Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Doug Barton

On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:

My organization is evaluating the use of split-view DNS in our environment.


Simple ... don't do it. It's almost never the right answer, and as 
you're learning, it carries with it more administrative overhead than the 
problems it's designed to solve.


Much better to spend the time carefully considering what your goals are, 
and finding other ways to reach them.


Doug

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Dynamic Update Policy.....

2013-03-28 Thread Gary Greene
I'm trying to get bind to use ddns updates for our environment, however I'm 
getting errors in the logs on the system that the host is being denied from 
making the changes.

Currently, I'm only allowing certain hosts to update their records, as a test.

The stanza for update-policy follows:

zone "minervanetworks.com" {
type master;
notify yes;
update-policy {
grant ggreene-imac$@MINERVANETWORKS.COM ms-self * A;
grant cvallejo-w7-lt$@MINERVANETWORKS.COM ms-self * A;
grant cvallejo-test-w7-lt$@MINERVANETWORKS.COM ms-self * A;
};
file "/etc/named.d/minervanetworks.zone";
check-names ignore;
};

The error I see in the logs:
Mar 28 15:57:29 ns1 named[11482]: client 10.5.1.11#52418: view internal: update 
'minervanetworks.com/IN' denied

The reverse zones work, as they are set up to allow dhcpd to make the changes 
(and they work correctly), however the forward zone does not.

Any insight would be great. Thanks.

--
Gary L. Greene, Jr.
Sr. Systems Administrator
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633

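As an added illustration, not BIND's own code and not anything from Gary's post, here is a small Python model of how an update-policy like the stanza above is evaluated: the first rule whose signer identity, nametype and record type all match decides, and a request that no rule grants is refused (and logged by named as `update '...' denied`). The `ms-self` handling follows the ARM's description (a principal `machine$@REALM` may update the name `machine.realm`); the policy text is the one quoted in the post, the request identities and names fed to it are constructed.

```python
"""Simplified model of BIND's update-policy evaluation (added example, not BIND code).

Covered: grant/deny, exact identity match, nametypes self / ms-self / name /
subdomain, and an rdatatype list ("*" or "ANY" means any type). The first rule
whose identity, name and type all match decides; no match means refusal.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def canon(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing dot."""
    return name.lower().rstrip(".")


@dataclass(frozen=True)
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # TSIG key name or GSS-TSIG principal, "*" for any signer
    nametype: str      # self | ms-self | name | subdomain
    name: str          # "*" for self/ms-self in the named.conf syntax
    rdatatypes: Tuple[str, ...] = ("ANY",)


def parse_policy(text: str) -> List[Rule]:
    """Parse the grant/deny lines of an update-policy { ... } block."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) >= 4 and parts[0] in ("grant", "deny"):
            action, identity, nametype, name = parts[:4]
            rules.append(Rule(action, identity, nametype, name, tuple(parts[4:]) or ("ANY",)))
    return rules


def name_matches(rule: Rule, identity: str, target: str) -> bool:
    if rule.nametype == "self":
        return canon(target) == canon(identity)
    if rule.nametype == "ms-self":
        # principal machine$@REALM may only update machine.realm (ARM description)
        if "$@" not in identity:
            return False
        machine, realm = identity.split("$@", 1)
        return canon(target) == canon(f"{machine}.{realm}")
    if rule.nametype == "name":
        return canon(target) == canon(rule.name)
    if rule.nametype == "subdomain":
        t, p = canon(target), canon(rule.name)
        return t == p or t.endswith("." + p)
    raise ValueError(f"nametype {rule.nametype!r} not modelled here")


def type_matches(rule: Rule, rtype: str) -> bool:
    return any(t.upper() in ("*", "ANY") or t.upper() == rtype.upper() for t in rule.rdatatypes)


def update_allowed(policy: Sequence[Rule], identity: Optional[str], target: str, rtype: str) -> bool:
    """identity is None for an unsigned request, which no rule can ever match."""
    if identity is None:
        return False
    for rule in policy:
        if rule.identity != "*" and canon(rule.identity) != canon(identity):
            continue
        if not name_matches(rule, identity, target) or not type_matches(rule, rtype):
            continue
        return rule.action == "grant"
    return False


# The stanza from the post above, used as the input text.
POLICY_TEXT = """
update-policy {
grant ggreene-imac$@MINERVANETWORKS.COM ms-self * A;
grant cvallejo-w7-lt$@MINERVANETWORKS.COM ms-self * A;
grant cvallejo-test-w7-lt$@MINERVANETWORKS.COM ms-self * A;
};
"""
POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    # Constructed requests: one the policy grants, three it refuses.
    for ident, name, rtype in [
        ("ggreene-imac$@MINERVANETWORKS.COM", "ggreene-imac.minervanetworks.com.", "A"),
        ("ggreene-imac$@MINERVANETWORKS.COM", "cvallejo-w7-lt.minervanetworks.com.", "A"),
        ("ggreene-imac$@MINERVANETWORKS.COM", "ggreene-imac.minervanetworks.com.", "AAAA"),
        (None, "ggreene-imac.minervanetworks.com.", "A"),
    ]:
        verdict = "granted" if update_allowed(POLICY, ident, name, rtype) else "denied"
        print(ident, name, rtype, "->", verdict)
```

The model makes the failure modes visible: a machine principal may touch only its own A record, any other name or type falls through every rule, and a request that is not signed at all (or signed with a key the policy never names) is refused before any name comparison happens.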

Re: Precautions for upgrading from 9.7.7 to 9.9.2-P2

2013-03-28 Thread Mark Andrews

In message <22783305.318587.1364508740276.javamail.r...@k-state.edu>, "Lawrence K. Chen, P.Eng." writes:
> Hmmm, I forget just what all I muttered when I upgraded from 9.7 to 9.9.2-P1.
> I think the main beef I had was doing it the day before I left for LISA'12.
> ... guess I didn't join this list until around that time.
> 
> As, I recall...the main thing that tripped me up was change in empty-zones
> behavior.  It needs to be explicitly disabled (either totally or just for the
> zones you use).

Which is only an issue if you have a forward "zone" below an empty
zone without an intervening master/slave/stub zone.

As I have stated before forward zones were designed for two purposes.
* performance increases by accessing a centralised cache
* work around firewall issues

Forward zones were not designed to graft on internal namespaces.
That they sometimes succeed at doing this is down to good luck.
Forward zones work by redirecting where a recursing request is sent.
They do not create a delegation in zones loaded onto the nameserver.

Basic zone management (master/slave zones) is capable of grafting
on namespaces, and if you don't want to have a full zone transferred
to slaves then stub zones were designed to allow you to graft on a
namespace.

> There were a lot of cosmetic things like saying you've requested NSEC3, but
> don't have such a key, or lots of RSA_verify failed messages
> 
> The switch to raw slave zone files was also scary the first time I saw it...and
> later having to name slave zone files consistently, so that they can be easily
> read now.
> 
> This switch also broke some zones that I'm slave for, where I had lost contact
> with the master.  Strange that one of the zones, took almost 3 months before
> they finally asked why they weren't resolving off of our servers anymore ...
> they hadn't been using the domain for email for years, but it was the only
> contact info we had for them (and it matched their SOA.)
> 
> - Original Message -
> > Wang, Yu  wrote:
> > >
> > > I am in the process of preparing bind upgrade from 9.7.7 to
> > > 9.9.2-p2. I
> > > am reading release notes from 9.8.0 up to see if there are new
> > > things/features that might cause issues. I would welcome and
> > > appreciate
> > > advice on precautions I should take before, during, and after
> > > upgrade.
> > 
> > The main thing that you are likely to trip over is the change in the
> > default format of slaved zones, from text to raw. named should move
> > the
> > old files out of the way and retransfer the zones, and complain about
> > it
> > in the log. You probably want to remove the old slave zone files,
> > either
> > before upgrading (to avoid upsetting named) or afterwards (to keep
> > things
> > tidy).
> > 
> 
> -- 
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- & SafeZone Ally
> Snail: Computing and Telecommunications Services (CTS)
> Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
> Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
> Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Precautions for upgrading from 9.7.7 to 9.9.2-P2

2013-03-28 Thread Lawrence K. Chen, P.Eng.
Hmmm, I forget just what all I muttered when I upgraded from 9.7 to 9.9.2-P1.  
I think the main beef I had was doing it the day before I left for LISA'12 ... 
guess I didn't join this list until around that time.

As, I recall...the main thing that tripped me up was change in empty-zones 
behavior.  It needs to be explicitly disabled (either totally or just for the 
zones you use).

There were a lot of cosmetic things like saying you've requested NSEC3, but 
don't have such a key, or lots of RSA_verify failed messages

The switch to raw slave zone files was also scary the first time I saw it...and 
later having to name slave zone files consistently, so that they can be easily 
read now.

This switch also broke some zones that I'm slave for, where I had lost contact 
with the master.  Strange that one of the zones, took almost 3 months before 
they finally asked why they weren't resolving off of our servers anymore ... 
they hadn't been using the domain for email for years, but it was the only 
contact info we had for them (and it matched their SOA.)

- Original Message -
> Wang, Yu  wrote:
> >
> > I am in the process of preparing bind upgrade from 9.7.7 to
> > 9.9.2-p2. I
> > am reading release notes from 9.8.0 up to see if there are new
> > things/features that might cause issues. I would welcome and
> > appreciate
> > advice on precautions I should take before, during, and after
> > upgrade.
> 
> The main thing that you are likely to trip over is the change in the
> default format of slaved zones, from text to raw. named should move
> the
> old files out of the way and retransfer the zones, and complain about
> it
> in the log. You probably want to remove the old slave zone files,
> either
> before upgrading (to avoid upsetting named) or afterwards (to keep
> things
> tidy).
> 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library


Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Kevin Darcy

On 3/28/2013 3:28 PM, Ben-Eliezer, Tal (ITS) wrote:


Hello,

My organization is evaluating the use of split-view DNS in our 
environment.


One of the challenges I've yet to overcome in my trials, is the 
ability to minimize the administrative overhead of maintaining two 
copies of the zone.


Upon reviewing some of the BIND options, "forward first;" caught my 
eye. Below is the description of this feature I found on Zytrax:


"forward is only relevant in conjunction with a valid forwarders 
statement. If set to 'only' the server will only forward queries, if 
set to 'first' (default) it will send the queries to the forwarder and 
if not answered will attempt to answer the query. This statement may 
be used in a zone, view or a global options clause."

If I understand this correctly, BIND should handle a query for 
host.example.com by first passing it through the configured forwarder, 
which should succeed (the record exists on the Internet).


However, I believe since this server is also authoritative for this 
domain (the internal copy), and the record is not in this "view" of 
the zone file, I receive an NXDOMAIN.


I've spent hours researching a way to accomplish this without any 
luck. Is there any way to accomplish what I'm trying to do?


The forward-first/forward-only distinction doesn't help you here: as 
already mentioned, if a BIND instance is authoritative for a zone, it 
will never forward for it. "Forward first" only allows named to try 
iterative resolution if it gets *no* response from any of its forwarders 
-- it has no bearing whatsoever on how it answers from authoritative 
data. You need to bite the bullet and set up your maintenance processes 
to duplicate the entries of the external-facing version of the zone into 
the internal version, if they don't already exist there with different 
values (aka "schizophrenic" DNS).


People that still manually update zone files have had some success with 
$INCLUDE'ing the common entries into both versions of the zone. But, 
always remember that BIND sees them as separate zones, so you need to be 
careful about incrementing the serial numbers of *both* zones whenever 
the include file changes. Obviously, this technique isn't going to work 
with zones that are dynamically-updated, or where the zone files are 
managed by some sort of maintenance system, unless it can be 
tweaked/configured/enhanced to understand $INCLUDE files.


- Kevin

RE: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Ben-Eliezer, Tal (ITS)
Hi Chris, this looks interesting, I'll do some testing and report back!

Thank you,
Tal

-Original Message-
From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
Sent: Thursday, March 28, 2013 5:02 PM
To: Ben-Eliezer, Tal (ITS)
Cc: bind-users@lists.isc.org
Subject: Re: Forward First on Master Zone (bypass SOA)

On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:

> I've spent hours researching a way to accomplish this without any luck. Is 
> there any way to accomplish what I'm trying to do?

No, not unless you want to monkey around with static zones and $INCLUDE 
directives -- something like this:

Internal zone file:

$INCLUDE internal.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.internal.host  A   192.0.2.1
[...]

External zone file:

$INCLUDE external.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.external.host  A   192.0.2.254
[...]

where the *.zone.apex files look something like this:

$TTL 86400
@   SOA [... 7 data fields ...]
NS  ns1.example.com.
NS  ns2.example.com.
MX  10 mx1.example.com.

This way, you mostly maintain 3 files of DNS records for the zone -- external, 
internal, and common. Note that this is not compatible with dynamic zones.

If you need to support dynamic zones (and who doesn't, these days?), you're out 
of luck.

Chris Buxton
BlueCat Networks



Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:

> I’ve spent hours researching a way to accomplish this without any luck. Is 
> there any way to accomplish what I’m trying to do?

No, not unless you want to monkey around with static zones and $INCLUDE 
directives -- something like this:

Internal zone file:

$INCLUDE internal.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.internal.host  A   192.0.2.1
[...]

External zone file:

$INCLUDE external.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.external.host  A   192.0.2.254
[...]

where the *.zone.apex files look something like this:

$TTL 86400
@   SOA [... 7 data fields ...]
NS  ns1.example.com.
NS  ns2.example.com.
MX  10 mx1.example.com.

This way, you mostly maintain 3 files of DNS records for the zone -- external, 
internal, and common. Note that this is not compatible with dynamic zones.

If you need to support dynamic zones (and who doesn't, these days?), you're out 
of luck.

Chris Buxton
BlueCat Networks
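The $INCLUDE layout in Chris's reply above, together with Kevin Darcy's warning earlier in this thread that BIND sees the two copies as separate zones whose serials must *both* be incremented whenever the common file changes, is the kind of step a maintenance script should own. The following is an added Python example, not part of the thread and not BIND's code: it detects a change in the shared records file and advances the SOA serial of both apex files, using the YYYYMMDDnn serial convention visible in this digest's nsupdate output. The apex and common files are constructed samples; their `@ SOA ...` lines stand in for the `[... 7 data fields ...]` placeholder above.

```python
"""Keep the serials of a split (internal/external) zone in step when a shared
$INCLUDE file changes.  Added example; not BIND code and not from the thread."""
import hashlib
import re
from datetime import date

SERIAL_MAX = 2 ** 32
# The serial is the first integer after the SOA MNAME and RNAME, optionally after "(".
_SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def read_serial(zone_text: str) -> int:
    m = _SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    return int(m.group(2))


def next_serial(current: int, today: date) -> int:
    """YYYYMMDDnn: start today's series, or add one if today's series is already
    in use (or the file carries a larger value).  The result is always greater
    than current, which is what makes slaves of either view notice the change."""
    base = int(today.strftime("%Y%m%d")) * 100
    candidate = base if base > current else current + 1
    if candidate >= SERIAL_MAX:
        raise ValueError("serial would wrap; handle the RFC 1982 rollover deliberately")
    return candidate


def bump_serial(zone_text: str, today: date) -> str:
    new = next_serial(read_serial(zone_text), today)
    return _SOA_SERIAL.sub(lambda m: m.group(1) + str(new), zone_text, count=1)


def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def refresh(internal_apex: str, external_apex: str, common_old: str, common_new: str, today: date):
    """Return (internal, external, bumped).  Both serials move only if the common
    records actually changed; otherwise the apex files are returned untouched."""
    if digest(common_old) == digest(common_new):
        return internal_apex, external_apex, False
    return bump_serial(internal_apex, today), bump_serial(external_apex, today), True


# Constructed sample files in the layout from the post above (not real zone data).
INTERNAL_APEX = """$TTL 86400
@   SOA ns1.example.com. hostmaster.example.com. (
        2013032600 ; serial
        10800 3600 604800 86400 )
    NS  ns1.example.com.
    NS  ns2.example.com.
"""
EXTERNAL_APEX = """$TTL 86400
@   SOA ns1.example.com. hostmaster.example.com. 2013032805 10800 3600 604800 86400
    NS  ns1.example.com.
    NS  ns2.example.com.
    MX  10 mx1.example.com.
"""
COMMON_V1 = "www   A   192.0.2.10\n"
COMMON_V2 = "www   A   192.0.2.10\nmail  A   192.0.2.20\n"

if __name__ == "__main__":
    today = date(2013, 3, 28)
    new_int, new_ext, bumped = refresh(INTERNAL_APEX, EXTERNAL_APEX, COMMON_V1, COMMON_V2, today)
    print("bumped:", bumped, "internal:", read_serial(new_int), "external:", read_serial(new_ext))
```

The two apex files deliberately start from different serials: the internal copy has not been touched today and jumps to today's series, while the external copy has already been edited several times today and simply increments. Keeping the bump per zone rather than copying one serial into the other is what avoids accidentally moving a zone's serial backwards.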


Re: Precautions for upgrading from 9.7.7 to 9.9.2-P2

2013-03-28 Thread Tony Finch
Wang, Yu  wrote:
>
> I am in the process of preparing bind upgrade from 9.7.7 to 9.9.2-p2. I
> am reading release notes from 9.8.0 up to see if there are new
> things/features that might cause issues. I would welcome and appreciate
> advice on precautions I should take before, during, and after upgrade.

The main thing that you are likely to trip over is the change in the
default format of slaved zones, from text to raw. named should move the
old files out of the way and retransfer the zones, and complain about it
in the log. You probably want to remove the old slave zone files, either
before upgrading (to avoid upsetting named) or afterwards (to keep things
tidy).

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


Precautions for upgrading from 9.7.7 to 9.9.2-P2

2013-03-28 Thread Wang, Yu
Hello,

I am in the process of preparing bind upgrade from 9.7.7 to 9.9.2-p2. I am 
reading release notes from 9.8.0 up to see if there are new things/features 
that might cause issues. I would welcome and appreciate advice on precautions I 
should take before, during, and after upgrade: what issues did you run into in 
your upgrade, what impacts did they have, and how did you resolve them?

Thank you for your time.

Yu Wang
Network Architect

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi Jim,

Shouldn't there be quotes around the key string in the named.conf file?  I
have quotes around mine in named.conf.  I do not have quotes around the key
string in the dhcpd.conf.

If this is correct, I've made sure they match (I was trying to "genericize"
the key string before), but not any longer.

After making sure the key strings match, I'm still getting the error
"unable to add forward map" when I do a release & renew from a windows
laptop.
Here are the current (and live) config files.

named.conf
=
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/

acl stapleton_hosts {
127.0.0.1;
172.10.0.0/16;
};

options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
zone-statistics yes;


/*
  Specify listening interfaces. You can use list of addresses (';' is
  delimiter) or keywords "any"/"none"
*/
//listen-on port 53{ any; };
listen-on port 53{ 127.0.0.1; 172.10.0.0; };

//listen-on-v6 port 53{ any; };
//listen-on-v6 port 53{ ::1; };

/*
  Access restrictions

  There are two important options:
allow-query { argument; };
  - allow queries for authoritative data

allow-query-cache { argument; };
  - allow queries for non-authoritative data (mostly cached data)

  You can use address, network address or keywords
"any"/"localhost"/"none" as argument
  Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/

allow-query{ stapleton_hosts; };
allow-query-cache{ stapleton_hosts; };

// Enable/disable recursion - recursion yes/no;
recursion yes;

/* DNSSEC related options. See information about keys ("Trusted keys",
below) */

/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
//dnssec-enable yes;

/* Enable DNSSEC validation on recursive servers */
//dnssec-validation yes;

/* Enable DLV by default, use built-in ISC DLV key. */
//dnssec-lookaside auto;

version "Secret";

};

# Use this command line to generate the key.  Only need the key string
# (from the .private file) inside these files.
#  dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER
#
# It is very important to use the exact same keystring and name on both
# dhcpd.conf and named.conf for this to work.
key DHCP_UPDATER {   # This line specifies the key name
algorithm HMAC-MD5;  # This line specifies the encryption algorithm; best to stick with HMAC-MD5
secret "TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==";  # Finally, the key statement itself
};


logging
{
/*  If you want to enable debugging, eg. using the 'rndc trace' command,
 *  named will try to write the 'named.run' file in the $directory
(/var/named).
 *  By default, SELinux policy does not allow named to modify the
/var/named directory,
 *  so put the default debug log file in data/ :
 */
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

/*
 Views let a name server answer a DNS query differently depending on who is
asking.

 By default, if named.conf contains no "view" clauses, all zones are in the
 "default" view, which matches all clients.

 Views are processed sequentially. The first match is used so the last view
should
 match "any" - it's fallback and the most restricted view.

 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/

//view "localhost_resolver"
//{
///* This view sets up named to be a localhost resolver ( caching only nameserver ).
// * If all you want is a caching-only nameserver, then you need only define this view:
// */
//match-clients { localhost; };
//recursion yes;
//
//# all views must contain the root hints zone:
//zone "." IN {
//type hint;
//file "/var/named/named.ca";
//};
//
//   /* these are zones that contain definitions for all the localhost
// * names and addresses, as recommended in RFC1912 - these names should
// * not leak to the other nameservers:
// */
//include "/etc/named.rfc1912.zones";
//};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect

Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Ben Croswell
A server will not forward a zone it is also authoritative for.
On Mar 28, 2013 3:33 PM, "Ben-Eliezer, Tal (ITS)" <tal.ben-elie...@its.ny.gov> wrote:

> Hello,
>
> My organization is evaluating the use of split-view DNS in our environment.
>
> One of the challenges I’ve yet to overcome in my trials, is the ability to
> minimize the administrative overhead of maintaining two copies of the zone.
>
> Upon reviewing some of the BIND options, “forward first;” caught my eye.
> Below is the description of this feature I found on Zytrax:
>
> *“forward is only relevant in conjunction with a valid forwarders
> statement. If set to 'only' the server will only forward queries, if set to
> 'first' (default) it will send the queries to the forwarder and if not
> answered will attempt to answer the query. This statement may be used in a
> zone, view or a global options clause.”*
>
> If I understand this correctly, BIND should handle a query for
> host.example.com by first passing it through the configured forwarder,
> which should succeed (the record exists on the Internet).
>
> However, I believe since this server is also authoritative for this domain
> (the internal copy), and the record is not in this “view” of the zone file,
> I receive an NXDOMAIN.
>
> I’ve spent hours researching a way to accomplish this without any luck. Is
> there any way to accomplish what I’m trying to do?
>
> Thanks,
>
> Tal Ben-Eliezer
>

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Glassford

Hi Jim,

Looking at your config files, believe the keys do not match in 
named.conf and dhcpd.conf but maybe they were adjusted for the posting 
to the list. Alan Clegg's link shows creating the key and adding it to 
the files and also some nsupdate examples.



You would want something like the following, only with your key in each file; cut and 
paste that key! :-)


~~~ inside dhcpd.conf this ~

key DHCP_UPDATER {
algorithm HMAC-MD5;
secret ;
};

 ~~~ inside named.conf this ~

key DHCP_UPDATER {
algorithm HMAC-MD5;
secret ;
};


On 3/28/2013 3:05 PM, Jim Bucks wrote:

Hi All (sorry for the top-posting)

Alan - thanks for the link.  I'll be checking it out / looking it over.

Jim,

Based on the nsupdate output (below), it looks like I've hosed up 
something in my "key".  I used the key string from the .private key 
file (I've found some search results that say to use the .key and 
others say to use the .private).


Jim

[root@dns04 chroot]# nsupdate -d
> server 127.0.0.1
> key DHCP_UPDATE TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp.coloradostudios.com.
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11212
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;101.20.10.172.in-addr.arpa.   IN   SOA

;; AUTHORITY SECTION:
20.10.172.in-addr.arpa.   0   IN   SOA   dns04.coloradostudios.com. sysmgr.hd.net. 2013032600 10800 3600 604800 86400

Found zone name: 20.10.172.in-addr.arpa
The master is: dns04.coloradostudios.com
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 25308
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
101.20.10.172.in-addr.arpa. 3600 IN   PTR   dhcp.coloradostudios.com.

;; TSIG PSEUDOSECTION:
dhcp_update.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364496936 300 16 qUBZdqVmksNQtmb1mb9gNQ== 25308 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 25308
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;20.10.172.in-addr.arpa.   IN   SOA

;; TSIG PSEUDOSECTION:
dhcp_update.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364496936 300 0  25308 BADKEY 0

> quit
[root@dns04 chroot]#


On Thu, Mar 28, 2013 at 12:03 PM, Jim Glassford wrote:


Hi Jim,

No, sorry, wrong IP address, the real IP address of the dns
server, not the client.

zone dhcp.coloradostudios.com. {
   primary your_dns_server_IP_address; <- change from 127.0.0.1
   key DHCP_UPDATER;
}

Also do you have a /var/log/named.log file or debug log file for
named, other than messages, might have more information.
Can try nsupdate with debug to see if this gives any clue also.
nsupdate -d
> server your_dns_server_here
> key  your_key_here
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp-172-10-20-101.coloradostudios.com.
>  do extra CR to get it to go

should see lots of debug information here
>
> quit

man nsupdate

best!
jim

On 3/28/2013 1:52 PM, Jim Bucks wrote:

No I have not tried that, but .101 is a leased IP address for a
Windows workstation.

I'm willing to try it, but it seems like that would mean I would
need a zone like this for all of my leased addresses???


Jim

On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford <jmgl...@iup.edu> wrote:

Hi Jim,

Lost track but have you tried using the IP address of the
server for the primary, 172.10.20.101 instead of 127.0.0.1?

zone dhcp.coloradostudios.com. {
   primary 172.10.20.101; <- change from 127.0.0.1
   key DHCP_UPDATER;
}


best!
jim


On 3/28/2013 1:31 PM, Jim Bucks wrote:

Hi Sten,

Thanks for the response,  I only dabble in DNS setups every
5 years (or so).  I really thought this would be a "no
brainer", and most likely have some simple command / syntax
error causing all of this.

From /var/log/messages

Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from
dhcp-172-10-20-101.coloradostudios.com
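An added example, written for this digest rather than taken from BIND or from either Jim's configuration, of why the key name in named.conf and in dhcpd.conf (or on the nsupdate `key` line) has to match exactly: a server that cannot find the key name answers BADKEY before it even looks at the signature, a wrong secret or an altered message gives BADSIG, and a signature outside the fudge window gives BADTIME, checked in that order (RFC 2845). The MAC computed here binds only the key name, timestamp, fudge and the update text, not the real DNS wire format, and the secret is constructed; the update text and the time/fudge values are the ones visible in the transcript above.

```python
"""Why the TSIG key name must match on both sides: a simplified server-side
TSIG check in the order RFC 2845 prescribes (key, then signature, then time).
Added example; not BIND's code and not from either Jim's configuration."""
import hashlib
import hmac

ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}

# Constructed secret; named.conf carries it base64-encoded in a `secret` clause.
DEMO_SECRET = b"constructed-demo-secret-not-from-the-thread"
# The server's keyring, keyed by lower-cased key name (key names are case-insensitive).
SERVER_KEYS = {"dhcp_updater": ("hmac-md5", DEMO_SECRET)}
FUDGE = 300  # seconds; the value shown in the digest's TSIG pseudosections


def tsig_mac(algorithm, secret, key_name, time_signed, fudge, message):
    """Simplified: a real TSIG MAC covers the DNS message plus the TSIG variables
    in wire form; here key name, time and fudge are just joined to the payload."""
    data = b"|".join([key_name.lower().encode(), str(time_signed).encode(),
                      str(fudge).encode(), message])
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()


def sign_update(key_name, algorithm, secret, message, now):
    """Client side: what nsupdate's `key NAME SECRET` line leads to."""
    mac = tsig_mac(algorithm, secret, key_name, now, FUDGE, message)
    return now, FUDGE, mac


def verify_tsig(keyring, key_name, algorithm, time_signed, fudge, mac, message, now):
    entry = keyring.get(key_name.lower())
    if entry is None or entry[0] != algorithm:
        return "BADKEY"      # unknown name: the server never gets as far as the MAC
    expected = tsig_mac(entry[0], entry[1], key_name, time_signed, fudge, message)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


# The update from the transcript above, used as the signed payload.
UPDATE = b"update add 101.20.10.172.in-addr.arpa. 3600 IN PTR dhcp.coloradostudios.com."

if __name__ == "__main__":
    now = 1364496936  # time-signed value from the transcript
    ts, fudge, mac = sign_update("DHCP_UPDATER", "hmac-md5", DEMO_SECRET, UPDATE, now)
    for label, name in (("matching name", "DHCP_UPDATER"), ("mistyped name", "DHCP_UPDATE")):
        print(label, "->", verify_tsig(SERVER_KEYS, name, "hmac-md5", ts, fudge, mac, UPDATE, now))
```

BADKEY is the cheap failure to diagnose because it is decided by a dictionary lookup on the name: the secret can be perfect and the answer is still NOTAUTH/BADKEY, which is exactly the split between the `dhcp_update` and `dhcp_updater` transcripts in this thread. Only once the name resolves does the secret (BADSIG) or the clock (BADTIME) get a say, so when debugging start by comparing names before comparing secrets.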


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi All,

Alan, I looked that doc over and the only thing I found different than what
I used the key string from the .private key file.

Jim, thanks for the nsupdate pointer.  I've never had to delve into that
level of debugging.

When using nsupdate, I was able to update the forward and reverse zones
files.  I've looked over what I did interactively, and am not seeing a
difference from what I'm wanting to do "automatically" (but I'll admit I'm
getting some sort of cross-eyed over this).  Here's my interactive output
(that worked).

[root@dns04 chroot]# nsupdate -d
> server 127.0.0.1
> key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp.coloradostudios.com.
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  31481
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;101.20.10.172.in-addr.arpa.   IN   SOA

;; AUTHORITY SECTION:
20.10.172.in-addr.arpa.   0   IN   SOA   dns04.coloradostudios.com. sysmgr.hd.net. 2013032600 10800 3600 604800 86400

;; TSIG PSEUDOSECTION:
dhcp_updater.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364498781 300 16 ZQBZwvuMnMJmgF3exPs7Nw== 31481 NOERROR 0

Found zone name: 20.10.172.in-addr.arpa
The master is: dns04.coloradostudios.com
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  22770
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
101.20.10.172.in-addr.arpa. 3600 IN   PTR   dhcp.coloradostudios.com.

;; TSIG PSEUDOSECTION:
dhcp_updater.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364498781 300 16 SyvXSO/PE5Gr/LrR0Cw9nQ== 22770 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  22770
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;20.10.172.in-addr.arpa.   IN   SOA

;; TSIG PSEUDOSECTION:
dhcp_updater.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364498781 300 16 AllUYyqyOwwMkv2SMfcyHg== 22770 NOERROR 0

>
> server 127.0.0.1
> key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
>
> update add dhcp-172-10-20-101.dhcp.coloradostudios.com 3600 IN A dhcp.coloradostudios.com.
28-Mar-2013 13:36:40.447 dns_rdata_fromtext: buffer-0x7f302626f710:1: near 'dhcp.coloradostudios.com.': bad dotted quad
invalid rdata format: bad dotted quad
> update add proccilap.dhcp.coloradostudios.com 86400 A 172.10.20.101
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  12184
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;proccilap.dhcp.coloradostudios.com.   IN   SOA

;; AUTHORITY SECTION:
dhcp.coloradostudios.com.   0   IN   SOA   dns04.coloradostudios.com. sysmgr.axs.tv. 2013032801 10800 3600 604800 86400

;; TSIG PSEUDOSECTION:
dhcp_updater.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364499508 300 16 Exdx5vgPto6sSf2nNau9iQ== 12184 NOERROR 0

Found zone name: dhcp.coloradostudios.com
The master is: dns04.coloradostudios.com
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  22408
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
proccilap.dhcp.coloradostudios.com. 86400 IN   A   172.10.20.101

;; TSIG PSEUDOSECTION:
dhcp_updater.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364499508 300 16 hREc0P/HnhR/ynAe09xELw== 22408 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  22408
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;dhcp.coloradostudios.com.   IN   SOA

;; TSIG PSEUDOSECTION:
dhcp_updater.   0   ANY   TSIG   hmac-md5.sig-alg.reg.int. 1364499508 300 16 /bLrKPzY8+pUuw8RM2MPQA== 22408 NOERROR 0

>



[root@dns04 chroot]# rndc freeze
[root@dns04 chroot]# rndc thaw



[root@dns04 keys]# ll ../../var/named/slaves/
total 24
-rw-r--r-- 1 named named  390 Mar 28 13:40 db.172.10.20
-rw-r--r-- 1 named named  792 Mar 28 13:26 db.172.10.20.jnl
-r--r--r-- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rw-r--r-- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
-rw-r--r-- 1 named named  782 Mar 28 13:38 db.dhcp.coloradostudios.com.jnl
[root@dns04 keys]# ll ../../var/named/slaves/
total 16
-rw-r--r-- 1 named named  390 Mar 28 13:40 db.172.10.20
-r--r--r-- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rw-r--r-- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
[root@dns04 keys]# cat ../../var/named/slaves/db.dhcp.coloradostudios.com
$ORIGIN .
$TTL 86400; 1 day
dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv.
(
2013032802 ; serial
10800  ; refresh (3 hours)
3600   ; retry (1 hour)
  

Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Ben-Eliezer, Tal (ITS)
Hello,

My organization is evaluating the use of split-view DNS in our environment.
One of the challenges I've yet to overcome in my trials, is the ability to 
minimize the administrative overhead of maintaining two copies of the zone.
Upon reviewing some of the BIND options, "forward first;" caught my eye. Below 
is the description of this feature I found on Zytrax:

"forward is only relevant in conjunction with a valid forwarders statement. If 
set to 'only' the server will only forward queries, if set to 'first' (default) 
it will send the queries to the forwarder and if not answered will attempt to 
answer the query. This statement may be used in a zone, view or a global 
options clause."

If I understand this correctly, BIND should handle a query for host.example.com 
by first passing it through the configured forwarder, which should succeed (the 
record exists on the Internet).
However, I believe since this server is also authoritative for this domain (the 
internal copy), and the record is not in this "view" of the zone file, I 
receive an NXDOMAIN.

I've spent hours researching a way to accomplish this without any luck. Is 
there any way to accomplish what I'm trying to do?

Thanks,

Tal Ben-Eliezer


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
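The lookup order behind the NXDOMAIN described in the question, as an added example (not code from the thread or from BIND). It models one view of a server that is master for example.com and has a forwarder with `forward first`: a name inside a zone the server is authoritative for is answered from that zone, and a name missing there is NXDOMAIN with no forwarding at all; only names outside every authoritative zone reach the forwarder, with iterative resolution as the fallback that `first` (but not `only`) allows. The zone data, the forwarder's answers and all addresses are constructed for the example.

```python
"""Model of which source answers an A query: authoritative zone, forwarder, or
the server's own iterative resolution.  Added example, not BIND code."""

TIMEOUT = object()  # sentinel: the forwarder did not answer at all


def zone_for(name, zones):
    """Longest-suffix match of a fully qualified name against the view's zones."""
    best = None
    for z in zones:
        if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def resolve(qname, view, forwarder, forward="first", iterative=None):
    """Answer an A query in `view`; returns (rcode, addresses, where it came from).

    view      : {"zones": {zone_name: {owner_name: [addresses]}}}  authoritative data
    forwarder : {name: [addresses] | TIMEOUT}; a name absent here is an NXDOMAIN
                answered by the forwarder (that is an answer, so no fallback)
    iterative : what the server would find by resolving from the root itself
    """
    name = qname.lower().rstrip(".") + "."
    zone = zone_for(name, view["zones"])
    if zone is not None:
        # Authoritative data wins; `forward` never applies inside our own zone.
        addrs = view["zones"][zone].get(name)
        if addrs:
            return "NOERROR", addrs, f"authoritative ({zone})"
        return "NXDOMAIN", [], f"authoritative ({zone})"
    if forwarder is not None and forward in ("first", "only"):
        reply = forwarder.get(name, [])
        if reply is not TIMEOUT:
            return ("NOERROR" if reply else "NXDOMAIN"), reply, "forwarder"
        if forward == "only":
            return "SERVFAIL", [], "forwarder (no answer, forward only)"
    # `forward first` and the forwarder failed: resolve it ourselves.
    if iterative is None:
        return "SERVFAIL", [], "no recursion available"
    addrs = iterative.get(name, [])
    return ("NOERROR" if addrs else "NXDOMAIN"), addrs, "iterative"


# Constructed data: an internal view holding a partial copy of example.com.
INTERNAL_VIEW = {"zones": {"example.com.": {"intranet.example.com.": ["10.0.0.5"]}}}
FORWARDER = {
    "host.example.com.": ["203.0.113.10"],  # exists on the Internet, but never asked for
    "www.other.test.": ["203.0.113.20"],
    "slow.other.test.": TIMEOUT,            # the forwarder never answers for this one
}
ITERATIVE = {"slow.other.test.": ["198.51.100.7"]}

if __name__ == "__main__":
    for q in ("host.example.com.", "intranet.example.com.", "www.other.test.", "slow.other.test."):
        print(q, resolve(q, INTERNAL_VIEW, FORWARDER, "first", ITERATIVE))
```

Running it shows `host.example.com.` coming back NXDOMAIN from the authoritative copy even though the forwarder could have answered it, which is the behaviour the question observes; the forwarder is only consulted for `www.other.test.` and `slow.other.test.`.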

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi All (sorry for the top-posting)

Alan - thanks for the link.  I'll be checking it out / looking it over.

Jim,

Based on the nsupdate output (below), it looks like I've hosed up something
in my "key".  I used the key string from the .private key file (I've found
some search results that say to use the .key and others say to use the
.private).

Jim

[root@dns04 chroot]# nsupdate -d
> server 127.0.0.1
> key DHCP_UPDATE TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp.coloradostudios.com.

>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  11212
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;101.20.10.172.in-addr.arpa. IN SOA

;; AUTHORITY SECTION:
20.10.172.in-addr.arpa. 0 IN SOA dns04.coloradostudios.com. sysmgr.hd.net. 2013032600 10800 3600 604800 86400

Found zone name: 20.10.172.in-addr.arpa
The master is: dns04.coloradostudios.com
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  25308
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
101.20.10.172.in-addr.arpa. 3600 IN PTR dhcp.coloradostudios.com.

;; TSIG PSEUDOSECTION:
dhcp_update. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1364496936 300 16 qUBZdqVmksNQtmb1mb9gNQ== 25308 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  25308
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;20.10.172.in-addr.arpa. IN SOA

;; TSIG PSEUDOSECTION:
dhcp_update. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1364496936 300 0  25308 BADKEY 0

> quit
[root@dns04 chroot]#


On Thu, Mar 28, 2013 at 12:03 PM, Jim Glassford  wrote:

>  Hi Jim,
>
> No, sorry, wrong IP address, the real IP address of the dns server, not
> the client.
>
> zone dhcp.coloradostudios.com. {
>primary your_dns_server_IP_address; <-
> change from 127.0.0.1
>key DHCP_UPDATER;
> }
>
> Also do you have a /var/log/named.log file or debug log file for named,
> other than messages, might have more information.
> Can try nsupdate with debug to see if this gives any clue also.
> nsupdate -d
> > server your_dns_server_here
> > key  your_key_here
> > update add 101.20.10.172.in-addr.arpa. 3600 in ptr
> dhcp-172-10-20-101.coloradostudios.com.
> >  do extra CR to get it to go
>
> should see lots of debug information here
> >
> > quit
>
> man nsupdate
>
> best!
> jim
>
> On 3/28/2013 1:52 PM, Jim Bucks wrote:
>
> No I have not tried that, but .101 is a leased IP address for a Windows
> workstation.
>
> I'm willing to try it, but it seems like that would mean I would need a
> zone like this for all of my leased addresses???
>
>
> Jim
>
> On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford  wrote:
>
>>  Hi Jim,
>>
>> Lost track but have you tried using the IP address of the server for the
>> primary, 172.10.20.101 instead of 127.0.0.1?
>>
>> zone dhcp.coloradostudios.com. {
>>primary 172.10.20.101; <- change from
>> 127.0.0.1
>>key DHCP_UPDATER;
>> }
>>
>>
>> best!
>> jim
>>
>>
>> On 3/28/2013 1:31 PM, Jim Bucks wrote:
>>
>> Hi Sten,
>>
>> Thanks for the response,  I only dabble in DNS setups every 5 years (or
>> so).  I really thought this would be a "no brainer", and most likely have
>> some simple command / syntax error causing all of this.
>>
>> From /var/log/messages
>>
>> Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
>> 00:0b:cd:33:b6:49 (proccilapxp) via eth1
>> Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from
>> dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
>> Mar 28 11:22:57 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5)
>> from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
>> Mar 28 11:22:57 dns04 dhcpd: DHCPACK on 172.10.20.101 to
>> 00:0b:cd:33:b6:49 (proccilapxp) via eth1
>>
>>
>> On Thu, Mar 28, 2013 at 11:26 AM, Sten Carlsen wrote:
>>
>>>  Apparently the DHCP server tries to put the change into BIND but times
>>> out. What does the named log tell about this?
>>>
>>> Either it did see the request or it will have an explanation why it
>>> won't do it.
>>>
>>> On 28/03/13 18:18, Jim Bucks wrote:
>>>
>>> Hi Mark, Graham, & others.
>>>
>>> I've spent the last day trying all sorts of things to get this working
>>> (to no avail).  I'm still at the stage of DHCP offering the lease IP
>>> address, but the DNS is not automatically updating the two "zones" files
>>> with the newly leased addresses.
>>>
>>> Here is a brief summary of what I tried/changed.
>>>- Added the group named to the dhcpd user
>>>- moved the two zones files into /var/named/chroot/var/named/slaves/
>>> (was internal/)
>>>- added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
>>>- grabbed a
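The NOTAUTH/BADKEY reply in the nsupdate session above is the server saying it knows no key by the name the client signed with (here `DHCP_UPDATE`, while the dhcpd.conf zone statements in the thread reference `DHCP_UPDATER`). The following checker is an added example, not code from the thread, from ISC dhcpd or from BIND: it reads the `key` blocks out of a named.conf and a dhcpd.conf, compares them the way the server will (key name as a case-insensitive DNS name, same algorithm, same secret bytes), and maps the TSIG error names that `nsupdate -d` prints to their usual cause. The configuration text, the zone name `dhcp.example.test`, the server address 192.0.2.53 and the secret are all constructed for the example.

```python
"""TSIG key consistency check for the dhcpd -> named update path.
Added example; the sample configuration below is constructed, not from the thread."""
import base64
import re

# `key NAME { ... }` in either daemon's syntax: named.conf quotes the name and
# ends the block with `};`, dhcpd.conf usually does neither.
KEY_BLOCK_RE = re.compile(r'\bkey\s+"?([^\s"{]+)"?\s*\{([^}]*)\}', re.IGNORECASE)
ALGORITHM_RE = re.compile(r'\balgorithm\s+([\w.-]+)\s*;', re.IGNORECASE)
SECRET_RE = re.compile(r'\bsecret\s+"([^"]+)"\s*;', re.IGNORECASE)

# TSIG error names as printed in the reply's TSIG pseudosection (RFC 2845).
TSIG_ERRORS = {
    "BADKEY": "the server knows no key with this name and algorithm: check the key "
              "name (a case-insensitive DNS name) and the algorithm on both sides",
    "BADSIG": "the signature did not verify: the secrets differ between client and server",
    "BADTIME": "the signature time is outside the fudge window: the clocks disagree",
}


def normalize(name):
    """TSIG key names are DNS names: case-insensitive, trailing dot optional."""
    return name.lower().rstrip(".")


def parse_keys(conf_text):
    """Return {normalized name: (algorithm, secret bytes)} for every key block."""
    keys = {}
    for name, body in KEY_BLOCK_RE.findall(conf_text):
        alg, sec = ALGORITHM_RE.search(body), SECRET_RE.search(body)
        if alg is None or sec is None:
            raise ValueError(f"key {name}: algorithm or secret missing")
        try:
            raw = base64.b64decode(sec.group(1), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"key {name}: secret is not valid base64 ({exc})") from exc
        keys[normalize(name)] = (alg.group(1).lower(), raw)
    return keys


def check_key(named_conf, dhcpd_conf, key_name):
    """Will named accept updates that dhcpd signs with `key_name`?  Returns (ok, reason)."""
    want = normalize(key_name)
    named_keys, dhcpd_keys = parse_keys(named_conf), parse_keys(dhcpd_conf)
    if want not in dhcpd_keys:
        return False, f"dhcpd.conf defines no key {key_name}"
    if want not in named_keys:
        return False, f"named.conf defines no key {key_name}: expect NOTAUTH/BADKEY"
    (d_alg, d_sec), (n_alg, n_sec) = dhcpd_keys[want], named_keys[want]
    if d_alg != n_alg:
        return False, f"algorithm differs ({d_alg} vs {n_alg}): expect NOTAUTH/BADKEY"
    if d_sec != n_sec:
        return False, "secrets differ: expect NOTAUTH/BADSIG"
    return True, f"key {key_name} matches ({n_alg}, {len(n_sec) * 8}-bit secret)"


def explain_nsupdate_debug(output):
    """Find the TSIG error in `nsupdate -d` output; returns (error name or None, explanation)."""
    found = None
    for token in output.split():
        if token in TSIG_ERRORS:
            found = token  # the server's reply comes after the outgoing query, so keep the last
    if found is None:
        return None, "no TSIG error reported"
    return found, TSIG_ERRORS[found]


# Constructed sample configuration; the secret is 16 dummy bytes, not a real key.
DUMMY_SECRET = base64.b64encode(bytes(range(16))).decode()
OTHER_SECRET = base64.b64encode(bytes(range(16, 32))).decode()
NAMED_CONF = '''
key "DHCP_UPDATER" { algorithm hmac-md5; secret "@S@"; };
zone "dhcp.example.test" { type master; file "slaves/db.dhcp"; allow-update { key DHCP_UPDATER; }; };
'''.replace("@S@", DUMMY_SECRET)
DHCPD_OK = ('key DHCP_UPDATER { algorithm hmac-md5; secret "@S@"; }\n'
            'zone dhcp.example.test. { primary 192.0.2.53; key DHCP_UPDATER; }\n').replace("@S@", DUMMY_SECRET)
DHCPD_WRONG_NAME = DHCPD_OK.replace("DHCP_UPDATER", "DHCP_UPDATE")  # the mismatch seen in the thread
DHCPD_WRONG_SECRET = DHCPD_OK.replace(DUMMY_SECRET, OTHER_SECRET)
SAMPLE_DEBUG = (";; TSIG PSEUDOSECTION:\n"
                "dhcp_update. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1364496936 300 0  25308 BADKEY 0\n")

if __name__ == "__main__":
    for label, conf, name in (("ok", DHCPD_OK, "DHCP_UPDATER"),
                              ("wrong name", DHCPD_WRONG_NAME, "DHCP_UPDATE"),
                              ("wrong secret", DHCPD_WRONG_SECRET, "DHCP_UPDATER")):
        print(label, check_key(NAMED_CONF, conf, name))
    print(explain_nsupdate_debug(SAMPLE_DEBUG))
```

The name check is deliberately case-insensitive because the key name travels in the TSIG record as a DNS name; a secret that differs only by which file it was copied from (.key versus .private) shows up as BADSIG rather than BADKEY, which is the quickest way to tell the two mistakes apart in the `nsupdate -d` output.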

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Thanks Leonard,

I thought I had all the IP6 stuff turned off!  I'll scour through the
configurations & make sure that whatever straggler is left has been
commented out / de-activated.

Jim


On Thu, Mar 28, 2013 at 12:08 PM, Leonard Mills  wrote:

> Hi Jim,
>
> Based on my experience, the important stuff is:
>
> Mar 28 11:38:30 dns04 named-sdb[3710]: zone
> 20.10.172.in-addr.arpa/IN/internal: sending notifies (serial 2013032600)
> Mar 28 11:38:30 dns04 named-sdb[3710]: error (network unreachable)
> resolving './NS/IN': 2001:503:ba3e::2:30#53
>
> So your named threads can't successfully communicate with:
> 2001:503:ba3e::2:30#53
>
> Don't know if that has to do with your v6 routing tables on your
> system/switch/router or if that was intentional and you were intending to
> start named with -4 as an argument.  Either way, "network unreachable" is a
> big problem, even if it's from a minor typo in a notify-related clause in
> the config file.
>
> HtH,
>
> Len
>
>   --
> *From:* Jim Bucks 
> *To:* Niall O'Reilly ; bind-users@lists.isc.org
> *Sent:* Thursday, March 28, 2013 10:50 AM
> *Subject:* Re: Looking for a pointer on getting reverse mapping with DDNS
> to work with DHCPD & Named.
>
> Here's from a recent re-start of the named service.  There were no
> additional log entries when the dhcp service granted the lease and failed
> to update the "zones" files.
>
> Mar 28 11:38:15 dns04 named-sdb[3493]: received control channel command
> 'stop'
> Mar 28 11:38:15 dns04 named-sdb[3493]: shutting down: flushing changes
> Mar 28 11:38:15 dns04 named-sdb[3493]: stopping command channel on
> 127.0.0.1#953
> Mar 28 11:38:15 dns04 named-sdb[3493]: stopping command channel on ::1#953
> Mar 28 11:38:15 dns04 named-sdb[3493]: no longer listening on 127.0.0.1#53
> Mar 28 11:38:15 dns04 named-sdb[3493]: exiting
> Mar 28 11:38:18 dns04 named: /etc/named.conf:178: 'allow-update' redefined
> near 'allow-update'
> Mar 28 11:38:30 dns04 named-sdb[3710]: starting BIND
> 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 -u named -t /var/named/chroot
> Mar 28 11:38:30 dns04 named-sdb[3710]: built with
> '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
> '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
> '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--with-dlz-ldap=yes'
> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
> -DDIG_SIGCHASE'
> Mar 28 11:38:30 dns04 named-sdb[3710]:
> 
> Mar 28 11:38:30 dns04 named-sdb[3710]: BIND 9 is maintained by Internet
> Systems Consortium,
> Mar 28 11:38:30 dns04 named-sdb[3710]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> Mar 28 11:38:30 dns04 named-sdb[3710]: corporation.  Support and training
> for BIND 9 are
> Mar 28 11:38:30 dns04 named-sdb[3710]: available at
> https://www.isc.org/support
> Mar 28 11:38:30 dns04 named-sdb[3710]:
> 
> Mar 28 11:38:30 dns04 named-sdb[3710]: adjusted limit on open files from
> 4096 to 1048576
> Mar 28 11:38:30 dns04 named-sdb[3710]: found 4 CPUs, using 4 worker threads
> Mar 28 11:38:30 dns04 named-sdb[3710]: using up to 4096 sockets
> Mar 28 11:38:30 dns04 named-sdb[3710]: SDB ldap zone database module
> loaded.
> Mar 28 11:38:30 dns04 named-sdb[3710]: SDB postgreSQL DB zone database
> module loaded.
> Mar 28 11:38:30 dns04 named-sdb[3710]: SDB sqlite3 DB zone database module
> loaded.
> Mar 28 11:38:30 dns04 named-sdb[3710]: SDB directory DB zone database
> module loaded.
> Mar 28 11:38:30 dns04 named-sdb[3710]: loading configuration from
> '/etc/named.conf'
> Mar 28 11:38:30 dns04 named-sdb[3710]: using default UDP/IPv4 port range:
> [1024, 65535]
> Mar 28 11:38:30 dns04 named-sdb[3710]: using default UDP/IPv6 port range:
> [1024, 65535]
> Mar 28 11:38:30 dns04 named-sdb[3710]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Mar 28 11:38:30 dns04 named-sdb[3710]: generating session key for dynamic
> DNS
> Mar 28 11:38:30 dns04 named-sdb[3710]: sizing zone task pool based on 8
> zones
> Mar 28 11:38:30 dns04 named-sdb[3710]: set up managed keys zone for view
> internal, file
> 'dynamic/3bed2cb3a3acf7b6a8ef4

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Glassford

Hi Jim,

No, sorry, wrong IP address, the real IP address of the dns server, not 
the client.


zone dhcp.coloradostudios.com. {
   primary your_dns_server_IP_address; <- change from 127.0.0.1
   key DHCP_UPDATER;
}

Also do you have a /var/log/named.log file or debug log file for named, 
other than messages, might have more information.

Can try nsupdate with debug to see if this gives any clue also.
nsupdate -d
> server your_dns_server_here
> key  your_key_here
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp-172-10-20-101.coloradostudios.com.

>  do extra CR to get it to go

should see lots of debug information here
>
> quit

man nsupdate

best!
jim

On 3/28/2013 1:52 PM, Jim Bucks wrote:
No I have not tried that, but .101 is a leased IP address for a 
Windows workstation.


I'm willing to try it, but it seems like that would mean I would need 
a zone like this for all of my leased addresses???



Jim

On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford wrote:


Hi Jim,

Lost track but have you tried using the IP address of the server
for the primary, 172.10.20.101 instead of 127.0.0.1?

zone dhcp.coloradostudios.com. {
   primary 172.10.20.101; <- change from 127.0.0.1
   key DHCP_UPDATER;
}


best!
jim


On 3/28/2013 1:31 PM, Jim Bucks wrote:

Hi Sten,

Thanks for the response,  I only dabble in DNS setups every 5
years (or so).  I really thought this would be a "no brainer",
and most likely have some simple command / syntax error causing
all of this.

From /var/log/messages

Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from
dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 28 11:22:57 dns04 dhcpd: DHCPREQUEST for 172.10.20.101
(172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: DHCPACK on 172.10.20.101 to
00:0b:cd:33:b6:49 (proccilapxp) via eth1


On Thu, Mar 28, 2013 at 11:26 AM, Sten Carlsen wrote:

Apparently the DHCP server tries to put the change into BIND
but times out. What does the named log tell about this?

Either it did see the request or it will have an explanation
why it won't do it.

On 28/03/13 18:18, Jim Bucks wrote:

Hi Mark, Graham, & others.

I've spent the last day trying all sorts of things to get
this working (to no avail).  I'm still at the stage of DHCP
offering the lease IP address, but the DNS is not
automatically updating the two "zones" files with the newly
leased addresses.

Here is a brief summary of what I tried/changed.
   - Added the group named to the dhcpd user
   - moved the two zones files into
/var/named/chroot/var/named/slaves/  (was internal/)
   - added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
   - grabbed a current version named.conf file and added the
bare minimum config into it.

Attached are my configs.

Any ideas on what I've hosed up?

Thanks,

Jim



--
Jim Bucks - IT Director
Colorado Studios, Mobile TV Group, HDNet, AXS.tv
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
jbu...@coloradostudios.com
Direct 303-542-5520





-- 
Best regards


Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"






--
Jim Bucks - IT Director
Colorado Studios, Mobile TV Group, HDNet, AXS.tv
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
jbu...@coloradostudios.com

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Alan Clegg
I'm completely unable to fix the top-post/body comments here, so my comments 
are at the bottom:

On Mar 28, 2013, at 1:52 PM, Jim Bucks  wrote:

> No I have not tried that, but .101 is a leased IP address for a Windows 
> workstation.
> 
> I'm willing to try it, but it seems like that would mean I would need a zone 
> like this for all of my leased addresses???
> 
> 
> Jim
> 
> On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford  wrote:
> Hi Jim,
> 
> Lost track but have you tried using the IP address of the server for the 
> primary, 172.10.20.101 instead of 127.0.0.1?
> 
> zone dhcp.coloradostudios.com. {
>primary 172.10.20.101; <- change from 
> 127.0.0.1  
>key DHCP_UPDATER;
> }

I think there is a lot of confusion as to what is going on in this thread.

I was pointed to the following page earlier today (in a completely unrelated 
conversation), and think that reading over it might help the original poster to 
figure out what is going on:

   http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com

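The confusion Alan points at is whether dhcpd needs a `zone` statement per leased address. It does not: for each update it picks the zone statement whose name is the longest suffix of the record's owner name, and uses that statement's primary server and key. The model below is an added example, not code from the thread or from ISC dhcpd; the zone table, the server address 192.0.2.53 and the two lease names are constructed for the example, and the reverse name is derived the way dhcpd does it from the address.

```python
"""Which dhcpd `zone` statement carries a lease's forward and reverse update.
Added example, not ISC dhcpd code; all configuration below is constructed."""
import ipaddress


def fq(name):
    """Fully qualified, lower-case form of a name."""
    return name.lower().rstrip(".") + "."


def reverse_name(ip):
    """PTR owner name for an address: 172.10.20.101 -> 101.20.10.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def find_zone(owner, zones):
    """Longest-suffix match of an owner name against the configured zone statements."""
    owner, best, best_len = fq(owner), None, -1
    for zone in zones:
        z = fq(zone["name"])
        if (owner == z or owner.endswith("." + z)) and len(z) > best_len:
            best, best_len = zone, len(z)
    return best


def lease_updates(hostname, ip, zones, ttl=3600):
    """The two updates dhcpd sends for one lease (forward A/AAAA, reverse PTR),
    each routed to the zone statement that covers its owner name."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    jobs = []
    for owner, rt, rdata in ((fq(hostname), rtype, str(addr)),
                             (reverse_name(ip), "PTR", fq(hostname))):
        zone = find_zone(owner, zones)
        if zone is None:
            jobs.append({"owner": owner, "zone": None,
                         "error": "no zone statement covers this name"})
            continue
        jobs.append({
            "owner": owner,
            "zone": fq(zone["name"]),
            "server": zone["primary"],
            "key": zone["key"],
            # The same transaction written as nsupdate input, for comparison with nsupdate -d.
            "nsupdate": (f"server {zone['primary']}\nzone {fq(zone['name'])}\n"
                         f"update add {owner} {ttl} IN {rt} {rdata}\nsend\n"),
        })
    return jobs


def zones_used(leases, zones):
    """Distinct zone statements a set of leases needs: one per DNS zone, not per address."""
    return sorted({job["zone"] for host, ip in leases
                   for job in lease_updates(host, ip, zones) if job["zone"]})


# Constructed equivalent of two dhcpd.conf zone statements: one forward, one reverse.
ZONES = [
    {"name": "dhcp.coloradostudios.com", "primary": "192.0.2.53", "key": "DHCP_UPDATER"},
    {"name": "20.10.172.in-addr.arpa", "primary": "192.0.2.53", "key": "DHCP_UPDATER"},
]
LEASES = [("proccilapxp.dhcp.coloradostudios.com", "172.10.20.101"),
          ("otherhost.dhcp.coloradostudios.com", "172.10.20.102")]

if __name__ == "__main__":
    for job in lease_updates(*LEASES[0], ZONES):
        print(job["nsupdate"])
    print("zone statements needed:", zones_used(LEASES, ZONES))
```

Both leases map onto the same two zone statements, which is the whole point: the statements describe DNS zones, and the /24 reverse zone covers every address in the scope. A lease whose name falls outside every statement comes back with `zone: None`, which is the case to look for when dhcpd logs that it cannot add a map.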


Re: Recursion Issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 10:51 AM, Manson, John wrote:
> http://www.digwebinterface.com/?  Is one of the internet sites I use.

http://www.digwebinterface.com/?hostnames=test.gopleader.gov&type=A&showcommand=on&colorize=on&stats=on&norecursive=on&useresolver=8.8.4.4&ns=auth&nameservers=
__

test.gopleader@chyron.house.gov.:
dig A +norec test.gopleader.gov. @chyron.house.gov.
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.1 <<>> A +norec 
test.gopleader.gov. @chyron.house.gov.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48126
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov. IN A

;; ANSWER SECTION:

test.gopleader.gov. 300 IN  CNAME   www.house.gov.
www.house.gov.  900 IN  CNAME   house.gov.edgesuite.net.


;; Query time: 26 msec
;; SERVER: 143.228.129.38#53(143.228.129.38)
;; WHEN: Thu Mar 28 18:55:49 2013
;; MSG SIZE  rcvd: 97

test.gopleader@mercury.house.gov.:
dig A +norec test.gopleader.gov. @mercury.house.gov.
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.1 <<>> A +norec 
test.gopleader.gov. @mercury.house.gov.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63565
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov. IN A

;; ANSWER SECTION:

test.gopleader.gov. 300 IN  CNAME   www.house.gov.
www.house.gov.  900 IN  CNAME   house.gov.edgesuite.net.


;; Query time: 23 msec
;; SERVER: 143.231.1.67#53(143.231.1.67)
;; WHEN: Thu Mar 28 18:55:49 2013
;; MSG SIZE  rcvd: 97
__

You've changed the record test.gopleader.gov since last I looked at it -- it's 
now going to Akamai. The result shown here shows what's called a "dangling 
CNAME" -- your CNAME record, pointing to an outside resource. A resolving name 
server (one with recursion enabled) will then follow that to Akamai, giving 
this result:

test.gopleader.gov. 300 IN  CNAME   www.house.gov.
www.house.gov.  552 IN  CNAME   house.gov.edgesuite.net.
house.gov.edgesuite.net. 12640  IN  CNAME   a1164.g.akamai.net.
a1164.g.akamai.net. 19  IN  A   165.254.47.115
a1164.g.akamai.net. 19  IN  A   165.254.47.112

Everything is as it should be.

Chris Buxton
BlueCat Networks
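Chris's point, as an added example that is not code from the thread: an authoritative server answering a `dig +norec` query follows a CNAME only while the target stays inside a zone it holds, so the chain stops at the first name that lives elsewhere (the "dangling" CNAME), while a resolver with recursion enabled keeps following it across servers. The records are the ones quoted above; which server holds which zone, and the single "akamai" entry standing in for Akamai's name servers, are assumptions made for the model.

```python
"""Non-recursive (authoritative) versus recursive answers for a CNAME chain.
Added example; the server-to-zone layout is an assumption, the records are from the thread."""

# server -> {zone -> {owner -> [(type, rdata), ...]}}
SERVERS = {
    "chyron.house.gov.": {
        "gopleader.gov.": {"test.gopleader.gov.": [("CNAME", "www.house.gov.")]},
        "house.gov.": {"www.house.gov.": [("CNAME", "house.gov.edgesuite.net.")]},
    },
    "akamai": {  # stand-in for Akamai's servers (assumption)
        "edgesuite.net.": {"house.gov.edgesuite.net.": [("CNAME", "a1164.g.akamai.net.")]},
        "akamai.net.": {"a1164.g.akamai.net.": [("A", "165.254.47.115"), ("A", "165.254.47.112")]},
    },
}


def zone_for(name, zones):
    """Longest-suffix match: the zone among `zones` that contains `name`, or None."""
    best = None
    for z in zones:
        if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def authoritative_answer(server, qname, qtype):
    """Answer section a +norec query gets from `server`: the chain is followed only
    while the current name is inside one of this server's own zones."""
    zones, answer, name = SERVERS[server], [], qname
    while True:
        z = zone_for(name, zones)
        if z is None:
            return answer  # target lives elsewhere: stop here (the "dangling" CNAME)
        rrs = zones[z].get(name, [])
        wanted = [(name, t, r) for t, r in rrs if t == qtype]
        if wanted:
            return answer + wanted
        cname = next((r for t, r in rrs if t == "CNAME"), None)
        if cname is None:
            return answer  # name or type absent from our own zone: NXDOMAIN / no data
        answer.append((name, "CNAME", cname))
        name = cname


def recursive_resolve(qname, qtype, max_hops=8):
    """What a recursive resolver returns: ask whichever server is authoritative for
    the current name until the chain ends in the wanted type."""
    answer, name = [], qname
    for _ in range(max_hops):
        server = next((s for s, zs in SERVERS.items() if zone_for(name, zs)), None)
        if server is None:
            return answer, "SERVFAIL"  # nobody holds the target: a genuinely broken chain
        part = authoritative_answer(server, name, qtype)
        if not part:
            return answer, "NXDOMAIN"
        answer.extend(part)
        if part[-1][1] == qtype:
            return answer, "NOERROR"
        name = part[-1][2]
    return answer, "SERVFAIL"  # CNAME loop or chain longer than max_hops


def addresses(answer):
    """Just the A rdata out of an answer section."""
    return [r for _, t, r in answer if t == "A"]


if __name__ == "__main__":
    print("+norec @chyron:", authoritative_answer("chyron.house.gov.", "test.gopleader.gov.", "A"))
    print("recursive     :", recursive_resolve("test.gopleader.gov.", "A"))
```

The non-recursive query returns exactly the two CNAME records shown in the dig output above, and the recursive walk returns the five-record chain ending in the two Akamai addresses; a chain whose target nobody is authoritative for is the case that would actually be a problem, and the model reports it as SERVFAIL.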


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
No I have not tried that, but .101 is a leased IP address for a Windows
workstation.

I'm willing to try it, but it seems like that would mean I would need a
zone like this for all of my leased addresses???


Jim

On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford  wrote:

>  Hi Jim,
>
> Lost track but have you tried using the IP address of the server for the
> primary, 172.10.20.101 instead of 127.0.0.1?
>
> zone dhcp.coloradostudios.com. {
>primary 172.10.20.101; <- change from
> 127.0.0.1
>key DHCP_UPDATER;
> }
>
>
> best!
> jim
>
>
> On 3/28/2013 1:31 PM, Jim Bucks wrote:
>
> Hi Sten,
>
> Thanks for the response,  I only dabble in DNS setups every 5 years (or
> so).  I really thought this would be a "no brainer", and most likely have
> some simple command / syntax error causing all of this.
>
> From /var/log/messages
>
> Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
> 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from
> dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
> Mar 28 11:22:57 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5)
> from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 28 11:22:57 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49
> (proccilapxp) via eth1
>
>
> On Thu, Mar 28, 2013 at 11:26 AM, Sten Carlsen  wrote:
>
>>  Apparently the DHCP server tries to put the change into BIND but times
>> out. What does the named log tell about this?
>>
>> Either it did see the request or it will have an explanation why it won't
>> do it.
>>
>> On 28/03/13 18:18, Jim Bucks wrote:
>>
>> Hi Mark, Graham, & others.
>>
>> I've spent the last day trying all sorts of things to get this working
>> (to no avail).  I'm still at the stage of DHCP offering the lease IP
>> address, but the DNS is not automatically updating the two "zones" files
>> with the newly leased addresses.
>>
>> Here is a brief summary of what I tried/changed.
>>- Added the group named to the dhcpd user
>>- moved the two zones files into /var/named/chroot/var/named/slaves/
>> (was internal/)
>>- added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
>>- grabbed a current version named.conf file and added the bare minimum
>> config into it.
>>
>> Attached are my configs.
>>
>> Any ideas on what I've hosed up?
>>
>> Thanks,
>>
>> Jim
>>
>>
>>
>> --
>> Jim Bucks - IT Director
>> Colorado Studios, Mobile TV Group, HDNet, AXS.tv
>> 8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
>> jbu...@coloradostudios.com Direct 303-542-5520
>>
>>
>>
>> --
>> Best regards
>>
>> Sten Carlsen
>>
>> No improvements come from shouting:
>>
>>"MALE BOVINE MANURE!!!"
>>
>>
>>
>
>
>
> --
> Jim Bucks - IT Director
> Colorado Studios, Mobile TV Group, HDNet, AXS.tv
> 8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
> jbu...@coloradostudios.com Direct 303-542-5520
>
>
>
>
>



--
Jim Bucks - IT Director
Colorado Studios, Mobile TV Group, HDNet, AXS.tv
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
jbu...@coloradostudios.com Direct 303-542-5520

Recursion Issue

2013-03-28 Thread Manson, John
http://www.digwebinterface.com/?  Is one of the internet sites I use.


John Manson
CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, 
DC 20515
Desk: 202-226-4244 | TCC: 202-226-6430 | 
john.man...@mail.house.gov


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Here's from a recent re-start of the named service.  There were no
additional log entries when the dhcp service granted the lease and failed
to update the "zones" files.

Mar 28 11:38:15 dns04 named-sdb[3493]: received control channel command
'stop'
Mar 28 11:38:15 dns04 named-sdb[3493]: shutting down: flushing changes
Mar 28 11:38:15 dns04 named-sdb[3493]: stopping command channel on
127.0.0.1#953
Mar 28 11:38:15 dns04 named-sdb[3493]: stopping command channel on ::1#953
Mar 28 11:38:15 dns04 named-sdb[3493]: no longer listening on 127.0.0.1#53
Mar 28 11:38:15 dns04 named-sdb[3493]: exiting
Mar 28 11:38:18 dns04 named: /etc/named.conf:178: 'allow-update' redefined
near 'allow-update'
Mar 28 11:38:30 dns04 named-sdb[3710]: starting BIND
9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 -u named -t /var/named/chroot
Mar 28 11:38:30 dns04 named-sdb[3710]: built with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
-DDIG_SIGCHASE'
Mar 28 11:38:30 dns04 named-sdb[3710]:

Mar 28 11:38:30 dns04 named-sdb[3710]: BIND 9 is maintained by Internet
Systems Consortium,
Mar 28 11:38:30 dns04 named-sdb[3710]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
Mar 28 11:38:30 dns04 named-sdb[3710]: corporation.  Support and training
for BIND 9 are
Mar 28 11:38:30 dns04 named-sdb[3710]: available at
https://www.isc.org/support
Mar 28 11:38:30 dns04 named-sdb[3710]:

Mar 28 11:38:30 dns04 named-sdb[3710]: adjusted limit on open files from
4096 to 1048576
Mar 28 11:38:30 dns04 named-sdb[3710]: found 4 CPUs, using 4 worker threads
Mar 28 11:38:30 dns04 named-sdb[3710]: using up to 4096 sockets
Mar 28 11:38:30 dns04 named-sdb[3710]: SDB ldap zone database module loaded.
Mar 28 11:38:30 dns04 named-sdb[3710]: SDB postgreSQL DB zone database
module loaded.
Mar 28 11:38:30 dns04 named-sdb[3710]: SDB sqlite3 DB zone database module
loaded.
Mar 28 11:38:30 dns04 named-sdb[3710]: SDB directory DB zone database
module loaded.
Mar 28 11:38:30 dns04 named-sdb[3710]: loading configuration from
'/etc/named.conf'
Mar 28 11:38:30 dns04 named-sdb[3710]: using default UDP/IPv4 port range:
[1024, 65535]
Mar 28 11:38:30 dns04 named-sdb[3710]: using default UDP/IPv6 port range:
[1024, 65535]
Mar 28 11:38:30 dns04 named-sdb[3710]: listening on IPv4 interface lo,
127.0.0.1#53
Mar 28 11:38:30 dns04 named-sdb[3710]: generating session key for dynamic
DNS
Mar 28 11:38:30 dns04 named-sdb[3710]: sizing zone task pool based on 8
zones
Mar 28 11:38:30 dns04 named-sdb[3710]: set up managed keys zone for view
internal, file
'dynamic/3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys'
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
10.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
16.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
17.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
18.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
19.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
20.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
21.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
22.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
23.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
24.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
25.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
26.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
27.172.IN-ADDR.ARPA
Mar 28 11:38:30 dns04 named-sdb[3710]: automatic empty zone: view internal:
28.172.IN-

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Glassford

Hi Jim,

Lost track but have you tried using the IP address of the server for the 
primary, 172.10.20.101 instead of 127.0.0.1?


zone dhcp.coloradostudios.com. {
   primary 172.10.20.101; <- change from 
127.0.0.1

   key DHCP_UPDATER;
}


best!
jim


On 3/28/2013 1:31 PM, Jim Bucks wrote:

Hi Sten,

Thanks for the response,  I only dabble in DNS setups every 5 years 
(or so).  I really thought this would be a "no brainer", and most 
likely have some simple command / syntax error causing all of this.


From /var/log/messages

Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 
00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from 
dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 28 11:22:57 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 
(172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: DHCPACK on 172.10.20.101 to 
00:0b:cd:33:b6:49 (proccilapxp) via eth1



On Thu, Mar 28, 2013 at 11:26 AM, Sten Carlsen wrote:


Apparently the DHCP server tries to put the change into BIND but
times out. What does the named log tell about this?

Either it did see the request or it will have an explanation why
it won't do it.

On 28/03/13 18:18, Jim Bucks wrote:

Hi Mark, Graham, & others.

I've spent the last day trying all sorts of things to get this
working (to no avail).  I'm still at the stage of DHCP offering
the lease IP address, but the DNS is not automatically updating
the two "zones" files with the newly leased addresses.

Here is a brief summary of what I tried/changed.
   - Added the group named to the dhcpd user
   - moved the two zones files into
/var/named/chroot/var/named/slaves/  (was internal/)
   - added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
   - grabbed a current version named.conf file and added the bare
minimum config into it.

Attached are my configs.

Any ideas on what I've hosed up?

Thanks,

Jim



--
Jim Bucks - IT Director
Colorado Studios, Mobile TV Group, HDNet, AXS.tv
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
jbu...@coloradostudios.com
Direct 303-542-5520





-- 
Best regards


Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"






--
Jim Bucks - IT Director
Colorado Studios, Mobile TV Group, HDNet, AXS.tv
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
jbu...@coloradostudios.com Direct 303-542-5520






Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi Sten,

Thanks for the response,  I only dabble in DNS setups every 5 years (or
so).  I really thought this would be a "no brainer", and most likely have
some simple command / syntax error causing all of this.

From /var/log/messages:

Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from
dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 28 11:22:57 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5)
from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49
(proccilapxp) via eth1


On Thu, Mar 28, 2013 at 11:26 AM, Sten Carlsen  wrote:

>  Apparently the DHCP server tries to put the change into BIND but times
> out. What does the named log tell about this?
>
> Either it did see the request or it will have an explanation why it won't
> do it.
>
> On 28/03/13 18:18, Jim Bucks wrote:
>
> Hi Mark, Graham, & others.
>
> I've spent the last day trying all sorts of things to get this working (to
> no avail).  I'm still at the stage of DHCP offering the lease IP address,
> but the DNS is not automatically updating the two "zones" files with the
> newly leased addresses.
>
> Here is a brief summary of what I tried/changed.
>- Added the group named to the dhcpd user
>- moved the two zones files into /var/named/chroot/var/named/slaves/
> (was internal/)
>- added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
>- grabbed a current version named.conf file and added the bare minimum
> config into it.
>
> Attached are my configs.
>
> Any ideas on what I've hosed up?
>
> Thanks,
>
> Jim
>
>
>
> --
> Jim Bucks - IT Director
> Colorado Studios , Mobile TV 
> Group,
> HDNet , AXS.tv 
> 8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500
> jbu...@coloradostudios.comDirect 303-542-5520
>
>
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>"MALE BOVINE MANURE!!!"
>
>



-- 
Jim Bucks - IT Director
Colorado Studios , Mobile TV
Group,
HDNet , AXS.tv 
8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500
jbu...@coloradostudios.comDirect 303-542-5520

Re: Recursion issue

2013-03-28 Thread Matus UHLAR - fantomas

On 28.03.13 17:09, Manson, John wrote:

> Maybe my understanding of how bind works is faulty.
> I thought bind would do the leg work to get an IP.
> Especially when it is authoritative for CNAME domain.
> Even a dig on mercury gives the same 'no IP' result.
> Sorry for the bother.

I got the same result as Chris. Please show us how you do the "dig".

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Sten Carlsen
Apparently the DHCP server tries to put the change into BIND but times
out. What does the named log tell about this?

Either it did see the request or it will have an explanation why it
won't do it.

On 28/03/13 18:18, Jim Bucks wrote:
> Hi Mark, Graham, & others.
>
> I've spent the last day trying all sorts of things to get this working
> (to no avail).  I'm still at the stage of DHCP offering the lease IP
> address, but the DNS is not automatically updating the two "zones"
> files with the newly leased addresses.
>
> Here is a brief summary of what I tried/changed.
>- Added the group named to the dhcpd user
>- moved the two zones files into
> /var/named/chroot/var/named/slaves/  (was internal/)
>- added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
>- grabbed a current version named.conf file and added the bare
> minimum config into it.
>
> Attached are my configs.
>
> Any ideas on what I've hosed up?
>
> Thanks,
>
> Jim
>
>
>
> -- 
> Jim Bucks - IT Director 
> Colorado Studios , Mobile TV Group
> , HDNet , AXS.tv
> 
> 8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500
> jbu...@coloradostudios.com 
>Direct 303-542-5520
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 
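Sten's rule of thumb (named either saw the update and logged why it refused it, or it never saw it) can be applied mechanically to the two logs. The following POSIX shell script is an added example, not code from this thread: it pulls every "Unable to add ... map" line out of dhcpd's syslog output (the sample lines are the ones Jim posted) and pairs each one with whatever named logged for the affected zone. The named log line is constructed to show the "named saw it and refused" branch; the client address, port and pid in it are placeholders, and the zone is derived by stripping one label from the failed name, which assumes the record sits directly under the zone apex.

```shell
#!/bin/sh
# Added example, not part of the thread: pair dhcpd's "Unable to add ...
# map" failures with what named logged for the same zone.

# Constructed sample: the dhcpd lines Jim posted.
DHCPD_LOG=$(cat <<'EOF'
Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 28 11:22:57 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
EOF
)

# Constructed named log (hypothetical client address, port and pid):
# named received the update and refused it under the zone's update policy.
NAMED_LOG_DENIED=$(cat <<'EOF'
Mar 28 11:22:57 dns04 named[2087]: client 172.10.5.5#40923: view internal: update 'coloradostudios.com/IN' denied
EOF
)

# Print one "<direction> <name> <reason>" line per DDNS update that dhcpd
# could not complete, from syslog-style dhcpd output in $1.
ddns_failures() {
    printf '%s\n' "$1" | awk '
        / dhcpd: Unable to add (forward|reverse) map from / {
            for (i = 1; i <= NF; i++) if ($i == "Unable") break
            dir = $(i + 3); name = $(i + 6)
            reason = $0; sub(/.*: /, "", reason)   # text after the last ": "
            print dir, name, reason
        }'
}

# Classify one failed update for zone $1 against named log text $2:
#   denied   - named logged the update and refused it (policy or key problem)
#   seen     - named logged the update with some other outcome
#   no-trace - named logged nothing for that zone: the request never reached
#              it (zone primary address/port in dhcpd.conf, packet filters,
#              named's listen-on) or the update category is not being logged
triage_update() {
    hits=$(printf '%s\n' "$2" | grep "named\[[0-9]*\]: .*update '$1/IN'" || true)
    if [ -z "$hits" ]; then
        echo no-trace
    elif printf '%s\n' "$hits" | grep -q ' denied$'; then
        echo denied
    else
        echo seen
    fi
}

# Report every dhcpd failure with its verdict. $1 = dhcpd log, $2 = named log.
# Assumption: the updated name sits directly under the zone apex, so the
# zone is the name with its first label removed.
triage_report() {
    ddns_failures "$1" | while read -r dir name reason; do
        zone=${name#*.}
        printf '%s map for %s (%s): %s\n' "$dir" "$name" "$reason" \
            "$(triage_update "$zone" "$2")"
    done
}

# Stand-alone run: show both branches of Sten's dichotomy.
echo "with a named log that recorded the update:"
triage_report "$DHCPD_LOG" "$NAMED_LOG_DENIED"
echo "with a named log that recorded nothing:"
triage_report "$DHCPD_LOG" ""
```

A "denied" verdict points at the zone's update policy or TSIG key; "no-trace" means the problem is between dhcpd and named, which is where a "timed out" reason with a silent named log usually lands.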


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-28 Thread Jim Bucks
Hi Mark, Graham, & others.

I've spent the last day trying all sorts of things to get this working (to
no avail).  I'm still at the stage of DHCP offering the lease IP address,
but the DNS is not automatically updating the two "zones" files with the
newly leased addresses.

Here is a brief summary of what I tried/changed.
   - Added the group named to the dhcpd user
   - moved the two zones files into /var/named/chroot/var/named/slaves/
(was internal/)
   - added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
   - grabbed a current version named.conf file and added the bare minimum
config into it.

Attached are my configs.

Any ideas on what I've hosed up?

Thanks,

Jim



-- 
Jim Bucks - IT Director
Colorado Studios , Mobile TV
Group,
HDNet , AXS.tv 
8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500
jbu...@coloradostudios.comDirect 303-542-5520
DDNS_DHCP_Problem20130327.txt


Centos 64 bit ver 6.4
dhcpd ver 4.1.1-P1
bind  ver BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3

All the above are on one server.





Here is what I'm still seeing when grabbing a DHCP lease from this server.  
I do get a lease, but the DDNS is not updating the "zones" files.
===
Mar 27 15:38:29 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 
(proccilapxp) via eth1
Mar 27 15:38:29 dns04 dhcpd: Unable to add forward map from 
dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 27 15:38:29 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 
00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 27 15:38:29 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 
(proccilapxp) via eth1






Here are all my configuration & logfiles.  They are 99% the same as my "real" 
files.  
The only change was to replace the "secret" string.  Syntactically, there are 
no changes.


File Permissions & Ownerships
=
ll /var/named/chroot/var/named/
total 28
drwxrwx---  2 named named 4096 Mar 28 08:01 data
drwxrwx---. 2 named named 4096 Feb 15 09:21 external
drwxrwx---. 3 named named 4096 Mar 28 09:40 internal
-rw-r-----  1 root  named  152 Dec 15  2009 named.empty
-rw-r-----  1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----  1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---  2 named named 4096 Mar 28 10:37 slaves


ll /var/named/chroot/var/named/slaves/
-rw-rw-rw-  1 named named  386 Mar 26 10:55 db.172.10.20
-rw-rw-rw-  1 named named  525 Mar 26 11:41 db.dhcp.coloradostudios.com


ll /var/lib/dhcpd/dhcpd.leases
-rw-r--r-- 1 root root 1511 Mar 27 13:18 /var/lib/dhcpd/dhcpd.leases

ll /etc/dhcp/dhcpd.conf
-rw-r--r-- 1 root root 2010 Mar 27 12:45 /etc/dhcp/dhcpd.conf

ll /var/named/chroot/etc/named.conf
-rw-r----- 1 named named 6341 Mar 27 12:54 /var/named/chroot/etc/named.conf


Based on an internet search, I have added the "named" group to the dhcpd user:
usermod -G dhcpd,named dhcpd



cat /etc/sysconfig/named
==
# BIND named process options
# ~~
# Currently, you can use the following options:
#
# ROOTDIR="/var/named/chroot"  --  will run named in a chroot environment.
#you must set up the chroot environment 
#(install the bind-chroot package) before
#doing this.
#   NOTE:
# Those directories are automatically mounted to chroot if they are
# empty in the ROOTDIR directory. It will simplify maintenance of your
# chroot environment.
#  - /var/named
#  - /etc/pki/dnssec-keys
#  - /etc/named
#  - /usr/lib64/bind or /usr/lib/bind (architecture dependent)
#
# Those files are mounted as well if target file doesn't exist in
# chroot.
#  - /etc/named.conf
#  - /etc/rndc.conf
#  - /etc/rndc.key
#  - /etc/named.rfc1912.zones
#  - /etc/named.dnssec.keys
#  - /etc/named.iscdlv.key
#
#   Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
#   line to your /etc/rsyslog.conf file. Otherwise your logging becomes
#   broken when rsyslogd daemon is restarted (due update, for example).
#
# OPTIONS="whatever" --  These additional options will be passed to named
#at startup. Don't add -t here, use ROOTDIR instead.
#
# KEYTAB_FILE="/dir/file"--  Specify named service keytab file (for 
GSS-TSIG)
#
# DISABLE_ZONE_CHECKING  -- By default, initscript calls named-checkzone
#   utility for every zone to ensure all zones are
#   valid before named starts. If you set this option
#   to 'yes' then initscript doesn't perform those

RE: Recursion issue

2013-03-28 Thread Manson, John
Maybe my understanding of how bind works is faulty.
I thought bind would do the leg work to get an IP.
Especially when it is authoritative for CNAME domain.
Even a dig on mercury gives the same 'no IP' result.
Sorry for the bother.

-Original Message-
From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
Sent: Thursday, March 28, 2013 12:57 PM
To: Manson, John
Cc: bind-users@lists.isc.org
Subject: Re: Recursion issue

On Mar 28, 2013, at 9:05 AM, Manson, John wrote:
> I disagree with your statement about recursion.
> What stops an authoritative server from doing recursion if you do not have 
> the recursion statement?
> I guess the bind default is recursion yes.

OK, bad choice of words on my part. I did not mean to say that you should not 
set any configuration options to disable recursion, because as you said, it is 
on by default (but restricted, by default, to localnets and localhost). What I 
meant was that there is no reason to permit recursive queries to your 
authoritative servers. Therefore, I would recommend turning it off using 
'recursion no;' in your options or view statement.

Chris Buxton
BlueCat Networks


Re: Recursion issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 9:05 AM, Manson, John wrote:
> I disagree with your statement about recursion.
> What stops an authoritative server from doing recursion if you do not have 
> the recursion statement?
> I guess the bind default is recursion yes.

OK, bad choice of words on my part. I did not mean to say that you should not 
set any configuration options to disable recursion, because as you said, it is 
on by default (but restricted, by default, to localnets and localhost). What I 
meant was that there is no reason to permit recursive queries to your 
authoritative servers. Therefore, I would recommend turning it off using 
'recursion no;' in your options or view statement.

Chris Buxton
BlueCat Networks


Re: Recursion issue

2013-03-28 Thread Matus UHLAR - fantomas

On 28.03.13 16:05, Manson, John wrote:

> I disagree with your statement about recursion.
>
> What stops an authoritative server from doing recursion if you do not have
> the recursion statement?  I guess the bind default is recursion yes.

if your server does not allow recursion, it will still answer the
authoritative data.

You have said you do not have recursion allowed, why do you expect it to be
allowed now?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


RE: Recursion issue

2013-03-28 Thread Manson, John
I disagree with your statement about recursion.
What stops an authoritative server from doing recursion if you do not have the 
recursion statement?
I guess the bind default is recursion yes.

-Original Message-
From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
Sent: Thursday, March 28, 2013 11:49 AM
To: Manson, John
Cc: bind-users@lists.isc.org
Subject: Re: Recursion issue

On Mar 28, 2013, at 8:27 AM, Manson, John wrote:

> From the internet:
> Answer records
> 
> name                class  type   data               time to live
> test.gopleader.gov  IN     CNAME  testwww.house.gov
> 
> Testwww from the internet:
> Answer records
> 
> name                class  type   data               time to live
> testwww.house.gov   IN     A      12.13.14.15        900s (00:15:00)
> 
> So the first lookup does not fully resolve due to recursion.
> Does this help?

Yes it does. It just doesn't all get answered from the one zone. Both of your 
public servers, chyron and mercury, contain both zones. A non-recursive query 
to either of them gets both records in an authoritative answer.

$ dig test.gopleader.gov +norec @mercury.house.gov

; <<>> DiG 9.7.6-P1 <<>> test.gopleader.gov +norec @mercury.house.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26756
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.            IN      A

;; ANSWER SECTION:
test.gopleader.gov.     300     IN      CNAME   testwww.house.gov.
testwww.house.gov.      900     IN      A       12.13.14.15

;; Query time: 100 msec
;; SERVER: 143.231.1.67#53(143.231.1.67)
;; WHEN: Thu Mar 28 08:45:23 2013
;; MSG SIZE  rcvd: 80

There is no need to configure recursion on your external authoritative name 
servers. Other name servers will not query them recursively anyway.

I continue to fail to see the problem that you're trying to solve.

Chris Buxton
BlueCat Networks


RE: Recursion issue

2013-03-28 Thread Manson, John
Why do the 2 web-based test sites that I use fail?


test.gopleader@mercury.house.gov:
test.gopleader.gov. 300 IN  CNAME   testwww.house.gov.


-Original Message-
From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
Sent: Thursday, March 28, 2013 11:49 AM
To: Manson, John
Cc: bind-users@lists.isc.org
Subject: Re: Recursion issue

On Mar 28, 2013, at 8:27 AM, Manson, John wrote:

> From the internet:
> Answer records
> 
> name                class  type   data               time to live
> test.gopleader.gov  IN     CNAME  testwww.house.gov
> 
> Testwww from the internet:
> Answer records
> 
> name                class  type   data               time to live
> testwww.house.gov   IN     A      12.13.14.15        900s (00:15:00)
> 
> So the first lookup does not fully resolve due to recursion.
> Does this help?

Yes it does. It just doesn't all get answered from the one zone. Both of your 
public servers, chyron and mercury, contain both zones. A non-recursive query 
to either of them gets both records in an authoritative answer.

$ dig test.gopleader.gov +norec @mercury.house.gov

; <<>> DiG 9.7.6-P1 <<>> test.gopleader.gov +norec @mercury.house.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26756
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.            IN      A

;; ANSWER SECTION:
test.gopleader.gov.     300     IN      CNAME   testwww.house.gov.
testwww.house.gov.      900     IN      A       12.13.14.15

;; Query time: 100 msec
;; SERVER: 143.231.1.67#53(143.231.1.67)
;; WHEN: Thu Mar 28 08:45:23 2013
;; MSG SIZE  rcvd: 80

There is no need to configure recursion on your external authoritative name 
servers. Other name servers will not query them recursively anyway.

I continue to fail to see the problem that you're trying to solve.

Chris Buxton
BlueCat Networks


Re: Recursion issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 8:27 AM, Manson, John wrote:

> From the internet:
> Answer records
> 
> name                class  type   data               time to live
> test.gopleader.gov  IN     CNAME  testwww.house.gov
> 
> Testwww from the internet:
> Answer records
> 
> name                class  type   data               time to live
> testwww.house.gov   IN     A      12.13.14.15        900s (00:15:00)
> 
> So the first lookup does not fully resolve due to recursion.
> Does this help?

Yes it does. It just doesn't all get answered from the one zone. Both of your 
public servers, chyron and mercury, contain both zones. A non-recursive query 
to either of them gets both records in an authoritative answer.

$ dig test.gopleader.gov +norec @mercury.house.gov

; <<>> DiG 9.7.6-P1 <<>> test.gopleader.gov +norec @mercury.house.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26756
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.IN  A

;; ANSWER SECTION:
test.gopleader.gov. 300 IN  CNAME   testwww.house.gov.
testwww.house.gov.  900 IN  A   12.13.14.15

;; Query time: 100 msec
;; SERVER: 143.231.1.67#53(143.231.1.67)
;; WHEN: Thu Mar 28 08:45:23 2013
;; MSG SIZE  rcvd: 80

There is no need to configure recursion on your external authoritative name 
servers. Other name servers will not query them recursively anyway.

I continue to fail to see the problem that you're trying to solve.

Chris Buxton
BlueCat Networks
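Chris's `+norec` query and Matus's point that a server which refuses recursion still serves its authoritative data can be turned into a repeatable audit of an external authoritative server. The POSIX shell script below is an added example, not code from Chris, Matus or ISC: it reads a captured dig response, checks that the flags carry `aa` and not `ra` (an external authoritative server should not advertise recursion, which is what `recursion no;` achieves), and walks the CNAME chain in the answer section to confirm it reaches an A record without any recursion. The first sample is the dig output quoted above; the second is a constructed variant of it from a hypothetical server that also offers recursion.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a captured dig response for
# the two properties an external authoritative server should have.

# Constructed sample 1: the +norec answer quoted in the thread.
AUTH_RESPONSE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26756
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.            IN      A

;; ANSWER SECTION:
test.gopleader.gov.     300     IN      CNAME   testwww.house.gov.
testwww.house.gov.      900     IN      A       12.13.14.15

;; Query time: 100 msec
EOF
)

# Constructed sample 2 (hypothetical): the same data from a server that
# also advertises recursion ("ra"), which an external authoritative server
# should not do.
OPEN_RESPONSE=$(printf '%s\n' "$AUTH_RESPONSE" |
    sed 's/^;; flags: qr aa;/;; flags: qr aa ra;/')

# Print the flag words of a dig response, e.g. "qr aa".
response_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Return 0 when the answer is authoritative (aa present) and recursion is
# not offered (ra absent); 1 otherwise.
response_is_auth_nonrecursive() {
    flags=" $(response_flags "$1") "
    case $flags in
        *" aa "*) ;;
        *) return 1 ;;
    esac
    case $flags in
        *" ra "*) return 1 ;;
    esac
    return 0
}

# Follow CNAMEs from name $2 through the answer section of response $1 and
# print the address the chain ends at. Return 1 if the chain dangles, i.e.
# the server could not complete it from its own zones.
cname_chain_target() {
    name=$2
    answers=$(printf '%s\n' "$1" |
        awk '/^;; ANSWER SECTION:/ {f=1; next} /^$/ {f=0} f')
    hops=0
    while [ "$hops" -lt 8 ]; do
        rr=$(printf '%s\n' "$answers" | awk -v n="$name" '$1 == n {print; exit}')
        [ -n "$rr" ] || return 1
        set -- $rr                       # owner ttl class type rdata
        case $4 in
            A|AAAA) printf '%s\n' "$5"; return 0 ;;
            CNAME)  name=$5 ;;
            *)      return 1 ;;
        esac
        hops=$((hops + 1))
    done
    return 1
}

# Stand-alone run: audit both samples.
for sample in AUTH_RESPONSE OPEN_RESPONSE; do
    eval "resp=\$$sample"
    if response_is_auth_nonrecursive "$resp"; then
        verdict="aa set, ra clear: ok"
    else
        verdict="WARNING: flags '$(response_flags "$resp")' (not authoritative, or recursion offered)"
    fi
    printf '%s: %s; chain ends at %s\n' "$sample" "$verdict" \
        "$(cname_chain_target "$resp" test.gopleader.gov. || echo '(dangling)')"
done
```

Feed it `dig <name> +norec @<server>` output for each external name server; a response that lacks `aa`, carries `ra`, or leaves the chain dangling is the one to look at, and the first two are exactly what `recursion no;` in the options or view statement addresses.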


RE: Recursion issue

2013-03-28 Thread Manson, John
From the internet:
Answer records

name                class  type   data               time to live
test.gopleader.gov  IN     CNAME  testwww.house.gov

Testwww from the internet:
Answer records

name                class  type   data               time to live
testwww.house.gov   IN     A      12.13.14.15        900s (00:15:00)

So the first lookup does not fully resolve due to recursion.
Does this help?


-Original Message-
From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
Sent: Thursday, March 28, 2013 11:13 AM
To: Manson, John
Cc: bind-users@lists.isc.org
Subject: Re: Recursion issue

On Mar 28, 2013, at 7:56 AM, Manson, John wrote:
> My external authoritative dns does not allow recursion.
> We have vanity names like speaker.gov.
> When we add an entry like:
> www.speaker.gov   CNAMEwww.house.gov
> it fails because of the recursion statement even though the external dns is 
> authoritative for house.gov.
> Anyone know of a way to modify the recursion behavior since house.gov is 
> already in the outhouse-view along with the vanity .gov names.?
> Currently we have to use A records with the www.house.gov IP.
> Web staff and others would like to see the House server name displayed in the 
> browser url bar and in dig results.

If you want the browser URL bar to change from what the user typed to 
"www.house.gov", you have to use an HTTP redirect. You cannot do that with DNS.

Other than that issue, what part of your current environment is not working? In 
your public data, I see:

www.speaker.gov.300 IN  CNAME   wc.house.gov.edgekey.net.
wc.house.gov.edgekey.net. 17789 IN  CNAME   e4776.g.akamaiedge.net.
e4776.g.akamaiedge.net. 20  IN  A   184.26.83.91

Chris Buxton
BlueCat Networks


Re: Recursion issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 7:56 AM, Manson, John wrote:
> My external authoritative dns does not allow recursion.
> We have vanity names like speaker.gov.
> When we add an entry like:
> www.speaker.gov   CNAMEwww.house.gov
> it fails because of the recursion statement even though the external dns is 
> authoritative for house.gov.
> Anyone know of a way to modify the recursion behavior since house.gov is 
> already in the outhouse-view along with the vanity .gov names.?
> Currently we have to use A records with the www.house.gov IP.
> Web staff and others would like to see the House server name displayed in the 
> browser url bar and in dig results.

If you want the browser URL bar to change from what the user typed to 
"www.house.gov", you have to use an HTTP redirect. You cannot do that with DNS.

Other than that issue, what part of your current environment is not working? In 
your public data, I see:

www.speaker.gov.300 IN  CNAME   wc.house.gov.edgekey.net.
wc.house.gov.edgekey.net. 17789 IN  CNAME   e4776.g.akamaiedge.net.
e4776.g.akamaiedge.net. 20  IN  A   184.26.83.91

Chris Buxton
BlueCat Networks


Recursion issue

2013-03-28 Thread Manson, John
My external authoritative dns does not allow recursion.
We have vanity names like speaker.gov.
When we add an entry like:
www.speaker.gov   CNAME   www.house.gov
it fails because of the recursion statement even though the external dns is 
authoritative for house.gov.
Anyone know of a way to modify the recursion behavior since house.gov is 
already in the outhouse-view along with the vanity .gov names.?
Currently we have to use A records with the www.house.gov IP.
Web staff and others would like to see the House server name displayed in the 
browser url bar and in dig results.

Thanks


John Manson
CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, 
DC 20515
Desk: 202-226-4244 | TCC: 202-226-6430 | 
john.man...@mail.house.gov


Re: FW: CVE-2013-2266 Question

2013-03-28 Thread G.W. Haywood

Hi there,

On Wed, 27 Mar 2013, Manson, John wrote:


> Does 'make clear' affect the running named


No.  The 'configure' step and the 'make' steps are respectively
configuring the software source files for your environment before the
build (more or less compile and link) process, and then the building,
optionally testing and finally installing the new software (binaries
such as named, and for example vanilla configuration files - or what
you could think of as templates in a new installation).  If you have
an existing set of configuration files, the install process will not
touch them.  This is in keeping with the Principle Of Least Surprise. :)

Nothing you do in the build/test/install process affects the already
running processes.  Normally one builds new software in a directory
owned by a non-privileged user while logged in as that user.  Then
only switch to a privileged user to install files (in places in the
filesystem where the unprivileged user cannot write them) by giving
the command 'make install'.  Sometimes a test might need to be run as
a privileged user or might require a special test environment which
must be set up by a privileged user.  The BIND package tests fall into
the latter category, see below.  Many people don't run the tests but
it's a good idea to run them if only for peace of mind.


> or is it best to stop named and start it afterward?


You should stop and start named after the newly built software has
been installed.  There's no need to stop it before building a new
version.


> Do I also need to run configure again or just make?


You don't really need to run configure again unless something else has
changed, but I would generally rebuild from scratch so that I know
that everything is as I expect.  It takes very little effort.


> Will dig and rndc be updated as well?


Yes, they are rebuilt together with named and installed when you do
the 'make install' step.

Here's what I did on one of my nameservers the day before yesterday:

8<--
26 Mar 2013

 bind 

97. Downloaded, built and installed, nameserver restarted.

$ cd ~/tgz
$ wget ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz
$ cd ~/src/net
$ rm -rf bind-9.9.2
$ tar xzvf ~/tgz/bind-9.9.2-P2.tar.gz
$ cd bind-9.9.2-P2
$ ./configure --prefix=/usr/local --sysconfdir=/etc --with-openssl 
STD_CDEFINES="-DDIG_SIGCHASE=1"

$ make
$ su
# bin/tests/system/ifconfig.sh up
# exit
$ make test
...
I:System test result summary:
I:50 PASS
I: 2 SKIPPED
make[2]: Leaving directory `/home/ged/src/net/bind-9.9.2-P2/bin/tests/system'
make[1]: Leaving directory `/home/ged/src/net/bind-9.9.2-P2/bin/tests'
$ su
# bin/tests/system/ifconfig.sh down
# make install
# killall named ; sleep 2 ; /usr/local/sbin/named -4 -u named
# exit
8<--

Note that I've trimmed reams and reams of build and test output above,
I've just included the last four lines of the test output.  Some of it
can take a while.  The test system creates interfaces on 10.53.0.x and
in the unlikely event that you're using those addresses on your system
while you test the BIND package you will probably need to do something
to prevent an unpleasant experience.

--

73,
Ged.
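Ged's sequence works, but each step that can go wrong silently feeds the next one: a tampered download gets built, a failed test run gets installed, and the 10.53.0.x collision he warns about is only noticed after `ifconfig.sh up`. The script below is an added example, not Ged's notes or ISC's tooling: it wraps the same build, test, install and restart steps in three checks, each a function that can be exercised on its own. Assumptions not in the post: the tarball's SHA-256 is obtained out of band (ISC publishes checksums and a PGP signature next to each release; `EXPECTED_SHA256` is a placeholder), `ip -4 -o addr` lists the host's addresses, and the privileged steps use `sudo` where Ged used `su`.

```shell
#!/bin/sh
# Added example, not from Ged's post: his build/test/install sequence with
# the checks a practitioner wants before replacing a running named.

VERSION="9.9.2-P2"
TARBALL="bind-$VERSION.tar.gz"
URL="ftp://ftp.isc.org/isc/bind9/$VERSION/$TARBALL"
EXPECTED_SHA256="<sha256 from ISC's published checksum, placeholder>"

# Return 0 when file $1 hashes to the SHA-256 given in $2.
tarball_ok() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Return 0 when no interface already carries an address in 10.53.0.0/24,
# the range bin/tests/system/ifconfig.sh brings up (Ged's caveat).
# $1 is `ip -4 -o addr` output.
testnet_free() {
    ! printf '%s\n' "$1" | grep -q ' inet 10\.53\.0\.'
}

# Return 0 when a `make test` summary (its "I:" lines) reports at least one
# PASS and no non-zero FAIL count, so a failing test run is never installed.
test_summary_ok() {
    printf '%s\n' "$1" | awk '
        /^I: *[0-9]+ PASS$/ { sub(/^I: */, ""); pass = $1 + 0 }
        /^I: *[0-9]+ FAIL$/ { sub(/^I: */, ""); fail = $1 + 0 }
        END { exit !(pass > 0 && fail == 0) }'
}

# The whole sequence; stops at the first failed check. Not run at load time.
upgrade_bind() {
    mkdir -p ~/tgz ~/src/net || return 1
    ( cd ~/tgz && wget "$URL" ) || return 1
    tarball_ok ~/tgz/"$TARBALL" "$EXPECTED_SHA256" ||
        { echo "checksum mismatch on $TARBALL, refusing to build" >&2; return 1; }
    testnet_free "$(ip -4 -o addr)" ||
        { echo "an interface already uses 10.53.0.x; the system tests would collide" >&2; return 1; }
    cd ~/src/net && rm -rf "bind-$VERSION" && tar xzf ~/tgz/"$TARBALL" &&
        cd "bind-$VERSION" || return 1
    ./configure --prefix=/usr/local --sysconfdir=/etc --with-openssl \
        STD_CDEFINES="-DDIG_SIGCHASE=1" && make || return 1
    sudo bin/tests/system/ifconfig.sh up || return 1
    summary=$(make test 2>&1 | tee ~/bind-test.log | grep '^I:')
    sudo bin/tests/system/ifconfig.sh down
    test_summary_ok "$summary" ||
        { echo "system tests did not all pass, see ~/bind-test.log" >&2; return 1; }
    sudo make install || return 1
    sudo killall named; sleep 2
    sudo /usr/local/sbin/named -4 -u named || return 1
    /usr/local/sbin/named -v      # confirm the installed binary reports $VERSION
}

# Invoke as: sh thisfile.sh run
case "${1:-}" in
    run) upgrade_bind ;;
esac
```

The full `make test` output is long, so only the `I:` lines are kept and the summary parser reads just the PASS and FAIL counts from them; the complete log stays in `~/bind-test.log` for the case where the check refuses to install.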