Re: multi-master and ixfr-from-differences: failed: new serial (2010060900) out of range
Another attempt. We get these quite often. Any idea where the problem could be?

On 10.06.10 09:34, Matus UHLAR - fantomas wrote:

I run slaves for root zone on two machines, they behave as one of masters for each other and for all our recursive servers providing ixfr (I work for an ISP so I think it's feasible for us) and I occasionally get these errors in log file:

Jun 9 23:11:58 mydb02 named[1427]: general: error: zone ./IN: ixfr-from-differences: failed: new serial (2010060900) out of range [2010060901 - 4157544547]
Jun 9 23:11:58 mydb02 named[1427]: xfer-in: error: transfer of './IN' from 192.228.79.201#53: failed while receiving responses: out of range
Jun 9 23:11:58 mydb02 named[1427]: xfer-in: info: transfer of './IN' from 192.228.79.201#53: Transfer completed: 2 messages, 3564 records, 112157 bytes, 1.812 secs (61896 bytes/sec)
Jun 9 23:11:59 mydb02 named[1427]: general: info: zone ./IN: transferred serial 2010060901
Jun 9 23:11:59 mydb02 named[1427]: xfer-in: info: transfer of './IN' from 192.5.5.241#53: Transfer completed: 3 messages, 3564 records, 125268 bytes, 0.522 secs (239977 bytes/sec)
Jun 9 23:11:59 mydb02 named[1427]: notify: info: zone ./IN: sending notifies (serial 2010060901)

I wonder what this should mean. I have turned multi-master yes for this zone so I expected that BIND should be quiet if the SOA on master is smaller.

However this looks like BIND notices higher serial on one of masters, but then tried to fetch from different master where the SOA hasn't changed yet.

Is there a bug/issue with multiple masters configuration?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Quantum mechanics: The dreams stuff is made of.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: multi-master and ixfr-from-differences: failed: new serial (2010060900) out of range
In message 20100625060415.ga18...@fantomas.sk, Matus UHLAR - fantomas writes:

Another attempt. We get these quite often. Any idea where the problem could be?

Turn off try-tcp-refresh.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: strange (to me) dns resolution problem
On 23.06.2010 22:01, Hoover Chan wrote:

I have a strange problem where most things are working (i.e. I can query and get the correct answers from DNS) but a few domains which worked before have stopped working. Yet, when I go to another DNS server, they do get resolved. Any pointer to where I should look first? Get a newer list of root name servers? Thanks in advance.

- Toto t...@the-damian.de wrote:

It would be helpful to have some more details (Bind version used, configuration, failing fqdn, ...)

On 24.06.10 09:29, Hoover Chan wrote:

The machine in question is running bind 9.2.1.

There is your problem. You should upgrade to at least 9.4. If you want a better answer, you must provide more information than just the first one.

And, please, configure your mailer to wrap lines below 80 characters per line. 72 to 75 is usually OK.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.
Re: multi-master and ixfr-from-differences: failed: new serial (2010060900) out of range
On 10.06.10 09:34, Matus UHLAR - fantomas wrote:

Jun 9 23:11:58 mydb02 named[1427]: general: error: zone ./IN: ixfr-from-differences: failed: new serial (2010060900) out of range [2010060901 - 4157544547]

In message 20100625060415.ga18...@fantomas.sk, Matus UHLAR - fantomas writes:

We get these quite often. Any idea where the problem could be?

On 25.06.10 16:10, Mark Andrews wrote:

Turn off try-tcp-refresh.

Is there better documentation for the try-tcp-refresh option? While I have no reason not to trust you, I would like to understand the problem itself. It looks like the tcp refresh would transfer the zone independently of SOA serial arithmetic.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
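The serial arithmetic behind the logged range, as an added example (not BIND's code and not from the thread): under RFC 1982 a serial counts as newer only if it is 1 to 2^31-1 steps ahead modulo 2^32, and the bounds in the quoted error are exactly that window around a local serial of 2010060900. The function names and the second sample line are constructed for illustration.

```python
import re

MOD = 2 ** 32          # SOA serials are 32-bit counters
HALF = 2 ** 31

def serial_gt(new, old):
    """RFC 1982: new is ahead of old if it is 1 .. 2^31-1 increments away, modulo 2^32."""
    return 0 < (new - old) % MOD < HALF

def acceptable_range(old):
    """Smallest and largest serial that count as newer than `old`."""
    return (old + 1) % MOD, (old + HALF - 1) % MOD

# Pattern for the named error quoted in this thread.
OUT_OF_RANGE = re.compile(
    r"zone (?P<zone>\S+): ixfr-from-differences: failed: "
    r"new serial \((?P<new>\d+)\) out of range \[(?P<lo>\d+) - (?P<hi>\d+)\]"
)

def explain(line):
    """Recover the local serial from the logged range and classify the offered one."""
    m = OUT_OF_RANGE.search(line)
    if m is None:
        return None
    new, lo, hi = (int(m.group(k)) for k in ("new", "lo", "hi"))
    local = (lo - 1) % MOD
    delta = (new - local) % MOD
    if delta == 0:
        relation = "equal"        # the master still serves the serial already held
    elif delta < HALF:
        relation = "newer"
    elif delta == HALF:
        relation = "undefined"    # RFC 1982 leaves serials exactly 2^31 apart unordered
    else:
        relation = "older"
    return {
        "zone": m.group("zone"),
        "offered": new,
        "local": local,
        "relation": relation,
        "range_matches_rfc1982": acceptable_range(local) == (lo, hi),
    }

# First line is copied from the thread; the second is constructed to show wrap-around.
SAMPLES = [
    "Jun 9 23:11:58 mydb02 named[1427]: general: error: zone ./IN: ixfr-from-differences: failed: new serial (2010060900) out of range [2010060901 - 4157544547]",
    "Jan 1 00:00:00 ns1 named[1]: general: error: zone example.test/IN: ixfr-from-differences: failed: new serial (4294967000) out of range [4294967291 - 2147483641]",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(explain(line))
```

For the line from the thread the offered serial equals the local one, which is what a transfer from a master that has not yet picked up the new zone looks like.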
Re: multi-master and ixfr-from-differences: failed: new serial (2010060900) out of range
In message 20100625072717.gc18...@fantomas.sk, Matus UHLAR - fantomas writes:

On 10.06.10 09:34, Matus UHLAR - fantomas wrote:

Jun 9 23:11:58 mydb02 named[1427]: general: error: zone ./IN: ixfr-from-differences: failed: new serial (2010060900) out of range [2010060901 - 4157544547]

In message 20100625060415.ga18...@fantomas.sk, Matus UHLAR - fantomas writes:

We get these quite often. Any idea where the problem could be?

On 25.06.10 16:10, Mark Andrews wrote:

Turn off try-tcp-refresh.

Is there better documentation for the try-tcp-refresh option? While I have no reason not to trust you, I would like to understand the problem itself. It looks like the tcp refresh would transfer the zone independently of SOA serial arithmetic.

With try-tcp-refresh yes; the udp retries fail to the master that is behind. Named does an axfr from that master and you get the message you see.

The following may also help as it turns on SOA before AXFR for the ixfr-from-differences case. This has not been tested.

Mark

Index: lib/dns/zone.c === RCS file: /proj/cvs/prod/bind9/lib/dns/zone.c,v retrieving revision 1.540.2.26 diff -u -r1.540.2.26 zone.c --- lib/dns/zone.c 2 Jun 2010 01:00:28 - 1.540.2.26 +++ lib/dns/zone.c 25 Jun 2010 07:47:41 - @@ -11946,7 +11950,10 @@ } else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) { dns_zone_log(zone, ISC_LOG_DEBUG(1), ixfr-from-differences set, requesting AXFR from %s, master); - xfrtype = dns_rdatatype_axfr; + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) + xfrtype = dns_rdatatype_soa; + else + xfrtype = dns_rdatatype_axfr; } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) { dns_zone_log(zone, ISC_LOG_DEBUG(1), forced reload, requesting AXFR of

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
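Review bot: in the DNS_ZONEOPT_IXFRFROMDIFFS branch the dns_zone_log call ahead of the new if/else still reports "requesting AXFR from %s", so when DNS_ZONEFLG_SOABEFOREAXFR is set the debug log names an AXFR while xfrtype is dns_rdatatype_soa. Move that message into the else arm and log the SOA query with its own message, otherwise a debug trace of the multi-master case discussed in this thread will show the wrong request type. The hunk header (-11946,7 +11950,10) also starts four lines later on the new side than on the old, which means the working copy carries additions earlier in zone.c that are not part of the posted diff; check that this hunk applies on its own against revision 1.540.2.26, given that the message says the change has not been tested.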
Re: How can I fake a part of domain?
[...]

Erm, are you *sure* that you want to do this? Really really sure? It's probably a bad idea, but

Step 1: Make yourself authoritative for www2, www3 -- in named.conf:

zone "www2.example.com" { type master; file "/etc/namedb/www2.example.com"; };
zone "www3.example.com" { type master; file "/etc/namedb/www3.example.com"; };

Step 2: Make zone files www2.example.com (and obviously, www3):

$TTL 1h
www2.example.com. IN SOA localhost (
        hostmaster.localhost
        2010062700 1h 15m 4w 1h )
        NS localhost.
        A 11.11.11.11

Step 3: Repeat

This was a bad idea and I feel dirty...

W

[...]

Just on the ethical side of this to stray away from the technical discussion if I may;

The local telco and backbone ISP in the country I live in (not mentioning which one) has done this to block YouTube and Google even due to some ridiculous court ruling in that they offend the country or some rubbish like that??

Originally it was easy to get around by using a different recursive DNS resolver and of course having one's own DNS servers directly resolving the 'hinted root zone' helps tremendously, however most people just used Google's public DNS servers.

Anyway now they've done a complete ACL block on the system so the IP addresses even get routed to different destinations or denied altogether!! Means no more music vids for the nation :-(

Only way round it is a VPN IPsec tunnel into a different Geo location and re-route the proper IP addresses and domains to a remote gateway.

Regards,
Kaya
Forwarding DNS Server can not resolved alias records(CNAME)?
Forwarding DNS Server cannot resolve alias records (CNAME)?

here: 211.99.204.77 Forwarding DNS
Master Zone (another ip address)

[r...@flyinweb data]# vi 01cool.com.dom

$TTL 7200 ; 2 hours
@       IN SOA  ns1.mymaster.com. root.mymaster.com. (
                5       ; serial
                10800   ; refresh
                3600    ; retry
                604800  ; expire
                86400   ; minimum
                )
        NS      ns1.mymaster.com.
        NS      ns2.mymaster.com.
        MX      10 mail.01cool.com.
@       A       218.246.85.101
mail    A       218.246.85.199
www     CNAME   218.246.85.101.
www1    CNAME   517sou.net.

A Record is correct, but CNAME Record is incorrect!

[r...@flyinweb data]# dig @211.99.204.77 01cool.com

; <<>> DiG 9.7.0-P2 <<>> @211.99.204.77 01cool.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;01cool.com.            IN      A

;; ANSWER SECTION:
01cool.com.             7200    IN      A       218.246.85.101

;; AUTHORITY SECTION:
01cool.com.             7200    IN      NS      ns1.cnolnic.com.
01cool.com.             7200    IN      NS      ns2.cnolnic.com.

;; ADDITIONAL SECTION:
ns2.cnolnic.com.        6523    IN      A       59.151.23.112

;; Query time: 108 msec
;; SERVER: 211.99.204.77#53(211.99.204.77)
;; WHEN: Fri Jun 25 19:00:35 2010
;; MSG SIZE rcvd: 104

[r...@flyinweb ~]# dig @211.99.204.77 www.01cool.com

; <<>> DiG 9.7.0-P2 <<>> @211.99.204.77 www.01cool.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25575
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.01cool.com.        IN      A

;; Query time: 108 msec
;; SERVER: 211.99.204.77#53(211.99.204.77)
;; WHEN: Fri Jun 25 18:57:27 2010
;; MSG SIZE rcvd: 32

--
ShanyiWan
2010-06-25
Re: named-checkzone
On Thu, Jun 24, 2010 at 04:37:45PM -0400, Paul Amaral wrote:

I was thinking more instantaneous without moving things around. I looked at vim vimrc autocmd but I couldn't get named-checkzone to execute and I would still have to somehow have named-checkzone look at the last zone that was edited. Good suggestion though.

Check $PATH or use the full file name from /.

--
/*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
Re: named-checkzone
On Thu, Jun 24, 2010 at 03:46:37PM -0400, P.A wrote:

Hi, I'm trying to get some ideas how I can exec named-checkzone on a zone file that has just been executed. We have com users who edit zone files but forget to run the command when they are done editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after it's been edited.

Shell command file that
(1) Checks it out of version control [RCS, Subversion, git, whatever]
(2) Throws it into ${EDITOR:-vi}
(3) Runs named-checkzone using zone name based on file name
(4) If it fails, let the user absorb the error msg before goto (2)
(5) If it succeeds, ask the user whether to edit again or commit
(6) Check it back into version control
(7) rndc reload

--
/*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
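The numbered procedure above as an added example, written in Python rather than as a shell command file (it is not Joe Yao's code). It assumes the zone file sits in a git working tree, so step (1) is already done, and that the file is named after the zone with an optional .zone/.db/.dom suffix; `edit_zone`, `zone_name_for` and the `run`/`ask` parameters are illustrative names, with `run` and `ask` injectable so the loop can be exercised without BIND installed.

```python
import os
import shlex
import subprocess
from pathlib import Path

def zone_name_for(path, suffixes=(".zone", ".db", ".dom")):
    """Assumed convention: the file is named after the zone, optionally with a suffix."""
    name = Path(path).name
    for suffix in suffixes:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name

def edit_zone(path, run=subprocess.run, ask=input):
    """Edit, validate, commit and reload one zone file; returns the zone name."""
    zone = zone_name_for(path)
    editor = shlex.split(os.environ.get("EDITOR", "vi"))
    while True:
        run(editor + [path])                                    # step 2
        check = run(["named-checkzone", zone, path],
                    capture_output=True, text=True)             # step 3
        if check.returncode != 0:                               # step 4
            print(check.stdout, check.stderr, sep="")
            ask("named-checkzone failed; press Enter to edit again ")
            continue
        answer = ask("Zone OK. Edit again (e) or commit (c)? ")  # step 5
        if answer.lower().startswith("e"):
            continue
        break
    # Step 6: commit only when the edit changed something, so a no-op
    # edit does not make `git commit` fail.
    if run(["git", "diff", "--quiet", "--", path]).returncode != 0:
        run(["git", "commit", "-m", f"Update zone {zone}", "--", path], check=True)
    run(["rndc", "reload", zone], check=True)                   # step 7
    return zone

if __name__ == "__main__":
    import sys
    edit_zone(sys.argv[1])
```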
What does the following entry mean, in particular, what is SOA -E?
What does the following entry mean:

25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1)
Re: What does the following entry mean, in particular, what is SOA -E?
On 25/06/10 16:22, Regid Ichira wrote:

What does the following entry mean:

25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1)

http://www.isc.org/files/arm96.html#the_category_phrase
Re: What does the following entry mean, in particular, what is SOA -E?
On 25/06/10 16:28, Phil Mayers wrote:

On 25/06/10 16:22, Regid Ichira wrote:

What does the following entry mean:

25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1)

http://www.isc.org/files/arm96.html#the_category_phrase

Drat, sorry, hit return too early:

Basically it means a client made a query for the SOA record of the nik.cyp.net zone, and the flags (as per the URL above):

...reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C).
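A parser for the query-log line discussed above, as an added example (not from the thread or from BIND): it splits the entry into client, view, question and flags, and decodes the flag letters exactly as the quoted ARM text lists them. The second and third sample lines are constructed, and letters outside that list are reported as unknown rather than guessed.

```python
import re
from collections import Counter

# client <addr>#<port>: [view <name>: ]query: <qname> <class> <type> <flags> [(<local addr>)]
QUERY_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-][A-Za-z]*)"
    r"(?: \((?P<local>[^)]+)\))?"
)

# Letters as listed in the ARM text quoted in the message above.
FLAG_NAMES = {"S": "signed", "E": "edns", "D": "dnssec_ok", "C": "checking_disabled"}

def parse_query(line):
    """Return a dict describing one 'queries' category log line, or None."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    flags = rec["flags"]
    rec["recursion_desired"] = flags[0] == "+"
    for letter, name in FLAG_NAMES.items():
        rec[name] = letter in flags[1:]
    rec["unknown_flags"] = sorted(set(flags[1:]) - set(FLAG_NAMES))
    return rec

def count_by_flags(lines):
    """Tally flag strings across a log, skipping lines that are not query entries."""
    parsed = (parse_query(line) for line in lines)
    return Counter(rec["flags"] for rec in parsed if rec)

# First line is copied from the thread; the others are constructed.
SAMPLES = [
    "25-Jun-2010 15:32:20.669 queries: info: client 192.168.196.55#53: view remote: query: nik.cyp.net IN SOA -E (192.168.1.1)",
    "25-Jun-2010 15:40:01.002 queries: info: client 10.0.0.5#40123: query: www.example.test IN A +ED (10.0.0.1)",
    "25-Jun-2010 15:40:02.114 queries: info: client 10.0.0.6#40124: query: example.test IN MX +ET (10.0.0.1)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_query(line))
    print(count_by_flags(SAMPLES))
```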
Re: Forwarding DNS Server can not resolved alias records(CNAME)?
Note that the name 218.246.85.101 -- which is the target of the www.01cool.com alias -- does not exist in the Internet DNS.

I don't know what kind of DNS implementation/configuration is running on 211.99.204.77, but it seems to be returning SERVFAIL for *any* recursive query outside of its authoritative zones:

dig cnn.com @211.99.204.77

; <<>> DiG 9.3.0 <<>> cnn.com @211.99.204.77
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 800
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com.               IN      A

which would, of course, include the aforementioned name 218.246.85.101.

For non-recursive queries outside of its authoritative zones, it gives a root referral, which is reasonable. I guess that crippling one's nameserver in this way is marginally better than being an open recursor, but not by much...

- Kevin
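A check for the mistake Kevin describes, as an added example (not from the thread): it scans zone-file text for CNAME records whose target parses as an IP address, which DNS treats as a host name to look up rather than as an address. The zone text is the poster's file re-laid out; the function names are illustrative, and the parser is deliberately simplified (no $INCLUDE, no quoted strings containing ';').

```python
import ipaddress

def strip_comment(line):
    """Drop everything after ';' (zone-file comment) and trailing whitespace."""
    return line.split(";", 1)[0].rstrip()

def cname_targets(zone_text):
    """Yield (owner, target) for each CNAME record; blank owners inherit the previous one."""
    owner = "@"
    for raw in zone_text.splitlines():
        line = strip_comment(raw)
        if not line.strip() or line.lstrip().startswith("$"):
            continue                      # blank line or $TTL/$ORIGIN directive
        tokens = line.split()
        if not line[0].isspace():         # a name in column one sets the owner
            owner, tokens = tokens[0], tokens[1:]
        upper = [t.upper() for t in tokens]
        if "CNAME" in upper:
            idx = upper.index("CNAME")
            if idx + 1 < len(tokens):
                yield owner, tokens[idx + 1]

def looks_like_ip(name):
    """True if the name, without its trailing dot, is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False

def lint(zone_text):
    """Return the CNAME records that point at an address instead of a host name."""
    return [(o, t) for o, t in cname_targets(zone_text) if looks_like_ip(t)]

# The zone file posted in the thread.
ZONE = """\
$TTL 7200 ; 2 hours
@       IN SOA  ns1.mymaster.com. root.mymaster.com. (
                5       ; serial
                10800   ; refresh
                3600    ; retry
                604800  ; expire
                86400   ; minimum
                )
        NS      ns1.mymaster.com.
        NS      ns2.mymaster.com.
        MX      10 mail.01cool.com.
@       A       218.246.85.101
mail    A       218.246.85.199
www     CNAME   218.246.85.101.
www1    CNAME   517sou.net.
"""

if __name__ == "__main__":
    for owner, target in lint(ZONE):
        print(f"{owner}: CNAME target {target} is an address; use an A record instead")
```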