RE: Using Ansible to manage bind installation/basic setup.

2021-05-21 Thread Stoffel, John (TAI)
I'm using the following role, but only for a very simple secondary setup.

   ansible-galaxy install bertvv.bind

It's not the fastest, and I'm sure my ansible-foo isn't the best, but it's 
working for me so far.

John


Sr. Storage Architect
TOSHIBA AMERICA, INC.
290 Donald Lynch Blvd - Suite 201
Marlborough, MA 01752
508-736-5499 (mobile)
E-Mail:  john.stof...@toshiba.com
Website: Service Now Self Service 
Portal

From: bind-users  On Behalf Of MURTARI, JOHN
Sent: Wednesday, May 19, 2021 7:40 AM
To: bind-users@lists.isc.org
Subject: Re: Using Ansible to manage bind installation/basic setup.


> Ansible's template module is what you'd probably use for #1, the service
> module (with handlers) for #2, and #3 comes out of the box when you use
> Ansible.

> While you might find existing roles and playbooks on the internets, I would
> strongly recommend to vet them carefully in a test environment before using
> them in production; just because something works for me doesn't mean it will
> satisfy you. :)



Thanks for the recommendation.  I had found some existing playbook stuff, but 
confusing to understand.  Just using their basic support for templates was 
pretty easy.  Had some experience with Puppet in the past.  Ansible's use of 
simple SSH for access instead of requiring a remote client installed does make 
it a lot easier.



Best regards!
John




From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Jan-Piet Mens via bind-users <bind-users@lists.isc.org>
Sent: Tuesday, May 18, 2021 1:29:51 PM
To: bind-users@lists.isc.org
Subject: Re: Using Ansible to manage bind installation/basic setup.

Ansible's template module is what you'd probably use for #1, the service
module (with handlers) for #2, and #3 comes out of the box when you use
Ansible.

While you might find existing roles and playbooks on the internets, I
would strongly recommend to vet them carefully in a test environment
before using them in production; just because something works for me
doesn't mean it will satisfy you. :)

Good luck,

-JP
___
Please visit 
https://urldefense.com/v3/__https://lists.isc.org/mailman/listinfo/bind-users__;!!BhdT!2lED6vbUEHG2F8ocQh8Fn7IxVUx1x_4UeguTObEE64xI6g-6VYkphsl6O4BthDo$
  to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at 
https://urldefense.com/v3/__https://www.isc.org/contact/__;!!BhdT!2lED6vbUEHG2F8ocQh8Fn7IxVUx1x_4UeguTObEE64xI6g-6VYkphsl69XQ71wc$
  for more information.


bind-users mailing list
bind-users@lists.isc.org
https://urldefense.com/v3/__https://lists.isc.org/mailman/listinfo/bind-users__;!!BhdT!2lED6vbUEHG2F8ocQh8Fn7IxVUx1x_4UeguTObEE64xI6g-6VYkphsl6O4BthDo$


Re: Syslog with BIND on CentOS

2021-05-21 Thread John Thurston



On 5/20/2021 2:17 PM, Anand Buddhdev wrote:

> You could also log directly to files (bypassing syslog), and then have
> some process follow the files and send the logs to a remote server.


This seems rather inefficient, but there are established and flexible 
tools to do just this.


Without changing the configuration of my named (which is currently 
logging to a local file), I can make rsyslogd consider that file an 
input source. Once in, the parsing and output modules can then work on it.


This relies on the input module "imfile", and the output module "omfwd"

https://rsyslog-doc.readthedocs.io/en/latest/configuration/modules/idx_input.html

imfile appears to follow log rotations cleanly. A limitation I see is 
everything is assigned the same syslog facility.priority values.


It remains to be seen if this process can keep up with the query volume.

Warning: When started for the first time, imfile will read the existing 
file and start forwarding. If the query log already contains 800MB of 
lines, those will all be read in and passed through the parser and 
output modules.


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
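
Added example, not part of John Thurston's message: a minimal rsyslog configuration for the imfile-to-omfwd arrangement described above. The log path, tag, facility, queue sizes and the target host `loghost.example.net` are assumptions to be replaced with local values.

```rsyslog
# /etc/rsyslog.d/bind-queries.conf  (file name is an assumption)
module(load="imfile")

# Dedicated ruleset: lines read from the query log are only forwarded.
# Because the input below is bound to this ruleset, the default rules
# never see these messages, so they are not written to local log files.
# The queue.* settings give a disk-assisted queue that absorbs bursts
# and outages of the central server instead of dropping lines.
ruleset(name="bind_query_fwd") {
    action(type="omfwd"
           target="loghost.example.net"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.size="200000"
           queue.filename="bind_query_fwd"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

# named keeps logging to its own file (assumed path); rsyslog tails it.
# Every line from this input gets the single facility/severity set here,
# which is the limitation noted in the message.
# freshStartTail="on" applies only when no state file exists yet: rsyslog
# then starts at the end of the file instead of forwarding the backlog.
input(type="imfile"
      file="/var/named/data/queries.log"
      tag="named-queries:"
      facility="local6"
      severity="info"
      freshStartTail="on"
      ruleset="bind_query_fwd")
```

`rsyslogd -N1` checks the configuration syntax before the service is restarted.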


Re: Syslog with BIND on CentOS

2021-05-21 Thread Petr Menšík
Hello John,

I think it should be possible to use chroot and have a custom socket there
mapped directly to rsyslog.

bind-chroot should be available in CentOS, try running
named-chroot.service instead of named.service.

I have not tried it on a real installation, but I guess it should be
the easiest way to use an arbitrary socket different from the common one.

Regards,
Petr

On 5/20/21 11:34 PM, John Thurston wrote:
> Many years ago, when we ran ISC BIND on Solaris, we created a logging
> channel to send the logged-queries to the local syslogd. We then had our
> local syslogd forward most of the traffic on to a central syslog server.
> 
> I just tried to re-implement something like that on CentOS, and thought
> I had it working . . until it was exposed to full production traffic
> load. The output to our central syslog server was truncated, and my
> local system log was filled with messages saying journald was activating
> ratelimiting. !?
> 
> My subsequent read of the docs indicates that BIND on CentOS 7, while
> being told it is sending to 'syslogd', is sending to 'journald' which is
> handling all the messages and forwarding them on to 'syslogd'. I don't
> want journald handling my thousands of messages per second from BIND. I
> don't want that information in my journal logs. I just want it out in
> the central syslog server.
> 
> Is there some direct way to get the logging channel of BIND pointed
> directly into the local syslogd? (which would then apply its forwarding
> rules to get traffic to the central syslog server)
> 
> I thought about trying to rip journald out entirely, and quickly decided
> that was a path to madness.
> 
> The only thing I can come up with is to activate dnstap, and have some
> other process absorbing the data and spewing it directly to the central
> syslogd.
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB





Re: New BIND releases are available: 9.11.32, 9.16.16, and 9.17.13

2021-05-21 Thread Manish Rane
I already tried the official Repository on my existing Ubuntu 18.04 and it
worked perfectly.
--
Thanks and Regards,
Manish R


On Fri, May 21, 2021 at 11:02 AM Josef Moellers  wrote:

> On 20.05.21 17:22, Manish Rane wrote:
> > Hi Team,
> >
> > Are those new versions available in Linux distro packages?
>
> As Anand already wrote: our Enterprise releases won't have this atm,
> unless you request it through the official channels.
> OpenSUSE Tumbleweed will hopefully have in a few days.
>
> Josef
> >
> > --
> > Thanks and Regards,
> > Manish R
> >
> >
> > On Thu, May 20, 2021 at 8:08 PM Anand Buddhdev wrote:
> >
> > On 20/05/2021 00:06, Michael McNally wrote:
> >
> > Hi ISC people,
> >
> > > RELEASE-NOTES-bind-9.16.16.html
> >
> > I was just reading the release notes, and noticed:
> >
> > "The default value of the max-ixfr-ratio option was changed to
> > unlimited, for better backwards compatibility in the stable release
> > series."
> >
> > Thank you for this. Just yesterday, I was looking at XFRs between BIND
> > 9.16.15, and a downstream Knot DNS server, which kept getting AXFRs
> > instead of IXFRs. I was going to open an issue about this in GitLab.
> > However, upgrading to 9.16.16 restored the previous (expected)
> > behaviour.
> >
> > Regards,
> > Anand
> >
>
>
> --
> SUSE Software Solutions Germany GmbH
> Maxfeldstr. 5
> 90409 Nürnberg
> Germany
>
> (HRB 36809, AG Nürnberg)
> Geschäftsführer: Felix Imendörffer