Relevant RFC on A records for NS's
Someone pointed me to this: http://thednsreport.com/?domain=isc.org

I am not a huge fan of these checking tools, but this one has me curious. My domain of course has the same error, which is a little comforting, since I am in good company :)

What is this error asking of me? They are wanting, in my case, A records for NS's? I am pretty sure I have those, as does isc.org:

ns-ext.nrt1.isc.org.    3600    IN      A       192.228.90.19

So what in the world is this tool reporting?

-- 
Scott
* If you contact me off list replace talklists@ with scott@ *

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Relevant RFC on A records for NS's
When I clicked on that link the only error was an MNAME error. Did you see another error? (I wonder if it was a transient error you observed, because it appears different to yours.)

The error according to the report (run against isc.org):

  ERROR: Your SOA (Start of Authority) record states that your master (primary) name server is: ns-int.isc.org. That server is not listed at the parent servers, which is not correct.

$ dig soa isc.org +short
ns-int.isc.org. hostmaster.isc.org. 2009042800 7200 3600 24796800 3600

$ dig ns isc.org +short
ord.sns-pb.isc.org.
sfba.sns-pb.isc.org.
ns-ext.nrt1.isc.org.
ams.sns-pb.isc.org.

So the report states that the MNAME is not one of the listed name servers. This appears to be true.

Checking your domain: newgeo.com (did you mean this one or another?). The error is a different one.

Your name servers:

$ dig ns newgeo.com +short
ns1.nacio.com.
ns1.hostwizard.com.

Now the report wants to check each name server:

$ dig ns1.hostwizard.com @ns1.nacio.com +short
64.84.37.14

That worked.

$ dig ns1.nacio.com @ns1.hostwizard.com

; <<>> DiG 9.4.2-P2 <<>> ns1.nacio.com @ns1.hostwizard.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24774
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.nacio.com.                 IN      A

This one didn't.

So to answer your question "what is this error asking of me?": it wants ns1.hostwizard.com to reply as ns1.nacio.com did. Specifically, to answer an A record query for ns1.nacio.com.

On 30/4/09 10:12 AM, Scott Haneda talkli...@newgeo.com wrote:
> Someone pointed me to this: http://thednsreport.com/?domain=isc.org
>
> I am not a huge fan of these checking tools, but this one has me curious. My domain of course has the same error, which is a little comforting, since I am in good company :)
>
> What is this error asking of me? They are wanting, in my case, A records for NS's? I am pretty sure I have those, as does isc.org:
>
> ns-ext.nrt1.isc.org.    3600    IN      A       192.228.90.19
>
> So what in the world is this tool reporting?

-- 
Kal Feher
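The cross-check Kal does by hand above, written out as an added example (this is not code from the thread or from thednsreport.com): ask every listed name server for the A record of every listed name server and flag any answer that carries no address. Live use assumes BIND's `dig` is on PATH; the parser is also exercised on constructed dig output shaped like the replies quoted in the thread, so the script runs offline. The `fake_query` stand-in and the sample replies are constructed, not captured.

```python
"""Added example: repeat the "NS A records at nameservers" check with dig.
Live mode needs `dig` on PATH; the constructed samples below let the parser
and the cross-check run without any network access.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# status field of dig's header, e.g. ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24774"
_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# an A record in the ANSWER section, e.g. "ns1.hostwizard.com.  3600  IN  A  64.84.37.14"
_A_RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed samples: the REFUSED reply shown in the thread, and a NOERROR reply
# carrying the one address quoted in the thread (64.84.37.14).
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24774
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.nacio.com.\t\t\tIN\tA
"""
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.hostwizard.com.\t\tIN\tA

;; ANSWER SECTION:
ns1.hostwizard.com.\t3600\tIN\tA\t64.84.37.14

;; AUTHORITY SECTION:
hostwizard.com.\t\t3600\tIN\tNS\tns1.hostwizard.com.
"""


def parse_dig(output: str) -> Tuple[str, List[str]]:
    """Return (rcode, A addresses found in the ANSWER section) for one dig run."""
    match = _STATUS_RE.search(output)
    rcode = match.group(1) if match else "UNKNOWN"
    addresses: List[str] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other ";;" header closes the ANSWER section
            in_answer = False
            continue
        if in_answer:
            rr = _A_RR_RE.match(line)
            if rr:
                addresses.append(rr.group(2))
    return rcode, addresses


def run_dig(qname: str, server: str) -> str:
    """Live query. +norecurse avoids the 'recursion requested but not available' warning."""
    proc = subprocess.run(
        ["dig", "+norecurse", "+time=3", "+tries=1", qname, "A", "@" + server],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def cross_check(ns_names: List[str],
                query: Callable[[str, str], str] = run_dig) -> Dict[Tuple[str, str], Tuple[str, List[str]]]:
    """Ask each name server for the A record of each name server (itself included).
    Keys are (server asked, name asked about); values are (rcode, addresses)."""
    return {(server, target): parse_dig(query(target, server))
            for server in ns_names for target in ns_names}


def failures(results: Dict[Tuple[str, str], Tuple[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Every (server, target, rcode) where the server returned no address."""
    return [(server, target, rcode)
            for (server, target), (rcode, addresses) in results.items()
            if rcode != "NOERROR" or not addresses]


def fake_query(qname: str, server: str) -> str:
    """Offline stand-in for run_dig reproducing the thread: ns1.nacio.com answers
    for both names, ns1.hostwizard.com answers for itself and refuses the other."""
    if server == "ns1.nacio.com" or qname == server:
        return SAMPLE_OK
    return SAMPLE_REFUSED


def demo() -> List[Tuple[str, str, str]]:
    """The pair the tool complains about: hostwizard asked for nacio -> REFUSED."""
    return failures(cross_check(["ns1.nacio.com", "ns1.hostwizard.com"], fake_query))
```

Running `cross_check(names)` with the default `run_dig` does the live check. Note what the single failure means: ns1.hostwizard.com is not authoritative for nacio.com, so REFUSED for that name, with recursion off, is exactly what an authoritative-only server should answer. The check is only telling you something when the target name lies inside a zone the queried server actually serves.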
RE: request timeout
Original Message
Subject: Re: request timeout
From: JINMEI Tatuya / 神明達哉 jinmei_tat...@isc.org
Date: Wed, April 29, 2009 5:26 pm
To: Jeff Pang hostmas...@duxieweb.com
Cc: bind-users@lists.isc.org

> At Tue, 28 Apr 2009 00:42:29 -0700, Jeff Pang hostmas...@duxieweb.com wrote:
>> When a Bind requests another Bind for a name resolving, what's the timeout value for this request? I mean, within how many seconds peer Bind doesn't answer it, this Bind will give up the query?
>
> There are various types of timeouts. Could you be more specific about which one?

I mean the timeout for a bind to request to another authorised bind for an A record.

thanks.
Re: Relevant RFC on A records for NS's
On Apr 30, 2009, at 1:43 AM, Kal Feher wrote:
> When I clicked on that link the only error was an MNAME error. Did you see another error? (I wonder if it was a transient error you observed, because it appears different to yours.)
>
> The error according to the report (run against isc.org):
>
>   ERROR: Your SOA (Start of Authority) record states that your master (primary) name server is: ns-int.isc.org. That server is not listed at the parent servers, which is not correct.

I knew I should have taken a screen shot :) I consistently get a "No NS A Records at nameservers". Here is what I see:
http://dl.getdropbox.com/u/340087/Drops/04.30.09/isc.org-report-64e3ad8b-022856.jpg

For the sake of being thorough, here is mine, same error:
http://dl.getdropbox.com/u/340087/Drops/04.30.09/newgeo.com-report-53486995-022950.jpg

> $ dig soa isc.org +short

Well hey, that +short option is pretty nice, thanks!

> Checking your domain: newgeo.com (did you mean this one or another?). The

No, that one is relevant, though I suspect since this comes back to a NS, it is going to say that for all my zones.

> error is a different one.
>
> Your name servers:
>
> $ dig ns newgeo.com +short
> ns1.nacio.com.
> ns1.hostwizard.com.
>
> Now the report wants to check each name server:
>
> $ dig ns1.hostwizard.com @ns1.nacio.com +short
> 64.84.37.14
>
> That worked.
>
> $ dig ns1.nacio.com @ns1.hostwizard.com
>
> ; <<>> DiG 9.4.2-P2 <<>> ns1.nacio.com @ns1.hostwizard.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24774
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ns1.nacio.com.                 IN      A
>
> This one didn't.
>
> So to answer your question "what is this error asking of me?": it wants ns1.hostwizard.com to reply as ns1.nacio.com did. Specifically, to answer an A record query for ns1.nacio.com.

To make sure I understand, as I am finding the "No A record" error on average 80% of the random domains I am comparing against...

In my zone for hostwizard.com I would add in:

ns1.nacio.com.  IN  A  64.84.0.18

I am not sure I understand this. I am not in any way in control of ns1.nacio.com. They merely slave my server. They obviously have an A record for ns1.nacio.com, and can maintain and control that. I would be adding in an A record, pointing to an IP address, and now have to watch and maintain their IP space, to be sure that IP does not ever change. If it does change, and I am not on top of that, things are going to get a little wonky.

* Please refer to the screen shots in this email, I am going to toss in some test records now, so your results may not match up well if you do live testing.

-- 
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: Relevant RFC on A records for NS's
On Thu, 2009-04-30 at 19:38, Scott Haneda wrote:
> On Apr 30, 2009, at 1:43 AM, Kal Feher wrote:
>> When I clicked on that link the only error was an MNAME error. Did you see another error? (I wonder if it was a transient error you observed, because it appears different to yours.)
>>
>> The error according to the report (run against isc.org):
>>
>>   ERROR: Your SOA (Start of Authority) record states that your master (primary) name server is: ns-int.isc.org. That server is not listed at the parent servers, which is not correct.
>
> I knew I should have taken a screen shot :) I consistently get a "No NS A Records at nameservers"

That test suite is rather poor, I would never use it as a guide. Find another one; try:
http://www.nabber.org/projects/dnscheck/?domain=your.domain
Re: Relevant RFC on A records for NS's
I get the same error when checking my own domain. A check with dig results in proving that the tool is wrong.

Scott Haneda wrote:
> On Apr 30, 2009, at 1:43 AM, Kal Feher wrote:
>> When I clicked on that link the only error was an MNAME error. Did you see another error? (I wonder if it was a transient error you observed, because it appears different to yours.)
>>
>> The error according to the report (run against isc.org):
>>
>>   ERROR: Your SOA (Start of Authority) record states that your master (primary) name server is: ns-int.isc.org. That server is not listed at the parent servers, which is not correct.
>
> I knew I should have taken a screen shot :) I consistently get a "No NS A Records at nameservers". Here is what I see:
> http://dl.getdropbox.com/u/340087/Drops/04.30.09/isc.org-report-64e3ad8b-022856.jpg
>
> For the sake of being thorough, here is mine, same error:
> http://dl.getdropbox.com/u/340087/Drops/04.30.09/newgeo.com-report-53486995-022950.jpg
>
>> $ dig soa isc.org +short
>
> Well hey, that +short option is pretty nice, thanks!
>
>> Checking your domain: newgeo.com (did you mean this one or another?). The
>
> No, that one is relevant, though I suspect since this comes back to a NS, it is going to say that for all my zones.
>
>> error is a different one.
>>
>> Your name servers:
>>
>> $ dig ns newgeo.com +short
>> ns1.nacio.com.
>> ns1.hostwizard.com.
>>
>> Now the report wants to check each name server:
>>
>> $ dig ns1.hostwizard.com @ns1.nacio.com +short
>> 64.84.37.14
>>
>> That worked.
>>
>> $ dig ns1.nacio.com @ns1.hostwizard.com
>>
>> ; <<>> DiG 9.4.2-P2 <<>> ns1.nacio.com @ns1.hostwizard.com
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24774
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;ns1.nacio.com.                 IN      A
>>
>> This one didn't.
>>
>> So to answer your question "what is this error asking of me?": it wants ns1.hostwizard.com to reply as ns1.nacio.com did. Specifically, to answer an A record query for ns1.nacio.com.
>
> To make sure I understand, as I am finding the "No A record" error on average 80% of the random domains I am comparing against...
>
> In my zone for hostwizard.com I would add in:
>
> ns1.nacio.com.  IN  A  64.84.0.18
>
> I am not sure I understand this. I am not in any way in control of ns1.nacio.com. They merely slave my server. They obviously have an A record for ns1.nacio.com, and can maintain and control that. I would be adding in an A record, pointing to an IP address, and now have to watch and maintain their IP space, to be sure that IP does not ever change. If it does change, and I am not on top of that, things are going to get a little wonky.
>
> * Please refer to the screen shots in this email, I am going to toss in some test records now, so your results may not match up well if you do live testing.

-- 
Best regards
Sten Carlsen

No improvements come from shouting:
MALE BOVINE MANURE!!!
Re: Relevant RFC on A records for NS's
On Apr 30, 2009, at 2:44 AM, Noel Butler wrote:
> On Thu, 2009-04-30 at 19:38, Scott Haneda wrote:
>> On Apr 30, 2009, at 1:43 AM, Kal Feher wrote:
>>> When I clicked on that link the only error was an MNAME error. Did you see another error? (I wonder if it was a transient error you observed, because it appears different to yours.)
>>>
>>> The error according to the report (run against isc.org):
>>>
>>>   ERROR: Your SOA (Start of Authority) record states that your master (primary) name server is: ns-int.isc.org. That server is not listed at the parent servers, which is not correct.
>>
>> I knew I should have taken a screen shot :) I consistently get a "No NS A Records at nameservers"
>
> That test suite is rather poor, I would never use it as a guide. Find another one; try:
> http://www.nabber.org/projects/dnscheck/?domain=your.domain

The more people to tell me that the better. I have now been shown that URL from multiple clients of mine, all asking me to solve things for them, which I am near certain do not need solving, but the test itself is flawed. I just finally got around to asking this list, and getting a definitive answer.

Thank you all.

-- 
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: stop zone transfers from coming in
In article gt8lk3$1pe...@sf1.isc.org, Chris Henderson henders...@gmail.com wrote:
> My server works as a secondary for a zone. I asked the master server's admin to stop the zone transfer; I didn't get any reply and thus commented out the zone's section in my named.conf. But I'm still getting zone files coming in to my server. Here is what I have commented out:
>
> # zone example.com {
> #     type slave;
> #     file extra/example.com;
> #     masters {
> #         xxx.xxx.xx.xx;
> #     };
> # };
>
> I commented out for some other zones as well and they have stopped coming but not this one. How do I stop this?

Just asking the obvious, but have you reconfig'ed or restarted named since you made the change?

The other point is that master servers don't send zones, the slave server requests it. The master may send out notify messages to tell the slaves that a change has occurred and they should schedule a transfer, but the responsibility lies with the slave.

I'd also normally suggest you provide the real name of the zone and the addresses of the server, though it might not help in this case.

Sam
nsupdate delete question
Hi-

While invoking nsupdate within a program I notice that trying to delete a nonexistent host does not return an error. The same thing seems to happen from the command line, which I will show next.

[r...@mandy4 ccadns]# nslookup mandy11.example.com
Server:         204.62.134.38
Address:        204.62.134.38#53

** server can't find mandy11.example.com: NXDOMAIN

[r...@mandy4 ccadns]# nsupdate -d delete11
Sending update to 204.62.134.38#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 37857
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.                   IN      SOA

;; UPDATE SECTION:
mandy11.example.com.    0       ANY     A

;; TSIG PSEUDOSECTION:
mandy4.example.com.     0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 124107 300 16 blahblah== 37857 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 37857
;; flags: qr ra; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
mandy4.example.com.     0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 124107 300 16 blahblah== 37857 NOERROR 0

[r...@mandy4 ccadns]#
[r...@mandy4 ccadns]# cat delete11
key mandy4.example. blahblahblah
server mandy4.example.com
zone example.com
update delete mandy11.example.com a
send
[r...@mandy4 ccadns]#

As you can see from the nslookup, mandy11 does not exist within DNS, yet "nsupdate delete mandy11" seems to work. Am I missing something in the response section indicating an error? Or can you recommend another approach to avoid misleading a user into thinking his host was deleted properly?

Thanks for the help...

-Jim
Re: nsupdate delete question
On Apr 30 2009, James M wrote:
> While invoking nsupdate within a program I notice that trying to delete a nonexistent host does not return an error.

That's a result of the way that RFC 2136 defined update operations. Read section 3, and note in particular that errors are never generated in 3.4.2.

Sometimes this is a damn nuisance (one would really prefer BIND to give an error when trying to create an RR co-existing with a CNAME, for example, rather than ignoring the update), but not really in your case. Being able to delete RR(s) if they exist, but do nothing if they don't, is a perfectly reasonable requirement.

What you need to do is to add a prereq requiring the RRset to exist:

  prereq yxrrset mandy11.example.com A

or for it to have particular contents:

  prereq yxrrset mandy11.example.com A 192.168.255.42

before it is deleted.

-- 
Chris Thompson
Email: c...@cam.ac.uk
Re: nsupdate delete question
On Thu, 2009-04-30 at 10:18 -0400, James M wrote:
> trying to delete a nonexistent host does not return an error.

That seems reasonable to me, since the state of the zone file after the transaction is indeed the state which would be expected had the host been present and deleted.

If you need to ensure that there actually was a change to the state of the zone, you could specify a prerequisite in your transaction file, insisting that the RRset or label of interest is present before deletion. Something like this might do the trick:

key mandy4.example. blahblahblah
server mandy4.example.com
zone example.com
prereq yxrrset mandy11.example.com a
update delete mandy11.example.com a
send

IHTH

/Niall
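The RFC 2136 behaviour Chris and Niall describe, as an added example (not code from the thread, and not nsupdate or BIND): a small in-memory model of the prerequisite and update sections that accepts the nsupdate script syntax used above and returns the rcode a server would give for each "send". Key, server and zone lines are accepted and ignored, there is no TSIG and no network, and the zone contents, names and addresses are constructed for the demo; rdata matching is single-token, which is enough for A records.

```python
"""Added example: RFC 2136 section 3.2 (prerequisites) and 3.4.2 (updates)
modelled over a dict, to show why deleting a missing name is NOERROR and
how `prereq yxrrset` turns it into NXRRSET. Not a real server."""
from typing import Dict, List, Set, Tuple

Zone = Dict[Tuple[str, str], Set[str]]   # (owner name, rrtype) -> set of rdata strings


def _norm(name: str) -> str:
    """Lower-case and make absolute, as nsupdate does once the zone origin is known."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def check_prereqs(zone: Zone, prereqs: List[List[str]]) -> str:
    """Section 3.2: NOERROR, or the rcode of the first failing prerequisite."""
    for op, *args in prereqs:
        name = _norm(args[0])
        rtype = args[1].upper() if len(args) > 1 else ""
        rdata = set(args[2:])                        # single-token rdata only
        name_in_use = any(owner == name for owner, _ in zone)
        rrset = zone.get((name, rtype), set())
        if op == "yxdomain" and not name_in_use:
            return "NXDOMAIN"
        if op == "nxdomain" and name_in_use:
            return "YXDOMAIN"
        if op == "yxrrset" and (not rrset or (rdata and rrset != rdata)):
            # value-independent form: the RRset must exist;
            # value-dependent form: it must match the listed rdata exactly
            return "NXRRSET"
        if op == "nxrrset" and rrset:
            return "YXRRSET"
    return "NOERROR"


def apply_updates(zone: Zone, updates: List[List[str]]) -> None:
    """Section 3.4.2: adds merge into the RRset; deletes of missing data are silent no-ops."""
    for op, *args in updates:
        name = _norm(args[0])
        if op == "add":                              # update add NAME TTL TYPE RDATA
            rtype, rdata = args[2].upper(), " ".join(args[3:])
            zone.setdefault((name, rtype), set()).add(rdata)
        elif op == "delete":                         # update delete NAME [TYPE [RDATA]]
            rtype = args[1].upper() if len(args) > 1 else None
            rdata = " ".join(args[2:])
            for key in [k for k in zone if k[0] == name and rtype in (None, k[1])]:
                if rdata:
                    zone[key].discard(rdata)
                else:
                    zone[key].clear()
                if not zone[key]:
                    del zone[key]


def run_nsupdate_script(zone: Zone, script: str) -> List[str]:
    """Feed an nsupdate-style script to the model; one rcode per 'send'."""
    rcodes: List[str] = []
    prereqs: List[List[str]] = []
    updates: List[List[str]] = []
    for raw in script.splitlines():
        words = raw.split()
        if not words or words[0] in ("key", "server", "zone"):
            continue
        if words[0] == "prereq":
            prereqs.append(words[1:])
        elif words[0] == "update":
            updates.append(words[1:])
        elif words[0] == "send":
            rcode = check_prereqs(zone, prereqs)
            if rcode == "NOERROR":                   # the whole update is all-or-nothing
                apply_updates(zone, updates)
            rcodes.append(rcode)
            prereqs, updates = [], []
    return rcodes


# Constructed zone: mandy4 exists, mandy11 does not (as the nslookup in the thread shows).
SAMPLE_ZONE: Zone = {
    ("example.com.", "SOA"): {"mandy4.example.com. hostmaster.example.com. 1 7200 3600 24796800 3600"},
    ("mandy4.example.com.", "A"): {"204.62.134.38"},
}
DELETE_ONLY = "server mandy4.example.com\nzone example.com\nupdate delete mandy11.example.com a\nsend\n"
DELETE_WITH_PREREQ = ("server mandy4.example.com\nzone example.com\n"
                      "prereq yxrrset mandy11.example.com a\nupdate delete mandy11.example.com a\nsend\n")


def demo() -> Tuple[List[str], List[str]]:
    """Jim's script gives NOERROR; Niall's version with the prereq gives NXRRSET."""
    zone = {k: set(v) for k, v in SAMPLE_ZONE.items()}
    return run_nsupdate_script(zone, DELETE_ONLY), run_nsupdate_script(zone, DELETE_WITH_PREREQ)
```

With a real server the rcode comes back in the "Reply from update query" header that `nsupdate -d` prints, and nsupdate itself exits non-zero on anything but NOERROR, which is the signal a wrapper program should check.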
Zone transfers with views
I am trying to create three DNS slave servers with views for internal and external IPs. Each has an address in the DMZ and the firewall (actually a CSS) routes requests from the external IPs to the internal addresses. The correspondence is one-to-one:

  external.1 -- dmz.1
  external.2 -- dmz.2
  external.3 -- dmz.3

This seems to work fine as long as the CSS admin remembers the DNS server needs to see the actual source address of the request rather than some intermediate NAT'ed IP.

What I cannot figure out is how to configure the master server. Ideally it would use views too, but it has to be on an internal network and only the DMZ machines can reach it:

  dmz.1 -- master
  dmz.2 -- master
  dmz.3 -- master

All four of dmz.1, 2, 3 and master are on subnets considered internal. I tried using views on the master and I can get the slaves to transfer the internal or external zones but not both. If I configure the views to treat the internal and DMZ networks as internal, requests for an external zone are denied. If I change the configuration so internal and DMZ addresses are considered external, requests for the internal zones are denied.

All of the servers are running CentOS 5.3 with BIND version 9.3.4.

I've searched the net on the subject and I found lots of help getting views to work but little about getting zones transferred in a situation like the above. Is it even possible to do this with views? If not, is there a recommended solution?

-- 
Stephen Carville
Re: Zone transfers with views
Stephen Carville wrote:
> I am trying to create three DNS slave servers with views for internal and external IPs. Each has an address in the DMZ and the firewall (actually a CSS) routes requests from the external IPs to the internal addresses. The correspondence is one-to-one:
>
>   external.1 -- dmz.1
>   external.2 -- dmz.2
>   external.3 -- dmz.3
>
> This seems to work fine as long as the CSS admin remembers the DNS server needs to see the actual source address of the request rather than some intermediate NAT'ed IP.
>
> What I cannot figure out is how to configure the master server. Ideally it would use views too, but it has to be on an internal network and only the DMZ machines can reach it:
>
>   dmz.1 -- master
>   dmz.2 -- master
>   dmz.3 -- master
>
> All four of dmz.1, 2, 3 and master are on subnets considered internal. I tried using views on the master and I can get the slaves to transfer the internal or external zones but not both. If I configure the views to treat the internal and DMZ networks as internal, requests for an external zone are denied. If I change the configuration so internal and DMZ addresses are considered external, requests for the internal zones are denied.
>
> All of the servers are running CentOS 5.3 with BIND version 9.3.4.
>
> I've searched the net on the subject and I found lots of help getting views to work but little about getting zones transferred in a situation like the above. Is it even possible to do this with views? If not, is there a recommended solution?

Use TSIG keys to differentiate the views.

- Kevin
Re: Zone transfers with views
On Thu, Apr 30, 2009 at 10:20 AM, Kevin Darcy k...@chrysler.com wrote:
> Use TSIG keys to differentiate the views.

I'll give that a try. Thank you.

-- 
Stephen Carville
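Kevin's suggestion above, worked out as an added example (this is not configuration from the thread or from Stephen's servers): master and DMZ-slave named.conf fragments in which the TSIG key, not the source address, selects the view, so one slave can pull both views of a zone from one master. Key names, secrets, the `internal-nets` ACL and the addresses (master assumed to be 10.0.0.1, dmz.1 assumed to be 10.0.1.1) are placeholders.

```conf
// ---- master (internal network) ----
// One TSIG key per view. Generate the secrets with dnssec-keygen and keep them
// distinct: a client holding a key can reach exactly the view that key selects.
// hmac-md5 is what BIND 9.3 offers for TSIG; on 9.4 and later prefer hmac-sha256.
key "internal-xfer" { algorithm hmac-md5; secret "<base64 secret A>"; };
key "external-xfer" { algorithm hmac-md5; secret "<base64 secret B>"; };

acl "internal-nets" { 10.0.0.0/8; };               // placeholder: internal plus DMZ space

view "internal" {
    // a request signed with internal-xfer lands here whatever its source address;
    // one signed with external-xfer is refused here and falls through to the next view
    match-clients { key internal-xfer; !key external-xfer; internal-nets; };
    // sign NOTIFYs to the DMZ slave so they arrive in the slave's matching view
    server 10.0.1.1 { keys { internal-xfer; }; };  // dmz.1; repeat for dmz.2 and dmz.3
    zone "example.com" {
        type master;
        file "internal/example.com";
        allow-transfer { key internal-xfer; };
    };
};

view "external" {
    match-clients { key external-xfer; !key internal-xfer; any; };
    server 10.0.1.1 { keys { external-xfer; }; };
    zone "example.com" {
        type master;
        file "external/example.com";
        allow-transfer { key external-xfer; };
    };
};

// ---- each DMZ slave (same two key statements and acl as above) ----
view "internal" {
    match-clients { key internal-xfer; !key external-xfer; internal-nets; };
    // every SOA refresh and AXFR/IXFR this view sends to the master is signed
    // with the key that selects the master's "internal" view
    server 10.0.0.1 { keys { internal-xfer; }; };
    zone "example.com" {
        type slave;
        masters { 10.0.0.1; };
        file "slaves/internal-example.com";
    };
};

view "external" {
    match-clients { key external-xfer; !key internal-xfer; any; };
    server 10.0.0.1 { keys { external-xfer; }; };
    zone "example.com" {
        type slave;
        masters { 10.0.0.1; };
        file "slaves/external-example.com";
    };
};
```

The `!key` entries matter: without them an internal-network client that happens to hold the external key would still match the first view by address. Check the result with `dig @10.0.0.1 example.com AXFR -y hmac-md5:external-xfer:<secret>` from a DMZ host and confirm you get the external copy, and that the same transfer without a key is refused.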
Re: Scale BIND over multiple kernels effectively
At Thu, 30 Apr 2009 11:46:05 -0700, Jonathan Petersson jpeters...@garnser.se wrote:
> I've been running some dnsperf tests on a couple of servers I have resulting in some interesting behaviors.
> [...]
> Any input would be valuable, thanks!

Roughly summarizing (ignoring many details), what you showed is:

  2 threads on 2 cores:          45kqps
  4 threads on 4 cores:         108kqps
  8 threads on 4 cores + HT:     75kqps
  16 threads on 8 cores + HT:    35kqps

correct?

There are several possible explanations.

First, you may be using too many threads when you see lower performance. Even though recent versions of BIND9 try very hard to eliminate inter-thread contention, it cannot completely be free from some inherent overhead with the use of multiple threads, which could be revealed as you increase the number of threads. From my past experiences threaded BIND9 scales pretty well with at least up to 4 threads (on 4 cores), and I believe it also works well with an additional 1-2 threads. I'm not sure about 8 threads, and I've heard a report of performance degradation at around this number.

Second, again from my past personal experiences, HT never helped BIND9; rather, it often worsened the performance. I've not figured out why; if it really works as the manufacturer claims (e.g., using a single core efficiently with multiple threads when one thread stalls due to memory access), it could actually improve overall performance. But empirical experiments have always denied the theoretical positive effect. Note: I've not tried Intel's latest hyper threading (now called SMT), so my experience was limited to older versions of HT.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
TTLs on A records?
Hi All:

I'm running BIND 9.5.0-P1 / Fedora on my primary NS. Are TTLs on individual A records universally supported?

I have a domain with a TTL of 3h, and I wanted to route traffic between two servers in that domain quickly, so I set the TTL on the A record like:

www     300     A       123.123.123.123
;www    300     A       123.123.123.124

so I could uncomment one and comment the other to manually switch between them. I've had that setup for several weeks during testing...and I just reversed the records, incremented the serial, and reloaded BIND.

On my secondary NS (BIND 9.5.0-P1 / FreeBSD 7), when I dig the www record, I see the TTL counting down from 300 (Cool!), and after it reaches 0, the IP address resets to the new one. Perfect!

On my Windows DC (Server 2008), the change was also picked up after 5 minutes.

When I use some other lookup services, however (like samspade.org), the old IP address shows up for much longer...like it's caching it and ignoring the TTL for the record.

Should I expect that behavior?

TIA
Re: Scale BIND over multiple kernels effectively
Thanks for the feedback,

>   2 threads on 2 cores:          45kqps
>   4 threads on 4 cores:         108kqps
>   8 threads on 4 cores + HT:     75kqps
>   16 threads on 8 cores + HT:    35kqps
>
> correct?

yes

In light of this, is it possible to tell BIND how many threads it should utilize, or is it an ALL or ONE case?

/Jonathan
Re: Scale BIND over multiple kernels effectively
At Thu, 30 Apr 2009 15:41:03 -0700, Jonathan Petersson jpeters...@garnser.se wrote:
> In light of this, is it possible to tell BIND how many threads it should utilize, or is it an ALL or ONE case?

Do you mean the -n command line option?

usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
             [-p port] [-s] [-t chrootdir] [-u username]
             [-m {usage|trace|record|size|mctx}]

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: slave transfer problems
In article gtb6g9$bm...@sf1.isc.org, Scott Haneda talkli...@newgeo.com wrote:
> On Apr 29, 2009, at 5:03 PM, Barry Margolin wrote:
>> In article gtamqt$1k...@sf1.isc.org, Scott Haneda talkli...@newgeo.com wrote:
>>> like my machine, .14 is refusing their refresh request. Do I need to allow-recursion for their NS0?
>>
>> No, you shouldn't need allow-recursion. You might need allow-query, if you're not allowing to all.
>
> I do not have it set, and am not finding in the docs what the default is. I assume all, or my DNS would just not work?

Yes, the default is to allow all.

>>> 37.6, which named is not listening on, and get the above error?
>>
>> Try setting notify-source to xx.xx.37.14.
>
> Neat, I was not aware of that, so when my machine sends out a notify, it probably is using whatever IP it wants to, maybe the first; this would lock it down?

It uses the address of the outgoing interface that it uses to reach the slave that it's sending the notify to. If you have multiple IPs on the same interface, I'm not sure what the preference list is. But if you care, you should use that option.

>>> Those are the only two they gave me, but the general problem is, I can update a zone, change the serial, issue rndc reload, and see my logs show a notify sent their way. It can then take anywhere from a few minutes, to hours, to sometimes days to get the change to hit the secondary.
>>
>> Even if there's a problem with the notify, it shouldn't take much longer than the refresh time in the SOA record. I recommend setting this to something in the neighborhood of an hour, so that there isn't too much of a lag if the notify is lost.
>
> This is pretty par for the course template I use:
>
>                 200810011  ; serial, todays date + todays serial #
>                 8H         ; refresh
>                 2H         ; retry
>                 4W         ; expire
>                 1H )       ; minimum
>
> Are you saying to drop the 8H one down to 1H? I was pretty sure I followed RFC on the values above. That zone setting above means I am looking at 8 hours if the notify fails?

If things are set up properly, notify rarely fails, so most recommendations say to set the refresh time long. This is a good idea if the slave is slaving thousands of zones, so it doesn't spend all its time doing refreshes. But if it's a smaller slave, the overhead of refreshing is negligible, so there's no reason not to set it lower.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: TTLs on A records?
In article gtd8nt$1vd...@sf1.isc.org, online-reg online-...@enigmedia.com wrote:
> Hi All:
>
> I'm running BIND 9.5.0-P1 / Fedora on my primary NS. Are TTLs on individual A records universally supported?

They're supposed to be. Many DNS-based load balancing systems and services depend on it.

> I have a domain with a TTL of 3h, and I wanted to route traffic between two servers in that domain quickly, so I set the TTL on the A record like:
>
> www     300     A       123.123.123.123
> ;www    300     A       123.123.123.124
>
> so I could uncomment one and comment the other to manually switch between them. I've had that setup for several weeks during testing...and I just reversed the records, incremented the serial, and reloaded BIND.
>
> On my secondary NS (BIND 9.5.0-P1 / FreeBSD 7), when I dig the www record, I see the TTL counting down from 300 (Cool!), and after it reaches 0, the IP address resets to the new one. Perfect!

A slave server is authoritative, not caching, so it shouldn't count down the TTL at all. Or did you mean something else when you said "secondary NS"?

> On my Windows DC (Server 2008), the change was also picked up after 5 minutes.
>
> When I use some other lookup services, however (like samspade.org), the old IP address shows up for much longer...like it's caching it and ignoring the TTL for the record.
>
> Should I expect that behavior?

No. Maybe the web site itself is caching. Try querying your ISP's DNS.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***