Re: nsupdate reject

On 20 May 2019, at 20:45, @lbutlr wrote:
>
> On 20 May 2019, at 16:21, Noel Butler wrote:
>> allow-update { key "keyname"; };
>
> Ah, no I did not. The instructions I found, as I mentioned in a later post,
> were to add grant ddns-key. Is this a change in 9.14, because I did not have
> to do this in 9.12?

    zone "kreme.com" {
        type master;
        file "master/kreme.com.signed";
        update-policy local;
        auto-dnssec maintain;
        allow-update { key "rndc-key"; };
    };

gives "'allow-update' is ignored when 'update-policy' is present" when I load
the conf file.

If I remove "update-policy local;" the nsupdate works, but it seems like it
should have worked with the update-policy since I was in fact local to the
bind server.

--
My little brother got his arm stuck in the microwave. So my mom had to take
him to the hospital. My grandma dropped acid this morning, and she freaked
out. She hijacked a busload of penguins. So it's sort of a family crisis. Bye!

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
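The stanza in this post shows the two rules that decide whether named honours an nsupdate: allow-update is silently dropped when update-policy is also present (named warns with exactly the message quoted above), and "update-policy local;" authorises only the session key named generates itself (key name local-ddns, which "nsupdate -l" on the server reads), so a client presenting rndc-key with -k gets REFUSED even from localhost. The linter below is an added example, not code from the thread or from ISC: it parses a zone stanza with a small named.conf tokenizer, applies those two rules, and predicts the verdict for a given client key. The three configurations are the poster's stanza, the stanza with update-policy removed, and a version that grants rndc-key through update-policy; the key secret is the placeholder from the thread, and only "key" ACL entries and "grant" rules are considered (address-based ACL entries are ignored, an assumption of the example).

```python
"""Lint a named.conf zone stanza for dynamic-update authorisation.

Two rules named applies (BIND 9 ARM) are mirrored here:
  * with both update-policy and allow-update present, allow-update is
    ignored ("'allow-update' is ignored when 'update-policy' is present");
  * update-policy local; accepts only the session key named generates
    (local-ddns, used by `nsupdate -l`), so `nsupdate -k` with any other
    key is REFUSED even when run on the server itself.
"""
import re

# quoted string | // # /* */ comments | braces and ';' | bare word
_TOKEN_RE = re.compile(r'"[^"]*"|//[^\n]*|#[^\n]*|/\*.*?\*/|[{};]|[^\s{};]+', re.S)
_SESSION_KEY = "local-ddns"  # default name of the named-generated session key


def tokenize(text):
    return [t for t in _TOKEN_RE.findall(text) if not t.startswith(("//", "#", "/*"))]


def parse_block(tokens, pos=0):
    """Parse statements until '}' or end of input.

    Returns (statements, next_pos); a statement is (words, sub_block or None),
    quotes stripped from words, so 'allow-update { key "k"; };' becomes
    (["allow-update"], [(["key", "k"], None)]).
    """
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return stmts, pos + 1
        if tok == "{":
            block, pos = parse_block(tokens, pos + 1)
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1  # the ';' closing 'name { ... };'
            stmts.append((words, block))
            words = []
        elif tok == ";":
            stmts.append((words, None))
            words, pos = [], pos + 1
        else:
            words.append(tok.strip('"'))
            pos += 1
    return stmts, pos


def find_zone(conf_text, zone_name):
    stmts, _ = parse_block(tokenize(conf_text))
    want = zone_name.rstrip(".").lower()
    for words, block in stmts:
        if words[:1] == ["zone"] and len(words) > 1 and words[1].rstrip(".").lower() == want:
            return block or []
    raise KeyError("no zone %r in configuration" % zone_name)


def authorized_keys(zone_stmts):
    """Return (key_names, notes): TSIG identities named will honour for this
    zone, plus notes explaining why other keys are refused."""
    allow = [(w, b) for w, b in zone_stmts if w[:1] == ["allow-update"]]
    policy = [(w, b) for w, b in zone_stmts if w[:1] == ["update-policy"]]
    keys, notes = set(), []
    if allow and policy:
        notes.append("'allow-update' is ignored when 'update-policy' is present")
    if policy:  # update-policy wins whenever it is present
        words, block = policy[-1]
        if words[1:] == ["local"]:
            keys.add(_SESSION_KEY)
            notes.append("update-policy local: only the session key named generates "
                         "is accepted; use 'nsupdate -l' on the server, not -k")
        for rule, _ in (block or []):  # grant <identity> <nametype> [name] [types]
            if rule[:1] == ["grant"] and len(rule) > 1:
                keys.add(rule[1])
    elif allow:
        for rule, _ in (allow[-1][1] or []):  # only 'key "name";' ACL entries
            if rule[:1] == ["key"] and len(rule) > 1:
                keys.add(rule[1])
    return keys, notes


def check_update(conf_text, zone_name, client_key):
    """Predict named's answer to an nsupdate signed with client_key."""
    keys, notes = authorized_keys(find_zone(conf_text, zone_name))
    return ("accepted" if client_key in keys else "REFUSED"), sorted(keys), notes


_KEY = 'key "rndc-key" { algorithm hmac-sha256; secret "SECRETSTUFF="; };\n'
# The stanza as posted in the thread (secret is the placeholder from the post).
CONF_FROM_THREAD = _KEY + '''zone "kreme.com" {
    type master; file "master/kreme.com.signed";
    update-policy local; auto-dnssec maintain;
    allow-update { key "rndc-key"; };
};'''
# What the poster ended up with: update-policy local removed.
CONF_ALLOW_ONLY = CONF_FROM_THREAD.replace("update-policy local; ", "")
# Granting the same key through update-policy instead (constructed variant).
CONF_FIXED = _KEY + '''zone "kreme.com" {
    type master; file "master/kreme.com.signed"; auto-dnssec maintain;
    update-policy { grant rndc-key zonesub ANY; };
};'''

if __name__ == "__main__":
    for label, conf in (("as posted", CONF_FROM_THREAD),
                        ("allow-update only", CONF_ALLOW_ONLY),
                        ("update-policy grant", CONF_FIXED)):
        verdict, keys, notes = check_update(conf, "kreme.com", "rndc-key")
        print("%-20s rndc-key -> %s (honoured: %s)" % (label, verdict, keys))
        for note in notes:
            print("    note:", note)
```

Running it prints REFUSED for the stanza as posted and "accepted" for the other two. A dedicated key (for example one written by tsig-keygen and named ddns-key, as the other reply in this thread tried) is preferable to reusing rndc-key, because the rndc key also controls the server itself; the "unknown option 'grant'" error that reply hit comes from writing grant rules outside an update-policy { ... } block.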
Re: nsupdate reject

On 20 May 2019, at 16:21, Noel Butler wrote:
> allow-update { key "keyname"; };

Ah, no I did not. The instructions I found, as I mentioned in a later post,
were to add grant ddns-key. Is this a change in 9.14, because I did not have
to do this in 9.12?

> and nsLOOKUP ?

Just a thinko.

--
The hippo of recollection stirred in the muddy waters of the mind.
Re: nsupdate reject

Did you allow for it under the zone? Adding a key as such will not give you
global operations.

    zone foo {
        ...
        allow-update { key "keyname"; };
        ...
    }

And nsLOOKUP? It's either too early in the morning here and I'm misreading
what you're doing, or you should be using, or at least meant to say, nsUPDATE.

On 20/05/2019 10:27, @lbutlr wrote:
> Trying to update some DNS under a relatively newly installed bind 9.14 with
> nsupdate.
>
> I have a file admin.key that looks basically like this:
> key "rndc-key" {
>     algorithm hmac-sha256;
>     secret "SECRETSTUFF=";
> };
>
> This is the same key block that is in named.conf. I am launching NSLOOKUP
> with -k admin.key, but when I try to make a change and then "send", I get
> "update failed: REFUSED."
>
> Is this not the key that is wanted? It appears to be the only key I have. Do
> I need to change to some different key type for bind 9.14, or am I forgetting
> something else.
>
> I did make some changes to the DNS back in 9.12 several months ago, and I
> don't recall having to even provide the key then.

--
Kind Regards,
Noel Butler

This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright protected
under international law. You may not disseminate, discuss, or reveal, any part,
to anyone, without the authors express written authority to do so. If you are
not the intended recipient, please notify the sender then delete all copies of
this message including attachments, immediately. Confidentiality, copyright,
and legal privilege are not waived or lost by reason of the mistaken delivery
of this message.

Only PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument
Preferred log location with ISC copr package

I'm considering changing one of my BIND installations to use the experimental
ISC-provided packages:
https://www.isc.org/blogs/bind-9-packages/

With these packages, what is the recommended location for log files? A
directory was created as part of the package installation:
/var/opt/isc/isc-bind/log/

Since I'm new to the "Software Collection" paradigm, I don't know if this is
an acceptable location for my operational logs. Is that location going to get
trashed when I install the next update?

--
Do things because you should, not just because you can.

John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
Re: Should we remove the DLV code?

On 5/20/19 4:34 AM, Matthijs Mekking wrote:
> * It will make the code much easier to maintain, which is beneficial for
>   users too since that will mean in general less bugs, easier to find bugs,
>   and easier to extend it with new features.

Drive by 2¢ comment:

Is the existing DLV code causing a problem or otherwise breaking something?

How much easier will removing the DLV code make maintaining the rest of the
code base?

Is the existing DLV code preventing doing something else that is desired?

IMHO if the code is sitting there and not actively causing problems, despite
being unsightly, then I'd be inclined to leave it. If it's anything more than
unsightly, I'd pontificate removing it.

--
Grant. . . .
unix || die
Re: nsupdate reject

On 19 May 2019, at 18:27, @lbutlr wrote:
> This is the same key block that is in named.conf. I am launching NSLOOKUP
> with -k admin.key, but when I try to make a change and then "send", I get
> "update failed: REFUSED."

I found a page that recommended adding a ddns-key and then adding "grant
ddns-key zonesub ANY;" to the zone info, but that produces an error "unknown
option 'grant'".

--
'You know what the greatest tragedy is in the whole world?' said Ginger, not
paying him the least attention. 'It's all the people who never find out what
it is they really want to do or what it is they're really good at. It's all
the sons who become blacksmiths because their fathers were blacksmiths. It's
all the people who could be really fantastic flute players who grow old and
die without ever seeing a musical instrument, so they become bad ploughmen
instead. It's all the people with talents who never even find out. Maybe they
are never born in a time when it is possible to find out.'
Re: BIND 9.10 fast only on alias IP

Dear Mukund,

thank you for the excellent reply, really.

In fact, it is very strange. On the same machine, and the same Bind daemon,
when incoming queries increase and bottlenecks become visible, if I try to
query an alias IP it responds immediately.

Bind doesn't seem to be the problem but, as you said, something in the
networking/socket/stack environment.

Using "netstat -su", I noticed an appreciable number of UDP packet receive
errors:

    netstat -su
    IcmpMsg:
        InType0: 180
        InType3: 7409507
        InType8: 103791
        InType11: 20541
        OutType0: 103791
        OutType3: 2839671
        OutType8: 185
    Udp:
        774530039 packets received
        11779662 packets to unknown port received.
        3602407 packet receive errors
        776247231 packets sent
        3588125 receive buffer errors
        0 send buffer errors
        InCsumErrors: 14279

Do you think they could be related to UDP dropped packets?

I think I have already tuned some parameters (nf_conntrack, rmem_max,
wmem_max, etc.) and I have totally removed connection tracking using the "raw"
table on local iptables.

How could I increase the number of sockets on a single IP address, since Bind
is working perfectly on the secondary address when the first one is stuck?

Thank you again, very best regards!

FC

On Mon 20 May 2019 at 15:03, Mukund Sivaraman wrote:
>
> On Mon, May 20, 2019 at 10:06:09AM +0200, Ict Security wrote:
> > Dear guys,
> >
> > i am experiencing a very strange beahviour of Bind under busy peak time.
> >
> > With a quite important number of incoming DNS queries, response are
> > really, really slow;
> > sometimes they even stuck.
> >
> > If i try to query, in those busy moments, an alias secondary IP
> > address of the same machine, the response is really immediate!
> >
> > I have disabled connection tracking and raised up nf_conntrack_max.
> > In system logs, i do not see any limitations or buffer full.
> >
> > Do i need to balance incoming connection on more alias IP?
> > Or shall i change some other parameters which i am not aware at the moment?
>
> It's not possible to say exactly what's going on without more detailed
> info. It's possible that named has reached its query performance limit
> and so the recv queue is at its max capacity for that listening
> socket. Possibly queries are getting dropped due to this. In that case,
> increasing the recv queue is unlikely to help and possibly just cause
> bloat. See what "netstat -lu" or "ss -lu" tells you, and load of the
> system.
>
> Possibly you can attempt to mitigate this by tuning various knobs, e.g.,
> disable excessive logging and query logging, increase the number of UDP
> listeners and worker threads to match your CPU count, etc. There isn't
> much that can be improved on 9.10 I'm afraid.
>
> You may want to try BIND 9.12+ that has performance optimizations.
>
> Mukund
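The counters quoted in this post can be turned into the check Mukund suggests. The script below is an added example, not code from the thread or from ISC: it parses the "netstat -su" output above (copied from the post) and a constructed "ss -lun" listing, and decides whether the drops look like socket receive-queue overflow, the case where named is not draining its listening socket and a larger rmem_max only delays the overflow, rather than a NIC or checksum problem. The listing and the 212992-byte buffer (the common Linux net.core.rmem_default) are assumptions of the example; netstat -su is system-wide, so the per-socket Recv-Q from ss is what shows which address's socket is the saturated one, which matches the symptom here of the primary address stalling while the alias answers immediately.

```python
"""Classify UDP receive errors from `netstat -su` and find saturated UDP
listeners in `ss -lun` output.

Interpretation used here: on Linux, "receive buffer errors" (RcvbufErrors)
counts datagrams dropped because the destination socket's receive queue was
full, i.e. the reader was too slow; "packet receive errors" (InErrors) is
the total, counted separately from "packets received" (InDatagrams).
"""
import re

RMEM_DEFAULT = 212992  # assumed net.core.rmem_default (bytes) for the example

# Copied from the post; only the Udp: section is used.
NETSTAT_SU = """\
netstat -su
IcmpMsg:
    InType0: 180
    InType3: 7409507
    InType8: 103791
    InType11: 20541
    OutType0: 103791
    OutType3: 2839671
    OutType8: 185
Udp:
    774530039 packets received
    11779662 packets to unknown port received.
    3602407 packet receive errors
    776247231 packets sent
    3588125 receive buffer errors
    0 send buffer errors
    InCsumErrors: 14279
"""

# Constructed `ss -lun` listing: primary address full, alias idle.
SS_LUN = """\
State   Recv-Q   Send-Q   Local Address:Port   Peer Address:Port   Process
UNCONN  212992   0        192.0.2.10:53        0.0.0.0:*
UNCONN  0        0        192.0.2.11:53        0.0.0.0:*
UNCONN  0        0        127.0.0.1:53         0.0.0.0:*
"""


def parse_netstat_su(text):
    """Return {label: count} for the Udp: section of `netstat -su`."""
    counters, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = re.match(r"^(\w+):$", stripped)          # section header
        if m:
            section = m.group(1)
            continue
        if section != "Udp":
            continue
        m = re.match(r"^(\d+)\s+(.+?)\.?$", stripped)  # "N label"
        if m:
            counters[m.group(2)] = int(m.group(1))
            continue
        m = re.match(r"^(\w+):\s*(\d+)$", stripped)    # "Label: N"
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def udp_drop_report(counters):
    """Drop rate and whether drops are dominated by receive-queue overflow."""
    received = counters.get("packets received", 0)
    errors = counters.get("packet receive errors", 0)
    buf_errors = counters.get("receive buffer errors", 0)
    csum_errors = counters.get("InCsumErrors", 0)
    total_in = received + errors  # InErrors are not included in InDatagrams
    drop_pct = 100.0 * errors / total_in if total_in else 0.0
    buffer_share = buf_errors / errors if errors else 0.0
    if errors == 0:
        verdict = "no UDP receive errors"
    elif buffer_share >= 0.9:
        verdict = ("socket receive-queue overflow: the listener is not drained fast "
                   "enough; a larger rmem only delays it, add UDP listeners/worker "
                   "threads or shed load")
    else:
        verdict = "drops are mostly not queue overflow; check NIC, driver, checksums"
    return {"received": received, "receive_errors": errors,
            "buffer_errors": buf_errors, "checksum_errors": csum_errors,
            "drop_pct": drop_pct, "buffer_share": buffer_share, "verdict": verdict}


def parse_ss_lun(text):
    """Return [(local_addr, recv_q_bytes)] from `ss -lun` output."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "UNCONN":
            rows.append((parts[3], int(parts[1])))
    return rows


def saturated_sockets(rows, rmem_bytes, threshold=0.9):
    """Listeners whose queued bytes are within `threshold` of the buffer size."""
    return [addr for addr, q in rows if q >= threshold * rmem_bytes]


if __name__ == "__main__":
    report = udp_drop_report(parse_netstat_su(NETSTAT_SU))
    print("drop rate %.3f%%, %.1f%% of errors are buffer overflow"
          % (report["drop_pct"], 100 * report["buffer_share"]))
    print(report["verdict"])
    print("saturated:", saturated_sockets(parse_ss_lun(SS_LUN), RMEM_DEFAULT))
```

For the numbers in the post, 3588125 of the 3602407 receive errors are receive buffer errors (over 99%), so the overall drop rate of about 0.46% is almost entirely queue overflow on a socket, which is the situation Mukund describes where enlarging the receive queue does not help. Run "ss -lun" during a busy period to see which listener's Recv-Q sits at the buffer limit.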
Re: High load on BIND DNS and query timeouts after RPZ XFR retrieve

On Sun, May 19, 2019 at 10:55:53PM +0200, Peter V wrote:
> Hi all,
>
> I would like to get opinion on issue I was involved over weekend.
> Customer utilizes RPZ feed from spamhaus and worked pretty OK for some
> months after initial deployment.
> They reported issue with wrong performance of BIND DNS;
> BIND version: 9.10.8-P1

BIND 9.11 and below can't sometimes keep up with Spamhaus's feeds (their rate
of change) without significant tuning. RPZ in BIND 9.11 (non-subscription open
source version) and below updates its summary datastructures synchronously
along with policy zone updates, which causes severe lock contention with the
query path. With Spamhaus feeds, updates can be almost continuous with no
relief.

BIND 9.12+ mitigates this somewhat by refactoring the RPZ summary
datastructure update path so it doesn't happen synchronously with the RPZ zone
updates, albeit with some differences (esp. for the typical Spamhaus feeds'
users - changes from RPZ feeds are visible every 60s in the default
configuration). You may want to try BIND 9.12+ to see if it helps your case.

(An alternative on BIND 9.10 is to try if forcing AXFR by using "request-ixfr
no;" helps. This uses different codepaths within named that could reduce some
lock contention - however, it would behave poorly with Spamhaus's feeds which
are quite large. At least the transfer rate would have to be limited somehow,
and I know that it hasn't helped for some users.)

This is an elaborate topic more than just RPZ.

Mukund
Re: BIND 9.10 fast only on alias IP

On Mon, May 20, 2019 at 10:06:09AM +0200, Ict Security wrote:
> Dear guys,
>
> i am experiencing a very strange beahviour of Bind under busy peak time.
>
> With a quite important number of incoming DNS queries, response are
> really, really slow;
> sometimes they even stuck.
>
> If i try to query, in those busy moments, an alias secondary IP
> address of the same machine, the response is really immediate!
>
> I have disabled connection tracking and raised up nf_conntrack_max.
> In system logs, i do not see any limitations or buffer full.
>
> Do i need to balance incoming connection on more alias IP?
> Or shall i change some other parameters which i am not aware at the moment?

It's not possible to say exactly what's going on without more detailed
info. It's possible that named has reached its query performance limit
and so the recv queue is at its max capacity for that listening
socket. Possibly queries are getting dropped due to this. In that case,
increasing the recv queue is unlikely to help and possibly just cause
bloat. See what "netstat -lu" or "ss -lu" tells you, and load of the
system.

Possibly you can attempt to mitigate this by tuning various knobs, e.g.,
disable excessive logging and query logging, increase the number of UDP
listeners and worker threads to match your CPU count, etc. There isn't
much that can be improved on 9.10 I'm afraid.

You may want to try BIND 9.12+ that has performance optimizations.

Mukund
RE: nsupdate reject

The most obvious thing is to look at the zone and see if that key is included
in an allow-update statement for the zone.

Bob
Should we remove the DLV code?

Dear BIND 9 users,

The BIND 9 development team has been discussing whether we should remove the
DLV code from the BIND 9 source.

Reasons for doing this:

* The zone dlv.isc.org has been decommissioned some time ago.

* It will make the code much easier to maintain, which is beneficial for
  users too since that will mean in general less bugs, easier to find bugs,
  and easier to extend it with new features.

Before we rigorously start chopping, we would like to know if there are still
users using it, and if so for what, or if you have other reasons to believe
this code should stay. Please speak up, on the list or personally to me.

Thank you,

Matthijs
BIND 9.10 fast only on alias IP

Dear guys,

I am experiencing a very strange behaviour of Bind under busy peak time.

With a quite important number of incoming DNS queries, responses are really,
really slow; sometimes they even get stuck.

If I try to query, in those busy moments, an alias secondary IP address of the
same machine, the response is really immediate!

I have disabled connection tracking and raised nf_conntrack_max. In system
logs, I do not see any limitations or buffer full.

Do I need to balance incoming connections over more alias IPs? Or shall I
change some other parameters which I am not aware of at the moment?

Thank you, cheers!

Francesco