Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> Change the filenames on the slave, or just don't have a "file" option
> in the slave zone configuration.

I was going to yell "TIL from Evan, that 'file' is optional for a
slave", but 

/etc/named.conf:545: zone 'example.com': missing 'file' entry

This is on 9.10.3. Did I misunderstand you?

-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> but I believe it's optional otherwise.

You are correct (of course). I had inline signing enabled.

For a non-signed zone I note the transfer indeed works without a 'file'
specification, and I note it's not stored on file anywhere (just in
core).

Thanks for clarifying.

-JP


Re: Writeable file already in use

2016-01-05 Thread Evan Hunt
> I was going to yell "TIL from Evan, that 'file' is optional for a
> slave", but 
> 
> /etc/named.conf:545: zone 'example.com': missing 'file' entry
> 
> This is on 9.10.3. Did I misunderstand you?

Do you use inline-signing?  It's mandatory in that case (named needs to
know where to put the .signed file and the journal files), but I believe
it's optional otherwise.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Writeable file already in use

2016-01-05 Thread Tony Finch
Jan-Piet Mens  wrote:
>
> For a non-signed zone I note the transfer indeed works without a 'file'
> specification, and I note it's not stored on file anywhere (just in
> core).

Yes, so (as you have probably guessed) the server has to retransfer the
zone from scratch when it is restarted. This might make you sad if you
have lots of zones or large zones.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Hebrides, Bailey, Fair Isle: Easterly or southeasterly 5 to 7, occasionally
gale 8 in Fair Isle, decreasing 4 at times. Moderate or rough, occasionally
very rough in Fair Isle. Showers, wintry in Fair Isle. Good, occasionally poor
in Fair Isle.


Re: Writeable file already in use

2016-01-05 Thread Barry Margolin
In article ,
 Alan Clegg  wrote:

> On 1/5/16 6:26 AM, Jan-Piet Mens wrote:
> >> This might make you sad if you have lots of zones or large zones.
> > 
> > .. or even just want to look at what was transferred (without having to
> > recurse to a `dig axfr').
> > 
> > I see no reason to omit 'file' (except on a diskless slave ;-)
> 
> I ran into one exception to this rule - it seemed that the customer had
> security requirements that did not allow "transient data" to be written
> to disk.  They had to make sure that if the physical device was stolen,
> all of their zone data didn't follow it out the door.

The in-memory copy is likely to end up in the swap partition.

-- 
Barry Margolin
Arlington, MA


Re: Writeable file already in use

2016-01-05 Thread Ray Bellis
On 05/01/2016 17:03, Barry Margolin wrote:

> The in-memory copy is likely to end up in the swap partition.

A swap partition?   I don't think I've seen one of those for years...

Ray




Re: Writeable file already in use

2016-01-05 Thread Reindl Harald



On 05.01.2016 at 18:03, Barry Margolin wrote:
> In article ,
>   Alan Clegg  wrote:
>
>> On 1/5/16 6:26 AM, Jan-Piet Mens wrote:
>>>> This might make you sad if you have lots of zones or large zones.
>>>
>>> .. or even just want to look at what was transferred (without having to
>>> recurse to a `dig axfr').
>>>
>>> I see no reason to omit 'file' (except on a diskless slave ;-)
>>
>> I ran into one exception to this rule - it seemed that the customer had
>> security requirements that did not allow "transient data" to be written
>> to disk.  They had to make sure that if the physical device was stolen,
>> all of their zone data didn't follow it out the door.
>
> The in-memory copy is likely to end up in the swap partition

a properly dimensioned server has no swap partition at all, at least none
of the servers i am responsible for since 2008 had one and *for sure*
the memory requirement of an authoritative nameserver is pretty clear to
not need it





Re: Writeable file already in use

2016-01-05 Thread Alan Clegg
On 1/5/16 6:26 AM, Jan-Piet Mens wrote:
>> This might make you sad if you have lots of zones or large zones.
> 
> .. or even just want to look at what was transferred (without having to
> recurse to a `dig axfr').
> 
> I see no reason to omit 'file' (except on a diskless slave ;-)

I ran into one exception to this rule - it seemed that the customer had
security requirements that did not allow "transient data" to be written
to disk.  They had to make sure that if the physical device was stolen,
all of their zone data didn't follow it out the door.

AlanC
-- 
Why don't we wander and follow la vie dansante.




RE: Writeable file already in use

2016-01-05 Thread Darcy Kevin (FCA)
http://unix.stackexchange.com/questions/190398/do-i-need-swap-space-if-i-have-more-than-enough-amount-of-ram


- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
Sent: Tuesday, January 05, 2016 12:19 PM
To: bind-users@lists.isc.org
Subject: Re: Writeable file already in use



On 05.01.2016 at 18:03, Barry Margolin wrote:
> In article <mailman.13.1452009325.73610.bind-us...@lists.isc.org>,
>   Alan Clegg <a...@clegg.com> wrote:
>
>> On 1/5/16 6:26 AM, Jan-Piet Mens wrote:
>>>> This might make you sad if you have lots of zones or large zones.
>>>
>>> .. or even just want to look at what was transferred (without having 
>>> to recurse to a `dig axfr').
>>>
>>> I see no reason to omit 'file' (except on a diskless slave ;-)
>>
>> I ran into one exception to this rule - it seemed that the customer 
>> had security requirements that did not allow "transient data" to be 
>> written to disk.  They had to make sure that if the physical device 
>> was stolen, all of their zone data didn't follow it out the door.
>
> The in-memory copy is likely to end up in the swap partition

a properly dimensioned server has no swap partition at all, at least none of 
the servers i am responsible for since 2008 had one and *for sure* the memory 
requirement of an authoritative nameserver is pretty clear to not need it



Re: Writeable file already in use

2016-01-05 Thread Reindl Harald



On 05.01.2016 at 19:05, Darcy Kevin (FCA) wrote:
> http://unix.stackexchange.com/questions/190398/do-i-need-swap-space-if-i-have-more-than-enough-amount-of-ram

and the answer is clearly NO if you have *enough* RAM
you just have to define the "enough"

which means your workload and your useful buffercache fits in

when i have a machine (in my case only VMs) running over a full month
with a 1 GB swap file and it's not used with a single MB i do NOT need
stackexchange to answer that question

a dedicated authoritative-only nameserver and to utilize the resources a
containered asterisk with hylafax and even a tiny webserver with a
mysqld for the addressbook are doing that with 1.5 GB RAM:

[root@asterisk:~]$ free
              total        used        free      shared  buff/cache   available
Mem:           1,5G        150M        886M         18M        460M        1,3G
Swap:            0B          0B          0B

what do you want to swap out there?

the machine has all blocks of the disks it ever accessed, the software
and the data in its memory and would not come to the idea to swap anything
out anyways


> -Original Message-
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
> Sent: Tuesday, January 05, 2016 12:19 PM
> To: bind-users@lists.isc.org
> Subject: Re: Writeable file already in use
>
> On 05.01.2016 at 18:03, Barry Margolin wrote:
>> In article <mailman.13.1452009325.73610.bind-us...@lists.isc.org>,
>>   Alan Clegg <a...@clegg.com> wrote:
>>
>>> On 1/5/16 6:26 AM, Jan-Piet Mens wrote:
>>>>> This might make you sad if you have lots of zones or large zones.
>>>>
>>>> .. or even just want to look at what was transferred (without having
>>>> to recurse to a `dig axfr').
>>>>
>>>> I see no reason to omit 'file' (except on a diskless slave ;-)
>>>
>>> I ran into one exception to this rule - it seemed that the customer
>>> had security requirements that did not allow "transient data" to be
>>> written to disk.  They had to make sure that if the physical device
>>> was stolen, all of their zone data didn't follow it out the door.
>>
>> The in-memory copy is likely to end up in the swap partition
>
> a properly dimensioned server has no swap partition at all, at least none of
> the servers i am responsible for since 2008 had one and *for sure* the memory
> requirement of an authoritative nameserver is pretty clear to not need it






Re: Writeable file already in use

2016-01-05 Thread Reindl Harald

and to finish that topic:

in days of zram (it's in the mainline kernel for a long time - 
https://www.kernel.org/doc/Documentation/blockdev/zram.txt) when you 
think you need some swap for whatever reason you use that just because 
modern hardware has so many cpu cycles left that it doesn't need 
measurable resources and it's way faster


On 05.01.2016 at 19:19, Reindl Harald wrote:
> On 05.01.2016 at 19:05, Darcy Kevin (FCA) wrote:
>> http://unix.stackexchange.com/questions/190398/do-i-need-swap-space-if-i-have-more-than-enough-amount-of-ram
>
> and the answer is clearly NO if you have *enough* RAM
> you just have to define the "enough"
>
> which means your workload and your useful buffercache fits in
>
> when i have a machine (in my case only VMs) running over a full month
> with a 1 GB swap file and it's not used with a single MB i do NOT need
> stackexchange to answer that question
>
> a dedicated authoritative-only nameserver and to utilize the resources a
> containered asterisk with hylafax and even a tiny webserver with a
> mysqld for the addressbook are doing that with 1.5 GB RAM:
>
> [root@asterisk:~]$ free
>               total        used        free      shared  buff/cache   available
> Mem:           1,5G        150M        886M         18M        460M        1,3G
> Swap:            0B          0B          0B
>
> what do you want to swap out there?
>
> the machine has all blocks of the disks it ever accessed, the software
> and the data in its memory and would not come to the idea to swap anything
> out anyways


>> -Original Message-
>> From: bind-users-boun...@lists.isc.org
>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
>> Sent: Tuesday, January 05, 2016 12:19 PM
>> To: bind-users@lists.isc.org
>> Subject: Re: Writeable file already in use
>>
>> On 05.01.2016 at 18:03, Barry Margolin wrote:
>>> In article <mailman.13.1452009325.73610.bind-us...@lists.isc.org>,
>>>   Alan Clegg <a...@clegg.com> wrote:
>>>
>>>> On 1/5/16 6:26 AM, Jan-Piet Mens wrote:
>>>>>> This might make you sad if you have lots of zones or large zones.
>>>>>
>>>>> .. or even just want to look at what was transferred (without having
>>>>> to recurse to a `dig axfr').
>>>>>
>>>>> I see no reason to omit 'file' (except on a diskless slave ;-)
>>>>
>>>> I ran into one exception to this rule - it seemed that the customer
>>>> had security requirements that did not allow "transient data" to be
>>>> written to disk.  They had to make sure that if the physical device
>>>> was stolen, all of their zone data didn't follow it out the door.
>>>
>>> The in-memory copy is likely to end up in the swap partition
>>
>> a properly dimensioned server has no swap partition at all, at least none
>> of the servers i am responsible for since 2008 had one and *for sure*
>> the memory requirement of an authoritative nameserver is pretty clear
>> to not need it





Re: Writeable file already in use

2016-01-05 Thread Jan-Piet Mens
> This might make you sad if you have lots of zones or large zones.

.. or even just want to look at what was transferred (without having to
recurse to a `dig axfr').

I see no reason to omit 'file' (except on a diskless slave ;-)

-JP


Re: Writeable file already in use

2016-01-05 Thread Timothe Litt
Jan-Piet Mens  wrote:
> This might make you sad if you have lots of zones or large zones.
> .. or even just want to look at what was transferred (without having to
> recurse to a `dig axfr').
>
> I see no reason to omit 'file' (except on a diskless slave 
Or if you care about availability, which is a strong reason for having a
slave in the first place. (Performance is the other.)

If a diskless slave restarts when the master is down, it has no data to
serve.  This will also make you (or your clients) sad, even if you only
have a few small zones :-(

I agree - don't omit 'file', except on a diskless slave.  Don't try to
share the file, even when it seems to work.  And think twice about why
you have a diskless slave...

The only fault that I find with bind's decision to prohibit shared
writable files is that it took so long to arrive.  Instead of
complaining, which seems to appear here every few months, the response
should be "Thank you - for *finally* preventing this disastrous
misconfiguration."

I've lost count of how many times I've encountered someone who had
corruption due to this misconfiguration.   There are many (working) ways
to replicate data.  Among them: in-view, dname, external scripts to copy
files, external tools that write records to multiple files, replicators
triggered by file writes (e.g. inotify) or database update triggers 

Although I remember when a 1MB ("hard") disk was huge - today disk space
is cheap.  Don't trade a few MB (or GB) of space for eventual data
corruption.  And the manpower to implement any of the above is far less
than that spent on recovering from corruption, which can go undetected
for a long time.  [And usually, the folks who run into it haven't tested
their backups...]

As for the "I know I'll never have bind update that zone" - that may be
true today.  But it changes -- perhaps when your successor discovers
it.  Either a tool requires dynamic update, or someone discovers signed
zones, or realizes that dnssec maintain saves a lot of work, or the next
technology comes along.  To misappropriate a K quote - "Your constant
is my variable".  Or the ever popular "If you don't take the time to do
it right, you'll have to make the time to do it over...and over again".

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 





Writeable file already in use

2016-01-04 Thread Sathyan Arjunan
Team,

Recently, I updated my bind from 9.9.5 to 9.9.8-P2 and since then I have seen
problems with my named configuration. Interestingly, I have seen this problem
only on my slaves, NOT on the Master DNS.

I am using multiple zones pointing to the same file. This configuration has
been in place for nearly 10 years with no issues...

Zone config on Master: ###No issues with Master###

 zone "domain1.com." {type master; file "db.file-1"; };
 zone "domain2.com." {type master; file "db.file-1"; };
 zone "domain3.com." {type master; file "db.file-1"; };

Zone config on Slave:

zone "domain1.com." {type slave; file "db.file-1"; masters { x.x.x.x; };
allow-query { any; }; };
zone "domain2.com." { type slave; file "db.file-1"; masters { x.x.x.x; };
allow-query { any; }; };
zone "domain3.com." { type slave; file "db.file-1"; masters{ x.x.x.x; };
allow-query { any; }; };

Below are the errors I have seen from named on my slave DNS

: named.conf:584: writeable file 'db.file-1': already in use: named.conf:194


Please advise...

Re: Writeable file already in use

2016-01-04 Thread Evan Hunt
On Mon, Jan 04, 2016 at 05:13:55PM -0700, Sathyan Arjunan wrote:
> Recently, I updated my bind from 9.9.5 to 9.9.8-P2 and since then I have seen
> problems with my named configuration. Interestingly, I have seen this problem
> only on my slaves, NOT on the Master DNS.
> 
> I am using multiple zones pointing to the same file. This configuration has
> been in place for nearly 10 years with no issues...

It's actually an error and always has been.  Having named write to the
same file for multiple zones is risky; they can step on each other and
cause load failures later.  The only change is that named will now
prevent you from making this mistake.

> Zone config on Master: ###No issues with Master###
> 
>  zone "domain1.com." {type master; file "db.file-1"; };
>  zone "domain2.com." {type master; file "db.file-1"; };
>  zone "domain3.com." {type master; file "db.file-1"; };

On the master server, named doesn't write to zone files (unless the
zone is dynamically updatable) so this isn't an error.

> zone "domain1.com." {type slave; file "db.file-1"; masters { x.x.x.x; };
> allow-query { any; }; };
> zone "domain2.com." { type slave; file "db.file-1"; masters { x.x.x.x; };
> allow-query { any; }; };
> zone "domain3.com." { type slave; file "db.file-1"; masters{ x.x.x.x; };
> allow-query { any; }; };
> 
> Below are the errors I have seen from named on my slave DNS
> 
> : named.conf:584: writeable file 'db.file-1': already in use: named.conf:194

On a slave server, named transfers the zone from elsewhere and writes a
copy into a local file.  These all need to be different files.

> Please advise...

Change the filenames on the slave, or just don't have a "file" option
in the slave zone configuration.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
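
A pre-deployment check for the cases raised in this thread, added here as an example and not code from BIND or from any poster: it scans named.conf text for zones whose file named itself writes (slaves, and masters with allow-update or update-policy) that share one 'file', and for slaves or inline-signing zones with no 'file'. The sample configuration and the 192.0.2.1 addresses are constructed; include files, relative versus absolute spellings of one path, and comment markers inside quoted strings are not handled.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE_CONF = '''
zone "domain1.com." { type slave; file "db.file-1"; masters { 192.0.2.1; }; };
zone "domain2.com." { type slave; file "db.file-1"; masters { 192.0.2.1; }; };
zone "static1.example." { type master; file "db.static"; };
zone "static2.example." { type master; file "db.static"; };
zone "memonly.example." { type slave; masters { 192.0.2.1; }; };
zone "signed.example." { type slave; inline-signing yes; masters { 192.0.2.1; }; };
'''

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')

def strip_comments(text):
    """Remove /* */, // and # comments, keeping newlines so line numbers hold."""
    text = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group().count('\n'), text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def zones(text):
    """Yield (line, name, body) for every zone statement, matching nested braces."""
    text = strip_comments(text)
    for m in ZONE_RE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield text.count('\n', 0, m.start()) + 1, m.group(1), text[m.end():i - 1]

def check(text):
    """Return sorted (line, zone, message) findings for the cases in the thread."""
    findings, writers = [], defaultdict(list)
    for line, name, body in zones(text):
        ztype = re.search(r'\btype\s+([\w-]+)', body)
        path = re.search(r'(?<![\w-])file\s+"([^"]+)"', body)
        slave = bool(ztype) and ztype.group(1) in ('slave', 'secondary')
        inline = re.search(r'\binline-signing\s+(yes|true|1)\b', body)
        dynamic = re.search(r'(?<![\w-])(allow-update|update-policy)(?![\w-])', body)
        if path is None:
            if inline:
                findings.append((line, name, "inline-signing set but no 'file' entry"))
            elif slave:
                findings.append((line, name, "no 'file': copy kept in memory only, "
                                             "re-transferred after every restart"))
        elif slave or dynamic:  # zones whose file named itself writes
            writers[path.group(1)].append((line, name))
    for path, users in writers.items():
        first_line, first_zone = users[0]
        for line, name in users[1:]:
            findings.append((line, name, f"writeable file '{path}' already in use "
                                         f"by {first_zone} (line {first_line})"))
    return sorted(findings)

if __name__ == '__main__':
    for line, name, msg in check(SAMPLE_CONF):
        print(f"line {line}: zone '{name}': {msg}")
```

The two static master zones sharing db.static are not reported, matching the explanation above that named does not write to a master's zone file unless the zone is dynamically updatable.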


Re: Writeable file already in use

2016-01-04 Thread Reindl Harald



On 05.01.2016 at 01:13, Sathyan Arjunan wrote:
> Recently, I updated my bind from 9.9.5 to 9.9.8-P2 and since then I have seen
> problems with my named configuration. Interestingly, I have seen this problem
> only on my slaves, NOT on the Master DNS.
>
> I am using multiple zones pointing to the same file


this is not supported - period


