Re: [question] new bind option max-recursion-depth

2014-12-17 Thread Techs_Maru
Hi,
Thank you for politely replying to me.

2014-12-17 15:16 GMT+09:00 Evan Hunt e...@isc.org:
 On Wed, Dec 17, 2014 at 01:30:35PM +0900, Techs_Maru wrote:
 However,
 is the default value of 7 a value that was created based on
 real-world data?
 (Also for the default value of max-recursion-queries, 50.)

 I haven't personally seen any real world queries go more than 4
 levels deep, but I wouldn't be surprised if there were domains
 out there that do.  7 seemed like a safe upper limit.

 The default max-recursion-queries value of 50, we got by testing with a
 sample of real-world resolver traffic.  It turns out it isn't quite right,
 though.  A limit of 50 works fine with a populated cache (which is
 how we were testing it), but if the server is just starting up and the
 nameservers for .com and .org and .net and so on aren't in cache yet,
 then it *can* take more than 50 queries to resolve a name.  (This turns
 out to be especially true on 9.10, due to changes in EDNS processing
 that affect how much NS glue we get from servers in the early stages of
 populating the cache.)  We'll be making some adjustments in upcoming
 maintenance releases to allow for this.

 I want to know the recommended settings for everyone to values.

 I'd leave the defaults alone on BIND 9.9.  On 9.10, I might consider
 increasing max-recursion-queries to 100, but be prepared to back the
 change out when updating to the next release.  Or leave the defaults
 alone but be prepared for the possibility of some SERVFAIL responses in
 the first few minutes after server startup.

Sorry, lack of knowledge:
is the query flow different between 9.10.x and 9.9.x?

By the way,
is the value okay without changing even in the case of dual-stack name servers?

regards.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: [question] new bind option max-recursion-depth

2014-12-16 Thread Techs_Maru
Hi, Evan,

Thank you for replying.

I was able to understand;
I will try the setting on test servers.
Thanks.

However,
is the default value of 7 a value that was created based on
real-world data?
(Also for the default value of max-recursion-queries, 50.)

I want to know everyone's recommended setting values.

regards.

 Maru

2014-12-16 15:34 GMT+09:00 Evan Hunt e...@isc.org:
 On Tue, Dec 16, 2014 at 11:13:17AM +0900, Techs_Maru wrote:
 But for max-recursion-depth,
 I tried it, but it did not become a SERVFAIL.
 The meaning of "indirections" is described in the document; does it mean
 the case where the authoritative server does not directly return the
 IP address, such as NS and CNAME?
 Is the default 7 the number of times that those are followed?

 Suppose a zone is served by name servers in another zone:

 example.com. IN NS ns1.example.org.
 example.com. IN NS ns2.example.org.

 So named has to look up ns1.example.org to find that name server.
 That adds a layer of recursion depth.  Now, if example.org is served
 out of yet another zone:

 example.org. IN NS ns1.example.net.
 example.org. IN NS ns2.example.net.

 ...that adds another layer.  Named will give up after 7 such
 indirections.

 --
 Evan Hunt -- e...@isc.org
 Internet Systems Consortium, Inc.
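Evan's two-hop example above, modelled as an added Python example (not code from the thread or from BIND itself): it counts out-of-zone NS indirections the way the ARM text describes max-recursion-depth and reports when a chain would exceed the default of 7. The delegation tables are constructed, and `zone_of` is a simplifying assumption of this model rather than anything named does.

```python
MAX_RECURSION_DEPTH = 7   # named's default, as quoted from the ARM in this thread

# Constructed delegation table: zone -> NS host names serving it.
DELEGATIONS = {
    "example.com.": ["ns1.example.org.", "ns2.example.org."],
    "example.org.": ["ns1.example.net.", "ns2.example.net."],
    "example.net.": ["a.example.net."],   # in-bailiwick: glue, no extra level
}

def zone_of(host):
    """Assumed rule for this model: a host lives in the zone named by its parent labels."""
    return host.split(".", 1)[1]

def indirection_depth(zone, delegations, limit=MAX_RECURSION_DEPTH):
    """Count the out-of-zone NS lookups needed before a server for `zone` can be reached.
    Raises RuntimeError (standing in for SERVFAIL) once the count exceeds `limit`
    or the delegations loop back on themselves."""
    depth, current, seen = 0, zone, set()
    while True:
        if current in seen:
            raise RuntimeError(f"delegation loop at {current}")
        seen.add(current)
        nameservers = delegations.get(current)
        if not nameservers or zone_of(nameservers[0]) == current:
            return depth          # server address available directly (hints or glue)
        depth += 1                # one more name must be resolved first
        if depth > limit:
            raise RuntimeError(f"max-recursion-depth {limit} exceeded for {zone}")
        current = zone_of(nameservers[0])

def would_servfail(zone, delegations, limit=MAX_RECURSION_DEPTH):
    """True if, under this model, the resolver would give up on `zone`."""
    try:
        indirection_depth(zone, delegations, limit)
        return False
    except RuntimeError:
        return True

def build_chain(n):
    """Constructed chain z0.test. -> z1.test. -> ... -> zn.test., n out-of-zone hops."""
    table = {f"z{i}.test.": [f"ns.z{i + 1}.test."] for i in range(n)}
    table[f"z{n}.test."] = [f"ns.z{n}.test."]   # last zone has in-zone glue
    return table
```

A chain of exactly 7 hops is still resolved; the 8th hop trips the limit, which is the "exceeds this value" wording from the ARM excerpt.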


[question] new bind option max-recursion-depth

2014-12-15 Thread Techs_Maru
Hi, Bind-user folks,

I have a question about the new BIND option max-recursion-depth from
vulnerability CVE-2014-8500;
I do not know the meaning of this option.

I read the ARM documents.
The BIND version I use is 9.9.6-P1.
--

max-recursion-depth Sets the maximum number of levels of recursion
that are permitted at any one time while servicing a recursive query.
Resolving a name may require looking up a name server address, which
in turn requires resolving another name, etc; if the number of
indirections exceeds this value, the recursive query is terminated and
returns SERVFAIL. The default is 7.

max-recursion-queries Sets the maximum number of iterative queries
that may be sent while servicing a recursive query. If more queries
are sent, the recursive query is terminated and returns SERVFAIL.
The default is 50.

--

Probably the meaning of max-recursion-queries is the maximum number of
iterative query attempts from cache servers,
and also, with this configuration option, it could be confirmed that the
result on test servers is SERVFAIL.

But for max-recursion-depth,
I tried it, but it did not become a SERVFAIL.
The meaning of "indirections" is described in the document; does it mean
the case where the authoritative server does not directly return the
IP address, such as NS and CNAME?
Is the default 7 the number of times that those are followed?

Please tell me; I think it's my lack of knowledge.
I want to know if there is a recommended setting value from everyone.

regards.


Re: Split DNS(view configuration)

2014-05-20 Thread Techs_Maru
2014-05-20 1:26 GMT+09:00 Tony Finch d...@dotat.at:

 I think it is better to use named's built-in root hints, so you don't need
 to explicitly configure this.

Thank you for your advice.

 You must not share slave zone files between zones.

  };
  };

  The content of the internal view is not updated even if the record is updated.
  I want to let both views reflect an updated record by zone transfer.

 Use a different TSIG key for each view in the slave. Include each key in
 the match-clients clause of each view. Include both keys in the
 also-notify clause on the master.

The master server side cannot be touched under this assumption.
For instance, it is assumed that I am a secondary server carrier.

What I wanted to do can be solved by forwarding the zone locally:
a method of sending notify to the other view when the source of the zone
transfer origin is confirmed with match-clients, and either view receives the zone.
However, I do not understand how to configure it.


Re: Split DNS(view configuration)

2014-05-20 Thread Techs_Maru
2014-05-20 20:46 GMT+09:00 Tony Finch d...@dotat.at:

 There are two options:

 You can have one view that slaves the zone from the master, and the other
 view slaves the zone from the first view.

 Or you can have an authoritative view that slaves the zone from the
 master, and a recursive view that has static-stub clauses to send
 queries to the first zone. (But beware, there are bugs in older versions
 of BIND if your zones are DNSSEC signed.)

 view "internal" {
     match-clients { XXX.XXX.XXX.XXX; };
     match-recursive-only yes;
     recursion yes;
     zone "hoge.com" {
         type static-stub;
         server-addresses { 127.0.0.1; };
     };
 };

Thank you. With this setting, I seem to be able to do what I want.
This option exists from 9.8.0.

I will try it a little. Thank you.

---
maru


Split DNS(view configuration)

2014-05-19 Thread Techs_Maru
Hi,

I have a question about using Split DNS (view configuration).
In the case of a structure such as the following,
---

---
the zone is forwarded only to view internal because it matches
internal.
I want to forward hoge.zone of BIND1 to both hoge.zone of the view
configuration of BIND2.
Are there any methods?

---
maru

Re: Split DNS(view configuration)

2014-05-19 Thread Techs_Maru
Thank you for your reply.
I am sorry that I cannot explain it well.


is the master (example IP: AAA.AAA.AAA.AAA) config.

zone "hoge.com" IN {
    type master;
    file "hoge.zone";
    notify yes;
    also-notify { BBB.BBB.BBB.BBB; };
    allow-transfer { BBB.BBB.BBB.BBB; };
};



is the slave (example IP: BBB.BBB.BBB.BBB) config.

view "internal" {
    match-clients { XXX.XXX.XXX.XXX; };
    recursion yes;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "hoge.com" IN {
        type slave;
        masters { AAA.AAA.AAA.AAA; };
        file "hoge.zone_slave";
    };
};

view "external" {
    match-clients { YYY.YYY.YYY.YYY; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    recursion no;

    zone "hoge.com" IN {
        type slave;
        masters { AAA.AAA.AAA.AAA; };
        // same slave file path as in view "internal"
        file "hoge.zone_slave";
    };
};

The record is changed by this setting.

Before changing the record:
www   IN   A  192.168.1.1


After changing the record:
www   IN   A  10.10.10.10


The zone of hoge.zone is updated with the mastering server.
(rndc reload hoge.com)


** master bind log
 general: info: received control channel command 'reload hoge.com'
 general: info: zone hoge.com/IN: loaded serial 2014051901
 notify: info: zone hoge.com/IN: sending notifies (serial 2014051901)
 xfer-out: info: client BBB.BBB.BBB.BBB#47180 (hoge.com): transfer of 'hoge.com/IN': AXFR-style IXFR started
 xfer-out: info: client BBB.BBB.BBB.BBB#47180 (hoge.com): transfer of 'hoge.com/IN': AXFR-style IXFR ended


** slave bind log
 notify: info: client AAA.AAA.AAA.AAA#4333: view external: received notify for zone 'hoge.com'
 general: info: zone hoge.com/IN/external: Transfer started.
 xfer-in: info: transfer of 'hoge.com/IN/external' from AAA.AAA.AAA.AAA#53: connected using BBB.BBB.BBB.BBB#57103
 general: info: zone hoge.com/IN/external: transferred serial 2014051901
 xfer-in: info: transfer of 'hoge.com/IN/external' from AAA.AAA.AAA.AAA#53: Transfer completed: 1 messages, 20 records, 448 bytes, 0.031 secs (14451 bytes/sec)
 notify: info: zone hoge.com/IN/external: sending notifies (serial 2014051901)



** dig checks
From source XXX.XXX.XXX.XXX

dig @BBB.BBB.BBB.BBB www.hoge.com +short
192.168.1.1

From source YYY.YYY.YYY.YYY
dig @BBB.BBB.BBB.BBB www.hoge.com +short
10.10.10.10

The content of the internal view is not updated even if the record is updated.
I want to let both views reflect an updated record by zone transfer.

It is reflected when reload is executed on the slave; can it be reflected
even if reload is not done?



2014-05-19 22:52 GMT+09:00 Tony Finch d...@dotat.at:

 Techs_Maru tec...@gmail.com wrote:

   The zone is forwarded only to view internal because it matches
   internal.
   I want to forward hoge.zone of BIND1 to both hoge.zone of the view
   configuration of BIND2.

 I am not sure if I understand exactly what you want. A common way to
 choose what view to use is with TSIG keys - see for example

 http://blog.hudecof.net/posts/2014/02/07/bind9-with-views-and-tsig-axfr.html

 This works for slaved zones but not for forwarding.

 Tony.
 --
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 Northwest Shannon, Rockall, Malin, Southwest Hebrides: Northeasterly 4 or 5
 increasing 5 to 7, perhaps gale 8 later except in southeast Malin.
 Moderate or
 rough, becoming rough or very rough in Rockall and northwest Shannon. Rain
 or
 thundery showers. Good, occasionally poor.

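As an added example (not from the thread or from BIND itself), a small lint for the shared-file problem Tony Finch points out above ("You must not share slave zone files between zones"): it scans a named.conf fragment and reports zone files used by more than one master/slave zone across views, while hint files are ignored. The sample config and its RFC 5737 addresses are constructed, and the tokenizer is deliberately minimal, enough for the view/zone layout posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slave config posted in this thread; addresses are RFC 5737 test nets.
SAMPLE_CONF = '''
view "internal" {
    match-clients { 192.0.2.0/24; };
    zone "." IN { type hint; file "named.ca"; };
    zone "hoge.com" IN { type slave; masters { 198.51.100.1; }; file "hoge.zone_slave"; };
};
view "external" {
    match-clients { 203.0.113.0/24; };
    zone "." IN { type hint; file "named.ca"; };
    zone "hoge.com" IN { type slave; masters { 198.51.100.1; }; file "hoge.zone_slave"; };
};
'''

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')  # quoted string, brace/semicolon, or bare word

def zone_records(conf):
    """Return one dict per zone block: enclosing view, zone name, type and file."""
    tokens = TOKEN.findall(conf)
    records, stack, pending, view = [], [], None, ""   # stack: one entry per open '{'
    for i, tok in enumerate(tokens):
        if tok in ("view", "zone") and i + 1 < len(tokens):
            pending = (tok, tokens[i + 1].strip('"'))   # name of the block about to open
        elif tok == "{":
            stack.append(pending)                        # None for masters { }, etc.
            if pending and pending[0] == "view":
                view = pending[1]
            elif pending and pending[0] == "zone":
                records.append({"view": view, "zone": pending[1], "type": "", "file": ""})
            pending = None
        elif tok == "}":
            stack.pop()
            if not any(s and s[0] == "view" for s in stack):
                view = ""                                 # left the view block
        elif tok in ("type", "file") and i + 1 < len(tokens) \
                and any(s and s[0] == "zone" for s in stack):
            records[-1][tok] = tokens[i + 1].strip('"')  # belongs to innermost open zone
    return records

def shared_zone_files(conf):
    """Map each file written by more than one master/slave zone to its 'view/zone' users."""
    users = defaultdict(list)
    for rec in zone_records(conf):
        if rec["type"] in ("master", "slave") and rec["file"]:
            users[rec["file"]].append(f'{rec["view"]}/{rec["zone"]}')
    return {path: names for path, names in users.items() if len(names) > 1}
```

Running `shared_zone_files(SAMPLE_CONF)` on the sample flags hoge.zone_slave for both views and says nothing about named.ca, which is only read.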