Re: Controls statement BIND 9.10.0b2 CentOS6.5
Solved: Including the key was incorrect. This works fine:

controls {
    inet ::1 allow { localhost; };
};

Dave
--
David Forrest
St. Louis, Missouri
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Controls statement BIND 9.10.0b2 CentOS6.5
With no controls statement, I get the following error (annoying, not fatal):

Mar 20 11:56:01 maplepark named[26046]: starting BIND 9.10.0b2 -u named
Mar 20 11:56:01 maplepark named[26046]: built with '--enable-threads'
Mar 20 11:56:01 maplepark named[26046]: ...
Mar 20 11:56:01 maplepark named[26046]: configuring command channel from '/etc/rndc.key'
Mar 20 11:56:01 maplepark named[26046]: couldn't add command channel 127.0.0.1#953: address in use
Mar 20 11:56:01 maplepark named[26046]: configuring command channel from '/etc/rndc.key'
Mar 20 11:56:01 maplepark named[26046]: command channel listening on ::1#953

But I can't seem to construct a controls statement to only listen to the IPv6 loopback. As it just retries on a failure to IPv4 it works anyway but it is annoying to get the error message on startup. I don't have either address in the /etc/rndc.key file, just the key.

Dave
--
David Forrest e-mail: drf at maplepark dot com
Maple Park Development http://www.maplepark.com
St. Louis, Missouri
Re: dumping master file: tmp-xxx: open: permission denied
On Tue, 14 Jan 2014, LuKreme wrote:

> On 13 Jan 2014, at 20:36 , Mark Andrews ma...@isc.org wrote:
>
>> In message 8919443e-8f62-48cd-8da4-9c9632fc5...@kreme.com, LuKreme writes:
>>
>>> OK, I am getting this error "dumping master file: tmp-xxx: open: permission denied", occasionally, on both my slave DNS servers and I can't seem to fix it. The dns slave files are being written into /var/named/etc/namedb/slave which is owned by bind:
>>>
>>> 8 drwxr-xr-x  2 bind  wheel  1024 Jan 13 19:46 /var/named/etc/namedb/slave
>>>
>>> DNS changes are getting propagated to both servers from the master, so I don't know where the permission denied is coming from. Where is this tmp file being (attempted to be) written?
>>
>> It's trying to write to the working directory which I doubt is /var/named/etc/namedb/slave. I suspect you have a bad file directive.
>
> Hmm. OK, there is a /var/named/etc/namedb/working/ which is also owned by bind. Where might this bad file directive be? The only 'file' in named.conf are in the form "slave/example.com" and the pid-file setting.
>
>>> And why are the slave servers dumping master file in the first place?
>>
>> So the slave can start up and serve the zone content when the master server is down.
>
> Oh? Coolness :)

I've been tripped up on this before as there is a default directory and the default can be overridden by a directory option statement. Using a chroot adds the current definition into the chrooted directory. It can get quite confusing and I have found that just using full paths on all zone files cuts out any question. Usually the slave server will get a new copy from the master fairly quickly if you don't save it but it is cleaner if it has a fairly recent copy locally.

Dave
--
David Forrest e-mail: drf at maplepark dot com
St. Louis, Missouri
Re: dumping master file: tmp-xxx: open: permission denied
On Tue, 14 Jan 2014, LuKreme wrote:

> On 14 Jan 2014, at 09:02 , David Forrest d...@maplepark.com wrote:
>
>> I've been tripped up on this before as there is a default directory and the default can be overridden by a directory option statement. Using a chroot adds the current definition into the chrooted directory. It can get quite confusing and I have found that just using full paths on all zone files cuts out any question. Usually the slave server will get a new copy from the master fairly quickly if you don't save it but it is cleaner if it has a fairly recent copy locally.
> so I should change
>
> zone kreme.com { type slave; masters { 75.148.37.67; }; file "slave/kreme.com"; };
>
> to
>
> zone kreme.com { type slave; masters { 75.148.37.67; }; file "/var/named/etc/namedb/slave/kreme.com"; };
>
> and that will eliminate the errors?

This works for me. At least I then know where it is going.

> or are you saying that in options { ... I should set directory "/var/named/etc/namedb/"

No. This just sets up another redirection to work out. YMMV though.

> If I change the ownership of /var/named/etc/namedb to bind, it gets changed back to root when bind starts.

I'm on CentOS 6.5 and it seemed to not notice I was running as named -u named and this tripped me up too in my init, so I added a statement just before it executes the start daemon (around line 170 in /etc/rc.d/init.d/named) to change the ownerships to named, like this:

169    chown -hR named:named /var/named    ## DRF
170
171    daemon --pidfile $ROOTDIR/$PIDFILE /usr/sbin/$named -u named ${OPTIONS};

But I am sure there is a proper way to do this. Expediency usually bites. Maybe some can tell us.
--
David Forrest e-mail: drf at maplepark dot com
Maple Park Development http://www.maplepark.com
St. Louis, Missouri
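The two replies above turn on the same point: where named actually puts a zone file depends on the options "directory" statement (or the directory named was started in when there is none) and on any chroot, and a slave zone dump needs write access to the zone file's directory, not just the file. As an added example (not code from the thread or from ISC), here is a small Python check that resolves every zone "file" in a named.conf fragment by those rules and lists the directories the named user must be able to write. The named.conf text, zone names and addresses below are constructed for the example; the relative-path versus full-path contrast mirrors the kreme.com zone above. Run a real config through named-checkconf -p first so the scan sees one canonical file instead of includes.

```python
"""Resolve zone 'file' paths in a named.conf fragment and list the directories
a secondary (slave) zone dump must be able to write.

Added example for the thread above, not code from the posts or from ISC.
Rules mirrored from named's behaviour:
  * a relative 'file' is taken under options { directory "..."; }, or under
    the directory named was started in when no 'directory' option is set;
  * with 'named -t <root>' the kernel prepends the chroot root, so the host
    path is <root> + <path named sees>;
  * a slave dump is written to a temporary file beside the zone file and then
    renamed, so the zone file's directory, not just the file, must be writable
    by the user named runs as (-u named).
"""
import posixpath
import re

# Constructed named.conf fragment modelled on the thread; the master address
# and the paths are examples, not a real configuration.
SAMPLE_CONF = """
options {
    directory "/var/named/etc/namedb/working";
};
zone "kreme.com" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/kreme.com";
};
zone "example.net" {
    type slave;
    masters { 192.0.2.10; };
    file "/var/named/etc/namedb/slave/example.net";
};
zone "maplepark.com" {
    type master;
    file "master/maplepark.com";
};
"""

# 'directory' but not 'managed-keys-directory' and similar options.
DIRECTORY_RE = re.compile(r'(?<![\w-])directory\s+"([^"]+)"\s*;')
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')
WRITABLE_TYPES = {"slave", "secondary"}   # zone types named dumps after a transfer


def _blocks(conf, keyword):
    """Yield (name, body) for each `keyword "name" { body };`, matching braces so
    that nested blocks such as 'masters { ... };' do not end the body early."""
    for m in re.finditer(r'\b' + keyword + r'\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def resolve_zone_files(conf, start_dir="/", chroot=None):
    """Return [(zone, type, host_path, needs_write)] for every zone with a 'file'."""
    m = DIRECTORY_RE.search(conf)
    directory = m.group(1) if m else start_dir
    out = []
    for zone, body in _blocks(conf, "zone"):
        f = FILE_RE.search(body)
        if not f:
            continue
        t = TYPE_RE.search(body)
        ztype = t.group(1) if t else "unknown"
        path = f.group(1)
        if not path.startswith("/"):
            path = posixpath.join(directory, path)
        path = posixpath.normpath(path)
        host_path = posixpath.normpath(chroot + path) if chroot else path
        out.append((zone, ztype, host_path, ztype in WRITABLE_TYPES))
    return out


def writable_dirs_needed(conf, **kw):
    """Sorted host directories that must be writable by named's user."""
    return sorted({posixpath.dirname(p)
                   for _, _, p, w in resolve_zone_files(conf, **kw) if w})


if __name__ == "__main__":
    for zone, ztype, path, w in resolve_zone_files(SAMPLE_CONF):
        print(f"{zone:<16} {ztype:<7} {path}{'  (directory must be writable)' if w else ''}")
    print("with -t /var/named/chroot:", writable_dirs_needed(SAMPLE_CONF, chroot="/var/named/chroot"))
```

The kreme.com zone resolves to /var/named/etc/namedb/working/slave/kreme.com, which is where the tmp-xxx file is created; the full-path zone resolves to the slave directory LuKreme expected. Compare the output against the ownership shown by ls -ld on each listed directory for the user named runs as.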
Re: rndc addzone gets permission denied
I slaved the root zone without a file statement in my named.conf for the slaved file and it worked. I added the file statement later to my named.conf as I wanted a local copy for quicker startup. I think I may have touched the file to get it started though. When I finally looked at it, I found it was binary. You might just try it without the file statement in the rndc invocation, like this:

rndc addzone zone.local '{ type slave; masters { 172.31.199.154; }; };'

Dave
Re: rndc addzone gets permission denied
On Sun, 12 Jan 2014, Georgy Goshin wrote:

> named -g too shows only the received command and does not show which permission is denied:
>
> 12-Jan-2014 19:42:48.133 received control channel command 'addzone zone.local { type slave; file slaves/zone.local; masters { 172.31.199.154; }; };'
> 12-Jan-2014 19:43:05.826 received control channel command 'addzone zone.local { type slave; masters { 172.31.199.154; }; };'
>
> Don't know what else to try (

Can you add it directly to the named.conf file and have it load? If so it would indicate the trouble is in the rndc routines and not named itself.

Dave
--
David Forrest
St. Louis, Missouri
Re: Adding DS records
On Fri, 20 Dec 2013, Steven Carr wrote:

> On 20 December 2013 18:10, pgndev pgnet@gmail.com wrote:
>> Gandi.net Great support, including DNSSEC:
>
> Gandi only support DNSSEC if you host the DNS elsewhere, their DNS servers do not support DNSSEC.
>
> Steve

gandi.net +1

I transferred from NS to Gandi in December 1998. I don't know about their hosting of primary DNS but they do host a secondary of mine and it seems to resolve there with an aa flag:

; <<>> DiG 9.10.0a1 <<>> -t rrsig @ns6.gandi.net maplepark.com +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64272
;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;maplepark.com.            IN  RRSIG

;; ANSWER SECTION:
maplepark.com.    7200  IN  RRSIG  SPF 5 2 7200 20140117060102 20131220050102 53247 maplepark.com. 37jqijnR2J4+HDefTxLqcbUSshnT5HAWlwJ3XL82ty18UDXJ+excwzWU 6G75VWONF0HIT9Raa8aXeMdhAwgz3KX8+W1WDYs5sIdw59oWSrCw0eWr uT7qjAvlOX5csEBit6YTBYG6ddDnO4MCqAULziKNKGQcNMBcsQeUbgax XkM=
maplepark.com.    7200  IN  RRSIG  DNSKEY 5 2 7200 20140117060102 20131220050102 47911 maplepark.com. U/kQ9v9+5W58P22QrWrfB9TDXLETHTWfXuqRMHRdKiK0RfXKFPWY6b8I 4bZaaYwsyJOqK+e+jO9UM53wjZOFrHGC2WAjMldybFY1k5zvjiRu4wY/ FOWeS8moA3IJBTEPG5/mMC5KhI7fGNILh8r/oa3+vFVLB2T8UMpvKKc3 9dfsJEqa0k4AyL5AqqKWF8j9tNlyR2kIXxjHYVw0GP0ef4nWloikiFs9 vwVCoinqM10lXlRMOSu4px3YhMYFZgiDG4RcPOvZ7uQu7vwhxr7OGG/Y A49oLk/gonzcFN5cVTA9sUoWNLiYRhkMavU5z/IskaV1xO4rkZiNcmHB HOwgHw==
maplepark.com.    7200  IN  RRSIG  DNSKEY 5 2 7200 20140117060102 20131220050102 53247 maplepark.com. Zi7yCTwBShrjydl4Q0Qg/IKnfdl1Qqj8XJKmYE8+iuoP+VdNDMQ8LPky 4CJSwqygJkAql6ppm8FYXFwPZsCU3GfWAc90lbAMzGPUtu8XngZcrBJx GUeoUndaDOSe2iXd2tws1a2szu6AmE4ku932yvGzlMXR2y4WfH9caAcw fR0=
maplepark.com.    600   IN  RRSIG  NSEC 5 2 600 20140117060102 20131220050102 53247 maplepark.com. qsBEyCopGtmQeQr2+gbpewo646pneaDVnaqnYrx2C4fiwedfiJMIhcx9 xAxgH0fG7TZ7zEJOUwCITlWkj1lrU4rH0xVNQaQKYez2pcF+CnGJzy7C A4SYBRdVXAU/slxu56ahvi7GNS7PHkGJiUVUJh65iEpS2HY3qOdv3CUn jRA=
(...)
--
David Forrest
St. Louis, Missouri
Re: Unable to transfer IPv4 reverse zone
On Thu, 19 Dec 2013, Daniel Lintott wrote:

> (...)
> ;; ANSWER SECTION:
> 5.168.192.in-addr.arpa.  38400  IN  SOA  server1.internal.serverb.co.uk. daniel.serverb.co.uk. 1234478001 10800 3600 604800 38400
>
> ;; AUTHORITY SECTION:
> 5.168.192.in-addr.arpa.  38400  IN  NS  server1.internal.serverb.co.uk.
> 5.168.192.in-addr.arpa.  38400  IN  NS  server2.internal.serverb.co.uk.
>
> ;; ADDITIONAL SECTION:
> server1.internal.serverb.co.uk.  38400  IN  A     192.168.5.1
> server1.internal.serverb.co.uk.  38400  IN  AAAA  2a01:348:1db::1
> server2.internal.serverb.co.uk.  38400  IN  A     192.168.5.2
> server2.internal.serverb.co.uk.  38400  IN  AAAA  2a01:348:1db::2
>
> All except the aforementioned reverse zone:
>
> dig @192.168.5.1 5.168.192.in-addr.arpa AXFR
>
> ; <<>> DiG 9.9.4-P1 <<>> @192.168.5.1 5.168.192.in-addr.arpa AXFR
> (...)

This is an unrouteable private zone. I slave root as you appear to do and serve your own 5.168.192.in-addr.arpa. as I do. I don't expect it to transfer out as it only has meaning in an internal view.

Dave
--
David Forrest e-mail: drf at maplepark dot com
St. Louis, Missouri
Re: IPv4 not working reverse on /24 cidr
On Mon, 22 Jul 2013, Ryan Pavely wrote:

> Ryan Pavely
> Net Access Corporation
> http://www.nac.net/
>
> So that would suggest any time any block smaller than a /24 is hosted you must actually host the parent zone, pointing to the larger cidr, and then have your normal files for each cidr in that block.

This was on the list a few days ago: https://dougbarton.us/DNS/2317.html

Dave
--
David Forrest
St. Louis, Missouri
Re: broken ISP in china
On Mon, 18 Feb 2013, Lyle Giese wrote:

> I am cross posting this as it might be a dns issue, but it affects email directly. And I am quite aware of the 'Great Chinese Firewall' and realized that may be a large part of the issue.
>
> LCR's mail filter and mail servers are all in the lcrcomputer.net domain. Recently I moved this domain (lcrcomputer.net) to a registrar that supports DNSSEC and inserted the DS record for this domain. I checked DNSSEC via http://dnsviz.net and http://dnssec-debugger.verisignlabs.com. Both show DNSSEC is working just fine for lcrcomputer.net.
>
> However, shortly after that one of my customers stopped receiving email from one of their clients in China. They just brought that to my attention and I tried to email the client in China and got this back:
>
> For ro...@x.com.cn mailto:ro...@medtecs.com.cn, Site (x.com.cn/ipv4 address) said: 559 sorry , your helo/ehlo and domain in mail are invalid, you don't connect from there. (#5.5.9)
>
> Because this started within 24 hours of when I published the DS record for lcrcomputer.net, I am assuming that this is related.

Your nameserver seems to be answering fine in IPv6 +dnssec +norec: http://pastebin.com/S9LM6a59

Does your customer have a SPF record with old info (you show no TXT or SPF RRs)?

Dave
--
David Forrest
St. Louis, Missouri
Re: Free secondary servers supporting DNSSEC?
On Sun, 17 Feb 2013, Vernon Schryver wrote:

> In any case, some naming and shaming seems appropriate. Basic

Naming and shaming seems excessive for a free service.

Dave
--
David Forrest
St. Louis, Missouri
Re: Need to improve named performance
On Mon, 12 Nov 2012, Ed LaFrance wrote:

> Hello Alan - Of course you are right, my bad. Here's the entirety of my named.conf - there's nothing pertaining to logging in here, so I guess that means that 'log everything' is the default. I would only want to log critical named errors, so if anyone has syntax they have my gratitude:

No, you just get the defaults as described in the ARM 6.2.10:

    Only one logging statement is used to define as many channels and categories as are wanted. If there is no logging statement, the logging configuration will be:

    logging {
        category default { default_syslog; default_debug; };
        category unmatched { null; };
    };

The rest of 6.2.10 shows the syntax and provides the ability to roll the logs much as (r)syslogd.conf does for those that syslog gets. None of my named logs go to syslog as I do have a logging statement of my choices.

Dave
--
David Forrest
St. Louis, Missouri
Re: 9.9.0rc1: example from arm 4.8.3 does not validate
On Thu, 19 Jan 2012, Axel Rau wrote:

> On 18.01.2012 at 23:54, Evan Hunt wrote:
>
>>> I tried the example from page 23 with a local zone, a trusted key and inline-signing, like:
>>> [...]
>>> But I'm getting no ad-flag:
>>
>> That's normal; authoritative servers don't set the AD bit, validating resolvers do. (There's not much point in having an authoritative server validate its own answers.)
>
> Can dig tell me, if the sigs are valid, if I provide my trusted key? Or do I need a 2nd (validating) ns?
>
> Axel

One needs to ask a non-authoritative validating server. For checking our publicly available DNSSEC signed site, I use the available recursing validating oarc server:

dig +dnssec @bind.odvr.dns-oarc.net maplepark.com

and get the flags returned in a crontab script that checks it daily for the ad flag.

Dave
--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri
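The daily check described above, and the aa-flag check against a Gandi secondary earlier on this page, both come down to reading dig's header and RRSIG lines. As an added example (not code from the posts or from ISC), here is the Python a cron job could feed dig's text output to: it reports whether the answer was validated (ad), whether it came from an authoritative server (aa, which never implies validation), and whether any RRSIG is expired, not yet valid, or within a warning window of expiry. The two dig outputs embedded below are constructed in dig's format with a placeholder signature; in the real job the text comes from the dig +dnssec @bind.odvr.dns-oarc.net command above.

```python
"""Check a dig response the way a daily DNSSEC cron job would: is the answer
validated (ad flag), is it authoritative (aa flag), and how close are the
RRSIGs to expiry.

Added example for the posts above, not code from them or from ISC. The dig
output embedded here is constructed to match dig's text format (the RRSIG
signature field is a placeholder); a real job pipes in the output of

    dig +dnssec @bind.odvr.dns-oarc.net maplepark.com

An authoritative server does not set ad, so the same check run against the
zone's own server reports validated=False even when the zone is well signed.
"""
import re
from datetime import datetime, timedelta

# Constructed: what a validating recursive resolver returns with +dnssec.
SAMPLE_VALIDATED = """\
; <<>> DiG 9.10.0a1 <<>> +dnssec @bind.odvr.dns-oarc.net maplepark.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
maplepark.com.  7200 IN A 192.0.2.53
maplepark.com.  7200 IN RRSIG A 5 2 7200 20140117060102 20131220050102 53247 maplepark.com. QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
"""

# Constructed: the same zone asked directly at an authoritative server (+norec).
SAMPLE_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64272
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
maplepark.com.  7200 IN A 192.0.2.53
maplepark.com.  7200 IN RRSIG A 5 2 7200 20140117060102 20131220050102 53247 maplepark.com. QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)
# owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)", re.M)


def _ts(value):
    """Accept a datetime or a YYYYMMDDHHmmSS string (the RRSIG time format, and
    what `date -u +%Y%m%d%H%M%S` prints); returns a naive UTC datetime."""
    return value if isinstance(value, datetime) else datetime.strptime(value, "%Y%m%d%H%M%S")


def parse_flags(output):
    m = FLAGS_RE.search(output)
    return set(m.group(1).split()) if m else set()


def parse_rrsigs(output):
    sigs = []
    for m in RRSIG_RE.finditer(output):
        sigs.append({
            "owner": m.group(1), "type_covered": m.group(3),
            "algorithm": int(m.group(4)), "key_tag": int(m.group(9)),
            "expiration": _ts(m.group(7)), "inception": _ts(m.group(8)),
            "signer": m.group(10),
        })
    return sigs


def dnssec_status(output, now, warn_days=7):
    """Summarise one dig response for a monitoring job."""
    now = _ts(now)
    flags = parse_flags(output)
    status = {"validated": "ad" in flags, "authoritative": "aa" in flags,
              "expired": [], "expiring": [], "not_yet_valid": []}
    for sig in parse_rrsigs(output):
        if now < sig["inception"]:
            status["not_yet_valid"].append(sig["type_covered"])
        elif now >= sig["expiration"]:
            status["expired"].append(sig["type_covered"])
        elif sig["expiration"] - now <= timedelta(days=warn_days):
            status["expiring"].append(sig["type_covered"])
    return status


def cron_ok(output, now, warn_days=7):
    """True only for a validated answer with no expired, not-yet-valid or
    soon-expiring signatures; anything else is what the cron job alerts on."""
    s = dnssec_status(output, now, warn_days)
    return s["validated"] and not (s["expired"] or s["expiring"] or s["not_yet_valid"])


if __name__ == "__main__":
    print(dnssec_status(SAMPLE_VALIDATED, "20131225120000"))
    print(dnssec_status(SAMPLE_AUTHORITATIVE, "20131225120000"))
```

In a crontab the call would be something like `dig +dnssec @bind.odvr.dns-oarc.net maplepark.com | python3 check.py "$(date -u +%Y%m%d%H%M%S)"`, with the script exiting non-zero when cron_ok is False so cron mails the output. Validation failures (SERVFAIL from the validating resolver) show up as a missing ad flag and no answer section; an expiring RRSIG is the early warning that a signing job has stalled.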
Re: 9.9 query log change
On Sun, 15 Jan 2012, Evan Hunt wrote:

>> Looking at some query log output from BIND 9.9.0rc1, e.g.
>>
>> 15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): query: www.playground.test IN A +E (131.111.9.112)
>>                                                      ^
>> the indicated parenthesized item is new, but seems always to be the same as the later query name. What is it for? If it is meant to be the name of the client it has got it horribly wrong!
>
> 3199. [func] When logging client information, include the name being queried. [RT #25944]
>
> This is to help with debugging by making it easier for human eyes, and/or 'grep', to separate out the logging for one specific query from all the other contemporaneous queries.
>
>> The ARM for 9.9.0rc1 still describes the old format.
>
> Oops. Where, please? I'll fix that.

Page 49, queries
--
David Forrest
St. Louis, Missouri
Re: variable dig results
On Fri, 6 Jan 2012, M. Meadows wrote:

> Wondering why we get variable results from the following command: dig eftc.thehartford.com
> (sometimes we get authority section and additional section feedback ... sometimes we don't)
>
> ;; Query time: 52 msec
> ;; SERVER: 172.25.17.185#53(172.25.17.185)
> ;; WHEN: Fri Jan 6 00:10:02 2012
> ;; MSG SIZE rcvd: 202
>
> I assume this is due to differences in response from different auth nameservers. If that's the case ... what does one have set up to return the 2nd response?

As the server wasn't specified, dig tries each of the servers listed in /etc/resolv.conf and used 172.25.17.185 both times, one with the rd flag set and got a non-authoritative answer and an authoritative one. I'd assume there are multiple instances or views and you're getting cached answers occasionally. If consistency is needed, maybe specify the server with @server and/or +[no]recurse.
--
David Forrest
St. Louis, Missouri
Re: About root zones
On Wed, 21 Dec 2011, Peter Andreev wrote:

> Ok, maybe I'm paranoid and worrying about trifles, but news about compiled in hints astonished me.

The test shown here may calm you (if it shows refusal): https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

Dave
--
David Forrest
St. Louis, Missouri
Re: Not able to resolve a domain
On Fri, 18 Nov 2011, Ryan Novosielski wrote:

> How does one get a current bogons list? I'm assuming that there are entries that are generally recommended to be in there (and that they're provided with BIND's source when installing).

SOURCE="http://www.cymru.com/Documents/bogon-bn-agg.txt";   # Aggregated list.

Here's a script I use: http://www.maplepark.com/~drf/consults/Getblackhole
--
David Forrest
St. Louis, Missouri
Re: Upgrading From 9.7.2 to 9.8.1 startup failed (due to fatal error)
On Fri, 16 Sep 2011, Ken Schweigert wrote:

> Looking through my named.conf the only reference I have to /dev/null is:
>
> logging {
>     ...
>     channel dev_null_log {
>         file "/dev/null";
>     };
>     ...
>     category lame-servers { dev_null_log; };
>     ...
>
> I'd really like to not lose this channel because of how many lame servers get reported. Any ideas what may be my problem with this upgrade and what I can do to get this version installed?
>
> Regards,
> -ken

I ran into this upon upgrade also and changed the channel statement to:

channel null {    // toss anything sent to this channel
    null;
};
...
category lame-servers { null; };

The new ARM gave me the hint of the config change.

Dave
--
David Forrest
St. Louis, Missouri
Re: Named.conf logical blocks
On 06/28/2011 05:53 PM, Stefan Certic wrote:

> Hi Guys,
>
> Does anyone have a sample grammar for parsing named.conf into a data structure? Perl or PHP are preferred, but anything would be fine just to get a clear picture about grammar and logical blocks.

I send mine through named-checkconf to put it in a consistent state. This helps to reduce the includes and sort out the views and blocks logically. See man named-checkconf.

/usr/local/sbin/named-checkconf -p > /var/named/named.conf.canonical ||\
    echo -e "\nConversion failed, as will named if attempted" \
    > /var/named/named.conf.canonical
--
David Forrest
Maple Park Development Corporation
St. Louis, Missouri
Re: I can't resolve one domain: nhs.uk
Resolves from here:

[drf@maplepark ~]$ dig nhs.uk

; <<>> DiG 9.8.0-P2 <<>> nhs.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65421
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;nhs.uk.                        IN      A

;; ANSWER SECTION:
nhs.uk.                 3134    IN      A       217.64.234.65

;; AUTHORITY SECTION:
nhs.uk.                 76348   IN      NS      nsb.nhs.uk.
nhs.uk.                 76348   IN      NS      nsa.nhs.uk.

;; ADDITIONAL SECTION:
nsa.nhs.uk.             76348   IN      A       194.176.105.223
nsb.nhs.uk.             76348   IN      A       80.2.101.230

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jun 17 09:17:37 2011
;; MSG SIZE  rcvd: 108

[drf@maplepark ~]$
--
David Forrest
St. Louis, Missouri
Re: max-cache-size rule of thumb?
On Mon, 18 Apr 2011, Dennis Perisa wrote:

> Hi all,
>
> Is there a rule of thumb when setting max-cache-size? e.g. max physical memory * 0.4
>
> Is there even a need to set max-cache-size on a server with plenty of memory (10GB) running only BIND?
>
> Regards
> Dennis

Dennis, since getting the answers from cache is usually faster (and therefore more efficient) than recursing, I think the question is really what is the definition of plenty of memory. If bind's performance is hindered because of available memory then a limit on the cache size may be warranted, as also an increase of memory may be. In the example, a max-cache-size of 0.4*10GB leaves a residual pool that far exceeds BIND's requirements. The answer must be determined empirically; if performance is adversely affected then (and only then) limit the cache size.

Dave
--
David Forrest
Maple Park Development Corporation
St. Louis, Missouri
Re: start script for bind9
On Thu, 14 Apr 2011, Alan Clegg wrote:

> On 4/14/2011 10:23 AM, hugo hugoo wrote:
>> I know that if bind is installed via apt-get install (I am using debian linux version), there is automatically a bind9 startup script in /etc/init.d/ directory.
>
> Since named just works and I do everything else using rndc, I have the following line in /etc/rc.local:
>
> /usr/local/sbin/named
>
> AlanC

I also find that named just works and, since the source install uses /usr/local/sbin as the default target, it does not overwrite my distribution (Fedora) binary. It is also important to my setup that named is always running so I use a root crontab entry:

/usr/bin/pgrep named > /dev/null || /usr/local/sbin/named -u named

that runs every minute to ensure it is up. I can then stop it with rndc stop and it will restart on the next minute's crontab event. I can return to my distribution's upstart by stopping using the rndc and immediately start its binary using the service command, but have found the ISC source tarballs a better solution to my needs that include DNSSEC and IPv6 while Fedora 11 is EOL. YMMV.

Dave F
--
St. Louis, Missouri (Sent by ALPINE 2.02 FEDORA 11 LINUX)
Re: Description of log file contents
On Thu, 14 Apr 2011, Alex wrote:

> Hi,
>
> I would figure this is a FAQ, but I can't find it. My apologies if I somehow missed searching properly.
>
> Where can I find a description of what the variables at the end of the line in the query log mean? For example:
>
> 14-Apr-2011 17:27:54.277 queries: client 67.210.0.112#17930: query: ns1.colo.com IN AAAA -E
> 14-Apr-2011 17:27:55.061 queries: client 98.139.193.153#54962: query: cape.com IN MX -E
> 14-Apr-2011 17:27:55.160 queries: client 202.160.178.228#45211: query: www.call-anyone.com IN A -
> 14-Apr-2011 17:27:55.317 queries: client 69.162.74.234#6673: query: mydomain.net IN ANY +
> 14-Apr-2011 17:27:55.766 queries: client 63.230.177.41#20138: query: ns.mydomain.com IN A -E
> 14-Apr-2011 17:27:55.818 queries: client 131.167.253.42#50026: query: 102.96/28.188.104.66.in-addr.arpa IN PTR -
>
> I understand the A and IN, of course, but what is -E and just + and -? Does it have to do with whether it was found in the cache?
>
> Thanks,
> Alex

From the ARM (included in source dist):

    queries
        The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.

Dave
--
St. Louis, Missouri
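The ARM paragraph quoted above is enough to write a parser, and a parser is the natural place to hang the one detection these fields make easy: the "+" (Recursion Desired) and the query type together identify clients repeatedly asking for ANY with recursion, the pattern seen in reflection abuse of open resolvers. As an added example (not code from the post or from ISC), the Python below parses both the 9.7-style lines quoted in the post and the 9.9 format from the "9.9 query log change" thread above (queried name after the client address, destination address at the end), decodes the flag field, and counts ANY queries per client. Several sample lines are adapted from the post; the repeated ANY queries from one client are constructed to exercise the detection.

```python
"""Parse BIND query-log lines, decode the trailing flag field the ARM describes
(+/- Recursion Desired, then S, E, T, D, C), and flag clients sending many
ANY queries with RD set.

Added example for the post above, not code from it or from ISC. Handles the
9.7-style lines quoted in the post and the 9.9 format, where the queried name
follows the client address in parentheses and the destination address closes
the line. The log lines below are constructed for the example (several are
adapted from the post); the repeated ANY queries from 69.162.74.234 are
invented to exercise the detection.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
14-Apr-2011 17:27:55.061 queries: client 98.139.193.153#54962: query: cape.com IN MX -E
14-Apr-2011 17:27:55.160 queries: client 202.160.178.228#45211: query: www.call-anyone.com IN A -
14-Apr-2011 17:27:55.317 queries: client 69.162.74.234#6673: query: mydomain.net IN ANY +
14-Apr-2011 17:27:55.766 queries: client 63.230.177.41#20138: query: ns.mydomain.com IN A -E
14-Apr-2011 17:27:55.818 queries: client 131.167.253.42#50026: query: 102.96/28.188.104.66.in-addr.arpa IN PTR -
14-Apr-2011 17:27:56.002 queries: client 69.162.74.234#6674: query: mydomain.net IN ANY +ED
14-Apr-2011 17:27:56.190 queries: client 69.162.74.234#6675: query: mydomain.net IN ANY +ED
15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): query: www.playground.test IN A +E (131.111.9.112)
15-Jan-2012 18:24:46.001 general: unrelated log line that must be ignored
"""

QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?:(?P<category>[\w-]+):\s+)?"            # 'queries:' when the channel prints categories
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \((?P<client_qname>\S+)\))?: "        # 9.9+: queried name after the client
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[-+][SETDC]*)"
    r"(?: \((?P<dest>[0-9A-Fa-f.:]+)\))?\s*$"   # destination address, when logged
)


def decode_flags(flags):
    """'+ED' -> RD set, EDNS present, DO bit set; letters per the ARM 'queries' entry."""
    return {
        "rd": flags[0] == "+",
        "signed": "S" in flags,
        "edns": "E" in flags,
        "tcp": "T" in flags,
        "do": "D" in flags,
        "cd": "C" in flags,
    }


def parse_query_log(text):
    """Return one dict per query-log line; other log lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["flags"] = decode_flags(rec["flags"])
        records.append(rec)
    return records


def any_query_clients(records, min_count=2):
    """Clients that sent at least min_count ANY queries asking for recursion.
    Returns {client_ip: count}; candidates for rate limiting or an allow-recursion ACL."""
    counts = Counter(r["ip"] for r in records
                     if r["qtype"] == "ANY" and r["flags"]["rd"])
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    for r in recs:
        print(r["ip"], r["qname"], r["qtype"], r["flags"])
    print("repeated recursive ANY:", any_query_clients(recs))
```

Against a live log the same functions run over `tail -F` output; the "-" queries (no RD) to an authoritative-only view are the normal case there, and a burst of "+" ANY queries for one owner name from a handful of sources is worth checking before the upstream complains.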
Re: DNSSEC with 9.7.2-P2
On Tue, 16 Nov 2010, Mark Andrews wrote:

> snipped
>
>> Isn't it sufficient to configure the root trust anchor inside managed-keys {}; statement? If I understand correctly the key should be automatically updated, shouldn't it?
>
> For 9.7 yes.

I just updated to 9.7.2-P3 and got this message on start:

Dec  1 10:52:01 maplepark named[20356]: starting BIND 9.7.2-P3 -u named
Dec  1 10:52:01 maplepark named[20356]: built with defaults
Dec  1 10:52:01 maplepark named[20356]: using up to 4096 sockets
Dec  1 10:52:01 maplepark named[20356]: loading configuration from '/etc/named.conf'
Dec  1 10:52:01 maplepark named[20356]: reading built-in trusted keys from file '/etc/bind.keys'

I had removed that file for -P2 but the sudo make install of -P3 re-w
rote it:

[...@maplepark:~/src/bind-9.7.2-P3]$ grep bind.keys typescript
/usr/bin/install -c -m 644 ./bind.keys /etc

so it is back. I do have a managed-keys statement in my named.conf:

managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

and it seems to run OK so far. My question is whether the built-in trusted keys (/etc/bind.keys) is necessary or not in 9.7.2-P3. I am assuming it is as the make step set it up.

Dave
--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: DNSSEC with 9.7.2-P2
On Wed, 1 Dec 2010, lst_ho...@kwsoft.de wrote:

> Quoting David Forrest d...@maplepark.com:
>
>> I had removed that file for -P2 but the sudo make install of -P3 re-wrote it [...] My question is whether the built-in trusted keys (/etc/bind.keys) is necessary or not in 9.7.2-P3. I am assuming it is as the make step set it up.
>
> It is a DLV needed as a trust anchor until DNSSEC is chained from the DNS root downwards. See http://www.isc.org/solutions/dlv for details.
>
> Regards
>
> Andreas

The startup of named with the builtin trusted keys and my managed-keys statement creates two identical separate mkeys files and their mkeys.jnl counterparts for the root:

-rw-r--r-- 1 named users 698 2010-12-01 04:47 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
-rw-r--r-- 1 named users 512 2010-12-01 04:47 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl
-rw-r--r-- 1 named users 698 2010-12-01 04:51 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
-rw-r--r-- 1 named users 512 2010-12-01 04:51 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl

both of which show a key id == 19036 which seems odd. I do have two views, though, for internal (recursive) and external (non-recursive) purposes. Oh well, it works as both views seem to authenticate DNSSEC:

[maplepark.com (view: external)]
    1044 queries resulted in successful answer
    1140 queries resulted in authoritative answer
      17 queries resulted in nxrrset
      79 queries resulted in NXDOMAIN
       5 requested transfers completed
[maplepark.com (view: internal)]
     333 queries resulted in successful answer
    1129 queries resulted in authoritative answer
       4 queries resulted in nxrrset
     792 queries resulted in NXDOMAIN

Thanks, Dave
Re: DNSSEC with 9.7.2-P2
On Fri, 12 Nov 2010, Phil Mayers wrote:

> On 12/11/10 12:49, David Forrest wrote:
>> and, on checking named.conf, I found the entry for br. as:
>>
>> trusted-keys {
>>     br. 257 3 5 "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
>> };
>
> This key is invalid for br. Since you're running 9.7.2, don't do this. br is signed by the root; instead, define a managed-keys statement for . and let the root DNSSEC take care of it. See:
>
> http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers

That fixed it! Thanks, Phil.

Upon restarting I got a starting log message:

reading built-in trusted keys from file '/etc/bind.keys'

and stopped it with rndc to rename that file as it seemed to be a lookaside key for dlv. After a restart of named I got only a

named[25911]: set up managed keys zone for view external, file '3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'

message and it seems to be working fine now.

Although I am using Fedora 11, I did disable the inits for the distribution scripts and start named from a root crontab:

* * * * * /usr/bin/pgrep named > /dev/null || (ulimit -u 4096; /usr/local/sbin/named -u named)

as I have all the 9.7.2-P2 stuff in /usr/local/sbin while F11 used /usr/sbin. My troubles were of my own making, not F11's, although I do not remember creating the '/etc/bind.keys' file.

Thanks again, this is a very helpful list.

Dave
--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
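The two threads above hinge on trust anchors: the mkeys files that "show a key id == 19036", and a static trusted-keys entry for br. that had silently gone stale. The key id named reports is the RFC 4034 key tag of the DNSKEY RDATA, and computing it from the statement in named.conf is the quickest way to confirm that the configured anchor is the key you think it is and matches the DS the parent publishes. As an added example (not code from the posts or from ISC), the Python below parses trusted-keys / managed-keys statements and computes the tag; the root statement is the one quoted above and yields 19036, the br. statement is the stale entry from this thread and is tagged only so it can be compared against the live br. DNSKEY and DS, which this example does not fetch.

```python
"""Compute the key tag of the DNSKEYs in trusted-keys / managed-keys statements
so a configured trust anchor can be compared with what named logs and with the
DS record published by the parent.

Added example for the posts above, not code from them or from ISC. The tag
algorithm is RFC 4034 Appendix B (with the RSAMD5 special case of B.1). The
root key statement is the one quoted in the thread; its tag is 19036, the
"key id" the mkeys files showed. The br. statement is the stale trusted-keys
entry Phil Mayers pointed at; its tag is computed only so that it can be
checked against the live br. DNSKEY/DS, which this example does not fetch.
"""
import base64
import re
import struct

ROOT_MANAGED_KEYS = '''
managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
'''

BR_TRUSTED_KEYS = '''
trusted-keys {
    br. 257 3 5 "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
};
'''

# name [initial-key] flags protocol algorithm "base64" ;  (the quotes are made
# optional because mail archives strip them; base64 may be wrapped over lines)
KEY_RE = re.compile(
    r'^\s*(?P<name>\S+)\s+(?:initial-key\s+)?(?P<flags>\d+)\s+(?P<proto>\d+)\s+'
    r'(?P<alg>\d+)\s+"?(?P<key>[A-Za-z0-9+/=\s]+?)"?\s*;', re.M)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    algorithm = rdata[3]
    if algorithm == 1:
        # B.1: RSAMD5 uses the 4th- and 3rd-to-last octets of the modulus
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_statements(text):
    """Extract the keys in trusted-keys / managed-keys text, with their tags."""
    keys = []
    for m in KEY_RE.finditer(text):
        flags, proto, alg = (int(m.group(g)) for g in ("flags", "proto", "alg"))
        rdata = dnskey_rdata(flags, proto, alg, m.group("key"))
        keys.append({"name": m.group("name"), "flags": flags, "protocol": proto,
                     "algorithm": alg, "key_tag": key_tag(rdata),
                     "is_ksk": bool(flags & 1)})   # SEP bit, RFC 4034 section 2.1.1
    return keys


if __name__ == "__main__":
    for k in parse_key_statements(ROOT_MANAGED_KEYS) + parse_key_statements(BR_TRUSTED_KEYS):
        print(f'{k["name"]:<4} flags={k["flags"]} alg={k["algorithm"]} tag={k["key_tag"]} ksk={k["is_ksk"]}')
```

The check a resolver operator wants is to compare each computed tag with "dig +norec @<parent server> <zone> DS" for the zone: a trusted-keys entry whose tag no longer appears in the parent's DS set, as happened with br., makes every answer under that name fail validation until the static anchor is removed or replaced.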
Re: managed-keys-zone file not found
On Sun, 3 Oct 2010, Evan Hunt wrote:
> On Fri, Oct 01, 2010 at 10:29:34PM +, Jack Tavares wrote:
>> Hello
>> While starting up bind I get the following 2 messages
>>
>>     01-Oct-2010 15:13:15.304 set up managed keys zone for view external, file '3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'
>>
>> and
>>
>>     01-Oct-2010 15:13:15.309 managed-keys-zone ./IN/external: loading from master file 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed: file not found
>
> The expected behavior is, the first time you start BIND with managed-keys configured in a view, it will try to load the keys from an existing managed-keys file. If the file isn't found, it logs this warning, and then if the directory is writable, it goes ahead and creates the file. So you should only be seeing this the first time, and not thereafter. Which is why I'm concerned about this:
>
>> I have tried using managed-keys-directory option, but I cannot get rid of this message.
>
> BIND hasn't created the file yet? Is your working directory or managed-keys-directory writable?

Evan, I had this same message and it continued on every start. But it went ahead and loaded the zone (in memory I surmised) and everything worked OK. I just tried creating an empty file (via touch) in my working directory and, voila! No more messages except for the "set up managed keys zone for view external" and it still works as it should. My working directory is owned by named and I run as -u named so I don't know why it does not write the file. I had a similar problem with the internal view and removed the annoying message in the same manner; touching the file with the name in the message in the working directory. So I now have two empty files; no biggie. I searched in the source code for the message and found it in ./bin/named/server.c but didn't go any further as my invocation hack worked for me and it just seemed to be a log info message. YMMV.

Dave
-- 
David Forrest e-mail d...@maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: DNS resolution based on source network
On Mon, 27 Sep 2010, Thomas Elsgaard wrote:
> Hello
> Is it possible with BIND to resolve the same name (like test.gl) to different IPs based on the source network of the request? Here is an example:
>
> A machine in network 10.3.0.0/16 is contacting DNS to look up test.gl, DNS returns - 10.0.0.2
> A machine in network 10.5.0.0/16 is contacting DNS to look up test.gl, DNS returns - 10.0.0.5
>
> Thomas

Yes, by using views. I do it so all my internal machines are XXX.maplepark.com, using the private network addresses while the external world gets my public addresses. The internal machines are still able to get the external addresses by specifying the server address to be the external IP (via host or dig). Most don't need them though. It does require separate zone files though. I don't mind sharing my .conf file - just email me.

Dave
-- 
David Forrest e-mail d...@maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: installing on SLES 10sp3
On Thu, 9 Sep 2010, Lyle Giese wrote:
> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3 server. When I run named from the command line, it runs, but fails to open and write any of the zone files it downloaded.
>
>     named -c /etc/named.conf   (yes I am running this as root)

I had similar problems with 9.7.1-P2 and it seemed that the named init script generated for F11 reset permissions on the /var/named directory. Go figure. But, to make it work, I inserted a chmod command just before it launched the daemon to set /var/named as owned by named. I also like the executable in /usr/local/sbin rather than /usr/sbin as the script said. So mine now is as below:

    ...
    chown -hR named:named /var/named                    ## DRF
    #daemon /usr/sbin/$named -u named ${OPTIONS};       ## DRF
    daemon /usr/local/sbin/$named -u named ${OPTIONS};  ## DRF
    ...

I don't start it directly from the command line though, so running from the command line as root should not have that ownership problem. You might check the actual install directory as you might be running the old executable.

Dave
-- 
David Forrest e-mail d...@maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: installing on SLES 10sp3
On Thu, 9 Sep 2010, Lyle Giese wrote:
> David Forrest wrote:
>> On Thu, 9 Sep 2010, Lyle Giese wrote:
>>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3 server. When I run named from the command line, it runs, but fails to open and write any of the zone files it downloaded.
>>>
>>>     named -c /etc/named.conf   (yes I am running this as root)
>
> [snipped]
>
> I checked the version of named and named-checkconf using -v and -V and tried running it via the full path. They have the right version number 9.7.1-P2.
>
> Lyle Giese

Lyle, since it runs from the command line, it would seem that you're left with the zone files and those special files named needs. From the named-checkconf man:

    Note: files that named reads in separate parser contexts, such as rndc.key and bind.keys, are not automatically read by named-checkconf. Configuration errors in these files may cause named to fail to run, even if named-checkconf was successful. named-checkconf can be run on these files explicitly, however.

I have also found some pesky errors in my zone files by running named-checkzone on them. That may be indicated as you can run but the zones don't open.

Dave
-- 
David Forrest e-mail d...@maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: root-anchor.xml anchors.xml in Bind
On Sat, 17 Jul 2010, Lyle Giese wrote:
> OK I am confused a bit. Can someone shed just a bit of light on this for me? (This is such a new topic not much is available in searches yet)
>
> IANA put out the anchors2keys python script and I have that working. If I include the resulting files into named.conf as an include, named (9.7.1-P2) loads up but does not mention importing those keys, but complains loudly if the file asked for in the include statement is not there. That part is good, it appears to be reaching out and at least reading the file and knows it's there. But did it import that data and is named using it? That is not answered quite so quickly.
>
> Now I read with great interest the thread here about how to use the root-anchor.xml. Kalman Feher takes the root-anchor output from anchors2keys as a trusted-key and changes it to a managed-key and then imports into named's data. Doing that results in named adding the . key into its managed keys zone files and you can see them in the *.mkeys files.
>
> What is the difference between managed-keys and trusted-keys? And should I be importing anchors.xml as managed-keys instead of trusted-keys?
>
> Thanks,
> Lyle Giese
> LCR Computer Services, Inc.

Lyle, To see what the named.conf actually is after all includes, I run this:

    /usr/local/sbin/named-checkconf -p /var/named/named.conf.canonical

and just browse the resulting output.

Dave
St. Louis, MO
Re: Running both a cache-only and an authoritative server on the same server
On Thu, 17 Jun 2010, Torsten wrote:
> On Thu, 17 Jun 2010 13:35:38 +0100, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 17/06/10 12:39, Jørn Skjerven wrote:
>>> Hi!
>>> I've tried to search the archive for this, but could not find anything relevant. We currently run a server with an authoritative set for domains. We want to use the same server as a cache-only DNS for other customers as well. Is it possible to achieve this in a single named.conf, or is it recommended to run two instances of bind, each with a different listen-on ip statement?
>>
>> Sure. Use views:
>>
>>     view authoritative {
>>         recursion no;
>>         match-destinations { mycurrentip; };
>>         zone ...
>>     };
>>     view authoritative {
>>         recursion yes;
>>         match-destinations { myrecurseip; };
>>     };
>
> The important part seems to be on a secondary IP and afaik listen-on statements don't work inside of view statements. That leaves you with running two separate instances of Bind on the same server.
>
> Ciao
> Torsten

But match-clients does work in views. I set up an acl for my internal IPs as:

    acl local-nets {
        192.168.0.0/16;   // our known internal net
        127.0.0.1;        // localhost loopback
        ::1;              // Localhost IPV6
    };

And one for the external:

    acl isp-net { 99.178.153.41; };   // our ATT-Uverse net

and then used views:

    view internal   // only local hosts (match-clients) will see this view
    {
        match-clients { local-nets; };
        allow-recursion { local-nets; };
        zone . [zone ... ]
    }
    view external {   // Primary nameserver for maplepark.com.
        allow-query { any; };
        // allow-recursion { none; };   // additional-from-cache no; will not work with this!
        recursion no;                   // So use this instead.
        additional-from-cache no;       // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
        zone . [zone ... ]
    }

and it has been working well. I do use all private addresses for my internal network and that does require a separate zone file.

Dave
-- 
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: Bind response
On Tue, 1 Jun 2010, Matus UHLAR - fantomas wrote:
> On 01.06.10 14:16, rams wrote:
>> I queried for a cname domain against bind 9.6.X and got the following response
>>
>>     C:\Documents and Settings\ramesh> dig @localhost cname.td3497.com mx
>>
>>     ; <<>> DiG 9.6.1-P1 <<>> @localhost cname.td3497.com mx
>>     ; (1 server found)
>>     ;; global options: +cmd
>>     ;; Got answer:
>>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 681
>>     ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>     ;; WARNING: recursion requested but not available
>>
>>     ;; QUESTION SECTION:
>>     ;cname.td3497.com.              IN      MX
>>
>>     ;; ANSWER SECTION:
>>     cname.td3497.com.       86400   IN      CNAME   .
>>
>>     ;; Query time: 15 msec
>>     ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>     ;; WHEN: Mon May 31 14:10:32 2010
>>     ;; MSG SIZE  rcvd: 47
>>
>> Here why is the authority section not returned? Actually the authority section should be returned with SOA, right?
>
> For CNAME answers, the authority for the destination (.) is returned and authority is returned if it's known and configured.

And here it is known to be NXDOMAIN when the server is recursive:

    [...@maplepark ~]$ dig cname.td3497.com. any

    ; <<>> DiG 9.7.0-P2 <<>> cname.td3497.com. any
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6782
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;cname.td3497.com.              IN      ANY

    ;; AUTHORITY SECTION:
    com.                    864     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1275386123 1800 900 604800 86400

    ;; Query time: 0 msec
    ;; SERVER: 192.168.102.9#53(192.168.102.9)
    ;; WHEN: Tue Jun  1 04:56:13 2010
    ;; MSG SIZE  rcvd: 107

-- 
David Forrest
Maple Park Development Corporation
St. Louis, Missouri
Re: 9.7.0-P1 annoyance: DNS format error
On Thu, 18 Mar 2010, Jeff A. Earickson wrote:
> Hi,
> I just upgraded bind on my mail server from 9.6.2 to 9.7.0-P1, and now I'm getting a flood of these in my syslog:
>
>     DNS format error from 218.10.19.172#53 resolving hisfield.ru/NS for client 137.146.28.72#22500: invalid response
>
> with various IPs and record types. Most of these are spam sites I'll bet. I checked the Bv9ARM.pdf for new syslog categories and found a new one, which I set to null in an attempt to shut these messages up:
>
>     category query-errors { null; };
>
> Still they come. I checked this mailing list and googled; what do I do to silence this?
>
> Jeff Earickson
> Colby College

Actually this log message comes from the category resolver. Try

    category resolver { null; };

-- 
David Forrest
St. Louis, Missouri
Re: Help with logrotate and bind
On Fri, 26 Feb 2010, Diosney Sarmiento Herrera wrote:
> Hi!
> I am trying to rotate my named logfile with logrotate and I configured it as I show:
>
>     #
>     # Logrotate fragment for bind.
>     #
>     /var/log/named.log {
>         daily
>         ifempty
>         compress
>         delaycompress
>         dateext
>         rotate 14
>         missingok
>         nocreate
>     }
>
> The problem is that when the log is rotated the file /var/log/named.log disappears. How can I fix this issue? By the way, is there a need to include prerotate and postrotate scripts?
> Thanks in advance!

You have nocreate specified and that may be the problem. I have:

    create 0644 named named

in my logrotate.conf and it rotates properly. And I have no pre or postrotate scripts.

Dave
-- 
David Forrest
Maple Park Development Corporation
St. Louis, Missouri
Insecure response BIND 9.7.0b2
Logged:

    Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure

What does this mean?
-- 
David Forrest
St. Louis, Missouri
Re: Insecure response BIND 9.7.0b2
On Thu, 19 Nov 2009, Jeremy C. Reed wrote:
> On Thu, 19 Nov 2009, David Forrest wrote:
>> Logged:
>>
>>     Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>
>> What does this mean?
>
> This is documented in the ARM. The parent zone says (published DS) that it should have been signed.

I mean is it something I can fix in my configs or is it a result of the dlv.isc.org configuration? Can I alter my configuration to eliminate these messages?
-- 
David Forrest
St. Louis, Missouri
Re: dump cache's content
On Mon, 26 Oct 2009, net...@royal.net wrote:
> Hello,
> Is it possible to dump all of Bind's cache content into a file?
> Thanks.

    rndc dumpdb

-- 
David Forrest
St. Louis, Missouri
9.6.1-P1 log message
What do I have to do to correct whatever is causing this log message from named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?

    validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be secure failure

Thanks in advance,
Dave
-- 
David Forrest
St. Louis, Missouri
Re: 9.6.1-P1 log message
On Tue, 25 Aug 2009, Jeremy C. Reed wrote:
> On Tue, 25 Aug 2009, David Forrest wrote:
>> What do I have to do to correct whatever is causing this log message from named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?
>>
>>     validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be secure failure
>
> May need more context for this (like higher debug level for DNSSEC category). (I have patches for improving the DNSSEC logging which are planned for an upcoming BIND release.)
>
> This may be:
>
>     must be secure failure, no DS and this is a delegation
>     must be secure failure, key is insecure, so mark the data as insecure also.
>     must be secure failure, no supported algorithm/digest (dlv)
>     must be secure failure (DS)
>     must be secure failure, no supported algorithm/digest (DS)
>     must be secure failure, DLV lookup from a DLV subdomain
>     must be secure failure, DLV lookup from a DLV subdomain?
>     must be secure failure, not beneath secure root
>     must be secure failure at '%s', can't fall back to DLV
>     must be secure failure, no DS at zone cut (zone)
>     must be secure failure, is a delegation but no DS at zone cut (cache)
>     must be secure failure, no supported algorithm/digest (%s/DS)
>
> Sorry this probably doesn't help much.

Thanks for the note anyway, Jeremy. I got another response off-list, and since I'm not really using DNSSEC for anything, I just changed my options to:

    dnssec-enable no;
    dnssec-validation no;

and that seems to have done it.

Dave
-- 
David Forrest
St. Louis, Missouri
Re: dig return values
On Fri, 22 May 2009, Scott Haneda wrote:
> I have searched for dig return codes and also looked at the man page, leading me to nothing definitive. Does `dig` have return codes that I can use to make some form of automated tests?
>
>     foo=`dig NS example.com @ns2.example.com +short +time=2 +tries=1`
>     echo $foo
>     ; <<>> DiG 9.4.3-P1 <<>> NS example.com @ns2.example.com +short +time=2 +tries=1 ;; global options: printcmd ;; connection timed out; no servers could be reached
>
> I do not know, nor would I want to have to know, all the possible return strings I may get back. My needs are simple, I believe any ANSWER of 0 I would determine to be true, any timeout of any form I would determine to be false. Can anyone point me to docs on return codes, or is this going to amount to string parsing? If it does, how much deviation on return messages is there from the various dig versions that have been released? Thank you.

My dig (version DiG 9.6.1b1) returns RC 0 on both an answer and a connection timeout, and would seem to require string parsing for a useful branch. F9 64 system.

Dave
-- 
David Forrest
St. Louis, Missouri
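The string parsing the thread concludes is necessary, as an added example that is not part of the original exchange: a POSIX sh/awk function that classifies captured dig output by its header status and ANSWER count rather than by dig's exit status. The sample outputs are constructed and trimmed to the lines the parser needs.

```shell
#!/bin/sh
# Added example, not from the original thread: classify captured dig output by
# parsing the text, since the exit status alone does not separate an answer
# from a timeout. Reads dig's stdout on stdin, prints "timeout", "unparsed"
# or STATUS/ANSWERCOUNT (e.g. NOERROR/5, REFUSED/0) and exits 0 only for a
# NOERROR response carrying at least one answer record.
classify_dig() {
    awk '
        /connection timed out|no servers could be reached/ { timeout = 1 }
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "ANSWER:") { answers = $(i + 1); sub(/,$/, "", answers) }
        }
        END {
            if (timeout)      { print "timeout";  exit 2 }
            if (status == "") { print "unparsed"; exit 3 }
            print status "/" answers
            exit ((status == "NOERROR" && answers + 0 > 0) ? 0 : 1)
        }'
}

# dig_result TEXT: run classify_dig over a captured dig output held in a variable.
dig_result() {
    printf '%s\n' "$1" | classify_dig
}

# Constructed sample outputs, trimmed to the lines that matter; the header and
# flags lines follow the format dig prints in the outputs quoted on this list.
DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62282
;; flags: qr; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5'
DIG_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
DIG_TIMEOUT=';; connection timed out; no servers could be reached'

# Walk the samples; the if/else keeps a non-zero classification from aborting
# a script run under set -e.
for sample in "$DIG_OK" "$DIG_REFUSED" "$DIG_TIMEOUT"; do
    if dig_result "$sample"; then
        echo "  -> usable answer"
    else
        echo "  -> not usable (rc=$?)"
    fi
done
```

In a monitoring job the return code of dig_result is the branch condition the original question asked for; the printed STATUS/COUNT is there for the log.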
Re: will blocking getting hammered by cache request do anything?
On Sun, 8 Mar 2009, enigmedia wrote:
> Hi All: my 9.6.0 server is getting hammered by cache requests from a specific IP (62.109.4.89) which traces back to what looks like a DSL netblock in Russia:
>
>     05-Mar-2009 12:18:01.883 queries: info: client 62.109.4.89#53157: query: . IN NS +
>     05-Mar-2009 12:18:01.883 security: info: client 62.109.4.89#53157: query (cache) './NS/IN' denied
>
> I assume that this is some unpatched server (because currently I only see this single IP trying to connect), but is there any way to tell the difference between that and a deliberate DDOS attack?
>
> Actually, this is almost certainly someone trying to use your server as part of a DNS amplification attack ON that server. The source IP is spoofed, with the goal of getting lots of servers to send large replies to it. But since you have recursion and query-cache disabled for external IPs, you're not amplifying anything.
>
> My subnet is on a Verizon 3Mbps static business DSL connection with a router/firewall NAT'ing the incoming traffic. My question is, will blocking this from the firewall in front of the box help in any way to mitigate its effect on the server? Or do I need to get my upstream provider to block this IP for it to have any impact? The server isn't choking on the volume of requests (yet), and I'm wondering if blocking the requests at the border of the network would do anything meaningful?
>
> If you block it on the firewall, then the requests will never hit the server, so of course it will mitigate its effect on the server. It won't help with the downstream bandwidth on your DSL, but it will stop the REFUSED replies from being sent back, so your upstream bandwidth will improve.
>
> Thanks Barry: you mentioned that the IP is being spoofed... does that mean the IP in the log is not the actual IP that sent the request? If so, would blocking it actually work?

This question has come up before and I commented thusly with a response from Mark Andrews:

    Using allow-query to deny some queries still takes time and resources from your server as it then sends a denied message back to the query source. As the source is spoofed it then contributes in a small way to the DDoS attack. I think it is better to just drop the queries on your firewall. I found this entry for iptables on the list a while back and it works well and drops around a thousand queries a day.

        iptables -A INPUT -i $LOCALIF -j DROP -p udp --dport domain -m u32 --u32 0220...@1216=10220...@2024=00220...@21=0x00020001

Mark replied:

    Well your opinion does not match the collective wisdom of the dnsop and dnsext working groups. These working groups looked at the issue a while ago and concluded that sending REFUSED was the best response overall. Unless you know the packet was forged then dropping it does additional damage. Sending REFUSED turns you from an amplifier into an obscurer.

    The best thing you can do is make sure that you have deployed BCP 38 on your network. This will prevent you being a source of spoofed traffic. The next best thing you can do is track or get your ISP to track the offending traffic back to its source and request that BCP 38 be deployed there. That way everybody in the world is in a better position.

    You can't detect all reflection attacks at the reflector. This one is an easy one to detect. You can however work to close down the holes in the global BCP 38 defences. This attack provides a perfect opportunity to chase down those holes.

    Mark

Mark made that comment and it made sense to me. A thousand queries daily is a negligible load on my server and being an obscurer could be a good thing. Dropping the queries at the firewall does make my logging easier to scan though, and, being selfish, I have opted to continue dropping them. I'm just a small user and it is the path of least resistance.

I have noticed the attacks are sporadic and I'll go a week or so without any and then they recur for a couple of days.

Dave
-- 
David Forrest
St. Louis, Missouri
Re: adb.c:1526: INSIST(find-adbname == ((void *)0)) failed
On Wed, 18 Feb 2009, Mark Andrews wrote:
> In message 1234867921.16690.43.ca...@d410-heron, Niall O'Reilly writes:
>> On Mon, 2009-02-16 at 12:17 +1100, Mark Andrews wrote:
>>> It should be unrelated. I would however still upgrade.
>>
>> Thanks, Mark. If I don't see the same assertion failure with the current release, I guess that's closed.
>>
>> One advantage of upgrading is getting all those nice log entries reporting EDNS faults. 8-)
>
> No. You get log entries reporting TIMEOUTS. Using EDNS is only one possible reason for the timeout and it is one we have control over so that is why it is mentioned.
>
> Mark
>
>> /Niall

To get rid of all those nice log entries, I have this in my named.conf:

    channel edns-disabled { file "/dev/null"; };
    category edns-disabled { null; };

-- 
David Forrest
St. Louis, Missouri
RE: loads of Query denied... is it an attack or a misconfiguration ?
On Wed, 11 Feb 2009, Matthew Huff wrote:
> I've been aware of this problem since it first came up on this and nanog's list, but I'm having some configuration issues trying to make the upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS queries being answered in the log:
>
>     11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
>     11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
>     11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
>     11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
>     11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
>     11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
>     11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
>
> My config follows, any suggestion?
>
>     options {
>         directory "/var/named";
>         pid-file "/var/named/named.pid";
>         statistics-file "/var/named/named.stats";
>         memstatistics-file "/var/named/named.memstats";
>         dump-file "/var/adm/named.dump";
>         zone-statistics yes;
>         notify no;
>         transfer-format many-answers;
>         max-transfer-time-in 60;
>         interface-interval 0;
>         recursion no;
>         allow-transfer { xfer; };
>         allow-query { none; };
>         allow-recursion { none; };
>         additional-from-auth no;
>         additional-from-cache no;
>     };
>
>     view "internal-in" in {
>         match-clients { trusted; };
>         recursion yes;
>         additional-from-auth yes;
>         additional-from-cache yes;
>         allow-query { trusted; };
>         allow-recursion { trusted; };
>         allow-query-cache { trusted; };
>         zone "." in { type hint; file "db.cache"; };
>         zone "0.0.127.in-addr.arpa" in { type master; file "master/db.127.0.0"; allow-query { any; }; allow-transfer { none; }; };
>         zone "foo.com" in { type master; file "master/db.foo"; };
>         ... ... ...
>     };
>
>     view "external-in" in {
>         match-clients { any; };
>         recursion no;
>         allow-transfer { xfer; };
>         allow-query { none; };
>         allow-recursion { none; };
>         additional-from-auth no;
>         additional-from-cache no;
>         zone "." in { type hint; file "db.cache"; };
>         zone "foo.com" in { type master; file "master/db.foo"; allow-query { any; }; };
>         ... ... ...
>     };

Matthew, the querylog shows what was queried. To see what is answered try digging your external interface. Here is my external view:

    view external {   // Primary nameserver for maplepark.com.
        match-clients { any; };
        recursion no;
        additional-from-cache no;   // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
        zone "maplepark.com" {
            type master;
            notify yes;
            allow-transfer { slave-name-servers; };
            file "/var/named/drf/external/maplepark.com.external.";
        };
        zone "." {
            type hint;
            file "named.ca";
        };   // Update this hint by: /usr/local/sbin/update-root-cache
    };

And the result of the external query:

    [...@maplepark ~]$ dig +bufsize=4096 @64.216.205.121 . NS

    ; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;.                              IN      NS

    ;; Query time: 0 msec
    ;; SERVER: 64.216.205.121#53(64.216.205.121)
    ;; WHEN: Wed Feb 11 08:53:04 2009
    ;; MSG SIZE  rcvd: 28

    [...@maplepark ~]$

Note that the status is REFUSED and MSG SIZE is 28 bytes. And the querylog has this:

    11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E

Try digging. AFAICT your conf should return REFUSED.

Dave
-- 
David Forrest e-mail d...@maplepark.com
Maple Park Development Corporation http://www.maplepark.com
St. Louis, Missouri
Re: DDOS prevention - how to restrict queries to hint (root) zones?
On Tue, 3 Feb 2009, Mark Andrews wrote:
> In message 1233658532.12933.42.ca...@muccalla.uninsubria.it, MAtteo HCE Valsasna writes:
>> hi all,
>> We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's package), that does both recursive queries for internal clients (with a proper allow-recursion clause) and authoritative service for the institution's domain.
>>
>> There are reports of DDOS attacks based on DNS requests for the root zone with spoofed source IP address:
>> * the attacker sends a request for the root zone with spoofed source address to a DNS server
>> * The intermediate victim (DNS server) sends the reply packet - significantly larger than the request - to the ultimate victim (the owner of the spoofed source IP address in the request packet).
>> * the ultimate victim's connection is flooded
>>
>> http://isc.sans.org/diary.html?storyid=5773
>>
>> I verified that our servers reply when queried from a non-trusted source address for the root zone. (and we must also notice that the non-trusted source address argument is pretty pointless when dealing with spoofed source addresses: if a query with a spoofed internal source address could reach the server, the server would just DDOS an internal machine. But we do discard inbound packets with internal source IP addresses on the network border).
>>
>> The first answer to this threat would be to disallow queries for the root zone for any client (the root zone is used only by the server itself, right?).
>> * Do you think there is any reason NOT to do this?
>> * Do you know a simple way to do this? the trivial solution of adding an allow-query clause to the root zone definition is refused by the server, as hint type zones cannot have an allow-query clause - see https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
>>
>> there is possibly a way to do this using views, but... anything simpler?
>
>     options {
>         allow-query { recursive-clients; };
>         allow-recursion { recursive-clients; };
>     };
>     zone {
>         type (slave|master);
>         ...
>         allow-query { any; };
>     };
>
> Or upgrade to BIND 9.4 or later and use allow-query-cache, BIND 9.3 is past end-of-life.
>
> Mark
>
>> best regards and thanks for any answer
>> MAtteo Valsasna

Using allow-query to deny some queries still takes time and resources from your server as it then sends a denied message back to the query source. As the source is spoofed it then contributes in a small way to the DDoS attack. I think it is better to just drop the queries on your firewall. I found this entry for iptables on the list a while back and it works well and drops around a thousand queries a day.

    iptables -A INPUT -i $LOCALIF -j DROP -p udp --dport domain -m u32 --u32 0220...@1216=10220...@2024=00220...@21=0x00020001

-- 
David Forrest
St. Louis, Missouri
Re: Bind 9 query logging
On Fri, 30 Jan 2009, Robert Coward wrote:
> Sorry, I should have been a bit more specific. In reference to the O'Reilly book: O'Reilly DNS and Bind by Paul Albitz & Cricket Liu (4th Edition) pg. 163 - 173 (specifically pg. 164, paragraph 4) and pg. 405 - 421 (info about using the debug options)
>
> The web sites I looked at were: http://www.bind9.net/manuals and http://www.zytrax.com/books/dns
>
> So reading your response the current version of Bind (9.6 I think) does not have the ability to log the responses.
>
> O Reilly DNS and Bind Paul Albitz Cricket Liu

Using 9.6.0-P1, I enabled the querylogs option like this:

    channel querylogs {
        file "/var/log/dnsqueries" size 20m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { querylogs; };

and it generated a quite large log file so I wrote a rather inefficient bash script to distill it down to a more readable format and end up with this little query report:

               Total      A     NS     MX    TXT    PTR    SOA    SPF
    External     740    310      1    353      2      0     73      0
    Internal   33504  23758   1545   1222   5533   1445      0      0
    Totals     34244  24068   1546   1575   5535   1445     73      0

    Other packets: (if any not detailed)
    01-Feb-2009 13:34:27.796 queries: info: client 64.246.42.203#40986: view external: query: maplepark.com IN IXFR -
    02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view internal: query: _ldap._tcp.dc._msdcs.maplepark.com IN SRV +

    DDoS ( . IN NS) attacks follow: (if any)

(Note: I don't get any of these anymore as I have them dropped at the firewall. They amount to about 1000 per day, and demanded some sort of attention to make my logs readable.)

The script via cron runs daily mailing the output and it serves my purposes for a very small office network.
-- 
David Forrest
St. Louis, Missouri
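A distillation of the querylog in the spirit of the report above, added here as an example and not the poster's own script: two POSIX sh/awk functions count queries per view and type, and list the sources of the ". IN NS" queries separately so that reflection traffic does not swamp the report. The log lines are constructed samples in the 9.6 querylog format shown above (client addresses are documentation ranges).

```shell
#!/bin/sh
# Added example, not the script from the original post: distil a BIND 9 query
# log into a per-view, per-type count and list ". IN NS" reflection queries
# separately. The log lines below are constructed samples in the 9.6 querylog
# format; both functions read log text on stdin.
SAMPLE_LOG='01-Feb-2009 13:34:27.796 queries: info: client 192.168.102.95#53722: view internal: query: www.example.com IN A +
01-Feb-2009 13:34:28.101 queries: info: client 192.168.102.95#53723: view internal: query: example.com IN MX +
01-Feb-2009 13:34:29.000 queries: info: client 203.0.113.7#40986: view external: query: example.com IN NS -
01-Feb-2009 13:34:30.500 queries: info: client 203.0.113.7#40987: view external: query: example.com IN A -
01-Feb-2009 13:34:31.250 queries: info: client 198.51.100.9#53157: view external: query: . IN NS +
01-Feb-2009 13:34:32.250 queries: info: client 198.51.100.9#53158: view external: query: . IN NS +'

# query_report: print "view qtype count" lines, sorted; root NS queries are
# excluded here because root_ns_clients reports them on their own.
query_report() {
    awk '
        /: query: / {
            view = ""; qname = ""; qtype = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "view")   { view = $(i + 1); sub(/:$/, "", view) }
                if ($i == "query:") { qname = $(i + 1); qtype = $(i + 3) }
            }
            if (qname == "." && qtype == "NS") next
            count[view " " qtype]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# root_ns_clients: print "client-address count" for ". IN NS" queries, the
# traffic the thread above ends up dropping at the firewall.
root_ns_clients() {
    awk '
        /: query: \. IN NS / {
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i + 1), c, "#"); seen[c[1]]++ }
        }
        END { for (a in seen) print a, seen[a] }
    ' | LC_ALL=C sort
}

echo "Queries by view and type:"
printf '%s\n' "$SAMPLE_LOG" | query_report
echo "Root NS (reflection) query sources:"
printf '%s\n' "$SAMPLE_LOG" | root_ns_clients
```

Point the two functions at the real channel file (`query_report < /var/log/dnsqueries`) from the daily cron job described above.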
Re: contacting a external nameserver
On Tue, 27 Jan 2009, Luis Silva wrote:
> Hi all,
> I'm having a question related to querying external servers that I hope you could answer for me. I'm sending an iterative query to an external server and the server is sending a referral answer but only with the authoritative name servers. After that, I send an A query asking for the nameservers' IP addresses. Is this A query supposed to be a recursive query or must it be an iterative one? Is there a standard that talks about this?
> thanks in advance.
> Kind regards,
> Luis

My external NS is one that does so by virtue of these named.conf entries:

    view external {   // Primary nameserver for maplepark.com.
        match-clients { any; };
        recursion no;
        additional-from-cache no;   // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
        zone "maplepark.com" {
            type master;
            notify yes;
            allow-transfer { slave-name-servers; };
            file "/var/named/drf/external/maplepark.com.external.";
        };

I do this because it then replies with a 28 byte message with only my authoritative information (nothing) and does not then contribute to a DDoS in an amplified reply to a request for the root servers ( . NS). If I could, I would have it just not respond and let the attacker time out. But that is not an option. At least I haven't found a way to do that. A side effect of this config is that I don't send glue to legitimate queries for my NS (just my authoritative information) but my secondaries are easily found from the root servers. And if my NS is off-line, the secondaries will be queried anyway. No information is returned for upward referrals.

Dave Forrest
max open files vs max sockets
On startup of named 9.6.0 I get the following message:

    Jan 17 11:55:20 maplepark named[13014]: max open files (1024) is smaller than max sockets (4096)

Is this a problem for a small internal network dns server?

Dave
-- 
David Forrest
e-mail d...@maplepark.com
St. Louis, Missouri
Conflicting glue records?
Milo Hyson wrote:

> In our particular case, we have stale glue records for our name-servers that appear to be coming from a domain we host that is owned by someone else. Despite our best efforts, we have not been able to reach the owners and thus have not been able to get the host records changed at the registrar. The net result is that any domains listing those server names fail to resolve as the old IPs are no longer in service.
>
> This raises a scary question. If this is really an undefined situation, could it be used as an attack vector? Although our particular situation involves no component of fraud, what is to stop someone from registering a domain and listing our server name with a bogus IP?
>
> Milo Hyson
> Chief Scientist
> CyberLife Labs

---

Nothing. But why would it matter? And why would they ask someone other than the TLDs for your NS? I don't really think this is a problem as it only comes into play if they query the registered domain. If one is hosting a domain owned by someone else they should be able to contact the domain holder. If they cannot contact them, they can just stop hosting them and queries will not then bother them.

I have several secondary nameservers out there and I have registered them with my registrar. Checking for my nameservers at the TLD servers gives this response:

    [r...@maplepark ~]# dig +norecurse @A.GTLD-SERVERS.NET maplepark.com ns

    ; <<>> DiG 9.6.0 <<>> +norecurse @A.GTLD-SERVERS.NET maplepark.com ns
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62282
    ;; flags: qr; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5

    ;; QUESTION SECTION:
    ;maplepark.com.                 IN      NS

    ;; ANSWER SECTION:
    maplepark.com.          172800  IN      NS      maplepark.com.
    maplepark.com.          172800  IN      NS      ns5.dnsmadeeasy.com.
    maplepark.com.          172800  IN      NS      ns6.dnsmadeeasy.com.
    maplepark.com.          172800  IN      NS      ns6.gandi.net.
    maplepark.com.          172800  IN      NS      ns7.dnsmadeeasy.com.

    ;; ADDITIONAL SECTION:
    maplepark.com.          172800  IN      A       64.216.205.121
    ns5.dnsmadeeasy.com.    172800  IN      A       63.219.151.12
    ns6.dnsmadeeasy.com.    172800  IN      A       64.246.42.203
    ns6.gandi.net.          172800  IN      A       217.70.177.40
    ns7.dnsmadeeasy.com.    172800  IN      A       205.234.170.139

    ;; Query time: 91 msec
    ;; SERVER: 192.5.6.30#53(192.5.6.30)
    ;; WHEN: Thu Jan  8 09:05:47 2009
    ;; MSG SIZE  rcvd: 218

As can be seen (or digged|dug), the glue has me (maplepark.com), three other .com(s), and a .net, all as it should be (and as I wanted it and registered it). Not allowing this setup would cripple lookups using my secondaries (all slaves).

OTOH, if you were to add my nameservers to YOUR TLD (through your registrar), anyone querying your nameservers for anything could be directed to my nameserver and then find answers only as long as my nameservers were active. If I, as an active homebuilder, should fall prey to the ridiculous broken market I am dealing with and go out of business, those querying YOUR nameservers could get stupid answers. But if they query the TLD for me they would also get stupid answers until my registration expires. But I wouldn't care too much. Protect yourself by maintaining YOUR TLD through your registrar and don't add me to your list of NS.

My short answer is: Don't host domains that aren't maintained, and rely on the DNS to normally resolve those who do maintain their domains. imho, the system ain't broke; so don't fix it. I'm dead sure someone will tell me if I'm wrong, and maybe even if I'm not.

-- 
David Forrest
e-mail drf @ maplepark.com
Maple Park Development Corporation
http://www.maplepark.com
St. Louis, Missouri
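An added check, not part of the post: parse a referral like the dig output above and compare the glue the gTLD servers hand out against the addresses you know you registered, so stale glue of the kind Milo describes shows up before resolution starts failing. The records are a copy of the output quoted above; the expected-address map and the 192.0.2.10 mismatch are constructed.

```python
import re

# Copy of the ANSWER and ADDITIONAL sections from the dig output quoted above,
# kept inline so the check runs offline.
DIG_OUTPUT = """\
;; ANSWER SECTION:
maplepark.com.          172800  IN      NS      maplepark.com.
maplepark.com.          172800  IN      NS      ns5.dnsmadeeasy.com.
maplepark.com.          172800  IN      NS      ns6.dnsmadeeasy.com.
maplepark.com.          172800  IN      NS      ns6.gandi.net.
maplepark.com.          172800  IN      NS      ns7.dnsmadeeasy.com.

;; ADDITIONAL SECTION:
maplepark.com.          172800  IN      A       64.216.205.121
ns5.dnsmadeeasy.com.    172800  IN      A       63.219.151.12
ns6.dnsmadeeasy.com.    172800  IN      A       64.246.42.203
ns6.gandi.net.          172800  IN      A       217.70.177.40
ns7.dnsmadeeasy.com.    172800  IN      A       205.234.170.139
"""

RR_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<type>NS|A|AAAA)\s+(?P<rdata>\S+)$")

def parse_sections(text):
    # Collect NS names from the ANSWER section and A/AAAA glue from ADDITIONAL.
    section, ns, glue = None, set(), {}
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-9]
            continue
        m = RR_RE.match(line)
        if m and section == "ANSWER" and m["type"] == "NS":
            ns.add(m["rdata"].lower())
        elif m and section == "ADDITIONAL" and m["type"] in ("A", "AAAA"):
            glue.setdefault(m["owner"].lower(), set()).add(m["rdata"])
    return ns, glue

def check_glue(text, expected):
    # expected: NS name -> set of addresses the operator knows to be current.
    ns, glue = parse_sections(text)
    report = {}
    for name in sorted(ns):
        got = glue.get(name, set())
        if not got:
            report[name] = "no glue in referral (resolvers must look the name up)"
        elif name in expected and got != expected[name]:
            report[name] = "stale glue %s, registered %s" % (sorted(got), sorted(expected[name]))
        else:
            report[name] = "ok"
    return report
```

Feeding it the output of `dig +norecurse @A.GTLD-SERVERS.NET <zone> ns` from cron and alerting on anything but "ok" catches a registrar-side host record drifting away from what the server actually answers.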