Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?
The search algorithms in libresolv/libbind are a compromise. If I had my way, back when libresolv was updated for RFC 1535, support for partially qualified domain names would have died. ndots was the compromise. Searches would have only continued on NXDOMAIN and unqualified names would not have been tried against the root. There were obvious security and information leakage issues with partially qualified names. So too with continuing searches on NODATA and SERVFAIL.

I have been setting hostname to the fully qualified value for the last 20 years or so. This worked on almost all platforms but some needed tweaking to remove assumptions that a hostname was a single label. Also whenever a hostname is added to a configuration file / script the fully qualified version is used.

I killed searching in the local sendmail configurations and forced everyone to use fully qualified names in mail. This reduced problems once people got used to it.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
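As an added illustration (not ISC's code and not from any message in this thread), the Python below models the BIND-derived res_search() behaviour the thread is arguing about: an absolute name (trailing dot) skips the search list and goes straight to the root/forwarders, ndots decides whether a dotted name is tried as-is first, the search list is appended to every non-absolute lookup, and NXDOMAIN, NODATA and SERVFAIL all keep the search going. The search list and the answer table are constructed; real libc implementations differ in details such as which error is finally reported.

```python
# Added illustration (not ISC's code): a small model of the BIND-derived
# res_search() logic that the thread discusses. It records every name the
# stub resolver would send upstream, which is where the leakage comes from.

NXDOMAIN, NODATA, SERVFAIL = "NXDOMAIN", "NODATA", "SERVFAIL"
FAILURES = (NXDOMAIN, NODATA, SERVFAIL)   # all three keep the search going

# Constructed answer table standing in for the upstream (forwarders / root):
# absolute name (trailing dot) -> address, or the rcode it would return.
FAKE_DNS = {
    "myhostname.corp.example.": "10.0.0.5",
    "www.corp.example.": NODATA,            # name exists, but no A record
    "db.oracle.corp.example.": "10.0.0.7",
}
SEARCH = ("corp.example", "oracle.corp.example")  # constructed search list

def lookup(fqdn, trace):
    """Ask the (fake) upstream; unknown names get NXDOMAIN."""
    trace.append(fqdn)
    return FAKE_DNS.get(fqdn, NXDOMAIN)

def res_search(name, search=SEARCH, ndots=1):
    """Return (answer, names sent upstream in order) for one lookup."""
    trace = []
    if name.endswith("."):                  # absolute: no search list at all
        return lookup(name, trace), trace
    tried_as_is = False
    if name.count(".") >= ndots:            # enough dots: try as-is first
        tried_as_is = True
        ans = lookup(name + ".", trace)
        if ans not in FAILURES:
            return ans, trace
    for domain in search:                   # then each search domain in turn
        ans = lookup(f"{name}.{domain}.", trace)
        if ans not in FAILURES:
            return ans, trace
    if not tried_as_is:                     # last resort: bare name at the root
        ans = lookup(name + ".", trace)
        if ans not in FAILURES:
            return ans, trace
    return NXDOMAIN, trace

def leaked_outside(trace, search=SEARCH):
    """Names that left the internal namespace, i.e. reached root/forwarders."""
    return [n for n in trace if not any(n.endswith("." + d + ".") for d in search)]
```

Calling res_search("myhostname.") shows the subject-line case (one query, sent straight upstream), while res_search("www") shows a bare name that ends up queried at the root after the search list is exhausted; raising ndots stops the as-is query for "db.oracle".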
Re: bind v9.9.5 becomes unresponsive when using samba4 dlopen driver
On Wed, Mar 12, 2014 at 10:09:44PM +0200, Nikos Mitas wrote:
> at this point, nslookup and rndc are not working, the only option i have is
> to kill samba and named and start over. But after a while the problem
> repeats.
>
> any help will be very welcome

Offhand I'd guess it's a deadlock. Does it happen if named is built without threads? Can you attach to the process with gdb and get a backtrace?

You can submit a bug report against BIND at bind9-b...@isc.org -- if you do, please include as much information as possible about the system you're running on, how you configured the build ("named -V" will tell you this), and your named.conf ("named-checkconf -px" dumps a copy of your configuration with key secrets omitted).

If the problem's in the samba DLZ module, I probably won't be able to help you, but if it's in the dlopen driver, perhaps I can.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?
On 03/12/14 06:50, Tony Finch wrote:
> Lawrence K. Chen, P.Eng. wrote:
>
>> If you have FQDN for machines, the problem might be that the domain
>> isn't set in resolv.conf?
>
> The machines are configured with a bare hostname. If there isn't a search
> or domain directive in /etc/resolv.conf and there isn't an entry for the
> machine in /etc/hosts then `hostname -f` will fail.
>
> It is probably a bug that `hostname -f` does not have any "ndots" logic.
> See also RFC 1535.
>
> Tony.
>

Around here, the users insist on being able to use only the hostname to reach everything, so our resolv.conf's have "search" maxed out... though some systems seem to work when 7 subdomains are listed for "search". Though most of the time, we'll find that we have to ask them which subdomain they can live without in order to add a new one to "search".

One time, they removed the first one... because the department doesn't exist anymore and they don't (think they) have anything in it they need. Except that the backup jobs they run all stopped working. Yeah, the backup server is in that subdomain (and the fqdn is baked into the library catalog's Oracle DB backend, so we can never change it... though every few years they look at switching us to another vendor's product rather than upgrading... and we end up upgrading.)

Also we still have a large number of Solaris systems around... where typing 'hostname -f' would change the hostname of the system to '-f'. (Or an error if not root.)

And, virtually every system here uses just hostname, since lots of people call `hostname` in their prompts, and don't like the added length of getting an fqdn. (Or figuring out what they need to do to make it right.)

Though I did discover that search appends to all lookups, not just bare hostnames. Could not understand why a new SA was saying machines could be reached with .campus (years ago when we started having systems with RFC1918 IPs... they decided to make up a TLD.

The DNS administrator said that it wasn't possible to do split DNS, yet he didn't ask what I meant when I had asked him about it. After he quit, DNS got thrown in my lap, and .campus.ksu.edu was born, which was good, because we had a policy at the time requiring user-facing sites to use Thawte certificates... which were hard to get for .campus fqdn's... but we can get them for .campus.ksu.edu fqdn's, which can't be resolved from off campus (well, not fully...)

Several years ago, another admin tried to force everybody to stop using the .campus TLD. (I've joked that it's only a matter of time before someone goes and registers it, or perhaps one of the other fake TLDs we used, like .wireless ;) Problem was there was a big move of Oracle DBs into the TLD... and with the name baked into the installation, renaming isn't going to happen until those systems are abandoned (though a big hardware refresh is near on the horizon... along with a network reorg for data classification.)

Though everything that was .campus is in .campus.ksu.edu (except that we had functional subdomains in .campus and functional hostnames in .campus.ksu.edu). But, a host in .campus.ksu.edu is often not in .campus (since it's deprecated). And, there's a mix on which domain the reverses are pointed to, which is important for the particular system he was setting up at the time. (Some old systems have had their reverses updated, but not all users have switched to using the new forward in service requests to him.)

Oh, there have been cases where we've added hostnames to /etc/hosts so that they could use bare hostnames to reach things in other subdomains; other times it's to ensure the desired hostname is reached when the name exists in more than one subdomain. Some also have names that are not in DNS (not sure if they thought of CNAMEs) so they can find the application. Which was especially important before we forced a consistent functional naming scheme across our datacenter.

They were using Sith Lords to name their machines; some were very similar in spelling but significantly different in function or classification. Probably ran out of Sith Lords with names starting with p, t, d, a or b (prod, test, dev, alpha or beta). It was a whole bunch of very similar names starting with 's' that made my manager snap.

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
bind v9.9.5 becomes unresponsive when using samba4 dlopen driver
Hello,

I am using bind 9.9.5 with samba domain controller v4.1.5 on RedHat v6.5 and bind becomes unresponsive during the execution of samba dns update:

..28-Feb-2014 17:59:17.932 database: info: samba_dlz: starting transaction on zone example.com

at this point, nslookup and rndc are not working, the only option i have is to kill samba and named and start over. But after a while the problem repeats.

any help will be very welcome

Thanks for your time
Nikos Mitas
Re: How to create a fake root server?
First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and for all you know, .loc might be one of them. If .loc gets established on the Internet, and you're using it internally, that presents abundant opportunities for confusion and failure. Use a publicly-registered domain, a descendant of a publicly-registered domain, or potentially, one of the reserved TLDs in RFC 6761.

I'm not sure what your question is, exactly. Set up the root zone, slave it, publish 2 or more of the master/slaves in the NS records, delegate whatever TLD you're going to use, set up *that* zone, lather, rinse, repeat, for the entire hierarchy. Anyone who reads _DNS_and_BIND_ should be able to set up an internal-root infrastructure, IMO (although, sadly, the later editions don't seem as aligned to internal-root as they used to be).

- Kevin

On 3/12/2014 11:07 AM, Peter wrote:
> Hi guys,
>
> I'm doing a virtual internet (internal net) for several VPS's. My goal is to simulate the Internet root servers and the ISP's domain servers, which are hosting the actual domains.
>
> I want to create several DNS nameservers that will contain the specific domain under the "xxx.loc, yyy.loc, zzz.loc".
>
> 1 server for the .loc root
> 3 servers for xxx.loc (server1), yyy.loc (server2), zzz.loc (server3)
>
> Running BIND 9 at every server.
>
> Any suggestions or good links are highly appreciated.
>
> Best regards,
> Peter
How to create a fake root server?
Hi guys,

I'm doing a virtual internet (internal net) for several VPS's. My goal is to simulate the Internet root servers and the ISP's domain servers, which are hosting the actual domains.

I want to create several DNS nameservers that will contain the specific domain under the "xxx.loc, yyy.loc, zzz.loc".

1 server for the .loc root
3 servers for xxx.loc (server1), yyy.loc (server2), zzz.loc (server3)

Running BIND 9 at every server.

Any suggestions or good links are highly appreciated.

Best regards,
Peter
Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?
Lawrence K. Chen, P.Eng. wrote:
> If you have FQDN for machines, the problem might be that the domain
> isn't set in resolv.conf?

The machines are configured with a bare hostname. If there isn't a search or domain directive in /etc/resolv.conf and there isn't an entry for the machine in /etc/hosts then `hostname -f` will fail.

It is probably a bug that `hostname -f` does not have any "ndots" logic. See also RFC 1535.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Tyne, Dogger: Southeast veering southwest 3 or 4. Slight. Fog patches in south. Moderate or good, occasionally very poor in south.