troubleshooting bind
Hello,

I'm troubleshooting a DNS issue we recently experienced where records were unresolvable, response NXDOMAIN, from the caching DNS server. I flushed the cache using rndc flush and I received the host's IP. There were no errors in the system log so I'm enabling debug logging should it occur again.

I'm still not sure what caused the NXDOMAIN response, so I'm reviewing my BIND config and taking a look at the default values. When configuring BIND for an internal corporate network with a thousand clients should any of the default values be tweaked? I've searched for tuning guidance but I haven't found any yet. I've taken interest in the tcp-clients, max-ncache-ttl, max-cache-ttl, cleaning-interval and max-cache-size values. These are all currently set to default.

I'm guessing in a more volatile network with DHCP and frequent provisioning/deprovisioning of hosts I would want to lower the max-ncache-ttl and max-cache-ttl values. Is this correct?

Regarding the tcp-clients option, where can I find the current connection count and how do I know if I'm coming close to this number? In what type of environment would it be expected to hit the default threshold of 100?

Lastly, if max-cache-size is set to unlimited what happens if BIND consumes all the available memory? Will the Linux kernel terminate the process? How can I find the value of the current cache size?

Mike Marseglia
Network Engineer, CharterCARE
p: 401-456-2331
c: 401-248-4867
e: michael.marseg...@chartercare.org
t: @mmars

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: troubleshooting bind
Hi--

On Apr 9, 2012, at 9:55 AM, Marseglia, Michael wrote:

[ ... ]

> When configuring BIND for an internal corporate network with a thousand clients should any of the default values be tweaked? I've searched for tuning guidance but I haven't found any yet. I've taken interest in the tcp-clients, max-ncache-ttl, max-cache-ttl, cleaning-interval and max-cache-size values. These are all currently set to default.

These are good things to take a look at, yes, although also clients-per-query and max-clients-per-query.

> I'm guessing in a more volatile network with DHCP and frequent provisioning/deprovisioning of hosts I would want to lower the max-ncache-ttl and max-cache-ttl values. Is this correct?

That depends-- if the volatile domain is your domain, and BIND is authoritative for it, then it will be providing AAs directly from zone data, rather than caching responses obtained from some other nameserver. For the most part, it's better for an active domain with frequently changing data to adjust the TTLs for the domain to appropriate values, and let named figure things out from there...but you can only tweak that for the domains you manage.

> Regarding the tcp-clients option, where can I find the current connection count and how do I know if I'm coming close to this number? In what type of environment would it be expected to hit the default threshold of 100?

You can see what active TCP sessions are open via something like:

    netstat -p tcp | grep 53

...and add | wc -l if you want to count them. (You might also want to tweak that a bit to use fgrep .53\  to only match port 53...)

I don't think it's expected that many TCP sessions would be needed, since UDP + EDNS0 works fine for almost all cases, although as DNSSEC becomes more widely adopted it might be the case that more TCP sessions will be used.

> Lastly, if max-cache-size is set to unlimited what happens if BIND consumes all the available memory? Will the linux kernel terminate the process?
> How can I find the value of the current cache size?

Most platforms set up a process datasize limit (commonly set to 1GB or so), after which malloc() and friends will fail to get more memory. The kernel will only terminate processes if the entire system runs out of VM, including swap space, but the system will generally be in an unusable state due to heavy paging/swapping before the kernel OOM killer gets invoked.

Regards,
--
-Chuck
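To make the netstat check discussed in this reply robust (a bare `grep 53` also matches port 5300 or any peer address containing 53), here is an added shell example, not from anyone in the thread, that counts only established TCP sessions whose local port is exactly 53 and compares the count with a tcp-clients limit. The netstat lines below are a constructed sample in the Linux `netstat -tn` column layout.

```shell
#!/bin/sh
# Added example (not from the thread). Counts established TCP sessions on local
# port 53 from netstat-style output and compares them with the tcp-clients limit.

# Constructed sample in the Linux `netstat -tn` layout; on a real server pipe
# `netstat -tn` (or `ss -tn`) into count_dns_tcp instead.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.53:53           198.51.100.7:41002      ESTABLISHED
tcp        0      0 192.0.2.53:53           198.51.100.8:53120      ESTABLISHED
tcp        0      0 192.0.2.53:53           198.51.100.9:40531      TIME_WAIT
tcp        0      0 192.0.2.53:5300         198.51.100.9:40532      ESTABLISHED
tcp        0      0 192.0.2.53:22           198.51.100.53:40533     ESTABLISHED'

# count_dns_tcp: read netstat output on stdin and print the number of
# ESTABLISHED sessions whose *local* port is 53. Anchoring on the whole
# local-address field avoids the false hits a plain `grep 53` produces
# (port 5300, or a peer whose address happens to contain 53).
count_dns_tcp() {
    awk '$1 == "tcp" && $4 ~ /:53$/ && $6 == "ESTABLISHED" { n++ } END { print n+0 }'
}

# tcp_clients_status LIMIT COUNT: print "ok", "warn" (at or above 80% of the
# limit) or "full" (at or above the limit). The thread notes BIND's default
# tcp-clients is 100; the 80% warning threshold is this example's own choice.
tcp_clients_status() {
    limit=$1
    count=$2
    if [ "$count" -ge "$limit" ]; then
        echo full
    elif [ $((count * 100)) -ge $((limit * 80)) ]; then
        echo warn
    else
        echo ok
    fi
}

# Stand-alone run over the constructed sample: 2 of the 5 lines qualify
# (the TIME_WAIT, port-5300 and port-22 lines are excluded).
n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_dns_tcp)
echo "established TCP sessions on port 53: $n"
echo "status against tcp-clients 100: $(tcp_clients_status 100 "$n")"
```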
AEM Question
Any idea when the ARM for 9.9.0 will be published? No mention on the ISC web site.

Reference and FAQ

The primary documentation for BIND is the ARM, the Administrator's Reference Manual. There is a separate edition of the ARM for each major release of BIND. You can download the PDF file of the ARM for BIND 9.8 (http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.pdf), BIND 9.7 (http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.pdf), BIND 9.6 (http://ftp.isc.org/isc/bind9/cur/9.6/doc/arm/Bv9ARM.pdf), BIND 9.5 (http://www.isc.org/files/Bv9.5.2ARM.pdf), BIND 9.4 (http://www.isc.org/files/Bv9.4ARM.pdf). HTML versions are available for BIND 9.8 (http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html), BIND 9.7 (http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.html), BIND 9.6 (http://ftp.isc.org/isc/bind9/cur/9.6/doc/arm/Bv9ARM.html), BIND 9.5 (http://www.isc.org/files/arm95_0.html) and BIND 9.4 (http://www.isc.org/files/arm94_0.html). From time to time we issue a small addendum to the most recent ARM, which documents new features that were made available since the ARM was published. This note (http://www.isc.org/software/bind/delegation-only) about ISC's BIND Delegation-only feature is an addendum to the BIND 9.5 ARM.

Thanks
John Manson
CAO/HIR/NI Data-Communications | U.S. House of Representatives | Washington, DC 20515
Desk: 202-226-4244 | Team: 202-225-5552 | john.man...@mail.house.gov
Re: BIND 9.8.2 is now available
Hello there ISC folks. Me again from Blastwave :-)

Small problem with the 9.8.2 tarball :

    $ ls $SRC/bind-9*
    /export/medusa/src/bind-9.8.1-P1.tar.gz
    /export/medusa/src/bind-9.8.2.tar.gz
    $ gzip -dc /export/medusa/src/bind-9.8.2.tar.gz | tar -xf -
    $ cd bind-9.8.2
    $ ls -lo REL*
    -rw-r--r--   1 sysadmin   16744 Mar 22 19:20 RELEASE-NOTES-BIND-9.8.1.html
    -rw-r--r--   1 sysadmin   62760 Mar 22 19:20 RELEASE-NOTES-BIND-9.8.1.pdf
    -rw-r--r--   1 sysadmin   14419 Mar 22 19:20 RELEASE-NOTES-BIND-9.8.1.txt
    $ cat version
    # $Id$
    #
    # This file must follow /bin/sh rules.  It is imported directly via
    # configure.
    #
    MAJORVER=9
    MINORVER=8
    PATCHVER=2
    RELEASETYPE=
    RELEASEVER=

Looks like the release notes for 9.8.1 are in the 9.8.2 tarball. If I check the MD5 hash I see the pdf is the same as the 9.8.1-P1 release.

Just a FYI there.

Dennis

ps: I hit this when doing the Solaris SVR4 packages and my package prototype kept complaining that I had 9.8.1 Release notes. Yup.

--
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke | Solaris and Linux and Open Source |
| dcla...@blastwave.org | Respect for open standards. |
+-+---+

---

Introduction

BIND 9.8.2 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.1 to BIND 9.8.2. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

+ BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

+ RPZ implementation now conforms to version 3 of the specification. [RT #27316]
+ It is now possible to explicitly disable DLV in named.conf by specifying dnssec-lookaside no;. This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858]
+ --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

+ Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed. [RT #28419]
+ A parser bug could cause named to crash while reading a malformed zone file. [RT #28467]
+ Fixed a problem preventing proper use of 64 bit time values in libbind. [RT #26542]
+ isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible memory leak condition. [RT #28265]
+ Fixed a build error on systems without ENOTSUP. [RT #28200]
+ The header file isc/hmacsha.h is now installed when building BIND. [RT #28169]
+ Resolves spurious test failures in ans.pl by updating it to work correctly with Net::DNS 0.68 [RT #28028]
+ The managed key maintenance timer could fail to restart after 'rndc reconfig' resulting in managed keys not being properly added to managed-keys.bind [RT #27686]
+ Corrects a potential overflow problem in the computation of RRSIG expiration times. [RT #23311]
+ The maximum number of NSEC3 iterations for a DNSKEY RRset was not being properly computed. [RT #26543]
+ Error reporting has been improved for failures encountered when sending or receiving network packets. In particular some memory allocation failures were being logged as unexpected error - these will now be reported accurately. A new ISC_R_UNSET result code has also been added to cover those situations where there is no error code returned by the OS sockets implementation. [RT #27336]
+ Corrects an INSIST failure by addressing race conditions in the handling of rbtnode.deadlink. [RT #27738]
+ SOA refresh queries could be treated as cancelled despite succeeding over the loopback interface. [RT #27782]
+ When replacing an NS RRset, BIND now restricts the TTL of the new NS RRset to no more
Re: BIND 9.8.2 is now available
> Looks like the release notes for 9.8.1 are in the 9.8.2 tarball.

Yep, we've stopped including the release notes inside the BIND tarballs, but I missed removing them from one branch--oops. We noticed it over the weekend, and a new tarball should be up by tomorrow. (I'm just waiting for the person with the signing key to get me a new set of signatures.)

Sorry about that, and thanks for the heads up.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: AEM Question
In message 3077e3ff3c87a34a9ba201cb9876aabab694f14...@hrm25.us.house.gov, Manson, John writes:

> Any idea when the ARM for 9.9.0 will be published?

The ARM is included in the tar file. It is also available here:

http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.pdf
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.html

A request to update https://www.isc.org/software/bind/documentation has been submitted.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: BIND 9.8.2 is now available
>> Looks like the release notes for 9.8.1 are in the 9.8.2 tarball.
>
> Yep, we've stopped including the release notes inside the BIND tarballs, but I missed removing them from one branch--oops. We noticed it over the weekend, and a new tarball should be up by tomorrow. (I'm just waiting for the person with the signing key to get me a new set of signatures.)
>
> Sorry about that, and thanks for the heads up.

No problem .. the release works great so I guess I'll just remove the release notes and then carry on with the pkg as per.

Dennis

--
--
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
+-+---+
| Dennis Clarke | Solaris and Linux and Open Source |
| dcla...@blastwave.org | Respect for open standards. |
+-+---+
Re: AEM Question
The release version of BIND 9.9.0 contains the 9.9 ARM. You can download a copy of it from my web page if you like:

On Apr 9, 2012, at 11:01 AM, Manson, John wrote:

> Any idea when the ARM for 9.9.0 will be published? No mention on the ISC web site.
>
> Reference and FAQ
>
> The primary documentation for BIND is the ARM, the Administrator's Reference Manual. There is a separate edition of the ARM for each major release of BIND. You can download the PDF file of the ARM for BIND 9.8, BIND 9.7, BIND 9.6, BIND 9.5, BIND 9.4. HTML versions are available for BIND 9.8, BIND 9.7, BIND 9.6, BIND 9.5 and BIND 9.4. From time to time we issue a small addendum to the most recent ARM, which documents new features that were made available since the ARM was published. This note about ISC's BIND Delegation-only feature is an addendum to the BIND 9.5 ARM.
>
> Thanks
> John Manson
> CAO/HIR/NI Data-Communications | U.S. House of Representatives | Washington, DC 20515
> Desk: 202-226-4244 | Team: 202-225-5552 | john.man...@mail.house.gov