Re: How does load balancing operate on 1 forwarders
A long time ago it used to be in turn, but all current versions of BIND sort the forwarders based on a preference value (SRTT) that's derived from the RTT of previous query/query response interactions, with a 'time since we last tried this server' incorporated so that servers that aren't top of the preference list are periodically re-used.

It also means that if a server becomes unavailable, it gets time-penalised and therefore the others of the group will be used instead until the penalty has decreased over time - at which point, if it's back and running once more then it's going to be selected (or not) as before on 'nearness'.

You can see the SRTT value of nameservers in the ADB section of the cache dump (from rndc dumpdb). Smaller values are preferred.

What version are you using?

Jonathan Reed wrote:
> I have the forwarders statement to fwd queries to a few DNS servers on my LAN.
>
>     forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>
> The bind documentation says that these fwders are queried in turn, but what exactly does that mean? I understand it to mean that they are not round robined and if the answer is found from the first IP then it stops there and returns the query to the client. But assume that .1 goes unreachable. What is the timeout used to query the next forwarder in the list? And is this timeout modifiable?

___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Question about message your system is lacking dev/random (or equivalent)
I'm running BIND9 on AIX 5.3. My OS does have /dev/random and /dev/urandom.

    # odmget CuDvDr | grep -p random
    CuDvDr:
            resource = ddins
            value1 = random
            value2 = 34
            value3 =

    crw-r--r--   1 root system   34,  0 Feb 26 2009 random
    crw-r--r--   1 root system   34,  1 Feb 26 2009 urandom

I'm running BIND9 on 4 DNS servers with the same build, same OS. 2 of the DNS servers are running with no problem. The other 2 show errors in the dnssec log:

    13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)

Linh Khuu

-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Tuesday, April 13, 2010 3:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about message your system is lacking dev/random (or equivalent)

On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:
> I just turned on the dnssec-validation today, and I saw lots of messages:
>
>     13-Apr-2010 15:17:17.122 dnssec: debug 3: validating @202be918: 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset (keyid=47948): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>     13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>     13-Apr-2010 15:26:37.385 dnssec: debug 3: validating @202c0e28: usps.gov SOA: verify rdataset (keyid=43133): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)
>
> Is this a problem with dnssec on my DNS server?

Did you build BIND yourself? When BIND starts does it log anything like: --with-randomdev=something? What operating system, etc? You haven't really provided very much useful information in your question...

DNSSEC needs entropy for signing -- it believes that your system does not provide a useful source of entropy (do you have a /dev/random?) and so it wants you to add some. This is not a BIND problem, it is an OS (or, more likely, configuration) issue.

W

Linh Khuu
Network Security Specialist
MicroTech ESS Contract
Office: 410-966-0798
Pager: 410-232-2350
Email: linh.k...@ssa.gov

--
If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen
Problem with an unsigned private subzone of a signed public zone
We have a forward zone (private.cam.ac.uk) and reverse zones (e.g. 16.172.in-addr.arpa) for a subset of RFC1918 addresses that are routed throughout, but not outside, the university network. Access to these zones is restricted to that network, as the results would not be meaningful elsewhere.

The public zone cam.ac.uk does *not* contain a delegation for private.cam.ac.uk. The original justification for this, I think, was along the lines of "well, 172.in-addr.arpa obviously can't have a delegation to our 16.172.in-addr.arpa, so we shouldn't have one for the corresponding forward zone either".

Nowadays, cam.ac.uk is signed but private.cam.ac.uk is not. This doesn't create any problems for recursive nameservers that slave them, or forward all requests to servers that do. But there is one setup which fails: a recursive nameserver that accesses the private zones via stubs

    zone "private.cam.ac.uk" {
        type stub;
        file "stub/private.cam.ac.uk";
        masters { 131.111.12.37; 131.111.8.37; };
    };

    zone "16.172.in-addr.arpa" {
        type stub;
        file "stub/16.172.in-addr.arpa";
        masters { 131.111.12.37; 131.111.8.37; };
    };

    [etc.]

and also has DNSSEC validation turned on (via dlv.isc.org, but I don't think that matters - the point is that the parent zones are in the chain of trust). Then queries about private.cam.ac.uk give SERVFAIL (unless +cd is used, so it's definitely a validation failure) but to my surprise ones for 16.172.in-addr.arpa do not. That's although 172.in-addr.arpa is just as much trusted (via the ARIN trust anchors imported into dlv.isc.org) as cam.ac.uk is.

I think the reason is that although 172.in-addr.arpa does not, of course, contain a delegation to *our* 16.172.in-addr.arpa, it does contain one to blackhole-{1,2}.iana.org, and of course this is not signed. So BIND has a proof of non-existence of the DS record for 16.172.in-addr.arpa.

Of course, it could also prove there is no DS record for private.cam.ac.uk, but the absence of NS records as well apparently makes it think that private.cam.ac.uk is bogus.

Have others encountered problems like this, and if so what have they done about it? Should I just give in and put a delegation to private.cam.ac.uk in the parent zone, even though external clients will get REFUSED if they try to follow it?

--
Chris Thompson
Email: c...@cam.ac.uk
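The "+cd makes it work, so it is a validation failure" test from the post above, as an added example (editor's code, not Chris's or ISC's). It compares dig's header and flags lines for the same query sent normally and with +cd, and names the outcome. The two transcripts in the block are constructed to look like dig output for this situation; they are not real captures.

```python
"""Tell a DNSSEC validation failure apart from an ordinary resolution failure
by comparing dig output for the same name with and without +cd.

Added example, not from the original post. The dig transcripts below are
constructed (header and flags lines only); they are not real captures.
"""
import re
from typing import FrozenSet, NamedTuple, Optional

# Constructed: what a validating resolver returns for an unsigned subzone
# under a signed parent that carries no delegation (SERVFAIL), and the same
# query with checking disabled (+cd), which returns the data.
DIG_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
DIG_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
# Constructed: a fully validated answer (ad flag set).
DIG_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: \w+, status: (?P<status>\w+), id: \d+", re.M)
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.M)


class DigSummary(NamedTuple):
    status: Optional[str]       # RCODE as dig prints it, e.g. SERVFAIL
    flags: FrozenSet[str]       # header flags, e.g. {"qr", "rd", "ra", "ad"}


def summarize_dig(output: str) -> DigSummary:
    """Pull the RCODE and the header flags out of dig's text output."""
    h = HEADER_RE.search(output)
    f = FLAGS_RE.search(output)
    status = h.group("status") if h else None
    flags = frozenset(f.group("flags").split()) if f else frozenset()
    return DigSummary(status, flags)


def diagnose(plain_output: str, cd_output: str) -> str:
    """Classify a (normal query, +cd query) pair.

    'validation-failure' means the resolver can fetch the data but will not
    vouch for it: a chain-of-trust problem, not a reachability problem.
    """
    plain = summarize_dig(plain_output)
    cd = summarize_dig(cd_output)
    if plain.status is None or cd.status is None:
        return "unparsed"
    if plain.status == "SERVFAIL" and cd.status == "NOERROR":
        return "validation-failure"
    if plain.status == "SERVFAIL":
        return "resolution-failure"   # +cd did not help: servers down, lame delegation, ...
    if plain.status == "NOERROR" and "ad" in plain.flags:
        return "secure"
    return plain.status.lower()       # NOERROR without ad = insecure/unvalidated; NXDOMAIN, REFUSED, ...


if __name__ == "__main__":
    print(diagnose(DIG_PLAIN, DIG_CD))        # validation-failure
    print(diagnose(DIG_SECURE, DIG_SECURE))   # secure
```

To use it on a live resolver, feed it the output of `dig @resolver name` and `dig +cd @resolver name`; a SERVFAIL that turns into NOERROR under +cd is the signature Chris describes.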
Re: How does load balancing operate on 1 forwarders
bind 9.6.1-P2. I've dumped it to its file.

    $ sudo rndc dumpdb
    $ cat named_dump.db
    ...
    ; Unassociated entries
    ;
    ; 10.0.0.3 [srtt 610620] [flags 2000] [ttl 1721]
    ; 10.0.0.2 [srtt 16654] [flags 2000] [ttl 1721]
    ; 10.0.0.1 [srtt 375289] [flags 2000] [ttl 1721]
    ...

So I can assume that srtt with the lowest value has the best metric? And the ttl of 1721 is the timeout of 1.7 seconds? Am I reading that right?

On Mon, Apr 19, 2010 at 4:26 AM, Cathy Almond cat...@isc.org wrote:
> [...]
Re: Question about message your system is lacking dev/random (or equivalent)
A few things to try:

1: Make sure that /dev/urandom is actually doing something:

    dd if=/dev/urandom bs=1k count=1 | strings

2: You might want to try the same thing on /dev/random, but you will (probably) get way way less output -- you might want to look into seeing if your machine has a hardware entropy source and can / does expose it somewhere -- you can also investigate adding a hardware random source. From a quick look online, AIX is much more restrictive about its entropy sources, but you should be able to run a daemon that adds entropy.

You should also see where BIND believes it should suck randomness from -- it will log this when it starts, mine looks like:

    Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t /chroot/named -c /etc/bind/named.conf
    Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'
    Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets

W

On Apr 19, 2010, at 5:59 AM, Khuu, Linh MicroTech wrote:
> [...]

--
Beware that the most effective way for someone to decrypt your data may be with rubber hose.
--- SSH 1.2.12 README
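The two checks Warren suggests, as an added example (editor's code, not Warren's, Linh's or ISC's): read a few bytes from the candidate device without blocking and confirm it is a real character device that returns varied output, then pull the build-time --with-randomdev setting and any entropy warnings out of named's log. The log lines in the block are constructed to match the format quoted in this thread; they are not real captures. Function and variable names are the editor's own.

```python
"""Check whether an entropy device is usable and extract BIND's randomdev
setting and entropy warnings from its log lines.

Added example, not part of the original thread. SAMPLE_LOG is constructed
from the line formats quoted in the thread.
"""
import os
import re
import stat
from typing import Dict, List, Optional


def entropy_source_status(path: str, nbytes: int = 32) -> Dict[str, object]:
    """Report whether `path` exists, is a character device, and yields bytes.

    The read is non-blocking so a depleted blocking device (an old-style
    /dev/random) reports 0 bytes instead of hanging the check.
    """
    status: Dict[str, object] = {"path": path, "exists": False, "char_device": False,
                                 "readable": False, "bytes": 0, "degenerate": None}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return status
    status["exists"] = True
    status["char_device"] = stat.S_ISCHR(st.st_mode)
    if not status["char_device"]:
        return status
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return status
    try:
        data = os.read(fd, nbytes)
    except BlockingIOError:
        data = b""
    finally:
        os.close(fd)
    status["readable"] = True
    status["bytes"] = len(data)
    # A device that hands back one repeated byte is "working" but is not entropy.
    status["degenerate"] = (len(set(data)) <= 1) if data else None
    return status


RANDOMDEV_RE = re.compile(r"--with-randomdev=([^'\"\s]+)")
ENTROPY_WARNINGS = (
    "You must use the keyboard to create entropy",
    "could not open entropy source",
)


def randomdev_from_log(lines: List[str]) -> Optional[str]:
    """Return the device named was built with, or None if the startup line is absent."""
    for line in lines:
        m = RANDOMDEV_RE.search(line)
        if m:
            return m.group(1)
    return None


def entropy_warnings(lines: List[str]) -> List[str]:
    """Log lines in which named complains about its entropy source."""
    return [line for line in lines if any(w in line for w in ENTROPY_WARNINGS)]


# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = [
    "Mar 21 17:43:09 lisa named[27159]: starting BIND 9.7.0-P1 -u bind -t /chroot/named -c /etc/bind/named.conf",
    "Mar 21 17:43:09 lisa named[27159]: built with '--with-openssl=yes' '--with-randomdev=/dev/urandom'",
    "Mar 21 17:43:09 lisa named[27159]: using up to 4096 sockets",
    "13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638: usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the keyboard to create entropy, since your system is lacking /dev/random (or equivalent)",
    "20-Apr-2010 02:46:35.879 could not open entropy source /dev/random: file not found",
]

if __name__ == "__main__":
    dev = randomdev_from_log(SAMPLE_LOG) or "/dev/urandom"
    print(dev, entropy_source_status(dev))
    for warning in entropy_warnings(SAMPLE_LOG):
        print("WARNING:", warning)
```

Run it on each of the four servers and compare: the two that misbehave should differ either in what the device check reports or in the --with-randomdev line, which is where Mark's "wrong shared library" suspicion later in the thread would show up.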
Re: Additional records in A-Query
On 4/18/2010 5:17 AM, Fabian Hahn wrote:
> To speed up queries for the user I need to force the inclusion of additional records in a DNS response. I.e. when returning www.domain.com A I would like to force the inclusion of A-records for static1.domain.com and static2.domain.com since they will be used in the same web-page.

No, you can't convince BIND to include unsolicited A-records in a response, and even if you could, most resolvers would reject them anyway, as Barry pointed out. There are serious security problems with accepting A-records that weren't found through the regular iterative process. How can you trust that such A-records are legitimate?

Sledgehammer approach: run a refreshing script to periodically query those names so that you can keep your local cache populated with them. The frequency of that script should be tuned to the TTL of the relevant records. If your client usage patterns indicate low activity at certain times of day/week, then you might want to exclude those times from the running of the refreshing script, so as to reduce the network-bandwidth overhead.

- Kevin
Re: Problem with an unsigned private subzone of a signed public zone
On Apr 19 2010, I wrote:
> [...]
> Of course, it could also prove there is no DS record for private.cam.ac.uk, but the absence of NS records as well apparently makes it think that private.cam.ac.uk is bogus.

More experiments indicate that something changed between 9.6.1-P3 and 9.6.2rc1 - previously the type stub setup worked OK without a delegation in the signed parent.

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Additional records in A-Query
I do see additional unsolicited A-records being returned with CNAME-records and NS-records. They seem to be honored by the forwarders and resolvers on the way back.

In addition I should have mentioned that these records will be hosts in the same domain and this is implemented for an authoritative-only DNS server. I am hoping that this will decrease the time a user experiences in DNS related delays when viewing a web page referencing several URLs in the domain.

Fabian

On 4/18/2010 5:17 AM, Fabian Hahn wrote:
> [...]
Re: invalid requests for dns_registration.*
In article mailman.974.1269852204.21153.bind-us...@lists.isc.org, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> on one of my nameservers I see many of these messages in log files:
>
>     Mar 29 07:59:07 gtssk1 named[5012]: security: error: client 195.168.29.200#65293: view gtsi: check-names failure dns_registration.in.nextra.sk/A/IN

On 30.03.10 10:04, Matus UHLAR - fantomas wrote:
> Has anyone seen a case where the dns_registration prefix would be special? Any kind of device/service/protocol that would prepend this to a domain in the domain search list to get any information?

I'm receiving more and more requests for the dns_registration record in many domains. Has anyone seen a case where someone/something could issue such requests?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do not want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: Additional records in A-Query
If the A records are owned by the target of a CNAME, or by the names referred to by NS records in the Authority Section, then they're related to the query being made and therefore not really unsolicited.

To repeat: BIND doesn't have a way to include unrelated/unsolicited A records in a response, and even if it did, responsible resolvers would probably ignore them.

If you're so concerned about the latency of your client browser's DNS lookups then perhaps you should redesign your website(s) to use a much smaller set of unique domain names.

Also, I hope you realize that most modern browsers, as well as most modern operating systems, implement their own name caching, right? So query latency isn't as much of an issue as it once was. Unless, of course, your TTLs are set unreasonably low. In that case, you're defeating caching and creating your own performance problem.

A quick search turns up: http://developer.yahoo.com/performance/rules.html

- Kevin

On 4/19/2010 4:49 PM, Fabian Hahn wrote:
> [...]
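Kevin's distinction between related and unsolicited additional records, as an added example (editor's code, not BIND's): a resolver-side filter that keeps an Additional-section address only if it is inside the answering zone (in bailiwick) and owned by a name the response itself points at (a CNAME target or an NS host). The records are plain tuples rather than wire format, and both sample responses are constructed around the names from this thread.

```python
"""Filter a DNS Additional section the way a cautious resolver does.

Added example, not ISC code. Records are simple tuples, not wire format;
the sample responses below are constructed.
"""
from typing import List, NamedTuple, Set, Tuple


class RR(NamedTuple):
    name: str
    rtype: str
    rdata: str


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (the server's authority)."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def referenced_names(answer: List[RR], authority: List[RR]) -> Set[str]:
    """Names the response legitimately points at: CNAME targets and NS hosts."""
    names: Set[str] = set()
    for rr in answer:
        if rr.rtype == "CNAME":
            names.add(_norm(rr.rdata))
    for rr in authority:
        if rr.rtype == "NS":
            names.add(_norm(rr.rdata))
    return names


def sanitize_additional(zone: str, answer: List[RR], authority: List[RR],
                        additional: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split the Additional section into (accepted, rejected).

    Accepted: A/AAAA records in bailiwick AND referenced by the response.
    Everything else is dropped; an out-of-bailiwick NS host is re-resolved
    separately rather than trusted from this server.
    """
    wanted = referenced_names(answer, authority)
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in additional:
        ok = (rr.rtype in ("A", "AAAA")
              and in_bailiwick(rr.name, zone)
              and _norm(rr.name) in wanted)
        (accepted if ok else rejected).append(rr)
    return accepted, rejected


ZONE = "domain.com"

# Constructed response 1: the plain A answer from the thread plus the two
# "helpful" extras nothing in the response refers to.
ANS_PLAIN = [RR("www.domain.com.", "A", "192.0.2.10")]
ADD_UNSOLICITED = [RR("static1.domain.com.", "A", "192.0.2.11"),
                   RR("static2.domain.com.", "A", "192.0.2.12")]

# Constructed response 2: a CNAME with its target's address, and a referral
# with one in-zone and one out-of-zone nameserver.
ANS_CNAME = [RR("images.domain.com.", "CNAME", "static1.domain.com.")]
AUTH_REFERRAL = [RR("domain.com.", "NS", "ns1.domain.com."),
                 RR("domain.com.", "NS", "ns.other.example.")]
ADD_RELATED = [RR("static1.domain.com.", "A", "192.0.2.11"),   # CNAME target: related
               RR("ns1.domain.com.", "A", "192.0.2.53"),       # in-zone NS glue: related
               RR("ns.other.example.", "A", "198.51.100.53"),  # out of bailiwick: dropped
               RR("static2.domain.com.", "A", "192.0.2.12")]   # in zone but unreferenced: dropped

if __name__ == "__main__":
    for label, ans, auth, add in (("plain", ANS_PLAIN, [], ADD_UNSOLICITED),
                                  ("cname+referral", ANS_CNAME, AUTH_REFERRAL, ADD_RELATED)):
        acc, rej = sanitize_additional(ZONE, ans, auth, add)
        print(label, "accepted:", [r.name for r in acc], "rejected:", [r.name for r in rej])
```

The first response loses both static records, which is the behaviour Fabian is running into; the second keeps the CNAME target and the in-zone glue, which is why he sees those additional records "honored".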
Re: Problem with an unsigned private subzone of a signed public zone
On 19 Apr 2010, at 20:40, Chris Thompson c...@cam.ac.uk wrote:
> [...]
> More experiments indicate that something changed between 9.6.1-P3 and 9.6.2rc1 - previously the type stub setup worked OK without a delegation in the signed parent.

This change has broken a configuration that I was on the verge of deploying :-(

Tony (on his iPod).

--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Re: How does load balancing operate on 1 forwarders
In message t2q9876b68c1004190706v21144cb2i9193d71694804...@mail.gmail.com, Jonathan Reed writes:
> bind 9.6.1-P2. I've dumped it to its file.
> [...]
> So I can assume that srtt with the lowest value has the best metric? And the ttl of 1721 is the timeout of 1.7 seconds? Am I reading that right?

ttl is the time to live of the adb entry (secs). srtt (smoothed round trip time) is used to select the server (usecs).

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
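Reading the ADB dump the way Mark describes, as an added example (editor's code, not ISC's): a parser for the "Unassociated entries" lines of named_dump.db that ranks the configured forwarders lowest SRTT first and converts the units (srtt in microseconds, ttl in seconds, per Mark's reply). The dump excerpt is constructed from the lines Jonathan posted; the flags field is kept as the raw text named printed, since this thread does not say how to decode it.

```python
"""Parse BIND ADB ('Unassociated entries') lines from named_dump.db and rank
forwarders as named prefers them: lowest SRTT first.

Added example, not ISC code. SAMPLE_DUMP is constructed from the lines
posted in this thread.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_DUMP = """\
; Unassociated entries
;
; 10.0.0.3 [srtt 610620] [flags 2000] [ttl 1721]
; 10.0.0.2 [srtt 16654] [flags 2000] [ttl 1721]
; 10.0.0.1 [srtt 375289] [flags 2000] [ttl 1721]
"""

ADB_LINE = re.compile(
    r"^;\s*(?P<addr>[0-9A-Fa-f.:]+)\s+\[srtt\s+(?P<srtt>\d+)\]"
    r"\s+\[flags\s+(?P<flags>\S+)\]\s+\[ttl\s+(?P<ttl>-?\d+)\]"
)


class AdbEntry(NamedTuple):
    addr: str
    srtt_us: int    # smoothed round-trip time in microseconds (Mark's reply)
    flags: str      # raw flags text as named printed it; not decoded here
    ttl_s: int      # lifetime of this ADB entry in the cache, seconds (not a query timeout)


def parse_adb_entries(dump: str) -> Dict[str, AdbEntry]:
    """Index every parseable ADB line by address; other dump lines are ignored."""
    entries: Dict[str, AdbEntry] = {}
    for line in dump.splitlines():
        m = ADB_LINE.match(line)
        if m:
            e = AdbEntry(m["addr"], int(m["srtt"]), m["flags"], int(m["ttl"]))
            entries[e.addr] = e
    return entries


def rank_forwarders(dump: str, forwarders: List[str]) -> List[AdbEntry]:
    """Configured forwarders that have ADB state, best (lowest SRTT) first.

    Forwarders named has not talked to yet have no entry and are omitted;
    a server that has been timing out shows up here with a very large srtt,
    which is the time penalty Cathy describes.
    """
    entries = parse_adb_entries(dump)
    return sorted((entries[f] for f in forwarders if f in entries),
                  key=lambda e: e.srtt_us)


def srtt_ms(entry: AdbEntry) -> float:
    return entry.srtt_us / 1000.0


if __name__ == "__main__":
    for e in rank_forwarders(SAMPLE_DUMP, ["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        print(f"{e.addr:<12} srtt={srtt_ms(e):8.1f} ms  ttl={e.ttl_s}s  flags={e.flags}")
```

Against the posted dump this puts 10.0.0.2 (16.7 ms) first, then 10.0.0.1 (375 ms), then 10.0.0.3 (611 ms); run it against a fresh `rndc dumpdb` output to see how the ordering shifts as a forwarder goes away and comes back.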
Re: Question about message your system is lacking dev/random (or equivalent)
This is the warning message named emits when it can't find /dev/random.

    20-Apr-2010 02:46:35.879 could not open entropy source /dev/random: file not found

The message in question is NOT emitted by named if it has been correctly linked. I suspect that the wrong shared library is being found.

Named only needs /dev/random to generate new signatures when DSA or NSEC3DSA is being used to sign dynamic zones. Named does NOT need /dev/random to validate responses.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org