Re: multi-named instance exist?
dev_n...@zoho.com wrote: If named is invoked successfully on startup, then the contents of the PID file will be overwritten with the new PID value. If named *isn't* invoked successfully on startup, then that's a separate error condition that should be detected and dealt with, within the whole startup subsystem. The problems with using ps to find the named process include:
-- you can get false matches if you don't tailor your string matching _just_right_,
-- unexpectedly missed matches if the command-line arguments change, even a little bit (e.g. if someone bypasses the wrapper script on an emergency basis to start the process manually, with the arguments given perhaps in a different order), and
-- since ps operates on a constantly-changing data source, it can miss legitimate processes in the process table. I've seen that happen many many times with ps on Solaris, not sure if Linux or other flavors of Unix have some sort of concurrency-control mechanism to prevent that phenomenon.

I agree with all your opinions on ps's drawbacks. What I said is, kill -0 $PID will return true even if the process that owns $PID isn't named. For example, named.pid wasn't removed after a system shutdown, and the value in it is 1234. After system startup, another process is launched and owns process id 1234.

Boys boys boys there is no need to fight, you're both right. :)

    NAMED_PID=/path/to/pid
    if [ -e $NAMED_PID ]; then
        if ps -p `cat $NAMED_PID` | grep named; then
            # named is already running, do what's appropriate
            :
        else
            # pid file is bogus, remove it and start named
            unlink $NAMED_PID
            start named
        fi
    else
        if ps -U nobody | grep named; then
            # named is running without a pid file, oops
            # do something useful
            :
        else
            if ps -ax | grep [n]amed; then
                # something is probably really wrong here
                # probably want to stop and look first
                :
            else
                start named
            fi
        fi
    fi

I agree with Kevin that ps on Solaris has issues; although I've never had similar problems on FreeBSD, I still prefer to try and cover all the bases.
Limiting the number of processes that you examine with ps by looking only at those with user nobody helps limit your chances of false positives, although it doesn't cover someone typing 'named' as root. Of course on FreeBSD the /etc/rc.d/named script already handles all of this and much more for you. :) Doug ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND - out of memory
Hi, I already tried 9.4.3, and it happened there. Trying 9.6.0-P1 gives the same result:

    recursive clients: 1083/49900/5
    --cut--
    26-Mar-2009 08:04:39.736 database: adb: fetch of 'mars.csd.unb.ca' A failed: out of memory
    26-Mar-2009 08:04:39.737 database: adb: fetch of 'dns.guangzhou.gd.cn' A failed: out of memory
    --cut--

    nsXX(root) / 502# plimit 9474
    9474:   /local/named-new/local/sbin/named -f -c /etc/named/named.conf.new -u n
       resource              current         maximum
      time(seconds)          unlimited       unlimited
      file(blocks)           unlimited       unlimited
      data(kbytes)           unlimited       unlimited
      stack(kbytes)          unlimited       unlimited
      coredump(blocks)       unlimited       unlimited
      nofiles(descriptors)   unlimited       unlimited
      vmemory(kbytes)        unlimited       unlimited

    tcp-clients 5000;
    clients-per-query 2500;
    max-clients-per-query 5000;
    recursive-clients 5;

(Big numbers to be sure they are not the reason for the 1000 limit.)

9.6.1b1 info:

    file local/named-new/local/sbin/named: ELF 64-bit MSB executable SPARCV9 Version 1, UltraSPARC3 Extensions Required, dynamically linked, not stripped

Sun Studio Express 3/09 (-xtarget=ultraT2plus -m64):

    nsXX(root) named-new 543# /local/named-new/local/sbin/named -V
    BIND 9.6.1b1 built with '--prefix=/local' '--localstatedir=/var' '--with-openssl=/local/openssl' '--with-randomdev=/dev/urandom' '--enable-threads' '--with-libtool' '--enable-static=yes' '--disable-shared' '--sysconfdir=/etc/named' 'CC=/opt/StudioExpress/SSX0903/bin/cc' 'CFLAGS= -xtarget=ultraT2plus -m64' 'LDFLAGS= -xtarget=ultraT2plus -m64' 'CPPFLAGS= -xtarget=ultraT2plus -m64' 'CXX=/opt/StudioExpress/SSX0903/bin/CC' 'CXXFLAGS= -xtarget=ultraT2plus -m64'
    SunOS nsXX.xxx.xx 5.10 Generic_13-01 sun4v sparc SUNW,T5140 Solaris

BIND 9.4.3: Sun Studio 12: -fast -xtarget=ultraT1 -m64
BIND 9.6.0-P1: Sun Studio Express 11/08: -fast -xtarget=native64

I tried it on another server also, and the same thing happens: as soon as recursive clients pass 1000/default, out of memory messages start to flood the log.
Anyway: During the peak of the day our prod servers are around 700 recursive clients, so we are not affected by the 1000/default limit yet. But if we flush the cache we will have a problem (as always), since then suddenly there are +8000 recursive clients there within one second, and the number just grows until 5, and the server is jammed. Hence we try very hard not to flush the whole cache or restart BIND. I have asked before about that problem, but no solution has been found. But perhaps now, the 1000/default limit and out-of-memory might be the/one of the reasons for this.

Regards Jan Arild Lindstrom

At 22:41 25/03/2009, Doug Barton wrote: Jan Arild Lindstrøm wrote: Hi, more findings ... BIND 9.6.1b1 No matter what I set in named.conf, it starts to give out of memory when recursive clients pass 1000. I see that 1000 is the default value for recursive-clients.

Did you try backing up to 9.6.0-P1 to see if the same behavior exists there? Doug
FORMERR resolving AAAA/IN records
Dear list users, I have a bind 9.3 server on a centos 5.2 machine which logs huge (about 12 errors every second) quantities of FORMERR messages while trying to resolve AAAA/IN records, which look like this:

    Mar 25 08:44:24 myserver named[1124]: FORMERR resolving 'auniarael.com/AAAA/IN': 216.69.185.38#53

I'm a bit of a bind noob so I scoured the bind 9.3 ARM and the web looking for info which could help me understand what is going wrong. I found nothing of much use to me, apart from a thread on this list from 2006 in which Barry Finkel has a similar question. I followed the logging instructions he gives and solved the overfull /var/log problem, but I presume I still have these FORMERR problems occurring. Just for info, if it is of any use, in a log file from before modifying logging I had 1826550 lines of FORMERR, but of these only 275 unique addresses, so it's always the same requests and always the same errors... I don't think it's a recursion problem, I have restricted that to my networks. I only get these logs on this server, not on any of the others. I'd greatly appreciate it if someone could point me in the right direction to try and work out what is going wrong and fix it. Cheers,

-- Oliver Henriot B.Sc. Ph.D. | IT and Multimedia Maintenance Technician | UMS MI2S | http://mi2s.imag.fr/ Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15
Re: multi-named instance exist?
On Mar 26 2009, Kevin Darcy wrote: [...] The problems with using ps to find the named process include: -- you can get false matches if you don't tailor your string matching _just_right_, -- unexpectedly missed matches if the command-line arguments change, even a little bit (e.g. if someone bypasses the wrapper script on an emergency basis to start the process manually, with the arguments given perhaps in a different order), and -- since ps operates on a constantly-changing data source, it can miss legitimate processes in the process table. I've seen that happen many many times with ps on Solaris, not sure if Linux or other flavors of Unix have some sort of concurrency-control mechanism to prevent that phenomenon.

If you have a pgrep(1) command, use it rather than mucking around with ps(1). And if you haven't, consider switching to a Unix flavour that does... But this is getting off-topic for bind-users.

-- Chris Thompson Email: c...@cam.ac.uk
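A defensive version of the PID-file check this thread circles around (Doug's script, dev_n...'s kill -0 objection, Kevin's list of ps pitfalls and Chris's pgrep suggestion), written here as an added example and not code from any of the posters. It validates the PID file's content before using it, so a garbage or tampered file is never expanded into ps or kill arguments; it uses /proc where present, so a process we are not allowed to signal still counts as alive; and it compares the process's command name instead of grepping ps output, which is what catches a reused PID. The expected name "named" and the PID-file path are assumptions, and the demo PID file is constructed by the script itself.

```shell
#!/bin/sh
# Added example, not code from the thread: check a named PID file without
# trusting "kill -0" alone or grepping ps output.
# Return codes:
#   0  PID file names a live process whose command name is the expected one
#   1  PID file missing or unreadable
#   2  PID file content is not a plain positive integer
#   3  no process with that PID (stale file, e.g. left over from a crash)
#   4  a process exists but it is not the expected program (PID reused)

pidfile_check() {
    pidfile=$1
    expected=$2          # e.g. "named"; assumed to equal the process's comm name

    [ -r "$pidfile" ] || return 1

    # Take only the first line and strip whitespace, then insist on digits,
    # so a garbage or tampered file is never expanded into ps/kill arguments.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 2 ;;
    esac

    if [ -d "/proc/$$" ]; then
        # Linux-style procfs: works even for processes we are not allowed to
        # signal, where kill -0 would wrongly report "no such process".
        [ -d "/proc/$pid" ] || return 3
        actual=$(cat "/proc/$pid/comm" 2>/dev/null) || actual=""
    else
        kill -0 "$pid" 2>/dev/null || return 3
        actual=$(ps -o comm= -p "$pid" 2>/dev/null) || actual=""
    fi
    actual=${actual##*/}     # some ps implementations print a path

    [ "$actual" = "$expected" ] || return 4
    return 0
}

# Demo with a constructed PID file pointing at this shell itself.
demo_file=$(mktemp)
echo "$$" > "$demo_file"
demo_name=$(cat "/proc/$$/comm" 2>/dev/null || echo sh)
if pidfile_check "$demo_file" "$demo_name"; then
    echo "$demo_file: live '$demo_name' process, safe to treat as running"
else
    echo "$demo_file: check failed with status $?"
fi
rm -f "$demo_file"
```

A wrapper script would call `pidfile_check /var/run/named.pid named` and branch on the status: 0 means leave it alone, 3 or 4 mean the file is stale and can be removed before starting, and 2 deserves a look, because a PID file that does not contain a PID was written by something other than named.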
RE: Root Server Simulation Communication Problem
Ben, In that case, if I want an authoritative server and also a caching name server, is it fine if I place both functionalities together as a best practice of implementation? How about security issues? If I want to introduce one more server for the caching functionality alone, how will I separate both into two different servers? What changes will I be making in my abc.com server, and what configuration should there be for the new caching name server, so that my clients can do an external query?

Regards Mani

From: Ben Bridges [mailto:bbrid...@springnet.net] Sent: Tuesday, March 24, 2009 7:26 PM To: T MANIKANDAN-PKXR74; bind-users@lists.isc.org Subject: RE: Root Server Simulation Communication Problem

Mani, With recursion enabled, your abc.com server is both authoritative (for the zones configured in named.conf) and caching. If you want it to be purely authoritative, you'll need to disable recursion. But if you want to be able to query it for the root server (which is why you started this thread), you're going to have to allow recursion for at least your internal hosts because the server is not authoritative for ".". Why are you wanting to be able to query it for the root server? To want to be able to query a purely authoritative server for something for which it is not authoritative is a bit of a self-contradiction. Ben

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of T MANIKANDAN-PKXR74 Sent: Tuesday, March 24, 2009 12:52 AM To: bind-users@lists.isc.org Subject: RE: Root Server Simulation Communication Problem

Hi Ben, Thanks for the reply; now my root server (rootns.man) is responding to abc.com. After enabling recursion (yes) in the abc.com server, my question now is: is my abc.com still called an authoritative name server, or a caching name server? I intended to set up an authoritative name server, and hope that by enabling recursion I am still an authoritative server.
Regards Mani

From: Ben Bridges [mailto:bbrid...@springnet.net] Sent: Friday, March 20, 2009 8:35 PM To: T MANIKANDAN-PKXR74; bind-users@lists.isc.org Subject: RE: Root Server Simulation Communication Problem

You have recursion disabled on your abc.com server, and I believe that is preventing your query from succeeding. My understanding is that the contents of the root hints file are not stored in the server's cache (which means, I think, that they are not themselves returned in response to queries for those records). Since you have recursion disabled on abc.com, it is never using its root hints to query your root server (rootns.man) for the NS and A records for the root zone (which sounds obfuscated, but it is done that way because the root servers themselves have the most current list of servers for the root zone).

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of T MANIKANDAN-PKXR74 Sent: Friday, March 20, 2009 8:30 AM To: bind-users@lists.isc.org Subject: Root Server Simulation Communication Problem

Hi, I am trying to set up a lab which replicates the root server also (DNS with root server simulation for an intranet). Basically I have two servers, one abc.com as authoritative server and the other rootns.man acting as root server, running BIND 9 on both. I have done the following things in my named.conf file:

    options {
        directory "/var/named";
        recursion no;
    };
    zone "." {
        type hint;
        file "root";
    };
    zone "abc.com" IN {
        type master;
        file "forward";
    };
    zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "reverse";
    };

My root file (points to another DNS acting as root server, let us call it rootns.man):

    .            86400 IN NS rootns.man.
    rootns.man.  86400 IN A  1.2.3.4

My forward and reverse file:

    $TTL 3600
    @ IN SOA abc.com. root.abc.com. (
            42   ; serial
            3H   ; refresh
            15M  ; retry
Re: FORMERR resolving AAAA/IN records
    Mar 25 08:44:24 myserver named[1124]: FORMERR resolving 'auniarael.com/AAAA/IN': 216.69.185.38#53

The negative response includes the optional NS records. My custom named has logging that says: "FORMERR: NS name matches domain name." This new logging is not committed yet. If you have a good suggestion for improving this specific logging message, please let me know. (Maybe "It has a referral to itself."?) The comments in the lib/dns/resolver.c code (where this FORMERR is coming from) say:

    /*
     * We already know ns_name is a subdomain of fctx->domain.
     * If ns_name is equal to fctx->domain, we're not making
     * progress.  We return DNS_R_FORMERR so that we'll keep
     * trying other servers.
     */
PTR for localhost
Hello, In recent versions of Bind-9.6, is it needed to have a reverse config for localhost? For example:

    zone "0.0.127.IN-ADDR.ARPA" { type master; file "local.rev"; };

thanks.
Re: PTR for localhost
On 26.03.09 21:34, dev_n...@zoho.com wrote: In recent versions of Bind-9.6, is it needed to have a reverse config for localhost? For example:

    zone "0.0.127.IN-ADDR.ARPA" { type master; file "local.rev"; };

I think it's not, but it's always better to have it. However, the builtin default zone name is 127.in-addr.arpa and I prefer creating this one.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Warning: I do not want to receive any advertising mail at this address. Linux IS user friendly, it's just selective who its friends are...
RE: Root Server Simulation Communication Problem
Mani, That's a very general question, and I don't claim to be an expert on all aspects of dns security, so hopefully those who are will chime in on this point. I think most of those who are knowledgeable about dns would probably recommend separating your authoritative and caching servers, especially if you're a big dns shop hosting lots of domains, but I'm not sure if that's for security reasons or for performance reasons. If you're a small shop and host relatively few domains and you want to present the same records for public domains to both internal and external clients, then I personally don't see that it would hurt to make one server both authoritative and caching from a security standpoint. You'd want to be careful about allowing recursion to only your internal clients, of course, and you'd want to restrict access to private zones to only your internal clients (see below). If you want to have public and private views of the same zones (which is often the case), then it might be just as easy to have separate authoritative and caching servers.

If you want your abc.com server to be purely authoritative, then you'll want to restore your original recursion=no in the options. You should also move the 10.168.192.in-addr.arpa zone to your caching server. That's private address space, so you don't want to serve that data to internet hosts. (If you decide to make abc.com both authoritative and caching, you'll want to add an allow-query statement to that zone restricting it to only internal clients.)

For a caching server, the only zones you should need are the root hints zone and any zones you may have for internal clients (like 10.168.192.in-addr.arpa and internal versions of other zones like abc.com). You'd want allow-query and allow-recursion statements in your global options restricting queries and recursion to your internal clients. (I suppose you could use recursion=yes instead of allow-recursion { internal-clients; }, but allow-recursion seems safer to me.)
Ben

[...]
DNS forwarding not working properly?
OK, I've been trying my hardest to figure this out. I have BIND9 installed and set up as a slave to one of our Domain Controllers (so we can at least still get DNS if it were to go down). It works fine for transferring the zone file of our domain down, and from the server running BIND I can resolve hostnames of our local network machines along with outside names such as google.com (using nslookup, yeah I know it sucks). However, when I set up one of my Windows XP clients to use the new server for DNS, it can resolve local machine names fine when I run nslookup against it, but it gives me "Query refused" when trying to resolve an outside DNS name. I ran nslookup against the ISP's DNS IPs and can resolve the outside hostnames just fine, but for some reason I can't resolve them against the new DNS server. I have not made any modifications to /etc/bind/named.conf. Instead, I have put my configurations in /etc/bind/named.conf.local (since that is what the named.conf file says to do). Here is my /etc/bind/named.conf.local file (protected of course):

    zone "OURDOMAIN.COM" {
        type slave;
        masters { 192.168.1.22; 192.168.1.23; };
        file "OURDOMAIN.COM.db";
        allow-transfer { any; };
        allow-query { any; };
    };
    zone "192.168.in-addr.arpa" {
        type slave;
        masters { 192.168.1.22; 192.168.1.23; };
        file "192.168.in-addr.arpa.db";
        allow-transfer { any; };
        allow-query { any; };
    };

And my /etc/bind/named.conf.options:

    options {
        directory "/var/cache/bind";
        forwarders { 216.12.0.20; 216.12.48.23; };
        auth-nxdomain no;
        listen-on-v6 { any; };
    };

Again, this only seems to affect outside clients; I can run queries with nslookup just fine on the DNS server itself. Any help would be greatly appreciated. Kenny
Re: FORMERR resolving AAAA/IN records
In message 20090326141903.1917917...@britaine.cis.anl.gov, b19...@anl.gov writes: Oliver Henriot oliver.henr...@imag.fr wrote:

    dnsserver% !! dig auniarael.com @216.69.185.38

    ; <<>> DiG 8.3 <<>> auniarael.com @216.69.185.38
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      auniarael.com, type = AAAA, class = IN

    ;; AUTHORITY SECTION:
    .       1D IN SOA       cpns01.secureserver.net. dns.jomax.net. (
                            20080922        ; serial
                            8H              ; refresh
                            2H              ; retry
                            1W              ; expiry
                            1D )            ; minimum
    auniarael.com.  1H IN NS        cpns01.secureserver.net.
    auniarael.com.  1H IN NS        cpns02.secureserver.net.

    ;; Total query time: 62 msec
    ;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38  216.69.185.38
    ;; WHEN: Thu Mar 26 09:06:02 2009
    ;; MSG SIZE  sent: 31  rcvd: 157

Note this answer is internally self-inconsistent. AA=1 indicates the answer is authoritative, yet the authority section contains SOA and NS RRsets with different owners, with the SOA being higher in the namespace than the NS RRset. Even if AA=0 it would still be self-inconsistent, and the relationship between the SOA and NS RRsets is impossible in a well formed response.

Mark

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: PTR for localhost
On Mar 26 2009, Matus UHLAR - fantomas wrote: On 26.03.09 21:34, dev_n...@zoho.com wrote: In recent versions of Bind-9.6, is it needed to have a reverse config for localhost? For example:

    zone "0.0.127.IN-ADDR.ARPA" { type master; file "local.rev"; };

I think it's not, but it's always better to have it. However, the builtin default zone name is 127.in-addr.arpa and I prefer creating this one.

I prefer to use:

    zone "localhost" { type master; file "db.localhost"; };
    zone "1.0.0.127.in-addr.arpa" { type master; file "db.localhost-rev"; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" { type master; file "db.localhost-rev"; };

with just the two master files:

(db.localhost)

    ; Like empty zone, but modified for zone localhost
    @ 86400 SOA  localhost. . 0 28800 7200 604800 86400
    @     0 NS   localhost.
    @ 86400 A    127.0.0.1
    @ 86400 AAAA ::1

(db.localhost-rev)

    ; Like empty zone, but modified for reverse lookup of localhost (IPv4 or IPv6)
    @ 86400 SOA localhost. . 0 28800 7200 604800 86400
    @     0 NS  localhost.
    @ 86400 PTR localhost.

-- Chris Thompson Email: c...@cam.ac.uk
Re: DNS forwarding not working properly?
You need to enable recursion in options.

/Jonathan

2009/3/26 ARMSTRONG, KENNETH karmstr...@botetourtva.us: [...]
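As an added example (not configuration from Ben, Mani, Kenny or Jonathan), here are the two named.conf layouts Ben describes in the root-server thread: a purely authoritative abc.com server with recursion off, and a separate caching resolver that answers and recurses only for an internal ACL and is the only place the private 10.168.192.in-addr.arpa zone lives. Jonathan's one-line answer in this thread is the second file's recursion yes. The acl name "internal", the 192.168.10.0/24 prefix (matching Mani's reverse zone), the file names and the placeholder forwarder address are assumptions; allow-query-cache is a real BIND 9.4+ option, listed alongside allow-recursion because both control access to cached data.

```conf
// ===== named.conf on abc.com: purely authoritative (assumed layout) =====
options {
    directory "/var/named";
    recursion no;                  // answer only for zones we are authoritative for
    allow-query { any; };          // public zone data is meant to be public
    allow-transfer { none; };      // open AXFR only to your real secondaries
};

// No root hints needed: without recursion they would never be used.
zone "abc.com" IN {
    type master;
    file "forward";
};
// No private reverse zone here: 10.168.192.in-addr.arpa moves to the resolver.

// ===== named.conf on the internal caching resolver (assumed layout) =====
acl "internal" { 192.168.10.0/24; 127.0.0.1; };   // assumed lab network

options {
    directory "/var/cache/bind";
    recursion yes;                        // the line Kenny's server was missing
    allow-query       { internal; };      // outside hosts get REFUSED
    allow-query-cache { internal; };      // never hand cached data to outsiders
    allow-recursion   { internal; };      // same list, stated explicitly as Ben prefers
    // Optional: forward to upstream resolvers instead of iterating from the hints.
    // forwarders { 192.0.2.53; };        // placeholder address, replace with your own
};

zone "." IN { type hint; file "named.root"; };

// RFC 1918 space: serve it to internal clients only, never to the internet.
zone "10.168.192.in-addr.arpa" IN {
    type master;
    file "reverse";
    allow-query { internal; };
};
```

Run `named-checkconf` on each file before restarting (as Jeremy suggests later in this thread); a syntax error in exactly this part of the options block is what kept Kenny's named from starting at all.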
RE: DNS forwarding not working properly?
Thanks, I gave that a go and now when I run a query I get "No response from server" when running nslookup. I tried restarting bind and now I get the "rndc: connect failed: 127.0.0.1#953: connection refused" error. I then tried running rndc-confgen, and added the following to rndc.conf:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "stuff here";
    };
    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };

And created rndc.conf file with the following:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "stuff here";
    };

But I still get the connection failed error as above when I try to restart bind.

-Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jonathan Petersson Sent: Thursday, March 26, 2009 11:33 AM To: ARMSTRONG, KENNETH Cc: bind-users@lists.isc.org Subject: Re: DNS forwarding not working properly?

You need to enable recursion in options. /Jonathan

2009/3/26 ARMSTRONG, KENNETH karmstr...@botetourtva.us: [...]
Max. Number of char in a TXT Record
Hello, I have some questions: 1) Anybody know the maximum number of characters allowed in a TXT field? 2) What is the maximum number of includes inside a SFP field? Sorry for the bad English :( Thanks !
RE: DNS forwarding not working properly?
Aha! Thanks, checking the config showed that I had messed up my syntax at the recursion statement. I corrected that and was able to start bind, and now I can run nslookup on my XP clients to resolve other domains! Thanks to all for your help!! Kenny

-Original Message- From: Jeremy C. Reed [mailto:jeremy_r...@isc.org] Sent: Thursday, March 26, 2009 12:44 PM To: ARMSTRONG, KENNETH Cc: bind-users@lists.isc.org Subject: RE: DNS forwarding not working properly? On Thu, 26 Mar 2009, ARMSTRONG, KENNETH wrote: Thanks, I gave that a go and now when I run a query I get No response from server when running nslookup. I tried restarting bind and now I get the rndc: connect failed: 127.0.0.1#953: connection refused error. I then tried running rndc-confgen, and added the following to rndc.conf:

Is your named even running? Check your logs. Run named-checkconf.
Re: multi-named instance exist?
Rich Goodson wrote: If you're really looking to cover all bases, there's a little gotcha in Solaris (even in 10) that will make this startup script fail if it's invoked with sh (as most startup scripts that I've seen are).

Yeah, I was trying to avoid shell portability concerns to try to avoid veering off topic any more than necessary. :) Doug
Re: Max. Number of char in a TXT Record
Darvin Denmian wrote: Hello, I have some questions: 1) Anybody know the maximum number of characters allowed in a TXT field?

A simple question, but a complicated answer. You may have multiple strings in a single TXT record. Each string may be up to 255 characters in length, with a length byte indicating the size of the string's payload. I don't believe there is any arbitrary limitation on the number of strings in a TXT record, but the RDATA itself may not exceed 65535 bytes in total, which is comprised of both the length-bytes and payloads of all strings contained therein. That 64K limit is a general restriction on DNS records of all types, not specific to TXT records. Note that any DNS response which exceeds 512 bytes is slightly undesirable, since in the absence of EDNS0 (which the vast majority of -- but not all -- implementations honor these days), responses which exceed 512 bytes will signal truncation and prompt a retry via TCP. It's optimal to stay within 512 bytes if possible.

2) What is the maximum number of includes inside a SFP field?

I assume you mean SPF (Sender Policy Framework), the anti-SPAM(ming) mechanism (?) I'm no SPF expert but in glancing at the documentation it looks like there is no arbitrary limit on the number of includes. Since SPF records are stuffed into (one or more?) TXT records, the above limits in the answer to question #1 would apply. Maybe someone with better knowledge of and/or experience with SPF can confirm or deny.

- Kevin
NOTIFY from masters when slave provides several views
This question is related to the prior "Internal and External view on same slave server? - RESOLVED" thread, but seems to be a different situation in which the previous answer doesn't apply. I have 3 nameservers, which we'll call ns1, ns2, and ns3. These servers are primarily slave servers for stealth master servers (that last part shouldn't really matter). ns1, ns2, and ns3 operate with three views each - internal, customer, and external. Internal is for the ISP's infrastructure systems, customer is for customers (and allows recursion), and external is for the rest of the net (no recursion, just authoritative answers for the zones it serves). The master servers can be in address ranges covered by any of those views as well - the ISP's own zones come from a server in the internal view, most customer zones come from servers in the customer view, with a few coming from servers in the external view. Importantly, neither the masters nor ns1/2/3 have different zone data in different views - the answers are always the same.

As an example, if ns1 gets a NOTIFY for a slave zone from a master in an address covered by the customer view, it will do an xfer of the zone, but only for ns1's customer view. The internal and external views won't transfer until the expiry/refresh time for the zone fires.

Also important is that there are a *lot* of zones, and they all live in an external include file (which, itself, is a collection of smaller include files), which are all auto-generated from an external database. So it would be very difficult to change that. Also, most of the masters are on customer systems with a variety of nameserver versions, and asking them to add additional IP addresses (or indeed, make any changes at all) would also be very difficult.

What I'd like is some way to tell BIND that if it gets a NOTIFY for a zone, it should transfer that zone for all views, not just the matching view. The BIND versions in use are 9.6.0-P1 and 9.6.1b1.
Here's a censored example of the relevant parts of the named.conf file:

// The internal view allows everything
view internal in {
    match-clients { internal; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    // Root hints //
    zone "." { type hint; file "named.root"; };
    // snip... (internal-only zones removed from example)
    // Customer zones //
    include "includes.conf";
};

// The customer view allows everything too, but has a different name for
// statistics gathering purposes, and might have restrictions added later
view customer in {
    match-clients { customer; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    // Root hints //
    zone "." { type hint; file "named.root"; };
    // Customer zones //
    include "includes.conf";
};

// The external view allows queries of zones we serve, but not recursion
view external in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    // Root hints //
    zone "." { type hint; file "named.root"; };
    // Customer zones //
    include "includes.conf";
};

Terry Kennedy http://www.tmk.com te...@tmk.com New York, NY USA
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Max. Number of char in a TXT Record
On Thu, March 26, 2009 19:19, Kevin Darcy wrote:
>> 2) What is the maximum number of includes inside a SFP field?
>
> I assume you mean SPF (Sender Policy Framework), the anti-SPAM(ming) mechanism (?)
>
> I'm no SPF expert but in glancing at the documentation it looks like there is no arbitrary limit on the number of includes. Since SPF records are stuffed into (one or more?) TXT records, the above limits in the answer to question #1 would apply.

Kevin, it looks like you are correct. From the RFC:

   3.1.4. Record Size

   The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets. This will keep even older DNS implementations from falling over to TCP. Since the answer size is dependent on many things outside the scope of this document, it is only possible to give this guideline: If the combined length of the DNS name and the text of all the records of a given type (TXT or SPF) is under 450 characters, then DNS answers should fit in UDP packets. Note that when computing the sizes for queries of the TXT format, one must take into account any other TXT records published at the domain name. Records that are too long to fit in a single UDP packet MAY be silently ignored by SPF clients.

So, it appears that you can have as many includes in an SPF record as you wish, but it would be wise to keep the size of the SPF record below ~450 characters. There is lots of good SPF information at www.openspf.org

-Vince
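Two limits meet in this thread: a TXT RDATA is a sequence of <character-string>s of at most 255 octets each (RFC 1035), so a long SPF record has to be published as several quoted strings that SPF clients join back together, and the RFC text Vince quotes keeps the whole answer under the 512-octet UDP ceiling with its ~450-character rule of thumb. The following Python is an added example and not code from the posts: it splits text into 255-octet pieces, renders the zone-file line, applies the 450-character estimate to all TXT records at a name, and also computes the wire size of the UDP answer so the rule of thumb can be checked against the real limit. The owner names and record texts are constructed.

```python
"""Size checks for SPF text in TXT records. Added example, not code from the
thread. A TXT RDATA is a sequence of <character-string>s of at most 255
octets each (RFC 1035), so longer text is published as several quoted strings
that SPF clients join back together; RFC 4408 3.1.4 then asks that the owner
name plus all TXT text at the name stay under ~450 characters so the answer
fits a 512-octet UDP response. Names and texts below are constructed."""

MAX_CHARACTER_STRING = 255    # octets per <character-string> in TXT RDATA
UDP_PAYLOAD = 512             # classic DNS/UDP limit without EDNS
RFC4408_GUIDELINE = 450       # rule of thumb from RFC 4408 3.1.4


def split_txt_strings(text, limit=MAX_CHARACTER_STRING):
    """Cut text into pieces of at most `limit` octets. SPF is ASCII, so octets
    and characters coincide; anything else is rejected rather than miscounted."""
    data = text.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)] or [""]


def format_txt_rr(owner, text, ttl=3600):
    """Zone-file line for a TXT RR, one quoted string per 255-octet piece."""
    quoted = " ".join('"' + p.replace("\\", "\\\\").replace('"', '\\"') + '"'
                      for p in split_txt_strings(text))
    return f"{owner} {ttl} IN TXT {quoted}"


def rfc4408_estimate(owner, txt_texts):
    """RFC 4408 3.1.4 guideline: owner name length plus the text of *all* TXT
    records at that name. Returns (total_chars, within_guideline)."""
    total = len(owner) + sum(len(t) for t in txt_texts)
    return total, total < RFC4408_GUIDELINE


def udp_answer_size(owner, txt_texts):
    """Wire size of a UDP answer carrying every TXT record at `owner`:
    12-octet header, question section, then one RR per record with the owner
    compressed to a 2-octet pointer. Returns (octets, fits_in_512)."""
    name_wire = len(owner.rstrip(".")) + 2          # length octets replace dots, plus root
    size = 12 + name_wire + 4                        # header + QNAME + QTYPE/QCLASS
    for text in txt_texts:
        rdata = sum(1 + len(p) for p in split_txt_strings(text))  # one length octet per piece
        size += 2 + 10 + rdata                       # name pointer + TYPE/CLASS/TTL/RDLENGTH + RDATA
    return size, size <= UDP_PAYLOAD


if __name__ == "__main__":
    # Constructed records: a long SPF string plus a second, unrelated TXT at the same name.
    spf = "v=spf1 " + " ".join(f"include:_spf{i}.example.net" for i in range(12)) + " -all"
    other = "verification-token=" + "x" * 43
    print(format_txt_rr("example.com.", spf))
    print("guideline:", rfc4408_estimate("example.com", [spf, other]))
    print("wire size:", udp_answer_size("example.com", [spf, other]))
```

The second TXT record at the name counts, exactly as the RFC paragraph warns: a 400-character SPF string alone fits (411 by the guideline, 443 octets on the wire), while adding a 60-character verification record at the same name pushes it over both limits (471 and 516 octets).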
Re: NOTIFY from masters when slave provides several views
Hi Terry,

Each view has to be independently notified if an update takes place.

/Jonathan

On Thu, Mar 26, 2009 at 4:46 PM, terry+bindus...@tmk.com wrote:
> This question is related to the prior Internal and External view on same slave server? - RESOLVED thread, but seems to be a different situation in which the previous answer doesn't apply.
> [rest of the quoted message snipped]
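The view isolation Jonathan describes means a NOTIFY that arrives in one view refreshes only that view's copy of the zone; the other views keep serving the old serial until their own refresh timer fires. An added example (not code from the thread) of how a slave operator can detect and close that gap from the slave side, without asking the masters for anything: query the zone's SOA once per view and run `rndc refresh zone IN view` for the views that lag. It assumes the script runs on the slave host, that the host has one local address inside each view's match-clients range so `dig -b <addr>` makes the query land in that view, and it uses constructed zone names, addresses and dig output (marked as such in the code). It does not change how NOTIFY is dispatched; it only catches up the views that missed it.

```python
"""Detect views whose copy of a slave zone lags behind, and schedule a refresh
for just those views. Added example, not code from the thread. Assumptions:
it runs on the slave host, which has one local address inside each view's
match-clients range so `dig -b <addr>` lands in that view; zone name,
addresses and the sample dig output below are constructed."""
import shlex

ZONE = "example.net"                      # constructed zone name
VIEW_SOURCE_ADDRS = {                     # constructed: one local address per view
    "internal": "10.0.0.53",
    "customer": "192.0.2.53",
    "external": "198.51.100.53",
}


def dig_soa_command(zone, source_addr, server="127.0.0.1"):
    """Ask the local named for the SOA, from an address that selects the view."""
    return ["dig", "+short", "-b", source_addr, f"@{server}", zone, "SOA"]


def rndc_refresh_command(zone, view):
    """`rndc refresh zone [class [view]]` schedules an immediate refresh in one view."""
    return ["rndc", "refresh", zone, "IN", view]


def serial_from_soa(short_soa):
    """Serial field of `dig +short ... SOA` output:
    'mname rname serial refresh retry expire minimum'."""
    fields = short_soa.split()
    if len(fields) != 7:
        raise ValueError(f"not a +short SOA answer: {short_soa!r}")
    return int(fields[2])


def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is newer than b (modulo 2**32)."""
    a, b = a % 2**32, b % 2**32
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def lagging_views(serials):
    """serials: {view: serial or None (no answer)}. Return the views that are
    behind the newest serial seen in any view."""
    known = [s for s in serials.values() if s is not None]
    if not known:
        return {}
    newest = known[0]
    for s in known[1:]:
        if serial_gt(s, newest):
            newest = s
    return {v: s for v, s in serials.items() if s is None or serial_gt(newest, s)}


def plan_refreshes(zone, dig_outputs):
    """dig_outputs: {view: raw +short output}. Return the rndc commands to run."""
    serials = {v: serial_from_soa(out) if out.strip() else None
               for v, out in dig_outputs.items()}
    return [rndc_refresh_command(zone, v) for v in sorted(lagging_views(serials))]


# Constructed dig output: only the customer view saw the NOTIFY and transferred.
SAMPLE_DIG_OUTPUT = {
    "internal": "ns.master.example. hostmaster.master.example. 2009032501 3600 900 604800 86400",
    "customer": "ns.master.example. hostmaster.master.example. 2009032602 3600 900 604800 86400",
    "external": "ns.master.example. hostmaster.master.example. 2009032501 3600 900 604800 86400",
}

if __name__ == "__main__":
    # On a real slave, run each dig command and feed its stdout to plan_refreshes().
    for view, addr in VIEW_SOURCE_ADDRS.items():
        print(f"# {view}: {shlex.join(dig_soa_command(ZONE, addr))}")
    for cmd in plan_refreshes(ZONE, SAMPLE_DIG_OUTPUT):
        print(shlex.join(cmd))
```

Run it from cron on each slave; the serial comparison follows RFC 1982 so a serial that has wrapped is not mistaken for a stale one, and a view that returns no SOA at all is treated as lagging rather than ignored.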
config for views
Hello,

I want to configure named for two networks, using views. For example, neta is for internal users, netb is for any other users. I got the named.conf below, do you have any suggestion on it? Thanks.

options {
    directory "/usr/local/bind";
    recursion no;
    zone-statistics yes;
    statistics-file "/usr/local/bind/var/named.stats";
};

view neta {
    match-clients { someip; };
    zone "test.a.com" {
        type master;
        file "/usr/local/bind/etc/test.a.com.neta.db";
    };
};

view netb {
    match-clients { any; };
    zone "test.a.com" {
        type master;
        file "/usr/local/bind/etc/test.a.com.netb.db";
    };
};

key rndc-key {
    algorithm hmac-md5;
    secret "*";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
Re: config for views
dev_n...@zoho.com wrote:
> Hello, I want to configure named for two networks, using views. For example, neta is for internal users, netb is for any other users. I got the named.conf below, do you have any suggestion on it? Thanks.
> [quoted named.conf snipped]

That's the general idea, yes, but "someip" can't be used literally unless it's defined as an ACL somewhere else in the config, of course, and "recursion no" in options means that *neither* of these views can be used for your own clients (including perhaps the nameserver itself) to resolve any names outside of the test.a.com zone.

- Kevin
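Kevin's two corrections are the kind a configuration check can catch before named is restarted: every match-clients element must be a builtin ACL (any, none, localhost, localnets), an address or prefix, a key clause, or an acl defined elsewhere in the file, and `recursion no;` in options{} is inherited by every view that does not set recursion itself. The following Python is an added example, not code from the thread: a deliberately small named.conf reader (it strips comments and walks braces and semicolons, and does not know the full grammar) that reports both problems, run over the configuration posted above and over a corrected version. The acl range in the corrected version is constructed.

```python
"""Lint a named.conf for a match-clients entry naming an ACL that is never
defined, and for views that silently inherit `recursion no;` from options{}.
Added example; the parser is deliberately small (comments, braces, semicolons)
and does not implement the full named.conf grammar."""
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def _tokenize(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # /* */ comments
    text = re.sub(r"(//|#)[^\n]*", "", text)           # // and # comments
    return _TOKEN.findall(text)


def _parse(tokens, i=0):
    """Return (statements, next_index); a statement is (words, body_or_None)."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            body, i = _parse(tokens, i + 1)
            stmts.append((words, body))
            words = []
            if i < len(tokens) and tokens[i] == ";":
                i += 1
        elif tok == ";" or tok == "}":
            if words:
                stmts.append((words, None))
            words = []
            i += 1
            if tok == "}":
                return stmts, i
        else:
            words.append(tok)
            i += 1
    if words:
        stmts.append((words, None))
    return stmts, i


def _unquote(w):
    return w[1:-1] if len(w) >= 2 and w[0] == w[-1] == '"' else w


def _setting(body, name):
    """Value of a one-word setting such as `recursion yes;` inside a block."""
    for words, sub in body:
        if sub is None and len(words) == 2 and words[0] == name:
            return words[1]
    return None


def check_views(conf_text):
    """Return human-readable findings for undefined ACLs and inherited recursion no."""
    stmts, _ = _parse(_tokenize(conf_text))
    acls = {_unquote(w[1]) for w, b in stmts if b is not None and len(w) > 1 and w[0] == "acl"}
    opt = next((b for w, b in stmts if b is not None and w and w[0] == "options"), [])
    options_recursion = _setting(opt, "recursion")
    findings = []
    for words, body in stmts:
        if body is None or len(words) < 2 or words[0] != "view":
            continue
        view = _unquote(words[1])
        for w, b in body:
            if b is None or not w or w[0] != "match-clients":
                continue
            for elem, _ in b:
                if not elem or elem[0] == "key":            # `key name;` matches by TSIG key
                    continue
                name = _unquote(elem[0].lstrip("!"))        # '!' negates an element
                is_addr = name[0].isdigit() or ":" in name  # IPv4/IPv6 literal or prefix
                if name not in BUILTIN_ACLS and not is_addr and name not in acls:
                    findings.append(f"view {view}: match-clients uses undefined acl '{name}'")
        # BIND defaults to recursion yes; a value in options{} applies to every view
        # that does not set recursion itself, which is the surprise Kevin points out.
        if _setting(body, "recursion") is None and options_recursion == "no":
            findings.append(f"view {view}: recursion is off, inherited from options")
    return findings


# The configuration as posted (quotes restored), then a corrected version.
POSTED_CONF = """
options { directory "/usr/local/bind"; recursion no; zone-statistics yes;
          statistics-file "/usr/local/bind/var/named.stats"; };
view neta { match-clients { someip; };
            zone "test.a.com" { type master; file "/usr/local/bind/etc/test.a.com.neta.db"; }; };
view netb { match-clients { any; };
            zone "test.a.com" { type master; file "/usr/local/bind/etc/test.a.com.netb.db"; }; };
key rndc-key { algorithm hmac-md5; secret "*"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; };
"""
FIXED_CONF = """
acl neta { 10.0.0.0/8; localhost; };   // constructed range; localhost so named itself can recurse
options { directory "/usr/local/bind"; recursion no; zone-statistics yes;
          statistics-file "/usr/local/bind/var/named.stats"; };
view neta { match-clients { neta; }; recursion yes;   // internal users get a resolver
            zone "test.a.com" { type master; file "/usr/local/bind/etc/test.a.com.neta.db"; }; };
view netb { match-clients { any; }; recursion no;     // explicit: authoritative-only for everyone else
            zone "test.a.com" { type master; file "/usr/local/bind/etc/test.a.com.netb.db"; }; };
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, check_views(conf) or ["no findings"])
```

named-checkconf also rejects the undefined ACL, but it accepts the inherited `recursion no;` without comment, which is why the second check is worth automating; an explicit `recursion no;` inside a view is treated as a deliberate choice and not reported.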