Re: Problem with internal/external VIEWs

2021-07-05 Thread Mark Andrews
If you want the content to be the same in both views and to be dynamically 
updatable then use

view view1 {
    zone example.com {
        type primary;
        [ allow-update / update-policy ] { … };
        …
    };
};

view view2 {
    zone example.com { in-view "view1"; };
};

If you want the zone content to be different then use different file names for
the zone and use different TSIG names to select views for NOTIFY, UPDATE, and
AXFR.

key view1-update-example.com { … };
key view2-update-example.com { … };
key view1-xfr-example.com { … };
key view2-xfr-example.com { … };

view view1 {
    match-clients {
        key view1-update-example.com; !key view2-update-example.com;
        key view1-xfr-example.com; !key view2-xfr-example.com;
        …
    };
    server  {
        keys view1-xfr-example.com; // so NOTIFY goes to the correct view
    };
    zone example.com {
        type primary;
        allow-update { key view1-update-example.com; }; // or update-policy
        allow-transfer { key view1-xfr-example.com; };
        file "view1/example.com.db";
    };
};

view view2 {
    match-clients {
        !key view1-update-example.com; key view2-update-example.com;
        !key view1-xfr-example.com; key view2-xfr-example.com;
        …
    };
    server  {
        keys view2-xfr-example.com; // so NOTIFY goes to the correct view
    };
    zone example.com {
        type primary;
        allow-update { key view2-update-example.com; }; // or update-policy
        allow-transfer { key view2-xfr-example.com; };
        file "view2/example.com.db";
    };
};

and on the secondaries you 

key view1-update-example.com { … };
key view2-update-example.com { … };
key view1-xfr-example.com { … };
key view2-xfr-example.com { … };

view view1 {
    match-clients {
        key view1-update-example.com; !key view2-update-example.com;
        key view1-xfr-example.com; !key view2-xfr-example.com;
        …
    };
    server  {
        keys view1-xfr-example.com; // so SOA, IXFR and AXFR go to the correct view.
    };
    zone example.com {
        type secondary;
        primaries { ; };
        allow-transfer { key view1-xfr-example.com; };
        file "view1/example.com.db";
    };
};

view view2 {
    match-clients {
        !key view1-update-example.com; key view2-update-example.com;
        !key view1-xfr-example.com; key view2-xfr-example.com;
        …
    };
    server  {
        keys view2-xfr-example.com; // so SOA, IXFR and AXFR go to the correct view.
    };
    zone example.com {
        type secondary;
        primaries { ; };
        allow-transfer { key view2-xfr-example.com; };
        file "view2/example.com.db";
    };
};

> On 6 Jul 2021, at 05:36, Dean Gibson (DNS Administrator)  
> wrote:
> 
> Currently running Bind v9.11.4:
> 
> Several years ago, I implemented multiple VIEWs using (almost) the exact 
> example in the Reference Manual.  However, I wanted the "example-internal.db" 
> and "example-external.db" to be the same file.
> 
> This worked until I wanted to have "example.com" updateable via ddns.  I 
> don't remember the exact error, but I have a note in my configuration file of 
> "don't do that!" (use the same file).  So, I removed the first zone 
> declaration for "example.com".  That was still with Bind v9, but a lesser 
> minor version.
> 
> So, the result is that I can't do a "dig -k tsig.file @localhost -t axfr 
> example.com" from the server command line.  The transfer is denied, because 
> "match-clients" forces me into the first (internal) VIEW.
> 
> The server is behind a firewall (which has a forward to the server), so "dig" 
> works if I specify "dig -k tsig.file @ns1.example.com".  Because of this, I 
> can still use "dig" like I want on the server.
> 
> However, I'd think this must be a common issue.  Any resolution (like 
> recognizing & dealing with two references to a dynamically updated file)?
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
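
An added example, not part of the original message and not BIND code: a small Python model of first-match evaluation of match-clients, showing how the negated key elements in the configuration in this reply keep a TSIG-signed request out of the wrong view whatever its source address. The address elements standing in for the "…" entries (127.0.0.0/8, 10.0.0.0/8, any) and the client address 203.0.113.5 are assumptions.

```python
"""Toy model of view selection by match-clients (added example, not BIND code)."""
from ipaddress import ip_address, ip_network


def parse_acl(text):
    """Parse a flat address match list into (negated, kind, value) tuples."""
    elements = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item.startswith("key "):
            elements.append((negated, "key", item[4:].strip()))
        elif item == "any":
            elements.append((negated, "any", None))
        else:
            elements.append((negated, "net", ip_network(item)))
    return elements


def acl_allows(acl, src, tsig_key):
    """The first element that matches decides: accept, or reject if negated."""
    addr = ip_address(src)
    for negated, kind, value in acl:
        hit = (
            kind == "any"
            or (kind == "key" and tsig_key == value)
            or (kind == "net" and addr in value)
        )
        if hit:
            return not negated
    return False  # nothing matched


def select_view(views, src, tsig_key=None):
    """Return the first view whose match-clients accepts the request."""
    for name, acl in views:
        if acl_allows(acl, src, tsig_key):
            return name
    return None


# Assumed stand-ins for the "…" entries in the two match-clients lists.
INTERNAL = "127.0.0.0/8; 10.0.0.0/8;"
EXTERNAL = "any;"

# Views selected by source address only.
ADDRESS_ONLY_VIEWS = [
    ("view1", parse_acl(INTERNAL)),
    ("view2", parse_acl(EXTERNAL)),
]

# Views with the per-view TSIG key elements placed ahead of the addresses.
KEYED_VIEWS = [
    ("view1", parse_acl(
        "key view1-update-example.com; !key view2-update-example.com;"
        "key view1-xfr-example.com; !key view2-xfr-example.com;" + INTERNAL)),
    ("view2", parse_acl(
        "!key view1-update-example.com; key view2-update-example.com;"
        "!key view1-xfr-example.com; key view2-xfr-example.com;" + EXTERNAL)),
]

# Constructed sample requests: (source address, TSIG key name or None).
CASES = [
    ("127.0.0.1", None),
    ("127.0.0.1", "view2-xfr-example.com"),
    ("203.0.113.5", "view1-xfr-example.com"),
    ("203.0.113.5", None),
]


def demo():
    """Return (src, key, view by address only, view with key elements)."""
    return [
        (src, key,
         select_view(ADDRESS_ONLY_VIEWS, src, key),
         select_view(KEYED_VIEWS, src, key))
        for src, key in CASES
    ]


if __name__ == "__main__":
    for src, key, by_addr, by_key in demo():
        print(f"{src:<12} key={key!s:<24} address-only={by_addr} keyed={by_key}")
```

The second case is the localhost transfer from the original question: with address-only matching it lands in view1, while the negated key element rejects it there and view2 accepts it.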


Re: non-improving referral

2021-07-05 Thread Mark Andrews



> On 6 Jul 2021, at 06:40, @lbutlr  wrote:
> 
> I've been getting a few errors along these lines (bind 9.16.18), the IPs 
> change, but I don't know what "non-improving referral" means or if I should 
> be concerned. 
> 
> DNS format error from 64.70.78.82#53 resolving ok.contact/NS for 
> 127.0.0.1#16749: non-improving referra
> 
> This IP is owned by CenturyLink, which was the company providing our 
> Internet service (they have recently become something called "Lumen", but the 
> IP blocks respond as savvin.net).
> 
> Other IPs have appeared, but I did not note them as the logs rolled as I was 
> distracted by other issues at the time.
> 
> My concern is that they may point to a configuration issue on my end, though 
> dnsviz is happy.

This is an error with the delegation of ok.contact.  The NS records at the
delegation point do not match those at the zone apex.

> -- 
> Bart, don't use the Touch of Death on your sister.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: dig standalone source?

2021-07-05 Thread Mark Andrews

> On 6 Jul 2021, at 05:56, Eric Germann via bind-users 
>  wrote:
> 
> Has ISC given any thought to releasing dig as a separate source package?
> 
> It’s good for testing DoH, but you need to build the entire bind package to 
> get it.  It would be useful for support analysts without the overhead of 
> compiling all of bind to get it

Really, it's a couple of extra megabytes of disk space and a couple of extra
minutes of compile time.  Dig is not a stand alone component.  It depends on
libisc, libdns, libisccfg, libirs, and libbind9.  That's most of the libraries
we build.  It makes no sense to have a separate source package for dig.

> ---
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> Twitter: @ekgermann
> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
> 
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



non-improving referral

2021-07-05 Thread @lbutlr
I've been getting a few errors along these lines (bind 9.16.18), the IPs 
change, but I don't know what "non-improving referral" means or if I should be 
concerned. 

DNS format error from 64.70.78.82#53 resolving ok.contact/NS for 
127.0.0.1#16749: non-improving referra

This IP is owned by CenturyLink, which was the company providing our Internet 
service (they have recently become something called "Lumen", but the IP blocks 
respond as savvin.net).

Other IPs have appeared, but I did not note them as the logs rolled as I was 
distracted by other issues at the time.

My concern is that they may point to a configuration issue on my end, though 
dnsviz is happy.


-- 
Bart, don't use the Touch of Death on your sister.



dig standalone source?

2021-07-05 Thread Eric Germann via bind-users
Has ISC given any thought to releasing dig as a separate source package?

It’s good for testing DoH, but you need to build the entire bind package to get 
it.  It would be useful for support analysts without the overhead of compiling 
all of bind to get it

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1









Problem with internal/external VIEWs

2021-07-05 Thread Dean Gibson (DNS Administrator)

Currently running Bind v9.11.4:

Several years ago, I implemented multiple VIEWs using (almost) the exact 
example in the Reference Manual.  However, I wanted the 
"example-internal.db" and "example-external.db" to be the same file.


This worked until I wanted to have "example.com" updateable via ddns.  I 
don't remember the exact error, but I have a note in my configuration 
file of /"don't do that!"/ (use the same file).  So, I removed the first 
zone declaration for "example.com". That was still with Bind v9, but a 
lesser minor version.


So, the result is that I can't do a "dig -k tsig.file @localhost -t axfr 
example.com" from the server command line.  The transfer is denied, 
because "match-clients" forces me into the first (internal) VIEW.


The server is behind a firewall (which has a forward to the server), so 
"dig" works if I specify "dig -k tsig.file @ns1.example.com".  Because 
of this, I can still use "dig" like I want on the server.


However, I'd think this must be a common issue.  Any resolution (like 
recognizing & dealing with two references to a dynamically updated file)?


Re: Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Ondřej Surý
Setting PKG_CONFIG_PATH should work like a charm…

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 5. 7. 2021, at 19:33, Eric Germann  wrote:
> 
> Bummer.
> 
> Thanks for the quick turnaround though!
> 
> ---
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> Twitter: @ekgermann
> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
> 
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
> 
> 
> 
> 
> 
> 
> 
>> On Jul 5, 2021, at 1:07 PM, Ondřej Surý  wrote:
>> 
>> Oh, you are right. That will get only used when pkg-config based method 
>> doesn’t work. We probably should remove that as openssl.pc is now widely 
>> available.
>> 
>> Ondřej
>> --
>> Ondřej Surý — ISC (He/Him)
>> 
>> My working hours and your working hours may be different. Please do not feel 
>> obligated to reply outside your normal working hours.
>> 
>>>> On 5. 7. 2021, at 18:57, Eric Germann wrote:
>>>>
>>> I’m confused
>>> 
>>> ./configure --help | grep openssl
>>> 
>>>   --with-openssl=DIR  root of the OpenSSL directory
>>> 
>>> ---
>>> Eric Germann
>>> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
>>> LinkedIn: https://www.linkedin.com/in/ericgermann
>>> Twitter: @ekgermann
>>> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
>>> 
>>> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Jul 5, 2021, at 12:55 PM, Ondřej Surý wrote:
>>>>
>>>> Eric,
>>>>
>>>> configure uses pkg-config to detect OpenSSL version thus you need to point 
>>>> pkg-config to the right directory.
>>>>
>>>> There’s no such option to configure.
>>>>
>>>> Ondřej
>>>> --
>>>> Ondřej Surý — ISC (He/Him)
>>>>
>>>> My working hours and your working hours may be different. Please do not 
>>>> feel obligated to reply outside your normal working hours.
>>>>
>>>>>> On 5. 7. 2021, at 18:24, Eric Germann via bind-users wrote:
>>>>>>
>>>>> I’m in the process of building a custom version of bind with DoH and 
>>>>> would also like to add DNSSEC algorithm 15 for experimental purposes
>>>>> 
>>>>> DoH works just fine on the servers I have configured.
>>>>> 
>>>>> My “configure" command is
>>>>> 
>>>>>   ./configure --with-openssl=../openssl-1.1.1k --with-libxml2 
>>>>> --with-json-c --disable-dnstap --enable-fixed-rrset --enable-querytrace 
>>>>> --sysconfdir=/etc/namedb
>>>>> 
>>>>> When I override the SSL library, it doesn’t pick it up.  It uses the 
>>>>> system library of 1.0.2k-fips from the system (Centos 7 
>>>>> 10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 
>>>>> x86_64 x86_64 GNU/Linux)
>>>>> 
>>>>> I know when I build nginx, I can override the SSL library by pointing to 
>>>>> the OpenSSL directory and it shows and functions with the correct library 
>>>>> (1.1.1k).
>>>>> 
>>>>> I’ve built OpenSSL in the directory spec’d in the config line, but 
>>>>> haven’t done a “make install” because it will trash the system.
>>>>> 
>>>>> Is there any way to build against 1.1.1k without doing a “make install” on 
>>>>> the newer OpenSSL library?
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> ---
>>>>> Eric Germann
>>>>> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
>>>>> LinkedIn: https://www.linkedin.com/in/ericgermann
>>>>> Twitter: @ekgermann
>>>>> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
>>>>> 
>>>>> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1


Re: Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Eric Germann via bind-users
Bummer.

Thanks for the quick turnaround though!

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1







> On Jul 5, 2021, at 1:07 PM, Ondřej Surý  wrote:
> 
> Oh, you are right. That will get only used when pkg-config based method 
> doesn’t work. We probably should remove that as openssl.pc is now widely 
> available.
> 
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
>> On 5. 7. 2021, at 18:57, Eric Germann  wrote:
>> 
>> I’m confused
>> 
>> ./configure --help | grep openssl
>> 
>>   --with-openssl=DIR  root of the OpenSSL directory
>> 
>> ---
>> Eric Germann
>> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
>> LinkedIn: https://www.linkedin.com/in/ericgermann 
>> 
>> Twitter: @ekgermann
>> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
>> 
>> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>> On Jul 5, 2021, at 12:55 PM, Ondřej Surý wrote:
>>> 
>>> Eric,
>>> 
>>> configure uses pkg-config to detect OpenSSL version thus you need to point 
>>> pkg-config to the right directory.
>>> 
>>> There’s no such option to configure.
>>> 
>>> Ondřej
>>> --
>>> Ondřej Surý — ISC (He/Him)
>>> 
>>> My working hours and your working hours may be different. Please do not 
>>> feel obligated to reply outside your normal working hours.
>>> 
>>>> On 5. 7. 2021, at 18:24, Eric Germann via bind-users <bind-users@lists.isc.org> wrote:
>>>>
>>>> I’m in the process of building a custom version of bind with DoH and 
>>>> would also like to add DNSSEC algorithm 15 for experimental purposes
>>>>
>>>> DoH works just fine on the servers I have configured.
>>>>
>>>> My “configure" command is
>>>>
>>>>   ./configure --with-openssl=../openssl-1.1.1k --with-libxml2 
>>>> --with-json-c --disable-dnstap --enable-fixed-rrset --enable-querytrace 
>>>> --sysconfdir=/etc/namedb
>>>>
>>>> When I override the SSL library, it doesn’t pick it up.  It uses the 
>>>> system library of 1.0.2k-fips from the system (Centos 7 
>>>> 10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 
>>>> x86_64 x86_64 GNU/Linux)
>>>>
>>>> I know when I build nginx, I can override the SSL library by pointing to 
>>>> the OpenSSL directory and it shows and functions with the correct library 
>>>> (1.1.1k).
>>>>
>>>> I’ve built OpenSSL in the directory spec’d in the config line, but haven’t 
>>>> done a “make install” because it will trash the system.
>>>>
>>>> Is there any way to build against 1.1.1k without doing a “make install” on 
>>>> the newer OpenSSL library?
>>>>
>>>> Thanks
>>>>
>>>> ---
>>>> Eric Germann
>>>> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
>>>> LinkedIn: https://www.linkedin.com/in/ericgermann
>>>> Twitter: @ekgermann
>>>> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
>>>>
>>>> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
 
 
 
 
 
 
 


Re: Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Ondřej Surý
Oh, you are right. That will get only used when pkg-config based method doesn’t 
work. We probably should remove that as openssl.pc is now widely available.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 5. 7. 2021, at 18:57, Eric Germann  wrote:
> 
> I’m confused
> 
> ./configure --help | grep openssl
> 
>   --with-openssl=DIR  root of the OpenSSL directory
> 
> ---
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> Twitter: @ekgermann
> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
> 
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
> 
> 
> 
> 
> 
> 
> 
>> On Jul 5, 2021, at 12:55 PM, Ondřej Surý  wrote:
>> 
>> Eric,
>> 
>> configure uses pkg-config to detect OpenSSL version thus you need to point 
>> pkg-config to the right directory.
>> 
>> There’s no such option to configure.
>> 
>> Ondřej
>> --
>> Ondřej Surý — ISC (He/Him)
>> 
>> My working hours and your working hours may be different. Please do not feel 
>> obligated to reply outside your normal working hours.
>> 
>>>> On 5. 7. 2021, at 18:24, Eric Germann via bind-users wrote:
>>>>
>>> I’m in the process of building a custom version of bind with DoH and would 
>>> also like to add DNSSEC algorithm 15 for experimental purposes
>>> 
>>> DoH works just fine on the servers I have configured.
>>> 
>>> My “configure" command is
>>> 
>>>   ./configure --with-openssl=../openssl-1.1.1k --with-libxml2 --with-json-c 
>>> --disable-dnstap --enable-fixed-rrset --enable-querytrace 
>>> --sysconfdir=/etc/namedb
>>> 
>>> When I override the SSL library, it doesn’t pick it up.  It uses the system 
>>> library of 1.0.2k-fips from the system (Centos 7 10.0-1160.25.1.el7.x86_64 
>>> #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)
>>> 
>>> I know when I build nginx, I can override the SSL library by pointing to 
>>> the OpenSSL directory and it shows and functions with the correct library 
>>> (1.1.1k).
>>> 
>>> I’ve built OpenSSL in the directory spec’d in the config line, but haven’t 
>>> done a “make install” because it will trash the system.
>>> 
>>> Is there any way to build against 1.1.1k without doing a “make install” on 
>>> the newer OpenSSL library?
>>> 
>>> Thanks
>>> 
>>> ---
>>> Eric Germann
>>> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
>>> LinkedIn: https://www.linkedin.com/in/ericgermann
>>> Twitter: @ekgermann
>>> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
>>> 
>>> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1


Re: Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Eric Germann via bind-users
I’m confused

./configure --help | grep openssl

  --with-openssl=DIR  root of the OpenSSL directory

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1







> On Jul 5, 2021, at 12:55 PM, Ondřej Surý  wrote:
> 
> Eric,
> 
> configure uses pkg-config to detect OpenSSL version thus you need to point 
> pkg-config to the right directory.
> 
> There’s no such option to configure.
> 
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
>> On 5. 7. 2021, at 18:24, Eric Germann via bind-users 
>>  wrote:
>> 
>> I’m in the process of building a custom version of bind with DoH and would 
>> also like to add DNSSEC algorithm 15 for experimental purposes
>> 
>> DoH works just fine on the servers I have configured.
>> 
>> My “configure" command is
>> 
>>   ./configure --with-openssl=../openssl-1.1.1k --with-libxml2 --with-json-c 
>> --disable-dnstap --enable-fixed-rrset --enable-querytrace 
>> --sysconfdir=/etc/namedb
>> 
>> When I override the SSL library, it doesn’t pick it up.  It uses the system 
>> library of 1.0.2k-fips from the system (Centos 7 10.0-1160.25.1.el7.x86_64 
>> #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)
>> 
>> I know when I build nginx, I can override the SSL library by pointing to the 
>> OpenSSL directory and it shows and functions with the correct library 
>> (1.1.1k).
>> 
>> I’ve built OpenSSL in the directory spec’d in the config line, but haven’t 
>> done a “make install” because it will trash the system.
>> 
>> Is there any way to build against 1.1.1k without doing a “make install” on 
>> the newer OpenSSL library?
>> 
>> Thanks
>> 
>> ---
>> Eric Germann
>> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
>> LinkedIn: https://www.linkedin.com/in/ericgermann 
>> 
>> Twitter: @ekgermann
>> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
>> 
>> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1


Re: Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Ondřej Surý
Eric,

configure uses pkg-config to detect OpenSSL version thus you need to point 
pkg-config to the right directory.

There’s no such option to configure.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 5. 7. 2021, at 18:24, Eric Germann via bind-users 
>  wrote:
> 
> I’m in the process of building a custom version of bind with DoH and would 
> also like to add DNSSEC algorithm 15 for experimental purposes
> 
> DoH works just fine on the servers I have configured.
> 
> My “configure" command is
> 
>   ./configure --with-openssl=../openssl-1.1.1k --with-libxml2 --with-json-c 
> --disable-dnstap --enable-fixed-rrset --enable-querytrace 
> --sysconfdir=/etc/namedb
> 
> When I override the SSL library, it doesn’t pick it up.  It uses the system 
> library of 1.0.2k-fips from the system (Centos 7 10.0-1160.25.1.el7.x86_64 #1 
> SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)
> 
> I know when I build nginx, I can override the SSL library by pointing to the 
> OpenSSL directory and it shows and functions with the correct library 
> (1.1.1k).
> 
> I’ve built OpenSSL in the directory spec’d in the config line, but haven’t 
> done a “make install” because it will trash the system.
> 
> Is there any way to build against 1.1.1k without doing a “make install” on the 
> newer OpenSSL library?
> 
> Thanks
> 
> ---
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> Twitter: @ekgermann
> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
> 
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1


Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Eric Germann via bind-users
I’m in the process of building a custom version of bind with DoH and would also 
like to add DNSSEC algorithm 15 for experimental purposes

DoH works just fine on the servers I have configured.

My “configure" command is

  ./configure --with-openssl=../openssl-1.1.1k --with-libxml2 --with-json-c 
--disable-dnstap --enable-fixed-rrset --enable-querytrace 
--sysconfdir=/etc/namedb

When I override the SSL library, it doesn’t pick it up.  It uses the system 
library of 1.0.2k-fips from the system (Centos 7 10.0-1160.25.1.el7.x86_64 #1 
SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)

I know when I build nginx, I can override the SSL library by pointing to the 
OpenSSL directory and it shows and functions with the correct library (1.1.1k).

I’ve built OpenSSL in the directory spec’d in the config line, but haven’t done 
a “make install” because it will trash the system.

Is there any way to build against 1.1.1k without doing a “make install” on the 
newer OpenSSL library?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1











Re: How do I identify if bind9 is using 4 cores?

2021-07-05 Thread Petr Menšík
Consult log of bind9 service. It should autodetect 4 cores without any
options, just with plain start of the service.

It should show isc-socket thread for each core:

pstree -t $(pidof named)

I was surprised by my output, however, because I have multiple
isc-net-000{1}. My version is bind-9.16.18-1.fc34.x86_64

$ pstree -t $(pidof named)
named─┬─2*[{isc-net-}]
      ├─5*[{isc-net-0001}]
      ├─{isc-net-0002}
      ├─{isc-net-0003}
      ├─{isc-socket-0}
      ├─{isc-socket-1}
      ├─{isc-socket-2}
      ├─{isc-socket-3}
      └─{isc-timer}

Are those numbers intentional?

On 6/17/21 5:32 AM, Manish Rane wrote:
> Hi Team,
>
> I have BIND 9.16.17-Ubuntu on ubuntu and have 4 cores. I have configured
>
>  more /etc/default/bind9
> OPTIONS="-n 4"
>
> And then restarted the services. How do I verify if bind9 has spawned 4
> processes and distributed among those?
>
> TIA
> Manish R

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
