Radomir Kuznetsov is out of the office.
I will be out of the office starting 05/26/2011 and will not return until 06/13/2011. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Zones not getting transferred after a restart
Consider the option transfers-in. Look at the output of:

rndc status

If you notice that the soa queries in progress number is high in proportion to the number of slave zones maintained by the server, you should increase the transfers-in number (the default is 10 as I recall). That means that your server is limiting itself to only 10 simultaneous zone retrievals from the masters of the zones.

I didn't get the response I liked in my particular case until I tweaked the number to about 70% of the soa queries in progress number.

As with tweaking any parameter on a heavily used system, you might want to look at the typical system vital statistics after tweaking the value and looking at how any of those things (cpu, mem, disk i/o, network i/o, general load, etc) may now be trending differently after a day/week.

Richard

On 3/15/2011 6:29 PM, Mark Andrews wrote:

In message ilo4hp$s5g$1...@dough.gmane.org, Bernhard Schmidt writes:

Hi, we have an internal distribution point running BIND 9.5.0-P2 (SLES 11.1 distribution package). It slaves about 1800 zones from a commercial DNS management software running on 127.0.0.1:8054 and distributes them towards our servers.

Whenever we restart BIND on that system, the 1800 zones are loaded within two seconds (1800 loaded serial x entries, running), but it takes up to 30 minutes (26 minutes the last time) where it does not do any AXFR upstream and logs

15-Mar-2011 09:36:47.334 zone kongress.xxx.de/IN: notify from 127.0.0.1#8054: refresh in progress, refresh check queued

on every notify it receives. I cannot really see SOA queries upstream either. When that time has passed by it catches up with the zone transfers.

Other than having edns no and request-ixfr no set for the upstream server (due to bugs in this field) the configuration is pretty standard.

I'm not really opposed to updating the BIND to a newer version, but given I'd have to go away from the distribution package where I feel fine using it (firewalled system, only reachable by our other servers) I'd rather know for sure that this problem is solved. I see similar issues on our frontend servers running 9.7.3.

Can anyone explain how I can speed up this progress?

Disable notify for the zones. Increase soa-query-rate. It also applies to notifies.

Also I'd like to disable/tune down the

15-Mar-2011 08:25:36.828 zone xxx.in-addr.arpa/IN: refresh: skipping zone transfer as master 127.0.0.1#8054 (source 0.0.0.0#0) is unreachable (cached)

thing. Good idea, but stopping all zone transfers for 10 minutes from the only master just because it was unreachable for a few seconds is a bad idea.

Adjust lame-ttl.

I have searched for a named.conf knob and have failed to find any. Closest I have found is serial-query-rate, which is not set in our environment and should default to 20.
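The rule of thumb from Richard's reply above, as an added example that is not part of the original thread or of BIND: it reads the counters from `rndc status` output and suggests a transfers-in value at about 70% of the SOA queries in progress. The sample output is constructed, the 25% "high in proportion" threshold is an assumption, and `number of zones` counts every zone on the server rather than only slave zones.

```python
import re

# Constructed sample of `rndc status` output (values invented for illustration).
SAMPLE_STATUS = """\
number of zones: 1800
debug level: 0
xfers running: 10
xfers deferred: 412
soa queries in progress: 900
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
"""

DEFAULT_TRANSFERS_IN = 10  # default cited in the thread
BACKLOG_PERCENT = 25       # assumption: SOA backlog counted as "high in proportion"
TARGET_PERCENT = 70        # the "about 70%" figure from the reply


def parse_status(text):
    """Return the plain integer 'name: value' counters from rndc status output."""
    counters = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([a-z][a-z ]*?):\s*(\d+)\s*", line)
        if m:  # lines such as "tcp clients: 0/100" are skipped on purpose
            counters[m.group(1)] = int(m.group(2))
    return counters


def suggest_transfers_in(text, current=DEFAULT_TRANSFERS_IN):
    """Apply the thread's heuristic; return (backlogged, suggested transfers-in)."""
    c = parse_status(text)
    zones = c.get("number of zones", 0)
    soa = c.get("soa queries in progress", 0)
    if zones == 0 or soa * 100 < zones * BACKLOG_PERCENT:
        return False, current
    # Integer arithmetic keeps the result exact; never suggest lowering the value.
    return True, max(current, soa * TARGET_PERCENT // 100)


if __name__ == "__main__":
    backlogged, value = suggest_transfers_in(SAMPLE_STATUS)
    print(f"backlogged={backlogged}; suggested: options {{ transfers-in {value}; }};")
```

As the reply says, watch CPU, memory, disk and network load for a day or a week after changing the value.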
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 31/05/11 09:28, Matus UHLAR - fantomas wrote:

This problem could be avoided by providing the same data, but differently sorted, correct?

On 31.05.11 12:27, Phil Mayers wrote:

Not really. Client side sorting may take place (e.g. to comply with RFC 3484 policies in calls to getaddrinfo) and destroy any server-side sorting.

On 01/06/11 08:11, Matus UHLAR - fantomas wrote:

by this problem I mean the DNSSEC. Providing all the data just differently sorted would cause them to be DNSSEC compliant, wouldn't it?

On 01.06.11 10:55, Phil Mayers wrote:

Yes, but the client would then re-sort the data, so it wouldn't achieve the original purpose. Sorting the data server side gives you essentially no control over which record the client will pick if they are calling getaddrinfo, as is likely.

Aha, I've got it. However data sorting at client's side should not affect much clients, only where
- the client has sorting set up
- the sorting client prefers one of IP's used in RRset.

We have set that up to prefer IPs from our network over foreign.

As Mark has already pointed out, the approach is not intrinsically DNSSEC-hostile. It's perfectly legitimate to serve different data with different, valid, signatures. This is what happens with signature regen and key rollover. In this case, it would just be a permanent case of rollover - one KSK, one ZSK per dns server and different copies of the zone.

With sorting, they need only one copy of each zone.

I withhold judgement on whether it's a good approach in general. I suspect it's just GSLB-lite personally.

Correct

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot.
Re: recursive lookups problems with 9.8.0_p2
Matus UHLAR - fantomas uhlar at fantomas.sk writes:

Would it be convenient to try 9.8.1b1? It has a fix that may address this problem.

On 30.05.11 18:31, Evan Hunt wrote:

I should add that I don't recommend using 9.8.1b1 in a production environment because of a known security flaw. But it might be informative to test with it and see whether it addresses the CNAME problem, and if so you can deploy 9.8.1 in a few weeks.

I've also experienced the cname problem (authoritative queries to a slave zone with dynamic updates). I'd like to try 9.8.1b1 in a test environment, but I'm having trouble compiling dlopen

/home/mcdonalddj/rpm/BUILD/bind-9.8.1b1/bin/named/../../contrib/dlz/drivers/dlz_postgres_driver.c:487: undefined reference to `sdlzh_build_querystring'
[many more undefined references follow]
collect2: ld returned 1 exit status
make[2]: *** [named] Error 1
make[2]: Leaving directory `/home/mcdonalddj/rpm/BUILD/bind-9.8.1b1/bin/named'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/home/mcdonalddj/rpm/BUILD/bind-9.8.1b1/bin'
make: *** [subdirs] Error 1
error: Bad exit status from /home/mcdonalddj/rpm/tmp/rpm-tmp.25569 (%build)
please remove me from this mail list
Steve Ingraham
Director of Information Systems
Oklahoma Court of Criminal Appeals
mailto:singra...@okcca.net
405 522-5343 (office)
405 822-0621 (cell)
Re: please remove me from this mail list
You can do this at https://lists.isc.org/mailman/listinfo/bind-users
Re: please remove me from this mail list
...which is posted at the bottom of EVERY list posting (sorry, a pet peeve of mine).

On 06/02/2011 02:30 PM, lbro...@hostgator.com wrote:

You can do this at https://lists.isc.org/mailman/listinfo/bind-users

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark