Re: Multiple queries for same host

2015-09-17 Thread Rich Goodson
Alex,

These queries in your logs (at least the ones you’ve sent as examples) are not 
identical.

Sometimes stub resolvers will rapid-fire queries at an iterative resolver for 
the same record, but that doesn’t appear to be happening in this case.  These 
queries are just for very similar looking records in very similar domains, but 
the example you sent is 5 queries for 5 different names.

In the first 2 queries, the client is requesting to see whether 69.16.223.254 
is in the Spamhaus Block List as well as the ZEN.  Since the SBL is a subset of 
ZEN, I would argue that if they are querying ZEN, also querying the SBL is 
redundant and the (I assume it’s a mail server) client machine should be 
configured to only query ZEN.  Same with the next 2 queries.  69.16.222.254 
this time, two different blackhole lists.  Fifth query is querying the SBL for 
216.69.185.13.

-Rich
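An added example (not from the thread, and not Alex's or Rich's code): a short Python script that parses BIND query-log lines in the format shown above, decodes the reversed-octet Spamhaus names back into an address and a list name, and separates genuine repeats (same client, same name, same type) from look-alike names. The log lines are constructed to match Alex's five queries; the sixth line is an invented true repeat of the fifth so that the duplicate check has something to report.

```python
"""Group BIND query-log lines so true repeats stand out from look-alike names.

Added example; not code from the thread. The sample below is constructed to
match the format Alex posted (his key and addresses are already placeholders),
plus one extra line that really is a repeat of the previous query.
"""
import re
from collections import Counter

# One BIND 9.10 querylog line, as produced with print-category yes:
#   <date> <time> queries: client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server ip>)
QUERY_LOG_RE = re.compile(
    r"^(?P<time>\S+ \S+) queries: client (?P<client>[\d.]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[\d.]+)\)$"
)

# Spamhaus DQS-style lookup name: <reversed ip>.<key>.<list>.dq.spamhaus.net
DNSBL_RE = re.compile(
    r"^(?P<o4>\d+)\.(?P<o3>\d+)\.(?P<o2>\d+)\.(?P<o1>\d+)\."
    r"(?P<key>[^.]+)\.(?P<list>[^.]+)\.dq\.spamhaus\.net\.?$"
)

# Constructed sample: Alex's five lines, plus a sixth that repeats the fifth.
SAMPLE_LOG = """\
16-Sep-2015 20:18:47.947 queries: client 192.168.1.27#34798 (254.223.16.69.mykey.sbl.dq.spamhaus.net): query: 254.223.16.69.mykey.sbl.dq.spamhaus.net IN A +E (192.168.1.3)
16-Sep-2015 20:18:47.947 queries: client 192.168.1.27#34798 (254.223.16.69.mykey.zen.dq.spamhaus.net): query: 254.223.16.69.mykey.zen.dq.spamhaus.net IN A +E (192.168.1.3)
16-Sep-2015 20:18:47.948 queries: client 192.168.1.27#34798 (254.222.16.69.mykey.sbl.dq.spamhaus.net): query: 254.222.16.69.mykey.sbl.dq.spamhaus.net IN A +E (192.168.1.3)
16-Sep-2015 20:18:47.949 queries: client 192.168.1.27#34798 (254.222.16.69.mykey.zen.dq.spamhaus.net): query: 254.222.16.69.mykey.zen.dq.spamhaus.net IN A +E (192.168.1.3)
16-Sep-2015 20:18:47.949 queries: client 192.168.1.27#34798 (13.185.69.216.mykey.sbl.dq.spamhaus.net): query: 13.185.69.216.mykey.sbl.dq.spamhaus.net IN A +E (192.168.1.3)
16-Sep-2015 20:18:48.102 queries: client 192.168.1.27#34798 (13.185.69.216.mykey.sbl.dq.spamhaus.net): query: 13.185.69.216.mykey.sbl.dq.spamhaus.net IN A +E (192.168.1.3)
"""


def parse_query_log(text):
    """Return one dict per well-formed query-log line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = QUERY_LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def decode_dnsbl(qname):
    """Turn a reversed-octet DNSBL name back into (ip, list), or None if it is not one."""
    m = DNSBL_RE.match(qname)
    if not m:
        return None
    ip = ".".join(m.group(k) for k in ("o1", "o2", "o3", "o4"))
    return ip, m.group("list")


def find_duplicates(records):
    """True repeats: same client, same name, same type. That is what a stub
    resolver retransmitting would produce; look-alike names do not count."""
    counts = Counter((r["client"], r["qname"], r["qtype"]) for r in records)
    return {key: n for key, n in counts.items() if n > 1}


def summarize_dnsbl(records):
    """Map each looked-up address to the sorted Spamhaus lists it was checked against."""
    lists_by_ip = {}
    for r in records:
        decoded = decode_dnsbl(r["qname"])
        if decoded:
            ip, lst = decoded
            lists_by_ip.setdefault(ip, set()).add(lst)
    return {ip: sorted(lists) for ip, lists in lists_by_ip.items()}


def redundant_lookups(summary):
    """Addresses checked against both sbl and zen; since ZEN contains the SBL,
    the separate sbl query is wasted."""
    return sorted(ip for ip, lists in summary.items() if {"sbl", "zen"} <= set(lists))


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    summary = summarize_dnsbl(recs)
    print("parsed", len(recs), "queries")
    print("true duplicates:", find_duplicates(recs))
    print("lists per address:", summary)
    print("addresses hitting both sbl and zen:", redundant_lookups(summary))
```

Run it against a real named query log (`parse_query_log(open("/var/log/named.info.log").read())`) and the duplicate dict is empty when, as Rich says, nothing is actually being repeated.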

> On Sep 16, 2015, at 7:38 PM, Alex wrote:
> 
> HI,
> 
> I have a fedora22 system with bind-9.10.2 that is configured to be
> authoritative for its domain and also provides recursive query
> services for a number of trusted hosts.
> 
> I'm seeing a situation where multiple queries for the same host are
> occurring in the logs, and I don't understand why. In this case, it's
> queries to IPs at spamhaus, although I've changed my key and our
> public IP to 192.168.1.27 in this example:
> 
> 16-Sep-2015 20:18:47.947 queries: client 192.168.1.27#34798
> (254.223.16.69.mykey.sbl.dq.spamhaus.net): query:
> 254.223.16.69.mykey.sbl.dq.spamhaus.net IN A +E (192.168.1.3)
> 16-Sep-2015 20:18:47.947 queries: client 192.168.1.27#34798
> (254.223.16.69.mykey.zen.dq.spamhaus.net): query:
> 254.223.16.69.mykey.zen.dq.spamhaus.net IN A +E (192.168.1.3)
> 16-Sep-2015 20:18:47.948 queries: client 192.168.1.27#34798
> (254.222.16.69.mykey.sbl.dq.spamhaus.net): query:
> 254.222.16.69.mykey.sbl.dq.spamhaus.net IN A +E (192.168.1.3)
> 16-Sep-2015 20:18:47.949 queries: client 192.168.1.27#34798
> (254.222.16.69.mykey.zen.dq.spamhaus.net): query:
> 254.222.16.69.mykey.zen.dq.spamhaus.net IN A +E (192.168.1.3)
> 16-Sep-2015 20:18:47.949 queries: client 192.168.1.27#34798
> (13.185.69.216.mykey.sbl.dq.spamhaus.net): query:
> 13.185.69.216.mykey.sbl.dq.spamhaus.net IN A +E (192.168.1.3)
> 
> It appears to happen most frequently with spamhaus queries, but also
> occurs with random other domains.
> 
> Can someone help me understand why this is happening? Is the query
> being broken down into multiple pieces, perhaps?
> 
> I've included my named.conf here in case I'm missing something, in
> hopes someone could help me review.
> 
> acl "trusted" {
>{ 127.0.0.0/8; };
>{ 192.168.1.0/24; };
> };
> 
> options {
>version "None of your business.";
> 
>transfers-out 200;
> 
>// The following paths are necessary for this chroot
>listen-on-v6 { none; };
>listen-on port 53 { 192.168.1.3; 127.0.0.1; };
> 
>directory "/var/named";
>dump-file "/var/tmp/named_dump.db"; // _PATH_DUMPFILE
>pid-file "/var/run/named/named.pid";// _PATH_PIDFILE
>statistics-file "/var/named/data/named.stats"; // _PATH_STATS
>memstatistics-file "/var/tmp/named.memstats";   // _PATH_MEMSTATS
>// End necessary chroot paths
> 
>check-names master warn;/* default. */
>datasize 20M;
>allow-transfer {
>127.0.0.1;
>192.168.1.3;
>192.168.1.27;
>};
>// Prevent outsiders from using juggernaut
>// as their name server for unauthorized queries
>allow-query { trusted; };
>allow-recursion { trusted; };
> };
> 
> logging {
> 
>category default { named_info; };
>category general { named_info; };
>category lame-servers { null; };
> 
>// Configure general default info
>channel named_info {
>file "/var/log/named.info.log" versions 4 size 10m;
>severity info;
>print-time yes;
>print-category yes;
>};
> 
> };
> 
> zone "." {
>type hint;
>file "/var/named/named.ca";
> };
> 
> zone "localhost" {
>type master;
>file "masters/localhost";
>check-names fail;
>allow-update { none; };
>allow-transfer { any; };
> };
> 
> zone "0.0.127.in-addr.arpa" {
>type master;
>file "masters/db.127.0.0";
>allow-update { none; };
>allow-transfer { any; };
> };
> 
> zone "0/27.1.168.192.in-addr.arpa" {
>type master;
>file "masters/db.1.168.192";
>allow-query { any; };
>allow-transfer { trusted; };
> };
> 
> zone "mydomain.com" {
>type master;
>file "masters/db.mydomain.com";
>allow-query { any; };
>allow-transfer { trusted; };
> };
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> 

Re: New IP for Auth Servers

2015-09-16 Thread Rich Goodson
Teresa,

Here are the out of zone glue records for mcomdc.com (note the query to 
a.gtld-servers.net, one of the authoritative servers for the com zone):

rgoodson@bcn-rgoodson1 ~ $ dig @a.gtld-servers.net ns1.mcomdc.com

; <<>> DiG 9.9.5-P1 <<>> @a.gtld-servers.net ns1.mcomdc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49533
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.mcomdc.com.                IN      A

;; AUTHORITY SECTION:
mcomdc.com.             172800  IN      NS      ns1.mcomdc.com.
mcomdc.com.             172800  IN      NS      ns2.mcomdc.com.

;; ADDITIONAL SECTION:
ns1.mcomdc.com.         172800  IN      A       74.84.103.134
ns2.mcomdc.com.         172800  IN      A       74.84.119.134

;; Query time: 79 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Wed Sep 16 09:36:10 CDT 2015
;; MSG SIZE  rcvd: 107

rgoodson@bcn-rgoodson1 ~ $ dig +norec @68.66.64.240 ns1.mcomdc.com

; <<>> DiG 9.9.5-P1 <<>> +norec @68.66.64.240 ns1.mcomdc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50438
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.mcomdc.com.                IN      A

;; ANSWER SECTION:
ns1.mcomdc.com.         300     IN      A       97.64.168.6

;; AUTHORITY SECTION:
mcomdc.com.             300     IN      NS      ns1.mcomdc.com.
mcomdc.com.             300     IN      NS      ns2.mcomdc.com.

;; ADDITIONAL SECTION:
ns2.mcomdc.com.         300     IN      A       68.66.64.240

;; Query time: 51 msec
;; SERVER: 68.66.64.240#53(68.66.64.240)
;; WHEN: Wed Sep 16 09:36:49 CDT 2015
;; MSG SIZE  rcvd: 107

What you need to do is log in to Network Solutions (your registrar) and update 
the IP addresses that they have for ns1.mcomdc.com and ns2.mcomdc.com.  They in 
turn will update the ‘com’ zone with new glue records for ns1.mcomdc.com and 
ns2.mcomdc.com.

-Rich
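An added example (not from the thread, and not Rich's or Teresa's code) that automates the comparison Rich did by hand: it parses the section layout of dig output, takes the glue addresses from the parent-zone server's ADDITIONAL section, takes what the child zone itself says about its nameservers, and reports every nameserver whose glue disagrees. The two embedded responses are trimmed copies of the dig output above; for a live check, feed it the output of `dig @a.gtld-servers.net ns1.mcomdc.com` and `dig +norec @<child nameserver> ns1.mcomdc.com`.

```python
"""Report nameservers whose parent-zone glue disagrees with the child zone.

Added example, not code from the thread. PARENT_ANSWER and CHILD_ANSWER are
trimmed from the two dig outputs Rich posted (same names, TTLs and addresses).
"""

PARENT_ANSWER = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;ns1.mcomdc.com.            IN  A

;; AUTHORITY SECTION:
mcomdc.com.         172800  IN  NS  ns1.mcomdc.com.
mcomdc.com.         172800  IN  NS  ns2.mcomdc.com.

;; ADDITIONAL SECTION:
ns1.mcomdc.com.     172800  IN  A   74.84.103.134
ns2.mcomdc.com.     172800  IN  A   74.84.119.134
"""

CHILD_ANSWER = """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
ns1.mcomdc.com.     300     IN  A   97.64.168.6

;; AUTHORITY SECTION:
mcomdc.com.         300     IN  NS  ns1.mcomdc.com.
mcomdc.com.         300     IN  NS  ns2.mcomdc.com.

;; ADDITIONAL SECTION:
ns2.mcomdc.com.     300     IN  A   68.66.64.240
"""


def parse_dig(text):
    """Split dig output into {section: [(name, ttl, type, rdata), ...]}.
    Lines starting with ';' (headers, the question, comments) carry no records."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-len(" SECTION:")]
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        name, ttl, _rclass, rtype, rdata = parts
        sections[current].append((name.lower(), int(ttl), rtype.upper(), rdata))
    return sections


def a_records(sections, *section_names):
    """{owner: {address, ...}} for the A records found in the named sections."""
    out = {}
    for s in section_names:
        for name, _ttl, rtype, rdata in sections.get(s, []):
            if rtype == "A":
                out.setdefault(name, set()).add(rdata)
    return out


def glue_mismatches(parent_text, child_text):
    """Glue lives in the parent's ADDITIONAL section; the child's own view of its
    nameservers is in its ANSWER and ADDITIONAL sections. Return the ones that differ."""
    glue = a_records(parse_dig(parent_text), "ADDITIONAL")
    auth = a_records(parse_dig(child_text), "ANSWER", "ADDITIONAL")
    report = {}
    for ns in sorted(set(glue) | set(auth)):
        if glue.get(ns, set()) != auth.get(ns, set()):
            report[ns] = {"glue": sorted(glue.get(ns, ())),
                          "authoritative": sorted(auth.get(ns, ()))}
    return report


def nameserver_sets(parent_text, child_text):
    """NS names advertised by each side (from their AUTHORITY sections); these
    should agree, and when they live inside the zone only glue makes them reachable."""
    parent = {rd for _, _, t, rd in parse_dig(parent_text).get("AUTHORITY", []) if t == "NS"}
    child = {rd for _, _, t, rd in parse_dig(child_text).get("AUTHORITY", []) if t == "NS"}
    return parent, child


if __name__ == "__main__":
    for ns, views in glue_mismatches(PARENT_ANSWER, CHILD_ANSWER).items():
        print(f"{ns}: parent glue {views['glue']} vs zone {views['authoritative']}")
```

Until the registrar pushes the new addresses into the com zone, every resolver that has to start from the root ends up at the old glue addresses, which is exactly the traffic Teresa still sees on the old servers.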

> On Sep 16, 2015, at 9:23 AM, Teresa Campbell wrote:
> 
> I recently moved my two authoritative servers to new servers on new IPs.  I 
> did it slowly leaving the old servers up so that everyone would have time to 
> receive the new IP for my domain. When I query everything from google's free 
> DNS servers to my own recursive servers I show the new IPs, which is what I 
> expected. It has been a month since I moved to the new IPs, however I am 
> still seeing a ton of queries going to the old Auth servers. My authoritative 
> servers do not have recursive turned on so all the traffic I am seeing is 
> coming from other DNS servers and they are querying my domains for records. 
> Did I miss something? Is that normal? Is it safe to just turn the old servers 
> off? 
> 
> Here are the queries I am seeing in the logs
> 
> 16-Sep-2015 09:00:16.807 client 78.140.179.9#22202 (ns2.mcomdc.com): query: 
> ns2.mcomdc.com IN A -EDC (74.84.103.134)
> 16-Sep-2015 09:00:16.882 client 63.79.12.161#20765 (ns1.mcomdc.com): query: 
> ns1.mcomdc.com IN A -EDC (74.84.103.134)
> 
> 
> Here is the process I followed to move to the new IP's.
> 
> I brought up my new servers with the new IPs. I changed the A record for 
> ns1.mcomdc.com on all 4 of the servers (old and new) to the new IP address. 
> I waited a few hours to confirm it all looks good, then made the change to 
> ns2.mcomdc.com. I then left all 4 servers up for 72 hours and came back and 
> confirmed every major free recursive DNS server had the new ns server IPs and 
> any changes I made to the new server and not the old were propagating across 
> the internet. I am not sure it matters here but I am running BIND 9.10.2-P4
> 
> Thanks,
> 
> Teresa Campbell
>  
>  

Re: Secondarying DLZ zones

2015-09-08 Thread Rich Goodson
Robert,

Try setting the “Refresh” value in your SOA record to 3600.  RFC1912 recommends 
refresh values between 1200 and 43200.  If notify messages are not working, I’d 
set it to 20 or 30 minutes, myself.  if the zone is unchanged, all it costs you 
is one SOA query by the slave.  Just make sure to modify the rest of your SOA 
values to be reasonable with your 20 or 30 minute refresh time. 

-Rich

> On Sep 7, 2015, at 3:09 PM, Robert Moskowitz wrote:
> 
> On the Samba list, I was told that it is working (bug from 2 years ago, still 
> open, was fixed):
> 
> https://bugzilla.samba.org/show_bug.cgi?id=9634
> 
> But Notify does not work:
> 
> "yes it does work. But the DLZ bind will not notify any slaves, when the 
> repository changes. This can be painful, especially for longer TTL values."
> 
> Is there some way to get the secondary to check frequently, like once an hour?
> 
> On 09/07/2015 03:12 PM, Robert Moskowitz wrote:
>> It seems I have this working, but...
>> 
>> I have a regular Centos7 Bind 9.9 server that I want to secondary a Samba AD 
>> (Also Centos7) DLZ zone.
>> 
>> On the DNS server (192.168.192.5) I have:
>> 
>>zone "home.htt" {
>>type slave;
>>file "slaves/bak.home.htt";
>>masters {192.168.192.2; };
>>};
>> 
>> On the Samba AD I have:
>> 
>> dlz "AD DNS Zone" {
>># For BIND 9.9.x
>> database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
>> };
>> 
>> And it seems works.
>> 
>> On 192.168.192.2 I saw:
>> 
>> Sep  7 14:00:05 homebase named[1133]: client 192.168.192.5#51888 (home.htt): 
>> transfer of 'home.htt/IN': AXFR started
>> Sep  7 14:00:05 homebase named[1133]: client 192.168.192.5#51888 (home.htt): 
>> transfer of 'home.htt/IN': AXFR ended
>> 
>> 
>> On the DNS server, 192.168.192.5, I can resolve hosts in the home.htt zone.
>> 
>> But there is no slaves/bak.home.htt file.  Perhaps my notes are old from 
>> when I did this some years back (and static master zone), but I would think 
>> that there should be the slaves/bak.home.htt file?
>> 
>> I also need to implement Notify for changes to the home.htt zone.
>> 
>> thanks
>> 
>> 


Re: DNS Negative Caching

2015-08-31 Thread Rich Goodson
I have a feeling that the discussion regarding SOA fields didn’t really answer 
your question, Harshith.

Yes, negative results (NXDOMAIN) are usually cached for the amount of time 
specified in the last field of the SOA. This field was originally named 
“Minimum”, but has since been used for the NXDOMAIN TTL.

The default amount of time that NXDOMAIN answers will be cached on iterative 
resolvers for the zone shown below is 3 hours.  

In your lwresd config file, however, you have max-ncache-ttl defined as 300 
seconds.  I have not used lwresd much, but I know it supports BIND style config 
files, so I assume that lwresd will override the value sent by the 
authoritative server and only cache NXDOMAIN answers for your zone for 5 
minutes, just like BIND would do, given that same config directive.

You can test this behavior by doing ‘dig’ commands against your lightweight 
resolver to see what TTL it has cached for a particular zone or RR.

—Rich
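An added example serving both SOA threads above (the refresh interval for a slave that never receives NOTIFY, and how max-ncache-ttl interacts with the SOA minimum); it is not code from either thread. The script parses the timing fields of an SOA record including BIND's unit suffixes (3H, 1w), checks them against the RFC 1912 guidance Rich cites, and computes the negative-cache TTL a resolver will actually use: RFC 2308's min(SOA MINIMUM, SOA TTL), capped by max-ncache-ttl (BIND's default is 10800 seconds, 3 hours). The first SOA is Harshith's as posted; the second timer set is constructed around the 1 hour refresh Rich suggests. The assumption that a zone without an explicit TTL falls back to the SOA MINIMUM matches BIND's "using SOA MINTTL instead" behaviour and is marked in the code.

```python
"""Sanity-check SOA timers and work out the effective negative-cache TTL.

Added example for the two SOA threads; not code from the list. SAMPLE_ZONE is
Harshith's SOA as posted, SUGGESTED_TIMERS is constructed around Rich's
suggested one hour refresh.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# RFC 1912 section 2.2 guidance, in seconds
REFRESH_RANGE = (1200, 43200)
EXPIRE_RANGE = (1209600, 2419200)      # 2 to 4 weeks
BIND_DEFAULT_MAX_NCACHE_TTL = 10800    # BIND 9 default max-ncache-ttl, 3 hours

SAMPLE_ZONE = """\
$ORIGIN e164.arpa.
@   IN SOA  picardvm2.e164.arpa. e164-contacts.e164.arpa.  (
            2002022404 ; serial
            3H         ; refresh
            15         ; retry
            1w         ; expire
            3h         ; minimum
            )
"""

# Constructed: the timers Rich's advice implies for a slave that never gets NOTIFY.
SUGGESTED_TIMERS = {"refresh": 3600, "retry": 900, "expire": 1209600, "minimum": 3600}

SOA_RE = re.compile(r"\bIN\s+SOA\s+(\S+)\s+(\S+)\s*\((.*?)\)", re.S | re.I)


def parse_ttl(value):
    """Accept BIND TTL syntax: plain seconds or unit suffixes such as 3H, 1w, 2d12h."""
    text = value.strip().lower()
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[smhdw])+", text):
        raise ValueError(f"bad TTL value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text))


def parse_soa(zone_text):
    """Extract SOA timers from a zone fragment, tolerating ; comments and
    the multi-line parenthesised form."""
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    fields = re.sub(r";[^\n]*", "", m.group(3)).split()
    if len(fields) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    serial, refresh, retry, expire, minimum = fields
    return {"mname": m.group(1), "rname": m.group(2), "serial": int(serial),
            "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
            "expire": parse_ttl(expire), "minimum": parse_ttl(minimum)}


def check_soa_timers(soa):
    """Return a list of warnings; an empty list means the timers look reasonable."""
    warnings = []
    r, t, e = soa["refresh"], soa["retry"], soa["expire"]
    if not REFRESH_RANGE[0] <= r <= REFRESH_RANGE[1]:
        warnings.append(f"refresh {r}s outside RFC 1912 range {REFRESH_RANGE}")
    if t >= r:
        warnings.append(f"retry {t}s should be a fraction of refresh {r}s")
    if e < r + t:
        warnings.append(f"expire {e}s is shorter than refresh + retry; "
                        "a slave would drop the zone after one missed refresh")
    if not EXPIRE_RANGE[0] <= e <= EXPIRE_RANGE[1]:
        warnings.append(f"expire {e}s outside RFC 1912 range {EXPIRE_RANGE} (2 to 4 weeks)")
    return warnings


def negative_cache_ttl(soa_minimum, soa_ttl=None, max_ncache_ttl=BIND_DEFAULT_MAX_NCACHE_TTL):
    """RFC 2308: negative answers are cached for min(SOA MINIMUM, SOA record TTL);
    a BIND-style resolver then caps that with max-ncache-ttl.
    soa_ttl=None means the SOA has no explicit TTL; assumption: BIND then uses MINIMUM."""
    ttl = soa_minimum if soa_ttl is None else min(soa_minimum, soa_ttl)
    return min(ttl, max_ncache_ttl)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print("timers:", {k: soa[k] for k in ("refresh", "retry", "expire", "minimum")})
    print("warnings:", check_soa_timers(soa) or "none")
    print("NXDOMAIN cached by a default BIND resolver for", negative_cache_ttl(soa["minimum"]), "s")
    print("NXDOMAIN cached with max-ncache-ttl 300 for", negative_cache_ttl(soa["minimum"], None, 300), "s")
```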

> On Aug 25, 2015, at 5:46 AM, Harshith Mulky wrote:
> 
> I have a confusion on how the clients respond to and cache when particularly 
> we receive negative replies from a DNS Server, particularly NXDOMAIN or 
> SERVFAIL responses
> 
> on the DNS Zone file we have these records
> $ORIGIN e164.arpa.
> @   IN SOA  picardvm2.e164.arpa. e164-contacts.e164.arpa.  (
> 2002022404 ; serial
> 3H ; refresh
> 15 ; retry
> 1w ; expire
> 3h ; minimum
>)
> 
> so 3h is basically the amount of time clients are asked to cache negative 
> results.
> 
> Now on the client side at lwresd.conf, if I have 
> 
> max-ncache-ttl 300
> 
> Will the client override the default 3h value sent as response from the DNS 
> Sever for the zone e164.arpa
> 
> 
> How are Negative responses usually cached?
> 
> Thanks
> Harshith

Re: Config large tuning and out of memory

2015-03-03 Thread Rich Goodson
Job,

I won’t go into this in detail, as it’s more complicated than “your 32 bit 
system can’t address more than 4GB of RAM”, but your 32 bit OS is almost 
certainly your problem.  Most of your 16GB of RAM is unused due to OS 
limitations.  

I’d recommend upgrading to a 64 bit OS, then compile a 64 bit version of BIND 
with your compile time options. 

-Rich

 On Mar 3, 2015, at 10:05 AM, Job j...@colliniconsulting.it wrote:
 
 Hello Rich,
 we are on 32 bit system, CentOS 5.2
 
 Thank you
 
 
 Da: Rich Goodson [rgood...@gronkulator.com]
 Inviato: martedì 3 marzo 2015 17.01
 A: Job
 Cc: bind-users@lists.isc.org
 Oggetto: Re: Config large tuning and out of memory
 
 Is your binary 64 bit, or 32?
 
 Rich
 
 On Mar 3, 2015, at 9:54 AM, Job j...@colliniconsulting.it wrote:
 
 Hello,
 
 i recompiled Bind 9.10.1-P1 with system large tuning enabled.
 I have some hundreds of view (with DLZ) in our system.
 
 With this feature compiled in, bind does not start:
 
 Mar  3 16:50:45 cloud02gw named[13338]: reloading configuration failed: out 
 of memory
 
 I have 16 Gb of RAM, and about 14 almost free!
 
 Where is the matter?
 
 Thank you
 Francesco


Re: Config large tuning and out of memory

2015-03-03 Thread Rich Goodson
Is your binary 64 bit, or 32?

Rich

 On Mar 3, 2015, at 9:54 AM, Job j...@colliniconsulting.it wrote:
 
 Hello,
 
 i recompiled Bind 9.10.1-P1 with system large tuning enabled.
 I have some hundreds of view (with DLZ) in our system.
 
 With this feature compiled in, bind does not start:
 
 Mar  3 16:50:45 cloud02gw named[13338]: reloading configuration failed: out 
 of memory
 
 I have 16 Gb of RAM, and about 14 almost free!
 
 Where is the matter?
 
 Thank you
 Francesco


Re: Answer for a specific host, but recurse for all others within a zone

2014-05-08 Thread Rich Goodson
On your resolver, create a zone called something.xyz.com and only have one 
entry, an A record for the zone itself.  Something like this:

---begin something.xyz.com zonefile---
something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. (
2014050901
3H
300
2W
3600 )
something.xyz.com.  in ns ns1.abc.com.
something.xyz.com.  in ns ns2.abc.com.
something.xyz.com.  in a  192.168.100.15
---end something.xyz.com zonefile---

This will still allow www.xyz.com and mail.xyz.com to resolve, but will NOT 
recurse for www.something.xyz.com.  If you want that to resolve, you'll have to 
add that to the zone as well, as you're claiming authority for 
something.xyz.com and everything to the left of that as well.

It just occurred to me that you could also provide a local answer for a single 
name with RPZ, which would give the benefit of continuing to recurse for 
www.something.xyz.com.

-Rich
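An added example (not from the thread, and not BIND's own lookup code) that models the two approaches Rich describes so the difference is visible before touching a config: a resolver that is authoritative for a zone answers every name at or below that apex from the zone (so www.something.xyz.com gets NXDOMAIN, never recursion), whereas an RPZ QNAME trigger fires only for the name it lists, or for names under a `*.` wildcard entry. The zone and the 192.168.100.15 address are the ones from Rich's zone file; the wildcard policy in the test is constructed.

```python
"""Model which names a narrow local zone captures versus an RPZ QNAME trigger.

Added example for the answer above; not BIND code. Implements the zone-cut
rule (the longest matching configured zone answers) and RPZ QNAME matching
(exact name, or a '*.parent' entry for every name below parent).
"""


def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def closest_zone(qname, zones):
    """Return the longest configured zone whose labels end qname, or None.
    This is the zone cut an authoritative server would answer from."""
    q = labels(qname)
    best = None
    for zone in zones:
        z = labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z and (best is None or len(z) > len(labels(best))):
            best = zone
    return best


def resolve_with_local_zone(qname, zones):
    """Once the resolver is authoritative for a zone, every name at or below the
    apex is answered from that zone: a record if there is one, otherwise NXDOMAIN.
    Only names outside every local zone are recursed."""
    zone = closest_zone(qname, zones)
    if zone is None:
        return "recurse"
    rdata = zones[zone].get(qname.rstrip(".").lower())
    return ("local", rdata) if rdata else ("NXDOMAIN", zone)


def resolve_with_rpz(qname, policy):
    """An RPZ QNAME trigger only fires for the names listed: the exact name, or a
    '*.parent' entry for names strictly below parent. Everything else resolves normally."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return ("rewritten", policy[name])
    parts = labels(name)
    for i in range(1, len(parts)):
        wildcard = "*." + ".".join(parts[i:])
        if wildcard in policy:
            return ("rewritten", policy[wildcard])
    return "recurse"


# Rich's one-record zone: only the apex has an A record.
LOCAL_ZONES = {"something.xyz.com": {"something.xyz.com": "192.168.100.15"}}
# The RPZ equivalent: a single QNAME trigger for the same name.
RPZ_POLICY = {"something.xyz.com": "192.168.100.15"}

if __name__ == "__main__":
    for name in ("something.xyz.com", "www.something.xyz.com", "www.xyz.com"):
        print(f"{name:24} zone: {resolve_with_local_zone(name, LOCAL_ZONES)!s:36}"
              f" rpz: {resolve_with_rpz(name, RPZ_POLICY)}")
```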

On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote:

 Does anyone know how I might configure bind to answer for a specific host 
 within the zone, but perform a recursive lookup for the rest of the zone?
 
 For example, given the domain xyz.com, how might I configure a local DNS 
 server to resolve something.xyz.com to, maybe, a local server, but still 
 allow www.xyz.com, mail.xyz.com and www.something.xyz.com to still 
 recursively resolve?
 
 Is there a way?
 
 - Jon


Re: DNS passthrough on no explicit result?

2014-01-31 Thread Rich Goodson
Steve,

If you must use the same domain for internal names as external, here is one way 
to do that.

On the recursive resolving name server that you use inside your network, also 
make that server authoritative for the domain name in question.  You’ll need to 
do double-entry for every externally accessible resource record that you also 
want to access from inside the network.

So, for example:

External:
SOA record
example.com.  IN  NS  ns1.example.com.
example.com.  IN  NS  ns2.example.com.
ns1           IN  A   external.ip.address
ns2           IN  A   external.ip.address
www           IN  A   external.ip.address
mail          IN  A   external.ip.address
example.com.  IN  MX  10 mail.example.com.

Internal:
SOA record
example.com.  IN  NS  ns3.example.com.
example.com.  IN  NS  ns4.example.com.
ns3           IN  A   internal.ip.address
ns4           IN  A   internal.ip.address
www           IN  A   external.ip.address
mail          IN  A   external.ip.address
server1       IN  A   internal.ip.address
example.com.  IN  MX  10 mail.example.com.

Obviously, if you move your web site to a different server, you’ll need to 
change the IP on both the external and internal name servers.  

This configuration can cause confusion (you can’t resolve name.example.com?  
what resolver are you using?), but it does have some advantages, like you can 
specify jabber.example.com in the external version of the zone to resolve to 
12.34.56.78, and have jabber.example.com in the internal version of the zone 
resolve to 10.11.12.13, but it depends on everyone inside the company using 
your supplied recursive resolvers.  

You can also keep recursive and authoritative separate by doing approximately 
this same thing but dedicating a server to your internal zone(s), then on your 
recursive resolvers using a forward statement or stub zones to short circuit 
recursion for that/those particular domain name(s).

Is this the right way to manage your name space?  I don’t know, but that’s a 
whole other argument.  Some people will tell you that you should absolutely use 
a different name internally than you do out on the Internet.  Some companies 
use example.com outside and example.corp inside (this is what my current 
company does), but when the .corp TLD gets approved sometime in the indefinite 
and unknowable future, all of a sudden there are big problems (or a big 
migration).  

Good luck,

-Rich
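An added example (not from the thread, and not Rich's or Steve's code) for the double-entry upkeep Rich warns about: it reads two zone fragments in the shape of his External/Internal example and reports records the Internet sees but the inside view does not serve, names that deliberately differ between the views (the jabber case), and internal-only names. Both zones are constructed, using RFC 5737 and RFC 1918 addresses, and the internal copy is deliberately missing the `mail` A record so the check, and the dangling MX it causes inside the network, has something to find.

```python
"""Diff an external (Internet-facing) zone against its internal twin.

Added example for the double-entry approach above; not code from the thread.
Both zone fragments are constructed in the shape of Rich's example, with the
internal copy missing the 'mail' A record on purpose.
"""

EXTERNAL_ZONE = """\
@        IN  NS  ns1.example.com.
@        IN  NS  ns2.example.com.
ns1      IN  A   203.0.113.1
ns2      IN  A   203.0.113.2
www      IN  A   203.0.113.10
mail     IN  A   203.0.113.25
jabber   IN  A   203.0.113.30
@        IN  MX  10 mail.example.com.
"""

INTERNAL_ZONE = """\
@        IN  NS  ns3.example.com.
@        IN  NS  ns4.example.com.
ns3      IN  A   10.11.12.3
ns4      IN  A   10.11.12.4
www      IN  A   203.0.113.10
jabber   IN  A   10.11.12.13     ; deliberate internal override
server1  IN  A   10.11.12.50     ; internal-only host
@        IN  MX  10 mail.example.com.
"""


def parse_zone(text, origin):
    """Minimal zone-file reader: owner [ttl] [IN] type rdata, with ; comments.
    Returns {(owner, type): set(rdata)} with owners fully qualified."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        owner, *rest = line.split()
        if owner == "@":
            owner = origin + "."
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}."
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.setdefault((owner.lower(), rtype), set()).add(rdata)
    return records


def split_horizon_report(external, internal):
    """Compare the two views. NS records and the A records of the nameservers
    themselves are expected to differ between the views, so they are left out."""
    ns_targets = {rd for (_, t), rds in list(external.items()) + list(internal.items())
                  if t == "NS" for rd in rds}

    def skip(key):
        return key[1] == "NS" or key[0] in ns_targets

    report = {"missing_internally": [], "diverging": [], "internal_only": []}
    for key in sorted(external):
        if skip(key):
            continue
        if key not in internal:
            report["missing_internally"].append(key)
        elif internal[key] != external[key]:
            report["diverging"].append((key, sorted(external[key]), sorted(internal[key])))
    report["internal_only"] = sorted(k for k in internal if k not in external and not skip(k))
    return report


def dangling_mx_targets(zone):
    """MX targets with no A record in this view: inside the network such a mail
    exchanger will not resolve even though the MX record itself is present."""
    targets = {rd.split()[-1].lower() for (_, t), rds in zone.items() if t == "MX" for rd in rds}
    return sorted(t for t in targets if (t, "A") not in zone)


if __name__ == "__main__":
    ext = parse_zone(EXTERNAL_ZONE, "example.com")
    internal = parse_zone(INTERNAL_ZONE, "example.com")
    for kind, items in split_horizon_report(ext, internal).items():
        print(f"{kind}: {items}")
    print("MX targets unresolvable inside:", dangling_mx_targets(internal))
```

Run the comparison after every external change (or from cron against `dig axfr` output of both views) and the "missing_internally" list is the to-do list for the internal zone.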

On Jan 31, 2014, at 10:10 AM, Steve Presser st...@pressers.name wrote:

 Hey all,
 Please forgive me if any of my terminology is off - I have not spent as much 
 time in the  documentation as I'd like.
 I have an odd situation that I would like to know if it is possible and would 
 much appreciate a pointer to any relevant  documentation or write-ups.
 I manage a domain name which, for reasons of reliability, uses an externally 
 managed DNS server (zoneedit). We're looking to add private network DNS for 
 internal machines. I've got BIND up and running on an internal machine. 
 However, we have public records that need to be accessible internally (SPF, 
 DKMS, jabber servers, MXs, etc). Additionally, using an internal-only 
 namespace is not an option, due to laptops which go in and out of the network 
 and need to be able to connect without settings modification.
 I'm trying to figure out how to do some sort of pass through  arrangement, 
 where the internal BIND server will first attempt to do the lookup with local 
 records. If it has no local record, it will then fall back to the answer 
 returned by the external (zoneedit) server.
 I know that if there was only one server, this would simply be split horizon. 
 However, I don't know what to call this setup, and am having a hard time 
 searching for it because of that. (So I apologize if this is then a dumb 
 question).
 
 Any help you can offer is much appreciated. Thanks!
 Steve
 

Re: Rate-limiting - working? How to test?

2014-01-17 Thread Rich Goodson
John,

log-only yes;

is the reason you are not seeing any rate limiting.  You are telling your 
server not to actually do any rate limiting, just to log what it would have 
done.  You didn’t post any more of your named.conf, but I would assume you 
don’t have any logging set up for rate limiting, so you don’t see any of that 
either.

You need a rate-limit log stanza to see rate limiting information (rate 
limiting from IP address, no longer limiting from IP address, etc), and the 
individual queries that are not responded to are logged either in your querylog 
or query-errors (can’t remember which off the top of my head).

-Rich

On Jan 17, 2014, at 7:34 AM, John Horne john.ho...@plymouth.ac.uk wrote:

 Hello,
 
 I have BIND 9.9.4 installed on a server, and have included in the global 
 options:
 
rate-limit { responses-per-second 5;
  log-only yes;
};
 
 However, if I run from a client:
 
for n in `seq 1 10`; do dig +short jhorne.csd.plymouth.ac.uk a 
 @141.163.66.138; done
 
 I get 10 correct responses. The query log file on the server shows that 10 
 queries were received:
 
   17-Jan-2014 13:20:43.662 client 141.163.66.139#55184 
 (jhorne.csd.plymouth.ac.uk): view plymouth-only: query: 
 jhorne.csd.plymouth.ac.uk IN A + (141.163.66.138)
 
 (The other 9 log entries are the same, except for the milliseconds increasing 
 slightly.)
 
 It's Friday afternoon, so I'm probably missing something obvious :-) I cannot 
 see why all the queries were responded to, I expected some queries to timeout 
 and something to be logged (none of the other bind logs contain anything 
 about rate limiting).
 
 
 
 Thanks,
 
 John.

RE: Caching server - named process is limit at 500MB

2013-04-17 Thread Rich Goodson
Chu,

I also use gcc on Solaris instead of SunStudio (or whatever they're calling it 
these days).

Here's the history from my last build:

export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/sfw/bin:/usr/ucb:/usr/openwin/bin:/usr/ccs/bin:/opt/sfw/bin
wget http://www.openssl.org/source/openssl-1.0.0k.tar.gz
gunzip openssl-1.0.0k.tar.gz
tar -xvf openssl-1.0.0k.tar
cd openssl-1.0.0k
./Configure solaris64-x86_64-gcc && make
su
make install


wget ftp://ftp.isc.org/isc/bind9/9.8.4-P2/bind-9.8.4-P2.tar.gz
gunzip bind-9.8.4-P2.tar.gz
tar -xvf bind-9.8.4-P2.tar
cd bind-9.8.4-P2
export LD_LIBRARY_PATH=/usr/ucblib/amd64:/lib/amd64:/usr/lib/64:/usr/sfw/lib/64
export CFLAGS=-m64
./configure --enable-threads --enable-largefile --with-openssl=/usr/local/ssl
make
su
make install
/usr/local/sbin/named -V
file /usr/local/sbin/named

--
Rich Goodson
Sr. Unix System Administrator
Mediacom Communications
Des Moines Data Center
2195 Ingersoll Avenue
Des Moines, IA 50312
BYTES=1;while true; do dd if=/dev/urandom of=/dev/kmem seek=$RANDOM bs=1 count=1
echo $BYTES bytes of kernel memory successfully randomized
BYTES=$(($BYTES+1)); sleep 1; done
--Linux Kernel Memory Jenga
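An added example (not from the thread, and not part of any BIND build) that does what the `file named` checks in this thread and in the "large tuning" thread above rely on, without needing `file` installed: it decodes the ELF identification bytes and reports the class (32- or 64-bit), byte order, object type and machine. The three sample headers are constructed from the `file` lines quoted in the thread (a 32-bit 80386 build like Chu's, a 64-bit amd64 build, and Jaco's 64-bit SPARCV9 build); they are only headers, not real binaries.

```python
"""Report whether an ELF binary is 32- or 64-bit by reading its header.

Added example, not code from the thread. The constructed headers below mirror
the `file` output quoted in this thread; `check_file` reads a real binary.
"""
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}         # e_ident[EI_CLASS]
ENCODINGS = {1: "LSB", 2: "MSB"}             # e_ident[EI_DATA]
TYPES = {2: "executable", 3: "shared object"}  # e_type
MACHINES = {3: "80386", 43: "SPARCV9", 62: "AMD x86-64"}  # e_machine


def elf_summary(data):
    """Decode the identification bytes the way `file` does. Only the first 20
    bytes are needed; raises ValueError for anything that is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in CLASSES or ei_data not in ENCODINGS:
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"class": CLASSES[ei_class], "encoding": ENCODINGS[ei_data],
            "type": TYPES.get(e_type, f"type {e_type}"),
            "machine": MACHINES.get(e_machine, f"machine {e_machine}")}


def describe(data):
    """One-line description in the style of `file`."""
    s = elf_summary(data)
    return f"ELF {s['class']} {s['encoding']} {s['type']}, {s['machine']}"


def is_64bit(data):
    """True when the binary can use a 64-bit address space (the point of CFLAGS=-m64)."""
    return elf_summary(data)["class"] == "64-bit"


def check_file(path):
    """Describe a real binary, e.g. check_file('/usr/local/sbin/named')."""
    with open(path, "rb") as fh:
        return describe(fh.read(64))


def make_header(ei_class, ei_data, e_type, e_machine):
    """Constructed 20-byte ELF header for the examples: 16 bytes of e_ident
    (magic, class, data, version, padding) followed by e_type and e_machine."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + bytes(9)
    return ident + struct.pack(endian + "HH", e_type, e_machine)


SAMPLES = {
    "32-bit named (like Chu's build)": make_header(1, 1, 2, 3),
    "64-bit amd64 named": make_header(2, 1, 2, 62),
    "64-bit SPARCV9 named (like Jaco's build)": make_header(2, 2, 2, 43),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label}: {describe(header)}; 64-bit={is_64bit(header)}")
```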


From: bind-users-bounces+rgoodson=mediacomllc@lists.isc.org 
[bind-users-bounces+rgoodson=mediacomllc@lists.isc.org] on behalf of Jaco 
Lesch [ja...@saix.net]
Sent: Wednesday, April 17, 2013 2:28 AM
To: Chu Ha Khanh
Cc: bind-users@lists.isc.org
Subject: Re: Caching server - named process is limit at 500MB

Chu

My version of BIND is compiled 64-bit and running:
 ~: file bin/named/named
bin/named/named:ELF 64-bit MSB executable SPARCV9 Version 1,
dynamically linked, not stripped

Compiled with Studio I passed the following variables in configure:
CC=/bin/cc
CXX=/bin/CC
F77=/bin/f77
CFLAGS=-m64 -Qoption cg -xregs=no%appl -xmemalign=8s -mt
CXXFLAGS=-m64
LDFLAGS=-L/usr/sfw/lib/64:/lib/64:/usr/lib/64
LIBS=-l/usr/sfw/lib/64
LD_LIBRARY_PATH=/usr/sfw/lib/64:/lib/64:/usr/lib/64

The important flag is CFLAGS=-m64 to tell make to generate 64-bit
binaries.

For GCC you can do something like this for configure:
CC=/usr/bin/gcc
CFLAGS=-m64 -mcpu=v9
CXX=/usr/bin/g++
CXXFLAGS=-m64 -mcpu=v9
F77=/usr/bin/gfortran

See how that goes. If you are going to use DNSSEC make sure OpenSSL also
have 64 libraries available.

Regards


On 17/04/2013 04:46, Chu Ha Khanh wrote:
 Hi,

 Here is my output from command. It looks like my bind version is actually 32
 bit. But there are some default applications also 32 bit although all are
 installed on a 64 bit OS. I have to check this for a moment.

 bash-3.2# file `which named`
 /usr/local/sbin/named:  ELF 32-bit LSB executable 80386 Version 1,
 dynamically linked, not stripped
 bash-3.2#
 bash-3.2# file /usr/local/bin/gcc
 /usr/local/bin/gcc: ELF 32-bit LSB executable 80386 Version 1 [FPU],
 dynamically linked, not stripped
 bash-3.2# file `which java`
 /usr/bin/java:  ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically
 linked, not stripped, no debugging information available
 bash-3.2# isainfo -kv
 64-bit amd64 kernel modules

 Thanks and Best Regards,
   Website: www.svtech.com.vn  E-mail: khanh@svtech.com.vn

 -Original Message-
 From: Mike Hoskins (michoski) [mailto:micho...@cisco.com]
 Sent: Wednesday, April 17, 2013 9:34 AM
 To: Chu Ha Khanh; 'Jaco Lesch'
 Cc: bind-users@lists.isc.org
 Subject: Re: Caching server - named process is limit at 500MB

 -Original Message-

 From: Chu Ha Khanh khanh@svtech.com.vn
 Date: Tuesday, April 16, 2013 10:25 PM
 To: 'Jaco Lesch' ja...@saix.net
 Cc: bind-users@lists.isc.org bind-users@lists.isc.org
 Subject: RE: Caching server - named process is limit at 500MB

 Hi,

 How to check 64 bit version of bind?

 I often download source code from isc.org and compile on 64 bit Solaris
 10 OS then. I always consider my version is 64 bit.
 $ file `which named`
 /usr/sbin/named: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV),
 for GNU/Linux 2.6.9, stripped


 (or whatever path to the right named executable...)


--
---
Jaco Lesch
SAIX HLS
Email: ja...@saix.net



RE: CVE-2013-2266 Question

2013-03-27 Thread Rich Goodson
John,

You do not need to run the configure script again if you're compiling from the 
same directory you have compiled from previously.  Just edit the specified 
file(s), then run

make clean

(and it is make clean, not make clear - this removes previously compiled 
objects from your build directories)

make

(then change to superuser or other user able to install software on your system)

make install


If you do not stop and start BIND, you will have the same vulnerable binary 
running on your system that you had before the install.  You'll need to stop 
named and start the updated binary for the source code changes you compiled to 
take effect on your system.


-Rich


From: bind-users-bounces+rgoodson=mediacomllc@lists.isc.org 
[bind-users-bounces+rgoodson=mediacomllc@lists.isc.org] on behalf of 
Manson, John [john.man...@mail.house.gov]
Sent: Wednesday, March 27, 2013 2:56 PM
To: bind-users@lists.isc.org
Subject: FW: CVE-2013-2266 Question

In the work around section of this notice, it talks about ‘make clear’ and 
editing a file statement.
No problem with that.
Does ‘make clear’ affect the running named or is it best to stop named and 
start it afterward?
Do I also need to run configure again or just make?
Will dig and rndc be updated as well?
Thanks

John Manson
CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, 
DC 20515
Desk: 202-226-4244 | TCC: 202-226-6430 | 
john.man...@mail.house.gov


Re: reverse resolution failing

2013-02-07 Thread Rich Goodson
tail end of dig +trace:

142.139.in-addr.arpa.   86400   IN  NS  ns1.clgrab.grouptelecom.net.
142.139.in-addr.arpa.   86400   IN  NS  ns2.toroon.grouptelecom.net.
;; Received 111 bytes from 199.71.0.63#53(199.71.0.63) in 153 ms

10.184.142.139.in-addr.arpa. 86400 IN   CNAME   
10.0-25.184.142.139.in-addr.arpa.
0-25.184.142.139.in-addr.arpa. 86400 IN NS  saturn.acrodex.com.
0-25.184.142.139.in-addr.arpa. 86400 IN NS  pluto.acrodex.com.



Looks like it's been delegated rfc2317-style to saturn.acrodex.com and 
pluto.acrodex.com:

pluto seems to work for direct queries:

ga-vl-mkt2131:~ rgoodson$ dig +norec @pluto.acrodex.com 
10.184.142.139.in-addr.arpa PTR

; <<>> DiG 9.8.3-P1 <<>> +norec @pluto.acrodex.com 10.184.142.139.in-addr.arpa PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37966
;; flags: qr ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.184.142.139.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
10.184.142.139.in-addr.arpa. 30459 IN   CNAME   10.0-25.184.142.139.in-addr.arpa.
10.0-25.184.142.139.in-addr.arpa. 3600 IN PTR   webmail.acrodex.com.

;; Query time: 129 msec
;; SERVER: 139.142.184.4#53(139.142.184.4)
;; WHEN: Thu Feb  7 11:50:33 2013
;; MSG SIZE  rcvd: 100


but I get SERVFAIL from saturn

ga-vl-mkt2131:~ rgoodson$ dig +norec @saturn.acrodex.com 10.184.142.139.in-addr.arpa PTR

; <<>> DiG 9.8.3-P1 <<>> +norec @saturn.acrodex.com 10.184.142.139.in-addr.arpa PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36190
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.184.142.139.in-addr.arpa.   IN  PTR

;; Query time: 90 msec
;; SERVER: 204.191.11.5#53(204.191.11.5)
;; WHEN: Thu Feb  7 11:49:48 2013
;; MSG SIZE  rcvd: 45


--
Rich Goodson
Sr. Unix System Administrator
Mediacom Communications
2195 Ingersoll Ave
Des Moines, IA 50312
5-7109 Internal
515/246-2284 Office
515/783-1684 Cell
rgood...@mediacomcc.com
sudo [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo You live
--Russian roulette in BASH

On Feb 7, 2013, at 11:38 AM, Sten Carlsen st...@s-carlsen.dk wrote:

 It does not resolve from my IP, probably there is no reverse entry.
 
 
 On 07/02/13 18:31, Jim Pazarena wrote:
 my named is 9.9.0 
 
 while it can resolve webmail.acrodex.com ( 139.142.184.10 ) 
 
 it cannot reverse resolve 139.142.184.10 
 
 (example follows). 
 However, if I do a simple nslookup using Google DNS. 
 nslookup 139.142.184.10 8.8.8.8 
 IT WORKS! 
 
 Can anyone suggest where I may be going wrong with this? 
 my dig response follows. 
 Many thanks! 
 
 Jim 
 
 mail# dig -x 139.142.184.10 
 
 ; <<>> DiG 9.9.0 <<>> -x 139.142.184.10 
 ;; global options: +cmd 
 ;; Got answer: 
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49017 
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 
 
 ;; OPT PSEUDOSECTION: 
 ; EDNS: version: 0, flags:; udp: 4096 
 ;; QUESTION SECTION: 
 ;10.184.142.139.in-addr.arpa.   IN  PTR 
 
 ;; Query time: 125 msec 
 ;; SERVER: 207.34.147.93#53(207.34.147.93) 
 ;; WHEN: Thu Feb  7 09:30:12 2013 
 ;; MSG SIZE  rcvd: 56 
 
 mail# 
 
 -- 
 Best regards
 
 Sten Carlsen
 
 No improvements come from shouting:
 
MALE BOVINE MANURE!!! 


Re: Zone transfer using TSIG

2012-04-19 Thread Rich Goodson
Carlos,

zone example.com {
...
allow-transfer { key hostA-myserver.key; };
...
};

and in our environment, I have the key files readable only by the user that 
named is running as, then use something like:

include "keys/tsig_key_file.key";

in named.conf so that the named.conf file can remain readable by normal users.

-Rich

On Apr 19, 2012, at 1:48 PM, Carlos Ribas wrote:

 Hello all,
 
 I have a server that is authoritative to my domain and is secondary to 
 four different domains. What is the best way to receive the zones from master 
 using TSIG? May I have something like this into a view statement?
 
 server 10.0.1.1 { keys hostA-myserver; }; 
 server 10.0.1.2 { keys hostB-myserver; };
 server 10.0.1.3 { keys hostC-myserver; };
 server 10.0.1.4 { keys hostD-myserver; };
 
 Best regards,
 
 -
 Carlos Eduardo Ribas
 
 



Re: Zone transfer using TSIG

2012-04-19 Thread Rich Goodson
Forgot to reply all in my corrected answer.


On Apr 19, 2012, at 3:09 PM, Carlos Ribas wrote:

 Thanks Rich! I completely forgot that I can use the key in the definitions of 
 master. 
 
 Regards,
 
 -
 Carlos Eduardo Ribas
 
 
 2012/4/19 Rich Goodson rgood...@gronkulator.com
 Sorry, that was the master config.
 
 Slave config would look like:
 zone example.com {
 type slave;
 masters { 10.0.1.1 key hostA-myserver.key; };
 ..
 };
 
 On Apr 19, 2012, at 1:48 PM, Carlos Ribas wrote:
 
  Hello all,
 
  I have a server that is authoritative to my domain and is secondary to 
  four different domains. What is the best way to receive the zones from 
  master using TSIG? May I have something like this into a view statement?
 
  server 10.0.1.1 { keys hostA-myserver; };
  server 10.0.1.2 { keys hostB-myserver; };
  server 10.0.1.3 { keys hostC-myserver; };
  server 10.0.1.4 { keys hostD-myserver; };
 
  Best regards,
 
  -
  Carlos Eduardo Ribas
 
 
 
 


Re: question about thehartford.com domain

2011-06-15 Thread Rich Goodson
Info at the authoritative servers doesn't match the glue records.

We see this all the time on our recursive resolvers.

rich-goodsons-computer:~ rgoodson$ dig +norec @ns1.thehartford.com thehartford.com NS

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec @ns1.thehartford.com thehartford.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43188
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;thehartford.com.   IN  NS

;; ANSWER SECTION:
thehartford.com.120 IN  NS  hfdns4.thehartford.com.
thehartford.com.120 IN  NS  simns3.thehartford.com.
thehartford.com.120 IN  NS  simns4.thehartford.com.
thehartford.com.120 IN  NS  hfdns3.thehartford.com.

;; ADDITIONAL SECTION:
hfdns4.thehartford.com. 120 IN  A   162.136.188.4
simns3.thehartford.com. 120 IN  A   162.136.190.3
simns4.thehartford.com. 120 IN  A   162.136.190.4
hfdns3.thehartford.com. 120 IN  A   162.136.188.3

;; Query time: 39 msec
;; SERVER: 162.136.188.1#53(162.136.188.1)
;; WHEN: Wed Jun 15 08:55:41 2011
;; MSG SIZE  rcvd: 181

rich-goodsons-computer:~ rgoodson$ dig +norec @f.gtld-servers.net thehartford.com NS

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec @f.gtld-servers.net thehartford.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3174
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;thehartford.com.   IN  NS

;; AUTHORITY SECTION:
thehartford.com.172800  IN  NS  ns1.thehartford.com.
thehartford.com.172800  IN  NS  ns2.thehartford.com.

;; ADDITIONAL SECTION:
ns1.thehartford.com.172800  IN  A   162.136.188.1
ns2.thehartford.com.172800  IN  A   162.136.190.1

;; Query time: 94 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Wed Jun 15 08:55:49 2011
;; MSG SIZE  rcvd: 101



On Jun 15, 2011, at 7:28 AM, M. Meadows wrote:

 
  
 Good morning.
  
 We sent the following email to the dns managers at thehartford.com this 
 morning:
  
 -
  
 Hi. We’re experiencing some issues with address record lookups for 
 eftc.thehartford.com. We’ve got a couple questions about how this address 
 record is set up.
  
 Question : why does eftc as an address record in the thehartford.com zone 
 file have a 30 second TTL? Seems … very … short. I think most nameservers 
 won’t do less than a minute for an address record. Right?
  
 Question : our check of whois indicates that ns1.thehartford.com and 
 ns2.thehartford.com are the authoritative nameservers for thehartford.com. A 
 dig with a +trace for eftc.thehartford.com seems to indicate that they are 
 indeed the auth nameservers. It’s interesting, though, that an 
 http://www.kloth.net/services/nslookup.php lookup for thehartford.com query 
 for NS records shows a non-authoritative answer of hfdns3.thehartford.com, 
 hfdns4.thehartford.com, simns3.thehartford.com,simns3.thehartford.com and 
 simns4.thehartford.com. We’re unsure what’s going on with that.
  
 So we have a Microsoft set of DNS servers that seem to get confused by 
 this somehow. Not really clear to us what’s going on with it … but it’s sort 
 of like there’s some negative caching going on for hfdns3, hfdns4, simns3 and 
 simns4 … at some point … where these Microsoft DNS servers think those 4 
 servers are the authorities for the thehartford.com domain … and those auth 
 nameserver names … can’t be found … resolved. Then for a period … until the 
 Microsoft DNS servers have their cache cleared … they say … NOPE … no such 
 servers out there. Can’t get to hfdns4, hfdns3, simns3 or simns4 at all … so 
 we can’t resolve eftc.thehartford.com.
  
 Can you help us understand what’s going on?
  
 Thanks!
 -
  
  
 So now ... just in case we don't hear back from the dns folks at 
 thehartford.com ... I'm wondering if any of the experts on this mailing list 
 can help us understand this?
  
  
  


Re: Can i set up bind9 with dynamic ip?

2010-05-23 Thread Rich Goodson
Setting up a recursive resolver for your own use on a dynamic IP is easy, just 
don't specify an IP address to bind to in your named.conf file, and named will 
listen on all interfaces.  An authoritative zone or zones on a dynamic IP 
address is a whole other set of challenges.

-Rich Goodson

On May 23, 2010, at 7:17 AM, gmspro wrote:

 It's a pppoe connection.
 The ip address is changed almost every time i start the computer.
 Can i set up bind9 with this ip(not static/broadband ip address)?
 
 If it's possible then must i make/register a domain name to map that domain 
 name with that dynamic ip address?
 
 
 
 



Re: root and in-addr.arpa zone transfers

2009-09-11 Thread Rich Goodson
Slaving root is certainly not something I would recommend to everyone.  
In fact, I don't even use it on all of our name servers. I was just  
answering the question regarding how one would go about doing  
something rather than why or why not to do it.


Here is why I do it and why I'm fairly comfortable with it.
We have 6 geographically separated servers that are only used for  
recursive resolution for residential customers.  90% of the traffic to  
those boxes (about 30k queries per second, per machine, during peak  
hours) is crap.  Having a locally slaved root zone cuts down on the  
amount of crap we in turn forward out to the world (especially to the  
root servers).  Being able to answer (reject, in a way) these queries  
locally also helps save CPU cycles on boxes that run at around 75% of  
CPU capacity.


These are also boxes that are heavily monitored and that I am logged  
in to every day.


Insofar as extra load on the root servers is concerned, I think I am  
using far less root server resources by doing a few TCP connections  
that help me avoid sending tons of crap to them via UDP.


Like I said earlier.  Not something I would recommend for everyone,  
but it seems to work well for what I use it for.


-rich

On Sep 10, 2009, at 8:16 PM, Joseph S D Yao wrote:


On Thu, Sep 10, 2009 at 11:27:27AM +0200, Michael Monnerie wrote:

On Mittwoch 09 September 2009 Rich Goodson wrote:

zone . {
zone arpa {
zone in-addr.arpa {


Thank you Rich, and the others. Can anyone confirm that this is the way
to do? Or should I stay with ftp updates from the websites? Is there an
officially supported or recommended way to do this or that?



RFC 2870, Root Name Server Operational Requirements, says:

  2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
  queries from clients other than other root servers.  This
  restriction is intended to, among other things, prevent
  unnecessary load on the root servers as advice has been heard
  such as To avoid having a corruptible cache, make your server a
  stealth secondary for the root zone.  The root servers MAY put
  the root zone up for ftp or other access on one or more less
  critical servers.

You may take from that what you will.  It sounds like discouragement to
me.

However, as M. Bortzmeyer has said, why do this?  I was doing it on a
smaller internet, and came back to find that transfers for . had been
turned off [but not in-addr.arpa [???]], and lookups were slowed down
because they were looking at our local root first.  (It fixed itself
by magic when I complained, but nobody else had thought to do that.)


--
Joe Yao  j...@tux.org - Joseph S. D. Yao





Re: my DNS not resolving

2009-01-29 Thread Rich Goodson

$ whois jatec.us
--snip--
Domain Status:   inactive
Name Server: ICEMAN.JATEC.US
--snip--
Domain Registration Date:    Fri Oct 03 21:05:39 GMT 2008
Domain Expiration Date:      Fri Oct 02 23:59:59 GMT 2009
Domain Last Updated Date:    Sun Nov 23 06:34:22 GMT 2008

--snip--

Check with your registrar.  Your domain has not expired, but some  
registrars will set your domain to inactive status if you don't have  
at least two name servers listed.


-rich

On Jan 29, 2009, at 12:49 PM, S. Jeff Cold wrote:


BIND List,

I have a server running OpenSuse 11.1 with BIND 9.5.0P2-18.1.   
This server has a dedicated IP address from my ISP.  I want this  
server to resolve my registered domain jatec.us.  The server has  
internet connectivity.  If I dig jatec.us, I get:


--begin paste--

iceman:/home/coldje # dig jatec.us

; <<>> DiG 9.5.0-P2 <<>> jatec.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2074
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;jatec.us.  IN  A

;; AUTHORITY SECTION:
us. 900 IN  SOA a.gtld.biz. hostmaster.neustar.biz. 2003490240 900 900 604800 86400


;; Query time: 28 msec
;; SERVER: 205.171.3.65#53(205.171.3.65)
;; WHEN: Thu Jan 29 11:44:18 2009
;; MSG SIZE  rcvd: 91
--end paste--


I don't think there's a problem with my zone files or my named.conf  
file.  As the domain registrar, my ISP has a place for me
to put the IP address for my server with the domain, but that's  
it.This URL works http://166.70.208.147/moodle/ , but
http://www.jatec.us/moodle does not work.  How can I get this to  
resolve?


Jeff

S. Jeff Cold, Associate Professor
IST Dept., MS-181
Utah Valley University
800 W. University Pkwy.
Orem, UT 84058-5999

(801) 863-8851 - office
(801) 863-8522 - fax
(801) 494-4793 - cell



Re: rndc halt -p behavior

2009-01-23 Thread Rich Goodson
I wasn't talking about (or even really looking at, at the time) the  
output of rndc -help.  I was originally discussing the description in  
the Administrators Reference Manual for Bind 9.4.


  -rich

On Jan 23, 2009, at 1:45 AM, Doug Barton wrote:


Niall O'Reilly wrote:

On Wed, 2009-01-21 at 19:14 -0600, Jeremy C. Reed wrote:

Maybe we should just remove the immediately part.

Any suggestions would be appreciated.


If you're going to make a change, adding a little more
information wouldn't hurt, would it?


The output of 'rndc -h' is already quite lengthy, and there is an
80-column terminal limit to consider 

Doug





Re: rndc halt -p behavior

2009-01-21 Thread Rich Goodson


I think that the word immediately needs to stay, as that's what  
differentiates halt from stop.


The documentation in its current form seems to imply that named  
returns a signal to rndc as it's exiting.


Perhaps even a simple change such as:
If -p is specified named’s process id is returned when named begins  
its shutdown process. This gives an external process a way to  
determine when named had completed halting via the 'wait' shell built- 
in or some other method.


And here is where we realize why I don't make my living as a technical  
writer.


  -rich

On Jan 21, 2009, at 7:14 PM, Jeremy C. Reed wrote:

On Wed, 21 Jan 2009, Rich Goodson wrote:


And I'm expected to know this, how?  (incidentally, I added a 'wait'
statement to my script after I discovered this behavior).  This behavior
does not appear to be what the documentation describes, is all I'm
trying to say.


Just to clarify the documentation part:

Stop the server immediately.

Maybe we should just remove the immediately part.

Any suggestions would be appreciated.


Re: Assertion Failure

2009-01-15 Thread Rich Goodson
I had the same issue on one of my caching resolvers just yesterday for  
the first time.  This is one of the lowest utilized servers out of 6  
that are all on identical hardware and identical versions of BIND  
(9.4.3).


Jan 14 17:46:38 wdmdc-dns-dts2 named[1415]: [ID 873579 daemon.crit] name.c:1714: INSIST(nlabels == name->labels) failed
Jan 14 17:46:38 wdmdc-dns-dts2 named[1415]: [ID 873579 daemon.crit] exiting (due to assertion failure)


One thing I CAN tell you, however, is that I was testing a script on  
this box earlier in the day and ran

rndc -cache dumpdb
probably around a dozen times during the two hours I was testing the  
script.  This would have been between 3 and 5pm that I was doing my  
testing and the named process died at 5:46, as you can see from the  
log entries.


  -rich

On Jan 14, 2009, at 2:35 PM, JINMEI Tatuya / 神明達哉 wrote:


At Wed, 14 Jan 2009 09:16:53 -0600,
Timothy Holtzen t...@nebrwesleyan.edu wrote:

Last night one of our name servers stopped unexpectedly.  Looking in the
logs I found the following messages.

Jan 13 20:15:01 foo named[29625]: statschannel.c:696: INSIST(xmlrc >= 0) failed
Jan 13 20:15:01 foo named[29625]: exiting (due to assertion failure)

Anyone have any idea why this would happen or how I can keep it from
happening again?  I notice that the failure is happening in


This assertion failure was triggered due to a failure of
xmlTextWriterEndElement().  In the current we naively assume this
library call always succeed, which is, of course, a bad practice.
We'll eventually have to update the code to catch the error and
recover from it.

On the other hand, this call should normally succeed, especially in
the way we use it.  One of few possible causes of failure I can think
of is a memory allocation failure occurring in the libxml2 library.
So, I suggest you check memory footprint of your named process.  If it
consumes much of available memory, one possible workaround is to
suppress the memory usage, e.g., by adjusting max-cache-size.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


