Re: Private IP address in A record
At least on BIND, this should work fine. You probably made some other error (check wherever your logs would likely go). Apart from the fact that, yes, no one really recommends this.

On 06/27/2014 12:11 AM, Teerapatr Kittiratanachai wrote:
> I know that this kind of implementation isn't recommended, but I don't understand why some DNS servers can answer the record normally while another can't.
>
> On Fri, Jun 27, 2014 at 10:42 AM, Noel Butler <noel.but...@ausics.net> wrote:
>> On 27/06/2014 12:32, Teerapatr Kittiratanachai wrote:
>>> Dear List,
>>>
>>> Yesterday I tried to map a private IP address on a public DNS server, but some server, actually 1 server, doesn't show the answer. But the Rcode is 0. So I already removed that record for now.
>>>
>>> Is it possible to set a DNS server to not show an answer that is a private IP address?
>>>
>>> Regards,
>>> Teerapatr Kittiratanachai
>>
>> Do not ever do this. If you need a private IP in DNS, use a view that affects your local network only.

-- 
*Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
Ryan Novosielski - Senior Technologist
novos...@rutgers.edu - 973/972.0922 (2x0922)
OIRT/High Perf Res Comp - MSB C630, Newark

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
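As an added illustration of the problem in this thread (example code written here, not from the posts above or from BIND): a small Python checker that scans a zone file for A/AAAA records pointing into RFC 1918, link-local or IPv6 unique-local space, which is the check to run on a zone before it is served to the Internet rather than to an internal-only view. The zone data is constructed.

```python
import ipaddress
import re

# Address ranges that have no business in a zone answered to the public Internet.
NON_PUBLIC_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
        "169.254.0.0/16",                                  # IPv4 link-local
        "fc00::/7",                                        # IPv6 unique local
        "fe80::/10",                                       # IPv6 link-local
    )
]

# Constructed sample zone (not the poster's zone).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@         IN SOA  ns1.example.com. hostmaster.example.com. (2014062701 3600 900 604800 300)
@         IN NS   ns1.example.com.
ns1       IN A    198.51.100.10
www   600 IN A    198.51.100.20
intranet  IN A    10.0.0.5        ; leaks internal addressing
printer   IN A    192.168.1.25
v6host    IN AAAA 2001:db8::1
v6local   IN AAAA fd00::1
"""

# owner [ttl] [class] type rdata -- covers the usual A/AAAA line layouts
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)\s*$")


def is_non_public(addr):
    """True if addr (an ipaddress object) lies in one of NON_PUBLIC_NETS."""
    return any(addr in net for net in NON_PUBLIC_NETS if net.version == addr.version)


def find_private_records(zone_text):
    """Return [(fqdn, rtype, address)] for every A/AAAA record with a non-public address."""
    origin = ""
    hits = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                                  # SOA, NS, directives, etc.
        owner, rtype, rdata = m.groups()
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                                  # malformed rdata: named-checkzone's job
        if is_non_public(addr):
            if owner == "@":
                fqdn = origin
            elif owner.endswith("."):
                fqdn = owner
            else:
                fqdn = f"{owner}.{origin}"
            hits.append((fqdn, rtype, rdata))
    return hits


if __name__ == "__main__":
    for fqdn, rtype, addr in find_private_records(SAMPLE_ZONE):
        print(f"non-public {rtype} record: {fqdn} -> {addr}")
```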
Re: How to setup a backup NameServer?
On 04/29/2014 07:48 AM, /dev/rob0 wrote:
> On Tue, Apr 29, 2014 at 11:49:49AM +0100, Niall O'Reilly wrote:
>> At Tue, 29 Apr 2014 10:24:58 +, houguanghua wrote:
>>> Yes, I had asked the same question months ago. I'm designing how to protect DNS for an ISP. The zones are not owned by the ISP. The ISP wants to protect the DNS query during an attack. So it's not a standard DNS solution. During the attack, the backup server will provide the DNS query and it works even if it can't refresh zones from the primary NS.
>>
>> 1. Which (or how many) zones do you expect your backup server to work for? (and why these zones in particular?)
>> 2. Do you have zone transfer access for these zones?
>> 3. How will you detect the attack and switch over to this backup server?
>
> You're asking for features which do not exist, and are unlikely to be in high demand. You're probably going to have to do/hire some custom programming, or else rethink the solution. I suspect the latter is your best bet.

To add a little to that: if it's a feature that doesn't exist and no one wants, that often (though not always) means it's not a good idea. DNS has been around a long time; everyone else has solved this problem some other way (a couple of which have already been mentioned here). There are a lot of ugly things ISPs do to DNS; I loathe all of them. I suspect many customers do too.
Re: Error Resolving / EDNS
On 09/19/2012 11:26 AM, James Tingler wrote:
> Thanks for the reply Carsten. This didn't make a difference but potentially I'm using the parameter incorrectly (no errors though).
>
> /etc/rc.d/init.d/named start -4
>
> tailing logs during service start:
>
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: using default UDP/IPv4 port range: [1024, 65535]
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: using default UDP/IPv6 port range: [1024, 65535]

^^ Clearly still listening with IPv6, so though there were no errors, it definitely didn't work. Check the init script and see how you might add that to the named command in the script, not passing it to the script.

> Sep 19 15:22:13 PROD55-DNS2 named[3676]: listening on IPv4 interface lo, 127.0.0.1#53
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: listening on IPv4 interface eth0, 10.52.10.127#53
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: generating session key for dynamic DNS
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 0.IN-ADDR.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 127.IN-ADDR.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 254.169.IN-ADDR.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: D.F.IP6.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 8.E.F.IP6.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: 9.E.F.IP6.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: A.E.F.IP6.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: automatic empty zone: B.E.F.IP6.ARPA
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: command channel listening on 127.0.0.1#953
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: command channel listening on ::1#953
> Sep 19 15:22:13 PROD55-DNS2 named[3676]: the working directory is not writable

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Sunos 5.8 Error:EDNS not supported by your namesever
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>
> --
> syedhaq
Re: Moving DNS out of non-cooperative provider
On 06/18/2012 12:19 PM, Tom Diehl wrote:
> On Mon, 18 Jun 2012, Alexander Gurvitz wrote:
>> Can someone enlighten me on the following scenario (I guess it's explained somewhere, but I can't find the info):
>>
>> example.com was served by ns.OLDprovider.net
>> example.com owner wants to move his domain to ns.NEWprovider.net
>> oldprovider.net is not cooperating, and continues to serve
>>   example.com 172800 NS ns.OLDprovider.net
>> (*.gtld-servers.net and ns.newprovider.com now serve
>>   example.com 172800 NS ns.NEWprovider.net)
>>
>> Recursive resolver ns.isp.com is queried for www.example.com every few minutes, and currently has
>>   example.com 45892 NS ns.OLDprovider.net
>> in its cache. www.example.com has a TTL of 3600. Thus each hour ns.isp.com queries ns.OLDprovider.net, with each query gets a new NS record, and... refreshes the NS TTL?
>>
>> Will ns.isp.com EVER query ns.NEWprovider.net?
>>
>> I'd be happy to know how BIND behaves, but also how other servers may behave in this case.
>
> It is not a question of how bind behaves. It is a question of how dns works. Bottom line is, set up nameservers with $NEWPROVIDER and change the nameserver records with your registrar and move on. All will be well when the TTLs time out. Until the TTLs time out, resolvers with the old nameservers cached will still query them. Once the TTLs time out the new servers will be queried.
>
> Hope this helps,

Incidentally I use NameCheap as a registrar, and have noted that their help pages are pretty easy to understand and explain this process in a helpful way. You don't have to be a customer to look at that stuff.
Re: dns_zones_check
On 05/16/2012 09:38 AM, Morty wrote:
> I'm writing a script to check the DNS zones listed in a bind named.conf for serial consistency, authoritative response, valid delegation, etc. It can integrate into nagios. I'm concerned about correctness (especially for non-IN classes and IPv6), as well as potential impact to root and TLD servers. Is anyone willing to beta test? Thanks!
>
> https://sourceforge.net/projects/dnszonescheck/

I use Xymon, but it does sound interesting.
Re: DNSSEC made simple, is this possible?
On 01/11/2012 10:47 AM, Phil Mayers wrote:
> On 11/01/12 15:31, Howard Leadmon wrote:
>> Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and
>
> As you found out, you cannot do that. auto-dnssec maintain requires that updates to the zone be via dynamic DNS.

Not that this is honestly so hard, however. I have played with it at home some and the nsupdate command means that you can still at least do this manually fairly easily from the command line. Is my read on that correct?

>> So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep DNS running smoothly. Is there some easy way to do this, some scripts someone has made, or some documentation to walk me through accomplishing this?
>
> This is called inline-signing and is a new feature in Bind 9.9, which is in beta. There is some discussion of the limitations and early bugs in the list archive. Google "bind 9.9 inline signing" for more info, and see the list archives.
Re: load-balancing in DNS using two A records
On 12/20/2011 12:37 PM, Martin T wrote:
> I have seen setups where one domain name has two address records. The first IP address is in the ISP-A network and the other one is in the ISP-B network. In case I execute "host www.domainname.com", I always get two IP addresses as a reply and they always appear by turns. Am I correct that a setup like this provides redundancy as well as load-balancing? Is there some common method in BIND to give out IP addresses by turns? Last but not least, how do application layers (for example www, ssh) handle such a setup?

The only thing involved is having two A records for the same name. It's not truly load-balancing, but it can do the trick in some circumstances. All applications I've seen ask for and use one IP address. Therefore, SSH will be sometimes connecting to one server and sometimes another. Generally with SSH you care what you're connecting to and will also have individual records for each host to use for that purpose.
Re: Not able to resolve a domain
How does one get a current bogons list? I'm assuming that there are entries that are generally recommended to be in there (and that they're provided with BIND's source when installing).

On 11/18/2011 11:33 AM, Evan Hunt wrote:
>> 1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter?
>
> That's my guess. 1.0.0.0/8 was one of the last network blocks allocated--last April, IIRC--and prior to that time it was often filtered because it was commonly used in spoofing attacks. In fact, the BIND 9 documentation contains a sample blackhole ACL which, until recently, specifically recommended filtering addresses in that block. The advice is outdated but I think someone is still following it.
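The failure Evan describes (a blackhole ACL that still lists a now-allocated block) is easy to audit mechanically. The Python below is an added example, not from the thread or from BIND's documentation: it pulls the prefixes out of a named.conf `acl` block and reports any that overlap space you know has since been allocated. The config fragment is constructed in the style of the old sample ACL, and only 1.0.0.0/8 in the allocated list comes from the thread.

```python
import ipaddress
import re

# Constructed named.conf fragment modelled on the old sample blackhole ACL
# (not the poster's configuration).
SAMPLE_NAMED_CONF = """\
acl "bogon" {
    0.0.0.0/8;        // "this" network
    1.0.0.0/8;        // once unallocated; allocated by IANA in 2010
    10.0.0.0/8;       // RFC 1918
    127.0.0.0/8;      // loopback
    192.0.2.0/24;     // TEST-NET-1
    224.0.0.0/3;      // multicast and reserved
};

options {
    blackhole { bogon; };
};
"""

# Constructed list of prefixes that old bogon lists carried but that are now
# allocated. 1.0.0.0/8 is the one discussed in the thread; extend as needed.
NOW_ALLOCATED = ["1.0.0.0/8"]

CIDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)")


def parse_acl(conf, name):
    """Return the IPv4 prefixes listed in acl "name" { ... }; as ip_network objects."""
    m = re.search(r'acl\s+"?' + re.escape(name) + r'"?\s*\{(.*?)\};', conf, re.S)
    if not m:
        raise ValueError(f"acl {name!r} not found")
    # strip // comments before looking for prefixes
    body = "\n".join(line.split("//", 1)[0] for line in m.group(1).splitlines())
    return [ipaddress.ip_network(tok, strict=False) for tok in CIDR_RE.findall(body)]


def stale_bogon_entries(conf, acl_name, allocated):
    """Return [(acl_entry, allocated_prefix)] for ACL entries that overlap now-allocated space.

    Any hit means legitimate clients and authoritative servers in that space get
    silently blackholed, which is exactly the SERVFAIL symptom in this thread."""
    stale = []
    allocated_nets = [ipaddress.ip_network(p) for p in allocated]
    for entry in parse_acl(conf, acl_name):
        for net in allocated_nets:
            if entry.overlaps(net):
                stale.append((str(entry), str(net)))
    return stale


if __name__ == "__main__":
    for entry, net in stale_bogon_entries(SAMPLE_NAMED_CONF, "bogon", NOW_ALLOCATED):
        print(f"stale bogon entry {entry}: overlaps allocated {net}")
```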
Re: DNS Sinkhole in BIND
On 10/17/2011 02:19 PM, Phil Mayers wrote:
> On 10/17/2011 06:38 PM, babu dheen wrote:
>> You are absolutely correct Chris.. I want to block/redirect all malware domain requests initiated by clients by setting up a DNS SINKHOLE in a Redhat BIND server.
>
> In older versions of bind, you needed to create a local zone per malware domain (or hostname). There's no special config - just a really big, long, list of zones. One problem - there can be hundreds or thousands, even tens of thousands of zones - and this makes bind slow to start, and use more RAM.

Do you know what version that arrived in? 9.8.0?
Re: DNS Sinkhole in BIND
I do this. There may now be a smarter way, but I have a small number so this is manageable for me: configure zones for each of the evil zones. Your server will appear authoritative and you can direct clients wherever you like. I direct some of mine to a virtualhost handing out 503 errors.

-- 
Sent from my Palm Pre

On Oct 17, 2011 13:46, babu dheen <babudh...@yahoo.co.in> wrote:
> You are absolutely correct Chris.. I want to block/redirect all malware domain requests initiated by clients by setting up a DNS SINKHOLE in a Redhat BIND server.
>
> --- On Mon, 17/10/11, Chris Thompson <c...@cam.ac.uk> wrote:
>> From: Chris Thompson <c...@cam.ac.uk>
>> Subject: Re: DNS Sinkhole in BIND
>> To: Bind Users Mailing List <bind-users@lists.isc.org>
>> Cc: babu dheen <babudh...@yahoo.co.in>
>> Date: Monday, 17 October, 2011, 8:19 PM
>>
>> On Oct 16 2011, babu dheen wrote:
>>> Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition.
>>
>> All the replies to this so far seem to assume that he wants to block evil entities from using his nameservers. But Google seems to suggest that "DNS Sinkhole" usually refers to redirecting names that are being used for evil purposes to e.g. a local monitoring station - not the same thing at all.
>>
>> --
>> Chris Thompson
>> Email: c...@cam.ac.uk
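The per-zone sinkhole that Phil Mayers describes for older BIND and that Ryan uses above is mostly boilerplate, so an added Python generator (written here, not code from the thread or from ISC) is the natural way to show it: one authoritative `zone` stanza per blocked domain, all sharing a single zone file whose apex and wildcard answer with the sinkhole host (a monitoring station or a "503" virtual host). It goes a little beyond the thread by collapsing subdomains of an already-listed domain, since every extra zone costs startup time and RAM as Phil notes. The file path, addresses and blocklist are constructed.

```python
import re

# Constructed values (not from the thread): the shared zone file and where
# every blocked name should resolve to.
SINKHOLE_ZONE_FILE = "/var/named/sinkhole.db"
SINKHOLE_IP = "192.0.2.53"             # local monitoring host or "503" virtual host
SINKHOLE_NS = "sinkhole-ns.example.net."

# Constructed blocklist: mixed case, trailing dot, a duplicate and a subdomain.
SAMPLE_BLOCKLIST = ["Evil-Tracker.EXAMPLE.", "malware1.test", "c2.malware1.test", "malware1.test"]

LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(domain):
    """Lower-case, strip the trailing dot and reject anything that is not a valid hostname."""
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a usable domain: {domain!r}")
    return name


def collapse_subdomains(domains):
    """Deduplicate and drop names whose parent is also listed: the parent zone's wildcard covers them.

    Parents are processed first (fewest labels), so a child is only dropped when its parent survives."""
    kept = []
    for name in sorted({normalize_domain(d) for d in domains}, key=lambda n: (n.count("."), n)):
        if not any(name.endswith("." + parent) for parent in kept):
            kept.append(name)
    return sorted(kept)


def sinkhole_zone_file(sinkhole_ip=SINKHOLE_IP, serial=2011101701, ns_name=SINKHOLE_NS):
    """One zone file reused by every blocked zone; the apex and the wildcard both answer with the sinkhole."""
    return (
        "$TTL 300\n"
        f"@   IN SOA {ns_name} hostmaster.{ns_name} ({serial} 3600 900 604800 300)\n"
        f"@   IN NS  {ns_name}\n"
        f"@   IN A   {sinkhole_ip}\n"
        f"*   IN A   {sinkhole_ip}\n"
    )


def sinkhole_zone_stanzas(domains, zone_file=SINKHOLE_ZONE_FILE):
    """Return named.conf text: one authoritative zone per blocked domain, all pointing at zone_file."""
    return "".join(
        f'zone "{name}" IN {{\n    type master;\n    file "{zone_file}";\n}};\n'
        for name in collapse_subdomains(domains)
    )


if __name__ == "__main__":
    print(sinkhole_zone_file())
    print(sinkhole_zone_stanzas(SAMPLE_BLOCKLIST))
```

Clients resolving any blocked name now get the sinkhole address from your resolver, and the sinkhole host's logs become the list of machines that tried.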
Re: better performance with 32 bit ! why?
Not necessarily. They are not apples to apples. Multi-core machines only excel at multi-threaded computational loads. I don't know how BIND does or does not qualify. I suspect, however, there may be some other differences between the two chips anyhow (cache size differences, etc.).

On 06/29/2011 09:33 AM, iharrathi@orange-ftgroup.com wrote:
> on server1 (64 bit) i have 2 Intel E5310 *quad*-core 1.6Ghz and on server2 (32 bit) i have 2 Intel Xeon *dual*-core 2.33Ghz. means 8*1.6 Ghz on server1 and 4*2.33 on server2. 8*1.6 is better and faster than 4*2.33, no?
>
> Regards
> Issam Harrathi.
>
>>> The 64 bit server (server1) is faster than the 32 bit server (server2).
>>
>> Really? I thought you said the 64 bit server had a CPU with 1.6GHz cores, and the 32 bit server had 2.33GHz cores?
>>
>> Regards
>> Eivind Olsen
>
> IMPORTANT. This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure of this message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free.
Re: better performance with 32 bit ! why?
On 06/28/2011 12:30 PM, David Sparro wrote:
> On 6/28/2011 11:15 AM, iharrathi@orange-ftgroup.com wrote:
>> Hi all,
>>
>> I'm testing the same version of bind 9.4-ESV-R4-P1 on two servers, one is a 32 bit (on which i have a redhat 32 bit) and the second a 64 bit server on which i have a redhat 64 bit. on the 32 bit i reach 7 qps but on the 64 bit i only reach 5 qps (using resperf) and also with tcpreplay. Is it normal that bind when compiled and installed on a 32 bit server has better performance than bind when compiled and installed on a 64 bit server? the only difference between the two servers is 64 bit vs 32 bit (same RAM, same Disk, same NIC, ...) and CPU is better on the 64 bit (2 Intel E5310 quad-core 1.6Ghz) than the 32 bit (2 Intel Xeon dual-core 2.33Ghz).
>>
>> Thanks.
>
> The 32 bit rig is faster (2.33Ghz).

My understanding is that 64-bit is NOT faster in most cases, and only makes some things possible (addressing large amounts of memory is one stand-out) that are not possible with 32-bit. If bind is not going to be using over 4GB of RAM by itself, my understanding is that running 64-bit will merely add overhead. I realize that is a pretty big generalization, so feel free to correct me if you know better.
Re: please remove me from this mail list
...which is posted at the bottom of EVERY list posting (sorry, a pet peeve of mine).

On 06/02/2011 02:30 PM, lbro...@hostgator.com wrote:
> You can do this at https://lists.isc.org/mailman/listinfo/bind-users
>
>> Steve Ingraham
>> Director of Information Systems
>> Oklahoma Court of Criminal Appeals
>> mailto:singra...@okcca.net
>> 405 522-5343 (office)
>> 405 822-0621 (cell)
Re: Split DNS Configuration in BIND
On 05/31/2011 01:35 AM, Robert Spangler wrote:
> On Tuesday 31 May 2011 00:56, the following was written:
>> It's very simple. If you know basic firewall concepts, we will configure source NATing from the public IP address to the original website private address in the firewall. So when any users from the internet access my company website, they should obviously get the public IP of my company website, and once they get the IP address from DNS, it can contact the website using source NATing in the firewall. Here my concern is not with NATing or the firewall. My basic requirement is how can I configure split DNS to maintain two different IP addresses for the same website.
>
> I think you are getting your terminology mixed up here.
>
> Split DNS is when you have 2 DNS servers, one internal and the other external. The internal server serves the clients internally and the external serves the people on the Internet. This setup is very easy as both servers hold the same records with the proper IP addresses.
>
> The other would be VIEWS. This is when you have a single DNS server serving both internal and external requests but you want to supply a different IP address for the same host name depending on where the request is coming from.
>
> If you are thinking/talking VIEWS then give these websites a look:
>
> http://www.howtoforge.com/two_in_one_dns_bind9_views
> http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/

...the end result of which (just to check my own knowledge) is the same as a split DNS, just without needing a second set of servers, right?
Re: Change Query Type on nslookup
'dig' is a better tool in every way, I think. "dig host.example.com" I believe is the syntax there.

-- 
Sent from my Palm Pre

On Apr 7, 2011 1:02, mee thun <mas.mi...@gmail.com> wrote:
> Good Morning..
>
> I am a new member in this mailing list. I need help to change the query type in the nslookup command. The default nslookup uses A, but I use ipv6 so the query type must use . I don't know how to change the default nslookup from A to permanently?
Re: dots in hostnames problem
There are a lot of unfortunate practices one can find in DNS names. I'd personally recommend not doing anything that conflicts with the RFC. At my place of business, we slave a zone from a group that has underscores in the hostnames, which is also not allowed. It does not appear to hurt anything, but I wouldn't be surprised if something funny happens someday and is traced to that.

On 03/09/2011 01:16 PM, Ben Croswell wrote:
> The dots delineate domains even if you don't view it as a new domain.
>
> -Ben Croswell
>
> On Mar 9, 2011 1:13 PM, Matt Rae <matt...@gmail.com>
Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
Take a look at this. It is somewhat confusing, but it is helpful and should tell you right away if you definitely have a firewall issue (and frankly there's little else it could be).

https://www.dns-oarc.net/oarc/services/replysizetest

On 02/23/2011 11:15 AM, Shaoquan Lin wrote:
> Thanks, Mark,
>
> Last June I asked our firewall person to make sure our firewall was not blocking DNS packets over 512 bytes. He told me our firewall was not blocking. I guess that might be some default setting of the firewall and he does not really know.
>
> I did two digs here, one with +dnssec and one without. I got the following:
>
> 1) with +dnssec:
>
> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> 2) without +dnssec:
>
> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;vwall4a.nyc.gov.               IN      A
>
> ;; AUTHORITY SECTION:
> nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
> nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
> nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
> nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.
>
> ;; ADDITIONAL SECTION:
> vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
> vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
> vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
> vwall4a.nyc.gov.        86400   IN      A       167.153.130.13
>
> ;; Query time: 31 msec
> ;; SERVER: 209.112.123.30#53(209.112.123.30)
> ;; WHEN: Wed Feb 23 11:12:48 2011
> ;; MSG SIZE  rcvd: 192
>
> Does this show we do have a firewall problem here?
>
> Shaoquan Lin
>
> Mark Andrews wrote:
>> In message 0539E64AD2B54AD2804C2394F923800B@se179, Shaoquan Lin writes:
>>> Mark,
>>>
>>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is that I cannot get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from b.gov-servers.net by BIND 9.6.1-P3, but with no problem with older BINDs like 9.3.
>>>
>>> I don't know if the problem is with the authoritative nameservers for gov or the nameservers for nyc.gov or with the BIND I am using. I noticed the following:
>>
>> Just fix your firewalls to allow EDNS responses through. While this is a bug in the authoritative servers / interpretation of RFC 1034, it's only an issue because your firewall configuration is a decade out of date.
>>
>>> 1). a.gov-servers.net or b.gov-servers.net does provide A records in the additional records of their responses for other subdomains under gov like treas.gov, just not nyc.gov. So the problem seems to be with the nameservers for nyc.gov. The problem is relatively new and there might be some recent changes on nyc.gov.
>>
>> The gov servers will return glue if you let answers bigger than 512 bytes through your firewall.
>>
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1472
>>
>> ;; QUESTION SECTION:
>> ;vwall4a.nyc.gov.               IN      A
>>
>> ;; AUTHORITY SECTION:
>> nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
>> nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
>> nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
>> nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.
>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 20110227210022 2011010022 47602 gov. ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
>>
>> ;; ADDITIONAL SECTION:
>> vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
>> vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
>> vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
>> vwall4a.nyc.gov.        86400   IN      A       167.153.130.13
>>
>> ;; Query time: 187 msec
>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>> ;; WHEN: Wed Feb 23 11:54:06 2011
>> ;; MSG SIZE  rcvd: 574
>>
>>> 2) Older versions of BIND (like 9.3) seem able to resolve vwall4a.nyc.gov, as shown in the packets I captured in my previous e-mail.
>>>
>>> What options in named.conf can I use to set tc?
>>>
>>> Thank you.
>>>
>>> Shaoquan Lin

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
A couple more gems:

https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf

(really anything at dnssec-deployment.org)

There was another table that I found someplace and cannot find now that listed Cisco PIX and mentioned with a * the subtle difference between versions of that firewall firmware. I can't find that table anywhere -- it was HTML, not in a PDF.

On 02/23/2011 11:39 AM, Ryan Novosielski wrote:
> Take a look at this. It is somewhat confusing, but it is helpful and should tell you right away if you definitely have a firewall issue (and frankly there's little else it could be).
>
> https://www.dns-oarc.net/oarc/services/replysizetest
Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
There was also a "message-length client auto" or something like that too for some versions of some Cisco HW, but if memory serves, the version that introduced it is broken. :)

On 02/23/2011 04:54 PM, Warren Kumari wrote:
> In PIX versions 6.3.2 and below you had to do:
>
>   fixup protocol dns maximum-length 4096
>
> In later versions you need:
>
>   policy-map type inspect dns preset_dns_map
>    parameters
>     message-length maximum 4096
>
> or to increase the response size length:
>
>   policy-map global_policy
>    class inspection_default
>     inspect dns maximum-length 4096
>
> This is rumor and innuendo; I personally believe that:
> a: firewalls with ALGs are the devil,
> b: this goes double for PIX / ASA, and
> c: doubled again for putting them in front of servers, especially DNS servers.
>
> W
>
> On Feb 23, 2011, at 1:13 PM, Ryan Novosielski wrote:
>> A couple more gems:
>>
>> https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
>>
>> (really anything at dnssec-deployment.org)
>>
>> There was another table that I found someplace and cannot find now that listed Cisco PIX and mentioned with a * the subtle difference between versions of that firewall firmware. I can't find that table anywhere -- it was HTML, not in a PDF.
Re: Please Help
Glad to hear it was a help. Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning), so I have to assume that something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> We have checked the list archives and our side has increased the allowed DNS packet size. Now we are fine to get the correct answer for **.gov.
>
> Thanks for help and Best Regards,
> Xiao
> 2/17/2011
>
> -----Original Message-----
> From: bind-users-bounces+xhuang=graphnet@lists.isc.org On Behalf Of Ryan Novosielski
> Sent: Wednesday, February 16, 2011 5:47 PM
> To: bind-users@lists.isc.org
> Subject: Re: Please Help
>
> I asked this same question this week. Check the list archives.
>
> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>> From a couple of our DNS servers, we fail to get a correct DNS answer, like the following:
>>
>> 1) From server A
>>
>> # nslookup
>> Default Server: localhost
>> Address: 127.0.0.1
>>
>> > www.nyc.gov
>> Server: localhost
>> Address: 127.0.0.1
>>
>> *** localhost can't find www.nyc.gov: Non-existent host/domain
>>
>> 2) From server B:
>>
>> # nslookup www.nyc.gov
>> ;; connection timed out; no servers could be reached
>>
>> 3) Both servers run bind-9.7.2-P2
>>
>> Can anyone help?
>>
>> Thanks and Best Regards,
>> Xiao
>> 2/16/2011
Re: Please Help
I asked this same question this week. Check the list archives.

On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
> From a couple of our DNS servers, we fail to get a correct DNS answer, like the following:
>
> 1) From server A
>
> # nslookup
> Default Server: localhost
> Address: 127.0.0.1
>
> > www.nyc.gov
> Server: localhost
> Address: 127.0.0.1
>
> *** localhost can't find www.nyc.gov: Non-existent host/domain
>
> 2) From server B:
>
> # nslookup www.nyc.gov
> ;; connection timed out; no servers could be reached
>
> 3) Both servers run bind-9.7.2-P2
>
> Can anyone help?
>
> Thanks and Best Regards,
> Xiao
> 2/16/2011
Re: multi-master with mysql backend
> ...makes for a less reliable system than one just using BIND. The performance of a MySQL-based BIND server is much less than a standard BIND server. Managing DNS information using dynamic DNS provides a simple solution to updating the zone information.
>
> So, what is the actual advantage of using a MySQL backend to BIND? I'm not convinced that there is any advantage, and I am sure that there are many downsides to using this.
>
> Using MySQL for a backend to BIND is a fairly commonly proposed solution, but its actual implementation is not followed up on. I looked at using MySQL, but the performance limitations were an absolute deal killer. I set up a simple BIND/MySQL system and benchmarked it and duplicated the performance trends from the BIND-DLZ developers. Maybe this has been improved, but these results have not been published, so we don't know about it.
>
> If you do implement your MySQL solution, please, please, please, keep us informed about how it works for you. We would like to know more and are always willing to look at new technologies, but aren't too accepting of hand waving.
>
> Bill Larson
>
>> Riccardo
>>
>> On 2/12/11 11:33 PM, Doug Barton wrote:
>>> On 02/11/2011 01:51 PM, fddi wrote:
>>>> I understand you, but the advantage of having a mysql backend is that if one of the two servers dies, the other keeps running with up-to-date information, and can also be updated with new information. When the other server comes up again it will automatically sync itself using the mysql replica mechanism. If I use a file backend I have to manually sync it, and how do I keep track of modifications? For this I chose the mysql backend.
>>>
>>> Two questions: how often do you anticipate one of the masters failing, and how much data are you talking about? Generally the number of times a server fails is going to be pretty small; if it's not, you've got bigger problems. If you're not talking about a huge amount of data here (and from what you've described in previous posts, you're not) then you are fairly dramatically over-architecting your solution here.
>>>
>>> Personally I think David had a great idea in regards to using nsupdate to update both masters at the same time. If you really think that one of them is going to fail often enough to justify an automated solution, then scripting something that utilizes rsync shouldn't be too hard.
>>>
>>> hth,
>>>
>>> Doug
Re: BIND9 SERVFAIL on some .gov addresses
On 02/10/2011 04:19 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
>> health.nyc.gov query-errors:
>>
>> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX at query.c:4630
>> 10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at resolver.c:3057 for health.nyc.gov/MX in 0.46: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
>
> The adberr count looks like it can only be incremented by two code sections in lib/dns/resolver.c:
>
>         if (result != ISC_R_SUCCESS) {
>                 if (result == DNS_R_ALIAS) {
>                         /*
>                          * XXXRTH  Follow the CNAME/DNAME chain?
>                          */
>                         dns_adb_destroyfind(&find);
>                         fctx->adberr++;
>                 }
>         }
>
> [ ...and... ]
>
>                 if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
>                         fctx->lamecount++; /* cached lame server */
>                 else
>                         fctx->adberr++; /* unreachable server, etc. */
>
> This implies a connectivity issue between your client and the nyc.gov nameservers, I think. But there are local wizards lurking who are much more familiar with the code than I...

It is starting to appear as if this is an issue relating to EDNS, though I can't see specifically how. It does not appear to even be a size-related issue, but instead possibly something to do with packet fragmentation. I built a BIND 9.6.2 server on a CentOS VM -- it works fine off our network (connected via Verizon Wireless), but does not work on campus.

What I don't quite understand is why querying, say, 8.8.8.8 with a copy of dig on our network would work. Isn't the same thing ultimately going to have to pass through the same place in our firewall/network eventually, whether it's a nameserver asking for it or a client?
[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
On 02/11/2011 01:21 PM, Ryan Novosielski wrote:
> It is starting to appear as if this is an issue relating to EDNS, though I can't see specifically how. It does not appear to even be a size-related issue, but instead possibly something to do with packet fragmentation. I built a BIND 9.6.2 server on a CentOS VM -- it works fine off our network (connected via Verizon Wireless), but does not work on campus.
>
> What I don't quite understand is why querying, say, 8.8.8.8 with a copy of dig on our network would work. Isn't the same thing ultimately going to have to pass through the same place in our firewall/network eventually, whether it's a nameserver asking for it or a client?

So it was a two-part problem, one that pertains to BIND and one that pertains to the firewall.

1) I had max-udp-size=512, which is what I understood to be the prudent thing to have configured if your firewall had a DNS packet limit of 512. For whatever reason, that turned out not to be correct.

2) In the firewall we had a packet size limit of 512 for non-EDNS traffic and "client auto" for EDNS traffic. However, in our version of firewall firmware, this does not work (a bug), so all of our traffic was effectively limited to 512.

What I haven't yet figured out is why #1 would cause the connectivity problem that it did to the .gov DNS servers. It appears that perhaps something was destroying the fragmented packets. I'd be curious if there's someone out there who knows more than me and could help explain.
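The two-part diagnosis above (BIND's max-udp-size and a firewall that silently drops DNS replies over 512 bytes) and the dig pair earlier in the thread, where the query with +dnssec timed out while the same query without EDNS came back as a 192-byte referral, both come down to one test: advertise different EDNS0 buffer sizes and see which replies survive. The following is an added example written for this page, not code from BIND, ISC or any list participant. It builds the EDNS0 query and parses the reply by hand, and the server and "firewall" it talks to are constructed stand-ins (the 574-byte full answer mirrors the MSG SIZE in Mark Andrews' dig) so that it runs offline. To use it against a real authoritative server, replace FakeFirewalledServer.exchange with a UDP send/receive whose timeout returns None.

```python
"""Probe whether DNS replies above a given UDP size get through.

Added example, not code from BIND or the list posts; server, 'firewall' and
the 574-byte full answer (the MSG SIZE in the dig above) are constructed so
it runs offline.
"""
import random
import struct

TYPE_TXT, TYPE_OPT = 16, 41
FLAG_QR, FLAG_TC = 0x8000, 0x0200
PROBE_SIZES = (None, 512, 1232, 4096)   # None = classic query, no OPT RR


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, udp_size=None, dnssec_ok=False, txid=None):
    """Classic query when udp_size is None; otherwise append an OPT RR whose
    CLASS field advertises udp_size and whose TTL field carries the DO bit."""
    txid = random.getrandbits(16) if txid is None else txid
    msg = struct.pack("!6H", txid, 0, 1, 0, 0, 0 if udp_size is None else 1)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if udp_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size,
                                     0x8000 if dnssec_ok else 0, 0)
    return msg


def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # compression pointer: two bytes
            return off + 2
        off += 1 + n


def parse_message(msg):
    """Header flags, answer count, total size and the peer's EDNS size."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, edns = 12, None
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns = rclass
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & FLAG_TC),
            "answers": an, "size": len(msg), "edns_udp_size": edns}


def build_response(query, total_size, tc, server_udp_size=4096):
    """Reply of exactly total_size bytes: question, one zero-filled padding
    RR (only its rdlen matters) and an OPT RR. Contents are constructed."""
    txid = struct.unpack_from("!H", query)[0]
    question = query[12:_skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_udp_size, 0, 0)
    pad = total_size - (12 + len(question) + 12 + len(opt))
    if pad < 0:
        raise ValueError("response cannot be that small")
    pad_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, pad) + b"\x00" * pad
    header = struct.pack("!6H", txid, FLAG_QR | (FLAG_TC if tc else 0), 1, 1, 0, 1)
    return header + question + pad_rr + opt


class FakeFirewalledServer:
    """Server whose full answer is full_size bytes, behind a 'firewall' that
    silently drops any reply longer than drop_above bytes (a 512-byte DNS
    inspection limit behaves exactly like drop_above=512)."""
    def __init__(self, drop_above, full_size=574):
        self.drop_above, self.full_size = drop_above, full_size

    def exchange(self, query):
        adv = parse_message(query)["edns_udp_size"] or 512
        if adv >= self.full_size:
            reply = build_response(query, self.full_size, tc=False)
        else:                           # answer does not fit: truncate, set TC
            reply = build_response(query, adv, tc=True)
        return None if len(reply) > self.drop_above else reply


def probe(exchange, qname="vwall4a.nyc.gov", sizes=PROBE_SIZES):
    """Map each advertised size to the parsed reply, or None if none came back."""
    results = {}
    for adv in sizes:
        reply = exchange(build_query(qname, udp_size=adv, dnssec_ok=adv is not None))
        results[adv] = None if reply is None else parse_message(reply)
    return results


def diagnose(results):
    got = [r for r in results.values() if r is not None]
    if not got:
        return "no reply at any size: server unreachable or all DNS dropped"
    if len(got) == len(results):
        return "all probe sizes answered"
    return ("replies up to %d bytes arrive, larger ones vanish: check the "
            "firewall's DNS UDP size limit" % max(r["size"] for r in got))


if __name__ == "__main__":
    for limit in (512, 65535):
        print("firewall limit %5d: %s" % (limit, diagnose(probe(FakeFirewalledServer(limit).exchange))))
```

The pattern the probe looks for is the one in the thread: a classic query and an EDNS query advertising 512 both come back (with TC set, since the 574-byte answer does not fit), while anything that lets the server send the full reply simply never arrives. A server that is genuinely unreachable fails at every size, which is how the two cases are told apart before anyone touches named.conf.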
BIND9 SERVFAIL on some .gov addresses
Hi folks,

I am running into a problem with the Oracle Solaris-delivered BIND9 (BIND 9.6-ESV-R3) that I have running on four DNS servers. I have to admit my BIND troubleshooting skills aren't what they could be, given that the product normally just works.

My issue is with looking up MX records, specifically on some .gov addresses. I would not be surprised if this is somehow EDNS/DNSSEC related. Here is a dig trace on the example:

; <<>> DiG 9.6-ESV-R3 <<>> MX health.nyc.gov +trace
;; global options: +cmd
.                       187059  IN      NS      f.root-servers.net.
.                       187059  IN      NS      m.root-servers.net.
.                       187059  IN      NS      d.root-servers.net.
.                       187059  IN      NS      b.root-servers.net.
.                       187059  IN      NS      l.root-servers.net.
.                       187059  IN      NS      g.root-servers.net.
.                       187059  IN      NS      j.root-servers.net.
.                       187059  IN      NS      a.root-servers.net.
.                       187059  IN      NS      c.root-servers.net.
.                       187059  IN      NS      k.root-servers.net.
.                       187059  IN      NS      i.root-servers.net.
.                       187059  IN      NS      e.root-servers.net.
.                       187059  IN      NS      h.root-servers.net.
;; Received 336 bytes from 130.219.11.100#53(130.219.11.100) in 3 ms

gov.                    172800  IN      NS      b.gov-servers.net.
gov.                    172800  IN      NS      a.gov-servers.net.
;; Received 111 bytes from 192.33.4.12#53(c.root-servers.net) in 5 ms

nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.
;; Received 191 bytes from 209.112.123.30#53(b.gov-servers.net) in 71 ms

dig: isc_socket_create: address family not supported

I've read that I shouldn't let this error message lead me anywhere in particular. Does anyone have some advice for where to start troubleshooting? I've tried BIND elsewhere, no issues (though not the same exact version). A dig +trace actually works from my laptop against the server (but dig by itself returns no MX records).

Thank you in advance for suggestions. This one is causing some nasty problems.
Re: BIND9 SERVFAIL on some .gov addresses
On 02/10/2011 03:23 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 11:26 AM, Ryan Novosielski wrote:
>> dig: isc_socket_create: address family not supported
>>
>> I've read that I shouldn't let this error message lead me anywhere in particular. Does anyone have some advice for where to start troubleshooting?
>
> The error message you mention is likely an attempt to do something with IPv6 addresses; perhaps your machine or your network is explicitly configured to do IPv4 only? Does a dig against a well-known working nameserver return valid results like below?

I got the same thought, so I added:

        listen-on-v6 { none; };
        listen-on { any; };

...to named.conf. Same results.

Yes, the query against a well-known server does work:

; <<>> DiG 9.6-ESV-R3 <<>> -t mx health.nyc.gov @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31921
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;health.nyc.gov.                IN      MX

;; ANSWER SECTION:
health.nyc.gov.         746     IN      MX      10 vwall4.nyc.gov.
health.nyc.gov.         746     IN      MX      10 vwall1.nyc.gov.
health.nyc.gov.         746     IN      MX      10 vwall2.nyc.gov.
health.nyc.gov.         746     IN      MX      10 vwall3.nyc.gov.

;; Query time: 97 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Thu Feb 10 15:27:40 2011
;; MSG SIZE  rcvd: 124

Some other facts:

- Our MS DNS server works (gets the above result).
- DiG 9.7.0-P1 from a Linux laptop works against the server in question, but only with +trace.
- DiG 9.6-ESV-R3 from the server sometimes times out, sometimes comes back quickly with nothing. +trace sometimes times out, sometimes fails with the "address family" response.

health.nyc.gov query-errors:

10-Feb-2011 15:32:30.682 query-errors: debug 1: client 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX at query.c:4630
10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at resolver.c:3057 for health.nyc.gov/MX in 0.46: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]

Other nyc.gov query-errors:

10-Feb-2011 15:32:33.720 query-errors: debug 1: client 130.219.34.129#59754: query failed (SERVFAIL) for cityhall.nyc.gov/IN/MX at query.c:4630
10-Feb-2011 15:32:33.720 query-errors: debug 2: fetch completed at resolver.c:3057 for cityhall.nyc.gov/MX in 0.63: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:33.863 query-errors: debug 1: client 10.32.15.102#62148: query failed (SERVFAIL) for cityhall.nyc.gov/IN/MX at query.c:4630
10-Feb-2011 15:32:33.863 query-errors: debug 2: fetch completed at resolver.c:3057 for cityhall.nyc.gov/MX in 0.43: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:33.932 query-errors: debug 1: client 10.32.15.102#55688: query failed (SERVFAIL) for vwall4.nyc.gov/IN/A at query.c:4630
10-Feb-2011 15:32:33.932 query-errors: debug 2: fetch completed at resolver.c:3057 for vwall4.nyc.gov/A in 0.36: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:37.580 query-errors: debug 1: client 10.32.15.102#44514: query failed (SERVFAIL) for vwall2.nyc.gov/IN/A at query.c:4630
10-Feb-2011 15:32:37.580 query-errors: debug 2: fetch completed at resolver.c:3057 for vwall2.nyc.gov/A in 0.36: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:37.585 query-errors: debug 1: client 10.32.15.102#40223: query failed (SERVFAIL) for vwall4.nyc.gov/IN/A at query.c:4630
10-Feb-2011 15:32:37.585 query-errors: debug 2: fetch completed at resolver.c:3057 for vwall4.nyc.gov/A in 0.50: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]

A similar failure for another domain:

10-Feb-2011 14:48:12.406 query-errors: debug 1: client 130.219.34.129#51779: query failed (SERVFAIL) for idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.406 query-errors: debug 1: client 130.219.34.129#51735: query failed (SERVFAIL) for idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.406 query-errors: debug 1: client 130.219.34.129#53507: query failed (SERVFAIL) for idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.406 query-errors: debug 1: client 130.219.34.129#63844: query failed (SERVFAIL) for idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.407 query-errors: debug 1: client 10.32.15.102#56194: query failed (SERVFAIL) for idphdomain.idph.state.ia.us/IN/MX at query.c
Re: BIND9 SERVFAIL on some .gov addresses
On 02/10/2011 04:19 PM, Chuck Swiger wrote:
> The adberr count looks like it can only be incremented by two code sections in lib/dns/resolver.c:
>
>         if (result != ISC_R_SUCCESS) {
>                 if (result == DNS_R_ALIAS) {
>                         /*
>                          * XXXRTH  Follow the CNAME/DNAME chain?
>                          */
>                         dns_adb_destroyfind(&find);
>                         fctx->adberr++;
>                 }
>         }
>
> [ ...and... ]
>
>                 if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
>                         fctx->lamecount++; /* cached lame server */
>                 else
>                         fctx->adberr++; /* unreachable server, etc. */
>
> This implies a connectivity issue between your client and the nyc.gov nameservers, I think. But there are local wizards lurking who are much more familiar with the code than I...

I would think so too, except another one is dc.gov. It would strike me as unlikely that I can't reach two .gov sites out of the blue. I sent a note to our telecomm people too to see if they might see something on the firewall.

> For the other example:
>
>> resolver.c:3178 for idphdomain.idph.state.ia.us/MX in 30.69: timed out/success [domain:idphdomain.idph.state.ia.us,referral:3,restart:4,qrysent:20,timeout:19,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>
> I get no response either. I'd imagine a delegation problem somewhere in the list of domains, although if you poke around, you can find servers which will answer and claim no MX records exist:

OK, thanks -- I did not carefully check other locations for that one. Good to know that's not just me.