Re: Split Delegation IP Reverse

2010-11-23 Thread Jonathan Petersson
You could CNAME the records to another PTR domain maintained by the
third server.

230.0.168.192.in-addr.arpa is an alias for 230.0-28.0.168.192.in-addr.arpa
230.0-28.0.168.192.in-addr.arpa domain name pointer host.domainname

On Tue, Nov 23, 2010 at 10:43 PM, Wilbert J. Rojas O.
 wrote:
> Hi,
>
> Hello!
>
> My scenario is as follows:
>
> I have the following network 192.168.0.0/24 which manages my primary DNS
> server for this zone reversals and if any updates on the reverse of an IP
> upgrade to a second DNS server is a slave.
>
> Well my question is:
>
> Suppose I have a third server that will manage DNS but only part of the
> reverse IP block that my two DNS servers given, say that this third server
> must manage the reverse DNS for the network 192.168.0.230/28 only.
>
> How could you do this?
>
> Ing. Wilbert J. Rojas O. | Equipos y Sistemas, S.A.
> Systems Administrator.
> Colegio Centro América, 60 m north. | Managua, Nicaragua
> wro...@ideay.net.ni | Tel.: +505 2277-4000 Ext. 115 | Fax: +505 2277-4411
>
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
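The CNAME arrangement Jonathan describes is the classless in-addr.arpa delegation of RFC 2317. As an added example (not code from the thread or from BIND), the Python 3 script below generates the records both sides need for a sub-/24 block: the /24 owner's NS delegation plus one CNAME per address, and the third server's PTRs in the child zone, with a check for addresses whose alias points at a name the child zone does not yet answer for. The child zone is named in the dash form Jonathan uses (first address of the block, then prefix length); `ns.third.example.` is a placeholder nameserver and `host.domainname.` is the target from his example.

```python
"""Classless (RFC 2317 style) reverse delegation of a sub-/24 block.

The owner of the /24 reverse zone keeps that zone, delegates a child zone
named after the sub-block to the third server, and aliases each address's
PTR name to the corresponding name in the child zone.
"""
import ipaddress

Record = tuple[str, str, str]  # (owner name, RR type, RDATA); names are absolute


def slash24_zone(net: ipaddress.IPv4Network) -> str:
    """in-addr.arpa zone for the /24 that contains the block."""
    o = net.network_address.packed
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def child_zone(net: ipaddress.IPv4Network) -> str:
    """Child zone in the dash form used on the list: <first octet>-<prefix>.<parent>."""
    if not 24 < net.prefixlen < 32:
        raise ValueError("classless delegation is for blocks between /25 and /31")
    return f"{net.network_address.packed[3]}-{net.prefixlen}.{slash24_zone(net)}"


def parent_zone_records(cidr: str, child_nameservers: list[str]) -> list[Record]:
    """What the /24 owner adds: NS records delegating the child zone, then one
    CNAME per address in the block pointing into that child zone.
    Host-style notation such as 192.168.0.230/28 is normalised to its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    parent, child = slash24_zone(net), child_zone(net)
    records: list[Record] = [(child, "NS", ns) for ns in child_nameservers]
    for addr in net:
        last = addr.packed[3]
        records.append((f"{last}.{parent}", "CNAME", f"{last}.{child}"))
    return records


def child_zone_records(cidr: str, ptr_map: dict[str, str]) -> list[Record]:
    """What the third server publishes: PTRs owned by the aliased names."""
    net = ipaddress.ip_network(cidr, strict=False)
    child = child_zone(net)
    records: list[Record] = []
    for ip, host in ptr_map.items():
        a = ipaddress.ip_address(ip)
        if a not in net:
            raise ValueError(f"{ip} is outside {net}")
        records.append((f"{a.packed[3]}.{child}", "PTR", host))
    return records


def missing_ptrs(parent: list[Record], child: list[Record]) -> list[str]:
    """CNAME targets in the parent zone that have no PTR in the child zone;
    a lookup for those addresses follows the alias and then gets NXDOMAIN."""
    ptr_owners = {owner for owner, rrtype, _ in child if rrtype == "PTR"}
    return [rdata for _, rrtype, rdata in parent
            if rrtype == "CNAME" and rdata not in ptr_owners]


def zone_text(records: list[Record]) -> str:
    """Render records as zone-file lines."""
    return "\n".join(f"{o}\tIN\t{t}\t{r}" for o, t, r in records)


if __name__ == "__main__":
    block = "192.168.0.230/28"  # the block from the question, normalised to .224/28
    parent = parent_zone_records(block, ["ns.third.example."])  # placeholder NS name
    child = child_zone_records(block, {"192.168.0.230": "host.domainname."})
    print(zone_text(parent))
    print(zone_text(child))
    print("addresses still without a PTR:", len(missing_ptrs(parent, child)))
```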


Re: How does BIND 9 scale with multithreading?

2010-09-30 Thread Jonathan Petersson
1 QuadCore Intel i7 920 on Fedora 11 x86_64 (can't remember the exact
kernel version) with and without hyperthreading and overclocked
ranging between 2.8 and 3.4GHz

On Thu, Sep 30, 2010 at 2:03 PM, Matus UHLAR - fantomas
 wrote:
> On 29.09.10 10:43, Jonathan Petersson wrote:
>> I did some benchmarking on this about 1.5 yrs ago, here's a graph
>> representing the results: http://sedoss.com/bind.png
>
> on how many processors was this ran?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not wish to receive any advertising mail at this address.
> "To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: How does BIND 9 scale with multithreading?

2010-09-29 Thread Jonathan Petersson
I did some benchmarking on this about 1.5 yrs ago, here's a graph
representing the results: http://sedoss.com/bind.png

On Wed, Sep 29, 2010 at 10:37 AM,   wrote:
> Hi
>
> I read that 'old' BIND versions were better when threading was disabled. Load
> balancing between 2 processes was better.  Is this always the case?
> http://zaphods.net/~zaphodb/high-performance-bind9.html
>
> some interesting links for DNS performance :
> http://kb.linuxvirtualserver.org/wiki/Building_Scalable_DNS_Cluster_using_LVS
> https://lists.isc.org/pipermail/bind-users/2006-September/063917.html
>
> Philippe
>
>
>
>> -Original Message-
>> From: bind-users-bounces+philippe.simonet=swisscom@lists.isc.org
>> [mailto:bind-users-bounces+philippe.simonet=swisscom@lists.isc.org]
>> On Behalf Of Eivind Olsen
>> Sent: Wednesday, September 29, 2010 09:56
>> To: bind-us...@isc.org
>> Subject: How does BIND 9 scale with multithreading?
>>
>> Does anyone know if there are any benchmarks out in the public, which
>> could give some insight into how well BIND 9 scales with multithreading?
>> I've tried looking on this list, and googling, but haven't found anything
>> yet.
>>
>> To be a bit more specific - I'm not sure what a good option for server
>> hardware would be for a recursive DNS server. On one hand, the Sun (ok,
>> Oracle) Niagara/Coolthreads architecture seems to work nicely enough, but
>> maybe I'd be better off with some generic Intel/AMD based solution with
>> fewer threads/cores but higher GHz per thread?
>>
>> Regards
>> Eivind Olsen
>>
>>


Re: Overload some records for intern use

2009-11-13 Thread Jonathan Petersson
Someone correct me if I'm wrong but using BIND you must have the full
zone, partial forwarding/proxying isn't built in so you would need to
download the zone and replace the data you need to change.

/Jonathan

On Fri, Nov 13, 2009 at 11:22 AM, Johan VAN RYSEGHEM
 wrote:
> Hello all,
>
> my problem is quite simple, but I've tried a lot of different setups, none
> worked :(
>
> My company's DNS are hosted by a third-party operator. In the zone
> "websiteburo.com", there are several A records pointing to our different
> servers.
> My problem is: a few of these servers are hosted locally in our offices, so
> I'd like to set up a DNS server which would:
> 1/ return local addresses for a subset of records
> 2/ forward the queries to the external server if it cannot answer
>
> Of course I could probably write a batch which retrieves the zone from the
> external server and rewrites some records with local addresses, but I think
> there could be a more elegant way to do this.
>
> Help would be welcome
>
> Thanks in advance
>
> --
> Johan VAN RYSEGHEM - RIAS Developer
> Websiteburo | Agence Media Interactive | Bordeaux/Paris
> johan.van.ryseg...@websiteburo.com : 06.77.88.51.60 - Landline: 05.47.74.74.20
> http://www.websiteburo.com


Re: refuse in notify slave

2009-10-21 Thread Jonathan Petersson
The easiest workaround for this is either to use views or TSIG keys.

/Jonathan

On Thu, Oct 22, 2009 at 6:56 AM, Nelson Serafica  wrote:
> I have multiple IP addresses on my primary ns server (eth0, eth0:1,
> eth0:2). Let's say eth0 is 1.2.3.4, eth0:1 is 2.3.4.5 and eth0:2 is 3.4.5.6.
> I have a slave ns server but every time I do rndc reload and check the secondary
> ns on syslog, I see
>
> refused notify from non-master: 1.2.3.4#48499
>
> where 1.2.3.4 is the ip of eth0. Is it possible the ip address that will
> send to slave will be 4.5.6.7 (eth0:2) and not 1.2.3.4 (eth0)?


Internal whois server

2009-08-10 Thread Jonathan Petersson
Hi all,

This is probably somewhat of an un-legit way of using whois but I'm
curious as to whether it would be possible to install an internal
whois server that responds with the appropriate prefix-data upon
request for internal ip-numbers/domains while forwarding unknown
requests to external whois servers.

Has anyone done a similar implementation or know what kind of software
could be used to achieve this?

Thanks

/Jonathan


Re: Scale BIND over multiple kernels effectively

2009-05-03 Thread Jonathan Petersson
Before I start digging into the kernel-options for my distro does
anyone know if there's been any changes between 2.6.28 and 2.6.29 that
would decrease BIND performance? I'm seeing a 55% decrease going to
2.6.29.

/Jonathan

2009/4/30 JINMEI Tatuya / 神明達哉 :
> At Thu, 30 Apr 2009 15:41:03 -0700,
> Jonathan Petersson  wrote:
>
>> In light of this, is it possible to tell BIND how many threads it
>> should utilize or is it an ALL or ONE case?
>
> Do you mean the -n command line option?
>
> usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
> [-p port] [-s] [-t chrootdir] [-u username]
> [-m {usage|trace|record|size|mctx}]
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>


Re: named daemon hangs

2009-05-02 Thread Jonathan Petersson
Could you please provide a copy of your config, I'm guessing that you
have a general forwarder in place or haven't turned on recursion.

/Jonathan

On Sat, May 2, 2009 at 8:06 AM, Nelson Vale  wrote:
> Hi all,
>
>
> I've been facing a problem in my private network which I have not been able to
> fix yet.
>
> In my gateway (Linux, Debian-like) I have BIND 9.5 installed and running,
> and I have one IPSec tunnel to another gateway over the internet. It also
> has a forward zone configured with the name server being the other gateway's
> internal address (accessible through the IPSec tunnel only).
>
> Recently the other IPSec endpoint was shut down and, of course, my queries to
> the forward domain started failing. Nothing strange here...
>
> The real problem is that I suddenly was not able to resolve any other DNS
> queries, like www.google.com, from inside my network:
>
> "host www.google.com
> ;; connection timed out; no servers could be reached"
>
> I took a look at the named daemon and I see that it does not respond to
> anything as long as the IPSec tunnel is down, but only if it's the other
> endpoint that is down. I've tried stopping my endpoint and this problem does
> not occur as long as I restart named. I think this happens because as long
> as my endpoint is up the routes to the other endpoint are set, and named
> tries to query the forward domain name server. The problem is that the
> queries do not time out and named hangs there:
>
> The configuration I have is:
>
> Bind: BIND 9.5.0-P2
> IP Address (private): 192.168.9.254
> Forwarders: ADSL provider (2 forwarders)
> Forward Zone: mylan.loc
> Name Server:192.168.90.254
>
>
> After it starts, if I try to query one of the forward zone records
> (box.mylan.loc) it displays:
>
> "...
> 02-May-2009 14:22:21.843 socket 0xb7bd5548: dispatch_recv:  event 0xb7be3d28
> -> task 0xb7b74d18
> 02-May-2009 14:22:21.844 socket 0xb7bd5548: internal_recv: task 0xb7b74d18
> got event 0xb7bd559c
> 02-May-2009 14:22:21.844 socket 0xb7bd5548 192.168.9.2#47869: packet
> received correctly
> 02-May-2009 14:22:21.844 socket 0xb7bd5548: processing cmsg 0xb7bb2120
> 02-May-2009 14:22:21.844 client 192.168.9.2#47869: UDP request
> 02-May-2009 14:22:21.844 client 192.168.9.2#47869: using view '_default'
> 02-May-2009 14:22:21.845 client 192.168.9.2#47869: request is not signed
> 02-May-2009 14:22:21.845 client 192.168.9.2#47869: recursion available
> 02-May-2009 14:22:21.845 client 192.168.9.2#47869: query
> 02-May-2009 14:22:21.845 client 192.168.9.2#47869: ns_client_attach: ref = 1
> 02-May-2009 14:22:21.845 client 192.168.9.2#47869: query (cache)
> 'box.mylan.loc/A/IN' approved
> 02-May-2009 14:22:21.845 client 192.168.9.2#47869: replace
> 02-May-2009 14:22:21.845 clientmgr @0xb7baa608: createclients
> 02-May-2009 14:22:21.846 clientmgr @0xb7baa608: recycle
> 02-May-2009 14:22:21.846 createfetch: box.mylan.loc A
> 02-May-2009 14:22:21.846 fctx 0xb7bae408(box.mylan.loc/A'): create
> 02-May-2009 14:22:21.846 fctx 0xb7bae408(box.mylan.loc/A'): join
> 02-May-2009 14:22:21.846 fetch 0xb7bb4148 (fctx
> 0xb7bae408(box.mylan.loc/A)): created
> 02-May-2009 14:22:21.846 client @0xb7bda008: udprecv
> 02-May-2009 14:22:21.846 socket 0xb7bd5548: socket_recv: event 0xb7bd4b48 ->
> task 0xb7bb1690
> 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): start
> 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): try
> 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): cancelqueries
> 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): getaddresses
> 02-May-2009 14:22:21.847 findaddrinfo: new entry 0xb7aec4a0
> 02-May-2009 14:22:21.847 fctx 0xb7bae408(box.mylan.loc/A'): query
> 02-May-2009 14:22:21.848 socket 0xb7b79938: created
> 02-May-2009 14:22:21.848 socket 0xb7b79938 0.0.0.0#43841: bound
> 02-May-2009 14:22:21.848 dispatchmgr 0xb7bbb168: created UDP dispatcher
> 0xb7b6d378
> 02-May-2009 14:22:21.848 dispatch 0xb7b6d378: created task 0xb7b74d70
> 02-May-2009 14:22:21.848 dispatch 0xb7b6d378: created socket 0xb7b79938
> 02-May-2009 14:22:21.848 resquery 0xb7b80008 (fctx
> 0xb7bae408(box.mylan.loc/A)): send
> 02-May-2009 14:22:21.849 dispatch 0xb7b6d378 response 0xb7ba7848
> 192.168.90.254#53: attached to task 0xb7b6f2c8
> 02-May-2009 14:22:21.849 socket 0xb7b79938: socket_recv: event 0xb7b81698 ->
> task 0xb7b74d70
>
>
> and it hangs here forever. Even if I restart the named server it does not
> respond to any of my queries. If I stop the named server with Ctrl + C it
> displays:
>
> "...
> ^C02-May-2009 14:23:46.773 socket.c:1226: unexpected error:
> 02-May-2009 14:23:46.773 internal_send: 192.168.90.254#53: Interrupted
> system call should be restarted
> 02-May-2009 14:23:46.774 errno2result.c:111: unexpected error:
> 02-May-2009 14:23:46.774 unable to convert errno to isc_result: 85:
> Interrupted system call should be restarted
> 02-May-2009 14:23:46.774 resquery 0xb7b80008 (fctx
> 0xb7bae408(box.mylan.loc/A)): sent
> 02-May-2009 14:23:46.774 resquery 0xb7b80

Re: Scale BIND over multiple kernels effectively

2009-04-30 Thread Jonathan Petersson
Thanks for the feedback,

> 2 threads on 2 core: 45kqps
> 4 threads on 4 core: 108kqps
> 8 threads on 4 core + HT: 75kqps
> 16 threads on 8 core + HT: 35kqps
>
> correct?

yes

In light of this, is it possible to tell BIND how many threads it
should utilize or is it an ALL or ONE case?

/Jonathan


Scale BIND over multiple kernels effectively

2009-04-30 Thread Jonathan Petersson
Hi all,

I've been running some dnsperf tests on a couple of servers I have
resulting in some interesting behaviors.

The test-bed that I have is 3 servers with the following CPUs: E3110
(DC @ 3.00GHz), i7 920 (QC 2...@3.20ghz) and E5520 (Dual QC @
2.27GHz), RAM is 6GB on each running at 800-1.6GHz.

In the tests all logging has been disabled and the instance is
BIND-9.6.0-P1 with threads enabled.

In my tests I've queried localhost with 2 million A-record lookups of
the same host. Modifying the CPU parameters has shown some interesting
data.
First off the E3110, this server is running Fedora 9 x86_64 (2.6.27),
resulting in 45k qps with ~70% across the two cores.

Second server i7 920 with HT enabled running Ubuntu 9.04 x86_64
(2.6.28) gave 75k qps with ~50% across all virtual cores
Second server i7 920 with HT disabled running Ubuntu 9.04 x86_64
(2.6.28) gave 108k qps with ~70% across all physical cores

Third server E5520 with HT enabled running Fedora 11 x86_64 (2.6.29)
gave 35k qps with ~15% load across all virtual cores.

Given my results I have a couple of questions, looking at the scaling
between E3110 to i7 920 there was a 66% performance increase,
disabling HT on the i7 920 gave an additional 44% totaling in 140%
compared to E3110. This is all fine although I was hoping to see
greater or equal results when having HT enabled.

Now going to the server with dual E5520 having a total of 16 virtual
cores the result plummeted and couldn't even match the E3110,
unfortunately I'm unable to disable HT on this one (it's 12 000 miles
away) if that would be an issue seeing the result of the i7 920 but
I'm trying to understand why I'm seeing this serious performance
decrease and why the CPU load across the cores is that low.

Any input would be valuable, thanks!

/Jonathan


Re: approach on parsing the query-log file

2009-04-29 Thread Jonathan Petersson
For those who are interested in the end result, I decided to post my code
on my blog.

http://garnser.blogspot.com/2009/04/dns-query-parser.html

The code creates a FIFO that the BIND query log writes to. Once the script
receives data it's parsed, cached and written to a database.

I'll continue to make additions to it, if anyone has proposals of
additions or questions please contact me directly.

/Jonathan


Re: approach on parsing the query-log file

2009-04-29 Thread Jonathan Petersson
Thanks for the tip, however the main problem that I'm seeing is that
perl + MySQL becomes a bottleneck if this approach were to be used. I
ran some tests yesterday showing that caching 500k rows in a variable
and sending them to MySQL was 10 times as effective (90k vs 9k) as doing
individual writes.

I guess I could create an internal buffer in the script caching the
last X amount of messages based on a dynamic variable that adapts to
the query-flow and then creates a fork that writes it to the DB.

/Jonathan

On Wed, Apr 29, 2009 at 12:44 AM, Chris Dew  wrote:
> You may be interested in using circular buffers, instead of a log file.
>
> http://www.finalcog.com/replace-logs-emlog-circular-buffer
>
> I've used emlog successfully in the past and been very pleased with
> its performance.
>
> Hope this is useful.
>
> Chris.
>
> 2009/4/29 Scott Haneda :
>> I have read the other posts here, and it looks like you are settling on tail,
>> or a pipe, but that log rotation is causing you headaches.
>>
>> I have had to deal with things like this in the past, and took a different
>> approach.  Here are some ideas to think about.
>>
>> Since you mentioned below you wanted this in real time, and that parsing an
>> old log file is out, what about setting up a second log in named, of the
>> same data, but do not rotate the log at all?
>>
>> This gives you a log that you can run tail on.  It probably is going to grow
>> too large.  I solved this for a different server in the past, by telling the
>> log that was a clone to be limited in size.  In this way, it was not
>> rolled out, but rather, truncated.
>>
>> I am not sure how named would do this.  If it will not truncate it, you can
>> write a small script to do it for you.  Now that you have a log that is
>> maintained at a fixed size that is manageable, you can do your tail business
>> on it.
>>
>> I also seem to remember, tail has some flags that may help you with dealing
>> with the log rotation issues.  I only remember them vaguely, as they were not
>> applicable to what I was doing at the time.
>>
>> Hope this helps some.
>>
>> On Apr 27, 2009, at 10:26 PM, Jonathan Petersson wrote:
>>
>>> Hi all,
>>>
>>> I'm thinking of writing a quick tool to archive the query-log in a
>>> database to allow for easier reports.
>>>
>>> The obvious question that occurs is: what would be the best
>>> approach to do this?
>>>
>>> Running scripts that parse through the query-log would cause locking,
>>> essentially killing BIND on a heavily loaded server, and only parsing
>>> archived files wouldn't allow real-time information; also re-parsing
>>> the same set of data over and over again until the log has rotated
>>> would cause unnecessary I/O load. I'm guessing the best would be to
>>> have BIND write directly to a script that dumps the data wherever it
>>> makes sense to.
>>>
>>> I've used BIND statistics and found it highly useful but then again it
>>> doesn't allow me to make breakdowns based on host/query.
>>>
>>> If anyone has done something like this or has pointers on how this
>>> could be achieved, any information is welcome!
>>
>> --
>> Scott * If you contact me off list replace talklists@ with scott@ *
>>
>
>
>
> --
>
> http://www.finalcog.com/
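An added example in Python 3, not Jonathan's published script nor any list member's code, covering the approach his two 2009-04-29 messages describe: parse BIND query-log lines and write them to a database in batches rather than one row per query, then report per-client and per-name counts. It assumes the BIND 9.5/9.6 query-log layout (`client ADDR#PORT: query: NAME CLASS TYPE FLAGS (DEST)`, optionally prefixed by the channel's timestamp); the sample lines are constructed, the database is in-memory SQLite, and the input iterable could equally be a file object opened on the FIFO the query-log channel writes to.

```python
"""Parse BIND 9 query-log lines and load them into SQLite in batches."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed layout of a BIND 9.5/9.6 query-log line, with the channel's optional timestamp:
#   28-Apr-2009 10:05:01.001 client 192.168.9.2#47869: query: box.mylan.loc IN A + (192.168.9.254)
QUERY_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<dest>[^)]+)\)\s*$"
)

@dataclass(frozen=True)
class Query:
    ts: Optional[str]
    client: str
    port: int
    qname: str
    qclass: str
    qtype: str
    flags: str   # e.g. "+" (recursion desired), "+E" (with EDNS), "-" (no RD)
    dest: str    # server address the query arrived on

def parse_line(line: str) -> Optional[Query]:
    """Return a Query for a query-log line, None for anything else (zone loads, notifies...)."""
    m = QUERY_RE.match(line)
    if m is None:
        return None
    return Query(m["ts"], m["client"], int(m["port"]),
                 m["qname"].rstrip(".").lower(),  # normalise case so reports aggregate
                 m["qclass"], m["qtype"], m["flags"], m["dest"])

SCHEMA = ("CREATE TABLE IF NOT EXISTS queries (ts TEXT, client TEXT, port INTEGER, "
          "qname TEXT, qclass TEXT, qtype TEXT, flags TEXT, dest TEXT)")
INSERT = "INSERT INTO queries VALUES (?, ?, ?, ?, ?, ?, ?, ?)"

class BatchWriter:
    """Buffer rows and write them with one executemany per batch instead of one
    INSERT per query, which is the difference the thread measured."""

    def __init__(self, conn: sqlite3.Connection, batch_size: int = 500) -> None:
        self.conn, self.batch_size = conn, batch_size
        self.buf: list[tuple] = []
        self.flushes = 0
        conn.execute(SCHEMA)

    def add(self, q: Query) -> None:
        self.buf.append((q.ts, q.client, q.port, q.qname, q.qclass, q.qtype, q.flags, q.dest))
        if len(self.buf) >= self.batch_size:
            self.flush()

    def flush(self) -> None:
        if not self.buf:
            return
        with self.conn:  # one transaction per batch
            self.conn.executemany(INSERT, self.buf)
        self.buf.clear()
        self.flushes += 1

def load(lines: Iterable[str], conn: sqlite3.Connection, batch_size: int = 500) -> tuple[int, int, int]:
    """Parse and store all lines; returns (rows stored, lines skipped, batches written)."""
    writer = BatchWriter(conn, batch_size)
    stored = skipped = 0
    for line in lines:
        q = parse_line(line)
        if q is None:
            skipped += 1
            continue
        writer.add(q)
        stored += 1
    writer.flush()  # do not lose the partial last batch
    return stored, skipped, writer.flushes

def queries_per_client(conn: sqlite3.Connection) -> list[tuple[str, int]]:
    return conn.execute("SELECT client, COUNT(*) FROM queries "
                        "GROUP BY client ORDER BY 2 DESC, client").fetchall()

def top_names(conn: sqlite3.Connection, limit: int = 5) -> list[tuple[str, int]]:
    return conn.execute("SELECT qname, COUNT(*) AS c FROM queries "
                        "GROUP BY qname ORDER BY c DESC, qname LIMIT ?", (limit,)).fetchall()

# Constructed sample lines (addresses and names borrowed from this thread, not real traffic).
SAMPLE_LOG = """\
28-Apr-2009 10:05:01.001 client 192.168.9.2#47869: query: box.mylan.loc IN A + (192.168.9.254)
28-Apr-2009 10:05:01.002 client 192.168.9.2#47870: query: www.google.com IN A +E (192.168.9.254)
28-Apr-2009 10:05:01.003 client 192.168.9.7#53001: query: WWW.GOOGLE.COM IN AAAA + (192.168.9.254)
28-Apr-2009 10:05:01.004 client 192.168.9.2#47871: query: mail.websiteburo.com IN MX - (192.168.9.254)
28-Apr-2009 10:05:01.005 zone mylan.loc/IN: loaded serial 2009042801
28-Apr-2009 10:05:01.006 client 192.168.9.7#53002: query: 230.0.168.192.in-addr.arpa IN PTR + (192.168.9.254)
"""

def load_sample(batch_size: int = 2) -> tuple[sqlite3.Connection, tuple[int, int, int]]:
    """Load the constructed sample into an in-memory database (demo helper)."""
    conn = sqlite3.connect(":memory:")
    return conn, load(SAMPLE_LOG.splitlines(), conn, batch_size)
```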


Re: stop zone transfers from coming in

2009-04-28 Thread Jonathan Petersson
I would honestly look for a typo since you're saying that it does work
for some. Either way, unless the admin turns it off you will get
zone-transfers, the question lies in whether your name-server accepts
them and propagates them down.

Check in the log for transfer or notification refusals and make sure
that you don't have any global variables that could cause issues.

/Jonathan

On Tue, Apr 28, 2009 at 9:38 PM, Chris Henderson  wrote:
> My server works as a secondary for a zone. I asked the master server's
> admin to stop the zone transfer; I didn't get any reply and thus
> commented out the zone's section in my named.conf. But I'm still
> getting zone files coming in to my server.
>
> Here is what I have commented out:
>
> #  zone "example.com" {
> #       type slave;
> #       file "extra/example.com";
> #        masters {
> #               xxx.xxx.xx.xx;
> #       };
> #  };
>
> I commented out for some other zones as well and they have stopped
> coming but not this one.
> How do I stop this?
>
> Thanks.


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
After feedback and running some tests today I've found that the most
"cost-effective" approach as far as performance goes is to use the
native querylog and rotate it often enough to have as "live" data as
possible.

Some quick notes (all tests done with perl):
- Parse the querylog 500 000k queries: 3 seconds
- Parse tcpdump while running 1 million queries: 300k picked up the
rest lost due to too high CPU load

I haven't tried to pipe querylog through stderr but it feels like that
could look a bit ugly; running something that is more layered is
favored.

At this point I'll have to make the sacrifice of having real-time
data, parsing the querylog is the most efficient way as I see it based
on my tests.

Thanks for all the feedback on this, I'll publish my code once I'm finished.

/Jonathan

On Tue, Apr 28, 2009 at 5:24 PM, Scott Haneda  wrote:
> I have read the other posts here, and it looks like you are settling on tail,
> or a pipe, but that log rotation is causing you headaches.
>
> I have had to deal with things like this in the past, and took a different
> approach.  Here are some ideas to think about.
>
> Since you mentioned below you wanted this in real time, and that parsing an
> old log file is out, what about setting up a second log in named, of the
> same data, but do not rotate the log at all?
>
> This gives you a log that you can run tail on.  It probably is going to grow
> too large.  I solved this for a different server in the past, by telling the
> log that was a clone to be limited in size.  In this way, it was not
> rolled out, but rather, truncated.
>
> I am not sure how named would do this.  If it will not truncate it, you can
> write a small script to do it for you.  Now that you have a log that is
> maintained at a fixed size that is manageable, you can do your tail business
> on it.
>
> I also seem to remember, tail has some flags that may help you with dealing
> with the log rotation issues.  I only remember them vaguely, as they were not
> applicable to what I was doing at the time.
>
> Hope this helps some.
>
> On Apr 27, 2009, at 10:26 PM, Jonathan Petersson wrote:
>
>> Hi all,
>>
>> I'm thinking of writing a quick tool to archive the query-log in a
>> database to allow for easier reports.
>>
>> The obvious question that occurs is: what would be the best
>> approach to do this?
>>
>> Running scripts that parse through the query-log would cause locking,
>> essentially killing BIND on a heavily loaded server, and only parsing
>> archived files wouldn't allow real-time information; also re-parsing
>> the same set of data over and over again until the log has rotated
>> would cause unnecessary I/O load. I'm guessing the best would be to
>> have BIND write directly to a script that dumps the data wherever it
>> makes sense to.
>>
>> I've used BIND statistics and found it highly useful but then again it
>> doesn't allow me to make breakdowns based on host/query.
>>
>> If anyone has done something like this or has pointers on how this
>> could be achieved, any information is welcome!
>
> --
> Scott * If you contact me off list replace talklists@ with scott@ *
>
>


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
Ah i.e. I'm using an incorrect logfacility... that would explain things.

Either way, I did try to parse tcpdump for queries, the problem I'm
getting is that perl isn't the best option for this so I'm going to
look into whether things could get sped up with python or something.

/Jonathan

2009/4/28 Jeremy C. Reed :
> On Tue, 28 Apr 2009, Jonathan Petersson wrote:
>
>> I did try to run the following option:
>> syslog named;
>
> syslog should define a "syslog facility".
>
> Look in the openlog, syslog and/or syslog.conf manual pages to see lists
> of facilities. The ARM says: "  The syslog destination clause directs the
> channel to the system log. Its argument is a syslog facility as described
> in the syslog man page. Known facilities are kern, user, mail, daemon,
> auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1,
> local2, local3, local4, local5, local6 and local7, however not all
> facilities are supported on all operating systems."
>
>> but when matching on named.* in syslog.conf there's no output.
>


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
I did try to run the following option:
syslog named;

but when matching on named.* in syslog.conf there's no output.

/Jonathan

2009/4/28 JINMEI Tatuya / 神明達哉 :
> At Tue, 28 Apr 2009 10:01:02 -0700,
> Jonathan Petersson  wrote:
>
>> So I gave tail a try in perl both via File::Tail and by putting tail
>> -f in a pipe. Neither seems to be handling the logrotation well. In my
>> case I'm running a test sending 1 million queries, of those half is
>> picked up by File::Tail if you define how often it should re-read the
>> file but using tail -f straight or File::Tail without arguments just
>> stops once the log has rotated as it doesn't seem to figure out to
>> continue onto the new file.
>
> I've never tried it, but how about letting named dump log messages to
> syslog, and letting syslogd forward all messages to a separate process
> via a pipe (assuming your syslogd supports that)?
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
Just realized something else, since I'm using perl in this case it's
going to be a permanent bottleneck regardless of whether I use
syslog/tcpdump/querylog, it just isn't quick enough for that kind of
data-flow...

Back to the drawing-board

/Jonathan

On Tue, Apr 28, 2009 at 10:49 AM, Jonathan Petersson
 wrote:
> I don't think the cost is that great having querylogging enabled,
> running the same test using dnsperf there's a 43% performance-increase
> but 70 000 queries per second is still acceptable with query-logging
> enabled.
>
> /Jonathan
>
> On Tue, Apr 28, 2009 at 10:05 AM, Alan Clegg  wrote:
>> Jonathan Petersson wrote:
>>> So I gave tail a try in perl both via File::Tail and by putting tail
>>> -f in a pipe.
>>
>> As was stated previously in this thread, you are going down a bad path
>> by using query-log for any purpose beyond short debugging sessions.
>>
>> The loss in performance is rather painful.
>>
>> The use of a network sniffing package is much preferable.
>>
>> [Just to see, try running your million queries with and without query
>> logging turned on and see if you are happy with the results]
>>
>> But, if that's what you want to do, I wish you luck.
>>
>> AlanC
>>
>>


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
I don't think the cost is that great having querylogging enabled,
running the same test using dnsperf there's a 43% performance-increase
but 70 000 queries per second is still acceptable with query-logging
enabled.

/Jonathan

On Tue, Apr 28, 2009 at 10:05 AM, Alan Clegg  wrote:
> Jonathan Petersson wrote:
>> So I gave tail a try in perl both via File::Tail and by putting tail
>> -f in a pipe.
>
> As was stated previously in this thread, you are going down a bad path
> by using query-log for any purpose beyond short debugging sessions.
>
> The loss in performance is rather painful.
>
> The use of a network sniffing package is much preferable.
>
> [Just to see, try running your million queries with and without query
> logging turned on and see if you are happy with the results]
>
> But, if that's what you want to do, I wish you luck.
>
> AlanC
>
>


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
So I gave tail a try in perl both via File::Tail and by putting tail
-f in a pipe. Neither seems to be handling the logrotation well. In my
case I'm running a test sending 1 million queries, of those half is
picked up by File::Tail if you define how often it should re-read the
file but using tail -f straight or File::Tail without arguments just
stops once the log has rotated as it doesn't seem to figure out to
continue onto the new file.

/Jonathan

On Tue, Apr 28, 2009 at 8:52 AM, David Forrest  wrote:
> On Tue, 28 Apr 2009, Gregory Hicks wrote:
>
>>
>>> From: Jonathan Petersson 
>>> Date: Tue, 28 Apr 2009 08:13:25 -0700
>>> Subject: Re: approach on parsing the query-log file
>>> To: niall.orei...@ucd.ie
>>> Cc: Bind Mailing 
>>>
>>> Yeah I've thought about using tail but I'm not sure how locking would
>>> be managed when logrotate kicks in, does anyone know?
>>
>> I use "tail -f "
>>
>> When the log rotates, the tail is still running against the rotated
>> file.  I have to manually change to the current file. ("^C-!!" works)
>>
>> A better way to do it might be to have the 'logfile' be a pipe and have
>> the parsing intelligence on the other side of the pipe.  Have the log
>> rotation "smarts" be on the other side of the pipe also.  (At one $JOB,
>> I used this technique to separate out different log messages from
>> simultaneously running SMTP processes.)
>>
>> Regards,
>> Gregory Hicks
>>>
>>> On Tue, Apr 28, 2009 at 3:41 AM, Niall O'Reilly 
>>
>> wrote:
>>>>
>>>> On Mon, 2009-04-27 at 22:26 -0700, Jonathan Petersson wrote:
>>>>>
>>>>> The obvious question that occurs is: what would be the best
>>>>> approach to do this?
>>>>
>>>>        I've not used it, but a colleague is very keen on File::Tail
>>>>        (http://search.cpan.org/~mgrabnar/File-Tail-0.99.3/Tail.pm).
>>>>        Apparently, it looks after log-file roll-over and 'just
>>
>> works'.
>>>>
>>>>        /Niall
>>>>
>>>>
>>>>
>
> I use tail --follow=name  as the tail then switches to the new
> inode.  An alternative is to put the copytruncate directive in
> /etc/logrotate.conf as the possible loss of one or two queries is usually
> not significant to statistical analysis.  Using inotail (which is supposedly
> less processor intensive) requires the second approach as it does not
> include the --follow=name option.
>
> Dave
> --
> David Forrest                   e-mail   drf @ maplepark.com
> Maple Park Development Corporation  http://xen.maplepark.com
> St. Louis, Missouri
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
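The rotation problem discussed in this thread, as an added example that is not part of the original messages: a small Python follower that does what `tail --follow=name` does (reopen when the path's inode changes, and also when the file shrinks, which covers logrotate's copytruncate), plus a parser for BIND query log lines feeding per-client and per-name counts. The log lines, file names and addresses are constructed for the example; the regular expression accepts both the older `client ip#port: query: ...` form and the later form that adds a view name and the server address.

```python
import os
import re
import tempfile
from collections import Counter

# Matches BIND 9 query log lines in the older form
#   client 192.0.2.10#53421: query: www.example.com IN A +
# and the newer form, which adds a client pointer, the view and the server address:
#   client @0x7f3a1c0 203.0.113.9#5353 (www.example.org): view ext: query: www.example.org IN A +E(0)K (198.51.100.1)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F:.]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view (?P<view>[^:]+): )?query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_line(line):
    """Fields of one query log line, or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()   # normalise the owner name
    return rec


class LogFollower:
    """Follow a log file by name, as `tail --follow=name` does: if the path now
    points at a different inode (logrotate renamed the file and named reopened
    a new one) or the file is shorter than what was already read (copytruncate),
    reopen and carry on instead of sitting on the old file descriptor."""

    def __init__(self, path):
        self.path, self.fh, self.inode, self.buf = path, None, None, b""

    def _open(self):
        self.fh = open(self.path, "rb")              # bytes, so tell() is a byte offset
        self.inode = os.fstat(self.fh.fileno()).st_ino

    def _rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False     # renamed but not yet recreated: keep draining the old file
        return st.st_ino != self.inode or st.st_size < self.fh.tell()

    def read_new_lines(self):
        """Complete lines appended since the previous call."""
        if self.fh is None:
            self._open()
        lines = []
        while True:
            chunk = self.fh.read()
            if chunk:
                self.buf += chunk
                *complete, self.buf = self.buf.split(b"\n")
                lines.extend(c.decode("utf-8", "replace") for c in complete)
            if not self._rotated():
                return lines
            self.fh.close()          # old file drained; switch to the new one
            self._open()

    def close(self):
        if self.fh is not None:
            self.fh.close()


def summarize(lines):
    """Query counts per client address and per (qname, qtype)."""
    by_client, by_name = Counter(), Counter()
    for rec in filter(None, map(parse_query_line, lines)):
        by_client[rec["client"]] += 1
        by_name[(rec["qname"], rec["qtype"])] += 1
    return by_client, by_name


# Constructed sample lines (documentation addresses), not from a real server.
SAMPLE = [
    "28-Apr-2009 08:13:25.001 client 192.0.2.10#53421: query: www.example.com IN A +",
    "28-Apr-2009 08:13:25.002 client 192.0.2.10#53422: query: www.example.com IN AAAA +",
    "28-Apr-2009 08:13:25.003 client 192.0.2.20#1024: query: mail.example.net IN MX -",
    "28-Apr-2009 08:13:25.004 client 2001:db8::5#4242: view internal: query: Example.COM. IN SOA +E (192.0.2.1)",
    "28-Apr-2009 08:13:26.000 zone example.com/IN: loaded serial 42",
]


def demo_rotation():
    """Write SAMPLE across a simulated logrotate (rename, then a new file under
    the old name) and show that the follower keeps reading."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "query.log")
        with open(path, "w") as f:
            f.write("\n".join(SAMPLE[:2]) + "\n")
        follower = LogFollower(path)
        before = follower.read_new_lines()
        os.rename(path, path + ".1")                 # logrotate moves the file...
        with open(path, "w") as f:                   # ...and named reopens a new one
            f.write("\n".join(SAMPLE[2:]) + "\n")
        after = follower.read_new_lines()
        follower.close()
    by_client, by_name = summarize(before + after)
    return {"before": len(before), "after": len(after),
            "clients": dict(by_client), "names": dict(by_name)}
```

`demo_rotation()` reads two lines, renames the file the way logrotate does, writes three more under the original name and reads again; a plain `tail -f` would have stayed on the renamed inode and shown nothing after the rename. In production the follower would be polled from a loop and the counters flushed to the database on a timer.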


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
Yeah I've thought about using tail but I'm not sure how locking would
be managed when logrotate kicks in, does anyone know?

On Tue, Apr 28, 2009 at 3:41 AM, Niall O'Reilly  wrote:
> On Mon, 2009-04-27 at 22:26 -0700, Jonathan Petersson wrote:
>> The obvious question that occurs is; What would be the best
>> approach to do this?
>
>        I've not used it, but a colleague is very keen on File::Tail
>        (http://search.cpan.org/~mgrabnar/File-Tail-0.99.3/Tail.pm).
>        Apparently, it looks after log-file roll-over and 'just works'.
>
>        /Niall
>
>
>


Re: approach on parsing the query-log file

2009-04-28 Thread Jonathan Petersson
The problem I'm seeing with this is that we'll get data that may be
inconsistent. Just because a query is sent to a server doesn't mean
that there's a name-server there to answer, I believe querying the
log-file one way or another would give a more accurate picture of load
etc.

On Tue, Apr 28, 2009 at 2:33 AM, Chris Buxton  wrote:
> On Apr 28, 2009, at 5:26 AM, Jonathan Petersson wrote:
>>
>> Hi all,
>>
>> I'm thinking of writing a quick tool to archive the query-log in a
>> database to allow for easier reports.
>
> If it were me, I would turn off query logging and use a packet sniffer.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
>


Re: request timeout

2009-04-28 Thread Jonathan Petersson
IIRC it's 3 seconds.

On Tue, Apr 28, 2009 at 12:42 AM, Jeff Pang  wrote:
> When a Bind requests another Bind for a name resolving, what's the
> timeout value for this request?
> I mean, within how many seconds peer Bind doesn't answer it, this Bind
> will give up the query?
>
> Thanks.
> Regards.
>


approach on parsing the query-log file

2009-04-27 Thread Jonathan Petersson
Hi all,

I'm thinking of writing a quick tool to archive the query-log in a
database to allow for easier reports.

The obvious question that occurs is: what would be the best
approach to do this?

Running scripts that parse through the query-log would cause locking,
essentially killing BIND on a heavily loaded server, and only parsing
archived files wouldn't allow real-time information; also re-parsing
the same set of data over and over again until the log has rotated
would cause unnecessary I/O load. I'm guessing the best would be to
have BIND write directly to a script that dumps the data wherever it
makes sense to.

I've used BIND statistics and found it highly useful but then again it
doesn't allow me to make breakdowns based on host/query.

If anyone has done something like this or has pointers on how this
could be achieved, any information is welcome!

Thanks

/Jonathan


Re: Limit allow-transfer to key + IP

2009-04-14 Thread Jonathan Petersson
Thanks!

/Jonathan

On Tue, Apr 14, 2009 at 12:28 PM, Chris Thompson  wrote:
> On Apr 14 2009, Jonathan Petersson wrote:
>
>> I was reading up on TSIG signed zone-transfers and gave it a try in my
>> lab this morning, successfully. However what I noticed (which makes
>> sense based on my config) is that any host with the appropriate key is
>> allowed to perform a zone-transfer.
>>
>> Is there any way to limit the zone-transfer to require both key and
>> known IP using allow-transfer?
>
> Yup. Use
>
>  allow-transfer { !{!11.22.33.44}; key secret-key; };
>
> Now sit down with a cold, cold drink and puzzle out why that works!
>
> --
> Chris Thompson
> Email: c...@cam.ac.uk
>
>


Limit allow-transfer to key + IP

2009-04-14 Thread Jonathan Petersson
Hi all,

I was reading up on TSIG signed zone-transfers and gave it a try in my
lab this morning, successfully. However what I noticed (which makes
sense based on my config) is that any host with the appropriate key is
allowed to perform a zone-transfer.

Is there any way to limit the zone-transfer to require both key and
known IP using allow-transfer?

Thanks

/Jonathan
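What the `key` element in allow-transfer actually authenticates, as an added example that is not taken from the thread: a minimal TSIG (RFC 2845, now RFC 8945) signer and verifier in Python. It builds an AXFR request, appends a TSIG RR whose HMAC covers the message plus the TSIG variables, and checks it the way a server does (unknown key, bad MAC, clock outside the fudge window). The key name, secret and zone are constructed. Note that nothing in the signed data identifies the source address; the MAC proves possession of the shared secret and nothing else, which is exactly why a key-only ACL admits any host that holds the key.

```python
import hashlib
import hmac
import struct
import time

# Constructed key; the named.conf equivalent would be
#   key "xfer-key" { algorithm hmac-sha256; secret "<base64 of SECRET>"; };
KEY_NAME, ALGORITHM = "xfer-key", "hmac-sha256"
SECRET = b"example-shared-secret-not-for-production"
KEYS = {KEY_NAME: (ALGORITHM, SECRET)}                 # the server's key store

# Wire-format algorithm names (RFC 8945 s6) and the digest each one uses.
ALGO_NAMES = {"hmac-md5": ("hmac-md5.sig-alg.reg.int", hashlib.md5),
              "hmac-sha256": ("hmac-sha256", hashlib.sha256)}
TYPE_TSIG, TYPE_AXFR, CLASS_IN, CLASS_ANY = 250, 252, 1, 255


def encode_name(name):
    """Canonical wire-format name: lowercase, uncompressed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(buf, off):
    """Read a wire name, returning (text, offset after it).  A compression
    pointer ends the name without being followed: we only need to skip names
    in earlier sections and to read the TSIG names, which are uncompressed."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_axfr_query(zone, msg_id):
    """DNS header plus one question (zone IN AXFR), not yet signed."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone)
            + struct.pack("!HH", TYPE_AXFR, CLASS_IN))


def tsig_variables(key_name, algo_wire, time_signed, fudge, error=0, other=b""):
    """The TSIG fields covered by the MAC (RFC 8945 s4.3.3): name, class ANY,
    TTL 0, algorithm, time signed, fudge, error, other data."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algo_wire)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_message(msg, key_name, algorithm, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned request and bump ARCOUNT (RFC 8945 s5.1)."""
    algo_wire, digestmod = ALGO_NAMES[algorithm]
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + tsig_variables(key_name, algo_wire, time_signed, fudge), digestmod).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(algo_wire) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def verify_message(signed, keys, now=None):
    """Server-side check of a signed request.  Returns (status, key_name) with
    status NOERROR, NOTSIGNED, BADKEY, BADSIG or BADTIME (RFC 8945 s5.2)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):
        off = _read_name(signed, off)[1] + 4
    tsig_off = None
    for i in range(an + ns + ar):
        start = off
        off = _read_name(signed, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        if i == an + ns + ar - 1 and rtype == TYPE_TSIG:    # TSIG must be the last RR
            tsig_off, rdata_off = start, off
        off += rdlen
    if tsig_off is None:
        return "NOTSIGNED", None
    key_name = _read_name(signed, tsig_off)[0]
    algo_name, p = _read_name(signed, rdata_off)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if key_name.lower() not in keys:
        return "BADKEY", key_name
    algorithm, secret = keys[key_name.lower()]
    algo_wire, digestmod = ALGO_NAMES[algorithm]
    if algo_name.lower() != algo_wire:
        return "BADKEY", key_name
    # Rebuild what the signer saw: original ID and ARCOUNT without the TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, algo_wire, time_signed, fudge, error, other),
                        digestmod).digest()
    if not hmac.compare_digest(expected, mac):       # constant-time comparison
        return "BADSIG", key_name
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return "BADTIME", key_name
    return "NOERROR", key_name
```

The verifier checks the MAC before the time window, as the RFC requires, so a BADTIME answer is only ever given to a request that was genuinely signed with the key. The key lookup is by name only: the key name in the TSIG RR is the sole thing that selects which secret the server tries, which is why key names must be unique per peer and why the source address is a separate decision in the ACL.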


Re: about allow-transfer

2009-04-09 Thread Jonathan Petersson
allow-transfer { slaveip; };

On Wed, Apr 8, 2009 at 11:42 PM, Jeff Pang  wrote:
> hello,
>
> I have two bind-9.6 (one master one slave) for product application.
> how to set allow-transfer in master's named.conf?
> shall it be:
>
> allow-transfer { none; };
>
> or:
>
> allow-transfer { all; };
>
> thanks.
>
> Regards.
>


Re: Regexp to match RR's

2009-04-08 Thread Jonathan Petersson
> On Apr 8, 2009, at 3:21 PM, Kevin Darcy wrote:
>>
>> I'm not a big fan of allowing users to enter Resource Records verbatim.
>> Most users aren't that sophisticated, or, if they are, they can do their
>> nsupdates directly, if they have been given access to the relevant TSIG key
>> (how's that for a False Dilemma argument :-)
>
> Again, I have to disagree with that statement. Aside from automated updates,
> even for dynamic zones (zones that allow dynamic updates), our customers
> wouldn't want day-to-day updates being submitted by dynamic update from user
> to DNS server. The reason is that dynamic updates are anonymous - there's no
> audit trail. For compliance reasons, it's valuable to have such updates
> submitted through a tool that logs them (user, timestamp, actions, user
> comment), even if the tool then sends them on to the DNS server via dynamic
> updates.
>

Not sure if we're talking about the same kind of dynamic update here,
I'm referring to updates controlled by update-policy in conjunction
with TSIG keys. Each independent user can have his own key with
applicable restrictions and it's logged accordingly in BIND's
log-files.

Dynamic updates are invaluable when you have business units who want
to maintain control of their own zones but aren't allowed to
manipulate data directly on the DNS master servers.


Re: Regexp to match RR's

2009-04-08 Thread Jonathan Petersson
I think you've valid points in this, the stuff I'm coding on is using
dynamic updates, right now I'm mainly looking at the regexp stuff to
validate user input via a web-ui. Surely when using dynamic updates
you will have an error thrown at you if you give incorrect input but I
believe it would be a better thing if the tool itself gave this to
prevent sending incorrect data to begin with.

/Jonathan

On Wed, Apr 8, 2009 at 3:09 PM, Kevin Darcy  wrote:
> Jonathan Petersson wrote:
>>
>> Hi all,
>>
>> I got some time over so I decide to hack a bit on a DNS management
>> tool for my home-server.
>>
>> I'm curious as to whether someone knows of a list of regexps that can
>> be used to match RR's.
>>
>
> I'm not sure why a DNS management tool would be in the business of
> "matching" RRs textually. The most popular methods these days for generating
> and updating zone data appear to be a) Dynamic Update, b) h2n (which
> converts a "hosts" file into zone files, under fairly sophisticated
> configuration control), or c) backend database. None of these methods
> entails parsing the contents of a zone file as input, except perhaps
> initially as a way to import legacy zone files into the new management tool
> (and in my opinion, the same thing could be accomplished more cleanly by
> AXFR'ing the contents of the zones instead of parsing the zone files).
>
> Managing DNS by manipulating zone files textually is, in my opinion, a dead
> end. I tried that over a decade ago and it was just too much of a headache
> and I had to switch methodologies.
>
> - Kevin
>
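Validating user input before it is written into an nsupdate script, as an added example that is not from the thread (the supported record types, the limits and the sample inputs are my own choices, not the tool Jonathan is writing): each field is checked against a whitelist for its type, so a value such as `192.0.2.1` followed by a newline and `update delete ...` cannot smuggle a second nsupdate command into the script, which is the failure mode a web UI that feeds nsupdate has to close before worrying about syntax errors.

```python
import ipaddress
import re

# RFC 1123 host label: 1-63 alphanumerics or '-', not starting or ending with '-'.
HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Owner names may also carry '_' (e.g. _sip._tcp) and a leading '*' wildcard label.
OWNER_LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")     # \n, \r, \t ... would start a new nsupdate line
MAX_TTL = 2 ** 31 - 1                         # RFC 2181 s8


def valid_name(name, owner=False):
    """Absolute or relative domain name within the RFC 1035 limits."""
    if not name or len(name) > 254 or CONTROL.search(name):
        return False
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    if owner and labels[0] == "*":
        labels = labels[1:]                   # wildcard only as the leftmost label
    rx = OWNER_LABEL if owner else HOST_LABEL
    return bool(labels) and all(rx.match(l) for l in labels)


def _ip(version):
    def check(rdata):
        try:
            return ipaddress.ip_address(rdata).version == version
        except ValueError:
            return False
    return check


def _mx(rdata):
    parts = rdata.split(" ")
    return (len(parts) == 2 and re.fullmatch(r"[0-9]{1,5}", parts[0]) is not None
            and int(parts[0]) <= 65535 and valid_name(parts[1]))


def _txt(rdata):
    """One quoted string of printable ASCII; backslash only before '"' or '\\'."""
    m = re.fullmatch(r'"((?:[\x20-\x21\x23-\x5b\x5d-\x7e]|\\["\\])*)"', rdata)
    return m is not None and len(m.group(1)) <= 255


# Only the types the tool supports; anything else is refused rather than passed through.
VALIDATORS = {
    "A": _ip(4), "AAAA": _ip(6), "MX": _mx, "TXT": _txt, "NS": valid_name,
    "CNAME": lambda r: valid_name(r, owner=True), "PTR": lambda r: valid_name(r, owner=True),
}


def validate_record(owner, ttl, rtype, rdata):
    """Return (ok, reason).  Every field is whitelisted for its type, so a record
    that passes can be written into an nsupdate script without escaping."""
    if not isinstance(ttl, int) or not 0 <= ttl <= MAX_TTL:
        return False, "ttl out of range"
    if not valid_name(owner, owner=True):
        return False, "bad owner name"
    check = VALIDATORS.get(rtype.upper())
    if check is None:
        return False, "unsupported type %s" % rtype
    if CONTROL.search(rdata):
        return False, "control character in rdata"
    if not check(rdata):
        return False, "malformed %s rdata" % rtype.upper()
    return True, ""


def nsupdate_line(owner, ttl, rtype, rdata):
    """One 'update add' line for nsupdate; refuses what validate_record rejects."""
    ok, reason = validate_record(owner, ttl, rtype, rdata)
    if not ok:
        raise ValueError(reason)
    return "update add %s %d IN %s %s" % (owner, ttl, rtype.upper(), rdata)
```

The point of the per-type validators is that the rdata grammar differs per type, so one generic "looks like an RR" regexp is the wrong tool: an address is parsed as an address, a name as a name, and the TTL as a bounded integer. The TXT check deliberately accepts a single quoted string only; multi-string TXT records and other types are refused until a validator for them is written.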


Regexp to match RR's

2009-04-07 Thread Jonathan Petersson
Hi all,

I got some time over so I decide to hack a bit on a DNS management
tool for my home-server.

I'm curious as to whether someone knows of a list of regexps that can
be used to match RR's.

Thx

/Jonathan


Re: Windows servers trying to update my zone

2009-04-07 Thread Jonathan Petersson
I'm not clear what you're trying to achieve here but if you don't want
the servers to update the zones you're fine as it is. You may want to
look at the hosts that are trying to make updates and make changes on
those accordingly.

If you do want them to be able to update just add allow-update { ip;
}; in the zone argument and you should be good to go.

/Jonathan

On Tue, Apr 7, 2009 at 5:28 PM, joans4nz  wrote:
> Hi,
>
> I am working as a little ISP in a building giving service to a few
> enterprises. All enterprises are using private IP addresses. Only my
> servers have public IP addresses. In every enterprise there is a DNS server
> that is a subdomain of my domain, and my DNS servers are showing the following
> log messages:
>
> Apr 7 20:00:19 myserver named[67312]: client 172.16.0.153#2100: view
> interna: update 'mydomain.com/IN' denied
> Apr 7 20:01:28 myserver named[67312]: client 172.16.0.146#2122: view
> interna: update 'mydomain.com/IN' denied
> Apr 7 20:02:37 myserver named[67312]: client 172.16.0.161#2138: view
> interna: update 'mydomain.com/IN' denied
> Apr 7 20:03:45 myserver named[67312]: client 172.16.0.153#2154: view
> interna: update 'mydomain.com/IN' denied
> Apr 7 20:04:54 myserver named[67312]: client 172.16.0.146#2186: view
> interna: update 'mydomain.com/IN' denied
>
> All the sub-domain DNS servers are running on Windows and are behind a
> firewall. I tried a solution from the book DNS & BIND Cookbook but the problem
> was not solved.
>
> How do I fix this problem?
>
> Thanks to all,
>
> joans4nz
>
>


Re: C/C++ version Load balancer DNS

2009-04-03 Thread Jonathan Petersson
You can use BIND itself as a load-balancer.

What's your goal?
What's your current load?
What's your anticipated load 12 months from now?
What kind of equipment do you have available?

/Jonathan

On Fri, Apr 3, 2009 at 2:37 PM, Mallappa Pallakke  wrote:
>  Hi,
>  Is there any C/C++ version load balancer available? As I know we have
> lbnamed which is Perl based load balancer.
>
>  Or can we do a kind of load balancer using any other mechanism over DNS?
>
>  It will be a great help if anybody can direct me in this regard.
>
>  Thanks,
>  Mallappa


Re: NOTIFY from masters when slave provides several views

2009-03-26 Thread Jonathan Petersson
Hi Terry,

Each view has to be independently notified if an update takes place.

/Jonathan

On Thu, Mar 26, 2009 at 4:46 PM,   wrote:
>  This question is related to the prior "Internal and External view on same
> slave server? - RESOLVED" thread, but seems to be a different situation in
> which the previous answer doesn't apply.
>
>  I have 3 nameservers, which we'll call ns1, ns2, and ns3. These servers
> are primarily slave servers for stealth master servers (that last part
> shouldn't really matter).
>
>  ns1, ns2, and ns3 operate with three views each - internal, customer, and
> external. Internal is for the ISP's infrastructure systems, customer is for
> customers (and allows recursion), and external is for the rest of the net
> (no recursion, just authoritative answers for the zones it serves).
>
>  The master servers can be in address ranges covered by any of those views
> as well - the ISP's own zones come from a server in the internal view, most
> customer zones come from servers in the customer view, with a few coming
> from servers in the external view.
>
>  Importantly, neither the masters nor ns1/2/3 have different zone data in
> different views - the answers are always the same.
>
>  As an example, if ns1 gets a NOTIFY for a slave zone from a master in an
> address covered by the customer view, it will do an xfer of the zone, but
> only for ns1's customer view. The internal and external views won't
> transfer until the expiry/refresh time for the zone fires.
>
>  Also important is that there are a *lot* of zones, and they all live in
> an external include file (which, itself, is a collection of smaller include
> files), which are all auto-generated from an external database. So it would
> be very difficult to change that. Also, most of the masters are on customer
> systems with a variety of nameserver versions, and asking them to add
> additional IP addresses (or indeed, make any changes at all) would also be
> very difficult.
>
>  What I'd like is some way to tell BIND that if it gets a NOTIFY for a
> zone, it should transfer that zone for all views, not just the matching
> view.
>
>  The BIND versions in use are 9.6.0-P1 and 9.6.1b1.
>
> Here's a censored example of the relevant parts of the named.conf file:
>
> // The internal view allows everything
>
> view "internal" in {
>
>        match-clients { internal; };
>        recursion yes;
>        additional-from-auth yes;
>        additional-from-cache yes;
>
>        // Root hints
>        //
>        zone "." {
>                type hint;
>                file "named.root";
>        };
>
>        // snip... (internal-only zones removed from example)
>
>        // Customer zones
>        //
>        include "includes.conf";
>
> };
>
> // The customer view allows everything too, but has a different name for
> // statistics gathering purposes, and might have restrictions added later
>
> view "customer" in {
>
>        match-clients { customer; };
>        recursion yes;
>        additional-from-auth yes;
>        additional-from-cache yes;
>
>        // Root hints
>        //
>        zone "." {
>                type hint;
>                file "named.root";
>        };
>
>        // Customer zones
>        //
>        include "includes.conf";
>
> };
>
> // The external view allows queries of zones we serve, but not recursion
>
> view "external" in {
>
>        match-clients { any; };
>        recursion no;
>        additional-from-auth no;
>        additional-from-cache no;
>
>        // Root hints
>        //
>        zone "." {
>                type hint;
>                file "named.root";
>        };
>
>        // Customer zones
>        //
>        include "includes.conf";
>
> };
>
>        Terry Kennedy             http://www.tmk.com
>        te...@tmk.com             New York, NY USA


Re: DNS forwarding not working properly?

2009-03-26 Thread Jonathan Petersson
You need to enable recursion in options.

/Jonathan

2009/3/26 ARMSTRONG, KENNETH :
> OK, I've been trying my hardest to figure this out.
>
> I have BIND9 installed and set up as a slave to one of our Domain
> Controllers (so we can at least still get DNS if it were to go down). It
> works fine for transferring the zone file of our domain down, and from the
> server running BIND I can resolve hostnames of our local network machines
> along with outside names such as google.com (using nslookup, yeah I know it
> sucks).
>
> However, when I set up one of my Windows XP clients to use the new server
> for DNS, it can resolve local machine names fine when I run nslookup against
> it, but it gives me "Query refused" when trying to resolve an outside DNS
> name.
>
> I ran nslookup against the ISP's DNS IP's and can resolve the outside
> hostnames just fine, but for some reason I can't resolve them against the
> new DNS server.
>
> I have not made any modifications to /etc/bind/named.conf. Instead, I have
> put my configurations in /etc/bind/named.conf.local (since that is what the
> named.conf file says to do).
>
> Here is my /etc/bind/named.conf.local file (protected of course):
>
> zone "OURDOMAIN.COM" {
>    type slave;
>    masters {
>     192.168.1.22;
>     192.168.1.23;
>    };
>    file "OURDOMAIN.COM.db";
>    allow-transfer {
>     any;
>    };
>    allow-query {
>     any;
>    };
> };
>
> zone "192.168.in-addr.arpa" {
>    type slave;
>    masters {
>     192.168.1.22;
>     192.168.1.23;
>    };
>    file "192.168.in-addr.arpa.db";
>    allow-transfer {
>     any;
>    };
>    allow-query {
>     any;
>    };
> };
>
> And my /etc/bind/named.conf.options:
>
> options {
>     directory "/var/cache/bind";
>
>     forwarders {
>    216.12.0.20;
>    216.12.48.23;
>     };
>
>     auth-nxdomain no;
>     listen-on-v6 { any; };
> };
>
> Again, this only seems to affect outside clients, I can run queries on
> nslookup just fine on the DNS server itself.
>
> Any help would be greatly appreciated.
>
>
>
> Kenny
>


Re: Ever growing jnl files

2009-01-07 Thread Jonathan Petersson
I've seen similar behaviors in earlier versions of BIND as well. Since
it doesn't seem to impact performance etc I haven't really bothered
with it. What you can do is to run an rndc freeze/thaw, this will
check out the journal file.

/Jonathan

On Wed, Jan 7, 2009 at 10:30 AM, Nicholas F Miller
 wrote:
> We have a few dynamic zones that are provisioned using Addhost. When addhost
> adds records to the zone every night it will run "nsupdate < update.file".
> The update.file will contain records like these:
>
> prereq yxrrset machine.colorado.edu. in a
> update delete  machine.colorado.edu. in a
>
> prereq yxrrset machine.colorado.edu. in hinfo
> update delete machine.colorado.edu. in HINFO
>
> This all works fine but the jnl doesn't ever go away after nsupdate runs
> like this. The jnl will continue to be appended to every night when nsupdate
> is run again. If we use nsupdate without feeding it a file the jnl will
> disappear like it's supposed to. Is this a glitch in bind-9.5.0-P2?
>
> 
> Nicholas Miller, ITS, University of Colorado at Boulder
>


Re: Bind open to query from anyone

2009-01-05 Thread Jonathan Petersson
In general I would think that it isn't recommended unless it's
intended; you probably don't want random clients querying your servers
for content you don't control.

To kill this add "recursion no;" in options; if you do want this
enabled for certain prefixes have a look at "allow-recursion".

Good luck,

/Jonathan

On Mon, Jan 5, 2009 at 3:15 AM, Chris Henderson  wrote:
> I've setup a secondary name server which works as a secondary or slave
> name server for my zone or domain name. However, I have tested and
> noticed that I can query for non-authoritative answers from my
> secondary or slave name server from outside my network. That is, any
> one can use my name server to query any host name, eg. www.google.com,
> www.yahoo.com etc. Is this a bad idea? How can I stop this?
>
> Thanks for any suggestions.


Re: Magic for NSEC3

2009-01-03 Thread Jonathan Petersson

Thanks for your input

/Jonathan


On Jan 3, 2009, at 16:13, Mark Andrews  wrote:



In message , "Jonathan Petersson" writes:

Hi all,

Hopefully this post won't cause as much SPAM as my last one. About a
year ago I started looking into DNSSEC and how to work with it for
dynamic updates etc. Since only NSEC was supported, allowing whomever
to do an unauthorized zone-transfer, I canceled my projects, later
finding out that NSEC3 would stop the behavior.


    One really needs to look at the cost benefit analysis to
    decide whether to use NSEC or NSEC3.  NSEC3 is much more
    expensive than NSEC for both authoritative servers and
    validators.  There are almost no zones that need
    that level of protection.

   Stopping AXFR/IXFR has almost zero cost so for many people
   it has become reflex without any need to justify it.  Stopping
   zone enumeration has a relatively high cost.

   Note for many servers stopping AXFR/IXFR was not about the
   zone content and more about preserving file descriptors for
   use by the slaves and legitimate TCP clients rather than the
   curious.


With the release of BIND 9.6 my understanding is that NSEC3 is now
supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
clueless as whether there's any magic sauce to get NSEC3 records vs.
NSEC.

If anyone has a pointer that would be of help, I've tried using
NSEC3RSASHA1 keys without success of getting NSEC3 records.


   NSEC3RSASHA1 allows the use of either NSEC and NSEC3 when
   signing the zone.  You need to tell dnssec-signzone which
   one to use.

   dnssec-signzone -3 salt [-H iterations] [-A] 


Thx

/Jonathan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

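Mark's point about what NSEC3 buys and what it costs, as an added example that is not part of the thread: the NSEC3 owner-name hash from RFC 5155 (SHA-1 over the canonical wire name plus the salt, iterated, then base32hex), checked against the test vector in the RFC's own example zone, next to the zone walk that plain NSEC permits. The `salt` and `iterations` parameters are the two values `dnssec-signzone -3` and `-H` set. The NSEC chain and the attacker's wordlist are constructed.

```python
import base64
import hashlib

# base64.b32encode uses the RFC 4648 alphabet; NSEC3 wants base32hex (0-9, A-V).
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase, uncompressed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 s5: H(x || salt), then `iterations` more rounds of H(h || salt)."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # every extra iteration costs server and attacker alike
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def walk_nsec(chain, apex):
    """Enumerate a zone from its NSEC RRs: each record names the next owner,
    so following the chain from the apex until it wraps lists every name."""
    names, cur = [apex], chain[apex]
    while cur != apex:
        names.append(cur)
        cur = chain[cur]
    return names


def guess_nsec3(hashes, zone, wordlist, salt_hex, iterations):
    """What an attacker can do with an NSEC3 chain: hash candidate names with
    the zone's published salt and iterations and keep the ones that appear."""
    return {"%s.%s" % (w, zone) for w in wordlist
            if nsec3_hash("%s.%s" % (w, zone), salt_hex, iterations) in hashes}


# Constructed NSEC chain (owner -> next owner) for a signed zone "example.".
NSEC_CHAIN = {
    "example.": "a.example.", "a.example.": "ai.example.", "ai.example.": "ns1.example.",
    "ns1.example.": "ns2.example.", "ns2.example.": "w.example.", "w.example.": "x.w.example.",
    "x.w.example.": "xx.example.", "xx.example.": "example.",
}
SALT, ITERATIONS = "aabbccdd", 12            # the parameters used in RFC 5155 Appendix A


def demo():
    names = walk_nsec(NSEC_CHAIN, "example.")                   # NSEC: every name, no guessing
    hashed = {nsec3_hash(n, SALT, ITERATIONS) for n in names}   # NSEC3: only hashes are visible
    recovered = guess_nsec3(hashed, "example.", ["www", "mail", "ns1", "ns2", "a"], SALT, ITERATIONS)
    return names, hashed, recovered
```

`demo()` shows the trade-off in one place: the NSEC walk returns all eight names for free, while the NSEC3 chain yields the same eight names only as hashes, and the dictionary attack recovers just the three that happen to be in the wordlist. The salt and iteration count are published in the NSEC3PARAM record, so they do not add secrecy, only per-guess cost, and that cost is paid by every validator as well.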


Magic for NSEC3

2009-01-03 Thread Jonathan Petersson
Hi all,

Hopefully this post won't cause as much SPAM as my last one. About a
year ago I started looking into DNSSEC and how to work with it for
dynamic updates etc. Since only NSEC was supported, allowing whomever
to do an unauthorized zone-transfer, I canceled my projects, later
finding out that NSEC3 would stop the behavior.

With the release of BIND 9.6 my understanding is that NSEC3 is now
supported, however, after reading the DNSSEC ARM for 9.6 I'm pretty
clueless as whether there's any magic sauce to get NSEC3 records vs.
NSEC.

If anyone has a pointer that would be of help, I've tried using
NSEC3RSASHA1 keys without success of getting NSEC3 records.

Thx

/Jonathan


Re: statistics-channels No such URL

2009-01-03 Thread Jonathan Petersson
Sorry for all the spamming, I forgot doing a distclean between the
builds, it's working now.

/Jonathan

On Sat, Jan 3, 2009 at 9:51 AM, Jonathan Petersson
 wrote:
> Also:
> [r...@localhost bind-9.6.0]# ./configure --with-libxml2 --enable-pthread
> .
> checking for libxml2 library... yes
> .
> config.status: executing chmod commands
> [r...@localhost bind-9.6.0]#
>
>
> On Sat, Jan 3, 2009 at 9:46 AM, Jonathan Petersson
>  wrote:
>> So I did find the reason:
>> Jan  3 09:45:04 localhost named[5038]: statistics-channels specified
>> but not effective due to missing XML library
>>
>> anything besides:
>> [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
>> libxml2-2.7.2-2.fc10.i386
>> libxml2-devel-2.7.2-2.fc10.i386
>>
>> That's needed? Bind is compiled from source with --with-libxml2 
>> --enable-threads
>>
>> Thanks
>>
>> /Jonathan
>>
>> On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson
>>  wrote:
>>> Hi everyone,
>>>
>>> Could someone give me a quick pointer what to look for if I get "No
>>> such URL" when trying to access the statistics web-site.
>>>
>>> Thx
>>>
>>> /Jonathan
>>>
>>
>


Re: statistics-channels No such URL

2009-01-03 Thread Jonathan Petersson
Also:
[r...@localhost bind-9.6.0]# ./configure --with-libxml2 --enable-pthread
.
checking for libxml2 library... yes
.
config.status: executing chmod commands
[r...@localhost bind-9.6.0]#


On Sat, Jan 3, 2009 at 9:46 AM, Jonathan Petersson
 wrote:
> So I did find the reason:
> Jan  3 09:45:04 localhost named[5038]: statistics-channels specified
> but not effective due to missing XML library
>
> anything besides:
> [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
> libxml2-2.7.2-2.fc10.i386
> libxml2-devel-2.7.2-2.fc10.i386
>
> That's needed? Bind is compiled from source with --with-libxml2 
> --enable-threads
>
> Thanks
>
> /Jonathan
>
> On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson
>  wrote:
>> Hi everyone,
>>
>> Could someone give me a quick pointer what to look for if I get "No
>> such URL" when trying to access the statistics web-site.
>>
>> Thx
>>
>> /Jonathan
>>
>


Re: statistics-channels No such URL

2009-01-03 Thread Jonathan Petersson
So I did find the reason:
Jan  3 09:45:04 localhost named[5038]: statistics-channels specified
but not effective due to missing XML library

anything besides:
[r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
libxml2-2.7.2-2.fc10.i386
libxml2-devel-2.7.2-2.fc10.i386

That's needed? Bind is compiled from source with --with-libxml2 --enable-threads

Thanks

/Jonathan

On Sat, Jan 3, 2009 at 9:41 AM, Jonathan Petersson
 wrote:
> Hi everyone,
>
> Could someone give me a quick pointer what to look for if I get "No
> such URL" when trying to access the statistics web-site.
>
> Thx
>
> /Jonathan
>


statistics-channels No such URL

2009-01-03 Thread Jonathan Petersson
Hi everyone,

Could someone give me a quick pointer what to look for if I get "No
such URL" when trying to access the statistics web-site.

Thx

/Jonathan


Re: zone propagation

2008-12-24 Thread Jonathan Petersson
What I've done is that I maintain a "master-slave" zone on my master;
if any new zones are manipulated I push out an updated config to my 20
or so slave-servers, and once pushed out I trigger a sudo script via ssh
that reloads bind with the new config and voila.

/Jonathan

On Wed, Dec 24, 2008 at 7:38 PM, wes  wrote:
> On Wed, Dec 24, 2008 at 9:54 AM, Michael Varre  wrote:
>>
>> On 12/24/08, wes  wrote:
>> > Can I configure a pair of bind9 servers, one master and one slave, so
>> > that
>> > when I create a new zone on the master, it is also created on the slave?
>> >
>> > I already have slaving of existing zones working well.
>> >
>> > thanks,
>> > -wes
>>
>> I'm sure there are other ways but I use webmin to handle all of it for
>> me. I used to do it all manually on the command line, logging into
>> each server and manually adding new zones but webmin has cut the time
>> it takes for me to make dns MACs down to about 10% of what it used to
>> be.
>
> Interesting. I am using Webmin. I had to create each zone on the master and
> slave servers, and set them up accordingly. Can you give me a small hint as
> to where the magic flag is to configure Webmin for this?
>
> thanks,
> -wes


Re: setup default DNS server with only one record

2008-12-11 Thread Jonathan Petersson
You want to manipulate the "." zone. The config you have should be valid,
just point your "." zone in named.conf to the zone file.

/Jonathan

On Thu, Dec 11, 2008 at 1:08 AM, Chris Henderson <[EMAIL PROTECTED]>wrote:

> I am trying to setup a default DNS server for one of my restricted
> network segment so that no matter what people type in their browser,
> they will be redirected to a single IP address or the hostname. The
> zone file that I have setup is partially working - it resolves
> .mydomain.com to a single IP address but doesn't resolve
> .some-other-domain.com (eg. www.cnn.com) - it just gives up.
> Here is my zone file. Any help would be highly appreciated. Thanks.
>
> $TTL 1W
> @   IN SOA  nms.mydomain.com.
> hostmaster.mydomain.com. (
>42  ; serial
>2D  ; refresh
>4H  ; retry
>6W  ; expiry
>1W ); minimum
>
> @   ns  nms.mydomain.com.
> *   A   192.168.25.25

Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
On Wed, Dec 10, 2008 at 4:00 PM, Mark Andrews <[EMAIL PROTECTED]> wrote:

>
> In message <[EMAIL PROTECTED]>, Nicholas F Miller writes:
> > I have a couple of questions regarding how a Microsoft domain
> > controller updates a dynamic zone.
> >
> > 1 ) When a domain controller tries to update the zone does it try the
> > DNS servers it has listed in its network settings or does it follow
> > the SOA for the zone?
>
> There are knowledge base articles which describe this fully.
>I suggest that you search the Microsoft knowledge base for
>the complete answer.


http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

< cut >

Re: DDNS and allow-update declarations

2008-12-10 Thread Jonathan Petersson
I did some testing with this a couple of months ago and it seems like AD is
following the NS directive in the SOA.

The design I used in my test-case was to put AD as an authoritative updater
of the specified zone on my master, once updated the BIND master was
responsible for updating the slaves.

Something you can do is add NS records in AD pointing at your BIND
slave-servers for the zone, and vice versa configure your slaves to have the
AD as master for the zone, what I've experienced is that updates of new
records tends to be REALLY slow, thus I would go with the first option.

/Jonathan

On Wed, Dec 10, 2008 at 8:17 AM, Nicholas F Miller <
[EMAIL PROTECTED]> wrote:

> I have a couple of questions regarding how a Microsoft domain controller
> updates a dynamic zone.
>
> 1 ) When a domain controller tries to update the zone does it try the DNS
> servers it has listed in its network settings or does it follow the SOA for
> the zone?
>
> 2) In the configs below does the slave server's IP need to be listed in the
> allow-update declaration on the master zone server?
>
> Master Server - 1.2.3.4
>
> zone "actived.example.com" {
>     type master;
>     file "named.ad";
>     allow-update {
>         1.2.3.4;        // master DNS server
>         11.22.33.44;    // domain controller 1
>         55.66.77.88;    // domain controller 2
>     };
>     allow-transfer {
>         5.6.7.8;        // slave DNS server
>     };
> };
>
> Slave Server - 5.6.7.8
>
> zone "actived.example.com" {
>     type slave;
>     file "named.ad";
>     allow-update-forwarding {
>         11.22.33.44;    // domain controller 1
>         55.66.77.88;    // domain controller 2
>     };
>     allow-transfer { none; };
>     masters {
>         1.2.3.4;        // master DNS server
>     };
> };
>
> Thanks,
> 
> Nicholas Miller, ITS, University of Colorado at Boulder
>

Re: Binding DNS server to a particular IP address

2008-12-03 Thread Jonathan Petersson
Shouldn't the "server" statement in options/view do the trick?

/Jonathan

On Wed, Dec 3, 2008 at 12:04 PM, Todd Snyder <[EMAIL PROTECTED]> wrote:

> Try the "listen-on" directive.
>
> Read more here:
>
> http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=frontcover&dq=
> dns&ei=dA-3SJ7XEaWijgG7v4Qw&hl=en&sig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q
> #PPA270,M1
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jerry M
> Sent: Wednesday, December 03, 2008 11:37 AM
> To: bind-users@lists.isc.org
> Subject: Binding DNS server to a particular IP address
>
> I have two different IP addresses coming into my server.  I need to
> guarantee that ISC BIND only monitors and replies to requests coming
> from one of the two IP addresses. I can't seem to find a configuration
> parameter that tells the server which IP address to listen on.  How do I
> configure that?
>
> Thanks.
>
> JWM
>

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Guess I should start digging in the code then :)

On Mon, Nov 17, 2008 at 5:59 PM, Evan Hunt <[EMAIL PROTECTED]> wrote:

> > IIRC update-policy cannot be used in congestion with the allow-update
> > statement.
>
> My bad--you're right.  There's code I'd never noticed before that says
> allow-update will be ignored if update-policy is set.  Whoops.
>
> (Oddly, the check only applies when both of them are defined in the
> zone itself.  You can put "allow-updates" in the view options and
> "update-policy" in the zone, and named won't complain about it...
> but it also won't work the way you want it to.)
>
> I don't know why it was implemented this way--there's no protocol reason
> I can see.  (There may be other reasons I don't know about.)  It's probably
> not a high enough priority for ISC to devote engineering resources to it at
> this time, but if someone submitted a patch that added an ACL check to the
> update-policy syntax, I'm sure we'd consider it.
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
>

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Yeah it would most likely be a feature request/change.

IIRC update-policy cannot be used in congestion with the allow-update
statement. Personally I prefer the usage of update-policy as I can assign
different business units within my organization to take responsibility for
certain records/record types.

As I'm using a multi-view server (public and private IP) I'm concerned that
the update keys used might get compromised (computer stolen or whatever)
thus it would be useful to be able to limit the capability for updates for
specified IP-ranges.

This is achieved with the allow-update policy given throughout this
conversation but as you cannot use them in congestion with update-policy I'm
not able to limit certain records/record types to keys.

To put this in a "conf example" I'm thinking something like:

allow-update {
! { !10/8; any; };
update-policy { grant key subdomain dummy.com ALL; };
};

I hope this makes sense.

/Jonathan

On Mon, Nov 17, 2008 at 4:43 PM, Evan Hunt <[EMAIL PROTECTED]> wrote:

>
> > Actually, to take this a step further, is there any remote possibility to
> > combine this with update-policy as well?
>
> I'm not sure what you mean.
>
> I believe you can use allow-updates to filter according to IP address
> and then update-policy to filter according to key; that might be an
> easier way to accomplish the same thing.  I've never done so, but I'd
> expect it to work.  But it sounds like you're asking for a feature
> change... clarify please?
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
>

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Actually, to take this a step further, is there any remote possibility to
combine this with update-policy as well?

I know both questions have been mentioned on the list before with varied
answers, but I wanted to raise it again since this was finally figured out.

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt <[EMAIL PROTECTED]> wrote:

> > >  allow-update { !{!10/8;any;}; key update-key; };
> >
> > Wouldn't this still permit any client on the 10/8 subnet to update the
> > zones?
>
> It's very confusing syntax, but no.
>
> You're probably thinking in boolean algebra (I did too, when I first
> encountered this).  If it were boolean algebra, you could redistribute
> the negatives: "!{!10/8; any;}" becomes "{!!10/8; !any;}" and then
> simplifies to "{10/8; none;}".
>
> But ACLs aren't boolean, so you can't do that.  Each element has three
> possible results not two: match and accept, match and reject, or "no
> match", which means continue processing.
>
> When an ordinary ACL element matches and is negated (for example, the
> element is "!10/8;" and the address is 10.0.0.1) that means "match and
> reject".  But if the match is inside of a *nested* ACL, then it's treated
> differently:  A negative result means "the nested ACL didn't match"--and
> so you continue processing.
>
> So if you're checking address A against an ACL of one of the following
> forms, these will be the results:
>
>{ A;B; }   == A is allowed, accept immediately
>{  {  A; }; B; }   == A is allowed, accept immediately
>{!A;B; }   == A is forbidden, reject immediately
>{ !{  A; }; B; }   == A is forbidden, reject immediately
>{  { !A; }; B; }   == A matched but was negated, try element B
>{ !{ !A; }; B; }   == A matched but was negated, try element B
>
> Those last two lines there are confusingly similar (and, as written,
> useless).  The difference is what happens if you're checking an address
> *other* than A, and something else in the nested ACL matches it.
>
>{  { !A; any; }; B; }  == any address other than A is accepted at once,
>  but A is only accepted if B matches too.
>  boolean translation: ((not A) or (A and B))
>
>    { !{ !A; any; }; B; }  == any address other than A is *rejected* at once,
>                              but A is accepted as long as B matches too.
>                              boolean translation: (A and B)
>
> Hope that's helpful.  (*I* find it hard to keep this syntax straight, and I
> wrote a big chunk of the code that implements it in BIND 9.5...)
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
>
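
The three-valued ACL semantics Evan Hunt lays out above (accept, reject, or "no match, keep going", with a negative result inside a nested list treated as no match) are easy to get wrong by hand, so here is a small model of them as an added example. This is not code from BIND or from anyone in the thread; it is a simulation written for this page. It parses a subset of named.conf address-match-list syntax (prefixes such as "10/8", "any", "none", "key NAME", nested lists and "!"), evaluates it the way Evan describes, and then checks his table and Chris Thompson's `allow-update { !{!10/8;any;}; key update-key; };` against constructed clients. The addresses 192.0.2.10, 198.51.100.7 and 10.1.2.3 are constructed sample values; "update-key" is the key name from the thread. Evan's abstract "B" is modelled as the key element, so "A and B" reads as "from address A and signed with the key".

```python
"""Three-valued evaluation of BIND 9 address-match lists (ACLs).

Added example (not BIND code): a parser and evaluator for a subset of
named.conf ACL syntax, modelling the accept / reject / no-match rules
described in the thread.  A client is (address, signer) where signer is
the TSIG key name the request was signed with, or None when unsigned.
"""
import re
from ipaddress import ip_address, ip_network

ACCEPT, REJECT, NOMATCH = "accept", "reject", "nomatch"

_TOKEN = re.compile(r"\s*(\{|\}|;|!|[^\s{};!]+)")


def parse_acl(text):
    """Parse '{ elem; elem; ... }' into a list of (negation, payload).

    payload is a string ("any", "none", "key NAME", "10/8") or, for a
    nested address-match list, another list of elements.
    """
    tokens = _TOKEN.findall(text)
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def parse_list():
        if take() != "{":
            raise ValueError("address-match list must start with '{'")
        elems = []
        while peek() not in ("}", None):
            neg = ""
            if peek() == "!":
                take()
                neg = "!"
            if peek() == "{":
                payload = parse_list()          # nested ACL
            elif peek() == "key":
                take()
                payload = "key " + take()        # TSIG key element
            else:
                payload = take()                 # prefix / any / none
            if take() != ";":
                raise ValueError("each element must end with ';'")
            elems.append((neg, payload))
        if take() != "}":
            raise ValueError("unterminated address-match list")
        return elems

    acl = parse_list()
    return acl


def _prefix(text):
    # named accepts abbreviated prefixes such as "10/8"; pad to four octets.
    addr, _, plen = text.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ip_network("%s/%s" % (".".join(octets), plen or "32"), strict=False)


def _match_simple(payload, client):
    address, signer = client
    if payload == "any":
        return True
    if payload == "none":
        return False
    if payload.startswith("key "):
        return signer == payload[4:]
    return ip_address(address) in _prefix(payload)


def match_element(elem, client):
    """ACCEPT, REJECT or NOMATCH for one element."""
    neg, payload = elem
    if isinstance(payload, list):
        # A nested list only "matches" when its own evaluation ACCEPTs.
        # A REJECT or NOMATCH inside it counts as no match for the outer
        # list, so a negated nested list never becomes a surprise accept.
        matched = evaluate(payload, client) == ACCEPT
    else:
        matched = _match_simple(payload, client)
    if not matched:
        return NOMATCH
    return REJECT if neg else ACCEPT


def evaluate(acl, client):
    """First element that ACCEPTs or REJECTs wins; otherwise NOMATCH."""
    for elem in acl:
        result = match_element(elem, client)
        if result != NOMATCH:
            return result
    return NOMATCH


def allowed(acl_text, address, signer=None):
    """True iff named would permit the request (top-level NOMATCH = denied)."""
    return evaluate(parse_acl(acl_text), (address, signer)) == ACCEPT


THREAD_ACL = "{ !{ !10/8; any; }; key update-key; }"   # from the thread

if __name__ == "__main__":
    for addr, key in [("10.1.2.3", "update-key"), ("10.1.2.3", None),
                      ("198.51.100.7", "update-key")]:
        print("%-14s %-11s -> %s" % (addr, key, allowed(THREAD_ACL, addr, key)))
```

Running it shows the answer to the question that started the sub-thread: a client on 10/8 is accepted only when it is also signed with update-key; an unsigned 10/8 client falls through to NOMATCH, which at the top level means denied; and anything outside 10/8 is rejected outright by the negated nested list, so the key alone is not enough.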

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Jonathan Petersson
Yeah, kinda makes sense, thanks!

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt <[EMAIL PROTECTED]> wrote:

> > >  allow-update { !{!10/8;any;}; key update-key; };
> >
> > Wouldn't this still permit any client on the 10/8 subnet to update the
> > zones?
>
> It's very confusing syntax, but no.
>
> You're probably thinking in boolean algebra (I did too, when I first
> encountered this).  If it were boolean algebra, you could redistribute
> the negatives: "!{!10/8; any;}" becomes "{!!10/8; !any;}" and then
> simplifies to "{10/8; none;}".
>
> But ACLs aren't boolean, so you can't do that.  Each element has three
> possible results not two: match and accept, match and reject, or "no
> match", which means continue processing.
>
> When an ordinary ACL element matches and is negated (for example, the
> element is "!10/8;" and the address is 10.0.0.1) that means "match and
> reject".  But if the match is inside of a *nested* ACL, then it's treated
> differently:  A negative result means "the nested ACL didn't match"--and
> so you continue processing.
>
> So if you're checking address A against an ACL of one of the following
> forms, these will be the results:
>
>{ A;B; }   == A is allowed, accept immediately
>{  {  A; }; B; }   == A is allowed, accept immediately
>{!A;B; }   == A is forbidden, reject immediately
>{ !{  A; }; B; }   == A is forbidden, reject immediately
>{  { !A; }; B; }   == A matched but was negated, try element B
>{ !{ !A; }; B; }   == A matched but was negated, try element B
>
> Those last two lines there are confusingly similar (and, as written,
> useless).  The difference is what happens if you're checking an address
> *other* than A, and something else in the nested ACL matches it.
>
>{  { !A; any; }; B; }  == any address other than A is accepted at once,
>  but A is only accepted if B matches too.
>  boolean translation: ((not A) or (A and B))
>
>    { !{ !A; any; }; B; }  == any address other than A is *rejected* at once,
>                              but A is accepted as long as B matches too.
>                              boolean translation: (A and B)
>
> Hope that's helpful.  (*I* find it hard to keep this syntax straight, and I
> wrote a big chunk of the code that implements it in BIND 9.5...)
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
>

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-16 Thread Jonathan Petersson
On Sun, Nov 16, 2008 at 1:28 PM, Chris Thompson <[EMAIL PROTECTED]> wrote:

> On Nov 14 2008, blrmaani wrote:
>
>> I use BIND 9.2 on Linux.
>
> Horribly old. But I doubt whether anything has changed in the ACL logic
> since then.
>
>> I was experimenting with a feature to allow
>> dynamic updates based on
>> BOTH the following:
>> 1. Secret key ( TSIG )
>> 2. Subnet.
>>
>> Unfortunately, I realized that we can specify only one of the above in
>> allow-update {} ACL.
>> If I specify both, it doesn't work as expected.
>>
>> Question:
>> 1. Is there a way to achieve this?
>>
> [...]
>
>> here is what I'm expecting:
>>
>> // This should allow update only if the update is from 10/8 subnet AND
>> key matches:
>> allow-update { key "" ; 10/8; }
>>
>
> That's an OR on the conditions, as Chris Buxton writes.
> But you *can* do what you want, provided you have a copious supply of iced
> drinks to keep you calm while trying to work out the consequences of using
> negations in ACLs. If I have it right, the following works:
>
>  allow-update { !{!10/8;any;}; key update-key; };


Wouldn't this still permit any client on the 10/8 subnet to update the
zones?