Re: CARP+Pfsync+Bind

2005-10-07 Thread Léo Goehrs
Then you can forget about DNSSEC, for example ... Léo -----Original message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of ed Sent: Friday 7 October 2005 19:25 Cc: misc@openbsd.org Subject: Re: CARP+Pfsync+Bind On Thu, 6 Oct 2005 19:52:31 -0400 "Dave Anderso

Re: CARP+Pfsync+Bind

2005-10-07 Thread ed
On Thu, 6 Oct 2005 19:52:31 -0400 "Dave Anderson" <[EMAIL PROTECTED]> wrote: > Responses long enough so that required information is truncated should > be rare, so perhaps you've been lucky and not encountered any yet. I understand fully what you are saying, but I just don't want to serve DNS via

Re: CARP+Pfsync+Bind

2005-10-07 Thread Vladimir Potapov
Quoting ed <[EMAIL PROTECTED]>: Zone transfers are on tcp/53, DNS lookups are 53/udp, so: pass in on $ext_if proto udp from any to $DNS port 53 keep state and if required: pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state I use TinyDNS here, so we don't really need to tra

Re: CARP+Pfsync+Bind

2005-10-06 Thread Lars Hansson
On Thu, 6 Oct 2005 22:15:25 +0100 ed <[EMAIL PROTECTED]> wrote: > Works fine on the 2 domains where it's been implemented, of which > I handled the conversion from BIND style to djbdns. No problems on UDP > lookups alone, including some deep CNAMEs, which are just not required, > but I'll de

Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 22:15:52 +0100, ed proclaimed... > TCP for DNS lookups are probably going to incur latency. I'd rather > just block that off and ensure that the DNS being provided does not leak > excess > 512 bytes. This might cause some problems with huge round robin > lists, but we can

Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:07:23 -0500 eric <[EMAIL PROTECTED]> wrote: > On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... > > > I use TinyDNS here, so we don't really need to transfer zones as it's > > handled with a single data file. CARP can be good with DNS. > > 53/tcp *is* required to answer

Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005 22:15:25 +0100 >On Thu, 6 Oct 2005 15:49:02 -0400 >"Dave Anderson" <[EMAIL PROTECTED]> wrote: > >> That's not quite the whole story: 53/tcp is also used when the >> response to a query is too big for a single UDP packet (the resolv

Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:49:02 -0400 "Dave Anderson" <[EMAIL PROTECTED]> wrote: > That's not quite the whole story: 53/tcp is also used when the > response to a query is too big for a single UDP packet (the resolver > sends a UDP query and gets a 'truncated' UDP reply, so the resolver > retries the q

Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... > I use TinyDNS here, so we don't really need to transfer zones as it's > handled with a single data file. CARP can be good with DNS. 53/tcp *is* required to answer normal queries. Since you're drinking djb's koolaid, see

Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005 14:04:20 +0100 >Zone transfers are on tcp/53, DNS lookups are 53/udp, so: That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and ge

Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 16:55:05 +0400 Vladimir Potapov <[EMAIL PROTECTED]> wrote: > We have 1 server on which the firewall and DNS master service are running. And > we planned to install another server for load balancing and redundancy. > 2 servers (each running PF and BIND) will balance load (or one >

CARP+Pfsync+Bind

2005-10-06 Thread Vladimir Potapov
Hello everyone! We have 1 server on which the firewall and DNS master service are running. And we planned to install another server for load balancing and redundancy. 2 servers (each running PF and BIND) will balance load (or one will be master and the other slave) for DNS and PF. Does anyone protect DNS se