RE: Slaves and views

2011-03-07 Thread Todd Snyder
> With a static-stub zone (new in BIND 9.8), your server would not prime its
> cache with the bad NS rrset from the authoritative server. It would simply
> start all query resolution for the domain in question (possibly bigger than
> the zone) at that server, thus bypassing the bad NS rrset.

Then, what is the difference between static-stub and a forwarding zone?

My understanding .. I am sure there are others here who can speak more 
authoritatively or with more correct terminology, but:

A forwarder simply forwards all queries to the indicated servers, and expects 
an answer back.

A stub will tell the resolver: for any zones matching this one, use these 
nameservers.  The resolver will use them like normal NS records, not necessarily 
expecting them to give an answer (they could simply give back a referral).  
Basically, it's short-cutting the delegation process, but that's it; the server 
still has to do all the work.

Cheers,

Todd.



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


IXFR manually edited zone files

2011-03-07 Thread David Coulthart
BIND Version: 9.7.3 on Solaris 9 & 10 (locally compiled)

Our current workflow for managing DNS involves generating master zone files 
from a database, pushing the new files to a hidden master nameserver & then 
running rndc reload on that nameserver.

Based on the ARM & a posting to bind-users[1], I enabled ixfr-from-differences 
master; on the hidden master, expecting the master nameserver would generate a 
diff from the previous zone file in memory and the new one being loaded so it 
could send an IXFR to the slaves.  However, every time the slave requests an 
IXFR, it gets a non-incremental response & has to perform a full AXFR.  I've 
configured this in a test environment with a single zone file, so I know the 
slave has the first version of the zone file before loading the second version 
on the master, & it still results in an AXFR-style IXFR.  I've explicitly stated 
the options allow-query & allow-transfer in the config, but I do not have 
allow-updates configured, relying on the implicit default of denying all 
updates.

Is there something I'm missing to get this working?

Thanks,
Dave Coulthart

1.  https://lists.isc.org/pipermail/bind-users/2010-January/078591.html


Re: IXFR manually edited zone files

2011-03-07 Thread David Coulthart
On Mar 7, 2011, at 11:42 AM, Chris Thompson wrote:
> On Mar 7 2011, David Coulthart wrote:
>> BIND Version: 9.7.3 on Solaris 9 & 10 (locally compiled)
>>
>> Our current workflow for managing DNS involves generating master zone
>> files from a database, pushing the new files to a hidden master nameserver
>> & then running rndc reload on that nameserver.
>>
>> Based on the ARM & a posting to bind-users[1], I enabled
>> ixfr-from-differences
>> master; on the hidden master expecting the master nameserver would generate
>> a diff from the previous zone file in memory and the new one being loaded
>> so it could send an IXFR to the slaves.  However, every time the slave
>> requests an IXFR, it gets a non-incremental response & has to perform a
>> full AXFR.  I've configured this in a test environment with a single zone
>> file so I know the slave has the first version of the zone file before
>> loading the second version on the master & it still results in an AXFR-style
>> IXFR.  I've explicitly stated the options allow-query & allow-transfer
>> in the config, but I do not have allow-updates configured, relying on
>> the implicit default of denying all updates.
>>
>> Is there something I'm missing to get this working?
>
> Have you tested that the ixfr-from-differences is working at all at
> the hidden master? E.g. by
>
> dig ixfr=[some-old-serial] [zone-name] @[hidden-master]
>
> from the slaves (or indeed elsewhere).

In my initial testing I enabled debug level 3 on both the master & slave.  In 
the slave's log I saw the following:

transfer of 'example.com/IN' from 128.59.59.124#53: requesting IXFR for serial 
2011030701
transfer of 'example.com/IN' from 128.59.59.124#53: sent request length prefix
transfer of 'example.com/IN' from 128.59.59.124#53: sent request data
transfer of 'example.com/IN' from 128.59.59.124#53: got nonincremental response

I just tested again using dig as you described above and still got a full AXFR 
even when specifying the serial # that was in the zone file before the reload.  
From the master's log:

client 127.0.0.1#34246: zone transfer 'example.com/IXFR/IN' approved
client 127.0.0.1#34246: transfer of 'example.com/IN': AXFR-style IXFR started
client 127.0.0.1#34246: transfer of 'example.com/IN': AXFR-style IXFR ended

> There is also a named-journalprint utility which you can apply to the
> journal file on the master to check it contains what you hope for.

I don't see a journal file being created on the master after I do the reload.  
The only messages in the master's log about a journal are on initial startup:

zone example.com/IN: starting load
zone example.com/IN: number of nodes in database: 256
no journal file, but that's OK
zone example.com/IN: journal rollforward completed successfully: no journal
zone example.com/IN: loaded
decrement_reference: delete from rbt: 2468d0 example.com
zone_settimer: zone example.com/IN: enter
zone example.com/IN: loaded serial 2011030701

On rndc reload, I don't see any mention of a journal being created or destroyed:

zone example.com/IN: starting load
dns_zone_maintenance: zone example.com/IN: enter
zone_settimer: zone example.com/IN: enter
zone_loaddone: zone example.com/IN: enter
zone example.com/IN: number of nodes in database: 766
zone example.com/IN: loaded
decrement_reference: delete from rbt: 246ed0 example.com
replacing zone database
calling free_rbtdb(example.com)
adjust_quantum - 325
zone_settimer: zone example.com/IN: enter
zone example.com/IN: loaded serial 2011030702 
done free_rbtdb(example.com)

Based on the description of ixfr-from-differences in the ARM, I think a journal 
file should be created.  I have named running as user named, but I've checked 
permissions on the directory & zone file & confirmed that named can create 
files in the directory containing the zone file.

> If those look OK, then it's something else in the configuration of
> either master or slaves. I take it you aren't doing anything as
> obvious as specifying request-ixfr no or provide-ixfr no in
> server statements.

I do not explicitly set these options in my config, relying on them defaulting 
to yes.

Thanks for your help Chris.

Dave Coulthart
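A way to act on Chris's suggestion, as an added example that is not from the thread: the check below takes the answer text of a dig ixfr=SERIAL ZONE @MASTER run and tells the three RFC 1995 outcomes apart, so the "AXFR-style IXFR" that Dave sees in the master's log can be confirmed from the requester's side as well. The sample answers are constructed (the zone name and serials follow the thread's log; the nameserver names and addresses are made up).

```python
"""Classify a master's reply to dig ixfr=<serial> <zone> @<master> (RFC 1995):
the first RR is the master's current SOA; a second SOA means deltas follow
(incremental), any other type means the whole zone was sent instead (the
"AXFR-style IXFR" of the thread's log), and a lone SOA means we are current."""

def parse_answer(lines):
    """dig prints one RR per line as: owner ttl class type rdata; skip ';' comments."""
    rrs = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            rrs.append((owner, int(ttl), rtype, rdata))
    return rrs

def soa_serial(rr):
    """SOA rdata is: mname rname serial refresh retry expire minimum."""
    return int(rr[3].split()[2])

def classify_ixfr(rrs, requested_serial):
    """Return (kind, master_serial); kind is up-to-date, incremental or axfr-style."""
    if not rrs or rrs[0][2] != "SOA":
        raise ValueError("IXFR answer must begin with the master's SOA")
    current = soa_serial(rrs[0])
    if len(rrs) == 1:
        return "up-to-date", current
    if rrs[-1][2] != "SOA" or soa_serial(rrs[-1]) != current:
        raise ValueError("truncated transfer: closing SOA missing")
    if rrs[1][2] != "SOA":
        return "axfr-style", current
    if soa_serial(rrs[1]) != requested_serial:
        raise ValueError("deltas do not start at the serial we hold")
    return "incremental", current

# Constructed samples (not from the thread): a full-zone fallback and a real delta.
SOA = "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. {} 7200 3600 1209600 3600"
AXFR_STYLE = [
    SOA.format(2011030702),
    "example.com. 3600 IN NS ns1.example.com.",
    "www.example.com. 600 IN A 192.0.2.10",
    SOA.format(2011030702),
]
INCREMENTAL = [
    SOA.format(2011030702),
    SOA.format(2011030701),  # start of the records deleted since 2011030701
    "www.example.com. 600 IN A 192.0.2.10",
    SOA.format(2011030702),  # start of the records added in 2011030702
    "www.example.com. 600 IN A 192.0.2.11",
    SOA.format(2011030702),
]
```

Feed it the ANSWER SECTION lines of a real dig run; "axfr-style" with a serial the master genuinely has in its journal means ixfr-from-differences is not producing the journal it should.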


Re: different behavior: A Records in DNS answer, when query of type any (existing CNAME)

2011-03-07 Thread Kevin Darcy

On 3/7/2011 6:36 AM, Diezig Adrian wrote:
> Hi,
>
> I have a question concerning answers from DNS servers, when I query a
> name with type any and the name is a CNAME.
>
> I have the following example (works also in Internet) with an ISC BIND
> server (BIND 9.7.0-P1):
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @newton.genesiscom.ch dns.ipam.ch
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25078
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;dns.ipam.ch.                   IN      A
>
> ;; ANSWER SECTION:
> dns.ipam.ch.            600     IN      CNAME   www.ipam.ch.
> www.ipam.ch.            600     IN      A       81.18.25.238
>
> ;; Query time: 1 msec
> ;; SERVER: 10.10.3.13#53(10.10.3.13)
> ;; WHEN: Mon Mar  7 11:52:38 2011
> ;; MSG SIZE  rcvd: 63
>
> As you can see, we have a CNAME dns.ipam.ch that points to www.ipam.ch.
> www.ipam.ch is an A-Record to 81.18.25.238.
>
> When I do the following query (type=any to dns.ipam.ch), only the
> CNAME itself will be in the answer section (the A-Record not):
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @newton.genesiscom.ch dns.ipam.ch any
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46532
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;dns.ipam.ch.                   IN      ANY
>
> ;; ANSWER SECTION:
> dns.ipam.ch.            600     IN      CNAME   www.ipam.ch.
>
> ;; Query time: 1 msec
> ;; SERVER: 10.10.3.13#53(10.10.3.13)
> ;; WHEN: Mon Mar  7 11:53:21 2011
> ;; MSG SIZE  rcvd: 47

That's a valid response, albeit a little stingy. You asked about all 
records matching the name dns.ipam.ch, and it gave you all records.


Note that RFC 1034's nameserver algorithm (section 4.3.2) specifies 
that a query should be restarted if QNAME owns a CNAME RR and QTYPE 
doesn't match CNAME. In a normal case, e.g. QTYPE=A, this means that 
the CNAME gets added to the Answer Section and then the query is 
restarted, as if the target of the alias were QNAME. It either 
produces A records or it doesn't. But in this *special* case, QTYPE=* 
does in fact match the CNAME record found by the nameserver, therefore 
the query is not restarted. The nameserver just returns what it has -- 
i.e. the CNAME record -- and its job is done. It jumps to Step 6 of the 
algorithm: return the records along with any Additional Records that it 
deems helpful, and exit.


> When I do a comparable query (also with type=any) to another DNS
> Server (eg. google.com)
>
> ; <<>> DiG 9.3.2 <<>> @ns1.google.com. www.google.com. any
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1636
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.google.com.                IN      ANY
>
> ;; ANSWER SECTION:
> www.google.com.         604800  IN      CNAME   www.l.google.com.
> www.l.google.com.       300     IN      A       74.125.232.114
> www.l.google.com.       300     IN      A       74.125.232.115
> www.l.google.com.       300     IN      A       74.125.232.116
> www.l.google.com.       300     IN      A       74.125.232.113
> www.l.google.com.       300     IN      A       74.125.232.112
>
> ;; Query time: 46 msec
> ;; SERVER: 216.239.32.10#53(216.239.32.10)
> ;; WHEN: Mon Mar 07 09:44:32 2011
> ;; MSG SIZE  rcvd: 132
>
> ... I will get also the associated A Records.

Well, ns1.google.com coincidentally *happens* to also be authoritative 
for l.google.com, so it was able to provide the A records. It's 
arguable, however, whether it should have restarted the query or not 
(in the sense described above).


> Does anybody have an idea, why the behavior is different? Can I
> configure this on my DNS Server (ISC BIND)?
>
> FYI:
>
> dig @ns1.hp.com. www.hp.com. any
>
> and
>
> dig @ns1.yahoo.com. www.yahoo.com any

Understand that ns1.hp.com is *not* authoritative for any A records 
owned by www.hp.com (the name is an alias to www.hpgtm.nsatc.net so the 
authoritative A records would be given from something hosting some 
descendant of nsatc.net), and ns1.yahoo.com is *not* authoritative for 
any A records owned by www.yahoo.com (which is an alias to 
fp.wg1.b.yahoo.com, at least when I query it; the exact target of the 
alias might depend on who is querying it).



> will also answer without any A-Records (like me).
>
> I have the following questions:
>
> -which one is correct (RFC)?

An ANY query should return A records if the nameserver being queried is 
actually authoritative for the name being queried and the name owns A 
records. But if -- as in your examples above -- the nameserver only 
holds an alias, it is under no obligation to go and fetch those A 
records on your behalf.


> -is it configurable in ISC BIND?


Nope.


> -does the behavior depends on different BIND version?


Nope. As far as I know, BIND has always been this way.


> I know that 

Re: different behavior: A Records in DNS answer, when query of type any (existing CNAME)

2011-03-07 Thread Mark Andrews

In message <1dd28595e6555e498a4eed9cf13f8abf07be207...@svcstccrmb01.devoteam.com>, Diezig Adrian writes:
>
> Hi,
>
> I have a question concerning answers from DNS servers, when I query a name
> with type any and the name is a CNAME.
> I have the following example (works also in Internet) with an ISC BIND
> server (BIND 9.7.0-P1):
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @newton.genesiscom.ch dns.ipam.ch
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25078
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;dns.ipam.ch.                   IN      A
>
> ;; ANSWER SECTION:
> dns.ipam.ch.            600     IN      CNAME   www.ipam.ch.
> www.ipam.ch.            600     IN      A       81.18.25.238
>
> ;; Query time: 1 msec
> ;; SERVER: 10.10.3.13#53(10.10.3.13)
> ;; WHEN: Mon Mar  7 11:52:38 2011
> ;; MSG SIZE  rcvd: 63
>
>
> As you can see, we have a CNAME dns.ipam.ch that points to www.ipam.ch.
> www.ipam.ch is an A-Record to 81.18.25.238.
>
>
> When I do the following query (type=any to dns.ipam.ch), only the CNAME
> itself will be in the answer section (the A-Record not):
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @newton.genesiscom.ch dns.ipam.ch any
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46532
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;dns.ipam.ch.                   IN      ANY
>
> ;; ANSWER SECTION:
> dns.ipam.ch.            600     IN      CNAME   www.ipam.ch.
>
> ;; Query time: 1 msec
> ;; SERVER: 10.10.3.13#53(10.10.3.13)
> ;; WHEN: Mon Mar  7 11:53:21 2011
> ;; MSG SIZE  rcvd: 47
>
>
>
>
> When I do a comparable query (also with type=any) to another DNS Server
> (eg. google.com)
>
> ; <<>> DiG 9.3.2 <<>> @ns1.google.com. www.google.com. any
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1636
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.google.com.                IN      ANY
>
> ;; ANSWER SECTION:
> www.google.com.         604800  IN      CNAME   www.l.google.com.
> www.l.google.com.       300     IN      A       74.125.232.114
> www.l.google.com.       300     IN      A       74.125.232.115
> www.l.google.com.       300     IN      A       74.125.232.116
> www.l.google.com.       300     IN      A       74.125.232.113
> www.l.google.com.       300     IN      A       74.125.232.112
>
> ;; Query time: 46 msec
> ;; SERVER: 216.239.32.10#53(216.239.32.10)
> ;; WHEN: Mon Mar 07 09:44:32 2011
> ;; MSG SIZE  rcvd: 132
>
>
> ... I will get also the associated A Records.
> Does anybody have an idea, why the behavior is different? Can I configure
> this on my DNS Server (ISC BIND)?
>
> FYI:
> dig @ns1.hp.com. www.hp.com. any
> and
> dig @ns1.yahoo.com. www.yahoo.com any
>
> will also answer without any A-Records (like me).
>
> I have the following questions:
>
> -  which one is correct (RFC)?
>
> -  is it configurable in ISC BIND?
>
> -  does the behavior depends on different BIND version?
>
> I know that it is not very common to do queries with type any. The problem
> we have is the following:
> A Device/Application in our network is doing always queries from type any.
> From our side it's not possible to change the type, because it's hard-coded
> in the software.

Go back to your vendor and demand a fix.  Applications which make
ANY queries and don't follow up with the specific type the application
needs when it isn't returned are broken.  ANY queries are handled
differently to normal queries.  Similarly, CNAME queries are handled
differently to normal queries.

Mark

> Kind regards
>
> Adrian
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
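The RFC 1034 section 4.3.2 step that Kevin walks through, and the typed follow-up query Mark asks application vendors for, as an added example in Python that is not from the thread and is not BIND's code. The zone data is constructed (example. names, 192.0.2.x addresses) and the two function names are illustrative; one alias points at a name the server holds, the other at a name it does not, which is the difference between the ns1.google.com and ns1.hp.com answers above.

```python
"""RFC 1034 section 4.3.2 step 3a as an authoritative server applies it, and
the client-side follow-up a well-behaved ANY-querying application should do.
Zone data below is constructed and mirrors the thread's two situations."""

# Constructed authoritative data: owner -> [(type, rdata), ...]
ZONE = {
    "dns.example.": [("CNAME", "www.example.")],
    "www.example.": [("A", "192.0.2.1"), ("A", "192.0.2.2")],
    "alias.example.": [("CNAME", "www.other-zone.")],  # target is not ours
}

def authoritative_answer(zone, qname, qtype, restart_limit=8):
    """Return the ANSWER section as [(owner, type, rdata), ...]."""
    answer = []
    for _ in range(restart_limit):  # bound alias chasing against CNAME loops
        rrset = zone.get(qname)
        if rrset is None:
            break  # alias target lies outside our data; the client chases it
        matched = [(qname, t, r) for t, r in rrset if qtype in ("ANY", t)]
        if matched:
            # QTYPE matches: ANY matches everything, the CNAME included, so the
            # CNAME alone is the answer and the query is not restarted.
            answer.extend(matched)
            break
        targets = [r for t, r in rrset if t == "CNAME"]
        if not targets:
            break  # name exists but owns no data of QTYPE (NODATA)
        # CNAME present and QTYPE != CNAME: copy the CNAME into the answer and
        # restart the algorithm with the alias target as QNAME.
        answer.append((qname, "CNAME", targets[0]))
        qname = targets[0]
    return answer

def lookup_with_fallback(zone, qname, wanted):
    """A client that insists on ANY must follow up with the type it actually
    needs when that type is absent from the answer it got back."""
    answer = authoritative_answer(zone, qname, "ANY")
    if any(t == wanted for _, t, _ in answer):
        return answer
    return authoritative_answer(zone, qname, wanted)
```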


What should I put as Primary DNS and Secondary DNS when building our DNS Servers

2011-03-07 Thread Samad Agha
Hi All,

I'm building our DNS servers from scratch with Red Hat 5.5. Part of the
installation asks for Primary DNS and Secondary DNS. Since these two
servers will act as our DNS servers, should I put their own IPs? Does that
create any problems? If it does, are there any workarounds?

Many thanks in advance,

Samad

rndc: 'reload' failed: not found

2011-03-07 Thread ShanyiWan
Cent OS+BIND 9.7.3+DLZ(BDB as backend)

# rndc reload 2mysite.net
rndc: 'reload' failed: not found

rndc reload does not work correctly. Why?

--
ShanyiWan
2011-03-08
