Re: How to check slave zone freshness

2016-02-08 Thread Mark Andrews

With a modern nameserver that supports the expire edns option you can
also do "dig +expire soa zone @server" which will tell you how long
until the zone will expire on this server.

e.g.

;; BADCOOKIE, retrying.

; <<>> DiG 9.11.0pre-alpha <<>> +expire soa . +norec +noauth
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 11fa29d809bed1e5bad33ed956b8efad9c6914524fd2730f (good)
; EXPIRE: 577179 (6 days 16 hours 19 minutes 39 seconds)
;; QUESTION SECTION:
;.  IN  SOA

;; ANSWER SECTION:
.   86400   IN  SOA a.root-servers.net. 
nstld.verisign-grs.com. 2016020800 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 09 06:42:37 EST 2016
;; MSG SIZE  rcvd: 332

Mark

In message <56b8a65a.9030...@pernau.at>, Klaus Darilion writes:
> 
> 
> Am 08.02.2016 um 14:58 schrieb Tony Finch:
> > Klaus Darilion  wrote:
> >>
> >> I want to monitor the freshness of my slave zones. Is it somehow
> >> possible to extract the status of slave-zones from bind?
> > 
> > If you are running 9.10 or later you can use `rndc zonestatus`.
> 
> Ah. Nice, as updating to 9.10 is on my plan.
> 
> I guess I need to iterate over all configured zones, which may be a bit slow
> for several thousand zones. I will see ...
> 
> > I have an older script which just looks at the timestamp of the zone
> > files; BIND bumps the timestamp whenever it successfully refreshes the
> > zone, even if it didn't need to transfer any changes.
> 
> Thanks for the info
> Klaus
> 
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
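The two checks discussed in this thread, as an added example that is not from any poster: pulling the seconds-until-expiry out of `dig +expire` output in the format Mark shows above, and classifying a slave zone from its zone file's mtime against the SOA refresh and expire timers (the mtime approach Tony and Warren describe, plus the refresh extraction Klaus says he still needs). The sample dig output, the SOA record and the threshold fractions are constructed assumptions.

```python
import re

# Constructed sample of the OPT pseudosection printed by "dig +expire soa",
# in the format of Mark's output above (values made up for this example).
SAMPLE_DIG_OUTPUT = """\
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; EXPIRE: 577179 (6 days 16 hours 19 minutes 39 seconds)
;; QUESTION SECTION:
;example.net.  IN  SOA
"""

# Constructed SOA record as a slave's zone file might present it.
SAMPLE_SOA_LINE = ("example.net. 86400 IN SOA ns1.example.net. "
                   "hostmaster.example.net. 2016020800 1800 900 604800 86400")

_EXPIRE_RE = re.compile(r"^; EXPIRE: (\d+)", re.MULTILINE)

def parse_expire_seconds(dig_output):
    """Seconds until the zone expires on the queried server, taken from the
    EDNS EXPIRE option; None if the server did not return the option."""
    m = _EXPIRE_RE.search(dig_output)
    return int(m.group(1)) if m else None

def parse_soa_timers(soa_line):
    """Return (refresh, retry, expire) from a presentation-format SOA record."""
    fields = soa_line.split()
    i = fields.index("SOA")
    # after SOA: mname, rname, serial, refresh, retry, expire, minimum
    refresh, retry, expire = (int(x) for x in fields[i + 4:i + 7])
    return refresh, retry, expire

def expire_needs_attention(seconds_left, expire, warn_fraction=0.5):
    """True when less than warn_fraction of the SOA expire window is left,
    i.e. refreshes from the master have been failing for a while (assumed
    threshold)."""
    return seconds_left < expire * warn_fraction

def mtime_freshness(mtime_epoch, now_epoch, refresh, expire, slack=2):
    """Classify a slave zone by the age of its zone file. BIND touches the
    file on every successful refresh check, so an age beyond 'slack' refresh
    intervals (assumed margin) means refreshes are failing, and an age beyond
    'expire' means the zone would already have expired."""
    age = now_epoch - mtime_epoch
    if age > expire:
        return "expired"
    if age > refresh * slack:
        return "stale"
    return "fresh"
```

For a bump-in-the-wire signer, as in Klaus's setup, the mtime check sidesteps the serial mismatch entirely, since it never looks at the signed SOA.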


Re: Resolver optimization of auth selection - Truth or Myth?

2016-02-08 Thread Barry Margolin
In article ,
 "Darcy Kevin (FCA)"  wrote:

> If you take a look at sections 4.1 & 4.2 - they seem to say  
> BIND 9.8 gets it a little backwards and starts to prefer 
> higher latency servers?

It doesn't say it prefers high-latency servers. It occasionally tries 
the high-latency servers, because it decays the low-latency SRTT.

The purpose of this is to prevent permanently blackholing a server when 
it's temporarily slow. So every now and then it will switch to the 
high-latency server. If it's still high latency, it will lose preference 
again, and it will go back to the low-latency servers. But if it has 
gotten better, it will continue to be used.

Network distance is not the only reason for high latency, sometimes it 
can be because of heavy load on the server, or a congested network link, 
or other temporary conditions.

-- 
Barry Margolin
Arlington, MA
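A toy model of the behaviour Barry describes, added here as an illustration and not taken from BIND's source: the resolver prefers the server with the lowest smoothed RTT, and the estimates of the servers it did not query are decayed so that a slow server is re-tried now and then; if it is still slow it loses preference again, if it has recovered it keeps being used. The decay factor, averaging weight and the Sydney/Singapore/Los Angeles/New York RTT figures are assumptions built from John's scenario.

```python
# Toy model of SRTT-based authoritative server selection with decay. Added
# illustration, not BIND's code: ALPHA, DECAY and the RTTs are assumptions.

ALPHA = 0.3   # weight of the newest measurement in the running average (assumed)
DECAY = 0.98  # shrink applied to every server that was NOT queried (assumed)

class Selector:
    def __init__(self, servers):
        # servers: name -> function(query_index) returning the measured RTT in ms
        self.rtt_of = servers
        # unknown servers start at 0 so every server gets probed at least once
        self.srtt = {name: 0.0 for name in servers}

    def select(self):
        # prefer the lowest smoothed RTT; ties go to the first server listed
        return min(self.srtt, key=self.srtt.get)

    def query(self, i):
        chosen = self.select()
        measured = self.rtt_of[chosen](i)
        self.srtt[chosen] = (1 - ALPHA) * self.srtt[chosen] + ALPHA * measured
        # decaying the others' estimates is what makes a slow server get
        # re-tried occasionally instead of being blackholed permanently
        for name in self.srtt:
            if name != chosen:
                self.srtt[name] *= DECAY
        return chosen

def run(servers, n):
    sel = Selector(servers)
    return [sel.query(i) for i in range(n)]

# Constructed scenario from the thread: resolver in Sydney, RTT grows with distance
def steady_state(n=200):
    return run({"ns1": lambda i: 20.0,       # Singapore
                "ns2": lambda i: 150.0,      # Los Angeles
                "ns3": lambda i: 200.0}, n)  # New York

# Same servers, but ns1 is overloaded for queries 50..99 and then recovers
def temporary_slowdown(n=200):
    return run({"ns1": lambda i: 600.0 if 50 <= i < 100 else 20.0,
                "ns2": lambda i: 150.0,
                "ns3": lambda i: 200.0}, n)

if __name__ == "__main__":
    history = temporary_slowdown()
    for lo in range(0, 200, 50):
        seg = history[lo:lo + 50]
        print(lo, {s: seg.count(s) for s in ("ns1", "ns2", "ns3")})
```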


RE: Resolver optimization of auth selection - Truth or Myth?

2016-02-08 Thread Darcy Kevin (FCA)
I suspect they changed the algorithm, in light of recent research findings 
about attackability. See 
http://www.cs.technion.ac.il/~gnakibly/papers/WOOT13.pdf



- Kevin


From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN
Sent: Monday, February 08, 2016 1:36 PM
To: bind-users@lists.isc.org
Subject: Resolver optimization of auth selection - Truth or Myth?

Folks,
Just trying to settle a question on BIND based resolver 
operation.  When given multiple authoritative servers for a zone, does it 
optimize selection based on auth server response times?  For example:

---
I'm located in Sydney, Australia and my ISP has a couple of 
BIND based resolvers also located there.  I'm trying to get to 
www.example.com and it happens to have three 
authoritative servers, ns{1,2,3}.example.com with a single unicast IP and 
located as follows:

ns1.example.com - Singapore,   ns2.example.com - Los Angeles,
ns3.example.com - New York

We'll assume DNS round trip times (RTT) are proportional to
distance from Sydney; also, the fine folks at example.com have set a 10 minute
TTL on all their resource records and have never heard of anycast IPs. They
are also very reliable, so we're not considering the effects of a
non-responsive server.

So, do the BIND resolvers in Sydney begin to notice their
quickest source of responses is ns1 and when cache data expires, do they go
there first? Or, did the people at example.com waste money trying to
locate one of their authoritative servers in Singapore to better serve their
Australian visitors?
-

I did do a little searching on this and found what seemed to be 
a decent paper, no date, but covered up to BIND 9.8: 
http://irl.cs.ucla.edu/data/files/papers/res_ns_selection.pdf

If you take a look at sections 4.1 & 4.2 - they seem to say  
BIND 9.8 gets it a little backwards and starts to prefer higher latency servers?

Any clarification on this is welcome.
Thanks!

John




John Murtari - jm5...@att.com
Ciberspring
office: 315-944-0998
cell: 315-430-2702


Resolver optimization of auth selection - Truth or Myth?

2016-02-08 Thread MURTARI, JOHN
Folks,
Just trying to settle a question on BIND based resolver 
operation.  When given multiple authoritative servers for a zone, does it 
optimize selection based on auth server response times?  For example:

---
I'm located in Sydney, Australia and my ISP has a couple of 
BIND based resolvers also located there.  I'm trying to get to 
www.example.com and it happens to have three 
authoritative servers, ns{1,2,3}.example.com with a single unicast IP and 
located as follows:

ns1.example.com - Singapore,   ns2.example.com - Los Angeles,
ns3.example.com - New York

We'll assume DNS round trip times (RTT) are proportional to
distance from Sydney; also, the fine folks at example.com have set a 10 minute
TTL on all their resource records and have never heard of anycast IPs. They
are also very reliable, so we're not considering the effects of a
non-responsive server.

So, do the BIND resolvers in Sydney begin to notice their
quickest source of responses is ns1 and when cache data expires, do they go
there first? Or, did the people at example.com waste money trying to
locate one of their authoritative servers in Singapore to better serve their
Australian visitors?
-

I did do a little searching on this and found what seemed to be 
a decent paper, no date, but covered up to BIND 9.8: 
http://irl.cs.ucla.edu/data/files/papers/res_ns_selection.pdf

If you take a look at sections 4.1 & 4.2 - they seem to say  
BIND 9.8 gets it a little backwards and starts to prefer higher latency servers?

Any clarification on this is welcome.
Thanks!

John




John Murtari - jm5...@att.com
Ciberspring
office: 315-944-0998
cell: 315-430-2702


Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
There are also transfer logs -- you could watch those and see if you are
getting any failures, but this seems, um, more brittle..

W

On Mon, Feb 8, 2016 at 6:22 AM Klaus Darilion 
wrote:

>
>
> Am 08.02.2016 um 14:59 schrieb Warren Kumari:
> > The standard, compatible way to do this is simply to do a lookup for the
> > SOA record and make sure that the serial number matches what you expect
> > it to be / what is on the master. I'm not sure what monitoring tool you
> > are using (or if you are writing your own), but most standard monitoring
> > tools have such a script already written -
> > e.g:
> https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/checkexpire/details
>
> This does not detect problems between the master and slave as long as
> the master is not updated.
>
> Further I can not fetch the serial easily from the slave as our slave is
> a "bump in the wire" signer, so the SOA is the internal increased
> "DNSSEC serial". So I would need to extract it from the local zone
> files/journal.
>
> > I believe that BIND also updates the mtime on the zone file when it does
> > the check (not only when something changes):
> > root@eric:/etc/namedb/slave# date
> > Mon Feb  8 08:36:58 EST 2016
> > root@eric:/etc/namedb/slave# ls -al superficialinjurymonkey.com*
> > -rw-r--r-- 1 named named  714 Feb  8 03:51 superficialinjurymonkey.com
> > -rw-r--r-- 1 named named 1236 Feb  8 03:51 superficialinjurymonkey.com.jnl
> > root@eric:/etc/namedb/slave#
> >
> > So, you should be able to just run 'ls' and see if the 'mtime' is larger
> > than you expect...
>
> This is an interesting hint and good starting point. Thanks.
>
> Nevertheless, I would additionally need to extract the SOA refresh
> value for every zone to find out if a zone is not fresh any more.
>
> Thanks
> Klaus
>

Re: How to check slave zone freshness

2016-02-08 Thread Klaus Darilion


Am 08.02.2016 um 14:58 schrieb Tony Finch:
> Klaus Darilion  wrote:
>>
>> I want to monitor the freshness of my slave zones. Is it somehow
>> possible to extract the status of slave-zones from bind?
> 
> If you are running 9.10 or later you can use `rndc zonestatus`.

Ah. Nice, as updating to 9.10 is on my plan.

I guess I need to iterate over all configured zones, which may be a bit slow
for several thousand zones. I will see ...

> I have an older script which just looks at the timestamp of the zone
> files; BIND bumps the timestamp whenever it successfully refreshes the
> zone, even if it didn't need to transfer any changes.

Thanks for the info
Klaus




Re: How to check slave zone freshness

2016-02-08 Thread Klaus Darilion


Am 08.02.2016 um 14:59 schrieb Warren Kumari:
> The standard, compatible way to do this is simply to do a lookup for the
> SOA record and make sure that the serial number matches what you expect
> it to be / what is on the master. I'm not sure what monitoring tool you
> are using (or if you are writing your own), but most standard monitoring
> tools have such a script already written -
> e.g: 
> https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/checkexpire/details

This does not detect problems between the master and slave as long as
the master is not updated.

Further, I cannot fetch the serial easily from the slave as our slave is
a "bump in the wire" signer, so the SOA is the internal increased
"DNSSEC serial". So I would need to extract it from the local zone
files/journal.

> I believe that BIND also updates the mtime on the zone file when it does
> the check (not only when something changes):
> root@eric:/etc/namedb/slave# date
> Mon Feb  8 08:36:58 EST 2016
> root@eric:/etc/namedb/slave# ls -al superficialinjurymonkey.com
> *
> -rw-r--r-- 1 named named  714 Feb  8 03:51 superficialinjurymonkey.com
> 
> -rw-r--r-- 1 named named 1236 Feb  8 03:51 superficialinjurymonkey.com.jnl
> root@eric:/etc/namedb/slave#
> 
> So, you should be able to just run 'ls' and see if the 'mtime' is larger
> than you expect...

This is an interesting hint and good starting point. Thanks.

Nevertheless, I would additionally need to extract the SOA refresh
value for every zone to find out if a zone is not fresh any more.

Thanks
Klaus


Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
The standard, compatible way to do this is simply to do a lookup for the
SOA record and make sure that the serial number matches what you expect it
to be / what is on the master. I'm not sure what monitoring tool you are
using (or if you are writing your own), but most standard monitoring tools
have such a script already written - e.g:
https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/checkexpire/details

I believe that BIND also updates the mtime on the zone file when it does
the check (not only when something changes):
root@eric:/etc/namedb/slave# date
Mon Feb  8 08:36:58 EST 2016
root@eric:/etc/namedb/slave# ls -al superficialinjurymonkey.com*
-rw-r--r-- 1 named named  714 Feb  8 03:51 superficialinjurymonkey.com
-rw-r--r-- 1 named named 1236 Feb  8 03:51 superficialinjurymonkey.com.jnl
root@eric:/etc/namedb/slave#

So, you should be able to just run 'ls' and see if the 'mtime' is larger
than you expect...

W


On Mon, Feb 8, 2016 at 5:40 AM Klaus Darilion 
wrote:

> Hi!
>
> I want to monitor the freshness of my slave zones. Is it somehow
> possible to extract the status of slave-zones from bind?
>
> Thanks
> Klaus
>

Re: How to check slave zone freshness

2016-02-08 Thread Tony Finch
Klaus Darilion  wrote:
>
> I want to monitor the freshness of my slave zones. Is it somehow
> possible to extract the status of slave-zones from bind?

If you are running 9.10 or later you can use `rndc zonestatus`.

I have an older script which just looks at the timestamp of the zone
files; BIND bumps the timestamp whenever it successfully refreshes the
zone, even if it didn't need to transfer any changes.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Irish Sea: Southwesterly veering northwesterly later, 6 to gale 8,
occasionally severe gale 9 or storm 10 at first in south. Rough or very rough,
occasionally high at first in south. Showers. Good, occasionally poor.


How to check slave zone freshness

2016-02-08 Thread Klaus Darilion
Hi!

I want to monitor the freshness of my slave zones. Is it somehow
possible to extract the status of slave-zones from bind?

Thanks
Klaus