Re: Clarification on bind result
Is there any update on the following issue. On Mon, May 31, 2010 at 2:16 PM, rams brames...@gmail.com wrote: Hi , I have the following zone file: $ORIGIN td3497.com. @ IN SOA udns1.ultradns.net. ppk.yahoo.com. ( 2010052610 ; serial 10800 ; refresh 3600 ; retry 2592000 ; expire 86400 ; minimum ) cname.chain.td3497.com. 86400 IN CNAME mx.chain.td3497.com. mx.chain.td3497.com. 86400 IN MX 34 mx1.chain.td3497.com. mx1.chain.td3497.com. 86400 IN MX 34 mx2.chain.td3497.com. mx2.chain.td3497.com. 86400 IN MX 34 mx3.chain.td3497.com. mx3.chain.td3497.com. 86400 IN A 1.2.3.4 ramesh.td3497.com. 86400 MX 20 . ramesh.td3497.com. 86400 MX 20 mx1. *cname.td3497.com. 86400 CNAME .* td3497.com. 86400 IN NS udns2.ultradns.net. td3497.com. 86400 IN NS udns1.ultradns.net. ;End I queried for cname domain against bind 9.6.X and got the following response C:\Documents and Settings\rameshbdig @localhost cname.td3497.com mx ; DiG 9.6.1-P1 @localhost cname.td3497.com mx ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 681 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;cname.td3497.com. IN MX ;; ANSWER SECTION: cname.td3497.com. 86400 IN CNAME . ;; Query time: 15 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon May 31 14:10:32 2010 ;; MSG SIZE rcvd: 47 Here why authority section is not returned? Actually authority section should be returned with SOA right? Thanks Regards, Ramesh ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Bind response
Hi , I have the following zone file: $ORIGIN td3497.com. @ IN SOA udns1.ultradns.net. ppk.yahoo.com. ( 2010052610 ; serial 10800 ; refresh 3600 ; retry 2592000 ; expire 86400 ; minimum ) cname.chain.td3497.com. 86400 IN CNAME mx.chain.td3497.com. mx.chain.td3497.com. 86400 IN MX 34 mx1.chain.td3497.com. mx1.chain.td3497.com. 86400 IN MX 34 mx2.chain.td3497.com. mx2.chain.td3497.com. 86400 IN MX 34 mx3.chain.td3497.com. mx3.chain.td3497.com. 86400 IN A 1.2.3.4 ramesh.td3497.com. 86400 MX 20 . ramesh.td3497.com. 86400 MX 20 mx1. cname.td3497.com. 86400 CNAME . td3497.com. 86400 IN NS udns2.ultradns.net. td3497.com. 86400 IN NS udns1.ultradns.net. ;End I queried for cname domain against bind 9.6.X and got the following response C:\Documents and Settings\rameshbdig @localhost cname.td3497.com mx ; DiG 9.6.1-P1 @localhost cname.td3497.com mx ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 681 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;cname.td3497.com. IN MX ;; ANSWER SECTION: cname.td3497.com. 86400 IN CNAME . ;; Query time: 15 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon May 31 14:10:32 2010 ;; MSG SIZE rcvd: 47 Here why authority section is not returned? Actually authority section should be returned with SOA right? Thanks Regards, Ramesh ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind response
On 01.06.10 14:16, rams wrote: I queried for cname domain against bind 9.6.X and got the following response C:\Documents and Settings\rameshbdig @localhost cname.td3497.com mx ; DiG 9.6.1-P1 @localhost cname.td3497.com mx ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 681 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;cname.td3497.com. IN MX ;; ANSWER SECTION: cname.td3497.com. 86400 IN CNAME . ;; Query time: 15 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon May 31 14:10:32 2010 ;; MSG SIZE rcvd: 47 Here why authority section is not returned? Actually authority section should be returned with SOA right? For CNAME answers, the authority for destination (.) is returned and authority is returned if it's known and configured. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. It's now safe to throw off your computer. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind response
On Tue, 1 Jun 2010, Matus UHLAR - fantomas wrote: On 01.06.10 14:16, rams wrote: I queried for cname domain against bind 9.6.X and got the following response C:\Documents and Settings\rameshbdig @localhost cname.td3497.com mx ; DiG 9.6.1-P1 @localhost cname.td3497.com mx ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 681 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;cname.td3497.com. IN MX ;; ANSWER SECTION: cname.td3497.com. 86400 IN CNAME . ;; Query time: 15 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon May 31 14:10:32 2010 ;; MSG SIZE rcvd: 47 Here why authority section is not returned? Actually authority section should be returned with SOA right? For CNAME answers, the authority for destination (.) is returned and authority is returned if it's known and configured. And here it is known to be NXDOMAIN when the server is recursive: [...@maplepark ~]$ dig cname.td3497.com. any ; DiG 9.7.0-P2 cname.td3497.com. any ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 6782 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;cname.td3497.com. IN ANY ;; AUTHORITY SECTION: com. 864 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1275386123 1800 900 604800 86400 ;; Query time: 0 msec ;; SERVER: 192.168.102.9#53(192.168.102.9) ;; WHEN: Tue Jun 1 04:56:13 2010 ;; MSG SIZE rcvd: 107 -- David Forrest Maple Park Development Corporation St. Louis, Missouri ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
max-cache-size query
Hallo, Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptons were: * Huge number of connections on our firewalls (15). * A lot of errors in syslog about max file descriptors limits reached (currently on system, the FD limit is 4096, the default of centos) Anyway, after the proposal of a friend of mine, I removed the the max-cache- size limit (that was set to 256MB. After a restart of bind, the FW guys reported a huge drop on connections (1)! Additionally, I have no crashes so far (in contract with 1-2 per week). So, why: a. bind generated so much traffic? b. Is it possible to have bind crash because I could not handle the cache clean-up and on the same time to serve requests? Thank you ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: max-cache-size query
What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading. Todd. -Original Message- From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Techi Sent: Tuesday, June 01, 2010 8:36 AM To: bind-users@lists.isc.org Subject: max-cache-size query Hallo, Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptons were: * Huge number of connections on our firewalls (15). * A lot of errors in syslog about max file descriptors limits reached (currently on system, the FD limit is 4096, the default of centos) Anyway, after the proposal of a friend of mine, I removed the the max-cache- size limit (that was set to 256MB. After a restart of bind, the FW guys reported a huge drop on connections (1)! Additionally, I have no crashes so far (in contract with 1-2 per week). So, why: a. bind generated so much traffic? b. Is it possible to have bind crash because I could not handle the cache clean-up and on the same time to serve requests? Thank you ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users - This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: max-cache-size query
On Tue 01 of Jun 2010 15:43:54 you wrote: What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading. Version: bind-9.3.6-4.P1.el5_4.2 I cannot upgrade. Company's policy is to use only Centos packages :( Anyway, I believe that it is not a true 9.3 since for example, I can set the allow-query-cache statement of 9.5. Of course, only RH can say that and I am not RH. Cheers. Todd. -Original Message- From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Techi Sent: Tuesday, June 01, 2010 8:36 AM To: bind-users@lists.isc.org Subject: max-cache-size query Hallo, Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptons were: * Huge number of connections on our firewalls (15). * A lot of errors in syslog about max file descriptors limits reached (currently on system, the FD limit is 4096, the default of centos) Anyway, after the proposal of a friend of mine, I removed the the max-cache- size limit (that was set to 256MB. After a restart of bind, the FW guys reported a huge drop on connections (1)! Additionally, I have no crashes so far (in contract with 1-2 per week). So, why: a. bind generated so much traffic? b. Is it possible to have bind crash because I could not handle the cache clean-up and on the same time to serve requests? Thank you ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users - This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: max-cache-size query
On Tue, Jun 01, 2010 at 03:52:56PM +0300, Techi wrote: On Tue 01 of Jun 2010 15:43:54 you wrote: What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading. Version: bind-9.3.6-4.P1.el5_4.2 I cannot upgrade. Company's policy is to use only Centos packages :( Anyway, I believe that it is not a true 9.3 since for example, I can set the allow-query-cache statement of 9.5. Of course, only RH can say that and I am not RH. You are right, it is not a true 9.3.6-P1, it contains numerous enhancements from later releases (like allow-query-cache). If you set too low max-cache-size and it is really busy recursion server (from number of connections it seems it really is) then BIND will often hit upper cache watermark and will start cache cleanup, which is, at least in 9.3.X series, quite expensive operation. Additionally, when cache is too small and cleaned too often, BIND will ask again and again for the same records, which means huge number of connections. If you hit again the crash you should probably open a report in the CentOS tracker. Regards, Adam -Original Message- From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Techi Sent: Tuesday, June 01, 2010 8:36 AM To: bind-users@lists.isc.org Subject: max-cache-size query Hallo, Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptons were: * Huge number of connections on our firewalls (15). * A lot of errors in syslog about max file descriptors limits reached (currently on system, the FD limit is 4096, the default of centos) Anyway, after the proposal of a friend of mine, I removed the the max-cache- size limit (that was set to 256MB. After a restart of bind, the FW guys reported a huge drop on connections (1)! Additionally, I have no crashes so far (in contract with 1-2 per week). So, why: a. bind generated so much traffic? b. Is it possible to have bind crash because I could not handle the cache clean-up and on the same time to serve requests? Thank you ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users - This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Adam Tkac, Red Hat, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DNSSEC Status...
A few questions about DNSSEC... I understand the root zones are currently getting signed. Just for sanity sake, should I be able to DIG +dnssec a.gtld-servers.net and be able to see a RRSIG record (assume I have a valid dnssec recursive name server with a valid trust anchor configured). Check out the following... [r...@int-dns ~]# dig +dnssec a.gtld-servers.net ; DiG 9.6.1-P1 +dnssec a.gtld-servers.net ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 54144 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;a.gtld-servers.net. IN A ;; ANSWER SECTION: a.gtld-servers.net. 171425 IN A 192.5.6.30 ;; AUTHORITY SECTION: gtld-servers.net. 171424 IN NS d2.nstld.com. gtld-servers.net. 171424 IN NS f2.nstld.com. gtld-servers.net. 171424 IN NS a2.nstld.com. gtld-servers.net. 171424 IN NS g2.nstld.com. gtld-servers.net. 171424 IN NS l2.nstld.com. gtld-servers.net. 171424 IN NS e2.nstld.com. gtld-servers.net. 171424 IN NS c2.nstld.com. gtld-servers.net. 171424 IN NS h2.nstld.com. ;; Query time: 130 msec ;; SERVER: 10.10.10.1#53(10.10.10.1) ;; WHEN: Tue Jun 1 09:46:13 2010 ;; MSG SIZE rcvd: 208 Also, referense the following URL.. https://ns.iana.org/dnssec/root.zone.signed I assume this data is correct. Is there a security risk publishing this data? I understand DNS is public information but why wouldn't the root be signed using nsec3 versus nsec? Thanks. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC Status...
On Tue, Jun 1, 2010 at 6:55 AM, Heavy Man heavyma...@yahoo.com wrote: A few questions about DNSSEC... I understand the root zones are currently getting signed. The root zone is currently signed with a DURZ (deliberately unvalidatable root zone) as part of its deployment. See the following site for more information: http://www.root-dnssec.org/ Just for sanity sake, should I be able to DIG +dnssec a.gtld-servers.net and be able to see a RRSIG record (assume I have a valid dnssec recursive name server with a valid trust anchor configured). (As a side note, gtld-servers.net is the domain corresponding to the names of servers authoritative for TLD servers (e.g., edu, com, net), not the root zone.) There is a difference between the name of a zone and the names of the servers authoritative for that zone, which are the targets of the NS records. For example: $ dig . ns ; DiG 9.7.0-P1 . ns ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 63188 ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.INNS ;; ANSWER SECTION: .484118INNSd.root-servers.net. .484118INNSl.root-servers.net. .484118INNSi.root-servers.net. .484118INNSh.root-servers.net. .484118INNSe.root-servers.net. .484118INNSj.root-servers.net. .484118INNSm.root-servers.net. .484118INNSg.root-servers.net. .484118INNSa.root-servers.net. .484118INNSf.root-servers.net. .484118INNSc.root-servers.net. .484118INNSk.root-servers.net. .484118INNSb.root-servers.net. ;; ADDITIONAL SECTION: a.root-servers.net.144120INA198.41.0.4 The zone origin is ., but the names of the authoritative server are [a-m]. root-servers.net. In DNSSEC, signing is done on a per-zone basis, so the signing of the root-servers.net zone is independent of (and unnecessary for) the signing of the root zone (.). This being said, if you now query the root servers for DNSSEC RRs pertaining to the root zone, you will get the following: $ dig @a.root-servers.net +dnssec . ns ; DiG 9.7.0-P1 @a.root-servers.net +dnssec . ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 8463 ;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 21 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;.INNS ;; ANSWER SECTION: .518400INNSa.root-servers.net. .518400INNSh.root-servers.net. .518400INNSj.root-servers.net. .518400INNSm.root-servers.net. .518400INNSg.root-servers.net. .518400INNSe.root-servers.net. .518400INNSk.root-servers.net. .518400INNSd.root-servers.net. .518400INNSc.root-servers.net. .518400INNSi.root-servers.net. .518400INNSb.root-servers.net. .518400INNSl.root-servers.net. .518400INNSf.root-servers.net. .518400INRRSIGNS 8 0 518400 2010060707 2010053106 55138 . xJyVQ+6RhZ7OQZFqFBY+z6xTeLWk7GpGljhp2zmkXVkK1bB3x0DZsdwA MF7+pyXa3hkUvbG4+MBErWmhiJveV/DyU00kZXrWc8oma82uhLvgBjwf /q7JArynxkbhrsbFoHT0IBQe9mQBhfJAta9myUEc01EGDVWwvpATMTTM Ktc= which includes the RRSIG covering the NS RRset for the root zone. Regards, Casey ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
question about bind bug fixed in 9.6.2-P2
From the release notes: --- 9.6.2-P2 released --- 2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131] Question: Does this bug only occur if dnssec is enabled? or only if dnssec validation is turned on? or will it (potentially) occur regardless of whether or not either of these options are used? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: max-cache-size query
One obvious solution to keeping the firewall guys happy would just be to make them not burn state entries for the nameserver at all Firewalls in front of nameservers cause an ungodly amount of issues for no real benefit... Just sayin'... W On Jun 1, 2010, at 8:35 AM, Techi wrote: Hallo, Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptons were: * Huge number of connections on our firewalls (15). * A lot of errors in syslog about max file descriptors limits reached (currently on system, the FD limit is 4096, the default of centos) Anyway, after the proposal of a friend of mine, I removed the the max-cache- size limit (that was set to 256MB. After a restart of bind, the FW guys reported a huge drop on connections (1)! Additionally, I have no crashes so far (in contract with 1-2 per week). So, why: a. bind generated so much traffic? b. Is it possible to have bind crash because I could not handle the cache clean-up and on the same time to serve requests? Thank you ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users --- Schizophrenia beats being alone. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC Status...
In message 573607.58516...@web114302.mail.gq1.yahoo.com, Heavy Man writes: A few questions about DNSSEC... I understand the root zones are currently getting signed. Just for sanit= y sake, should I be able to DIG +dnssec a.gtld-servers.net and be able to s= ee a RRSIG record (assume I have a valid dnssec recursive name server with = a valid trust anchor configured). Check out the following... Firstly it would be a.root-servers.net, not a.gtld-servers.net. Secondly root-servers.net is not signed and doesn't need to be. Also, referense the following URL.. https://ns.iana.org/dnssec/root.zone.signed I assume this data is correct. Is there a security risk publishing this = data? I understand DNS is public information but why wouldn't the root b= e signed using nsec3 versus nsec? Because there is no benefit to signing with NSEC3. * The entire zone is publicly available so you don't need the obscuration. * The zone is so small that you don't need optout. Also NSEC3 is more expensive to operationally. The authortative servers need to do more work to serve the zone and validators need to do more work to check the answers. You don't use NSEC3 unless there is a real benefit to using it. If you just have a http server and email don't go using NSEC3. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
probleme with dk dkim and dlv for miltiple domain for dkimproxy and bind dnssec
hello all hello bind network I am having problems with my dk and dkim signature of my emails I have successfully made the process of verification of signatures dnssec all my domains are correct and good displays on dlv.isc.org the reason for my problem just the reason that I have updated my postfix and I have recreated a pair of keys with openssl for dkimproxy the reason for my questions one of my domains. in .fr: after validation of signatures by isc dk dkim said OK Other areas domains ( other .fr and other .eu ) after validation of signatures by isc dk dkim said bad that happens I do not understand thanks for advice thanks for help ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users