Using inline-signing, need to allow dynamic updates.
Right now we have our external view for adi.com set up to use inline-signing with the following entries in our named.conf file; inline-signing yes; key-directory "dnssec"; auto-dnssec maintain; I now need to allow dynamic updates to support letsencrypt which needs to add txt records when the certificate is renewed. Can I just add allow-update { key keyname-here; }; Or do I need to change the above configuration in some way? Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-9.11.0-P2 on Debian 9.0 (stretch)
> Just wonder if there is some agreed guidance on what steps I SHOULD take = > to get bind-9.11.0-P2 successfully build on Debian 9.0? > > > /usr/bin/ld: //lib64/libcrypto.a(a_object.o): > relocation R_X86_64_PC32 against symbol `ASN1_OBJECT_free' > can not be used when making a shared object; > recompile with -fPIC It looks like openssl was not built to create shared libraries. So bind built against your self compiled openssl can not create shared libraries. Either rebuild openssl to create shared libraries or change binds configure to remove --enable-shared, possibly adding --disable-shared. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Comments on Root Key Rollover impact on BIND users
In the following I ment to say 'dnssec-validation' instead of 'dnssec-enable'. > > https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bin > > d-users/ > > > > Towards the end of the blog, there is a short list of possible corner > > cases that could trip people up during the rollover. If > > you folks can think of others, please do share them. > > I found a case where the documentation is not clear (at least to me). > > I found that I had 'dnssec-enable yes' along with a managed-keys > statement with an initial-key. If I change to 'dnssec-enable auto' > do I still need a managed-keys statement? If not will it hurt to have > one? Can I have a managed-keys statement without an initial-key? Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Comments on Root Key Rollover impact on BIND users
> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bin > d-users/ > > Towards the end of the blog, there is a short list of possible corner > cases that could trip people up during the rollover. If > you folks can think of others, please do share them. I found a case where the documentation is not clear (at least to me). I found that I had 'dnssec-enable yes' along with a managed-keys statement with an initial-key. If I change to 'dnssec-enable auto' do I still need a managed-keys statement? If not will it hurt to have one? Can I have a managed-keys statement without an initial-key? Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL
> In message >
Re: resolution problem
colostate.edu. 172800 IN NS dns1.colostate.edu. colostate.edu. 172800 IN NS dns3.colostate.edu. ;; Received 119 bytes from 192.41.162.30#53(l.edu-servers.net) in 78 ms www.cloudsat.cira.colostate.edu. 3600 IN CNAME dpc.cira.colostate.edu. dpc.cira.colostate.edu. 3600IN A 129.82.109.62 ;; Received 83 bytes from 129.82.103.121#53(dns1.colostate.edu) in 36 ms > >>In article, >> Matus UHLAR - fantomas wrote: >>> often a problem of invalid NS delegation, or bad TTL (A record for a server >>> expires before NS record). > > On 19.05.16 15:31, Sam Wilson wrote: >>Glue A records for the nameservers have 172800 TTL, authoritative A >>records have 1200. > > that's it! > > ;; ANSWER SECTION: > colostate.edu. 3600IN NS dns3.colostate.edu. > colostate.edu. 3600IN NS dns1.colostate.edu. > > ;; ADDITIONAL SECTION: > dns3.colostate.edu. 1200IN A 129.82.103.111 > dns1.colostate.edu. 1200IN A 129.82.103.121 > > after 1200 seconds, the A records expire, but the NS records don't. > > Next 2400 seconds you know that you have to ask dns3.colostate.edu and > dns1.colostate.edu, but you can't find their IPs, because ... you don't > know their IPs. > > while some DNS servers can cope with that, it's still broken setup. Our server here running BIND 9.10.3-P4 seems to handle it OK. Do some versions of Bind work with this broken setup while other versions do not? I wonder what versions of Bind are running on the two servers that do work and what versions on the two that do not. > -- > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > I feel like I'm diagonally parked in a parallel universe. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Multiple A records and reverse DNS
> > That is mostly how I thought it worked. What I had in mind more > > specifically was: > > > > adi.com zone: > > mackerel.adi.com. IN A 75.100.245.141 > > mackerel.adi.com. IN A 96.85.104.76 > > > > reverse zones: > > 141.245.100.75.in-addr.arpa. IN PTR mackerel.adi.com > > 76.104.85.96.in-addr.arpa.(not yet set up) > > OK, suppose you then set up > > 76.104.85.96.in-addr.arpa. IN PTR mackerel.adi.com. > > That may not play well with all the SMTP servers you wish to send to, > due to subtle implementation variations. > > > But receiving mail on both was more work than I had expected, so I am > > not going to set that up. > > Many sites have separate incoming and outbound SMTP servers. There is > no reason to name them the same, especially not when you plan to > implement them on separate IP addresses/ranges. > > The important thing is that the A and PTR records agree. That is most > simply done by using a single A record for each name, and a single PTR > record for each IP. Thanks to everyone for all the information. This was all to be temporary while switching from one ISP to another. The new ISP has to set up the pointer records, hopefully delegating to our server. They are taking a long time getting back to us on what they can do. Fortunately we will still have service with our old ISP for quite awhile. I just thought that receiving email from both addresses would make the timing of the final switch over less critical. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Multiple A records and reverse DNS
This is not a BIND question but I hope people here will know the answer. We are switching service providers and I understand that many email SPAM prevention systems insist on the reverse DNS matching the forward DNS. If I have two A records for our mail server and the reverse record matches one of them, will that be good enough. Or will the fact that the other A record does not match cause trouble. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Multiple A records and reverse DNS
> Am 17.03.2016 um 14:53 schrieb Thomas Schulz: >> This is not a BIND question but I hope people here will know the answer >> We are switching service providers and I understand that many email >> SPAM prevention systems insist on the reverse DNS matching the forward >> DNS. If I have two A records for our mail server and the reverse record >> matches one of them, will that be good enough. Or will the fact that >> the other A record does not match cause trouble > > when you have two A-recods then you have two IP's > each of them should have a PTR with *only* the name of the A-record > and in a good setup "smtp_helo_name" matchs too Thanks to everyone for their answers. In switching service providers we have arranged for both providers to be active at the same time for a few weeks. The old provider has reverse DNS set up but the new provider does not yet have that set up. I was thinking of allowing incomming email from both by having two A records but alowing outgoing email only through the old provider that has the working reverse DNS. When the new provider also has reverse DNS set up then I can switch outgoing email and close down the old connection. I turns out that it is harder than I thought to allow incomming connections from both providers at the same time, so I may not do that after all. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Changing records with inline-signing
We currently have adi.com signed using options: inline-signing yes; auto-dnssec maintain; If I change an A record or add a new A record, will the signing be automatically updated or do I have to do an rndc sign zone? Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
ZSK rollover detail needed.
A recommended way to set up a ZSK rollover is to set the inactive date of the current key one month later than the publish date of the replacement key. This makes sense as the RRSIG records are created to last one month from their creation date. Now if I try to speed up the ZSK rollover to make the old ZSK inactive a few days after the replacement key is created (and make the replacement key active at that time), will Bind start makeing new RRSIG records at that time even though the current RRSIG records may have weeks to go. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
com.google how did they do that
As of the time I am sending this, you can point your browser to http://com.google and get a web page. How did they get com.google to resolve? Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Sudden large increase in process size, machine hang
This last week we had a sudden large increase in the size of the named process resulting in the machine running out of memory and hanging. This is with bind 9.9.6 on a Solaris 10 Sparc machine. I have posted in the past about a steady continuous growth in the size of the named process. The Subjects for those posts are: failed: out of memory Process size versus cache size. bind-9.10.0-P2 memory leak? (I hijacked someone else's thread) I have also filed a bug report about this continuous growth. The following measurements show the steady continuous growth over a little more than a month. Thu Oct 16 14:01:42 EDT 2014 46014 Thu Oct 16 14:04:50 EDT 2014 99835 Thu Oct 23 20:06:01 EDT 2014317071 Thu Oct 30 09:31:31 EST 2014426647 Thu Nov 6 20:06:01 EST 2014532291 Thu Nov 13 11:00:46 EST 2014618143 Thu Nov 20 20:06:00 EST 2014701472 But then last week the following happened. Wed Nov 26 08:06:00 EST 2014758702 Wed Nov 26 20:06:00 EST 2014 2099961 Thu Nov 27 08:06:01 EST 2014 3416580 Thu Nov 27 20:06:00 EST 2014 4618297 Fri Nov 28 08:06:00 EST 2014 5733163 Fri Nov 28 20:06:01 EST 2014 6801203 Sat Nov 29 08:06:52 EST 2014 No output from the ps command. We were closed for thanksgiving when this happened. The only recursive queries would have been for email processing by Sendmail. Monday morning we had to reboot the machine by powering it down and back up. The logs did not show any unusual messages from the named process. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Dumping the statistics channel
I have been asked to dump the statistics to help document a suspected memory leak in named. When I look at the statistics with Firefox, I see a nicely formatted set of statistics. If I then dump the statistics to a file with wget and then use Firefox to view the file, I see data but there is no formatting and the output seems to be unreadable. So, is this file what I should send to isc.org? Should I be using some options to wget to get a file that displays nicely in Firefox? I have also tried to use Firefox's 'Save Page As' option to dump the statistics, but that resulted in the same saved file as I got with wget. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-9.10.0-P2 memory leak?
On Mon, 13 Oct 2014, Thomas Schulz wrote: I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views. The inital process size was 36 MB. The process grew to 184 MB. It grew to 596 MB without the max-cache-size being set and was still growing when I restarted it. BUT when I now do an rndc dumpdb -cache, the named_dump.db file contains only the line ; Dump complete and nothing else. So, if you put any limit on the cache size, you will end up with an empty cache. I do believe that there is a bug that needs to be fixed. I wasn't able to reproduce this with 9.9.6 (or a recent master). Can you please send your configuration (like named-checkconf -px) to bind9-bugs AT isc.org? Thank you. I sent the configuration, hopefully in a usable format. Note that my concern is not specifically with the cache. I was investigating the cache as a possable cause of the unlimited growth in memory usage that I am seeing. The various experiments that I have done seem to point to the cache as the cause of the problem. See also the posts with the subject 'Process size versus cache size'. To the originator of this thread. Sorry if I have hijacked your thread. It is possible that the problem you are seeing has a different cause than the problem I am seeing. Perhaps you should also send in a report to bind9-bugs AT isc.org. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Inline-signing feature request: Directly set the signed zone's serial number
Hi, After reinitialising the inline-signing process (for example by removing the journal files or redeploying the master server) the freshly signed zone's serial number will usually be behind the authoritative version on the slaves causing transfers to fail possibly leading to expired signatures, zone expiry, etc. If you redeploy the master server, couldn't you just copy the journal files over from the old server? And, the rest of the time, never remove journal files. Currently, bumping the serial number of the unsigned zones to exceed that of the slaves is required, however it would be /convenient/ to have a one-shot method (perhaps via rndc) for specifying the signed zone serial number such that this doesn't require edits to the unsigned zone files. This is especially useful in bootstrapping scenarios where the zone data is held under strict revision control or generated by some provisioning system that owns the serial number. Am I on my own with this or would others find this useful? Thanks, Terry Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-9.10.0-P2 memory leak?
... Heh thanks, yeah...initially I was erring on the side of caution and using 9.9.x because it's served us well (~20k recursive clients without any significant problems). Meanwhile we've been keeping a close eye on community comments, and to be honest opinions wax and wane. Just as I think it's stabilized, someone else complains. I suppose sticking to 9.9.x a bit longer is wise. That said, based on the 9.10.1 fixes, we will run it through our own perf tests for comparison. Upgrades are automated and easy, but I'd obviously like to go live with the latest version unless there is a strong technical reason otherwise. FYI, 9.9 is the current Extended Support Version (ESV). If you're looking for a version of BIND with a long period of maintenance, there will be ongoing 9.9.x, 9.9.x+1 etc. releases and interim patches if needed. http://www.isc.org/downloads/software-support-policy/ I mentioned this earlier, but I have been seeing the very large increases in process size with Bind 9.9.5-P1 and 9.9.6b1. I have just installed 9.10.1rc2 on one of our secondary name servers. In time I will be able to see if 9.10.1rc2 shows a bigger increase in process size than 9.9.5-P1 did. I have restarted 9.9.6b1 with max-cache-size 30M on our primary server. Both experiments will take some time before I can tell what is happening. For those seeing this problem on bind 9.10.1, did you upgrade from 9.9.6 or from an earlier version of bind 9.9.*? As mentioned above, I am seeing this problem on 9.9.6. I do not find bind 9.10.1 growing any faster than 9.9.6 does. I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views. The inital process size was 36 MB. The process grew to 184 MB. It grew to 596 MB without the max-cache-size being set and was still growing when I restarted it. BUT when I now do an rndc dumpdb -cache, the named_dump.db file contains only the line ; Dump complete and nothing else. So, if you put any limit on the cache size, you will end up with an empty cache. I do believe that there is a bug that needs to be fixed. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-9.10.0-P2 memory leak?
... Heh thanks, yeah...initially I was erring on the side of caution and using 9.9.x because it's served us well (~20k recursive clients without any significant problems). Meanwhile we've been keeping a close eye on community comments, and to be honest opinions wax and wane. Just as I think it's stabilized, someone else complains. I suppose sticking to 9.9.x a bit longer is wise. That said, based on the 9.10.1 fixes, we will run it through our own perf tests for comparison. Upgrades are automated and easy, but I'd obviously like to go live with the latest version unless there is a strong technical reason otherwise. FYI, 9.9 is the current Extended Support Version (ESV). If you're looking for a version of BIND with a long period of maintenance, there will be ongoing 9.9.x, 9.9.x+1 etc. releases and interim patches if needed. http://www.isc.org/downloads/software-support-policy/ I mentioned this earlier, but I have been seeing the very large increases in process size with Bind 9.9.5-P1 and 9.9.6b1. I have just installed 9.10.1rc2 on one of our secondary name servers. In time I will be able to see if 9.10.1rc2 shows a bigger increase in process size than 9.9.5-P1 did. I have restarted 9.9.6b1 with max-cache-size 30M on our primary server. Both experiments will take some time before I can tell what is happening. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-9.10.0-P2 memory leak?
Mike Hoskins wrote: Do you guys have max-cache-size set? I didn't see it in the borderworlds named.conf. I've seen similar growth problems when testing 9.x before setting that (experiment at the time just to see what would happen, and confirmed this behavior). Set sensible resource limits based on available resources. I am going to see what happens with max-cache-size set, but I am convinced that there is a bug in bind. My named has been running for 7.5 weeks now and has been steadily growing in size except for a 1.5 week pause after I did an rndc flush. The process size started out at 36 MB and is now up to 584 MB. But when I do an rndc dumpdb -cache I get a file that is only 5 MB in size. Given the automatic cache cleaning, named should stabilize in size in less than 7.5 weeks. -Original Message- From: Vin?cius Ferr?o fer...@if.ufrj.br Date: Tuesday, September 9, 2014 at 10:17 AM To: Thomas Schulz sch...@adi.com Cc: bind-us...@isc.org bind-us...@isc.org Subject: Re: bind-9.10.0-P2 memory leak? I'm having the exactly same issue. Take a look at my post @ServerFault: http://serverfault.com/questions/616752/bind-9-10-constantly-killed-on-fre ebsd-10-0-with-out-of-swap-space Sent from my iPhone On 09/09/2014, at 11:15, Thomas Schulz sch...@adi.com wrote: Hello I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and after a while one of them ended up using all its swap and the named process got killed. The other servers are seeing similar behaviour, but I restarted named on all of them to postpone further crashes. I am using rate-limiting as well DLZ with PostgreSQL. The server has two views. The operating system is FreeBSD 8.4. My configuration: http://borderworlds.dk/~xi/named-leak/named.conf Log of the memory usage: http://borderworlds.dk/~xi/named-leak/named-mem-usage.log As you can see, in less than a week, named has grown more than 900MB in size. Is anyone else experiencing something similar? If I need to provide more information, I will be happy to do so. -- Christian Laursen What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6 grow without any evidence that it will ever stop. See my mail to this list with the subject Re: Process size versus cache size. Mine is growing slower than yours, but it is now up to 548 MB. Tom Schulz Applied Dynamics Intl. sch...@adi.com Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-9.10.0-P2 memory leak?
Can you copy and paste the out of memory error you are seeing? Is it still growing? Does it appear to work? I see your other thread answers some. https://lists.isc.org/pipermail/bind-users/2014-July/093618.html Unfortunately the logs containing the out of memory errors have been purged. Those errors have not reoccurred with the 64 bit named. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: A record of domain name must be name server ?
On 9/11/2014 11:51 AM, Mark Elkins wrote: On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote: Mark, Depending on implementation, a PTR RRset with multiple records either -- only ever gets answered with the first record of the set (in which case the second and subsequent records of the set are just a waste of space), or -- answers in a random, cyclic and/or round-robin fashion (in which case, the results are non-deterministic from the standpoint of a client, and this can cause problems and/or confusion) Last time I checked, ALL matching records are returned as a single Resource Record Set - (and in the case of DNSSEC - covered with a single signature). What the receiver does with it is up to that receiver... as you say - some of the information may be discarded. If the invoker is using the classic gethostbyaddr() interface, then it'll only see the RDATA from the first PTR RR, where first is determined by the local nameserver implementation and/or the local Operating System interface for name resolution. So, although the standards allow multiple RRs, in practical terms, it only makes sense for a PTR RRset to contain a *single* RR. I would still disagree. When there is forward--reverse checking, one may need the complete answer. I certainly have some processes that do an exhaustive check. Certainly if one gets down to the resolver-library level and grovels through all of the RRs in the Answer Section of the response packet, one could certainly care more than the typical reverse-resolving app/subsystem would. And any software that builds up certain heightened expectations is likely to complain if those expectations are not met. - Kevin On 9/11/2014 3:45 AM, Mark Elkins wrote: On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where does 48.113.0.203.in-addr.arpa point? Some people will point it at example.com, some will point it at www.example.com. What you get is a mish-mosh. No consistency. Although I prefer the use of a CNAME solution (CNAME www.example.com to example.com), in the case of separate A (and ) records, one could point the reverse to both names. Nothing wrong with a PTR record having more than one answer. There is then no inconsistency, just choice. After all, pretty much every NS record has at least two Right-Hand-Sides (Answers) If, on the other hand, www.example.com is a CNAME to example.com, then it's crystal clear where the reverse record will point -- example.com. There is no ambiguity or option for inconsistency. - Kevin On 9/10/2014 5:48 PM, Eliezer Croitoru wrote: Hey Kevin, This is not an issue at all. A PTR is different then a A record and can be used by two reverse domain names and only the owner of the IP addresses space can define them. I am not sure if two PTR records for two domains will be applied to one IP but it is possible for two IP addresses to have the same PTR. Can we even use a CNAME as a PTR??? Eliezer On 09/11/2014 12:37 AM, Kevin Darcy wrote: Also, have you considered the forward/reverse ambiguity that arises when multiple owner names resolve to the same address? To which of those names does the PTR point? - Kevin Well, this is certainly getting far away from an answer to the original qustion! Originally our web server was only available as www.adi.com. Later I noticed that a lot of sites were available without the www. So I decided to allow our web server to be available as adi.com. But I still consider www.adi.com to be the real name of the server. And I certainly can not alias adi.com to www.adi.com! Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: A record of domain name must be name server ?
Hi, xxx.com and IP address 192.168.1.100 is just a example domain name and IP address. Our boss want everybody access our domain example.com through browser, then it will redirect to our web site www.example.com. So I want to get more information about unexpected impact when we changed DNS records. Thanks for your help. Best Regards, Pete Fong Here is how I have things set up here. Our domain is adi.com. We have three name servers set up. Our web site can be accessed as both www.adi.com and adi.com. Here is what I have on our zone file: @ in ns bluegill.adi.com. in ns a.dns.tds.net. in ns seahorse.adi.com. bluegillin A 75.100.245.131 seahorsein A 75.100.245.134 www in A 75.100.245.133 @ in A 75.100.245.133 @ in mx 0 mackerel.adi.com. in mx 10 seahorse.adi.com. in mx 20 bluegill.adi.com. Note that address 75.100.245.133 is entered twice. The mx records are to get email to work correctly. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-9.10.0-P2 memory leak?
Hello I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and after a while one of them ended up using all its swap and the named process got killed. The other servers are seeing similar behaviour, but I restarted named on all of them to postpone further crashes. I am using rate-limiting as well DLZ with PostgreSQL. The server has two views. The operating system is FreeBSD 8.4. My configuration: http://borderworlds.dk/~xi/named-leak/named.conf Log of the memory usage: http://borderworlds.dk/~xi/named-leak/named-mem-usage.log As you can see, in less than a week, named has grown more than 900MB in size. Is anyone else experiencing something similar? If I need to provide more information, I will be happy to do so. -- Christian Laursen What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6 grow without any evidence that it will ever stop. See my mail to this list with the subject Re: Process size versus cache size. Mine is growing slower than yours, but it is now up to 548 MB. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Process size versus cache size.
On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote: In investigating an out of memory error on a Solaris 8 Sparc machine (compiled as a 32 bit executable), I find that the process size increase due to the cache does not make sense. Over about a week the process size had grown to 257 MB, up from an initial size of 36 MB. But when I dumped the cache with rndc dumpdb -cache, the resulting named_dump.db file was only 6 MB in size. Given the way the file is formatted, I would expect that the in memory version would be smaller than that. But when I did a 'rndc flush', the process stopped growing for about the same number of days that it took to reach 257 MB. That indicates that the increase in process size really is due to the cache. The increase in process size from 36 MB to 257 MB does not make sense given that the cache dump is only 6 MB. What version of BIND is this? And do you use statistics-channel? I'd be interested to see what the memory stats look like on a running server. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. I have tried both BIND 9.9.5-P1 and 9.9.6b1. The figures given above were for 9.9.6b1. I do not have a statistics-channel set up or anything having to do with logging set up. I have since rebuilt BIND as a 64 bit executable, so I expect that I will not have out of memory errors again. But I am seeing the same unexpected increase in process size. The 64 bit named has now run for slightly over 3 weeks without hanging up with an out of memory error (the 32 bit named would die in about 10 days). The process size has grown to 513 MB, up from an initial size of 36 MB, amd is still growing. This time rndc dumpdb -cache produced a 4.8 MB file. I am now redoing my previous experiment with rndc flush to verify that this is really a problem with the cache. If the process size stays the same for 3 weeks and then starts to grow again, then I think that we can conclude that there is something funny going on with the cache. Evan: if there is some debugging you would like me to do, let me know. Preferably something that does not require killing and restarting the process, at least not for a few weeks. The process size was stable at 513 MB for 18 days (not quite 3 weeks) and then started growing again. So it does look like the growth in the process size is mostly due to the cache. The process size is now up to 529 MB. The next thing to do is to just let it run and see if it ever stops growing. I still think that there is something funny going on with the cache. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Root servers
On Thu, Aug 14, 2014 at 02:26:54PM -0500, Bill Christensen wrote: I'm seeing some root server errors on startup: 14-Aug-2014 13:14:08.142 info: host unreachable resolving 'd.gtld-servers.net//IN': 2001:503:ba3e::2:30#53 14-Aug-2014 13:14:08.215 info: host unreachable resolving 'b.gtld-servers.net/A/IN': 2001:503:231d::2:30#53 14-Aug-2014 13:14:08.220 info: host unreachable resolving 'c.gtld-servers.net/A/IN': 2001:503:231d::2:30#53 14-Aug-2014 13:14:08.522 info: host unreachable resolving 'd.gtld-servers.net//IN': 2001:503:83eb::2:31#53 14-Aug-2014 13:14:08.595 info: host unreachable resolving 'c.gtld-servers.net/A/IN': 2001:503:a83e::2:31#53 14-Aug-2014 13:14:08.793 info: host unreachable resolving 'b.gtld-servers.net//IN': 2001:503:c27::2:30#53 14-Aug-2014 13:14:08.794 info: host unreachable resolving 'b.gtld-servers.net//IN': 2001:dc3::35#53 14-Aug-2014 13:14:08.795 info: host unreachable resolving 'c.gtld-servers.net//IN': 2001:503:c27::2:30#53 14-Aug-2014 13:14:08.796 info: host unreachable resolving 'c.gtld-servers.net//IN': 2001:dc3::35#53 How do I correct that? It looks like your system thinks it has IPv6 connectivity, but it doesn't really have it. You can disable IPv6 at the OS level or: named -4. It looks like my root pointers are horribly out of date. Seems to me this is something which should automatically update... Not much, and yes. ; This file is made available by InterNIC ; under anonymous FTP as ; file/domain/named.root ; on server FTP.INTERNIC.NET ; -OR-RS.INTERNIC.NET ; ; last update:Feb 04, 2008 ; related version of root zone: 2008020400 That's old, but not so old as to prevent you from reaching an actual root server. Of course it was 2 years before the root was signed. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if /dev/rob0 is in the Subject: I will add my $0.02. The named executable has the root information built in so that it can start up if there is no named.root file available. So, if you had no named.root file but did have the latest release of Bind then you would have the current data. If you do not update Bind the moment that a new version is released then you need a current named.root file. Just go get a new one from the server listed at the top of the old file. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Process size versus cache size.
On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote: In investigating an out of memory error on a Solaris 8 Sparc machine (compiled as a 32 bit executable), I find that the process size increase due to the cache does not make sense. Over about a week the process size had grown to 257 MB, up from an initial size of 36 MB. But when I dumped the cache with rndc dumpdb -cache, the resulting named_dump.db file was only 6 MB in size. Given the way the file is formatted, I would expect that the in memory version would be smaller than that. But when I did a 'rndc flush', the process stopped growing for about the same number of days that it took to reach 257 MB. That indicates that the increase in process size really is due to the cache. The increase in process size from 36 MB to 257 MB does not make sense given that the cache dump is only 6 MB. What version of BIND is this? And do you use statistics-channel? I'd be interested to see what the memory stats look like on a running server. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. I have tried both BIND 9.9.5-P1 and 9.9.6b1. The figures given above were for 9.9.6b1. I do not have a statistics-channel set up or anything having to do with logging set up. I have since rebuilt BIND as a 64 bit executable, so I expect that I will not have out of memory errors again. But I am seeing the same unexpected increase in process size. The 64 bit named has now run for slightly over 3 weeks without hanging up with an out of memory error (the 32 bit named would die in about 10 days). The process size has grown to 513 MB, up from an initial size of 36 MB, amd is still growing. This time rndc dumpdb -cache produced a 4.8 MB file. I am now redoing my previous experiment with rndc flush to verify that this is really a problem with the cache. If the process size stays the same for 3 weeks and then starts to grow again, then I think that we can conclude that there is something funny going on with the cache. Even: if there is some debugging you would like me to do, let me know. Preferably something that does not require killing and restarting the process, at least not for a few weeks. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Process size versus cache size.
On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote: In investigating an out of memory error on a Solaris 8 Sparc machine (compiled as a 32 bit executable), I find that the process size increase due to the cache does not make sense. Over about a week the process size had grown to 257 MB, up from an initial size of 36 MB. But when I dumped the cache with rndc dumpdb -cache, the resulting named_dump.db file was only 6 MB in size. Given the way the file is formatted, I would expect that the in memory version would be smaller than that. But when I did a 'rndc flush', the process stopped growing for about the same number of days that it took to reach 257 MB. That indicates that the increase in process size really is due to the cache. The increase in process size from 36 MB to 257 MB does not make sense given that the cache dump is only 6 MB. What version of BIND is this? And do you use statistics-channel? I'd be interested to see what the memory stats look like on a running server. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. I have tried both BIND 9.9.5-P1 and 9.9.6b1. The figures given above were for 9.9.6b1. I do not have a statistics-channel set up or anything having to do with logging set up. I have since rebuilt BIND as a 64 bit executable, so I expect that I will not have out of memory errors again. But I am seeing the same unexpected increase in process size. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Process size versus cache size.
In investigating an out of memory error on a Solaris 8 Sparc machine (compiled as a 32 bit executable), I find that the process size increase due to the cache does not make sense. Over about a week the process size had grown to 257 MB, up from an initial size of 36 MB. But when I dumped the cache with rndc dumpdb -cache, the resulting named_dump.db file was only 6 MB in size. Given the way the file is formatted, I would expect that the in memory version would be smaller than that. But when I did a 'rndc flush', the process stopped growing for about the same number of days that it took to reach 257 MB. That indicates that the increase in process size really is due to the cache. The increase in process size from 36 MB to 257 MB does not make sense given that the cache dump is only 6 MB. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: failed: out of memory
You'll want to use max-cache-size to enforce a hard limit on the size of your cache. http://www.zytrax.com/books/dns/ch7/hkpng.html#max-cache-size /Tim --- Tim Krzywonos e:: t...@krzywonos.ca Thanks for reminding me of that. Now that I have some confidence that the problem is the cache and not some funny memory leak, I think I can rely on setting a limit. I still find it strange that when I dumped the cache, the resulting file was only 6 MB in size. The process size had grown to 257 MB, up form an initial size of 36 MB. It does not make sense On 2014-07-21 10:57, sch...@adi.com wrote: Have you tried an rndc flush? You can also dump the contents of the cache to find the (approximate) size of the cache. If related to cache, you can tweak parameters to cache, most namely max-cache-size. IIRC, the cache doesn't have a size limit by default. /Tim I did an rndc dumpdb -cache and the size of the named_dump.db that resulted is 5927042. Not all that big condidering how it is formatted. Late last night I did a rndc flush. At that time the size of named was 31305 pages of 8192 bytes. As of now (13 hours later) the size is still 31305. I will see what happens. See below for our named.conf and then my original description of the problem. As of this morning (3 days 12 hours later) named is still at 31305 pages. So it appears that the continuous growth that I was seeing is due to the cache. Unfortunately my investigation has not been very methodical. I should have noted the size of the named process when I was getting the out of memory errors. I also should have noted the rate of growth of 9.9.5-P1 before trying 9.9.6b1. I am going to switch back to 9.9.5-P1 for a few days and see if the rate of growth is about the same or if it is much worse. (The initial size was 4734 pages and jumped to 7666 within 5 minutes). Assuming that the cache cleaning is working correctly, it may be that a 32 bit process is just not viable these days. I have now built a 64 bit named and will switch to that in a few days. A big problem is that I will be going on vacation at the end of the week and I really want to make sure that named does not shut down while I am away. There is really not enough time to do enough testing to make sure of that. I may set up a cron job to do a daily rndc flush while I am away. I was asked off list for our named.conf. Here it is. options { directory /var/named; acache-enable yes; auth-nxdomain no; transfer-format many-answers; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }; managed-keys { dlv.isc.org. initial-key 257 3 5 .; }; managed-keys { . initial-key 257 3 8 ...; }; view internal { match-clients { !192.168.3.95; !192.168.3.150; !192.168.4.0/24; localnets; }; sortlist { { 192.168.2.0/24; { 192.168.2.0/24; 192.168.3.0/24; }; }; { 192.168.3.0/24; { 192.168.3.0/24; 192.168.2.0/24; }; }; }; zone . { type hint; file named.root; }; zone adi.com { type master; file adi.com.hosts.int; check-names ignore; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 130-157.245.100.75.in-addr.arpa { type master; file 75.100.245.130-157.revhosts; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 2.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 3.168.192.in-addr.arpa { type master; file 192.168.3.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 4.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone localhost { type master; notify no; file named.local; }; zone 0.0.127.in-addr.arpa { type master; notify no; file named.revlocal; };
Re: failed: out of memory
Have you tried an rndc flush? You can also dump the contents of the cache to find the (approximate) size of the cache. If related to cache, you can tweak parameters to cache, most namely max-cache-size. IIRC, the cache doesn't have a size limit by default. /Tim I did an rndc dumpdb -cache and the size of the named_dump.db that resulted is 5927042. Not all that big condidering how it is formatted. Late last night I did a rndc flush. At that time the size of named was 31305 pages of 8192 bytes. As of now (13 hours later) the size is still 31305. I will see what happens. See below for our named.conf and then my original description of the problem. As of this morning (3 days 12 hours later) named is still at 31305 pages. So it appears that the continuous growth that I was seeing is due to the cache. Unfortunately my investigation has not been very methodical. I should have noted the size of the named process when I was getting the out of memory errors. I also should have noted the rate of growth of 9.9.5-P1 before trying 9.9.6b1. I am going to switch back to 9.9.5-P1 for a few days and see if the rate of growth is about the same or if it is much worse. (The initial size was 4734 pages and jumped to 7666 within 5 minutes). Assuming that the cache cleaning is working correctly, it may be that a 32 bit process is just not viable these days. I have now built a 64 bit named and will switch to that in a few days. A big problem is that I will be going on vacation at the end of the week and I really want to make sure that named does not shut down while I am away. There is really not enough time to do enough testing to make sure of that. I may set up a cron job to do a daily rndc flush while I am away. I was asked off list for our named.conf. Here it is. options { directory /var/named; acache-enable yes; auth-nxdomain no; transfer-format many-answers; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }; managed-keys { dlv.isc.org. initial-key 257 3 5 .; }; managed-keys { . initial-key 257 3 8 ...; }; view internal { match-clients { !192.168.3.95; !192.168.3.150; !192.168.4.0/24; localnets; }; sortlist { { 192.168.2.0/24; { 192.168.2.0/24; 192.168.3.0/24; }; }; { 192.168.3.0/24; { 192.168.3.0/24; 192.168.2.0/24; }; }; }; zone . { type hint; file named.root; }; zone adi.com { type master; file adi.com.hosts.int; check-names ignore; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 130-157.245.100.75.in-addr.arpa { type master; file 75.100.245.130-157.revhosts; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 2.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 3.168.192.in-addr.arpa { type master; file 192.168.3.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 4.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone localhost { type master; notify no; file named.local; }; zone 0.0.127.in-addr.arpa { type master; notify no; file named.revlocal; }; zone com { type delegation-only; }; zone net { type delegation-only; }; }; view internal4 { match-clients { 192.168.4.0/24; }; zone . { type hint; file named.root; }; zone adi.com { type master; file adi.com.hosts.int4; check-names ignore; notify explicit; also-notify { 192.168.4.95; 192.168.4.150; }; }; zone
Re: failed: out of memory
Have you tried an rndc flush? You can also dump the contents of the cache to find the (approximate) size of the cache. If related to cache, you can tweak parameters to cache, most namely max-cache-size. IIRC, the cache doesn't have a size limit by default. /Tim I did an rndc dumpdb -cache and the size of the named_dump.db that resulted is 5927042. Not all that big condidering how it is formatted. Late last night I did a rndc flush. At that time the size of named was 31305 pages of 8192 bytes. As of now (13 hours later) the size is still 31305. I will see what happens. I was asked off list for our named.conf. Here it is. options { directory /var/named; acache-enable yes; auth-nxdomain no; transfer-format many-answers; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; }; managed-keys { dlv.isc.org. initial-key 257 3 5 .; }; managed-keys { . initial-key 257 3 8 ...; }; view internal { match-clients { !192.168.3.95; !192.168.3.150; !192.168.4.0/24; localnets; }; sortlist { { 192.168.2.0/24; { 192.168.2.0/24; 192.168.3.0/24; }; }; { 192.168.3.0/24; { 192.168.3.0/24; 192.168.2.0/24; }; }; }; zone . { type hint; file named.root; }; zone adi.com { type master; file adi.com.hosts.int; check-names ignore; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 130-157.245.100.75.in-addr.arpa { type master; file 75.100.245.130-157.revhosts; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 2.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 3.168.192.in-addr.arpa { type master; file 192.168.3.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone 4.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.2.95; 192.168.2.150; }; }; zone localhost { type master; notify no; file named.local; }; zone 0.0.127.in-addr.arpa { type master; notify no; file named.revlocal; }; zone com { type delegation-only; }; zone net { type delegation-only; }; }; view internal4 { match-clients { 192.168.4.0/24; }; zone . { type hint; file named.root; }; zone adi.com { type master; file adi.com.hosts.int4; check-names ignore; notify explicit; also-notify { 192.168.4.95; 192.168.4.150; }; }; zone 130-157.245.100.75.in-addr.arpa { type master; file 75.100.245.130-157.revhosts; notify explicit; also-notify { 192.168.4.95; 192.168.4.150; }; }; zone 2.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.4.95; 192.168.4.150; }; }; zone 3.168.192.in-addr.arpa { type master; file 192.168.3.revhosts.int; notify explicit; also-notify { 192.168.4.95; 192.168.4.150; }; }; zone 4.168.192.in-addr.arpa { type master; file 192.168.2.revhosts.int; notify explicit; also-notify { 192.168.4.95; 192.168.4.150; }; }; zone localhost { type master; notify no; file named.local; }; zone 0.0.127.in-addr.arpa {
failed: out of memory
We are running Bind on a Sun Sparc machine running Solairs 8. Bind is built as a 32 bit executable as that is the default and is the way libcrypto and libxml2 are built. We have been running Bind 9.9.5. I am now trying Bind 9.9.6b1 as that claims to have fixed some memory leaks. For some time now Bind has stopped being able to do recursive queries every couple of weeks and I have been just restarting it. I decided to look into this and found it logging out of memory errors. This seems to have started happening after I set up bind to sign our domain, adi.com. The server is bluegill.adi.com. It is set up with 3 views. Two are internal views and can do recursive queries. One is the external view and does not allow recursive queries. Since restarting named, this time Bind 9.9.6b1, I have been checking the memory usage every day. The usage in pages of 8192 bytes for the last 7 days are: 16,517 19,221 20,111 23,707 24,957 26,384 28,231 29,912 Note that this shows no signs of settling down. I am looking into the possability of rebuilding Bind as a 64 bit executable as that should take much longer to run out of memory. A recient section of the log showing that the cleaner is running: Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice] acache 91e6a30 stats: hits=0 misses=6 queries=6 adds=6 deleted=5 cleaned=5 cleaner_runs=140 overmem=0 overmem_nocreates=0 nomem=0 Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice] acache 91e6a30 cleaning interval set to 3600. Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice] acache 933f990 stats: hits=3299 misses=79 queries=3378 adds=86 deleted=370 cleaned=370 cleaner_runs=144 overmem=0 overmem_nocreates=0 nomem=0 Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice] acache 933f990 cleaning interval set to 3600. Jul 17 10:24:46 bluegill named[9334]: [ID 873579 daemon.notice] acache 9166a20 stats: hits=76514 misses=4348 queries=80862 adds=4348 deleted=3717 cleaned=3717 cleaner_runs=144 overmem=0 overmem_nocreates=0 nomem=0 Jul 17 10:24:46 bluegill named[9334]: [ID 873579 daemon.notice] acache 9166a20 cleaning interval set to 3600. Jul 17 10:29:51 bluegill named[9334]: [ID 873579 daemon.notice] clients-per-query decreased to 10 Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC and upgrading/restoring
Asking again, in a different and more generic form: When rebuilding a bind 9.9.4 server running DNSSEC with auto maintain, are there any steps I need to take beyond just backing up /var/named/etc/namedb (this is on FreeBSD) and restoring? This server is authoritative and primary, and has slaves for multiple domains. I'm concerned about keeping keys, serial numbers, and any other dynamic info in sync. Thanks! dn This may not apply to FreeBSD, but you should backup the main named.conf if it is in some other directory than /var/named/etc/namedb. On my system (Solaris) named.conf and a key file for managed keys for the root are in /etc. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Upgrading from 9.8.3 to 9.9.4
I just remembered there was also the change to the db file having a default raw format on slaves unless specified. Interesting. I did not notice that when it happened, but now that I look, I see that my slaves indeed have raw format files. Apparently the switch over did not require me to do anything. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Disable DNSSEC
Once the DS record is removed from the .edu zone, queriers won't expect your zone to be signed any more. At that point, you can leave it signed or remove the signatures, and it won't make any difference. You just need to wait at least 24 hours from the time the record disappears from the .edu zone. I suggest you wait a little bit longer then that. There are multiple name servers for edu and you want to make sure that all of them have removed the DS record. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS with several ip adessess
Views have been in bind for all recent history. I've watched this thread and have been biting my tongue as long as I could. I'm a proponent of separating servers and NOT using views, as any of you that have taken a class that I've taught will attest. I've seen too many problems over the years that have been caused by incorrect maintenance of both data feeding the views and goofs in the mechanisms making sure that the correct view is made available to the correct slave servers (and clients). With today's hardware (virtualization, etc) it's not very expensive to build out new servers. Separate the services and you remove lots of the little prickly points that will cause you pain as the complexity of your infrastructure grows (and as you hand off to the 'next generation' of maintainers). I'm actually more a proponent of creating an architecture that doesn't NEED differentiated data, but there aren't a lot of places implementing DNS / naming structures on green-fields these days. AlanC --=20 Alan Clegg | +1-919-355-8851 | a...@clegg.com I use views here. I did have to do a little work to make suere the right views went to the right places and to make sure that the slaves that needed all the views got them correctly. But I can't see how setting up virtual hosts would be less work and how setting up virtual hosts would be less prone to errors. And I would have to figure out how to make one host only answer internal queries and the other host only answer external queries. That was easy to do with views (at least for me). Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Adding DS records
Has anyone been able to get Network Solutions to add DS records for their domain? I am trying to get DS records added for my domain and so far it looks like Network Solutions can not do that. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Adding DS records
If I was a NetSol customer, I would ask them, Why not? And if I were a NetSol customer, I would ask myself, Why? If I were a capitalist, I'd vote with my wallet and go somewhere with the features I want. Well, we started with them back when they were the only company registering domain names. And up to now there were no problems (other than perhaps price). Any recomendations for another company for a .com domain in the US? I suppose that I could always use the DLV, but I would rather not. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Adding DS records
gandi.net +1 I transferred from NS to Gandhi in December 1998. I don't know about their hosting of primary DNS but they do host a secondary of mine and it seems to resolve there with an aa flag: Yep, secondary works, but they can't be a DNSSEC primary. Steve We host the primary DNS ourselves with our ISP providing the secondary, so no problem there. Just to get going, I entered the records using the DLV. I think that I will get a different registerer early next year, after the rush of the holidays quiets down. Our contract expires in March, so this is a reasonable time to do a switch. Thanks for the advice so far. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc refresh fails for signed zones
Sorry for the bad advice. Am I correct in thinking that in the case of a hidden master and a chain of slaves, that the first publicly acessable slave would do the signing and that in any case only one instance of bind should do the signing? Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc refresh fails for signed zones
Hi! # named -V BIND 9.9.3-rl.13204.02-P2 I have configured slave zones with inline signing: zone mydomain.at { type slave; file /etc/bind/mydomain.at; masters { 1.2.3.4; }; key-directory /etc/bind/keys; auto-dnssec maintain; inline-signing yes; allow-transfer { 5.6.7.8; }; also-notify { 5.6.7.8; }; }; # rndc refresh mydomain.at rndc: 'refresh' failed: failure not a slave or stub zone For normal slave zones (unsigned) it works fine. Is this a known bug? Where can I open a bug report? Any workarounds? I believe that only the master can sign the zone. Also, also-notify does not make much sense for a slave. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DLV and the ad flag
Acording to the book Dnssec Mastery, I should be able to test if my Bind is correctly set up to use the DLV with the command: dig +dnssec nsec3.dlvtest.dns-orac.net And I should expect expect to see the RRSIG records and see the AD flag set. I do get the RRSIG records but I do not see the AD flag. Do I have a problem or is the book wrong? I do see the AD flag if I dig www.isc.org. I am running Bind 9.9.4. Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DLV and the ad flag
On Wed, Nov 27, 2013 at 01:30:37PM -0500, Thomas Schulz wrote: Acording to the book Dnssec Mastery, I should be able to test if my Bind is correctly set up to use the DLV with the command: dig +dnssec nsec3.dlvtest.dns-orac.net dns-oarc, not dns-orac. (OARC: Operations, Analysis and Research Center.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. That works much better. Thank you. I typed that wrong at least 5 times! Wow! Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Does anyone know where to find the ISC signing keys for source packages?
At Tue, 28 Dec 2010 15:50:23 -0500 (EST), Thomas Schulz wrote: It looks like I am a little dim today. Given gpg and the key, what steps do I do to verify a source package? General case: $ gpg --verify sigfile tarball Eg: $ gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind-9.7.2-P3.tar.gz We probably should add this to the aforementioned web page. It looks like I have to somehow make the public key available. When I issue the above command I get: gpg: Can't check signature: public key not found Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Spaces in keys
When I copied the key for root from http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers I ended up with spaces in the key. I assumed that they should not be there and removed them. I since noticed that the key in /etc/bind.keys supplied with the bind distribution has spaces in it. Should the spaces be there or does it not matter? Tom Schulz Applied Dynamics Intl. sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: error sending response log messages
In article glpv2m$2l4...@sf1.isc.org, Andre LeClaire alecla...@yahoo.com wrote: Mark Andrews wrote: In message 497caef2.80...@yahoo.com, Andre LeClaire writes: Hello everyone, I've been seeing these syslog messages for about a week on a FreeBSD server running BIND 9.4.3-P1: Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error sending response: permission denied Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error sending response: permission denied Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error sending response: permission denied Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error sending response: permission denied Ports 135-139 and 445 are denied by the firewall on the outside interface. Why do you care about what port you are sending to? Just allow named to send its replies. Ports 135-139 and 445 are blocked on the outside interface to protect the Windows networks on the inside, which use those ports, from the savage Internet. You seem to be saying that you are blocking incomming traffic on those ports, but the above errors suggest that you are allowing incomming queries on those ports but blocking the outgoing reply. I don't understand why you would do that. Are you saying that it's normal for named to send replies on those ports? Also, the server has been up for over 3 years with no problems, and these errors just started happening last week. New versions of Bind, and perhaps other dns implementations, make queries on random ports and use a wider range of ports than before. This is to work around a security issue. You are probably seeing the efects of other sites upgrading their dns servers. You should adjust your firewall to allow replies from Bind on any port. Andre -- Tom Schulz sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.4.x vs 9.6.x - pid-file check and creation
In article glp3rc$23p...@sf1.isc.org, Jan Arild =?iso-8859-1?Q?Lindstr=F8m?= j...@telenor.net wrote: Hi, ah, of course. I did not think about it as a Solaris bug. I patched BIND 9.6.0-P1 os.c code so it first checks for the diretory before it tries the fast approach of just running mkdir. And that of course works fine. But, since I do not want to run a self-patch BIND in production, I will instead run with pid-file /var/run/named/named/named.pid and be happy with that. Just wondering. Since /var/run is a swap (memory) based file system, do you have to recreate those directories on each reboot? Thanks Jan Arild Lindstr At 15:35 27/01/2009, Mark Andrews wrote: Looking at the publically available parts of SunSolve there are at least bug reports about it. Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth= er xxxfs_mkdir() functions. | Open in a new window bug 6253984 http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-6253984-1 - Sep = 10, 2007 = Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth= er xxxfs_mkdir() functions. | Open in a new window bug 2152581 http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-2152581-1 - Sep = 10, 2007 = I don't have a copy of the POSIX standard that covers mkdir(2) to see what it has to say about it. Historically however EACCES on search failure, EEXIST if the file/directory exists, then EACCES on parent directory write permissions was the error determination order. Mark -- = Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Tom Schulz sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: SERVFAIL issues
In article gkqqei$1nq...@sf1.isc.org, Frank Bulk - iName.com frnk...@iname.com wrote: Yes, I read that last night before posting. I changed it to 256M. Is there a way using rndc to see if that took? Note that 9.5.1 reverts the limit to unlimited AND fixes the bug causing the failure. You should not be running 9.5.0 at all. And how do I see how much of the cache has been used? I don't want to provision more than necessary. This server acts as a secondary DNS entry for about 6000 broadband customers and is an authoritative DNS server for 100+ domains. Frank -Original Message- From: Fr34k [mailto:freaknet...@yahoo.com] Sent: Friday, January 16, 2009 8:45 AM To: frnk...@iname.com; bind-users@lists.isc.org Subject: Re: SERVFAIL issues Hello, Has the max-cache-size setting in named.conf been considered? If not, note that in early releases of 9.5.x max-cache-size is 32M by default instead of unlimited as in 9.4.x From the CHANGES file with the bind-9.5.0-P2 source: max-cache-size defaults to 32M Using: max-cache-size 0 ; will restore previous behavior (unlimited). The ultimate setting would need to be considered for the environment BIND is running in. FWIW, we use max-cache-size 0 ; without issue. You can search this list archives for max-cache-size for previous discussions on this. Thanks. - Original Message From: Frank Bulk frnk...@iname.com To: bind-users@lists.isc.org Sent: Thursday, January 15, 2009 6:57:10 PM Subject: SERVFAIL issues http://marc.info/?l=bind-usersm=122239920822324w=2 http://marc.info/?l=bind-usersm=122243068905656w=2 We upgraded to 9.5.0-P1 when the Kaminsky DNS vulnerability was announced and have had intermittent issues with SERVFAIL problems for some DSL modems that don't properly fail over to a secondary DNS server. A packet capture showed that certain domains would result in a SERVFAIL, and once that domain was identified, if we did a dig against it we had the same result. We've had to stop and start the named service about half a dozen times this fall to resolve the issue. We upgraded to 9.5.0-P2 in early November, hoping that this issue would be resolved. But today we experienced the problem again. A customer couldn't query a site, although everything seemed correct. I captured all their traffic and the trace showed that the DNS server was issuing a SERVFAIL. I stopped and then started named and immediately all was well. Since we sometimes reload named when adding/modifying domains, or at other times use rndc, I'm not sure if that cleared things up such that this is the first time I recall having this problem in 2 months. Is this intermittent SERVFAIL issue resolved in 9.5.1-P1? Frank ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Tom Schulz sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind memory usage
In article gi2uke$2d8...@sf1.isc.org, =?UTF-8?B?TGVvbmFyZG8gUm9kcmlndWVzIE1hZ2FsaMOjZXM=?= leolis...@solutti.com.br wrote: CgpQZXRlciBEYW1iaWVyIGVzY3JldmV1Ogo+IEkgY2FuIGNvbmZpcm0gYmluZCA5LjQgZG9lcyBy dW4gb24gYW4gKElCTSwgbm90IEludGVsKSA0ODYtU0NMLzIgd2l0aCAxNiBNQi4KPiBUaGF0IGNw dSBjYW4gYWRkcmVzcyBubyBtb3JlIHRoYW4gMTYgTUIuCj4KPiAkIGNhdCAvcHJvYy9tZW1pbmZv Cj4gICAgICAgICB0b3RhbDogICAgdXNlZDogICAgZnJlZTogIHNoYXJlZDogYnVmZmVyczogIGNh Y2hlZDoKPiBNZW06ICAxNDU0MDgwMCAxMDU5NjM1MiAgMzk0NDQ0OCAgMzE5NDg4MCAgMTAwMzUy MCAgMzUxODQ2NAo+ICAgCgogICAgdmVyeSBnb29kIHRvIGtub3cgdGhhdCA5LjQgaXMgcnVubmlu ZyBPSyBvbiBhIDE2TWIgbWFjaGluZSwgYSAKc2l0dWF0aW9uIGV2ZW4gd29yc3QgdGhhbiBtaW5l LCB3aGljaCBpcyAzMk1iIDopICAuLi4uIGknbGwgdHJ5IHRvIAppbnN0YWxsIDkuNCB0aGlzIHdl ZWsgaW5zdGVhZCBvZiA5LjUgYW5kIGNoZWNrIGlmIGl0IGhhcyBhIHNsb3dlciBtZW1vcnkgCmZv b3RwcmludC4KCiAgICB0aGFua3MgZm9yIHRoZSB0aXAgISEhCgotLSAKCgoJQXRlbmNpb3NhbWVu dGUgLyBTaW5jZXJpbHksCglMZW9uYXJkbyBSb2RyaWd1ZXMKCVNvbHV0dGkgVGVjbm9sb2dpYQoJ aHR0cDovL3d3dy5zb2x1dHRpLmNvbS5icgoKCU1pbmhhIGFybWFkaWxoYSBkZSBTUEFNLCBOw4NP IG1hbmRlbSBlbWFpbAoJZ2VydHJ1ZGVzQHNvbHV0dGkuY29tLmJyCglNeSBTUEFNVFJBUCwgZG8g bm90IGVtYWlsIGl0CgoKCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fXwpiaW5kLXVzZXJzIG1haWxpbmcgbGlzdApiaW5kLXVzZXJzQGxpc3RzLmlzYy5vcmcK aHR0cHM6Ly9saXN0cy5pc2Mub3JnL21haWxtYW4vbGlzdGluZm8vYmluZC11c2Vycw== You know, the above is not very usefull. Can someone please fix the newsgroup gateway. -- Tom Schulz sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: MIME garbage in comp.protocols.dns.bind
In article ghtmfl$2rc...@sf1.isc.org, Sam Wilson sam.wil...@ed.ac.uk wrote: In article ghtjng$2pd...@sf1.isc.org, Barry Margolin bar...@alum.mit.edu wrote: Does anyone still read this list via the comp.protocols.dns.bind Usenet gateway? I do, and ever since the web site and mailing list revamp last month, it has been a real PITA. About 1/3 of the messages in the group have all sorts of MIME garbage in the body of the messages. The problem appears to be that the Content-type: multipart/alternative header line is being stripped from the header by the gateway; actually, it ends up in the body of the message. As a result, my newsreader doesn't recognize that the message is multipart, and shows all the pieces literally. You can see the same thing if you view the messages in Google Groups, so it's not just my news provider (Motzarella) or newsreader (MT-Newswatcher). The old mail-to-news gateway either got this right or extracted the plain text alternative before forwarding. I sent mail to bind-users-request a few weeks ago, but got no response. Is this bugging anyone else but me? Yes, it's bugging me. I use MT-Newswatcher (Mac OS X) and whilst I can cope with the multipart/alternative hassle (just stop reading where it turns into HTML - see [1]) the ones that really annoy me are the base64 encoded messages like [2]. I'm clearly less conscientious than Barry - I haven't complained before now. Sam [1] news:ghs3de$1f8...@sf1.isc.org [2] news:ghtbae$2er...@sf1.isc.org I was wondering what was going on. Some messages are just base64 and are completely useless/unreadable. -- Tom Schulz sch...@adi.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users