Re: bind Bind or BIND?
On 27/01/2011 02:43, Alan Clegg wrote:
On 1/26/2011 9:22 PM, Chuck Swiger wrote:
Yes, BIND is an acronym for Berkeley Internet Name Daemon.

Berkeley Internet Name Domain.

Hi Alan,

Could you correct the reference on http://www.isc.org/software/bind/whatis please.

Cheers,
Stace
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: libbind error
On 12/11/2010 22:46, Jack Tavares wrote:
I believe I found a bug in the libbind code. Is this the correct place to report that?

Thanks

Jack,

According to http://www.isc.org/software/libbind (found via search):

Bug reports may be sent to libbind-b...@isc.org. The public mailing list for discussing libbind development is bind-workers https://lists.isc.org/mailman/listinfo/bind-workers.

I've not seen much happen in the libbind space mind so you may want to cross post here as well.

Stace

Re: why one shouldn't use relative hostnames
Additionally a wildcard record in one of the searched domains would cause a false positive to be returned causing an outage to the service/services. And if you're not in control of the zone or the search order it could be difficult to rectify.

-Stacey

On 11/11/2010 00:30, Kevin Darcy wrote:
On 11/10/2010 1:19 PM, Maria Iano wrote:
We are working with a software vendor whose software only works with relative hostnames - they say it can't cope with a fully-qualified domain name. They want us to make sure the necessary domain is in all clients' search lists. Does anyone have any good references for me to explanations of why this is a very bad thing. I would find quick access to thoughtful well-phrased arguments very useful right now.

I've looked for such a thing from time to time, with no success. Maybe I need to compose something like that.

Main reasons for not using shortnames:

a) Security. The problem cited way back in RFC 1535 still exists, in a slightly different form, with respect to shortnames, i.e. they're ambiguous and can cause names to resolve unexpectedly, thus causing connections to be made to unexpected hosts, which might not be trusted. E.g. we have multiple DNS names with the first label of mailroom, one could potentially connect to the wrong mailroom server, depending on the (somewhat arbitrary) ordering of one's searchlist. A less-trusted mailroom server could trojan the more-trusted one.

b) Capacity and performance (specifically, query latency). Each searchlist element magnifies query volume, and increases query latency for all queries which don't happen to resolve with the first element in the searchlist. Names which don't resolve at all (typos, obsolete references, etc.) exhaust the *entire* searchlist, which has maximum latency to the invoking application, and uses maximum nameservice-infrastructure, network, logging and/or server resources.

c) Undesired dependencies and co-ordination challenges. Shortname resolution depends on the precise configuration of searchlists, but in many organizations the DNS infrastructure experts are not in the same department as those who control the configuration of searchlists (which are often client OS experts rather than in the server or networking areas), so there can be co-ordination challenges between the departments. When using FQDNs, searchlists are unnecessary and therefore the dependencies and co-ordination challenges are minimized.

d) Inconsistency between internal and Internet environments; future-proofing. Shortnames are, by and large, not used on the Internet, because of the foregoing reasons, writ large because of the sheer scale and diversity of the Internet and its DNS namespace. If shortnames are used on an internal network, there is an inconsistency between the two environments, internal and Internet, which may cause confusion and interoperability challenges, should a particular function or subsystem be out-hosted and/or attached to an Internet-accessible cloud at some point in the future.

Under this heading, it should be noted that some Internet-oriented technologies absolutely require FQDNs as part of their formal specification. To my knowledge, no formal specifications (other than WINS/NETBIOS perhaps) require shortnames. Therefore, to be most flexible and accommodating to changing technologies and environments, it is best to use the naming format -- FQDNs -- which is most likely to be compatible and interoperable going forward.

- Kevin

Re: How to get easily (from a script) all CNAME of a A record?
On 09/11/2010 14:14, Michelle Konzack wrote:
Hello Matus UHLAR - fantomas,

On 2010-11-09 14:13:47, you hacked down the following:
I am not sure whether dnswalk over whole internet can do that, but on your

I will try it...

server you can either run recursive grep over named data directory, or dump the named database and grep it...

This is what I currently do...

[ '/usr/sbin/get_hosts_in cname' ]--

    #!/bin/sh
    QUERY=$1
    for FILE in $(cd /etc/bind && ls *.signed)
    do
      grep --regexp=" IN CNAME .*${QUERY}" /etc/bind/${FILE} 2>/dev/null | cut -d ' ' -f1 | sed 's|.$||'
    done

...and it is too slow due to more than 80.000 Zones (they have to be grepped all) number of VHosts.

Oh, it is now time to use xargs, because I saw today, that I hit the limits for ls. :-D

Following is working:

    cd /etc/bind && ls

but not:

    cd /etc/bind && ls *

or

    cd /etc/bind && ls *.signed

and the OSes are called Linux and BSD... WTF? It seems that a commandline can not have more than 31.000 characters. (no not options but total length)

Thanks, Greetings and nice Day/Evening
Michelle Konzack

The asterisk causes the shell to expand the names and run ls with them as a single command, so in effect you have

    ls file1 file2 file3

Try the following instead:

    cd /etc/bind
    for FILE in *.signed
    do
      grep --regexp=" IN CNAME .*${QUERY}" ${FILE} 2>/dev/null | cut -d ' ' -f1 | sed 's|.$||'
    done

It might still have the same issue, but worth a go. I assume the command length is also why you're not simply running grep -h expression *.signed?

Stace

Re: A Further Question about query-source
dig does not use named.conf. If you hadn't specified the server to ask (using @ syntax) then resolv.conf is used as source for initial server.

Stace

On 08/09/2010 17:13, b19...@anl.gov wrote:
I have DNS servers with multiple addresses. They are running 9.7.1-P2. On the servers I have

    query-source 1.2.3.4;

to tell BIND to use one of the DNS addresses for its queries. Yesterday on the box I issued

    dig example.com @someserver.example.com

and the query was sent using the non-DNS address. I expected the query-source directive to send the query over the 1.2.3.4 IP address and not one of the other three addresses on the box. Is query-source not honored because I specified the DNS server I wanted to query? Thanks.

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:     +1 (630) 252-7277
9700 South Cass Avenue               Facsimile: +1 (630) 252-4601
Building 240, Room 5.B.8             Internet:  bsfin...@anl.gov
Argonne, IL 60439-4828               IBMMAIL:   I1004994

Re: Bind hang out when named reach to 5-600 Mb
On 07/09/10 07:36, khanh rua wrote:
Can u tell me how to do this ?

If you enable query log, you might be able to see if it's actually serving queries at that time.

I mean it hang is named process is still running but it cannot respond any lookup query. CPU is almost at low rate 5-6 % or lower. It's both hang with single thread or multithread.
datasize is m
max-cache-size is 2000m;

These are versions of bind i tried :

    bash-3.00# file /usr/sbin/named
    /usr/sbin/named: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped
    bash-3.00# which named
    /usr/sbin/named
    bash-3.00# file /opt/SUNWbind9.6/sbin/named
    /opt/SUNWbind9.6/sbin/named: ELF 64-bit MSB executable SPARCV9 Version 1, dynamically linked, not stripped
    bash-3.00# file /usr/sbin/bind
    bind-9.7.1b1/ bind9.7.0P1/
    bash-3.00# file /usr/sbin/bind-9.7.1b1/named
    /usr/sbin/bind-9.7.1b1/named: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, not stripped

running 'named -V' is the best way to show version and configure options.

In my circumstance, i can try installing anything as long as it can fix this bug. I saw on sunsolve there 's a patch for bind 119783-15. Don't know is it useful to fix this bug?

No, that patch provides BIND 9.6.1-P3 with no specific changes. Could you collect some lock statistics using plockstat(1M)? i.e.:

    # plockstat -e 300 -p `pgrep ^named`

The -e 300 causes it to collect statistics for 5 minutes - experiment a little and feed back what is reported.

Mb i will check with other version of bind. Hope this can help.

*From:* Fajar A. Nugraha fa...@fajar.net
*To:* khanh rua duonghoahoc_k4...@yahoo.com
*Cc:* bind-users@lists.isc.org
*Sent:* Thu, July 8, 2010 5:10:02 PM
*Subject:* Re: Bind hang out when named reach to 5-600 Mb

On Thu, Jul 8, 2010 at 4:30 PM, khanh rua duonghoahoc_k4...@yahoo.com wrote:
Hi, I install bind as a cache server on Solaris 10, Sun Sparc T5140. It has problem, bind always hang out when named reach to 5-600 Mb ('prstat' check).

How did you determine that it hang? If you enable query log, you might be able to see if it's actually serving queries at that time. Also, how is the cpu and disk usage at that time (I'm trying to see if you have cpu or disk as bottleneck?

My guess is that:
- one of your CPU thread is at 100% usage
- named is busy serving queries already, so that the new query you issued does not get processed in a timely manner.

I have several servers and all have this problem even when i install bind in zone or try with a 64bit version. T5140's a powerful server but bind can't make use of its power.

IMHO, it's not really named-specific problem. The thing is Sun/Oracle T-series processors doesn't perform well with single thread loads. And (last time I check anyway) even though bind can make use of multi processor/threads, single thread performance still matters a lot. So you'd probably get much better performance when running named with say ... a generic x86 server/PC with Intel Xeon/Core i-series.

--
Fajar

--
--Stacey

Re: out of memory Errors
On 06/17/10 16:50, Prabhat Rana wrote:
I'm running BIND 9.6.1-P1 in a Solaris 10 server. There is a total of 32G of physical memory and at any given time about 20G is free. However, named keeps on throwing out of memory errors. When these errors occur in syslog, although named is still running it goes in a hung state. I noticed that it occurs when named takes up 4G of memory. So it appears as if there is 4G of memory usage limitation in this environment. Although there is plenty of physical memory available, named is not able to go more than 4G. I looked around and one way as documented by some Oracle DBA was to create projects in Solaris 10 environment as in /etc/projects file and assign more memory. I followed those steps but it didn't fix the issue. Has any one come across this problem? Is there a way to find if the BIND is 32 or 64 bit? The BIND pkg was downloaded from http://sunfreeware.com So we're not sure if it's 32 or 64 bit. Any suggestions would be greatly appreciated.

Prabhat.

The latest Solaris patch for BIND provides version 9.6.1-P3, albeit only as 32bit and thus limited also to 4gb. Use file(1) command to see what the binary is:

    $ file /usr/sbin/named
    /usr/sbin/named: ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically linked, stripped
    $ named -V
    BIND 9.6.1-P3 built with --prefix=/usr --mandir=/usr/share/man --with-libtool --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib/dns --sysconfdir=/etc --localstatedir=/var --with-openssl --enable-threads=yes --enable-devpoll=yes --disable-openssl-version-check --enable-fixed-rrset --disable-getifaddrs

--
--Stacey

Re: dnsquery for Solaris
On 03/10/10 11:59, Chris Thompson wrote:
On Mar 10 2010, Sam Wilson wrote:
In article mailman.750.1268169970.21153.bind-us...@lists.isc.org, jcarrol...@cfl.rr.com wrote:
dig was added to Solaris 9. It is not native to Solaris 8 or older.

That would explain why it's only where Chris found it on some of our range of Solarises (vintage or only slightly worn).

Yes, I did overestimate how long it's been there. (Also, of course, some people will exclude/remove package SUNWbind so that they can use the same path names for their own BIND installations.) But if you are still using Solaris 8 or earlier... well it's not quite as bad as still running BIND 8. Not *quite* ... :-)

For what it's worth, with vintage support patch install BIND 9 dig is supplied in /usr/lib/dns/dig (yes, /usr/lib - sorry about that).

Stace

Re: Random slow queries
On 02/24/10 18:50, Mike Chesney wrote:
Running Bind 9.6.1-P3
We run authoritative DNS for 60k+ zones. One one network where we two dns servers both running the same hardware on Centos 5.4 We see slow dns responses :

example

    for i in {1..250}; do dig example.com @localhost | grep "Query time:"; done;

Centos is a time-sharing system right. I wonder if your time-share is up and you're simply being scheduled off CPU - the network communication is an opportunity for the scheduler to do that. Try adding a sleep and see if your results smooth out - more 0 msec and less msec total.

    for i in {1..250}; do sleep 0.5; dig example.com @localhost | grep "Query time:"; done;

Sometimes they'll all come back w/ a 0msec response . But every few runs we see.

    ; Query time: 501 msec
    ;; Query time: 111 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 1461 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 441 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec
    ;; Query time: 0 msec

This is just a snapshot, most other entries are all 0. This doesn't happen on any of our other dns servers. Load is pretty low on this machine around .3 4gb ram. Named consumes about 15% of memory and 4% of cpu. Not sure where to look next.

Re: BIND 9.6.2rc1 make test question
On 02/24/10 20:56, John Center wrote:
Hi Stace, Sorry, I didn't think this was necessarily a Solaris problem. I'm running this on Solaris 10 (SPARC 64bit), built with Sun Studio 12.1. Why did it occur on OpenSolaris?

Hi John,

Interesting, I didn't see the issue on Solaris 10 but then I'm not certain if I tested on 64bit - we only compile it 32bit. We have not discovered the cause on OpenSolaris as yet, it's logged here as CR 6909705.

Regards,
Stace

Thanks. -John

From: stacey.marsh...@sun.com [stacey.marsh...@sun.com]
Sent: Wednesday, February 24, 2010 9:01 AM
To: John Center
Cc: bind-users@lists.isc.org
Subject: Re: BIND 9.6.2rc1 make test question

On 02/15/10 20:25, John Center wrote:
Hi, I just built BIND 9.6.2rc1 make test passes except for the following:

    A:the dst module provides the capability to verify data signed with the RSA and DSA algorithms
    I:testing t2_data_1, t2_dsasig, test., 23616, DST_ALG_DSA, ISC_R_SUCCESS
    I:testing t2_data_1, t2_rsasig, test., 54622, DST_ALG_RSAMD5, ISC_R_SUCCESS
    I:testing t2_data_1, t2_dsasig, test., 54622, DST_ALG_RSAMD5, !ISC_R_SUCCESS
    I:testing t2_data_2, t2_dsasig, test., 23616, DST_ALG_DSA, !ISC_R_SUCCESS
    mem.c:322: INSIST(dl != 0L) failed.
    I:the test case caused exception 6
    R:UNRESOLVED

What does this mean where do I look to resolve this issue? Thanks. -John

John,

You don't state what you're building on? I too have come across the same error on OpenSolaris circa snv_117.

Stace

Re: Occasional errors from res_nsearch
On 11/25/09 05:44, Divakar Pratap Singh P wrote:
Hi, I am using Solaris (5.10 Sparc as well as i386) server to run an application (written in C language) which uses Bind library client implementation (available on Solaris box by default, version 4.9.4). On processing consecutive lookup requests using the function res_nsearch, many of the initial requests fail, and after some time, it starts resolving the requests. Error code returned is either 1 or 2, but after some time it starts working fine with error code 0. Nslookup command works perfectly fine, resolving all valid domains correctly. We have nis service also configured on the servers. Could that be an issue here ?

Because it's calling res_nsearch() directly NIS shouldn't be an issue, though the NIS domainname would be used - set by res_ninit() - if one is not provided in resolv.conf(4). You should find setting environment variable RES_OPTIONS=debug useful in seeing what the resolver is doing. For further help please provide resolv.conf, output from command when RES_OPTIONS=debug is set and preferably the C code.

Stacey Marshall.
Sun Microsystems.

Cumulative log of replies from res_nsearch (for domain “google.com”) : -

    function ret val: 1 Error Msg DNS lookup failed: Response is 'No address associated with name'. Resolved IP:
    function ret val: 1 Error Msg DNS lookup failed: Response is 'No address associated with name'. Resolved IP:
    function ret val: 1 Error Msg DNS lookup failed: Response is 'No address associated with name'. Resolved IP:
    function ret val: 1 Error Msg DNS lookup failed: Response is 'No address associated with name'. Resolved IP:
    function ret val: 1 Error Msg DNS lookup failed: Response is 'No address associated with name'. Resolved IP:
    function ret val: 0 Error Msg Resolved IP: 74.125.67.100
    function ret val: 0 Error Msg Resolved IP: 74.125.53.100
    function ret val: 0 Error Msg Resolved IP: 74.125.45.100
    function ret val: 0 Error Msg Resolved IP: 74.125.67.100
    function ret val: 0 Error Msg Resolved IP: 74.125.53.100
    function ret val: 0 Error Msg Resolved IP: 74.125.45.100
    function ret val: 0 Error Msg Resolved IP: 74.125.67.100
    function ret val: 0 Error Msg Resolved IP: 74.125.53.100

- Thanks in anticipation,
Divakar.

libbind ns_sign() and ns_verify() parameter in_timesigned not documented
The tsig manual page description for ns_sign() and ns_verify() include a parameter named in_timesigned of type time_t. However there is no description of this parameter as there is for the others:

    $ less libbind-6.0/doc/tsig.cat3
    TSIG LOCALTSIG

    NAME
         ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
         ns_verify_tcp_init, ns_find_tsig -- TSIG system

    SYNOPSIS
         int
         ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
             const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
             time_t in_timesigned);
         ...
         int
         ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
             int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
             int nostrip);

From a cursory review it does not seem to be used unless error == ns_r_badtime. Could someone describe the purpose of parameter?

Regards,
Stacey

libbind ns_find_tsig() documentation error.
The documentation for ns_find_tsig() is confused looking at libbind-6.0/doc/tsig.cat3:

    TSIG LOCALTSIG

    NAME
         ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
         ns_verify_tcp_init, ns_find_tsig -- TSIG system

    SYNOPSIS
         ...
         u_char *
         ns_find_tsig(u_char *msg, u_char *eom);
         ...
         ns_find_tsig()
         msg     the incoming DNS message
         msglen  the length of the DNS message

A cursory review of libbind-6.0/nameser/ns_verify.c confirms that it is a unsigned character pointer that is expected to point to the end-of-message.

Regards,
Stacey

Re: about alt-transfer-source
On 09/07/2009 10:22, Peter Andreev wrote:
Can somebody explain how many retries must pass, before IP-address from alt-transfer-source option will be used? Thank you.

Hi Peter,

Looking at the ARM alt-transfer-source is only used in a view if use-alt-transfer-source is set to yes. Are you using views?

Stace

Re: problem with bind stop
On 01/07/2009 15:41, Joan Marc Riera wrote:
Hello, we have some troubles with restart and stop. bind does not stop and I think it's because of a wrong kill argument on the stop) case.

Perhaps named is still saving updates... Try halt instead...

    $ rndc []
    $ rndc [...]
      stop      Save pending updates to master files and stop the server.
      stop -p   Save pending updates to master files and stop the server reporting process id.
      halt      Stop the server without saving pending updates.
      halt -p   Stop the server without saving pending updates reporting process id.
    [...]

Stacey

I think that the kill -0 $PID should be something else, is it possible? Many thanks
Marc

From /etc/init.d/bind9:

    stop)
        #here i erase some validations
        pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}')
        if [ -n "$pid" ]; then
          while kill -0 $pid 2>/dev/null; do
            log_progress_msg "waiting for pid $pid to die"
            sleep 1
          done
        fi
        log_end_msg $?
        ;;

Our version:

    ii bind9        1:9.5.1.dfsg.P1-1  Internet Domain Name Server
    ii bind9-doc    1:9.5.1.dfsg.P1-1  Documentation for BIND
    ii bind9-host   1:9.5.1.dfsg.P1-1  Version of 'host' bundled with BIND 9.X
    ii bind9utils   1:9.5.1.dfsg.P1-1  Utilities for BIND
    ii libbind9-40  1:9.5.1.dfsg.P1-1  BIND9 Shared Library used by BIND

Re: BIND and Solaris rand()
On 04/06/09 16:06, Chris Thompson wrote:
It turns out that rand(3c) in even recent Solaris versions returns values in the range 0..32767 only. I suppose this is part of Sun's rather extreme paranoia about backwards compatibility with programs written before the flood.

rand(3C) - simple random-number generator returns successive pseudo-random numbers in the range of 0 to RAND_MAX (defined as 32767).

The specific thing that brought this to my attention was that, when using the -j option to dnssec-signzone, I couldn't get jitter of more than a few hours however large I set the option. isc_random_jitter in lib/isc/random.c has

    return (max - rand() % jitter);

and now it is obvious why that was. There are probably other bad things happening elsewhere in BIND and its associated utilities.

Sun provided the drand48(3c) routines as an alternative to rand(3c), even back in the SunOS 4.x days, and they have a better spec. I was about to write a version of lib/isc/random.c using lrand48() instead of rand(), but thought I would ask whether anyone has done the same thing already. Also, a suggestion to ISC that they use lrand48() on Solaris, in the same way as they use arc4random() if that is available.

BIND 8 was changed to use /dev/urandom on Solaris around the time when arc4random() was added to it. Perhaps a similar solution could be used here?

Stacey

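The jitter cap described in the message above can be reproduced with a small model. This is an added example, not code from the thread or from BIND: the function names are hypothetical, the generator is Python's, and it assumes the jitter value is in seconds and that lrand48() returns values up to 2^31 - 1.

```python
import random

RAND_MAX_15BIT = 32767        # rand(3C) range quoted in the message
RAND_MAX_31BIT = 2**31 - 1    # assumed range of lrand48(), the proposed replacement


def max_offset(jitter, rand_max):
    """Largest value `rand() % jitter` can ever yield for a given generator range.

    If jitter exceeds rand_max, the modulo is a no-op and the offset can never
    exceed rand_max, however large the requested jitter window is.
    """
    return min(jitter - 1, rand_max)


def expiry_offsets(jitter, rand_max, samples=20000, seed=1):
    """Model the `rand() % jitter` term of `max - rand() % jitter`.

    Returns the offsets (seconds subtracted from the maximum expiry) for a
    constructed run of `samples` signatures. Seeded so the run is repeatable.
    """
    rng = random.Random(seed)
    return [rng.randint(0, rand_max) % jitter for _ in range(samples)]


def hour_buckets_used(jitter, rand_max):
    """Number of distinct one-hour slots the signature expiries fall into."""
    return len({offset // 3600 for offset in expiry_offsets(jitter, rand_max)})


if __name__ == "__main__":
    week = 7 * 86400  # constructed request: spread expiries over seven days
    for label, rand_max in (("15-bit rand()", RAND_MAX_15BIT),
                            ("31-bit generator", RAND_MAX_31BIT)):
        cap = max_offset(week, rand_max)
        used = hour_buckets_used(week, rand_max)
        print(f"{label}: max offset {cap} s ({cap / 3600:.1f} h), "
              f"{used} of {week // 3600} hourly slots used")
```

With the 15-bit range every expiry lands within roughly nine hours of the maximum, so re-signing work stays clustered no matter how large the requested window is.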
Re: Catch ALL Setup
On 02/18/09 05:19, Mark Andrews wrote:

    $ORIGIN .
    @ 0 SOA ...
    @ 0 NS ...
    * 0 A 1.2.3.4

Just be careful of what you wish for, don't come back here saying that your resolver search path is no longer working ;-)

To explain, let's say you use the above in example.com and configure clients with 'search example.com another.com someother.com' in resolv.conf. A resolver looking for 'test', hoping to find it as 'test.another.com' would query the name server for test.example.com first and get back 'test.example.com IN A 1.2.3.4.'.

regards,
Stacey

In message 499b8e5a.5010...@whgl.uni-frankfurt.de, Sven Eschenberg writes:
Dear list, I tried googling about a Catch-All setup for a DNS, with little success. I tried messing around with some zone/hint files in an isolated setup, but without any success. What I am trying to achieve is the following: No matter which host/name is looked up, the DNS should spit out the same IP address. The intention is to bring the users to a specific webserver/webpage, not matter what web page the intend to surf to, for the easiness of setting up their connection. The basic idea is, unauthenticated clients will be put in an isolated network, users then pop up their web browser, will land on a specific webpage with instructions on which steps they need to take, to get proper access. I tried to create a * zone, which seems to be ignored by bind, or rather bind doesn't like the contents of the zone file. I'd appreciate any pointer to some information, how I can tweak bind to do such a thing.

With best regards
-Sven

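The search-path interaction described in this message, and the ambiguity and query-volume points made in the "why one shouldn't use relative hostnames" thread, can be walked through with a small model. This is an added example, not code from either thread: the zone contents are constructed, the function names are hypothetical, and the resolver is simplified (no network, no ndots handling, flat zones).

```python
"""Model of stub-resolver search-list processing over constructed zone data."""

# Constructed data. 1.2.3.4 is the catch-all address used in the message;
# the 192.0.2.x addresses are documentation-range placeholders.
ZONES_WITH_WILDCARD = {
    "example.com": {"*": "1.2.3.4"},
    "another.com": {"test": "192.0.2.10", "mailroom": "192.0.2.20"},
    "someother.com": {"mailroom": "192.0.2.30"},
}
# Same data, but example.com holds an ordinary record instead of a wildcard.
ZONES_NO_WILDCARD = {**ZONES_WITH_WILDCARD, "example.com": {"www": "192.0.2.1"}}
SEARCH = ["example.com", "another.com", "someother.com"]


def lookup(fqdn, zones):
    """Answer an A query: exact owner match, else wildcard synthesis, else None."""
    for apex, records in zones.items():
        suffix = "." + apex
        if fqdn.endswith(suffix):
            owner = fqdn[: -len(suffix)]
            if owner in records:
                return records[owner]
            # Simplified wildcard rule: '*' answers for any missing name
            # below the apex. None stands for NXDOMAIN.
            return records.get("*")
    return None


def resolve_short(name, search, zones):
    """Append each search domain in order; stop at the first answer.

    Returns (fqdn, address, queries_sent) so the cost of a miss is visible.
    """
    tried = []
    for domain in search:
        fqdn = f"{name}.{domain}"
        tried.append(fqdn)
        addr = lookup(fqdn, zones)
        if addr is not None:
            return fqdn, addr, tried
    return None, None, tried


def resolving_domains(name, search, zones):
    """Audit helper: every search domain under which a short name resolves.

    More than one entry means the result depends on search-list order.
    """
    return [d for d in search if lookup(f"{name}.{d}", zones) is not None]


if __name__ == "__main__":
    print(resolve_short("test", SEARCH, ZONES_WITH_WILDCARD))   # shadowed by wildcard
    print(resolve_short("test", SEARCH, ZONES_NO_WILDCARD))     # reaches another.com
    print(resolve_short("typo", SEARCH, ZONES_NO_WILDCARD))     # exhausts the list
    print(resolving_domains("mailroom", SEARCH, ZONES_NO_WILDCARD))
```

Running `resolving_domains` over the short names an application uses is one way to spot names whose answer changes with search-list order.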
Re: Unexpected error question
On 02/05/09 16:04, Cherney John-CJC030 wrote:
Yes, I normally use svcadm disable dns/server to stop named. Also, I've modified the dns/server stop method from the usual kill: to /usr/sbin/rndc stop. I did that because I want to make sure the cache gets written to the db files, which an rndc stop does. It seems that named is having a problem with one of the files, but I can't tell which one from the first syslog message.

John,

Did you make other SMF changes too? Could you provide output from 'svcprop dns/server'?

As Gregory touches upon below, an 'rndc stop' does attempt to execute the SMF instance's stop method before named exits as that is how named informs SMF that it intentionally exited. The message you see suggests that the privileges to do so have been lost, often associated with the use of chroot users. Instead of using chroot Sun recommends changing the SMF instance property 'start/user' to specify an alternative user and or using zones(5).

FYI we did consider making the default stop method perform an 'rndc stop', however we found on a large DNS server an 'rndc stop' could take a long time and thus be problematic when trying to shut down the server. That and 'rndc stop' does eventually invoke the instance's stop method!

Stacey Marshall
Sun Microsystems Ltd.

jwc

-----Original Message-----
From: Gregory Hicks [mailto:ghi...@hicks-net.net]
Sent: Thursday, February 05, 2009 10:56 AM
To: bind-us...@isc.org; Cherney John-CJC030
Cc: mark_andr...@isc.org
Subject: RE: Unexpected error question

Subject: RE: Unexpected error question
Date: Thu, 5 Feb 2009 09:51:05 -0500
From: Cherney John-CJC030 john.cher...@motorola.com
To: bind-us...@isc.org

I see. I was assuming that the second line was caused by the first line, and that if I could get more info on the first line, I could take care of both of them. I have a named user that the named process is run as. However, I see these errors even when I use rndc stop as root. Is there any resource that recommends what permissions need to be on specific SMF files for DNS? (or in general). Or is this even a permissioning issue with SMF files?

The problem comes from the idea that SMF wants to be the 'controller'. When the program in question (named in the case) receives a 'stop' command from rndc, SMF doesn't know WHY the program stopped, just that it DID stop. Thus the error. A better way to stop named might be svcadm named disable (I think that's the right syntax but could be wrong. I am NOT an SMF expert...) That should avoid the error message. There was some discussion on the smf-disc...@opensolaris.org list last month on how to avoid error messages when you don't care if the underlying service stops all by itself.

Regards,
Gregory Hicks

Thanks! jwc

-----Original Message-----
From: mark_andr...@isc.org [mailto:mark_andr...@isc.org]
Sent: Thursday, February 05, 2009 1:18 AM
Cc: Cherney John-CJC030; bind-us...@isc.org
Subject: Re: Unexpected error question

In message 200902050609.n1569ktg082...@drugs.dv.isc.org, Mark Andrews writes:
In message f021020da23b6641a05e616d5ead146304597...@de01exm60.ds.mot.com, Cherney John-CJC030 writes:
I'm seeing the following lines in syslog, which occur when I shut down named:

    general: error: ./main.c:858: unexpected error:
    general: error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action

I'm running 9.3.5-P1 on Solaris 10 x86

I took a quick look at the source code and it looks like there should be a file and/or filenumber as part of the unexpected error line. I've noticed the same two lines when I issue an rndc stop. The named process does stop, but I'm worried that there may be data in the cache that isn't getting written to the db files. Nothing jumped out at me from my google search. It seems like I have a file permissions issue, but I haven't recently changed any file permissions. I don't see any unusual messages on startup.

Can someone point me the right direction for this? Is there any other information I should/could provide?

Thanks! jwc

SMF is Sun's management facility. The code in question was submitted by Sun. I would be looking at how you have SMF set up in particular how to give the user named is running under permission to disable itself.

See also http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris as mentioned in the FAQ.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

--
Mark Andrews,
Re: BIND 9.4.x vs 9.6.x - pid-file check and creation
Mark Andrews wrote:
Looking at the publicly available parts of SunSolve there are at least bug reports about it.

Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions.
bug 6253984 http://sunsolve.sun.com/search/document.do?assetkey=1-1-6253984-1 - Sep 10, 2007

FYI this has been fixed in OpenSolaris, alas it has not been fixed in Solaris 9 or 10 and currently there are no plans to do so.

Requires Support Contract tmp_mkdir()/xmemfs_mkdir() inconsistent with other xxxfs_mkdir() functions.
bug 2152581 http://sunsolve.sun.com/search/document.do?assetkey=1-1-2152581-1 - Sep 10, 2007

This is the Solaris 10 reference, it's closed (hence no plans to fix). With sufficient justification it could be re-opened.

Stace

I don't have a copy of the POSIX standard that covers mkdir(2) to see what it has to say about it. Historically however EACCES on search failure, EEXIST if the file/directory exists, then EACCES on parent directory write permissions was the error determination order.

Mark

Re: Using 2 CPUs with BIND
Mike Diggins wrote:

I noticed that when BIND 9.2.4 on Redhat Linux (Intel x86) starts, the log records:

dns1 named[28513]: starting BIND 9.2.4 -u named -t /var/named/chroot
dns1 named[28513]: using 2 CPUs

When I start BIND on my Solaris 10 SPARC dual CPU (V210) system 9.4.2-P2, I don't get the message using 2 CPUs, but that's what I want. I

The message format changed slightly in BIND 9.4.2-p2, from bin/named/main.c:

#ifdef ISC_PLATFORM_USETHREADS
	if (ns_g_cpus == 0)
		ns_g_cpus = ns_g_cpus_detected;
	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
		      ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s",
		      ns_g_cpus_detected, ns_g_cpus_detected == 1 ? "" : "s",
		      ns_g_cpus, ns_g_cpus == 1 ? "" : "s");
#else
	ns_g_cpus = 1;
#endif

compiled it with './configure --prefix=/usr/local/bind --enable-threads'

Take a look at the config.log output to check that threading is indeed enabled, it should be by default anyhow on Solaris 10 system.

and start it with '/usr/local/bind/sbin/named -n 2 -c /etc/named.conf'. How do I know it's actually using the two SPARC CPUs?

Use /usr/bin/ps -Lp `pgrep named` will show you the number of light-weight-processes (LWP), threads, running for the named process.

Incidentally the '-n' option shouldn't be necessary, named can detect the number of CPUs on Solaris.

Regards, Stace

-Mike

Mike Diggins                          Voice:  905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks  FAX:    905.522.0511
University Technology Services        E-Mail: mike.digg...@mcmaster.ca
McMaster University, Hamilton, Ontario
Re: Using 2 CPUs with BIND
Mike Diggins wrote:

Thanks. Would this imply it has detected multiple CPUs? I still don't see any mention of it in my logs.

The below output does indicate that you have five threads. I'm not sure why your log is not showing the message. Double check the log configuration and check /var/adm/messages for other messages indicating a problem.

Stace

digg...@newblack~# /usr/bin/ps -Lp `pgrep named`
   PID   LWP TTY     LTIME CMD
   605     1 ?        0:00 named
   605     2 ?        0:09 named
   605     3 ?        0:06 named
   605     4 ?        0:34 named
   605     5 ?        0:01 named

-Mike

On Fri, 2 Jan 2009, Stacey Jonathan Marshall wrote:

Mike Diggins wrote:

I noticed that when BIND 9.2.4 on Redhat Linux (Intel x86) starts, the log records:

dns1 named[28513]: starting BIND 9.2.4 -u named -t /var/named/chroot
dns1 named[28513]: using 2 CPUs

When I start BIND on my Solaris 10 SPARC dual CPU (V210) system 9.4.2-P2, I don't get the message using 2 CPUs, but that's what I want. I

The message format changed slightly in BIND 9.4.2-p2, from bin/named/main.c:

#ifdef ISC_PLATFORM_USETHREADS
	if (ns_g_cpus == 0)
		ns_g_cpus = ns_g_cpus_detected;
	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
		      ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s",
		      ns_g_cpus_detected, ns_g_cpus_detected == 1 ? "" : "s",
		      ns_g_cpus, ns_g_cpus == 1 ? "" : "s");
#else
	ns_g_cpus = 1;
#endif

compiled it with './configure --prefix=/usr/local/bind --enable-threads'

Take a look at the config.log output to check that threading is indeed enabled, it should be by default anyhow on Solaris 10 system.

and start it with '/usr/local/bind/sbin/named -n 2 -c /etc/named.conf'. How do I know it's actually using the two SPARC CPUs?

Use /usr/bin/ps -Lp `pgrep named` will show you the number of light-weight-processes (LWP), threads, running for the named process.

Incidentally the '-n' option shouldn't be necessary, named can detect the number of CPUs on Solaris.

Regards, Stace

-Mike

Mike Diggins                          Voice:  905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks  FAX:    905.522.0511
University Technology Services        E-Mail: mike.digg...@mcmaster.ca
McMaster University, Hamilton, Ontario
Re: Workaround Solaris's kernel bug
Thomas Schulz wrote:

Change 2489 says to define ISC_SOCKET_USE_POLLWATCH to work around a Solaris kernel bug about /dev/poll. How do I know if I should define this? Should I just assume that if I am running Solaris 8 then I need to define ISC_SOCKET_USE_POLLWATCH? Is there any down side to defining this if it is not needed?

Tom Schulz
Applied Dynamics Intl.
[EMAIL PROTECTED]

Tom,

This is CR 6724237 http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Which was first introduced in Solaris 8. At this time there is no patch for Solaris 8, 9 or 10 and therefore ISC_SOCKET_USE_POLLWATCH should be defined when building BIND 9 for those systems.

Stacey Marshall
Sun Microsystems Ltd.