Re: BIND 9.10 compilation problem for FreeBSD 6.x/7.x
Mark Andrews ma...@isc.org wrote:
> Also one shouldn't need to add LDFLAGS=-R/opt/OpenSSL/lib. configure adds it itself if the platform needs it. --with-openssl=/opt/OpenSSL should be enough.

I think the bug here is that configure assumes the admin has added all possible library directories to the RTLD path, so it does not specify an RPATH at all. However if (like me) you are passing a specific path to configure then there is probably a good reason you aren't using the usual system library locations, so you need -R as well as -L and -I.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
North Malin, Hebrides, Bailey: Variable or cyclonic 3 or 4, occasionally 5 except in Hebrides. Moderate or rough. Rain or thundery showers. Good, occasionally poor.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RPZ and www.rackspace.com
We have just enabled RPZ with some NSDNAME checks and are seeing an issue resolving www.rackspace.com. The first lookup is successful and returns both the CNAME and the A record. The second query, within a second of the first, will only return the CNAME. It will only return the CNAME until the TTL of the A record times out. The first query, when it actually has to go out and do recursion, will always work. Answering from cache will always fail.

When you inspect the cache during the time that it is only returning the CNAME, the record in cache is www.wip.rackspace.com type ANY NXDOMAIN. This only happens with RPZs enabled and the query hitting an RPZ zone with an NSDNAME line. Turning off RPZ or whitelisting the lookup via RPZ before it hits an RPZ with NSDNAME allows the query to be successful 100% of the time.

Can anyone else verify this behavior? What is going on with www.rackspace.com? If this is a misconfiguration on Rackspace's DNS servers, how are they not getting hit with support calls like crazy?

dig @redacted.cat.com www.rackspace.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @redacted.cat.com www.rackspace.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30337
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.rackspace.com.		IN	A

;; ANSWER SECTION:
www.rackspace.com.	300	IN	CNAME	www.wip.rackspace.com.
www.wip.rackspace.com.	30	IN	A	173.203.44.116

;; Query time: 193 msec
;; SERVER: redacted
;; WHEN: Wed May  7 08:53:08 2014
;; MSG SIZE  rcvd: 73

dig @redacted.cat.com www.rackspace.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @redacted.cat.com www.rackspace.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25905
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.rackspace.com.		IN	A

;; ANSWER SECTION:
www.rackspace.com.	298	IN	CNAME	www.wip.rackspace.com.

;; AUTHORITY SECTION:
wip.rackspace.com.	58	IN	SOA	www-gtm-ord1.rackspace.com. hostmaster.305181-GTM1.rackspace.com. 86 10800 3600 604800 60

;; Query time: 2 msec
;; SERVER: redacted
;; WHEN: Wed May  7 08:53:10 2014
;; MSG SIZE  rcvd: 129

David A. Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services
evans_davi...@cat.com
Re: RPZ and www.rackspace.com
On 07/05/14 15:05, David A. Evans wrote:
> Can anyone else verify this behavior? What is going on with www.rackspace.com? If this is a misconfiguration on Rackspace's DNS servers, how are they not getting hit with support calls like crazy?

We don't have any NSDNAME RPZ entries, and see no problem.

Note that the CNAME points to a delegated sub-zone, wip.rackspace.com - probably a load-balancer. Do any of the 3 NS records for that:

www-gtm-ord1.rackspace.com
www-gtm-lon3.rackspace.com
www-gtm-iad2.rackspace.com

...appear in your NSDNAME list?
Re: RPZ and www.rackspace.com
No, *rackspace* appears nowhere in our RPZ feeds save the new entry that works around the issue. This entry excludes it from hitting the RPZ zone with the NSDNAME records via a PASSTHRU line in an earlier RPZ zone.

David A. Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services
(309) 675-9700
evans_davi...@cat.com

From: Phil Mayers p.may...@imperial.ac.uk
To: bind-users@lists.isc.org
Date: 05/07/2014 09:30 AM
Subject: Re: RPZ and www.rackspace.com
Sent by: bind-users-boun...@lists.isc.org

> Note that the CNAME points to a delegated sub-zone, wip.rackspace.com - probably a load-balancer. Do any of the 3 NS records for that:
>
> www-gtm-ord1.rackspace.com
> www-gtm-lon3.rackspace.com
> www-gtm-iad2.rackspace.com
>
> ...appear in your NSDNAME list?
Re: RPZ and www.rackspace.com
I've done some more troubleshooting with info from people that responded directly to me and not to the list. This can be reproduced without any RPZ loaded by mimicking the behavior of the RPZ lookups required to validate NSDNAME lines. Issue these 'digs' within 30 seconds of each other.

dig www.wip.rackspace.com
www.wip.rackspace.com. 30 IN A 173.203.44.116

dig www.wip.rackspace.com NS
(NXDOMAIN)

dig www.wip.rackspace.com
(NXDOMAIN)

I think this is another case of misconfigured load balancers. Shouldn't the NS record lookup respond with a NODATA response and not NXDOMAIN?

That still doesn't really answer why a site as big as www.rackspace.com isn't getting hit with support issues on their web site. It only took us about 4 hours into our first production day with NSDNAMEs in our RPZ to get a call about www.rackspace.com not loading.

David A. Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services
evans_davi...@cat.com
Re: RPZ and www.rackspace.com
In message <ofdc3c86d9.d668b707-on86257cd1.005339fc-86257cd1.00543...@notes.cat.com>, David A. Evans writes:
> I've done some more troubleshooting with info from people that responded directly to me and not to the list. This can be reproduced without any RPZ loaded by mimicking the behavior of the RPZ lookups required to validate NSDNAME lines. Issue these 'digs' within 30 seconds of each other.
>
> dig www.wip.rackspace.com
> www.wip.rackspace.com. 30 IN A 173.203.44.116
>
> dig www.wip.rackspace.com NS
> (NXDOMAIN)
>
> dig www.wip.rackspace.com
> (NXDOMAIN)
>
> I think this is another case of misconfigured load balancers. Shouldn't the NS record lookup respond with a NODATA response and not NXDOMAIN?

Yes. The name exists.

> That still doesn't really answer why a site as big as www.rackspace.com isn't getting hit with support issues on their web site. It only took us about 4 hours into our first production day with NSDNAMEs in our RPZ to get a call about www.rackspace.com not loading.

Because NS queries are not common with normal DNS lookups.

For some reason people that deploy load balancers think they don't need to fix issues like this. Send something other than an A record and you get:

- NXDOMAIN being returned when the name exists.
- NOTIMP being returned. (Really you can't just send NODATA?)
- REFUSED being returned. (Really you don't want to tell us the record does not exist?)
- the wrong SOA being returned.
- malformed RDATA with the content being the A record content.

Mark
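The A-then-NS probe David describes and the failure list Mark gives, as an added example that is not part of the thread: a checker that judges a non-A answer against an A baseline for the same name, plus a minimal negative-cache model showing why the cached A record vanishes after the NXDOMAIN. The responses are constructed inline from the records quoted above; the 60-second SOA TTL is an assumption (the page shows 58 seconds remaining).

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    """One authoritative answer, reduced to what the check needs."""
    rcode: str                                   # NOERROR, NXDOMAIN, NOTIMP, REFUSED
    answers: list = field(default_factory=list)  # (owner, ttl, rtype, rdata)
    authority: list = field(default_factory=list)


def classify(name, zone, qtype, baseline, probe):
    """Judge a non-A probe answer against a NOERROR/A baseline for the same name.

    Returns a list of findings; an empty list means the server behaved."""
    base_a = [r for r in baseline.answers if r[0] == name and r[2] == "A"]
    if baseline.rcode != "NOERROR" or not base_a:
        return ["no A baseline for %s: cannot judge the %s answer" % (name, qtype)]
    findings = []
    if probe.rcode == "NXDOMAIN":
        findings.append("NXDOMAIN for %s although %s exists (it has an A record); "
                        "a resolver will negative-cache the whole name" % (qtype, name))
    elif probe.rcode in ("NOTIMP", "REFUSED"):
        findings.append("%s for %s instead of a NODATA answer" % (probe.rcode, qtype))
    elif probe.rcode == "NOERROR":
        a_rdata = {r[3] for r in base_a}
        for _owner, _ttl, rtype, rdata in probe.answers:
            if rtype == qtype and rdata in a_rdata:
                findings.append("malformed %s RDATA carrying the A content %s" % (qtype, rdata))
        if not probe.answers:
            # NODATA: the SOA in AUTHORITY must belong to the zone that holds the name.
            for owner, _ttl, rtype, _rdata in probe.authority:
                if rtype == "SOA" and owner != zone:
                    findings.append("wrong SOA %s in NODATA answer; expected %s" % (owner, zone))
    else:
        findings.append("unexpected rcode %s for %s" % (probe.rcode, qtype))
    return findings


class ResolverCache:
    """Minimal negative-cache model: an NXDOMAIN is remembered per name and
    shadows every positive RRset for that name until it expires (RFC 2308)."""

    def __init__(self):
        self.positive = {}   # (name, rtype) -> (expires_at, [rdata, ...])
        self.nxdomain = {}   # name -> expires_at

    def store(self, now, name, resp):
        if resp.rcode == "NXDOMAIN":
            ttls = [r[1] for r in resp.authority if r[2] == "SOA"]
            self.nxdomain[name] = now + (min(ttls) if ttls else 0)
        elif resp.rcode == "NOERROR":
            for owner, ttl, rtype, rdata in resp.answers:
                exp, rdatas = self.positive.get((owner, rtype), (now + ttl, []))
                self.positive[(owner, rtype)] = (exp, rdatas + [rdata])

    def lookup(self, now, name, rtype):
        """Return ('NXDOMAIN', []), ('HIT', rdatas) or ('MISS', [])."""
        if self.nxdomain.get(name, 0) > now:
            return "NXDOMAIN", []
        exp, rdatas = self.positive.get((name, rtype), (0, []))
        return ("HIT", rdatas) if exp > now else ("MISS", [])


# Constructed from the thread: the A answer and the SOA seen in the AUTHORITY
# section. The 60s SOA TTL is assumed (the page shows 58s remaining).
NAME, ZONE = "www.wip.rackspace.com.", "wip.rackspace.com."
SOA = (ZONE, 60, "SOA", "www-gtm-ord1.rackspace.com. hostmaster.305181-GTM1.rackspace.com. "
                        "86 10800 3600 604800 60")
A_OK = Response("NOERROR", answers=[(NAME, 30, "A", "173.203.44.116")])
NS_NXDOMAIN = Response("NXDOMAIN", authority=[SOA])   # what the load balancer sent
NS_NODATA = Response("NOERROR", authority=[SOA])      # what it should have sent


def replay(ns_answer):
    """Replay the A-then-NS sequence; return (findings, cached A answer one second later)."""
    cache = ResolverCache()
    cache.store(0, NAME, A_OK)          # first lookup: recursion, A is cached
    cache.store(1, NAME, ns_answer)     # NSDNAME check makes the resolver ask for NS
    return classify(NAME, ZONE, "NS", A_OK, ns_answer), cache.lookup(2, NAME, "A")


if __name__ == "__main__":
    for label, ans in (("observed", NS_NXDOMAIN), ("correct", NS_NODATA)):
        findings, cached = replay(ans)
        print(label, findings or ["ok"], "second A lookup from cache:", cached)
```

With the observed NXDOMAIN the second A lookup is answered NXDOMAIN from cache until the negative entry expires, which is exactly the symptom reported above; the NODATA variant leaves the A record servable.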
Re: Multi-master (HA)
I run a multi-master environment. We have 3 data centers which are considered to be able to run even though the rest are down.

Initially, we ran our masters with the same exact configurations on each. One of the data centers was administratively defined as being the 'update master'. From there, any changes were first done locally and then rsync'd to each of the other data centers. Once in place, rndc reload was executed to pick up the changes on all of the masters. However, with the dawning of DNSSEC, that became problematic.

Later we moved to dynamic updates and simply sent the update commands to each master separately. That worked but still resulted in issues with resyncing the zones after one of the data centers was out of communication.

Now we have moved to one 'update master' and the rest being slave masters. When we want to change the update master, we have scripts which make the needed mods in the zone configurations and then restart named. It's not the prettiest method but it does provide the single point of update, automatic recovery if one of the datacenters is not reachable and full support of DNSSEC. There is no issue with zone file format as the zones are kept in text format and upon conversion to slave, we touch each of the files to prevent the new slave from expiring the zones immediately.

-- John

On 5/6/2014 2:20 PM, Baird, Josh wrote:
> Hi,
>
> For those of you who operate at multiple sites or datacenters, are you doing any HA for your BIND masters? Ideally, we would have a master in each datacenter; maybe not an active one, but one that is standing by in case your primary master becomes unavailable. Do you have multiple active masters and list them as master in each of your slave's zone definitions? This seems like it could get rather messy.
>
> One thought is to use a technology like VMWare SRM which will spin up a master/virtual machine automatically in a second datacenter if your primary master goes down. This coupled with Layer2 connectivity between your sites could make things fairly simple. The standby/secondary master would retain the same IP address as your primary, so everything should just *work*.
>
> What are others doing? Any thoughts, ideas or advice is much appreciated.
>
> Thanks,
>
> Josh
Re: Multi-master (HA)
I run bind multi master on 5 different sites. My solution is bind-dlz with a galeraDB backend. We are very satisfied by this configuration and it has worked flawlessly until now.

Rick

On 5/7/14 8:11 PM, John Wingenbach wrote:
> I run a multi-master environment. We have 3 data centers which are considered to be able to run even though the rest are down.
> [...]
Re: Multi-master (HA)
On 05/06/14 13:39, Evan Hunt wrote:
> On Tue, May 06, 2014 at 06:20:11PM +0000, Baird, Josh wrote:
>> For those of you who operate at multiple sites or datacenters, are you doing any HA for your BIND masters?
>> [...]
>
> Thank you for bringing this up. As it happens, high-availability/multi-master support in BIND is something we've been seriously considering for a future release. There's been a lot of internal discussion of use cases, requirements, and possible design approaches.
>
> I don't want to influence the conversation here by saying too much about the ideas we've had so far, but I wanted to say: if anyone has specific thoughts on how to make this sort of thing easier in BIND -- even just at the level of "boy, it irritates me that I can't make BIND do X" -- such comments will fall on welcoming ears.

I hadn't thought of doing multi-master...but the issue of promoting a slave to master for DR had come up. At the time the problem was DNSSEC. It's one thing for the slave to become master, it's another when it needs to change entries in the zone file to redirect key web-services to DR instances. (at the time, it was create two signed zone files each time...and secure transfer the second one out of band...but no DR web servers were ever set up, so both were identical files and eventually got scrapped. The issue of raw vs text on secondaries came up after abandonment.

But, DR comes up now and then...recently it's using DNS appliances and cloud...

OTOH, the idea of multi-master is intriguing...the only down side I see, is that I have one really powerful server for my current master (Sun Fire X4170) and my other servers are weak leftovers...just passed EOL last year. And, having all the servers doing full DNSSEC signing could be interesting. It also raises the question of how does the outside world cope with all the servers having identical zones...signed at slightly different times, etc. (especially since I'm using unix timestamp for zone serial...avoids issues of multiple admins incrementing serial without noticing others and/or collisions with DNSSEC's incrementing of serials.)

But, it shouldn't be too hard to implement since our nameservers are managed by CFEngine. And, it makes it possible for all my name servers to have both internal and external views, instead of having to have separate external slaves and internal slaves. (and other issues that I'm still working through with having this...namely my recursive caching servers hitting external slaves instead of internal slaves...)

Things have gotten more complicated since we started allowing vanity internal names...before it was one subdomain that only existed on internal, and everybody had to put their host in there, as dept-host.subdomain.ksu.edu, but then certain VIPs wanted host.dept.ksu.edu to work even though it's a 10.x.x.x address.

It would also mean one of our satellite campuses that refuses to use our caching servers (and even sent our server that was providing the service for their campus back, which they had firewalled their users from using while it was there)...can have their own caching servers work without needing to understand that our whois record doesn't list our stealth/internal nameservers...which is why they can't resolve any internal services and need to track down somebody to give them the 10.x.x.x IP and having their users use that, etc.

Wonder if they know about the change in forwarding on my caching resolvers to AD?

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: Point domain name of my zone to name in somebody else's zone?
DNAME ?

On 05/06/14 11:44, Rom, Gloria wrote:
> Yup, that's what I was asking. Thanks.
>
> Gloria Rom
> UCLA Library Digital Initiatives and Information Technology
> glor...@library.ucla.edu
> 310-206-9784
>
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
> Sent: Tuesday, May 06, 2014 9:39 AM
> To: bind-users@lists.isc.org
> Subject: Re: Point domain name of my zone to name in somebody else's zone?
>
>> The apex name of a zone can't own a CNAME, if that's what you're asking. E.g. the name example.com can't be a CNAME pointing at otherexample.com. But, of course, you can certainly put A and/or AAAA records at the apex, that resolve to one or more addresses in one or more ranges you don't own/control.
>>
>> - Kevin
>>
>> On 5/6/2014 12:31 PM, Rom, Gloria wrote:
>>> Hello All,
>>>
>>> Here's an easy one.
>>>
>>> I administer a zone that consists of a few names, each of which points to a name in a zone that I do not administer.
>>>
>>> Now my project manager wants to resolve the domain name of my zone to another name in that foreign zone.
>>>
>>> Can I tell him that it can't be done, or have I overlooked a clever workaround? I'm running an oldish version of BIND 9.
>>>
>>> Thanks,
>>>
>>> Glo
>>>
>>> Gloria Rom
>>> UCLA Library Digital Initiatives and Information Technology
>>> glor...@library.ucla.edu
>>> 310-206-9784

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: Point domain name of my zone to name in somebody else's zone?
In message <536aaf39.6000...@ksu.edu>, Lawrence K. Chen, P.Eng. writes:
> DNAME ?

No. DNAME redirects the names under it. It does not redirect the owner name.

> On 05/06/14 11:44, Rom, Gloria wrote:
>> Yup, that's what I was asking. Thanks.
>> [...]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Point domain name of my zone to name in somebody else's zone?
Oh...I misread the question...guess DNAME isn't what's wanted, just the apex to somewhere else.

Yeah...I currently just look up the name and enter A records. But, I've wondered if there was another record type that allowed it to detect address changes of the requested 'CNAME'...so I wouldn't have to. Especially, if the requested 'CNAME' is a name that is known to change its IP... Either that...or come up with a way to script it.

This is also handy when somesite.ksu.edu decides to outsource its web content to a CNAME...but wonders why they've stopped receiving mail as someaddress@somesite.ksu.edu. Though it was just a minor delay...for them to revert back to the old site, until they migrated their email accounts to the CNAME site as well. But, there have been others where that doesn't work for them.

Meanwhile...users keep thinking I can also create aliases to: https://someCNAME/some/path. I can do http, by bouncing them off a redirector; https is harder (and requires me to pass it over to a WSE.)

On 05/07/14 17:10, Lawrence K. Chen, P.Eng. wrote:
> DNAME ?
>
> On 05/06/14 11:44, Rom, Gloria wrote:
>> Yup, that's what I was asking. Thanks.
>> [...]

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
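Mark's two answers (a zone apex cannot own a CNAME; DNAME rewrites only the names below its owner, never the owner itself) and the workaround Kevin and Lawrence describe (A/AAAA records at the apex mirrored from the foreign name, refreshed by a script when that name's addresses change), as an added example that is not from the thread. The zone mysite.example and the target foreign.example are constructed names; the sync step refuses to empty the apex when the foreign lookup returned nothing, so a transient resolution failure cannot wipe the live records.

```python
APEX_TYPES = ("SOA", "NS")
ADDRESS_TYPES = ("A", "AAAA")


def dname_rewrite(qname, owner, target):
    """RFC 6672 substitution: a name *below* owner is moved below target.

    Returns None when the DNAME does not apply, including for owner itself,
    which is the point Mark makes above."""
    if qname == owner or not qname.endswith("." + owner):
        return None
    return qname[:-len(owner)] + target


def lint(records, apex):
    """Problems in a zone given as (owner, rtype, rdata) tuples."""
    problems = []
    types_at = {}
    for owner, rtype, _rdata in records:
        types_at.setdefault(owner, set()).add(rtype)
    if "SOA" not in types_at.get(apex, set()):
        problems.append("apex %s has no SOA" % apex)
    for owner, types in sorted(types_at.items()):
        # A CNAME must be the only RRset at its owner; the apex always carries
        # SOA and NS, so a CNAME there is impossible (RFC 1034 section 3.6.2).
        if "CNAME" in types and len(types) > 1:
            if owner == apex:
                problems.append("apex %s cannot own a CNAME (SOA/NS live there)" % apex)
            else:
                problems.append("CNAME at %s coexists with %s"
                                % (owner, sorted(types - {"CNAME"})))
    return problems


def sync_apex_addresses(records, apex, foreign_addrs):
    """Mirror the foreign name's current addresses into A/AAAA at the apex.

    Returns (records, changed). An empty address list is treated as a failed
    lookup and leaves the zone untouched rather than deleting the apex RRsets."""
    if not foreign_addrs:
        return list(records), False
    wanted = {("AAAA" if ":" in a else "A", a) for a in foreign_addrs}
    current = {(t, r) for o, t, r in records if o == apex and t in ADDRESS_TYPES}
    if current == wanted:
        return list(records), False
    kept = [r for r in records if not (r[0] == apex and r[1] in ADDRESS_TYPES)]
    return kept + [(apex, t, a) for t, a in sorted(wanted)], True


# Constructed zone: hostnames alias into a zone we do not control, and one
# DNAME redirects a whole subtree there.
ZONE = "mysite.example."
RECORDS = [
    (ZONE, "SOA", "ns1.mysite.example. hostmaster.mysite.example. 1 3600 900 604800 300"),
    (ZONE, "NS", "ns1.mysite.example."),
    ("www.mysite.example.", "CNAME", "app.foreign.example."),
    ("old.mysite.example.", "DNAME", "legacy.foreign.example."),
]
BAD_APEX = RECORDS + [(ZONE, "CNAME", "app.foreign.example.")]   # what the PM asked for
BAD_WWW = RECORDS + [("www.mysite.example.", "A", "192.0.2.5")]  # CNAME plus other data

if __name__ == "__main__":
    print("clean zone:", lint(RECORDS, ZONE))
    print("CNAME at apex:", lint(BAD_APEX, ZONE))
    print("DNAME owner itself:", dname_rewrite("old.mysite.example.", "old.mysite.example.",
                                               "legacy.foreign.example."))
    print("name below DNAME:", dname_rewrite("a.b.old.mysite.example.", "old.mysite.example.",
                                             "legacy.foreign.example."))
    # Addresses as a real script would obtain them by resolving app.foreign.example.
    synced, changed = sync_apex_addresses(RECORDS, ZONE, ["192.0.2.10", "2001:db8::10"])
    print("apex synced:", changed, [r for r in synced if r[0] == ZONE])
```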
Re: RRL active by default?
Can't seem to figure out how to work something like that into my configuration. It doesn't like that I have allow-recursion { k-state; }; set in options...then something about when using 'view' statements, all zones must be in views.

So, I uncommented the view ksu { lines in my config (there used to be a separate view for a JOIN K-STATE SSID, which basically sent you to a special website regardless of what you wanted to connect to...it was scrapped, because users using computers running an OS that starts with W would still be stuck going to the site when they switched to normal wireless, even though the TTL for the zone was only 5 seconds...)

And, then it finally crashed, complaining that there was no root hints for the view _ksu_bind, and making a class IN view _ksu_bind with all the same zones, including the hint zone...it still complained that there was no root hints for view _ksu_bind and crashed.

daemon.notice] starting BIND 9.9.4-P2 -c /var/chroot/named/etc/named/named.conf -4
daemon.notice] built with '--prefix=/usr/local' '--sysconfdir=/etc/named' '--localstatedir=/var' '--with-openssl' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-ipv6' '--enable-newstats' '--enable-filter-' '--enable-rrl' 'CFLAGS=-m64 -O2' 'LDFLAGS=-Wl,-R/usr/local/ssl/lib/64 -L/usr/local/ssl/lib/64 -Wl,-R/usr/local/lib/amd64 -L/usr/local/lib/amd64 -Wl,-R/usr/local/lib -L/usr/local/lib'
daemon.notice]
daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
daemon.notice] corporation. Support and training for BIND 9 are
daemon.notice] available at https://www.isc.org/support
daemon.notice]
daemon.warning] no root hints for view '_ksu_bind'
daemon.notice] command channel listening on 127.0.0.1#953
daemon.crit] db.c:795: REQUIRE(rdataset->rdclass == db->rdclass) failed, back trace
daemon.crit] #0 4307e3 in ??
daemon.crit] #1 fd7ffeef92ca in ??
daemon.crit] #2 fd7fff1d8467 in ??
daemon.crit] #3 fd7fff1dafc6 in ??
daemon.crit] #4 fd7fff1ef91e in ??
daemon.crit] #5 fd7fff2f1f39 in ??
daemon.crit] #6 fd7fff2f4b29 in ??
daemon.crit] #7 45a851 in ??
daemon.crit] #8 45bc3e in ??
daemon.crit] #9 fd7ffef1a49f in ??
daemon.crit] #10 fd7ffeacbfbb in ??
daemon.crit] exiting (due to assertion failure)

On 05/02/14 23:34, Jeremy C. Reed wrote:

On 05/02/14 09:23, Jeremy C. Reed wrote:

Only for the built-in Chaos _bind view (for id.server, authors.bind, hostname.bind, and version.bind).

On Fri, 2 May 2014, Lawrence K. Chen, P.Eng. wrote:

Awww...I found messages about version.bind.

My workaround I use is like:

    # for builtin tests do not rate-limit
    # redefine chaos builtin zones
    # can't redefine builtin view '_bind'
    view _dnsbench_bind chaos {
        recursion no;
        notify no;
        allow-new-zones no;
        rate-limit {
            responses-per-second 0;
        };
        zone "version.bind" chaos {
            type master;
            database "_builtin version";
        };
        zone "hostname.bind" chaos {
            type master;
            database "_builtin hostname";
        };
        zone "authors.bind" chaos {
            type master;
            database "_builtin authors";
        };
        zone "id.server" chaos {
            type master;
            database "_builtin id";
        };
    };

Or edit bin/named/config.c (you will quickly find the configuration) and make and install.

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
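The question in this thread is whether rate limiting is in effect for the CHAOS built-in zones on a given server. The following is an added example, not code from the thread or from BIND, that answers it empirically by firing a burst of version.bind CH TXT queries with dig at a server you operate and classifying each reply as answered, slipped (a truncated reply, which is how RRL tells a legitimate client to retry over TCP) or dropped. The server name and the sample dig outputs are constructed.

```python
"""Probe whether response rate limiting (RRL) is applied to a server's
CHAOS-class built-in zones (version.bind and friends).

Added example for the thread above; it is not code from the thread or
from BIND.  The server name and the sample dig outputs are constructed.
"""
import re
import subprocess
from collections import Counter

# Constructed sample dig outputs covering the three outcomes a probe can see.
SAMPLE_ANSWERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
# RRL 'slip': a truncated (TC) reply telling a real client to retry over TCP.
SAMPLE_SLIPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr aa tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
# RRL drop: nothing comes back, so dig (run with +tries=1 +time=1) times out.
SAMPLE_DROPPED = ";; connection timed out; no servers could be reached\n"

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


def classify(dig_output: str) -> str:
    """Map one dig run to 'dropped', 'slipped' or 'answered:<RCODE>'."""
    if "no servers could be reached" in dig_output:
        return "dropped"
    m = FLAGS_RE.search(dig_output)
    flags = m.group(1).split() if m else []
    if "tc" in flags:
        return "slipped"
    s = STATUS_RE.search(dig_output)
    return "answered:" + (s.group(1) if s else "UNKNOWN")


def summarize(outputs):
    """Count outcomes over a batch of dig runs."""
    return Counter(classify(o) for o in outputs)


def rrl_in_effect(summary) -> bool:
    """Any slipped or dropped reply means rate limiting kicked in."""
    return summary["slipped"] + summary["dropped"] > 0


def probe(server: str, count: int = 20, name: str = "version.bind"):
    """Send `count` CH TXT queries in quick succession to `server` (assumed to
    be a server you operate) and summarize what came back.  +ignore keeps dig
    from retrying truncated answers over TCP, so slips stay visible."""
    outputs = []
    for _ in range(count):
        cp = subprocess.run(
            ["dig", "@" + server, name, "CH", "TXT",
             "+ignore", "+tries=1", "+time=1"],
            capture_output=True, text=True, check=False)
        outputs.append(cp.stdout)
    return summarize(outputs)


if __name__ == "__main__":
    # Assumed hostname; replace with one of your own servers.
    result = probe("ns1.example.net")
    print(dict(result), "RRL in effect:", rrl_in_effect(result))
```

Run it once against a server with the stock configuration and once after adding a separate chaos view without rate-limit, as in the workaround above; the summary should change from slipped/dropped entries to all answered.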
Re: Multi-master (HA)
Well, we use two masters in different locations, w/o DLZ. Files for signed zones are being generated from databases and uploaded to servers. What we need here is propagation of DDNS plus periodic synchronizing of zones, journals etc.

Regarding zone templates - I'm using them with NSD4 and I'm totally happy. Actually I don't have words to emphasize how I love those templates!

2014-05-08 2:06 GMT+04:00 Lawrence K. Chen, P.Eng. lkc...@ksu.edu:

On 05/06/14 13:39, Evan Hunt wrote:

On Tue, May 06, 2014 at 06:20:11PM +, Baird, Josh wrote:

Hi,

For those of you who operate at multiple sites or datacenters, are you doing any HA for your BIND masters? Ideally, we would have a master in each datacenter; maybe not an active one, but one that is standing by in case your primary master becomes unavailable. Do you have multiple active masters and list them as master in each of your slave's zone definitions? This seems like it could get rather messy.

One thought is to use a technology like VMWare SRM which will spin up a master/virtual machine automatically in a second datacenter if your primary master goes down. This coupled with Layer2 connectivity between your sites could make things fairly simple. The standby/secondary master would retain the same IP address as your primary, so everything should just *work*.

What are others doing? Any thoughts, ideas or advice is much appreciated.

Thank you for bringing this up. As it happens, high-availability/multi-master support in BIND is something we've been seriously considering for a future release. There's been a lot of internal discussion of use cases, requirements, and possible design approaches. I don't want to influence the conversation here by saying too much about the ideas we've had so far, but I wanted to say: if anyone has specific thoughts on how to make this sort of thing easier in BIND -- even just at the level of boy, it irritates me that I can't make BIND do X -- such comments will fall on welcoming ears.
I hadn't thought of doing multi-master...but the issue of promoting a slave to master for DR had come up. At the time the problem was DNSSEC. It's one thing for the slave to become master, it's another when it needs to change entries in the zone file to redirect key web-services to DR instances. (At the time, it was create two signed zone files each time...and secure transfer the second one out of band...but no DR web servers were ever set up, so both were identical files and eventually got scrapped. The issue of raw vs text on secondaries came up after abandonment.) But, DR comes up now and then...recently it's using DNS appliances and cloud...

OTOH, the idea of multi-master is intriguing...the only downside I see is that I have one really powerful server for my current master (Sun Fire X4170)...and my other servers are weak leftovers...just passed EOL last year. And, having all the servers doing full DNSSEC signing could be interesting.

It also raises the question of how does the outside world cope with all the servers having identical zones...signed at slightly different times, etc. (especially since I'm using unix timestamp for zone serial...avoids issues of multiple admins incrementing serial without noticing others and/or collisions with DNSSEC's incrementing of serials.)

But, it shouldn't be too hard to implement since our nameservers are managed by CFEngine. And, it makes it possible for all my name servers to have both internal and external views. Instead of having to have separate external slaves and internal slaves. (and other issues that I'm still working through with having this...namely my recursive caching servers hitting external slaves instead of internal slaves...)

Things have gotten more complicated since we started allowing vanity internal names...before it was one subdomain that only existed on internal, and everybody had to put their host in there, as dept-host.subdomain.ksu.edu but then certain VIPs wanted host.dept.ksu.edu to work even though it's a 10.x.x.x address.

It would also mean one of our satellite campuses that refuses to use our caching servers (and even sent our server that was providing the service for their campus back, which they had firewalled their users from using while it was there)...can have their own caching servers work without needing to understand that our whois record doesn't list our stealth/internal nameservers...which is why they can't resolve any internal services and need to track down somebody to give them the 10.x.x.x IP and having their users use that, etc.

Wonder if they know about the change in forwarding on my caching resolvers to AD?

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
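The serial question raised above (several masters signing the same zone at slightly different times, unix-timestamp serials, and admins bumping serials independently) comes down to RFC 1982 serial arithmetic. The following is an added example, not code from the thread or from BIND, that implements the comparison, shows which serial a set of secondaries will converge on when masters disagree, and shows the one case where the unix-timestamp policy bites: a secondary still holding a date-style YYYYMMDDnn serial treats a timestamp as older and will not transfer. The serial values are constructed.

```python
"""RFC 1982 serial arithmetic and a unix-timestamp serial policy.

Added example for the multi-master discussion above; not code from the
thread or from BIND.  The serial values used are constructed.
"""
import time

MOD = 1 << 32          # zone serials are 32-bit unsigned
HALF = 1 << 31         # RFC 1982 comparison window


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is 'greater than' b under RFC 1982, i.e. a secondary
    holding serial b would transfer a zone advertised with serial a.
    Pairs exactly 2^31 apart are incomparable and yield False both ways."""
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def would_transfer(master_serial: int, secondary_serial: int) -> bool:
    """Would a secondary at secondary_serial pull the master's copy?"""
    return serial_gt(master_serial, secondary_serial)


def next_serial(current: int, now=None) -> int:
    """Unix-time serial policy: use the clock, but if that would not be
    'greater' than the current serial (clock skew, or a zone that still has a
    YYYYMMDDnn serial), bump by one instead.  This mirrors what BIND documents
    for 'serial-update-method unixtime'."""
    stamp = (int(time.time()) if now is None else int(now)) % MOD
    if serial_gt(stamp, current):
        return stamp
    return (current + 1) % MOD


def converge(serials):
    """Given the serials several masters publish for one zone, return the one
    secondaries will end up with (the RFC 1982 maximum), or None when some
    values are incomparable, so secondaries could flap between masters."""
    best = serials[0]
    for s in serials[1:]:
        if serial_gt(s, best):
            best = s
    if all(s == best or serial_gt(best, s) for s in serials):
        return best
    return None


if __name__ == "__main__":
    # Two masters signed the same zone a second apart (constructed values).
    print(converge([1399500300, 1399500301]))        # 1399500301
    # A secondary still holding a date-style serial never transfers a
    # unix-time serial: the timestamp reads as 'older' under RFC 1982.
    print(would_transfer(1399500300, 2014050801))    # False
    # The unixtime policy handles that by bumping instead of going backwards.
    print(next_serial(2014050801, now=1399500300))   # 2014050802
```

The practical consequence for multiple masters is benign as long as all of them use the same policy: secondaries simply settle on whichever master signed last. Mixing policies, or moving a zone from date-style to timestamp serials, needs a deliberate wrap (two steps of at most 2^31 - 1) or the secondaries stay stale.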
Re: Point domain name of my zone to name in somebody else's zone?
In article mailman.160.1399503258.26362.bind-us...@lists.isc.org, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

Oh...I misread the question...guess DNAME isn't what's wanted...just the apex to somewhere else.

Yeah...I currently just look up the name and enter A records. But, I've wondered if there was another record type that allowed it to detect address changes of the requested 'CNAME'...so I wouldn't have to. Especially, if the requested 'CNAME' is a name that is known to change its IP...

Have the apex point to your own webserver, and have it send an HTTP redirect to www.domain.com, which is CNAMEd to the third party domain.

Either that...or come up with a way to script it.

That's what we did when I was at Akamai. Their custom DNS servers have an option to resolve the domain apex by looking up another name and returning its IP.

--
Barry Margolin
Arlington, MA
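Lawrence's "script it" option, and the apex-by-lookup behaviour Barry describes, amount to flattening the apex onto whatever the target name currently resolves to and pushing the difference via dynamic update. The following is an added example, not code from the thread, from BIND or from Akamai, that does exactly that: it resolves the target, diffs against the addresses currently published at the apex, and emits an nsupdate batch containing only the adds and deletes needed. Zone, apex, target and addresses are constructed, and it assumes the master accepts dynamic updates for the zone (typically under a TSIG key). The important edge case is a failed lookup: a target that resolves to nothing must not result in all apex addresses being deleted.

```python
"""Flatten an apex 'alias' onto a target name's addresses via DDNS.

Added example for Lawrence's 'script it' option and Barry's description of
apex resolution by looking up another name; it is not code from the thread,
from BIND or from Akamai.  Zone, apex, target and addresses are constructed,
and the script assumes the master accepts dynamic updates for the zone.
"""
import socket


def resolve(name: str):
    """Return the set of (rrtype, address) pairs `name` currently resolves to,
    via the system resolver (socket.getaddrinfo)."""
    found = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, None):
        if family == socket.AF_INET:
            found.add(("A", sockaddr[0]))
        elif family == socket.AF_INET6:
            found.add(("AAAA", sockaddr[0]))
    return found


def build_nsupdate(zone: str, apex: str, current, desired, ttl: int = 300,
                   server=None) -> str:
    """Return an nsupdate batch that changes only what differs between the
    apex's published addresses (`current`) and the target's (`desired`).
    Returns '' when nothing changed.  Refuses to act on an empty `desired`
    set so a transient lookup failure can never wipe the apex records."""
    current, desired = set(current), set(desired)
    if not desired:
        raise ValueError("target resolved to no addresses; "
                         "refusing to delete apex records")
    if current == desired:
        return ""
    lines = []
    if server:
        lines.append(f"server {server}")
    lines.append(f"zone {zone}")
    for rtype, addr in sorted(current - desired):
        lines.append(f"update delete {apex}. IN {rtype} {addr}")
    for rtype, addr in sorted(desired - current):
        lines.append(f"update add {apex}. {ttl} IN {rtype} {addr}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed names; in production read `current` from the authoritative
    # master (e.g. dig @master) rather than from a possibly stale cache.
    apex, target = "example.com", "www.third-party.example"
    script = build_nsupdate("example.com", apex, resolve(apex), resolve(target))
    print(script or "apex already in sync")
```

Pipe the output to nsupdate -k with the zone's TSIG key from cron at an interval shorter than the target's TTL; because only the changed records are touched, an unchanged target produces no update at all and the zone serial does not churn.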