Bind DNS server not resolving
Hi,

I have been experiencing DNS resolution problems these past few days. If I run nslookup I get this error:

;; connection timed out; no servers could be reached

With dig +trace I get:

; <<>> DiG 9.6-ESV-R1 <<>> @ espn.com +trace
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I am not sure exactly what is causing these timeouts. The strange thing is that it works sometimes for a brief time and stops. The network does not seem to be the problem, as I can run a traceroute from the server and also if I run a traceroute from dnsstuff.com.

My server is Debian 5.0 lenny and the bind version running on it is 9.9.6-ESV-R1.

Any help will be greatly appreciated.

Thanks
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
rndc: 'sign' failed: permission denied
I've configured bind-9.7.1 with DNSSec and stored the keys online, to allow dynamic updates via nsupdate. Here are the relevant bits from my named.conf:

options {
    ...
    dnssec-enable yes;
    directory "/var/named/db";
    key-directory "/var/named/keys";
    ...
};

key foo {
    algorithm hmac-md5;
    secret "X";
};

view "global" {
    zone "example.org" {
        type master;
        file "example.org.signed";
        allow-update { key foo; };
    };

I have KSK and ZSK pairs for example.org, I can query data from the zone and get all the DNSSec bits back as expected, everything works fine. I can even do this on a remote server:

$ nsupdate
server my-example-server.example.org
key foo X
zone example.org
update add somerecord.example.org 300 A 192.168.0.123
send

And have it work perfectly (i.e. the KSK and ZSK in the key-directory are found and used by named).

The problem is that, when I attempt

rndc sign example.org

from my server, I get

rndc: 'sign' failed: permission denied

The only thing logged by my server is

07-Jul-2010 15:11:29.614 info: received control channel command 'sign example.org'

No indication as to what "permission" is denied, specifically. Any ideas as to what I may be doing wrong?

The server runs as user 'named', and the keys in the key directory are owned by 'named' with rw permissions (both public and private). This is also evidenced by the fact that nsupdate works, even from a remote machine.

Thanks for any ideas,
--Gabriel
Re: bind says 'clocks are unsynchronized' but they are not
If you really do have such a small pipe (with your email address I assume Sweden. I didn't think Swedes even knew there were link types other than fibre ;) ) then perhaps you're throttling it to the point where your NTP sync drops off.

Options: Perhaps try some traffic shaping on the link. IXFR or any other bandwidth friendly alternative as suggested below or perhaps an internal NTP server.

On 7/07/10 4:17 PM, "Sven Eschenberg" wrote:

> Hi,
>
> The size of the zone should not be that much of a matter if you use
> IXFR. Aside from that, did you ever consider using another mechanism for
> synchronization, like rsync or lzmaing the zone and transferring it via
> your protocol of choice?
> Then again, why would one have a TLD coloc on a 256kbps line, that seems
> very unreasonable.
>
> Regards
>
> -Sven
>
>
> On Wed, 2010-07-07 at 14:58 +0200, Niklas Jakobsson wrote:
>> Hello,
>>
>> On Wed, 2010-07-07 at 14:41 +0200, Tom Schmitt wrote:
>>> Original Message
>>> Date: Wed, 07 Jul 2010 13:13:45 +0200
>>> From: Niklas Jakobsson
>>> To: bind-us...@isc.org
>>> Subject: bind says 'clocks are unsynchronized' but they are not
>>>
>>> Hello, I have some problems with our bind servers complaining that
>>> 'clocks are unsynchronized' when doing zone transfers with TSIG. The
>>> problem is the clocks are correct, synced with ntp and everything.
>>>
>>> Maybe one of the two servers doing the zone transfer is running in a chroot
>>> where it has another time setting than the server itself?
>>>
>>
>> Not running any chroot.
>>
>>> The problem seems to occur mostly on zone transfers that take a long time (i.e. hours).
>>>
>>> HOURS??
>>> There is definitely something wrong. I cannot imagine a zone so big or a
>>> connection so slow that a zone transfer could take hours. Or do you make an
>>> axfr of the tld com. over a serial connection? ;-)
>>>
>>>
>>> Tom.
>>>
>>
>> Size of a tld that should not be named: 256947194 bytes
>> Speed of connection to a site very far away: 256 kbit/s
>>
>> 256947194/(256*1000/8)/60/60 = 2.23 ~ little over 2 hours...
>>
>> /Nico

--
Kal Feher
Re: bind says 'clocks are unsynchronized' but they are not
Hi,

The size of the zone should not be that much of a matter if you use IXFR. Aside from that, did you ever consider using another mechanism for synchronization, like rsync or lzmaing the zone and transferring it via your protocol of choice?
Then again, why would one have a TLD coloc on a 256kbps line, that seems very unreasonable.

Regards

-Sven

On Wed, 2010-07-07 at 14:58 +0200, Niklas Jakobsson wrote:
> Hello,
>
> On Wed, 2010-07-07 at 14:41 +0200, Tom Schmitt wrote:
> > Original Message
> > > Date: Wed, 07 Jul 2010 13:13:45 +0200
> > > From: Niklas Jakobsson
> > > To: bind-us...@isc.org
> > > Subject: bind says 'clocks are unsynchronized' but they are not
> > >
> > > Hello,
> > >
> > > I have some problems with our bind servers complaining that 'clocks are
> > > unsynchronized' when doing zone transfers with TSIG. The problem is the
> > > clocks are correct, synced with ntp and everything.
> >
> > Maybe one of the two servers doing the zone transfer is running in a chroot
> > where it has another time setting than the server itself?
> >
>
> Not running any chroot.
>
> > >
> > > The problem seems to occur mostly on zone transfers that take a long
> > > time (i.e. hours).
> > >
> >
> > HOURS??
> > There is definitely something wrong. I cannot imagine a zone so big or a
> > connection so slow that a zone transfer could take hours. Or do you make an
> > axfr of the tld com. over a serial connection? ;-)
> >
> >
> > Tom.
> >
>
> Size of a tld that should not be named: 256947194 bytes
> Speed of connection to a site very far away: 256 kbit/s
>
> 256947194/(256*1000/8)/60/60 = 2.23 ~ little over 2 hours...
>
> /Nico
Re: bind says 'clocks are unsynchronized' but they are not
Hello,

On Wed, 2010-07-07 at 14:41 +0200, Tom Schmitt wrote:
> Original Message
> > Date: Wed, 07 Jul 2010 13:13:45 +0200
> > From: Niklas Jakobsson
> > To: bind-us...@isc.org
> > Subject: bind says 'clocks are unsynchronized' but they are not
> >
> > Hello,
> >
> > I have some problems with our bind servers complaining that 'clocks are
> > unsynchronized' when doing zone transfers with TSIG. The problem is the
> > clocks are correct, synced with ntp and everything.
>
> Maybe one of the two servers doing the zone transfer is running in a chroot
> where it has another time setting than the server itself?
>

Not running any chroot.

> >
> > The problem seems to occur mostly on zone transfers that take a long
> > time (i.e. hours).
> >
>
> HOURS??
> There is definitely something wrong. I cannot imagine a zone so big or a
> connection so slow that a zone transfer could take hours. Or do you make an
> axfr of the tld com. over a serial connection? ;-)
>
>
> Tom.
>

Size of a tld that should not be named: 256947194 bytes
Speed of connection to a site very far away: 256 kbit/s

256947194/(256*1000/8)/60/60 = 2.23 ~ little over 2 hours...

/Nico
Re: bind says 'clocks are unsynchronized' but they are not
Original Message
> Date: Wed, 07 Jul 2010 13:13:45 +0200
> From: Niklas Jakobsson
> To: bind-us...@isc.org
> Subject: bind says 'clocks are unsynchronized' but they are not

> Hello,
>
> I have some problems with our bind servers complaining that 'clocks are
> unsynchronized' when doing zone transfers with TSIG. The problem is the
> clocks are correct, synced with ntp and everything.

Maybe one of the two servers doing the zone transfer is running in a chroot where it has another time setting than the server itself?

>
> The problem seems to occur mostly on zone transfers that take a long
> time (i.e. hours).
>

HOURS??
There is definitely something wrong. I cannot imagine a zone so big or a connection so slow that a zone transfer could take hours. Or do you make an axfr of the tld com. over a serial connection? ;-)

Tom.
bind says 'clocks are unsynchronized' but they are not
Hello,

I have some problems with our bind servers complaining that 'clocks are unsynchronized' when doing zone transfers with TSIG. The problem is the clocks are correct, synced with ntp and everything.

The problem seems to occur mostly on zone transfers that take a long time (i.e. hours).

Has anyone seen or had any similar problems, or have an idea what is going on?

I'm running bind 9.6.1-P3 on debian/lenny.

/Nico

--
Niklas Jakobsson - SysAdmin @ Netnod
mailto:n...@netnod.se
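
Background for the thread above, as an added example that is not from any poster and not BIND's own code: every TSIG record carries a 48-bit Time Signed and a 16-bit Fudge, and RFC 2845 has the receiver answer BADTIME when its own clock falls outside Time Signed plus or minus Fudge. The RDATA bytes, timestamp, MAC and the 300-second fudge below are constructed sample values.

```python
import struct

def encode_name(name):
    """Uncompressed DNS wire-format name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_tsig_rdata(alg, time_signed, fudge, mac, orig_id, error=0, other=b""):
    """Serialize TSIG RDATA in the field order of RFC 2845 section 2.3."""
    return (encode_name(alg)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!H", len(mac)) + mac
            + struct.pack("!HHH", orig_id, error, len(other)) + other)

def parse_tsig_rdata(rdata):
    """Parse TSIG RDATA back into its fields."""
    labels, i = [], 0
    while rdata[i]:                      # algorithm name, label by label
        n = rdata[i]
        labels.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    i += 1                               # skip the root label
    hi, lo, fudge, mac_len = struct.unpack_from("!HIHH", rdata, i)
    i += 10
    mac = rdata[i:i + mac_len]
    i += mac_len
    orig_id, error, other_len = struct.unpack_from("!HHH", rdata, i)
    return {"algorithm": ".".join(labels) + ".",
            "time_signed": (hi << 32) | lo,   # 48-bit seconds since the epoch
            "fudge": fudge, "mac": mac, "original_id": orig_id,
            "error": error, "other_len": other_len}

def time_check(tsig, now):
    """RFC 2845 section 4.5.2: BADTIME if now is outside time_signed +/- fudge."""
    return "BADTIME" if abs(now - tsig["time_signed"]) > tsig["fudge"] else "NOERROR"

# Constructed sample record: all values below are made up for illustration.
SAMPLE_TIME = 1278501225
SAMPLE_RDATA = build_tsig_rdata("hmac-md5.sig-alg.reg.int.", SAMPLE_TIME,
                                300, bytes(16), 0x1234)

if __name__ == "__main__":
    tsig = parse_tsig_rdata(SAMPLE_RDATA)
    for delta in (0, 299, 301, -301, 7200):
        print(f"receiver clock {delta:+5d}s from Time Signed ->",
              time_check(tsig, SAMPLE_TIME + delta))
```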