Re: transfer with views
On 1/1/2011 9:15 AM, Gary Wallis wrote:

You will need to set up one virtual IP for each extra view.

Not since very versions of BIND that are long-since EOL'd. The FAQ goes into how to use TSIG keys to deal with picking the right one.

This is what no one here addresses clearly and upfront: The truth is that when you need N views, BIND transfer is a royal pain, for almost all networks and IT departments.

Setting up views correctly is not simple. If you HAVE to do it, it's much easier to do it with BIND than it is to do it with alternative methods (in my opinion).

Think about it.

Given choices, I think I'm in agreement with you: I'd choose to not do views. Based on the posts here, the OP is going to do views. The best thing to do is provide the best method of replicating those views to the machines that are providing slave services without using external applications.

If it were me and I had no other choice than to use views, I'd get into the system and re-wire everything using BIND 9.7.2 and write a set of scripts that used rndc addzone and rndc delzone to control the master and all of the slaves, configure TSIG keys to manage zone transfers between hosts, etc.

Cheers! and Happy New Year! May 2011 be the best one before we all perish in the fires of whatever is going to happen in 2012! :)

AlanC

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: transfer with views
Alan Clegg wrote:

On 1/1/2011 9:15 AM, Gary Wallis wrote:

You will need to set up one virtual IP for each extra view.

Not since very versions of BIND that are long-since EOL'd. The FAQ goes into how to use TSIG keys to deal with picking the right one.

This is what no one here addresses clearly and upfront: The truth is that when you need N views, BIND transfer is a royal pain, for almost all networks and IT departments.

Setting up views correctly is not simple. If you HAVE to do it, it's much easier to do it with BIND than it is to do it with alternative methods (in my opinion).

Think about it.

Given choices, I think I'm in agreement with you: I'd choose to not do views. Based on the posts here, the OP is going to do views. The best thing to do is provide the best method of replicating those views to the machines that are providing slave services without using external applications.

If it were me and I had no other choice than to use views, I'd get into the system and re-wire everything using BIND 9.7.2 and write a set of scripts that used rndc addzone and rndc delzone to control the master and all of the slaves, configure TSIG keys to manage zone transfers between hosts, etc.

Cheers! and Happy New Year! May 2011 be the best one before we all perish in the fires of whatever is going to happen in 2012! :)

AlanC

Much thanks! I will look into the TSIG key method for view transfers, and see if the very conservative (but that I am stuck with) CentOS BIND version supports it.

Cheers!
Gary
Re: transfer with views
Alan Clegg wrote:

...

Given choices, I think I'm in agreement with you: I'd choose to not do views. Based on the posts here, the OP is going to do views. The best thing to do is provide the best method of replicating those views to the machines that are providing slave services without using external applications.

If it were me and I had no other choice than to use views, I'd get into the system and re-wire everything using BIND 9.7.2 and write a set of scripts that used rndc addzone and rndc delzone to control the master and all of the slaves, configure TSIG keys to manage zone transfers between hosts, etc.

Cheers! and Happy New Year! May 2011 be the best one before we all perish in the fires of whatever is going to happen in 2012! :)

AlanC

Much thanks! I will look into the TSIG key method for view transfers, and see if the very conservative (but that I am stuck with) CentOS BIND version supports it.

Cheers!
Gary

Found it in a Mark Andrews post: http://www.mail-archive.com/bind-users@lists.isc.org/msg03593.html

Main snippet:

The general and robust solution is:

    acl allviewkeys { key A; key B; key C; key D; };

    match-clients { key A; !allviewkeys; subnet A; };
    match-clients { key B; !allviewkeys; subnet B; };
    match-clients { key C; !allviewkeys; subnet C; };
    match-clients { key D; !allviewkeys; subnet D; };

This is easily expandable to many views without having to touch each view when a new view is added. The order of the match-clients acl is important.

Cheers!
Gary
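
The ordering rule in the quoted snippet, modelled as an added example (not code from the post or from BIND): a simplified first-match evaluator for match-clients showing that a transfer signed with key B from inside subnet A reaches view B only when the key tests come before the subnet. The subnets, the NAIVE ordering and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: view names follow the post, subnets are placeholders.
ACLS = {"allviewkeys": [("key", "A"), ("key", "B"), ("key", "C"), ("key", "D")]}
NETS = {"A": "10.0.1.0/24", "B": "10.0.2.0/24", "C": "10.0.3.0/24", "D": "10.0.4.0/24"}

def matches(element, src, key):
    """Does one ACL element (without its '!') match this request?"""
    kind, value = element
    if kind == "key":            # request was TSIG-signed with this key
        return key == value
    if kind == "acl":            # reference to a named acl
        return acl_verdict(ACLS[value], src, key) is True
    return ipaddress.ip_address(src) in ipaddress.ip_network(value)  # "net"

def acl_verdict(acl, src, key):
    """First matching element decides: True accept, False reject ('!'), None no match."""
    for element in acl:
        negated = element[0] == "!"
        if matches(element[-2:], src, key):
            return not negated
    return None

def select_view(views, src, key):
    """Views are tried in order; the first whose match-clients accepts wins."""
    for name, acl in views:
        if acl_verdict(acl, src, key):
            return name
    return None

# Ordering from the post: own key, then reject every other view key, then the subnet.
ROBUST = [(v, [("key", v), ("!", "acl", "allviewkeys"), ("net", n)])
          for v, n in NETS.items()]
# Hypothetical wrong ordering: subnet first, so the source address wins over the key.
NAIVE = [(v, [("net", n), ("key", v)]) for v, n in NETS.items()]

if __name__ == "__main__":
    slave = "10.0.1.53"  # constructed: slave host that sits inside subnet A
    print("robust:", select_view(ROBUST, slave, "B"))  # transfer for view B
    print("naive: ", select_view(NAIVE, slave, "B"))   # lands in view A instead
```

With the naive ordering the slave would replicate view A's copy of the zone under view B, so clients of B would be served A's data.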
Entire NS crashed
Hello *,

since ZKT is not able to work over 200.000 Domains on a single server I have coded my own tool which does it!

Now my NS is running DNSSEC and crashed! To load the 230.000 zones it created a very huge load and consumed the entire memory of 8 GByte.

Question to power hosters:

1) How many ZONEs do you host per NS?
2) What's your CPU speed?
3) How much memory do you use?

As far as I can see, 'dig +dnssec www.tamay-dogan.net' gives a nice output but how can I know the expiration date? Is this the timestamp here:

    tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903

[ command 'dig +dnssec tamay-dogan.net' ]---
tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1292829280 10800 3600 604800 86400
tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903 20110101191903 12795 tamay-dogan.net. lti7l2JlLeIATApQfWp3BdPTH4MiP75crl4921bC1qdOXfWJH4La+L58 t0hVMmzNaNbLDH36cQwrYdQvaBJHPkQEwi2Mr8WP0jCSp+bpc2lEP6sz f+kRGWYITjuxAwFsSdhVR+EQd4pIupa16ylJ65OWcBGlIHbC5eA5KSN4 lTk=
tamay-dogan.net. 86400 IN NSEC admin.tamay-dogan.net. NS SOA MX TXT RRSIG NSEC DNSKEY
tamay-dogan.net. 86400 IN RRSIG NSEC 5 2 86400 20110131191903 20110101191903 12795 tamay-dogan.net. YS5Y44ywYrsjbSJmtFgF9hk8K80VWLuyLRuDxLeO84kXA/hN9i8mzzDy XYIoiUwWbyeKxEIhqAdA6gekLU2Z+ZuNsSGnPUcCdfZD+GiWEneeWGg/ LcIi9FWTf7J++yGnVMA5Ng6vZ3SgTtiC7r74ZZytm7FkijxCwd8tRyKy a9c=

which I could grep?

And what is NSEC entry? Why is the VHost admin.tamay-dogan.net there?

Thanks, Greetings and nice Day/Evening
Michelle Konzack