Re: Binding on addresses
In message h4ofir$rt...@ger.gmane.org, Chris Hills writes:
Hi
After changing configuration from listen-on-v6 { any; }; to using
specific addresses, I observed the following in the log after issuing
`rndc reload` (times are CEST):-
29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use
29-Jul-2009 04:44:22.893 network: error: binding TCP socket: address in use
29-Jul-2009 04:44:22.893 network: info: no longer listening on ::#53
29-Jul-2009 04:44:22.965 general: info: reloading configuration succeeded
29-Jul-2009 04:44:23.031 general: info: reloading zones succeeded
29-Jul-2009 05:19:10.179 general: info: received control channel command
'reload'
29-Jul-2009 05:19:10.180 general: info: loading configuration from
'/usr/local/bind/9.6.1-P1/etc/named.conf'
29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv4 port
range: [1024, 65535]
29-Jul-2009 05:19:10.182 general: info: using default UDP/IPv6 port
range: [1024, 65535]
29-Jul-2009 05:19:10.194 general: info: reloading configuration succeeded
29-Jul-2009 05:19:10.194 general: info: reloading zones succeeded
After the reload, BIND no longer listened on tcp sockets, but udp
sockets worked ok. After restarting named, it was listening on tcp
sockets once more. Based on the log it looks like it is trying to bind
to the address-specific tcp sockets before releasing tcp [::]:53.
Linux's IP stack is broken. Reloading a second time would
have fixed it.
BIND is 9.6.1-P1 on Linux x86.
Regards,
Chris
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: about tcp port 53
Hello, Doing a search on this at www.google.com offers this first link: http://www.tcpipguide.com/free/t_DNSMessageGenerationandTransport-2.htm HTH - Original Message From: Tech W. tech...@yahoo.com.cn To: Stephane Bortzmeyer bortzme...@nic.fr Cc: bind-users@lists.isc.org Sent: Wednesday, July 29, 2009 12:35:31 AM Subject: Re: about tcp port 53 --- On Tue, 28/7/09, Stephane Bortzmeyer bortzme...@nic.fr wrote: what's the use of bind's tcp port 53? DNS requests and responses. oh, I was always thinking dns requests and responses are going with udp protocal. under what condition it uses tcp protocal? Regards, Wah. Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. Show me how: http://au.mobile.yahoo.com/mail ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: SRV Record Priority set by IP Address
On 20.07.09 13:26, Lev Vanyan wrote: i've stumbled into a question whether it is possible to configure BIND in a way that it responds to DNS SRV requests with the priority flag changed depending on the IP address of the requesting party. For example, there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and the other to 10.0.2.2. The requesting party has the ip address 10.0.1.53. I would want to have the first one with the priority higher than the second, which would allow me to split up the network by zones each one having their own server with the rest of servers used only in case of the prevalent zone server failure. Do you mean that bind could/should sort responses depending on source address of client requesting the data in the manner to the servers topologically closer to the client should precede others? The sortlist option should do that. However, to benefit of this sorting, all SRV records should have the same priority (so maybe you don't need SRV here at all). Also, the client (or intermediate relay, e.g. local DNS cache or nscd) must not re-sort responses, but has to use them in the order they came in. That may be problem in some libraries, some time ago I've been having similar problems, it seemed that nss_lwres was responsible for that. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
9.5.1-P1 to 9.6.1-P1
Any known gotcha's for this upgrade? -- Sandy Mackenzie The contents of this e-mail message and all attachments are intended for the confidential use of the addressee and where addressed to our client are the subject of solicitor and client privilege. Any retention, review, reproduction, distribution or disclosure other than by the addressee is prohibited. Please notify us immediately if we have transmitted this message to you in error. Thank you. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.5.1-P1 to 9.6.1-P1
On Wed, 29 Jul 2009, Sandy Mackenzie wrote:
Any known gotcha's for this upgrade?
The significant 9.6.0 changes are listed at
https://www.isc.org/software/bind/new-features/9.6
The BIND 9.6.1 minor release has numerous improvements
especially in portability, documentation, and DNSSEC.
The release also includes the recent security fixes: correctly check the
OpenSSL DSA_do_verify() and EVP_VerifyFinal() function results; and
handling unknown algorithms in the DNSSEC lookaside validation. (Note that
the BIND 9.6.0 version was not susceptible to the reported cases because
it already had NSEC3 algorithm support.)
The behavior of default allow-query-cache option has now changed to also
possibly be affected by recursion no;. If the allow-query-cache option
is not set, then the default for which hosts are allowed to get answers
from the cache is determined by other configurations in the following
order:
1) The allow-recursion ACL, if configured.
2) A recursion no; configuration implies none;.
3) The allow-query ACL, if configured.
4) Barring all of the above, the final default is { localnets;
localhost }.
So in other words, if you have defined recursion no; and have not defined
the allow-query-cache, allow-recursion, and allow-query ACLs, then
the default will be allow-query-cache { none; } and clients will
not have access to the cache. This is a change from 9.3.6, 9.4.3, 9.5.1,
and 9.6.0. For more details, see the ARM.
The contrib/zkt was updated to version 0.98.
BIND 9.6.1 introduces a new logging category called query-errors which
provides detailed internal information about query failures, such server
failures. (This is documented in the ARM.)
Also new experimental new statistics counters were added, including for
socket I/O events and query RTT (round trip time) histograms.
And a bind.keys file is included in the source tree which contains the
recent dlv.isc.org trust anchor for the administrator's convenience.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Correction to signatures on yesterday's BIND 9 releases
Due to a combination of circumstances, including extreme rush and the usual signer of our releases being away at IETF, we accidentally signed yesterday's BIND 9 patch releases (9.4.3-P3, 9.5.1-P3, and 9.6.1-P1) with the expired 2006 ISC signing key rather than the current one, and didn't notice the mistake until after publishing. All of the signatures have been replaced with the correct ones today. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Is my slave DNS working right?
The +trace option *forces* dig to step through each level of the hierarchy.
Therefore it's not a good way of testing any kind of override of the
normal iterative-resolution process.
- Kevin
Rob Z wrote:
Hello list,
Here's my scenario:
I have multiple DNS servers (one master and a few slaves)
authoritative for a few zones (eg mydomain.com http://mydomain.com,
zone1.mydomain.com http://zone1.mydomain.com etc).
I also have a caching server (a stock Redhat caching-nameserver.rpm
configuration, BIND 9.2.4 ) which is used by clients on LAN to query
DNS for zone1.mydomain.com http://zone1.mydomain.com.
As far as I understand this caching server does a full recursive
resolution to get information for zone1.mydomain.com
http://zone1.mydomain.com ( going to root servers, then going to
.com servers then to mydomain.com http://mydomain.com server).
My obective is to convert this caching server into a slave server,
which will transfer the full zone1.mydomain.com
http://zone1.mydomain.com.
Am I correct in the assumption that the slave server should answer
queries for zone1.mydomain.com http://zone1.mydomain.com directly as
it has all the information?
I modified the config by adding
zone zone1.mydomain.com http://zone1.mydomain.com {
type slave;
file mydomain/hosts.mydomain.com http://hosts.mydomain.com;
masters { A.B.C.D; };
};
to the caching server config and configured the master server to allow
transfers. The zone is being transfered correctly,
mydomain/hosts.mydomain.com http://hosts.mydomain.com is popupated.
However,
dig +trace @localhost host1.zone1.mydomain.com
http://host1.zone1.mydomain.com
shows that the server is still doing a full recursion, going to the
root servers, tld servers etc.
What am I missing? Do I also have to list my caching server as NS
record in the zone1.mydomain.com http://zone1.mydomain.com?
It's located on a private network and won't be able to answer queries
from the Internet.
Attached is my config file
===
//
// named.conf for Red Hat caching-nameserver
//
options {
directory /var/named;
dump-file /var/named/data/cache_dump.db;
statistics-file /var/named/data/named_stats.txt;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone . IN {
type hint;
file named.ca http://named.ca;
};
zone localdomain IN {
type master;
file localdomain.zone;
allow-update { none; };
};
zone localhost IN {
type master;
file localhost.zone;
allow-update { none; };
};
zone 0.0.127.in-addr.arpa IN {
type master;
file named.local;
allow-update { none; };
};
zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
IN {
type master;
file named.ip6.local;
allow-update { none; };
};
zone 255.in-addr.arpa IN {
type master;
file named.broadcast;
allow-update { none; };
};
zone 0.in-addr.arpa IN {
type master;
file named.zero;
allow-update { none; };
};
zone zone1.MYDOMAIN.COM http://zone1.MYDOMAIN.COM {
type slave;
file mydomain/hosts.mydomain.com http://hosts.mydomain.com;
masters { A.B.C.D; };
};
include /etc/rndc.key;
===
Thanks
Rob
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Creating a CNAME to another domain.
Danny Mayer wrote: Kevin Darcy wrote: Ezra Taylor wrote: Hello All: How can I create a CNAME that points to another domain. Example below. Is the below example possible? stars.mydomain.com http://stars.mydomain.com INCNAME stars.otherdomain.com http://stars.otherdomain.com. If stars.mydomain.com is just an ordinary name in the mydomain.com zone, then there is no problem with what you show above (except, syntactically, you need the trailing dot, as was already pointed out). If, on the other hand, stars.mydomain.com is a *zone*, then it's not possible, because in that case there would be apex records (records whose name is the same as that of the zone); at a minimum, an SOA and at least 2 NS records, which are required for each and every zone. When a particular name owns a CNAME record, it cannot also own SOA or NS records. Not true. For a Domain alias use a DNAME: mydomain.com. IN DNAME otherdomain.com. Bearing in mind that the OP asked specifically about creation of CNAMEs, which part is not true? - Kevin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
[SPAM] Win2k and bind
I know this is a very lame question, But I have been out of the Bind loop for a number of years ( yes I went over to the dark side ...MS DNS) but I want to come back. My question is this I have win2K servers what version of bind will run on this? Thanks Greg This message has been checked by the GDSI Barracuda SPAM/Virus Firewall. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: [SPAM] Win2k and bind
Unfortunately W2K was dropped a while ago, no safe version available for it. I know this is a very lame question, But I have been out of the Bind loop for a number of years ( yes I went over to the dark side ...MS DNS) but I want to come back. My question is this I have win2K servers what version of bind will run on this? Thanks Greg This message has been checked by the GDSI Barracuda SPAM/Virus Firewall. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig shows wrong ip
Chris Thompson wrote: On Jul 28 2009, sth...@nethelp.no wrote: % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net 216.250.243.230 As long as that host record exists, with an IP different from what your authoritative servers reply with, you are going to have problems, because queries will be answered by the GTLD servers and not your own authoritative servers. This is the wretched glue promoted to answer bug (we can call it a bug by now, surely?) which we are assured that the GTLD servers will be cured of this year, next year, sometime, or ... ... well, they will have to fix it before they can roll out DNSSEC, won't they? No. The op always needs to notify the Registrar of their domain when the address of any of their nameservers changes. That has always been a requirement. Danny ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
