Re: load balancing

2018-09-18 Thread Grant Taylor via bind-users 

On 09/18/2018 04:12 PM, SIMON BABY wrote:

Are we support this with our current release?


BIND has supported round robin DNS for a long time.



--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: load balancing

2018-09-18 Thread SIMON BABY 
Thanks Warren. Are we support this with our current release?

Rgds
Simon

On Tue, Sep 18, 2018 at 3:04 PM Leroy Tennison 
wrote:

> Before selecting round robin consider the drawbacks - a DNS server being
> down, DNS server inconsistency, an application expecting some kind of
> stateful interaction.  Finding root cause with DNS round robin can be
> challenging.  I'm not saying don't use it, your situation may be able to
> mitigate/eliminate issues. just do so fully aware of the implications.
> --
> *From:* bind-users  on behalf of SIMON
> BABY 
> *Sent:* Tuesday, September 18, 2018 4:39 PM
> *To:* Warren Kumari
> *Cc:* bind-users@lists.isc.org
> *Subject:* [EXTERNAL] Re: load balancing
>
> Thanks Warren.
> I am looking DNS RR distribution. (DNS Round Robin Load distribution).
>
> Round robin DNS is often used to load balance requests between a number of Web
> servers . For example, a
> company has one domain name and three identical copies of the same web site
> residing on three servers with three different IP addresses. When one user
> accesses the home page it will be sent to the first IP address. The second
> user who accesses the home page will be sent to the next IP address, and
> the third user will be sent to the third IP address. In each case, once the
> IP address is given out, it goes to the end of the list. The fourth user,
> therefore, will be sent to the first IP address, and so forth.
>
> Rgds
> Simon
>
>
> Harriscomputer
>
> Join us at the 2018 Momentum User Conference!
> Register here 
>
>
> *Leroy Tennison *Network Information/Cyber Security Specialist
> E: le...@datavoiceint.com
>
>
> 2220 Bush Dr
> McKinney, Texas
> 75070
> www.datavoiceint.com 
>
> TThis message has been sent on behalf of a company that is part of the
> Harris Operating Group of Constellation Software Inc. These companies are
> listed here .
>
> If you prefer not to be contacted by Harris Operating Group please notify
> us .
>
>
>
> This message is intended exclusively for the individual or entity to which
> it is addressed. This communication may contain information that is
> proprietary, privileged or confidential or otherwise legally exempt from
> disclosure. If you are not the named addressee, you are not authorized to
> read, print, retain, copy or disseminate this message or any part of it. If
> you have received this message in error, please notify the sender
> immediately by e-mail and delete all copies of the message.
>
>
> On Tue, Sep 18, 2018 at 1:22 PM Warren Kumari  wrote:
>
>>
>>
>> On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY  wrote:
>>
>>> Hi,
>>>
>>> Are we support load balancing with latest DNSSEC ? I have a DNSSEC
>>> application with unbound library. Do i have to add any extra configuration
>>> to support Load Balancing?
>>>
>>
>> Your question is sufficiently light on detail that it cannot be
>> realistically answered.
>>
>> What sort of load balancing?
>> 1: Traditional SLB - you hand out one IP address, and have a load
>> balancer widget which shares this to multiple backends?
>> 2: Global SLB - you hand out different IP addresses to different clients?
>> 3: Round Robin - you hand out different IP addresses, but randomly / in a
>> order, not tied to specific clients?
>> 4: Anycast - you hand out the same IP address, but this lives on multiple
>> sites, and routing takes care of getting people to the closest site?
>> 5: Multiple nameservers? Something else?
>>
>> The term "load balance" is very vague / can be applied to multiple things
>> - for all of the above except  #2, this should just work without any
>> changes. GSLB *may* require more work, but may not. # 5 is sufficiently
>> undefined that it cannot really be answered :-)
>>
>> What *exactly* is the question / scenario you are asking?
>> W
>>
>>
>>
>>
>>>
>>> Rgds
>>> Simon
>>> ___
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
>>
>> --
>> I don't think the execution is relevant when it was obviously a bad idea
>> in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair of
>> pants.
>>---maf
>>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: load balancing

2018-09-18 Thread Leroy Tennison 



Before selecting round robin consider the drawbacks - a DNS server being down, DNS server inconsistency, an application expecting some kind of stateful interaction.  Finding root cause with DNS round robin can be challenging.  I'm not saying don't use it,
 your situation may be able to mitigate/eliminate issues. just do so fully aware of the implications.



From: bind-users  on behalf of SIMON BABY 
Sent: Tuesday, September 18, 2018 4:39 PM
To: Warren Kumari
Cc: bind-users@lists.isc.org
Subject: [EXTERNAL] Re: load balancing
 


Thanks Warren.
I am looking DNS RR distribution. (DNS Round Robin Load distribution). 


Round robin DNS is often used to load balance requests between a number of Web
 servers. For example, a company has one domain name and three identical copies of the same web site residing on three servers with three different IP addresses. When one user accesses the home page it
 will be sent to the first IP address. The second user who accesses the home page will be sent to the next IP address, and the third user will be sent to the third IP address. In each case, once the IP address is given out, it goes to the end of the list. The
 fourth user, therefore, will be sent to the first IP address, and so forth. 


Rgds
Simon 







Harriscomputer










Join us at the 2018 Momentum User Conference!

Register here




Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com








2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com 










TThis message has been sent on behalf of a company that is part of the Harris Operating Group of Constellation Software Inc. These companies are listed
here. 

If you prefer not to be contacted by Harris Operating Group
please notify us. 

 



This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If
 you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.








 
On Tue, Sep 18, 2018 at 1:22 PM Warren Kumari  wrote:







On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY  wrote:


Hi,


Are we support load balancing with latest DNSSEC ? I have a DNSSEC application with unbound library. Do i have to add any extra configuration to support Load Balancing?





Your question is sufficiently light on detail that it cannot be realistically answered.


What sort of load balancing?
1: Traditional SLB - you hand out one IP address, and have a load balancer widget which shares this to multiple backends?
2: Global SLB - you hand out different IP addresses to different clients? 
3: Round Robin - you hand out different IP addresses, but randomly / in a order, not tied to specific clients? 
4: Anycast - you hand out the same IP address, but this lives on multiple sites, and routing takes care of getting people to the closest site?
5: Multiple nameservers? Something else?



The term "load balance" is very vague / can be applied to multiple things - for all of the above except  #2, this should just work without any changes. GSLB *may* require more work, but may not.
 # 5 is sufficiently undefined that it cannot really be answered :-)


What *exactly* is the question / scenario you are asking?
W 




 




Rgds
Simon

___
Please visit 
https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users





-- 
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf







___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: load balancing

2018-09-18 Thread SIMON BABY 
Thanks Warren.
I am looking DNS RR distribution. (DNS Round Robin Load distribution).

Round robin DNS is often used to load balance requests between a number of Web
servers . For example, a company
has one domain name and three identical copies of the same web site
residing on three servers with three different IP addresses. When one user
accesses the home page it will be sent to the first IP address. The second
user who accesses the home page will be sent to the next IP address, and
the third user will be sent to the third IP address. In each case, once the
IP address is given out, it goes to the end of the list. The fourth user,
therefore, will be sent to the first IP address, and so forth.

Rgds
Simon


On Tue, Sep 18, 2018 at 1:22 PM Warren Kumari  wrote:

>
>
> On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY  wrote:
>
>> Hi,
>>
>> Are we support load balancing with latest DNSSEC ? I have a DNSSEC
>> application with unbound library. Do i have to add any extra configuration
>> to support Load Balancing?
>>
>
> Your question is sufficiently light on detail that it cannot be
> realistically answered.
>
> What sort of load balancing?
> 1: Traditional SLB - you hand out one IP address, and have a load balancer
> widget which shares this to multiple backends?
> 2: Global SLB - you hand out different IP addresses to different clients?
> 3: Round Robin - you hand out different IP addresses, but randomly / in a
> order, not tied to specific clients?
> 4: Anycast - you hand out the same IP address, but this lives on multiple
> sites, and routing takes care of getting people to the closest site?
> 5: Multiple nameservers? Something else?
>
> The term "load balance" is very vague / can be applied to multiple things
> - for all of the above except  #2, this should just work without any
> changes. GSLB *may* require more work, but may not. # 5 is sufficiently
> undefined that it cannot really be answered :-)
>
> What *exactly* is the question / scenario you are asking?
> W
>
>
>
>
>>
>> Rgds
>> Simon
>> ___
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>---maf
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: load balancing

2018-09-18 Thread Warren Kumari 
On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY  wrote:

> Hi,
>
> Are we support load balancing with latest DNSSEC ? I have a DNSSEC
> application with unbound library. Do i have to add any extra configuration
> to support Load Balancing?
>

Your question is sufficiently light on detail that it cannot be
realistically answered.

What sort of load balancing?
1: Traditional SLB - you hand out one IP address, and have a load balancer
widget which shares this to multiple backends?
2: Global SLB - you hand out different IP addresses to different clients?
3: Round Robin - you hand out different IP addresses, but randomly / in a
order, not tied to specific clients?
4: Anycast - you hand out the same IP address, but this lives on multiple
sites, and routing takes care of getting people to the closest site?
5: Multiple nameservers? Something else?

The term "load balance" is very vague / can be applied to multiple things -
for all of the above except  #2, this should just work without any changes.
GSLB *may* require more work, but may not. # 5 is sufficiently undefined
that it cannot really be answered :-)

What *exactly* is the question / scenario you are asking?
W




>
> Rgds
> Simon
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

load balancing

2018-09-18 Thread SIMON BABY 
Hi,

Are we support load balancing with latest DNSSEC ? I have a DNSSEC
application with unbound library. Do i have to add any extra configuration
to support Load Balancing?

Rgds
Simon
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: PRNG not seeded, service won't start

2018-09-18 Thread Howard, Christopher 
I found that link previously and tried it. It didn't complain about that not 
being a valid setting, but it didn't change the outcome. I'm beginning to 
believe I may just have to upgrade to CentOS 7. It needs to be done at some 
point anyway, I just didn't want to do it now.

-Christopher


On Tue, 2018-09-18 at 09:33 +0100, Tony Finch wrote:

Howard, Christopher 
mailto:christopher-how...@utc.edu>> wrote:


Does any one have any ideas of what I'm missing or what I can do to

resolve this (besides upgrading this box to CentOS 7)?


Try setting `random-device "/dev/urandom";` in `named.conf`.


See 
https://gitlab.isc.org/isc-projects/bind9/commit/24172bd2eeba91441ab1c65d2717b0692309244a


Tony.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: PRNG not seeded, service won't start

2018-09-18 Thread Howard, Christopher 
Those are both good. Recent versions of bind are now using OpenSSL for random 
number generation and not /dev/random or /dev/urandom. Since the old version 
still works the /dev devices are obviously working.

-Christopher


On Tue, 2018-09-18 at 07:52 +, Alberto Colosi wrote:

ON INTERNET IS LIKE TO BE LINKED TO RANDOM SEED GENERATION


check


# ls -l /dev/random /dev/urandom

crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random

crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom




From: bind-users  on behalf of Howard, 
Christopher 
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-users@lists.isc.org
Subject: PRNG not seeded, service won't start

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service 
refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue 
on CentOS 7 and was able to fix it by making sure that rngd is running before 
the named service starts. That same fix is not working for CentOS 6. I'm at a 
loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot 
be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to resolve 
this (besides upgrading this box to CentOS 7)?

-Christopher


___

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list


bind-users mailing list

bind-users@lists.isc.org

https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: PRNG not seeded, service won't start

2018-09-18 Thread Howard, Christopher 
I've tried this one. It doesn't work. There is plenty of entropy on the box, 
but it still won't start with the same error.

-Christopher


On Tue, 2018-09-18 at 01:22 +0200, Reindl Harald wrote:

https://wiki.archlinux.org/index.php/Haveged


Am 18.09.18 um 01:11 schrieb Howard, Christopher:

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the

service refuses to start. This is on a CentOS 6.10 machine. I ran into

the same issue on CentOS 7 and was able to fix it by making sure that

rngd is running before the named service starts. That same fix is not

working for CentOS 6. I'm at a loss as to how to fix this and Google is

failing me now.


The error in the log says:

Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:

Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator

cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)


Does any one have any ideas of what I'm missing or what I can do to

resolve this (besides upgrading this box to CentOS 7)?


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: PRNG not seeded, service won't start

2018-09-18 Thread Tony Finch 
Howard, Christopher  wrote:

> Does any one have any ideas of what I'm missing or what I can do to
> resolve this (besides upgrading this box to CentOS 7)?

Try setting `random-device "/dev/urandom";` in `named.conf`.

See 
https://gitlab.isc.org/isc-projects/bind9/commit/24172bd2eeba91441ab1c65d2717b0692309244a

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
Trafalgar: Variable 3 in northwest, otherwise northerly 4 or 5. Slight or
moderate, occasionally rough in north until later. Fair. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi 
ON INTERNET IS LIKE TO BE LINKED TO RANDOM SEED GENERATION


check


# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom




From: bind-users  on behalf of Howard, 
Christopher 
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-users@lists.isc.org
Subject: PRNG not seeded, service won't start

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service 
refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue 
on CentOS 7 and was able to fix it by making sure that rngd is running before 
the named service starts. That same fix is not working for CentOS 6. I'm at a 
loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot 
be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to resolve 
this (besides upgrading this box to CentOS 7)?

-Christopher

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ISC Bind stops answering queries

2018-09-18 Thread Ian Collins 
Hi,


Updated to the latest stable and it seems to have resolved t heissue.


Thanks


ian..



From: bind-users  on behalf of Dave Warren 

Sent: 17 September 2018 19:01
To: bind-users@lists.isc.org
Subject: Re: ISC Bind stops answering queries

On Mon, Sep 17, 2018, at 06:07, Ian Collins wrote:

I have been runnig various versions of ISC Bind for a number of years without 
any issues.


My current server is a Windows 2012 R2 running 9.3.0

<...>
Does anyone have any idea what could be causing the server to stop answering 
queries or suggest any specifiv loggin settings that might help identify it 
please.

I recall a couple of hangs in that era on my Windows Server based Bind servers. 
It was due to malformed queries, although I don't recall the details anymore. 
Upgrading to a supported version would be the obvious first step.



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi 
are your compiler and libs updated ?




From: bind-users  on behalf of Howard, 
Christopher 
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-users@lists.isc.org
Subject: PRNG not seeded, service won't start

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service 
refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue 
on CentOS 7 and was able to fix it by making sure that rngd is running before 
the named service starts. That same fix is not working for CentOS 6. I'm at a 
loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot 
be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to resolve 
this (besides upgrading this box to CentOS 7)?

-Christopher

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users