Re: Zone set for dynamic updating isn't updating

2021-03-04 Thread Bruce Johnson
Thanks, this should help.

On Mar 4, 2021, at 12:40 PM, Mark Andrews <ma...@isc.org> wrote:

The permissions on the directory holding the zone file and journal need to 
allow named to create files.   Named will recreate new versions of these as 
part of processing the dynamic update and move them into place once they are 
complete.

If you are running Linux also see SELinux settings as they add additional 
constraints.  Additionally if you are running as root named does not have 
permission to override file permissions root normally has.


--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Zone set for dynamic updating isn't updating

2021-03-04 Thread Mark Andrews
The permissions on the directory holding the zone file and journal need to 
allow named to create files.   Named will recreate new versions of these as 
part of processing the dynamic update and move them into place once they are 
complete. 

If you are running Linux also see SELinux settings as they add additional 
constraints.  Additionally if you are running as root named does not have 
permission to override file permissions root normally has. 

-- 
Mark Andrews

> On 5 Mar 2021, at 05:59, Bruce Johnson wrote:
> 
> We have one zone set for Active directory to update dynamically that has 
> stopped doing so.
> 
> Someone manually updated the zone without doing a freeze/thaw and the host 
> that was added wasn’t properly resolving. What I found looking for a solution 
> was to freeze the zone, delete the .jnl file, update the serial #, then thaw 
> the zone. That got lookup working properly again, but now the zone is no 
> longer updating. I found a bunch of errors about permissions denied
> 
> Mar  2 14:00:30 example named[42659]: etc/DynZone.Hosts.jnl: create: permission denied
> 
> I created the file and chowned it to named
> 
> but it hasn’t been written to:
> 
> -rw-r--r--. 1 root  root  108578 Feb 22 09:43 DynZone.Hosts
> -rw-rw-r--. 1 named named  0 Mar  2 14:01 DynZone.Hosts.jnl
> 
> I know that there have been new hosts added that should have been updated in 
> that zone.
> 
> It was working before the incident so I don’t think it’s a permissions issue, 
> but I could well be wrong.
> 
> Unfortunately I can’t really find any info on what the permissions SHOULD be 
> for the bind config and files.
> 
> Another clue that permissions are wrong, is that any time I’ve tried to set 
> up logging directives in named.conf restarting it results in a failure due to 
> permissions; but as I mentioned, it was working until recently.
> 
> This is the zone config in named.conf:
> 
> zone "DynZone.com" {
>   type master;
>   file "etc/DynZone.Hosts";
>   check-names ignore;
>   allow-update {"trusted";};
> };
> 
> The trusted acl is a list of our (name) vlans, but checking the config syntax 
> with named-checkconf -z shows all are properly loading, and the zone transfers 
> after the manual update did work.
> 
> -- 
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
> 
> Institutions do not have opinions, merely customs
> 
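The directory check described in the reply above, as an added example that is not part of the original thread: it tests whether a given user can create files in the directory that holds the zone file and journal, using plain mode bits with no root override. It assumes Linux with GNU `stat`; the function names `can_create` and `report` are hypothetical, and the default user `named` is taken from the file listing in the question.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU coreutils stat.
# can_create DIR USER: exit 0 if USER has write+search on DIR by plain mode
# bits. Root gets no override here, matching the reply's note about named.
# Only DIR itself is examined; parent directories must also be searchable.
can_create() (
    dir=$1; user=$2
    info=$(stat -c '%U %G %a' "$dir") || exit 2
    owner=${info%% *}; rest=${info#* }
    group=${rest%% *}; mode=${rest#* }
    m=$((mode % 1000))            # drop any setuid/setgid/sticky digit
    if [ "$user" = "$owner" ]; then
        d=$((m / 100))            # owner bits apply
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$group"; then
        d=$((m / 10 % 10))        # group bits apply
    else
        d=$((m % 10))             # other bits apply
    fi
    [ $((d & 3)) -eq 3 ]          # w (2) and x (1) are both needed to create files
)

# report DIR [USER]: print ownership, the verdict, and the SELinux label if any.
report() {
    dir=$1; user=${2:-named}
    stat -c 'dir=%n owner=%U group=%G mode=%a' "$dir"
    if can_create "$dir" "$user"; then
        echo "OK: $user can create journal and replacement zone files in $dir"
    else
        echo "FAIL: $user cannot create files in $dir (expect 'create: permission denied')"
    fi
    # SELinux adds constraints on top of the mode bits; show what applies.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce); context: $(ls -dZ "$dir")"
    fi
}

# Usage: sh check-zone-dir.sh /path/to/zone/directory [user]
if [ "$#" -ge 1 ]; then report "$1" "${2:-named}"; fi
```

A journal file that is itself owned by `named`, as in the listing in the question, does not change the result: the check is about the directory, because new versions of the files are created there and moved into place.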


Zone set for dynamic updating isn't updating

2021-03-04 Thread Bruce Johnson
We have one zone set for Active directory to update dynamically that has 
stopped doing so.

Someone manually updated the zone without doing a freeze/thaw and the host that 
was added wasn’t properly resolving. What I found looking for a solution was to 
freeze the zone, delete the .jnl file, update the serial #, then thaw the zone. 
That got lookup working properly again, but now the zone is no longer 
updating. I found a bunch of errors about permissions denied

Mar  2 14:00:30 example named[42659]: etc/DynZone.Hosts.jnl: create: permission denied

I created the file and chowned it to named

but it hasn’t been written to:

-rw-r--r--. 1 root  root  108578 Feb 22 09:43 DynZone.Hosts
-rw-rw-r--. 1 named named  0 Mar  2 14:01 DynZone.Hosts.jnl

I know that there have been new hosts added that should have been updated in 
that zone.

It was working before the incident so I don’t think it’s a permissions issue, 
but I could well be wrong.

Unfortunately I can’t really find any info on what the permissions SHOULD be 
for the bind config and files.

Another clue that permissions are wrong, is that any time I’ve tried to set up 
logging directives in named.conf restarting it results in a failure due to 
permissions; but as I mentioned, it was working until recently.

This is the zone config in named.conf:

zone "DynZone.com" {
   type master;
   file "etc/DynZone.Hosts";
   check-names ignore;
   allow-update {"trusted";};
};

The trusted acl is a list of our (name) vlans, but checking the config syntax 
with named-checkconf -z shows all are properly loading, and the zone transfers 
after the manual update did work.

-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs



Re: BIND server; dig vs dig +trace on failing lookup.

2021-03-04 Thread Tony Finch
Gregory Sloop wrote:

> Would you mind showing me how you got there?

I like https://dnsviz.net/ and https://zonemaster.net/ - dnsviz is better
at showing DNSSEC issues, and zonemaster has a bigger collection of
general DNS checks, so it's worth using them both.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Southwest Fitzroy: Cyclonic 4 to 6, occasionally 3 at first, becoming
easterly or northeasterly later. Moderate or rough. Showers, thundery at
first. Good, occasionally poor.



Re: hardware requirements

2021-03-04 Thread Muthukumar Subbarayan
Tweak your firewall

On Thu, 4 Mar, 2021, 1:17 PM ShubhamGoyal wrote:

> Dear sir,
>
> I want to ask about what is the Hardware requirements. If 1 million
> queries/sec comes in our Recursive resolver (bind 9.16.11) in Centos 8
>
> thanks


Re: hardware requirements

2021-03-04 Thread Anand Buddhdev
Hello Shubham,

Running a DNS resolver service that can handle a million queries/s isn't
a simple matter of just installing some servers and clicking some
buttons. You need to have a clear and well-structured project that
considers many things. Hardware requirements are just a very small part
of it, and even then, asking for hardware requirements based on just one
metric like the query rate is rather amateurish.

Regards,
Anand

On 04/03/2021 08:41, ShubhamGoyal wrote:

> Dear sir,
> 
> I want to ask about what is the Hardware requirements. If 1 million
> queries/sec comes in our Recursive resolver (bind 9.16.11) in Centos 8