Re: FW: BIND 9 errors
2010/7/1 Y z yan...@hotmail.com (bind version 9.7.0-P1) A DNS slave server has two IPs: an internal RFC1918 number to talk to the internal net, and an external one to talk to the rest of the world. If I *don't* put the external IP in a master: zone example.com { type slave; file example; masters port 1053 { 172.16.0.30; } ; }; I get errors: Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: external.ip#59808 This error appears because your master sends notify from external.ip, which isn't listed in masters {}; statement. Whereas, if I *do* put the IP in as a master, I get: Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from external.ip#1053 failed to connect: connection refused And this error appears because your master doesn't configured to allow connections to external.ip#1053. It will be very helpful in resolving your problem if you provide options{}; part of your named.conf file. (the reason I'm using port 1053 is because the real master is running on two different instances, one on port 53, and one on port 1053). Despite the errors, the zones still seem to function. So, what do I do to make the errors go away? Thanks! _ The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multicalendarocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_5 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- -- AP ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Can I start multiple processes(named) in a server?
bind-dlz(mysql) Single process(named): Jul 1 16:06:42 flyinweb named[10474]: starting BIND 9.7.0-P2 -u named -c /usr/local/bind/etc/named.conf Jul 1 16:06:42 flyinweb named[10474]: built with '--prefix=/usr/local/bind' '--with-dlz-mysql=/usr/local/mysql' '--enable-threads=no' '--enable-largefile' Jul 1 16:06:42 flyinweb named[10474]: using up to 4096 sockets Jul 1 16:06:42 flyinweb named[10474]: loading configuration from '/usr/local/bind/etc/named.conf' Jul 1 16:06:42 flyinweb named[10474]: reading built-in trusted keys from file '/usr/local/bind/etc/bind.keys' Jul 1 16:06:42 flyinweb named[10474]: using default UDP/IPv4 port range: [1024, 65535] Jul 1 16:06:42 flyinweb named[10474]: using default UDP/IPv6 port range: [1024, 65535] Jul 1 16:06:42 flyinweb named[10474]: listening on IPv4 interface lo, 127.0.0.1#53 Jul 1 16:06:42 flyinweb named[10474]: listening on IPv4 interface eth0, 192.168.146.155#53 Jul 1 16:06:42 flyinweb named[10474]: generating session key for dynamic DNS Jul 1 16:06:42 flyinweb named[10474]: Loading 'Mysql zone' using driver mysql Jul 1 16:06:42 flyinweb named[10474]: command channel listening on 127.0.0.1#953 Multiple processes(named): Can I start multiple processes(named) in a server and each process can provide services normally? See information so that on the internet(I think this may be wrong).How can i do to maximize the ability of concurrent queries(named) ? All the name.conf is the same: // // named.conf for nameserver // options { directory /usr/local/bind/; allow-query { any; }; allow-query-cache { any; }; recursion no; pid-file /usr/local/bind/var/run/named.pid; }; logging { channel query_log { file query.log versions 3 size 20m; severity info; print-time yes; print-category yes; }; category queries { query_log; }; }; dlz Mysql zone { database mysql {host=localhost dbname=mydns_data ssl=false port=3306 user=root pass=sok12345} {select zone from dns_records where zone = '%zone%'} {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\', data, '\') else data end from dns_records where zone = '%zone%' and host = '%record%' and not (type = 'SOA' or type = 'NS')} {select ttl, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum from dns_records where zone = '%zone%' and (type = 'SOA' or type='NS')} {select ttl, type, host, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum from dns_records where zone = '%zone%' and not (type = 'SOA' or type = 'NS')}; # {select zone from xfr_table where zone = '%zone%' and client = '%client%'} # {update data_count set count = count + 1 where zone ='%zone%'}; }; include etc/rndc.key; /var/log/messages as follow: Jul 1 15:32:02 flyinweb named[9788]: starting BIND 9.7.0-P2 -c /usr/local/bind/etc/named.conf.1 -u named Jul 1 15:32:02 flyinweb named[9788]: built with '--prefix=/usr/local/bind' '--with-dlz-mysql=/usr/local/mysql' '--enable-threads=no' '--enable-largefile' Jul 1 15:32:02 flyinweb named[9788]: using up to 4096 sockets Jul 1 15:32:02 flyinweb named[9788]: loading configuration from '/usr/local/bind/etc/named.conf.1' Jul 1 15:32:02 flyinweb named[9788]: reading built-in trusted keys from file '/usr/local/bind/etc/bind.keys' Jul 1 15:32:02 flyinweb named[9788]: using default UDP/IPv4 port range: [1024, 65535] Jul 1 15:32:02 flyinweb named[9788]: using default UDP/IPv6 port range: [1024, 65535] Jul 1 15:32:02 flyinweb named[9788]: listening on IPv4 interface lo, 127.0.0.1#53 Jul 1 15:32:02 flyinweb named[9788]: listening on IPv4 interface eth0, 192.168.146.155#53 Jul 1 15:32:02 flyinweb named[9788]: generating session key for dynamic DNS Jul 1 15:32:02 flyinweb named[9788]: Loading 'Mysql zone' using driver mysql Jul 1 15:32:02 flyinweb named[9788]: command channel listening on 127.0.0.1#953 Jul 1 15:32:02 flyinweb named[9788]: running Jul 1 15:32:02 flyinweb named[9791]: starting BIND 9.7.0-P2 -c /usr/local/bind/etc/named.conf.2 -u named Jul 1 15:32:02 flyinweb named[9791]: built with '--prefix=/usr/local/bind' '--with-dlz-mysql=/usr/local/mysql' '--enable-threads=no' '--enable-largefile' Jul 1 15:32:02 flyinweb named[9791]: using up to 4096 sockets Jul 1 15:32:02 flyinweb named[9791]: loading configuration from '/usr/local/bind/etc/named.conf.2' Jul 1 15:32:02 flyinweb named[9791]: reading built-in trusted keys from file '/usr/local/bind/etc/bind.keys' Jul 1 15:32:02 flyinweb named[9791]: using default UDP/IPv4 port range: [1024, 65535] Jul 1 15:32:02 flyinweb named[9791]: using default UDP/IPv6 port range: [1024, 65535] Jul 1 15:32:02 flyinweb named[9791]: listening on IPv4 interface lo, 127.0.0.1#53 Jul 1 15:32:02 flyinweb named[9791]: binding TCP socket:
Re: Nsupdate -l not using session.key
I was obviously especially tired yesterday when I tested this. Anyway BIND was chroot'd and user wasn't. (slaps forehead) Problem solved. On 30/06/10 6:07 PM, Kal Feher kalman.fe...@melbourneit.com.au wrote: On 30/06/10 5:25 PM, Alan Clegg acl...@isc.org wrote: On 6/30/2010 11:13 AM, Kalman Feher wrote: While testing bind 9.7.1 features including automated signing and update-policy local. I encountered some strange behaviour using nsupdate -l. When using nsupdate -l I was not able to update the zone in question and the following error was generated: update-security: error: client 127.0.0.1#9292: view internal: update 'star/IN' denied Any suggestions? Send your named.conf Named.conf: acl xfer { none; }; acl trusted { 127.0.0.0/8; ::1/128; 10.115.160.0/22; }; options { directory /var/bind; pid-file /var/run/named/named.pid; bindkeys-file /etc/bind/bind.keys; listen-on-v6 { none; }; listen-on port 53 { any; }; allow-query { trusted; }; allow-query-cache { trusted; }; allow-transfer { xfer; }; dnssec-enable yes; }; logging { channel default_log { file /var/log/named/named.log versions 5 size 50M; print-time yes; print-severity yes; print-category yes; }; channel query_log { file /var/log/named/query.log versions 5 size 100M; print-time yes; print-severity yes; print-category yes; }; channel dnssec_log { file /var/log/named/dnssec.log versions 5 size 100M; print-time yes; print-severity yes; print-category yes; }; channel resolver_log { file /var/log/named/resolver.log versions 5 size 50M; print-time yes; print-severity yes; print-category yes; }; category default { default_log; }; category general { default_log; default_syslog; }; category queries { query_log; }; category dnssec { dnssec_log; }; category resolver { resolver_log; }; }; include /etc/bind/rndc.key; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { rndc-key; }; }; view internal in { match-clients { trusted; }; recursion yes; additional-from-auth yes; additional-from-cache yes; zone . in { type hint; file /var/bind/root.cache; }; zone localhost IN { type master; file pri/localhost.zone; allow-update { none; }; notify no; allow-query { any; }; allow-transfer { none; }; }; zone 127.in-addr.arpa IN { type master; file pri/127.zone; allow-update { none; }; notify no; allow-query { any; }; allow-transfer { none; }; }; zone star IN { type master; auto-dnssec maintain; update-policy local; dnssec-secure-to-insecure no; file pri/star/star.zone.signed; key-directory pri/star; notify no; allow-query { any; }; allow-transfer { none; }; }; zone COM { type delegation-only; }; zone NET { type delegation-only; }; }; view public in { match-clients { any; }; recursion no; additional-from-auth no; additional-from-cache no; zone . in { type hint; file /var/bind/root.cache; }; }; view chaos chaos { match-clients { any; }; allow-query { none; }; zone . { type hint; file /dev/null; }; }; AlanC ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Kal Feher ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Can I start multiple processes(named) in a server?
On 7/1/2010 4:21 AM, ShanyiWan wrote: Multiple processes(named): Can I start multiple processes(named) in a server and each process can provide services normally? See information so that on the internet(I think this may be wrong).How can i do to maximize the ability of concurrent queries(named) ? All the name.conf is the same: You can't have more than one process listening on the same {address,port} at the same time, so no, you can't do what you are trying to do in the way you are trying to do it. What exactly is it that you want to gain? From the above, it would seem that you are looking for higher queries/second? Based on my recollection, you aren't going to get high q/sec out of DLZ due to the way it queries the database for every incoming query -- you may want to put a layer of caching recursive servers in front of your DLZ server, or run your DLZ server on a different set of ports and have your customer facing bind cache responses from it. AlanC signature.asc Description: OpenPGP digital signature ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: BIND 9 errors
Thanks for your reply, comments inline: Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400): 2010/7/1 Y z (bind version 9.7.0-P1) A DNS slave server has two IPs: an internal RFC1918 number to talk to the internal net, and an external one to talk to the rest of the world. If I *don't* put the external IP in a master: zone example.com { type slave; file example; masters port 1053 { 172.16.0.30; } ; This is the internal IP of the (true) master. }; I get errors: Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: external.ip#59808 This error appears because your master sends notify from external.ip, which isn't listed in masters {}; statement. No. Sorry if I was confusing. external.ip belongs to the slave server; i.e., the slave server appears to want to talk to itself. Whereas, if I *do* put the IP in as a master, I get: Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from external.ip#1053 failed to connect: connection refused And this error appears because your master doesn't configured to allow connections to external.ip#1053. The slave (external.ip) doesn't, it is true. But the true master does; I just checked. Again, I'm theorizing that (somewhere) NAT is confusing the box into wanting to talk to itself. It will be very helpful in resolving your problem if you provide options{}; part of your named.conf file. ok: options { pid-file /var/run/bind/run/named.pid; directory /var/named; allow-recursion { 127.0.0.1; internal.net; external.ip.subnet; }; allow-transfer { external.slave.ip; internal.ip; external.ip }; /* both internal.ip and external.ip are assigned to this host; external.slave.ip is a host on another network */ /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. */ // query-source address * port 53; }; (the reason I'm using port 1053 is because the real master is running on two different instances, one on port 53, and one on port 1053). Despite the errors, the zones still seem to function. So, what do I do to make the errors go away? Thanks! _ The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multicalendarocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_5 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Can I start multiple processes(named) in a server?
On Thu, 01 Jul 2010 10:50:24 -0400, Alan Clegg acl...@isc.org wrote: On 7/1/2010 4:21 AM, ShanyiWan wrote: Multiple processes(named): Can I start multiple processes(named) in a server and each process can provide services normally? See information so that on the internet(I think this may be wrong).How can i do to maximize the ability of concurrent queries(named) ? All the name.conf is the same: You can't have more than one process listening on the same {address,port} at the same time, so no, you can't do what you are trying to do in the way you are trying to do it. What exactly is it that you want to gain? From the above, it would seem that you are looking for higher queries/second? Based on my recollection, you aren't going to get high q/sec out of DLZ due to the way it queries the database for every incoming query -- you may want to put a layer of caching recursive servers in front of your DLZ server, or run your DLZ server on a different set of ports and have your customer facing bind cache responses from it. If Alan's guess about the reason for trying this is to obtain higher performance, then you should review the information about BIND DLZ performance at http://bind-dlz.sourceforge.net/perf_tests.html. Granted, this info about an older version of BIND, and BIND-DLZ, and on older hardware, but there is some very good performance indicators listed. In particular, they have a table of BIND DLZ performance using a number of different drivers. I have attempted to copy and past this performance comparison table into this message. (If you can't read it, go back to the original source.) BindPostgresMySQL LDAPFileSystem* Berkely DB BTREE HASHHPT-T HPT-C HPT-P QPS 16,108 589 689 82 176 1116 10115325916412,050 Notice that with a vanilla BIND server they were able to get 16k queries per second. Using BIND-DLZ with a MySQL database back end they were not even getting 700 queries per second. Also, going back to to the BIND DLZ Home page on Source Forge, they say: DLZ (Dynamically Loadable Zones) is a patch for BIND version 9 that simplifies BIND administration and reduces memory usage and startup time. DLZ allows you to store your zone data in a database. Unlike using scripts, the changes in your database are immediately reflected in BIND's response to DNS queries, so there is no need to reload or restart BIND. You see, BIND dynamically loads the zone data it needs to answer a query from the database. Notice that they say that there are many different reasons that BIND-DLZ is useful and helpful, but NEVER do they claim that it's goal is high performance, and their own testing demonstrates this. The combination of BIND-DLZ and MySQL does NOT provide for a high performance DNS server. Alan does provide some very good suggestions for implementing a DNS server system using BIND-DLZ/MySQL to get better performance, basically provide your users a caching BIND front end that would query your BIND-DLZ server. But then again, this may kill the benefit of using a BIND-DLZ server in the first place. I've played with BIND-DLZ using MySQL as the data store. My experience is that no matter how convenient managing the DNS data in a SQL database, the performance just didn't meet my expectations. My suggestion to anyone looking at using BIND-DLZ is to really think about what they want from it. It is convenient, it is more complex, and it is slow. Can you live with it's advantages AND disadvantages? Bill Larson ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
hello
hello: I have good news for you. Last week ,I have Order china New Apple iPad Wi-Fi 32GB this website: www.Toradeo.com I have received the product! I believe you will find what you want there and have an good experience on shopping from them. Regards! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9 errors
In message snt117-w75ea52bae5d8946f5b8c0db...@phx.gbl, Y z writes: Thanks for your reply, comments inline: Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400): 2010/7/1 Y z (bind version 9.7.0-P1) A DNS slave server has two IPs: an internal RFC1918 number to talk to the internal net, and an external one to talk to the rest of the world. If I *don't* put the external IP in a master: zone example.com { type slave; file example; masters port 1053 { 172.16.0.30; } ; This is the internal IP of the (true) master. }; I get errors: Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: external.ip#59808 This error appears because your master sends notify from external.ip, which isn't listed in masters {}; statement. No. Sorry if I was confusing. external.ip belongs to the slave server; i.e., the slave server appears to want to talk to itself. You have a hairpin NAT. The notify is sent to the external address of the slave. The NAT then turns this around making the source address of the notify message be the external address of the NAT. You can any of the following: * tell the master to send notify messages to a explict list of addresses and use the internal address of the slave. This has long term maintenance issues. notify explict; also-notify { internal address; other slave addresess; }; You may want to add the also-notify { internal address; }; regardless of whether you turn on notify explict. * tell the slave to accept notify messages from its external address. allow-notify { acl; }; * add a forwarding entry for the NAT to send external/{TCP,UDP}/1053 to master/1053 and use masters port 1053 { external; };. i.e. go through the NAT. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: FW: BIND 9 errors
In article mailman.1945.1277966757.21153.bind-us...@lists.isc.org, Peter Andreev andreev.pe...@gmail.com wrote: 2010/7/1 Y z yan...@hotmail.com (bind version 9.7.0-P1) A DNS slave server has two IPs: an internal RFC1918 number to talk to the internal net, and an external one to talk to the rest of the world. If I *don't* put the external IP in a master: zone example.com { type slave; file example; masters port 1053 { 172.16.0.30; } ; }; I get errors: Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: external.ip#59808 This error appears because your master sends notify from external.ip, which isn't listed in masters {}; statement. This can be resolved by putting a notify-source option in the master's named.conf. -- Barry Margolin, bar...@alum.mit.edu Arlington, MA *** PLEASE don't copy me on replies, I'll read them in the group *** ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users