Re: ISC DHCP does not work with BIND 9.10
At Thu, 19 Feb 2015 19:20:29 +0100, Jiri Popelka jpope...@redhat.com wrote:

But it's still not possible to stop them, one has to use 'kill -9'. Any ideas ?

Hmm, that's beyond my experiments. (Do you mean you cannot terminate them by SIGTERM?) Hopefully someone else has a clue.

--
JINMEI, Tatuya
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: historical issues with query performance during AXFR
At Thu, 25 Apr 2013 13:42:00 -0500, C. B. cbroo...@gmail.com wrote:

I was wondering if there were any well known (or otherwise) historical issues with query performance by an authoritative BIND server answering queries for records in a zone it was in the middle of performing an AXFR/IXFR on? Particularly in the 9.5.x code branch?

This may be related to this topic

2878. [func] Incrementally write the master file after performing a AXFR. [RT #21010]

but it depends on what specifically you mean "AXFR/IXFR on" and "in the middle". From the above description of yours I guess that's probably irrelevant of your background situation.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Configure error - BIND10, 1.0.0 on Mac OS X 10.8.2
At Sat, 23 Feb 2013 09:30:55 +1100, James Brown jlbr...@bordo.com.au wrote:

Received an error running configure on Mountain Lion:

./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
[...]
checking for C++ compiler default output file name...
configure: error: in `/Users/jlbrown/Downloads/bind10-1.0.0':
configure: error: C++ compiler cannot create executables
See `config.log' for more details.

Have installed the latest version of Xcode.

Looks like you don't even have C/C++ compilers. Have you installed Command Line Tools via Xcode? You may also want to check this: http://bind10.isc.org/wiki/SystemNotesMacOSXMountainLion

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Recommended value for max-cache-size for cache-only shared hosts..
At Mon, 04 Jun 2012 12:53:31 -0700, Doug Barton do...@dougbarton.us wrote:

If your cache is too small the CPU will peg when the cleaning-interval goes. Maybe that's changed but the behavior still exists in the 9.7 branch. Setting your cache size really depends on your query load. On a resolver doing 15,000/qps having a cache of 256M will cause a problem during the cleaning-interval whereas if it's 2G you won't notice the interval at all. Also on a busy resolver expect BIND to use about twice as much as where you set your limits.

Hmm, looking into the code again, I realized my memory was slightly incorrect: "cleaning interval has been effectively no-op since BIND 9.5" should have been "cleaning interval has been effectively meaningless and therefore disabled by default since BIND 9.5, and if you explicitly enable it by setting cleaning-interval to a non 0 value, it will still do meaningless but expensive operations." So, in conclusion, my main point should still stand: Tweaking it (cleaning-interval) won't improve performance. And, it could actually do harm.

Thanks, I learned something today! But that sort of prompts the question in my mind, why does the option still exist?

Good question, I wonder the same thing:-) I don't remember the original plan, but I guess it was actually planned to be deprecated but it has just been forgotten or left as a lower priority thing since then.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Recommended value for max-cache-size for cache-only shared hosts..
At Fri, 1 Jun 2012 21:14:06 +, Dan Mason danma...@qwest.net wrote:

cleaning interval has been effectively no-op since BIND 9.5. Tweaking it won't improve performance, although it shouldn't cause a bad effect either.

If your cache is too small the CPU will peg when the cleaning-interval goes. Maybe that's changed but the behavior still exists in the 9.7 branch. Setting your cache size really depends on your query load. On a resolver doing 15,000/qps having a cache of 256M will cause a problem during the cleaning-interval whereas if it's 2G you won't notice the interval at all. Also on a busy resolver expect BIND to use about twice as much as where you set your limits.

Hmm, looking into the code again, I realized my memory was slightly incorrect: "cleaning interval has been effectively no-op since BIND 9.5" should have been "cleaning interval has been effectively meaningless and therefore disabled by default since BIND 9.5, and if you explicitly enable it by setting cleaning-interval to a non 0 value, it will still do meaningless but expensive operations." So, in conclusion, my main point should still stand: Tweaking it (cleaning-interval) won't improve performance. And, it could actually do harm.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Recommended value for max-cache-size for cache-only shared hosts..
At Fri, 01 Jun 2012 03:27:22 -0700, Doug Barton do...@dougbarton.us wrote:

One thing that can help is to set the cleaning interval more aggressively, but that can also cause performance problems for your clients if you are CPU bound, so use that option with care, and monitor the results after a change.

cleaning interval has been effectively no-op since BIND 9.5. Tweaking it won't improve performance, although it shouldn't cause a bad effect either.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: View-specific logging
At Mon, 02 Jan 2012 09:42:29 +, Florian Weimer fwei...@bfk.de wrote:

I would like to switch on query logging for specific views only. Is this possible using BIND 9.7 (or any other BIND version, for that matter)?

As far as I know it's not possible with any version of BIND 9 (and not only for query logging but also for logging in general).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Experience with DDNS (RFC 2136)
At 11 Oct 2011 13:57:38 +0100, Chris Thompson c...@cam.ac.uk wrote:

Maybe an off topic in this thread, but out of curiosity, is there any specific reason you don't use the database as the direct source of the zone with BIND 9's dlz or PowerDNS? In general it will be slower, and

I can't speak for Chris but here, we rejected DLZ and similar because:

1. DNSSEC
2. Speed
3. Impedance mismatch between database schema and DNS
4. Perceived second-class status of DLZ
5. Loss of various things that are automatic if using zones (IXFR)
6. Too-tight coupling between the SQL DB and DNS

[...]

I have kept an eye on DLZ developments over the years, and thought quite seriously about using it for the re-implementation of the hidden master for our managed zone service (for vanity domains, although that's not how we describe them to the punters), but even there it didn't work out, primarily for Phil's reasons #5 and #6.

I see, thanks. I think #6 is the most critical reason - other things can be solved via development/release engineering improvements, but this one seems to be about the system design policy, which wouldn't (easily) be changed due to a feature set or the quality of implementation. Since there appears to be a class of operators who prefer the coupling of DNS server and the database (from the fact that there are a non negligible number of users of DLZ and PowerDNS (+ database backend)), this is probably a matter of operational philosophy.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Experience with DDNS (RFC 2136)
At 06 Oct 2011 20:26:48 +0100, Chris Thompson c...@cam.ac.uk wrote:

Are you willing to share the stories of your DDNS deployments, maybe including approximate number of zones, records, update frequencies, etc.?

We converted all our regular DNS updating operations to use dynamic updates in May 2005, for those zones for which we[*] are master. That's currently 58 zones (many of them small, the largest is cam.ac.uk with c. 5 non-DNSSEC RRs) but would have been a few more then before our reverse zone consolidation exercise. We have never regretted this. We did have some Windows 2000 DNS Server stealth slaves that had to be given provide-ixfr no settings because they ed up applying incremental transfers, but they've all gone now (thank $DEITY). We already had most of the input to our DNS zone content generated from an external database (even more so now), but I don't think that was critical. Deciding to write a "compare two zone files and generate nsupdate input to convert one to the other" Perl script was.

Maybe an off topic in this thread, but out of curiosity, is there any specific reason you don't use the database as the direct source of the zone with BIND 9's dlz or PowerDNS? In general it will be slower, and DNSSEC signing might be an issue in that setup, but on the other hand updates will be reflected immediately, (at least in theory) no need for worrying about consistency, no need for additional script or DDNS setups, and (although this may not be an issue with 58 zones w/ max 50K RRs/zone) no need for waiting on reload.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
some questions about BIND 9's xfrin.c code...
I've been looking at BIND 9's IXFR(-in) implementation and encountered a few questions. I was not sure if these should be considered a bug, so I'm asking these here before actually filing a bug report. The source file in question is lib/dns/xfrin.c.

1. In xfrin_recv_done(), if an RR is found in the state of XFRST_IXFR_END, it will be treated as an error of DNS_R_EXTRADATA and xfrin will fail. But all diffs have been committed to the DB by then (and will be visible to clients if the server is multi threaded, even if the intermediate changes may become invisible once the error is detected). Is that intentional and okay?

2. Likewise, if an IXFR response consists of multiple difference sequences (i.e. multiple SOA changes), each change sequence is committed to the DB at the end of the sequence (and will be visible to clients). If an error is detected in a later difference sequence, the xfrin process is aborted at that point, but some part of the changes have already been visible to clients. Is that intentional and okay?

I guess both these questions are related to this part of RFC1995:

   An IXFR client, should only replace an older version with a newer version after all the differences have been successfully processed. (section 4)

It's not clear to me whether "all the differences" mean all the differences of all the sequences or all differences of each sequence. If it's the former, the BIND 9's behavior seems to break this specification; if it's the latter, it performs exactly what's specified.

3. When adding an RR in IXFR, an NS record with a wildcard owner name is rejected:

    case XFRST_IXFR_ADD:
        ...
        if (rdata->type == dns_rdatatype_ns &&
            dns_name_iswildcard(name))
            FAIL(DNS_R_INVALIDNS);

This is probably a good practice, but when does it specifically check this case, and this case only? For example, rbtdb.c:loading_addrdataset() also rejects wildcard NSEC3 or non-origin SOA. Why shouldn't xfrin also reject them?

I guess we could either be very strict or generally accept what the primary gives, but the current behavior seems to be incomplete.

---
JINMEI, Tatuya
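The two readings of the RFC 1995 sentence raised in questions 1 and 2 above, as an added example that is not part of the original post and is not BIND's code: a simplified Python model in which a zone is a serial plus a set of RR tuples, comparing a commit after each difference sequence with a single commit after all sequences. The class and function names, the sample zone and the malformed third sequence are constructed for illustration.

```python
"""Simplified model of applying IXFR difference sequences (RFC 1995) to a zone."""
from dataclasses import dataclass, field


class TransferError(Exception):
    """A difference sequence could not be applied to the current zone state."""


@dataclass(frozen=True)
class DiffSequence:
    from_serial: int      # serial of the SOA that opens the sequence
    to_serial: int        # serial of the SOA that closes the sequence
    deletes: frozenset    # RRs removed by this sequence
    adds: frozenset       # RRs added by this sequence


@dataclass
class Zone:
    serial: int
    rrs: frozenset
    published: list = field(default_factory=list)  # serials clients could observe

    def commit(self, serial, rrs):
        """Make a new version visible to clients."""
        self.serial = serial
        self.rrs = frozenset(rrs)
        self.published.append(serial)


def apply_sequence(serial, rrs, seq):
    """Return (serial, rrs) after one sequence, or raise TransferError."""
    if seq.from_serial != serial:
        raise TransferError(
            f"sequence starts at serial {seq.from_serial}, zone is at {serial}")
    missing = seq.deletes - rrs
    if missing:
        raise TransferError(f"delete of RR not in zone: {sorted(missing)[0]}")
    return seq.to_serial, (rrs - seq.deletes) | seq.adds


def apply_ixfr(zone, sequences, commit):
    """Apply all sequences; 'commit' selects when versions become visible.

    "per-sequence":   commit at the end of every difference sequence
    "all-or-nothing": work on a private copy, commit once after the last one
    Returns (ok, reason).
    """
    if commit not in ("per-sequence", "all-or-nothing"):
        raise ValueError(f"unknown commit policy: {commit}")
    serial, rrs = zone.serial, zone.rrs
    try:
        for seq in sequences:
            serial, rrs = apply_sequence(serial, rrs, seq)
            if commit == "per-sequence":
                zone.commit(serial, rrs)
    except TransferError as exc:
        # Nothing is rolled back here: whatever was committed stays visible.
        return False, str(exc)
    if commit == "all-or-nothing":
        zone.commit(serial, rrs)
    return True, ""


def rr(name, rtype, rdata):
    return (name, rtype, rdata)


# Constructed sample data: a zone at serial 1 and a three-sequence IXFR
# whose last sequence deletes an RR that is not in the zone.
BASE = frozenset({
    rr("www.example.com.", "A", "192.0.2.1"),
    rr("mail.example.com.", "A", "192.0.2.25"),
})
SEQUENCES = [
    DiffSequence(1, 2,
                 frozenset({rr("www.example.com.", "A", "192.0.2.1")}),
                 frozenset({rr("www.example.com.", "A", "192.0.2.2")})),
    DiffSequence(2, 3,
                 frozenset(),
                 frozenset({rr("ftp.example.com.", "A", "192.0.2.21")})),
    DiffSequence(3, 4,
                 frozenset({rr("gone.example.com.", "A", "192.0.2.99")}),
                 frozenset()),
]


def run(commit):
    """Apply SEQUENCES to a fresh copy of the sample zone."""
    zone = Zone(serial=1, rrs=BASE)
    ok, reason = apply_ixfr(zone, SEQUENCES, commit)
    return ok, zone.serial, zone.published, reason


if __name__ == "__main__":
    for policy in ("per-sequence", "all-or-nothing"):
        ok, serial, published, reason = run(policy)
        print(f"{policy}: ok={ok} final_serial={serial} "
              f"published={published} reason={reason!r}")
```

With the per-sequence policy the failed transfer leaves serials 2 and 3 published, while the all-or-nothing policy leaves the zone at serial 1.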
Re: Stats ouput 9.3 vs 9.7
At Wed, 7 Sep 2011 10:13:28 -0500, Baird, Josh jba...@follett.com wrote:

Just upgraded some authoritative boxes to RHEL6, thus upgrading to BIND 9.7.3. On RHEL5 (BIND 9.3.x), I had scripts that parsed the output of the named.stats file, and piped them through net-snmpd so my NMS could monitor query statistics. On 9.3.x, the named.stats looked like:

[...]

Is there a way to revert back to the old stats format?

Unfortunately not (at least not by tweaking named.conf or via build time options). It's a backward incompatible change (introduced in BIND 9.5, btw).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: BIND 9.8.0b1 Released Today
At Sat, 22 Jan 2011 20:38:46 +0100, Florian Weimer f...@deneb.enyo.de wrote:

Does this work with DNSSEC if one loads an explicit trust anchor, even if in the world view the trust anchor is missing?

I'm afraid I don't understand the question. Could you be more specific, e.g., by using the above example.com example?

I think Paul is wondering if it works with the DENIC testbed. 8-) The forward hack does not work reliable for DNSSEC islands, IIRC.

(I still don't understand what exactly "it works with the DENIC testbed" means in the context of the original question of Paul, but) If so, I believe the answer is yes. static-stub was developed specifically for that purpose (although the feature itself is generic and would be useful for other purposes) :-)

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: BIND 9.8.0b1 Released Today
At Fri, 21 Jan 2011 14:00:19 -0500 (EST), Paul Wouters p...@xelerance.com wrote:

* BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474]

Does this work with DNSSEC if one loads an explicit trust anchor, even if in the world view the trust anchor is missing?

I'm afraid I don't understand the question. Could you be more specific, e.g., by using the above example.com example?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: maximum number of FD events (64) received
At Mon, 27 Sep 2010 13:27:01 +0400, Samer Khattab skhat...@gmail.com wrote:

I'm using Bind as a caching name server and serving around 2000 req per second, and recently have the following messages showing up from time to time in the general.log.

27-Sep-2010 10:45:47.639 sockmgr 0x2ad7af2f5010: maximum number of FD events (64) received
27-Sep-2010 10:45:47.872 sockmgr 0x2ad7af2f5010: maximum number of FD events (64) received

BIND BIND 9.7.1-P2 RHEL 5.5 kernel 2.6.18-194.11.3.el5

What is the meaning of these messages ? Are they related to the system file descriptors ?

These logs are not (directly) related to file descriptors. They mean epoll returned more socket events than the implementation normally expects (which is 64). This is not necessarily an error because the remaining events will be returned with the next call to epoll_wait(). However, the event loop should generally run pretty quickly, so it's still an unexpected situation.

You may want to check overall stability of the server, e.g., in terms of the ratio of server failures (SERVFAIL) that your server returns to the clients, cache memory footprint, cache hit ratio, number of query drops (if any), etc. If these are okay and you only see the log messages occasionally, you can probably ignore them.

Otherwise, if you use multiple threads on a multi-core machine and you set max-cache-size to some finite value, you may be hit by a recently found bug in the cache memory management, which can make a caching server very busy. (but it's a wild guess: I've personally never seen this bug trigger the log message in question). This bug will be fixed in 9.7.2.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: list zones
At Tue, 3 Aug 2010 12:39:05 +0300, Mihamina Rakotomandimby miham...@gulfsat.mg wrote:

Manao ahoana, Hello, Bonjour,

Without grepping the configuration files from the system shell, is it possible to list all the master zones on a running bind9? What tool with?

If you enable zone-statistics you can see a list of zones for which the server has authority by rndc stats. Or, if you enable XML-based statistics (available >= 9.5) you can see the same list in it (whether or not you enable zone-statistics).

In either case, however, the list is a mixture of primary (master) and secondary (slave) servers. So, if you specifically want to see a list of masters (but not slaves), these may not be an option (depending on your configuration).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind hang out when named reach to 5-600 Mb
At Tue, 20 Jul 2010 01:18:54 -0700 (PDT), khanh rua duonghoahoc_k4...@yahoo.com wrote:

I mean hang is bind still running but it cannot response query from user.

I suspect it still responds to queries that don't require recursion, e.g. version.bind txt ch. Is that correct?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind hang out when named reach to 5-600 Mb
At Thu, 8 Jul 2010 02:30:25 -0700 (PDT), khanh rua duonghoahoc_k4...@yahoo.com wrote:

I install bind as a cache server on Solaris 10, Sun Sparc T5140. It has problem, bind always hang out when named reach to 5-600 Mb ('prstat' check). I have several servers and all have this problem even when i install bind in zone or try with a 64bit version. T5140's a powerful server but bind can't make use of its power. I'm newb with bind and so i have just try some other way but useless. What should i do to track this problem ?

As others asked, please clarify a bit more what "hang" means. I'd be particularly interested in

- whether it responds to rndc (e.g. rndc status)
- whether it responds to queries for built-in data, such as version.bind/TXT/CH (try 'dig @server_address version.bind txt ch' from the local host).
- if you enable XML based statistics, whether it responds to statistics request over http. If it does, showing the xml statistics while the problem is happening would be useful.

Please also make sure your kernel doesn't have this problem: http://bugs.opensolaris.org/view_bug.do?bug_id=6724237

If you are not sure, and if the query load is not so heavy, (e.g. up to 2000qps or so), you may also want to try rebuilding named with --disable-devpoll

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind 9.7.0-P2 Bus Error - Solaris 9
At Mon, 14 Jun 2010 09:06:50 -0500 (CDT), b19...@anl.gov wrote:

Do I need to file an official bug report?

Yes, please.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind 9.7.0-P2 Bus Error - Solaris 9
At Mon, 14 Jun 2010 09:06:50 -0500 (CDT), b19...@anl.gov wrote: This morning on a Solaris 9 system, I issued these comands: I believe I found the cause of the bug. Please try the patch copied below. --- JINMEI, Tatuya Internet Systems Consortium, Inc. Index: dighost.c === RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v retrieving revision 1.330 diff -u -r1.330 dighost.c --- dighost.c 18 May 2010 02:38:10 - 1.330 +++ dighost.c 15 Jun 2010 00:49:24 - @@ -2401,6 +2401,15 @@ isc_result_totext(ISC_R_NOMEMORY)); } isc_task_send(global_task, event); + + /* +* The timer may have expired if, for example, get_address() takes +* long time and the timer was running on a different thread. +* We need to cancel the possible timeout event not to confuse +* ourselves due to the duplicate events. +*/ + if (l-timer != NULL) + isc_timer_detach(l-timer); } @@ -2424,7 +2433,7 @@ query-waiting_connect = ISC_TRUE; query-lookup-current_query = query; result = get_address(query-servname, port, query-sockaddr); - if (result == ISC_R_NOTFOUND) { + if (result != ISC_R_SUCCESS) { /* * This servname doesn't have an address. Try the next server * by triggering an immediate 'timeout' (we lie, but the effect @@ -2506,7 +2515,7 @@ /* XXX Check the sense of this, need assertion? */ query-waiting_connect = ISC_FALSE; result = get_address(query-servname, port, query-sockaddr); - if (result == ISC_R_NOTFOUND) { + if (result != ISC_R_SUCCESS) { /* This servname doesn't have an address. */ force_timeout(l, query); return; ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
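Review bot: in the first hunk (the lines added after isc_task_send(global_task, event)), the new comment says the possible timeout event must be cancelled, but the code only detaches l's timer, and it does so after the event has already been sent. The comment should state why detaching at this point is enough to suppress a timeout event the timer thread may already have posted, or the detach should move ahead of isc_task_send() so the two events cannot both be queued.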
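Review bot: in the two get_address() hunks, the condition now sends every non-success result down the forced-timeout path, yet the comments that follow still read "This servname doesn't have an address". Since result != ISC_R_SUCCESS also covers failures other than a missing address, the comments should be reworded, and the actual result is worth reporting (isc_result_totext(result) is already used elsewhere in this file) before forcing the timeout, so that a lookup failure is not presented to the user as a plain timeout.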
Re: odd behaviour on caching ns with views
At Tue, 8 Jun 2010 11:03:55 +0200, Torsten t...@the-damian.de wrote:

Everything works perfectly okay except queries for 1.0.0.127.in-addr.arpa and 0.0.0.0.in-addr.arpa. These are refused by the caching server (denied entries in default log). Asking those queries on an identical server without views returns the usual NXDOMAIN answer. Is there something special about 0.in-addr.arpa and 127.in-addr.arpa in views I haven't seen yet?

That sounds like something related to builtin empty zones. But I have no idea how the existence/non-existence of views affects the behavior. That may be due to your separate configuration file:

include /named/default/private_netblocks.conf;

and showing the content of this file may help.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: disable dnssec in bind resolver
At Fri, 4 Jun 2010 16:50:26 +0200, Jan Buchholz 96de...@googlemail.com wrote:

how i can disable dnssec in the bind resolver ? My firewall don't let packets with D0 flag through. I've tried 'dnssec-enable no;' , but this don't fix the problem.

I believe that only disables *serving* DNSSEC records. I think you want 'dnssec-validation no;'

sorry, 'dnssec-validation no;' is already configured, because that's the default.

The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). So, your only choice is to completely disable EDNS:

server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };

As others said, however, I'd rather say the fix is to upgrade/replace the broken firewall. Please consider it only for a short term workaround and seriously consider fixing the real problem.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: rndc flush(more-than-one)name
At Thu, 3 Jun 2010 15:21:08 +0200, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

rndc flushnamespace / rndc flushname -recurse would have to walk the tree and remove each entry. This can be time consuming.

is this planned feature or does it already work somewhere?

This is a planned (or wished) feature. Not available right now.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: clarification on AXFR
At Thu, 3 Jun 2010 11:39:30 +0530, rams brames...@gmail.com wrote:

During AXFR of a zone, the zone.dbfile is not created till the AXFR completes. Till AXFR completes, the file name will be some value as 456eefwfc. Is it correct behavior?

Yes, that's the intended behavior.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Understanding Total QPS from named stats
At Thu, 20 May 2010 19:37:34 -0700 (PDT), ivan jr sy ivan...@yahoo.com wrote:

But is there a best practice in calculating it from the named stats? Can the dynamic updates, notify and such be considered as queries?

In named.stats you copied, no:

5818360608 IPv4 requests received

"requests" mean all incoming messages from client, including dynamic update requests and notifies.

4692675534 queries resulted in successful answer

"queries" are a subset of "requests" only for messages with opcode = query. These are probably what you want to look at in this context.

If all you need is to just count the number of incoming queries, you can see it in the Incoming Requests section of the stats:

++ Incoming Requests ++
54708 QUERY
1592 UPDATE

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
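One way to turn the counters discussed in the reply above into a per-second rate, as an added example that is not part of the original message: a Python parser that reads two dumps from named.stats and computes per-opcode rates from the "Incoming Requests" section, next to the broader "requests received" counter. The dump framing lines (`+++ Statistics Dump +++ (timestamp)`), the second snapshot and its values are assumptions constructed for illustration; only the QUERY/UPDATE figures of the first snapshot come from the message.

```python
"""Compute request rates from two successive dumps in a named.stats file."""
import re

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Constructed sample: two dumps taken 60 seconds apart (layout assumed).
SAMPLE = """\
+++ Statistics Dump +++ (1274400000)
++ Incoming Requests ++
               54708 QUERY
                1592 UPDATE
++ Name Server Statistics ++
               56300 IPv4 requests received
               50100 queries resulted in successful answer
--- Statistics Dump --- (1274400000)
+++ Statistics Dump +++ (1274400060)
++ Incoming Requests ++
               60708 QUERY
                1598 UPDATE
++ Name Server Statistics ++
               62306 IPv4 requests received
               55600 queries resulted in successful answer
--- Statistics Dump --- (1274400060)
"""


def parse_dumps(text):
    """Return a list of {"time": int, "sections": {section: {counter: value}}}.

    Lines that are neither a section header nor "<number> <label>" (for
    example per-view markers) are ignored, so only sections that are not
    split per view, such as "Incoming Requests", should be read from this.
    """
    dumps, current, section = [], None, None
    for line in text.splitlines():
        start = DUMP_START.match(line)
        if start:
            current = {"time": int(start.group(1)), "sections": {}}
            dumps.append(current)
            section = None
            continue
        if current is None:
            continue
        if line.startswith("--- Statistics Dump ---"):
            current, section = None, None
            continue
        header = SECTION.match(line)
        if header:
            section = current["sections"].setdefault(header.group(1), {})
            continue
        counter = COUNTER.match(line)
        if counter and section is not None:
            section[counter.group(2)] = int(counter.group(1))
    return dumps


def rates(older, newer, section):
    """Per-second rate of every counter in 'section' between two dumps."""
    elapsed = newer["time"] - older["time"]
    if elapsed <= 0:
        raise ValueError("dumps are not in chronological order")
    old = older["sections"].get(section, {})
    new = newer["sections"].get(section, {})
    result = {}
    for name, value in new.items():
        delta = value - old.get(name, 0)
        if delta < 0:
            # Counters are cumulative; a drop means they were reset.
            raise ValueError(f"counter {name!r} went backwards between dumps")
        result[name] = delta / elapsed
    return result


def query_rate_summary(text):
    """QPS by opcode plus the all-requests rate from the last two dumps."""
    dumps = parse_dumps(text)
    if len(dumps) < 2:
        raise ValueError("need at least two dumps to compute a rate")
    older, newer = dumps[-2], dumps[-1]
    by_opcode = rates(older, newer, "Incoming Requests")
    server = rates(older, newer, "Name Server Statistics")
    return {
        "query_qps": by_opcode.get("QUERY", 0.0),
        "update_per_sec": by_opcode.get("UPDATE", 0.0),
        "all_requests_per_sec": server.get("IPv4 requests received", 0.0),
    }


if __name__ == "__main__":
    for key, value in query_rate_summary(SAMPLE).items():
        print(f"{key}: {value:.2f}")
```

In the constructed sample the all-requests rate is higher than the QUERY rate by exactly the UPDATE rate, which is the distinction between "requests" and "queries" made in the reply.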
Re: Explanation of a resolver.c error message
At Tue, 18 May 2010 12:07:12 -0600, Keith Christian keith1christ...@gmail.com wrote:

Could anyone offer an explanation for what condition(s) trigger this error in older, out of date versions of BIND, specifically, BIND 9.5.1b1 ?

resolver.c:5617: REQUIREquery) != ((void *)0)) (((const isc__magic_t *)(query))-magic == ((('Q') 24 | ('!') 16 | ('!') 8 | ('!')) failed

Is this related to a type of query, or some other event?

I suspect it's a known bug:

2408. [bug] A duplicate TCP dispatch event could be sent, which could then trigger an assertion failure in resquery_response(). [RT #18275]

which has been fixed in recent versions of 9.5.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: KAMINSKY vulnerability !!
At Mon, 10 May 2010 10:05:47 -0400, P.A ra...@meganet.net wrote:

Today I came in and both my name server stopped answering queries. I restarted the servers a couple of times and they are now up. I have posted the primary/slave look below. My question is did I just get rid by the kaminsky vulnerability? if so how can I determined what host caused this if its possible. The last thing what version should I upgrade to?

[...]

May 10 08:37:11 ns1 named[4388]: resolver.c:5494: REQUIREquery) != ((void *)0)) (((const isc__magic_t *)(query))-magic == ((('Q') 24 | ('!') 16 | ('!') 8 | ('!')) failed

I suspect you hit an old bug:

2408. [bug] A duplicate TCP dispatch event could be sent, which could then trigger an assertion failure in resquery_response(). [RT #18275]

which was fixed in 9.4.3.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind 9.7.0-P1 socket: file descriptor exceeds limit / assertion failure
At Thu, 29 Apr 2010 14:53:44 -0700, Dale Kiefling dale.kiefl...@cbs.com wrote:

We have a Bind 9.7.0-P1 instance that is throwing the following errors:

21-Apr-2010 16:59:00.173 general: error: socket: file descriptor exceeds limit (1024/1024)

The fact that the FD limit is 1024 suggests your named uses select instead of epoll. As far as I know Linux kernel 2.6 should support epoll, so your named may have been built with --disable-epoll. What's the result of named -V?

$ uname -a
Linux ha1.example.com 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 athlon i386 GNU/Linux

For a busy recursive server that could consume more than 1024 open sockets, select won't work well anyway. Even if you increase the FD limit it's quite likely that the server hits other scalability issues. So, if your named was built --disable-epoll, I'd suggest you to rebuild it with enabling epoll (which should be enabled by default on your Linux system) and try again.

In any case, the assertion failure should be a bug, but right now I have no idea about how it happened.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Zone Statistics in Bind9.7.0
At Wed, 10 Mar 2010 14:45:48 +0100, Dangl, Thomas thomas.t.da...@siemens.com wrote:

in Bind 9.6.2 the zone statistics looked like that:

Now with Bind9.7.0 it only covers

<zone>
<name>4.3.2.1.e164.arpa/IN</name>
<rdataclass>IN</rdataclass>
<serial>8</serial>
</zone>

Is there some way to get the full scope of counters that came with the Bind9.6.2? I tried activating zone-statistics in each zone statement, but that didn't change anything.

I didn't see any difference in the code that can possibly affect this point between 9.6 and the head branch (which I believe is identical to 9.7.0 on this point). Are you sure you specify

zone-statistics yes;

in the options statement?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: BIND 9.6.1-P1 crashing
At Tue, 05 Jan 2010 08:24:16 +0100, Dario Miculinic dario.miculi...@t-com.hr wrote: I dont't have the same core dump, but this is from one that happend yesterday: Thanks, but unfortunately the detailed stack traces don't seem to provide a useful hint for the race. If you can help debug this further, could you apply the patch copied below, rebuild named and run it? It *may* catch the race condition at a closer point to the real cause. (note: this patch only does diagnose, so it will not fix the problem). Or, if you need any workaround that *may* work, you may want to rebuild named with disabling atomic operations. ./configure --disable-atomic [...other options] I'm not sure if this stops the problem, but I believe it's worth trying. --- JINMEI, Tatuya Internet Systems Consortium, Inc. Index: heap.c === RCS file: /proj/cvs/prod/bind9/lib/isc/heap.c,v retrieving revision 1.37 diff -u -r1.37 heap.c --- heap.c 19 Oct 2007 17:15:53 - 1.37 +++ heap.c 8 Jan 2010 08:01:19 - @@ -149,10 +149,12 @@ i 1 heap-compare(elt, heap-array[p]) ; i = p, p = heap_parent(i)) { heap-array[i] = heap-array[p]; + INSIST(heap-array[i] != NULL); if (heap-index != NULL) (heap-index)(heap-array[i], i); } heap-array[i] = elt; + INSIST(heap-array[i] != NULL); if (heap-index != NULL) (heap-index)(heap-array[i], i); @@ -173,11 +175,13 @@ if (heap-compare(elt, heap-array[j])) break; heap-array[i] = heap-array[j]; + INSIST(heap-array[i] != NULL); if (heap-index != NULL) (heap-index)(heap-array[i], i); i = j; } heap-array[i] = elt; + INSIST(heap-array[i] != NULL); if (heap-index != NULL) (heap-index)(heap-array[i], i); @@ -217,6 +221,7 @@ less = heap-compare(elt, heap-array[index]); heap-array[index] = elt; + INSIST(heap-array[index] != NULL); if (less) float_up(heap, index, heap-array[index]); else ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
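Review bot: in the last hunk (@@ -217), INSIST(heap->array[index] != NULL) sits after heap->array[index] = elt, so it only checks the caller's elt, while the previous occupant of the slot has already been handed to heap->compare() on the line above. To catch a corrupted slot closer to its cause, assert on heap->array[index] before the compare call. The same point applies to the INSISTs that follow heap->array[i] = elt in the first two hunks: they test elt rather than heap contents and could be a single check on elt at function entry, leaving the per-iteration INSISTs after heap->array[i] = heap->array[p] and heap->array[i] = heap->array[j] to do the real diagnosis.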
Re: [BUG] bind crash in statschannel.c
At Tue, 5 Jan 2010 10:00:34 +0100, Marinescu Paul dan pauldan.marine...@epfl.ch wrote:

bind (9.6.1-P2) dies when one tries to retrieve statistics via HTTP from the statistics-channel feature if an underlying call to libxml fails (returns a NULL pointer) at statschannel.c:720 - writer = xmlNewTextWriterDoc(doc, 0);

It's clearly wrong that we do assertion failure when a libxml routine fails (we've noticed that and have a patch, but it's not yet ready to be merged), but in reality libxml routines normally should not fail in a way we are using it. The only realistic cause is memory allocation failure within libxml, but if this happened named should have complained about memory shortage in other places, too. Did you see such warnings/errors in your log?

BTW, if we trust the information in the stack trace what happened doesn't make sense:

#3 0x0805b5ed in assertion_failed (file=0x81e5954 statschannel.c, line=721, type=isc_assertiontype_insist, cond=0x81e59d0 xmlrc >= 0) at ./main.c:161

Even though this indicates xmlrc >= 0 was false,

#4 0x08075e45 in generatexml (server=0xb7a2b018, buflen=0xbfd2be8c, buf=0xbfd2be90) at statschannel.c:721
boottime = 2009-12-16T19:01:48Z
nowstr = 2009-12-16T19:02:00Z
now = {seconds = 1260990120, nanoseconds = 623889000}
writer = (xmlTextWriterPtr) 0x0
doc = <value optimized out>
xmlrc = 0

xmlrc is actually 0. It's also odd that writer is NULL (it may be the reason for the error in xmlTextWriterStartDocument(), but it still doesn't explain why xmlrc is 0).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: File Descriptor limit and malfunction bind
At Tue, 05 Jan 2010 10:36:27 +0200, Imri Zvik im...@inter.net.il wrote:

i have a high load DNS server running bind 9.4.3 on RH - yesterday we experienced a problem with the bind (the bind froze) , and when looking at the logs i saw the following error :

named error: socket: file descriptor exceeds limit (4096/4096)

i looked at my OS file descriptor limit and using ulimit -n - 1024 . where the number 4096 come from?

It's the hard-coded default maximum number of file descriptor (which is nearly equal to the maximum allowable number of open sockets).

If I'm not mistaken, you should either recompile with a higher value for ISC_SOCKET_MAXSOCKETS or restart named with the -S maxsockets argument.

I'm afraid it's yes and no. Yes, you can raise the hard coded default value by the -S command line option. (I'm afraid) no, I suspect it won't solve the problem. From my past experiences, 4096 should be sufficient even for a very busy server. If it still consumes all available sockets, it's more likely to mean there's some unexpected serious error (bug) which can't be mitigated by raising that limit.

I've heard of similar reports (seemingly consuming all available sockets and named freezes), but unfortunately I couldn't reproduce it myself and since it seems to be quite rare I've not figured out the problem.

One possible workaround one may want to try is to *disable* epoll, the efficient version of I/O API for Linux:

./configure --disable-epoll

This means named will use the inefficient API of select, but depending on the machine power and the server load, it may provide acceptable performance and rather stabler behavior as select is (seemingly) stabler API.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: BIND 9.6.1-P1 crashing
At Wed, 30 Dec 2009 10:23:17 +0100, Dario Miculinic dario.miculi...@t-com.hr wrote:

I'm administrating 4 DNS servers running CentOS release 5.4 and Red Hat Enterprise Linux Server release 5.2. with BIND version 9.6.1-P1. On 3 of them BIND crashed 7 times in last 10 days. There's nothing in log files, but we have core dump file. I found this in the core dump:

#0 0x080db986 in ttl_sooner (v1=0x0, v2=0x3385b628) at rbtdb.c:752
752 ttl_sooner(void *v1, void *v2) {
(gdb) where
#0 0x080db986 in ttl_sooner (v1=0x0, v2=0x3385b628) at rbtdb.c:752

What's the result of the following gdb command?

(gdb) thread apply all bt full

We've seen crash like this one, but we've not figured out how this happens. This is pretty likely an inter-thread race, and it may be tricky. According to the v1/v2 values in your stack trace, a full backtrace with information of other threads may provide more useful hint.

If you need immediate workaround rather than chasing the bug, rebuilding named with --disable-atomic may help (we cannot be sure because we don't yet know how this bug happens in the first place). This will use locks in a more conservative way and may avoid the tricky race condition at the cost of lower performance (so if you want to try that you'll also need to watch the server load).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Feature request - disable internal recursion cache
At Mon, 02 Nov 2009 18:24:54 +0300, Dmitry Rybin kirg...@corbina.net wrote:

Kevin Darcy wrote:

Daemon as unbound, pdns-recursor - much faster in recursion queries, that bind. :(

So, you don't cache locally, you forward to another daemon that (in the best case) answers from *its* cache. How have you improved performance by changing nothing else and adding a network hop?

recursion possibilities of bind is very pity in compare with powerdns-recursor, unbound so on. It allocate a lot of memory and make high CPU usage.

I don't deny in some cases BIND9 caching server may require a lot of memory and may run slowly, but if you are still using a massive number of views as you've previously reported:
https://lists.isc.org/pipermail/bind-users/2008-December/074173.html
the excessive number of views can be a main reason for the performance problems, in which case comparison with other implementations that don't support views doesn't make much sense.

Anyway, if you want to forward incoming queries to a different server without caching the results, I believe setting max-cache-ttl (and perhaps max-ncache-ttl also) to 0 does pretty much of it. (max-cache-ttl = 0 has a bad effect, as noted in recent ARM, but if you only care about results from an external forwarder, it should be okay)

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: call for testers (Re: ISC BIND 9.7.0b1 is now available)
At Mon, 26 Oct 2009 11:42:53 -0400, Gerry Scott gscot...@gmail.com wrote:

OpenSolaris build 125 includes execinfo.h within the /usr/include directory. Also, backtrace() functionality has been included within the OS since build 63.
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6536146

Okay, that's good to know. Thanks,

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: call for testers (Re: ISC BIND 9.7.0b1 is now available)
At Thu, 22 Oct 2009 10:09:12 -0400, Gerry Scott gscot...@gmail.com wrote:

Backtrace executes successfully on the latest build of OpenSolaris for SPARC (snv_125) with gcc version 3.4.6

# uname -a
SunOS nemesis 5.11 snv_125 sun4u sparc SUNW, 5-slot Sun Enterprise E3500
# gcc -v
Reading specs from /usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/specs
Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --enable-shared --enable-languages=c,c++,f77
Thread model: posix
gcc version 3.4.6

Thanks for testing. This is an interesting result...I didn't expect it works for SunOS + sparc. Can you identify if your system has a backtrace() library function in libc? Does your system have /usr/include/execinfo.h?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: named error messages
At Fri, 16 Oct 2009 08:42:55 +0200, Toto t...@the-damian.de wrote:

we're getting quite a lot of messages like the ones below recently. The server is a resolver running bind 9.6.1-P1 (compiled from source on debian etch).

16-Oct-2009 08:28:50.430 dispatch: dispatch 0xeed08400: shutting down due to TCP receive error: [IP REMOVED]#53: connection reset

Searching for clues I stumbled across an old problem from 2006 (https://lists.isc.org/pipermail/bind-users/2006-August/063501.html).

This can happen if the remote server doesn't handle TCP queries correctly. Maybe the log messages are noisy, but other than the verbosity it's not a problem. Do you have any specific problem with them or did you just wonder?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: call for testers (Re: ISC BIND 9.7.0b1 is now available)
At Wed, 21 Oct 2009 20:19:59 -0400, Dave Knight d...@knig.ht wrote:

If the test fails on your platform, please report it to bind9-b...@isc.org, including the OS, its version, and hardware architecture (x86, amd64, sparc, etc).

Possibly also useful to report success here so that many people aren't needlessly repeating the same test.

Yes, that's indeed helpful as we actually plan to take an opt-in approach, that is, enabling it only for those known to work.

This is a list of platforms I've confirmed to work correctly:
- FreeBSD 6.1-RELEASE i386, gcc (GCC) 3.4.4 [FreeBSD] 20050518
- FreeBSD 7.0-RC1 amd64, gcc (GCC) 4.2.1 20070719 [FreeBSD]
- FreeBSD 8.0-RC1 ia64, gcc (GCC) 4.2.1 20070719 [FreeBSD]
- Linux 2.6.25 i686, gcc (Debian 4.3.2-1.1) 4.3.2
- Linux 2.6.18-6-amd64, gcc (GCC) 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)
- SunOS 5.10 i86pc(amd64), Sun C 5.7 2005/01/07
- SunOS 5.10 i86pc(amd64), gcc (GCC) 3.4.2 (producing 32-bit code)

In general, I expect it should work on
- most x86/amd64/IA64 + gcc platforms (regardless of OS)
- most Linux variants (assuming the compiler is gcc, regardless of machine arch)

So, if it does NOT work on a platform that matches the above condition, it's good to know. Likewise, if it DOES works on a platform that doesn't match the condition, it's also a good input.

Other results, which are actually expected but not yet confirmed, are also appreciated.

Thanks once again,

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
call for testers (Re: ISC BIND 9.7.0b1 is now available)
Dear beta testers,

At Tue, 20 Oct 2009 20:29:20 +, Evan Hunt e...@isc.org wrote:

BIND 9.7.0b1 is now available.

[snip]

- On some platforms, named and other binaries can now print out a stack backtrace on an assertion failure, to aid in debugging.

I'd like to know platforms for which this feature does NOT work, so that we can fix the problem (preferably) or disable this feature at ./configure time for such platforms.

To see if it works for your platform, please perform the following steps:
1. build 9.7.0b1
2. go to the bind-9.7.0b1/bin/tests directory
3. % make backtrace_test
4. % ./backtrace_test

On success, backtrace_test simply exits without any output (I know it's not a good UI); if something goes wrong it will dump some warning messages to stderr and exit with a non-0 exit code.

If the test fails on your platform, please report it to bind9-b...@isc.org, including the OS, its version, and hardware architecture (x86, amd64, sparc, etc).

There are several known defects:
- this feature doesn't work if it's built with libtool
- this doesn't work for Windows (probably obvious)
these cases don't have to be tested.

Thanks,

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: call for testers (Re: ISC BIND 9.7.0b1 is now available)
At Wed, 21 Oct 2009 15:50:00 -0700, JINMEI Tatuya jin...@isc.org wrote:

On success, backtrace_test simply exits without any output (I know it's not a good UI); if something goes wrong it will dump some warning messages to stderr and exit with a non-0 exit code.

If the test fails on your platform, please report it to bind9-b...@isc.org, including the OS, its version, and hardware architecture (x86, amd64, sparc, etc).

I've seen a couple of prompt reports (thanks!), and these reports reminded me that I forgot to ask for one more element of the platform: compiler. Please include which compiler you use with your reports.

Thanks again,

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: acache cleaning (not periodic)
At Wed, 19 Aug 2009 16:52:57 +0200, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

I have authoritative-only server with enough of memory to run with acache. I have set acache-cleaning-interval to 0 and I am wondering if it's safe when there will not be any periodic cleaning. If a domain is changed or removed, are relevant records/links updated in acache or removed?

Yes (if not it's a bug).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: 9.7.0a2 - deny-answer-addresses
At Tue, 25 Aug 2009 22:08:11 +0200, clemens fischer ino-n...@spotteswoode.dnsalias.org wrote:

How about the patch copied below? With this it would fail like this:

24-Aug-2009 16:46:41.334 /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
24-Aug-2009 16:46:41.334 loading configuration: already exists
24-Aug-2009 16:46:41.334 exiting (due to fatal error)
[1]6321 exit 1 ./named -c named.conf -g

The text itself would have been right on my nose. I'm not sure about the fatal error, though. If I only get to see a warning when using rndc reload on a running named(8), this solution is perfect.

If you mean when you incorrectly edit named.conf with a duplicate name for deny-answer-* and do rndc reload then named will just reject the new configuration file with the warning and keep running, it will behave that way (it's not different from other fatal configuration errors).

This change will appear in 9.7.0a3.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: no more recursive clients: quota reached
At Wed, 26 Aug 2009 13:37:09 -0400, Lisa Casey l...@jellico.net wrote:

The line recursive clients: 564/1000 bothers me, did my change to /etc/named.conf not get picked up? It appears that the max recursive clients is still at bind's default of 1000.

True. It's also true that

recursive-clients 5000;

will increase the quota in question to 5000. So the only sensible explanation I can think of is that you made an error in updating the configuration file.

BTW, it would always be helpful to identify the exact version of BIND9 when you ask something like this.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: 9.7.0a2 - deny-answer-addresses
At Fri, 21 Aug 2009 10:42:31 -0500 (CDT), Jeremy C. Reed jr...@isc.org wrote: deny-answer-addresses { 127/8; 192.168/16; 10/8; 172.16/12; } except-from { zen.spamhaus.org; dnsbl-1.uceprotect.net; dnsbl-1.uceprotect.net; This is repeated, resulting in already exists (via the RBT code). Maybe we can improve the configuration failure logging for this. How about the patch copied below? With this it would fail like this: 24-Aug-2009 16:46:41.334 /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists 24-Aug-2009 16:46:41.334 loading configuration: already exists 24-Aug-2009 16:46:41.334 exiting (due to fatal error) [1]6321 exit 1 ./named -c named.conf -g --- JINMEI, Tatuya Index: server.c === RCS file: /proj/cvs/prod/bind9/bin/named/server.c,v retrieving revision 1.540 diff -u -r1.540 server.c --- server.c5 Aug 2009 17:35:33 - 1.540 +++ server.c24 Aug 2009 23:47:35 - @@ -431,7 +431,14 @@ * for baz.example.com, which is not the expected result. * We simply use (void *)1 as the dummy data. */ - CHECK(dns_rbt_addname(*rbtp, name, (void *)1)); + result = dns_rbt_addname(*rbtp, name, (void *)1); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR, + failed to add %s for %s: %s, + str, confname, isc_result_totext(result)); + goto cleanup; + } + } return (result); ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
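Review bot: the new error branch logs every dns_rbt_addname() failure at ISC_LOG_ERROR and jumps to cleanup, so the duplicate-name case that prompted this patch still aborts configuration loading, only with a clearer message. If a repeated except-from name is meant to be tolerated, test for the already-exists result separately, log it as a warning and continue; if the fatal error is intended, say so in a comment next to the check. Style: the hunk also adds an empty line directly before the closing brace of the loop, which can be dropped.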
Re: attach-cache sample
At Fri, 14 Aug 2009 10:30:02 +0400, Dmitry Rybin kirg...@corbina.net wrote:

Have you read the ARM? It may not be sufficient (while I personally believe it's quite extensive), but at least there *is* documentation.

OK, Please explain what configuration parameter mismatch:

view world {
    zone 0.0.127.IN-ADDR.ARPA {
        type master;
        file localhost.rev;
    };
    [other zones]
};
view view0 {
    attach-cache world;
    [zones]
};

Please provide a complete configuration file. In my quick test using the above template I didn't see any problem.

I also remember you previously used an extraordinary large number of views (50-ish). If you still do this, I first suggest you try setting up some minimal configuration with a few views (like above) and see if it works. If it still fails, submitting the configuration file of that situation will help diagnose.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: attach-cache sample
At Thu, 13 Aug 2009 17:03:53 +0400, Dmitry Rybin kirg...@corbina.net wrote:

Have anybody test option attach-cache? There is no documentation about it. :(

Have you read the ARM? It may not be sufficient (while I personally believe it's quite extensive), but at least there *is* documentation.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: cache vs acache in bind 9.4.3
At 04 Aug 2009 12:49:41 -0400, LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN lmatusovs...@bloomberg.net wrote:

Can you pls explain the difference between cache and acache (additional cache) under bind 9.4.3? Is it possible to see the content of each and how?

cache is a widely-common DNS cache (I believe you can use google it, for example). The content of cache can be dumped via 'rndc dumpdb'.

acache is BIND9's internal hot-spot cache to optimize building authoritative responses. There's currently no interface to view acache content.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Dig shows wrong ip
At 03 Aug 2009 11:52:10 +0100, Chris Thompson c...@cam.ac.uk wrote:

will believe this answer (and cache it). This would only be proper behaviour if the *.gtld-servers.net were slaving (possibly stealth slaving) potomacnetworks.com - which of course they aren't, but how is the poor recursive nameserver to know that?

By seeing the aa bit of the response. We're aware of this problem and have a patch to fix the behavior at the resolver side. The fix will (hopefully) appear in next release versions of BIND9.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind9.6.0 Statistics Output
At Thu, 30 Jul 2009 09:53:13 +0200, Dangl, Thomas thomas.t.da...@siemens.com wrote:

I collect statistics data via the http interface and parse the XML file. There are some differences of the layout of the XML result between Bind9.5 and Bind9.6.

To be precise, there have been substantial changes in (IIRC) 9.5.1 from 9.5.0, so it's actually not between 9.5 and 9.6.

Note that the XML format is still considered experimental, and backward incompatible changes may still happen. However, we understand such changes are very inconvenient even if it's still experimental, and we'll try to keep future changes in a backward compatible manner as much as possible.

Is there an option or configuration parameter that allows to control the XML format?

No, but you can at least check the statistics version to see if it's compatible for your parser. The current version is 2.0, and, in general, changes in the same major version (currently 2) should be backward compatible.

There are 2 views found in the XML file named _default and bind. Is there a view - or rather one of these views - that is included in each XML statistics result that contains the total of the counter across all views? Or is it necessary to parse across all views and calculate the sum?

The latter. If a statistics counter is provided per-view basis, you need to sum up the counters of all views to get the total.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
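The two checks described in the message above (verify the statistics version, then sum a per-view counter over all views), as an added example that is not part of the original message or of BIND. The element layout (view elements with a name child and resstat entries holding name and counter) and the sample document are assumptions constructed for illustration; adjust the paths to what your named actually returns.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SUPPORTED_MAJOR = 2  # the thread states the current statistics version is 2.0

# Constructed sample document; element names are an assumption of this example.
SAMPLE_XML = """<isc version="1.0">
 <bind>
  <statistics version="2.0">
   <views>
    <view>
     <name>_default</name>
     <resstat><name>Queryv4</name><counter>120</counter></resstat>
     <resstat><name>Responsev4</name><counter>118</counter></resstat>
    </view>
    <view>
     <name>_bind</name>
     <resstat><name>Queryv4</name><counter>5</counter></resstat>
     <resstat><name>Responsev4</name><counter>5</counter></resstat>
    </view>
   </views>
  </statistics>
 </bind>
</isc>
"""


def statistics_version(root):
    """Return (major, minor) from the version attribute of <statistics>."""
    stats = next(root.iter("statistics"), None)
    if stats is None or "version" not in stats.attrib:
        raise ValueError("no <statistics version=...> element found")
    major, _, minor = stats.get("version").partition(".")
    return int(major), int(minor or 0)


def total_across_views(xml_text, group="resstat"):
    """Sum every counter in `group` over all views.

    Refuses to parse when the major statistics version differs from the one
    this parser was written for, since only changes within the same major
    version are expected to stay backward compatible.
    Returns (totals, per_view).
    """
    root = ET.fromstring(xml_text)
    major, _minor = statistics_version(root)
    if major != SUPPORTED_MAJOR:
        raise ValueError(
            "statistics major version %d is not supported (expected %d)"
            % (major, SUPPORTED_MAJOR)
        )

    totals = Counter()
    per_view = {}
    for view in root.iter("view"):
        view_name = view.findtext("name", default="?")
        counters = Counter()
        for item in view.findall(group):
            name = item.findtext("name")
            value = item.findtext("counter")
            if name is None or value is None:
                continue  # skip incomplete entries instead of guessing
            counters[name] += int(value)
        per_view[view_name] = counters
        totals.update(counters)  # Counter.update adds, it does not overwrite
    return totals, per_view


if __name__ == "__main__":
    totals, per_view = total_across_views(SAMPLE_XML)
    for name in sorted(totals):
        print(name, totals[name])
```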
Re: socket.c:4524: unexpected error in BIND 9.4.3 P3
At Thu, 30 Jul 2009 22:16:47 +0700, Le Vu lev@gmail.com wrote:

I have updated BIND from 9.4.2-P2 to 9.4.3-P3 to mitigate the Dynamic Update DOS attack. I have noted a lot of errors from socket.c (which I have never seen before with v9.4.2)

Jul 30 06:25:18 DNS1 named[2]: socket.c:4524: unexpected error:
Jul 30 06:25:18 DNS1 named[2]: 22/Invalid argument

There are also some of these errors:

Jul 30 07:26:17 DNS1 named[2]: sockmgr 0xb7f05008: maximum number of FD events (64) received

BIND is compiled with following option on Centos 5.3 (another machine with RHEL 4.4 has these error too):

./configure --disable-openssl-version-check --with-openssl=no

What should I do:
- go back to 9.4.2-P2 and use iptables to filter DNS update packet
- use another version of BIND
- ignore the error

If you didn't have a performance problem with 9.4.2-P2, please try rebuilding 9.4.3-P3 with --disable-epoll as a workaround.

We've heard the problem you saw several times:
https://lists.isc.org/pipermail/bind-users/2009-April/076026.html
https://lists.isc.org/pipermail/bind-users/2009-May/076265.html
but haven't figured out the cause of that. While it doesn't seem to be super rare, it doesn't seem to be so common...I myself have never seen this on my Linux test box, and many other Linux users apparently don't have this problem either (otherwise we'd have got this report much more frequently).

If you're willing to help debug this problem (even if the workaround works), that would be great.

Thanks,

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: idsable ipv6 in config?
At Thu, 30 Jul 2009 09:02:51 +0200, Gilles Massen gilles.mas...@restena.lu wrote:

Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'?

No.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: idsable ipv6 in config?
At Thu, 30 Jul 2009 12:10:14 +0200, Gilles Massen gilles.mas...@restena.lu wrote:

Is there a way to prevent Bind (9.6) from using ipv6 transport for making queries, by an entry in the config file rather than by 'named -4'?

No.

Ok, thanks. In that case I would humbly suggest to enhance the syntax of query-source[-6v] and transfer-source[-v6] to accept 'none' as argument, in some future release.

I personally don't see a need for it (what's wrong with -4/-6?)...but if that's so important to you, you can always promote the future request as a funded project:-)

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind 9.6.1: skipping zone transfer, but why ?
At Wed, 22 Jul 2009 15:56:38 +0200, Jan Hansen bi...@nhl-data.dk wrote:

As I wrote in the post Master is unreachable (cached), I've switched to windows server 2003, which currently *seem* to have a positive effect. I haven't seen the behaviour yet after the switch, but Ian Tait sees this behaviour on 2003. Is it OS specific, or does it affect both 2003/2008? As far as I'm informed, much of the network stack is new in 2008/vista and forward, which maybe could be related to this problem?

I don't know if this is version specific. Note that this bug is triggered due to a failure of zone transfer. So you may just be lucky when you didn't see the problem.

When will this fix be out in a release? 9.6.2, perhaps? or what is the roadmap for that kind of things?

It will appear in 9.6.2.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: A smarter stub resolver??
At Wed, 15 Jul 2009 10:04:30 -0400, Taylor, Gord gord.tay...@rbc.com wrote:

Is there a smarter stub resolver that acts more like a DNS server using Round Trip Time (RTT) to pick the best DNS server from the list? We run well over 500 xNix boxes (and growing), so running DNS on each of these just isn't a viable option to get round the DNS timing issues.

In BIND 9.7, we're planning to provide an experimental stub library implementation that uses the internal resolver routine of the BIND9 recursive server. If I understand the above correctly, that's exactly a smarter stub resolver you'd be looking for.

It's experimental in many points, however, including:
- not all /etc/resolv.conf options are supported
- only getaddrinfo() and getnameinfo() are supported as top-level API functions. In other words, there'll be no smarter gethostbyname() or gethostbyaddr().
- likewise, there'll be no lower-level API functions like res_xxx() variants.

So, depending on your purpose, this experimental implementation may or may not help you.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind 9.6.1: skipping zone transfer, but why ?
At Mon, 20 Jul 2009 16:13:03 +0100, Ian Tait ia...@thoughtbubble.net wrote: I see exactly this problem too on windows 2003. Lookups happen normally after this behaviour occurs though. Restarting bind cures the problem. I haven't bothered to debug the issue as yet :-) We've found a bug that can cause this problem. We're working on a complete fix to the problem, but a workaround patch copied below may work for you in the mean time. p.s. this is a Windows specific bug. --- JINMEI, Tatuya Internet Systems Consortium, Inc. Index: zone.c === RCS file: /proj/cvs/prod/bind9/lib/dns/zone.c,v retrieving revision 1.483.36.7 diff -u -r1.483.36.7 zone.c --- zone.c 17 Jun 2009 04:53:57 - 1.483.36.7 +++ zone.c 20 Jul 2009 19:41:18 - @@ -11004,6 +11004,8 @@ isc_result_t result; isc_uint32_t seconds = isc_time_seconds(now); + return; + REQUIRE(DNS_ZONEMGR_VALID(zmgr)); locktype = isc_rwlocktype_read; ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
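Review bot: the added return sits between the local declarations and REQUIRE(DNS_ZONEMGR_VALID(zmgr)), so the validity check and the whole body become unreachable while the locals result and seconds are left unused (seconds is still initialised from isc_time_seconds(now)). A bare return also yields no value if this function is not void, which the hunk does not show; state the intended return value explicitly and mark the early exit with a comment so the disabled code is obviously a temporary workaround.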
Re: Bind 9.6.1: skipping zone transfer, but why ?
At Mon, 20 Jul 2009 12:41:24 -0700, JINMEI Tatuya jin...@isc.org wrote: We've found a bug that can cause this problem. We're working on a complete fix to the problem, but a workaround patch copied below may work for you in the mean time. Sorry that patch was incorrect. Copying the correct one. --- JINMEI, Tatuya Index: zone.c === RCS file: /proj/cvs/prod/bind9/lib/dns/zone.c,v retrieving revision 1.483.36.7 diff -u -r1.483.36.7 zone.c --- zone.c 17 Jun 2009 04:53:57 - 1.483.36.7 +++ zone.c 20 Jul 2009 19:42:09 - @@ -11032,6 +11032,8 @@ isc_uint32_t last = seconds; unsigned int i, slot = UNREACH_CHACHE_SIZE, oldest = 0; + return; + REQUIRE(DNS_ZONEMGR_VALID(zmgr)); RWLOCK(zmgr-rwlock, isc_rwlocktype_write); ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
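Review bot: the early return placed before REQUIRE(DNS_ZONEMGR_VALID(zmgr)) switches this function off on every platform, while the thread describes the underlying bug as Windows specific. Guarding the return with the Windows build conditional, and adding a comment that names the workaround and the pending complete fix, would keep the function working elsewhere and make the change easy to back out.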
Re: bind 9.6.1 under perform after running for a couple of hours
At Wed, 08 Jul 2009 21:24:17 +0300, Imri Zvik im...@inter.net.il wrote:

After a couple of hours, performance of bind 9.6.1 suddenly drops. While the server remains responsive, the response time increases, the rate of the failed queries increases, and CPU/load average usage increases. Restarting named solves the problem.

[snip]

It is important to state that we just upgraded from 9.4.3-P2.

I have no idea with confidence about this kind of problem that 9.6.1 has but 9.4.3-P2 doesn't. But one usual suspect in such a symptom is memory management problems for a caching server. Can you show your named.conf to see if there's anything that may matter in this sense? How much memory did named use when you saw the problem? If you enable statistics-channels can you show its output when this occurs?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind 9.6.1 stops after few hours.
At Tue, 7 Jul 2009 11:55:34 -0400, Rob Payne rnspa...@the-paynes.com wrote:

After an upgrade to 9.6.1 we noticed the Bind daemon stops after few hours.

What do you mean by stop? Did the daemon crash, simply not respond to queries, or something else?

I don't know if this is the same as what Laurence is seeing. Testing 9.6.1 on Solaris 10/sparc, with a local build (THREADS, no MEMFILL, openssl 0.9.8k) the server stops responding to queries made from the network (LAN), until a local query comes in (dig @localhost ...).

You may want to try this:

2489. [port] solaris: Workaround Solaris's kernel bug about /dev/poll: http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Define ISC_SOCKET_USE_POLLWATCH at build time to enable this workaround. [RT #18870]

Note, however, that this is workaround after all and may still cause problematic behavior. The essential fix is to apply Sun's patch to the kernel bug (I hear it exists, but don't know how widely it's available).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind 9.6.1 stops after few hours.
At Fri, 3 Jul 2009 17:31:57 -0300, Laurence Stendard lstend...@diveo.net.br wrote:

After an upgrade to 9.6.1 we noticed the Bind daemon stops after few hours.

What do you mean by stop? Did the daemon crash, simply not respond to queries, or something else?

From which version did you upgrade your named?

How often does that happen?

Does the problem change if you disable threads and/or epoll (via --disable-threads / --disable-epoll)?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: How See what is Cached?
At Sun, 5 Jul 2009 15:01:29 +0300, Alans batpowe...@yahoo.co.uk wrote:

One more question regarding cache, ns1 cache file is 60+ MB while ns2 cache file is 5 MB!! How to improve this issue?

What do you mean by improve? Having both servers cache (approximately) the same amount of data? If the reason for the unbalanced cache content is that you specify a lower size for ns2, you can improve it by increasing the max-cache-size value for ns2 (or decreasing it for ns1). If the reason is due to client-side server selection algorithm (many Unix based resolvers only uses the first address in /etc/resolv.conf as long as it responds to their queries), there's basically nothing you can do as the server side operator.

And is there any way to make cache file same on both servers?

I don't understand this question, if it doesn't mean the size of cached data.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind-9.5.0-P2
At Fri, 26 Jun 2009 10:55:07 -0400, Del Solar Navarrete Maria Cristina mdelso...@entel.cl wrote: I have Red Hat Enterprise Linux Server release 5 (Tikanga) Okay, then if your kernel supports epoll (at least all 2.6 kernels should support it as far as I know), 9.5.1 should work much better for you than 9.5.0-P2. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Bind-9.5.0-P2
At Thu, 25 Jun 2009 13:05:27 -0400, Del Solar Navarrete Maria Cristina mdelso...@entel.cl wrote: I have a problem with bind, part of file messages is: Please use 9.5.1. 9.5.0-P2 is an emergency security fix version with limitation on performance/scalability. It should still work (or have worked) for most people, but cannot work in a highly busy environment. The log and status output seem to indicate your operational environment is such a busy one. (BTW: how 9.5.1 is effective also depends on your OS. Which OS are you using?) --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: SERVFAIL debugging
At Wed, 24 Jun 2009 10:13:51 +0400, Dmitry Rybin kirg...@corbina.net wrote: new experimental feature just for that purpose: Is this feature going to be back ported to 9.4 and 9.5 releases as well? For 9.5, yes. For 9.4, not according to the current plan. named[87071]: 22-Jun-2009 13:18:23.256 query-errors: debug 2: fetch completed at resolver.c:6569 for static.cache.l.google.com/A in 0.041364: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0] Which version of BIND9 is this? To match the line number we need the exact version number. FreeBSD 7.2-STABLE, bind from ports bind96-9.6.1 Okay, then the above log strongly suggests that the cache is full in some unusual way and even recently fetched RR (which is in this case NS for google.com) has been purged before it's actually used. There have been bugs that could cause this symptom, but all known problems should have been solved in 9.6.1. So, I have no specific idea about how exactly that happened. Can you provide the following information? - your complete named.conf - if you enable statistics-channel, its output when you see this trouble - the result of rndc dump when you see this trouble (note: rndc dump purges stale cache entries as a side effect and may hide the cause. It will still help investigate the problem) If you think it's sensitive please contact me offlist. Thanks, --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: SERVFAIL debugging
At Mon, 22 Jun 2009 13:30:42 +0400, Dmitry Rybin kirg...@corbina.net wrote: Please try 9.6.1b1, which we expect to be released next week. It has a new experimental feature just for that purpose: Is this feature going to be back ported to 9.4 and 9.5 releases as well? For 9.5, yes. For 9.4, not according to the current plan. named[87071]: 22-Jun-2009 13:18:23.256 query-errors: debug 2: fetch completed at resolver.c:6569 for static.cache.l.google.com/A in 0.041364: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0] Which version of BIND9 is this? To match the line number we need the exact version number. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Tracking down validation failures
At 12 Jun 2009 17:50:39 +0100, Chris Thompson c...@cam.ac.uk wrote: (They don't add up to as much as the statistics-channel ValFail counter is increasing by, though.) It's not surprising: if validation attempt succeeds with one authoritative server after some validation failures with other authoritative servers, you won't see the intermediate error in query-error log messages. But these failures are still counted in ValFail. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Bind is hanging on CentOS 4.4
At Fri, 29 May 2009 13:56:40 -0400, Jesse Cabral jcab...@mtsolutions.net wrote: I just tried that and re-ran the ./configure --disable-threads Then I killed the named pid and started named: ps -Leo user,pid,ppid,lstart,lwp,nlwp,psr,args |egrep LWP|named USER PID PPID STARTED LWP NLWP PSR COMMAND named14671 1 Fri May 29 13:56:41 2009 146715 0 /usr/sbin/named -u named -t /var/named/chroot Still appears to be threaded ? Is /usr/sbin/named really the one you rebuilt? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Bind is hanging on CentOS 4.4
At Fri, 29 May 2009 15:41:26 -0400, David Ford da...@blue-labs.org wrote: Every few releases I try to add threads back in and get the same results. Both on my 32bit linux and 64bit linux machines (current gentoo). Named crashes or hangs. Jeff Lightner wrote: This may have something to do with the different way Linux does threads compared to UNIX. I suspect it simply means different things happen in different (operational) environments, even if the software/hardware is the same. Admittedly, threaded versions of BIND9 have more bugs than non-threaded versions due to all the complexity of multi-thread interactions. So I won't be surprised there's someone who always has to disable threads. At the same time, I won't be surprised there's someone else who is just happy with threads and enjoys enhanced performance. It's regrettable to me that we cannot fully satisfy all users with threads, but my general impression is that many if not most users are happily using BIND9 with threads. (but I'm afraid this is going to be off-topic. I don't think we're discussing whether the thread support is good or bad, but how to disable them for any reason). --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: servfail on 9.6.1rc1
At Thu, 28 May 2009 17:12:54 +0400, Anatoly Pugachev ma...@team.co.ru wrote: Installed bind-9.6.1rc1 for the query-errors category debugging. Server is a usual recursive server on solaris 10 x86 with 4Gb of RAM. Named was compiled with SunStudio 12 compiler suite as: CFLAGS=-m32 -xarch=sse2 ./configure --prefix=/ --with-openssl=no make named.conf without any views defined, max-cache-size is set to 1500m usual daily load shown with 'rndc status' is 1500 recursive clients. $ prstat PID USERNAME SIZE RSS STATE PRI NICE TIME CPU PROCESS/NLWP 19567 bind 232M 228M sleep 590 0:12:08 19% named/7 Here's what I've got in the logs: first query: 28-May-2009 05:57:40.578 query-errors: debug 1: client 213.33.171.242#1130: query failed (SERVFAIL) for 5.126.208.91.IN-ADDR.ARPA/IN/PTR at query.c:4619 28-May-2009 05:57:40.578 query-errors: debug 2: fetch completed at resolver.c:2908 for 5.126.208.91.IN-ADDR.ARPA/PTR in 0.000163: out of memory/success [domain:91.in-addr.arpa,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0] second same query coming to server resolving properly (NOERROR) Can you please help me to investigate what is wrong? At least according to the log it was due to memory allocation failure. Please first check the maximum memory the named process can allocate in your environment. If you limit the datasize in your named.conf, try increasing the value or (preferably) removing it. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
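The query-errors lines quoted in this message and in the SERVFAIL debugging messages above share one layout, so they can be parsed and triaged mechanically. The following is an added example, not code from the list posts or from BIND; the dictionary keys and triage labels are this example's own choices, and the sample input is the three log lines quoted on this page.

```python
import re

# The three query-errors lines quoted in the messages on this page.
SAMPLE_LOG = """\
named[87071]: 22-Jun-2009 13:18:23.256 query-errors: debug 2: fetch completed at resolver.c:6569 for static.cache.l.google.com/A in 0.041364: SERVFAIL/success [domain:com,referral:1,restart:0,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
28-May-2009 05:57:40.578 query-errors: debug 1: client 213.33.171.242#1130: query failed (SERVFAIL) for 5.126.208.91.IN-ADDR.ARPA/IN/PTR at query.c:4619
28-May-2009 05:57:40.578 query-errors: debug 2: fetch completed at resolver.c:2908 for 5.126.208.91.IN-ADDR.ARPA/PTR in 0.000163: out of memory/success [domain:91.in-addr.arpa,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

# "debug 2" line: one per failed fetch, ending with the resolver's counters.
FETCH_RE = re.compile(
    r"query-errors: debug 2: fetch completed at (?P<src>[\w.]+):(?P<srcline>\d+) "
    r"for (?P<name>\S+)/(?P<rtype>[\w-]+) in (?P<secs>\d+\.\d+): "
    r"(?P<result>.+?)/(?P<vresult>[^/\[]+?) \[(?P<counters>[^\]]*)\]"
)
# "debug 1" line: one per client query that was answered with an error.
CLIENT_RE = re.compile(
    r"query-errors: debug 1: client (?P<addr>\S+)#(?P<port>\d+): "
    r"query failed \((?P<rcode>[^)]+)\) "
    r"for (?P<name>\S+)/(?P<qclass>[\w-]+)/(?P<rtype>[\w-]+) "
    r"at (?P<src>[\w.]+):(?P<srcline>\d+)"
)
# Counters that record a problem seen while dealing with remote servers.
FAILURE_COUNTERS = ("timeout", "lame", "neterr", "badresp",
                    "adberr", "findfail", "valfail")


def parse_counters(blob):
    """Turn 'domain:com,referral:1,...' into a dict; numeric values become int."""
    out = {}
    for item in blob.split(","):
        key, sep, val = item.partition(":")
        if sep:  # skip malformed items that have no key:value separator
            out[key.strip()] = int(val) if val.isdigit() else val.strip()
    return out


def parse_line(line):
    """Return ('fetch', rec), ('client', rec), or None for unrelated lines."""
    m = FETCH_RE.search(line)
    if m:
        return "fetch", {
            "source": (m["src"], int(m["srcline"])),
            "name": m["name"],
            "rtype": m["rtype"],
            "seconds": float(m["secs"]),
            "result": m["result"],        # final result of the fetch
            "validation": m["vresult"],   # second result on the line
            "counters": parse_counters(m["counters"]),
        }
    m = CLIENT_RE.search(line)
    if m:
        return "client", {
            "addr": m["addr"],
            "port": int(m["port"]),
            "rcode": m["rcode"],
            "name": m["name"],
            "qclass": m["qclass"],
            "rtype": m["rtype"],
            "source": (m["src"], int(m["srcline"])),
        }
    return None


def parse_log(text):
    """Split a log into fetch records and client records, in input order."""
    parsed = {"fetch": [], "client": []}
    for line in text.splitlines():
        hit = parse_line(line)
        if hit:
            parsed[hit[0]].append(hit[1])
    return parsed


def triage(fetch):
    """Label a fetch record with the first things worth checking."""
    notes = []
    counters = fetch["counters"]
    if fetch["result"].lower() == "out of memory":
        # named itself could not allocate memory for this fetch.
        notes.append("memory-allocation-failure")
    if counters.get("qrysent") == 0:
        # The resolver recorded no queries sent for this fetch, so the
        # failure was produced on this server, not by a remote one.
        notes.append("no-query-sent")
    notes += [f"{key}={counters[key]}" for key in FAILURE_COUNTERS
              if isinstance(counters.get(key), int) and counters[key] > 0]
    return notes


def report(text):
    """One (name/type, result, notes) tuple per failed fetch in the log."""
    return [(f"{f['name']}/{f['rtype']}", f["result"], triage(f))
            for f in parse_log(text)["fetch"]]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Both fetches quoted on this page come out labelled `no-query-sent`, which matches the replies: each failure is attributed to the local server (cache state in one case, memory allocation in the other) and not to the remote zones.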
Re: AW: file descriptors and max-clients-per-query
At Thu, 14 May 2009 17:46:42 +0200, Philippe Maechler pmaechler...@glattnet.ch wrote: I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box as caching servers. let's call them ns1 and ns2 :P shortly after we shutdown server one we get error messages on the other server - socket: too many open file descriptors What is the other server? I assume you are getting this error message with the old 9.4.2-P2 (and not on the 9.5.1-P1). No, I have the messages on both servers. If ns1 goes down, we get the messages on ns2 and vice-versa. How many sockets are open when you see this message? Normally the socket() call shouldn't fail even if named uses many sockets (it will fail anyway, but the failure mode is normally different), so it's very odd to see the above message. Are you perhaps limiting the system resource for the number of allowable open sockets? Do you set the 'files' option in your named.conf? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Bind Statistics questions
At Tue, 5 May 2009 11:11:13 +0100, Nuno Ribeiro nribeir...@gmail.com wrote: I have some doubts and I would like clarify them: - Bind ( version 9.5) provides lots of statistics information and provides two interfaces for users to get access to it (file dump and HTTP access). For what I see and read the counters are cumulative during the time the service is running. My question is if it is possible to reset the counter statistics in real time in order to have statistic details in a time interval? It's currently not possible. We've actually discussed before, so you might want to search the mail archive. It would not be difficult to implement it, but I've personally not yet seen a strong argument for it. Most if not all of the things that the reset feature could provide can be achieved by post-processing cumulative data, so, for now I'd rather keep the server side simple. Other question is if there is any statistic detail provide us information such this average time answering to queries of type A The answer would be no anyway, but I'm afraid the question is also not very clear. Can you define "average time answering to queries of type A" more precisely? (e.g. it's not even clear about an authoritative server or a recursive server) --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Scale BIND over multiple kernels effectively
At Thu, 30 Apr 2009 11:46:05 -0700, Jonathan Petersson jpeters...@garnser.se wrote: I've been running some dnsperf tests on a couple of servers I have resulting in some interesting behaviors. [...] Any input would be valuable, thanks! Roughly summarizing (ignoring many details), what you showed is: 2 threads on 2 core: 45kqps 4 threads on 4 core: 108kqps 8 threads on 4 core + HT: 75kqps 16 threads on 8 core + HT: 35kqps correct? There are several possible explanations. First, you may be using too many threads when you see lower performance. Even though recent versions of BIND9 try very hard to eliminate inter-thread contention, it cannot completely be free from some inherent overhead with the use of multiple threads, which could be revealed as you increase the number of threads. From my past experiences threaded BIND9 scales pretty well with at least up to 4 threads (on 4 cores), and I believe it also works well with additional 1-2 threads. I'm not sure about 8 threads, and I've heard a report of performance degradation at around this number. Second, again, from my past personal experiences, HT never helped BIND9; rather, it often worsened the performance. I've not figured out why; if it really works as the manufacturer claims (e.g., using a single core efficiently with multiple threads when one thread stalls due to memory access), it could actually improve overall performance. But empirical experiments have always denied the theoretical positive effect. Note: I've not tried Intel's latest hyper threading (Now called SMT), so my experience was limited to older versions of HT. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Scale BIND over multiple kernels effectively
At Thu, 30 Apr 2009 15:41:03 -0700, Jonathan Petersson jpeters...@garnser.se wrote: in light of this is it possible to tell BIND how many threads it should utilize or is it an ALL or ONE case? Do you mean the -n command line option? usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus] [-p port] [-s] [-t chrootdir] [-u username] [-m {usage|trace|record|size|mctx}] --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: request timeout
At Tue, 28 Apr 2009 00:42:29 -0700, Jeff Pang hostmas...@duxieweb.com wrote: When a Bind requests another Bind for a name resolving, what's the timeout value for this request? I mean, within how many seconds peer Bind doesn't answer it, this Bind will give up the query? There are various types of timeouts. Could you be more specific about which one? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: approach on parsing the query-log file
At Tue, 28 Apr 2009 10:01:02 -0700, Jonathan Petersson jpeters...@garnser.se wrote: So I gave tail a try in perl both via File::Tail and by putting tail -f in a pipe. Neither seems to be handling the logrotation well. In my case I'm running a test sending 1 million queries, of those half is picked up by File::Tail if you define how often it should re-read the file but using tail -f straight or File::Tail without arguments just stops once the log has rotated as it doesn't seem to figure out to continue onto the new file. I've never tried it, but how about letting named dump log messages to syslog, and letting syslogd forward all messages to a separate process via a pipe (assuming your syslogd supports that)? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: IPV6 Bind doubt
At Thu, 23 Apr 2009 20:34:23 +0100, Nuno Ribeiro nribeir...@gmail.com wrote: I will try to clarify my doubt based in your comments: Bind will be configured to listen IPv4 and IPv6 queries. When receiving a query via IPv6 it can forward only via IPv4? I was considering to forward the query to another recursive server using the forwarders option. If I understand the above correctly, it should be pretty easy: - configure listen-on and listen-on-v6 appropriately (note that the default of listen-on-v6 is none) - specify the IPv4 address of the external recursive server: forwarders { 192.0.2.1; }; and you may also want to specify this forward only; to make very sure that the server won't fall back to the normal recursive mode (with IPv6 transport) But since this is probably too trivial, I'm afraid I may misunderstand the requirement... --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: IPV6 Bind doubt
At Wed, 22 Apr 2009 12:12:51 +0100, Nuno Ribeiro nribeir...@gmail.com wrote: I have a doubt about bind and I would like you, if possible, to clarify it to me: It is possible to a bind server to receive a DNS query in IPV6, and forward it using IPV4 to another server? If yes, how can I configure it in the configuration file? The question is not very clear to me...by "to receive a DNS query in IPV6", do you mean you want to receive queries *only* over IPv6? Likewise, by "forward it using IPV4 to another server", do you mean you want to forward the query *only* over IPv4? Also, by "forward", do you mean forward a query to another recursive server (e.g., by using the forwarders option), or do you mean the server acts as a normal recursive server who sends queries to external authoritative servers? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: can bind filter the result
At Mon, 20 Apr 2009 14:55:56 +0800, Ken Lai soulhacker...@gmail.com wrote: let's take an example. my DNS server called SrvA, the outer DNS server called SrvB. normally, the client sent the query to SrvA, and SrvA forwards it to SrvB. and SrvA return a result which came from SrvB to the client. unfortunately the SrvB sometimes will return an A record that is an advertisement site ip to SrvA. so I don't want to respond to client if the returned IP address is the Advertisement site address. filter the domain name may not be suitable. As already pointed out in this list, if this is specific to the real recursive server (= SrvB), you probably rather want to reconsider the use of it in the first place. If this is not specific to that single server (= SrvB), I doubt filtering based on the IP addresses of A RRs of responses will be very effective because there are many such addresses, some of which may even be changing rapidly. Regarding the specific question about resource data (e.g. IP address) based filtering: no, BIND9 currently doesn't provide such filtering. However, we're now reviewing a kind of such filtering based on a contributed patch (for different purposes than that you described), and it *may* be included in BIND 9.7. Even so, I suspect the new filtering feature is not something you want for your purpose as described above. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Bind 9 Configuration and Statistics
At Sat, 11 Apr 2009 20:59:18 -0600, ic.nssip ic.ns...@northwestel.net wrote: I have only a little question about Bind 9 Configuration and Statistics page. I activated statistics-channels on a 9.5.0-P2 and a 9.6.0 DNS Server. I'm not getting any records for: - Outgoing Queries from View _bind - Cache DB RRsets for View _bind That's normal, as view _bind is not expected to cache any external names. - Outgoing Queries from View _default Do you have non-empty cache DB RRsets but still not see anything about outgoing queries? If, for example, this is an authoritative-only server, it's possible that named doesn't send any outgoing query (and in that case there should be no cache DB RRsets). What should I activate or change on settings in order to get statistics on above listed too? (I know this is not an answer to the question but) If your views aren't expected to have non-empty statistics, you don't have to worry about these things. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: nameserver not responding (servfail)
At Tue, 7 Apr 2009 13:47:06 +0800, David Cake d...@difference.com.au wrote: It loads all domains fine on startup, and sends and receives notifies, but any attempts to lookup domains from the server itself seem to fail, returning servfail. Could you be more specific about any attempts...fail? Desirably you could show us your named.conf and how you saw the failure (e.g., by sending a dig). --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: rdataset.c:652: REQUIRE(dbp != ((void *)0) *dbp == ((void *)0)) failed
At Tue, 07 Apr 2009 07:54:38 +0100, Howard Wilkinson how...@cohtech.com wrote: We have had a failure of one of our BIND installations this morning. The failure happened at 01:51:45 BST on a machine that was effectively idle at the time. The previous messages logged by 'named' were 30 seconds before the crash and were a zone transfer from a Microsoft 2003 DNS server of an AD integrated zone. I can provide config files if they are useful. The version of BIND is a stock build from Fedora 9 - bind-9.5.1-2.P2.fc9.i386. If named dumped a core, could you show us its stack trace? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: Unreachable IP in allow transfer
At Tue, 07 Apr 2009 12:34:46 -0400, Barry Margolin bar...@alum.mit.edu wrote: This look more like the result of masters { 123.123.123.123;}. If a slave can't connect to the master, it will time out when it tries to perform a zone transfer. I'm not sure why this would cause slow response times, though. I assume the zone transfer is done in a separate thread from query processing. Actually, whether or not threads are used, an unreachable master server itself shouldn't cause slower response times because zone transfers take place asynchronously. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: how bind supports multi-processors?
At Wed, 18 Mar 2009 22:48:34 +0100, Florian Weimer f...@deneb.enyo.de wrote: Is threads stable enough in product use of Bind? It's stable on mainstream architectures. GNU/Linux on i386 and amd64 is fine in general. GNU/Linux on hppa, mips(el), ia64, and others is problematic. The hppa instability could be due to the lack of a stable SMP kernel. The ia64 issues seem to be a genuine BIND 9 issue. Part of the problem is that BIND contains its own set of wrappers for atomic CPU operations, instead of using GCC's intrinsics or libatomicops. That's an optional feature, even if it's enabled by default when found to be available by autoconf. If the atomic operations cause stability problems, you can disable them by rebuilding BIND9 with --disable-atomic. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: how bind supports multi-processors?
At Wed, 18 Mar 2009 23:11:07 +0100, Florian Weimer f...@deneb.enyo.de wrote: That's an optional feature, even if it's enabled by default when found to be available by autoconf. If the atomic operations cause stability problems, you can disable them by rebuilding BIND9 with --disable-atomic. Would it be possible to disable them by default on architectures where the intrinsics haven't been reviewed by someone familiar with the platform, or tested very extensively? We keep running into those issues on fringe architectures. 8-/ Please file a bug report :-) --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: SERVFAIL debugging
At Fri, 13 Mar 2009 17:31:37 -0400, R Dicaire kri...@gmail.com wrote: Please try 9.6.1b1, which we expect to be released next week. It has a new experimental feature just for that purpose: Is this feature going to be back ported to 9.4 and 9.5 releases as well? For 9.5, yes. For 9.4, not according to the current plan. Note also that this is a new experimental feature. So far, we've only included a new feature in a .0 release, so this logging feature would only appear in 9.7.0. We're now trying to seek an intermediate path, considering the tradeoff between the plus of providing useful features for older versions and the risk of introducing instability to maintenance release. So, we may even remove this feature from the final release of 9.6.1 if we find significant regression with it through the beta cycle. On the other hand, we may include it to the next version of 9.4 if we find it very useful and can be sure that it does no harm. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: statschannel assertion failure
At Thu, 26 Feb 2009 07:58:29 -0600, Timothy Holtzen t...@nebrwesleyan.edu wrote: No it is a single processor on both production and test systems. Production is an Opteron and the test system is an Athlon64 but both are single core processors. Just to be sure I did a configured with a --disable-threads on the test system and tried again. Testing still triggers the exception with the same errors. Okay, then please try the revised patch. This will make named abort itself in the context of the libxml2 error, so please then get the stack trace of the core dump and show it. BTW, I tried to reproduce the problem by mostly concurrent access like: wget http://127.0.0.1:5300/ ; wget http://127.0.0.1:5300/ but couldn't see the crash. Also, since this happened even --disable-threads, it's very unlikely to be a kind of race condition. I have no idea how the concurrent access relates to the problem at this moment. --- JINMEI, Tatuya Internet Systems Consortium, Inc. Index: statschannel.c === RCS file: /proj/cvs/prod/bind9/bin/named/statschannel.c,v retrieving revision 1.2.2.13.2.1 diff -u -r1.2.2.13.2.1 statschannel.c --- statschannel.c 18 Dec 2008 02:39:12 - 1.2.2.13.2.1 +++ statschannel.c 26 Feb 2009 17:43:50 - 
@@ -109,10 +109,60 @@ #endif } +#ifdef HAVE_LIBXML2 +static void +error_libxml2(void *ctx, xmlErrorPtr error) { + xmlParserCtxtPtr pctx; + ns_server_t *server = ctx; + char *msg, *cp; + + REQUIRE(server != NULL); + REQUIRE(error != NULL); + + /* +* Save the error code, if available, so that it can be used in the main +* code. No lock is necessary here. +*/ + pctx = error-ctxt; + if (pctx != NULL pctx-myDoc != NULL + pctx-myDoc-_private != NULL) { + *(int *)pctx-myDoc-_private = error-code; + } + + /* +* Log the error message. Since some libxml2 error messages are +* terminated with a CR, we make a local copy to remove it. This is +* expensive, but should be okay as we don't expect to see libxml2 +* errors so often. +*/ + if (error-message != NULL) { + msg = isc_mem_strdup(server-mctx, error-message); + if (msg == NULL) + return; + cp = strchr(msg, '\n'); + if (cp != NULL) + *cp = '\0'; + + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + libxml2 Error: %s, msg); + + isc_mem_free(server-mctx, msg); + + INSIST(0); + } +} +#endif + static void init_desc(void) { int i; +#ifdef HAVE_LIBXML2 + xmlSetStructuredErrorFunc(ns_g_server, error_libxml2); + xmlInitParser(); +#endif + /* Initialize name server statistics */ memset(nsstats_desc, 0, dns_nsstatscounter_max * sizeof(nsstats_desc[0])); ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
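Review bot: the INSIST(0) added in error_libxml2() sits inside the if (error-message != NULL) block, after isc_mem_free(), so a libxml2 error that carries no message, or one where isc_mem_strdup() fails and the handler returns early, will not abort and leaves no core at the point of failure. If the aim is a stack trace taken in the context of the libxml2 error, move the INSIST(0) to the end of the function, outside that block. Because init_desc() registers the handler with xmlSetStructuredErrorFunc() for the whole process, every libxml2 error reported to it then terminates named, so this version should stay a diagnostic build and not be carried into a production one. The comment also says the message is terminated with a CR while the code strips '\n'; one of the two should be corrected.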
Re: statschannel assertion failure
At Wed, 25 Feb 2009 14:17:27 -0600, Timothy Holtzen t...@nebrwesleyan.edu wrote: I applied the patch on my test system and ran my little test using wget and this is the output I got in the log Feb 25 13:51:12 arthur named[17030]: libxml2 Error: Input is not proper UTF-8, indicate encoding ! Feb 25 13:51:12 arthur named[17030]: libxml2 Error: xmlTextWriterWriteDocCallback : XML error 9 ! Feb 25 13:51:12 arthur named[17030]: libxml2 Error: write error Feb 25 13:51:12 arthur named[17030]: statschannel.c:744: INSIST(xmlrc = 0) failed Feb 25 13:51:12 arthur named[17030]: exiting (due to assertion failure) Since it failed with the full patch I figured removing xmlInitParser() wouldn't make a difference. I decided to try anyway and got the same result. Okay, thanks for the confirmation. Are you running named with multiple threads on multiple processors? If so, does the situation change if you disable threads? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: rndc reconfig issue
At Tue, 24 Feb 2009 14:47:17 +0100, Ronni Jensen r...@mvb.dk wrote: Every night I have a perl script generate a config file which contains approximately 5000 zones at the moment, but this will vary in size as zones are added/removed. However, when I put include /etc/special-zones.conf; into named.conf and do rndc reconfig, the named service is not answering DNS queries while it is loading the config, which takes a really long time :-/ I was under the impression that rndc reconfig would not affect the service as such, but apparently it does. Does anyone have a qualified suggestion on how to reload configuration (load the new zones and unload the ones that are not in the config file anymore) without stalling the DNS service so it does not affect the user experience? Could you tell us a bit more details? How exactly long did it take to load the new configuration? Does that depend on specific add/remove actions? e.g., does that change if you only add a single zone without any deletion, or does that happen even for such a simple, small change? Also, does that happen first time you reconfig the server, or after several times of reconfig operation? It would also be very helpful if you can file a bug report with the set of your configuration so that we can reproduce it locally. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: File descriptors
At Tue, 24 Feb 2009 13:14:27 -0500, Todd canada...@gmail.com wrote: We ran into an issue this morning with some caching DNS servers. One of the zones we heavily rely on was having DNS issues, which appears to have been causing very slow responses to us. The servers in question handle about 500queries/second. These particular servers are configured with recursive-clients 5000, which we thought would be sufficient. However, before we even reached 5000, the server started boinking because of socket: too many open file descriptors errors in syslog. So, the question is, do we need a 1:1 mapping of file descriptors to max queries, + overhead for named? From reading, I see that a socket uses a file descriptor, so my assumption is yes, but I wanted to check with Those Who Are Wiser Than I before I write a change ticket to get these things fixed. If I do need to allow more file descriptors, what is the best method to ensure that the named process has an appropriate number? Before answering the questions: which version of BIND (you didn't even say it was a BIND, but I guess it is for the obvious reason:-) are you using? --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: File descriptors
At Tue, 24 Feb 2009 15:10:36 -0500, Todd canada...@gmail.com wrote: The servers in question are running a mix of BIND versions .. 9.2.3, 9.2.4, 9.3.2, 9.3.4, 9.4.1, 9.4.2-p2, the majority are 9.3.4 and 9.4.2-P2 Then are confused somehow. Among above, the only version that could cause the too many open file descriptors problem is 9.4.2-P2 (this doesn't mean you can safely use the others; they are vulnerable to the so-called 'Kaminsky' caching poisoning attacks). Regarding 9.4.2-P2, I'd strongly recommend to upgrade to 9.4.3-P1. 9.4.2-P2 has a fundamental performance problem due to the use of inefficient socket API, which has been solved in 9.4.3 and onward. If you still have the same problem with 9.4.3-P1, please report it again. --- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: statschannel assertion failure
At Tue, 24 Feb 2009 14:26:45 -0600, Timothy Holtzen t...@nebrwesleyan.edu wrote: Hi guys I'm getting this assertion failure again under Bind 9.5.1-P1 on RHEL 5.2. Feb 23 22:00:01 foo named[18476]: statschannel.c:696: INSIST(xmlrc = 0) failed Feb 23 22:00:01 foo named[18476]: exiting (due to assertion failure) I posted about it once before. I understand that this is caused by a failure in xmlTextWriterEndElement() which should normally succeed. It was suggested last time that this could be caused by a memory allocation failure and it was suggested that as a work around I suppress memory usage using max-cache-size. I went ahead and limited it to 130Meg and have been monitoring since. I've never seen the memory footprint for bind go up beyond a few hundred Meg on a system with 2Gig of ram so I'm thinking that memory allocation may not be the problem. Can you try the patch copied below? It will make allow named to log libxml internal errors. Hopefully this will provide some hints about what happened. The patch also does libxml2 initialization at the named's own initialization step. Most of our use of libxml2 should be thread-safe, but some of the initialization steps (which are currently triggered first time statistics is dump) could cause a race. If this is the case, it may fix the crash as well. I actually doubt that, but if that is the case, please also try removing the following line in the patch: xmlInitParser(); to see whether you can reproduce it again. Thanks, --- JINMEI, Tatuya Internet Systems Consortium, Inc. Index: statschannel.c === RCS file: /proj/cvs/prod/bind9/bin/named/statschannel.c,v retrieving revision 1.2.2.13.2.1 diff -u -r1.2.2.13.2.1 statschannel.c --- statschannel.c 18 Dec 2008 02:39:12 - 1.2.2.13.2.1 +++ statschannel.c 25 Feb 2009 04:14:21 - 
@@ -109,10 +109,58 @@ #endif } +#ifdef HAVE_LIBXML2 +static void +error_libxml2(void *ctx, xmlErrorPtr error) { + xmlParserCtxtPtr pctx; + ns_server_t *server = ctx; + char *msg, *cp; + + REQUIRE(server != NULL); + REQUIRE(error != NULL); + + /* +* Save the error code, if available, so that it can be used in the main +* code. No lock is necessary here. +*/ + pctx = error-ctxt; + if (pctx != NULL pctx-myDoc != NULL + pctx-myDoc-_private != NULL) { + *(int *)pctx-myDoc-_private = error-code; + } + + /* +* Log the error message. Since some libxml2 error messages are +* terminated with a CR, we make a local copy to remove it. This is +* expensive, but should be okay as we don't expect to see libxml2 +* errors so often. +*/ + if (error-message != NULL) { + msg = isc_mem_strdup(server-mctx, error-message); + if (msg == NULL) + return; + cp = strchr(msg, '\n'); + if (cp != NULL) + *cp = '\0'; + + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + libxml2 Error: %s, msg); + + isc_mem_free(server-mctx, msg); + } +} +#endif + static void init_desc(void) { int i; +#ifdef HAVE_LIBXML2 + xmlSetStructuredErrorFunc(ns_g_server, error_libxml2); + xmlInitParser(); +#endif + /* Initialize name server statistics */ memset(nsstats_desc, 0, dns_nsstatscounter_max * sizeof(nsstats_desc[0])); ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
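Review bot: In error_libxml2(), the "if (msg == NULL) return;" after isc_mem_strdup() drops the libxml2 error without logging anything, and an allocation failure is one of the causes this patch is meant to help diagnose. Consider logging without making a copy (for example by giving %s a precision that excludes the trailing newline), or at least logging the error code before returning. Two smaller points in the same function: the comment says messages are terminated with a CR while the code strips '\n', so one of the two should be corrected; and the message is written at ISC_LOG_INFO, so a channel configured with a stricter severity will not show it, which a level matching an error would avoid.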
Re: isc_socket_create: fcntl/reserved: Too many open file
At Thu, 19 Feb 2009 23:29:44 +0530, kamal pandy kmlpa...@gmail.com wrote:

> I am running ISC-9.3.5P1 on my HP-UX-IA machine, and I am seeing this message isc_socket_create: fcntl/reserved: Too many open files in syslog.

(I've sent the same (but a bit more detailed) response to bind9-bugs)

Please upgrade to 9.3.6.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: ResendRE: ns_type question
At Sun, 15 Feb 2009 00:34:38 -0800, Jack Tavares j.tava...@f5.com wrote:

> Any suggestions on this?

[snip]

> I have downloaded libbind6.0b1
> My question is; the arpa/nameser.h file included does not include type definitions for DNSKEY (or other dnssec rr types) in the ns_type enum. am I looking in the wrong place?

No, you're looking at the right place, and libbind isn't supposed to provide any new feature regarding the new DNSSEC spec.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Disable cache in bind 9.6
At Wed, 04 Feb 2009 11:51:10 +0300, Dmitry Rybin kirg...@corbina.net wrote:

>>> max-cache-size 800M;
>> It's way too much, if this applies to all of the 50 views.
> Oh! I decrease memory to 16Mb.

Okay, and according to this:

: Started at Feb 3 00:51 (Now Feb 4 11:15:37) MSK
: Startup mem: 890M
: Cur. memory usage: 2534M

the additional memory needed while running is 1644M (2534 - 890), 32.88M per view (if the #of view is 50). This seems to be a possible situation, considering other memory overhead per view. If the memory footprint is now stabilized at that point, I guess you're fine with that, right? (and you could increase max-cache-size to, e.g., 64M).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind-9.5.1 logging
At Wed, 4 Feb 2009 12:53:20 -0500, Peter Fraser petros.fra...@gmail.com wrote:

> Ok thanks, I did see that file and I did post some of the output. So what else do I need to do to get say query or security logs into the files I have specified?

Regarding query logs, you need to configure it explicitly. Example:

    channel querylog {
        file "./named-query.log" versions 5 size 10M;
        print-severity yes;
        print-time yes;
    };
    category queries { querylog; };

Regarding security logs, your configuration looks fine:

>         file "/etc/namedb/dns-security.log";
>         severity info;
>     };
>     category security { myfile-security; };

(of course, as long as the named process has a permission to write to this file). If you don't see a message, it should mean there's no event at the severity of info or higher.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Bind-9.5.1 logging
At Fri, 30 Jan 2009 22:06:57 -0500, Peter Fraser petros.fra...@gmail.com wrote:

> I'm trying to configure bind-9.5 logging to help troubleshoot a problem. I put this in named.conf
>
> logging {
>     channel myfile {
>         file "/etc/namedb/dns.log";
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel myfile-security {
>         file "/etc/namedb/dns-security.log";
>         severity info;
>     };
>     category update { myfile; };
>     category security { myfile-security; };
> };
>
> I then run rndc trace, but the log files stay empty. What could I be doing wrong?

'rndc trace' only affects debug logs. There should be a file named 'named.run' on the working directory, and you'll find noisy output there by issuing 'rndc trace'.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Is per view logging possible with bind?
At Sat, 31 Jan 2009 08:31:35 -0500 (EST), Justin Piszcz jpis...@lucidpixels.com wrote:

> I have multiple views:
> internal
> external
> localhost
>
> Is it possible instead of seeing this in the logs:

It's impossible if my understanding of the implementation is correct.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Upgrade 9.5.1-P1 to 9.6.0.P1 question
At Mon, 2 Feb 2009 12:34:06 -0800 (PST), Terpasaur emery.rudo...@gmail.com wrote:

> I successfully and effortlessly upgraded two Bind servers running 9.5.1-P2 directly to 9.6.0-P1, simply by running
>
> ./configure
> make
> make install
>
> Although this worked just fine, I am now planning to perform the same procedure one of my production servers which is running 9.5.1-P1, and wanted to know if there were any problems going this route instead of a full uninstall/install process?

It (=overriding by make install) should normally work well.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Is per view logging possible with bind?
At Mon, 2 Feb 2009 15:13:54 -0800 (PST), Gregory Hicks ghi...@hicks-net.net wrote:

>>> Is it possible instead of seeing this in the logs:
>> It's impossible if my understanding of the implementation is correct.
> I may have mis-understood here, but I have TWO views and get logging by view, thusly:

I probably cut too much of the original post, but my understanding is the OP wanted this:

02-Feb-2009 07:04:42.544 queries: info: client 127.0.0.1#41764: view trusted: query: 137.139.188.205.in-addr.arpa IN PTR +

to go to one log file, say named-trusted.queries and this one:

02-Feb-2009 07:05:18.297 queries: info: client 65.98.93.197#53: view external: query: metis.hicks-net.net IN MX -ED

to another, such as named-external.queries, which I said was impossible.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
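Because named writes every view's queries to the same channel, the per-view files discussed in this message can only be produced by splitting the combined log afterwards. The following is an added example, not part of the original thread or of BIND: it parses the query-log line format quoted above and writes files named as in the message (named-trusted.queries, named-external.queries). The function names are hypothetical and the third sample line is constructed.

```python
import os
import re
from collections import defaultdict

# Query-log line layout as quoted in the thread (print-time enabled).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"queries: (?P<severity>\w+): "
    r"client (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>[^:]+): )?"          # absent when no views are configured
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)

SAMPLE = [
    # The first two lines are the ones quoted in the thread.
    "02-Feb-2009 07:04:42.544 queries: info: client 127.0.0.1#41764: "
    "view trusted: query: 137.139.188.205.in-addr.arpa IN PTR +",
    "02-Feb-2009 07:05:18.297 queries: info: client 65.98.93.197#53: "
    "view external: query: metis.hicks-net.net IN MX -ED",
    # Constructed non-query line, to show how unmatched input is handled.
    "02-Feb-2009 07:06:00.000 general: info: constructed non-query message",
]

def parse_line(line):
    """Return the fields of one query-log line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["view"] = rec["view"] or "_default"
    return rec

def split_by_view(lines):
    """Group raw lines by view; lines that do not parse go to '_unparsed'."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        buckets[rec["view"] if rec else "_unparsed"].append(line.rstrip("\n"))
    return dict(buckets)

def write_per_view(buckets, outdir):
    """Append each bucket to <outdir>/named-<view>.queries; return the paths."""
    paths = {}
    for view, lines in buckets.items():
        # View names come from named.conf; keep them from altering the path.
        safe = re.sub(r"[^A-Za-z0-9_.-]", "_", view)
        paths[view] = os.path.join(outdir, "named-" + safe + ".queries")
        with open(paths[view], "a", encoding="utf-8") as fh:
            fh.writelines(l + "\n" for l in lines)
    return paths
```

Lines that do not match are kept under `_unparsed` rather than dropped, so a format change in a later BIND version shows up as a growing file instead of silently missing entries.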
Re: referral doubt
At Thu, 29 Jan 2009 15:39:01 +, Luis Silva luisfilsi...@gmail.com wrote: I have a question related with the contacting external servers. If my server receives an referral answer from an external server with 3 NS records but just 1 A additional record, what is the normal behaviour? is the server supposed to resolve all 3 nameservers or continues with the iterative process contacting the server that have the additional A record. I don't know what's normal, but BIND9 should continue with the process with the server that has an address (while trying to resolve addresses of other NSes). For example: Trying to resolve www.testing.server.com When contacting server.com nameserver I receive in the answer 3 NS and 1 A Additional record: testing.server.com NS ns1.testing.server.com testing.server.com NS ns2.testing.server.com testing.server.com NS ns3.testing.server.com ns1.testing.server.com A 192.123.123.23 In this case BIND9 should immediately send a subsequent query to 192.123.123.23. --- JINMEI, Tatuya Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9 query logging
At Thu, 29 Jan 2009 14:33:31 -0500, cod3fr3ak rvc.pobox+unixli...@gmail.com wrote:

> channel query_log {
>     file "/var/adm/dns-logs/dns_query.log" versions 7 size 2G;
>     severity debug 3;
>     print-category yes;
>     print-severity yes;
>     print-time yes;
> };
>
> According to the O'Reilly book DNS and Bind (4th Edition) and the Bind 9 web docs the configuration above should log both the requested query and the response. Currently all I get back is the query:

What exactly do you mean by 'BIND 9 web doc', and which specific part of it are you referring to? Whatever the docs or books say, the fact is that BIND9 doesn't log replies.

BTW, next version(s) of BIND9 (at least 9.7, perhaps next minor versions of current releases) will have the ability to log query errors, which include logs about responses indicating an error (such as NXDOMAINs or SERVFAILs). So, if you're particularly interested in such unusual responses, you'll probably be happy with that.

We previously discussed in this mailing list whether we want to have the ability of logging any responses. Opinions varied: some said that would be great, others said don't complicate the implementation any more, and let packet capture tools do the job. I see the point of both sides, and at the moment we're simply keeping the current behavior (i.e, not logging responses).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Disable cache in bind 9.6
At Thu, 22 Jan 2009 09:12:11 +0300, Dmitry Rybin kirg...@corbina.net wrote:

>> +50 views of zone data + memory for 10 clients + You have a 32bit build which will give a maximum of 2G data. You are just trying to cram too much into too small a place.
> OK. May be you can give any recommendation?

As Mark said, having 50 views, each of which contains non-negligible amount of cache, is an excessive condition. Also, since the matching view is identified by linear search for every query, it may also impact your query processing performance. So, you'd primarily consider reducing the number of views anyway.

Still, I noticed cache management may not work well (even with a single view) especially when it's multi-threaded and configured with a small max-cache-size such as 16MB. (It's ironical that using a small max-cache-size could hinder cache cleaning, resulting in larger memory footprints). I'm developing a fix to this problem. Can you try the patch available at:

http://www.jinmei.org/patch/bind9-lrucache.diff

(should be cleanly applicable to 9.6). and let me know if it mitigates the problem?

Other recommendations:

- I previously suggested using a separate cache-only view and forward all recursive queries to that view. Have you tried that? If you have, didn't it work as I hoped?
- BIND 9.7 will have a new option attach-cache exactly for such an extraordinary operational environment as yours: it allows multiple views to share a single cache to save memory.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.