Re: reverse zone file in external view not transferring to slaveserver??
Thanks guys, sorry, needed some down time to recharge my batteries - am gonna combine all answers into one lump mail :-)

Frank Pikelner wrote:
> Do your bind logs give any clues as to what is going on? On the master make sure you have read permission and the file is being loaded. On the slave it should be attempting a transfer.
>
> Frank Pikelner
>
> On 2009-12-01, at 6:21 PM, Kaya Saman samank...@netscape.net wrote:

Unfortunately the only place I can find anything to do with Bind log-wise is in /var/adm/messages; there is no specific /var/log/bind or named log like in Linux with my system, or it is in such a weird place I haven't found it yet! I've also tried looking for it several times but never managed to find it.

> What do you mean the Blastwave version? I've got BIND 9.6.0-P1 running on Solaris 9 with patches that are current as of Sept 2008... My version was, however, compiled on the machine it is running on though.
>
> See domain hicks-net.net or hicks-net.org... Two of my nameservers are external. I believe that the 'external' view transfers...

Gregory, http://www.blastwave.org/ is a pkg repo for Solaris/OpenSolaris, kind of similar to yum or apt-get for Linux. External views transfer but just not the reverse? But then since my network only has 1 single WAN IP I am trying to transfer everything internally through the intranet using local IP's and wondering if some issues could be there?

> type master; allow-transfer { other.servers.ip.addresses; }; perhaps? I tend to do options { ... allow-transfer {none;}; ... };

But this wouldn't explain why all the rest can transfer and the one zone can't.

> Have you made sure that the slaved copies for the internal view and the external view go to DIFFERENT files? Otherwise they overwrite each other and strange timing effects occur. Just thoughts.

Joseph, yes, definitely they are going to different files, as I have 14 different zone files, 7 in each 'view' - with 13 files getting transferred..
I don't know if there's any way to start Bind verbosely or alternatively a command that will check the zone transfers? I only have these available to me:

    bash-2.05# ls /opt/csw/sbin
    dnssec-dsfromkey     dnssec-signzone   named             named-compilezone   sasldblistusers2   wget.static
    dnssec-keyfromlabel  logwatch          named-checkconf   rndc                saslpasswd2
    dnssec-keygen        lwresd            named-checkzone   rndc-confgen        squid

Is one of these capable?

--Kaya

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: zone vs domain
In article mailman.1146.1259697520.14796.bind-us...@lists.isc.org, Doug Barton do...@dougbarton.us wrote:

> gmspro wrote:
>> What's the main difference between zone and domain?
>
> In what context? Unfortunately both terms get used by various people/vendors in different ways. A little more detail is needed to answer your question (although if you're talking strictly DNS terms Chris' answer was quite detailed).

In the context of a DNS-centred newsgroup/mailing list Chris' answer was excellent. Whether the original author was asking about the DNS is, of course, slightly open to question. Unfortunately, as you imply, computing, and network related fields in particular, are full of multivalued terms. They have to be disambiguated by referring to their particular, errm, domain.

Sam
Re: Parent is a CNAME
In article mailman.1153.1259725836.14796.bind-us...@lists.isc.org, Joseph S D Yao j...@tux.org wrote:

> On Tue, Dec 01, 2009 at 04:59:16PM -0800, Hans Jacobsen wrote:
>> If a.stanford.edu is a cname (say to b.stanford.edu) can I delegate subdomain.a.stanford.edu? Are there documents that point to this being an ok or bad practice? I know all records for a.stanford.edu are relegated to records for b.stanford.edu. What about subdomains?
>
> No. The domain that has a CNAME must never appear on the left-hand side of another record.

Not true. CNAME chains - CNAMEs pointing to other CNAMEs - are inefficient and discouraged but the DNS spec is built to ensure that they work. Check out www.google.com sometime (or www.google.co.uk) and wonder at how many people would be annoyed if they didn't.

> If you delegate, the domain appears on the left side of NS records. If you delegate there is ambiguity because there are CNAME and other records. A CNAME says all the information about this name can be found attached to that other name over there. If you include the domain in a declaration in the same zone, it still is on the left side of a record - just not alone.
>
>     a                CNAME   b
>     ; Delegate a - WRONG
>     a                NS      ns1                 [WRONG]

Correct.

>     ; Use a on LHS - WRONG
>     subdomain.a      A       7.8.9.10            [WRONG]
>     subdomain.a      NS      ns1.subdomain.a     [WRONG]
>     ns1.subdomain.a  A       7.9.11.13           [WRONG]

As Chris Buxton points out, these will actually work though not in the form you've given them. The A record for subdomain.a needs to be in the subdomain.a child zone and the A record for ns1 must be in the child zone but may also need to be in the current zone as glue. We use the same kind of convention Chris describes for naming our routers - look up kb6.net.ed.ac.uk, say. We've been doing it for years.

> Why not do this?
>
>     subdomain.b      A       7.8.9.10
>     subdomain.b      NS      ns1.subdomain.b
>     ns1.subdomain.b  A       7.9.11.13

If b was itself delegated the CNAME would be problematical again.

Sam
Disable Refused answer
Hello! I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
Re: Feature request - disable internal recursion cache
I found the answer for my feature request - a simple C proxy: http://www.wolfermann.org/dnsproxy.html It can forward queries to an auth or recursion server, based on client IPs. FreeBSD port: /usr/ports/dns/dnsproxy/
Re: Feature request - disable internal recursion cache
On Wed, Dec 2, 2009 at 9:43 AM, Dmitry Rybin kirg...@corbina.net wrote:
> I found the answer for my feature request - a simple C proxy: http://www.wolfermann.org/dnsproxy.html It can forward queries to an auth or recursion server, based on client IPs.

What if one of your access customers is running their own DNS server? It seems like dnsproxy would be much more useful if it performed its query routing based on the RD bit.

-- Dave
Re: Feature request - disable internal recursion cache
Dmitry Rybin wrote:
> I found the answer for my feature request - a simple C proxy: http://www.wolfermann.org/dnsproxy.html It can forward queries to an auth or recursion server, based on client IPs.

So, what does a dnsproxy approach accomplish that can't be achieved with fewer processes, and fewer listening ports/addresses, by BIND's view feature? You can have one view for recursive resolution, and another view that's only authoritative data, with no recursion at all, and select the view depending on the client source address. This is, in fact, how many folks (including us) run their Internet-facing nameservers these days. Perhaps this is why the dnsproxy code hasn't been updated in over 4 years. It would appear to be obsolete.

- Kevin
Re: Parent is a CNAME
I apologise, I should have tested - I appear to have been laboring under a misconception and false mental model. I will check my resources to see why I thought this.

-- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: reverse zone file in external view not transferring to slaveserver??
On Wed, Dec 02, 2009 at 10:02:45AM +0200, Kaya Saman wrote:
...
> Joseph, yes definitely they are going to different files as I have 14 different zone files 7 in each 'view' - with 13 files getting transferred..
...

This is good. But bad, in that it would have been an easy solution. This whole problem sounds vaguely familiar, but I just can't catch the pointer to the memory and the solution ... just out of reach ...

...
> I don't know if there's any way to start Bind verbosely or alternatively a command that will check the zone transfers?
...

Look up the logging clause in named.conf. There's a lot, and I don't remember anywhere near all of it, so referring you to the documentation is best, but ask if you need help. E.g.:

    // logging clause - who, what, where, why, when, how, how long?
    logging {
        channel querylog {
            file "/var/log/named/query.log" versions 15 size 25m;
            // severity debug;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel securlog {
            file "/var/log/named/security.log" versions 15 size 25m;
            // severity debug 9;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel all {
            file "/var/log/named/named.log" versions 15 size 25m;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        category queries { querylog; };
        category security { securlog; };
        category lame-servers { null; };  // ignore
        category default { all; };
    };

-- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: Parent is a CNAME
On Wed, Dec 02, 2009 at 12:47:08PM +, Sam Wilson wrote:
> In article mailman.1153.1259725836.14796.bind-us...@lists.isc.org, Joseph S D Yao j...@tux.org wrote:
>> [incorrectly] No. ...
>
> Not true. CNAME chains - CNAMEs pointing to other CNAMEs - are inefficient and discouraged but the DNS spec is built to ensure that they work. Check out www.google.com sometime (or www.google.co.uk) and wonder at how many people would be annoyed if they didn't.

CNAME chains have nothing to do with this. THIS is perfectly legal:

    a  CNAME  b
    b  CNAME  c
    c  CNAME  d
    d  CNAME  extra-ordinary

although, as mentioned, inefficient. THIS is not legal:

    a  CNAME  b
    a  CNAME  c
    a  A      1.1.1.1

...
>> Why not do this?
>>
>>     subdomain.b      A   7.8.9.10
>>     subdomain.b      NS  ns1.subdomain.b
>>     ns1.subdomain.b  A   7.9.11.13
>
> If b was itself delegated the CNAME would be problematical again.
...

And if all the name servers crashed, then the domain would be unserved. Why introduce unnecessary hypotheticals? ;-) And, as pointed out in another post, the CNAME does not appear to be problematic in this case, even were it to exist.

-- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: Parent is a CNAME
In article mailman.1165.1259775639.14796.bind-us...@lists.isc.org, Joseph S D Yao j...@tux.org wrote:

> On Wed, Dec 02, 2009 at 12:47:08PM +, Sam Wilson wrote:
>> In article mailman.1153.1259725836.14796.bind-us...@lists.isc.org, Joseph S D Yao j...@tux.org wrote:
>>> [incorrectly] No. ...
>>
>> Not true. CNAME chains - CNAMEs pointing to other CNAMEs - are inefficient and discouraged but the DNS spec is built to ensure that they work. Check out www.google.com sometime (or www.google.co.uk) and wonder at how many people would be annoyed if they didn't.
>
> CNAME chains have nothing to do with this. THIS is perfectly legal:
>
>     a  CNAME  b
>     b  CNAME  c
>     c  CNAME  d
>     d  CNAME  extra-ordinary

I think he misunderstood you to be saying that the name that has a CNAME can never appear on the *righthand* side of a RR. This is true for records like MX and NS -- they mustn't point to aliases. CNAME chains are the exception to this rule.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: Disable Refused answer
In article mailman.1159.1259764844.14796.bind-us...@lists.isc.org, Dmitry Rybin kirg...@corbina.net wrote:

> Hello! I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?

What do you expect it to do instead? Not respond at all?

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: Parent is a CNAME
In article mailman.1165.1259775639.14796.bind-us...@lists.isc.org, Joseph S D Yao j...@tux.org wrote:

> On Wed, Dec 02, 2009 at 12:47:08PM +, Sam Wilson wrote:
>> In article mailman.1153.1259725836.14796.bind-us...@lists.isc.org, Joseph S D Yao j...@tux.org wrote:
>>> [incorrectly] No. ...
>>
>> Not true. CNAME chains - CNAMEs pointing to other CNAMEs - are inefficient and discouraged but the DNS spec is built to ensure that they work. Check out www.google.com sometime (or www.google.co.uk) and wonder at how many people would be annoyed if they didn't.
>
> CNAME chains have nothing to do with this. THIS is perfectly legal:
>
>     a  CNAME  b
>     b  CNAME  c
>     c  CNAME  d
>     d  CNAME  extra-ordinary
>
> although, as mentioned, inefficient.

My bad - I read your initial statement as banning names with CNAME records from the RHS of other RRs, not from the LHS, and I was offering a counterexample.

> THIS is not legal:
>
>     a  CNAME  b
>     a  CNAME  c
>     a  A      1.1.1.1

To be pedantic, the first alone is legal, but once that exists neither the second nor the third is legal.

> ...
>>> Why not do this?
>>>
>>>     subdomain.b      A   7.8.9.10
>>>     subdomain.b      NS  ns1.subdomain.b
>>>     ns1.subdomain.b  A   7.9.11.13
>>
>> If b was itself delegated the CNAME would be problematical again.
> ...
>
> And if all the name servers crashed, then the domain would be unserved. Why introduce unnecessary hypotheticals? ;-)

Because you introduced a delegation for a and I wanted to head off the idea that you could delegate b and then point a to it as a CNAME. You'd need to use DNAME in that situation.

> And, as pointed out in another post, the CNAME does not appear to be problematic in this case, even were it to exist.

Indeed.

Sam
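As an added example (not code from the thread or from BIND), the following checker applies the two CNAME rules the thread settles on to constructed, simplified zones: a name that owns a CNAME may own nothing else (the LHS rule, with DNSSEC's RRSIG/NSEC as the standard exception), and NS or MX targets must not be aliases (the RHS rule Barry names); CNAME chains pass, and so does Hans's case of delegating a child of an alias, since the child records live under a different owner name.

```python
from collections import Counter, defaultdict

# Each record is (owner, type, rdata); owner names are relative to the zone apex.
DNSSEC_BESIDE_CNAME = {"RRSIG", "NSEC", "NSEC3"}   # may sit beside a CNAME (RFC 4035)
NO_ALIAS_TARGET = {"NS", "MX"}                     # their targets must be canonical names

def check_cname_rules(records):
    """Return a list of rule violations found in a simplified zone."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    cname_count = Counter(owner for owner, rtype, _ in records if rtype == "CNAME")
    aliases = set(cname_count)

    problems = []
    # LHS rule: an alias owns nothing but its single CNAME (plus DNSSEC records).
    for owner in sorted(aliases):
        others = sorted(types_by_owner[owner] - {"CNAME"} - DNSSEC_BESIDE_CNAME)
        if others:
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
        if cname_count[owner] > 1:
            problems.append(f"{owner}: {cname_count[owner]} CNAME records, only one allowed")
    # RHS rule: NS and MX must name a real host, not an alias.
    for owner, rtype, rdata in records:
        if rtype in NO_ALIAS_TARGET:
            target = rdata.split()[-1]          # MX rdata is "<preference> <host>"
            if target in aliases:
                problems.append(f"{owner} {rtype} -> {target}: target is an alias")
    return problems

# Constructed zones mirroring the cases in the thread.
CNAME_CHAIN = [("a", "CNAME", "b"), ("b", "CNAME", "c"),
               ("c", "CNAME", "d"), ("d", "CNAME", "extra-ordinary")]
MULTI_AT_ALIAS = [("a", "CNAME", "b"), ("a", "CNAME", "c"), ("a", "A", "1.1.1.1")]
DELEGATE_ALIAS = [("a", "CNAME", "b"), ("a", "NS", "ns1"), ("ns1", "A", "192.0.2.1")]
CHILD_OF_ALIAS = [("a", "CNAME", "b"), ("subdomain.a", "NS", "ns1.subdomain.a"),
                  ("ns1.subdomain.a", "A", "7.9.11.13")]
DELEGATE_TARGET = [("subdomain.b", "A", "7.8.9.10"), ("subdomain.b", "NS", "ns1.subdomain.b"),
                   ("ns1.subdomain.b", "A", "7.9.11.13")]
MX_TO_ALIAS = [("a", "CNAME", "b"), ("b", "A", "192.0.2.2"), ("@", "MX", "10 a")]

if __name__ == "__main__":
    for name, zone in [("chain", CNAME_CHAIN), ("multi", MULTI_AT_ALIAS),
                       ("delegate-alias", DELEGATE_ALIAS), ("child-of-alias", CHILD_OF_ALIAS),
                       ("delegate-target", DELEGATE_TARGET), ("mx-to-alias", MX_TO_ALIAS)]:
        print(name, check_cname_rules(zone) or "ok")
```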
Re: reverse zone file in external view not transferring to slaveserver??
On Thu, Dec 03, 2009 at 12:59:51AM +0200, Kaya Saman wrote:
...
> I just hope this doesn't take up many CPU cycles and memory as the debug commands do in Cisco devices rendering them almost unusable in a fully setup network environment.
...

I'm glad the logging helped! Query logging can take a lot of space - look up whether the default is for the server to not log queries, and how and why it switches over. I remember it can be done manually, but ISTM there are other reasons it switches.

-- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: reverse zone file in external view not transferring to slaveserver??
Joseph S D Yao wrote:
> On Thu, Dec 03, 2009 at 12:59:51AM +0200, Kaya Saman wrote:
> ...
>> I just hope this doesn't take up many CPU cycles and memory as the debug commands do in Cisco devices rendering them almost unusable in a fully setup network environment.
> ...
>
> I'm glad the logging helped! Query logging can take a lot of space - look up whether the default is for the server to not log queries, and how and why it switches over. I remember it can be done manually, but ISTM there are other reasons it switches.

Thank you so much for all the help!! I think however I should turn this off as I only have a 4.3GB HD in the machine.. The reality of the situation is that I need another WAN IP address. Without it I can't really do much, as having a secondary DNS server is impossible. Am just holding off for now as, depending on how things go for myself, I may soon move the whole network infrastructure to the country I am in now, being Turkey, rather than keeping things going in the UK.

Phew, that's sorted and understood :-)

Best Regards,

Kaya
Re: reverse zone file in external view not transferring to slaveserver??
Major thanks Joseph

Added below:

    // logging clause - who, what, where, why, when, how, how long?
    logging {
        channel querylog {
            file "/var/log/named/query.log" versions 15 size 25m;
            // severity debug;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel securlog {
            file "/var/log/named/security.log" versions 15 size 25m;
            // severity debug 9;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel all {
            file "/var/log/named/named.log" versions 15 size 25m;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        category queries { querylog; };
        category security { securlog; };
        category lame-servers { null; };  // ignore
        category default { all; };
    };

with addition of this:

    category xfer-out { default_syslog; default_debug; };

Inside the logging statement! The response I got below:

    03-Dec-2009 00:52:20.105 general: info: zone 2.178.81.in-addr.arpa/IN/external: refresh: non-authoritative answer from master 192.168.1.100#53 (source 0.0.0.0#0)

This is for my slave server! I think it's because the authoritative answer is coming off my ISP; however, if the zone file is valid it should be authoritative, and irrelevant whoever else has the zone, to my understanding anyway. - oh hang on, on second thought of course it's not authoritative due to the IP address that's sending the information! I believe that's been my issue all along. Now however I really do like the log output as I can actually see what's going on :-) I just hope this doesn't take up many CPU cycles and memory as the debug commands do in Cisco devices rendering them almost unusable in a fully setup network environment.

--Kaya
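As an added example (not code from the thread or from BIND), here is a parser for the line format that the logging clause above produces with print-time, print-category and print-severity, plus a pass that pulls out zone-transfer trouble from it. SAMPLE_LOG[0] is the line from the post; the other three lines are constructed samples in the same format (a completed transfer, a denied outbound transfer, and a REFUSED from the master), so the wording of those messages is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<time>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$"
)
# "<zone>/<class>[/<view>]" as named prints it, e.g. 2.178.81.in-addr.arpa/IN/external
ZONE_RE = re.compile(r"(?P<zone>[\w.-]+)/(?P<class>IN|CH|HS)(?:/(?P<view>[\w-]+))?")
PEER_RE = re.compile(r"(?:master|client) (?P<peer>\d[\d.]*#\d+)")
RCODE_RE = re.compile(r"unexpected rcode \((\w+)\)")

@dataclass
class LogEvent:
    time: str
    category: str
    severity: str
    zone: Optional[str]
    view: Optional[str]
    peer: Optional[str]
    msg: str

def parse_line(line: str) -> Optional[LogEvent]:
    """Split one named log line into fields; None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    z = ZONE_RE.search(m["msg"])
    p = PEER_RE.search(m["msg"])
    return LogEvent(m["time"], m["category"], m["severity"],
                    z["zone"] if z else None, z["view"] if z else None,
                    p["peer"] if p else None, m["msg"])

def transfer_problems(lines):
    """Return (zone, view, reason) for each line that signals a transfer problem."""
    problems = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.zone is None:
            continue
        if "non-authoritative answer from master" in ev.msg:
            reason = f"non-authoritative master {ev.peer}"   # the case in the thread
        elif "zone transfer" in ev.msg and ev.msg.endswith("denied"):
            reason = f"transfer denied to client {ev.peer}"   # AXFR from a host outside allow-transfer
        elif (m := RCODE_RE.search(ev.msg)):
            reason = f"master {ev.peer} answered {m[1]}"
        else:
            continue                                          # e.g. "Transfer completed"
        problems.append((ev.zone, ev.view, reason))
    return problems

SAMPLE_LOG = [  # first line from the post, the rest constructed
    "03-Dec-2009 00:52:20.105 general: info: zone 2.178.81.in-addr.arpa/IN/external: refresh: "
    "non-authoritative answer from master 192.168.1.100#53 (source 0.0.0.0#0)",
    "03-Dec-2009 00:52:21.010 xfer-in: info: transfer of '2.178.81.in-addr.arpa/IN/internal' from "
    "192.168.1.100#53: Transfer completed: 1 messages, 12 records, 380 bytes, 0.001 secs",
    "03-Dec-2009 00:53:05.400 security: error: client 192.0.2.7#40123: zone transfer "
    "'2.178.81.in-addr.arpa/IN/external' denied",
    "03-Dec-2009 00:55:00.000 general: info: zone 2.178.81.in-addr.arpa/IN/external: refresh: "
    "unexpected rcode (REFUSED) from master 192.168.1.100#53 (source 0.0.0.0#0)",
]
```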
inverse query:PTR RR or OPCODE=1 ?
When I read RFC 1035, I noticed the opcode definition in the DNS message header. It said that when opcode = 1 the message is an inverse query. But in the packet I captured when I used nslookup to do an inverse query, the inverse query packet used opcode = 0 and the question section with RR TYPE PTR. Can someone explain this? Am I wrong in my understanding of the inverse query? Thanks a lot.

-- "Colour for Love" public welfare campaign
Re: inverse query:PTR RR or OPCODE=1 ?
On Thu, Dec 03, 2009 at 10:42:38AM +0800, lipeng967 wrote:
> When I read RFC 1035, I noticed the opcode definition in the DNS message header. It said that when opcode = 1 the message is an inverse query. But in the packet I captured when I used nslookup to do an inverse query, the inverse query packet used opcode = 0 and the question section with RR TYPE PTR. Can someone explain this? Am I wrong in my understanding of the inverse query? Thanks a lot.

Note that 6.4 (inverse queries) was optional, and read 3.5 (in-addr.arpa), which is about REVERSE (not inverse) DNS as it is used today. With some additions and changes: the RFCs are living documents. RFC 3425 obsoletes inverse queries entirely:

    The IQUERY method of performing inverse DNS lookups, specified in RFC 1035, has not been generally implemented and has usually been operationally disabled where it has been implemented. Both reflect a general view in the community that the concept was unwise and that the widely-used alternate approach of using pointer (PTR) queries and reverse-mapping records is preferable. Consequently, this document deprecates the IQUERY operation, declaring it entirely obsolete. This document updates RFC 1035.

-- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: inverse query:PTR RR or OPCODE=1 ?
In message 4591889.164031259808158905.javamail.corem...@app183.163.com, lipeng967 writes:
> When I read RFC 1035, I noticed the opcode definition in the DNS message header. It said that when opcode = 1 the message is an inverse query. But in the packet I captured when I used nslookup to do an inverse query, the inverse query packet used opcode = 0 and the question section with RR TYPE PTR. Can someone explain this? Am I wrong in my understanding of the inverse query? Thanks a lot.

Nslookup does normal queries into the .ARPA namespace to do reverse lookups. Inverse lookups were a concept that really only worked in the dentist surgery scenario (one server providing the entire DNS view). Inverse queries were deprecated years ago: http://www.ietf.org/rfc/rfc3425.txt.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
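As an added example (not code from the thread, nslookup or BIND), this builds and decodes on the wire what a reverse lookup actually is: a standard query with opcode 0 whose question is a PTR record under in-addr.arpa or ip6.arpa, using only the Python standard library (ipaddress supplies the reversed name). The transaction id is an arbitrary constructed value.

```python
import ipaddress
import struct

OPCODE_QUERY = 0    # RFC 1035 4.1.1: standard query, what nslookup sends
OPCODE_IQUERY = 1   # RFC 1035 inverse query, obsoleted by RFC 3425
QTYPE_PTR = 12
QCLASS_IN = 1
HEADER_LEN = 12

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ptr_query(ip: str, txid: int = 0x1234) -> bytes:
    """Build the query packet a resolver sends for a reverse lookup of ip."""
    # reverse_pointer gives e.g. 100.1.168.192.in-addr.arpa, or the nibble form under ip6.arpa
    qname = ipaddress.ip_address(ip).reverse_pointer
    flags = (OPCODE_QUERY << 11) | 0x0100                      # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, no other sections
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)

def parse_question(pkt: bytes) -> dict:
    """Decode the header flags and the first question of a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    labels, off = [], HEADER_LEN
    while True:                       # question names are never compressed in a query we built
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "txid": txid,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,    # bits 11-14 of the flags word
        "rd": (flags >> 8) & 1,
        "qdcount": qdcount,
        "qname": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }

if __name__ == "__main__":
    q = parse_question(build_ptr_query("192.168.1.100"))
    print(q["opcode"], q["qname"], q["qtype"])   # 0 100.1.168.192.in-addr.arpa 12
```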
Re: inverse query:PTR RR or OPCODE=1 ?
Thank you very much for your help and advice.