Re: RRL active by default?

2014-05-08 Thread Tony Finch
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

 And, then it finally crashed complaining that there was no root hints for the
 view _ksu_bind, and making class IN view _ksu_bind with all the same
 zones, including the hint zone...it still complained that there was no root
 hints for view _ksu_bind and crashed.

Did you put the _ksu_bind view in the CHAOS class or leave it in the
default IN class?

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Viking, North Utsire: Easterly or southeasterly 4 or 5, occasionally 6 in
south Viking. Slight or moderate. Rain or showers. Good, occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: RRL active by default?

2014-05-07 Thread Lawrence K. Chen, P.Eng.
Can't seem to figure out how to work something like that into my configuration.

It doesn't like that I have allow-recursion { k-state; }; set in
options...then something about when using 'view' statements, all zones must
be in views.

So, I uncommented the view ksu { lines in my config (there used to be a
separate view for a JOIN K-STATE SSID, which basically sent you to a special
website regardless of what you wanted to connect to...it was scrapped,
because users using computers running an OS that starts with W...would still
be stuck going to the site when they switched to normal wireless.  (even
though the TTL for the zone was only 5 seconds...)

And, then it finally crashed complaining that there was no root hints for the
view _ksu_bind, and making class IN view _ksu_bind with all the same
zones, including the hint zone...it still complained that there was no root
hints for view _ksu_bind and crashed.

 daemon.notice] starting BIND 9.9.4-P2 -c 
 /var/chroot/named/etc/named/named.conf -4
 daemon.notice] built with '--prefix=/usr/local' '--sysconfdir=/etc/named'
 '--localstatedir=/var' '--with-openssl' '--enable-threads' 
 '--enable-largefile'
 '--with-libtool' '--enable-ipv6' '--enable-newstats' '--enable-filter-'
 '--enable-rrl' 'CFLAGS=-m64 -O2' 'LDFLAGS=-Wl,-R/usr/local/ssl/lib/64
 -L/usr/local/ssl/lib/64 -Wl,-R/usr/local/lib/amd64 -L/usr/local/lib/amd64
 -Wl,-R/usr/local/lib -L/usr/local/lib'
 daemon.notice] 
 daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
 daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
 daemon.notice] corporation.  Support and training for BIND 9 are
 daemon.notice] available at https://www.isc.org/support
 daemon.notice] 
 daemon.warning] no root hints for view '_ksu_bind'
 daemon.notice] command channel listening on 127.0.0.1#953
 daemon.crit] db.c:795: REQUIRE(rdataset->rdclass == db->rdclass) failed, back trace
 daemon.crit] #0 4307e3 in ??
 daemon.crit] #1 fd7ffeef92ca in ??
 daemon.crit] #2 fd7fff1d8467 in ??
 daemon.crit] #3 fd7fff1dafc6 in ??
 daemon.crit] #4 fd7fff1ef91e in ??
 daemon.crit] #5 fd7fff2f1f39 in ??
 daemon.crit] #6 fd7fff2f4b29 in ??
 daemon.crit] #7 45a851 in ??
 daemon.crit] #8 45bc3e in ??
 daemon.crit] #9 fd7ffef1a49f in ??
 daemon.crit] #10 fd7ffeacbfbb in ??
 daemon.crit] exiting (due to assertion failure)

On 05/02/14 23:34, Jeremy C. Reed wrote:
 
 On 05/02/14 09:23, Jeremy C. Reed wrote:
 Only for the built-in Chaos _bind view (for id.server, authors.bind, 
 hostname.bind, and version.bind).
 
 On Fri, 2 May 2014, Lawrence K. Chen, P.Eng. wrote:
 Awww...I found messages about version.bind.
 
 My workaround I use is like:
 
 # for builtin tests do not rate-limit
 # redefine chaos builtin zones
 # can't redefine builtin view '_bind'
 view _dnsbench_bind chaos {
     recursion no;
     notify no;
     allow-new-zones no;
 
     rate-limit {
         responses-per-second 0;
     };
 
     zone version.bind chaos {
         type master;
         database _builtin version;
     };
 
     zone hostname.bind chaos {
         type master;
         database _builtin hostname;
     };
 
     zone authors.bind chaos {
         type master;
         database _builtin authors;
     };
 
     zone id.server chaos {
         type master;
         database _builtin id;
     };
 };
 
 Or edit bin/named/config.c (you will quickly find the configuration) and 
 make and install.
 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally


Re: RRL active by default?

2014-05-02 Thread /dev/rob0
On Thu, May 01, 2014 at 05:10:50PM -0500, Lawrence K. Chen, P.Eng. 
wrote:
 Does compiling in RRL mean it's active, even without a rate-limit
 {} control block?

No, and also note that your rate-limit {} stanza could be either in 
your options {} statement, or in a view {} statement. The latter 
replaces rather than supplements what you have in options.

 The other day, I got reports some service is getting intermittent 
 lookup failures for our ldap server.
 
 Why these appliances have to query DNS servers many times per 
 second to get the address of a record with a TTL of 1 day

Do you have them directly querying authoritative nameservers? Your 
workaround, perhaps, is to have caching-only servers between your 
appliances and your authoritative servers.

 In looking at the logs, I saw messages about rate-limit of various 
 subnets. (but, only for the busiest 2 of 8 caching servers) 

RRL should only be used on authoritative servers. Are you saying you 
saw such logs from a named instance without a rate-limit stanza? 
Indeed, that should not be so.

 Starting when I first updated to 9.9.4-P1.  Though both had said 
 they had stopped limiting responses by the time I looked.
 
 Just in case, I threw in a
 
 rate-limit {
 exempt-clients { k-state; };
 };
 
 where k-state is the same acl used with allow-query {} and 
 allow-recursion {}.

There's also log-only yes; you might try.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: RRL active by default?

2014-05-02 Thread Jeremy C. Reed
On Thu, 1 May 2014, Lawrence K. Chen, P.Eng. wrote:

 Does compiling in RRL mean it's active, even without a rate-limit {} 
 control block?

Only for the built-in Chaos _bind view (for id.server, authors.bind, 
hostname.bind, and version.bind).


Re: RRL active by default?

2014-05-02 Thread Lawrence K. Chen, P.Eng.
Awww...I found messages about version.bind.

On 05/02/14 09:23, Jeremy C. Reed wrote:
 On Thu, 1 May 2014, Lawrence K. Chen, P.Eng. wrote:
 
 Does compiling in RRL mean it's active, even without a rate-limit {} 
 control block?
 
 Only for the built-in Chaos _bind view (for id.server, authors.bind, 
 hostname.bind, and version.bind).
 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally


Re: RRL active by default?

2014-05-02 Thread Jeremy C. Reed

 On 05/02/14 09:23, Jeremy C. Reed wrote:
  Only for the built-in Chaos _bind view (for id.server, authors.bind, 
  hostname.bind, and version.bind).

On Fri, 2 May 2014, Lawrence K. Chen, P.Eng. wrote:
 Awww...I found messages about version.bind.

My workaround I use is like:

# for builtin tests do not rate-limit
# redefine chaos builtin zones
# can't redefine builtin view '_bind'
view _dnsbench_bind chaos {
    recursion no;
    notify no;
    allow-new-zones no;

    rate-limit {
        responses-per-second 0;
    };

    zone version.bind chaos {
        type master;
        database _builtin version;
    };

    zone hostname.bind chaos {
        type master;
        database _builtin hostname;
    };

    zone authors.bind chaos {
        type master;
        database _builtin authors;
    };

    zone id.server chaos {
        type master;
        database _builtin id;
    };
};

Or edit bin/named/config.c (you will quickly find the configuration) and 
make and install.
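Editor's note: the named.conf sketch below is an added example, not part of the thread and not ISC's or any poster's configuration. It pulls together three points made in the thread: rob0's note that a rate-limit {} inside a view replaces the one in options {} (so exempt-clients must be repeated in the view), Jeremy's workaround of putting the chaos built-in zones into a view of your own with responses-per-second 0 because the built-in '_bind' view cannot be redefined, and Tony's question about declaring that view in the CHAOS class rather than the default IN class. The ACL prefixes, view names, hints file name and the responses-per-second value are all placeholders.

```conf
// Added example, not from the thread. Assumed placeholders: the "k-state" ACL
// contents, the view names, the hints file name, responses-per-second value.

acl "k-state" { 192.0.2.0/24; 2001:db8::/32; };   // placeholder prefixes

options {
    directory "/var/named";               // assumed path
    allow-query     { k-state; };
    allow-recursion { k-state; };
    // Once any view {} exists, every zone must live inside a view, and a
    // rate-limit {} placed here is replaced, not supplemented, by one in a
    // view, so the client-facing settings go into the views below.
};

// Class IN view for the campus resolvers. Being an IN view it needs root
// hints; the chaos built-in zones do not belong here (they are class CH).
view "ksu" IN {
    match-clients { k-state; };
    recursion yes;
    // RRL is intended for authoritative servers. On a resolver serving the
    // same clients, keep it observational: log-only reports what would be
    // dropped without dropping it. This block replaces the options-level
    // one, so exempt-clients has to be repeated here.
    rate-limit {
        responses-per-second 25;          // assumed value; 0 leaves RRL off
        exempt-clients { k-state; };
        log-only yes;
    };
    zone "." { type hint; file "named.root"; };   // assumed file name
};

// Class CHAOS view standing in for the built-in '_bind' view. Declared with
// the chaos class so the view and its zones agree on class; putting these
// chaos zones into an IN view is the class mismatch Tony asks about.
view "ksu_chaos" chaos {
    match-clients { k-state; };
    recursion no;
    notify no;
    allow-new-zones no;
    rate-limit { responses-per-second 0; };   // never limit these answers
    zone "version.bind"  chaos { type master; database "_builtin version"; };
    zone "hostname.bind" chaos { type master; database "_builtin hostname"; };
    zone "authors.bind"  chaos { type master; database "_builtin authors"; };
    zone "id.server"     chaos { type master; database "_builtin id"; };
};
```

Check it with named-checkconf before reloading; the point to verify is that the chaos view carries the class keyword, since without it named treats the view as class IN and then wants root hints for it, which is the "no root hints for view" warning in the log above.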


RRL active by default?

2014-05-01 Thread Lawrence K. Chen, P.Eng.
Does compiling in RRL mean it's active, even without a rate-limit {} control 
block?

The other day, I got reports some service is getting intermittent lookup
failures for our ldap server.

Why these appliances have to query DNS servers many times per second to get
the address of a record with a TTL of 1 day

In looking at the logs, I saw messages about rate-limit of various subnets.
(but, only for the busiest 2 of 8 caching servers)  Starting when I first
updated to 9.9.4-P1.  Though both had said they had stopped limiting responses
by the time I looked.

Just in case, I threw in a

rate-limit {
exempt-clients { k-state; };
};

where k-state is the same acl used with allow-query {} and allow-recursion {}.


-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally