Re: Getting all IP addresses for a domain name

2020-01-29 Thread Leroy Tennison
Thanks to both of you for your replies, +trace did show me the name servers for 
the domain and which answered, I would still need to query the other name 
servers but that's OK.  I wasn't aware that the standard DNS reply would show 
all A records for a domain - that's good to know, I wish I had a DNS round 
robin configuration to test against (we don't use it internally).  Fortunately 
I don't have to worry about different IP addresses based on location and my 
"context" doesn't involve CDNs so I can avoid that issue.

From: bind-users on behalf of Matus UHLAR - fantomas
Sent: Wednesday, January 29, 2020 1:34 PM
To: bind-users@lists.isc.org
Subject: [EXTERNAL] Re: Getting all IP addresses for a domain name

On 29.01.20 19:12, Leroy Tennison wrote:
> I ran into a situation where the IP (v4) address returned for a domain was
> different from two systems.  It turned out that two DNS servers served the
> domain and were replying with different IP addresses (discovered by doing
> whois on the domain followed by dig @ for each name server).
> This led me to wonder "How would I get all IP addresses if DNS round robin
> was being used?"  I work with external organizations so I can't count on
> the DNS server being ISC's.  I'm not concerned about multiple servers
> behind a single IP address (Anycast for instance) because I consider
> issues related to that to be the destination organization's problem, I'm
> only concerned with what possible IP addresses could be returned in
> response to a query.

in standard operation, DNS returns all A records associated with a domain
name.

However, current CDNs tend to send different IPs for different clients,
often just the one that is topologically closest to the client.

Unfortunately, such CDNs don't provide all possible addresses so I guess you
are unlucky here.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
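
The procedure this thread arrives at (list the domain's name servers, query each one directly, compare the answers), as an added shell example that is not part of any poster's message. The function names and the overridable `DIG` variable are assumptions made here; only standard `dig` options are used.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes BIND's dig is on PATH.
# DIG may be pointed at a stub to exercise the logic without network access.
DIG=${DIG:-dig}

# Authoritative name servers for the domain, one per line, trailing dot removed.
list_nameservers() {
    $DIG +short NS "$1" | sed 's/\.$//' | sort -u
}

# Ask one name server directly, without recursion, and print the IPv4
# addresses in its answer. A standard reply carries every A record of the
# name, so round-robin sets show up complete here.
a_records_from() {    # usage: a_records_from <domain> <nameserver>
    $DIG +norecurse +short A "$1" "@$2" |
        grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u
}

# "<nameserver> <address>" for every address each server returns.
per_server_answers() {
    for ns in $(list_nameservers "$1"); do
        for ip in $(a_records_from "$1" "$ns"); do
            printf '%s %s\n' "$ns" "$ip"
        done
    done
}

# Union of the addresses returned by all name servers.
all_addresses() {
    per_server_answers "$1" | awk '{ print $2 }' | sort -u
}

# Addresses that at least one name server does not return: the symptom
# described in the thread (two servers answering differently).
inconsistent_addresses() {
    total=$(list_nameservers "$1" | wc -l)
    per_server_answers "$1" | awk -v n="$total" '
        { seen[$2]++ }
        END { for (ip in seen) if (seen[ip] < n) print ip }' | sort
}
```

Call `all_addresses <domain>` for the union and `inconsistent_addresses <domain>` for addresses some server omits. As noted in the thread, servers that tailor answers per client (CDNs) only show the view from the querying host.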


Re: Getting all IP addresses for a domain name

2020-01-29 Thread Matus UHLAR - fantomas

On 29.01.20 19:12, Leroy Tennison wrote:

> I ran into a situation where the IP (v4) address returned for a domain was
> different from two systems.  It turned out that two DNS servers served the
> domain and were replying with different IP addresses (discovered by doing
> whois on the domain followed by dig @ for each name server).
> This led me to wonder "How would I get all IP addresses if DNS round robin
> was being used?"  I work with external organizations so I can't count on
> the DNS server being ISC's.  I'm not concerned about multiple servers
> behind a single IP address (Anycast for instance) because I consider
> issues related to that to be the destination organization's problem, I'm
> only concerned with what possible IP addresses could be returned in
> response to a query.


in standard operation, DNS returns all A records associated with a domain
name.

However, current CDNs tend to send different IPs for different clients,
often just the one that is topologically closest to the client.

Unfortunately, such CDNs don't provide all possible addresses so I guess you
are unlucky here.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


RE: Getting all IP addresses for a domain name

2020-01-29 Thread Lightner, Jeffrey
"dig +trace " will show the whole path to a given record from root 
servers down through registrar to the name servers the registrar specifies.


From: bind-users On Behalf Of Leroy Tennison
Sent: Wednesday, January 29, 2020 2:13 PM
To: bind-users@lists.isc.org
Subject: Getting all IP addresses for a domain name

I ran into a situation where the IP (v4) address returned for a domain was 
different from two systems.  It turned out that two DNS servers served the 
domain and were replying with different IP addresses (discovered by doing whois 
on the domain followed by dig @ for each name server).  This led 
me to wonder "How would I get all IP addresses if DNS round robin was being 
used?"  I work with external organizations so I can't count on the DNS server 
being ISC's.  I'm not concerned about multiple servers behind a single IP 
address (Anycast for instance) because I consider issues related to that to be 
the destination organization's problem, I'm only concerned with what possible 
IP addresses could be returned in response to a query.

Thanks in advance for any information.

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com



Getting all IP addresses for a domain name

2020-01-29 Thread Leroy Tennison
I ran into a situation where the IP (v4) address returned for a domain was 
different from two systems.  It turned out that two DNS servers served the 
domain and were replying with different IP addresses (discovered by doing whois 
on the domain followed by dig @ for each name server).  This led 
me to wonder "How would I get all IP addresses if DNS round robin was being 
used?"  I work with external organizations so I can't count on the DNS server 
being ISC's.  I'm not concerned about multiple servers behind a single IP 
address (Anycast for instance) because I consider issues related to that to be 
the destination organization's problem, I'm only concerned with what possible 
IP addresses could be returned in response to a query.

Thanks in advance for any information.

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com




Re: NSEC3 salt change - temporary performance decline

2020-01-29 Thread Klaus Darilion
On 21.01.2020 at 16:40, Ondřej Surý wrote:
> We are currently investigating performance degradation related to big IXFRs.
> Do you use ixfr-from-differences in your BIND configuration?  You could try
> enforcing AXFR on salt change.
> 
> This is currently tracked as 
> https://gitlab.isc.org/isc-projects/bind9/issues/1447
> 
> and associated feature request: 
> https://gitlab.isc.org/isc-projects/bind9/issues/1515

thanks for giving priority to this issue.

Regards
Klaus


Re: NSEC3 salt change - temporary performance decline

2020-01-29 Thread Klaus Darilion
Hello Niels!

Thanks for bringing this to attention. I have reported it before [1][2]
without response.

We see this regularly. AFAIS it happens actually always, but if the IXFR
is small, the performance decline is so short that you usually won't
notice it.

The bigger the zone change (i.e. NSEC3 change, full resigning*), the
longer the performance decline is, and you will notice it more often.

*We don't resalt or resign completely - but this is what several of our
TLD customers do.

I hope it will be fixed soon, we already test other software.

regards
Klaus


[1] https://lists.isc.org/pipermail/bind-users/2018-March/099814.html
[2] https://lists.isc.org/pipermail/bind-users/2019-March/101579.html


On 21.01.2020 at 15:43, Niels Haarbo via bind-users wrote:
> Hello BIND users
> 
> Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all 
> the relevant records and the zone is transferred using IXFR to the 
> authoritative servers (6 nodes).
> 
> Two of the 6 authoritative servers (BIND 9.11.13 and 9.11.14) are affected by 
> a performance decline shortly after the change of salt. This has happened 
> after the last 3 changes of salt and the period of performance decline is 
> within 30 - 90 minutes. Most queries are dropped by the affected nodes during 
> the period. The normal rate is between 1.000 and 1.500 queries/second.
> 
> Other nodes running NSD and Knot are not affected.
> 
> What could be the reason for the performance decline?
> 
> Best regards
> 
> Niels Haarbo
> DK Hostmaster A/S
> 
> 