slave zone header in bind8

[Matus UHLAR - fantomas]

Hello,

IIRC, slave zones transferred to BIND8 had header that informed us when was
the zone transferred and from where.

Do I remember correctly? If so, when was this feature removed and why?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends? 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DNS server works but keep getting host unreachable resolving error

[Shi Jin]

Hi there,

I've setup a DNS server running bind9 in my LAN and set it up to ISP provided 
DNS servers as the forwarders. Currently this DNS server works in the sense 
both internal and external names are resolved without any problem. However, for 
each DNS query, the syslog shows entries of 

dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 
216.171.238.66#53
Where the IP 216.171.238.66 is the ISP provided DNS server. 

My named.conf.options looks like
forwarders {
216.171.238.66;
216.171.238.67;
 };
listen-on-v6 { none; };

When I run dig, I get
/etc/bind# dig

;  DiG 9.5.1-P2 
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 48733
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.  IN  NS

;; ANSWER SECTION:
.   435420  IN  NS  K.ROOT-SERVERS.NET.
.   435420  IN  NS  A.ROOT-SERVERS.NET.
.   435420  IN  NS  H.ROOT-SERVERS.NET.
.   435420  IN  NS  M.ROOT-SERVERS.NET.
.   435420  IN  NS  E.ROOT-SERVERS.NET.
.   435420  IN  NS  J.ROOT-SERVERS.NET.
.   435420  IN  NS  D.ROOT-SERVERS.NET.
.   435420  IN  NS  L.ROOT-SERVERS.NET.
.   435420  IN  NS  G.ROOT-SERVERS.NET.
.   435420  IN  NS  F.ROOT-SERVERS.NET.
.   435420  IN  NS  B.ROOT-SERVERS.NET.
.   435420  IN  NS  C.ROOT-SERVERS.NET.
.   435420  IN  NS  I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 521820  IN  A   198.41.0.4
A.ROOT-SERVERS.NET. 521820  IN  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 297362  IN  A   192.228.79.201
C.ROOT-SERVERS.NET. 297362  IN  A   192.33.4.12
D.ROOT-SERVERS.NET. 297362  IN  A   128.8.10.90
E.ROOT-SERVERS.NET. 297362  IN  A   192.203.230.10
F.ROOT-SERVERS.NET. 347113  IN  A   192.5.5.241
F.ROOT-SERVERS.NET. 521820  IN  2001:500:2f::f
G.ROOT-SERVERS.NET. 297362  IN  A   192.112.36.4
H.ROOT-SERVERS.NET. 297362  IN  A   128.63.2.53
H.ROOT-SERVERS.NET. 297362  IN  2001:500:1::803f:235
I.ROOT-SERVERS.NET. 297362  IN  A   192.36.148.17
J.ROOT-SERVERS.NET. 330463  IN  A   192.58.128.30
J.ROOT-SERVERS.NET. 330463  IN  2001:503:c27::2:30

;; Query time: 0 msec
;; SERVER: 192.168.1.127#53(192.168.1.127)
;; WHEN: Mon Sep 21 14:11:54 2009
;; MSG SIZE  rcvd: 500

The IP 192.168.1.127 is the IP address of the LAN DNS server I've setup.
The has NAT firewall enabled so it is able to access to the ISP provided DNS 
server directly. However, it looks to me like the ISP provided DNS server 
(216.171.238.66) was not able to resolve any of the names and all the resolving 
is done at the top level servers. Is my understanding correct?

More importantly, is this the correct behavior I should expect and how to I 
solve the host unreachable resolving problem?

I appreciate you help. Thank you very much.


--
Shi Jin, PhD


  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS server works but keep getting host unreachable resolving error

[Michael Monnerie]

On Montag 21 September 2009 Shi Jin wrote:
 However, it looks to me like the ISP provided DNS server
 (216.171.238.66) was not able to resolve any of the names and all the
 resolving is done at the top level servers. Is my understanding
 correct?

Try
dig @216.171.238.66 hp.com
to see if the .66 host answers to your queries. Maybe you got a wrong IP 
there? Try the same for .67, the other DNS.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: recursion on auth-only server

[Chris Thompson]

On Sep 21 2009, Matus UHLAR - fantomas wrote:


I have moved authoritative server to new IP address. I have changed the DNS
name pointing to it so the NS would point to the new IP.

Now I looked at the traffic and it seems that there are ~4 of 1000 recursive
requests sent to it.


And do you know that this was not the case before the move?


Are there any known resolvers that can iterate through NS hierarchy, or
iterative DNS servers that send resursive requests anywhere?


There are all sorts of reasons, from misconfigured resolvers to manual
use of dig (do you always remember to specify +norec when appropriate?).
Query logging will help you track them down if you are really concerned.
At 0.4%, I wouldn't worry.

--
Chris Thompson
Email: c...@cam.ac.uk
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on delegation to subdomain/external servers

[Kevin Darcy]

What is unfortunate about BIND picking a forwarder based on real, 
up-to-date information about the thing that the end-user ultimately 
cares about -- how quickly the queries get answered?


Surely this is better than hardcoding a bunch of assumptions into your 
forwarding configs, assumptions that can be trivially invalidated by 
such factors as nameserver failures, nameserver performance bottlenecks, 
network congestion, route flapping and other topographical anomalies, 
query usage patterns, etc.


If you want more fine-grained control of your query traffic, for reasons 
other than pure query performance (e.g. you might pay per-byte on link A 
but a flat rate on link B), then you might have to resort to devices 
and/or mechanisms outside of named in order to accomplish it, e.g. 
traffic shapers, transparent DNS proxies and the like.



 - Kevin


Merton Campbell Crockett wrote:
When I was transferred into our corporate IT Networks group, I 
inherited a DNS architecture based on forwarding DNS queries to 
regional name servers.  The regional name servers had access to the 
Internet and were able to provide name and address resolution for both 
Intranet and Internet queries.


The designers of the DNS architecture carefully configured the 
forwarders statement on each name server so that the name server for 
the region was listed first.  It was followed by the other regional 
name servers ordered by distance from the local name server.


Had this been implemented under BIND 8, it would have worked as the 
designers had expected.  Unfortunately, it was implemented under BIND 
9.3.  The list of name servers in the forwarders statement was no 
longer treated as a sequential list as it had been in BIND 8.  Under 
BIND 9.3 and later releases, the selection of name server from the 
forwarders list is performed the same way as the selection of name 
server for a DNS zone:  its round-robin with a preference given to the 
name server with the smallest RTT.


Another item that the designers didn't anticipate was how RTT is 
calculated.  It is not based on the RTT to the forwarder but on the 
time that it takes for the forwarder to return a result.  Given the 
physical locations of the regional name servers, the calculated RTT is 
roughly identical even at sites where there is a local name server 
co-located with the regional name server.  In our particular 
environment, the primary forwarder changes approximately every 20-30 
seconds.


Given this behavior, I'm not sure what advantage there is in having 
online and offline name servers.  I would opt for having all name 
servers online and let BIND select the more desirable name server.



On 17 Sep 2009, at 11:15:59, Ben Croswell wrote:

I have done some testing of the RTT forwarding and found that as long 
as only one, or the other of the two nameservers that you forward 
to is active at any given time the switch over is actually very quick.
The exception being the first query when the currently active 
forwarder dies and the second comes up.  The reason being that the 
first query has to wait for a timeout cycle before trying the second 
forwarder and readjusting the RTT values for both.


So theoretically if your forwarders are 10.1.1.1 and 10.2.1.1 as long 
as only one will answer queries at a given time with their own 
right answer it should failover fairly quickly.  If both answer 
then you will be at the mercy of the RTT as to which answer you will get.


--
-Ben Croswell

On Thu, Sep 17, 2009 at 12:27 PM, Kevin Darcy k...@chrysler.com 
mailto:k...@chrysler.com wrote:


RUOFF LARS wrote:

 
 


[mailto:bind-users-boun...@lists.isc.org
mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Kevin Darcy
   



BTW, at the moment I am experimenting a solution usign a
forward zone:
zone dummy.ts IN {
   type forward;
   forward only;
   forwarders { 172.25.32.171; 192.168.2.3; };
};

It seems to work.
I guess that the requests are not sent simultaneously though?
 


Correct, it's similar to the algorithm that a stub resolver uses:
try one forwarder, if it times out, try another, and so on.

In fact, the way I like to think of forwarding is: when you
forward, you're turning named *into* a stub resolver with a
cache, at least for part of the namespace. If you forward
globally (i.e. in options), and have some authoritative zones
and/or stub zones with forwarders { } defined, then those are
just selective overrides of your stub-resolver+cache function.
And if you have forward first anywhere, then you're just giving
named a second chance to resolve names iteratively, in case the
initial stub-resolver+cache approach fails (because the
 

Re: DNS server works but keep getting host unreachable resolving error

[Mark Andrews]

In message 865284.37771...@web36203.mail.mud.yahoo.com, Shi Jin writes:
 
  host unreachable is one of the clearer error messages, so
  you need
  to do some digging. From the box that you've set up bind9
  on you'll
  need to use dig to query the ISP's name servers. If that
  works, then
  you'll have to use tcpdump on that box to find out what
  named is doing.
  
  Doug
  
 Thank you very much.
 Your suggestion to use tcpdump actually is very helpful. It clearly shows:
  ICMP host 216.171.238.67 unreachable - admin prohibited, length 87

Yet you claim that dig to 216.171.238.67 works.  I think you need to provide
a full trace not the summary that a plain tcpdump gives.

Add  -Xvvv to the set of flags you used with tcpdump.

 So I think this most likely has to do with the firewall setup. Probably I 
 should enable ICMP redirect? Could anyone confirm? And
  is this safe?
 
 Thank you very much.
 Shi
 
 
   
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

bind-9.7.0a3 genkey.sh and dnssec-signzone missing check

[Paul Wouters]

Hi,

When using 9.7.0a3 with dnssec-signzone and PKCS#11, one can use the genkey.sh
as a tool to generate keys. It is however hardcoded to RSASHA1. (We needed 
NSECRSASHA1)
The below tiny patch addresses this.

Related, the dnssec-signzone command created a zone with algo 5 DNSKEY's with
NSEC3 records, which is a bogus zone that stupid people like me should not be 
allowed
to create :)

Paul

--- genkey.sh.org   2009-09-21 19:40:17.0 -0400
+++ genkey.sh   2009-09-21 19:40:45.0 -0400
@@ -1,8 +1,8 @@
 #!/bin/bash

-usage=Usage: $0 -z zone -x ext -p pin -b bits -e engine [-f] -k key_path
+usage=Usage: $0 -z zone -x ext -p pin -a algonum -b bits -e engine [-f] -k 
key_path
 tmp_file=/tmp/cur_key.$$
-while getopts :z:x:p:t:k:b:e:f opt; do
+while getopts :z:x:p:t:k:b:e:a:f opt; do
   case $opt in
 z  ) zone=$OPTARG ;;
 x  ) ext=$OPTARG ;;
@@ -12,6 +12,7 @@ while getopts :z:x:p:t:k:b:e:f opt; do
 e  ) engine=$OPTARG ;;
 b  ) bits=$OPTARG ;;
 k  ) key_path=$OPTARG ;;
+a  ) algo=$OPTARG ;;
 \? ) echo $usage
 exit 1 ;;
esac
@@ -42,9 +43,9 @@ if [ $? -ne 0 ] ; then exit 1 ; fi

 echo Generating DNSKEY RR
 if [ $flag ] ; then
-  keytag=`$mypath/keyconv.pl -a 5 -k -e $engine -l $label -p $key_path -i 
$tmp_file $zone`
+  keytag=`$mypath/keyconv.pl -a $algo -k -e $engine -l $label -p $key_path -i 
$tmp_file $zone`
 else
-  keytag=`$mypath/keyconv.pl -a 5 -e $engine -l $label -p $key_path -i 
$tmp_file $zone`
+  keytag=`$mypath/keyconv.pl -a $algo -e $engine -l $label -p $key_path -i 
$tmp_file $zone`
 fi

 if [ ! $keytag ] ; then rm $tmp_file; exit 1 ; fi

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS server works but keep getting host unreachable resolving error

[Shi Jin]

Thank you all.
I've confirmed that the problem is firewall related. I've replaced my current 
Untangle firewall with a simplest Linux NAT iptables firewall and everything 
works perfectly, without any complains.

Thank you very much for your kind help/suggestions.

Shi


  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users