BIND doesn't appear to ever stop
> answering queries.
>
> However, I'm curious what I should do when an update contains both a new
> config file and new zone files.
>
> Normally a "rndc reload" would rescan the config and then scan all zone
> files (including the new ones), loading the new ones into memory and
> starting to serve them.  But obviously we want to avoid "rndc reload" at
> all costs.
>
> I was considering doing "rndc reconfig", followed by a "rndc reload
> <zone>" for each of the new zones.
>
> Would this work?
>
>
"rndc reconfig" forces BIND to re-read the config file and load *only* new
zones. So if you add a new zone and want BIND to load it, you don't need
"rndc reload <zone>" at all; "rndc reconfig" is completely sufficient.

"rndc reload <zone>" is needed only if you modify an existing zone.

>



-- 
AP
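The answer above gives the rule; what the push process needs is the decision applied per zone: "rndc reconfig" for config changes and zones new to the config, "rndc reload <zone>" only for zones that were already served and whose file changed. The following is an added example, not code from the thread or from ISC, that derives that command list from the old and new named.conf and the set of changed zone files; it returns the commands rather than running them so they can be reviewed or piped to a shell. The config texts in the demo are constructed and the zone-declaration parser is deliberately simple (it reads only `zone "name"` lines):

```python
"""Plan the minimal rndc work after pushing a new named.conf plus some
changed zone files, following the rule in the answer above: "rndc reconfig"
re-reads named.conf and loads zones that are new to it, but does not
re-read the files of zones it already serves, so those need
"rndc reload <zone>" each.

Added example, not from the thread. Config texts and zone names in the demo
are constructed.
"""
import re

# zone "name" [class] { ... };  -- matches the declaration line only
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.MULTILINE)


def zones_in_conf(conf_text: str) -> set:
    """Zone names declared in a named.conf-style text. A zone declared in
    several views counts once here; reloading it then needs the view name
    as well ("rndc reload <zone> <class> <view>")."""
    return {z.lower().rstrip(".") for z in ZONE_RE.findall(conf_text)}


def plan_rndc(old_conf: str, new_conf: str, changed_zones) -> list:
    """Commands, in order, to apply a push without a full "rndc reload"."""
    old = zones_in_conf(old_conf)
    new = zones_in_conf(new_conf)
    cmds = []
    if old_conf != new_conf:
        # loads zones that are new to the config and applies the other
        # config changes; existing zone files are not re-read
        cmds.append("rndc reconfig")
    for zone in sorted({z.lower().rstrip(".") for z in changed_zones}):
        if zone in old and zone in new:
            cmds.append(f"rndc reload {zone}")
        # zone in new only: reconfig already loaded it from its file
        # zone in old only: it is being removed, nothing to reload
        # zone in neither: a stray file, ignore
    return cmds


if __name__ == "__main__":
    # constructed configs: c.example is added by the push, b.example's file changed
    OLD = ('zone "a.example" { type master; file "a.db"; };\n'
           'zone "b.example" { type master; file "b.db"; };\n')
    NEW = OLD + 'zone "c.example" { type master; file "c.db"; };\n'
    print("\n".join(plan_rndc(OLD, NEW, ["b.example", "c.example"])))
```

Note that the reconfig goes first: reloading a zone that named does not know about yet fails, and reloading a zone whose declaration moved to a different file would otherwise read the old path.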

Re: Anycast DNS

2012-02-29 Thread Peter Andreev
2012/3/1 Beavis 

> Just want to piggy back on this topic is there any documentation
> available online that shows a deployment guideline for Anycast?
>
> -beavis
>

What about RFC 4786?


> On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari  wrote:
> >
> > On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:
> >
> >> The reason I’ve heard a few times is that users are uncomfortable using
> only 1 address.  In the past I’ve done 2 or 3 addresses just so that we can
> give out 3 addresses that all point to the same pool of servers.
> >>
> >> Silly, I know, but sometimes it’s easier to placate than to change
> someone/groups understanding of the
> world/networking/resilience/dns/loadbalancing.
> >
> > It's partly silly, it's also partly not wanting to have all your eggs in
> one basket.
> >
> > Having more than one anycast address provides protection against things
> like routing attacks / leaks, overenthusiastic ACLs, router blackholes and
> similar.
> > It also provides a backup in case the primary node chosen by your
> routing infrastructure is unavailable -- if you only have a single anycast
> address (192.0.2.1) and the instance chosen by your routing system is down
> (for example through a DoS, misconfiguration, etc) you have no service. If
> you have a second address (10.10.10.10) that is announced by a different
> constellation you have redundancy.
> >
> > Also, anycast provides the closest instance according to the *network
> topology* -- this doesn't always equate to fastest response -- it is not
> uncommon for a longer BGP path to have a shorter latency. Providing
> multiple addresses allows the resolver to choose based upon time.
> >
> > W
> >
> >>
> >>
> >> $0.02
> >> t.
> >>
> >> From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:
> bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju wusuo
> >> Sent: Tuesday, February 28, 2012 10:56 PM
> >> To: bind-users@lists.isc.org
> >> Subject: Anycast DNS
> >>
> >> Have seen some anycast DNS implementations using more than one address,
> some times even on the same subnet, any considerations or reasons for doing
> that?
> >>
> >>
> >>
> >
>
>
>
> --
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
> Disclaimer:
> http://goldmark.org/jeff/stupid-disclaimers/
>



-- 
--
AP

Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread Peter Andreev
2012/2/9 John Hascall 

>
>
> Questions:
>
> (1) It looks to me like if the ghost name is in our
>DNS RPZ zone, then that 'fixes' the problem for
>that name.   Is this correct?
>

A ghost domain could be re-delegated to a new owner and become absolutely
legal.

>
> (2) It also looks like restarting bind flushes the cache
>and that prevents the repopulation of the local cache
>with names which are ghosts (new different ghost names
>could, of course, be created).Is this correct?
>

AFAIK 'rndc flush' will do the same.

>
> Thanks,
> John
>
>
> ---
> John Hascall, j...@iastate.edu
> Team Lead, NIADS (Network Infrastructure, Authentication & Directory
> Services)
> IT Services, The Iowa State University of Science and Technology
>
> > In , ISC
> > writes:
> >
> > > ISC continues to recommend that organizations with security needs
> > > who are reliant on the Domain Name System proceed with adoption of
> > > DNSSEC; DNSSEC is the best known method of mitigating this issue.
> >
> > But ISC provides no details about *how* exactly DNSSEC will solve the
> > problem. I'm puzzled. In the ghost domain names attack, the child zone
> > is controlled by the bad guy, who wants the domain to stick. So, he
> > will certainly not sign it. Unless you make DNSSEC mandatory, how will
> > you solve the ghost domain problem with DNSSEC? If the resolver is
> > sticky (will not go to the parent to ask the NS RRset), it won't check
> > the NSEC at the parent either...
> >
> > Is it because the resolver, even if sticky, re-queries the parent when
> > the negative TTL of the (missing) DS records ends? And chokes when it
> > receives back a NXDOMAIN?
> >
>
>



-- 
--
AP

Re: Detailed Log Analysis based on rndc stats!!

2012-01-30 Thread Peter Andreev
Sorry, Shiva I have confused you. Mark is absolutely right and I was wrong.
Another way is to capture responses with tcpdump or dnscap.

2012/1/30 Mark Andrews 

>
> In message <
> canbtt6nxwb4fqygev4x8_jl+m5ho7wfenirxzg3pgvc-kzc...@mail.gmail.com>
> , Shiva Raman writes:
> > Hi Peter
> >
> > Thanks a lot for your reply. I had enabled query-errors with debug level
> 2
> > in my bind logging, now i am able to log all SERVFAIL related error logs
> in
> > query-errors.log. But i am unable to log the NXDOMAIN error logs .
>
> NXDOMAIN is not an error.  It is a *normal* response code in a well
> running system.  Asking to log NXDOMAIN is like asking to log every
> positive answer.
>
> >Referring to Bind documentation, i enabled delegation-only
> option(which
> > Logs queries that have returned NXDOMAIN as the result of a
> delegation-only
> > zone or a delegation-only statement in a hint or stub zone declaration) ,
> > but this also not logging the NXDOMAIN errors. Kindly guide me whether
> any
> > additional parameters to be enabled in query-errors to log NXDOMAIN also.
>
> delegation-only does *not* log normal NXDOMAIN responses.  It logs
> answers that are *forced* to NXDOMAIN.
>
> > Regards
> >
> > Shiva Raman
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>



-- 
--
AP

Re: Detailed Log Analysis based on rndc stats!!

2012-01-17 Thread Peter Andreev
2012/1/17 Shiva Raman 

> Hi All
>
>  I am running Bind version 9.8.1 as an Authoritative Name server. From
> the rndc.stats, I observe that there are some query failures happening
> in the server. I am trying to get detailed information on these query
> failures, but the current logging options are not allowing me to get a
> detailed
> report on the reason of failure. I tried enabling detailed logs, but that
> is also not providing me which all queries failed with NXDOMAIN,
> SERVFAIL etc.
>
>  Please find the output of named.stats and Logging options enabled in
> named.conf
>
> Output of /chroot/named/conf/named.stats
> --
>
> +++ Statistics Dump +++ (1326803941)
> ++ Incoming Requests ++
>75808 QUERY
> ++ Incoming Queries ++
>75786 A
>   22 PTR
> ++ Outgoing Queries ++
> [View: default]
> 7374 A
>13410 NS
>   97 PTR
> [View: _bind]
> ++ Name Server Statistics ++
>75808 IPv4 requests received
>75781 requests with ADNS(0) received
>75019 responses sent
>75003 responses with ADNS(0) sent
> 2848 queries resulted in successful answer
>72340 queries resulted in authoritative answer
> 2239 queries resulted in non authoritative answer
>  440 queries resulted in SERVFAIL
>71731 queries resulted in NXDOMAIN
> 3466 queries caused recursion
>  789 duplicate queries received
> ++ Zone Maintenance Statistics ++
> ++ Resolver Statistics ++
> [Common]
> [View: default]
>20881 IPv4 queries sent
> 5283 IPv4 responses received
>  111 NXDOMAIN received
> 2533 SERVFAIL received
>16195 query retries
>15598 query timeouts
>  450 IPv4 NS address fetches
>6 IPv4 NS address fetch failed
> 4226 queries with RTT < 10ms
>   17 queries with RTT 10-100ms
>  869 queries with RTT 100-500ms
>   82 queries with RTT 500-800ms
>   37 queries with RTT 800-1600ms
>   52 queries with RTT > 1600ms
> [View: _bind]
> ++ Cache DB RRsets ++
> [View: default]
>   72 A
>   24 NS
>5 CNAME
>5 NXDOMAIN
> [View: _bind (Cache: _bind)]
> ++ Socket I/O Statistics ++
>20886 UDP/IPv4 sockets opened
>4 TCP/IPv4 sockets opened
>20883 UDP/IPv4 sockets closed
> 3910 TCP/IPv4 sockets closed
>2 UDP/IPv4 socket bind failures
>20881 UDP/IPv4 connections established
> 3911 TCP/IPv4 connections accepted
> ++ Per Zone Query Statistics ++
> --- Statistics Dump --- (1326803941)
>
>
> Logging options in /etc/named.conf
> 
>
>
> // Logging options
> logging {
> // logging option for named  process
> channel "default_debug" {
> file "/logs/named.log" versions 10 size 500m;
> print-time yes;
> print-category yes;
> severity dynamic;
> };
>
> channel "queries" { // logging option for queries to
> named
> file "/logs/query.log" versions 20 size 500m;
> print-time yes;
> print-category yes;
> severity dynamic;
> };
>
>   category default { "default_debug"; };
>   category queries { null; };   // comment this line to log queries
>   category queries { "queries"; };// uncomment this to log queries
>   category config { "default_debug"; };
>   category security { "default_debug"; };
>   category network { "default_debug"; };
>   category lame-servers { null; };
>   category general { null; };
>   category edns-disabled { null; };
>  };
>
>
> ---
>
> Kindly let me know the procedure to follow/options to enabled in logs  to
> get a detailed report of queries w.r.to  the following lines.
>
>440 queries resulted in SERVFAIL
>71731 queries resulted in NXDOMAIN
>6 IPv4 NS address fetch failed
>
> Thanks in advance.
>
> Regards
>
> ShivaRaman
>
>
>
>

You should add "query-errors" category with severity debug 1 or greater.
Refer to BIND's ARM, section 6.2.10.3 for further explanation.

-- 
--
AP
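Two replies in this thread point at the same gap: the query-errors category (debug level 1 and up) explains SERVFAILs, but per-name NXDOMAIN counts are not something BIND logs, so the 2012-01-30 reply suggests capturing responses with tcpdump or dnscap instead. The following is an added example, not code from the posts or from BIND, of what you run over such a capture: it parses the DNS header and question section of each response and tallies the non-NOERROR codes per query name. It works on raw UDP payloads, so feed it the payloads from a tcpdump/dnscap file through any pcap reader; the messages in the demo are constructed by the same code so it runs offline.

```python
"""Tally DNS response codes per query name from raw DNS messages, the
"capture the responses" route for questions BIND's logging does not
answer (which names got NXDOMAIN, which got SERVFAIL).

Added example, not from the posts. Parses the header and question section
of UDP payloads; the sample "capture" is constructed below.
"""
import struct
from collections import Counter

QR, AA = 0x8000, 0x0400
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name), following compression
    pointers (RFC 1035 4.1.4) with a hop limit so a malicious message
    cannot loop the parser."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower() + ".", (end if end is not None else offset)


def build_response(qname: str, rcode: int, qtype: int = 1, aa: bool = True) -> bytes:
    """Minimal response: header plus echoed question, no answer records."""
    flags = QR | (AA if aa else 0) | (rcode & 0xF)
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def parse_response(msg: bytes):
    """Header fields and question of a response; None for a query or a
    message without exactly one question."""
    if len(msg) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & QR or qdcount != 1:
        return None
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    rcode = flags & 0xF
    return {"qname": qname, "qtype": qtype, "aa": bool(flags & AA),
            "rcode": RCODE_NAMES.get(rcode, f"RCODE{rcode}")}


def tally_failures(messages) -> Counter:
    """(rcode, qname) -> count for every non-NOERROR response."""
    counts = Counter()
    for msg in messages:
        r = parse_response(msg)
        if r and r["rcode"] != "NOERROR":
            counts[(r["rcode"], r["qname"])] += 1
    return counts


def sample_capture() -> list:
    """Constructed stand-in for a capture: two NXDOMAINs, one SERVFAIL,
    one NOERROR, and one query (QR=0) that must be ignored."""
    query = bytearray(build_response("www.example.com", 0))
    query[2:4] = b"\x01\x00"          # QR cleared, RD set: a query, not a response
    return [
        build_response("nosuch.example.com", 3),
        build_response("nosuch.example.com", 3),
        build_response("slow.example.net", 2, aa=False),
        build_response("www.example.com", 0),
        bytes(query),
    ]


if __name__ == "__main__":
    for (rcode, qname), n in tally_failures(sample_capture()).most_common():
        print(f"{n:6d} {rcode:9s} {qname}")
```

The AA flag is kept in the parsed record on purpose: on an authoritative-only server a non-AA SERVFAIL or NXDOMAIN in a capture is a response to a name you are not authoritative for, which is a different problem from a broken zone.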

Re: Defense against a client?

2012-01-16 Thread Peter Andreev
2012/1/16 Tom Schmitt 

> Hi,
>
> I have a problem with the load on my Bind. Normally it's fine, but from
> time to time there are clients which cause through a misconfiguration or a
> failed local service (not intentionally) a very high amount of queries.
> After finding and informing the responsible person this problem is mostly
> solved in short time.
>
> One of these cases my DNS server can handle, but sometimes there is more
> than one of these cases at the same time and I have a load problem which
> causing problems for all clients of my DNS servers.
>
> My question:
> Is there any possibility in Bind to give a quota to a client? e.g. that
> from a given IP no more than a hundred queries per second are allowed and
> the rest is to be blackholed.
>
> That way only the client causing the load would have a problem but not all
> other clients.
>
> Is there such a possibility? I found nothing in the documentation. Or are
> there other ways to achieve this? How do you guys do this?
>
>
As far as I know there is no way to limit the query rate in BIND. I suppose
a firewall should cope with the problem much better.

> Tom.




-- 
--
AP
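The quota the question describes (at most N queries per second from one source, the excess dropped) is a per-source token bucket, whichever layer enforces it. The reply above is right for BIND of that time; later BIND releases added Response Rate Limiting (the rate-limit {} block, standard from 9.10, a build option in 9.9.4), and on a Linux firewall the same shape of rule is iptables' hashlimit match keyed on source IP. The following is an added example, not code from the thread or from BIND, of the bucket logic itself run over a constructed query stream, including the housekeeping a real implementation needs (forgetting idle sources so a spoofed flood cannot grow the table without bound):

```python
"""Per-source query quota as a token bucket: the "no more than N queries
per second from one IP, drop the rest" rule asked for above.

Added example, not BIND code. The query stream in sample_queries() is
constructed; timestamps are seconds, addresses are documentation ranges.
"""


class SourceQuota:
    """Token bucket per client address: `rate` tokens per second refill,
    at most `burst` stored, one token spent per query."""

    def __init__(self, rate: float, burst: int):
        self.rate = float(rate)
        self.burst = int(burst)
        self._buckets = {}          # src -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self._buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + max(0.0, now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, now)
            return True
        self._buckets[src] = (tokens, now)
        return False

    def prune(self, now: float, idle: float = 60.0) -> int:
        """Forget sources idle longer than `idle` seconds so the table does
        not grow without bound under a spoofed-source flood."""
        stale = [s for s, (_, last) in self._buckets.items() if now - last > idle]
        for s in stale:
            del self._buckets[s]
        return len(stale)


def apply_quota(queries, rate: float = 100, burst: int = 100) -> dict:
    """queries: iterable of (timestamp, src_ip) in arrival order.
    Returns {src: (allowed, dropped)} under a per-source quota."""
    quota = SourceQuota(rate, burst)
    stats = {}
    for ts, src in queries:
        allowed, dropped = stats.get(src, (0, 0))
        if quota.allow(src, ts):
            stats[src] = (allowed + 1, dropped)
        else:
            stats[src] = (allowed, dropped + 1)
    return stats


def sample_queries() -> list:
    """Constructed: one broken client fires 1000 queries at t=0 and one more
    a second later; two well-behaved clients send a few each."""
    stream = [(0.0, "192.0.2.50")] * 1000 + [(1.0, "192.0.2.50")]
    stream += [(0.1 * i, "192.0.2.10") for i in range(10)]
    stream += [(0.5, "198.51.100.7"), (0.6, "198.51.100.7")]
    return sorted(stream)


if __name__ == "__main__":
    for src, (ok, dropped) in sorted(apply_quota(sample_queries()).items()):
        print(f"{src:15s} allowed={ok:4d} dropped={dropped:4d}")
```

Only the misbehaving source loses queries; the others never touch their burst allowance, which is the property the poster wants and a global rate cap would not give.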

Re: which NS record will be cached?

2012-01-12 Thread Peter Andreev
2012/1/12 MontyRee 

>
> Hi, all.
>
>
> I have one question about NS cache ttl.
> for example, I can get two different NS TTL like below.
>
> $ dig  google.com ns +trace
>
> google.com. 172800  IN  NS  ns2.google.com.
> google.com. 172800  IN  NS  ns1.google.com.
> google.com. 172800  IN  NS  ns3.google.com.
> google.com. 172800  IN  NS  ns4.google.com.
> ;; Received 164 bytes from 192.5.6.30#53(a.gtld-servers.net) in 173 ms
>
> google.com. 345600  IN  NS  ns4.google.com.
> google.com. 345600  IN  NS  ns1.google.com.
> google.com. 345600  IN  NS  ns2.google.com.
> google.com. 345600  IN  NS  ns3.google.com.
> ;; Received 164 bytes from 216.239.34.10#53(ns2.google.com) in 43 ms
>
> so, on resolving DNS, which NS record TTL will be cached generally?
> 172800 or 345600?
>
>
> Thanks in advance.
>

345600


>



-- 
--
AP
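The "345600" answer above and the ghost-domain thread earlier in this archive (CVE-2012-1033) are two faces of one cache rule. The child's own authoritative NS RRset outranks the parent's referral (RFC 2181 section 5.4.1), so its TTL is the one that ends up in cache; the ghost-domain problem is what happens when a resolver lets the child's NS set, carried in the authority section of every answer, keep refreshing that TTL, so the resolver never goes back to the parent and never learns the delegation was removed. The following is an added example, a deliberately simplified model and not BIND's code, that shows both: a "last writer wins" cache keeps the deleted zone alive for 30 days, while a cache that refuses to refresh an unexpired entry with data of equal or lower trust re-walks from the parent once the cached set expires and gets the NXDOMAIN. Zone and server names are constructed:

```python
"""Toy resolver NS cache for two threads in this archive: which NS TTL is
cached when the parent's delegation (172800) and the child's authoritative
NS set (345600) disagree, and why a cache that lets every child answer
refresh that TTL keeps a deleted ("ghost") domain alive, while one that
ranks data as in RFC 2181 section 5.4.1 goes back to the parent once the
cached set expires.

Added example; a simplified model, not BIND's logic. Names are constructed.
"""
from dataclasses import dataclass

# trust ranks, simplified from RFC 2181 5.4.1 (higher = more trusted)
GLUE = 1           # additional-section data
REFERRAL = 2       # NS in the authority section of a parent's referral
AUTH_SECTION = 3   # NS in the authority section of an authoritative answer
AUTH_ANSWER = 4    # NS in the answer section of an authoritative answer

PARENT_TTL, CHILD_TTL = 172800, 345600


@dataclass
class NSEntry:
    names: tuple
    ttl: int
    rank: int
    expires: float


class NSCache:
    def __init__(self, ranked: bool):
        self.ranked = ranked   # False models the pre-fix "last writer wins"
        self._zones = {}

    def lookup(self, zone: str, now: float):
        e = self._zones.get(zone)
        if e is not None and e.expires > now:
            return e
        self._zones.pop(zone, None)
        return None

    def offer(self, zone: str, names, ttl: int, rank: int, now: float) -> bool:
        """Offer an NS RRset seen in a response; True if it (re)places the
        cached set. With ranking on, equal or lower trust never refreshes an
        unexpired entry, so a TTL cannot be extended indefinitely."""
        cur = self.lookup(zone, now)
        if cur is not None and self.ranked and rank <= cur.rank:
            return False
        self._zones[zone] = NSEntry(tuple(sorted(names)), ttl, rank, now + ttl)
        return True


class Parent:
    """The parent zone: hands out a referral while the delegation exists."""
    def __init__(self, zone: str, child_ns):
        self.zone, self.child_ns, self.delegated = zone, tuple(child_ns), True

    def referral(self, zone: str):
        return self.child_ns if self.delegated and zone == self.zone else None


def resolve(cache: NSCache, parent: Parent, child_ns, zone: str, now: float):
    """One lookup under `zone`: use cached NS or walk to the parent. The
    child's servers keep answering regardless of the parent, and every
    answer carries their NS set in the authority section (the refresh
    vector). Returns the NS names used, or None on NXDOMAIN at the parent."""
    if cache.lookup(zone, now) is None:
        ref = parent.referral(zone)
        if ref is None:
            return None
        cache.offer(zone, ref, PARENT_TTL, REFERRAL, now)
    cache.offer(zone, child_ns, CHILD_TTL, AUTH_SECTION, now)
    return cache.lookup(zone, now).names


def ghost_survives(ranked: bool, days: int = 30) -> bool:
    """Delegate, delete at the registry, then query once a day: does the
    resolver still reach the old servers after `days` days?"""
    zone = "bad.example."
    child_ns = ("ns1.bad.example.", "ns2.bad.example.")
    parent, cache = Parent(zone, child_ns), NSCache(ranked)
    resolve(cache, parent, child_ns, zone, 0)   # cached while legitimately delegated
    parent.delegated = False                    # registry removes the delegation
    for day in range(1, days + 1):
        if resolve(cache, parent, child_ns, zone, day * 86400) is None:
            return False
    return True


def cached_ns_ttl(ranked: bool = True) -> int:
    """The other thread's question: after the referral (172800) and the
    child's authoritative NS answer (345600), which TTL sits in cache?"""
    cache = NSCache(ranked)
    ns = ("ns1.google.com.", "ns2.google.com.", "ns3.google.com.", "ns4.google.com.")
    cache.offer("google.com.", ns, PARENT_TTL, REFERRAL, 0)
    cache.offer("google.com.", ns, CHILD_TTL, AUTH_ANSWER, 0)
    return cache.lookup("google.com.", 0).ttl


if __name__ == "__main__":
    print("cached NS TTL:", cached_ns_ttl())                   # 345600
    print("ghost survives, unranked:", ghost_survives(False))  # True
    print("ghost survives, ranked:", ghost_survives(True))     # False
```

With ranking, the removed domain still resolves for the remaining lifetime of the cached NS set, which is why the earlier reply says a restart or "rndc flush" is the immediate fix and DNSSEC the long-term one: a ghost delegation is not present in the signed parent, so a validating resolver cannot be kept on it.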

Re: Is bind support conditionally resolution?

2012-01-10 Thread Peter Andreev
2012/1/10 Drunkard Zhang 

> I am designing a big deploy system, which will be implemented via DNS. The
> demands are miscellaneous; one of them is conditional resolution, which means that
> if one CDN node is near unavailable, or latency increased significantly,
> no matter why, I want bind to give another second best result, which
> is located in a distant place.
>
> Does bind support this natively? Or do I have to write an external program?
>
> If bind doesn't support it, are there any other DNS implementations I can try?
>

As Matus said, DNS is not a good place for such magic. Nonetheless you can
use Bind with DLZ and some third-party script/program which will change
database entries depending on reachability or latency.
Maybe you should look at PowerDNS; it has something called "Dynamic
resolution" and its resolver has scripting support.

>



-- 
--
AP

Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/4 Mark Andrews :
>
> If you want named to be authoritative only set "recursion no;" or
> "allow-recursion { none; }" or "allow-query-cache { none; };" and
> no data will be returned from the cache.  allow-recursion and
> allow-query-cache cross inherit from each other.
>
> If you only want master zones to send notify messages then set
> "notify master-only;".
>
> If you want named to only use the same nameservers as the system
> uses then set "forward only; forwarders { ; };".
> Named does not read resolv.conf though the tools do.

Thank you, Mark, these things were done a long time ago. Is there any
documentation related to BIND's internals?

>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org



-- 
--
AP
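Mark's quoted reply lists the three equivalent ways to stop named answering from cache ("recursion no;", "allow-recursion { none; };", "allow-query-cache { none; };") and the NOTIFY restriction for a slave-heavy server. What a practitioner wants next is a check that a given named.conf actually has one of them, since an authoritative server that recurses for the world is the usual misconfiguration. The following is an added example, not code from the thread or from BIND, that reads the options {} block and reports what is missing; the two sample configs are constructed and the parser is intentionally small (only the options block, only "name value;" and "name { ...; };" statements):

```python
"""Check a named.conf options block for the authoritative-only posture
described above: recursion off by one of the three equivalent settings
Mark lists, and NOTIFY restricted to master zones.

Added example, not part of BIND. The configs below are constructed.
"""
import re


def options_block(conf: str) -> str:
    """Text inside options { ... }, matching braces so nested ACLs such as
    allow-query-cache { none; }; do not end the block early."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth = 0
    for pos in range(m.end() - 1, len(conf)):
        if conf[pos] == "{":
            depth += 1
        elif conf[pos] == "}":
            depth -= 1
            if depth == 0:
                return conf[m.end():pos]
    raise ValueError("unbalanced braces in options block")


def setting(block: str, name: str):
    """Value of statement `name` with whitespace removed, e.g. 'no' or
    '{none;}', or None if the statement is absent. The statement must start
    the block or follow ';', '{' or '}', so 'recursion' does not match inside
    'allow-recursion'."""
    pattern = r"(?:^|[;{}])\s*" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]*);"
    m = re.search(pattern, block)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def audit_authoritative_only(conf: str) -> list:
    """Findings as strings; an empty list means the posture looks right."""
    block = options_block(conf)
    findings = []
    recursion_off = (
        setting(block, "recursion") == "no"
        or setting(block, "allow-recursion") == "{none;}"
        or setting(block, "allow-query-cache") == "{none;}"
    )
    if not recursion_off:
        findings.append("recursion is not disabled: set recursion no; "
                        "(or allow-recursion / allow-query-cache { none; };)")
    if setting(block, "notify") not in ("master-only", "no"):
        findings.append("notify is not restricted: slave zones will also send "
                        "NOTIFY; consider notify master-only;")
    return findings


# constructed sample configs
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    recursion no;
    allow-query-cache { none; };
    notify master-only;
};
zone "example.net" { type master; file "example.net.db"; };
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_authoritative_only(conf) or ["ok"])
```

This only inspects the global options block; a view with its own recursion or allow-query-cache statement overrides it, so on a server with views the same check has to be run per view.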


Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/3 Chuck Swiger :
> On Jan 3, 2012, at 11:13 AM, Peter Andreev wrote:
>> Unfortunately as I learn more about BIND, I understand that it is not
>> very suitable for my requirements.
>
> Which are?  I've been trying to understand what the actual problem you are 
> trying to solve might be.

I'm not trying to solve any problem. I'm wondering why this thread has
grown so big. The only question I have unanswered is where I can find
documents/articles/whatever describing BIND's internals, architecture,
etc. That's all :)
It was asked in the 13th post. Maybe it's still unanswered because of the
unlucky number, I'm not sure.

>
> Regards,
> --
> -Chuck
>



-- 
--
AP


Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/3 Lyle Giese :
> On 01/03/12 07:53, Peter Andreev wrote:
>>
>> 2012/1/2 Matus UHLAR - fantomas:
>>>>>>>
>>>>>>> On 21.12.11 19:21, Peter Andreev wrote:
>>>>>>
>>>>>>
>>>>>> I think that if server is authoritative - and - slave-only it should
>>>>>> use system resolver rather than querying by itself.
>>>
>>>
>>>
>>>> 2012/1/2 Matus UHLAR - fantomas:
>>>>>
>>>>>
>>>>> BIND will not use system resolver. BIND is the resolver. Relying on
>>>>> other
>>>>>
>>>>> resolver could cause troubles. If BIND does not need to resolve, it
>>>>> will
>>>>> not. If it needs, don't block it.
>>>
>>>
>>>
>>> On 02.01.12 16:42, Peter Andreev wrote:
>>>>
>>>>
>>>> I understood your point, however it differs from mine.
>>>>
>>>> Matus, I'm afraid we won't find consent on this topic. So I offer you
>>>> to stop this discussion.
>>>> Thank you for suggestions and happy new year!
>>>
>>>
>>>
>>> I don't see your point now. I'm afraid that you will have to live with
>>> the
>>> fact that you can not disable sending queries from BIND when it needs
>>> them,
>>> you can only prevent it by configuring BIND (so it will not need them) or
>>> firewall such packets so they will not get outside (which may break its
>>> functionality).
>>
>>
>> My point: I need my servers to answer with authoritative data only. I
>> need them to not perform anything else. Only "get query - send
>> authoritative response". Where in this scenario BIND has to resolve
>> something?
>> In which scenario (except master&  notifies) BIND has to resolve
>> something?
>>
>>
>>>
>>> Maybe ISC will patch BIND to use system resolver for internal queries,
>>> but I
>>> doubt so. Maybe you can do it but imho it's not worth trying.
>>>
>>> Maybe you can set up forward only; and forwarders {}; so BIND will
>>> forward
>>> all recursive queries it generates to your recursive servers.
>>>
>>> But the way you are trying to get over this, I'm afraid you will fail and
>>> that's what I am trying to tell you.
>>
>>
>> I'm free to replace BIND with another authoritative DNS implementation.
>>
>>>
>
> Let me ask this question another way.  How do you plan to block BIND from
> making any queries outside the server?  If you want me to log any queries
> that I don't answer(refused in the logs), I think the default is to look up
> the reverse of the querying IP address.  Do you want to block that type of
> traffic also?
>
> Do you want to block this traffic at the application level or in IPTables?
>  If you block this traffic via IPTables or an external firewall, lots of
> things at the OS level get grumpy.
>
> For instance, I want to attach to the server using VNC or SSH for
> maintenance.  By default, they want to do a reverse lookup of your ip
> address before allowing access.  Now you wait for that query to time out
> before you can do your work.  That's just a PITA.
>
> And if Bind does want to do any lookups (reverse lookups, go query the root
> servers for something), now you are forcing it to time out rather than doing
> the lookup and continuing on its way.  Very inefficient use of resources
> and will cause delays for legit queries.
>
> BIND was designed to be a multipurpose application and as such, it wants and
> is happier being able to do lookups as needed.  You are asking for a
> specific use case and ISC is not into generating special builds for special
> or specific use cases unless you contract with them to build and maintain
> your special build of BIND.

You are absolutely right, BIND is a general purpose DNS server and it
plays its role well. Furthermore BIND is the de facto standard (yes, I
copypasted this phrase from wikipedia). And both these statements are
true.
Unfortunately as I learn more about BIND, I understand that it is not
very suitable for my requirements.

>
> Lyle Giese
> LCR Computer Services, Inc.
>



-- 
--
AP


Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/3 Matus UHLAR - fantomas :
>> 2012/1/2 Matus UHLAR - fantomas :
>>>
>>> I don't see your point now. I'm afraid that you will have to live with
>>> the
>>>
>>> fact that you can not disable sending queries from BIND when it needs
>>> them,
>>> you can only prevent it by configuring BIND (so it will not need them) or
>>> firewall such packets so they will not get outside (which may break its
>>> functionality).
>
>
> On 03.01.12 16:53, Peter Andreev wrote:
>>
>> My point: I need my servers to answer with authoritative data only. I
>> need them to not perform anything else. Only "get query - send
>> authoritative response". Where in this scenario BIND has to resolve
>> something?
>
>
> Nowhere. Note that BIND may send upward or root referrals, for clients that
> are allowed to view cached data (the hint zone is taken as cached). Also,
> bind can send additional data (authoritative or from cache) when configured
> so, but won't recursively resolve them.
>
> See description of additional-from-cache and additional-from-auth, maybe
> minimal-responses.
>
>

Yep, that's what I did first when the problem appeared. The second step was
deleting root.hints to (as I hoped) prevent any further resolving and
caching.

>> In which scenario (except master & notifies) BIND has to resolve
>> something?
>
>
> I don't know about any.

Neither do I. Unfortunately it is not covered in documentation.

>>>
>>> Maybe ISC will patch BIND to use system resolver for internal queries,
>>> but I
>>> doubt so. Maybe you can do it but imho it's not worth trying.
>>>
>>> Maybe you can set up forward only; and forwarders {}; so BIND will
>>> forward
>>> all recursive queries it generates to your recursive servers.
>>>
>>> But the way you are trying to get over this, I'm afraid you will fail and
>>> that's what I am trying to tell you.
>>
>>
>> I'm free to replace BIND with another authoritative DNS implementation.
>
>
> Yes, you are. but i'd advise you focus on the real problem, if it exists.
> Kevin Darcy mentioned that in his response.
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux - It's now safe to turn on your computer.
> Linux - Teraz mozete pocitac bez obav zapnut.
>



-- 
--
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
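The options Matus points to above (additional-from-cache, additional-from-auth, minimal-responses) together with recursion itself are the knobs that decide whether an authoritative-only server ever hands out cached data. The script below is an added example, not code from this thread or from ISC: it scans the options block of a named.conf and reports every one of those knobs whose effective value (the configured one, or the BIND default when the option is absent) still permits cached or extra data. Both configurations are constructed samples, the EXPECTED posture is this example's assumption about an authoritative-only server, and the DEFAULTS table follows the BIND 9 ARM of that era (the thread itself confirms that additional-from-cache is enabled by default).

```python
import re

# Values an authoritative-only server should carry: no recursion, nothing
# answered from cache, no extra additional data.  This posture is the
# example's own assumption, not a quotation from the list.
EXPECTED = {
    "recursion": "no",
    "additional-from-cache": "no",
    "additional-from-auth": "no",
    "minimal-responses": "yes",
}

# What named assumes when the option is missing from named.conf (BIND 9 ARM;
# the thread confirms additional-from-cache defaults to yes).
DEFAULTS = {
    "recursion": "yes",
    "additional-from-cache": "yes",
    "additional-from-auth": "yes",
    "minimal-responses": "no",
}

# Constructed sample configurations, not taken from any real server.
LOOSE_CONF = """
options {
    directory "/etc/namedb";
    recursion no;
    additional-from-cache yes;   // still fills the additional section from cache
    allow-recursion { none; };
};
"""

HARDENED_CONF = """
options {
    directory "/etc/namedb";
    recursion no;
    additional-from-cache no;
    additional-from-auth no;
    minimal-responses yes;
    allow-recursion { none; };
};
"""


def parse_options(conf):
    """Return the scalar `name value;` statements of the top-level options block.

    Block-valued statements such as `allow-recursion { ... };` are skipped and
    only `//` comments are stripped: this is a linter for a few scalar knobs,
    not a full named.conf parser.
    """
    match = re.search(r"options\s*\{(.*?)^\};", conf, re.S | re.M)
    if not match:
        return {}
    body = re.sub(r"//.*", "", match.group(1))
    opts = {}
    for stmt in re.finditer(r"^\s*([a-z-]+)\s+([^;{}\s]+)\s*;", body, re.M):
        opts[stmt.group(1)] = stmt.group(2).strip('"')
    return opts


def audit(conf):
    """List the options whose effective value differs from EXPECTED."""
    opts = parse_options(conf)
    findings = []
    for name, want in EXPECTED.items():
        have = opts.get(name, DEFAULTS[name])
        origin = "set" if name in opts else "default"
        if have != want:
            findings.append(f"{name} is '{have}' ({origin}); expected '{want}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("loose", LOOSE_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", audit(conf) or ["ok"])
```

Run against LOOSE_CONF the audit reports three findings (additional-from-cache set to yes, and additional-from-auth and minimal-responses left at their permissive defaults), which is exactly the "looks authoritative-only but still serves from cache" situation the thread describes; HARDENED_CONF passes clean.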


Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/2 Matus UHLAR - fantomas :
>>>>> On 21.12.11 19:21, Peter Andreev wrote:
>>>>
>>>> I think that if a server is authoritative - and - slave-only it should
>>>> use the system resolver rather than querying by itself.
>
>
>> 2012/1/2 Matus UHLAR - fantomas :
>>>
>>> BIND will not use the system resolver. BIND is the resolver. Relying on another
>>> resolver could cause troubles. If BIND does not need to resolve, it will
>>> not. If it needs, don't block it.
>
>
> On 02.01.12 16:42, Peter Andreev wrote:
>>
>> I understood your point, however it differs from mine.
>>
>> Matus, I'm afraid we won't reach a consensus on this topic. So I suggest
>> that we stop this discussion.
>> Thank you for suggestions and happy new year!
>
>
> I don't see your point now. I'm afraid that you will have to live with the
> fact that you cannot disable sending queries from BIND when it needs them,
> you can only prevent it by configuring BIND (so it will not need them) or
> firewall such packets so they will not get outside (which may break its
> functionality).

My point: I need my servers to answer with authoritative data only. I
need them not to perform anything else. Only "get query - send
authoritative response". Where in this scenario does BIND have to resolve
something?
In which scenario (except master & notifies) does BIND have to resolve something?

>
> Maybe ISC will patch BIND to use the system resolver for internal queries, but I
> doubt it. Maybe you can do it, but imho it's not worth trying.
>
> Maybe you can set up forward only; and forwarders {}; so BIND will forward
> all recursive queries it generates to your recursive servers.
>
> But the way you are trying to get over this, I'm afraid you will fail and
> that's what I am trying to tell you.

I'm free to replace BIND with another authoritative DNS implementation.

>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> How does cat play with mouse? cat /dev/mouse
>



-- 
--
AP


Re: About root zones

2012-01-02 Thread Peter Andreev
2012/1/2 Matus UHLAR - fantomas :
>>> On 21.12.11 19:21, Peter Andreev wrote:
>>>>
>>>> All these servers are slaves. They don't send notifies.
>
>
>> 2011/12/21 Matus UHLAR - fantomas :
>>>
>>> they do, unless you have turned it off...
>
>
> On 22.12.11 11:54, Peter Andreev wrote:
>>
>> Of course I turned it off, it's normal practice for slaves, I assume.
>
>
> even sending notifies by slaves can have a reason. For example, other slaves
> not getting notifies from master...
>
>
>>> Do you think if the server needed to resolve something, and you would disable
>>> it, it would work better? I think just the opposite. If a server does
>>> lookups only when needed, then disabling required lookups would make it
>>> not work.
>
>
>> I think that if a server is authoritative - and - slave-only it should
>> use the system resolver rather than querying by itself.
>
>
> BIND will not use system resolver. BIND is the resolver. Relying on other
> resolver could cause troubles. If BIND does not need to resolve, it will
> not. If it needs, don't block it.
>
I understood your point, however it differs from mine.

Matus, I'm afraid we won't reach a consensus on this topic. So I suggest
that we stop this discussion.
Thank you for the suggestions and happy new year!

>
>> Where can I find information about what causes queries for internal
>> duties? If it can be found in the ARM, could you please point me to the
>> right chapter. Maybe I missed something while reading it. The only
>> mention I have met is that additional resolving is needed for sending
>> notifies (and will this resolving be performed if the list of
>> slaves' IP addresses is written in named.conf?).
>
>
> Someone other will have to answer this.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
>



-- 
--
AP


Re: About root zones

2011-12-21 Thread Peter Andreev
David, thank you, I checked and all seems good :).

2011/12/21 Matus UHLAR - fantomas :
>> 2011/12/21 Matus UHLAR - fantomas :
>>>
>>> Disabling recursion should do the same afaik. However, disabling
>>> additional-from-cache is OK and afaik disabled by default.
>
>
> On 21.12.11 19:21, Peter Andreev wrote:
>>
>> No, it is enabled by default.
>
>
>>> server needs to resolve names if it's supposed to send NOTIFY messages.
>>
>>
>> All these servers are slaves. They don't send notifies.
>
>
> they do, unless you have turned it off...

Of course I turned it off, it's normal practice for slaves, I assume.

>
>
>> So while I'm really confused about the described issue, I'd like not to
>> speculate on it, because it happened only once.
>> What I don't like at all is the impossibility of disabling these
>> lookups.
>
>
> Do you think if the server needed to resolve something, and you would disable
> it, it would work better? I think just the opposite. If a server does lookups
> only when needed, then disabling required lookups would make it not work.
>

I think that if a server is authoritative - and - slave-only it should
use the system resolver rather than querying by itself.

Where can I find information about what causes queries for internal
duties? If it can be found in the ARM, could you please point me to the
right chapter. Maybe I missed something while reading it. The only
mention I have met is that additional resolving is needed for sending
notifies (and will this resolving be performed if the list of
slaves' IP addresses is written in named.conf?).

>
>> Ok, maybe I'm paranoid and worrying about trifles, but the news about
>> compiled-in hints astonished me.
>
>
> since it only happened once and you weren't able to find out what really
> happened (did you at least make sure your customer is right?), it should not
> be an issue to care about this much...
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> If Barbie is so popular, why do you have to buy her friends?



-- 
--
AP


Re: About root zones

2011-12-21 Thread Peter Andreev
2011/12/21 Matus UHLAR - fantomas :
>>>>> On 20.12.11 17:37, Peter Andreev wrote:
>>>>>>
>>>>>> Does it mean that without a hint zone named can still perform
>>>>>> iterative lookups for its internal purposes?
>
>
> On 21.12.11 13:05, Peter Andreev wrote:
>>
>> Well, we run a bunch of authoritative-only slave servers and obviously
>> they don't have to perform any kind of lookups.
>
>
> If they don't have to, they won't.

I hope so.
>
>
>> Some time ago a user complained that one of these slave servers
>> responds with wrong data. My colleague tried to investigate this
>> issue, but without any success. Just in case we disabled
>> "additional-from-cache".
>
>
> Disabling recursion should do the same afaik. However, disabling
> additional-from-cache is OK and afaik disabled by default.

No, it is enabled by default.

>
>
>> That's why any sort of internal lookups looks very suspicious to me.
>
>
> server needs to resolve names if it's supposed to send NOTIFY messages.

All these servers are slaves. They don't send notifies.

So while I'm really confused about the described issue, I'd like not to
speculate on it, because it happened only once.
What I don't like at all is the impossibility of disabling these
lookups. Of course I can follow Jeff's advice and redirect these
lookups to localhost, but it is not a solution, it only moves the
problem to another area.

Ok, maybe I'm paranoid and worrying about trifles, but the news about
compiled-in hints astonished me.

>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> I drive way too fast to worry about cholesterol.



-- 
--
AP


Re: About root zones

2011-12-21 Thread Peter Andreev
2011/12/21 Matus UHLAR - fantomas :
>>>> 2011/12/20 Mark Andrews :
>>>>>
>>>>>        Named has a compiled in set of root hints.  It is used if
>>>>>        a root zone is not defined in named.conf.
>
>
>>> On 20.12.11 17:37, Peter Andreev wrote:
>>>>
>>>> Does it mean that without a hint zone named can still perform
>>>> iterative lookups for its internal purposes?
>
>
>> 2011/12/20 Matus UHLAR - fantomas :
>>>
>>> yes.
>
>
> On 21.12.11 12:17, Peter Andreev wrote:
>>
>> This fact is really disappointing.
>
>
> well, it's needed for proper functionality. What exactly seems to be your
> problem?

Well, we run a bunch of authoritative-only slave servers and obviously
they don't have to perform any kind of lookups.
Some time ago a user complained that one of these slave servers
responds with wrong data. My colleague tried to investigate this
issue, but without any success. Just in case we disabled
"additional-from-cache".
That's why any sort of internal lookups looks very suspicious to me.

>
> Note that
> - only clients that are allowed to recurse are able to see data from
>  the "type hint" zone
> - only clients from local networks are allowed to recurse by default.
>  You can tune this by configuring the "allow-recursion" option.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Atheism is a non-prophet organization.



-- 
--
AP


Re: About root zones

2011-12-21 Thread Peter Andreev
2011/12/20 Matus UHLAR - fantomas :
>> 2011/12/20 Mark Andrews :
>>>
>>>        Named has a compiled in set of root hints.  It is used if
>>>        a root zone is not defined in named.conf.
>
>
> On 20.12.11 17:37, Peter Andreev wrote:
>>
>> Does it mean that without a hint zone named can still perform
>> iterative lookups for its internal purposes?
>
>
> yes.
This fact is really disappointing.
Anyway, thank you, Matus, for the answer.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Despite the cost of living, have you noticed how popular it remains?



-- 
--
AP


Re: About root zones

2011-12-20 Thread Peter Andreev
2011/12/20 Mark Andrews :
>
>        Named has a compiled in set of root hints.  It is used if
>        a root zone is not defined in named.conf.
>
>        Mark

Does it mean that without a hint zone named can still perform
iterative lookups for its internal purposes?

>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org



-- 
--
AP


Strange issue with signed zone

2011-10-26 Thread Peter Andreev
Hello!

We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we signed the
first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
Recently we realised that our servers don't generate NSEC3 records for the signed zone.
The problem went away after we restarted the BIND instances.

Is the described behaviour normal for BIND or not?

-- 
--
AP


Re: updating Bind made it slower

2011-09-27 Thread Peter Andreev
2011/9/27 Tom Schmitt :
>
>
>> It is not clear from your question whether you use "rndc reload" or "rndc
>> reload zone.name". The latter will be faster if you change only one or a
>> few zones in one pass of your updating script.
>
> I generate from my database the complete named.conf, especially including new
> zones and then trigger a "rndc reload" to make this new config active.

In this case "rndc reconfig" should be sufficient. This command tells
BIND to re-read the config file and load all new zones without touching
any previously loaded zones.
>
> This process is now taking much more time, leading to outages in the 
> DNS-service :-(
>
> I'll try to replace it with rndc reconfig. Not sure if this really is 
> sufficient.
>
> Tom.
> --



-- 
--
AP


Re: updating Bind made it slower

2011-09-27 Thread Peter Andreev
2011/9/27 Tom Schmitt :
>
>> > I just updated a couple of my DNS-servers from the rather old version
>> > 9.4.1 to a newer version 9.8.0-P4.
>> >
>> > After this I have problem with outages. Looking into it, I found that
>> > the time for a "rndc reload" has nearly doubled!
>>
>> This has been pointed out to me before; do you really need "reload", or
>> would "reconfig" suffice?
>>
>
> I will try it if this is reducing the times and if a reload is really not
> needed. If it works, I will change my updating-scripts.
> Thank you!

It is not clear from your question whether you use "rndc reload" or "rndc
reload zone.name". The latter will be faster if you change only one or a
few zones in one pass of your updating script.

> --

-- 
--
AP
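The two replies above distinguish three rndc operations that a database-driven update script can use: a full "rndc reload" (re-reads the config and every zone), "rndc reconfig" (re-reads the config and loads new zones, leaving already loaded zones alone) and "rndc reload zone.name" (reloads only that zone). The script below is an added example, not code from the thread or from ISC: given the zone inventory before and after a database export, it works out the cheapest set of rndc commands rather than always falling back to a full reload, which is the operation that caused Tom's outages. The zone inventories are constructed, the commands are only returned (not executed), and the threshold above which a full reload is preferred is this example's assumption.

```python
import hashlib

# Constructed zone inventories, zone name -> zone file text, as a database
# export might produce them before and after one update run.
BEFORE = {
    "example.com": "@ IN SOA ns1 hostmaster 2011092701 7200 900 1209600 3600\n@ IN NS ns1\n",
    "example.net": "@ IN SOA ns1 hostmaster 2011092701 7200 900 1209600 3600\n@ IN NS ns1\n",
    "old.example": "@ IN SOA ns1 hostmaster 2011092701 7200 900 1209600 3600\n@ IN NS ns1\n",
}
AFTER = {
    "example.com": BEFORE["example.com"],                                      # untouched
    "example.net": BEFORE["example.net"].replace("2011092701", "2011092702"),  # serial bumped
    "example.org": "@ IN SOA ns1 hostmaster 2011092701 7200 900 1209600 3600\n@ IN NS ns1\n",  # new zone
}


def digest(text):
    """Content hash of a zone file, so unchanged zones are never reloaded."""
    return hashlib.sha256(text.encode()).hexdigest()


def plan_rndc(before, after, full_reload_threshold=50):
    """Return the rndc commands that move named from `before` to `after`.

    - zones that appeared or disappeared need the configuration re-read:
      one `rndc reconfig`, which loads new zones and drops removed ones
      without touching zones that are already loaded;
    - zones whose file content changed get `rndc reload <zone>` each;
    - only when very many zones changed is one full `rndc reload` (config
      and all zones) cheaper than reloading them one by one; that cutoff
      (full_reload_threshold) is an assumption of this example.
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(zone for zone in set(before) & set(after)
                      if digest(before[zone]) != digest(after[zone]))

    if len(modified) > full_reload_threshold:
        return ["rndc reload"]          # full reload already re-reads the config

    commands = []
    if added or removed:
        commands.append("rndc reconfig")
    commands.extend(f"rndc reload {zone}" for zone in modified)
    return commands


if __name__ == "__main__":
    for command in plan_rndc(BEFORE, AFTER):
        print(command)
```

For the constructed inventories the plan is "rndc reconfig" (example.org added, old.example removed) followed by "rndc reload example.net" (serial bumped); example.com is left alone because its content hash did not change.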


Re: DNSSEC and MS AD

2011-08-10 Thread Peter Andreev
2011/8/9 Chris Buxton :
> On Aug 9, 2011, at 10:07 AM, John Williams wrote:
>
>> --- On Tue, 8/9/11, Chris Buxton  wrote:
>>
>>> With a private version of a domain, you should not need to
>>> worry about a DS record in the parent. Just make sure your
>>> internal caching servers not only can find the internal
>>> version of your domain, but also can validate the signatures
>>> therein, most likely using a trusted or managed key specific
>>> to that internal domain.
>>>
>>> I'll not try to get into the specifics of using MS DNS for
>>> this purpose because this is not the right forum.
>>>
>>> Regards,
>>> Chris Buxton
>>> BlueCat Networks
>>
>> Based on your response, I'm wondering how an application such as Exchange
>> (SMTP, which clearly relies on DNS) will work in this model.  Are there
>> any effects of the parent domain (.com, .net, whatever...) not having
>> the DS records for the domain?
>
> I don't follow your reasoning.
>
> For SMTP, the DNS-related operation is in looking up the MX and A/AAAA
> records of other mail servers based on an outgoing message. If you're worried
> about other mail servers finding your Exchange server, there are two cases:
>
> - External. My comments had nothing to do with external (Internet-facing) DNS 
> records. There, you would want to have DS records put into the parent zone to 
> be able to authenticate the link from parent to child.
>
> - Internal. If you're using MX records internally, you're either very large 
> or misguided. If you are large enough to warrant this, then your caching 
> servers should be able to follow your internal chain of trust, starting at a 
> private trust anchor. This is the point I was getting at.
>
> The use of internal, private namespace should be entirely transparent to any 
> service other than DNS. Your mail server should not need to know about it, 
> and should not be able to detect it (other than watching for private address 
> space and obviously-private domain names like "corp.dom").

As I understand from here -
http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx -
Chris' scenario should work. But I doubt that it is reasonable to use
DNSSEC for an internal domain, and moreover with such limitations.

>
> Chris Buxton
> BlueCat Networks



-- 
--
AP


Re: Forward only zones.

2011-07-26 Thread Peter Andreev
2011/7/25 Vbvbrj :
> On 25.07.2011 10:15, Matus UHLAR - fantomas wrote:

>>>> This is how BIND is supposed to work. If you _need_ such setup, why
>>>> don't you setup your AD servers as recursive point clients directly to
>>>> them?
>>>> you can theoretically configure maximum cache time in BIND but that would
>>>> be useless server.
>>
>>> I can configure AD servers to Microsoft DNS. But how about workstations?
>>> The all are configured to use BIND DNS. If I change them to Microsoft DNS,
>>> then there is no use of BIND DNS.
>>
>> There's already no use for BIND if you really want what you described. So
>> better deinstall BIND and configure stations to use microsoft's DNS.
>>
>> Not that I prefer or advise using microsoft's DNS, is sucks pretty much.
>> But as you described it, there's no point in using BIND for you.
>
> I have this point. I want to use BIND, because the server on which
> BIND resides is also a gateway to internet and every client is configured to use it.
> And this server I prepare to switch to *unix system, and I am moving every
> necessary service from windows integrated to opensource multisystem support.
>
> I just can't for now move active directory's dns database to BIND.
Maybe you should look at the problem from another angle and configure
Microsoft's DNS server to forward queries to BIND? Of course you will
need to reconfigure clients to use Microsoft's DNS only, but in this
case Microsoft's DNS will serve queries for your domain and BIND will
serve queries for other domains. I think it will be a better solution.



-- 
--
AP


Re: link-local glue AAAA

2011-06-05 Thread Peter Andreev
Thank you, Matus, that's all I wanted to know.

2011/6/5 Matus UHLAR - fantomas :
> On 05.06.11 17:07, Peter Andreev wrote:
>> I'm puzzled a little - I see in my zone AAAA glue records with
>> link-local addresses. I think it is not good, but no RFC mentions
>> link-local in glue.
>> Could someone tell me the best practices for link-local in glue?
>
> It's the same as using private range or other bogus IP addresses in NS
> records for public domains. Technically correct, but will not apparently
> work from outside and any registry should reject that. However registries do
> not have power over delegating within your registered zone so the rest is up
> to you.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Honk if you love peace and quiet.



-- 
--
AP


link-local glue AAAA

2011-06-05 Thread Peter Andreev
Hi

I'm puzzled a little - I see in my zone AAAA glue records with
link-local addresses. I think it is not good, but no RFC mentions
link-local in glue.
Could someone tell me the best practices for link-local in glue?

Thanks in advance.

-- 
--
AP
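Matus' answer above puts link-local glue in the same class as RFC 1918 or other bogus addresses in NS records: syntactically valid, but useless to anyone resolving from outside. A zone-file check for exactly that condition, as an added example that is not part of the thread or of BIND: it reads a simple one-record-per-line zone, finds every delegation whose name servers lie below the delegated name (the targets that need glue), and flags glue addresses that fall in link-local, private, loopback or multicast space, as well as in-bailiwick targets with no glue at all. The zone fragment is constructed; 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes standing in for public addresses, which is why they are deliberately absent from the bogus list.

```python
import ipaddress

# Ranges that can never work as glue for a public delegation: "this" network,
# RFC 1918 / ULA, loopback, link-local (the thread's case) and multicast.
# Documentation prefixes are left out so they can stand in for public space.
BOGUS_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

# Constructed zone fragment: one delegation with three in-bailiwick name servers.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
example.test.            3600 IN SOA  ns1.example.test. hostmaster.example.test. 2011060501 7200 900 1209600 3600
example.test.            3600 IN NS   ns1.example.test.
ns1.example.test.        3600 IN A    192.0.2.1
child.example.test.      3600 IN NS   ns1.child.example.test.
child.example.test.      3600 IN NS   ns2.child.example.test.
child.example.test.      3600 IN NS   ns3.child.example.test.
ns1.child.example.test.  3600 IN A    192.0.2.10
ns1.child.example.test.  3600 IN AAAA 2001:db8::10
ns2.child.example.test.  3600 IN A    10.0.0.5
ns2.child.example.test.  3600 IN AAAA fe80::1
"""


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) from a one-record-per-line zone file."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)                            # optional TTL and class
        if rest:
            yield owner, rest[0].upper(), rest[1:]


def bogus_reason(addr):
    """Return why `addr` cannot serve as public glue, or None if it looks usable."""
    ip = ipaddress.ip_address(addr)
    for net in BOGUS_RANGES:
        if ip.version == net.version and ip in net:
            suffix = " (link-local)" if ip.is_link_local else ""
            return f"{addr} is in {net}{suffix}"
    return None


def check_glue(zone_text):
    """List (target, rtype, reason) findings for the zone's delegation glue."""
    records = list(parse_records(zone_text))
    apex = next(owner for owner, rtype, _ in records if rtype == "SOA")

    # NS records below the apex are delegations; targets under the delegated
    # name are in-bailiwick and need glue in this zone.
    needs_glue = set()
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != apex and rdata[0].lower().endswith("." + owner):
            needs_glue.add(rdata[0].lower())

    glue = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and owner in needs_glue:
            glue.setdefault(owner, []).append((rtype, rdata[0]))

    findings = []
    for target in sorted(needs_glue):
        if target not in glue:
            findings.append((target, "-", "delegation needs glue but none present"))
            continue
        for rtype, addr in glue[target]:
            reason = bogus_reason(addr)
            if reason:
                findings.append((target, rtype, reason))
    return findings


if __name__ == "__main__":
    for finding in check_glue(SAMPLE_ZONE):
        print(*finding)
```

On the sample, ns1.child passes, ns2.child is reported twice (an RFC 1918 A record and a link-local AAAA record) and ns3.child is reported for having no glue at all; the apex NS address is authoritative data rather than glue and is not examined.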


Re: Bind 9.8 with dlz and dnssec

2011-03-10 Thread Peter Andreev
2011/3/10 Evan Hunt 
>
> > Now DLZ supports dynamic updates and theoretically it is possible to make
> > such tricks:
> >
> > rndc freeze example.com
> > put some new records in database
> > rndc thaw example.com
> > rndc sign example.com
> > rndc freeze example.com
> >
> > That is, the zone isn't really dynamic, but it is dynamically loadable and
> > signed.  Will it work?
>
> DLZ only supports dynamic updates if you're using a back-end that supports
> them.  Right now the only combination that works is the DLZ "dlopen" driver
> running the SMB/CIFS module provided in Samba 4, bind_dlz.c.  As far as I
> know, that module doesn't understand DNSSEC RRtypes, so I doubt if that
> trick would work today.
>
> Even with a back-end module that can manage DNSSEC records, my guess is
> that it wouldn't answer queries correctly, because AFAIK DLZ doesn't have
> a mechanism for finding the closest previous name, and that's necessary
> for returning a signed NXDOMAIN response.  (This problem would also apply
> if you used dnssec-signzone and loaded the signed data into the database
> directly.)
>
> Incidentally, we've been expanding DLZ support further.  In 9.8.1, the
> dlopen driver will be part of the default build on unix/linux platforms, no
> longer requiring a configure option, so you can use the Samba module (or
> other modules yet to be written) with a stock BIND 9 build.  In 9.9.0,
> we'll be adding support for the dlopen driver on Windows as well.  I plan
> to convert the other DLZ drivers (mysql, postgresql, ldap, etc) to back-end
> modules for the dlopen driver at that time as well.  I'm not expecting to
> make them support dynamic updates yet, and hadn't even given any thought to
> the problem of supporting DNSSEC, but we can add those features to the
> roadmap as well if there's user demand.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

Thank you, Evan

I'd like to add my vote for DNSSEC in DLZ to Christian's one :)


--
--
AP

Bind 9.8 with dlz and dnssec

2011-03-10 Thread Peter Andreev
Hello, List

Now that DLZ supports dynamic updates, theoretically it is possible to do
tricks like this:

rndc freeze example.com
put some new records in database
rndc thaw example.com
rndc sign example.com
rndc freeze example.com

That is, the zone isn't really dynamic, but it is dynamically loadable and
signed.
Will it work?

-- 
--
AP

Re: rndc addzone and file name

2011-01-14 Thread Peter Andreev
Now I see, I really was mistaken about addzone. Kalman, Alan, thank
you very much for the explanation.
I think I won't break working things and will continue with includes and scripts :)

2011/1/14 Alan Clegg :
>
>> You haven't understood. I have several includes within one default
>> view and I need to add zones to them. Different zones to different
>> includes. For me the name of the view doesn't matter.
>
> The zones added using "addzone" and removable using "delzone" aren't
> going to show up in your include files.
>
> They will be in the BIND created (and thus maintained) version.
>
> If you want to move your existing zones into "management" by BIND, you
> can create a zone using addzone (thus creating the crazy-named file),
> shut down BIND, move your zone definitions into the created file
> (removing them from their existing INCLUDED file) and then restart BIND.
>
> AlanC
>
>



-- 
--
AP


Re: rndc addzone and file name

2011-01-14 Thread Peter Andreev
2011/1/14 Kalman Feher :
>
>
>
> On 14/01/11 9:57 AM, "Peter Andreev"  wrote:
>
>> 2011/1/13 Alan Clegg :
>>> On 1/13/2011 11:08 AM, Peter Andreev wrote:
>>>
>>>> I've executed
>>>> rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; 
>>>> };'
>>>>
>>>> and have got the file /etc/namedb/3bf305731dd26307.nzf:
>>>> zone test.test { type master; file "/etc/namedb/master/test.1"; };
>>>>
>>>> The question was: can I force rndc addzone to use specific file (for
>>>> example "/etc/namedb/includes/file2") instead of 3bf305731dd26307.nzf?
>>>
>>> No.  The file is a hash of the view in which the data resides.
>>>
>>> "it's automated, just leave it alone and it won't hurt anyone"  :)
>>>
>>> AlanC
>>
>> Thank you very much, Alan. Could you explain why it was made this way?
>> I'm asking because this feature could be very helpful for me, but such a
>> restriction makes it completely useless.
> I believe it was related to the difference between legal file names and
> legal view names. Thus to avoid problems, the view name is hashed.
>
> I can't think of a situation where you would not know your view name and
> that view name would change over time. So if you wish to edit the file in a
> script, you can still do so, just use the hashed name. But there seems to be
> a general preference not to change anything in that file by hand or script.
> And the file naming scheme may change in future releases, if my change log
> memory is correct.

You haven't understood. I have several includes within one default
view and I need to add zones to them. Different zones to different
includes. For me the name of the view doesn't matter.
I believe that a much more flexible and convenient way is to allow users
to specify the file, rather than such a non-transparent mechanism as has
been implemented.

And I don't like the idea that the bind user must have permission to write to
the namedb directory. Right now, without such permission, I get a "permission
denied" error when trying to delete a zone.

>
> However, I'm curious regarding your requirements and why this restriction
> causes them to be broken? For myself I can think of some occasions:
> 1. Moving from secure to insecure (due to operational changes like transfers
> between registrars).
> 2. ACL changes
>
> Ideally there would be an "rndc editzone" with similar syntax to addzone.
> Thus allowing you to update the zone statement without hand/script editing
> the file. And protecting you from future file name changes.
>>>
>>
>>
>
> --
> Kal Feher
>



-- 
--
AP


Re: rndc addzone and file name

2011-01-14 Thread Peter Andreev
2011/1/13 Alan Clegg :
> On 1/13/2011 11:08 AM, Peter Andreev wrote:
>
>> I've executed
>> rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; };'
>>
>> and have got the file /etc/namedb/3bf305731dd26307.nzf:
>> zone test.test { type master; file "/etc/namedb/master/test.1"; };
>>
>> The question was: can I force rndc addzone to use specific file (for
>> example "/etc/namedb/includes/file2") instead of 3bf305731dd26307.nzf?
>
> No.  The file is a hash of the view in which the data resides.
>
> "it's automated, just leave it alone and it won't hurt anyone"  :)
>
> AlanC

Thank you very much, Alan. Could you explain why it was made this way?
I'm asking because this feature could be very helpful for me, but such a
restriction makes it completely useless.
>



-- 
--
AP


Re: rndc addzone and file name

2011-01-13 Thread Peter Andreev
I see that my first post wasn't clear; please excuse me.
I'll try to explain the situation.

I have:

named.conf:
...
include "includes/file1";
include "includes/file2";
etc
...
eof

I've executed
rndc addzone test.test '{ type master; file "/etc/namedb/master/test.1"; };'

and have got the file /etc/namedb/3bf305731dd26307.nzf:
zone test.test { type master; file "/etc/namedb/master/test.1"; };

The question was: can I force rndc addzone to use specific file (for
example "/etc/namedb/includes/file2") instead of 3bf305731dd26307.nzf?




rndc addzone and file name

2011-01-13 Thread Peter Andreev
Hello, All!

I have several includes which are edited via a hand-written script, and
now I'm trying to simplify it by using the addzone/delzone options of rndc.

So, the question is: how can I specify the files where rndc addzone puts
the new zones' descriptions?

Thanks in advance.


Re: Split view - differing SOA serial number

2010-07-08 Thread Peter Andreev
2010/7/8 John Horne 

> [..]
> Both views use the same zone file (which currently contains 3330257 as
> the serial number), and the zone is configured to use a single master.
> If I use rndc to reload the zone in both views, then nothing changes. If
> I stop and restart the whole named service, then both views have the
> same serial number. Why doesn't a reload cause the zone serial number to
> be updated from the file copy of the zone?
>

It looks like when you do rndc reload for the external view, the answer from
the master is processed like any other query from the internal network, i.e.
by the internal view. The same happens with notifies.


Re: FW: BIND 9 errors

2010-06-30 Thread Peter Andreev
2010/7/1 Y z 

>
> (bind version 9.7.0-P1)
>
> A DNS slave server has two IPs: an internal RFC1918 number to talk to
> the internal net, and an external one to talk to the rest of the world.
>
> If I *don't* put the external IP in a master:
>
> zone "example.com" {
> type slave;
> file "example";
> masters port 1053 { 172.16.0.30; } ;
> };
>
> I get errors:
>
> Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
> from non-master: external.ip#59808
>
This error appears because your master sends the notify from external.ip, which
isn't listed in the "masters {};" statement.

>
> Whereas, if I *do* put the IP in as a master, I get:
>
> Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from
> external.ip#1053 failed to connect: connection refused
>
And this error appears because your master isn't configured to allow
connections to external.ip#1053.

It will be very helpful in resolving your problem if you provide the
"options{};" part of your named.conf file.

>
> (the reason I'm using port 1053 is because the real master is running
> on two different instances, one on port 53, and one on port 1053).
>
> Despite the errors, the zones still seem to function. So, what do I do
> to make the errors go away?
>
> Thanks!
>
>




Re: Using bind to provide a dns redirector

2010-03-05 Thread Peter Andreev
Have you tried adding something like this to your "." zone:

microsoft.com NS ns1.msft.net
 NS ns3.msft.net
 NS ns5.msft.net
etc?
Just an assumption: RFC 4592 describes the processing of the asterisk as
matching "any non-existent name in a particular zone".

2010/3/5 Alex Sharaz 

> Hi all,
>
> I'm looking to implement a dns redirector using bind 9 and need a wee bit
> of
> help.
>
> We have a wired 802.1x network setup here. By default if a user hasn't
> configured 802.1x on their PC their machine gets dropped into an
> unauthenticated VLAN where our DHCP server hands our different DNS server
> IP
> addresses to the rest of the  University.
>
> I'm currently using a product called DNS redirector for the unauthenticated
> VLAN but am having some loading problems hence the query re implementing my
> requirements in bind.
>
> Here's what I'm currently doing:-
>
> 1). We want  users to  have access to windows update and app update sites
> even from the unauth VLAN
> 2). Whatever else they try and get to via a browser, the host address gets
> resolved to a Hull IP address. The browser therefore connects to a local
> web
> server which hands out a page saying "You need to configure your machine in
> order to access the Internet ..."
>
> Apart from the loading issues the whole thing works quite well.
>
> So ...
>
> Getting bind to always resolve to a single IP address was quite easy.
>
> In named.conf
>
> zone "." {
>  type master;
>  file "db.redir";
> };
>
> zone "hull.ac.uk" {
>  type master;
>  file "db.hull";
> };
>
> In db.redir
> $TTL 60
> @   In  SOA localhost. Root.localhost. ( ..)
>
> @   IN  NS  localhost.
>
> *   IN  A   150.237.47.203
>
> So anything I try and resolve returns 47.203
>
> db.hull is similar but lets me add some extra hull addresses for local
> services we might want students to access.
>
> I thought that adding
>
> zone "Microsoft.com" {
>  type forward;
>  forwarders {a.b.c.d; e.f.g.h;};
>  forward only;
> };
>
> Would let me pass queries for anything in Microsoft.com off to our real
> servers, but the zone "." overrides the above and everything resolves back
> to my  47.203 address.
>
>
> So, any thoughts as to how I might persuade bind to correctly resolve
> hostnames in a list of specified domains?
>
> TIA
> Alex
>
>
>
>
>
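The RFC 4592 point made in the reply above, as an added example (not code from the thread and not BIND's own logic): a toy authoritative lookup over a catch-all "." zone. With only the "*" record every name gets the redirect address; once microsoft.com owns NS records it is both the closest encloser and a zone cut, so names under it get a referral instead of the wildcard A. The zone data is constructed from the configuration quoted above; "lookup", "labels" and the zone names are my own.

```python
# Added example, not code from the thread or from BIND.  A toy authoritative
# lookup that applies the RFC 4592 wildcard rules to a catch-all "." zone
# like db.redir.  Zone contents are constructed from the quoted configuration.
from typing import Dict, List, Tuple

Name = Tuple[str, ...]          # labels stored root-first: ("com", "microsoft")
RRset = List[Tuple[str, str]]   # [(rrtype, rdata), ...]

# The "." zone: apex, the catch-all wildcard from db.redir, and the explicit
# NS records suggested for microsoft.com (which make it a zone cut).
REDIR_ZONE: Dict[Name, RRset] = {
    (): [("SOA", "localhost. root.localhost. 1 3600 900 604800 60"),
         ("NS", "localhost.")],
    ("*",): [("A", "150.237.47.203")],
    ("com", "microsoft"): [("NS", "ns1.msft.net."),
                           ("NS", "ns3.msft.net."),
                           ("NS", "ns5.msft.net.")],
}

# The same zone before the NS records are added: only the wildcard exists.
WILDCARD_ONLY_ZONE = {k: v for k, v in REDIR_ZONE.items()
                      if k != ("com", "microsoft")}


def labels(name: str) -> Name:
    """'www.Microsoft.com.' -> ('com', 'microsoft', 'www'); '.' -> ()."""
    return tuple(reversed([p.lower() for p in name.split(".") if p]))


def _rdata(zone: Dict[Name, RRset], owner: Name, rrtype: str) -> List[str]:
    return [rd for (t, rd) in zone.get(owner, []) if t == rrtype]


def lookup(zone: Dict[Name, RRset], qname: str, qtype: str) -> Tuple:
    """Return ("ANSWER", rdata), ("REFERRAL", cut, ns), ("NODATA", []) or
    ("NXDOMAIN", []) the way an authoritative server for `zone` would."""
    name = labels(qname)

    # 1. Zone cut: a non-apex name at or above qname that owns NS records is
    #    a delegation, so the server returns a referral, not its own data.
    for i in range(1, len(name) + 1):
        ns = _rdata(zone, name[:i], "NS")
        if ns:
            return ("REFERRAL", ".".join(reversed(name[:i])) + ".", ns)

    # 2. Exact match: answer from the name itself (maybe no RRs of qtype).
    if name in zone:
        rdata = _rdata(zone, name, qtype)
        return ("ANSWER", rdata) if rdata else ("NODATA", [])

    # 3. Closest encloser: the longest existing ancestor of qname (the apex
    #    always exists).  Empty non-terminals are ignored in this toy.
    closest: Name = ()
    for i in range(len(name) - 1, 0, -1):
        if name[:i] in zone:
            closest = name[:i]
            break

    # 4. RFC 4592: only a "*" owner directly below the closest encloser may
    #    synthesize an answer; if there is none, the name does not exist.
    wildcard = closest + ("*",)
    if wildcard in zone:
        rdata = _rdata(zone, wildcard, qtype)
        return ("ANSWER", rdata) if rdata else ("NODATA", [])
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for title, zone in (("wildcard only", WILDCARD_ONLY_ZONE),
                        ("with microsoft.com NS", REDIR_ZONE)):
        for q in ("www.example.org.", "www.microsoft.com.", "microsoft.com."):
            print(title, q, lookup(zone, q, "A"))
```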

Re: Modifying a response

2010-02-24 Thread Peter Andreev
2010/2/24 Alan Clegg 

> Peter Andreev wrote:
>
> > > For example: if user asks for non-existent domain, caching server
> > > replies with some address and no-error rcode.
> >
> > _Extremely_ bad idea.
> >
> >
> > Yes, I know, but boss is boss and task is task :).
> >
> > Thank you very much for your answer.
>
> You might want to talk to your boss about DNSSEC and how it insures that
> "answer modification" is not allowed -- and how it keeps your customers
> safe and secure and is a good selling point (see the Comcast
> announcement that was made yesterday).
>
> AlanC
>
Oh, DNSSEC is another headache. These two tasks don't influence each
other.

Thank you for the advice.


Re: Modifying a response

2010-02-24 Thread Peter Andreev
2010/2/24 Stephane Bortzmeyer 

> On Wed, Feb 24, 2010 at 01:28:09PM +0300,
>  Peter Andreev  wrote
>  a message of 31 lines which said:
>
> > Is it possible to modify responses on caching server side?
>
> Not with BIND (short of modifying the source code). Other name servers
> may do it
> <http://mailman.powerdns.com/pipermail/pdns-users/2008-June/005471.html>.


I hoped there was something like a plugin which isn't mentioned in the manual.

> > For example: if user asks for non-existent domain, caching server
> > replies with some address and no-error rcode.
>
> _Extremely_ bad idea.
>

Yes, I know, but boss is boss and task is task :).

Thank you very much for your answer.

Modifying a response

2010-02-24 Thread Peter Andreev
Hello, everybody.

Is it possible to modify responses on caching server side?

For example: if a user asks for a non-existent domain, the caching server
replies with some address and a no-error rcode.

Re: Delegation question!

2010-01-25 Thread Peter Andreev
Yes, of course, at least they need to know the nameservers for that zone.

http://ripe.net/rs/reverse/reverse_howto.html

2010/1/25 Alans 

>  I’m new with this ISP, but I don’t think they requested that.
>
> Your point is RIPE won’t give delegations without request, right?
>
>
>
> Regards,
>
> Alans
>
>
>
>
>
>
> Have you requested delegation?
>
> 2010/1/25 Alans 
>
> Hello,
>
> When I check our dns ip from external server for ptr records it shows
> nothing but
> 93.in-addr.arpa.6562IN  SOA ns-pri.ripe.net.
> dns-help.ripe.net. 2010012534 3600 7200 1209600 7200
> We bought 93.x.x.0/x from RIPE, does that mean that RIPE didn't delegate
> 93.x.x.0/x to us?
>
> Regards,
> Alans
>

Re: Delegation question!

2010-01-25 Thread Peter Andreev
Have you requested delegation?

2010/1/25 Alans 

> Hello,
>
> When I check our dns ip from external server for ptr records it shows
> nothing but
> 93.in-addr.arpa.6562IN  SOA ns-pri.ripe.net.
> dns-help.ripe.net. 2010012534 3600 7200 1209600 7200
> We bought 93.x.x.0/x from RIPE, does that mean that RIPE didn't delegate
> 93.x.x.0/x to us?
>
> Regards,
> Alans
>

Re: master server selection / notify

2010-01-20 Thread Peter Andreev
When I tested the multiple masters configuration, I noticed that the slave
chooses the master which sends the notifies. I used bind-9.4.3-p2.

2010/1/20 Matus UHLAR - fantomas 

> Hello,
>
> I wasn't able to find answer, if this is documented anywhere, please point
> me there. I like reading docs ;-)
>
> when I have configured a zone with multiple masters, does the server
> selection work the same way as "ordinary" when resolving remote domains?
>
> And if a NOTIFY comes from one of those servers, is the one preferred or is
> the source of NOTIFY ignored and the selection works as usual?
>
> I have small farm of servers and when any of them fetches zone from the
> master and sends notify, I't like others to fetch zone from this one as a
> small optimization.
>
> Thank you.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT wish to receive any advertising mail at this address.
> A day without sunshine is like, night.

Re: Disable Refused answer

2009-12-03 Thread Peter Andreev
Do you want to disable refused answers for recursion and allow any answers
for authoritative information at the same time?

2009/12/3 Dmitry Rybin 

> Give me parabellum :)
>
> This is not answer. I wont to disable Refused answers for not allowed
> client in recursion.
>
> Peter Andreev wrote:
>
>> Search in arm by keyword "blackhole" will save father of russian democracy
>> :-)
>>
>> 2009/12/3 Dmitry Rybin <kirg...@corbina.net>
>>
>>     Barry Margolin wrote:
>>
>>         In article <mailman.1159.1259764844.14796.bind-us...@lists.isc.org>,
>>         Dmitry Rybin <kirg...@corbina.net> wrote:
>>
>>             Hello!
>>
>>             I can't find in docs how disable answer (Refused), if
>>             recursion for IP is not allowed?
>>
>>         What do you expect it to do instead? Not respond at all?
>>
>>

Re: Disable Refused answer

2009-12-03 Thread Peter Andreev
Searching the ARM for the keyword "blackhole" will save the father of Russian
democracy :-)

2009/12/3 Dmitry Rybin 

> Barry Margolin wrote:
>
>> In article ,
>>  Dmitry Rybin  wrote:
>>
>>  Hello!
>>>
>>> I can't find in docs how disable answer (Refused), if recursion for IP is
>>> not allowed?
>>>
>>
>> What do you expect it to do instead? Not respond at all?
>>
>>
> Drop not allowed request.
>

Re: about alt-transfer-source

2009-07-09 Thread Peter Andreev
Hello, Stacey

I'm not using views. Now I'm trying to solve the following problem:

I have two slave servers, both with the same IP address on their loopback
interfaces; this IP address is specified in the masters' "allow-transfer"
lists and in the "transfer-source" option of my servers. Due to routing, only
one server receives zone updates, while the other one logs "retries limit
exceeded".

Thus I'm trying to find out how the second server can load zones from the
first using one source IP address and, if the first server malfunctions, load
zones from the masters with another source IP address.


2009/7/9 Stacey Jonathan Marshall 

> On 09/07/2009 10:22, Peter Andreev wrote:
>
>> Can somebody explain how many retries must pass, before IP-address from
>> alt-transfer-source option will be used?
>>
>> Thank you.
>> 
>>
>>
>>
> Hi Peter,
>
> Looking at the ARM alt-transfer-source is only used in a view if
> use-alt-transfer-source  is set to "yes".  Are you using views?
>
> Stace
>
>
>

about alt-transfer-source

2009-07-09 Thread Peter Andreev
Can somebody explain how many retries must pass before the IP address from
the alt-transfer-source option is used?

Thank you.

Re: queries with no RD bit set are truncating

2009-06-16 Thread Peter Andreev
Kevin, this server is totally non-recursive. No recursion option is enabled
and the packet size does not exceed 512 bytes. Maybe it was some temporary
bug due to mysterious causes.

Below I post the full sniffer output for both queries:

No.  Time      Source          Destination     Protocol  Info
  1  0.00      193.110.129.66  194.85.61.20    DNS       Standard query MX lbr.ru

Frame 1 (66 bytes on wire, 66 bytes captured)
Domain Name System (query)
    [Response In: 2]
    Transaction ID: 0xc7e5
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        lbr.ru: type MX, class IN
            Name: lbr.ru
            Type: MX (Mail exchange)
            Class: IN (0x0001)

No.  Time      Source          Destination     Protocol  Info
  2  0.034553  194.85.61.20    193.110.129.66  DNS       Standard query response

Frame 2 (66 bytes on wire, 66 bytes captured)

Re: queries with no RD bit set are truncating

2009-06-15 Thread Peter Andreev
Because there is nothing in the server's logs, while the client sees the
following:

(query with no RD bit)
  - Flags:  Query, Opcode - QUERY (Standard query), Rcode - Success
 QR:(0...) Query
 Opcode:(....) QUERY (Standard query) 0
 AA:(.0..) Not authoritative
 TC:(..0.) Not truncated
 RD:(...0) Recursion not desired  <- no
recursion!
 RA:(0...) Recursive query support not
available
 Zero:  (.0..) 0
 AuthenticatedData: (..0.) Not AuthenticatedData
 CheckingDisabled:  (...0) Not CheckingDisabled
 Rcode: () Success 0
QuestionCount: 1 (0x1)
AnswerCount: 0 (0x0)
NameServerCount: 0 (0x0)
AdditionalCount: 0 (0x0)

(answer)
  - Flags:  Response, Opcode - QUERY (Standard query), AA, TC, Rcode -
Success
 QR:(1...) Response
 Opcode:(....) QUERY (Standard query) 0
 AA:(.1..) Is authoritative
 TC:(..1.) Message truncated <- message is
truncated!
 RD:(...0) Recursion not desired
 RA:(0...) Recursive query support not
available
 Zero:  (.0..) 0
 AuthenticatedData: (..0.) Not AuthenticatedData
 CheckingDisabled:  (...0) Not CheckingDisabled
 Rcode: () Success 0
QuestionCount: 1 (0x1)
AnswerCount: 0 (0x0)
NameServerCount: 0 (0x0)
AdditionalCount: 0 (0x0)

(query with RD bit)
  - Flags:  Query, Opcode - QUERY (Standard query), RD, Rcode - Success
 QR:(0...) Query
 Opcode:(....) QUERY (Standard query) 0
 AA:(.0..) Not authoritative
 TC:(..0.) Not truncated
 RD:(...1) Recursion desired <- RD-flag
set!
 RA:(0...) Recursive query support not
available
 Zero:  (.0..) 0
 AuthenticatedData: (..0.) Not AuthenticatedData
 CheckingDisabled:  (...0) Not CheckingDisabled
 Rcode: () Success 0
QuestionCount: 1 (0x1)
AnswerCount: 0 (0x0)
NameServerCount: 0 (0x0)
AdditionalCount: 0 (0x0)

(answer)
  - Flags:  Response, Opcode - QUERY (Standard query), AA, RD, Rcode -
Success
 QR:(1...) Response
 Opcode:(....) QUERY (Standard query) 0
 AA:(.1..) Is authoritative
 TC:(..0.) Not truncated <- TC-flag not set
 RD:(...1) Recursion desired
 RA:(0...) Recursive query support not
available
 Zero:  (.0..) 0
 AuthenticatedData: (..0.) Not AuthenticatedData
 CheckingDisabled:  (...0) Not CheckingDisabled
 Rcode: () Success 0
QuestionCount: 1 (0x1)
AnswerCount: 5 (0x5)
NameServerCount: 0 (0x0)
AdditionalCount: 3 (0x3)

I do not understand why this occurs.


> Peter, why don't you post what you are seeing?
>
>Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
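To read flag lines like the ones in the post above from raw bytes, an added example (not code from the thread and not BIND code): a decoder for the 12-byte DNS header, with the four sample headers constructed to mirror the RD=0/TC and RD=1 exchanges shown; the transaction IDs and the function names are placeholders of mine.

```python
# Added example, not code from the thread or from BIND: decode the 12-byte
# DNS header so flag lines like those in the post can be read from raw bytes.
# The sample headers below are constructed to mirror the four messages in the
# post; their IDs are placeholders, not the captured transaction IDs.
import struct
from dataclasses import dataclass


@dataclass
class DnsHeader:
    ident: int
    qr: bool       # True = response, False = query
    opcode: int    # 0 = standard QUERY
    aa: bool       # authoritative answer
    tc: bool       # truncated: the UDP reply was cut short, retry over TCP
    rd: bool       # recursion desired (copied from the query)
    ra: bool       # recursion available (server capability)
    rcode: int     # 0 = NOERROR ("Success" in the post)
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the RFC 1035 header at the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        ident=ident,
        qr=bool(flags & 0x8000),
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & 0x0400),
        tc=bool(flags & 0x0200),
        rd=bool(flags & 0x0100),
        ra=bool(flags & 0x0080),
        rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def build_header(ident: int, *, qr=False, opcode=0, aa=False, tc=False,
                 rd=False, ra=False, rcode=0, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Encode a header (inverse of parse_header); used to build the samples."""
    flags = ((int(qr) << 15) | ((opcode & 0xF) << 11) | (int(aa) << 10)
             | (int(tc) << 9) | (int(rd) << 8) | (int(ra) << 7) | (rcode & 0xF))
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def flag_summary(h: DnsHeader) -> str:
    """One-line rendering in the style of the Flags lines in the post."""
    parts = ["Response" if h.qr else "Query", f"Opcode {h.opcode}"]
    parts += [n for n, on in (("AA", h.aa), ("TC", h.tc),
                              ("RD", h.rd), ("RA", h.ra)) if on]
    parts.append(f"Rcode {h.rcode}")
    return ", ".join(parts)


def needs_tcp_retry(response: bytes) -> bool:
    """A response with TC set did not fit the UDP reply; re-ask over TCP."""
    return parse_header(response).tc


# Constructed samples mirroring the post: the RD=0 query gets AA+TC back with
# no answer RRs, the RD=1 query gets a full AA answer (5 answer, 3 additional).
QUERY_NO_RD = build_header(0x1001)
REPLY_TC = build_header(0x1001, qr=True, aa=True, tc=True)
QUERY_RD = build_header(0x1002, rd=True)
REPLY_FULL = build_header(0x1002, qr=True, aa=True, rd=True, an=5, ar=3)
```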

Re: queries with no RD bit set are truncating

2009-06-11 Thread Peter Andreev
Thank you for answer, Kevin.

Yes, recursion is completely *off* via the "recursion no;" option. And only my
servers are authoritative for the client's zone. So I'm confused because, as
you said, the server should not see a difference between RD=0 and RD=1.

I'm afraid that there are reasons for such strange behaviour that are hidden
from me. I'm worried that these reasons could become an unobvious source of
problems in the future.


2009/6/10 Kevin Darcy 

>  By "non-recursive" do you mean that recursion is turned completely *off*
> and the response is coming from a zone for which you are authoritative
> (master or slave)? If so, I can't believe that there would be a difference
> between the responses to a RD=0 versus a RD=1 query. I'd suggest duplicating
> the problem by making the same queries manually. Run a sniffer trace if
> necessary.
>
> My suspicion is that your "non-recursive" server isn't completely
> "non-recursive", and the RD=1 queries in question might be fetching data
> sets from remote, authoritative servers (e.g. chasing aliases), which happen
> to be smaller than the delegation sets that would be returned in a referral
> response in the RD=0 case. That would explain why the RD=0 query truncates
> and the RD=1 query doesn't (because NS records are *necessary* in a referral
> response, but *optional* in other types of responses, unless QTYPE=NS; TC is
> only set when the full set of *necessary* records doesn't fit into the
> response).
>
> If you have delegation sets that are so large that they don't fit in a
> "classic" 512-byte DNS response, then in my opinion you should probably
> review whether all of those NS records are really necessary, and prune the
> list(s) down.
>
> In any case, why is this really an issue, except perhaps from a
> performance/capacity standpoint (which hardly seems the case since you said
> this only happens "sometimes")? The client retries via TCP, and almost
> certainly gets the full answer it was looking for. The only way to get
> truncation on a TCP query is if you hit the 64K limit, but that seems highly
> unlikely.
>
>
>  - Kevin
>

queries with no RD bit set are truncating

2009-06-10 Thread Peter Andreev
Good day

I have run into a problem with non-recursive BIND 9.3.3, running on FreeBSD
6.2-R.
Sometimes, if one of our clients sends a query with no RD bit set, he receives
a truncated answer.
If the RD bit is set then all is well.

Where should I look to localise the problem?

Thank you.