Do TLD glue records support round robin replies?

2015-08-17 Thread MURTARI, JOHN
Folks, Our normal procedure when changing the IP address of a TLD name server is to get the new server responding properly and then update the glue records with the Registrar to reflect the new address, normally 1-2 days apart for two nameservers. We monitor query traffic on

Ability to limit memory usage for zones on an authoritative server.

2016-06-02 Thread MURTARI, JOHN
Folks, From some lab testing it appears the answer to the above question is NO but hope springs eternal! We'd like to limit RAM usage by BIND (9.9.8/RHEL) on some authoritative test servers. A load of configured zones would require over 10 Gig of RAM, but

RE: Problem in Performance test

2016-01-15 Thread MURTARI, JOHN
--- Original Msg - From: "RunxiaWan" Subject: Problem in Performance test Hi all, I am doing performance test for my company's resolver with BIND 9.10.3 and find something weird. The test client and resolver are in the same LAN. When I use a small set of domain as

RE: Mitigation of server's load by queries for non-existing domains

2016-01-13 Thread MURTARI, JOHN
Tony, Didn't see this mentioned in the other thread messages, but depending on what version of BIND you are using you may find a lot of benefit in using the Response Rate Limiting (RRL) feature. https://www.isc.org/blogs/bind-9-9-4-released/ We have found it to be VERY

RE: What is the use of having a chroot path during installation

2016-01-14 Thread MURTARI, JOHN
-Original Message- From: Harshith Mulky To: "bind-users@lists.isc.org" Subject: What is the use of having a chroot path during installation of Bind When installing bind, the following 2 are installed

Resolver optimization of auth selection - Truth or Myth?

2016-02-08 Thread MURTARI, JOHN
Folks, Just trying to settle a question on BIND based resolver operation. When given multiple authoritative servers for a zone, does it optimize selection based on auth server response times? For example: --- I'm located in Sydney, Australia and my ISP has

Complete DNS fake root setup example

2016-01-20 Thread MURTARI, JOHN
Folks, Had to do some testing where we wanted our own insulated fake root environment. We wanted to start from simulated root name servers. I was surprised I couldn't find a complete example even after some extensive searches. The concepts are easy, but the

RE: Complete DNS fake root setup example

2016-01-20 Thread MURTARI, JOHN
--- Original msg On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote: > Folks, > Had to do some testing where we wanted our own > insulated fake root environment. We wanted to start > from simulated root name servers. I was

Reducing memory usage by using db storage - performance?

2016-03-24 Thread MURTARI, JOHN
Folks, Recently been looking at servers that host almost 200K ARPA zones and load about 80 million resource records. They run on good hardware and take only a few minutes to load the zones on a clean start. The issue is memory utilization of about 23 Gig in RAM.

Re: what does "max-ncache-ttl 0;" mean?

2016-03-02 Thread MURTARI, JOHN
Folks, Never has so little been said by so many? The OP asked: == man pages for named.conf says "max-ncache-ttl " and only talks about default values and max values - no mention of minimum-value. Does "max-ncache-ttl 0;" mean never cache negative queries (queries resulting

Re: Bind Queries log file format

2017-02-06 Thread MURTARI, JOHN
> We may move it to the end of the log message (bugs ticket #44606 has > been created for looking at it). Maybe its location was poor.. please > can everyone who participated in this thread say whether having it at > the end will be ok? It's really only for code debug. I'd say give the admin a

RE: Bind Queries log file format

2017-02-06 Thread MURTARI, JOHN
> From: Warren Kumari [mailto:war...@kumari.net] > Customer: "My BIND went Boom! It's been running fine for many years, > and then for no reason at all it went Boom. Here are my log files..." > ISC: "Doh. Sorry. Unfortunately the log file doesn't have sufficient > debug info. Can you please turn

RE: Bind Queries log file format

2017-02-03 Thread MURTARI, JOHN
Folks at ISC, > I agree, there are an awful lot of systems and SIEM products that process > querylogs. This one change will require a huge amount > of re-engineering > work in customer environments. You know we love you and the work you do! But changing that log format was really a
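The thread above is about SIEM pipelines breaking when the query-log line shape changes. The parser below is an added example, not code from the thread or from ISC. It assumes the change under discussion is the client-object pointer (`client @0x7f... 192.0.2.10#53012 ...`) that BIND 9.11 inserted after the word `client`, and it accepts lines both with and without it, with or without a `view` field, so one regex survives the upgrade. The log lines are constructed for the example, not captured from a real server.

```python
"""Parse BIND query-log lines from both the 9.9 and the 9.11 formats.

Added example; it is not code from the thread or from ISC. It assumes the
format change the thread discusses is the client-object pointer
("client @0x7f... 192.0.2.10#53012 ...") that BIND 9.11 inserted after the
word "client"; the log lines below are constructed, not captured.
"""

import re
from collections import Counter
from typing import Iterable, List, Optional

QUERY_RE = re.compile(
    r'^(?:(?P<stamp>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?'  # optional timestamp
    r'(?:queries: (?P<severity>\w+): )?'                             # optional category/severity
    r'client (?:@0x[0-9a-f]+ )?'                                     # 9.11 pointer, optional
    r'(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+)'
    r'(?: \((?P<qname_paren>[^)]*)\))?: '
    r'(?:view (?P<view>\S+): )?'
    r'query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)'
    r' \((?P<server>[0-9a-fA-F.:]+)\)$'
)

# Constructed sample: a 9.9-style line, a 9.11-style line with the pointer and
# a view, an IPv6 client, and a non-query line a SIEM filter must skip.
SAMPLE_LOG = """\
03-Feb-2017 09:12:01.123 queries: info: client 192.0.2.10#53012 (www.example.com): query: www.example.com IN A +E (198.51.100.1)
03-Feb-2017 09:12:01.456 queries: info: client @0x7f3c9c0d2f10 192.0.2.10#53013 (mail.example.com): view internal: query: mail.example.com IN MX +E(0)K (198.51.100.1)
03-Feb-2017 09:12:02.000 queries: info: client 2001:db8::25#49152 (example.net): query: example.net IN AAAA - (2001:db8::53)
03-Feb-2017 09:12:02.500 notify: info: client 192.0.2.99#53: received notify for zone 'example.com'
"""


def parse_query_line(line: str) -> Optional[dict]:
    """Return the fields of one query-log line, or None if it is not a query line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['port'] = int(rec['port'])
    # First flag character: '+' means RD set, '-' means RD clear (both formats).
    rec['recursion_desired'] = rec['flags'].startswith('+')
    return rec


def parse_log(lines: Iterable[str]) -> List[dict]:
    """Parse every query line in LINES, silently skipping non-query lines."""
    return [rec for rec in map(parse_query_line, lines) if rec is not None]


def count_by_client(records: Iterable[dict]) -> dict:
    """Queries per client address, the usual first cut when hunting a flood."""
    return dict(Counter(rec['client'] for rec in records))


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG.splitlines())
    for rec in recs:
        print(rec['client'], rec['qname'], rec['qtype'], rec.get('view'))
    print(count_by_client(recs))
```

Anchoring every field by name rather than by position is the point: the pointer, the `(qname)` block and the `view` segment are all optional groups, so a line from either release yields the same record for downstream rules.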

RE: "chase DS servers" while setting up a Split-DNS-Server with

2017-02-14 Thread MURTARI, JOHN
Johannes, Noted your message below. I might suggest you check out the 'views' feature of BIND. You may find it a lot easier to setup/manage. Some starting info: https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html Best regards! John

RE: Re: Disabling rate-limit?

2016-08-16 Thread MURTARI, JOHN
Blr, We do run RRL on some of our servers, example option clause below that activates the feature. Two suggestions: 1. You mention you 'inherited' the server and looked at /etc/named.conf -- verify that it is not running chroot to another directory and using another config file (I

The DDOS attack on DYN & RRL ?

2016-10-31 Thread MURTARI, JOHN
Folks, God only knows, the DDOS hackers are probably on this list but I have to ask what protections DYN had in place before the attack occurred. RRL has been promoted as some protection against these types of attacks. If they had it in place, did it help or was the pure

Re: The DDOS attack on DYN & RRL ?

2016-11-01 Thread MURTARI, JOHN
Folks, Saw something in a previous posting that should be corrected: > The sticking point seems to be that most DNS providers don't allow zone > transfers from > their servers The customers of Dyn are in the same situation. Actually from personal experience just a few

RE: problem domains host in ns1/ns2.planetdomain.com (Eric Yiu)

2016-12-29 Thread MURTARI, JOHN
Eric, Thanks for the complete example below, but I'm not sure what you are trying to solve? It looks like the netregistry.net servers don't have zone data loaded even though they are supposed to be authoritative. Your best bet would be to contact them and point out it appears

RE: Tuning suggestions for high-core-count Linux servers

2017-05-31 Thread MURTARI, JOHN
Stuart, You didn't mention what OS you are using, I assume some version of Linux. What you are seeing may not be a BIND limit, but the OS. One thing we noted with Redhat is that the kernel just couldn't keep up with the inbound UDP packets (queue overflow). The kernel does keep a

Ending a TXT record with a backslash?

2017-05-30 Thread MURTARI, JOHN
Folks, Recently had an issue with someone who wanted this for a TXT record: murt2 IN TXT "path=\"; Now, not sure why they wanted it - maybe the root directory in Windows??? But anyway, BIND does not like it. zone example.com/IN: loading from master file
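Why BIND rejects that line: in RFC 1035 master-file syntax a backslash inside a quoted string escapes the character after it, so in `"path=\"` the backslash escapes the closing quote and the string never terminates. The value has to be written `"path=\\"`. The helper below is an added example, not code from the thread; it quotes a TXT value the way the zone-file loader expects (escaping `\` and `"`, and emitting `\DDD` for non-printable or non-ASCII bytes) and includes a small decoder that shows the original line failing for the reason above. The owner name `murt2` is the one from the post; everything else is constructed.

```python
"""Quote and unquote TXT <character-string> values for a BIND master file.

Added example (not from the original thread). In RFC 1035 master-file
syntax a backslash inside a quoted string escapes the next character, so
"path=\" leaves the closing quote escaped and the string unterminated;
the value the poster wanted has to be written "path=\\".
"""

import re

_DDD = re.compile(r'\\(\d{3})')


def quote_txt(value: str) -> str:
    """Return VALUE as a quoted master-file <character-string>.

    Backslash and double quote are escaped with a backslash; bytes outside
    printable ASCII are written as \\DDD decimal escapes (RFC 1035 5.1).
    """
    if len(value.encode('utf-8')) > 255:
        raise ValueError('a single TXT <character-string> is limited to 255 octets')
    out = []
    for ch in value:
        code = ord(ch)
        if ch in '\\"':
            out.append('\\' + ch)
        elif 0x20 <= code < 0x7F:
            out.append(ch)
        else:
            # Non-printable / non-ASCII: one \DDD escape per UTF-8 byte
            out.extend('\\%03d' % b for b in ch.encode('utf-8'))
    return '"' + ''.join(out) + '"'


def unquote_txt(quoted: str) -> str:
    """Parse one quoted <character-string>; raise if it is unterminated.

    Mirrors what the zone-file loader has to do, which is why a trailing
    single backslash ("path=\") is rejected: it consumes the closing quote.
    """
    if not quoted.startswith('"'):
        raise ValueError('expected opening quote')
    buf = bytearray()
    i = 1
    while i < len(quoted):
        ch = quoted[i]
        if ch == '"':
            return buf.decode('utf-8')
        if ch == '\\':
            m = _DDD.match(quoted, i)
            if m:
                n = int(m.group(1))
                if n > 255:
                    raise ValueError('\\DDD escape out of range')
                buf.append(n)
                i += 4
                continue
            if i + 1 >= len(quoted):
                break  # backslash with nothing after it: unterminated
            buf.extend(quoted[i + 1].encode('utf-8'))  # \X: literal X
            i += 2
            continue
        buf.extend(ch.encode('utf-8'))
        i += 1
    raise ValueError('unterminated <character-string>: %r' % quoted)


def txt_record(owner: str, value: str) -> str:
    """Build the zone-file line for a TXT record with VALUE correctly quoted."""
    return '%s IN TXT %s' % (owner, quote_txt(value))


if __name__ == '__main__':
    print(txt_record('murt2', 'path=\\'))   # the line that loads
    try:
        unquote_txt('"path=\\"')              # the line from the post
    except ValueError as exc:
        print('rejected:', exc)
```

Generate TXT rdata through `quote_txt` rather than by hand and the backslash case, the embedded-quote case and the 255-octet limit are all handled in one place.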

Unexpected change in notify log format?

2017-08-24 Thread MURTARI, JOHN
Folks, We'd had a discussion back in February (Bind query log format) about the perils of changes to the log formats. Just got bit by an earlier change used for logging notify messages. Had to run some regression tests. Looks like it occurred between 9.9.8

Secure Cert for lists web site expired?

2017-10-11 Thread MURTARI, JOHN
Folks, Was in the middle of reading some list articles and Firefox locked me out with the message below: Your connection is not secure The owner of lists.isc.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to

Proper use of keyid in allow-transfer

2017-12-07 Thread MURTARI, JOHN
Folks, Came across usage of a keyid as an address list in a allow-transfer option on a older server site. Didn't really know that was legal. It seemed an easier way to allow zone transfers without constantly updating a list of IP addresses on a master server. The only trouble

Using Ansible to manage bind installation/basic setup.

2021-05-17 Thread MURTARI, JOHN
Folks, Thinking of using Ansible to help with standardized bind installations & auto setup. Searched the list Archives/ISC website and didn't see much. Found a variety of Ansible roles/playbooks on Google, but nothing seemed to be the clear preferred favorite? Any recommendations are

Re: Contents of bind-users digest...

2021-07-06 Thread MURTARI, JOHN
Folks, let me add my desire for a quick download dig supporting DoH. It could really help with some testing, some ready stuff for Ubuntu 18/20, Redhat/CentOS, could make a lot of people happy. Maybe the libs included and we set the LD_LIBRARY_PATH, or a 'static' link? It only takes a 'few

Re: Contents of bind-users digest...

2021-07-06 Thread MURTARI, JOHN
ase do not feel obligated to reply outside your normal working hours. On 6. 7. 2021, at 14:44, MURTARI, JOHN wrote:  Folks, let me add my desire for a quick download dig supporting DoH. It could really help with some testing, some ready stuff for Ubuntu 18/20, Redhat/CentOS, could make

Re: Using Ansible to manage bind installation/basic setup.

2021-05-19 Thread MURTARI, JOHN
> Ansible's template module is what you'd probably use for #1, the service > module (with handlers) for #2, and #3 comes out of the box when you use > Ansible. > While you might find existing roles and playbooks on the internets, I would > strongly recommend to vet them carefully in a test