Re: RFC 6303 and bind 9.9.0
In article , Chris Thompson wrote:

> On Mar 1 2012, Spain, Dr. Jeffry A. wrote:
>
> [...]
>
> > Also I see that bind 9.9.0 uses built-in root hints if those are not
> > explicitly configured.
>
> That has been true since BIND 9.2.
>
> > If the root hints are updated on ftp://rs.internic.net/domain/, would it
> > require a new build of bind to incorporate them, or is bind able to update
> > its built-in root hints by some other means?
>
> No, it requires a rebuild after changing lib/dns/rootns.c. But using a
> mildly out-of-date hints file is usually harmless - it is only a *hint*.

Right. One of the first things BIND does after starting up is query one of
the root servers to get the current set of root servers. So the only
potential problem would be if someone were to hijack one (or more) of the
root servers and make it give out a bogus answer.

-- 
Barry Margolin
Arlington, MA

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: RFC 6303 and bind 9.9.0
On Mar 1 2012, Spain, Dr. Jeffry A. wrote:

[...]

> Also I see that bind 9.9.0 uses built-in root hints if those are not
> explicitly configured.

That has been true since BIND 9.2.

> If the root hints are updated on ftp://rs.internic.net/domain/, would it
> require a new build of bind to incorporate them, or is bind able to update
> its built-in root hints by some other means?

No, it requires a rebuild after changing lib/dns/rootns.c. But using a
mildly out-of-date hints file is usually harmless - it is only a *hint*.

[Having said that, I admit I specify an explicit root hints file and keep
it up to date in most of my own nameserver configurations.]

-- 
Chris Thompson
Email: c...@cam.ac.uk
RE: RFC 6303 and bind 9.9.0
> In my named.conf I have set up empty zones for the whole of 240/4. I view RFC
> 6303 as the minimum necessary for a hygienic name server, but there are a
> number of other permanent bogon address ranges which it makes sense to stub
> out locally.

Would you please elaborate on how you are managing your bogon-related empty
zones. According to http://www.team-cymru.org/Services/Bogons/bgp.html, there
are 5500 IPv4 and 49000 IPv6 bogon prefixes.

Thanks. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
RE: RFC 6303 and bind 9.9.0
> > Just for clarification, do I understand correctly that if none of the
> > empty zones described in RFC 6303 are set up explicitly in the bind
> > 9.9.0 configuration file, then bind 9.9.0 will process them as such
> > anyway using built-in generic zone processing rules?
>
> Yes. To expand a bit on Mark's answer, all of the namespaces covered by RFC
> 6303 have built-in empty zones in BIND 9.9, and these zones are activated by
> default in any view that supports recursion. No configuration should be
> necessary.
>
> If you want to set up reverse DNS for a private network in a nonroutable
> address space, you can go ahead and do so; zones that you configure override
> the built-in zones.

Thanks. This works as you say if I remove the explicit configuration for the
empty zones, as verified by adding the option 'zone-statistics yes;' and
running 'rndc stats'.

Also I see that bind 9.9.0 uses built-in root hints if those are not
explicitly configured. If the root hints are updated on
ftp://rs.internic.net/domain/, would it require a new build of bind to
incorporate them, or is bind able to update its built-in root hints by some
other means?

Finally it appears that aside from the built-in empty zones, a forward lookup
zone for 'localhost.' is still required to prevent bind from attempting to
resolve this name over the Internet. Reverse lookup zones for 127.0.0.1 and
::1 are also required if it is necessary to resolve those addresses to the
name 'localhost.' Is it still considered a best practice to explicitly
configure these localhost-related zones on recursive resolvers? I see this
point addressed in RFC 1912, but don't see anything in RFC 5735 and RFC 6303,
which have superseded it.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: Anycast DNS
In article , sth...@nethelp.no wrote:

> > > Have seen some anycast DNS implementations using more than one address,
> > > sometimes even on the same subnet, any considerations or reasons for
> > > doing that?
> >
> > We do that.
> >
> > We use two different, independent methods to route traffic to the IPs.
> > We feel this provides a greater degree of resilience.
>
> More than one address also lets you do some load balancing or traffic
> steering, if that is desirable.
>
> (E.g.: Anycast group 1 announces prefix 1 with localpref 110, prefix 2
> with localpref 120. Anycast group 2 announces prefix 1 with localpref
> 120, prefix 2 with localpref 110.)
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no

I was at BBN Planet/Genuity when we came up with the 4.2.2.{1,2,3} scheme.
Were we the first major ISP to deploy anycast DNS (it was the late 90's)?
I don't know if it's still the same since Level(3) took over, but here's how
we did it.

There were around 15 4.2.2.1 locations, collocated with the major hubs of
our routing network. These were intended to be the primary servers our
customers used. There were about a half dozen 4.2.2.2 machines, spread
evenly around the network. And one or two 4.2.2.3 machines, as the final
resort if these were all down.

When I was there (until 2003), we didn't have any software that would
monitor BIND on the nameserver and withdraw the route automatically if it
went down. We just had static routes on the upstream router; if a server
went down, the NOCC had to reconfigure the router to take it out of anycast.
So we depended on clients timing out and failing over to the backup
resolver IPs.

-- 
Barry Margolin
Arlington, MA
Re: Anycast DNS
> > Have seen some anycast DNS implementations using more than one address,
> > sometimes even on the same subnet, any considerations or reasons for
> > doing that?
>
> We do that.
>
> We use two different, independent methods to route traffic to the IPs.
> We feel this provides a greater degree of resilience.

More than one address also lets you do some load balancing or traffic
steering, if that is desirable.

(E.g.: Anycast group 1 announces prefix 1 with localpref 110, prefix 2
with localpref 120. Anycast group 2 announces prefix 1 with localpref
120, prefix 2 with localpref 110.)

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Anycast DNS
On 29/02/12 03:55, ju wusuo wrote:
> Have seen some anycast DNS implementations using more than one address,
> sometimes even on the same subnet, any considerations or reasons for
> doing that?

We do that.

We use two different, independent methods to route traffic to the IPs.
We feel this provides a greater degree of resilience.
Re: rndc status number of zones
That should be it. And that's probably why adding and removing the custom
root.hints file does not change the count: when enabled it's the one counted,
and when disabled, the built-in one is counted.

Thanks.
ena

On Thu, Mar 1, 2012 at 2:41 PM, Mark Andrews wrote:
>
> Built-in root hints zones with class IN.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: RFC 6303 and bind 9.9.0
Spain, Dr. Jeffry A. wrote:
> Which of these alternative empty zones should be used in the current DNS
> environment and why?

In my named.conf I have set up empty zones for the whole of 240/4. I view RFC
6303 as the minimum necessary for a hygienic name server, but there are a
number of other permanent bogon address ranges which it makes sense to stub
out locally.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fisher: West or southwest, veering east or northeast, 4 or 5, decreasing 3 at
times. Slight or moderate. Fog patches. Moderate, occasionally very poor.
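Stubbing out "the whole of 240/4" means sixteen reverse zones (240.in-addr.arpa through 255.in-addr.arpa), and every other bogon range has to be broken down the same way, at octet boundaries for in-addr.arpa and at nibble boundaries for ip6.arpa. The script below is an added example, not code from this thread, from ISC or from Tony's configuration: it converts a list of prefixes into the exact set of covering reverse zones and emits one BIND zone statement per zone. The prefix list and the path /etc/bind/db.empty are assumptions; db.empty must hold the SOA and NS records an empty zone needs, as the distribution-supplied empty zone files do. Because explicitly configured zones override BIND's built-in ones (see the RFC 6303 discussion above), listing a range that BIND already covers is harmless. Feed it the handful of permanent ranges, not the thousands of prefixes on the Team Cymru full bogon list: those change daily and would need a reload every time an allocation moves.

```python
"""Generate BIND empty (reverse) zone statements covering bogon prefixes.

Added example, not part of the thread. Each prefix is split into the
smallest set of label-aligned reverse zones that exactly covers it.
"""
import ipaddress

# Constructed input for the example. 240/4 is the range from the thread; the
# other two are illustrative and depend on local policy.
BOGON_PREFIXES = [
    "240.0.0.0/4",     # reserved (former Class E)
    "100.64.0.0/10",   # shared address space; only if you do not use it yourself
    "2001:db8::/32",   # documentation prefix
]

EMPTY_ZONE_FILE = "/etc/bind/db.empty"   # assumed path; must contain SOA and NS


def reverse_zones(prefix):
    """Return the reverse-DNS zone names that exactly cover `prefix`.

    IPv4 zones are cut at 8-bit (octet) boundaries under in-addr.arpa, IPv6
    zones at 4-bit (nibble) boundaries under ip6.arpa, so a /4 yields 16 /8
    zones and a /29 yields 8 /32 zones. Host bits set in the prefix are an
    error (strict=True) rather than silently masked off.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    suffix = "in-addr.arpa" if net.version == 4 else "ip6.arpa"

    # Round the prefix length up to the next label boundary.
    zone_len = -(-net.prefixlen // bits_per_label) * bits_per_label
    labels = zone_len // bits_per_label

    if zone_len == net.prefixlen:
        subnets = [net]                        # already label-aligned
    else:
        subnets = net.subnets(new_prefix=zone_len)

    zones = []
    for sub in subnets:
        if net.version == 4:
            parts = str(sub.network_address).split(".")[:labels]
        else:
            # exploded form gives 32 fixed nibbles, e.g. 2001:0db8:0000:...
            parts = list(sub.network_address.exploded.replace(":", "")[:labels])
        zones.append(".".join(reversed(parts)) + "." + suffix)
    return zones


def empty_zone_config(prefixes, zone_file=EMPTY_ZONE_FILE):
    """Render one `zone` statement per covering zone, deduplicated.

    Duplicate names (two prefixes mapping to the same zone) would make
    named refuse to load the configuration, so each name is emitted once.
    """
    seen = set()
    stmts = []
    for prefix in prefixes:
        for zone in reverse_zones(prefix):
            if zone in seen:
                continue
            seen.add(zone)
            stmts.append('zone "%s" { type master; file "%s"; notify no; };'
                         % (zone, zone_file))
    return "\n".join(stmts)


if __name__ == "__main__":
    print(empty_zone_config(BOGON_PREFIXES))
```

After including the generated file in named.conf, the count reported by "rndc status" should go up by exactly the number of statements emitted, which is a quick way to confirm nothing collided with a zone you already had.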
Re: rndc status number of zones
On Thu, Mar 1, 2012 at 2:27 PM, Matthew Seaman
<m.sea...@infracaninophile.co.uk> wrote:
> On 01/03/2012 12:10, Emil Natan wrote:
> > On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman
> > <m.sea...@infracaninophile.co.uk> wrote:
> >
> > > On 01/03/2012 11:20, Emil Natan wrote:
> > > > Do any of you experience the same issue? Any ideas what I'm missing or
> > > > what's wrong?
> > >
> > > Automatic empty zones?
> > >
> >
> > Thanks for the input. It seems you are right, adding "recursion no;" to
> > named.conf which disables the automatic empty zones, reduces the number of
> > zones to what I expect +1, which means named.conf with no "zone"
> > statements, "rndc status" returns "number of zones: 1", when I have 7 zone
> > statements, the number returned is 8. So I'm still missing something. Any
> > ideas?
>
> Try:
>
>     zone-statistics yes;
>
> and then dumping statistics, or looking at the XML statistics output.
> In fact, there are 4 extra zones in the _bind view I'd expect you to see
> as well as your configured zones:
>
> [version.bind (view: _bind)]
> [hostname.bind (view: _bind)]
> [authors.bind (view: _bind)]
> [id.server (view: _bind)]

I always add "hostname none;" and "version none;", so I believe that's the
reason I do not see what you have expected.

Here is the statistics file:

+++ Statistics Dump +++ (1330605355)
++ Incoming Requests ++
++ Incoming Queries ++
++ Outgoing Queries ++
[View: default]
                  37 A
                  37 NS
                 172
[View: _bind]
++ Name Server Statistics ++
++ Zone Maintenance Statistics ++
                   1 IPv4 notifies sent
++ Resolver Statistics ++
[Common]
[View: default]
                 182 IPv4 queries sent
                  64 IPv6 queries sent
                 238 query retries
                 174 query timeouts
                   1 IPv4 NS address fetches
                   6 IPv6 NS address fetches
[View: _bind]
++ Cache DB RRsets ++
[View: default]
[View: _bind (Cache: _bind)]
++ Socket I/O Statistics ++
                 185 UDP/IPv4 sockets opened
                  65 UDP/IPv6 sockets opened
                   3 TCP/IPv4 sockets opened
                   1 TCP/IPv6 sockets opened
                 183 UDP/IPv4 sockets closed
                  64 UDP/IPv6 sockets closed
                  15 TCP/IPv4 sockets closed
                  64 UDP/IPv6 socket connect failures
                 182 UDP/IPv4 connections established
                  16 TCP/IPv4 connections accepted
                  64 UDP/IPv6 send errors
++ Per Zone Query Statistics ++
--- Statistics Dump --- (1330605355)

ena

> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
>                                                 Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
> JID: matt...@infracaninophile.co.uk             Kent, CT11 9PW
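The check suggested in this thread (and used by Jeffry Spain in the RFC 6303 thread above to confirm that the built-in empty zones are active) is to enable zone-statistics, run "rndc stats" and read the "[zone (view: name)]" headers under "Per Zone Query Statistics" in the statistics file. The dump posted here has that section empty, so the script below, an added example that is not from the thread or from ISC, parses a constructed dump in the same format and accounts for every zone "rndc status" would count: the ones from named.conf, the built-in reverse zones under in-addr.arpa/ip6.arpa, and the CHAOS-class zones in the _bind view. The sample dump and the zone names in it are constructed for the example. The "." hint zone is counted by "rndc status" whether it is built in or loaded from a file (Mark's reply); if it does not show up in the per-zone section, account for it separately.

```python
"""Account for the zones behind "rndc status: number of zones".

Added example, not part of the thread. Parses the "Per Zone Query
Statistics" section of a BIND statistics dump and classifies each zone.
"""
import re

# Constructed sample dump in the layout of the thread's file; the zone
# names and counters are invented for the example.
SAMPLE_DUMP = """\
+++ Statistics Dump +++ (1330605355)
++ Incoming Requests ++
                  40 QUERY
++ Per Zone Query Statistics ++
[net.ttt (view: default)]
                  12 queries resulted in successful answer
[vvv.ttt (view: default)]
                   3 queries resulted in successful answer
[10.in-addr.arpa (view: default)]
                   5 queries resulted in NXDOMAIN
[127.in-addr.arpa (view: default)]
                   1 queries resulted in NXDOMAIN
[version.bind (view: _bind)]
                   2 queries resulted in successful answer
[hostname.bind (view: _bind)]
                   0 queries resulted in successful answer
--- Statistics Dump --- (1330605355)
"""

ZONE_HEADER = re.compile(r"^\[(?P<zone>\S+) \(view: (?P<view>\S+)\)\]$")


def zones_by_view(dump_text):
    """Return {view: [zone, ...]} from the per-zone section, in file order.

    Section headers start with "++ "; the dump ends at "--- Statistics
    Dump". Only the zone headers are read, the counters are skipped.
    """
    result = {}
    in_section = False
    for line in dump_text.splitlines():
        if line.startswith("++ "):
            in_section = line.startswith("++ Per Zone Query Statistics ++")
            continue
        if line.startswith("--- Statistics Dump"):
            break
        if not in_section:
            continue
        m = ZONE_HEADER.match(line)
        if m:
            result.setdefault(m.group("view"), []).append(m.group("zone"))
    return result


def classify(zones_per_view, configured):
    """Split the zones into the categories the thread identifies.

    `configured` is the set of zone names from named.conf (lowercase, no
    trailing dot). Zones in the _bind view are the CHAOS-class
    version.bind/hostname.bind/authors.bind/id.server zones; unconfigured
    zones under in-addr.arpa or ip6.arpa are BIND's built-in empty zones.
    Anything else is reported so it can be investigated.
    """
    counts = {"configured": 0, "builtin_reverse": 0, "chaos": 0, "other": 0}
    unexpected = []
    for view, zones in zones_per_view.items():
        for zone in zones:
            name = zone.lower().rstrip(".")
            if view == "_bind":
                counts["chaos"] += 1
            elif name in configured:
                counts["configured"] += 1
            elif name.endswith((".in-addr.arpa", ".ip6.arpa")):
                counts["builtin_reverse"] += 1
            else:
                counts["other"] += 1
                unexpected.append((view, zone))
    return counts, unexpected


def total_zones(zones_per_view):
    """Number of zones seen in the dump, to compare with rndc status."""
    return sum(len(z) for z in zones_per_view.values())


if __name__ == "__main__":
    per_view = zones_by_view(SAMPLE_DUMP)
    counts, unexpected = classify(per_view, {"net.ttt", "vvv.ttt"})
    print(counts, "total:", total_zones(per_view))
    for view, zone in unexpected:
        print("unexplained zone %s in view %s" % (zone, view))
```

With "hostname none;" and "version none;" set, as Emil has, the _bind view contributes fewer zones; with "empty-zones-enable no;" or "recursion no;" the builtin_reverse count drops to zero, which is the behaviour observed earlier in the thread.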
Re: rndc status number of zones
Built-in root hints zones with class IN.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: rndc status number of zones
It's really a more elegant way to disable the empty zones. Thanks.

On Thu, Mar 1, 2012 at 2:14 PM, Flex Banana wrote:
> I think you want to use
>
> options {
>     empty-zones-enable no;
> };
>
> in your named.conf configuration file to disable all empty zones.
>
> Look at the DNS and BIND reference from Cricket Liu
>
> ciao!
> Banana
>
> On Mar 1, 2012, at 1:10 PM, Emil Natan wrote:
>
> > On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman
> > <m.sea...@infracaninophile.co.uk> wrote:
> > > On 01/03/2012 11:20, Emil Natan wrote:
> > > > Do any of you experience the same issue? Any ideas what I'm missing or
> > > > what's wrong?
> > >
> > > Automatic empty zones?
> >
> > Thanks for the input. It seems you are right, adding "recursion no;" to
> > named.conf which disables the automatic empty zones, reduces the number of
> > zones to what I expect +1, which means named.conf with no "zone"
> > statements, "rndc status" returns "number of zones: 1", when I have 7 zone
> > statements, the number returned is 8. So I'm still missing something. Any
> > ideas?
> >
> > ena
> >
> > > Cheers,
> > >
> > > Matthew
> > >
> > > --
> > > Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
> > >                                                 Flat 3
> > > PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
> > > JID: matt...@infracaninophile.co.uk             Kent, CT11 9PW
Re: rndc status number of zones
On 01/03/2012 12:10, Emil Natan wrote:
> On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman
> <m.sea...@infracaninophile.co.uk> wrote:
>
> > On 01/03/2012 11:20, Emil Natan wrote:
> > > Do any of you experience the same issue? Any ideas what I'm missing or
> > > what's wrong?
> >
> > Automatic empty zones?
> >
>
> Thanks for the input. It seems you are right, adding "recursion no;" to
> named.conf which disables the automatic empty zones, reduces the number of
> zones to what I expect +1, which means named.conf with no "zone"
> statements, "rndc status" returns "number of zones: 1", when I have 7 zone
> statements, the number returned is 8. So I'm still missing something. Any
> ideas?

Try:

    zone-statistics yes;

and then dumping statistics, or looking at the XML statistics output.
In fact, there are 4 extra zones in the _bind view I'd expect you to see
as well as your configured zones:

[version.bind (view: _bind)]
[hostname.bind (view: _bind)]
[authors.bind (view: _bind)]
[id.server (view: _bind)]

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
                                                Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
JID: matt...@infracaninophile.co.uk             Kent, CT11 9PW
Re: rndc status number of zones
I think you want to use

options {
    empty-zones-enable no;
};

in your named.conf configuration file to disable all empty zones.

Look at the DNS and BIND reference from Cricket Liu

ciao!
Banana

On Mar 1, 2012, at 1:10 PM, Emil Natan wrote:

> On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman
> <m.sea...@infracaninophile.co.uk> wrote:
> > On 01/03/2012 11:20, Emil Natan wrote:
> > > Do any of you experience the same issue? Any ideas what I'm missing or
> > > what's wrong?
> >
> > Automatic empty zones?
>
> Thanks for the input. It seems you are right, adding "recursion no;" to
> named.conf which disables the automatic empty zones, reduces the number of
> zones to what I expect +1, which means named.conf with no "zone" statements,
> "rndc status" returns "number of zones: 1", when I have 7 zone statements,
> the number returned is 8. So I'm still missing something. Any ideas?
>
> ena
>
> > Cheers,
> >
> > Matthew
> >
> > --
> > Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
> >                                                 Flat 3
> > PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
> > JID: matt...@infracaninophile.co.uk             Kent, CT11 9PW
Re: rndc status number of zones
On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman
<m.sea...@infracaninophile.co.uk> wrote:
> On 01/03/2012 11:20, Emil Natan wrote:
> > Do any of you experience the same issue? Any ideas what I'm missing or
> > what's wrong?
>
> Automatic empty zones?
>

Thanks for the input. It seems you are right, adding "recursion no;" to
named.conf which disables the automatic empty zones, reduces the number of
zones to what I expect +1, which means named.conf with no "zone" statements,
"rndc status" returns "number of zones: 1", when I have 7 zone statements,
the number returned is 8. So I'm still missing something. Any ideas?

ena

> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
>                                                 Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
> JID: matt...@infracaninophile.co.uk             Kent, CT11 9PW
Re: rndc status number of zones
On 01/03/2012 11:20, Emil Natan wrote:
> Do any of you experience the same issue? Any ideas what I'm missing or
> what's wrong?

Automatic empty zones?

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
                                                Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
JID: matt...@infracaninophile.co.uk             Kent, CT11 9PW
Re: Anycast DNS
On 01/03/12 03:40, Beavis wrote:
> Just want to piggyback on this topic: is there any documentation available
> online that shows a deployment guideline for Anycast?

There's not much to it:

1. Create the anycast IP on your servers
2. Route the anycast IP to your servers
3. Make bind listen on the anycast IP

1 & 3 are easy. 2 can be accomplished using a very wide variety of methods.

We use BGP, with a locally-created BGP speaker that checks port 53 for a
reply and advertises/withdraws the route dynamically, but exabgp would be my
recommendation, since it has a built-in facility to announce/withdraw routes
via a "watchdog" script - see pages 5 & 6 of:
http://thomas.mangin.com/data/pdf/Linx%2074%20-%20Mangin%20-%20BGP.pdf

Alternatively you could use OSPF with Zebra/Quagga/Whatever. For example:
http://www.digriz.org.uk/ha-ospf-anycast

Cisco IP SLA probes, with "track" static routes are another option.

Or, if you don't care about dynamically withdrawing the route when bind goes
away, just plain static routes.
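Step 2 with dynamic withdrawal is where the engineering is. Barry's post earlier in this thread describes the failure mode of static routes: a dead server keeps attracting traffic until the NOCC removes it, and clients sit through timeouts. The script below is an added example, not code from this thread, from exabgp or from the poster's BGP speaker: it is the "watchdog" process the exabgp recommendation refers to. It sends a real DNS query to the anycast address for a name the local named must answer authoritatively, and prints "announce route ... next-hop self" or "withdraw route ... next-hop self" on stdout, which is the text form of exabgp's API. The prefix 192.0.2.53/32, the probe name "localhost." (assuming the localhost zone discussed in the RFC 6303 thread is configured) and the timings are assumptions; the exabgp configuration stanza that runs the process differs between exabgp versions and is not shown here. Two design points: the probe checks the DNS response code rather than just "something answered on port 53", so a named that is up but returning SERVFAIL or REFUSED gets withdrawn; and the route is withdrawn only after several consecutive failures, so one lost UDP packet does not flap the announcement.

```python
"""Anycast health-check watchdog for an exabgp 'process'.

Added example, not from the thread. Probes the anycast address with a
real DNS query and emits exabgp API commands on state changes.
"""
import os
import socket
import struct
import sys
import time

ANYCAST_PREFIX = "192.0.2.53/32"     # assumed anycast service prefix
PROBE_TARGET = ("192.0.2.53", 53)    # assumed: probe the anycast address bound locally (IPv4)
PROBE_NAME = "localhost."            # assumed: a zone this server must answer authoritatively
INTERVAL = 2.0                       # seconds between probes
FAILS_TO_WITHDRAW = 3                # consecutive failures before withdrawing


def build_query(name, qid, qtype=1):
    """Encode a minimal DNS query: 12-byte header, QNAME, QTYPE, QCLASS IN.

    RD is left clear: the target is authoritative for the probe name, so a
    recursive lookup is neither wanted nor a valid sign of health.
    """
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, qid):
    """True if `data` is a response to our query id with a healthy rcode.

    NOERROR (0) and NXDOMAIN (3) both prove named is alive and answering
    from its zone data. SERVFAIL, REFUSED, a wrong id, a packet with the
    QR bit clear or a truncated header all count as failure.
    """
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid or not flags & 0x8000:
        return False
    return (flags & 0x000F) in (0, 3)


def probe(target, name, timeout=1.0):
    """Send one UDP query and evaluate the reply; any error is a failure."""
    qid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), target)
        data, _ = sock.recvfrom(512)
        return parse_response(data, qid)
    except (socket.timeout, OSError):
        return False
    finally:
        sock.close()


def decide(healthy, announced, fail_count, fails_to_withdraw, prefix):
    """One step of the announce/withdraw state machine.

    Returns (command or None, announced, fail_count). Announce on the
    first success; withdraw only after `fails_to_withdraw` consecutive
    failures so a single dropped packet does not flap the route.
    """
    if healthy:
        if not announced:
            return "announce route %s next-hop self" % prefix, True, 0
        return None, True, 0
    fail_count += 1
    if announced and fail_count >= fails_to_withdraw:
        return "withdraw route %s next-hop self" % prefix, False, fail_count
    return None, announced, fail_count


def main():
    announced, fails = False, 0
    while True:
        ok = probe(PROBE_TARGET, PROBE_NAME)
        cmd, announced, fails = decide(ok, announced, fails,
                                       FAILS_TO_WITHDRAW, ANYCAST_PREFIX)
        if cmd:
            sys.stdout.write(cmd + "\n")
            sys.stdout.flush()   # exabgp reads stdout line by line; do not buffer
        time.sleep(INTERVAL)


if __name__ == "__main__":
    main()
```

Start with the route withdrawn (announced = False) so a freshly booted server only attracts traffic once named has actually answered; and probe the anycast address itself, not 127.0.0.1, so a missing listen-on for that address is caught as well.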
rndc status number of zones
Hi list,

I have a test environment with 3 VMs running different versions of BIND -
9.7.3-P3, 9.8.1-P1 and 9.9.0rc1. On all 3 machines "rndc status" reports
unrealistic "number of zones:". For example, when the zones configured at
named.conf are 3, the number reported is "number of zones: 18" and when the
zones are 7, then I get "number of zones: 41".

Here is my "named.zones" configuration file, part of named.conf (included
into it). There are no other "zone" statements in named.conf:

== named.zones ===
zone "." {
    type hint;
    file "/etc/root.hints";
};

zone "net.ttt" {
    type master;
    file "net.ttt.zone";
};

zone "vvv.ttt" {
    type master;
    file "vvv.ttt.zone";
    notify explicit;
    also-notify { 10.0.130.118; };
    allow-transfer { 10.0.130.118; };
};
=

If I comment the "zone . { ... };" part and then reconfig/reload/restart, the
number reported by "rndc status" remains unchanged. If I comment any other
zone statement, the number reported decreases accordingly; when all are
commented, the number reported is 16.

Do any of you experience the same issue? Any ideas what I'm missing or what's
wrong?

Thanks,
ena