Re: Split Delegation IP Reverse

2010-11-23 Thread Jonathan Petersson
You could CNAME the records to another PTR domain maintained by the
third server.

230.0.168.192.in-addr.arpa is an alias for 230.0-28.0.168.192.in-addr.arpa
230.0-28.0.168.192.in-addr.arpa domain name pointer host.domainname

On Tue, Nov 23, 2010 at 10:43 PM, Wilbert J. Rojas O.
wro...@ideay.net.ni wrote:
 Hi,

 Hello!

 My scenario is as follows:

 I have the network 192.168.0.0/24, whose reverse zone is managed by my primary
 DNS server, and any updates to the reverse of an IP are propagated to a second
 DNS server, which is a slave.

 Well my question is:

 Suppose I have a third server that will manage DNS, but only part of the
 reverse IP block that my two DNS servers serve; say that this third server
 must manage the reverse DNS for the network 192.168.0.230/28 only.

 How could you do this?

 Ing. Wilbert J. Rojas O. |Equipos y Sistemas, S.A.
 Administrador de Sistemas.
 Colegio Centro América 60 mts al norte. | Managua, Nicaragua
 wro...@ideay.net.ni | Tel.:+505 2277-4000 Ext.115|Fax: +505 2277-4411

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

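The aliasing Jonathan describes is the RFC 2317 classless in-addr.arpa delegation: the owner of the /24 reverse zone delegates a sub-zone to the third server and points each address's PTR name at that sub-zone with a CNAME. The script below is an added example for this thread, not code from the list or from ISC. It generates the parent-zone fragment (NS delegation plus one CNAME per address), the child zone the third server loads, and then follows the chain the way a resolver would. Its naming and values are assumptions: the child zone uses the RFC 2317 "first-last" label (224-239.0.168.192.in-addr.arpa) rather than the "0-28" label in the host output above, the /28 containing .230 is normalised to 192.168.0.224/28, and ns3.domainname and host.domainname are placeholders.

```python
import ipaddress


def reverse_names(net):
    """Parent in-addr.arpa zone and the RFC 2317 child zone ("first-last" label) for an IPv4 block."""
    o1, o2, o3, first = net.network_address.packed
    last = net.broadcast_address.packed[3]
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    return parent, f"{first}-{last}.{parent}"


def rfc2317_delegation(cidr, child_ns, ttl=3600):
    """Records the /24 owner adds: NS delegation of the child zone plus one CNAME per address.

    cidr: block the third server is responsible for; host bits are cleared, so
          192.168.0.230/28 becomes 192.168.0.224/28.
    child_ns: name servers (FQDNs) of the third server(s).
    Returns (zone fragment as text, child zone name).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation applies to IPv4 blocks smaller than a /24")
    parent, child = reverse_names(net)
    lines = [f"; delegation of {net} to {', '.join(child_ns) or '(no NS given)'}"]
    for ns in child_ns:
        lines.append(f"{child}\t{ttl}\tIN\tNS\t{ns}")
    for addr in net:
        host = addr.packed[3]
        lines.append(f"{host}.{parent}\t{ttl}\tIN\tCNAME\t{host}.{child}")
    return "\n".join(lines), child


def rfc2317_child_records(cidr, ptr_map, ttl=3600):
    """PTR records the third server loads in the child zone. ptr_map: {address: hostname}."""
    net = ipaddress.ip_network(cidr, strict=False)
    _, child = reverse_names(net)
    lines = [f"$ORIGIN {child}"]
    for ip, name in sorted(ptr_map.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {net}")
        lines.append(f"{addr.packed[3]}\t{ttl}\tIN\tPTR\t{name}")
    return "\n".join(lines)


def resolve_ptr(ip, parent_text, child_text):
    """Follow the chain a resolver would: reverse name -> CNAME in the parent -> PTR in the child.

    Returns (PTR target or None, list of names visited).
    """
    records, origin = {}, ""
    for text in (parent_text, child_text):
        for line in text.splitlines():
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
                continue
            if not line or line.startswith(";"):
                continue
            owner, _ttl, _cls, rtype, rdata = line.split("\t")
            if not owner.endswith("."):
                owner = f"{owner}.{origin}"   # relative owner inside the child zone
            records.setdefault(owner, []).append((rtype, rdata))
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    chain = [name]
    for rtype, rdata in records.get(name, []):
        if rtype == "CNAME":
            name = rdata
            chain.append(name)
            break
    for rtype, rdata in records.get(name, []):
        if rtype == "PTR":
            return rdata, chain
    return None, chain


if __name__ == "__main__":
    parent, child = rfc2317_delegation("192.168.0.230/28", ["ns3.domainname."])
    child_zone = rfc2317_child_records("192.168.0.230/28", {"192.168.0.230": "host.domainname."})
    print(parent)
    print(child_zone)
    print(resolve_ptr("192.168.0.230", parent, child_zone))
```

The parent fragment goes into the 0.168.192.in-addr.arpa zone on the primary (and reaches the slave by normal zone transfer); only the child zone lives on the third server, so the primary never has to know individual PTR contents for that block.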


Re: How does BIND 9 scale with multithreading?

2010-09-30 Thread Jonathan Petersson
1 QuadCore Intel i7 920 on Fedora 11 x86_64 (can't remember the exact
kernel version) with and without hyperthreading and overclocked
ranging between 2.8 and 3.4GHz

On Thu, Sep 30, 2010 at 2:03 PM, Matus UHLAR - fantomas
uh...@fantomas.sk wrote:
 On 29.09.10 10:43, Jonathan Petersson wrote:
 I did some benchmarking on this about 1.5 yrs ago, here's a graph
 representing the results: http://sedoss.com/bind.png

 on how many processors was this run?
 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 To Boot or not to Boot, that's the question. [WD1270 Caviar]



Re: How does BIND 9 scale with multithreading?

2010-09-29 Thread Jonathan Petersson
I did some benchmarking on this about 1.5 yrs ago, here's a graph
representing the results: http://sedoss.com/bind.png

On Wed, Sep 29, 2010 at 10:37 AM,  philippe.simo...@swisscom.com wrote:
 Hi

 I read that 'old' BIND versions were better when threading was disabled; load
 balancing between 2 processes was better. Is this always the case?
 http://zaphods.net/~zaphodb/high-performance-bind9.html

 some interesting links for DNS performance :
 http://kb.linuxvirtualserver.org/wiki/Building_Scalable_DNS_Cluster_using_LVS
 https://lists.isc.org/pipermail/bind-users/2006-September/063917.html

 Philippe



 -Original Message-
 From: bind-users-bounces+philippe.simonet=swisscom@lists.isc.org
 [mailto:bind-users-bounces+philippe.simonet=swisscom@lists.isc.org]
 On Behalf Of Eivind Olsen
 Sent: Wednesday, September 29, 2010 09:56
 To: bind-us...@isc.org
 Subject: How does BIND 9 scale with multithreading?

 Does anyone know if there are any benchmarks out in the public, which
 could give some insight into how well BIND 9 scales with multithreading?
 I've tried looking on this list, and googling, but haven't found anything
 yet.

 To be a bit more specific - I'm not sure what a good option for server
 hardware would be for a recursive DNS server. On one hand, the Sun (ok,
 Oracle) Niagara/Coolthreads architecture seems to work nicely enough, but
 maybe I'd be better off with some generic Intel/AMD based solution with
 fewer threads/cores but higher GHz per thread?

 Regards
 Eivind Olsen




Re: refuse in notify slave

2009-10-21 Thread Jonathan Petersson
The easiest workaround for this is either to use views or TSIG keys.

/Jonathan

On Thu, Oct 22, 2009 at 6:56 AM, Nelson Serafica ntseraf...@gmail.com wrote:
 I have multiple IP addresses on my primary NS server (eth0, eth0:1,
 eth0:2). Let's say eth0 is 1.2.3.4, eth0:1 is 2.3.4.5 and eth0:2 is 3.4.5.6.
 I have a slave NS server, but every time I do rndc reload and check the secondary
 NS in syslog, I see

 refused notify from non-master: 1.2.3.4#48499

 where 1.2.3.4 is the IP of eth0. Is it possible for the IP address that is
 sent to the slave to be 4.5.6.7 (eth0:2) and not 1.2.3.4 (eth0)?



Internal whois server

2009-08-10 Thread Jonathan Petersson
Hi all,

This is probably somewhat of an un-legit way of using whois, but I'm
curious as to whether it would be possible to install an internal
whois server that responds with the appropriate prefix data upon
request for internal IP numbers/domains while forwarding unknown
requests to external whois servers.

Has anyone done a similar implementation, or does anyone know what kind of
software could be used to achieve this?

Thanks

/Jonathan


Re: Scale BIND over multiple kernels effectively

2009-05-03 Thread Jonathan Petersson
Before I start digging into the kernel-options for my distro does
anyone know if there's been any changes between 2.6.28 and 2.6.29 that
would decrease BIND performance? I'm seeing a 55% decrease going to
2.6.29.

/Jonathan

2009/4/30 JINMEI Tatuya / 神明達哉 jinmei_tat...@isc.org:
 At Thu, 30 Apr 2009 15:41:03 -0700,
 Jonathan Petersson jpeters...@garnser.se wrote:

 in light of this, is it possible to tell BIND how many threads it
 should utilize, or is it an ALL-or-ONE case?

 Do you mean the -n command line option?

 usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
 [-p port] [-s] [-t chrootdir] [-u username]
 [-m {usage|trace|record|size|mctx}]

 ---
 JINMEI, Tatuya
 Internet Systems Consortium, Inc.



Re: named daemon hangs

2009-05-02 Thread Jonathan Petersson
Could you please provide a copy of your config, I'm guessing that you
have a general forwarder in place or haven't turned on recursion.

/Jonathan

On Sat, May 2, 2009 at 8:06 AM, Nelson Vale nelsonduv...@gmail.com wrote:
 Hi all,


 I've been facing a problem in my private network which I have not been able to
 fix yet.

 In my gateway (linux debian alike) I have bind 9.5 installed and running,
 and I have one IPSec tunnel to another gateway over the internet. It also
 has configured a forward zone with the name server being the other gateway
 internal address (accessibly through the IPSec tunnel only).

 Recently the other IPSec endpoint was shut down and, of course, my queries to
 the forward domain started failing. Nothing strange here...

 The real problem is that I suddenly was not able to resolve any other DNS
 queries, like www.google.com, from inside my network:

 host www.google.com
 ;; connection timed out; no servers could be reached

 I took a look at the named daemon and I see that it does not respond to
 anything as long as the IPSec tunnel is down, but only if it's the other
 endpoint that is down. I've tried stopping my endpoint and this problem does
 not occur as long as I restart named. I think this happens because as long
 as my endpoint is up the routes to the other endpoint are set, and named
 tries to query the forward domain name server. The problem is that the
 queries do not time out and named hangs there:

 The configuration I have is:

 Bind: BIND 9.5.0-P2
 IP Address (private): 192.168.9.254
 Forwarders: ADSL provider (2 forwarders)
 Forward Zone: mylan.loc
 Name Server:192.168.90.254


 After it starts, if I try to query one of the forward zone records
 (box.mylan.loc) it displays:

 ...
 02-May-2009 14:22:21.843 socket 0xb7bd5548: dispatch_recv:  event 0xb7be3d28
 - task 0xb7b74d18
 02-May-2009 14:22:21.844 socket 0xb7bd5548: internal_recv: task 0xb7b74d18
 got event 0xb7bd559c
 02-May-2009 14:22:21.844 socket 0xb7bd5548 192.168.9.2#47869: packet
 received correctly
 02-May-2009 14:22:21.844 socket 0xb7bd5548: processing cmsg 0xb7bb2120
 02-May-2009 14:22:21.844 client 192.168.9.2#47869: UDP request
 02-May-2009 14:22:21.844 client 192.168.9.2#47869: using view '_default'
 02-May-2009 14:22:21.845 client 192.168.9.2#47869: request is not signed
 02-May-2009 14:22:21.845 client 192.168.9.2#47869: recursion available
 02-May-2009 14:22:21.845 client 192.168.9.2#47869: query
 02-May-2009 14:22:21.845 client 192.168.9.2#47869: ns_client_attach: ref = 1
 02-May-2009 14:22:21.845 client 192.168.9.2#47869: query (cache)
 'box.mylan.loc/A/IN' approved
 02-May-2009 14:22:21.845 client 192.168.9.2#47869: replace
 02-May-2009 14:22:21.845 clientmgr @0xb7baa608: createclients
 02-May-2009 14:22:21.846 clientmgr @0xb7baa608: recycle
 02-May-2009 14:22:21.846 createfetch: box.mylan.loc A
 02-May-2009 14:22:21.846 fctx 0xb7bae408(box.mylan.loc/A'): create
 02-May-2009 14:22:21.846 fctx 0xb7bae408(box.mylan.loc/A'): join
 02-May-2009 14:22:21.846 fetch 0xb7bb4148 (fctx
 0xb7bae408(box.mylan.loc/A)): created
 02-May-2009 14:22:21.846 client @0xb7bda008: udprecv
 02-May-2009 14:22:21.846 socket 0xb7bd5548: socket_recv: event 0xb7bd4b48 -
 task 0xb7bb1690
 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): start
 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): try
 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): cancelqueries
 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): getaddresses
 02-May-2009 14:22:21.847 findaddrinfo: new entry 0xb7aec4a0
 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): query
 02-May-2009 14:22:21.848 socket 0xb7b79938: created
 02-May-2009 14:22:21.848 socket 0xb7b79938 0.0.0.0#43841: bound
 02-May-2009 14:22:21.848 dispatchmgr 0xb7bbb168: created UDP dispatcher
 0xb7b6d378
 02-May-2009 14:22:21.848 dispatch 0xb7b6d378: created task 0xb7b74d70
 02-May-2009 14:22:21.848 dispatch 0xb7b6d378: created socket 0xb7b79938
 02-May-2009 14:22:21.848 resquery 0xb7b80008 (fctx
 0xb7bae408(box.mylan.loc/A)): send
 02-May-2009 14:22:21.849 dispatch 0xb7b6d378 response 0xb7ba7848
 192.168.90.254#53: attached to task 0xb7b6f2c8
 02-May-2009 14:22:21.849 socket 0xb7b79938: socket_recv: event 0xb7b81698 -
 task 0xb7b74d70


 and it hangs here forever. Even if I restart the named server it does not
 respond to any of my queries. If I stop the named server with Ctrl + C it
 displays:

 ...
 ^C02-May-2009 14:23:46.773 socket.c:1226: unexpected error:
 02-May-2009 14:23:46.773 internal_send: 192.168.90.254#53: Interrupted
 system call should be restarted
 02-May-2009 14:23:46.774 errno2result.c:111: unexpected error:
 02-May-2009 14:23:46.774 unable to convert errno to isc_result: 85:
 Interrupted system call should be restarted
 02-May-2009 14:23:46.774 resquery 0xb7b80008 (fctx
 0xb7bae408(box.mylan.loc/A)): sent
 02-May-2009 14:23:46.774 resquery 0xb7b80008 (fctx
 0xb7bae408(box.mylan.loct/A)): senddone
 02-May-2009 14:23:46.774 fctx 

Re: Scale BIND over multiple kernels effectively

2009-04-30 Thread Jonathan Petersson
Thanks for the feedback,

 2 threads on 2 core: 45kqps
 4 threads on 4 core: 108kqps
 8 threads on 4 core + HT: 75kqps
 16 threads on 8 core + HT: 35kqps

 correct?

yes

in light of this, is it possible to tell BIND how many threads it
should utilize, or is it an ALL-or-ONE case?

/Jonathan


Re: approach on parsing the query-log file

2009-04-29 Thread Jonathan Petersson
Thanks for the tip, however the main problem that I'm seeing is that
perl + MySQL become a bottleneck if this approach were to be used. I
ran some tests yesterday showing that caching 500k rows in a variable
and sending them to MySQL was 10 times as effective (90k vs 9k) as doing
individual writes.

I guess I could create an internal buffer in the script caching the
last X messages based on a dynamic variable that adapts to
the query flow and then creates a fork that writes them to the DB.

/Jonathan

On Wed, Apr 29, 2009 at 12:44 AM, Chris Dew cms...@googlemail.com wrote:
 You may be interested in using circular buffers, instead of a log file.

 http://www.finalcog.com/replace-logs-emlog-circular-buffer

 I've used emlog successfully in the past and been very pleased with
 its performance.

 Hope this is useful.

 Chris.

 2009/4/29 Scott Haneda talkli...@newgeo.com:
 I have read the other posts here, and it looks like you are settling on tail,
 or a pipe, but that log rotation is causing you headaches.

 I have had to deal with things like this in the past, and took a different
 approach.  Here are some ideas to think about.

 Since you mentioned below you wanted this in real time, and that parsing an
 old log file is out, what about setting up a second log in named, of the
 same data, but do not rotate the log at all?

 This gives you a log that you can run tail on.  It probably is going to grow
 too large.  I solved this for a different server in the past, by telling the
 log that was a clone to be limited in size.  In this way, it was not
 rolled out, but rather, truncated.

 I am not sure how named would do this.  If it will not truncate it, you can
 write a small script to do it for you.  Now that you have a log that is
 maintained at a fixed size that is manageable, you can do your tail business
 on it.

 I also seem to remember, tail has some flags that may help you with dealing
 with the log rotation issues.  I only remember them vaguely, as they were not
 applicable to what I was doing at the time.

 Hope this helps some.

 On Apr 27, 2009, at 10:26 PM, Jonathan Petersson wrote:

 Hi all,

 I'm thinking of writing a quick tool to archive the query-log in a
 database to allow for easier reports.

 The obvious question that occurs is: what would be the best
 approach to do this?

 Running scripts that parse through the query-log would cause locking,
 essentially killing BIND on a heavily loaded server, and only parsing
 archived files wouldn't allow real-time information; also, re-parsing
 the same set of data over and over again until the log has rotated
 would cause unnecessary I/O load. I'm guessing the best would be to
 have BIND write directly to a script that dumps the data wherever it
 makes sense to.

 I've used BIND statistics and found it highly useful but then again it
 doesn't allow me to make breakdowns based on host/query.

 If anyone has done something like this or has pointers on how this
 could be achieved, any information is welcome!

 --
 Scott * If you contact me off list replace talklists@ with scott@ *





 --

 http://www.finalcog.com/


Re: request timeout

2009-04-28 Thread Jonathan Petersson
IIRC it's 3 seconds.

On Tue, Apr 28, 2009 at 12:42 AM, Jeff Pang hostmas...@duxieweb.com wrote:
 When a BIND requests another BIND for name resolution, what's the
 timeout value for this request?
 I mean, after how many seconds of the peer BIND not answering will this BIND
 give up the query?

 Thanks.
 Regards.




Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
The problem I'm seeing with this is that we'll get data that may be
inconsistent. Just because a query is sent to a server doesn't mean
that there's a name server there to answer; I believe querying the
log file one way or another would give a more accurate picture of load
etc.

On Tue, Apr 28, 2009 at 2:33 AM, Chris Buxton cbux...@menandmice.com wrote:
 On Apr 28, 2009, at 5:26 AM, Jonathan Petersson wrote:

 Hi all,

 I'm thinking of writing a quick tool to archive the query-log in a
 database to allow for easier reports.

 If it were me, I would turn off query logging and use a packet sniffer.

 Chris Buxton
 Professional Services
 Men & Mice




Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
I don't think the cost is that great having query logging enabled:
running the same test using dnsperf there's a 43% performance increase,
but 70 000 queries per second is still acceptable with query logging
enabled.

/Jonathan

On Tue, Apr 28, 2009 at 10:05 AM, Alan Clegg alan_cl...@isc.org wrote:
 Jonathan Petersson wrote:
 So I gave tail a try in perl both via File::Tail and by putting tail
 -f in a pipe.

 As was stated previously in this thread, you are going down a bad path
 by using query-log for any purpose beyond short debugging sessions.

 The loss in performance is rather painful.

 The use of a network sniffing package is much preferable.

 [Just to see, try running your million queries with and without query
 logging turned on and see if you are happy with the results]

 But, if that's what you want to do, I wish you luck.

 AlanC





Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
I did try to run the following option:
syslog named;

but when matching on named.* in syslog.conf there's no output.

/Jonathan

2009/4/28 JINMEI Tatuya / 神明達哉 jinmei_tat...@isc.org:
 At Tue, 28 Apr 2009 10:01:02 -0700,
 Jonathan Petersson jpeters...@garnser.se wrote:

 So I gave tail a try in perl, both via File::Tail and by putting tail
 -f in a pipe. Neither seems to be handling the log rotation well. In my
 case I'm running a test sending 1 million queries; half of those are
 picked up by File::Tail if you define how often it should re-read the
 file, but using tail -f straight or File::Tail without arguments just
 stops once the log has rotated, as it doesn't seem to figure out to
 continue onto the new file.

 I've never tried it, but how about letting named dump log messages to
 syslog, and letting syslogd forward all messages to a separate process
 via a pipe (assuming your syslogd supports that)?

 ---
 JINMEI, Tatuya
 Internet Systems Consortium, Inc.



Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
Ah, i.e. I'm using an incorrect log facility... that would explain things.

Either way, I did try to parse tcpdump for queries; the problem I'm
getting is that perl isn't the best option for this, so I'm going to
look into whether things could get sped up with python or something.

/Jonathan

2009/4/28 Jeremy C. Reed jeremy_r...@isc.org:
 On Tue, 28 Apr 2009, Jonathan Petersson wrote:

 I did try to run the following option:
 syslog named;

 syslog should define a syslog facility.

 Look in the openlog, syslog and/or syslog.conf manual pages to see lists
 of facilities. The ARM says:   The syslog destination clause directs the
 channel to the system log. Its argument is a syslog facility as described
 in the syslog man page. Known facilities are kern, user, mail, daemon,
 auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1,
 local2, local3, local4, local5, local6 and local7, however not all
 facilities are supported on all operating systems.

 but when matching on named.* in syslog.conf there's no output.



Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
After feedback and running some tests today I've found that the most
cost-effective approach as far as performance goes is to use the
native querylog and rotate it often enough to have as live data as
possible.

Some quick notes (all tests done with perl):
- Parse the querylog 500 000k queries: 3 seconds
- Parse tcpdump while running 1 million queries: 300k picked up the
rest lost due to too high CPU load

I haven't tried to pipe the querylog through stderr, but it feels like that
could look a bit ugly; running something that is more layered is
favored.

At this point I'll have to sacrifice real-time data; parsing the
querylog is the most efficient way as I see it based on my tests.

Thanks for all the feedback on this, I'll publish my code once I'm finished.

/Jonathan

On Tue, Apr 28, 2009 at 5:24 PM, Scott Haneda talkli...@newgeo.com wrote:
 I have read the other posts here, and it looks like you are settling on tail,
 or a pipe, but that log rotation is causing you headaches.

 I have had to deal with things like this in the past, and took a different
 approach.  Here are some ideas to think about.

 Since you mentioned below you wanted this in real time, and that parsing an
 old log file is out, what about setting up a second log in named, of the
 same data, but do not rotate the log at all?

 This gives you a log that you can run tail on.  It probably is going to grow
 too large.  I solved this for a different server in the past, by telling the
 log that was a clone to be limited in size.  In this way, it was not
 rolled out, but rather, truncated.

 I am not sure how named would do this.  If it will not truncate it, you can
 write a small script to do it for you.  Now that you have a log that is
 maintained at a fixed size that is manageable, you can do your tail business
 on it.

 I also seem to remember, tail has some flags that may help you with dealing
 with the log rotation issues.  I only remember them vaguely, as they were not
 applicable to what I was doing at the time.

 Hope this helps some.

 On Apr 27, 2009, at 10:26 PM, Jonathan Petersson wrote:

 Hi all,

 I'm thinking of writing a quick tool to archive the query-log in a
 database to allow for easier reports.

 The obvious question that occurs is: what would be the best
 approach to do this?

 Running scripts that parse through the query-log would cause locking,
 essentially killing BIND on a heavily loaded server, and only parsing
 archived files wouldn't allow real-time information; also, re-parsing
 the same set of data over and over again until the log has rotated
 would cause unnecessary I/O load. I'm guessing the best would be to
 have BIND write directly to a script that dumps the data wherever it
 makes sense to.

 I've used BIND statistics and found it highly useful but then again it
 doesn't allow me to make breakdowns based on host/query.

 If anyone has done something like this or has pointers on how this
 could be achieved, any information is welcome!

 --
 Scott * If you contact me off list replace talklists@ with scott@ *




Re: stop zone transfers from coming in

2009-04-28 Thread Jonathan Petersson
I would honestly look for a typo, since you're saying that it does work
for some. Either way, unless the admin turns it off you will get
zone transfers; the question lies in whether your name server accepts
them and propagates them down.

Check in the log for transfer or notification refusals and make sure
that you don't have any global variables that could cause issues.

/Jonathan

On Tue, Apr 28, 2009 at 9:38 PM, Chris Henderson henders...@gmail.com wrote:
 My server works as a secondary for a zone. I asked the master server's
 admin to stop the zone transfer; I didn't get any reply and thus
 commented out the zone's section in my named.conf. But I'm still
 getting zone files coming in to my server.

 Here is what I have commented out:

 #  zone example.com {
 #       type slave;
 #       file extra/example.com;
 #        masters {
 #               xxx.xxx.xx.xx;
 #       };
 #  };

 I commented out for some other zones as well and they have stopped
 coming but not this one.
 How do I stop this?

 Thanks.



approach on parsing the query-log file

2009-04-27 Thread Jonathan Petersson
Hi all,

I'm thinking of writing a quick tool to archive the query-log in a
database to allow for easier reports.

The obvious question that occurs is: what would be the best
approach to do this?

Running scripts that parse through the query-log would cause locking,
essentially killing BIND on a heavily loaded server, and only parsing
archived files wouldn't allow real-time information; also, re-parsing
the same set of data over and over again until the log has rotated
would cause unnecessary I/O load. I'm guessing the best would be to
have BIND write directly to a script that dumps the data wherever it
makes sense to.

I've used BIND statistics and found it highly useful but then again it
doesn't allow me to make breakdowns based on host/query.

If anyone has done something like this or has pointers on how this
could be achieved, any information is welcome!

Thanks

/Jonathan
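Since the thread ends up (in Jonathan's summary further up and in this original post) parsing the native query log into a database with batched writes, here is an added example of the pieces in Python. It is my own illustration for this archive, not Jonathan's published code and not part of BIND: a regex for the `query:` line shape BIND 9 logs (with or without the view name and trailing server address), a SQLite ingest that buffers rows and writes them with one executemany per batch_size rows, and the per-client and per-name breakdowns the post asks for. The log lines are constructed for the example; the schema, the batch size and the in-memory database are assumptions.

```python
import re
import sqlite3

# Shape of a BIND 9 "query" category log line, e.g.
#   28-Apr-2009 10:01:02.101 client 192.168.1.10#53124: query: www.example.com IN A +
# Newer versions insert "view <name>:" and append "(<server address>)"; both are optional here.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view (?P<view>\S+): )?query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample, not a real server's log; the last line is deliberately not a query line.
SAMPLE_LOG = """\
28-Apr-2009 10:01:02.101 client 192.168.1.10#53124: query: www.example.com IN A +
28-Apr-2009 10:01:02.105 client 192.168.1.10#53125: query: www.example.com IN AAAA +
28-Apr-2009 10:01:02.220 client 192.168.1.11#40001: query: mail.example.com IN MX +
28-Apr-2009 10:01:03.001 client 192.168.1.10#53126: query: ns1.example.net. IN A -
28-Apr-2009 10:01:03.400 client 2001:db8::5#1025: view internal: query: WWW.example.com IN A + (192.168.1.1)
28-Apr-2009 10:01:03.900 client 192.168.1.12#2000: notify: this is not a query line
"""

SCHEMA = """CREATE TABLE IF NOT EXISTS queries (
    ts TEXT, client TEXT, port INTEGER, view TEXT,
    qname TEXT, qclass TEXT, qtype TEXT, flags TEXT)"""
INSERT = "INSERT INTO queries VALUES (?, ?, ?, ?, ?, ?, ?, ?)"


def parse_line(line):
    """Fields of one query-log line, or None for anything else (other categories, rotation noise)."""
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()   # normalise so breakdowns group properly
    return rec


def ingest(lines, conn, batch_size=500):
    """Parse lines and store them in batches (one executemany per batch_size rows).

    Returns (rows stored, lines skipped).
    """
    conn.execute(SCHEMA)
    batch, stored, skipped = [], 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        batch.append((rec["ts"], rec["ip"], rec["port"], rec["view"],
                      rec["qname"], rec["qclass"], rec["qtype"], rec["flags"]))
        if len(batch) >= batch_size:
            conn.executemany(INSERT, batch)
            conn.commit()
            stored += len(batch)
            batch = []
    if batch:                                   # flush the partial last batch
        conn.executemany(INSERT, batch)
        conn.commit()
        stored += len(batch)
    return stored, skipped


def breakdown(conn, column, limit=5):
    """Top-N counts by client, qname or qtype; the column name is whitelisted, never taken from input."""
    if column not in ("client", "qname", "qtype"):
        raise ValueError(f"unsupported breakdown column: {column}")
    sql = f"SELECT {column}, COUNT(*) AS n FROM queries GROUP BY {column} ORDER BY n DESC, {column} LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


def run_demo(batch_size=2):
    """Ingest the sample with a tiny batch size so both the full-batch and the final-flush paths run."""
    conn = sqlite3.connect(":memory:")
    stored, skipped = ingest(SAMPLE_LOG.splitlines(), conn, batch_size)
    return stored, skipped, breakdown(conn, "client"), breakdown(conn, "qname")


if __name__ == "__main__":
    print(run_demo())
```

ingest() takes any iterable of lines, so the same function can be fed from a rotated file read after the fact or from a follower that reopens the file on rotation; the batching is what keeps the database from becoming the bottleneck Jonathan measured with individual writes.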


Limit allow-transfer to key + IP

2009-04-14 Thread Jonathan Petersson
Hi all,

I was reading up on TSIG signed zone-transfers and gave it a try in my
lab this morning, successfully. However what I noticed (which makes
sense based on my config) is that any host with the appropriate key is
allowed to perform a zone-transfer.

Is there any way to limit the zone-transfer to require both key and
known IP using allow-transfer?

Thanks

/Jonathan


Re: Limit allow-transfer to key + IP

2009-04-14 Thread Jonathan Petersson
Thanks!

/Jonathan

On Tue, Apr 14, 2009 at 12:28 PM, Chris Thompson c...@cam.ac.uk wrote:
 On Apr 14 2009, Jonathan Petersson wrote:

 I was reading up on TSIG signed zone-transfers and gave it a try in my
 lab this morning, successfully. However what I noticed (which makes
 sense based on my config) is that any host with the appropriate key is
 allowed to perform a zone-transfer.

 Is there any way to limit the zone-transfer to require both key and
 known IP using allow-transfer?

 Yup. Use

  allow-transfer { !{!11.22.33.44}; key secret-key; };

 Now sit down with a cold, cold drink and puzzle out why that works!

 --
 Chris Thompson
 Email: c...@cam.ac.uk


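To take up the puzzle, here is a small evaluator I wrote for this thread (it is not BIND's code and not from anyone on the list) that follows the address-match-list rule in BIND's lib/dns/acl.c: elements are tried in order, the first one that matches decides, a negated element that matches means "deny", and a nested `{ ... }` list counts as a match for the enclosing list only when it matched positively, so a negative match inside the braces is treated as no match at all. The address 11.22.33.44, the key name secret-key and the foreign address 198.51.100.7 are assumptions. It evaluates three lists side by side: the nested-negation idiom with a catch-all `any;` inside the inner braces, the same list without the catch-all, and a plain `{ address; key; }` list, so the difference in what each admits is visible.

```python
import ipaddress


class Acl:
    """An ordered address match list: a sequence of (negated, element) pairs.

    element is one of "any", "none", "key <name>", an IPv4/IPv6 prefix string,
    or another Acl (a nested list).
    """

    def __init__(self, elements):
        self.elements = list(elements)


def acl_match(acl, addr, key):
    """Evaluate like BIND: the first element that matches decides.

    Returns +1 for a positive match, -1 for a negated match and 0 when nothing matched.
    """
    for negated, element in acl.elements:
        if element_matches(element, addr, key):
            return -1 if negated else 1
    return 0


def element_matches(element, addr, key):
    if isinstance(element, Acl):
        # A nested list matches only when it matched positively; a negative match
        # inside it is "no match" for the enclosing list (the rule in lib/dns/acl.c).
        # So "!{ ... }" denies exactly when the inner list matched positively.
        return acl_match(element, addr, key) > 0
    if element == "any":
        return True
    if element == "none":
        return False
    if element.startswith("key "):
        return key is not None and key == element[4:]
    return addr in ipaddress.ip_network(element, strict=False)


def is_allowed(acl, addr, key=None):
    """True when the request (source address, optional TSIG key name) is permitted."""
    return acl_match(acl, ipaddress.ip_address(addr), key) > 0


# allow-transfer { !{ !11.22.33.44; any; }; key secret-key; };
# Walk-through: from 11.22.33.44 the inner "!11.22.33.44" matches negatively, which
# the outer list treats as no match, so evaluation falls through to the key element.
# From any other address the inner "any" matches positively, the outer "!" turns that
# into a denial, and the key element is never reached.
ADDRESS_AND_KEY = Acl([
    (True, Acl([(True, "11.22.33.44"), (False, "any")])),
    (False, "key secret-key"),
])

# allow-transfer { !{ !11.22.33.44; }; key secret-key; };
# Without the catch-all, a foreign address matches nothing in the inner list, so the
# nested element is skipped and the key alone decides.
NO_CATCH_ALL = Acl([
    (True, Acl([(True, "11.22.33.44")])),
    (False, "key secret-key"),
])

# allow-transfer { 11.22.33.44; key secret-key; };  -- address OR key, first match wins.
ADDRESS_OR_KEY = Acl([(False, "11.22.33.44"), (False, "key secret-key")])


if __name__ == "__main__":
    for label, acl in (("address AND key", ADDRESS_AND_KEY),
                       ("no catch-all", NO_CATCH_ALL),
                       ("address OR key", ADDRESS_OR_KEY)):
        for addr, key in (("11.22.33.44", "secret-key"), ("11.22.33.44", None),
                          ("198.51.100.7", "secret-key"), ("198.51.100.7", None)):
            print(f"{label:16} {addr:14} key={key!s:10} -> {is_allowed(acl, addr, key)}")
```

Reading the result table is the quickest way to check an allow-transfer list before it goes on a server: the list should admit the one row with the known address plus the key and nothing else.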


Re: Windows servers trying to update my zone

2009-04-07 Thread Jonathan Petersson
I'm not clear what you're trying to achieve here, but if you don't want
the servers to update the zones you're fine as it is. You may want to
look at the hosts that are trying to make updates and make changes on
those accordingly.

If you do want them to be able to update, just add allow-update { ip;
}; in the zone argument and you should be good to go.

/Jonathan

On Tue, Apr 7, 2009 at 5:28 PM, joans4nz joans...@gmail.com wrote:
 Hi,

 I am working as a little ISP in a building giving service to a few
 enterprises. All enterprises are using private IP addresses. Only my
 servers have public IP addresses. In all enterprises there is a DNS server for
 subdomains of my domain, and my DNS servers are showing the following
 log messages:

 Apr 7 20:00:19 myserver named[67312]: client 172.16.0.153#2100: view
 interna: update 'mydomain.com/IN' denied
 Apr 7 20:01:28 myserver named[67312]: client 172.16.0.146#2122: view
 interna: update 'mydomain.com/IN' denied
 Apr 7 20:02:37 myserver named[67312]: client 172.16.0.161#2138: view
 interna: update 'mydomain.com/IN' denied
 Apr 7 20:03:45 myserver named[67312]: client 172.16.0.153#2154: view
 interna: update 'mydomain.com/IN' denied
 Apr 7 20:04:54 myserver named[67312]: client 172.16.0.146#2186: view
 interna: update 'mydomain.com/IN' denied

 All the sub-domain DNS servers are running on Windows and are behind a
 firewall. I tried a solution from the book DNS & BIND Cookbook but the problem
 was not solved.

 How do I fix this problem?

 Thanks to all,

 joans4nz





Regexp to match RR's

2009-04-07 Thread Jonathan Petersson
Hi all,

I have some time over, so I decided to hack a bit on a DNS management
tool for my home server.

I'm curious as to whether someone knows of a list of regexps that can
be used to match RRs.

Thx

/Jonathan
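As an added example for the question above (my own, not from anyone on the list), here is a set of Python regexes that match the common RR types in master-file syntax, paired with the semantic checks a regex alone cannot express: octet ranges for A, IPv6 validity for AAAA, 16-bit limits for MX/SRV fields. The label grammar (hostname labels plus "_" for service names, "@" for the origin) and the sample zone fragment are assumptions of the example, not a complete RFC 1035 grammar; multi-line records in parentheses and non-numeric TTLs are out of scope.

```python
import ipaddress
import re

LABEL = r"(?:[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?)"
NAME = rf"(?:@|(?:{LABEL}\.)*{LABEL}\.?)"
IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"
QSTRING = r'"(?:[^"\\]|\\.)*"'

# RDATA pattern per type; each named group becomes a key of the parsed record.
RDATA = {
    "A":     rf"(?P<address>{IPV4})",
    "AAAA":  r"(?P<address>[0-9A-Fa-f:.]+)",          # shape only; ipaddress validates below
    "NS":    rf"(?P<target>{NAME})",
    "CNAME": rf"(?P<target>{NAME})",
    "PTR":   rf"(?P<target>{NAME})",
    "MX":    rf"(?P<preference>\d{{1,5}})\s+(?P<target>{NAME})",
    "SRV":   rf"(?P<priority>\d{{1,5}})\s+(?P<weight>\d{{1,5}})\s+(?P<port>\d{{1,5}})\s+(?P<target>{NAME})",
    "TXT":   rf"(?P<text>{QSTRING}(?:\s+{QSTRING})*)",
    "SOA":   rf"(?P<mname>{NAME})\s+(?P<rname>{NAME})\s+(?P<serial>\d+)\s+(?P<refresh>\d+)"
             rf"\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)",
}

# owner [ttl] [class] TYPE rdata [; comment]: the owner may be omitted (leading blank,
# meaning "same as the previous record") and TTL and class may appear in either order.
RR_RE = {
    rtype: re.compile(
        rf"^(?P<owner>{NAME})?\s+"
        rf"(?:(?P<ttl>\d+)\s+)?(?:(?P<class>IN|CH|HS)\s+)?(?:(?P<ttl2>\d+)\s+)?"
        rf"(?P<type>{rtype})\s+{rdata}\s*(?:;.*)?$"
    )
    for rtype, rdata in RDATA.items()
}


def parse_rr(line):
    """Return a dict for a recognised RR line, or None if the line is not one we accept."""
    for rtype, pattern in RR_RE.items():
        m = pattern.match(line)
        if m is None:
            continue
        rec = {k: v for k, v in m.groupdict().items() if v is not None}
        ttl = rec.pop("ttl", None) or rec.pop("ttl2", None)
        rec["ttl"] = int(ttl) if ttl is not None else None
        # Checks the regex alone cannot express.
        if rtype == "AAAA":
            try:
                rec["address"] = str(ipaddress.IPv6Address(rec["address"]))
            except ValueError:
                return None
        for field in ("preference", "priority", "weight", "port"):
            if field in rec and int(rec[field]) > 65535:
                return None
        return rec
    return None


def check_zone(text):
    """Split a zone fragment into accepted records and rejected (line number, line) pairs."""
    accepted, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(";") or line.startswith("$"):
            continue   # blank, comment or directive ($ORIGIN/$TTL): not an RR
        rec = parse_rr(line)
        if rec is None:
            rejected.append((n, line))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample; the last line is deliberately invalid.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@             IN SOA   ns1 hostmaster 2009040701 7200 900 1209600 300
@             IN NS    ns1.example.com.
www      3600 IN A     192.0.2.10   ; web
              IN AAAA  2001:db8::10
@             IN MX    10 mail.example.com.
_sip._tcp     IN SRV   10 60 5060 sip.example.com.
mail          IN TXT   "v=spf1 a -all"
broken        IN A     999.1.1.1
"""


if __name__ == "__main__":
    accepted, rejected = check_zone(SAMPLE_ZONE)
    for rec in accepted:
        print(rec)
    print("rejected:", rejected)
```

One pattern per type keeps each regex readable and lets the management tool report which type a bad line was trying to be; the post-match checks are where the real validation lives, since a regex that tried to encode "every octet is 0-255 and every 16-bit field fits" for every type quickly becomes unmaintainable.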


Re: C/C++ version Load balancer DNS

2009-04-03 Thread Jonathan Petersson
You can use BIND itself as a load-balancer.

What's your goal?
What's your current load?
What's your anticipated load 12 months from now?
What kind of equipment do you have available?

/Jonathan

On Fri, Apr 3, 2009 at 2:37 PM, Mallappa Pallakke palla...@gmail.com wrote:
  Hi,
  Is there any C/C++ version load balancer available? As far as I know we have
 lbnamed, which is a Perl-based load balancer.

  Or can we do a kind of load balancer using any other mechanism over DNS?

  It will be a great help if anybody can direct me in this regard.

  Thanks,
  Mallappa



Re: DNS forwarding not working properly?

2009-03-26 Thread Jonathan Petersson
You need to enable recursion in options.

/Jonathan

2009/3/26 ARMSTRONG, KENNETH karmstr...@botetourtva.us:
 OK, I've been trying my hardest to figure this out.

 I have BIND9 installed and set up as a slave to one of our Domain
 Controllers (so we can at least still get DNS if it were to go down). It
 works fine for transferring the zone file of our domain down, and from the
 server running BIND I can resolve hostnames of our local network machines
 along with outside names such as google.com (using nslookup, yeah I know it
 sucks).

 However, when I set up one of my Windows XP clients to use the new server
 for DNS, it can resolve local machine names fine when I run nslookup against
 it, but it gives me Query refused when trying to resolve an outside DNS
 name.

 I ran nslookup against the ISP's DNS IP's and can resolve the outside
 hostnames just fine, but for some reason I can't resolve them against the
 new DNS server.

 I have not made any modifications to /etc/bind/named.conf. Instead, I have
 put my configurations in /etc/bind/named.conf.local (since that is what the
 named.conf file says to do).

 Here is my /etc/bind/named.conf.local file (protected of course):

 zone "OURDOMAIN.COM" {
     type slave;
     masters {
         192.168.1.22;
         192.168.1.23;
     };
     file "OURDOMAIN.COM.db";
     allow-transfer {
         any;
     };
     allow-query {
         any;
     };
 };

 zone "192.168.in-addr.arpa" {
     type slave;
     masters {
         192.168.1.22;
         192.168.1.23;
     };
     file "192.168.in-addr.arpa.db";
     allow-transfer {
         any;
     };
     allow-query {
         any;
     };
 };

 And my /etc/bind/named.conf.options:

 options {
     directory "/var/cache/bind";

     forwarders {
         216.12.0.20;
         216.12.48.23;
     };

     auth-nxdomain no;
     listen-on-v6 { any; };
 };

 Again, this only seems to affect outside clients, I can run queries on
 nslookup just fine on the DNS server itself.

 Any help would be greatly appreciated.



 Kenny




Re: NOTIFY from masters when slave provides several views

2009-03-26 Thread Jonathan Petersson
Hi Terry,

Each view has to be independently notified if an update takes place.

/Jonathan

On Thu, Mar 26, 2009 at 4:46 PM,  terry+bindus...@tmk.com wrote:
  This question is related to the prior Internal and External view on same
 slave server? - RESOLVED thread, but seems to be a different situation in
 which the previous answer doesn't apply.

  I have 3 nameservers, which we'll call ns1, ns2, and ns3. These servers
 are primarily slave servers for stealth master servers (that last part
 shouldn't really matter).

  ns1, ns2, and ns3 operate with three views each - internal, customer, and
 external. Internal is for the ISP's infrastructure systems, customer is for
 customers (and allows recursion), and external is for the rest of the net
 (no recursion, just authoritative answers for the zones it serves).

  The master servers can be in address ranges covered by any of those views
 as well - the ISP's own zones come from a server in the internal view, most
 customer zones come from servers in the customer view, with a few coming
 from servers in the external view.

  Importantly, neither the masters nor ns1/2/3 have different zone data in
 different views - the answers are always the same.

  As an example, if ns1 gets a NOTIFY for a slave zone from a master in an
 address covered by the customer view, it will do an xfer of the zone, but
 only for ns1's customer view. The internal and external views won't
 transfer until the expiry/refresh time for the zone fires.

  Also important is that there are a *lot* of zones, and they all live in
 an external include file (which, itself, is a collection of smaller include
 files), which are all auto-generated from an external database. So it would
 be very difficult to change that. Also, most of the masters are on customer
 systems with a variety of nameserver versions, and asking them to add
 additional IP addresses (or indeed, make any changes at all) would also be
 very difficult.

  What I'd like is some way to tell BIND that if it gets a NOTIFY for a
 zone, it should transfer that zone for all views, not just the matching
 view.

  The BIND versions in use are 9.6.0-P1 and 9.6.1b1.

 Here's a censored example of the relevant parts of the named.conf file:

 // The internal view allows everything

 view "internal" in {

         match-clients { internal; };
         recursion yes;
         additional-from-auth yes;
         additional-from-cache yes;

         // Root hints
         //
         zone "." {
                 type hint;
                 file "named.root";
         };

         // snip... (internal-only zones removed from example)

         // Customer zones
         //
         include "includes.conf";

 };

 // The customer view allows everything too, but has a different name for
 // statistics gathering purposes, and might have restrictions added later

 view "customer" in {

         match-clients { customer; };
         recursion yes;
         additional-from-auth yes;
         additional-from-cache yes;

         // Root hints
         //
         zone "." {
                 type hint;
                 file "named.root";
         };

         // Customer zones
         //
         include "includes.conf";

 };

 // The external view allows queries of zones we serve, but not recursion

 view "external" in {

         match-clients { any; };
         recursion no;
         additional-from-auth no;
         additional-from-cache no;

         // Root hints
         //
         zone "." {
                 type hint;
                 file "named.root";
         };

         // Customer zones
         //
         include "includes.conf";

 };

        Terry Kennedy             http://www.tmk.com
        te...@tmk.com             New York, NY USA



Re: Ever growing jnl files

2009-01-07 Thread Jonathan Petersson
I've seen similar behaviors in earlier versions of BIND as well. Since
it doesn't seem to impact performance etc. I haven't really bothered
with it. What you can do is to run an rndc freeze/thaw; this will
check out the journal file.

/Jonathan

On Wed, Jan 7, 2009 at 10:30 AM, Nicholas F Miller
nicholas.mil...@colorado.edu wrote:
 We have a few dynamic zones that are provisioned using Addhost. When addhost
 adds records to the zone every night it will run nsupdate < update.file.
 The update.file will contain records like these:

 prereq yxrrset machine.colorado.edu. in a
 update delete  machine.colorado.edu. in a

 prereq yxrrset machine.colorado.edu. in hinfo
 update delete machine.colorado.edu. in HINFO

 This all works fine but the jnl doesn't ever go away after nsupdate runs
 like this. The jnl will continue to be appended to every night when nsupdate
 is run again. If we use nsupdate without feeding it a file the jnl will
 disappear like it's supposed to. Is this a glitch in bind bind-9.5.0-P2?

 
 Nicholas Miller, ITS, University of Colorado at Boulder




Re: Bind open to query from anyone

2009-01-05 Thread Jonathan Petersson
In general I would think that it isn't recommended unless it's
intended; you probably don't want random clients querying your servers
for content you don't control.

To kill this add recursion no; in options; if you do want this
enabled for certain prefixes have a look at allow-recursion.

Good luck,

/Jonathan

On Mon, Jan 5, 2009 at 3:15 AM, Chris Henderson henders...@gmail.com wrote:
 I've setup a secondary name server which works as a secondary or slave
 name server for my zone or domain name. However, I have tested and
 noticed that I can query for non-authoritative answers from my
 secondary or slave name server from outside my network. That is, any
 one can use my name server to query any host name, eg. www.google.com,
 www.yahoo.com etc. Is this a bad idea? How can I stop this?

 Thanks for any suggestions.



statistics-channels No such URL

2009-01-03 Thread Jonathan Petersson
Hi everyone,

Could someone give me a quick pointer what to look for if I get "No
such URL" when trying to access the statistics web-site.

Thx

/Jonathan


Re: statistics-channels No such URL

2009-01-03 Thread Jonathan Petersson
So I did find the reason:
Jan  3 09:45:04 localhost named[5038]: statistics-channels specified
but not effective due to missing XML library

anything besides:
[r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
libxml2-2.7.2-2.fc10.i386
libxml2-devel-2.7.2-2.fc10.i386

That's needed? Bind is compiled from source with --with-libxml2 --enable-threads

Thanks

/Jonathan

On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson
jpeters...@garnser.se wrote:
 Hi everyone,

 Could someone give me a quick pointer what to look for if I get "No
 such URL" when trying to access the statistics web-site.

 Thx

 /Jonathan



Re: statistics-channels No such URL

2009-01-03 Thread Jonathan Petersson
Sorry for all the spamming, I forgot to do a distclean between the
builds; it's working now.

/Jonathan

On Sat, Jan 3, 2009 at 9:51 AM, Jonathan Petersson
jpeters...@garnser.se wrote:
 Also:
 [r...@localhost bind-9.6.0]# ./configure --with-libxml2 --enable-pthread
 .
 checking for libxml2 library... yes
 .
 config.status: executing chmod commands
 [r...@localhost bind-9.6.0]#


 On Sat, Jan 3, 2009 at 9:46 AM, Jonathan Petersson
 jpeters...@garnser.se wrote:
 So I did find the reason:
 Jan  3 09:45:04 localhost named[5038]: statistics-channels specified
 but not effective due to missing XML library

 anything besides:
 [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
 libxml2-2.7.2-2.fc10.i386
 libxml2-devel-2.7.2-2.fc10.i386

 That's needed? Bind is compiled from source with --with-libxml2 
 --enable-threads

 Thanks

 /Jonathan

 On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson
 jpeters...@garnser.se wrote:
 Hi everyone,

 Could someone give me a quick pointer what to look for if I get "No
 such URL" when trying to access the statistics web-site.

 Thx

 /Jonathan





Re: Magic for NSEC3

2009-01-03 Thread Jonathan Petersson

Thanks for your input

/Jonathan


On Jan 3, 2009, at 16:13, Mark Andrews mark_andr...@isc.org wrote:



In message fa2e1350901031122w75768929h3b17e0a47b806...@mail.gmail.com, Jonathan Petersson writes:

Hi all,

Hopefully this post won't cause as much SPAM as my last one. About a
year ago I started looking into DNSSEC and how to work with it for
dynamic updates etc. Since only NSEC was supported, allowing whoever
to do an unauthorized zone-transfer, I canceled my projects, later
finding out that NSEC3 would stop the behavior.


   One really needs to look at the cost benefit analysis to
   decide whether to use NSEC or NSEC3.  NSEC3 is much more
   expensive than NSEC for both authoritative servers and
   validators.  There are almost no zones that need
   that level of protection.

   Stopping AXFR/IXFR has almost zero cost so for many people
   it has become reflex without any need to justify it.  Stopping
   zone enumeration has a relatively high cost.

   Note for many servers stopping AXFR/IXFR was not about the
   zone content and more about preserving file descriptors for
   use by the slaves and legitimate TCP clients rather than the
   curious.


With the release of BIND 9.6 my understanding is that NSEC3 is now
supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
clueless as whether there's any magic sauce to get NSEC3 records vs.
NSEC.

If anyone has a pointer that would be of help, I've tried using
NSEC3RSASHA1 keys without success of getting NSEC3 records.


   NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when
   signing the zone.  You need to tell dnssec-signzone which
   one to use.

   dnssec-signzone -3 salt [-H iterations] [-A] 


Thx

/Jonathan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
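To make concrete what the salt and iteration count passed to dnssec-signzone (-3 and -H above) actually do, here is the NSEC3 owner-name hash from RFC 5155 section 5 in Python. This is an added illustration, not code from BIND or from this thread. Every extra iteration is one more SHA-1 over the previous digest plus the salt, computed once per name by the signer and again by every validator that has to prove a name does not exist, which is the cost Mark refers to. The names, salt and zone used in the demo are constructed; with the Appendix A parameters of RFC 5155 (zone "example", salt aabbccdd, 12 iterations) you can compare the output against the hashed owner names printed in the RFC.

```python
"""NSEC3 owner-name hashing as specified in RFC 5155 section 5.

Added illustration for the NSEC vs. NSEC3 discussion; not code from BIND
or dnssec-signzone. Shows what the salt and iteration count feed into and
why each iteration costs one more SHA-1 on signer and validator alike.
"""
import base64
import hashlib

# RFC 4648 base32hex differs from ordinary base32 only in its alphabet.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, then the root label."""
    labels = [l for l in name.strip().lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length root label terminates the name
    return bytes(out)


def nsec3_hash(name: str, salt: str = "-", iterations: int = 0) -> str:
    """NSEC3 hash of `name`, base32hex, lower case (RFC 5155 section 5):

        IH(salt, x, 0) = H(x || salt)
        IH(salt, x, k) = H(IH(salt, x, k-1) || salt)

    `salt` is the presentation form used by NSEC3PARAM and dnssec-signzone:
    hex digits, or '-' for no salt. `iterations` is the extra-hash count.
    """
    salt_bytes = b"" if salt in ("", "-") else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):  # one additional SHA-1 per iteration
        digest = hashlib.sha1(digest + salt_bytes).digest()
    # 20 bytes encode to exactly 32 base32 characters, so no '=' padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def nsec3_owner(name: str, zone: str, salt: str = "-", iterations: int = 0) -> str:
    """Owner name of the NSEC3 RR that stands for `name` inside `zone`."""
    return f"{nsec3_hash(name, salt, iterations)}.{zone.rstrip('.')}."


if __name__ == "__main__":
    # Constructed demo values; the zone/salt/iterations match RFC 5155 App. A
    # so the printed owners can be checked against the RFC's own example.
    zone, salt, iterations = "example", "aabbccdd", 12
    for owner in ("example", "a.example", "ns1.example", "*.w.example"):
        print(f"{owner:14} -> {nsec3_owner(owner, zone, salt, iterations)}")
    # Same name, no salt and no iterations: a single SHA-1, i.e. the cheapest
    # setting, which is what most zones should use if they pick NSEC3 at all.
    print("example (no salt, 0 iterations) ->", nsec3_hash("example"))
```

Note that the salt and iteration count are public (they are in the NSEC3PARAM record), so they do not add secrecy; they only raise the per-name cost, and that cost falls on validators as much as on the zone owner.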



Re: zone propagation

2008-12-24 Thread Jonathan Petersson
What I've done is that I maintain a master-slave zone on my master;
if any new zones are manipulated I push out an updated config to my 20
or so slave servers, and once it's pushed out I trigger a sudo script via
ssh that reloads bind with the new config, and voilà.

/Jonathan

On Wed, Dec 24, 2008 at 7:38 PM, wes b...@the-wes.com wrote:
 On Wed, Dec 24, 2008 at 9:54 AM, Michael Varre mva...@gmail.com wrote:

 On 12/24/08, wes b...@the-wes.com wrote:
  Can I configure a pair of bind9 servers, one master and one slave, so
  that
  when I create a new zone on the master, it is also created on the slave?
 
  I already have slaving of existing zones working well.
 
  thanks,
  -wes

 I'm sure there are other ways but I use webmin to handle all of it for
 me. I used to do it all manually on the command line, logging into
 each server and manually adding new zones but webmin has cut the time
 it takes for me to make dns MACs down to about 10% of what it used to
 be.

 Interesting. I am using Webmin. I had to create each zone on the master and
 slave servers, and set them up accordingly. Can you give me a small hint as
 to where the magic flag is to configure Webmin for this?

 thanks,
 -wes



Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
I did some testing with this a couple of months ago and it seems like AD is
following the NS directive in the SOA.

The design I used in my test-case was to put AD as an authoritative updater
of the specified zone on my master; once updated, the BIND master was
responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND
slave-servers for the zone, and vice versa configure your slaves to have the
AD as master for the zone. What I've experienced is that updates of new
records tend to be REALLY slow, thus I would go with the first option.

/Jonathan

On Wed, Dec 10, 2008 at 8:17 AM, Nicholas F Miller 
[EMAIL PROTECTED] wrote:

 I have a couple of questions regarding how a Microsoft domain controller
 updates a dynamic zone.

 1 ) When a domain controller tries to update the zone does it try the DNS
 servers it has listed in its network settings or does it follow the SOA for
 the zone?

 2) In the configs below does the slave server's IP need to be listed in the
 allow-update declaration on the master zone server?

 Master Server - 1.2.3.4

 zone "actived.example.com" {
     type master;
     file "named.ad";
     allow-update {
         1.2.3.4;        // master DNS server
         11.22.33.44;    // domain controller 1
         55.66.77.88;    // domain controller 2
     };
     allow-transfer {
         5.6.7.8;        // slave DNS server
     };
 };

 Slave Server - 5.6.7.8

 zone "actived.example.com" {
     type slave;
     file "named.ad";
     allow-update-forwarding {
         11.22.33.44;    // domain controller 1
         55.66.77.88;    // domain controller 2
     };
     allow-transfer { none; };
     masters {
         1.2.3.4;        // master DNS server
     };
 };

 Thanks,
 
 Nicholas Miller, ITS, University of Colorado at Boulder



Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
On Wed, Dec 10, 2008 at 4:00 PM, Mark Andrews [EMAIL PROTECTED] wrote:


 In message [EMAIL PROTECTED], Nicholas F Miller writes:
  I have a couple of questions regarding how a Microsoft domain
  controller updates a dynamic zone.
 
  1 ) When a domain controller tries to update the zone does it try the
  DNS servers it has listed in its network settings or does it follow
  the SOA for the zone?

 There are knowledge base articles which describe this fully.
 I suggest that you search the Microsoft knowledge base for
 the complete answer.


http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

 cut 

Re: Binding DNS server to a particular IP address

2008-12-03 Thread Jonathan Petersson
Shouldn't the server statement in options/view do the trick?

/Jonathan

On Wed, Dec 3, 2008 at 12:04 PM, Todd Snyder [EMAIL PROTECTED] wrote:

 Try the listen-on directive.

 Read more here:

 http://books.google.com.hk/books?id=zkZN52WhG8sCprintsec=frontcoverdq=dnsei=dA-3SJ7XEaWijgG7v4Qwhl=ensig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q#PPA270,M1

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jerry M
 Sent: Wednesday, December 03, 2008 11:37 AM
 To: bind-users@lists.isc.org
 Subject: Binding DNS server to a particular IP address

 I have two different IP addresses coming into my server.  I need to
 guarantee that ISC BIND only monitors and replies to requests coming
 from one of the two IP addresses. I can't seem to find a configuration
 parameter that tells the server which IP address to listen on.  How do I
 configure that?

 Thanks.

 JWM




Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Actually, to take this a step further, is there any remote possibility to
combine this with update-policy as well?

I know both questions have been mentioned on the list before with varied
answers but I wanted to raise it again since this was finally figured out.

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt [EMAIL PROTECTED] wrote:

allow-update { !{!10/8;any;}; key update-key; };
 
  Wouldn't this still permit any client on the 10/8 subnet to update the
  zones?

 It's very confusing syntax, but no.

 You're probably thinking in boolean algebra (I did too, when I first
 encountered this).  If it were boolean algebra, you could redistribute
 the negatives: !{!10/8; any;} becomes {!!10/8; !any;} and then
 simplifies to {10/8; none;}.

 But ACLs aren't boolean, so you can't do that.  Each element has three
 possible results not two: match and accept, match and reject, or no
 match, which means continue processing.

 When an ordinary ACL element matches and is negated (for example, the
 element is !10/8; and the address is 10.0.0.1) that means match and
 reject.  But if the match is inside of a *nested* ACL, then it's treated
 differently:  A negative result means the nested ACL didn't match--and
 so you continue processing.

 So if you're checking address A against an ACL of one of the following
 forms, these will be the results:

{ A;B; }   == A is allowed, accept immediately
{  {  A; }; B; }   == A is allowed, accept immediately
{!A;B; }   == A is forbidden, reject immediately
{ !{  A; }; B; }   == A is forbidden, reject immediately
{  { !A; }; B; }   == A matched but was negated, try element B
{ !{ !A; }; B; }   == A matched but was negated, try element B

 Those last two lines there are confusingly similar (and, as written,
 useless).  The difference is what happens if you're checking an address
 *other* than A, and something else in the nested ACL matches it.

{  { !A; any; }; B; }  == any address other than A is accepted at once,
  but A is only accepted if B matches too.
  boolean translation: ((not A) or (A and B))

{ !{ !A; any; }; B; }  == any address other than A is *rejected* at
 once,
  but A is accepted as long as B matches too.
  boolean translation: (A and B)

 Hope that's helpful.  (*I* find it hard to keep this syntax straight, and I
 wrote a big chunk of the code that implements it in BIND 9.5...)

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.


Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Yeah it would most likely be a feature request/change.

IIRC update-policy cannot be used in conjunction with the allow-update
statement. Personally I prefer the usage of update-policy as I can assign
different business units within my organization to take responsibility for
certain records/record types.

As I'm using a multi-view server (public and private IP) I'm concerned that
the update keys used might get compromised (computer stolen or whatever)
thus it would be useful to be able to limit the capability for updates for
specified IP-ranges.

This is achieved with the allow-update policy given throughout this
conversation but as you cannot use them in conjunction with update-policy I'm
not able to limit certain records/record types to keys.

To put this in a conf example I'm thinking something like:

allow-update {
! { !10/8; any; };
update-policy { grant key subdomain dummy.com ALL; };
};

I hope this makes sense.

/Jonathan

On Mon, Nov 17, 2008 at 4:43 PM, Evan Hunt [EMAIL PROTECTED] wrote:


  Actually, to take this a step further, is there any remote possibility to
  combine this with update-policy as well?

 I'm not sure what you mean.

 I believe you can use allow-updates to filter according to IP address
 and then update-policy to filter according to key; that might be an
 easier way to accomplish the same thing.  I've never done so, but I'd
 expect it to work.  But it sounds like you're asking for a feature
 change... clarify please?

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.


Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Guess I should start digging in the code then :)

On Mon, Nov 17, 2008 at 5:59 PM, Evan Hunt [EMAIL PROTECTED] wrote:

  IIRC update-policy cannot be used in congestion with the allow-update
  statement.

 My bad--you're right.  There's code I'd never noticed before that says
 allow-update will be ignored if update-policy is set.  Whoops.

 (Oddly, the check only applies when both of them are defined in the
 zone itself.  You can put allow-updates in the view options and
 update-policy in the zone, and named won't complain about it...
 but it also won't work the way you want it to.)

 I don't know why it was implemented this way--there's no protocol reason
 I can see.  (There may be other reasons I don't know about.)  It's probably
 not a high enough priority for ISC to devote engineering resources to it at
 this time, but if someone submitted a patch that added an ACL check to the
 update-policy syntax, I'm sure we'd consider it.

 --
 Evan Hunt -- [EMAIL PROTECTED]
 Internet Systems Consortium, Inc.
