Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
Hi Just FYI, I just encountered the same issue with bind and DNSSEC. Bind was using 100% CPU, even after a restart. Turns out that were a key in the managed-keys folder which was unreadable by bind (permission issue). Hope It can help. Arnaud Houdelette. On 05/01/2012 01:24, George Kontostanos wrote: Greetings everyone, I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the following options: options { ... dnssec-enable yes; dnssec-validation auto; ... }; Unfortunately immediately after named is restarted one CPU reaches 100% utilization. CPU: 30.1% user, 0.0% nice, 23.6% system, 0.0% interrupt, 46.3% idle Mem: 111M Active, 14M Inact, 255M Wired, 852K Cache, 3558M Free Swap: 2048M Total, 2048M Free PID USERNAMETHR PRI NICE SIZERES STATE C TIME WCPU COMMAND 2178 bind 5 200 51364K 13828K kqread 0 0:17 84.18% named The system is running GENERIC kernel, and it not an authoritative DNS. Mainly used for testing purposes. My logs don't show anything strange: Jan 5 02:03:55 hp named[2178]: starting BIND 9.8.1-P1 -t /var/named -u bind Jan 5 02:03:55 hp named[2178]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn' '--without-libxml2' Jan 5 02:03:55 hp named[2178]: using built-in root key for view _default Jan 5 02:03:55 hp named[2178]: command channel listening on 127.0.0.1#953 Jan 5 02:03:55 hp named[2178]: command channel listening on ::1#953 an 5 02:03:55 hp named[2178]: running Anybody has come across a similar behavior ? Cheers, ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
On Mon, Jan 9, 2012 at 11:47 AM, Doug Barton wrote: > On 01/04/2012 16:24, George Kontostanos wrote: >> Greetings everyone, >> >> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the >> following options: >> >> options { >> ... >> dnssec-enable yes; >> dnssec-validation auto; >> ... >> }; >> >> Unfortunately immediately after named is restarted one CPU reaches >> 100% utilization. > > There are an enormous number of possible reasons for this. Most common > is that you have a misconfigured firewall in the path that is not > passing DNSSEC-sized packets (which are generally quite a bit larger > than regular DNS due to the signatures). > > The first 2 things you need to do are to crank up BIND logging (the > details are in the BIND docs, particularly the ARM); and to check > whether or not your network is properly configured. There are a number > of sites to do the latter, check the following for example: > > https://www.dns-oarc.net/oarc/services/replysizetest > > If you still need help after these 2 steps, your best bet is > bind-us...@isc.org. > > > Good luck, > > Doug > > -- > > You can observe a lot just by watching. -- Yogi Berra > > Breadth of IT experience, and depth of knowledge in the DNS. > Yours for the right price. :) http://SupersetSolutions.com/ > Hi Doug, thanks for the valuable info. After a lot of debugging I reached to the point where I get: Jan 9 17:21:22 hp named[39053]: /usr/src/lib/bind/dns/../../../contrib/bind9/lib/dns/journal.c:171: unexpected error: Jan 9 17:21:22 hp named[39053]: missing SOA Some googling showed that this is a rather common error-bug with DNSSEC. I am no expert here, so I will turn this to the bind mailing list. Regards -- George Kontostanos Aicom telecoms ltd http://www.barebsd.com ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
On 01/04/2012 16:24, George Kontostanos wrote: > Greetings everyone, > > I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the > following options: > > options { > ... > dnssec-enable yes; > dnssec-validation auto; > ... > }; > > Unfortunately immediately after named is restarted one CPU reaches > 100% utilization. There are an enormous number of possible reasons for this. Most common is that you have a misconfigured firewall in the path that is not passing DNSSEC-sized packets (which are generally quite a bit larger than regular DNS due to the signatures). The first 2 things you need to do are to crank up BIND logging (the details are in the BIND docs, particularly the ARM); and to check whether or not your network is properly configured. There are a number of sites to do the latter, check the following for example: https://www.dns-oarc.net/oarc/services/replysizetest If you still need help after these 2 steps, your best bet is bind-us...@isc.org. Good luck, Doug -- You can observe a lot just by watching. -- Yogi Berra Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
Greetings everyone, I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the following options: options { ... dnssec-enable yes; dnssec-validation auto; ... }; Unfortunately immediately after named is restarted one CPU reaches 100% utilization. CPU: 30.1% user, 0.0% nice, 23.6% system, 0.0% interrupt, 46.3% idle Mem: 111M Active, 14M Inact, 255M Wired, 852K Cache, 3558M Free Swap: 2048M Total, 2048M Free PID USERNAMETHR PRI NICE SIZERES STATE C TIME WCPU COMMAND 2178 bind 5 200 51364K 13828K kqread 0 0:17 84.18% named The system is running GENERIC kernel, and it not an authoritative DNS. Mainly used for testing purposes. My logs don't show anything strange: Jan 5 02:03:55 hp named[2178]: starting BIND 9.8.1-P1 -t /var/named -u bind Jan 5 02:03:55 hp named[2178]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn' '--without-libxml2' Jan 5 02:03:55 hp named[2178]: using built-in root key for view _default Jan 5 02:03:55 hp named[2178]: command channel listening on 127.0.0.1#953 Jan 5 02:03:55 hp named[2178]: command channel listening on ::1#953 an 5 02:03:55 hp named[2178]: running Anybody has come across a similar behavior ? Cheers, -- George Kontostanos Aicom telecoms ltd ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: bind 9.6.2 dnssec validation bug
According to Chris H: > Unless you need/allow recursion for your internal || stealth || seconds/slaves > > In fact, that's the _only_ reason I haven't already switched to unbound. I must be missing something, you can restrict/allow recursion. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- robe...@keltia.net In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/ ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: bind 9.6.2 dnssec validation bug
On Thu, February 10, 2011 2:47 pm, Ollivier Robert wrote: > According to Russell Jackson: > >> Looks like I should just suck it up and start using the bind97 port. >> > > Or switch to unbound. Unless you need/allow recursion for your internal || stealth || seconds/slaves In fact, that's the _only_ reason I haven't already switched to unbound. --Chris > > > -- > Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- robe...@keltia.freenix.fr > In memoriam to Ondine : http://ondine.keltia.net/ > ___ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" > > -- ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: bind 9.6.2 dnssec validation bug
Ollivier Robert wrote: > Or switch to unbound. ^^^ Cute name, but perhaps a tiny bit misleading as to the product's origin -- the first thing I thought of on seeing a name like that was the FSF. Not this time: although its development was commercially sponsored it is BSD-licensed open source. And no, I have nothing at all to do with either the product or its developers/sponsors -- this is from the press release (where I had expected to find mention of GPL). ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: bind 9.6.2 dnssec validation bug
According to Russell Jackson: > Looks like I should just suck it up and start using the bind97 port. Or switch to unbound. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- robe...@keltia.freenix.fr In memoriam to Ondine : http://ondine.keltia.net/ ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: bind 9.6.2 dnssec validation bug
On 02/06/2011 10:16 PM, Doug Barton wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 02/06/2011 20:58, Jeremy Chadwick wrote: | On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote: |> I haven't seen any mention of this anywhere. Are there any plans to |> update BIND in the 8.1/8.2 branches? |> |> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record | | This was discussed vehemently in December 2010: | | http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640 Different issue. :) | RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the | official 9.6.3 as of a commit done by Doug Barton only a few hours ago: | | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/ | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README The 9.6.3 update was in ports the same day it was released, and is now in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue that Jeremy posted above. I've sent the information about this problem to the release engineers, whether or not it makes it into 8.2-RELEASE is completely in their hands. However, the material that I sent them about this problem boiled down to the following: 1. This IS a significant bug for those who have DNSSEC validation enabled, however 2. Only a minority of our users have it enabled, and the named.conf in the base does not. 3. The bug can be worked around by restarting the affected name server _after_ it sees the new DS record, however 4. The only way to detect this problem is to wait for it to break. There are also the additional long-standing points that the latest releases of BIND are always in the ports, and anyone doing "serious" DNSSEC at this stage will want to be running 9.7.x (or the upcoming 9.8.x) because it supports RFC 5011 trust anchor rollover, among other nice DNSSEC features. | As for whether or not this will be backported to the RELENG_8_1 tag, I | would say "probably", but Doug would be authoritative on that. Back-porting it that far is definitely not being considered at the moment, and is unlikely to happen. Looks like I should just suck it up and start using the bind97 port. Thanks. -- Russell A. Jackson Network Analyst California State University, Bakersfield ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: bind 9.6.2 dnssec validation bug
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 02/06/2011 20:58, Jeremy Chadwick wrote: | On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote: |> I haven't seen any mention of this anywhere. Are there any plans to |> update BIND in the 8.1/8.2 branches? |> |> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record | | This was discussed vehemently in December 2010: | | http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640 Different issue. :) | RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the | official 9.6.3 as of a commit done by Doug Barton only a few hours ago: | | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/ | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README The 9.6.3 update was in ports the same day it was released, and is now in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue that Jeremy posted above. I've sent the information about this problem to the release engineers, whether or not it makes it into 8.2-RELEASE is completely in their hands. However, the material that I sent them about this problem boiled down to the following: 1. This IS a significant bug for those who have DNSSEC validation enabled, however 2. Only a minority of our users have it enabled, and the named.conf in the base does not. 3. The bug can be worked around by restarting the affected name server _after_ it sees the new DS record, however 4. The only way to detect this problem is to wait for it to break. There are also the additional long-standing points that the latest releases of BIND are always in the ports, and anyone doing "serious" DNSSEC at this stage will want to be running 9.7.x (or the upcoming 9.8.x) because it supports RFC 5011 trust anchor rollover, among other nice DNSSEC features. | As for whether or not this will be backported to the RELENG_8_1 tag, I | would say "probably", but Doug would be authoritative on that. Back-porting it that far is definitely not being considered at the moment, and is unlikely to happen. hth, Doug - -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.17 (FreeBSD) iQEcBAEBCAAGBQJNT440AAoJEFzGhvEaGryED28IAJfW8yLH1YngzaKCMvopeZXq HQ5DstQpg9X9vSsqGABh/2A1rtFQsyUOIEK9Af/Rsc1X9w9MNgkEDDNfrJdk0JRK NiJuemPgZGaunhXcXZTyUOuHJOAtJJds/Tcabw2nZv/bagM9KGApOCSuBzbWpam/ 90pOttSKoMs5gxHn75BcSjxRiu4mYiEo7wgkdxF8OwEedHSI6y6SQoMXMgmYkjXS mpOR8AOtrHxN17an7yn26o6Sh3gUW5BSbsIHW921yiDv+lf0N8cT5+T+Livbso/k tciZMZbMExWt02gAzotOjdMX5npkDz4/dMT9L6R6rrPecsDnvdxWE+2gf73a0Lc= =n/On -END PGP SIGNATURE- ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: bind 9.6.2 dnssec validation bug
On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote: > I haven't seen any mention of this anywhere. Are there any plans to > update BIND in the 8.1/8.2 branches? > > https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record This was discussed vehemently in December 2010: http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640 RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the official 9.6.3 as of a commit done by Doug Barton only a few hours ago: http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/ http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README As for whether or not this will be backported to the RELENG_8_1 tag, I would say "probably", but Doug would be authoritative on that. -- | Jeremy Chadwick j...@parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP 4BD6C0CB | ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
bind 9.6.2 dnssec validation bug
I haven't seen any mention of this anywhere. Are there any plans to update BIND in the 8.1/8.2 branches? https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record -- Russell A. Jackson Network Analyst California State University, Bakersfield ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
In message <4d0d408a.2020...@freebsd.org>, Doug Barton writes: > On 12/18/2010 09:16, Garrett Wollman wrote: > > In article<4d0c49a2.4000...@freebsd.org>, do...@freebsd.org writes: > > > >> In order to avoid repeating the scenario where we have a version of BIND > >> in the base that is not supported by the vendor I am proposing that we > >> upgrade to BIND 9.6-ESV in FreeBSD RELENG_7. > > > > +1 > > > > All users are going to want working DNSsec soon, if they don't > > already, and that requires 9.6. (In fact, we should start shipping > > with DNSsec enabled by default and the root key pre-configured, if we > > aren't already doing so.) > > I'm not planning to do that in the base for a couple of reasons. The > primary one being that the way BIND 9.6 handles the root key it would > have to be manually re-configured when the root key changes. When that > happens (not IF, it will happen someday) users who have the old > configuration will no longer be able to validate. The other reason I > don't want to do it in the base is that one open source OS vendor has > already been burned by doing something similar, and I don't want to > repeat that mistake. They also failed to put into place procedures to track the trust anchors as they change. OS vendors are in a much better place to do this than nameserver vendors. > What I do plan to do (and hopefully before the upcoming release) is to > make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that > users can enable and disable it easily, have a very easy way of being > notified of changes, doing the updates, etc. It's also worth pointing > out that BIND 9.7 and up support RFC 5011 rollover of the root key, > which ICANN is going to perform, which means that people with "old" root > keys in their configurations will be much more resilient. There is still a boot stap issue to be addressed. BIND 9.6 and BIND 9.7 has /etc/bind.keys which needs to be updated as the keys referenced there change. This is just a reference file in BIND 9.6. > hth, > > Doug > > -- > > Nothin' ever doesn't change, but nothin' changes much. > -- OK Go > > Breadth of IT experience, and depth of knowledge in the DNS. > Yours for the right price. :) http://SupersetSolutions.com/ > > ___ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Enabling DNSSEC (Was: Re: RFC: Upgrade BIND version in RELENG_7 to BIND 9.6.x)
On 12/18/2010 09:16, Garrett Wollman wrote: In article<4d0c49a2.4000...@freebsd.org>, do...@freebsd.org writes: In order to avoid repeating the scenario where we have a version of BIND in the base that is not supported by the vendor I am proposing that we upgrade to BIND 9.6-ESV in FreeBSD RELENG_7. +1 All users are going to want working DNSsec soon, if they don't already, and that requires 9.6. (In fact, we should start shipping with DNSsec enabled by default and the root key pre-configured, if we aren't already doing so.) I'm not planning to do that in the base for a couple of reasons. The primary one being that the way BIND 9.6 handles the root key it would have to be manually re-configured when the root key changes. When that happens (not IF, it will happen someday) users who have the old configuration will no longer be able to validate. The other reason I don't want to do it in the base is that one open source OS vendor has already been burned by doing something similar, and I don't want to repeat that mistake. What I do plan to do (and hopefully before the upcoming release) is to make ports for BIND 9.6 and 9.7+ methods of handling DNSSEC so that users can enable and disable it easily, have a very easy way of being notified of changes, doing the updates, etc. It's also worth pointing out that BIND 9.7 and up support RFC 5011 rollover of the root key, which ICANN is going to perform, which means that people with "old" root keys in their configurations will be much more resilient. hth, Doug -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: Plans for BIND and DNSSEC readiness
On Mon, 22 Feb 2010 00:12, dougb@ wrote: PGP Command Output gpg: Signature made Mon Feb 22 00:12:14 2010 EST using DSA key ID D5B2F0FB gpg: Good signature from "Doug Barton " gpg: aka "Doug Barton " gpg: aka "Doug Barton " --- Begin PGP Signed Message Verified 2010-02-25 21:12:11 -- I've made a post to -arch regarding my plans for BIND in the base, along with some information about getting ready for DNSSEC, including the upcoming signing of the root zone. You can find the message at http://lists.freebsd.org/pipermail/freebsd-arch/2010-February/009908.html. If you have any feedback regarding any of these topics, please follow up to that thread. Regards, Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover!http://SupersetSolutions.com/ End PGP Signed Message Verified 2010-02-25 21:12:11 --- Little late for a reply, But thanks for keeping this updated as this is obviously very important information that not everyone usually comes across. At least I didn't hear anything about it till now. Thanks Doug, -- jhell ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Plans for BIND and DNSSEC readiness
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 I've made a post to -arch regarding my plans for BIND in the base, along with some information about getting ready for DNSSEC, including the upcoming signing of the root zone. You can find the message at http://lists.freebsd.org/pipermail/freebsd-arch/2010-February/009908.html. If you have any feedback regarding any of these topics, please follow up to that thread. Regards, Doug - -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover!http://SupersetSolutions.com/ -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (FreeBSD) iEYEAREDAAYFAkuCEi4ACgkQyIakK9Wy8PtaZwCdGN6NljqTwHUxSQB3lf1T59j8 jpIAn20tJdy2h0ykeJwAQ8iWc32wUQ05 =uzZ5 -END PGP SIGNATURE- ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
DNSSEC
hi, This might be of interest to some. http://arstechnica.com/news.ars/post/20080722-org-first-top-level-domain-to-adopt-dns-security-protocol.html - Diane -- - [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.db.net/~db ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"