Re: FW: BIND 9 errors

2010-07-01 Thread Peter Andreev
2010/7/1 Y z yan...@hotmail.com


 (bind version 9.7.0-P1)

 A DNS slave server has two IPs: an internal RFC1918 number to talk to
 the internal net, and an external one to talk to the rest of the world.

 If I *don't* put the external IP in a master:

 zone example.com {
 type slave;
 file example;
 masters port 1053 { 172.16.0.30; } ;
 };

 I get errors:

 Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
 from non-master: external.ip#59808

This error appears because your master sends notify from external.ip, which
isn't listed in the masters {} statement.


 Whereas, if I *do* put the IP in as a master, I get:

 Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from
 external.ip#1053 failed to connect: connection refused

And this error appears because your master isn't configured to allow
connections to external.ip#1053.

It will be very helpful in resolving your problem if you provide the
options {} part of your named.conf file.


 (the reason I'm using port 1053 is because the real master is running
 on two different instances, one on port 53, and one on port 1053).

 Despite the errors, the zones still seem to function. So, what do I do
 to make the errors go away?

 Thanks!






-- 
--
AP
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Can I start multiple processes(named) in a server?

2010-07-01 Thread ShanyiWan
bind-dlz(mysql)
Single process(named):
Jul  1 16:06:42 flyinweb named[10474]: starting BIND 9.7.0-P2 -u named -c 
/usr/local/bind/etc/named.conf
Jul  1 16:06:42 flyinweb named[10474]: built with '--prefix=/usr/local/bind' 
'--with-dlz-mysql=/usr/local/mysql' '--enable-threads=no' '--enable-largefile'
Jul  1 16:06:42 flyinweb named[10474]: using up to 4096 sockets
Jul  1 16:06:42 flyinweb named[10474]: loading configuration from 
'/usr/local/bind/etc/named.conf'
Jul  1 16:06:42 flyinweb named[10474]: reading built-in trusted keys from file 
'/usr/local/bind/etc/bind.keys'
Jul  1 16:06:42 flyinweb named[10474]: using default UDP/IPv4 port range: 
[1024, 65535]
Jul  1 16:06:42 flyinweb named[10474]: using default UDP/IPv6 port range: 
[1024, 65535]
Jul  1 16:06:42 flyinweb named[10474]: listening on IPv4 interface lo, 
127.0.0.1#53
Jul  1 16:06:42 flyinweb named[10474]: listening on IPv4 interface eth0, 
192.168.146.155#53
Jul  1 16:06:42 flyinweb named[10474]: generating session key for dynamic DNS
Jul  1 16:06:42 flyinweb named[10474]: Loading 'Mysql zone' using driver mysql
Jul  1 16:06:42 flyinweb named[10474]: command channel listening on 
127.0.0.1#953

Multiple processes (named):
Can I start multiple processes (named) in a server, with each process providing
services normally?
I saw information suggesting so on the internet (I think this may be wrong). How can I
maximize the capacity for concurrent queries (named)?
All the named.conf files are the same:
//
// named.conf for nameserver
//
options {
directory "/usr/local/bind/";
allow-query { any; };
allow-query-cache { any; };
recursion no;
pid-file "/usr/local/bind/var/run/named.pid";

};

logging
{
channel query_log
{
file "query.log" versions 3 size 20m;
severity info;
print-time yes;
print-category  yes;
};
category queries
{
query_log;
};
};

dlz "Mysql zone" {
   database "mysql
   {host=localhost dbname=mydns_data ssl=false port=3306 user=root pass=sok12345}
   {select zone from dns_records where zone = '%zone%'}
   {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"')
   else data end from dns_records where zone = '%zone%' and host = '%record%'
   and not (type = 'SOA' or type = 'NS')}
   {select ttl, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum
   from dns_records where zone = '%zone%' and (type = 'SOA' or type='NS')}
   {select ttl, type, host, mx_priority, data, resp_person, serial, refresh, retry, expire,
   minimum from dns_records where zone = '%zone%' and not (type = 'SOA' or type = 'NS')}";
#   {select zone from xfr_table where zone = '%zone%' and client = '%client%'}
#   {update data_count set count = count + 1 where zone ='%zone%'};
};

include "etc/rndc.key";

/var/log/messages as follow:
Jul  1 15:32:02 flyinweb named[9788]: starting BIND 9.7.0-P2 -c 
/usr/local/bind/etc/named.conf.1 -u named
Jul  1 15:32:02 flyinweb named[9788]: built with '--prefix=/usr/local/bind' 
'--with-dlz-mysql=/usr/local/mysql' '--enable-threads=no' '--enable-largefile'
Jul  1 15:32:02 flyinweb named[9788]: using up to 4096 sockets
Jul  1 15:32:02 flyinweb named[9788]: loading configuration from 
'/usr/local/bind/etc/named.conf.1'
Jul  1 15:32:02 flyinweb named[9788]: reading built-in trusted keys from file 
'/usr/local/bind/etc/bind.keys'
Jul  1 15:32:02 flyinweb named[9788]: using default UDP/IPv4 port range: [1024, 
65535]
Jul  1 15:32:02 flyinweb named[9788]: using default UDP/IPv6 port range: [1024, 
65535]
Jul  1 15:32:02 flyinweb named[9788]: listening on IPv4 interface lo, 
127.0.0.1#53
Jul  1 15:32:02 flyinweb named[9788]: listening on IPv4 interface eth0, 
192.168.146.155#53
Jul  1 15:32:02 flyinweb named[9788]: generating session key for dynamic DNS
Jul  1 15:32:02 flyinweb named[9788]: Loading 'Mysql zone' using driver mysql
Jul  1 15:32:02 flyinweb named[9788]: command channel listening on 127.0.0.1#953
Jul  1 15:32:02 flyinweb named[9788]: running
Jul  1 15:32:02 flyinweb named[9791]: starting BIND 9.7.0-P2 -c 
/usr/local/bind/etc/named.conf.2 -u named
Jul  1 15:32:02 flyinweb named[9791]: built with '--prefix=/usr/local/bind' 
'--with-dlz-mysql=/usr/local/mysql' '--enable-threads=no' '--enable-largefile'
Jul  1 15:32:02 flyinweb named[9791]: using up to 4096 sockets
Jul  1 15:32:02 flyinweb named[9791]: loading configuration from 
'/usr/local/bind/etc/named.conf.2'
Jul  1 15:32:02 flyinweb named[9791]: reading built-in trusted keys from file 
'/usr/local/bind/etc/bind.keys'
Jul  1 15:32:02 flyinweb named[9791]: using default UDP/IPv4 port range: [1024, 
65535]
Jul  1 15:32:02 flyinweb named[9791]: using default UDP/IPv6 port range: [1024, 
65535]
Jul  1 15:32:02 flyinweb named[9791]: listening on IPv4 interface lo, 
127.0.0.1#53
Jul  1 15:32:02 flyinweb named[9791]: binding TCP socket: 

Re: Nsupdate -l not using session.key

2010-07-01 Thread Kalman Feher

I was obviously especially tired yesterday when I tested this.

Anyway BIND was chroot'd and user wasn't.

(slaps forehead)

Problem solved.


On 30/06/10 6:07 PM, Kal Feher kalman.fe...@melbourneit.com.au wrote:

 
 
 
 On 30/06/10 5:25 PM, Alan Clegg acl...@isc.org wrote:
 
 On 6/30/2010 11:13 AM, Kalman Feher wrote:
 While testing bind 9.7.1 features including automated signing and
 update-policy local. I encountered some strange behaviour using nsupdate -l.
 
 When using nsupdate -l I was not able to update the zone in question and the
 following error was generated:
 update-security: error: client 127.0.0.1#9292: view internal: update
 'star/IN' denied
 
 Any suggestions?
 
 Send your named.conf
 Named.conf:
 
 acl xfer {
 none;
 };
 acl trusted {
 127.0.0.0/8;
 ::1/128;
 10.115.160.0/22;
 };
 options {
 directory "/var/bind";
 pid-file "/var/run/named/named.pid";
 bindkeys-file "/etc/bind/bind.keys";
 listen-on-v6 { none; };
 listen-on port 53 { any; };
 allow-query {
 trusted;
 };
 allow-query-cache {
 trusted;
 };
 allow-transfer {
 xfer;
 };
 dnssec-enable yes;
 
 };
 logging {
 channel default_log {
 file "/var/log/named/named.log" versions 5 size 50M;
 print-time yes;
 print-severity yes;
 print-category yes;
 };
 channel query_log {
 file "/var/log/named/query.log" versions 5 size 100M;
 print-time yes;
 print-severity yes;
 print-category yes;
 };
 channel dnssec_log {
 file "/var/log/named/dnssec.log" versions 5 size 100M;
 print-time yes;
 print-severity yes;
 print-category yes;
 };
 channel resolver_log {
 file "/var/log/named/resolver.log" versions 5 size 50M;
 print-time yes;
 print-severity yes;
 print-category yes;
 };
 category default { default_log; };
 category general { default_log; default_syslog; };
 category queries { query_log; };
 category dnssec  { dnssec_log; };
 category resolver { resolver_log; };
 };
 include "/etc/bind/rndc.key";
 controls {
 inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {
 "rndc-key"; };
 };
 view internal in {
 match-clients { trusted; };
 recursion yes;
 additional-from-auth yes;
 additional-from-cache yes;
 
 zone "." in {
 type hint;
 file "/var/bind/root.cache";
 };
 zone "localhost" IN {
 type master;
 file "pri/localhost.zone";
 allow-update { none; };
 notify no;
 allow-query { any; };
 allow-transfer { none; };
 };
 
 zone "127.in-addr.arpa" IN {
 type master;
 file "pri/127.zone";
 allow-update { none; };
 notify no;
 allow-query { any; };
 allow-transfer { none; };
 };
 
 zone "star" IN {
 type master;
 auto-dnssec maintain;
 update-policy local;
 dnssec-secure-to-insecure no;
 file "pri/star/star.zone.signed";
 key-directory "pri/star";
 notify no;
 allow-query { any; };
 allow-transfer { none; };
 };
 zone "COM" { type delegation-only; };
 zone "NET" { type delegation-only; };
 };
 
 view public in {
 
 match-clients { any; };
 recursion no;
 additional-from-auth no;
 additional-from-cache no;
 
 zone "." in {
 type hint;
 file "/var/bind/root.cache";
 };
 
 };
 view chaos chaos {
 match-clients { any; };
 allow-query { none; };
 zone "." {
 type hint;
 file "/dev/null"; };
 };
 
 
 AlanC
 

-- 
Kal Feher 



Re: Can I start multiple processes(named) in a server?

2010-07-01 Thread Alan Clegg
On 7/1/2010 4:21 AM, ShanyiWan wrote:

 Multiple processes(named): Can I start multiple processes(named) in a
 server and each process can provide services normally? See
 information so that on the internet(I think this may be wrong).How
 can i do to maximize the ability of concurrent queries(named) ? All
 the name.conf is the same:

You can't have more than one process listening on the same
{address,port} at the same time, so no, you can't do what you are trying
to do in the way you are trying to do it.

What exactly is it that you want to gain?  From the above, it would seem
that you are looking for higher queries/second?

Based on my recollection, you aren't going to get high q/sec out of DLZ
due to the way it queries the database for every incoming query -- you
may want to put a layer of caching recursive servers in front of your
DLZ server, or run your DLZ server on a different set of ports and have
your customer facing bind cache responses from it.

AlanC




RE: BIND 9 errors

2010-07-01 Thread Y z

Thanks for your reply, comments inline:

 Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400):
 2010/7/1 Y z 


 (bind version 9.7.0-P1)

 A DNS slave server has two IPs: an internal RFC1918 number to talk to
 the internal net, and an external one to talk to the rest of the world.

 If I *don't* put the external IP in a master:

 zone example.com {
 type slave;
 file example;
 masters port 1053 { 172.16.0.30; } ;

This is the internal IP of the (true) master.

 };

 I get errors:

 Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
 from non-master: external.ip#59808

 This error appears because your master sends notify from external.ip, which
 isn't listed in the masters {} statement.

No. Sorry if I was confusing. external.ip belongs to the slave server;
i.e., the slave server appears to want to talk to itself.

 Whereas, if I *do* put the IP in as a master, I get:

 Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from
 external.ip#1053 failed to connect: connection refused

 And this error appears because your master isn't configured to allow
 connections to external.ip#1053.

The slave (external.ip) doesn't, it is true. But the true master does; I
just checked. Again, I'm theorizing that (somewhere) NAT is confusing
the box into wanting to talk to itself.

 It will be very helpful in resolving your problem if you provide the
 options {} part of your named.conf file.

ok:

options {
pid-file "/var/run/bind/run/named.pid";
directory "/var/named";
allow-recursion { 127.0.0.1; internal.net; external.ip.subnet; };
allow-transfer { external.slave.ip; internal.ip; external.ip; };
/* both internal.ip and external.ip are assigned to this host;
external.slave.ip is a host on another network */

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

 (the reason I'm using port 1053 is because the real master is running
 on two different instances, one on port 53, and one on port 1053).

 Despite the errors, the zones still seem to function. So, what do I do
 to make the errors go away?

 Thanks!
  


Re: Can I start multiple processes(named) in a server?

2010-07-01 Thread wllarso
On Thu, 01 Jul 2010 10:50:24 -0400, Alan Clegg acl...@isc.org wrote:
 On 7/1/2010 4:21 AM, ShanyiWan wrote:
 
 Multiple processes(named): Can I start multiple processes(named) in a
 server and each process can provide services normally? See
 information so that on the internet(I think this may be wrong).How
 can i do to maximize the ability of concurrent queries(named) ? All
 the name.conf is the same:
 
 You can't have more than one process listening on the same
 {address,port} at the same time, so no, you can't do what you are trying
 to do in the way you are trying to do it.
 
 What exactly is it that you want to gain?  From the above, it would seem
 that you are looking for higher queries/second?
 
 Based on my recollection, you aren't going to get high q/sec out of DLZ
 due to the way it queries the database for every incoming query -- you
 may want to put a layer of caching recursive servers in front of your
 DLZ server, or run your DLZ server on a different set of ports and have
 your customer facing bind cache responses from it.

If Alan's guess about the reason for trying this is to obtain higher
performance, then you should review the information about BIND DLZ
performance at http://bind-dlz.sourceforge.net/perf_tests.html.  Granted,
this info is about an older version of BIND, and BIND-DLZ, and on older
hardware, but there are some very good performance indicators listed.

In particular, they have a table of BIND DLZ performance using a number of
different drivers.  I have attempted to copy and paste this performance
comparison table into this message.  (If you can't read it, go back to the
original source.)

Driver               QPS
Bind              16,108
Postgres             589
MySQL                689
LDAP                  82
FileSystem*          176
Berkeley DB BTREE   1116
Berkeley DB HASH    1011
Berkeley DB HPT-T   5325
Berkeley DB HPT-C   9164
Berkeley DB HPT-P 12,050

Notice that with a vanilla BIND server they were able to get 16k queries
per second.  Using BIND-DLZ with a MySQL database back end they were not
even getting 700 queries per second.  

Also, going back to the BIND DLZ Home page on Source Forge, they say:

DLZ (Dynamically Loadable Zones) is a patch for BIND 
version 9 that simplifies BIND administration and reduces 
memory usage and startup time. DLZ allows you to store 
your zone data in a database. Unlike using scripts, the 
changes in your database are immediately reflected in 
BIND's response to DNS queries, so there is no need to 
reload or restart BIND. You see, BIND dynamically loads 
the zone data it needs to answer a query from the database. 

Notice that they say that there are many different reasons that BIND-DLZ
is useful and helpful, but NEVER do they claim that its goal is high
performance, and their own testing demonstrates this.  The combination of
BIND-DLZ and MySQL does NOT provide for a high performance DNS server.

Alan does provide some very good suggestions for implementing a DNS server
system using BIND-DLZ/MySQL to get better performance, basically provide
your users a caching BIND front end that would query your BIND-DLZ server. 
But then again, this may kill the benefit of using a BIND-DLZ server in the
first place.

I've played with BIND-DLZ using MySQL as the data store.  My experience is
that no matter how convenient managing the DNS data in a SQL database,
the performance just didn't meet my expectations.  

My suggestion to anyone looking at using BIND-DLZ is to really think about
what they want from it.  It is convenient, it is more complex, and it is
slow.  Can you live with its advantages AND disadvantages?

Bill Larson




Re: BIND 9 errors

2010-07-01 Thread Mark Andrews

In message snt117-w75ea52bae5d8946f5b8c0db...@phx.gbl, Y z writes:
 
 Thanks for your reply, comments inline:
 
  Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400):
  2010/7/1 Y z 
 
 
  (bind version 9.7.0-P1)
 
  A DNS slave server has two IPs: an internal RFC1918 number to talk to
  the internal net, and an external one to talk to the rest of the world.
 
  If I *don't* put the external IP in a master:
 
  zone example.com {
  type slave;
  file example;
  masters port 1053 { 172.16.0.30; } ;
 
 This is the internal IP of the (true) master.
 
  };
 
  I get errors:
 
  Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
  from non-master: external.ip#59808
 
  This error appears because your master sends notify from external.ip, which
  isn't listed in the masters {} statement.
 
 No. Sorry if I was confusing. external.ip belongs to the slave server;
 i.e., the slave server appears to want to talk to itself.

You have a hairpin NAT.  The notify is sent to the external address
of the slave.  The NAT then turns this around, making the source
address of the notify message the external address of the NAT.

You can do any of the following:

* tell the master to send notify messages to an explicit list of addresses
  and use the internal address of the slave.  This has long term maintenance
  issues.

notify explicit;
also-notify { internal address; other slave addresses; };

  You may want to add the also-notify { internal address; }; regardless
  of whether you turn on notify explicit.

* tell the slave to accept notify messages from its external address.

allow-notify { acl; };

* add a forwarding entry for the NAT to send external/{TCP,UDP}/1053
  to master/1053 and use masters port 1053 { external; };.  I.e.,
  go through the NAT.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
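The hairpin diagnosis above turns on one detail: the refused source address is one of the slave's own addresses. The following is an added example, not code from this thread or from ISC, that parses named's "refused notify from non-master" log lines and tags each as hairpin NAT (source is a slave address) or as a master sending from an address missing from masters {} (the notify-source case Barry Margolin raises below); the log lines and addresses are constructed, and the remedy strings summarise this thread's suggestions.

```python
import ipaddress
import re

# Constructed sample log lines in named's refused-NOTIFY format; the
# addresses are documentation ranges, not taken from any real host.
SAMPLE_LOG = """\
Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: 203.0.113.10#59808
Jun 30 14:03:55 hostname named[1865]: zone example.com/IN: Transfer started.
Jun 30 14:05:12 hostname named[1865]: zone example.org/IN: refused notify from non-master: 198.51.100.7#4120
"""

NOTIFY_RE = re.compile(
    r"zone (?P<zone>\S+): refused notify from non-master: "
    r"(?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# Remedies as suggested in this thread, keyed by the diagnosed cause.
REMEDY = {
    "hairpin-nat": ("source is this slave's own address: the NAT rewrites the "
                    "master's NOTIFY; use also-notify with the slave's internal "
                    "address on the master, or allow-notify for the external "
                    "address on the slave"),
    "unlisted-source": ("master sends NOTIFY from an address not in masters {}; "
                        "pin it with notify-source on the master or add it to "
                        "masters {}"),
}


def classify_refused_notifies(log_text, masters, own_addresses):
    """Return one finding per refused-NOTIFY line, oldest first.

    masters:       addresses in the slave's masters {} statement
    own_addresses: every address configured on the slave itself
    """
    masters = {ipaddress.ip_address(a) for a in masters}
    own = {ipaddress.ip_address(a) for a in own_addresses}
    findings = []
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m is None:
            continue  # not a refused-NOTIFY line
        src = ipaddress.ip_address(m["addr"])
        if src in own:
            cause = "hairpin-nat"
        elif src in masters:
            continue  # defensive: named accepts NOTIFY from a listed master
        else:
            cause = "unlisted-source"
        findings.append({
            "zone": m["zone"],
            "source": str(src),
            "port": int(m["port"]),
            "cause": cause,
            "remedy": REMEDY[cause],
        })
    return findings


if __name__ == "__main__":
    # Constructed slave: 172.16.0.5 inside, 203.0.113.10 outside; master 172.16.0.30.
    for f in classify_refused_notifies(SAMPLE_LOG, ["172.16.0.30"],
                                       ["172.16.0.5", "203.0.113.10"]):
        print(f"{f['zone']} from {f['source']}#{f['port']}: {f['cause']}")
```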


Re: FW: BIND 9 errors

2010-07-01 Thread Barry Margolin
In article mailman.1945.1277966757.21153.bind-us...@lists.isc.org,
 Peter Andreev andreev.pe...@gmail.com wrote:

 2010/7/1 Y z yan...@hotmail.com
 
 
  (bind version 9.7.0-P1)
 
  A DNS slave server has two IPs: an internal RFC1918 number to talk to
  the internal net, and an external one to talk to the rest of the world.
 
  If I *don't* put the external IP in a master:
 
  zone example.com {
  type slave;
  file example;
  masters port 1053 { 172.16.0.30; } ;
  };
 
  I get errors:
 
  Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
  from non-master: external.ip#59808
 
 This error appears because your master sends notify from external.ip, which
 isn't listed in the masters {} statement.

This can be resolved by putting a notify-source option in the master's 
named.conf.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***