Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Niall O'Reilly
On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote:
 Use a firewall (with deep packet inspection) to restrict by subnet.  
 Then use the TSIG key in the allow-update statement.
 
 Unfortunately, to my knowledge, that's the only way to do this.

Wouldn't using a BIND view to restrict by subnet work instead
of a firewall?

/Niall


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Secondary and TLD not updating

2008-11-17 Thread Holger Honert

Chris Thompson schrieb:

On Nov 17 2008, Res wrote:


On Sun, 16 Nov 2008, Jeff Justice wrote:

Well, first part solved.  I forgot to change the IP address of our 
nameserver at the registrar.  Secondary is still not updating though.



options { directory "/opt/local/etc/named/";
listen-on port 53 { 127.0.0.1; 74.87.108.83; };
pid-file none; statistics-file "named.stats";
datasize 20M; allow-recursion { localnets; };
allow-transfer { any; };
};


Ack! allow-transfer should never be any


What, never? Why not?


Security issue! You really want everyone to download your zone(s)?


Greetings

Holger




Re: Secondary and TLD not updating

2008-11-17 Thread Jeff Justice

Ack! allow-transfer should never be any


What, never? Why not?


Security issue! You really want everyone to download your zone(s)?


That is a decision for each operator to make.  The ability to
transfer a zone is not by itself a security issue.


I guess the question is, what information can be gained from a  
transfer that can't be gained through a query or dig?


Jeff J.



Re: Secondary and TLD not updating

2008-11-17 Thread Jefferson Ogata

On 2008-11-17 14:25, Holger Honert wrote:

Chris Thompson schrieb:

On Nov 17 2008, Res wrote:

Ack! allow-transfer should never be any


What, never? Why not?


Security issue! You really want everyone to download your zone(s)?


I couldn't care less. If the security of my systems were the least bit
dependent on keeping DNS records secret, I would kinda suck as an admin,
wouldn't I?

Allowing any user to do zone transfers from my nameserver might put
unnecessary load on my nameservers. I could *almost* care about that, if
you paid me to. And for this reason only, I limit transfers to
legitimate slaves.

Since AXFR is TCP only, it can't be used for an amplification attack, so
that's not an issue.

It's much ado about nothing. This paranoia about DNS privacy is largely
responsible for the significant delay in implementing the long-overdue
DNSSEC extensions. Here's a suggestion: if you have secrets, don't
publish them in a publicly accessible database.

--
Jefferson Ogata : Internetworker, Antibozo


Re: Lots of errors, having 'lame' day, suggestions?

2008-11-17 Thread Scott Haneda
So it looks like my zone config file, not the actual zone, but the  
config statement that is in conf was gone.  I added it back in and all  
is well now.


I have run rndc reload so many times, I have no idea how it was  
deleted; it is all in one file, not separate files, so it seems  
unlikely it was a slip of the fingers.


It also was up and running for a long time, and then all of a sudden  
died.  Is there any way you know to check that a zone has its  
matching configuration options?  I suppose I really can only check in  
the other direction.


On Nov 17, 2008, at 6:48 AM, Chris Buxton wrote:


No, the bad referral is coming from your own server.

The query (cache) denied message means that your server doesn't  
consider itself to be authoritative for the zone in question. Find  
out why.


--
Scott



Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Actually, to take this a step further, is there any remote possibility to
combine this with update-policy as well?

I know both questions have been mentioned on the list before with varied
answers, but I wanted to raise it again since this was finally figured out.

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt [EMAIL PROTECTED] wrote:

allow-update { !{!10/8;any;}; key update-key; };
 
  Wouldn't this still permit any client on the 10/8 subnet to update the
  zones?

 It's very confusing syntax, but no.

 You're probably thinking in boolean algebra (I did too, when I first
 encountered this).  If it were boolean algebra, you could redistribute
 the negatives: !{!10/8; any;} becomes {!!10/8; !any;} and then
 simplifies to {10/8; none;}.

 But ACLs aren't boolean, so you can't do that.  Each element has three
 possible results not two: match and accept, match and reject, or no
 match, which means continue processing.

 When an ordinary ACL element matches and is negated (for example, the
 element is !10/8; and the address is 10.0.0.1) that means match and
 reject.  But if the match is inside of a *nested* ACL, then it's treated
 differently:  A negative result means the nested ACL didn't match--and
 so you continue processing.

 So if you're checking address A against an ACL of one of the following
 forms, these will be the results:

{ A;B; }   == A is allowed, accept immediately
{  {  A; }; B; }   == A is allowed, accept immediately
{!A;B; }   == A is forbidden, reject immediately
{ !{  A; }; B; }   == A is forbidden, reject immediately
{  { !A; }; B; }   == A matched but was negated, try element B
{ !{ !A; }; B; }   == A matched but was negated, try element B

 Those last two lines there are confusingly similar (and, as written,
 useless).  The difference is what happens if you're checking an address
 *other* than A, and something else in the nested ACL matches it.

{  { !A; any; }; B; }  == any address other than A is accepted at once,
  but A is only accepted if B matches too.
  boolean translation: ((not A) or (A and B))

{ !{ !A; any; }; B; }  == any address other than A is *rejected* at
 once,
  but A is accepted as long as B matches too.
  boolean translation: (A and B)

 Hope that's helpful.  (*I* find it hard to keep this syntax straight, and I
 wrote a big chunk of the code that implements it in BIND 9.5...)

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.


Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Yeah it would most likely be a feature request/change.

IIRC update-policy cannot be used in conjunction with the allow-update
statement. Personally I prefer the usage of update-policy as I can assign
different business units within my organization to take responsibility for
certain records/record types.

As I'm using a multi-view server (public and private IP) I'm concerned that
the update keys used might get compromised (computer stolen or whatever)
thus it would be useful to be able to limit the capability for updates for
specified IP-ranges.

This is achieved with the allow-update policy given throughout this
conversation, but as you cannot use them in conjunction with update-policy I'm
not able to limit certain records/record types to keys.

To put this in a conf example I'm thinking something like:

allow-update {
! { !10/8; any; };
update-policy { grant key subdomain dummy.com ALL; };
};

I hope this makes sense.

/Jonathan

On Mon, Nov 17, 2008 at 4:43 PM, Evan Hunt [EMAIL PROTECTED] wrote:


  Actually, to take this a step further, is there any remote possibility to
  combine this with update-policy as well?

 I'm not sure what you mean.

 I believe you can use allow-updates to filter according to IP address
 and then update-policy to filter according to key; that might be an
 easier way to accomplish the same thing.  I've never done so, but I'd
 expect it to work.  But it sounds like you're asking for a feature
 change... clarify please?

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.


Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Evan Hunt
 IIRC update-policy cannot be used in conjunction with the allow-update
 statement.

My bad--you're right.  There's code I'd never noticed before that says
allow-update will be ignored if update-policy is set.  Whoops.

(Oddly, the check only applies when both of them are defined in the
zone itself.  You can put allow-updates in the view options and
update-policy in the zone, and named won't complain about it...
but it also won't work the way you want it to.)

I don't know why it was implemented this way--there's no protocol reason
I can see.  (There may be other reasons I don't know about.)  It's probably
not a high enough priority for ISC to devote engineering resources to it at
this time, but if someone submitted a patch that added an ACL check to the
update-policy syntax, I'm sure we'd consider it.

--
Evan Hunt -- [EMAIL PROTECTED]
Internet Systems Consortium, Inc.


Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Guess I should start digging in the code then :)


Re: Secondary and TLD not updating

2008-11-17 Thread Kevin Darcy

Res wrote:

On Mon, 17 Nov 2008, Jefferson Ogata wrote:


On 2008-11-17 14:25, Holger Honert wrote:

Chris Thompson schrieb:

On Nov 17 2008, Res wrote:

Ack! allow-transfer should never be any


What, never? Why not?


Security issue! You really want everyone to download your zone(s)?


I couldn't care less. If the security of my systems were the least bit
dependent on keeping DNS records secret, I would kinda suck as an admin,
wouldn't I?



does your employer know this is your attitude? he/she might take a 
different stand :) I know you'd no longer be working for me, if that 
was your take on how things should be.



Sounds like a veiled threat, and, if so, highly inappropriate.

As stated before, this is a decision that needs to be made by each 
organization, according to an *intelligent* and *informed* consideration 
of the risks, benefits and drawbacks. In my experience, most security 
experts (either self-proclaimed or possessing some 
ultimately-meaningless piece of paper that designates them as such) are 
ignorant of DNS and need to be brought up to speed. DNS admins, on the 
other hand, generally need to be more sensitive to different security 
contexts and requirements. They can meet in the middle and come up with 
an appropriate solution.


Any blanket rule of always restrict zone transfers is foolish, as 
would be a blanket rule of always leave zone transfers completely open.


- Kevin



Re: Secondary and TLD not updating

2008-11-18 Thread Dawn Connelly
Hey, maybe it's time to agree to disagree on this one? If Bert and Ernie can
live together in roommate bliss, I'm sure we can all accept and appreciate
each other's differences.

On Mon, Nov 17, 2008 at 7:47 PM, Kevin Darcy [EMAIL PROTECTED] wrote:

 [EMAIL PROTECTED] wrote:

 Just because individual records are public doesn't mean you should allow
 just anyone to configure their nameserver as a slave to your domain.
 There's no benefit to allowing transfers to just anybody except for the
 allowance it makes for the laziness of admins.


 Incorrect. I've often AXFR'ed people's zones to help troubleshoot problems
 they've reported.

 Weigh that against the risks of DoS attacks, and the sucking up of
 precious upload bandwidth by domain transfers out.  Each such transfer could
 well use many many queries' worth of bandwidth.

 Individual queries of every record in the zone consumes as much or even
 more bandwidth.

 Moreover, if a would-be hacker were to start *guessing* at names in the
 zone, then the total query traffic might actually be *substantially* larger
 than the zone transfer would be.

 (If Intrusion Detection/Prevention is in place, the hacker could fly under
 the radar horizon by spreading the queries over a moderately-long period of
 time, from different clients in a botnet, but the aggregate traffic might
 still be higher than an AXFR).

 Perhaps you don't understand that AXFRs are TCP. So reflection attacks
 aren't really an issue, and the usual concerns about
 DoS-amplification-via-reflector are misplaced.

 Admittedly, if one has exceptionally large RRsets in a given zone (e.g.
 using TXT RRs as a kind of _ad_hoc_ database), then allowing AXFRs might
 enable the hackers to find those RRsets and use them for amplification in
 subsequent DoS attacks. But the moral of that story is that one shouldn't
 use DNS as a generic distributed database, not that open AXFRs are
 inherently a security vulnerability.

 We never experienced any problems with having zone transfers completely
 open, for years. I realize that's just anecdotal evidence, but, on the other
 hand, are there any documented cases where open AXFRs were actually used in
 any kind of attack? If not, then I call FUD.


 Its one more potential vulnerability with no particular benefit.  Sounds
 like a poor trade to me.

 That's one opinion. I cited a particular benefit above. Another benefit
 is that maintaining lists of authorized slaves, potentially on a
 zone-by-zone basis, complicates named.conf and, as we all know, complicated
 configs lead to a higher risk of error, which can itself lead to
 security breaches.

 - Kevin





-- 
Google for President
YouTube for VP
in any year divisible by 4

Re: ISC launches new website and mailing list manager

2008-11-18 Thread Lars Hecking
 
 The mailing list conversion requires a little explanation:
 
 * The new one-stop page for all the lists under isc.org is
 https://lists.isc.org/mailman/listinfo
 
 Now, can it be configured to strip or reject html rubbish?




Re: Views and Blackhole

2008-11-18 Thread root net
Chris,

Thanks that worked.

RootNet08

On Tue, Nov 18, 2008 at 12:46 AM, Chris Buxton [EMAIL PROTECTED]wrote:

 Remove your subnet from the bogons ACL at the beginning.

 acl bogons {
 ! 192.168.16.0/21;
 0.0.0.0/8;
 [...]
 192.168.0.0/16;
 [...]
 };

 Chris Buxton
 Professional Services
 Men  Mice

 On Nov 17, 2008, at 8:38 PM, root net wrote:

 Hello,

 I have a server I am testing before I put in production.  Working on a more
 secure bind config.  BTW if anyone has any other suggestions on locking down
 bind beside below and chroot let me know.  I was adding views which has been
 debated time and time again whether or not it really helps but anyway.  My
 problem is I have the latest bogons from team-cymru which includes my
 internal network subnet 192.168.16.0/21.  So in the bogons list it says
 192.168.0.0/16 which is blackholed.  So my local network is being
 blackholed but it works fine when users not on the bogons query the server
 from the external view.  My question is how can I get this to work without
 adding each cidr block of the 192.168.0.0/16 separately or even breaking
 it up in /21s? I have tried everything I know how.  A sanitized portion of
 my named.conf is this:

 //For length sakes I took out the other networks.

 acl i_lan { 127.0.0.1; 192.168.16.0/21; };
 acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2; };
 acl bogons { 0.0.0.0/8;
   1.0.0.0/8;
   2.0.0.0/8;
   5.0.0.0/8;
   192.168.0.0/16;
   198.18.0.0/15;
   223.0.0.0/8;
   224.0.0.0/3;
 };

 options {
   version "Go Away";
   directory "/var/named";
   dump-file "/var/dump/named_dump.db";
   pid-file "/var/run/named/named.pid";
   statistics-file "/var/stats/named.stats";
   recursion no;
   allow-query { any; };
   listen-on { 127.0.0.1; 192.168.16.2; };
   recursive-clients 1000;
   tcp-clients 1000;
   auth-nxdomain yes;
   blackhole { bogons; };
 };

 view "internal" {
   match-clients { i_lan; };
   notify no;
   recursion yes;
   allow-transfer { i_dns; };
   zone "localhost" {
     type master;
     file "localhost.zone";
   };
   zone "127.in-addr.arpa" {
     type master;
     file "localhost.zone";
   };
   zone "0.in-addr.arpa" {
     type master;
     file "named.zero";
   };
   zone "255.in-addr.arpa" {
     type master;
     file "named.broadcast";
   };
   // zones go here
 };

 view "external" {
   match-clients { !i_lan; any; };
   recursion no;
   allow-transfer { i_dns; };
   // zones go here
 };


 Any help is appreciated and thanks in advance.

 RootNet08



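The matching rule Evan Hunt lays out in the "nsupdate ACL based on a key AND ip-subnet" thread above, and Chris Buxton's bogons fix in this thread, worked through in code. This is an added example, not ISC's code and not anything posted to the list: it models BIND 9 address-match-list evaluation in Python (the addresses, the shortened bogons list and the key name update-key are constructed test data) and checks that `!{ !10/8; any; }; key update-key;` behaves as (A and B), that a leading `!192.168.16.0/21` inside bogons keeps the LAN out of the blackhole, and that Evan's six-row table comes out as he states it.

```python
"""Three-valued evaluation of BIND 9 address match lists (added example).

Not code from ISC or from any post in this thread.  Rule being modelled:
each element yields accept, reject or no-match.  A negated element that
matches *directly* rejects at once, but a negative result coming out of a
*nested* ACL is treated as no-match and the next element is tried.
Addresses and key names below are constructed test data.
"""
import ipaddress
from dataclasses import dataclass

POSITIVE, NEGATIVE, NOMATCH = 1, -1, 0


@dataclass
class Elem:
    kind: str              # "addr", "any", "key" or "acl"
    value: object = None   # ip_network, key name, or list of Elem
    negate: bool = False   # leading "!" in named.conf


def addr(cidr, negate=False):
    return Elem("addr", ipaddress.ip_network(cidr, strict=False), negate)


def any_(negate=False):
    return Elem("any", None, negate)


def key(name, negate=False):
    return Elem("key", name, negate)


def acl(elems, negate=False):
    return Elem("acl", list(elems), negate)


def match(elems, ip, keyname=None):
    """Return POSITIVE, NEGATIVE or NOMATCH for (ip, keyname) against elems."""
    ip = ipaddress.ip_address(ip)
    for e in elems:
        if e.kind == "acl":
            # Only a positive result from the nested list counts; a negative
            # one is discarded and evaluation continues with the next element.
            if match(e.value, ip, keyname) != POSITIVE:
                continue
            hit = True
        elif e.kind == "addr":
            hit = ip in e.value
        elif e.kind == "any":
            hit = True
        elif e.kind == "key":
            hit = keyname is not None and keyname == e.value
        else:
            raise ValueError(e.kind)
        if hit:
            return NEGATIVE if e.negate else POSITIVE
    return NOMATCH


def allowed(elems, ip, keyname=None):
    """named grants only on a positive match; no match is a deny."""
    return match(elems, ip, keyname) == POSITIVE


# allow-update { !{ !10/8; any; }; key update-key; };   (Evan Hunt's list)
UPDATE_ACL = [acl([addr("10.0.0.0/8", negate=True), any_()], negate=True),
              key("update-key")]

# acl bogons { !192.168.16.0/21; 0.0.0.0/8; 192.168.0.0/16; 224.0.0.0/3; };
# blackhole { bogons; };   (Chris Buxton's fix, list shortened here)
BOGONS = [addr("192.168.16.0/21", negate=True), addr("0.0.0.0/8"),
          addr("192.168.0.0/16"), addr("224.0.0.0/3")]
BLACKHOLE = [acl(BOGONS)]

# acl i_lan { 127.0.0.1; 192.168.16.0/21; };  match-clients { !i_lan; any; };
I_LAN = [addr("127.0.0.1"), addr("192.168.16.0/21")]
EXTERNAL_VIEW = [acl(I_LAN, negate=True), any_()]


def evan_table(keyname="k"):
    """Evaluate the six one-address forms from Evan's post for address A
    (10.0.0.1) with B = key "k"; pass keyname=None to present no key."""
    A = "10.0.0.1"

    def a(neg=False):
        return addr("10.0.0.1/32", neg)

    forms = {
        "{ A; B; }": [a(), key("k")],
        "{ { A; }; B; }": [acl([a()]), key("k")],
        "{ !A; B; }": [a(True), key("k")],
        "{ !{ A; }; B; }": [acl([a()], True), key("k")],
        "{ { !A; }; B; }": [acl([a(True)]), key("k")],
        "{ !{ !A; }; B; }": [acl([a(True)], True), key("k")],
    }
    return {form: match(elems, A, keyname) for form, elems in forms.items()}


if __name__ == "__main__":
    for ip, k in [("10.0.0.1", "update-key"), ("10.0.0.1", None),
                  ("192.0.2.1", "update-key")]:
        print(f"update from {ip} key={k}: allowed={allowed(UPDATE_ACL, ip, k)}")
    for ip in ["192.168.16.5", "192.168.1.1", "203.0.113.5"]:
        print(f"{ip}: blackholed={allowed(BLACKHOLE, ip)} "
              f"external_view={allowed(EXTERNAL_VIEW, ip)}")
```

The point to hold on to: a negated nested ACL and a negated prefix are not the same thing. `blackhole { bogons; }` never rejects; it either matches positively or falls through to no-match, which is exactly why a leading `!192.168.16.0/21` inside bogons exempts the LAN without having to split 192.168.0.0/16 into pieces.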

RE: ISC launches new website and mailing list manager

2008-11-18 Thread Jeff Lightner
That reminds me of the debate over V chips/parental controls.  People
that DON'T want something think it is the responsibility of others not
to send it to them rather than THEIR own responsibility to block it with
the tools they have.

If you don't want HTML just set up a rule in your mail client that
blocks it.  If your mail client doesn't allow you to setup rules then
you probably need to use something created in the current millennium.



RE: Reverse lookups failing

2008-11-18 Thread Davenport, Steve M
Please disregard. This is working now. Was either an ASA firewall dns
filter which was stopped and restarted during testing or the setting of
both nameservers to run bind9.3.5-P2.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Davenport, Steve
M
Sent: Monday, November 17, 2008 8:20 PM
To: [EMAIL PROTECTED]
Subject: Reverse lookups failing


Hello,
 
I am having issues with reverse lookups failing and can not find the
cause. Running bind 9.3.5-P1 and 9.3.6rc1.
On an external server dig gives:
 
$ dig @harley.mc.utmck.edu -x 165.6.6.27
; <<>> DiG 9.5.0-P1 <<>> @harley.mc.utmck.edu -x 165.6.6.27
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

 
Internally the same query is fine:
$ dig @harley.mc.utmck.edu -x 165.6.6.27
; <<>> DiG 9.2.4 <<>> @harley.mc.utmck.edu -x 165.6.6.27
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1952
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;27.6.6.165.in-addr.arpa.       IN      PTR
;; ANSWER SECTION:
27.6.6.165.in-addr.arpa. 21600  IN      PTR     ns-2.hosp.utmck.edu.
;; AUTHORITY SECTION:
6.165.in-addr.arpa.     21600   IN      NS      ns-2.hosp.utmck.edu.
6.165.in-addr.arpa.     21600   IN      NS      harley.mc.utmck.edu.
;; ADDITIONAL SECTION:
ns-2.hosp.utmck.edu.    21600   IN      A       165.6.6.27
harley.mc.utmck.edu.    21600   IN      A       165.6.131.32
;; Query time: 18 msec
;; SERVER: 165.6.131.32#53(harley.mc.utmck.edu)
;; WHEN: Mon Nov 17 19:50:49 2008
;; MSG SIZE  rcvd: 144

The config file has allow query set on the reverse zone. This was
working earlier and I'm told there have been no network changes.
 
Does this appear to be a firewall issue? Is there anything else that
might help narrow down the problem?
 
Thanks for your assistance,
Steve


Re: bind9 no longer detect my ipv6 interface after having upgrade from ubuntu server 8.04 to 8.10

2008-11-18 Thread Adam Tkac
On Tue, Nov 18, 2008 at 04:13:35PM +0100, Thomas Manson wrote:
   Hi,

Hi,

  I've my secondary DNS Server that run bind9 version 9.5.0-P2 (from ubuntu
 8.10 server)
 
  Before, I was using the version on ubuntu 8.04 and it was working
 successfully with ipv6.
 

I think BIND from Ubuntu distribution is not compiled as GNU source
(with _GNU_SOURCE macro defined). It is needed to get IPv6 working.
The best solution is to open ticket in Ubuntu bug tracker.

Adam

-- 
Adam Tkac, Red Hat, Inc.


Re: Zone does not show an A record when using Dig

2008-11-18 Thread Shawn Somers

It's resolving correctly from dnsstuff.com ...


Shawn Somers
Systems Administrator
Skynet BroadBand
(360)802-6657



Steve Koon wrote:


I have one of my zones that is not showing one of the A records when 
using Dig anyone know why this is happening?


 


emailclick  A  64.186.224.244

 

 


Thanks,

Steve

 

 


=== Zone file content on secondary ===

$ORIGIN .
$TTL 900        ; 15 minutes
discoversunriver.com    IN SOA  ns1.escapia.com. nsadmin.escapia.com. (
                                2008111801 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                86400      ; expire (1 day)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.escapia.com.
                        NS      ns2.escapia.com.
                        NS      pdns1.ultradns.net.
                        NS      pdns2.ultradns.net.
                        A       69.25.129.10
                        MX      1 aspmx.l.google.com.
                        MX      5 alt1.aspmx.l.google.com.
                        MX      5 alt2.aspmx.l.google.com.
                        MX      10 aspmx2.googlemail.com.
                        MX      10 aspmx3.googlemail.com.
                        MX      10 aspmx4.googlemail.com.
                        MX      10 aspmx5.googlemail.com.
                        TXT     "v=spf1 ip4:64.186.224.192/26 ip4:69.63.216.128/26 ip4:69.63.211.0/25 ip4:69.25.129.6 ip4:72.18.155.106/29 a mx a:wezen.escapia.com include:aspmx.googlemail.com ~all"
$ORIGIN discoversunriver.com.
emailclick              A       64.186.224.244
googlea4183689          CNAME   google.com.
mail                    CNAME   crs.ultradns.net.
www                     A       69.25.129.10





Question about BIND 9.3.6 on Solaris

2008-11-19 Thread Jeff Wieland
Two things:

1.  Does change 2469 - solaris: Work around Solaris's select() limitations.
[RT #18769]  address the same problem as change 2406 in 9.3.5-P2 - Some 
operating systems have FD_SETSIZE set to a low value by default... 
[RT #18328]?

If not, what happened to RT #18328?

2.  I'm assuming that we need to use the ISC_SOCKET_USE_POLLWATCH
compile-time option on our Solaris boxes -- it doesn't appear that
there is are Solaris patches yet for Bug ID 6724237.
--
Jeff Wieland


Re: Help understanding lame server error

2008-11-19 Thread Mark Andrews

In message [EMAIL PROTECTED], Scott Haneda writes:
 I have a good deal if lame server errors in my logs, which I am not  
 entirely understanding.
 
 19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving  
 '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?):  
 209.234.64.192#53
 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.48.20#53
 19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving  
 '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?):  
 209.43.20.115#53
 19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.52.20#53
 19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.48.21#53
 
 My server is not allowing recursions, other than to localnets.  About  
 the only thing hitting it is an email server.  So I am not clear on  
 why these lookups are happening, or why they are coming from all these  
 other IPs.

The IP addresses above are the ones your server is querying.
 
 
 --
 Scott
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
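The log lines Scott quotes, run through a small summariser. This is an added example, not code from the post or from ISC. It assumes the lame-servers message format shown above (the five sample lines are Scott's, re-joined onto single lines) and groups them by the address at the end of each line, which, as Mark Andrews points out, is the server Scott's resolver queried and found lame, not a client querying him.

```python
"""Summarise BIND 9 "lame server" log lines by the server that was lame.

Added example, not from the original post or from ISC.  The regex assumes
the lame-servers message format quoted above; SAMPLE_LOG is the post's
five lines re-joined onto single lines.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53
19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53
19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53
19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53
"""

# timestamp, category, severity, queried name, zone named guessed, server#port
LAME_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: \w+: lame server resolving "
    r"'(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)$"
)


def parse_lame_lines(text):
    """Yield one dict per lame-server line; other log lines are skipped."""
    for line in text.splitlines():
        m = LAME_RE.match(line.strip())
        if m:
            yield m.groupdict()


def lame_by_server(text):
    """Map the queried (lame) server address -> sorted zones it was lame for."""
    out = defaultdict(set)
    for rec in parse_lame_lines(text):
        out[rec["server"]].add(rec["zone"])
    return {srv: sorted(zones) for srv, zones in out.items()}


def lame_by_zone(text):
    """Map zone -> sorted servers that were queried for it and answered lame."""
    out = defaultdict(set)
    for rec in parse_lame_lines(text):
        out[rec["zone"]].add(rec["server"])
    return {zone: sorted(servers) for zone, servers in out.items()}


if __name__ == "__main__":
    # Every address printed here is one *we* queried, not a client of ours.
    for zone, servers in sorted(lame_by_zone(SAMPLE_LOG).items()):
        print(f"{zone}: {', '.join(servers)}")
```

Grouping by zone makes the pattern obvious: 52.195.166.in-addr.arpa shows three different lame servers, so the problem is on the delegated side and there is nothing to fix locally; the messages are only worth logging if you intend to contact those operators.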


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Wed, Nov 19, 2008 at 09:55:52PM +0100,
 Adam Tkac [EMAIL PROTECTED] wrote 
 a message of 17 lines which said:

 If I understand correctly what RFC 4034, section 2.1.1 says ... If
 bit 7 has value 1, then the DNSKEY record holds a DNS zone key, and
 the DNSKEY RR's owner name MUST be the name of a zone... it is
 impossible. Each zone has to have his own KSK and ZSK pair, hasn't
 it?

[Warning: still struggling with the subtleties of KSK/ZSK.]

The text you quote is for DNS publication. But you typically do not
put KSK in the DNS, no?

I would say, quoting Tolkien: one ZSK per zone, but only one KSK to
sign them all.

[AFNIC manages six TLD so the answer interests us, too.]



Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Niall O'Reilly
On Wed, 2008-11-19 at 21:55 +0100, Adam Tkac wrote:
 does anyone know if is it possible to sign multiple domains with one
 KSK?

Adam,

I suspect your question may need to be more specific.

Are you asking about the signing process itself, or rather 
about how certain aspects of this process need to be exposed
in the DNS?

The RFC-fragment you cite seems to me to require that each 
signed zone needs its set of [KZ]SK exposed in the DNS, but 
to be silent on whether a single key can be reused by appearing
as RDATA in the DNSKEY RRsets of multiple zones.

I haven't read 4033/4034 thoroughly, so it's possible I may 
have misunderstood completely.

Best regards,

Niall O'Reilly




Re: Workaround Solaris's kernel bug

2008-11-20 Thread Stacey Jonathan Marshall

Thomas Schulz wrote:

Change 2489 says to define ISC_SOCKET_USE_POLLWATCH to workaround a
Solaris kernel bug about /dev/poll.  How do I know if I should define
this?  Should I just assume that if I am running Sloaris 8 then I need
to define ISC_SOCKET_USE_POLLWATCH?  Is there any down side to defining
this if it is not needed?

Tom Schulz
Applied Dynamics Intl.
[EMAIL PROTECTED]
  

Tom,

This is CR 6724237 
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Which was first 
introduced in Solaris 8.  At this time there is no patch for Solaris 8, 
9 or 10 and therefore ISC_SOCKET_USE_POLLWATCH should be defined when 
building BIND 9 for those systems.


Stacey Marshall
Sun Microsystems Ltd.


Zone not propogating to slaves

2008-11-20 Thread Steve Koon
I am getting on one of my slaves (69.25.129.117) yet on the other I get
the zone to come across from the master. Just a quirk here is that the
.117 slave has to be recycled before the zone comes across yet the .118
comes across when the master is recycle and a change has occurred in one
of the zones. By the way until this zone I have not had problems with
zones coming across to either slave although I have had to do a recycle
to the .117 to get them there.

 

Anyone know why I am getting this not authoritative message and no
zone file on .118 all of a sudden?

 

Thanks,

Steve

 

 

This is the log message in the 69.25.129.119 Master

 client 69.25.129.117#1305: transfer of 'manzanitavacation.com/IN': AXFR
started

client 69.25.129.117#1305: transfer of 'manzanitavacation.com/IN': AXFR
ended

 

This is the log message in the 69.25.129.118 slave

client 69.25.129.117#1304: received notify for zone
'manzanitavacation.com': not authoritative

 

This is the log message in the 69.25.129.117 slave

zone manzanitavacation.com/IN: Transfer started.

transfer of 'manzanitavacation.com/IN' from 69.25.129.119#53: connected
using 69.25.129.117#1305

zone manzanitavacation.com/IN: transferred serial 2008111901

transfer of 'manzanitavacation.com/IN' from 69.25.129.119#53: Transfer
completed: 1 messages, 8 records, 251 bytes, 0.109 secs (2302 bytes/sec)

zone manzanitavacation.com/IN: sending notifies (serial 2008111901)

 

 

 

=[1]== named.conf for 69.25.129.117 Slave =

options {
        directory "C:\WINDOWS\system32\dns\etc\named";
        pid-file "C:\WINDOWS\system32\dns\etc\named\run\named.pid";
        dump-file "C:\WINDOWS\system32\dns\etc\named\dump\named_dump.db";
        statistics-file "C:\WINDOWS\system32\dns\etc\named\stats\named.stats";
        zone-statistics yes;
        forwarders { 63.251.161.33; 216.231.41.2; };
        allow-query { any; };
        recursion yes;
        //allow-recursion { 69.25.129.119; };
        allow-transfer { 69.25.129.119; };
        listen-on-v6 { any; };
};

// log to named\log\named.log events from info UP in severity (no debug)
// defaults to use 3 files in rotation
// failure messages up to this point are in the event log
logging {
        channel my_log {
                file "C:\WINDOWS\system32\dns\etc\named\log\named.log" versions 3 size 250k;
                severity info;
        };
        category default { my_log; };
};

#
zone "manzanitavacation.com." in {
        type slave;
        file "c:\windows\system32\dns\etc\named\zones\db.manzanitavacation.com.zone";
        masters { 69.25.129.119; };
        allow-notify { 69.25.129.117; 69.25.129.118; };
};

=[1]=

 

=[2]== named.conf for 69.25.129.119 Master =

options {
        directory "C:\WINDOWS\system32\dns\etc";
        dump-file "C:\WINDOWS\system32\dns\etc\named\dump\nameddump.db";
        statistics-file "C:\WINDOWS\system32\dns\etc\named\stats\named.stats";
        pid-file "C:\WINDOWS\system32\dns\etc\named\run\named.pid";
        recursion yes;
        zone-statistics yes;
        forwarders { 63.251.161.33 ; 63.251.161.1; };

        #forward first;

        listen-on-v6 { any; };
        dnssec-enable yes;
};

key rndc-key { algorithm hmac-md5; secret ??; };

controls {
        inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};

logging {
        channel my_log {
                file "C:\WINDOWS\system32\dns\etc\named\log\named.log" versions 3 size 250k;
                severity info;
        };
        category default { my_log; };
};

#
zone "manzanitavacation.com." in {
        type master;
        file "c:\windows\system32\dns\etc\named\zones\manzanitavacation.com.zone";
};

 

=[3]== named.conf for 69.25.129.118 Slave ==

options {
        directory "C:\WINDOWS\system32\dns\etc\named";
        pid-file "C:\WINDOWS\system32\dns\etc\named\run\named.pid";
        dump-file "C:\WINDOWS\system32\dns\etc\named\dump\named_dump.db";
        statistics-file "C:\WINDOWS\system32\dns\etc\named\stats\named.stats";
        zone-statistics yes;
        forwarders { 63.251.161.33; 216.231.41.2; };
        allow-query { any; };
        recursion yes;
        //allow-recursion { 69.25.129.119; };
        allow-transfer { 69.25.129.119; };
        listen-on-v6 { any; };
};

// log to named\log\named.log events from info UP in severity (no debug)
// defaults to use 3 files in rotation
// failure messages up to this point are in the event log
logging {
        channel my_log {
                file "C:\WINDOWS\system32\dns\etc\named\log\named.log" versions 3 size 250k;


Re: Is it possible to use one KSK for multiple domains?

2008-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 20, 2008 at 11:55:17AM +,
 Chris Thompson [EMAIL PROTECTED] wrote 
 a message of 33 lines which said:

 The text you quote is for DNS publication. But you typically do not
 put KSK in the DNS, no?

 Sure you do. How could a validator use it if you didn't? 

Because it is published as a trust anchor?


Re: Help understanding lame server error

2008-11-20 Thread Dan
Have you tried looking up the client IP from another line in the logs from the 
same time?


-Original Message-
From: Scott Haneda [EMAIL PROTECTED]

Date: Thu, 20 Nov 2008 00:45:26 
To: BIND Users Mailing Listbind-users@lists.isc.org
Subject: Re: Help understanding lame server error


On Nov 19, 2008, at 6:19 PM, Kevin Darcy wrote:
 Scott Haneda wrote:
 I have a good deal of lame server errors in my logs, which I am not  
 entirely understanding.

 19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving  
 '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?):  
 209.234.64.192#53
 73.234.209.in-addr.arpa has been delegated to ns1.networkiowa.com  
 (address 209.234.64.192), but that nameserver is not responding  
 authoritatively for the zone. This is referred to technically as  
 being lame.

 Fortunately one of the other delegated nameservers  
 (storm.weather.net) *is* responding authoritatively. So the zone is  
 not completely broken. But named is logging this as a warning. You  
 can configure logging to ignore these lame-server conditions.

Generally I want to know, as there are cases where I mess up, and  
something bad happens.  I watch the logs, and know to fix it.  So I am  
not so much minding the data in my logs, but more just wanting to  
understand what is causing these lookups.

 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.48.20#53
 19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving  
 '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?):  
 209.43.20.115#53
 19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.52.20#53
 19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving  
 '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
 209.183.48.21#53
 I assume, without looking, that the causes for these are similar to  
 the example above.

Yes, I have thousands of these entries.  I usually use another NS to  
point my email server to, that one has become a little flakey, so I  
moved to using my own local NS on the same machine as the email server.

 My server is not allowing recursions, other than to localnets.  
 about the only thing hitting it is an email server. So I am not  
 clear on why these lookups are happening, or why they are coming  
 from all these other IP's
 Most email software these days, as a default, performs reverse- 
 lookups of connecting client addresses as a form of spam detection  
 (because it's common knowledge that spammers are genetically  
 incapable of populating reverse records). It is thus perfectly  
 normal to see a lot of reverse-lookup traffic from email servers.

Correct, but that is what is strange.  I am very familiar with my  
email server, and I am not doing reverse PTR record checking.  I am of  
course using some DNSBLs and DNSWLs as well, but no reverse checking.

Further, I have allowed only localnets to check recursively on this  
NS.  I know my IP range, and what machines would be hitting it.

 BTW, if you want to determine where all of these reverse lookups  
 were coming from, you could just turn on query logging. Why guess  
 when you can tell for sure?

This is the core of my question, maybe someone can point me to docs,  
or help me understand a log line.  In the example above, I see field 1  
is the date, field 2 is the time, field 3 looks like the error  
description, field 4 is the level, and then there are the rest of the  
bits.  However, I thought the last part, was an IP and a port, telling  
me, that IP, asked on port 53, for a lookup of my server.  So in this  
case, why do I need to look at the query log, when I believe, this log  
tells me who is doing the lookup.

If this really was the email server doing this lookup, all the lines  
should share the same IP in common.  So let's assume that for a  
second, this is a reverse record lookup, that means my email server is  
asking of my NS for a record/response.  Should I not see my IP in  
those log lines?

Here is another example, I think not a reverse lookup for sure:
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving  
'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53

Doesn't that mean that 195.178.32.2 requested a lookup from my NS for  
szi.szi.sv.gov.yu?  I have an email server, and a bunch of web  
servers, the web servers do not have DNS lookups on, so those are not  
asking anything of my DNS server.  The only thing that should be, is  
the email server, but that is not adding up, since I do not have  
reverse lookup checking enabled.

I can think of one thing, which is my web stats server, which I would  
think, does resolve IP's to host names, in order to show a report of  
what domains are going to websites.  That being said, I would think,  
that I should see the source of the 
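
As an added example (not part of the thread, and not ISC code), the following
Python parses BIND 9 lame-servers log lines of the shape quoted above and tallies
them per remote server. It makes Kevin's point mechanically visible: the address
at the end of a lame-servers line is the authoritative server named asked and
that answered without authority, never the client that sent the query. The
client only shows up in the queries category (rndc querylog); the sample log
below is constructed from the thread's lines plus one made-up query-log line to
show the difference.

```python
import re
from collections import Counter

# Shape of a BIND 9 lame-servers log line, as quoted in the thread:
#   19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving
#   '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
# The trailing address#port is the remote nameserver named queried and that
# answered non-authoritatively; it is not the client that asked us.
LAME_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"lame-servers: info: lame server resolving "
    r"'(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)


def parse_lame(line):
    """Return the fields of one lame-servers line, or None for any other line."""
    m = LAME_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_reverse(name):
    """True for PTR-style names, i.e. the reverse lookups Kevin refers to."""
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def summarize(lines):
    """Count lame answers per (remote server, zone) and split reverse vs forward names.

    Returns (per_server, reverse_count, forward_count). Lines from other
    categories (query log, general) and blank lines are skipped.
    """
    per_server = Counter()
    reverse = forward = 0
    for line in lines:
        rec = parse_lame(line)
        if rec is None:
            continue
        per_server[(rec["server"], rec["zone"])] += 1
        if is_reverse(rec["name"]):
            reverse += 1
        else:
            forward += 1
    return per_server, reverse, forward


# Constructed sample: the lines quoted in the thread plus one query-log line
# (the kind 'rndc querylog' produces) in which the client address does appear.
SAMPLE_LOG = """\
19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53
19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53
19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53
19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53
19-Nov-2008 15:36:35.102 queries: info: client 192.0.2.25#42817: query: 170.73.234.209.in-addr.arpa IN PTR + (192.0.2.1)
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving 'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53
"""

if __name__ == "__main__":
    per_server, rev, fwd = summarize(SAMPLE_LOG.splitlines())
    for (server, zone), n in per_server.most_common():
        print(f"{n:4d}  {server:<16} lame for {zone}")
    print(f"reverse lookups: {rev}, forward lookups: {fwd}")
```

Feeding a real named.log through summarize() gives a ranking of which remote
delegations are broken; if most names are in-addr.arpa, something on the host
is doing reverse lookups even if the mail server itself is not configured to.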

Re: socket: too many open file descriptors

2008-11-20 Thread JINMEI Tatuya / 神明達哉
At Thu, 20 Nov 2008 04:30:00 -0800 (PST),
pollex [EMAIL PROTECTED] wrote:

  9.3.4-P1.1 still seems to be a Debian specific version, but if this
  is featurewise equivalent to 9.3.5-P1, you should at least upgrade to
  9.3.5-P2 (and build it with a large value of ISC_SOCKET_MAXSOCKETS).
  In fact, I'd rather more strongly recommend 9.3.6.

First off, there was a typo in my previous response:
ISC_SOCKET_MAXSOCKETS should have been ISC_SOCKET_FDSETSIZE.

 how is the exact command line to compile with 4096 FDs?
 ./configure --ISC_SOCKET_MAXSOCKETS='4096'?

Replacing the macro name with the correct one, and assuming you're
using a Bourne-shell variant such as zsh or bash:

% STD_CDEFINES='-DISC_SOCKET_FDSETSIZE=4096' ./configure

But again, I'd rather strongly recommend 9.3.6.  Then you won't have
to care about ISC_SOCKET_MAXSOCKETS or any other annoying details
about FD consumption in the first place.  There should be no reason
for someone considering an upgrade to 9.3.5-P2 not to rather use
9.3.6.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Processing Expect - HTTP 417 on expect 100

2008-11-24 Thread Paul Cocker
Once again, Henrik is the man:

http://www.nabble.com/CONNECT-errors-with-2.7.STABLE2-2-td18261153.html
 
What I'm looking for is a brief, technical explanation of why this
setting defaults to off rather than on. I didn't really get from that
thread why the defaults were the way they were, especially as the
behaviour described with the Expect 100 wasn't in violation of spec,
just unusual.

We had a problem which was solved by this setting, and I want to be in a
position to explain why things were setup in a way which caused this to
occur.
 
Thanks,

Paul Cocker





Re: bind crash with timer.c

2008-11-25 Thread Adam Tkac
On Tue, Nov 25, 2008 at 11:36:36AM +0100, Olivier JUDITH wrote:

 I currently use bind 9.2.4-30.el4 as a primary server synchronized with NTP  
 from a GPS time source.
 Recently, the bind daemon crashed with the following error messages in the  
 /var/named/log/general file.

 Nov 12 09:41:15.417 general: info: zone 0.0.127.in-addr.arpa/IN: loaded  
 serial 1997041001
 Nov 12 09:41:15.439 general: info: zone so.srsa/IN: loaded serial 811051400
 Nov 12 09:41:15.439 general: notice: running
 Bad 00 99:99:99.999 general: critical: timer.c:645: fatal error:
 Bad 00 99:99:99.999 general: critical: RUNTIME_CHECK(isc_time_now(now)  
 == 0) failed
 Bad 00 99:99:99.999 general: critical: exiting (due to fatal error in  
 library)
 Nov 17 14:30:45.669 general: info: zone 0.0.127.in-addr.arpa/IN: loaded  
 serial 1997041001
 Nov 17 14:30:45.670 general: info: zone so.srsa/IN: loaded serial 811171428
 Nov 17 14:30:45.670 general: notice: running
 Nov 17 15:39:23.507 general: info: loading configuration from  
 '/etc/named.conf'
 Nov 17 15:39:23.511 general: info: zone so.srsa/IN: loaded serial 811171539

 After researching the bind list archive I found one answer from  
 *Mark Andrews* talking about a time-of-day problem. I checked my time  
 source and the local date on the server. Everything seems to be correct.
 Can you give me more explanation on this crash?

Hi,

it is quite hard to determine where exactly the problem is from the
information written above. The best solution will be to open a ticket in
the RH support tracker or RH Bugzilla and attach a core dump there.

Adam

-- 
Adam Tkac, Red Hat, Inc.


rfc1918 ns records coming from internet are queried?

2008-11-25 Thread David Sparks
Problem: when querying asdf.ad.rice.edu, bind sends queries into my local
network (specifically to 10.129.92.100, which is not a ns) which I find
undesirable.

Is there any way to disable this behavior?  Is it expected that bind queries
rfc1918 nameserver addresses from non-rfc1918 queries?  I would've expected
something along the lines of error: ... RFC 1918 response from Internet for 



$ dig @ns1.rice.edu asdf.ad.rice.edu

; <<>> DiG 9.4.1-P1 <<>> @ns1.rice.edu asdf.ad.rice.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52793
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;asdf.ad.rice.edu.              IN      A

;; AUTHORITY SECTION:
ad.rice.edu.            3600    IN      NS      support-dc7.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc6.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc5.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc4.rice.edu.

;; ADDITIONAL SECTION:
support-dc7.rice.edu.   3600    IN      A       10.136.93.4
support-dc6.rice.edu.   3600    IN      A       128.42.18.16
support-dc5.rice.edu.   3600    IN      A       10.129.92.100
support-dc4.rice.edu.   3600    IN      A       128.42.18.223

;; Query time: 82 msec
;; SERVER: 128.42.209.32#53(128.42.209.32)
;; WHEN: Tue Nov 25 15:29:48 2008
;; MSG SIZE  rcvd: 202



Re: Just to make sure I have TTL's understood.

2008-11-25 Thread Scott Haneda

On Nov 25, 2008, at 10:33 PM, Res wrote:

Aa an after-thought, check yor ACL's...normally, IIRC once you do an  
rndc reload and changes are detected the master notifies the slaves  
right away, I might be wrong but I'm sure it used to do that.



That is what I thought as well, either way, it has been much more than  
the 4 hours set in my  refresh value.


Thanks for your replies.
--
Scott



Re: Just to make sure I have TTL's understood.

2008-11-25 Thread Scott Haneda
Based on your suggestions, I have made a template zone file to base  
all new zones on, do you agree with this?


* When I need to change to a low TTL for migration needs, what would  
be the approach to that with this template format?


$TTL 1D
@   IN  SOA ns1.hostwizard.com. scott.hostwizard.com. (
200810011   ; serial, todays date + todays serial #
8H  ; refresh
2H  ; retry
4W  ; expire
1H ); minimum
@   IN  NS  ns1.hostwizard.com.
@   IN  NS  ns1.nacio.com.
@   IN  MX  10 gonepostal.hostwizard.com.  ; Primary Mail Exchanger


; email server base
pop IN  A   64.84.37.6
smtpIN  A   64.84.37.6
imapIN  A   64.84.37.6
@   IN  TXT "v=spf1 ip4:64.84.37.0/26 ?all"

; http website base
;@  IN  A   64.84.37.x
;wwwIN  A   64.84.37.x
;ftpIN  A   64.84.37.x

On Nov 25, 2008, at 10:17 PM, Res wrote:

this is overly messy, you are better off just setting your base TTL  
to 300

and be done with it until your move then reset it all back to 1d.


--
Scott
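
Added example, not from the thread: Res's advice ("set your base TTL to 300 until
the move, then put it back to 1D") applied to Scott's template with a small
Python helper that rewrites the $TTL directive and bumps the SOA serial. The
serial bump assumes the common YYYYMMDDnn convention (date plus a two-digit
counter); the zone text below is a constructed copy of the template. One caveat
the code also reports: lowering the TTL only takes effect for caches once the
old TTL has run out, so the change has to be published at least one old TTL
(here one day) before the addresses actually move.

```python
import re

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def ttl_seconds(value):
    """Parse a BIND TTL such as 300, 1H or 4W into seconds."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", value.strip())
    if not m:
        raise ValueError(f"bad TTL: {value!r}")
    return int(m.group(1)) * TTL_UNITS[(m.group(2) or "s").lower()]


def current_ttl(zone_text):
    """Seconds in the zone's $TTL directive. Records carrying their own TTL
    field would need a separate check; the template above has none."""
    m = re.search(r"^\$TTL\s+(\S+)", zone_text, flags=re.M)
    if not m:
        raise ValueError("no $TTL directive")
    return ttl_seconds(m.group(1))


def serial_of(zone_text):
    """The SOA serial: the first integer after the '(' of the SOA RDATA."""
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", zone_text)
    return int(m.group(1)) if m else None


def next_serial(old, today):
    """Bump a YYYYMMDDnn serial: same day -> nn+1, otherwise today + '01'.
    If the old serial is somehow already past today's range, add one so the
    serial still moves forward (RFC 1982 ordering; wrap-around not handled)."""
    if len(str(old)) == 10 and str(old).startswith(today):
        return old + 1
    candidate = int(today + "01")
    return candidate if candidate > old else old + 1


def set_ttl(zone_text, new_ttl, today):
    """Return the zone with $TTL rewritten to new_ttl and the serial bumped.
    today is 'YYYYMMDD'; a zone without $TTL or an SOA serial is rejected."""
    out, n = re.subn(r"^\$TTL\s+\S+", f"$TTL {new_ttl}", zone_text, count=1, flags=re.M)
    if n != 1:
        raise ValueError("no $TTL directive")

    def bump(m):
        return m.group(1) + str(next_serial(int(m.group(2)), today))

    out, n = re.subn(r"(\bSOA\b[^(]*\(\s*)(\d+)", bump, out, count=1)
    if n != 1:
        raise ValueError("no SOA serial found")
    return out


# Constructed copy of the template from the thread (serial and hosts as posted).
ZONE_TEMPLATE = """\
$TTL 1D
@   IN  SOA ns1.hostwizard.com. scott.hostwizard.com. (
        200810011   ; serial, todays date + todays serial #
        8H  ; refresh
        2H  ; retry
        4W  ; expire
        1H ); minimum
@   IN  NS  ns1.hostwizard.com.
@   IN  NS  ns1.nacio.com.
pop IN  A   64.84.37.6
"""

if __name__ == "__main__":
    wait = current_ttl(ZONE_TEMPLATE)
    lowered = set_ttl(ZONE_TEMPLATE, "300", "20081125")
    print(lowered)
    print(f"serial {serial_of(ZONE_TEMPLATE)} -> {serial_of(lowered)}; "
          f"wait {wait} s (old TTL) before changing addresses")
```

After the move, the same call with "1D" restores the long TTL and bumps the
serial again, so the slaves pick up both edits through the normal NOTIFY/AXFR path.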



Re: rfc1918 ns records coming from internet are queried?

2008-11-26 Thread David Sparks
 I'm looking for a way to set a policy that named wont
 query
 rfc1918 nameserver addresses returned from a non-rfc1918 query.
 Would this be
 a bad policy?
 
 You could use netmasks with your server statements, like this:
 
 server 10.0.0.0/8 {
 bogus yes;
 };
 
 server 172.16.0.0/12 {
 bogus yes;
 };
 
 server 192.168.0.0/16 {
 bogus yes;
 };
 
 You could even then override this for specific servers in those
 ranges, by using statements without netmasks (or more specific
 netmasks).

Thanks, that is a workaround that solves most of the problem, but
unfortunately it is not usable.  It requires that a list of the local
organizations dns servers are maintained which is unfeasible (large, global,
disparate organization).  Also, IP collision between local dns servers and
rogue rfc1918 responses will still send queries to the local dns servers.


A good border router will do a few things for network hygiene.  It will filter
incoming packets that have a source address from the internal network, and it
will filter outgoing packets that don't have a source IP in the internal 
network.

A DNS server should do a similar thing: it will not send rfc1918 queries to
the internet, and it will discard rfc1918 responses from the internet.

It appears Bind can't do this and I'm fine with that.  This email is simply to
clear up any confusion about what the issue is.

ds


Re: rfc1918 ns records coming from internet are queried?

2008-11-26 Thread Chris Buxton

On Nov 26, 2008, at 11:49 AM, David Sparks wrote:
  However, if you're concerned, it's pretty easy to set up a more secure
  infrastructure. Put a resolver (resolving name server) at the edge of
  your network (in a DMZ, presumably) that knows nothing of internal
  domains (nor IP address space). It refuses to send queries to private
  addresses, but will answer queries coming from them. Then set up an
  internal resolver that knows about your private namespace; for any
  outside domains, it forwards to the server on the edge of your
  network. Have client machines send queries to the internal resolver,
  not to the edge resolver.

 That will work but I was hoping for something like:

 view internet {
 filter-rfc1918-responses yes;
 ...

 However I'm not concerned. :)


You can in fact set up the environment I described using views. Just  
have the private view forward to the internet view. The following  
resolving name server will ignore referrals to private name servers  
for outside names; note that it's missing the masters list definition  
named private-auth-servers, plus the options statement, but is  
otherwise complete.


acl private {
        10/8;
        172.16/12;
        192.168/16;
        # does not include 127/8
};
view private {
        match-clients { private; };
        # forward unknown names to the internet view:
        forward only;
        forwarders { 127.0.0.1; };
        # stub, slave, or forward zones for the private namespace:
        zone "private.zone" {
                type stub;
                masters { private-auth-servers; };
                file "stub.private.zone";
                forwarders { }; # disable forwarding for stub zones
        };
};
view internet {
        server 10/8 { bogus yes; };
        server 172.16/12 { bogus yes; };
        server 192.168/16 { bogus yes; };
        allow-query { 127.0.0.1; };
};

Chris Buxton
Professional Services
Men & Mice



Re: rfc1918 ns records coming from internet are queried?

2008-11-26 Thread sthaug
  A border router knows what is inside and outside your network, while
  a DNS server does not. Important difference.
 
 You're missing the point.  This is not about inside and outside networks, it
 is about rfc1918 responses from internet queries.

I'm afraid I have seen too many organizations using a mix of public and
RFC1918 IP addresses on the inside. Thus I don't believe that you can
differentiate based on RFC1918 addresses or not on a general basis.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
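
Added example (not from the thread, not BIND code): the filtering David asked
for and that Chris's "server 10/8 { bogus yes; }" view implements, written out
in Python over the referral quoted earlier in the thread. It splits the glue in
a referral into addresses a resolver outside the private namespace may contact
and RFC 1918 addresses it must ignore, and it leaves 127/8 alone exactly as the
acl in Chris's config does. Steinar's caveat applies unchanged: a site that runs
its own authoritative servers on RFC 1918 space would have to exempt them (the
more-specific server statements Chris mentions) before applying a rule like
this. The dig output is a constructed copy of the one David posted.

```python
import ipaddress
import re

# RFC 1918 space only. 127/8 is deliberately left out, as in the acl in the
# thread: a resolver that forwards to itself over loopback must keep trusting it.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

NS_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)$")
ADDR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<addr>\S+)$")


def is_rfc1918(addr):
    """True if addr is in 10/8, 172.16/12 or 192.168/16 (IPv6 is never RFC 1918)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_referral(dig_text):
    """Pull NS targets (authority section) and glue (additional section) out of dig output."""
    section = None
    ns_targets, glue = [], {}
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line  # ";; AUTHORITY SECTION:", ";; ADDITIONAL SECTION:", ...
            continue
        if not line or line.startswith(";"):
            continue  # comments, headers and the ';name' question line
        if section == ";; AUTHORITY SECTION:":
            m = NS_RE.match(line)
            if m:
                ns_targets.append(m.group("target").lower())
        elif section == ";; ADDITIONAL SECTION:":
            m = ADDR_RE.match(line)
            if m:
                glue.setdefault(m.group("owner").lower(), []).append(m.group("addr"))
    return ns_targets, glue


def split_servers(dig_text):
    """Return (usable, rejected) lists of (nameserver, address) from a referral.

    A resolver outside the private namespace should contact only 'usable';
    'rejected' is what 'server 10/8 { bogus yes; }' and friends suppress.
    """
    ns_targets, glue = parse_referral(dig_text)
    usable, rejected = [], []
    for target in ns_targets:
        for addr in glue.get(target, []):
            (rejected if is_rfc1918(addr) else usable).append((target, addr))
    return usable, rejected


# Constructed copy of the referral David quoted (dig @ns1.rice.edu asdf.ad.rice.edu).
SAMPLE_DIG = """\
;; QUESTION SECTION:
;asdf.ad.rice.edu.              IN      A

;; AUTHORITY SECTION:
ad.rice.edu.            3600    IN      NS      support-dc7.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc6.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc5.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc4.rice.edu.

;; ADDITIONAL SECTION:
support-dc7.rice.edu.   3600    IN      A       10.136.93.4
support-dc6.rice.edu.   3600    IN      A       128.42.18.16
support-dc5.rice.edu.   3600    IN      A       10.129.92.100
support-dc4.rice.edu.   3600    IN      A       128.42.18.223
"""

if __name__ == "__main__":
    usable, rejected = split_servers(SAMPLE_DIG)
    for ns, addr in usable:
        print(f"query   {ns} at {addr}")
    for ns, addr in rejected:
        print(f"ignore  {ns} at {addr} (RFC 1918 glue in a referral from the Internet)")
```

Running it shows two of the four ad.rice.edu servers being dropped, which is
the behaviour David wanted from named and the one the view-based config gives him.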


Re: bind image size

2008-12-02 Thread jmc
--- Davenport, Steve M [Mon, Dec 01, 2008 at 05:03:06PM -0500]: --- 
 I have a server running Solaris10 and bind9.3.6 compiled with gcc3.3.2. The 
 build was done with ./configure, make. The image size seems rather large at 
 10637668 bytes vs 4459328 bytes on a different Solaris10 system. Any ideas 
 about the image size difference?

was bind built by hand on the different Solaris10 system? if it's stock
(can't recall if there's a SUNWbind or whatever package), the binary is
probably stripped.

man strip for more details.


Re: How can I retrieve the details that makes up the statistics?

2008-12-02 Thread JINMEI Tatuya / 神明達哉
At Mon, 10 Nov 2008 09:54:19 -0800,
Chris Buxton [EMAIL PROTECTED] wrote:

 A logging category that logged not just incoming queries, but also  
 outgoing queries, and also the responses sent/received to these  
 queries, would be really handy. It doesn't need to log the whole  
 packet (except at some debug level), but just something along the  
 lines of the current logging category. For responses, also log the  
 type of response: positive answer, nxrrset (or whatever you want to  
 call this), nxdomain, referral, or error (with type).
 
 This category could either log all of this at info level, or else log  
 incoming queries at level notice and all other traffic at level  
 notice. Or even log incoming queries at level info and all other  
 traffic at debug level 1 (to retain current behavior for non-debug  
 levels), and then start logging full packet contents (i.e. what we see  
 in default dig output) at higher debug levels.
 
 I see this as a replacement for the current queries logging category,  
 not an addition to it.

Thanks for the suggestions.  These generally seem to me to make sense
(although I'd rather use a separate log category for outgoing queries
and incoming responses).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Debugging recursive bind

2008-12-02 Thread JINMEI Tatuya / 神明達哉
At Fri, 21 Nov 2008 11:11:17 +0100,
Marco Michelino [EMAIL PROTECTED] wrote:

 I have a recursive dns server that sometimes returns errors on queries
 even if the requested domain exists:
 
 # dig @myserver agriturismolacapraccia.it mx

[snip]

 My log file shows no error... how can I debug the query to understand
 what's going wrong?

Which version of BIND are you using?  If it's not the latest versions,
i.e., 9.3.6/9.4.3/9.5.1rc1, please upgrade.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: DNS lookup problems specific the Facebook domains

2008-12-02 Thread ivan jr sy
how about llnwd.net

can you ping dns11.llnwd.net from that box?

I believe there's a routing issue there; I've troubleshot this kind of problem 
at one ISP, and my immediate resolution was conditional forwarding for 
that domain only to OpenDNS. 

Thanks!


--- On Wed, 12/3/08, JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED] wrote:

 From: JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED]
 Subject: Re: DNS lookup problems specific the Facebook domains
 To: [EMAIL PROTECTED]
 Cc: BIND Users Mailing List [EMAIL PROTECTED]
 Date: Wednesday, December 3, 2008, 9:31 AM
 At Fri, 21 Nov 2008 10:47:42 -0800,
 Rob Tanner [EMAIL PROTECTED] wrote:

  I'm trying to figure out if this is my problem or a Facebook problem.
  The first issue was with facebookmail.com. The cache entry would become
  corrupt and I would have to clear cache to get things back to working
  again. Since facebookmail.com resolves to a single IP address, my work
  around was to make my internal DNS authoritative for it and the problem
  went away.

  A week ago, DNS lookups for facebook.com failed completely. Even
  restarting the DNS service didn't fix the problem. Currently, and as a
  temporary fix only, I am forwarding facebook.com lookups to an
  off-campus server which does not seem to have the problem. And now, as
  of last night, lookups to fbcdn.net (which apparently hosts stylesheets)
  fail completely and I've implemented the same forwarding scheme there as
  well. I've been tracking resource allocations on the Linux box that
  hosts the DNS just to see if there might be some connection there, and
  as far as I can tell, there isn't anything there that might explain it.

  Being that we are a four year residential college, the heaviest hit on
  our DNS servers are students, and Facebook is the singularly most
  heavily used external service. Also, as far as I can tell, we are
  having no problems looking up any other addresses. Has anyone else seen
  this problem with Facebook or does this problem sound familiar with any
  other sites. I'm baffled and any ideas about what to look for would be
  most appreciated.

 Does this still happen? If so, and if you're using BIND 9.5.x prior
 to 9.5.1b3, I'd suggest you upgrade to 9.5.1b3. Prior versions of 9.5
 have a bug in cache management that could cause failure of name
 resolution for particular domain names.

 ---
 JINMEI, Tatuya
 Internet Systems Consortium, Inc.


  

Re: logging query results

2008-12-02 Thread Kevin Darcy

ivan jr sy wrote:
 hi all,

 what about performance issues? if BIND considers additional logging and DNS
 admins unwittingly turn ON logging of queries (just by issuing rndc querylog)
 and other future logging categories, it somehow degrades the performance of
 BIND.

 as i've tested BIND 9.5.0-P2 with authoritative queries, my FreeBSD7 amd64 box
 can accommodate as much as 34,000 queries per second (i've seen other boxes can
 go as much as 100,000 QPS), but once logging is turned on, it barely reaches
 1,000 queries per second. (for 100,000 qps around 14,000...)

Ideally, some of the logging functions would operate in a separate
thread, which, on a multiprocessor box, might mean a separate processor
as well.

Then, it would be pretty much indistinguishable from running a separate
process (e.g. dnscap) on the same box, although, admittedly, not as
good as running dnscap on a totally separate box on the same
segment/subnet/VLAN...

   - Kevin

 I hope it is also part of BIND's roadmap, querylog optimization.

 fyi on that..

 --- On Wed, 12/3/08, Kevin Darcy [EMAIL PROTECTED] wrote:

  From: Kevin Darcy [EMAIL PROTECTED]
  Subject: Re: logging query results
  To: [EMAIL PROTECTED]
  Date: Wednesday, December 3, 2008, 1:28 PM
  Bill Larson wrote:

   JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED] said:

    At Fri, 28 Nov 2008 10:08:34 -0800,
    wes [EMAIL PROTECTED] wrote:

     I would like to know if it's possible to log the output of each dns query.

    Do you mean the response to each query by output? If so, there's
    currently no such log messages regardless of log level. We may implement
    it in the future as we discussed in a different thread:
    https://lists.isc.org/pipermail/bind-users/2008-December/073981.html

   Is anyone besides myself beginning to feel that too MUCH functionality is
   being built into BIND? Will the next request be to put out the cat before
   bedtime?

   I'm concerned that BIND is being made too complex, with the associated
   security issues of any complex system. Sendmail is a perfect example of
   this. It tried to do everything with the resulting bug of the month
   outcome.

   Query logging is a great idea, but OARC has already produced a very
   functional dnscap which will capture all DNS traffic, queries and
   responses, incoming and outgoing. Maybe this type of logging functionality
   could be better relegated to a third party tool such as dnscap rather than
   being built directly into BIND.

   Adding functionality for the purpose of better operations is one thing.
   Including the capability of performing zone transfers inside BIND was a
   great addition rather than having a separate named-xfer tool. This made
   running in a chroot environment much simpler, easier, and secure. This is
   good additional functionality.

   Additional functionality, such as adding additional query logging
   capabilities that aren't critical to the operation of the basic system,
   simply increase complexity with the inherent decrease in security that
   makes this type of addition a drawback.

   Please, keep BIND as simple as possible (but not simpler). Leave
   additional capabilities to separate tools such as dnscap.

  Bill,
  While I appreciate the work that's gone into dnscap (which I use), looking
  at the big picture, does it really make sense to have a *separate* tool,
  just for the purpose of dumping the contents of DNS packets coming into, or
  leaving, a particular instance of named, in a human-readable form? From the
  standpoint of efficiency, named already has intimate details about the
  contents of every packet it processes, all that remains is that it render
  those contents into a human-readable form into a logfile.

  If dnscap is run outside of named, however, it needs to capture the packets
  in wire-format from the raw device -- requiring, usually, superuser
  privileges, which opens up some security issues -- and then parse those
  packets from scratch, using much of the same logic, the same algorithms,
  that named itself uses. Seems like a duplication of effort to me, and named
  can do this processing _unprivileged_, if configured and/or invoked that
  way, thus allaying your security concerns.

  dnscap certainly has its place as a sophisticated capture utility on a
  third-party client (i.e. neither the initiator or the responder), or on
  either end, where something other than BIND, with inferior logging
  capabilities, is being used. But if the initiator and/or responder are
  BIND, why not leverage all of the algorithms, cpu cycles, etc. that are
  already being brought to bear by named to parse the contents of DNS
  packets? Yes, it's that dread buzzword synergy; I think we have some here.

  Then again, maybe the best of both worlds can be obtained

BIND and ENUM NAPTR...

2008-12-02 Thread Gregory Hicks

Greetings:

SIP (NAPTR and ENUM) uses a DNS like structure.  Does BIND support
these data types?  Are there any references?

Regards,
Gregory Hicks

-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

The best we can hope for concerning the people at large is that they
be properly armed. --Alexander Hamilton



FW: Pls help me for bind9

2008-12-03 Thread Sun, Rui (IT Operation Director)
Hi dear

Pls help me for bind9 


孙睿   /  Rui Sun

-Original Message-
From: Sue Graves [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 21, 2008 12:48 AM
To: Sun, Rui (IT Operation Director)
Cc: [EMAIL PROTECTED]
Subject: Re: Pls help me for bind9

As BIND is Open Source software, there is free support and discussion available 
from the community by sending mail to [EMAIL PROTECTED]
There are 3 mail lists for discussions among users of ISC's BIND Distribution. 
You can subscribe via our website at https://lists.isc.org/mailman/listinfo

Updates as to our development work are shared with the BIND Forum members which 
you are welcome to join.
See https://www.isc.org/software/guild

We also offer paid support contracts https://www.isc.org/services/support

Regards,
Sue

Sun, Rui (IT Operation Director) wrote:
 Hi dear
  
 pls help me for bind 9
  
 [In my tel DNS server]
 nslookup www.baihui.com
 Server: 118.102.24.83
 Address:118.102.24.83#53
  
 Non-authoritative answer:
 www.baihui.com  canonical name = baihui.com.
 Name:   baihui.com
 Address: 219.143.38.65
 
  
 [But my db file is set as below]
 $TTL 600
 @ IN SOA dns1.baihui.name. hostmaster.baihui.name. (
 140024 ; Serial
 6000 ; Refresh
 3000 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL;
 @ IN NS dns1.baihui.name.
 @ IN NS dns2.baihui.name.
 baihui.com. IN  A   202.127.112.36
 
  
 [Could you pls give me some help?]
  
  
 孙睿   /  Rui Sun
 

--
Susan Graves
Internet Systems Consortium
+1 650-423-1323 office
[EMAIL PROTECTED]
See http://www.isc.org/training/ for the latest information on our training 
offerings


Re: Just to make sure I have TTL's understood.

2008-12-03 Thread D. Stussy
Scott Haneda [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Before I go out on a limb, I wanted to ask those who know more about
 this than I do.  I added a zone change to my primary server, in this
 case, setting the TTL's pretty low, as things were going to move
 around a bit in the beginning.  Waited a few weeks after adding it.

 * The basic thing I am trying to understand, is *when* the slaves get
 the change, and what repercussions there are if it is slow.

 Here is the zone:
 $ORIGIN .
 $TTL 86400  ; 1 day
 example.com  IN SOA  ns1.hostwizard.com.
 scott.hostwizard.com. (
  2008112501 ; serial *** I did change
 this ***
  14400  ; refresh (4 hours)
  7200   ; retry (2 hours)
  604800 ; expire (1 week)
  3600   ; minimum (1 hour)
  )
 $TTL 3600   ; 1 hour
  NS  ns1.hostwizard.com.
  NS  ns1.nacio.com.
  A   64.84.37.51

 $TTL 300; 5 minutes
  MX  10 gonepostal.hostwizard.com.

 $TTL 3600   ; 1 hour
  TXT "v=spf1 ip4:64.84.37.0/26 ?all"

Should be changed to:  SPF "v=spf1 ..."
Usage of TXT for SPF declarations has been deprecated for 2 years now.
Why are you using ?all?  That opens you up to forged messages (unless
you're uncertain about the record).

 $ORIGIN example.com.
 foo A   64.84.37.51
 bar A   64.84.37.51


 $TTL 300; 5 minutes
 www A   64.84.37.51
 pop A   64.84.37.6
 smtpA   64.84.37.6

 dig example.com MX
 That will give me back the MX you see above. In this case, I am on a
 starbucks wifi, so they use whatever NS they are using.

 At home, the same command, pointed to openDNS, gives back the new MX
 as well.

 Now, if I run dig example.com MX @ns1.hostwizard.com I also get the
 new MX

 Running dig example.com MX @ns1.nacio.com, which is my slave provide
 example.com. 188 IN MX 20 mx1.biz.mail.yahoo.com.
 example.com. 188 IN MX 30 mx5.biz.mail.yahoo.com.

 It took openDNS, all of 6 or 7 minutes to get the change, I am now,
 hours later, not seeing the change in my secondary provider.  They
 also have ns0.nacio.com, ns1.nacio.com, ns2.nacio.com and
 ns3.nacio.com, all of which answer stale for this query.

It may take up to 4 hours for your secondary to see the change.  Why?  Your
refresh value on your SOA record is set to 4 hours.  Therefore, the
secondary server(s) won't check again until 4 hours after the last zone
transfer, and when that check occurs and doesn't note a new serial number,
then they should check in 2 hour intervals thereafter.

So why did opendns get the change earlier:
1)  They didn't have anything cached, are not servers for your zone, and
queried your primary.
2)  If they are also secondaries, perhaps they respect NOTIFY messages,
while your secondaries do not.

 Am I correct, in that, the 300 TTL I set, is correct, and what I
 should have done to prepare for a MX change to happen with as little
 problem/delay as possible?

No.  The least delay is a TTL of 0 seconds, which should cause no caching of
the record at all.

 What is the setting on a slave that determines when it should see my
 change?  My logs show the notifies going over, and being accepted.

Depends on the DNS software at the secondary.  Perhaps notifies are being
ignored.  Do you know what they run?

 I also provide a secondary, and to be honest, if I wanted to stall my
 secondary from accepting a primary notify, different than the TTL, I
 would not even know how to do that.

 If the whois servers are listed with myself, and my secondary, and the
 secondary is now stale, for hours, what repercussions does this have?

A lame delegation or old data at your TLD's name servers.

 I think, queries that are not cached by the local resolver of a
 internet user, go back to whoever is listed in the whois.  I am also
 pretty sure it does not pick one over the other, I see no way a client
 request could pick a primary over a secondary, I believe it happens at
 random, almost in a load balanced way, or perhaps it is distance
 routed, so the closest is first.

Short of fetching the SOA record, there is nothing that tells a resolver
which name server is primary, and even that is sometimes non-conclusive
(due to faulty data).

 Either way, am I correct in that a secondary, is needed, if it is
 there, it must be in sync, as it is pretty evenly used by all clients
 requesting data from it, until their local resolver caches it?

Needed?  Yes.  (Disaster recovery)
In Sync?  It should be.  (Minor variations during an update are OK)
Used evenly?  Given enough time, yes.  (random distribution).

 Thanks, and as I 
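A small model of the timers discussed in this exchange, added here as an example and not code from either post. It follows the SOA semantics of RFC 1035: a secondary polls the primary's SOA every REFRESH seconds after a successful check and falls back to the RETRY interval only when the primary cannot be reached; a NOTIFY that the secondary honours collapses the wait entirely. The zone values (refresh 14400, retry 7200, MX TTL 300) are Scott's; the outage window in the sample run is a constructed assumption.

```python
"""Model of when a secondary notices a new serial without NOTIFY.

Added example; not code from the thread. All times are seconds since an
arbitrary reference point, e.g. the moment of the last zone transfer.
"""


def detection_time(last_transfer, refresh, retry, change_time, outages=()):
    """Return the time of the first SOA poll that sees the new serial.

    last_transfer: when the secondary last successfully refreshed the zone
    refresh, retry: the zone's SOA REFRESH and RETRY values (seconds)
    change_time:    when the primary's serial was bumped
    outages:        (start, end) windows in which the primary is unreachable;
                    a poll falling inside one fails and is retried after `retry`
    """
    t = last_transfer + refresh
    while True:
        if any(start <= t < end for start, end in outages):
            t += retry           # failed check: RETRY governs the next attempt
        elif t >= change_time:
            return t             # serial is newer: the transfer happens now
        else:
            t += refresh         # same serial: wait another REFRESH interval


def worst_case_client_lag(refresh, record_ttl):
    """Longest a resolver can keep serving the old record when NOTIFY is not
    honoured: the secondary may take a full REFRESH to notice, and a resolver
    that fetched the old answer from it just before may cache it for the TTL."""
    return refresh + record_ttl


if __name__ == "__main__":
    # Scott's zone: refresh 4 h, retry 2 h, MX TTL 300 s (values from the post)
    REFRESH, RETRY, TTL = 14400, 7200, 300
    print("change at +10 min, seen at", detection_time(0, REFRESH, RETRY, 600))
    # constructed outage: primary unreachable between 14000 s and 20000 s
    print("primary down 14000-20000s:",
          detection_time(0, REFRESH, RETRY, 600, outages=[(14000, 20000)]))
    print("worst-case lag without NOTIFY:", worst_case_client_lag(REFRESH, TTL))
```

With these numbers the secondary that ignores NOTIFY sees the change at the next refresh poll (14400 s), and a poll that lands in an outage slips a further RETRY, which is the "up to 4 hours" in the reply above; the low record TTL only bounds how long resolvers keep the old answer after a secondary has caught up.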

Re: forward reverse lookups

2008-12-03 Thread JINMEI Tatuya / 神明達哉
At Fri, 7 Nov 2008 07:18:27 -0800 (PST),
paulpsmith [EMAIL PROTECTED] wrote:

 I'm fairly new to BIND, but have a pretty good understanding of DNS
 and other protocols. I have been trying to make something work for
 about a week now and can't figure it out. Is it possible to have a
 cache only nameserver forward reverse lookups to a primary server for
 those zones?
 
 This is for internal only.
 
 I have an OBSD 4.4 syslog server. I got named running on it locally as
 a cache only name server. The syslog messages come in and get logged
 with the src IP address of the host sending the message. I want the
 fqdn of the device for easier reading. If I put the name/IP in a hosts
 file, it shows the name. If I have the server do lookups to the
 primary servers, I get a name.
 
 My problem is that if I have it just look up to the primary, it is up
 to 50/100 lookups per second to the primary servers. I don't want to
 put that load on them.
 
 Anyone have an idea? I've tried putting the zone statements for the
 subnets in as forward zones in the named.conf, but that does not seem
 to help.

If I understand you correctly, this should be possible.  But if you
can provide more details including network configuration and your
named.conf that didn't work, we could provide more useful and specific
advice.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: rfc1918 ns records coming from internet are queried?

2008-12-03 Thread Gregory Hicks

 Date: Wed, 26 Nov 2008 21:09:53 +0100 (CET)
 To: [EMAIL PROTECTED]
 Subject: Re: rfc1918 ns records coming from internet are queried?
 From: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 
   A border router knows what is inside and outside your network, while
   a DNS server does not. Important difference.
  
  You're missing the point.  This is not about inside and outside networks, it
  is about rfc1918 responses from internet queries.
 
 I'm afraid I have seen too many organizations using a mix of public and
 RFC1918 IP addresses on the inside. Thus I don't believe that you can
 differentiate based on RFC1918 addresses or not on a general basis.

Actually, I got the impression that the OP wanted to know if BIND would
ignore any NS records provided by some server on the internet that
pointed to RFC-1918 type IP addresses.  (It could be that everyone is
talking to the same thing...)

If BIND sends out a request, as it should, to some set of NS record IP
addresses, it keeps a record of WHEN the request was sent out and marks
how long it takes to get a response back from those requests.  The
RFC-1918 type addresses SHOULD never respond - unless you happen to
have a server at the same address that someone else is advertising.
(The SHOULD never respond is driven by the BCP-38 filtering at edge
routers.)  Thus those addresses will have ungodly high round trip times
and should be removed from further queries...

(My read of how it works.  I could be wrong though.)

Regards,
Gregory Hicks

 
 Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928

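A toy model of the behaviour Gregory describes above, added as an example; it is not BIND's code, only a simplified stand-in for RTT-weighted server selection in which addresses that never answer accumulate a penalty and fall out of rotation. The smoothing weight, the timeout penalty and the sample glue addresses are constructed assumptions; the RFC 1918 check is exact.

```python
"""Toy model of RTT-based name server selection with unreachable NS glue.

Added example, not BIND's code: a simplified stand-in for the behaviour
described in the thread (non-responding addresses accumulate a high round
trip time and drop out of rotation). Penalty, smoothing weight and sample
addresses are constructed assumptions.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

TIMEOUT_PENALTY = 10.0   # seconds charged for each unanswered query (assumption)
ALPHA = 0.3              # weight of the newest sample in the smoothed RTT


def is_rfc1918(addr):
    """True for addresses in the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class ServerSelector:
    """Keeps a smoothed RTT per NS address and prefers the lowest one."""

    def __init__(self, addrs):
        # untried servers start at 0 so every address is given a chance once
        self.srtt = {a: 0.0 for a in addrs}

    def record(self, addr, rtt):
        """Feed a measurement; rtt=None means the query timed out."""
        if rtt is None:
            self.srtt[addr] += TIMEOUT_PENALTY
        else:
            self.srtt[addr] = (1 - ALPHA) * self.srtt[addr] + ALPHA * rtt

    def best(self):
        return min(self.srtt, key=self.srtt.get)

    def usable(self, limit):
        """Addresses whose smoothed RTT is still below `limit` seconds."""
        return [a for a, v in self.srtt.items() if v < limit]


def simulate(addrs, rounds=3):
    """Query each address `rounds` times. RFC 1918 glue never answers (BCP 38
    filtering at the edge drops it) while routable glue answers in 50 ms."""
    sel = ServerSelector(addrs)
    for _ in range(rounds):
        for a in addrs:
            sel.record(a, None if is_rfc1918(a) else 0.05)
    return sel


if __name__ == "__main__":
    # constructed NS glue: one routable address, one RFC 1918 leak
    glue = ["203.0.113.10", "192.168.1.5"]
    sel = simulate(glue)
    print("preferred:", sel.best(), "still in rotation:", sel.usable(5.0))
```

The point of the model is the second half of Gregory's argument: an RFC 1918 address leaked in NS glue is not dangerous in itself, it is simply never answered, so any selection rule that charges for timeouts stops trying it after a few rounds; a server of your own sitting on that same private address is the one case where it would answer.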


Moderators note

2008-12-03 Thread Alan Clegg
Due to technical difficulties, a number of messages were being held in
the moderation queue.  These postings have now been cleared out (some
may be duplicates, for which I apologize).

We are still working out a couple of minor kinks in the move to the new
mailing list system.

Thanks for your understanding.

AlanC




Re: logging query results

2008-12-03 Thread Sam Wilson
In article [EMAIL PROTECTED],
 Mark Andrews [EMAIL PROTECTED] wrote:

   Disk i/o is just glacially slow when compared to network
   i/o.  To get disk logging up to network speeds you need to
   throw away a lot of it.

Which suggests that having filtering built into the logging might make 
it much more useful, at the risk of yet more feature bloat.  I make this 
suggestion from experience with packet logging on routers - almost 
useless without filtering.

Sam


check Availability before sending response

2008-12-03 Thread Ken DBA
Hello,

Is there any way to make Bind check the server's availability before sending back 
responses to clients?

i.e., given the domain name www.site.com was pointed to 1.1.1.1 and 2.2.2.2 in 
Bind.
When a client queries for www.site.com, Bind will check the health status for 
these two servers. If one is unavailable, Bind shouldn't direct the client's 
requests to it.

I know F5's 3DNS can do it well. But rather than 3DNS, is there any free way for 
this purpose? Thanks.


Ken.


Re: check Availability before sending response

2008-12-03 Thread Stephane Bortzmeyer
On Wed, Dec 03, 2008 at 10:53:43PM +0800,
 Ken DBA [EMAIL PROTECTED] wrote 
 a message of 21 lines which said:

 i.e., given the domain name www.site.com was pointed to 1.1.1.1 and
 2.2.2.2 in Bind.  When a client queries for www.site.com, Bind will
 check the health status for these two servers. If one is
 unavailable, Bind shouldn't direct the client's requests to it.

How could BIND:

* Know what protocol to test? www.site.com is probably for HTTP but
mail.site.com ? POP ? IMAP ?

* Embed all these protocols? HTTP, HTTPS, POP, IMAP, BitTorrent, DNS,
whois, FTP, SSH, SMTP...




Re: FW: Pls help me for bind9

2008-12-03 Thread Gregory Hicks

 Subject: FW: Pls help me for bind9
 Date: Fri, 21 Nov 2008 10:25:49 +0800
 From: Sun, Rui \(IT Operation Director\) [EMAIL PROTECTED]
 To: bind-users@lists.isc.org
 
 Hi dear
 
   Pls help me for bind9 

What problem are you having?

What does your named.conf look like?  your zone files?
(Please include the 'real' files, not any sanitized ones.)

 
-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928



Re: Dropping external recursive requests

2008-12-03 Thread Chris Buxton
That ought to work, and work well.

This will not impact outside name servers that query your name server,
because they send iterative queries. If they're sending recursive
queries, they're abusing your server. I can't see any problems with this
approach.

If you have authoritative data in the third view, make sure that when
the first view wants to look it up, its iterative query to the server
machine itself is routed through to the third view (rather than being
captured by the first view).

Chris Buxton
Men & Mice

On Tue, 2008-12-02 at 17:10 -0800, [EMAIL PROTECTED] wrote:
 Our DNS server occasionally get requests for recursion with forged src
 addresses.
 Currently our server returns Standard query response, Refused since
 our named.conf
 only allows recursion for our internal machines.  This, of course,
 results in the poor
 machine whose address was forged receiving spurious traffic.
 
 Some of the Cisco firewalls support DNS inspection and can be
 configured to drop
 requests which want recursion.  What are the ramifications of enabling
 this?
 
 Can bind be configured to do this?  I was thinking about something
 like:
 
 view "internal" {
   match-clients { localhost; localnets; };
   ...
 };
 
 view "external-recursive" {
   match-clients { any; };
   match-recursive-only yes;
   blackhole { any; };
 };
 
 view "external" {
   ...
 };
 
 -- John
 [EMAIL PROTECTED]



Re: How to modify A records on the slave when master is down?

2008-12-03 Thread Chris Buxton
On Fri, 2008-11-21 at 21:10 -0800, [EMAIL PROTECTED] wrote:
 Hello.  I have two geographically different datacenters.  Each
 datacenter has two instances of BIND.
 
 There is one master out of these four.  The zones will have multiple
 A records (pointing to the two datacenters to provide some minimal
 amount of redundancy and load balancing)
 
 What I want to do is put together a plan for when the master either
 fails or the master becomes unavailable.
 
 So if your master fails, or more likely, it becomes unavailable, and I
 need to change the A records on the other slaves, how do you do it?
 
 Can I have a master in each datacenter and a slave in each datacenter,
 but a change made to any master propagates to all slaves?  For that
 matter, can I just have four masters and be done with it?
 
 It doesn't make sense that I could have multiple masters.. but I have
 no idea how to solve this problem.  If datacenter A goes down for
 three days, I want to be able to modify the slave A records to stop
 pointing to the bad datacenter.  And when the datacenter comes back up
 and the old master is alive, I want everything to work.

You can always promote a slave to master status, or maintain a DR copy
of the zone.

Configure your slave servers to look to your second master (or the slave
that will be promoted as needed) as a second master, and enable
multi-master. Like this:

zone "zone.name" {
    type slave;
    file "zone.file";
    masters {
        ip-of-master;
        ip-of-backup-master;
    };
    multi-master yes;
};

If you have a backup (or DR) master, then the slaves will switch to its
version of the zone automatically. If you instead use a slave that will
be promoted for this purpose, then, when disaster strikes:

- Promote the slave (edit the zone statement, changing the type and
removing the 'masters' and 'multi-master' statements).
- Edit the zone as needed.
- 'rndc reconfig' ought to work, but you may need 'rndc reload' instead.

If you have lots of zones, it makes sense to keep a whole separate
named.conf instead, and simply switch over to it.

Chris Buxton
Men & Mice



Re: socket: too many open file descriptors

2008-12-03 Thread JINMEI Tatuya / 神明達哉
At Tue, 2 Dec 2008 05:17:17 -0800 (PST),
pollex [EMAIL PROTECTED] wrote:

 Hi Jinmei I have followed your advice and I have installed and
 compiled the Bind 9.3.6 with the following command:
 STD_CDEFINES=-ISC_SOCKET_FDSETSIZE=4096 ./configure --prefix=/usr/local/bind9.3.6 --enable-threads
 But now I have the following issue, I can't start bind with multi
 threading...
 I have in the init script the lines:
 OPTIONS="-u bind -n 8 -t /var/lib/named -c /etc/bind/named.conf"
 and in the start part:
 mount --bind /proc/ /var/lib/named/proc/ -o ro (This is needed because
 bind runs in a jail)

First, you don't need to specify ISC_SOCKET_FDSETSIZE in 9.3.6 (but I
don't think it's irrelevant to the main point).

Second, I have no idea.  Maybe it's somehow related to this change:

2472.   [port]  linux: check the number of available cpu's before
calling chroot as it depends on /proc. [RT #16923]

hopefully someone more familiar with Linux has some clue.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Binding DNS server to a particular IP address

2008-12-03 Thread Jonathan Petersson
Shouldn't the server statement in options/view do the trick?

/Jonathan

On Wed, Dec 3, 2008 at 12:04 PM, Todd Snyder [EMAIL PROTECTED] wrote:

 Try the listen-on directive.

 Read more here:

 http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=frontcover&dq=dns&ei=dA-3SJ7XEaWijgG7v4Qw&hl=en&sig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q#PPA270,M1

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jerry M
 Sent: Wednesday, December 03, 2008 11:37 AM
 To: bind-users@lists.isc.org
 Subject: Binding DNS server to a particular IP address

 I have two different IP addresses coming into my server.  I need to
 guarantee that ISC BIND only monitors and replies to requests coming
 from one of the two IP addresses. I can't seem to find a configuration
 parameter that tells the server which IP address to listen on.  How do I
 configure that?

 Thanks.

 JWM


 -
 This transmission (including any attachments) may contain confidential
 information, privileged material (including material protected by the
 solicitor-client or other applicable privileges), or constitute non-public
 information. Any use of this information by anyone other than the intended
 recipient is prohibited. If you have received this transmission in error,
 please immediately reply to the sender and delete this information from your
 system. Use, dissemination, distribution, or reproduction of this
 transmission by unintended recipients is not authorized and may be unlawful.


RE: How to modify A records on the slave when master is down?

2008-12-03 Thread Mike Bernhardt
What we used to do is we had 2 masters. After an update was done on one of
them, we ran a perl script that would scp the db files to the other and then
send rndc reload to itself and the other master. That way both were always
up to date. It seems like if you had one master and one slave at each
datacenter, this would work very well. After the down datacenter comes back
up, simply run the script from the up-to-date master.

I can send you the perl script to save you some time if you want. The main
trick was getting scp to work with rsa keys so no password is required
(although it could work fine with a password if you're running the script
manually).

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 21, 2008 9:10 PM
To: [EMAIL PROTECTED]
Subject: How to modify A records on the slave when master is down?

Hello.  I have two geographically different datacenters.  Each
datacenter has two instances of BIND.

There is one master out of these four.  The zones will have multiple
A records (pointing to the two datacenters to provide some minimal
amount of redundancy and load balancing)

What I want to do is put together a plan for when the master either
fails or the master becomes unavailable.

So if your master fails, or more likely, it becomes unavailable, and I
need to change the A records on the other slaves, how do you do it?

Can I have a master in each datacenter and a slave in each datacenter,
but a change made to any master propagates to all slaves?  For that
matter, can I just have four masters and be done with it?

It doesn't make sense that I could have multiple masters.. but I have
no idea how to solve this problem.  If datacenter A goes down for
three days, I want to be able to modify the slave A records to stop
pointing to the bad datacenter.  And when the datacenter comes back up
and the old master is alive, I want everything to work.






Re: Dropping external recursive requests

2008-12-03 Thread Mark Andrews

In message [EMAIL PROTECTED], Alberto Colosi/SI/RM/GSI/it writes:
 why not? better handled by isc and done in a clean way than 1.000.000 of 
 dirty ways as these ;)

Please go read RFC 5358.  Nowhere in there does it say to
drop responses.  If we thought that dropping queries was a
good idea it would have been explicitly documented in RFC
5358.  Not offering recursive service means returning
REFUSED.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


RE: How to modify A records on the slave when master is down?

2008-12-03 Thread Alberto Colosi/SI/RM/GSI/it
better to use an ftps than an sftp.

use

vsftpd with SSL compile option
GNU lftp

lftp is really simple and can be configured to bypass RSA CA verify so as to 
allow self-signed, and many other settings.

The difference is that if you lose the RSA keys, or in any case when using the RSA 
keys to allow SCP, you could have a command-line session too if used with 
SSH instead.

The main difference is a bit more security ;)



---
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork  Security Department
 *-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS

Member of
IBM Information Security WW CoP







Re: Binding DNS server to a particular IP address

2008-12-03 Thread Kevin Darcy
Not really. The server statement modifies how named talks to other 
nameservers, it doesn't affect what addresses are listened on.



 - Kevin


Jonathan Petersson wrote:

Shouldn't the server statement in options/view do the trick?

/Jonathan





Re: check Availability before sending response

2008-12-03 Thread Kevin Darcy

Ken DBA wrote:

Hello,

Is there any way to make Bind check the server's availability before sending back 
responses to clients?

i.e., given the domain name www.site.com was pointed to 1.1.1.1 and 2.2.2.2 in 
Bind.
When a client queries for www.site.com, Bind will check the health status for 
these two servers. If one is unavailable, Bind shouldn't direct the client's 
requests to it.

I know F5's 3DNS can do it well. But rather than 3DNS, is there any free way for 
this purpose? Thanks.

  
Roll your own monitoring system and have it modify the DNS RRset via 
Dynamic Update (if you prefer) to reflect which server(s) are up/down at 
any particular time.


That's essentially what all these fancy, expensive GSLB boxes do anyway.

- Kevin

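The "roll your own" approach Kevin describes, as an added example that is not code from the thread: probe each backend, then feed `nsupdate -k <keyfile>` the commands that replace the A RRset with the healthy subset, so the update is TSIG-signed rather than relying on the source address. The primary's address, the zone and name, the TTL and the key file name are constructed sample values (the key file name follows the `K<name>.+<alg>+<id>.private` shape dnssec-keygen produces, with a placeholder id); the two backend addresses are the ones in Ken's question.

```python
"""Health-check driven Dynamic Update, the pattern described in the reply.

Added example, not the thread's code. It probes each address with a TCP
connect, then writes the command script that `nsupdate -k <keyfile>` reads on
stdin to replace the A RRset with the healthy subset. Server, zone, name, TTL
and key file name are constructed sample values.
"""
import socket
import subprocess


def tcp_healthy(addr, port=80, timeout=2.0):
    """True when a TCP connection to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def healthy_subset(addrs, probe=tcp_healthy):
    """Addresses that pass the probe, in their original order."""
    return [a for a in addrs if probe(a)]


def build_nsupdate_script(server, zone, name, ttl, all_addrs, healthy):
    """Return the nsupdate command script that publishes only `healthy`.

    If every backend fails the probe the full set is kept: an empty name
    would turn a partial outage into a total one (design choice, not a rule).
    """
    publish = healthy if healthy else all_addrs
    lines = [f"server {server}", f"zone {zone}", f"update delete {name} A"]
    lines += [f"update add {name} {ttl} A {a}" for a in publish]
    lines.append("send")
    return "\n".join(lines) + "\n"


def needs_update(published, desired):
    """Only send an update when the RRset would actually change."""
    return set(published) != set(desired)


def run_nsupdate(script, keyfile):
    """Pipe the script into nsupdate, signing every update with the TSIG key."""
    return subprocess.run(["nsupdate", "-k", keyfile], input=script,
                          text=True, check=True)


if __name__ == "__main__":
    ZONE, NAME, TTL = "site.com.", "www.site.com.", 60
    SERVER = "192.0.2.53"                # constructed: the zone's primary
    BACKENDS = ["1.1.1.1", "2.2.2.2"]    # the two addresses from the question
    KEYFILE = "Kupdate.site.com.+157+00000.private"   # placeholder key file
    up = healthy_subset(BACKENDS)
    script = build_nsupdate_script(SERVER, ZONE, NAME, TTL, BACKENDS, up)
    print(script, end="")
    # run_nsupdate(script, KEYFILE)  # enable on a host that holds the key
```

Two details matter in practice: the TTL on the published records bounds how long resolvers keep handing out a dead address after the update, which is why the value here is low, and the primary's `allow-update` for the zone should name the TSIG key rather than an address range, so a forged source cannot rewrite the RRset (the thread at the top of this page covers that restriction).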


Re: Dropping external recursive requests

2008-12-03 Thread john
On Dec 3, 6:26 pm, Mark Andrews [EMAIL PROTECTED] wrote:
 If it is a forged packet it should be dropped regardless of the setting
 of RD.

True, however not something that's easily determined from a distance.

Ideally ingress filtering would render this a non-issue, however
there are obviously holes in the current filtering done by ISPs.

 If the only reason to think the packet is forged is the setting
 of RD=1 then the OP has committed a reasoning error.

The situation that we've encountered on a couple of occasions
is a steady stream (several a second) of the exact same query
with the same source address for several days.  When we contact
the owner of the source address, they state they're under DDoS
attack and are not the source of the request.  Part of the attack
they experience is the Refused response from our DNS server.

 Also rd being set may just be the result of someone testing with
 a tool which sets rd by default.

In which case they can change the setting.

Which is worse ... occasionally dropping a request from someone
using a misconfigured tool / server, or participating in a larger
DDoS attack?

Granted that dropping external requests with RD=1 doesn't
eliminate the potential for DDoS attacks, it just changes it.

 One needs to be really, really careful here.

Understood ... and I realize that things shouldn't be oversimplified
(i.e. by assuming RD=1 must mean an evil request).  Part of the purpose
for this post is to start a discussion on the pros / cons.

-- John
[EMAIL PROTECTED]
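An added example (not code from the thread) of what John's rule actually has to inspect, with Mark's caveat built in. It decodes the fixed DNS header, reads QR and RD, and applies a policy to a constructed query arriving from inside and from outside an assumed local network: responses (QR set) are dropped as stray or reflected traffic, our own clients are answered, a query for a zone we serve is answered whatever RD says (a blanket "drop RD=1" rule would break exactly this case, since plenty of clients query an authoritative server with RD set), and only an external query for a foreign name is dropped under John's rule or left to named's REFUSED when the switch is off. The zones, networks and packets are all constructed for the example.

```python
"""Added example, not code from the thread: the header check behind the
proposal to drop, rather than REFUSE, external RD=1 queries.

OUR_ZONES, LOCAL_NETS and the datagrams built by build_query are
constructed for this example.
"""
import ipaddress
import struct
from typing import Dict, List

OUR_ZONES = ["example.com."]                          # assumed zones served here
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed recursion clients

QR = 0x8000   # header flag bits (RFC 1035 section 4.1.1)
RD = 0x0100


def parse_header(pkt: bytes) -> Dict[str, int]:
    """Decode the fixed 12-byte DNS header."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_qname(pkt: bytes, offset: int = 12) -> str:
    """Read the QNAME of the first question (uncompressed labels only)."""
    labels: List[str] = []
    while True:
        length = pkt[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        if length == 0:
            return ".".join(labels) + "."
        offset += 1
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname: str, rd: bool, ident: int = 0x1234) -> bytes:
    """Constructed sample datagram: a standard query, QTYPE A, QCLASS IN."""
    header = struct.pack("!6H", ident, RD if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def in_our_zones(qname: str) -> bool:
    """True when the name is at or below one of the zones we are authoritative for."""
    q = qname.lower()
    return any(q == z or q.endswith("." + z) for z in OUR_ZONES)


def policy(pkt: bytes, src: str, drop_external_rd: bool = True) -> str:
    """Return 'answer', 'refused' (let named send REFUSED) or 'drop' (no reply)."""
    h = parse_header(pkt)
    if h["qr"]:
        return "drop"             # a response aimed at port 53: never a query
    if h["qdcount"] == 0:
        return "drop"             # no question to parse
    if any(ipaddress.ip_address(src) in net for net in LOCAL_NETS):
        return "answer"           # our own clients may recurse
    if in_our_zones(parse_qname(pkt)):
        return "answer"           # authoritative data: RD is irrelevant here
    if h["rd"]:
        return "drop" if drop_external_rd else "refused"
    return "refused"              # external RD=0 for a foreign name: nothing to say
```

Even with the zone check, the RD bit still says only what the sender asked for, never whether the source address is genuine; the only thing the drop buys is that no REFUSED packet is sent back to a possibly spoofed victim.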


BIND 9.3.5-P2 download link required

2008-12-04 Thread Abhilash . V
Dear Team

We need the BIND 9.3.5-P2 version, but we are not finding the download
link. Kindly provide me the link so that we can download this version.


Thanks & regards
Abhilash



Re: socket: too many open file descriptors

2008-12-04 Thread pollex
On 3 dic, 21:08, Mark Andrews [EMAIL PROTECTED] wrote:
 In message [EMAIL PROTECTED],

 pollex writes:
  Hi Jinmei I have followed your advice and I have installed and
  compiled Bind 9.3.6 with the following command:
  STD_CDEFINES=-ISC_SOCKET_FDSETSIZE=4096 ./configure --prefix=/usr/local/bind9.3.6 --enable-threads
  But now I have the following issue, I can't start bind with multi
  threading...
  I have in the init script the lines:
  OPTIONS=-u bind -n 8 -t /var/lib/named -c /etc/bind/named.conf
  and in the start part:
  mount --bind /proc/ /var/lib/named/proc/ -o ro (This is needed because
  bind runs in a jail)

  Any idea? (With the previous version this works ok)

         Log messages would be useful.

         What does the following report?
         named -g -u bind -n 8 -t /var/lib/named -c /etc/bind/named.conf

  Thanks for all


 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]

Mark, thanks for the reply
this is the report:
04-Dec-2008 09:52:54.950 starting BIND 9.3.6 -g -u bind -n 8 -t /var/lib/named -c /etc/bind/named.conf
04-Dec-2008 09:52:54.950 using up to 4096 sockets
04-Dec-2008 09:52:54.954 loading configuration from '/etc/bind/named.conf'
04-Dec-2008 09:52:54.956 using default UDP/IPv4 port range: [1024, 65535]
04-Dec-2008 09:52:54.956 using default UDP/IPv6 port range: [1024, 65535]
04-Dec-2008 09:52:54.958 listening on IPv4 interface lo, 127.0.0.1#53
04-Dec-2008 09:52:54.958 could not listen on UDP socket: address in use
04-Dec-2008 09:52:54.958 creating IPv4 interface lo failed; interface ignored
04-Dec-2008 09:52:54.958 listening on IPv4 interface eth1, ###.###.#.###  #53
04-Dec-2008 09:52:54.958 could not listen on UDP socket: address in use
04-Dec-2008 09:52:54.958 creating IPv4 interface eth1 failed; interface ignored
04-Dec-2008 09:52:54.958 not listening on any interfaces
04-Dec-2008 09:52:54.959 /etc/bind/named.conf:80: couldn't add command channel 127.0.0.1#953: address in use
04-Dec-2008 09:52:54.959 ignoring config file logging statement due to -g option
04-Dec-2008 09:52:54.960 additionally listening on IPv4 interface lo, 127.0.0.1#53
04-Dec-2008 09:52:54.960 could not listen on UDP socket: address in use
04-Dec-2008 09:52:54.960 creating IPv4 interface lo failed; interface ignored
04-Dec-2008 09:52:54.960 additionally listening on IPv4 interface eth1, ###.###.#.###  #53
04-Dec-2008 09:52:54.960 could not listen on UDP socket: address in use
04-Dec-2008 09:52:54.960 creating IPv4 interface eth1 failed; interface ignored
04-Dec-2008 09:52:54.961 zone 0.in-addr.arpa/IN: loaded serial 1
04-Dec-2008 09:52:54.961 zone 127.in-addr.arpa/IN: loaded serial 1
04-Dec-2008 09:52:54.962 zone 255.in-addr.arpa/IN: loaded serial 1
04-Dec-2008 09:52:54.962 /etc/bind/db.bind:5: class 'CH' != zone class 'IN'
04-Dec-2008 09:52:54.962 zone bind/IN: loading master file /etc/bind/db.bind: bad class
04-Dec-2008 09:52:54.962 zone localhost/IN: loaded serial 1
04-Dec-2008 09:52:54.962 running
04-Dec-2008 09:52:56.244 shutting down
04-Dec-2008 09:52:56.245 exiting

In the other version I had a line like this:
found X CPUs, using X worker threads

Thanks again


RE: How to modify A records on the slave when master is down?

2008-12-04 Thread Jeff Lightner
Huh?

sftp uses secure transport as does scp and both use the same keys as
ssh.   I can see no way in which ftps would be viewed as superior.
Exactly how are you losing RSA keys and if you do aren't you more
concerned that you can no longer ssh into the box?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alberto Colosi/SI/RM/GSI/it
Sent: Wednesday, December 03, 2008 5:25 PM
To: Mike Bernhardt
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How to modify A records on the slave when master is down?

better to use an ftps than an sftp.

use

vsftpd with SSL compile option
GNU lftp

lftp is really simple and can be configured to bypass RSA CA verification so as
to allow self-signed certificates, and many other settings.

The difference is that if you lose RSA keys, or in all cases, using the
RSA keys to allow SCP, you could have a command line session too if used
with SSH instead.

The main difference is a bit more security ;)

---
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT Network & Security Department
*-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS

Member of
IBM Information Security WW CoP

Mike Bernhardt [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/12/2008 22.59
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: How to modify A records on the slave when master is down?

What we used to do is we had 2 masters. After an update was done on one of
them, we ran a perl script that would scp the db files to the other and then
send rndc reload to itself and the other master. That way both were always
up to date. It seems like if you had one master and one slave at each
datacenter, this would work very well. After the down datacenter comes back
up, simply run the script from the up-to-date master.

I can send you the perl script to save you some time if you want. The main
trick was getting scp to work with rsa keys so no password is required
(although it could work fine with a password if you're running the script
manually).

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 21, 2008 9:10 PM
To: [EMAIL PROTECTED]
Subject: How to modify A records on the slave when master is down?

Hello.  I have two geographically different datacenters.  Each
datacenter has two instances of BIND.

There is one master out of these four.  The zones will have multiple
A records (pointing to the two datacenters to provide some minimal
amount of redundancy and load balancing)

What I want to do is put together a plan for when the master either
fails or the master becomes unavailable.

So if your master fails, or more likely, it becomes unavailable, and I
need to change the A records on the other slaves, how do you do it?

Can I have a master in each datacenter and a slave in each datacenter,
but a change made to any master propagates to all slaves?  For that
matter, can I just have four masters and be done with it?

It doesn't make sense that I could have multiple masters.. but I have
no idea how to solve this problem.  If datacenter A goes down for
three days, I want to be able to modify the slave A records to stop
pointing to the bad datacenter.  And when the datacenter comes back up
and the old master is alive, I want everything to work.





BIND 9.5.1rc1 is now available.

2008-12-04 Thread Mark Andrews

BIND 9.5.1rc1 is now available.

BIND 9.5.1rc1 is a maintenance release candidate for BIND 9.5.

BIND 9.5.1rc1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/bind-9.5.1rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at http://www.isc.org/about/openpgp/pgpkey2006.txt.

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1rc1/BIND9.5.1rc1.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.1rc1 released ---

2498.   [bug]   Removed a bogus function argument used with
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
warning or crash named with the debug 1 level
of logging. [RT #18917]

2496.   [bug]   Add sanity length checks to NSID option. [RT #18813]

2495.   [bug]   Tighten RRSIG checks. [RT #18795]

2494.   [bug]   isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
installed. [RT #18826]

2493.   [bug]   The linux capabilities code was not correctly cleaning
up after itself. [RT #18767]

2490.   [port]  aix: work around a kernel bug where IPV6_RECVPKTINFO
is cleared when IPV6_V6ONLY is set. [RT #18785]

2489.   [port]  solaris: Workaround Solaris's kernel bug about
/dev/poll:
http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
this workaround. [RT #18870]

2487.   [bug]   Give TCP connections longer to complete. [RT #18675]

2485.   [bug]   Change update's handling of obscured RRSIG
records.  Not all orphaned DS records were being
removed. [RT #18828]

2482.   [port]  libxml2: support versions 2.7.* in addition
to 2.6.*. [RT #18806]

2479.   [bug]   xfrout:covers was not properly initialized. [RT #18801]

2478.   [bug]   'addresses' could be used uninitialized in
configure_forward(). [RT #18800]

2476.   [doc]   ARM: improve documentation for max-journal-size and
ixfr-from-differences. [RT #15909] [RT #18541]

--- 9.5.1b3 released ---

2475.   [bug]   LRU cache cleanup under overmem condition could purge
particular entries more aggressively. [RT #17628]

2474.   [bug]   ACL structures could be allocated with insufficient
space, causing an array overrun. [RT #18765]

2473.   [port]  linux: raise the limit on open files to the possible
maximum value before spawning threads; 'files'
specified in named.conf doesn't seem to work with
threads as expected. [RT #18784]

2472.   [port]  linux: check the number of available cpu's before
calling chroot as it depends on /proc. [RT #16923]

2471.   [bug]   named-checkzone was not reporting missing mandatory
glue when sibling checks were disabled. [RT #18768]

2470.   [bug]   Elements of the isc_radix_node_t could be incorrectly
overwritten.  [RT# 18719]

2469.   [port]  solaris: Work around Solaris's select() limitations.
[RT #18769]

2468.   [bug]   Resolver could try unreachable servers multiple times.
[RT #18739]

2467.   [bug]   Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]

2466.   [doc]   ARM: explain max-cache-ttl 0 SERVFAIL issue.
[RT #18302]

2465.   [bug]   Adb's handling of lame addresses was different
for IPv4 and IPv6. [RT #18738]

2464.   [port]  linux: check that a capability is present before
trying to set it. [RT #18135]

2463.   [port]  linux: 

how to archieve this?

2008-12-04 Thread Ken DBA
Hello,

We are running a commercial site. We want Bind to execute some additional 
actions before the response, listed as below:

1) Client queries for www.site.com's A RR.
2) Bind gets the client's IP, and calculates something based on this IP.
3) If the IP matches condition A, return the A RR of www.site.com -> 1.1.1.1.
   If the IP matches condition B, return the A RR of www.site.com -> 2.2.2.2.
   If the IP matches condition C, return Refused.


How to implement this architecture on Bind? Does Bind provide some programming 
API like Apache's APR? Thanks in advance.


Ken.




  


Re: how to archieve this?

2008-12-04 Thread ivan jr sy
refer to 'split' DNS using views

here's something:
http://www.zytrax.com/books/dns/ch7/view.html

in a nutshell.. you have to
- have 2 views, same zone per view
- either have two different zone files... and maintain them separately (or you 
may have two zone files and segregate the differences, while those RRs that are 
common can be in another file referred to by an include statement) 

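As an added example of the view-based approach ivan outlines (this is not a configuration from the thread): the three conditions in Ken's question expressed as named.conf views. The client ranges in the two acls are placeholders; views are matched in order, so the catch-all view has to come last. The catch-all still carries the zone, but with `allow-query { none; }`, which makes named answer REFUSED for condition C rather than NXDOMAIN and without leaking either address. Note that what named matches is the source address of the query, which for most end users is their resolver rather than the host itself.

```conf
// Added example, not from the thread: one zone, three views.
// 192.0.2.0/24 and 198.51.100.0/24 are placeholder client ranges.
acl condition-a { 192.0.2.0/24; };
acl condition-b { 198.51.100.0/24; };

view "a" {
    match-clients { condition-a; };
    recursion no;
    // zone file with   www  IN A 1.1.1.1
    zone "site.com" { type master; file "site.com.a"; };
};

view "b" {
    match-clients { condition-b; };
    recursion no;
    // zone file with   www  IN A 2.2.2.2
    zone "site.com" { type master; file "site.com.b"; };
};

// Condition C: everyone else.  The zone is present so the name is known,
// but no client may query it, so named returns REFUSED.
view "refused" {
    match-clients { any; };
    recursion no;
    zone "site.com" {
        type master;
        file "site.com.a";
        allow-query { none; };
    };
};
```

If the rule that decides A versus B is computed by something outside named, the usual way to drive this is to rewrite only the two acl definitions (kept in a file pulled in with `include`) and run `rndc reconfig`; the zone data itself never changes.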


Re: how to archieve this?

2008-12-04 Thread Chris Buxton
Depending on the rules you intend to use, you may find that BIND simply
isn't suited to this purpose. You may need to write your own name server
implementation, using a set of F5 appliances, or something else.

If you do this, you are probably best off handling as much as you can
using BIND, and then delegating the special-handling names to your
special-purpose name server. That way, your special-purpose name server
need not be optimized enough to handle the whole load. Also, algorithms
can be simpler if your custom name server is only handling address
records and zone apex records (SOA and NS). (Not all special-purpose
name servers correctly handle apex records, but that's a bad thing.)

An example that you may find useful as a starting point is lbnamed. It's
old and probably has some bugs in its protocol handling, but it does
something along the lines that you're looking for.

Chris Buxton
Men & Mice




Re: how to archieve this?

2008-12-04 Thread Ken DBA

--- On Fri, 12/5/08, Chris Buxton [EMAIL PROTECTED] wrote:

 An example that you may find useful as a starting point is
 lbnamed. It's old and probably has some bugs in its protocol handling,
 but it does something along the lines that you're looking for.

Thanks for the info.
I have checked lbnamed. All I feel unsure about is its performance, 
since it's written in Perl, not a compiled program. Has anyone used it in 
a production environment? Thanks.

Ken.


  


Re: how to archieve this?

2008-12-04 Thread Ken DBA



--- On Fri, 12/5/08, ivan jr sy [EMAIL PROTECTED] wrote:

 refer to 'split' DNS using views
 
 here's something:
 http://www.zytrax.com/books/dns/ch7/view.html

Yes, I know Views. I was a DBA but these days I checked lots of documents about 
Bind; it's really a great tool.
But views are not suitable for our application, because views work based on 
different IP data. We don't want the response to be based on geographic 
locations, but on other things, i.e., which real server has the best network 
connectivity.

Thanks.

Ken.


  


Re: how to archieve this?

2008-12-04 Thread Chris Buxton
While I have no experience with the performance of lbnamed, I have heard
that the resolving name servers used by OpenDNS run a name server
program written in Perl. (I forget the name of the package.)

Performance is a problem that can be overcome with optimizations and by
throwing more hardware at the problem.

Chris Buxton
Men & Mice



Re: how to archieve this?

2008-12-04 Thread Ken DBA
Or, does Bind developer group provide commercial development for this purpose? 
We can pay for it.


--- On Fri, 12/5/08, Chris Buxton [EMAIL PROTECTED] wrote:

 Depending on the rules you intend to use, you may find that
 BIND simply isn't suited to this purpose. You may need to write
 your own name server implementation, using a set of F5 appliances,
 or something else.


Re: how to archieve this?

2008-12-04 Thread Kevin Darcy

If you have money to spend, just buy a commercial load-balancing solution.

- Kevin



view based for particular zone only

2008-12-05 Thread Nabin Limbu
Hi,

I would like to enable views for only a few particular hosts.

Is there any way to match the zone name, i.e. domain name (not match-destination,
because the IP of the webserver is the same for all zones)?


With Regards
Nabin Limbu




Re: view based for particular zone only

2008-12-05 Thread Serge Fonville
At https://www.isc.org/software/bind/documentation/arm95#view_statement_grammar
you can see that you can specify the clients that get a certain view.
Hope this helps.

Regards,

Serge Fonville


Re: how to archieve this?

2008-12-05 Thread Chris Dew
Have you considered dynamically regenerating view definitions based on your
rules?

If the results of your rules are stable for minutes at a time, it may work.

Regards,

Chris.

2008/12/5 Ken DBA [EMAIL PROTECTED]

 --- On Fri, 12/5/08, Kevin Darcy [EMAIL PROTECTED] wrote:

  If you have money to spend, just buy a commercial
  load-balancing solution.

 I checked F5's 3DNS, it's about $40,000. Too expensive for us. :-(


Re: Oddities in my named.log. Can you explain?

2008-12-05 Thread Mark Andrews

There is a windows box configured to use your domain name
and it is trying to lookup/update the active directory
configuration.

Send a Cease and Desist letter stating that you are the
registered owner of the domain name in question and they
should cease using it.

Mark

In message [EMAIL PROTECTED], Keve Nagy writes:
 Hi Everyone,
 I see some oddities frequently showing up in our BIND logfiles.
 This is on the official primary NS for our domain.
 
 *Oddity_type#1*
 ... view external-in: query: server.EXAMPLE.COM IN SOA -E
 
 Please note that the only thing I changed here is the domain name. I did 
 not capitalize it, the original domain name also got logged this way. 
 And yes, the original hostname queried was server, I did not change 
 that either. These are repeatedly coming from the same source IP 
 address, once in every 10-70 minutes.
 We have never had a host named server. So why would an external 
 machine keep asking for a hostname we never had? Especially with such an 
 obvious name! Also, why is the domain part capitalized for these 
 queries, and not in any proper/legitimate query? I assume this is what 
 the query was for. The original request must have been for 
 server.EXAMPLE.COM, having the domain part this way capitalized in the 
 query itself.
 So why would a remote system look for a never existed host named 
 server in our system, with the domain name capitalized?
 Any legitimate reason you could think of?
 
 
 
 *Oddity_type#2*
 
 ... view external-in: query: server.EXAMPLE.COM IN SOA +
 ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
 
 Again note, that I only changed the name of the domain and I did not 
 alter the capitalization or the hostname. These are from another source 
 IP address, but always the same one. For some reason, also looking for 
 the host named server. And a few minutes later, it seems to try to 
 update the domain database.
 By the way, no host is allowed to update our DNS records. The zone files 
 are updated by hand only. And this has always been the case, no exceptions.
 
 
 
 *Oddity_type#3*
 
 ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA
 -E
 ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA
 -E
 ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve.
 _sites.dc._msdcs.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aee
 fb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
 ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdc
 s.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
 ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
 
 Look at these odd hostnames which are queried for!
 These are all systematically returning queries. And these come from 
 multiple source IP addresses.
 Are these queries legitimate? I mean, do you know of any system that may 
 be doing this? Are these strange hostname queries part of some standard 
 way identifying services and I just don't happen to know about this 
 standard?
 
 I would very much appreciate some feedback on these.
 Best regards,
 Keve Nagy * Debrecen * Hungary
 
 -- 
 if you need to reply directly:
 keve(at)mail(dot)poliod(dot)hu
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
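As an added example (not code from the thread): detection logic for the pattern Mark identifies, run over constructed log lines laid out like the BIND 9 query log that Keve's excerpts abbreviate. A Windows domain controller that believes it belongs to EXAMPLE.COM looks up the SOA of its service names (`_ldap._tcp.dc._msdcs`, `_kerberos._tcp`, `_kpasswd`, `_gc`) and of its own host name to find the server to update, then sends the dynamic update; the classifier tags those SOA probes, tags every update attempt whatever the logged outcome, and reports the client addresses that show either, which are the ones the letter should name. The client addresses, ports and timestamps in the sample are constructed.

```python
"""Added example, not code from the thread: classify BIND query-log lines
for the Active Directory DC-locator and dynamic-update pattern.

The sample lines below are constructed; the original post elided the
client address and timestamp fields.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Optional

SAMPLE_LOG = """\
05-Dec-2008 10:01:02.123 client 203.0.113.7#1025: view external-in: query: server.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:01:02.456 client 203.0.113.7#1025: view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:01:03.001 client 203.0.113.9#2048: view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
05-Dec-2008 10:05:00.000 client 198.51.100.4#53: view external-in: query: www.example.com IN A -
05-Dec-2008 10:05:01.000 client 198.51.100.4#53: view external-in: query: mail.example.com IN MX -E
05-Dec-2008 10:06:00.000 client 203.0.113.7#1025: view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: view (?P<view>\S+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)")
UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: view (?P<view>\S+): "
    r"updating zone '(?P<zone>[^']+)': update (?P<result>\w+)")

# Service names the Windows DC locator / netlogon registration asks for.
AD_NAME_RE = re.compile(
    r"(^|\.)_msdcs\.|^_(ldap|kerberos|kpasswd|gc)\._(tcp|udp)\.", re.IGNORECASE)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return {'ip', 'kind', 'detail'} for a recognised line, else None.

    kind is 'ad-locator' for an SOA lookup of an AD service name,
    'update-attempt' for any dynamic update, and 'query' for the rest.
    """
    m = UPDATE_RE.search(line)
    if m:
        return {"ip": m["ip"], "kind": "update-attempt", "detail": m["zone"]}
    m = QUERY_RE.search(line)
    if not m:
        return None
    if m["qtype"].upper() == "SOA" and AD_NAME_RE.search(m["qname"]):
        return {"ip": m["ip"], "kind": "ad-locator", "detail": m["qname"]}
    return {"ip": m["ip"], "kind": "query", "detail": m["qname"]}


def summarize(log_text: str) -> Dict[str, Counter]:
    """Count line kinds per client address."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec:
            per_ip[rec["ip"]][rec["kind"]] += 1
    return dict(per_ip)


def suspects(log_text: str) -> Dict[str, Counter]:
    """Clients that probe AD service names or try to update the zone: the
    misconfigured Windows machines Mark describes."""
    return {ip: c for ip, c in summarize(log_text).items()
            if c["ad-locator"] or c["update-attempt"]}


if __name__ == "__main__":
    for ip, counts in sorted(suspects(SAMPLE_LOG).items()):
        print(ip, dict(counts))
```

Keve's second oddity (an SOA query for a plain host name, then an update) is caught by the update line rather than the name pattern, which is why the report keys on either signal; a single address showing both is the strongest evidence of a domain controller, not a scanner.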


Re: Oddities in my named.log. Can you explain?

2008-12-06 Thread Keve Nagy

Michael Milligan wrote:

[Note: this is really off-topic for bind-users...]


How a Microsoft Active Directory controller works and what it does is
indeed off-topic in this news group. Your nudging is noted.
In my defense however, I couldn't have known this without the answer,
having only a strongly BIND related question. :-)

Now that I learnt that this is related to a Win2000 and Win2003
behaviour I agree, its further discussion doesn't belong here.
I am moving the topic to a more appropriate news group.


The first default site name was renamed to
Alapertelmezett-elso-hely-neve, this should give you a clue for tracking
this down.


Not really.
Alapertelmezett-elso-hely-neve translates directly to
Default-first-place-name. So I believe the remote host is just using a
localized language version of a windows server. :-)

Thanks for the pointers!
Your help is very much appreciated.

Regards,
Keve

--
if you need to reply directly:
keve(at)mail(dot)poliod(dot)hu



Re: named-checkconf error

2008-12-06 Thread Mark Andrews

named-checkzone calls getaddrinfo() to lookup addresses of servers
which are not in the zone.  That lookup has failed.

For a start I would fix this delegation error.  The NS RRset on both
sides of the delegation should be the same.

capmark.com.172800  IN  NS  ns1.gmaccm.com.
capmark.com.172800  IN  NS  ns2.gmaccm.com.
;; Received 116 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 175 ms

quarantine1.capmark.com. 7200   IN  A   216.83.188.21
capmark.com.86400   IN  NS  ns1.capmark.com.
capmark.com.86400   IN  NS  ns2.capmark.com.
;; Received 125 bytes from 216.83.188.8#53(ns1.gmaccm.com) in 227 ms

There may be other problems which may only be visible from where you
are performing the lookup.

Mark

In message [EMAIL PROTECTED], Steve Shockley writes:
 I'm running BIND 9.4.2 on OpenBSD 4.3.  I'm getting some errors with 
 named-checkconf I don't really understand.  I'm running:
 
 named-checkzone -t /var/named capmarksecurities.com 
 /master/db.capmarksecurities.com
 
 and I get:
 
 zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com) 
 failed: non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(quarantine2.capmark.com) 
 failed: non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(mailhost3.capmark.com) 
 failed: non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(mxo1.capmark.com) failed: 
 non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: getaddrinfo(mxo2.capmark.com) failed: 
 non-recoverable failure in name resolution
 zone capmarksecurities.com/IN: loaded serial 235310359
 OK
 
 The zone file:
 
 $ORIGIN .
 $TTL 86400  ; 1 day
 capmarksecurities.com   IN SOA  ns1.capmark.com. dnsadmin.capmark.com. (
  235310359  ; serial
  10800  ; refresh (3 hours)
  3600   ; retry (1 hour)
  604800 ; expire (1 week)
  86400  ; minimum (1 day)
  )
 $TTL 300; 5 minutes
  NS  ns1.capmark.com.
  NS  ns2.capmark.com.
 $TTL 900; 15 minutes
  MX  10 quarantine1.capmark.com.
  MX  10 quarantine2.capmark.com.
  MX  20 mailhost3.capmark.com.
  MX  200 mxo1.capmark.com.
  MX  200 mxo2.capmark.com.
 $ORIGIN capmarksecurities.com.
 $TTL 7200   ; 2 hours
 defeasance  CNAME   idealweb.capmark.com.
 investorguide   A   70.60.19.129
 $TTL 86400  ; 1 day
 www CNAME   www.capmark.com.
 
 This appears to happen with all zones with MX records that are in a 
 different zone.  The zone loads and seems to work as expected.  What's 
 going wrong?
 
 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: named-checkconf error

2008-12-08 Thread Chris Thompson

On Dec 7 2008, Mark Andrews wrote:


named-checkzone calls getaddrinfo() to lookup addresses of servers
which are not in the zone.  That lookup has failed.

For a start I would fix this delegation error.  The NS RRset on both
sides of the delegation should be the same.

capmark.com.            172800  IN  NS  ns1.gmaccm.com.
capmark.com.            172800  IN  NS  ns2.gmaccm.com.
;; Received 116 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 175 ms

quarantine1.capmark.com. 7200   IN  A   216.83.188.21
capmark.com.            86400   IN  NS  ns1.capmark.com.
capmark.com.            86400   IN  NS  ns2.capmark.com.
;; Received 125 bytes from 216.83.188.8#53(ns1.gmaccm.com) in 227 ms


It seems rather unlikely that this has anything to do with the OP's problem,
as the IP addresses of ns{1,2}.gmaccm.com and ns{1,2}.capmark.com are the
same, i.e. 216.83.188.{8,9}, in the glue as well as in the zones.

But technically, of course, Mark is right: you ought to fix this
(for gmaccm.com as well as for capmark.com).

In message [EMAIL PROTECTED], Steve Shockley wrote:

I'm running BIND 9.4.2 on OpenBSD 4.3.  I'm getting some errors with 
named-checkconf I don't really understand.  I'm running:


named-checkzone -t /var/named capmarksecurities.com 
/master/db.capmarksecurities.com


and I get:

zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com) 
failed: non-recoverable failure in name resolution

[etc.]
This appears to happen with all zones with MX records that are in a 
different zone.  The zone loads and seems to work as expected.  What's 
going wrong?


Something is wrong with the configuration of the host on which you
ran named-checkzone. Either its resolver configuration is screwed,
or getaddrinfo() isn't getting as far as using the resolver. Can
you do host address lookups at all there?

You can suppress the check by using -i local on named-checkzone
(see the man page). But it would be better to fix the configuration
problem, of course.

--
Chris Thompson
Email: [EMAIL PROTECTED]



Round robin DNS and only one record?

2008-12-08 Thread Dustin Lovell
Greetings all. Is it possible to set up BIND in such a way that if there are 
multiple A-records for a specific host, instead of returning all of them in 
response to a request and only changing the order with every second request, 
the server only returns one A-record, and varies that A-record with every 
second request?

A little background: I am preparing to retire an aging load-balancing appliance 
which does dynamic load balancing based on various criteria. In any given 
response to a request for an A-record, only one IP address is returned, thus:

;; ANSWER SECTION:
foo.test.com. 86400  IN  A   192.168.1.10

With every other request, the IP varies.

BIND's default behavior is to hand out both IPs, thus:

;; ANSWER SECTION:
foo.test.com. 86400  IN  A   192.168.1.10
foo.test.com. 86400  IN  A   192.168.1.11

With every other request, the IPs' order changes.

Certain browsers hitting our web application don't like having two A-records 
handed to them (I'm still in the process of figuring out why), and much prefer 
the first example above. We have two geographically dispersed locations, and 
too much traffic to realistically concentrate all of it to just one of the 
locations at present. Our load-balancer is near death, and I'm scrambling to 
replace it. I'm prepared to deal with the disaster-recovery scenario in which 
one of our locations becomes unavailable. My main objective is to replicate the 
behavior of our existing load balancer from the point of view of the end user, 
but ignore the dynamic aspect of it and use BIND to handle DNS.

Any help or advice would be greatly appreciated.

Best regards,
Dustin Lovell
America First Credit Union



Re: Round robin DNS and only one record?

2008-12-08 Thread Barry Margolin
In article [EMAIL PROTECTED],
 Dustin Lovell [EMAIL PROTECTED] wrote:

 Certain browsers hitting our web application don't like having two A-records 
 handed to them (I'm still in the process of figuring out why), and much 
 prefer the first example above.

Really?  So these browsers can't access www.google.com, which has four A 
records?

I don't think BIND can be forced to return only one A record at a time 
without code changes.  Why don't you replace your aging load balancer 
with a new load balancer?

-- 
Barry Margolin, [EMAIL PROTECTED]
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: dnsperf and BIND memory consumption

2008-12-09 Thread Dmitry Rybin
Hello!

I test patch, add to bind95/Makefile
.if (${ARCH} == amd64)
ARCH=   x86_64
.endif

work/bind-9.5.0-P2/config.log
uname -m = amd64
/usr/bin/uname -p = amd64
Target: amd64-undermydesk-freebsd
Configured with: FreeBSD/amd64 system compiler
ISC_ARCH_DIR='x86_32'
build='x86_64-portbld-freebsd7.0'
build_alias='x86_64-portbld-freebsd7.0'
build_cpu='x86_64'
host='x86_64-portbld-freebsd7.0'
host_cpu='x86_64'

I didn't find any affect, memory leak very quickly with threads support,
and slowly without threads.

FreeBSD xxx 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul  2 14:18:35 MSD
2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/H1  amd64


Vinny Abello wrote:

 so does this memory leak only occur if
 @ISC_ARCH_DIR@ is noatomic under FreeBSD amd64?
 and not when its x86_32 ?
 First off, note that I have no explicit evidence of memory leak.  But
 *if there is indeed leak in the FreeBSD pthread library*, the key is
 noatomic.  With this configuration named will call pthread
 locks/unlocks much, much heavier, so the problem may be observable
 more clearly.  named still uses pthread locks Even with x86_32, so it
 may just be leaking memory more slowly.

 Again, everything is just a guess and could be wrong.  We should seek
 advice from someone who knows FreeBSD library well.
 
 Just out of curiosity, why in theory is this not seen in prior versions of 
 BIND such as 9.4.2-P2 or 9.4.3 on the same FreeBSD 7.0 AMD64 platforms with 
 threading enabled in BIND?


-- 
Dmitry Rybin
Backbone Network Management
Information Systems Department
Head of the Emergency Recovery Group
Corbina Telecom
Tel: +7(495) 728-4000


Re: dnsperf and BIND memory consumption

2008-12-09 Thread ivan jr sy
Hi

can you verify if you're using the newly installed named.

did you configure your options to replace the base?

can you give us:

ldd /usr/sbin/named
ldd /usr/local/sbin/named

to my understanding, there should be no memory leak issue at all if you disable 
threads..

this post has always been directed to the concern of FreeBSD + amd64 platform + 
FreeBSD port dns/bind95 (BIND 9.5.0-P2) + threading enabled

thanks!

--- On Wed, 12/10/08, Dmitry Rybin [EMAIL PROTECTED] wrote:

 From: Dmitry Rybin [EMAIL PROTECTED]
 Subject: Re: dnsperf and BIND memory consumption
 To: Vinny Abello [EMAIL PROTECTED]
 Cc: JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL 
 PROTECTED], [EMAIL PROTECTED] [EMAIL PROTECTED]
 Date: Wednesday, December 10, 2008, 4:05 AM
 Hello!
 
 I test patch, add to bind95/Makefile
 .if (${ARCH} == amd64)
 ARCH=   x86_64
 .endif
 
 work/bind-9.5.0-P2/config.log
 uname -m = amd64
 /usr/bin/uname -p = amd64
 Target: amd64-undermydesk-freebsd
 Configured with: FreeBSD/amd64 system compiler
 ISC_ARCH_DIR='x86_32'
 build='x86_64-portbld-freebsd7.0'
 build_alias='x86_64-portbld-freebsd7.0'
 build_cpu='x86_64'
 host='x86_64-portbld-freebsd7.0'
 host_cpu='x86_64'
 
 I didn't find any affect, memory leak very quickly with
 threads support,
 and slowly without threads.
 
 FreeBSD xxx 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul  2
 14:18:35 MSD
 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/H1  amd64
 
 
 Vinny Abello wrote:
 
  so does this memory leak only occur if
  @ISC_ARCH_DIR@ is noatomic under
 FreeBSD amd64?
  and not when its x86_32 ?
  First off, note that I have no explicit evidence
 of memory leak.  But
  *if there is indeed leak in the FreeBSD pthread
 library*, the key is
  noatomic.  With this configuration
 named will call pthread
  locks/unlocks much, much heavier, so the problem
 may be observable
  more clearly.  named still uses pthread locks Even
 with x86_32, so it
  may just be leaking memory more slowly.
 
  Again, everything is just a guess and could be
 wrong.  We should seek
  advice from someone who knows FreeBSD library
 well.
  
  Just out of curiosity, why in theory is this not seen
 in prior versions of BIND such as 9.4.2-P2 or 9.4.3 on the
 same FreeBSD 7.0 AMD64 platforms with threading enabled in
 BIND?
 
 
 -- 
 Dmitry Rybin
 Backbone Network Management
 Information Systems Department
 Head of the Emergency Recovery Group
 Corbina Telecom
 Tel: +7(495) 728-4000


  

can't see nameserver externally

2008-12-09 Thread Davenport, Steve M
Hello,
 
I noticed that one of our nameservers is no longer responding with the
correct address externally. The server is  ns-2.hosp.utmck.edu and is
listed as a server in the registration record for utmck.edu. The address
should be 165.6.6.27 but a dig/nslookup from an external site returns
165.6.144.1. We do not have 165.6.144.1 in any of the zone files, but
this address is the external address of a broadband service manager in
our network. Using dig/nslookup on the local network verifies that
165.6.144.1 is not in the zone files or cache of our nameservers. The
name and address of our ns-2 resolve correctly internally. Can someone
please tell me how to identify and correct this problem.
 
$ORIGIN edu.
utmck       IN  NS  ns-2.hosp.utmck.edu.
            IN  NS  harley.mc.utmck.edu.
            IN  A   165.6.57.12
            IN  MX  10 chewy2.mc.utmck.edu.
            IN  MX  20 chewy.mc.utmck.edu.
            IN  SOA 165.6.131.32. root.harley.mc.utmck.edu.
                ( 200284
                  19 10800 1800 604800 7200 )
...
$ORIGIN hosp.utmck.edu.
ns-2        IN  A   165.6.6.27
...
$ORIGIN mc.utmck.edu.
harley      IN  A   165.6.131.32
 
Thanks for your help, Steve
 
 

RE: dnsperf and BIND memory consumption

2008-12-09 Thread Vinny Abello
 -Original Message-
 From: JINMEI Tatuya / 神明達哉 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 09, 2008 3:38 PM
 To: Vinny Abello
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: dnsperf and BIND memory consumption
 
 At Tue, 9 Dec 2008 15:26:25 -0500,
 Vinny Abello [EMAIL PROTECTED] wrote:
 
  Has anybody else tried this patch for you? I haven't had time to
  look into this at all. If nobody has tried this yet, I'll get around
  to it when I can and let you know the result.
 
 No one else other than by myself.  It worked perfectly for me, i.e., I
 could reproduce the problem and I could completely eliminate the leak
 with the patch.  One thing I was not certain about in an off-list
 discussion that led to this patch was that the patch reportedly solved
 the leak only partially.  I've been hoping to confirm that, but
 unfortunately I've not got any followup since then.
 
 So, basically, I believe the problem was solved, it would also help if
 you could confirm it.
 
 Thanks,
 
 ---
 JINMEI, Tatuya
 Internet Systems Consortium, Inc.

Jinmei,

I'll try to confirm when I have some spare time and let you know.

-Vinny



Re: Round robin DNS and only one record?

2008-12-09 Thread Kevin Darcy

Dustin Lovell wrote:
Certain browsers hitting our web application don't like having two A-records handed to them (I'm still in the process of figuring out why), 


Yeah, you really need to dig into that further, since we have *hundreds* 
of multi-A-record names, and we've never run into any browser problems 
because of it.


Misdiagnosis perhaps?

Now, it _is_ true that some browsers take a noticeably -- and thus 
perhaps unacceptably -- long time to fail over from one address to 
another, when given a multi-A-record DNS response and the first address, 
or the first _n_ addresses, are unreachable. But if all of the addresses 
are reachable, I'm not aware of any browsers that have an issue with 
multi-A-record DNS responses _per_se_. They are extremely common.


- Kevin



Re: can't see nameserver externally

2008-12-09 Thread Larry

Davenport, Steve M wrote:

Hello,
 
I noticed that one of our nameservers is no longer responding with the 
correct address externally. The server is  ns-2.hosp.utmck.edu and is 
listed as a server in the registration record for utmck.edu. The address 
should be 165.6.6.27 but a dig/nslookup from an external site returns 
165.6.144.1. We do not have 165.6.144.1 in any of the zone files, but 
this address is the external address of a broadband service manager in 
our network. Using dig/nslookup on the local network verifies that 
165.6.144.1 is not in the zone files or cache of our nameservers. The 
name and address of our ns-2 resolve correctly internally. Can someone 
please tell me how to identify and correct this problem.


Have you checked the IP registered for the NS?



ns-2.hosp.utmck.edu.    172800  IN  A   165.6.144.1
utmck.edu.              172800  IN  NS  harley.mc.utmck.edu.
utmck.edu.              172800  IN  NS  ns-2.hosp.utmck.edu.
;; Received 123 bytes from 192.31.80.30#53(D.GTLD-SERVERS.NET) in 27 ms




dig -tA ns-2.hosp.utmck.edu +trace

; <<>> DiG 9.2.4 <<>> -tA ns-2.hosp.utmck.edu +trace
;; global options:  printcmd
.   444765  IN  NS  F.ROOT-SERVERS.NET.
.   444765  IN  NS  G.ROOT-SERVERS.NET.
.   444765  IN  NS  H.ROOT-SERVERS.NET.
.   444765  IN  NS  I.ROOT-SERVERS.NET.
.   444765  IN  NS  J.ROOT-SERVERS.NET.
.   444765  IN  NS  K.ROOT-SERVERS.NET.
.   444765  IN  NS  L.ROOT-SERVERS.NET.
.   444765  IN  NS  M.ROOT-SERVERS.NET.
.   444765  IN  NS  A.ROOT-SERVERS.NET.
.   444765  IN  NS  B.ROOT-SERVERS.NET.
.   444765  IN  NS  C.ROOT-SERVERS.NET.
.   444765  IN  NS  D.ROOT-SERVERS.NET.
.   444765  IN  NS  E.ROOT-SERVERS.NET.
;; Received 500 bytes from 67.19.0.10#53(67.19.0.10) in 1 ms

edu.172800  IN  NS  D.GTLD-SERVERS.NET.
edu.172800  IN  NS  L.GTLD-SERVERS.NET.
edu.172800  IN  NS  G.GTLD-SERVERS.NET.
edu.172800  IN  NS  F.GTLD-SERVERS.NET.
edu.172800  IN  NS  A.GTLD-SERVERS.NET.
edu.172800  IN  NS  C.GTLD-SERVERS.NET.
edu.172800  IN  NS  E.GTLD-SERVERS.NET.
;; Received 305 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 48 ms

ns-2.hosp.utmck.edu.    172800  IN  A   165.6.144.1
utmck.edu.              172800  IN  NS  harley.mc.utmck.edu.
utmck.edu.              172800  IN  NS  ns-2.hosp.utmck.edu.
;; Received 123 bytes from 192.31.80.30#53(D.GTLD-SERVERS.NET) in 27 ms
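The two delegation problems in this digest (the capmark.com NS RRset that differs between parent and child, and the utmck.edu glue at the .edu servers that still says 165.6.144.1 while the zone says 165.6.6.27) are the same check done by eye on dig +trace output. The script below does that check mechanically: it takes the parent-side referral and the child-side authoritative records, reports NS sets that differ across the zone cut, and reports parent glue for an in-zone nameserver that disagrees with the child's own A record. This is an added example written for this thread, not code from BIND, dig or ISC; the record sets are copied from the dig output and zone fragments quoted above, except that the child-side TTLs for utmck.edu are assumed because the quoted zone fragment does not show them.

```python
"""Compare a parent-side referral with the child's authoritative data.

Added example for this thread; not part of BIND, dig or any ISC tool.
Record sets are copied from the dig output and zone fragments quoted in the
thread; the child-side TTLs for utmck.edu are assumed.
"""
from collections import defaultdict

# Parent-side referral for capmark.com (from G.GTLD-SERVERS.NET, as quoted).
CAPMARK_PARENT = """
capmark.com.            172800  IN  NS  ns1.gmaccm.com.
capmark.com.            172800  IN  NS  ns2.gmaccm.com.
"""
# Child-side answer from ns1.gmaccm.com, as quoted.
CAPMARK_CHILD = """
quarantine1.capmark.com. 7200   IN  A   216.83.188.21
capmark.com.            86400   IN  NS  ns1.capmark.com.
capmark.com.            86400   IN  NS  ns2.capmark.com.
"""
# Parent-side referral for utmck.edu (from D.GTLD-SERVERS.NET, as quoted).
UTMCK_PARENT = """
ns-2.hosp.utmck.edu.    172800  IN  A   165.6.144.1
utmck.edu.              172800  IN  NS  harley.mc.utmck.edu.
utmck.edu.              172800  IN  NS  ns-2.hosp.utmck.edu.
"""
# Child side, rebuilt from the zone fragment the poster showed (TTLs assumed).
UTMCK_CHILD = """
utmck.edu.              7200    IN  NS  ns-2.hosp.utmck.edu.
utmck.edu.              7200    IN  NS  harley.mc.utmck.edu.
ns-2.hosp.utmck.edu.    7200    IN  A   165.6.6.27
harley.mc.utmck.edu.    7200    IN  A   165.6.131.32
"""


def parse_rrs(text):
    """Parse dig-style 'owner ttl class type rdata' lines; skip blanks and ';' comments."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        rrs.append((owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata.lower()))
    return rrs


def check_delegation(zone, parent_rrs, child_rrs):
    """Return findings comparing the parent referral with the child's apex data.

    NS_MISMATCH: the NS RRsets on the two sides of the zone cut differ.
    STALE_GLUE:  parent glue for an in-zone nameserver disagrees with the
                 child's own address record for that name.
    """
    zone = zone.lower().rstrip(".") + "."
    findings = []

    parent_ns = {rdata for owner, _, _, rtype, rdata in parent_rrs
                 if owner == zone and rtype == "NS"}
    child_ns = {rdata for owner, _, _, rtype, rdata in child_rrs
                if owner == zone and rtype == "NS"}
    if parent_ns != child_ns:
        findings.append(("NS_MISMATCH", sorted(parent_ns ^ child_ns)))

    glue, auth = defaultdict(set), defaultdict(set)
    for owner, _, _, rtype, rdata in parent_rrs:
        if rtype in ("A", "AAAA"):
            glue[owner].add(rdata)
    for owner, _, _, rtype, rdata in child_rrs:
        if rtype in ("A", "AAAA"):
            auth[owner].add(rdata)

    for host in sorted(parent_ns | child_ns):
        # Only in-zone (in-bailiwick) nameserver names legitimately carry glue at the parent.
        in_zone = host == zone or host.endswith("." + zone)
        if in_zone and host in glue and host in auth and glue[host] != auth[host]:
            findings.append(("STALE_GLUE", host, sorted(glue[host]), sorted(auth[host])))
    return findings


if __name__ == "__main__":
    for zone, parent, child in (("capmark.com", CAPMARK_PARENT, CAPMARK_CHILD),
                                ("utmck.edu", UTMCK_PARENT, UTMCK_CHILD)):
        for finding in check_delegation(zone, parse_rrs(parent), parse_rrs(child)):
            print(zone, finding)
```

For capmark.com it reports an NS_MISMATCH naming all four servers; for utmck.edu the NS sets agree and it reports STALE_GLUE for ns-2.hosp.utmck.edu, which is the registrar-side record the poster needs to change. A stale glue record is not cosmetic: resolvers that follow the referral will send queries for the zone to whatever host now holds that address.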


Re: dnsperf and BIND memory consumption

2008-12-10 Thread Dmitry Rybin
Memory statistic
 start -  570M
 1 min -  913M
 2 min -  958M
 3 min - 1092M
 4 min - 1074M
 5 min - 1082M
10 min - 1217M
15 min - 1234M
60 min - 1513M

max-cache-size 800M;

Port installed only with Threads parameter, and patch in Makefile

.if (${ARCH} == amd64)
ARCH=   x86_64
.endif


===
# ps axw|grep named
/usr/local/sbin/named -t /var/named -u bind -c /etc/namedb/named.conf -t
/var/named -u bind
===
$ rndc status
version: 9.5.0-P2 (Unknown DNS1)
number of zones: 899
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 2
query logging is OFF
recursive clients: 286/9900/1
tcp clients: 0/100
server is up and running
===
(port installed)
$ldd /usr/local/sbin/named
/usr/local/sbin/named:
libcrypto.so.5 => /lib/libcrypto.so.5 (0x807bb000)
libthr.so.3 => /lib/libthr.so.3 (0x80a4d000)
libc.so.7 => /lib/libc.so.7 (0x80b63000)

(system standart)
$ldd /usr/sbin/named
/usr/sbin/named:
libcrypto.so.5 => /lib/libcrypto.so.5 (0x807a9000)
libthr.so.3 => /lib/libthr.so.3 (0x80a3b000)
libc.so.7 => /lib/libc.so.7 (0x80b51000)
===

ivan jr sy wrote:
 Hi
 
 can you verify if you're using the newly installed named.
 
 did you configure your options to replace the base?
 
 can you give us:
 
 ldd /usr/sbin/named
 ldd /usr/local/sbin/named
 
 to my understanding, there should be no memory leak issue at all if you 
 disable threads..
 
 this post has always been directed to the concern of FreeBSD + amd64 platform 
 + FreeBSD port dns/bind95 (BIND 9.5.0-P2) + threading enabled
 
 thanks!
 
 --- On Wed, 12/10/08, Dmitry Rybin [EMAIL PROTECTED] wrote:
 
 From: Dmitry Rybin [EMAIL PROTECTED]
 Subject: Re: dnsperf and BIND memory consumption
 To: Vinny Abello [EMAIL PROTECTED]
 Cc: JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL 
 PROTECTED], [EMAIL PROTECTED] [EMAIL PROTECTED]
 Date: Wednesday, December 10, 2008, 4:05 AM
 Hello!

 I test patch, add to bind95/Makefile
 .if (${ARCH} == amd64)
 ARCH=   x86_64
 .endif

 work/bind-9.5.0-P2/config.log
 uname -m = amd64
 /usr/bin/uname -p = amd64
 Target: amd64-undermydesk-freebsd
 Configured with: FreeBSD/amd64 system compiler
 ISC_ARCH_DIR='x86_32'
 build='x86_64-portbld-freebsd7.0'
 build_alias='x86_64-portbld-freebsd7.0'
 build_cpu='x86_64'
 host='x86_64-portbld-freebsd7.0'
 host_cpu='x86_64'

 I didn't find any affect, memory leak very quickly with
 threads support,
 and slowly without threads.

 FreeBSD xxx 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul  2
 14:18:35 MSD
 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/H1  amd64


 Vinny Abello wrote:

 so does this memory leak only occur if
 @ISC_ARCH_DIR@ is noatomic under
 FreeBSD amd64?
 and not when its x86_32 ?
 First off, note that I have no explicit evidence
 of memory leak.  But
 *if there is indeed leak in the FreeBSD pthread
 library*, the key is
 noatomic.  With this configuration
 named will call pthread
 locks/unlocks much, much heavier, so the problem
 may be observable
 more clearly.  named still uses pthread locks Even
 with x86_32, so it
 may just be leaking memory more slowly.

 Again, everything is just a guess and could be
 wrong.  We should seek
 advice from someone who knows FreeBSD library
 well.
 Just out of curiosity, why in theory is this not seen
 in prior versions of BIND such as 9.4.2-P2 or 9.4.3 on the
 same FreeBSD 7.0 AMD64 platforms with threading enabled in
 BIND?


Re: dnsperf and BIND memory consumption

2008-12-10 Thread Dmitry Rybin
JINMEI Tatuya / 神明達哉 wrote:
 At Tue, 09 Dec 2008 18:05:27 +0300,
 Dmitry Rybin [EMAIL PROTECTED] wrote:
 
 I test patch, add to bind95/Makefile
 .if (${ARCH} == amd64)
 ARCH=   x86_64
 .endif
 
 Future versions of BIND9 will support amd64 in its configure script to
 workaround the FreeBSD port for amd64.
 
 Regarding the memory leak, I believe it's already solved in 9.5.1rc1
 (even with threads and without atomic).

I just make port bind 9.5.1rc1. It has same problem with memory leak.
It grows from 670M on startup, to 1,4Gb after 20 minutes of work.

grep x86 work/bind-9.5.1rc1/config.log
ISC_ARCH_DIR='x86_32'
build='x86_64-portbld-freebsd7.0'
build_alias='x86_64-portbld-freebsd7.0'
build_cpu='x86_64'
host='x86_64-portbld-freebsd7.0'
host_cpu='x86_64'


Re: dnsperf and BIND memory consumption

2008-12-10 Thread ivan jr sy
Hi,

is it possible to see your named.conf
what is the methodology of the test? is it for authoritative queries? 
recursive? or both? at the same time?

my patch for the port is the same as yours...

thanks!
===
.if ${ARCH} == amd64
ARCH=x86_64
.endif



--- On Thu, 12/11/08, Dmitry Rybin [EMAIL PROTECTED] wrote:

 From: Dmitry Rybin [EMAIL PROTECTED]
 Subject: Re: dnsperf and BIND memory consumption
 To: JINMEI Tatuya / 神明達哉 [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED] [EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL 
 PROTECTED]
 Date: Thursday, December 11, 2008, 1:50 AM
 JINMEI Tatuya / 神明達哉 wrote:
  At Tue, 09 Dec 2008 18:05:27 +0300,
  Dmitry Rybin [EMAIL PROTECTED] wrote:
  
  I test patch, add to bind95/Makefile
  .if (${ARCH} == amd64)
  ARCH=   x86_64
  .endif
  
  Future versions of BIND9 will support amd64 in its
 configure script to
  workaround the FreeBSD port for amd64.
  
  Regarding the memory leak, I believe it's already
 solved in 9.5.1rc1
  (even with threads and without atomic).
 
 I just make port bind 9.5.1rc1. It has same problem with
 memory leak.
 It grows from 670M on startup, to 1,4Gb after 20 minutes of
 work.
 
 grep x86 work/bind-9.5.1rc1/config.log
 ISC_ARCH_DIR='x86_32'
 build='x86_64-portbld-freebsd7.0'
 build_alias='x86_64-portbld-freebsd7.0'
 build_cpu='x86_64'
 host='x86_64-portbld-freebsd7.0'
 host_cpu='x86_64'
 


  

GTLD servers still promoting glue to answer :-(

2008-12-10 Thread Chris Thompson

On Oct 25 2008, Stephane Bortzmeyer wrote:


On Fri, Oct 24, 2008 at 08:14:42PM +1100,
Mark Andrews [EMAIL PROTECTED] wrote 
a message of 38 lines which said:



Because the Atlas servers are based on old code and because
there are delegations that only work in COM and NET because
the servers promote glue to answer.


At the last OARC http://www.dns-oarc.net/ meeting in Ottawa
(september 2008), Matt Larson (Verisign) announced that .com and
.net name servers will soon change to the proper behaviour (this
triggered a lot of applause.


As the recent thread (can't see nameserver externally) reminds us
-- for edu rather than com/net, but there can't really be a
difference, can there? the nameservers are just a subset --
glue promotion is still happening. One has to wonder what soon
means,

--
Chris Thompson
Email: [EMAIL PROTECTED]


DNS issues with tmomail.net

2008-12-10 Thread David Ford
I frequently send short messages to some cellphone users on
tmomail.net.  Several weeks ago I started noticing that bind is having
problems keeping records for tmomail once they get stale.  Specifically
the MX record.  If I restart bind, I can immediately get the MX record
again.

I'm running 9.5.0_p2 (9.5.0_p2-r1) on Gentoo.

Is anyone else noticing this?

-david

--
Linux: freedom to build is good
please top-post and trim when replying to my messages.  i most often
read mail on a small device.


Re: DNS issues with tmomail.net

2008-12-10 Thread Sam Wilson
In article [EMAIL PROTECTED],
 David Ford [EMAIL PROTECTED] wrote:

 I frequently send short messages to some cellphone users on
 tmomail.net.  Several weeks ago I started noticing that bind is having
 problems keeping records for tmomail once they get stale.  Specifically
 the MX record.  If I restart bind, I can immediately get the MX record
 again.
 
 I'm running 9.5.0_p2 (9.5.0_p2-r1) on Gentoo.
 
 Is anyone else noticing this?

I hadn't noticed it but all the records in the response to a request for 
the MX for tmomail.net have a TTL of 60 seconds, that's the MX record, 
the NS authority record and the additional A record.  The names in the 
delegation NS records for for tmomail.net are different from the 
authoritative ones, though they seem to be the same servers.  There's 
considerable opportunity there for things to go wrong, though it all 
seems to work fine from here.

Sam


Re: DNS issues with tmomail.net

2008-12-10 Thread David Ford
Sam Wilson wrote:
 I hadn't noticed it but all the records in the response to a request for 
 the MX for tmomail.net have a TTL of 60 seconds, that's the MX record, 
 the NS authority record and the additional A record.  The names in the 
 delegation NS records for for tmomail.net are different from the 
 authoritative ones, though they seem to be the same servers.  There's 
 considerable opportunity there for things to go wrong, though it all 
 seems to work fine from here.
   
It will work for hours, sometimes a day before bind is unable to fetch records 
for it again.  But immediately upon restarting bind, bind is able to go fetch 
records for it.  I understand that the records for tmomail.net are problematic 
but what makes the difference in bind from running a while vs. a fresh restart 
when it comes to fetching records?  Why would it be 100% successful on restart?
-- 
Linux: freedom to build is good
please top-post and trim when replying to my messages.  i most often read mail 
on a small device.



Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
I did some testing with this couple a months ago and it seams like AD is
following the NS directive in the SOA.

The design I used in my test-case was to put AD as an authoritative updater
of the specified zone on my master, once updated the BIND master was
responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND
slave-servers for the zone, and vice versa configure your slaves to have the
AD as master for the zone, what I've experienced is that updates of new
records tends to be REALLY slow, thus I would go with the first option.

/Jonathan

On Wed, Dec 10, 2008 at 8:17 AM, Nicholas F Miller 
[EMAIL PROTECTED] wrote:

 I have a couple of questions regarding how a Microsoft domain controller
 updates a dynamic zone.

 1 ) When a domain controller tries to update the zone does it try the DNS
 servers it has listed in its network settings or does it follow the SOA for
 the zone?

 2) In the configs below does the slave server's IP need to be listed in the
 allow-update declaration on the master zone server?

 Master Server - 1.2.3.4

 zone "actived.example.com" {
     type master;
     file "named.ad";
     allow-update {
         1.2.3.4;        // master DNS server
         11.22.33.44;    // domain controller 1
         55.66.77.88.99; // domain controller 2 (as posted: five octets, not a valid IPv4 address)
     };
     allow-transfer {
         5.6.7.8;        // slave DNS server
     };
 };

 Slave Server - 5.6.7.8

 zone "actived.example.com" {
     type slave;
     file "named.ad";
     allow-update-forwarding {
         11.22.33.44;    // domain controller 1
         55.66.77.88.99; // domain controller 2 (as posted: five octets, not a valid IPv4 address)
     };
     allow-transfer { none; };
     masters {
         1.2.3.4;        // master DNS server
     };
 };

 Thanks,
 
 Nicholas Miller, ITS, University of Colorado at Boulder



Re: DDNS and allow-update declarations

2008-12-10 Thread bsfinkel
Nicholas F Miller [EMAIL PROTECTED] wrote:

I have a couple of questions regarding how a Microsoft domain  
controller updates a dynamic zone.

1 ) When a domain controller tries to update the zone does it try the  
DNS servers it has listed in its network settings or does it follow  
the SOA for the zone?

2) In the configs below does the slave server's IP need to be listed  
in the allow-update declaration on the master zone server?

Master Server - 1.2.3.4

zone "actived.example.com" {
    type master;
    file "named.ad";
    allow-update {
        1.2.3.4;        // master DNS server
        11.22.33.44;    // domain controller 1
        55.66.77.88.99; // domain controller 2 (as posted: five octets, not a valid IPv4 address)
    };
    allow-transfer {
        5.6.7.8;        // slave DNS server
    };
};

Slave Server - 5.6.7.8

zone "actived.example.com" {
    type slave;
    file "named.ad";
    allow-update-forwarding {
        11.22.33.44;    // domain controller 1
        55.66.77.88.99; // domain controller 2 (as posted: five octets, not a valid IPv4 address)
    };
    allow-transfer { none; };
    masters {
        1.2.3.4;        // master DNS server
    };
};

1) All updates for a zone need to be sent to the master server for that
   zone, as only the master can perform updates.  And one cannot assume
   that updates sent to a slave server will be forwarded to the
   master.  And the only place in DNS where the master server is listed
   is in the SOA record.

2) I am not sure of the answer.  If a DNS update is sent to a slave
   server and then forwarded to the master, I assume that the master
   will see the request as coming from the real source and not from
   the forwarding slave server.  So, I assume that the slave server is
   not updating the master, and thus does not need to be listed in the
   allow-update declaration.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994
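What the allow-update and allow-update-forwarding ACLs above are gating is a DNS UPDATE message (RFC 2136): opcode 5, a zone section naming the zone's SOA, optional prerequisites, and the RRs to add or delete. The script below builds one such message for the zone in the question, parses it back, and evaluates a BIND-style address ACL against it. This is an added example written for this thread, not BIND's or nsupdate's own code; the addresses are the ones used in the question, and the master's allow-update list is constructed here from two of them. One caveat worth keeping in mind when reading the second config: BIND's ARM warns that enabling update forwarding on a slave can expose a master that relies on address-based access control, because the master receives the forwarded request from the slave, so an allow-update list made only of client addresses either rejects the forwarded update or, if the slave is added to it, accepts anything the slave chooses to forward.

```python
"""DNS UPDATE (RFC 2136) on the wire, plus a BIND-style address-ACL check.

Added example for this thread; hypothetical helper code, not BIND's or
nsupdate's own implementation. Addresses are the ones used in the thread.
"""
import ipaddress
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1


def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(msg, off):
    """Read an uncompressed name at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers not supported here")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def read_rr(msg, off):
    """Read one RR as (owner, type, class, ttl, rdata); return it and the next offset."""
    owner, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    return (owner, rtype, rclass, ttl, msg[off:off + rdlen]), off + rdlen


def build_update(zone, owner, ttl, ipv4, msg_id=0x1234):
    """UPDATE adding one A RR: header, zone section, no prerequisites, one update RR."""
    flags = OPCODE_UPDATE << 11                                  # QR=0, OPCODE=5, no other bits
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)   # ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = ipaddress.IPv4Address(ipv4).packed
    update_rr = (encode_name(owner)
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_section + update_rr


def parse_update(msg):
    """Decode an UPDATE; return the zone it targets and the RRs in its update section."""
    msg_id, flags, zocount, prcount, upcount, _adcount = struct.unpack_from("!HHHHHH", msg, 0)
    if ((flags >> 11) & 0xF) != OPCODE_UPDATE or zocount != 1:
        raise ValueError("not a well-formed UPDATE (opcode or zone count)")
    zone, off = decode_name(msg, 12)
    ztype, _zclass = struct.unpack_from("!HH", msg, off)
    off += 4
    if ztype != TYPE_SOA:
        raise ValueError("zone section must have type SOA")
    for _ in range(prcount):              # prerequisites are RRs too; skipped here
        _, off = read_rr(msg, off)
    updates = []
    for _ in range(upcount):
        (owner, rtype, _rclass, ttl, rdata), off = read_rr(msg, off)
        value = (str(ipaddress.IPv4Address(rdata))
                 if rtype == TYPE_A and len(rdata) == 4 else rdata.hex())
        updates.append((owner, rtype, ttl, value))
    return {"id": msg_id, "zone": zone, "updates": updates}


def acl_permits(source_ip, acl):
    """BIND-style address ACL: first matching element wins, '!' negates, default deny."""
    addr = ipaddress.ip_address(source_ip)
    for element in acl:
        negated = element.startswith("!")
        if addr in ipaddress.ip_network(element.lstrip("!"), strict=False):
            return not negated
    return False


# The master's allow-update list, constructed from addresses in the question.
MASTER_ALLOW_UPDATE = ["1.2.3.4", "11.22.33.44"]
SLAVE_ADDR = "5.6.7.8"


def master_accepts(update_source):
    """Would the master's allow-update ACL accept a packet arriving from this address?"""
    return acl_permits(update_source, MASTER_ALLOW_UPDATE)


if __name__ == "__main__":
    msg = build_update("actived.example.com.", "dc1.actived.example.com.", 3600, "11.22.33.44")
    print(parse_update(msg))
    print("sent directly by the DC:", master_accepts("11.22.33.44"))
    print("forwarded by the slave: ", master_accepts(SLAVE_ADDR))
```

Run as is, the update sent directly from the domain controller passes the master's ACL and the same update relayed by the slave does not, which is the outcome the question's configs would produce if the slave ever forwarded anything. Address-based ACLs are also only as strong as the UDP source address they inspect; that is the reason the ARM's own recommendation for update access control on the master is a key-based (TSIG) policy rather than an IP list.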


Re: dnsperf and BIND memory consumption

2008-12-10 Thread JINMEI Tatuya / 神明達哉
At Wed, 10 Dec 2008 15:50:22 +0300,
Dmitry Rybin [EMAIL PROTECTED] wrote:
 
 JINMEI Tatuya / 神明達哉 wrote:
  At Tue, 09 Dec 2008 18:05:27 +0300,
  Dmitry Rybin [EMAIL PROTECTED] wrote:
  
  I test patch, add to bind95/Makefile
  .if (${ARCH} == amd64)
  ARCH=   x86_64
  .endif
  
  Future versions of BIND9 will support amd64 in its configure script to
  workaround the FreeBSD port for amd64.
  
  Regarding the memory leak, I believe it's already solved in 9.5.1rc1
  (even with threads and without atomic).
 
 I just make port bind 9.5.1rc1. It has same problem with memory leak.
 It grows from 670M on startup, to 1,4Gb after 20 minutes of work.

Can you first fall back to the vanilla 9.5.1rc1 (i.e., not FreeBSD
port) so that we can separate FreeBSD-port specific issue and BIND9
specific leak?

Second, what if you stop named by 'rndc stop'?  If there's memory leak
in BIND9, it normally detects it during a cleanup process and
indicates the bug by aborting (core dumping) itself.

If it doesn't cause an abort, please then try the diagnosis I
suggested before:
http://marc.info/?l=bind-users&m=121811979629090&w=2
 
To summarize it:

1. create a symbolic link from /etc/malloc.conf to X:
   # ln -s X /etc/malloc.conf
2. start named with a moderate limitation of virtual memory size, e.g.
   # /usr/bin/limits -v 384m $path_to_named/named command line options
(note that 384m should be reasonably large compared with
max-cache-size.  I'd suggest setting max-cache-size to 128M and
setting 'limits -v' to 512m).
3. Then the named process will eventually abort itself with a core dump
   due to malloc failure.  Please show us the stack trace at that point.
   Hopefully it will reveal the malloc call that keeps consuming memory.

In fact, I myself successfully identified one leak in 9.5.0-P2 with
FreeBSD port this way.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
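The three diagnosis steps above, wrapped in a small POSIX shell script. This is an added example, not code from the thread or from ISC: the named binary path, the core file name, the example named.conf path and the "at least 2x max-cache-size" headroom ratio are assumptions made here to turn JINMEI's "reasonably large" advice into a check that runs before named is started.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper around the FreeBSD
# malloc(3) diagnosis JINMEI describes. The named path, the core file
# name and the 2x headroom ratio are assumptions made for this example.

# Convert a size such as 384m, 128M, 1g or 4096 to bytes.
to_bytes() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# The thread's caveat: the VM limit must be reasonably large compared
# with max-cache-size, or named aborts on ordinary cache growth instead
# of on a leak. This check demands at least 2x headroom (assumed ratio).
limit_ok() {
    limit=$(to_bytes "$1")
    cache=$(to_bytes "$2")
    [ "$limit" -ge $((cache * 2)) ]
}

# Step 1: /etc/malloc.conf -> X makes a failed allocation abort the
# process (core dump) instead of returning NULL; step 3 relies on that.
setup_malloc_conf() {
    [ -L /etc/malloc.conf ] || ln -s X /etc/malloc.conf
}

# Step 2: start named under a virtual-memory limit, e.g.
#   run_named_limited 512m 128M -c /usr/local/etc/namedb/named.conf
# (the config path is only an example).
run_named_limited() {
    limit="$1"; cache="$2"; shift 2
    limit_ok "$limit" "$cache" || {
        echo "limit $limit is too small for max-cache-size $cache" >&2
        return 1
    }
    setup_malloc_conf
    /usr/bin/limits -v "$limit" /usr/local/sbin/named "$@"
}

# Step 3: once named has dumped core, print the stack trace to post to
# the list. The core file name is an assumption (kern.corefile decides).
show_backtrace() {
    core="${1:-named.core}"
    gdb -batch -ex bt /usr/local/sbin/named "$core"
}
```

Only `to_bytes` and `limit_ok` are portable; `run_named_limited` uses FreeBSD's `limits(1)` and `show_backtrace` assumes gdb is installed, so neither is called unless you invoke it yourself.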


Re: DDNS and allow-update declarations

2008-12-10 Thread Nicholas F Miller

Barry & Jonathan,

Thanks for the quick replies. Your responses go along with my findings
as well. I am trying to clean up some of our configs. The DDNS zones
just didn't look right to me and I wanted to confirm what I was
thinking.


Jonathan, I tested things on a test DC by pointing it at a DNS server
here that wasn't authoritative for its zone. When I made a change, the
update happened almost immediately on the master server. This behavior
follows the logic of updates following the SOA.


Barry, from what I can find, I don't think the slave needs to be listed,
nor does the master, in the allow-update directive. If I have time
tomorrow I might test this out in our test AD.


Nicholas Miller, ITS, University of Colorado at Boulder

On Dec 10, 2008, at 10:42 AM, Jonathan Petersson wrote:

I did some testing with this a couple of months ago and it seems like
AD is following the NS directive in the SOA.


The design I used in my test case was to put AD as an authoritative
updater of the specified zone on my master; once updated, the BIND
master was responsible for updating the slaves.


Something you can do is add NS records in AD pointing at your BIND
slave servers for the zone, and vice versa configure your slaves to
have the AD as master for the zone. What I've experienced is that
updates of new records tend to be REALLY slow, thus I would go with
the first option.


/Jonathan


On Dec 10, 2008, at 10:48 AM, [EMAIL PROTECTED] wrote:

1) All updates for a zone need to be sent to the master server for that
   zone, as only the master can perform updates.  And one cannot assume
   that updates sent to a slave server will be forwarded to the
   master.  And the only place in DNS where the master server is listed
   is in the SOA record.

2) I am not sure of the answer.  If a DNS update is sent to a slave
  server and then forwarded to the master, I assume that the master
  will see the request as coming from the real source and not from
  the forwarding slave server.  So, I assume that the slave server is
  not updating the master, and thus does not need to be listed in the
  allow-update declaration.



Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
On Wed, Dec 10, 2008 at 4:00 PM, Mark Andrews [EMAIL PROTECTED] wrote:


 In message [EMAIL PROTECTED], Nicholas F Miller writes:
  I have a couple of questions regarding how a Microsoft domain
  controller updates a dynamic zone.
 
  1 ) When a domain controller tries to update the zone does it try the
  DNS servers it has listed in its network settings or does it follow
  the SOA for the zone?

 There are knowledge base articles which describe this fully.
 I suggest that you search the Microsoft knowledge base for
 the complete answer.


http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

<cut>

DNS Master server migration.

2008-12-10 Thread Chris Henderson
I'm migrating away from my 12 year old Solaris master DNS server to a
new Linux based master server. I'm looking for suggestions on how to
make the transition smooth without any downtime. The IP address of the
new server will be different and so will be the hostname that will
show up in the whois record. Is there any way to run two masters at the
same time and, when I know the new master is working, turn off
the old one? Would that be a good idea? I am open to any suggestions.

Thanks.


Re: DNS Master server migration.

2008-12-10 Thread Chris Buxton

Step 1: Set up the new master as a clone of the old master.

Step 2: Reconfigure/demote the old master to the status of slave. All
other slaves will continue to get updates from the old master/new
slave, and the magic of DNS notify will make replication from new
master to old master to others quick and painless, once you have
completed...


Step 3: Update the NS RRsets and SOA records of all zones to reflect
the existence of the new master. This will cause DNS notify to
function properly. Make sure you update the zone serial numbers as well.


Step 4: Reconfigure all slaves to refer to the new master instead of
(or in addition to and in preference to) the old master. This will
allow you to remove the old master if you wish to do so, and will make
the chain of replication that much shorter and more reliable.


Step 5: If you plan to remove the old master, go ahead and do so in
all locations: registration records (delegation and glue records at
parent zone(s)), zone NS records, possibly even the old master's A
record. Wait a few days after doing this before...


Step 6: Finally retire the old master.

Chris Buxton
Men & Mice

On Dec 10, 2008, at 10:00 PM, Chris Henderson wrote:


I'm migrating away from my 12 year old Solaris master DNS server to a
new Linux based master server. I'm looking for suggestions on how to
make the transition smooth without any downtime. The IP address of the
new server will be different and so will be the hostname that will
show up in the whois record. Is there any way to run two masters at the
same time and, when I know the new master is working, turn off
the old one? Would that be a good idea? I am open to any suggestions.

Thanks.


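A way to verify steps 3 and 4 of Chris Buxton's migration sequence, and at the same time the point made in the allow-update thread that dynamic updates follow the SOA: before retiring the old master, confirm from every server's point of view that the SOA MNAME is the new master, that the serials agree, and that the new master is in the NS RRset. This is an added example, not code from either thread or from ISC; the zone and host names (example.net, ns-new, ns-old, ns2) and the sample dig answers are constructed, and the checking functions are written so they can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): offline-testable checks for the
# master cutover and for the "updates go to the SOA MNAME" rule. Host
# names and the sample dig answers are constructed.

# Fields of a `dig +short SOA <zone> @<server>` answer line, e.g.
#   ns-new.example.net. hostmaster.example.net. 2008121001 3600 900 604800 86400
soa_mname()  { printf '%s\n' "$1" | awk '{print $1}'; }
soa_serial() { printf '%s\n' "$1" | awk '{print $3}'; }

# Succeeds if every SOA line given as an argument carries the same serial.
serials_in_sync() {
    first=$(soa_serial "$1")
    for line in "$@"; do
        [ "$(soa_serial "$line")" = "$first" ] || return 1
    done
    return 0
}

# Succeeds if name $1 appears in the newline-separated NS RRset $2
# (the shape of `dig +short NS <zone>` output).
ns_contains() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# Combined cutover check over SOA lines collected from several servers:
#  - MNAME on every server is the new master: DDNS clients send updates
#    there, and BIND leaves the MNAME host out of the NOTIFY targets;
#  - serials agree, i.e. notify/transfer from the new master has landed;
#  - the new master is in the NS RRset, so it is notified like any other
#    server and the parent delegation can be pointed at it (step 5).
cutover_ok() {
    new_master="$1"; ns_rrset="$2"; shift 2
    for line in "$@"; do
        [ "$(soa_mname "$line")" = "$new_master" ] || {
            echo "SOA MNAME still points elsewhere: $line" >&2; return 1; }
    done
    serials_in_sync "$@" || {
        echo "serials differ across servers" >&2; return 1; }
    ns_contains "$new_master" "$ns_rrset" || {
        echo "$new_master missing from NS RRset" >&2; return 1; }
}

# Live variant: asks each server with dig(1), so it needs the network.
#   check_cutover_live example.net ns-new.example.net. ns-old.example.net. ns2.example.net.
check_cutover_live() {
    zone="$1"; new_master="$2"; shift 2
    ns_rrset=$(dig +short NS "$zone" "@$new_master")
    soa_lines=""
    for server in "$new_master" "$@"; do
        soa_lines="$soa_lines
$(dig +short SOA "$zone" "@$server")"
    done
    old_ifs=$IFS; IFS='
'
    set -- $soa_lines
    IFS=$old_ifs
    cutover_ok "$new_master" "$ns_rrset" "$@"
}
```

Run `check_cutover_live` against the new master, the old master (now a slave) and every other slave; a non-zero exit with the message on stderr tells you which of the three conditions is still unmet, which is the cue to hold off on step 5.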
