Re: getting not authoritative with some notifies - Solved

2016-08-02 Thread Matus UHLAR - fantomas

On Sun, 2016-07-31 at 19:25 -0700, Dave Warren wrote:

Or, separate your resolver and authoritative roles, in which case this
won't be an issue. One should still monitor for zones for customers
who have departed, obviously, but it's not likely to cause any
operational issues.


On 01.08.16 10:37, Carl Byington wrote:

Yes, I should have prefixed my comments with a note that this applies
mainly to users of some low end multi-tenant hosting solutions that (by
default) run both dns roles on the same box, and point /etc/resolv.conf
to localhost.


In such a small system it shouldn't happen often that someone migrates a
domain off your server.

However, you can avoid this issue by running either multiple DNS servers,
BIND instances or views: recursive-only on 127.0.0.1 and authoritative on
the public IP.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 
___

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
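Matus's "views" variant written out as an added example; this is not configuration from the thread or from ISC. One named.conf, one named process: queries that arrive on loopback (what /etc/resolv.conf points at) get a recursive view that holds no customer zones, so a zone that has moved away resolves through the public delegation exactly as it does for the rest of the world; queries to the public address get the authoritative view with recursion off. The addresses (192.0.2.10 as the host's public IP, 192.0.2.1 as a master) and the zone names are placeholders.

```conf
options {
    directory "/var/named";
    // listen on loopback (resolver) and on the public address (authoritative)
    listen-on { 127.0.0.1; 192.0.2.10; };
    listen-on-v6 { ::1; };
};

// View order matters: the first view whose match clauses fit the query wins.
// Only traffic from the host itself, to the loopback address, lands here.
view "local-resolver" {
    match-clients { 127.0.0.1; ::1; };
    match-destinations { 127.0.0.1; ::1; };
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    allow-query { 127.0.0.1; ::1; };
    // deliberately no customer zones: ex-customer data cannot linger here
};

// Everything else, i.e. queries to the public address from anywhere.
// recursion no keeps the public side from being an open resolver.
view "public-authoritative" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-transfer { none; };   // open this up for your secondaries only

    zone "example.com" {
        type master;
        file "masters/example.com.zone";
    };
    zone "example.net" {
        type slave;
        masters { 192.0.2.1; };
        file "slaves/example.net";
    };
};
```

With views in use, BIND requires every zone statement to sit inside a view, so all customer zones move into the public view. Check the split with two queries against the same host: `dig @127.0.0.1 example.com NS` should come back with `ra` set and no `aa`, `dig @192.0.2.10 example.com NS` with `aa` set.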


Re: getting not authoritative with some notifies - Solved

2016-08-01 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Sun, 2016-07-31 at 19:25 -0700, Dave Warren wrote:
> Or, separate your resolver and authoritative roles, in which case this
> won't be an issue. One should still monitor for zones for customers
> who have departed, obviously, but it's not likely to cause any
> operational issues.

Yes, I should have prefixed my comments with a note that this applies
mainly to users of some low end multi-tenant hosting solutions that (by
default) run both dns roles on the same box, and point /etc/resolv.conf
to localhost.


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAlefiKIACgkQL6j7milTFsFbiACfbGBeSfb5ukdSPG9Kgu+xIXWN
Gy4AniOZC3+vFQ1orNUkE/op/WmshsyG
=qmYk
-END PGP SIGNATURE-




Re: getting not authoritative with some notifies - Solved

2016-08-01 Thread Matus UHLAR - fantomas

On Sat, 2016-07-30 at 21:40 +0200, Matus UHLAR - fantomas wrote:

or simply wait till customers complain and tell them they should tell
you when they migrated their zones off.


On 31.07.16 18:00, Carl Byington wrote:

Which customers will complain?


funny that you have answered below.


Consider the case where you have customer A and ex-customer B, and you
still have ex-customer B zones loaded in your master dns servers. The
rest of the world properly sees the (new) zone content for ex-customer
B.

But when your existing customer A tries to send mail to ex-customer B,
it may go to the wrong place or bounce. And that will only happen for
your *other* customers. B thinks everything is ok, since they can
receive mail from gmail, etc.


both customer A and ex-customer B will complain because mail isn't
working.
Happened multiple times.


To properly serve your customers like A, you need to purge B's zones
soon after they move, whether they notify you or not.


that's the whole problem - we have to watch and notify.

Separating authoritative and recursive DNS works much better.
we can put different measures on protecting each of those.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: getting not authoritative with some notifies - Solved

2016-07-31 Thread Dave Warren

On 2016-07-31 18:00, Carl Byington wrote:

Which customers will complain?

Consider the case where you have customer A and ex-customer B, and you
still have ex-customer B zones loaded in your master dns servers. The
rest of the world properly sees the (new) zone content for ex-customer
B.

But when your existing customer A tries to send mail to ex-customer B,
it may go to the wrong place or bounce. And that will only happen for
your *other* customers. B thinks everything is ok, since they can
receive mail from gmail, etc.

To properly serve your customers like A, you need to purge B's zones
soon after they move, whether they notify you or not.



Or, separate your resolver and authoritative roles, in which case this 
won't be an issue. One should still monitor for zones for customers who 
have departed, obviously, but it's not likely to cause any operational 
issues.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: getting not authoritative with some notifies - Solved

2016-07-31 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Sat, 2016-07-30 at 21:40 +0200, Matus UHLAR - fantomas wrote:
> or simply wait till customers complain and tell them they should tell
> you when tthey migrated their zones off.

Which customers will complain?

Consider the case where you have customer A and ex-customer B, and you
still have ex-customer B zones loaded in your master dns servers. The
rest of the world properly sees the (new) zone content for ex-customer
B.

But when your existing customer A tries to send mail to ex-customer B,
it may go to the wrong place or bounce. And that will only happen for
your *other* customers. B thinks everything is ok, since they can
receive mail from gmail, etc.

To properly serve your customers like A, you need to purge B's zones
soon after they move, whether they notify you or not.


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAleenRYACgkQL6j7milTFsGq3gCdGXY2Ge1QCQrHqDNAeLswpnxH
IgkAniYF2K5whptZz7aetH4GTbu4A78z
=m/gF
-END PGP SIGNATURE-





Re: getting not authoritative with some notifies - Solved

2016-07-30 Thread Matus UHLAR - fantomas

On 2016-07-29 08:21, Matus UHLAR - fantomas wrote:

On 28.07.16 12:13, Paul A wrote:
Now what is everyone using to make sure the zones in named.conf are still
pointing to your NS servers? I have a lot of stale DNS zones I want to
remove.


separate authoritative and recursive servers.
bill for having zones in DNS.
or simply wait till customers complain and tell them they should tell you
when they migrated their zones off.


On 30.07.16 12:36, Dave Warren wrote:
At what point will a customer complain when they switch authoritative 
servers if the old ones are still online,


I haven't said that the non-auth servers have to keep old zones

whether serving current data, out of date data


this is what TTL is for. The same behaviour applies to zones on all other
servers.


or the zone eventually expires?


that can't happen on master servers

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]


Re: getting not authoritative with some notifies - Solved

2016-07-30 Thread Dave Warren

On 2016-07-29 08:21, Matus UHLAR - fantomas wrote:

On 28.07.16 12:13, Paul A wrote:
Now what is everyone using to make sure the zones in named.conf are still
pointing to your NS servers? I have a lot of stale DNS zones I want to
remove.


separate authoritative and recursive servers.
bill for having zones in DNS.
or simply wait till customers complain and tell them they should tell you
when they migrated their zones off.


At what point will a customer complain when they switch authoritative 
servers if the old ones are still online, whether serving current data, 
out of date data, or the zone eventually expires?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: getting not authoritative with some notifies - Solved

2016-07-29 Thread Matus UHLAR - fantomas

On 28.07.16 12:13, Paul A wrote:

Now what is everyone using to make sure the zones in named.conf are still
pointing to your NS servers? I have a lot of stale DNS zones I want to
remove.


separate authoritative and recursive servers.
bill for having zones in DNS.
or simply wait till customers complain and tell them they should tell you
when they migrated their zones off.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


RE: getting not authoritative with some notifies - Solved

2016-07-28 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, 2016-07-28 at 12:13 -0400, Paul A wrote:
> Now what is everyone using to make sure the zones in named.conf are
> still pointing to your NS servers? I have a lot of stale DNS zones I
> want to remove.

script a loop to "dig $zone ns @8.8.8.8 +short" for the ns records for
your configured zones, and remove those for which google does not think
you are authoritative. Alternatively, "dig +trace" which takes (a
little) more scripting.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAleaiDkACgkQL6j7milTFsGAegCfcCkHmwyh4cQlJ49lhzLkhquE
UzkAmQEhjKHeShSGF44+5eYErMVkJjj+
=0U6B
-END PGP SIGNATURE-


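Carl's dig loop, written out as an added example (not code from the thread), in Python rather than a one-line shell loop so that the resolver's reply can be parsed and a failed query kept apart from a "not ours" one: `dig +short` prints nothing for NXDOMAIN, SERVFAIL and an empty answer alike, and a transient SERVFAIL must not get a zone deleted. The real lookup shells out to `dig` against 8.8.8.8; the lookup is a parameter so the classification runs offline against constructed dig output. The nameserver names, zone names and the text in FAKE_DIG_OUTPUT are placeholders made up for the example.

```python
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Assumed: the names our authoritative servers are published under.
OUR_NAMESERVERS = {"ns1.example.net", "ns2.example.net"}

_STATUS_RE = re.compile(r"status: ([A-Z]+)")
Answer = Tuple[Optional[str], Set[str]]          # (rcode, or None if dig failed; NS names)


def norm(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_ns_answer(dig_output: str) -> Answer:
    """Pull the rcode (from the ;; HEADER line) and the NS names out of full dig output."""
    status: Optional[str] = None
    names: Set[str] = set()
    for line in dig_output.splitlines():
        if line.startswith(";;"):
            m = _STATUS_RE.search(line)
            if m:
                status = m.group(1)
            continue
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split()                    # owner ttl class type rdata
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NS":
            names.add(norm(fields[4]))
    return status, names


def dig_ns(zone: str, resolver: str = "8.8.8.8", timeout: int = 5) -> Answer:
    """Ask `resolver` for the zone's NS RRset with the real dig binary."""
    cmd = ["dig", "+noall", "+comments", "+answer", "+time=%d" % timeout,
           "+tries=1", zone, "NS", "@" + resolver]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None, set()
    if proc.returncode != 0:                     # no reply at all, or dig usage error
        return None, set()
    return parse_ns_answer(proc.stdout)


def classify_zones(zones: Iterable[str], our_ns: Iterable[str],
                   lookup: Callable[[str], Answer] = dig_ns) -> Dict[str, List[str]]:
    """Sort configured zones into ours / stale / gone / unknown.
    'unknown' (timeout, SERVFAIL, REFUSED) is kept apart on purpose: a
    transient failure is not evidence that a zone has left."""
    ours = {norm(n) for n in our_ns}
    report: Dict[str, List[str]] = {"ours": [], "stale": [], "gone": [], "unknown": []}
    for zone in zones:
        z = norm(zone)
        status, ns = lookup(z)
        if status not in ("NOERROR", "NXDOMAIN"):
            report["unknown"].append(z)
        elif status == "NXDOMAIN" or not ns:
            report["gone"].append(z)             # no longer delegated to anyone
        elif ns & ours:
            report["ours"].append(z)
        else:
            report["stale"].append(z)            # delegated, but not to us: purge candidate
    return report


# Constructed dig output standing in for real answers so the demo runs offline.
FAKE_DIG_OUTPUT = {
    "example.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n"
        ";; ANSWER SECTION:\n"
        "example.com.\t3600\tIN\tNS\tns1.example.net.\n"
        "example.com.\t3600\tIN\tNS\tNS2.Example.NET.\n"),
    "moved.example": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n"
        ";; ANSWER SECTION:\n"
        "moved.example.\t86400\tIN\tNS\tns1.other-host.example.\n"
        "moved.example.\t86400\tIN\tNS\tns2.other-host.example.\n"),
    "deleted.example": ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3\n",
    "flaky.example": ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4\n",
}


def fake_lookup(zone: str) -> Answer:
    """Offline stand-in for dig_ns, answering from FAKE_DIG_OUTPUT."""
    text = FAKE_DIG_OUTPUT.get(zone)
    return (None, set()) if text is None else parse_ns_answer(text)


def offline_demo() -> Dict[str, List[str]]:
    return classify_zones(FAKE_DIG_OUTPUT, OUR_NAMESERVERS, lookup=fake_lookup)


if __name__ == "__main__":
    for bucket, names in offline_demo().items():
        print("%-8s %s" % (bucket, " ".join(names)))
```

For a real run, feed `classify_zones` the zone names from `named-checkconf -p` and leave `lookup` at its default. Two caveats before acting on the "stale" list: the resolver answers from its cache, so a zone that moved a few minutes ago still looks like ours until the old NS TTL runs out (Carl's `dig +trace` alternative avoids that at the cost of more queries), and the comparison is by nameserver name, so customers published under vanity names (ns1.customer.example pointing at your address) need an address comparison instead.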


RE: getting not authoritative with some notifies - Solved

2016-07-28 Thread Paul A
Tony,

the zones that are giving me the not auth error are indeed from cache, as I
see the RA flag and the AA is missing.  I never really thought this was
happening because I have all zones configured the same way and some are not
getting the not auth error and have the aa flag present. I was querying the
slave directly and it never occurred to me that the info I was getting back
might be cached info; I should have looked at the flags :(. Well, it turns out
I accidentally commented out a huge portion of the named.conf file by mistake
with the */ /*: I didn't close the commented section correctly and it caused
some zones not to be configured. When using vi to edit/look at named.conf I
was relying on the color and never saw the zones in blue (comment color)
that gave me not auth, so I assumed the config was good. I even ran
named-checkconf, which came back with no errors, which makes sense.  It also
didn't click when using rndc status that the number of zones on the slave was
significantly less than on the master server :(.

I hope this stupid mistake helps someone else, thanks to all who replied.

Now what is everyone using to make sure the zones in named.conf are still
pointing to your NS servers? I have a lot of stale DNS zones I want to
remove. 

Thanks, Paul  


-Original Message-
From: Tony Finch [mailto:d...@dotat.at] 
Sent: Thursday, July 28, 2016 10:45 AM
To: Casey Deccio 
Cc: Paul A ; bind-us...@isc.org
Subject: Re: getting not authoritative with some notifies

Casey Deccio  wrote:
> On Thu, Jul 28, 2016 at 10:34 AM, Paul A  wrote:
>
> > Yes on both server and the slave and primary are listed on the NS RR.
> > I'm really at a loss here, the zone updates on the slave but I keep 
> > getting that message.
>
> There's a difference between a server being listed in the NS RRset and 
> a server being authoritative for the zone.  Is there a "zone" 
> statement for that zone in your named.conf?

When you query the slave for a problem zone, look at the flags in the
header, e.g.

this answer comes from a recursive query - "ra" is present and "aa" is
missing

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

this answer comes from an authoritative zone - "aa" is present

;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Tony.
--
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
South Thames, Dover: Southwesterly 5 or 6. Slight or moderate. Rain or
showers. Good, occasionally poor.

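Paul's two findings above, turned into an added example that is not code from the thread: a pass over named.conf that separates live text from commented-out text using the three comment styles BIND accepts (`/* */`, which does not nest, `//` and `#`), so that zones swallowed by a misplaced `*/` show up by name rather than as a smaller zone count in `rndc status`, which `named-checkconf` cannot tell you because the file is still syntactically valid; plus Tony's flags check applied to a dig reply. SAMPLE_CONF is constructed and reproduces the mistake; the zone names and addresses in it are placeholders.

```python
import re
from typing import Dict, List, Tuple

# named.conf comment styles: /* ... */ (not nestable), // to end of line, # to end of line.
_ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"')
_FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)


def split_comments(conf: str) -> Tuple[str, str]:
    """Return (live_text, commented_text) for a named.conf body.

    Double-quoted strings are honoured, so a '#' or '/*' inside a file name
    does not open a comment. An unclosed /* swallows everything to EOF, which
    is exactly the failure this is meant to expose.
    """
    live: List[str] = []
    commented: List[str] = []
    state = "code"                               # code | string | block | line
    i, n = 0, len(conf)
    while i < n:
        c = conf[i]
        nxt = conf[i + 1] if i + 1 < n else ""
        if state == "code":
            if c == "/" and nxt == "*":
                state = "block"
                commented.append("/*")
                i += 2
                continue
            if (c == "/" and nxt == "/") or c == "#":
                state = "line"
                commented.append(c)
            else:
                live.append(c)
                if c == '"':
                    state = "string"
        elif state == "string":
            live.append(c)
            if c == '"':
                state = "code"
        elif state == "block":
            if c == "*" and nxt == "/":
                state = "code"
                commented.append("*/")
                i += 2
                continue
            commented.append(c)
        else:                                    # line comment runs to end of line
            commented.append(c)
            if c == "\n":
                state = "code"
                live.append("\n")                # keep the live text's line structure
        i += 1
    return "".join(live), "".join(commented)


def zone_inventory(conf: str) -> Dict[str, List[str]]:
    """Zone names in the live text versus zone names that a comment swallowed."""
    live, commented = split_comments(conf)
    return {"active": _ZONE_RE.findall(live),
            "commented_out": _ZONE_RE.findall(commented)}


def answer_is_authoritative(dig_output: str) -> bool:
    """Tony Finch's check on a dig reply: 'aa' means the server answered from a
    zone it hosts; 'ra' without 'aa' means it recursed and the data is cached,
    whatever the NS records claim."""
    m = _FLAGS_RE.search(dig_output)
    if m is None:
        raise ValueError("no ';; flags:' line in dig output")
    return "aa" in m.group(1).split()


# Constructed named.conf reproducing the mistake: the '*/' that should close the
# comment right after the old-customer zone ended up two zones further down.
SAMPLE_CONF = '''\
options { directory "/var/named"; recursion yes; };

zone "example.com" { type slave; masters { 192.0.2.1; }; file "slaves/example.com"; };

/* disabled while the customer migrates away
zone "old-customer.example" { type slave; masters { 192.0.2.1; }; file "slaves/old-customer.example"; };

zone "example.net" { type slave; masters { 192.0.2.1; }; file "slaves/example.net"; };
zone "example.org" { type slave; masters { 192.0.2.1; }; file "slaves/example.org"; };
*/  # named-checkconf is happy: the file is still well-formed

zone "example.edu" { type slave; masters { 192.0.2.1; }; file "slaves/example.edu"; };
'''

if __name__ == "__main__":
    inv = zone_inventory(SAMPLE_CONF)
    print("active:       ", " ".join(inv["active"]))
    print("commented out:", " ".join(inv["commented_out"]))
```

On the sample, `active` is example.com and example.edu and `commented_out` lists the three zones the stray comment ate. The two flag lines from Tony's message give the expected results: `qr rd ra ad` is not authoritative, `qr aa` is. A quicker sanity check that needs no script is `named-checkconf -p`, which prints the configuration as named parsed it, with comments already gone; the swallowed zones are simply absent from its output.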