Re: Description of log file contents
It is in the ARM.

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2575842
(search for "queries" or "querylog")

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Description of log file contents
On Thu, 14 Apr 2011, Alex wrote:

> Hi,
>
> I would figure this is a FAQ, but I can't find it. My apologies if I
> somehow missed searching properly.
>
> Where can I find a description of what the variables at the end of the
> line in the query log mean? For example:
>
> 14-Apr-2011 17:27:54.277 queries: client 67.210.0.112#17930: query: ns1.colo.com IN -E
> 14-Apr-2011 17:27:55.061 queries: client 98.139.193.153#54962: query: cape.com IN MX -E
> 14-Apr-2011 17:27:55.160 queries: client 202.160.178.228#45211: query: www.call-anyone.com IN A -
> 14-Apr-2011 17:27:55.317 queries: client 69.162.74.234#6673: query: mydomain.net IN ANY +
> 14-Apr-2011 17:27:55.766 queries: client 63.230.177.41#20138: query: ns.mydomain.com IN A -E
> 14-Apr-2011 17:27:55.818 queries: client 131.167.253.42#50026: query: 102.96/28.188.104.66.in-addr.arpa IN PTR -
>
> I understand the "A" and "IN", of course, but what is -E and just +
> and - ? Does it have to do with whether it was found in the cache?
>
> Thanks,
> Alex

From the ARM (included in source dist)

"queries  The query log entry reports the client’s IP address and port
number, and the query name, class and type. Next it reports whether the
Recursion Desired flag was set (+ if set, - if not set), if the query
was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC
Ok) was set (D), or if CD (Checking Disabled) was set (C). After this
the destination address the query was sent to is reported."

Dave
--
St. Louis, Missouri
Re: Description of log file contents
> Where can I find a description of what the variables at the end of the
> line in the query log mean? For example:

The full set is +SETDC

    +   recursion requested (- no recursion)
    S   request is signed
    E   EDNS0 enabled
    T   TCP (else UDP)
    D   DNSSEC requested
    C   Checking disabled

Regards,

    -JP
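The flag letters listed in this thread, decoded from query-log lines in the layout Alex quoted, as an added example (not part of any poster's message and not ISC code). The function names are hypothetical and the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Flag letters after the leading +/- as listed in the thread (+SETDC).
FLAG_NAMES = {"S": "signed", "E": "edns", "T": "tcp",
              "D": "dnssec_ok", "C": "checking_disabled"}

# Line layout taken from the log excerpts quoted in the thread. Anything after
# the flags (the destination address the ARM mentions) is kept verbatim.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-][SETDC]*)(?:\s+(?P<dest>\S+))?\s*$"
)

def parse_query_line(line):
    """Return a dict of decoded fields, or None if the line is not a query entry."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    flags = rec.pop("flags")
    rec["recursion_desired"] = flags[0] == "+"
    for letter, name in FLAG_NAMES.items():
        rec[name] = letter in flags[1:]
    return rec

def recursion_desired_by_client(lines):
    """Count queries with the Recursion Desired flag set, per client address."""
    counts = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec and rec["recursion_desired"]:
            counts[rec["ip"]] += 1
    return counts

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE = [
    "14-Apr-2011 17:27:55.061 queries: client 192.0.2.10#54962: query: example.com IN MX -E",
    "14-Apr-2011 17:27:55.317 queries: client 192.0.2.20#6673: query: example.net IN ANY +",
    "14-Apr-2011 17:27:56.002 queries: client 192.0.2.20#6674: query: example.net IN DNSKEY +EDC",
    "14-Apr-2011 17:27:56.500 queries: client 2001:db8::5#40000: query: example.org IN A -SET",
    "14-Apr-2011 17:29:39.697 general: error: not a query log entry",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_query_line(entry))
    print(recursion_desired_by_client(SAMPLE))
```

On an authoritative-only server, the per-client count of `+` queries is a quick way to see who is asking it to recurse.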
Description of log file contents
Hi,

I would figure this is a FAQ, but I can't find it. My apologies if I
somehow missed searching properly.

Where can I find a description of what the variables at the end of the
line in the query log mean? For example:

14-Apr-2011 17:27:54.277 queries: client 67.210.0.112#17930: query: ns1.colo.com IN -E
14-Apr-2011 17:27:55.061 queries: client 98.139.193.153#54962: query: cape.com IN MX -E
14-Apr-2011 17:27:55.160 queries: client 202.160.178.228#45211: query: www.call-anyone.com IN A -
14-Apr-2011 17:27:55.317 queries: client 69.162.74.234#6673: query: mydomain.net IN ANY +
14-Apr-2011 17:27:55.766 queries: client 63.230.177.41#20138: query: ns.mydomain.com IN A -E
14-Apr-2011 17:27:55.818 queries: client 131.167.253.42#50026: query: 102.96/28.188.104.66.in-addr.arpa IN PTR -

I understand the "A" and "IN", of course, but what is -E and just +
and - ? Does it have to do with whether it was found in the cache?

Thanks,
Alex
RE: start script for bind9
YMMV wrt "just works".

Yes, running the latest ISC bind can be worthwhile after the OS
distribution stops updating (or before it gets around to packaging the
latest ISC version.)

People considering the approach suggested by David & Alan should be
aware that the OS startup files often do more than just running named.

For example, under fedora: checkconf, checkzone, chroot and (in some
versions) selinux setup are handled in /etc/init.d/named, along with
quite a few sanity checks.

You may be better off copying the OS script & changing it to run named
from /usr/local/sbin if your environment is non-trivial. Even if it's
not, it's worth doing a few sanity checks (like making sure networking
is up).

In any case, be sure to understand what you're giving up if you elect to
go with the "just works" defaults in the named executable. It may be OK
for some, but I tend to be more careful with important systems.

-
This communication may not represent my employer's views,
if any, on the matters discussed.

-Original Message-
From: David Forrest [mailto:d...@maplepark.com]
Sent: Thursday, April 14, 2011 11:53
To: Dave Forrest
Cc: bind-users@lists.isc.org
Subject: Re: start script for bind9

On Thu, 14 Apr 2011, Alan Clegg wrote:

> On 4/14/2011 10:23 AM, hugo hugoo wrote:
>
>> I know that if bind is installed via apt-get install (I am using
>> debian linux version), there is automatically a bind9 startup script
>> in /etc/init.d/ directory.
>
> Since named "just works" and I do everything else using rndc, I have
> the following line in /etc/rc.local:
>
>    /usr/local/sbin/named
>
> AlanC
>

I also find that named "just works" and, since the source install uses
the /usr/local/sbin as the default target, it does not overwrite my
distribution (Fedora) binary. It is also important to my setup that
named is always running so I use a root crontab entry:

/usr/bin/pgrep named >/dev/null || /usr/local/sbin/named -u named

that runs every minute to insure it is up. I can then stop it with rndc
stop and it will restart on the next minute's crontab event. I can
return to my distribution's upstart by stopping using the rndc and
immediately start its binary using the service command, but have found
the ISC source tarballs a better solution to my needs that include
DNSSEC and IPv6 while Fedora 11 is EOL. YMMV.

Dave F
--
St. Louis, Missouri
(Sent by ALPINE 2.02 FEDORA 11 LINUX)
Re: SOA RNAME Value
Justin Krejci wrote:
>
> So I am wondering if this is normal/expected behavior for BIND and if so
> should debug logging or named-checkzone with debugging be able to
> identify this as the problem. Or am I missing something else altogether?

With bind-9.7.3, I get the following log messages with the default
logging level:

14-Apr-2011 17:29:39.697 general: error: dns_rdata_fromtext: /zd/29-120.144.168.192.in-addr.arpa:5: near 'root': bad name (check-names)
14-Apr-2011 17:29:39.697 general: error: zone 29/120.144.168.192.in-addr.arpa/IN: loading from master file /zd/29-120.144.168.192.in-addr.arpa failed: bad name (check-names)

named-checkzone says:

/spool/bind/zd/29-120.144.168.192.in-addr.arpa:5: warning: root.29/120.144.168.192.in-addr.arpa: bad name (check-names)
zone 29/120.144.168.192.in-addr.arpa/IN: loaded serial 1
OK

named-checkzone -k fail says:

dns_rdata_fromtext: /spool/bind/zd/29-120.144.168.192.in-addr.arpa:5: near 'root': bad name (check-names)
zone 29/120.144.168.192.in-addr.arpa/IN: loading from master file /spool/bind/zd/29-120.144.168.192.in-addr.arpa failed: bad name (check-names)
zone 29/120.144.168.192.in-addr.arpa/IN: not loaded due to errors.

The zone file is:

$TTL 1h
;
@       SOA     localhost. root (
                1       ; serial
                1h      ; refresh
                1000; retry
                1w      ; expiry
                1h ); minimum
;
        NS      localhost.
;
; eof

Tony.
--
f.anthony.n.finch  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
Re: start script for bind9
On Thu, 14 Apr 2011, Alan Clegg wrote:

> On 4/14/2011 10:23 AM, hugo hugoo wrote:
>
>> I know that if bind is installed via apt-get install (I am using
>> debian linux version), there is automatically a bind9 startup script
>> in /etc/init.d/ directory.
>
> Since named "just works" and I do everything else using rndc, I have
> the following line in /etc/rc.local:
>
>    /usr/local/sbin/named
>
> AlanC

I also find that named "just works" and, since the source install uses
the /usr/local/sbin as the default target, it does not overwrite my
distribution (Fedora) binary. It is also important to my setup that
named is always running so I use a root crontab entry:

/usr/bin/pgrep named >/dev/null || /usr/local/sbin/named -u named

that runs every minute to insure it is up. I can then stop it with rndc
stop and it will restart on the next minute's crontab event. I can
return to my distribution's upstart by stopping using the rndc and
immediately start its binary using the service command, but have found
the ISC source tarballs a better solution to my needs that include
DNSSEC and IPv6 while Fedora 11 is EOL. YMMV.

Dave F
--
St. Louis, Missouri
(Sent by ALPINE 2.02 FEDORA 11 LINUX)
Re: DNS record delegation
On Apr 10, 2011, at 2:42 PM, Parashar Singh wrote:
> We want to be able to point the wild card (*.domain.com) and the root domain
> (domain.com) to the GLB’s while not breaking the other custom prefixes within
> that domain’s record (stage.domain.com, foo.domain.com, etc.).
> Except some 10-20 A records, as declared in zone file, for all other DNS
> lookup request shall be forwarded to Global Load Balancer.
> Allow any records on the DNS server to resolve to the respective records on
> DNS.
> All other records are captured by the wildcard and load balanced.
> The load balancers will forward the queries to the Apache web servers which
> will direct users to the appropriate website.
>
> Can you suggest, how we can configure BIND to do above setup.

As I understand it, you must delegate every such name to the load
balancer(s). Wildcards probably won't work right. YMMV, since all load
balancer implementations are different.

Regards,
Chris Buxton
BlueCat Networks
Re: SOA RNAME Value
Sorry, was a long day (for other reasons) here is maybe an easier to
follow summary.

When the SOA RNAME value does not include the final dot at the end you
append the zone automatically. The zone in this case contains a forward
slash character "/" which is not a valid email address in the domain
part.

When the zone "d/26.c.b.a.in-addr.arpa." contains an SOA RNAME value of
"hostmaster" thereby making the email address
hostmaster@d/26.c.b.a.in-addr.arpa. and then BIND will just give
SERVFAIL on any query for that zone. When the same zone contains
"hostmaster.domain.com." instead BIND serves the records as expected.

So I am wondering if this is normal/expected behavior for BIND and if so
should debug logging or named-checkzone with debugging be able to
identify this as the problem. Or am I missing something else altogether?

Thank

On Wed, 2011-04-13 at 22:06 -0500, Justin Krejci wrote:
> Hello List,
>
> When troubleshooting a particular reverse delegated zone to us we used
> the normal "d/26.c.b.a.in-addr.arpa" naming for the zone. A couple of
> zones did not get served correctly (tried on BIND 9.7.0-P2 and 9.7.3)
> and any query for a record within these zones always came back with a
> SERVFAIL. After coming thru all of the syntax in the config and zone
> everything checked out as valid. I enabled debug logging which didn't
> really yield any useful data. I tried running debug on the
> named-checkzone and everything came back clean. Web searches were not
> very helpful especially since I didn't really know what search
> keywords to use. Eventually I compared one working reverse delegated
> zone to one of the problem ones with a more granular eye and I noticed
> the RNAME in the SOA was different where the SERVFAIL one had
> "hostmaster" and the working one had "hostmaster.domain.com.". I
> thought well I might as well try it out and replaced the "hostmaster" with
> "hostmaster.domain.com." and sure enough it was serving the domain
> just fine after that.
>
> So I know you can get away with using just "hostmaster" in the RNAME
> field if your zone/domain actually makes sense but in this case it was
> not working and I can only think it has to do with the slash "/"
> character in the zone name. Is this behavior documented? Is it perhaps
> a bug? Certainly I personally will remember this as an issue going
> forward but will others run into this trouble as well? Am I way off
> base on thinking it should have been more easily identifiable what the
> problem is with using the debug logs and debug named-checkzone tool? I
> know the RNAME field should just be set to an appropriate value but
> does anyone generally even use the RNAME? The authoritative name
> servers are giving an NXDOMAIN or SERVFAIL or whatever it's not like
> you can even see the SOA anyways.
>
> Thanks for any insight!!
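The RNAME expansion discussed in this thread, as an added example (not part of any poster's message and not BIND's code): a relative RNAME gets the zone origin appended, and the result is checked label by label. The function names are hypothetical, and the label rule is an assumed approximation of the hostname check that `check-names` applies to the mail-domain part.

```python
import re

# Assumption: approximates the hostname rule applied to the mail-domain part
# of RNAME (letters, digits, hyphen; no leading or trailing hyphen).
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def expand_name(name, origin):
    """Qualify a zone-file name: no trailing dot means the origin is appended."""
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin

def rname_from_soa(line):
    """Return the RNAME field (second name after 'SOA') of an SOA record line."""
    tokens = line.split(";", 1)[0].split()
    idx = [t.upper() for t in tokens].index("SOA")
    return tokens[idx + 2]

def check_rname(rname, origin):
    """Return (expanded_rname, bad_labels) for an SOA RNAME in the given zone."""
    full = expand_name(rname, origin)
    # Split on unescaped dots; the first label is the mailbox local part,
    # the remaining labels form the mail domain and must look like a hostname.
    labels = re.split(r"(?<!\\)\.", full.rstrip("."))
    bad = [lab for lab in labels[1:] if not HOST_LABEL.match(lab)]
    return full, bad

if __name__ == "__main__":
    zone = "d/26.c.b.a.in-addr.arpa"  # zone name as written in the thread
    for rname in ("hostmaster", "hostmaster.domain.com."):
        full, bad = check_rname(rname, zone)
        status = "bad labels: %s" % bad if bad else "ok"
        print("%-24s -> %-40s %s" % (rname, full, status))
```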
Re: start script for bind9
On 4/14/2011 10:23 AM, hugo hugoo wrote:

> I know that if bind is installed via apt-get install (I am using debian
> linux version), there is automatically a bind9 startup script in
> /etc/init.d/ directory.

Since named "just works" and I do everything else using rndc, I have
the following line in /etc/rc.local:

    /usr/local/sbin/named

AlanC
Re: start script for bind9
> From: hugo hugoo
> Date: Thu, 14 Apr 2011 14:23:56 +
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
>
> Hello,
>
> I have installed bind9 using the make install procedure. It works but
> I did not find any startup script to could put in my /etc/init.d/
> directory.
>
> I know that if bind is installed via apt-get install (I am using
> debian linux version), there is automatically a bind9 startup script
> in /etc/init.d/ directory.

It would help a bit if you gave us a hint as to what OS and OS version
as well as the version of BIND.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
start script for bind9
Hello,

I have installed bind9 using the make install procedure. It works but
I did not find any startup script that I could put in my /etc/init.d/
directory.

I know that if bind is installed via apt-get install (I am using
debian linux version), there is automatically a bind9 startup script
in /etc/init.d/ directory.

Can anyone help?

Kind regards,

Hugo,