Re: getting not authoritative with some notifies - Solved
On Sun, 2016-07-31 at 19:25 -0700, Dave Warren wrote:
>> Or, separate your resolver and authoritative roles, in which case this
>> won't be an issue. One should still monitor for zones for customers
>> who have departed, obviously, but it's not likely to cause any
>> operational issues.

On 01.08.16 10:37, Carl Byington wrote:
> Yes, I should have prefixed my comments with a note that this applies
> mainly to users of some low end multi-tenant hosting solutions that
> (by default) run both DNS roles on the same box, and point
> /etc/resolv.conf to localhost.

In such a small system it shouldn't happen often that someone migrates a domain off your server.

However, you can avoid this issue by running either multiple DNS servers, BIND instances or views: recursive-only on 127.0.0.1 and authoritative on the public IP.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do not want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: getting not authoritative with some notifies - Solved
On Sun, 2016-07-31 at 19:25 -0700, Dave Warren wrote:
> Or, separate your resolver and authoritative roles, in which case this
> won't be an issue. One should still monitor for zones for customers
> who have departed, obviously, but it's not likely to cause any
> operational issues.

Yes, I should have prefixed my comments with a note that this applies mainly to users of some low end multi-tenant hosting solutions that (by default) run both DNS roles on the same box, and point /etc/resolv.conf to localhost.
Re: getting not authoritative with some notifies - Solved
On Sat, 2016-07-30 at 21:40 +0200, Matus UHLAR - fantomas wrote:
>> or simply wait till customers complain and tell them they should tell
>> you when they migrated their zones off.

On 31.07.16 18:00, Carl Byington wrote:
> Which customers will complain?

Funny that you have answered below.

> Consider the case where you have customer A and ex-customer B, and you
> still have ex-customer B zones loaded in your master DNS servers. The
> rest of the world properly sees the (new) zone content for ex-customer
> B. But when your existing customer A tries to send mail to ex-customer
> B, it may go to the wrong place or bounce. And that will only happen
> for your *other* customers. B thinks everything is ok, since they can
> receive mail from gmail, etc.

Both customer A and ex-customer B will complain because mail doesn't work. Happened multiple times.

> To properly serve your customers like A, you need to purge B's zones
> soon after they move, whether they notify you or not.

That's the whole problem: we have to watch and notify.

Separating authoritative and recursive DNS works much better. We can put different protective measures on each of those.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
Re: getting not authoritative with some notifies - Solved
On 2016-07-31 18:00, Carl Byington wrote:
> Which customers will complain?
>
> Consider the case where you have customer A and ex-customer B, and you
> still have ex-customer B zones loaded in your master DNS servers. The
> rest of the world properly sees the (new) zone content for ex-customer
> B. But when your existing customer A tries to send mail to ex-customer
> B, it may go to the wrong place or bounce. And that will only happen
> for your *other* customers. B thinks everything is ok, since they can
> receive mail from gmail, etc.
>
> To properly serve your customers like A, you need to purge B's zones
> soon after they move, whether they notify you or not.

Or, separate your resolver and authoritative roles, in which case this won't be an issue. One should still monitor for zones for customers who have departed, obviously, but it's not likely to cause any operational issues.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: getting not authoritative with some notifies - Solved
On Sat, 2016-07-30 at 21:40 +0200, Matus UHLAR - fantomas wrote:
> or simply wait till customers complain and tell them they should tell
> you when they migrated their zones off.

Which customers will complain?

Consider the case where you have customer A and ex-customer B, and you still have ex-customer B zones loaded in your master DNS servers. The rest of the world properly sees the (new) zone content for ex-customer B. But when your existing customer A tries to send mail to ex-customer B, it may go to the wrong place or bounce. And that will only happen for your *other* customers. B thinks everything is ok, since they can receive mail from gmail, etc.

To properly serve your customers like A, you need to purge B's zones soon after they move, whether they notify you or not.
Re: getting not authoritative with some notifies - Solved
On 2016-07-29 08:21, Matus UHLAR - fantomas wrote:
>> On 28.07.16 12:13, Paul A wrote:
>>> Now what is everyone using to make sure the zones in named.conf are
>>> still pointing to your NS servers? I have a lot of stale DNS zones I
>>> want to remove.
>>
>> separate authoritative and recursive servers.
>> bill for having zones in DNS.
>> or simply wait till customers complain and tell them they should tell
>> you when they migrated their zones off.

On 30.07.16 12:36, Dave Warren wrote:
> At what point will a customer complain when they switch authoritative
> servers if the old ones are still online,

I haven't said that the non-auth servers have to keep old zones.

> whether serving current data, out of date data

This is what TTL is for. The same behaviour applies to zones on all other servers.

> or the zone eventually expires?

That can't happen on master servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
Re: getting not authoritative with some notifies - Solved
On 2016-07-29 08:21, Matus UHLAR - fantomas wrote:
> On 28.07.16 12:13, Paul A wrote:
>> Now what is everyone using to make sure the zones in named.conf are
>> still pointing to your NS servers? I have a lot of stale DNS zones I
>> want to remove.
>
> separate authoritative and recursive servers.
> bill for having zones in DNS.
> or simply wait till customers complain and tell them they should tell
> you when they migrated their zones off.

At what point will a customer complain when they switch authoritative servers if the old ones are still online, whether serving current data, out of date data, or the zone eventually expires?

--
Dave Warren
Re: getting not authoritative with some notifies - Solved
On 28.07.16 12:13, Paul A wrote:
> Now what is everyone using to make sure the zones in named.conf are
> still pointing to your NS servers? I have a lot of stale DNS zones I
> want to remove.

separate authoritative and recursive servers.

bill for having zones in DNS.

or simply wait till customers complain and tell them they should tell you when they migrated their zones off.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
(R)etry, (A)bort, (C)ancer
RE: getting not authoritative with some notifies - Solved
On Thu, 2016-07-28 at 12:13 -0400, Paul A wrote:
> Now what is everyone using to make sure the zones in named.conf are
> still pointing to your NS servers? I have a lot of stale DNS zones I
> want to remove.

script a loop to "dig $zone ns @8.8.8.8 +short" for the ns records for your configured zones, and remove those for which google does not think you are authoritative.

Alternatively, "dig +trace", which takes (a little) more scripting.
RE: getting not authoritative with some notifies - Solved
Tony, the zones that are giving me the not auth error are indeed off cache, as I see the RA flag and the AA is missing. I never really thought this was happening because I have all zones configured the same way and some are not getting the not auth error and have the aa flag present. I was querying the slave directly and it never occurred to me that the info I was getting back might be cached info; I should have looked at the flags :(.

Well, it turns out I accidentally commented out a huge portion of the named.conf file by mistake with /* */; I didn't close the commented section correctly and it caused some zones not to be configured. When using vi to edit/look at named.conf I was relying on the colour and never saw that the zones in blue (comment colour) were the ones that gave me not auth, so I assumed the config was good. I even ran named-checkconf, which came back with no errors, which makes sense. It also didn't click when using rndc status that the number of zones on the slave was significantly less than on the master server :(.

I hope this stupid mistake helps someone else; thanks to all that replied.

Now what is everyone using to make sure the zones in named.conf are still pointing to your NS servers? I have a lot of stale DNS zones I want to remove.

Thanks,
Paul

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Thursday, July 28, 2016 10:45 AM
To: Casey Deccio
Cc: Paul A ; bind-us...@isc.org
Subject: Re: getting not authoritative with some notifies

Casey Deccio wrote:
> On Thu, Jul 28, 2016 at 10:34 AM, Paul A wrote:
>
>> Yes on both server and the slave and primary are listed on the NS RR.
>> I'm really at a loss here, the zone updates on the slave but I keep
>> getting that message.
>
> There's a difference between a server being listed in the NS RRset and
> a server being authoritative for the zone. Is there a "zone"
> statement for that zone in your named.conf?

When you query the slave for a problem zone, look at the flags in the header, e.g.

this answer comes from a recursive query - "ra" is present and "aa" is missing
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

this answer comes from an authoritative zone - "aa" is present
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
South Thames, Dover: Southwesterly 5 or 6. Slight or moderate. Rain or showers. Good, occasionally poor.
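The two checks discussed in this thread fit in one script: Tony's "look for the aa flag" test (does our own server really serve the zone, which catches zones swallowed by an unterminated comment, as happened here) and Carl's "dig NS against an outside resolver" loop (is our server still in the public NS RRset, which catches ex-customer zones). The script below is an added example and is not code posted by anyone in the thread. It assumes hypothetical server names ns1/ns2.example.net, a BIND instance listening on 127.0.0.1, and the `--sample` mode uses a constructed named.conf and canned dig answers so it can be run offline; the `--live` mode runs the real `dig` and `named-checkconf -p` commands.

```shell
#!/bin/sh
# Added example, not code from the thread. For every zone in named.conf:
#  1. local=aa|noaa   does our own server answer with the "aa" flag?
#  2. public=keep|stale|unknown   does the public NS RRset (asked via an
#     outside resolver) still name one of our servers?
# Assumptions (hypothetical): ns1/ns2.example.net are our servers, BIND
# listens on 127.0.0.1; every domain and config line below is constructed.

OUR_NS="ns1.example.net. ns2.example.net."   # FQDNs with trailing dot, as dig prints them
OUTSIDE_RESOLVER=8.8.8.8

# Zone names from named.conf text on stdin. Feed it `named-checkconf -p`
# output rather than the raw file: the canonical form has comments stripped,
# so a zone inside an unterminated /* ... */ is simply absent from the list.
zones_from_conf() {
    sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' |
        grep -v -e '^\.$' -e '\.arpa$' -e '^localhost$' |
        tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# Header flags of a dig answer given on stdin, e.g. "qr aa rd".
dig_flags() {
    sed -n 's/^;; flags: *\([^;]*\);.*/\1/p'
}

# 0 if the answer on stdin carries "aa" (served from a loaded zone),
# 1 if not (recursion or a cache hit, as with the commented-out zones here).
answer_is_authoritative() {
    for f in $(dig_flags); do
        if [ "$f" = aa ]; then return 0; fi
    done
    return 1
}

# Live lookups; --sample replaces both so the script runs offline.
local_answer() { dig +noall +comments SOA "$1" @127.0.0.1 2>/dev/null; }
public_ns()    { dig +short NS "$1" @"$OUTSIDE_RESOLVER" 2>/dev/null | tr 'A-Z' 'a-z'; }

# "keep" if the public NS RRset names one of ours, "stale" if it names only
# others, "unknown" if there is no answer at all (NXDOMAIN, SERVFAIL,
# timeout). Never delete on "unknown": a lapsed or flapping domain looks
# exactly like a transient resolver failure.
public_status() {
    ns=$(public_ns "$1")
    if [ -z "$ns" ]; then echo unknown; return 0; fi
    for mine in $OUR_NS; do
        if printf '%s\n' "$ns" | grep -qxF "$mine"; then echo keep; return 0; fi
    done
    echo stale
}

# "aa" or "noaa" for our own server's answer.
local_status() {
    if local_answer "$1" | answer_is_authoritative; then echo aa; else echo noaa; fi
}

# One line per zone: "<zone> local=<aa|noaa> public=<keep|stale|unknown>".
report() {
    zones_from_conf | while read -r z; do
        printf '%s local=%s public=%s\n' "$z" "$(local_status "$z")" "$(public_status "$z")"
    done
}

# Constructed stand-ins for --sample: a tiny named.conf and canned answers.
SAMPLE_CONF='zone "." { type hint; file "named.ca"; };
zone "customer-a.example" { type slave; masters { 192.0.2.1; }; };
zone "ex-customer-b.example" { type slave; masters { 192.0.2.1; }; };
zone "lapsed.example" { type slave; masters { 192.0.2.1; }; };
'
sample_local_answer() {
    case $1 in
        customer-a.example|ex-customer-b.example)
            echo ';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' ;;
        *)  # zone not loaded: answered by recursion, "ra" but no "aa"
            echo ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1' ;;
    esac
}
sample_public_ns() {
    case $1 in
        customer-a.example)    printf 'ns2.example.net.\nns1.example.net.\n' ;;
        ex-customer-b.example) printf 'ns1.otherhost.example.\nns2.otherhost.example.\n' ;;
        *)                     : ;;   # no answer, as for NXDOMAIN/SERVFAIL
    esac
}

case ${1:-} in
    --sample)
        local_answer() { sample_local_answer "$1"; }
        public_ns()    { sample_public_ns "$1"; }
        printf '%s' "$SAMPLE_CONF" | report
        ;;
    --live)
        named-checkconf -p "${2:-/etc/named.conf}" | report
        ;;
esac
```

Run `sh stale_zones.sh --sample` to see the three outcomes (customer-a: aa/keep; ex-customer-b: aa/stale; lapsed: noaa/unknown), and `sh stale_zones.sh --live /etc/named.conf` on the slave itself. Treat `local=noaa` as a configuration bug on this box and `public=stale` as a removal candidate; review the stale list (ideally confirmed against a second outside resolver, since one resolver's transient failure must not delete a live customer zone) before taking the zones out of named.conf and running `rndc reconfig`.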