Re: Split Delegation IP Reverse
You could CNAME the records to another PTR domain maintained by the third server.

230.0.168.192.in-addr.arpa is an alias for 230.0-28.0.168.192.in-addr.arpa
230.0-28.0.168.192.in-addr.arpa domain name pointer host.domainname

On Tue, Nov 23, 2010 at 10:43 PM, Wilbert J. Rojas O. wro...@ideay.net.ni wrote:

Hi, Hello! My scenario is as follows: I have the following network 192.168.0.0/24 which manages my primary DNS server for this zone reversals and if any updates on the reverse of an IP upgrade to a second DNS server is a slave. Well my question is: Suppose I have a third server that will manage DNS but only part of the reverse IP block that my two DNS servers given, say that this third server must manage the reverse DNS for the network 192.168.0.230/28 only. How could you do this?

Ing. Wilbert J. Rojas O. | Equipos y Sistemas, S.A.
Administrador de Sistemas.
Colegio Centro América 60 mts al norte. | Managua, Nicaragua
wro...@ideay.net.ni | Tel.: +505 2277-4000 Ext.115 | Fax: +505 2277-4411

___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How does BIND 9 scale with multithreading?
1 QuadCore Intel i7 920 on Fedora 11 x86_64 (can't remember the exact kernel version) with and without hyperthreading and overclocked ranging between 2.8 and 3.4GHz

On Thu, Sep 30, 2010 at 2:03 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

On 29.09.10 10:43, Jonathan Petersson wrote:

I did some benchmarking on this about 1.5 yrs ago, here's a graph representing the results: http://sedoss.com/bind.png

on how many processors was this run?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
To Boot or not to Boot, that's the question. [WD1270 Caviar]
Re: How does BIND 9 scale with multithreading?
I did some benchmarking on this about 1.5 yrs ago, here's a graph representing the results: http://sedoss.com/bind.png

On Wed, Sep 29, 2010 at 10:37 AM, philippe.simo...@swisscom.com wrote:

Hi, I read that 'old' bind versions were better when threading was disabled. Load balancing between 2 processes was better. Is this always the case?

http://zaphods.net/~zaphodb/high-performance-bind9.html

some interesting links for DNS performance:

http://kb.linuxvirtualserver.org/wiki/Building_Scalable_DNS_Cluster_using_LVS
https://lists.isc.org/pipermail/bind-users/2006-September/063917.html

Philippe

-Original Message-
From: bind-users-bounces+philippe.simonet=swisscom@lists.isc.org [mailto:bind-users-bounces+philippe.simonet=swisscom@lists.isc.org] On Behalf Of Eivind Olsen
Sent: Wednesday, September 29, 2010 09:56
To: bind-us...@isc.org
Subject: How does BIND 9 scale with multithreading?

Does anyone know if there are any benchmarks out in the public, which could give some insight into how well BIND 9 scales with multithreading? I've tried looking on this list, and googling, but haven't found anything yet.

To be a bit more specific - I'm not sure what a good option for server hardware would be for a recursive DNS server. On one hand, the Sun (ok, Oracle) Niagara/Coolthreads architecture seems to work nicely enough, but maybe I'd be better off with some generic Intel/AMD based solution with fewer threads/cores but higher GHz per thread?

Regards
Eivind Olsen
Re: refuse in notify slave
The easiest workaround for this is either to use views or TSIG keys.

/Jonathan

On Thu, Oct 22, 2009 at 6:56 AM, Nelson Serafica ntseraf...@gmail.com wrote:

I have multiple ip addresses on my primary ns server (eth0, eth0:1, eth0:2). Let's say eth0 is 1.2.3.4, eth0:1 is 2.3.4.5 and eth0:2 is 3.4.5.6. I have a slave ns server but every time I do rndc reload and check the secondary ns on syslog, I see

refused notify from non-master: 1.2.3.4#48499

where 1.2.3.4 is the ip of eth0. Is it possible the ip address that will send to slave will be 4.5.6.7 (eth0:2) and not 1.2.3.4 (eth0)?
Internal whois server
Hi all,

This is probably somewhat of an un-legit way of using whois but I'm curious as to whether it would be possible to install an internal whois server that responds with the appropriate prefix-data upon request for internal ip-numbers/domains while forwarding unknown requests to external whois servers.

Has anyone done a similar implementation or know what kind of software that could be used to obtain this?

Thanks
/Jonathan
Re: Scale BIND over multiple kernels effectively
Before I start digging into the kernel-options for my distro does anyone know if there's been any changes between 2.6.28 and 2.6.29 that would decrease BIND performance? I'm seeing a 55% decrease going to 2.6.29.

/Jonathan

2009/4/30 JINMEI Tatuya / 神明達哉 jinmei_tat...@isc.org:

At Thu, 30 Apr 2009 15:41:03 -0700, Jonathan Petersson jpeters...@garnser.se wrote:

in light of this is it possible to tell BIND how many threads it should utilize or is it an ALL or ONE case?

Do you mean the -n command line option?

usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
             [-p port] [-s] [-t chrootdir] [-u username]
             [-m {usage|trace|record|size|mctx}]

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: named daemon hangs
Could you please provide a copy of your config, I'm guessing that you have a general forwarder in place or haven't turned on recursion.

/Jonathan

On Sat, May 2, 2009 at 8:06 AM, Nelson Vale nelsonduv...@gmail.com wrote:

Hi all,

I've been facing a problem in my private network which I was not able to fix yet. In my gateway (linux debian alike) I have bind 9.5 installed and running, and I have one IPSec tunnel to another gateway over the internet. It also has configured a forward zone with the name server being the other gateway internal address (accessible through the IPSec tunnel only).

Recently the other IPSec endpoint was shut down and, of course, my queries to the forward domain started failing. Nothing strange here... The real problem is that I suddenly was not able to resolve any other DNS queries, like www.google.com, from inside my network:

host www.google.com
;; connection timed out; no servers could be reached

I took a look at the named daemon and I see that it does not respond to anything as long as the IPSec tunnel is down, but only if it's the other endpoint that is down. I've tried stopping my endpoint and this problem does not occur as long as I restart named. I think this happens because as long as my endpoint is up the routes to the other endpoint are set, and named tries to query the forward domain name server. The problem is that the queries do not time out and named hangs there.

The configuration I have is:

Bind: BIND 9.5.0-P2
IP Address (private): 192.168.9.254
Forwarders: ADSL provider (2 forwarders)
Forward Zone: mylan.loc
Name Server: 192.168.90.254

After it starts if I try to query one of the forward zone records (box.mylan.loc) it displays:

...
02-May-2009 14:22:21.843 socket 0xb7bd5548: dispatch_recv: event 0xb7be3d28 - task 0xb7b74d18
02-May-2009 14:22:21.844 socket 0xb7bd5548: internal_recv: task 0xb7b74d18 got event 0xb7bd559c
02-May-2009 14:22:21.844 socket 0xb7bd5548 192.168.9.2#47869: packet received correctly
02-May-2009 14:22:21.844 socket 0xb7bd5548: processing cmsg 0xb7bb2120
02-May-2009 14:22:21.844 client 192.168.9.2#47869: UDP request
02-May-2009 14:22:21.844 client 192.168.9.2#47869: using view '_default'
02-May-2009 14:22:21.845 client 192.168.9.2#47869: request is not signed
02-May-2009 14:22:21.845 client 192.168.9.2#47869: recursion available
02-May-2009 14:22:21.845 client 192.168.9.2#47869: query
02-May-2009 14:22:21.845 client 192.168.9.2#47869: ns_client_attach: ref = 1
02-May-2009 14:22:21.845 client 192.168.9.2#47869: query (cache) 'box.mylan.loc/A/IN' approved
02-May-2009 14:22:21.845 client 192.168.9.2#47869: replace
02-May-2009 14:22:21.845 clientmgr @0xb7baa608: createclients
02-May-2009 14:22:21.846 clientmgr @0xb7baa608: recycle
02-May-2009 14:22:21.846 createfetch: box.mylan.loc A
02-May-2009 14:22:21.846 fctx 0xb7bae408(box.mylan.loc/A'): create
02-May-2009 14:22:21.846 fctx 0xb7bae408(box.mylan.loc/A'): join
02-May-2009 14:22:21.846 fetch 0xb7bb4148 (fctx 0xb7bae408(box.mylan.loc/A)): created
02-May-2009 14:22:21.846 client @0xb7bda008: udprecv
02-May-2009 14:22:21.846 socket 0xb7bd5548: socket_recv: event 0xb7bd4b48 - task 0xb7bb1690
02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): start
02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): try
02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): cancelqueries
02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): getaddresses
02-May-2009 14:22:21.847 findaddrinfo: new entry 0xb7aec4a0
02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): query
02-May-2009 14:22:21.848 socket 0xb7b79938: created
02-May-2009 14:22:21.848 socket 0xb7b79938 0.0.0.0#43841: bound
02-May-2009 14:22:21.848 dispatchmgr 0xb7bbb168: created UDP dispatcher 0xb7b6d378
02-May-2009 14:22:21.848 dispatch 0xb7b6d378: created task 0xb7b74d70
02-May-2009 14:22:21.848 dispatch 0xb7b6d378: created socket 0xb7b79938
02-May-2009 14:22:21.848 resquery 0xb7b80008 (fctx 0xb7bae408(box.mylan.loc/A)): send
02-May-2009 14:22:21.849 dispatch 0xb7b6d378 response 0xb7ba7848 192.168.90.254#53: attached to task 0xb7b6f2c8
02-May-2009 14:22:21.849 socket 0xb7b79938: socket_recv: event 0xb7b81698 - task 0xb7b74d70

and it hangs here forever. Even if I restart the named server it does not respond to any of my queries. If I stop the named server with Ctrl + C it displays:

...
^C02-May-2009 14:23:46.773 socket.c:1226: unexpected error:
02-May-2009 14:23:46.773 internal_send: 192.168.90.254#53: Interrupted system call should be restarted
02-May-2009 14:23:46.774 errno2result.c:111: unexpected error:
02-May-2009 14:23:46.774 unable to convert errno to isc_result: 85: Interrupted system call should be restarted
02-May-2009 14:23:46.774 resquery 0xb7b80008 (fctx 0xb7bae408(box.mylan.loc/A)): sent
02-May-2009 14:23:46.774 resquery 0xb7b80008 (fctx 0xb7bae408(box.mylan.loct/A)): senddone
02-May-2009 14:23:46.774 fctx
Re: Scale BIND over multiple kernels effectively
Thanks for the feedback,

2 threads on 2 core: 45kqps
4 threads on 4 core: 108kkqps
8 threads on 4 core + HT: 75kqps
16 threads on 8 core + HT: 35kqps
correct?

yes

in light of this is it possible to tell BIND how many threads it should utilize or is it an ALL or ONE case?

/Jonathan
Re: approach on parsing the query-log file
Thanks for the tip, however the main problem that I'm seeing is that perl + MySQL becomes a bottle-neck if this approach were to be used. I ran some tests yesterday showing that caching 500k rows in a variable and sending it to MySQL was 10 times as effective (90k vs 9k) than doing individual writes.

I guess I could create an internal buffer in the script caching the last X amount of messages based on a dynamic variable that adapts to the query-flow and then creates a fork that writes it to the DB.

/Jonathan

On Wed, Apr 29, 2009 at 12:44 AM, Chris Dew cms...@googlemail.com wrote:

You may be interested in using circular buffers, instead of a log file.

http://www.finalcog.com/replace-logs-emlog-circular-buffer

I've used emlog successfully in the past and been very pleased with its performance. Hope this is useful.

Chris.

2009/4/29 Scott Haneda talkli...@newgeo.com:

I have read the other posts here, and it looks like you are setting on tail, or a pipe, but that log rotation is causing you headaches. I have had to deal with things like this in the past, and took a different approach. Here are some ideas to think about.

Since you mentioned below you wanted this in real time, and that parsing an old log file is out, what about setting up a second log in named, of the same data, but do not rotate the log at all? This gives you a log that you can run tail on. It probably is going to grow too large. I solved this for a different server in the past, by telling the log that was a clone to be limited in size. In this way, it was not rolled out, but rather, truncated. I am not sure how named would do this. If it will not truncate it, you can write a small script to do it for you.

Now that you have a log that is maintained at a fixed size that is manageable, you can do your tail business on it. I also seem to remember, tail has some flags that may help you with dealing with the log rotation issues. I only remember them vaguely, as they were not applicable to what I was doing at the time.

Hope this helps some.

On Apr 27, 2009, at 10:26 PM, Jonathan Petersson wrote:

Hi all,

I'm thinking of writing a quick tool to archive the query-log in a database to allow for easier reports. The obvious question that occurs is: what would be the best approach to do this?

Running scripts that parse through the query-log would cause locking, essentially killing BIND on a heavily loaded server, and only parsing archived files wouldn't allow real-time information; also re-parsing the same set of data over and over again until the log has rotated would cause unnecessary I/O load. I'm guessing the best would be to have BIND write directly to a script that dumps the data where-ever it makes sense to.

I've used BIND statistics and found it highly useful but then again it doesn't allow me to make breakdowns based on host/query.

If anyone has done something like this or has pointers on how this could be achieved, any information is welcome!

--
Scott * If you contact me off list replace talklists@ with scott@ *

--
http://www.finalcog.com/
Re: request timeout
IIRC it's 3 seconds.

On Tue, Apr 28, 2009 at 12:42 AM, Jeff Pang hostmas...@duxieweb.com wrote:

When a Bind requests another Bind for a name resolving, what's the timeout value for this request? I mean, within how many seconds peer Bind doesn't answer it, this Bind will give up the query?

Thanks.
Regards.
Re: approach on parsing the query-log file
The problem I'm seeing with this is that we'll get data that may be inconsistent. Just because a query is sent to a server doesn't mean that there's a name-server there to answer, I believe querying the log-file one way or another would give a more accurate picture of load etc.

On Tue, Apr 28, 2009 at 2:33 AM, Chris Buxton cbux...@menandmice.com wrote:

On Apr 28, 2009, at 5:26 AM, Jonathan Petersson wrote:

Hi all, I'm thinking of writing a quick tool to archive the query-log in a database to allow for easier reports.

If it were me, I would turn off query logging and use a packet sniffer.

Chris Buxton
Professional Services
Men & Mice
Re: approach on parsing the query-log file
I don't think the cost is that great having querylogging enabled, running the same test using dnsperf there's a 43% performance-increase but 70 000 queries per second is still acceptable with query-logging enabled.

/Jonathan

On Tue, Apr 28, 2009 at 10:05 AM, Alan Clegg alan_cl...@isc.org wrote:

Jonathan Petersson wrote:

So I gave tail a try in perl both via File::Tail and by putting tail -f in a pipe.

As was stated previously in this thread, you are going down a bad path by using query-log for any purpose beyond short debugging sessions. The loss in performance is rather painful. The use of a network sniffing package is much preferable.

[Just to see, try running your million queries with and without query logging turned on and see if you are happy with the results]

But, if that's what you want to do, I wish you luck.

AlanC
Re: approach on parsing the query-log file
I did try to run the following option:

syslog named;

but when matching on named.* in syslog.conf there's no output.

/Jonathan

2009/4/28 JINMEI Tatuya / 神明達哉 jinmei_tat...@isc.org:

At Tue, 28 Apr 2009 10:01:02 -0700, Jonathan Petersson jpeters...@garnser.se wrote:

So I gave tail a try in perl both via File::Tail and by putting tail -f in a pipe. Neither seems to be handling the logrotation well. In my case I'm running a test sending 1 million queries, of those half is picked up by File::Tail if you define how often it should re-read the file but using tail -f straight or File::Tail without arguments just stops once the log has rotated as it doesn't seem to figure out to continue onto the new file.

I've never tried it, but how about letting named dump log messages to syslog, and letting syslogd forward all messages to a separate process via a pipe (assuming your syslogd supports that)?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: approach on parsing the query-log file
Ah i.e. I'm using an incorrect logfacility... that would explain things.

Either way, I did try to parse tcpdump for queries, the problem I'm getting is that perl isn't the best option for this so I'm going to look into whether things could get sped up with python or something.

/Jonathan

2009/4/28 Jeremy C. Reed jeremy_r...@isc.org:

On Tue, 28 Apr 2009, Jonathan Petersson wrote:

I did try to run the following option: syslog named;

syslog should define a syslog facility. Look in the openlog, syslog and/or syslog.conf manual pages to see lists of facilities. The ARM says:

The syslog destination clause directs the channel to the system log. Its argument is a syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities are supported on all operating systems.

but when matching on named.* in syslog.conf there's no output.
Re: approach on parsing the query-log file
After feedback and running some tests today I've found that the most cost-effective approach as far as performance goes is to use the native querylog and rotate it often enough to have as live data as possible.

Some quick notes (all tests done with perl):

- Parse the querylog 500 000k queries: 3 seconds
- Parse tcpdump while running 1 million queries: 300k picked up, the rest lost due to too high CPU load

I haven't tried to pipe querylog through stderr but it feels like that could look a bit ugly running something that is more layered is favored.

At this point I'll have to make the sacrifice of having real-time data, parsing the querylog is the most efficient way as I see it based on my tests.

Thanks for all the feedback on this, I'll publish my code once I'm finished.

/Jonathan

On Tue, Apr 28, 2009 at 5:24 PM, Scott Haneda talkli...@newgeo.com wrote:

I have read the other posts here, and it looks like you are setting on tail, or a pipe, but that log rotation is causing you headaches. I have had to deal with things like this in the past, and took a different approach. Here are some ideas to think about.

Since you mentioned below you wanted this in real time, and that parsing an old log file is out, what about setting up a second log in named, of the same data, but do not rotate the log at all? This gives you a log that you can run tail on. It probably is going to grow too large. I solved this for a different server in the past, by telling the log that was a clone to be limited in size. In this way, it was not rolled out, but rather, truncated. I am not sure how named would do this. If it will not truncate it, you can write a small script to do it for you.

Now that you have a log that is maintained at a fixed size that is manageable, you can do your tail business on it. I also seem to remember, tail has some flags that may help you with dealing with the log rotation issues. I only remember them vaguely, as they were not applicable to what I was doing at the time.

Hope this helps some.

On Apr 27, 2009, at 10:26 PM, Jonathan Petersson wrote:

Hi all,

I'm thinking of writing a quick tool to archive the query-log in a database to allow for easier reports. The obvious question that occurs is: what would be the best approach to do this?

Running scripts that parse through the query-log would cause locking, essentially killing BIND on a heavily loaded server, and only parsing archived files wouldn't allow real-time information; also re-parsing the same set of data over and over again until the log has rotated would cause unnecessary I/O load. I'm guessing the best would be to have BIND write directly to a script that dumps the data where-ever it makes sense to.

I've used BIND statistics and found it highly useful but then again it doesn't allow me to make breakdowns based on host/query.

If anyone has done something like this or has pointers on how this could be achieved, any information is welcome!

--
Scott * If you contact me off list replace talklists@ with scott@ *
Re: stop zone transfers from coming in
I would honestly look for a typo since you're saying that it does work for some.

Either way unless the admin turns it off you will get zone-transfers, the question lies in whether your name-server accepts them and propagates them down. Check in the log for transfer or notification refusals and make sure that you don't have any global variables that could cause issues.

/Jonathan

On Tue, Apr 28, 2009 at 9:38 PM, Chris Henderson henders...@gmail.com wrote:

My server works as a secondary for a zone. I asked the master server's admin to stop the zone transfer; I didn't get any reply and thus commented out the zone's section in my named.conf. But I'm still getting zone files coming in to my server. Here is what I have commented out:

# zone "example.com" {
#     type slave;
#     file "extra/example.com";
#     masters {
#         xxx.xxx.xx.xx;
#     };
# };

I commented out for some other zones as well and they have stopped coming but not this one. How do I stop this?

Thanks.
approach on parsing the query-log file
Hi all,

I'm thinking of writing a quick tool to archive the query-log in a database to allow for easier reports. The obvious question that occurs is: what would be the best approach to do this?

Running scripts that parse through the query-log would cause locking, essentially killing BIND on a heavily loaded server, and only parsing archived files wouldn't allow real-time information; also re-parsing the same set of data over and over again until the log has rotated would cause unnecessary I/O load. I'm guessing the best would be to have BIND write directly to a script that dumps the data where-ever it makes sense to.

I've used BIND statistics and found it highly useful but then again it doesn't allow me to make breakdowns based on host/query.

If anyone has done something like this or has pointers on how this could be achieved, any information is welcome!

Thanks
/Jonathan
Limit allow-transfer to key + IP
Hi all,

I was reading up on TSIG signed zone-transfers and gave it a try in my lab this morning, successfully. However what I noticed (which makes sense based on my config) is that any host with the appropriate key is allowed to perform a zone-transfer.

Is there any way to limit the zone-transfer to require both key and known IP using allow-transfer?

Thanks
/Jonathan
Re: Limit allow-transfer to key + IP
Thanks!

/Jonathan

On Tue, Apr 14, 2009 at 12:28 PM, Chris Thompson c...@cam.ac.uk wrote:

On Apr 14 2009, Jonathan Petersson wrote:

I was reading up on TSIG signed zone-transfers and gave it a try in my lab this morning, successfully. However what I noticed (which makes sense based on my config) is that any host with the appropriate key is allowed to perform a zone-transfer. Is there any way to limit the zone-transfer to require both key and known IP using allow-transfer?

Yup. Use

allow-transfer { !{!11.22.33.44}; key secret-key; };

Now sit down with a cold, cold drink and puzzle out why that works!

--
Chris Thompson
Email: c...@cam.ac.uk
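
Why a nested negation can make allow-transfer require both a source address and a TSIG key, as an added example: a small Python model of BIND's first-match address-match-list evaluation, not code from this thread or from BIND. It writes the nested list with a trailing `any;`, the form the BIND ARM gives for this idiom; `203.0.113.9` is a constructed outsider address and the function names are hypothetical.

```python
"""Toy model of BIND address-match-list evaluation (added example, not BIND code)."""
import ipaddress
import re

TOKEN = re.compile(r"[{};!]|[^\s{};!]+")


def parse(text):
    """Parse the body of an address match list into (negated, kind, value) items."""
    tokens = TOKEN.findall(text)
    pos = 0

    def parse_list(closing):
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != closing:
            negated = tokens[pos] == "!"
            if negated:
                pos += 1
            if pos >= len(tokens):
                raise ValueError("'!' with nothing after it")
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                items.append((negated, "acl", parse_list("}")))
                pos += 1  # consume the closing brace
            elif tok == "key":
                if pos >= len(tokens):
                    raise ValueError("'key' without a name")
                items.append((negated, "key", tokens[pos]))
                pos += 1
            elif tok == "any":
                items.append((negated, "any", None))
            else:
                net = ipaddress.ip_network(tok, strict=False)
                items.append((negated, "net", net))
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
        return items

    return parse_list(None)


def evaluate(items, addr, key):
    """First match wins: True = positive match, False = negative, None = no match."""
    for negated, kind, value in items:
        if kind == "net":
            hit = addr in value
        elif kind == "key":
            hit = key == value
        elif kind == "any":
            hit = True
        else:
            # Nested list: only a positive inner result counts as a match here.
            # A negative inner result is "no match", so evaluation moves on.
            hit = evaluate(value, addr, key) is True
        if hit:
            return not negated
    return None


def transfer_allowed(acl_text, client_ip, tsig_key=None):
    """Access is granted only on a positive match; no match means denied."""
    addr = ipaddress.ip_address(client_ip)
    return evaluate(parse(acl_text), addr, tsig_key) is True


# The situation in the question: the key alone is enough, from any address.
KEY_ONLY = "key secret-key;"
# Nested form: every address except 11.22.33.44 hits "any" inside the inner
# list, the outer "!" turns that into a denial, and only 11.22.33.44 falls
# through to the key test.
KEY_AND_IP = "!{ !11.22.33.44; any; }; key secret-key;"
# Without "any;" the inner list can never match positively, so the outer "!"
# never fires and the key alone is sufficient again.
NO_ANY = "!{ !11.22.33.44; }; key secret-key;"

if __name__ == "__main__":
    cases = [("11.22.33.44", "secret-key"), ("11.22.33.44", None),
             ("203.0.113.9", "secret-key"), ("203.0.113.9", None)]
    for name, acl in [("KEY_ONLY", KEY_ONLY), ("KEY_AND_IP", KEY_AND_IP),
                      ("NO_ANY", NO_ANY)]:
        for ip, key in cases:
            print(f"{name:10} {ip:12} key={key!s:10} ->",
                  transfer_allowed(acl, ip, key))
```

After changing an ACL like this, confirm it from a host outside the allowed address with the real key: the AXFR attempt should be refused and logged by named.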
Re: Windows servers trying to update my zone
I'm not clear what you're trying to achieve here but if you don't want the servers to update the zones you're fine as it is. You may want to look at the hosts that are trying to make updates and make changes on those accordingly.

If you do want them to be able to update just add

allow-update { ip; };

in the zone argument and you should be good to go.

/Jonathan

On Tue, Apr 7, 2009 at 5:28 PM, joans4nz joans...@gmail.com wrote:

Hi,

I am working as a little ISP in a building giving service to a few enterprises. All enterprises are using private ip addresses. Only my servers have public ip addresses. In all enterprises there is a dns server that is a subdomain of my domain and my dns servers are showing the following log messages:

Apr 7 20:00:19 myserver named[67312]: client 172.16.0.153#2100: view interna: update 'mydomain.com/IN' denied
Apr 7 20:01:28 myserver named[67312]: client 172.16.0.146#2122: view interna: update 'mydomain.com/IN' denied
Apr 7 20:02:37 myserver named[67312]: client 172.16.0.161#2138: view interna: update 'mydomain.com/IN' denied
Apr 7 20:03:45 myserver named[67312]: client 172.16.0.153#2154: view interna: update 'mydomain.com/IN' denied
Apr 7 20:04:54 myserver named[67312]: client 172.16.0.146#2186: view interna: update 'mydomain.com/IN' denied

All the sub-domain dns servers are running on Windows and are behind a firewall. I tried a solution from the book DNS bind Cookbook but the problem was not solved. How do I fix this problem?

Thanks to all,
joans4nz
Regexp to match RR's
Hi all,

I got some time over so I decided to hack a bit on a DNS management tool for my home-server. I'm curious as to whether someone knows of a list of regexps that can be used to match RR's.

Thx
/Jonathan
Re: C/C++ version Load balancer DNS
You can use BIND itself as a load-balancer.

What's your goal? What's your current load? What's your anticipated load 12 months from now? What kind of equipment do you have available?

/Jonathan

On Fri, Apr 3, 2009 at 2:37 PM, Mallappa Pallakke palla...@gmail.com wrote:

Hi,

Is there any C/C++ version load balancer available? As I know we have lbnamed which is a Perl based load balancer. Or can we do a kind of load balancer using any other mechanism over DNS? It will be a great help if anybody can direct me in this regard.

Thanks,
Mallappa
Re: DNS forwarding not working properly?
You need to enable recursion in options.

/Jonathan

2009/3/26 ARMSTRONG, KENNETH karmstr...@botetourtva.us:

OK, I've been trying my hardest to figure this out. I have BIND9 installed and set up as a slave to one of our Domain Controllers (so we can at least still get DNS if it were to go down). It works fine for transferring the zone file of our domain down, and from the server running BIND I can resolve hostnames of our local network machines along with outside names such as google.com (using nslookup, yeah I know it sucks).

However, when I set up one of my Windows XP clients to use the new server for DNS, it can resolve local machine names fine when I run nslookup against it, but it gives me Query refused when trying to resolve an outside DNS name. I ran nslookup against the ISP's DNS IP's and can resolve the outside hostnames just fine, but for some reason I can't resolve them against the new DNS server.

I have not made any modifications to /etc/bind/named.conf. Instead, I have put my configurations in /etc/bind/named.conf.local (since that is what the named.conf file says to do). Here is my /etc/bind/named.conf.local file (protected of course):

Code:

zone "OURDOMAIN.COM" {
    type slave;
    masters { 192.168.1.22; 192.168.1.23; };
    file "OURDOMAIN.COM.db";
    allow-transfer { any; };
    allow-query { any; };
};

zone "192.168.in-addr.arpa" {
    type slave;
    masters { 192.168.1.22; 192.168.1.23; };
    file "192.168.in-addr.arpa.db";
    allow-transfer { any; };
    allow-query { any; };
};

And my /etc/bind/named.conf.options:

Code:

options {
    directory "/var/cache/bind";
    forwarders { 216.12.0.20; 216.12.48.23; };
    auth-nxdomain no;
    listen-on-v6 { any; };
};

Again, this only seems to affect outside clients, I can run queries on nslookup just fine on the DNS server itself. Any help would be greatly appreciated.

Kenny
Re: NOTIFY from masters when slave provides several views
Hi Terry,

Each view has to be independently notified if an update takes place.

/Jonathan

On Thu, Mar 26, 2009 at 4:46 PM, terry+bindus...@tmk.com wrote:

This question is related to the prior "Internal and External view on same slave server? - RESOLVED" thread, but seems to be a different situation in which the previous answer doesn't apply.

I have 3 nameservers, which we'll call ns1, ns2, and ns3. These servers are primarily slave servers for stealth master servers (that last part shouldn't really matter).

ns1, ns2, and ns3 operate with three views each - internal, customer, and external. Internal is for the ISP's infrastructure systems, customer is for customers (and allows recursion), and external is for the rest of the net (no recursion, just authoritative answers for the zones it serves).

The master servers can be in address ranges covered by any of those views as well - the ISP's own zones come from a server in the internal view, most customer zones come from servers in the customer view, with a few coming from servers in the external view.

Importantly, neither the masters nor ns1/2/3 have different zone data in different views - the answers are always the same.

As an example, if ns1 gets a NOTIFY for a slave zone from a master in an address covered by the customer view, it will do an xfer of the zone, but only for ns1's customer view. The internal and external views won't transfer until the expiry/refresh time for the zone fires.

Also important is that there are a *lot* of zones, and they all live in an external include file (which, itself, is a collection of smaller include files), which are all auto-generated from an external database. So it would be very difficult to change that. Also, most of the masters are on customer systems with a variety of nameserver versions, and asking them to add additional IP addresses (or indeed, make any changes at all) would also be very difficult.

What I'd like is some way to tell BIND that if it gets a NOTIFY for a zone, it should transfer that zone for all views, not just the matching view.

The BIND versions in use are 9.6.0-P1 and 9.6.1b1.

Here's a censored example of the relevant parts of the named.conf file:

// The internal view allows everything
view "internal" in {
    match-clients { internal; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    // Root hints
    //
    zone "." { type hint; file "named.root"; };

    // snip... (internal-only zones removed from example)

    // Customer zones
    //
    include "includes.conf";
};

// The customer view allows everything too, but has a different name for
// statistics gathering purposes, and might have restrictions added later
view "customer" in {
    match-clients { customer; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    // Root hints
    //
    zone "." { type hint; file "named.root"; };

    // Customer zones
    //
    include "includes.conf";
};

// The external view allows queries of zones we serve, but not recursion
view "external" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    // Root hints
    //
    zone "." { type hint; file "named.root"; };

    // Customer zones
    //
    include "includes.conf";
};

Terry Kennedy http://www.tmk.com
te...@tmk.com New York, NY USA
Re: Ever growing jnl files
I've seen similar behaviors in earlier versions of BIND as well. Since it doesn't seem to impact performance etc. I haven't really bothered with it.

What you can do is to run an rndc freeze/thaw, this will check out the journal file.

/Jonathan

On Wed, Jan 7, 2009 at 10:30 AM, Nicholas F Miller nicholas.mil...@colorado.edu wrote:

> We have a few dynamic zones that are provisioned using Addhost. When addhost adds records to the zone every night it will run nsupdate update.file. The update.file will contain records like these:
>
> prereq yxrrset machine.colorado.edu. in a
> update delete machine.colorado.edu. in a
> prereq yxrrset machine.colorado.edu. in hinfo
> update delete machine.colorado.edu. in HINFO
>
> This all works fine but the jnl doesn't ever go away after nsupdate runs like this. The jnl will continue to be appended to every night when nsupdate is run again. If we use nsupdate without feeding it a file the jnl will disappear like it's supposed to. Is this a glitch in bind bind-9.5.0-P2?
>
> Nicholas Miller, ITS, University of Colorado at Boulder
Re: Bind open to query from anyone
In general I would think that it isn't recommended unless it's intended, you probably don't want random clients querying your servers for content you don't control.

To kill this add recursion no; in options, if you do want this enabled for certain prefixes have a look at allow-recursion.

Good luck,
/Jonathan

On Mon, Jan 5, 2009 at 3:15 AM, Chris Henderson henders...@gmail.com wrote:

> I've setup a secondary name server which works as a secondary or slave name server for my zone or domain name. However, I have tested and noticed that I can query for non-authoritative answers from my secondary or slave name server from outside my network. That is, any one can use my name server to query any host name, eg. www.google.com, www.yahoo.com etc.
>
> Is this a bad idea? How can I stop this?
>
> Thanks for any suggestions.
statistics-channels No such URL
Hi everyone,

Could someone give me a quick pointer what to look for if I get "No such URL" when trying to access the statistics web-site.

Thx
/Jonathan
Re: statistics-channels No such URL
So I did find the reason:

Jan 3 09:45:04 localhost named[5038]: statistics-channels specified but not effective due to missing XML library

anything besides:

[r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
libxml2-2.7.2-2.fc10.i386
libxml2-devel-2.7.2-2.fc10.i386

That's needed? Bind is compiled from source with --with-libxml2 --enable-threads

Thanks
/Jonathan

On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson jpeters...@garnser.se wrote:

> Hi everyone,
>
> Could someone give me a quick pointer what to look for if I get "No such URL" when trying to access the statistics web-site.
>
> Thx
> /Jonathan
Re: statistics-channels No such URL
Sorry for all the spamming, I forgot doing a distclean between the builds, it's working now.

/Jonathan

On Sat, Jan 3, 2009 at 9:51 AM, Jonathan Petersson jpeters...@garnser.se wrote:

> Also:
>
> [r...@localhost bind-9.6.0]# ./configure --with-libxml2 --enable-pthread
> .
> checking for libxml2 library... yes
> .
> config.status: executing chmod commands
> [r...@localhost bind-9.6.0]#
>
> On Sat, Jan 3, 2009 at 9:46 AM, Jonathan Petersson jpeters...@garnser.se wrote:
>
> > So I did find the reason:
> >
> > Jan 3 09:45:04 localhost named[5038]: statistics-channels specified but not effective due to missing XML library
> >
> > anything besides:
> >
> > [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
> > libxml2-2.7.2-2.fc10.i386
> > libxml2-devel-2.7.2-2.fc10.i386
> >
> > That's needed? Bind is compiled from source with --with-libxml2 --enable-threads
> >
> > Thanks
> > /Jonathan
> >
> > On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson jpeters...@garnser.se wrote:
> >
> > > Hi everyone,
> > >
> > > Could someone give me a quick pointer what to look for if I get "No such URL" when trying to access the statistics web-site.
> > >
> > > Thx
> > > /Jonathan
Re: Magic for NSEC3
Thanks for your input

/Jonathan

On Jan 3, 2009, at 16:13, Mark Andrews mark_andr...@isc.org wrote:

> In message fa2e1350901031122w75768929h3b17e0a47b806...@mail.gmail.com, Jonathan Petersson writes:
>
> > Hi all,
> >
> > Hopefully this post won't cause as much SPAM as my last one.
> >
> > About a year ago I started looking into DNSSEC and how to work with it for dynamic updates etc. Since only NSEC was supported, allowing whomever to do an unauthorized zone-transfer I canceled my projects later finding out that NSEC3 would stop the behavior.
>
> One really needs to look at the cost benefit analysis to decide whether to use NSEC or NSEC3. NSEC3 is much more expensive for both authoritative servers and validators than NSEC. There are almost no zones that need that level of protection.
>
> Stopping AXFR/IXFR has almost zero cost so for many people it has become reflex without any need to justify it. Stopping zone enumeration has a relatively high cost.
>
> Note for many servers stopping AXFR/IXFR was not about the zone content and more about preserving file descriptors for use by the slaves and legitimate TCP clients rather than the curious.
>
> > With the release of BIND 9.6 my understanding is that NSEC3 is now supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty clueless as whether there's any magic sauce to get NSEC3 records vs. NSEC.
> >
> > If anyone has a pointer that would be of help, I've tried using NSEC3RSASHA1 keys without success of getting NSEC3 records.
>
> NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when signing the zone. You need to tell dnssec-signzone which one to use.
>
> dnssec-signzone -3 salt [-H iterations] [-A]
>
> > Thx
> > /Jonathan
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: zone propagation
What I've done is that I maintain a master-slave zone on my master, if any new zones are manipulated I push out an updated config to my 20 or so slave-servers, once pushed out I trigger a sudo script via ssh that reloads bind with the new config and voilà.

/Jonathan

On Wed, Dec 24, 2008 at 7:38 PM, wes b...@the-wes.com wrote:

> On Wed, Dec 24, 2008 at 9:54 AM, Michael Varre mva...@gmail.com wrote:
>
> > On 12/24/08, wes b...@the-wes.com wrote:
> >
> > > Can I configure a pair of bind9 servers, one master and one slave, so that when I create a new zone on the master, it is also created on the slave? I already have slaving of existing zones working well.
> > >
> > > thanks,
> > > -wes
> >
> > I'm sure there are other ways but I use webmin to handle all of it for me. I used to do it all manually on the command line, logging into each server and manually adding new zones but webmin has cut the time it takes for me to make dns MACs down to about 10% of what it used to be.
>
> Interesting. I am using Webmin. I had to create each zone on the master and slave servers, and set them up accordingly. Can you give me a small hint as to where the magic flag is to configure Webmin for this?
>
> thanks,
> -wes
Re: DDNS and allow-update declarations
I did some testing with this a couple of months ago and it seems like AD is following the NS directive in the SOA.

The design I used in my test-case was to put AD as an authoritative updater of the specified zone on my master, once updated the BIND master was responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND slave-servers for the zone, and vice versa configure your slaves to have the AD as master for the zone, what I've experienced is that updates of new records tends to be REALLY slow, thus I would go with the first option.

/Jonathan

On Wed, Dec 10, 2008 at 8:17 AM, Nicholas F Miller [EMAIL PROTECTED] wrote:

> I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.
>
> 1) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?
>
> 2) In the configs below does the slave server's IP need to be listed in the allow-update declaration on the master zone server?
>
> Master Server - 1.2.3.4
>
> zone "actived.example.com" {
>     type master;
>     file "named.ad";
>     allow-update {
>         1.2.3.4;         // master DNS server
>         11.22.33.44;     // domain controller 1
>         55.66.77.88.99;  // domain controller 2
>     };
>     allow-transfer {
>         5.6.7.8;         // slave DNS server
>     };
> };
>
> Slave Server - 5.6.7.8
>
> zone "actived.example.com" {
>     type slave;
>     file "named.ad";
>     allow-update-forwarding {
>         11.22.33.44;     // domain controller 1
>         55.66.77.88.99;  // domain controller 2
>     };
>     allow-transfer { none; };
>     masters {
>         1.2.3.4;         // master DNS server
>     };
> };
>
> Thanks,
> Nicholas Miller, ITS, University of Colorado at Boulder
Re: DDNS and allow-update declarations
On Wed, Dec 10, 2008 at 4:00 PM, Mark Andrews [EMAIL PROTECTED] wrote:

> In message [EMAIL PROTECTED], Nicholas F Miller writes:
>
> > I have a couple of questions regarding how a Microsoft domain controller updates a dynamic zone.
> >
> > 1) When a domain controller tries to update the zone does it try the DNS servers it has listed in its network settings or does it follow the SOA for the zone?
>
> There are knowledge base articles which describe this fully. I suggest that you search the Microsoft knowledge base for the complete answer.

http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

cut
Re: Binding DNS server to a particular IP address
Shouldn't the server statement in options/view do the trick?

/Jonathan

On Wed, Dec 3, 2008 at 12:04 PM, Todd Snyder [EMAIL PROTECTED] wrote:

> Try the listen-on directive. Read more here:
>
> http://books.google.com.hk/books?id=zkZN52WhG8sCprintsec=frontcoverdq=dnsei=dA-3SJ7XEaWijgG7v4Qwhl=ensig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q#PPA270,M1
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry M
> Sent: Wednesday, December 03, 2008 11:37 AM
> To: bind-users@lists.isc.org
> Subject: Binding DNS server to a particular IP address
>
> I have two different IP addresses coming into my server. I need to guarantee that ISC BIND only monitors and replies to requests coming from one of the two IP addresses.
>
> I can't seem to find a configuration parameter that tells the server which IP address to listen on.
>
> How do I configure that?
>
> Thanks.
>
> JWM
>
> This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
Re: nsupdate ACL based on a key AND ip-subnet
Actually, to take this a step further, is there any remote possibility to combine this with update-policy as well?

I know both questions has been mentioned on the list before with varied answers but I wanted to raise it again since this was finally figured out.

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt [EMAIL PROTECTED] wrote:

> > allow-update { !{!10/8;any;}; key update-key; };
> >
> > Wouldn't this still permit any client on the 10/8 subnet to update the zones?
>
> It's very confusing syntax, but no.
>
> You're probably thinking in boolean algebra (I did too, when I first encountered this). If it were boolean algebra, you could redistribute the negatives: !{!10/8; any;} becomes {!!10/8; !any;} and then simplifies to {10/8; none;}.
>
> But ACLs aren't boolean, so you can't do that. Each element has three possible results not two: match and accept, match and reject, or no match, which means continue processing.
>
> When an ordinary ACL element matches and is negated (for example, the element is !10/8; and the address is 10.0.0.1) that means match and reject. But if the match is inside of a *nested* ACL, then it's treated differently: A negative result means the nested ACL didn't match--and so you continue processing.
>
> So if you're checking address A against an ACL of one of the following forms, these will be the results:
>
> { A;B; }          == A is allowed, accept immediately
> { { A; }; B; }    == A is allowed, accept immediately
> {!A;B; }          == A is forbidden, reject immediately
> { !{ A; }; B; }   == A is forbidden, reject immediately
> { { !A; }; B; }   == A matched but was negated, try element B
> { !{ !A; }; B; }  == A matched but was negated, try element B
>
> Those last two lines there are confusingly similar (and, as written, useless). The difference is what happens if you're checking an address *other* than A, and something else in the nested ACL matches it.
>
> { { !A; any; }; B; }   == any address other than A is accepted at once, but A is only accepted if B matches too.
>                           boolean translation: ((not A) or (A and B))
>
> { !{ !A; any; }; B; }  == any address other than A is *rejected* at once, but A is accepted as long as B matches too.
>                           boolean translation: (A and B)
>
> Hope that's helpful. (*I* find it hard to keep this syntax straight, and I wrote a big chunk of the code that implements it in BIND 9.5...)
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
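The three-result matching described in the quoted reply above, as an added Python model (not BIND's code and not part of the original thread): the first matching element decides, and a nested list counts as a match only when it yields a positive result. The function names, the IPv4-only prefix handling, the assumption of well-formed input and the sample addresses used with it are assumptions of this example.

```python
import ipaddress
import re

ACCEPT, REJECT, NO_MATCH = "accept", "reject", "no match"
NESTED = "{ !{ !10/8; any; }; key update-key; }"   # ACL from the thread
FLAT = "{ 10/8; key update-key; }"                 # the OR it can be mistaken for

def parse_acl(text):
    """Parse an address-match list into a list of (negated, item) pairs."""
    tokens = re.findall(r"[{};!]|[^\s{};!]+", text)
    pos = 0

    def parse_list():
        nonlocal pos
        pos += 1                              # consume "{"
        elems = []
        while tokens[pos] != "}":
            negated = tokens[pos] == "!"
            if negated:
                pos += 1
            if tokens[pos] == "{":
                item = parse_list()           # nested list
            else:
                start = pos
                while tokens[pos] != ";":
                    pos += 1
                item = " ".join(tokens[start:pos])
            pos += 1                          # consume ";"
            elems.append((negated, item))
        pos += 1                              # consume "}"
        return elems

    if not tokens or tokens[0] != "{":
        raise ValueError("address-match list must start with '{'")
    return parse_list()

def _network(text):
    """Expand BIND shorthand such as 10/8 to 10.0.0.0/8 (IPv4 only here)."""
    addr, _, length = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (length or "32"), strict=False)

def _matches(item, addr, key):
    if isinstance(item, list):
        # A nested list matches only on a positive result; a negated hit
        # inside it means "keep going" for the outer list, not "reject".
        return evaluate(item, addr, key) == ACCEPT
    if item == "any":
        return True
    if item.startswith("key "):
        return key == item[4:]                # name of the TSIG key on the request
    return ipaddress.ip_address(addr) in _network(item)

def evaluate(acl, addr, key=None):
    """First matching element decides; falling off the end is 'no match'."""
    for negated, item in acl:
        if _matches(item, addr, key):
            return REJECT if negated else ACCEPT
    return NO_MATCH

def allowed(acl_text, addr, key=None):
    """A request is permitted only when the list yields a positive match."""
    return evaluate(parse_acl(acl_text), addr, key) == ACCEPT
```

With NESTED, allowed() is true only for a 10/8 source that also presents update-key; with FLAT, either condition alone is enough.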
Re: nsupdate ACL based on a key AND ip-subnet
Yeah it would most likely be a feature request/change.

IIRC update-policy cannot be used in conjunction with the allow-update statement. Personally I prefer the usage of update-policy as I can assign different business units within my organization to take responsibility for certain records/record types.

As I'm using a multi-view server (public and private IP) I'm concerned that the update keys used might get compromised (computer stolen or whatever) thus it would be useful to be able to limit the capability for updates for specified IP-ranges. This is achieved with the allow-update policy given throughout this conversation but as you cannot use them in conjunction with update-policy I'm not able to limit certain records/record types to keys.

To put this in a conf example I'm thinking something like:

allow-update {
    ! { !10/8; any; };
    update-policy {
        grant key subdomain dummy.com ALL;
    };
};

I hope this makes sense.

/Jonathan

On Mon, Nov 17, 2008 at 4:43 PM, Evan Hunt [EMAIL PROTECTED] wrote:

> > Actually, to take this a step further, is there any remote possibility to combine this with update-policy as well?
>
> I'm not sure what you mean. I believe you can use allow-updates to filter according to IP address and then update-policy to filter according to key; that might be an easier way to accomplish the same thing. I've never done so, but I'd expect it to work. But it sounds like you're asking for a feature change... clarify please?
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
Re: nsupdate ACL based on a key AND ip-subnet
Guess I should start digging in the code then :)

On Mon, Nov 17, 2008 at 5:59 PM, Evan Hunt [EMAIL PROTECTED] wrote:

> > IIRC update-policy cannot be used in conjunction with the allow-update statement.
>
> My bad--you're right. There's code I'd never noticed before that says allow-update will be ignored if update-policy is set. Whoops.
>
> (Oddly, the check only applies when both of them are defined in the zone itself. You can put allow-updates in the view options and update-policy in the zone, and named won't complain about it... but it also won't work the way you want it to.)
>
> I don't know why it was implemented this way--there's no protocol reason I can see. (There may be other reasons I don't know about.) It's probably not a high enough priority for ISC to devote engineering resources to it at this time, but if someone submitted a patch that added an ACL check to the update-policy syntax, I'm sure we'd consider it.
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.