Re: Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Kevin Darcy
The last (and presumably final) point release (6.5) of NetWare was in 
2003, only 4 years after RFC 2671. Just saying...


- Kevin

On 4/30/2013 7:08 PM, Pascal wrote:

Thank you.  That does appear to be the problem.

-Pascal


On 4/30/2013 5:17 PM, Mark Andrews wrote:

BIND 9.9 dig turns on EDNS by default. You really should be asking
why 172.31.123.6 doesn't support EDNS nearly 14 years after it was
specified (RFC 2671 August 1999).

Add +noedns to the command line to disable EDNS.

Mark






___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DDOS attack Bind 9.9 - P2

2013-04-30 Thread Vernon Schryver
> Patch BIND to include the RRL (Response Rate Limiting) patches
> (http://www.redbarn.org/dns/ratelimits), blackhole/ignore those
> clients requesting.

The fact that Response Rate Limiting (RRL) does not blackhole/ignore
clients is a feature and why it is a better mitigation for DNS
reflection DoS attacks than mechanisms that do blackhole/ignore
clients.  The apparent DNS clients in DNS reflection attacks are
usually not the source of the evil requests, but are forged by bad guys
trying to attack the nominal clients.  Because RRL limits the rate of
any particular response sent to any particular client address block,
the client is generally able to get responses for its legitimate
requests and often will not notice the attack.

Naively blackholing/ignoring the forged client as with common
firewall rules does stop attacks, but lets the bad guy deny name
service to the client.  Breaking host name resolution has been a
part of many security attacks over the years.

  ...


} > I have isc.org attack." isc.org internet *?". It comes from my own clients 
} > that I have allowed in my ACL. the question is how to stop this attack? 

} If the queries are really from your clients, find & fix them.  They are 
} probably attacking others in addition to you, so you'd be doing the rest of 
} the Internet a favor while solving your own problem.

Simple request flooding with forged DNS client IP addresses sounds
unlikely, because there are many other DoS attacks that are more
effective and harder to filter.  In other words, the smart money bets
on the requests not really coming from the apparent clients, but that
they are forged and intended to attack the apparent clients.


} If the traffic is spoofed as being from your clients, stop accepting traffic 
} from elsewhere sourced from your client address space.

That is best, if possible and relevant, as with closed recursive
resolvers.  It is generally irrelevant and impossible for authoritative
DNS servers.

The RRL patch is intended for authoritative servers, but can be used
as better than nothing on recursive resolvers.  The best mitigation
for open recursive resolvers is to close them except to trusted clients.
When that is not possible, RRL can be used at the cost of significantly
slowing applications such as browsers and SMTP servers (mail receivers)
that make large bursts of identical requests.

   ...

] Many people will not compromise critical daemons by using third party
] *unofficial* patches.

I don't know the status of the CZ-NIC Knot DNS or the NLNetLabs NSD
RRL code.  Perhaps either of those is "third party" or "unofficial,"
although I have the impression that is at least partly wrong.

The BIND RRL patch on http://www.redbarn.org/dns/ratelimits is
unofficial, and so it is reasonable to be skeptical and wait for an
official release.  However, for obvious reasons it is not really
accurate to label the BIND RRL patch as "third party."  "Pre-pre-release"
is a more accurate characterization of the BIND RRL.  Please note that
users of the FreeBSD bind98 and bind99 ports can get the RRL code
without messing with the patch command.  See
https://www.google.com/search?q=site%3Afreebsd.org+bind+rrl


] iptables does just as good of job.

That is widely known to be false in general.  In principle one could
write iptables rules that do as good a job as RRL.  However, the
common iptables rules that rate limit incoming requests based entirely
on either query types or DNS client IP addresses block legitimate
queries and so are distinctly inferior to RRL.


Vernon Schryver    v...@rhyolite.com
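The difference Vernon is describing, RRL accounting per (response, client address block) versus a firewall rule that counts queries per source address, as an added worked example that is not part of the thread and not the redbarn/BIND RRL code. It is a deliberately simplified model: fixed one-second windows instead of a token bucket, IPv4 /24 blocks only, and only the "isc.org ANY" reflection pattern from the thread. Every address, name, rate and traffic mix below is constructed. The "slip" behaviour (every Nth excess response is sent truncated so a genuine client retries over TCP, which cannot be spoofed) is a feature of real RRL that the thread does not mention.

```python
"""Toy model of DNS Response Rate Limiting (RRL) next to a naive per-client
block, to show why RRL keeps a spoofed victim's own lookups working.

Simplified illustration, not the redbarn/BIND RRL implementation: fixed
one-second windows instead of a token bucket, IPv4 /24 client blocks only,
and only the "isc.org ANY" amplifier pattern from the thread. Every address,
name and traffic mix below is constructed.
"""
import ipaddress
from collections import defaultdict


def client_block(ip, prefix=24):
    """RRL accounts per client address block (a /24 for IPv4), not per host."""
    return ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)


class ResponseRateLimiter:
    """Limit how often one particular response goes to one client block.

    Excess responses are dropped, except that every `slip`-th one is sent
    truncated (TC=1): a genuine client then retries over TCP, which an
    attacker cannot spoof, while a reflected UDP flood gains nothing.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.rps = responses_per_second
        self.slip = slip
        self.sent = defaultdict(int)      # (second, identity, block) -> count
        self.excess = defaultdict(int)    # (identity, block) -> excess so far

    def decide(self, now, src_ip, qname, qtype, rcode="NOERROR"):
        # The key is the *response*, not the client: same name, type and
        # rcode to the same /24 counts together; anything else is separate.
        identity = (qname.lower(), qtype, rcode)
        block = client_block(src_ip)
        window = (int(now), identity, block)
        if self.sent[window] < self.rps:
            self.sent[window] += 1
            return "send"
        self.excess[(identity, block)] += 1
        if self.slip and self.excess[(identity, block)] % self.slip == 0:
            return "truncate"
        return "drop"


class NaivePerClientLimiter:
    """What a typical iptables hashlimit/recent rule does: count queries per
    source address and stop answering that address once it is over the limit,
    no matter what it asked for or whether it really sent the packets."""

    def __init__(self, queries_per_second=5):
        self.qps = queries_per_second
        self.seen = defaultdict(int)      # (second, src_ip) -> count

    def decide(self, now, src_ip, qname, qtype, rcode="NOERROR"):
        window = (int(now), src_ip)
        self.seen[window] += 1
        return "send" if self.seen[window] <= self.qps else "drop"


VERDICT_BUCKET = {"send": "answered", "truncate": "truncated", "drop": "dropped"}


def simulate(limiter, traffic):
    """Run (time, src_ip, qname, qtype, is_legit) records through a limiter and
    tally what happened to the victim's real lookups and to the flood."""
    tally = {"legit_answered": 0, "legit_lost": 0,
             "flood_answered": 0, "flood_truncated": 0, "flood_dropped": 0}
    for t, src, qname, qtype, legit in traffic:
        verdict = limiter.decide(t, src, qname, qtype)
        if legit:
            # A truncated reply still works for a real client (TCP retry).
            tally["legit_lost" if verdict == "drop" else "legit_answered"] += 1
        else:
            tally["flood_" + VERDICT_BUCKET[verdict]] += 1
    return tally


def build_traffic(victim="192.0.2.10", flood_size=200):
    """Constructed mix within one second: a reflection flood spoofing the
    victim's address with 'isc.org ANY', plus five real lookups the victim
    itself makes in the middle of it."""
    traffic = [(i / flood_size, victim, "isc.org", "ANY", False)
               for i in range(flood_size)]
    real_names = ["www.example.com", "mail.example.net", "ns1.example.org",
                  "cdn.example.com", "api.example.net"]
    traffic += [(0.5 + i * 0.01, victim, name, "A", True)
                for i, name in enumerate(real_names)]
    traffic.sort(key=lambda rec: rec[0])
    return traffic


if __name__ == "__main__":
    for label, limiter in (("RRL", ResponseRateLimiter()),
                           ("naive per-client", NaivePerClientLimiter())):
        print(label, simulate(limiter, build_traffic()))
```

Running both limiters over the same constructed traffic makes Vernon's argument concrete: under the naive per-source rule the spoofed victim loses all five of its own lookups, because the flood used up its allowance; under RRL all five are answered, because each is a different response identity, while the reflected "isc.org ANY" flood is still cut to five full responses per second plus truncated replies, so the amplification is gone. The same per-identity accounting is also why Vernon warns that RRL on a recursive resolver slows applications that send bursts of identical queries: to this model they look exactly like a flood.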


Re: Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Pascal

Thank you.  That does appear to be the problem.

-Pascal


On 4/30/2013 5:17 PM, Mark Andrews wrote:

BIND 9.9 dig turns on EDNS by default.  You really should be asking
why 172.31.123.6 doesn't support EDNS nearly 14 years after it was
specified (RFC 2671 August 1999).

Add +noedns to the command line to disable EDNS.

Mark



Re: Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Pascal
Sorry, I guess I wasn't clear enough.  I was just using 
www.alarmspecs.com as a sample domain.  As you see, that domain is 
working fine.


My problem is 172.31.123.6 is a NetWare DNS server.  I maintain several 
in different locations and trees.  Any time I try to use Dig 9.9 against 
one of them with any domain or record type I get FORMERR.


-Pascal


Re: Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Mark Andrews

In message <51803fd2.3070...@users.sourceforge.net>, Pascal writes:
> Dig 9.9 consistently gives me "FORMERR" against NetWare DNS servers. 
> Previous versions worked fine.  Suggestions on how to figure out if the 
> bug is in Dig or NetWare?
> 
> -Pascal

BIND 9.9 dig turns on EDNS by default.  You really should be asking
why 172.31.123.6 doesn't support EDNS nearly 14 years after it was
specified (RFC 2671 August 1999).

Add +noedns to the command line to disable EDNS.

Mark

> O:\Documents and Settings\admin\dig>dig www.alarmspecs.com @172.31.123.6
> 
> ; <<>> DiG 9.8.4-P2 <<>> www.alarmspecs.com @172.31.123.6
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49616
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.alarmspecs.com.		IN	A
> 
> ;; ANSWER SECTION:
> www.alarmspecs.com.	3600	IN	CNAME	alarmspecs.com.
> alarmspecs.com.		3600	IN	A	173.212.225.56
> 
> ;; Query time: 203 msec
> ;; SERVER: 172.31.123.6#53(172.31.123.6)
> ;; WHEN: Tue Apr 16 20:24:24 2013
> ;; MSG SIZE  rcvd: 66
> 
> 
> O:\Documents and Settings\admin\dig>cd 9.9.2-P2
> 
> O:\Documents and Settings\admin\dig\9.9.2-P2>dig www.alarmspecs.com 
> @172.31.123.6
> 
> ; <<>> DiG 9.9.2-P2 <<>> www.alarmspecs.com @172.31.123.6
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 47614
> ;; flags: qr rd ra ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; Query time: 0 msec
> ;; SERVER: 172.31.123.6#53(172.31.123.6)
> ;; WHEN: Tue Apr 16 20:24:29 2013
> ;; MSG SIZE  rcvd: 12
> 
> 
> O:\Documents and Settings\admin\dig\9.9.2-P2>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
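What Mark describes, as an added example that is not from the thread and not ISC's dig: a small Python probe that builds the same question with and without the EDNS OPT pseudo-RR (what dig sends by default and what +noedns turns off) and classifies the reply. The header-only FORMERR sample embedded at the bottom is constructed to match the fields dig printed in the thread (id 47614, flags qr rd ra ad, status FORMERR, all section counts zero, 12 bytes); the probe() function is the only part that needs a network, and its server and name arguments are placeholders.

```python
"""Probe whether a DNS server understands EDNS(0) (RFC 2671, now RFC 6891).

BIND 9.9's dig adds an OPT pseudo-RR to every query by default. A server that
predates EDNS does not recognise the OPT record in the additional section and
may answer with RCODE 1 (FORMERR), often as a bare 12-byte header without the
question copied back, which is exactly what dig printed in the thread.
"""
import socket
import struct

QTYPE_A = 1
QTYPE_OPT = 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, txid, qtype=QTYPE_A, edns=True, udp_size=4096):
    """Build a standard recursive query; with edns=True append an OPT RR."""
    flags = 0x0100                     # RD set, everything else clear
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE / version / flags (all zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, 0, 0)
    return msg


def parse_header(resp):
    """Decode the 12-byte DNS header; raise on anything shorter."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header: %d bytes" % len(resp))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query, resp):
    """Say what a reply to an EDNS query tells us about the server."""
    q = parse_header(query)
    r = parse_header(resp)
    if r["id"] != q["id"] or not r["qr"]:
        return "not-a-reply"          # wrong transaction ID or QR bit clear
    if r["rcode"] == 1 and r["qdcount"] == 0 and len(resp) == 12:
        return "formerr-no-edns"      # bare header: server choked on the OPT RR
    if r["rcode"] == 1:
        return "formerr"
    return RCODE_NAMES.get(r["rcode"], "rcode-%d" % r["rcode"])


def probe(server, qname="www.example.com", timeout=2.0, port=53):
    """Send the same question with and without EDNS and report both verdicts.
    Network-facing; the offline test below does not call it."""
    results = {}
    for edns, txid in ((True, 0x1001), (False, 0x1002)):
        key = "edns" if edns else "noedns"
        query = build_query(qname, txid, edns=edns)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            try:
                resp, _ = s.recvfrom(4096)
            except socket.timeout:
                results[key] = "timeout"
                continue
        results[key] = classify(query, resp)
    return results


# Constructed sample, not a capture: a header-only reply with the fields dig
# printed in the thread (id 47614, flags qr rd ra ad, status FORMERR, all
# section counts zero, 12 bytes total).
SAMPLE_FORMERR = struct.pack("!HHHHHH", 47614, 0x81A1, 0, 0, 0, 0)
SAMPLE_QUERY = build_query("www.alarmspecs.com", 47614, edns=True)

if __name__ == "__main__":
    print(classify(SAMPLE_QUERY, SAMPLE_FORMERR))
```

The "formerr-no-edns" verdict is the signature to look for: a 12-byte reply with QDCOUNT 0 means the server did not even echo the question back, consistent with an implementation that rejected the whole message because of the unknown additional record. +noedns is only a client-side workaround; the server is what needs fixing, and a DNSSEC-validating resolver cannot work around it at all, since DNSSEC relies on EDNS.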


Re: Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Noel Butler
On Tue, 2013-04-30 at 17:04 -0500, Pascal wrote:

> Dig 9.9 consistently gives me "FORMERR" against NetWare DNS servers. 
> Previous versions worked fine.  Suggestions on how to figure out if the 
> bug is in Dig or NetWare?
> 
> -Pascal
> 



> O:\Documents and Settings\admin\dig\9.9.2-P2>dig www.alarmspecs.com 
> @172.31.123.6
> 
> ; <<>> DiG 9.9.2-P2 <<>> www.alarmspecs.com @172.31.123.6
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 47614
> ;; flags: qr rd ra ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 


~$ dig www.alarmspecs.com

; <<>> DiG 9.9.2 <<>> www.alarmspecs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50631
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3






Dig 9.9 FORMERR with NetWare

2013-04-30 Thread Pascal
Dig 9.9 consistently gives me "FORMERR" against NetWare DNS servers. 
Previous versions worked fine.  Suggestions on how to figure out if the 
bug is in Dig or NetWare?


-Pascal


O:\Documents and Settings\admin\dig>dig www.alarmspecs.com @172.31.123.6

; <<>> DiG 9.8.4-P2 <<>> www.alarmspecs.com @172.31.123.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49616
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.alarmspecs.com.		IN	A

;; ANSWER SECTION:
www.alarmspecs.com.	3600	IN	CNAME	alarmspecs.com.
alarmspecs.com.		3600	IN	A	173.212.225.56

;; Query time: 203 msec
;; SERVER: 172.31.123.6#53(172.31.123.6)
;; WHEN: Tue Apr 16 20:24:24 2013
;; MSG SIZE  rcvd: 66


O:\Documents and Settings\admin\dig>cd 9.9.2-P2

O:\Documents and Settings\admin\dig\9.9.2-P2>dig www.alarmspecs.com 
@172.31.123.6


; <<>> DiG 9.9.2-P2 <<>> www.alarmspecs.com @172.31.123.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 47614
;; flags: qr rd ra ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: 172.31.123.6#53(172.31.123.6)
;; WHEN: Tue Apr 16 20:24:29 2013
;; MSG SIZE  rcvd: 12


O:\Documents and Settings\admin\dig\9.9.2-P2>


Re: DDOS attack Bind 9.9 - P2

2013-04-30 Thread Noel Butler
On Tue, 2013-04-30 at 22:07 +0100, Steven Carr wrote:

> You asked this question a few weeks ago.
> 
> Patch BIND to include the RRL (Response Rate Limiting) patches
> (http://www.redbarn.org/dns/ratelimits), blackhole/ignore those
> clients requesting.
> 


Many people will not compromise critical daemons by using third party
*unofficial* patches.
iptables does just as good of job.





Re: DDOS attack Bind 9.9 - P2

2013-04-30 Thread Jay Ford

On Tue, 30 Apr 2013, Jose Manuel Delgado G. wrote:
I have an isc.org attack: "isc.org internet *?". It comes from my own clients 
that I have allowed in my ACL. The question is how to stop this attack? 
This causes my traffic on the interface to be intense and also pushes up my 
CPU percentage. What can I do to prevent it??


Assuming "clients" means things you connect to the net...

If the queries are really from your clients, find & fix them.  They are 
probably attacking others in addition to you, so you'd be doing the rest of 
the Internet a favor while solving your own problem.


If the traffic is spoofed as being from your clients, stop accepting traffic 
from elsewhere sourced from your client address space.



Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951


Re: DDOS attack Bind 9.9 - P2

2013-04-30 Thread Steven Carr
You asked this question a few weeks ago.

Patch BIND to include the RRL (Response Rate Limiting) patches
(http://www.redbarn.org/dns/ratelimits), blackhole/ignore those
clients requesting.

On 30 April 2013 21:49, Jose Manuel Delgado G.  wrote:
> I have an isc.org attack: "isc.org internet *?". It comes from my own clients
> that I have allowed in my ACL. The question is how to stop this attack? This
> causes my traffic on the interface to be intense and also pushes up my CPU
> percentage. What can I do to prevent it??
>


DDOS attack Bind 9.9 - P2

2013-04-30 Thread Jose Manuel Delgado G.
I have an isc.org attack: "isc.org internet *?". It comes from my own
clients that I have allowed in my ACL. The question is how to stop this
attack? This causes my traffic on the interface to be intense and also pushes
up my CPU percentage.
What can I do to prevent it??

Re: Views Question

2013-04-30 Thread Evan Hunt

> If the 'type' info in a zone statement determines master or slave, can
> you have 2 views in the same named.conf file, one with type master zones
> and the other with type slave zones?

There are a couple of ways to read this question, and the answer depends
on which way you intended it.

A query reaches a view, or not, depending on whether it matched an access
control list.  Typically, clients from your internal subnet will reach the
internal view, and everyone else goes to the external view.

If you have an authoritative-only server, and it's master for one set of
zones and slave for a separate, disjoint set of zones, then you do *not*
want to divide them up into different views. Some clients would only
be able to see the masters and some would only be able to see the slaves;
it wouldn't make sense.

However, if what you're asking is "can I have two views that serve the
*same* zones, with one view slaving to the other", then the answer is yes.
I do this myself at home: my internal view provides recursive service for
my family, and also contains slaved copies of my external-facing zones.

You can use a TSIG key in the masters option (and, from BIND 9.9 onward, in
the also-notify option) to enable the two views to talk to one another so
that the slave can be updated when the master is.  The configuration looks
something like this:

key external-key { [...] };

view internal {
    match-clients { !key external-key; localhost; localnets; };
    zone example.com {
        type slave;
        masters { localhost key external-key; };
    };
};

view external {
    match-clients { any; };
    zone example.com {
        type master;
        also-notify { localhost; };
    };
};

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Views Question

2013-04-30 Thread /dev/rob0
On Tue, Apr 30, 2013 at 04:36:52PM +, Manson, John wrote:
> If the 'type' info in a zone statement determines master or slave,

Yes, this is so. There are other types as well, such as hint, stub, 
and forward. See Bv9ARM.ch06.html#zone_statement_grammar for details 
and other types.

> can you have 2 views in the same named.conf file,

You can have as many views as you need.

> one with type 
> master zones and the other with type slave zones?

Each view can have as many zone statements of whatever types you 
need. There is no restriction on the zone types used per view.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Views Question

2013-04-30 Thread Carlos M. Martinez
I think views have mostly to do with the source of the queries, thus
presenting a different 'view' of zone data depending on who the client is.

You could have one view with only master zones and another view with slave
zones, but I'm not sure what the purpose would be, unless for example
you want to provide slave service for your internal clients only.

regards,

~Carlos

On 4/30/13 1:36 PM, Manson, John wrote:
> If the ‘type’ info in a zone statement determines master or slave, can
> you have 2 views in the same named.conf file, one with type master zones
> and the other with type slave zones?
> 
>  
> 
>  
> 
>  
> 
> John Manson
> 
> CAO/HIR/NAF Data-Communications | U.S. House of Representatives |
> Washington, DC 20515
> 
> Desk: 202-226-4244 | TCC: 202-226-6430 | john.man...@mail.house.gov
> 
> 
>  
> 
> 
> 


Views Question

2013-04-30 Thread Manson, John
If the 'type' info in a zone statement determines master or slave, can you have 
2 views in the same named.conf file, one with type master zones and the other 
with type slave zones?



John Manson
CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, 
DC 20515
Desk: 202-226-4244 | TCC: 202-226-6430 | 
john.man...@mail.house.gov


Re: ISC Courses

2013-04-30 Thread Eric Kom

On 27/04/2013 14:55, Mark Elkins wrote:

If you live in Africa and can get South, ZACR (UniForum SA), the "co.za"
registry people provide free DNS Courses in Johannesburg and Cape Town.
You still have to cover personal travel, food and lodging though.
These are proper DNS training courses, three day Intro and four day
Advanced courses. They are, however, only offered twice a year, usually
February and September...
You can see more at http://dnstraining.coza.net.za/
The DNS courses provided by co.za from South Africa are of high quality, 
with experts from the co.za registry and other registries in the world, 
totally free of charge.


The topics are generally the same as the ones provided by ISC, in my view!

You can have a DNS training trip in South Africa.

I agree with the sentiment that it's a costly business though.

On Sat, 2013-04-27 at 03:36 -0500, SUNDAY A. OLUTAYO wrote:

ISC should consider online training too, same linux foundation has done.


Sunday Olutayo

Sent from my LG Mobile

Doug Barton  wrote:

Ted made some really good points. It's also worth pointing out that
overhead, like renting the facility to teach the classes in, food,
travel expenses for the trainers to get to the site, course materials,
insurance, etc. often run into the 'many hundreds' of dollars per
student before the first word is spoken in class.

Doug






--
Kind Regards

Eric Kom

System Administrator & Programmer - Metropolitan College
 _________________________________________
/ You are scrupulously honest, frank, and \
| straightforward. Therefore you have few |
\ friends.                                /
 -----------------------------------------
   \
    \
        .--.
       |o_o |
       |:_/ |
      //   \ \
     (| Kom | )
    /'\_   _/`\
    \___)=(___/

2 Hennie Van Till, White River, 1240
Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334
eric...@kom.za.net  |eric...@metropolitancollege.co.za
www.kom.za.net  |www.kom.za.org  |www.erickom.co.za

Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5


Re: NS geo-distribution

2013-04-30 Thread Sten Carlsen

On 30/04/13 10:30, Dave Warren wrote:
> On 2013-04-30 00:49, Sten Carlsen wrote:
>> Don't forget that most users will get the address out of "some"
>> cache, not directly from the authoritative servers.
>
> Absolutely. This is even more true in our case as many of our clients
> serve very local areas and 2-3 ISPs and 3-4 mobile providers
> probably cover 90%+ of their clients.
Which essentially means that the time to get data from the authoritative
servers is irrelevant in almost all cases. Availability vs. network
problems would be more important in my book.
>
>
> On 2013-04-29 21:48, Chris Buxton wrote:
>> RTT means almost always hitting the fastest server.
>
> My concern with relying on RTT is that since most of our sites are
> very low volume, will it be effective or does it work better when a
> host has higher traffic? How long do resolvers remember a particular
> NS's RTT?
>
> We have a handful of Europe based clients, but their number is quite
> small, so I'm not sure if we'd be significantly hurting the majority
> by introducing a high-latency server into the mix or not, or even how
> to evaluate the results.
>
> I realize I've probably spent more time thinking about it than I'll
> possibly save anyone else anyway, so perhaps that's my answer.
>
> I appreciate all the input.
>
> -- 
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: NS geo-distribution

2013-04-30 Thread Dave Warren

On 2013-04-30 00:49, Sten Carlsen wrote:
Don't forget that most users will get the address out of "some" cache, 
not directly from the authoritative servers.


Absolutely. This is even more true in our case as many of our clients 
serve very local areas and 2-3 ISPs and 3-4 mobile providers 
probably cover 90%+ of their clients.



On 2013-04-29 21:48, Chris Buxton wrote:

RTT means almost always hitting the fastest server.


My concern with relying on RTT is that since most of our sites are very 
low volume, will it be effective or does it work better when a host has 
higher traffic? How long do resolvers remember a particular NS's RTT?


We have a handful of Europe based clients, but their number is quite 
small, so I'm not sure if we'd be significantly hurting the majority by 
introducing a high-latency server into the mix or not, or even how to 
evaluate the results.


I realize I've probably spent more time thinking about it than I'll 
possibly save anyone else anyway, so perhaps that's my answer.


I appreciate all the input.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

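Chris Buxton's point that RTT-based selection means "almost always hitting the fastest server", as an added illustration that is not from the thread and is not BIND's actual server-selection code: a toy resolver that keeps a smoothed RTT per nameserver, always asks the one with the lowest estimate, and slowly decays the estimates of the servers it did not ask, so that a server it has stopped using gets re-tried now and then. The server names, latencies, smoothing factor and decay rate are all constructed and chosen only to make the behaviour visible.

```python
"""Toy model of how a recursive resolver chooses among a zone's NS records by
measured round-trip time (RTT), to illustrate why a far-away (high-latency)
nameserver ends up receiving very little of the query load.

Simplified illustration, not BIND's server-selection code: the resolver keeps
a smoothed RTT (SRTT) per server, asks the one with the lowest SRTT, and
slowly decays the SRTT of the servers it did not ask so each is re-tried
occasionally. Server names and latencies below are constructed.
"""
from collections import Counter


class RttResolver:
    def __init__(self, servers, alpha=0.3, decay=0.98):
        self.alpha = alpha      # weight of the newest measurement (constructed)
        self.decay = decay      # per-query forgetting factor for idle servers (constructed)
        self.srtt = {s: None for s in servers}   # None = never measured

    def pick(self):
        """Try every server once; afterwards take the lowest smoothed RTT."""
        untried = [s for s, v in self.srtt.items() if v is None]
        if untried:
            return untried[0]
        return min(self.srtt, key=self.srtt.get)

    def record(self, server, measured_ms):
        """Fold a new measurement into the chosen server's SRTT and let the
        others' estimates decay so a slow server is re-probed eventually."""
        old = self.srtt[server]
        self.srtt[server] = measured_ms if old is None else (
            self.alpha * measured_ms + (1 - self.alpha) * old)
        for other, v in self.srtt.items():
            if other != server and v is not None:
                self.srtt[other] = v * self.decay


def simulate(latency_ms, queries=2000):
    """Send `queries` lookups; return the share of them each server received."""
    resolver = RttResolver(list(latency_ms))
    hits = Counter()
    for _ in range(queries):
        ns = resolver.pick()
        hits[ns] += 1
        resolver.record(ns, latency_ms[ns])
    return {ns: hits[ns] / queries for ns in latency_ms}


# Constructed: two North American servers and one in Europe, as seen from a
# resolver in Canada. The names are placeholders, not real hosts.
EXAMPLE_LATENCY_MS = {"ns1.example.ca": 20.0,
                      "ns2.example.us": 35.0,
                      "ns3.example.eu": 130.0}

if __name__ == "__main__":
    for ns, share in simulate(EXAMPLE_LATENCY_MS).items():
        print("%-16s %5.1f%%" % (ns, 100 * share))
```

With 20, 35 and 130 ms servers the 130 ms one ends up with a few percent of the queries and the fastest with the large majority, which is the effect Chris describes. The exact share depends entirely on how fast the model forgets an RTT, and on a real resolver on how that resolver ages its RTT estimates, which is the question Dave asks and which this model does not answer for BIND.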

Re: NS geo-distribution

2013-04-30 Thread Sten Carlsen
Don't forget that most users will get the address out of "some" cache,
not directly from the authoritative servers.


On 30/04/13 6:48, Chris Buxton wrote:
> On Apr 29, 2013, at 9:01 PM, Dave Warren wrote:
>> With the vast majority of our customers being in North America (probably 75% 
>> of users are in Canada), would it make sense to add a Europe based NS or 
>> would this tend to return slower results on average since a potential user 
>> would have a 1/3 chance of hitting a NS with a higher latency?
> RTT means almost always hitting the fastest server.
>
> Chris Buxton

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"
