measuring dns query
all, im looking for a way to measure dns queries and am looking for an opensource solution if possible. any suggestions? i want to measure the time it takes for 1DNS query in bind vs. dns Active-Directory integrated. thanks, B ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC
In article , Ben wrote: > If we are using DNSSEC enable with caching resolver, and remote domain > is not DNSSEC enabled so in that case , do we face any problem, means > any failure or something? No. If the domain doesn't have DNSSEC enabled, there's nothing for the resolver to check. -- Barry Margolin Arlington, MA ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC
Hi, How's your experience with DNSSEC while using it with caching dns and authoritative dns ? If we are using DNSSEC enable with caching resolver, and remote domain is not DNSSEC enabled so in that case , do we face any problem, means any failure or something? Regards, Ben Gaurav Kansal wrote: DNSSEC is done on Authoritative side. Signing is done on authority servers. It's straightforward with inline-signing mode, or if you maintain your zone with dynamic updates. Caching DNS only check whether that particular domain is signed or not, only if that caching DNS is designed to do so. Validation is done on caches. In my experience validation is a pretty untroublesome feature to enable, provided you aren't completely hammering your name servers. Tony. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC
In article , Tony Finch wrote: > Gaurav Kansal wrote: > > > DNSSEC is done on Authoritative side. > > Signing is done on authority servers. It's straightforward with > inline-signing mode, or if you maintain your zone with dynamic updates. > > > Caching DNS only check whether that particular domain is signed or not, > > only if that caching DNS is designed to do so. > > Validation is done on caches. In my experience validation is a pretty > untroublesome feature to enable, provided you aren't completely hammering > your name servers. It's only untroublesome until someone screws things up on their auth server. When one of your users can't access something.gov, they'll complain to YOU, even though it's mostly out of your hands. This is true for other problems on auth servers as well, of course. But DNSSEC is new enough that there tend to be more failures of this kind, even by organizations that until now have seemed to know what they're doing. -- Barry Margolin Arlington, MA ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: DNSSEC
Gaurav Kansal wrote: > DNSSEC is done on Authoritative side. Signing is done on authority servers. It's straightforward with inline-signing mode, or if you maintain your zone with dynamic updates. > Caching DNS only check whether that particular domain is signed or not, > only if that caching DNS is designed to do so. Validation is done on caches. In my experience validation is a pretty untroublesome feature to enable, provided you aren't completely hammering your name servers. Tony. -- f.anthony.n.finchhttp://dotat.at/ Hebrides: Northeasterly 4 or 5, increasing 5 to 7 except in northwest. Moderate. Showers. Good. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind caching dns
Matthew Seaman wrote: > Not to my knowledge. It should be possible to write an agentx plugin > that translates from the XML data provided natively, but you'll have to > write your own MIBs since the standard one from RFC1612 seems to have > received little development since. Indeed RFC3197 > (https://www.ietf.org/rfc/rfc3197.txt) tells a cautionary tale. I've been using a net-snmp subagent called "B9Agent", with good success. It doesn't parse the XML statistics data but uses the statistics-file instead. For more details, see http://www.l3jane.net/wiki/factory%3Ab9agent_en Regards Eivind Olsen ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: DNSSEC
DNSSEC is done on Authoritative side. Caching DNS only check whether that particular domain is signed or not, only if that caching DNS is designed to do so. As we don't signed our records on fly in DNSSEC, so DNSSEC doesn't increase the load but ya it increases the size of the response of the query. By Flow what do you mean to say? -Original Message- From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Ben Sent: Wednesday, May 09, 2012 11:29 AM To: bind-users@lists.isc.org Subject: DNSSEC Hi, I have a some queries regarding dnssec.Kindly clear me out it. 1) DNSSEC is required for authoritative dns or is it for caching dns or for both? 2) If we enable DNSSEC , do we face any performance problem while concerning with throughput? 3) What is actual flow of dnssec? Regards, Ben ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
