Wildcards and the include directive?

2012-01-24 Thread Alfie John
Hi guys,

I've looked hard but can't find any reference to using wildcards inside
an include directive. Does this feature exist in 9?

I've found this setup quite useful for other services like Apache etc.
What I want to do is be able to configure multiple zones by something
like:

  include /etc/bind/sites-enabled/*

This way, I can add/remove zones on the fly with ln and rm, instead
of resorting to sed/awk/perl in order to modify named.conf.

Alfie
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Wildcards and the include directive?

2012-01-24 Thread Mark Andrews

In message 20120124082907.gb16...@linode1.alfiejohn.com, Alfie John writes:
> Hi guys,
>
> I've looked hard but can't find any reference to using wildcards inside
> an include directive. Does this feature exist in 9?
>
> I've found this setup quite useful for other services like Apache etc.
> What I want to do is be able to configure multiple zones by something
> like:
>
>   include /etc/bind/sites-enabled/*
>
> This way, I can add/remove zones on the fly with ln and rm, instead
> of resorting to sed/awk/perl in order to modify named.conf.

Named supports adding and removing zones via rndc.

rndc addzone 
rndc delzone 
 
> Alfie
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Wildcards and the include directive?

2012-01-24 Thread Jan-Piet Mens
>   include /etc/bind/sites-enabled/*

That won't work.

What you could do though is to create the content of the file you're
including, which ought to solve your problem.

cd /var/path
ls > /etc/bind/sites-enabled.include

And then in named.conf [ include /etc/bind/sites-enabled.include ]

-JP
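
The generated-include approach from the message above, as an added example that is not part of the original post. Whoever can write to the symlink directory decides what named loads, so this sketch checks each entry before emitting an include line and validates the result before replacing the live file. The function name, the sites-available layout and the CHECKCONF override are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helper and directory layout.
# Usage: gen_zone_includes ENABLED_DIR ALLOWED_DIR OUT_FILE
#   ENABLED_DIR  directory of symlinks (e.g. sites-enabled)
#   ALLOWED_DIR  the only directory link targets may live in (e.g. sites-available)
#   OUT_FILE     the single file that named.conf includes
gen_zone_includes() {
    enabled=$1
    allowed=$(cd "$2" && pwd -P) || return 1
    out=$3
    checker=${CHECKCONF:-named-checkconf}   # override is an assumption, for testing
    tmp=$(mktemp "$out.XXXXXX") || return 1

    for entry in "$enabled"/*; do
        name=${entry##*/}
        # Conservative names only: no dotfiles, spaces, quotes or editor backups (~).
        case $name in
            .*|*[!A-Za-z0-9._-]*) echo "skip (name): $name" >&2; continue ;;
        esac
        # Resolve symlinks; dangling links and non-regular files are dropped.
        target=$(readlink -f "$entry") || continue
        [ -f "$target" ] || { echo "skip (not a file): $name" >&2; continue; }
        # The resolved file must sit directly in ALLOWED_DIR.
        [ "${target%/*}" = "$allowed" ] || { echo "skip (outside): $name" >&2; continue; }
        # Refuse snippets that group or other can modify.
        if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "skip (writable): $name" >&2; continue
        fi
        printf 'include "%s";\n' "$target" >>"$tmp"
    done

    # Validate before replacing the live file; on failure the old file stays.
    if command -v "$checker" >/dev/null 2>&1 && ! "$checker" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$out"
}
```

After a successful run, rndc reconfig makes named pick up the added or removed zones.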


Re: Wildcards and the include directive?

2012-01-24 Thread Alfie John
Hi Mark,

On Tue, Jan 24, 2012 at 07:48:25PM +1100, Mark Andrews wrote:
> Named supports adding and removing zones via rndc.
>
>   rndc addzone
>   rndc delzone

Thanks for the pointer. I didn't know about the rndc commands (the man
pages say nothing). However, looking at the online documentation it says
that addzone will add it to the config files. But after running a test,
all this does is add it to the cache. So does this mean that every
time the cache is purged, I would have to run addzone again?

Alfie


Re: Wildcards and the include directive?

2012-01-24 Thread Alfie John
Hi SM,

On Tue, Jan 24, 2012 at 12:55:25AM -0800, SM wrote:
> At 00:29 24-01-2012, Alfie John wrote:
> > I've looked hard but can't find any reference to using wildcards inside
> > an include directive. Does this feature exist in 9?
>
> http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2575504

Yeah, I've read all that but that doesn't help me with what I want.

Alfie


Re: Wildcards and the include directive?

2012-01-24 Thread Alfie John
Hi Jan-Piet,

On Tue, Jan 24, 2012 at 09:58:49AM +0100, Jan-Piet Mens wrote:
> What you could do though is to create the content of the file you're
> including, which ought to solve your problem.
>
> cd /var/path
> ls > /etc/bind/sites-enabled.include
>
> And then in named.conf [ include /etc/bind/sites-enabled.include ]

That's actually a nice hack... I like it.

On a more general note, do other people see wildcard includes useful or
is it just me? Would a patch be accepted for this feature or is my
thinking flat-out wrong?

Alfie


Re: Wildcards and the include directive?

2012-01-24 Thread Jan-Piet Mens
> the online documentation it says
> that addzone will add it to the config files. But after running a test,
> all this does is add it to the cache. So does this mean that every
> time the cache is purged, I would have to run addzone again?

No. Zones are added to / removed from a .nzf cache which is created
dynamically by named. I've got a tiny writeup at [1].

-JP

[1] http://jpmens.net/2010/10/04/dynamically-add-zones-to-bind-with-rndc-addzone/


Re: Entropy hardware [was: dnssec-keygen not responding]

2012-01-24 Thread Jan-Piet Mens
Hello,

FWIW and for the record, I received an EntropyKey and have shortly described my
experience with it so far at http://dnssexy.net/903

Regards,

-JP


Re: BIND 9.6-ESV-R6rc1 is now available

2012-01-24 Thread Sergey V. Lobanov
Reload time is really decreased, but named-checkconf utility is still 
very slow. Is it possible to improve performance for named-checkconf?


On 01/20/2012 10:15 PM, Michael McNally wrote:

> Feature Changes
>
>    + Improves initial start-up and server reload time by increasing
>      the default size of the hash table the configuration parser
>      uses to keep track of loaded zones and allowing it to grow
>      dynamically to better handle systems with large numbers of
>      zones.  [RT #26523]



--
wbr,
Sergey V. Lobanov



Can we stop emitting an error for managed-keys.bind?

2012-01-24 Thread Doug Barton
I know that this has come up in the past, but it came up again, so here
I go again. :)

If you do not enable dnssec (I hesitate to say by default, but I
believe it is accurate) you get the following:

daemon.err named[10001]: managed-keys-zone ./IN: loading from master
file managed-keys.bind failed: file not found

That shouldn't be an error message, since named isn't actually going to
use the file. The error message itself causes unnecessary user
confusion. If there is general agreement that this error shouldn't be
printed I'm happy to raise a bug about it.


Thanks,

Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: Can we stop emitting an error for managed-keys.bind?

2012-01-24 Thread Mark Andrews

It's debug=1 with the current code.

    if (zone->type == dns_zone_key &&
        result == ISC_R_FILENOTFOUND)
            level = ISC_LOG_DEBUG(1);

In message 4f1f7883.2010...@dougbarton.us, Doug Barton writes:
> I know that this has come up in the past, but it came up again, so here
> I go again. :)
>
> If you do not enable dnssec (I hesitate to say by default, but I
> believe it is accurate) you get the following:
>
> daemon.err named[10001]: managed-keys-zone ./IN: loading from master
> file managed-keys.bind failed: file not found
>
> That shouldn't be an error message, since named isn't actually going to
> use the file. The error message itself causes unnecessary user
> confusion. If there is general agreement that this error shouldn't be
> printed I'm happy to raise a bug about it.
>
>
> Thanks,
>
> Doug
>
> -- 
>
>   It's always a long day; 86400 doesn't fit into a short.
>
>   Breadth of IT experience, and depth of knowledge in the DNS.
>   Yours for the right price.  :)  http://SupersetSolutions.com/
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Can we stop emitting an error for managed-keys.bind?

2012-01-24 Thread Evan Hunt
> If you do not enable dnssec (I hesitate to say by default, but I
> believe it is accurate) you get the following:
>
> daemon.err named[10001]: managed-keys-zone ./IN: loading from master
> file managed-keys.bind failed: file not found

3195.   [cleanup]       Silence file not found warnings when loading
                        managed-keys zone. [RT #26340]

This fix is in 9.7.5, 9.8.2, and 9.9.0, all of which are currently
in release candidate status.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Can we stop emitting an error for managed-keys.bind?

2012-01-24 Thread Doug Barton
Thanks Mark and Evan for the responses. I think that's the right solution.

For fun I just tried starting named with no options and an empty
named.conf. The other error that happens with that (lack of
configuration) is:

daemon.warn named[10741]: Warning:
'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
empty zones

Shouldn't that just be enabled by default? We don't see that in FreeBSD
because I disable some by default to include larger covering zones with
real zone statements.


Doug


On 01/24/2012 19:51, Mark Andrews wrote:
> It's debug=1 with the current code.
>
>     if (zone->type == dns_zone_key &&
>         result == ISC_R_FILENOTFOUND)
>             level = ISC_LOG_DEBUG(1);
>
> In message 4f1f7883.2010...@dougbarton.us, Doug Barton writes:
> > I know that this has come up in the past, but it came up again, so here
> > I go again. :)
> >
> > If you do not enable dnssec (I hesitate to say by default, but I
> > believe it is accurate) you get the following:
> >
> > daemon.err named[10001]: managed-keys-zone ./IN: loading from master
> > file managed-keys.bind failed: file not found
> >
> > That shouldn't be an error message, since named isn't actually going to
> > use the file. The error message itself causes unnecessary user
> > confusion. If there is general agreement that this error shouldn't be
> > printed I'm happy to raise a bug about it.
> >
> >
> > Thanks,
> >
> > Doug
> >
> > -- 
> >
> >  It's always a long day; 86400 doesn't fit into a short.
> >
> >  Breadth of IT experience, and depth of knowledge in the DNS.
> >  Yours for the right price.  :)  http://SupersetSolutions.com/




-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: Can we stop emitting an error for managed-keys.bind?

2012-01-24 Thread Mark Andrews

In message 4f1f98fe.5080...@dougbarton.us, Doug Barton writes:
> Thanks Mark and Evan for the responses. I think that's the right solution.
>
> For fun I just tried starting named with no options and an empty
> named.conf. The other error that happens with that (lack of
> configuration) is:
>
> daemon.warn named[10741]: Warning:
> 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
> empty zones
>
> Shouldn't that just be enabled by default? We don't see that in FreeBSD
> because I disable some by default to include larger covering zones with
> real zone statements.

BIND 9.9.0 has

3255.   [func]          No longer require that a empty zones be explicitly
                        enabled or that a empty zone is disabled for
                        RFC 1918 empty zones to be configured. [RT #27139]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Can we stop emitting an error for managed-keys.bind?

2012-01-24 Thread Doug Barton
On 01/24/2012 23:24, Mark Andrews wrote:
> In message 4f1f98fe.5080...@dougbarton.us, Doug Barton writes:
> > Thanks Mark and Evan for the responses. I think that's the right solution.
> >
> > For fun I just tried starting named with no options and an empty
> > named.conf. The other error that happens with that (lack of
> > configuration) is:
> >
> > daemon.warn named[10741]: Warning:
> > 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
> > empty zones
> >
> > Shouldn't that just be enabled by default? We don't see that in FreeBSD
> > because I disable some by default to include larger covering zones with
> > real zone statements.
>
> BIND 9.9.0 has
>
> 3255.   [func]          No longer require that a empty zones be explicitly
>                         enabled or that a empty zone is disabled for
>                         RFC 1918 empty zones to be configured. [RT #27139]

You guys rock. :)

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



nslookup/dig question

2012-01-24 Thread JeanPaul Thomsin
All,

Have two servers. One has BIND8, the other BIND9.

Copied over the zone files from the BIND8 server to the BIND9 server, so they 
are identical.
Updated the /etc/resolv.conf file and the named.conf file.

When I do an nslookup (from a third server) pointing to the BIND8 server, it 
works fine:

# nslookup
> server 10.179.193.6
Default server: 10.179.193.6
Address: 10.179.193.6#53
> set debug=all
> 10.16.42.61
Server: 10.179.193.6
Address:10.179.193.6#53

QUESTIONS:
61.42.16.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-  61.42.16.10.in-addr.arpa
name = ama552D.example.com.
ttl = 86400
AUTHORITY RECORDS:
-  42.16.10.in-addr.arpa
nameserver = abby.example.com.
ttl = 86400
ADDITIONAL RECORDS:
-  abby.example.com
internet address = 10.179.193.6
ttl = 86400

61.42.16.10.in-addr.arpa   name = ama552D.example.com.
#

When I do the same pointing to the BIND9 server, it doesn't work:


# nslookup
> server 10.179.221.13
Default server: 10.179.221.13
Address: 10.179.221.13#53
> set debug=all
> 10.16.42.61
Server: 10.179.221.13
Address:10.179.221.13#53

QUESTIONS:
61.42.16.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
AUTHORITY RECORDS:
-  16.10.in-addr.arpa
origin = prisoner.abc.org
mail addr = hostmaster.root-servers.org
serial = 2002040800
refresh = 1800
retry = 900
expire = 604800
minimum = 604800
ttl = 10608
ADDITIONAL RECORDS:

** server can't find 61.42.16.10.in-addr.arpa.: NXDOMAIN
Server: 10.179.221.13
Address:10.179.221.13#53

QUESTIONS:
61.42.16.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
AUTHORITY RECORDS:
-  16.10.in-addr.arpa
origin = prisoner.abc.org
mail addr = hostmaster.root-servers.org
serial = 2002040800
refresh = 1800
retry = 900
expire = 604800
minimum = 604800
ttl = 10608
ADDITIONAL RECORDS:

** server can't find 61.42.16.10.in-addr.arpa.: NXDOMAIN
> ama552d.example.com
Server: 10.179.221.13
Address:10.179.221.13#53

QUESTIONS:
ama552d.example.com, type = A, class = IN
ANSWERS:
AUTHORITY RECORDS:
-  example.com
origin = monty.example.com
mail addr = admin.example.com
serial = 134
refresh = 900
retry = 600
expire = 86400
minimum = 3600
ttl = 2991
ADDITIONAL RECORDS:

** server can't find ama552d.example.com: NXDOMAIN
Server: 10.179.221.13
Address:10.179.221.13#53

QUESTIONS:
ama552d.example.com.example.com, type = A, class = IN
ANSWERS:
AUTHORITY RECORDS:
-  example.com
origin = monty.example.com
mail addr = admin.example.com
serial = 134
refresh = 900
retry = 600
expire = 86400
minimum = 3600
ttl = 3558
ADDITIONAL RECORDS:

** server can't find ama552d.example.com: NXDOMAIN


Also did a dig pointing to the BIND8 server:

# dig @10.179.193.6 ama552d.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44601
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ama552d.example.com.   IN  A
;; ANSWER SECTION:
ama552d.example.com.    86400   IN  A   10.16.42.61
;; AUTHORITY SECTION:
example.com.  86400   IN  NS  maggi.example.com.
example.com.  86400   IN  NS  abby.example.com.
;; ADDITIONAL SECTION:
abby.example.com.  86400   IN  A   10.179.193.6
maggi.example.com. 86400   IN  A   10.179.196.38
;; Query time: 2 msec
;; SERVER: 10.179.193.6#53(10.179.193.6)
;; WHEN: Tue Jan 24 16:51:14 2012
;; MSG SIZE  rcvd: 130
#


On BIND 9 server, get the following:

 [root@maggitemp sec_qip]# dig @10.179.221.13 ama552d.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12521
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ama552d.example.com.   IN  A
;; AUTHORITY SECTION:
example.com.  2596    IN  SOA monty.example.com. admin.example.com. 134 900 600 86400 3600
;; Query time: 15 msec
;; SERVER: 10.179.221.13#53(10.179.221.13)
;; WHEN: Tue Jan 24 17:13:18 2012
;; MSG SIZE  rcvd: 88
#

Any idea why the query to the BIND9 server would not work?
What should I look for?

