Problem looking up domain dryfire.com

2016-08-16 Thread Eivind Olsen

Hello.

I'm seeing some odd problems where BIND (9.10.4-P2) has issues resolving 
getsurfed.com. This is when using the "510 Software Group" BIND 9.10 for 
RHEL/CentOS/Fedora.


I can do manual lookups of the domain with "dig" and point it to their 
servers (dns0.getsurfed.com, dns1.getsurfed.com) but it fails for me if 
I go through my BIND installation.


The named.run log contains lines like this:

16-Aug-2016 10:48:40.693 lame-servers: info: 17 unexpected RCODE 
resolving 'dryfire.com/NS/IN': 213.162.97.178#53
16-Aug-2016 10:48:40.749 lame-servers: info: 17 unexpected RCODE 
resolving 'dryfire.com/NS/IN': 213.162.97.177#53


A search for "17 unexpected RCODE" seems to indicate this might be 
caused by incompatibility between SIT/DNS cookies and older versions of 
NSD. Is this also what's happening in my case here?


Regards
Eivind Olsen
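Added example (not part of the original post): a small Python triage script for "lame-servers" lines of the shape shown above. It accepts both the "<code> unexpected RCODE resolving" form from the post and the "unexpected RCODE (NAME) resolving" form BIND uses for named codes, then counts events per upstream server and RCODE so that the misbehaving servers stand out. The two lines from the post are used as input together with constructed lines (marked as such); the threshold is arbitrary.

```python
import re
from collections import Counter, defaultdict

# Two lines from the post (rejoined onto one line each) plus constructed lines:
# a second event from the same server, a REFUSED event in the "(NAME)" form, and an
# unrelated line that the parser must ignore.
SAMPLE_LINES = [
    "16-Aug-2016 10:48:40.693 lame-servers: info: 17 unexpected RCODE resolving 'dryfire.com/NS/IN': 213.162.97.178#53",
    "16-Aug-2016 10:48:40.749 lame-servers: info: 17 unexpected RCODE resolving 'dryfire.com/NS/IN': 213.162.97.177#53",
    "16-Aug-2016 10:49:01.120 lame-servers: info: 17 unexpected RCODE resolving 'dryfire.com/A/IN': 213.162.97.178#53",      # constructed
    "16-Aug-2016 10:49:05.001 lame-servers: info: unexpected RCODE (REFUSED) resolving 'example.net/NS/IN': 192.0.2.10#53",  # constructed
    "16-Aug-2016 10:49:06.000 general: info: zone example.org/IN: loaded serial 2016081601",                                  # constructed, ignored
]

# Either "<code> unexpected RCODE resolving" (numeric code, as in the post) or
# "unexpected RCODE (<NAME>) resolving" (named code), then the query tuple and the upstream server.
LAME_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: \w+: "
    r"(?:(?P<code>\S+) unexpected RCODE|unexpected RCODE \((?P<code2>[^)]+)\)) "
    r"resolving '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)$"
)


def parse_lame_line(line):
    """Return a dict for an unexpected-RCODE line, or None for anything else."""
    m = LAME_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    code, code2 = rec.pop("code"), rec.pop("code2")
    rec["rcode"] = code or code2
    return rec


def summarize(lines):
    """Count events per (server, rcode) and remember which names each server failed for."""
    per_server = Counter()
    names = defaultdict(set)
    for line in lines:
        rec = parse_lame_line(line)
        if rec is None:
            continue
        per_server[(rec["server"], rec["rcode"])] += 1
        names[rec["server"]].add(rec["qname"].lower())
    return per_server, names


def noisy_servers(per_server, threshold=2):
    """(server, rcode, count) for servers at or above the threshold, most frequent first."""
    return [(srv, code, n) for (srv, code), n in per_server.most_common() if n >= threshold]


if __name__ == "__main__":
    per_server, names = summarize(SAMPLE_LINES)
    for srv, code, n in noisy_servers(per_server):
        print("%s returned RCODE %s %d times for %s" % (srv, code, n, ", ".join(sorted(names[srv]))))
```

Feeding a whole day of named.run through summarize() and sorting by count is usually enough to tell a single broken upstream from a resolver-side problem: one server with many events for many names points at that server, many servers with one event each points closer to home.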
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Cacti Template for graphing BIND9.8 queries stats

2013-11-13 Thread Eivind Olsen
Sherif Magdy wrote:

 Can any one help with a template for graphing BIND9.8 queries stats using 
 Cacti? 
 Or any other way to graph the queries stats and response time and so on

Hello. Sorry for replying so late. I'd suggest looking at 
http://www.l3jane.net/wiki/factory:b9agent_en to expose counters from BIND 
through SNMP, which you can then easily get into Cacti.

Regards
Eivind Olsen



Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-05 Thread Eivind Olsen
Mark Andrews wrote:

 SunOS 5.8 is ancient (12+ years old) and no longer supported by Oracle.
 I can't remember which version of BIND 8, SunOS 5.8 shipped with
 but it wasn't a recent version at the time.

Not that it really matters much, but I thought I'd check some old Solaris
8 installation I still have access to - the BIND bundled on that one was
8.2.4.

Regards
Eivind Olsen




What can cause excessive amount of _dns-sd queries?

2012-08-23 Thread Eivind Olsen
Hello.

I haven't seen this before.. I'm currently seeing someone (1 ip address)
do about 2.1 million queries / hour where a majority of the queries seem
to be:

b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
talk.l.google.com IN A +
gmail-pop.l.google.com IN A +
gmail-imap.l.google.com IN A +

...and similar variations of these.

Have any of you seen something like this before?

Regards
Eivind Olsen
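Added example, not from the original thread: Python detection logic that profiles clients from BIND query-log lines (the "client IP#port: query: NAME IN TYPE +" format of the 9.8/9.9 era is assumed here) and flags a source that exceeds a per-hour query rate or whose queries are mostly _dns-sd._udp service-discovery names like the ones listed above. The log lines are constructed from the names in the post; the thresholds and the 192.0.2.x addresses are placeholders.

```python
import re
from datetime import datetime

# Query names from the post; PTR for the _dns-sd names, A for the Google names.
NAMES = [
    ("b._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    ("db._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    ("r._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    ("talk.l.google.com", "A"),
    ("gmail-pop.l.google.com", "A"),
    ("gmail-imap.l.google.com", "A"),
]

# Assumed BIND query-log shape (querylog yes; category queries); 192.0.2.53 stands for the listening address.
LOG_FMT = "%s queries: info: client %s#%d: query: %s IN %s + (192.0.2.53)"


def constructed_log():
    """Constructed lines: one client cycling through NAMES 30 times within a second,
    and one ordinary client with two queries half a minute apart."""
    lines = []
    for i in range(30):
        name, qtype = NAMES[i % len(NAMES)]
        stamp = "23-Aug-2012 09:00:00.%03d" % (i * 30)
        lines.append(LOG_FMT % (stamp, "192.0.2.77", 40000 + i, name, qtype))
    lines.append(LOG_FMT % ("23-Aug-2012 09:00:00.400", "192.0.2.5", 53001, "www.example.com", "A"))
    lines.append(LOG_FMT % ("23-Aug-2012 09:00:30.400", "192.0.2.5", 53002, "www.example.com", "AAAA"))
    return lines


QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: \w+: "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
DNSSD_RE = re.compile(r"(^|\.)_dns-sd\._udp\.", re.IGNORECASE)


def parse_query_line(line):
    """Timestamp, client address, name and type from one query-log line; None if it is not one."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
            "client": m.group("client"), "qname": m.group("qname"), "qtype": m.group("qtype")}


def profile_clients(lines):
    """Per source address: total queries, _dns-sd queries, and the first/last timestamp seen."""
    profiles = {}
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        p = profiles.setdefault(rec["client"], {"total": 0, "dnssd": 0, "first": rec["ts"], "last": rec["ts"]})
        p["total"] += 1
        if DNSSD_RE.search(rec["qname"]):
            p["dnssd"] += 1
        p["first"] = min(p["first"], rec["ts"])
        p["last"] = max(p["last"], rec["ts"])
    return profiles


def rate_per_hour(p):
    """Queries per hour over the observed span (at least one second, so a burst is not divided by zero)."""
    span = max((p["last"] - p["first"]).total_seconds(), 1.0)
    return p["total"] * 3600.0 / span


def flag_clients(profiles, max_per_hour=100000, dnssd_share=0.5, min_queries=10):
    """Clients that exceed the hourly rate or whose queries are mostly service-discovery lookups."""
    flagged = []
    for client, p in sorted(profiles.items()):
        reasons = []
        if rate_per_hour(p) > max_per_hour:
            reasons.append("rate")
        if p["total"] >= min_queries and p["dnssd"] / p["total"] >= dnssd_share:
            reasons.append("dns-sd")
        if reasons:
            flagged.append((client, reasons))
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_clients(profile_clients(constructed_log())):
        print(client, ",".join(reasons))
```

The "dns-sd" reason is the interesting one for the situation in the post: a client whose traffic is dominated by _dns-sd._udp PTR lookups for its own reverse zone is doing unicast DNS-SD discovery against the resolver, which is a client misconfiguration to raise with its owner rather than a resolver problem.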




Re: What can cause excessive amount of _dns-sd queries?

2012-08-23 Thread Eivind Olsen
Torsten Segner wrote:

 these seem to be DNS Service Discovery requests and yes, we see loads of
 them on our servers.

Yeah, now I'm just wondering which OS / application / malware / whatever
could be responsible for this :)

(no, the client isn't directly under my control, it belongs to some customer)

Regards
Eivind Olsen




Re: Can't receive emails from another machine

2012-08-03 Thread Eivind Olsen
Stayvoid wrote:

 Is it connected with my zone file settings (which are specified on the
 side of my registrar) or with BIND?

Hard to tell, I don't think you've told us the name of the domain..?
Give the name, and it should be much easier to figure out what's going on.

Regards
Eivind Olsen




Re: RHEL, Centos, Fedora rpm vs ISC bind versions

2012-07-15 Thread Eivind Olsen
On 15 July 2012 at 16:57, Benny Pedersen m...@junc.org wrote:

 change to gentoo/funtoo ?

Some might prefer to run the same Linux distribution on all their servers; 
changing to something like Gentoo just to get BIND running seems a bit overkill.

Regards
Eivind Olsen



Re: Operation Cancelled Error

2012-07-12 Thread Eivind Olsen
On 12 July 2012 at 01:49, Ben benjo11...@gmail.com wrote:

 If someone can share his experience with it: what is the maximum QPS handled by 
 bind? That would be good to understand more.

Well, it depends.

If you test with a freshly restarted BIND (nothing cached yet), and ask for 
only external data, you will get one result and be at the mercy of the external 
nameservers.

You will probably get the highest result if you only ask for pre-cached 
answers, in which case reaching 100k qps (and higher) on a single server should 
be easy (with some not-too-old hardware).

Regards
Eivind Olsen



Re: Bind configuration

2012-05-21 Thread Eivind Olsen
Use the full zone name in the zone definition.

zone cairosource 

Regards
Eivind Olsen

On 21 May 2012 at 16:33, Amira Othman a.oth...@cairosource.com wrote:

 Hi all 
 
 I have configured bind9 on centos 5.8 but I still can't nslookup my domain.
 Below is my configuration:
 
 
 Named.conf
 
 key rndckey {
algorithm   hmac-md5;
secret
 jQdcyY1HIkooWVB24Dr4uX5jrVcuZFNEJaGa9Q5e3otOjSrcMVGOwhACivlX;
 };
 options {
 directory /var/named;
 pid-file /var/run/named/named.pid;
 zone cairosource {
type master;
notify no;
file cairosource.zone;
 };
 
 Zone file
 
 ; BIND db file for cairosource.com
 
 $TTL 86400
 
 @   IN  SOA nameserverof domain. mail account. (
2012051810
28800
7200
864000
86400 )
 
NS  ns1
 localhost A  127.0.0.1
 ns1   A  server local ip
 mydomainname   A   server external ip
 
 Any help please?
 


Re: erros in logs

2012-05-11 Thread Eivind Olsen
Ben wrote:

 Hi,

 Currently we are using an IPv4 network for our customers and all. By the way, we
 do not block any IPv6, so why do we get IPv6 resolution as network
 unreachable in logs?

BIND believes your OS has IPv6 and tries to use it.

One option for disabling use of IPv6 in BIND is to tell BIND that it
shouldn't even try to use IPv6 (start the named command with option
-4).

If you're using for example RHEL / CentOS with the vendor-provided RPMs,
you can do this by editing /etc/sysconfig/named and adding/editing this
line:

OPTIONS=-4

Regards
Eivind Olsen




Re: bind caching dns

2012-05-09 Thread Eivind Olsen
Matthew Seaman wrote:

 Not to my knowledge.  It should be possible to write an agentx plugin
 that translates from the XML data provided natively, but you'll have to
 write your own MIBs since the standard one from RFC1612 seems to have
 received little development since.  Indeed RFC3197
 (https://www.ietf.org/rfc/rfc3197.txt) tells a cautionary tale.

I've been using a net-snmp subagent called B9Agent, with good success.
It doesn't parse the XML statistics data but uses the statistics-file
instead. For more details, see
http://www.l3jane.net/wiki/factory%3Ab9agent_en

Regards
Eivind Olsen




Re: Can I build a new DNS/BIND system parallel to our existing DNS production system?

2012-05-03 Thread Eivind Olsen
Samad Agha wrote:

 1- Is it possible to treat the entire environment as brand new, start
 building a couple of Linux name servers running the latest and greatest
 BIND S/W, start populating it in parallel with our current production
 system, and once the new system is completely up and running, turn off the
 two Sun-Fire-V210s.

Absolutely! Since you're currently running BIND 8, I don't expect you to
be using many advanced features, and hopefully you have a fairly standard
configuration.

 2- If step#1 is possible, as a minimum (H/W, S/W) what do I need for a
 complete DNS/BIND system satisfying all the city's DNS needs
 (internal/external resolutions).

Depends, how long is a piece of string? I don't know what amount of
traffic you're currently seeing, or what your uptime requirements are.

 Any architectural/implementation/best practices advice would be highly
 appreciated.

Estimate what amount of traffic you're seeing during prime time. How many
queries per second?

I'd normally not recommend running BIND on slower multi-threaded
Sun/Oracle servers like the T-series, you'll normally be better off with
fewer threads but higher clock speeds from typical Intel/AMD systems.
(caveat: I haven't benchmarked BIND 9.9.x, which might have improved
this).

Regards
Eivind Olsen




Re: Update

2012-04-13 Thread Eivind Olsen
 [root@localhost ~]# dig @10.0.193.14 esa-server.3rc.local

 ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> @10.0.193.14
 esa-server.3rc.local
 ; (1 server found)
 ;; global options:  printcmd
 ;; connection timed out; no servers could be reached
 [root@localhost ~]#

Is there a local host firewall (iptables?) running on the DNS server? And
if so, is tcp and udp port 53 open?

Regards
Eivind Olsen




Multithreaded BIND 9.9.0 on Linux - I'm confused

2012-04-11 Thread Eivind Olsen
I've read
https://kb.isc.org/article/AA-00629/109/Performance%3A-Multi-threaded-I-O.html
but I'm somewhat confused. Perhaps this is mainly hypothetical, of academic
interest, etc.

If I understand that article correctly, each listen-on line gets its own
pool of listener and worker tasks, so a 4-core machine will have 4
listener tasks, delivering to 4 worker tasks. But I don't understand how
this relates to the number of listen-on lines.

On a live server (running RHEL6, and BIND 9.9.0), rndc status tells me I
get:
CPUs found: 12
worker threads: 12
UDP listeners per interface: 12

That server has 9 network interfaces (4 physical, 1 loopback, and 4
alias-interfaces). And one listen-on line (listen-on port 53 { any; };).
Does this mean 12 listeners * 9 interfaces = 108 listener threads + 12
common worker-threads? And if I were to have two listen-on lines instead
of 1, I'd double the amount of threads?

Will there be any real world advantage (or disadvantage) to specifying for
example a couple of specific listen-on statements instead of using the
listen-on any?

Regards
Eivind Olsen




Re: BIND 9.9.0 assertion failure

2012-03-14 Thread Eivind Olsen
 In BIND 9.9.0(CentOS 4.6)
 
 Mar  9 06:58:51 X named[17533]: general: critical: client.c:318:
 INSIST(client->newstate <= 3) failed, back trace

This looks like a crash I just had here, BIND 9.9.0, on RHEL 6.2 (64 bit).

14-Mar-2012 10:16:22.348 general: critical: client.c:318:
INSIST(client->newstate <= 3) failed, back trace
14-Mar-2012 10:16:22.348 general: critical: #0 0x7f0e5e702f8f in ??
14-Mar-2012 10:16:22.348 general: critical: #1 0x7f0e5d0b0a8a in ??
14-Mar-2012 10:16:22.348 general: critical: #2 0x7f0e5e6f7b23 in ??
14-Mar-2012 10:16:22.348 general: critical: #3 0x7f0e5e70e05a in ??
14-Mar-2012 10:16:22.348 general: critical: #4 0x7f0e5e714cb7 in ??
14-Mar-2012 10:16:22.348 general: critical: #5 0x7f0e5d0cf1dd in ??
14-Mar-2012 10:16:22.348 general: critical: #6 0x7f0e5ca857f1 in ??
14-Mar-2012 10:16:22.348 general: critical: #7 0x7f0e5bfd792d in ??
14-Mar-2012 10:16:22.348 general: critical: exiting (due to assertion
failure)

BIND had then been running since Mar 12 09:20:46 CET. It's a recursive
server, with somewhat high traffic (not enough to strain it, the load is
normally around 0.02 or thereabout).

Regards
Eivind Olsen




Re: One IP in multiple zones

2011-09-21 Thread Eivind Olsen
Adamiec, Lawrence wrote:

 Is it possible to have one IP in multiple zone files for forward
 lookups?  What type of troubles would be encountered?

Like, having www.example.com and ftp.example.org point to the same IP
address?

Yes, there's nothing weird about it.

Regards
Eivind Olsen




Re: Bind DNS Need help with name resolution...

2011-08-21 Thread Eivind Olsen
sachin k wrote:

 Can someone please help me understand why this is not working?

A few suggestions:

- try looking up names with dig instead of nslookup
- do a tcpdump while testing, to see where packets are going, and whether
you get anything back at all.

Regards
Eivind Olsen
eiv...@aminor.no



Re: rankstel.net (was: SPF implementation schedule.)

2011-07-12 Thread Eivind Olsen
Mahmud wrote:

 I have run into a problem with my DNS server. Sometimes, some specific
 domains can't resolve. From the log report (/var/log/messages) I have given the log
 for that.
 Jul 12 11:17:44 ns1 named[14948]: client 178.33.222.134#38772: query
 (cache) 'rankstel.net/MX/IN' denied
 Jul 12 11:17:45 ns1 named[14948]: client 212.204.41.82#44529: query
 (cache) 'rankstel.net/MX/IN' denied
 Jul 12 11:17:48 ns1 named[14948]: client 212.204.41.82#64402: query
 (cache) 'rankstel.net/MX/IN' denied
 Jul 12 11:17:49 ns1 named[14948]: client 69.73.138.12#55591: query (cache)
 'era.com.bd/MX/IN' denied

I only looked into rankstel.net, since it was listed 3 times above.

The domain rankstel.net is delegated to ns1.ranksitt.net (202.40.176.12)
and ns1.rankstel.net (202.72.233.7), but neither of them are working:
ns1.ranksitt.net is giving return code REFUSED when I ask it for the NS
records to rankstel.net, and ns1.rankstel.net just isn't giving any answer
back (timeout). Whoever owns those nameservers should probably consider
fixing them.

PS! Don't just reply to a previous email when you write about something
unrelated - it messes up the topic, threading etc.

Regards
Eivind Olsen
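Added example, not part of the post: the delegation check described above, done in Python with nothing but the standard library. It builds a wire-format NS query for the zone, sends it to each delegated nameserver, and maps the outcome to a verdict: an RCODE name such as REFUSED (the ns1.ranksitt.net case), "timeout" (the ns1.rankstel.net case), or "ok" when the server answers authoritatively. The response parser is exercised offline with constructed packets; the example.net names and TEST-NET addresses at the bottom are placeholders to be replaced with the NS records the parent zone publishes.

```python
import random
import socket
import struct

TYPE_NS = 2
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels: 'rankstel.net' -> b'\\x08rankstel\\x03net\\x00'."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, txid, qtype=TYPE_NS):
    """Wire-format query with RD=0: we want the server's own view of the zone, not a recursive lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def classify_response(raw, expected_id):
    """Map a raw response to 'ok', 'non-authoritative', 'no-answer' or an RCODE name."""
    if len(raw) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", raw[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch (%#x != %#x)" % (txid, expected_id))
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    if ancount == 0:
        return "no-answer"              # NOERROR but no NS records: the server does not serve this zone
    return "ok" if flags & 0x0400 else "non-authoritative"   # 0x0400 is the AA bit


def make_response(txid, flags, ancount, name="example.net"):
    """Constructed response (header + question only), enough for classify_response to judge offline."""
    return (struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
            + encode_name(name) + struct.pack("!HH", TYPE_NS, CLASS_IN))


def probe(server_ip, zone, timeout=3.0):
    """Send one NS query over UDP and classify the outcome; 'timeout' is the silent-server case."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(zone, txid), (server_ip, 53))
        raw, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify_response(raw, txid)


if __name__ == "__main__":
    # Placeholder delegation (TEST-NET addresses); use the NS names and glue from the parent zone.
    for ns_name, ip in (("ns1.example.net", "192.0.2.1"), ("ns2.example.net", "198.51.100.1")):
        print(ns_name, ip, probe(ip, "example.net"))
```

Anything other than "ok" from every listed nameserver is what makes a resolver log the "query (cache) ... denied" lines in the quoted report: the resolver tries each delegated server in turn and, when none of them gives an authoritative answer, has nothing to return to the client.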




Re: SPF implementation schedule.

2011-07-11 Thread Eivind Olsen
kalpesh varyani wrote:

 Does ISC implement SPF for server or client side currently?
 If yes, then where to get the libraries; if not then what is the
 scheduled date/release for implementation?

I'm not ISC, and anything I say may be completely wrong. Ok, that's the
disclaimer done with...

BIND support for SPF extends as far as being allowed to put SPF records
into zones. As far as I know BIND does not have any libraries or functions
to actually make much sense of the content of SPF records, which is what
I'm guessing you're really looking for.
Perhaps something like libspf (http://www.libspf2.org) is what you want?

Regards
Eivind Olsen




Re: Clients get DNS timeouts because ipv6 means more queries for each lookup

2011-07-11 Thread Eivind Olsen
Jonathan Kamens wrote:

 I said above that the problem is exacerbated by the fact that many DNS
 servers don't yet support IPV6 queries. This is because the  queries
 don't get NXDOMAIN responses, which would be cached, but rather FORMERR
 responses, which are not cached. As a result, the scenario describes
 above happens much more frequently because the DNS server has to redo
 the  queries often.

I think the main issue here is - why is your nameserver thinking it has
IPv6 connectivity?
If you don't have working IPv6 connectivity, do one / both of these:

1) Disable or at least configure IPv6 properly on your server
2) Tell BIND to not use IPv6 transport, typically by starting named with
the command line option -4. How to do that depends on your operating
system / distribution / packaging system etc.

Regards
Eivind Olsen




Re: DDNS propagation between views

2011-07-08 Thread Eivind Olsen
Joseph L. Casale wrote:

 Are there any tunable's to speed up the propagation of dynamic updates
 between views without manually freezing and thawing the zone?

Hm, are you using the same zonefile for both your versions of the zone,
trying to share it between multiple views? If you are - don't. Views are
an abomination, giving people plenty of rope to hang themselves with AND
plenty of chances to shoot themselves in the feet :D

(Yes, I'll admit, views do have their use, but it seems like more often
than not they end up confusing people)

Think of views as having two separate nameservers. I know it's not
_really_ like that, but it helps to think of it that way. Both load their
version of the zonefile into memory at startup, and even if the zone is
updated in one of the views, the other view won't know until being _told_
about it. When you do a freeze/thaw you're pretty much telling one of your
views "There, I _might_ have changed the contents of your zonefile, so now
you'll need to check it again."

Regards
Eivind Olsen




Re: update bind

2011-07-06 Thread Eivind Olsen
saravanan subramani wrote:

 Can I upgrade our existing version 9.5 to 9.8 directly or do I have to do
 multiple updates.

You shouldn't need to do intermediate / multiple updates, no. You might
need to go quickly over your named.conf, zonefiles etc., to make sure they
still work with the new version - just in case (I don't know your setup,
whether you use anything odd like the DLZ and so on).

Regards
Eivind Olsen




Re: better performance with 32 bit ! why?

2011-06-29 Thread Eivind Olsen
iharrathi@orange-ftgroup.com wrote:

 The 64 bit server(server1) is faster than the 32 bit server (server2).

Really? I thought you said the 64 bit server had a CPU with 1.6GHz cores,
and the 32 bit server had 2.33GHz cores?

Regards
Eivind Olsen




Re: better performance with 32 bit ! why?

2011-06-29 Thread Eivind Olsen
Issam Harrathi wrote:

 On server1 (64 bit) I have 2 Intel E5310 quad-core 1.6GHz and on server2 (32
 bit) I have 2 Intel Xeon dual-core 2.33GHz.
 That means 8*1.6 GHz on server1 and 4*2.33 on server2.
 8*1.6 is better and faster than 4*2.33, no?

You can only do maths like that if you assume that everything is
multithreaded _and_ capable of spreading to multiple cores without any
overhead.

I've mentioned earlier that for example BIND only scales up to about 4
threads. Based on this, your maths example would be (kind of simplified):

64 bit vs 32 bit:
4*1.6GHz vs 4*2.33GHz

Also, you mentioned using tcpreplay, which is also apparently
single-threaded, making the comparison like this:

1*1.6GHz vs 1*2.33GHz.

Regards
Eivind Olsen




Re: better performance with 32 bit ! why?

2011-06-29 Thread Eivind Olsen
Michael Graff wrote:

 We hope to improve this in 9.9 or at the latest 9.10, and have something
 that can saturate all CPUs.  And no, we're not cracking RSA keys on the
 extra CPUs just to keep them busy!

Pre-populating a small /56 IPv6 prefix with PTRs? :-)

I'm looking forward to what you're planning for 9.something - I still have
more cores I could in theory gain some speed from.

Regards
Eivind Olsen




Re: better performance with 32 bit ! why?

2011-06-28 Thread Eivind Olsen
iharrathi@orange-ftgroup.com wrote:

 Is it normal that bind when compiled and installed on a 32 bit server has
 better performance than bind when compiled and installed on a 64 bit
 server?
 The only difference between the two servers is 64 bit vs 32 bit (same RAM,
 same disk, same NIC, ...) and the CPU is better on the 64 bit (2 Intel E5310
 quad-core 1.6GHz) than the 32 bit (2 Intel Xeon dual-core 2.33GHz).

I'll admit I haven't really done any proper benchmarking of BIND on 32 vs
64 bit systems. I have done some benchmarking before though.
You're doing the exact same queries, asking for local / locally cached
data? Just so I know that you're _really_ comparing apples to apples. The
systems are configured exactly the same, also with regards to which other
services might be running there, SELinux settings, iptables etc?

In my experience: yes BIND9 is multithreaded, but there seems to be very
little (if any) gain from letting it use more than 4 CPU cores / threads,
meaning the 32 bit 2.33GHz CPU might actually win out purely based on the
higher clock frequency.

Also, you mentioned you were seeing a similar picture when using tcpreplay
- as far as I know tcpreplay is single-threaded - which also suggests the
reason it might win out on the 32 bit system is again due to the clock
frequency.

Regards
Eivind Olsen




Re: Error when start named

2011-06-26 Thread Eivind Olsen
Rodrigo Faria Tavares wrote:

 [root@centos ~]# grep 4 /etc/sysconfig/named
 #OPTIONS =-4

Looks like you have commented out that line. Remove the # character there,
if you want to really disable IPv6 in BIND.

Regards
Eivind Olsen




Re: Error when start named

2011-06-25 Thread Eivind Olsen
Rodrigo Faria Tavares wrote:

 Error in named configuration:
 /etc/named.rfc1912.zones:10: zone '.': already exists previous
 definition: /etc/named.conf:35
 How can I resolve it?

By fixing your configuration. The error message seems clear enough, so
check what you have in /etc/named.rfc1912.zones around line 10, and in
/etc/named.conf around line 35. The error message suggests you have
defined the root zone "." twice.

Regards
Eivind Olsen




Re: How to Setup a Name Servers visible on Internet?

2011-06-21 Thread Eivind Olsen
Metropolitan College Eric Kom wrote:

(...using normal text now, and not the HTML thingie which was messed up in
Squirrelmail here - so I'll bother reading your postings now :-)

I'll admit I am a bit confused about what your current setup actually is.
Having taken a couple of quick looks at your previous postings it looks
like you have had a bit of a mix with filenames, views etc.

I wonder, perhaps it would be easier to make sense of your setup if you
could put your named.conf + any other relevant files (included files,
zonefiles etc..) available for download on some website or FTP or
something?

Regards
Eivind Olsen




Re: How to Setup a Name Servers visible on Internet?

2011-06-21 Thread Eivind Olsen
Metropolitan College Eric Kom wrote:

 I was confusing perhaps!
 So there's no way to check the reverse?

Sure there is. But the reverse zone is called 194.134.41.in-addr.arpa, and
it's using a file of the same name:

named-checkzone 194.134.41.in-addr.arpa 194.134.41.in-addr.arpa

 Please can you try to ping ns[1-2].metropolitanbuntu.co.za from your
 side to see if the DNS is responding?

I can't look up that name. It looks like it might not be properly
delegated to your nameservers... When I check towards coza1.dnsnode.net
for example, I'm told that metropolitanbuntu.co.za is handled by
ns1.serve-hosting.net and ns1.serve-hosting.net - according to those two
servers, the hostnames ns1 or ns2.metropolitanbuntu.co.za don't exist:

Eivind-mac:~ eivind$ dig any ns1.metropolitanbuntu.co.za.
@ns2.serve-hosting.net

; <<>> DiG 9.6.0-APPLE-P2 <<>> any ns1.metropolitanbuntu.co.za.
@ns2.serve-hosting.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64015
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.metropolitanbuntu.co.za.   IN  ANY

;; AUTHORITY SECTION:
metropolitanbuntu.co.za. 86400  IN  SOA ns1.serve-hosting.net.
root.serve-hosting.net. 2010112701 86400 7200 360 86400

;; Query time: 139 msec
;; SERVER: 207.210.84.235#53(207.210.84.235)
;; WHEN: Tue Jun 21 19:15:21 2011
;; MSG SIZE  rcvd: 107

Eivind-mac:~ eivind$



Regards
Eivind Olsen




Re: forward name resolution OK, but reverse doesn't work ...

2011-06-17 Thread Eivind Olsen
Thomas Schweikle wrote:

 But not reverse:
 !user@ks1:~$ host 74.125.79.99
 !Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)

...

 !zone in-addr.arpa {
 !  type slave;
 !  file /var/cache/named/root/in-addr.arpa.slave;
 !  masters { 192.5.5.241; };
 !  notify no;
 !};

You seem to have set up slaving of the in-addr.arpa from 192.5.5.241
(f.root-servers.net), but that's not one of the authoritative servers for
in-addr.arpa.

Remove the slaving of in-addr.arpa from your configuration. Or check if
it's possible / allowed to slave it from any of the 6 in-addr.arpa
nameservers: [a-f].in-addr-servers.arpa

I'm guessing your logs also have entries about being unable to do zone
transfers of in-addr.arpa.

Regards
Eivind Olsen




Re: tell BIND the nameservers have been changed

2011-06-15 Thread Eivind Olsen
 I changed ns[1-2].myzone.com to new IPs in myzone.com's DNS, then how to
 let BIND for example.com to know the NS has been changed?

Since you have decided to not use the real names I can't give specific
advice.

I do wonder if you might have forgotten to also update the glue records;
if ns[1-2].myzone.com are registered as nameservers and have their own
glue records, you should make sure those are updated to the new IP
addresses as well.

Regards
Eivind Olsen




Re: bind 9 performance

2011-06-15 Thread Eivind Olsen
abushla...@ies.etisalat.ae wrote:

 What about zone configuration in BIND 8 and BIND 9? Is there any
 difference between the two ?

Do you mean the zone configuration in named.conf, or the zonefiles?

BIND9 has a doc/misc/migration document which gives plenty of good advice
on configuration changes from BIND8 to BIND9.

In general, what I'd recommend is:

1) Read that migration document
2) Test your existing named.conf + zonefiles by either loading them into
BIND9 directly, or by using the named-checkconf / named-checkzone commands
from BIND9.
3) Watch your logs

Regards
Eivind Olsen
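Added example (not part of this post or of the earlier "Error when start named" reply): a Python audit of named.conf zone statements that follows include statements in order, records where each zone is defined, flags duplicates the way named-checkconf reports them ("zone '.': already exists previous definition: FILE:LINE"), and produces the named-checkzone commands for the primary zones, which is step 2 above. The two configuration files are constructed for the example; a real run would read them from disk. It assumes a single view and the default IN class.

```python
import os
import re

# Constructed pair of files: the main named.conf pulls in an include that redefines the
# root hint zone, the situation behind "zone '.': already exists previous definition: ...".
SAMPLE_FILES = {
    "/etc/named.conf": (
        'options {\n'
        '    directory "/var/named";\n'
        '    listen-on port 53 { any; };\n'
        '};\n'
        'zone "." IN {\n'
        '    type hint;\n'
        '    file "named.ca";\n'
        '};\n'
        'zone "example.com" {\n'
        '    type master;\n'
        '    file "example.com.zone";\n'
        '    allow-transfer { 192.0.2.2; }; /* nested braces */\n'
        '};\n'
        'include "/etc/named.rfc1912.zones";\n'
    ),
    "/etc/named.rfc1912.zones": (
        '// zones for RFC 1912 names\n'
        'zone "localhost" IN {\n'
        '    type master;\n'
        '    file "named.localhost";\n'
        '};\n'
        'zone "." IN {  # duplicate of the hint zone in named.conf\n'
        '    type hint;\n'
        '    file "named.ca";\n'
        '};\n'
    ),
}

STMT_RE = re.compile(r'\b(zone|include)\s+"([^"]+)"')


def strip_comments(text):
    """Blank out /* */, // and # comments while keeping every newline, so line numbers stay valid."""
    text = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def matching_brace(text, start):
    """Index of the '}' closing the '{' at `start`, allowing nested option blocks inside the zone."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces after offset %d" % start)


def audit(files, entry="/etc/named.conf"):
    """Every zone statement in include order, plus duplicate-definition findings."""
    zones, findings, first_seen = [], [], {}
    dir_m = re.search(r'\bdirectory\s+"([^"]+)"', strip_comments(files[entry]))
    directory = dir_m.group(1) if dir_m else "."     # relative zone files live under options { directory }

    def walk(path):
        text = strip_comments(files[path])
        pos = 0
        while True:
            m = STMT_RE.search(text, pos)
            if not m:
                return
            line = text.count("\n", 0, m.start()) + 1
            if m.group(1) == "include":
                walk(m.group(2))
                pos = m.end()
                continue
            name = m.group(2).lower().rstrip(".") or "."
            open_idx = text.index("{", m.end())
            close_idx = matching_brace(text, open_idx)
            body = text[open_idx + 1:close_idx]
            ztype = re.search(r"\btype\s+(\w+)", body)
            zfile = re.search(r'\bfile\s+"([^"]+)"', body)
            zones.append({"name": name, "path": path, "line": line,
                          "type": ztype.group(1).lower() if ztype else None,
                          "file": os.path.join(directory, zfile.group(1)) if zfile else None})
            if name in first_seen:
                findings.append("%s:%d: zone '%s': already exists previous definition: %s:%d"
                                % (path, line, name, first_seen[name][0], first_seen[name][1]))
            else:
                first_seen[name] = (path, line)
            pos = close_idx + 1

    walk(entry)
    return zones, findings


def checkzone_commands(zones):
    """named-checkzone invocations for the primary (type master) zones that have a file."""
    return ["named-checkzone %s %s" % (z["name"], z["file"])
            for z in zones if z["type"] == "master" and z["file"]]


if __name__ == "__main__":
    zones, findings = audit(SAMPLE_FILES)
    for f in findings:
        print(f)
    for cmd in checkzone_commands(zones):
        print(cmd)
```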




RE: bind 9 performance

2011-06-15 Thread Eivind Olsen
hugo hugoo wrote:

 Is there anything I have to look at to check that all is OK in terms of
 performance when I will be in BIND9?

Well, you haven't really given any information about your current setup
and usage, so I have no idea if you're trying to run a million-user ISP
with DNS on an old Intel 486 processor with 8MB RAM :-)

In general, if you want good performance, generally without really having
to tune your operating system etc, the easy answer is: make sure BIND has
enough physical memory available for its cache, and run it on a system
with 4 CPU cores available (BIND9 doesn't really seem to scale much past 4
cores).

If you're really concerned about performance: run benchmarks. Two
interesting things to measure are number of queries per second, and
response time/latency. Keep in mind what you're measuring as well - if you
query from the same server and ask for information available in the cache,
you're just doing a local test. A real life query might very well make
your nameserver ask several external servers, which takes time no matter
what you do.

External factors can and will impact your benchmarking. Know what you're
actually benchmarking.
One example: I was doing some benchmarking a while ago, and was confused
as to why I could only get something like 3500 responses per second from a
server when I asked it to give some 3Kbyte answers back - which was
actually a very nice number, considering I did the testing on a 100Mbps
network link and managed to fill it to just over 97% of maximum
theoretical limit.

Please provide more information if you want a more accurate answer.

1) Which role does your BIND server have? Authoritative server only?
Recursive server only? Mix of both?

2) Is it a plain setup, or do you do anything fancy, like feeding BIND
from a database backend?

3) Please describe the server you're running BIND on. Is it single-core
CPU or multi-core? How much physical memory does it have? Does it
basically just run BIND, or does BIND have to compete with a ton of
other services for resources?

4) What kind of use does your nameserver see? Number of users? Queries per
second? If you don't know - dump statistics during prime time for your
users and check - you should ideally be able to extract some statistics
from BIND8 by running ndc stats and then looking into named.stats
wherever your nameserver has its working directory. If you found the file
- wait a while, run the command again to dump another set of statistics -
you should now have some numbers available in that file and can now
calculate how many queries you have per second on average.

Regards
Eivind Olsen


Re: why bind unable to find log files

2011-06-13 Thread Eivind Olsen
kshitij mali wrote:

> Jun 13 11:00:23 relay named[14508]: logging channel 'resolver_file' file
> '/var/log/resolver.log': permission denied
> Jun 13 11:00:23 relay kernel: audit(1307943023.256:7): avc:  denied  {
> append } for  pid=14511 comm=named name=resolver.log dev=cciss/c0d0p2
> ino=1391030 scontext=root:system_r:named_t
> tcontext=root:object_r:named_conf_t tclass=file

Ah. It looks like you have SELinux enabled. SELinux, like so many other
tools, gives you plenty of opportunities to run into problems when used
incorrectly or when not fully understood.

Here are your main options - you'll have to decide for yourself which ones
are ok for you. Perhaps you have some local policy that requires you to
run SELinux, for example..?

1) You can disable SELinux completely
2) You can run SELinux in permissive mode. It won't block anything then,
but it will fill your logs telling you it could have blocked something.
3) You could work within the limits of your local SELinux policies, put
the logfile into a directory allowed by the SELinux policy etc.
4) You could change your local SELinux policy settings to allow BIND to
write to your logfile in that specific directory.

The short version of this: learn how to use SELinux if you are going to
have it enabled, otherwise you might as well disable it...?

Regards
Eivind Olsen


Re: DNS Trouble

2011-06-12 Thread Eivind Olsen

On 12 June 2011 at 22:00, Rodrigo Faria Tavares wrote:

> wwww IN CNAME redefariat.com.

...
> I try to use ping www.redefariat.com
> 
> [root@centos named]# ping www.redefariat.com
> ping: unknown host www.redefariat.com

It looks like you have defined the name "wwww" in your zonefile - that is 4 w's 
and not just the 3 you try to ping.

Regards
Eivind Olsen

Re: primary and secondary running different versions

2011-06-11 Thread Eivind Olsen
Timo Veith wrote:

> will there arise any problems between primary and secondary if they
> run on different bind versions?

In general no, I wouldn't expect any problems, at least not if you're
running a fairly plain setup (no DLZ database backends etc.)

When that is said, there is the possibility of a more recent version of
BIND being stricter with what it allows in its zonefiles, configuration
file etc.
If you are uncertain about this, I suggest you install BIND on a test
system, and have it load a copy of your production configuration +
zonefiles (or you could run those through named-checkconf /
named-checkzone).

Regards
Eivind Olsen
eiv...@aminor.no


Re: testing bind9

2011-06-09 Thread Eivind Olsen
Gera 123 wrote:

[from dig...]

> ;; ANSWER SECTION:
> elimparcial.com. 3832 IN A 216.240.181.166

[from nslookup...]

> *** No se puede econtrar el nombre de servidor para la direccion
> 192.168.0.19 : non-existent domain
> *** los servidores predeterminados no estan disponibles
> Respuesta no autoritativa
> Servidor: UnKnown
> Address: 192.168.0.19
>
> Nombre: elimparcial.com
> Address: 216.240.181.166

You got the same answer back, in the end. The error message you got about
192.168.0.19 non-existent domain is probably because you don't have a
reverse lookup zone for your internal subnet. It really isn't important,
even though nslookup tends to think it is.

In general, I'd recommend debugging/testing DNS lookups with a proper tool
like dig, and not nslookup which has a couple of snags which can easily
confuse more than it helps.

Regards
Eivind Olsen


Re: MX record IP address instead of hostnames

2011-06-07 Thread Eivind Olsen
Karen Lear wrote:

> Can anyone tell me why my MX record for the coop-uspto.gov domain are IP
> addresses instead of hostnames?
...
> Non-authoritative answer:
> coop-uspto.gov  mail exchanger = 5 151.207.128.23.coop-uspto.gov.
> coop-uspto.gov  mail exchanger = 5 151.207.128.22.coop-uspto.gov.

I can't, no. It looks fine enough when I check here (a bit odd to only
have a single nameserver, but that's beside the point).

[eivind@vimes ~]$ dig +short mx coop-uspto.gov
5 coop-mbxhc-1.coop-uspto.gov.
5 coop-mbxhc-0.coop-uspto.gov.
[eivind@vimes ~]$

Regards
Eivind Olsen


Re: Hosting my company DNS server in Internet

2011-05-30 Thread Eivind Olsen
babu dheen wrote:

> Can anyone have any idea as to how we can host our own authoritative DNS
> server for my company. For example if my company domain is mycompany.com,
> we want to maintain our own DNS server so that users across world should
> contact our DNS server for name resolution for mycompany.com domain.

The most basic way would be:
- install a nameserver (BIND) somewhere, and make sure it's reachable on
tcp+udp port 53 from the entire world
- set up one or more zonefile, configure domain(s) in named.conf
- configure one or more external slave servers to _also_ be authoritative
for your domain(s), fetching updates from your master DNS server.
- make sure your slave server(s) can actually do a zone transfer from your
master. You might also want to prevent others (anyone except your slave
servers) from doing this.
- register/buy the domain name(s) if you haven't already done so.
- tell your registrar to configure your parent domain so it'll delegate
your domain to your nameservers.

Regards
Eivind Olsen
eiv...@aminor.no



Re: Bug in bind 9.7.3?

2011-05-27 Thread Eivind Olsen
Evan Hunt wrote:
> Yes.  But the problem domain has been corrected, so you won't be able to
> reproduce it now.
> In the interest of preventing this happening again, either by accident
> (as it was in this case) or due to someone crafting a bad zone
> maliciously,
> we will be releasing a patch to all affected versions of BIND 9 as soon as
> I finish turning the crank.

Thanks for letting me know. I should have written this last night after
reading your email, but I went to bed, and upgraded all our nameservers in
the morning instead :-)

I must say - ISC dealt with this issue much faster than I'd have expected
really. No, I'm not saying I'd have expected you to take ages, but
hopefully you know what I'm trying to say here. Keep up the good work!

-- 
Regards
Eivind Olsen
eiv...@aminor.no


Re: Bug in bind 9.7.3?

2011-05-26 Thread Eivind Olsen
David Sparro wrote:

> I had some of my 9.7.2-P3 boxes die the same way as well.
> dig txt _policy._domainkey.federalreserve.gov
> will trigger the crash as well.
> Not all of my systems seem to be affected, though.  Those that are seem
> to be 100% reproducible.

Just out of curiosity - is anyone seeing these crashes with a BIND that
isn't doing DNSSEC validation?

(I've not been able to reproduce this on any non-validating server yet,
and my validating servers are running some other software at the moment -
I'll enable validation on my test systems and check if I can get them to
crash).

Regards
Eivind Olsen
eiv...@aminor.no


Re: Bug in bind 9.7.3?

2011-05-26 Thread Eivind Olsen
I wrote:

> (I've not been able to reproduce this on any non-validating server yet,
> and my validating servers are running some other software at the moment -
> I'll enable validation on my test systems and check if I can get them to
> crash).

I've so far not been able to reproduce it on a DNSSEC-validating BIND either.
I'm not saying there's no bug, only that I can't reproduce it myself
(probably, I'm doing something wrong).

Regards
Eivind Olsen
eiv...@aminor.no


Re: subdomain delegation question #2: (simple config)

2011-05-24 Thread Eivind Olsen
dalton stickney wrote:

> ;; QUESTION SECTION:
> ;sccnj04.example.com. IN  NS

So, you ask for sccnj04.example.com, but apparently that's not what you
have in your zonefile:

> $ORIGIN sccnj04.example.com.
> sccnj04   IN NS sip.example.com.

The $ORIGIN will be appended here to the non-FQDN, meaning you really have:

sccnj04.sccnj04.example.com.  IN NS sip.example.com.

Regards
Eivind Olsen

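The $ORIGIN rule explained here, and the "wwww" owner name from the DNS Trouble post above, both come down to how named turns zonefile names into fully qualified ones. The following small parser is an added illustration written for this page (not BIND's own code); the two sample zones are constructed from the posts' examples, and the redefariat.com SOA/NS/A records are made up to give that zone an apex.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: Optional[int]
    rtype: str
    rdata: str


def qualify(name: str, origin: str) -> str:
    """Return the fully qualified form of a zonefile name relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                  # absolute: used exactly as written
    return f"{name}.{origin}"        # relative: the current $ORIGIN is appended


def parse_zone(text: str, default_origin: str) -> List[Record]:
    """Parse a simple one-record-per-line zonefile into qualified records.

    Handles $ORIGIN, $TTL, ';' comments, an optional per-record TTL and
    class, and a blank owner field that inherits the previous owner.
    Parenthesised multi-line records are not supported; this is enough to
    reproduce the two mistakes discussed in the posts."""
    origin = default_origin if default_origin.endswith(".") else default_origin + "."
    default_ttl: Optional[int] = None
    last_owner: Optional[str] = None
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)   # a relative $ORIGIN builds on the old one
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if line[0].isspace():                     # blank owner: inherit the previous one
            if last_owner is None:
                raise ValueError("first record has no owner name")
        else:
            last_owner = qualify(fields.pop(0), origin)
        ttl = default_ttl
        if fields and fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        if not fields:
            raise ValueError(f"record without a type: {raw!r}")
        rtype = fields.pop(0).upper()
        rdata = " ".join(fields)
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = qualify(rdata, origin)        # name-valued rdata is relative as well
        records.append(Record(last_owner, ttl, rtype, rdata))
    return records


def lookup(records: List[Record], name: str, rtype: Optional[str] = None) -> List[Record]:
    """Return the records owned by name (case-insensitive; trailing dot optional)."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    return [r for r in records
            if r.owner.lower() == name and (rtype is None or r.rtype == rtype)]


# Constructed from the subdomain delegation post: the owner is relative, so
# $ORIGIN is appended and the NS record lands one label too deep.
DELEGATION_ZONE = """\
$ORIGIN sccnj04.example.com.
sccnj04   IN NS sip.example.com.
"""

# Constructed from the DNS Trouble post: the owner has four w's, not three.
TYPO_ZONE = """\
$TTL 3600
@       IN SOA   ns1 hostmaster 2011061201 3600 900 604800 300
        IN NS    ns1
ns1     IN A     192.0.2.1
wwww    IN CNAME @
"""


def main() -> None:
    print(parse_zone(DELEGATION_ZONE, "example.com")[0].owner)  # sccnj04.sccnj04.example.com.
    recs = parse_zone(TYPO_ZONE, "redefariat.com")
    print(lookup(recs, "www.redefariat.com"))    # [] -> the "unknown host" ping saw
    print(lookup(recs, "wwww.redefariat.com"))


if __name__ == "__main__":
    main()
```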

Re: Deny MX query

2011-05-24 Thread Eivind Olsen
Igor da Silva Cagnin wrote:

> I have a doubt about queries, in fact I'd like to deny just queries of type MX.
> Other query types must be available. Is it possible?

Not with a regular BIND 9, no - at least not that I'm aware of.
I guess it can be done by hacking the source code, but is it worth it?

Regards
Eivind Olsen


Re: IPv4 IPv6 named processes on a dual stack host

2011-05-24 Thread Eivind Olsen
Timothy Stoddard wrote:

> Has anyone run into an issue with two named processes running on the same
> host.  We want to begin serving up DNS on our IPv6 address space and do
> not
> want to duplicate each of our DNS servers.  We have started two named
> processes, one with the -6 option.  All seems to be working.  I am concerned
> how journal files will be handled.  Question: will the -4 named process
> coexist with -6 on the same box???

Well, I guess it should work, assuming you let it deal with separate
files/directories and don't mix too much between the two instances.

But - why would you prefer to run 2 separate instances, instead of just
having 1 listening on both IPv4 and IPv6? Just run it without any -4 or
-6 options, and tell it to listen on your IPv6-address(es) as well, by
adding something like this to your options block in named.conf:

listen-on-v6 { any; };

I see you mention you run ISC DHCP 4.1 of some version: yes, the DHCP
software can currently only run either IPv4 or IPv6. BIND can easily deal
with both protocols at the same time.

Regards
Eivind Olsen


Re: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Eivind Olsen
Lightner, Jeff wrote:
> Is anyone else seeing odd results with news.google.com?   My BIND 9
> master and slave are getting different results.   If I go out to other

Normally, you'd have master/slave nameservers in different networks - is
this the case here as well for your servers? Will their outgoing queries
to the Google nameservers come from completely different source
IP-addresses?

I see different results as well when I look up news.google.com from my
different servers on different continents - so it does look like Google
are giving different replies depending on where you come from.

Regards
Eivind Olsen


RE: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Eivind Olsen
Lightner, Jeff wrote:

> The master is dswadns1.water.com at 12.44.84.213 and the slave is
> dswadns2.water.com at 12.44.84.214.

So, they leave your network in the same way, through the same router etc?
Are they configured to use any forwarders? Stub-zones? Etc? Or do they
both talk directly out to the Internet?

Or, how about.. what do you get if you query the same Google nameserver
from both your hosts? Do you get the same results if you for example query
ns1.google.com with dig on both your nameservers, or do you then also
get different answers? How about if you check from a single one of your
nameservers, doing manual queries to all 4 Google nameservers (ns1 - 4)?
Same result from all 4, or different results?

Regards
Eivind Olsen


Re: Error when trying to make secondary nameserver from copying primary nameserver

2011-05-05 Thread Eivind Olsen
Samad Agha wrote:

> 1- found out which version of bind dns1 is running and installed exactly
> that version on dns2:
> [root@dns1 named]# named -v
> BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5

That version is quite old. In general, just because server 1 has an old
BIND isn't a reason to choose an old BIND on server 2 as well.

> 2- Copied dns1:/etc/named.conf from primary server (dns1) onto dns2 and
> chown it:
> [root@dns2 ~]# ls -l /etc/named.conf
> -rw-r--r-- 1 root named 2876 May  3 09:30 /etc/named.conf

Sure, you can use an existing named.conf as basis for your 2nd nameserver,
but if you want to turn your setup into a normal master/slave setup, you'll
also want to configure one of them with zones of type slave, telling
BIND who the master is, something like:

zone "my.zonename" {
    type slave;
    file "path/to/my.zonename-file";
    masters {
        192.168.1.10; // use proper IP address instead
    };
};

You might also want to set up your zonefile transfers, typically by
allowing the slave to transfer from the master (so you might need to
change the configuration on the master), and perhaps disallowing anyone
else from doing transfers.

> 4- I get the couldn't open pid file '/var/run/named/named.pid':
> Permission
> denied as follows:

Check the permissions of that directory, and see if there's also a
named.pid file already. I'm not familiar with that old RedHat package, so
I don't know how it expects things to be set up, if you're using the
bundled start script.
If the permissions initially look good, I suggest you look into whether
you have SELinux running, maybe its policies are making problems for you?

Regards
Eivind Olsen
eiv...@aminor.no


Re: Anyone have problems with BIND 9.8.0

2011-04-28 Thread Eivind Olsen
Marion Bogdanov wrote:

> In my preparation to upgrade from 9.7.3 to 9.8.0. I figured it would be
> worth to field the obvious question: has anyone run into any problems in
> their upgrade?

I haven't noticed anything myself really, but would be interested in
hearing if others have.

Regards
Eivind Olsen


Re: continous DNS query to ROOT DNS server

2011-04-26 Thread Eivind Olsen
Chris Buxton wrote:

> Create RFC 1918 reverse zones for whatever parts of this address space
> you're using.
> Newer versions of BIND will do this automatically for you -- the zones
> are created without content. What version of BIND are you using?

Hm, anyone know which versions? The BIND 9.8 ARM has a section about
built-in empty zones, where it for example says "In particular, these
cover the reverse namespace for addresses from RFC 1918 and RFC 3330.",
then goes on to list several zones which are _not_ what I normally think
of when someone mentions RFC 1918.

Also, from the source code of BIND 9.8.0, in the file bin/named/server.c -
there's a list of empty zones, but the RFC 1918 zones seem to be ifdef'ed
out:


#ifdef notyet
	/* RFC 1918 */
	{ "10.IN-ADDR.ARPA", ISC_TRUE },
	{ "16.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "17.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "18.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "19.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "20.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "21.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "22.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "23.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "24.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "25.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "26.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "27.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "28.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "29.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "30.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "31.172.IN-ADDR.ARPA", ISC_TRUE },
	{ "168.192.IN-ADDR.ARPA", ISC_TRUE },
#endif

Regards
Eivind Olsen
eiv...@aminor.no


Re: slave AXFR bind9

2011-04-21 Thread Eivind Olsen
hugo hugoo wrote:
> I use a server called lenny where the zone is idendified as slave.
> I use a server called custmaster where the zone is master.

You're hiding data from us, for example:
> bind9testcarlos.be.     86400   IN  NS  ns.uat.
> bind9testcarlos.be.     86400   IN  NS  ns2.uat.
> ns.bind9testcarlos.be.  3600    IN  A   1.2.3.4
> ns2.bind9testcarlos.be. 3600    IN  A   1.2.3.4

You've obfuscated the IP-addresses for ns.bind9testcarlos.be /
ns2.bind9testcarlos.be - and you've done it in a way meaning I don't
_really_ know if you've given them the same IP-address for real either.

Here's what I _think_ might be happening, but which I can't really know
since you hide the information I've asked for before (such as the
configuration of your zone).
Your master DNS will only send notifies to nameservers that handle the
zone according to:
- being mentioned with NS records in the zonefile (in your example, that
would be ns.uat and ns2.uat)
- nameservers mentioned with an also-notify statement in your named.conf

I'm guessing that your slave server isn't listed with an NS record in the
zonefile, and isn't listed with also-notify either. Am I right?

Regards
Eivind Olsen
eiv...@aminor.no


RE: slave timers

2011-04-19 Thread Eivind Olsen
hugo hugoo wrote:
> How can I go on investigating what happens?

In your previous message you listed these nameservers in the zonefile:

bind9testcarlos.be.  86400   IN  NS ns.uat.
bind9testcarlos.be.  86400   IN  NS ns2.uat.

Is the slave server you're having problems with one of these two (ns.uat /
ns2.uat)? If it isn't, have you told the master nameserver about the slave
with for example the also-notify option?
How have you configured BIND on the master nameserver, with regards to
notify settings?

Regards
Eivind Olsen
eiv...@aminor.no

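The rule stated in this and the previous slave AXFR reply (NOTIFY goes to the zone's NS records, minus the SOA MNAME, plus also-notify, as documented in the BIND 9 ARM) can be turned into a small diagnostic. This is an added example for this page, not BIND's code; the zone data is constructed from the bind9testcarlos.be listing above and the slave's address 192.0.2.20 is made up.

```python
from typing import Dict, Iterable, List, Set


def fqdn(name: str) -> str:
    """Canonical form for comparison: lower case with a single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def notify_targets(soa_mname: str, ns_names: Iterable[str],
                   addresses: Dict[str, List[str]],
                   also_notify: Iterable[str]) -> Set[str]:
    """Return the addresses a BIND primary sends NOTIFY to for one zone.

    Per the BIND 9 ARM: every server in the zone's NS records except the one
    named in the SOA MNAME field (taken to be the primary itself), plus
    everything listed in also-notify. 'addresses' maps a nameserver name to
    the addresses the primary resolves it to."""
    targets: Set[str] = set()
    mname = fqdn(soa_mname)
    for ns in ns_names:
        ns = fqdn(ns)
        if ns == mname:
            continue                              # a server does not notify itself
        targets.update(addresses.get(ns, []))     # unresolvable NS: nobody is notified
    targets.update(also_notify)
    return targets


def why_not_notified(slave: str, soa_mname: str, ns_names: Iterable[str],
                     addresses: Dict[str, List[str]],
                     also_notify: Iterable[str]) -> List[str]:
    """List the reasons a slave address is missing from the NOTIFY set ([] if it is in it)."""
    ns_names = list(ns_names)
    also_notify = list(also_notify)
    if slave in notify_targets(soa_mname, ns_names, addresses, also_notify):
        return []
    reasons: List[str] = []
    listed = [ns for ns in ns_names if slave in addresses.get(fqdn(ns), [])]
    if not listed:
        reasons.append("not the address of any NS record in the zone")
    elif all(fqdn(ns) == fqdn(soa_mname) for ns in listed):
        reasons.append("only listed as the SOA MNAME, which the primary skips")
    if slave not in also_notify:
        reasons.append("not in also-notify")
    return reasons


# Constructed from the bind9testcarlos.be example: both NS names resolve to
# the (obfuscated) 1.2.3.4; LENNY is a hypothetical address for the slave.
SOA_MNAME = "ns.uat."
ZONE_NS = ["ns.uat.", "ns2.uat."]
ADDRESSES = {"ns.uat.": ["1.2.3.4"], "ns2.uat.": ["1.2.3.4"]}
LENNY = "192.0.2.20"


def main() -> None:
    print(notify_targets(SOA_MNAME, ZONE_NS, ADDRESSES, []))
    print(why_not_notified(LENNY, SOA_MNAME, ZONE_NS, ADDRESSES, []))
    # The fix suggested in the post: name the slave in also-notify
    # (adding an NS record for it in the zone would work as well).
    print(why_not_notified(LENNY, SOA_MNAME, ZONE_NS, ADDRESSES, [LENNY]))


if __name__ == "__main__":
    main()
```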


Re: max-cache-size rule of thumb?

2011-04-18 Thread Eivind Olsen
Dennis Perisa wrote:
> Is there a rule of thumb when setting max-cache-size?  e.g. max physical
> memory * 0.4
> Is there even a need to set max-cache-size on a server with plenty of
> memory
> (10GB) running only BIND?

I'd normally not recommend to limit the cache size - with normal use, it
should stabilize on some amount by itself, based on your usage patterns.
Memory is fairly cheap these days, too.

Regards
Eivind Olsen


Re: DNSSEC, whitehouse, isc, and troubleshooting...

2011-04-18 Thread Eivind Olsen
John Williams wrote:
> Is anyone else seeing this behavior?  Also, is there a link that addresses
> troubleshooting or diagnosing DNSSEC based queries?

One minor issue:

If I query a.gov-servers.net for the nameservers of whitehouse.org, it
returns a list of 6. If I query any of these, they give me a list of 8
(the additional two being usw5.akam.net and usw6.akam.net).

But, to the original question: I get the AD flag when I query through my
validating resolver:

[eivind@vimes ~]$ /usr/local/bin/dig +dnssec any whitehouse.gov @127.0.0.1

; <<>> DiG 9.8.0 <<>> +dnssec any whitehouse.gov @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18201
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 1
...etc...

If on the other hand I ask for www.whitehouse.gov, I get a CNAME outside
of the zone, pointing to www.whitehouse.gov.edgesuite.net which is yet
another CNAME pointing to a1128.h.akamai.net. Neither of these seem to be
DNSSEC signed.

Regards
Eivind Olsen
eiv...@aminor.no


Re: multiple IP address in Address Record in BIND

2011-04-17 Thread Eivind Olsen
> Hi,
>   we have internal domain called sva.com and address record for this
> sva.com is pointed to many IP addresses. When i do nslookup, i am getting
> below output.  I would like to enable the same configuration in bind.
>  Let us know how this can be achieved.
> #nslookup sva.com
> Name:   sva.com
> Addresses:  10.10.10.10, 10.10.10.10, 10.10.10.10, 10.10.10.10,10.10.10.10

You would like it to point to the same IP-address many times? Why?

Regards
Eivind Olsen


Re: multiple IP address in Address Record in BIND

2011-04-17 Thread Eivind Olsen
> In the bind 8 days people would put the same address multiple times and
> then
> other addresses as well to weight the responses.

Yes, but in the example given it's the same address all the time, no
mention of any other addresses, and that's why I ask - what for?

Regards
Eivind Olsen


Re: Maximum limit of query per second

2011-04-06 Thread Eivind Olsen
iharrathi@orange-ftgroup.com wrote:

> Has someone reached the number 10 qps for example. Of course we

During testing - yes I have reached that number. This was with resperf
utility which by default speeds up towards 10. From the man page:
By default, resperf will send traffic for 60 seconds, linearly increasing
the amount of traffic from zero to 100,000 queries per second.. You can
tell it to work towards higher numbers with the -m command line option.
This was with no tuning, by the way. No special compile options. I did
increase the amount of allowed recursive clients in named.conf, but that's
all.

I didn't spend time on getting higher qps during testing, as I figured
10 qps in best-case conditions on a single server would suffice, at
least for the time being.

Regards
Eivind Olsen


RE: Maximum limit of query per second

2011-04-06 Thread Eivind Olsen
Issam HARRATHI wrote:
> The results i found with resperf are not OK for me because when i test
> with tcpreplay ( i monitor packet in and packet out, and i dont see any
> problem in CPU or RAM) i found a maximum throughput less (40%) than what i
> found with resperf.
> Your test was on linux or Unix, and which hardware? Did you try with
> tcpreplay?

This was on some HP box, DL360 G7 I think it was. Linux w/SELinux enabled
(just for the heck of it).

I haven't tried it with tcpreplay, no.

How did you conduct the testing? What kind of test data? Real live sample?
Data you are guaranteed to have in your local cache? Or would your testing
require your server to go out on the Internet and be at the mercy of
external servers as well?

Regards
Eivind Olsen


Re: priority with A record?

2011-04-05 Thread Eivind Olsen
iharrathi@orange-ftgroup.com wrote:
> Is there anyway to enable priority on A or NS record?

No.

Regards
Eivind Olsen


Re: Deny query to specific domain

2011-04-05 Thread Eivind Olsen
Linh Khuu wrote:
> Is there a way in BIND to deny or block query to a specific domain? For
> example, I don't want anyone within my organization to do query on
> example.com. Is there any option in named.conf allow to do that?

Yes, either set your server as being authoritative for that domain (define
it as a zone etc.), or configure RPZ which is supported in BIND 9.8.0 for
example.

Regards
Eivind Olsen
eiv...@aminor.no

Re: Is it possible to block resolution of a malware address?

2011-04-01 Thread Eivind Olsen
> That is, if we know that a symbolic address is malign, is there some way
> to
> refuse to resolve it or change its resolution when an internal user asks
> for
> its resolution?

Two different ways of doing this:

- configure your BIND to believe it's authoritative for the address(es) in
question by configuring it as a zone

or, if you run a recent enough version of BIND:
- set up RPZ, it really is easy to implement (and has the advantage of
scaling nicely with multiple servers as well - configure the RPZ zone
somewhere and let normal zone transfers copy it to the other servers you
have as well)

Regards
Eivind Olsen
eiv...@aminor.no

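The RPZ approach recommended here and in the "Deny query to specific domain" reply above works by serving an ordinary zone whose owner names are the names to match and whose CNAME targets encode the action ("." gives NXDOMAIN, "*." gives NODATA, any other name redirects to a walled garden). The generator below is an added example for this page, not ISC's code; the blocklist entries and the rpz.local zone name are constructed placeholders.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# RPZ encodes the policy action in the CNAME target.
ACTION_TARGET = {"nxdomain": ".", "nodata": "*."}
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_domain(name: str) -> str:
    """Normalise a blocklist entry and reject anything that is not a hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or len(name) > 253 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def rpz_lines(domain: str, action: str = "nxdomain", redirect: Optional[str] = None,
              subdomains: bool = True) -> List[str]:
    """Zonefile lines for one entry; the wildcard line covers everything beneath it."""
    if action == "redirect":
        if not redirect:
            raise ValueError("redirect needs a target name")
        target = redirect if redirect.endswith(".") else redirect + "."
    elif action in ACTION_TARGET:
        target = ACTION_TARGET[action]
    else:
        raise ValueError(f"unknown action {action!r}")
    lines = [f"{domain}\tCNAME\t{target}"]
    if subdomains:
        lines.append(f"*.{domain}\tCNAME\t{target}")
    return lines


def build_rpz_zone(entries: Iterable[Tuple[str, str, Optional[str]]],
                   serial: int, origin: str = "rpz.local.") -> str:
    """Render a complete RPZ zonefile.

    Owner names are relative to the policy zone, so "malware.example" here
    becomes malware.example.rpz.local. and matches queries for
    malware.example. Load the file as a normal master zone in named.conf and
    enable it with: response-policy { zone "rpz.local"; };"""
    out = [f"$ORIGIN {origin}", "$TTL 300",
           f"@\tIN\tSOA\tlocalhost. hostmaster.localhost. {serial} 3600 900 604800 300",
           "\tIN\tNS\tlocalhost."]
    seen: Set[str] = set()
    for domain, action, redirect in entries:
        domain = validate_domain(domain)
        if domain in seen:            # duplicates would produce conflicting CNAMEs
            continue
        seen.add(domain)
        out.extend(rpz_lines(domain, action, redirect))
    return "\n".join(out) + "\n"


# Constructed blocklist: placeholder names, not real indicators.
BLOCKLIST = [
    ("malware.example", "nxdomain", None),
    ("tracker.example", "nodata", None),
    ("phish.example", "redirect", "sinkhole.example.net"),
]


if __name__ == "__main__":
    print(build_rpz_zone(BLOCKLIST, serial=2011040101))
```

Bump the serial on every regeneration so the slaves mentioned in the reply pick the new policy up through normal zone transfers.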

Re: BIND 9 and 2 Domains

2011-03-31 Thread Eivind Olsen
> I was wondering if someone had a sample named.conf file I could reference
> that would allow for the configuration of 2 different domain names?

This is so easy that I'm suspecting you're _really_ thinking of something
else than what you're actually asking for. If it isn't, please excuse me,
I don't mean to sound patronising.

To configure 2 different domain names, just list 2 different zone
statements, for example:

options {
    directory "/some/directory";
    ...other options as well, like pid-file, listen-on etc etc..
};

zone "bohrnag.org" {
    type master;
    file "master/bohrnag.org";
};

zone "aminor.no" {
    type slave;
    file "slave/aminor.no";
    masters {
        some.ip.address;
    };
};

(you might also want to expand on those settings by configuring dynamic
update policies, allowing/denying zone transfers etc - this example is
just meant to show the basic case)

Regards
Eivind Olsen
eiv...@aminor.no


Re: problem for validate the script dnssec to isc dlv

2011-03-28 Thread Eivind Olsen
> dns appear as my syncro.
> yet I'm still at the same point
> missing keys

Your delegation for the domain fakessh.eu doesn't seem to be 100% correct
yet though.

If I ask the nameservers for .eu (like p.nic.eu) it tells me your domain
belongs to 4 nameservers:

ns0.xname.org
ns1.xname.org
ns1.novacrea.fr
r13151.ovh.net

If I ask the first one on that list, ns0.xname.org, it tells me you only
have 3 nameservers:

ns1.xname.org
ns1.novacrea.fra
r13151.ovh.net

If I try to get a reply from ns1.xname.org it just goes into timeout here:

[eivind@vimes ~]$ dig +dnssec ns fakessh.eu @ns1.xname.org

; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @ns1.xname.org
;; global options: +cmd
;; connection timed out; no servers could be reached
[eivind@vimes ~]$

If I try to get a reply from r13151.ovh.net I just get a servfail:

[eivind@vimes ~]$ dig +dnssec ns fakessh.eu @r13151.ovh.net

; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @r13151.ovh.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fakessh.eu.			IN	NS

;; Query time: 55 msec
;; SERVER: 87.98.186.232#53(87.98.186.232)
;; WHEN: Mon Mar 28 10:02:33 2011
;; MSG SIZE  rcvd: 39

Regards
Eivind Olsen
eiv...@aminor.no


Re: can I set the second nameserver to a public dns cache?

2011-03-28 Thread Eivind Olsen
> Hello,
> I have only one nameserver for a domain.
> Can I set the second nameserver for this domain to a public dns cache?
> for example:
> abc.com.  IN  NS  ns1.abc.com.
> abc.com.  IN  NS  ns2.abc.com.
> ns2.abc.com.  IN  A  8.8.8.8  # 8.8.8.8 is google's public dns server

No. Don't do that. A cache/resolver is not the same as an authoritative
server. For example, it will not flag the cache contents as being
authoritative (the AA flag).

Get a proper secondary/slave nameserver somewhere, it doesn't need to be
costly.

Regards
Eivind Olsen
eiv...@aminor.no


Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread Eivind Olsen
Fakessh wrote:

> the DS it is necessary that I contact OVH.
> in the DLV conserne my problem I have this same recurring errors in the
> script of the isc
> that's my problem

I'll admit, I've had some problems guessing what the problem you're
experiencing really is, there's been mentions of TSIG keys, DNSSEC,
scripts etc. Please bear with me, English isn't my normal language, so
perhaps I've misunderstood something.

If I understand things correctly though, you're unable to get the DLV or
DS records added, and the reason for that seems to be because your DNS
setup doesn't pass a sanity check.

Follow these steps, in this order, and correct these:

1) Two of your nameservers don't seem to do DNSSEC properly. I don't know
which software they are running. If you want to use those nameservers for
a DNSSEC signed domain, you'll need to get whoever manages those
nameservers to make them DNSSEC capable. Depending on the software they're
running, that might just be a configuration issue, or perhaps they'll need
to upgrade to a more recent version of the software to get DNSSEC
capabilities.
The two nameservers that seem to need fixing are ns0.xname.org and
ns2.xname.org.

2) When I check the delegation of the domain fakessh.eu, it's delegated to
4 nameservers. But when I check the NS records in your zone, it lists an
additional 5th nameserver, ns2.xname.org. You should make sure the NS
records in your zone match the delegation - perhaps just remove
ns2.xname.org from your zonefile?

3) I'm not sure why, but if I do dig any fakessh.eu @ns2.xname.org I get
a SERVFAIL back:
[eivind@vimes ~]$ dig any fakessh.eu @ns2.xname.org.

; <<>> DiG 9.6.-ESV-R3 <<>> any fakessh.eu @ns2.xname.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7693
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fakessh.eu.			IN	ANY

;; Query time: 91 msec
;; SERVER:
2a01:e0b:1:64:240:63ff:fee8:6155#53(2a01:e0b:1:64:240:63ff:fee8:6155)
;; WHEN: Fri Mar 25 00:26:26 2011
;; MSG SIZE  rcvd: 28

Doing plain queries for A,  or SOA for example seem to work just fine
though. Am I doing something odd in this query, or is that nameserver
really weird?

4) If you've sorted all the stuff above: now is the time to try to add the
DS or DLV records. I'd not suggest you try this before the previous issues
have been corrected.

Regards
Eivind Olsen
eiv...@aminor.no

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: rndc-key has expired

2011-03-23 Thread Eivind Olsen
 I edit the file named.conf
 modification
 update-policy {
 grant * self * A TXT;
 };
 to update-policy local;
 it seems more logical.
 but I'm still stuck on the validation of isc dlv. the script tells me
 lost keys

Which script? What exactly does it say?

I'm guessing you might have enabled dynamic updates in a DNSSEC signed
zone, without BIND having access to the private keys needed to sign, but
that's a wild guess really.

Regards
Eivind Olsen




Re: ip6.arpa help

2011-03-18 Thread Eivind Olsen
On 18 March 2011 at 10:07, mattias.o.anders...@gavle.se 
<mattias.o.anders...@gavle.se> wrote:
 Is there any good information, maybe an RFC, on how reverse DNS should be done in 
 IPv6. Then I don't mean how to register an ip6.arpa and edit your zone-file in 
 bind. I mean how you solve the problem with generating 2^64 unique PTR records 
 for a single customer without filling your hard drive. =)

I'm in a similar situation, and no, I don't know of a nice and easy way of 
doing this with current software.

Pre-generating reverse records for any possible IPv6 address in your prefix(es) 
isn't going to work. Adding it to your own services/servers such as email 
servers etc, that's easy. But how can you know which of the 2^64 addresses your 
customer is going to be using?
I've been toying with some ideas, not sure which one would actually work the 
best way:
- don't add any IPv6 reverse records for customers
- you could take the overhead of letting your customers either ask for specific 
reverse records to be implemented (through customer service? self service web 
interface?)
- if your customers get assigned addresses from DHCPv6, you might consider 
letting it update the zones for you
- in theory you could delegate the responsibility for reverse records in the 
customers' prefix to them, but I doubt many customers would actually bother 
running their own nameservers for this.
- perhaps some alternative nameserver software is capable of generating the 
reverse records on the fly, based on some template, if there's not a specific 
record already defined?

-- 
Regards
Eivind Olsen
eiv...@aminor.no






Re: necessary to have a secondary dns ipv6

2011-03-13 Thread Eivind Olsen
You are normally required to have at least two nameservers for your domains. 
Keep in mind that any ipv6-only hosts will be unable to use your ipv4 
nameservers.

Did this answer your question?

Regards
Eivind Olsen

On 14 March 2011 at 00:10, fakessh @ <fake...@fakessh.eu> wrote:

 How is it necessary to have a secondary dns ipv6 to properly establish a
 connection ipv6


Re: rndc: 'reload' failed: not found

2011-03-08 Thread Eivind Olsen
 Cent OS+BIND 9.7.3+DLZ(BDB as backend)
 # rndc reload 2mysite.net
 rndc: 'reload' failed: not found
 rndc reload does not work correctly, why?

I've not used DLZ, but in general the error message you see is the same
one you'd see if BIND didn't know about the zone. For example:

# rndc reload doesntexists.zone
rndc: 'reload' failed: not found
# rndc reload bohrnag.org
zone reload up-to-date
#

I did a quick search on the net, and it looks like it might also be an
issue with the permissions on the database files, depending on the user
BIND is running as?
For example,
http://fixunix.com/dns/55171-chrootd-bind-dlz-file-__db-00-perms-causing-rndc-reload-fail-where-set-change-them.html

Regards
Eivind Olsen
eiv...@aminor.no



Re: rndc: 'reload' failed: not found

2011-03-08 Thread Eivind Olsen

On Tue, 8 Mar 2011 04:07:51 -0600 (CST), Dan wrote:

You cannot reload a dlz zone file. The zone is dynamic in mysql.


That's fine, but the original poster said "Cent OS+BIND 9.7.3+DLZ(BDB 
as backend)", which led me to believe he's using BDB and not MySQL.


Take what I say here for what it's worth (not much, since I've got no 
experience with DLZ). Maybe the link I gave earlier wasn't any good? 
(this one: 
http://fixunix.com/dns/55171-chrootd-bind-dlz-file-__db-00-perms-causing-rndc-reload-fail-where-set-change-them.html 
- I'd at least suggest the original poster looks at it to see if it is of 
any help).


Regards
Eivind Olsen
eiv...@aminor.no



Re: rndc: 'reload' failed: not found

2011-03-08 Thread Eivind Olsen
 Are both of the zones loaded from DLZ?

In my tests? Neither of the zones, it was just meant to show that the
rndc reload error message was the same as if BIND had no idea about the
zone.

Regards
Eivind Olsen
eiv...@aminor.no



Re: rndc increment the serial

2011-03-05 Thread Eivind Olsen

On 5 March 2011 at 19:24, fakessh @ wrote:

 since I installed the latest version of bind 9.7.3 
 I do not know me use rndc 
 rndc to each use is increment a serial in the area. 
 I do not remember using it. 
 can you give me a little explanation

I'm not sure what it is you're really asking about.
rndc isn't used to increment the serial number in zonefiles - you do that when 
editing the zonefile, and then you can use rndc to inform BIND that the 
zonefile needs to be reloaded, for example:

rndc reload example.com

If rndc isn't working for you, you'll need to configure it, for example by 
setting up an rndc.key file (location depending on your installation of BIND). 
An easy way to configure rndc is with the rndc-confgen -a command line.

-- 
Regards
Eivind Olsen
eiv...@aminor.no



Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-02-28 Thread Eivind Olsen
On 28 February 2011 at 17:46, fakessh @ wrote:
 for example the test shows me some time
 http://dnssec-debugger.verisignlabs.com/nicolaspichot.fr the results are
 not consistent with my expectations


Well, I see a few different errors for that domain:

I don't see any DS records for your domain when I query the fr. nameservers. I 
don't know how it's handled in that TLD but I guess you somehow need to tell 
your registrar about your KSK, so they can put in the correct DS record.

The delegation of your domain looks a bit odd, the fr. nameservers claim you 
have:
- ns0.xname.org
- ns1.xname.org
- ns1.novacrea.fr
- r13151.ovh.net
...but if I query any of these, I'm told there's also ns2.xname.org

At the moment, ns1.xname.org gives an older version of the zone, with a serial 
number 2011021401

Check the list of errors on http://dnsviz.net/d/nicolaspichot.fr/dnssec/ 
especially about missing key 12961.

-- 
Regards
Eivind Olsen
eiv...@aminor.no






Re: Threaded bind on CentOS

2011-02-24 Thread Eivind Olsen
 I am using bind 9.7.3 and I have tried running it with
 various -n values and it appears that I will always get
 n+3 threads.

I haven't tried this myself on CentOS, but.. How do you verify the amount
of threads? Checking with ps / top? What does BIND log when it starts up?
Normally it should log how many threads it's using.

Regards
Eivind Olsen




Re: Multi language support in BIND

2011-02-23 Thread Eivind Olsen
  Can anyone tell me how to enable Arabic domain name query in BIND running
 Redhat RHEL 5. 
  Actually we have many internal domain name zone configured in BIND
 running in Redhat 5 OS. Since i am from Middle east, users in my company
 wants to access their internal domain name through arabic name in
 Explorer.

You should look into Internationalized Domain Names (IDN). I haven't had
to deal much with those myself, thankfully, but there's some information
in various RFCs. I think perhaps
http://en.wikipedia.org/wiki/Internationalized_domain_name might be a good
place to start as well.

I can't type arabic letters here, so I'll give an example in Norwegian
instead - the concept should be the same.

If I want BIND to serve the domain æøå-domene.no, I'll actually have to
convert that name into punycode and put the converted name
(xn---domene-dxai4p.no) into BIND:

zone "xn---domene-dxai4p.no" {
    type master;
    file "master/xn---domene-dxai4p.no";
    etc
};

If you want that domain to receive emails or serve web-traffic, you'll
most likely also have to use the punycode version of the domain name in
your configuration, unless your software is capable of hiding those
details from you.

Do keep in mind that certain software just won't handle these types of
domain names - for example I know of a couple of webmail solutions (both
commercial and open source) that just aren't capable of sending emails to
such domain names - unless you make your users send directly to the
punycode version - and really, you can't expect people to do that
manually.

Regards
Eivind Olsen


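The U-label to A-label conversion described in the reply above, as an added example (not code from the post or from BIND): it uses Python's built-in IDNA codec to turn a Unicode zone name into the punycode name BIND needs, converts it back again, and emits the named.conf stanza. The function names and the "master" directory are my own assumptions; the sample name is the one from the post.

```python
"""Convert an internationalized zone name to the punycode form BIND
expects, and back. Added example; helper names are assumptions."""
import re

# Labels that need no conversion: plain LDH (letters, digits, hyphen) ASCII.
ASCII_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def to_punycode(name: str) -> str:
    """Return the ASCII form (A-labels) of a domain name.

    'æøå-domene.no' -> 'xn---domene-dxai4p.no'. Each label is converted
    separately; labels that are already ASCII are only lower-cased.
    The 'idna' codec applies nameprep and then punycode with the 'xn--'
    prefix, which is exactly what goes into named.conf and the zonefile.
    """
    out = []
    for label in name.rstrip(".").split("."):
        if ASCII_LABEL.match(label):
            out.append(label.lower())
        else:
            out.append(label.encode("idna").decode("ascii"))
    return ".".join(out)


def to_unicode(name: str) -> str:
    """Inverse of to_punycode: 'xn---domene-dxai4p.no' -> 'æøå-domene.no'.

    Labels without the 'xn--' prefix pass through unchanged.
    """
    return ".".join(
        label.encode("ascii").decode("idna")
        for label in name.rstrip(".").split(".")
    )


def zone_stanza(unicode_name: str, directory: str = "master") -> str:
    """Build the named.conf zone stanza for a Unicode zone name.

    The stanza (and the zonefile name) must use the punycode form; the
    Unicode form is kept only in a comment for the human reading the config.
    """
    aname = to_punycode(unicode_name)
    return (
        f"// {unicode_name} is served under its punycode name {aname}\n"
        f'zone "{aname}" {{\n'
        f"    type master;\n"
        f'    file "{directory}/{aname}";\n'
        f"}};\n"
    )


if __name__ == "__main__":
    print(zone_stanza("æøå-domene.no"))
```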


Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Eivind Olsen
 is there any option in BIND to give priority to HOST file before
 connecting it to internet ISP or local zone?

No. BIND doesn't read/use the hosts file.
What you _can_ do is configure BIND to believe it's authoritative for
those zones, but I'd not recommend doing this unless you have a very good
reason. And if your Internet connection goes down, does it really matter
whether you can do lookups, if you can't make the connections anyway?

Regards
Eivind Olsen




Re: How to allow set Host file dns query priorities in BIND

2011-02-23 Thread Eivind Olsen
On 23 February 2011 at 18:19, Kevin Darcy <k...@chrysler.com> wrote:

 One should also bear in mind that DNS isn't only used for obtaining address 
 records for purposes of immediate client/server connection.
...etc...

Fair enough. I didn't see any mention of that in the original posting, and I 
don't think the hosts file is very suited for LOC, TXT and other such records.

Regards
Eivind Olsen



Re: Question about some oddities in the logs

2011-02-22 Thread Eivind Olsen
On Tue, 22 Feb 2011 08:59:51 +0100, Torinthiel torinth...@data.pl
wrote:
 Hmm, looks to me as the box listed as client sends some strange notify
 messages. Notify normally should contain SOA, so that receiving NS can
 tell if it has outdated zone or no. These don't. What (regarding DNS of
 course) is on those machines?

These come from a variety of IP-addresses, belonging to customers
(we're an ISP). So I don't know what's really on the customers machines.

 asking for CH TXT version.bind returns bind's version, unless configured
 not to do so. Maybe something also asks for A, but I dunno why. Are
 these addresses in your network? Then you can trace them down probably.

These are again from customers' addresses.

 Now, the more important part - why would you be running a slave of root?
 AFAIK the root servers don't a) allow transfer b) send you notifies, so
 you'll be in trouble as soon as anything changes, which means every week
 right now, that root is signed. Why is
 zone . in { type hint; }
 not enough for you?

At least some of the root servers allow transfers. They won't send me
notifies, true. But I don't need that. Currently the root zone has a
refresh value of 1800 seconds and expire = 604800 seconds, so my slave
servers will check the root for updates often enough.
One advantage is that we can now instantly reject queries for things
like eivind.local. without having to ask the root servers where local.
is served.

Regards
Eivind Olsen



Question about some oddities in the logs

2011-02-21 Thread Eivind Olsen
Hello. I've recently put into production a new recursive nameserver, and
decided to take a look in the logfiles (the old servers didn't have
logging enabled so I can't really compare the current logs with whatever
the old ones would have been).
I understand most of the entries in the logs + statistics, but there's a
couple of things I'm not sure about - my hope is that someone here can
shed some light on these, and perhaps also tell me if it's expected to see
these in the wild.

The nameserver is running BIND 9.7.2-P3 btw, and yes I know 9.7.3 is out -
it will be upgraded soon.

We're not talking about query logging btw, only a fairly simple logging
channel:

channel default_debug {
    file "logs/named.run" versions 20 size 500m;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity dynamic;
};

Now, to the log entries (I've removed timestamps + IP-addresses):

1) notify: notice: client x.x.x.x#n: notify question section contains no SOA
Should I be seeing these normally? They only seem to make up a small part
of the full logfiles, still seeing a couple of thousand of these in just a
few days time.

2) security: info: client x.x.x.x#n: query (cache) './A/CH' denied
Not many of these either, but they still seemed a bit weird. Could they be
caused somehow by me running a slave of the root . defined as:
zone "." IN {
    type slave;
    file "slave/root.zone";
    masters {
        ...a couple of the root-servers.net servers
    };
    notify no;
};
I wouldn't expect that to be the cause though, as it's defined as class IN
and not CH.

3) And finally, in the normal statistics file, I see mention of some
RESERVED counters, but I haven't found any corresponding mention in the
logfiles.
For example, the Incoming Requests section lists the number of QUERY,
IQUERY, UPDATE etc, but it also lists a small number of RESERVED13 and
RESERVED14. The Incoming Queries lists a couple of RESERVED0, and
Outgoing Queries lists some RESERVED0 as well.
Should I expect to see these out in the wild? Or should I only really
worry if they're listed in bigger numbers?

Regards
Eivind Olsen


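An added example, not from the original post, that parses the line format produced by the logging channel shown above (print-time, print-category and print-severity all on) and counts the two oddities from the post per client. The log lines are constructed for the example, with RFC 5737 documentation addresses standing in for the customer IPs the poster removed.

```python
"""Count BIND 'notify question section contains no SOA' and denied CH-class
queries per client from a named.run style log. Added example; the sample
log below is constructed, not taken from the post."""
import re
from collections import Counter

# Matches "DD-Mon-YYYY HH:MM:SS.mmm category: severity: client IP#port: message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<msg>.*)$"
)

# "query (cache) './A/CH' denied" -> name ".", type "A", class "CH"
QUERY_DENIED_RE = re.compile(
    r"query \(cache\) '(?P<name>[^/]+)/(?P<rtype>[^/]+)/(?P<rclass>[^']+)' denied"
)

# Constructed sample: two clients, mixed with lines that should not count.
SAMPLE_LOG = """\
21-Feb-2011 10:02:11.101 notify: notice: client 192.0.2.10#3072: notify question section contains no SOA
21-Feb-2011 10:02:11.205 security: info: client 198.51.100.7#53: query (cache) './A/CH' denied
21-Feb-2011 10:02:12.010 notify: notice: client 192.0.2.10#3073: notify question section contains no SOA
21-Feb-2011 10:02:13.444 notify: info: client 203.0.113.9#53: received notify for zone 'example.net'
21-Feb-2011 10:02:14.020 security: info: client 198.51.100.7#53: query (cache) 'version.bind/TXT/CH' denied
21-Feb-2011 10:02:15.900 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'example.org/A/IN': 192.0.2.53#53
"""


def parse_line(line):
    """Return the named fields of one client-related log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed record as one of the post's oddities, or None."""
    msg = rec["msg"]
    if rec["category"] == "notify" and "contains no SOA" in msg:
        return "notify-without-soa"
    qm = QUERY_DENIED_RE.search(msg)
    if rec["category"] == "security" and qm and qm.group("rclass") == "CH":
        return "chaos-query-denied"
    return None


def summarize(log_text):
    """Return {label: Counter(client -> count)} over the lines that match."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # no "client" field (e.g. lame-servers lines): skip
        label = classify(rec)
        if label:
            summary.setdefault(label, Counter())[rec["client"]] += 1
    return summary


if __name__ == "__main__":
    for label, per_client in summarize(SAMPLE_LOG).items():
        print(label, dict(per_client))
```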


Re: $GENERATE for /8 networks

2011-02-17 Thread Eivind Olsen
 Is there a way I can use $GENERATE to generate PTR records for the whole
 of 10.0.0.0/8 in one line?

Disclaimer: I haven't ever really bothered with $GENERATE. But by reading
the BIND 9.7 ARM, it does seem to be aimed at doing the job for /24
segments, not /8.

Pre-generating a static list of PTR records for a /8 isn't too tricky, by
using any scripting language like Perl for example, although the generated
file will probably be somewhat large. Here's a mockup of such a script, to
give an example:

#!/usr/bin/env perl
use strict;
use warnings;

# Emit one PTR record per address in 10.0.0.0/8, written relative to the
# 10.in-addr.arpa origin, so the owner is the reversed host part "d.c.b".
my $network = 10;
for (my $bnet = 0; $bnet < 256; $bnet++) {
  for (my $cnet = 0; $cnet < 256; $cnet++) {
    for (my $dnet = 0; $dnet < 256; $dnet++) {
      print "${dnet}.${cnet}.${bnet} PTR ${network}-${bnet}-${cnet}-${dnet}.mynetwork.\n";
    }
  }
}

(no, I'll not pretend it's nice code or anything)

Regards
Eivind Olsen




Re: Delegation question

2011-02-04 Thread Eivind Olsen
 Actually I just found what caused it not to work ; I have forwarders
 set ; If I comment-out the forwarders line ; then everything work as
 it should
 Can't delegation work if forwarders are enabled?

Unless I'm misunderstanding something, it should work. Here's an extract
from the BIND 9.7 ARM, section 6.2.16.2:

"Forwarding occurs only on those queries for which the server is not
authoritative and does not have the answer in its cache."

How exactly had you configured forwarding in your named.conf file?

Regards
Eivind Olsen




Re: Delegation question

2011-02-04 Thread Eivind Olsen
 mel  A  192.168.0.3
 ; NS ad.domain.com

You are already defining an A record for mel. I'd try commenting that
one out when you put the NS line back in (and make sure to give that NS
line a name of its own then, since it can then no longer piggyback off the
previous line you've just commented out). You didn't mention whether you
already were commenting out the A record or not.

Check your logs to see if BIND complains about anything. Also try pushing
your zonefile through named-checkzone.

Regards
Eivind Olsen




Re: bind8 and bind9 installed on the same server: possible?

2011-02-01 Thread Eivind Olsen
 I plan to upgrade my nameservers from bind8 to bind9.
 I guess I will encounter some compatibility problems notably in the layout
 of the zone files

Depends how freaky the zonefiles were before. You could end up having to
_not_ change a thing except for a couple of changes in your named.conf.

 - can anybody give me the point of attention for this upgrade? Your
 experience will be appreciated.

Well, I don't know if there are any oddities to your setup. At the very
least, I'd recommend you run through your named.conf with
named-checkconf from BIND 9. If it's an option, you could copy your
named.conf + all the zonefiles etc to another server (or VM, zone, jail
etc) and try to load it there.

If you're running a pretty much standard authoritative server, it
shouldn't be too hard to get this to work with BIND 9.

 - is it possible to install bind9 without removing bind8 in order to could
 easily and quickly switch from bind8 to bind9 and vice versa?

As was suggested by others, if you compile from source it's easy to give
each version a specific directory to live in. If you on the other hand
like to go with some vendor supplied BIND for some operating system /
distribution, I guess it depends on how it's packaged etc.

Regards
Eivind Olsen




Re: IXFR and AXFR

2011-01-27 Thread Eivind Olsen
 At what time the slave executes AXFR and at what time it executes IXFR
 from the master?

Someone please correct me if I give misleading information. I don't
believe I am, but I've been wrong before :D

There's a good section about this in the ARM, such as BIND 9.7 ARM section
4.3 - Incremental Zone Transfers (IXFR).

Basically, a BIND 9 slave will normally ask for IXFR unless told not to
(request-ixfr).
A BIND 9 master can't always provide IXFR though - if it can't it will
provide AXFR instead. To be able to provide IXFR it needs to have some
idea of the changes being made, so it can give a meaningful reply when
asked to provide all changes since serial number X, so you'll normally
see IXFR being possible for dynamically updated zones (and a couple of
other cases, check the ARM).

Regards
Eivind Olsen




Re: bind Bind or BIND?

2011-01-26 Thread Eivind Olsen
 Yes, BIND is an acronym for Berkeley Internet Name Daemon.
 Berkeley Internet Name Domain.

Perhaps you're both right, sort of.

http://www.isc.org/software/bind/whatis :
"The name BIND stands for Berkeley Internet Name Daemon"

Wikipedia also mentions both versions of the name, on
http://en.wikipedia.org/wiki/BIND :
"The acronym of BIND is Berkeley Internet Name Domain in a technical paper
published in 1984. However, the most common acronym today and the one that
can be found on the ISC web site is Berkeley Internet Name Daemon."

Regards
Eivind Olsen




Re: Forward using CNAME record

2011-01-25 Thread Eivind Olsen
 www.example.com.   CNAME   web.me.com.
 When you point your browser to www.example.com (obviously not
 example) the page on web.me.com loads properly but www.example.com is
 still displayed in the address bar.

What happens in this case is: the web browser you use will connect to the
address of web.me.com but will present an HTTP Host header asking for
www.example.com. Depending on the configuration of the webserver on that
host, it may serve web pages from a default document root, which may or
may not be the same as web.me.com

 www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.
 If you go directly to ioanamorosan.tumblr.com, the site loads, but if
 you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. The
 browser still displays www.ioanamorosan.com in the address bar.

In this case, the webserver on ioanamorosan.tumblr.com doesn't know how to
deal with requests coming in for www.ioanamorosan.com and gives that error
message.
The administrators of the webserver could add a ServerAlias setting in
their Apache configuration, to put requests into the correct document
root.

Regards
Eivind Olsen




Re: Globally setting TTL

2011-01-25 Thread Eivind Olsen
 Is it possible to globally set (override) the default TTL for all zones
 and their subsequent records?

You're thinking about the authoritative zones you host? I am not aware of
any such setting, but it might be possible to use $INCLUDE in the
zonefiles and include a file which contains $TTL 86400 or whatever. Try
it and see if that works for you :D

Regards
Eivind Olsen




Re: service if s/up/down/g ipv6

2011-01-24 Thread Eivind Olsen
 http://pastebin.com/7Be9FavZ

That zonefile seems to be for fakessh.eu, and not for ovh.net.
Your initial problem was regarding IPv6 towards r13151.ovh.net ? If so,
that's the zonefile we'll need to look at.

Regards
Eivind Olsen




Re: Question when testing Caching Server with resperf

2011-01-24 Thread Eivind Olsen
 run with query 100-thousand - maximum throughput ~ 9000 - named process ~ 450 MB
 run with query 100-thousand - ran out query data errors
 run with query 3-millions - maximum throughput ~ 9000 - named process ~ 400 MB
 run with query 3-millions - maximum throughput ~ 16000 - named process ~ 500 MB

First, I know it's not what you asked for, but why only run with
100-thousand queries in the input? If I remember correctly, resperf builds
up gradually in speed towards 100,000 queries per second, unless you
override that speed-limit.

Now, on to what might be your issue. What kind of data do you query for?
Is it real external data, or data you ensure is already in the cache? Are
all the queries unique, or are there duplicates meaning the 1st query for
a specific name will have an empty cache and need to go external and the
2nd query for the same name will get a faster answer from the cache?
Did you flush the cache between tests?

Regards
Eivind Olsen




Re: dns best practices

2011-01-23 Thread Eivind Olsen
 Is there a document for dns & bind best practices?
 I googled but found nothing valuable.

I am not aware of one. The various books have some information which could
be called best practices.
There's some best practices RFCs, like:
Selection and Operation of Secondary DNS Servers
http://www.rfc-editor.org/rfc/rfc2182.txt
Domain Name System (DNS) IANA Considerations
http://www.rfc-editor.org/rfc/rfc5395.txt

(and probably others I've missed)

You didn't mention what you're planning to do with DNS & BIND, so it's a
bit tricky to say whether these apply to you or not. Running a resolving
nameserver is different from running for example a big dynamic DNS
service, etc.
Describe what you're planning to do, and it will be much easier to chip in
with some advice.

The general non-specific advice will probably apply in most/all cases though:
- run a somewhat recent version of BIND
- set up some logging, and watch the logs. Depending on your needs, you
might not (or perhaps you do?) need full query logging etc.
- remember that DNS is using both UDP and TCP port 53, and EDNS0 allows
for bigger UDP packets as well. And don't limit BIND to a specific port
for external (outbound) queries

Regards
Eivind Olsen




Re: service if s/up/down/g ipv6

2011-01-22 Thread Eivind Olsen
 administrators bind. How is it necessary to have a secondary dns server
 ipv6 in to establish a connection ipv6. I like ipv6 me and one of
 someone else  yet I can not properly establish connections ipv6 I do not
 even know if I r13151.ovh.net answer properly in ipv6

I'm not 100% sure I understand the question.
I don't see any AAAA record for r13151.ovh.net, only a normal IPv4 A record:

Eivind-mac:~ eivind$ dig +short a r13151.ovh.net
87.98.186.232
Eivind-mac:~ eivind$ dig +short AAAA r13151.ovh.net
Eivind-mac:~ eivind$

Regards
Eivind Olsen




DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Eivind Olsen
Hello.

I seem to remember seeing something about DNSSEC validation not working
when a BIND server is used both to serve the DNSSEC signed zone
authoritatively, and as a resolver? Unfortunately, I haven't managed to
find this information again, and now I'm wondering if it was all in my
head.

(Yes, I know it's best practice to combine the authoritative + recursive
functionality)

Is my mind playing tricks with me?

Regards
Eivind Olsen




Re: DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Eivind Olsen
(Resending it here, didn't mean to reply just to you Alan)

 On 1/6/2011 3:38 AM, Eivind Olsen wrote:
 (Yes, I know it's best practice to combine the authoritative + recursive
 functionality)
 [...] it's NOT best [...]

Yep, I knew that. Embarrassing of me to miss that slightly important
NOT-word :D

Thankfully I haven't mixed DNSSEC into this yet, and this has given me yet
another reason to keep authoritative + recursive functions separate.

Regards
Eivind Olsen



Re: Controlling many DNS servers using rndc

2011-01-04 Thread Eivind Olsen
 What is the best approach to control 100s of DNS servers using rndc ?
 All these servers run BIND 9.3.x and are unix hosts.

 I was thinking about a script which does a ssh to each of these hosts
 in sequence and execute 'rndc command'. But I was looking for much
 more efficient/parallel way to do this..

Depends, really. rndc itself can work remotely, but that might not be an
option in all networks.

Regards
Eivind Olsen




Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-28 Thread Eivind Olsen
 trying to resolve www.microsoft.com or microsoft.com results in a
 connection timed out; no servers could be reached

Well, for what it's worth - it's not just you having that issue. When
testing from home and from work I get the same.

Of course, I could be doing something wrong, but whenever I see an error I
like to imagine it's somebody else's fault :D

One of the nameservers for microsoft.com is ns1.msft.net with an IP
address of 65.55.37.62. For some reason the response I get from it is
truncated, and retrying using TCP doesn't work. Using EDNS0 also doesn't
seem to work, I get FORMERR back:


[eiv...@vimes ~]$ /usr/local/bin/dig any microsoft.com @65.55.37.62
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.2-P2 <<>> any microsoft.com @65.55.37.62
;; global options: +cmd
;; connection timed out; no servers could be reached
[eiv...@vimes ~]$ /usr/local/bin/dig +edns=0 any microsoft.com @65.55.37.62

; <<>> DiG 9.7.2-P2 <<>> +edns=0 any microsoft.com @65.55.37.62
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 6660
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;microsoft.com.			IN	ANY

;; Query time: 205 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Tue Dec 28 09:10:55 2010
;; MSG SIZE  rcvd: 42

[eiv...@vimes ~]$

Doing queries that give shorter answers work fine - look at these, notice
the big (but still small enough) TXT reply, and then see how it fails on a
query for any:

[eiv...@vimes ~]$ /usr/local/bin/dig +short any www.microsoft.com @65.55.37.62
toggle.www.ms.akadns.net.
[eiv...@vimes ~]$ /usr/local/bin/dig +short mx www.microsoft.com @65.55.37.62
toggle.www.ms.akadns.net.
[eiv...@vimes ~]$ /usr/local/bin/dig +short mx microsoft.com @65.55.37.62
10 mail.messaging.microsoft.com.
[eiv...@vimes ~]$ /usr/local/bin/dig +short txt microsoft.com @65.55.37.62
"v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com ip4:131.107.115.212 ip4:131.107.115.215 ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 ~all"
"FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="
[eiv...@vimes ~]$ /usr/local/bin/dig +short any microsoft.com @65.55.37.62
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached
[eiv...@vimes ~]$


And in general, I don't have problems with EDNS0 or using TCP to look up
other domains with big replies, for example I can use both both of these
commands just fine:

/usr/local/bin/dig +edns=0 any se. @a.ns.se
/usr/local/bin/dig +vc any se. @a.ns.se

So, to recap: at the risk of showing what a fool I am by doing something
completely wrong here, I'm betting Microsoft has messed up their DNS - I
would have expected queries over TCP to work, and I would not have
expected EDNS to give a FORMERR (but ok, if a nameserver doesn't implement
EDNS, giving a FORMERR is apparently the right thing to do).




Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010-12-28 Thread Eivind Olsen
 works fine for me on linux and Solaris.

In my case it's using FreeBSD and Solaris.

The problem might be related to where you do queries from?

Anyway, I tried some other nameservers / looking glass sites, like these
- I can't vouch for how good they normally are, but these were ones I
found when searching for dns looking glass:

http://looking-glass.taide.net/
I can look up other domains fine, but when looking up microsoft.com it
comes back with: connection timed out; no servers could be reached

http://ipdnstools.com/
It times out when I do a Get DNS Records query for microsoft.com

When testing for yourself, please keep in mind that limited queries seem
to work fine (like, asking for A records, or MX), but doing any-queries
which give everything seems to fail.

Regards
Eivind Olsen




Re: Help with the subzone problem

2010-11-25 Thread Eivind Olsen
 But F5's 3DNS can't set up the NS records for games.abc.com.
 That means, when query to:
 dig games.abc.com ns @ns1.example.com
 get nothing.

I'm not familiar with F5's 3DNS, but in general I'd expect the query you
made above to work. Do you get _any_ response from ns1.example.com? If you
query it directly with dig, asking for www.games.abc.com, or asking for
the SOA record of games.abc.com?

If you can't get an answer out of that F5 thingie, I'd at least start by
looking there.

If you could give us the real names, we could also check the delegation of
the domain, and we could check that we got sensible answers from your
authoritative nameservers for both abc.com and games.abc.com.

Regards
Eivind Olsen



Integrating BIND9 with external graphing like Cacti

2010-10-13 Thread Eivind Olsen
Has anyone here made use of the XML statistics interface in BIND9, to get
some numbers into Cacti (or another similar tool)? If so, how, and which
numbers did you feel were worth turning into graphs?

Regards
Eivind Olsen




Re: Performance hit on Query logging

2010-10-07 Thread Eivind Olsen

--On 7 October 2010 14:15:37 -0500 CT gro...@obsd.us wrote:

1) How do I determine the number of threads BIND is currently using?
per the man page


You could check the syslog, or use rndc:

vimes# /usr/local/sbin/rndc status
version: 9.7.1-P2
CPUs found: 1
worker threads: 1
...



2) What is the preferred way to determine named utilization ?
Are there measurable impacts to Query response not reflected in CPU load,
Memory or IO?


Not sure what you're after. Parameters to measure? Latency / response time?

Regards
Eivind Olsen


