RE: Full automatic DNSSEC for hosted zones/domains

2020-04-07 Thread Philippe Maechler
Hello bind users

> The answer is almost, as long as the zone has a DNSSEC policy configured:
> 
> zone "newdomain.de" {
>   type master;
>   file "../master/newdomain.de";
>   dnssec-policy default;
> }
>
> The only thing not yet fully automated is submitting the DS to the
> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
> the zone.

So you're saying that with a DNSSEC policy configured, BIND creates CDS
records for me? If so, and when my registrar supports those records
(switch.ch), is this zone fully automated in regards to DNSSEC?
Is the creation of CDS records a config option or on by default?

What about going from secure to insecure? Is this possible with dnssec-policy
or do I then have to put the relevant CDS records in the zone by hand?

Best regards
Philippe


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: dhclient hook not overwritten /etc/resolv.conf

2019-12-19 Thread Philippe Maechler
Hi Zhengyu Pan

Have you tried to put this nameserver address in dhclient.conf?

From man dhclient.conf:

   append { [option declaration] [, ... option declaration] }

     If for some set of options the client should first use the values
     supplied by the server, if any, and then use values you supply,
     these values can be defined in the append statement.  The append
     statement can only be used for options which allow more than one
     value to be given.  This restriction is not enforced - if you
     ignore it, the behaviour will be unpredictable.

I haven't used the append or prepend options, but the supersede option works
like a charm (at least on FreeBSD).

/BR

Philippe

 

From: bind-users On Behalf Of Zhengyu Pan
Sent: Thursday, December 19, 2019 10:01 AM
To: bind-users@lists.isc.org
Subject: dhclient hook not overwritten /etc/resolv.conf

Hi,

My OS is CentOS 7. I added a bash script dns.sh in /etc/dhcp/dhclient-exit-hooks.d.
The script content is:

#!/bin/bash
# append an extra resolver to the resolv.conf that dhclient has just written
echo "nameserver 1.1.1.1" >> /etc/resolv.conf

I want to append a nameserver to /etc/resolv.conf.

However, when I restart the network, /etc/resolv.conf is not changed.
/etc/resolv.conf.save has this line appended.

Why does that happen? How can I append a nameserver to /etc/resolv.conf?

Zhengyu

Best Wishes

If you have received this email in error please notify us immediately by e-mail.
Please reply to hqs-s...@chinaunicom.cn to unsubscribe from this mail. We will
immediately remove your information from our send catalogue.



RE: named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found

2019-03-12 Thread Philippe Maechler
Hello Mark and bind users

Thank you for the explanations. Some things are still not clear to me...

> -----Original Message-----
> From: Mark Andrews
> Sent: Monday, March 11, 2019 8:53 AM
> To: Philippe Maechler
> Cc: bind-users@lists.isc.org
> Subject: Re: named cpu usage pretty high because of dns_dnssec_findzonekeys2
> -> file not found
>
> Because you removed the key from disk before it was removed from the zone.
> Presumably named was logging other error messages before you removed the key
> from disk, or the machine was off for a period, or you mismanaged the key roll
> and named kept the key alive.

Possible, the machine was running all the time (uptime is ~92 days). I would
have to search in old logs to be sure. Since this domain is for testing
purposes, it's not important. The "bad thing" is the CPU usage, which is quite
high.

Is this something that will be addressed in future BIND releases? E.g.
dns_dnssec_findzonekeys2 only searching for new keys at a given interval, or
only logging this message once a minute/hour?

 

> Named's re-signing strategy is different to when you are signing the whole
> zone at once, as you are signing it incrementally.  You should be allowing
> most of the sig-validity interval before you delete the DNSKEY after you
> inactivate it.

What exactly is the sig-validity time? From my understanding this is the period
from "Activate" to "Inactive".

# dnssec-settime -pall Kglattweb.ch.+013+06605
Created: Mon Mar 11 10:03:49 2019
Publish: Mon Mar 11 11:06:44 2019
Activate: Tue Mar 19 10:02:19 2019
Revoke: UNSET
Inactive: Thu Mar 21 10:06:44 2019
Delete: Sun Mar 31 11:05:48 2019
SYNC Publish: Mon Mar 11 11:06:44 2019
SYNC Delete: Sun Mar 31 11:06:44 2019

In this case the sig-validity time is ~2d 4m.

The key has a delete date of 2019-03-31, and I can delete (or move) the key on
2019-04-02 or, to be safe, 2019-04-03?

 

> One should check that there are no RRSIGs still present in the zone before
> deleting the DNSKEY from the zone.  Inactivating it stops the DNSKEY being
> used to generate new signatures, but it needs to stay around until all those
> RRSIGs have expired from caches, which only happens after new replacement
> signatures have been generated.

When are these replacement RRSIGs created? The key reached its delete date,
the new key is in place and new RRSIGs are created.

> If you still have the .private file around, reinstate it.  If not, you will
> need to import the DNSKEY using dnssec-importkey and manage its removal
> properly.

Can you help me here?

# dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db
dnssec-importkey: error: dns_master_load:
/usr/local/etc/namedb/master/glattweb.ch.db:15: glattweb.ch: not at top of zone
dnssec-importkey: fatal: can't load
/usr/local/etc/namedb/master/glattweb.ch.db: not at top of zone

ok... yes, makes sense, glattweb.ch is not at the top of the zone

# head /usr/local/etc/namedb/master/glattweb.ch.db
$TTL 300
$ORIGIN glattweb.ch.

@   300  IN  SOA  dns1.glattnet.ch. hostmaster.glattnet. (
                        2019020400 ; serial
                        600        ; refresh
                        300        ; retry
                        3600       ; expire
                        90         ; nttl
                        )

I don't think that I should use the .signed file... let's test that anyway

# dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db.signed
dnssec-importkey: error: dns_master_load:
/usr/local/etc/namedb/master/glattweb.ch.db.signed:1: syntax error
dnssec-importkey: fatal: can't load
/usr/local/etc/namedb/master/glattweb.ch.db.signed: syntax error

Maybe I have to change the zone format from raw to text...

# named-compilezone -j -f raw -F text -o tmp glattweb.ch \
    /usr/local/etc/namedb/master/glattweb.ch.db.signed
zone glattweb.ch/IN: loaded serial 2019022800 (DNSSEC signed)
dump zone to tmp...done
OK

# less tmp
glattweb.ch.  300 IN SOA   dns1.glattnet.ch. hostmaster.glattnet. 2019022800 600 300 3600 90
glattweb.ch.  300 IN RRSIG SOA 13 2 300 20190330214039 20190228204039 12809 glattweb.ch. WDhpay5Iwi3DumsZ3UQiwdfkkIY44t8ez8dRW6/xv3sXFOJrwYQTyxwx eO2iiRBZwwOI6oyT/0eNDJiF+FSIlg==
; resign=20190330214039
glattweb.ch.  300 IN NS    dns1.glattnet.ch.
glattweb.ch.  300 IN NS    dns2.glattnet.ch.
glattweb.ch.  300 IN RRSIG NS 13 2 300 20190318002703 20190215232756 12809 glattweb.ch. AJ3ez1YZEK6YzRlByyLJf3scpljMgZYjIRH55pG6oPhc7AP0qgo4dBqH MDvaVubxEWyulruRcOiD8jpym6gp2w==
; resign=20190318002703
glattweb.ch.  90  IN NSEC

named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found

2019-03-11 Thread Philippe Maechler
Hello List

Today our bind server started with the following log contents:

11-Mar-2019 07:41:06.599 general: warning: dns_dnssec_findzonekeys2: error
reading
/usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file
not found
11-Mar-2019 07:41:06.600 general: warning: dns_dnssec_findzonekeys2: error
reading
/usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file
not found
11-Mar-2019 07:41:06.602 general: warning: dns_dnssec_findzonekeys2: error
reading
/usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file
not found
[... the identical warning repeated every 1-2 ms, through 07:41:06.635 ...]


This is FreeBSD 11.2 with BIND compiled from ports.

# named -V
BIND 9.11.5 (Extended Support Version)
running on FreeBSD amd64 11.2-RELEASE-p5 FreeBSD 11.2-RELEASE-p5 #0: Tue Nov
27 09:33:52 UTC 2018
r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
built by make with '--lo
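
Added example, not code from either message in this thread and not ISC's: a
Python check for the rule Mark gives in the reply above, that a DNSKEY stays in
the zone until no RRSIG made with it is left, run over the text dump that
`named-compilezone -f raw -F text` produces. The dump below is constructed from
the RRSIG lines quoted in the reply (both by key tag 12809) plus an invented
www A record signed by key tag 6605, the replacement key from the
dnssec-settime output; the signature field of that invented record is a
placeholder, not real signature data.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two RRSIGs quoted from the `tmp` dump in the reply
# (both made by key tag 12809) plus an invented www A record signed by key tag
# 6605, the replacement key from the dnssec-settime output. The signature
# field of the invented RRSIG is a placeholder, not real signature data.
SAMPLE_ZONE_DUMP = """\
glattweb.ch.  300 IN SOA   dns1.glattnet.ch. hostmaster.glattnet. 2019022800 600 300 3600 90
glattweb.ch.  300 IN RRSIG SOA 13 2 300 20190330214039 20190228204039 12809 glattweb.ch. WDhpay5Iwi3DumsZ3UQiwdfkkIY44t8ez8dRW6/xv3sXFOJrwYQTyxwx eO2iiRBZwwOI6oyT/0eNDJiF+FSIlg==
; resign=20190330214039
glattweb.ch.  300 IN NS    dns1.glattnet.ch.
glattweb.ch.  300 IN NS    dns2.glattnet.ch.
glattweb.ch.  300 IN RRSIG NS 13 2 300 20190318002703 20190215232756 12809 glattweb.ch. AJ3ez1YZEK6YzRlByyLJf3scpljMgZYjIRH55pG6oPhc7AP0qgo4dBqH MDvaVubxEWyulruRcOiD8jpym6gp2w==
; resign=20190318002703
www.glattweb.ch. 300 IN A     192.0.2.10
www.glattweb.ch. 300 IN RRSIG A 13 3 300 20190420100000 20190321100000 6605 glattweb.ch. AAAA
"""

# RRSIG presentation format:
#   owner ttl IN RRSIG type alg labels origttl expire inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+\d{14}\s+(?P<keytag>\d+)\s+\S+"
)


def _ts(yyyymmddhhmmss):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsigs_by_keytag(zone_text):
    """Map key tag -> list of (owner, covered type, expiration, ttl) for every RRSIG in the dump."""
    out = {}
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            out.setdefault(int(m["keytag"]), []).append(
                (m["owner"], m["type"], _ts(m["expire"]), int(m["ttl"])))
    return out


def latest_expiration(zone_text, keytag):
    """Latest expiration ('YYYYMMDDHHMMSS') among the RRSIGs made by keytag, or None."""
    sigs = rrsigs_by_keytag(zone_text).get(keytag)
    if not sigs:
        return None
    return max(exp for _, _, exp, _ in sigs).strftime("%Y%m%d%H%M%S")


def key_removal_report(zone_text, keytag, now=None):
    """Decide whether the DNSKEY with this tag may be removed from disk and zone.

    Safe only when the zone holds no signature by the key; the key's Delete
    date alone proves nothing. While signatures remain, validators that cached
    them still need the DNSKEY for up to the RRSIG TTL after the zone stops
    serving them, so the earliest removal is max(expiration) + TTL. A remaining
    signature that has already expired is worse, not better: named did not
    replace it, validators reject it, and the re-signing must be fixed first.
    `now` is 'YYYYMMDDHHMMSS' in UTC, or None for the current time.
    """
    sigs = rrsigs_by_keytag(zone_text).get(keytag, [])
    if not sigs:
        return True, "no RRSIGs by key %d remain in the zone" % keytag
    current = _ts(now) if now else datetime.now(timezone.utc)
    latest = max(exp for _, _, exp, _ in sigs)
    hold_until = latest + timedelta(seconds=max(t for _, _, _, t in sigs))
    rrsets = ", ".join(sorted({"%s/%s" % (o, t) for o, t, _, _ in sigs}))
    expired = sum(1 for _, _, exp, _ in sigs if exp <= current)
    return False, (
        "%d RRSIG(s) by key %d still present (%s), %d already expired; latest expiry %s, "
        "caches clear by %s; keep the key" % (
            len(sigs), keytag, rrsets, expired, latest.isoformat(), hold_until.isoformat()))


if __name__ == "__main__":
    for tag in (12809, 6605, 33518):
        print(tag, *key_removal_report(SAMPLE_ZONE_DUMP, tag, now="20190331120000"))
```

Run it on the real dump with the tag of the key you intend to delete; the
third tag in the demo (33518, the key named was complaining about) comes back
as safe only because no RRSIG in the constructed dump names it, which is the
state the zone has to be in before the key files are moved away.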

RE: FW: Bind9.11: dnssec inline signing, cds records and catalog zones

2018-12-21 Thread Philippe Maechler
Hi Daniel

Thanks for your answer.
It's your "fault" that I'm doing DNSSEC stuff and posting here, I saw your
speech at SwiNOG 😊

> If your keys have appropriate timing metadata, then the CDS/CDNSKEY
> records are published for your zones automatically:
>
> See man dnssec-keygen
> ...
> Timing options:
>     -P date/[+-]offset/none: set key publication date (default: now)
>     -P sync date/[+-]offset/none: set CDS and CDNSKEY publication date
>     -A date/[+-]offset/none: set key activation date (default: now)
>     -R date/[+-]offset/none: set key revocation date
>     -I date/[+-]offset/none: set key inactivation date
>     -D date/[+-]offset/none: set key deletion date
>     -D sync date/[+-]offset/none: set CDS and CDNSKEY deletion date
>
> or man dnssec-settime
>
>> And every time I create or activate new keys, I have to manually add the
>> CDS records, right?
>
> Not if your keys have the appropriate timing metadata.

Ok, I'll definitely have to re-read the dnssec-keygen and -settime manpages and
play around.

For the keys I generated (with the -a, -b and -3 options), I don't see a CDS
or CDNSKEY in the signed file. I probably have to use the -P sync option.

Best regards and "schöne Festtage"

Philippe





RE: Bind9.11: dnssec inline signing, cds records and catalog zones

2018-12-21 Thread Philippe Maechler
Regarding my OT question about dnssec-keymgr:

I found it 😊

I had to enable the python option (Build with python utilities) when building
the port.

/BR

Philippe


From: bind-users On Behalf Of Philippe Maechler
Sent: Friday, December 21, 2018 2:33 PM
To: bind-users@lists.isc.org
Subject: FW: Bind9.11: dnssec inline signing, cds records and catalog zones

Hello bind-users

The previous mail was sent from a foreign address and needs the approval of a
moderator. Therefore I cancelled the submission and am resending this mail with
the correct address.

For a few years I've wanted to activate DNSSEC for our zones but didn't make
the changes because of the maintenance tasks that are needed (what happens if
I'm not around and something goes wrong?)

 

Some background info:

There is a small web portal on our master server, where we have all our zones
in a database. A script periodically checks if we have some changes and, if we
have them, the script generates:

*   The catalog-zone file
*   The zone file
*   Our named.zones.conf

If DNSSEC is enabled for the zone, the entry in named.zones.conf looks like
this:

zone "example.ch." {
    type master;
    file "/usr/local/etc/namedb/master/example.ch.db";
    masterfile-format text;
    notify yes;
    also-notify { 192.168.x.a; 192.168.x.b; 192.168.x.c; 192.168.x.d; };
    allow-transfer { xfer; };

    # look for dnssec keys here:
    key-directory "/usr/local/etc/namedb/keys/example.ch";

    # use inline signing:
    inline-signing yes;

    # publish and activate dnssec keys:
    auto-dnssec maintain;
};

This server is not public. It's a "hidden master" for our public servers. New
zones are "deployed" in the cat-zone. This way we have most of the stuff
automated and don't have to enable new zones on the slave servers.

 

Back to DNSSEC

I then have to create the keys:

# -b is ignored for ECDSAP256SHA256: the curve fixes the key size at 256 bits
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 example.ch       # ZSK
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -3 -fk example.ch   # KSK

With this setup, I get the example.ch.db.signed, the .signed.jnl and .jbk
files. A simple check shows that the DNSSEC records are present:

named-compilezone -f raw -F text -o example.ch.text example.ch \
    example.ch.db.signed && less example.ch.text

I then have to manually insert the NSEC3PARAM, otherwise the zone is "only"
signed with NSEC.

rndc signing -nsec3param 1 0 10 0123456789ABCDEF example.ch.

Question:

Is there a direct way to set the NSEC3PARAM?

Switch, the registry for .ch and .li domains, is using/testing CDS records. Can
I tell named to create the CDS records for me?

If not, what would be the right way to insert them?

dig @127.0.0.1 dnskey example.ch | dnssec-dsfromkey -f - example.ch

example.ch. IN DS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143
example.ch. IN DS 29530 13 2 5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356

I then would create these two new records in example.ch:

example.ch. IN CDS 29530 13 1 2FECA428ABA7C9507909AC6ED37B12233575A143
example.ch. IN CDS 29530 13 2 5EF2BD239DF5104B12DD0FC8BE671067C52D378C05D4B81C9AF33A77FD5A5356

And every time I create or activate new keys, I have to manually add the CDS
records, right?

 

 

 

* The domain used for testing is a .ch domain, but not example.ch

Maybe someone can help me with this slightly off-topic question:

I'm using FreeBSD 11.2 and BIND 9.11.5 from the ports dir. ISC announced
dnssec-keymgr with BIND 9.11, which would make the "maintenance task" for keys
easier.

Unfortunately I can't find this tool on my box and there is no other port like
bind9-tools.

Do I have to compile that by hand?

Tia

Philippe

 

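
Added example, not from any post on this page and not ISC's code: the DS/CDS
arithmetic behind the three CDS questions here (the dnssec-policy thread at the
top, the timing-metadata reply, and the `dig | dnssec-dsfromkey` step above),
in Python. It computes the RFC 4034 key tag and SHA-256 digest (DS digest type
2) from a DNSKEY RRset, emits CDS records for the KSKs only, and diffs the
zone's CDS set against the DS set the parent currently serves, which is the
check to run before and after a registrar such as SWITCH picks up CDS. The
DNSKEY records are constructed from fixed bytes and are not valid keys, so the
key tags and digests they produce are illustrative only.

```python
import base64
import hashlib


def name_to_wire(name):
    """Owner name in canonical (lower-case) wire format, the DS digest input per RFC 4034."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, flags, proto, alg, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], flags, proto, alg, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, alg, digest_type=2, rtype="DS"):
    """Presentation-format DS (or CDS) record for one DNSKEY: digest over owner wire + RDATA."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN %s %d %d %d %s" % (owner, rtype, key_tag(rdata), alg, digest_type, digest)


def cds_set(dnskey_lines, digest_type=2):
    """CDS records for every KSK (SEP bit set, i.e. flags 257) in a DNSKEY RRset; ZSKs are skipped."""
    out = []
    for line in dnskey_lines:
        owner, flags, proto, alg, rdata = parse_dnskey(line)
        if proto != 3 or not flags & 0x0001:
            continue
        out.append(ds_record(owner, rdata, alg, digest_type, "CDS"))
    return sorted(out)


def ds_diff(child_cds, parent_ds):
    """Compare by (key tag, alg, digest type, digest); return (to_add, to_remove) for the parent."""
    child = {tuple(r.split()[-4:]) for r in child_cds}
    parent = {tuple(r.split()[-4:]) for r in parent_ds}
    return sorted(child - parent), sorted(parent - child)


# Constructed sample keys: flags 257/256, protocol 3, algorithm 13 (ECDSAP256SHA256).
# The "public key" is 64 fixed bytes, not a curve point; DS computation only hashes bytes.
SAMPLE_KSK = "example.ch. 300 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()
SAMPLE_ZSK = "example.ch. 300 IN DNSKEY 256 3 13 " + base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    cds = cds_set([SAMPLE_KSK, SAMPLE_ZSK])
    print("\n".join(cds))
    # Hypothetical parent state: still publishing the DS for an older key (tag 29530 as in the
    # post above, digest zeroed here) and nothing for the current KSK.
    to_add, to_remove = ds_diff(cds, ["example.ch. IN DS 29530 13 2 " + "00" * 32])
    print("parent must add:", to_add)
    print("parent must remove:", to_remove)
```

For real data feed `dig DNSKEY example.ch @hidden-master +noall +answer` lines
to `cds_set` and `dig DS example.ch +noall +answer` lines to `ds_diff`; anything
in `to_remove` is a DS the parent still trusts for a key the zone no longer
advertises, which is exactly the state a CDS-driven rollover leaves behind
until the registrar has processed the update.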



RE: Queries related to RPZ

2018-04-17 Thread Philippe Maechler
Hello blason

I'm not an RPZ expert, but we have a running RPZ configuration.

From named.conf:

zone "rpz.zone" {
    type master;
    file "/etc/namedb/master/rpz.zone.db";
    allow-query { localhost; };
    allow-transfer { 192.168.3.0/24; };
};
# the zone is put into use by options { response-policy { zone "rpz.zone"; }; };

And inside rpz.zone.db we have:

$TTL 3600
@   IN SOA rpz.zone. rpz.zone. (
            2017100903 ; serial
            3600       ; refresh
            300        ; retry
            86400      ; expire
            60 )       ; minimum
    IN NS localhost.

; Malware domains, NXDOMAIN as a reply
;crayumm.com    IN CNAME .
;*.crayumm.com  IN CNAME .

; phishing sites
baddomain.com       CNAME .
malwaredomain.com   CNAME .
uglydomain.com      CNAME .
otherbaddomain.com  CNAME .

; and so on

This way you don't increase the size of named.conf. You only have one RPZ
zone and an entry for all "bad" domains inside it.

I recommend enabling logging for the RPZ category in named.conf:

logging {
    channel rpz_log {
        file "/var/named/var/log/rpz.log" versions 3 size 20m;
        print-time yes;
        print-category yes;
    };
    category rpz { rpz_log; syslog_server; };   # syslog_server is a channel defined elsewhere
    ..
};

HTH

Philippe

 

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of blason16
Sent: Tuesday, April 17, 2018 11:49 AM
To: bind-users@lists.isc.org
Subject: Re: Queries related to RPZ

OK - I resolved the issue. Now the query I had was how to use tens of
thousands of zones with DNS RPZ? Will it not increase the named.conf file
size? Can someone please suggest another way?

--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/


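
Added example, not code from either post above: the generator that makes the
one-zone layout Philippe describes practical at the scale blason asks about.
It writes a single RPZ zone file from a plain list of domains, validates every
entry first (one malformed feed line would otherwise stop the whole policy
zone from loading, and with it every block in it), dedupes, adds the wildcard
entry for subdomains, and produces a serial that still increases across
several rebuilds on the same day. The rdata per policy follows the RPZ
specification (CNAME . for NXDOMAIN, CNAME *. for NODATA, rpz-drop. and
rpz-passthru. for the special actions); the feed lines in the test are
constructed, and the zone name rpz.zone is taken from the post.

```python
import re
from datetime import date

# RPZ action encodings: the target of the CNAME selects the policy
POLICIES = {
    "nxdomain": "CNAME .",
    "nodata": "CNAME *.",
    "drop": "CNAME rpz-drop.",
    "passthru": "CNAME rpz-passthru.",
}
# One hostname label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def clean_domain(name):
    """Normalise one feed entry to a relative, lower-case name without trailing dot.

    Returns None for anything that is not a syntactically valid hostname, so one
    junk line in a feed cannot produce a zone file that named refuses to load.
    IDNs must already be in punycode (xn--...) form.
    """
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    if any(not LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name


def rpz_serial(yyyymmdd=None, previous=0):
    """YYYYMMDDnn serial that always increases, even for several rebuilds per day."""
    day = yyyymmdd or date.today().strftime("%Y%m%d")
    return max(int(day) * 100, previous + 1)


def build_rpz_zone(zone, domains, serial, policy="nxdomain", wildcard=True, ttl=3600):
    """Return (zone_text, accepted_names, skipped_lines).

    Every accepted domain gets an exact-match entry and, if wildcard is set, a
    *.domain entry so subdomains are caught too. Names are written relative to
    the zone origin, which is what makes them RPZ triggers rather than real names.
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy %r" % policy)
    rdata = POLICIES[policy]
    lines = [
        "$TTL %d" % ttl,
        "@ IN SOA %s. hostmaster.%s. ( %d 3600 300 86400 60 )" % (zone, zone, serial),
        "  IN NS localhost.",
        "",
    ]
    seen = set()
    skipped = []
    for raw in domains:
        name = clean_domain(raw)
        if name is None:
            skipped.append(raw)
            continue
        if name in seen:
            continue
        seen.add(name)
        lines.append("%s %s" % (name, rdata))
        if wildcard:
            lines.append("*.%s %s" % (name, rdata))
    return "\n".join(lines) + "\n", sorted(seen), skipped


if __name__ == "__main__":
    # Constructed feed with a duplicate, surrounding whitespace and one invalid label
    feed = ["BadDomain.com.", "baddomain.com", " malwaredomain.com ", "bad_label.example", ""]
    text, names, skipped = build_rpz_zone("rpz.zone", feed, rpz_serial("20171009"))
    print(text)
    print("accepted:", names, "skipped:", skipped)
```

Feed the returned text through `named-checkzone rpz.zone rpz.zone.db` before
`rndc reload`, and log the `skipped` list: a feed that suddenly produces many
skipped lines usually means its format changed, not that the Internet got
cleaner.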


RE: Bind9 on VMWare

2016-01-13 Thread Philippe Maechler

> > > Complexity?
> >
> > which complexity?
> >
> > a virtual guest is less complex because you don't need a ton of daemons
> > for hardware-monitoring, drivers and what not on the guest
>
> For me the relevant comparison is my ordinary OS vs. my ordinary OS +
> VMWare.
>
> > complex are 30 phyiscal servers instead two fat nodes running a
> > virtualization cluster with one powerful shared storage
>
> Ayup, lots of eggs in one basket.
>
> I absolutely believe virtualization has its place. I also believe that
> "everywhere" is not that place.

I too think that virtualization has its place where it's a pretty good
thing, but not everywhere. I saw bad setups where something went wrong and
all of the VMs were affected.
Yes, this is not a problem with the VM itself but bad design/setup of the VM
cluster.

Thank you for your responses. I'll run some benchmarks on a physical and a
virtual server. Could be that we have one physical and one virtual server.
That way we have both and can get our own experience with it. Maybe we'll
switch to only physical or only virtual servers in a second step.

Philippe




RE: Bind9 on VMWare

2016-01-13 Thread Philippe Maechler

>> I'm not sure if it is a good thing to have physical servers, although we have
>> a vmware cluster in both nodes which has enough capacity (ram, cpu, disk)?
>> I once read that the vmware boxes have a performance issue with heavy udp
>> based services. Did anyone of you face such an issue? Are your dns servers
>> all running on physical or virtual boxes?
>
> where did you read that?

I don't remember where I read that. I guess it was on a mailing list where
the OP had issues with either a DHCP or syslog server. It all came down to
the VMware host/switch which was not good enough for UDP services. Could be
that this was on VMware 4.x and got better on 5.x.

But as I said, I can't recall exactly where that was.





Bind9 on VMWare

2016-01-13 Thread Philippe Maechler
Hello bind-users

We have to deploy new auth. and caching DNS servers in our environment and
we're unsure how we should set it up.

Current setup
-------------
We currently have two main POPs and in each one a physical auth. and
caching server. All four boxes are running BIND 9.x on FreeBSD.

auth. servers
On the auth. master server is a web interface for us, where we can make
changes to the zones. These changes are written into a DB and are exported
into BIND zone files.
The slave server gets its zone updates via zone transfer over the internal
network.
The BIND configuration (zone "example.com" { type master; ... }) is written to a
text file which is transferred by scp to the slave. The slave builds its
config file and does an rndc reload. On rare occasions the slave is not
reloading the new zones properly and we have to manually start the transfer
of the config file.
At prime time we get < 1000 QPS on the auth server.

Most of the queries on the auth. servers are for IPv4 PTR records and for our
mail servers (no IPv6 as of yet, but it's on the roadmap for Q1 2016, and no
DNSSEC).

caching servers
The caching servers have a small RPZ zone and nothing else (except the
default empty zones).
These servers are only for our networks, have an IPv6 address and they do
DNSSEC validation.
During heavy hours we have <5'000 QPS. A few customers have these buggy
Netgear routers that ask 2'000 times a second for time-h.netgear.com. With
these boxes on we get ~15'000 QPS.
We once had a performance issue on the server because of that.


My idea for the new setup is:
-----------------------------
caching servers
- Set up new caching servers
- Configure the IPv4 addresses of both (old) servers on the new servers as a
  /32 and set up an anycast network.
  This way the stupid clients, who won't switch to the secondary NS server
  when the primary is not available, are happy when there is some problem
  with one server.
  If we're having issues with the load in the future we can set up a new
  server and put it into the anycast network.

auth. servers
- Set up a hidden master on the VMware
- Set up two physical servers which are slaves of the hidden master
  That way we have one box which is (at any time in the future) doing the
  DNSSEC stuff, gets the updates that we're doing over the web interface and
  deploys the ready-to-serve zones to its slaves.


I'm not sure if it is a good thing to have physical servers, although we have
a VMware cluster in both nodes which has enough capacity (RAM, CPU, disk)?
I once read that the VMware boxes have a performance issue with heavy UDP
based services. Did anyone of you face such an issue? Are your DNS servers
all running on physical or virtual boxes?


Best regards and tia
Philippe





AW: file descriptors and max-clients-per-query

2009-05-27 Thread Philippe Maechler
Thanks for the feedback

> How many sockets are open when you see this message?  Normally the
> socket() call shouldn't fail even if named uses many sockets
> (it will fail anyway, but the failure mode is normally
> different), so it's very odd to see the above message.

As Jeremy suggested, we updated our 9.4.2 server this week to 9.4.3-P2.
Luckily we haven't had a DNS outage, so the message didn't reappear.
So I can't say how many sockets were open when we had the message last time.

> Are you perhaps limiting the system resource for the number of
> allowable open sockets?  Do you set the 'files' option in
> your named.conf?

Not that I'm aware of :)

$ sysctl -a | grep socket
kern.ipc.numopensockets: 38
kern.ipc.maxsockets: 25600
socket:  356,25608, 37,   4099, 25140481
security.jail.socket_unixiproute_only: 1
security.jail.allow_raw_sockets: 0


The only limits I set in named.conf are TTL stuff (lame-ttl, max-ncache-ttl,
...), clients-per-query and recursive-clients.

If I see the message again I'll let you know.


Philippe




AW: file descriptors and max-clients-per-query

2009-05-14 Thread Philippe Maechler
Hello Jeremy

> > I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box
> > as caching servers.
> > let's call them ns1 and ns2 :P
> >
> > short after we shutdown server one we get error messages on the other server
> > -> socket: too many open file descriptors
>
> What is the "other server"? I assume you are getting this
> error message with the old 9.4.2-P2 (and not on the 9.5.1-P1).

No, I have the messages on both servers.
If ns1 goes down, we get the messages on ns2 and vice-versa.

> Before answering your other questions, can you please 
> consider running the latest 9.4.x version? Versions newer 
> than yours offer an improved and more efficient socket API on 
> support systems (like use of kqueue on FreeBSD).

I'll try to upgrade to the latest 9.4 version and let you know if I still
get the messages on ns1
 
> If you continue to have the same problems on BIND 9.4.3 (or BIND
> 9.5.1-P1) or newer, please let us know.

Philippe




file descriptors and max-clients-per-query

2009-05-13 Thread Philippe Maechler
Hello Everybody

I'm running a BIND 9.4.2-P2 and a 9.5.1-P1, both on a FreeBSD 6.x box, as
caching servers.
Let's call them ns1 and ns2 :P

Shortly after we shut down server one we get error messages on the other server:
-> socket: too many open file descriptors

I tried to recompile named with FD_SETSIZE=4096 as I saw in an earlier
message on this list. Today I realized that this compile knob didn't help.

a) how can I check the file descriptor limit for bind on FreeBSD?
b) how can I increase the file descriptor limits for bind on FreeBSD?
c) is there an easy way to "trigger" this error? (for testing)



Something else that bothers me is the message:
resolver: clients-per-query increased to 105

How can I find out which clients and/or queries and/or remote servers are
responsible for this message?
Should I do something about that?

tia

Philippe

