Re: Moving from type forward to type static-stub

2012-09-21 Thread Adam Tkac
On Thu, Sep 20, 2012 at 07:49:08PM -0500, Oscar Ricardo Silva wrote:
 I have several recursive, caching BIND servers that were running the
 Redhat package of BIND.  Our servers started crashing because of a
 bug (previously identified AND fixed by ISC) so we've decided to
 ditch that version and run from source, 9.9.1-P3.  (I'm still not
 sure why redhat decided to use the rc1 version of source on which to
 build their rpm ... seriously ... the bug that hit us was fixed in
 rc2 AND the final release)

Because rc2 was released too late to get it into RHEL 6.3... Btw which is the
bug that bothers you? Why don't you report it to RH bugzilla?

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RH release selection (was: Moving from type forward to type static-stub)

2012-09-21 Thread Niall O'Reilly

On 21 Sep 2012, at 08:55, Adam Tkac wrote:

 Because rc2 was released too late to get it into RHEL 6.3... Btw which is the
 bug that bothers you? Why don't you report it to RH bugzilla?

I don't understand why RH would choose to include a release candidate
rather than a stable release.

/Niall



Re: RH release selection (was: Moving from type forward to type static-stub)

2012-09-21 Thread Adam Tkac
On Fri, Sep 21, 2012 at 09:36:11AM +0100, Niall O'Reilly wrote:
 
 On 21 Sep 2012, at 08:55, Adam Tkac wrote:
 
  Because rc2 was released too late to get it into RHEL 6.3... Btw which is the
  bug that bothers you? Why don't you report it to RH bugzilla?
 
   I don't understand why RH would choose to include a release candidate
   rather than a stable release.

ISC's RCs are generally OK. When I updated BIND in 6.3, I could choose either
9.8.1-P* or 9.8.2rc1. So I decided to pick 9.8.2rc1 because it contains many
bugfixes over 9.8.1. And from the 9.8.2 changelog it doesn't seem there are
regression fixes for bugs which aren't present in 9.8.1, are present in 9.8.2rc1
and are fixed in 9.8.2 (except RT #27738 which is already fixed).

However it seems you hit some bug which isn't present in 9.8.1, is present in
9.8.2rc1 and is fixed in 9.8.2. Can you please tell me the number of that bug so we
can backport the patch? Thank you in advance.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.


DDOS Attack on BIND 9.8.0

2012-09-21 Thread Amit Gupta
Hi,

We are running BIND 9.8.0 on a Solaris 10 machine.

We are getting continuous hits from various IPs to isc.org (snoop report
attached).

Due to it our DNS is not responding to other genuine queries and users are
not able to browse.


0.2 59.178.138.195 - 203.94.243.70 DNS C isc.org. Internet * ?
929   0.0 59.178.51.128 - 203.94.243.70 DNS C isc.org. Internet * ?
937   0.0 59.178.166.44 - 203.94.243.70 DNS C isc.org. Internet * ?
944   0.0 120.59.103.34 - 203.94.243.70 DNS C isc.org. Internet * ?
949   0.0 59.180.142.190 - 203.94.243.70 DNS C isc.org. Internet * ?
955   0.1 59.178.50.68 - 203.94.243.70 DNS C isc.org. Internet * ?
964   0.0 120.60.156.1 - 203.94.243.70 DNS C isc.org. Internet * ?
969   0.1 59.180.159.121 - 203.94.243.70 DNS C isc.org. Internet * ?
973   0.0 59.178.182.103 - 203.94.243.70 DNS C isc.org. Internet * ?
980   0.0 59.178.169.247 - 203.94.243.70 DNS C isc.org. Internet * ?
983   0.0 59.178.162.136 - 203.94.243.70 DNS C isc.org. Internet * ?
993   0.3 120.59.108.86 - 203.94.243.70 DNS C isc.org. Internet * ?
998   0.0 59.178.51.96 - 203.94.243.70 DNS C isc.org. Internet * ?
999   0.00010 120.56.185.176 - 203.94.243.70 DNS C isc.org. Internet * ?
1001   0.0 59.180.146.89 - 203.94.243.70 DNS C isc.org. Internet * ?
1015   0.2 59.178.177.217 - 203.94.243.70 DNS C isc.org. Internet * ?
1027   0.0 59.178.62.149 - 203.94.243.70 DNS C isc.org. Internet * ?
1028   0.0 59.178.165.0 - 203.94.243.70 DNS C isc.org. Internet * ?
1037   0.0 59.180.140.93 - 203.94.243.70 DNS C isc.org. Internet * ?
1064   0.0 59.178.183.73 - 203.94.243.70 DNS C isc.org. Internet * ?
1093   0.0 59.177.139.7 - 203.94.243.70 DNS C isc.org. Internet * ?
1103   0.1 59.183.143.46 - 203.94.243.70 DNS C isc.org. Internet * ?


Thanks 

Amit 

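A way to triage a capture like the one above, as an added example that is not part of this thread or of BIND: the script parses Solaris snoop DNS summary lines, counts type-ANY queries per name, and flags names that many distinct clients are querying with ANY. The sample capture is constructed from documentation address ranges rather than copied from Amit's report; the "*" rendering of ANY (as in the capture above) and the "Addr" rendering of A are assumptions about snoop's summary format, and the function names are mine.

```python
import re
from collections import Counter, defaultdict

# One regex for the Solaris `snoop` DNS summary layout seen in the thread:
#   <pkt#> <delta> <src> - <dst> DNS C <qname> <class> <type> ?
# "C" marks a client query; "*" in the type column is snoop's rendering of ANY.
SNOOP_QUERY = re.compile(
    r"^(?P<pkt>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+)\s+-\s+(?P<dst>\S+)\s+"
    r"DNS\s+C\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+\?"
)

# Constructed sample capture (documentation address ranges, not the thread's IPs).
SAMPLE_SNOOP = """\
929   0.0 198.51.100.21 - 203.0.113.5 DNS C isc.org. Internet * ?
937   0.0 198.51.100.44 - 203.0.113.5 DNS C isc.org. Internet * ?
944   0.0 198.51.100.9 - 203.0.113.5 DNS C isc.org. Internet * ?
949   0.0 192.0.2.17 - 203.0.113.5 DNS C www.example.com. Internet Addr ?
955   0.1 198.51.100.21 - 203.0.113.5 DNS C isc.org. Internet * ?
964   0.0 198.51.100.77 - 203.0.113.5 DNS C ripe.net. Internet * ?
"""


def parse_snoop(text):
    """Return one dict per DNS client-query line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SNOOP_QUERY.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def any_query_counts(records):
    """Number of ANY queries seen per query name."""
    return Counter(r["qname"] for r in records if r["qtype"] == "*")


def any_query_sources(records):
    """Set of distinct client addresses sending ANY queries, per query name."""
    sources = defaultdict(set)
    for r in records:
        if r["qtype"] == "*":
            sources[r["qname"]].add(r["src"])
    return sources


def flag_any_floods(records, min_sources=3):
    """Names queried with ANY by at least `min_sources` distinct clients.

    Many unrelated clients asking ANY for the same name is the pattern in
    the thread; a single noisy client would show up as one source instead.
    """
    return sorted(
        name for name, srcs in any_query_sources(records).items()
        if len(srcs) >= min_sources
    )


if __name__ == "__main__":
    recs = parse_snoop(SAMPLE_SNOOP)
    srcs = any_query_sources(recs)
    for name, n in any_query_counts(recs).most_common():
        print(f"{name:20s} ANY queries: {n:3d}  distinct sources: {len(srcs[name])}")
    print("flagged:", flag_any_floods(recs))
```

The per-name and per-source counts are a triage aid: they show whether the load is one misbehaving client or, as in the capture above, the same name asked for with ANY from many addresses, and therefore how much a per-source block in the firewall (Tony's approach below) could actually remove.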

Issue with Minimum Value for named9

2012-09-21 Thread Robert JR
 

Dear All,

I have the minimum value in my DNS server set to 60 mins,
and my TTL is 60 seconds, but still when users hit a non-existent record,
the other DNS servers hold the negative cache for 60 secs instead of 60 mins.
Why?

$TTL 60
@ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
 201208281 ; serial, todays date + todays serial #
 8H ; refresh, seconds
 2H ; retry, seconds
 4W ; expire, seconds
 1H ) ; minimum, seconds
;


Despite my configuration above, all DNS servers that query my server
cache the non-existent record for 60 seconds only and not 60 mins
as mentioned in my configuration. Any ideas why?

Thanks Again

Robert JR

Reply: DDOS Attack on BIND 9.8.0

2012-09-21 Thread Tony Xue
Hello,

I used to get a lot of these kinds of junk queries for ripe.net and isc.org of
ANY type.

I just manually blocked these source IPs in iptables. I did this for several
months and there were no more junk queries after.

Also, another one of my DNS servers was hacked or whatever and was used to send
this kind of junk. My IP was nulled by the operator because of too high network load.

So, I believe this is maybe a bug or something that BIND 9.8 has. I think it is
better to upgrade to the latest version.
-Original Message-
From: Amit Gupta jto...@bol.net.in
Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.org
Date: Fri, 21 Sep 2012 15:26:23
To: bind-users@lists.isc.org
Cc: ams...@bol.net.in
Subject: DDOS Attack on BIND 9.8.0



Reply: DDOS Attack on BIND 9.8.0

2012-09-21 Thread Tony Xue
Actually I don't have a very good idea about it. It's kind of like you just cannot do
anything about it. Also you're not the server being used to attack others, so there's
less that can be done.

I just think you can upgrade to BIND 9, because you're ISP level so most
actions I have done, you can't do.

How much bandwidth does the attack cost every day?
-Original Message-
From: Amit Gupta jto...@bol.net.in
Date: Fri, 21 Sep 2012 16:02:38
To: bind-users@lists.isc.org
Cc: ams...@bol.net.in; xuez...@gmail.com
Subject: DDOS Attack on BIND 9.8.0

Hi
At ISP level it is not possible for us to block IPs.
Do I require some patch or an upgrade to a higher BIND?

Or is some OS patch for Solaris required?

Somehow I know that these queries are of ANY type and the response is choking
Ethernet traffic.

Please suggest. This BIND is in our production environment.

Thanks

Amit



Re: Issue with Minimum Value for named9

2012-09-21 Thread Jeremy C. Reed
On Fri, 21 Sep 2012, Robert JR wrote:

 i have the minimum value in my dns server as 60 mins, and my TTL is 60
 Seconds , but still when users hit a non exist record , the other dns hold
 the negative cache for 60 secs instead of 60 mins .. ? why ? 
 
 $TTL 60
 @ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
 201208281 ; serial, todays date + todays serial #
 8H ; refresh, seconds
 2H ; retry, seconds
 4W ; expire, seconds
 1H ) ; minimum, seconds
 ;
 
 Although my configuration above, all DNS servers that query my server, cache
 the non exist record for 60 seconds only and not 60 mins
 As mentioned in my configuration ? any ideas why ?


See RFC 2308 in regards to Caching Negative Answers about how the auth
server returns an SOA for an NXDOMAIN:

``When the authoritative server creates this record its TTL
is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.''

It uses the smaller TTL.

I often see the reverse -- for example, the SOA's TTL is 7200 and the
MINIMUM is 3600, so the returned record (in the auth section) has the
TTL as 3600.
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
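The rule Jeremy quotes, worked through in code as an added example (not part of this thread or of BIND): the script parses the $TTL directive and the SOA out of a zone snippet, converts BIND's H/W-style TTL tokens to seconds, and returns the negative-cache TTL as the smaller of the SOA's TTL and its MINIMUM field. ROBERT_ZONE is the snippet from the thread; REVERSE_ZONE is a constructed zone for Jeremy's 7200/3600 case; the function names and the minimal zone-file parsing are mine.

```python
import re

# Seconds per BIND TTL unit suffix (case-insensitive in zone files).
UNIT_SECONDS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(token):
    """Convert a BIND TTL token such as 60, 1H, 4W or 1D12H to seconds."""
    token = token.upper()
    if not re.fullmatch(r"(\d+[SMHDW]?)+", token):
        raise ValueError(f"not a TTL: {token!r}")
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)([SMHDW]?)", token))


def parse_soa(zone_text):
    """Pull the SOA's effective TTL and MINIMUM field out of a zone snippet.

    Handles the $TTL directive, ';' comments and a parenthesised multi-line
    SOA RDATA, which is all the thread's zone snippet needs. An explicit TTL
    on the SOA line itself overrides $TTL.
    """
    no_comments = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    # Fold "( ... )" spans onto one line so the SOA can be tokenised.
    folded = re.sub(r"\(([^)]*)\)",
                    lambda m: " " + m.group(1).replace("\n", " ") + " ",
                    no_comments)
    default_ttl = None
    for line in folded.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if "SOA" in tokens:
            i = tokens.index("SOA")
            ttl = default_ttl
            for tok in tokens[1:i]:          # owner, then optional TTL / class
                if tok[0].isdigit():
                    ttl = parse_ttl(tok)
            fields = tokens[i + 1:i + 8]     # mname rname serial refresh retry expire minimum
            if len(fields) != 7:
                raise ValueError("SOA RDATA does not have 7 fields")
            if ttl is None:
                raise ValueError("SOA has no TTL and no $TTL precedes it")
            return {"ttl": ttl, "serial": int(fields[2]),
                    "expire": parse_ttl(fields[5]), "minimum": parse_ttl(fields[6])}
    raise ValueError("no SOA record found")


def negative_cache_ttl(zone_text):
    """TTL a resolver caches an NXDOMAIN for, per RFC 2308: the smaller of
    the SOA's own TTL and its MINIMUM field."""
    soa = parse_soa(zone_text)
    return min(soa["ttl"], soa["minimum"])


# Robert's zone snippet from the thread: $TTL 60 with MINIMUM 1H.
ROBERT_ZONE = """\
$TTL 60
@ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
 201208281 ; serial, todays date + todays serial #
 8H ; refresh, seconds
 2H ; retry, seconds
 4W ; expire, seconds
 1H ) ; minimum, seconds
"""

# Constructed zone for Jeremy's reverse case: SOA TTL 7200, MINIMUM 3600.
REVERSE_ZONE = """\
$TTL 7200
@ IN SOA ns1.example.net. hostmaster.example.net. ( 2012092101 8H 2H 4W 3600 )
"""

if __name__ == "__main__":
    print("Robert's zone caches NXDOMAIN for", negative_cache_ttl(ROBERT_ZONE), "s")   # 60
    print("reverse case caches NXDOMAIN for", negative_cache_ttl(REVERSE_ZONE), "s")   # 3600
```

Robert's zone yields 60 seconds and the reverse case 3600, matching both halves of Jeremy's reply. It also makes the fix for Robert's symptom concrete: with MINIMUM at 1H, the SOA's own TTL (via $TTL or an explicit TTL on the SOA line) has to be at least 3600 before resolvers will hold the negative answer for an hour.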

Re: Issue with Minimum Value for named9

2012-09-21 Thread Robert JR
 

Thank you very much, this helped a lot.

Thanks again Jeremy

On 2012-09-21 16:13, Jeremy C. Reed wrote:

 On Fri, 21 Sep 2012, Robert JR wrote:
 
  i have the minimum value in my dns server as 60 mins, and my TTL is 60
  Seconds , but still when users hit a non exist record , the other dns hold
  the negative cache for 60 secs instead of 60 mins .. ? why ?
  
  $TTL 60
  @ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
  201208281 ; serial, todays date + todays serial #
  8H ; refresh, seconds
  2H ; retry, seconds
  4W ; expire, seconds
  1H ) ; minimum, seconds
  ;
  
  Although my configuration above, all DNS servers that query my server, cache
  the non exist record for 60 seconds only and not 60 mins
  As mentioned in my configuration ? any ideas why ?
 
 See RFC 2308 in regards to Caching Negative Answers about how the auth
 server returns an SOA for an NXDOMAIN:
 
 ``When the authoritative server creates this record its TTL
 is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.''
 
 It uses the smaller TTL.
 
 I often see the reverse -- for example, the SOA's TTL is 7200 and the
 MINIMUM is 3600, so the returned record (in the auth section) has the
 TTL as 3600.


Re: Moving from type forward to type static-stub

2012-09-21 Thread Oscar Ricardo Silva

On 09/21/2012 02:55 AM, Adam Tkac wrote:

On Thu, Sep 20, 2012 at 07:49:08PM -0500, Oscar Ricardo Silva wrote:

I have several recursive, caching BIND servers that were running the
Redhat package of BIND.  Our servers started crashing because of a
bug (previously identified AND fixed by ISC) so we've decided to
ditch that version and run from source, 9.9.1-P3.  (I'm still not
sure why redhat decided to use the rc1 version of source on which to
build their rpm ... seriously ... the bug that hit us was fixed in
rc2 AND the final release)


Because rc2 was released too late to get it into RHEL 6.3... Btw which is the
bug that bothers you? Why don't you report it to RH bugzilla?

Regards, Adam



Case opened with Redhat:    2012-07-02
Bug:                        837165 (opened on 2012-07-02)
Proposed patch (by Adam):   2012-07-09
Patch released:             2012-07-23 (but not noted in Bugzilla)
Notification of bug fix:    2012-07-31 (per Bugzilla)
Number of crashes after
  bug reported:             3 (2 initial crashes, 3 more after)

We did report it and a patch was released AFTER our servers started 
crashing on the known bug.  Even then, when one server had crashed twice 
and we were holding our breath on the others, it took weeks for the 
patched version to come through.


I don't want to get in a war of words but here's the first line from the 
9.8.2rc1 Release Notes:


*
BIND 9.8.2rc1 is the first release candidate of BIND 9.8.2.
*

Not only is it a release candidate but it's the FIRST release candidate. 
 Also, using the dates on the release notes:


2012-01-19  9.8.2rc1
2012-03-13  9.8.2rc1
2012-03-23  9.8.2rc1
...
2012-06-21  RHEL 6.3 announced as available

I wonder if there's no process to revisit a package after a final 
version has been released.  I'm aware that you have to pick something 
but if it's not a final version why not go back after the official 
version is available.


Sorry for going way off topic (package version vs an actual BIND 
problem) but the question was asked.  Personally it drives me nuts when 
people just complain on a mailing list but then don't report it through 
official channels so I wanted to show that we did do that.



Oscar





Re: Moving from type forward to type static-stub

2012-09-21 Thread Michael Sinatra
On 9/20/12 5:49 PM, Oscar Ricardo Silva wrote:

 If I'm correct, it will send non-recursive queries to the listed servers
 and will honor delegations. I've tested this configuration in our lab
 and it all appears to be working.

Yup, static stub will do exactly that.

 With our configuration, are there any downsides to changing from forward
 zones to static-stub?  Any gotchas I should know about?

I am pretty sure that the recursive server will still cache the entries
it receives from the static-stub server.  If your goal is for
instantaneous updates on your recursives when your authoritatives get
updated, I don't think it will work as well as just slaving the zones.

If the goal is for the recursives to see an internal view of the zones,
then static-stub will work great.

 At this time we
 don't have dnssec validation turned on.  We tried it and had too many
 problems with misconfigured domains not resolving properly so backed out.

It's time to back in again (front in?).  Now that Comcast is validating,
any mistakes that people make will get fixed right quick.  1.7 million
people doing validation is good incentive to get things right and fix
them quickly.  At UC Berkeley, validation has been turned on for four
years now and only a handful of domains have required special handling.

All of the emphasis on signing for DNSSEC is great, but DNSSEC can't
really work without validation.

michael


openldap, dlz and dynamic dns updates from isc-dhcpd

2012-09-21 Thread Jeff Lasslett
Hello List,

I would like to use openldap to store DHCP config and DNS zones.
I've scoured the web for howtos and I've learned a lot.

For openldap backed DNS it seems that DLZ is the best option (faster,
and the data is better organised in ldap).

My main question is about dynamic updates from the DHCP server.  I
would like to know if bind 9.9 can update
an openldap DLZ with dynamic updates from a DHCP server.

I've read about Andrew Tridgell's work on getting BIND to update DLZs
(http://jpmens.net/2011/01/21/bind-gets-a-new-updateable-dlz-driver-dlopen/).

Can encryption be used to dynamically update BIND's DLZs, just as it
can if zone files are used?

Thanks,
Jeff