from:"Thomas Schulz"

Using inline-signing, need to allow dynamic updates.

2017-02-27 Thread Thomas Schulz

Right now we have our external view for adi.com set up to use
inline-signing with the following entries in our named.conf file;

 inline-signing yes;
 key-directory "dnssec";
 auto-dnssec maintain;

I now need to allow dynamic updates to support letsencrypt which needs
to add txt records when the certificate is renewed. Can I just add

 allow-update { key keyname-here; };

Or do I need to change the above configuration in some way?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-27 Thread Thomas Schulz

> Just wonder if there is some agreed guidance on what steps I SHOULD take =
> to get bind-9.11.0-P2 successfully build on Debian 9.0?
> 
> 
> /usr/bin/ld: //lib64/libcrypto.a(a_object.o):
> relocation R_X86_64_PC32 against symbol `ASN1_OBJECT_free'
> can not be used when making a shared object; 
> recompile with -fPIC

It looks like openssl was not built to create shared libraries. So bind
built against your self compiled openssl can not create shared libraries.
Either rebuild openssl to create shared libraries or change binds configure
to remove --enable-shared, possibly adding --disable-shared.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Thomas Schulz

In the following I ment to say 'dnssec-validation' instead of 'dnssec-enable'.

> > https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bin
> > d-users/ 
> > 
> > Towards the end of the blog, there is a short list of possible corner
> > cases that could trip people up during the rollover.  If
> > you folks can think of others, please do share them.
> 
> I found a case where the documentation is not clear (at least to me).
> 
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Thomas Schulz

> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bin
> d-users/ 
> 
> Towards the end of the blog, there is a short list of possible corner
> cases that could trip people up during the rollover.  If
> you folks can think of others, please do share them.

I found a case where the documentation is not clear (at least to me).

I found that I had 'dnssec-enable yes' along with a managed-keys
statement with an initial-key. If I change to 'dnssec-enable auto'
do I still need a managed-keys statement? If not will it hurt to have
one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-25 Thread Thomas Schulz

> In message 
>

Re: resolution problem

2016-05-24 Thread Thomas Schulz

colostate.edu.  172800  IN  NS  dns1.colostate.edu.
colostate.edu.  172800  IN  NS  dns3.colostate.edu.
;; Received 119 bytes from 192.41.162.30#53(l.edu-servers.net) in 78 ms

www.cloudsat.cira.colostate.edu. 3600 IN CNAME  dpc.cira.colostate.edu.
dpc.cira.colostate.edu. 3600IN  A   129.82.109.62
;; Received 83 bytes from 129.82.103.121#53(dns1.colostate.edu) in 36 ms
> 
>>In article ,
>> Matus UHLAR - fantomas  wrote:
>>> often a problem of invalid NS delegation, or bad TTL (A record for a server
>>> expires before NS record).
> 
> On 19.05.16 15:31, Sam Wilson wrote:
>>Glue A records for the nameservers have 172800 TTL, authoritative A
>>records have 1200.
> 
> that's it!
> 
> ;; ANSWER SECTION:
> colostate.edu.  3600IN  NS  dns3.colostate.edu.
> colostate.edu.  3600IN  NS  dns1.colostate.edu.
> 
> ;; ADDITIONAL SECTION:
> dns3.colostate.edu. 1200IN  A   129.82.103.111
> dns1.colostate.edu. 1200IN  A   129.82.103.121
> 
> after 1200 seconds, the A records expire, but the NS records don't.
> 
> Next 2400 seconds you know that you have to ask dns3.colostate.edu and
> dns1.colostate.edu, but you can't find their IPs, because ...  you don't
> know their IPs.
> 
> while some DNS servers can cope with that, it's still broken setup.

Our server here running BIND 9.10.3-P4 seems to handle it OK. Do some
versions of Bind work with this broken setup while other versions do
not? I wonder what versions of Bind are running on the two servers
that do work and what versions on the two that do not.

> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I feel like I'm diagonally parked in a parallel universe. 

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Multiple A records and reverse DNS

2016-03-22 Thread Thomas Schulz

> > That is mostly how I thought it worked. What I had in mind more
> > specifically was:
> > 
> > adi.com zone:
> > mackerel.adi.com.  IN  A  75.100.245.141
> > mackerel.adi.com.  IN  A  96.85.104.76
> > 
> > reverse zones:
> > 141.245.100.75.in-addr.arpa.  IN  PTR  mackerel.adi.com
> > 76.104.85.96.in-addr.arpa.(not yet set up)
> 
> OK, suppose you then set up 
> 
> 76.104.85.96.in-addr.arpa. IN  PTR  mackerel.adi.com.
> 
> That may not play well with all the SMTP servers you wish to send to,
> due to subtle implementation variations. 
> 
> > But receiving mail on both was more work than I had expected, so I am
> > not going to set that up. 
> 
> Many sites have separate incoming and outbound SMTP servers. There is
> no reason to name them the same, especially not when you plan to
> implement them on separate IP addresses/ranges. 
> 
> The important thing is that the A and PTR records agree. That is most
> simply done by using a single A record for each name, and a single PTR
> record for each IP.

Thanks to everyone for all the information.
This was all to be temporary while switching from one ISP to another.
The new ISP has to set up the pointer records, hopefully delegating to
our server. They are taking a long time getting back to us on what they
can do. Fortunately we will still have service with our old ISP for
quite awhile. I just thought that receiving email from both addresses
would make the timing of the final switch over less critical.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Multiple A records and reverse DNS

2016-03-19 Thread Thomas Schulz

This is not a BIND question but I hope people here will know the answer.
We are switching service providers and I understand that many email SPAM
prevention systems insist on the reverse DNS matching the forward DNS.
If I have two A records for our mail server and the reverse record matches
one of them, will that be good enough. Or will the fact that the other A
record does not match cause trouble.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Multiple A records and reverse DNS

2016-03-19 Thread Thomas Schulz

> Am 17.03.2016 um 14:53 schrieb Thomas Schulz:
>> This is not a BIND question but I hope people here will know the answer
>> We are switching service providers and I understand that many email
>> SPAM prevention systems insist on the reverse DNS matching the forward
>> DNS. If I have two A records for our mail server and the reverse record
>> matches one of them, will that be good enough. Or will the fact that
>> the other A record does not match cause trouble
> 
> when you have two A-recods then you have two IP's
> each of them should have a PTR with *only* the name of the A-record
> and in a good setup "smtp_helo_name" matchs too

Thanks to everyone for their answers. In switching service providers we
have arranged for both providers to be active at the same time for a few
weeks. The old provider has reverse DNS set up but the new provider does
not yet have that set up. I was thinking of allowing incomming email from
both by having two A records but alowing outgoing email only through the
old provider that has the working reverse DNS. When the new provider also
has reverse DNS set up then I can switch outgoing email and close down the
old connection.

I turns out that it is harder than I thought to allow incomming
connections from both providers at the same time, so I may not do
that after all.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Changing records with inline-signing

2016-03-19 Thread Thomas Schulz

We currently have adi.com signed using options:

inline-signing yes;
auto-dnssec maintain;

If I change an A record or add a new A record, will the signing be
automatically updated or do I have to do an rndc sign zone?


Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

ZSK rollover detail needed.

2016-02-18 Thread Thomas Schulz

A recommended way to set up a ZSK rollover is to set the inactive date of
the current key one month later than the publish date of the replacement key.
This makes sense as the RRSIG records are created to last one month from
their creation date.
Now if I try to speed up the ZSK rollover to make the old ZSK inactive
a few days after the replacement key is created (and make the replacement
key active at that time), will Bind start makeing new RRSIG records at that
time even though the current RRSIG records may have weeks to go.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

com.google how did they do that

2015-04-01 Thread Thomas Schulz

As of the time I am sending this, you can point your browser to
http://com.google and get a web page. How did they get com.google
to resolve?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Sudden large increase in process size, machine hang

2014-12-03 Thread Thomas Schulz

This last week we had a sudden large increase in the size of the named
process resulting in the machine running out of memory and hanging.
This is with bind 9.9.6 on a Solaris 10 Sparc machine.

I have posted in the past about a steady continuous growth in the
size of the named process. The Subjects for those posts are:
failed: out of memory
Process size versus cache size.
bind-9.10.0-P2 memory leak?  (I hijacked someone else's thread)

I have also filed a bug report about this continuous growth.

The following measurements show the steady continuous growth over
a little more than a month.

Thu Oct 16 14:01:42 EDT 2014 46014
Thu Oct 16 14:04:50 EDT 2014 99835
Thu Oct 23 20:06:01 EDT 2014317071
Thu Oct 30 09:31:31 EST 2014426647
Thu Nov  6 20:06:01 EST 2014532291
Thu Nov 13 11:00:46 EST 2014618143
Thu Nov 20 20:06:00 EST 2014701472

But then last week the following happened.

Wed Nov 26 08:06:00 EST 2014758702
Wed Nov 26 20:06:00 EST 2014   2099961
Thu Nov 27 08:06:01 EST 2014   3416580
Thu Nov 27 20:06:00 EST 2014   4618297
Fri Nov 28 08:06:00 EST 2014   5733163
Fri Nov 28 20:06:01 EST 2014   6801203
Sat Nov 29 08:06:52 EST 2014   No output from the ps command.

We were closed for thanksgiving when this happened. The only recursive
queries would have been for email processing by Sendmail. Monday morning
we had to reboot the machine by powering it down and back up.
The logs did not show any unusual messages from the named process.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Dumping the statistics channel

2014-11-03 Thread Thomas Schulz

I have been asked to dump the statistics to help document a suspected
memory leak in named. When I look at the statistics with Firefox, I see
a nicely formatted set of statistics. If I then dump the statistics to
a file with wget and then use Firefox to view the file, I see data but
there is no formatting and the output seems to be unreadable.

So, is this file what I should send to isc.org? Should I be using some
options to wget to get a file that displays nicely in Firefox?
I have also tried to use Firefox's 'Save Page As' option to dump the
statistics, but that resulted in the same saved file as I got with wget.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.10.0-P2 memory leak?

2014-10-14 Thread Thomas Schulz

 On Mon, 13 Oct 2014, Thomas Schulz wrote:
 
  I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views.
  The inital process size was 36 MB. The process grew to 184 MB. It grew
  to 596 MB without the max-cache-size being set and was still growing
  when I restarted it.  BUT when I now do an rndc dumpdb -cache, the
  named_dump.db file contains only the line
  
  ; Dump complete
  
  and nothing else.
  
  So, if you put any limit on the cache size, you will end up with an empty
  cache. I do believe that there is a bug that needs to be fixed.
 
 I wasn't able to reproduce this with 9.9.6 (or a recent master).  Can 
 you please send your configuration (like named-checkconf -px) to 
 bind9-bugs AT isc.org? Thank you.

I sent the configuration, hopefully in a usable format. Note that my
concern is not specifically with the cache. I was investigating the
cache as a possable cause of the unlimited growth in memory usage that
I am seeing. The various experiments that I have done seem to point to
the cache as the cause of the problem. See also the posts with the
subject 'Process size versus cache size'.

To the originator of this thread. Sorry if I have hijacked your thread.
It is possible that the problem you are seeing has a different cause than
the problem I am seeing. Perhaps you should also send in a report to
bind9-bugs AT isc.org.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Inline-signing feature request: Directly set the signed zone's serial number

2014-10-13 Thread Thomas Schulz

 Hi,
 
 After reinitialising the inline-signing process (for example by
 removing the journal files or redeploying the master server) the
 freshly signed zone's serial number will usually be behind the
 authoritative version on the slaves causing transfers to fail 
 possibly leading to expired signatures, zone expiry, etc.

If you redeploy the master server, couldn't you just copy the journal
files over from the old server? And, the rest of the time, never remove
journal files.

 Currently, bumping the serial number of the unsigned zones to exceed
 that of the slaves is required, however it would be /convenient/ to
 have a one-shot method (perhaps via rndc) for specifying the signed
 zone serial number such that this doesn't require edits to the
 unsigned zone files.
 
 This is especially useful in bootstrapping scenarios where the zone
 data is held under strict revision control or generated by some
 provisioning system that owns the serial number.
 
 Am I on my own with this or would others find this useful?
 
 
 Thanks,
 
 Terry

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.10.0-P2 memory leak?

2014-10-13 Thread Thomas Schulz

 ...
 Heh thanks, yeah...initially I was erring on the side of caution and using
 9.9.x because it's served us well (~20k recursive clients without any
 significant problems).  Meanwhile we've been keeping a close eye on
 community comments, and to be honest opinions wax and wane.  Just as I
 think it's stabilized, someone else complains.  I suppose sticking to
 9.9.x a bit longer is wise.
 
 That said, based on the 9.10.1 fixes, we will run it through our own perf
 tests for comparison.  Upgrades are automated and easy, but I'd obviously
 like to go live with the latest version unless there is a strong technical
 reason otherwise.
 
 FYI, 9.9 is the current Extended Support Version (ESV).  If you're
 looking for a version of BIND with a long period of maintenance, there
 will be ongoing 9.9.x, 9.9.x+1 etc. releases and interim patches if needed.
 
 http://www.isc.org/downloads/software-support-policy/

 I mentioned this earlier, but I have been seeing the very large increases
 in process size with Bind 9.9.5-P1 and 9.9.6b1. I have just installed
 9.10.1rc2 on one of our secondary name servers. In time I will be able
 to see if 9.10.1rc2 shows a bigger increase in process size than 9.9.5-P1
 did. I have restarted 9.9.6b1 with max-cache-size 30M on our primary
 server. Both experiments will take some time before I can tell what
 is happening.

For those seeing this problem on bind 9.10.1, did you upgrade from 9.9.6
or from an earlier version of bind 9.9.*? As mentioned above, I am seeing
this problem on 9.9.6. I do not find bind 9.10.1 growing any faster than
9.9.6 does.

I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views.
The inital process size was 36 MB. The process grew to 184 MB. It grew
to 596 MB without the max-cache-size being set and was still growing
when I restarted it.  BUT when I now do an rndc dumpdb -cache, the
named_dump.db file contains only the line

; Dump complete

and nothing else.

So, if you put any limit on the cache size, you will end up with an empty
cache. I do believe that there is a bug that needs to be fixed.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.10.0-P2 memory leak?

2014-09-15 Thread Thomas Schulz

 ...
  Heh thanks, yeah...initially I was erring on the side of caution and using
  9.9.x because it's served us well (~20k recursive clients without any
  significant problems).  Meanwhile we've been keeping a close eye on
  community comments, and to be honest opinions wax and wane.  Just as I
  think it's stabilized, someone else complains.  I suppose sticking to
  9.9.x a bit longer is wise.
  
  That said, based on the 9.10.1 fixes, we will run it through our own perf
  tests for comparison.  Upgrades are automated and easy, but I'd obviously
  like to go live with the latest version unless there is a strong technical
  reason otherwise.
 
 FYI, 9.9 is the current Extended Support Version (ESV).  If you're
 looking for a version of BIND with a long period of maintenance, there
 will be ongoing 9.9.x, 9.9.x+1 etc. releases and interim patches if needed.
 
 http://www.isc.org/downloads/software-support-policy/

I mentioned this earlier, but I have been seeing the very large increases
in process size with Bind 9.9.5-P1 and 9.9.6b1. I have just installed
9.10.1rc2 on one of our secondary name servers. In time I will be able
to see if 9.10.1rc2 shows a bigger increase in process size than 9.9.5-P1
did. I have restarted 9.9.6b1 with max-cache-size 30M on our primary
server. Both experiments will take some time before I can tell what
is happening.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Thomas Schulz

 Mike Hoskins wrote:

 Do you guys have max-cache-size set?  I didn't see it in the borderworlds
 named.conf.  I've seen similar growth problems when testing 9.x before
 setting that (experiment at the time just to see what would happen, and
 confirmed this behavior).  Set sensible resource limits based on available
 resources.

I am going to see what happens with max-cache-size set, but I am convinced
that there is a bug in bind. My named has been running for 7.5 weeks now
and has been steadily growing in size except for a 1.5 week pause after I
did an rndc flush. The process size started out at 36 MB and is now up to
584 MB. But when I do an rndc dumpdb -cache I get a file that is only 5 MB
in size. Given the automatic cache cleaning, named should stabilize in
size in less than 7.5 weeks.

 -Original Message-
 From: Vin?cius Ferr?o fer...@if.ufrj.br
 Date: Tuesday, September 9, 2014 at 10:17 AM
 To: Thomas Schulz sch...@adi.com
 Cc: bind-us...@isc.org bind-us...@isc.org
 Subject: Re: bind-9.10.0-P2 memory leak?
 
I'm having the exactly same issue. Take a look at my post @ServerFault:
http://serverfault.com/questions/616752/bind-9-10-constantly-killed-on-fre
ebsd-10-0-with-out-of-swap-space

Sent from my iPhone

On 09/09/2014, at 11:15, Thomas Schulz sch...@adi.com wrote:

 Hello
 
 I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and
 after a while one of them ended up using all its swap and the named
 process got killed. The other servers are seeing similar behaviour,
but 
 I restarted named on all of them to postpone further crashes.
 
 I am using rate-limiting as well DLZ with PostgreSQL. The server has
two 
 views. The operating system is FreeBSD 8.4.
 
 My configuration:
 http://borderworlds.dk/~xi/named-leak/named.conf
 
 Log of the memory usage:
 http://borderworlds.dk/~xi/named-leak/named-mem-usage.log
 
 As you can see, in less than a week, named has grown more than 900MB
in 
 size.
 
 Is anyone else experiencing something similar?
 
 If I need to provide more information, I will be happy to do so.
 
 -- 
 Christian Laursen
 
 What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
 grow without any evidence that it will ever stop. See my mail to this
 list with the subject Re: Process size versus cache size. Mine is
 growing slower than yours, but it is now up to 548 MB.
 
 Tom Schulz
 Applied Dynamics Intl.
 sch...@adi.com

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Thomas Schulz

  Can you copy and paste the out of memory error you are seeing?  Is it 
  still growing? Does it appear to work?
 
 I see your other thread answers some.
 https://lists.isc.org/pipermail/bind-users/2014-July/093618.html

Unfortunately the logs containing the out of memory errors have been
purged. Those errors have not reoccurred with the 64 bit named.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: A record of domain name must be name server ?

2014-09-11 Thread Thomas Schulz

 On 9/11/2014 11:51 AM, Mark Elkins wrote:
 On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote:
 Mark,
  Depending on implementation, a PTR RRset with multiple
 records either

 -- only ever gets answered with the first record of the set (in
 which case the second and subsequent records of the set are just a
 waste of space), or
 -- answers in a random, cyclic and/or round-robin fashion (in which
 case, the results are non-deterministic from the standpoint of a
 client, and this can cause problems and/or confusion)

 Last time I checked, ALL matching records are returned as a single
 Resource Record Set - (and in the case of DNSSEC - covered with a single
 signature).

 What the receiver does with it is up to that receiver... as you say -
 some of the information may be discarded.
 If the invoker is using the classic gethostbyaddr() interface, then 
 it'll only see the RDATA from the first PTR RR, where first is 
 determined by the local nameserver implementation and/or the local 
 Operating System interface for name resolution.

 So, although the standards allow multiple RRs, in practical terms, it
 only makes sense for a PTR RRset to contain a *single* RR.
 I would still disagree. When there is forward--reverse checking, one
 may need the complete answer. I certainly have some processes that do an
 exhaustive check.
 Certainly if one gets down to the resolver-library level and grovels 
 through all of the RRs in the Answer Section of the response packet, one 
 could certainly care more than the typical reverse-resolving 
 app/subsystem would. And any software that builds up certain heightened 
 expectations is likely to complain if those expectations are not met.
 
  - Kevin
 On 9/11/2014 3:45 AM, Mark Elkins wrote:

 On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote:
 No, what I'm saying is that if

 example.com owns an A record 203.0.113.48, and
 www.example.com owns an A record 203.0.113.48, then

 where does 48.113.0.203.in-addr.arpa point?

 Some people will point it at example.com, some will point it at
 www.example.com. What you get is a mish-mosh. No consistency.
 Although I prefer the use of a CNAME solution (CNAME www.example.com to
 example.com), in the case of separate A (and ) records, one could
 point the reverse to both names. Nothing wrong with a PTR record having
 more than one answer. There is then no inconsistency, just choice. After
 all, pretty much every NS record has at least two Right-Hand-Sides
 (Answers)


 If, on the other hand, www.example.com is a CNAME to example.com, then
 it's crystal clear where the reverse record will point -- example.com.
 There is no ambiguity or option for inconsistency.

   - Kevin

 On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:
 Hey Kevin,

 This is not an issue at all.
 A PTR is different then a A record and can be used by two reverse
 domain names and only the owner of the IP addresses space can define
 them.
 I am not sure if two PTR records for two domains will be applied to
 one IP but it is possible for two IP addresses to have the same PTR.

 Can we even use a CNAME as a PTR???

 Eliezer

 On 09/11/2014 12:37 AM, Kevin Darcy wrote:
 Also, have you considered the forward/reverse ambiguity that arises when
 multiple owner names resolve to the same address? To which of those
 names does the PTR point?

   - Kevin

Well, this is certainly getting far away from an answer to the original
qustion!

Originally our web server was only available as www.adi.com. Later I
noticed that a lot of sites were available without the www. So I decided
to allow our web server to be available as adi.com. But I still consider
www.adi.com to be the real name of the server. And I certainly can not
alias adi.com to www.adi.com!

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: A record of domain name must be name server ?

2014-09-10 Thread Thomas Schulz

 Hi,
 
 xxx.com and IP address 192.168.1.100 is just a example domain name and IP
 address. Our boss want everybody access our domain example.com through
 browser, then it will redirect to our web site www.example.com. So I want
 to get more information about unexpected impact when we changed DNS records.
 
 Thanks for your help.
 
 Best Regards,
 Pete Fong

Here is how I have things set up here. Our domain is adi.com. We have
three name servers set up. Our web site can be accessed as both
www.adi.com and adi.com. Here is what I have on our zone file:


@   in  ns  bluegill.adi.com.
in  ns  a.dns.tds.net.
in  ns  seahorse.adi.com.

bluegillin  A   75.100.245.131
seahorsein  A   75.100.245.134
www in  A   75.100.245.133
@   in  A   75.100.245.133

@   in  mx  0   mackerel.adi.com.
in  mx  10  seahorse.adi.com.
in  mx  20  bluegill.adi.com.

Note that address 75.100.245.133 is entered twice.
The mx records are to get email to work correctly.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind-9.10.0-P2 memory leak?

2014-09-09 Thread Thomas Schulz

 Hello
 
 I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and 
 after a while one of them ended up using all its swap and the named 
 process got killed. The other servers are seeing similar behaviour, but 
 I restarted named on all of them to postpone further crashes.
 
 I am using rate-limiting as well DLZ with PostgreSQL. The server has two 
 views. The operating system is FreeBSD 8.4.
 
 My configuration:
 http://borderworlds.dk/~xi/named-leak/named.conf
 
 Log of the memory usage:
 http://borderworlds.dk/~xi/named-leak/named-mem-usage.log
 
 As you can see, in less than a week, named has grown more than 900MB in 
 size.
 
 Is anyone else experiencing something similar?
 
 If I need to provide more information, I will be happy to do so.
 
 -- 
 Christian Laursen

What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
grow without any evidence that it will ever stop. See my mail to this
list with the subject Re: Process size versus cache size. Mine is
growing slower than yours, but it is now up to 548 MB.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Process size versus cache size.

2014-09-05 Thread Thomas Schulz

On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote:
 In investigating an out of memory error on a Solaris 8 Sparc
 machine (compiled as a 32 bit executable), I find that the process
 size increase due to the cache does not make sense.

 Over about a week the process size had grown to 257 MB, up from an
 initial size of 36 MB. But when I dumped the cache with rndc dumpdb
 -cache, the resulting named_dump.db file was only 6 MB in size.
 Given the way the file is formatted, I would expect that the in
 memory version would be smaller than that.

 But when I did a 'rndc flush', the process stopped growing for about
 the same number of days that it took to reach 257 MB. That indicates
 that the increase in process size really is due to the cache. The
 increase in process size from 36 MB to 257 MB does not make sense
 given that the cache dump is only 6 MB.

 What version of BIND is this?  And do you use statistics-channel?
 I'd be interested to see what the memory stats look like on a running
 server.

 --
 Evan Hunt -- e...@isc.org
 Internet Systems Consortium, Inc.

I have tried both BIND 9.9.5-P1 and 9.9.6b1. The figures given above
were for 9.9.6b1. I do not have a statistics-channel set up or anything
having to do with logging set up.
I have since rebuilt BIND as a 64 bit executable, so I expect that I will
not have out of memory errors again. But I am seeing the same unexpected
increase in process size.

The 64 bit named has now run for slightly over 3 weeks without hanging
up with an out of memory error (the 32 bit named would die in about 10
days). The process size has grown to 513 MB, up from an initial size of
36 MB, amd is still growing. This time rndc dumpdb -cache produced a
4.8 MB file.

I am now redoing my previous experiment with rndc flush to verify that
this is really a problem with the cache. If the process size stays the
same for 3 weeks and then starts to grow again, then I think that we
can conclude that there is something funny going on with the cache.

Evan: if there is some debugging you would like me to do, let me know.
Preferably something that does not require killing and restarting the
process, at least not for a few weeks.

The process size was stable at 513 MB for 18 days (not quite 3 weeks)
and then started growing again. So it does look like the growth in the
process size is mostly due to the cache. The process size is now up to
529 MB. The next thing to do is to just let it run and see if it ever
stops growing. I still think that there is something funny going on
with the cache.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Root servers

2014-08-15 Thread Thomas Schulz

 On Thu, Aug 14, 2014 at 02:26:54PM -0500, Bill Christensen wrote:
  I'm seeing some root server errors on startup:
  
  14-Aug-2014 13:14:08.142 info: host unreachable resolving 
  'd.gtld-servers.net//IN': 2001:503:ba3e::2:30#53
  14-Aug-2014 13:14:08.215 info: host unreachable resolving 
  'b.gtld-servers.net/A/IN': 2001:503:231d::2:30#53
  14-Aug-2014 13:14:08.220 info: host unreachable resolving 
  'c.gtld-servers.net/A/IN': 2001:503:231d::2:30#53
  14-Aug-2014 13:14:08.522 info: host unreachable resolving 
  'd.gtld-servers.net//IN': 2001:503:83eb::2:31#53
  14-Aug-2014 13:14:08.595 info: host unreachable resolving 
  'c.gtld-servers.net/A/IN': 2001:503:a83e::2:31#53
  14-Aug-2014 13:14:08.793 info: host unreachable resolving 
  'b.gtld-servers.net//IN': 2001:503:c27::2:30#53
  14-Aug-2014 13:14:08.794 info: host unreachable resolving 
  'b.gtld-servers.net//IN': 2001:dc3::35#53
  14-Aug-2014 13:14:08.795 info: host unreachable resolving 
  'c.gtld-servers.net//IN': 2001:503:c27::2:30#53
  14-Aug-2014 13:14:08.796 info: host unreachable resolving 
  'c.gtld-servers.net//IN': 2001:dc3::35#53
  
  
  How do I correct that?
 
 It looks like your system thinks it has IPv6 connectivity, but it
 doesn't really have it.  You can disable IPv6 at the OS level or:
 named -4.
 
  It looks like my root pointers are horribly out of date.  Seems
  to me this is something which should automatically update...
 
 Not much, and yes.
 
  ;   This file is made available by InterNIC
  ;   under anonymous FTP as
  ;   file/domain/named.root
  ;   on server   FTP.INTERNIC.NET
  ;   -OR-RS.INTERNIC.NET
  ;
  ;   last update:Feb 04, 2008
  ;   related version of root zone:   2008020400
 
 That's old, but not so old as to prevent you from reaching an actual 
 root server.  Of course it was 2 years before the root was signed.
 -- 
   http://rob0.nodns4.us/
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

I will add my $0.02. The named executable has the root information built
in so that it can start up if there is no named.root file available.
So, if you had no named.root file but did have the latest release of
Bind then you would have the current data. If you do not update Bind
the moment that a new version is released then you need a current
named.root file. Just go get a new one from the server listed at the
top of the old file.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Process size versus cache size.

2014-08-14 Thread Thomas Schulz

On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote:
 In investigating an out of memory error on a Solaris 8 Sparc
 machine (compiled as a 32 bit executable), I find that the process
 size increase due to the cache does not make sense.

 Over about a week the process size had grown to 257 MB, up from an
 initial size of 36 MB. But when I dumped the cache with rndc dumpdb
 -cache, the resulting named_dump.db file was only 6 MB in size.
 Given the way the file is formatted, I would expect that the in
 memory version would be smaller than that.

 But when I did a 'rndc flush', the process stopped growing for about
 the same number of days that it took to reach 257 MB. That indicates
 that the increase in process size really is due to the cache. The
 increase in process size from 36 MB to 257 MB does not make sense
 given that the cache dump is only 6 MB.

 What version of BIND is this?  And do you use statistics-channel?
 I'd be interested to see what the memory stats look like on a running
 server.

 --
 Evan Hunt -- e...@isc.org
 Internet Systems Consortium, Inc.

I have tried both BIND 9.9.5-P1 and 9.9.6b1. The figures given above
were for 9.9.6b1. I do not have a statistics-channel set up or anything
having to do with logging set up.
I have since rebuilt BIND as a 64 bit executable, so I expect that I will
not have out of memory errors again. But I am seeing the same unexpected
increase in process size.

The 64 bit named has now run for slightly over 3 weeks without hanging
up with an out of memory error (the 32 bit named would die in about 10
days). The process size has grown to 513 MB, up from an initial size of
36 MB, amd is still growing. This time rndc dumpdb -cache produced a
4.8 MB file.

I am now redoing my previous experiment with rndc flush to verify that
this is really a problem with the cache. If the process size stays the
same for 3 weeks and then starts to grow again, then I think that we
can conclude that there is something funny going on with the cache.

Even: if there is some debugging you would like me to do, let me know.
Preferably something that does not require killing and restarting the
process, at least not for a few weeks.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Process size versus cache size.

2014-07-24 Thread Thomas Schulz

 On Wed, Jul 23, 2014 at 02:15:34PM -0400, Thomas Schulz wrote:
  In investigating an out of memory error on a Solaris 8 Sparc
  machine (compiled as a 32 bit executable), I find that the process
  size increase due to the cache does not make sense.
  
  Over about a week the process size had grown to 257 MB, up from an
  initial size of 36 MB. But when I dumped the cache with rndc dumpdb
  -cache, the resulting named_dump.db file was only 6 MB in size.
  Given the way the file is formatted, I would expect that the in
  memory version would be smaller than that.
  
  But when I did a 'rndc flush', the process stopped growing for about
  the same number of days that it took to reach 257 MB. That indicates
  that the increase in process size really is due to the cache. The
  increase in process size from 36 MB to 257 MB does not make sense
  given that the cache dump is only 6 MB.
 
 What version of BIND is this?  And do you use statistics-channel?  
 I'd be interested to see what the memory stats look like on a running
 server.
 
 -- 
 Evan Hunt -- e...@isc.org
 Internet Systems Consortium, Inc.
 
I have tried both BIND 9.9.5-P1 and 9.9.6b1. The figures given above
were for 9.9.6b1. I do not have a statistics-channel set up or anything
having to do with logging set up.
I have since rebuilt BIND as a 64 bit executable, so I expect that I will
not have out of memory errors again. But I am seeing the same unexpected
increase in process size.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Process size versus cache size.

2014-07-23 Thread Thomas Schulz

In investigating an out of memory error on a Solaris 8 Sparc
machine (compiled as a 32 bit executable), I find that the process
size increase due to the cache does not make sense.

Over about a week the process size had grown to 257 MB, up from an
initial size of 36 MB. But when I dumped the cache with rndc dumpdb
-cache, the resulting named_dump.db file was only 6 MB in size.
Given the way the file is formatted, I would expect that the in
memory version would be smaller than that.

But when I did a 'rndc flush', the process stopped growing for about
the same number of days that it took to reach 257 MB. That indicates
that the increase in process size really is due to the cache. The
increase in process size from 36 MB to 257 MB does not make sense
given that the cache dump is only 6 MB.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: failed: out of memory

2014-07-22 Thread Thomas Schulz

 You'll want to use max-cache-size to enforce a hard limit on the size 
 of your cache.  
 http://www.zytrax.com/books/dns/ch7/hkpng.html#max-cache-size
 
 /Tim
 
 ---
 Tim Krzywonos
 e:: t...@krzywonos.ca

Thanks for reminding me of that. Now that I have some confidence
that the problem is the cache and not some funny memory leak, I
think I can rely on setting a limit. I still find it strange that
when I dumped the cache, the resulting file was only 6 MB in size.
The process size had grown to 257 MB, up form an initial size of
36 MB. It does not make sense
 
 On 2014-07-21 10:57, sch...@adi.com wrote:
 Have you tried an rndc flush?  You can also dump the contents of 
 the
 cache to find the (approximate) size of the cache.  If related to 
 cache,
 you can tweak parameters to cache, most namely max-cache-size.  
 IIRC,
 the cache doesn't have a size limit by default.

 /Tim

 I did an rndc dumpdb -cache and the size of the named_dump.db that
 resulted is 5927042. Not all that big condidering how it is 
 formatted.
 Late last night I did a rndc flush. At that time the size of named
 was 31305 pages of 8192 bytes. As of now (13 hours later) the size
 is still 31305. I will see what happens.

 See below for our named.conf and then my original description of the
 problem.

 As of this morning (3 days 12 hours later) named is still at 31305 
 pages.
 So it appears that the continuous growth that I was seeing is due to 
 the
 cache.

 Unfortunately my investigation has not been very methodical. I should
 have noted the size of the named process when I was getting the out 
 of
 memory errors. I also should have noted the rate of growth of 
 9.9.5-P1
 before trying 9.9.6b1. I am going to switch back to 9.9.5-P1 for a 
 few
 days and see if the rate of growth is about the same or if it is much
 worse. (The initial size was 4734 pages and jumped to 7666 within
 5 minutes). Assuming that the cache cleaning is working correctly, it
 may be that a 32 bit process is just not viable these days. I have 
 now
 built a 64 bit named and will switch to that in a few days.

 A big problem is that I will be going on vacation at the end of the 
 week
 and I really want to make sure that named does not shut down while I 
 am
 away. There is really not enough time to do enough testing to make
 sure of that. I may set up a cron job to do a daily rndc flush while 
 I
 am away.


 I was asked off list for our named.conf. Here it is.
 options {
 directory /var/named;
 acache-enable yes;
 auth-nxdomain no;
 transfer-format many-answers;
 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;
 };
 managed-keys {
 dlv.isc.org. initial-key 257 3 5 .;
 };
 managed-keys {
   . initial-key 257 3 8 ...;
 };

 view internal {
 match-clients { !192.168.3.95; !192.168.3.150;
 !192.168.4.0/24; localnets;
 };
 sortlist {
 { 192.168.2.0/24; { 192.168.2.0/24; 192.168.3.0/24; 
 }; };
 { 192.168.3.0/24; { 192.168.3.0/24; 192.168.2.0/24; 
 }; };
 };
 zone . {
 type hint;
 file named.root;
 };

 zone adi.com {
 type master;
 file adi.com.hosts.int;
 check-names ignore;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };

 zone 130-157.245.100.75.in-addr.arpa {
 type master;
 file 75.100.245.130-157.revhosts;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };

 zone 2.168.192.in-addr.arpa {
 type master;
 file 192.168.2.revhosts.int;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };

 zone 3.168.192.in-addr.arpa {
 type master;
 file 192.168.3.revhosts.int;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };

 zone 4.168.192.in-addr.arpa {
 type master;
 file 192.168.2.revhosts.int;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };

 zone localhost {
 type master;
 notify no;
 file named.local;
 };

 zone 0.0.127.in-addr.arpa {
 type master;
 notify no;
 file named.revlocal;
 };

Re: failed: out of memory

2014-07-21 Thread Thomas Schulz

  Have you tried an rndc flush?  You can also dump the contents of the 
  cache to find the (approximate) size of the cache.  If related to cache, 
  you can tweak parameters to cache, most namely max-cache-size.  IIRC, 
  the cache doesn't have a size limit by default.
  
  /Tim
  
 I did an rndc dumpdb -cache and the size of the named_dump.db that
 resulted is 5927042. Not all that big condidering how it is formatted.
 Late last night I did a rndc flush. At that time the size of named
 was 31305 pages of 8192 bytes. As of now (13 hours later) the size
 is still 31305. I will see what happens.

See below for our named.conf and then my original description of the
problem.

As of this morning (3 days 12 hours later) named is still at 31305 pages.
So it appears that the continuous growth that I was seeing is due to the
cache.

Unfortunately my investigation has not been very methodical. I should
have noted the size of the named process when I was getting the out of
memory errors. I also should have noted the rate of growth of 9.9.5-P1
before trying 9.9.6b1. I am going to switch back to 9.9.5-P1 for a few
days and see if the rate of growth is about the same or if it is much
worse. (The initial size was 4734 pages and jumped to 7666 within
5 minutes). Assuming that the cache cleaning is working correctly, it
may be that a 32 bit process is just not viable these days. I have now
built a 64 bit named and will switch to that in a few days.

A big problem is that I will be going on vacation at the end of the week
and I really want to make sure that named does not shut down while I am
away. There is really not enough time to do enough testing to make
sure of that. I may set up a cron job to do a daily rndc flush while I
am away.

 
 I was asked off list for our named.conf. Here it is.
 options {
 directory /var/named;
 acache-enable yes;
 auth-nxdomain no;
 transfer-format many-answers;
 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;
 };
 managed-keys {
 dlv.isc.org. initial-key 257 3 5 .;
 };
 managed-keys {
   . initial-key 257 3 8 ...;
 };
 
 view internal {
 match-clients { !192.168.3.95; !192.168.3.150;
 !192.168.4.0/24; localnets;
 };
 sortlist {
 { 192.168.2.0/24; { 192.168.2.0/24; 192.168.3.0/24; }; };
 { 192.168.3.0/24; { 192.168.3.0/24; 192.168.2.0/24; }; };
 };
 zone . {
 type hint;
 file named.root;
 };
 
 zone adi.com {
 type master;
 file adi.com.hosts.int;
 check-names ignore;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };
 
 zone 130-157.245.100.75.in-addr.arpa {
 type master;
 file 75.100.245.130-157.revhosts;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };
 
 zone 2.168.192.in-addr.arpa {
 type master;
 file 192.168.2.revhosts.int;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };
 
 zone 3.168.192.in-addr.arpa {
 type master;
 file 192.168.3.revhosts.int;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };
 
 zone 4.168.192.in-addr.arpa {
 type master;
 file 192.168.2.revhosts.int;
 notify explicit;
 also-notify {
 192.168.2.95;
 192.168.2.150;
 };
 };
 
 zone localhost {
 type master;
 notify no;
 file named.local;
 };
 
 zone 0.0.127.in-addr.arpa {
 type master;
 notify no;
 file named.revlocal;
 };
 
 zone com {
 type delegation-only;
 };
 
 zone net {
 type delegation-only;
 };
 };
 
 view internal4 {
 match-clients { 192.168.4.0/24; };
 zone . {
 type hint;
 file named.root;
 };
 
 zone adi.com {
 type master;
 file adi.com.hosts.int4;
 check-names ignore;
 notify explicit;
 also-notify {
 192.168.4.95;
 192.168.4.150;
 };
 };
 
 zone

Re: failed: out of memory

2014-07-18 Thread Thomas Schulz

 Have you tried an rndc flush?  You can also dump the contents of the 
 cache to find the (approximate) size of the cache.  If related to cache, 
 you can tweak parameters to cache, most namely max-cache-size.  IIRC, 
 the cache doesn't have a size limit by default.
 
 /Tim
 
I did an rndc dumpdb -cache and the size of the named_dump.db that
resulted is 5927042. Not all that big condidering how it is formatted.
Late last night I did a rndc flush. At that time the size of named
was 31305 pages of 8192 bytes. As of now (13 hours later) the size
is still 31305. I will see what happens.

I was asked off list for our named.conf. Here it is.
options {
directory /var/named;
acache-enable yes;
auth-nxdomain no;
transfer-format many-answers;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
};
managed-keys {
dlv.isc.org. initial-key 257 3 5 .;
};
managed-keys {
  . initial-key 257 3 8 ...;
};

view internal {
match-clients { !192.168.3.95; !192.168.3.150;
!192.168.4.0/24; localnets;
};
sortlist {
{ 192.168.2.0/24; { 192.168.2.0/24; 192.168.3.0/24; }; };
{ 192.168.3.0/24; { 192.168.3.0/24; 192.168.2.0/24; }; };
};
zone . {
type hint;
file named.root;
};

zone adi.com {
type master;
file adi.com.hosts.int;
check-names ignore;
notify explicit;
also-notify {
192.168.2.95;
192.168.2.150;
};
};

zone 130-157.245.100.75.in-addr.arpa {
type master;
file 75.100.245.130-157.revhosts;
notify explicit;
also-notify {
192.168.2.95;
192.168.2.150;
};
};

zone 2.168.192.in-addr.arpa {
type master;
file 192.168.2.revhosts.int;
notify explicit;
also-notify {
192.168.2.95;
192.168.2.150;
};
};

zone 3.168.192.in-addr.arpa {
type master;
file 192.168.3.revhosts.int;
notify explicit;
also-notify {
192.168.2.95;
192.168.2.150;
};
};

zone 4.168.192.in-addr.arpa {
type master;
file 192.168.2.revhosts.int;
notify explicit;
also-notify {
192.168.2.95;
192.168.2.150;
};
};

zone localhost {
type master;
notify no;
file named.local;
};

zone 0.0.127.in-addr.arpa {
type master;
notify no;
file named.revlocal;
};

zone com {
type delegation-only;
};

zone net {
type delegation-only;
};
};

view internal4 {
match-clients { 192.168.4.0/24; };
zone . {
type hint;
file named.root;
};

zone adi.com {
type master;
file adi.com.hosts.int4;
check-names ignore;
notify explicit;
also-notify {
192.168.4.95;
192.168.4.150;
};
};

zone 130-157.245.100.75.in-addr.arpa {
type master;
file 75.100.245.130-157.revhosts;
notify explicit;
also-notify {
192.168.4.95;
192.168.4.150;
};
};

zone 2.168.192.in-addr.arpa {
type master;
file 192.168.2.revhosts.int;
notify explicit;
also-notify {
192.168.4.95;
192.168.4.150;
};
};

zone 3.168.192.in-addr.arpa {
type master;
file 192.168.3.revhosts.int;
notify explicit;
also-notify {
192.168.4.95;
192.168.4.150;
};
};

zone 4.168.192.in-addr.arpa {
type master;
file 192.168.2.revhosts.int;
notify explicit;
also-notify {
192.168.4.95;
192.168.4.150;
};
};

zone localhost {
type master;
notify no;
file named.local;
};

zone 0.0.127.in-addr.arpa {

failed: out of memory

2014-07-17 Thread Thomas Schulz

We are running Bind on a Sun Sparc machine running Solairs 8. Bind is
built as a 32 bit executable as that is the default and is the way
libcrypto and libxml2 are built. We have been running Bind 9.9.5.
I am now trying Bind 9.9.6b1 as that claims to have fixed some memory
leaks.

For some time now Bind has stopped being able to do recursive queries
every couple of weeks and I have been just restarting it. I decided to
look into this and found it logging out of memory errors. This seems to
have started happening after I set up bind to sign our domain, adi.com.
The server is bluegill.adi.com. It is set up with 3 views. Two are internal
views and can do recursive queries. One is the external view and does
not allow recursive queries.

Since restarting named, this time Bind 9.9.6b1, I have been checking
the memory usage every day. The usage in pages of 8192 bytes for the
last 7 days are:
16,517  19,221  20,111  23,707  24,957  26,384  28,231  29,912

Note that this shows no signs of settling down. I am looking into
the possability of rebuilding Bind as a 64 bit executable as that
should take much longer to run out of memory.

A recient section of the log showing that the cleaner is running:
Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice]
acache 91e6a30 stats: hits=0 misses=6 queries=6 adds=6 deleted=5
cleaned=5 cleaner_runs=140 overmem=0 overmem_nocreates=0 nomem=0
Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice]
acache 91e6a30 cleaning interval set to 3600.
Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice]
acache 933f990 stats: hits=3299 misses=79 queries=3378 adds=86 deleted=370
cleaned=370 cleaner_runs=144 overmem=0 overmem_nocreates=0 nomem=0
Jul 17 10:24:44 bluegill named[9334]: [ID 873579 daemon.notice]
acache 933f990 cleaning interval set to 3600.
Jul 17 10:24:46 bluegill named[9334]: [ID 873579 daemon.notice]
acache 9166a20 stats: hits=76514 misses=4348 queries=80862 adds=4348
deleted=3717 cleaned=3717 cleaner_runs=144 overmem=0 overmem_nocreates=0
nomem=0
Jul 17 10:24:46 bluegill named[9334]: [ID 873579 daemon.notice]
acache 9166a20 cleaning interval set to 3600.
Jul 17 10:29:51 bluegill named[9334]: [ID 873579 daemon.notice]
clients-per-query decreased to 10


Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and upgrading/restoring

2014-01-28 Thread Thomas Schulz

 Asking again, in a different and more generic form: When rebuilding a
 bind 9.9.4 server running DNSSEC with auto maintain, are there any steps
 I need to take beyond just backing up /var/named/etc/namedb (this is on
 FreeBSD) and restoring?
 
 This server is authoritative and primary, and has slaves for multiple
 domains.
 
 I'm concerned about keeping keys, serial numbers, and any other dynamic
 info in sync.
 
 Thanks!
 
 dn

This may not apply to FreeBSD, but you should backup the main named.conf
if it is in some other directory than /var/named/etc/namedb. On my system
(Solaris) named.conf and a key file for managed keys for the root are in
/etc.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Upgrading from 9.8.3 to 9.9.4

2014-01-23 Thread Thomas Schulz

 I just remembered there was also the change to the db file
 having a default raw format on slaves unless specified.

Interesting. I did not notice that when it happened, but now that I
look, I see that my slaves indeed have raw format files. Apparently
the switch over did not require me to do anything.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable DNSSEC

2014-01-07 Thread Thomas Schulz

 
 Once the DS record is removed from the .edu zone, queriers won't
 expect your zone to be signed any more. At that point, you can leave
 it signed or remove the signatures, and it won't make any difference.
 You just need to wait at least 24 hours from the time the record
 disappears from the .edu zone.
 
I suggest you wait a little bit longer then that. There are multiple
name servers for edu and you want to make sure that all of them have
removed the DS record.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS with several ip adessess

2014-01-03 Thread Thomas Schulz

 Views have been in bind for all recent history.
 
 I've watched this thread and have been biting my tongue as long as I
 could.
 
 I'm a proponent of separating servers and NOT using views, as any of
 you that have taken a class that I've taught will attest.
 
 I've seen too many problems over the years that have been caused by
 incorrect maintenance of both data feeding the views and goofs in the
 mechanisms making sure that the correct view is made available to the
 correct slave servers (and clients).
 
 With today's hardware (virtualization, etc) it's not very expensive
 to build out new servers.  Separate the services and you remove lots of
 the little prickly points that will cause you pain as the complexity of
 your infrastructure grows (and as you hand off to the 'next
 generation' of maintainers).
 
 I'm actually more a proponent of creating an architecture that doesn't
  NEED differentiated data, but there aren't a lot of places
 implementing DNS / naming structures on green-fields these days.
 
 AlanC
 --=20
 Alan Clegg | +1-919-355-8851 | a...@clegg.com

I use views here. I did have to do a little work to make suere the right
views went to the right places and to make sure that the slaves that needed
all the views got them correctly. But I can't see how setting up virtual
hosts would be less work and how setting up virtual hosts would be less
prone to errors. And I would have to figure out how to make one host only
answer internal queries and the other host only answer external queries.
That was easy to do with views (at least for me).

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Adding DS records

2013-12-20 Thread Thomas Schulz

Has anyone been able to get Network Solutions to add DS records for
their domain? I am trying to get DS records added for my domain and
so far it looks like Network Solutions can not do that.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding DS records

2013-12-20 Thread Thomas Schulz

  If I was a NetSol customer, I would ask them, Why not?
 
 And if I were a NetSol customer, I would ask myself, Why?
 
 If I were a capitalist, I'd vote with my wallet and go somewhere with the
 features I want.

Well, we started with them back when they were the only company registering
domain names. And up to now there were no problems (other than perhaps price).

Any recomendations for another company for a  .com domain in the US?
I suppose that I could always use the DLV, but I would rather not.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding DS records

2013-12-20 Thread Thomas Schulz

  gandi.net +1
 
  I transferred from NS to Gandhi in December 1998. I don't know about their
  hosting of primary DNS but they do host a secondary of mine and it seems to
  resolve there with an aa flag:
 
 Yep, secondary works, but they can't be a DNSSEC primary.
 
 Steve

We host the primary DNS ourselves with our ISP providing the secondary,
so no problem there. Just to get going, I entered the records using the
DLV. I think that I will get a different registerer early next year, after
the rush of the holidays quiets down. Our contract expires in March, so
this is a reasonable time to do a switch.
Thanks for the advice so far.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: rndc refresh fails for signed zones

2013-12-12 Thread Thomas Schulz

Sorry for the bad advice.

Am I correct in thinking that in the case of a hidden master and a chain
of slaves, that the first publicly acessable slave would do the signing
and that in any case only one instance of bind should do the signing?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: rndc refresh fails for signed zones

2013-12-11 Thread Thomas Schulz

 Hi!
 
 # named -V
 BIND 9.9.3-rl.13204.02-P2
 
 I have configured slave zones with inline signing:
 
 zone mydomain.at {
  type slave;
  file /etc/bind/mydomain.at;
  masters { 1.2.3.4; };
  key-directory /etc/bind/keys;
  auto-dnssec maintain;
  inline-signing yes;
  allow-transfer { 5.6.7.8; };
  also-notify { 5.6.7.8; };
 };
 
 
 # rndc refresh mydomain.at
 rndc: 'refresh' failed: failure
 not a slave or stub zone
 
 
 For normal slave zones (unsigned) it works fine. Is this a known bug?
 Where can I open a bug report? Any workarounds?

I believe that only the master can sign the zone.
Also, also-notify does not make much sense for a slave.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DLV and the ad flag

2013-11-27 Thread Thomas Schulz

Acording to the book Dnssec Mastery, I should be able to test if my
Bind is correctly set up to use the DLV with the command:

dig +dnssec nsec3.dlvtest.dns-orac.net

And I should expect expect to see the RRSIG records and see the AD
flag set. I do get the RRSIG records but I do not see the AD flag.
Do I have a problem or is the book wrong? I do see the AD flag if
I dig www.isc.org. I am running Bind 9.9.4.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DLV and the ad flag

2013-11-27 Thread Thomas Schulz

 On Wed, Nov 27, 2013 at 01:30:37PM -0500, Thomas Schulz wrote:
  Acording to the book Dnssec Mastery, I should be able to test if my
  Bind is correctly set up to use the DLV with the command:
  
  dig +dnssec nsec3.dlvtest.dns-orac.net
 
 dns-oarc, not dns-orac.  (OARC: Operations, Analysis and Research
 Center.)
 
 -- 
 Evan Hunt -- e...@isc.org
 Internet Systems Consortium, Inc.

That works much better. Thank you.
I typed that wrong at least 5 times! Wow!

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Does anyone know where to find the ISC signing keys for source packages?

2010-12-28 Thread Thomas Schulz

 
 At Tue, 28 Dec 2010 15:50:23 -0500 (EST), Thomas Schulz wrote:
  
  It looks like I am a little dim today. Given gpg and the key, what steps
  do I do to verify a source package?
 
 General case:
 
 $ gpg --verify sigfile tarball
 
 Eg:
 
 $ gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind-9.7.2-P3.tar.gz
 
 We probably should add this to the aforementioned web page.

It looks like I have to somehow make the public key available. When I
issue the above command I get:

gpg: Can't check signature: public key not found

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Spaces in keys

2010-11-17 Thread Thomas Schulz

When I copied the key for root from
http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers
I ended up with spaces in the key. I assumed that they should not be there
and removed them. I since noticed that the key in /etc/bind.keys supplied
with the bind distribution has spaces in it. Should the spaces be there or
does it not matter?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: error sending response log messages

2009-02-02 Thread Thomas Schulz

In article glpv2m$2l4...@sf1.isc.org,
Andre LeClaire  alecla...@yahoo.com wrote:
Mark Andrews wrote:
 In message 497caef2.80...@yahoo.com, Andre LeClaire writes:
 Hello everyone,
 I've been seeing these syslog messages for about a week on a FreeBSD 
 server running BIND 9.4.3-P1:

 Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error 
 sending response: permission denied
 Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error 
 sending response: permission denied
 Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error 
 sending response: permission denied
 Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error 
 sending response: permission denied
 Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error 
 sending response: permission denied

 Ports 135-139 and 445 are denied by the firewall on the outside 
 interface.
 
  Why do you care about what port you are sending to?  Just
  allow named to send its replies.
 

Ports 135-139 and 445 are blocked on the outside interface to protect 
the Windows networks on the inside, which use those ports, from the 
savage Internet.

You seem to be saying that you are blocking incomming traffic on those
ports, but the above errors suggest that you are allowing incomming
queries on those ports but blocking the outgoing reply. I don't understand
why you would do that.

Are you saying that it's normal for named to send replies on those ports?
Also, the server has been up for over 3 years with no problems, and 
these errors just started happening last week.

New versions of Bind, and perhaps other dns implementations, make queries
on random ports and use a wider range of ports than before.  This is to
work around a security issue.  You are probably seeing the efects of other
sites upgrading their dns servers.

You should adjust your firewall to allow replies from Bind on any port.


Andre
-- 
Tom Schulz
sch...@adi.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.4.x vs 9.6.x - pid-file check and creation

2009-01-28 Thread Thomas Schulz

In article glp3rc$23p...@sf1.isc.org,
Jan Arild =?iso-8859-1?Q?Lindstr=F8m?=  j...@telenor.net wrote:

Hi,

ah, of course. I did not think about it as a Solaris bug.

I patched BIND 9.6.0-P1 os.c code so it first checks for the diretory
before it tries the fast approach of just running mkdir. And that of
course works fine.

But, since I do not want to run a self-patch BIND in production, I will
instead run with pid-file /var/run/named/named/named.pid and be happy
with that.

Just wondering.  Since /var/run is a swap (memory) based file system,
do you have to recreate those directories on each reboot?


Thanks
Jan Arild Lindstr


At 15:35 27/01/2009, Mark Andrews wrote:

Looking at the publically available parts of SunSolve there are at least
bug reports about it.

Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth=
er xxxfs_mkdir() functions.  |  Open in a new window
bug 6253984
http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-6253984-1 - Sep =
10, 2007
 =

Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with oth=
er xxxfs_mkdir() functions.  |  Open in a new window
bug 2152581
http://sunsolve.sun.com/search/document.do?assetkey=3D1-1-2152581-1 - Sep =
10, 2007 =

I don't have a copy of the POSIX standard that covers mkdir(2) to
see what it has to say about it.  Historically however EACCES on
search failure,  EEXIST if the file/directory exists, then EACCES on
parent directory write permissions was the error determination order.

Mark
-- =

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


-- 
Tom Schulz
sch...@adi.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: SERVFAIL issues

2009-01-16 Thread Thomas Schulz

In article gkqqei$1nq...@sf1.isc.org,
Frank Bulk - iName.com frnk...@iname.com wrote:
Yes, I read that last night before posting.  I changed it to 256M.  Is
there a way using rndc to see if that took?  

Note that 9.5.1 reverts the limit to unlimited AND fixes the bug causing
the failure.  You should not be running 9.5.0 at all.


And how do I see how much of the cache has been used?  I don't want to
provision more than necessary.  This server acts as a secondary DNS entry
for about 6000 broadband customers and is an authoritative DNS server for
100+ domains.

Frank

-Original Message-
From: Fr34k [mailto:freaknet...@yahoo.com] 
Sent: Friday, January 16, 2009 8:45 AM
To: frnk...@iname.com; bind-users@lists.isc.org
Subject: Re: SERVFAIL issues

Hello,

Has the max-cache-size setting in named.conf been considered?

If not, note that in early releases of 9.5.x max-cache-size is 32M by
default instead of unlimited as in 9.4.x

From the CHANGES file with the bind-9.5.0-P2 source:
max-cache-size defaults to 32M

Using:
max-cache-size 0 ;
will restore previous behavior (unlimited).

The ultimate setting would need to be considered for the environment BIND is
running in.

FWIW, we use max-cache-size 0 ; without issue.

You can search this list archives for max-cache-size for previous
discussions on this.

Thanks.



- Original Message 
From: Frank Bulk frnk...@iname.com
To: bind-users@lists.isc.org
Sent: Thursday, January 15, 2009 6:57:10 PM
Subject: SERVFAIL issues

http://marc.info/?l=bind-usersm=122239920822324w=2
http://marc.info/?l=bind-usersm=122243068905656w=2

We upgraded to 9.5.0-P1 when the Kaminsky DNS vulnerability was announced
and have had intermittent issues with SERVFAIL problems for some DSL modems
that don't properly fail over to a secondary DNS server.  A packet capture
showed that certain domains would result in a SERVFAIL, and once that domain
was identified, if we did a dig against it we had the same result.  We've
had to stop and start the named service about half a dozen times this fall
to resolve the issue.

We upgraded to 9.5.0-P2 in early November, hoping that this issue would be
resolved.  But today we experienced the problem again.  A customer couldn't
query a site, although everything seemed correct.  I captured all their
traffic and the trace showed that the DNS server was issuing a SERVFAIL.  I
stopped and then started named and immediately all was well.  Since we
sometimes reload named when adding/modifying domains, or at other times use
rndc, I'm not sure if that cleared things up such that this is the first
time I recall having this problem in 2 months.

Is this intermittent SERVFAIL issue resolved in 9.5.1-P1?

Frank


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


-- 
Tom Schulz
sch...@adi.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind memory usage

2008-12-15 Thread Thomas Schulz

In article gi2uke$2d8...@sf1.isc.org,
=?UTF-8?B?TGVvbmFyZG8gUm9kcmlndWVzIE1hZ2FsaMOjZXM=?=
 leolis...@solutti.com.br wrote:
CgpQZXRlciBEYW1iaWVyIGVzY3JldmV1Ogo+IEkgY2FuIGNvbmZpcm0gYmluZCA5LjQgZG9lcyBy
dW4gb24gYW4gKElCTSwgbm90IEludGVsKSA0ODYtU0NMLzIgd2l0aCAxNiBNQi4KPiBUaGF0IGNw
dSBjYW4gYWRkcmVzcyBubyBtb3JlIHRoYW4gMTYgTUIuCj4KPiAkIGNhdCAvcHJvYy9tZW1pbmZv
Cj4gICAgICAgICB0b3RhbDogICAgdXNlZDogICAgZnJlZTogIHNoYXJlZDogYnVmZmVyczogIGNh
Y2hlZDoKPiBNZW06ICAxNDU0MDgwMCAxMDU5NjM1MiAgMzk0NDQ0OCAgMzE5NDg4MCAgMTAwMzUy
MCAgMzUxODQ2NAo+ICAgCgogICAgdmVyeSBnb29kIHRvIGtub3cgdGhhdCA5LjQgaXMgcnVubmlu
ZyBPSyBvbiBhIDE2TWIgbWFjaGluZSwgYSAKc2l0dWF0aW9uIGV2ZW4gd29yc3QgdGhhbiBtaW5l
LCB3aGljaCBpcyAzMk1iIDopICAuLi4uIGknbGwgdHJ5IHRvIAppbnN0YWxsIDkuNCB0aGlzIHdl
ZWsgaW5zdGVhZCBvZiA5LjUgYW5kIGNoZWNrIGlmIGl0IGhhcyBhIHNsb3dlciBtZW1vcnkgCmZv
b3RwcmludC4KCiAgICB0aGFua3MgZm9yIHRoZSB0aXAgISEhCgotLSAKCgoJQXRlbmNpb3NhbWVu
dGUgLyBTaW5jZXJpbHksCglMZW9uYXJkbyBSb2RyaWd1ZXMKCVNvbHV0dGkgVGVjbm9sb2dpYQoJ
aHR0cDovL3d3dy5zb2x1dHRpLmNvbS5icgoKCU1pbmhhIGFybWFkaWxoYSBkZSBTUEFNLCBOw4NP
IG1hbmRlbSBlbWFpbAoJZ2VydHJ1ZGVzQHNvbHV0dGkuY29tLmJyCglNeSBTUEFNVFJBUCwgZG8g
bm90IGVtYWlsIGl0CgoKCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fXwpiaW5kLXVzZXJzIG1haWxpbmcgbGlzdApiaW5kLXVzZXJzQGxpc3RzLmlzYy5vcmcK
aHR0cHM6Ly9saXN0cy5pc2Mub3JnL21haWxtYW4vbGlzdGluZm8vYmluZC11c2Vycw==


You know, the above is not very usefull.  Can someone please fix the
newsgroup gateway.
-- 
Tom Schulz
sch...@adi.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: MIME garbage in comp.protocols.dns.bind

2008-12-12 Thread Thomas Schulz

In article ghtmfl$2rc...@sf1.isc.org,
Sam Wilson  sam.wil...@ed.ac.uk wrote:
In article ghtjng$2pd...@sf1.isc.org,
 Barry Margolin bar...@alum.mit.edu wrote:

 Does anyone still read this list via the comp.protocols.dns.bind Usenet 
 gateway?  I do, and ever since the web site and mailing list revamp last 
 month, it has been a real PITA.  About 1/3 of the messages in the group 
 have all sorts of MIME garbage in the body of the messages.  The problem 
 appears to be that the Content-type: multipart/alternative header line 
 is being stripped from the header by the gateway; actually, it ends up 
 in the body of the message.  As a result, my newsreader doesn't 
 recognize that the message is multipart, and shows all the pieces 
 literally.
 
 You can see the same thing if you view the messages in Google Groups, so 
 it's not just my news provider (Motzarella) or newsreader 
 (MT-Newswatcher).  The old mail-to-news gateway either got this right or 
 extracted the plain text alternative before forwarding.
 
 I sent mail to bind-users-request a few weeks ago, but got no response.  
 Is this bugging anyone else but me?

Yes, it's bugging me.  I use MT-Newswatcher (Mac OS X) and whilst I can 
cope with the multipart/alternative hassle (just stop reading where it 
turns into HTML - see [1]) the ones that really annoy me are the base64 
encoded messages like [2].

I'm clearly less conscientious than Barry - I haven't complained before 
now.

Sam

[1] news:ghs3de$1f8...@sf1.isc.org
[2] news:ghtbae$2er...@sf1.isc.org

I was wondering what was going on.  Some messages are just base64 and are
completely useless/unreadable.
-- 
Tom Schulz
sch...@adi.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

50 matches

Mail list logo