Systemd script

2016-02-19 Thread Josep Manel Andrés
Hi, I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init script we were using on SLES11SP3, but it doesn't seem to work, since the new version of bind needs to get some libraries copied into the chroot environment, that's why I am trying to adapt the systemd script that co

Re: Systemd script

2016-02-19 Thread Reindl Harald
On 19.02.2016 at 11:45 Josep Manel Andrés wrote: I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init script we were using on SLES11SP3, but it doesn't seem to work, since the new version of bind needs to get some libraries copied into the chroot environment, that's why I

Re: Systemd script

2016-02-19 Thread Josep Manel Andrés
Hi Harald, Thanks, but I suspect those are the files that come with the default system installation, but not usable (without modifications) if I have compiled it from source. Am I right? Cheers. On 19/02/16 12:02, Reindl Harald wrote: On 19.02.2016 at 11:45 Josep Manel Andrés wrote: I h

Re: Systemd script

2016-02-19 Thread Reindl Harald
On 19.02.2016 at 12:13 Josep Manel Andrés wrote: Hi Harald, Thanks, but I suspect those are the files that come with the default system installation, but not usable (without modifications) if I have compiled it from source. Am I right? well, it should not be that hard to adapt them for your

Re: Systemd script

2016-02-19 Thread Reindl Harald
On 19.02.2016 at 12:25 Reindl Harald wrote: On 19.02.2016 at 12:13 Josep Manel Andrés wrote: Hi Harald, Thanks, but I suspect those are the files that come with the default system installation, but not usable (without modifications) if I have compiled it from source. Am I right? well, it

Re: Systemd script

2016-02-19 Thread Josep Manel Andrés
Hi, I am not too confident to build RPM packages, that is why I wanted to go for a normal installation from source. Cheers! On 19/02/16 12:28, Reindl Harald wrote: On 19.02.2016 at 12:25 Reindl Harald wrote: On 19.02.2016 at 12:13 Josep Manel Andrés wrote: Hi Harald, Thanks, but I sus

Re: Systemd script

2016-02-19 Thread Reindl Harald
On 19.02.2016 at 12:46 Josep Manel Andrés wrote: I am not too confident to build RPM packages, that is why I wanted to go for a normal installation from source. well, learn it, it's really not hard to do. I learnt it the hard way that "make install" over years leaves more and more mess whi

no-case-compress lifespan

2016-02-19 Thread Phil Mayers
We've run into our first minor weirdness with an application that gets tripped over by a mixed-case response. Just so I can communicate accurately to the relevant parties in our discussions - what is the anticipated lifetime of the "no-case-compress" config option? Does ISC think it might get

Re: Systemd script

2016-02-19 Thread Josep Manel Andrés
You are right, I think I will give it a try. So I guess that I will have to prepare two packages (at least) if I want to run it in a chroot env: bind and bind-chrootenv packages. And I think I should get the spec files from the 9.9.6P1 available on the SLES12 repos. Thanks a lot! On 19/02/16

Re: Systemd script

2016-02-19 Thread Reindl Harald
On 19.02.2016 at 14:15 Josep Manel Andrés wrote: You are right, I think I will give it a try. So I guess that I will have to prepare two packages (at least) if I want to run it in a chroot env: bind and bind-chrootenv packages. And I think I should get the spec files from the 9.9.6P1 availab

Re: no-case-compress lifespan

2016-02-19 Thread Evan Hunt
> Just so I can communicate accurately to the relevant parties in our > discussions - what is the anticipated lifetime of the "no-case-compress" > config option? Does ISC think it might get removed in the foreseeable > future? We have no plans to deprecate or remove it; certainly not as long as

A Zone Transfer Question

2016-02-19 Thread David Li
This is my first time to try master slave configuration. Here is a brief description: I have two Centos 7.1 VMs - each is configured for a zone. VM1 is the master for zone1 and slave for zone2. VM2 is master for zone2 and slave for zone1. Both zones use DNS Dynamic Update from DH

Re: A Zone Transfer Question

2016-02-19 Thread John Miller
On Fri, Feb 19, 2016 at 11:45 AM, David Li wrote: > This is my first time to try master slave configuration. Here is a > brief description: > > I have two Centos 7.1 VMs - each is configured for a zone. VM1 is the > master for zone1 and slave for zone2. VM2 is master for zone2 and >

Re: A Zone Transfer Question

2016-02-19 Thread John W. Blue
Hello David, You can get started by checking your log files to see if named is complaining about anything it might not like that is preventing the transfer. John From: David Li Sent: Feb 19, 2016 10:46 AM To: BIND Users Subject: A Zone Transfer Questio

Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John, Here are the files. They are all internal zones without any references to external name servers. VM1: named.conf: - # # master (on VM1) # zone "rack1.com" { type master; file "/var/named/db.rack1.com"; allow-update { key rndc-key-rack1; }; # For DHCP dynami

Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John, Nothing in the /var/log/messages indicates transfer problems. In fact I don't think the transfer ever started by itself for some reason until I manually used "dig" to initiate. David On Fri, Feb 19, 2016 at 9:00 AM, John W. Blue wrote: > Hello David, > > You can get started by checking

Re: A Zone Transfer Question

2016-02-19 Thread John W. Blue
Nothing in the logs, eh? Well so much for getting an easy resolution. :D If you trust your conf files and logs are clean, I personally next turn to tcpdump. You really need to know what (if anything) is being placed on the wire. Something like this should get you started: tcpdump -i eth0

Re: A Zone Transfer Question

2016-02-19 Thread John W. Blue
"kick off" as in update the zone and not by using dig. John From: "John W. Blue" Sent: Feb 19, 2016 1:17 PM To: David Li Cc: BIND Users Subject: Re: A Zone Transfer Question Nothing in the logs, eh? Well so much for getting an easy resolution. :D If

Re: A Zone Transfer Question

2016-02-19 Thread Barry Margolin
In article , David Li wrote: > Hi John, > > Here are the files. They are all internal zones without any references > to external name servers. The zones should have NS records that list the slave servers, or you should have an "also-notify" statement in the master's named.conf. Although with

RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
Guys, REFRESH is set to 1 minute. That's not a long time to wait. Just do a packet capture and see if the slave is issuing zone-refresh queries regularly in the 30-second-to-1-minute range (it's randomized, of course, between REFRESH/2 and full REFRESH). If the slave isn't issuing r

Re: A Zone Transfer Question

2016-02-19 Thread John Miller
Hi David, Something I'm not seeing in your config is an options {} block that lays out your defaults for allow-transfer, allow-notify, also-notify, etc. Those are important things to know when it comes to troubleshooting zone transfer issues. Unless you've got a specific reason for not doing so,

Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John, Sorry I missed the options. I attached them below. I didn't have allow-transfer, allow-notify and also-notify. I only have allow-query. I read somewhere that NOTIFY is automatic for all slave zones. Is this the problem? For VM1 named.conf options { directory "/var/named"; al

RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
How do you suppose named knows where to send the NOTIFY messages? It's only "automatic" to the nameservers listed in the NS records of the zone. But you didn't list your slave, did you? I seem to recall there was only 1 NS record, and that's presumably the master...

RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
As pointed out previously, however, with a 1-minute REFRESH, NOTIFY is pretty much a non-issue. - Kevin -Original Message- From: Darcy Kevin (FCA) Sent: Friday, February 19, 2016 4:25 PM To: BIND Users Subject: RE: A Zone Transfer Question How do

ISC Responds to Customer Questions About CVE-2015-5745 (glibc buffer overflow vulnerability.)

2016-02-19 Thread Michael McNally
This week a major vulnerability in glibc was announced. In response to questions from our customers and users, ISC has provided a response for operators who are wondering what CVE-2015-5745 means for BIND, ISC DHCP, and Kea server operators. https://www.isc.org/blogs/a-few-words-about-the-glibc-

Re: ISC Responds to Customer Questions About CVE-2015-7547 (glibc buffer overflow vulnerability.)

2016-02-19 Thread Michael McNally
Please excuse the typo'ed CVE number in the command line -- the glibc vulnerability is CVE-2015-7547. The link below is correct. On 2/19/16 5:03 PM, Michael McNally wrote: > This week a major vulnerability in glibc was announced. In response to > questions from our customers and users, ISC has p

Re: Tuning for lots of SERVFAIL responses

2016-02-19 Thread Dave Warren
On 2016-02-18 18:19, John Miller wrote: Something I just thought of: how did you manage your NS records in this situation? To get NOTIFY/IXFR to work properly, either you have to list every one of your recursive servers in your local NS records or you have to do an also-notify block on the maste

Re: ISC Responds to Customer Questions About CVE-2015-5745 (glibc buffer overflow vulnerability.)

2016-02-19 Thread Robert Edmonds
Michael McNally wrote: > This week a major vulnerability in glibc was announced. In response to > questions from our customers and users, ISC has provided a response for > operators who are wondering what CVE-2015-5745 means for BIND, ISC DHCP, > and Kea server operators. > > https://www.isc.org/

Re: A Zone Transfer Question

2016-02-19 Thread John Miller
Regardless of how NOTIFY's behaving (it's a nice-to-have, not a must), you need to make sure zone transfers from master to slave are working. If you can run dig @10.4.1.101 rack1.com AXFR from your slave, then zone transfers of rack1.com are working from master to slave, and your issue lies somew

Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John, Well, I was wrong about the log. I did find some info about why zone transfer failed. On one server running zone rack1.com, I see: Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied Feb 19 16:04:27 dli-centos7 named[13882]: clie

RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
Look at your "allow-query". It appears your master isn't letting your slave query it. Query access is a prerequisite for zone-refresh transactions. - Kevin -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.
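Added example (written for this digest, not code posted by anyone in the thread): the denied-SOA line David quoted is the whole diagnosis, so this script parses named "denied" log lines and checks the client against a BIND-style address match list (first match wins, "!" negates, no match denies). The log sample is constructed from the line quoted above plus one ordinary query line, and the allow-query ACL in the example (a master admitting only its own /24 plus localhost) is an assumption standing in for the truncated options block in David's post; the secondary's address 10.4.3.101 and the zone rack1.com come from the thread.

```python
"""Diagnose zone-refresh failures from named's "denied" log lines.

Constructed example for the bind-users digest. The ACLs and the second
log line are assumptions; the first log line copies the one in the thread.
"""
import ipaddress
import re

# Constructed sample log: the first line is the denial quoted in the thread,
# the second is an assumed ordinary query from some other client (not denied).
SAMPLE_LOG = """\
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
Feb 19 16:04:30 dli-centos7 named[13882]: client 10.4.1.50#33210 (www.rack1.com): query: www.rack1.com IN A + (10.4.1.101)
"""

# Matches named's "query '<name>/<type>/IN' denied" and the analogous
# "zone transfer '<name>/AXFR/IN' denied" lines (the latter form is assumed).
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]+)\): "
    r"(?P<op>query|zone transfer) '(?P<zone>[^/']+)/(?P<qtype>[A-Z]+)/IN' denied"
)


def acl_allows(acl, client_ip):
    """Evaluate a BIND-style address match list for one client address.

    acl is a list of strings as they would appear in named.conf: "any",
    "none", "localhost", an address or a CIDR prefix, optionally prefixed
    with "!" to negate. The first element that matches decides; a match on
    a negated element denies; no match at all denies.
    """
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        token = element.lstrip("!").strip()
        if token == "any":
            matched = True
        elif token == "none":
            matched = False
        elif token == "localhost":
            matched = ip.is_loopback  # assumption: loopback addresses only
        else:
            matched = ip in ipaddress.ip_network(token, strict=False)
        if matched:
            return not negate
    return False


def denied_events(log_text):
    """Return one dict (ip, name, op, zone, qtype) per 'denied' line."""
    return [m.groupdict() for m in DENIED_RE.finditer(log_text)]


def diagnose(log_text, allow_query, allow_transfer, secondaries):
    """Tag each denial with the ACL that rejected it and a likely cause.

    A secondary's SOA query is checked against allow-query; only if that
    succeeds does it ever ask for AXFR/IXFR, which allow-transfer governs.
    """
    findings = []
    for ev in denied_events(log_text):
        ip = ev["ip"]
        is_secondary = ip in secondaries
        if ev["qtype"] in ("AXFR", "IXFR"):
            acl_name, acl = "allow-transfer", allow_transfer
        else:
            acl_name, acl = "allow-query", allow_query
        if is_secondary and ev["qtype"] == "SOA":
            cause = "secondary cannot refresh: its SOA query is rejected by allow-query"
        elif is_secondary:
            cause = "secondary rejected by " + acl_name
        else:
            cause = "unrelated client"
        findings.append({
            "client": ip, "zone": ev["zone"], "qtype": ev["qtype"],
            "secondary": is_secondary, "acl": acl_name,
            "allowed_by_acl": acl_allows(acl, ip), "cause": cause,
        })
    return findings


if __name__ == "__main__":
    # Assumed ACLs: a master that only admits its own subnet and localhost.
    broken_allow_query = ["10.4.1.0/24", "localhost"]
    fixed_allow_query = ["10.4.1.0/24", "10.4.3.101", "localhost"]
    for finding in diagnose(SAMPLE_LOG, broken_allow_query, ["any"], {"10.4.3.101"}):
        print(finding)
    print("secondary admitted after fix:", acl_allows(fixed_allow_query, "10.4.3.101"))
```

Run against the sample, the only denial is the secondary's SOA query, and the evaluator shows why: 10.4.3.101 matches nothing in the assumed allow-query list. Adding the secondary's address (or a key-based ACL) to allow-query on the master, and keeping allow-transfer restricted to that same secondary rather than "any", is the change the thread arrives at; the script only confirms the ACL reasoning, it does not touch named.conf.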

Intermittent NXDOMAIN for a name we are forwarding

2016-02-19 Thread blrmaani
We have a DNS setup where we forward a name in one domain to 5 external nameservers. We see NXDOMAIN error intermittently (once in a couple of weeks). How do I debug this issue? I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in "Unassociated entries" when the problem happens.

Re: A Zone Transfer Question

2016-02-19 Thread Barry Margolin
In article , David Li wrote: > Hi John, > > Well, I was wrong about the log. I did find some info about why zone > transfer failed. On one server running zone rack1.com, I see: > > Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 > (rack1.com): query 'rack1.com/SOA/IN' denied

Re: A Zone Transfer Question

2016-02-19 Thread Barry Margolin
In article , John Miller wrote: > And if you actually want people to use your zone or you want NOTIFY > working, two NS records (and possibly glue) are really a must. He mentioned that these are internal nameservers, they're not reached via public delegation. So NS records are probably irrelev

Re: A Zone Transfer Question

2016-02-19 Thread John Miller
On Fri, Feb 19, 2016 at 9:26 PM, Barry Margolin wrote: > In article , > John Miller wrote: > >> And if you actually want people to use your zone or you want NOTIFY >> working, two NS records (and possibly glue) are really a must. > > He mentioned that these are internal nameservers, they're not

Re: A Zone Transfer Question

2016-02-19 Thread Reindl Harald
On 20.02.2016 at 04:04 John Miller wrote: Will a zone even load with zero NS records? It's not something I've ever tried, though probably should for grins. No, bind won't start at all.