Re: dnsperf and BIND memory consumption
Memory statistic

start - 570M
1 min - 913M
2 min - 958M
3 min - 1092M
4 min - 1074M
5 min - 1082M
10 min - 1217M
15 min - 1234M
60 min - 1513M

max-cache-size 800M;

Port installed only with Threads parameter, and patch in Makefile

.if (${ARCH} == amd64)
ARCH= x86_64
.endif

===
# ps axw|grep named
/usr/local/sbin/named -t /var/named -u bind -c /etc/namedb/named.conf -t /var/named -u bind
===
$ rndc status
version: 9.5.0-P2 (Unknown DNS1)
number of zones: 899
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 2
query logging is OFF
recursive clients: 286/9900/1
tcp clients: 0/100
server is up and running
===
(port installed)
$ldd /usr/local/sbin/named
/usr/local/sbin/named:
        libcrypto.so.5 => /lib/libcrypto.so.5 (0x807bb000)
        libthr.so.3 => /lib/libthr.so.3 (0x80a4d000)
        libc.so.7 => /lib/libc.so.7 (0x80b63000)

(system standard)
$ldd /usr/sbin/named
/usr/sbin/named:
        libcrypto.so.5 => /lib/libcrypto.so.5 (0x807a9000)
        libthr.so.3 => /lib/libthr.so.3 (0x80a3b000)
        libc.so.7 => /lib/libc.so.7 (0x80b51000)
===

ivan jr sy wrote:

Hi

can you verify if you're using the newly installed named. did you configure your options to replace the base?

can you give us:

ldd /usr/sbin/named
ldd /usr/local/sbin/named

to my understanding, there should be no memory leak issue at all if you disable threads..

this post has always been directed to the concern of FreeBSD + amd64 platform + FreeBSD port dns/bind95 (BIND 9.5.0-P2) + threading enabled

thanks!

--- On Wed, 12/10/08, Dmitry Rybin [EMAIL PROTECTED] wrote:

From: Dmitry Rybin [EMAIL PROTECTED]
Subject: Re: dnsperf and BIND memory consumption
To: Vinny Abello [EMAIL PROTECTED]
Cc: JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, December 10, 2008, 4:05 AM

Hello!

I test patch, add to bind95/Makefile

.if (${ARCH} == amd64)
ARCH= x86_64
.endif

work/bind-9.5.0-P2/config.log

uname -m = amd64
/usr/bin/uname -p = amd64
Target: amd64-undermydesk-freebsd
Configured with: FreeBSD/amd64 system compiler
ISC_ARCH_DIR='x86_32'
build='x86_64-portbld-freebsd7.0'
build_alias='x86_64-portbld-freebsd7.0'
build_cpu='x86_64'
host='x86_64-portbld-freebsd7.0'
host_cpu='x86_64'

I didn't find any effect, memory leak very quickly with threads support, and slowly without threads.

FreeBSD xxx 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 2 14:18:35 MSD 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/H1 amd64

Vinny Abello wrote:

so does this memory leak only occur if @ISC_ARCH_DIR@ is noatomic under FreeBSD amd64? and not when its x86_32 ?

First off, note that I have no explicit evidence of memory leak. But *if there is indeed leak in the FreeBSD pthread library*, the key is noatomic. With this configuration named will call pthread locks/unlocks much, much heavier, so the problem may be observable more clearly. named still uses pthread locks even with x86_32, so it may just be leaking memory more slowly.

Again, everything is just a guess and could be wrong. We should seek advice from someone who knows FreeBSD library well.

Just out of curiosity, why in theory is this not seen in prior versions of BIND such as 9.4.2-P2 or 9.4.3 on the same FreeBSD 7.0 AMD64 platforms with threading enabled in BIND?

___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dnsperf and BIND memory consumption
JINMEI Tatuya / 神明達哉 wrote:

At Tue, 09 Dec 2008 18:05:27 +0300, Dmitry Rybin [EMAIL PROTECTED] wrote:

I test patch, add to bind95/Makefile

.if (${ARCH} == amd64)
ARCH= x86_64
.endif

Future versions of BIND9 will support amd64 in its configure script to workaround the FreeBSD port for amd64.

Regarding the memory leak, I believe it's already solved in 9.5.1rc1 (even with threads and without atomic).

I just make port bind 9.5.1rc1. It has same problem with memory leak. It grows from 670M on startup, to 1,4Gb after 20 minutes of work.

grep x86 work/bind-9.5.1rc1/config.log

ISC_ARCH_DIR='x86_32'
build='x86_64-portbld-freebsd7.0'
build_alias='x86_64-portbld-freebsd7.0'
build_cpu='x86_64'
host='x86_64-portbld-freebsd7.0'
host_cpu='x86_64'
Re: dnsperf and BIND memory consumption
Hi,

is it possible to see your named.conf

what is the methodology of the test? is it for authoritative queries? recursive? or both? at the same time?

my patch for the port is the same as yours...

thanks!

===
.if ${ARCH} == amd64
ARCH=x86_64
.endif

--- On Thu, 12/11/08, Dmitry Rybin [EMAIL PROTECTED] wrote:

From: Dmitry Rybin [EMAIL PROTECTED]
Subject: Re: dnsperf and BIND memory consumption
To: JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, December 11, 2008, 1:50 AM

JINMEI Tatuya / 神明達哉 wrote:

At Tue, 09 Dec 2008 18:05:27 +0300, Dmitry Rybin [EMAIL PROTECTED] wrote:

I test patch, add to bind95/Makefile

.if (${ARCH} == amd64)
ARCH= x86_64
.endif

Future versions of BIND9 will support amd64 in its configure script to workaround the FreeBSD port for amd64.

Regarding the memory leak, I believe it's already solved in 9.5.1rc1 (even with threads and without atomic).

I just make port bind 9.5.1rc1. It has same problem with memory leak. It grows from 670M on startup, to 1,4Gb after 20 minutes of work.

grep x86 work/bind-9.5.1rc1/config.log

ISC_ARCH_DIR='x86_32'
build='x86_64-portbld-freebsd7.0'
build_alias='x86_64-portbld-freebsd7.0'
build_cpu='x86_64'
host='x86_64-portbld-freebsd7.0'
host_cpu='x86_64'
GTLD servers still promoting glue to answer :-(
On Oct 25 2008, Stephane Bortzmeyer wrote:

On Fri, Oct 24, 2008 at 08:14:42PM +1100, Mark Andrews [EMAIL PROTECTED] wrote a message of 38 lines which said:

Because the Atlas servers are based on old code and because there are delegations that only work in COM and NET because the servers promote glue to answer.

At the last OARC http://www.dns-oarc.net/ meeting in Ottawa (September 2008), Matt Larson (Verisign) announced that .com and .net name servers will soon change to the proper behaviour (this triggered a lot of applause).

As the recent thread ("can't see nameserver externally") reminds us -- for edu rather than com/net, but there can't really be a difference, can there? the nameservers are just a subset -- glue promotion is still happening.

One has to wonder what "soon" means,

--
Chris Thompson
Email: [EMAIL PROTECTED]
DNS issues with tmomail.net
I frequently send short messages to some cellphone users on tmomail.net. Several weeks ago I started noticing that bind is having problems keeping records for tmomail once they get stale. Specifically the MX record. If I restart bind, I can immediately get the MX record again.

I'm running 9.5.0_p2 (9.5.0_p2-r1) on Gentoo.

Is anyone else noticing this?

-david

--
Linux: freedom to build is good
please top-post and trim when replying to my messages. i most often read mail on a small device.
Re: DNS issues with tmomail.net
In article [EMAIL PROTECTED], David Ford [EMAIL PROTECTED] wrote:

I frequently send short messages to some cellphone users on . Several weeks ago I started noticing that bind is having problems keeping records for tmomail once they get stale. Specifically the MX record. If I restart bind, I can immediately get the MX record again.

I'm running 9.5.0_p2 (9.5.0_p2-r1) on Gentoo.

Is anyone else noticing this?

I hadn't noticed it but all the records in the response to a request for the MX for tmomail.net have a TTL of 60 seconds, that's the MX record, the NS authority record and the additional A record. The names in the delegation NS records for tmomail.net are different from the authoritative ones, though they seem to be the same servers. There's considerable opportunity there for things to go wrong, though it all seems to work fine from here.

Sam
Re: DNS issues with tmomail.net
Sam Wilson wrote:

I hadn't noticed it but all the records in the response to a request for the MX for tmomail.net have a TTL of 60 seconds, that's the MX record, the NS authority record and the additional A record. The names in the delegation NS records for tmomail.net are different from the authoritative ones, though they seem to be the same servers. There's considerable opportunity there for things to go wrong, though it all seems to work fine from here.

It will work for hours, sometimes a day before bind is unable to fetch records for it again. But immediately upon restarting bind, bind is able to go fetch records for it.

I understand that the records for tmomail.net are problematic but what makes the difference in bind from running a while vs. a fresh restart when it comes to fetching records? Why would it be 100% successful on restart?

--
Linux: freedom to build is good
please top-post and trim when replying to my messages. i most often read mail on a small device.
Re: DDNS and allow-update declarations
I did some testing with this a couple of months ago and it seems like AD is following the NS directive in the SOA.

The design I used in my test-case was to put AD as an authoritative updater of the specified zone on my master, once updated the BIND master was responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND slave-servers for the zone, and vice versa configure your slaves to have the AD as master for the zone, what I've experienced is that updates of new records tends to be REALLY slow, thus I would go with the first option.

/Jonathan

On Wed, Dec 10, 2008 at 8:17 AM, Nicholas F Miller [EMAIL PROTECTED] wrote:

I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.

1 ) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?

2) In the configs below does the slave server's IP need to be listed in the allow-update declaration on the master zone server?

Master Server - 1.2.3.4

zone "actived.example.com" {
        type master;
        file "named.ad";
        allow-update {
                1.2.3.4;        // master DNS server
                11.22.33.44;    // domain controller 1
                55.66.77.88.99; // domain controller 2
        };
        allow-transfer {
                5.6.7.8;        // slave DNS server
        };
};

Slave Server - 5.6.7.8

zone "actived.example.com" {
        type slave;
        file "named.ad";
        allow-update-forwarding {
                11.22.33.44;    // domain controller 1
                55.66.77.88.99; // domain controller 2
        };
        allow-transfer { none; };
        masters {
                1.2.3.4;        // master DNS server
        };
};

Thanks,
Nicholas Miller, ITS, University of Colorado at Boulder
Re: DDNS and allow-update declarations
Nicholas F Miller [EMAIL PROTECTED] wrote:

I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.

1 ) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?

2) In the configs below does the slave server's IP need to be listed in the allow-update declaration on the master zone server?

Master Server - 1.2.3.4

zone "actived.example.com" {
        type master;
        file "named.ad";
        allow-update {
                1.2.3.4;        // master DNS server
                11.22.33.44;    // domain controller 1
                55.66.77.88.99; // domain controller 2
        };
        allow-transfer {
                5.6.7.8;        // slave DNS server
        };
};

Slave Server - 5.6.7.8

zone "actived.example.com" {
        type slave;
        file "named.ad";
        allow-update-forwarding {
                11.22.33.44;    // domain controller 1
                55.66.77.88.99; // domain controller 2
        };
        allow-transfer { none; };
        masters {
                1.2.3.4;        // master DNS server
        };
};

1) All updates for a zone need to be sent to the master server for that zone, as only the master can perform updates. And one cannot assume that updates sent to a slave server will be forwarded to the master. And the only place in DNS where the master server is listed is in the SOA record.

2) I am not sure of the answer. If a DNS update is sent to a slave server and then forwarded to the master, I assume that the master will see the request as coming from the real source and not from the forwarding slave server. So, I assume that the slave server is not updating the master, and thus does not need to be listed in the allow-update declaration.

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory     Phone:     +1 (630) 252-7277
9700 South Cass Avenue          Facsimile: +1 (630) 252-4601
Building 222, Room D209         Internet:  [EMAIL PROTECTED]
Argonne, IL 60439-4828          IBMMAIL:   I1004994
Re: dnsperf and BIND memory consumption
At Wed, 10 Dec 2008 15:50:22 +0300, Dmitry Rybin [EMAIL PROTECTED] wrote:

JINMEI Tatuya / 神明達哉 wrote:

At Tue, 09 Dec 2008 18:05:27 +0300, Dmitry Rybin [EMAIL PROTECTED] wrote:

I test patch, add to bind95/Makefile

.if (${ARCH} == amd64)
ARCH= x86_64
.endif

Future versions of BIND9 will support amd64 in its configure script to workaround the FreeBSD port for amd64.

Regarding the memory leak, I believe it's already solved in 9.5.1rc1 (even with threads and without atomic).

I just make port bind 9.5.1rc1. It has same problem with memory leak. It grows from 670M on startup, to 1,4Gb after 20 minutes of work.

Can you first fall back to the vanilla 9.5.1rc1 (i.e., not FreeBSD port) so that we can separate FreeBSD-port specific issue and BIND9 specific leak?

Second, what if you stop named by 'rndc stop'? If there's memory leak in BIND9, it normally detects it during a cleanup process and indicates the bug by aborting (core dumping) itself.

If it doesn't cause an abort, please then try the diagnosing I suggested before:

http://marc.info/?l=bind-users&m=121811979629090&w=2

To summarize it:

1. create a symbolic link from /etc/malloc.conf to X:
   # ln -s X /etc/malloc.conf
2. start named with a moderate limitation of virtual memory size, e.g.
   # /usr/bin/limits -v 384m $path_to_named/named <command line options>
   (note that 384m should be reasonably large compared with max-cache-size. I'd suggest setting max-cache-size to 128M and setting 'limits -v' to 512m).
3. Then the named process will eventually abort itself with a core dump due to malloc failure. Please show us the stack trace at that point. Hopefully it will reveal the malloc call that keeps consuming memory.

In fact, I myself successfully identified one leak in 9.5.0-P2 with FreeBSD port this way.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: DDNS and allow-update declarations
Barry & Jonathan,

Thanks for the quick replies. Your responses go along with my findings as well. I am trying to clean up some of our configs. The DDNS zones just didn't look right to me and I wanted to confirm what I was thinking.

Jonathan, I tested things on a test DC by pointing it at a DNS server here that wasn't authoritative for its zone. When I made a change the update happened almost immediately on the master server. This behavior follows the logic of updates following the SOA.

Barry, from what I can find I don't think the slave needs to be listed nor does the master in the allow-update directive. If I have time tomorrow I might test this out in our test AD.

Nicholas Miller, ITS, University of Colorado at Boulder

On Dec 10, 2008, at 10:42 AM, Jonathan Petersson wrote:

I did some testing with this a couple of months ago and it seems like AD is following the NS directive in the SOA.

The design I used in my test-case was to put AD as an authoritative updater of the specified zone on my master, once updated the BIND master was responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND slave-servers for the zone, and vice versa configure your slaves to have the AD as master for the zone, what I've experienced is that updates of new records tends to be REALLY slow, thus I would go with the first option.

/Jonathan

On Dec 10, 2008, at 10:48 AM, [EMAIL PROTECTED] wrote:

1) All updates for a zone need to be sent to the master server for that zone, as only the master can perform updates. And one cannot assume that updates sent to a slave server will be forwarded to the master. And the only place in DNS where the master server is listed is in the SOA record.

2) I am not sure of the answer. If a DNS update is sent to a slave server and then forwarded to the master, I assume that the master will see the request as coming from the real source and not from the forwarding slave server. So, I assume that the slave server is not updating the master, and thus does not need to be listed in the allow-update declaration.
Re: DDNS and allow-update declarations
On Wed, Dec 10, 2008 at 4:00 PM, Mark Andrews [EMAIL PROTECTED] wrote:

In message [EMAIL PROTECTED], Nicholas F Miller writes:

I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.

1 ) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?

There are knowledge base articles which describe this fully. I suggest that you search the Microsoft knowledge base for the complete answer.

http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

cut
DNS Master server migration.
I'm migrating away from my 12 year old Solaris master DNS server to a new Linux based master server. I'm looking for suggestions on how to make the transition smooth without any downtime.

The IP address of the new server will be different and so will be the hostname that will show up in the whois record.

Is there any way to run two masters at the same time and when I know the new master is working, I can turn off the old one? Would that be a good idea? I am open to any suggestions.

Thanks.
Re: DNS Master server migration.
Step 1: Set up the new master as a clone of the old master.

Step 2: Reconfigure/demote the old master to the status of slave. All other slaves will continue to get updates from the old master/new slave, and the magic of DNS notify will make replication from new master to old master to others quick and painless, once you have completed...

Step 3: Update the NS RRsets and SOA records of all zones to reflect the existence of the new master. This will cause DNS notify to function properly. Make sure you update the zone serial numbers as well.

Step 4: Reconfigure all slaves to refer to the new master instead of (or in addition to and in preference to) the old master. This will allow you to remove the old master if you wish to do so, and will make the chain of replication that much shorter and more reliable.

Step 5: If you plan to remove the old master, go ahead and do so in all locations: registration records (delegation and glue records at parent zone(s)), zone NS records, possibly even the old master's A record. Wait a few days after doing this before...

Step 6: Finally retire the old master.

Chris Buxton
Men & Mice

On Dec 10, 2008, at 10:00 PM, Chris Henderson wrote:

I'm migrating away from my 12 year old Solaris master DNS server to a new Linux based master server. I'm looking for suggestions on how to make the transition smooth without any downtime.

The IP address of the new server will be different and so will be the hostname that will show up in the whois record.

Is there any way to run two masters at the same time and when I know the new master is working, I can turn off the old one? Would that be a good idea? I am open to any suggestions.

Thanks.
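
A check to run before Step 6 of the migration procedure above, as an added example that is not part of the original thread: it takes the `dig +short SOA` and `dig +short NS` answers collected from each server and reports any server that is still on an older serial (compared with RFC 1982 serial arithmetic), still names the old master in the SOA MNAME, or does not list the new master in its NS RRset. The host names, serials and captured answers are constructed for illustration.

```python
"""Check that every server has converged on the new master before retiring the old one."""


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if 32-bit SOA serial a is newer than b."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def norm(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")


def parse_soa(line):
    """Parse one line of `dig +short SOA <zone> @<server>` output."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"not a SOA answer: {line!r}")
    return {"mname": norm(fields[0]), "serial": int(fields[2])}


def check_zone(new_master, soa_by_server, ns_by_server):
    """Return the reasons it is not yet safe to retire the old master."""
    soas = {srv: parse_soa(line) for srv, line in soa_by_server.items()}
    newest = None
    for soa in soas.values():
        if newest is None or serial_gt(soa["serial"], newest):
            newest = soa["serial"]
    problems = []
    for srv in sorted(soas):
        soa = soas[srv]
        if soa["serial"] != newest:
            problems.append(f"{srv}: serial {soa['serial']} is behind {newest}")
        if soa["mname"] != norm(new_master):
            problems.append(f"{srv}: SOA MNAME is still {soa['mname']}")
        if norm(new_master) not in {norm(n) for n in ns_by_server.get(srv, [])}:
            problems.append(f"{srv}: NS RRset does not list {new_master}")
    return problems


# Constructed sample answers (hypothetical hosts in example.com), keyed by the
# server that was queried. ns2 has not yet transferred the updated zone.
NEW = "ns-new.example.com"
SOA_NEW = "ns-new.example.com. hostmaster.example.com. 2008121102 3600 900 604800 3600"
SOA_OLD = "ns-old.example.com. hostmaster.example.com. 2008121101 3600 900 604800 3600"
NS_NEW = ["ns-new.example.com.", "ns-old.example.com.", "ns2.example.com."]
NS_OLD = ["ns-old.example.com.", "ns2.example.com."]

MID_MIGRATION = (
    {"ns-new.example.com": SOA_NEW, "ns-old.example.com": SOA_NEW, "ns2.example.com": SOA_OLD},
    {"ns-new.example.com": NS_NEW, "ns-old.example.com": NS_NEW, "ns2.example.com": NS_OLD},
)
CONVERGED = (
    {srv: SOA_NEW for srv in MID_MIGRATION[0]},
    {srv: NS_NEW for srv in MID_MIGRATION[0]},
)

if __name__ == "__main__":
    for label, (soa, ns) in (("mid-migration", MID_MIGRATION), ("converged", CONVERGED)):
        problems = check_zone(NEW, soa, ns)
        print(label, "->", problems if problems else "safe to retire the old master")
```
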