Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9
Hello Larry,

I had the same "headache" when I upgraded to 10.9. It seems that instead of going forward we all took a step back. I guess this type of free stuff does come with something attached to it. Anyways, when you upgraded to 10.9 the boot files were wiped clean from /System/Library/LaunchDaemons/. Open the terminal and restore it by entering the command:

---
launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist
echo "launchctl start org.isc.named" >> /etc/launchd.conf
---

Then re-start BIND:

---
launchctl start org.isc.named
---

There are several places talking about this stuff but you can verify here:

Configure BIND to Launch at Startup
http://www.macshadows.com/kb/index.php?title=How_To:_Enable_BIND_-_Mac_OS_X's_Built-in_DNS_Server

I hope that helps!

--
Eduardo Bonsi
System Admin
BEARTCOMMUNICATIONS
beart...@pacbell.net

From: Larry Stone
To: bind-users@lists.isc.org
Sent: Friday, January 17, 2014 6:45 PM
Subject: Non-responsive name servers when started during boot on OS X Mavericks 10.9

Background: I have been using my Macintosh as a server running the client version of OS X (not OS X Server) for many years. Until 10.9 (Mavericks), Apple provided BIND and it worked just fine. My servers were internal only, providing behind-NAT local addresses for the local network as well as caching for external names. All went well. With the release of 10.9, BIND was no longer provided (I’m currently on 10.9.1). I initially restored the version of named from 10.8 along with my configuration and zone files and all was well (at least as far as I could tell). I then switched to building from source and all was still well (I thought). The primary server was just upgraded to 9.8.6-P2 while the secondary (not a server except as a redundant name server) is still at 9.8.6-P1 (upgrade planned for this weekend).

Problem: This morning, by happenstance, both were rebooted a few minutes apart and suddenly, nobody could access anything. Finally figured out that named on both was not responding (queries timed out). Killed named (which was immediately restarted by Apple’s launchd) and all was well. Rebooted the secondary to see if it was repeatable and same thing. Nothing of interest in the log - both the initial startup at boot time and restart log identically (and it does log the RFC 1918 empty zones warning so it gets that far). I’m guessing there’s some resource not available at boot time that’s causing named to hang, but that’s really just a wild guess. I know I’m not providing much information but there’s nothing else I can find, so any help with just figuring out why it fails when started at boot time will be a help.

--
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: transfer signed zone
Question in better format.

Original Message
Subject: transfer signed zone
From:
Date: Fri, January 17, 2014 6:49 pm
To: bind-us...@isc.org

Receiving the following lines when transferring from a non-BIND server. Is there a way to identify the "extra input data"?

Jan 17 17:16:35 had4 named[6497]: running
Jan 17 17:16:35 had4 named[6497]: zone example.com/IN: Transfer started.
Jan 17 17:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10.0.20.22#53: connected using 10.0.20.23#50917
Jan 17 17:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10.0.20.22#53: failed while receiving responses: extra input data
Jan 17 17:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10.0.20.22#53: Transfer completed: 6 messages, 16 records, 2046 bytes, 0.005 secs (409200 bytes/sec)

Here's the dig output.

[root@had4 local]# dig @10.0.20.22 AXFR example.com

; <<>> DiG 9.9.4-P2 <<>> @10.0.20.22 AXFR example.com
; (1 server found)
;; global options: +cmd
example.com.        86400   IN  SOA     ns1.example.com. hostmaster.example.com. 2014011701 10800 15 604800 10800
example.com.        86400   IN  RRSIG   SOA 8 2 86400 20140417221308 20140116221308 15093 example.com. alxE/TLfVRML1EAHCiVDEwmaOjaPdowXxfkompXG3MwJ7tDOQcFV2O2+ 9F4TlB+l0nbfWi0mk7YWBk+w03God8RnUez9KZwhmrGAgEfWtH6kiO7A LEwSPgHTS5cfQah8KGAT6o7DMWOdH0ii2EnJNzqi3gt+SR1bSPw8kTNE TOU=
example.com.        86400   IN  NS      ns.example.com.
example.com.        86400   IN  RRSIG   NS 8 2 86400 20140417221308 20140116221308 15093 example.com. hlkdQhwcElD3bWtsIkySNJuwaXKtiVQaRiZX3IRcK8xU6UHwg4QQOt96 oNFCdCx3TZOROL3rf7OyESdL4YeSlzj9CAMuEzKPPOrcJXyILMJdGymY JEQxMkrz+YbA9gbZwlA0Agk9bNBa51zQThsQD4bB9y3lTtOvuIcI3cxg 1Qw=
example.com.        10800   IN  NSEC    ns.example.com. NS SOA RRSIG NSEC
example.com.        10800   IN  RRSIG   NSEC 8 2 10800 20140417221308 20140116221308 15093 example.com. jGZPr5cSMs8vZaBcrA4ldTxz5J1u13vIimT5oeq6ZPsNODl9GGWjtrjA a6w6ElUgpHredujLG8GnBQpwOj+6Si110omD0RioVyqtoIzdTxh5PnJw w7ni5XWV1MpyeDVp1Nl1+CGH8tyGB1DTrVMjTvdUlOWS/fM/FGCvpyAZ WMs=
example.com.        3600    IN  DNSKEY  257 3 8 AwEAAb1H+j4Nt3UNOagcrgeJWjM1HepFd1EmG7mPYVGxhWeeJwVU6zOB eqwqpazyuFac+o+YG5YN4xk9wjaXcgNZgEnmOVTK2QpWd/f8M/9FKGjv OiUmTcnccYXli/w7r93Gm14hX52TdBRjtUVMEFqoTypFvTEK46e+DUsf 7/z4sItvaQM/xAhqMXmNJwuPd6HAQviPX6pR6KLz7nR10MoPbMVNUipz ajGXUb8mTLqbRgdRdxWcJ/KSt5WgykLwGe1jSCpIPF7MDFEh7uaZQUTO geuieKVZoVWblEK9Bv6I3VBYOx+eAXVrmSxbWz2LZlo8uaY7i6TWN+aB hgwcg+JNUKM=
example.com.        3600    IN  DNSKEY  256 3 8 AwEAAeAVPTRCtLy6aSpJbsdwNMGDmLl218uKYGa0LosgpwIKdMuyp5z4 3E06O4WAR7CMZMeWo0AJ5Ma5zVp8QFkDt77r+FR8pEemNTsFJFF0/yGz 5UjvIrTkAgkqRQRiFucS2JmYCXv5YfVINr/0bk7oY9EV8rnno44bZc92 OT6MIk7X
example.com.        3600    IN  RRSIG   DNSKEY 8 2 3600 20140417221308 20140116221308 21961 example.com. S67jOAEUEL15uylQ4y6kno7naCR0wvsHJq74ZFHlDrfHHAHXaiDO3nxM ikmn+kv6mULsdH6xddCwvtLmDaYokF4zsIJGdQmyXqCCg8y4A4SsivaO uM+oO1AoXLKKo3XqNEq95gg4e70yj5FNrEk9c4zi0uT2TEOItBsZ9Y/T 8Gl2RDnLrjHf5YOO3py9SM/btwjZcu18TOJBWb9fbdYtKvntmG8tFlld McefBwn0QJ9REmy4oXf00LKXG2xZ2E20m887j3KLzY1pYIp1GZgaRwJZ ssfreEwQpcSoz1DD4MKAU0At3uCa7O8IcWx6VonhF0pZW+PzMVQGOriN 9bXLUg==
example.com.        3600    IN  RRSIG   DNSKEY 8 2 3600 20140417221308 20140116221308 15093 example.com. KwBcvyQYmX7qDZaQfrS931Fyrf1B8z/PFsXX+hYTQ1y7dIhHIEtN0WBR vyuyson0VA8PrEeUnEvWZrQL+z0Z1h9tpuFQqVWqFyBLooZATk/psPW0 7DcgXMBZ1JEq/srfJQye2MDX/iT5/+hWUJiOW+dcnIVZg2lOaehaKSQv faE=
ns.example.com.     86400   IN  A       192.168.0.1
ns.example.com.     86400   IN  RRSIG   A 8 3 86400 20140417221308 20140116221308 15093 example.com. 0KgiOQwgavCWFxd5bFTtBEMXfO4yzwC8BeKYPSMqPHSdcIsLBMF7wUAR YV193/OM6mTJF9vRzdlUro9kfmFBnX3xC0jVkpcpj1YVP6pTGeB8KGSk OdfC6+H658KscB2eq/XcvFtE4VktU3QPZOW8zj4GquNpNR79fan/Idh2 OXA=
ns.example.com.     10800   IN  NSEC    example.com. A RRSIG NSEC
ns.example.com.     10800   IN  RRSIG   NSEC 8 3 10800 20140417221308 20140116221308 15093 example.com. Tf+bAbucKKVh7HoBaE2xZNb1yxyON/x5JCPRJs9ybFi1a5eE26Thi1L0 +mrIpZVwTIwPJSfKqKO2MZePqB0fXWBq0M1HPslRbW9pjb+K+IqNSi/k ybSshxj/fdkhown/a0wPZ2w0XAYY5Q8x3sc2UO2+GD8nJReAcNkO3hWe tKs=
example.com.        86400   IN  SOA     ns1.example.com. hostmaster.example.com. 2014011701 10800 15 604800 10800
example.com.        86400   IN  RRSIG   SOA 8 2 86400 20140417221308 20140116221308 15093 example.com. alxE/TLfVRML1EAHCiVDEwmaOjaPdowXxfkompXG3MwJ7tDOQcFV2O2+ 9F4TlB+l0nbfWi0mk7YWBk+w03God8RnUez9KZwhmrGAgEfWtH6kiO7A LEwSPgHTS5cfQah8KGAT6o7DMWOdH0ii2EnJNzqi3gt+SR1bSPw8kTNE TOU=
;; Query time: 10 msec
;; SERVER: 10.0.20.22#53(10.0.20.22)
;; WHEN: Fri Jan 17 18:44:36 EST 2014
;; XFR size: 15 records (messages 7, bytes 2291)

Here's the config:

options {
    directory "/opt/local";
    pid-file "server.pid";
    dnssec-enable yes;
    version "SNIP";
};

zone "z1.example.com" IN {
    type master;
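In BIND, "extra input data" is the text of the DNS_R_EXTRADATA result, which dns_rdata_fromwire() returns when a record's RDLENGTH covers more bytes than the type-specific RDATA layout actually consumes; named abandons the transfer at that record. dig cannot point at it, because it prints the decoded fields and never reports leftover bytes. What follows is an added example, not code from the original post or from ISC: a small parser for one raw DNS message that walks every record and reports how many RDATA bytes BIND would leave unconsumed, plus any bytes after the last record. It only checks types with a fixed layout (A, AAAA, NS, CNAME, PTR, MX, SOA). RRSIG, DNSKEY and NSEC, the other types in the zone above, consume everything up to RDLENGTH by design and cannot produce this error, so in this particular zone the culprit must be an SOA, NS or A record. The sample message is constructed here (its A record carries RDLENGTH 5) so the script runs offline; names, addresses and the message ID in it are made up.

```python
import struct

# RDATA layouts with a fixed structure that BIND's dns_rdata_fromwire() must
# consume exactly. The remaining types in the posted zone (RRSIG, DNSKEY, NSEC)
# swallow everything up to RDLENGTH, so they cannot raise DNS_R_EXTRADATA.
FIXED_LAYOUT = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}
VARIABLE_LAYOUT = {16: "TXT", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, end offset)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer, RFC 1035 4.1.4
            if resume is None:
                resume = off + 2                  # the name ends after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 127:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if resume is None else resume)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def rdata_used(msg, rtype, start):
    """RDATA bytes the type-specific layout consumes, or None for unchecked types."""
    if rtype == 1:
        return 4
    if rtype == 28:
        return 16
    if rtype in (2, 5, 12):                       # NS, CNAME, PTR: a single name
        return read_name(msg, start)[1] - start
    if rtype == 15:                               # MX: uint16 preference, then a name
        return read_name(msg, start + 2)[1] - start
    if rtype == 6:                                # SOA: mname, rname, five uint32 fields
        off = read_name(msg, start)[1]
        off = read_name(msg, off)[1]
        return off - start + 20
    return None


def scan_message(msg):
    """Walk one DNS message; return ([record dicts], bytes left after the last record).

    A record whose 'extra' is non-zero is the one named rejects with
    "extra input data"."""
    _msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # question: QNAME, QTYPE, QCLASS
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        used = rdata_used(msg, rtype, off)
        records.append({
            "owner": owner,
            "type": FIXED_LAYOUT.get(rtype) or VARIABLE_LAYOUT.get(rtype, "TYPE%d" % rtype),
            "rdlength": rdlength,
            "extra": None if used is None else rdlength - used,
        })
        off += rdlength
    return records, len(msg) - off


def encode_name(name):
    """Uncompressed wire form of a dotted name (used only to build the sample)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(owner, rtype, rdata, ttl=86400):
    """One resource record in wire form, class IN."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_axfr_message():
    """Constructed AXFR-style response: SOA, NS, a deliberately over-long A, SOA.

    The A record carries RDLENGTH 5 for a 4-byte address, the kind of encoding
    slip a non-BIND server can make; BIND consumes 4 bytes and sees 1 left over."""
    soa = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
           + struct.pack("!IIIII", 2014011701, 10800, 15, 604800, 10800))
    bad_a = bytes([192, 168, 0, 1]) + b"\x00"     # one stray trailing byte
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)   # QR=1 AA=1, 1 question, 4 answers
    question = encode_name("example.com.") + struct.pack("!HH", 252, 1)   # QTYPE AXFR, class IN
    return (header + question
            + rr("example.com.", 6, soa)
            + rr("example.com.", 2, encode_name("ns.example.com."))
            + rr("ns.example.com.", 1, bad_a)
            + rr("example.com.", 6, soa))


def offending_records(msg):
    """(owner, type, extra bytes) for every record BIND would reject."""
    records, _trailing = scan_message(msg)
    return [(r["owner"], r["type"], r["extra"]) for r in records if r["extra"]]


if __name__ == "__main__":
    for owner, rtype, extra in offending_records(sample_axfr_message()):
        print("%s %s: %d extra RDATA byte(s)" % (owner, rtype, extra))
```

To run this against the real transfer, capture it on the slave (for example tcpdump -s0 -w axfr.pcap tcp port 53 and host 10.0.20.22), then hand each DNS message from the TCP stream, minus its two-byte length prefix, to scan_message(); the record with a non-zero extra count is the one the other server is encoding with an RDLENGTH larger than its content.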
transfer signed zone
Receiving the following lines when transferring from a non-BIND server. Is there a way to identify the "extra input data"?

Jan 17 17:16:35 had4 named[6497]: running
Jan 17 17:16:35 had4 named[6497]: zone example.com/IN: Transfer started.
Jan 17 17:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10.0.20.22#53: connected using 10.0.20.23#50917
Jan 17 17:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10.0.20.22#53: failed while receiving responses: extra input data
Jan 17 17:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10.0.20.22#53: Transfer completed: 6 messages, 16 records, 2046 bytes, 0.005 secs (409200 bytes/sec)

Here's the dig output.

[root@had4 local]# dig @10.0.20.22 AXFR example.com

; <<>> DiG 9.9.4-P2 <<>> @10.0.20.22 AXFR example.com
; (1 server found)
;; global options: +cmd
example.com.        86400   IN  SOA     ns1.example.com. hostmaster.example.com. 2014011701 10800 15 604800 10800
example.com.        86400   IN  RRSIG   SOA 8 2 86400 20140417221308 20140116221308 15093 example.com. alxE/TLfVRML1EAHCiVDEwmaOjaPdowXxfkompXG3MwJ7tDOQcFV2O2+ 9F4TlB+l0nbfWi0mk7YWBk+w03God8RnUez9KZwhmrGAgEfWtH6kiO7A LEwSPgHTS5cfQah8KGAT6o7DMWOdH0ii2EnJNzqi3gt+SR1bSPw8kTNE TOU=
example.com.        86400   IN  NS      ns.example.com.
example.com.        86400   IN  RRSIG   NS 8 2 86400 20140417221308 20140116221308 15093 example.com. hlkdQhwcElD3bWtsIkySNJuwaXKtiVQaRiZX3IRcK8xU6UHwg4QQOt96 oNFCdCx3TZOROL3rf7OyESdL4YeSlzj9CAMuEzKPPOrcJXyILMJdGymY JEQxMkrz+YbA9gbZwlA0Agk9bNBa51zQThsQD4bB9y3lTtOvuIcI3cxg 1Qw=
example.com.        10800   IN  NSEC    ns.example.com. NS SOA RRSIG NSEC
example.com.        10800   IN  RRSIG   NSEC 8 2 10800 20140417221308 20140116221308 15093 example.com. jGZPr5cSMs8vZaBcrA4ldTxz5J1u13vIimT5oeq6ZPsNODl9GGWjtrjA a6w6ElUgpHredujLG8GnBQpwOj+6Si110omD0RioVyqtoIzdTxh5PnJw w7ni5XWV1MpyeDVp1Nl1+CGH8tyGB1DTrVMjTvdUlOWS/fM/FGCvpyAZ WMs=
example.com.        3600    IN  DNSKEY  257 3 8 AwEAAb1H+j4Nt3UNOagcrgeJWjM1HepFd1EmG7mPYVGxhWeeJwVU6zOB eqwqpazyuFac+o+YG5YN4xk9wjaXcgNZgEnmOVTK2QpWd/f8M/9FKGjv OiUmTcnccYXli/w7r93Gm14hX52TdBRjtUVMEFqoTypFvTEK46e+DUsf 7/z4sItvaQM/xAhqMXmNJwuPd6HAQviPX6pR6KLz7nR10MoPbMVNUipz ajGXUb8mTLqbRgdRdxWcJ/KSt5WgykLwGe1jSCpIPF7MDFEh7uaZQUTO geuieKVZoVWblEK9Bv6I3VBYOx+eAXVrmSxbWz2LZlo8uaY7i6TWN+aB hgwcg+JNUKM=
example.com.        3600    IN  DNSKEY  256 3 8 AwEAAeAVPTRCtLy6aSpJbsdwNMGDmLl218uKYGa0LosgpwIKdMuyp5z4 3E06O4WAR7CMZMeWo0AJ5Ma5zVp8QFkDt77r+FR8pEemNTsFJFF0/yGz 5UjvIrTkAgkqRQRiFucS2JmYCXv5YfVINr/0bk7oY9EV8rnno44bZc92 OT6MIk7X
example.com.        3600    IN  RRSIG   DNSKEY 8 2 3600 20140417221308 20140116221308 21961 example.com. S67jOAEUEL15uylQ4y6kno7naCR0wvsHJq74ZFHlDrfHHAHXaiDO3nxM ikmn+kv6mULsdH6xddCwvtLmDaYokF4zsIJGdQmyXqCCg8y4A4SsivaO uM+oO1AoXLKKo3XqNEq95gg4e70yj5FNrEk9c4zi0uT2TEOItBsZ9Y/T 8Gl2RDnLrjHf5YOO3py9SM/btwjZcu18TOJBWb9fbdYtKvntmG8tFlld McefBwn0QJ9REmy4oXf00LKXG2xZ2E20m887j3KLzY1pYIp1GZgaRwJZ ssfreEwQpcSoz1DD4MKAU0At3uCa7O8IcWx6VonhF0pZW+PzMVQGOriN 9bXLUg==
example.com.        3600    IN  RRSIG   DNSKEY 8 2 3600 20140417221308 20140116221308 15093 example.com. KwBcvyQYmX7qDZaQfrS931Fyrf1B8z/PFsXX+hYTQ1y7dIhHIEtN0WBR vyuyson0VA8PrEeUnEvWZrQL+z0Z1h9tpuFQqVWqFyBLooZATk/psPW0 7DcgXMBZ1JEq/srfJQye2MDX/iT5/+hWUJiOW+dcnIVZg2lOaehaKSQv faE=
ns.example.com.     86400   IN  A       192.168.0.1
ns.example.com.     86400   IN  RRSIG   A 8 3 86400 20140417221308 20140116221308 15093 example.com. 0KgiOQwgavCWFxd5bFTtBEMXfO4yzwC8BeKYPSMqPHSdcIsLBMF7wUAR YV193/OM6mTJF9vRzdlUro9kfmFBnX3xC0jVkpcpj1YVP6pTGeB8KGSk OdfC6+H658KscB2eq/XcvFtE4VktU3QPZOW8zj4GquNpNR79fan/Idh2 OXA=
ns.example.com.     10800   IN  NSEC    example.com. A RRSIG NSEC
ns.example.com.     10800   IN  RRSIG   NSEC 8 3 10800 20140417221308 20140116221308 15093 example.com. Tf+bAbucKKVh7HoBaE2xZNb1yxyON/x5JCPRJs9ybFi1a5eE26Thi1L0 +mrIpZVwTIwPJSfKqKO2MZePqB0fXWBq0M1HPslRbW9pjb+K+IqNSi/k ybSshxj/fdkhown/a0wPZ2w0XAYY5Q8x3sc2UO2+GD8nJReAcNkO3hWe tKs=
example.com.        86400   IN  SOA     ns1.example.com. hostmaster.example.com. 2014011701 10800 15 604800 10800
example.com.        86400   IN  RRSIG   SOA 8 2 86400 20140417221308 20140116221308 15093 example.com. alxE/TLfVRML1EAHCiVDEwmaOjaPdowXxfkompXG3MwJ7tDOQcFV2O2+ 9F4TlB+l0nbfWi0mk7YWBk+w03God8RnUez9KZwhmrGAgEfWtH6kiO7A LEwSPgHTS5cfQah8KGAT6o7DMWOdH0ii2EnJNzqi3gt+SR1bSPw8kTNE TOU=
;; Query time: 10 msec
;; SERVER: 10.0.20.22#53(10.0.20.22)
;; WHEN: Fri Jan 17 18:44:36 EST 2014
;; XFR size: 15 records (messages 7, bytes 2291)

Here's the config:

options {
    directory "/opt/local";
    pid-file "server.pid";
    dnssec-enable yes;
    version "SNIP";
};

zone "z1.example.com" IN {
    type master;
    file "z1.example.com.db";
};

zone "example.com" IN {
    type slave;
    file "secondary.example.com.db";
    masters { 10.0.20.22; };
};

logging {
    channel dnssec {
        file "dnssec" versions 10 size 500k
Re: Rate-limiting - working? How to test?
On 17/01/14 14:22, Rich Goodson wrote:
> You need a rate-limit log stanza to see rate limiting information (rate limiting from IP address, no longer
> limiting from IP address, etc), and the individual queries that are not responded to are logged either in
> your querylog or query-errors (can’t remember which off the top of my head).
>
Yup, that was it :-) I had no 'query-errors' logging set up. I now see the queries being rate-limited (or they would be if I removed/changed the 'log-only' option.)

Thanks,

John.
Re: Rate-limiting - working? How to test?
John,

"log-only yes;" is the reason you are not seeing any rate limiting. You are telling your server not to actually do any rate limiting, just to log what it would have done.

You didn’t post any more of your named.conf, but I would assume you don’t have any logging set up for rate limiting, so you don’t see any of that either. You need a rate-limit log stanza to see rate limiting information (rate limiting from IP address, no longer limiting from IP address, etc), and the individual queries that are not responded to are logged either in your querylog or query-errors (can’t remember which off the top of my head).

-Rich

On Jan 17, 2014, at 7:34 AM, John Horne wrote:

> Hello,
>
> I have BIND 9.9.4 installed on a server, and have included in the global
> options:
>
>     rate-limit {
>         responses-per-second 5;
>         log-only yes;
>     };
>
> However, if I run from a client:
>
>     for n in `seq 1 10`; do dig +short jhorne.csd.plymouth.ac.uk a @141.163.66.138; done
>
> I get 10 correct responses. The query log file on the server shows that 10
> queries were received:
>
>     17-Jan-2014 13:20:43.662 client 141.163.66.139#55184 (jhorne.csd.plymouth.ac.uk): view plymouth-only: query: jhorne.csd.plymouth.ac.uk IN A + (141.163.66.138)
>
> (The other 9 log entries are the same, except for the milliseconds increasing
> slightly.)
>
> It's Friday afternoon, so I'm probably missing something obvious :-) I cannot
> see why all the queries were responded to, I expected some queries to timeout
> and something to be logged (none of the other bind logs contain anything
> about rate limiting).
>
> Thanks,
>
> John.
Re: Rate-limiting - working? How to test?
On Fri, Jan 17, 2014 at 01:34:00PM +0000, John Horne wrote a message of 40 lines which said:

> log-only yes;

From the ARM:

    Use log-only yes to test rate limiting parameters without actually dropping any requests.

> I get 10 correct responses.

It makes sense.
Rate-limiting - working? How to test?
Hello,

I have BIND 9.9.4 installed on a server, and have included in the global options:

    rate-limit {
        responses-per-second 5;
        log-only yes;
    };

However, if I run from a client:

    for n in `seq 1 10`; do dig +short jhorne.csd.plymouth.ac.uk a @141.163.66.138; done

I get 10 correct responses. The query log file on the server shows that 10 queries were received:

    17-Jan-2014 13:20:43.662 client 141.163.66.139#55184 (jhorne.csd.plymouth.ac.uk): view plymouth-only: query: jhorne.csd.plymouth.ac.uk IN A + (141.163.66.138)

(The other 9 log entries are the same, except for the milliseconds increasing slightly.)

It's Friday afternoon, so I'm probably missing something obvious :-) I cannot see why all the queries were responded to, I expected some queries to timeout and something to be logged (none of the other bind logs contain anything about rate limiting).

Thanks,

John.
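Two things keep a dig loop like the one in the question above from showing any limiting. First, log-only yes never drops a response; take it out (or set log-only no) and the configured limit takes effect, at which point a logging channel for the rate-limit category (start/stop of limiting per client) and for query-errors, together with the RateDropped and RateSlipped counters in the rndc stats output, show what is being limited. Second, even with dropping enabled, RRL's default slip 2 answers every second would-be-dropped query with a truncated (TC=1) reply, and dig silently retries those over TCP, where RRL does not apply, so dig +short can still print ten good answers. Either run dig with +ignore so it stops retrying over TCP, or send plain UDP yourself. The block below is an added example, not from the thread or from ISC: it builds its own queries with the Python standard library, fires a burst over UDP, never retries, and tallies full answers, TC replies (slips) and missing replies (drops). The server address and query name in it are placeholders (192.0.2.53 and www.example.com); point them at your own server and a name it is authoritative for.

```python
import socket
import struct

# Assumptions for the demo: an RFC 5737 documentation address and a placeholder
# name. Substitute your own authoritative test server and one of its names.
SERVER = "192.0.2.53"
QNAME = "www.example.com."
TC_BIT = 0x0200                # truncation flag in the DNS header flags word


def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, msg_id=0x1234):
    """Minimal RD=1 query, class IN, no EDNS: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def classify(reply, expected_id):
    """Label a UDP reply: 'answered', 'truncated' (an RRL slip) or 'foreign' (wrong ID)."""
    msg_id, flags = struct.unpack("!HH", reply[:4])
    if msg_id != expected_id:
        return "foreign"
    return "truncated" if flags & TC_BIT else "answered"


def probe(server, qname, count=10, timeout=1.0, port=53):
    """Fire `count` identical UDP queries back to back and tally what comes back.

    Queries with no reply before `timeout` count as dropped. There is deliberately
    no TCP retry, so RRL's truncated "slip" replies stay visible instead of being
    turned into full answers the way dig does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    pending = set()
    for i in range(count):
        msg_id = (0x4000 + i) & 0xFFFF
        sock.sendto(build_query(qname, msg_id=msg_id), (server, port))
        pending.add(msg_id)
    tally = {"answered": 0, "truncated": 0, "dropped": 0}
    while pending:
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            break
        msg_id = struct.unpack("!H", data[:2])[0]
        if msg_id in pending:                    # ignore stray or duplicate replies
            pending.discard(msg_id)
            tally[classify(data, msg_id)] += 1
    sock.close()
    tally["dropped"] = len(pending)
    return tally


if __name__ == "__main__":
    # With responses-per-second 5 and log-only off, expect only part of the burst
    # fully answered and the rest split between truncated and dropped; with
    # log-only yes every query is answered and only the logs change.
    print(probe(SERVER, QNAME))
```

RRL keys its accounting on the response and the client's /24 (ipv4-prefix-length 24 by default), so the burst must come from one address and ask for the same name and type, exactly as the original loop did; spreading the test across several names or clients will not trip the limit.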