Re: DNS RPZ Master/Slave configuration
Again, unicast could be any IP address or normal IP address given on server? There is no such specification like multicast.

On Thu, May 3, 2018 at 7:46 PM, Blason R wrote:

> Thanks, I got it. Below link helped me understand.
>
> https://deepthought.isc.org/article/AA-00518/0/How-can-I-synchronize-DNS-RPZ-firewall-policies-across-multiple-DNS-servers.html
>
> The one thing I didn't understand is how to assign unicast address from DNS perspective?
>
> On Thu, May 3, 2018 at 7:36 PM, Blason R wrote:
>
>> Hi there,
>>
>> Can someone please guide me on working configuration of Master/Slave zone in DNS RPZ for reference?
>>
>> Is that available with someone? And does it work exactly as master/slave like any other zone?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS RPZ Master/Slave configuration
Thanks, I got it. Below link helped me understand.

https://deepthought.isc.org/article/AA-00518/0/How-can-I-synchronize-DNS-RPZ-firewall-policies-across-multiple-DNS-servers.html

The one thing I didn't understand is how to assign unicast address from DNS perspective?

On Thu, May 3, 2018 at 7:36 PM, Blason R wrote:

> Hi there,
>
> Can someone please guide me on working configuration of Master/Slave zone in DNS RPZ for reference?
>
> Is that available with someone? And does it work exactly as master/slave like any other zone?
DNS RPZ Master/Slave configuration
Hi there,

Can someone please guide me on working configuration of Master/Slave zone in DNS RPZ for reference?

Is that available with someone? And does it work exactly as master/slave like any other zone?
Re: Master/slave configuration
On 03/08/2012 06:26 PM, michoski wrote:

> Meant to add one thing... In our configuration, we actually have two recursive VIPs per site, and even considered three (internal IPs are cheap).

We do this. We also make the two different VIPs use different underlying tech - one is an anycast route advertised with eBGP, the other is via load-balancing. The diversity of tech gives us a bit more resilience and flexibility - taking out the load-balancer no longer destroys DNS, for example.
Re: Master/slave configuration
Hello,

I know that I can use VIP with any software (corosync, Linux HA...) But this will not explain the origin of the issue I am facing :)

Even if I use a VIP I can reproduce the issue: If the first VIP (so the nameserver 1) is down, I'll have the same drawbacks. As the resolver will timeout before falling back to the second nameserver. Right?

On 9 March 2012 10:13, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 03/08/2012 06:26 PM, michoski wrote:
>
>> Meant to add one thing... In our configuration, we actually have two recursive VIPs per site, and even considered three (internal IPs are cheap).
>
> We do this. We also make the two different VIPs use different underlying tech - one is an anycast route advertised with eBGP, the other is via load-balancing. The diversity of tech gives us a bit more resilience and flexibility - taking out the load-balancer no longer destroys DNS, for example.
Re: Master/slave configuration
On 3/9/12 7:58 AM, Romgo ro...@free.fr wrote:

> Even if I use a VIP I can reproduce the issue: If the first VIP (so the nameserver 1) is down, I'll have the same drawbacks. As the resolver will timeout before falling back to the second nameserver.

Sure, we don't live in a perfect world. You can establish reasonable countermeasures based on your time/budget which will help reduce the likelihood and impact of failure, but it is likely cost prohibitive to optimize the edge case and try to implement perfection. :-)

This is why VIPs + resolv.conf options were suggested. In most cases, the VIP will save you. When it doesn't, you still have a reasonable failover time. Monitoring, automation, well-planned maintenance windows, etc. should help further reduce unexpected issues for your clients.

> On 9 March 2012 10:13, Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> We also make the two different VIPs use different underlying tech - one is an anycast route advertised with eBGP, the other is via load-balancing. The diversity of tech gives us a bit more resilience and flexibility - taking out the load-balancer no longer destroys DNS, for example.

Good deal, but there are pros and cons to any approach. Added diversity -- while useful and touted for years (I always enjoy the genetic diversity discussions saying each of my clusters should run 4-5 different operating systems) -- also means added complexity, which has its own cost. :-)

--
Work is the curse of the drinking classes. -- Mike Romanoff
Re: Master/slave configuration
On 8 Mar 2012, at 02:58, Lyle Giese wrote (on bind-users):

> On linux boxes, adding options rotate to the /etc/resolv.conf helps.

[cross-posted, reply-to header set]

Is there a DHCP option which expresses that, and which typical fielded DHCP clients will respect? As you may guess, I don't have access to those thousands of client systems out there.

/Niall
Re: Master/slave configuration
Hello,

thanks for the answer.

That was my first change: /etc/resolv.conf like:

    domain example.fr
    search example.fr example2.fr
    nameserver 192.168.0.1
    nameserver 192.168.0.2
    options rotate
    options timeout:1
    options attempts:1

This works fine. But the issue is now mainly coming from the client: windows XP :/ The default Windows timeout is 2s. I can see in bind's logs the dns request, but the webpage is not showing up.

I can use a VIP for DNS server, but I thought that master/slave configuration was made in order to avoid to use a VIP.

Did you guys encounter that kind of issues? Maybe my slave server is not well configured?

Regards,

On 8 March 2012 10:22, Niall O'Reilly niall.orei...@ucd.ie wrote:

> On 8 Mar 2012, at 02:58, Lyle Giese wrote (on bind-users):
>
>> On linux boxes, adding options rotate to the /etc/resolv.conf helps.
>
> [cross-posted, reply-to header set]
>
> Is there a DHCP option which expresses that, and which typical fielded DHCP clients will respect? As you may guess, I don't have access to those thousands of client systems out there.
>
> /Niall
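The failover delay discussed in this thread, as an added example that is not part of any poster's message: a simplified model that parses the resolv.conf quoted above and reports how long successive lookups stall while the first listed server is down. The fixed wait per try and the one-step rotation per lookup are modelling assumptions, not the exact libc algorithm, and the function names are made up for this illustration.

```python
# Constructed input: the resolv.conf posted in the thread.
THREAD_CONF = """\
domain example.fr
search example.fr example2.fr
nameserver 192.168.0.1
nameserver 192.168.0.2
options rotate
options timeout:1
options attempts:1
"""
CAPS = {"timeout": 30, "attempts": 5}   # silent caps per resolv.conf(5)

def parse_resolv_conf(text):
    """Extract the settings that govern failover; other keywords are ignored."""
    # Defaults per resolv.conf(5): timeout 5 s, 2 attempts, no rotation.
    conf = {"nameservers": [], "timeout": 5, "attempts": 2, "rotate": False}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0][0] in "#;":
            continue
        if words[0] == "nameserver" and len(words) > 1:
            if len(conf["nameservers"]) < 3:       # MAXNS: only 3 are used
                conf["nameservers"].append(words[1])
        elif words[0] == "options":
            for opt in words[1:]:
                name, _, value = opt.partition(":")
                if name == "rotate":
                    conf["rotate"] = True
                elif name in CAPS and value.isdigit():
                    conf[name] = min(int(value), CAPS[name])
    return conf

def lookup_delay(conf, down, lookup_no=0):
    """Seconds lost on dead servers before an answer; None if the lookup fails."""
    # Assumption: each try waits `timeout` s; rotate shifts the start per lookup.
    servers = conf["nameservers"]
    if conf["rotate"] and servers:
        shift = lookup_no % len(servers)
        servers = servers[shift:] + servers[:shift]
    waited = 0
    for _ in range(conf["attempts"]):
        for ns in servers:
            if ns not in down:
                return waited
            waited += conf["timeout"]
    return None

def delays(conf, down, lookups=4):
    return [lookup_delay(conf, down, n) for n in range(lookups)]

if __name__ == "__main__":
    stock = parse_resolv_conf("nameserver 192.168.0.1\nnameserver 192.168.0.2\n")
    for label, conf in (("defaults", stock), ("thread", parse_resolv_conf(THREAD_CONF))):
        print(label, delays(conf, {"192.168.0.1"}))
```

With the first server down, the stock defaults stall every lookup for the full timeout, while the thread's settings stall only every other lookup and for one second; with `attempts:1` and both servers down the lookup fails outright.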
Re: Master/slave configuration
On 3/8/12 8:15 AM, Romgo ro...@free.fr wrote:

> I can use a VIP for DNS server, but I thought that master/slave configuration was made in order to avoid to use a VIP.

Master/slave was to avoid SPOF -- if the master dies, who cares with a reasonable expire time. :-)

So go ahead, setup a VIP...even using free stuff like Linux HA! In the big push for virtualization we've deployed N virtual machines behind VIPs doing recursive DNS and it works fine. It also lets you upgrade, replace, etc. any of your hosts with less stress.

I think high availability should be an onion of many layers similar to security.

--
Television -- a medium. So called because it is neither rare nor well done. -- Ernie Kovacs
Re: Master/slave configuration
On 3/8/12 10:20 AM, Mike Hoskins micho...@cisco.com wrote:

> On 3/8/12 8:15 AM, Romgo ro...@free.fr wrote:
>
>> I can use a VIP for DNS server, but I thought that master/slave configuration was made in order to avoid to use a VIP.
>
> Master/slave was to avoid SPOF -- if the master dies, who cares with a reasonable expire time. :-)
>
> So go ahead, setup a VIP...even using free stuff like Linux HA! In the big push for virtualization we've deployed N virtual machines behind VIPs doing recursive DNS and it works fine. It also lets you upgrade, replace, etc. any of your hosts with less stress.
>
> I think high availability should be an onion of many layers similar to security.

Meant to add one thing... In our configuration, we actually have two recursive VIPs per site, and even considered three (internal IPs are cheap). Network blips or maintenance which somehow cause a client to think one of the VIPs is unavailable will be much less intrusive when there are multiple server lines in resolv.conf...

So even with a VIP, keep the options you've added already, it'll help with protocol semantics and edge cases. Google has a lot more info on this stuff. :-)

--
Don't worry about avoiding temptation -- as you grow older, it starts avoiding you. -- The Old Farmer's Almanac
Re: Master/slave configuration
In article mailman.210.1331230835.63724.bind-us...@lists.isc.org, michoski micho...@cisco.com wrote:

> On 3/8/12 8:15 AM, Romgo ro...@free.fr wrote:
>
>> I can use a VIP for DNS server, but I thought that master/slave configuration was made in order to avoid to use a VIP.
>
> Master/slave was to avoid SPOF -- if the master dies, who cares with a reasonable expire time. :-)

Master/slave also predated VIPs. It goes back to the early days of TCP/IP, many years before anyone had ever implemented load balancers, anycast, and other HA solutions.

--
Barry Margolin
Arlington, MA
Master/slave configuration
Dear community,

I use bind on my network as DNS Server. Running bind 1:9.6.ESV.R4+dfsg-0+lenny4 on Debian Lenny.

The setup is quite usual: one master server with one slave server. The slave syncs the zone from the master.

I discover that when the master is down I have some trouble to access to internet and to local domain which are managed by the master server.

Symptoms are: slow browsing and some website can't be reached, seems to be a timeout issue. (the server didn't answer in time).

I saw that for unreachable website, the issue was DNS as my tcpdump didn't get any http request.

How can I troubleshoot this issue?

Regards,
Re: Master/slave configuration
Problem is, most of client resolvers (not resolving nameservers, but resolvers on workstations etc) query first specified nameserver first, then after timeout start with the others.

You should create a HA IP for such uses.

b.

On 7 March 2012 10:23, ro...@free.fr wrote:

> Dear community,
>
> I use bind on my network as DNS Server. Running bind 1:9.6.ESV.R4+dfsg-0+lenny4 on Debian Lenny.
>
> The setup is quite usual: one master server with one slave server. The slave syncs the zone from the master.
>
> I discover that when the master is down I have some trouble to access to internet and to local domain which are managed by the master server.
>
> Symptoms are: slow browsing and some website can't be reached, seems to be a timeout issue. (the server didn't answer in time).
>
> I saw that for unreachable website, the issue was DNS as my tcpdump didn't get any http request.
>
> How can I troubleshoot this issue?
>
> Regards,
Re: Master/slave configuration
In article mailman.166.1331112226.63724.bind-us...@lists.isc.org, ro...@free.fr wrote:

> Dear community,
>
> I use bind on my network as DNS Server. Running bind 1:9.6.ESV.R4+dfsg-0+lenny4 on Debian Lenny.
>
> The setup is quite usual: one master server with one slave server. The slave syncs the zone from the master.
>
> I discover that when the master is down I have some trouble to access to internet and to local domain which are managed by the master server.
>
> Symptoms are: slow browsing and some website can't be reached, seems to be a timeout issue. (the server didn't answer in time).
>
> I saw that for unreachable website, the issue was DNS as my tcpdump didn't get any http request.
>
> How can I troubleshoot this issue?
>
> Regards,

Is your /etc/resolv.conf pointing to both servers? Things will be slow, since the resolver has to wait for a timeout before failing over to the backup server.

--
Barry Margolin
Arlington, MA
Re: Master/slave configuration
On 3/7/12 9:15 AM, Barry Margolin bar...@alum.mit.edu wrote:

> In article mailman.166.1331112226.63724.bind-us...@lists.isc.org, ro...@free.fr wrote:
>
>> I use bind on my network as DNS Server. Running bind 1:9.6.ESV.R4+dfsg-0+lenny4 on Debian Lenny.
>>
>> The setup is quite usual: one master server with one slave server. The slave syncs the zone from the master.
>>
>> I discover that when the master is down I have some trouble to access to internet and to local domain which are managed by the master server.
>>
>> Symptoms are: slow browsing and some website can't be reached, seems to be a timeout issue. (the server didn't answer in time).
>
> Is your /etc/resolv.conf pointing to both servers? Things will be slow, since the resolver has to wait for a timeout before failing over to the backup server.

Yes, this is a common failure mode. Beside making sure you list multiple servers, you might want to try adjusting options in resolv.conf(5).

--
Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you. -- Carl Sandburg
Re: Master/slave configuration
On linux boxes, adding options rotate to the /etc/resolv.conf helps.

Lyle Giese
LCR Computer Services, Inc.

On 03/07/12 06:54, Bostjan Skufca wrote:

> Problem is, most of client resolvers (not resolving nameservers, but resolvers on workstations etc) query first specified nameserver first, then after timeout start with the others.
>
> You should create a HA IP for such uses.
>
> b.
>
> On 7 March 2012 10:23, ro...@free.fr wrote:
>
>> Dear community,
>>
>> I use bind on my network as DNS Server. Running bind 1:9.6.ESV.R4+dfsg-0+lenny4 on Debian Lenny.
>>
>> The setup is quite usual: one master server with one slave server. The slave syncs the zone from the master.
>>
>> I discover that when the master is down I have some trouble to access to internet and to local domain which are managed by the master server.
>>
>> Symptoms are: slow browsing and some website can't be reached, seems to be a timeout issue. (the server didn't answer in time).
>>
>> I saw that for unreachable website, the issue was DNS as my tcpdump didn't get any http request.
>>
>> How can I troubleshoot this issue?
>>
>> Regards,
Master slave configuration of DNSSEC
Hi all,

I have a question regarding configuration of DNSSEC. If I intend to sign a particular zone which has master and a slave, would I have to sign both? If yes, how would I accomplish this? Will I have to sign both the master and the slave zone with the same set of keys (public and private generated for that zone)?

Thanks in advance.

Regards,
Kalpesh
Re: Master slave configuration of DNSSEC
On Sat, May 1, 2010 at 11:32 AM, Sajeev Ramakrishnan kalpesh.l...@gmail.com wrote:

> I have a question regarding configuration of DNSSEC. If I intend to sign a particular zone which has master and a slave, would I have to sign both?

No. Assuming you've correctly setup zone xfers from master to slave, the actual zone contents the slave possesses is dependent on what the master gives it. If the master has dnssec data in the zone file, then this is what the slave will get.

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u