Re: BIND - out of memory

2009-03-24 Thread Jan Arild Lindstrøm
Hi,

more findings ...

BIND 9.6.1b1

No matter what I set in named.conf, it starts to give "out of memory" when
recursive clients pass 1000. I see that 1000 is the default value for recursive-clients.

From "rndc status" on each run, it starts with "out of memory messages" when
recursive-clients passes 1000:
recursive clients: 1029/149900/15

From named.conf:
clients-per-query 250;
max-clients-per-query 1500;
recursive-clients 5;

BIND does not allocate space to more than 1000/default clients no matter what
is specified in named.conf?

I tried it against 9.4.3 also (same config), and the same thing happens:

nsXX(root) named-new 948# tail -f named-new.log  | grep memory
25-Mar-2009 07:35:00.504 database: adb: fetch of 'ns-kiev.km.ua' A failed: out of memory
25-Mar-2009 07:35:00.505 database: adb: fetch of 'y.ns.verio.net' A failed: out of memory
25-Mar-2009 07:35:00.506 database: adb: fetch of 'dns1.gla.ac.uk' A failed: out of memory
--cut--

recursive clients: 1002/49900/5


.. it starts to output "out of memory" messages when it passes 1000 recursive
clients.

So it definitely seems that 1000/default recursive clients is the magic limit
regarding the "out of memory" messages I get.

BIND perhaps allocates space for 1000 recursive-clients, but does not allocate
more when named.conf has another number for it?

Or?

Regards
Jan Arild Lindstrom


At 11:44 24/03/2009, Jan Arild Lindstrøm wrote:
>Hi,
>
>I am running ResPerf from Nominum against BIND 9.6.1b1, and I get a lot of:
>
>--cut--
>24-Mar-2009 08:51:30.495 database: adb: fetch of 'ns2.state.oh.us' A failed: out of memory
>24-Mar-2009 08:51:30.630 database: adb: fetch of 'gz-dns.cncnet.net' A failed: out of memory
>24-Mar-2009 08:51:30.657 query-errors: fetch completed at resolver.c:2908 for 129.83.61.195.in-addr.arpa/PTR in 22.401385: out of memory/success [domain:61.195.in-addr.arpa,referral:2,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
>24-Mar-2009 08:51:30.672 query-errors: fetch completed at resolver.c:2908 for 211.121.239.211.in-addr.arpa/PTR in 18.586241: out of memory/success [domain:239.211.in-addr.arpa,referral:2,restart:1,qrysent:1,timeout:1,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
>24-Mar-2009 08:51:30.684 database: adb: fetch of 'iit.rit.ac.th' A failed: out of memory
>24-Mar-2009 08:51:30.685 database: adb: fetch of 'ritk6.rit.ac.th' A failed: out of memory
>24-Mar-2009 08:51:30.708 query-errors: fetch completed at resolver.c:2908 for 118.95.219.66.in-addr.arpa/PTR in 31.293651: out of memory/success [domain:95.219.66.in-addr.arpa,referral:1,restart:3,qrysent:0,timeout:1,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>24-Mar-2009 08:51:30.714 query-errors: fetch completed at resolver.c:2908 for 30.126.138.63.in-addr.arpa/PTR in 28.681399: out of memory/success [domain:138.63.in-addr.arpa,referral:1,restart:3,qrysent:0,timeout:1,lame:0,neterr:0,badresp:0,adberr:6,findfail:0,valfail:0]
>24-Mar-2009 08:51:30.715 query-errors: fetch completed at resolver.c:2908 for 161.112.185.194.in-addr.arpa/PTR in 18.591808: out of memory/success [domain:185.194.in-addr.arpa,referral:1,restart:1,qrysent:1,timeout:1,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>24-Mar-2009 08:51:30.739 query-errors: fetch completed at resolver.c:2908 for ppp85-141-184-239.pppoe.mtu-net.ru/A in 14.649606: out of memory/success [domain:mtu-net.ru,referral:1,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:1,findfail:0,valfail:0]
>24-Mar-2009 08:51:30.812 database: adb: fetch of 'tirant.gva.es' A failed: out of memory
>24-Mar-2009 08:51:30.814 database: adb: fetch of 'ns1.pldi.net' A failed: out of memory
>24-Mar-2009 08:51:30.898 database: adb: fetch of 'ns1.corporatecolo.com' A failed: out of memory
>24-Mar-2009 08:51:30.899 database: adb: fetch of 'ns1.gratisdns.dk' A failed: out of memory
>--cut--
>
>What does "database: adb: .. out of memory" mean?
>What does "query-errors: fetch completed at ... out of memory/success" mean?
>
>Solaris 10 on a Sun T5140 with 6 cores/96 threads and 16GB of memory: 
>SunOS xxx.xxx.xx 5.10 Generic_13-01 sun4v sparc SUNW,T5140 Solaris
>
>The named process takes only 170MB:
>Memory: 16G phys mem, 11G free mem, 4104M total swap, 4104M free swap
>19563 named 99  590  171M  169M sleep1:35  0.00% named
>
>BIND 9.4.3 on the same server (running at the same time as testing 9.6.1b1):
>10186 named 99  540 2990M 2989M cpu/66 5438.0  3.84% named
>
>I tried:
>datasize unlimited;
>stacksize unlimited;
>max-cache-size unlimited;
>
>But it had no effect, I still get just as many "out of memory" lines when 
>running ResPerf.
>resperf -d queryfile-example-3million -e -s  -m 1
>
>Plimit reports (on the named process):
>reso

Re: using bind for blacklist of domains

2009-03-24 Thread Jeremy C. Reed
On Tue, 24 Mar 2009, Kevin Darcy wrote:

> SOA record is now used as the "negative caching TTL", not "minimum" in any
> sense of the word. The comment should probably reflect that.

off-list  now to get BIND's generated outputs to say the same thing :)


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: advice wanted: key management for nsupdate/DNSSEC

2009-03-24 Thread Mark Andrews

In message <200903242339.n2ond3x0021...@edge.twig.com>, Richard Doty writes:
> Greetings,
> 
> I am wondering how folks handle keys for zones that are going
> to be signed with nsupdate.
> 
> It appears that named wants the zone signing keys to be in the
> location identified by the "directory" parameter, yes?  Putting
> all keys in one directory seems like a scaling issue, besides which
> I believe that particular directory needs to be writable by named
> so it can create core files.  I have to leave the keys online for
> nsupdate, but named doesn't need to modify them itself.
> 
> It would be cool if the location of per-zone keys were a per-zone
> configuration parameter, but I can't find any suggestion of that
> in the code.  Maybe I'm looking in the wrong place.

See key-directory which is a per zone directive.
> 
> How do you manage your nsupdate keys?
> 
> Thanks,
> 
> Richard.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: using bind for blacklist of domains

2009-03-24 Thread dhottinger




Contents of blockeddomains.host:
$TTL 86400 ; one day

@ IN SOA ns.hhs.harrisonburg.k12.va.us
(
2004061000 ; serial number 09032401
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS ns1.harrisonburg.k12.va.us.
NS ns2.harrisonburg.k12.va.us.

A 0.0.0.0

* IN A 0.0.0.0

Before the all-numeric fields, your SOA record needs both an MNAME
field and an RNAME field. MNAME (which you have) should be the name of
the primary master; but if you fully-qualify the name you should
dot-terminate it, to avoid the zone origin ("00.devoid.us") from being
appended. RNAME is a standard SMTP contact email address for the zone,
e.g. ad...@harrisonbug.k12.va.us, with the @ in the email address
replaced with a dot. As with MNAME, make sure to dot-terminate RNAME
too if the domain part of the email address is fully-qualified. Your
SOA should have total of 7 fields, you're only showing 6; RNAME is
missing. A syntactically-better SOA might look like

@ IN SOA ns.hhs.harrisonburg.k12.va.us. admin.harrisonbug.k12.va.us. (
2004061000
28800
7200
864000
86400
)

Beyond that, I can't really tell because of the way email gets
reformatted, but if you have any whitespace before "@" or "*", that's
going to be a problem; the opening parenthesis should also be on the
first SOA line.

Last and least, the "min ttl" comment is misleading. The last field of
the SOA record is now used as the "negative caching TTL", not "minimum"
in any sense of the word. The comment should probably reflect that.

Note that you can use the named-checkzone utility -- included in the
BIND distribution -- to check a zone file for syntax errors, without
actually trying to get named to load the file.
- Kevin


Thanks, it's been a while since I did a zone file.  I knew there was a
way to check the file for errors, but couldn't remember it.  I
appreciate all the help.


take care,

ddh


--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante



advice wanted: key management for nsupdate/DNSSEC

2009-03-24 Thread Richard Doty
Greetings,

I am wondering how folks handle keys for zones that are going
to be signed with nsupdate.

It appears that named wants the zone signing keys to be in the
location identified by the "directory" parameter, yes?  Putting
all keys in one directory seems like a scaling issue, besides which
I believe that particular directory needs to be writable by named
so it can create core files.  I have to leave the keys online for
nsupdate, but named doesn't need to modify them itself.

It would be cool if the location of per-zone keys were a per-zone
configuration parameter, but I can't find any suggestion of that
in the code.  Maybe I'm looking in the wrong place.

How do you manage your nsupdate keys?

Thanks,

Richard.


Re: Psuedo-Master Zones

2009-03-24 Thread Kevin Darcy

Corey Shaw wrote:

Bind version: 9.6
OS: Gentoo Linux

I am currently setting up an internal DNS server.  I have a separate 
DNS server that is publicly accessible.  Both servers have a zone for 
"example.com".   How do I set the internal DNS server to forward 
queries for entries that it does not have for "example.com" to the 
public DNS?  

An example:  

"server2.example.com" exists on both DNS servers.  I query the 
internal server and get the internal address.  I query the public DNS 
and get the public address.  That works as it should.


Now let's say "server1.example.com" exists on the public DNS, but not 
on the Internal DNS.  I query the internal DNS for 
"server1.example.com" and it doesn't return anything.  How can I make 
it forward that query to the public DNS which does have an entry for 
"server1.example.com"?


You don't. The internal version of the zone should include all of the 
external entries as well.



 - Kevin



Psuedo-Master Zones

2009-03-24 Thread Corey Shaw
Bind version: 9.6 
OS: Gentoo Linux 


I am currently setting up an internal DNS server. I have a separate DNS server 
that is publicly accessible. Both servers have a zone for "example.com". How do 
I set the internal DNS server to forward queries for entries that it does not 
have for "example.com" to the public DNS? 


An example: 


"server2.example.com" exists on both DNS servers. I query the internal server 
and get the internal address. I query the public DNS and get the public 
address. That works as it should. 


Now let's say "server1.example.com" exists on the public DNS, but not on the 
Internal DNS. I query the internal DNS for "server1.example.com" and it doesn't 
return anything. How can I make it forward that query to the public DNS which 
does have an entry for "server1.example.com"? 


Thanks for your help. 



_ 
Corey 

Re: using bind for blacklist of domains

2009-03-24 Thread Kevin Darcy

dhottin...@harrisonburg.k12.va.us wrote:

Quoting Kevin Darcy :


dhottin...@harrisonburg.k12.va.us wrote:

Quoting Doug McIntyre :


In comp.protocols.dns.bind you write:

Has anyone used their internal dns server for blacklisting? I would
like to specifically block access to domains that are spreading
malware. I was grepping around the internet and fell upon this
website http://www.malwaredomains.com/, but don't seem to be able to
get my internal name server to like any of the configs I push on it.
Thanks for any advice that might be offered.


It should be easy enough to take the list, parse it into config line
items pointing to a single zone file that just maps * to 127.0.0.1 or
something.

Or you could just use OpenDNS?

(Not that I use them, but that's one of the free features they support).




Sounds good and that is what I thought (except for OpenDNS), however 
I created a zone file named blacklist.host and added an entry into 
my named.conf file that said

zone "00.devoid.us" {
type master;
file "blockeddomains.host";
};

When I restart named I get the following error message in my message 
logs:


Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no current owner name
Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file blockeddomains.host: no owner

I actually have 8 existing zones on this server and they each have a 
root server listed in their zone files. Do I need to have a root 
server in this one?


This isn't an architecture problem, it's a syntax error in the zone 
file.


If you post the contents of the file, up to line 9, we should be able
to spot the syntax error and explain to you how to fix it.

- Kevin



Contents of blockeddomains.host:
$TTL 86400 ; one day

@ IN SOA ns.hhs.harrisonburg.k12.va.us
(
2004061000 ; serial number 09032401
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS ns1.harrisonburg.k12.va.us.
NS ns2.harrisonburg.k12.va.us.

A 0.0.0.0

* IN A 0.0.0.0

Before the all-numeric fields, your SOA record needs both an MNAME field 
and an RNAME field. MNAME (which you have) should be the name of the 
primary master; but if you fully-qualify the name you should 
dot-terminate it, to avoid the zone origin ("00.devoid.us") from being 
appended. RNAME is a standard SMTP contact email address for the zone, 
e.g. ad...@harrisonbug.k12.va.us, with the @ in the email address 
replaced with a dot. As with MNAME, make sure to dot-terminate RNAME too 
if the domain part of the email address is fully-qualified. Your SOA 
should have total of 7 fields, you're only showing 6; RNAME is missing. 
A syntactically-better SOA might look like


@ IN SOA ns.hhs.harrisonburg.k12.va.us. admin.harrisonbug.k12.va.us. (
2004061000
28800
7200
864000
86400
)

Beyond that, I can't really tell because of the way email gets 
reformatted, but if you have any whitespace before "@" or "*", that's 
going to be a problem; the opening parenthesis should also be on the 
first SOA line.


Last and least, the "min ttl" comment is misleading. The last field of 
the SOA record is now used as the "negative caching TTL", not "minimum" 
in any sense of the word. The comment should probably reflect that.


Note that you can use the named-checkzone utility -- included in the 
BIND distribution -- to check a zone file for syntax errors, without 
actually trying to get named to load the file.

- Kevin
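
An added example, not code from this thread: one way to turn a list of domains into named.conf zone stanzas that all point at a single shared zone file, plus that zone file written with the SOA layout described above (MNAME and RNAME present and dot-terminated, opening parenthesis on the SOA line, no whitespace before "@" or "*"). The function names, the ns.example.net. and admin.example.net. names, the serial, and the one-domain-per-line input format are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: build a DNS blocklist for BIND from a plain domain list.

# write_block_zone FILE
# Writes one shared zone file. It uses only relative owner names ("@", "*"),
# so the same file can back every blocked zone. MNAME/RNAME are placeholders.
write_block_zone() {
    cat >"$1" <<'EOF'
$TTL 86400
@ IN SOA ns.example.net. admin.example.net. (
        2009032401 ; serial
        28800      ; refresh
        7200       ; retry
        864000     ; expire
        86400 )    ; negative caching TTL
  IN NS ns.example.net.
  IN A  0.0.0.0
* IN A  0.0.0.0
EOF
}

# domains_to_zones ZONEFILE < list
# Reads one domain per line (assumed input format), strips #-comments,
# whitespace and a trailing dot, lowercases, and de-duplicates.
# Entries that are not plain hostnames are rejected, so a malformed or
# hostile line in a third-party list cannot inject named.conf syntax.
domains_to_zones() {
    awk -v zf="$1" '
        {
            sub(/#.*/, "")
            gsub(/[ \t\r]/, "")
            sub(/\.$/, "")
            d = tolower($0)
        }
        d == "" { next }
        d !~ /^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z]([a-z0-9-]*[a-z0-9])?$/ || length(d) > 253 {
            print "skipped invalid entry: " d > "/dev/stderr"
            next
        }
        !seen[d]++ {
            printf "zone \"%s\" { type master; file \"%s\"; };\n", d, zf
        }
    '
}
```

The generated stanzas can be kept in their own file and pulled into named.conf with an include statement; running named-checkzone against the shared zone file before reloading catches syntax errors like the one in this thread.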


Re: using bind for blacklist of domains

2009-03-24 Thread Jeremy C. Reed
>  @   IN  SOA ns.hhs.harrisonburg.k12.va.us
> (
>  2004061000   ; serial number 09032401
>  28800   ; refresh  8 hours
>  7200    ; retry    2 hours
>  864000  ; expire  10 days
>  86400 ) ; min ttl  1 day

SOA is broken two ways. Needs both machine name and contact name. And the 
"(" (open parenthesis) should be on same line to start the continuation 
not on a line by itself.

If you have "no current owner name" on first line could be caused by
indenting $TTL line too.

It seems like you would have seen:
4: unknown RR type '28800'


Re: using bind for blacklist of domains

2009-03-24 Thread dhottinger

Quoting Kevin Darcy :


dhottin...@harrisonburg.k12.va.us wrote:

Quoting Doug McIntyre :


In comp.protocols.dns.bind you write:

Has anyone used their internal dns server for blacklisting? I would
like to specifically block access to domains that are spreading
malware. I was grepping around the internet and fell upon this
website http://www.malwaredomains.com/, but don't seem to be able to
get my internal name server to like any of the configs I push on it.
Thanks for any advice that might be offered.


It should be easy enough to take the list, parse it into config line
items pointing to a single zone file that just maps * to 127.0.0.1 or
something.

Or you could just use OpenDNS?

(Not that I use them, but that's one of the free features they support).



Sounds good and that is what I thought (except for OpenDNS),   
however I created a zone file named blacklist.host and added an   
entry into my named.conf file that said

zone "00.devoid.us" {
type master;
file "blockeddomains.host";
};

When I restart named I get the following error message in my message logs:

Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no current owner name
Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file blockeddomains.host: no owner

I actually have 8 existing zones on this server and they each have   
a root server listed in their zone files. Do I need to have a root   
server in this one?



This isn't an architecture problem, it's a syntax error in the zone file.

If you post the contents of the file, up to line 9, we should be able
to spot the syntax error and explain to you how to fix it.

- Kevin



Contents of blockeddomains.host:
  $TTL 86400   ; one day

  @   IN  SOA ns.hhs.harrisonburg.k12.va.us
 (
  2004061000   ; serial number 09032401
  28800   ; refresh  8 hours
  7200    ; retry    2 hours
  864000  ; expire  10 days
  86400 ) ; min ttl  1 day
  NS  ns1.harrisonburg.k12.va.us.
  NS  ns2.harrisonburg.k12.va.us.

  A   0.0.0.0

  *   IN  A   0.0.0.0


thanks,

ddh


--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante



Re: using bind for blacklist of domains

2009-03-24 Thread Kevin Darcy

dhottin...@harrisonburg.k12.va.us wrote:

Quoting Doug McIntyre :


In comp.protocols.dns.bind you write:

Has anyone used their internal dns server for blacklisting? I would
like to specifically block access to domains that are spreading
malware. I was grepping around the internet and fell upon this
website http://www.malwaredomains.com/, but don't seem to be able to
get my internal name server to like any of the configs I push on it.
Thanks for any advice that might be offered.


It should be easy enough to take the list, parse it into config line
items pointing to a single zone file that just maps * to 127.0.0.1 or
something.

Or you could just use OpenDNS?

(Not that I use them, but that's one of the free features they support).



Sounds good and that is what I thought (except for OpenDNS), however I 
created a zone file named blacklist.host and added an entry into my 
named.conf file that said

zone "00.devoid.us" {
type master;
file "blockeddomains.host";
};

When I restart named I get the following error message in my message 
logs:


Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no current owner name
Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file blockeddomains.host: no owner

I actually have 8 existing zones on this server and they each have a 
root server listed in their zone files. Do I need to have a root 
server in this one?



This isn't an architecture problem, it's a syntax error in the zone file.

If you post the contents of the file, up to line 9, we should be able to 
spot the syntax error and explain to you how to fix it.


- Kevin



Re: using bind for blacklist of domains

2009-03-24 Thread dhottinger

Quoting Doug McIntyre :


In comp.protocols.dns.bind you write:

Has anyone used their internal dns server for blacklisting?  I would
like to specifically block access to domains that are spreading
malware.  I was grepping around the internet and fell upon this
website http://www.malwaredomains.com/, but don't seem to be able to
get my internal name server to like any of the configs I push on it.
Thanks for any advice that might be offered.


It should be easy enough to take the list, parse it into config line
items pointing to a single zone file that just maps * to 127.0.0.1 or
something.

Or you could just use OpenDNS?

(Not that I use them, but that's one of the free features they support).



Sounds good and that is what I thought (except for OpenDNS), however I  
created a zone file named blacklist.host and added an entry into my  
named.conf file that said

zone "00.devoid.us"  {
type master;
file  "blockeddomains.host";
};

When I restart named I get the following error message in my message logs:

Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no current owner name
Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file blockeddomains.host: no owner

I actually  have 8 existing zones on this server and they each have a  
root server listed in their zone files.  Do I need to have a root  
server in this one?


thanks,

ddh

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante



Re: Make changes en mass [done]

2009-03-24 Thread Scott Haneda
It should not be too hard.  Since you have such a rock solid format,  
you can safely assume in your case, the last 2 digits are ints always,  
always 2 digits long.


Just find the string of chars you are interested in, and substring the  
last two.  Now you have a number (int) and you can use a little math  
to +1 to it.


The only area you have to be careful in, depending on the language, is  
01 to 09 where the leading zero is going to get lost.  You could use a  
string pad left function to put a zero in, or in this case, just check  
the string length, if it is one, concatenate a zero in front.


On Mar 24, 2009, at 1:57 PM, Todd Snyder wrote:

I am looking for a clever way to do the new serial number.  Date will do
the first bit no problem (date +%Y%m%d), but I'd love to find a clever
way to auto increment the last 2 digits unless it's a new day.  Then I
could use the same script every time.


--
Scott * If you contact me off list replace talklists@ with scott@ *
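
An added example, not code from this thread or from updsoa.pl: the substring-and-increment approach described above, written as a shell function for the CCYYMMDDsq serial format, including the leading-zero case for 01 to 09. The function names, the optional TODAY argument, and the rule that the serial is the first standalone ten-digit number in the zone file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compute and apply the next CCYYMMDDsq zone serial.

# next_serial CURRENT [TODAY]
# TODAY defaults to `date +%Y%m%d`; it can be passed explicitly so the
# logic can be exercised with a fixed date.
next_serial() {
    current=$1
    today=${2:-$(date +%Y%m%d)}

    # Only accept exactly ten digits (CCYYMMDD + sq).
    case $current in
        ''|*[!0-9]*) echo "next_serial: not a number: $current" >&2; return 1 ;;
    esac
    [ "${#current}" -eq 10 ] || {
        echo "next_serial: expected 10 digits: $current" >&2; return 1; }

    day=${current%??}          # first eight digits: CCYYMMDD
    seq=${current#????????}    # last two digits: sq

    # Older date in the file: it is a new day, restart the sequence at 01.
    if [ "$day" -lt "$today" ]; then
        echo "${today}01"
        return 0
    fi

    # Same day (or a serial already dated in the future): bump the sequence.
    # Strip the leading zero first, otherwise 08 and 09 are rejected as
    # invalid octal by shell arithmetic.
    seq=${seq#0}
    if [ "$seq" -ge 99 ]; then
        echo "next_serial: sequence exhausted for $day" >&2
        return 1
    fi
    printf '%s%02d\n' "$day" "$((seq + 1))"
}

# bump_zone_serial FILE [TODAY]
# Assumes the serial is the first standalone ten-digit number in FILE.
# Keeps the original as FILE.old, as the sed loop in this thread does.
bump_zone_serial() {
    zonefile=$1
    old=$(awk '{ for (i = 1; i <= NF; i++)
                     if ($i ~ /^[0-9]+$/ && length($i) == 10) { print $i; exit } }' "$zonefile")
    [ -n "$old" ] || { echo "no serial found in $zonefile" >&2; return 1; }
    new=$(next_serial "$old" "${2:-}") || return 1
    awk -v old="$old" -v new="$new" '
        !done { for (i = 1; i <= NF; i++)
                    if ($i == old) { sub(old, new); done = 1; break } }
        { print }' "$zonefile" >"${zonefile}.new" || return 1
    mv "$zonefile" "${zonefile}.old" && mv "${zonefile}.new" "$zonefile"
}
```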



Re: Make changes en mass [done]

2009-03-24 Thread Alan Clegg
Todd Snyder wrote:
> I am looking for a clever way to do the new serial number.  Date will do
> the first bit no problem (date +%Y%m%d), but I'd love to find a clever
> way to auto increment the last 2 digits unless it's a new day.  Then I
> could use the same script every time.

http://www.crufty.net/help/dns/dnsmagic.html

seems to contain something called "updsoa.pl" that might do what you
want -- in fact, it might do EVERYTHING you want...

AlanC




RE: Make changes en mass [done]

2009-03-24 Thread Todd Snyder
I am looking for a clever way to do the new serial number.  Date will do
the first bit no problem (date +%Y%m%d), but I'd love to find a clever
way to auto increment the last 2 digits unless it's a new day.  Then I
could use the same script every time.

/puts on thinking cap.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Lightner
Sent: Tuesday, March 24, 2009 4:54 PM
To: Alan Clegg; bind-users@lists.isc.org
Subject: RE: Make changes en mass [done]

Good point.  

The serial number should be updated since the zone file is being
updated.  The sed command could be used to do that as well.

for zonefile in `ls *.com`
do sed -e 's/604800/709600/' \
       -e 's/200[0-9][0-1][0-9][0-9][0-9][0-9][0-9]/2009032401/' \
       "$zonefile" >"${zonefile}.new"
   mv "$zonefile" "${zonefile}.old"
   mv "${zonefile}.new" "$zonefile"
done

The above does the same expiration value replacement as earlier and also
changes the serial number to current day (2009032401 as of this
writing).   This substitution is based on the preferred serial number
syntax of:
CCYYMMDDsq where sq is a sequence number (01 being first).   It assumes
all the zone files have a current serial number using that in the
current decade (2000s) and no sequence number higher than 99.   The
pattern would have to be adjusted if those assumptions weren't valid.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alan Clegg
Sent: Tuesday, March 24, 2009 4:31 PM
To: bind-users@lists.isc.org
Subject: Re: Make changes en mass [done]

John D. Vo wrote:
> Thanks Jeff. I prefer your way better, more eloquent than the brute 
> force method I did.

To this point, nobody has updated the serial.

AlanC
 


RE: Make changes en mass [done]

2009-03-24 Thread Jeff Lightner
Good point.  

The serial number should be updated since the zone file is being
updated.  The sed command could be used to do that as well.

for zonefile in `ls *.com`
do sed -e 's/604800/709600/' \
       -e 's/200[0-9][0-1][0-9][0-9][0-9][0-9][0-9]/2009032401/' \
       "$zonefile" >"${zonefile}.new"
   mv "$zonefile" "${zonefile}.old"
   mv "${zonefile}.new" "$zonefile"
done

The above does the same expiration value replacement as earlier and also
changes the serial number to current day (2009032401 as of this
writing).   This substitution is based on the preferred serial number
syntax of:
CCYYMMDDsq where sq is a sequence number (01 being first).   It assumes
all the zone files have a current serial number using that in the
current decade (2000s) and no sequence number higher than 99.   The
pattern would have to be adjusted if those assumptions weren't valid.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alan Clegg
Sent: Tuesday, March 24, 2009 4:31 PM
To: bind-users@lists.isc.org
Subject: Re: Make changes en mass [done]

John D. Vo wrote:
> Thanks Jeff. I prefer your way better, more eloquent than the brute
> force method I did.

To this point, nobody has updated the serial.

AlanC
 


Re: Make changes en mass [done]

2009-03-24 Thread Alan Clegg
John D. Vo wrote:
> Thanks Jeff. I prefer your way better, more eloquent than the brute
> force method I did.

To this point, nobody has updated the serial.

AlanC




Re: Make changes en mass [done]

2009-03-24 Thread John D. Vo




Thanks Jeff. I prefer your way better, more eloquent than the brute
force method I did.

-John

Jeff Lightner wrote:

I guess "[done]" was a key point of your subject.  Oh - well at least
it's there for the archives.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Lightner
Sent: Tuesday, March 24, 2009 3:42 PM
To: j...@eagle.net
Cc: bind-users@lists.isc.org
Subject: RE: Make changes en mass [done]

If all your zones have same value (e.g. 604800) for expire and nothing
else matches that value in the files you could do it fairly easily with
a for loop and sed:

For example if all your zone files were named with a .com at end of
name:

for zonefile in `ls *.com` 
do sed -e s/604800/709600/ $zonefile >${zonefile}.new
   mv $zonefile ${zonefile}.old
   mv ${zonefile}.new $zonefile
done

The sed would find the 604800 in the zone file and replace it with
709600.  You then have it send the sed output to a file with same zone
name with .new appended.  You then save the original zone file (for
backout planning) and finally move the new zonefile over the original.

TEST THE ABOVE IN AN ALTERNATE LOCATION FIRST!!!   



-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Tuesday, March 24, 2009 2:46 PM
To: j...@eagle.net
Cc: bind-users@lists.isc.org
Subject: Re: Make changes en mass [done]

I used WinSCP and just select a bunch of files and edit command and
copy/paste the "good" settings into the zone files.

-Thanks.

-John

John D. Vo wrote:
  
  
Greetings:

According to http://thednsreport.com, my "expire" time for my zones 
are too short (recommended 2-4 weeks) and
my SOA record is not good.

Is there a tool that I can use to make changes to all my zones in one 
swoop?

Thanks,

Solaris/Bind 9.2.2. (yes, it is ancient)


  
   

  



-- 


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---





RE: Make changes en mass [done]

2009-03-24 Thread Jeff Lightner
I guess "[done]" was a key point of your subject.  Oh - well at least
it's there for the archives.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Lightner
Sent: Tuesday, March 24, 2009 3:42 PM
To: j...@eagle.net
Cc: bind-users@lists.isc.org
Subject: RE: Make changes en mass [done]

If all your zones have same value (e.g. 604800) for expire and nothing
else matches that value in the files you could do it fairly easily with
a for loop and sed:

For example if all your zone files were named with a .com at end of
name:

for zonefile in *.com
do sed -e 's/604800/709600/' "$zonefile" >"${zonefile}.new"
   mv "$zonefile" "${zonefile}.old"
   mv "${zonefile}.new" "$zonefile"
done

The sed would find the 604800 in the zone file and replace it with
709600.  You then have it send the sed output to a file with same zone
name with .new appended.  You then save the original zone file (for
backout planning) and finally move the new zonefile over the original.

TEST THE ABOVE IN AN ALTERNATE LOCATION FIRST!!!   



-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Tuesday, March 24, 2009 2:46 PM
To: j...@eagle.net
Cc: bind-users@lists.isc.org
Subject: Re: Make changes en mass [done]

I used WinSCP and just select a bunch of files and edit command and 
copy/paste the "good" settings into the zone files.

-Thanks.

-John

John D. Vo wrote:
> Greetings:
>
> According to http://thednsreport.com, my "expire" time for my zones 
> are too short (recommended 2-4 weeks) and
> my SOA record is not good.
>
> Is there a tool that I can use to make changes to all my zones in one 
> swoop?
>
> Thanks,
>
> Solaris/Bind 9.2.2. (yes, it is ancient)
>
 

-- 


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---




RE: Make changes en mass [done]

2009-03-24 Thread Jeff Lightner
If all your zones have same value (e.g. 604800) for expire and nothing
else matches that value in the files you could do it fairly easily with
a for loop and sed:

For example if all your zone files were named with a .com at end of
name:

for zonefile in *.com
do sed -e 's/604800/709600/' "$zonefile" >"${zonefile}.new"
   mv "$zonefile" "${zonefile}.old"
   mv "${zonefile}.new" "$zonefile"
done

The sed would find the 604800 in the zone file and replace it with
709600.  You then have it send the sed output to a file with same zone
name with .new appended.  You then save the original zone file (for
backout planning) and finally move the new zonefile over the original.

TEST THE ABOVE IN AN ALTERNATE LOCATION FIRST!!!   



-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Tuesday, March 24, 2009 2:46 PM
To: j...@eagle.net
Cc: bind-users@lists.isc.org
Subject: Re: Make changes en mass [done]

I used WinSCP and just select a bunch of files and edit command and 
copy/paste the "good" settings into the zone files.

-Thanks.

-John

John D. Vo wrote:
> Greetings:
>
> According to http://thednsreport.com, my "expire" time for my zones 
> are too short (recommended 2-4 weeks) and
> my SOA record is not good.
>
> Is there a tool that I can use to make changes to all my zones in one 
> swoop?
>
> Thanks,
>
> Solaris/Bind 9.2.2. (yes, it is ancient)
>
 

-- 


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---




using bind for blacklist of domains

2009-03-24 Thread dhottinger
Has anyone used their internal dns server for blacklisting?  I would
like to specifically block access to domains that are spreading
malware.  I was grepping around the internet and fell upon this
website http://www.malwaredomains.com/, but don't seem to be able to
get my internal name server to like any of the configs I push on it.
Thanks for any advice that might be offered.


ddh


--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante



Re: Make changes en mass [done]

2009-03-24 Thread John D. Vo
I used WinSCP and just select a bunch of files and edit command and 
copy/paste the "good" settings into the zone files.


-Thanks.

-John

John D. Vo wrote:

Greetings:

According to http://thednsreport.com, my "expire" time for my zones 
are too short (recommended 2-4 weeks) and

my SOA record is not good.

Is there a tool that I can use to make changes to all my zones in one 
swoop?


Thanks,

Solaris/Bind 9.2.2. (yes, it is ancient)




--


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---




RE: Make changes en mass

2009-03-24 Thread Lakes, Dale
Be very careful (test, test, test) before using in production, but
something like:

for file in *.db
do
  sed -i-03242009 "s/1200/2419200/g" "$file"
done

should work.

I'm making a couple of assumptions:
1) all of your zone database files end in .db
2) the -i flag is supported in Solaris sed (I don't know)
3) you want to make backup files with today's date appended
4) the integer representing seconds to expire (1200 in the example) only
appears once in each zone file (grep to be sure).

Hope this helps.

Dale Lakes
Antares Management Solutions

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Tuesday, March 24, 2009 1:03 PM
To: bind-users@lists.isc.org
Subject: Make changes en mass

Greetings:

According to http://thednsreport.com, my "expire" time for my zones are 
too short (recommended 2-4 weeks) and
my SOA record is not good.

Is there a tool that I can use to make changes to all my zones in one 
swoop?

Thanks,

Solaris/Bind 9.2.2. (yes, it is ancient)

-- 


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---
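
Both sed loops in this thread depend on the old expire value not appearing anywhere else in the zone file. As an added example (not code from any poster here), the script below changes only the expire timer inside the SOA record; the function names, the use of awk and the constructed example.com zone are assumptions, and 2419200 is the value from the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): change only the SOA expire timer.

# rewrite_soa_expire NEW <zonefile >newfile
# Copies the zone text unchanged except for the 4th timer after the SOA
# keyword (serial, refresh, retry, EXPIRE, minimum). Exits 1 when no SOA
# record with an expire field is found.
rewrite_soa_expire() {
    awk -v new="$1" '
    # Rebuild one line from column "start", counting SOA timers in n and
    # swapping in the new value when the 4th one is reached.
    function rewrite(line, start,    c, body, tail, out, pos, tpos, tok) {
        c = index(line, ";")                       # comment starts here
        body = c ? substr(line, 1, c - 1) : line
        tail = c ? substr(line, c) : ""
        out = substr(body, 1, start - 1)
        pos = start
        while (n < 4 && match(substr(body, pos), /[^ \t()]+/)) {
            tpos = pos + RSTART - 1
            tok = substr(body, tpos, RLENGTH)
            out = out substr(body, pos, RSTART - 1)
            if ((tok ~ /^[0-9]+[0-9smhdwSMHDW]*$/) && (++n == 4)) tok = new
            out = out tok
            pos = tpos + RLENGTH
        }
        return out substr(body, pos) tail
    }
    state == 0 {                                   # still looking for SOA
        c = index($0, ";")
        head = toupper(c ? substr($0, 1, c - 1) : $0)
        if (match(head, /[ \t]SOA[ \t]/)) {
            print rewrite($0, RSTART + RLENGTH)
            if (n >= 4) state = 2                  # one-line SOA, done
            else if (index(head, "(")) state = 1   # timers on later lines
            else exit 1
            next
        }
    }
    state == 1 {                                   # inside the SOA parens
        print rewrite($0, 1)
        if (n >= 4) state = 2
        else if (index($0, ")")) exit 1            # closed before expire
        next
    }
    { print }
    END { if (n < 4) exit 1 }
    '
}

# set_soa_expire NEW FILE...
# Same .new/.old scheme as the loop in the thread: write FILE.new, keep the
# original as FILE.old, move FILE.new into place. A file without a usable
# SOA record is reported and left untouched.
set_soa_expire() {
    new=$1; shift
    case $new in
        ''|[!0-9]*|*[!0-9smhdwSMHDW]*) echo "bad expire: $new" >&2; return 2 ;;
    esac
    rc=0
    for zonefile in "$@"; do
        if rewrite_soa_expire "$new" <"$zonefile" >"${zonefile}.new"; then
            cp -p "$zonefile" "${zonefile}.old" &&
                mv "${zonefile}.new" "$zonefile" || rc=1
        else
            echo "skipped $zonefile: no SOA expire field" >&2
            rm -f "${zonefile}.new"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample zone: 604800 is both the SOA expire and, by
# coincidence, the TTL of the www record.
make_sample_zone() {
    cat >"$1" <<'EOF'
$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2009032401 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
www 604800 IN A 192.0.2.10
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_zone "$dir/example.com"
    set_soa_expire 2419200 "$dir/example.com" && cat "$dir/example.com"
    rm -rf "$dir"
}
demo
```

The serial is left as it is; secondaries only fetch the new SOA once the serial has been increased and the zone reloaded.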




Re: Make changes en mass

2009-03-24 Thread Fr34k

Hello,

Some folks prefer to script something.
Some may find this tool helpful:
http://www.laffeycomputer.com/rpl.html

I'm sure there are other ways.

HTH



- Original Message 
From: John D. Vo 
To: bind-users@lists.isc.org
Sent: Tuesday, March 24, 2009 1:03:22 PM
Subject: Make changes en mass

Greetings:

According to http://thednsreport.com, my "expire" time for my zones are too 
short (recommended 2-4 weeks) and
my SOA record is not good.

Is there a tool that I can use to make changes to all my zones in one swoop?

Thanks,

Solaris/Bind 9.2.2. (yes, it is ancient)

-- 

Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell:    (212) 200-3016

---




Make changes en mass

2009-03-24 Thread John D. Vo

Greetings:

According to http://thednsreport.com, my "expire" time for my zones are 
too short (recommended 2-4 weeks) and

my SOA record is not good.

Is there a tool that I can use to make changes to all my zones in one 
swoop?


Thanks,

Solaris/Bind 9.2.2. (yes, it is ancient)

--


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---




Re: Strange DNS Behaviour

2009-03-24 Thread Mark Andrews

In message <00a901c9ac92$9dc4e8a0$f9281...@wipro74039c7ca>, "Ashish" writes:
> Hi,
> 
> Could someone kindly explain what is happening?

You have a DNS client that is using a pre-RFC 1535 search
algorithm that is looking up kemira.kemira.com.

Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993


              A Security Problem and Proposed Correction
                   With Widely Deployed DNS Software


You are also using BIND 4 or BIND 8 as a nameserver.  You
should upgrade the nameserver.

Mark


> I don't have domain name kemira.kemira.com anywhere in my primary
> database (and all secondaries, too) kemira.com = 137.33.1.2
> I have doublechecked the master database and secondaries. I have
> restarted both of them, but nothing seems to help.
> 
> In funet.fi (master for fi-domain) when I start named and query
> kemira.kemira.com for the first time, it looks like this:
> 
> ==
> datagram from 130.230.1.1 port 1536, fd 7, len 44
> req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1
> req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
> findns: SOA found
> req: leaving (kemira.kemira.com.funet.fi, rcode 3)
> req: answer -> 130.230.1.1 9 (1536) id=1 Local
> 
> datagram from 130.230.1.1 port 1537, fd 7, len 44
> req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15
> req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
> findns: SOA found
> req: leaving (kemira.kemira.com.funet.fi, rcode 3)
> req: answer -> 130.230.1.1 9 (1537) id=2 Local
> 
> datagram from 130.230.1.1 port 1538, fd 7, len 35
> req: nlookup(kemira.kemira.com) id 3 type=1
> req: found 'kemira.kemira.com' as 'com' (cname=0)
> findns: using cache
> findns: 7 NS's added for ''
> ns_forw()
> nslookup(nsp=xf7fff1e0,qp=x55000)
> nslookup: NS NS.NIC.DDN.MIL c1 t2 (x0)
> nslookup: 1 ns addrs
> nslookup: NS AOS.BRL.MIL c1 t2 (x0)
> nslookup: 4 ns addrs
> nslookup: NS KAVA.NISC.SRI.COM c1 t2 (x0)
> nslookup: 5 ns addrs
> nslookup: NS C.NYSER.NET c1 t2 (x0)
> nslookup: 6 ns addrs
> nslookup: NS TERP.UMD.EDU c1 t2 (x0)
> nslookup: 7 ns addrs
> nslookup: NS NS.NASA.GOV c1 t2 (x0)
> nslookup: 9 ns addrs
> nslookup: NS NIC.NORDU.NET c1 t2 (x0)
> nslookup: 10 ns addrs total
> forw: forw -> 192.33.4.12 7 (53) nsid=5 id=3 0ms retry 4 sec
> 
> 
> 
> and a bit later:
> 
> datagram from 192.33.4.12 port 53, fd 7, len 186
> USER response nsid=5 id=3
> stime 712944912/687743  now 712944912/887742 rtt 199
> NS #0 addr 192.33.4.12 used, rtt 199
> NS #1 128.63.4.82 rtt now 0
> NS #2 26.3.0.29 rtt now 0
> NS #3 192.5.25.82 rtt now 0
> NS #4 192.33.33.24 rtt now 0
> NS #5 128.8.10.90 rtt now 0
> NS #6 192.52.195.10 rtt now 0
> NS #7 128.102.16.10 rtt now 0
> NS #8 192.36.148.17 rtt now 0
> NS #9 192.112.36.4 rtt now 401
> resp: ancount 1, aucount 3, arcount 3
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
> db_update(kemira.kemira.com, 0x554b8, 0x554b8, 031, 0x44ca0)
> db_update: adding 554b8
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
> db_update(KEMIRA.COM, 0x55580, 0x55580, 031, 0x44ca0)
> db_update: adding 55580
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
> db_update(KEMIRA.COM, 0x555b8, 0x555b8, 031, 0x44ca0)
> db_update: adding 555b8
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
> db_update(KEMIRA.COM, 0x555f0, 0x555f0, 031, 0x44ca0)
> db_update: adding 555f0
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
> db_update(KEMIRA.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
> db_update: new ttl 713117712, +172800
> update failed (DATAEXISTS)
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
> db_update(HYDRA.HELSINKI.FI, 0x55630, 0x55630, 031, 0x44ca0)
> 192.33.4.12 attempted update to auth zone 1 'fi'
> update failed (-10)
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname HKIUX9.FIN.KEMIRA.COM type 1 class 1 ttl 172800
> db_update(HKIUX9.FIN.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
> db_update: adding 55630
> resp: got as much answer as there is
> send_msg -> 130.230.1.1 (UDP 9 1538) id=3
> 
> datagram from 130.230.1.1 port 1539, fd 7, len 35
> req: nlookup(kemira.kemira.com) id 4 type=15
> datagram from 130.230.1.1 port 1539, fd 7, len 35
> req: nlookup(kemira.kemira.com) id 4 type=15
> req: found 'kemira.kemira.com' as 'kemira.kemira.com' (cname=0)
> finddata: added 0 class 1 type 15 RRs
> findns: 3 NS's added for 'kemira'
> ns_forw()
> nslookup(nsp=xf7fff1e0,qp=x55000)
> nslookup: NS KEMIRA.KEMIRA.COM c1 t2 (x0)
> nslook

Re: Server names for query

2009-03-24 Thread Matus UHLAR - fantomas
> Casey Deccio wrote:
> >RFC 1035 [1] (page 44) describes the use of a list of server names 
> >(SLIST) to query for a particular name.  It is unclear to me from the 
> >RFC as to whether the server is selected by address or by name.  In 
> >other words, all history (e.g., batting average and response time) 
> >being equal, if a name resolves to two IP addresses, is it twice as 
> >likely to be used in resolution for a name as that which resolves to 
> >only one--both according to the RFC, and as implemented in BIND?  Example:
> >
> >example.com. 3600 IN NS ns1.example.com.
> >example.com. 3600 IN NS ns2.example.com.
> >ns1.example.com. 3600 IN A 10.0.0.1
> >ns1.example.com. 3600 IN A 10.0.0.2
> >ns2.example.com. 3600 IN A 10.0.0.3

On 23.03.09 17:20, Kevin Darcy wrote:
> For the *initial* NS query, I believe BIND will resolve those names down 
> to a flat set of addresses, all of which have equal chance of being 
> tried, so, yes, if a given NS name resolves to more addresses than other 
> names, it is more likely to be tried on the initial NS query.

Btw how does BIND send notifies? does it send them to _any_ of those IP
addresses? Some RFCs in the past iirc assumed that one name with multiple
IPs is one multihomed host, which could lead to assumption that it's enough
to query one of those IP's.

I believe it's not true.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are


Re: named-checkconf error

2009-03-24 Thread Steve Shockley

On 12/8/2008 11:00 AM, Chris Thompson wrote:

In message <493b2b5d.40...@shockley.net>, Steve Shockley wrote:


I'm running BIND 9.4.2 on OpenBSD 4.3. I'm getting some errors with
named-checkconf I don't really understand. I'm running:

named-checkzone -t /var/named capmarksecurities.com
/master/db.capmarksecurities.com

and I get:

zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com)
failed: non-recoverable failure in name resolution

[etc.]

This appears to happen with all zones with MX records that are in a
different zone. The zone loads and seems to work as expected. What's
going wrong?


Something is wrong with the configuration of the host on which you
ran named-checkzone. Either its resolver configuration is screwed,
or getaddrinfo() isn't getting as far as using the resolver. Can
you do host address lookups at all there?

You can suppress the check by using "-i local" on named-checkzone
(see the man page). But it would be better to fix the configuration
problem, of course.


For the archives, this error turned out to be because BIND is chrooted, 
and there was no hosts or resolv.conf in /var/named/etc.  I copied those 
two files from /etc to /var/named/etc and the output came up with no errors.



Re: Strange DNS Behaviour

2009-03-24 Thread Eric C. Davis


funet.fi  nameserver = ns.funet.fi
funet.fi  nameserver = ns-secondary.funet.fi
> kemira.com
Server:  rockyd.rockefeller.edu
Address:  129.85.1.24

Non-authoritative answer:
kemira.com  nameserver = ns1.capgemini.fi
kemira.com  nameserver = ns2.capgemini.fi

Internet DNS thinks those domain names are under the authority of the 
name servers listed above.  What are you trying to accomplish?


Eric
Ashish wrote:

Hi,

Could someone kindly explain what is happening?

I don't have domain name kemira.kemira.com anywhere in my primary
database (and all secondaries, too) kemira.com = 137.33.1.2
I have doublechecked the master database and secondaries. I have
restarted both of them, but nothing seems to help.

In funet.fi (master for fi-domain) when I start named and query
kemira.kemira.com for the first time, it looks like this:

==
datagram from 130.230.1.1 port 1536, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1536) id=1 Local

datagram from 130.230.1.1 port 1537, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1537) id=2 Local

datagram from 130.230.1.1 port 1538, fd 7, len 35
req: nlookup(kemira.kemira.com) id 3 type=1
req: found 'kemira.kemira.com' as 'com' (cname=0)
findns: using cache
findns: 7 NS's added for ''
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS NS.NIC.DDN.MIL c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS AOS.BRL.MIL c1 t2 (x0)
nslookup: 4 ns addrs
nslookup: NS KAVA.NISC.SRI.COM c1 t2 (x0)
nslookup: 5 ns addrs
nslookup: NS C.NYSER.NET c1 t2 (x0)
nslookup: 6 ns addrs
nslookup: NS TERP.UMD.EDU c1 t2 (x0)
nslookup: 7 ns addrs
nslookup: NS NS.NASA.GOV c1 t2 (x0)
nslookup: 9 ns addrs
nslookup: NS NIC.NORDU.NET c1 t2 (x0)
nslookup: 10 ns addrs total
forw: forw -> 192.33.4.12 7 (53) nsid=5 id=3 0ms retry 4 sec



and a bit later:

datagram from 192.33.4.12 port 53, fd 7, len 186
USER response nsid=5 id=3
stime 712944912/687743  now 712944912/887742 rtt 199
NS #0 addr 192.33.4.12 used, rtt 199
NS #1 128.63.4.82 rtt now 0
NS #2 26.3.0.29 rtt now 0
NS #3 192.5.25.82 rtt now 0
NS #4 192.33.33.24 rtt now 0
NS #5 128.8.10.90 rtt now 0
NS #6 192.52.195.10 rtt now 0
NS #7 128.102.16.10 rtt now 0
NS #8 192.36.148.17 rtt now 0
NS #9 192.112.36.4 rtt now 401
resp: ancount 1, aucount 3, arcount 3
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
db_update(kemira.kemira.com, 0x554b8, 0x554b8, 031, 0x44ca0)
db_update: adding 554b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x55580, 0x55580, 031, 0x44ca0)
db_update: adding 55580
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555b8, 0x555b8, 031, 0x44ca0)
db_update: adding 555b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555f0, 0x555f0, 031, 0x44ca0)
db_update: adding 555f0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
db_update(KEMIRA.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: new ttl 713117712, +172800
update failed (DATAEXISTS)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
db_update(HYDRA.HELSINKI.FI, 0x55630, 0x55630, 031, 0x44ca0)
192.33.4.12 attempted update to auth zone 1 'fi'
update failed (-10)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HKIUX9.FIN.KEMIRA.COM type 1 class 1 ttl 172800
db_update(HKIUX9.FIN.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: adding 55630
resp: got as much answer as there is
send_msg -> 130.230.1.1 (UDP 9 1538) id=3

datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
req: found 'kemira.kemira.com' as 'kemira.kemira.com' (cname=0)
finddata: added 0 class 1 type 15 RRs
findns: 3 NS's added for 'kemira'
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS KEMIRA.KEMIRA.COM c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS HYDRA.HELSINKI.FI c1 t2 (x0)
nslookup: 2 ns addrs
nslookup: NS HKIUX9.FIN.KEMIRA.COM c1 t2 (x0)
nslookup: 3 ns addrs
nslookup: 3 ns addrs total
forw: forw -> 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec

datagram from 137.33.1.2 port 53, fd 7, len 92
USER response nsid=7 id=4
stime 712944912/917744  now 712944912/967742 rtt 49
NS #0 addr 137.33.1.2 used, rtt 49
NS #1 128.214.4.29 rtt now 0
NS #2 137.33.1.9

Strange DNS Behaviour

2009-03-24 Thread Ashish
Hi,

Could someone kindly explain what is happening?

I don't have domain name kemira.kemira.com anywhere in my primary
database (and all secondaries, too) kemira.com = 137.33.1.2
I have doublechecked the master database and secondaries. I have
restarted both of them, but nothing seems to help.

In funet.fi (master for fi-domain) when I start named and query
kemira.kemira.com for the first time, it looks like this:

==
datagram from 130.230.1.1 port 1536, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1536) id=1 Local

datagram from 130.230.1.1 port 1537, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer -> 130.230.1.1 9 (1537) id=2 Local

datagram from 130.230.1.1 port 1538, fd 7, len 35
req: nlookup(kemira.kemira.com) id 3 type=1
req: found 'kemira.kemira.com' as 'com' (cname=0)
findns: using cache
findns: 7 NS's added for ''
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS NS.NIC.DDN.MIL c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS AOS.BRL.MIL c1 t2 (x0)
nslookup: 4 ns addrs
nslookup: NS KAVA.NISC.SRI.COM c1 t2 (x0)
nslookup: 5 ns addrs
nslookup: NS C.NYSER.NET c1 t2 (x0)
nslookup: 6 ns addrs
nslookup: NS TERP.UMD.EDU c1 t2 (x0)
nslookup: 7 ns addrs
nslookup: NS NS.NASA.GOV c1 t2 (x0)
nslookup: 9 ns addrs
nslookup: NS NIC.NORDU.NET c1 t2 (x0)
nslookup: 10 ns addrs total
forw: forw -> 192.33.4.12 7 (53) nsid=5 id=3 0ms retry 4 sec



and a bit later:

datagram from 192.33.4.12 port 53, fd 7, len 186
USER response nsid=5 id=3
stime 712944912/687743  now 712944912/887742 rtt 199
NS #0 addr 192.33.4.12 used, rtt 199
NS #1 128.63.4.82 rtt now 0
NS #2 26.3.0.29 rtt now 0
NS #3 192.5.25.82 rtt now 0
NS #4 192.33.33.24 rtt now 0
NS #5 128.8.10.90 rtt now 0
NS #6 192.52.195.10 rtt now 0
NS #7 128.102.16.10 rtt now 0
NS #8 192.36.148.17 rtt now 0
NS #9 192.112.36.4 rtt now 401
resp: ancount 1, aucount 3, arcount 3
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
db_update(kemira.kemira.com, 0x554b8, 0x554b8, 031, 0x44ca0)
db_update: adding 554b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x55580, 0x55580, 031, 0x44ca0)
db_update: adding 55580
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555b8, 0x555b8, 031, 0x44ca0)
db_update: adding 555b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555f0, 0x555f0, 031, 0x44ca0)
db_update: adding 555f0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
db_update(KEMIRA.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: new ttl 713117712, +172800
update failed (DATAEXISTS)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
db_update(HYDRA.HELSINKI.FI, 0x55630, 0x55630, 031, 0x44ca0)
192.33.4.12 attempted update to auth zone 1 'fi'
update failed (-10)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HKIUX9.FIN.KEMIRA.COM type 1 class 1 ttl 172800
db_update(HKIUX9.FIN.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: adding 55630
resp: got as much answer as there is
send_msg -> 130.230.1.1 (UDP 9 1538) id=3

datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
req: found 'kemira.kemira.com' as 'kemira.kemira.com' (cname=0)
finddata: added 0 class 1 type 15 RRs
findns: 3 NS's added for 'kemira'
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS KEMIRA.KEMIRA.COM c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS HYDRA.HELSINKI.FI c1 t2 (x0)
nslookup: 2 ns addrs
nslookup: NS HKIUX9.FIN.KEMIRA.COM c1 t2 (x0)
nslookup: 3 ns addrs
nslookup: 3 ns addrs total
forw: forw -> 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec

datagram from 137.33.1.2 port 53, fd 7, len 92
USER response nsid=7 id=4
stime 712944912/917744  now 712944912/967742 rtt 49
NS #0 addr 137.33.1.2 used, rtt 49
NS #1 128.214.4.29 rtt now 0
NS #2 137.33.1.9 rtt now 0
resp: ancount 0, aucount 1, arcount 0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.com type 6 class 1 ttl 3600
db_update(kemira.com, 0x556f8, 0x556f8, 031, 0x44ca0)
db_update: adding 556f8
resp: leaving auth NO
send_msg -> 130.230.1.1 (UDP 9 1539) id=4

=

Kindly advise!

Many Thanks,
Ashish




RE: Root Server Simulation Communication Problem

2009-03-24 Thread Ben Bridges
Mani,
 
With recursion enabled, your abc.com server is both authoritative (for
the zones configured in named.conf) and caching.  If you want it to be
purely authoritative, you'll need to disable recursion.  But if you want
to be able to query it for the root server (which is why you started
this thread), you're going to have to allow recursion for at least your
internal hosts because the server is not authoritative for ".".  Why are
you wanting to be able to query it for the root server?  To want to be
able to query a purely authoritative server for something for which it
is not authoritative is a bit of a self-contradiction.
 
Ben




From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of T
MANIKANDAN-PKXR74
Sent: Tuesday, March 24, 2009 12:52 AM
To: bind-users@lists.isc.org
Subject: RE: Root Server Simulation Communication Problem


Hi Ben,
 
Thanks for the reply. Now my root server (rootns.man) is responding
to abc.com after enabling recursion (yes) on the abc.com server. Now
my question is: is my abc.com still called an authoritative name server or
a caching name server? I intended to set up an authoritative name
server, and hope that by enabling recursion I am still an authoritative server.
 
Regards
Mani



From: Ben Bridges [mailto:bbrid...@springnet.net] 
Sent: Friday, March 20, 2009 8:35 PM
To: T MANIKANDAN-PKXR74; bind-users@lists.isc.org
Subject: RE: Root Server Simulation Communication Problem


You have recursion disabled on your abc.com server, and I
believe that is preventing your query from succeeding.  My understanding
is that the contents of the root hints file are not stored in the
server's cache (which means, I think, that they are not themselves
returned in response to queries for those records).  Since you have
recursion disabled on abc.com, it is never using its root hints to query
your root server (rootns.man) for the NS and A records for the root zone
(which sounds obfuscated, but it is done that way because the root
servers themselves have the most current list of servers for the root
zone).
 
 


From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of T
MANIKANDAN-PKXR74
Sent: Friday, March 20, 2009 8:30 AM
To: bind-users@lists.isc.org
Subject: Root Server Simulation Communication Problem



Hi,

  I am trying to set up a lab which also replicates the root
server (DNS with root server simulation for an intranet).
Basically I have two servers, one abc.com as
authoritative server and the other rootns.man acting as root server,
running BIND 9 on both.


 I have done the following things in my named.conf file

options {
        directory "/var/named";
        recursion no;
};

zone "." {
        type hint;
        file "root";
};

zone "abc.com" IN {
        type master;
        file "forward";
};

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "reverse";
};

My root file (points to another DNS server acting as the root
server; let us call it rootns.man):

.           86400   IN  NS  rootns.man.
rootns.man. 86400   IN  A   1.2.3.4

My Forward and reverse file

$TTL 3600
@       IN SOA  abc.com. root.abc.com. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   abc.com.
abc.com. IN A   192.168.10.12


$TTL 3600
@       IN SOA  abc.com. root.abc.com. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum

        IN NS   abc.com.
12      IN PTR  abc.com.

In the other DNS server

Servers loading zones with lower serials

2009-03-24 Thread Todd Snyder
Good day,

I saw some strange behaviour from BIND and am trying to understand it.

In one of the labs, someone mucked up a DNS change and made the serial
lower than the previous version.  

Some of the nameservers complained:

Mar 23 15:07:24 ns1001 named[5913]: zone 5.1.10.in-addr.arpa/IN: serial
number (2008030900) received from master 10.1.1.1#53 < ours (2008062600)

But some others just went ahead and loaded the zone anyways.

One of the servers that loaded the zone was BIND9.2.4

One of the ones that rejected it was 9.4.2-P2

I've done some searching but can't find anything that jumps out at me to
explain this behaviour.  Am I misunderstanding the serials?

Thanks,

Todd.
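
The comparison behind the log line quoted above, as an added example that is not part of the original thread: RFC 1982 serial number arithmetic over 32-bit SOA serials, applied to that line. The function names and the regular expression are assumptions written from the single log line in the message, and the sample is that line with its mail wrap joined.

```python
import re

MOD = 2 ** 32    # SOA serials are 32-bit (RFC 1982, SERIAL_BITS = 32)
HALF = 2 ** 31

def serial_compare(a: int, b: int):
    """Compare two SOA serials with RFC 1982 arithmetic.

    Returns -1 if a is older than b, 0 if equal, 1 if a is newer,
    and None when they are exactly 2**31 apart (comparison undefined).
    """
    a %= MOD
    b %= MOD
    if a == b:
        return 0
    diff = (b - a) % MOD          # distance from a forward to b, with wrap
    if diff == HALF:
        return None
    return -1 if diff < HALF else 1

# Pattern written from the log line in the message (assumption: other
# BIND versions may word this message differently).
LOG_RE = re.compile(
    r"zone (?P<zone>\S+): serial\s+number \((?P<theirs>\d+)\)\s+"
    r"received from master (?P<master>\S+) < ours \((?P<ours>\d+)\)"
)

def check_rollback(line: str):
    """Return details of a serial rollback report, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    theirs, ours = int(m["theirs"]), int(m["ours"])
    return {
        "zone": m["zone"],
        "master": m["master"],
        "master_is_older": serial_compare(theirs, ours) == -1,
        # How far the master's serial sits behind the local copy
        "behind_by": (ours - theirs) % MOD,
    }

# Log line from the message, wrapped lines joined
SAMPLE = ("Mar 23 15:07:24 ns1001 named[5913]: zone 5.1.10.in-addr.arpa/IN: "
          "serial number (2008030900) received from master 10.1.1.1#53 "
          "< ours (2008062600)")

if __name__ == "__main__":
    print(check_rollback(SAMPLE))
```

Because the comparison wraps at 2**32, a numerically smaller serial is not always the older one: 0 counts as newer than 4294967295.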




BIND - out of memory

2009-03-24 Thread Jan Arild Lindstrøm
Hi,

I am running ResPerf from Nominum against BIND 9.6.1b1, and I get a lot of:

--cut--
24-Mar-2009 08:51:30.495 database: adb: fetch of 'ns2.state.oh.us' A failed: out of memory
24-Mar-2009 08:51:30.630 database: adb: fetch of 'gz-dns.cncnet.net' A failed: out of memory
24-Mar-2009 08:51:30.657 query-errors: fetch completed at resolver.c:2908 for 129.83.61.195.in-addr.arpa/PTR in 22.401385: out of memory/success [domain:61.195.in-addr.arpa,referral:2,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
24-Mar-2009 08:51:30.672 query-errors: fetch completed at resolver.c:2908 for 211.121.239.211.in-addr.arpa/PTR in 18.586241: out of memory/success [domain:239.211.in-addr.arpa,referral:2,restart:1,qrysent:1,timeout:1,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
24-Mar-2009 08:51:30.684 database: adb: fetch of 'iit.rit.ac.th' A failed: out of memory
24-Mar-2009 08:51:30.685 database: adb: fetch of 'ritk6.rit.ac.th' A failed: out of memory
24-Mar-2009 08:51:30.708 query-errors: fetch completed at resolver.c:2908 for 118.95.219.66.in-addr.arpa/PTR in 31.293651: out of memory/success [domain:95.219.66.in-addr.arpa,referral:1,restart:3,qrysent:0,timeout:1,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
24-Mar-2009 08:51:30.714 query-errors: fetch completed at resolver.c:2908 for 30.126.138.63.in-addr.arpa/PTR in 28.681399: out of memory/success [domain:138.63.in-addr.arpa,referral:1,restart:3,qrysent:0,timeout:1,lame:0,neterr:0,badresp:0,adberr:6,findfail:0,valfail:0]
24-Mar-2009 08:51:30.715 query-errors: fetch completed at resolver.c:2908 for 161.112.185.194.in-addr.arpa/PTR in 18.591808: out of memory/success [domain:185.194.in-addr.arpa,referral:1,restart:1,qrysent:1,timeout:1,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
24-Mar-2009 08:51:30.739 query-errors: fetch completed at resolver.c:2908 for ppp85-141-184-239.pppoe.mtu-net.ru/A in 14.649606: out of memory/success [domain:mtu-net.ru,referral:1,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:1,findfail:0,valfail:0]
24-Mar-2009 08:51:30.812 database: adb: fetch of 'tirant.gva.es' A failed: out of memory
24-Mar-2009 08:51:30.814 database: adb: fetch of 'ns1.pldi.net' A failed: out of memory
24-Mar-2009 08:51:30.898 database: adb: fetch of 'ns1.corporatecolo.com' A failed: out of memory
24-Mar-2009 08:51:30.899 database: adb: fetch of 'ns1.gratisdns.dk' A failed: out of memory
--cut--

What does "database: adb: .. out of memory" mean?
What does "query-errors: fetch completed at ... out of memory/success" mean?

Solaris 10 on a Sun T5140 with 6 cores/96 threads and 16GB of memory: 
SunOS xxx.xxx.xx 5.10 Generic_13-01 sun4v sparc SUNW,T5140 Solaris

The named process takes only 170MB:
Memory: 16G phys mem, 11G free mem, 4104M total swap, 4104M free swap
 19563 named 99  590  171M  169M sleep1:35  0.00% named

BIND 9.4.3 on the same server (running at the same time as testing 9.6.1b1):
 10186 named 99  540 2990M 2989M cpu/66 5438.0  3.84% named

I tried:
datasize unlimited;
stacksize unlimited;
max-cache-size unlimited;

But it had no effect, I still get just as many "out of memory" lines when 
running ResPerf.
resperf -d queryfile-example-3million -e -s  -m 1

Plimit reports (on the named process):
resource  current maximum
time(seconds) unlimited   unlimited
file(blocks)  unlimited   unlimited
data(kbytes)  unlimited   unlimited
stack(kbytes) unlimited   unlimited
coredump(blocks)  unlimited   unlimited
nofiles(descriptors)  unlimited   unlimited
vmemory(kbytes)   unlimited   unlimited

Any hints on what these "out of memory" messages mean would be appreciated.

Thanks
Jan Arild Lindstrom
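
A parser for the two log formats quoted in the message above, added here as an example and not part of the original thread or of BIND: it splits each entry into fields and tallies the "out of memory" results per category. The patterns, function names and summary keys are assumptions written from the quoted lines only, and the counter names are taken as printed without interpreting them.

```python
import re

# Patterns written from the log lines in the message (wrapped lines joined).
ADB_RE = re.compile(
    r"database: adb: fetch of '(?P<name>[^']+)' (?P<rtype>\S+) failed: (?P<result>.+)$")
QERR_RE = re.compile(
    r"query-errors: fetch completed at (?P<src>\S+) for (?P<name>[^/\s]+)/(?P<rtype>\S+) "
    r"in (?P<secs>[\d.]+): (?P<result>[^\[]+?) \[(?P<counters>[^\]]*)\]")

def parse_line(line):
    """Parse one named log entry into a dict, or return None if unrecognised."""
    line = " ".join(line.split())          # collapse mail-wrap whitespace
    m = ADB_RE.search(line)
    if m:
        return {"kind": "adb", **m.groupdict()}
    m = QERR_RE.search(line)
    if not m:
        return None
    rec = {"kind": "query-errors", **m.groupdict()}
    rec["secs"] = float(rec["secs"])
    raw = rec["counters"]                  # "domain:...,referral:2,..."
    pairs = [kv.split(":", 1) for kv in raw.split(",") if ":" in kv]
    rec["counters"] = {k: int(v) if v.isdigit() else v for k, v in pairs}
    return rec

def summarize(lines):
    """Tally out-of-memory results per log category."""
    stats = {"adb_oom": 0, "fetch_oom": 0, "adberr": 0, "slowest": None}
    for rec in filter(None, map(parse_line, lines)):
        if "out of memory" not in rec["result"]:
            continue
        if rec["kind"] == "adb":
            stats["adb_oom"] += 1
            continue
        stats["fetch_oom"] += 1
        stats["adberr"] += rec["counters"].get("adberr", 0)
        if stats["slowest"] is None or rec["secs"] > stats["slowest"][1]:
            stats["slowest"] = (rec["name"], rec["secs"])
    return stats

# Three entries from the message, wrapped lines joined
SAMPLE = [
    "24-Mar-2009 08:51:30.495 database: adb: fetch of 'ns2.state.oh.us' A failed: out of memory",
    "24-Mar-2009 08:51:30.657 query-errors: fetch completed at resolver.c:2908 for 129.83.61.195.in-addr.arpa/PTR in 22.401385: out of memory/success [domain:61.195.in-addr.arpa,referral:2,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]",
    "24-Mar-2009 08:51:30.714 query-errors: fetch completed at resolver.c:2908 for 30.126.138.63.in-addr.arpa/PTR in 28.681399: out of memory/success [domain:138.63.in-addr.arpa,referral:1,restart:3,qrysent:0,timeout:1,lame:0,neterr:0,badresp:0,adberr:6,findfail:0,valfail:0]",
]
```

Calling `summarize(SAMPLE)` returns the per-category counts for the three sample entries; run against a whole log file, the same tally can be set beside the "recursive clients" figure from `rndc status` for the same interval.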
