Re: “Foreign” name in the reverse lookup zone
In article , PAVLOV Misha wrote:
> Folks,
>
> Wonder if someone can kindly confirm that there is nothing wrong with having
> a PTR record in one of the subnet zone files (we are authoritative for) with PTR
> to the name owned by another office (domain). A server
> exchange.north.our.company (owned and registered in north.our.company domain)
> installed here, on the same network as all local south.our.company machines.
> We own, are authoritative for and maintain the db.1.2.3 subnet reverse zone, but
> not the north.our.company name registered far away.

There's nothing wrong with it, and it's done all the time. Consider the case where the www.company.com server is hosted at a third party. The A record will be in the company's domain, but the PTR record will be in the hosting service's reverse domain.

Just make sure that there is a corresponding A record. Some software will check for this before believing the PTR record. This is mostly done in software that uses reverse lookups in security checks; for instance, if a hosts.allow file allows access from *.company.com, it can't just believe the PTR record because anyone can put " PTR foo.company.com." in their reverse zone.

--
Barry Margolin
Arlington, MA

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
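The "corresponding A record" check Barry describes, as an added Python example (not code from the list or from BIND): the PTR target is resolved forward and only accepted when the original address is among its A records. The lookup tables and addresses are constructed, and the resolver functions are injected so it runs offline; against a live resolver you would wrap socket.gethostbyaddr and socket.getaddrinfo instead.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS).
# A PTR record alone proves nothing, since whoever controls a reverse
# zone can point it at foo.company.com. The defence is to resolve the PTR
# target forward and require the original address among its A records.
# Lookups are injected so the logic runs offline against constructed data.
import fnmatch
from typing import Callable, Dict, List, Optional

ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR name, or None
ForwardLookup = Callable[[str], List[str]]      # hostname -> A records


def confirmed_hostname(ip: str, ptr: ReverseLookup, fwd: ForwardLookup) -> Optional[str]:
    """Return the PTR name for ip only if that name resolves back to ip."""
    name = ptr(ip)
    if name is None:
        return None
    name = name.rstrip(".").lower()
    return name if ip in fwd(name) else None


def allowed_by_pattern(ip: str, pattern: str, ptr: ReverseLookup, fwd: ForwardLookup) -> bool:
    """hosts.allow-style check: does ip verifiably belong to e.g. *.company.com?"""
    name = confirmed_hostname(ip, ptr, fwd)
    return name is not None and fnmatch.fnmatch(name, pattern.lower())


# Constructed sample data standing in for the reverse and forward zones.
PTR_TABLE: Dict[str, str] = {
    "1.2.3.11": "exchange.north.our.company.",  # foreign name, legitimately placed
    "1.2.3.12": "robocop.south.our.company.",
    "198.51.100.7": "foo.company.com.",          # PTR planted in someone else's reverse zone
}
A_TABLE: Dict[str, List[str]] = {
    "exchange.north.our.company": ["1.2.3.11"],
    "robocop.south.our.company": ["1.2.3.12"],
    "foo.company.com": ["203.0.113.5"],          # the real host lives elsewhere
}


def sample_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def sample_fwd(name: str) -> List[str]:
    return A_TABLE.get(name, [])
```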
Re: BIND 9.4.x and check-names
On Apr 17, 2013, at 8:58 AM, Matus UHLAR - fantomas wrote:
> On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
>> default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
>> default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
>
> Hmm, aren't those supposed to be SRV records?

No, they are the addresses of the global catalog servers. If they were SRV records, check-names would not complain.

Chris Buxton
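Why an A record at gc._msdcs is flagged while SRV records under _ldap._tcp are not, as an added Python example (not code from the thread or from BIND): it re-implements the name rule BIND's check-names applies, using the record types the BIND documentation lists (owner names of A, AAAA and MX; host names in the RDATA of NS, MX and SRV). The zone fragment and messages are constructed to mimic the log wording above.

```python
# Added example: the hostname rule behind BIND's check-names warnings.
# Hostname labels follow RFC 952/1123: letters, digits and hyphens, no
# leading or trailing hyphen, so "_msdcs" fails. BIND applies the rule to
# the owner names of A, AAAA and MX records and to host names in the RDATA
# of NS, MX and SRV records; an SRV owner name such as _ldap._tcp is exempt.
import re
from typing import List, Tuple

LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
OWNER_CHECKED = {"A", "AAAA", "MX"}
RDATA_CHECKED = {"NS", "MX", "SRV"}  # last RDATA field is a host name


def is_hostname(name: str) -> bool:
    """True if every label of name is a legal RFC 1123 hostname label."""
    labels = name.rstrip(".").split(".")
    return all(len(label) <= 63 and LABEL.match(label) for label in labels)


def check_names(records: List[Tuple[str, str, str]], zone: str, mode: str = "warn") -> List[str]:
    """Return check-names messages for a zone, worded like BIND's log lines.

    records: (owner, type, rdata) triples with owner relative to zone.
    mode: "fail" or "warn" both report; "ignore" suppresses (fail would
    additionally refuse to load the zone).
    """
    if mode == "ignore":
        return []
    out: List[str] = []
    for owner, rtype, rdata in records:
        fqdn = f"{owner}.{zone}"
        if rtype in OWNER_CHECKED and not is_hostname(fqdn):
            out.append(f"zone {zone}/IN: {fqdn}/{rtype}: bad owner name (check-names)")
        if rtype in RDATA_CHECKED and not is_hostname(rdata.split()[-1]):
            out.append(f"zone {zone}/IN: {fqdn}/{rtype}: bad name (check-names)")
    return out


# Constructed AD-style zone fragment (not a real zone).
SAMPLE_ZONE = "example.test"
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("gc._msdcs", "A", "192.0.2.10"),                            # flagged: owner name
    ("_ldap._tcp", "SRV", "0 100 389 dc1.example.test."),        # SRV owner is exempt
    ("_ldap._tcp", "SRV", "0 100 389 gc._msdcs.example.test."),  # flagged: RDATA target
    ("dc1", "A", "192.0.2.10"),                                  # fine
]
```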
Re: BIND 9.4.x and check-names
On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
> Subject: BIND 9.4.x and check-names

Isn't it time to upgrade?

> I recently implemented a change in our DNS environment with the intention
> of suppressing the log events related to AD-integrated zones, and their
> Non-RFC compliant nature.
>
> check-names slave ignore;
> check-names master ignore;

bind 9.4 has also "check-names response";

> However, I still see these entries appear in the logs. Could someone
> please chime in and let me know if my expectation or implementation was
> incorrect? Many thanks!!
>
> default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
> default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)

Hmm, aren't those supposed to be SRV records?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete
Re: “Foreign” name in the reverse lookup zone
You can point PTR records anywhere you want. In fact, there's nothing that even says that PTR records are limited to representing reverse mappings, or that they can only appear in the in-addr.arpa hierarchy. Strictly speaking, they're just name-to-name mappings, _sans_ the special "aliasing" function of CNAMEs and the consequent referential restrictions, like the infamous "CNAME and other" rule.

I wish more people would understand that for simple name-to-name mapping functions, PTR records are *superior* to TXT records, since PTRs benefit from label compression, while TXT records do not. If one wants to encode more information in the RDATA than just a name, however, then one requires the extra "freedom" of TXT records.

- Kevin

On 4/17/2013 10:49 AM, PAVLOV Misha wrote:
> Folks,
>
> Wonder if someone can kindly confirm that there is nothing wrong with having
> a PTR record in one of the subnet zone files (we are authoritative for) with PTR
> to the name owned by another office (domain). A server
> exchange.north.our.company (owned and registered in north.our.company domain)
> installed here, on the same network as all local south.our.company machines.
> We own, are authoritative for and maintain the db.1.2.3 subnet reverse zone, but
> not the north.our.company name registered far away.
>
> The DNS server is running BIND 9.3.4-P1
>
> The routine DNS updates are done via the GUI (phpMyAdmin derivative) which
> has no provision for adding PTR records only, and the team in charge is
> hesitant to manually add the
>
>     11 IN PTR exchange.north.our.company.
>
> to the db.1.2.3 zone, populated with consistent entries like
>
>     . . .
>     12 IN PTR robocop.south.our.company.
>     13 IN PTR terminator.south.our.company.
>     14 IN PTR diehard.south.our.company.
>     . . .
>
> TIA
“Foreign” name in the reverse lookup zone
Folks,

Wonder if someone can kindly confirm that there is nothing wrong with having a PTR record in one of the subnet zone files (we are authoritative for) with PTR to the name owned by another office (domain). A server exchange.north.our.company (owned and registered in north.our.company domain) installed here, on the same network as all local south.our.company machines. We own, are authoritative for and maintain the db.1.2.3 subnet reverse zone, but not the north.our.company name registered far away.

The DNS server is running BIND 9.3.4-P1

The routine DNS updates are done via the GUI (phpMyAdmin derivative) which has no provision for adding PTR records only, and the team in charge is hesitant to manually add the

    11 IN PTR exchange.north.our.company.

to the db.1.2.3 zone, populated with consistent entries like

    . . .
    12 IN PTR robocop.south.our.company.
    13 IN PTR terminator.south.our.company.
    14 IN PTR diehard.south.our.company.
    . . .

TIA
RE: Caching server - named process is limit at 500MB
Chu,

I also use gcc on Solaris instead of SunStudio (or whatever they're calling it these days). Here's the history from my last build:

    export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/sfw/bin:/usr/ucb:/usr/openwin/bin:/usr/ccs/bin:/opt/sfw/bin
    wget http://www.openssl.org/source/openssl-1.0.0k.tar.gz
    gunzip openssl-1.0.0k.tar.gz
    tar -xvf openssl-1.0.0k.tar
    cd openssl-1.0.0k
    ./Configure solaris64-x86_64-gcc && make
    su
    make install
    wget ftp://ftp.isc.org/isc/bind9/9.8.4-P2/bind-9.8.4-P2.tar.gz
    gunzip bind-9.8.4-P2.tar.gz
    tar -xvf bind-9.8.4-P2.tar
    cd bind-9.8.4-P2
    export LD_LIBRARY_PATH=/usr/ucblib/amd64:/lib/amd64:/usr/lib/64:/usr/sfw/lib/64
    export CFLAGS="-m64"
    ./configure --enable-threads --enable-largefile --with-openssl=/usr/local/ssl
    make
    su
    make install
    /usr/local/sbin/named -V
    file /usr/local/sbin/named

--
Rich Goodson
Sr. Unix System Administrator
Mediacom Communications
Des Moines Data Center
2195 Ingersoll Avenue
Des Moines, IA 50312

BYTES=1;while true; do dd if=/dev/urandom of=/dev/kmem seek=$RANDOM bs=1 count=1
echo "$BYTES bytes of kernel memory successfully randomized"
BYTES=$(($BYTES+1)); sleep 1; done
--Linux Kernel Memory Jenga

From: bind-users-bounces+rgoodson=mediacomllc@lists.isc.org [bind-users-bounces+rgoodson=mediacomllc@lists.isc.org] on behalf of Jaco Lesch [ja...@saix.net]
Sent: Wednesday, April 17, 2013 2:28 AM
To: Chu Ha Khanh
Cc: bind-users@lists.isc.org
Subject: Re: Caching server - named process is limit at 500MB

Chu

My version of BIND is compiled 64-bit and running:

    >~: file bin/named/named
    bin/named/named:ELF 64-bit MSB executable SPARCV9 Version 1, dynamically linked, not stripped

Compiled with Studio. I passed the following variables in configure:

    CC="/bin/cc"
    CXX="/bin/CC"
    F77="/bin/f77"
    CFLAGS="-m64 -Qoption cg -xregs=no%appl -xmemalign=8s -mt"
    CXXFLAGS="-m64"
    LDFLAGS="-L/usr/sfw/lib/64:/lib/64:/usr/lib/64"
    LIBS="-l/usr/sfw/lib/64"
    LD_LIBRARY_PATH="/usr/sfw/lib/64:/lib/64:/usr/lib/64"

The important flag is CFLAGS="-m64" to tell make to generate 64-bit binaries.

For GCC you can do something like this for configure:

    CC=/usr/bin/gcc CFLAGS="-m64 -mcpu=v9" CXX=/usr/bin/g++ CXXFLAGS="-m64 -mcpu=v9" F77=/usr/bin/gfortran

See how that goes. If you are going to use DNSSEC make sure OpenSSL also has 64-bit libraries available.

Regards

On 17/04/2013 04:46, Chu Ha Khanh wrote:
> Hi,
>
> Here is my output from the command. It looks like my bind version is actually 32
> bit. But there are some default applications also 32 bit although all are
> installed on a 64 bit OS. I have to check this for a moment.
>
> bash-3.2# file `which named`
> /usr/local/sbin/named: ELF 32-bit LSB executable 80386 Version 1,
> dynamically linked, not stripped
> bash-3.2#
> bash-3.2# file /usr/local/bin/gcc
> /usr/local/bin/gcc: ELF 32-bit LSB executable 80386 Version 1 [FPU],
> dynamically linked, not stripped
> bash-3.2# file `which java`
> /usr/bin/java: ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically
> linked, not stripped, no debugging information available
> bash-3.2# isainfo -kv
> 64-bit amd64 kernel modules
>
> Thanks and Best Regards,
> Website: www.svtech.com.vn E-mail: khanh@svtech.com.vn
>
> -Original Message-
> From: Mike Hoskins (michoski) [mailto:micho...@cisco.com]
> Sent: Wednesday, April 17, 2013 9:34 AM
> To: Chu Ha Khanh; 'Jaco Lesch'
> Cc: bind-users@lists.isc.org
> Subject: Re: Caching server - named process is limit at 500MB
>
> -Original Message-
>
> From: Chu Ha Khanh
> Date: Tuesday, April 16, 2013 10:25 PM
> To: 'Jaco Lesch'
> Cc: "bind-users@lists.isc.org"
> Subject: RE: Caching server - named process is limit at 500MB
>
>> Hi,
>>
>> How to check 64 bit version of bind?
>>
>> I often download source code from isc.org and compile on 64 bit Solaris
>> 10 OS then. I always consider my version is 64 bit.
>
> $ file `which named`
> /usr/sbin/named: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV),
> for GNU/Linux 2.6.9, stripped
>
>
> (or whatever path to the right named executable...)
> --
---
Jaco Lesch
SAIX HLS
Email: ja...@saix.net
Re: BIND 9.4.x and check-names
"Ben-Eliezer, Tal (ITS)" wrote:
> Good Morning,
>
> I recently implemented a change in our DNS environment with the intention of
> suppressing the log events related to AD-integrated zones, and their Non-RFC
> compliant nature. In the global configuration I added the following statements:
>
>     check-names slave ignore;
>     check-names master ignore;
>
> Flushed & reloaded. However, I still see these entries appear in the logs.
> Could someone please chime in and let me know if my expectation or
> implementation was incorrect? Many thanks!!
>
>     default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
>     default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
>
> Best Regards,
> Tal Ben-Eliezer

I would place those in each zone definition, rather than a global config. You want to be alerted if a non-AD zone has a name issue. Without more information, I cannot tell right now why those directives did not work.

--Barry Finkel
BIND 9.4.x and check-names
Good Morning,

I recently implemented a change in our DNS environment with the intention of suppressing the log events related to AD-integrated zones, and their Non-RFC compliant nature. In the global configuration I added the following statements:

    check-names slave ignore;
    check-names master ignore;

Flushed & reloaded. However, I still see these entries appear in the logs. Could someone please chime in and let me know if my expectation or implementation was incorrect? Many thanks!!

    default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
    default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)

Best Regards,
Tal Ben-Eliezer
Re: Caching server - named process is limit at 500MB
Chu

My version of BIND is compiled 64-bit and running:

    >~: file bin/named/named
    bin/named/named:ELF 64-bit MSB executable SPARCV9 Version 1, dynamically linked, not stripped

Compiled with Studio. I passed the following variables in configure:

    CC="/bin/cc"
    CXX="/bin/CC"
    F77="/bin/f77"
    CFLAGS="-m64 -Qoption cg -xregs=no%appl -xmemalign=8s -mt"
    CXXFLAGS="-m64"
    LDFLAGS="-L/usr/sfw/lib/64:/lib/64:/usr/lib/64"
    LIBS="-l/usr/sfw/lib/64"
    LD_LIBRARY_PATH="/usr/sfw/lib/64:/lib/64:/usr/lib/64"

The important flag is CFLAGS="-m64" to tell make to generate 64-bit binaries.

For GCC you can do something like this for configure:

    CC=/usr/bin/gcc CFLAGS="-m64 -mcpu=v9" CXX=/usr/bin/g++ CXXFLAGS="-m64 -mcpu=v9" F77=/usr/bin/gfortran

See how that goes. If you are going to use DNSSEC make sure OpenSSL also has 64-bit libraries available.

Regards

On 17/04/2013 04:46, Chu Ha Khanh wrote:
> Hi,
>
> Here is my output from the command. It looks like my bind version is actually 32
> bit. But there are some default applications also 32 bit although all are
> installed on a 64 bit OS. I have to check this for a moment.
>
> bash-3.2# file `which named`
> /usr/local/sbin/named: ELF 32-bit LSB executable 80386 Version 1,
> dynamically linked, not stripped
> bash-3.2#
> bash-3.2# file /usr/local/bin/gcc
> /usr/local/bin/gcc: ELF 32-bit LSB executable 80386 Version 1 [FPU],
> dynamically linked, not stripped
> bash-3.2# file `which java`
> /usr/bin/java: ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically
> linked, not stripped, no debugging information available
> bash-3.2# isainfo -kv
> 64-bit amd64 kernel modules
>
> Thanks and Best Regards,
> Website: www.svtech.com.vn E-mail: khanh@svtech.com.vn
>
> -Original Message-
> From: Mike Hoskins (michoski) [mailto:micho...@cisco.com]
> Sent: Wednesday, April 17, 2013 9:34 AM
> To: Chu Ha Khanh; 'Jaco Lesch'
> Cc: bind-users@lists.isc.org
> Subject: Re: Caching server - named process is limit at 500MB
>
> -Original Message-
>
> From: Chu Ha Khanh
> Date: Tuesday, April 16, 2013 10:25 PM
> To: 'Jaco Lesch'
> Cc: "bind-users@lists.isc.org"
> Subject: RE: Caching server - named process is limit at 500MB
>
>> Hi,
>>
>> How to check 64 bit version of bind?
>>
>> I often download source code from isc.org and compile on 64 bit Solaris
>> 10 OS then. I always consider my version is 64 bit.
>
> $ file `which named`
> /usr/sbin/named: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV),
> for GNU/Linux 2.6.9, stripped
>
>
> (or whatever path to the right named executable...)
> --
---
Jaco Lesch
SAIX HLS
Email: ja...@saix.net