Re: Efficacy of using short timeout values for an A record
On 2/14/2012 1:42 PM, Chuck Swiger wrote:
> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. It's probably unreasonable to expect other platforms to refetch DNS records faster than that.

Uh... no. BIND has always respected TTL when caching information.

AlanC
--
a...@clegg.com | 1.919.355.8851

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Efficacy of using short timeout values for an A record
Mac OS X imposes a 60 second minimum on TTLs, or at least it did at one time. I am unaware of any other client OS having such a restriction.

Client software does not always respect TTLs, though. It's entirely possible for a client application to completely ignore the TTL value and continue to connect (and reconnect as needed) to whatever address was first retrieved via the stub resolver.

Regards,
Chris Buxton
BlueCat Networks

On Feb 14, 2012, at 2:59 AM, goran kent wrote:
> Hi,
> I need to set up an A record for a machine whose IP might change unexpectedly, and I need to ensure PCs out there cache it for as short a time as possible:
>
>     host1    300    IN    A    10.10.10.10
>
> Does anyone know whether MS Windows PCs will in fact honour that 300s, then force a re-lookup? Can I use even shorter values? eg, 60?
> I know this will lead to extra DNS traffic, but this is only for this particular case.
> Thanks for any comments.
> Regards
> gk
Re: Efficacy of using short timeout values for an A record
On Feb 14, 2012, at 11:11 AM, Alan Clegg wrote:
> On 2/14/2012 1:42 PM, Chuck Swiger wrote:
>> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. It's probably unreasonable to expect other platforms to refetch DNS records faster than that.
>
> Uh... no. BIND has always respected TTL when caching information.

See http://www.ietf.org/rfc/rfc1035.txt

    The MINIMUM value in the SOA should be used to set a floor on the TTL of data distributed from a zone. This floor function should be done when the data is copied into a response. This will allow future dynamic update protocols to change the SOA MINIMUM field without ambiguous semantics.

...and lib/dns/master.c dns_soa_getminimum() and limit_ttl(). At one point, and I might be dating myself back to the BIND-4.x days, these used to set a minimum floor value of 300 seconds, even if the SOA or per-record TTL was smaller. Maybe that is no longer the case in BIND-9.x and more common use of dynamic updates, but I repeat my observation that it's not reasonable to update DNS at sub-minute intervals and expect all clients to honor such

Regards,
--
-Chuck
Re: Efficacy of using short timeout values for an A record
On Feb 14, 2012, at 11:23 AM, Chuck Swiger wrote:
> On Feb 14, 2012, at 11:11 AM, Alan Clegg wrote:
>> On 2/14/2012 1:42 PM, Chuck Swiger wrote:
>>> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. It's probably unreasonable to expect other platforms to refetch DNS records faster than that.
>>
>> Uh... no. BIND has always respected TTL when caching information.
>
> See http://www.ietf.org/rfc/rfc1035.txt
>
>     The MINIMUM value in the SOA should be used to set a floor on the TTL of data distributed from a zone.

The original question is from the standpoint of the recursive server, not the authoritative server. Yes, BIND 4 imposed a minimum value, but only on authoritative data. Not on cached data.

BIND has (or perhaps had) the ability to impose a minimum TTL on cached data, but most implementations do not enable this. As I recall, the value has to be set in the source code before compiling the binary.

Regards,
Chris Buxton
BlueCat Networks
Re: Query Regarding NSEC RR in DNSSEC
Hello Gaurav,

You might want to have a look at our whitepaper on 'authenticated denial of existence' to gain a better understanding of this somewhat complicated aspect of the DNSSEC specification:

https://www.sidn.nl/fileadmin/docs/PDF-files_UK/wp-2011-0x01-v2.pdf

Regards,
--
Marco

On 02/14/2012 08:18 PM, Chris Buxton wrote:
> Briefly, the answer is, the NXDOMAIN response could be replayed by a man-in-the-middle attacker. We need to have something to sign, something specific to that query. If we just return the zone's SOA record and its signature, we're still subject to a replay attack. So we need to prove the negative, and that happens by enumerating all the possible positive answers near the query.
>
> Regards,
> Chris Buxton
> BlueCat Networks
>
> On Feb 14, 2012, at 9:23 AM, Gaurav kansal wrote:
>> Dear Team,
>> We have an Authenticated Response in DNSSEC through the trust chain. Now my question is why we need an NSEC at all when we get a response from a DNSSEC-enabled server authentically.
>> I mean, if a record exists in DNSSEC, then it replies with the answer along with the RRSIG of that RR. AND if the domain doesn't exist, then it can simply give NXDOMAIN and our job will be done, as we trust that nameserver through the trust chain.
>> So what's the need of NSEC??
>> Thanks n Regards,
>> GAURAV KANSAL
>> 9910118448
>> VoIP - 6259
>> Operation And Routing Unit
>> NIC, NEW DELHI
>> Please don't print this e-mail unless you really need to; it will save trees on Planet Earth.
>> IPv4 is over. Are you ready for the new network?
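The point Chris Buxton makes above, that a signed denial has to be specific to the query so it cannot be replayed against some other name, comes down to the NSEC ordering rule: the record proves nonexistence only for names that sort strictly between its owner and its "next" name in DNSSEC canonical order (RFC 4034 section 6.1). The following is an added illustration of that logic; it is not code from SIDN, ISC or any participant in the thread, and the example.com NSEC chain, the type bitmaps and the query names in it are constructed. Signature verification, wildcard denial and zone cuts, which a full RFC 4035 validator also handles, are left out so that the ordering check stands on its own.

```python
"""Authenticated denial of existence with NSEC, reduced to the ordering
logic. Added illustration for the thread above; not code from SIDN, ISC or
any list participant. Zone contents below are constructed."""


def canonical_key(name):
    """Sort key implementing the DNSSEC canonical name order of RFC 4034
    section 6.1: compare labels from the root leftwards, case-insensitively,
    as unsigned octet strings; a name that is a prefix of another sorts
    first. Python's tuple-of-bytes comparison has exactly those semantics."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if the NSEC record owner -> next_name proves that qname does not
    exist: qname sorts strictly between the two. The last NSEC in a zone
    points back to the apex, so its interval wraps around the end."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n        # wrap-around record (next is the apex)


# Constructed NSEC chain for example.com: (owner, next owner, type bitmap).
# Each tuple stands for one NSEC RR plus the RRSIG a real validator checks
# before trusting it.
NSEC_CHAIN = [
    ("example.com.",      "a.example.com.",    {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("a.example.com.",    "mail.example.com.", {"A", "RRSIG", "NSEC"}),
    ("mail.example.com.", "z.example.com.",    {"A", "MX", "RRSIG", "NSEC"}),
    ("z.example.com.",    "example.com.",      {"AAAA", "RRSIG", "NSEC"}),
]


def deny(chain, qname, qtype):
    """Decide what the authoritative server must prove for a query and which
    NSEC record carries the proof. Returns (status, nsec_owner):
      EXISTS   - name and type are present; a positive answer is due
      NODATA   - the name exists but lacks the type; the NSEC at the name
                 itself, whose type bitmap omits qtype, is the proof
      NXDOMAIN - the name is absent; the NSEC whose interval covers it is
                 the proof (a full RFC 4035 proof also needs wildcard
                 denial, omitted here)"""
    for owner, _next, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            return ("EXISTS" if qtype in types else "NODATA", owner)
    for owner, next_name, _types in chain:
        if nsec_covers(owner, next_name, qname):
            return ("NXDOMAIN", owner)
    raise ValueError("broken NSEC chain: no record covers " + qname)


def validate_denial(presented_owner, presented_next, qname):
    """What a validating resolver does with the NSEC it receives: accept the
    NXDOMAIN only if this particular record covers this particular qname.
    A signed NSEC captured for one name therefore cannot be replayed to deny
    a different name, which is why a bare NXDOMAIN is not enough."""
    return nsec_covers(presented_owner, presented_next, qname)
```

`deny()` plays the authoritative side and `validate_denial()` the resolver side; running `deny(NSEC_CHAIN, "b.example.com.", "A")` selects the `a.example.com.` record, and `validate_denial("a.example.com.", "mail.example.com.", "zz.example.com.")` shows that the same record is rejected when presented for a name outside its interval. Note that the chain enumerates every existing name, which is the zone-walking trade-off NSEC3 was later designed to reduce.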
Re: bind dies with assertion failure
It is a known issue, and is indeed a bug. We're working on it already, so stay tuned.

--Michael

On Feb 14, 2012, at 12:44 PM, Alex wrote:
> Hi,
> I have a fedora16 x86_64 box and named keeps dying with an assertion failure:
>
>     14-Feb-2012 13:24:41.137 general: critical: rbtdb.c:1619: INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed
>     14-Feb-2012 13:24:41.137 general: critical: exiting (due to assertion failure)
>
> This is bind-9.8.2-0.2.rc1.fc16.x86_64.
> Is this a known issue? Is this indeed a bug or perhaps something otherwise wrong with the server? How can I troubleshoot this further?
> Thanks,
> Alex
Re: Efficacy of using short timeout values for an A record
In message 0b215138-0162-4fe0-835a-9fc611a6e...@mac.com, Chuck Swiger writes:
> On Feb 14, 2012, at 2:59 AM, goran kent wrote:
>> I need to set up an A record for a machine whose IP might change unexpectedly, and I need to ensure PCs out there cache it for as short a time as possible:
>>
>>     host1    300    IN    A    10.10.10.10
>>
>> Does anyone know whether MS Windows PCs will in fact honour that 300s, then force a re-lookup? Can I use even shorter values? eg, 60?
>
> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. It's probably unreasonable to expect other platforms to refetch DNS records faster than that.

To the best of my knowledge this is just plain wrong. If an answer had a TTL it was honoured. If a negative answer didn't have a TTL (no SOA record in the authority section) then one was chosen.

> Aside from DNS, you're going to run into layer-2 problems with MAC-to-IP mappings in your switches if you try to move an IP around at sub-minute intervals.
>
> What problem are you actually trying to solve? It's likely that a tool or mechanism like load-balancing onto a pool of boxes would provide a much better solution than expecting to move a box around so rapidly
>
> Regards,
> --
> -Chuck
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Efficacy of using short timeout values for an A record
On Feb 14, 2012, at 2:16 PM, Mark Andrews wrote:
>> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. It's probably unreasonable to expect other platforms to refetch DNS records faster than that.
>
> To the best of my knowledge this is just plain wrong.

Look at BIND-4.8.3 and check named/db_update.c around line 40:

    int min_cache_ttl = (5*60);     /* 5 minute minimum ttl */

...and then:

    fixttl(dp)
        register struct databuf *dp;
    {
        if (dp->d_zone == 0 && !(dp->d_flags & DB_F_HINT)) {
            if (dp->d_ttl <= tt.tv_sec)
                return;
            else if (dp->d_ttl < tt.tv_sec+min_cache_ttl)
                dp->d_ttl = tt.tv_sec+min_cache_ttl;
            else if (dp->d_ttl > tt.tv_sec+max_cache_ttl)
                dp->d_ttl = tt.tv_sec+max_cache_ttl;
        }
        return;
    }

...or check named/ns_req.c around line 720 for the equivalent for a secondary NS:

    if (dp->d_ttl)
        ttl = dp->d_ttl;
    else
        ttl = zp->z_minimum;    /* really default */
    #ifdef notdef   /* don't decrease ttl based on time since verification */
    if (zp->z_type == Z_SECONDARY) {
        /*
         * Set ttl to value received from primary,
         * less time since we verified it (but never
         * less than a small positive value).
         */
        ttl -= tt.tv_sec - zp->z_lastupdate;
        if (ttl <= 0)
            ttl = 120;
    }
    #endif

Regards,
--
-Chuck
Re: Efficacy of using short timeout values for an A record
In message 4a96bb45-eacb-4252-89c6-34061849c...@mac.com, Chuck Swiger writes:
> On Feb 14, 2012, at 2:16 PM, Mark Andrews wrote:
>>> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds. It's probably unreasonable to expect other platforms to refetch DNS records faster than that.
>>
>> To the best of my knowledge this is just plain wrong.

I stand corrected. This was changed in 4.9.3-beta27. It was also a protocol violation.

    516.   [proto]         minimum TTL changes from five minutes to zero seconds.

While ISC may have inherited it (BIND 4.8.3 was UCB CSRG code), we also fixed it. BIND 4.9.3 was the first release by ISC. A more complete history can be found at http://www.isc.org/software/bind/history.

Mark

> Look at BIND-4.8.3 and check named/db_update.c around line 40:
>
>     int min_cache_ttl = (5*60);     /* 5 minute minimum ttl */
>
> ...and then:
>
>     fixttl(dp)
>         register struct databuf *dp;
>     {
>         if (dp->d_zone == 0 && !(dp->d_flags & DB_F_HINT)) {
>             if (dp->d_ttl <= tt.tv_sec)
>                 return;
>             else if (dp->d_ttl < tt.tv_sec+min_cache_ttl)
>                 dp->d_ttl = tt.tv_sec+min_cache_ttl;
>             else if (dp->d_ttl > tt.tv_sec+max_cache_ttl)
>                 dp->d_ttl = tt.tv_sec+max_cache_ttl;
>         }
>         return;
>     }
>
> ...or check named/ns_req.c around line 720 for the equivalent for a secondary NS:
>
>     if (dp->d_ttl)
>         ttl = dp->d_ttl;
>     else
>         ttl = zp->z_minimum;    /* really default */
>     #ifdef notdef   /* don't decrease ttl based on time since verification */
>     if (zp->z_type == Z_SECONDARY) {
>         /*
>          * Set ttl to value received from primary,
>          * less time since we verified it (but never
>          * less than a small positive value).
>          */
>         ttl -= tt.tv_sec - zp->z_lastupdate;
>         if (ttl <= 0)
>             ttl = 120;
>     }
>     #endif
>
> Regards,
> --
> -Chuck
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
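The thread above turns on two pieces of resolver-cache arithmetic: a cached record expires at the time it was cached plus its TTL, so the TTL a client sees counts down between queries, and a floor such as the old BIND 4.8.3 `min_cache_ttl` raises a short authoritative TTL to the floor before that countdown starts. The simulation below is an added illustration of both, written for this thread; it is not code from BIND or from any list participant, and the host name, addresses, TTLs and timings are constructed. `first_sighting()` answers goran kent's practical question directly: given a record TTL, an optional cache floor and the second at which the address changes, how long until a client polling the cache sees the new address.

```python
"""Resolver-cache TTL handling, reduced to the arithmetic the thread argues
about. Added illustration, not code from BIND or from any list participant;
host name, addresses and timings are constructed."""


class ResolverCache:
    """Minimal positive cache keyed by (name, type).

    A record expires at the moment it was cached plus its TTL (RFC 1035,
    RFC 2181), and a lookup reports the remaining TTL, which is why the TTL
    in dig output counts down between queries to the same resolver.
    min_ttl reproduces the BIND 4.8.3 min_cache_ttl floor quoted above
    (0 disables it, matching BIND 4.9.3 and later); max_ttl is the cap that
    modern resolvers apply to implausibly long TTLs."""

    def __init__(self, min_ttl=0, max_ttl=7 * 24 * 3600):
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self.entries = {}

    def store(self, name, rtype, rdata, ttl, now):
        ttl = min(max(ttl, self.min_ttl), self.max_ttl)   # floor, then cap
        self.entries[(name.lower(), rtype)] = (rdata, now + ttl)

    def lookup(self, name, rtype, now):
        """Return (rdata, remaining_ttl), or None on a miss or after expiry."""
        key = (name.lower(), rtype)
        entry = self.entries.get(key)
        if entry is None:
            return None
        rdata, expiry = entry
        if expiry <= now:
            del self.entries[key]
            return None
        return rdata, expiry - now


OLD_ADDR, NEW_ADDR = "10.10.10.10", "10.10.10.11"   # constructed addresses


def authoritative_answer(t, change_at):
    """The zone's view of host1: the address moves at second `change_at`."""
    return OLD_ADDR if t < change_at else NEW_ADDR


def first_sighting(record_ttl, min_ttl, change_at, step=1):
    """Simulate a client that queries its resolver every `step` seconds from
    t=0 and return the first second at which it receives NEW_ADDR. With an
    honest cache the lag is bounded by record_ttl; with a TTL floor it is
    bounded by max(record_ttl, min_ttl) instead."""
    cache = ResolverCache(min_ttl=min_ttl)
    t = 0
    while t <= change_at + max(record_ttl, min_ttl) + step:
        hit = cache.lookup("host1", "A", t)
        if hit is None:                              # expired: refetch
            answer = authoritative_answer(t, change_at)
            cache.store("host1", "A", answer, record_ttl, t)
        else:
            answer = hit[0]
        if answer == NEW_ADDR:
            return t
        t += step
    raise AssertionError("cache never expired; should be unreachable")
```

With a 60 second record and no floor, an address that changes at t=10 is seen by every client at t=60; with the 300 second floor the same change is not seen until t=300, which is the behaviour Chuck Swiger remembered and Mark Andrews dates to before 4.9.3-beta27. The same `lookup()` countdown is what you would check against a real resolver: query twice a few seconds apart, and a TTL that restarts above the authoritative value instead of decreasing indicates a floor somewhere in the path.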
Can i use my custom root hint file
Hi All

For my internal DNS setup I want to create an internal root hint file. Should I follow the pattern of the standard root hint file?

Thanks
Regards
Vishesh Kumar