Re: Recursive bind becomes unresponsive with high load

2016-03-31 Thread Mike Hoskins (michoski)
If you are crawling lots of new names, the cache size won't have much
impact.  Each new query will require recursing vs hitting the cache.  Try
"rndc recursing" and look at what you have sitting around waiting for
answers.  Hopefully that provides some clues.  This can be all sorts of
things like unresponsive auth servers, network issues, firewalls munging
EDNS, etc causing the recursive client backlog.


On 3/31/16, 11:57 AM, "bind-users-boun...@lists.isc.org on behalf of
Michael Brunnbauer"  wrote:

>
>hi all,
>
>I am using bind on a server that does massive crawling with a multithreaded
>Java app. This server occasionally has to do lookups for hosts in our local
>zone netestate.de - for which it is not authoritative - and those lookups tend
>to fail when the load is high (e.g. >1000 recursing clients). This suggests
>some kind of congestion.
>
>I have verified that the authoritative name servers for our local zone are not
>hammered with requests from the bind instance in question (adding . to every
>hostname is important :-) I also have verified that lookups from the crawlers
>for the local zone on the lo interface are not excessive. The problem occurs
>even before max-cache-size is reached.
>
>Here is my setup:
>
>max-cache-size 1610612736;
>recursive-clients 6000;
>minimal-responses yes;
>
>Mar 31 14:04:51 bardolino named[1506]: starting BIND 9.10.3-P2 -t /etc/namedroot -u named
>Mar 31 14:04:51 bardolino named[1506]: built with '--prefix=/usr/local/bind' '--with-openssl=/usr/lib/ssl' '--enable-threads' '--with-tuning=large'
>Mar 31 14:04:51 bardolino named[1506]:
>Mar 31 14:04:51 bardolino named[1506]: BIND 9 is maintained by Internet Systems Consortium,
>Mar 31 14:04:51 bardolino named[1506]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>Mar 31 14:04:51 bardolino named[1506]: corporation.  Support and training for BIND 9 are
>Mar 31 14:04:51 bardolino named[1506]: available at https://www.isc.org/support
>Mar 31 14:04:51 bardolino named[1506]:
>Mar 31 14:04:51 bardolino named[1506]: adjusted limit on open files from 65536 to 1048576
>Mar 31 14:04:51 bardolino named[1506]: found 4 CPUs, using 4 worker threads
>Mar 31 14:04:51 bardolino named[1506]: using 2 UDP listeners per interface
>Mar 31 14:04:51 bardolino named[1506]: using up to 21000 sockets
>
>/etc/resolv.conf:
>
> domain netestate.de
> nameserver 127.0.0.1
> options timeout:10 attempts:1
>
>The problem also occurs with unchanged options (timeout:5 attempts:2).
>
>I can control the number of DNS-threads of my crawling app and have tested it
>with up to ca. 3500 recursing clients which results in a number of queries/s
>of the same magnitude. With that setup, lookup errors for the local zone
>occur very often (the TTL for the local zone is 10 minutes).
>
>I would be grateful for advice on where to search or what to adjust.
>
>Here is a statistics dump while running with ca. 1000 recursing clients. A
>high number of failing queries may be natural - we have a high number of
>chinese link farms in our database.
>
>+++ Statistics Dump +++ (1459439461)
>++ Incoming Requests ++
> 7329332 QUERY
>++ Incoming Queries ++
> 7261964 A
>1357 NS
>   4 CNAME
> 635 PTR
>   7 MX
>   65365 
>++ Outgoing Queries ++
>[View: default]
>15552970 A
>2022 NS
>  78 CNAME
>  30 PTR
>   7 MX
>   28796 
>[View: _bind]
>++ Name Server Statistics ++
> 7329332 IPv4 requests received
>  192360 requests with EDNS(0) received
>   4 TCP requests received
> 605 auth queries rejected
>   1 recursive queries rejected
> 7327981 responses sent
>   5 truncated responses sent
>  192358 responses with EDNS(0) sent
> 6063138 queries resulted in successful answer
> 6386951 queries resulted in non authoritative answer
>  115630 queries resulted in nxrrset
>  940424 queries resulted in SERVFAIL
>  208183 queries resulted in NXDOMAIN
> 6756330 queries caused recursion
>   3 duplicate queries received
> 348 queries dropped
> 606 other query failures
>1000 recursing clients
> 7328722 UDP queries received
>   4 TCP queries received
>++ Zone Maintenance Statistics ++
>++ Resolver Statistics ++
>[Common]
>  33 mismatch responses received
> 999 UDP queries in progress
>   1 TCP queries in progress
>[View: default]
>15583903 IPv4 queries sent
> 6182728 IPv4 responses 
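
To make the "look at what you have sitting around waiting for answers" advice concrete, here is an added example (not code from either poster) that parses a statistics dump in the layout quoted above and derives the ratios a resolver operator checks first: the SERVFAIL share of answers sent, how many of the resolver's own upstream queries ever got a response, and how close the recursing-client backlog is to the recursive-clients limit. The dump embedded in it is a constructed excerpt using the counters from the post; the thresholds, the function names and the treatment of "mismatch responses" as worth a look are assumptions.

```python
"""Parse a BIND 9 statistics dump ('rndc stats' / named.stats layout as
quoted in the thread) and flag the symptoms of a recursion backlog.
Added example, not code from the original posters.  The thresholds in
assess() are assumptions to tune per site, not ISC guidance."""
import re

# Constructed excerpt in the same layout as the dump in the thread.
SAMPLE_DUMP = """\
+++ Statistics Dump +++ (1459439461)
++ Incoming Requests ++
                 7329332 QUERY
++ Name Server Statistics ++
                 7329332 IPv4 requests received
                 7327981 responses sent
                 6063138 queries resulted in successful answer
                  940424 queries resulted in SERVFAIL
                  208183 queries resulted in NXDOMAIN
                 6756330 queries caused recursion
                     348 queries dropped
                    1000 recursing clients
++ Resolver Statistics ++
[Common]
                      33 mismatch responses received
                     999 UDP queries in progress
                       1 TCP queries in progress
[View: default]
                15583903 IPv4 queries sent
                 6182728 IPv4 responses received
--- Statistics Dump --- (1459439461)
"""

COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_stats(text):
    """Return {(section, view): {counter name: value}}.

    Sections are the '++ ... ++' headers; '[Common]' / '[View: x]' lines
    select a sub-block within a section ('' when there is none)."""
    stats = {}
    section, view = None, ""
    for line in text.splitlines():
        if line.startswith("++ "):
            section, view = line.strip("+ "), ""
        elif line.startswith("[") and line.endswith("]"):
            view = line[1:-1]
        elif line.startswith("+++") or line.startswith("---"):
            continue  # dump delimiters carry only the timestamp
        elif section is not None:
            m = COUNTER.match(line)
            if m:
                stats.setdefault((section, view), {})[m.group(2)] = int(m.group(1))
    return stats


def assess(stats, recursive_clients_limit, servfail_ratio_max=0.05,
           upstream_response_min=0.75, backlog_fraction_max=0.8):
    """Derive the ratios worth checking first and return them with a list
    of human-readable findings (threshold defaults are assumptions)."""
    ns = stats.get(("Name Server Statistics", ""), {})
    res = stats.get(("Resolver Statistics", "Common"), {})
    views = [v for (s, v) in stats if s == "Resolver Statistics" and v.startswith("View: ")]
    sent = sum(stats[("Resolver Statistics", v)].get("IPv4 queries sent", 0) for v in views)
    got = sum(stats[("Resolver Statistics", v)].get("IPv4 responses received", 0) for v in views)

    recursing = ns.get("recursing clients", 0)
    responses = ns.get("responses sent", 0)
    servfail = ns.get("queries resulted in SERVFAIL", 0)
    servfail_ratio = servfail / responses if responses else 0.0
    upstream_ratio = got / sent if sent else 1.0
    in_progress = res.get("UDP queries in progress", 0) + res.get("TCP queries in progress", 0)

    findings = []
    if recursive_clients_limit and recursing >= backlog_fraction_max * recursive_clients_limit:
        findings.append(f"recursing clients {recursing} is at "
                        f"{recursing / recursive_clients_limit:.0%} of recursive-clients "
                        f"{recursive_clients_limit}; named will start dropping the oldest")
    if servfail_ratio > servfail_ratio_max:
        findings.append(f"SERVFAIL ratio {servfail_ratio:.1%} exceeds {servfail_ratio_max:.0%}")
    if upstream_ratio < upstream_response_min:
        findings.append(f"only {upstream_ratio:.0%} of upstream queries got a response; suspect "
                        "unresponsive authoritative servers, EDNS/fragment filtering or a firewall")
    if res.get("mismatch responses received", 0):
        findings.append(f"{res['mismatch responses received']} responses matched no outstanding "
                        "query: late replies, or someone spoofing answers at your source ports")
    return {
        "recursing_clients": recursing,
        "queries_in_progress": in_progress,
        "servfail_ratio": servfail_ratio,
        "upstream_response_ratio": upstream_ratio,
        "findings": findings,
    }


if __name__ == "__main__":
    for f in assess(parse_stats(SAMPLE_DUMP), recursive_clients_limit=6000)["findings"]:
        print("-", f)
```

Run it against a real dump with `rndc stats` and `parse_stats(open("named.stats").read())`. On the counters from the post it reports that about 13% of answers were SERVFAIL and that only about 40% of the resolver's upstream queries ever got a response, which points at the path to the authoritative servers rather than at cache size, exactly the direction the reply above suggests.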

Re: DNS Server goofiness

2016-02-04 Thread Mike Hoskins (michoski)
Do you really want to return RFC1918 to the Internet?  Not the end of the 
world, but some consider it unnecessary information disclosure.  :-)

I've seen this on various WAN/fw/router used at home over the years (arris, 
cisco, linksys, etc) and unlike the commands Reindl shared which are geared 
more toward SOHO/enterprise (e.g. IOS) you might need to look around your 
"gateway" settings.  This can have various names, but is usually a check-box 
under lan/wan/firewall/advanced settings vs basic setup.  Hopefully you can 
find something there which will be obvious (googling for the manual for your 
exact device should help).

hth

From: David Hornsby
Date: Thursday, February 4, 2016 at 3:29 PM
To: bind-users@lists.isc.org
Subject: DNS Server goofiness

I am having an issue with an authoritative dns server that sits behind a nat. I 
have replicated this problem on two different servers on different versions of 
bind which is why I am now perplexed. In the zone file the LAN address of the 
server has an A record. When the server is queried directly from the LAN, the 
server replies with its LAN address. Just as expected. However when the record 
is queried from through the fw the server replies with its public ip address. 
Which I can only guess it's getting by doing a reverse on the NS record that 
pointed it there in the first place??? This only happens on the record with an 
IP address which matches the server's lan address.

$nslookup dc01 192.168.1.254
Server: 192.168.1.254
Address: 192.168.1.254#53

Name: dc01.home.carolinaky.com
Address: 192.168.1.254

$ nslookup dc01 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: dc01.home.carolinaky.com
Address: 69.133.101.121

I'm confused.

Thanks,
David
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
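
The pattern David describes (the one record whose address matches the server's own inside address comes back with the public address when queried through the firewall) is what a DNS ALG on a NAT device produces: it rewrites A-record RDATA in transit, so the server is not answering differently at all. The following added example, which is not code from the original thread, builds two constructed responses in DNS wire format standing in for the two nslookup results above and parses them to list exactly which owner names differ between the vantage points. Function names, the transaction id and the TTL are assumptions.

```python
"""Detect a NAT device rewriting A records in transit (often sold as a
DNS ALG or "DNS doctoring" feature).  Added example, not code from the
original poster: the two packets below are constructed DNS responses
standing in for what the LAN server answers and what arrives through
the firewall."""
import struct


def encode_name(name):
    """Encode 'a.b.c' as DNS labels terminated by the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname, ip, txid=0x1234, ttl=600):
    """Constructed answer: one question, one A record whose owner name is
    a compression pointer (0xC00C) back to the question, as servers emit."""
    header = struct.pack("!6H", txid, 0x8580, 1, 1, 0, 0)  # QR|AA|RD|RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(pkt, off, max_hops=16):
    """Decode a possibly compressed name at pkt[off:]; return (name, next)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:      # compression pointer
            hops += 1
            if hops > max_hops:          # a forged packet can loop pointers
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2            # resume after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def a_records(pkt):
    """Return {owner name: [dotted IPv4, ...]} from the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4                         # qtype + qclass
    out = {}
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            out.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return out


def detect_doctoring(lan_pkt, wan_pkt):
    """List (name, lan_ips, wan_ips) for every owner whose A answer differs
    between the two vantage points; an empty list means nothing was rewritten."""
    lan, wan = a_records(lan_pkt), a_records(wan_pkt)
    return [(n, lan.get(n), wan.get(n))
            for n in sorted(set(lan) | set(wan)) if lan.get(n) != wan.get(n)]


# Constructed packets reproducing the symptom in the post.
LAN_VIEW = build_response("dc01.home.carolinaky.com", "192.168.1.254")
WAN_VIEW = build_response("dc01.home.carolinaky.com", "69.133.101.121")

if __name__ == "__main__":
    for name, inside, outside in detect_doctoring(LAN_VIEW, WAN_VIEW):
        print(f"{name}: LAN answer {inside}, answer through the NAT {outside}")
```

To check a live setup, capture the same query from inside and from outside (for example `tcpdump -w` on the server and on an external host, or a raw UDP socket sending the query both ways) and feed the two response payloads to `detect_doctoring`; if only the record matching the NAT inside address differs, the gateway's DNS ALG is the culprit and disabling it (the "gateway" setting mentioned above) is the fix, not the zone file. The parser bounds compression-pointer hops because a malformed or hostile packet can otherwise loop a naive decoder forever.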

Re: What is the use of having a chroot path during installation of Bind

2016-01-14 Thread Mike Hoskins (michoski)
Yes you can run without the chroot.  Years ago it was considered best practice 
to chroot and most power users would have said you were insane not to do so.  
Now there are increasingly many who say it's not worth the effort (fairly easy 
to get around in many cases) -- do a bit of google engineering and you will see 
pros/cons.

If you are using packages from your distro (looks like it from the "el6" and 
ancient version) this will often just be pulled in by default.  If you build 
your own packages, use upstream repos, ISC packages or something like this:

http://www.five-ten-sg.com/mapper/bind

Then you can just install without the chroot.  Entirely up to you, BIND can 
work either way.  As I said, if you search a bit you'll find older "best 
practices" like these which suggest chroot (note the dates!):

https://www.cymru.com/Documents/secure-bind-template.html

https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html

Then increasing amounts of documentation saying it is largely irrelevant due to 
adding minimal value due to some known issues in the chroot mechanism itself, 
named -u, etc:

https://deepthought.isc.org/article/AA-00874/0

"""
If following the preceding advice (running BIND as an unprivileged user on a 
dedicated server) chrooting is "de-emphasized." Our operations experts feel 
that chrooting does not substantially improve security under those conditions 
and do not affirmatively recommend it, but they do not explicitly discourage it.
"""

From: Harshith Mulky
Date: Thursday, January 14, 2016 at 1:46 AM
To: bind-users@lists.isc.org
Subject: What is the use of having a chroot path during installation of Bind


Hello,

When installing bind, the following 2 are installed

bind-9.8.2-0.17.rc1.el6.x86_64
bind-chroot-9.8.2-0.17.rc1.el6.x86_64

What is the need of this bind-chroot?

I see all files in /var/named path are softlinks to /var/named/chroot/var/named

and

/etc/named.conf is softlink to /var/named/chroot/etc/named.conf

What is this chroot binding? And why is this chroot Binding Required?

Can the named server function without this chroot Binding?

Thanks

Harshith

Re: Bind9 on VMWare

2016-01-13 Thread Mike Hoskins (michoski)
On 1/13/16, 10:28 AM, "bind-users-boun...@lists.isc.org on behalf of
Reindl Harald"  wrote:


>
>
>On 13.01.2016 at 16:19, Lightner, Jeff wrote:
>> We chose to do BIND on physical for our externally authoritative
>>servers.
>>
>> We use Windows DNS for internal.
>>
>> One thing you should do if you're doing virtual is be sure you don't
>>have your guests running on the same node of a cluster.   If that node
>>fails your DNS is going down.   Ideally if you have multiple VMWare
>>clusters you'd put your guests on separate clusters.
>
>while for sure you should run them on different nodes (except for
>upgrades where you move them together to get one machine free of guests
>for a short timeframe) a VMware cluster which can be called so has a
>feature "VMware HA" which would start the VMs automatically on the other
>node after a short period of time (node exploded or isolated from the
>network for whatever reason)
>
>it would also restart a crashed guest automatically
>
>https://www.vmware.com/products/vsphere/features/high-availability
>
>one of the things which is much more harder to implement correctly with
>physical setups


I'll be the canary in the coal mine...  having gone down this road before,
I felt like dying as a result.

I've run several large DNS infras over the years.  Back in 2005/6 I
finally drank the koolaid and migrated a large caching infra
(authoritative was kept on bare metal) to VMWare+Linux.  It worked well
for awhile, and we did all the usual VMware BCPs (anti-affinity, full
redundancy across storage/multipathing, etc).  However, even with all the
OCD nits we picked, there were still edge cases that just never performed
as well (mostly high PPS) and misbehaviors stemming from VMWare or
supporting infrastructure.

After spending weeks tweaking every possible VMware setting, adding more
VMs spread across more hosts, backend network and storage upgrades, etc we
would still find or worse have end users report anomalies we hadn't seen
before on the physical infra.  I was devoted to making it work, and spent
a lot of time including nights and weekends scouring usenet groups,
talking to VMware support, etc.  It never got completely better.

Finally after babysitting that for a few years, we moved everything back
to bare metal in the name of "dependency reduction" -- we didn't want core
things like DNS relying on anything more than absolutely necessary (I'd
argue this is a sound engineering principle for any infrastructure admin
to fight for, despite the fact most pointy hairs will value cost savings
more and it flies in the face of NFV hotness).  Guess what?  No more
mystery behaviors, slow queries, etc.  Hmm.  Of course we still have
issues, but now they are much more concrete (traceable to a known bug or
other issue where the resolution is well understood).

This probably wouldn't be an issue in most environments...as I said we ran
virtual caches for years, and really only started seeing issues as clients
ramped.  However, is the cost savings really worth another complex
dependency (quite possibly relying on another team based on your org
structure), or risk you might have to back out some day as the size of
your environment increases?  Your call, but I've learned the hard way not
to virtualize core infrastructure functions just because a whitepaper or
exec says it should work.  I also learned not to trust my own testing...
because I spent a month with tools like dnsperf and real-world queryfiles
from our environments pounding on VMware+Linux+BIND and even though
testing didn't reveal any obvious problems, real world usage did.

Again it worked for awhile, I understand the many justifications, it could
make sense in some environments, the past is not necessarily the key to
the future, and I even have colleagues still doing this...  just had to
rant a bit since it has caused me much pain and suffering.  :-)



Re: Bind9 on VMWare

2016-01-13 Thread Mike Hoskins (michoski)
On 1/13/16, 4:02 PM, "bind-users-boun...@lists.isc.org on behalf of Reindl
Harald" wrote:


>On 13.01.2016 at 19:54, Mike Hoskins (michoski) wrote:
>> I've run several large DNS infras over the years.  Back in 2005/6 I
>> finally drank the koolaid and migrated a large caching infra
>> (authoritative was kept on bare metal) to VMWare+Linux
>
>I would be careful comparing 2005/2006 with now for a lot of reasons
>
>* before vSphere 5.0 VMkernel was a 32bit kernel while capable of
>   running 64 bit guests with 10 GB RAM but still a lot of magic
>
>* 2005/2006 a large part was binary translation while now
>   you need a x86_64 host with VT-support
>
>* in 2006 vmxnet3 was not available nor was it for a long time
>   included in the mainline linux kernel while now any paravirt
>   drivers are in the stock kernel


Agreed, that's what my "the past is not always the key to the future" quip
tried to express.

However, for the sake of posterity, during this and subsequent work I saw
similar issues with vmxnet3 which vmware professional services could never
fully explain.  Also ran on hosts with VT support, and tried many Linux
kernels including 3.x toward the end without complete improvement.  Note
that 2005/6 was the initial migration date, and actual operation continued
through 2012/13 for our larger environments, with some still operating
virtualized caches today (smaller environments which haven't had the same
issues).

So this is not an argument to never try virtualization by any means, and
in many cases it could work quite well (everything has pros/cons)...just a
place where I would be cautious in deployment and have a good rollback
plan.  Then again, as infrastructure operators that applies to pretty much
everything we do.  :-)



Re: Query on ignoring additional section returned in replies

2015-11-18 Thread Mike Hoskins (michoski)
On 11/18/15, 10:47 AM, "bind-users-boun...@lists.isc.org on behalf of
Barry Margolin"  wrote:


>In article ,
> Reindl Harald  wrote:
>
>> when a result looks like below it needs to be fixed and "Are there any
>> BIND specific workarounds?" is the wrong question because even if - the
>> domain owner is not in the position to place workarounds somewhere else
>
>While that's the pedantically correct answer, in practice it doesn't
>work well when your users complain "Google DNS deals with it, why don't
>you?" Your users don't care what happens to people somewhere else, they
>just want to get their work done.
>
>Google understands that there are lots of broken DNS configurations out
>there, but their users don't want to hear that it's someone else's fault.


Yes, exactly.  Having spent a few decades wearing the DNS admin hat in
environments with large user bases, I'd be rich if I had a few cents for
all the times I've spent "digging" around to prove it's not "our" problem
but modern users don't care when they can just use Google DNS and it works
magically.

"It's an upstream issue Google is just working around."

"OK, so why can't you?"

Following up with the remote admins to fix the issue is often a joke; this
isn't the early Internet where most people had a clue, cared, listened to
zone contact mailboxes, or were enabled to make timely changes (in all
fairness, with many orgs).  :-)

The upstream brokenness comes in various forms so there's no
one-size-fits-all, but for what it's worth to the OP some sites that gave
us issues in 9.9.x seem to work in 9.10.x after we explicitly changed
dnssec-validation to auto.  Can't fully explain that, but we literally had
queries running in a loop against google, 9.9.x and 9.10.x while we
twiddled different things and zones with upstream issues like this would
not resolve via 9.9.x but started working fine with 9.10.x.



Re: Query on ignoring additional section returned in replies

2015-11-18 Thread Mike Hoskins (michoski)
On 11/18/15, 1:19 PM, "bind-users-boun...@lists.isc.org on behalf of Carl
Byington"  wrote:


>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>On Wed, 2015-11-18 at 10:47 -0500, Barry Margolin wrote:
>> While that's the pedantically correct answer, in practice it doesn't
>> work well when your users complain "Google DNS deals with it, why
>> don't you?" Your users don't care what happens to people somewhere
>> else, they just want to get their work done.
>
>zone "fis.com.my" {
>  type forward;
>  forwarders { 8.8.8.8; };
>};


Makes me laugh (and cry), but have done exactly this...  However, I
considered it an ugly hack vs real solution.  Glad to know the ugly hack
is at least used elsewhere.  :-)



Re: Installing bind is not very clear for me

2015-09-04 Thread Mike Hoskins (michoski)
On 9/4/15, 1:12 PM, "bind-users-boun...@lists.isc.org on behalf of
/dev/rob0" 
wrote:


>On Thu, Sep 03, 2015 at 11:02:23PM +0200, Reindl Harald wrote:
>> On 03.09.2015 at 22:59, Robert Moskowitz wrote:
>> >On 09/03/2015 04:35 PM, Leandro wrote:
>> >>Ok ...
>> >>I got BIND 9.10.2-P3  working.
>> >>I compiled with
>> >>
>> >>./configure --with-openssl --enable-threads --with-libxml2
>> >>--with-libjson
>> >>make
>> >>make install
>> >>
>> >>Json statistics channel is working and chroot is not longer
>> >>mandatory.
>> >
>> >But do make sure you have selinux enforced.  Or run behind
>> >multiple firewalls...
>> 
>> behind *multiple firewalls* - ?!?! - oh come on and get serious
>> instead of promoting snake oil -
>
>I quite agree here.  Firewalls that attempt to filter DNS have
>terrible reputations for *breaking* DNS.  A single firewall is bad
>enough; multiple firewalls sounds like a disaster.


True, have fixed many of those over the years, though in fairness this is
often a matter of expecting to run a firewall (or anything) "out of box"
without understanding the config.  If that's the stance of the admin, you
likely have a lot more to worry about security-wise than named chroot.  :-)


>
>> typically BIND is *not* running as root and hence does not need
>> any special handling compared to any other network service
>
>I don't know if we can say what is "typical".  We can say, for
>running on Linux at least, that running as root is safe.  A
>compromised named would get root after having dropped superuser
>privileges, so it wouldn't be able to do much.


I probably misunderstand your response or am reading too much into the
wording.  Named doesn't run as root due to -u giving up permissions.  That
combined with the fact chroot itself has known shortcomings is why it's
fallen out of BCP amongst name server operators.  It's not that anyone
suggests the alternative to chroot is to just run as root.  You are still
running as a non-privileged user post-startup, and permissioning things
appropriately to minimize damage in the event of a compromise.


>Regardless, again I quite agree that special handling is not
>necessary.  Look at the various BIND9 security announcements over
>the years.  When have you seen one which involved a compromise of
>any kind?
>
>I cannot say with authority that BIND9 has never had a compromise,
>but I am confident in saying I have never seen one.


I appreciate the viewpoint, and I can even agree with it, but the past is
not necessarily a key to the future.  The reality is none of the nastiest
0-days were ever expected.  As a security professional you try to insulate
against potential risks, not just things you have already observed.  It's
up to each operator to determine appropriate cost/benefit, and this is not
an argument for chroot, but I do caution against an "I've never seen it
before so wouldn't worry about it" stance on security.



Re: Installing bind is not very clear for me

2015-09-04 Thread Mike Hoskins (michoski)
On 9/4/15, 9:29 PM, "bind-users-boun...@lists.isc.org on behalf of Noel
Butler"  wrote:


>On 05/09/2015 04:49, Reindl Harald wrote:
>
>> mostly people who are throwing as much as possible appliances and
>> firewalls in front of their machines doing that because missing
>> knowledge
>
>and falling for some salesman's BS, the moment they sniff you have no
>idea, they rub their hands together thinking how big their Christmas
>bonus will be, many moons ago an apprentice nearly fell for cisco's hype
>of their pix junk, I showed him how to use , hrmm ipchains I think was
>back then, did just as good job as any multi thousands dollars box of
>vendor crap would.


Actually, PIX had issues...  I can attest to that, having administered
several Cisco-based networks including PIX years before I was "a Cisco
person".  Having worked at some large NSPs I can also attest to similar
issues with just about every vendor who does or has existed over the past
couple decades.

That said, PIX was at least stateful (unlike ipchains, as you know that
was the big selling point of iptables), had HA before heartbeat was
popular (I was using clustered PIX at scale in late 90's, didn't really
trust heartbeat in production until 2006/7), was easy to tie into existing
AAA infra (also didn't really like the state of PAM back then)...  as it
is now, the best approach is really decided by your use cases.

Your call out that you should really know what you're doing before buying
anything or even getting paid to administer networks is spot on regardless
of what vendors are involved.  :-)



Re: Installing bind is not very clear for me

2015-09-03 Thread Mike Hoskins (michoski)
Few points for clarification:

With rhel/centos you're not getting the major version as reported.  You
need to look at the changelog for the package to see what fixes/features
have been backported.  That effort including associated QA is part of what
you're paying for with rhel or getting for free as part of centos.

If you need to build your own, there are community srpms for that so you
don't have to start from scratch.

http://www.five-ten-sg.com/mapper/bind

ISC themselves has moved away from chroot as an absolute best practice.
Critically think if it really makes sense for you.

https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html


On 9/3/15, 2:40 PM, "bind-users-boun...@lists.isc.org on behalf of Robert
Moskowitz"  wrote:

>
>
>On 09/03/2015 01:45 PM, Leandro wrote:
>> Dear All:
>> While installing bind still have not clear some issues:
>> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>>
>> My final goal is to get an updated and stable version and also use
>> json format for the statistics channel.
>>
>> 1) Some bind users recommended to get at least a 9.10 release but:
>> Using yum and repos, found that 9.8 is available for Centos 6.6.
>> Also , Centos recommend not to build from source when possible.
>>
>> 2)Building bind 9.10 from source is not complicated but:
>> Could not install on chroot.
>> Could not get the json or xml statistics , only html.
>
>If you need 9.10 for json, and you want to stay with Centos, you WILL be
>doing your own builds.  I am working with C7 and it is 'only' 9.9.4 (or
>at least that is what dig is reporting).
>
>There are a lot of fun debates that if you are using selinux on Centos,
>you do not need chroot.  In fact chroot introduces its own set of
>challenges.  I tend to believe this, though it was years ago that I went
>through the arguments.
>
>There are people on the Centos list that build their own bind.  Ask over
>there.
>
>>
>>
>> Any ideas ?
>> Is it possible to update / add my repos to install a recent version with
>> json support and chrooted with:
>> If not, is it possible to build from source in a chrooted environment?
>> Any doc ?
>>
>> btw: Server is not in production yet.
>>
>> Thanks!!
>> Leandro.
>>



Re: file descriptor exceeds limit

2015-06-19 Thread Mike Hoskins (michoski)
On 6/19/15, 4:07 PM, "bind-users-boun...@lists.isc.org on behalf of
/dev/rob0" wrote:


>On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:
>> On Thu, Jun 18, 2015 at 11:11:16PM +,
>> Mike Hoskins (michoski) wrote:
>> snip
>> Note that connection tracking can be a problem upstream as well,
>> for the same reasons as described in the article.  I would still
>> turn off conntrack for UDP DNS upstream, unless you're using DNAT
>> (yuck.)
>
>Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're
>using Linux on your upstream routers. :)
>
>The same idea applies regardless of implementation, of course.


Quite alright...  In past lives yes, and perhaps even internally at times
(more often OpenBSD and pf)...though I won't admit that.  ;-D

Regardless, all input is welcome.  I'll check out the KB article.  I have
sat for hours with the network team making sure their gear isn't
touching my DNS packets in any perverted ways, but it's always good to
triple check.

Thanks!



Re: file descriptor exceeds limit

2015-06-19 Thread Mike Hoskins (michoski)
On 6/19/15, 1:16 PM, "bind-users-boun...@lists.isc.org on behalf of Reindl
Harald" wrote:


>On 19.06.2015 at 18:44, Mike Hoskins (michoski) wrote:
>> I suppose the only way to avoid any intermediate firewalls would be to
>> place everything you run on a LAN segment hanging directly off your
>> router/Internet drop with host based firewalls
>
>well, if the router is from Cisco and has NAT enabled there are DNS
>ALGs breaking zone-transfers in several ways; been there, done that
>until we forced the ISP to never ever ship a default Cisco device to us


Over the years I've learned that trusting defaults is rarely sane,
regardless of vendor.

Having been involved in many discussions related to this sort of
thing...I've sadly also learned that, much like BCP38, things which seem
simple to fix from the outside often aren't.  :-)



Re: file descriptor exceeds limit

2015-06-18 Thread Mike Hoskins (michoski)
On 6/18/15, 7:09 PM, Stuart Browne stuart.bro...@bomboratech.com.au
wrote:


>Just wondering.  You mention you're using RHEL6; are you also getting
>messages in 'dmesg' about connection tracking tables being full?  You may
>need some 'NOTRACK' rules in your iptables.

Just following along, for the record...  On our side, iptables is
completely disabled.  We do that sort of thing upstream on dedicated
firewalls.  Just now getting time to reply to Cathy...more detail on that
there.



Re: file descriptor exceeds limit

2015-06-18 Thread Mike Hoskins (michoski)
Inline...

On 6/18/15, 9:22 AM, Cathy Almond cat...@isc.org wrote:


>On 18/06/2015 12:00, Matus UHLAR - fantomas wrote:
>> On 17.06.15 22:39, Shawn Zhou wrote:
>>> BIND on my resolvers reaches the max open file limit and I am getting
>>> lots of SERVFAILs
>>> http://pastebin.com/SxRsHLff
>>>
>>> After I increased the max-socks (-s 8192) to 8192, I no longer saw the
>>> file limit error from the log anymore; however, I am still seeing many
>>> SERVFAILs.
>>
>> no other errors?
>>
>>> Our resolvers were doing about 15k queries per second when this was
>>> happening and those were legit traffic.  I am aware that I am setting
>>> recursive clients to a very high number.  Those resolvers are running on
>>> 12-core CPU and 24G RAM hardware.  CPU utilization was at about 20% and
>>> plenty of RAM left.
>>>
>>> I am wondering if I've reached the limit of BIND for the amount of
>>> recursive queries it can serve.  Any other tunings I should try?
>>
>> maybe changing number of recursive-clients, max-clients-per-query.
>>
>> Does EDNS work for you? EDNS problems often result in an increased number
>> of TCP queries which slows down resolution ...
>>
>>> By the way, the resolvers are running RHEL 6.x.
>>
>> precise BIND version would help a bit more... seems RH6.6 contains 9.8.2
>> but that may be different for older RH6 versions.
>
>Unless you're running a build with --with-tuning=large (for which there
>are a number of caveats around the capacity of the machine etc..), then
>you don't really want to have a backlog of recursive clients that
>exceeds 3000-3500.  If you're getting that many in your backlog, then as
>already highlighted to you, there is Something Wrong going on.


We're running --with-tuning=large, but I think we are OK (128GB RAM, 32
cores).  If there are other caveats to be aware of, please share.

For years I kept recursive clients conservatively set (based on some of
your docs, and community comments).  I finally raised it much higher just
to see what would happen (after having to repeatedly explain why blindly
increasing that number wasn't a good thing), and it had no effect one way
or another.  Still got the servfails.

We are in a somewhat unique situation, because we have batch type jobs
generating rules/etc which often purposefully crawl the bad parts of the
'Net and in turn generate DNS requests for things which legitimately
return servfail.  However, we were getting increasingly consistent
complaints from users about seeing servfails where they weren't expected.
The biggest thing which helped for us was increasing
DISC_SOCKET_MAXEVENTS.  We're still digging to see if the remaining
servfail reports are genuinely something we can tune around, or a symptom
of the use case.


You're probably running into other resource limits that are causing the
SERVFAIL responses you're still seeing despite increasing the maximum
number of sockets that named can use.  I would tune the limit down to
3000 and allow named to drop the oldest outstanding client queries when
new ones need to be processed.


I'm going to crank this back down in our environments.


There is another logging category you can use (query-errors) that can
tell you more, but it's probably not worth it in this instance.

And I have another suggestion for what might be causing your backlog
(apart from problems in the network path between your servers and the
Internet authoritative servers), for which we have some
soon-to-be-released new mitigation features (in 9.10.3):

https://kb.isc.org/article/AA-01178

(this will be updated to reflect the features we will actually include
in the upcoming release - but they're essentially going to be
fetches-per-server and fetches-per-zone along with improved
logging/stats for both of those)

There's going to be a webinar about both the problem and the mitigations
on July 8th:

https://www.facebook.com/events/100311766979499/

http://goo.gl/Z8idQf


Looking forward to this.  We've been sticking to 9.9.x (currently running
9.9.7) as an ESV release, but maybe 9.10 makes sense.  Not sure how the
community feels about that?

For the record I've spent a lot of time with our network team looking at
firewall logs, getting packet traces, etc and not found any smoking guns.
We have a perhaps not so unique setup where the caches are in a DMZ, so
clients talk through a firewall, and the DNS servers talk through a
firewall.  I've identified and fixed a number of issues along the
way...enumerating here in case it helps anyone else.

The internal firewall was oversubscribed, and at peak times would reset
connections causing clients to retry which quickly wound up recursive
clients.  Replaced those firewalls, and that specific behavior got a lot
better.

The external firewall was sharing a PAT for all caches, which eventually
exhausted 65k ports.  Can't drop these direct on the 'Net for security
reasons, but now have 1-to-1 NAT per cache and haven't seen this exact
behavior since.

We do still routinely see that at least some of these also don't resolve
manually from other 

Re: timeouts and negative caching

2015-06-11 Thread Mike Hoskins (michoski)
I'm not sure if BIND has a separate tunable for the timeout vs true
negative answer scenario you seem to describe, but have you tried setting
max-ncache-ttl very low to see if it affects this?


On 6/11/15, 9:27 AM, Gerd v. Egidy li...@egidy.de wrote:

Hi,

I've got a bind running as recursive resolver behind a thin internet line.
When the line is clogged, requests sometimes time out. When the dns client
retries the query, bind usually retries the request and eventually succeeds.
So far so good.

But now I sometimes see that bind does not retry immediately, but somehow
caches the error for up to 5 minutes (300 secs). The negative answer is then
given right away, without checking again if the remote server can be reached
now.

Here is an example:

 time dig www.strato.com
; <<>> DiG 9.9.3-P2-RedHat-9.9.3-2.P2.i2n <<>> @localhost www.strato.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43535
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.strato.de. IN  A

;; Query time: 4397 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 11 14:14:17 CEST 2015
;; MSG SIZE  rcvd: 42

real    0m0.007s
user    0m0.004s
sys     0m0.000s

When I look into the bind cache I see this:

 rndc dumpdb -all
 cat cache_dump.db
[...]
; authauthority
strato.de.      85530   NS      ns3.strato.de.
                85530   NS      ns4.strato.de.
                85530   NS      ns1.strato.de.
                85530   NS      ns2.strato.de.
; additional
ns1.strato.de.  85530   A       193.141.40.1
; additional
ns2.strato.de.  85530   A       81.169.144.234
; additional
ns3.strato.de.  85530   A       195.122.141.2
; additional
                85530   AAAA    2a00:e10:2004::2
; additional
ns4.strato.de.  85530   A       192.166.192.4
; additional
                85530   AAAA    2a01:238:e100:192::4
[...]
;
; Address database dump
;
[...]
; ns2.strato.de [v4 TTL 59] [v4 failure] [v6 unexpected]
; ns3.strato.de [v4 TTL 59] [v4 failure] [v6 unexpected]
; ns4.strato.de [v4 TTL 59] [v4 failure] [v6 unexpected]
; ns1.strato.de [v4 TTL 59] [v4 failure] [v6 unexpected]

I've seen this [v4 TTL 59] go up to 300.

So there must be some kind of negative caching which caches timeouts, and
not, like the real negative caching, just actual negative results.

Where do these 300 seconds come from and how can I configure them? I'd
like to drastically reduce them to something like 10 seconds or so to make
sure bind retries to resolve a query shortly after a timeout.

Thank you.

Kind regards,

Gerd

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

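A small parser for the "Address database dump" section Gerd pasted, so the failed-server marks and the seconds left on them can be pulled out of an `rndc dumpdb -all` file instead of being read by hand. This is an added example, not code from the thread or from BIND; the dump text embedded below is constructed to match the lines quoted above, and the 300-second ceiling it flags is the `now + 300` cap in adb.c that Evan Hunt describes further down this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of an `rndc dumpdb -all` cache dump, shaped like the
# lines quoted in the thread: a cache section followed by the address
# database.  Only the "; name [tags]" lines after the marker are parsed;
# the indented per-address lines beneath a name are skipped.
SAMPLE_DUMP = """\
; authauthority
strato.de.      85530   NS      ns1.strato.de.
; additional
ns1.strato.de.  85530   A       193.141.40.1
;
; Address database dump
;
; ns2.strato.de [v4 TTL 59] [v4 failure] [v6 unexpected]
; ns3.strato.de [v4 TTL 300] [v4 failure] [v6 unexpected]
; ns1.example.test [v4 TTL 3599] [v6 TTL 3599]
;   192.0.2.1 [srtt 2345] [flags 00000000] [ttl 3599]
;
; Unassociated entries
;
"""

ADB_MARKER = "; Address database dump"
FAILURE_CAP = 300  # seconds: the now + 300 ceiling put on expire_v4/expire_v6

# "; <name> [v4 TTL n] [v4 <status>] [v6 ...]".  Address lines under a name
# begin with "; " plus more spaces, so requiring \S right after "; " keeps
# them (and the section headings, which carry no [tags]) out.
ENTRY_RE = re.compile(r"^; (\S+)((?: \[[^\]]+\])+)\s*$")
TAG_RE = re.compile(r"\[(v4|v6) (?:TTL (\d+)|([a-z_]+))\]")


@dataclass
class AdbEntry:
    name: str
    v4_ttl: Optional[int] = None
    v4_status: Optional[str] = None   # e.g. "failure", "unexpected"
    v6_ttl: Optional[int] = None
    v6_status: Optional[str] = None


def parse_address_db(dump: str) -> List[AdbEntry]:
    """Return one record per name in the address database section."""
    entries: List[AdbEntry] = []
    in_adb = False
    for line in dump.splitlines():
        if line.startswith(ADB_MARKER):
            in_adb = True
            continue
        if not in_adb:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = AdbEntry(name=m.group(1))
        for family, ttl, status in TAG_RE.findall(m.group(2)):
            if ttl:
                setattr(entry, f"{family}_ttl", int(ttl))
            else:
                setattr(entry, f"{family}_status", status)
        entries.append(entry)
    return entries


def failed_servers(dump: str, family: str = "v4") -> List[Tuple[str, int]]:
    """Names whose address lookup named has marked failed for `family`, with
    the seconds left before it will ask for them again, longest wait first.
    A value of 300 means the entry was just capped by the now + 300 rule."""
    failed = [(e.name, getattr(e, f"{family}_ttl"))
              for e in parse_address_db(dump)
              if getattr(e, f"{family}_status") == "failure"]
    return sorted(failed, key=lambda item: -item[1])


if __name__ == "__main__":
    # Against a live server: `rndc dumpdb -all`, then read the dump file.
    for name, ttl in failed_servers(SAMPLE_DUMP):
        flag = " (at the 300s cap)" if ttl >= FAILURE_CAP else ""
        print(f"{name}: v4 lookups marked failed for {ttl}s more{flag}")
```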


RRL settings that work for you

2015-05-26 Thread Mike Hoskins (michoski)
Hi folks,

I've read about RRL with interest since its inception, but just now
getting around to rolling it out.  That is partially because we run a very
small authoritative infrastructure serving mostly as Akamai EDNS origins.
However, since it is exposed externally, used by a few tenants and RRL has
been running in the wild for awhile now...we decided to finally hop on the
bandwagon as part of our latest round of DNS infrastructure upgrades.

We are experimenting in log-only mode, and wanted to get feedback on
settings which work well for others in production.  So far we have the
following which appears to work well (not limiting typical clients during
normal operation):

rate-limit {
    log-only yes;
    ipv4-prefix-length 32;
    window 10;
    responses-per-second 20;
    nxdomains-per-second 10;
    exempt-clients {
        [...]
    };
};


However, as we've mostly just been turning knobs in an attempt to minimize
log entries...  insight from operators is appreciated.

Thanks!

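A runnable model of what the stanza above does, added here as an example (it is not BIND's rrl.c and not from the thread): a per-account credit bucket using the post's values, showing how the separate NXDOMAIN rate, the prefix grouping, log-only and exempt-clients each change the outcome. The exempt network 192.0.2.0/24, the client addresses and the traffic are constructed, and the bucket arithmetic is a simplification of BIND's, so use it to reason about the knobs rather than to predict exact counts.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Values from the rate-limit stanza in the post; the exempt network is a
# constructed stand-in for the elided exempt-clients list.
CONFIG: Dict = {
    "log_only": True,
    "ipv4_prefix_length": 32,
    "window": 10,
    "responses_per_second": 20,
    "nxdomains_per_second": 10,
    "exempt_clients": ["192.0.2.0/24"],
}


class RateLimiter:
    """Simplified credit-bucket model of RRL accounting (not BIND's rrl.c).

    Each (client prefix, response identity) account earns `rate` credits per
    whole second, holds at most window * rate, and pays one credit per
    response.  A response that leaves the balance below zero is logged
    (log-only yes) or dropped.  Positive answers are identified by qname,
    NXDOMAINs by the zone that produced them, so random names under one
    zone all debit the same account.  Times are integer seconds.
    """

    def __init__(self, cfg: Dict) -> None:
        self.cfg = cfg
        self.exempt = [ip_network(n) for n in cfg["exempt_clients"]]
        # account key -> (balance, second of last update)
        self.accounts: Dict[Tuple[str, str], Tuple[int, int]] = {}

    def _prefix(self, client: str) -> str:
        plen = self.cfg["ipv4_prefix_length"]
        return str(ip_network(f"{client}/{plen}", strict=False))

    def response(self, client: str, rcode: str, identity: str, now: int) -> str:
        """Account for one response; returns 'answer', 'log' or 'drop'."""
        if any(ip_address(client) in net for net in self.exempt):
            return "answer"
        if rcode == "NXDOMAIN":
            rate = self.cfg["nxdomains_per_second"]
        else:
            rate = self.cfg["responses_per_second"]
        key = (self._prefix(client), f"{rcode}:{identity}")
        cap = rate * self.cfg["window"]
        balance, last = self.accounts.get(key, (cap, now))
        # credit the elapsed seconds, cap the bucket, spend one credit, and
        # cap the debt at one window so a client that goes quiet recovers
        balance = max(min(cap, balance + (now - last) * rate) - 1, -cap)
        self.accounts[key] = (balance, now)
        if balance >= 0:
            return "answer"
        return "log" if self.cfg["log_only"] else "drop"


def simulate(cfg: Dict, traffic: List[Tuple[int, str, str, str]]) -> Dict[str, int]:
    """Feed (second, client, rcode, identity) responses through one limiter
    and count how many would be answered, logged or dropped."""
    rrl = RateLimiter(cfg)
    counts = {"answer": 0, "log": 0, "drop": 0}
    for now, client, rcode, identity in sorted(traffic, key=lambda t: t[0]):
        counts[rrl.response(client, rcode, identity, now)] += 1
    return counts


# Constructed traffic: one client fires 250 NXDOMAIN-producing names under
# one zone in a single second, returns 5 s later with 60 more and 20 s later
# with one; a neighbour repeats a valid name 30 times; an exempt host floods.
TRAFFIC = (
    [(0, "203.0.113.7", "NXDOMAIN", "example.test")] * 250
    + [(0, "203.0.113.8", "NOERROR", "www.example.test")] * 30
    + [(5, "203.0.113.7", "NXDOMAIN", "example.test")] * 60
    + [(20, "203.0.113.7", "NXDOMAIN", "example.test")]
    + [(0, "192.0.2.10", "NXDOMAIN", "example.test")] * 300
)

if __name__ == "__main__":
    print("log-only: ", simulate(CONFIG, TRAFFIC))
    print("enforcing:", simulate({**CONFIG, "log_only": False}, TRAFFIC))
```

Switching ipv4-prefix-length to 24 makes neighbouring clients share one account, which is the knob to reach for when a scanner rotates source addresses inside one subnet.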


Re: random latency in named

2015-05-26 Thread Mike Hoskins (michoski)
FWIW as another data point we've seen the same in the wild across
RHEL/CentOS 5.x and 6.x on large (32 core) Xeon based servers
(E5-2650's), including 6.6 with the 2.6.32-504.16.2.el6.x86_64 kernel.
Observed while debugging other things, and haven't had time to follow up.

-Original Message-
From: Mathew Ian Eis mathew@nau.edu
Date: Friday, May 22, 2015 at 11:33 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Cc: Tony Finch d...@dotat.at
Subject: Re: random latency in named


-Original Message-
From: Tony Finch d...@dotat.at
Date: Friday, May 22, 2015 at 2:32 AM
To: Mathew Eis mathew@nau.edu
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: random latency in named

Mathew Ian Eis mathew@nau.edu wrote:

 * The OS is RHEL 6.6; we just updated the kernel to
 2.6.32-504.16.2.el6.x86_64, also with no effect.

Is your server using a Haswell CPU? If so it might be the lost futex
wakeup bug discussed at the links below, in which case the problem might
go away if you upgrade to RHEL 6.6.z.

https://groups.google.com/forum/#!topic/mechanical-sympathy/QbmpZxp6C64
https://news.ycombinator.com/item?id=9542548

Nope, AMD here, but that probably wouldn't rule it out. I think I have a
comment somewhere on that HN thread... It looks like the futex bug
probably affects all architectures; just some more than others, as the
actual kernel patch references ARM.

Anyhow, I wish it had been that, but the 2.6.32-504.16.2.el6.x86_64 kernel
didn't fix the issue.

(6.6 2.6.32-504.16.2.el6.x86_64 kernel is the 6.6.z one):
https://rhn.redhat.com/errata/rhel-server-6.6-errata.html

https://rhn.redhat.com/errata/RHSA-2015-0864.html


Thanks,

Mathew Eis
Northern Arizona University
Information Technology Services


Re: shutting up logs

2015-05-14 Thread Mike Hoskins (michoski)
Another option might be changing 'file' to 'syslog' then using stuff like
:msg, contains, 'skipping nameserver' stop (or whatever pattern you want
to match) in your rsyslog configuration.

http://www.rsyslog.com/doc/rsyslog_conf_filter.html

-Original Message-
From: Reindl Harald h.rei...@thelounge.net
Organization: the lounge interactive design
Date: Thursday, May 14, 2015 at 8:44 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: shutting up logs



Am 15.05.2015 um 02:01 schrieb Nick Edwards:
   skipping nameserver 'ns5.concord.org' because it is a CNAME, while
 resolving '210.128-25.119.138.63.in-addr.arpa/PTR'

 I have logs grow by about 30 megs a day with pretty much only this in
 it (of course not always same remote server), how do I shut this up ?

 My logging statments are

 logging {
  category lame-servers { null; };
  category edns-disabled { null; };
  category client { null; };
  category dnssec { null; };
  //  channel log_queries { file "/tmp/debug_query.log";
  print-category yes; };
  //  category queries { log_queries; };
 };

you can't shut up specific messages
but you can limit the log file sizes

logging
{
  channel default_log
  {
   file "data/named.log" versions 0 size 1m;
   severity dynamic;
   print-time   yes;
   print-category   yes;
  };
  channel transfer_log
  {
   file "data/transfer.log" versions 0 size 1m;
   severity dynamic;
   print-time   yes;
   print-category   yes;
  };
  channel rate_limit_log
  {
   file "data/rate_limit.log" versions 0 size 1m;
   severity dynamic;
   print-time   yes;
   print-category   yes;
  };
  channel lame_servers_log
  {
   file "data/lame_servers.log" versions 0 size 1m;
   severity dynamic;
   print-time   yes;
   print-category   yes;
  };
  channel query_errors_log
  {
   file "data/query_errors.log" versions 0 size 1m;
   severity dynamic;
   print-time   yes;
   print-category   yes;
  };

  category default  {default_log;};
  category resolver {default_log;};
  category security {default_log;};
  category xfer-in  {transfer_log;};
  category xfer-out {transfer_log;};
  category config   {default_log;};
  category queries  {default_log;};
  category notify   {default_log;};
  category database {default_log;};
  category rate-limit   {rate_limit_log;};
  category lame-servers {lame_servers_log;};
  category query-errors {query_errors_log;};
};




Re: incoming tcp query

2015-02-24 Thread Mike Hoskins (michoski)
The answer is BIND does accept TCP queries by default (it's required to be
RFC compliant), but a lot of times upstream firewalls/ACLs/etc block TCP,
munge UDP packet size, etc...  Just firing up BIND with basic
configuration and checking netstat will show you TCP 53 listening.  If
it's not working as expected, you often have to start walking up (or down
as it were) the stack and potentially working with other folks to fix the
problem.

-Original Message-
From: Shuangrong wushuangr...@yahoo.com
Date: Saturday, February 21, 2015 at 11:08 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: incoming tcp query

Hello,

Does Bind accept tcp incoming query by default? Or is there any options
to enable this feature?


Regards,
Shuangrong


Re: SRV records etc

2015-02-10 Thread Mike Hoskins (michoski)
-Original Message-
From: John j...@klam.ca
Date: Tuesday, February 10, 2015 at 7:29 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: SRV records etc

How useful are SRV records? Are they worth installing? What are their
benefits, and pitfalls?
Similar question about HINFO.

In my limited experience, this is a question about requirements...  In the
past I had to support applications which made extensive use of SRV for
service discovery.  It was a requirement, it worked well in testing, so we
considered it useful and happily supported it.  :-)



Re: Mentor Required

2015-01-29 Thread Mike Hoskins (michoski)
The other thing is, you mention having tried and failed (agreed that isn't a 
bad thing, we've all failed countless times and it's how we learn)...how have 
you failed?

What I think you'll find is you have a list (many lists and other resources 
really) of mentors.  BIND much like many other Internet projects has a helpful 
community.  As asked below, you could start by describing your goals or use 
cases, then share what hasn't worked so far or where you're stuck, as well as 
sharing your config and any errors you're getting in logs.

You might have to adopt some paths based on your OS, or make other small 
modifications based on what you are trying to accomplish, but this is a good 
resource to get you started:

http://www.cymru.com/Documents/secure-bind-template.html

Some others you may not have seen:

http://www.zytrax.com/books/dns/

https://kb.isc.org/article/AA-00845/0/BIND-9.9-Administrator-Reference-Manual-ARM.html

From: Vinícius Ferrão fer...@if.ufrj.br
Date: Thursday, January 29, 2015 at 9:28 AM
To: STEPHEN EYRE sce...@btinternet.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Mentor Required

First of all, why you want to run a full featured DNS server such as BIND9 at 
your home?

Do you want to make some special things? Do you want to publish a zone on the 
Internet? Do you have a DNS name acquired from your country registration 
authority?

Cheers,

Sent from my iPhone

On Jan 29, 2015, at 11:54, STEPHEN EYRE sce...@btinternet.com wrote:


Dear All

For the past 3 or 4 years on and off I have been trying to set up a name server 
on an old machine at home. Each time I have failed which isn't a bad thing as I 
have used each failure to do more research and gain more knowledge.

I think the time is nigh to see if there is someone out there who would take on 
the role of mentor. Someone who has patience and doesn't mind being asked a 
whole range of banal questions.

I am not an IT professional but I do find the whole process endlessly 
fascinating. It's doubtful I will ever make any money out of the skills I have 
gained or obtain any employment either. But I will not stop until I have a 
server up and running.

The software I am using is Ubuntu 14.04 lts.

Is there anyone out there who would like to help?

Regards

Stephen Eyre

Sent from Yahoo Mail on Android



Re: Problem with BIND 9.10.1-P1 recursion limits

2014-12-09 Thread Mike Hoskins (michoski)
Thanks for digging in so fast.  Our mitigation will be sticking to
9.9.6-P1, since we like ESV anyway.

Wanted to point out that (perhaps sadly) this isn't so crazypants...or at
least not uncommon.  The *edge* and *aka* references speak Akamai DNS+CDN.
 From my last overview, this has gotten cleaner in the latest versions of
their offerings -- but many of the large(est) sites on the Internet will
be configured this way today.

-Original Message-
From: Evan Hunt e...@isc.org
Date: Tuesday, December 9, 2014 at 2:41 PM
To: Stuart Henderson s...@spacehopper.org
Cc: Tony Finch d...@dotat.at, bind-users@lists.isc.org
bind-users@lists.isc.org
Subject: Re: Problem with BIND 9.10.1-P1 recursion limits

On Tue, Dec 09, 2014 at 05:51:58PM +, Evan Hunt wrote:
 That's unexpected. I'll see if I can reproduce it.

Okay, I can.

Part of the problem is the somewhat crazypants DNS configuration
of www.ibm.com:

  $ dig +noall +answer www.ibm.com
  www.ibm.com.3600IN  CNAME   www.ibm.com.cs186.net.
  www.ibm.com.cs186.net.  60  IN  CNAME
china-cdn.san.ibm.com.edgekey.net.
  china-cdn.san.ibm.com.edgekey.net. 21600 IN CNAME
china-cdn.san.ibm.com.edgekey.net.globalredir.akadns.net.
  china-cdn.san.ibm.com.edgekey.net.globalredir.akadns.net. 900 IN CNAME
e7826.x.akamaiedge.net.
  e7826.x.akamaiedge.net. 20  IN  A   23.59.201.136

... like, *wow*.  A chain of five aliases with TTLs ranging from 20
seconds to 6 hours, passing through five different zones (ibm.com,
cs186.net, edgekey.net, akadns.net, akamaiedge.net), hosted by
servers in three *more* zones (ihost.com, akam.net, and akadns.org,
in addition to akadns.net and akamaiedge.net).  I had to almost
double the maximum recursion queries to 99 to get this to work on
an empty cache.  Yikes.

Almost any non-empty cache will dodge the bullet. Preceding the
lookup of www.ibm.com with dig @::1 ns com causes the query to
succeed.  Also, as previously noted, on 9.9 it will succeed without
a five-minute delay if you just issue the query a second time.

So, possible workarounds if this issue is causing problems for you:

  - Ensure that the first query sent to a newly-primed recursive
resolver isn't quite as spectacular as this one;
  - Add max-recursion-queries 100; to your options statement;
  - Run 9.9.6-P1 instead of 9.10.1-P1

The five-minute delay is still a bit of a puzzle. It happens because
of this code in adb.c:

/* XXXMLG Don't pound on bad servers. */
if (address_type == DNS_ADBFIND_INET) {
        name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
        name->fetch_err = FIND_ERR_FAILURE;
        inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
} else {
        name->expire_v6 = ISC_MIN(name->expire_v6, now + 300);
        name->fetch6_err = FIND_ERR_FAILURE;
        inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
}

The now + 300 bit is where the five minutes comes from.  That's code
that's been around for years, and it is in 9.9, but apparently it's
reached more easily in 9.10.  I'm looking into the reasons for this.

The problem should be addressed in 9.10.2, which is likely to be
released next month.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Again question about edns (like swupdl.adobe.com)

2014-10-22 Thread Mike Hoskins (michoski)
For what little it's worth, I've seen this somewhat even on 9.8 (it's not new), 
though increasingly on 9.9...not saying it's BIND specific, just that I've hit 
these kind of annoyances with remote servers awhile now.

I've tried explaining this on numerous internal email threads, tickets, webex 
(calls are great), etc...but it is quite frustrating, because so long as 
reasonably savvy users can dig @8.8.8.8 and get a response, they don't 
believe your server isn't broken.

From: IDS Submit sub...@ids.it
Date: Wednesday, October 22, 2014 at 6:30 AM
To: bind-us...@isc.org bind-us...@isc.org
Subject: Again question about edns (like swupdl.adobe.com)

Good morning,

with www.acer.it I have the same problem as swupdl.adobe.com

NXDOMAIN with bind 9.10 but NOERROR with Google DNS

I have read the Mark Andrews reply on July 4 2014:
--
It looks like nameserver vendors are not doing even rudimentary checks like 
those above.  DiG has those options so that we could perform checks like these.

Until Adobe fix their broken servers you can use a server clause to disable 
sending SIT requests to them.  Obviously this does not scale.

  server address { request-sit no; };

Mark
--
But this doesn't solve the problem on other domains ...
... should it be possible to enable "request-sit no" for all domains and not 
manually add it?
Because I think there are a lot of domains with this problem :(


--
\Server\Bind\bin\dig.exe @81.174.15.142 www.acer.it

; <<>> DiG 9.10.1 <<>> @81.174.15.142 www.acer.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.acer.it.   IN  A

;; ANSWER SECTION:
www.acer.it.300 IN  CNAME   public-akamai.gtm.acer.com.

;; AUTHORITY SECTION:
gtm.acer.com.   60  IN  SOA gtm1.acer.com. 
hostmaster.gtm1.acer.com. 482 10800 3600 604800 60

;; Query time: 572 msec
;; SERVER: 81.174.15.142#53(81.174.15.142)
;; WHEN: Wed Oct 22 12:13:12 ora legale Europa occidentale 2014
;; MSG SIZE  rcvd: 132
--


--
\Server\Bind\bin\dig.exe @8.8.8.8 www.acer.it

; <<>> DiG 9.10.1 <<>> @8.8.8.8 www.acer.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34510
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.acer.it.   IN  A

;; ANSWER SECTION:
www.acer.it.281 IN  CNAME   public-akamai.gtm.acer.com.
public-akamai.gtm.acer.com. 11  IN  CNAME   www.acer.com.edgesuite.net.
www.acer.com.edgesuite.net. 12306 IN  CNAME   a492.b.akamai.net.
a492.b.akamai.net.  19  IN  A   88.149.196.137
a492.b.akamai.net.  19  IN  A   88.149.196.145

;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 22 12:14:02 ora legale Europa occidentale 2014
;; MSG SIZE  rcvd: 180
--

Thanks in advance and best regards

Staff IDS

Re: Diagnostic help part 2

2014-10-03 Thread Mike Hoskins (michoski)
-Original Message-
From: Dave Sparro dspa...@gmail.com
Date: Friday, October 3, 2014 at 1:04 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Diagnostic help part 2

On 10/1/2014 3:45 PM, Tony Finch wrote:
 (Sorry for straying off topic. I have less experience of Cisco PIX/ASA
 breaking DNS than of them breaking SMTP.)
I can't resist either..
I specifically remember a PIX that bit me by helpfully changing the
payload of an axfr so that the A records that traveled through the PIX's
NAT got flipped to the inside RFC-1918 addresses for the servers that
were behind the NAT as well.

It took a couple rounds of your sending me the wrong stuff... No I'm
Not! until we figured it out.

Yeah, I've had similar experiences on various platforms over the years...
I know it's hard for smaller shops, but even when I was in startup land I
built labs to validate design and behavior (the difference was the labs
were often under my desk or in a closet).

Finding unexpected behavior like this in production is always stressful.
Ultimately, we have a responsibility as engineers/architects to conduct
due diligence and not make assumptions.  Testing and validation are key
parts of our job.  Anything made by people can have bugs or simply
unexpected behavior.  :-)



Re: Diagnostic help part 2

2014-10-01 Thread Mike Hoskins (michoski)
-Original Message-
From: Doug Barton do...@dougbarton.us
Date: Wednesday, October 1, 2014 at 2:07 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Diagnostic help part 2

On 10/1/14 8:17 AM, Barry Margolin wrote:
 In article mailman.1035.1412133286.26362.bind-us...@lists.isc.org,
   Eli Heady eli.he...@gmail.com wrote:

 With response sizes growing (dnssec, ipv6), answers are more likely to
be
 too large for UDP.

 That's unlikely. That's why EDNS was created, so that these large
 answers wouldn't require TCP.

... and more than a decade later EDNS still fails very often due to
misconfigured and/or ancient firewalls that don't understand it. 53/TCP
is part of the spec, and should not be blocked.

This isn't even specific to DNS...for example, there was a time when just
turning on what sounds good for cisco, netscreen and even checkpoint
would break other things like ESMTP.  As an admin you needed to test your
changes and understand the protocol...many don't.

It's just far worse for DNS, since there was a time when many
well-intentioned checklists suggested locking down 53/tcp.  So in this
case DNS admins were reading docs, just the wrong ones.  RTRFM.  :-)



Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Mike Hoskins (michoski)
-Original Message-
From: Thomas Schulz sch...@adi.com
Date: Friday, September 12, 2014 at 11:47 AM
To: bind-us...@isc.org bind-us...@isc.org
Subject: Re: bind-9.10.0-P2 memory leak?

 Mike Hoskins wrote:

 Do you guys have max-cache-size set?  I didn't see it in the borderworlds
 named.conf.  I've seen similar growth problems when testing 9.x before
 setting that (experiment at the time just to see what would happen, and
 confirmed this behavior).  Set sensible resource limits based on
 available resources.

I am going to see what happens with max-cache-size set, but I am convinced
that there is a bug in bind. My named has been running for 7.5 weeks now
and has been steadily growing in size except for a 1.5 week pause after I
did an rndc flush. The process size started out at 36 MB and is now up to
584 MB. But when I do an rndc dumpdb -cache I get a file that is only 5 MB
in size. Given the automatic cache cleaning, named should stabilize in
size in less than 7.5 weeks.


Just to be clear, I tend to agree with the memory leak hypothesis at this
point...  Based on the described behavior and past experience I related, I
initially just did a search of your config looking for max-cache-size.
Sorry for that, was in training at the time and somewhat distracted.

However, your use case is obviously very different from mine as you are
not doing recursion (my test environment without max-cache-size was, and
getting hit with an almost endless stream of random real-world queries
from my queryfile).

That said, I wonder if it could be dlz related?  That's the only thing I
see special about your config.  Just trying to find possible clues,
since I have ran all 9.9.x versions over time in heavily loaded production
environments (authoritative and recursive) without seeing the unbounded
growth you mentioned below for 9.9.x.

I do have a lot of interest in the community getting to the bottom of
this, as we are just planning a large upgrade in one of our environments
which will move caching clusters serving 6-8k clients over to 9.10.1.



 -Original Message-
 From: Vinícius Ferrão fer...@if.ufrj.br
 Date: Tuesday, September 9, 2014 at 10:17 AM
 To: Thomas Schulz sch...@adi.com
 Cc: bind-us...@isc.org bind-us...@isc.org
 Subject: Re: bind-9.10.0-P2 memory leak?
 
I'm having exactly the same issue. Take a look at my post @ServerFault:
http://serverfault.com/questions/616752/bind-9-10-constantly-killed-on-freebsd-10-0-with-out-of-swap-space

Sent from my iPhone

On 09/09/2014, at 11:15, Thomas Schulz sch...@adi.com wrote:

 Hello
 
 I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and
 after a while one of them ended up using all its swap and the named
 process got killed. The other servers are seeing similar behaviour, but
 I restarted named on all of them to postpone further crashes.
 
 I am using rate-limiting as well as DLZ with PostgreSQL. The server has
 two views. The operating system is FreeBSD 8.4.
 
 My configuration:
 http://borderworlds.dk/~xi/named-leak/named.conf
 
 Log of the memory usage:
 http://borderworlds.dk/~xi/named-leak/named-mem-usage.log
 
 As you can see, in less than a week, named has grown more than 900MB in
 size.
 
 Is anyone else experiencing something similar?
 
 If I need to provide more information, I will be happy to do so.
 
 -- 
 Christian Laursen
 
 What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
 grow without any evidence that it will ever stop. See my mail to this
 list with the subject Re: Process size versus cache size. Mine is
 growing slower than yours, but it is now up to 548 MB.
 
 Tom Schulz
 Applied Dynamics Intl.
 sch...@adi.com

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com



Re: bind-9.10.0-P2 memory leak?

2014-09-12 Thread Mike Hoskins (michoski)
-Original Message-
From: Doug Barton do...@dougbarton.us
Date: Friday, September 12, 2014 at 2:15 PM
To: Mike Hoskins micho...@cisco.com, Thomas Schulz sch...@adi.com,
bind-us...@isc.org bind-us...@isc.org
Subject: Re: bind-9.10.0-P2 memory leak?

On 9/12/14 11:07 AM, Mike Hoskins (michoski) wrote:
 I do have a lot of interest in the community getting to the bottom of
 this, as we are just planning a large upgrade in one of our environments
 which will move caching clusters serving 6-8k clients over to 9.10.1.

Given all of the problems that have been reported with 9.10 you may wish
to reconsider that plan.

Heh thanks, yeah...initially I was erring on the side of caution and using
9.9.x because it's served us well (~20k recursive clients without any
significant problems).  Meanwhile we've been keeping a close eye on
community comments, and to be honest opinions wax and wane.  Just as I
think it's stabilized, someone else complains.  I suppose sticking to
9.9.x a bit longer is wise.

That said, based on the 9.10.1 fixes, we will run it through our own perf
tests for comparison.  Upgrades are automated and easy, but I'd obviously
like to go live with the latest version unless there is a strong technical
reason otherwise.



Re: bind-9.10.0-P2 memory leak?

2014-09-09 Thread Mike Hoskins (michoski)
Do you guys have max-cache-size set?  I didn't see it in the borderworlds
named.conf.  I've seen similar growth problems when testing 9.x before
setting that (experiment at the time just to see what would happen, and
confirmed this behavior).  Set sensible resource limits based on available
resources.

-Original Message-
From: Vinícius Ferrão fer...@if.ufrj.br
Date: Tuesday, September 9, 2014 at 10:17 AM
To: Thomas Schulz sch...@adi.com
Cc: bind-us...@isc.org bind-us...@isc.org
Subject: Re: bind-9.10.0-P2 memory leak?

I'm having the exactly same issue. Take a look at my post @ServerFault:
http://serverfault.com/questions/616752/bind-9-10-constantly-killed-on-fre
ebsd-10-0-with-out-of-swap-space

Sent from my iPhone

On 09/09/2014, at 11:15, Thomas Schulz sch...@adi.com wrote:

 Hello
 
 I recently upgraded my authoritative nameservers to bind-9.10.0-P2 and
 after a while one of them ended up using all its swap and the named
 process got killed. The other servers are seeing similar behaviour, but
 I restarted named on all of them to postpone further crashes.
 
 I am using rate-limiting as well as DLZ with PostgreSQL. The server has
 two views. The operating system is FreeBSD 8.4.
 
 My configuration:
 http://borderworlds.dk/~xi/named-leak/named.conf
 
 Log of the memory usage:
 http://borderworlds.dk/~xi/named-leak/named-mem-usage.log
 
 As you can see, in less than a week, named has grown more than 900MB in
 size.
 
 Is anyone else experiencing something similar?
 
 If I need to provide more information, I will be happy to do so.
 
 -- 
 Christian Laursen
 
 What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
 grow without any evidence that it will ever stop. See my mail to this
 list with the subject Re: Process size versus cache size. Mine is
 growing slower than yours, but it is now up to 548 MB.
 
 Tom Schulz
 Applied Dynamics Intl.
 sch...@adi.com



Re: Logs problem with Bind 9.9.4

2014-08-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Reindl Harald h.rei...@thelounge.net
Organization: the lounge interactive design
Date: Friday, August 8, 2014 at 6:33 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Logs problem with Bind 9.9.4

so if you have nothing to say go back from where you came

abusive

why do you reply off-list, in HTML and top-posting?

because some things are better suited off-list

jesus christ, learn to use mailing-lists, stop replying in private and
strip your quotes

abusive

i'm not sure if you are 12 (we've all been there), or just bored as you
accuse others...but either way the abusive posts with little/no helpful
content really are better suited for self-talk (take a breath, walk around
the block, then reply) or at least private responses.

no community needs abusive know-it-alls, we actually want to encourage
users of all skill levels.



Re: Metazones or Something Else?

2014-08-04 Thread Mike Hoskins (michoski)
-Original Message-
From: Evan Hunt e...@isc.org
Date: Monday, August 4, 2014 at 1:26 PM
To: John Anderson jo...@ccbill.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Metazones or Something Else?

 So to the best of your knowledge this functionality is still on drawing
 board, unless implemented out-of-band?  (i.e. a perl script to parse
 metazone.zone, and create /etc/named.d/*.conf files)

Or run rndc addzone.

There's currently no supported way to perform in-band zone provisioning
via the DNS itself.  I do have access to the metazone implementation that
Vixie wrote his paper about, and I can send it to you if you like, but I'm
not sure how useful you'll find it.  There might also be some interesting
tricks possible with DLZ or with redhat's dynDB LDAP extension (which we
plan to include in BIND 9.11 but is currently only available as a set of
patches).

Improving DNS provisioning is a hot topic for future development, but
we're still just in the requirements-gathering phase.  Would you like to
share what it is you hope to do in more detail?

Just as a data point, if you're looking for references -- I'd like to be
able to do Amazon Route 53 type things (add/edit zones, not just RRs)
via some sort of API.  Of course I want to be able to do this myself,
built on a standard platform (vs implementing the API layer as a one-off),
and not relying on external parties.  I suspect I'm not alone in an
increasing world of cloud operators.  :-)



Re: rndc (and now nsupdate too)

2014-08-01 Thread Mike Hoskins (michoski)
-Original Message-
From: Tony Finch d...@dotat.at
Date: Friday, August 1, 2014 at 5:31 AM
To: Reindl Harald h.rei...@thelounge.net
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: rndc (and now nsupdate too)

Reindl Harald h.rei...@thelounge.net wrote:
 On 31.07.2014 at 21:08, /dev/rob0 wrote:
 
  The proper tool to manage zone data is nsupdate(8).  Likewise well
  suited for automation.

 zone file *editing*?

 sorry, no, in 2008 I developed an interface to create all zone files based
 on database records, writing the complete zone content in a main table
 with a text field and a second text field where translation for NAT/WAN
 zones happens, and so there is and never was a reason to *edit* a
 zone file

 it is created from scratch when changes in a zone happen and cronjobs
 only pull zones with the updated-field set to 1

In our setup, changes made in the database are turned into an nsupdate
script, so we don't need to bounce the name server and we can use
BIND's automatic signing.

no argument on nsupdate, but even if you copy files around...you don't
need to bounce the nameserver, unless rndc reload is what you mean (when i
hear bounce i think stop/start).
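
An added example of the database-to-nsupdate step Tony describes above. This is editor-added code, not from the thread or from ISC; the zone name, server address and record sets are constructed for illustration.

```python
"""Generate an nsupdate script from a desired-state record set.

Added example, not code from this thread or from BIND/ISC.  The zone name,
server address and record tuples below are constructed for illustration.
"""
from typing import List, Set, Tuple

# (owner, ttl, type, rdata); owners and name-valued rdata are fully qualified.
Record = Tuple[str, int, str, str]

# Constructed: what the name server currently serves ...
CURRENT: Set[Record] = {
    ("www.example.test.", 300, "A", "192.0.2.10"),
    ("mail.example.test.", 300, "A", "192.0.2.20"),
    ("example.test.", 3600, "MX", "10 mail.example.test."),
}
# ... and what the database now says it should serve.
DESIRED: Set[Record] = {
    ("www.example.test.", 300, "A", "192.0.2.11"),
    ("mail.example.test.", 300, "A", "192.0.2.20"),
    ("example.test.", 3600, "MX", "10 mail.example.test."),
    ("ftp.example.test.", 300, "CNAME", "www.example.test."),
}


def diff_records(current: Set[Record], desired: Set[Record]) -> Tuple[List[Record], List[Record]]:
    """Return (to_delete, to_add), sorted so the script is stable and diffable."""
    return sorted(current - desired), sorted(desired - current)


def _in_zone(owner: str, zone: str) -> bool:
    return owner == zone or owner.endswith("." + zone)


def nsupdate_script(zone: str, server: str, current: Set[Record], desired: Set[Record]) -> str:
    """Build one nsupdate transaction: every delete and add goes in a single
    update message, so the zone never shows a half-applied change, and the
    serial, journal and automatic signing are handled by named, not by a reload."""
    to_delete, to_add = diff_records(current, desired)
    if not to_delete and not to_add:
        return ""  # nothing changed; do not send an empty update
    for owner, _, _, _ in to_delete + to_add:
        if not _in_zone(owner, zone):
            raise ValueError(f"{owner} is not inside zone {zone}")
    lines = [f"server {server}", f"zone {zone}"]
    # Delete the exact stale RR (owner, type, rdata), not the whole RRset,
    # so other records of the same type at that owner survive.
    for owner, _, rtype, rdata in to_delete:
        lines.append(f"update delete {owner} {rtype} {rdata}")
    for owner, ttl, rtype, rdata in to_add:
        lines.append(f"update add {owner} {ttl} {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(nsupdate_script("example.test.", "127.0.0.1", CURRENT, DESIRED), end="")
```

Feed the output to `nsupdate -k <TSIG key file>` against a zone whose `update-policy` or `allow-update` admits that key; named bumps the serial and writes the journal itself, and re-signs if the zone is set up for automatic signing, so neither a reload nor a restart is involved.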



Re: rndc (and now nsupdate too)

2014-08-01 Thread Mike Hoskins (michoski)
-Original Message-
From: Reindl Harald h.rei...@thelounge.net
Organization: the lounge interactive design
Date: Friday, August 1, 2014 at 9:23 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: rndc (and now nsupdate too)


On 01.08.2014 at 15:14, Mike Hoskins (michoski) wrote:
 From: Tony Finch d...@dotat.at
 Date: Friday, August 1, 2014 at 5:31 AM
 To: Reindl Harald h.rei...@thelounge.net
 Cc: bind-users@lists.isc.org bind-users@lists.isc.org
 Subject: Re: rndc (and now nsupdate too)
 
 Reindl Harald h.rei...@thelounge.net wrote:
 On 31.07.2014 at 21:08, /dev/rob0 wrote:

 The proper tool to manage zone data is nsupdate(8).  Likewise well
 suited for automation.

 zone file *editing*?

 sorry, no, in 2008 I developed an interface to create all zone files based
 on database records, writing the complete zone content in a main table
 with a text field and a second text field where translation for NAT/WAN
 zones happens, and so there is and never was a reason to *edit* a
 zone file

 it is created from scratch when changes in a zone happen and cronjobs
 only pull zones with the updated-field set to 1

 In our setup, changes made in the database are turned into an nsupdate
 script, so we don't need to bounce the name server and we can use
 BIND's automatic signing.
 
 no argument on nsupdate, but even if you copy files around...you don't
 need to bounce the nameserver, unless rndc reload is what you mean
(when i
 hear bounce i think stop/start)

since when is -SIGHUP stop/start?

i suspect a language barrier, since if you read what i typed i never said
that.  in fact, i'm not sure you read what Tony typed either.

bouncing a daemon often means stop/start.  whether you rndc reload or
HUP, such a restart is not needed on zone changes.  my entire point is
that a costly full restart is not needed, even without nsupdate.

i'm sure Tony knows this, and simply wanted to clarify for posterity in
the thread archive.



Re: Tools to automatically test the resolution speed ...

2014-07-21 Thread Mike Hoskins (michoski)
I haven't used those, but not sure if smokeping's DNS plugin would do what
you want.

-Original Message-
From: Barry Greene bgre...@senki.org
Date: Monday, July 21, 2014 at 11:59 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Tools to automatically test the resolution speed ...

Hi Team,

I'm going to get my team to script a tool to test the DNS resolution
speed of our DNS Resolvers. Something that would give us a MRTG like
output and can be used for KPIs.

I use Namebench a lot for my own testing. Has anyone done any scripting
with Namebench, GRC's DNS Benchmark, or any other tools?

Thanks,

Barry





Re: initial lookup fails every time

2014-07-13 Thread Mike Hoskins (michoski)
-Original Message-
From: Matus UHLAR - fantomas uh...@fantomas.sk
Date: Sunday, July 13, 2014 at 6:24 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: initial lookup fails every time

On 12.07.14 01:19, Tony Publiski wrote:
 I'm hoping someone has seen this before. I'm running a couple of BIND
 9.8.2 DNS servers and having an issue with them for some reason.  The
 servers end up failing to lookup on the initial lookup of a domain that
 hasn't been previously cached every time.  If you immediately retry, the
 lookup succeeds without issue.  I've looked all over but not been able to
 find any answers, and it's driving me crazy.  Anyone seen this before or
 have an idea?

[root@ns ~]# nslookup www.chase.com
;; connection timed out; trying next origin
Server: 127.0.0.1
Address:127.0.0.1#53

** server can't find www.chase.com: NXDOMAIN

[root@ns ~]# nslookup www.chase.com
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
www.chase.com   canonical name = wwwbcchase.gslb.bankone.com.
Name:   wwwbcchase.gslb.bankone.com
Address: 159.53.84.126

there's too much places where the issue can be.
First, use dig or at least host to track DNS problems.

+1

only idea from info given, is upstream firewall or other network device
doing inspection or filtering and causing timeouts due to edns
fall-back...a race condition where the answer ultimately gets cached but
not before the client times out, so it works next time.

that's just one idea though; as said above, many things could cause the
behavior.  to rule out my idea, you can test yourself:

https://www.dns-oarc.net/oarc/services/replysizetest/



Re: Caching Nameserver and BIND RPM Compatibility

2014-07-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Asai a...@globalchangemusic.org
Date: Friday, July 11, 2014 at 12:56 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Caching Nameserver and BIND RPM Compatibility

Greetings,

We're setting up caching-nameserver on an existing BIND instance. The
version of BIND is 9.7. Is there a specific compatible version of
caching-nameserver RPM that's compatible with 9.7?  The latest one
available in the yum repos on this particular server (CentOS 5.8) is
9.3.6-20.P1.el5_8.6

In general I don't think you have to be too concerned about compatibility.
 One exception I know of is the default zone format change when moving to
the latest BIND versions:

https://lists.isc.org/pipermail/bind-users/2012-May/087554.html

I'm sure others will call out points I've missed.

Assuming you just use upstream vendor repos to update, the latest
caching-nameserver should have relevant fixes backported by now and will
be based on the same major release in terms of functionality (how
RedHat/CentOS generally do things)...

I'd still suggest moving to the latest BIND version.  The config is
straight-forward, you have many templates from the 'Net as well as a
reference in the caching-nameserver files, and you can generate your own
RPMs easily if this is large-scale and building from source doesn't make
sense.

http://www.cymru.com/Documents/secure-bind-template.html

http://www.five-ten-sg.com/mapper/bind



Re: Caching Nameserver and BIND RPM Compatibility

2014-07-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Mark Andrews ma...@isc.org
Date: Friday, July 11, 2014 at 8:41 PM
To: Mike Hoskins micho...@cisco.com
Cc: bind-users@lists.isc.org bind-us...@isc.org
Subject: Re: Caching Nameserver and BIND RPM Compatibility

Not every *important* fix is a *security* fix.

OS vendor that just backport security fixes are doing their customers
a disservice.  We issue -P's because security issues require timely
fixes.  We expect OS maintainers to actually include our maintenance
fixes in their maintenance releases.

I couldn't agree more, and it's one of the biggest reasons I avoided Red
Hat flavored operating systems for so long.  On the RHEL/CentOS based DNS
servers we run, we purposefully generate our own packages just to avoid
this annoyance...but it's a problem for a lot more than BIND.  I always
much preferred the BSD approach, where the port maintainers pull in the
latest releases in mostly real time.



Re: In BIND 8.2 running on Solaris 8, how to start logging

2014-06-27 Thread Mike Hoskins (michoski)
-Original Message-
From: Samad Agha samad.agha2...@gmail.com
Date: Friday, June 27, 2014 at 1:07 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org, DNS BIND
bind-us...@isc.org
Subject: In BIND 8.2 running on Solaris 8, how to start logging

Hi All,
I have two Solaris 8 servers running BIND 8.2. I'd like to retire them
both and transfer everything to a couple of RHEL 7 boxes. The City (I
work for a mid-size California city) has outsourced different aspects of
our DNS that I have even lost track and have no idea what these two DNS
servers serve. I'd like to start logging all queries on these two boxes to
know who queries them. How do I start comprehensive logging to capture all
transactions going through these two servers?
 
Please advise; please be thorough and don't assume anything. Many thanks
in advance.

I see two options:

Enable query logging.  In your named.conf, do something like:

logging {
    channel my_querylog {
        /* the file name is a quoted string; keep 5 rotated copies of 10MB each */
        file "/var/adm/query.log" versions 5 size 10m;
        print-time yes;
    };
    category queries { my_querylog; };
};


Adjust paths, number of copies (versions) to keep, etc.  Note that this
can fill quickly on busy servers.

Alternatively, use tcpdump to write a pcap of anything to 53/udp or 53/tcp
and analyze it after 1, 7, 30 or whatever days.  Again, if the server is
busy you will get a very large file.  You can limit the amount of time you
capture traffic, or rotate capture files with -C size, e.g. tcpdump -i
eth0 -s0 -C 100 -w dnscap filter (you'll end up with dnscap1, dnscap2,
etc., each 100MB in size).

Good luck, BIND 8.2 is ancient now so good to hear you are working to get
it updated.
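
Once query logging is on, the question in the post ("to know who queries them") is answered by aggregating the log. The following is an added example, not code from the thread or from ISC; it assumes the BIND 9 query-log line layout given in its docstring (BIND 8.2 writes a different format, which it does not handle), and every log line in it is constructed.

```python
"""Summarize a BIND 9 query log: who asks, for what, and whether outsiders
ask this server for recursion.

Added example, not from this thread or from ISC.  Assumed log layout (BIND 9,
'print-time yes', no print-category/print-severity):
  <date> client <ip>#<port>: query: <qname> <class> <type> <flags> (<dest-ip>)
BIND 8.2's query-log format is different and is not handled.  All sample
lines below are constructed.
"""
import re
from collections import Counter
from typing import Iterable, Optional

SAMPLE_LOG = """\
27-Jun-2014 13:10:01.123 client 192.0.2.10#53421: query: www.example.test IN A + (198.51.100.5)
27-Jun-2014 13:10:01.456 client 192.0.2.10#53422: query: www.example.test IN AAAA + (198.51.100.5)
27-Jun-2014 13:10:02.001 client 203.0.113.7#1024: query: example.test IN MX -E (198.51.100.5)
27-Jun-2014 13:10:02.300 client 203.0.113.7#1025: query: mail.example.test IN A -E (198.51.100.5)
27-Jun-2014 13:10:03.010 client 198.51.100.77#40000: query: isc.org IN ANY +E (198.51.100.5)
27-Jun-2014 13:10:03.020 client 192.0.2.10#53423: query: intranet.example.test IN A + (198.51.100.5)
27-Jun-2014 13:10:04.000 general: info: received control channel command 'stats'
"""

# Also tolerates the newer "client @0x... ip#port (qname):" form.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)


def parse_query_line(line: str) -> Optional[dict]:
    """One log line -> dict, or None if it is not a query entry."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["name"] = q["name"].rstrip(".").lower()
    # First flag char: '+' recursion desired, '-' not.  Later chars mark
    # EDNS (E), TCP (T), DNSSEC OK (D), signed (S), checking disabled (C).
    q["rd"] = q["flags"].startswith("+")
    return q


def _in_zones(name: str, zones: Iterable[str]) -> bool:
    return any(name == z or name.endswith("." + z) for z in zones)


def summarize(lines: Iterable[str], served_zones: Iterable[str], top: int = 5) -> dict:
    """Count clients, names and types, and flag clients that want recursion
    for names this server is not authoritative for: on an authoritative-only
    box that is either misdirected clients or someone probing for an open
    resolver, and either way worth a look."""
    zones = [z.rstrip(".").lower() for z in served_zones]
    clients, names, qtypes, foreign_rd = Counter(), Counter(), Counter(), Counter()
    total = unparsed = 0
    for line in lines:
        q = parse_query_line(line)
        if q is None:
            unparsed += 1 if line.strip() else 0
            continue
        total += 1
        clients[q["ip"]] += 1
        names[q["name"]] += 1
        qtypes[q["type"]] += 1
        if q["rd"] and not _in_zones(q["name"], zones):
            foreign_rd[q["ip"]] += 1
    return {
        "total": total,
        "unparsed": unparsed,
        "clients": clients.most_common(top),
        "names": names.most_common(top),
        "qtypes": qtypes.most_common(),
        "foreign_rd": foreign_rd.most_common(top),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines(), ["example.test"]).items():
        print(f"{key}: {value}")
```

Run it as `summarize(open("/var/adm/query.log"), ["example.test"])` with the zones the server is supposed to serve; the `foreign_rd` bucket is the one to read first on a box that is meant to be authoritative only.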



Re: SPF RR type

2014-06-05 Thread Mike Hoskins (michoski)
-Original Message-
From: Nicholas F Miller nicholas.mil...@colorado.edu
Date: Thursday, June 5, 2014 at 10:25 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: SPF RR type

Are SPF RR types finally dead or not? I've read through rfc7208 and it
appears that they are:

   SPF records MUST be published as a DNS TXT (type 16) Resource Record
   (RR) [RFC1035] only.  The character content of the record is encoded
   as [US-ASCII].  Use of alternative DNS RR types was supported in
   SPF's experimental phase but has been discontinued.

...but to confuse the issue rfc7208 goes on to say:

   If a future update to SPF were developed that did not
   reuse existing SPF records, it could use the SPF RR type.  SPF's use
   of the TXT RR type for structured data should in no way be taken as
   precedent for future protocol designers."

Bind-9.10.0-P1 still reports errors if you don't have SPF RRs defined
with the SPF TXT records or are not using 'check-spf ignore'.  Should one
keep existing SPF RRs or remove them? Will future versions of bind stop
reporting errors when SPF RRs don't exist?

RFC 7208 is dated April 2014...  Even if/when BIND stops complaining, how
long will it take for the Internet to align with the new standard?  :-)

Look how long BCP38's existed and how many networks don't align despite
obvious benefits to the Internet at large.  I know it's a different ball
of wax...but only kinda.

During such transitional periods, I suggest maintaining the old form for at
least a while (probably a couple years) to give the world time to update
its configuration.  There used to be quite a few major mail providers who
would bounce or at least flag as spam any mail from hosts not represented
in the domain's SPF TXT record...so the choice of when to change depends
on how much you care (or your users will complain) about misbehaved mail
delivery.



Re: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Mike Hoskins (michoski)
Cisco (apply liberal amounts of salt considering my FROM) has a product
suite called Prime, one piece of which is CNR (unless it's been renamed
again this week) -- Cisco Network Registrar, which handles the IPAM piece
and has DHCP and DNS components as well.  CNR can integrate with BIND (as
well as other common DNS software), and is licensed from BT Diamond.

I did a fairly extensive PoC of the IPAM, DNS and DHCP components a couple
years back.  Being completely honest, the downsides I've found during PoC
are clunky UI (admittedly personal opinion, and based on little
experience with other IPAMs -- experiment and decide for yourself), DHCP
implementation geared more toward IT/cable operators (high performance,
but lacking some options for PXE), and lack of true multi-tenant (you can
make logical containers of address space mapped to tenants, but you can't
have address space overlap across containers -- which for RFC1918 is a
problem on any network which consists of numerous acquisitions ;-) ).

DNS and DHCP I've continued solving myself with OSS ISC, but IPAM has
still been useful -- especially adding sanity to IPv6 allocations and
support of fully automated provisioning (API).  I've got a few clusters
deployed (easier to just run an instance per tenant for me), and rely on
the capabilities more over time.  Once you have real IPAM, it's hard to
remember how you lived without it.


cisco.com/go/cnr

-Original Message-
From: Baird, Josh jba...@follett.com
Date: Monday, April 28, 2014 at 12:31 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Enterprise IPAM/DNS Solutions

Hi,

We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially
a front-end wrapper for BIND.  We deploy our own BIND boxes and simply
install the Men & Mice agent on them which allows us to centrally manage
the zones from a GUI (or CLI) based interface.

I'm curious about the other enterprise solutions that are on the
market.  Bluecat is the first one that comes to mind, but I'm completely
unfamiliar with their product.  Does their product run alongside native
BIND (like MM) or do I need to purchase their own appliances and place
them all over my network?

Are there any other suggestions for products similar to Men & Mice and
Bluecat that I should be looking at?  I'm looking for DNS and IPAM and
central management.

Thanks,

Josh




Re: Delegation of part of a zone to a global server load balancer

2014-04-07 Thread Mike Hoskins (michoski)
In the past when doing this with Cisco GSS I followed Akamai's example,
and had success with stuff like (gdns* were the CSS):

; delegation of gslb.domain.com
$TTL 172800 ; 2 days
gdns1.domain.com. A   a.b.c.d
gdns2.domain.com. A   e.f.g.h
gdns3.domain.com. A   i.j.k.l
gdns4.domain.com. A   m.n.o.p
gdns5.domain.com. A   q.r.s.t
gdns6.domain.com. A   u.v.w.x
gslb.domain.com.  NS  gdns1.domain.com.
gslb.domain.com.  NS  gdns2.domain.com.
gslb.domain.com.  NS  gdns3.domain.com.
gslb.domain.com.  NS  gdns4.domain.com.
gslb.domain.com.  NS  gdns5.domain.com.
gslb.domain.com.  NS  gdns6.domain.com.
$TTL 3600   ; 1 hour
$ORIGIN domain.com.
; Hey we look like Akamai!
gsstest CNAME   gsstest.domain.com.gslb.domain.com.


...

# dig @8.8.8.8 gsstest.domain.com
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3701
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
...
;; ANSWER SECTION:
gsstest.domain.com.                 3599 IN CNAME gsstest.domain.com.gslb.domain.com.
gsstest.domain.com.gslb.domain.com. 19   IN A     ip.ad.dr.es
...


-Original Message-
From: McDonald, Dan dan.mcdon...@austinenergy.com
Date: Monday, April 7, 2014 at 10:16 AM
To: Bind Users bind-users@lists.isc.org
Subject: Delegation of part of a zone to a global server load balancer

What's the right way to delegate individual zone records to a "global
server load balancer", which is just a simple DNS server that checks to
see if a server is up and if so adds the address to the rotation for
resolution.


I've tried simple delegation using NS records, but I don't get
resolution.  In this example, nsg3 and 4 are my global server load
balancers for the outlook.aelabad.net zone, and ns3.aelabad.net is the
start of authority for the aelabad.net zone.




Daniel-McDonalds-iMac:~ mcdonalddj$ dig outlook.aelabad.net +norecurse @ns3.aelabad.net

; <<>> DiG 9.8.3-P1 <<>> outlook.aelabad.net +norecurse @ns3.aelabad.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25051
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;outlook.aelabad.net.           IN      A

;; AUTHORITY SECTION:
outlook.aelabad.net.    1200    IN      NS      nsg4.austin-energy.net.
outlook.aelabad.net.    1200    IN      NS      nsg3.austin-energy.net.

;; ADDITIONAL SECTION:
nsg3.austin-energy.net. 918     IN      A       10.10.9.3

;; Query time: 1 msec
;; SERVER: 10.1.9.34#53(10.1.9.34)
;; WHEN: Mon Apr  7 09:05:42 2014
;; MSG SIZE  rcvd: 105

Daniel-McDonalds-iMac:~ mcdonalddj$ dig outlook.aelabad.net @nsg3.austin-energy.net

; <<>> DiG 9.8.3-P1 <<>> outlook.aelabad.net @nsg3.austin-energy.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8783
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;outlook.aelabad.net.           IN      A

;; ANSWER SECTION:
outlook.aelabad.net.    10      IN      A       10.10.223.52

;; Query time: 3 msec
;; SERVER: 10.10.9.3#53(10.10.9.3)
;; WHEN: Mon Apr  7 09:03:03 2014
;; MSG SIZE  rcvd: 72

Daniel-McDonalds-iMac:~ mcdonalddj$ dig outlook.aelabad.net @ns3.aelabad.net

; <<>> DiG 9.8.3-P1 <<>> outlook.aelabad.net @ns3.aelabad.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;outlook.aelabad.net.           IN      A

;; AUTHORITY SECTION:
net.                    686     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1396879162 1800 900 604800 86400

;; Query time: 2 msec
;; SERVER: 10.1.9.34#53(10.1.9.34)
;; WHEN: Mon Apr  7 09:03:17 2014
;; MSG SIZE  rcvd: 110








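An added example, not from this thread or from ISC, that checks two things discussed on this page: the SPF thread's advice to keep the TXT and type-SPF forms in step while both are published, and the delegation pattern above (name servers outside the delegated name need no glue, name servers inside it do). The zone fragment, names and addresses are constructed, and the parser handles only the small master-file subset they use.

```python
"""Lint a zone-file fragment for delegations that forget their glue, for
SPF records during the TXT/SPF transition, and for CNAMEs sharing an owner.

Added example, not from this thread or from ISC.  The parser covers only
$TTL, $ORIGIN, optional TTL/class, quoted TXT strings and relative names
(no parentheses, no $INCLUDE).  The sample zone is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata), owner fully qualified

SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.test.
@        IN SOA   ns1.example.test. hostmaster.example.test. 2014060501 7200 900 1209600 3600
@        IN NS    ns1.example.test.
ns1      IN A     192.0.2.1
@        IN TXT   "v=spf1 mx -all"
@        IN SPF   "v=spf1 mx -all"
mail     IN A     192.0.2.25
mail     IN TXT   "v=spf1 a -all"          ; no SPF twin
; delegation to out-of-bailiwick servers: no glue needed (the pattern above)
gslb     IN NS    gdns1.example.test.
gslb     IN NS    gdns2.example.test.
gdns1    IN A     192.0.2.51
gdns2    IN A     192.0.2.52
gsstest  IN CNAME gsstest.example.test.gslb.example.test.
; in-bailiwick delegation that forgot its glue
lab      IN NS    ns1.lab.example.test.
; CNAME sharing an owner with other data
www      IN CNAME gsstest.example.test.
www      IN TXT   "site"
"""


def _strip_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _qualify(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    records: List[Record] = []
    last_owner = origin
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = _qualify(line.split()[1], origin)
            continue
        if line.startswith("$TTL"):
            continue  # TTLs are not needed for these checks
        if line[0].isspace():          # blank owner: repeat the previous one
            owner, rest = last_owner, line.split()
        else:
            first, *rest = line.split()
            owner = _qualify(first, origin)
        last_owner = owner
        if rest and rest[0].isdigit():
            rest = rest[1:]            # optional TTL
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]            # optional class
        if not rest:
            continue
        rtype, rdata_tokens = rest[0].upper(), rest[1:]
        if rtype in ("TXT", "SPF"):
            rdata = "".join(re.findall(r'"([^"]*)"', " ".join(rdata_tokens)))
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = _qualify(rdata_tokens[-1], origin)
        else:
            rdata = " ".join(rdata_tokens)
        records.append((owner, rtype, rdata))
    return records


def lint(records: List[Record], apex: str) -> List[str]:
    by_owner: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        by_owner[owner][rtype].append(rdata)
    owners = list(by_owner.items())
    findings: List[str] = []
    # 1. Glue: a delegation whose name servers live *inside* the delegated
    #    name is unreachable unless the parent also carries their addresses.
    for owner, rrsets in owners:
        if owner == apex:
            continue
        for target in rrsets.get("NS", []):
            glue = by_owner.get(target, {})
            if target.endswith("." + owner) and not (glue.get("A") or glue.get("AAAA")):
                findings.append(f"missing glue: {owner} NS {target} has no A/AAAA record")
    # 2. SPF transition (RFC 7208 keeps only TXT): while both forms are kept
    #    they must agree; BIND's check-spf warns on a v=spf1 TXT with no SPF twin.
    for owner, rrsets in owners:
        txt_spf = sorted(r for r in rrsets.get("TXT", []) if r.lower().startswith("v=spf1"))
        spf_rr = sorted(rrsets.get("SPF", []))
        if txt_spf and not spf_rr:
            findings.append(f"{owner}: v=spf1 TXT without matching SPF RR")
        elif spf_rr and not txt_spf:
            findings.append(f"{owner}: SPF RR without the TXT form RFC 7208 requires")
        elif txt_spf and spf_rr and txt_spf != spf_rr:
            findings.append(f"{owner}: TXT and SPF RR contents differ")
    # 3. A CNAME must be the only record at its owner.
    for owner, rrsets in owners:
        if "CNAME" in rrsets and len(rrsets) > 1:
            others = ", ".join(sorted(t for t in rrsets if t != "CNAME"))
            findings.append(f"{owner}: CNAME coexists with other data ({others})")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_zone(SAMPLE_ZONE, "example.test."), "example.test."):
        print(finding)
```

named-checkzone catches the CNAME case on its own; the glue and SPF checks are the kind of thing to run over generated zone data before it is loaded, since a delegation without glue only fails for resolvers outside your network and is easy to miss from the inside.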


Re: High recursive client counts

2014-03-25 Thread Mike Hoskins (michoski)
Hi Jason,

I've experienced similar things in the past on 9.8.  Since then we've
moved to the latest 9.9, but don't think this is at all version specific
(that said, you could obviously try upgrading).  I don't have an exact
solution for you, but some ideas of things to check and personal
experiences which might help you.

Are the servers in question VM or bare metal?  Several years back we made
a big push to virtualize everything, and after migrating recursive DNS it
worked great for awhile...as sites grew we hit a tipping point where
VM-based resolvers seemed to introduce additional query latency.  These
servers were running far below BIND's capabilities, not taxing virtual
resources, optimized per all available BIND/OS/virtualization knobs, and
using enterprise (read: not just the latest free bits slapped together and
expected to work) network, server and hypervisor tech.  I spent several
months trying to improve the situation and find a real root cause, but on
a whim I setup an identical cluster on bare metal...no more problems.  I
didn't have time to dig further, so we avoid virtualization on busy
resolvers (for now at least).

As your client count has grown...is there any bottlenecks on your network
that might be unaccounted for?  Beyond bandwidth I'm thinking of things
like resource constrained firewalls (are the resolvers in a DMZ?) which
could cause queries to be dropped/timed out/retried, etc?  I've seen
issues where overworked NetOps teams got behind in capacity
planning/upgrades and as clients/#DMZs grew firewalls couldn't keep up and
created all sorts of issues not related to BIND itself.

When the recursive client count backs up, you know more queries than usual
are taking longer than expected to get answers...if this is not related to
BIND itself, your servers, or the network...a bit of spelunking is in
order.  Capture some packets with tcpdump, and take a look at rndc
recursing output.  Take a look at the queries causing delays, dig them
manually from various locations, and try to find a common theme.  If there
is no common theme to the query destinations, then look even closer at
your network.  :-)

hth

-Original Message-
From: Jason Brandt jbra...@fsmail.bradley.edu
Date: Tuesday, March 25, 2014 at 10:31 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: High recursive client counts

We recently migrated to BIND for our internal resolvers, and since the
migration, we are experiencing periods of high recursive client counts,
which will at times cause the BIND server to quit responding.  As a
workaround, I've been able to point the BIND server to a forwarder,
bypassing the root hints, to restore stability, but this morning even with
the forwarder, our count spiked.


We are using Ubuntu 12.04 LTS, BIND version 9.8.1-P1.  The server is
configured strictly as a resolver, and is not authoritative for any
domains.


We have approximately 15-20k client devices on campus.  Our average
recursive client count is between 10 and 50.  When the spikes occur,
counts will get upwards of 3-4k (this morning: recursive clients:
2358/9900/1). 


What are possible causes of high recursive client count?  What can be
done to prevent this or tune around it?  Obviously raising the max
clients doesn't solve the problem, and the forwarder seemed to help, but
apparently is still susceptible to the issue.


Any suggestions would be greatly appreciated.


-- 
Jason K. Brandt
Systems Administrator
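
An added example, not from this thread or from ISC, of the "take a look at rndc recursing output ... try to find a common theme" step. rndc recursing writes the queries currently in progress to named.recursing in named's working directory; this script groups such a dump by parent name, age and client. The line layout in the docstring is an assumption the regex keeps to a minimum, and the sample dump and NOW are constructed so the result is deterministic.

```python
"""Summarize an 'rndc recursing' dump (named.recursing) to see where a
backlog of recursive clients is stuck.

Added example, not from this thread or from ISC.  Assumed line layout:
  ; client <ip>#<port>: ... '<qname>/<qtype>/<qclass>' ... requesttime <epoch>
Only those pieces are matched.  The sample dump and NOW are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

SAMPLE_DUMP = """\
; client 10.1.2.3#51234: id 4120 'www.corp.example/A/IN' requesttime 1459432000
; client 10.1.2.3#51235: id 4121 'a8f3k.slowzone.example/A/IN' requesttime 1459431990
; client 10.1.2.4#40001: id 9 'q91zz.slowzone.example/A/IN' requesttime 1459431985
; client 10.1.2.4#40002: id 10 'mx77a.slowzone.example/A/IN' requesttime 1459431980
; client 10.1.2.5#33000: id 77 'isc.org/AAAA/IN' requesttime 1459432010
; client 10.1.2.3#51236: id 4122 'crawler-target.example/A/IN' requesttime 1459432005
"""
NOW = 1459432020  # constructed "current time" in epoch seconds

ENTRY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+.*?'(?P<name>[^'/]+)/(?P<type>[^'/]+)/(?P<cls>[^']+)'"
    r".*?requesttime (?P<t>\d+)"
)


def parse_recursing(lines: Iterable[str]) -> List[dict]:
    entries = []
    for line in lines:
        m = ENTRY_RE.search(line)
        if m:
            e = m.groupdict()
            e["name"] = e["name"].lower().rstrip(".")
            e["t"] = int(e["t"])
            entries.append(e)
    return entries


def parent_of(name: str, labels: int = 2) -> str:
    """Crude grouping key: the last two labels, enough to make one zone whose
    servers are not answering stand out."""
    parts = name.split(".")
    return ".".join(parts[-labels:]) if len(parts) > labels else name


def summarize(entries: List[dict], now: int, top: int = 5,
              stale_after: int = 10, min_names: int = 3) -> dict:
    """Oldest outstanding queries, the parents with the most distinct names
    in flight, and the clients generating the load.  Many distinct names
    under one parent means either that zone's authoritative servers are not
    answering or a flood of never-seen names is eating recursive-clients."""
    by_parent: Dict[str, Set[str]] = defaultdict(set)
    clients: Counter = Counter()
    for e in entries:
        by_parent[parent_of(e["name"])].add(e["name"])
        clients[e["ip"]] += 1
    waiting = sorted(((now - e["t"], e["name"], e["type"], e["ip"]) for e in entries), reverse=True)
    hot = sorted(((len(v), k) for k, v in by_parent.items()), reverse=True)
    return {
        "outstanding": len(entries),
        "stale": [w for w in waiting if w[0] >= stale_after][:top],
        "hot_parents": hot[:top],
        "suspect_parents": [k for n, k in hot if n >= min_names],
        "clients": clients.most_common(top),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_recursing(SAMPLE_DUMP.splitlines()), NOW).items():
        print(f"{key}: {value}")
```

Run it against the real file with `summarize(parse_recursing(open("named.recursing")), int(time.time()))`; a `suspect_parents` entry is the zone to dig by hand from a few locations, exactly the "common theme" test above, and an empty list with many stale entries points back at the network rather than at any one destination.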







Re: Difference between BIND 9.8 and 9.9

2014-02-19 Thread Mike Hoskins (michoski)
From:  BONNET, Frank frank.bon...@esiee.fr
Date:  Wednesday, February 19, 2014 at 12:41 PM
To:  bind-users@lists.isc.org bind-users@lists.isc.org
Subject:  Difference between BIND 9.8 and 9.9

Hello

is there a link to a documentation that lists the main differences
between BIND 9.8 and 9.9 ?

I would like to read it before switching from 9.8

thank you


I generally browse the release notes.

https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/



Re: Upgrading from 9.8.3 to 9.9.4

2014-01-23 Thread Mike Hoskins (michoski)
-Original Message-
From: Thomas Schulz sch...@adi.com
Date: Thursday, January 23, 2014 at 9:50 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: RE: Upgrading from 9.8.3 to 9.9.4

 I just remembered there was also the change to the db file
 having a default raw format on slaves unless specified.

Interesting. I did not notice that when it happened, but now that I
look, I see that my slaves indeed have raw format files. Apparently
the switch over did not require me to do anything.

For those who are interested, if you search list archives you can see the
situations where it caused problems for some.



Re: Upgrading from 9.8.3 to 9.9.4

2014-01-22 Thread Mike Hoskins (michoski)
-Original Message-
From: Mike Bernhardt bernha...@bart.gov
Date: Wednesday, January 22, 2014 at 3:25 PM
To: 'Lawrence K. Chen, P.Eng.' lkc...@ksu.edu,
bind-users@lists.isc.org bind-users@lists.isc.org
Subject: RE: Upgrading from 9.8.3 to 9.9.4

Thanks for that. I just remembered there was also the change to the db
file having a default raw format on slaves unless specified.

That's what I meant by my response about masterfile-format.  :-)



Re: Upgrading from 9.8.3 to 9.9.4

2014-01-16 Thread Mike Hoskins (michoski)
-Original Message-
From: Mike Bernhardt bernha...@bart.gov
Date: Thursday, January 16, 2014 4:09 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: RE: Upgrading from 9.8.3 to 9.9.4

Sorry for the double post, but I forgot to ask this:
And if it is indeed enabled regardless of my RFC1918 ranges, I would
imagine that for my internal servers which have those ranges, I would
want to add disable-empty-zone .; to my global options? And for my
external-facing server which of course has no RFC1918, I would leave it
to the default setting?


You don't have to do this.  BIND won't enable the empty zone if you
already have it defined.


-Original Message-
From: Mike Bernhardt [mailto:bernha...@bart.gov]
Sent: Thursday, January 16, 2014 1:03 PM
To: 'bind-users@lists.isc.org'
Subject: RE: Upgrading from 9.8.3 to 9.9.4

Am I correct in understanding that the change to enabled by default was
in 9.9.x, not in 9.8.x? The 9.9.x documentation specifically states that
it is enabled by default whereas the 9.8.x documentation does not.


Yes.



Re: Upgrading from 9.8.3 to 9.9.4

2014-01-14 Thread Mike Hoskins (michoski)
Good call out.  I'd always enabled empty-zones so didn't get bit by that,
but do think the move to 9.9 is when masterfile-format bit some.  Not a
big deal if you're aware of it.  Other than that the upgrade was quick
and painless.  I would suggest testing the upgrade on a VM or somewhere
first...always good to confirm for your exact configuration.

-Original Message-
From: Lawrence K. Chen, P.Eng. lkc...@ksu.edu
Organization: Kansas State University - ITS/Enterprise Server Technologies
Date: Tuesday, January 14, 2014 2:46 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Upgrading from 9.8.3 to 9.9.4

IIRC, the main change I ran into when I upgraded to 9.9.2-P1 (from
9.7.6-P4) was the change in default for empty-zones.  All are enabled by
default, including RFC1918 ranges whether you have any defined or not.

On 01/14/14 12:16, Mike Bernhardt wrote:
 Is there anything I need to know regarding changes in default operation
 when upgrading from 9.8.3 to 9.9.4? I'm specifically looking for changes
 that must be addressed in named.conf options in order to keep an upgrade
 as transparent as possible.
 
 Thanks,
 
 Mike
 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally



Re: Adding DS records

2013-12-20 Thread Mike Hoskins (michoski)
-Original Message-
From: Warren Kumari war...@kumari.net
Date: Friday, December 20, 2013 12:15 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Adding DS records

On Dec 20, 2013, at 10:38 AM, /dev/rob0 r...@gmx.co.uk wrote:

 On Fri, Dec 20, 2013 at 10:04:59AM -0500, Thomas Schulz wrote:
 Has anyone been able to get Network Solutions to add DS records
 for their domain? I am trying to get DS records added for my
 domain and so far it looks like Network Solutions can not do that.
 
 The last time this was asked here was in August:
 
 https://lists.isc.org/pipermail/bind-users/2013-August/091340.html
 
 If I was a NetSol customer, I would ask them, "Why not?"

And if I were a NetSol customer, I would ask myself, "Why?"

If I were a capitalist, I'd vote with my wallet and go somewhere with the
features I want.



Re: Delegation and Forwarding

2013-12-11 Thread Mike Hoskins (michoski)
-Original Message-
From: Bob McDonald bmcdonal...@gmail.com
Date: Wednesday, December 11, 2013 7:10 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Delegation and Forwarding

I'm a bit confused on the need for a blank forwarders statement inside of
a zone statement in the named.conf file.  Given an internal zone on a
recursive server with global forwarders, what are the situations which
would require me to code a blank forwarders statement inside of a zone
statement in a named.conf?  I have internal zones which 1) do not delegate
children, 2) delegate children on the same server, and 3) delegate
children on different servers (and different versions of bind).  I know
that delegation is not affected on servers without global forwarders.  The
documentation around this is not clear (at least to me grin).

empty forwarders in zone stanza effectively cancels global forwarders.
from the arm:

If no forwarders statement is present or an empty list for forwarders is
given, then no forwarding will be done for the domain, canceling the
effects of any forwarders in the options statement.

so you can assume the same behavior for that zone as if you had no
forwarders defined.



Re: RHEL 6 CPU load

2013-11-20 Thread Mike Hoskins (michoski)
-Original Message-
From: Blake Hudson bl...@ispn.net
Date: Wednesday, November 20, 2013 11:03 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: RHEL 6 CPU load

Daniel, what do you see the load as? I see 4.6% CPU usage (100% possible
- 95.4% idle).


Wondering the same.  Don't consider 0.00 high load.  ;-)



I'm not sure which versions of BIND you were using on RHEL5, but the
newer versions do tend to use more CPU usage (I'll assume due to new
features, patches, etc in the BIND code).

--Blake

- wrote the following on 11/20/2013 9:37 AM:

We recently upgraded one of our DNS servers to RHEL 6. The other two
servers are running RHEL 5. The new system is showing much higher CPU
load than the other two (RHEL 5 machines sit around 11-15%). I am not
sure if this is related to the OS versions or something else. The build
procedure for the new system is completely different than before which
could also be the cause. Any ideas why this could be happening?


Were the configure options the same when you built on 5.x vs 6.x? You can
see that with named -V.

You mention a different build procedure -- do you mean named or OS? As a
first step I would focus on those differences. FWIW I have moved about 30
recursive resolvers with the highest iterative workload I've had the
privilege of managing to centos 6.x and had no ill effects so I don't
think it's simply the OS itself.



Re: Size boundaries for zones of IPv6 rDNS

2013-11-14 Thread Mike Hoskins (michoski)
-Original Message-
From: Listas lis...@adminlinux.com.br
Date: Thursday, November 14, 2013 12:57 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Size boundaries for zones of IPv6 rDNS

Hi!

Are there size limits for zones of IPv6 reverse DNS ?

For example, is this a valid zone?

5.a.8.3.4.f.3.0.c.a.d.f.ip6.arpa

Thank you in advance!

Looks valid to me.

zone 1.0.0.4.8.6.8.1.1.0.0.2.ip6.arpa {
type master;
file external/master/2001.1868.4001.db;
};

zone 0.0.2.1.3.0.0.2.1.0.1.0.0.2.6.2.ip6.arpa {
type master;
file external/master/2620.101.2003.1200.db;
};


etc

http://www.zytrax.com/books/dns/ch3/#ipv6

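The zone names in this thread follow from one rule: ip6.arpa uses one hex nibble per label, so a reverse zone can only begin on a 4-bit boundary (/4, /8, ... /128), and any nibble count from 1 to 32 is valid. The following is an added example, not code from the thread; it derives the two zone stanzas quoted above from their prefixes, maps the asker's zone back to its prefix, and rejects prefix lengths that do not fall on a nibble boundary. The `named_zone_stanza` helper and the file paths it prints are assumptions in the style of the stanzas above.

```python
"""Map IPv6 prefixes to ip6.arpa reverse zones and back (nibble boundaries)."""
import ipaddress

IP6_ARPA = "ip6.arpa"


def is_nibble_aligned(prefix: str) -> bool:
    """True when the prefix length is a multiple of 4, i.e. ends on a label boundary."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen % 4 == 0


def prefix_to_ip6_arpa(prefix: str) -> str:
    """Return the ip6.arpa zone name covering an IPv6 prefix.

    ip6.arpa carries one hex digit per label, so a single zone can only
    start on a 4-bit boundary (/4, /8, ..., /128).  Other lengths need
    several zones (one per covered nibble value) rather than one.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)  # reject host bits set
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    kept = nibbles[: net.prefixlen // 4]
    if not kept:
        return IP6_ARPA  # a /0 would be the whole reverse tree
    return ".".join(reversed(kept)) + "." + IP6_ARPA


def ip6_arpa_to_prefix(zone: str) -> str:
    """Inverse mapping: ip6.arpa zone name -> compressed CIDR prefix."""
    labels = zone.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"{zone}: not under {IP6_ARPA}")
    nibbles = labels[:-2]
    if not 1 <= len(nibbles) <= 32 or any(
        len(n) != 1 or n not in "0123456789abcdef" for n in nibbles
    ):
        raise ValueError(f"{zone}: labels must be single hex digits")
    # Labels are least-significant nibble first; undo that and pad to 128 bits.
    hexstr = "".join(reversed(nibbles)).ljust(32, "0")
    groups = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
    return ipaddress.IPv6Network(f"{groups}/{len(nibbles) * 4}").compressed


def named_zone_stanza(prefix: str, zonefile: str) -> str:
    """named.conf stanza in the style quoted in the thread (assumed helper)."""
    return (
        f'zone "{prefix_to_ip6_arpa(prefix)}" {{\n'
        "    type master;\n"
        f'    file "{zonefile}";\n'
        "};\n"
    )


if __name__ == "__main__":
    # Constructed inputs: the two prefixes behind the stanzas in the thread.
    for p in ("2001:1868:4001::/48", "2620:101:2003:1200::/64"):
        print(named_zone_stanza(p, f"external/master/{p.split('/')[0]}.db"))
    # The asker's zone, mapped back to the prefix it covers.
    print(ip6_arpa_to_prefix("5.a.8.3.4.f.3.0.c.a.d.f.ip6.arpa"))
```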


Re: logging query time

2013-11-13 Thread Mike Hoskins (michoski)
-Original Message-
From: Birta Levente blevi.li...@gmail.com
Date: Wednesday, November 13, 2013 3:29 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: logging query time

Hi

I have a caching nameserver (bind 9.8.2) and I curious if I can log the
duration of queries to the forwarders?

not that i know of easily (from logs), nor from collectd's bind plugin
that i've found, though the dns plugin could be expanded to provide
this...however, since that ultimately involves running a sniffer process
on your name server(s), it might be better to just do it yourself if it's
for debug purposes.  something like:

http://ask.wireshark.org/questions/3678/dns-transaction-latency



xml stats question

2013-11-02 Thread Mike Hoskins (michoski)
Hi folks,


Quick question on xml stats...  I've used the new style statistics for
monitoring, etc. and find it really useful as I'm sure many do.  One of
the things I'm working on is moving to collectd vs remote polling, and the
bind plugin seems to require v2 vs v3 xml schema (my first guess, since it
won't parse the default xml I'm seeing under /, which looks different in
the latest releases).

I'm sure the plugin will get updated at some point, but from reading over
the 9.9.4 ARM it says I should be able to access URIs like /xml/v2 and
/xml/v3 but neither of those work for me -- just the top level page which
I think is the newer schema (it looks different than it did in 9.8).
However, the ARM also says the v? URIs will be available only if the
requested schema is supported by the server -- what determines that
availability?  I've compiled with libxml2 which makes the top-level stats
work.  Do I just need more configure options or something else to get
/xml/v2 working?

TIA



Re: xml stats question

2013-11-02 Thread Mike Hoskins (michoski)
-Original Message-

From: Mike Hoskins micho...@cisco.com
Date: Saturday, November 2, 2013 1:31 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: xml stats question

Hi folks,

Quick question on xml stats...  I've used the new style statistics for
monitoring, etc. and find it really useful as I'm sure many do.  One of
the things I'm working on is moving to collectd vs remote polling, and the
bind plugin seems to require v2 vs v3 xml schema (my first guess, since it
won't parse the default xml I'm seeing under /, which looks different in
the latest releases).

I'm sure the plugin will get updated at some point, but from reading over
the 9.9.4 ARM it says I should be able to access URIs like /xml/v2 and
/xml/v3 but neither of those work for me -- just the top level page which
I think is the newer schema (it looks different than it did in 9.8).
However, the ARM also says the v? URIs will be available only if the
requested schema is supported by the server -- what determines that
availability?  I've compiled with libxml2 which makes the top-level stats
work.  Do I just need more configure options or something else to get
/xml/v2 working?

Answered my own question, sorry for the noise.  It was getting late last
night, and I thought I'd configured without --enable-newstats, but after
doing a fresh build today the v2 xml appears at / again.

Still not sure about the 9.9.4 ARM reference to /xml/v2 and /xml/v3 (it
would be nice to be able to access /xml/v2 within collectd and /xml/v3
elsewhere), but the right configure options will at least keep collectd
happy for now.



Re: Performance Tuning RHEL 5 and Bind

2013-10-22 Thread Mike Hoskins (michoski)
-Original Message-

From: Alan Clegg a...@clegg.com
Date: Tuesday, October 22, 2013 7:44 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Performance Tuning RHEL 5 and Bind

On Oct 21, 2013, at 9:47 AM, wbr...@e1b.org wrote:

 From: Alan Clegg a...@clegg.com
 
 Fix your windows clients.
 
 You can't fix stupid.

I have lots of windows clients and they don't exhibit this feature.
There's something wrong on the windows clients and it's not the norm.

To be honest, recent windows releases do a pretty fine job with DNS.

Agreed.  The problem here is the TCP fall-back vs BIND/OS tuning.  I've
got a lot of Windows clients (mostly vmware related infra) that don't
query via TCP.  I would focus on a deeper inspection of the environment
including network layer.  The OP needs to figure out why the queries are
using TCP.

Speculating based on the available data, I'm wondering if the new BIND
servers were stood up behind a firewall...possibly with broken protocol
inspection/fixup type configuration limiting UDP packet size to 512
bytes...and zone data with large NS/whatever RR sets resulting in TCP
retries.



Re: Install DNS Server

2013-10-10 Thread Mike Hoskins (michoski)
While I mostly agree, simply doing a 'yum update' against the CentOS repos
will pull you up to 5.9...which isn't really old, it was released around
the same time as 6.4.  Then at least your base OS is up to date, and you
don't have to use the community RPMs.  You can build from source, generate
your own packages, or use community SRPMs that are available.


Newer is generally better, but depending upon what you're doing moving
from 5.x to 6.x (or changing major versions in general) is often not as
easy as it sounds.  I personally still have to maintain 5.x and 6.x to
keep our developers happy.  That said, running 5.x is still not an excuse
to be out of date.  Based on the question, this might just be lack of
experience...but moving to the latest minor release is very simple.

http://www.tecmint.com/how-to-upgrade-from-centos-5-x-to-centos-5-9/

http://www.howtoforge.com/bind-installation-on-centos

http://www.linuxfromscratch.org/blfs/view/svn/server/bind.html

http://www.five-ten-sg.com/mapper/bind

-Original Message-
From: Lightner, Jeff jlight...@water.com
Date: Thursday, October 10, 2013 7:26 AM
To: Sten Carlsen st...@s-carlsen.dk, Chandran Manikandan
tech2m...@gmail.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: RE: Install DNS Server

Any reason why you're using CentOS 5.7 given that 6.4 (and maybe later)
is available?

If this is a new system you really ought to think about using the 6.x
stuff.   5.x is long in the tooth; even though still supported it has many
older upstream packages of things including BIND.   CentOS does put bug
and security fixes in (or RedHat does and CentOS gets them because they
build from RHEL source) but you still end up with something very old
(BIND 9.3.x) that most folks on this list don't want to talk about
because it is long past EOL for BIND.

From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
Sten Carlsen
Sent: Thursday, October 10, 2013 6:38 AM
To: Chandran Manikandan
Cc: bind-users@lists.isc.org
Subject: Re: Install DNS Server

Hi

I do that and more on an ATOM machine with 2GB RAM. I use Postfix instead
of qmail but see no reason qmail would not work.

I installed all the relevant RPMs, configured them and it works.

One thing to remember is that you need two or more DNS servers, I do that
by being a stealth master with several slaves on my 3rd party provider.


On 10/10/13 12.27, Chandran Manikandan wrote:


Hi All, 
I am running Centos 5.7 32 bit server machine.

I have installed and successfully run qmail,web,ftp with the same machine.

Now am DNS hosting with third party. I would like to install and keep DNS
hosting myself. 

How to do that , How to install Dns server with the same machine or
different machine as well what is the complete procedure and steps.

 

Any one help me.

 

-- 
Thanks, 
Manikandan.C

System Administrator




-- Best regards Sten Carlsen No improvements come from shouting:
MALE BOVINE MANURE!!!
 
 



Re: filter-aaaa-on-v4

2013-09-18 Thread Mike Hoskins (michoski)
-Original Message-

From: Lawrence K. Chen, P.Eng. lkc...@ksu.edu
Date: Wednesday, September 18, 2013 10:08 AM
To: bind-users bind-users@lists.isc.org
Subject: filter-aaaa-on-v4

I finally turned this feature on when I built bind-9.9.3-P2

Had only gotten the occasional user complaints that some browser/client
tries to connect to IPv6 and fails.  Because our IT Security group
doesn't allow IPv6 and is/was blocking tunneling protocols on campus.

As a side effect, my NTP servers are happier since all #.pool.ntp.org
(where # is 0-3) now resolve to usable addresses.

Why 4?  If you only have one NTP server, you know what the time is, but
you don't know if it is correct.  If you have two servers, you won't know
what time it is.  With 3, you can have a pretty good idea of the correct
time, until one breaks.  So, 4 gives you a good idea of what the correct
time is, even if one breaks.  Though I had seen another article
suggesting the sets of 3's (3,6,9,12).

Only 0-3 are defined with the pools, so that's what I go with.  Problem
is that they have been putting all the IPv6 NTP servers in pool 2, along
with some IPv4 ones.  And, most of the time when I start ntpd, it picks
an IPv6 one from 2.

Had a server where one of the others was intermittent, so it was going
between 2 or 3 servers (and, of course, I put my NTP servers in
Nagios...so I get alerted when this happens), which had been fine for
months, until the system got rebooted for OS updates.

Just restarted it again, and saw it found 4 servers... wish I had thought
of this sooner.  Wonder if I should do this at home?  Guessing it's not
enabled in the system bind, so I'll have to switch to using ports.

FWIW, you could also add -4 to ntpd args or use -4 prefix in ntpd.conf.



Re: detect if zone/s is frozen

2013-09-04 Thread Mike Hoskins (michoski)
-Original Message-

From: Tony Finch d...@dotat.at
Date: Wednesday, September 4, 2013 4:50 AM
To: Mike Hoskins micho...@cisco.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: detect if zone/s is frozen

Mike Hoskins (michoski) micho...@cisco.com wrote:
 /dev/rob0 r...@gmx.co.uk wrote:
 
 I would suggest that if you're making much use of rndc freeze, YDIW.
 Consider using nsupdate(8) to make your changes.

 True, but I just setup two new networks where the tenants wanted exactly
 this capability...so use cases exist. [...]

 Failing an easy monitoring solution (I don't see anything in terms of
 rndc options, or old/new stats output), you might consider creating a
 wrapper that does the rndc freeze/vi/update serial to mtime/rndc thaw and
 post it clearly in /etc/motd.  Not perfect, but would mostly work except
 when you get distracted in the middle of the vi session.  :-)

Better option: use nsdiff, which calculates the differences between the
live version of your zone and a master file that you edit, and turns the
result into an nsupdate script.

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Thanks for the pointer...

Also, I guess I overlooked the obvious?  If you nsupdate while a zone is
frozen it looks like the update is refused vs silently queued (nsupdate
exits non-zero)...so a nagios/whatever monitor could be written that
periodically updates a test record within the zone and complains on
failure.

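The monitor sketched in the post above, written out as an added example (not code from the thread or from ISC): it feeds nsupdate a batch that rewrites one dedicated TXT record in the zone and turns the result into a Nagios state. A frozen master zone answers dynamic updates with REFUSED, which nsupdate reports as "update failed: REFUSED" and a non-zero exit. The `_freeze-check` record name, the TSIG key file argument and the stderr phrases matched in `classify` are assumptions; restrict the zone's update-policy so the monitor key can touch only that one name.

```python
"""Nagios-style probe: is a dynamic zone still frozen after an edit?"""
import subprocess
import sys
import time

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = ["OK", "WARNING", "CRITICAL", "UNKNOWN"]


def build_update_script(server, zone, probe_name="_freeze-check", ttl=60):
    """Build the nsupdate batch that rewrites one throwaway TXT record in `zone`.

    `probe_name` is a constructed convention; grant the monitor's TSIG key
    update rights to this single name only (update-policy), nothing else.
    """
    apex = zone.rstrip(".") + "."
    fqdn = f"{probe_name}.{apex}"
    stamp = int(time.time())
    return (
        f"server {server}\n"
        f"zone {apex}\n"
        f"update delete {fqdn} TXT\n"
        f"update add {fqdn} {ttl} TXT \"freeze-check {stamp}\"\n"
        "send\n"
    )


def classify(returncode, stderr):
    """Map nsupdate's exit status and stderr text to a (state, message) pair.

    named rejects updates to a frozen zone with REFUSED; nsupdate then prints
    "update failed: REFUSED" and exits non-zero.  The other phrases are
    heuristics (assumed) for telling misconfiguration from a dead server.
    """
    if returncode == 0:
        return OK, "dynamic update accepted; zone is thawed"
    text = stderr.strip()
    if "REFUSED" in text:
        return CRITICAL, "update REFUSED: zone frozen (or update-policy denies the probe)"
    if "NOTAUTH" in text or "NOTZONE" in text:
        return UNKNOWN, f"probe misconfigured: {text}"
    if "timed out" in text or "Communication with server failed" in text:
        return CRITICAL, f"server unreachable: {text}"
    return WARNING, f"unexpected nsupdate result (rc={returncode}): {text}"


def run_check(server, zone, keyfile, timeout=10):
    """Run the probe against a live server and return (state, message)."""
    script = build_update_script(server, zone)
    try:
        proc = subprocess.run(
            ["nsupdate", "-k", keyfile, "-t", str(timeout)],
            input=script, capture_output=True, text=True, timeout=timeout + 5,
        )
    except FileNotFoundError:
        return UNKNOWN, "nsupdate binary not found"
    except subprocess.TimeoutExpired:
        return CRITICAL, "nsupdate did not return in time"
    return classify(proc.returncode, proc.stderr)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} SERVER ZONE TSIG-KEYFILE")
    state, msg = run_check(*sys.argv[1:])
    print(f"{STATE_NAMES[state]} - {msg}")
    sys.exit(state)
```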


Re: detect if zone/s is frozen

2013-09-03 Thread Mike Hoskins (michoski)
-Original Message-

From: /dev/rob0 r...@gmx.co.uk
Organization: RTFM
Reply-To: bind-users@lists.isc.org bind-users@lists.isc.org
Date: Tuesday, September 3, 2013 5:17 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: detect if zone/s is frozen

On Tue, Sep 03, 2013 at 12:31:08PM -0700, Justin T Pryzby wrote:
 Is there a nice way to tell if any zone is frozen (or a
 specific zone)?  I'm hoping to implement a nagios check, since
 I have several times gotten distracted while making an update,
 and forgot to thaw the zone until something odd happens
 later on.

I would suggest that if you're making much use of rndc freeze, YDIW.
Consider using nsupdate(8) to make your changes.

True, but I just set up two new networks where the tenants wanted exactly
this capability...so use cases exist.  It got me thinking, and I was
hoping for an answer all day.  :-)  It would be nice to be able to monitor,
since just looking for missing jnl's or something obvious doesn't work
(maybe a command to force jnl rewrite for any thawed zones would do it,
then you could really just monitor for jnl's missing threshold).

Failing an easy monitoring solution (I don't see anything in terms of rndc
options, or old/new stats output), you might consider creating a wrapper
that does the rndc freeze/vi/update serial to mtime/rndc thaw and post it
clearly in /etc/motd.  Not perfect, but would mostly work except when you
get distracted in the middle of the vi session.  :-)



Re: the location of dig and named

2013-08-28 Thread Mike Hoskins (michoski)
-Original Message-

From: Nidal Shater ngiw2...@hotmail.com
Date: Wednesday, August 28, 2013 5:35 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: the location of dig and named

When I type dig or named, what is the location of the executable
programs dig and named?

It will vary by platform, and you can ultimately control it via
./configure --bindir=/foo --sbindir=/bar.  Easiest thing to do is look at
the configure defaults or simply find / -type f -name {dig,named,etc}.



Re: /etc/named.conf won't be installed !!

2013-08-27 Thread Mike Hoskins (michoski)
-Original Message-

From: Nidal Shater ngiw2...@hotmail.com
Date: Tuesday, August 27, 2013 12:02 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: /etc/named.conf won't be installed !!

hi
when I install BIND, BIND won't install the /etc/named.conf file. why???
I think bind has problems with centos6.3
could anybody figure it out
PS: I use (./configure, make, make install) to install it

Others pointed out it's normal for source install, refer to this as a
reference:

http://www.cymru.com/Documents/secure-bind-template.html

Then check the latest ARM for other options you might need:

https://kb.isc.org/article/AA-00845/0/BIND-9.9-Administrator-Reference-Manual-ARM.html



Re: The Path of source code

2013-08-21 Thread Mike Hoskins (michoski)
-Original Message-

From: Nidal Shater ngiw2...@hotmail.com
Date: Wednesday, August 21, 2013 4:27 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: The Path of source code

I have installed BIND by using the command yum install bind in
centos6.3. What is the location (path) of the source code, and especially
the .c files, on my filesystem?

Nidal

Find out what's installed with rpm -ql rpm-name.  You will likely need
to install bind-devel and bind-libs.



Re: configure syslog prefix

2013-07-03 Thread Mike Hoskins (michoski)
-Original Message-

From: Shawn Bakhtiar shashan...@hotmail.com
Date: Wednesday, July 3, 2013 12:15 PM
To: bind-us...@isc.org bind-us...@isc.org
Subject: RE: configure syslog prefix

hhhmmm

I have not run multiple binds on the same box, but according to the man
pages for named.conf (assuming you have a different configuration file
for each instance) set up each to report to a different logging facility,
i.e.:

in named.conf:


logging {
  channel default_syslog {
    syslog local7;
    severity info;
  };

...


and in /etc/rsyslog.conf

# Save named messages to firstnamedinstance.log
local7.*    /var/log/firstnamedinstance.log

(If you have logrotate installed) You may also want to add a file in
/etc/logrotate.d with the following info:

/var/log/firstnamedinstance.log {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Good call, and if you're running rsyslog go to rsyslog.conf/doc and read
about templates...  You can rewrite anything to your heart's content with
a little effort.



Re: BIND Service Hung

2013-07-03 Thread Mike Hoskins (michoski)
-Original Message-

From: Novosielski, Ryan novos...@ca.rutgers.edu
Date: Wednesday, July 3, 2013 12:38 PM
To: Matus UHLAR - fantomas uh...@fantomas.sk
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: BIND Service Hung

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/03/2013 05:09 AM, Matus UHLAR - fantomas wrote:
 On 03.07.13 09:33, Arie Lendra Putra wrote:
 Now the problem is sometimes (not quite often, just seldomly)
 Named on one of this server is just plain not responding, the
 process is still there but just not responding to any queries,
 when this happened the only way to revive it is to kill the PID
 and restart the named service, plain service named restart not
 working.
 
 and nothing on logs.
 
 What seems to be the problem, is it because the bind version is
 too outdated?
 
 most probably. get a newer version within your package
 distribution, or try to upgrade the system if you can.

I don't think there is any evidence whatsoever that points in that
direction.

sure but even in the commercial world, typical support model says
reproduce with latest version -- even moreso with OSS.  if you have a
problem on an ancient version, there are too many variables.  reproduce on
an updated system and you are more likely to get help.  not a perfect
answer, but quite common.  ultimately it is your problem so others might
help but impetus ultimately yours.  you really want to run an updated
version anyway, have you read the CVEs?  :-)



Re: sockmgr 1005a1080: unexpected POLL timeout

2013-06-28 Thread Mike Hoskins (michoski)
-Original Message-

From: Dennis Clarke dcla...@blastwave.org
Date: Friday, June 28, 2013 11:43 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: sockmgr 1005a1080: unexpected POLL timeout


I have a recent build of BIND 9.9.3-P1 and after bringing up the service
on a 
Solaris 10 server I begin to see many log entries like so :

28-Jun-2013 15:41:17.636 sockmgr 1005a1080: unexpected POLL timeout

I don't know what this is and am mildly concerned.  Is this evidence of a
config
problem or a compile problem or ?  Really I have not seen this before and
there
are roughly 5000 such entries in my log thus far today.

Dennis

just as a data point i set up a couple new 9.9.3-P1 boxes last night that
get around 30,000 qps combined and with rolling logs the last million
lines or so don't show any trace of POLL on centos 6.4 with bind
compiled from latest isc.org src.  the only option i have is enable-ssl.

not much help i know, but it does seem solaris/compile specific.  maybe
something like this can help:

http://comp.protocols.dns.bind.narkive.com/fijjEh47/workaround-solaris-s-kernel-bug



9.9.3-P2

2013-06-24 Thread Mike Hoskins (michoski)
i'm probably the last to notice, but first...good work on the site
redesign.  nice and clean.


generating a new internal package for 9.9.3, and going through the
site/request form i get directed here:

http://www.isc.org/wp-content/plugins/email-before-download/download.php?dl=7a5b7f9dbac01f45b0fd96cfd7e4e39b


which downloads 9.9.3-p1, but then there's this:

https://kb.isc.org/article/AA-00889/0/BIND-9.9.2-P2-Release-Notes.html

which points to 9.9.3-p2, and has a link to download all bind
versions...but that just goes to the dl page/form which links to p1.

has the latest p1 tarball incorporated the fixes in those release notes,
is there a link i've missed for p2, or am i just going insane (or any
combination of the above)?

sorry to ask an obvious question...but i'm already a bit behind the times,
and want to be sure i grab the latest.

thanks!



Re: 9.9.3-P2

2013-06-24 Thread Mike Hoskins (michoski)
Fwd to spare the list further responses :-)

-Original Message-

From: Mike Hoskins micho...@cisco.com
Date: Monday, June 24, 2013 4:59 PM
To: sgra...@isc.org sgra...@isc.org
Subject: Re: 9.9.3-P2

-Original Message-

From: Sue Graves sgra...@isc.org
Organization: Internet Systems Consortium
Reply-To: sgra...@isc.org sgra...@isc.org
Date: Monday, June 24, 2013 4:51 PM
To: Mike Hoskins micho...@cisco.com
Subject: Re: 9.9.3-P2

Hi Mike,
9.9.two-P2 release note, not 9.9.three-P2.  So 9.9.3-P1 is the latest
BIND 9 release.

Thanks all for a little sanity on another insane Monday...

So the correct answer is c, for "I'm going insane".

Cheers!



Re: Health Check feature in BIND ?

2013-06-17 Thread Mike Hoskins (michoski)
-Original Message-

From: Lawrence K. Chen, P.Eng. lkc...@ksu.edu
Date: Monday, June 17, 2013 2:55 PM
To: Gaurav Kansal gaurav.kan...@nic.in
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Health Check feature in BIND ?

- Original Message -
 Dear All,
 
 I was just thinking whether it is possible to have a some type of
 health checking of servers through BIND DNS Server and DNS Server
 should replied to clients based on that only.
 
 
 
 i.e., Suppose I have two entries of www record for domain xyz.in
 having ip address 10.1.1.10 and 10.2.2.10.
 
 Now I want that my DNS Server should check whether the server is up
 or not before replying to clients.
 
 If one is down, then DNS server should reply the IP address of the
 second one.
 
 
 
 Although this is not a DNS Job and we should use Load-Balancer for
 this.
 
 But I just wanna to check whether this feature is available in Bind
 or in any Open-Source Program which in turn can be combined with
 BIND to achieve the desired result.
 

Well, doesn't DNS kind of already do this...if the first DNS server isn't
up, then the user's resolver will timeout and try the next resolver

For DNS/MX yes, but I didn't read that as a limitation of the original
request (e.g. how would you do the same auto-redirect with web or other
server types -- round robin alone can be particularly problematic).

You could certainly handle the more generic case with commercial
appliances, or a bit of tinkering on a budget.



Re: This list's prefix

2013-06-06 Thread Mike Hoskins (michoski)
-Original Message-

From: Elmar K. Bins e...@4ever.de
Organization: unorganized since 1789
Date: Thursday, June 6, 2013 6:18 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: This list's prefix

s...@resistor.net (SM) wrote:

 And the 100-dollar-question is: How do you remove them on outgoing
mails? ;-)
 The answer is to edit the subject line after hitting the reply button.
:-)

I feared this would be the ugly truth...

Or don't buy into religion and have a simpler life.

;-)



Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Narcis Garcia informat...@actiu.net
Date: Wednesday, June 5, 2013 12:43 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: This list's prefix

It's not the only mailing list where I'm subscribed.
Could please the administrator setup a prefix for messages' subject?

For example:
[bind-u]

Or do your own dirty work, and filter yourself.

List-Id: BIND Users Mailing List bind-users.lists.isc.org


If you are on many mailing lists, folders vs an inbox full of subjects
will be easier to read...



Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Narcis Garcia informat...@actiu.net
Date: Wednesday, June 5, 2013 1:02 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: This list's prefix

Somebody has answered me privately and I didn't realize it until I had
checked all the details of each message.  I came close to responding to the
list about that message, unknown to the whole list.

There are some Mailman features that help a lot with usability for
users, both the subject prefix and the Reply-To list.
It's a small step for the single administrator, and big, multiple steps
for the rest of the people.

I'm fairly certain the list maintainers understand Mailman's features, and
probably have understood similar features since before Mailman existed
(majordomo *gasp*).  That said, we're debating a personal preference.
Opinions are like...  for those who don't want the default behavior, you
can do whatever you prefer (support yourself vs relying on others -- it's
not a hard task to set up filters).  Others are fine with it.  Life goes on.



Re: This list's prefix

2013-06-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Warren Kumari war...@kumari.net
Date: Wednesday, June 5, 2013 1:46 PM
To: Narcis Garcia informat...@actiu.net
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: This list's prefix

--
Curse the dark, or light a match. You decide, it's your dark.
-- Valdis Kletnieks

Very appropriate!



Re: architecture question

2013-05-09 Thread Mike Hoskins (michoski)
-Original Message-

From: Tony Finch d...@dotat.at
Date: Thursday, May 9, 2013 11:01 AM
To: Matus UHLAR - fantomas uh...@fantomas.sk
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: architecture question

Matus UHLAR - fantomas uh...@fantomas.sk wrote:
 On 09.05.13 10:21, Tony Finch wrote:
  Right. Give each student a subdomain of some existing domain, even if
the
  subdomains aren't publicly delegated.

 yes, so they will start using it in their job and home.

They shouldn't do that if the teacher has properly explained how domains
are delegated and who the tutorial domain belongs to.

Based on #students generate N random-string sub-domains assigned in their
course handout.  You can either pre-delegate those or let them delegate
the named domain, based on your requirements.  Start with a fresh config
and newly generated set of sub-domains each quarter.  Just a thought if
you want to go this route and avoid misuse.



Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jeremy P jpcra...@gmail.com
Date: Wednesday, May 8, 2013 1:33 PM
To: Steven Carr sjc...@gmail.com
Cc: bind-users bind-users@lists.isc.org
Subject: Re: architecture question

I understand letter of the law, spirit of the law and playing it safe to
avoid headaches.

However, there are times where registering a real domain just isn't
practical.  For example, I'm not going to ask all of the students in my
courses to go out and register a .com for the semester.  It would be a
waste of money as their systems never leave the local network, except
through a NAT connection.  So in those types of instances, I'm assuming
.lan or .test are safest?

I've seen .lan before, and .test should certainly suffice for student use.

http://tools.ietf.org/html/rfc2606



Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jonathan Reed cronst...@gmail.com
Date: Wednesday, May 8, 2013 4:38 PM
To: Jeremy P jpcra...@gmail.com
Cc: bind-users bind-users@lists.isc.org
Subject: Re: architecture question

It would be a waste of money as their systems never leave the local
network, except through a NAT connection.

Godaddy is selling .coms for $0.99 right now (US/Canada). In the spirit
of an educational setting, it might be a viable exercise for students to
understand how easy and affordable it is to establish a legitimate
digital entity.

The spirit of education is often saving money based on a former life as a
lab tech.  While cheap, the proposal to "just go register a real one!"
seems good for $registrar, but potentially bad for the Internet (will we
end up with a bunch of garbage domains that are never used again, and
might actually want to be used by someone else, but will then be squatted
when they expire? yada yada), and better suited for business vs school
networks.

Also, I had a digital entity long before entering a college setting.  I
suspect kids these days are even more likely to have similar.  If real is
the answer, maybe most students wouldn't have to do anything at all.

I really think a lab experiment would be fine using local TLDs, but I
guess it's impossible to really know how valid some of the concerns are
unless we sit through the class or see the course material.  :-)



Re: ANNOUNCEMENT: New BIND versions are available.

2013-04-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Doug Barton do...@dougbarton.us
Date: Saturday, April 13, 2013 12:34 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: ANNOUNCEMENT:  New BIND versions are available.

Michael,

Thanks for this announcement, and a welcome change.

Given the following:

1. bind-announce is very low volume, and carries only critical
information that the community needs to know
2. Currently all posts to bind-announce are duplicated to the other lists

Wouldn't it make sense to 'sort -u' the membership of the 3 lists, call
that the new bind-announce, and give people a 1-time message about how
to unsubscribe if they don't want to be there?

I applaud ISC's desire to not subscribe people to lists willy-nilly
without their permission, but given the specific circumstances here you
may have over-engineered the solution a bit. :)

Doug

I don't get why expecting to receive announcements on -announce is so
surprising.  People that don't get that likely don't keep BIND updated
anyway.  ;-)

I'm not too passionate either way...currently getting ~6 (one per version,
per list) announces each time a new version comes out is something I've
been dealing with for years.

However, a question to ask might be how other OSS projects do it.  People
used to managing OSS will generally be on several lists with -chat,
-users, -announce, etc.  POLA.



Re: Simple question about zone and CNAME

2013-04-05 Thread Mike Hoskins (michoski)
-Original Message-

From: Chris Thompson c...@cam.ac.uk
Date: Friday, April 5, 2013 3:10 PM
To: Bind Users Mailing List bind-users@lists.isc.org
Subject: Re: Simple question about zone and CNAME

On Apr 5 2013, John Wobus wrote:

 DNAME? runs away, giggling...

Or SRV records.  Surely browsers are adding support
in the next day or two?

Come on, April 1 has been over for too long for this.

Incidentally, we have just been asked for an A record for cam.ac.uk to
duplicate www.cam.ac.uk because, and I quote, all the publicity material
sent out by the nominator [for an award for the web site] gave the URL
as http://cam.ac.uk/ and this has been retweeted around.

Yes, sadly I've lost that technical battle with marketing several places
now.



Re: Forward First on Master Zone (bypass SOA)

2013-04-01 Thread Mike Hoskins (michoski)
-Original Message-

From: Kevin Darcy k...@chrysler.com
Date: Monday, April 1, 2013 2:46 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Forward First on Master Zone (bypass SOA)

On 3/29/2013 12:09 AM, Doug Barton wrote:
 On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
 My organization is evaluating the use of split-view DNS in our
 environment.

 Simple ... don't do it. It's almost never the right answer, and as
 you're learning carries with it more administrative overhead than the
 problems it's designed to solve.

 Much better to spend the time carefully considering what your goals
 are, and finding other ways to reach them.
And your alternative is what? Run the external version of the namespace
on a completely separate infrastructure from the internal version?

Wouldn't you do that to some extent anyway, to separate external infra --
which I'd think is authoritative only -- and internal which is likely a
mix of authoritative and recursive?

I guess we've overkilled...We're running a split-horizon config on
separate infrastructure.

There have always been those for and against split horizon.  I often flip
back and forth since I see logic in many of the arguments on both sides.
When I usually hear people speak against split-horizon it has to do with
added complexity and minimal benefit (can be harder to debug, confusing to
new admins, internal resources should rely on more than DNS for protection
and leak out in a lot of ways beside DNS, etc).  They generally advocate
converging the namespace itself more than dictating what the
infrastructure should look like.  You could have a cohesive name space
served from separate infra or common infra using views and ACLs to decide
who can access the cache.  I would envision a hidden master feeding both
sets of infra so maintenance is still centralized.



Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-22 Thread Mike Hoskins (michoski)
-Original Message-

From: Shawn Bakhtiar shashan...@hotmail.com
Date: Friday, February 22, 2013 12:06 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: RE: Registrar that supports self-run domains and provides DNSSEC support

2) We don't buy or maintain street addresses from a for profit company,
why should domain name be any different? Domain name registration should
be a free government/ ma'bell function.

Being an outsider with no beef or raves for GD (just realized that sounds
like something else), I feel this isn't necessarily true.  Government
functions rarely get run well, at least here in the US.  They're slow,
bloated, and tend to spend lots of tax dollars (not really free) producing
things hackers easily circumvent the day after release.

Also, in ma'bell (er um netsol?) fashion, lack of competition stifles
innovation.  Of course all the registrars don't do what any one of us
likes, but at least there is choice.  Lack of competition also tends to
drive price up vs down.

However, I'm not sure making choices based on cheaper and then
complaining about quality makes sense.  I'd like to think such gems could
exist, but it's certainly not illogical to expect problems from free
services with less money to devote to improving their infrastructure or
conducting R&D to adopt new technologies.

I know this last bit from experience, having worked at CLECs back in the
day and running an ISP that was severely underfunded because the Internet
was new and couldn't be trusted like a telephone.  Lots of committed
people working long hours for very little, but there's only so much you
can do with blood, sweat and tears.



Re: allow-query and views

2013-02-21 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz r...@htt-consult.com
Date: Thursday, February 21, 2013 12:53 PM
To: Vernon Schryver v...@rhyolite.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: allow-query and views

Whoa...  This is news.  A hidden view?  Where is this documented?  I
have no restrictions in my general options section.  Figured that the
specific view ones were all that was needed.  Now I am upset.

As usual, knowledge is easy but wisdom takes time...

http://www.cymru.com/Documents/secure-bind-template.html

You can easily incorporate that before Passover.  :-)

hth



Re: BIND master , Windows 2008 stub zone not transferring

2013-02-21 Thread Mike Hoskins (michoski)
-Original Message-

From: Sowmya Manjanatha sowmy...@gmail.com
Date: Thursday, February 21, 2013 1:11 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: BIND master , Windows 2008 stub zone not transferring

Well, I have a stub zone on Windows 2008 server set-up to use two
different BIND server as its list of IPs to use as masters.  In the DNS
manager on Windows, you can always right click on the zone and select
Transfer zone from Master.  With Wireshark on Windows, I have found that
this triggers a DNS request for the given zone name.
You may be right that it may very well not be a zone transfer and just a
regular query/response.  However, I was just going by the terminology on
the zone from Windows.

Yes, it is a request for the NS RRset I presume...as Mark kindly pointed
out, stub zones do not transfer by definition:

http://technet.microsoft.com/en-us/library/cc771898.aspx

Another problem I am also having is that Windows 2008 server doesn't seem
to pick up the latest SOA i.e. it does not seem to honour the serial
number within the SOA.  It appears it just picks up the 1st response it
gets.  So, I find that sometimes the records are stale.  I am trying to
understand if there is any configuration in
BIND that can help provide the right response the 2008 server prefers.

Are you simply seeing the effects of TTL and caching on the Windows side?



Re: Cannot create A record issue

2013-02-20 Thread Mike Hoskins (michoski)
-Original Message-

From: Jsilliman jsilli...@gmail.com
Date: Wednesday, February 20, 2013 1:57 PM
To: Alan Clegg a...@clegg.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Cannot create A record issue

Ubuntu does not use that:

root@:/etc/bind# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Doh, so know enough about your distro to figure out where to look.  In
this case ``man resolvconf`` would likely be useful for you to read.

Also, you don't need to cat resolv.conf at all...just include full dig
output.  That will show the name server used:

OPS:54 f...@bar.baz:~$ dig google.com
snip
;; SERVER: a.b.c.d#53(a.b.c.d)



Re: BIND9 statistics-server: JSON?

2013-02-15 Thread Mike Hoskins (michoski)
-Original Message-

From: Jan-Piet Mens jpmens@gmail.com
Date: Friday, February 15, 2013 12:57 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: BIND9 statistics-server: JSON?

As a fan of BIND's statistics-server I was tempted to see if I could
reduce the size of the data (XML) named produces by adding an option to
produce JSON. The patch [1] (which is terribly quick and dirty) does that.

[1] https://gist.github.com/jpmens/4958763

Just wanted to say thanks for this, and hope it becomes official at some
point.  Many here prefer JSON anywhere it is available...sounds like we
are not alone.



Re: Randoming ports and firewall rules

2013-02-15 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz r...@htt-consult.com
Date: Friday, February 15, 2013 1:33 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Randoming ports and firewall rules

So it is past time for me to only use port 53 and support port
randomization.  But I do run iptables (and ip6tables) and the server
sits behind a Juniper SSG firewall.

Where are there instructions for setting up iptables for port
randomization

and for general firewall rules (I doubt I will find specific for my
Juniper).

I'm likely misunderstanding the question, but I think stateful firewalls
will address this for you.  Unlike the days of ipchains, iptables makes
this easy...as should any commercial firewall.  The idea being that when
you receive a query on 53/tcp or 53/udp and answer back on a random src
port, that entire conversation is tracked as one session and therefore
succeeds without a bunch of extra rules (the stateful rules are generated
and expired on the fly).

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall

Fully agreed that you need to leverage src port randomization in the
modern world.
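The stateful behaviour described above, as an added example that is not part of the thread: a toy conntrack-style UDP filter in Python, with constructed addresses, ports and a 30-second flow timeout, showing that replies to the resolver's randomly sourced outbound queries are matched by flow state rather than per-port rules, while the resolver itself still checks the reply's ID and port.

```python
"""Toy conntrack-style UDP filter in front of a recursive resolver.

Added example, not code from the mailing-list thread. Addresses, ports and
the 30-second UDP timeout are constructed sample values; the timeout stands
in for the firewall's UDP flow timeout."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dns_id: int  # 16-bit DNS message ID carried in the UDP payload


class StatefulDnsFilter:
    """Applies three rules in order, like a simple stateful INPUT policy:
    1. reply to a tracked outbound flow (ESTABLISHED)   -> ACCEPT
    2. new packet to our own 53/udp (static rule)       -> ACCEPT
    3. anything else                                    -> DROP
    """

    def __init__(self, local_ip, udp_timeout=30, seed=None):
        self.local_ip = local_ip
        self.udp_timeout = udp_timeout
        # A seed makes the demo reproducible; real port selection must use
        # a CSPRNG (SystemRandom here, or named's own randomization).
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        # Flow table: (remote_ip, remote_port, local_port) -> expiry time.
        self.flows = {}

    def send_query(self, auth_ip, dns_id, now):
        """The resolver sends a query from a random ephemeral port; the
        filter records the flow so the matching reply is let back in."""
        src_port = self.rng.randrange(1024, 65536)
        pkt = Packet(self.local_ip, src_port, auth_ip, 53, dns_id)
        self.flows[(auth_ip, 53, src_port)] = now + self.udp_timeout
        return pkt

    def inbound(self, pkt, now):
        """Verdict for a packet arriving from the network at time `now`."""
        if pkt.dst_ip != self.local_ip:
            return "DROP"
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        expiry = self.flows.get(key)
        if expiry is not None:
            if now <= expiry:
                return "ACCEPT:ESTABLISHED"
            del self.flows[key]  # flow timed out; treat the packet as NEW
        if pkt.dst_port == 53:
            return "ACCEPT:NEW-53"
        return "DROP"


def resolver_accepts(query, reply):
    """The check the resolver performs on top of the firewall: the reply
    must come from the server and port the query went to, arrive on the
    query's source port and carry the same 16-bit ID.  With a random port
    the space a forger must guess is ID x port, about 32 bits, instead of
    16 bits for a fixed source port."""
    return (reply.src_ip == query.dst_ip
            and reply.src_port == query.dst_port
            and reply.dst_port == query.src_port
            and reply.dns_id == query.dns_id)


def demo():
    """Run the scenarios from the thread and return each verdict by name."""
    fw = StatefulDnsFilter("192.0.2.53", udp_timeout=30, seed=7)
    auth, client = "198.51.100.10", "203.0.113.7"
    query = fw.send_query(auth, dns_id=0x1A2B, now=0)
    reply = Packet(auth, 53, fw.local_ip, query.src_port, 0x1A2B)
    # Same server, but aimed at a port no query went out from.
    wrong_port = Packet(auth, 53, fw.local_ip, (query.src_port % 64000) + 1025, 0x1A2B)
    wrong_id = Packet(auth, 53, fw.local_ip, query.src_port, 0x1A2C)
    client_query = Packet(client, 40000, fw.local_ip, 53, 0x0001)
    return {
        "ephemeral_port_ok": 1024 <= query.src_port <= 65535,
        "reply": fw.inbound(reply, now=5),
        "unsolicited_to_random_port": fw.inbound(wrong_port, now=5),
        "client_query_to_53": fw.inbound(client_query, now=5),
        # Flow state never looks at the DNS ID; that is the resolver's job.
        "firewall_passes_wrong_id": fw.inbound(wrong_id, now=5),
        "reply_after_timeout": fw.inbound(reply, now=31),
        "named_accepts_reply": resolver_accepts(query, reply),
        "named_rejects_wrong_id": resolver_accepts(query, wrong_id),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```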



Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz r...@htt-consult.com
Date: Wednesday, February 13, 2013 10:53 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: chroot/etc/named/ directory?

I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
Centos 6.3.

I have and will run bind chrooted and on my test setup I noticed a 'new'
subdirectory in the chroot tree:

/var/named/chroot/etc/named/

I cannot find any documentation as to what is intended to be placed in this
subdirectory.  my includes for named.conf?

I am assuming the pki subdirectory is for DNSSEC related files, but I
have not found any documentation indicating so.  But then I have not
plowed through DNSSEC documentation in depth yet.

If you installed bind*-chroot, it will populate the /var/named/chroot
hierarchy.  It's not strictly required (though I would suggest it), but if
you intend to run BIND chrooted /var/named/chroot is essentially /.
You'll have to place the usual things BIND needs to operate under that
directory -- configs, zones, etc.  Assuming this came from the chroot RPM,
you'll already have other essential pieces for chroot such as your
null/random/zero devices.  Since you mention CentOS, you'll likely also
want to pay attention to things like ROOTDIR in /etc/sysconfig/named.

Having said all that, you might search the archives (SRPMS have been
provided by community members) or other sources for a newer BIND while
you're at it...9.8.2 isn't ancient, but also not technically up to date
now.  I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1
probably makes sense for you today.  This won't affect your chroot setup,
just something worth considering since you're upgrading.



Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz r...@htt-consult.com
Date: Wednesday, February 13, 2013 2:15 PM
To: Mike Hoskins micho...@cisco.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: chroot/etc/named/ directory?

Having said all that, you might search the archives (SRPMS have been
 provided by community members) or other sources for a newer BIND while
 you're at it...9.8.2 isn't ancient, but also not technically up to
date
 now.

I am not up to building on my own and the few extra repos I work with
(EPEL and rpmfusion) do not have a newer version all ready for Centos 6.3.

How bad is it? :)

That's for you to decide:

https://www.isc.org/software/bind/security/matrix

Of course RHEL/CentOS make it somewhat hard to know what 9.8.2 means
without reading change logs.  They tend to select stable software versions
at release time, then backport fixes with their own version numbering.  So
Red Hat's 9.8.2 likely has fixes for a lot of the ISC 9.8.2
issues...but you might want to confirm vs assume that.

I would want to find it already in an rpm. Once on the build it yourself
carousel you are set there and I have other things I am supposed to be
doing.

Understood.  Happily, running secure DNS infra is one of the things that
pays my mortgage.  :-)



Re: Slaving from DNS masters behind LVS

2013-02-12 Thread Mike Hoskins (michoski)
Note: Removing cross-post, but feel free to forward.

-Original Message-

From: Nick Urbanik nick.urba...@optusnet.com.au
Date: Tuesday, February 12, 2013 10:00 PM
To: keepalived-de...@lists.sourceforge.net
keepalived-de...@lists.sourceforge.net, bind-users@lists.isc.org
bind-users@lists.isc.org
Subject: Slaving from DNS masters behind LVS

Dear Folks,

We have a pair of DNS servers running BIND behind a direct routing LVS
director pair running keepalived.  Let's call these two DNS servers A
and B, and the VIP V.

We run a similar setup, so I'm looking forward to hearing the community's
answers.  My views below.

They slave from a hidden master; let's call it M.

I want to allow another machine S to slave from A and B, the pair of
DNS servers that are behind LVS.

Another machine F will forward to the DNS servers behind the load
balancer, A and B.

[There is another similar setup at another location, so there will
be a V1 and V2, A1, A2, B1, B2; all of A1, A2, B1, B2 slave from M.]

1. Should the machine in the SOA be V, or A or B?

I would use V.

Some will argue M if you are doing things like DDNS with DHCP...though
that's not clear here.  Even if you are, it should not require using M
with the right configuration.  I never publish my hidden master name in
public records.

2. Should the NS records for the zones be A, B and V, or just V?

I think it depends on what you are trying to accomplish.

From a Murphy's Law perspective, where the VIP could go down (or need to
be taken down for maintenance), if the real servers are reachable by
clients in this case...listing A and B would be useful.

However you might accomplish the same thing with multiple VIPs hosted on
separate LVS clusters pointing to different sets of real servers, where
you only list V, V', etc.  This is similar to what we do.

If you really don't want any queries directed to the real servers
themselves (or network topology prevents this), then you would only list V.

3. Should S slave from A and B, or should it slave from V?

Either way you achieve the primary goal of HA, via VIP or masters {}.  If
you use the VIP, you need to consider how much you care about the VIP
going down (maybe you don't if your expire time is high).  If you use
masters, you need to consider how often you add new servers and require
updates to your configuration.

4. Should F forward to V, or to both A and B?

I would actually set up a couple VIPs in cases like this, and use those as
my forwarders, resolv.conf entries, etc.  If a DNS resolver tries a given
VIP, which gets a timeout from one real server, odd things might happen if
the client can't fail-over to a second VIP (its retry logic will be tied
to the VIP address irrespective of # real servers).  Edge case for sure,
but something to consider when load balancing DNS.



Re: BIND 9.9.3b1 is now available

2013-01-25 Thread Mike Hoskins (michoski)
-Original Message-

From: Timothe Litt l...@acm.org
Date: Friday, January 25, 2013 6:13 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: BIND 9.9.3b1 is now available

On 25-Jan-13 17:32, Michael McNally wrote:
   BIND 9.9.3b1 is the first beta release of BIND 9.9.3.

 Makes available a new XML schema (version 3.0) for the statistics
 channel that adds query type statistics at the zone level,
 flattens the XML tree and uses compressed format to optimize
 parsing. It also includes new XSL that permits charting via the
 Google Charts API on browsers that support javascript in XSL.
 To enable, build BIND with configure --enable-newstats. [RT
 #30023]

 (c) 2001-2013 Internet Systems Consortium

2 bits of feedback on the beta announcement:

I have software that reads the stats channel.

Me too.  Took a while to get right, I'd hate to see it break.  :-(

Please, if you have a new schema, put it on another URI so that software
that wants the old schema gets it, and software that wants the new
explicitly requests it.  E.g.  '/statistics/v3'

Some sort of API-like deprecation would at least be cool...

But am I reading right?  If I don't build with --enable-newstats, all my
monitoring and trending scripts will continue to chug happily along with
the old view?



Re: what do you use for logging?

2013-01-17 Thread Mike Hoskins (michoski)
-Original Message-

From: Alan Batie a...@peak.org
Date: Thursday, January 17, 2013 1:52 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: what do you use for logging?

On 1/17/13 10:48 AM, Jan-Piet Mens wrote:

 By the way, all of the BIND10 logging messages are unique and we provide
 a paragraph or more documentation for each of its 933 possible log
 identifiers!)
 
 I haven't checked whether you have that, but that screams for a CLI
 utility to show the paragraph without having to browse documentation. :)

Agreed!

We use rsyslog here...

Could CLI utility be man(1) and info(1)?  :-)

I agree, being able to access the full documentation from command line is
always useful...but probably doesn't require a new utility so much as an
investment in porting documentation to applicable formats.

FWIW, we package our own from source internally, and use
syslog-ng/rsyslog/logstash/elasticsearch.  Syslog as the default is
perfectly fine with us.  I do also use the rotated file method a few
places, so hoping that doesn't disappear.

Thanks for asking the list.



Re: MNAME not a listed NS record

2013-01-16 Thread Mike Hoskins (michoski)
-Original Message-

From: Vernon Schryver v...@rhyolite.com
Date: Wednesday, January 16, 2013 5:05 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: MNAME not a listed NS record

>> From: Dave Warren li...@hireahit.com
>>
>> Various online DNS diagnostic tools throw warnings,
>
> Speaking of so-called DNS diagnostic tools, one claims that my domains
> have DNS servers with private network addresses.  My only guess is
> that they don't know the difference between IPv6 addresses and
> RFC 1918 addresses.  On the other hand, maybe that was random FUD
> intended to drum up business, because they've stopped that nonsense
> in the last 3 days and without my changing anything.

Same thing here.  It's important to remember these tools are written by
humans that also have busy mornings where they don't get to drink enough
coffee...  :-)

A while back we updated an internal tool that generates DNS records as part
of a hosted email solution and one of these tools started baulking.
Everything we were doing was RFC compliant, but the tool turned red.  This
spawned a lot of calls to support from customers who took the tool as an
omniscient being; support escalated to management because the customer is
always right (and they were threatening to go elsewhere even after being
pointed to the relevant RFCs and walked through dig showing everything worked
just fine in practice).

After triple-checking the RFCs and contacting the maintainer with our
justification, the tool started doing the right thing a few weeks later.

So now we need tools that check the tools, and they need to be written by
omniscient beings...

Failing that, the big thing I hope folks learn from this is that automated
tools written by third parties are helpful at times, but no substitute for
familiarity with standards and generally understanding how things work.



Re: Name resolution fails if not forwarding

2013-01-09 Thread Mike Hoskins (michoski)
-Original Message-

From: Daniele d.imbrog...@gmail.com
Date: Wednesday, January 9, 2013 9:17 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Name resolution fails if not forwarding

> This is the scenario.
>
> I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04,
> virtualized on VirtualBox.
> The network works properly because if I indicate a different server from
> my own BIND9 (the first line of '/etc/resolv.conf' is, for example,
> `nameserver 8.8.8.8`) the lookups and any action on the Internet
> succeed.

What are you using for a firewall?  iptables within UBUNTU, your internet
gateway, both, something else?

With iptables, it's stateful so outbound queries should allow what's
needed inbound...if it's related, you should be able to check stats and
look for drops.  It's not perfect, but on a typical small network you
should be able to use -Z (zero counters), run some queries, then use -nvL
to see what if any rules are incremented.

IPTables 'port' matches don't match UDP fragments after the first one, so
you either need to use stateful matching (-m state --state
related,established) or specifically accept trailing fragments (the
iptables -f option for IPv4, or -m frag ! --fragid 0 for IPv6).

For something like a home router, it's harder...but there are sometimes
firewall-related statistics exposed through the web interfaces (varies
from vendor to vendor).  It might also be some form of masquerading
getting in the way (e.g. DNS queries get rewritten as your defgw which
confuses iptables).  Just reaching for ideas.

Regardless, spending more time with your firewall might be
worthwhile...try a few queries with it disabled just to get an idea if
that's where to look.

> BIND9 configuration is the default one.
> I deleted all local zones that I added (even if internal lookups worked
> correctly). Now there are only default zones (root, localhost,
> 127.in-addr.arpa, 0.in-addr.arpa, 255.in-addr.arpa).
> Options are the default ones:
>
> options {
>     directory "/var/cache/bind";
>     dnssec-validation auto;
>     auth-nxdomain no;
>     listen-on-v6 { any; };
> };

Is /var/cache/bind writable by the user BIND runs as (named/bind vs root)?

> In this situation, if I dig anything the lookup fails, and the log is
> full of "lame server" and FORMERR.

Unfortunately "lame server" is a can of worms (search the archives), but
FORMERR in my experience often indicates firewall problems on one end or
the other (malformed responses).

> Why?
> Perhaps the problem is due to the presence of the "dnssec-validation" line?

It shouldn't be that alone.  However, you could test...does it work fine
if you set:

dnssec-enable no;
dnssec-validation no;


Good luck!

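The counter check suggested above (zero with -Z, run some queries, compare -nvL) automated as an added example; this is not code from the thread, and the two snapshots are constructed sample output in the column layout iptables prints, not captures from a real host. It reports every rule whose packet counter grew and separately lists the ones that discard or log traffic, which is where to look when replies to a resolver never arrive:

```python
"""Find which iptables rules a burst of DNS queries actually hit.

Added example, not code from the original thread. It automates the
check described in the reply: `iptables -Z` to zero the counters,
run some queries, then compare `iptables -nvL` output. BEFORE and
AFTER are constructed sample dumps, not captures from a real host.
"""
import re
from dataclasses import dataclass

_POLICY_CHAIN = re.compile(r"^Chain (\S+) \(policy (\w+) (\d+[KMG]?) packets")
_USER_CHAIN = re.compile(r"^Chain (\S+) \(\d+ references\)")
# pkts bytes target prot opt in out source destination [match options]
_RULE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def expand_count(text):
    """Expand the abbreviated counters iptables prints for big numbers (12K, 3M)."""
    return int(text[:-1]) * _SUFFIX[text[-1]] if text[-1] in _SUFFIX else int(text)


@dataclass(frozen=True)
class Rule:
    chain: str
    index: int      # 1-based position in the chain; 0 is the chain policy itself
    target: str     # ACCEPT, DROP, LOG, ... or "policy:DROP" for the chain default
    spec: str       # protocol, interfaces, addresses and match options


def parse_counters(output):
    """Map every rule (and chain policy) in an `iptables -nvL` dump to its packet count."""
    counters, chain, index = {}, None, 0
    for line in output.splitlines():
        if m := _POLICY_CHAIN.match(line):
            chain, index = m[1], 0
            counters[Rule(chain, 0, "policy:" + m[2], "")] = expand_count(m[3])
            continue
        if m := _USER_CHAIN.match(line):          # user-defined chains have no policy
            chain, index = m[1], 0
            continue
        if chain is None or not (m := _RULE.match(line)):
            continue                              # column header, blank line, other text
        index += 1
        spec = " ".join(p.strip() for p in m.groups()[3:] if p.strip())
        counters[Rule(chain, index, m[3], spec)] = expand_count(m[1])
    return counters


def rules_hit(before, after):
    """Rules whose packet counter grew between two snapshots, as (rule, delta)."""
    hits = [(rule, after[rule] - before.get(rule, 0))
            for rule in after if after[rule] > before.get(rule, 0)]
    return sorted(hits, key=lambda h: (h[0].chain, h[0].index))


def dropped_traffic(before, after):
    """Subset of rules_hit() that discards or logs packets."""
    return [(r, d) for r, d in rules_hit(before, after)
            if r.target in ("DROP", "REJECT", "LOG", "policy:DROP")]


# Constructed sample dumps: the same INPUT chain before and after a few queries.
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "iptables-drop: "

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

AFTER = """\
Chain INPUT (policy DROP 3 packets, 2745 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   47  6120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    3  2745 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "iptables-drop: "

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 61 packets, 5210 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    before, after = parse_counters(BEFORE), parse_counters(AFTER)
    for rule, delta in rules_hit(before, after):
        print(f"{rule.chain:>7} #{rule.index} {rule.target:<12} +{delta:<5} {rule.spec}")
    print("dropped/logged:", [(r.chain, r.target) for r, _ in dropped_traffic(before, after)])
```

In the constructed sample the LOG rule and the INPUT policy both grow by three packets (LOG is non-terminating, so anything it sees also falls through to the policy), which is the signal that something inbound matched none of the accept rules. On a real host run it against the output of `iptables -nvL` captured before and after the queries; iptables needs root, which is why the parsing is kept separate from running the command.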


Re: query about EDNS UDP Packet

2013-01-09 Thread Mike Hoskins (michoski)
-Original Message-

From: Gaurav Kansal gaurav.kan...@nic.in
Date: Wednesday, January 9, 2013 12:34 AM
To: Sten Carlsen st...@s-carlsen.dk, bind-users@lists.isc.org
bind-users@lists.isc.org
Subject: Re: query about EDNS UDP Packet

> Thanks for help.
> My Firewall was dropping packet size larger than 512 bytes.
> Cisco 5580 having ASA 8.3. It is by default blocking my EDNS0 Packet.

This should be a FAQ.  :-)

For anyone else who happens to be reading the archives -- googling for
"cisco edns0" will lead to a lot of useful information...better than
duplicating it all here.  Many older network devices (including Cisco) had
default policies which assumed a 512 byte limit.



Re: gitnamed, a project to manage name server by git

2013-01-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jan-Piet Mens jpmens@gmail.com
Date: Tuesday, January 8, 2013 4:35 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: gitnamed, a project to manage name server by git

>> GitNamed is a project that manages name servers by git. You can clone
>> the git repo to any workstation, edit zone files, commit and push.
>> The data will be pushed to the master and slave name servers on the fly.
>
> Very interesting; thanks for sharing.
>
> I hear the Fedora Project does something along similar lines. Code 
> 'docs' are at [1].
>
> -JP
>
> [1] http://infrastructure.fedoraproject.org/infra/dns/README

Thanks for sharing both.

Like the built-in sanity checks...Wonder why the fedora folks don't
automate the serial number update, since in my experience that seems to be
one of the top silly mistakes with BIND updates?

Our push process sets that to the mtime of the zone for non-dynamic zones,
which seems to work well except for the occasional DNS validation tool
baulking that we're not using MMDDNN format.  :-)

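The serial-number update discussed above, worked through as an added example (not code from gitnamed, the Fedora scripts, or the thread): it compares the date-style YYYYMMDDNN serial with the mtime-based one under the RFC 1982 serial arithmetic that secondaries apply, and rewrites the SOA serial in a zone file. The zone text is a constructed sample, and `bump_soa_serial`, `next_serial` and the other names are this example's own. One caveat it makes visible: a zone that has used date serials cannot simply switch to epoch seconds, because 1357680000 (an mtime in January 2013) sorts before 2013010801 by less than 2^31 and so counts as older; `next_serial` falls back to old+1 in that case.

```python
"""Pick a zone serial that secondaries will accept, whichever scheme you use.

Added example, not code from the original thread. It applies the RFC 1982
wrapping comparison that secondaries use to the two conventions the thread
mentions (YYYYMMDDNN and the zone file's mtime). ZONE is a constructed
sample; the helper names are this example's own.
"""
import datetime as dt
import re

SERIAL_SPACE = 2**32
HALF_SPACE = 2**31


def serial_gt(a, b):
    """RFC 1982: True if serial a is 'after' serial b (32-bit wrapping compare)."""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    return (a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE)


def date_serial(day, change_no=1):
    """YYYYMMDDNN: the change number NN leaves room for 100 edits per day."""
    if not 0 <= change_no <= 99:
        raise ValueError("change number must fit in two digits")
    return day.year * 10**6 + day.month * 10**4 + day.day * 10**2 + change_no


def mtime_serial(mtime):
    """Seconds since the epoch, as a push process keyed on the zone's mtime would use."""
    return int(mtime) % SERIAL_SPACE


def next_serial(current, candidate):
    """Use `candidate` only if secondaries will see it as newer; otherwise bump by one."""
    return candidate if serial_gt(candidate, current) else (current + 1) % SERIAL_SPACE


# SOA <mname> <rname> [(] [whitespace/comments] <serial>
_SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?(?:\s|;[^\n]*)*(\d+)")


def read_soa_serial(zone_text):
    """Return the serial of the first SOA record in a master-file zone."""
    m = _SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m[1])


def bump_soa_serial(zone_text, new_serial):
    """Return the zone text with the SOA serial replaced, refusing to move backwards."""
    m = _SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    old = int(m[1])
    if not serial_gt(new_serial, old):
        raise ValueError(f"serial {new_serial} does not sort after {old}")
    return zone_text[:m.start(1)] + str(new_serial) + zone_text[m.end(1):]


# Constructed sample zone using the date convention.
ZONE = """\
$TTL 3600
example.test.  IN SOA ns1.example.test. hostmaster.example.test. (
        2013010801 ; serial, YYYYMMDDNN
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; negative TTL
               IN NS  ns1.example.test.
ns1            IN A   192.0.2.1
"""
SAMPLE_DAY = dt.date(2013, 1, 8)
SAMPLE_MTIME = dt.datetime(2013, 1, 8, 21, 20, tzinfo=dt.timezone.utc).timestamp()

if __name__ == "__main__":
    current = read_soa_serial(ZONE)
    wanted = mtime_serial(SAMPLE_MTIME)
    chosen = next_serial(current, wanted)
    print(f"current {current}, mtime-based {wanted}, secondaries would accept {chosen}")
    print(bump_soa_serial(ZONE, chosen).splitlines()[2])
```

`serial_gt` is the whole story: a secondary only transfers when the primary's serial compares greater under that arithmetic, so the scheme used to generate the number matters less than never emitting a value that compares as older than the one already published.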


Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: Phil Mayers p.may...@imperial.ac.uk
Date: Thursday, January 3, 2013 9:44 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Distribute named.conf

> On 03/01/13 14:36, Warren Kumari wrote:
>
>> Yup, have a look at Puppet.
>>
>> For the first while it will seem like way way more work than it is
>> worth (and the whole declarative language bit makes my head hurt) but
>> after investing a few hours getting things setup you'll wonder how
>> you ever managed without it... Deploying a new server (or configs, etc
>> to a bunch of servers) suddenly becomes trivial...
>
> A bit OT, but we use cfengine (because puppet didn't exist when we
> started doing it), but I strongly endorse the general sentiment behind
> this statement; if you run any number of servers at all, a config
> management tool like puppet/cfengine will transform your working life.

We started with cfengine as well, for the same reason...I still love it,
but we are moving to Puppet mostly because they are very similar at a high
level, the mothership invests and other acquisitions use it (convergence).

That said, fully agree the tool doesn't matter -- you want configuration
management.  To me that minimally includes a tool like cfengine or puppet
and some sort of CMDB to track objects (and serve as an ENC).

>> Setup Puppet to distribute the file, and then have an exec action
>> that does: rndc addzone example.com '{type master; file
>> master/example.com; };'
>
> Does puppet provide built-in facilities to synchronise events across
> multiple servers, because that was a concern to the OP.

Yes, and so did cfengine all the way back to 2.x...though it was a bit
scary to try and use the RPC functionality.  :-)  In Puppet MCollective
should be able to handle this.  While it takes more setup than the usual
client install, it also provides functionality larger shops will likely
not want to live without.

There are also other orchestration layers beside MC, this paper gives a
good overview:

http://www.puppetlabs.com/wp-content/uploads/2010/03/FullyAutomatedProvisioning_Whitepaper7.pdf



Re: open-source tool for filter out stats from dns logs

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: Jeff Wright jwri...@isc.org
Date: Thursday, January 3, 2013 8:41 AM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: open-source tool for filter out stats from dns logs

> There might be some tools already out there (like Splunk) that do this
> for you.  I think you can get a free Splunk license if you parse
> relatively small amounts of daily data.  If you're particularly
> concerned about open-source, this thread might also help:
> http://stackoverflow.com/questions/183977/what-commercial-and-open-source-competitors-are-there-to-splunk

Just wanted to add a few things based on some research I've been doing...
By all means, start with the SO thread above and [your favorite search
engine] as I did.  This may just save folks some time.  :-)

Splunk is an amazing tool, but gets expensive fast when indexing much
data...  With the maturity of many OSS solutions, I'm not sure it even
makes sense on a small scale these days (unless you plan to stick with it).

After reading through several SO threads and spending many late nights
searching, I've mostly concluded that there are two OSS solutions (a mix
of technologies/tools) that can fill this gap.  You can go the neato
(newer, being discussed more) way of [ logstash + graylog + elastic search
] or the oldschool (relatively at this point) of [ syslog-ng + mysql +
sphinx ] (ELSA).

For the former, my initial research led to buzzword/acronym overload.  This
post helped immensely:

http://jpmens.net/2012/08/06/my-logstash-and-graylog2-notes/

And also led me to find this useful ES utility:

http://jpmens.net/2012/08/09/must-have-ui-for-elasticsearch/

These are also obvious places to start playing (the first is worth
visiting just to watch the, hilarious IMCO, video on the front page):

http://logstash.net/

http://graylog2.org/

http://www.elasticsearch.org/

Of course after setting all that up, some conclude it's too slow for
real-time analytics.  There's discussion about this on SO and other
places.  Based on your use cases, you might not care.  If you do, consider
ELSA:

https://code.google.com/p/enterprise-log-search-and-archive/

Somewhat dated, but great overview by the author (refer to the docs for
latest features):

http://ossectools.blogspot.com/2011/03/fighting-apt-with-open-source-software.html

We are in the process of building prototype environments for both of these
atm, so wanted to share.

hth



Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: wbr...@e1b.org wbr...@e1b.org
Date: Thursday, January 3, 2013 2:29 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: Distribute named.conf

> How does Puppet compare to Ansible?  http://ansible.cc/

Thanks for sharing, first I'd heard of it...

From a quick glance (in a rush atm), it seems ansible uses SSH and PUSH
whereas cfengine/puppet use TLS/SSL and PULL.  In general, scaling is
easier with non-SSH approaches built around PULL.

That said, Puppet is not scalable out of the box (unlike cfengine's
server, though you still need to tune several knobs there) -- but it's not
intended to be, a common misconception.  The built-in webrick server is
for development only, and building the more scalable web services
infrastructure (apache, passenger) is not as difficult as it first seems.
Many folks also run without a puppetmaster (masterless/nodeless).

It'd been a while since I'd checked, but I see ansible is not listed here
(in case others haven't seen the master table):

http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software

I highly advise anyone new to configuration management to set up some
virtual machines and play with as many solutions as time permits...they
each have interesting features, and no one solution will work for everyone
IMHO.



Re: Distribute named.conf

2013-01-03 Thread Mike Hoskins (michoski)
-Original Message-

From: wbr...@e1b.org wbr...@e1b.org
Date: Thursday, January 3, 2013 3:15 PM
To: Mike Hoskins micho...@cisco.com
Cc: bind-users@lists.isc.org bind-users@lists.isc.org,
bind-users-bounces+wbrown=e1b@lists.isc.org
bind-users-bounces+wbrown=e1b@lists.isc.org
Subject: Re: Distribute named.conf

> Mike wrote on 01/03/2013 02:45:29 PM:
>
>> Thanks for sharing, first I'd heard of it...
>
> I read about it on http://jpmens.net/
>
>> http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software
>
> It's there today.

Apologies to the list, it's what I get for typing on the run...  I meant
to say, I see it there (it just wasn't there in the past when I last
looked at that list).  Glad to see wikipedia is staying up to date.  :-)



Re: another performance tuning question

2012-12-02 Thread Mike Hoskins (michoski)
-Original Message-

From: Jeremy C. Reed jr...@isc.org
Date: Friday, November 30, 2012 4:18 PM
To: Adamiec, Lawrence ladam...@kentlaw.iit.edu
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: another performance tuning question

> On Fri, 30 Nov 2012, Adamiec, Lawrence wrote:
>
>> I got similar results when running against the master server.
>
> Then why so many lost?
>
>>    Queries sent: 11000 queries
>>    Queries completed: 8968 queries
>>    Queries lost: 2032 queries
> ...
>>    Percentage completed:  81.53%
>>    Percentage lost:   18.47%
>
> Look at your queryperf data file and figure out what is not hosted by
> you.  Some of my systems get around 60,000 QPS with none lost.  If you
> really do host these on the same system, and they are really lost, then
> you will need other research.
>
> Even if you are doing recursive work, your results are quite slow. You
> may want to look in your queryperf input to see what is causing
> problems. (It may not be a realistic, real-world input set.)

Based on your "hosted by you" reference, I assume 60K QPS was only
resolving local names?  If not I'd love to see the config.

Some extra data points for the OP:

I might have misread (or be mis-remembering since I last tested), but I
think the default resperf query file includes ten million real-world
entries -- if testing recursion, try it vs generating your own.

If you are not just doing local queries, from experience server hardware
(physical or virtual) and bandwidth play a big part in the numbers.  More
cores = more worker threads, faster connectivity to upstream servers =
more responses.

With the default resperf query file and drop rate capped at 1%, I was able
to get ~20K qps w/ four vCPUs vs ~5K with one vCPU (VMware, RHEL, BIND
9.8).



Re: truncated responses vs. minimal-responses?

2012-11-27 Thread Mike Hoskins (michoski)
-Original Message-

From: Matus UHLAR - fantomas uh...@fantomas.sk
Date: Tuesday, November 27, 2012 12:28 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: truncated responses vs. minimal-responses?

> Hello,
>
> last few weeks I have seen many discussions over UDP truncating and using
> minimal-responses yes; to prevent BIND from doing that.
>
> I've read an article stating that a nameserver should avoid truncating
> packets even by skipping additional and authority sections in its
> responses, which should mean that using minimal-responses would not help.
>
> However, I've seen a few mails mentioning that a query can get truncated
> when the authority section is too big and advice to turn minimal-responses
> on.
>
> Reading the 9.9.2 docs and even looking at the sources (I am not a C coder)
> did not help me with this.

It seems it should help...  fewer bits in the packet relating to additional
and authority should leave room for other data.

That said, I think the better way (when possible) is to adjust RRs not to
return too much data (e.g. NS, A, etc. not returning more than ~8 hosts
-- which in turn could be multicast, load balanced, etc to get the desired
scale).

Akamai, for example, defaults to limiting up to 8 RDATAs per RR (or
however you'd describe that).  If you add 20 As for a name you'll rotate
through 8 at a time.  You can request more at your own risk...they assume
you'll ensure the larger answer will fit in a UDP packet and not cause TCP
responses which cripple performance.

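The size question behind both this thread and the earlier EDNS0 one (a firewall dropping anything over 512 bytes), measured rather than guessed, as an added example that is not code from BIND or from the thread. It builds an authoritative A response in wire format with RFC 1035 name compression, with and without the authority and additional sections that minimal-responses suppresses, and optionally with an OPT record advertising a larger EDNS buffer. The zone, names and 192.0.2.0/24 addresses are constructed sample data; `build_response` and `udp_verdict` are this example's own names.

```python
"""Estimate whether a DNS answer fits in a 512-byte UDP datagram.

Added example, not code from the original thread or from BIND. It
encodes a response the way an authoritative server would (RFC 1035
name compression included) so the effect of minimal-responses and
of adding more A records can be measured in bytes. All names and
addresses are constructed sample data.
"""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_OPT, CLASS_IN = 1, 2, 41, 1
CLASSIC_UDP_LIMIT = 512          # RFC 1035 maximum without EDNS0


def _encode_name(name, offsets, msg_len):
    """Encode a name, replacing any suffix already in the message with a pointer."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                     # compress: 2-byte pointer
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        pos = msg_len + len(out)
        if pos < 0x4000:                          # pointers are 14 bits wide
            offsets[suffix] = pos
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    out += b"\x00"                                # root label terminates the name
    return bytes(out)


def _append_rr(msg, offsets, owner, rtype, rclass, ttl, rdata_fn):
    """Append one RR; rdata_fn(offsets, position) lets NS rdata compress too."""
    msg += _encode_name(owner, offsets, len(msg))
    msg += struct.pack("!HHI", rtype, rclass, ttl)
    rdlen_at = len(msg)
    msg += b"\x00\x00"                            # RDLENGTH placeholder
    rdata = rdata_fn(offsets, len(msg))
    msg += rdata
    struct.pack_into("!H", msg, rdlen_at, len(rdata))


def build_response(qname, zone, addrs, nameservers, minimal=False, edns_bufsize=None):
    """Authoritative answer to `qname A`: the answer section plus, unless
    `minimal`, the zone's NS set in authority and their glue in additional."""
    extra = [] if minimal else nameservers
    arcount = len(extra) + (1 if edns_bufsize else 0)
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400,   # QR + AA
                                1, len(addrs), len(extra), arcount))
    offsets = {}
    msg += _encode_name(qname, offsets, len(msg)) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ip in addrs:
        _append_rr(msg, offsets, qname, TYPE_A, CLASS_IN, 300,
                   lambda o, p, ip=ip: ipaddress.IPv4Address(ip).packed)
    for ns_name, _ in extra:
        _append_rr(msg, offsets, zone, TYPE_NS, CLASS_IN, 3600,
                   lambda o, p, n=ns_name: _encode_name(n, o, p))
    for ns_name, ns_ip in extra:
        _append_rr(msg, offsets, ns_name, TYPE_A, CLASS_IN, 3600,
                   lambda o, p, ip=ns_ip: ipaddress.IPv4Address(ip).packed)
    if edns_bufsize:
        # OPT pseudo-RR: root owner; the CLASS field carries the UDP payload size
        _append_rr(msg, offsets, ".", TYPE_OPT, edns_bufsize, 0, lambda o, p: b"")
    return bytes(msg)


def udp_verdict(msg, bufsize=CLASSIC_UDP_LIMIT):
    """Would this response need TC=1 (and a TCP retry) at the given UDP limit?"""
    return {"size": len(msg), "fits": len(msg) <= bufsize, "tc": len(msg) > bufsize}


# Constructed sample: one name with 20 addresses in a zone served by 8 name servers.
QNAME, ZONE = "www.example.test", "example.test"
ADDRS = [f"192.0.2.{i}" for i in range(1, 21)]
NAMESERVERS = [(f"ns{i}.example.test", f"192.0.2.{100 + i}") for i in range(1, 9)]

if __name__ == "__main__":
    for minimal in (False, True):
        resp = build_response(QNAME, ZONE, ADDRS, NAMESERVERS, minimal=minimal)
        print(f"minimal-responses {'yes' if minimal else 'no'}: {udp_verdict(resp)}")
    with_opt = build_response(QNAME, ZONE, ADDRS, NAMESERVERS, edns_bufsize=4096)
    print("EDNS 4096, full sections:", udp_verdict(with_opt, 4096), "vs 512:", udp_verdict(with_opt))
```

With the sample data the full response is 626 bytes and would be truncated at 512, while the same answer with minimal-responses is 354 bytes and fits; the 20 A records alone cost 320 bytes, which is the arithmetic behind keeping RRsets to roughly eight addresses. The EDNS variant (637 bytes) fits a 4096-byte buffer but is exactly the kind of datagram a firewall that still enforces 512 bytes will drop, so a client advertising a large buffer through such a device sees timeouts rather than TC.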