named.conf splitting
Hi,

In a recent discussion on another list, it was discussed the pros and cons of splitting the main conf file to a per-domain one. In bind's case it would be to /etc/named.d/*.conf. So each zone would have a file in that directory containing only the relevant info, eg:

    zone "example.com" {
        type master;
        allow-transfer { slavesdns; };
        file "example.com.signed";
        allow-query { any; };
        allow-update { none; };
    };

That's it, nothing more. Rather than having 2000 entries in named.conf, we would have 2000 conf files to be read (yes, in addition to the 2000 actual zone files). With apache it takes only 2 or so more seconds to start and reload doing it this way, so I know that bind will take longer, it has to with all those open/read/close files; at present bind starts up in about 9 seconds due to 17K zones, so I'd imagine this would take even up to 15 seconds.

My question is, has anyone done this with success or failure? Would a named developer know if it's safe or detrimental to do this? Or would it simply make no difference apart from the extra time for starts/reloads?

(This came about on another list, because we load all hosts on apache in one file (2000 per box); recently something went wrong with sshfs during a transaction, and in deleting a vhost block it took out about 100 of them :) so we are looking at making things a bit more failsafe. My opinion is, if it can happen once, it can happen again; it could have happened to a zone file, but luckily it was only the web conf file.)

Thoughts anyone?

Thanks
Niki

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Logging issue with bind
On Thu, 2012-02-16 at 19:06 +0100, Raven wrote:
> On Thu, 2012-02-16 at 09:55 -0600, Jeremy C. Reed wrote:
> > On Fri, 17 Feb 2012, Mark Andrews wrote:
> > > Do:
> > >     rndc querylog
> > > or
> > >     querylog yes;
> >
> > But the previous email showed rndc status had:
> >     query logging is ON
>
> Indeed. I tried disabling and re-enabling it, but to no avail. Don't really know where to look now..
>
> -RV

All further tests haven't produced any results. Should I escalate this with the bind9-bug or to the debian package maintainer?

-RV
Re: Logging issue with bind
On Fri, 17 Feb 2012, Andrea Gozzi wrote:

> All further tests haven't produced any results.

Any related log messages in your other named logging about it? (Maybe some isc_stdio_open error for example?)

Why were the permissions of your log file rwxrwxrwx? (Why executable? Why writable by other?) (Your other email showed it changed to rw-r--r-- so maybe this is unrelated.)

Just to be clear, did named create the zero byte file, or did you manually create it?

Is it possible there weren't any queries? (Maybe testing wrong system?)

Maybe your rndc is configured to control a different server so the querylog was enabled at wrong place? (But maybe not since your named.stats file is growing.)

> Should I escalate this with the bind9-bug or to the debian package maintainer?

Anyone else reproduce problem? (I tested and it still works for me, but not same version.)

What is the name and version of the Debian BIND package(s) you are using?
Re: block ddns by name
On Feb 16, 2012, at 7:22 AM, Tom Schmitt wrote:
> > From: Tony Finch d...@dotat.at
> > > Does anyone know if there is a way to prevent the creation of certain records - by name?
> >
> > update-policy {
> >     deny * name internal.example.com;
> >     # ...
> > };
>
> Hi,
>
> I have a quite similar question but can't figure it out from the doc for update-policy:
>
> I have a few DHCP-clients which are sending really stupid hostnames to the DHCP and via DHCP they got into my DNS zones. Example: A few IP-phones are sending as their hostname eight times xFF. And this non-printable name is then in DNS where I (and a few older nameservers) don't want it.
>
> So is there something possible like
>
> update-policy {
>     deny * name /^a-zA-Z0-9_\-/;
> };
>
> ? (For those who don't speak regex: deny all names with something in it that is no letter or digit or underscore or dash.)

Does a check-names policy achieve this? I'm honestly not sure.

BTW: _ is not a valid hostname character. And your regex needs brackets: /[^a-zA-Z0-9_-]/

But no, update-policy doesn't support regular expressions.

Regards,
Chris Buxton
BlueCat Networks
Re: named.conf splitting
Yes, it's quite possible to split named.conf into separate per-zone .conf files and then 'include' them back into named.conf. You can even put the list of include statements in a separate file, and then include that into named.conf.

named.conf:

    options {
        [...]
    };
    include "/path/to/etc/zones.conf";

zones.conf:

    include "/path/to/etc/zone1.conf";
    include "/path/to/etc/zone2.conf";
    [...]

I've seen this done with hundreds of thousands of zones. Performance does not seem to be significantly impacted by breaking up named.conf into included files. The loading time for named in this case will be dominated by the time to load the actual zones, which involves allocating memory and building a tree structure in memory. Use the latest versions of BIND for fastest loading of this number of zones. See Evan Hunt's blog posts on the topic:

http://www.isc.org/community/blog/201107/major-improvement-bind-9-startup-performance
http://www.isc.org/community/blog/201107/isc-bind-981b3-provides-startup-performance-improvements

Regards,
Chris Buxton
BlueCat Networks

On Feb 17, 2012, at 1:24 AM, Nick Edwards wrote:
> [...]
INSIST message
Hello,

I have had a couple of INSIST messages in my general log. I am running BIND 9.6-ESV-R4-P3. Can someone enlighten me as to why I would be getting these? Out of over 125 machines, this is the only one that has logged this message, starting yesterday. This is a recursive authoritative server. Can I offer any other information to help troubleshoot this?

17-Feb-2012 14:46:40.301 general: task.c:1229: INSISTmanager-tasks).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed

Thank you,
Ralph F. Bischof, Jr.
NASA Agency IPAM/DNS/DHCP
SAIC/NICS
256-544-3982
Re: 9.9.0rc2 Windows Installer Tools Only Installation Issues
On 2/4/2012 12:36 PM, Spain, Dr. Jeffry A. wrote:
> The BIND9.9.0rc2.zip Windows installer allows for a “Tools Only” installation. With this you can avoid having to enter the service account information that will not be needed. However, the only tools you get are dig.exe, nslookup.exe, and a couple of others. It would be nice to also include dnssec-*.exe and named-*.exe to facilitate DNSSEC key management and zone troubleshooting without having to do the full named service installation. As it stands, if you want these tools but don’t want to run the named service on Windows, you do have to do the full service installation. This includes specifying a service account name and password, and then unchecking “Automatic Startup” and “Start BIND Service After Install.”

You don't need to do an install at all for the binaries if you aren't going to run named. You might need to run the vcredist_x86.exe to get the Microsoft redistributable binaries for the compiler but that's all that is really needed. Running the installer is a waste of time for this. If it requires the service install just for the tools then that's a bug.

Danny

> With the 9.9.0 release just around the corner, perhaps this could be considered for 9.9.1.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
A few conceptual question about dnssec.
Firstly, where do we get the public key for the DS records?

Second, why do I get multiple DS records as response?

--
dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.                       IN      DS

;; ANSWER SECTION:
isc.org.        86400   IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.        86400   IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.        86400   IN      RRSIG   DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=

;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE  rcvd: 283

Why do I get multiple RRSIG records from some servers?

-
dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com.                     IN      NS

;; AUTHORITY SECTION:
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=

;; ADDITIONAL SECTION:
ns1.yahoo.com.          172800  IN      A       68.180.131.16
ns5.yahoo.com.          172800  IN      A       119.160.247.124
ns2.yahoo.com.          172800  IN      A       68.142.255.16
ns3.yahoo.com.          172800  IN      A       121.101.152.99
ns4.yahoo.com.          172800  IN      A       68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE  rcvd: 693

Do we get a RRSIG for each RR retrieved? If so, why does

-
dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.                           IN      NS

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.
RE: A few conceptual question about dnssec.
> Firstly, where do we get the public key for the DS records?

Can you clarify your question???

> Second, why do I get multiple DS records as response?

- You will always get 2 DS records in response. One for SHA-1 and the second for SHA-256.

> dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.
> [...]

> Why do I get multiple RRSIG records from some servers?

- You will get a single RRSIG per RR set.

> dig +dnssec -t NS yahoo.com @g.gtld-servers.net.
> [...]

> Do we get a RRSIG for each RR retrieved? If so, why does

- Not for each RR, but for each RR set.

> dig +dnssec -t NS com @a.root-servers.net.
> [...]
Re: A few conceptual question about dnssec.
[ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in RE: A few conceptual... ]
> > Firstly, where do we get the public key for the DS records?
> Can you clarify your question???
>
> > Second, why do I get multiple DS records as response?
> – You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.

That completely depends on what is configured in the zone.

Perhaps this will help: http://nlnetlabs.nl/publications/dnssec_howto/

grtz Miek
Query Regarding AKAMAI Working Model
Dear Team,

I want to know how AKAMAI works. Maybe this is not the right forum to ask, but I am asking this here because AKAMAI heavily depends on its HL-DNS and LL-DNS, and these DNS servers answer the query based on some input they get from BGP routes.

If anyone can help me then I will be highly obliged.

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI

Please don't print this e-mail unless you really need to, it will save Trees on Planet Earth.
IPv4 is Over, Are you ready for the new Network.
RE: A few conceptual question about dnssec.
-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org On Behalf Of Miek Gieben
Sent: Saturday, February 18, 2012 12:42 AM
To: bind-users@lists.isc.org
Subject: Re: A few conceptual question about dnssec.

> [ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in RE: A few conceptual... ]
> > > Firstly, where do we get the public key for the DS records?
> > Can you clarify your question???
> >
> > > Second, why do I get multiple DS records as response?
> > – You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> That completely depends on what is configured in the zone.

But I think it is recommended that you should always put 2 DS records in your zone file corresponding to each child zone, one for SHA1 and the second for SHA256. That’s why we always get 2 DS records from the ROOT servers pointing to TLDs.

> Perhaps this will help: http://nlnetlabs.nl/publications/dnssec_howto/
>
> grtz Miek
Re: Query Regarding AKAMAI Working Model
Hi, Gaurav--

On Feb 17, 2012, at 11:15 AM, Gaurav kansal wrote:
> I want to know how AKAMAI works

They work well. :-)

> May be this is not the right forum to ask but I am asking this here because AKAMAI heavily depend on its HL-DNS and LL-DNS AND these DNS Servers answer the query based on some input it gets from BGP Routes.

They've got a fair amount of documentation publicly available describing their CDN network, pushing updates from origin to their Edge servers, Akamai'zed URL format, determining which Edge servers should be returned for a client request, based on geo location, network location, availability and throughput, failover, and so forth.

http://www.akamai.com/html/technology/products/index.html

It's not completely off-topic, but you'd likely do better to ask them directly if you need more info.

Regards,
--
-Chuck
RE: Query Regarding AKAMAI Working Model
-----Original Message-----
From: Chuck Swiger [mailto:cswi...@mac.com]
Sent: Saturday, February 18, 2012 1:04 AM
To: Gaurav kansal
Cc: bind-users@lists.isc.org
Subject: Re: Query Regarding AKAMAI Working Model

> Hi, Gaurav--
>
> On Feb 17, 2012, at 11:15 AM, Gaurav kansal wrote:
> > I want to know how AKAMAI works
>
> They work well. :-)

Ya. They work well. That's why the majority of content providers are using them.

> > May be this is not the right forum to ask but I am asking this here because AKAMAI heavily depend on its HL-DNS and LL-DNS AND these DNS Servers answer the query based on some input it gets from BGP Routes.
>
> They've got a fair amount of documentation publicly available describing their CDN network, pushing updates from origin to their Edge servers, Akamai'zed URL format, determining which Edge servers should be returned for a client request, based on geo location, network location, availability and throughput, failover, and so forth.
>
> http://www.akamai.com/html/technology/products/index.html
>
> It's not completely off-topic, but you'd likely do better to ask them directly if you need more info.

I searched a lot but didn't find an answer to my question. I have a few questions about their working model.

First is, why are they doing CNAME 4 times for each zone? For ex:

;; QUESTION SECTION:
;www.cisco.com.                 IN      A

;; ANSWER SECTION:
www.cisco.com.                  236     IN      CNAME   www.cisco.com.akadns.net.
www.cisco.com.akadns.net.       268     IN      CNAME   geoprod.cisco.com.akadns.net.
geoprod.cisco.com.akadns.net.   206     IN      CNAME   www.cisco.com.edgekey.net.
www.cisco.com.edgekey.net.      11010   IN      CNAME   www.cisco.com.edgekey.net.globalredir.akadns.net.
www.cisco.com.edgekey.net.globalredir.akadns.net. 257 IN CNAME e144.cd.akamaiedge.net.
e144.cd.akamaiedge.net.         7       IN      A       125.252.232.170

What's the need of doing CNAME 4 times, and AKAMAI does this thing for each domain they take care of.

> Regards,
> --
> -Chuck
Re: Query Regarding AKAMAI Working Model
On 17/02/2012 20:15, Gaurav kansal wrote:

Gaurav,

> I want to know how AKAMAI works

First of all, don't use so many question marks; one is enough. And use it only if you're actually asking a question, not when stating something.

> May be this is not the right forum to ask but I am asking this here because AKAMAI heavily depend on its HL-DNS and LL-DNS AND these DNS Servers answer the query based on some input it gets from BGP Routes.

This list is for discussing BIND operations. You're better off asking your question directly to Akamai. Here's a URL to get you started:

http://www.akamai.com/html/support/index.html

Regards,
Anand
Re: Query Regarding AKAMAI Working Model
On 2/17/12 11:35 AM, Anand Buddhdev ana...@ripe.net wrote:
> Gaurav,
>
> > I want to know how AKAMAI works
>
> First of all, don't use so many question marks; one is enough. And use it only if you're actually asking a question, not when stating something.

No one reads RFC 1855 anymore. ;-)

> > May be this is not the right forum to ask but I am asking this here because AKAMAI heavily depend on its HL-DNS and LL-DNS AND these DNS Servers answer the query based on some input it gets from BGP Routes.
>
> This list is for discussing BIND operations. You're better off asking your question directly to Akamai. Here's a URL to get you started:
>
> http://www.akamai.com/html/support/index.html

+1 -- Send a query to the Akamai support folks, they are very knowledgeable and helpful. I know, they've helped me answer stupid questions on many occasions. It's almost rude to ask about their architecture on a somewhat unrelated public forum.

http://www.akamai.com/dl/technical_publications/GloballyDistributedContentDelivery.pdf

On a more generic note, the CNAME trick is often employed by people building GSLB architectures. We do the same for our internal implementation. It is usually administrative trickery (or creative thinking) to increase efficiency, e.g. delegate a globally load balanced sub-domain to a set of GSLB devices (thousands in their case, our own implementation is not yet nearly as robust) and then CNAME as needed vs. delegating everything.

--
Work is the curse of the drinking classes. -- Mike Romanoff
Re: A few conceptual question about dnssec.
dE . de.tec...@gmail.com wrote:
> Firstly, where do we get the public key for the DS records?

A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example,

$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
$ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

> Why do I get multiple RRSIG records from some servers? -

When you ask a GTLD server for the yahoo.com delegation NS records, you also get two NSEC3 records that bracket the yahoo.com delegation to prove it is insecure (no DS record), and an RRSIG record for each NSEC3 record.

> Do we get a RRSIG for each RR retrieved?

No, one per RRset, where an RRset is all the records with the same name, class, and type.

> Lastly, what's the format for the output dis DNSSEC records?

See RFC 4034.

Tony.
--
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Shannon, Rockall, Malin, Hebrides, Bailey: Southwest, veering northwest, 6 to gale 8, occasionally severe gale 9, except in Shannon and Malin. Very rough or high, occasionally very high in Rockall and Bailey, but rough at first in Shannon. Rain then squally snow showers. Moderate, occasionally poor.
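Tony's two commands above reach the same DS records by two routes. The following is an added example (not from the thread, and not BIND's dnssec-dsfromkey itself) that performs that step in plain Python so the relationship is visible: the DS digest is the hash of the owner name in canonical wire form followed by the DNSKEY RDATA, and the key tag is the RFC 4034 Appendix B checksum of that RDATA. It runs on a constructed DNSKEY with a dummy public key (not isc.org's real key), and accepts dig-style DNSKEY lines with or without a TTL and class.

```python
"""Compute DS records from a DNSKEY RR (RFC 4034 section 5.1.4 and Appendix B).

Added example; the DNSKEY below is a constructed sample with a dummy public key,
not a real zone key. Real keys are hundreds of bytes long; the logic is the same.
"""
import base64
import hashlib
import struct

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256),
# with a tiny dummy public key chosen so the key tag is easy to check by hand.
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 8 AQAB"

# DS digest types: 1 = SHA-1, 2 = SHA-256 (the two the thread's dig output shows).
DIGEST_ALGS = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256)}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(rr: str):
    """Parse a presentation-format DNSKEY line into (owner, rdata bytes)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")          # tolerates an optional TTL and class before the type
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))   # base64 may be split by spaces
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, rdata


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(rr: str, digest_types=(1, 2)):
    """Return one DS line per digest type: digest = H(owner in wire form || DNSKEY RDATA)."""
    owner, rdata = parse_dnskey(rr)
    tag = key_tag(rdata)
    alg = rdata[3]                        # algorithm byte of the RDATA
    out = []
    for dt in digest_types:
        _, h = DIGEST_ALGS[dt]
        digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    return out


if __name__ == "__main__":
    for line in ds_records(SAMPLE_DNSKEY):
        print(line)
```

Feeding it the actual `dig DNSKEY isc.org` output line for key 12892 reproduces the two DS lines in Tony's post; the digest types present in the parent are whatever the child's operator chose to publish, which is why Miek's "depends on what is configured in the zone" is the precise answer.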
Re: named.conf splitting
+1 to all of Chris' suggestions, especially the bit about including one file in named.conf, and including the per-zone files in that file. Makes it much easier to update that file with a script, or what have you.

hth,

Doug

On 02/17/2012 07:11, Chris Buxton wrote:
> [...]

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/
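As an added example (not Chris's or Doug's code, and not part of BIND), here is the kind of script Doug alludes to, in Python: it writes one .conf file per zone in the layout Niki proposed, builds the zones.conf include list Chris described, and sanity-checks the set before a reload so that a truncated per-zone file, like the one sshfs left behind in Niki's story, is caught and can affect at most one zone. The zone names, scratch directory and the slavesdns ACL name are constructed; the stanza follows Niki's post.

```python
"""Generate per-zone .conf files plus a zones.conf include list, then sanity-check them.

Added example. named.conf itself then needs only:  include "<conf_dir>/zones.conf";
"""
import re
import tempfile
from pathlib import Path

# Matches the opening line of a zone stanza; used to count stanzas per file.
ZONE_RE = re.compile(r'^zone "([^"]+)" \{', re.M)


def zone_stanza(zone: str, xfer_acl: str = "slavesdns") -> str:
    """One master-zone stanza per file, as in Niki's post. The name check matters
    when zone names come from a provisioning database: a name containing ';' or '"'
    would otherwise let a row inject arbitrary named.conf directives."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", zone):
        raise ValueError(f"refusing suspicious zone name: {zone!r}")
    return (
        f'zone "{zone}" {{\n'
        "    type master;\n"
        f"    allow-transfer {{ {xfer_acl}; }};\n"
        f'    file "{zone}.signed";\n'
        "    allow-query { any; };\n"
        "    allow-update { none; };\n"
        "};\n"
    )


def write_split_config(zones, conf_dir: Path) -> Path:
    """Write conf_dir/<zone>.conf for each zone and conf_dir/zones.conf with one
    include line per zone. Returns the path of zones.conf."""
    conf_dir.mkdir(parents=True, exist_ok=True)
    includes = []
    for zone in sorted(set(zones)):
        path = conf_dir / f"{zone}.conf"
        path.write_text(zone_stanza(zone))
        includes.append(f'include "{path}";')
    zones_conf = conf_dir / "zones.conf"
    zones_conf.write_text("\n".join(includes) + "\n")
    return zones_conf


def check_include_list(zones_conf: Path):
    """Pre-reload check: every include target exists, holds exactly one zone stanza
    whose name matches the file name, and has balanced braces ending in '};'.
    Returns a list of problem strings (empty means clean). This catches the
    truncated-file failure Niki described; run named-checkconf afterwards for a
    full syntax check before 'rndc reconfig'."""
    problems = []
    for line in zones_conf.read_text().splitlines():
        m = re.fullmatch(r'include "([^"]+)";', line.strip())
        if not m:
            problems.append(f"malformed include line: {line!r}")
            continue
        path = Path(m.group(1))
        if not path.is_file():
            problems.append(f"missing file: {path}")
            continue
        text = path.read_text()
        names = ZONE_RE.findall(text)
        if len(names) != 1:
            problems.append(f"{path}: expected 1 zone stanza, found {len(names)}")
        elif names[0] != path.stem:
            problems.append(f"{path}: stanza is for {names[0]!r}, file name says {path.stem!r}")
        if text.count("{") != text.count("}") or not text.rstrip().endswith("};"):
            problems.append(f"{path}: unbalanced or truncated stanza")
    return problems


def demo(root=None):
    """Build a two-zone split config in a scratch directory and check it.
    Returns (zones_conf_path, problems)."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="named.d-"))
    zc = write_split_config(["example.com", "example.net"], root)
    return zc, check_include_list(zc)


if __name__ == "__main__":
    zc, problems = demo()
    print(zc.read_text())
    print("problems:", problems or "none")
```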
BIND 9.9.0rc3 is now available
Introduction

BIND 9.9.0rc3 is the third release candidate for BIND 9.9.0. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

New in 9.9.0rc3: no new security fixes have been added.

New Features

New in 9.9.0rc3: no new features have been added.

Previously included in 9.9.0rc2:

NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of "no such domain". This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]

Improved scalability by using multiple threads to listen for and process queries. Previously named only listened for queries on one thread regardless of the number of overall threads used. [RT #22992]

Improves startup and reconfiguration time by allowing zones to load in multiple threads. [RT #25333]

Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]

Improves the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with many zones will be serving that zone data much sooner. [RT #24406]

The new inline-signing option, in combination with the auto-dnssec option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Previously automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone. In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed. A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables "bump in the wire" signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data). [RT #26224/23657]

The rndc flushtree name command removes the specified name and all names under it from the cache. [RT #19970]

The rndc sync command dumps pending changes in a dynamic zone to disk without a freeze/thaw cycle. rndc sync -clean removes the journal file after syncing. rndc freeze no longer removes journal files. [RT #22473]

The new rndc signing command provides greater visibility and control of the automatic DNSSEC signing process. Options to this new command include -list zone, which will show the current state of signing operations overall or per specified zone. [RT #23729]

The also-notify option now takes the same syntax as masters, thus it can use named master lists and TSIG keys. [RT #23508]

auto-dnssec zones can now have NSEC3 parameters set prior to signing. [RT #23684]

The dnssec-signzone -D option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put $INCLUDE example.com.signed into the zonefile for example.com, run dnssec-signzone -SD example.com, and the result is a fully signed zone which did *not* overwrite your original zone file. Running the same command again will incrementally re-sign the zone, replacing only those signatures that need updating, rather than signing the entire zone from scratch. [RT #22896]

dnssec-signzone -R forces removal of signatures that are not expired but were created by a key which no longer
Re: named.conf splitting
On Fri, 2012-02-17 at 07:11 -0800, Chris Buxton wrote:

> Yes, it's quite possible to split named.conf into separate per-zone .conf files and then 'include' them back into named.conf. You can even put the list of include statements in a separate file, and then include that into named.conf.
>
> named.conf:
>
> options {
>     [...]
> };
> include "/path/to/etc/zones.conf";
>
> zones.conf:
>
> include "/path/to/etc/zone1.conf";
> include "/path/to/etc/zone2.conf";
> [...]

If the OP is trying to avoid inline editing, does not the above become pointless? It still requires inline editing to remove the include /path/to/etc/zone1.conf, else named will have an error on reload.

Being involved in the apache discussion I think I see what he wants to do, but I'm not sure if bind works like that. (/me fires up dev box) ... OK, Nick, it will not do what you want. Perhaps this is better off as a feature request, and one that makes sound sense to me. Although I include one hosts.conf file and put all entries in that, and like most am very happy that way, if people are including singular zone files from another include file, it would make far better sense, less messy too (I think).
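The reply above points out that an include list still needs hand-editing whenever a zone goes away. As an added example (my own, not from the thread or from ISC), here is a POSIX shell script that regenerates that list from the per-zone directory and runs named-checkconf before rndc reconfig, so a removed or broken per-zone file is caught before named reloads; the /etc/named.d layout and the demo zone names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: rebuild the include list
# from a directory of per-zone .conf files, so dropping a zone means deleting
# its file, not editing a shared file; /etc/named.d-style layout is assumed.

# Emit one include line per regular *.conf file in DIR (glob order). Only files
# present right now are listed; editor backups (*.conf~) never match the glob.
gen_zone_includes() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue            # unmatched glob or non-file
        printf 'include "%s";\n' "$f"      # BIND wants a quoted path
    done
}

# Build the list in a temp file and rename it into place, so named can never
# read a half-written zones.conf during a reload.
write_zone_includes() {
    dir=$1; out=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    gen_zone_includes "$dir" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# Validate the whole configuration (-z also loads the zone files) before asking
# named to pick it up; a bad per-zone file fails here, not on the live server.
check_and_reload() {
    named-checkconf -z "$1" || return 1
    rndc reconfig
}

# Stand-alone demo on constructed data: two zone files plus a backup that must
# be ignored. Returns 0 when exactly two include lines were produced.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/named.d"
    printf 'zone "example.com" { type master; file "example.com.signed"; };\n' \
        > "$d/named.d/example.com.conf"
    printf 'zone "example.net" { type master; file "example.net"; };\n' \
        > "$d/named.d/example.net.conf"
    : > "$d/named.d/example.org.conf~"
    write_zone_includes "$d/named.d" "$d/zones.conf" || return 1
    cat "$d/zones.conf"
    n=$(grep -c '^include ' "$d/zones.conf")
    rm -rf "$d"
    [ "$n" -eq 2 ]
}

demo
```

check_and_reload is the only step that touches a real server and is not run by the demo; point it at the named.conf that includes the generated zones.conf.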