Re: NTP through DNS?

2018-09-21 Thread Ray Bellis
On 21/09/2018 12:47, Danny Mayer wrote:

> Putting on both my BIND9 and NTP hats for a moment:
> 
> This answer makes no sense. NTP uses standard DNS FQDNs for all of its
> references to NTP servers whether it's using pool, server or peer. I
> have no idea where the reverse zone comes in, though I haven't read the
> whole thread. The NTP servers all belong to domains, whether internal or
> external. There is a DHCP option that we have seen, but it seems to cause
> more confusion than anything.
> 
> You can create a DNS A or AAAA or even a CNAME in your local DNS that
> the NTP server can use and it all works.
> 
> Let me know if I misunderstood what this is really about.

I believe you have.

The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.

Ray
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/19/2018 10:12 AM, Andrew Latham wrote:
> You can add SRV records for NTP to your domain if that is what you are
> asking.
> 

NTP doesn't use SRV records and I don't see a use case to do so.
Therefore I have no idea why this would be any benefit. You can add NTP
specific FQDNs as A or AAAA or CNAME records if that would be helpful.

Danny

> On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares wrote:
> 
> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?


Re: NTP through DNS?

2018-09-21 Thread Mukund Sivaraman
Hi Danny

On Fri, Sep 21, 2018 at 07:47:46AM -0400, Danny Mayer wrote:
> You can create a DNS A or AAAA or even a CNAME in your local DNS that
> the NTP server can use and it all works.

The original poster asked "can I publish/query the NTP server through
DNS the same way I can ask who is doing LDAP?"

That implied service discovery / config provisioning, not just
publishing address records of the NTP service in the DNS.

Mukund


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/19/2018 11:19 AM, Ray Bellis wrote:
> On 19/09/2018 15:59, Mauricio Tavares wrote:
> 
>>> An NTP service doesn't belong to a domain, so maybe not (I don't know of
>>> one off my mind).
>>>
>>   Not necessarily; I can name a few universities and businesses that
>> offer their own NTP servers to their internal systems. AFAIK, this is
>> considered good practice.
> 
> That's not the point that Mukund was making.
> 
> An NTP server is part of your local network configuration.   Your domain
> name is also part of your local network configuration.  As such, these
> two values are often served by DHCP.
> 
> That does not mean, though, that there is a one-to-one mapping from your
> domain name to your preferred set of NTP servers.
> 
> One could have numerous subnets located all over the planet with
> different NTP servers, but all sharing the same domain name.
> 
> If it were feasible to store an NTP server address in the DNS it would
> more logically fit in the in-addr.arpa zone, and not in a forward zone.
> 

Putting on both my BIND9 and NTP hats for a moment:

This answer makes no sense. NTP uses standard DNS FQDNs for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in, though I haven't read the
whole thread. The NTP servers all belong to domains, whether internal or
external. There is a DHCP option that we have seen, but it seems to cause
more confusion than anything.

You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.

Let me know if I misunderstood what this is really about.

Danny


Re: zone transfer delay

2018-09-21 Thread project722
I've added those 2 lines to the master in the zone info section. It seemed
to have helped with the delay with the server announcing the change and
initiating the xfer-out. But the slave still takes about 15 minutes for the new
data to get populated in the file.

On Fri, Sep 21, 2018 at 9:09 AM Reindl Harald 
wrote:

>
>
> On 21.09.18 at 16:05, project722 wrote:
> > Then, on the "slave", it takes about 15 minutes for the file to actually
> > update with the new info from the time of the xfer-in. I've tried adding
> > NS records for the slave in the zone file and doing some things with
> > notify, but nothing seems to help. I'd like the changes to be almost
> > instantaneous from the time I run the rndc reload. Here is the config
> > from the "master"
>
> we have this on all our nameserver pairs for years and it works perfectly
>
> notify explicit;
> also-notify {ip-of-slave;};
>
> also make sure you always increase the zone serial
>
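
What "always increase the zone serial" means in practice, as an added example written for this page (not code from BIND, ISC or any poster in the thread): a slave compares the SOA serial it sees in a NOTIFY or refresh query against its own copy using RFC 1982 serial-number arithmetic, and only transfers when the master's serial is "greater" in that sense. The values below are constructed, starting from the serial 201707314 that appears in the zone file posted in this thread.

```python
"""RFC 1982 serial-number arithmetic, as applied to SOA serials.

Added example for this page; not BIND code. Serials are unsigned 32-bit
values on a circle: "newer" means the forward distance is less than 2**31,
equality is never newer, and a distance of exactly 2**31 is undefined.
"""

SERIAL_BITS = 32
SERIAL_MOD = 2 ** SERIAL_BITS
HALF = 2 ** (SERIAL_BITS - 1)


def serial_newer(new: int, old: int) -> bool:
    """Return True if `new` is greater than `old` per RFC 1982 section 3.2.

    Raises ValueError when the comparison is undefined (distance == 2**31).
    """
    if not (0 <= new < SERIAL_MOD and 0 <= old < SERIAL_MOD):
        raise ValueError("serials must be unsigned 32-bit integers")
    if new == old:
        return False
    distance = (new - old) % SERIAL_MOD      # forward distance around the circle
    if distance == HALF:
        raise ValueError(f"comparison of {new} and {old} is undefined (RFC 1982)")
    return distance < HALF


def will_transfer(master_serial: int, slave_serial: int) -> bool:
    """The decision a slave makes after a SOA refresh query or a NOTIFY.

    An undefined comparison is treated as 'not newer', so no transfer happens;
    that matches what a serial-comparison routine returning a plain bool does.
    """
    try:
        return serial_newer(master_serial, slave_serial)
    except ValueError:
        return False


def bump_serial(current: int, candidate: int) -> int:
    """Choose the serial to publish next.

    `candidate` is whatever the operator's scheme produced (a YYYYMMDDnn
    date stamp, a build number, ...). If it is not strictly newer than the
    serial already published, fall back to current + 1 modulo 2**32 so the
    slaves still see an increase instead of silently keeping stale data.
    """
    try:
        if serial_newer(candidate, current):
            return candidate
    except ValueError:
        pass
    return (current + 1) % SERIAL_MOD


if __name__ == "__main__":
    # Constructed values around the serial from the posted zone file.
    print(will_transfer(201707315, 201707314))   # bumped by one: transfers
    print(will_transfer(201707314, 201707314))   # forgot to bump: no transfer
    print(will_transfer(0, 2 ** 32 - 1))         # wrapped past zero: still newer
    print(bump_serial(201707314, 2017073100))    # a 10-digit date serial is newer
```

The `bump_serial` fallback matters when a zone is edited several times in one day under a date-based scheme, or when a serial was once set far ahead by mistake: either way the slave is only interested in whether the number moved forward on the 32-bit circle, not in what it means.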


zone transfer delay

2018-09-21 Thread project722
I've got two recursive DNS servers running ISC 9.11 and 9.12. We are using
RPZ and I have a whitelist/blacklist exception zone file on both servers. I
need the ability to change it only on one server and have it propagate to
the other servers. My config is working, but I'm getting some delays that
I'd like to eliminate. First off, on the "master" server, when I update the
rpz-local file and run an rndc reload, it takes about 2 minutes before I see
the xfer-out in the logs. On the "slave", I also see the xfer-in at the
same time. There are no errors, just that kickoff delay.

Then, on the "slave", it takes about 15 minutes for the file to actually
update with the new info from the time of the xfer-in. I've tried adding NS
records for the slave in the zone file and doing some things with notify,
but nothing seems to help. I'd like the changes to be almost instantaneous
from the time I run the rndc reload. Here is the config from the "master".

/etc/named.conf
acl RPZ {
    192.168.1.100;
};

zone "rpz-local" {
    type master;
    file "db.rpz-local";
    allow-transfer { localhost; RPZ; };
    allow-query { localhost; RPZ; };
};

zone file:
$TTL 150

@       IN SOA  localhost. need.to.know.only. (
                201707314 ; Serial number
                10        ; Refresh every 10 seconds
                10        ; Retry after 10 seconds
                432000    ; Expire in 5 days
                60 )      ; negative caching ttl 1 minute

; NS targets need the trailing dot, otherwise they are relative to rpz-local
        IN NS   ns1master.example.com.
        IN NS   ns2slave.example.com.

;# ---
;# Whitelist entries using rpz-passthru
;# ---

deteque.com     IN CNAME rpz-passthru.
*.deteque.com   IN CNAME rpz-passthru.


Here is the config from the slave:

/etc/named.conf
acl RPZ {
    192.168.1.101;
};

zone "rpz-local" {
    type slave;
    file "db.rpz-local";
    masters { 192.168.1.101; };
    allow-transfer { localhost; RPZ; };
    masterfile-format text;
    allow-query { localhost; RPZ; };
};


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 7:56 AM, Ray Bellis wrote:
> On 21/09/2018 12:47, Danny Mayer wrote:
> 
>> Putting on both my BIND9 and NTP hats for a moment:
>>
>> This answer makes no sense. NTP uses standard DNS FQDNs for all of its
>> references to NTP servers whether it's using pool, server or peer. I
>> have no idea where the reverse zone comes in, though I haven't read the
>> whole thread. The NTP servers all belong to domains, whether internal or
>> external. There is a DHCP option that we have seen, but it seems to cause
>> more confusion than anything.
>>
>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>> the NTP server can use and it all works.
>>
>> Let me know if I misunderstood what this is really about.
> 
> I believe you have.
> 
> The discussion was about automated _discovery_ of the DNS name of your
> NTP server using an additional level of indirection so that it can be
> automatically configured without using DHCP.

That's easy. Create a FQDN called ntp in your domain and have it be a
set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
option will take care of setting the multiple servers. You don't need
the complexity of SRV records.

Danny


Re: NTP through DNS?

2018-09-21 Thread Warren Kumari
On Fri, Sep 21, 2018 at 7:57 AM Danny Mayer  wrote:

> On 9/19/2018 10:12 AM, Andrew Latham wrote:
> > You can add SRV records for NTP to your domain if that is what you are
> > asking.
> >
>
> NTP doesn't use SRV records and I don't see a use case to do so.
>

Well, apparently at one point you did :-) --
http://lists.ntp.org/pipermail/questions/2004-December/003645.html

It seems that FreeIPA does actually use SRV for NTP (
https://www.redhat.com/archives/freeipa-users/2014-August/msg00254.html)
It shows up in various other FreeIPA discussions and some mentions of it
being used with NetApp.


W


Therefore I have no idea why this would be any benefit. You can add NTP
> specific FQDNs as A or AAAA or CNAME records if that would be helpful.
>
> Danny
>
> > On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares wrote:
> >
> > Stupid question: can I publish/query the NTP server through DNS the
> > same way I can ask who is doing LDAP?


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
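
The client side of SRV-based discovery, as an added example written for this page (not code from the thread, from FreeIPA, ntpd or BIND): a client that looks up SRV records for the NTP service has to apply the RFC 2782 usage rules (lowest priority first, weighted random order within a priority, a lone "." target meaning "no service") before it can turn the answer into ntp.conf `server` lines. The RRset, the hosts and the `_ntp._udp.example.com` owner name are constructed; `_ntp._udp` is the label form the FreeIPA discussion referenced above uses, assumed here rather than taken from this page.

```python
"""RFC 2782 target selection for an `_ntp._udp` SRV RRset.

Added example for this page; not FreeIPA, ntpd or BIND code. Everything is
offline: the RRset below stands in for what a resolver would return.
"""
import random
from dataclasses import dataclass
from typing import List

# Constructed RRset in presentation format, as `dig` would print it.
SAMPLE_RRSET = """\
_ntp._udp.example.com. 3600 IN SRV 10 60 123 ntp1.example.com.
_ntp._udp.example.com. 3600 IN SRV 10 40 123 ntp2.example.com.
_ntp._udp.example.com. 3600 IN SRV 20  0 123 ntp-backup.example.com. ; last resort
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rrset(text: str) -> List[SRV]:
    """Parse presentation-format SRV lines, dropping the RFC 2782 '.' sentinel."""
    records: List[SRV] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        i = fields.index("SRV")                   # TTL and class may be absent
        priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
        target = fields[i + 4]
        if target == ".":                         # "service decidedly not available"
            continue
        records.append(SRV(priority, weight, port, target.rstrip(".")))
    return records


def order_targets(records: List[SRV], rng=None) -> List[SRV]:
    """Order an RRset the way RFC 2782 tells a client to try its targets.

    `rng` only needs a randint(a, b) method; tests inject a fixed one.
    """
    rng = rng or random.Random()
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        # Zero-weight RRs go to the front so they are selected only when
        # the random pick is 0, i.e. when nothing heavier is left.
        bucket.sort(key=lambda r: r.weight != 0)
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)          # uniform over [0, total]
            running = 0
            for rr in bucket:
                running += rr.weight
                if running >= pick:               # first RR whose running sum reaches pick
                    break
            ordered.append(rr)
            bucket.remove(rr)
    return ordered


def ntp_conf_lines(ordered: List[SRV]) -> List[str]:
    """Render classic ntpd `server` lines in the order the client should try them.

    ntpd's `server` directive addresses UDP/123 only, so an SRV port other
    than 123 is called out in a comment instead of being silently dropped.
    """
    lines = []
    for rr in ordered:
        note = "" if rr.port == 123 else f"  # SRV advertises port {rr.port}; ntpd uses 123"
        lines.append(f"server {rr.target} iburst{note}")
    return lines


if __name__ == "__main__":
    rrset = parse_srv_rrset(SAMPLE_RRSET)
    for line in ntp_conf_lines(order_targets(rrset)):
        print(line)
```

With a real resolver the only change is where `SAMPLE_RRSET` comes from; the ordering logic, the sentinel handling and the rendering stay the same. Over many runs `ntp1` lands first about 60% of the time, `ntp2` about 40%, and `ntp-backup` is always last because it sits alone at a worse priority.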


Re: zone transfer delay

2018-09-21 Thread project722
Ok, is this something new to the later BIND versions? I'm looking on our
authoritative servers running the red hat bind 9.8.2 and do not see any
.jnl files.

Also, I made a zone transfer and ran a dig axfr rpz-local @ipaddress and it
returned the updated data, while the file remained unchanged. (for now)

On Fri, Sep 21, 2018 at 1:28 PM Tony Finch  wrote:

> project722  wrote:
>
> > Sounds like to me you are saying that the server would return the updated
> > data, because its in the journal file, regardless of whether its made it
> > into the regular zone file yet.
>
> Yes, that's how it works.
>
> Tony.
> --
> f.anthony.n.finch    http://dotat.at/
> South Fitzroy: Variable 4. Moderate or rough. Fog patches. Moderate,
> occasionally very poor.
>


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
> On Fri, Sep 21, 2018 at 3:14 PM, Danny Mayer  wrote:
>> On 9/21/2018 7:56 AM, Ray Bellis wrote:
>>> On 21/09/2018 12:47, Danny Mayer wrote:
>>>
>>>> Putting on both my BIND9 and NTP hats for a moment:
>>>>
>>>> This answer makes no sense. NTP uses standard DNS FQDNs for all of its
>>>> references to NTP servers whether it's using pool, server or peer. I
>>>> have no idea where the reverse zone comes in, though I haven't read the
>>>> whole thread. The NTP servers all belong to domains, whether internal or
>>>> external. There is a DHCP option that we have seen, but it seems to cause
>>>> more confusion than anything.
>>>>
>>>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>>>> the NTP server can use and it all works.
>>>>
>>>> Let me know if I misunderstood what this is really about.
>>>
>>> I believe you have.
>>>
>>> The discussion was about automated _discovery_ of the DNS name of your
>>> NTP server using an additional level of indirection so that it can be
>>> automatically configured without using DHCP.
>>
>> That's easy. Create a FQDN called ntp in your domain and have it be a
>> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
>> option will take care of setting the multiple servers. You don't need
>> the complexity of SRV records.
>>
>   But that is not, as Ray said, automated discovery. You are
> asking the computer to make assumptions, i.e. "if I am in domain
> hey.com, the ntp is ntp.hey.com." I am more along the lines of "hey
> domain thingie. You know where a lot of your basic network resources
> are. If you have a ntp server do you know where it is just like you
> know where your mail, LDAP, and kerbie servers are hiding?"

That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDoS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.

Danny


Re: zone transfer delay

2018-09-21 Thread project722
Yes, I seem to be learning that the hard way:) My shop is still on Bind
9.8.2 (Red Hat) on our authoritative servers. These new features in 9.11
are nice!

On Fri, Sep 21, 2018 at 4:29 PM Reindl Harald 
wrote:

>
> On 21.09.18 at 20:01, project722 wrote:
> > Are you saying do a zone xfer then check the slave with the commands
> > above to see what it actually returns? Instead of checking the file
> > itself? Sounds to me like you are saying that the server would return
> > the updated data, because it's in the journal file, regardless of whether
> > it's made it into the regular zone file yet. Is that a correct assumption?
>
> surely!
>
> how did you come up with the idea of looking at zone files instead of using "dig"?
> on most setups the slave zones are not even human-readable these days
>


Re: zone transfer delay

2018-09-21 Thread Tony Finch
project722  wrote:

> Sounds like to me you are saying that the server would return the updated
> data, because its in the journal file, regardless of whether its made it
> into the regular zone file yet.

Yes, that's how it works.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
South Fitzroy: Variable 4. Moderate or rough. Fog patches. Moderate,
occasionally very poor.


domain's own a record(s)

2018-09-21 Thread lejeczek via bind-users

hi everyone

I have a quick question on a possibly trivial issue.
I do:
> update delete ddd.dom.local. 86400 in a 10.3.1.100
> send
and that works, but when I try:
> update add dom.local. 86400 in a 10.3.1.100
> send
update failed: REFUSED

..and in logs:
client @0x7fd7a40f2e40 127.0.0.1#9489/key nsupdate_key: 
updating zone 'dom.local/IN': update failed: rejected by 
secure update (REFUSED)


I'm hoping that I can add another A record to dom.local.
What is the problem here? It must be something obvious, right?
many thanks, L.


Re: NTP through DNS?

2018-09-21 Thread Mauricio Tavares
On Fri, Sep 21, 2018 at 3:14 PM, Danny Mayer  wrote:
> On 9/21/2018 7:56 AM, Ray Bellis wrote:
>> On 21/09/2018 12:47, Danny Mayer wrote:
>>
>>> Putting on both my BIND9 and NTP hats for a moment:
>>>
>>> This answer makes no sense. NTP uses standard DNS FQDNs for all of its
>>> references to NTP servers whether it's using pool, server or peer. I
>>> have no idea where the reverse zone comes in, though I haven't read the
>>> whole thread. The NTP servers all belong to domains, whether internal or
>>> external. There is a DHCP option that we have seen, but it seems to cause
>>> more confusion than anything.
>>>
>>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>>> the NTP server can use and it all works.
>>>
>>> Let me know if I misunderstood what this is really about.
>>
>> I believe you have.
>>
>> The discussion was about automated _discovery_ of the DNS name of your
>> NTP server using an additional level of indirection so that it can be
>> automatically configured without using DHCP.
>
> That's easy. Create a FQDN called ntp in your domain and have it be a
> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
> option will take care of setting the multiple servers. You don't need
> the complexity of SRV records.
>
  But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more along the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"


> Danny


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 6:33 PM, Reindl Harald wrote:
> 
> 
> On 21.09.18 at 22:19, Danny Mayer wrote:
>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
>>>>> The discussion was about automated _discovery_ of the DNS name of your
>>>>> NTP server using an additional level of indirection so that it can be
>>>>> automatically configured without using DHCP.
>>>>
>>>> That's easy. Create a FQDN called ntp in your domain and have it be a
>>>> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
>>>> option will take care of setting the multiple servers. You don't need
>>>> the complexity of SRV records.
>>>>
>>>   But that is not, as Ray said, automated discovery. You are
>>> asking the computer to make assumptions, i.e. "if I am in domain
>>> hey.com, the ntp is ntp.hey.com." I am more along the lines of "hey
>>> domain thingie. You know where a lot of your basic network resources
>>> are. If you have a ntp server do you know where it is just like you
>>> know where your mail, LDAP, and kerbie servers are hiding?"
>>
>> That's not what I wrote. Someone needs to maintain an SRV record. It's
>> not a good idea for domains to announce their NTP servers since they can
>> be abused by others not authorized to use them. We've had plenty of
>> abuse along those lines along with DDoS attacks. What the ntp CNAME
>> would do is point to a number of other servers to use and you don't need
>> to call it ntp, it's just a string.
> 
> but *nobody* cares about what is a good idea when the question was
> simply "does ntp discovery work" where the answer is simply no

No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.

Danny


Re: zone transfer delay

2018-09-21 Thread project722
Are you saying do a zone xfer then check the slave with the commands above
to see what it actually returns? Instead of checking the file itself?
Sounds to me like you are saying that the server would return the updated
data, because it's in the journal file, regardless of whether it's made it
into the regular zone file yet. Is that a correct assumption?

On Fri, Sep 21, 2018 at 12:05 PM Tony Finch  wrote:

> project722  wrote:
>
> > But the slave still takes about 15 minutes for the new data to get populated
> > in the file.
>
> Use `dig axfr` or `named-compilezone -j` to get the server's view of the
> zone. Zone updates are written to a journal and are not incorporated into
> the zone file immediately.
>
> Tony.
> --
> f.anthony.n.finch    http://dotat.at/
> fight poverty, oppression, hunger, ignorance, disease, and aggression
>


Re: zone transfer delay

2018-09-21 Thread Tony Finch
project722  wrote:

> But the slave still takes about 15 minutes for the new data to get populated
> in the file.

Use `dig axfr` or `named-compilezone -j` to get the server's view of the
zone. Zone updates are written to a journal and are not incorporated into
the zone file immediately.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression