Re: getaddrinfo and TTL

2012-08-05 Thread Martin McCormick
Phil Mayers writes:
> If you want TTL, you will need to use DNS-specific functions like the
> res_* API. You need to be sure you are querying the master, otherwise the TTL
> will be the one from cache, not the real value.

I appreciate this information as it sounds like I am
using the wrong tool for the job. I only want to look up an A
record by name and have the fields in a structure, evaluate
those data and then possibly delete that record or write a
new one that has been modified. I thought that getaddrinfo was
what I needed to use to do essentially an nslookup in C.

Martin
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
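Phil's point above, illustrated with an added example that is not part of the thread: getaddrinfo() discards everything but the addresses, whereas the res_* API (res_query() in libresolv) returns the raw DNS message, in which every answer record carries its own TTL. The parser below walks such a message and returns the TTL and address of the first A record, stepping over a CNAME in the answer section. The response bytes are a constructed sample for www.example.com (a CNAME to web.example.com with TTL 300, followed by an A record for 192.0.2.1 with TTL 60); in a real program the buffer would be whatever res_query() filled in. The TTL is the one held by the server you asked: a recursive cache reports the remaining time, so query the zone's authoritative server for the configured value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not captured traffic): a NOERROR response to
 * "www.example.com A" whose answer section holds
 *   www.example.com.  300 IN CNAME web.example.com.
 *   web.example.com.   60 IN A     192.0.2.1
 * Owner names use RFC 1035 compression pointers, as real servers emit them.
 * In a real program res_query() fills a buffer with exactly this format. */
static const unsigned char sample_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, /* header: QR, RD, RA, rcode 0 */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,                                                 /* QTYPE A, QCLASS IN */
    0xC0, 0x0C, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x06, /* CNAME, TTL 300 */
    3, 'w', 'e', 'b', 0xC0, 0x10,                                           /* rdata: web.example.com */
    0xC0, 0x2D, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x04, /* A, TTL 60 */
    192, 0, 2, 1,
};
static const size_t sample_response_len = sizeof sample_response;

/* Return the offset just past the name starting at off, or -1 if the name
 * runs off the end of the message. Compression pointers end a name. */
static int skip_name(const unsigned char *msg, size_t len, size_t off)
{
    while (off < len) {
        unsigned char c = msg[off];
        if (c == 0)
            return (int)(off + 1);
        if ((c & 0xC0) == 0xC0)            /* 2-byte pointer; nothing follows it */
            return off + 1 < len ? (int)(off + 2) : -1;
        if ((c & 0xC0) != 0)               /* 0x40/0x80 label types: not handled */
            return -1;
        off += 1 + c;
    }
    return -1;
}

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Find the first IN A record in the answer section. Writes its TTL and the
 * dotted address; returns 0 on success, -1 on a malformed or negative reply. */
int dns_first_a_ttl(const unsigned char *msg, size_t len, uint32_t *ttl, char *ip, size_t iplen)
{
    if (len < 12) return -1;
    uint16_t flags = rd16(msg + 2);
    if (!(flags & 0x8000)) return -1;      /* QR clear: this is a query, not a reply */
    if ((flags & 0x000F) != 0) return -1;  /* RCODE other than NOERROR */
    uint16_t qd = rd16(msg + 4), an = rd16(msg + 6);
    int off = 12;
    for (uint16_t i = 0; i < qd; i++) {    /* skip the echoed question(s) */
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + 4 > len) return -1;
        off += 4;                          /* QTYPE + QCLASS */
    }
    for (uint16_t i = 0; i < an; i++) {    /* walk the answer RRs in order */
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + 10 > len) return -1;
        uint16_t type = rd16(msg + off), cls = rd16(msg + off + 2);
        uint32_t t = rd32(msg + off + 4);
        uint16_t rdlen = rd16(msg + off + 8);
        off += 10;
        if ((size_t)off + rdlen > len) return -1;
        if (type == 1 && cls == 1 && rdlen == 4) {
            *ttl = t;
            snprintf(ip, iplen, "%u.%u.%u.%u", (unsigned)msg[off], (unsigned)msg[off + 1],
                     (unsigned)msg[off + 2], (unsigned)msg[off + 3]);
            return 0;
        }
        off += rdlen;                      /* CNAME or anything else: keep walking */
    }
    return -1;
}

int main(void)
{
    uint32_t ttl;
    char ip[16];
    if (dns_first_a_ttl(sample_response, sample_response_len, &ttl, ip, sizeof ip) == 0)
        printf("A %s TTL %u\n", ip, (unsigned)ttl);
    else
        puts("no A record found");
    return 0;
}
```

Replacing the sample with a buffer filled by res_query(name, C_IN, T_A, buf, sizeof buf) is the only change needed for live use; the length check on every field is what keeps a short or hostile reply from reading past the buffer.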


Multi-master DNS with Bind

2012-08-05 Thread john . debella


Hi,

Looking to find information as to whether I can set up bind for
multi-master DNS. I want to be able to update DNS records via any or more
than one nameserver in the domain and have the records updated and
propagated regardless if the master is available. Is this supported or
are there ways to make this work with bind?

-John

Re: Multi-master DNS with Bind

2012-08-05 Thread Evan Hunt
> Hi,
>
> Looking to find information as to whether I can set up bind for
> multi-master DNS. I want to be able to update DNS records via any or more
> than one nameserver in the domain and have the records updated and
> propagated regardless if the master is available. Is this supported or
> are there ways to make this work with bind?

Not at this time.  We've discussed the subject at some length and it
may appear in a future release, but it's not on the near-term roadmap.

BIND 9 does support update forwarding (i.e., slaves receiving updates
and passing them on to the master), but that doesn't sound like what
you're looking for.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
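Update forwarding as Evan describes it, shown as an added named.conf fragment that is not from the thread. The addresses (192.0.2.x), zone name and key name are placeholders. The secondary accepts a dynamic update from the listed client networks and relays it to the primary instead of answering REFUSED; the primary then applies its own allow-update check against the TSIG signature the client put on the message, so the key is verified there. If the primary is unreachable the forwarded update fails rather than being applied locally, which is why this is not multi-master.

```conf
// Primary (type master): the only server that ever applies an update.
key "update-key" {
    algorithm hmac-sha256;
    secret "BASE64-SECRET-HERE";          // placeholder, not a real key
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { key update-key; };     // unsigned updates are refused
    also-notify { 192.0.2.2; };
    allow-transfer { 192.0.2.2; };
};

// Secondary (type slave): relays signed updates to the primary.
zone "example.com" {
    type slave;
    file "bak/db.example.com";
    masters { 192.0.2.1; };
    allow-update-forwarding { 192.0.2.0/24; };  // default is { none; }
    allow-transfer { none; };
};
```

A client points nsupdate at the secondary with the same key (`nsupdate -k <keyfile>`, then `server 192.0.2.2`); the change lands on the primary and comes back to the secondary through NOTIFY and zone transfer. Leave allow-update-forwarding at its default on any secondary that is reachable from untrusted networks, since it is one more path by which update traffic reaches the primary.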


Re: Multi-master DNS with Bind

2012-08-05 Thread Michelle Konzack
Hello Evan Hunt,

On 2012-08-05 20:26:06, you wrote the following:
> Not at this time.  We've discussed the subject at some length and it
> may appear in a future release, but it's not on the near-term roadmap.

Something for bind10?

> BIND 9 does support update forwarding (i.e., slaves receiving updates
> and passing them on to the master), but that doesn't sound like what
> you're looking for.

I do not think so, because if the master goes off-line you are screwed.

I have some automated scripts which check whether the MASTER is on-line
or not, and if not, a SLAVE switches to MASTER.

This requires that all SLAVES have rsynced backup files from the MASTER.

Another method would be that you do NOT USE SLAVES at all but instead
install on all MASTERS a CGI script, put the DATA for the ZONES in
CSV files, do cross-updates and let a script create the Zones
automatically.

Currently I am working on this kind of setup because I have an ADMIN
workstation/server with a PostgreSQL database with all required infos in
my office, replicated 3 times in the Internet in different countries.

It does not matter on which ADMIN workstation/server I am working. It
will always update all 12 name servers correctly.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux
   Internet Service Provider, Cloud Computing
http://www.itsystems.tamay-dogan.net/

itsystems@tdnet Jabber  linux4miche...@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3   Tel office: +49-176-86004575
77694 Kehl  Tel mobil:  +49-177-9351947
Germany Tel mobil:  +33-6-61925193  (France)

USt-ID:  DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: security BIND

2012-08-05 Thread Michael Hoskins (michoski)
> -----Original Message-----
>
> From: Carsten Strotmann c...@strotmann.de
> Date: Saturday, August 4, 2012 8:37 AM
> To: Alberto Rasillo bluesnatu...@gmail.com
> Cc: bind-users@lists.isc.org bind-users@lists.isc.org
> Subject: Re: security BIND
>
> On Sat, 4 Aug 2012, Alberto Rasillo wrote:
>
>> Hi what are recommendations regarding security and DNS service? Thanks
>
> it is difficult (impossible?) to answer such a generic question.
>
> Generic security advice for a DNS service:
> * read your DNS server's documentation carefully
> * understand every bit of your configuration
> * don't use configuration settings you don't fully understand
> * understand how DNS works (read a good book or visit a good DNS training)
> * run recent software (not old software that has known security issues)
> * monitor your DNS server (DNS server logfiles, DNS traffic-patterns)
> * don't run an 'open resolver'
>   (https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=59)

Agreed, there's no one answer but a collection of advice.  You'll need to
do some research, and keep abreast of trends by joining lists like this
one and others like dns-operations and bugtraq.

http://www.cymru.com/Documents/secure-bind-template.html

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

http://www.rfc-editor.org/bcp-index.html

http://shop.oreilly.com/product/9780596100575.do

Good luck!

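The last item in Carsten's list, "don't run an open resolver", as an added named.conf fragment that is not from the thread; the networks in the ACL are placeholders. The first options block is the weak form: recursion is offered to every source address, which lets arbitrary Internet hosts query through the server's cache, makes it a reflector for amplification attacks, and widens the surface for cache poisoning. The second restricts recursion and cache reads to the networks the server is meant to serve while leaving its authoritative zones public.

```conf
// Weak: an open resolver. Any address on the Internet may recurse through
// this server and read its cache.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// Corrected: recursion and cache access only for the networks this server serves.
acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;        // placeholder for the office/DC networks
    2001:db8::/32;       // placeholder for the IPv6 range
};

options {
    directory "/var/named";
    recursion yes;
    allow-query       { any; };      // authoritative zones stay public
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };  // no cache snooping from outside
    allow-transfer    { none; };     // grant per zone to the secondaries instead
};
```

Verify from an address outside the ACL: `dig @<server> example.org A` should come back REFUSED rather than with an answer. If the same host must be authoritative for the public zones, a separate named instance (or a separate view) for recursion keeps a poisoned cache from ever being served as authoritative data.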


new bind 9.9 and root NS

2012-08-05 Thread dkole...@olearycomputers.com
Hi;

I have a client who's migrating from an old bind 9.3 installation to a
new bind 9.9.  I've done the migration and everything seemed to be
running fine.  Before switching the internic pointers, though, the
client gave it a good thorough trashing and they're finding some
issues.

On the new system, the first time a domain outside of the client's
authoritative space is queried, the response takes longer than it
should.  Obviously, non-cached searches will take longer, but these
are taking *way* longer:

# rndc flush
# time host www.olearycomputers.com.
www.olearycomputers.com has address 69.246.199.78
real 0m7.62s
user 0m0.00s
sys 0m0.00s

The old server beats that by more than 3 seconds:

[root]# rndc flush
[root]# time host www.olearycomputers.com.
www.olearycomputers.com has address 69.246.199.78
real 0m3.334s
user 0m0.003s
sys 0m0.003s

A dig trace on the old box looks reasonable:

# dig +trace www.olearycomputers.com
; <<>> DiG 9.3.4 <<>> +trace www.olearycomputers.com
;; global options: printcmd
[[root ns snipped]]
;; Received 512 bytes from 143.43.32.201#53(143.43.32.201) in 1 ms
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
[[remaining .com NS snipped]]
;; Received 501 bytes from 192.5.5.241#53(f.root-servers.net) in 71 ms
olearycomputers.com. 172800 IN NS ns3.no-ip.com.
olearycomputers.com. 172800 IN NS ns1.no-ip.com.
olearycomputers.com. 172800 IN NS ns4.no-ip.com.
olearycomputers.com. 172800 IN NS ns5.no-ip.com.
;; Received 211 bytes from 192.35.51.30#53(f.gtld-servers.net) in 77 ms
www.olearycomputers.com. 60 IN A 69.246.199.78
olearycomputers.com. 86400 IN NS ns5.no-ip.com.
[[etc]]
;; Received 289 bytes from 204.16.253.33#53(ns3.no-ip.com) in 34 ms

On the new box, I get nowhere:

# dig +trace www.olearycomputers.com
; <<>> DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 <<>> +trace www.olearycomputers.com
;; global options: +cmd
. 517932 IN NS g.root-servers.net.
. 517932 IN NS e.root-servers.net.
[[some root ns snipped]]
. 518025 IN RRSIG NS 8 0 518400 2012080700 2012073023 50398 .
ICR2HkAQdy85QN3+i3lpLqoFc11zE/ZTNiBcb9F6dyglatHsX+dvWdJS 1laG5xA//M/
OfFCALDy/xApk/Thnh20mTeEtXiiB0IEBFE17B3NgTggO gqbhk7sWt0m7SyDbXgHLbbFB
+xyLMbT3bOaUUVf7470Cnx6eTI8Q5Hco PVs=
;; Received 857 bytes from 143.43.32.170#53(143.43.32.170) in 5 ms
;; connection timed out; no servers could be reached

A straight hit to one of the root ns on the new box is equally as bad:

# dig @a.root-servers.net.
; <<>> DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 <<>> @a.root-servers.net.
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

But, on the old box works like a champ:

# ssh ${old}  'dig @a.root-servers.net.'
; <<>> DiG 9.3.4 <<>> @a.root-servers.net.
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1160
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
[[snipped]]
;; Query time: 25 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Jul 31 15:50:47 2012
;; MSG SIZE rcvd: 512

Can someone tell me why the root ns don't seem to like the new bind
9.9 systems?

Thanks for any hints/tips/suggestions.

Doug O'Leary

--
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
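One detail the two transcripts show: the 9.3 dig received a 512-byte answer, the non-EDNS maximum, while the 9.9 dig's first hop returned 857 bytes carrying RRSIGs, so it negotiated EDNS0 with the DO bit, and it is the 9.9 host that then times out against the roots. A path that drops UDP DNS answers larger than 512 bytes, or their IP fragments, produces exactly that split. The probe below is an added example, not from the thread: it sends a root NS query to 198.41.0.4 (a.root-servers.net, the address in the 9.3 transcript) with and without an EDNS OPT record and reports which variants get an answer. It builds the packets by hand so no resolver library is involved; the three-second timeout and the query IDs are arbitrary choices.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Build a ". NS" query. With with_edns set, an OPT pseudo-RR is appended that
 * advertises udp_size bytes of receive buffer (and the DO bit when do_bit is
 * nonzero), which is what a current dig sends by default; without it the
 * reply is capped at the classic 512 bytes. Returns the query length, or 0
 * if cap is too small. */
size_t build_root_ns_query(unsigned char *buf, size_t cap, uint16_t id,
                           int with_edns, uint16_t udp_size, int do_bit)
{
    size_t need = 12 + 5 + (with_edns ? 11 : 0);
    if (cap < need) return 0;
    unsigned char *p = buf;
    *p++ = (unsigned char)(id >> 8); *p++ = (unsigned char)id;
    *p++ = 0x01; *p++ = 0x00;            /* flags: RD set, as dig does by default */
    *p++ = 0; *p++ = 1;                  /* QDCOUNT */
    *p++ = 0; *p++ = 0;                  /* ANCOUNT */
    *p++ = 0; *p++ = 0;                  /* NSCOUNT */
    *p++ = 0; *p++ = (unsigned char)(with_edns ? 1 : 0); /* ARCOUNT: the OPT RR */
    *p++ = 0;                            /* QNAME "." */
    *p++ = 0; *p++ = 2;                  /* QTYPE NS */
    *p++ = 0; *p++ = 1;                  /* QCLASS IN */
    if (with_edns) {
        *p++ = 0;                        /* OPT owner name "." */
        *p++ = 0; *p++ = 41;             /* TYPE OPT */
        *p++ = (unsigned char)(udp_size >> 8); *p++ = (unsigned char)udp_size; /* CLASS = UDP payload size */
        *p++ = 0;                        /* extended RCODE */
        *p++ = 0;                        /* EDNS version 0 */
        *p++ = (unsigned char)(do_bit ? 0x80 : 0); *p++ = 0; /* flags: DO is the top bit */
        *p++ = 0; *p++ = 0;              /* RDLENGTH 0 */
    }
    return (size_t)(p - buf);
}

/* Send q over UDP to server:53 and wait up to timeout_s seconds.
 * Returns the reply length, 0 on timeout, -1 on a socket or address error. */
int udp_probe(const char *server, const unsigned char *q, size_t qlen,
              int timeout_s, unsigned char *resp, size_t cap)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    struct timeval tv = { timeout_s, 0 };
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(53);
    if (inet_pton(AF_INET, server, &sa.sin_addr) != 1) { close(s); return -1; }
    if (sendto(s, q, qlen, 0, (struct sockaddr *)&sa, sizeof sa) < 0) { close(s); return -1; }
    ssize_t n = recv(s, resp, cap, 0);
    close(s);
    if (n < 0) return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    return (int)n;
}

int main(void)
{
    const char *root = "198.41.0.4";   /* a.root-servers.net, from the 9.3 transcript */
    struct { const char *label; int edns; uint16_t size; int do_bit; } v[] = {
        { "no EDNS (512-byte ceiling)",       0, 0,    0 },
        { "EDNS, bufsize 512",                1, 512,  0 },
        { "EDNS, bufsize 4096",               1, 4096, 0 },
        { "EDNS, bufsize 4096, DO (DNSSEC)",  1, 4096, 1 },
    };
    unsigned char q[64], resp[4096];
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        size_t qlen = build_root_ns_query(q, sizeof q, (uint16_t)(0x1000 + i),
                                          v[i].edns, v[i].size, v[i].do_bit);
        int n = udp_probe(root, q, qlen, 3, resp, sizeof resp);
        if (n > 0)
            printf("%-36s reply %d bytes%s\n", v[i].label, n,
                   (resp[2] & 0x02) ? " (TC set: retry over TCP)" : "");
        else
            printf("%-36s %s\n", v[i].label, n == 0 ? "TIMEOUT" : "socket error");
    }
    return 0;
}
```

Read the rows together: if the plain and 512-byte variants answer but 4096 times out, something between the host and the Internet is dropping large UDP replies or their fragments (tcpdump on the new host will show the query leave and nothing return); `dig +bufsize=512 @a.root-servers.net . NS` and `dig +tcp` are the one-liner equivalents, and `edns-udp-size 512;` in named's options is the stop-gap until the firewall is fixed. If every variant times out, outbound UDP/53 from the new host is blocked or misrouted and EDNS is not the problem.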