Re: IPAM advantages (was Re: MySQL BIND SDB)
Chris Buxton wrote:
> On Nov 16, 2010, at 12:44 PM, Gary Wallis wrote:
>> IPAM is an Infoblox proprietary system that Cricket Liu is involved with.
>
> No. IPAM = IP Address Management. It is not a product, but rather a product category. I believe the term was coined by Lucent, or whoever owned QIP at the time, sometime in the mid-90's. (I could be wrong, though.)
>
> Infoblox offers an IPAM solution. I will make no comment on its relative merits versus the competition; I work in the industry.
>
> The following companies also offer commercial IPAM solutions (list is not exhaustive):
>
> BlueCat Networks (Proteus)
> Men & Mice (the eponymous Suite)
> Vital/Lucent/Alcatel (QIP)
> BT (DiamondIP)
>
> There is at least one real F/OSS IPAM solution, NetReg from Carnegie Mellon University.
>
> C/Panel, Webmin, and other systems like that are system management solutions, not IPAM solutions.
>
> Regards,
> Chris Buxton
> BlueCat Networks

Thanks for the correction and the updated list of IPAM software providers.

My main point is that I think that Karl was right about the advantages of managed DNS systems. IPAM is much more than DNS management (too much more for some in many cases.)

Centralized DNS management is cool, especially FOSS tools that may help you manage a large cluster of ISC/BIND servers.

(If we use FOSS BIND why should we support anti FOSS businesses like many mentioned above?)

Cheers!
Gary

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: IPAM advantages (was Re: MySQL BIND SDB)
On 11/17/2010 7:15 AM, Gary Wallis wrote:
> [.. Discussion of non-open-source IPAM solutions ..]
> (If we use FOSS BIND why should we support anti FOSS businesses like many mentioned above?)

Several of the businesses listed in the original post are BIND Forum members and are supporting ISC in that manner. BIND forum memberships are also available to individuals and to companies that like/use BIND and feel the need to help with its upkeep.. :)

For more information: http://www.isc.org/software/guild/bf

AlanC
Is it Possible to Log nxdomain Responses?
We are chasing down some problems in which clients are trying to resolve lookups to a domain related to Microsoft Active Directory zones. We were able to determine that clients were querying this AD zone when it was thought they weren't needing to do so. We enabled querylogging for a short time and saw a specific test system querying the domain and we were able to dump the cache of the master DNS running bind9.7.1 and saw numerous nxdomains for that zone.

It would be nice to log each nxdomain for a while so we can verify that the new delegated zone we are about to install fixed the problem.

Thank you.

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
Re: Is it Possible to Log nxdomain Responses?
On 17/11/10 13:48, Martin McCormick wrote:
> We are chasing down some problems in which clients are trying to resolve lookups to a domain related to Microsoft Active Directory zones. We were able to determine that clients were querying this AD zone when it was thought they weren't needing to do so. We enabled querylogging for a short time and saw a specific test system querying the domain and we were able to dump the cache of the master DNS running bind9.7.1 and saw numerous nxdomains for that zone.
>
> It would be nice to log each nxdomain for a while so we can verify that the new delegated zone we are about to install fixed the problem.

You could maybe do this with wireshark:

    tshark -R dns.flags.rcode==3 -s 1600 -i any -T fields \
        -e ip.src -e ip.dst -e dns.qry.name
Re: Is it Possible to Log nxdomain Responses?
On Wed, Nov 17, 2010 at 07:48:55AM -0600, Martin McCormick mar...@dc.cis.okstate.edu wrote a message of 22 lines which said:
> It would be nice to log each nxdomain for a while so we can verify that the new delegated zone we are about to install fixed the problem.

Maybe with dnscap <https://www.dns-oarc.net/tools/dnscap>:

    dnscap -e x -g -w nxdomain-%s-%u.pcap

This will keep NXDOMAIN responses
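
What the two capture filters in this thread select on, shown as an added example (not code from any poster): the RCODE is the low four bits of the DNS header flags, and the queried name is the first question entry. The addresses, names and the `build` helper below are constructed for illustration.

```python
import struct

NXDOMAIN = 3  # the RCODE that dns.flags.rcode==3 selects

def parse_response(msg):
    """Return (rcode, qname) for a DNS response, or None if unusable."""
    if len(msg) < 12:
        return None  # shorter than the fixed 12-byte header
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if not flags & 0x8000 or qdcount < 1:
        return None  # QR bit clear (a query) or no question to report
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None  # question name runs off the end of the packet
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            return None  # pointer/reserved label type, or label overrun
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return flags & 0x000F, ".".join(labels) + "."

def build(qname, rcode, response=True):
    """Construct a minimal DNS message (hypothetical helper for the samples)."""
    flags = (0x8000 if response else 0) | 0x0100 | rcode
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + name + b"\x00\x00\x01\x00\x01"

# Constructed sample traffic: (client address, DNS payload); names are hypothetical.
SAMPLES = [
    ("192.0.2.10", build("_ldap._tcp.dc._msdcs.ad.example.", NXDOMAIN)),
    ("192.0.2.10", build("www.example.", 0)),
    ("192.0.2.11", build("gc._msdcs.ad.example.", NXDOMAIN)),
    ("192.0.2.11", build("gc._msdcs.ad.example.", 0, response=False)),
    ("192.0.2.12", b"\x12\x34\x81\x83"),  # truncated packet
]

def nxdomain_log(samples):
    """Return (client, qname) for every NXDOMAIN response in samples."""
    parsed = ((client, parse_response(payload)) for client, payload in samples)
    return [(client, p[1]) for client, p in parsed if p and p[0] == NXDOMAIN]

if __name__ == "__main__":
    for client, qname in nxdomain_log(SAMPLES):
        print(client, qname)
```
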
Nslookup not working for external domain
We are running into an issue where one of our slave servers isn't resolving non-local domain names. For the two domains hosted on this server, we can resolve any entry. However, if we try to do an nslookup to cnn, google, yahoo, etc. it fails. We have turned off iptables and verified internet connectivity. Below is the error we get. What other areas should we be looking at to troubleshoot?

Thx in advance for any help given.

nslookup www.cnn.com
;; Got SERVFAIL reply from 192.243.160.18, trying next server
Server: 192.243.130.42
Address: 192.243.130.42#53

Non-authoritative answer:
Name: www.cnn.com
Address: 157.166.226.26
Name: www.cnn.com
Address: 157.166.255.18
Name: www.cnn.com
Address: 157.166.255.19
Name: www.cnn.com
Address: 157.166.224.25
Name: www.cnn.com
Address: 157.166.224.26
Name: www.cnn.com
Address: 157.166.226.25

Mark
Spaces in keys
When I copied the key for root from
http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers
I ended up with spaces in the key. I assumed that they should not be there and removed them. I since noticed that the key in /etc/bind.keys supplied with the bind distribution has spaces in it. Should the spaces be there or does it not matter?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: Spaces in keys
On 11/17/2010 05:01 PM, Thomas Schulz wrote:
> When I copied the key for root from
> http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers
> I ended up with spaces in the key. I assumed that they should not be there and removed them. I since noticed that the key in /etc/bind.keys supplied with the bind distribution has spaces in it. Should the spaces be there or does it not matter?

It doesn't matter. From RFC4034 (Resource Records for the DNS Security Extensions), section 2.2 (The DNSKEY RR Presentation Format):

    The Public Key field MUST be represented as a Base64 encoding of the
    Public Key. Whitespace is allowed within the Base64 text. For a
    definition of Base64 encoding, see [RFC 3548].

Hugo
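
A way to check the point made in this answer, as an added example that is not part of the original posts: decode a wrapped and an unwrapped copy of the same Base64 text into DNSKEY RDATA and compare the bytes and the RFC 4034 Appendix B key tag. The key text is constructed (not a real key), and the 257/3/8 field values and the `same_key` helper are assumptions made for the illustration.

```python
import base64
import struct

# Constructed key material (not a real DNSKEY), wrapped with spaces and a
# newline the way key files commonly lay it out.
SPACED = """AwEAAbCdEfGhIjKl MnOpQrStUvWxYz01
            23456789+/ABCDEF GHIJKLMNOPQRSTUV"""
COMPACT = "".join(SPACED.split())  # same text with all whitespace removed

def dnskey_rdata(flags, protocol, algorithm, key_text):
    """DNSKEY RDATA (RFC 4034 section 2.1) from presentation-format fields."""
    # Whitespace is legal inside the Base64 text, so strip it before decoding;
    # validate=True then rejects any other character outside the alphabet.
    key = base64.b64decode("".join(key_text.split()), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def same_key(text_a, text_b, flags=257, protocol=3, algorithm=8):
    """True when both presentations decode to identical DNSKEY RDATA."""
    try:
        a = dnskey_rdata(flags, protocol, algorithm, text_a)
        b = dnskey_rdata(flags, protocol, algorithm, text_b)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False    # a copy that lost real characters does not decode
    return a == b

if __name__ == "__main__":
    print("spaced == compact:", same_key(SPACED, COMPACT))
    print("key tag:", key_tag(dnskey_rdata(257, 3, 8, SPACED)))
    print("one character lost:", same_key(SPACED, COMPACT[:-1]))
```

Removing spaces leaves the key unchanged; losing or altering an actual Base64 character while copying does not, and that is the case worth checking for after a copy and paste.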
Re: Nslookup not working for external domain
In article mailman.797.1290017599.555.bind-us...@lists.isc.org, Moore, Mark A. mmo...@osmre.gov wrote:
> We are running into an issue where one of our slave servers isn't resolving non-local domain names. For the two domains hosted on this server, we can resolve any entry. However, if we try to do an nslookup to cnn, google, yahoo, etc. it fails. We have turned off iptables and verified internet connectivity. Below is the error we get. What other areas should we be looking at to troubleshoot?

Make sure your firewall allows the first server to go out to the Internet on UDP port 53.

Can you post its named.conf?

> Thx in advance for any help given.
>
> nslookup www.cnn.com
> ;; Got SERVFAIL reply from 192.243.160.18, trying next server
> Server: 192.243.130.42
> Address: 192.243.130.42#53
>
> Non-authoritative answer:
> Name: www.cnn.com
> Address: 157.166.226.26
> Name: www.cnn.com
> Address: 157.166.255.18
> Name: www.cnn.com
> Address: 157.166.255.19
> Name: www.cnn.com
> Address: 157.166.224.25
> Name: www.cnn.com
> Address: 157.166.224.26
> Name: www.cnn.com
> Address: 157.166.226.25
>
> Mark

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: High named CPU every 10 minutes?
On 11/17/2010 2:26 PM, blrmaani wrote:
> I see a peculiar behavior on my DNS server. The named CPU reaches 90% + every 10 minutes and my monitoring software keeps paging me. I have a DNS host running FreeBSD 7.x, running BIND 9.4.x on a 2-CPU machine with 4GB RAM. It is a recursive DNS server.

Do you have the cache cleaning interval set to 10 in your configuration?

--
Dave