Re: Bind 9.6.1 stops after few hours.

2009-07-08 Thread Anatoly Pugachev
On 07.07.2009 / 11:55:34 -0400, Rob Payne wrote:

> > What do you mean by stop?  Did the daemon crash, simply not respond
> > to queries, or something else?
>
> I don't know if this is the same as what Laurence is seeing.  Testing
> 9.6.1 on Solaris 10/sparc, with a local build (THREADS, no MEMFILL,
> openssl 0.9.8k) the server stops responding to queries made from the
> network (LAN), until a local query comes in (dig @localhost ...).

We're using 9.6.0-P1 in a Solaris 10 x86 zone, acting as both recursive
and authoritative server (a bit loaded, like 1k concurrent recursive
queries during daytime hours seen with 'rndc status') and don't see
any problems with it. Bind was configured as
'./configure --with-openssl=no' since we don't use DNSSEC.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC closed environment

2009-07-08 Thread Marco Davids
Eduardo Júnior wrote:

> Is it possible to configure DNSSEC only between 2 name servers, where the first is
> the authoritative and the second is the recursive? The authoritative name
> server would have signed zones and the recursive would do queries and
> validation.

Sure, why not?

I personally prefer my setup whereby I have included the IANA testbed:
https://ns.iana.org/dnssec/status.html.

In other words, I use their root hints and zonefiles in my test-environment.

In fact, I even managed to get an apparently valid chain of trust all
the way up to my 'home.forfunsec.org' testdomain with it. Quite
instructive and fun to play with. :-)

> And using dig (properly compiled and configured) makes
> requests to the recursive, and validation occurs correctly?

Yep, that sounds like it should work.

But you might like 'drill', from NLnet Labs:

http://www.nlnetlabs.nl/projects/ldns/

(sorry, for being a bit off-topic here)

Regards,

-- 
Marco Davids
SIDN



DNS Maintenance

2009-07-08 Thread Alans
Hi,

Can someone tell me how webhosting providers or ISPs do maintenance on their
DNSs?

I mean, can they take it offline? What is the procedure usually?

Thanks,

Alans


Re: DNS Maintenance

2009-07-08 Thread Alan Clegg
Alans wrote:

> Can someone tell me how webhosting providers or ISPs do maintenance on
> their DNSs?
>
> I mean, can they take it offline? What is the procedure usually?

You need to define maintenance.  With very few exceptions (none?) I
can't think of a reason to take a DNS server off-line to do anything.

AlanC




Re: DNS Maintenance

2009-07-08 Thread Barry Dean
I have been thinking of this same issue lately when I had to move a
DNS service from one host to another to re-build the OS.

I use virtual IPs on the host making it relatively easy to move the
service around. But as I use Solaris 10 as the platform I am thinking
that Zones would be a winner here as I could move the service around
physical machines much easier, much like vmotion.

It would require the zone data to be on shared storage, but would
bring me huge flexibility.


On 8 Jul 2009, at 15:15, Chris Hills wrote:

> On 08/07/09 15:46, Alans wrote:
>
> > Hi,
> >
> > Can someone tell me how webhosting providers or ISPs do maintenance on
> > their DNSs?
> >
> > I mean, can they take it offline? What is the procedure usually?
>
> Hi
>
> You can use a load balancer in front of your DNS servers, and remove the
> host from the pool when maintenance is needed.
>
> Another approach is to run your servers as virtual machines. With a
> platform like VMware you can move the guest from host to host without
> disruption using vmotion, which allows maintenance to be performed on
> the host. However, this will not help if you need to do a software or
> kernel upgrade on the guest.
>
> Regards,
>
> Chris Hills


---
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
---
Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn



namespace verification

2009-07-08 Thread Todd Snyder
Good day all,

I am looking at making some sweeping changes to some zone files,
cleaning up NS records primarily.  As I'm pondering the impact of this,
I got to thinking about how to validate every single record in my
namespace, and therefore the entirety of my change.

What I'm thinking of is a script that will go through each zone file and
do a dig against a server (localhost, or otherwise) for each record,
verifying that every record resolves correctly.

Has anyone written such a beast or know of a tool like this?  Am I being
obtuse in thinking that this would be useful to me to verify my changes?

Cheers,

Todd.



Re: rDNS Round-Robin

2009-07-08 Thread Bryan Irvine
On Mon, Jul 6, 2009 at 4:08 PM, Kevin Darcy k...@chrysler.com wrote:
> Bryan Irvine wrote:
>
> > Other than to really annoy me;  is there a valid reason for rr rDNS?
>
> Once upon a time, BIND specifically *disabled* round-robin behavior for
> non-address (A/) record types. PTR RRsets, among other types, were
> always given in a fixed order.
>
> But, I just tried a quick test, and it appears that round-robin has been
> re-enabled for PTRs. Accident? I have no idea why anyone would want this
> behavior, except perhaps to deliberately make things annoying and the query
> results inconsistent, in the hopes that people will prevent the creation of
> round-robin PTRs in the first place.

Yes but is it explicitly forbidden anywhere?  RFCs maybe?  I can't
find anything that says you shouldn't other than the majority of
people say it's dumb.  (Sometimes you need an RFC to point to in order
to get someone to fix something that is clearly not working
correctly).


Re: bind 9.6.1 under perform after running for a couple of hours

2009-07-08 Thread Fr34k
Hello,

A few of the default settings changed from 9.4.x to 9.6.x.
The appropriate README files, change logs, and BIND ARM will provide details
about them.

Below are some options and logging configurations you may want to investigate.
Ye Ole Disclaimer: Please be sure to understand what these do and the DNS
environment these alter before making changes.

options suggestions: (set some limits)
    # Employ ACLs to limit who can query the server
    allow-query { file-a; file-b; };
    # Employ ACLs to limit recursion - may or may not be the same files as in
    # the previous statement
    allow-recursion { file-a; file-b; };
    # Employ ACLs to drop abusive queries. Note: this will affect legitimate
    # responses from any networks listed, too. Keep this in mind.
    blackhole { file-c; };
    # Understand how many recursive clients the hardware should handle at a time
    recursive-clients X000;
    # Understand how many TCP clients should be handled at a time.
    tcp-clients X00;
    # Limit the number of clients-per-query. This helps to limit bogus queries
    # (especially from malware). We use 10.
    clients-per-query X0;
    # Same as above. That is, we hard set to deal with bogus queries from
    # malware. I believe BIND automagically adjusts this by default. We use 20.
    max-clients-per-query X0;
    # Setting to 0 makes this model older behavior. I believe 9.5+ new default
    # is 32MB. Setting to 0 is unlimited, if memory serves, and is what we want
    # in our environment.
    max-cache-size 0;

logging suggestions: (throw away certain things from logging IF you are not
interested in them)
    # If null is not understood, one can define it using this method
    # (the file name must be a quoted string).
    channel secure_messages { file "/dev/null"; };
    # Fancy way of sending these logs to the garbage can using the previous
    # definition. Setting ACLs generates a lot of log chatter. A good thing
    # while one tweaks ACLs to check the logs. Once ACLs are tweaked, no need
    # to waste CPU and HDD seek time logging data we no longer need = trash can.
    category security { secure_messages; };
    # Nice info about lame servers, but since we can't fix the Internet =
    # toss to the garbage can for now.
    category lame-servers { null; };
    # Again, nice info about EDNS, but it isn't something our environment
    # needs us to act upon at this time = trash can for now.
    category edns-disabled { null; };

HTH.





From: Imri Zvik im...@inter.net.il
To: bind-users@lists.isc.org
Sent: Wednesday, July 8, 2009 2:24:17 PM
Subject: bind 9.6.1 under perform after running for a couple of hours


Hi,

After a couple of hours, performance of bind 9.6.1 suddenly drops. While the
server remains responsive, the response time increases, the rate of the failed
queries increases, and CPU/load average usage increases. Restarting named
solves the problem.

I cannot find anything useful in the logs, but a quick search in this mailing
list archive shows that other users reported somewhat similar problems with
this version of BIND :(

The operating system is Linux (Linux ns1 2.6.18-128.el5 #1 SMP Wed Dec 17
11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux), Red Hat Enterprise Linux
Server release 5.3 (Tikanga).

Output of named -V:
BIND 9.6.1 built with '--enable-threads' '--enable-largefile'
'--prefix=/usr/local'

/usr/local/sbin/named: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV),
for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux
2.6.9, not stripped

It is important to state that we just upgraded from 9.4.3-P2.

Any ideas?

Re: DNSKEY dynamic update: unexpected change 9.6.0-P1 - 9.6.1

2009-07-08 Thread Shumon Huque
On Wed, Jul 08, 2009 at 09:20:29PM +, Evan Hunt wrote:
> > Is there any reason these flags should not be set by default?
>
> Yes, there is:  the code as written uses the NSEC3PARAM record in a
> way that, debatably, could be an RFC violation.  We're planning to
> correct this, and turn the feature on by default in 9.7.0.  (I can't
> promise, but it may make it into the next alpha release.)

Thanks for the explanation. Since I'm not using NSEC3, I'm going
to assume that it's safe to set the flags.

Can I request that NSEC3-NOTES be updated to mention that these
features need to be turned on explicitly? A configure flag would
be nice. I'd also suggest giving the file a slightly less misleading
name, e.g. DNSSEC-DYNAMIC-UPDATE-NOTES. Or putting the text into the
ARM.

> > Also the private type record seems to have changed from 65535 to
> > 65534 but this hasn't been updated in NSEC3-NOTES.
>
> Thank you for pointing that out.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

--Shumon.


Re: rDNS Round-Robin

2009-07-08 Thread Mark Andrews

In message 53d706300907081412r191946eeo5c9a66657bf8e...@mail.gmail.com, Bryan
Irvine writes:
> On Mon, Jul 6, 2009 at 4:08 PM, Kevin Darcy k...@chrysler.com wrote:
> > Bryan Irvine wrote:
> >
> > > Other than to really annoy me; is there a valid reason for rr rDNS?
> >
> > Once upon a time, BIND specifically *disabled* round-robin behavior for
> > non-address (A/) record types. PTR RRsets, among other types, were
> > always given in a fixed order.
> >
> > But, I just tried a quick test, and it appears that round-robin has been
> > re-enabled for PTRs. Accident? I have no idea why anyone would want this
> > behavior, except perhaps to deliberately make things annoying and the query
> > results inconsistent, in the hopes that people will prevent the creation of
> > round-robin PTRs in the first place.
>
> Yes but is it explicitly forbidden anywhere?  RFCs maybe?  I can't
> find anything that says you shouldn't other than the majority of
> people say it's dumb.  (Sometimes you need an RFC to point to in order
> to get someone to fix something that is clearly not working
> correctly).

RRsets are unordered.  Software and configurations should
be prepared for this.  Where ordering is required it is
built into the RR type.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
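Todd Snyder's "namespace verification" idea (dig every record in a zone file and check it resolves) only works if the checker honours Mark Andrews's point that RRsets are unordered; the following is an added example in Python, not code from the list or from ISC. It parses a small constructed zone, compares each RRset with the resolver's answer as a set, and reports only genuine differences; the resolver is a constructed dict standing in for `dig +short`, and the toy parser assumes one record per line with the class column present.

```python
from collections import defaultdict
# Constructed sample zone (not from the list); a real run would read each zone file.
ZONE = """\
$ORIGIN example.net.
@     IN NS   ns1
@     IN NS   ns2
ns1   IN A    192.0.2.1
www   IN A    192.0.2.10   ; two A records: a round-robin web pool
www   IN A    192.0.2.11
1.2.0.192.in-addr.arpa.  IN PTR  ns1
"""
def qualify(name, origin):  # '@' is the origin; a relative name gets the origin appended
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return {(owner, type): set(rdata)}; toy parser: one record per line, class column present."""
    origin, rrsets = ".", defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()         # drop comments and blank lines
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _cls, rtype, *rdata = line.split()
        rdata = " ".join(rdata)
        if rtype in ("NS", "CNAME", "PTR"):         # target is a name: qualify it too
            rdata = qualify(rdata, origin)
        rrsets[(qualify(owner, origin), rtype)].add(rdata)
    return dict(rrsets)

def verify(rrsets, lookup):
    """lookup(name, rtype) -> rdata strings (the lines of `dig +short`); compared as sets."""
    problems = []
    for (name, rtype), expected in sorted(rrsets.items()):
        got = set(lookup(name, rtype))
        if got != expected:                         # rotated answers are equal as sets
            problems.append((name, rtype, sorted(expected - got), sorted(got - expected)))
    return problems

# Constructed stand-in for the resolver: NS comes back rotated (fine), www lacks one A (flagged).
FAKE_ANSWERS = {
    ("example.net.", "NS"): ["ns2.example.net.", "ns1.example.net."],
    ("ns1.example.net.", "A"): ["192.0.2.1"],
    ("www.example.net.", "A"): ["192.0.2.11"],
    ("1.2.0.192.in-addr.arpa.", "PTR"): ["ns1.example.net."],
}

def check_sample():
    return verify(parse_zone(ZONE), lambda n, t: FAKE_ANSWERS.get((n, t), []))
```

Replacing the lambda with a wrapper that runs `dig +short @server name rtype` and splits its output turns this into the script Todd describes.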