Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers

On 09/26/2010 10:57 PM, David S. wrote:

I've removed additional-from-cache and restart bind, below part of
named.conf


Ok, bad guess on my part :o(

Not sure I'm afraid. I don't really understand your config; do you mean 
to have recursion off in both views?


What is sending the queries? They're coming from 127.0.0.1 (localhost) 
so something on the system is trying to use bind as a (recursive) 
nameserver.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers

On 27/09/10 09:45, David S. wrote:

Hi Phil,

In that case, don't you want recursion on in view mynetwork?
I don't want recursion in my network, so recursion is no.


Sorry, I don't understand. Perhaps someone else can help you.


Re: DNS resolution based on source network

2010-09-27 Thread David Forrest

On Mon, 27 Sep 2010, Thomas Elsgaard wrote:


Hello

Is it possible with BIND, to resolve the same name (like test.gl) to
different IP's based on the source network of the request?

Here is an example

A machine in network 10.3.0.0/16 is contacting DNS to lookup
test.gl, DNS returns - 10.0.0.2
A machine in network 10.5.0.0/16 is contacting DNS to lookup
test.gl, DNS returns - 10.0.0.5

Thomas
Yes, by using view.  I do it so all my internal machines are 
XXX.maplepark.com, using the private network addresses while the external 
world gets my public addresses.  The internal machines are still able to 
get the external addresses by specifying the server address to be the 
external IP (via host or dig).  Most don't need them though.  It does 
require separate zone files though.  I don't mind sharing my .conf file - 
just email me.


Dave
--
David Forrest e-mail   d...@maplepark.com
Maple Park Development Corporation  http://xen.maplepark.com
St. Louis, Missouri(Sent by ALPINE 2.01 FEDORA 11 LINUX)


Re: DNS resolution based on source network - SOLVED

2010-09-27 Thread Thomas Elsgaard
 Yes, by using view.  I do it so all my internal machines are
 XXX.maplepark.com, using the private network addresses while the external
 world gets my public addresses.  The internal machines are still able to get
 the external addresses by specifying the server address to be the external
 IP (via host or dig).  Most don't need them though.  It does require
 separate zone files though.  I don't mind sharing my .conf file - just email
 me.

 Dave


Thanks everybody, views was the magic word, I will look into it.

Thomas


Re: maximum number of FD events (64) received

2010-09-27 Thread Sergey V. Lobanov

Reconfigure Bind thus:

STD_CDEFINES='-DISC_SOCKET_MAXEVENTS=256' ./configure --your-options

then recompile

On 09/27/2010 01:27 PM, Samer Khattab wrote:

Hi all,

I'm using Bind as a caching name server and serving around 2000 req 
per second, and recently have the following messages showing up from 
time to time in the general.log.



27-Sep-2010 10:45:47.639 sockmgr 0x2ad7af2f5010: maximum number of FD 
events (64) received
27-Sep-2010 10:45:47.872 sockmgr 0x2ad7af2f5010: maximum number of FD 
events (64) received


BIND BIND 9.7.1-P2
RHEL 5.5   kernel 2.6.18-194.11.3.el5

What is the meaning of these messages ? Are they related to the system 
file descriptors ?







--
wbr,
Sergey V. Lobanov




Re: tkey-gssapi-credential

2010-09-27 Thread Nicholas F Miller
Are you sure? ;-P

I can't seem to get things working. It looks like the Windows machines are not 
happy with the TKEY the DCs are giving them. I can kinit a user account from 
the AD on the DNS server so our krb5.conf appears correct. I am getting errors 
when I run kinit -k -t /etc/krb5.keytab saying the client is not found in the 
database. I'm not sure if it should work since the keytab only has a reference 
to the DNS service principal.

I created the keytab using various different flags. Below is the current keytab:

ktpass -out new.keytab -princ DNS/fqn of the DNS server@FQN of DOMAIN -pass 
* -mapuser ADuser@fqn of domain -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-CRC

From the AD client I am getting some DNS TKEY transactions like this after the 
update fails. Notice the second transaction's Signature inception and 
expiration have a null date:

7341161.603167  DC IP client IP DNS Standard query TKEY 
472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e
...snip
   Queries
   472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e: type TKEY, 
class IN
   Name: 472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e
   Type: TKEY (Transaction Key)
   Class: IN (0x0001)
   Additional records
   472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e: type TKEY, 
class ANY
   Name: 472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e
   Type: TKEY (Transaction Key)
   Class: ANY (0x00ff)
   Time to live: 0 time
   Data length: 1712
   Algorithm name: gss-tsig
   Signature inception: Sep 27, 2010 07:26:04.0 Mountain 
Daylight Time
   Signature expiration: Sep 28, 2010 07:26:04.0 Mountain 
Daylight Time
   Mode: GSSAPI
   Error: No error
   Key Size: 1686
   Key Data
   GSS-API Generic Security Service Application Program Interface
   OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
   Simple Protected Negotiation
   negTokenInit
   mechTypes: 3 items
   MechType: 1.2.840.48018.1.2.2 (MS KRB5 - 
Microsoft Kerberos 5)
   MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 
5)
   MechType: 1.2.840.113554.1.2.2.3 (KRB5 - 
Kerberos 5 - User to User)
   mechToken: 
6082065006092a864886f71201020201006e82063f308206...
   krb5_blob: 
6082065006092a864886f71201020201006e82063f308206...
   KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 
5)
   krb5_tok_id: KRB5_AP_REQ (0x0001)
   Kerberos AP-REQ
   Pvno: 5
   MSG Type: AP-REQ (14)
   Padding: 0
   APOptions: 2000 (Mutual required)
   0...        
= reserved: RESERVED bit off
   .0..        
= Use Session Key: Do NOT use the session key to encrypt the ticket
   ..1.        
= Mutual required: MUTUAL authentication is REQUIRED
   Ticket
   Tkt-vno: 5
   Realm: FQN of DOMAIN
   Server Name (Service and Instance): 
DNS/fqn of the DNS server
   Name-type: Service and Instance (2)
   Name: DNS
   Name: fqn of the DNS server
   enc-part rc4-hmac
   Encryption type: rc4-hmac (23)
   Kvno: 3
   enc-part: 
29653f6457b51106240db14316c9ffef0f40e58852cf7a59...
   Authenticator rc4-hmac
   Encryption type: rc4-hmac (23)
   Authenticator data: 
6b4d26e823ca79be98fa558115020ef589b859088566b9a3...
   Other Size: 0

7344161.605703  client IP DC IP DNS Standard query response 
TKEY
...snip
Queries
   472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e: type TKEY, 
class IN
   Name: 472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e
   Type: TKEY (Transaction Key)
   Class: IN (0x0001)
Answers
   472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e: type TKEY, 
class ANY
   Name: 472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e
   Type: TKEY (Transaction Key)
   Class: ANY 

Re: maximum number of FD events (64) received

2010-09-27 Thread Samer Khattab
Thanks Sergey,

I want to know one more thing, if you can help me.

Will this error cause timeouts ? does it have impact on performance ?



On Mon, Sep 27, 2010 at 3:42 PM, Sergey V. Lobanov ser...@lobanov.in wrote:

 Reconfigure Bind thus:

 STD_CDEFINES='-DISC_SOCKET_MAXEVENTS=256' ./configure --your-options

 then recompile


 On 09/27/2010 01:27 PM, Samer Khattab wrote:

 Hi all,

 I'm using Bind as a caching name server and serving around 2000 req per
 second, and recently have the following messages showing up from time to
 time in the general.log.


 27-Sep-2010 10:45:47.639 sockmgr 0x2ad7af2f5010: maximum number of FD
 events (64) received
 27-Sep-2010 10:45:47.872 sockmgr 0x2ad7af2f5010: maximum number of FD
 events (64) received

 BIND BIND 9.7.1-P2
 RHEL 5.5   kernel 2.6.18-194.11.3.el5

 What is the meaning of these messages ? Are they related to the system
 file descriptors ?






 --
 wbr,
 Sergey V. Lobanov



Re: tkey-gssapi-credential

2010-09-27 Thread Nicholas F Miller
A small correction:

The packets captured below were between one of the DCs and the DNS server not a 
client.

Also, I am getting this as well when I run nsupdate -g and try to add an A 
record:

dns_tkey_negotiategss: TKEY is unacceptable
_
Nicholas Miller, ITS, University of Colorado at Boulder



On Sep 27, 2010, at 7:54 AM, Nicholas F Miller wrote:

 Are you sure? ;-P
 
 I can't seem to get things working. It looks like the Windows machines are 
 not happy with the TKEY the DCs are giving them. I can kinit a user account 
 from the AD on the DNS server so our krb5.conf appears correct. I am getting 
 errors when I run kinit -k -t /etc/krb5.keytab saying the client is not found 
 in the database. I'm not sure if it should work since the keytab only has a 
 reference to the DNS service principal.
 
 I created the keytab using various different flags. Below is the current 
 keytab:
 
 ktpass -out new.keytab -princ DNS/fqn of the DNS server@FQN of DOMAIN 
 -pass * -mapuser ADuser@fqn of domain -ptype KRB5_NT_PRINCIPAL -crypto 
 DES-CBC-CRC
 

Re: Notice regarding BIND 9.7.2

2010-09-27 Thread Fr34k
Hello,

Were there ... more information on these developments early next week?

My apologies if I missed them.

Thank you.




- Original Message 
From: Larissa Shapiro laris...@isc.org
To: bind-us...@isc.org
Sent: Sun, September 19, 2010 5:54:15 PM
Subject: Notice regarding BIND 9.7.2

Dear User Community,

ISC has learned of a late-breaking bug in the BIND 9.7.2 code base, so
we have removed it from our website and ftp site as it is not currently
recommended for deployment. BIND 9.7.1-P2 is our current recommended
release for Production. We will provide more information on these
developments early next week, as soon as they are available.

Larissa Shapiro
ISC Product Manager


Re: Notice regarding BIND 9.7.2

2010-09-27 Thread Hauke Lampe


 Were there ... more information on these developments early next week?

I was just about to ask the same question. ;)

I noticed the absence of 9.7.2 on ftp.isc.org, read the announcement here a day 
later and rolled back my 9.7.2rc1 servers to 9.7.1-P2.

It would be good to know the nature of the bug, though. The complete removal of 
9.7.2* from the ftp site left me a bit worried.


Hauke.



Re: DNS resolution based on source network

2010-09-27 Thread Warren Kumari


On Sep 27, 2010, at 9:00 AM, Thomas Elsgaard wrote:


Hello

Is it possible with BIND, to resolve the same name (like test.gl) to
different IP's based on the source network of the request?

Here is an example

A machine in network 10.3.0.0/16 is contacting DNS to lookup
test.gl, DNS returns - 10.0.0.2
A machine in network 10.5.0.0/16 is contacting DNS to lookup
test.gl, DNS returns - 10.0.0.5


Yup, one use of this is geolocation / GSLB / stupid DNS tricks:

http://backreference.org/2010/02/01/geolocation-aware-dns-with-bind/

http://www.ip2location.com/ip2location-bind-dns.aspx

and a whole heap more...

W





Thomas


--
Consider orang-utans.
In all the worlds graced by their presence, it is suspected that they  
can talk but choose not to do so in case humans put them to work,  
possibly in the television industry. In fact they can talk. It's just  
that they talk in Orang-utan. Humans are only capable of listening in  
Bewilderment.

-- Terry Pratchett




Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Christopher Cain
Hi all.

I am setting up a new appliance-based DNS solution that will contain a fair
number of separately managed Windows DNS slave servers (in addition to the
DNS appliances that will handle the .

Currently there are just over 8000 host records that resolve to IP's in the
10.x.x.x space.  I am wrestling with whether or not I should create a single
10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. -
0.10.in-addr.arpa to 255.10.in-addr.arpa).

The reason I want to encompass the entire 10 space is so new arpa zones will
not have to be defined on all servers (specifically on the Windows slaves)
if a new part of the 10 space is used at some point.

Any recommendations or comments would be greatly appreciated.

Thanks,

Christopher Cain
E: ch...@christophercain.ca
http://ca.linkedin.com/in/christophercain

Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Chris Buxton
On Sep 27, 2010, at 1:03 PM, Christopher Cain wrote:

 Hi all.
 
 I am setting up a new appliance-based DNS solution that will contain a fair 
 number of separately managed Windows DNS slave servers (in addition to the 
 DNS appliances that will handle the .
 
 Currently there are just over 8000 host records that resolve to IP's in the 
 10.x.x.x space.  I am wrestling with whether or not I should create a single 
 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. - 
 0.10.in-addr.arpa to 255.10.in-addr.arpa).
 
 The reason I want to encompass the entire 10 space is so new arpa zones will 
 not have to be defined on all servers (specifically on the Windows slaves) if 
 a new part of the 10 space is used at some point.
 
 Any recommendations or comments would be greatly appreciated.

There's nothing wrong with a single 10.in-addr.arpa zone. If you need to break 
it up amongst different master servers, a 10.in-addr.arpa zone can still be 
used to delegate child zones to their respective servers.

You might break it up if, for example, the DDNS traffic from DHCP clients 
across the enterprise would be too much for one master server to accommodate. 
The BIND name server writes to its journal file synchronously, for every 
update, and this can be quite a bottleneck. (The same is true for slave 
servers, which keep a journal file for zone transfers in order to service IXFR 
requests sent to them.)

Regards,
Chris Buxton
BlueCat Networks

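As an added example (not code from the thread, and not BIND itself), the following Python renders the layout Chris describes: a single 10.in-addr.arpa parent zone that holds PTR records directly for some ranges and delegates other /16 ranges to their own masters with NS records. It also answers the question a practitioner hits next, which zone actually serves a given address, by longest-suffix match against the delegations, and it refuses a PTR that would sit below a zone cut, because the parent would load it but never serve it. The nameserver and host names (ns1.corp.example, ns-site5.corp.example, host1.corp.example) and the SOA timers are assumptions.

```python
"""One 10.in-addr.arpa zone with delegated /16 children.

Added example, not code from the thread: it renders the parent reverse zone
with PTR records hosted directly for some ranges and NS delegations for
ranges that live on other masters. All names and timers are constructed.
"""
import ipaddress

PARENT = "10.in-addr.arpa."
TEN_SLASH_8 = ipaddress.IPv4Network("10.0.0.0/8")


def ptr_owner(addr):
    """PTR owner name for an IPv4 address: 10.3.4.5 -> 5.4.3.10.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone_for(network):
    """in-addr.arpa zone name for an octet-aligned (/8, /16, /24) network."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map to a single in-addr.arpa zone")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def serving_zone(addr, delegations):
    """Zone that answers a PTR query for addr: the deepest delegated child, else the parent."""
    name = ptr_owner(addr)
    best = PARENT
    for cidr in delegations:
        child = reverse_zone_for(cidr)
        # the leading "." prevents 3.10.in-addr.arpa matching 13.10.in-addr.arpa
        if name.endswith("." + child) and len(child) > len(best):
            best = child
    return best


def render_parent_zone(ptrs, delegations, serial=2010092701):
    """Zone-file text for 10.in-addr.arpa.

    ptrs:        {"10.1.0.5": "host1.corp.example."}          PTRs hosted in the parent
    delegations: {"10.5.0.0/16": ["ns-site5.corp.example."]}  children on other masters

    A PTR whose range is delegated would sit below the zone cut and never be
    served from the parent, so it is rejected instead of silently occluded.
    """
    lines = [
        "$ORIGIN " + PARENT,
        "$TTL 3600",
        "@ IN SOA ns1.corp.example. hostmaster.corp.example. "
        f"{serial} 3600 900 1209600 300",
        "@ IN NS ns1.corp.example.",
    ]
    for cidr, servers in sorted(delegations.items()):
        child = reverse_zone_for(cidr)
        for ns in servers:
            lines.append(f"{child} IN NS {ns}")
    for addr, host in sorted(ptrs.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        if ipaddress.IPv4Address(addr) not in TEN_SLASH_8:
            raise ValueError(f"{addr} is not in 10/8 and does not belong in this zone")
        if serving_zone(addr, delegations) != PARENT:
            raise ValueError(f"{addr} is inside a delegated range; add it to the child zone")
        lines.append(f"{ptr_owner(addr)} IN PTR {host}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    deleg = {"10.5.0.0/16": ["ns-site5.corp.example."]}
    hosts = {"10.1.0.5": "host1.corp.example.", "10.3.4.5": "host2.corp.example."}
    print(render_parent_zone(hosts, deleg))
```

Run the rendered text through named-checkzone 10.in-addr.arpa before loading it. With this layout the Windows slaves only ever carry the one parent zone; a newly used part of the 10 space becomes either a block of PTRs in the parent or one more NS delegation, not a new zone on every slave.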


Re: query cache denied in view statement

2010-09-27 Thread Kevin Darcy
Hopefully you understand that when you turn recursion off, that means 
you can only answer from zones that you actually *host* (i.e. for which 
you are master or slave).


But you have no master or slave zones defined in the mynetwork view.

Therefore it is not possible for that view to do anything useful, the 
way that it is currently configured.



- Kevin


On 9/27/2010 4:45 AM, David S. wrote:

Hi Phil,

In that case, don't you want recursion on in view mynetwork?
I don't want recursion in my network, so recursion is no.

--
Best regards,
David
http://blog.pnyet.web.id


On 09/27/2010 03:32 PM, Phil Mayers wrote:

In that case, don't you want recursion on in view mynetwork?





Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Sten Carlsen
 While a single zone is perfectly fine from a standards point of view,
some clients might be served addresses they don't like 10.x.x.0 and
10.x.x.255.

Just a reminder that this could be a reason if something appears weird.

On 27/09/10 23:07, Chris Buxton wrote:
 On Sep 27, 2010, at 1:03 PM, Christopher Cain wrote:

 Hi all.

 I am setting up a new appliance-based DNS solution that will contain a fair 
 number of separately managed Windows DNS slave servers (in addition to the 
 DNS appliances that will handle the .

 Currently there are just over 8000 host records that resolve to IP's in the 
 10.x.x.x space.  I am wrestling with whether or not I should create a single 
 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. - 
 0.10.in-addr.arpa to 255.10.in-addr.arpa).

 The reason I want to encompass the entire 10 space is so new arpa zones will 
 not have to be defined on all servers (specifically on the Windows slaves) 
 if a new part of the 10 space is used at some point.

 Any recommendations or comments would be greatly appreciated.
 There's nothing wrong with a single 10.in-addr.arpa zone. If you need to 
 break it up amongst different master servers, a 10.in-addr.arpa zone can 
 still be used to delegate child zones to their respective servers.

 You might break it up if, for example, the DDNS traffic from DHCP clients 
 across the enterprise would be too much for one master server to accommodate. 
 The BIND name server writes to its journal file synchronously, for every 
 update, and this can be quite a bottleneck. (The same is true for slave 
 servers, which keep a journal file for zone transfers in order to service 
 IXFR requests sent to them.)

 Regards,
 Chris Buxton
 BlueCat Networks


-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!! 


Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Warren Kumari

On Sep 27, 2010, at 6:55 PM, Sten Carlsen wrote:

 While a single zone is perfectly fine from a standards point of view, some 
 clients might be served addresses they don't like 10.x.x.0 and 10.x.x.255.
 

But that would be DHCP config, no?


 Just a reminder that this could be a reason if something appears weird.


Fair 'nuff,

W
 
 On 27/09/10 23:07, Chris Buxton wrote:
 On Sep 27, 2010, at 1:03 PM, Christopher Cain wrote:
 
 
 Hi all.
 
 I am setting up a new appliance-based DNS solution that will contain a fair 
 number of separately managed Windows DNS slave servers (in addition to the 
 DNS appliances that will handle the .
 
 Currently there are just over 8000 host records that resolve to IP's in the 
 10.x.x.x space.  I am wrestling with whether or not I should create a 
 single 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. - 
 0.10.in-addr.arpa to 255.10.in-addr.arpa).
 
 The reason I want to encompass the entire 10 space is so new arpa zones 
 will not have to be defined on all servers (specifically on the Windows 
 slaves) if a new part of the 10 space is used at some point.
 
 Any recommendations or comments would be greatly appreciated.
 
 There's nothing wrong with a single 10.in-addr.arpa zone. If you need to 
 break it up amongst different master servers, a 10.in-addr.arpa zone can 
 still be used to delegate child zones to their respective servers.
 
 You might break it up if, for example, the DDNS traffic from DHCP clients 
 across the enterprise would be too much for one master server to 
 accommodate. The BIND name server writes to its journal file synchronously, 
 for every update, and this can be quite a bottleneck. (The same is true for 
 slave servers, which keep a journal file for zone transfers in order to 
 service IXFR requests sent to them.)
 
 Regards,
 Chris Buxton
 BlueCat Networks
 


Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Chris Buxton

On Sep 27, 2010, at 3:55 PM, Sten Carlsen wrote:

 While a single zone is perfectly fine from a standards point of view, some 
 clients might be served addresses they don't like 10.x.x.0 and 10.x.x.255.
 
 Just a reminder that this could be a reason if something appears weird. 

Don't confuse zone and DHCP range. Having a 10/8 reverse zone does not mean 
you must have an address range that covers these addresses that might confuse 
users.

You wouldn't want a DHCP range (or a network) that large anyway. The broadcast 
traffic would be a killer.

Regards,
Chris Buxton
BlueCat Networks

 On 27/09/10 23:07, Chris Buxton wrote:
 
 On Sep 27, 2010, at 1:03 PM, Christopher Cain wrote:
 
 Hi all.
 
 I am setting up a new appliance-based DNS solution that will contain a fair 
 number of separately managed Windows DNS slave servers (in addition to the 
 DNS appliances that will handle the .
 
 Currently there are just over 8000 host records that resolve to IP's in the 
 10.x.x.x space.  I am wrestling with whether or not I should create a 
 single 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. - 
 0.10.in-addr.arpa to 255.10.in-addr.arpa).
 
 The reason I want to encompass the entire 10 space is so new arpa zones 
 will not have to be defined on all servers (specifically on the Windows 
 slaves) if a new part of the 10 space is used at some point.
 
 Any recommendations or comments would be greatly appreciated.
 There's nothing wrong with a single 10.in-addr.arpa zone. If you need to 
 break it up amongst different master servers, a 10.in-addr.arpa zone can 
 still be used to delegate child zones to their respective servers.
 
 You might break it up if, for example, the DDNS traffic from DHCP clients 
 across the enterprise would be too much for one master server to 
 accommodate. The BIND name server writes to its journal file synchronously, 
 for every update, and this can be quite a bottleneck. (The same is true for 
 slave servers, which keep a journal file for zone transfers in order to 
 service IXFR requests sent to them.)
 
 Regards,
 Chris Buxton
 BlueCat Networks
 

Re: chrooting BIND [was -Re: Here I am again, hat in hand with humble demeanor.......]

2010-09-27 Thread Doug Barton

On 9/27/2010 7:46 AM, Jerry Kemp wrote:

IMHO, the primary benefit of chrooting is security.

another, less painful option, again IMHO, is to run BIND in a jail if
you are using BSD,


The default configuration in FreeBSD is to run it chroot'ed. Given that 
it's very unlikely that the chroot will be broken, IMO running it in a 
jail for security reasons is overkill.



hth,

Doug

--

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/



Re: chrooting BIND [was -Re: Here I am again, hat in hand with humble demeanor.......]

2010-09-27 Thread Kevin Oberman
 Date: Mon, 27 Sep 2010 09:46:44 -0500
 From: Jerry Kemp dns.bind.l...@oryx.cc
 Sender: bind-users-bounces+oberman=es@lists.isc.org
 
 IMHO, the primary benefit of chrooting is security.
 
 another, less painful option, again IMHO, is to run BIND in a jail if
 you are using BSD, or a zone if you are on Solaris, or a Solaris based
 distro.

While both are pretty simple to do on BSD, jail is far more secure, but
I certainly find setting up jails more complex than chrooting. (Besides,
the FreeBSD BIND is chrooted by default, so there is nothing to set up.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


Re: DNS resolution based on source network

2010-09-27 Thread Kevin Darcy
Under certain limited circumstances, it might make more sense to put 
both/all addresses under the same name, and then use the sortlist 
mechanism to present those addresses in an order which is suitable for 
particular clients.


Among other things, this requires that all resolver/nameserver configs 
be configured with the same sortlist configs, that there is no local 
randomization or re-sorting of the address list, and that there are no 
negative consequences for the client or the client software to connect 
to the wrong address if the preferred one happens to be unavailable.


Views are fine, but historically they're a fairly heavyweight solution 
for this class of requirement, because all relevant zones need to be 
defined multiply and this is difficult to maintain and consumes extra 
memory/CPU resources. The new (9.7.x?) attach-cache feature addresses 
the resource issue somewhat, but still doesn't obviate 
parallel/overlapping zone definitions and associated setup/maintenance. 
With sortlisting, all your zone definitions stay the same, you just need 
to create the round-robin entries and define the appropriate address 
ranges in your sortlist and/or acls clauses.





- Kevin


On 9/27/2010 9:00 AM, Thomas Elsgaard wrote:

Hello

Is it possible with BIND, to resolve the same name (like test.gl) to
different IP's based on the source network of the request?

Here is an example

A machine in network 10.3.0.0/16 is contacting DNS to lookup
test.gl, DNS returns -  10.0.0.2
A machine in network 10.5.0.0/16 is contacting DNS to lookup
test.gl, DNS returns -  10.0.0.5

Thomas
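Added example, not code from the thread or from BIND: a small Python model of the two mechanisms compared in this thread (match-clients views versus sortlist), together with the recursion-off behaviour Kevin explains in the "query cache denied" thread. It encodes the rules as named applies them: views are tried in configuration order and the first whose match-clients ACL accepts the source address wins (a leading "!" negates an element, "any" matches everything); a view with recursion no can only answer from zones it hosts and otherwise returns REFUSED, which is what named logs as "query (cache) ... denied"; a sortlist leaves a single zone with both addresses in place and only reorders the RRset per client. The networks, names and addresses are constructed from Thomas's example, and the "mynetwork" view reproduces the misconfiguration from the other thread (no zones, recursion off).

```python
"""Model of BIND view selection, recursion-off answers and sortlist ordering.

Added example: it mirrors the documented rules of match-clients, recursion
and sortlist but is not BIND code. All networks and names are constructed.
"""
from dataclasses import dataclass, field
import ipaddress


def _element_matches(element, ip):
    """One ACL element: 'any', 'none', or an address/prefix."""
    if element == "any":
        return True
    if element == "none":
        return False
    return ip in ipaddress.ip_network(element, strict=False)


def acl_match(acl, src):
    """First element that matches decides; a leading '!' negates. No match: reject."""
    ip = ipaddress.ip_address(src)
    for element in acl:
        negate = element.startswith("!")
        if _element_matches(element.lstrip("!"), ip):
            return not negate
    return False


@dataclass
class View:
    name: str
    match_clients: list                      # ACL, e.g. ["!10.9.0.0/24", "10.0.0.0/8"]
    recursion: bool
    # zones hosted in this view: {zone name: {owner name: [A addresses]}}
    zones: dict = field(default_factory=dict)


def select_view(views, src):
    """Views are tried in configuration order; the first match wins."""
    for view in views:
        if acl_match(view.match_clients, src):
            return view
    return None


def zone_for(view, qname):
    """Longest-suffix match of qname against the zones the view hosts."""
    best = None
    for zname in view.zones:
        if qname == zname or qname.endswith("." + zname):
            if best is None or len(zname) > len(best):
                best = zname
    return best


def answer(views, src, qname):
    """(rcode, addresses) a client at src gets for qname, as named would decide it."""
    view = select_view(views, src)
    if view is None:
        return ("REFUSED", [])            # no view matched the client at all
    zone = zone_for(view, qname)
    if zone is not None:
        rrset = view.zones[zone].get(qname)
        return ("NOERROR", list(rrset)) if rrset else ("NXDOMAIN", [])
    if view.recursion:
        return ("RECURSE", [])            # hand off to the resolver / cache
    # recursion no and not a hosted zone: logged as "query (cache) ... denied"
    return ("REFUSED", [])


def sortlist_order(addresses, src, sortlist):
    """Reorder one RRset for src using BIND's sortlist semantics.

    sortlist is a list of (source_acl, preference_list). The first entry whose
    source_acl matches src applies: addresses matching an earlier preference
    element go first; addresses matching nothing keep their original order.
    """
    for source_acl, prefs in sortlist:
        if not acl_match(source_acl, src):
            continue

        def rank(addr):
            ip = ipaddress.ip_address(addr)
            for i, pref in enumerate(prefs):
                if _element_matches(pref, ip):
                    return i
            return len(prefs)

        return sorted(addresses, key=rank)     # sorted() is stable
    return list(addresses)


# Constructed configuration: Thomas's two sites plus an "everyone else" view.
VIEWS = [
    View("site3", ["10.3.0.0/16"], False, {"test.gl.": {"test.gl.": ["10.0.0.2"]}}),
    View("site5", ["10.5.0.0/16"], False, {"test.gl.": {"test.gl.": ["10.0.0.5"]}}),
    View("mynetwork", ["10.0.0.0/8"], False),    # recursion no, no zones: answers nothing
    View("external", ["any"], False, {"test.gl.": {"test.gl.": ["192.0.2.10"]}}),
]

# Same goal with one zone holding both addresses and a sortlist.
BOTH = ["10.0.0.2", "10.0.0.5"]
SORTLIST = [(["10.3.0.0/16"], ["10.0.0.2"]), (["10.5.0.0/16"], ["10.0.0.5"])]

if __name__ == "__main__":
    for src in ("10.3.1.1", "10.5.1.1", "10.7.1.1", "198.51.100.7"):
        print(src, answer(VIEWS, src, "test.gl."), sortlist_order(BOTH, src, SORTLIST))
```

Two things the model makes visible that are easy to miss in named.conf: view order matters (move the broad 10.0.0.0/8 view above the /16 views and it shadows them), and the sortlist client still receives both addresses, so it only helps where, as Kevin says, connecting to the non-preferred one is acceptable and nothing on the client re-sorts the list.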


Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Chris Buxton
On Sep 27, 2010, at 4:43 PM, Sten Carlsen wrote:

 Well, it depends on your clients. If they don't like .0 or .255, you would 
 have to have a rather large amount of ranges.
 
 E.g. range 10.1.1.1 10.1.1.254; range 10.1.2.1 10.1.2.254; ..
 
 If OTOH you don't have any of those clients, other factors like hashing 
 algorithms and sizes come into play. This was recently discussed on the list, 
 so there should be information about the optimal way to slice the address 
 range from that point of view in the archives. 

I think you're still thinking of this as a DHCP issue. DHCP was not mentioned 
by the OP, and this is not the DHCP Users list. We're not talking about an 
actual network of 10/8, we're talking about a DNS zone of 10.in-addr.arpa. 
There are no hashing algorithm or size issues at play, because we're not 
talking about DHCP.

From a pure BIND/DNS perspective, there's nothing wrong with a 10.in-addr.arpa 
zone, either as a container of PTR records, a starting point for resolution 
(meaning it contains lots of delegations), or a mix of both.

Regards,
Chris Buxton
BlueCat Networks

 On 28/09/10 1:08, Warren Kumari wrote:
 
 On Sep 27, 2010, at 6:55 PM, Sten Carlsen wrote:
 
 While a single zone is perfectly fine from a standards point of view, 
 some clients might be served addresses they don't like 10.x.x.0 and 
 10.x.x.255.
 
 But that would be DHCP config, no?
 
 
 Just a reminder that this could be a reason if something appears weird.
 
 Fair 'nuff,
 
 W
 On 27/09/10 23:07, Chris Buxton wrote:
 On Sep 27, 2010, at 1:03 PM, Christopher Cain wrote:
 
 
 Hi all.
 
 I am setting up a new appliance-based DNS solution that will contain a 
 fair number of separately managed Windows DNS slave servers (in addition 
 to the DNS appliances that will handle the .
 
 Currently there are just over 8000 host records that resolve to IP's in 
 the 10.x.x.x space.  I am wrestling with whether or not I should create a 
 single 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. - 
 0.10.in-addr.arpa to 255.10.in-addr.arpa).
 
 The reason I want to encompass the entire 10 space is so new arpa zones 
 will not have to be defined on all servers (specifically on the Windows 
 slaves) if a new part of the 10 space is used at some point.
 
 Any recommendations or comments would be greatly appreciated.
 
 There's nothing wrong with a single 10.in-addr.arpa zone. If you need to 
 break it up amongst different master servers, a 10.in-addr.arpa zone can 
 still be used to delegate child zones to their respective servers.
 
 You might break it up if, for example, the DDNS traffic from DHCP clients 
 across the enterprise would be too much for one master server to 
 accommodate. The BIND name server writes to its journal file 
 synchronously, for every update, and this can be quite a bottleneck. (The 
 same is true for slave servers, which keep a journal file for zone 
 transfers in order to service IXFR requests sent to them.)
 
 Regards,
 Chris Buxton
 BlueCat Networks
 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread donovan jeffrey j

On Sep 27, 2010, at 4:03 PM, Christopher Cain wrote:

 Hi all.
 
 I am setting up a new appliance-based DNS solution that will contain a fair 
 number of separately managed Windows DNS slave servers (in addition to the 
 DNS appliances that will handle the .
 
 Currently there are just over 8000 host records that resolve to IP's in the 
 10.x.x.x space.  I am wrestling with whether or not I should create a single 
 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. - 
 0.10.in-addr.arpa to 255.10.in-addr.arpa).
 
 The reason I want to encompass the entire 10 space is so new arpa zones will 
 not have to be defined on all servers (specifically on the Windows slaves) if 
 a new part of the 10 space is used at some point.
 
 Any recommendations or comments would be greatly appreciated.

Hi Chris,

I run a number of internal clients on 10 address space. What I did was break up 
each zone into class B's (10.1.x.x, 10.2.x.x), then my forward and reverse files 
into class C's. Each record 10.1.1.x, 10.1.2.x, 10.1.3.x, ... then scale as 
needed, providing the means to add forward and reverse to any address within 
that address space.

Here is a sample; note the sub folders for sanity's sake.

## my LAB 
## 10.153 #

// one reverse zone per /24 under 10.153.0.0/16; zone names and file names are quoted strings
zone "1.153.10.in-addr.arpa" IN {
    file "/var/named/in-arpa-10/153/in-arpa.my-lab1.db";
    type master;
};
zone "2.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab2.db";
};

zone "3.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab3.db";
};

zone "4.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab4.db";
};

zone "5.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab5.db";
};

zone "6.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab6.db";
};

zone "7.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab7.db";
};

zone "8.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab8.db";
};

zone "9.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab9.db";
};

zone "10.153.10.in-addr.arpa" IN {
    type master;
    file "/var/named/in-arpa-10/153/in-arpa.my-lab10.db";
};


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
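An added worked example, not from any poster in this thread, of the arithmetic behind the two layouts being compared: it derives in-addr.arpa zone names for /8, /16 and /24 prefixes, finds which configured zone (if any) holds the PTR for a given address, and generates per-/24 zone stanzas in the sub-folder-per-/16 layout of the sample above. The base_dir and label arguments mirror the sample's paths and are assumptions; everything else is standard-library Python.

```python
import ipaddress
from typing import Iterable, List, Optional


def reverse_zone(prefix: str) -> str:
    """in-addr.arpa zone name for an IPv4 prefix cut on an octet boundary (/8, /16, /24)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zones in this layout are cut on octet boundaries only")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(addr: str) -> str:
    """Owner name of the PTR record for one address, e.g. 42.7.153.10.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer


def serving_zone(addr: str, zones: Iterable[str]) -> Optional[str]:
    """Most specific configured zone holding the PTR for addr, or None when no zone
    covers it (the gap the OP worries about when a new part of 10/8 comes into use)."""
    name = ptr_owner_name(addr)
    best = None
    for z in zones:
        if name.endswith("." + z) and (best is None or len(z) > len(best)):
            best = z
    return best


def zone_stanzas(prefix_16: str, third_octets: Iterable[int], base_dir: str, label: str) -> List[str]:
    """named.conf zone stanzas for per-/24 reverse zones under one /16, one file per
    zone in a sub folder named after the second octet (base_dir and label are assumptions)."""
    net = ipaddress.ip_network(prefix_16, strict=True)
    a, b = str(net.network_address).split(".")[:2]
    out = []
    for n in third_octets:
        zone = reverse_zone(f"{a}.{b}.{n}.0/24")
        out.append(
            f'zone "{zone}" IN {{\n'
            f"    type master;\n"
            f'    file "{base_dir}/{b}/in-arpa.{label}{n}.db";\n'
            "};"
        )
    return out


if __name__ == "__main__":
    # constructed input: the ten /24s from the sample above
    print("\n\n".join(zone_stanzas("10.153.0.0/16", range(1, 11), "/var/named/in-arpa-10", "my-lab")))
```

With a single 10.in-addr.arpa zone configured, serving_zone never returns None for a 10.x.x.x address; with only per-/24 zones it does as soon as an unplanned /24 appears, which is the trade-off discussed in the thread.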


Re: Is 10.in-addr.arpa not recommended?

2010-09-27 Thread Sten Carlsen


On 28/09/10 2:08, Chris Buxton wrote:
 On Sep 27, 2010, at 4:43 PM, Sten Carlsen wrote:

 Well, it depends on your clients. If they don't like .0 or .255, you
 would have to have a rather large amount of ranges.

 E.g. range 10.1.1.1 10.1.1.254; range 10.1.2.1 10.1.2.254; ..

 If OTOH you don't have any of those clients, other factors like
 hashing algorithms and sizes come into play. This was recently
 discussed on the list, so there should be information about the
 optimal way to slice the address range from that point of view in the
 archives. 

 I think you're still thinking of this as a DHCP issue. DHCP was not
 mentioned by the OP, and this is not the DHCP Users list. We're not
 talking about an actual network of 10/8, we're talking about a DNS
 zone of 10.in-addr.arpa. There are no hashing algorithm or size issues
 at play, because we're not talking about DHCP.
Sorry, reading too fast. My fault.

 From a pure BIND/DNS perspective, there's nothing wrong with a
 10.in-addr.arpa zone, either as a container of PTR records, a starting
 point for resolution (meaning it contains lots of delegations), or a
 mix of both.

 Regards,
 Chris Buxton
 BlueCat Networks

 On 28/09/10 1:08, Warren Kumari wrote:
 On Sep 27, 2010, at 6:55 PM, Sten Carlsen wrote:

 While a single zone is perfectly fine from a standards point of view, 
 some clients might be served addresses they don't like 10.x.x.0 and 
 10.x.x.255.

 But that would be DHCP config, no?


 Just a reminder that this could be a reason if something appears weird.
 Fair 'nuff,

 W
 On 27/09/10 23:07, Chris Buxton wrote:
 On Sep 27, 2010, at 1:03 PM, Christopher Cain wrote:


 Hi all.

 I am setting up a new appliance-based DNS solution that will contain a 
 fair number of separately managed Windows DNS slave servers (in addition 
 to the DNS appliances that will handle the .

 Currently there are just over 8000 host records that resolve to IP's in 
 the 10.x.x.x space.  I am wrestling with whether or not I should create 
 a single 10.in-addr.arpa zone or if I should create 256 /16 zones (i.e. 
 - 0.10.in-addr.arpa to 255.10.in-addr.arpa).

 The reason I want to encompass the entire 10 space is so new arpa zones 
 will not have to be defined on all servers (specifically on the Windows 
 slaves) if a new part of the 10 space is used at some point.

 Any recommendations or comments would be greatly appreciated.

 There's nothing wrong with a single 10.in-addr.arpa zone. If you need to 
 break it up amongst different master servers, a 10.in-addr.arpa zone can 
 still be used to delegate child zones to their respective servers.

 You might break it up if, for example, the DDNS traffic from DHCP clients 
 across the enterprise would be too much for one master server to 
 accommodate. The BIND name server writes to its journal file 
 synchronously, for every update, and this can be quite a bottleneck. (The 
 same is true for slave servers, which keep a journal file for zone 
 transfers in order to service IXFR requests sent to them.)

 Regards,
 Chris Buxton
 BlueCat Networks



-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!! 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users